fix: correct field from bao
@@ -17,7 +17,7 @@ This repo currently provisions NixOS hosts with:
- New machines are installed with `nixos-anywhere`
- Ongoing changes are deployed with `colmena`
- Hosts authenticate to OpenBao as clients
- Tailscale auth keys are fetched from OpenBao namespace `it`, path `tailscale`, field `auth_key`
- Tailscale auth keys are fetched from OpenBao namespace `it`, KV mount `kv`, path `tailscale`, field `auth_key`
- Public SSH must work independently of Tailscale for first access and recovery
## Repo Layout
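Review bot: the overview bullet is now consistent with the `-mount=kv` command and the step 3 wording later in this patch, but it still leaves the auth method implicit while the host section below lists `auth mount: auth/approle`; consider stating here that hosts fetch the key via AppRole so the overview and the host section agree on all coordinates (namespace `it`, KV mount `kv`, path `tailscale`, field `auth_key`, auth mount `auth/approle`).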
@@ -227,6 +227,7 @@ The host uses:
- OpenBao address: `https://secrets.api.nodeiwest.se`
- namespace: `it`
- KV mount: `kv`
- auth mount: `auth/approle`
- secret path: `tailscale`
- field: `auth_key`
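Review bot: the new `KV mount: kv` bullet should say how it combines with `secret path: tailscale`, because a reader writing a policy needs the full API path rather than two separate fragments; the policy hunk below uses `kv/data/tailscale`, so a short addition after `secret path`, such as full path `kv/data/tailscale` (KV v2 data prefix), would remove the ambiguity.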
@@ -247,12 +248,12 @@ Create a minimal read-only policy for the Tailscale secret.
If the secret is accessible as:
```bash
BAO_NAMESPACE=it bao kv get tailscale
BAO_NAMESPACE=it bao kv get -mount=kv tailscale
```
then create the matching read policy for that mount.
Example shape for a KV v2 mount named `kv`:
Example shape for the KV v2 mount `kv`:
```hcl
path "kv/data/tailscale" {
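Review bot: the conditional "If the secret is accessible as ... then create the matching read policy for that mount" no longer fits now that the command is pinned to `-mount=kv` and the next sentence names "the KV v2 mount `kv`"; either keep the check generic (run `bao kv get` against whatever mount holds the secret and derive the policy path from that) or drop the conditional and state directly that the policy must grant read on `kv/data/tailscale`. Worth noting in the text as well that this `bao kv get` check runs under the operator's token, so it confirms the path exists but does not exercise the read-only AppRole policy being created here.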
@@ -341,7 +342,7 @@ On first boot:
1. `vault-agent-tailscale.service` starts using `pkgs.openbao`
2. it authenticates to OpenBao with AppRole
3. it renders `auth_key` from `it/tailscale` to `/run/nodeiwest/tailscale-auth-key`
3. it renders `auth_key` from namespace `it`, KV mount `kv`, path `tailscale` to `/run/nodeiwest/tailscale-auth-key`
4. `nodeiwest-tailscale-authkey-ready.service` waits until that file exists
5. `tailscaled-autoconnect.service` uses that file and runs `tailscale up --ssh`
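Review bot: step 4 waits only until `/run/nodeiwest/tailscale-auth-key` exists, yet step 3 has the agent render that file, so an empty or partially written file could satisfy the wait before `auth_key` is actually in place and `tailscaled-autoconnect.service` would then run `tailscale up --ssh` with a bad key; unless the agent writes the file atomically, consider having `nodeiwest-tailscale-authkey-ready.service` also require the file to be non-empty, and document whichever guarantee applies. The rewritten step 3 otherwise matches the namespace `it`, KV mount `kv`, path `tailscale` wording introduced in the earlier hunks.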