feat: add spinner
@@ -17,7 +17,7 @@ This repo currently provisions NixOS hosts with:
|
||||
- New machines are installed with `nixos-anywhere`
|
||||
- Ongoing changes are deployed with `colmena`
|
||||
- Hosts authenticate to OpenBao as clients
|
||||
- Tailscale auth keys are fetched from OpenBao namespace `it`, KV mount `kv`, path `tailscale`, field `auth_key`
|
||||
- Tailscale auth keys are fetched from OpenBao namespace `it`, KV mount `kv`, path `tailscale`, field `CLIENT_SECRET`
|
||||
- Public SSH must work independently of Tailscale for first access and recovery
|
||||
|
||||
## Repo Layout
|
||||
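Review bot: The commit title "feat: add spinner" does not describe this change, and the changed bullet still says "Tailscale auth keys" while the field it names is now `CLIENT_SECRET`. Retitle the commit as a documentation change, and state in the bullet what kind of credential the field holds, so that whoever writes the secret at KV mount `kv`, path `tailscale` knows what to store there and how it should be scoped and rotated.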
@@ -230,7 +230,7 @@ The host uses:
|
||||
- KV mount: `kv`
|
||||
- auth mount: `auth/approle`
|
||||
- secret path: `tailscale`
|
||||
- field: `auth_key`
|
||||
- field: `CLIENT_SECRET`
|
||||
|
||||
The host stores:
|
||||
|
||||
@@ -342,7 +342,7 @@ On first boot:
|
||||
|
||||
1. `vault-agent-tailscale.service` starts using `pkgs.openbao`
|
||||
2. it authenticates to OpenBao with AppRole
|
||||
3. it renders `auth_key` from namespace `it`, KV mount `kv`, path `tailscale` to `/run/nodeiwest/tailscale-auth-key`
|
||||
3. it renders `CLIENT_SECRET` from namespace `it`, KV mount `kv`, path `tailscale` to `/run/nodeiwest/tailscale-auth-key`
|
||||
4. `nodeiwest-tailscale-authkey-ready.service` waits until that file exists
|
||||
5. `tailscaled-autoconnect.service` uses that file and runs `tailscale up --ssh`
|
||||
|
||||
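Review bot: In step 3 the rendered field is now `CLIENT_SECRET`, but it is still written to `/run/nodeiwest/tailscale-auth-key` and gated by `nodeiwest-tailscale-authkey-ready.service`, so the file and unit names no longer match the field they carry. Either add a sentence saying the names are intentionally unchanged, or rename them in the same change. If the value is meant to be consumed by `tailscale up --ssh` in step 5 exactly as the old `auth_key` was, say so here.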
@@ -379,7 +379,7 @@ Typical causes:
|
||||
- wrong OpenBao policy
|
||||
- wrong secret path
|
||||
- wrong KV mount path
|
||||
- `auth_key` field missing in the secret
|
||||
- `CLIENT_SECRET` field missing in the secret
|
||||
|
||||
## Deploy Changes After Install
|
||||
|
||||
|
||||
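Review bot: The changed entry in this list covers a missing `CLIENT_SECRET` field but not the transition case where the secret at path `tailscale` still carries only `auth_key`. List that as an explicit cause, or add a note that the new field must be written to OpenBao before hosts are redeployed with this change.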