From 786b2c6670500f27e92152d6f82b1ca009897b26 Mon Sep 17 00:00:00 2001
From: Adrian Cowan
Date: Sat, 6 Sep 2025 22:17:24 +1000
Subject: [PATCH] Switch from tailscale authkeys to an oauth client to fix issues with key expirey
---
 2-nomad-config/gitea.nomad.hcl | 5 +++--
 2-nomad-config/gitea.tf | 2 +-
 2-nomad-config/readme.md | 4 ++++
 2-nomad-config/secrets.enc.json | 6 +++---
 4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/2-nomad-config/gitea.nomad.hcl b/2-nomad-config/gitea.nomad.hcl
index c76311f..8940bde 100644
--- a/2-nomad-config/gitea.nomad.hcl
+++ b/2-nomad-config/gitea.nomad.hcl
@@ -112,8 +112,9 @@ EOF
 }
 env = {
- TS_AUTHKEY = "${ts_authkey}"
- TS_HOSTNAME = "git"
+ TS_HOSTNAME = "git"
+ TS_AUTHKEY = "${ts_oauthsecret}?ephemeral=true"
+ TS_EXTRA_ARGS = "--advertise-tags=tag:nomad"
 }
 resources {
diff --git a/2-nomad-config/gitea.tf b/2-nomad-config/gitea.tf
index b6e4425..b6cfb7d 100644
--- a/2-nomad-config/gitea.tf
+++ b/2-nomad-config/gitea.tf
@@ -9,7 +9,7 @@ resource "cloudflare_dns_record" "git-othrayte-one" {
 resource "nomad_job" "gitea" {
 jobspec = templatefile("gitea.nomad.hcl", {
- ts_authkey = data.sops_file.secrets.data["tailscale.auth_key"]
+ ts_oauthsecret = data.sops_file.secrets.data["tailscale.oauthsecret"]
 })
 }
diff --git a/2-nomad-config/readme.md b/2-nomad-config/readme.md
index 011a7d2..b847050 100644
--- a/2-nomad-config/readme.md
+++ b/2-nomad-config/readme.md
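Review bot: `TS_AUTHKEY = "${ts_oauthsecret}?ephemeral=true"` replaces an expiring authkey with an OAuth client secret that, per the readme in this same commit, carries the `auth_keys` write scope for `tag:nomad` and does not expire, so the env block now embeds a standing credential that can mint further keys — a larger blast radius than the key it retires, and nothing at the line says so. Anyone who can read the job via the Nomad API sees the rendered env block, as was presumably already the case with the authkey, so the change in exposure is the lifetime, not the surface. I would put a comment above `env = {` along the lines of `# ts_oauthsecret is a long-lived Tailscale OAuth client secret (auth_keys write, tag:nomad); it never expires, so rotate it in the Tailscale admin console and re-encrypt secrets.enc.json if it is ever exposed`. Since the old authkey is retired here, revoke it in the admin console as well; removing it from `secrets.enc.json` does not invalidate it. `?ephemeral=true` means the node is removed from the tailnet when it goes offline, which suits a container, but it is worth confirming that matches how the `git` node's identity is expected to behave across restarts; the enclosing task block continues outside the hunk.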
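Review bot: The decrypted value passed as `ts_oauthsecret` is rendered into the `jobspec` string by `templatefile`, and Terraform records that attribute in state, so the plaintext OAuth client secret will be written to `.tfstate` — which the readme on this page mounts from a CIFS share at `//192.168.1.192/appdata/terraform`. This was equally true of the authkey it replaces, but that key expired; the OAuth secret does not, so the share's access controls now guard a standing credential. Keeping the secret out of the jobspec altogether (for example a Nomad `template` block or Vault-backed injection at task start) would be the structural fix and is beyond this commit, but the trade-off should at least be recorded next to the line: `# NOTE: the rendered jobspec, including ts_oauthsecret, is stored in Terraform state`.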
@@ -3,6 +3,10 @@ Mount the state on the fileshare to 2-nomad-config/.tfstate/
 `sudo mount -t cifs //192.168.1.192/appdata/terraform /home/othrayte/Code/infra/2-nomad-config/.tfstate/ -o rw,username=othrayte,password=,uid=$(id -u),gid=$(id -g)`
+# Tailscale Oauth Client
+
+We use a Tailscale oauth client secret to allow our containers to connect to tailscale. We created an oauth client called `nomad` with the `auth_keys` (write) scope for the tag `nomad` and stored the secret in our secrets file.
+
 # Secrets
 The secrets file is encrypted using sops and will be automatically decrypted in the terraform provider.
diff --git a/2-nomad-config/secrets.enc.json b/2-nomad-config/secrets.enc.json
index 438cc52..69a7882 100644
--- a/2-nomad-config/secrets.enc.json
+++ b/2-nomad-config/secrets.enc.json
@@ -7,7 +7,7 @@
 "direct_ip6": "ENC[AES256_GCM,data:E/V1pFjBp7c0PRhUa4cxqAVl8xZKsZzn,iv:Gw0qz2x1pMaieZaCcp4dD9sEVtQfcuEqRP3UpA2Bj/0=,tag:LpsPH3cJAlPCFX6EPabWnQ==,type:str]"
 },
 "tailscale": {
- "auth_key": "ENC[AES256_GCM,data:gzh4nqEOQLijp5DTGHHSn0aO1mFQUB3sVSdAVDLG+a2H6XJ0BtJJGU55oLJURy7E/um7gzwDofP5mwZGTA==,iv:yl8lHqnNLB2AXlBfMyw/0CAR7+KmyKKDFc7kxbo9S6c=,tag:CunYd62x3omji6ozqmhgOg==,type:str]"
+ "oauthsecret": "ENC[AES256_GCM,data:c2GtA+FaDcAKqUtQquP35W650lo1soivNCJc7KzCoQws0hTkt3zICFomOArhIfpHQMnCG4SpNvnXalarKKKxVw==,iv:Pnf8+9wBGNooPl4sKX5aGXITQt7/qfpn+mWyKk8YLXo=,tag:mXL+bz0gESj18qjpdksldA==,type:str]"
 },
 "authelia": {
 "session_secret": "ENC[AES256_GCM,data:eSpAwX/KPzed/Y0oi6QvBwB7Gv5Kiml4FJS5RyuJ7A0plAd8acNThNXi3H4=,iv:RmH0wB3smlSF+CYs4x1w2V9ixdxgdav4dAQntjO0S5g=,tag:Vo5eHiU+1/dep/IUryN/XQ==,type:str]",
@@ -30,8 +30,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2025-05-25T11:33:40Z",
- "mac": "ENC[AES256_GCM,data:HvNkVDm3HOcYSAvDNFs0/w/QmiKFTTy0d+Onl/pFXEgdH/bBLqbeOwZV0tsaZYwNJluOH8EiU4gSBZ5EaCh4JrUTpHiiug4p5UXgRSva9sZ5D+9vzvfncqTdQVXKL6gdLMRVJQjz8lZVx0jV1czFES+4AECNgSq7lNRUHhau3eU=,iv:K33uicZwQyscLr1DUEAKLWPkFSH+aIntyceKB1KTu+M=,tag:mrTSWWlv5ZkN4K4HuIE/zw==,type:str]",
+ "lastmodified": "2025-09-06T12:15:59Z",
+ "mac": "ENC[AES256_GCM,data:kiyEudOTWXnF485QoODePBGNACuS6bY7KVZZe9oSPe2jnyyNn4oI3ukxsgZDEN48k4sESvSLN+yCCKx4I14oRYHMFRhLSN4YLivQOEp0XcR3w7wx3ONmNdiyMG+UgEquaCX4/lWDFUVfWkoWQeq8y+ap5LY1ocqZ9zJ+yCilCA4=,iv:qyQJi7Uf+JGDiPt0C6Ww4A7Fa6NGL0aD3B/CfB4pEG0=,tag:ci+amgE24/uiEPIT0aoc+A==,type:str]",
 "encrypted_regex": "^(.*)$",
 "version": "3.10.2"
 }