Clarify GitHub repository secrets for CI/CD deployment

perigrin · perigrin · commit 166fbf1c2f03 · 2025-08-16T22:33:55.000-04:00
Both TAILSCALE_AUTHKEY and FLY_API_TOKEN are GitHub repository secrets,
not Fly.io secrets. The GitHub Actions workflow handles setting these
as Fly.io secrets during deployment.

## Changes Made

- **GitHub Actions workflow**: Add TAILSCALE_AUTHKEY environment variable
- **Deployment step**: Automatically set Tailscale auth key in Fly.io secrets
- **Documentation**: Clarify both secrets are GitHub repository secrets
- **Admin procedures**: Update key rotation to use GitHub secrets first
- **Deployment prerequisites**: Document both required GitHub secrets

## Required GitHub Repository Secrets

1. **FLY_API_TOKEN**: Fly.io deploy token for automated deployment
2. **TAILSCALE_AUTHKEY**: Ephemeral auth key for Tailscale mesh access

## GitHub Actions Workflow

The workflow now:
- Uses both secrets from GitHub repository settings
- Automatically sets TAILSCALE_AUTHKEY as Fly.io secret for each app
- Maintains existing FLY_API_TOKEN usage for deployment authentication

This provides proper separation between GitHub CI/CD secrets and
runtime Fly.io application secrets.
diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml
@@ -9,6 +9,7 @@ on:
 
 env:
   FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+  TAILSCALE_AUTHKEY: ${{ secrets.TAILSCALE_AUTHKEY }}
 
 jobs:
   test:
@@ -89,5 +90,10 @@ jobs:
             echo "PostgreSQL already attached to magnet-atheme"
           fi
         
+      - name: Set Tailscale Auth Key Secret
+        run: |
+          # Set Tailscale auth key as Fly.io secret
+          flyctl secrets set TAILSCALE_AUTHKEY="${TAILSCALE_AUTHKEY}" --app ${{ matrix.app }}
+        
       - name: Deploy ${{ matrix.app }}
         run: flyctl deploy --config ${{ matrix.config }} --app ${{ matrix.app }} --remote-only
diff --git a/docs/admin-access-procedures.md b/docs/admin-access-procedures.md
@@ -29,19 +29,29 @@ The Magnet IRC Network uses Tailscale for secure administrative access to IRC se
    - ✅ **Pre-approved**: Skip manual device approval (optional)
    - ⏱️ **90-day expiration**: Set reasonable expiration time
 
-### Fly.io Secrets Configuration
-Set the Tailscale auth key as a secret for each application:
+### GitHub Repository Secrets Configuration
+Set both Fly.io API token and Tailscale auth key as GitHub repository secrets for CI/CD deployment:
 
 ```bash
-# Generate ephemeral auth key (reuse for all services)
+# Generate ephemeral Tailscale auth key
 EPHEMERAL_KEY="tskey-auth-xxxxxx-xxxx"
 
-# Set secrets for all apps
-fly secrets set TAILSCALE_AUTHKEY=$EPHEMERAL_KEY --app magnet-9rl
-fly secrets set TAILSCALE_AUTHKEY=$EPHEMERAL_KEY --app magnet-1eu  
-fly secrets set TAILSCALE_AUTHKEY=$EPHEMERAL_KEY --app magnet-atheme
+# Generate Fly.io deploy token  
+FLY_TOKEN="fo1_xxxxxxxxxxxxxxxxxxxxxx"
+
+# Add to GitHub repository secrets at:
+# https://github.com/your-org/your-repo/settings/secrets/actions
+# 
+# Required secrets:
+# Name: FLY_API_TOKEN
+# Value: fo1_xxxxxxxxxxxxxxxxxxxxxx
+#
+# Name: TAILSCALE_AUTHKEY  
+# Value: tskey-auth-xxxxxx-xxxx
 ```
 
+**Note**: The GitHub Actions workflow will automatically set these as Fly.io secrets during deployment.
+
 ## Administrative Access Methods
 
 ### Method 1: Direct SSH via Tailscale (Recommended)
@@ -157,12 +167,18 @@ ssh root@magnet-9rl 'cat /proc/cpuinfo | grep flags'
 # Generate new ephemeral key
 NEW_KEY="tskey-auth-xxxxxx-yyyy"
 
-# Update secrets (containers will auto-reconnect on restart)
+# Update GitHub repository secret
+# Go to: https://github.com/your-org/your-repo/settings/secrets/actions
+# Update TAILSCALE_AUTHKEY with new value
+
+# Redeploy to apply new key (triggers via GitHub Actions)
+git commit --allow-empty -m "Rotate Tailscale auth key"
+git push
+
+# Or manually update Fly.io secrets if needed
 fly secrets set TAILSCALE_AUTHKEY=$NEW_KEY --app magnet-9rl
 fly secrets set TAILSCALE_AUTHKEY=$NEW_KEY --app magnet-1eu
 fly secrets set TAILSCALE_AUTHKEY=$NEW_KEY --app magnet-atheme
-
-# Restart containers to use new key
 fly machines restart --app magnet-9rl
 fly machines restart --app magnet-1eu  
 fly machines restart --app magnet-atheme
diff --git a/docs/deployment-prerequisites.md b/docs/deployment-prerequisites.md
@@ -149,9 +149,10 @@ fly tokens create deploy --app magnet-9rl
 fly tokens create deploy --app magnet-1eu  
 fly tokens create deploy --app magnet-atheme
 
-# Add to GitHub repository secrets as FLY_API_TOKEN
+# Add to GitHub repository secrets
 # Go to GitHub repo → Settings → Secrets → Actions
 # Create new secret: FLY_API_TOKEN = <your-deploy-token>
+# Create new secret: TAILSCALE_AUTHKEY = <your-ephemeral-auth-key>
 ```
 
 2. **Automatic Deployment**:
