Nomadic Operator Model
Level 1 (Concept) — Operator-as-nomad: portable identity across environments.
Concept
The TazLab operator identity is not tied to a specific machine or container. It is portable — carried by the encrypted vault, AWS SSO credentials, and S3-backed persistence. A fresh machine needs only Docker, a checkout of the project, and the vault passphrase to rebuild the full environment.
The Four Pillars
| Pillar | What | How |
|---|---|---|
| Encrypted vault | Portable secret store | vault.tar.aes — AES-256-GCM, PBKDF2 |
| S3 persistence | Remote durability | tazpod push vault / tazpod pull vault |
| AWS SSO | Cloud identity | aws sso login — no static keys |
| GitOps | Desired state in Git | Flux reconciles cluster from tazlab-k8s |
Recovery Sequence
On a fresh machine:
1. tazpod init (if .tazpod/ is missing)
2. tazpod login (AWS SSO)
3. tazpod pull vault (S3 → local)
4. tazpod unlock (decrypt into RAM)
5. tazpod enter (shell with full identity)
This sequence is encoded in smartEntry() — the nomadic recovery path is the default entry path.
Why It Matters
The container is disposable and the host is replaceable, but the operator identity survives because the encrypted vault remains portable and the recovery sequence is built into the CLI.
See Also
- Topic: Nomadic Workflow
- Detail: Smart Entry Detail
- Hub: TazPod