Ephemeral Castle Rebirth Protocol

The Rebirth Protocol (create.sh V11.1) is a high-level orchestrator that moves the cluster from “Nothing” to “Blog Online” in approximately 12 minutes.

The create.sh Logic (Step-by-Step)

1. Secret Resolution

Uses the resolve() bash function to extract credentials from the TazPod Vault (/home/tazpod/secrets/).

  • If a file exists in the vault, it’s exported as an env var.

2. Tailscale AuthKey Minting

The script executes mint_tailscale_authkey():

  • Authenticates with Tailscale OAuth (client_id + client_secret).
  • Requests a short-lived (3600s), reusable, ephemeral key with tag:tazlab-k8s.
  • The key is kept in memory and never committed to Terraform state.

3. Terragrunt Execution

  • Applies secrets and platform sequentially.
  • Talos Patching: Injects the TS_AUTHKEY into nodes via talosctl apply-config using a Python inline patcher.
  • Applies engine.
  • Launches networking, gitops, and storage in the background (&).

4. GitOps Harmonization

  • Forces a Flux reconcile for the entire stack.
  • Waits for Kustomizations to reach Ready state.
  • Grafana Secret Sync: A Python helper synchronizes the dynamic Postgres credentials from the tazlab-db namespace to the monitoring namespace to avoid a bootstrap circular dependency.
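Steps 1 and 2 above, as an added bash example (not the create.sh code from the page): a resolve() that exports vault files without ever logging their value, the key request with the properties the page lists, a mint function that keeps the key in memory, and a post-run check that the key was not persisted. Assumed: the vault layout /home/tazpod/secrets/<NAME> (VAULT_DIR overrides it), curl and jq on PATH, and the Tailscale OAuth and keys endpoints, which come from Tailscale's public API docs rather than from this page.

```bash
#!/usr/bin/env bash
# Added example, not the create.sh code from the page. Assumes the vault layout
# /home/tazpod/secrets/<NAME> (VAULT_DIR overrides it), curl and jq on PATH, and
# the Tailscale OAuth/keys endpoints below (from Tailscale's public API docs,
# not from the page; verify them before relying on this).
set -eu
VAULT_DIR="${VAULT_DIR:-/home/tazpod/secrets}"

# Step 1: export $NAME from $VAULT_DIR/NAME if the file exists; fail otherwise.
# Only the secret's length is logged, never its value.
resolve() {
  local name="$1" path="$VAULT_DIR/$1" value
  [ -f "$path" ] || { echo "resolve: $name not in vault" >&2; return 1; }
  value=$(cat "$path")                 # $(...) strips the trailing newline
  export "$name=$value"
  echo "resolve: $name loaded (${#value} chars)" >&2
}

# Step 2: JSON body for the key request with the properties the page lists:
# reusable, ephemeral, pre-tagged, short-lived (default 3600 s).
authkey_request_body() {
  local tag="${1:-tag:tazlab-k8s}" ttl="${2:-3600}"
  printf '{"capabilities":{"devices":{"create":{"reusable":true,"ephemeral":true,"preauthorized":true,"tags":["%s"]}}},"expirySeconds":%d}' "$tag" "$ttl"
}

# OAuth client-credentials exchange, then key creation. Secrets travel on stdin
# (-d @- / -H @-) rather than argv so they do not show up in `ps`; the key is
# held only in TS_AUTHKEY, in memory, as step 2 requires.
mint_tailscale_authkey() {
  local token
  token=$(printf 'client_id=%s&client_secret=%s' "$TS_OAUTH_CLIENT_ID" "$TS_OAUTH_CLIENT_SECRET" \
    | curl -fsS -d @- https://api.tailscale.com/api/v2/oauth/token | jq -r .access_token)
  TS_AUTHKEY=$(printf 'Authorization: Bearer %s\n' "$token" \
    | curl -fsS -H @- -H 'Content-Type: application/json' -d "$(authkey_request_body)" \
        https://api.tailscale.com/api/v2/tailnet/-/keys | jq -r .key)
  export TS_AUTHKEY
}

# Post-run check for the page's guarantee that the key is never persisted:
# search Terraform state and the log tree for the key value; returns 1 on a hit.
key_not_persisted() {
  local key="$1" f; shift
  for f in "$@"; do
    [ -e "$f" ] || continue
    if grep -rqF -- "$key" "$f"; then echo "LEAK: auth key found under $f" >&2; return 1; fi
  done
  return 0
}
```

Source the file and call key_not_persisted "$TS_AUTHKEY" terraform.tfstate clusters/tazlab-k8s/proxmox/logs after a run; the curl calls are the only part that needs network access.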

Log Locations

Logs are stored in clusters/tazlab-k8s/proxmox/logs/ with a timestamped directory structure.

See Also