[solved] Possible to store authkey in secrets file?

Hello, is it possible to store an authkey in a separate secrets file and reference it via tailscale up --authkey /path/to/authkey/file ?

My use case is that on NixOS, I want to configure tailscale to automatically authenticate on boot as explained in the NixOS Tailscale Minecraft blog post.

However, I don’t want to store secrets in my NixOS configuration files, since I share them on GitHub. Is there any way to do this with Tailscale?

tailscale up --authkey $(cat /path/to/authkey/file)

?


Oh very clever, yes that worked, thank you! Just had to prepend sudo to cat (on the command-line test, not in the script).

sudo tailscale up --authkey $(sudo cat /path/to/authkey/file)

Thanks!

(Also in case anyone having the same problem finds this, I found you have to use a reusable key instead of a one-off key for this. The blog post uses a one-off key for some reason, but that causes subsequent auths to fail)

So, it seems that even the “reusable” keys now expire after 3 months… if I’m trying to use this on a laptop running NixOS, does that mean I just have to get a new authkey every 3 months?

“Reusable” means it can create multiple nodes, it doesn’t cancel after creating one node.

For now at least, all authkeys expire after 90 days and new keys will need to be reloaded periodically.

There’s an updated syntax for this line now:

tailscale up --auth-key file:/etc/tailscale/tskey-reusable

When creating the authkey, you can give it a tag, which will automatically apply to devices authenticated with that key and disable expiry for them.
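An added example, not part of any post in this thread: a boot-time wrapper that checks the key file before handing it to the file: syntax shown above, which, unlike $(cat ...), keeps the key out of the command line that other local users can read from the process list. The function name, return codes and the use of file mtime as a stand-in for key age are assumptions of this sketch; it assumes Linux with GNU stat and find, as on NixOS.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat/find (Linux, NixOS).
# The default path is the one used in the thread; override with KEYFILE=...
KEYFILE="${KEYFILE:-/etc/tailscale/tskey-reusable}"
MAX_AGE_DAYS=90   # auth key lifetime stated in the thread

# check_keyfile PATH
# Returns 0 if the file looks safe to use, otherwise a reason code:
#   1 = missing or not a regular file   2 = readable by group/other
#   3 = content does not start with "tskey-"   4 = older than MAX_AGE_DAYS
check_keyfile() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "keyfile: $f is missing or not a regular file" >&2
        return 1
    fi
    # -L follows symlinks, which secret managers commonly place in /run.
    mode=$(stat -L -c '%a' "$f") || return 1
    case "$mode" in
        *00|0) ;;                       # no group/other permission bits
        *) echo "keyfile: mode $mode is too open, use chmod 600" >&2
           return 2 ;;
    esac
    # Read only the first line; never echo the key itself.
    first=""
    IFS= read -r first < "$f" || true   # tolerate a missing trailing newline
    case "$first" in
        tskey-*) ;;
        *) echo "keyfile: content does not look like a Tailscale key" >&2
           return 3 ;;
    esac
    # mtime is only a proxy for when the key was issued (assumption).
    if [ -n "$(find -L "$f" -mtime +"$MAX_AGE_DAYS")" ]; then
        echo "keyfile: older than $MAX_AGE_DAYS days, key has likely expired" >&2
        return 4
    fi
    return 0
}

# Run as "script up" from a boot unit; tailscaled reads the key from the
# file, so the secret never appears in argv or in the unit definition.
if [ "${1:-}" = "up" ]; then
    check_keyfile "$KEYFILE" || exit $?
    exec tailscale up --auth-key "file:$KEYFILE"
fi
```

Keeping the path, rather than the key, in the NixOS configuration means the configuration can be published while the file itself is provisioned out of band.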