Story Summary
As an infrastructure operator, I want Tailscale provisioning to use one-time auth keys, so that auth keys exposed in OpenTofu state cannot be reused by unauthorized parties.
✅ Acceptance Criteria
- Document the one-time key generation process in a runbook
- Update Bitwarden secret management to note that a new one-time key must be generated before reprovisioning
- Verify the key is invalidated in the Tailscale admin console after first use
- Update token rotation runbook with Tailscale auth key rotation procedure
📝 Additional Context
- Design: One-time auth keys are automatically revoked after first use, mitigating the risk of key exposure in OpenTofu state
- Docs: Update docs/token-rotation-runbook.md
- Related Issues/PRs: PR #73 "[User Story] Refactor Tailscale Install to Leverage systemd-sysext image" (Tailscale sysext refactor)
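The check behind the story summary and the design note above, as an added example that is not code from this issue or its project: it audits an OpenTofu state file for persisted Tailscale auth keys and flags any that are reusable, which is exactly the exposure one-time keys remove. The tfstate v4 JSON layout, the `tskey-auth-` key prefix, and the `tailscale_tailnet_key` resource's boolean `reusable` attribute are assumptions; the sample state embedded in the block is constructed.

```python
"""Audit an OpenTofu/Terraform state file for persisted Tailscale auth keys.

Added example; not code from the issue or its project. Assumptions:
  * tfstate v4 layout: top-level "resources", each with "type", "name",
    optional "module", and "instances" whose "attributes" hold the values;
  * Tailscale auth keys begin with "tskey-auth-";
  * the provider's "tailscale_tailnet_key" resource records a boolean
    "reusable" attribute (false means a one-time key).
"""
import json
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

KEY_PREFIX = "tskey-auth-"
KEY_RE = re.compile(r"tskey-auth-[A-Za-z0-9-]+")
KEY_RESOURCE_TYPE = "tailscale_tailnet_key"


@dataclass
class Finding:
    address: str              # resource address, e.g. tailscale_tailnet_key.node
    path: str                 # attribute path where the key material sits
    reusable: Optional[bool]  # None when the state does not say
    redacted: str             # key with the secret part masked for reporting

    @property
    def severity(self) -> str:
        # A reusable key read out of the state can be replayed indefinitely;
        # a one-time key is revoked on first use, so its exposure is contained;
        # a key whose reusability the state does not record needs review.
        if self.reusable is True:
            return "high"
        if self.reusable is False:
            return "low"
        return "review"


def redact(key: str) -> str:
    """Keep the prefix plus four characters so a finding can be matched to a key."""
    return key[: len(KEY_PREFIX) + 4] + "..."


def _walk(value, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (path, string) for every string nested anywhere in value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def _instances(state: dict) -> Iterator[Tuple[dict, dict]]:
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            yield res, inst.get("attributes", {})


def audit_state(state: dict) -> List[Finding]:
    """Return one Finding per Tailscale auth key stored anywhere in the state."""
    # Pass 1: learn whether each key the tailnet_key resource created is one-time.
    known = {}
    for res, attrs in _instances(state):
        if res.get("type") == KEY_RESOURCE_TYPE and isinstance(attrs.get("key"), str):
            known[attrs["key"]] = attrs.get("reusable")
    # Pass 2: find key material anywhere, e.g. copied into a VM's user_data.
    findings: List[Finding] = []
    for res, attrs in _instances(state):
        address = f"{res['type']}.{res['name']}"
        if res.get("module"):
            address = f"{res['module']}.{address}"
        for path, text in _walk(attrs):
            for match in KEY_RE.finditer(text):
                key = match.group(0)
                findings.append(Finding(address, path, known.get(key), redact(key)))
    return findings


def has_reusable_keys(findings: List[Finding]) -> bool:
    """True when any persisted key is known to be reusable (the risk this story removes)."""
    return any(f.reusable is True for f in findings)


# Constructed sample state: a one-time key, a reusable key, and a VM resource
# whose cloud-init user_data embeds the one-time key a second time.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"type": KEY_RESOURCE_TYPE, "name": "node", "instances": [{"attributes": {
            "reusable": False, "key": "tskey-auth-kSAMPLE1-onetimeonly"}}]},
        {"type": KEY_RESOURCE_TYPE, "name": "legacy", "module": "module.lab",
         "instances": [{"attributes": {
             "reusable": True, "key": "tskey-auth-kSAMPLE2-reusablekey"}}]},
        {"type": "example_vm", "name": "node1", "instances": [{"attributes": {
            "user_data": "#cloud-config\nruncmd:\n"
                         "  - tailscale up --authkey=tskey-auth-kSAMPLE1-onetimeonly"}}]},
    ],
}

if __name__ == "__main__":
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    results = audit_state(state)
    for f in results:
        print(f"[{f.severity}] {f.address} {f.path}: {f.redacted} reusable={f.reusable}")
    sys.exit(1 if has_reusable_keys(results) else 0)
```

Run it against `tofu state pull > state.json` output (or the local `terraform.tfstate`); a non-zero exit means a reusable key is sitting in state and should be rotated as the token rotation runbook describes. Keys the state records as one-time are reported at low severity because a copy in state is dead after the first `tailscale up`, which is the property the story relies on.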
📦 Definition of Ready
- Acceptance criteria defined
- No unresolved external dependencies
- Story is estimated
- Team has necessary skills and access
- Priority is clear
- Business value understood
✅ Definition of Done
- All acceptance criteria met
- Peer-reviewed
- Docs updated
- No critical bugs/regressions