Skip to content

Bootstrap System

The Bootstrap System is a secure, encrypted mechanism for provisioning new servers and onboarding new devices into our infrastructure.

🛠️ Two Types of Bundles

We maintain two distinct types of bootstrap bundles, each serving a specific purpose:

1. 🖥️ Server Migration Bundle (bootstrap-secrets.age)

Use Case: Migrating production infrastructure or setting up a new production-class server.

  • Contains:
  • Infisical ENCRYPTION_KEY (The most critical secret)
  • Database & Redis credentials
  • Machine Identity credentials (for accessing existing Infisical instance)
  • Hetzner API token
  • SSH public keys for all devices
  • S3 & Storage Box credentials
  • Security: HIGH. Create before migration, delete immediately after.

2. 💻 Device Onboarding Bundle (device-bootstrap.age)

Use Case: Setting up a NEW laptop or computer to access the infrastructure.

  • Contains:
  • SSH Private Key: Your personal identity key.
  • Infisical Credentials: Universal-auth machine identity.
  • Optional Repository Backup: A compressed copy of coder-core for offline setup.
  • Security: CRITICAL. This bundle contains a private key. Transfer via secure method (USB/Tailscale) only.

🚀 Quick Usage

Creating Bundles (Existing Device)

Run these on your main device (macbook-pro):

cd ~/coder-core/.bootstrap

# Create Server Migration Bundle
./create-bundle.sh

# Create Device Onboarding Bundle
./create-device-bundle.sh

Using Bundles (New Device/Server)

On a New Device (Interactive)

The easiest way is using the Tailscale Bootstrap Server:

  1. On your main device: ./serve-via-tailscale.sh
  2. On the new device: curl http://<TAILSCALE_IP>:8080/device-bootstrap.age | age -d | bash

On a New Server (Manual)

# Transfer the bundle via SCP/SFTP
age -d bootstrap-secrets.age > .env
source .env

🔐 Security Standards

  1. Never Commit: Bundles (*.age) are gitignored and must NEVER be committed to source control.
  2. Encryption: All bundles are encrypted using age.
  3. Passphrases: Must be complex and stored in a password manager.
  4. Ephemeral: Server bundles should be deleted as soon as the migration is successful.
  5. Zero-Trust: Transfer device bundles only via private networks (Tailscale) or physical media (USB).