clawdie-iso/live/operator-session/clawdie-tailscale-up

#!/bin/sh

# PROVIDE: clawdie_tailscale_up
# REQUIRE: LOGIN tailscaled
# KEYWORD: shutdown

. /etc/rc.subr

name="clawdie_tailscale_up"
rcvar="${name}_enable"
start_cmd="${name}_start"
stop_cmd=":"

# No required_files: the key may come from provider.env (vault-fetched by
# join-hive) rather than the legacy keyfile, and onestart still enforces
# required_files. The start function returns 0 cleanly when neither source
# carries a key.
clawdie_tailscale_up_start() {
    _keyfile="/var/lib/clawdie-iso/tailscale-authkey"
    _envfile="/usr/local/etc/colibri/provider.env"

    # Primary: auth key from provider.env (vault-fetched by join-hive).
    # Fallback: legacy key file (ISO-baked or manually staged).
    _authkey=""
    if [ -r "$_envfile" ]; then
        _authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r\n')"
    fi
    if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then
        _authkey="$(tr -d '\r\n' < "$_keyfile")"
    fi
    [ -n "${_authkey:-}" ] || return 0

    command -v tailscale >/dev/null 2>&1 || return 1
    service tailscaled onestatus >/dev/null 2>&1 || return 1

    if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
        # Clean up both sources so the one-shot key is consumed. provider.env
        # still holds the BW_* creds, so keep it 0600 after the rewrite.
        if grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null; then
            chmod 0600 "$_envfile.tmp"
            mv "$_envfile.tmp" "$_envfile"
        else
            rm -f "$_envfile.tmp"
        fi
        rm -f "$_keyfile"
        /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
        return 0
    fi

    return 1
}

load_rc_config "$name"
: "${clawdie_tailscale_up_enable:=NO}"
run_rc_command "$1"
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness 2026-05-24 23:21:02 +02:00			`#!/bin/sh`

			`# PROVIDE: clawdie_tailscale_up`
			`# REQUIRE: LOGIN tailscaled`
			`# KEYWORD: shutdown`

			`. /etc/rc.subr`

			`name="clawdie_tailscale_up"`
			`rcvar="${name}_enable"`
			`start_cmd="${name}_start"`
			`stop_cmd=":"`

fix(tailscale): make vault auto-join work on the OOTB operator image PR #102 wired the standalone tailscale-auth-key vault item, but the out-of-the-box path (no baked key) could not actually start the service: - clawdie-tailscale-up kept required_files=<keyfile>, which onestart still enforces; the keyfile is absent on the OOTB image. Removed it — the start function already returns 0 when neither provider.env nor the keyfile carries a key, so the guard is redundant. - join-hive called `service ... start`: refused because the service defaults to enable=NO without a baked key, and it lacked root. Now `mdo -u root service ... onestart` (root + bypass rcvar). - join-hive's post-join cleanup ran `sed ... provider.env/d` — a stray /d on the file path made it error. Dropped it; the rc.d strips the key on success. - join-hive interpolated the key into `sh -c "..."` argv (visible in ps). Now piped via stdin. Also keep provider.env at 0600 after the rc.d rewrite (it still holds BW_*). Validated: sh -n on both scripts, ./scripts/check-format.sh clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-21 21:48:14 +02:00			`# No required_files: the key may come from provider.env (vault-fetched by`
			`# join-hive) rather than the legacy keyfile, and onestart still enforces`
			`# required_files. The start function returns 0 cleanly when neither source`
			`# carries a key.`
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness 2026-05-24 23:21:02 +02:00			`clawdie_tailscale_up_start() {`
			`_keyfile="/var/lib/clawdie-iso/tailscale-authkey"`
feat(join-hive): fetch Tailscale auth key from Vaultwarden on boot Adds step [2b] to join-hive: if bw is available and the node is not yet on Tailscale, fetch the tailscale-auth-key item from Vaultwarden, write TAILSCALE_AUTH_KEY to provider.env, and trigger tailscale-up. - Handles both naming variants (tailscale-auth-key / tailscale_auth_key) - One-shot: key removed from provider.env after successful join - tailscale-up now reads from provider.env first, legacy key file as fallback - Graceful: no vault item → clear message, no break 2026-06-21 21:11:37 +02:00			`_envfile="/usr/local/etc/colibri/provider.env"`

			`# Primary: auth key from provider.env (vault-fetched by join-hive).`
			`# Fallback: legacy key file (ISO-baked or manually staged).`
			`_authkey=""`
			`if [ -r "$_envfile" ]; then`
			`_authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null \| head -1 \| cut -d= -f2- \| tr -d '\r\n')"`
			`fi`
			`if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then`
			`_authkey="$(tr -d '\r\n' < "$_keyfile")"`
			`fi`
			`[ -n "${_authkey:-}" ] \|\| return 0`
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness 2026-05-24 23:21:02 +02:00
			`command -v tailscale >/dev/null 2>&1 \|\| return 1`
			`service tailscaled onestatus >/dev/null 2>&1 \|\| return 1`

			`if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then`
fix(tailscale): make vault auto-join work on the OOTB operator image PR #102 wired the standalone tailscale-auth-key vault item, but the out-of-the-box path (no baked key) could not actually start the service: - clawdie-tailscale-up kept required_files=<keyfile>, which onestart still enforces; the keyfile is absent on the OOTB image. Removed it — the start function already returns 0 when neither provider.env nor the keyfile carries a key, so the guard is redundant. - join-hive called `service ... start`: refused because the service defaults to enable=NO without a baked key, and it lacked root. Now `mdo -u root service ... onestart` (root + bypass rcvar). - join-hive's post-join cleanup ran `sed ... provider.env/d` — a stray /d on the file path made it error. Dropped it; the rc.d strips the key on success. - join-hive interpolated the key into `sh -c "..."` argv (visible in ps). Now piped via stdin. Also keep provider.env at 0600 after the rc.d rewrite (it still holds BW_*). Validated: sh -n on both scripts, ./scripts/check-format.sh clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-21 21:48:14 +02:00			`# Clean up both sources so the one-shot key is consumed. provider.env`
			`# still holds the BW_* creds, so keep it 0600 after the rewrite.`
			`if grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null; then`
			`chmod 0600 "$_envfile.tmp"`
			`mv "$_envfile.tmp" "$_envfile"`
			`else`
			`rm -f "$_envfile.tmp"`
			`fi`
Merge xfce-operator-usb: Track F Colibri, DeepSeek smoke, LLM provider harness 2026-05-24 23:21:02 +02:00			`rm -f "$_keyfile"`
			`/usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 \|\| true`
			`return 0`
			`fi`

			`return 1`
			`}`

			`load_rc_config "$name"`
			`: "${clawdie_tailscale_up_enable:=NO}"`
			`run_rc_command "$1"`