Merge pull request 'feat/tailscale-vault-autojoin' (#102) from feat/tailscale-vault-autojoin into main

Reviewed-on: #102

live/operator-session/clawdie-join-hive.sh

@@ -184,6 +184,44 @@ else
     echo "       Vault provisioning is skipped until they are added."
 fi
 
+# 2b. Tailscale auth key (separate from vault-fetch — a single standalone item).
+if have bw && provider_env_has_bw_creds && ! tailscale status >/dev/null 2>&1; then
+    echo "       Fetching Tailscale auth key from vault..."
+    _tskey="$(mdo -u root sh -c '
+set -eu
+. /usr/local/etc/colibri/provider.env
+# Reuse existing session if possible; otherwise unlock fresh.
+SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null || true)"
+if [ -z "$SESSION" ]; then
+    bw login --apikey >/dev/null 2>&1
+    SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)"
+fi
+# Handle both naming conventions: hyphenated in vault, underscored env var.
+ITEM="$(bw list items --search tailscale-auth-key --session "$SESSION" 2>/dev/null | \
+    python3 -c "import sys,json; items=json.load(sys.stdin); ts=[i for i in items if i.get(\"name\",\"\") in (\"tailscale-auth-key\",\"tailscale_auth_key\")]; print(ts[0][\"notes\"] if ts else \"\")" 2>/dev/null || true)"
+bw lock >/dev/null 2>&1 || true
+printf "%s" "$ITEM"
+' 2>/dev/null)"
+    if [ -n "${_tskey:-}" ]; then
+        echo "$_tskey" | grep -q '^tskey-auth-' && {
+            mdo -u root sh -c "
+                printf 'TAILSCALE_AUTH_KEY=%s\\n' '$_tskey' >> /usr/local/etc/colibri/provider.env
+                chmod 0600 /usr/local/etc/colibri/provider.env
+            "
+            echo "       TAILSCALE_AUTH_KEY written to provider.env."
+            if service clawdie_tailscale_up start >/dev/null 2>&1; then
+                echo "       Tailscale joined ($(tailscale status 2>/dev/null | head -1 || echo 'up'))."
+                # One-shot: remove the key from provider.env after use.
+                mdo -u root sh -c "sed -i '' '/^TAILSCALE_AUTH_KEY=/d' /usr/local/etc/colibri/provider.env/d"
+            else
+                echo "       WARNING: tailscale up failed — check the key in Vaultwarden."
+            fi
+        } || echo "       WARNING: Vaultwarden item found but does not look like an auth key."
+    else
+        echo "       No tailscale-auth-key item in Vaultwarden (create one to auto-join)."
+    fi
+fi
+
 # 3. Detect capabilities
 HOST=$(hostname 2>/dev/null || echo "clawdie-live")
 OS=$(uname -s 2>/dev/null | tr '[:upper:]' '[:lower:]')

live/operator-session/clawdie-tailscale-up

@@ -14,18 +14,26 @@ required_files="/var/lib/clawdie-iso/tailscale-authkey"
 
 clawdie_tailscale_up_start() {
     _keyfile="/var/lib/clawdie-iso/tailscale-authkey"
+    _envfile="/usr/local/etc/colibri/provider.env"
+
+    # Primary: auth key from provider.env (vault-fetched by join-hive).
+    # Fallback: legacy key file (ISO-baked or manually staged).
+    _authkey=""
+    if [ -r "$_envfile" ]; then
+        _authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r\n')"
+    fi
+    if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then
+        _authkey="$(tr -d '\r\n' < "$_keyfile")"
+    fi
+    [ -n "${_authkey:-}" ] || return 0
 
-    [ -s "$_keyfile" ] || return 0
     command -v tailscale >/dev/null 2>&1 || return 1
     service tailscaled onestatus >/dev/null 2>&1 || return 1
 
-    _authkey=$(tr -d '\r\n' < "$_keyfile")
-    if [ -z "${_authkey:-}" ]; then
-        rm -f "$_keyfile"
-        return 0
-    fi
-
     if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
+        # Clean up both sources so the one-shot key is consumed.
+        grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null && \
+            mv "$_envfile.tmp" "$_envfile" || true
         rm -f "$_keyfile"
         /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
         return 0