diff --git a/live/operator-session/clawdie-join-hive.sh b/live/operator-session/clawdie-join-hive.sh index f27eaced..fabc8791 100755 --- a/live/operator-session/clawdie-join-hive.sh +++ b/live/operator-session/clawdie-join-hive.sh @@ -184,6 +184,44 @@ else echo " Vault provisioning is skipped until they are added." fi +# 2b. Tailscale auth key (separate from vault-fetch — a single standalone item). +if have bw && provider_env_has_bw_creds && ! tailscale status >/dev/null 2>&1; then + echo " Fetching Tailscale auth key from vault..." + _tskey="$(mdo -u root sh -c ' +set -eu +. /usr/local/etc/colibri/provider.env +# Reuse existing session if possible; otherwise unlock fresh. +SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null || true)" +if [ -z "$SESSION" ]; then + bw login --apikey >/dev/null 2>&1 + SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)" +fi +# Handle both naming conventions: hyphenated in vault, underscored env var. +ITEM="$(bw list items --search tailscale-auth-key --session "$SESSION" 2>/dev/null | \ + python3 -c "import sys,json; items=json.load(sys.stdin); ts=[i for i in items if i.get(\"name\",\"\") in (\"tailscale-auth-key\",\"tailscale_auth_key\")]; print(ts[0][\"notes\"] if ts else \"\")" 2>/dev/null || true)" +bw lock >/dev/null 2>&1 || true +printf "%s" "$ITEM" +' 2>/dev/null)" + if [ -n "${_tskey:-}" ]; then + echo "$_tskey" | grep -q '^tskey-auth-' && { + mdo -u root sh -c " + printf 'TAILSCALE_AUTH_KEY=%s\\n' '$_tskey' >> /usr/local/etc/colibri/provider.env + chmod 0600 /usr/local/etc/colibri/provider.env + " + echo " TAILSCALE_AUTH_KEY written to provider.env." + if service clawdie_tailscale_up start >/dev/null 2>&1; then + echo " Tailscale joined ($(tailscale status 2>/dev/null | head -1 || echo 'up'))." + # One-shot: remove the key from provider.env after use. + mdo -u root sh -c "sed -i '' '/^TAILSCALE_AUTH_KEY=/d' /usr/local/etc/colibri/provider.env/d" + else + echo " WARNING: tailscale up failed — check the key in Vaultwarden." + fi + } || echo " WARNING: Vaultwarden item found but does not look like an auth key." + else + echo " No tailscale-auth-key item in Vaultwarden (create one to auto-join)." + fi +fi + # 3. Detect capabilities HOST=$(hostname 2>/dev/null || echo "clawdie-live") OS=$(uname -s 2>/dev/null | tr '[:upper:]' '[:lower:]') diff --git a/live/operator-session/clawdie-tailscale-up b/live/operator-session/clawdie-tailscale-up index 76f8abbc..a0db8a20 100644 --- a/live/operator-session/clawdie-tailscale-up +++ b/live/operator-session/clawdie-tailscale-up @@ -14,18 +14,26 @@ required_files="/var/lib/clawdie-iso/tailscale-authkey" clawdie_tailscale_up_start() { _keyfile="/var/lib/clawdie-iso/tailscale-authkey" + _envfile="/usr/local/etc/colibri/provider.env" + + # Primary: auth key from provider.env (vault-fetched by join-hive). + # Fallback: legacy key file (ISO-baked or manually staged). + _authkey="" + if [ -r "$_envfile" ]; then + _authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r\n')" + fi + if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then + _authkey="$(tr -d '\r\n' < "$_keyfile")" + fi + [ -n "${_authkey:-}" ] || return 0 - [ -s "$_keyfile" ] || return 0 command -v tailscale >/dev/null 2>&1 || return 1 service tailscaled onestatus >/dev/null 2>&1 || return 1 - _authkey=$(tr -d '\r\n' < "$_keyfile") - if [ -z "${_authkey:-}" ]; then - rm -f "$_keyfile" - return 0 - fi - if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then + # Clean up both sources so the one-shot key is consumed. + grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null && \ + mv "$_envfile.tmp" "$_envfile" || true rm -f "$_keyfile" /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true return 0