clawdie/clawdie-iso
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(tailscale): make vault auto-join work on the OOTB operator image

Browse source 
PR #102 wired the standalone tailscale-auth-key vault item, but the
out-of-the-box path (no baked key) could not actually start the service:

- clawdie-tailscale-up kept required_files=<keyfile>, which onestart still
  enforces; the keyfile is absent on the OOTB image. Removed it — the start
  function already returns 0 when neither provider.env nor the keyfile carries
  a key, so the guard is redundant.
- join-hive called `service ... start`: refused because the service defaults to
  enable=NO without a baked key, and it lacked root. Now `mdo -u root service
  ... onestart` (root + bypass rcvar).
- join-hive's post-join cleanup ran `sed ... provider.env/d` — a stray /d on the
  file path made it error. Dropped it; the rc.d strips the key on success.
- join-hive interpolated the key into `sh -c "..."` argv (visible in ps). Now
  piped via stdin.

Also keep provider.env at 0600 after the rc.d rewrite (it still holds BW_*).

Validated: sh -n on both scripts, ./scripts/check-format.sh clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Sam & Claude 2026-06-21 21:48:14 +02:00
parent 50629cd7a1
commit 6ad3fe5533
2 changed files with 24 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
live/operator-session/clawdie-join-hive.sh
View file

@ -204,15 +204,20 @@ printf "%s" "$ITEM"
' 2>/dev/null)" ' 2>/dev/null)"
if [ -n "${_tskey:-}" ]; then if [ -n "${_tskey:-}" ]; then
echo "$_tskey" | grep -q '^tskey-auth-' && { echo "$_tskey" | grep -q '^tskey-auth-' && {
mdo -u root sh -c " # Pass the key via stdin, not argv, so it never appears in ps.
printf 'TAILSCALE_AUTH_KEY=%s\\n' '$_tskey' >> /usr/local/etc/colibri/provider.env printf '%s' "$_tskey" | mdo -u root sh -c '
chmod 0600 /usr/local/etc/colibri/provider.env set -eu
" f="/usr/local/etc/colibri/provider.env"
read -r k
printf "TAILSCALE_AUTH_KEY=%s\n" "$k" >> "$f"
chmod 0600 "$f"
'
echo " TAILSCALE_AUTH_KEY written to provider.env." echo " TAILSCALE_AUTH_KEY written to provider.env."
if service clawdie_tailscale_up start >/dev/null 2>&1; then # onestart: the service defaults to enable=NO on the OOTB image, and
# onestart bypasses rcvar. With required_files removed it reads the
# key from provider.env and strips it after a successful join.
if mdo -u root service clawdie_tailscale_up onestart >/dev/null 2>&1; then
echo " Tailscale joined ($(tailscale status 2>/dev/null | head -1 || echo 'up'))." echo " Tailscale joined ($(tailscale status 2>/dev/null | head -1 || echo 'up'))."
# One-shot: remove the key from provider.env after use.
mdo -u root sh -c "sed -i '' '/^TAILSCALE_AUTH_KEY=/d' /usr/local/etc/colibri/provider.env/d"
else else
echo " WARNING: tailscale up failed — check the key in Vaultwarden." echo " WARNING: tailscale up failed — check the key in Vaultwarden."
fi fi

16
live/operator-session/clawdie-tailscale-up
View file

@ -10,8 +10,11 @@ name="clawdie_tailscale_up"
rcvar="${name}_enable" rcvar="${name}_enable"
start_cmd="${name}_start" start_cmd="${name}_start"
stop_cmd=":" stop_cmd=":"
required_files="/var/lib/clawdie-iso/tailscale-authkey"
# No required_files: the key may come from provider.env (vault-fetched by
# join-hive) rather than the legacy keyfile, and onestart still enforces
# required_files. The start function returns 0 cleanly when neither source
# carries a key.
clawdie_tailscale_up_start() { clawdie_tailscale_up_start() {
_keyfile="/var/lib/clawdie-iso/tailscale-authkey" _keyfile="/var/lib/clawdie-iso/tailscale-authkey"
_envfile="/usr/local/etc/colibri/provider.env" _envfile="/usr/local/etc/colibri/provider.env"
@ -31,9 +34,14 @@ clawdie_tailscale_up_start() {
service tailscaled onestatus >/dev/null 2>&1 || return 1 service tailscaled onestatus >/dev/null 2>&1 || return 1
if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
# Clean up both sources so the one-shot key is consumed. # Clean up both sources so the one-shot key is consumed. provider.env
grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null && \ # still holds the BW_* creds, so keep it 0600 after the rewrite.
mv "$_envfile.tmp" "$_envfile" || true if grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null; then
chmod 0600 "$_envfile.tmp"
mv "$_envfile.tmp" "$_envfile"
else
rm -f "$_envfile.tmp"
fi
rm -f "$_keyfile" rm -f "$_keyfile"
/usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
return 0 return 0