feat(join-hive): fetch Tailscale auth key from Vaultwarden on boot

Adds step [2b] to join-hive: if bw is available and the node is not yet on Tailscale, fetch the tailscale-auth-key item from Vaultwarden, write TAILSCALE_AUTH_KEY to provider.env, and trigger tailscale-up. - Handles both naming variants (tailscale-auth-key / tailscale_auth_key) - One-shot: key removed from provider.env after successful join - tailscale-up now reads from provider.env first, legacy key file as fallback - Graceful: no vault item → clear message, no break
2026-06-21 21:11:37 +02:00 · 2026-06-21 21:11:37 +02:00 · 772e32d8bb
commit 772e32d8bb
parent b1202bb235
2 changed files with 53 additions and 7 deletions
--- a/live/operator-session/clawdie-join-hive.sh
+++ b/live/operator-session/clawdie-join-hive.sh
@ -184,6 +184,44 @@ else
    echo "       Vault provisioning is skipped until they are added."
 fi

+# 2b. Tailscale auth key (separate from vault-fetch — a single standalone item).
+if have bw && provider_env_has_bw_creds && ! tailscale status >/dev/null 2>&1; then
+    echo "       Fetching Tailscale auth key from vault..."
+    _tskey="$(mdo -u root sh -c '
+set -eu
+. /usr/local/etc/colibri/provider.env
+# Reuse existing session if possible; otherwise unlock fresh.
+SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null || true)"
+if [ -z "$SESSION" ]; then
+    bw login --apikey >/dev/null 2>&1
+    SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)"
+fi
+# Handle both naming conventions: hyphenated in vault, underscored env var.
+ITEM="$(bw list items --search tailscale-auth-key --session "$SESSION" 2>/dev/null | \
+    python3 -c "import sys,json; items=json.load(sys.stdin); ts=[i for i in items if i.get(\"name\",\"\") in (\"tailscale-auth-key\",\"tailscale_auth_key\")]; print(ts[0][\"notes\"] if ts else \"\")" 2>/dev/null || true)"
+bw lock >/dev/null 2>&1 || true
+printf "%s" "$ITEM"
+' 2>/dev/null)"
+    if [ -n "${_tskey:-}" ]; then
+        echo "$_tskey" | grep -q '^tskey-auth-' && {
+            mdo -u root sh -c "
+                printf 'TAILSCALE_AUTH_KEY=%s\\n' '$_tskey' >> /usr/local/etc/colibri/provider.env
+                chmod 0600 /usr/local/etc/colibri/provider.env
+            "
+            echo "       TAILSCALE_AUTH_KEY written to provider.env."
+            if service clawdie_tailscale_up start >/dev/null 2>&1; then
+                echo "       Tailscale joined ($(tailscale status 2>/dev/null | head -1 || echo 'up'))."
+                # One-shot: remove the key from provider.env after use.
+                mdo -u root sh -c "sed -i '' '/^TAILSCALE_AUTH_KEY=/d' /usr/local/etc/colibri/provider.env"
+            else
+                echo "       WARNING: tailscale up failed — check the key in Vaultwarden."
+            fi
+        } || echo "       WARNING: Vaultwarden item found but does not look like an auth key."
+    else
+        echo "       No tailscale-auth-key item in Vaultwarden (create one to auto-join)."
+    fi
+fi
+
 # 3. Detect capabilities
 HOST=$(hostname 2>/dev/null || echo "clawdie-live")
 OS=$(uname -s 2>/dev/null | tr '[:upper:]' '[:lower:]')
--- a/live/operator-session/clawdie-tailscale-up
+++ b/live/operator-session/clawdie-tailscale-up
@ -14,18 +14,26 @@ required_files="/var/lib/clawdie-iso/tailscale-authkey"

 clawdie_tailscale_up_start() {
    _keyfile="/var/lib/clawdie-iso/tailscale-authkey"
+    _envfile="/usr/local/etc/colibri/provider.env"
+
+    # Primary: auth key from provider.env (vault-fetched by join-hive).
+    # Fallback: legacy key file (ISO-baked or manually staged).
+    _authkey=""
+    if [ -r "$_envfile" ]; then
+        _authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r\n')"
+    fi
+    if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then
+        _authkey="$(tr -d '\r\n' < "$_keyfile")"
+    fi
+    [ -n "${_authkey:-}" ] || return 0

-    [ -s "$_keyfile" ] || return 0
    command -v tailscale >/dev/null 2>&1 || return 1
    service tailscaled onestatus >/dev/null 2>&1 || return 1

-    _authkey=$(tr -d '\r\n' < "$_keyfile")
-    if [ -z "${_authkey:-}" ]; then
-        rm -f "$_keyfile"
-        return 0
-    fi
-
    if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
+        # Clean up both sources so the one-shot key is consumed.
+        grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null && \
+            mv "$_envfile.tmp" "$_envfile" || true
        rm -f "$_keyfile"
        /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
        return 0