From 6ad3fe5533d7b0d5274b2ff20f73064b738d08b7 Mon Sep 17 00:00:00 2001
From: Sam & Claude <hello@clawdie.si>
Date: Sun, 21 Jun 2026 21:48:14 +0200
Subject: [PATCH] fix(tailscale): make vault auto-join work on the OOTB
 operator image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #102 wired the standalone tailscale-auth-key vault item, but the
out-of-the-box path (no baked key) could not actually start the service:

- clawdie-tailscale-up kept required_files=<keyfile>, which onestart still
  enforces; the keyfile is absent on the OOTB image. Removed it — the start
  function already returns 0 when neither provider.env nor the keyfile carries
  a key, so the guard is redundant.
- join-hive called `service ... start`: refused because the service defaults to
  enable=NO without a baked key, and it lacked root. Now `mdo -u root service
  ... onestart` (root + bypass rcvar).
- join-hive's post-join cleanup ran `sed ... provider.env/d` — a stray /d on the
  file path made it error. Dropped it; the rc.d strips the key on success.
- join-hive interpolated the key into `sh -c "..."` argv (visible in ps). Now
  piped via stdin.

Also keep provider.env at 0600 after the rc.d rewrite (it still holds BW_*).

Validated: sh -n on both scripts, ./scripts/check-format.sh clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 live/operator-session/clawdie-join-hive.sh | 19 ++++++++++++-------
 live/operator-session/clawdie-tailscale-up | 16 ++++++++++++----
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/live/operator-session/clawdie-join-hive.sh b/live/operator-session/clawdie-join-hive.sh
index fabc8791..27c0842c 100755
--- a/live/operator-session/clawdie-join-hive.sh
+++ b/live/operator-session/clawdie-join-hive.sh
@@ -204,15 +204,20 @@ printf "%s" "$ITEM"
 ' 2>/dev/null)"
     if [ -n "${_tskey:-}" ]; then
         echo "$_tskey" | grep -q '^tskey-auth-' && {
-            mdo -u root sh -c "
-                printf 'TAILSCALE_AUTH_KEY=%s\\n' '$_tskey' >> /usr/local/etc/colibri/provider.env
-                chmod 0600 /usr/local/etc/colibri/provider.env
-            "
+            # Pass the key via stdin, not argv, so it never appears in ps.
+            printf '%s' "$_tskey" | mdo -u root sh -c '
+                set -eu
+                f="/usr/local/etc/colibri/provider.env"
+                read -r k
+                printf "TAILSCALE_AUTH_KEY=%s\n" "$k" >> "$f"
+                chmod 0600 "$f"
+            '
             echo "       TAILSCALE_AUTH_KEY written to provider.env."
-            if service clawdie_tailscale_up start >/dev/null 2>&1; then
+            # onestart: the service defaults to enable=NO on the OOTB image, and
+            # onestart bypasses rcvar. With required_files removed it reads the
+            # key from provider.env and strips it after a successful join.
+            if mdo -u root service clawdie_tailscale_up onestart >/dev/null 2>&1; then
                 echo "       Tailscale joined ($(tailscale status 2>/dev/null | head -1 || echo 'up'))."
-                # One-shot: remove the key from provider.env after use.
-                mdo -u root sh -c "sed -i '' '/^TAILSCALE_AUTH_KEY=/d' /usr/local/etc/colibri/provider.env/d"
             else
                 echo "       WARNING: tailscale up failed — check the key in Vaultwarden."
             fi
diff --git a/live/operator-session/clawdie-tailscale-up b/live/operator-session/clawdie-tailscale-up
index a0db8a20..18148582 100644
--- a/live/operator-session/clawdie-tailscale-up
+++ b/live/operator-session/clawdie-tailscale-up
@@ -10,8 +10,11 @@ name="clawdie_tailscale_up"
 rcvar="${name}_enable"
 start_cmd="${name}_start"
 stop_cmd=":"
-required_files="/var/lib/clawdie-iso/tailscale-authkey"
 
+# No required_files: the key may come from provider.env (vault-fetched by
+# join-hive) rather than the legacy keyfile, and onestart still enforces
+# required_files. The start function returns 0 cleanly when neither source
+# carries a key.
 clawdie_tailscale_up_start() {
     _keyfile="/var/lib/clawdie-iso/tailscale-authkey"
     _envfile="/usr/local/etc/colibri/provider.env"
@@ -31,9 +34,14 @@ clawdie_tailscale_up_start() {
     service tailscaled onestatus >/dev/null 2>&1 || return 1
 
     if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
-        # Clean up both sources so the one-shot key is consumed.
-        grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null && \
-            mv "$_envfile.tmp" "$_envfile" || true
+        # Clean up both sources so the one-shot key is consumed. provider.env
+        # still holds the BW_* creds, so keep it 0600 after the rewrite.
+        if grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null; then
+            chmod 0600 "$_envfile.tmp"
+            mv "$_envfile.tmp" "$_envfile"
+        else
+            rm -f "$_envfile.tmp"
+        fi
         rm -f "$_keyfile"
         /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
         return 0