fix(tailscale): make vault auto-join work on the OOTB operator image #103

Merged
clawdie merged 1 commit from fix-tailscale-vault-autojoin-ootb into main 2026-06-21 21:52:42 +02:00
Owner

Follow-up to #102. The standalone tailscale-auth-key vault item is wired correctly, but the out-of-the-box path (no baked key) could not actually start the service. Four fixes:

| # | Where | Fix |
|---|-------|-----|
| 1 | `clawdie-tailscale-up` | Remove `required_files=<keyfile>` — `onestart` enforces it and the keyfile is absent on the OOTB image. The start function already returns 0 when neither provider.env nor the keyfile carries a key. |
| 2 | `join-hive` | `mdo -u root service clawdie_tailscale_up onestart` — was plain `start` (refused; service defaults to `enable=NO` without a baked key) and lacked root. |
| 3 | `join-hive` | Drop the post-join `sed ... provider.env/d` — stray `/d` on the file path made it error; the rc.d already strips the key on success. |
| 4 | `join-hive` | Pass the key via stdin, not `sh -c` argv (was visible in `ps`). |

Also keeps `provider.env` at `0600` after the rc.d rewrite (it still holds the `BW_*` creds).

**Validation:** `sh -n` on both scripts, `./scripts/check-format.sh` clean.

Needs a hardware boot check (Tailscale + secrets path) before merge.

🤖 Generated with Claude Code
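Added example, not code from the clawdie-iso repo: the stdin hand-off from fix 4 beside the argv form it replaces, plus a key-strip step that keeps `provider.env` at `0600` (fix 3 and the mode note). `TS_AUTHKEY`, the helper names and the sample file contents are assumptions.

```sh
#!/bin/sh
# Added example, not code from the clawdie-iso repo: hypothetical helpers that
# mirror fixes 3 and 4 of this PR. TS_AUTHKEY as the variable name and the
# provider.env layout are assumptions.

# Leaky form, kept only for contrast: interpolating the key into the argv of
# `sh -c` leaves it readable via `ps` for as long as the child runs.
write_key_argv() {                      # usage: write_key_argv KEY FILE
    sh -c "printf 'TS_AUTHKEY=%s\n' '$1' >> '$2'"
}

# Hardened form: the key arrives on stdin and lives only in a variable of this
# process; the file is rebuilt under umask 077, so it is created 0600.
write_key_stdin() {                     # usage: printf '%s\n' KEY | write_key_stdin FILE
    IFS= read -r key && [ -n "$key" ] || return 1
    (
        umask 077
        tmp="$1.tmp.$$"
        {
            grep -v '^TS_AUTHKEY=' "$1" 2>/dev/null || :   # keep BW_* and the rest
            printf 'TS_AUTHKEY=%s\n' "$key"
        } > "$tmp" && mv "$tmp" "$1"    # mv carries the temp's 0600 over
    )
}

# Stand-in for the post-join strip the rc.d does on success (its real code is
# not on the page): the `/d` belongs on the sed address, not on the file name,
# which is what made the dropped call error.
strip_key() {                           # usage: strip_key FILE
    (
        umask 077
        tmp="$1.tmp.$$"
        sed '/^TS_AUTHKEY=/d' "$1" > "$tmp" && mv "$tmp" "$1"
    )
}

has_key() { grep -q '^TS_AUTHKEY=' "$1"; }          # 0 if a key line is present
mode_is_600() { [ -n "$(find "$1" -perm 600)" ]; }  # exact-mode test, POSIX find
# Round trip on a constructed provider.env that holds only BW_* creds; returns
# 0 only if the key is written, readable, stripped and the mode stays 0600.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/provider.env"
    ( umask 077; printf 'BW_CLIENTID=example\nBW_CLIENTSECRET=example\n' > "$f" )
    printf '%s\n' 'tskey-auth-EXAMPLE' | write_key_stdin "$f" && has_key "$f" &&
        mode_is_600 "$f" && strip_key "$f" && ! has_key "$f" && mode_is_600 "$f" &&
        grep -q '^BW_CLIENTSECRET=' "$f"
    rc=$?; rm -rf "$dir"; return "$rc"
}
```

Calling `demo` runs the whole round trip in a temp directory; an empty key on stdin is rejected before any file is touched.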

clawdie added 1 commit 2026-06-21 21:48:35 +02:00
PR #102 wired the standalone tailscale-auth-key vault item, but the
out-of-the-box path (no baked key) could not actually start the service:

- clawdie-tailscale-up kept required_files=<keyfile>, which onestart still
  enforces; the keyfile is absent on the OOTB image. Removed it — the start
  function already returns 0 when neither provider.env nor the keyfile carries
  a key, so the guard is redundant.
- join-hive called `service ... start`: refused because the service defaults to
  enable=NO without a baked key, and it lacked root. Now `mdo -u root service
  ... onestart` (root + bypass rcvar).
- join-hive's post-join cleanup ran `sed ... provider.env/d` — a stray /d on the
  file path made it error. Dropped it; the rc.d strips the key on success.
- join-hive interpolated the key into `sh -c "..."` argv (visible in ps). Now
  piped via stdin.

Also keep provider.env at 0600 after the rc.d rewrite (it still holds BW_*).

Validated: sh -n on both scripts, ./scripts/check-format.sh clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit 98c1010bc4 into main 2026-06-21 21:52:41 +02:00
clawdie deleted branch fix-tailscale-vault-autojoin-ootb 2026-06-21 21:52:42 +02:00
Reference: clawdie/clawdie-iso#103