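#!/bin/sh
#
# One-shot rc(8) script: bring this node onto the tailnet with a pre-staged
# auth key, then consume the key so it cannot be replayed from disk.
#
# PROVIDE: clawdie_tailscale_up
# REQUIRE: LOGIN tailscaled
# KEYWORD: shutdown

. /etc/rc.subr

name="clawdie_tailscale_up"
rcvar="${name}_enable"
start_cmd="${name}_start"
stop_cmd=":"

# No required_files: the key may come from provider.env (vault-fetched by
# join-hive) rather than the legacy keyfile, and onestart still enforces
# required_files. The start function returns 0 cleanly when neither source
# carries a key.

#######################################
# Strip TAILSCALE_AUTH_KEY from provider.env, keeping every other line.
# provider.env still holds the BW_* creds, so the replacement file is
# created under umask 077 (no world-readable window before chmod) and is
# chmod 0600 before it is moved into place.
# Globals:   _envfile (read)
# Arguments: none
# Returns:   0 always; a failed rewrite is reported via warn and leaves
#            the original file untouched
#######################################
_consume_envfile_key()
{
	# No provider.env (key came from the legacy keyfile): nothing to do.
	[ -e "$_envfile" ] || return 0
	_tmp="$_envfile.tmp"
	# grep -v exits 1 when no lines remain, i.e. the file held only the key
	# line. That is still a successful rewrite, so accept status 0 or 1;
	# only status >= 2 (unreadable/unwritable) aborts.
	( umask 077; grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_tmp" 2>/dev/null )
	_rc=$?
	if [ "$_rc" -le 1 ]; then
		chmod 0600 "$_tmp"
		mv "$_tmp" "$_envfile"
	else
		rm -f "$_tmp"
		warn "could not rewrite $_envfile; TAILSCALE_AUTH_KEY still present"
	fi
	return 0
}

#######################################
# Join the tailnet once and retire the auth key.
# Globals:   name (read), _keyfile/_envfile/_authkey (written)
# Arguments: none
# Outputs:   diagnostics via rc.subr warn on stderr
# Returns:   0 when no key is staged or the join succeeded,
#            1 when tailscale is missing, tailscaled is down, or `up` failed
#######################################
clawdie_tailscale_up_start()
{
	_keyfile="/var/lib/clawdie-iso/tailscale-authkey"
	_envfile="/usr/local/etc/colibri/provider.env"

	# Primary: auth key from provider.env (vault-fetched by join-hive).
	# Fallback: legacy key file (ISO-baked or manually staged).
	_authkey=""
	if [ -r "$_envfile" ]; then
		# NOTE(review): the value is taken verbatim after the first '=';
		# a quoted value (KEY="...") would keep its quotes -- confirm
		# join-hive writes it unquoted.
		_authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null \
			| head -1 | cut -d= -f2- | tr -d '\r\n')"
	fi
	if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then
		_authkey="$(tr -d '\r\n' < "$_keyfile")"
	fi
	# Nothing staged: nothing to do, and not an error.
	[ -n "${_authkey:-}" ] || return 0

	if ! command -v tailscale >/dev/null 2>&1; then
		warn "tailscale binary not found; auth key left in place"
		return 1
	fi
	if ! service tailscaled onestatus >/dev/null 2>&1; then
		warn "tailscaled is not running; auth key left in place"
		return 1
	fi

	# NOTE(review): the key is passed on argv and is briefly visible in
	# ps(1) output while tailscale runs. Recent tailscale CLIs accept
	# --auth-key=file:PATH; switch once the minimum version is pinned.
	if ! tailscale up --auth-key="${_authkey}" --hostname=clawdie-live \
		--ssh=false; then
		warn "tailscale up failed; auth key left in place for retry"
		return 1
	fi

	# Success: consume the one-shot key from both sources and disable the
	# service so a reboot does not rerun `tailscale up`.
	_consume_envfile_key
	rm -f "$_keyfile"
	/usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
	return 0
}

load_rc_config "$name"
: "${clawdie_tailscale_up_enable:=NO}"
run_rc_command "$1"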