#!/bin/sh

# PROVIDE: clawdie_tailscale_up
# REQUIRE: LOGIN tailscaled
# KEYWORD: shutdown

. /etc/rc.subr

name="clawdie_tailscale_up"
rcvar="${name}_enable"
start_cmd="${name}_start"
stop_cmd=":"
required_files="/var/lib/clawdie-iso/tailscale-authkey"

clawdie_tailscale_up_start() {
    _keyfile="/var/lib/clawdie-iso/tailscale-authkey"
    _envfile="/usr/local/etc/colibri/provider.env"

    # Primary: auth key from provider.env (vault-fetched by join-hive).
    # Fallback: legacy key file (ISO-baked or manually staged).
    _authkey=""
    if [ -r "$_envfile" ]; then
        _authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r\n')"
    fi
    if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then
        _authkey="$(tr -d '\r\n' < "$_keyfile")"
    fi
    [ -n "${_authkey:-}" ] || return 0

    command -v tailscale >/dev/null 2>&1 || return 1
    service tailscaled onestatus >/dev/null 2>&1 || return 1

    if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
        # Clean up both sources so the one-shot key is consumed.
        grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null && \
            mv "$_envfile.tmp" "$_envfile" || true
        rm -f "$_keyfile"
        /usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
        return 0
    fi

    return 1
}

load_rc_config "$name"
: "${clawdie_tailscale_up_enable:=NO}"
run_rc_command "$1"