Sam & Claude
6ad3fe5533
PR #102 wired the standalone tailscale-auth-key vault item, but the out-of-the-box path (no baked key) could not actually start the service: - clawdie-tailscale-up kept required_files=<keyfile>, which onestart still enforces; the keyfile is absent on the OOTB image. Removed it — the start function already returns 0 when neither provider.env nor the keyfile carries a key, so the guard is redundant. - join-hive called `service ... start`: refused because the service defaults to enable=NO without a baked key, and it lacked root. Now `mdo -u root service ... onestart` (root + bypass rcvar). - join-hive's post-join cleanup ran `sed ... provider.env/d` — a stray /d on the file path made it error. Dropped it; the rc.d strips the key on success. - join-hive interpolated the key into `sh -c "..."` argv (visible in ps). Now piped via stdin. Also keep provider.env at 0600 after the rc.d rewrite (it still holds BW_*). Validated: sh -n on both scripts, ./scripts/check-format.sh clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
55 lines
1.8 KiB
Bash
55 lines
1.8 KiB
Bash
#!/bin/sh
|
|
|
|
# PROVIDE: clawdie_tailscale_up
|
|
# REQUIRE: LOGIN tailscaled
|
|
# KEYWORD: shutdown
|
|
|
|
. /etc/rc.subr
|
|
|
|
name="clawdie_tailscale_up"
|
|
rcvar="${name}_enable"
|
|
start_cmd="${name}_start"
|
|
stop_cmd=":"
|
|
|
|
# No required_files: the key may come from provider.env (vault-fetched by
|
|
# join-hive) rather than the legacy keyfile, and onestart still enforces
|
|
# required_files. The start function returns 0 cleanly when neither source
|
|
# carries a key.
|
|
clawdie_tailscale_up_start() {
|
|
_keyfile="/var/lib/clawdie-iso/tailscale-authkey"
|
|
_envfile="/usr/local/etc/colibri/provider.env"
|
|
|
|
# Primary: auth key from provider.env (vault-fetched by join-hive).
|
|
# Fallback: legacy key file (ISO-baked or manually staged).
|
|
_authkey=""
|
|
if [ -r "$_envfile" ]; then
|
|
_authkey="$(grep '^TAILSCALE_AUTH_KEY=' "$_envfile" 2>/dev/null | head -1 | cut -d= -f2- | tr -d '\r\n')"
|
|
fi
|
|
if [ -z "${_authkey:-}" ] && [ -s "$_keyfile" ]; then
|
|
_authkey="$(tr -d '\r\n' < "$_keyfile")"
|
|
fi
|
|
[ -n "${_authkey:-}" ] || return 0
|
|
|
|
command -v tailscale >/dev/null 2>&1 || return 1
|
|
service tailscaled onestatus >/dev/null 2>&1 || return 1
|
|
|
|
if tailscale up --auth-key="${_authkey}" --hostname=clawdie-live --ssh=false; then
|
|
# Clean up both sources so the one-shot key is consumed. provider.env
|
|
# still holds the BW_* creds, so keep it 0600 after the rewrite.
|
|
if grep -v '^TAILSCALE_AUTH_KEY=' "$_envfile" > "$_envfile.tmp" 2>/dev/null; then
|
|
chmod 0600 "$_envfile.tmp"
|
|
mv "$_envfile.tmp" "$_envfile"
|
|
else
|
|
rm -f "$_envfile.tmp"
|
|
fi
|
|
rm -f "$_keyfile"
|
|
/usr/sbin/sysrc ${name}_enable=NO >/dev/null 2>&1 || true
|
|
return 0
|
|
fi
|
|
|
|
return 1
|
|
}
|
|
|
|
load_rc_config "$name"
|
|
: "${clawdie_tailscale_up_enable:=NO}"
|
|
run_rc_command "$1"
|