PR #102 wired the standalone tailscale-auth-key vault item, but the
out-of-the-box path (no baked key) could not actually start the service:
- clawdie-tailscale-up kept required_files=<keyfile>, which onestart still
enforces; the keyfile is absent on the OOTB image. Removed it — the start
function already returns 0 when neither provider.env nor the keyfile carries
a key, so the guard is redundant.
- join-hive called `service ... start`: refused because the service defaults to
enable=NO without a baked key, and it lacked root. Now `mdo -u root service
... onestart` (root + bypass rcvar).
- join-hive's post-join cleanup ran `sed ... provider.env/d` — a stray /d on the
file path made it error. Dropped it; the rc.d strips the key on success.
- join-hive interpolated the key into `sh -c "..."` argv (visible in ps). Now
piped via stdin.

Also keep provider.env at 0600 after the rc.d rewrite (it still holds BW_*).

Validated: sh -n on both scripts, ./scripts/check-format.sh clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>