From 6fada2f32a5b00cd0d0b88d7451c570554d570f4 Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Sat, 28 Feb 2026 12:12:58 +0000 Subject: [PATCH] refactor: use direct tailscale auth-key enrollment Stop writing auth keys to guest files and enroll nodes by running tailscale up directly via Proxmox guest agent with VM-name hostnames.
---
 .gitea/workflows/terraform-apply.yml | 10 ++++-----
 nixos/template-base/configuration.nix | 31 ---------------------------
 2 files changed, 4 insertions(+), 37 deletions(-)
diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index 5e0b392..dbd7c00 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -199,14 +199,12 @@ jobs:
 safe_hostname = hostname.replace("'", "'\"'\"'")
 cmd = (
 "set -e; "
- "install -d -m 700 /etc/tailscale; "
- f"printf '%s' '{safe_key}' > /etc/tailscale/authkey; "
- f"printf '%s' '{safe_hostname}' > /etc/tailscale/hostname; "
- "chmod 600 /etc/tailscale/authkey; "
 f"hostnamectl set-hostname '{safe_hostname}' || true; "
+ "install -d -m 700 /var/lib/tailscale; "
+ "rm -f /var/lib/tailscale/tailscaled.state; "
 "systemctl restart tailscaled; "
- "systemctl start tailscale-firstboot.service; "
- "tailscale status || true"
+ f"/run/current-system/sw/bin/tailscale up --reset --auth-key='{safe_key}' --hostname='{safe_hostname}'; "
+ "/run/current-system/sw/bin/tailscale status || true"
 )
 exitcode, stdout, stderr = exec_guest(vmid, cmd)
diff --git a/nixos/template-base/configuration.nix b/nixos/template-base/configuration.nix
index 3ec6384..7475bc4 100644
--- a/nixos/template-base/configuration.nix
+++ b/nixos/template-base/configuration.nix
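Review bot: The auth key now travels as a literal `--auth-key='…'` argument, so for as long as `tailscale up` runs it is readable inside the guest by any local user via `ps` or `/proc/<pid>/cmdline`, and it also sits in the argv of the shell that `exec_guest` presumably spawns to run `cmd` (as the old `printf` form already did). If `exec_guest` can feed stdin to the guest (QEMU guest-exec accepts `input-data`; Proxmox exposes it as `qm guest exec --pass-stdin`), send the key that way and replace the interpolation with `"trap 'rm -f /run/tailscale/authkey' EXIT; umask 077; install -d -m 700 /run/tailscale; cat > /run/tailscale/authkey; "` ahead of the restart, then `f"/run/current-system/sw/bin/tailscale up --reset --auth-key=file:/run/tailscale/authkey --hostname='{safe_hostname}'; "`, which keeps the key out of every argv and off disk after the command exits. The `file:` prefix on `--auth-key` exists in recent tailscale CLIs but not in very old ones, so confirm the version baked into the template before relying on it. Whatever the transport, make sure the runner never echoes `cmd` into the job log on failure, since it contains the key. The enclosing function starts and ends outside this hunk.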
@@ -39,37 +39,6 @@ security.sudo.wheelNeedsPassword = false;
- systemd.services.tailscale-firstboot = {
- description = "One-time Tailscale enrollment";
- after = [ "network-online.target" "tailscaled.service" ];
- wants = [ "network-online.target" "tailscaled.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- install -d -m 0700 /etc/tailscale
-
- if [ ! -s /etc/tailscale/authkey ]; then
- exit 0
- fi
-
- key="$(cat /etc/tailscale/authkey)"
- ts_hostname=""
- if [ -s /etc/tailscale/hostname ]; then
- ts_hostname="--hostname=$(cat /etc/tailscale/hostname)"
- fi
-
- install -d -m 0700 /var/lib/tailscale
- rm -f /var/lib/tailscale/tailscaled.state
- ${pkgs.tailscale}/bin/tailscale up --reset --auth-key="$key" $ts_hostname
-
- rm -f /etc/tailscale/authkey
- rm -f /etc/tailscale/hostname
- '';
- };
-
 environment.systemPackages = with pkgs; [
 btop
 curl