update: automate tailscale enrollment from Gitea secrets

Add a first-boot tailscale enrollment service to the NixOS template and wire terraform-apply to inject TS auth key at runtime from secrets, so keys are not baked into templates or repo files.
2026-02-28 00:33:14 +00:00
parent e714a56980
commit 595df12b3e
2 changed files with 49 additions and 0 deletions
--- a/nixos/template-base/configuration.nix
+++ b/nixos/template-base/configuration.nix
@@ -39,6 +39,33 @@

  security.sudo.wheelNeedsPassword = false;

+  systemd.services.tailscale-firstboot = {
+    description = "One-time Tailscale enrollment";
+    after = [ "network-online.target" "tailscaled.service" ];
+    wants = [ "network-online.target" "tailscaled.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ -f /var/lib/tailscale/.joined ]; then
+        exit 0
+      fi
+
+      if [ ! -s /etc/tailscale/authkey ]; then
+        exit 0
+      fi
+
+      key="$(cat /etc/tailscale/authkey)"
+      ${pkgs.tailscale}/bin/tailscale up --auth-key="$key" --hostname="$(hostname)"
+
+      install -d -m 0700 /var/lib/tailscale
+      touch /var/lib/tailscale/.joined
+      rm -f /etc/tailscale/authkey
+    '';
+  };
+
  environment.systemPackages = with pkgs; [
    btop
    curl
@@ -50,6 +77,7 @@
    htop
    jq
    ripgrep
+    tailscale
    tree
    unzip
    vim