Merge pull request 'fix: make tailscale enrollment clone-safe and hostname-aware' (#22 ) from stage into master

Reviewed-on: #22
fix: make tailscale enrollment clone-safe and hostname-aware
2026-02-28 02:02:49 +00:00 · 2026-02-28 02:01:48 +00:00
2 changed files with 24 additions and 10 deletions
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -81,12 +81,25 @@ jobs:
            exit 0
          fi
          echo "Expected format: host or host=hostname (comma-separated)"
          install -m 700 -d ~/.ssh
          printf '%s\n' "$VM_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
-          for host in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
+          for target in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
            host="${target%%=*}"
            ts_hostname=""
            if [ "$host" != "$target" ]; then
              ts_hostname="${target#*=}"
            fi
            echo "Enrolling $host into Tailscale"
-            ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
+            if [ -n "$ts_hostname" ]; then
-              "echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null && sudo chmod 600 /etc/tailscale/authkey && sudo systemctl start tailscale-firstboot.service"
+              ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
                "set -e; echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null; echo '$ts_hostname' | sudo tee /etc/tailscale/hostname >/dev/null; sudo chmod 600 /etc/tailscale/authkey; sudo hostnamectl set-hostname '$ts_hostname' || true; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
            else
              ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
                "set -e; echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null; sudo chmod 600 /etc/tailscale/authkey; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
            fi
          done
--- a/nixos/template-base/configuration.nix
+++ b/nixos/template-base/configuration.nix
@@ -49,20 +49,21 @@
      RemainAfterExit = true;
    };
    script = ''
      if [ -f /var/lib/tailscale/.joined ]; then
        exit 0
      fi
      if [ ! -s /etc/tailscale/authkey ]; then
        exit 0
      fi
      key="$(cat /etc/tailscale/authkey)"
-      ${pkgs.tailscale}/bin/tailscale up --auth-key="$key" --hostname="$(hostname)"
+      ts_hostname=""
      if [ -s /etc/tailscale/hostname ]; then
        ts_hostname="--hostname=$(cat /etc/tailscale/hostname)"
      fi
      rm -f /var/lib/tailscale/tailscaled.state
      ${pkgs.tailscale}/bin/tailscale up --reset --auth-key="$key" $ts_hostname
      install -d -m 0700 /var/lib/tailscale
      touch /var/lib/tailscale/.joined
      rm -f /etc/tailscale/authkey
      rm -f /etc/tailscale/hostname
    '';
  };
Author	SHA1	Message	Date
micqdf	5e1fd2e9f3	Merge pull request 'fix: make tailscale enrollment clone-safe and hostname-aware' (#22 ) from stage into master All checks were successful Terraform Apply / Terraform Apply (push) Successful in 1m54s Details Reviewed-on: #22	2026-02-28 02:02:49 +00:00
MichaelFisher1997	3335020db5	fix: make tailscale enrollment clone-safe and hostname-aware All checks were successful Terraform Plan / Terraform Plan (push) Successful in 17s Details Reset cloned tailscale state before first join, remove one-shot marker dependency, and allow workflow host entries in host=hostname format so nodes join with VM-aligned tailscale names.	2026-02-28 02:01:48 +00:00