From 3335020db59789f93b49c7c4ad8f93960d4c3506 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 28 Feb 2026 02:01:48 +0000
Subject: [PATCH] fix: make tailscale enrollment clone-safe and hostname-aware

Reset cloned tailscale state before first join, remove one-shot marker dependency, and allow workflow host entries in host=hostname format so nodes join with VM-aligned tailscale names.
---
 .gitea/workflows/terraform-apply.yml | 19 ++++++++++++++++---
 nixos/template-base/configuration.nix | 15 ++++++++-------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index 7e8ec86..d35fe3d 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -81,12 +81,25 @@ jobs:
             exit 0
           fi
+          echo "Expected format: host or host=hostname (comma-separated)"
+
           install -m 700 -d ~/.ssh
           printf '%s\n' "$VM_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
           chmod 600 ~/.ssh/id_rsa
-          for host in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
+          for target in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
+            host="${target%%=*}"
+            ts_hostname=""
+            if [ "$host" != "$target" ]; then
+              ts_hostname="${target#*=}"
+            fi
+
             echo "Enrolling $host into Tailscale"
-            ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
-              "echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null && sudo chmod 600 /etc/tailscale/authkey && sudo systemctl start tailscale-firstboot.service"
+            if [ -n "$ts_hostname" ]; then
+              ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
+                "set -e; echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null; echo '$ts_hostname' | sudo tee /etc/tailscale/hostname >/dev/null; sudo chmod 600 /etc/tailscale/authkey; sudo hostnamectl set-hostname '$ts_hostname' || true; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
+            else
+              ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
+                "set -e; echo '$TS_AUTHKEY' | sudo tee /etc/tailscale/authkey >/dev/null; sudo chmod 600 /etc/tailscale/authkey; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
+            fi
           done
diff --git a/nixos/template-base/configuration.nix b/nixos/template-base/configuration.nix
index 957346b..781adc7 100644
--- a/nixos/template-base/configuration.nix
+++ b/nixos/template-base/configuration.nix
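Review bot: On both rewritten `ssh` lines the remote command is built by interpolating `$TS_AUTHKEY` and `$ts_hostname` into single quotes, so a `'` in either value — and the hostname now comes unchecked from the `host=hostname` entries — breaks out of the quoting and runs arbitrary text as root on the VM; the key is also visible as an `echo` argument in the remote process list, and `sudo tee` creates `/etc/tailscale/authkey` under the default umask before the `chmod 600` runs. Sending the key on stdin and writing it under `umask 077` removes the quoting problem, the argv exposure and the permission window at once, and the parsed hostname should be checked against a DNS-label pattern before it reaches the command and `hostnamectl`; the `else` branch needs the same rewrite minus the hostname steps. `StrictHostKeyChecking=no` with a throwaway known_hosts file is not new in this commit, but it means the key is handed to whatever answers at `$host`, so pinning host keys is worth a follow-up. The enclosing `run:` step starts before this hunk.
```shell
              ts_hostname="${target#*=}"
              # anything but a plain DNS label would break the single-quoted remote command below
              case "$ts_hostname" in
                ''|*[!A-Za-z0-9-]*) echo "Invalid hostname in entry: $target" >&2; exit 1 ;;
              esac
            # … unchanged: fi, echo "Enrolling $host into Tailscale" …
            if [ -n "$ts_hostname" ]; then
              # key travels on stdin: not interpolated into the command, absent from the remote argv/ps, file born 0600
              printf '%s\n' "$TS_AUTHKEY" | ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
                "set -e; sudo sh -c 'umask 077; cat > /etc/tailscale/authkey; chmod 600 /etc/tailscale/authkey'; echo '$ts_hostname' | sudo tee /etc/tailscale/hostname >/dev/null; sudo hostnamectl set-hostname '$ts_hostname' || true; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
            else
              printf '%s\n' "$TS_AUTHKEY" | ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.ssh/id_rsa "micqdf@$host" \
                "set -e; sudo sh -c 'umask 077; cat > /etc/tailscale/authkey; chmod 600 /etc/tailscale/authkey'; sudo systemctl restart tailscaled; sudo systemctl start tailscale-firstboot.service"
            fi
```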
@@ -49,20 +49,21 @@
         RemainAfterExit = true;
       };
       script = ''
-        if [ -f /var/lib/tailscale/.joined ]; then
-          exit 0
-        fi
-
         if [ ! -s /etc/tailscale/authkey ]; then
           exit 0
         fi
         key="$(cat /etc/tailscale/authkey)"
-        ${pkgs.tailscale}/bin/tailscale up --auth-key="$key" --hostname="$(hostname)"
+        ts_hostname=""
+        if [ -s /etc/tailscale/hostname ]; then
+          ts_hostname="--hostname=$(cat /etc/tailscale/hostname)"
+        fi
+
+        rm -f /var/lib/tailscale/tailscaled.state
+        ${pkgs.tailscale}/bin/tailscale up --reset --auth-key="$key" $ts_hostname
-        install -d -m 0700 /var/lib/tailscale
-        touch /var/lib/tailscale/.joined
         rm -f /etc/tailscale/authkey
+        rm -f /etc/tailscale/hostname
       '';
     };
-- 
2.49.1
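Review bot: Deleting `/var/lib/tailscale/tailscaled.state` on the new `rm -f` line while tailscaled is already running does not, as far as I can tell, discard the cloned node identity the daemon loaded at startup — it keeps it in memory and writes the file back — and `--reset` on the following `tailscale up` only resets unspecified preferences, not the existing login, so a clone can still come up with the template's node key; the workflow restarts tailscaled before starting this unit, but nothing in this script guarantees that ordering. I would wrap the deletion as `systemctl stop tailscaled; rm -f /var/lib/tailscale/tailscaled.state; systemctl start tailscaled` and add `--force-reauth` to the `up` call, or run `${pkgs.tailscale}/bin/tailscale logout || true` first, which discards the node key; the unit's `After=`/`Requires=` relation to `tailscaled.service` sits outside this hunk and has to allow that. The unquoted `$ts_hostname` is required for the empty case, but it also word-splits a hostname file containing whitespace, and that value is written by the workflow unvalidated, so a check such as `case "$(cat /etc/tailscale/hostname)" in *[!A-Za-z0-9-]*) exit 1 ;; esac` before building the flag would keep a stray value from becoming extra arguments. The enclosing service definition starts before this hunk.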