production-deb/shared/post-install/30-tailscale.sh

#!/bin/sh
# 30-tailscale.sh — install Tailscale; auto-join tailnet if --ts-auth-key
# was passed at build time (key file at /root/s8n-postinstall/ts-auth-key).
# Without auth-key: install client only, manual `tailscale up` post-boot.
set -eu

if ! command -v tailscale >/dev/null; then
  echo "[30] adding tailscale repo + installing"
  curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.noarmor.gpg \
    -o /usr/share/keyrings/tailscale-archive-keyring.gpg
  curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.tailscale-keyring.list \
    -o /etc/apt/sources.list.d/tailscale.list
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tailscale
else
  echo "[30] tailscale already installed"
fi

systemctl enable tailscaled || true

# Auto-join if auth-key file present. tailscaled isn't running yet (we're in
# chroot during install), so write a oneshot unit that joins on first boot.
KEY_FILE=/root/s8n-postinstall/ts-auth-key
if [ -s "$KEY_FILE" ]; then
  echo "[30] auth-key found, deploying first-boot join unit"
  install -m 600 "$KEY_FILE" /etc/tailscale-authkey
  cat > /etc/systemd/system/s8n-tailscale-join.service <<'UNIT'
[Unit]
Description=s8n Tailscale first-boot join
After=tailscaled.service network-online.target
Wants=network-online.target tailscaled.service
ConditionPathExists=/etc/tailscale-authkey

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'tailscale up --login-server=https://hs.s8n.ru --auth-key=$(cat /etc/tailscale-authkey) && shred -u /etc/tailscale-authkey && systemctl disable s8n-tailscale-join.service'
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
UNIT
  systemctl enable s8n-tailscale-join.service || true
else
  echo "[30] no auth-key; install tailscale only. Login post-boot:"
  echo "       sudo tailscale up --login-server=https://hs.s8n.ru"
fi
fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant Server-only canonical production Debian build. Drops laptop/vanilla variants. Interactive LUKS + hostname at install. user/123 forced rotate. DVD-1 offline base. S8N_LOGS log-capture partition. Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f. 2026-05-08 13:53:38 +01:00			`#!/bin/sh`
			`# 30-tailscale.sh — install Tailscale; auto-join tailnet if --ts-auth-key`
			`# was passed at build time (key file at /root/s8n-postinstall/ts-auth-key).`
			# Without auth-key: install client only, manual `tailscale up` post-boot.
			`set -eu`

			`if ! command -v tailscale >/dev/null; then`
			`echo "[30] adding tailscale repo + installing"`
			`curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.noarmor.gpg \`
			`-o /usr/share/keyrings/tailscale-archive-keyring.gpg`
			`curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.tailscale-keyring.list \`
			`-o /etc/apt/sources.list.d/tailscale.list`
			`apt-get update`
			`DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tailscale`
			`else`
			`echo "[30] tailscale already installed"`
			`fi`

			`systemctl enable tailscaled \|\| true`

			`# Auto-join if auth-key file present. tailscaled isn't running yet (we're in`
			`# chroot during install), so write a oneshot unit that joins on first boot.`
			`KEY_FILE=/root/s8n-postinstall/ts-auth-key`
			`if [ -s "$KEY_FILE" ]; then`
			`echo "[30] auth-key found, deploying first-boot join unit"`
			`install -m 600 "$KEY_FILE" /etc/tailscale-authkey`
			`cat > /etc/systemd/system/s8n-tailscale-join.service <<'UNIT'`
			`[Unit]`
			`Description=s8n Tailscale first-boot join`
			`After=tailscaled.service network-online.target`
			`Wants=network-online.target tailscaled.service`
			`ConditionPathExists=/etc/tailscale-authkey`

			`[Service]`
			`Type=oneshot`
			`ExecStart=/bin/sh -c 'tailscale up --login-server=https://hs.s8n.ru --auth-key=$(cat /etc/tailscale-authkey) && shred -u /etc/tailscale-authkey && systemctl disable s8n-tailscale-join.service'`
			`RemainAfterExit=yes`

			`[Install]`
			`WantedBy=multi-user.target`
			`UNIT`
			`systemctl enable s8n-tailscale-join.service \|\| true`
			`else`
			`echo "[30] no auth-key; install tailscale only. Login post-boot:"`
			`echo " sudo tailscale up --login-server=https://hs.s8n.ru"`
			`fi`