production-deb/shared/post-install/30-tailscale.sh
obsidian-ai 0f5bbf004a fork: production-deb v0.1.0 from debian-s8ns-prefs-iso server variant
Server-only canonical production Debian build. Drops laptop/vanilla
variants. Interactive LUKS + hostname at install. user/123 forced rotate.
DVD-1 offline base. S8N_LOGS log-capture partition.

Lineage: forked from s8n/debian-s8ns-prefs-iso commit d4be55f.
2026-05-08 13:53:38 +01:00


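#!/bin/sh
# 30-tailscale.sh — install Tailscale; auto-join tailnet if --ts-auth-key
# was passed at build time (key file at /root/s8n-postinstall/ts-auth-key).
# Without auth-key: install client only, manual `tailscale up` post-boot.
#
# Secret handling in this script:
#  - The auth key is only ever read from a root-only (0600) file; it is not
#    placed on any command line, so it does not show up in process listings
#    or in the unit's logged ExecStart string.
#  - `shred -u` is best-effort: on journaling/copy-on-write filesystems and
#    on flash storage the old blocks may survive. Issue the key as
#    single-use with a short expiry so a recovered copy is worthless.
set -eu

if ! command -v tailscale >/dev/null; then
  echo "[30] adding tailscale repo + installing"
  # The keyring fetched here becomes the APT trust anchor for this repo, so
  # refuse any non-HTTPS hop: -L follows redirects, and --proto '=https'
  # keeps a redirect from downgrading the transfer to plain HTTP.
  curl --proto '=https' --tlsv1.2 -fsSL \
    https://pkgs.tailscale.com/stable/debian/trixie.noarmor.gpg \
    -o /usr/share/keyrings/tailscale-archive-keyring.gpg
  curl --proto '=https' --tlsv1.2 -fsSL \
    https://pkgs.tailscale.com/stable/debian/trixie.tailscale-keyring.list \
    -o /etc/apt/sources.list.d/tailscale.list
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tailscale
else
  echo "[30] tailscale already installed"
fi

# Best-effort on purpose: the failure is ignored so the rest of the
# post-install run continues; the script runs inside the install chroot.
systemctl enable tailscaled || true

# Auto-join if auth-key file present. tailscaled isn't running yet (we're in
# chroot during install), so write a oneshot unit that joins on first boot.
KEY_FILE=/root/s8n-postinstall/ts-auth-key
if [ -s "$KEY_FILE" ]; then
  echo "[30] auth-key found, deploying first-boot join unit"
  # NOTE(review): the source copy at $KEY_FILE is left in place here. Unless
  # a later post-install step removes /root/s8n-postinstall, the key stays
  # on the installed system after the join unit shreds /etc/tailscale-authkey
  # — confirm against the rest of the post-install chain.
  install -m 600 "$KEY_FILE" /etc/tailscale-authkey

  # The unit hands the key to tailscale with the `file:` form of --auth-key,
  # so the secret is read from disk by the client instead of being expanded
  # into argv via $(cat ...). If `tailscale up` fails, the && chain stops:
  # the key file and the enabled unit both remain, and the join is retried
  # on the next boot.
  cat > /etc/systemd/system/s8n-tailscale-join.service <<'UNIT'
[Unit]
Description=s8n Tailscale first-boot join
After=tailscaled.service network-online.target
Wants=network-online.target tailscaled.service
ConditionPathExists=/etc/tailscale-authkey
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'tailscale up --login-server=https://hs.s8n.ru --auth-key=file:/etc/tailscale-authkey && shred -u /etc/tailscale-authkey && systemctl disable s8n-tailscale-join.service'
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
UNIT
  systemctl enable s8n-tailscale-join.service || true
else
  echo "[30] no auth-key; install tailscale only. Login post-boot:"
  echo " sudo tailscale up --login-server=https://hs.s8n.ru"
fi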