Build remote deployment system using Headscale (self-hosted Tailscale)

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/7fa16927-250f-4af4-bb11-e22ef7b2c997 Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
2026-04-11 23:33:35 +00:00
parent 9ec8618f7d
commit 8f97aa416f
7 changed files with 849 additions and 0 deletions
--- a/iso/sovran-install-headless.sh
+++ b/iso/sovran-install-headless.sh
@@ -14,6 +14,8 @@ Options:
  --relay-user USER            Relay username (default: deploy)
  --relay-port PORT            Relay SSH port (default: 22)
  --tunnel-port PORT           Reverse tunnel port on relay (default: 2222)
+  --headscale-server URL       Headscale login server for post-install Tailnet
+  --headscale-key KEY          Headscale pre-auth key for the installed OS
 USAGE
 }

@@ -28,6 +30,8 @@ RELAY_HOST=""
 RELAY_USER="deploy"
 RELAY_PORT="22"
 TUNNEL_PORT="2222"
+HEADSCALE_SERVER=""
+HEADSCALE_KEY=""

 FLAKE="/etc/sovran/flake"
 LOG="/tmp/sovran-headless-install.log"
@@ -58,6 +62,8 @@ while [[ $# -gt 0 ]]; do
        --relay-user)  RELAY_USER="$2";  shift 2 ;;
        --relay-port)  RELAY_PORT="$2";  shift 2 ;;
        --tunnel-port) TUNNEL_PORT="$2"; shift 2 ;;
+        --headscale-server) HEADSCALE_SERVER="$2"; shift 2 ;;
+        --headscale-key)    HEADSCALE_KEY="$2";    shift 2 ;;
        -h|--help)
            usage
            exit 0
@@ -225,6 +231,7 @@ if [[ -n "$DEPLOY_KEY" ]]; then
    relayUser = "${RELAY_USER}";
    relayPort = ${RELAY_PORT};
    reverseTunnelPort = ${TUNNEL_PORT};
+$([ -n "${HEADSCALE_SERVER}" ] && echo "    headscaleServer = \"${HEADSCALE_SERVER}\";")
  };
 }
 EOF
@@ -232,6 +239,14 @@ else
    cp /mnt/etc/nixos/custom.template.nix /mnt/etc/nixos/custom.nix
 fi

+# ── Write Headscale auth key if provided ─────────────────────────────────────
+if [[ -n "$HEADSCALE_KEY" ]]; then
+    mkdir -p /mnt/var/lib/secrets
+    echo "$HEADSCALE_KEY" > /mnt/var/lib/secrets/headscale-authkey
+    chmod 600 /mnt/var/lib/secrets/headscale-authkey
+    log "Headscale auth key written to /mnt/var/lib/secrets/headscale-authkey"
+fi
+
 # ── Step 11: Copy configs to host for flake evaluation ───────────────────────
 log "=== Copying config files to host /etc/nixos for flake evaluation ==="
 mkdir -p /etc/nixos
@@ -252,3 +267,5 @@ log "You can now reboot into Sovran_SystemsOS."
 log "After reboot, the machine will be accessible via SSH on port 22 (if --deploy-key was provided)."
 [[ -n "$RELAY_HOST" ]] && \
    log "Reverse tunnel will connect to ${RELAY_USER}@${RELAY_HOST}:${RELAY_PORT} — forward port ${TUNNEL_PORT} maps to the machine's SSH."
+[[ -n "$HEADSCALE_SERVER" ]] && \
+    log "Tailscale will connect to Headscale at ${HEADSCALE_SERVER} on first boot."