This repository was archived by the owner on Feb 9, 2026. It is now read-only.

Commit cc75987

mkinitcpio-tailscale-setup: add -f
Should be useful to force reauth if a machine is compromised and needs to be re-added
1 parent 2a2a52d commit cc75987


2 files changed

+18
-4
lines changed


README.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ The following example ACL configuration allows `local` machines to connect to an
3636
}
3737
```
3838

39-
With this setup, while it is possible for an attacker to obtain the node key and other Tailscale state information from the initramfs, they would not be able to connect to any other machine in the Tailnet.
39+
With this setup, while it is possible for an attacker to obtain the node key and other Tailscale state information from the initramfs, they would not be able to connect to any other machine in the Tailnet. If this information is compromised, the machine can be removed from the Tailnet and re-added once secure again.
4040

4141
## Setup
4242

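Review bot: the new README sentence says a compromised machine "can be removed from the Tailnet and re-added once secure again" but does not say how to re-add it, which is exactly the case the new `-f` flag in this commit exists for. Suggest finishing the sentence with something like: "re-added once secure again by re-running `mkinitcpio-tailscale-setup -f`, which discards the old state file and forces reauthentication." It is also worth stating explicitly that removing the node in the Tailnet is what invalidates the leaked node key; re-running the setup only replaces the local copy, and since the README itself notes that the state lives in the initramfs, the initramfs must be rebuilt afterwards for the old key to stop shipping in the image.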
mkinitcpio-tailscale-setup

Lines changed: 17 additions & 3 deletions
@@ -3,7 +3,16 @@
33
set -e
44

55
usage() {
6-
echo 'usage: mkinitcpio-tailscale-setup -H [HOSTNAME] -k [AUTHKEY PATH] -d "[TAILSCALED ARGS]" -t "[TAILSCALE UP ARGS]"' >&2
6+
cat >&2 <<EOF
7+
usage: mkinitcpio-tailscale-setup [-f] -H [HOSTNAME] -k [AUTHKEY PATH] -d "[TAILSCALED ARGS]" -t "[TAILSCALE UP ARGS]"
8+
9+
-f Force reauthentication
10+
-H Override hostname (default: '\$(cat /etc/hostname)-mkinitcpio')
11+
-k Path to file containing authkey
12+
-d Extra arguments to pass to 'tailscaled'
13+
-t Extra arguments to pass to 'tailscale up'
14+
EOF
15+
716
}
817

918
die() {
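Review bot: `-h` is accepted by the getopts string (`fH:k:d:t:h`) but is not listed in the new usage heredoc; add a line such as `  -h  Show this help` so the help text matches the options the script actually parses. Minor style point: `[-f]` uses square brackets to mean "the flag is optional", while `-H [HOSTNAME]` and `-k [AUTHKEY PATH]` read as "the argument is optional", which is not the case for `-k`; writing the required ones as `-H HOSTNAME -k AUTHKEY_PATH` removes the ambiguity. The `\$(cat /etc/hostname)` escape is correct for an unquoted `EOF` delimiter, so the default is printed literally rather than expanded at runtime.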
@@ -29,8 +38,9 @@ if pgrep -x tailscaled >/dev/null; then
2938
exit 1
3039
fi
3140

32-
while getopts H:k:d:t:h flag; do
41+
while getopts fH:k:d:t:h flag; do
3342
case "$flag" in
43+
f) FORCE_REAUTH="--force-reauth" ;;
3444
H) HOSTNAME="$OPTARG" ;;
3545
k) AUTHKEY="$OPTARG" ;;
3646
d) TAILSCALED_ARGS="$OPTARG" ;;
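Review bot: `FORCE_REAUTH` is only ever assigned inside the `f)` case, so it stays unset when `-f` is not given. That is fine under `set -e` alone, but both the later `[ -n "$FORCE_REAUTH" ]` test and the unquoted `$FORCE_REAUTH` on the `tailscale up` line would abort the script if `set -u` is ever added; initialising `FORCE_REAUTH=""` next to the other defaults before the `while getopts` loop costs one line and removes that hazard.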
@@ -63,10 +73,14 @@ trap die EXIT INT TERM
6373

6474
mkdir -p /etc/tailscale
6575

76+
if [ -n "$FORCE_REAUTH" ]; then
77+
rm -f /etc/tailscale/tailscaled.state
78+
fi
79+
6680
# shellcheck disable=SC2086
6781
tailscaled -state "/etc/tailscale/tailscaled.state" $TAILSCALED_ARGS >/tmp/mkinitcpio-tailscale-setup-tailscaled.log 2>&1 &
6882
TAILSCALED_PID="$!"
6983
# shellcheck disable=SC2086
70-
tailscale up --authkey="file:$AUTHKEY" --hostname="$HOSTNAME" $TAILSCALE_UP_ARGS >/tmp/mkinitcpio-tailscale-setup-tailscale.log 2>&1
84+
tailscale up --authkey="file:$AUTHKEY" --hostname="$HOSTNAME" $FORCE_REAUTH $TAILSCALE_UP_ARGS >/tmp/mkinitcpio-tailscale-setup-tailscale.log 2>&1
7185

7286
echo "mkinitcpio-tailscale-setup: success" >&2
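Review bot: `rm -f /etc/tailscale/tailscaled.state` runs after `trap die EXIT INT TERM` is armed and before `tailscale up` has succeeded, so if the re-run then fails (expired or invalid auth key, no network) the old state is already gone and there is nothing to fall back to. Consider moving the file aside instead, e.g. `mv /etc/tailscale/tailscaled.state /etc/tailscale/tailscaled.state.old`, and deleting the `.old` copy only after the `success` line, or at minimum documenting that `-f` is destructive. Two things should also be said in the usage text or README: the host-side `rm -f` does not touch any initramfs image already built with the compromised state, so the user must rebuild the initramfs after the setup completes, and the old node key is only actually invalidated when the node is removed in the Tailnet. With the state file removed, passing `--force-reauth` as well is belt-and-braces, since `tailscale up` on an empty state has to authenticate anyway; harmless, but a one-line comment saying so would spare the next reader the question.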
