Finalise use of package repo

This is a much cleaner process now. The tailscale package is installed
from the repo and the .deb stored in /config to be reinstalled on
firmware upgrade.

The firstboot and post-config scripts seem to work with minimal (no?)
manual intervention needed and should ensure that Tailscale starts after
routing is available. We now use a bind mount of the state directory to
/var/lib/tailscale as the symlink wasn't reliable - the bind mount means
systemd can ensure it's in place before starting the service.

The post-config script should detect when tailscaled.service needs
restarting and do so, in case unit overrides or the mount point weren't
in place when the package was installed.

README.md

@@ -2,21 +2,15 @@
 
 This is a short guide for getting [Tailscale](https://tailscale.com/) running on the Ubiquiti EdgeRouter platform. EdgeOS 2.0+ is required to make use of the systemd unit file shipped by Tailscale.
 
-This is inspired by [lg](https://github.com/lg)'s [gist](https://gist.github.com/lg/6f80593bd55ca9c9cf886da169a972c3) and [joeshaw](https://github.com/joeshaw)'s [suggestion](https://gist.github.com/lg/6f80593bd55ca9c9cf886da169a972c3#gistcomment-3578594) of putting everything under `/config/tailscale` rather than directly in `/config`, however this guide uses Tailscale's Debian package repository instead of downloading the tarball and manually managing the files.
-
-
-## Caveats & Known Issues
-
-* [#1](../../issues/1): Tailscale does not work correctly at boot ([tailscale/tailscale#1724](../../../../tailscale/tailscale/issues/1724))
-  * Resolved by restarting the `tailscaled` service (`sudo systemctl restart tailscaled`)
+This was originally inspired by [lg](https://github.com/lg)'s [gist](https://gist.github.com/lg/6f80593bd55ca9c9cf886da169a972c3) and [joeshaw](https://github.com/joeshaw)'s [suggestion](https://gist.github.com/lg/6f80593bd55ca9c9cf886da169a972c3#gistcomment-3578594) of putting everything under `/config/tailscale` rather than directly in `/config`, however this guide uses Tailscale's Debian package repository instead of downloading the tarball and manually managing the files.
 
 ## Installing Tailscale
 
 1. Configure the Tailscale apt repository
 
     ```
     configure
-    set system package repository tailscale url https://pkgs.tailscale.com/stable/debian
+    set system package repository tailscale url '[signed-by=/usr/share/keyrings/tailscale-stretch-stable.gpg] https://pkgs.tailscale.com/stable/debian'
     set system package repository tailscale distribution stretch
     set system package repository tailscale components main
     commit comment "Add Tailscale repository"
@@ -39,7 +33,7 @@ This is inspired by [lg](https://github.com/lg)'s [gist](https://gist.github.com
 
     ```sh
     sudo bash
-    mkdir -p /config/scripts/firstboot.d /config/tailscale/tailscaled.service.d
+    mkdir -p /config/scripts/firstboot.d
     curl -o /config/scripts/firstboot.d/tailscale.sh https://raw.githubusercontent.com/jamesog/tailscale-edgeos/main/firstboot.d/tailscale.sh
     chmod 755 /config/scripts/firstboot.d/tailscale.sh
     /config/scripts/firstboot.d/tailscale.sh
@@ -59,15 +53,15 @@ This is inspired by [lg](https://github.com/lg)'s [gist](https://gist.github.com
     1. Fetch the override unit
 
         ```sh
-        curl -o /config/tailscale/tailscaled.service.d/before-ssh.conf https://raw.githubusercontent.com/jamesog/tailscale-edgeos/main/tailscaled.service.d/before-ssh.conf
+        curl -o /config/tailscale/systemd/tailscaled.service.d/before-ssh.conf https://raw.githubusercontent.com/jamesog/tailscale-edgeos/main/tailscaled.service.d/before-ssh.conf
         systemctl daemon-reload
         ```
 
     2. Exit the shell, enter configure mode and set the listen-address
 
         If you don't currently have any listen-address directives, make sure you add any other addresses you want to access the router by, such as a private network IP.
 
-        N.B. the Tailscale IP can be found in the admin console, or using `tailscale status -peers=false | awk '{print $1}'`
+        The Tailscale IP can be found in the admin console, or using `tailscale ip`.
 
         ```
         exit

firstboot.d/tailscale.sh

@@ -2,33 +2,101 @@
 
 set -e
 
-# Symlink the state directory to /config to preserve across reboots/upgrades
+mkdir -p /config/tailscale/systemd/tailscaled.service.d
 mkdir -p /config/tailscale/state
-ln -s /config/tailscale/state /var/lib/tailscale
+
+# Create a bind mount for the Tailscale state directory
+if [ ! -f /config/tailscale/systemd/var-lib-tailscale.mount ]; then
+	cat > /config/tailscale/systemd/var-lib-tailscale.mount <<-EOF
+[Mount]
+What=/config/tailscale/state
+Where=/var/lib/tailscale
+Type=none
+Options=bind
+
+[Install]
+WantedBy=multi-user.target
+	EOF
+fi
+
+# Add an override to tailscaled.service to require the bind mount
+if [ ! -f /config/tailscale/systemd/tailscaled.service.d/mount.conf ]; then
+	cat > /config/tailscale/systemd/tailscaled.service.d/mount.conf <<-EOF
+[Unit]
+RequiresMountsFor=/var/lib/tailscale
+	EOF
+fi
+# Add an override to tailscaled.service to wait until "UBNT Routing Daemons"
+# has finished, otherwise tailscaled won't have proper networking
+if [ ! -f /config/tailscale/systemd/tailscaled.service.d/wait-for-networking.conf ]; then
+	cat > /config/tailscale/systemd/tailscaled.service.d/wait-for-networking.conf <<-EOF
+[Unit]
+Wants=vyatta-router.service
+After=vyatta-router.service
+	EOF
+fi
 
 if [ ! -L /etc/systemd/system/tailscaled.service.d ]; then
 	ln -s /config/tailscale/systemd/tailscaled.service.d /etc/systemd/system/tailscaled.service.d
 fi
+systemctl daemon-reload
 
-# Ensure there is a post-config script to install the tailscale package
+# Ensure there is a post-config script to install Tailscale
 mkdir -p /config/scripts/post-config.d
 if [ ! -x /config/scripts/post-config.d/tailscale.sh ]; then
-	cat > /config/scripts/post-config.d/tailscale.sh <<EOF
+	cat > /config/scripts/post-config.d/tailscale.sh <<"EOF"
 #!/bin/sh
 
 set -e
 
-if ! gpg --list-keys --with-colons --keyring /etc/apt/trusted.gpg | grep -qF [email protected]; then
+reload=""
+
+# The mount unit needs to be copied rather than linked.
+# systemd errors with "Link has been severed" if the unit is a symlink.
+if [ ! -f /etc/systemd/system/var-lib-tailscale.mount ]; then
+	echo Installing /var/lib/tailscale mount unit
+	cp /config/tailscale/systemd/var-lib-tailscale.mount /etc/systemd/system/var-lib-tailscale.mount
+	reload=y
+fi
+
+if [ ! -L /etc/systemd/system/tailscaled.service.d ]; then
+	ln -s /config/tailscale/systemd/tailscaled.service.d /etc/systemd/system/tailscaled.service.d
+	reload=y
+fi
+
+if [ -n "$reload" ]; then
+	# Ensure systemd has loaded the unit overrides
+	systemctl daemon-reload
+fi
+
+KEYRING=/usr/share/keyrings/tailscale-stretch-stable.gpg
+
+if ! gpg --list-keys --with-colons --keyring $KEYRING 2>/dev/null | grep -qF [email protected]; then
+	echo Installing Tailscale repository signing key
 	if [ ! -e /config/tailscale/stretch.gpg ]; then
-		curl -fsSLo /config/tailscale/stretch.gpg https://pkgs.tailscale.com/stable/debian/stretch.gpg
+		curl -fsSL https://pkgs.tailscale.com/stable/debian/stretch.asc | gpg --dearmor > /config/tailscale/stretch.gpg
 	fi
-	apt-key add /config/tailscale/stretch.gpg >/dev/null 2>&1
+	cp /config/tailscale/stretch.gpg $KEYRING
 fi
-if ! dpkg-query -Wf '${Status}' tailscale 2>/dev/null | grep -qF "install ok installed"; then
-	apt-get update
-	apt-get install tailscale
-	mkdir -p /config/data/firstboot/install-packages
-	cp /var/cache/apt/archives/tailscale_*.deb /config/data/firstboot/install-packages
+
+pkg_status=$(dpkg-query -Wf '${Status}' tailscale 2>/dev/null || true)
+if ! echo $pkg_status| grep -qF "install ok installed"; then
+	# Sometimes after a firmware upgrade the package goes into half-configured state
+	if echo $pkg_status | grep -qF "half-configured"; then
+		# Use systemd-run to configure the package in a separate unit, otherwise it will block
+		# due to tailscaled.service waiting on vyatta-router.service, which is running this script.
+		systemd-run --no-block dpkg --configure -a
+	else
+		echo "Installing Tailscale"
+		apt-get update
+		apt-get install tailscale
+		mkdir -p /config/data/firstboot/install-packages
+		cp /var/cache/apt/archives/tailscale_*.deb /config/data/firstboot/install-packages
+	fi
+fi
+
+if [ -n "$reload" ]; then
+	systemctl --no-block restart tailscaled
 fi
 EOF
 	chmod 755 /config/scripts/post-config.d/tailscale.sh