initramfs hook for tailscale

This is intended to be used with an ephemeral auth key with an ACL tag,
and ACL rules that restrict the ephemeral node to inbound-only traffic.
It does not share instance state with tailscale running in Linux.

Reference:
- https://tailscale.com/kb/1111/ephemeral-nodes/
- https://tailscale.com/kb/1068/acl-tags/#generate-an-auth-key-with-an-acl-tag
- https://tailscale.com/kb/1068/acl-tags/#using-tags-in-acls-for-access-control

scripts/init-bottom/tailscale

@@ -0,0 +1,77 @@
+#!/bin/sh
+
+#set -e
+
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+
+case $1 in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+. /scripts/functions
+
+EXE="$(readlink -f /sbin/tailscaled)" && [ -f "$EXE" ] || exit 1
+PIDFILE="/run/tailscale.pid"
+TAILSCALE_SHUTDOWN_TIMEOUT=60
+TAILSCALE_LOGOUT=
+IFDOWN="*"
+
+if [ -e /etc/tailscale/initramfs/config ]; then
+    . /etc/tailscale/initramfs/config
+fi
+
+wait_for_tailscaled()
+{
+    # shellcheck disable=SC2039
+    # SC2039: In POSIX sh, 'local' is undefined.
+    local pid exe timer="$TAILSCALE_SHUTDOWN_TIMEOUT"
+    pid="$(cat "$PIDFILE" 2>/dev/null)" || return 1
+
+    while [ $timer -gt 0 ] && exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null)"; do
+        if [ "$exe" = "$EXE" ]; then
+            echo "$pid"
+            return 0
+        fi
+        sleep 1
+        timer=$(( timer - 1 ))
+    done
+    return 1
+}
+
+
+if PID="$(wait_for_tailscaled)"; then
+    if [ -n "$TAILSCALE_LOGOUT" ]; then
+        log_begin_msg "Logging out of tailscale"
+        /bin/tailscale --socket=/run/tailscale/tailscaled.sock logout 2>>/run/initramfs/tailscale.log || true
+        log_end_msg
+    fi
+
+    log_begin_msg "Stopping tailscale"
+    kill -TERM "$PID"
+    wait "$PID" || true
+    /sbin/tailscaled -cleanup 2>>/run/initramfs/tailscale.log
+    log_end_msg
+fi
+
+rm -f "$PIDFILE"
+
+if [ "$BOOT" != nfs ] && [ "$IFDOWN" != none ]; then
+    for IFACE in /sys/class/net/$IFDOWN; do
+        [ -e "$IFACE" ] || continue
+        IFACE="${IFACE#/sys/class/net/}"
+        log_begin_msg "Bringing down $IFACE"
+        ip link    set   dev "$IFACE" down
+        ip address flush dev "$IFACE"
+        ip route   flush dev "$IFACE"
+        log_end_msg
+    done
+fi
+
+exit 0

scripts/init-premount/tailscale

@@ -0,0 +1,64 @@
+#!/bin/sh
+
+#set -e
+
+PREREQ="udev"
+prereqs()
+{
+    echo "$PREREQ"
+}
+
+case $1 in
+    prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+[ -x /bin/tailscale ] || exit 0
+
+. /scripts/functions
+
+if [ -e /etc/tailscale/initramfs/config ]; then
+    . /etc/tailscale/initramfs/config
+fi
+
+if [ -z "${TAILSCALE_HOSTNAME-}" ]; then
+    if [ -f /etc/tailscale/initramfs/hostname ]; then
+        HOSTNAME=$(cat /etc/tailscale/initramfs/hostname)
+    else
+        HOSTNAME=$(hostname -s)
+    fi
+
+    TAILSCALE_HOSTNAME=${HOSTNAME}-initramfs
+fi
+
+# shellcheck disable=SC2039,SC2086
+run_tailscale()
+{
+    log_begin_msg "Starting tailscale"
+
+    local options="--state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock"
+
+    # FIXME: This races with dropbear-initramfs bringing up the network
+    # asynchronously
+    [ "$BOOT" = nfs ] || configure_networking
+
+    # A little race-y to start the client before the daemon, but the client
+    # will attempt to connect to the socket for a while.
+    # https://github.com/tailscale/tailscale/blob/8cf1af8a0703c36256fc58e98ddb63b8907848f1/safesocket/safesocket.go#L119-L122
+    /bin/tailscale --socket=/run/tailscale/tailscaled.sock up --authkey="${TAILSCALE_AUTHKEY}" --hostname="${TAILSCALE_HOSTNAME}" $TAILSCALE_OPTIONS &
+
+    if [ "${debug:-}" != y ]; then
+        exec 2>/run/initramfs/tailscale.log
+    fi
+    exec /sbin/tailscaled $options $TAILSCALED_OPTIONS
+}
+
+[ "$BOOT" = nfs ] && configure_networking
+
+modprobe tun
+run_tailscale &
+echo $! > /run/tailscale.pid
+
+exit 0