Good file

good.sh

#!/usr/bin/env bash
#
# Ephemeral VM bootstrap: Determinate Nix, OpenSSH (high port), Tailscale.
#
# Required:
#   TAILSCALE_AUTH_KEY   - Tailscale pre-auth key
#
# Optional:
#   SSH_PORT             - Port for sshd (default: 24000)
#   SSH_AUTHORIZED_KEYS  - Public keys to append to ~/.ssh/authorized_keys
#   TS_HOSTNAME          - Tailscale hostname (default: $(hostname)-ephemeral)
#
set -euo pipefail

SSH_PORT="22000"
TAILSCALE_AUTH_KEY="..."
SSH_AUTHORIZED_KEYS="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFHpbAubO7oLRlA1MJDUVaqeQzaiWfey22DqoWPyHQi cardno:11_579_423"
TS_HOSTNAME="zoidberg"

STATE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/.ephemeral"
SSH_DIR="$STATE_DIR/ssh"
TS_DIR="$STATE_DIR/tailscale"
mkdir -p "$SSH_DIR" "$TS_DIR"

curl --proto '=https' --tlsv1.2 -sSf -L \
  https://install.determinate.systems/nix | sh -s -- install --no-confirm

if [ -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]; then
  . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
elif [ -f "$HOME/.nix-profile/etc/profile.d/nix.sh" ]; then
  . "$HOME/.nix-profile/etc/profile.d/nix.sh"
fi

DROPBEAR="$(nix build nixpkgs#dropbear --no-link --print-out-paths)"
TAILSCALE="$(nix build nixpkgs#tailscale --no-link --print-out-paths)"

if [ -n "$SSH_AUTHORIZED_KEYS" ]; then
  mkdir -p "$HOME/.ssh"
  echo "$SSH_AUTHORIZED_KEYS" >> "$HOME/.ssh/authorized_keys"
  chmod 700 "$HOME/.ssh"
  chmod 600 "$HOME/.ssh/authorized_keys"
fi

[ -f "$SSH_DIR/host_key" ] || \
  "$DROPBEAR/bin/dropbearkey" -t ed25519 -f "$SSH_DIR/host_key"

"$DROPBEAR/bin/dropbear" \
  -r "$SSH_DIR/host_key" \
  -p "$SSH_PORT" \
  -F -E \
  -s -g &
disown

"$TAILSCALE/bin/tailscaled" \
  --state="$TS_DIR/tailscaled.state" \
  --socket="$TS_DIR/tailscaled.sock" \
  --tun=userspace-networking &
disown

for _ in $(seq 1 30); do
  [ -S "$TS_DIR/tailscaled.sock" ] && break
  sleep 1
done

"$TAILSCALE/bin/tailscale" up \
  --socket="$TS_DIR/tailscaled.sock" \
  --authkey="$TAILSCALE_AUTH_KEY" \
  --hostname="$TS_HOSTNAME"