fix(tailscale): add Upholds= drop-in for reliable boot-time activation

bketelsen · Copilot · bketelsen · commit 40cb72f758de · 2026-05-15T09:39:28.000-04:00
The WantedBy=multi-user.target + preset approach doesn't reliably work for sysext-provided services. At PID 1 startup the sysext hasn't been merged yet, so the /etc/systemd/system/multi-user.target.wants/ symlink points to a missing unit file. systemd silently drops the dangling Wants= reference and never retriggers it after the daemon-reload that reload-sysext.service performs. Add usr/lib/systemd/system/multi-user.target.d/10-tailscale.conf to the sysext with Upholds=tailscaled.service. This drop-in is brand-new to systemd after the post-merge daemon-reload, so it is processed cleanly when multi-user.target activates — ensuring tailscaled starts on every boot without modification to the base image. Ref: https://www.flatcar.org/docs/latest/provisioning/sysext/ Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/docs/plans/2026-02-24-tailscale-sysext-design.md b/docs/plans/2026-02-24-tailscale-sysext-design.md
@@ -18,6 +18,7 @@ Official Tailscale APT repository (`pkgs.tailscale.com/stable/debian`), consiste
 - `/usr/share/factory/etc/default/tailscaled` — factory default config (port + flags)
 - `/usr/lib/tmpfiles.d/tailscale.conf` — restores /etc/default/tailscaled at boot
 - `/usr/lib/systemd/system-preset/40-tailscale.preset` — auto-enables tailscaled.service
+- `/usr/lib/systemd/system/multi-user.target.d/10-tailscale.conf` — `Upholds=tailscaled.service` drop-in for reliable boot activation
 
 ## /etc Configuration Handling
 
@@ -30,6 +31,10 @@ The `tailscaled.service` unit has `EnvironmentFile=/etc/default/tailscaled`. Wit
 
 System preset enables `tailscaled.service` by default. User authenticates post-boot via `tailscale up`.
 
+The preset alone is insufficient for reliable boot-time activation of sysext-provided services. At PID 1 startup the sysext is not yet merged, so the `/etc/systemd/system/multi-user.target.wants/tailscaled.service` symlink's target is missing; systemd silently drops the dangling `Wants=` reference. After `reload-sysext.service` merges the overlay and runs `daemon-reload`, the previously-evaluated wants list for `multi-user.target` is not re-triggered for the newly-available unit.
+
+The fix is a `multi-user.target.d/10-tailscale.conf` drop-in (shipped inside the sysext) that uses `Upholds=tailscaled.service`. Since this drop-in is brand-new to systemd after the daemon-reload, it is processed cleanly when `multi-user.target` activates — ensuring tailscaled starts on every boot. See [Flatcar sysext docs](https://www.flatcar.org/docs/latest/provisioning/sysext/) for background.
+
 ## Runtime State
 
 All persistent state lives in `/var/lib/tailscale/` (managed by systemd `StateDirectory=tailscale`). No build-time state needed.
@@ -58,6 +63,7 @@ mkosi.images/tailscale/
   mkosi.finalize
   mkosi.extra/usr/lib/
     systemd/system-preset/40-tailscale.preset
+    systemd/system/multi-user.target.d/10-tailscale.conf  ← Upholds= drop-in
     tmpfiles.d/tailscale.conf
 
 mkosi.conf  (add tailscale to Dependencies)
diff --git a/mkosi.images/tailscale/mkosi.extra/usr/lib/systemd/system/multi-user.target.d/10-tailscale.conf b/mkosi.images/tailscale/mkosi.extra/usr/lib/systemd/system/multi-user.target.d/10-tailscale.conf
@@ -0,0 +1,2 @@
+[Unit]
+Upholds=tailscaled.service

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+[Unit]`
	`2`	`+Upholds=tailscaled.service`