Add 4 and update 2 files

2025-09-08 17:46:34 +12:00
parent 308e0e3bc6
commit 6880a0e321
6 changed files with 392 additions and 173 deletions
--- a/squashdisplay/setup.sh
+++ b/squashdisplay/setup.sh
@@ -0,0 +1,204 @@
+#!/bin/sh
+# This script runs inside the Alpine container to configure the host system
+set -e
+
+echo "Starting Squash Display kiosk setup..."
+
+# Function to run commands on the host
+host_exec() {
+    nsenter -t 1 -m -u -i -n -p -- "$@"
+}
+
+# Get environment variables (passed from Docker)
+KIOSK_URL="${KIOSK_URL:-https://squash.kiwi/court/otog}"
+KIOSK_USER="${KIOSK_USER:-squash}"
+DISPLAY_WIDTH="${DISPLAY_WIDTH:-1920}"
+DISPLAY_HEIGHT="${DISPLAY_HEIGHT:-1080}"
+DISPLAY_REFRESH="${DISPLAY_REFRESH:-60}"
+GPU_MEM="${GPU_MEM:-256}"
+ENABLE_WATCHDOG="${ENABLE_WATCHDOG:-true}"
+ENABLE_AUTO_LOGIN="${ENABLE_AUTO_LOGIN:-true}"
+ENABLE_HDMI_KEEP_ALIVE="${ENABLE_HDMI_KEEP_ALIVE:-true}"
+
+echo "Configuration:"
+echo "  URL: ${KIOSK_URL}"
+echo "  User: ${KIOSK_USER}"
+echo "  Display: ${DISPLAY_WIDTH}x${DISPLAY_HEIGHT}@${DISPLAY_REFRESH}Hz"
+
+# Install required packages
+echo "Installing required packages..."
+host_exec apt-get update
+host_exec apt-get install -y chromium-browser xorg xinit x11-xserver-utils unclutter || \
+host_exec apt-get install -y chromium xorg xinit x11-xserver-utils unclutter
+
+# Create kiosk user if it doesn't exist
+if ! host_exec id -u ${KIOSK_USER} >/dev/null 2>&1; then
+    echo "Creating user ${KIOSK_USER}..."
+    host_exec useradd -m -s /bin/bash ${KIOSK_USER}
+    host_exec usermod -aG video,audio ${KIOSK_USER}
+fi
+
+# Setup auto-login if enabled
+if [ "${ENABLE_AUTO_LOGIN}" = "true" ]; then
+    echo "Configuring auto-login for ${KIOSK_USER}..."
+    
+    host_exec mkdir -p /etc/systemd/system/getty@tty1.service.d
+    
+    # Create auto-login configuration
+    echo "[Service]" > /tmp/autologin.conf
+    echo "ExecStart=" >> /tmp/autologin.conf
+    echo "ExecStart=-/sbin/agetty --autologin ${KIOSK_USER} --noclear %I \$TERM" >> /tmp/autologin.conf
+    
+    host_exec cp /tmp/autologin.conf /etc/systemd/system/getty@tty1.service.d/autologin.conf
+    host_exec systemctl daemon-reload
+fi
+
+# Create kiosk script
+echo "Setting up kiosk script..."
+cat > /tmp/kiosk.sh << 'KIOSKSCRIPT'
+#!/bin/bash
+
+# Disable screen blanking and power management
+xset s noblank
+xset s off
+xset -dpms
+
+# Hide cursor after 1 second of inactivity
+unclutter -idle 1 &
+
+# Force display resolution
+xrandr --output HDMI-1 --mode DISPLAY_WIDTH_PLACEHOLDERxDISPLAY_HEIGHT_PLACEHOLDER --rate DISPLAY_REFRESH_PLACEHOLDER 2>/dev/null || \
+xrandr --output HDMI-2 --mode DISPLAY_WIDTH_PLACEHOLDERxDISPLAY_HEIGHT_PLACEHOLDER --rate DISPLAY_REFRESH_PLACEHOLDER 2>/dev/null || \
+xrandr --output default --mode DISPLAY_WIDTH_PLACEHOLDERxDISPLAY_HEIGHT_PLACEHOLDER --rate DISPLAY_REFRESH_PLACEHOLDER 2>/dev/null || true
+
+# Start Chromium in kiosk mode
+chromium-browser \
+  --window-size=DISPLAY_WIDTH_PLACEHOLDER,DISPLAY_HEIGHT_PLACEHOLDER \
+  --window-position=0,0 \
+  --noerrdialogs \
+  --disable-infobars \
+  --disable-features=TranslateUI \
+  --disable-extensions \
+  --disable-plugins \
+  --disable-web-security \
+  --disable-features=VizDisplayCompositor \
+  --start-fullscreen \
+  --kiosk \
+  --incognito \
+  --no-first-run \
+  --fast \
+  --fast-start \
+  --disable-default-apps \
+  --disable-translate \
+  --disable-background-timer-throttling \
+  --disable-renderer-backgrounding \
+  --disable-backgrounding-occluded-windows \
+  --disable-component-extensions-with-background-pages \
+  --autoplay-policy=no-user-gesture-required \
+  "KIOSK_URL_PLACEHOLDER"
+KIOSKSCRIPT
+
+# Replace placeholders
+sed -i "s|DISPLAY_WIDTH_PLACEHOLDER|${DISPLAY_WIDTH}|g" /tmp/kiosk.sh
+sed -i "s|DISPLAY_HEIGHT_PLACEHOLDER|${DISPLAY_HEIGHT}|g" /tmp/kiosk.sh
+sed -i "s|DISPLAY_REFRESH_PLACEHOLDER|${DISPLAY_REFRESH}|g" /tmp/kiosk.sh
+sed -i "s|KIOSK_URL_PLACEHOLDER|${KIOSK_URL}|g" /tmp/kiosk.sh
+
+host_exec cp /tmp/kiosk.sh /home/${KIOSK_USER}/kiosk.sh
+host_exec chmod +x /home/${KIOSK_USER}/kiosk.sh
+host_exec chown ${KIOSK_USER}:${KIOSK_USER} /home/${KIOSK_USER}/kiosk.sh
+
+# Setup watchdog if enabled
+if [ "${ENABLE_WATCHDOG}" = "true" ]; then
+    echo "Setting up watchdog script..."
+    cat > /tmp/watchdog.sh << 'WATCHDOG'
+#!/bin/bash
+while true; do
+    if ! pgrep chromium > /dev/null; then
+        echo "$(date): Chromium not running, restarting..." >> /home/KIOSK_USER_PLACEHOLDER/watchdog.log
+        DISPLAY=:0 /home/KIOSK_USER_PLACEHOLDER/kiosk.sh &
+    fi
+    sleep 30
+done
+WATCHDOG
+    
+    sed -i "s|KIOSK_USER_PLACEHOLDER|${KIOSK_USER}|g" /tmp/watchdog.sh
+    
+    host_exec cp /tmp/watchdog.sh /home/${KIOSK_USER}/watchdog.sh
+    host_exec chmod +x /home/${KIOSK_USER}/watchdog.sh
+    host_exec chown ${KIOSK_USER}:${KIOSK_USER} /home/${KIOSK_USER}/watchdog.sh
+fi
+
+# Configure .bashrc for auto-start
+echo "Configuring auto-start..."
+if ! host_exec grep -q "Auto-start X server" /home/${KIOSK_USER}/.bashrc 2>/dev/null; then
+    cat > /tmp/bashrc_append << 'BASHRC'
+
+# Auto-start X server and kiosk on login
+if [ -z "$DISPLAY" ] && [ "$XDG_VTNR" = 1 ]; then
+    exec startx ~/kiosk.sh
+fi
+BASHRC
+    
+    if [ "${ENABLE_WATCHDOG}" = "true" ]; then
+        echo '~/watchdog.sh &' >> /tmp/bashrc_append
+    fi
+    
+    host_exec sh -c "cat /tmp/bashrc_append >> /home/${KIOSK_USER}/.bashrc"
+fi
+
+# Disable automatic updates
+echo "Disabling automatic updates..."
+host_exec systemctl disable apt-daily.service 2>/dev/null || true
+host_exec systemctl disable apt-daily.timer 2>/dev/null || true
+host_exec systemctl disable apt-daily-upgrade.timer 2>/dev/null || true
+host_exec systemctl disable apt-daily-upgrade.service 2>/dev/null || true
+
+# Configure GPU memory split (Raspberry Pi specific)
+if host_exec test -f /boot/firmware/config.txt || host_exec test -f /boot/config.txt; then
+    echo "Configuring GPU memory split..."
+    CONFIG_FILE="/boot/firmware/config.txt"
+    host_exec test -f /boot/config.txt && CONFIG_FILE="/boot/config.txt"
+    
+    if ! host_exec grep -q "^gpu_mem=" ${CONFIG_FILE}; then
+        echo "gpu_mem=${GPU_MEM}" > /tmp/gpu_mem
+        host_exec sh -c "cat /tmp/gpu_mem >> ${CONFIG_FILE}"
+    else
+        host_exec sed -i "s/^gpu_mem=.*/gpu_mem=${GPU_MEM}/" ${CONFIG_FILE}
+    fi
+fi
+
+# Setup HDMI keep-alive service if enabled
+if [ "${ENABLE_HDMI_KEEP_ALIVE}" = "true" ]; then
+    echo "Setting up HDMI keep-alive service..."
+    cat > /tmp/hdmi-keep-alive.service << 'HDMISERVICE'
+[Unit]
+Description=Keep HDMI active
+After=graphical.target
+
+[Service]
+Type=simple
+ExecStart=/bin/sh -c 'while true; do tvservice -p 2>/dev/null || true; sleep 60; done'
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=graphical.target
+HDMISERVICE
+    
+    host_exec cp /tmp/hdmi-keep-alive.service /etc/systemd/system/hdmi-keep-alive.service
+    host_exec systemctl daemon-reload
+    host_exec systemctl enable hdmi-keep-alive.service 2>/dev/null || true
+fi
+
+echo ""
+echo "Squash Display kiosk setup complete!"
+echo ""
+echo "Configuration applied:"
+echo "  URL: ${KIOSK_URL}"
+echo "  User: ${KIOSK_USER}"
+echo "  Display: ${DISPLAY_WIDTH}x${DISPLAY_HEIGHT}@${DISPLAY_REFRESH}Hz"
+echo "  Watchdog: ${ENABLE_WATCHDOG}"
+echo "  Auto-login: ${ENABLE_AUTO_LOGIN}"
+echo ""
+echo "Please reboot the system for all changes to take effect."
--- a/squashdisplay/start.sh
+++ b/squashdisplay/start.sh
@@ -5,179 +5,45 @@ _check_required_env_vars "CONTAINER_NAME" "IMAGE_REGISTRY" "IMAGE_REPO" "IMAGE_T

 echo "Starting Squash Display setup container..."

-# Create the setup script as a heredoc that will be executed in the container
-SETUP_SCRIPT='#!/bin/sh
-set -e
+# Get the directory where this script is located
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

-echo "Starting Squash Display kiosk setup..."
-
-# Function to run commands on the host
-host_exec() {
-    nsenter -t 1 -m -u -i -n -p -- "$@"
-}
-
-# Install required packages
-echo "Installing required packages..."
-host_exec apt-get update
-host_exec apt-get install -y chromium-browser xorg xinit x11-xserver-utils unclutter || \
-host_exec apt-get install -y chromium xorg xinit x11-xserver-utils unclutter
-
-# Create kiosk user if it does not exist
-if ! host_exec id -u '"${KIOSK_USER}"' >/dev/null 2>&1; then
-    echo "Creating user '"${KIOSK_USER}"'..."
-    host_exec useradd -m -s /bin/bash '"${KIOSK_USER}"'
-    host_exec usermod -aG video,audio '"${KIOSK_USER}"'
+# Check if setup.sh exists
+if [ ! -f "${SCRIPT_DIR}/setup.sh" ]; then
+    echo "Error: setup.sh not found in ${SCRIPT_DIR}"
+    _die "Setup script not found!"
 fi

-# Setup auto-login if enabled
-if [ "'"${ENABLE_AUTO_LOGIN}"'" = "true" ]; then
-    echo "Configuring auto-login for '"${KIOSK_USER}"'..."
+# Make setup script executable
+chmod +x ${SCRIPT_DIR}/setup.sh

-    host_exec mkdir -p /etc/systemd/system/getty@tty1.service.d
-    cat <<EOF | host_exec tee /etc/systemd/system/getty@tty1.service.d/autologin.conf
-[Service]
-ExecStart=
-ExecStart=-/sbin/agetty --autologin '"${KIOSK_USER}"' --noclear %I \$TERM
-EOF
-    host_exec systemctl daemon-reload
-fi
+echo "Found setup script at: ${SCRIPT_DIR}/setup.sh"

-# Create kiosk script
-echo "Setting up kiosk script..."
-cat <<'"'"'KIOSKSCRIPT'"'"' | host_exec tee /home/'"${KIOSK_USER}"'/kiosk.sh
-#!/bin/bash
-
-# Disable screen blanking and power management
-xset s noblank
-xset s off
-xset -dpms
-
-# Hide cursor after 1 second of inactivity
-unclutter -idle 1 &
-
-# Force display resolution
-xrandr --output HDMI-1 --mode '"${DISPLAY_WIDTH}x${DISPLAY_HEIGHT}"' --rate '"${DISPLAY_REFRESH}"' 2>/dev/null || \
-xrandr --output HDMI-2 --mode '"${DISPLAY_WIDTH}x${DISPLAY_HEIGHT}"' --rate '"${DISPLAY_REFRESH}"' 2>/dev/null || \
-xrandr --output default --mode '"${DISPLAY_WIDTH}x${DISPLAY_HEIGHT}"' --rate '"${DISPLAY_REFRESH}"' 2>/dev/null || true
-
-# Start Chromium in kiosk mode
-chromium-browser \
-  --window-size='"${DISPLAY_WIDTH},${DISPLAY_HEIGHT}"' \
-  --window-position=0,0 \
-  --noerrdialogs \
-  --disable-infobars \
-  --disable-features=TranslateUI \
-  --disable-extensions \
-  --disable-plugins \
-  --disable-web-security \
-  --disable-features=VizDisplayCompositor \
-  --start-fullscreen \
-  --kiosk \
-  --incognito \
-  --no-first-run \
-  --fast \
-  --fast-start \
-  --disable-default-apps \
-  --disable-translate \
-  --disable-background-timer-throttling \
-  --disable-renderer-backgrounding \
-  --disable-backgrounding-occluded-windows \
-  --disable-component-extensions-with-background-pages \
-  --autoplay-policy=no-user-gesture-required \
-  "'"${KIOSK_URL}"'"
-KIOSKSCRIPT
-
-host_exec chmod +x /home/'"${KIOSK_USER}"'/kiosk.sh
-host_exec chown '"${KIOSK_USER}:${KIOSK_USER}"' /home/'"${KIOSK_USER}"'/kiosk.sh
-
-# Setup watchdog if enabled
-if [ "'"${ENABLE_WATCHDOG}"'" = "true" ]; then
-    echo "Setting up watchdog script..."
-    cat <<'"'"'WATCHDOG'"'"' | host_exec tee /home/'"${KIOSK_USER}"'/watchdog.sh
-#!/bin/bash
-while true; do
-    if ! pgrep chromium > /dev/null; then
-        echo "$(date): Chromium not running, restarting..." >> /home/'"${KIOSK_USER}"'/watchdog.log
-        DISPLAY=:0 /home/'"${KIOSK_USER}"'/kiosk.sh &
-    fi
-    sleep 30
-done
-WATCHDOG
-    host_exec chmod +x /home/'"${KIOSK_USER}"'/watchdog.sh
-    host_exec chown '"${KIOSK_USER}:${KIOSK_USER}"' /home/'"${KIOSK_USER}"'/watchdog.sh
-fi
-
-# Configure .bashrc for auto-start
-echo "Configuring auto-start..."
-if ! host_exec grep -q "Auto-start X server" /home/'"${KIOSK_USER}"'/.bashrc 2>/dev/null; then
-    cat <<'"'"'BASHRC'"'"' | host_exec tee -a /home/'"${KIOSK_USER}"'/.bashrc
-
-# Auto-start X server and kiosk on login
-if [ -z "$DISPLAY" ] && [ "$XDG_VTNR" = 1 ]; then
-    exec startx ~/kiosk.sh
-fi
-
-# Start watchdog in background
-if [ "'"${ENABLE_WATCHDOG}"'" = "true" ]; then
-    ~/watchdog.sh &
-fi
-BASHRC
-fi
-
-# Disable automatic updates
-echo "Disabling automatic updates..."
-host_exec systemctl disable apt-daily.service 2>/dev/null || true
-host_exec systemctl disable apt-daily.timer 2>/dev/null || true
-host_exec systemctl disable apt-daily-upgrade.timer 2>/dev/null || true
-host_exec systemctl disable apt-daily-upgrade.service 2>/dev/null || true
-
-# Configure GPU memory split (Raspberry Pi specific)
-if host_exec test -f /boot/firmware/config.txt || host_exec test -f /boot/config.txt; then
-    echo "Configuring GPU memory split..."
-    CONFIG_FILE="/boot/firmware/config.txt"
-    host_exec test -f /boot/config.txt && CONFIG_FILE="/boot/config.txt"
-    
-    if ! host_exec grep -q "^gpu_mem=" ${CONFIG_FILE}; then
-        echo "gpu_mem='"${GPU_MEM}"'" | host_exec tee -a ${CONFIG_FILE}
-    else
-        host_exec sed -i "s/^gpu_mem=.*/gpu_mem='"${GPU_MEM}"'/" ${CONFIG_FILE}
-    fi
-fi
-
-# Setup HDMI keep-alive service if enabled
-if [ "'"${ENABLE_HDMI_KEEP_ALIVE}"'" = "true" ]; then
-    echo "Setting up HDMI keep-alive service..."
-    cat <<'"'"'HDMISERVICE'"'"' | host_exec tee /etc/systemd/system/hdmi-keep-alive.service
-[Unit]
-Description=Keep HDMI active
-After=graphical.target
-
-[Service]
-Type=simple
-ExecStart=/bin/sh -c '"'"'while true; do tvservice -p 2>/dev/null || true; sleep 60; done'"'"'
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=graphical.target
-HDMISERVICE
-    host_exec systemctl daemon-reload
-    host_exec systemctl enable hdmi-keep-alive.service 2>/dev/null || true
-fi
-
-echo "Squash Display kiosk setup complete!"
-echo ""
-echo "Configuration:"
-echo "  URL: '"${KIOSK_URL}"'"
-echo "  User: '"${KIOSK_USER}"'"
-echo "  Display: '"${DISPLAY_WIDTH}x${DISPLAY_HEIGHT}@${DISPLAY_REFRESH}"'Hz"
-echo "  Watchdog: '"${ENABLE_WATCHDOG}"'"
-echo "  Auto-login: '"${ENABLE_AUTO_LOGIN}"'"
-echo ""
-echo "Please reboot the system for all changes to take effect."
-'
+# Set default values for any unset variables
+KIOSK_URL="${KIOSK_URL:-https://squash.kiwi/court/otog}"
+KIOSK_USER="${KIOSK_USER:-squash}"
+DISPLAY_WIDTH="${DISPLAY_WIDTH:-1920}"
+DISPLAY_HEIGHT="${DISPLAY_HEIGHT:-1080}"
+DISPLAY_REFRESH="${DISPLAY_REFRESH:-60}"
+GPU_MEM="${GPU_MEM:-256}"
+ENABLE_WATCHDOG="${ENABLE_WATCHDOG:-true}"
+ENABLE_AUTO_LOGIN="${ENABLE_AUTO_LOGIN:-true}"
+ENABLE_HDMI_KEEP_ALIVE="${ENABLE_HDMI_KEEP_ALIVE:-true}"

 # Build the docker run command - needs privileged access to configure host
+# Using --env-file to avoid quoting issues
+cat > /tmp/squashdisplay.env << EOF
+KIOSK_URL=${KIOSK_URL}
+KIOSK_USER=${KIOSK_USER}
+DISPLAY_WIDTH=${DISPLAY_WIDTH}
+DISPLAY_HEIGHT=${DISPLAY_HEIGHT}
+DISPLAY_REFRESH=${DISPLAY_REFRESH}
+GPU_MEM=${GPU_MEM}
+ENABLE_WATCHDOG=${ENABLE_WATCHDOG}
+ENABLE_AUTO_LOGIN=${ENABLE_AUTO_LOGIN}
+ENABLE_HDMI_KEEP_ALIVE=${ENABLE_HDMI_KEEP_ALIVE}
+EOF
+
 DOCKER_RUN_CMD="docker run -d \
    --restart no \
    --name ${CONTAINER_NAME} \
@@ -185,14 +51,20 @@ DOCKER_RUN_CMD="docker run -d \
    --pid=host \
    --network=host \
    -v /:/host \
+    -v ${SCRIPT_DIR}/setup.sh:/setup.sh:ro \
+    --env-file /tmp/squashdisplay.env \
    ${IMAGE_REGISTRY}/${IMAGE_REPO}:${IMAGE_TAG} \
-    sh -c 'echo \"${SETUP_SCRIPT}\" | sh'"
+    sh /setup.sh"

 # Create and start the container
 if ! _create_and_start_container "$DOCKER_RUN_CMD" "$CONTAINER_NAME"; then
+    rm -f /tmp/squashdisplay.env
    _die "Failed to start Squash Display setup container"
 fi

+# Clean up env file
+rm -f /tmp/squashdisplay.env
+
 # Wait for setup to complete
 echo "Running kiosk setup..."
 echo "This may take several minutes as packages are installed..."
--- a/tailscale/emergency_access.sh
+++ b/tailscale/emergency_access.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Emergency access script - maintains a reverse SSH tunnel as backup
+# Only use this if you have a reliable jump server
+
+# Configuration (set these in service.env)
+JUMP_SERVER="${EMERGENCY_JUMP_SERVER:-}"
+JUMP_USER="${EMERGENCY_JUMP_USER:-}"
+JUMP_PORT="${EMERGENCY_JUMP_PORT:-22}"
+LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"
+TUNNEL_PORT="${EMERGENCY_TUNNEL_PORT:-}"  # Port on jump server
+
+if [ -z "$JUMP_SERVER" ] || [ -z "$TUNNEL_PORT" ]; then
+    echo "Emergency access not configured. Skipping."
+    exit 0
+fi
+
+echo "Setting up emergency SSH reverse tunnel..."
+
+# Create systemd service for persistent reverse tunnel
+cat << EOF | sudo tee /etc/systemd/system/emergency-tunnel.service
+[Unit]
+Description=Emergency SSH Reverse Tunnel
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/ssh -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -N -R ${TUNNEL_PORT}:localhost:${LOCAL_SSH_PORT} ${JUMP_USER}@${JUMP_SERVER} -p ${JUMP_PORT}
+Restart=always
+RestartSec=30
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+sudo systemctl daemon-reload
+sudo systemctl enable emergency-tunnel.service
+sudo systemctl start emergency-tunnel.service
+
+echo "Emergency tunnel service configured."
+echo "In case of emergency, SSH to jump server and then:"
+echo "  ssh -p ${TUNNEL_PORT} localhost"
--- a/tailscale/healthcheck.sh
+++ b/tailscale/healthcheck.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# Tailscale health check and auto-recovery script
+# Run this via cron every 5-10 minutes
+
+CONTAINER_NAME="${CONTAINER_NAME:-tailscale}"
+MAX_RESTART_ATTEMPTS=3
+RESTART_COUNT_FILE="/tmp/tailscale_restart_count"
+
+# Check if container is running
+if ! docker ps --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
+    echo "$(date): Container not running, attempting to start..."
+    docker start "${CONTAINER_NAME}"
+    sleep 10
+fi
+
+# Check Tailscale connection status
+if ! docker exec "${CONTAINER_NAME}" tailscale status &>/dev/null; then
+    echo "$(date): Tailscale not connected properly"
+    
+    # Track restart attempts
+    if [ -f "$RESTART_COUNT_FILE" ]; then
+        COUNT=$(cat "$RESTART_COUNT_FILE")
+    else
+        COUNT=0
+    fi
+    
+    if [ "$COUNT" -lt "$MAX_RESTART_ATTEMPTS" ]; then
+        echo "$(date): Restart attempt $((COUNT + 1)) of $MAX_RESTART_ATTEMPTS"
+        docker restart "${CONTAINER_NAME}"
+        echo $((COUNT + 1)) > "$RESTART_COUNT_FILE"
+        
+        # Wait and try to reconnect
+        sleep 30
+        docker exec "${CONTAINER_NAME}" tailscale up --authkey="${TAILSCALE_AUTH_KEY}" 2>/dev/null || true
+    else
+        echo "$(date): Max restart attempts reached. Manual intervention needed."
+        # Could send alert here
+    fi
+else
+    # Connection is good, reset counter
+    [ -f "$RESTART_COUNT_FILE" ] && rm "$RESTART_COUNT_FILE"
+    echo "$(date): Tailscale is healthy"
+fi
--- a/tailscale/install_monitor.sh
+++ b/tailscale/install_monitor.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+# Install monitoring script for Tailscale
+# This sets up a cron job to check and recover Tailscale connection
+
+source "${AGENT_PATH}/common.sh"
+
+echo "Setting up Tailscale monitoring..."
+
+# Copy healthcheck script to a safe location
+MONITOR_SCRIPT="/opt/tailscale-monitor.sh"
+sudo cp "${CONFIG_PATH}/healthcheck.sh" "$MONITOR_SCRIPT"
+sudo chmod +x "$MONITOR_SCRIPT"
+
+# Create systemd service for monitoring (more reliable than cron)
+cat << 'EOF' | sudo tee /etc/systemd/system/tailscale-monitor.service
+[Unit]
+Description=Tailscale Connection Monitor
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStart=/bin/bash /opt/tailscale-monitor.sh
+Restart=always
+RestartSec=300
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Enable and start the monitor service
+sudo systemctl daemon-reload
+sudo systemctl enable tailscale-monitor.service
+sudo systemctl start tailscale-monitor.service
+
+echo "Tailscale monitoring service installed and started"
+
+# Also add a cron job as backup
+(crontab -l 2>/dev/null | grep -v tailscale-monitor; echo "*/5 * * * * /opt/tailscale-monitor.sh >> /var/log/tailscale-monitor.log 2>&1") | crontab -
+
+echo "Backup cron job added (runs every 5 minutes)"
--- a/tailscale/start.sh
+++ b/tailscale/start.sh
@@ -75,12 +75,27 @@ if [ -n "$TAILSCALE_EXTRA_ARGS" ]; then
    TAILSCALE_UP_CMD="${TAILSCALE_UP_CMD} ${TAILSCALE_EXTRA_ARGS}"
 fi

-# Execute tailscale up command
-if ! docker exec ${CONTAINER_NAME} ${TAILSCALE_UP_CMD}; then
-    echo "Warning: Failed to connect to Tailscale network automatically."
+# Execute tailscale up command with retries
+RETRY_COUNT=0
+MAX_RETRIES=5
+RETRY_DELAY=10
+
+while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+    if docker exec ${CONTAINER_NAME} ${TAILSCALE_UP_CMD}; then
+        echo "Successfully connected to Tailscale network!"
+        break
+    else
+        RETRY_COUNT=$((RETRY_COUNT + 1))
+        if [ $RETRY_COUNT -lt $MAX_RETRIES ]; then
+            echo "Connection attempt $RETRY_COUNT failed. Retrying in ${RETRY_DELAY} seconds..."
+            sleep $RETRY_DELAY
+        else
+            echo "Warning: Failed to connect after $MAX_RETRIES attempts."
            echo "You may need to connect manually using:"
            echo "  docker exec ${CONTAINER_NAME} tailscale up"
-fi
+        fi
+    fi
+done

 echo ""
 echo "Tailscale started successfully!"