From f5802f9ed0d9c326f6302047806994c3239dbbe5 Mon Sep 17 00:00:00 2001
From: Dorian <dorian@Dorians-MacBook-Air.local>
Date: Sun, 22 Mar 2026 17:01:02 +0000
Subject: [PATCH] fix: LND config escaping in SSH heredoc, Tailscale fallback
 for build source

- Fix shell escaping in LND config sync block (single-quoted SSH context
  doesn't need backslash-escaped dollars)
- deploy-tailscale.sh BUILD_SOURCE auto-detects Tailscale IP when LAN
  unreachable (fixes "No binary on .228" error)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 scripts/deploy-tailscale.sh | 13 ++++++++++++-
 scripts/deploy-to-target.sh | 27 ++++++++++++++-------------
 2 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/scripts/deploy-tailscale.sh b/scripts/deploy-tailscale.sh
index b7ad2601..0e60bebb 100755
--- a/scripts/deploy-tailscale.sh
+++ b/scripts/deploy-tailscale.sh
@@ -32,7 +32,18 @@ TARGET_DIR="/home/archipelago/archy"
 
 SSH_KEY="${ARCHIPELAGO_SSH_KEY:-$HOME/.ssh/archipelago-deploy}"
 SSH_OPTS="-o StrictHostKeyChecking=no -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o ConnectTimeout=10 -i $SSH_KEY"
-BUILD_SOURCE="archipelago@${DEFAULT_PRIMARY:-192.168.1.228}"
+BUILD_SOURCE_LAN="archipelago@${DEFAULT_PRIMARY:-192.168.1.228}"
+BUILD_SOURCE_TS="archipelago@$(tailscale status 2>/dev/null | grep 'archipelago-0' | awk '{print $1}')"
+# Try LAN first, fall back to Tailscale
+if ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -i "$SSH_KEY" "$BUILD_SOURCE_LAN" "echo ok" >/dev/null 2>&1; then
+    BUILD_SOURCE="$BUILD_SOURCE_LAN"
+elif [ "$BUILD_SOURCE_TS" != "archipelago@" ] && ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -i "$SSH_KEY" "$BUILD_SOURCE_TS" "echo ok" >/dev/null 2>&1; then
+    BUILD_SOURCE="$BUILD_SOURCE_TS"
+    echo "Build source: using Tailscale IP (LAN unreachable)"
+else
+    BUILD_SOURCE="$BUILD_SOURCE_LAN"
+    echo "WARNING: Build source may be unreachable"
+fi
 BUILD_DIR="/home/archipelago/archy"
 
 # Node registry
diff --git a/scripts/deploy-to-target.sh b/scripts/deploy-to-target.sh
index 595c58dd..7bc6b06f 100755
--- a/scripts/deploy-to-target.sh
+++ b/scripts/deploy-to-target.sh
@@ -1526,23 +1526,24 @@ LNDCONF
           else
             # Always ensure LND config has correct RPC credentials from secrets
             LND_CONF=/var/lib/archipelago/lnd/lnd.conf
-            CURRENT_PASS=\$(sudo grep "bitcoind.rpcpass=" "\$LND_CONF" 2>/dev/null | cut -d= -f2)
+            CURRENT_PASS=$(sudo grep "bitcoind.rpcpass=" "$LND_CONF" 2>/dev/null | cut -d= -f2)
             NEEDS_FIX=0
-            grep -q "rpccookie" "\$LND_CONF" 2>/dev/null && NEEDS_FIX=1
-            grep -q "rpchost=127.0.0.1" "\$LND_CONF" 2>/dev/null && NEEDS_FIX=1
-            [ "\$CURRENT_PASS" != "$BITCOIN_RPC_PASS" ] && NEEDS_FIX=1
-            if [ "\$NEEDS_FIX" = "1" ]; then
+            grep -q "rpccookie" "$LND_CONF" 2>/dev/null && NEEDS_FIX=1
+            grep -q "rpchost=127.0.0.1" "$LND_CONF" 2>/dev/null && NEEDS_FIX=1
+            RPC_PASS_EXPECTED=$(sudo cat /var/lib/archipelago/secrets/bitcoin-rpc-password 2>/dev/null)
+            [ "$CURRENT_PASS" != "$RPC_PASS_EXPECTED" ] && NEEDS_FIX=1
+            if [ "$NEEDS_FIX" = "1" ]; then
               echo "   Syncing LND config with current RPC credentials..."
-              sudo sed -i "/bitcoind.rpccookie/d" "\$LND_CONF"
-              sudo sed -i "s|bitcoind.rpchost=127.0.0.1:8332|bitcoind.rpchost=bitcoin-knots:8332|" "\$LND_CONF"
-              sudo sed -i "s|bitcoind.rpcpass=.*|bitcoind.rpcpass=$BITCOIN_RPC_PASS|" "\$LND_CONF"
-              if ! sudo grep -q "bitcoind.rpcuser=" "\$LND_CONF" 2>/dev/null; then
-                sudo sed -i "/bitcoind.rpchost=/a bitcoind.rpcuser=$BITCOIN_RPC_USER" "\$LND_CONF"
+              sudo sed -i "/bitcoind.rpccookie/d" "$LND_CONF"
+              sudo sed -i "s|bitcoind.rpchost=127.0.0.1:8332|bitcoind.rpchost=bitcoin-knots:8332|" "$LND_CONF"
+              sudo sed -i "s|bitcoind.rpcpass=.*|bitcoind.rpcpass=$RPC_PASS_EXPECTED|" "$LND_CONF"
+              if ! sudo grep -q "bitcoind.rpcuser=" "$LND_CONF" 2>/dev/null; then
+                sudo sed -i "/bitcoind.rpchost=/a bitcoind.rpcuser=archipelago" "$LND_CONF"
               fi
-              if ! sudo grep -q "bitcoind.rpcpass=" "\$LND_CONF" 2>/dev/null; then
-                sudo sed -i "/bitcoind.rpcuser=/a bitcoind.rpcpass=$BITCOIN_RPC_PASS" "\$LND_CONF"
+              if ! sudo grep -q "bitcoind.rpcpass=" "$LND_CONF" 2>/dev/null; then
+                sudo sed -i "/bitcoind.rpcuser=/a bitcoind.rpcpass=$RPC_PASS_EXPECTED" "$LND_CONF"
               fi
-              sudo chown 100000:100000 "\$LND_CONF"
+              sudo chown 100000:100000 "$LND_CONF"
               RESTART_LND=1
               echo "   LND config updated"
             fi