artis3n.tailscale

This role initializes a Tailscale node.

Find supported operating systems on this role's Ansible Galaxy page.

Requirements

You must supply a tailscale_auth_key variable, which can be generated under your Tailscale account at https://login.tailscale.com/admin/authkeys.

Role Variables

tailscale_auth_key

Required

Is not required if tailscale_up_skip is set to true.

An ansible-vault encrypted variable containing a Tailscale Node Authorization auth key.

A Node Authorization auth key can be generated under your Tailscale account at https://login.tailscale.com/admin/authkeys.

Encrypt this variable with the following command:

ansible-vault encrypt_string --vault-id tailscale@.ci-vault-pass '[AUTH KEY VALUE HERE]' --name 'tailscale_auth_key'

See Ansible's documentation for an explanation of the ansible-vault encrypt_string command syntax.

release_stability

Default: stable

Whether to use the Tailscale stable or unstable track.

stable:

Stable releases. If you're not sure which track to use, pick this one.

unstable:

The bleeding edge. Pushed early and often. Expect rough edges!

tailscale_args

Pass any additional command-line arguments to tailscale up.

Note that this parameter does not support bash piping or command extensions like & or ;. Only tailscale up arguments can be passed.

Do not use this for --authkey. Use the tailscale_auth_key variable instead.

In the future, this parameter will be replaced with a map of supported command-line arguments. Since Tailscale is still undergoing rapid development, we are holding off on creating such an argument map until features are more stable.

verbose

Default: false

Whether to output additional information during role execution. Helpful for debugging and collecting information to submit in a GitHub issue on this repository.

tailscale_up_skip

Default: false

If set to true, tailscale_auth_key is not required.

Whether to install and configure Tailscale as a service but skip running tailscale up. Helpful when packaging up a Tailscale installation into a build process such as AMI creation when the server should not yet authenticate to your Tailscale network.

force

Default: false

If set to true, tailscale up will always run. This can be beneficial if tailscale has already been configured on a host but you want to re-run up with different arguments.

Dependencies

None

Example Playbook

You must include the tailscale_auth_key variable. We cannot force you to use an encrypted variable, but please use an encrypted variable.

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537

Pass arbitrary command-line arguments:

- name: Servers
  hosts: all
  tasks:
    - name: Get AZ subnets
      ec2_vpc_subnet_facts:
        region: "{{ placement.region }}"
        filters:
          vpc-id: "{{ vpc_id }}"
          availability-zone: "{{ placement.availability_zone }}"
      register: subnet_info

    - name: Set Subnet list
      set_fact:
        subnet_blocks: "{{ subnet_info.subnets | map(attribute='cidr_block') | list  }}"

    - name: Configure Sysctl
      sysctl:
        name: net.ipv4.ip_forward
        value: 1
        state: present
        ignoreerrors: true
        sysctl_set: true

    - name: Iptables Masquerade
      iptables:
        table: nat
        chain: POSTROUTING
        jump: MASQUERADE

    - name: Configure Tailscale
      include_role:
        name: artis3n.tailscale
      vars:
        tailscale_args: "--accept-routes=false --advertise-routes={{ subnet_blocks | join(',') }}"
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537

Get verbose output:

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537
        verbose: true

Install Tailscale, but don't authenticate to the network:

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        tailscale_up_skip: true

Run tailscale up on a host that has been previously configured:

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537
        force: true

License

MIT

Author Information

Ari Kalfus (@artis3n) dev@artis3nal.com

Development and Contributing

❗ Due to the encrypted Tailscale auth key in molecule/defaults/converge.yml, this repository can't successfully test PRs from forks. I'm working on how to enable collaboration and welcome any ideas.

This GitHub repository uses a dedicated "test" Tailscale account to authenticate Tailscale during CI runs. Each Docker container creates a new authorized machine in that test account. The machines are manually cleaned up every so often.

If you are interested in contributing to this repository, you must create a Tailscale account and generate a Node Authorization auth key.

Then, choose a password to encrypt with.

To run make test locally, write the password in a .ci-vault-pass file at the project root.

To run the GitHub Actions workflow, set a VAULT_PASS secret in your forked repository.

Then, run the following Ansible command to encrypt the auth key:

ansible-vault encrypt_string --vault-id tailscale@.ci-vault-pass '[AUTH KEY VALUE HERE]' --name 'tailscale_auth_key'

This will generate an encrypted string for you to set in the molecule/default/converge.yml playbook.