/ansible-role-tailscale

Ansible role to install and enable a Tailscale node.

Primary LanguageDockerfileMIT LicenseMIT

artis3n.tailscale

Ansible Role GitHub Workflow Status (branch) GitHub release (latest SemVer including pre-releases) GitHub last commit GitHub GitHub Sponsors GitHub followers Twitter Follow

This role initializes a Tailscale node. If Tailscale is already installed, this role will update Tailscale to the latest version.

Supported operating systems:

  • Debian
  • Ubuntu
  • CentOS / RedHat
  • Amazon Linux 2
  • Oracle Linux
  • Fedora
  • Arch Linux
  • Raspbian (untested but should work)

See the CI worfklow for the list of distribution versions actively tested in each pull request.

This role does not re-apply the up command if Tailscale is already logged in. This will be supported in a future release.

Requirements

You must supply a tailscale_auth_key variable, which can be generated under your Tailscale account at https://login.tailscale.com/admin/authkeys.

Role Variables

Required

One of tailscale_auth_key or tailscale_up_skip must be present. In most cases you will use tailscale_auth_key.

tailscale_auth_key

Is not required if tailscale_up_skip is set to true.

A Tailscale Node Authorization auth key.

A Node Authorization auth key can be generated under your Tailscale account at https://login.tailscale.com/admin/authkeys. Note that reusable authorization keys now expire 90 days after they are generated.

This value should be treated as a sensitive secret. You are encouraged to use ansible-vault to encrypt this value in your playbook.

tailscale_up_skip

If set to true, tailscale_auth_key is not required.

Default: false

Whether to install and configure Tailscale as a service but skip running tailscale up. Helpful when packaging up a Tailscale installation into a build process such as AMI creation when the server should not yet authenticate to your Tailscale network.

Optional

insecurely_log_authkey

Default: false

If set to true, the "Bring Tailscale Up" command will not mask any failing output message. The authkey is not logged in successful task completions. Since the authkey is printed to the console if the task fails, no_log is enabled by default on the task.

If you are encountering an error bringing Tailscale up and want the "Bring Tailscale Up" task to log details on the error, set this variable to true.

force

Default: false

If set to true, tailscale up will always run. This can be beneficial if tailscale has already been configured on a host but you want to re-run up with different arguments.

release_stability

Default: stable

Whether to use the Tailscale stable or unstable track.

stable:

Stable releases. If you're not sure which track to use, pick this one.

unstable:

The bleeding edge. Pushed early and often. Expect rough edges!

tailscale_args

Pass any additional command-line arguments to tailscale up.

Note that this parameter does not support bash piping or command extensions like & or ;. Only tailscale up arguments can be passed.

Do not use this for --authkey. Use the tailscale_auth_key variable instead.

In the future, this parameter will be replaced with a map of supported command-line arguments. Since Tailscale is still undergoing rapid development, we are holding off on creating such an argument map until features are more stable.

verbose

Default: false

Whether to output additional information during role execution. Helpful for debugging and collecting information to submit in a GitHub issue on this repository.

Dependencies

None

Example Playbook

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537

Pass arbitrary command-line arguments:

- name: Servers
  hosts: all
  tasks:
    - name: Get AZ subnets
      ec2_vpc_subnet_facts:
        region: "{{ placement.region }}"
        filters:
          vpc-id: "{{ vpc_id }}"
          availability-zone: "{{ placement.availability_zone }}"
      register: subnet_info

    - name: Set Subnet list
      set_fact:
        subnet_blocks: "{{ subnet_info.subnets | map(attribute='cidr_block') | list  }}"

    - name: Configure Sysctl
      sysctl:
        name: net.ipv4.ip_forward
        value: 1
        state: present
        ignoreerrors: true
        sysctl_set: true

    - name: Iptables Masquerade
      iptables:
        table: nat
        chain: POSTROUTING
        jump: MASQUERADE

    - name: Configure Tailscale
      include_role:
        name: artis3n.tailscale
      vars:
        tailscale_args: "--accept-routes=false --advertise-routes={{ subnet_blocks | join(',') }}"
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537

Get verbose output:

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        verbose: true
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537

Install Tailscale, but don't authenticate to the network:

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        tailscale_up_skip: true

Run tailscale up on a host that has been previously configured:

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        force: true
        # Fake example encrypted by ansible-vault
        tailscale_auth_key: !vault |
          $ANSIBLE_VAULT;1.2;AES256;tailscale
          32616238303134343065613038383933333733383765653166346564363332343761653761646363
          6637666565626333333664363739613366363461313063640a613330393062323161636235383936
          37373734653036613133613533376139383138613164323661386362376335316364653037353631
          6539646561373535610a643334396234396332376431326565383432626232383131303131363362
          3537

License

MIT

Author Information

Ari Kalfus (@artis3n) dev@artis3nal.com

Development and Contributing

This GitHub repository uses a dedicated "test" Tailscale account to authenticate Tailscale during CI runs. Each Docker container creates a new authorized machine in that test account. The machines are authorized with ephemeral auth keys and are automatically cleaned up within 30 minutes-48 hours.

This value is stored in a GitHub Action secret with the name TAILSCALE_CI_KEY. If you are interested in contributing to this repository, you must create a Tailscale account and generate a Node Authorization ephemeral auth key. Fork this repo and add an ephemeral auth key to the fork's secrets under the name TAILSCALE_CI_KEY.

To test this role locally, store the Tailscale ephemeral auth key in a TAILSCALE_CI_KEY env var.

If you are a Collaborator on this repository, you can open a GitHub Codespace and the TAILSCALE_CI_KEY will be populated for you.