ansible/roles/private-access/tasks/main.yml

---
- name: Create systemd unit for Grafana private access
  template:
    src: kubectl-port-forward.service.j2
    dest: /etc/systemd/system/k8s-portforward-grafana.service
    mode: "0644"
  vars:
    unit_description: Port-forward Grafana for Tailscale access
    unit_namespace: observability
    unit_target: svc/observability-kube-prometheus-stack-grafana
    unit_local_port: 13080
    unit_remote_port: 80

- name: Create systemd unit for Prometheus private access
  template:
    src: kubectl-port-forward.service.j2
    dest: /etc/systemd/system/k8s-portforward-prometheus.service
    mode: "0644"
  vars:
    unit_description: Port-forward Prometheus for Tailscale access
    unit_namespace: observability
    unit_target: svc/observability-kube-prometh-prometheus
    unit_local_port: 19090
    unit_remote_port: 9090

- name: Create systemd unit for Flux UI private access
  template:
    src: kubectl-port-forward.service.j2
    dest: /etc/systemd/system/k8s-portforward-flux-ui.service
    mode: "0644"
  vars:
    unit_description: Port-forward Flux UI for Tailscale access
    unit_namespace: flux-system
    unit_target: svc/flux-system-weave-gitops
    unit_local_port: 19001
    unit_remote_port: 9001

- name: Reload systemd
  systemd:
    daemon_reload: true

- name: Enable and start private access port-forward services
  systemd:
    name: "{{ item }}"
    enabled: true
    state: started
  loop:
    - k8s-portforward-grafana.service
    - k8s-portforward-prometheus.service
    - k8s-portforward-flux-ui.service

- name: Configure Tailscale Serve for private access endpoints
  shell: >-
    tailscale serve reset &&
    tailscale serve --bg --tcp={{ private_access_grafana_port }} tcp://127.0.0.1:13080 &&
    tailscale serve --bg --tcp={{ private_access_prometheus_port }} tcp://127.0.0.1:19090 &&
    tailscale serve --bg --tcp={{ private_access_flux_port }} tcp://127.0.0.1:19001
  changed_when: true
feat: automate private tailnet access on cp1 2026-03-08 04:16:06 +00:00			`---`
			`- name: Create systemd unit for Grafana private access`
			`template:`
			`src: kubectl-port-forward.service.j2`
			`dest: /etc/systemd/system/k8s-portforward-grafana.service`
			`mode: "0644"`
			`vars:`
			`unit_description: Port-forward Grafana for Tailscale access`
			`unit_namespace: observability`
			`unit_target: svc/observability-kube-prometheus-stack-grafana`
			`unit_local_port: 13080`
			`unit_remote_port: 80`

			`- name: Create systemd unit for Prometheus private access`
			`template:`
			`src: kubectl-port-forward.service.j2`
			`dest: /etc/systemd/system/k8s-portforward-prometheus.service`
			`mode: "0644"`
			`vars:`
			`unit_description: Port-forward Prometheus for Tailscale access`
			`unit_namespace: observability`
			`unit_target: svc/observability-kube-prometh-prometheus`
			`unit_local_port: 19090`
			`unit_remote_port: 9090`

			`- name: Create systemd unit for Flux UI private access`
			`template:`
			`src: kubectl-port-forward.service.j2`
			`dest: /etc/systemd/system/k8s-portforward-flux-ui.service`
			`mode: "0644"`
			`vars:`
			`unit_description: Port-forward Flux UI for Tailscale access`
			`unit_namespace: flux-system`
			`unit_target: svc/flux-system-weave-gitops`
			`unit_local_port: 19001`
			`unit_remote_port: 9001`

			`- name: Reload systemd`
			`systemd:`
			`daemon_reload: true`

			`- name: Enable and start private access port-forward services`
			`systemd:`
			`name: "{{ item }}"`
			`enabled: true`
			`state: started`
			`loop:`
			`- k8s-portforward-grafana.service`
			`- k8s-portforward-prometheus.service`
			`- k8s-portforward-flux-ui.service`

			`- name: Configure Tailscale Serve for private access endpoints`
			`shell: >-`
			`tailscale serve reset &&`
			`tailscale serve --bg --tcp={{ private_access_grafana_port }} tcp://127.0.0.1:13080 &&`
			`tailscale serve --bg --tcp={{ private_access_prometheus_port }} tcp://127.0.0.1:19090 &&`
			`tailscale serve --bg --tcp={{ private_access_flux_port }} tcp://127.0.0.1:19001`
			`changed_when: true`