diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 900925e..5cd58d3 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -16,7 +16,6 @@ env:
 TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
 TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
 TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
- TF_VAR_tailscale_auth_key: ${{ secrets.TAILSCALE_AUTH_KEY }}
 TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
 
 jobs:
@@ -175,6 +174,7 @@ jobs:
 run: |
 ansible-playbook site.yml \
 -e "hcloud_token=${{ secrets.HCLOUD_TOKEN }}" \
+ -e "tailscale_auth_key=${{ secrets.TAILSCALE_AUTH_KEY }}" \
 -e "cluster_name=k8s-cluster"
 env:
 ANSIBLE_HOST_KEY_CHECKING: "False"
diff --git a/.gitea/workflows/destroy.yml b/.gitea/workflows/destroy.yml
index c0d4d8a..a2f9ba5 100644
--- a/.gitea/workflows/destroy.yml
+++ b/.gitea/workflows/destroy.yml
@@ -15,7 +15,6 @@ env:
 TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
 TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
 TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
- TF_VAR_tailscale_auth_key: ${{ secrets.TAILSCALE_AUTH_KEY }}
 TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
 
 jobs:
diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml
index 79c3ef4..85be965 100644
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@@ -1,2 +1,5 @@
 ---
 common_upgrade_packages: false
+tailscale_auth_key: ""
+tailscale_ssh: false
+tailscale_accept_routes: false
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index b5067b2..d37dbca 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
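Review bot: The added `-e "tailscale_auth_key=${{ secrets.TAILSCALE_AUTH_KEY }}"` puts the auth key into the ansible-playbook argv, where any process on the runner can read it via `ps` and where it can surface in Ansible's own error output; the forge masks the value in the job log, not in argv. The step already has an `env:` block, so the key can ride there instead — `TAILSCALE_AUTH_KEY: ${{ secrets.TAILSCALE_AUTH_KEY }}` — and be picked up in the playbook or role vars with `tailscale_auth_key: "{{ lookup('env', 'TAILSCALE_AUTH_KEY') }}"`, which keeps the literal off the command line. The pre-existing `hcloud_token` argument has the same exposure. The step's `env:` block and the enclosing job continue outside the hunk.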
@@ -56,3 +56,31 @@
 - { name: net.bridge.bridge-nf-call-iptables, value: 1 }
 - { name: net.bridge.bridge-nf-call-ip6tables, value: 1 }
 - { name: net.ipv4.ip_forward, value: 1 }
+
+- name: Check if tailscale is installed
+ command: which tailscale
+ register: tailscale_binary
+ changed_when: false
+ failed_when: false
+ when: tailscale_auth_key | length > 0
+
+- name: Install tailscale
+ shell: curl -fsSL https://tailscale.com/install.sh | sh
+ when:
+ - tailscale_auth_key | length > 0
+ - tailscale_binary.rc != 0
+ changed_when: true
+
+- name: Check tailscale connection state
+ command: tailscale status --json
+ register: tailscale_status
+ changed_when: false
+ failed_when: false
+ when: tailscale_auth_key | length > 0
+
+- name: Connect node to tailnet
+ command: tailscale up --authkey {{ tailscale_auth_key }} --hostname {{ inventory_hostname }} --ssh={{ tailscale_ssh | ternary('true', 'false') }} --accept-routes={{ tailscale_accept_routes | ternary('true', 'false') }}
+ when:
+ - tailscale_auth_key | length > 0
+ - tailscale_status.rc != 0 or '"BackendState":"Running"' not in tailscale_status.stdout
+ changed_when: true
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 6c8c6a1..719ba02 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -10,7 +10,6 @@ s3_bucket = "k8s-terraform-state"
 
 cluster_name = "k8s-prod"
 
-tailscale_auth_key = "tskey-auth-..."
 tailscale_tailnet = "yourtailnet.ts.net"
 restrict_api_ssh_to_tailnet = true
 
diff --git a/terraform/servers.tf b/terraform/servers.tf
index 74ebe18..5b72730 100644
--- a/terraform/servers.tf
+++ b/terraform/servers.tf
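Review bot: The `'"BackendState":"Running"' not in tailscale_status.stdout` test on the connect task's `when` never matches, because `tailscale status --json` emits indented JSON with a space after the colon (`"BackendState": "Running"`), so `tailscale up --authkey …` re-runs on every play rather than only when the node is logged out. That task also lacks `no_log`, so the `command` line — auth key included — is printed in play output and is visible in `ps` on the node while it runs; parse the status with `from_json`, mark the task `no_log: true`, and if the installed release accepts `--auth-key=file:/path`, prefer that to keep the key out of argv entirely. The install task still executes an unpinned `curl … | sh` as root; the distro package from Tailscale's signed apt/yum repo, or at least downloading the script and verifying it before running, would remove that supply-chain exposure. Separately, with bootstrap moved out of cloud-init the nodes join the tailnet only after this play, so if `restrict_api_ssh_to_tailnet = true` (still in terraform.tfvars.example) limits SSH to the tailnet, confirm Ansible can reach fresh nodes some other way on first run.

```yaml
# … unchanged: install check and install tasks …

- name: Check tailscale connection state
  command: tailscale status --json
  register: tailscale_status
  changed_when: false
  failed_when: false
  when: tailscale_auth_key | length > 0

- name: Connect node to tailnet
  command: >-
    tailscale up --authkey {{ tailscale_auth_key }}
    --hostname {{ inventory_hostname }}
    --ssh={{ tailscale_ssh | ternary('true', 'false') }}
    --accept-routes={{ tailscale_accept_routes | ternary('true', 'false') }}
  no_log: true
  when:
    - tailscale_auth_key | length > 0
    - tailscale_status.rc != 0 or (tailscale_status.stdout | from_json).BackendState != 'Running'
  changed_when: true
```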
@@ -17,14 +17,6 @@ resource "hcloud_server" "control_plane" {
 role = "control-plane"
 }
 
- user_data = <<-EOF
- #cloud-config
- package_update: true
- runcmd:
- - curl -fsSL https://tailscale.com/install.sh | sh
- - tailscale up --authkey '${var.tailscale_auth_key}' --hostname '${var.cluster_name}-cp-${count.index + 1}' --ssh=false --accept-routes=false
- EOF
-
 network {
 network_id = hcloud_network.cluster.id
 ip = cidrhost(var.subnet_cidr, 10 + count.index)
@@ -52,14 +44,6 @@ resource "hcloud_server" "workers" {
 role = "worker"
 }
 
- user_data = <<-EOF
- #cloud-config
- package_update: true
- runcmd:
- - curl -fsSL https://tailscale.com/install.sh | sh
- - tailscale up --authkey '${var.tailscale_auth_key}' --hostname '${var.cluster_name}-worker-${count.index + 1}' --ssh=false --accept-routes=false
- EOF
-
 network {
 network_id = hcloud_network.cluster.id
 ip = cidrhost(var.subnet_cidr, 20 + count.index)
diff --git a/terraform/variables.tf b/terraform/variables.tf
index e71f506..d21f797 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -76,12 +76,6 @@ variable "tailnet_cidr" {
 default = "100.64.0.0/10"
 }
 
-variable "tailscale_auth_key" {
- description = "Tailscale auth key for node bootstrap"
- type = string
- sensitive = true
-}
-
 variable "tailscale_tailnet" {
 description = "Tailnet domain suffix, e.g. mytailnet.ts.net"
 type = string