fix: avoid server replacement; install tailscale via Ansible

.gitea/workflows/deploy.yml

@@ -16,7 +16,6 @@ env:
   TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
-  TF_VAR_tailscale_auth_key: ${{ secrets.TAILSCALE_AUTH_KEY }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
 
 jobs:
@@ -175,6 +174,7 @@ jobs:
         run: |
           ansible-playbook site.yml \
             -e "hcloud_token=${{ secrets.HCLOUD_TOKEN }}" \
+            -e "tailscale_auth_key=${{ secrets.TAILSCALE_AUTH_KEY }}" \
             -e "cluster_name=k8s-cluster"
         env:
           ANSIBLE_HOST_KEY_CHECKING: "False"

.gitea/workflows/destroy.yml

@@ -15,7 +15,6 @@ env:
   TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
-  TF_VAR_tailscale_auth_key: ${{ secrets.TAILSCALE_AUTH_KEY }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
 
 jobs:

ansible/roles/common/defaults/main.yml

@@ -1,2 +1,5 @@
 ---
 common_upgrade_packages: false
+tailscale_auth_key: ""
+tailscale_ssh: false
+tailscale_accept_routes: false

ansible/roles/common/tasks/main.yml

@@ -56,3 +56,31 @@
     - { name: net.bridge.bridge-nf-call-iptables, value: 1 }
     - { name: net.bridge.bridge-nf-call-ip6tables, value: 1 }
     - { name: net.ipv4.ip_forward, value: 1 }
+
+- name: Check if tailscale is installed
+  command: which tailscale
+  register: tailscale_binary
+  changed_when: false
+  failed_when: false
+  when: tailscale_auth_key | length > 0
+
+- name: Install tailscale
+  shell: curl -fsSL https://tailscale.com/install.sh | sh
+  when:
+    - tailscale_auth_key | length > 0
+    - tailscale_binary.rc != 0
+  changed_when: true
+
+- name: Check tailscale connection state
+  command: tailscale status --json
+  register: tailscale_status
+  changed_when: false
+  failed_when: false
+  when: tailscale_auth_key | length > 0
+
+- name: Connect node to tailnet
+  command: tailscale up --authkey {{ tailscale_auth_key }} --hostname {{ inventory_hostname }} --ssh={{ tailscale_ssh | ternary('true', 'false') }} --accept-routes={{ tailscale_accept_routes | ternary('true', 'false') }}
+  when:
+    - tailscale_auth_key | length > 0
+    - tailscale_status.rc != 0 or '"BackendState":"Running"' not in tailscale_status.stdout
+  changed_when: true

terraform.tfvars.example

@@ -10,7 +10,6 @@ s3_bucket     = "k8s-terraform-state"
 
 cluster_name = "k8s-prod"
 
-tailscale_auth_key = "tskey-auth-..."
 tailscale_tailnet  = "yourtailnet.ts.net"
 
 restrict_api_ssh_to_tailnet = true

terraform/servers.tf

@@ -17,14 +17,6 @@ resource "hcloud_server" "control_plane" {
     role    = "control-plane"
   }
 
-  user_data = <<-EOF
-    #cloud-config
-    package_update: true
-    runcmd:
-      - curl -fsSL https://tailscale.com/install.sh | sh
-      - tailscale up --authkey '${var.tailscale_auth_key}' --hostname '${var.cluster_name}-cp-${count.index + 1}' --ssh=false --accept-routes=false
-  EOF
-
   network {
     network_id = hcloud_network.cluster.id
     ip         = cidrhost(var.subnet_cidr, 10 + count.index)
@@ -52,14 +44,6 @@ resource "hcloud_server" "workers" {
     role    = "worker"
   }
 
-  user_data = <<-EOF
-    #cloud-config
-    package_update: true
-    runcmd:
-      - curl -fsSL https://tailscale.com/install.sh | sh
-      - tailscale up --authkey '${var.tailscale_auth_key}' --hostname '${var.cluster_name}-worker-${count.index + 1}' --ssh=false --accept-routes=false
-  EOF
-
   network {
     network_id = hcloud_network.cluster.id
     ip         = cidrhost(var.subnet_cidr, 20 + count.index)

terraform/variables.tf

@@ -76,12 +76,6 @@ variable "tailnet_cidr" {
   default     = "100.64.0.0/10"
 }
 
-variable "tailscale_auth_key" {
-  description = "Tailscale auth key for node bootstrap"
-  type        = string
-  sensitive   = true
-}
-
 variable "tailscale_tailnet" {
   description = "Tailnet domain suffix, e.g. mytailnet.ts.net"
   type        = string