feat: integrate tailscale access and lock SSH/API to tailnet

.gitea/workflows/deploy.yml

@@ -16,6 +16,8 @@ env:
   TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
+  TF_VAR_tailscale_auth_key: ${{ secrets.TAILSCALE_AUTH_KEY }}
+  TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
 
 jobs:
   terraform:
@@ -155,6 +157,12 @@ jobs:
           apt-get update && apt-get install -y python3-pip
           pip3 install --break-system-packages ansible kubernetes jinja2 pyyaml
 
+      - name: Install Tailscale on runner
+        run: curl -fsSL https://tailscale.com/install.sh | sh
+
+      - name: Connect runner to tailnet
+        run: tailscale up --authkey "${{ secrets.TAILSCALE_CI_AUTH_KEY }}" --hostname "gitea-runner-${{ github.run_number }}" --ssh=false --accept-routes=false
+
       - name: Install Ansible Collections
         run: ansible-galaxy collection install -r ansible/requirements.yml
 

.gitea/workflows/destroy.yml

@@ -15,6 +15,8 @@ env:
   TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
+  TF_VAR_tailscale_auth_key: ${{ secrets.TAILSCALE_AUTH_KEY }}
+  TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
 
 jobs:
   destroy: