feat: integrate tailscale access and lock SSH/API to tailnet

terraform/variables.tf

@@ -55,13 +55,42 @@ variable "location" {
 variable "allowed_ssh_ips" {
   description = "IP ranges allowed for SSH access"
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = []
 }
 
 variable "allowed_api_ips" {
   description = "IP ranges allowed for Kubernetes API access"
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = []
+}
+
+variable "restrict_api_ssh_to_tailnet" {
+  description = "Restrict SSH and Kubernetes API to tailnet CIDR"
+  type        = bool
+  default     = true
+}
+
+variable "tailnet_cidr" {
+  description = "Tailnet CIDR used for SSH/API access"
+  type        = string
+  default     = "100.64.0.0/10"
+}
+
+variable "tailscale_auth_key" {
+  description = "Tailscale auth key for node bootstrap"
+  type        = string
+  sensitive   = true
+}
+
+variable "tailscale_tailnet" {
+  description = "Tailnet domain suffix, e.g. mytailnet.ts.net"
+  type        = string
+}
+
+variable "enable_nodeport_public" {
+  description = "Allow public NodePort traffic"
+  type        = bool
+  default     = false
 }
 
 variable "network_cidr" {