From 213c1fb4e47cd2c56870a38e5f859db75325911c Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Tue, 3 Mar 2026 08:51:25 +0000
Subject: [PATCH] fix: detect tailscale tag permission errors and clean access output

---
 ansible/roles/observability/tasks/main.yml | 8 ++++----
 ansible/roles/tailscale-operator/tasks/main.yml | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ansible/roles/observability/tasks/main.yml b/ansible/roles/observability/tasks/main.yml
index 4d06478..e74bbc2 100644
--- a/ansible/roles/observability/tasks/main.yml
+++ b/ansible/roles/observability/tasks/main.yml
@@ -201,17 +201,17 @@
 debug:
 msg: |
 Observability stack deployed with Tailscale access!
-
+
 Grafana: http://grafana{% if grafana_lb_ip.stdout | default('') | length > 0 %} (or http://{{ grafana_lb_ip.stdout }}){% endif %}
 Prometheus: http://prometheus{% if prometheus_lb_ip.stdout | default('') | length > 0 %} (or http://{{ prometheus_lb_ip.stdout }}){% endif %}
-
+
 Login: admin / {{ grafana_password_effective }}
-
+
 Access via:
 - MagicDNS: http://grafana or http://prometheus (if enabled)
 - Direct endpoint: {% if grafana_lb_ip.stdout | default('') | length > 0 %}http://{{ grafana_lb_ip.stdout }}{% else %}(pending){% endif %} / {% if prometheus_lb_ip.stdout | default('') | length > 0 %}http://{{ prometheus_lb_ip.stdout }}{% else %}(pending){% endif %}
 - Tailnet FQDN: http://grafana.{{ tailscale_tailnet | default('tailnet.ts.net') }}
-
+
 Note: Ensure Tailscale Kubernetes Operator is installed first
 when:
 - tailscale_oauth_client_id | default('') | length > 0
diff --git a/ansible/roles/tailscale-operator/tasks/main.yml b/ansible/roles/tailscale-operator/tasks/main.yml
index 8e8cc0c..26c9841 100644
--- a/ansible/roles/tailscale-operator/tasks/main.yml
+++ b/ansible/roles/tailscale-operator/tasks/main.yml
@@ -115,17 +115,17 @@
 - name: Fail when Tailscale OAuth permissions are insufficient
 fail:
 msg: |
- Tailscale operator started but cannot create auth keys (403 permission error).
+ Tailscale operator started but cannot create auth keys (OAuth/tag permission error).
 Fix your Tailscale OAuth client/tag permissions.
 Required checks in Tailscale admin:
- - OAuth client has devices:core write access
+ - OAuth client has devices:core, auth_keys, and services write access
 - OAuth client can create tagged devices for: {{ tailscale_operator_default_tags | join(', ') }}
 - ACL/tag ownership allows those tags for this OAuth client
 Operator log excerpt: {{ tailscale_operator_logs.stdout | default('n/a') }}
- when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout)"
+ when: "tailscale_operator_logs.stdout is defined and ('does not have enough permissions' in tailscale_operator_logs.stdout or 'Status: 403' in tailscale_operator_logs.stdout or 'invalid or not permitted' in tailscale_operator_logs.stdout or 'Status: 400' in tailscale_operator_logs.stdout)"
 - name: Warn if Tailscale operator is not ready yet
 debug:
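Review bot: The new `'Status: 400' in tailscale_operator_logs.stdout` clause on the changed `when:` line makes this fail task trigger on any HTTP 400 the operator logs, not only the tag/OAuth rejection the commit targets, and the task then attributes an unrelated request error to OAuth permissions and aborts the play. The `'invalid or not permitted'` substring added alongside it appears to be the specific tag-permission text; if that phrase accompanies every such 400 (not verifiable from the hunk), the bare status match can be dropped, otherwise the message should say that a 400 may have another cause. The four `in` checks would also read better as a single regex test, e.g. `when: tailscale_operator_logs.stdout is defined and tailscale_operator_logs.stdout is search('does not have enough permissions|Status: 403|invalid or not permitted')`, which keeps the pattern list in one place for the next error string that gets added.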