diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 7176667..5575c1b 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -17,6 +17,8 @@ env:
 TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
 TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
 TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+ TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
+ TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 jobs:
 terraform:
@@ -191,42 +193,9 @@ jobs:
 apt-get update && apt-get install -y python3-pip
 pip3 install --break-system-packages ansible kubernetes jinja2 pyyaml
- - name: Install Tailscale on runner
- run: curl -fsSL https://tailscale.com/install.sh | sh
- - name: Start tailscaled daemon
+ - name: Note runner connectivity mode
 run: |
- set -e
- if command -v systemctl >/dev/null 2>&1; then
- systemctl enable --now tailscaled || true
- fi
- if ! pgrep -x tailscaled >/dev/null 2>&1; then
- service tailscaled start || true
- fi
- if ! pgrep -x tailscaled >/dev/null 2>&1; then
- mkdir -p /var/run/tailscale /var/lib/tailscale
- nohup tailscaled --state=/var/lib/tailscale/tailscaled.state >/tmp/tailscaled.log 2>&1 &
- fi
- for i in $(seq 1 30); do
- tailscale status >/dev/null 2>&1 && exit 0
- sleep 1
- done
- echo "tailscaled failed to start"
- if [ -f /tmp/tailscaled.log ]; then cat /tmp/tailscaled.log; fi
- exit 1
- - name: Connect runner to tailnet
- run: |
- tailscale up \
- --authkey "${{ secrets.TAILSCALE_CI_AUTH_KEY }}" \
- --hostname "gitea-runner-${{ github.run_number }}" \
- --ssh=false \
- --accept-routes=false
- - name: Verify runner tailnet status
- run: |
- tailscale status
- tailscale ip -4
+ echo "Using runner public network access with RUNNER_ALLOWED_CIDRS for SSH/API"
 - name: Install Ansible Collections
 run: ansible-galaxy collection install -r ansible/requirements.yml
diff --git a/.gitea/workflows/destroy.yml b/.gitea/workflows/destroy.yml
index a2f9ba5..d72febe 100644
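Review bot: `TF_VAR_allowed_ssh_ips` and `TF_VAR_allowed_api_ips` are both fed from the single secret `RUNNER_ALLOWED_CIDRS`, so the SSH allow-list and the API allow-list can never diverge even though API clients often need a different set of source ranges than the runner's egress; the same mapping appears in the destroy.yml hunk. If the coupling is intentional, a comment above the two lines, `# Same CIDR list gates SSH and the API; split into separate secrets if API clients differ from the runner`, would stop the next reader from treating it as a copy-paste slip. The value is handed to Terraform as an opaque HCL-formatted string, so whether an empty or world-open value is rejected depends on the variable declarations in the Terraform code, which this diff does not show.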
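Review bot: The new `Note runner connectivity mode` step only prints a line and verifies nothing, while it replaces the steps that previously established and checked the runner's network path; with the tailnet gone, `RUNNER_ALLOWED_CIDRS` is the only network-level gate on SSH and the API that this workflow shows, and an empty or world-open value (the README hunk on this page gives `["0.0.0.0/0"]` as an example) passes straight through to Terraform. I would turn the step into a fail-fast check that takes the secret via `env:` rather than interpolating `${{ }}` into the script body, and rejects empty or all-hosts values. Since `TAILSCALE_CI_AUTH_KEY` is no longer referenced by the workflow, the corresponding auth key should also be revoked so an unused credential is not left valid.
```yaml
      - name: Check runner allow-list
        env:
          RUNNER_ALLOWED_CIDRS: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
        run: |
          set -eu
          if [ -z "${RUNNER_ALLOWED_CIDRS:-}" ]; then
            echo "RUNNER_ALLOWED_CIDRS is not set; SSH/API access would be unrestricted or the plan would fail" >&2
            exit 1
          fi
          case "$RUNNER_ALLOWED_CIDRS" in
            *"0.0.0.0/0"*|*"::/0"*)
              echo "RUNNER_ALLOWED_CIDRS must not be world-open; use the runner egress CIDR" >&2
              exit 1 ;;
          esac
      # … unchanged: Install Ansible Collections step …
```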
--- a/.gitea/workflows/destroy.yml
+++ b/.gitea/workflows/destroy.yml
@@ -16,6 +16,8 @@ env:
 TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
 TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
 TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+ TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
+ TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 jobs:
 destroy:
diff --git a/README.md b/README.md
index 3cadfe1..0529bb5 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
 | `S3_BUCKET` | S3 bucket name (e.g., `k8s-terraform-state`) |
 | `TAILSCALE_AUTH_KEY` | Tailscale auth key for node bootstrap |
 | `TAILSCALE_TAILNET` | Tailnet domain (e.g., `yourtailnet.ts.net`) |
-| `TAILSCALE_CI_AUTH_KEY` | Tailscale auth key for CI runner |
+| `RUNNER_ALLOWED_CIDRS` | CIDR list (HCL format) allowed to SSH/API from CI runner, e.g. `["0.0.0.0/0"]` or your runner egress CIDR |
 | `SSH_PUBLIC_KEY` | SSH public key content |
 | `SSH_PRIVATE_KEY` | SSH private key content |
diff --git a/ansible/generate_inventory.py b/ansible/generate_inventory.py
index c6c6d78..dc931b2 100644
--- a/ansible/generate_inventory.py
+++ b/ansible/generate_inventory.py
@@ -32,12 +32,11 @@ def main():
 worker_names = outputs["worker_names"]["value"]
 worker_ips = outputs["worker_ips"]["value"]
 worker_private_ips = outputs["worker_private_ips"]["value"]
- tailnet = outputs["tailscale_tailnet"]["value"]
 control_planes = [
 {
 "name": name,
- "public_ip": f"{name}.{tailnet}" if tailnet else public_ip,
+ "public_ip": public_ip,
 "private_ip": private_ip,
 }
 for name, public_ip, private_ip in zip(
@@ -48,7 +47,7 @@ def main():
 workers = [
 {
 "name": name,
- "public_ip": f"{name}.{tailnet}" if tailnet else public_ip,
+ "public_ip": public_ip,
 "private_ip": private_ip,
 }
 for name, public_ip, private_ip in zip(
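Review bot: The `public_ip` entries built in the first generate_inventory.py hunk now carry the provider's public address instead of a tailnet name, so whatever consumes this inventory reaches the nodes over the public Internet, gated only by the `TF_VAR_allowed_ssh_ips` list set in the workflows; nothing in the hunk records that change of trust boundary. A one-line comment above `control_planes = [`, `# Hosts are addressed by public IP; reachability is restricted by TF_VAR_allowed_ssh_ips, not by a tailnet`, would explain why `tailnet` was dropped. The `tailscale_tailnet` Terraform output is no longer read here, so if nothing else consumes it the output can be retired too, though that is outside this diff. The body of `main()` starts and ends outside the hunk, and the `workers` hunk is the same change and needs no separate note.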