fix: remove CI tailscale dependency and allow runner CIDR exception

.gitea/workflows/deploy.yml

@@ -17,6 +17,8 @@ env:
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
+  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 
 jobs:
   terraform:
@@ -191,42 +193,9 @@ jobs:
           apt-get update && apt-get install -y python3-pip
           pip3 install --break-system-packages ansible kubernetes jinja2 pyyaml
 
-      - name: Install Tailscale on runner
-        run: curl -fsSL https://tailscale.com/install.sh | sh
-
-      - name: Start tailscaled daemon
+      - name: Note runner connectivity mode
         run: |
-          set -e
-          if command -v systemctl >/dev/null 2>&1; then
-            systemctl enable --now tailscaled || true
-          fi
-          if ! pgrep -x tailscaled >/dev/null 2>&1; then
-            service tailscaled start || true
-          fi
-          if ! pgrep -x tailscaled >/dev/null 2>&1; then
-            mkdir -p /var/run/tailscale /var/lib/tailscale
-            nohup tailscaled --state=/var/lib/tailscale/tailscaled.state >/tmp/tailscaled.log 2>&1 &
-          fi
-          for i in $(seq 1 30); do
-            tailscale status >/dev/null 2>&1 && exit 0
-            sleep 1
-          done
-          echo "tailscaled failed to start"
-          if [ -f /tmp/tailscaled.log ]; then cat /tmp/tailscaled.log; fi
-          exit 1
-
-      - name: Connect runner to tailnet
-        run: |
-          tailscale up \
-            --authkey "${{ secrets.TAILSCALE_CI_AUTH_KEY }}" \
-            --hostname "gitea-runner-${{ github.run_number }}" \
-            --ssh=false \
-            --accept-routes=false
-
-      - name: Verify runner tailnet status
-        run: |
-          tailscale status
-          tailscale ip -4
+          echo "Using runner public network access with RUNNER_ALLOWED_CIDRS for SSH/API"
 
       - name: Install Ansible Collections
         run: ansible-galaxy collection install -r ansible/requirements.yml

.gitea/workflows/destroy.yml

@@ -16,6 +16,8 @@ env:
   TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
   TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
   TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
+  TF_VAR_allowed_ssh_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
+  TF_VAR_allowed_api_ips: ${{ secrets.RUNNER_ALLOWED_CIDRS }}
 
 jobs:
   destroy:

README.md

@@ -164,7 +164,7 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
 | `S3_BUCKET` | S3 bucket name (e.g., `k8s-terraform-state`) |
 | `TAILSCALE_AUTH_KEY` | Tailscale auth key for node bootstrap |
 | `TAILSCALE_TAILNET` | Tailnet domain (e.g., `yourtailnet.ts.net`) |
-| `TAILSCALE_CI_AUTH_KEY` | Tailscale auth key for CI runner |
+| `RUNNER_ALLOWED_CIDRS` | CIDR list (HCL format) allowed to SSH/API from CI runner, e.g. `["0.0.0.0/0"]` or your runner egress CIDR |
 | `SSH_PUBLIC_KEY` | SSH public key content |
 | `SSH_PRIVATE_KEY` | SSH private key content |
 

ansible/generate_inventory.py

@@ -32,12 +32,11 @@ def main():
     worker_names = outputs["worker_names"]["value"]
     worker_ips = outputs["worker_ips"]["value"]
     worker_private_ips = outputs["worker_private_ips"]["value"]
-    tailnet = outputs["tailscale_tailnet"]["value"]
 
     control_planes = [
         {
             "name": name,
-            "public_ip": f"{name}.{tailnet}" if tailnet else public_ip,
+            "public_ip": public_ip,
             "private_ip": private_ip,
         }
         for name, public_ip, private_ip in zip(
@@ -48,7 +47,7 @@ def main():
     workers = [
         {
             "name": name,
-            "public_ip": f"{name}.{tailnet}" if tailnet else public_ip,
+            "public_ip": public_ip,
             "private_ip": private_ip,
         }
         for name, public_ip, private_ip in zip(