From b20356e9fe2217e866f76268b6338c997f04a6f6 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sat, 18 Apr 2026 18:16:27 +0000
Subject: [PATCH] fix: only clean stale Tailscale names before proxies exist

The Tailscale cleanup role was deleting reserved service hostnames on later deploy runs, which removed the live Rancher/Grafana/Prometheus/Flux proxy nodes from the tailnet. Skip cleanup whenever the current cluster already has those Tailscale services, while still allowing cleanup on fresh rebuilds.
---
 ansible/site.yml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/ansible/site.yml b/ansible/site.yml
index 9dc5c25..0a985ee 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -116,6 +116,16 @@
 roles:
 - doppler-bootstrap
 
+- name: Detect existing Tailscale service proxies
+ hosts: control_plane[0]
+ become: true
+ tasks:
+ - name: Check for current Tailscale service hostnames
+ command: kubectl get svc -A -o jsonpath='{range .items[*]}{.metadata.annotations.tailscale\.com/hostname}{"\n"}{end}'
+ register: existing_tailscale_hostnames
+ changed_when: false
+ failed_when: false
+
 - name: Clean up stale Tailscale devices
 hosts: localhost
 connection: local
@@ -125,9 +135,14 @@
 - grafana
 - prometheus
 - flux
-
- roles:
- - tailscale-cleanup
+ tasks:
+ - name: Delete stale devices only before service proxies exist
+ include_role:
+ name: tailscale-cleanup
+ when: >-
+ hostvars[groups['control_plane'][0]].existing_tailscale_hostnames.stdout_lines | default([])
+ | intersect(tailscale_reserved_hostnames)
+ | length == 0
 
 - name: Finalize
 hosts: localhost
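Review bot: The detection task in the first hunk fails open: `failed_when: false` on the kubectl call means an unreachable cluster, a missing kubeconfig or an RBAC denial leaves `stdout_lines` empty, and the `| default([])` in the second hunk's `when` yields the same empty list when the fact was never registered (for example a run whose `--limit` skips the control-plane play), so in both cases the intersection is empty and the cleanup role deletes the reserved hostnames — the regression this commit is meant to close. Drop `failed_when: false` so a non-zero exit fails the only host in that play (which, as far as I can tell, ends the run before the cleanup play), and drop `| default([])` so an undefined fact is a template error rather than an authorization to delete; alternatively gate the `when` on `existing_tailscale_hostnames.rc | default(1) == 0` in addition to the empty intersection. A comment on the cleanup task recording the safe default, `# Deletion is skipped unless the cluster was queried successfully and reported no reserved hostnames`, would make the intent visible to the next editor. The play's `vars` list that defines `tailscale_reserved_hostnames` lies outside the second hunk.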