Tailscale Operator & Ansible Tailscale deployment

.gitattributes

@@ -8,3 +8,5 @@ secret.yml filter=git-crypt diff=git-crypt
 ghcr-pull-secrets.yaml filter=git-crypt diff=git-crypt
 ssh-secrets.yaml filter=git-crypt diff=git-crypt
 guix/resources/age-key filter=git-crypt diff=git-crypt
+*-secret.md filter=git-crypt diff=git-crypt
+*-secrets.md filter=git-crypt diff=git-crypt

ansible/group_vars/all/nftables.yml

@@ -51,6 +51,9 @@ nftables_configuration: |
       # Allow loopback
       iif lo accept
 
+      # Allow all traffic from/to tailscale0
+      iifname tailscale0 accept
+
       # Allow certain inbound ICMP types (ping, traceroute).
       # With these allowed you are a good network citizen.
       meta l4proto { icmp, ipv6-icmp } counter accept

ansible/playbook.yml

@@ -4,6 +4,7 @@
     - linode-ips
     - common
     - pydis-mtls
+    - tailscale
     - wireguard
     - munin-node
 

ansible/roles/postgres/templates/postgresql.conf.j2

@@ -2,7 +2,7 @@ data_directory = '/var/lib/postgresql/{{ postgres_version }}/main'
 hba_file = '/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf'
 ident_file = '/etc/postgresql/{{ postgres_version }}/main/pg_ident.conf'
 external_pid_file = '/var/run/postgresql/{{ postgres_version }}-main.pid'
-listen_addresses = '89.58.26.118,localhost'
+listen_addresses = '89.58.26.118,lovelace.opossum-python.ts.net,localhost'
 port = 5432
 unix_socket_directories = '/var/run/postgresql'
 

ansible/roles/tailscale/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+tailscale_rocky_repo: "https://pkgs.tailscale.com/stable/centos/10/tailscale.repo"
+tailscale_gpg_key_url: "https://pkgs.tailscale.com/stable/debian/trixie.noarmor.gpg"
+tailscale_apt_repo: "https://pkgs.tailscale.com/stable/debian/trixie.tailscale-keyring.list"

ansible/roles/tailscale/tasks/main.yml

@@ -0,0 +1,117 @@
+---
+- name: Add Tailscale repository (Rocky)
+  ansible.builtin.get_url:
+    url: "{{ tailscale_rocky_repo }}"
+    dest: /etc/yum.repos.d/tailscale.repo
+    mode: "0644"
+  when: ansible_facts["distribution"] == "Rocky"
+  tags:
+    - role::tailscale
+
+- name: Ensure keys directory exists (Debian)
+  file:
+    path: /usr/share/keyrings
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  when: ansible_facts["distribution"] == "Debian"
+  tags:
+    - role::tailscale
+
+- name: Download Tailscale GPG key (Debian)
+  ansible.builtin.get_url:
+    url: "{{ tailscale_gpg_key_url }}"
+    dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
+    mode: "0644"
+  when: ansible_facts["distribution"] == "Debian"
+  tags:
+    - role::tailscale
+
+- name: Add Tailscale APT repository (Debian)
+  ansible.builtin.get_url:
+    url: "{{ tailscale_apt_repo }}"
+    dest: /etc/apt/sources.list.d/tailscale.list
+    mode: "0644"
+  when: ansible_facts["distribution"] == "Debian"
+  tags:
+    - role::tailscale
+
+- name: Update APT cache (Debian)
+  ansible.builtin.apt:
+    update_cache: yes
+  when: ansible_facts["distribution"] == "Debian"
+  tags:
+    - role::tailscale
+
+- name: Install Tailscale
+  package:
+    name: tailscale
+    state: present
+  tags:
+    - role::tailscale
+
+- name: Ensure Tailscale is enabled and started
+  ansible.builtin.systemd:
+    name: tailscaled
+    enabled: yes
+    state: started
+  tags:
+    - role::tailscale
+
+- name: Check if Tailscale is already authenticated
+  ansible.builtin.command: tailscale status --json
+  register: tailscale_status
+  failed_when: false
+  changed_when: false
+  tags:
+    - role::tailscale
+
+- name: Parse Tailscale status
+  ansible.builtin.set_fact:
+    tailscale_authenticated: "{{ tailscale_status.stdout | from_json | json_query('BackendState') not in ['NeedsLogin', 'Stopped'] }}"
+  tags:
+    - role::tailscale
+
+- name: Authenticate Tailscale
+  when: not tailscale_authenticated
+  ansible.builtin.command: |-
+    tailscale up \
+    --authkey '{{ tailscale_oauth2_client_secret }}?preauthorized=true&ephemeral=false' \
+    --advertise-tags '{{ tailscale_advertise_tags }}' \
+    --hostname '{{ inventory_hostname }}' \
+    --accept-routes \
+    --accept-dns
+  register: tailscale_up_result
+  changed_when: "'Already up to date' not in tailscale_up_result.stdout"
+  tags:
+    - role::tailscale
+
+- name: Fetch hosted Tailscale services
+  ansible.builtin.command: tailscale serve get-config --all
+  register: tailscale_services_status
+  failed_when: false
+  changed_when: false
+  tags:
+    - role::tailscale
+
+- name: Parse Tailscale services
+  ansible.builtin.set_fact:
+    tailscale_hosted_services: "{{ tailscale_services_status.stdout | from_json | json_query('services') }}"
+  tags:
+    - role::tailscale
+
+- name: Set tailscale_hosted_services to empty list if not defined
+  ansible.builtin.set_fact:
+    tailscale_hosted_services: []
+  when: not tailscale_hosted_services
+  tags:
+    - role::tailscale
+
+- name: Ensure Tailscale services are configured
+  ansible.builtin.command: |-
+    tailscale serve --yes --service svc:{{ item.ts_service_name }} --{{ item.proto }} {{ item.listen_port }} {{ item.proxy_dest }}
+  loop: "{{ tailscale_services }}"
+  when: "'svc:' + item.ts_service_name not in tailscale_hosted_services and item.host == inventory_hostname"
+  tags:
+    - role::tailscale

ansible/roles/tailscale/vars/main/main.yml

@@ -0,0 +1,12 @@
+---
+tailscale_oauth2_client_id: "{{ vault_tailscale_oauth2_client_id }}"
+tailscale_oauth2_client_secret: "{{ vault_tailscale_oauth2_client_secret }}"
+
+tailscale_advertise_tags: "tag:baremetal"
+
+tailscale_services:
+  - host: lovelace
+    ts_service_name: "postgres"
+    proto: "tcp"
+    listen_port: 5432
+    proxy_dest: "127.0.0.1:5432"

ansible/roles/tailscale/vars/main/vault.yml

@@ -0,0 +1,13 @@
+$ANSIBLE_VAULT;1.1;AES256
+62316632633033623735393336623133363763323038323630656365363363373138626439316333
+6565656364343564393239666334613664323264663562660a366666626333666130396534663733
+37386435316135633936623961393461343765346630613064386135376530373964386338623464
+3034663939353036620a386463333639396233303332386230376164353633353631376439623136
+61346161633661323932633238393863626665663830353762323165613765313433646563656532
+64303166343534316531316539303633336433333966353038653363656163663538636464626462
+34383732346232313732336462303437346566363632653838363966653461386131633162313630
+63653733666165336363313937393034626662333833353631306238316433306164333464313664
+39333031383331393436306465636133636131316465333239363435666165643736666363353132
+36333962353639333436666334356534393033666236656261663562306436643837613733303664
+64666338653162376239643462393036626538316364396235633331336632656566643238323561
+31393130323134383462

kubernetes/namespaces/tailscale/README.md

@@ -0,0 +1,20 @@
+# Tailscale
+
+We use the Tailscale Kubernetes Operator to allow in-cluster services to connect securely to external services via a secure tunnel.
+
+## Deployment
+
+1. Add the Helm chart `helm repo add tailscale https://pkgs.tailscale.com/helmcharts`
+2. Update the Helm repo `helm repo update`
+3. Install the tailscale operator, replacing OAuth credentials as necessary (from the Trust credentials section of Tailscale admin console):
+    ```bash
+    helm upgrade \
+    --install \
+    tailscale-operator \
+    tailscale/tailscale-operator \
+    --namespace=tailscale \
+    --create-namespace \
+    --set-string oauth.clientId="<OAauth client ID>" \
+    --set-string oauth.clientSecret="<OAuth client secret>" \
+    --wait
+    ```

kubernetes/namespaces/tailscale/services/postgres.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    tailscale.com/tailnet-fqdn: postgres.opossum-python.ts.net
+  name: postgres
+  namespace: tailscale
+spec:
+  externalName: placeholder # any value - will be overwritten by operator
+  type: ExternalName

pyproject.toml

@@ -17,6 +17,7 @@ ansible = [
     "ansible-core>=2.17.0,<3",
     "ansible-lint==25.2.1 ; platform_system != 'Windows'",
     "dnspython==2.7.0",
+    "jmespath==1.1.0"
 ]
 dns = [
     "octodns>=1.8.0,<2",