# Simple Tailscale Setup

## What you need:

1. A Tailscale account (free at https://tailscale.com)
2. An auth key from your Tailscale admin console

## 3-Step Setup:

### Step 1: Get your auth key

1. Go to https://login.tailscale.com/admin/settings/keys
2. Click "Generate auth key"
3. Make it **Reusable** and set expiration to **90 days** (or longer)
4. Copy the key (starts with `tskey-auth-`)

### Step 2: Store the key securely

```bash
make create-vault
```

When prompted, add this content:

```yaml
---
vault_tailscale_auth_key: "tskey-auth-your-actual-key-here"
```

Save and exit.

### Step 3: Install Tailscale everywhere

```bash
# Check what will happen (dry run)
make tailscale-check

# Install on all machines
make tailscale
```

That's it! Your machines should now be connected to your Tailscale network.

## Check if it worked:

```bash
make tailscale-status
```

## How the vault connects to your settings:

The `group_vars/all.yml` file now contains:

```yaml
tailscale_auth_key: "{{ vault_tailscale_auth_key | default('') }}"
```

This tells Ansible: "Look for `vault_tailscale_auth_key` in the encrypted vault file, and if it's not there, use an empty string."

So when you put your real auth key in the vault, it automatically gets used!

## The confusing variables explained:

- `tailscale_auth_key`: **YOU NEED THIS** - your authentication key
- `tailscale_ssh`: **USEFUL** - lets you SSH through Tailscale network
- `tailscale_accept_routes`: **USEFUL** - access other networks through Tailscale
- `tailscale_hostname`: **OPTIONAL** - custom name (defaults to your server names)
- `tailscale_advertise_routes`: **ADVANCED** - share your local network with others
- `tailscale_shields_up`: **SECURITY** - blocks incoming connections
- Everything else: **IGNORE** unless you have specific enterprise needs
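
A pre-flight check for Step 2 and the vault lookup described above, added here as an example and not part of this project's Makefile: it confirms the vault file is Ansible Vault ciphertext and that no real-looking `tskey-auth-` key sits in cleartext elsewhere in the repository. The function names are hypothetical, and the vault file path and repository directory are passed as arguments because the page does not say where `make create-vault` writes the file.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before running `make tailscale`.
# Assumption: vault file path and repo directory are given as arguments.

PLACEHOLDER='tskey-auth-your-actual-key-here'   # sample value shown in Step 2

# 0 = file is Ansible Vault ciphertext, 1 = plaintext, 2 = file missing.
vault_is_encrypted() {
    [ -f "$1" ] || return 2
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;' || return 1
}

# Print every file under $1 (skipping .git) that holds something shaped like
# an auth key in cleartext. Lines containing the placeholder are ignored.
find_plaintext_keys() {
    find "$1" -type f ! -path '*/.git/*' 2>/dev/null | while IFS= read -r f; do
        if grep -E 'tskey-auth-[A-Za-z0-9]' "$f" 2>/dev/null \
             | grep -qvF "$PLACEHOLDER"; then
            printf '%s\n' "$f"
        fi
    done
}

# Run both checks; returns non-zero if either one fails.
preflight() {
    local vault="$1" repo="$2" rc=0 leaks
    if ! vault_is_encrypted "$vault"; then
        echo "FAIL: $vault is missing or not encrypted" >&2
        rc=1
    fi
    leaks=$(find_plaintext_keys "$repo")
    if [ -n "$leaks" ]; then
        echo "FAIL: cleartext auth key found in:" >&2
        printf '%s\n' "$leaks" >&2
        rc=1
    fi
    return "$rc"
}

# Usage: ./preflight.sh <vault-file> <repo-dir>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
    exit $?
fi
```

These checks do not decrypt the vault, so they cannot tell whether `vault_tailscale_auth_key` is actually defined. With the `default('')` fallback, a missing variable becomes an empty key rather than an error.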