# Role: tailscale

## Description

Installs and configures Tailscale VPN mesh networking for secure connectivity across all managed hosts.

## Requirements

- Ansible 2.9+
- Debian/Ubuntu/Alpine Linux
- Tailscale account and auth key
- Internet connectivity

## Features

- Cross-platform support (Debian, Ubuntu, Alpine)
- Automatic OS detection and package installation
- Secure auth key management via vault
- Configurable network settings
- SSH over Tailscale support

## Variables

| Variable | Default | Description |
|----------|---------|-------------|
| `tailscale_auth_key` | `{{ vault_tailscale_auth_key }}` | Auth key from vault |
| `tailscale_hostname` | `{{ inventory_hostname }}` | Custom hostname |
| `tailscale_accept_routes` | `true` | Accept subnet routes |
| `tailscale_accept_dns` | `true` | Accept DNS settings |
| `tailscale_ssh` | `true` | Enable SSH server |
| `tailscale_shields_up` | `false` | Block incoming connections |

## Vault Variables (Required)

| Variable | Description |
|----------|-------------|
| `vault_tailscale_auth_key` | Tailscale authentication key |

## Dependencies

- Valid Tailscale account
- Auth key stored in Ansible vault

## Example Playbook

```yaml
- hosts: all
  roles:
    - role: tailscale
      tailscale_accept_routes: false
```

## Tags

- `tailscale`: All Tailscale tasks
- `vpn`: VPN configuration
- `network`: Network setup

## Supported Platforms

- **Debian**: bullseye, bookworm, trixie
- **Ubuntu**: focal, jammy, noble
- **Alpine**: all versions

## Notes

- Requires Tailscale auth key in vault
- Machines need approval in Tailscale admin console
- Supports both reusable and ephemeral keys
- Automatic logout/re-auth on key changes
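
The following is an added example, not part of the role's own documentation: it shows the vault variable next to two plays, one that keeps the role defaults and one that overrides them with a restricted profile. The file paths, the `internal` and `edge` inventory groups, and the key value are assumptions; only the variable names come from the tables above.

```yaml
# group_vars/all/vault.yml (hypothetical path)
# Encrypt before committing: ansible-vault encrypt group_vars/all/vault.yml
vault_tailscale_auth_key: "tskey-auth-REPLACE_ME"   # placeholder, not a real key
---
# site.yml (hypothetical playbook name)
# Profile 1: role defaults (accept routes and DNS, SSH server on, shields down)
- hosts: internal                      # hypothetical inventory group
  roles:
    - role: tailscale

# Profile 2: restricted hosts that should only make outbound tailnet connections
- hosts: edge                          # hypothetical inventory group
  roles:
    - role: tailscale
      tailscale_accept_routes: false   # ignore subnet routes advertised by other nodes
      tailscale_accept_dns: false      # keep the host's own resolver configuration
      tailscale_ssh: false             # do not run the Tailscale SSH server
      tailscale_shields_up: true       # block incoming connections
```

Run it with `ansible-playbook site.yml --ask-vault-pass --tags tailscale` so the encrypted key is decrypted only at run time.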