Role: tailscale
Description
Installs and configures Tailscale VPN mesh networking for secure connectivity across all managed hosts.
Requirements
- Ansible 2.9+
- Debian/Ubuntu/Alpine Linux
- Tailscale account and auth key
- Internet connectivity
Features
- Cross-platform support (Debian, Ubuntu, Alpine)
- Automatic OS detection and package installation
- Secure auth key management via vault
- Configurable network settings
- SSH over Tailscale support
Variables
| Variable | Default | Description |
|---|---|---|
| tailscale_auth_key | {{ vault_tailscale_auth_key }} | Auth key from vault |
| tailscale_hostname | {{ inventory_hostname }} | Custom hostname |
| tailscale_accept_routes | true | Accept subnet routes |
| tailscale_accept_dns | true | Accept DNS settings |
| tailscale_ssh | true | Enable SSH server |
| tailscale_shields_up | false | Block incoming connections |
Vault Variables (Required)
| Variable | Description |
|---|---|
| vault_tailscale_auth_key | Tailscale authentication key |
Dependencies
- Valid Tailscale account
- Auth key stored in Ansible vault
Example Playbook
    - hosts: all
      roles:
        - role: tailscale
          tailscale_accept_routes: false
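A stricter profile for the same role, with a check on the vaulted key before it is used and a check on the node state afterwards. This is an added example, not part of the role's own documentation: the `edge` group, `become: true`, the `tskey-` prefix test and the `tailscale status --json` post-check are assumptions, while the role variables are the ones listed under Variables.

```yaml
# Added example, not from the role's repository.
# Assumes an inventory group "edge" (hypothetical) and a vault file that
# defines vault_tailscale_auth_key as listed under "Vault Variables".
- hosts: edge
  become: true
  pre_tasks:
    - name: Fail early if the vaulted auth key is missing or malformed
      assert:
        that:
          - vault_tailscale_auth_key is defined
          - vault_tailscale_auth_key is string
          - vault_tailscale_auth_key is match('^tskey-')
        quiet: true
      # no_log keeps the key out of task output and logs; it also censors
      # the failure details, so a failure here means "check the vault".
      no_log: true
      tags: [tailscale]

  roles:
    - role: tailscale
      tailscale_accept_routes: false   # ignore subnet routes advertised by peers
      tailscale_accept_dns: false      # keep the host's own resolver settings
      tailscale_ssh: false             # do not enable the Tailscale SSH server
      # Blocks incoming connections over the tailnet. Set this only when
      # Ansible reaches the host by another path, or the next run cannot connect.
      tailscale_shields_up: true
      tags: [tailscale]

  post_tasks:
    - name: Read the node state after the role has run
      command: tailscale status --json
      register: ts_status
      changed_when: false
      tags: [tailscale]

    - name: Confirm the node is connected
      assert:
        that:
          - (ts_status.stdout | from_json).BackendState == 'Running'
        fail_msg: >-
          Tailscale backend is {{ (ts_status.stdout | from_json).BackendState }},
          not Running; the machine may still need approval in the admin console.
      tags: [tailscale]
```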
Tags
tailscale: All Tailscale tasks
vpn: VPN configuration
network: Network setup
Supported Platforms
- Debian: bullseye, bookworm, trixie
- Ubuntu: focal, jammy, noble
- Alpine: all versions
Notes
- Requires Tailscale auth key in vault
- Machines need approval in Tailscale admin console
- Supports both reusable and ephemeral keys
- Automatic logout/re-auth on key changes