ansible-role-tailscale

Added

• This role now publishes a set of facts about the Tailscale node that was configured. See full details in the README. #464

Changed

• Speaking of which, the README's layout has been changed to better present info to users more clearly. There's a table of contents now.

Fixed

• tailscale up wouldn't properly redact the authkey when it was used with headscale keys, since their format doesn't match the tskey pattern. The redaction now uses the tailscale_authkey variable to ensure that exact value is always redacted. This is how redaction already worked in other areas of the role, but was missed in this step. #456 (Thanks @fredrikekre !)
• OpenSUSE distros sometimes failed repo signature validation when adding the Tailscale repo. This has now been definitively resolved so there will no longer be intermittent zypper failures. #460

New Contributors

• @kaiyou made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/453
• @fredrikekre made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/456

Fixed

• Debian distros would previously fail to invoke tailscale update due to an incorrect name for the tailscale source list file. This is now corrected. #449 (Thanks @cnkk !)

New Contributors

• @cnkk made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/449

Fixed

• This role will no longer intermittently fail due to colliding variable names with other roles or tasks that may be running in your playbook. This changes internal variable names only, so it is not a breaking change. #431 (Thanks @mhitza !)
• state: absent now fully removes all Tailscale configuration data from your device. Previously, this role would uninstall Tailscale, but that might leave the /var/lib/tailscale directory behind, which contains a tailscaled.state file alongside log files which may contain information about your tailnet. The tailscaled.state file could also hypothetically be used to re-authenticate the server to your tailnet if the server is not de-authorized, however this role runs tailscale logout during uninstallation so the server is always de-authorized from your tailnet. However, I expect users don't want log files, and even stale configuration files, lying around after state: absent. #435 (Thanks @McSim85 !) #444

Changed

• This repo now uses geerlingguy/docker-debian12-ansible instead of cisagov/docker-debian12-ansible in the CI suite because the cisagov repo has been archived.

New Contributors

• @mhitza made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/431

Fixed

• The Ansible async task timeout on the tailscale up command now incorporates tailscale_up_timeout. Previously the tailscale_up_timeout would just be passed to the tailscale up command and would signify how long the process should wait for tail scaled to become available. However, if that took longer than 60s, ansible would kill the async task. The async polling will now always be larger than the value in tailscale_up_timeout. #426 (Thanks @McSim85 !)
• Renamed tailscale_authkey_sting to tailscale_authkey_string. This is an internal fact created inside the role so this rename should not impact end users, therefore we are keeping this a patch release.

Changed

• Updated the devcontainer configuration in the project to Python 3.12
• Updated Python dependencies for the local project

Added

• Incorporated Dependabot's new devcontainers support, so devcontainer features with upgrades will trigger Dependabot update PRs

Fixed

• Replaced use of the pause module with wait_for, which ensures compatibility with playbooks running under strategy: free.

Changed

• Updated the development environment in the repository to Python 3.12

New Contributors

• @markstos made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/415

Changed

• The tags behavior introduced in 4.3.0 for OAuth authkeys has been improved. This replaces the tailscale_oauth_tags variable with tailscale_tags. All --advertise-tags usage should now use tailscale_tags to list their desired tags. (#407) Thanks @McSim85 !

Added

• Added additional validation at the front of the role to catch misconfigured variables. (#407) Thanks @McSim85 !

Added

• Added support for Tailscale OAuth authkey types (#399, #402). Thanks @McSim85 ! Review tailscale_authkey documentation on the README for usage instructions.

Changed

[!IMPORTANT]

• The README uses more modern GitHub Markdown syntax. See if you can spot it.

Removed

• Ubuntu 16.04 is no longer supported by this role. Ubuntu 16.04 serves a version of Python below the minimum requirements for Ansible.

New Contributors

• @McSim85 made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/399

Changed

• Updated Python and GitHub Action dependencies

Fixed

• Fixed a typo introduced in #328 that broke redaction of the authkey in the Report non-sensitive stdout from "tailscale up" step. (#344) Thanks @jonvmey !

New Contributors

• @jonvmey made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/344

Added

• Added support for OSMC by fixing its ansible_distribution translation to debian (#331) Thanks @frodera!

Fixed

• Fixed situations on Fedora-like systems in which a degraded systemd would fail the role execution, when that is actually a continuable state (#336)

Changed

• The tailscale status commands now output in JSON for much easier parsing of tailscale state throughout the role (#328) Thanks @mprasil!
• Improved the Headscale support in the CI suite (#328) Thanks @mprasil!

New Contributors

• @frodera made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/331

Changed

• Refactored all tests that run in CI to support testing against Headscale instead of only against Tailscale (#319) Thanks @mprasil !
• Refactored how state idempotency is tracked. State is now simpler to manage inside the role and a situation in which the role would see state as already configured and fail to properly invoke tailscale up is now fixed. (#320) Thanks @mprasil !
• As a result of the prior change, if any error occurs wherein executing tailscale up fails, the role will clear its state so that re-running the role will always run tailscale up and re-save the state. The tailscale up command is idempotent if all passed parameters remain the same, so this change will not break users, but may fix some erroneous failures to re-run tailscale up in some edge cases.
• Updated dependencies

Added

• Added a subtle note about how to use this role with Headscale to the README

New Contributors

• @mprasil made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/320

Added

• Added support for Amazon Linux 2023 as a target host

Changed

• The CI suite is now upgraded to ubuntu 22.04 runners and leverages a reusable workflow to continue functioning with some legacy OS's that don't like cgroups v2 on an ubuntu 22.04 host. Doesn't matter for users of this role, but I'm glad to finally have a resolution there.

Added

• BREAKING CHANGE: This role now adheres to https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html and stores state in $XDG_STATE_HOME/artis3n-tailscale, or $HOME/.local/state/artis3n-tailscale if that env var is not present. This is technically a breaking change as this role will report state as "changed" upon the next run even if no state has changed. After the first time in which the state migrates to this new location, the role will correctly report state idempotency again. #286

Removed

• The legacy state directory, $HOME/.artis3n-tailscale will be removed from target machines the next time this role is run.

Fixed

• The CI suite experienced frequent timeouts from Ansible Galaxy. This is a known problem due to regular load against the Galaxy servers with no clear solution from Ansible. This role now bypasses Ansible Galaxy to install the community.general collection directory from its Git URL. This has no impact on end users, but contributors to this role should no longer experience failing tests due to Galaxy timeouts.

Changed

• BREAKING CHANGE: The vars/main.yml variables have all been updated with a prefix to help prevent conflicting with other role's parameters. These variables are not intended to be modified by end users, but if any end users are modifying these variables, they will need to update their references. #284 Thanks @hollow !
• Updated dependencies

New Contributors

• @hollow made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/284

Added

• Adds support for OpenSUSE Tumbleweed and Leap (#256 and #268). Thanks @Jamdoog !
• Uses of apt update now set a cache expiration of one hour, to prevent this role from triggering false idempotency failures (#278). Thanks @mnaser for the PR and @dgibbs64 for raising!

Fixed

• Fixed an error incorrectly processing the ansible_distribution_major_version of pre-release Debian distros (#259)
• Conditional checks in this role would improperly fail if the role had previously installed Tailscale but the authkey had since expired. They will now correctly succeed (#280). Thanks to @toadjaune for raising.

Changed

• Updated dependencies

New Contributors

• @Jamdoog made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/256
• @mnaser made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/278

Fixed

• Ubuntu and Debian distros now store (and remove) the Tailscale GPG key in /usr/share/keyrings instead of using the legacy apt-key tool, which is deprecated in Ubuntu 22.04. This is backwards-compatible with earlier Ubuntu/Debian-based distributions. #249 Thanks @wormi4ok !

Changed

• Ansible-lint in the CI pipeline now pins to the production rules profile in ansible-lint's new format.

New Contributors

• @wormi4ok made their first contribution in https://github.com/artis3n/ansible-role-tailscale/pull/249

Adds

• Adds a latest state, making the possible state parameter values latest, present, or absent. #239

This role uses latest by default to help ensure your software remains up-to-date and incorporates the latest security and product features. For users who desire more control over configuration drift, present will not update Tailscale if it is already installed. Changes to tailscale_args will be applied under both latest and present; this parameter only impacts the version of Tailscale installed to the target system.

Changed

• Updated dependencies

Changes

• Updates dependencies

Fixes

• Restructures the order of tailscale up arguments such that errors are clearly funneled up instead of masked behind an invalid auth key message. Thanks @panos-- ! #206

Adds

• Adds a unit test to catch a future regression of the tailscale up argument formatting. Thanks @panos-- ! #206

Fixes

• Fixes the tailscale up command which in 3.2.0 incorrectly quoted multiple flag arguments, resulting in a command-line failure of the ansible.builtin.command module. Thanks @h3poteto ! #204

Added

• Support for Ubuntu 22.04
• Support for Debian 12 (Bookworm)