
ansible-role-tailscale's Introduction

Hello there.

I've been a security engineer and penetration tester and currently trick companies into letting me lead Application Security programs.

I tend to build open source projects around improving the user experience of security tooling and integrations. The secure thing should be the easiest thing for a developer to do.

Some of my active projects include:

[GitHub trophy and stats images]

ansible-role-tailscale's People

Contributors

aleohl, artis3n, cmmarslender, cnkk, dependabot[bot], fredrikekre, frodera, h3poteto, hamishforbes, hollow, jamdoog, jonvmey, kaiyou, markstos, mcsim85, mhitza, mnaser, mprasil, nitper, panos--, pellegrino, ramblurr, relrod, toadjaune, wormi4ok


ansible-role-tailscale's Issues

Add a shorter timeout if tailscale up fails.

If tailscale up is successful, it takes very little time to return. But if something is wrong (say, a wrong key), then it takes forever before failing. It would save a few minutes if this timeout could be implemented.

Add Molecule OracleLinux container

#111 adds support for OracleLinux. To add this distro to the CI checks, make an Ansible+Molecule-packaged image from https://hub.docker.com/_/oraclelinux ; it looks like 8-slim is the image we want. They do not use latest.

A subscription is required but not clear if I can still use that in these tests. Alternatively, we do not test this distro and it is supported on a best-effort basis.

Should be similar Dockerfile to https://github.com/geerlingguy/docker-centos8-ansible.

Support Tailscale installation without running `up`

Support installing Tailscale onto a host without running authentication.

New flow:

tailscale_auth_key is required unless tailscale_up_skip is present and set to true. If tailscale_up_skip is set to true, then skip the "Bring Tailscale Up" task.

Use case is to run this role as part of a Packer AMI build without authenticating the node until a server is actually created from that AMI.

Role installs a very old version on Arch Linux

On Arch, this role installs tailscale 1.2.10. The current version is 1.4.2.

TASK [artis3n.tailscale : Tailscale Version] ***********************************
ok: [instance] => {
    "msg": [
        "1.2.10",
        "  tailscale commit: e480f8ddf6f7334fda1b3d0dd1b500f2f01f961b",
        "  go version: go1.15.7"
    ]
}

Support PopOS

Follow the Ubuntu format, except the distribution name retrieved from ansible_facts will need to change from 'PopOS!' to 'Ubuntu'.

Parallelize Molecule docker tests

How? Molecule has the --parallel flag that "enables parallelization." It creates UUIDs and seems to require the user to leverage other tools (tox?) to run tests in parallel.

This is only beneficial to local testing, as the GitHub Actions workflow already runs the Molecule tests in parallel.

[BUG] Recent commit breaks previous installations (and makes the role very difficult to use)

Describe the bug

This commit added the role variables to vars/main.yml. This makes the role very very difficult to use, and in fact breaks instances where the role was working fine before.

The problem is one of variable precedence. Variables defined in vars/main.yml have very, very high precedence; see this list from the Ansible docs: https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable

Notably vars in vars/main.yml override host_vars, group_vars, and play vars (and a bunch more, but these are the most commonly used).

To Reproduce

Inventory host vars file:

# host_vars/myhost.yml
---
tailscale_auth_key: my encrypted key

Playbook

- hosts: myhost
  pre_tasks:
    # this prints out 'my encrypted key' showing that the var is indeed set in the hostvars
    - debug:
        msg: "{{ hostvars[inventory_hostname].tailscale_auth_key }}"
  roles:
    - role: artis3n.tailscale

Result:

TASK [artis3n.tailscale : Tailscale Auth Key Required] *********************************************
Wednesday 25 August 2021  11:17:51 +0200 (0:00:00.332)       0:00:38.857 ****** 
fatal: [myhost]: FAILED! => changed=false 
  msg: |-
    You must include a Node Authorization auth key. Set a `tailscale_auth_key` ansible-vault encrypted variable. You can create this key from: https://login.tailscale.com/admin/authkeys.

Expected behavior

It should work without error

Target (please complete the following information):

  • OS: Fedora
  • Ansible version: 2.10.4
  • artis3n.tailscale version: 1.31.1

Proposed Solution

IMHO, the correct way is to leave the vars/main.yml empty in this case, and specify the variable defaults in defaults/main.yml.

I see the comment in vars/main.yml says "Variables that a user may want to modify." I understand why you did this. It seems natural to put variables that the user should/must define in vars/main.yml as a sort of declaration, but this is not how ansible works (unfortunately). In reality declaring variables in that file makes it more difficult to modify them.

Ansible has no real mechanism to "declare" variables that have no sane default, except by documenting them in the docs and raising runtime errors when variables are not well defined.

You can always use the following to guard against undefined variables.

     when: tailscale_auth_key is not defined or tailscale_auth_key == None and not tailscale_up_skip | bool
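An added example of the layout this issue proposes (it is not the role's actual files): the user-facing variables live in defaults/main.yml, which host_vars, group_vars and play vars all override, and the guard task lists its conditions separately so the and/or grouping is explicit. The task names and error message are taken from the output above; the `tailscale up --authkey` invocation and the `tailscale_args` passthrough are assumptions about how the "Bring Tailscale Up" task is written.

```yaml
# defaults/main.yml (added example, not the role's real file).
# Role defaults have the lowest precedence of all variable sources,
# so host_vars/myhost.yml, group_vars and play vars override them.
tailscale_auth_key: ""
tailscale_up_skip: false

---
# tasks/main.yml excerpt (added example, not the role's real file).
# Items in a `when:` list are ANDed, so the key is only required when
# the "up" step is not skipped. default('', true) also maps None and
# an undefined variable to '', so one length check covers all cases.
- name: Tailscale Auth Key Required
  ansible.builtin.fail:
    msg: >-
      You must include a Node Authorization auth key. Set a
      `tailscale_auth_key` ansible-vault encrypted variable.
      You can create this key from: https://login.tailscale.com/admin/authkeys.
  when:
    - not (tailscale_up_skip | bool)
    - (tailscale_auth_key | default('', true) | length) == 0

# Assumed shape of the up task; the auth key is a credential, so keep
# it out of the task output with no_log.
- name: Bring Tailscale Up
  ansible.builtin.command: >-
    tailscale up --authkey={{ tailscale_auth_key }} {{ tailscale_args | default('') }}
  no_log: true
  when: not (tailscale_up_skip | bool)
```

With this layout the host_vars playbook from the bug report passes the guard, and a Packer build can set `tailscale_up_skip: true` without supplying a fake key.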

Debian 11/Bullseye: No package matching 'python-apt' is available

Now that bullseye is no longer testing, the following condition fails:

when: (ansible_distribution_major_version | int < 20) and ansible_distribution_major_version != "testing"

TASK [artis3n.tailscale : Debian | Legacy Apt Dependencies] ********************************************************************************************************************
fatal: [xxx]: FAILED! => {"changed": false, "msg": "No package matching 'python-apt' is available"}

I'm not sure what the best solution would be to update that condition, as it should match all the distributions...

In my personal debian base role, I have the following shell task:

"apt update; RC=$?; [ \"$RC\" = \"100\" ] || [ \"$RC\" = \"0\" ] && apt install -y python{{ ansible_python['version']['major'] if ansible_python['version']['major'] > 2 }}-apt"

That's definitely not the cleanest solution; however, after a fresh installation of Proxmox VE the apt update fails (Enterprise repo without accompanying credentials configured), so the apt module can't handle it itself without failing.

Bringing Tailscale up fails

Describe the bug
Been using this role for a while. Recently, I guess something in Tailscale changed, because there's now a problem bringing up the Tailscale connection, which fails every time (I'm using tailscale_args to set subnet routes).

To Reproduce
Steps to reproduce the behavior:

  1. Go to use this role to install Tailscale
  2. See failure at start-up

Expected behavior
Tailscale should start.

Screenshots
N/A.

Desktop (please complete the following information):

  • OS: Ubuntu 18.04, 20.0

Additional context
I think Tailscale introduced extra logging as part of "tailscale up", such that the test

tailscale_status.stdout | length == 0

fails, even when the application has successfully started. As a workaround, I've made the test >=, but this is clearly a hack.

[BUG] Arch fails idempotence tests in CI

While Tailscale is successfully installed and started, the install task is re-run during the idempotence test. This is a recent occurrence. Potentially due to Ansible version updates? Maybe the update_cache parameter? Investigate.


[BUG] Cannot update this role on Ansible Galaxy (Resolved)

I moved this repo from master to main, and Ansible Galaxy doesn't know how to handle that, it appears. I filed ansible/galaxy#2535, have to find a resolution. In the worst case, I have to return the default branch to be master, but hopefully there is a way to force re-sync the repo such that the default branch is updated on Galaxy's end.

[BUG] tailscale_up_skip does not work as expected

Describe the bug
When setting tailscale_up_skip to true similar to the example in the readme (see below), the playbook fails if tailscale_auth_key is not set. I'm not sure if this is the intended behavior.

- name: Servers
  hosts: all
  roles:
    - role: artis3n.tailscale
      vars:
        tailscale_up_skip: true

I just set a fake value to tailscale_auth_key and the playbook goes through but gets stuck at the task "Bring Tailscale Up".

Expected behavior
Just install Tailscale when tailscale_up_skip

Target (please complete the following information):

  • OS: Debian Buster
  • Ansible version: 3.0.0
  • artis3n.tailscale version: v1.9.0
  • Tailscale version (set verbose to true):

Output of tailscale status during role execution (set verbose to true):

verbose does not seem to work.

Additional context

I'm using Ansible in Packer to create a GCP image.

Packer version: 1.7.0
Python version: 3.9.1

[FEAT] advertise-exit-node support/flag

Is your feature request related to a problem? Please describe.

Tailscale 1.6.0 introduced support for --advertise-exit-node https://tailscale.com/kb/1103/exit-nodes

Describe the solution you'd like

Support to run tailscale as either an exit node or using an exit node as part of the module

Describe alternatives you've considered

Additional context

I dug into the module code and didn't really find a good place to introduce this change without a major refactor, but I'm happy to help.

Fix support for PopOS

TASK [artis3n.tailscale : Tailscale Signing Key] *********************************************
fatal: [oryx]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'pop!_os'\n\nThe error appears to be in '/home/artis3n/.ansible/roles/artis3n.tailscale/tasks/debian.yml': line 13, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Tailscale Signing Key\n  ^ here\n"}


[BUG]

Describe the bug
Once I run the playbook (see playbook.yaml), the system errors on the Ansible role.

Playbook

---
- name: Setup virtual machine tools & users
  hosts: all
  remote_user: root

  tasks:
  - name: Ping machines
    ping:
  - name: Update & Upgrade ubuntu packages
    apt:
      upgrade: "yes"
      update_cache: true
      cache_valid_time: 86400

  - name: Configure Tailscale
    include_role:
      name: artis3n.tailscale
    vars:
      verbose: true
      tailscale_args: "--accept-routes=true"
      # Pulled from the env vars on the host running Ansible
      tailscale_auth_key: "{{ lookup('env', 'TAILSCALE_KEY') }}"

Error

ERROR! this task 'ansible.builtin.include_tasks' has extra params, which is only allowed in the following modules: include, include_tasks, command, meta, set_fact, add_host, import_tasks, win_shell, shell, win_command, include_role, raw, group_by, import_role, script, include_vars

The error appears to be in '/root/.ansible/roles/artis3n.tailscale/tasks/main.yml': line 55, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: CentOS and related families
  ^ here

Operating System
local machine: Windows WSL 2 (Ubuntu)
target machines: Ubuntu 20.04

I'm wondering if I'm doing anything wrong? I'm fairly new to Ansible, but I was trying to use the simple examples in the README.md.

Support all Tailscale-supported distributions

Support all distributions located at https://pkgs.tailscale.com/stable/. This is not a prioritized list.

This ticket will track the overall state of each distribution and link to the relevant pull requests.

Supported:

  • Ubuntu 16.04 (Xenial)
  • Ubuntu 18.04 LTS (Bionic) - #2
  • Ubuntu 19.10 (Eoan)
  • Ubuntu 20.04 LTS (Focal)
  • Debian Stretch
  • Debian Buster (stable)
  • Debian Bullseye (unstable)
  • Debian Sid (testing)
  • Raspbian Buster
  • CentOS 7 - #2
  • CentOS 8
  • Fedora
  • RHEL 8
  • Amazon Linux 2
  • OpenSUSE Leap 15.1
  • OpenSUSE Leap 15.2
  • Arch Linux

Experimental:

  • Windows

Maybe:

  • Static binaries
