From 90c7701ba9ab18258fea6e32d5c4fc291aa764c6 Mon Sep 17 00:00:00 2001
From: irl
Date: Mon, 25 May 2026 12:42:33 +0100
Subject: [PATCH] feat(baseline): join tailnet

---
 roles/baseline/defaults/main.yml | 2 ++
 roles/baseline/tasks/main.yml | 4 +++
 roles/baseline/tasks/tailscale.yml | 40 ++++++++++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 roles/baseline/tasks/tailscale.yml

diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index 60910db..0456b3d 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -25,3 +25,5 @@ baseline_second_disk_var_size: "5G"
 baseline_second_disk_var_log_size: "5G"
 baseline_second_disk_var_log_audit_size: "5G"
 baseline_second_disk_var_tmp_size: "5G"
+baseline_tailscale_login_server:
+# baseline_tailscale_auth_key:
diff --git a/roles/baseline/tasks/main.yml b/roles/baseline/tasks/main.yml
index 2693fbc..6583a24 100644
--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
@@ -111,6 +111,10 @@
 file: ipaclient.yml
 when: "'ipaservers' not in group_names"
 
+- name: Baseline | PATCH | Join Tailnet
+ ansible.builtin.include_tasks:
+ file: tailscale.yml
+
 - name: Baseline | PATCH | Disable dnf-makecache.timer
 ansible.builtin.systemd_service:
 name: dnf-makecache.timer
diff --git a/roles/baseline/tasks/tailscale.yml b/roles/baseline/tasks/tailscale.yml
new file mode 100644
index 0000000..f0e011e
--- /dev/null
+++ b/roles/baseline/tasks/tailscale.yml
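Review bot: `+baseline_tailscale_login_server:` is a bare key, which YAML loads as null, so on a host that does not override it the `tailscale up --login-server={{ … }}` command in tailscale.yml is templated with that null (most likely rendering as the string `None`) and the join fails late and opaquely rather than at a clear check; `baseline_tailscale_auth_key` is only present as a comment, so it is undefined unless supplied elsewhere. Either give the login server a quoted, real default, or guard both variables before the up task with `ansible.builtin.assert` and `that: ["baseline_tailscale_login_server | default('') | length > 0", "baseline_tailscale_auth_key is defined"]`. The auth key belongs in vault or an external secret store rather than a role default; a comment next to the commented-out key such as `# baseline_tailscale_auth_key: supply from vault/CI secrets; never commit a key here` would make that intent explicit.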
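Review bot: The new include of tailscale.yml is unconditional, unlike the ipaclient include directly above it, which is gated on group_names; every host the baseline role runs on will now attempt the tailnet join, and where `baseline_tailscale_auth_key` has not been supplied the `tailscale up` task in tailscale.yml will presumably fail at templating on an undefined variable (inferred from the defaults hunk, which leaves the key commented out). Gate the include so opting out is simply not setting the variable: add `when: baseline_tailscale_auth_key is defined` under `file: tailscale.yml`. The enclosing task list starts and ends outside the hunk.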
@@ -0,0 +1,40 @@
+---
+- name: Tailscale | PATCH | Add Tailscale repository
+ ansible.builtin.yum_repository:
+ name: tailscale-stable
+ description: Tailscale stable
+ baseurl: https://pkgs.tailscale.com/stable/rhel/$releasever/$basearch
+ gpgcheck: true
+ gpgkey: https://pkgs.tailscale.com/stable/rhel/{{ ansible_distribution_major_version }}/repo.gpg
+ repo_gpgcheck: true
+ enabled: true
+ includepkgs: tailscale
+ become: true
+
+- name: Tailscale | PATCH | Install Tailscale
+ ansible.builtin.dnf:
+ name: tailscale
+ state: present
+ update_cache: yes
+ become: true
+
+- name: Tailscale | PATCH | Enable and start tailscaled service
+ ansible.builtin.systemd:
+ name: tailscaled
+ enabled: yes
+ state: started
+ become: true
+
+- name: Tailscale | AUDIT | Check if Tailscale is already up
+ ansible.builtin.command: tailscale status
+ register: tailscale_status
+ ignore_errors: yes
+ changed_when: false
+ become: true
+
+- name: Tailscale | PATCH | Bring up Tailscale with custom login server
+ ansible.builtin.command:
+ cmd: "tailscale up --login-server={{ baseline_tailscale_login_server }} --authkey={{ baseline_tailscale_auth_key }}"
+ when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout
+ no_log: yes # Hide auth key from logs
+ become: true
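Review bot: The auth key is passed on the command line in the `cmd:` of the "Bring up Tailscale with custom login server" task, so `no_log` hides it only from Ansible's own output; for the lifetime of the process it is readable by any local user through `ps` and `/proc/<pid>/cmdline`, and it is recorded verbatim by auditd execve logging, which this baseline role appears to configure (the defaults hunk provisions a dedicated /var/log/audit volume). Recent tailscale releases accept a `file:` prefix on the auth-key flag value; stage the key in a root-only 0600 file, point the flag at it, and remove the file once the join has run, as sketched below (the path is a placeholder). Two smaller points in the same hunk: the tasks mix `yes` and `true` (`update_cache: yes`, `enabled: yes`, `ignore_errors: yes`, `no_log: yes` beside `gpgcheck: true`), and ansible-lint's truthy rule expects `true`/`false` throughout; and `ignore_errors: yes` on the status check still reports the task as failed in the run summary, whereas `failed_when: false` states that a non-zero exit is expected there.
```yaml
# … unchanged: repository, install, service and status tasks …

- name: Tailscale | PATCH | Stage auth key in a root-only file
  ansible.builtin.copy:
    content: "{{ baseline_tailscale_auth_key }}"
    dest: /PLACEHOLDER/tailscale-authkey  # choose a root-only, non-world-readable location
    owner: root
    group: root
    mode: "0600"
  when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout
  no_log: true
  become: true

- name: Tailscale | PATCH | Bring up Tailscale with custom login server
  ansible.builtin.command:
    cmd: "tailscale up --login-server={{ baseline_tailscale_login_server }} --authkey=file:/PLACEHOLDER/tailscale-authkey"
  when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout
  no_log: true
  become: true

- name: Tailscale | PATCH | Remove staged auth key
  ansible.builtin.file:
    path: /PLACEHOLDER/tailscale-authkey
    state: absent
  become: true
```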