feat(baseline): join tailnet

roles/baseline/defaults/main.yml

@@ -25,3 +25,5 @@ baseline_second_disk_var_size: "5G"
 baseline_second_disk_var_log_size: "5G"
 baseline_second_disk_var_log_audit_size: "5G"
 baseline_second_disk_var_tmp_size: "5G"
+baseline_tailscale_login_server:
+# baseline_tailscale_auth_key:

roles/baseline/tasks/main.yml

@@ -111,6 +111,10 @@
     file: ipaclient.yml
   when: "'ipaservers' not in group_names"
 
+- name: Baseline | PATCH | Join Tailnet
+  ansible.builtin.include_tasks:
+    file: tailscale.yml
+
 - name: Baseline | PATCH | Disable dnf-makecache.timer
   ansible.builtin.systemd_service:
     name: dnf-makecache.timer

roles/baseline/tasks/tailscale.yml

@@ -0,0 +1,40 @@
+---
+- name: Tailscale | PATCH | Add Tailscale repository
+  ansible.builtin.yum_repository:
+    name: tailscale-stable
+    description: Tailscale stable
+    baseurl: https://pkgs.tailscale.com/stable/rhel/$releasever/$basearch
+    gpgcheck: true
+    gpgkey: https://pkgs.tailscale.com/stable/rhel/{{ ansible_distribution_major_version }}/repo.gpg
+    repo_gpgcheck: true
+    enabled: true
+    includepkgs: tailscale
+  become: true
+
+- name: Tailscale | PATCH | Install Tailscale
+  ansible.builtin.dnf:
+    name: tailscale
+    state: present
+    update_cache: yes
+  become: true
+
+- name: Tailscale | PATCH | Enable and start tailscaled service
+  ansible.builtin.systemd:
+    name: tailscaled
+    enabled: yes
+    state: started
+  become: true
+
+- name: Tailscale | AUDIT | Check if Tailscale is already up
+  ansible.builtin.command: tailscale status
+  register: tailscale_status
+  ignore_errors: yes
+  changed_when: false
+  become: true
+
+- name: Tailscale | PATCH | Bring up Tailscale with custom login server
+  ansible.builtin.command:
+    cmd: "tailscale up --login-server={{ baseline_tailscale_login_server }} --authkey={{ baseline_tailscale_auth_key }}"
+  when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout
+  no_log: yes  # Hide auth key from logs
+  become: true