Install tailscale

Install, not configure
2024-02-01 19:41:47 +00:00 · 2024-02-01 19:41:47 +00:00 · 02847355a7
commit 02847355a7
parent 29cac09b48
6 changed files with 30 additions and 1 deletions
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@ -20,3 +20,5 @@ roles:
    version: v2022.10.17
  - src: geerlingguy.certbot
    version: 5.1.0
+  - src: artis3n.tailscale
+    version: v4.4.1
--- a/ansible/group_vars/all/tailscale.yml
+++ b/ansible/group_vars/all/tailscale.yml
@ -0,0 +1,6 @@
+# Just install for now, don't configure
+tailscale_up_skip: true
+
+tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
+
+tailscale_port: 41641
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -16,6 +16,7 @@
    - headscale
    - fail2ban_ssh
    - restic
+    - artis3n.tailscale

 - hosts:
    - pve
@ -79,6 +80,7 @@
    - nginx
    - ingress
    - nebula
+    - artis3n.tailscale

 - hosts: pve
  roles:
@ -114,6 +116,7 @@
    - commento
    - website
    - remark42
+    - artis3n.tailscale

 - hosts: jellyfin
  roles:
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@ -19,6 +19,9 @@ table inet filter {

        # Allow nebula
        udp dport {{ nebula_listen_port }} accept;
+
+        # Allow Tailscale
+        udp dport {{ tailscale_port }} accept;
    }

    chain POSTROUTING {
@ -27,6 +30,7 @@ table inet filter {

        # NAT - because the proxmox machines may not have routes back
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
    }

    chain FORWARD {
@ -39,5 +43,9 @@ table inet filter {

        # Allow monitoring of nebula network
        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
+
+        # Allow traffic from Tailscale to proxmox network
+        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept
    }
 }
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@ -91,6 +91,15 @@ resource "linode_firewall" "casey" {
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }
+
+  inbound {
+    label    = "allow-inbound-tailscale"
+    action   = "ACCEPT"
+    protocol = "UDP"
+    ports    = "41641"
+    ipv4     = ["0.0.0.0/0"]
+    ipv6     = ["::/0"]
+  }
 }

 resource "linode_rdns" "casey_reverse_ipv4" {
--- a/terraform/walker_vps.tf
+++ b/terraform/walker_vps.tf
@ -4,7 +4,8 @@ module "walker_firewall" {
  description = "walker"
  ports = [
    "80/tcp",
-    "443/tcp"
+    "443/tcp",
+    "41641/udp"
  ]
 }