stuff

ansible/infra/920_join_headscale_mesh.yml

@@ -99,7 +99,6 @@
         --login-server {{ headscale_domain }}
         --authkey {{ auth_key }}
         --accept-dns=true
-        --advertise-tags "tag:{{ inventory_hostname }}"
       register: tailscale_up_result
       changed_when: "'already authenticated' not in tailscale_up_result.stdout"
       failed_when: tailscale_up_result.rc != 0 and 'already authenticated' not in tailscale_up_result.stdout
@@ -117,3 +116,9 @@
       debug:
         msg: "{{ tailscale_status.stdout_lines }}"
 
+    - name: Deny all inbound traffic from Tailscale network interface
+      ufw:
+        rule: deny
+        direction: in
+        interface: tailscale0
+