From 2893bb77cd6132d2669062420f38fcc6c82e388c Mon Sep 17 00:00:00 2001 From: counterweight Date: Sat, 13 Dec 2025 18:54:46 +0100 Subject: [PATCH] improve tailscale add --- ansible/infra/920_join_headscale_mesh.yml | 42 ++++++++++++++++++----- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/ansible/infra/920_join_headscale_mesh.yml b/ansible/infra/920_join_headscale_mesh.yml index cd6464c..77158fa 100644 --- a/ansible/infra/920_join_headscale_mesh.yml +++ b/ansible/infra/920_join_headscale_mesh.yml @@ -77,7 +77,7 @@ - name: Add Tailscale repository apt_repository: - repo: "deb [signed-by=/etc/apt/keyrings/tailscale.gpg] https://pkgs.tailscale.com/stable/debian {{ ansible_lsb.codename }} main" + repo: "deb [signed-by=/etc/apt/keyrings/tailscale.gpg] https://pkgs.tailscale.com/stable/debian {{ ansible_distribution_release }} main" state: present update_cache: yes @@ -99,6 +99,8 @@ --login-server {{ headscale_domain }} --authkey {{ auth_key }} --accept-dns=true + --hostname={{ ansible_hostname }} + --reset register: tailscale_up_result changed_when: "'already authenticated' not in tailscale_up_result.stdout" failed_when: tailscale_up_result.rc != 0 and 'already authenticated' not in tailscale_up_result.stdout 
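Review bot: `--reset` on the `tailscale up` invocation reverts every preference not restated on that line to its default on each run, so only `--login-server`, `--accept-dns=true` and the new `--hostname` survive; anything set by hand or by another play (advertised routes, exit-node or `--ssh` settings) is silently dropped. If that is intended, say so next to the flag, e.g. `# --reset: prefs not listed here revert to defaults on every run`. It is also worth confirming that the `'already authenticated'` text tested in `changed_when` and `failed_when` still appears once `--reset` is passed, since the command now re-applies prefs each run and may report a change every time. Since this task is being touched, `--authkey {{ auth_key }}` (context here) would be kept out of play output by `no_log: true` on the task. The task's `- name:` and command line are above this hunk.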
@@ -107,6 +109,37 @@ pause: seconds: 2 + - name: Get node ID from headscale server + delegate_to: "{{ groups['lapy'][0] }}" + become: no + vars: + ssh_args: "{{ ('-i ' + headscale_key + ' ' if headscale_key else '') + '-p ' + headscale_port|string }}" + shell: > + ssh {{ ssh_args }} + {{ headscale_user }}@{{ headscale_host }} + "sudo headscale nodes list -o json" + register: nodes_list_result + changed_when: false + failed_when: nodes_list_result.rc != 0 + + - name: Extract node ID for this host + set_fact: + headscale_node_id: "{{ (nodes_list_result.stdout | from_json) | selectattr('given_name', 'equalto', ansible_hostname) | map(attribute='id') | first }}" + failed_when: headscale_node_id is not defined or headscale_node_id == '' + + - name: Tag node with its hostname + delegate_to: "{{ groups['lapy'][0] }}" + become: no + vars: + ssh_args: "{{ ('-i ' + headscale_key + ' ' if headscale_key else '') + '-p ' + headscale_port|string }}" + shell: > + ssh {{ ssh_args }} + {{ headscale_user }}@{{ headscale_host }} + "sudo headscale nodes tag --tags tag:{{ ansible_hostname }} -i {{ headscale_node_id }}" + register: tag_result + changed_when: true + failed_when: tag_result.rc != 0 + - name: Display Tailscale status command: tailscale status register: tailscale_status @@ -115,10 +148,3 @@ - name: Show Tailscale connection status debug: msg: "{{ tailscale_status.stdout_lines }}" - - - name: Deny all inbound traffic from Tailscale network interface - ufw: - rule: deny - direction: in - interface: tailscale0 -
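Review bot: `ansible_hostname` and `headscale_node_id` are interpolated unquoted into the `shell: >` line of "Tag node with its hostname", which runs on the delegate and then as `sudo headscale` on the headscale server, and `ansible_hostname` is a fact gathered from the managed node — so unless hostnames are controller-assigned, a host controls text that reaches a root shell on the control-plane server and also chooses the `tag:` value that headscale ACLs act on. Validate the hostname as a plain DNS label before these tasks and `| quote` the interpolated values (sketched below); the same unquoted interpolation appears in "Get node ID from headscale server" with `{{ ssh_args }}` and `{{ headscale_user }}@{{ headscale_host }}`, though those are play variables rather than node-supplied facts. In "Extract node ID for this host", `| first` on an empty selection yields an undefined value that fails the task before `failed_when` is evaluated, so the `== ''` branch is unreachable; `| first | default('')` would make it reachable, and a `given_name` that headscale has suffixed on a name collision would also miss this lookup (worth confirming). Separately, the last hunk removes the ufw deny rule on tailscale0 with no replacement and no mention in the commit message, so inbound traffic from the mesh now falls through to ufw's default policy.
```yaml
    - name: Refuse hostnames that are not plain DNS labels
      assert:
        that:
          - ansible_hostname is match('^[A-Za-z0-9][A-Za-z0-9-]*$')
        fail_msg: "ansible_hostname is used unquoted in a remote shell command"

    # … unchanged: Get node ID from headscale server, Extract node ID for this host …

    - name: Tag node with its hostname
      # … unchanged: delegate_to, become, vars …
      shell: >
        ssh {{ ssh_args }}
        {{ headscale_user | quote }}@{{ headscale_host | quote }}
        "sudo headscale nodes tag --tags tag:{{ ansible_hostname | quote }} -i {{ headscale_node_id | quote }}"
      # … unchanged: register, changed_when, failed_when …
```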