Support additional args on the tailscale up command #27

Closed

hamishforbes
Contributor

I'm using ansible to deploy tailscale relays into AWS and want to be able to do something like..

- name: Get AZ subnets
  ec2_vpc_subnet_facts:
    region: "{{ placement.region }}"
    filters:
      vpc-id: "{{ vpc_id }}"
      availability-zone: "{{ placement.availability_zone }}"
  register: subnet_info

- name: Set Subnet list
  set_fact:
    subnet_blocks: "{{ subnet_info.subnets | map(attribute='cidr_block') | list  }}"

- name: Configure Sysctl
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    ignoreerrors: true
    sysctl_set: true

- name: Iptables Masquerade
  iptables:
    table: nat
    chain: POSTROUTING
    jump: MASQUERADE

- name: Configure Tailscale
  include_role:
    name: tailscale
  vars:
    tailscale_args: "-accept-routes=false -advertise-routes={{ subnet_blocks | join(',') }}"

@artis3n
Owner

artis3n commented Apr 21, 2020

Thanks for this PR! I'd like your thoughts on an arbitrary "args" parameter vs. whitelisted arguments, such as:

- name: Configure Tailscale
  include_role:
    name: tailscale
  vars:
    tailscale_accept_routes: false
    tailscale_advertise_routes: "{{ subnet_blocks | join(',') }}"

Arbitrary "args" would allow people to match tailscale's supported arguments faster, maybe at the cost of a Role that is less easy to configure. If we go with the former, we can pass arbitrary arguments safely to the command line with:

command: tailscale up --authkey={{ tailscale_auth_key | quote }} {{ tailscale_args | quote }}

@artis3n
Owner

artis3n commented Apr 21, 2020

Additionally, to get CI tests running please follow https://github.com/artis3n/ansible-role-tailscale#development-and-contributing.

I need to update it because I just realized I am not mentioning the GitHub Actions-compatible instructions. Choose a password for .ci-vault-pass so make test can run locally, and then set that value to a Secret in your fork under the key name VAULT_PASS.

I'd love a simpler way to run CI but since we need an auth_key to actually verify tailscale currently the best I came up with was this.

@hamishforbes
Contributor Author

hamishforbes commented Apr 21, 2020

Yeah there's a few ways to go about this, I initially was going to add specific values but I feel like maintaining that whitelist approach will just be annoying.
Especially as Tailscale is early in development and will likely be adding / changing parameters frequently.

Other options:
Maybe a map of flags to values to add? Lets the role handle quoting etc

tailscale_args:
  advertise-routes: "{{ subnet_blocks | join(',') }}"
  accept-routes: false
  arbitrary-flag: some value

Use the argv option on command. tailscale_args could then be an array. (Below is untested but you get the idea?)

tailscale_args:
  - "-advertise-routes={{ subnet_blocks | join(',') }}"
  - "-accept-routes=false"

tailscale_default_args:
  - "/usr/bin/tailscale"
  - "up"
  - "-authkey={{ tailscale_auth_key }}"

command:
  argv: "{{ tailscale_default_args + (tailscale_args | default([])) }}"

I don't really have a strong opinion either way, this way is the smallest change I could make though :)

I will have a look at getting the CI working too

@artis3n
Owner

artis3n commented Apr 21, 2020

Those CI instructions won't work because the auth_key in molecule/default/converge.yml is encrypted with my CI secret... All right I need to figure out how to enable contributions to this repo.

As for the design, I'm thinking arbitrary arguments works for now as Tailscale continues to rapidly develop, and at some point I'll convert it into a tailscale_args object for simpler usage.

@artis3n
Owner

artis3n commented Apr 25, 2020

Going to start thinking about how to enable collaboration with the CI setup. For now, I'm taking your branch and pushing up my own building off of your commits (so your contributions are preserved).

The tailscale_args fails the command module because Ansible doesn't like the variable being empty. Working on it in the replacement for this PR - #29 .

TASK [artis3n.tailscale : Bring Tailscale Up] **********************************
fatal: [instance]: FAILED! => {"changed": true, "cmd": ["tailscale", "up", "--authkey=tskey-redacted", ""], "delta": "0:00:00.711671", "end": "2020-04-25 18:20:58.395274", "msg": "non-zero return code", "rc": 1, "start": "2020-04-25 18:20:57.683603", "stderr": "2020/04/25 18:20:58 too many non-flag arguments: [\"\"]", "stderr_lines": ["2020/04/25 18:20:58 too many non-flag arguments: [\"\"]"], "stdout": "", "stdout_lines": []}
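
The empty `""` argument in the log above can be reproduced offline. This is an added example, not code from the role or from either participant: it assumes Python's `shlex.quote` and `shlex.split` behave like Ansible's `quote` filter and the command module's free-form splitting, and `build_argv`, the sample key and the sample routes are constructed for illustration.

```python
import re
import shlex

KEY = "tskey-constructed"           # constructed sample value
ROUTES = "10.0.1.0/24,10.0.2.0/24"  # constructed sample value

def render_free_form(auth_key, tailscale_args):
    """Mimic: tailscale up --authkey={{ key | quote }} {{ args | quote }}"""
    line = "tailscale up --authkey=%s %s" % (
        shlex.quote(auth_key), shlex.quote(tailscale_args))
    return shlex.split(line)  # what the process receives as argv

def build_argv(auth_key, flags=None):
    """Hypothetical helper: one argv element per flag, no shell parsing."""
    argv = ["tailscale", "up", "--authkey=" + auth_key]
    for name, value in (flags or {}).items():
        # Only plain flag names are accepted; values need no quoting
        # because an argv list is never re-split on whitespace.
        if not re.fullmatch(r"[a-z][a-z0-9-]*", name):
            raise ValueError("unexpected flag name: %r" % name)
        if value is None or value == "":
            continue  # unset flag: emit nothing rather than an empty argument
        if isinstance(value, bool):
            value = "true" if value else "false"
        argv.append("--%s=%s" % (name, value))
    return argv

if __name__ == "__main__":
    # Empty variable: quote() renders '' and the CLI gets a stray "" argument.
    print(render_free_form(KEY, ""))
    # Two flags in one quoted string collapse into a single argument.
    print(render_free_form(KEY, "-accept-routes=false -advertise-routes=" + ROUTES))
    # Flag map: each flag is its own element, unset flags are dropped.
    print(build_argv(KEY, {"accept-routes": False, "advertise-routes": ROUTES}))
```
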

@artis3n
Owner

artis3n commented Apr 25, 2020

Incorporated the changes in #29 , closing this one

@artis3n artis3n closed this Apr 25, 2020
@artis3n
Owner

artis3n commented Apr 25, 2020

1.2.0 is now released on Ansible Galaxy with this functionality as described in the README.
