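---
# Based on https://tailscale.com/download/linux/debian-bullseye
- name: Install Tailscale
  hosts: all
  become: true
  tasks:
    # Equivalent of:
    #   curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg \
    #     | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
    # The key is fetched over HTTPS but is otherwise trusted on first use. To pin
    # it, add `checksum: "sha256:<digest obtained out of band>"` (placeholder) so a
    # changed key fails the play instead of silently becoming trusted.
    - name: Download Tailscale package signing key
      ansible.builtin.get_url:
        url: https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg
        dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
        mode: "0644"  # readable by apt, never writable by non-root; quoted to keep the octal literal

    # Equivalent of:
    #   curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list \
    #     | sudo tee /etc/apt/sources.list.d/tailscale.list
    # [signed-by=...] scopes the key to this repository only, so it cannot sign
    # packages for any other source.
    - name: Add Tailscale repository
      ansible.builtin.apt_repository:
        repo: >-
          deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg]
          https://pkgs.tailscale.com/stable/debian bullseye main
        state: present

    # sudo apt-get update
    - name: Update apt-get
      ansible.builtin.apt:
        update_cache: true

    # sudo apt-get install tailscale
    - name: Install Tailscale
      ansible.builtin.package:
        name: tailscale
        state: present

# Based on https://tailscale.com/kb/1077/secure-server-ubuntu-18-04/
- name: Only allow connections over Tailscale
  hosts: all
  become: true
  tasks:
    # Read-only query; changed_when: false keeps it from reporting a change.
    # If tailscaled is not reachable the command presumably exits non-zero and
    # the play fails, which is the safe outcome: the firewall is never enabled
    # without a confirmed Tailscale path to the host.
    - name: Get Tailscale status
      ansible.builtin.command: tailscale status --json
      register: tailscale_status
      changed_when: false

    # Lock-out hazard: the first ufw task below enables the firewall while only
    # tailscale0 is explicitly allowed inbound (ufw's stock policy denies the
    # rest). Run this play over the host's Tailscale address, or add an allow
    # rule for the management network first; a control connection arriving on
    # the public interface is cut off as soon as ufw is enabled.
    - name: Only allow connections over Tailscale
      when: _tailscale_status.BackendState == "Running"
      vars:
        _tailscale_status: "{{ tailscale_status.stdout | from_json }}"
      block:
        - name: Install ufw
          ansible.builtin.package:
            name: ufw
            state: present

        - name: Allow access over tailscale
          community.general.ufw:
            state: enabled
            rule: allow
            interface_in: tailscale0

        # Single-item loop replaced by a direct value; same rule is applied.
        - name: Restrict incoming traffic
          community.general.ufw:
            default: deny
            direction: incoming

        # NOTE(review): this opens 80/443 on every interface, not only
        # tailscale0, so the host stays reachable from the public network on
        # those ports. Add `interface_in: tailscale0` here if the web service is
        # meant to be Tailscale-only.
        - name: Allow access to HTTP(S)
          community.general.ufw:
            rule: allow
            port: "{{ item }}"
            proto: tcp
          loop:
            - http
            - https
          notify:
            - Reload ufw
            - Restart ssh  # NOTE(review): nothing in this play edits sshd config; confirm the restart is still wanted

  handlers:
    - name: Reload ufw
      ansible.builtin.service:
        name: ufw
        state: reloaded

    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted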