Add Template to deploy forgejo.

This template allows deploying a forgejo en either Scaleway or Hetzner
(untested) without much knowledge about them.
It DOES require knowledge about Terragrunt and ansible. A wizard of
sorts is provided but it will not guarantee success without some
knowledge about the underlying technology.

ansible/roles/forgejo/tasks/tailscale.yml

@@ -0,0 +1,76 @@
+---
+# Tailscale VPN installation and configuration
+# Provides secure access to SSH and internal services
+
+- name: Install prerequisites for Tailscale
+  ansible.builtin.apt:
+    name:
+      - curl
+      - gnupg
+      - apt-transport-https
+    state: present
+    update_cache: yes
+  become: yes
+
+- name: Add Tailscale GPG key
+  ansible.builtin.shell: |
+    curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg | tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null
+  args:
+    creates: /usr/share/keyrings/tailscale-archive-keyring.gpg
+  become: yes
+
+- name: Add Tailscale repository
+  ansible.builtin.shell: |
+    curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list | tee /etc/apt/sources.list.d/tailscale.list > /dev/null
+  args:
+    creates: /etc/apt/sources.list.d/tailscale.list
+  become: yes
+
+- name: Install Tailscale
+  ansible.builtin.apt:
+    name: tailscale
+    state: present
+    update_cache: yes
+  become: yes
+
+- name: Enable Tailscale service
+  ansible.builtin.systemd:
+    name: tailscaled
+    state: started
+    enabled: yes
+  become: yes
+
+- name: Check if Tailscale is already authenticated
+  ansible.builtin.command: tailscale status
+  register: tailscale_status
+  ignore_errors: yes
+  changed_when: false
+  become: yes
+
+- name: Display Tailscale authentication instructions
+  ansible.builtin.debug:
+    msg: |
+      ===============================================================
+      TAILSCALE AUTHENTICATION REQUIRED
+      ===============================================================
+
+      Tailscale is installed but needs to be authenticated.
+
+      SSH into the server and run:
+        sudo tailscale up --ssh
+
+      This will:
+        1. Open a browser URL for authentication
+        2. Connect to your Tailnet
+        3. Enable Tailscale SSH (optional but recommended)
+
+      For headless servers, use an auth key:
+        sudo tailscale up --authkey=tskey-auth-XXXXX
+
+      Generate an auth key at: https://login.tailscale.com/admin/settings/keys
+
+      After authentication, you can access this server via:
+        - Tailscale IP (shown in 'tailscale ip')
+        - Tailscale hostname (from admin console)
+      ===============================================================
+  when: tailscale_status.rc != 0