---
# Tailscale VPN installation and configuration
# Provides secure access to SSH and internal services

- name: Install prerequisites for Tailscale
  ansible.builtin.apt:
    name:
      - curl
      - gnupg
      - apt-transport-https
    state: present
    update_cache: yes
  become: yes

- name: Add Tailscale GPG key
  ansible.builtin.shell: |
    curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg | tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null
  args:
    creates: /usr/share/keyrings/tailscale-archive-keyring.gpg
  become: yes

- name: Add Tailscale repository
  ansible.builtin.shell: |
    curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list | tee /etc/apt/sources.list.d/tailscale.list > /dev/null
  args:
    creates: /etc/apt/sources.list.d/tailscale.list
  become: yes

- name: Install Tailscale
  ansible.builtin.apt:
    name: tailscale
    state: present
    update_cache: yes
  become: yes

- name: Enable Tailscale service
  ansible.builtin.systemd:
    name: tailscaled
    state: started
    enabled: yes
  become: yes

- name: Check if Tailscale is already authenticated
  ansible.builtin.command: tailscale status
  register: tailscale_status
  ignore_errors: yes
  changed_when: false
  become: yes

- name: Display Tailscale authentication instructions
  ansible.builtin.debug:
    msg: |
      ===============================================================
      TAILSCALE AUTHENTICATION REQUIRED
      ===============================================================

      Tailscale is installed but needs to be authenticated.

      SSH into the server and run:
        sudo tailscale up --ssh

      This will:
      1. Open a browser URL for authentication
      2. Connect to your Tailnet
      3. Enable Tailscale SSH (optional but recommended)

      For headless servers, use an auth key:
        sudo tailscale up --authkey=tskey-auth-XXXXX

      Generate an auth key at:
      https://login.tailscale.com/admin/settings/keys

      After authentication, you can access this server via:
      - Tailscale IP (shown in 'tailscale ip')
      - Tailscale hostname (from admin console)
      ===============================================================
  when: tailscale_status.rc != 0