Skip tailscale up command if you want (#73)

* Adds tailscale_up_skip variable Fixes #72 Starts an implementation for #64 but does not complete * Update dependabot python checks to weekly * Bump python in CI to python 3.9 * Remove traces of yamllint * Fixes #74 * Fix caching during CI workflow
artis3n · Feb 3, 2021 · 8be9067 · 8be9067
1 parent 2264c81
commit 8be9067
Show file tree

Hide file tree

Showing 18 changed files with 331 additions and 219 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,4 +9,4 @@ updates:
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "monthly"
+      interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
       - name: Set up Python 3.x
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.9
 
       - name: Install dependencies
         run: |
@@ -41,8 +41,8 @@ jobs:
       - name: Use Cache
         uses: actions/cache@v2
         with:
-          path: ~/.cache/pipenv
-          key: ${{ runner.os }}-pipenv-${{ hashFiles('**/Pipfile.lock') }}
+          path: ~/.local/share/virtualenvs
+          key: ${{ runner.os }}-pipenv-${{ hashFiles('Pipfile.lock') }}
           restore-keys: |
             ${{ runner.os }}-pipenv-
 
@@ -58,7 +58,7 @@ jobs:
           cp -r ./ ~/.ansible/roles/artis3n.tailscale
 
       - name: Molecule
-        run: echo "${{ secrets.VAULT_PASS }}" > /home/runner/work/_temp/.vault-ci-pass && ANSIBLE_VAULT_PASSWORD_FILE=/home/runner/work/_temp/.vault-ci-pass pipenv run molecule test
+        run: echo "${{ secrets.VAULT_PASS }}" > /home/runner/work/_temp/.vault-ci-pass && ANSIBLE_VAULT_PASSWORD_FILE=/home/runner/work/_temp/.vault-ci-pass pipenv run molecule test --all
         env:
           MOLECULE_DISTRO: "${{ matrix.distros }}"
 

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v3.4.0
   hooks:
     - id: check-yaml
       # https://github.com/pre-commit/pre-commit-hooks/issues/273
@@ -17,9 +17,11 @@ repos:
   rev: 2.1.4
   hooks:
     - id: shellcheck
+      # Temporary until https://github.com/jumanjihouse/pre-commit-hooks/pull/81 is merged
+      additional_dependencies: []
 
 - repo: https://github.com/ansible/ansible-lint
-  rev: v4.3.5
+  rev: v4.3.7
   hooks:
     - id: ansible-lint
       files: \.(yaml|yml)$
diff --git a/.yamllint b/.yamllint
diff --git a/Makefile b/Makefile
@@ -17,9 +17,8 @@ clean:
 
 .PHONY: test
 test:
-	ANSIBLE_VAULT_PASSWORD_FILE=$(PWD)/.ci-vault-pass pipenv run molecule test
+	ANSIBLE_VAULT_PASSWORD_FILE=$(PWD)/.ci-vault-pass pipenv run molecule test --all
 
 .PHONY: lint
 lint:
-	pipenv run yamllint .
 	pipenv run ansible-lint
diff --git a/Pipfile b/Pipfile
@@ -4,15 +4,11 @@ url = "https://pypi.org/simple"
 verify_ssl = true
 
 [dev-packages]
-ansible-lint = "*"
-yamllint = "*"
 pre-commit = "*"
-ansible = "*"
-molecule = {extras = ["docker"],version = "*"}
-docker = "*"
+molecule = {extras = ["docker", "lint"],version = "*"}
 
 [packages]
 ansible = "*"
 
 [requires]
-python_version = "3.8"
+python_version = "3.9"
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/README.md b/README.md
@@ -21,6 +21,8 @@ You must supply a `tailscale_auth_key` variable, which can be generated under yo
 
 **Required**
 
+Is **not** required if `tailscale_up_skip` is set to `true`.
+
 An [ansible-vault encrypted variable][ansible-vault] containing a Tailscale Node Authorization auth key.
 
 A Node Authorization auth key can be generated under your Tailscale account at <https://login.tailscale.com/admin/authkeys>.
@@ -67,6 +69,15 @@ Since Tailscale is still undergoing rapid development, we are holding off on cre
 Whether to output additional information during role execution.
 Helpful for debugging and collecting information to submit in a GitHub issue on this repository.
 
+### tailscale_up_skip
+
+**Default**: `false`
+
+**If set to true, `tailscale_auth_key` is not required.**
+
+Whether to install and configure Tailscale as a service but skip running `tailscale up`.
+Helpful when packaging up a Tailscale installation into a build process such as AMI creation when the server should not yet authenticate to your Tailscale network.
+
 ## Dependencies
 
 None
@@ -158,6 +169,17 @@ Get verbose output:
         verbose: true
 ```
 
+Install Tailscale, but don't authenticate to the network
+
+```yaml
+- name: Servers
+  hosts: all
+  roles:
+    - role: artis3n.tailscale
+      vars:
+        tailscale_up_skip: true
+```
+
 ## License
 
 MIT

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -41,7 +41,3 @@ dnf_yum_dependencies:
 
 dnf_repos:
   Fedora: https://pkgs.tailscale.com/{{ release_stability | lower }}/fedora/tailscale.repo
-
-arch_dependencies:
-  - glibc
-  - go
diff --git a/molecule/default/cleanup.yml b/molecule/default/cleanup.yml
@@ -0,0 +1,8 @@
+---
+- name: Cleanup
+  hosts: all
+  tasks:
+  - name: De-register Tailscale node
+    become: yes
+    command: tailscale down
+    changed_when: false
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -5,11 +5,10 @@ driver:
   name: docker
 lint: |
   set -e
-  yamllint .
   ansible-lint
 platforms:
   - name: instance
-    image: ${MOLECULE_DISTRO:-geerlingguy/docker-ubuntu2004-ansible:latest}
+    image: ${MOLECULE_DISTRO:-ghcr.io/artis3n/docker-ubuntu2010-ansible:latest}
     # Needed for systemd
     command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
     volumes:
@@ -30,4 +29,5 @@ scenario:
     - converge
     - idempotence
     - verify
+    - cleanup
     - destroy
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -11,5 +11,4 @@
   - name: Assertions
     assert:
       that:
-        - '"linux" in tailscale_status.stdout'
-        - '"L+V9o" not in tailscale_status.stdout'
+        - '"hello.ipn.dev" in tailscale_status.stdout'
diff --git a/molecule/skip-authentication/converge.yml b/molecule/skip-authentication/converge.yml
@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include artis3n.tailscale"
+      include_role:
+        name: artis3n.tailscale
+      vars:
+        tailscale_up_skip: true
diff --git a/molecule/skip-authentication/molecule.yml b/molecule/skip-authentication/molecule.yml
@@ -0,0 +1,32 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint: |
+  set -e
+  ansible-lint
+platforms:
+  - name: instance
+    image: ${MOLECULE_DISTRO:-ghcr.io/artis3n/docker-ubuntu2010-ansible:latest}
+    # Needed for systemd
+    command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible
+scenario:
+  name: skip-authentication
+  test_sequence:
+    - lint
+    - destroy
+    - syntax
+    - create
+    - converge
+    - idempotence
+    - verify
+    - destroy
diff --git a/molecule/skip-authentication/verify.yml b/molecule/skip-authentication/verify.yml
@@ -0,0 +1,14 @@
+---
+- name: Verify
+  hosts: all
+  tasks:
+  - name: Get Tailscale status
+    become: yes
+    command: tailscale status
+    changed_when: false
+    register: tailscale_status
+
+  - name: Assertions
+    assert:
+      that:
+        - '"hello.ipn.dev" not in tailscale_status.stdout'
diff --git a/tasks/arch.yml b/tasks/arch.yml
@@ -1,38 +1,8 @@
 ---
 
-- name: Arch | Install Dependencies
+- name: Arch | Install Tailscale
   become: yes
   pacman:
-    name: '{{ arch_dependencies }}'
+    name: '{{ tailscale_package }}'
     update_cache: yes
     state: present
-
-- name: Arch | Ensure non-root user
-  become: yes
-  user:
-    name: tailscale
-    home: /home/tailscale
-    system: yes
-
-- name: Arch | Add tailscale user to sudoers
-  become: yes
-  lineinfile:
-    path: /etc/sudoers
-    regexp: '^tailscale'
-    line: 'tailscale ALL=(ALL) NOPASSWD: ALL'
-
-- name: Arch | Download Tailscale AUR
-  become: yes
-  become_user: tailscale
-  git:
-    repo: https://aur.archlinux.org/tailscale.git
-    dest: /home/tailscale/tailscale
-    version: master
-
-- name: Arch | Install Tailscale
-  become: yes
-  become_user: tailscale
-  command: makepkg -si --noconfirm
-  args:
-    chdir: /home/tailscale/tailscale
-    creates: /usr/sbin/tailscale
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -5,7 +5,13 @@
       You must include a Node Authorization auth key.
       Set a `tailscale_auth_key` ansible-vault encrypted variable.
       You can create this key from: https://login.tailscale.com/admin/authkeys"
-  when: tailscale_auth_key is not defined
+  when: tailscale_auth_key is not defined and not tailscale_up_skip|bool
+
+- name: Skipping Authentication
+  debug:
+    msg: >
+      You have set 'tailscale_up_skip', so this node will not authenticate to your Tailscale network.
+  when: tailscale_up_skip|bool
 
 - name: Unstable Warning
   # Print an error message to the console but proceed anyway
@@ -74,6 +80,6 @@
   no_log: true
   register: tailscale_start
   when: >
-    tailscale_status.stdout | length == 0
-    or tailscale_status.stdout is match('\[L\+V9o\]')
+    not tailscale_up_skip | bool
+    and '"hello.ipn.dev"' not in tailscale_status.stdout
   notify: Confirm Tailscale is Connected
diff --git a/vars/main.yml b/vars/main.yml
@@ -3,3 +3,4 @@
 
 # Whether to output debug information during role execution
 verbose: false
+tailscale_up_skip: false
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,4 @@

		# Whether to output debug information during role execution
		verbose: false
		tailscale_up_skip: false