Update existing tailscale installation if up command-line arguments change

[artis3n]

This role will update Tailscale to the latest version but will only run up if it detects the system is logged out of Tailscale. It should support an idempotent method of re-running tailscale up if the command-line arguments to the up command change.

[artis3n]

Can maintain a statefile on the target host similar to https://github.com/artis3n/ansible-role-jetbrains-projector/blob/main/tasks/lib/update_configs.yml

[samuelharmer]

I'm just looking at implementing this as I probably want it before I implement subnet routes, but I have a question. According to the CLI manual:

To clear previously set flags like tags and routes, pass the flag with an empty argument:

# Connects with `tag:server`
tailscale up --advertise-tags=tag:server

# Connects and clears any tags
tailscale up --advertise-tags=

In Tailscale v1.8 or greater, if you forget to specify a flag you added before, the CLI will warn you and provide a copyable command that includes all existing flags.

Now, if we use the method laid out here we should be able to know if any arguments have been removed. So, if an argument has been removed, would we expect the new command to include an empty --flag=, to ensure a setting that is no longer part of Ansible gets unset? Or trust the user to know about this, and explicitly provide empty flags?

[artis3n]

I hadn't considered that yet! In the spirit of Ansible (idempotency, explicit declarations) I'd prefer this role have the capability to realize if a previously set flag is missing and fail the task with a clear failure message explaining what flags are missing. And the user would need to explicitly pass an input variable to allow overwriting the state without including previously declared flags. The user would otherwise need to include the empty flags in their tailscale_args themselves to ensure no unexpected behavior from the role.

Perhaps an assert similar to https://github.com/artis3n/ansible-role-jetbrains-projector/blob/main/tasks/lib/validate.yml which is looped from https://github.com/artis3n/ansible-role-jetbrains-projector/blob/main/tasks/main.yml.

Happy to let you tinker with an implementation for this issue! Feel free to put up a draft PR if you'd like input while you work on it.

[artis3n]

My previous comment creates idempotency challenges running the same playbook twice in a row so we'd need to solve for that.

[artis3n]

I've pushed a PR with initial support for this functionality. I've adjusted my previous comments to this behavior - let tailscale handle updating users correctly about required or missing CLI arguments and save this role from having to make any opinionated decisions on that front. Previously, all stdout/stderr was hidden from users by default because the authkey would be printed. Now stdout/stderr will be printed to users of the role and the authkey will be safely redacted by default. So in the event of missing CLI args, tailscale up will fail with a clear error message in its stderr and that will be safely printed to users without exposing their authkey.