ansible-tailscale/roles/config-tailscale/tasks/main.yml

---
- name: Check authentication status
  block:
    - ansible.builtin.set_fact:
        _auth_needed: false

    - register: _status
      changed_when: false
      ansible.builtin.command:
        argv:
          - 'tailscale'
          - 'status'
          - '--json'

    - when: _fields.BackendState == "NeedsLogin"
      ansible.builtin.set_fact:
        _auth_needed: true
      vars:
        _fields: "{{ _status.stdout | from_json }}"

- name: Login
  when: _auth_needed
  block:
    - name: Login into tailscale
      pause:
        prompt: "Enter to continue."

- name: Configure tailscale
  become: true
  command:
    argv:
      - 'tailscale'
      - 'set'
      - "{{ item }}"
  loop:
    - '--auto-update=false'
    - '--update-check=false'
    - '--accept-dns=false'
    - "--webclient={{ tailscale.webclient | default('false') }}"
    - "--advertise-exit-node={{ tailscale.exit_node | default('false') }}"
    - "--advertise-routes={{ tailscale.routes | default([]) | join(',') }}"
    - "--ssh={{ tailscale.ssh | default('false') }}"
    - "--snat-subnet-routes=false"
  notify:
    - Restart tailscale