@johannrichard
Last active September 4, 2022 10:19
Tailscale ACL GitOps Workflow
# .github/act/.env
TS_TAILNET="op://Infrastruktur/TS_TAILNET/credential"
TS_API_KEY="op://Infrastruktur/TS_API_KEY/credential"

Tailscale ACL Workflow for GitOps

Tailscale recently introduced the possibility to manage tailnet ACLs in a Git repository. This is my tailscale.yml, which differs from the workflow proposed by Tailscale in one notable way: the ACL test step runs unconditionally, before the ACL deployment step, and the deployment is skipped unless the test passed (a failing step stops the job). When a run fails it is therefore immediately clear that it failed because of an invalid ACL policy, not because of the apply itself.

Bonus: by installing act, one can actually run these tests locally, e.g. before committing or pushing to GitHub. This works well with a Git pre-commit hook that fails, and thereby aborts the commit, if the ACL test is unsuccessful. Combined with the 1Password CLI (the op command), you get a nice little ACL workflow: the .env file above contains only op:// secret references, so it can be committed; op run resolves them into the environment of the child process, and act --secret NAME (without a value) picks each secret up from that environment, so the API key never has to be written to disk.

Two things to keep in mind: action: test validates the policy through the Tailscale API, so the hook needs network access and a valid API key, and since action: apply runs on every push to live, that branch should be protected so that ACL changes only land through reviewed pull requests.

op run --env-file=".github/act/.env" -- act --secret TS_API_KEY --secret TS_TAILNET
#!/bin/bash
# Put this into .git/hooks/pre-commit (and make it executable) or amend your existing pre-commit hook accordingly.
# git aborts the commit when the hook exits non-zero, i.e. when the ACL test fails.
op run --env-file=".github/act/.env" -- act --secret TS_API_KEY --secret TS_TAILNET
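A more defensive variant of the hook above, added here as an example and not part of the original gist: it refuses to commit .github/act/.env if any value in it is not an op:// reference (so a resolved token can never end up in the repository), and it only spends an API call and a container run when the ACL inputs are actually staged. It assumes the policy file is named policy.hujson (the default of tailscale/gitops-acl-action; adjust if the repository uses another name) and that op and act are installed; the helper names env_has_only_op_refs, needs_acl_test and run_hook are mine.

```shell
#!/bin/bash
# Added example (not from the original gist): a stricter pre-commit hook.
#  1. If .github/act/.env is staged, every value in it must be an op:// reference.
#     That keeps resolved 1Password secrets out of the repository.
#  2. The ACL test (op run + act) only runs when the policy file, the env file or a
#     workflow file is staged, so unrelated commits do not hit the Tailscale API.
# Assumptions: the policy file is policy.hujson (default of tailscale/gitops-acl-action);
# op and act are installed and act has a working container runtime.

ENV_FILE=".github/act/.env"
POLICY_FILE="policy.hujson"   # assumption, see above

# Succeeds when every non-blank, non-comment line of file $1 has the form
# KEY=op://vault/item/field or KEY="op://vault/item/field".
env_has_only_op_refs() {
    local line key val
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) return 1 ;;                    # not a KEY=VALUE line
        esac
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}          # tolerate the quoted style used in the gist
        case "$key" in
            ''|*[!A-Za-z0-9_]*) return 1 ;;   # not a plain environment variable name
        esac
        case "$val" in
            op://*/*/*) ;;                    # vault/item/field secret reference
            *) return 1 ;;                    # anything else is, or could be, a plaintext secret
        esac
    done < "$1"
    return 0
}

# Succeeds when any of the given staged paths affects the ACL test.
needs_acl_test() {
    local f
    for f in "$@"; do
        case "$f" in
            "$POLICY_FILE"|"$ENV_FILE"|.github/workflows/*) return 0 ;;
        esac
    done
    return 1
}

run_hook() {
    local staged tool
    staged=$(git diff --cached --name-only --diff-filter=ACMR)

    if printf '%s\n' "$staged" | grep -qxF "$ENV_FILE"; then
        if ! env_has_only_op_refs "$ENV_FILE"; then
            echo "pre-commit: $ENV_FILE must contain only op:// references; refusing to commit" >&2
            return 1
        fi
    fi

    # shellcheck disable=SC2086  # intentional word splitting; paths with spaces are not expected here
    needs_acl_test $staged || return 0

    for tool in op act; do
        command -v "$tool" >/dev/null 2>&1 || { echo "pre-commit: $tool is not installed" >&2; return 1; }
    done
    # Same invocation as the simple hook: op resolves the references into the
    # environment of act, and act --secret NAME reads each value from there.
    op run --env-file="$ENV_FILE" -- act --secret TS_API_KEY --secret TS_TAILNET
}

# git invokes the hook as .git/hooks/pre-commit; only then run it, so the file
# can also be sourced to exercise the helper functions.
case "${0##*/}" in
    pre-commit) run_hook ;;
esac
```

Install it as .git/hooks/pre-commit and make it executable; because the hook body only runs under that file name, the helper functions can be sourced and checked on their own.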
# .github/workflows/tailscale.yml
name: Sync Tailscale ACLs
on:
  push:
    branches: ["live", "main"]
  pull_request:
    branches: ["live"]
jobs:
  acls:
    name: "test and deploy"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Always validate the policy first; a failure here stops the job,
      # so the apply step below never runs with an invalid policy.
      - name: Test ACL
        id: test-acl
        uses: tailscale/gitops-acl-action@v1
        with:
          api-key: ${{ secrets.TS_API_KEY }}
          tailnet: ${{ secrets.TS_TAILNET }}
          action: test
      # Deploy only on a push to the live branch, never for pull requests
      # or for pushes to main.
      - name: Deploy ACL
        if: github.event_name == 'push' && github.ref == 'refs/heads/live'
        id: deploy-acl
        uses: tailscale/gitops-acl-action@v1
        with:
          api-key: ${{ secrets.TS_API_KEY }}
          tailnet: ${{ secrets.TS_TAILNET }}
          action: apply