Forge Home


A module for installing and configuring the tailscale mesh network


120 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.0 (latest)
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Jan 4th 2024
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6.0.0 < 9.0.0
  • , ,
  • install

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'blockops-tailscale', '1.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add blockops-tailscale
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install blockops-tailscale --version 1.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



blockops/tailscale — version 1.0.0 Jan 4th 2024


A module for installing and configuring the tailscale mesh network. Not sure what tailscale is? A wireguard based VPN service. Join multiple networks into a single mesh network and even share with your friends.

Table of Contents


A very basic module for setting up tailscale on debian and redhat systems.

Requires a authkey for automated setup. Essentially performs the installation instructions provided on their website.


What tailscale affects

  • Installs tailscale package
  • Installs systemd tailscale service
  • Runs the tailscale up command with provided authkey

Joins your system to a mesh network. Provide the wrong authkey and you might be joining to somebody else's network.

Setup Requirements

You will need an authkey and access to the internet.

Beginning with tailscale

In order to join the tailscale network you need the authkey. This key should be treated as sensitive data as anybody with the key can gain access to your network. We recommend using hiera-eyaml to encrypt the key. To take extra precautions when using a puppetserver you should also set the tailscale::use_node_encrypt parameter to true.


Without hiera example

class{'tailscale': auth_key => '123456' }

With hiera example

include tailscale

# data/common.yaml
tailscale::auth_key: 123456
tailscale::base_pgk_url: 'https://mydomain/packages/centos'

# example only, options are not required
  hostname: "%{::facts.hostname}"


These are the options available for providing tailscale up flags.

  up [flags]

"tailscale up" connects this machine to your Tailscale network,
triggering authentication if necessary.

With no flags, "tailscale up" brings the network online without
changing any settings. (That is, it's the opposite of "tailscale

If flags are specified, the flags must be the complete set of desired
settings. An error is returned if any setting would be changed as a
result of an unspecified flag's default value, unless the --reset
flag is also used.

  --accept-dns, --accept-dns=false
        accept DNS configuration from the admin panel (default true)
  --accept-routes, --accept-routes=false
        accept routes advertised by other Tailscale nodes (default false)
  --advertise-exit-node, --advertise-exit-node=false
        offer to be an exit node for internet traffic for the tailnet (default false)
  --advertise-routes string
        routes to advertise to other nodes (comma-separated, e.g. ",")
  --advertise-tags string
        comma-separated ACL tags to request; each must start with "tag:" (e.g. "tag:eng,tag:montreal,tag:ssh")
  --authkey string
        node authorization key
  --exit-node string
        Tailscale IP of the exit node for internet traffic
  --exit-node-allow-lan-access, --exit-node-allow-lan-access=false
        Allow direct access to the local network when routing traffic via an exit node (default false)
  --force-reauth, --force-reauth=false
        force reauthentication (default false)
  --host-routes, --host-routes=false
        install host routes to other Tailscale nodes (default true)
  --hostname string
        hostname to use instead of the one provided by the OS
  --login-server string
        base URL of control server (default
  --netfilter-mode string
        netfilter mode (one of on, nodivert, off) (default on)
  --operator string
        Unix username to allow to operate on tailscaled without sudo
  --reset, --reset=false
        reset unspecified settings to their default values (default false)
  --shields-up, --shields-up=false
        don't allow incoming connections (default false)
  --snat-subnet-routes, --snat-subnet-routes=false
        source NAT traffic to local routes advertised with --advertise-routes (default true)


At this time this module can only install and initialize tailscale.


Pull requests welcomed.