weave
module · Networking

Tailscale

Tailscale — tailnet devices, auth keys, tags, ACL document

Namespace: weave tailscale
Env: TAILSCALE_API_KEY
Commands: 6
State kinds: 1
Category: Networking
API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

| Variable | Description | Status |
| --- | --- | --- |
| TAILSCALE_API_KEY | Required for authentication. | required |
| TAILSCALE_TAILNET | Required for authentication. | required |
| TAILSCALE_OAUTH_CLIENT_ID | Optional OAuth client instead of an API key (tailnet admin scope). | optional |
| TAILSCALE_OAUTH_CLIENT_SECRET | OAuth client secret paired with TAILSCALE_OAUTH_CLIENT_ID. | optional |

Sanity-check the wiring:

weave secrets check
weave tailscale --help
weave doctor   # reports TAILSCALE_API_KEY status

Capabilities

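What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.

| Entity | find | list | show | do | snapshot | diff | apply |
| --- | --- | --- | --- | --- | --- | --- | --- |
| acl | · | · | · | · | ✓ | ✓ | ✓ |
| device | ✓ | ✓ | · | ✓ | · | · | · |
| key | · | ✓ | · | · | · | · | · |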

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (1)

find device

read

Find a device by hostname or id.

weave tailscale find device <identifier>

list (2)

list devices

read

List devices on the tailnet.

weave tailscale list devices <arg>

list keys

read

List auth keys.

weave tailscale list keys <arg>

do (3)

do delete

write

Delete a device from the tailnet.

weave tailscale do delete <device-id>

do expire-key

write

Expire a device's auth key (forces re-auth).

weave tailscale do expire-key <device-id>

do tag

write

Replace tags on a device.

weave tailscale do tag <device-id> <tags>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/tailscale/.

This module is on the thinner integration path — use snapshot / diff for audit; confirm apply per kind below before relying on writes.

acl

snapshot diff apply

Tailnet ACL document (acls, groups, hosts, tagOwners, ssh, …).

Scope
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: tailscale
kind: acl
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

ACL-as-code (the Tailscale way)

Most teams already keep HuJSON in git — weave makes the round-trip explicit.

weave tailscale snapshot acl
$EDITOR .weave-state/tailscale/acl.yaml
weave tailscale diff acl
weave tailscale apply acl --yes
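
A pre-apply check that could sit between the diff and apply steps above, as an added example (not part of weave and not from this page's author): it lints a Tailscale policy document for allow-all rules and for tags or groups that are referenced but never defined. The sample policy is constructed, and since this page does not show how the snapshot YAML wraps the document, the hypothetical `lint_policy` function takes the already-parsed policy as a dict.

```python
import json

# Constructed sample policy using the policy-file sections this page names
# (groups, tagOwners, acls). Not taken from any real tailnet.
SAMPLE_POLICY = json.loads("""
{
  "groups":    {"group:ops": ["alice@example.com"]},
  "tagOwners": {"tag:servers": ["group:ops"]},
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:servers:22"]},
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:db:5432"]},
    {"action": "accept", "src": ["*"],         "dst": ["*:*"]}
  ]
}
""")


def lint_policy(policy):
    """Return a list of (rule_index, finding) tuples for a parsed ACL policy."""
    tags = set(policy.get("tagOwners", {}))
    groups = set(policy.get("groups", {}))
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        srcs = rule.get("src", [])
        # Each dst entry is "target:ports"; the port list follows the last colon.
        dsts = [d.rpartition(":") for d in rule.get("dst", [])]
        targets = [target for target, _, _ in dsts]
        # Wildcard source combined with a wildcard target and wildcard ports.
        if "*" in srcs and any(t == "*" and p == "*" for t, _, p in dsts):
            findings.append((i, "allows any source to any destination and port"))
        # Tags and groups used in a rule must be declared elsewhere in the policy.
        for name in srcs + targets:
            if name.startswith("tag:") and name not in tags:
                findings.append((i, f"{name} has no tagOwners entry"))
            elif name.startswith("group:") and name not in groups:
                findings.append((i, f"{name} is not defined in groups"))
    return findings


if __name__ == "__main__":
    for index, finding in lint_policy(SAMPLE_POLICY):
        print(f"acls[{index}]: {finding}")
```

A non-empty result is a reason to stop before apply --yes in automation and send the change back for review.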

Offboard a device

weave tailscale find device <hostname>
weave tailscale do delete <device-id> --yes

Retag a node for policy segmentation

weave tailscale list devices
weave tailscale do tag <device-id> tag:servers --yes

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

| Terraform resource | weave equivalent |
| --- | --- |
| tailscale_acl | weave tailscale snapshot/diff/apply acl |
| tailscale_device | weave tailscale find/list device + do delete / tag / expire-key |
| tailscale_tailnet_key | weave tailscale list key |
| tailscale_dns_nameservers / dns_preferences | Not exposed yet — ACL document only today. DNS prefs planned; ACL is the primary declarative surface. |

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including TAILSCALE_API_KEY) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave tailscale diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.