til

Tailscale on Talos (Day 38)

Getting Tailscale running on Talos nodes.

Vince

13 Jul 2025 — 1 min read

Photo by Devon MacKay / Unsplash

Tailscale Extension

First, add the Tailscale system extension to your Talos configuration:

# extensions.yaml
customization:
  systemExtensions:
    officialExtensions:
      - siderolabs/tailscale

Build a custom Talos image with the extension:

# Generate custom image with Tailscale extension
curl -X POST --data-binary @extensions.yaml https://factory.talos.dev/schematics

# Returns a schematic ID like: 8cdf4cd0a3a9fa4771aab65437032804940f2115b1b1ef6872274dde261fa319

Upgrade your Talos nodes to use the custom image:

# Upgrade node with the new image (talosctl manages the Talos OS lifecycle)
talosctl upgrade --preserve --nodes 10.30.30.155 \
  --image factory.talos.dev/installer/8cdf4cd0a3a9fa4771aab65437032804940f2115b1b1ef6872274dde261fa319:v1.10.4

Tailscale Configuration

Configure Tailscale with your auth key (SOPS-encrypted for security):

# tailscale-config.yaml (decrypted view)
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: tailscale
environment:
    - TS_AUTHKEY=tskey-auth-<your-key-here>  # Your Tailscale auth key
    - TS_EXTRA_ARGS=--accept-routes --reset  # Accept subnet routes and reset on conflicts

Apply the configuration to your node:

# Patch machine config to add Tailscale configuration
talosctl -n 10.30.30.155 -e 10.30.30.155 patch mc -p @tailscale-config.yaml

After applying, Tailscale will start automatically and connect your Talos node to your tailnet. The node will appear in your Tailscale admin console with its hostname.

SOPS Encryption

The actual tailscale-config.yaml is SOPS-encrypted to protect the auth key:

# Encrypt your config
sops -e tailscale-config.yaml > tailscale-config.enc.yaml

# Decrypt when applying
sops -d tailscale-config.enc.yaml | talosctl -n <node> patch mc -p -

This keeps the Tailscale auth keys secure when checked in on git.

Joining a non-Talos node to a Talos cluster (Day 39)

How to add non-Talos nodes to a Talos cluster with HAProxy for KubePrism compatibility.

Terraform Provider in Rust (Day 36-37)

From terragrunt hooks to a Rust Terraform provider to replace hacky workarounds for OIDC realm configuration in Proxmox.

Proxmox OIDC integration and terragrunt hooks (Day 36)

Turns out the Telmate Proxmox provider doesn't have resource support for creating authentication realms or configuring OIDC. But since Proxmox has a REST API, I could work around the provider limitations, and so I ended up with: terraform { source = "." after_hook "create_realm" { commands

Authentik OAuth2 with Terraform (Day 35)

I recently started using Authentik to provide auth for my services and applications in the homelab. Authentik is an open-source identity provider that supports OAuth2, SAML, and more, and comes with a Terraform provider, so naturally, I defaulted to managing everything that way. This means I no longer need to