
@john/tailscale

v2026.03.02.1

Tailscale tailnet management — 10 model types covering devices, users, ACLs, DNS, auth keys, webhooks, settings, contacts, posture, and log config. 22 workflows for device inventory, user lifecycle, ACL audit, security audit, compliance, incident response, monitoring, and more. Fix: OAuth token cache now keys on credentials so different tailnets/OAuth clients no longer share tokens.

Labels

tailscale, networking, vpn, security

Install

$ swamp extension pull @john/tailscale

tailscale/posture.ts v2026.02.28.1
list: List all posture integrations. Produces one resource instance per integration (factory pattern).
get: Get a posture integration by ID.
    Argument | Type | Description
    integrationId | string | Posture integration ID
create: Create a new posture integration.
    Argument | Type | Description
    provider | string | Provider name
    cloudId | string |
    clientId | string |
    tenantId | string |
update: Update a posture integration.
    Argument | Type | Description
    integrationId | string | Posture integration ID
    cloudId | string |
    clientId | string |
    tenantId | string |
delete: Delete a posture integration.

tailscale/contact.ts v2026.02.28.1
get: Get tailnet contact information.
update: Update a contact email. A verification email will be sent if the address changes.
    Argument | Type | Description
    email | string | New email address

tailscale/tailnet_settings.ts v2026.02.28.1
get: Get current tailnet settings.
update: Update tailnet settings (partial update).
    Argument | Type | Description
    devicesApprovalOn | boolean |
    devicesAutoUpdatesOn | boolean |
    devicesKeyDurationDays | number |
    usersApprovalOn | boolean |
    usersRoleAllowedToJoinExternalTailnets | string |
    networkFlowLoggingOn | boolean |
    regionalRoutingOn | boolean |
    postureIdentityCollectionOn | boolean |

tailscale/acl.ts v2026.02.28.1
get: Get the current ACL policy as JSON.
getRaw: Get the current ACL policy as HuJSON (raw text).
set: Set the ACL policy. Optionally provide an ETag for conditional update.
validate: Validate an ACL policy without applying it.

tailscale/log_config.ts v2026.02.28.1
get: Get log streaming configuration for a log type.
set: Set log streaming configuration for a log type.
delete: Delete log streaming configuration for a log type.

tailscale/device.ts v2026.02.28.1
list: List all devices in the tailnet. Produces one resource instance per device (factory pattern).
get: Get a single device by ID.
    Argument | Type | Description
    deviceId | string | Device ID
delete: Delete a device from the tailnet.
    Argument | Type | Description
    deviceId | string | Device ID to delete
authorize: Authorize or deauthorize a device.
    Argument | Type | Description
    deviceId | string | Device ID
setTags: Set ACL tags on a device.
    Argument | Type | Description
    deviceId | string | Device ID
setKey: Set key expiry properties on a device (enable/disable key expiry).
    Argument | Type | Description
    deviceId | string | Device ID
setRoutes: Set subnet routes for a device.
    Argument | Type | Description
    deviceId | string | Device ID
getRoutes: Get advertised and enabled subnet routes for a device.
    Argument | Type | Description
    deviceId | string | Device ID
setName: Rename a device.
    Argument | Type | Description
    deviceId | string | Device ID
    name | string | New device name (FQDN)
setIPv4: Set the Tailscale IPv4 address of a device.
    Argument | Type | Description
    deviceId | string | Device ID
    ipv4 | string | New IPv4 address
getPosture: Get posture attributes for a device.
    Argument | Type | Description
    deviceId | string | Device ID

Resources

device — Tailscale device
routes — Device subnet routes (advertised and enabled)

tailscale/webhook.ts v2026.02.28.1
list: List all webhooks in the tailnet. Produces one resource instance per webhook (factory pattern).
get: Get a single webhook by endpoint ID.
    Argument | Type | Description
    endpointId | string | Webhook endpoint ID
create: Create a new webhook.
    Argument | Type | Description
    endpointUrl | string | URL to receive webhook events
update: Update a webhook.
    Argument | Type | Description
    endpointId | string | Webhook endpoint ID
delete: Delete a webhook.
    Argument | Type | Description
    endpointId | string | Webhook endpoint ID to delete
test: Send a test event to a webhook.
    Argument | Type | Description
    endpointId | string | Webhook endpoint ID to test
rotateSecret: Rotate the secret for a webhook.

tailscale/dns.ts v2026.02.28.1
getNameservers: Get DNS nameservers for the tailnet.
setNameservers: Set DNS nameservers for the tailnet.
getSearchPaths: Get DNS search paths for the tailnet.
setSearchPaths: Set DNS search paths for the tailnet.
getPreferences: Get DNS preferences (MagicDNS status).
setPreferences: Enable or disable MagicDNS.
getSplitDns: Get split DNS configuration.
setSplitDns: Set split DNS configuration (full replace).
updateSplitDns: Partially update split DNS configuration.

Resources

nameservers — DNS nameservers configured for the tailnet
searchPaths — DNS search paths configured for the tailnet
preferences — DNS preferences (MagicDNS status)

tailscale/user.ts v2026.02.28.1
list: List all users in the tailnet. Produces one resource instance per user (factory pattern).
get: Get a single user by ID.
    Argument | Type | Description
    userId | string | User ID
approve: Approve a pending user.
    Argument | Type | Description
    userId | string | User ID to approve
suspend: Suspend a user.
    Argument | Type | Description
    userId | string | User ID to suspend
restore: Restore a suspended user.
    Argument | Type | Description
    userId | string | User ID to restore
delete: Delete a user from the tailnet.
    Argument | Type | Description
    userId | string | User ID to delete
setRole: Update a user
    Argument | Type | Description
    userId | string | User ID

tailscale/auth_key.ts v2026.02.28.1
list: List all auth keys in the tailnet. Produces one resource instance per key (factory pattern).
get: Get an auth key by ID.
    Argument | Type | Description
    keyId | string | Auth key ID
create: Create a new auth key.
delete: Delete an auth key.
    Argument | Type | Description
    keyId | string | Auth key ID to delete

user-onboard (03ceb53d-0eb8-4aaa-8d16-117d20984a61)

Onboard a new user — approve them and create a pre-authorized auth key

onboard: Approve the user and generate an auth key for their devices
    1. approve-user — Approve the pending user
    2. create-key — Create a pre-authorized auth key for the new user

user-offboard (bf49eb37-9974-4c99-b54c-55c7c9115acb)

Offboard a user — suspend them and list their devices for cleanup

offboard: Suspend the user and discover their devices
    1. suspend-user — Suspend the user account
    2. list-devices — List all devices to identify those belonging to the suspended user

acl-audit (fac4883d-5945-4593-83a1-e4b3e3d0c6a6)

Full ACL audit — collect the current ACL policy, all devices, and all users for cross-referencing

collect: Gather ACL policy, devices, and users for audit analysis
    1. get-acl — Fetch the current ACL policy
    2. list-devices — List all devices for cross-referencing with ACL rules
    3. list-users — List all users for cross-referencing with ACL groups

device-authorize (939acc93-d489-4428-bc1a-4d14678ae12b)

Authorize a pending device to join the tailnet

authorize: Authorize the specified device
    1. authorize-device — Set the device as authorized

dns-overview (2995ca75-98d6-4c21-8ef4-55bb91e6d8d9)

Complete DNS configuration snapshot — nameservers, search paths, MagicDNS preferences, and split DNS

collect: Gather all DNS configuration from the tailnet
    1. nameservers — Fetch configured DNS nameservers
    2. search-paths — Fetch DNS search paths
    3. preferences — Fetch MagicDNS preferences
    4. split-dns — Fetch split DNS configuration

tailnet-overview (0665d0c1-efce-4ead-84f7-e2b359319580)

Complete tailnet summary — devices, users, DNS nameservers, ACL policy, and tailnet settings

overview: Collect all tailnet resources for a comprehensive overview
    1. list-devices — Fetch all devices in the tailnet
    2. list-users — Fetch all users in the tailnet
    3. get-nameservers — Fetch DNS nameserver configuration
    4. get-acl — Fetch the current ACL policy
    5. get-settings — Fetch tailnet settings

device-posture-audit (eccbaba1-896d-4c11-81d3-6e8aa8148403)

Collect posture data for all devices — discover the fleet and posture integrations, then gather posture attributes per device

discover: List all devices and posture integrations
    1. list-devices — Fetch all devices in the tailnet
    2. list-posture-integrations — Fetch all posture integration configurations
collect-posture: Collect posture attributes for each discovered device
    1. get-posture-${{ self.device.attributes.id }} — Get posture attributes for this device

stale-device-cleanup (4402a6ef-a48c-46d6-a00c-441ef7f2afc7)

Find all devices in the tailnet and quarantine stale ones — deauthorize and tag as stale

discover: List all devices in the tailnet for stale device identification
    1. list-devices — Fetch all devices with connectivity and last-seen info
quarantine: Deauthorize and tag each stale device
    1. deauthorize-${{ self.device }} — Deauthorize the stale device
    2. tag-stale-${{ self.device }} — Apply tag:stale to the device

enable-monitoring (db142c7e-c0ab-47d9-b1af-ae66b8157198)

Set up webhook monitoring and enable flow logging — configure log streaming, then create and test a webhook for security events

configure: Enable network flow logging and set up log streaming
    1. enable-flow-logging — Enable network flow logging in tailnet settings
    2. set-log-streaming — Configure network log streaming destination
setup-webhooks: Create a webhook for security events and send a test event
    1. create-webhook — Create webhook endpoint with security event subscriptions

webhook-setup (c68d9a67-3f7a-49ea-b1f7-0ee821df8bd8)

Create a new webhook and send a test event to verify delivery

setup: Create the webhook and verify with a test event
    1. create-webhook — Create the webhook endpoint with specified subscriptions

subnet-route-audit (80bcbc86-9d2a-42be-910a-6de068c05c54)

Audit all device subnet routes — discover devices then collect advertised and enabled routes for each

discover: List all devices in the tailnet
    1. list-devices — Fetch all devices to identify which ones to inspect
inspect-routes: Collect subnet routes for each discovered device
    1. get-routes-${{ self.device.attributes.id }} — Get advertised and enabled routes for this device

incident-response (2d2c1077-4c2e-4174-8b00-1df8853bd115)

Emergency device lockdown — deauthorize a suspect device, tag for investigation, collect routes and posture for forensics

lockdown: Deauthorize the device and tag it for investigation
    1. deauthorize — Immediately deauthorize the suspect device
    2. tag-investigation — Apply investigation tag to the locked-down device
forensics: Collect routes and posture data for forensic analysis
    1. collect-routes — Get subnet routes from the locked-down device
    2. collect-posture — Get posture attributes from the locked-down device

device-quarantine (e369531b-6cec-4119-a02e-457fe27486df)

Quarantine a device — deauthorize it and apply a quarantine tag

quarantine: Deauthorize the device and tag it as quarantined
    1. deauthorize — Revoke device authorization
    2. tag-quarantined — Apply tag:quarantined to the device

acl-update (d90fbfb6-3f0a-4d71-b096-7beb79c1e1d8)

Validate then apply ACL changes — validation must pass before the policy is set

validate: Validate the ACL policy without applying
    1. validate-acl — Run ACL validation against the Tailscale API
apply: Apply the validated ACL policy
    1. set-acl — Set the validated ACL policy

network-config-backup (b5d21856-81d7-4eae-94db-79064d0c434a)

Full network configuration export — DNS (nameservers, search paths, MagicDNS, split DNS), ACL (JSON + raw HuJSON), and tailnet settings

backup: Collect all network configuration in parallel
    1. get-nameservers — Fetch DNS nameserver configuration
    2. get-search-paths — Fetch DNS search path configuration
    3. get-dns-preferences — Fetch DNS preferences including MagicDNS status
    4. get-split-dns — Fetch split DNS configuration
    5. get-acl-json — Fetch the current ACL policy as JSON
    6. get-acl-raw — Fetch the current ACL policy as raw HuJSON
    7. get-settings — Fetch tailnet settings

compliance-snapshot (c1f67910-2344-499b-9deb-deb20a300267)

Full compliance data collection — tailnet settings, contacts, ACL policy, posture integrations, log config, all users, and all devices

collect: Gather all compliance-relevant data in parallel
    1. get-settings — Fetch tailnet settings for compliance review
    2. get-contacts — Fetch tailnet contact information
    3. get-acl — Fetch the current ACL policy
    4. list-posture — Fetch all posture integrations
    5. get-network-log-config — Fetch network log streaming configuration
    6. list-users — Fetch all users for compliance review
    7. list-devices — Fetch all devices for compliance review

full-user-offboard (3a730a3a-5f96-4967-a7fe-0f2c1bb15072)

Complete user offboarding — suspend the user, snapshot ACL, list all devices and auth keys, then fetch device details for cleanup

lockout: Suspend the user immediately
    1. suspend-user — Suspend the user account to revoke access
audit-collect: Collect all data needed for cleanup and compliance
    1. snapshot-acl — Snapshot the ACL policy for audit record
    2. list-devices — List all devices to identify the offboarded user's devices
    3. list-keys — List all auth keys to find keys created by the user
    4. get-settings — Capture tailnet settings for compliance record
device-detail: Fetch full details for each device to identify the offboarded user's devices
    1. get-device-${{ self.device.attributes.id }} — Fetch full device details

security-audit (21b4d635-da69-4d18-a050-2e82c4e2f8fc)

Full security posture audit — devices, users, ACL policy, webhooks, and tailnet settings

collect: Gather all security-relevant resources from the tailnet
    1. list-devices — Fetch all devices to check authorization status, key expiry, and tags
    2. list-users — Fetch all users to check roles and approval status
    3. get-acl — Fetch the ACL policy for rule analysis
    4. list-webhooks — Fetch webhooks to verify security event monitoring
    5. get-settings — Fetch tailnet settings to verify security configuration

full-user-onboard (5f948494-3568-4aa1-93dc-51665d028007)

Complete user onboarding — snapshot ACL and settings for audit trail, approve the user, set their role, create a pre-authorized auth key, then verify

baseline: Snapshot current state before making changes (audit trail)
    1. snapshot-acl — Snapshot the current ACL policy before onboarding changes
    2. get-settings — Capture current tailnet settings
    3. list-webhooks — List existing webhooks for reference
provision: Approve the user, set their role, and create an auth key
    1. approve-user — Approve the pending user account
    2. set-role — Set the user's role
    3. create-auth-key — Create a pre-authorized ephemeral auth key for the user's first device
verify: Verify the onboarding completed successfully
    1. list-users — Re-list users to confirm the new user is active

key-rotation (61c96c57-4dc4-4612-ab5f-c3a5bdf66a34)

Rotate auth keys — list existing keys and create a new replacement key

rotate: List current keys and create a new key
    1. list-keys — List all existing auth keys to review before rotation
    2. create-new-key — Create a new pre-authorized auth key

user-access-review (86bc7c06-40af-461b-8b27-515a217273a9)

User access review — collect all users, devices, ACL policy, and auth keys, then fetch full profiles for each user

collect: List users, devices, ACL, and auth keys in parallel
    1. list-users — Fetch all users in the tailnet
    2. list-devices — Fetch all devices for cross-referencing with users
    3. get-acl — Fetch the ACL policy for access rule analysis
    4. list-keys — Fetch all auth keys to identify key ownership
detail: Fetch full profile for each discovered user
    1. get-user-${{ self.user.attributes.id }} — Fetch full user profile

device-inventory (a9b72570-66a9-42d2-bd26-5fe746115d8e)

Discover all devices in the tailnet — hostname, OS, user, authorization status, tags, connectivity, and key expiry

discover: List all devices in the tailnet
    1. list-devices — Fetch all devices with their status, tags, and connectivity info