Fix idempotency issues in playbook and tailscale_serve role

- Add tags to pre_tasks so they only run when relevant roles are included
- Make tailscale_serve idempotent by checking serve status JSON before
  configuring services (skips if already configured)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/playbooks/indri.yml

@@ -5,6 +5,7 @@
   # Fetch all 1Password credentials upfront to minimize prompts
   # Each role also fetches its own credentials (with 'when: <var> is not defined')
   # so they still work when running with --tags
+  # Tags ensure pre_tasks only run when relevant roles are included
   pre_tasks:
     - name: Fetch PostgreSQL superuser password
       ansible.builtin.command:
@@ -13,11 +14,13 @@
       register: _pg_superuser_pw
       changed_when: false
       no_log: true
+      tags: [postgresql]
 
     - name: Set PostgreSQL superuser password fact
       ansible.builtin.set_fact:
         pg_superuser_password: "{{ _pg_superuser_pw.stdout }}"
       no_log: true
+      tags: [postgresql]
 
     - name: Fetch PostgreSQL alloy user password
       ansible.builtin.command:
@@ -26,11 +29,13 @@
       register: _pg_alloy_pw
       changed_when: false
       no_log: true
+      tags: [alloy, postgresql]
 
     - name: Set PostgreSQL alloy password fact
       ansible.builtin.set_fact:
         alloy_postgres_password: "{{ _pg_alloy_pw.stdout }}"
       no_log: true
+      tags: [alloy, postgresql]
 
     - name: Fetch miniflux database password
       ansible.builtin.command:
@@ -39,11 +44,13 @@
       register: _miniflux_db_pw
       changed_when: false
       no_log: true
+      tags: [miniflux, postgresql]
 
     - name: Set miniflux passwords fact
       ansible.builtin.set_fact:
         miniflux_db_password: "{{ _miniflux_db_pw.stdout }}"
       no_log: true
+      tags: [miniflux, postgresql]
 
     - name: Fetch borgmatic database password
       ansible.builtin.command:
@@ -52,6 +59,7 @@
       register: _borgmatic_db_pw
       changed_when: false
       no_log: true
+      tags: [postgresql]
 
     - name: Build PostgreSQL user password lookup
       ansible.builtin.set_fact:
@@ -60,6 +68,7 @@
           borgmatic: "{{ _borgmatic_db_pw.stdout }}"
           alloy: "{{ _pg_alloy_pw.stdout }}"
       no_log: true
+      tags: [postgresql]
 
   roles:
     - role: loki

ansible/roles/tailscale_serve/tasks/main.yml

@@ -4,22 +4,33 @@
   register: serve_status
   changed_when: false
 
+- name: Parse serve status
+  ansible.builtin.set_fact:
+    serve_config: "{{ (serve_status.stdout | from_json).Services | default({}) }}"
+
+# Configure HTTPS if service doesn't have Web config yet
 - name: Configure HTTPS services
   ansible.builtin.command: >
     tailscale serve --service="{{ item.name }}"
     --https={{ item.https.port }} {{ item.https.upstream }}
   loop: "{{ tailscale_services }}"
-  when: item.https is defined
+  when:
+    - item.https is defined
+    - serve_config[item.name] is not defined or serve_config[item.name].Web is not defined
   register: https_result
-  changed_when: "'already serving' not in https_result.stderr | default('')"
   failed_when: false
 
+# Configure TCP if service doesn't have the specific port configured yet
 - name: Configure TCP services
   ansible.builtin.command: >
     tailscale serve --service="{{ item.name }}"
     --tcp={{ item.tcp.port }} {{ item.tcp.upstream }}
   loop: "{{ tailscale_services }}"
-  when: item.tcp is defined
+  when:
+    - item.tcp is defined
+    - serve_config[item.name] is not defined or
+      serve_config[item.name].TCP is not defined or
+      serve_config[item.name].TCP[item.tcp.port | string] is not defined or
+      serve_config[item.name].TCP[item.tcp.port | string].TCPForward is not defined
   register: tcp_result
-  changed_when: "'already serving' not in tcp_result.stderr | default('')"
   failed_when: false