blumeops/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>mcquack.tailscale-ci-gateway</string>

    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>-c</string>
        <string><![CDATA[
# Stop and remove existing container if present
/usr/local/bin/docker stop {{ tailscale_ci_gateway_container_name }} 2>/dev/null || true
/usr/local/bin/docker rm {{ tailscale_ci_gateway_container_name }} 2>/dev/null || true

# Run the container (foreground so launchd manages lifecycle)
exec /usr/local/bin/docker run --rm \
  --name {{ tailscale_ci_gateway_container_name }} \
  --hostname {{ tailscale_ci_gateway_hostname }} \
  --network {{ tailscale_ci_gateway_network }} \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v {{ tailscale_ci_gateway_state_dir }}:/var/lib/tailscale \
  -e TS_AUTHKEY="{{ tailscale_ci_gateway_auth_key }}" \
  -e TS_STATE_DIR=/var/lib/tailscale \
  -e TS_USERSPACE=false \
  -e TS_ACCEPT_DNS=true \
  -e TS_EXTRA_ARGS="--accept-routes" \
  {{ tailscale_ci_gateway_image }}
]]></string>
    </array>

    <key>RunAtLoad</key>
    <true/>

    <key>KeepAlive</key>
    <true/>

    <key>StandardOutPath</key>
    <string>{{ ansible_env.HOME }}/Library/Logs/mcquack.tailscale-ci-gateway.out.log</string>

    <key>StandardErrorPath</key>
    <string>{{ ansible_env.HOME }}/Library/Logs/mcquack.tailscale-ci-gateway.err.log</string>
</dict>
</plist>