From 0f2a90ec8aa203ef6de7af3e66a84925da5747e2 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 21 Jul 2024 15:05:27 +0200 Subject: [PATCH] feat(inbucket): Expose on tailnet --- kubenix-modules/bootstrap-default.nix | 5 -- kubenix-modules/custom/default.nix | 1 - kubenix-modules/custom/nfs-volume.nix | 47 -------------- kubenix-modules/inbucket.nix | 88 +++++++++++++++++++++------ my-lib/globals.nix | 3 +- secrets/kubernetes.yaml | 6 +- 6 files changed, 77 insertions(+), 73 deletions(-) delete mode 100644 kubenix-modules/custom/nfs-volume.nix diff --git a/kubenix-modules/bootstrap-default.nix b/kubenix-modules/bootstrap-default.nix index e581c96..f1828b2 100644 --- a/kubenix-modules/bootstrap-default.nix +++ b/kubenix-modules/bootstrap-default.nix @@ -27,11 +27,6 @@ }; }; }; - - # argo-workflows = { - # chart = nixhelm.chartsDerivations.${system}.argoproj.argo-workflows; - # includeCRDs = true; - # }; }; resources = { diff --git a/kubenix-modules/custom/default.nix b/kubenix-modules/custom/default.nix index d21b916..a1dc536 100644 --- a/kubenix-modules/custom/default.nix +++ b/kubenix-modules/custom/default.nix @@ -2,6 +2,5 @@ imports = [ ./ingress.nix ./longhorn-volume.nix - ./nfs-volume.nix ]; } diff --git a/kubenix-modules/custom/nfs-volume.nix b/kubenix-modules/custom/nfs-volume.nix deleted file mode 100644 index 804cc7e..0000000 --- a/kubenix-modules/custom/nfs-volume.nix +++ /dev/null 
@@ -1,47 +0,0 @@ -{ lib, config, ... }: -let - nfsVolumeOpts = { name, ... }: { - options = { - path = lib.mkOption { - type = lib.types.str; - }; - }; - }; -in -{ - options = { - lab.nfsVolumes = lib.mkOption { - type = with lib.types; attrsOf (submodule nfsVolumeOpts); - default = { }; - }; - }; - - config = { - kubernetes.resources = { - persistentVolumes = builtins.mapAttrs - (name: nfsVolume: { - spec = { - capacity.storage = "1Mi"; - accessModes = [ "ReadWriteMany" ]; - - nfs = { - server = "lewis.dmz"; - path = "/mnt/longhorn/persistent/${nfsVolume.path}"; - }; - }; - }) - config.lab.nfsVolumes; - - persistentVolumeClaims = builtins.mapAttrs - (name: nfsVolume: { - spec = { - accessModes = [ "ReadWriteMany" ]; - storageClassName = ""; - resources.requests.storage = "1Mi"; - volumeName = name; - }; - }) - config.lab.nfsVolumes; - }; - }; -} diff --git a/kubenix-modules/inbucket.nix b/kubenix-modules/inbucket.nix index 80033f8..5e5b2b3 100644 --- a/kubenix-modules/inbucket.nix +++ b/kubenix-modules/inbucket.nix @@ -1,5 +1,42 @@ -{ myLib, ... }: { +{ myLib, ... }: +let + # TODO: make module of this. + tailscaleSecretName = "tailscale-auth"; + inbucketSAName = "inbucket"; +in +{ kubernetes.resources = { + secrets.${tailscaleSecretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey"; + + roles.tailscale.rules = [ + { + apiGroups = [ "" ]; + resources = [ "secrets" ]; + verbs = [ "create" ]; + } + { + apiGroups = [ "" ]; + resourceNames = [ tailscaleSecretName ]; + resources = [ "secrets" ]; + verbs = [ "get" "update" "patch" ]; + } + ]; + + roleBindings.inbucket-tailscale = { + subjects = [{ + kind = "ServiceAccount"; + name = inbucketSAName; + }]; + + roleRef = { + kind = "Role"; + name = "tailscale"; + apiGroup = "rbac.authorization.k8s.io"; + }; + }; + + serviceAccounts.${inbucketSAName} = { }; + deployments.inbucket.spec = { selector.matchLabels.app = "inbucket"; 
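Review bot: The `inbucket-tailscale` RoleBinding grants get/update/patch on the `tailscale-auth` Secret to the `inbucket` ServiceAccount, and a ServiceAccount is pod-scoped, so the inbucket container itself (not only the sidecar) can read the `TS_AUTHKEY` value and whatever sidecar state lands in that Secret; if that is accepted, record it with a comment such as `# NOTE: the inbucket container shares this ServiceAccount and can read/modify tailscale-auth.` next to `roleBindings.inbucket-tailscale`, and keep the auth key single-use and narrowly scoped so the exposure is bounded. The first Role rule additionally grants `create` on every Secret in the namespace even though `tailscale-auth` is created declaratively in this same hunk; if the sidecar only needs to update the existing Secret, that rule may be droppable — confirm against the sidecar's behaviour before removing it. `# TODO: make module of this.` is the only explanation of the tailscale wiring here; one line above `tailscaleSecretName` saying that the Secret carries the auth key and is rotated by the sidecar would help the next reader. The `kubernetes.resources` attribute set continues past the end of the hunk.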
@@ -7,12 +44,37 @@ metadata.labels.app = "inbucket"; spec = { - containers.inbucket = { - image = "inbucket/inbucket:edge"; + serviceAccountName = inbucketSAName; - ports = { - web.containerPort = 9000; - smtp.containerPort = 2500; + containers = { + inbucket = { + image = "inbucket/inbucket:edge"; + + env.INBUCKET_WEB_ADDR.value = "0.0.0.0:80"; + + ports = { + web.containerPort = 80; + smtp.containerPort = 2500; + }; + }; + + tailscale-sidecar = { + imagePullPolicy = "Always"; + image = "ghcr.io/tailscale/tailscale:latest"; + + env = { + TS_HOSTNAME.value = "inbucket"; + TS_KUBE_SECRET.value = tailscaleSecretName; + TS_USERSPACE.value = "false"; + TS_DEBUG_FIREWALL_MODE.value = "auto"; + TS_AUTHKEY.valueFrom.secretKeyRef = { + name = tailscaleSecretName; + key = "TS_AUTHKEY"; + optional = true; + }; + }; + + securityContext.capabilities.add = [ "NET_ADMIN" ]; }; }; }; @@ -21,6 +83,8 @@ services = { web.spec = { + type = "LoadBalancer"; + loadBalancerIP = myLib.globals.inbucketWebIPv4; selector.app = "inbucket"; ports.web = { @@ -31,7 +95,7 @@ email.spec = { type = "LoadBalancer"; - loadBalancerIP = myLib.globals.inbucketIPv4; + loadBalancerIP = myLib.globals.inbucketEmailIPv4; selector.app = "inbucket"; ports = [{ @@ -41,14 +105,4 @@ }; }; }; - - lab.ingresses.inbucket = { - host = "inbucket.kun.is"; - entrypoint = "localsecure"; - - service = { - name = "web"; - portName = "web"; - }; - }; } diff --git a/my-lib/globals.nix b/my-lib/globals.nix index e070cc1..049c883 100644 --- a/my-lib/globals.nix +++ b/my-lib/globals.nix @@ -8,7 +8,8 @@ bittorrentIPv4 = "192.168.30.133"; gitIPv4 = "192.168.30.132"; piholeIPv4 = "192.168.30.131"; - inbucketIPv4 = "192.168.30.130"; + inbucketEmailIPv4 = "192.168.30.130"; kmsIPv4 = "192.168.30.129"; traefikIPv4 = "192.168.30.128"; + inbucketWebIPv4 = "192.168.30.137"; } diff --git a/secrets/kubernetes.yaml b/secrets/kubernetes.yaml index 6fa7adf..a3847d3 100644 --- a/secrets/kubernetes.yaml +++ b/secrets/kubernetes.yaml 
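Review bot: The new `tailscale-sidecar` container runs with `NET_ADMIN` yet pulls `ghcr.io/tailscale/tailscale:latest` with `imagePullPolicy = "Always"`, so any pod restart may silently switch the privileged sidecar to whatever image the mutable tag currently points at; pin it, e.g. `image = "ghcr.io/tailscale/tailscale:<PINNED_VERSION_OR_DIGEST>";`, and drop the `Always` policy. The `TS_AUTHKEY` secretKeyRef is marked `optional = true`, so a missing or misnamed key produces a sidecar that starts but never joins the tailnet instead of a failed pod; unless booting without a key is intended (for instance once the key has been consumed), `optional = false` would surface the misconfiguration at deploy time. `INBUCKET_WEB_ADDR = 0.0.0.0:80` also moves the web listener to a privileged port, and whether the `inbucket/inbucket:edge` image runs as a user allowed to bind 80 is not visible here — worth confirming. The `deployments.inbucket.spec` attribute set this hunk edits starts before the hunk.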
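Review bot: Turning `web.spec` into a `LoadBalancer` on `myLib.globals.inbucketWebIPv4` publishes the inbucket web UI as plain HTTP on a LAN address, whereas the `lab.ingresses.inbucket` entry this commit removes served it through the `localsecure` entrypoint; since the tailscale sidecar already provides the tailnet path that the commit title describes, the added LoadBalancer looks like a second, unencrypted exposure of the same UI. If it is intended, a comment such as `# Plain-HTTP LAN exposure of the web UI, in addition to the tailnet; no TLS here.` above `type = "LoadBalancer";` would record the decision; otherwise the two added lines can go and `web` can stay cluster-internal. The `ports.web` block of `web.spec` continues past the end of the hunk.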
@@ -26,6 +26,8 @@ atuin:
 databasePassword: ENC[AES256_GCM,data:qfWOmFfBOuguOfb1Z51F527ic3o=,iv:4Yx5rpzZHzRlfvZydcBNFRStEO0P4uIcjDqxgRgQmHE=,tag:pbJXcUdvul7nCrXQ9ylAdQ==,type:str]
 immich:
 databasePassword: ENC[AES256_GCM,data:fZtGYiHOhYjdzBxaSdnstjlOAJE=,iv:YV+o4upajDHtwWSU6Z9h3Ncl9fXbo65KT6YMqlh2evY=,tag:BWLRc3bdnS9M70jC3SZXlA==,type:str]
+tailscale:
+ authKey: ENC[AES256_GCM,data:pBbrL6/HVxDgvEeVHdnH6O3YsUB4tpRCO7SacYxSunDcMg8xcIXWWx1Zt65z9hcMcW/2AZbXC8mh+UPBRw==,iv:tTXdEAgCAHL46nN6yO0QNwJ0DUltAmQ/359TzuqXrpI=,tag:F7DtCigCRhdPBgMK3ZzV7g==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -50,8 +52,8 @@ sops:
 aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP
 Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-07-16T16:10:38Z"
- mac: ENC[AES256_GCM,data:VL8fsI2LWvXttPJDi+3TVBec/Ot4CFSM8MWVWu81YJAkG0V7FpUcmJ44PaaknzyISpZGo5hmpJOx8c/ad3CO5Mq1ZIGCf/vyN6iGHFD3tEOsxlp4puJcsoNgM2my5tQ7mRjNZrvgrmoDYinsFRHT+u0DWOcL8A8g8fLOOd/T5KA=,iv:KRW+aFyyYd/S9SMA19GiTQqDyk4b9CdgL5fNqvG9Kew=,tag:8sCbi0s4SJa38sX00qKb8g==,type:str]
+ lastmodified: "2024-07-18T09:03:54Z"
+ mac: ENC[AES256_GCM,data:BEgztutw7barzGcbx5hkfAnauPv2H4nvwZM5iUfPJcjOkPsKTVwYAcdDdJE8wL2Nc9b4iIGSRwf9fwizyaerPR6SFt1zNHgbQz0DbUz+j/bUIXwKBSQNgK0KjiX8ONyFK62OxAhEa600OUV0cqWURUwRl+F8fRQSqQCvKuREVyE=,iv:ZMj4NAVI94bM/HwYSkZIN9hRPXWR1miIld57EeC+ckk=,tag:wy2ENtExu2mtpFPc/jy+nw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1