feat(inbucket): Expose on tailnet

Pim Kunis 2024-07-21 15:05:27 +02:00
parent 835aea667c
commit 0f2a90ec8a
6 changed files with 77 additions and 73 deletions


@ -27,11 +27,6 @@
};
};
};
# argo-workflows = {
# chart = nixhelm.chartsDerivations.${system}.argoproj.argo-workflows;
# includeCRDs = true;
# };
};
resources = {


@ -2,6 +2,5 @@
imports = [
./ingress.nix
./longhorn-volume.nix
./nfs-volume.nix
];
}


@ -1,47 +0,0 @@
{ lib, config, ... }:
let
nfsVolumeOpts = { name, ... }: {
options = {
path = lib.mkOption {
type = lib.types.str;
};
};
};
in
{
options = {
lab.nfsVolumes = lib.mkOption {
type = with lib.types; attrsOf (submodule nfsVolumeOpts);
default = { };
};
};
config = {
kubernetes.resources = {
persistentVolumes = builtins.mapAttrs
(name: nfsVolume: {
spec = {
capacity.storage = "1Mi";
accessModes = [ "ReadWriteMany" ];
nfs = {
server = "lewis.dmz";
path = "/mnt/longhorn/persistent/${nfsVolume.path}";
};
};
})
config.lab.nfsVolumes;
persistentVolumeClaims = builtins.mapAttrs
(name: nfsVolume: {
spec = {
accessModes = [ "ReadWriteMany" ];
storageClassName = "";
resources.requests.storage = "1Mi";
volumeName = name;
};
})
config.lab.nfsVolumes;
};
};
}


@ -1,5 +1,42 @@
{ myLib, ... }: {
{ myLib, ... }:
let
# TODO: make module of this.
tailscaleSecretName = "tailscale-auth";
inbucketSAName = "inbucket";
in
{
kubernetes.resources = {
secrets.${tailscaleSecretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey";
roles.tailscale.rules = [
{
apiGroups = [ "" ];
resources = [ "secrets" ];
verbs = [ "create" ];
}
{
apiGroups = [ "" ];
resourceNames = [ tailscaleSecretName ];
resources = [ "secrets" ];
verbs = [ "get" "update" "patch" ];
}
];
roleBindings.inbucket-tailscale = {
subjects = [{
kind = "ServiceAccount";
name = inbucketSAName;
}];
roleRef = {
kind = "Role";
name = "tailscale";
apiGroup = "rbac.authorization.k8s.io";
};
};
serviceAccounts.${inbucketSAName} = { };
deployments.inbucket.spec = {
selector.matchLabels.app = "inbucket";
@ -7,12 +44,37 @@
metadata.labels.app = "inbucket";
spec = {
containers.inbucket = {
image = "inbucket/inbucket:edge";
serviceAccountName = inbucketSAName;
ports = {
web.containerPort = 9000;
smtp.containerPort = 2500;
containers = {
inbucket = {
image = "inbucket/inbucket:edge";
env.INBUCKET_WEB_ADDR.value = "0.0.0.0:80";
ports = {
web.containerPort = 80;
smtp.containerPort = 2500;
};
};
tailscale-sidecar = {
imagePullPolicy = "Always";
image = "ghcr.io/tailscale/tailscale:latest";
env = {
TS_HOSTNAME.value = "inbucket";
TS_KUBE_SECRET.value = tailscaleSecretName;
TS_USERSPACE.value = "false";
TS_DEBUG_FIREWALL_MODE.value = "auto";
TS_AUTHKEY.valueFrom.secretKeyRef = {
name = tailscaleSecretName;
key = "TS_AUTHKEY";
optional = true;
};
};
securityContext.capabilities.add = [ "NET_ADMIN" ];
};
};
};
@ -21,6 +83,8 @@
services = {
web.spec = {
type = "LoadBalancer";
loadBalancerIP = myLib.globals.inbucketWebIPv4;
selector.app = "inbucket";
ports.web = {
@ -31,7 +95,7 @@
email.spec = {
type = "LoadBalancer";
loadBalancerIP = myLib.globals.inbucketIPv4;
loadBalancerIP = myLib.globals.inbucketEmailIPv4;
selector.app = "inbucket";
ports = [{
@ -41,14 +105,4 @@
};
};
};
lab.ingresses.inbucket = {
host = "inbucket.kun.is";
entrypoint = "localsecure";
service = {
name = "web";
portName = "web";
};
};
}
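Review bot: The `roles.tailscale` rules grant `create` on every secret in the namespace (the first rule carries no `resourceNames`, which Kubernetes cannot enforce for create anyway), and `roleBindings.inbucket-tailscale` binds that role to the `inbucket` service account that `serviceAccountName` appears to set for the whole pod, so the inbucket application container receives a token with the same secret-writing rights as the sidecar. Consider `automountServiceAccountToken = false;` on the pod spec and mounting a projected `serviceAccountToken` volume only into `tailscale-sidecar`, so the mail-capturing container cannot use the RBAC grant if it is compromised. Separately, `image = "ghcr.io/tailscale/tailscale:latest"` together with `imagePullPolicy = "Always"` re-resolves a mutable tag on every pod start; pinning to a release tag or digest, e.g. `image = "ghcr.io/tailscale/tailscale:<version>@sha256:<digest>";` (placeholders), keeps the NET_ADMIN sidecar's supply chain reproducible. A comment such as `# NET_ADMIN is needed because TS_USERSPACE = "false" runs tailscaled in kernel mode` next to the `securityContext.capabilities.add` line would document why the capability is granted.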