home/nixos-servers
home/nixos-servers
2
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

feat(inbucket): Expose on tailnet

Browse source
This commit is contained in:
Pim Kunis 2024-07-21 15:05:27 +02:00
parent 835aea667c
commit 0f2a90ec8a
6 changed files with 77 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
kubenix-modules/bootstrap-default.nix
View file

@ -27,11 +27,6 @@
}; };
}; };
}; };
# argo-workflows = {
# chart = nixhelm.chartsDerivations.${system}.argoproj.argo-workflows;
# includeCRDs = true;
# };
}; };
resources = { resources = {

1
kubenix-modules/custom/default.nix
View file

@ -2,6 +2,5 @@
imports = [ imports = [
./ingress.nix ./ingress.nix
./longhorn-volume.nix ./longhorn-volume.nix
./nfs-volume.nix
]; ];
} }

47
kubenix-modules/custom/nfs-volume.nix
View file

@ -1,47 +0,0 @@
{ lib, config, ... }:
let
nfsVolumeOpts = { name, ... }: {
options = {
path = lib.mkOption {
type = lib.types.str;
};
};
};
in
{
options = {
lab.nfsVolumes = lib.mkOption {
type = with lib.types; attrsOf (submodule nfsVolumeOpts);
default = { };
};
};
config = {
kubernetes.resources = {
persistentVolumes = builtins.mapAttrs
(name: nfsVolume: {
spec = {
capacity.storage = "1Mi";
accessModes = [ "ReadWriteMany" ];
nfs = {
server = "lewis.dmz";
path = "/mnt/longhorn/persistent/${nfsVolume.path}";
};
};
})
config.lab.nfsVolumes;
persistentVolumeClaims = builtins.mapAttrs
(name: nfsVolume: {
spec = {
accessModes = [ "ReadWriteMany" ];
storageClassName = "";
resources.requests.storage = "1Mi";
volumeName = name;
};
})
config.lab.nfsVolumes;
};
};
}

88
kubenix-modules/inbucket.nix
View file

@ -1,5 +1,42 @@
{ myLib, ... }: { { myLib, ... }:
let
# TODO: make module of this.
tailscaleSecretName = "tailscale-auth";
inbucketSAName = "inbucket";
in
{
kubernetes.resources = { kubernetes.resources = {
secrets.${tailscaleSecretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey";
roles.tailscale.rules = [
{
apiGroups = [ "" ];
resources = [ "secrets" ];
verbs = [ "create" ];
}
{
apiGroups = [ "" ];
resourceNames = [ tailscaleSecretName ];
resources = [ "secrets" ];
verbs = [ "get" "update" "patch" ];
}
];
roleBindings.inbucket-tailscale = {
subjects = [{
kind = "ServiceAccount";
name = inbucketSAName;
}];
roleRef = {
kind = "Role";
name = "tailscale";
apiGroup = "rbac.authorization.k8s.io";
};
};
serviceAccounts.${inbucketSAName} = { };
deployments.inbucket.spec = { deployments.inbucket.spec = {
selector.matchLabels.app = "inbucket"; selector.matchLabels.app = "inbucket";
@ -7,12 +44,37 @@
metadata.labels.app = "inbucket"; metadata.labels.app = "inbucket";
spec = { spec = {
containers.inbucket = { serviceAccountName = inbucketSAName;
image = "inbucket/inbucket:edge";
ports = { containers = {
web.containerPort = 9000; inbucket = {
smtp.containerPort = 2500; image = "inbucket/inbucket:edge";
env.INBUCKET_WEB_ADDR.value = "0.0.0.0:80";
ports = {
web.containerPort = 80;
smtp.containerPort = 2500;
};
};
tailscale-sidecar = {
imagePullPolicy = "Always";
image = "ghcr.io/tailscale/tailscale:latest";
env = {
TS_HOSTNAME.value = "inbucket";
TS_KUBE_SECRET.value = tailscaleSecretName;
TS_USERSPACE.value = "false";
TS_DEBUG_FIREWALL_MODE.value = "auto";
TS_AUTHKEY.valueFrom.secretKeyRef = {
name = tailscaleSecretName;
key = "TS_AUTHKEY";
optional = true;
};
};
securityContext.capabilities.add = [ "NET_ADMIN" ];
}; };
}; };
}; };
@ -21,6 +83,8 @@
services = { services = {
web.spec = { web.spec = {
type = "LoadBalancer";
loadBalancerIP = myLib.globals.inbucketWebIPv4;
selector.app = "inbucket"; selector.app = "inbucket";
ports.web = { ports.web = {
@ -31,7 +95,7 @@
email.spec = { email.spec = {
type = "LoadBalancer"; type = "LoadBalancer";
loadBalancerIP = myLib.globals.inbucketIPv4; loadBalancerIP = myLib.globals.inbucketEmailIPv4;
selector.app = "inbucket"; selector.app = "inbucket";
ports = [{ ports = [{
@ -41,14 +105,4 @@
}; };
}; };
}; };
lab.ingresses.inbucket = {
host = "inbucket.kun.is";
entrypoint = "localsecure";
service = {
name = "web";
portName = "web";
};
};
} }

3
my-lib/globals.nix
View file

@ -8,7 +8,8 @@
bittorrentIPv4 = "192.168.30.133"; bittorrentIPv4 = "192.168.30.133";
gitIPv4 = "192.168.30.132"; gitIPv4 = "192.168.30.132";
piholeIPv4 = "192.168.30.131"; piholeIPv4 = "192.168.30.131";
inbucketIPv4 = "192.168.30.130"; inbucketEmailIPv4 = "192.168.30.130";
kmsIPv4 = "192.168.30.129"; kmsIPv4 = "192.168.30.129";
traefikIPv4 = "192.168.30.128"; traefikIPv4 = "192.168.30.128";
inbucketWebIPv4 = "192.168.30.137";
} }

6
secrets/kubernetes.yaml
View file

@ -26,6 +26,8 @@ atuin:
databasePassword: ENC[AES256_GCM,data:qfWOmFfBOuguOfb1Z51F527ic3o=,iv:4Yx5rpzZHzRlfvZydcBNFRStEO0P4uIcjDqxgRgQmHE=,tag:pbJXcUdvul7nCrXQ9ylAdQ==,type:str] databasePassword: ENC[AES256_GCM,data:qfWOmFfBOuguOfb1Z51F527ic3o=,iv:4Yx5rpzZHzRlfvZydcBNFRStEO0P4uIcjDqxgRgQmHE=,tag:pbJXcUdvul7nCrXQ9ylAdQ==,type:str]
immich: immich:
databasePassword: ENC[AES256_GCM,data:fZtGYiHOhYjdzBxaSdnstjlOAJE=,iv:YV+o4upajDHtwWSU6Z9h3Ncl9fXbo65KT6YMqlh2evY=,tag:BWLRc3bdnS9M70jC3SZXlA==,type:str] databasePassword: ENC[AES256_GCM,data:fZtGYiHOhYjdzBxaSdnstjlOAJE=,iv:YV+o4upajDHtwWSU6Z9h3Ncl9fXbo65KT6YMqlh2evY=,tag:BWLRc3bdnS9M70jC3SZXlA==,type:str]
tailscale:
authKey: ENC[AES256_GCM,data:pBbrL6/HVxDgvEeVHdnH6O3YsUB4tpRCO7SacYxSunDcMg8xcIXWWx1Zt65z9hcMcW/2AZbXC8mh+UPBRw==,iv:tTXdEAgCAHL46nN6yO0QNwJ0DUltAmQ/359TzuqXrpI=,tag:F7DtCigCRhdPBgMK3ZzV7g==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -50,8 +52,8 @@ sops:
aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP
Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA== Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-16T16:10:38Z" lastmodified: "2024-07-18T09:03:54Z"
mac: ENC[AES256_GCM,data:VL8fsI2LWvXttPJDi+3TVBec/Ot4CFSM8MWVWu81YJAkG0V7FpUcmJ44PaaknzyISpZGo5hmpJOx8c/ad3CO5Mq1ZIGCf/vyN6iGHFD3tEOsxlp4puJcsoNgM2my5tQ7mRjNZrvgrmoDYinsFRHT+u0DWOcL8A8g8fLOOd/T5KA=,iv:KRW+aFyyYd/S9SMA19GiTQqDyk4b9CdgL5fNqvG9Kew=,tag:8sCbi0s4SJa38sX00qKb8g==,type:str] mac: ENC[AES256_GCM,data:BEgztutw7barzGcbx5hkfAnauPv2H4nvwZM5iUfPJcjOkPsKTVwYAcdDdJE8wL2Nc9b4iIGSRwf9fwizyaerPR6SFt1zNHgbQz0DbUz+j/bUIXwKBSQNgK0KjiX8ONyFK62OxAhEa600OUV0cqWURUwRl+F8fRQSqQCvKuREVyE=,iv:ZMj4NAVI94bM/HwYSkZIN9hRPXWR1miIld57EeC+ckk=,tag:wy2ENtExu2mtpFPc/jy+nw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1