refactor(tailscale): Modularize Tailscale k8s config

2024-07-21 16:26:21 +02:00 · 2024-07-21 16:26:21 +02:00 · 6f3a7a3c44
commit 6f3a7a3c44
parent 0f2a90ec8a
3 changed files with 101 additions and 57 deletions
--- a/kubenix-modules/custom/default.nix
+++ b/kubenix-modules/custom/default.nix
@ -2,5 +2,6 @@
  imports = [
    ./ingress.nix
    ./longhorn-volume.nix
+    ./tailscale.nix
  ];
 }
--- a/kubenix-modules/custom/tailscale.nix
+++ b/kubenix-modules/custom/tailscale.nix
@ -0,0 +1,91 @@
+{ lib, config, ... }:
+let
+  cfg = config.lab.tailscale;
+  secretName = "tailscale-auth";
+  roleName = "tailscale";
+  sidecarContainername = "tailscale-sidecar";
+in
+{
+  options = with lib.types; {
+    lab.tailscale = {
+      enable = lib.mkEnableOption "tailscale";
+
+      allowedServiceAccounts = lib.mkOption {
+        type = listOf str;
+
+        description = ''
+          Allow specified service accounts to manage Tailscale authentication.
+        '';
+      };
+
+      deploymentsWithSidecarContainers = lib.mkOption {
+        type = attrsOf (submodule ({ name, ... }: {
+          options.hostName = lib.mkOption { type = str; };
+        }));
+      };
+    };
+  };
+
+  config =
+    let
+      mkRoleBinding = name: {
+        name = "${name}-${roleName}";
+        value = {
+          subjects = [{
+            inherit name;
+            kind = "ServiceAccount";
+          }];
+
+          roleRef = {
+            kind = "Role";
+            name = roleName;
+            apiGroup = "rbac.authorization.k8s.io";
+          };
+        };
+      };
+
+      mkSidecarContainer = name: { hostName, ... }: {
+        spec.template.spec.containers.${sidecarContainername} = {
+          imagePullPolicy = "Always";
+          image = "ghcr.io/tailscale/tailscale:latest";
+
+          env = {
+            TS_HOSTNAME.value = hostName;
+            TS_KUBE_SECRET.value = secretName;
+            TS_USERSPACE.value = "false";
+            TS_DEBUG_FIREWALL_MODE.value = "auto";
+            TS_AUTHKEY.valueFrom.secretKeyRef = {
+              name = secretName;
+              key = "TS_AUTHKEY";
+              optional = true;
+            };
+          };
+
+          securityContext.capabilities.add = [ "NET_ADMIN" ];
+        };
+      };
+    in
+    {
+      kubernetes.resources = lib.mkIf cfg.enable {
+        secrets.${secretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey";
+
+        roles.${roleName}.rules = [
+          {
+            apiGroups = [ "" ];
+            resources = [ "secrets" ];
+            verbs = [ "create" ];
+          }
+          {
+            apiGroups = [ "" ];
+            resourceNames = [ secretName ];
+            resources = [ "secrets" ];
+            verbs = [ "get" "update" "patch" ];
+          }
+        ];
+
+        roleBindings = builtins.listToAttrs (map mkRoleBinding cfg.allowedServiceAccounts);
+
+        deployments = builtins.mapAttrs mkSidecarContainer cfg.deploymentsWithSidecarContainers;
+      };
+    };
+}
--- a/kubenix-modules/inbucket.nix
+++ b/kubenix-modules/inbucket.nix
@ -1,41 +1,6 @@
-{ myLib, ... }:
-let
-  # TODO: make module of this.
-  tailscaleSecretName = "tailscale-auth";
-  inbucketSAName = "inbucket";
-in
-{
+{ myLib, ... }: {
  kubernetes.resources = {
-    secrets.${tailscaleSecretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey";
-
-    roles.tailscale.rules = [
-      {
-        apiGroups = [ "" ];
-        resources = [ "secrets" ];
-        verbs = [ "create" ];
-      }
-      {
-        apiGroups = [ "" ];
-        resourceNames = [ tailscaleSecretName ];
-        resources = [ "secrets" ];
-        verbs = [ "get" "update" "patch" ];
-      }
-    ];
-
-    roleBindings.inbucket-tailscale = {
-      subjects = [{
-        kind = "ServiceAccount";
-        name = inbucketSAName;
-      }];
-
-      roleRef = {
-        kind = "Role";
-        name = "tailscale";
-        apiGroup = "rbac.authorization.k8s.io";
-      };
-    };
-
-    serviceAccounts.${inbucketSAName} = { };
+    serviceAccounts.inbucket = { };

    deployments.inbucket.spec = {
      selector.matchLabels.app = "inbucket";
@ -44,7 +9,7 @@ in
        metadata.labels.app = "inbucket";

        spec = {
-          serviceAccountName = inbucketSAName;
+          serviceAccountName = "inbucket";

          containers = {
            inbucket = {
@ -57,25 +22,6 @@ in
                smtp.containerPort = 2500;
              };
            };
-
-            tailscale-sidecar = {
-              imagePullPolicy = "Always";
-              image = "ghcr.io/tailscale/tailscale:latest";
-
-              env = {
-                TS_HOSTNAME.value = "inbucket";
-                TS_KUBE_SECRET.value = tailscaleSecretName;
-                TS_USERSPACE.value = "false";
-                TS_DEBUG_FIREWALL_MODE.value = "auto";
-                TS_AUTHKEY.valueFrom.secretKeyRef = {
-                  name = tailscaleSecretName;
-                  key = "TS_AUTHKEY";
-                  optional = true;
-                };
-              };
-
-              securityContext.capabilities.add = [ "NET_ADMIN" ];
-            };
          };
        };
      };
@ -105,4 +51,10 @@ in
      };
    };
  };
+
+  lab.tailscale = {
+    enable = true;
+    allowedServiceAccounts = [ "inbucket" ];
+    deploymentsWithSidecarContainers.inbucket.hostName = "inbucket";
+  };
 }