feat(tailscale): Install k8s operator

2024-07-21 19:47:22 +02:00 · 2024-07-21 19:47:22 +02:00 · cb6b883f6e
commit cb6b883f6e
parent 8fc6961362
7 changed files with 66 additions and 89 deletions
--- a/kubenix-modules/bootstrap-default.nix
+++ b/kubenix-modules/bootstrap-default.nix
@ -1,6 +1,5 @@
 { lib, nixhelm, system, machines, ... }: {
  kubernetes = {
-
    helm.releases = {
      metallb = {
        chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
@ -48,6 +47,7 @@
        dns = { };
        media = { };
        minecraft = { };
+        tailscale = { };
      };

      nodes =
--- a/kubenix-modules/custom/tailscale.nix
+++ b/kubenix-modules/custom/tailscale.nix
@ -1,91 +1,50 @@
-{ lib, config, ... }:
-let
-  cfg = config.lab.tailscale;
-  secretName = "tailscale-auth";
-  roleName = "tailscale";
-  sidecarContainername = "tailscale-sidecar";
-in
-{
+{ lib, config, ... }: {
  options = with lib.types; {
-    lab.tailscale = {
-      enable = lib.mkEnableOption "tailscale";
+    lab.tailscaleIngresses = lib.mkOption {
+      type = attrsOf (submodule {
+        options = {
+          host = lib.mkOption { type = str; };

-      allowedServiceAccounts = lib.mkOption {
-        type = listOf str;
+          service = {
+            name = lib.mkOption { type = str; };

-        description = ''
-          Allow specified service accounts to manage Tailscale authentication.
-        '';
-      };
-
-      deploymentsWithSidecarContainers = lib.mkOption {
-        type = attrsOf (submodule ({ name, ... }: {
-          options.hostName = lib.mkOption { type = str; };
-        }));
-      };
+            portName = lib.mkOption {
+              type = str;
+              default = "web";
+            };
+          };
+        };
+      });
    };
  };

  config =
    let
-      mkRoleBinding = name: {
-        name = "${name}-${roleName}";
-        value = {
-          subjects = [{
-            inherit name;
-            kind = "ServiceAccount";
+      cfg = config.lab.tailscaleIngresses;
+
+      mkTailscaleIngress = name: { host, service }: {
+        spec = {
+          ingressClassName = "tailscale";
+
+          rules = [{
+            http.paths = [{
+              path = "/";
+              pathType = "Prefix";
+
+              backend.service = {
+                name = service.name;
+                port.name = service.portName;
+              };
+            }];
          }];

-          roleRef = {
-            kind = "Role";
-            name = roleName;
-            apiGroup = "rbac.authorization.k8s.io";
-          };
-        };
-      };
-
-      mkSidecarContainer = name: { hostName, ... }: {
-        spec.template.spec.containers.${sidecarContainername} = {
-          imagePullPolicy = "Always";
-          image = "ghcr.io/tailscale/tailscale:latest";
-
-          env = {
-            TS_HOSTNAME.value = hostName;
-            TS_KUBE_SECRET.value = secretName;
-            TS_USERSPACE.value = "false";
-            TS_DEBUG_FIREWALL_MODE.value = "auto";
-            TS_AUTHKEY.valueFrom.secretKeyRef = {
-              name = secretName;
-              key = "TS_AUTHKEY";
-              optional = true;
-            };
-          };
-
-          securityContext.capabilities.add = [ "NET_ADMIN" ];
+          tls = [{
+            hosts = [ host ];
+          }];
        };
      };
    in
    {
-      kubernetes.resources = lib.mkIf cfg.enable {
-        secrets.${secretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey";
-
-        roles.${roleName}.rules = [
-          {
-            apiGroups = [ "" ];
-            resources = [ "secrets" ];
-            verbs = [ "create" ];
-          }
-          {
-            apiGroups = [ "" ];
-            resourceNames = [ secretName ];
-            resources = [ "secrets" ];
-            verbs = [ "get" "update" "patch" ];
-          }
-        ];
-
-        roleBindings = builtins.listToAttrs (map mkRoleBinding cfg.allowedServiceAccounts);
-
-        deployments = builtins.mapAttrs mkSidecarContainer cfg.deploymentsWithSidecarContainers;
-      };
+      kubernetes.resources.ingresses = builtins.mapAttrs mkTailscaleIngress cfg;
    };
 }
--- a/kubenix-modules/inbucket.nix
+++ b/kubenix-modules/inbucket.nix
@ -15,10 +15,8 @@
            inbucket = {
              image = "inbucket/inbucket:edge";

-              env.INBUCKET_WEB_ADDR.value = "0.0.0.0:80";
-
              ports = {
-                web.containerPort = 80;
+                web.containerPort = 9000;
                smtp.containerPort = 2500;
              };
            };
@ -52,9 +50,8 @@
    };
  };

-  lab.tailscale = {
-    enable = true;
-    allowedServiceAccounts = [ "inbucket" ];
-    deploymentsWithSidecarContainers.inbucket.hostName = "inbucket";
+  lab.tailscaleIngresses.tailscale = {
+    host = "inbucket";
+    service.name = "web";
  };
 }
--- a/kubenix-modules/syncthing.nix
+++ b/kubenix-modules/syncthing.nix
@ -79,10 +79,9 @@
      storage = "400Mi";
    };

-    tailscale = {
-      enable = true;
-      allowedServiceAccounts = [ "syncthing" ];
-      deploymentsWithSidecarContainers.syncthing.hostName = "syncthing";
+    tailscaleIngresses.tailscale = {
+      host = "sync";
+      service.name = "syncthing";
    };
  };
 }
--- a/kubenix-modules/tailscale.nix
+++ b/kubenix-modules/tailscale.nix
@ -0,0 +1,14 @@
+{ nixhelm, system, ... }: {
+  kubernetes = {
+    helm.releases.tailscale = {
+      chart = nixhelm.chartsDerivations.${system}.tailscale.tailscale-operator;
+      includeCRDs = true;
+      namespace = "tailscale";
+    };
+
+    resources.secrets.operator-oauth.stringData = {
+      client_id = "ref+sops://secrets/kubernetes.yaml#/tailscale/oauth/clientID";
+      client_secret = "ref+sops://secrets/kubernetes.yaml#/tailscale/oauth/clientSecret";
+    };
+  };
+}