feat(tailscale): Install k8s operator
This commit is contained in:
parent
8fc6961362
commit
cb6b883f6e
7 changed files with 66 additions and 89 deletions
|
@ -176,6 +176,11 @@
|
||||||
module = "${self}/kubenix-modules/minecraft.nix";
|
module = "${self}/kubenix-modules/minecraft.nix";
|
||||||
namespace = "minecraft";
|
namespace = "minecraft";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
tailscale = {
|
||||||
|
module = "${self}/kubenix-modules/tailscale.nix";
|
||||||
|
namespace = "tailscale";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
{ lib, nixhelm, system, machines, ... }: {
|
{ lib, nixhelm, system, machines, ... }: {
|
||||||
kubernetes = {
|
kubernetes = {
|
||||||
|
|
||||||
helm.releases = {
|
helm.releases = {
|
||||||
metallb = {
|
metallb = {
|
||||||
chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
|
chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
|
||||||
|
@ -48,6 +47,7 @@
|
||||||
dns = { };
|
dns = { };
|
||||||
media = { };
|
media = { };
|
||||||
minecraft = { };
|
minecraft = { };
|
||||||
|
tailscale = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
nodes =
|
nodes =
|
||||||
|
|
|
@ -1,91 +1,50 @@
|
||||||
{ lib, config, ... }:
|
{ lib, config, ... }: {
|
||||||
let
|
|
||||||
cfg = config.lab.tailscale;
|
|
||||||
secretName = "tailscale-auth";
|
|
||||||
roleName = "tailscale";
|
|
||||||
sidecarContainername = "tailscale-sidecar";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options = with lib.types; {
|
options = with lib.types; {
|
||||||
lab.tailscale = {
|
lab.tailscaleIngresses = lib.mkOption {
|
||||||
enable = lib.mkEnableOption "tailscale";
|
type = attrsOf (submodule {
|
||||||
|
options = {
|
||||||
|
host = lib.mkOption { type = str; };
|
||||||
|
|
||||||
allowedServiceAccounts = lib.mkOption {
|
service = {
|
||||||
type = listOf str;
|
name = lib.mkOption { type = str; };
|
||||||
|
|
||||||
description = ''
|
portName = lib.mkOption {
|
||||||
Allow specified service accounts to manage Tailscale authentication.
|
type = str;
|
||||||
'';
|
default = "web";
|
||||||
};
|
};
|
||||||
|
|
||||||
deploymentsWithSidecarContainers = lib.mkOption {
|
|
||||||
type = attrsOf (submodule ({ name, ... }: {
|
|
||||||
options.hostName = lib.mkOption { type = str; };
|
|
||||||
}));
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config =
|
config =
|
||||||
let
|
let
|
||||||
mkRoleBinding = name: {
|
cfg = config.lab.tailscaleIngresses;
|
||||||
name = "${name}-${roleName}";
|
|
||||||
value = {
|
mkTailscaleIngress = name: { host, service }: {
|
||||||
subjects = [{
|
spec = {
|
||||||
inherit name;
|
ingressClassName = "tailscale";
|
||||||
kind = "ServiceAccount";
|
|
||||||
|
rules = [{
|
||||||
|
http.paths = [{
|
||||||
|
path = "/";
|
||||||
|
pathType = "Prefix";
|
||||||
|
|
||||||
|
backend.service = {
|
||||||
|
name = service.name;
|
||||||
|
port.name = service.portName;
|
||||||
|
};
|
||||||
|
}];
|
||||||
}];
|
}];
|
||||||
|
|
||||||
roleRef = {
|
tls = [{
|
||||||
kind = "Role";
|
hosts = [ host ];
|
||||||
name = roleName;
|
}];
|
||||||
apiGroup = "rbac.authorization.k8s.io";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
mkSidecarContainer = name: { hostName, ... }: {
|
|
||||||
spec.template.spec.containers.${sidecarContainername} = {
|
|
||||||
imagePullPolicy = "Always";
|
|
||||||
image = "ghcr.io/tailscale/tailscale:latest";
|
|
||||||
|
|
||||||
env = {
|
|
||||||
TS_HOSTNAME.value = hostName;
|
|
||||||
TS_KUBE_SECRET.value = secretName;
|
|
||||||
TS_USERSPACE.value = "false";
|
|
||||||
TS_DEBUG_FIREWALL_MODE.value = "auto";
|
|
||||||
TS_AUTHKEY.valueFrom.secretKeyRef = {
|
|
||||||
name = secretName;
|
|
||||||
key = "TS_AUTHKEY";
|
|
||||||
optional = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
securityContext.capabilities.add = [ "NET_ADMIN" ];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
kubernetes.resources = lib.mkIf cfg.enable {
|
kubernetes.resources.ingresses = builtins.mapAttrs mkTailscaleIngress cfg;
|
||||||
secrets.${secretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey";
|
|
||||||
|
|
||||||
roles.${roleName}.rules = [
|
|
||||||
{
|
|
||||||
apiGroups = [ "" ];
|
|
||||||
resources = [ "secrets" ];
|
|
||||||
verbs = [ "create" ];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
apiGroups = [ "" ];
|
|
||||||
resourceNames = [ secretName ];
|
|
||||||
resources = [ "secrets" ];
|
|
||||||
verbs = [ "get" "update" "patch" ];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
roleBindings = builtins.listToAttrs (map mkRoleBinding cfg.allowedServiceAccounts);
|
|
||||||
|
|
||||||
deployments = builtins.mapAttrs mkSidecarContainer cfg.deploymentsWithSidecarContainers;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,10 +15,8 @@
|
||||||
inbucket = {
|
inbucket = {
|
||||||
image = "inbucket/inbucket:edge";
|
image = "inbucket/inbucket:edge";
|
||||||
|
|
||||||
env.INBUCKET_WEB_ADDR.value = "0.0.0.0:80";
|
|
||||||
|
|
||||||
ports = {
|
ports = {
|
||||||
web.containerPort = 80;
|
web.containerPort = 9000;
|
||||||
smtp.containerPort = 2500;
|
smtp.containerPort = 2500;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -52,9 +50,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
lab.tailscale = {
|
lab.tailscaleIngresses.tailscale = {
|
||||||
enable = true;
|
host = "inbucket";
|
||||||
allowedServiceAccounts = [ "inbucket" ];
|
service.name = "web";
|
||||||
deploymentsWithSidecarContainers.inbucket.hostName = "inbucket";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -79,10 +79,9 @@
|
||||||
storage = "400Mi";
|
storage = "400Mi";
|
||||||
};
|
};
|
||||||
|
|
||||||
tailscale = {
|
tailscaleIngresses.tailscale = {
|
||||||
enable = true;
|
host = "sync";
|
||||||
allowedServiceAccounts = [ "syncthing" ];
|
service.name = "syncthing";
|
||||||
deploymentsWithSidecarContainers.syncthing.hostName = "syncthing";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
14
kubenix-modules/tailscale.nix
Normal file
14
kubenix-modules/tailscale.nix
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
{ nixhelm, system, ... }: {
|
||||||
|
kubernetes = {
|
||||||
|
helm.releases.tailscale = {
|
||||||
|
chart = nixhelm.chartsDerivations.${system}.tailscale.tailscale-operator;
|
||||||
|
includeCRDs = true;
|
||||||
|
namespace = "tailscale";
|
||||||
|
};
|
||||||
|
|
||||||
|
resources.secrets.operator-oauth.stringData = {
|
||||||
|
client_id = "ref+sops://secrets/kubernetes.yaml#/tailscale/oauth/clientID";
|
||||||
|
client_secret = "ref+sops://secrets/kubernetes.yaml#/tailscale/oauth/clientSecret";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -28,6 +28,9 @@ immich:
|
||||||
databasePassword: ENC[AES256_GCM,data:fZtGYiHOhYjdzBxaSdnstjlOAJE=,iv:YV+o4upajDHtwWSU6Z9h3Ncl9fXbo65KT6YMqlh2evY=,tag:BWLRc3bdnS9M70jC3SZXlA==,type:str]
|
databasePassword: ENC[AES256_GCM,data:fZtGYiHOhYjdzBxaSdnstjlOAJE=,iv:YV+o4upajDHtwWSU6Z9h3Ncl9fXbo65KT6YMqlh2evY=,tag:BWLRc3bdnS9M70jC3SZXlA==,type:str]
|
||||||
tailscale:
|
tailscale:
|
||||||
authKey: ENC[AES256_GCM,data:pBbrL6/HVxDgvEeVHdnH6O3YsUB4tpRCO7SacYxSunDcMg8xcIXWWx1Zt65z9hcMcW/2AZbXC8mh+UPBRw==,iv:tTXdEAgCAHL46nN6yO0QNwJ0DUltAmQ/359TzuqXrpI=,tag:F7DtCigCRhdPBgMK3ZzV7g==,type:str]
|
authKey: ENC[AES256_GCM,data:pBbrL6/HVxDgvEeVHdnH6O3YsUB4tpRCO7SacYxSunDcMg8xcIXWWx1Zt65z9hcMcW/2AZbXC8mh+UPBRw==,iv:tTXdEAgCAHL46nN6yO0QNwJ0DUltAmQ/359TzuqXrpI=,tag:F7DtCigCRhdPBgMK3ZzV7g==,type:str]
|
||||||
|
oauth:
|
||||||
|
clientID: ENC[AES256_GCM,data:HLkgZ2q79LSBDCrwgzErNVE=,iv:/877rL2F/r4yxhGXaZW/TsbaU0arBKJiH9arTqfStrk=,tag:lVLJJ/D19FoSJXLu7S3ByQ==,type:str]
|
||||||
|
clientSecret: ENC[AES256_GCM,data:AsgE6KYXP8Z/2c4WdxWOou62txjz/TNarlQn6osebPB3czVVlGky4d4KcDE2cMgXqIEY3E/LNxbjMnfxIC9s,iv:EQDN/ECzIkKXtfj2DE0JtgXEpRMMEbYbfYDMxwXkx5E=,tag:NXwbzQv38njh+a5O8kQOag==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -52,8 +55,8 @@ sops:
|
||||||
aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP
|
aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP
|
||||||
Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA==
|
Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-07-18T09:03:54Z"
|
lastmodified: "2024-07-21T16:43:44Z"
|
||||||
mac: ENC[AES256_GCM,data:BEgztutw7barzGcbx5hkfAnauPv2H4nvwZM5iUfPJcjOkPsKTVwYAcdDdJE8wL2Nc9b4iIGSRwf9fwizyaerPR6SFt1zNHgbQz0DbUz+j/bUIXwKBSQNgK0KjiX8ONyFK62OxAhEa600OUV0cqWURUwRl+F8fRQSqQCvKuREVyE=,iv:ZMj4NAVI94bM/HwYSkZIN9hRPXWR1miIld57EeC+ckk=,tag:wy2ENtExu2mtpFPc/jy+nw==,type:str]
|
mac: ENC[AES256_GCM,data:Gx9Zpdt/HzeYRj2ksmCGLaIJTcsfzxJklGdVNbtMIU888A32B72lAHfv0MbU5OBX0ZRt+VYDRncARSeTKPI3CGZu0qLtJwkDcVFGv+y+sea63DN8mmvNpYLQeif0daqE1GGMPVWukzV/2aBmfWbYBtHhm3C2v4f7KXobE83v3K0=,iv:bd+U7zyGOeH2Wq+y4RRv7kGfDkUGq1Kkfj4LOFdMJkY=,tag:5JkuFvY8kFfguBJoZfOnvg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
Loading…
Reference in a new issue