feat(tailscale): Install k8s operator

2024-07-21 19:47:22 +02:00 · 2024-07-21 19:47:22 +02:00 · cb6b883f6e
commit cb6b883f6e
parent 8fc6961362
7 changed files with 66 additions and 89 deletions
--- a/flake-parts/kubenix.nix
+++ b/flake-parts/kubenix.nix
@ -176,6 +176,11 @@
        module = "${self}/kubenix-modules/minecraft.nix";
        namespace = "minecraft";
      };
      tailscale = {
        module = "${self}/kubenix-modules/tailscale.nix";
        namespace = "tailscale";
      };
    };
  in
  {
--- a/kubenix-modules/bootstrap-default.nix
+++ b/kubenix-modules/bootstrap-default.nix
@ -1,6 +1,5 @@
 { lib, nixhelm, system, machines, ... }: {
  kubernetes = {
    helm.releases = {
      metallb = {
        chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
@ -48,6 +47,7 @@
        dns = { };
        media = { };
        minecraft = { };
        tailscale = { };
      };
      nodes =
--- a/kubenix-modules/custom/tailscale.nix
+++ b/kubenix-modules/custom/tailscale.nix
@ -1,91 +1,50 @@
-{ lib, config, ... }:
+{ lib, config, ... }: {
 let
  cfg = config.lab.tailscale;
  secretName = "tailscale-auth";
  roleName = "tailscale";
  sidecarContainername = "tailscale-sidecar";
 in
 {
  options = with lib.types; {
-    lab.tailscale = {
+    lab.tailscaleIngresses = lib.mkOption {
-      enable = lib.mkEnableOption "tailscale";
+      type = attrsOf (submodule {
        options = {
          host = lib.mkOption { type = str; };
-      allowedServiceAccounts = lib.mkOption {
+          service = {
-        type = listOf str;
+            name = lib.mkOption { type = str; };
-        description = ''
+            portName = lib.mkOption {
-          Allow specified service accounts to manage Tailscale authentication.
+              type = str;
-        '';
+              default = "web";
-      };
+            };
-
+          };
-      deploymentsWithSidecarContainers = lib.mkOption {
+        };
-        type = attrsOf (submodule ({ name, ... }: {
+      });
          options.hostName = lib.mkOption { type = str; };
        }));
      };
    };
  };
  config =
    let
-      mkRoleBinding = name: {
+      cfg = config.lab.tailscaleIngresses;
-        name = "${name}-${roleName}";
+
-        value = {
+      mkTailscaleIngress = name: { host, service }: {
-          subjects = [{
+        spec = {
-            inherit name;
+          ingressClassName = "tailscale";
-            kind = "ServiceAccount";
+
          rules = [{
            http.paths = [{
              path = "/";
              pathType = "Prefix";
              backend.service = {
                name = service.name;
                port.name = service.portName;
              };
            }];
          }];
-          roleRef = {
+          tls = [{
-            kind = "Role";
+            hosts = [ host ];
-            name = roleName;
+          }];
            apiGroup = "rbac.authorization.k8s.io";
          };
        };
      };
      mkSidecarContainer = name: { hostName, ... }: {
        spec.template.spec.containers.${sidecarContainername} = {
          imagePullPolicy = "Always";
          image = "ghcr.io/tailscale/tailscale:latest";
          env = {
            TS_HOSTNAME.value = hostName;
            TS_KUBE_SECRET.value = secretName;
            TS_USERSPACE.value = "false";
            TS_DEBUG_FIREWALL_MODE.value = "auto";
            TS_AUTHKEY.valueFrom.secretKeyRef = {
              name = secretName;
              key = "TS_AUTHKEY";
              optional = true;
            };
          };
          securityContext.capabilities.add = [ "NET_ADMIN" ];
        };
      };
    in
    {
-      kubernetes.resources = lib.mkIf cfg.enable {
+      kubernetes.resources.ingresses = builtins.mapAttrs mkTailscaleIngress cfg;
        secrets.${secretName}.stringData.TS_AUTHKEY = "ref+sops://secrets/kubernetes.yaml#/tailscale/authKey";
        roles.${roleName}.rules = [
          {
            apiGroups = [ "" ];
            resources = [ "secrets" ];
            verbs = [ "create" ];
          }
          {
            apiGroups = [ "" ];
            resourceNames = [ secretName ];
            resources = [ "secrets" ];
            verbs = [ "get" "update" "patch" ];
          }
        ];
        roleBindings = builtins.listToAttrs (map mkRoleBinding cfg.allowedServiceAccounts);
        deployments = builtins.mapAttrs mkSidecarContainer cfg.deploymentsWithSidecarContainers;
      };
    };
 }
--- a/kubenix-modules/inbucket.nix
+++ b/kubenix-modules/inbucket.nix
@ -15,10 +15,8 @@
            inbucket = {
              image = "inbucket/inbucket:edge";
              env.INBUCKET_WEB_ADDR.value = "0.0.0.0:80";
              ports = {
-                web.containerPort = 80;
+                web.containerPort = 9000;
                smtp.containerPort = 2500;
              };
            };
@ -52,9 +50,8 @@
    };
  };
-  lab.tailscale = {
+  lab.tailscaleIngresses.tailscale = {
-    enable = true;
+    host = "inbucket";
-    allowedServiceAccounts = [ "inbucket" ];
+    service.name = "web";
    deploymentsWithSidecarContainers.inbucket.hostName = "inbucket";
  };
 }
--- a/kubenix-modules/syncthing.nix
+++ b/kubenix-modules/syncthing.nix
@ -79,10 +79,9 @@
      storage = "400Mi";
    };
-    tailscale = {
+    tailscaleIngresses.tailscale = {
-      enable = true;
+      host = "sync";
-      allowedServiceAccounts = [ "syncthing" ];
+      service.name = "syncthing";
      deploymentsWithSidecarContainers.syncthing.hostName = "syncthing";
    };
  };
 }
--- a/kubenix-modules/tailscale.nix
+++ b/kubenix-modules/tailscale.nix
@ -0,0 +1,14 @@
 { nixhelm, system, ... }: {
  kubernetes = {
    helm.releases.tailscale = {
      chart = nixhelm.chartsDerivations.${system}.tailscale.tailscale-operator;
      includeCRDs = true;
      namespace = "tailscale";
    };
    resources.secrets.operator-oauth.stringData = {
      client_id = "ref+sops://secrets/kubernetes.yaml#/tailscale/oauth/clientID";
      client_secret = "ref+sops://secrets/kubernetes.yaml#/tailscale/oauth/clientSecret";
    };
  };
 }
--- a/secrets/kubernetes.yaml
+++ b/secrets/kubernetes.yaml
@ -28,6 +28,9 @@ immich:
    databasePassword: ENC[AES256_GCM,data:fZtGYiHOhYjdzBxaSdnstjlOAJE=,iv:YV+o4upajDHtwWSU6Z9h3Ncl9fXbo65KT6YMqlh2evY=,tag:BWLRc3bdnS9M70jC3SZXlA==,type:str]
 tailscale:
    authKey: ENC[AES256_GCM,data:pBbrL6/HVxDgvEeVHdnH6O3YsUB4tpRCO7SacYxSunDcMg8xcIXWWx1Zt65z9hcMcW/2AZbXC8mh+UPBRw==,iv:tTXdEAgCAHL46nN6yO0QNwJ0DUltAmQ/359TzuqXrpI=,tag:F7DtCigCRhdPBgMK3ZzV7g==,type:str]
    oauth:
        clientID: ENC[AES256_GCM,data:HLkgZ2q79LSBDCrwgzErNVE=,iv:/877rL2F/r4yxhGXaZW/TsbaU0arBKJiH9arTqfStrk=,tag:lVLJJ/D19FoSJXLu7S3ByQ==,type:str]
        clientSecret: ENC[AES256_GCM,data:AsgE6KYXP8Z/2c4WdxWOou62txjz/TNarlQn6osebPB3czVVlGky4d4KcDE2cMgXqIEY3E/LNxbjMnfxIC9s,iv:EQDN/ECzIkKXtfj2DE0JtgXEpRMMEbYbfYDMxwXkx5E=,tag:NXwbzQv38njh+a5O8kQOag==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -52,8 +55,8 @@ sops:
            aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP
            Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-18T09:03:54Z"
+    lastmodified: "2024-07-21T16:43:44Z"
-    mac: ENC[AES256_GCM,data:BEgztutw7barzGcbx5hkfAnauPv2H4nvwZM5iUfPJcjOkPsKTVwYAcdDdJE8wL2Nc9b4iIGSRwf9fwizyaerPR6SFt1zNHgbQz0DbUz+j/bUIXwKBSQNgK0KjiX8ONyFK62OxAhEa600OUV0cqWURUwRl+F8fRQSqQCvKuREVyE=,iv:ZMj4NAVI94bM/HwYSkZIN9hRPXWR1miIld57EeC+ckk=,tag:wy2ENtExu2mtpFPc/jy+nw==,type:str]
+    mac: ENC[AES256_GCM,data:Gx9Zpdt/HzeYRj2ksmCGLaIJTcsfzxJklGdVNbtMIU888A32B72lAHfv0MbU5OBX0ZRt+VYDRncARSeTKPI3CGZu0qLtJwkDcVFGv+y+sea63DN8mmvNpYLQeif0daqE1GGMPVWukzV/2aBmfWbYBtHhm3C2v4f7KXobE83v3K0=,iv:bd+U7zyGOeH2Wq+y4RRv7kGfDkUGq1Kkfj4LOFdMJkY=,tag:5JkuFvY8kFfguBJoZfOnvg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1