From f78631e3aee0d52460ecca4f83b67b2bb405b31a Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 8 Apr 2024 20:42:06 +0200
Subject: [PATCH] create traefik entrypoint on port 444 expose inbucket web GUI on port 444
---
 nix/flake/kubenix/default.nix | 33 ++++++++++++++++++++++------
 nix/flake/kubenix/inbucket.nix | 40 ++++++++++++++++++++++------------
 2 files changed, 52 insertions(+), 21 deletions(-)
diff --git a/nix/flake/kubenix/default.nix b/nix/flake/kubenix/default.nix
index c2d09ac..cc97ebc 100644
--- a/nix/flake/kubenix/default.nix
+++ b/nix/flake/kubenix/default.nix
@@ -26,6 +26,10 @@
 kubenix.project = "home";
 kubernetes = {
+ # TODO: These were copied from https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
+ # See https://cert-manager.io/docs/installation/helm/
+ # Seems kubenix cannot import a list of resources, but only individual resources.
+ # Might be good to create PR for this.
 imports = [
 ./certificaterequest.yaml
 ./certificate.yaml
@@ -74,15 +78,30 @@
 ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" ];
 l2Advertisements.main.metadata = { };
+ # NOTE: The name of each helmChartConfig must match the relevant chart name!
 # Override Traefik's service with a static load balancer IP.
- helmChartConfigs.traefik = {
- metadata.namespace = "kube-system";
+ helmChartConfigs = {
+ traefik = {
+ metadata.namespace = "kube-system";
- spec.valuesContent = ''
- service:
- spec:
- loadBalancerIP: "192.168.30.128"
- '';
+ spec.valuesContent = ''
+ service:
+ spec:
+ loadBalancerIP: "192.168.30.128"
+ ports:
+ localsecure:
+ port: 8444
+ expose: true
+ exposedPort: 444
+ protocol: TCP
+ tls:
+ enabled: true
+ options: ""
+ certResolver: ""
+ domains: []
+
+ '';
+ };
 };
 clusterIssuers.letsencrypt = {
diff --git a/nix/flake/kubenix/inbucket.nix b/nix/flake/kubenix/inbucket.nix
index 2870698..d7aabd4 100644
--- a/nix/flake/kubenix/inbucket.nix
+++ b/nix/flake/kubenix/inbucket.nix
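Review bot: In `nix/flake/kubenix/default.nix`, the new `localsecure` entrypoint is published on the same load-balancer service and address (`loadBalancerIP: "192.168.30.128"`) as Traefik's other entrypoints, and nothing in these values limits which clients may connect to port 444. The name suggests LAN-only use, so that property presumably rests on the edge router not forwarding 444, which is not visible here. I would state the assumption next to the block, e.g. `# localsecure (444) is LAN-only by convention: it must not be port-forwarded at the edge`, and back it with an IP allow-list middleware (Traefik's `ipAllowList`, `ipWhiteList` on v2) on the routers that use this entrypoint. Separately, the existing `# Override Traefik's service with a static load balancer IP.` comment now sits above the whole `helmChartConfigs` set and would read better on the `traefik` attribute, and the empty line before the closing `'';` can be dropped.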
@@ -53,22 +53,34 @@
 };
 };
- # ingresses.inbucket.spec = {
- # ingressClassName = "traefik";
+ ingresses.inbucket = {
+ metadata.annotations = {
+ "cert-manager.io/cluster-issuer" = "letsencrypt";
+ "traefik.ingress.kubernetes.io/router.entrypoints" = "localsecure";
+ };
- # rules = [{
- # host = "inbucket.kun.is";
+ spec = {
+ ingressClassName = "traefik";
- # http.paths = [{
- # path = "/";
- # pathType = "Prefix";
+ rules = [{
+ host = "inbucket.kun.is";
- # backend.service = {
- # name = "inbucket-web";
- # port.number = 80;
- # };
- # }];
- # }];
- # };
+ http.paths = [{
+ path = "/";
+ pathType = "Prefix";
+
+ backend.service = {
+ name = "inbucket-web";
+ port.number = 80;
+ };
+ }];
+ }];
+
+ tls = [{
+ secretName = "inbucket-tls";
+ hosts = [ "inbucket.kun.is" ];
+ }];
+ };
+ };
 };
 }
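Review bot: The re-enabled `ingresses.inbucket` relies only on the `"traefik.ingress.kubernetes.io/router.entrypoints" = "localsecure"` annotation for access control. No authentication or allow-list middleware is attached, and Inbucket's web UI, as far as I know, has no login of its own, so anyone who can reach port 444 can read every captured message. I would add a `"traefik.ingress.kubernetes.io/router.middlewares"` annotation pointing at a basic-auth or IP allow-list Middleware (value of the form `<namespace>-<middleware-name>@kubernetescrd`, placeholder), plus a comment saying the UI is unauthenticated. Issuing the certificate through the `letsencrypt` cluster issuer also publishes `inbucket.kun.is` in Certificate Transparency logs. If that issuer uses HTTP-01 (not visible in this hunk), the host must be reachable from the internet on port 80 for validation, which deserves a one-line comment given the service is meant to be local.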