More testing with tailscale funnel

This commit is contained in:
Gabriel Simmer 2022-11-26 10:41:40 +00:00
parent 269499e166
commit 7af2f57224
Signed by: arch
GPG key ID: C81B106D46C5B875
6 changed files with 191 additions and 63 deletions


@ -15,6 +15,42 @@
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1636849918,
"narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1669065280,
"narHash": "sha256-3+pq1oJWjGDLfd8G/vR3IIFZ+EQ/aglukA0bTiMlf3o=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "50aeec40f2072d2ab267c8ec8a345573704ec110",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1666926733,
@ -34,6 +70,7 @@
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs"
}
}


@ -2,8 +2,12 @@
description = "A basic flake with a shell";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
inputs.flake-utils.url = "github:numtide/flake-utils";
inputs.nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, flake-utils }:
outputs = { self, nixpkgs, flake-utils, nixos-generators }:
flake-utils.lib.eachDefaultSystem (system: let
pkgs = nixpkgs.legacyPackages.${system};
in {
@ -14,9 +18,19 @@
pkgs.kubectl
pkgs.awscli2
pkgs.nodePackages.yaml-language-server
pkgs.python39Packages.python-lsp-server
pkgs.k9s
];
buildInputs = [ ];
};
packages.aarch64-linux = {
k3s-server = nixos-generators.nixosGenerate {
system = "aarch64-linux";
modules = [
./pi-imgs/k3s-server.nix
];
format = "sd-aarch64-installer";
};
};
});
}
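Review bot: `packages.aarch64-linux` is declared inside the `eachDefaultSystem` callback, which already prefixes every attribute it returns with the current system, so this lands at `packages.<system>.aarch64-linux.k3s-server` rather than `packages.aarch64-linux.k3s-server`, and `nix build .#k3s-server` on an aarch64 host will not find it. Move the image out of the per-system attrset, e.g. `outputs = { self, nixpkgs, flake-utils, nixos-generators }: flake-utils.lib.eachDefaultSystem (system: ...) // { packages.aarch64-linux.k3s-server = nixos-generators.nixosGenerate { ... }; };`, keeping the `nixosGenerate` call body as written. `./pi-imgs/k3s-server.nix` is not among the six files in this commit, so presumably it already exists in the tree; worth confirming it is tracked before the output is used. A one-line comment above the output, `# Raspberry Pi SD image; built for aarch64-linux regardless of host system`, would also make the intent clear.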


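--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,7 @@
+FROM python:3-alpine
+WORKDIR /app
+COPY . .
+CMD [ "python", "main.py" ]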
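Review bot: `COPY . .` copies the whole build context into the image layer, and since main.py reads its certificate and key from `CERT_FILE`/`CERT_KEYFILE`, any cert or key file left next to main.py for local testing would be baked into the image; no .dockerignore is part of this commit. The CMD only needs the script, so `COPY main.py .` is sufficient. The process also runs as root by default; a line such as `USER nobody` before the CMD (if the base image provides that account, which Alpine normally does) is enough for a script that binds an unprivileged port. Adding `EXPOSE 8443` would document the port main.py listens on.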


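--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,18 @@
+import socket
+import ssl
+import os
+HOST = "127.0.0.1"
+PORT = 8443
+if __name__ == "__main__":
+context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+context.load_cert_chain(os.getenv('CERT_FILE'), os.getenv('CERT_KEYFILE'))
+with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
+sock.bind((HOST, PORT))
+sock.listen(5)
+with context.wrap_socket(sock, server_side=True) as ssock:
+conn, addr = ssock.accept()
+conn.send('Hello, Tailscale Funnel!'.encode('utf-8'))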


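--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,114 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: nginx-tailscale-serve
+spec:
+selector:
+matchLabels:
+app: nginx-tailscale-serve
+template:
+metadata:
+labels:
+app: nginx-tailscale-serve
+spec:
+initContainers:
+- name: tailscale-init
+image: icr.gmem.ca/tailscale
+resources:
+requests:
+memory: "1Mi"
+cpu: "1m"
+limits:
+memory: "128Mi"
+cpu: "500m"
+env:
+- name: MODE
+value: "cert"
+- name: TAILSCALE_CERT_FILE
+value: "/tailscale/cert"
+- name: TAILSCALE_CERT_KEY
+value: "/tailscale/key"
+- name: TAILSCALE_CERT_DOMAIN
+value: "kubernetes-test.chimera-blues.ts.net"
+- name: TAILSCALE_HOSTNAME
+value: "kubernetes-test"
+- name: TAILSCALED_TUN
+value: "userspace-networking"
+- name: TAILSCALED_STATE
+value: "/tailscale/tailscaled.state"
+- name: TAILSCALE_AUTH_KEY
+valueFrom:
+secretKeyRef:
+name: tailscale-auth
+key: TS_AUTH_KEY
+optional: true
+volumeMounts:
+- name: data
+mountPath: /tailscale
+containers:
+- name: nginx
+image: nginx
+resources:
+limits:
+memory: "32Mi"
+cpu: "100m"
+requests:
+memory: "16Mi"
+cpu: "1m"
+ports:
+- containerPort: 80
+- name: tailscale-serve
+image: icr.gmem.ca/tailscale
+resources:
+requests:
+memory: "1Mi"
+cpu: "1m"
+limits:
+memory: "128Mi"
+cpu: "500m"
+env:
+- name: TAILSCALE_HOSTNAME
+value: "kubernetes-test"
+- name: TAILSCALED_TUN
+value: "userspace-networking"
+- name: TAILSCALE_FUNNEL_PROXY
+value: "80"
+- name: TAILSCALED_STATE
+value: "/tailscale/tailscaled.state"
+- name: TAILSCALE_AUTH_KEY
+valueFrom:
+secretKeyRef:
+name: tailscale-auth
+key: TS_AUTH_KEY
+optional: true
+volumeMounts:
+- name: data
+mountPath: /tailscale
+volumes:
+- name: data
+persistentVolumeClaim:
+claimName: tailscale-state
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+name: tailscale-state
+spec:
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 1Gi
+storageClassName: nfs-client
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: nginx-tailscale-serve
+spec:
+selector:
+app: nginx-tailscale-serve
+ports:
+- port: 80
+targetPort: 80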
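Review bot: The `tailscale-init` container fetches a certificate into `/tailscale/cert` and `/tailscale/key`, but nothing in this manifest reads them: the `nginx` container has no `volumeMounts` for `data`, and the `tailscale-serve` sidecar proxies plain HTTP (`TAILSCALE_FUNNEL_PROXY: "80"`), so TLS is terminated by funnel itself. Either drop the init container or mount `data` into whichever container is meant to serve that certificate; as written the certificate's private key is written to the shared `tailscale-state` PVC for no use. That PVC also holds `tailscaled.state`, which carries the node's key material, on the `nfs-client` storage class, so the access controls on that NFS export are what protect the node identity; a comment on the PVC such as `# holds tailscaled.state (node key) — restrict access to the backing NFS export` would record that. `image: nginx` is untagged; pinning a tag keeps the proxy/backend pairing reproducible.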


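--- a/[path not shown]
+++ /dev/null
@@ -1,62 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-name: nginx-tailscale-serve
-spec:
-selector:
-matchLabels:
-app: nginx-tailscale-serve
-template:
-metadata:
-labels:
-app: nginx-tailscale-serve
-spec:
-containers:
-- name: hue
-image: icr.gmem.ca/hue
-resources:
-limits:
-memory: "32Mi"
-cpu: "100m"
-requests:
-memory: "16Mi"
-cpu: "1m"
-ports:
-- containerPort: 443
-env:
-- name: PORT
-value: "443"
-- name: tailscale-serve
-image: icr.gmem.ca/tailscale
-resources:
-requests:
-memory: "1Mi"
-cpu: "1m"
-limits:
-memory: "128Mi"
-cpu: "500m"
-env:
-- name: TAILSCALE_HOSTNAME
-value: "kubernetes-test"
-- name: TAILSCALED_TUN
-value: "userspace-networking"
-- name: TAILSCALE_FUNNEL_PROXY
-value: "443"
-- name: TAILSCALE_AUTH_KEY
-valueFrom:
-secretKeyRef:
-name: tailscale-auth
-key: TS_AUTH_KEY
-optional: true
----
-apiVersion: v1
-kind: Service
-metadata:
-name: nginx-tailscale-serve
-spec:
-selector:
-app: nginx-tailscale-serve
-ports:
-- port: 80
-targetPort: 80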