From 7af2f5722460093c4615b00ef752c4405e7f0693 Mon Sep 17 00:00:00 2001 From: Gabriel Simmer Date: Sat, 26 Nov 2022 10:41:40 +0000 Subject: [PATCH] More testing with tailscale funnel --- flake.lock | 37 ++++++++ flake.nix | 16 +++- homelab/tailscale-serve/app/Dockerfile | 7 ++ homelab/tailscale-serve/app/main.py | 18 ++++ homelab/tailscale-serve/deployment.yaml | 114 ++++++++++++++++++++++++ homelab/tailscale-serve/nginx.yaml | 62 ------------- 6 files changed, 191 insertions(+), 63 deletions(-) create mode 100644 homelab/tailscale-serve/app/Dockerfile create mode 100644 homelab/tailscale-serve/app/main.py create mode 100644 homelab/tailscale-serve/deployment.yaml delete mode 100644 homelab/tailscale-serve/nginx.yaml
diff --git a/flake.lock b/flake.lock
index 4f20cca..8f50405 100644
--- a/flake.lock
+++ b/flake.lock
@@ -15,6 +15,42 @@
 "type": "github"
 }
 },
+ "nixlib": {
+ "locked": {
+ "lastModified": 1636849918,
+ "narHash": "sha256-nzUK6dPcTmNVrgTAC1EOybSMsrcx+QrVPyqRdyKLkjA=",
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "rev": "28a5b0557f14124608db68d3ee1f77e9329e9dd5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixpkgs.lib",
+ "type": "github"
+ }
+ },
+ "nixos-generators": {
+ "inputs": {
+ "nixlib": "nixlib",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1669065280,
+ "narHash": "sha256-3+pq1oJWjGDLfd8G/vR3IIFZ+EQ/aglukA0bTiMlf3o=",
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "rev": "50aeec40f2072d2ab267c8ec8a345573704ec110",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "nixos-generators",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1666926733,
@@ -34,6 +70,7 @@
 "root": {
 "inputs": {
 "flake-utils": "flake-utils",
+ "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs"
 }
 }
diff --git a/flake.nix b/flake.nix
index ab93141..8ccd87e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,12 @@
 description = "A basic flake with a shell";
 inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 inputs.flake-utils.url = "github:numtide/flake-utils";
+ inputs.nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
- outputs = { self, nixpkgs, flake-utils }:
+ outputs = { self, nixpkgs, flake-utils, nixos-generators }:
 flake-utils.lib.eachDefaultSystem (system:
 let pkgs = nixpkgs.legacyPackages.${system}; in {
@@ -14,9 +18,19 @@
 pkgs.kubectl
 pkgs.awscli2
 pkgs.nodePackages.yaml-language-server
+ pkgs.python39Packages.python-lsp-server
 pkgs.k9s
 ];
 buildInputs = [ ];
 };
+ packages.aarch64-linux = {
+ k3s-server = nixos-generators.nixosGenerate {
+ system = "aarch64-linux";
+ modules = [
+ ./pi-imgs/k3s-server.nix
+ ];
+ format = "sd-aarch64-installer";
+ };
+ };
 });
 }
diff --git a/homelab/tailscale-serve/app/Dockerfile b/homelab/tailscale-serve/app/Dockerfile
new file mode 100644
index 0000000..f04fe36
--- /dev/null
+++ b/homelab/tailscale-serve/app/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:3-alpine
+
+WORKDIR /app
+
+COPY . .
+
+CMD [ "python", "main.py" ]
\ No newline at end of file
diff --git a/homelab/tailscale-serve/app/main.py b/homelab/tailscale-serve/app/main.py
new file mode 100644
index 0000000..54fcf09
--- /dev/null
+++ b/homelab/tailscale-serve/app/main.py
@@ -0,0 +1,18 @@
+import socket
+import ssl
+import os
+
+
+HOST = "127.0.0.1"
+PORT = 8443
+
+
+if __name__ == "__main__":
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ context.load_cert_chain(os.getenv('CERT_FILE'), os.getenv('CERT_KEYFILE'))
+ with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
+ sock.bind((HOST, PORT))
+ sock.listen(5)
+ with context.wrap_socket(sock, server_side=True) as ssock:
+ conn, addr = ssock.accept()
+ conn.send('Hello, Tailscale Funnel!'.encode('utf-8'))
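Review bot: `packages.aarch64-linux = { k3s-server = … }` is returned from inside the `eachDefaultSystem` callback, and flake-utils rewrites every attribute the callback returns as `<attr>.<system>`, so this lands at `packages.<system>.aarch64-linux.k3s-server` for each default system instead of `packages.aarch64-linux.k3s-server`, and `nix build .#k3s-server` will not resolve it. Hoist it out of the callback: close the callback with `}) // {` and place `packages.aarch64-linux.k3s-server = nixos-generators.nixosGenerate { … };` after it — a plain `//` is only safe while the callback defines no `packages` attribute of its own, which appears to be the case here since the hunk context shows only a devShell (confirm). The module path `./pi-imgs/k3s-server.nix` is not part of this commit; if it is not already tracked, evaluation fails on the missing file. The enclosing `outputs` function starts outside this hunk.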
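Review bot: The image runs `main.py` as root — there is no `USER` instruction — for a process that holds a TLS private key and listens on a socket, so a compromise of the Python process is a root compromise of the container. Add an unprivileged account before `CMD`: `RUN adduser -D -H app` followed by `USER app` (the service binds 8443, so no privileged port is needed). `FROM python:3-alpine` floats across every 3.x release; pinning a minor tag makes rebuilds reproducible. `COPY . .` copies the entire build context, so keep key material and local state out of that directory or add a `.dockerignore`.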
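Review bot: `ssock.accept()` on the last two lines serves exactly one client — after the single `send` the `with` blocks unwind and the process exits, and the accepted `conn` is never closed. Because the TLS handshake runs inside `accept()` (do_handshake_on_connect defaults to True), a peer that fails the handshake raises `ssl.SSLError` straight out of the body and kills the server, and `conn.send` does not guarantee the whole buffer is written where `sendall` does. `os.getenv('CERT_FILE')` hands `None` to `load_cert_chain` when the variable is unset, which surfaces as a TypeError rather than an error naming the missing variable; nothing in this commit sets `CERT_FILE`/`CERT_KEYFILE` (deployment.yaml exports `TAILSCALE_CERT_FILE`/`TAILSCALE_CERT_KEY` to the init container only), so the wiring looks incomplete. The rewrite below accepts connections in a loop, closes each connection, survives a failed handshake and fails fast on missing configuration; binding `HOST` to 127.0.0.1 is left as is, which is appropriate for a backend reached only by a same-pod sidecar.
```python
# … unchanged: imports, HOST, PORT …
if __name__ == "__main__":
    # os.environ[...] raises KeyError naming the variable instead of
    # passing None through to load_cert_chain
    cert_file = os.environ["CERT_FILE"]
    key_file = os.environ["CERT_KEYFILE"]
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(cert_file, key_file)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
        sock.bind((HOST, PORT))
        sock.listen(5)
        with context.wrap_socket(sock, server_side=True) as ssock:
            while True:
                try:
                    conn, addr = ssock.accept()
                except ssl.SSLError:
                    # a client that fails the handshake must not stop the server
                    continue
                with conn:
                    conn.sendall('Hello, Tailscale Funnel!'.encode('utf-8'))
```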
diff --git a/homelab/tailscale-serve/deployment.yaml b/homelab/tailscale-serve/deployment.yaml
new file mode 100644
index 0000000..22a3a24
--- /dev/null
+++ b/homelab/tailscale-serve/deployment.yaml
@@ -0,0 +1,114 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-tailscale-serve
+spec:
+ selector:
+ matchLabels:
+ app: nginx-tailscale-serve
+ template:
+ metadata:
+ labels:
+ app: nginx-tailscale-serve
+ spec:
+ initContainers:
+ - name: tailscale-init
+ image: icr.gmem.ca/tailscale
+ resources:
+ requests:
+ memory: "1Mi"
+ cpu: "1m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ env:
+ - name: MODE
+ value: "cert"
+ - name: TAILSCALE_CERT_FILE
+ value: "/tailscale/cert"
+ - name: TAILSCALE_CERT_KEY
+ value: "/tailscale/key"
+ - name: TAILSCALE_CERT_DOMAIN
+ value: "kubernetes-test.chimera-blues.ts.net"
+ - name: TAILSCALE_HOSTNAME
+ value: "kubernetes-test"
+ - name: TAILSCALED_TUN
+ value: "userspace-networking"
+ - name: TAILSCALED_STATE
+ value: "/tailscale/tailscaled.state"
+ - name: TAILSCALE_AUTH_KEY
+ valueFrom:
+ secretKeyRef:
+ name: tailscale-auth
+ key: TS_AUTH_KEY
+ optional: true
+ volumeMounts:
+ - name: data
+ mountPath: /tailscale
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ limits:
+ memory: "32Mi"
+ cpu: "100m"
+ requests:
+ memory: "16Mi"
+ cpu: "1m"
+ ports:
+ - containerPort: 80
+ - name: tailscale-serve
+ image: icr.gmem.ca/tailscale
+ resources:
+ requests:
+ memory: "1Mi"
+ cpu: "1m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ env:
+ - name: TAILSCALE_HOSTNAME
+ value: "kubernetes-test"
+ - name: TAILSCALED_TUN
+ value: "userspace-networking"
+ - name: TAILSCALE_FUNNEL_PROXY
+ value: "80"
+ - name: TAILSCALED_STATE
+ value: "/tailscale/tailscaled.state"
+ - name: TAILSCALE_AUTH_KEY
+ valueFrom:
+ secretKeyRef:
+ name: tailscale-auth
+ key: TS_AUTH_KEY
+ optional: true
+ volumeMounts:
+ - name: data
+ mountPath: /tailscale
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: tailscale-state
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: tailscale-state
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: nfs-client
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx-tailscale-serve
+spec:
+ selector:
+ app: nginx-tailscale-serve
+ ports:
+ - port: 80
+ targetPort: 80
diff --git a/homelab/tailscale-serve/nginx.yaml b/homelab/tailscale-serve/nginx.yaml
deleted file mode 100644
index c656a56..0000000
--- a/homelab/tailscale-serve/nginx.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-tailscale-serve
-spec:
- selector:
- matchLabels:
- app: nginx-tailscale-serve
- template:
- metadata:
- labels:
- app: nginx-tailscale-serve
- spec:
- containers:
- - name: hue
- image: icr.gmem.ca/hue
- resources:
- limits:
- memory: "32Mi"
- cpu: "100m"
- requests:
- memory: "16Mi"
- cpu: "1m"
- ports:
- - containerPort: 443
- env:
- - name: PORT
- value: "443"
- - name: tailscale-serve
- image: icr.gmem.ca/tailscale
- resources:
- requests:
- memory: "1Mi"
- cpu: "1m"
- limits:
- memory: "128Mi"
- cpu: "500m"
- env:
- - name: TAILSCALE_HOSTNAME
- value: "kubernetes-test"
- - name: TAILSCALED_TUN
- value: "userspace-networking"
- - name: TAILSCALE_FUNNEL_PROXY
- value: "443"
- - name: TAILSCALE_AUTH_KEY
- valueFrom:
- secretKeyRef:
- name: tailscale-auth
- key: TS_AUTH_KEY
- optional: true
----
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-tailscale-serve
-spec:
- selector:
- app: nginx-tailscale-serve
- ports:
- - port: 80
- targetPort: 80
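Review bot: Both images in the Deployment are untagged (`image: nginx`, `image: icr.gmem.ca/tailscale`), so every rollout pulls whatever `latest` is at that moment and the init container and sidecar can silently drift apart; pin by tag or `@sha256:` digest. The TLS private key the init container writes to `/tailscale/key`, and the node state in `/tailscale/tailscaled.state`, live on the `nfs-client` PVC `tailscale-state`, so anyone with access to that NFS export can read the key — worth a comment in the manifest and a restricted export. The `tailscale-auth` secret is `optional: true` on both containers, so a missing or misnamed secret does not fail the pod; the presumable consequence is a tailscaled that sits waiting for an interactive login, which is harder to notice than a pod stuck in CreateContainerConfigError. None of the containers set a `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`), which the userspace-networking mode should permit — confirm against the image. The Deployment has no `strategy`; with a single ReadWriteOnce claim the default RollingUpdate's replacement pod may not be able to attach `tailscale-state` until the old pod is gone, so `strategy: { type: Recreate }` is the safer choice.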