From 0108b687693a3bbca2c43189fce819c20b25fabe Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Wed, 6 May 2026 06:50:31 -0700
Subject: [PATCH] C1: mirror tailscale container locally for ringtail
 proxyclass (#347)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Adds the first cut of a local nix build for `docker.io/tailscale/tailscale` and rewires only the ringtail tailscale-operator overlay to use it. Indri's overlay continues pulling upstream — minikube on indri is being decommissioned in favor of ringtail's k3s, so investing in dual-cluster routing here would be wasted churn.

## Changes

- `containers/tailscale/default.nix` — `buildGoModule` over `cmd/tailscale`, `cmd/tailscaled`, `cmd/containerboot`; packaged via `dockerTools.buildLayeredImage` with `cacert`, `iptables` (legacy symlink to match upstream Synology compat), `iproute2`, `tzdata`, `busybox`.
- `argocd/manifests/tailscale-operator-ringtail/kustomization.yaml` — kustomize `images:` rewrite swapping `docker.io/tailscale/tailscale` → `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`.
- `docs/changelog.d/mirror-tailscale-container.infra.md` — fragment.

## Pin rationale

v1.94.2 matches `service-versions.yaml:96` and the current ProxyClass exactly — this PR is "make it local," not "upgrade tailscale." Version bumps come as follow-up C0/C1 changes once we decide to test newer (v1.96.x had a Fly-side MagicDNS regression; v1.98.0 is current upstream stable).

## Test plan

- [x] Image built successfully on ringtail nix-container-builder (run #528).
- [x] Image visible in registry: `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`.
- [ ] Deploy from branch: `argocd app set tailscale-operator-ringtail --revision mirror-tailscale-container && argocd app sync tailscale-operator-ringtail`.
- [ ] Verify proxy pods restart with new image and existing tailnet ingresses (e.g., authentik, immich, tempo) keep resolving.
- [ ] After merge: rebuild on main SHA, update kustomization, run `services-check`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/347
---
 .../kustomization.yaml                        | 14 ++++
 .../proxyclass-image.yaml                     | 11 +++
 containers/tailscale/default.nix              | 77 +++++++++++++++++++
 .../mirror-tailscale-container.infra.md       |  1 +
 4 files changed, 103 insertions(+)
 create mode 100644 argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml
 create mode 100644 containers/tailscale/default.nix
 create mode 100644 docs/changelog.d/mirror-tailscale-container.infra.md

diff --git a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
index a14ca81..2d9ceb2 100644
--- a/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
+++ b/argocd/manifests/tailscale-operator-ringtail/kustomization.yaml
@@ -8,3 +8,17 @@ resources:
   - ../tailscale-operator-base
   - proxygroup-ingress.yaml
   - external-secret.yaml
+
+# Rewrite the proxyclass image to our local nix-built mirror.
+# Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
+# pulls from upstream docker.io. A strategic merge patch is used instead of
+# kustomize's `images:` directive because that directive only rewrites images
+# in standard k8s container fields, not custom-resource fields like
+# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+patches:
+  - path: proxyclass-image.yaml
+    target:
+      group: tailscale.com
+      version: v1alpha1
+      kind: ProxyClass
+      name: default
diff --git a/argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml b/argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml
new file mode 100644
index 0000000..b585e22
--- /dev/null
+++ b/argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml
@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix
+      tailscaleInitContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix
diff --git a/containers/tailscale/default.nix b/containers/tailscale/default.nix
new file mode 100644
index 0000000..8e87f76
--- /dev/null
+++ b/containers/tailscale/default.nix
@@ -0,0 +1,77 @@
+# Nix-built tailscale container for ringtail's tailscale-operator ProxyClass
+# Builds v1.94.2 from forge mirror; mirrors upstream Dockerfile contents.
+# Built with dockerTools.buildLayeredImage on the ringtail nix-container-builder.
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  version = "1.94.2";
+
+  src = pkgs.fetchgit {
+    url = "https://forge.ops.eblu.me/mirrors/tailscale.git";
+    rev = "v${version}";
+    hash = "sha256-qjWVB8xWVgIVUgrf27F6hwiFIE+4ERXWeHv26ugg/x4=";
+  };
+
+  tailscale = pkgs.buildGoModule {
+    inherit src version;
+    pname = "tailscale";
+    vendorHash = "sha256-WeMTOkERj4hvdg4yPaZ1gRgKnhRIBXX55kUVbX/k/xM=";
+
+    subPackages = [
+      "cmd/tailscale"
+      "cmd/tailscaled"
+      "cmd/containerboot"
+    ];
+
+    ldflags = [
+      "-s"
+      "-w"
+      "-X tailscale.com/version.longStamp=${version}"
+      "-X tailscale.com/version.shortStamp=${version}"
+    ];
+
+    doCheck = false;
+
+    meta = with pkgs.lib; {
+      description = "The easiest, most secure way to use WireGuard";
+      homepage = "https://tailscale.com";
+      license = licenses.bsd3;
+    };
+  };
+in
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/tailscale";
+  tag = "v${version}";
+
+  contents = [
+    tailscale
+    pkgs.cacert
+    pkgs.iptables
+    pkgs.iproute2
+    pkgs.tzdata
+    pkgs.busybox
+  ];
+
+  # Match upstream Dockerfile: symlink iptables-legacy over iptables.
+  # Synology NAS and similar hosts don't support nftables.
+  # Also recreate the /tailscale/run.sh compat symlink.
+  extraCommands = ''
+    rm -f usr/sbin/iptables usr/sbin/ip6tables
+    ln -s ${pkgs.iptables}/bin/iptables-legacy usr/sbin/iptables || true
+    ln -s ${pkgs.iptables}/bin/ip6tables-legacy usr/sbin/ip6tables || true
+    mkdir -p tailscale
+    ln -s /bin/containerboot tailscale/run.sh
+    mkdir -p tmp
+    chmod 1777 tmp
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/containerboot" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+      "PATH=/bin:/usr/bin:/usr/sbin"
+    ];
+  };
+}
diff --git a/docs/changelog.d/mirror-tailscale-container.infra.md b/docs/changelog.d/mirror-tailscale-container.infra.md
new file mode 100644
index 0000000..54ca3ba
--- /dev/null
+++ b/docs/changelog.d/mirror-tailscale-container.infra.md
@@ -0,0 +1 @@
+Add local nix container build for `tailscale` (`containers/tailscale/default.nix`) so ringtail's tailscale-operator ProxyClass proxy pods pull from the forge mirror instead of `docker.io/tailscale/tailscale`. Pinned at v1.94.2 to match `service-versions.yaml`. Indri's tailscale-operator continues to use upstream during the k8s-to-ringtail migration.