C1: add containers/tailscale (nix) for ringtail proxyclass

Local mirror of docker.io/tailscale/tailscale, pinned at v1.94.2 to match service-versions.yaml and current ringtail proxyclass. Nix-only build via ringtail's nix-container-builder runner; mirrors upstream Dockerfile contents (tailscale, tailscaled, containerboot binaries plus iptables, iproute2, ca-certificates). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 06:29:16 -07:00 · 2026-05-06 06:29:16 -07:00 · 67af7a8e60
commit 67af7a8e60
parent 6f0d80ca1e
1 changed files with 77 additions and 0 deletions
--- a/containers/tailscale/default.nix
+++ b/containers/tailscale/default.nix
@ -0,0 +1,77 @@
+# Nix-built tailscale container for ringtail's tailscale-operator ProxyClass
+# Builds v1.94.2 from forge mirror; mirrors upstream Dockerfile contents.
+# Built with dockerTools.buildLayeredImage on the ringtail nix-container-builder.
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  version = "1.94.2";
+
+  src = pkgs.fetchgit {
+    url = "https://forge.ops.eblu.me/mirrors/tailscale.git";
+    rev = "v${version}";
+    hash = "sha256-qjWVB8xWVgIVUgrf27F6hwiFIE+4ERXWeHv26ugg/x4=";
+  };
+
+  tailscale = pkgs.buildGoModule {
+    inherit src version;
+    pname = "tailscale";
+    vendorHash = "sha256-WeMTOkERj4hvdg4yPaZ1gRgKnhRIBXX55kUVbX/k/xM=";
+
+    subPackages = [
+      "cmd/tailscale"
+      "cmd/tailscaled"
+      "cmd/containerboot"
+    ];
+
+    ldflags = [
+      "-s"
+      "-w"
+      "-X tailscale.com/version.longStamp=${version}"
+      "-X tailscale.com/version.shortStamp=${version}"
+    ];
+
+    doCheck = false;
+
+    meta = with pkgs.lib; {
+      description = "The easiest, most secure way to use WireGuard";
+      homepage = "https://tailscale.com";
+      license = licenses.bsd3;
+    };
+  };
+in
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/tailscale";
+  tag = "v${version}";
+
+  contents = [
+    tailscale
+    pkgs.cacert
+    pkgs.iptables
+    pkgs.iproute2
+    pkgs.tzdata
+    pkgs.busybox
+  ];
+
+  # Match upstream Dockerfile: symlink iptables-legacy over iptables.
+  # Synology NAS and similar hosts don't support nftables.
+  # Also recreate the /tailscale/run.sh compat symlink.
+  extraCommands = ''
+    rm -f usr/sbin/iptables usr/sbin/ip6tables
+    ln -s ${pkgs.iptables}/bin/iptables-legacy usr/sbin/iptables || true
+    ln -s ${pkgs.iptables}/bin/ip6tables-legacy usr/sbin/ip6tables || true
+    mkdir -p tailscale
+    ln -s /bin/containerboot tailscale/run.sh
+    mkdir -p tmp
+    chmod 1777 tmp
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/containerboot" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+      "PATH=/bin:/usr/bin:/usr/sbin"
+    ];
+  };
+}