eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/containers/tailscale/default.nix
Erich Blume 0108b68769 C1: mirror tailscale container locally for ringtail proxyclass (#347) 
## Summary

Adds the first cut of a local nix build for `docker.io/tailscale/tailscale` and rewires only the ringtail tailscale-operator overlay to use it. Indri's overlay continues pulling upstream — minikube on indri is being decommissioned in favor of ringtail's k3s, so investing in dual-cluster routing here would be wasted churn.

## Changes

- `containers/tailscale/default.nix` — `buildGoModule` over `cmd/tailscale`, `cmd/tailscaled`, `cmd/containerboot`; packaged via `dockerTools.buildLayeredImage` with `cacert`, `iptables` (legacy symlink to match upstream Synology compat), `iproute2`, `tzdata`, `busybox`.
- `argocd/manifests/tailscale-operator-ringtail/kustomization.yaml` — kustomize `images:` rewrite swapping `docker.io/tailscale/tailscale` → `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`.
- `docs/changelog.d/mirror-tailscale-container.infra.md` — fragment.

## Pin rationale

v1.94.2 matches `service-versions.yaml:96` and the current ProxyClass exactly — this PR is "make it local," not "upgrade tailscale." Version bumps come as follow-up C0/C1 changes once we decide to test newer (v1.96.x had a Fly-side MagicDNS regression; v1.98.0 is current upstream stable).

## Test plan

- [x] Image built successfully on ringtail nix-container-builder (run #528).
- [x] Image visible in registry: `registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix`.
- [ ] Deploy from branch: `argocd app set tailscale-operator-ringtail --revision mirror-tailscale-container && argocd app sync tailscale-operator-ringtail`.
- [ ] Verify proxy pods restart with new image and existing tailnet ingresses (e.g., authentik, immich, tempo) keep resolving.
- [ ] After merge: rebuild on main SHA, update kustomization, run `services-check`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #347
2026-05-06 06:50:31 -07:00

77 lines
2 KiB
Nix
Raw Blame History

# Nix-built tailscale container for ringtail's tailscale-operator ProxyClass
# Builds v1.94.2 from forge mirror; mirrors upstream Dockerfile contents.
# Built with dockerTools.buildLayeredImage on the ringtail nix-container-builder.
{ pkgs ? import <nixpkgs> { } }:
let
version = "1.94.2";
src = pkgs.fetchgit {
url = "https://forge.ops.eblu.me/mirrors/tailscale.git";
rev = "v${version}";
hash = "sha256-qjWVB8xWVgIVUgrf27F6hwiFIE+4ERXWeHv26ugg/x4=";
};
tailscale = pkgs.buildGoModule {
inherit src version;
pname = "tailscale";
vendorHash = "sha256-WeMTOkERj4hvdg4yPaZ1gRgKnhRIBXX55kUVbX/k/xM=";
subPackages = [
"cmd/tailscale"
"cmd/tailscaled"
"cmd/containerboot"
];
ldflags = [
"-s"
"-w"
"-X tailscale.com/version.longStamp=${version}"
"-X tailscale.com/version.shortStamp=${version}"
];
doCheck = false;
meta = with pkgs.lib; {
description = "The easiest, most secure way to use WireGuard";
homepage = "https://tailscale.com";
license = licenses.bsd3;
};
};
in
pkgs.dockerTools.buildLayeredImage {
name = "blumeops/tailscale";
tag = "v${version}";
contents = [
tailscale
pkgs.cacert
pkgs.iptables
pkgs.iproute2
pkgs.tzdata
pkgs.busybox
];
# Match upstream Dockerfile: symlink iptables-legacy over iptables.
# Synology NAS and similar hosts don't support nftables.
# Also recreate the /tailscale/run.sh compat symlink.
extraCommands = ''
rm -f usr/sbin/iptables usr/sbin/ip6tables
ln -s ${pkgs.iptables}/bin/iptables-legacy usr/sbin/iptables || true
ln -s ${pkgs.iptables}/bin/ip6tables-legacy usr/sbin/ip6tables || true
mkdir -p tailscale
ln -s /bin/containerboot tailscale/run.sh
mkdir -p tmp
chmod 1777 tmp
'';
config = {
Entrypoint = [ "/bin/containerboot" ];
Env = [
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"TZDIR=${pkgs.tzdata}/share/zoneinfo"
"PATH=/bin:/usr/bin:/usr/sbin"
];
};
}
Reference in a new issue View git blame Copy permalink