fix(headscale): Add internal ingress to ACL

eaglesemanation · Feb 2, 2025 · 809c001 · 809c001
1 parent 4623853
commit 809c001
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 16 deletions.
diff --git a/k8s/apps/network/headscale/acl.jsonc b/k8s/apps/network/headscale/acl.jsonc
@@ -1,18 +1,44 @@
 {
-  "groups": {
-    "group:admin": ["eaglesemanation"],
-  },
-  "tagOwners": {
-    "tag:exit-node": ["group:admin"],
-  },
-  "autoApprovers": {
-    "exitNode": ["tag:exit-node"],
-  },
-  "acls": [
-    {
-      "action": "accept",
-      "src": ["*"],
-      "dst": ["tag:exit-node:0", "autogroup:internet:*"],
+    "groups": {
+        "group:admin": [
+            "eaglesemanation"
+        ],
+        "group:internal": [
+            "eaglesemanation",
+            "laser532"
+        ],
     },
-  ],
+    "tagOwners": {
+        "tag:exit-node": [
+            "group:admin"
+        ],
+    },
+    "autoApprovers": {
+        "exitNode": [
+            "tag:exit-node"
+        ],
+    },
+    "acls": [
+        {
+            "action": "accept",
+            "src": [
+                "*"
+            ],
+            "dst": [
+                "tag:exit-node:0",
+                "autogroup:internet:*",
+            ],
+        },
+        {
+            "action": "accept",
+            "src": [
+                "group:internal"
+            ],
+            "dst": [
+                "tag:exit-node:*",
+                "${SVC_DNS_ADDR}/32:53",
+                "${SVC_INGRESS_INTERNAL_ADDR}/32:80,443"
+            ],
+        },
+    ],
 }
diff --git a/k8s/apps/network/headscale/deployment.k8s.yaml b/k8s/apps/network/headscale/deployment.k8s.yaml
@@ -154,14 +154,23 @@ spec:
         app.kubernetes.io/instance: tailscale-exit-node
     spec:
       serviceAccountName: tailscale-exit-node
+      initContainers:
+        - name: sysctler
+          image: docker.io/library/busybox:1.37.0
+          securityContext:
+            privileged: true
+          command: ["/bin/sh"]
+          args:
+            - -c
+            - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
       containers:
         - name: tailscale
           image: ghcr.io/tailscale/tailscale:v1.78.3
           env:
             - name: TS_USERSPACE
               value: "false"
             - name: TS_EXTRA_ARGS
-              value: "--advertise-tags=tag:exit-node --advertise-exit-node --login-server=https://headscale.${CLUSTER_DOMAIN}"
+              value: "--advertise-tags=tag:exit-node --advertise-routes=192.168.25.0/24 --advertise-exit-node --login-server=https://headscale.${CLUSTER_DOMAIN}"
             - name: TS_KUBE_SECRET
               value: tailscale-exit-node-state
             - name: TS_HOSTNAME