Route entire cluster subnet over tailscale

.gitattributes

@@ -1 +1,2 @@
 _secrets.yaml filter=git-crypt diff=git-crypt
+secrets.yaml filter=git-crypt diff=git-crypt

config.yaml

@@ -1,3 +1,6 @@
 server:
     tftpIp: 192.168.1.1
     httpUrl: http://192.168.1.1:8000
+
+tailscale:
+    loginServer: https://headscale.huizinga.dev

nodes/_defaults.yaml

@@ -26,5 +26,6 @@ patches:
     - !patch install-disk
     - !patch network
     - !patch vip
+    - !patch tailscale
 patchesControlPlane:
     - !patch allow-control-plane-workloads

patches/hostname.yaml

@@ -1,3 +1,3 @@
 machine:
     network:
-        hostname: {{hostname}}
+        hostname: {{node.hostname}}

patches/install-disk.yaml

@@ -1,3 +1,3 @@
 machine:
     install:
-        disk: {{installDisk}}
+        disk: {{node.installDisk}}

patches/network.yaml

@@ -1,10 +1,10 @@
 machine:
     network:
         interfaces:
-            - interface: {{interface}}
+            - interface: {{node.interface}}
               dhcp: false
               addresses:
-                  - {{ip}}
+                  - {{node.ip}}
               routes:
                   - network: 0.0.0.0/0
-                    gateway: {{gateway}}
+                    gateway: {{node.gateway}}

patches/tailscale.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: tailscale
+environment:
+    - TS_AUTHKEY={{ config.tailscale.authKey }}
+    - TS_EXTRA_ARGS=--login-server https://headscale.huizinga.dev
+    - TS_ROUTES={{ helper.tailscale_subnet(node.gateway, node.netmask) }}

patches/vip.yaml

@@ -1,6 +1,6 @@
 machine:
     network:
         interfaces:
-            - interface: {{interface}}
+            - interface: {{node.interface}}
               vip:
-                  ip: {{cluster.controlPlaneIp}}
+                  ip: {{node.cluster.controlPlaneIp}}

requirements.txt

@@ -2,3 +2,4 @@ PyYAML==6.0.3
 requests==2.32.5
 Jinja2==3.1.6
 GitPython==3.1.45
+netaddr==1.3.0

schematics/default.yaml

@@ -5,3 +5,4 @@ customization:
             - siderolabs/util-linux-tools
             - siderolabs/intel-ucode
             - siderolabs/i915
+            - siderolabs/tailscale

tools/render

@@ -11,6 +11,7 @@ import git
 import requests
 import yaml
 from jinja2 import Environment, FileSystemLoader, StrictUndefined, Template
+from netaddr import IPAddress
 
 REPO = git.Repo(sys.path[0], search_parent_directories=True)
 assert REPO.working_dir is not None
@@ -40,7 +41,7 @@ def render_templates(node: dict, args: dict):
         def default(self, o):
             if isinstance(o, Template):
                 try:
-                    rendered = o.render(args | node)
+                    rendered = o.render(args | {"node": node})
                 except Exception as e:
                     e.add_note(f"While rendering for: {node['hostname']}")
                     raise e
@@ -52,6 +53,11 @@ def render_templates(node: dict, args: dict):
     return Inner
 
 
+def tailscale_subnet(gateway: str, netmask: str):
+    netmask_bits = IPAddress(netmask).netmask_bits()
+    return f"{IPAddress(gateway) & IPAddress(netmask)}/{netmask_bits}"
+
+
 @functools.cache
 def get_schematic_id(schematic: str):
     """Lookup the schematic id associated with a given schematic"""
@@ -134,7 +140,14 @@ def main():
     with open(ROOT.joinpath("config.yaml")) as fyaml:
         config = yaml.safe_load(fyaml)
 
-    template_args = {"config": config, "root": ROOT}
+    with open(ROOT.joinpath("secrets.yaml")) as fyaml:
+        config |= yaml.safe_load(fyaml)
+
+    template_args = {
+        "config": config,
+        "root": ROOT,
+        "helper": {"tailscale_subnet": tailscale_subnet},
+    }
 
     nodes = []
     for fullname in walk_files(NODES):