Deploy tailscale and Vault via docker compose. Those are the minimum requirements to deploy a base infra via IaC. This is the controller for the pamji on-prem infra. It serves as a low-spec router, failover VPN access point and secrets manager.
- predeployed openwrt router
- a tailscale and a vault docker container
- those are the minimum requirements to deploy the base infra via IaC.
- generate a tailscale OAuth key
- ssh into the openwrt router
- get the files:
      wget --no-check-certificate --content-disposition https://github.com/pam-ji/onpremctl/archive/refs/heads/main.zip
      unzip onpremctl-main.zip
- cd into `onpremctl-main/docker`
- export your authkey:
      export TS_AUTHKEY="tskey-client-..."
- edit your tailscale flags in the compose file under `TS_EXTRA_ARGS=`; mine are for routing and ssh (tags must carry the `tag:` prefix, otherwise the CLI rejects them):
      TS_EXTRA_ARGS=--ssh --advertise-routes=200.0.0.0/8,192.168.0.0/16 --advertise-tags=tag:ci
- now you can deploy with:
      docker compose up
- unfortunately you need to click the login link in the docker compose output; it's one of the first lines of the tailscale logs
- ssh into the container
- since we have ssh access via tailscale and wifi access via the router, we don't need to worry about breaking something:
      tailscale set --advertise-routes=200.0.0.0/8,192.168.0.0/16
  this way you don't need to use `tailscale down`, or pass `""` as the advertised routes, to remove them
- tailscale should use the TS_AUTHKEY, which is available as an env var in the container and can be used via `$TS_AUTHKEY`, but somehow tailscale requires an initial login. The weird thing is, though, that when you rerun compose it does not ask for the login again and uses the authkey.
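An added example of what the compose file in `onpremctl-main/docker` could look like with the flags from the steps above; it is not the project's own file. The vault service, the state volume paths, the host networking and the sysctl are assumptions; the persisted state volume is what lets a rerun reuse the existing login instead of asking again.

```yaml
# Added example, not the onpremctl project's own docker-compose.yml.
# Assumes the official tailscale/tailscale and hashicorp/vault images and
# that the router has net.ipv4.ip_forward=1 set for subnet routing.
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: onpremctl             # node name shown in the tailnet
    network_mode: host              # node must see the LAN to route 192.168.0.0/16
    cap_add:
      - NET_ADMIN                   # kernel-mode networking for subnet routes
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      # Read from the shell that runs `docker compose up`; never hard-code it here.
      # Compose aborts with the message if the variable is unset.
      TS_AUTHKEY: ${TS_AUTHKEY:?export TS_AUTHKEY first}
      TS_STATE_DIR: /var/lib/tailscale
      TS_USERSPACE: "false"
      # Same flags as in the steps above; `tailscale set` inside the container
      # changes the routes later without `tailscale down`.
      TS_EXTRA_ARGS: --ssh --advertise-routes=200.0.0.0/8,192.168.0.0/16 --advertise-tags=tag:ci
    volumes:
      # Persisted node state (assumed path on the router): because the login
      # lands here, a later `docker compose up` does not show the link again.
      - ./tailscale-state:/var/lib/tailscale
    restart: unless-stopped

  vault:
    image: hashicorp/vault:latest
    container_name: vault
    network_mode: host
    cap_add:
      - IPC_LOCK                    # lets Vault mlock its memory
    environment:
      # Assumed minimal server config: file storage and a listener bound to
      # loopback only, so Vault is reached through the tailscale ssh session
      # rather than exposed on the LAN or the tailnet directly.
      VAULT_LOCAL_CONFIG: >-
        {"storage":{"file":{"path":"/vault/file"}},
         "listener":{"tcp":{"address":"127.0.0.1:8200","tls_disable":true}},
         "ui":true}
    volumes:
      - ./vault-data:/vault/file    # assumed path for the sealed storage
    command: server
    restart: unless-stopped
```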
under interfaces -> devices -> docker0
firewall
This is our dev environment, which is scalable via AWS. Development is done locally, and AWS is simulated locally too using LocalStack. The development containers are stored in GitLab.