airgapped developement audit #418

Closed
opened 2026-06-26 15:59:56 +00:00 by coilysiren · 1 comment
Owner

Kai's note: create a list of what I would need to do everyday dev "airgapped" inside my tailnet via goose or similar. (see also #417)

Deliverable

A single audit doc, docs/airgapped-dev-audit.md: enumerate every external dependency in the daily dev loop, classify each as [tailnet-native] / [has in-tailnet substitute] / [HARD GAP - needs public internet], and for every gap give the remediation (and file a follow-up issue for it). This is an inventory/audit task - the output is the doc, not code.

Seed inventory (verified in-repo - the goose should confirm each and expand)

  • Git hosting - [tailnet-native] - forgejo.coilysiren.me + in-cluster forgejo.forgejo.svc.cluster.local.
  • Homelab container images - [tailnet-native] - in-cluster OCI registry, ns registry, NodePort 30500 (192.168.0.194:30500, deploy/registry.yml).
  • Base/upstream container images - [HARD GAP] - codeberg.org, data.forgejo.org, ghcr.io, docker.io are pulled from the public internet (see image refs in deploy/forgejo.yml, deploy/forgejo-runner*.yml). Remediation: a pull-through cache / mirror in the in-cluster registry, or pre-baked images.
  • Secrets - [HARD GAP -> being fixed] - AWS SSM is public + 2FA-gated. Mitigated by #417 (mirror SSM into k3s). Until #417 lands, every secret read is a public AWS call.
  • LLM inference - [tailnet-native] - tower ollama (kai-tower-3026), in-cluster llama service, and the mac-proxy box.
  • Package managers - [HARD GAP] - brew, uv/pip (PyPI), npm, go mod, apt all hit public upstreams. Remediation: local pull-through caches (Sonatype Nexus / devpi / Athens / apt-cacher-ng) or pre-baked dev images.
  • DNS + TLS issuance - [HARD GAP for issuance] - cert-manager DNS-01 via Route 53 (public AWS). Existing certs are cached; renewal needs public AWS.
  • CI - [tailnet-native runner, gapped deps] - forgejo-runner runs in-cluster (deploy/forgejo-runner.yml) but jobs pull public deps/images (same gaps as above).
  • Agent containers - [tailnet-native] - ward agent pulls dev-base:latest from the forgejo registry.
  • Tailscale control plane - [HARD GAP - fundamental] - the coordination server is Tailscale SaaS, reached over the public internet. True full airgap needs Headscale. This is the structural limit #419 should also surface.

What to do

For each line above (and anything the goose finds the daily loop touches): state precisely what breaks when public internet is cut, and the in-tailnet substitute or the work needed to make one. File a follow-up infrastructure issue per HARD GAP and link it from the doc.

Acceptance

  • docs/airgapped-dev-audit.md exists, every daily-loop dependency is classified with one of the three tags, and each HARD GAP has a linked follow-up issue.
  • Cross-links #417 (secrets) and #419 (tailnet airgap mode).
> **Kai's note:** create a list of what I would need to do everyday dev "airgapped" inside my tailnet via goose or similar. (see also #417) ## Deliverable A single audit doc, `docs/airgapped-dev-audit.md`: enumerate **every external dependency in the daily dev loop**, classify each as **[tailnet-native]** / **[has in-tailnet substitute]** / **[HARD GAP - needs public internet]**, and for every gap give the remediation (and file a follow-up issue for it). This is an inventory/audit task - the output is the doc, not code. ## Seed inventory (verified in-repo - the goose should confirm each and expand) - **Git hosting** - `[tailnet-native]` - `forgejo.coilysiren.me` + in-cluster `forgejo.forgejo.svc.cluster.local`. - **Homelab container images** - `[tailnet-native]` - in-cluster OCI registry, ns `registry`, NodePort `30500` (`192.168.0.194:30500`, `deploy/registry.yml`). - **Base/upstream container images** - `[HARD GAP]` - `codeberg.org`, `data.forgejo.org`, `ghcr.io`, `docker.io` are pulled from the public internet (see image refs in `deploy/forgejo.yml`, `deploy/forgejo-runner*.yml`). Remediation: a pull-through cache / mirror in the in-cluster registry, or pre-baked images. - **Secrets** - `[HARD GAP -> being fixed]` - AWS SSM is public + 2FA-gated. Mitigated by **#417** (mirror SSM into k3s). Until #417 lands, every secret read is a public AWS call. - **LLM inference** - `[tailnet-native]` - tower ollama (`kai-tower-3026`), in-cluster `llama` service, and the mac-proxy box. - **Package managers** - `[HARD GAP]` - brew, uv/pip (PyPI), npm, `go mod`, apt all hit public upstreams. Remediation: local pull-through caches (Sonatype Nexus / devpi / Athens / apt-cacher-ng) or pre-baked dev images. - **DNS + TLS issuance** - `[HARD GAP for issuance]` - cert-manager DNS-01 via **Route 53** (public AWS). Existing certs are cached; renewal needs public AWS. - **CI** - `[tailnet-native runner, gapped deps]` - forgejo-runner runs in-cluster (`deploy/forgejo-runner.yml`) but jobs pull public deps/images (same gaps as above). - **Agent containers** - `[tailnet-native]` - `ward agent` pulls `dev-base:latest` from the forgejo registry. - **Tailscale control plane** - `[HARD GAP - fundamental]` - the coordination server is Tailscale SaaS, reached over the public internet. True full airgap needs Headscale. This is the structural limit #419 should also surface. ## What to do For each line above (and anything the goose finds the daily loop touches): state precisely **what breaks when public internet is cut**, and the in-tailnet substitute or the work needed to make one. File a follow-up `infrastructure` issue per HARD GAP and link it from the doc. ## Acceptance - `docs/airgapped-dev-audit.md` exists, every daily-loop dependency is classified with one of the three tags, and each HARD GAP has a linked follow-up issue. - Cross-links #417 (secrets) and #419 (tailnet airgap mode).
Author
Owner

see also: #417

see also: https://forgejo.coilysiren.me/coilyco-flight-deck/infrastructure/issues/417
Sign in to join this conversation.
No description provided.