diff --git a/machines/storage01/netbird.nix b/machines/storage01/netbird.nix
new file mode 100644
index 0000000..3ec6666
--- /dev/null
+++ b/machines/storage01/netbird.nix
@@ -0,0 +1,82 @@
+{
+ config,
+ lib,
+ nixpkgs,
+ ...
+}:
+
+let
+ domain = "netbird.dgnum.eu";
+
+ s = name: config.age.secrets.${name}.path;
+in
+{
+ services = {
+ netbird.server = {
+ enable = true;
+
+ package = nixpkgs.unstable.netbird;
+
+ inherit domain;
+
+ enableNginx = true;
+
+ coturn.enable = lib.mkForce false;
+
+ relay = {
+ environmentFile = s "netbird-relay_environment_file";
+ metricsPort = 9094;
+ };
+
+ dashboard = {
+ settings = {
+ AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
+ AUTH_AUDIENCE = "dgn_netbird";
+ AUTH_CLIENT_ID = "dgn_netbird";
+ };
+ };
+
+ management = {
+ oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration";
+
+ dnsDomain = "dgnum";
+
+ metricsPort = 9092;
+
+ settings = {
+ DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file";
+
+ PKCEAuthorizationFlow.ProviderConfig = {
+ Audience = "dgn_netbird";
+ ClientID = "dgn_netbird";
+ AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2";
+ TokenEndpoint = "https://sso.dgnum.eu/oauth2/token";
+ };
+
+ IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird";
+
+ DeviceAuthorizationFlow = {
+ Provider = "none";
+ ProviderConfig = {
+ Audience = "dgn_netbird";
+ ClientID = "dgn_netbird";
+ };
+ };
+
+ Relay = {
+ Addresses = [ "rels://${domain}:443" ];
+ CredentialsTTL = "24h";
+ Secret._secret = s "netbird-relay_secret_file";
+ };
+ };
+ };
+ };
+
+ nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
+}
diff --git a/machines/storage01/netbird/default.nix b/machines/storage01/netbird/default.nix
deleted file mode 100644
index 178d4ef..0000000
--- a/machines/storage01/netbird/default.nix
+++ /dev/null
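Review bot: `Relay.Secret._secret` (netbird-relay_secret_file) and `relay.environmentFile` (netbird-relay_environment_file) are two independent age secrets that presumably must carry the same relay auth secret — management issues relay credentials from the former, the relay service validates them with whatever the environment file sets — and nothing in this file ties them together, so rotating one without the other silently breaks relaying for every peer. A comment next to `Relay = {` stating that the two files must agree (and naming the variable the environment file sets) would make this safe to operate; deriving both from a single secret would be better still. Separately, the removed default.nix set `NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true` and `NETBIRD_TOKEN_SOURCE = "idToken"`, but the new `PKCEAuthorizationFlow.ProviderConfig` does not set `UseIDToken` and the dashboard settings carry no token source; confirm the module's defaults against sso.dgnum.eu or add `UseIDToken = true;` so peer login does not regress. The bind addresses for `metricsPort = 9092` and `metricsPort = 9094` are not visible here — confirm they are loopback-only or firewalled, since the metrics endpoints are unauthenticated.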
@@ -1,47 +0,0 @@
-{ config, ... }:
-
-let
- domain = "netbird.dgnum.eu";
-in
-{
- imports = [ ./module.nix ];
-
- services.netbird-server = {
- enable = true;
-
- logLevel = "DEBUG";
- enableDeviceAuthorizationFlow = false;
- enableNginx = true;
- enableCoturn = true;
- setupAutoOidc = true;
-
- management.dnsDomain = "dgnum";
-
- secretFiles.AUTH_CLIENT_SECRET = config.age.secrets."netbird-auth_client_secret_file".path;
-
- settings = {
- NETBIRD_DOMAIN = domain;
-
- TURN_PASSWORD = "tototest1234";
-
- NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/netbird_dgn/.well-known/openid-configuration";
- NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true;
-
- NETBIRD_AUTH_AUDIENCE = "netbird_dgn";
- NETBIRD_AUTH_CLIENT_ID = "netbird_dgn";
- NETBIRD_AUTH_USER_ID_CLAIM = "sub";
- # Updates the preference to use id tokens instead of access token on dashboard
- # Okta and Gitlab IDPs can benefit from this
- NETBIRD_TOKEN_SOURCE = "idToken";
-
- # NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:${p}") [
- # "53000"
- # "54000"
- # ];
-
- NETBIRD_STORE_CONFIG_ENGINE = "sqlite";
- };
- };
-
- dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
-}
diff --git a/machines/storage01/netbird/module.nix b/machines/storage01/netbird/module.nix
deleted file mode 100644
index b45da55..0000000
--- a/machines/storage01/netbird/module.nix
+++ /dev/null
@@ -1,643 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - inherit (lib) - filterAttrs - literalExpression - maintainers - mkDefault - mkEnableOption - mkIf - mkMerge - mkOption - optionalAttrs - optionalString - optionals - types - ; - - inherit ((import ./package { inherit pkgs; })) dashboard; - - cfg = config.services.netbird-server; - - stateDir = "/var/lib/netbird-mgmt"; - - settingsFormat = pkgs.formats.keyValue { }; - managementFormat = pkgs.formats.json { }; - - settingsFile = settingsFormat.generate "setup.env" ( - builtins.mapAttrs ( - _: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val - ) settings - ); - - managementFile = managementFormat.generate "config.json" cfg.managementConfig; - - settings = - rec { - TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN; - TURN_PORT = 3478; - TURN_USER = "netbird"; - TURN_MIN_PORT = 49152; - TURN_MAX_PORT = 65535; - TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null; - TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret"; - - STUN_USERNAME = ""; - STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null; - - NETBIRD_DASHBOARD_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:443"; - NETBIRD_MGMT_API_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${ - builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT - }"; - NETBIRD_SIGNAL_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${ - builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT - }"; - - NETBIRD_SIGNAL_PROTOCOL = "https"; - NETBIRD_SIGNAL_PORT = 443; - - NETBIRD_AUTH_USER_ID_CLAIM = "sub"; - NETBIRD_AUTH_CLIENT_SECRET = - if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else ""; - NETBIRD_AUTH_SUPPORTED_SCOPES = [ - "openid" - "profile" - "email" - "offline_access" - "api" - ]; - - NETBIRD_AUTH_REDIRECT_URI = ""; - NETBIRD_AUTH_SILENT_REDIRECT_URI = ""; - 
- NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none"; - NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID; - NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE; - NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ - "openid" - "profile" - "email" - "offline_access" - "api" - ]; - NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false; - - NETBIRD_MGMT_API_PORT = 443; - - NETBIRD_MGMT_IDP = "none"; - NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID; - NETBIRD_IDP_MGMT_CLIENT_SECRET = - if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then - "$IDP_MGMT_CLIENT_SECRET" - else - cfg.settings.NETBIRD_AUTH_CLIENT_SECRET; - NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials"; - - NETBIRD_TOKEN_SOURCE = "accessToken"; - NETBIRD_DRAG_QUERY_PARAMS = false; - - NETBIRD_USE_AUTH0 = false; - - NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = ""; - - NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ]; - NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map ( - p: "http://localhost:${p}" - ) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS; - } - // (optionalAttrs cfg.setupAutoOidc { - NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT"; - NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"; - NETBIRD_AUTH_TOKEN_ENDPOINT = "$NETBIRD_AUTH_TOKEN_ENDPOINT"; - NETBIRD_AUTH_JWT_CERTS = "$NETBIRD_AUTH_JWT_CERTS"; - NETBIRD_AUTH_AUTHORITY = "$NETBIRD_AUTH_AUTHORITY"; - }) - // cfg.settings; -in -{ - meta = { - maintainers = with maintainers; [ thubrecht ]; - }; - - options.services.netbird-server = { - enable = mkEnableOption (lib.mdDoc "netbird management service."); - - package = mkOption { - type = types.package; - default = pkgs.netbird; - defaultText = literalExpression "pkgs.netbird"; - description = lib.mdDoc "The package to use for netbird"; - }; - - settings = mkOption { - type = - with types; - attrsOf ( - nullOr (oneOf [ - (listOf str) - bool - int - float - str - ]) - ); - 
defaultText = lib.literalExpression '' - { - TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN; - TURN_PORT = 3478; - TURN_USER = "netbird"; - TURN_MIN_PORT = 49152; - TURN_MAX_PORT = 65535; - TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null; - TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret"; - - STUN_USERNAME = ""; - STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null; - - NETBIRD_DASHBOARD_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:443"; - NETBIRD_MGMT_API_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT}"; - NETBIRD_SIGNAL_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT}"; - - NETBIRD_SIGNAL_PROTOCOL = "https"; - NETBIRD_SIGNAL_PORT = 443; - - NETBIRD_AUTH_USER_ID_CLAIM = "sub"; - NETBIRD_AUTH_CLIENT_SECRET = if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else ""; - NETBIRD_AUTH_SUPPORTED_SCOPES = [ "openid" "profile" "email" "offline_access" "api" ]; - - NETBIRD_AUTH_REDIRECT_URI = ""; - NETBIRD_AUTH_SILENT_REDIRECT_URI = ""; - - NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none"; - NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID; - NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE; - NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ "openid" "profile" "email" "offline_access" "api" ]; - NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false; - - NETBIRD_MGMT_API_PORT = 443; - - NETBIRD_MGMT_IDP = "none"; - NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID; - NETBIRD_IDP_MGMT_CLIENT_SECRET = if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then "$IDP_MGMT_CLIENT_SECRET" else cfg.settings.NETBIRD_AUTH_CLIENT_SECRET; - NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials"; - - NETBIRD_TOKEN_SOURCE = "accessToken"; - 
NETBIRD_DRAG_QUERY_PARAMS = false; - - NETBIRD_USE_AUTH0 = false; - - NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = ""; - - NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ]; - NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:''${p}") cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS; - } - ''; - description = lib.mdDoc '' - Configuration settings for netbird. - Example config values can be found in [setup.env.example](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example) - List of strings [ a b ] will be concatenated as "a b", useful for setting the supported scopes. - ''; - }; - - managementConfig = mkOption { - inherit (managementFormat) type; - description = lib.mdDoc "Configuration of the netbird management server."; - }; - - idpManagerExtraConfig = mkOption { - type = types.attrsOf types.str; - default = { }; - description = lib.mdDoc "Extra options passed to the IdpManagerConfig."; - }; - - ports.management = mkOption { - type = types.port; - default = 8011; - description = lib.mdDoc "Internal port of the management server."; - }; - - ports.signal = mkOption { - type = types.port; - default = 8012; - description = lib.mdDoc "Internal port of the signal server."; - }; - - logLevel = mkOption { - type = types.enum [ - "ERROR" - "WARN" - "INFO" - "DEBUG" - ]; - default = "INFO"; - description = lib.mdDoc "Log level of the netbird services."; - }; - - enableDeviceAuthorizationFlow = mkEnableOption "device authorization flow for netbird." 
// { - default = true; - }; - - enableNginx = mkEnableOption "NGINX reverse-proxy for the netbird server."; - - enableCoturn = mkEnableOption "a Coturn server used for Netbird."; - - setupAutoOidc = mkEnableOption "the automatic setup of the OIDC."; - - management = { - - dnsDomain = mkOption { - type = types.str; - default = "netbird.selfhosted"; - description = lib.mdDoc "Domain used for peer resolution."; - }; - - singleAccountModeDomain = mkOption { - type = types.str; - default = "netbird.selfhosted"; - description = lib.mdDoc '' - Enables single account mode. - This means that all the users will be under the same account grouped by the specified domain. - If the installation has more than one account, the property is ineffective. - ''; - }; - - disableAnonymousMetrics = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc "Disables push of anonymous usage metrics to NetBird."; - }; - - disableSingleAccountMode = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - If set to true, disables single account mode. - The `singleAccountModeDomain` property will be ignored and every new user will have a separate NetBird account. 
- ''; - }; - }; - - secretFiles = { - TURN_PASSWORD = mkOption { - type = with types; nullOr path; - default = null; - description = lib.mdDoc "Path to a file containing the secret TURN_PASSWORD."; - }; - - TURN_SECRET = mkOption { - type = with types; nullOr path; - default = null; - description = lib.mdDoc "Path to a file containing the secret TURN_SECRET."; - }; - - STUN_PASSWORD = mkOption { - type = with types; nullOr path; - default = null; - description = lib.mdDoc "Path to a file containing the secret STUN_PASSWORD."; - }; - - AUTH_CLIENT_SECRET = mkOption { - type = with types; nullOr path; - default = null; - description = lib.mdDoc "Path to a file containing the secret NETBIRD_AUTH_CLIENT_SECRET."; - }; - - IDP_MGMT_CLIENT_SECRET = mkOption { - type = with types; nullOr path; - default = cfg.secretFiles.AUTH_CLIENT_SECRET; - defaultText = lib.literalExpression "cfg.secretFiles.AUTH_CLIENT_SECRET;"; - description = lib.mdDoc "Path to a file containing the secret NETBIRD_IDP_MGMT_CLIENT_SECRET."; - }; - }; - }; - - config = mkMerge [ - (mkIf cfg.enable { - services.netbird-server.managementConfig = with settings; { - Stuns = mkDefault [ - { - Proto = "udp"; - URI = "stun:${TURN_DOMAIN}:${builtins.toString TURN_PORT}"; - Username = STUN_USERNAME; - Password = STUN_PASSWORD; - } - ]; - TURNConfig = { - Turns = [ - { - Proto = "udp"; - URI = "turn:${TURN_DOMAIN}:${builtins.toString TURN_PORT}"; - Username = TURN_USER; - Password = TURN_PASSWORD; - } - ]; - CredentialsTTL = "12h"; - Secret = TURN_SECRET; - TimeBasedCredentials = false; - }; - Signal = { - Proto = NETBIRD_SIGNAL_PROTOCOL; - URI = "${NETBIRD_DOMAIN}:${builtins.toString NETBIRD_SIGNAL_PORT}"; - Username = ""; - Password = null; - }; - Datadir = "${stateDir}/data"; - HttpConfig = { - Address = "127.0.0.1:${builtins.toString cfg.ports.management}"; - AuthIssuer = NETBIRD_AUTH_AUTHORITY; - AuthAudience = NETBIRD_AUTH_AUDIENCE; - AuthKeysLocation = NETBIRD_AUTH_JWT_CERTS; - AuthUserIDClaim = 
NETBIRD_AUTH_USER_ID_CLAIM; - OIDCConfigEndpoint = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT; - }; - IdpManagerConfig = { - ManagerType = NETBIRD_MGMT_IDP; - ClientConfig = { - Issuer = NETBIRD_AUTH_AUTHORITY; - TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT; - ClientID = NETBIRD_IDP_MGMT_CLIENT_ID; - ClientSecret = NETBIRD_IDP_MGMT_CLIENT_SECRET; - GrantType = NETBIRD_IDP_MGMT_GRANT_TYPE; - }; - ExtraConfig = cfg.idpManagerExtraConfig; - }; - DeviceAuthorizationFlow = mkIf cfg.enableDeviceAuthorizationFlow { - Provider = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER; - ProviderConfig = { - Audience = NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE; - Domain = NETBIRD_AUTH_AUTHORITY; - ClientID = NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID; - TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT; - DeviceAuthEndpoint = NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT; - Scope = builtins.concatStringsSep " " NETBIRD_AUTH_DEVICE_AUTH_SCOPE; - UseIDToken = NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN; - }; - }; - PKCEAuthorizationFlow = { - ProviderConfig = { - Audience = NETBIRD_AUTH_AUDIENCE; - ClientID = NETBIRD_AUTH_CLIENT_ID; - ClientSecret = NETBIRD_AUTH_CLIENT_SECRET; - AuthorizationEndpoint = NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT; - TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT; - Scope = builtins.concatStringsSep " " NETBIRD_AUTH_SUPPORTED_SCOPES; - RedirectURLs = NETBIRD_AUTH_PKCE_REDIRECT_URLS; - UseIDToken = NETBIRD_AUTH_PKCE_USE_ID_TOKEN; - }; - }; - }; - - services.nginx.virtualHosts = mkIf cfg.enableNginx { - ${cfg.settings.NETBIRD_DOMAIN} = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - root = "${stateDir}/web-ui/"; - tryFiles = "$uri /index.html"; - }; - - "/signalexchange.SignalExchange/".extraConfig = '' - grpc_pass grpc://localhost:${builtins.toString cfg.ports.signal}; - grpc_read_timeout 1d; - grpc_send_timeout 1d; - grpc_socket_keepalive on; - ''; - - "/api".proxyPass = "http://localhost:${builtins.toString cfg.ports.management}"; - - "/management.ManagementService/".extraConfig = '' - 
grpc_pass grpc://localhost:${builtins.toString cfg.ports.management}; - grpc_read_timeout 1d; - grpc_send_timeout 1d; - grpc_socket_keepalive on; - ''; - }; - }; - }; - - systemd.services = { - netbird-setup = { - wantedBy = [ - "netbird-management.service" - "netbird-signal.service" - "multi-user.target" - ]; - serviceConfig = { - Type = "oneshot"; - RuntimeDirectory = "netbird-mgmt"; - StateDirectory = "netbird-mgmt"; - WorkingDirectory = stateDir; - EnvironmentFile = [ settingsFile ]; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; - - path = - (with pkgs; [ - coreutils - findutils - gettext - gnused - ]) - ++ (optionals cfg.setupAutoOidc ( - with pkgs; - [ - curl - jq - ] - )); - - script = - '' - cp ${managementFile} ${stateDir}/management.json.copy - '' - + (optionalString cfg.setupAutoOidc '' - mv ${stateDir}/management.json.copy ${stateDir}/management.json - echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file" - curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json - - export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json) - export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json) - export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json) - export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json) - export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json) - - envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy - '') - + '' - # Update secrets in management.json - ${builtins.concatStringsSep "\n" ( - builtins.attrValues ( 
- builtins.mapAttrs (name: path: "export ${name}=$(cat ${path})") ( - filterAttrs (_: p: p != null) cfg.secretFiles - ) - ) - )} - - envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${stateDir}/management.json.copy > ${stateDir}/management.json - - rm -rf ${stateDir}/web-ui - mkdir -p ${stateDir}/web-ui - cp -R ${dashboard}/* ${stateDir}/web-ui - - export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY" - export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID" - ${optionalString ( - cfg.secretFiles.AUTH_CLIENT_SECRET == null - ) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''} - export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE" - export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI" - export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI" - export USE_AUTH0="$NETBIRD_USE_AUTH0" - export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g') - - export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//') - - MAIN_JS=$(find ${stateDir}/web-ui/static/js/main.*js) - OIDC_TRUSTED_DOMAINS=${stateDir}/web-ui/OidcTrustedDomains.js - mv "$MAIN_JS" "$MAIN_JS".copy - envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS" - envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS" - ''; - }; - - netbird-signal = { - after = [ "network.target" ]; - wantedBy = [ "netbird-management.service" ]; - restartTriggers = [ - settingsFile - managementFile - ]; - - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/netbird-signal run \ - --port ${builtins.toString cfg.ports.signal} \ - --log-file console \ - --log-level ${cfg.logLevel} - ''; - Restart = "always"; - 
RuntimeDirectory = "netbird-mgmt"; - StateDirectory = "netbird-mgmt"; - WorkingDirectory = stateDir; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; - stopIfChanged = false; - }; - - netbird-management = { - description = "The management server for Netbird, a wireguard VPN"; - documentation = [ "https://netbird.io/docs/" ]; - after = [ - "network.target" - "netbird-setup.service" - ]; - wantedBy = [ "multi-user.target" ]; - wants = [ - "netbird-signal.service" - "netbird-setup.service" - ]; - restartTriggers = [ - settingsFile - managementFile - ]; - - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/netbird-mgmt management \ - --config ${stateDir}/management.json \ - --datadir ${stateDir}/data \ - ${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \ - ${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \ - --dns-domain ${cfg.management.dnsDomain} \ - --single-account-mode-domain ${cfg.management.singleAccountModeDomain} \ - --idp-sign-key-refresh-enabled \ - --port ${builtins.toString cfg.ports.management} \ - --log-file console \ - --log-level ${cfg.logLevel} - ''; - Restart = "always"; - RuntimeDirectory = "netbird-mgmt"; - StateDirectory = [ - "netbird-mgmt" - "netbird-mgmt/data" - ]; - WorkingDirectory = stateDir; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; - stopIfChanged = false; - }; - }; - }) - - (mkIf cfg.enableCoturn { - services.coturn = { - enable = true; - - realm = settings.NETBIRD_DOMAIN; - lt-cred-mech = true; - no-cli = true; - - extraConfig = '' - fingerprint - - user=${settings.TURN_USER}:${builtins.toString settings.TURN_PASSWORD} - no-software-attribute - ''; - }; - - networking.firewall = { - allowedUDPPorts = with settings; [ - TURN_PORT - (TURN_PORT + 1) - 5349 - 5350 - ]; - allowedTCPPorts = with settings; [ - TURN_PORT - (TURN_PORT + 1) - ]; - allowedUDPPortRanges = [ - { - from = 
settings.TURN_MIN_PORT; - to = settings.TURN_MAX_PORT; - } - ]; - }; - }) - - (mkIf (cfg.enableNginx && cfg.enableCoturn) { - services.coturn = - let - cert = config.security.acme.certs.${settings.TURN_DOMAIN}; - in - { - cert = "${cert.directory}/fullchain.pem"; - pkey = "${cert.directory}/key.pem"; - }; - - users.users.nginx.extraGroups = [ "turnserver" ]; - - # share certs with coturn and restart on renewal - security.acme.certs.${settings.TURN_DOMAIN} = { - group = "turnserver"; - postRun = "systemctl reload nginx.service; systemctl restart coturn.service"; - }; - }) - ]; -} diff --git a/machines/storage01/netbird/package/dashboard.nix b/machines/storage01/netbird/package/dashboard.nix deleted file mode 100644 index 7dd72fc..0000000 --- a/machines/storage01/netbird/package/dashboard.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ - lib, - buildNpmPackage, - fetchFromGitHub, -}: - -buildNpmPackage rec { - pname = "netbird-dashboard"; - version = "1.17.6"; - - src = fetchFromGitHub { - owner = "netbirdio"; - repo = "dashboard"; - rev = "v${version}"; - hash = "sha256-MDxN/58dv6OqPYnNgDVZ+YRzfw2dER7x8mEWe14rQ40="; - }; - - npmDepsHash = "sha256-x7YyzBPAiXyxaIcAvUrXBexYaw0TaYnKgQKT3KadW8w="; - npmFlags = [ "--legacy-peer-deps" ]; - - installPhase = '' - cp -R build $out - ''; - - meta = with lib; { - description = "NetBird Management Service Web UI Panel"; - homepage = "https://github.com/netbirdio/dashboard"; - license = licenses.bsd3; - maintainers = with maintainers; [ thubrecht ]; - }; -} diff --git a/machines/storage01/netbird/package/default.nix b/machines/storage01/netbird/package/default.nix deleted file mode 100644 index f6dd7d5..0000000 --- a/machines/storage01/netbird/package/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - pkgs ? import { }, -}: - -{ - dashboard = pkgs.callPackage ./dashboard.nix { }; -} 
diff --git a/machines/storage01/secrets/netbird-auth_client_secret_file b/machines/storage01/secrets/netbird-auth_client_secret_file
deleted file mode 100644
index 177c27b..0000000
Binary files a/machines/storage01/secrets/netbird-auth_client_secret_file and /dev/null differ
diff --git a/machines/storage01/secrets/netbird-data_store_encryption_key_file b/machines/storage01/secrets/netbird-data_store_encryption_key_file
new file mode 100644
index 0000000..41b3993
--- /dev/null
+++ b/machines/storage01/secrets/netbird-data_store_encryption_key_file
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA xId0d57S+YmTeZzTTNOs7Pt3RPQ7MLNiKg6Mox2MEFo +hFUYZMNoxZQBEKz4SYDC4nLDDXRftXtUtCLCX2kvwZ8 +-> ssh-ed25519 QlRB9Q kmsgaV+FRbqcKkhttlbmY22M6pO6kMCqLUYsq1yGSyA +VmprdWLh380qm6aarum1q17pDrMF0KLyXV/PN1OmEO8 +-> ssh-ed25519 r+nK/Q XVeZFVNLv0FlL/lPhXrvVJcHAubE1tTfSxl5iiixtF0 +Udm/qZMOzNcg2LMffkns+jUlrtXAC8Mk8ofCSD6zf/0 +-> ssh-rsa krWCLQ +OJlswMZEz2ONsqvFH8aMo4cRXzNiSkqtOmNQuWbRcAI4sXKCNuNtNcv6WPcpBMPZ +8eTvoIOf8triUwGBWLZ9oRvYOeoucyWCqx0zf11VwOclRBeziRPOQ5Uon+5gpsg2 +H1FO7Sk0sVjME/2INUjd1Q4TlPF9tlUOcEDBgyc81cLI0JrR7S2D6Hl/rAN9Gees +D9c+q5PJkvbw7KQPEu7WOxPNCi1gRyHSlKv5ef5gToNOl/c8GAJR5FutO/bTgTTl +P+yLysKXK+r2IwNNMHGFBDVbsp09IjQ+H623Sfr6H0pR7FYShohfzcM6JA3ydztN +Gy5MiJasx3nWCUYJZUL1Fw +-> ssh-ed25519 /vwQcQ OelREEMNnpUXuJ8BA1VPVM8yqEd8PS9m81sw5gaq8U8 +wPUQOWxzsj55/hii7Cd4+P1eFWVDQANwIcImOliOqog +-> ssh-ed25519 0R97PA 9NzXGY3sZb8srqaVWWbZhbNJdDfCfeZIhJHPWy9U4FU ++LvE5cI8heO8XhsejCWaJrwaRGYGCziymPZLrYTOXtg +-> ssh-ed25519 JGx7Ng 1jWoS1sqmY9MxZT7fAMsg5QbokAMNlTg9jmpxzr1ekQ +7MndRQ0ruZP2/cOKaid60rQg8Q3ljy2oknf0czOLGSo +-> ssh-ed25519 5SY7Kg Bm19KVQA8DkrDxiYsVRdKVubML7J9L/apLoUs+otehk +kQMv/7uijZlyGDbDt2aNF85vp4nYM9o3fIetvnykX6I +-> ssh-ed25519 p/Mg4Q /vhTds9k+5uwSDjLyKp18ge+bu/Aeg72nHx2joWUTw0 +zeim4NPL7floIvZ296vYuyk5XAVFCCaWRc0iRQQxbyg +-> ssh-ed25519 rHotTw YbKb6NyxsknA125fdWj5/RJjmaY22yDwNx+bLKV6ZW4 +jJw+YJqQC/B+UMLYAtTAIZuON2hiZAY171ovJ0ceKjg +-> @K'k$-grease x>ie }CH4sS h|s +bVzOpc2vPj8ldZskVlQSmOE7wHR2q/dXcdC6vrPXSvYWCKK8Rg +--- uDaSBMjg5lvDnZyTKHqveb5B+y71HjrDzOqtsJycuBs +1ҨRqn{T5?HXH1 %)01RGr׿fNT42B(); \ No newline at end of file diff --git a/machines/storage01/secrets/netbird-relay_environment_file b/machines/storage01/secrets/netbird-relay_environment_file new file mode 100644 index 0000000..27ea7e5 Binary files /dev/null and b/machines/storage01/secrets/netbird-relay_environment_file differ 
diff --git a/machines/storage01/secrets/netbird-relay_secret_file b/machines/storage01/secrets/netbird-relay_secret_file new file mode 100644 index 0000000..aea9b24 --- /dev/null +++ b/machines/storage01/secrets/netbird-relay_secret_file @@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA lI9DxAFp/gbF+77Sofv9KIrs3kMTYTLEm8C6AsZBPyI +8RFGt1aJnZbd7Lpr4iy1VlMr3yzpPf6sI79cik5X77c +-> ssh-ed25519 QlRB9Q eMENLAMY+eNXJhduTnJoyPimbThM7VA+4m6BrnZa8RE +NpwcJhh0U8pMU1hnXFz2bfwSmCQra1CI5Tr2cbXGMT0 +-> ssh-ed25519 r+nK/Q eyuD/hYyYmG96AcPEZVNsohXgK9WD+g+ZyMpIyaiYjY +Ef+R/eXkqvOmYJvjz4muTjGamkXzgHzD31vXDXsgo3M +-> ssh-rsa krWCLQ +BuBMUp5uijNV71OYvMGS9NhBBplfFugJy14EOHclJ2TKjQ19RVKHPj0wX0AxuPCT +iV6j6Po/oKSsGuoKy6JMTLKjYtROPF70Ld8PlC4tFI5i0xQagEFhKONfk1Rd/mF0 +2qGriQhSUMvkMirbkhE3CxrAzSqcjuoGji+ZWwpz2LYUVsF89nnoLsTRri+Sg5ZW +4qhoo23UTU+IlrVtqjB7W1rNAwHKhWPZnjc08x1x/qnLATemmDMsFmTEGljJNGMR +kEg+oUdwdvLjDsnGBWkE+Ck/mrEGwjcsDTmZmCYcH/Q11EMdj5hnCfG68PRhLF9K +b28fHveM3i5/jHrrTxWbrA +-> ssh-ed25519 /vwQcQ 1xQWlLW6xCrheirHSKcGEu+KM644y8NP1KYvwOganQc +IFVYj83X1uLvgIRlnDvnLiaoZNM9viLT7X11vIHdLxY +-> ssh-ed25519 0R97PA I8K03IKgC59zmHqVr8h8TaxuuTSbmYsyap830JyhIhw +AGxW9sq7PQNgs9WFcbINI2CnE3lJJ0rDmseN83YSeT0 +-> ssh-ed25519 JGx7Ng syz/pzdj3Lg1VwulZhT8UQncgXjOH1nlbtqHgASLAws +IKaU32zbjFc319PctmGPtHt4RXjgzun0K+9HeuGS3FU +-> ssh-ed25519 5SY7Kg 06EjOyKw1zIWcdZGC7EfNt9mFix+fVcy1iS+SBhPgCQ +ZxcNbC1QmTPJkWlwBnD9YjuzekGZtSDeI7RYxq0uwgw +-> ssh-ed25519 p/Mg4Q uCbjjN5S0ZoZtsj5jva9mTrlZ2UE02A3DysxV1PZ/lM +7jWWiWp4ei5VjftKZz29osbaFxfpId+X3GLzgWZ9Wgo +-> ssh-ed25519 rHotTw Q1/zZpGbUCbXiEELad5710uNkllrFuQlhonSLfIoQVo +h6iW26rADPn1MRqNoD33ZVVDRDr2DBoNK+BjrDxwZik +-> ss-grease +A3WDPMHgipAaXF0MStKGx8CAbFTqks74CRTKButwwJYvgnMFp2Yglx3D2NOWTdJm +yde7gp5XInweYf2TjvQK88l0MD0VYlG9Lu7+wbWGFElCpQ +--- 0d/8UVX6ubUZpKG3LzJsFKbsZNRKUwQq7LuWMiyezKo +P?j@HߚwgکL_+|ζ٦#fu#cIS|4 \ No newline at end of file 
diff --git a/machines/storage01/secrets/secrets.nix b/machines/storage01/secrets/secrets.nix
index 7004cdf..63a10d7 100644
--- a/machines/storage01/secrets/secrets.nix
+++ b/machines/storage01/secrets/secrets.nix
@@ -8,7 +8,9 @@
 "influxdb2-initial_password_file"
 "influxdb2-initial_token_file"
 "influxdb2-telegraf_token_file"
- "netbird-auth_client_secret_file"
+ "netbird-data_store_encryption_key_file"
+ "netbird-relay_environment_file"
+ "netbird-relay_secret_file"
 "nginx-tvix-store-password"
 "nginx-tvix-store-password-ci"
 "peertube-secrets_file"
diff --git a/meta/nodes.nix b/meta/nodes.nix
index fed15a1..95508cb 100644
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@@ -86,7 +86,10 @@
 stateVersion = "23.11";
 nixpkgs = "24.05";
- nix-modules = [ "services/forgejo-nix-runners" ];
+ nix-modules = [
+ "services/forgejo-nix-runners"
+ "services/netbird/server.nix"
+ ];
 };
 vault01 = {
diff --git a/npins/sources.json b/npins/sources.json
index bf223d8..7a1c44f 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -201,9 +201,9 @@
 "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
 },
 "branch": "main",
- "revision": "ab4b7da75cd4c1380d31862c0a6b29c35ce0fa40",
+ "revision": "516225dc6958645284b11b74b9ce31e01993341c",
 "url": null,
- "hash": "1g7bv3q6kj6gql4hl1y6zxcbbizzzb6ai7wx53m0jdy4gakanc5l"
+ "hash": "1cxn1m1xf9p7p8a0y8r6iwp08d886k5rmgl947r9d0vg7ah31kmj"
 },
 "nix-patches": {
 "type": "GitRelease",
@@ -308,4 +308,4 @@
 }
 },
 "version": 3
-}
\ No newline at end of file
+}
diff --git a/patches/default.nix b/patches/default.nix
index e0e15f4..34ad98e 100644
--- a/patches/default.nix
+++ b/patches/default.nix
@@ -64,5 +64,11 @@ in
 sha = "ae4bf4c110378ebacb3989c9533726859cfebbfa";
 hash = "sha256-SgHhW9HCkDQsxT3eG4P9q68c43e3sbDHRY9qs7oSt8o=";
 }
+
+ # Build netbird-relay
+ {
+ _type = "static";
+ path = ./05-netbird-relay.patch;
+ }
 ];
 }
diff --git a/patches/05-netbird-relay.patch b/patches/05-netbird-relay.patch
new file mode 100644
index 0000000..1b93876
--- /dev/null
+++ b/patches/05-netbird-relay.patch
@@ -0,0 +1,21 @@ +diff --git a/pkgs/tools/networking/netbird/default.nix b/pkgs/tools/networking/netbird/default.nix +index 07a1e906dad3..d5799446628b 100644 +--- a/pkgs/tools/networking/netbird/default.nix ++++ b/pkgs/tools/networking/netbird/default.nix +@@ -26,6 +26,7 @@ let + } else { + client = "netbird"; + management = "netbird-mgmt"; ++ relay = "netbird-relay"; + signal = "netbird-signal"; + }; + in +@@ -82,7 +83,7 @@ buildGoModule rec { + (lib.mapAttrsToList + (module: binary: '' + mv $out/bin/${lib.last (lib.splitString "/" module)} $out/bin/${binary} +- '' + lib.optionalString (!ui) '' ++ '' + lib.optionalString (!ui && module != "relay") '' + installShellCompletion --cmd ${binary} \ + --bash <($out/bin/${binary} completion bash) \ + --fish <($out/bin/${binary} completion fish) \ diff --git a/patches/default.nix b/patches/default.nix index e0e15f4..34ad98e 100644 --- a/patches/default.nix +++ b/patches/default.nix @@ -64,5 +64,11 @@ in sha = "ae4bf4c110378ebacb3989c9533726859cfebbfa"; hash = "sha256-SgHhW9HCkDQsxT3eG4P9q68c43e3sbDHRY9qs7oSt8o="; } + + # Build netbird-relay + { + _type = "static"; + path = ./05-netbird-relay.patch; + } ]; }
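Review bot: The `module != "relay"` exclusion on the `installShellCompletion` branch is unexplained; presumably the relay binary has no `completion` subcommand, but nothing in the patch says so, and a one-line comment in the `# Build netbird-relay` entry of patches/default.nix (e.g. `# relay has no completion subcommand, so it is skipped below`) would save the next reader from re-deriving it. This patch targets nixpkgs' `pkgs/tools/networking/netbird/default.nix`, while the new netbird.nix selects `package = nixpkgs.unstable.netbird`; confirm the patch is actually applied to that unstable pin (or that the pin already ships a relay binary), otherwise `relay.environmentFile` configures a service whose executable does not exist. If upstream nixpkgs already carries an equivalent change, record the upstream PR in the patch header so the local copy can be dropped once the pin catches up.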