From fe8330ed8447b7aa0503f2749c10fbc41e179a5e Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom.hubrecht@dgnum.eu>
Date: Wed, 15 Jan 2025 13:40:37 +0100
Subject: [PATCH] feat(rescue01): Deploy a netbird relay

---
 machines/nixos/rescue01/_configuration.nix    |   1 +
 machines/nixos/rescue01/netbird-relay.nix     |  34 ++++++++++++++++++
 .../secrets/netbird-relay_environment_file    | Bin 0 -> 1513 bytes
 machines/nixos/rescue01/secrets/secrets.nix   |   1 +
 machines/nixos/storage01/netbird.nix          |   5 ++-
 meta/dns.nix                                  |   1 +
 meta/nodes/nixos.nix                          |   4 +++
 7 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 machines/nixos/rescue01/netbird-relay.nix
 create mode 100644 machines/nixos/rescue01/secrets/netbird-relay_environment_file

diff --git a/machines/nixos/rescue01/_configuration.nix b/machines/nixos/rescue01/_configuration.nix
index ce20daa..dc59d38 100644
--- a/machines/nixos/rescue01/_configuration.nix
+++ b/machines/nixos/rescue01/_configuration.nix
@@ -12,6 +12,7 @@ lib.extra.mkConfig {
 
   enabledServices = [
     # List of services to enable
+    "netbird-relay"
     "uptime-kuma"
   ];
 
diff --git a/machines/nixos/rescue01/netbird-relay.nix b/machines/nixos/rescue01/netbird-relay.nix
new file mode 100644
index 0000000..f2cbc97
--- /dev/null
+++ b/machines/nixos/rescue01/netbird-relay.nix
@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  nixpkgs,
+  ...
+}:
+
+let
+  domain = "nb-relay01.dgnum.eu";
+in
+
+{
+  services = {
+    netbird.server.relay = {
+      enable = true;
+
+      package = nixpkgs.nixos.unstable.netbird;
+
+      inherit domain;
+      enableNginx = true;
+
+      environmentFile = config.age.secrets."netbird-relay_environment_file".path;
+      metricsPort = 9094;
+    };
+
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}
diff --git a/machines/nixos/rescue01/secrets/netbird-relay_environment_file b/machines/nixos/rescue01/secrets/netbird-relay_environment_file
new file mode 100644
index 0000000000000000000000000000000000000000..d8654ecc52f1119076477be8f8ede3fb49f0c9d8
GIT binary patch
literal 1513
zcmZXUImqM$0EHLCCbESh!gf=L3h_6`<d|v19Fs{h$>f|QGoVW*_kB+?DQvW{wy>}h
z1TCyYa1ph$6U0Jm8*Rj55w`WWSc~8O!3U4;JvRz&g3@cRb)Qt_8&w-Y7X-L@bJ2D2
zP2i(Aj;t4{;Djo*5Ql&#A+s+nxL%t6$jUffA;xy1xMWJ~N{|%uu-Y7Rz5*D2Lh&{0
zFNG@OUAIE)j3lyAgo~y&S$6HC#kHfXty^JtX<Dw+Yi$vGO0*5r+?)JxkB~h}PN<AD
z!TJREdau^agj@<|<4`#T^t9!L*-rMcb8xySDQHezwpkk|o~zm_6X=MYBHqR{W_6d=
zg5?g<7HG!KoVCItI)wJyi!<4SpX?1%$F)2?Ri+<%b4f}eGaUedUDCF4PExXwVWo7$
zx$omDBr<TRq2vKVc$`4>aKjJPQ(D`(i>$R7Nduz77#q<P<=Y6vx}%AnuV{4bTq9l{
zH{_WJAXxFF6)2ZFIZj8I*(fpN6>CaW!8sfNT{GJuTw2#ipfIU$8%N?~@X(wpaA;%)
zIVS1~;kqy>)U@c7y6ru&Qb{tTB2!+`1P~Ba((_oO4Z4KJRpf0qLk1h$G(tnJ@wr1U
z@;lpd?V;H>hTr(6lUK`-j8!qLGUEhnY6k^LF;5QGk@7DSj%ilOcuw!(EvDDkO`A<q
z1*In!aa#eU<G=_ul_4*|<HcFlG%($|z}NIpUL5;0c&;+ZD>Do6HrwIsSYWEC9gci7
zazh_e*||M#6<E_oT_n?{a1<JtD;~Q|4>T>Gu8C<ZXSE!nr)@v=7P^d@r!5Za)+UOX
zGjwhg!=bhUKeG9QNM*RXJCw25ReO}I(vrb|1IZmub4+G7MY`Fn1v`PxPJ+;O<27nz
z(HMNm!Oz6zEZn8R`kK65NjI-e6+!iZm>|r)26159imy#b?8686c%s8D^N8t^jujyK
z4HHrZlLdThkxVrDSOz;7SjB0Ba+PhK`|#u@9DU91(!}jV?xRH!nNveUxFJZKg!$LJ
z!O`>tIeFa65{l?(Efu<lD|#9MyAF~YxrGJMz>R!=JNT0nQH`U?zE!V$uG#7Axz<Qs
z`_J2_O`Z>Fnna6y7h7k%RD+<|^zjVy2uL}!(lxij)COg6S4i@7vMT5ZXwMp}%-tox
z{H+#2?qHr}I7Z`mGm4~}TOKm^Ii^B{@IM+T@A+<A@T=)EDcqGQ83T3ncv(3~o8xDl
zBT|c*ERzg-EZt8_)&tm7R<3KMWb>6EI=kb94G~rfOr`2vhwL)nF`#4P-(JGu-zHx+
zz*mY_-J7Tl+%8x^4<!m9I!0kF0zQn%@`$w{RSq3<)DYQLay5f3(Be3XGaL<Rc1y%!
zm2^}?w(GSdNJcU=fWk8Ugz5SQZ4{3mc6)+2ZNeJW_wESX+}tci5Na_A%T3m%BzLZj
z<u#L;Amobk?5^ScjB1;mcggIz0{(pT(%auYc>MWWul;g=`QXQo?md3Le)fZxsgKnk
z?*IP!ljeo}v2|Yg{>jJs=2Q5Kzxbc$&t4qMPoMkb`LCXN?<erP4<Ehrwejw6-vnR6
LfB$js;jjMyN#^zU

literal 0
HcmV?d00001

diff --git a/machines/nixos/rescue01/secrets/secrets.nix b/machines/nixos/rescue01/secrets/secrets.nix
index f270805..bd9fae1 100644
--- a/machines/nixos/rescue01/secrets/secrets.nix
+++ b/machines/nixos/rescue01/secrets/secrets.nix
@@ -6,5 +6,6 @@
   [ "rescue01" ]
   [
     # List of secrets for rescue01
+    "netbird-relay_environment_file"
     "stateless-uptime-kuma-password"
   ]
diff --git a/machines/nixos/storage01/netbird.nix b/machines/nixos/storage01/netbird.nix
index f6c451b..c1c22ef 100644
--- a/machines/nixos/storage01/netbird.nix
+++ b/machines/nixos/storage01/netbird.nix
@@ -69,7 +69,10 @@ in
           };
 
           Relay = {
-            Addresses = [ "rels://${domain}:443" ];
+            Addresses = builtins.map (host: "rels://${host}:443") [
+              domain
+              "nb-relay01.dgnum.eu"
+            ];
             CredentialsTTL = "24h";
             Secret._secret = s "netbird-relay_secret_file";
           };
diff --git a/meta/dns.nix b/meta/dns.nix
index cd2602c..8732105 100644
--- a/meta/dns.nix
+++ b/meta/dns.nix
@@ -113,6 +113,7 @@ let
         ];
 
         rescue01.dual = [
+          "nb-relay01" # Netbird Relay
           "status" # Uptime Kuma
         ];
 
diff --git a/meta/nodes/nixos.nix b/meta/nodes/nixos.nix
index 6fa0798..b9306b6 100644
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@@ -181,6 +181,10 @@
       version = "24.11";
       system = "nixos";
     };
+
+    nix-modules = [
+      "services/netbird/server.nix"
+    ];
   };
 
   storage01 = {