forked from DGNum/infrastructure
feat(netbird): Update
This commit is contained in:
parent
5f0c7d4e22
commit
51133e6e5f
14 changed files with 180 additions and 733 deletions
82
machines/storage01/netbird.nix
Normal file
82
machines/storage01/netbird.nix
Normal file
|
@ -0,0 +1,82 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
nixpkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
domain = "netbird.dgnum.eu";
|
||||||
|
|
||||||
|
s = name: config.age.secrets.${name}.path;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services = {
|
||||||
|
netbird.server = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
package = nixpkgs.unstable.netbird;
|
||||||
|
|
||||||
|
inherit domain;
|
||||||
|
|
||||||
|
enableNginx = true;
|
||||||
|
|
||||||
|
coturn.enable = lib.mkForce false;
|
||||||
|
|
||||||
|
relay = {
|
||||||
|
environmentFile = s "netbird-relay_environment_file";
|
||||||
|
metricsPort = 9094;
|
||||||
|
};
|
||||||
|
|
||||||
|
dashboard = {
|
||||||
|
settings = {
|
||||||
|
AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird";
|
||||||
|
AUTH_AUDIENCE = "dgn_netbird";
|
||||||
|
AUTH_CLIENT_ID = "dgn_netbird";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
management = {
|
||||||
|
oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration";
|
||||||
|
|
||||||
|
dnsDomain = "dgnum";
|
||||||
|
|
||||||
|
metricsPort = 9092;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file";
|
||||||
|
|
||||||
|
PKCEAuthorizationFlow.ProviderConfig = {
|
||||||
|
Audience = "dgn_netbird";
|
||||||
|
ClientID = "dgn_netbird";
|
||||||
|
AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2";
|
||||||
|
TokenEndpoint = "https://sso.dgnum.eu/oauth2/token";
|
||||||
|
};
|
||||||
|
|
||||||
|
IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird";
|
||||||
|
|
||||||
|
DeviceAuthorizationFlow = {
|
||||||
|
Provider = "none";
|
||||||
|
ProviderConfig = {
|
||||||
|
Audience = "dgn_netbird";
|
||||||
|
ClientID = "dgn_netbird";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
Relay = {
|
||||||
|
Addresses = [ "rels://${domain}:443" ];
|
||||||
|
CredentialsTTL = "24h";
|
||||||
|
Secret._secret = s "netbird-relay_secret_file";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx.virtualHosts.${domain} = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
|
||||||
|
}
|
|
@ -1,47 +0,0 @@
|
||||||
{ config, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
domain = "netbird.dgnum.eu";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [ ./module.nix ];
|
|
||||||
|
|
||||||
services.netbird-server = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
logLevel = "DEBUG";
|
|
||||||
enableDeviceAuthorizationFlow = false;
|
|
||||||
enableNginx = true;
|
|
||||||
enableCoturn = true;
|
|
||||||
setupAutoOidc = true;
|
|
||||||
|
|
||||||
management.dnsDomain = "dgnum";
|
|
||||||
|
|
||||||
secretFiles.AUTH_CLIENT_SECRET = config.age.secrets."netbird-auth_client_secret_file".path;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
NETBIRD_DOMAIN = domain;
|
|
||||||
|
|
||||||
TURN_PASSWORD = "tototest1234";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/netbird_dgn/.well-known/openid-configuration";
|
|
||||||
NETBIRD_AUTH_PKCE_USE_ID_TOKEN = true;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_AUDIENCE = "netbird_dgn";
|
|
||||||
NETBIRD_AUTH_CLIENT_ID = "netbird_dgn";
|
|
||||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
|
||||||
# Updates the preference to use id tokens instead of access token on dashboard
|
|
||||||
# Okta and Gitlab IDPs can benefit from this
|
|
||||||
NETBIRD_TOKEN_SOURCE = "idToken";
|
|
||||||
|
|
||||||
# NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:${p}") [
|
|
||||||
# "53000"
|
|
||||||
# "54000"
|
|
||||||
# ];
|
|
||||||
|
|
||||||
NETBIRD_STORE_CONFIG_ENGINE = "sqlite";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ];
|
|
||||||
}
|
|
|
@ -1,643 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
|
||||||
inherit (lib)
|
|
||||||
filterAttrs
|
|
||||||
literalExpression
|
|
||||||
maintainers
|
|
||||||
mkDefault
|
|
||||||
mkEnableOption
|
|
||||||
mkIf
|
|
||||||
mkMerge
|
|
||||||
mkOption
|
|
||||||
optionalAttrs
|
|
||||||
optionalString
|
|
||||||
optionals
|
|
||||||
types
|
|
||||||
;
|
|
||||||
|
|
||||||
inherit ((import ./package { inherit pkgs; })) dashboard;
|
|
||||||
|
|
||||||
cfg = config.services.netbird-server;
|
|
||||||
|
|
||||||
stateDir = "/var/lib/netbird-mgmt";
|
|
||||||
|
|
||||||
settingsFormat = pkgs.formats.keyValue { };
|
|
||||||
managementFormat = pkgs.formats.json { };
|
|
||||||
|
|
||||||
settingsFile = settingsFormat.generate "setup.env" (
|
|
||||||
builtins.mapAttrs (
|
|
||||||
_: val: if builtins.isList val then ''"${builtins.concatStringsSep " " val}"'' else val
|
|
||||||
) settings
|
|
||||||
);
|
|
||||||
|
|
||||||
managementFile = managementFormat.generate "config.json" cfg.managementConfig;
|
|
||||||
|
|
||||||
settings =
|
|
||||||
rec {
|
|
||||||
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
|
|
||||||
TURN_PORT = 3478;
|
|
||||||
TURN_USER = "netbird";
|
|
||||||
TURN_MIN_PORT = 49152;
|
|
||||||
TURN_MAX_PORT = 65535;
|
|
||||||
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
|
|
||||||
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
|
|
||||||
|
|
||||||
STUN_USERNAME = "";
|
|
||||||
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
|
|
||||||
|
|
||||||
NETBIRD_DASHBOARD_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:443";
|
|
||||||
NETBIRD_MGMT_API_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
|
|
||||||
builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT
|
|
||||||
}";
|
|
||||||
NETBIRD_SIGNAL_ENDPOINT = "https://${cfg.settings.NETBIRD_DOMAIN}:${
|
|
||||||
builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT
|
|
||||||
}";
|
|
||||||
|
|
||||||
NETBIRD_SIGNAL_PROTOCOL = "https";
|
|
||||||
NETBIRD_SIGNAL_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
|
||||||
NETBIRD_AUTH_CLIENT_SECRET =
|
|
||||||
if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
|
|
||||||
NETBIRD_AUTH_SUPPORTED_SCOPES = [
|
|
||||||
"openid"
|
|
||||||
"profile"
|
|
||||||
"email"
|
|
||||||
"offline_access"
|
|
||||||
"api"
|
|
||||||
];
|
|
||||||
|
|
||||||
NETBIRD_AUTH_REDIRECT_URI = "";
|
|
||||||
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [
|
|
||||||
"openid"
|
|
||||||
"profile"
|
|
||||||
"email"
|
|
||||||
"offline_access"
|
|
||||||
"api"
|
|
||||||
];
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_API_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_IDP = "none";
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_SECRET =
|
|
||||||
if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then
|
|
||||||
"$IDP_MGMT_CLIENT_SECRET"
|
|
||||||
else
|
|
||||||
cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
|
|
||||||
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
|
|
||||||
|
|
||||||
NETBIRD_TOKEN_SOURCE = "accessToken";
|
|
||||||
NETBIRD_DRAG_QUERY_PARAMS = false;
|
|
||||||
|
|
||||||
NETBIRD_USE_AUTH0 = false;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (
|
|
||||||
p: "http://localhost:${p}"
|
|
||||||
) cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
|
||||||
}
|
|
||||||
// (optionalAttrs cfg.setupAutoOidc {
|
|
||||||
NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
|
|
||||||
NETBIRD_AUTH_TOKEN_ENDPOINT = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
|
|
||||||
NETBIRD_AUTH_JWT_CERTS = "$NETBIRD_AUTH_JWT_CERTS";
|
|
||||||
NETBIRD_AUTH_AUTHORITY = "$NETBIRD_AUTH_AUTHORITY";
|
|
||||||
})
|
|
||||||
// cfg.settings;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
meta = {
|
|
||||||
maintainers = with maintainers; [ thubrecht ];
|
|
||||||
};
|
|
||||||
|
|
||||||
options.services.netbird-server = {
|
|
||||||
enable = mkEnableOption (lib.mdDoc "netbird management service.");
|
|
||||||
|
|
||||||
package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.netbird;
|
|
||||||
defaultText = literalExpression "pkgs.netbird";
|
|
||||||
description = lib.mdDoc "The package to use for netbird";
|
|
||||||
};
|
|
||||||
|
|
||||||
settings = mkOption {
|
|
||||||
type =
|
|
||||||
with types;
|
|
||||||
attrsOf (
|
|
||||||
nullOr (oneOf [
|
|
||||||
(listOf str)
|
|
||||||
bool
|
|
||||||
int
|
|
||||||
float
|
|
||||||
str
|
|
||||||
])
|
|
||||||
);
|
|
||||||
defaultText = lib.literalExpression ''
|
|
||||||
{
|
|
||||||
TURN_DOMAIN = cfg.settings.NETBIRD_DOMAIN;
|
|
||||||
TURN_PORT = 3478;
|
|
||||||
TURN_USER = "netbird";
|
|
||||||
TURN_MIN_PORT = 49152;
|
|
||||||
TURN_MAX_PORT = 65535;
|
|
||||||
TURN_PASSWORD = if cfg.secretFiles.TURN_PASSWORD != null then "$TURN_PASSWORD" else null;
|
|
||||||
TURN_SECRET = if cfg.secretFiles.TURN_SECRET != null then "$TURN_SECRET" else "secret";
|
|
||||||
|
|
||||||
STUN_USERNAME = "";
|
|
||||||
STUN_PASSWORD = if cfg.secretFiles.STUN_PASSWORD != null then "$STUN_PASSWORD" else null;
|
|
||||||
|
|
||||||
NETBIRD_DASHBOARD_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:443";
|
|
||||||
NETBIRD_MGMT_API_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_MGMT_API_PORT or NETBIRD_MGMT_API_PORT}";
|
|
||||||
NETBIRD_SIGNAL_ENDPOINT = "https://''${cfg.settings.NETBIRD_DOMAIN}:''${builtins.toString cfg.settings.NETBIRD_SIGNAL_PORT or NETBIRD_SIGNAL_PORT}";
|
|
||||||
|
|
||||||
NETBIRD_SIGNAL_PROTOCOL = "https";
|
|
||||||
NETBIRD_SIGNAL_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_USER_ID_CLAIM = "sub";
|
|
||||||
NETBIRD_AUTH_CLIENT_SECRET = if cfg.secretFiles.AUTH_CLIENT_SECRET != null then "$AUTH_CLIENT_SECRET" else "";
|
|
||||||
NETBIRD_AUTH_SUPPORTED_SCOPES = [ "openid" "profile" "email" "offline_access" "api" ];
|
|
||||||
|
|
||||||
NETBIRD_AUTH_REDIRECT_URI = "";
|
|
||||||
NETBIRD_AUTH_SILENT_REDIRECT_URI = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER = "none";
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE = cfg.settings.NETBIRD_AUTH_AUDIENCE;
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_SCOPE = [ "openid" "profile" "email" "offline_access" "api" ];
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN = false;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_API_PORT = 443;
|
|
||||||
|
|
||||||
NETBIRD_MGMT_IDP = "none";
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_ID = cfg.settings.NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
NETBIRD_IDP_MGMT_CLIENT_SECRET = if cfg.secretFiles.IDP_MGMT_CLIENT_SECRET != null then "$IDP_MGMT_CLIENT_SECRET" else cfg.settings.NETBIRD_AUTH_CLIENT_SECRET;
|
|
||||||
NETBIRD_IDP_MGMT_GRANT_TYPE = "client_credentials";
|
|
||||||
|
|
||||||
NETBIRD_TOKEN_SOURCE = "accessToken";
|
|
||||||
NETBIRD_DRAG_QUERY_PARAMS = false;
|
|
||||||
|
|
||||||
NETBIRD_USE_AUTH0 = false;
|
|
||||||
|
|
||||||
NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT = "";
|
|
||||||
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS = [ "53000" ];
|
|
||||||
NETBIRD_AUTH_PKCE_REDIRECT_URLS = builtins.map (p: "http://localhost:''${p}") cfg.settings.NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS or NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Configuration settings for netbird.
|
|
||||||
Example config values can be found in [setup.env.example](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/setup.env.example)
|
|
||||||
List of strings [ a b ] will be concatenated as "a b", useful for setting the supported scopes.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
managementConfig = mkOption {
|
|
||||||
inherit (managementFormat) type;
|
|
||||||
description = lib.mdDoc "Configuration of the netbird management server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
idpManagerExtraConfig = mkOption {
|
|
||||||
type = types.attrsOf types.str;
|
|
||||||
default = { };
|
|
||||||
description = lib.mdDoc "Extra options passed to the IdpManagerConfig.";
|
|
||||||
};
|
|
||||||
|
|
||||||
ports.management = mkOption {
|
|
||||||
type = types.port;
|
|
||||||
default = 8011;
|
|
||||||
description = lib.mdDoc "Internal port of the management server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
ports.signal = mkOption {
|
|
||||||
type = types.port;
|
|
||||||
default = 8012;
|
|
||||||
description = lib.mdDoc "Internal port of the signal server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
logLevel = mkOption {
|
|
||||||
type = types.enum [
|
|
||||||
"ERROR"
|
|
||||||
"WARN"
|
|
||||||
"INFO"
|
|
||||||
"DEBUG"
|
|
||||||
];
|
|
||||||
default = "INFO";
|
|
||||||
description = lib.mdDoc "Log level of the netbird services.";
|
|
||||||
};
|
|
||||||
|
|
||||||
enableDeviceAuthorizationFlow = mkEnableOption "device authorization flow for netbird." // {
|
|
||||||
default = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
enableNginx = mkEnableOption "NGINX reverse-proxy for the netbird server.";
|
|
||||||
|
|
||||||
enableCoturn = mkEnableOption "a Coturn server used for Netbird.";
|
|
||||||
|
|
||||||
setupAutoOidc = mkEnableOption "the automatic setup of the OIDC.";
|
|
||||||
|
|
||||||
management = {
|
|
||||||
|
|
||||||
dnsDomain = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "netbird.selfhosted";
|
|
||||||
description = lib.mdDoc "Domain used for peer resolution.";
|
|
||||||
};
|
|
||||||
|
|
||||||
singleAccountModeDomain = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "netbird.selfhosted";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Enables single account mode.
|
|
||||||
This means that all the users will be under the same account grouped by the specified domain.
|
|
||||||
If the installation has more than one account, the property is ineffective.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
disableAnonymousMetrics = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc "Disables push of anonymous usage metrics to NetBird.";
|
|
||||||
};
|
|
||||||
|
|
||||||
disableSingleAccountMode = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If set to true, disables single account mode.
|
|
||||||
The `singleAccountModeDomain` property will be ignored and every new user will have a separate NetBird account.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
secretFiles = {
|
|
||||||
TURN_PASSWORD = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret TURN_PASSWORD.";
|
|
||||||
};
|
|
||||||
|
|
||||||
TURN_SECRET = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret TURN_SECRET.";
|
|
||||||
};
|
|
||||||
|
|
||||||
STUN_PASSWORD = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret STUN_PASSWORD.";
|
|
||||||
};
|
|
||||||
|
|
||||||
AUTH_CLIENT_SECRET = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = null;
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret NETBIRD_AUTH_CLIENT_SECRET.";
|
|
||||||
};
|
|
||||||
|
|
||||||
IDP_MGMT_CLIENT_SECRET = mkOption {
|
|
||||||
type = with types; nullOr path;
|
|
||||||
default = cfg.secretFiles.AUTH_CLIENT_SECRET;
|
|
||||||
defaultText = lib.literalExpression "cfg.secretFiles.AUTH_CLIENT_SECRET;";
|
|
||||||
description = lib.mdDoc "Path to a file containing the secret NETBIRD_IDP_MGMT_CLIENT_SECRET.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkMerge [
|
|
||||||
(mkIf cfg.enable {
|
|
||||||
services.netbird-server.managementConfig = with settings; {
|
|
||||||
Stuns = mkDefault [
|
|
||||||
{
|
|
||||||
Proto = "udp";
|
|
||||||
URI = "stun:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
|
|
||||||
Username = STUN_USERNAME;
|
|
||||||
Password = STUN_PASSWORD;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
TURNConfig = {
|
|
||||||
Turns = [
|
|
||||||
{
|
|
||||||
Proto = "udp";
|
|
||||||
URI = "turn:${TURN_DOMAIN}:${builtins.toString TURN_PORT}";
|
|
||||||
Username = TURN_USER;
|
|
||||||
Password = TURN_PASSWORD;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
CredentialsTTL = "12h";
|
|
||||||
Secret = TURN_SECRET;
|
|
||||||
TimeBasedCredentials = false;
|
|
||||||
};
|
|
||||||
Signal = {
|
|
||||||
Proto = NETBIRD_SIGNAL_PROTOCOL;
|
|
||||||
URI = "${NETBIRD_DOMAIN}:${builtins.toString NETBIRD_SIGNAL_PORT}";
|
|
||||||
Username = "";
|
|
||||||
Password = null;
|
|
||||||
};
|
|
||||||
Datadir = "${stateDir}/data";
|
|
||||||
HttpConfig = {
|
|
||||||
Address = "127.0.0.1:${builtins.toString cfg.ports.management}";
|
|
||||||
AuthIssuer = NETBIRD_AUTH_AUTHORITY;
|
|
||||||
AuthAudience = NETBIRD_AUTH_AUDIENCE;
|
|
||||||
AuthKeysLocation = NETBIRD_AUTH_JWT_CERTS;
|
|
||||||
AuthUserIDClaim = NETBIRD_AUTH_USER_ID_CLAIM;
|
|
||||||
OIDCConfigEndpoint = NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT;
|
|
||||||
};
|
|
||||||
IdpManagerConfig = {
|
|
||||||
ManagerType = NETBIRD_MGMT_IDP;
|
|
||||||
ClientConfig = {
|
|
||||||
Issuer = NETBIRD_AUTH_AUTHORITY;
|
|
||||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
|
||||||
ClientID = NETBIRD_IDP_MGMT_CLIENT_ID;
|
|
||||||
ClientSecret = NETBIRD_IDP_MGMT_CLIENT_SECRET;
|
|
||||||
GrantType = NETBIRD_IDP_MGMT_GRANT_TYPE;
|
|
||||||
};
|
|
||||||
ExtraConfig = cfg.idpManagerExtraConfig;
|
|
||||||
};
|
|
||||||
DeviceAuthorizationFlow = mkIf cfg.enableDeviceAuthorizationFlow {
|
|
||||||
Provider = NETBIRD_AUTH_DEVICE_AUTH_PROVIDER;
|
|
||||||
ProviderConfig = {
|
|
||||||
Audience = NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE;
|
|
||||||
Domain = NETBIRD_AUTH_AUTHORITY;
|
|
||||||
ClientID = NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID;
|
|
||||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
|
||||||
DeviceAuthEndpoint = NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT;
|
|
||||||
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_DEVICE_AUTH_SCOPE;
|
|
||||||
UseIDToken = NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
PKCEAuthorizationFlow = {
|
|
||||||
ProviderConfig = {
|
|
||||||
Audience = NETBIRD_AUTH_AUDIENCE;
|
|
||||||
ClientID = NETBIRD_AUTH_CLIENT_ID;
|
|
||||||
ClientSecret = NETBIRD_AUTH_CLIENT_SECRET;
|
|
||||||
AuthorizationEndpoint = NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT;
|
|
||||||
TokenEndpoint = NETBIRD_AUTH_TOKEN_ENDPOINT;
|
|
||||||
Scope = builtins.concatStringsSep " " NETBIRD_AUTH_SUPPORTED_SCOPES;
|
|
||||||
RedirectURLs = NETBIRD_AUTH_PKCE_REDIRECT_URLS;
|
|
||||||
UseIDToken = NETBIRD_AUTH_PKCE_USE_ID_TOKEN;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts = mkIf cfg.enableNginx {
|
|
||||||
${cfg.settings.NETBIRD_DOMAIN} = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
root = "${stateDir}/web-ui/";
|
|
||||||
tryFiles = "$uri /index.html";
|
|
||||||
};
|
|
||||||
|
|
||||||
"/signalexchange.SignalExchange/".extraConfig = ''
|
|
||||||
grpc_pass grpc://localhost:${builtins.toString cfg.ports.signal};
|
|
||||||
grpc_read_timeout 1d;
|
|
||||||
grpc_send_timeout 1d;
|
|
||||||
grpc_socket_keepalive on;
|
|
||||||
'';
|
|
||||||
|
|
||||||
"/api".proxyPass = "http://localhost:${builtins.toString cfg.ports.management}";
|
|
||||||
|
|
||||||
"/management.ManagementService/".extraConfig = ''
|
|
||||||
grpc_pass grpc://localhost:${builtins.toString cfg.ports.management};
|
|
||||||
grpc_read_timeout 1d;
|
|
||||||
grpc_send_timeout 1d;
|
|
||||||
grpc_socket_keepalive on;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services = {
|
|
||||||
netbird-setup = {
|
|
||||||
wantedBy = [
|
|
||||||
"netbird-management.service"
|
|
||||||
"netbird-signal.service"
|
|
||||||
"multi-user.target"
|
|
||||||
];
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RuntimeDirectory = "netbird-mgmt";
|
|
||||||
StateDirectory = "netbird-mgmt";
|
|
||||||
WorkingDirectory = stateDir;
|
|
||||||
EnvironmentFile = [ settingsFile ];
|
|
||||||
};
|
|
||||||
unitConfig = {
|
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
};
|
|
||||||
|
|
||||||
path =
|
|
||||||
(with pkgs; [
|
|
||||||
coreutils
|
|
||||||
findutils
|
|
||||||
gettext
|
|
||||||
gnused
|
|
||||||
])
|
|
||||||
++ (optionals cfg.setupAutoOidc (
|
|
||||||
with pkgs;
|
|
||||||
[
|
|
||||||
curl
|
|
||||||
jq
|
|
||||||
]
|
|
||||||
));
|
|
||||||
|
|
||||||
script =
|
|
||||||
''
|
|
||||||
cp ${managementFile} ${stateDir}/management.json.copy
|
|
||||||
''
|
|
||||||
+ (optionalString cfg.setupAutoOidc ''
|
|
||||||
mv ${stateDir}/management.json.copy ${stateDir}/management.json
|
|
||||||
echo "loading OpenID configuration from $NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT to the openid-configuration.json file"
|
|
||||||
curl "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" -q -o ${stateDir}/openid-configuration.json
|
|
||||||
|
|
||||||
export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${stateDir}/openid-configuration.json)
|
|
||||||
export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${stateDir}/openid-configuration.json)
|
|
||||||
|
|
||||||
envsubst '$NETBIRD_AUTH_AUTHORITY $NETBIRD_AUTH_JWT_CERTS $NETBIRD_AUTH_TOKEN_ENDPOINT $NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT $NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT' < ${stateDir}/management.json > ${stateDir}/management.json.copy
|
|
||||||
'')
|
|
||||||
+ ''
|
|
||||||
# Update secrets in management.json
|
|
||||||
${builtins.concatStringsSep "\n" (
|
|
||||||
builtins.attrValues (
|
|
||||||
builtins.mapAttrs (name: path: "export ${name}=$(cat ${path})") (
|
|
||||||
filterAttrs (_: p: p != null) cfg.secretFiles
|
|
||||||
)
|
|
||||||
)
|
|
||||||
)}
|
|
||||||
|
|
||||||
envsubst '$TURN_PASSWORD $TURN_SECRET $STUN_PASSWORD $AUTH_CLIENT_SECRET $IDP_MGMT_CLIENT_SECRET' < ${stateDir}/management.json.copy > ${stateDir}/management.json
|
|
||||||
|
|
||||||
rm -rf ${stateDir}/web-ui
|
|
||||||
mkdir -p ${stateDir}/web-ui
|
|
||||||
cp -R ${dashboard}/* ${stateDir}/web-ui
|
|
||||||
|
|
||||||
export AUTH_AUTHORITY="$NETBIRD_AUTH_AUTHORITY"
|
|
||||||
export AUTH_CLIENT_ID="$NETBIRD_AUTH_CLIENT_ID"
|
|
||||||
${optionalString (
|
|
||||||
cfg.secretFiles.AUTH_CLIENT_SECRET == null
|
|
||||||
) ''export AUTH_CLIENT_SECRET="$NETBIRD_AUTH_CLIENT_SECRET"''}
|
|
||||||
export AUTH_AUDIENCE="$NETBIRD_AUTH_AUDIENCE"
|
|
||||||
export AUTH_REDIRECT_URI="$NETBIRD_AUTH_REDIRECT_URI"
|
|
||||||
export AUTH_SILENT_REDIRECT_URI="$NETBIRD_AUTH_SILENT_REDIRECT_URI"
|
|
||||||
export USE_AUTH0="$NETBIRD_USE_AUTH0"
|
|
||||||
export AUTH_SUPPORTED_SCOPES=$(echo $NETBIRD_AUTH_SUPPORTED_SCOPES | sed -E 's/"//g')
|
|
||||||
|
|
||||||
export NETBIRD_MGMT_API_ENDPOINT=$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
|
|
||||||
|
|
||||||
MAIN_JS=$(find ${stateDir}/web-ui/static/js/main.*js)
|
|
||||||
OIDC_TRUSTED_DOMAINS=${stateDir}/web-ui/OidcTrustedDomains.js
|
|
||||||
mv "$MAIN_JS" "$MAIN_JS".copy
|
|
||||||
envsubst '$USE_AUTH0 $AUTH_AUTHORITY $AUTH_CLIENT_ID $AUTH_CLIENT_SECRET $AUTH_SUPPORTED_SCOPES $AUTH_AUDIENCE $NETBIRD_MGMT_API_ENDPOINT $NETBIRD_MGMT_GRPC_API_ENDPOINT $NETBIRD_HOTJAR_TRACK_ID $AUTH_REDIRECT_URI $AUTH_SILENT_REDIRECT_URI $NETBIRD_TOKEN_SOURCE $NETBIRD_DRAG_QUERY_PARAMS' < "$MAIN_JS".copy > "$MAIN_JS"
|
|
||||||
envsubst '$NETBIRD_MGMT_API_ENDPOINT' < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
netbird-signal = {
|
|
||||||
after = [ "network.target" ];
|
|
||||||
wantedBy = [ "netbird-management.service" ];
|
|
||||||
restartTriggers = [
|
|
||||||
settingsFile
|
|
||||||
managementFile
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = ''
|
|
||||||
${cfg.package}/bin/netbird-signal run \
|
|
||||||
--port ${builtins.toString cfg.ports.signal} \
|
|
||||||
--log-file console \
|
|
||||||
--log-level ${cfg.logLevel}
|
|
||||||
'';
|
|
||||||
Restart = "always";
|
|
||||||
RuntimeDirectory = "netbird-mgmt";
|
|
||||||
StateDirectory = "netbird-mgmt";
|
|
||||||
WorkingDirectory = stateDir;
|
|
||||||
};
|
|
||||||
unitConfig = {
|
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
};
|
|
||||||
stopIfChanged = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
netbird-management = {
|
|
||||||
description = "The management server for Netbird, a wireguard VPN";
|
|
||||||
documentation = [ "https://netbird.io/docs/" ];
|
|
||||||
after = [
|
|
||||||
"network.target"
|
|
||||||
"netbird-setup.service"
|
|
||||||
];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
wants = [
|
|
||||||
"netbird-signal.service"
|
|
||||||
"netbird-setup.service"
|
|
||||||
];
|
|
||||||
restartTriggers = [
|
|
||||||
settingsFile
|
|
||||||
managementFile
|
|
||||||
];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = ''
|
|
||||||
${cfg.package}/bin/netbird-mgmt management \
|
|
||||||
--config ${stateDir}/management.json \
|
|
||||||
--datadir ${stateDir}/data \
|
|
||||||
${optionalString cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics"} \
|
|
||||||
${optionalString cfg.management.disableSingleAccountMode "--disable-single-account-mode"} \
|
|
||||||
--dns-domain ${cfg.management.dnsDomain} \
|
|
||||||
--single-account-mode-domain ${cfg.management.singleAccountModeDomain} \
|
|
||||||
--idp-sign-key-refresh-enabled \
|
|
||||||
--port ${builtins.toString cfg.ports.management} \
|
|
||||||
--log-file console \
|
|
||||||
--log-level ${cfg.logLevel}
|
|
||||||
'';
|
|
||||||
Restart = "always";
|
|
||||||
RuntimeDirectory = "netbird-mgmt";
|
|
||||||
StateDirectory = [
|
|
||||||
"netbird-mgmt"
|
|
||||||
"netbird-mgmt/data"
|
|
||||||
];
|
|
||||||
WorkingDirectory = stateDir;
|
|
||||||
};
|
|
||||||
unitConfig = {
|
|
||||||
StartLimitInterval = 5;
|
|
||||||
StartLimitBurst = 10;
|
|
||||||
};
|
|
||||||
stopIfChanged = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
})
|
|
||||||
|
|
||||||
(mkIf cfg.enableCoturn {
|
|
||||||
services.coturn = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
realm = settings.NETBIRD_DOMAIN;
|
|
||||||
lt-cred-mech = true;
|
|
||||||
no-cli = true;
|
|
||||||
|
|
||||||
extraConfig = ''
|
|
||||||
fingerprint
|
|
||||||
|
|
||||||
user=${settings.TURN_USER}:${builtins.toString settings.TURN_PASSWORD}
|
|
||||||
no-software-attribute
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall = {
|
|
||||||
allowedUDPPorts = with settings; [
|
|
||||||
TURN_PORT
|
|
||||||
(TURN_PORT + 1)
|
|
||||||
5349
|
|
||||||
5350
|
|
||||||
];
|
|
||||||
allowedTCPPorts = with settings; [
|
|
||||||
TURN_PORT
|
|
||||||
(TURN_PORT + 1)
|
|
||||||
];
|
|
||||||
allowedUDPPortRanges = [
|
|
||||||
{
|
|
||||||
from = settings.TURN_MIN_PORT;
|
|
||||||
to = settings.TURN_MAX_PORT;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
})
|
|
||||||
|
|
||||||
(mkIf (cfg.enableNginx && cfg.enableCoturn) {
|
|
||||||
services.coturn =
|
|
||||||
let
|
|
||||||
cert = config.security.acme.certs.${settings.TURN_DOMAIN};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
cert = "${cert.directory}/fullchain.pem";
|
|
||||||
pkey = "${cert.directory}/key.pem";
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.nginx.extraGroups = [ "turnserver" ];
|
|
||||||
|
|
||||||
# share certs with coturn and restart on renewal
|
|
||||||
security.acme.certs.${settings.TURN_DOMAIN} = {
|
|
||||||
group = "turnserver";
|
|
||||||
postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
|
|
||||||
};
|
|
||||||
})
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -1,31 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
buildNpmPackage,
|
|
||||||
fetchFromGitHub,
|
|
||||||
}:
|
|
||||||
|
|
||||||
buildNpmPackage rec {
|
|
||||||
pname = "netbird-dashboard";
|
|
||||||
version = "1.17.6";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "netbirdio";
|
|
||||||
repo = "dashboard";
|
|
||||||
rev = "v${version}";
|
|
||||||
hash = "sha256-MDxN/58dv6OqPYnNgDVZ+YRzfw2dER7x8mEWe14rQ40=";
|
|
||||||
};
|
|
||||||
|
|
||||||
npmDepsHash = "sha256-x7YyzBPAiXyxaIcAvUrXBexYaw0TaYnKgQKT3KadW8w=";
|
|
||||||
npmFlags = [ "--legacy-peer-deps" ];
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
cp -R build $out
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
description = "NetBird Management Service Web UI Panel";
|
|
||||||
homepage = "https://github.com/netbirdio/dashboard";
|
|
||||||
license = licenses.bsd3;
|
|
||||||
maintainers = with maintainers; [ thubrecht ];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
{
|
|
||||||
pkgs ? import <nixpkgs> { },
|
|
||||||
}:
|
|
||||||
|
|
||||||
{
|
|
||||||
dashboard = pkgs.callPackage ./dashboard.nix { };
|
|
||||||
}
|
|
Binary file not shown.
|
@ -0,0 +1,30 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA xId0d57S+YmTeZzTTNOs7Pt3RPQ7MLNiKg6Mox2MEFo
|
||||||
|
hFUYZMNoxZQBEKz4SYDC4nLDDXRftXtUtCLCX2kvwZ8
|
||||||
|
-> ssh-ed25519 QlRB9Q kmsgaV+FRbqcKkhttlbmY22M6pO6kMCqLUYsq1yGSyA
|
||||||
|
VmprdWLh380qm6aarum1q17pDrMF0KLyXV/PN1OmEO8
|
||||||
|
-> ssh-ed25519 r+nK/Q XVeZFVNLv0FlL/lPhXrvVJcHAubE1tTfSxl5iiixtF0
|
||||||
|
Udm/qZMOzNcg2LMffkns+jUlrtXAC8Mk8ofCSD6zf/0
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
OJlswMZEz2ONsqvFH8aMo4cRXzNiSkqtOmNQuWbRcAI4sXKCNuNtNcv6WPcpBMPZ
|
||||||
|
8eTvoIOf8triUwGBWLZ9oRvYOeoucyWCqx0zf11VwOclRBeziRPOQ5Uon+5gpsg2
|
||||||
|
H1FO7Sk0sVjME/2INUjd1Q4TlPF9tlUOcEDBgyc81cLI0JrR7S2D6Hl/rAN9Gees
|
||||||
|
D9c+q5PJkvbw7KQPEu7WOxPNCi1gRyHSlKv5ef5gToNOl/c8GAJR5FutO/bTgTTl
|
||||||
|
P+yLysKXK+r2IwNNMHGFBDVbsp09IjQ+H623Sfr6H0pR7FYShohfzcM6JA3ydztN
|
||||||
|
Gy5MiJasx3nWCUYJZUL1Fw
|
||||||
|
-> ssh-ed25519 /vwQcQ OelREEMNnpUXuJ8BA1VPVM8yqEd8PS9m81sw5gaq8U8
|
||||||
|
wPUQOWxzsj55/hii7Cd4+P1eFWVDQANwIcImOliOqog
|
||||||
|
-> ssh-ed25519 0R97PA 9NzXGY3sZb8srqaVWWbZhbNJdDfCfeZIhJHPWy9U4FU
|
||||||
|
+LvE5cI8heO8XhsejCWaJrwaRGYGCziymPZLrYTOXtg
|
||||||
|
-> ssh-ed25519 JGx7Ng 1jWoS1sqmY9MxZT7fAMsg5QbokAMNlTg9jmpxzr1ekQ
|
||||||
|
7MndRQ0ruZP2/cOKaid60rQg8Q3ljy2oknf0czOLGSo
|
||||||
|
-> ssh-ed25519 5SY7Kg Bm19KVQA8DkrDxiYsVRdKVubML7J9L/apLoUs+otehk
|
||||||
|
kQMv/7uijZlyGDbDt2aNF85vp4nYM9o3fIetvnykX6I
|
||||||
|
-> ssh-ed25519 p/Mg4Q /vhTds9k+5uwSDjLyKp18ge+bu/Aeg72nHx2joWUTw0
|
||||||
|
zeim4NPL7floIvZ296vYuyk5XAVFCCaWRc0iRQQxbyg
|
||||||
|
-> ssh-ed25519 rHotTw YbKb6NyxsknA125fdWj5/RJjmaY22yDwNx+bLKV6ZW4
|
||||||
|
jJw+YJqQC/B+UMLYAtTAIZuON2hiZAY171ovJ0ceKjg
|
||||||
|
-> @K'k$-grease x>ie }CH4sS h|s
|
||||||
|
bVzOpc2vPj8ldZskVlQSmOE7wHR2q/dXcdC6vrPXSvYWCKK8Rg
|
||||||
|
--- uDaSBMjg5lvDnZyTKHqveb5B+y71HjrDzOqtsJycuBs
|
||||||
|
1Ò¨Rq¢<>nýµ{”ýT°5?HXH1¢ Ê%‘)Í01’RGr׿fÖNT4å2B(í);ìíÿ‰íÁœ
|
BIN
machines/storage01/secrets/netbird-relay_environment_file
Normal file
BIN
machines/storage01/secrets/netbird-relay_environment_file
Normal file
Binary file not shown.
31
machines/storage01/secrets/netbird-relay_secret_file
Normal file
31
machines/storage01/secrets/netbird-relay_secret_file
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 jIXfPA lI9DxAFp/gbF+77Sofv9KIrs3kMTYTLEm8C6AsZBPyI
|
||||||
|
8RFGt1aJnZbd7Lpr4iy1VlMr3yzpPf6sI79cik5X77c
|
||||||
|
-> ssh-ed25519 QlRB9Q eMENLAMY+eNXJhduTnJoyPimbThM7VA+4m6BrnZa8RE
|
||||||
|
NpwcJhh0U8pMU1hnXFz2bfwSmCQra1CI5Tr2cbXGMT0
|
||||||
|
-> ssh-ed25519 r+nK/Q eyuD/hYyYmG96AcPEZVNsohXgK9WD+g+ZyMpIyaiYjY
|
||||||
|
Ef+R/eXkqvOmYJvjz4muTjGamkXzgHzD31vXDXsgo3M
|
||||||
|
-> ssh-rsa krWCLQ
|
||||||
|
BuBMUp5uijNV71OYvMGS9NhBBplfFugJy14EOHclJ2TKjQ19RVKHPj0wX0AxuPCT
|
||||||
|
iV6j6Po/oKSsGuoKy6JMTLKjYtROPF70Ld8PlC4tFI5i0xQagEFhKONfk1Rd/mF0
|
||||||
|
2qGriQhSUMvkMirbkhE3CxrAzSqcjuoGji+ZWwpz2LYUVsF89nnoLsTRri+Sg5ZW
|
||||||
|
4qhoo23UTU+IlrVtqjB7W1rNAwHKhWPZnjc08x1x/qnLATemmDMsFmTEGljJNGMR
|
||||||
|
kEg+oUdwdvLjDsnGBWkE+Ck/mrEGwjcsDTmZmCYcH/Q11EMdj5hnCfG68PRhLF9K
|
||||||
|
b28fHveM3i5/jHrrTxWbrA
|
||||||
|
-> ssh-ed25519 /vwQcQ 1xQWlLW6xCrheirHSKcGEu+KM644y8NP1KYvwOganQc
|
||||||
|
IFVYj83X1uLvgIRlnDvnLiaoZNM9viLT7X11vIHdLxY
|
||||||
|
-> ssh-ed25519 0R97PA I8K03IKgC59zmHqVr8h8TaxuuTSbmYsyap830JyhIhw
|
||||||
|
AGxW9sq7PQNgs9WFcbINI2CnE3lJJ0rDmseN83YSeT0
|
||||||
|
-> ssh-ed25519 JGx7Ng syz/pzdj3Lg1VwulZhT8UQncgXjOH1nlbtqHgASLAws
|
||||||
|
IKaU32zbjFc319PctmGPtHt4RXjgzun0K+9HeuGS3FU
|
||||||
|
-> ssh-ed25519 5SY7Kg 06EjOyKw1zIWcdZGC7EfNt9mFix+fVcy1iS+SBhPgCQ
|
||||||
|
ZxcNbC1QmTPJkWlwBnD9YjuzekGZtSDeI7RYxq0uwgw
|
||||||
|
-> ssh-ed25519 p/Mg4Q uCbjjN5S0ZoZtsj5jva9mTrlZ2UE02A3DysxV1PZ/lM
|
||||||
|
7jWWiWp4ei5VjftKZz29osbaFxfpId+X3GLzgWZ9Wgo
|
||||||
|
-> ssh-ed25519 rHotTw Q1/zZpGbUCbXiEELad5710uNkllrFuQlhonSLfIoQVo
|
||||||
|
h6iW26rADPn1MRqNoD33ZVVDRDr2DBoNK+BjrDxwZik
|
||||||
|
-> ss-grease
|
||||||
|
A3WDPMHgipAaXF0MStKGx8CAbFTqks74CRTKButwwJYvgnMFp2Yglx3D2NOWTdJm
|
||||||
|
yde7gp5XInweYf2TjvQK88l0MD0VYlG9Lu7+wbWGFElCpQ
|
||||||
|
--- 0d/8UVX6ubUZpKG3LzJsFKbsZNRKUwQq7LuWMiyezKo
|
||||||
|
P?j@¦Hˆ´ßš¥¼ówgêìÚ©L¥_ã+ì|ζãÙ¦Ö#‘“fu#c涯„IæS†|¨À²å 4Š
|
|
@ -8,7 +8,9 @@
|
||||||
"influxdb2-initial_password_file"
|
"influxdb2-initial_password_file"
|
||||||
"influxdb2-initial_token_file"
|
"influxdb2-initial_token_file"
|
||||||
"influxdb2-telegraf_token_file"
|
"influxdb2-telegraf_token_file"
|
||||||
"netbird-auth_client_secret_file"
|
"netbird-data_store_encryption_key_file"
|
||||||
|
"netbird-relay_environment_file"
|
||||||
|
"netbird-relay_secret_file"
|
||||||
"nginx-tvix-store-password"
|
"nginx-tvix-store-password"
|
||||||
"nginx-tvix-store-password-ci"
|
"nginx-tvix-store-password-ci"
|
||||||
"peertube-secrets_file"
|
"peertube-secrets_file"
|
||||||
|
|
|
@ -86,7 +86,10 @@
|
||||||
stateVersion = "23.11";
|
stateVersion = "23.11";
|
||||||
nixpkgs = "24.05";
|
nixpkgs = "24.05";
|
||||||
|
|
||||||
nix-modules = [ "services/forgejo-nix-runners" ];
|
nix-modules = [
|
||||||
|
"services/forgejo-nix-runners"
|
||||||
|
"services/netbird/server.nix"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
vault01 = {
|
vault01 = {
|
||||||
|
|
|
@ -201,9 +201,9 @@
|
||||||
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
|
"url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
|
||||||
},
|
},
|
||||||
"branch": "main",
|
"branch": "main",
|
||||||
"revision": "ab4b7da75cd4c1380d31862c0a6b29c35ce0fa40",
|
"revision": "516225dc6958645284b11b74b9ce31e01993341c",
|
||||||
"url": null,
|
"url": null,
|
||||||
"hash": "1g7bv3q6kj6gql4hl1y6zxcbbizzzb6ai7wx53m0jdy4gakanc5l"
|
"hash": "1cxn1m1xf9p7p8a0y8r6iwp08d886k5rmgl947r9d0vg7ah31kmj"
|
||||||
},
|
},
|
||||||
"nix-patches": {
|
"nix-patches": {
|
||||||
"type": "GitRelease",
|
"type": "GitRelease",
|
||||||
|
@ -308,4 +308,4 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"version": 3
|
"version": 3
|
||||||
}
|
}
|
||||||
|
|
21
patches/05-netbird-relay.patch
Normal file
21
patches/05-netbird-relay.patch
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
diff --git a/pkgs/tools/networking/netbird/default.nix b/pkgs/tools/networking/netbird/default.nix
|
||||||
|
index 07a1e906dad3..d5799446628b 100644
|
||||||
|
--- a/pkgs/tools/networking/netbird/default.nix
|
||||||
|
+++ b/pkgs/tools/networking/netbird/default.nix
|
||||||
|
@@ -26,6 +26,7 @@ let
|
||||||
|
} else {
|
||||||
|
client = "netbird";
|
||||||
|
management = "netbird-mgmt";
|
||||||
|
+ relay = "netbird-relay";
|
||||||
|
signal = "netbird-signal";
|
||||||
|
};
|
||||||
|
in
|
||||||
|
@@ -82,7 +83,7 @@ buildGoModule rec {
|
||||||
|
(lib.mapAttrsToList
|
||||||
|
(module: binary: ''
|
||||||
|
mv $out/bin/${lib.last (lib.splitString "/" module)} $out/bin/${binary}
|
||||||
|
- '' + lib.optionalString (!ui) ''
|
||||||
|
+ '' + lib.optionalString (!ui && module != "relay") ''
|
||||||
|
installShellCompletion --cmd ${binary} \
|
||||||
|
--bash <($out/bin/${binary} completion bash) \
|
||||||
|
--fish <($out/bin/${binary} completion fish) \
|
|
@ -64,5 +64,11 @@ in
|
||||||
sha = "ae4bf4c110378ebacb3989c9533726859cfebbfa";
|
sha = "ae4bf4c110378ebacb3989c9533726859cfebbfa";
|
||||||
hash = "sha256-SgHhW9HCkDQsxT3eG4P9q68c43e3sbDHRY9qs7oSt8o=";
|
hash = "sha256-SgHhW9HCkDQsxT3eG4P9q68c43e3sbDHRY9qs7oSt8o=";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Build netbird-relay
|
||||||
|
{
|
||||||
|
_type = "static";
|
||||||
|
path = ./05-netbird-relay.patch;
|
||||||
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue