# SPDX-FileCopyrightText: 2024 Tom Hubrecht # # SPDX-License-Identifier: EUPL-1.2 { config, lib, nixpkgs, ... }: let domain = "netbird.dgnum.eu"; s = name: config.age.secrets.${name}.path; in { services = { netbird.server = { enable = true; package = nixpkgs.nixos.unstable.netbird; inherit domain; enableNginx = true; coturn.enable = lib.mkForce false; relay = { environmentFile = s "netbird-relay_environment_file"; metricsPort = 9094; }; dashboard = { settings = { AUTH_AUTHORITY = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird"; AUTH_AUDIENCE = "dgn_netbird"; AUTH_CLIENT_ID = "dgn_netbird"; AUTH_REDIRECT_URI = "/index"; }; }; management = { oidcConfigEndpoint = "https://sso.dgnum.eu/oauth2/openid/dgn_netbird/.well-known/openid-configuration"; dnsDomain = "dgnum"; metricsPort = 9092; settings = { DataStoreEncryptionKey._secret = s "netbird-data_store_encryption_key_file"; PKCEAuthorizationFlow.ProviderConfig = { Audience = "dgn_netbird"; ClientID = "dgn_netbird"; AuthorizationEndpoint = "https://sso.dgnum.eu/ui/oauth2"; TokenEndpoint = "https://sso.dgnum.eu/oauth2/token"; }; IdpManagerConfig.ClientConfig.ClientID = "dgn_netbird"; DeviceAuthorizationFlow = { Provider = "none"; ProviderConfig = { Audience = "dgn_netbird"; ClientID = "dgn_netbird"; }; }; Relay = { Addresses = [ "rels://${domain}:443" ]; CredentialsTTL = "24h"; Secret._secret = s "netbird-relay_secret_file"; }; }; }; }; nginx.virtualHosts.${domain} = { enableACME = true; forceSSL = true; }; }; dgn-backups.jobs.netbird.settings.paths = [ "/var/lib/netbird-mgmt" ]; }