2024-03-21 20:39:59 +01:00
|
|
|
{
|
|
|
|
pkgs,
|
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
...
|
|
|
|
}: let
|
|
|
|
inherit
|
|
|
|
(lib)
|
|
|
|
mkPackageOption
|
|
|
|
mkIf
|
|
|
|
mkEnableOption
|
|
|
|
mkOption
|
|
|
|
types
|
|
|
|
isBool
|
|
|
|
boolToString
|
|
|
|
;
|
|
|
|
|
|
|
|
toStringEnv = value:
|
|
|
|
if isBool value
|
|
|
|
then boolToString value
|
|
|
|
else toString value;
|
|
|
|
cfg = config.services.netbird-dashboard;
|
|
|
|
in {
|
|
|
|
options.services.netbird-dashboard = {
|
|
|
|
enable = mkEnableOption "the static netbird dashboard frontend";
|
|
|
|
package = mkPackageOption pkgs "netbird-dashboard" {};
|
|
|
|
enableNginx = mkEnableOption "Nginx as a webserver serving the backend";
|
|
|
|
domain = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
description = "The domain under which the dashboard runs.";
|
|
|
|
default = "localhost";
|
|
|
|
};
|
|
|
|
settings = mkOption {
|
|
|
|
type = types.submodule {
|
|
|
|
freeformType = types.attrsOf (types.oneOf [types.str types.bool]);
|
|
|
|
config = {
|
|
|
|
#AUTH_AUTHORITY = ""; #${AUTH_AUTHORITY:-https://$AUTH0_DOMAIN}
|
|
|
|
#AUTH_CLIENT_ID = ""; #${AUTH_CLIENT_ID:-$AUTH0_CLIENT_ID}
|
|
|
|
# Due to how the backend and frontend work this secret will be templated into the backend
|
|
|
|
# and then served statically from your website
|
|
|
|
# This enables you to login without the normally needed indirection through the backend
|
|
|
|
# but this also means anyone that can reach your website can
|
|
|
|
# fetch this secret, which is why there is no real need to put it into
|
|
|
|
# special options as its public anyway
|
|
|
|
# As far as I know leaking this secret is just
|
|
|
|
# an information leak as one can fetch some basic app
|
|
|
|
# informations from the IDP
|
|
|
|
# To actually do something one still needs to have login
|
|
|
|
# data and this secret so this being public will not
|
|
|
|
# suffice for anything just decreasing security
|
|
|
|
AUTH_CLIENT_SECRET = ""; #${AUTH_CLIENT_SECRET}
|
|
|
|
AUTH_AUDIENCE = "netbird"; #${AUTH_AUDIENCE:-$AUTH0_AUDIENCE}
|
|
|
|
#AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI}
|
|
|
|
#AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI}
|
|
|
|
USE_AUTH0 = false; #${USE_AUTH0:-true}
|
|
|
|
AUTH_SUPPORTED_SCOPES = "openid profile email"; #${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}
|
|
|
|
|
2024-03-24 21:06:11 +01:00
|
|
|
NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
|
|
|
|
NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #${NETBIRD_MGMT_GRPC_API_ENDPOINT}
|
2024-03-21 20:39:59 +01:00
|
|
|
#NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
|
|
|
|
#NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
|
|
|
|
NETBIRD_TOKEN_SOURCE = "idToken";
|
|
|
|
#NETBIRD_DRAG_QUERY_PARAMS=${NETBIRD_DRAG_QUERY_PARAMS:-false}
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
config = let
|
|
|
|
deriv = pkgs.runCommand "template-netbird-dashboard" {} ''
|
|
|
|
cp -r ${cfg.package} ./temp
|
|
|
|
|
|
|
|
|
|
|
|
${
|
|
|
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: ''export "${name}"="${toStringEnv value}"'') cfg.settings)
|
|
|
|
}
|
|
|
|
|
|
|
|
# replace ENVs in the config
|
|
|
|
ENV_STR="\$\$USE_AUTH0 \$\$AUTH_AUDIENCE \$\$AUTH_AUTHORITY \$\$AUTH_CLIENT_ID \$\$AUTH_CLIENT_SECRET \$\$AUTH_SUPPORTED_SCOPES \$\$NETBIRD_MGMT_API_ENDPOINT \$\$NETBIRD_MGMT_GRPC_API_ENDPOINT \$\$NETBIRD_HOTJAR_TRACK_ID \$\$NETBIRD_GOOGLE_ANALYTICS_ID \$\$AUTH_REDIRECT_URI \$\$AUTH_SILENT_REDIRECT_URI \$\$NETBIRD_TOKEN_SOURCE \$\$NETBIRD_DRAG_QUERY_PARAMS"
|
|
|
|
|
|
|
|
find temp -type d -exec chmod 755 {} \;
|
|
|
|
OIDC_TRUSTED_DOMAINS="./temp/OidcTrustedDomains.js"
|
|
|
|
${pkgs.gettext}/bin/envsubst "$ENV_STR" < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
|
|
|
|
for f in $(grep -R -l AUTH_SUPPORTED_SCOPES ./); do
|
|
|
|
${pkgs.gettext}/bin/envsubst "$ENV_STR" < "$f" > "$f".copy
|
|
|
|
mv -f "$f".copy "$f"
|
|
|
|
done
|
|
|
|
mkdir -p $out
|
|
|
|
cp -r ./temp/. $out/
|
|
|
|
'';
|
|
|
|
in
|
|
|
|
mkIf cfg.enable
|
|
|
|
{
|
|
|
|
services.nginx = mkIf cfg.enableNginx {
|
|
|
|
enable = true;
|
|
|
|
virtualHosts = {
|
|
|
|
${cfg.domain} = {
|
|
|
|
locations = {
|
|
|
|
"/" = {
|
|
|
|
root = "${deriv}/";
|
2024-03-24 21:06:11 +01:00
|
|
|
tryFiles = "$uri $uri.html $uri/ =404";
|
2024-03-21 20:39:59 +01:00
|
|
|
};
|
|
|
|
};
|
2024-03-24 21:06:11 +01:00
|
|
|
extraConfig = ''
|
|
|
|
error_page 404 /404.html;
|
|
|
|
location = /404.html {
|
|
|
|
internal;
|
|
|
|
}
|
|
|
|
'';
|
2024-03-21 20:39:59 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|