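{
  config,
  pkgs,
  lib,
  ...
}: let
  inherit
    (lib)
    mkEnableOption
    mkOption
    mkPackageOption
    mkDefault
    mkIf
    types
    ;

  cfg = config.services.netbird-server;

  formatType = pkgs.formats.json {};

  # Rendered management config.json.
  # NOTE(security): this derivation output lands in /nix/store, which is
  # world-readable, so every value in `cfg.settings` -- the TURN password and
  # secret, `DataStoreEncryptionKey`, any IdP client secret -- is readable by
  # every local user. Treat `settings` as public configuration; real secrets
  # would have to be injected at service start (e.g. a config rendered from a
  # root-only file in ExecStartPre), which this module does not do yet.
  configFile = formatType.generate "config.json" cfg.settings;

  stateDir = "/var/lib/netbird-mgmt";

  # serviceConfig shared by both units. Neither binds a privileged port and
  # neither writes outside its state/runtime directory, so they run as an
  # unprivileged system user with a read-only view of the rest of the
  # filesystem. StateDirectory/RuntimeDirectory stay writable under
  # ProtectSystem=strict; systemd adjusts their ownership to User/Group on
  # start (NOTE(review): verify on an installation whose data was created as
  # root before this change).
  commonServiceConfig = {
    User = "netbird";
    Group = "netbird";
    Restart = "always";
    RuntimeDirectory = "netbird-mgmt";
    WorkingDirectory = stateDir;
    NoNewPrivileges = true;
    PrivateTmp = true;
    PrivateDevices = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    ProtectKernelTunables = true;
    ProtectControlGroups = true;
    RestrictSUIDSGID = true;
  };
in {
  options.services.netbird-server = {
    enable = mkEnableOption "netbird, a self hosted wireguard VPN";

    package = mkPackageOption pkgs "netbird" {};

    domain = mkOption {
      type = types.str;
      example = "netbird.example.org";
      description = "The domain of your netbird instance";
    };

    port = mkOption {
      description = "The port the management interface will listen on";
      type = types.port;
      default = 3000;
    };

    oidcConfigEndpoint = mkOption {
      type = types.str;
      example = "https://example.eu.auth0.com/.well-known/openid-configuration";
      description = "The oidc discovery endpoint";
    };

    signalPort = mkOption {
      description = "The listening port for the signal protocol";
      default = 3001;
      type = types.port;
    };

    singleAccountModeDomain = mkOption {
      description = "Optional domain for single account mode, set to null to disable singleAccountMode";
      type = types.nullOr types.str;
      default = "netbird.selfhosted";
      example = null;
    };

    extraCommandLineArgs = mkOption {
      description = "Extra arguments appended to the `netbird-mgmt management` command line.";
      type = types.listOf types.str;
      default = [];
      example = ["--log-level" "debug"];
    };

    turn = {
      domain = mkOption {
        description = "The domain under which the TURN server is reachable";
        type = types.str;
        example = "localhost";
        default = cfg.domain;
      };
      port = mkOption {
        description = "The port under which the TURN server is reachable";
        type = types.port;
        default = 3478;
      };
      userName = mkOption {
        description = "The Username for logging into your turn server";
        type = types.str;
        default = "netbird";
      };
      password = mkOption {
        description = ''
          The password for logging into your turn server.
          The default is a well-known placeholder and, like every other
          setting, ends up in the world-readable Nix store; override it for
          any real deployment.
        '';
        type = types.str;
        default = lib.warn "services.netbird-server.turn.password uses the insecure default \"netbird\"; set it explicitly" "netbird";
      };
      secret = mkOption {
        description = ''
          Shared secret written to `TURNConfig.Secret` (presumably only used
          when `TimeBasedCredentials` is enabled, which it is not by default
          here). Same caveat as `turn.password`.
        '';
        type = types.str;
        default = lib.warn "services.netbird-server.turn.secret uses the insecure default \"secret\"; set it explicitly" "secret";
      };
    };

    dataStoreEncryptionKey = mkOption {
      description = ''
        Value of `DataStoreEncryptionKey` in the management config. The
        default is a key committed to this repository, so it provides no
        confidentiality; generate a fresh one per deployment.
        NOTE(review): an existing data store was set up with the default key;
        check NetBird's key-rotation procedure before changing it there.
      '';
      type = types.str;
      default = lib.warn "services.netbird-server.dataStoreEncryptionKey uses the publicly known default key; generate your own" "X4/obyAolDVhjGsz8NDb4TJqgCfwmCA7lOtJFHt9L3w=";
    };

    settings = mkOption {
      default = {};
      description = ''
        Contents of the management server's config.json. The defaults below
        are applied with `mkDefault`, so any key can be overridden here.
        Everything in this attribute set is written to the Nix store in plain
        text; see the note on `configFile`.
      '';
      type = types.submodule {
        freeformType = formatType.type;
        # mkDefault is required: without it a user-supplied leaf such as
        # settings.TURNConfig.Secret conflicts with the value below instead of
        # overriding it.
        config = mkDefault {
          Stuns = [
            {
              Proto = "udp";
              # STUN entry gets the stun: scheme (previously swapped with the
              # turn: entry below).
              Uri = "stun:${cfg.turn.domain}:${toString cfg.turn.port}";
              Username = "";
              Password = null;
            }
          ];
          TURNConfig = {
            Turns = [
              {
                Proto = "udp";
                Uri = "turn:${cfg.turn.domain}:${toString cfg.turn.port}";
                Username = cfg.turn.userName;
                Password = cfg.turn.password;
              }
            ];
            CredentialsTTL = "12h";
            Secret = cfg.turn.secret;
            TimeBasedCredentials = false;
          };
          Signal = {
            Proto = "https";
            # NOTE(review): clients are pointed at cfg.domain:443, not at
            # signalPort; this assumes a TLS-terminating reverse proxy in front
            # of netbird-signal, which this module does not configure.
            URI = "${cfg.domain}:443";
            Username = "";
            Password = null;
          };
          ReverseProxy = {
            TrustedHTTPProxies = [];
            TrustedHTTPProxiesCount = 0;
            # NOTE(review): 0.0.0.0/0 trusts forwarded-client headers from any
            # source. If the management API is reachable without a proxy,
            # narrow this to the proxy's address -- confirm the exact semantics
            # against the NetBird documentation.
            TrustedPeers = [
              "0.0.0.0/0"
            ];
          };
          # NOTE(review): the unit passes --datadir ${stateDir}/data on the
          # command line; which of the two wins is not visible here.
          Datadir = stateDir;
          DataStoreEncryptionKey = cfg.dataStoreEncryptionKey;
          StoreConfig = {
            Engine = "sqlite";
          };
          HttpConfig = {
            # Plain HTTP on all interfaces (no CertFile/CertKey); TLS is
            # expected to be terminated by a reverse proxy.
            Address = "0.0.0.0:${toString cfg.port}";
            AuthAudience = "netbird";
            #"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY";
            #"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE";
            #"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS";
            AuthUserIDClaim = "preferred_username";
            #"CertFile" = "$NETBIRD_MGMT_API_CERT_FILE";
            #"CertKey" = "$NETBIRD_MGMT_API_CERT_KEY_FILE";
            #"IdpSignKeyRefreshEnabled" = "$NETBIRD_MGMT_IDP_SIGNKEY_REFRESH";
            OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
          };
          IdpManagerConfig = {
            ManagerType = "none";
            ClientConfig = {
              #"Issuer" = "$NETBIRD_AUTH_AUTHORITY";
              #TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
              ClientID = "netbird-manager";
              # NOTE(review): Nix does not expand "$NETBIRD_IDP_MGMT_CLIENT_SECRET";
              # the literal string is written to config.json. Harmless while
              # ManagerType is "none", but a real value set via `settings`
              # would land in /nix/store like everything else.
              ClientSecret = "$NETBIRD_IDP_MGMT_CLIENT_SECRET";
              GrantType = "client_credentials";
            };
            #"ExtraConfig" = "$NETBIRD_IDP_MGMT_EXTRA_CONFIG";
            #"Auth0ClientCredentials" = null;
            #"AzureClientCredentials" = null;
            #"KeycloakClientCredentials" = null;
            #"ZitadelClientCredentials" = null;
          };
          DeviceAuthorizationFlow = {
            #Provider = "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER";
            ProviderConfig = {
              Audience = "netbird";
              #"AuthorizationEndpoint" = "";
              #"Domain" = "$NETBIRD_AUTH0_DOMAIN";
              #"ClientID" = "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID";
              #"ClientSecret" = "";
              #"TokenEndpoint" = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
              #"DeviceAuthEndpoint" = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
              Scope = "openid profile email";
              #"UseIDToken" = "$NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN";
              #"RedirectURLs" = null;
            };
          };
          PKCEAuthorizationFlow = {
            ProviderConfig = {
              Audience = "netbird";
              ClientID = "netbird";
              # Public client: PKCE needs no client secret.
              ClientSecret = "";
              Domain = "";
              #AuthorizationEndpoint = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
              #TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
              Scope = "openid profile email";
              # Loopback redirect used by the netbird client's browser login.
              RedirectURLs = ["http://localhost:53000"];
              UseIDToken = true;
            };
          };
        };
      };
    };
  };

  config = mkIf cfg.enable {
    users.users.netbird = {
      isSystemUser = true;
      group = "netbird";
      description = "NetBird management/signal service user";
    };
    users.groups.netbird = {};

    systemd.services = {
      netbird-signal = {
        description = "The signal server for Netbird, a wireguard VPN";
        after = ["network.target"];
        wantedBy = ["netbird-management.service"];
        restartTriggers = [
          configFile
        ];
        serviceConfig =
          commonServiceConfig
          // {
            ExecStart = ''
              ${cfg.package}/bin/netbird-signal run \
                --log-file console \
                --port ${toString cfg.signalPort}
            '';
            StateDirectory = "netbird-mgmt";
          };
        unitConfig = {
          StartLimitInterval = 5;
          StartLimitBurst = 10;
        };
        stopIfChanged = false;
      };

      netbird-management = {
        description = "The management server for Netbird, a wireguard VPN";
        documentation = ["https://netbird.io/docs/"];
        # NOTE(review): netbird-setup.service is not defined in this module;
        # the after/wants entries are no-ops unless another module provides it.
        after = [
          "network.target"
          "netbird-setup.service"
        ];
        wantedBy = ["multi-user.target"];
        wants = [
          "netbird-signal.service"
          "netbird-setup.service"
        ];
        restartTriggers = [
          configFile
        ];
        serviceConfig =
          commonServiceConfig
          // {
            # User-controlled strings are shell-escaped; systemd's ExecStart
            # parser honours the resulting quoting.
            ExecStart = ''
              ${cfg.package}/bin/netbird-mgmt management \
                --config ${configFile} \
                --datadir ${stateDir}/data \
                --disable-anonymous-metrics \
                ${
                if cfg.singleAccountModeDomain == null
                then "--disable-single-account-mode"
                else "--single-account-mode-domain ${lib.escapeShellArg cfg.singleAccountModeDomain}"
              } \
                --idp-sign-key-refresh-enabled \
                --port ${toString cfg.port} \
                --log-file console \
                ${lib.escapeShellArgs cfg.extraCommandLineArgs}
            '';
            StateDirectory = [
              "netbird-mgmt"
              "netbird-mgmt/data"
            ];
          };
        unitConfig = {
          StartLimitInterval = 5;
          StartLimitBurst = 10;
        };
        stopIfChanged = false;
      };
    };
  };
}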