diff --git a/modules/netbird-dashboard.nix b/modules/netbird-dashboard.nix
index 666a39e..b3d8814 100644
--- a/modules/netbird-dashboard.nix
+++ b/modules/netbird-dashboard.nix
@@ -31,11 +31,17 @@ in {
 default = "localhost";
 };
 settings = mkOption {
+ description = ''
+ An attr set that will be used as environment to build the dashboard.
+ Any values that you set here will be templated into the frontend
+ and thas be freely available for anyone that can reach your website.
+ The exact values sadly aren't documented anywhere. An starting point
+ when searching for valid values is this [script](https://github.com/netbirdio/dashboard/blob/main/docker/init_react_envs.sh)
+ The only mandatory value is 'AUTH_AUTHORITY' as we cannot set a default value here.
+ '';
 type = types.submodule {
 freeformType = types.attrsOf (types.oneOf [types.str types.bool]);
 config = {
- #AUTH_AUTHORITY = ""; #${AUTH_AUTHORITY:-https://$AUTH0_DOMAIN}
- #AUTH_CLIENT_ID = ""; #${AUTH_CLIENT_ID:-$AUTH0_CLIENT_ID}
 # Due to how the backend and frontend work this secret will be templated into the backend
 # and then served statically from your website
 # This enables you to login without the normally needed indirection through the backend
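Review bot: The new description states that AUTH_AUTHORITY is mandatory, but nothing enforces it, so a forgotten value only surfaces later as a dashboard that cannot start a login. An `assertions` entry in the module's config section checking that the settings attrset contains `AUTH_AUTHORITY` would turn that into an evaluation-time error; that config section lies outside this hunk. While editing the text, `thas be freely available` should read `thus be freely available`, and `An starting point` should read `A starting point`.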
@@ -48,19 +54,18 @@ in {
 # To actually do something one still needs to have login
 # data and this secret so this being public will not
 # suffice for anything just decreasing security
- AUTH_CLIENT_SECRET = ""; #${AUTH_CLIENT_SECRET}
- AUTH_AUDIENCE = "netbird"; #${AUTH_AUDIENCE:-$AUTH0_AUDIENCE}
- #AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI}
- #AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI}
- USE_AUTH0 = false; #${USE_AUTH0:-true}
- AUTH_SUPPORTED_SCOPES = "openid profile email"; #${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}
+ AUTH_CLIENT_SECRET = "";
+ AUTH_CLIENT_ID = "netbird";
+ # AUTH_AUDIENCE must be set for your devices to be able to log in
+ AUTH_AUDIENCE = "netbird";
+ USE_AUTH0 = false;
+ AUTH_SUPPORTED_SCOPES = "openid profile email";
 
- NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
- NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #${NETBIRD_MGMT_GRPC_API_ENDPOINT}
- #NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
- #NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
+ # While you could override this to use http I would recommend to not do that
+ # as it will greatly impact the security of your application
+ NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}";
+ NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}";
 NETBIRD_TOKEN_SOURCE = "idToken";
- #NETBIRD_DRAG_QUERY_PARAMS=${NETBIRD_DRAG_QUERY_PARAMS:-false}
 };
 };
 };
diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix
index e00b860..ce47478 100644
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
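Review bot: The comment `# While you could override this to use http` implies the two NETBIRD_MGMT_* values can be overridden by the user, but as written they are plain definitions inside the submodule's `config`, so a user definition of the same key would collide with them at equal priority and, for a str freeform value, fail with a conflicting-definitions error (please confirm against the module evaluator). Wrapping the defaults in `mkDefault`, e.g. `NETBIRD_MGMT_API_ENDPOINT = mkDefault "https://${config.services.netbird-server.domain}";`, makes the override the comment describes actually possible; the same applies to the other defaults in this hunk and to the server `settings` defaults in the `@@ -118,53 +133,24 @@` hunk. These two defaults also read `config.services.netbird-server.domain`, which has no default, so a dashboard deployed against a management server not configured through this module fails at evaluation on `domain` rather than with a dashboard-level message; a sentence in the option description would save a user that round trip.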
@@ -21,6 +21,7 @@ in {
 options.services.netbird-server = {
 enable = mkEnableOption "netbird, a self hosted wireguard VPN";
 package = mkPackageOption pkgs "netbird" {};
+ enableCoturn = mkEnableOption "the coturn service for running the TURN/STUN server";
 domain = mkOption {
 description = "The domain of your netbird instance";
 };
@@ -72,6 +73,20 @@ in {
 };
 settings = mkOption {
 default = {};
+ description = ''
+ This will be converted to json and used as the management config.
+ Sadly the exact configuration is undocumented there only exists
+ this [template](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/management.json.tmpl)
+ The default values are usable, for a normal setup you don't need to set anything here.
+ Be advised that any secret you set in here will be in the nix store
+ and thus world readable. For compliant setups you don't need these secrets
+ as you should use a oidc public client, some client, e.g. google do not support
+ this without a secret, which is why you sometimes need to set a secret here.
+ This is not a problem as this secret will be exposed on your server publicly and only allows
+ client to initiate a authorization flow.
+ Even though the template contains oidc values you don't need to set any except for the
+ ConfigEndpoint as netbird will fetch the rest.
+ '';
 type = types.submodule {
 freeformType = formatType.type;
 config = {
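Review bot: The `settings` description correctly warns that any secret placed here lands world-readable in the nix store (the attrset is rendered into the `configFile` handed to netbird-mgmt; the rendering itself is outside this diff), but the module offers no alternative for the Google-style case the same paragraph describes. A file-based option — a path that is read at service start and merged into the rendered config — would keep such a client secret out of the store, and the description could point users to it instead of telling them the exposure is fine. The text also needs a light copy-edit: `a oidc public client` → `an OIDC public client`, `some client, e.g. google do not` → `some clients, e.g. Google, do not`, and `a authorization flow` → `an authorization flow`. The enclosing `mkOption` continues past the end of this hunk.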
@@ -118,53 +133,24 @@ in {
 HttpConfig = {
 Address = "0.0.0.0:${toString cfg.port}";
 AuthAudience = "netbird";
- #"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY";
- #"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE";
- #"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS";
 AuthUserIDClaim = "preferred_username";
- #"CertFile" = "$NETBIRD_MGMT_API_CERT_FILE";
- #"CertKey" = "$NETBIRD_MGMT_API_CERT_KEY_FILE";
- #"IdpSignKeyRefreshEnabled" = "$NETBIRD_MGMT_IDP_SIGNKEY_REFRESH";
 OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
 };
 IdpManagerConfig = {
 ManagerType = "none";
- ClientConfig = {
- #"Issuer" = "$NETBIRD_AUTH_AUTHORITY";
- #TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
- ClientID = "netbird-manager";
- ClientSecret = lib.trace "oho wer stiehlt meine zugäneg zuerts" "$NETBIRD_IDP_MGMT_CLIENT_SECRET";
- GrantType = "client_credentials";
- };
- #"ExtraConfig" = "$NETBIRD_IDP_MGMT_EXTRA_CONFIG";
- #"Auth0ClientCredentials" = null;
- #"AzureClientCredentials" = null;
- #"KeycloakClientCredentials" = null;
- #"ZitadelClientCredentials" = null;
 };
 DeviceAuthorizationFlow = {
- #Provider = "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER";
 ProviderConfig = {
 Audience = "netbird";
- #"AuthorizationEndpoint" = "";
- #"Domain" = "$NETBIRD_AUTH0_DOMAIN";
- #"ClientID" = "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID";
- #"ClientSecret" = "";
- #"TokenEndpoint" = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
- #"DeviceAuthEndpoint" = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
 Scope = "openid profile email";
- #"UseIDToken" = "$NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN";
- #"RedirectURLs" = null;
 };
 };
 PKCEAuthorizationFlow = {
 ProviderConfig = {
 Audience = "netbird";
 ClientID = "netbird";
- ClientSecret = lib.trace "oho bei zo vielen sicherheitzlücken" "";
+ ClientSecret = "";
 Domain = "";
- #AuthorizationEndpoint = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
- #TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
 Scope = "openid profile email";
 RedirectURLs = ["http://localhost:53000"];
 UseIDToken = true;
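Review bot: With the `lib.trace` debug strings and the env-placeholder client credentials removed, the one identity-relevant default left in this block is the context line `AuthUserIDClaim = "preferred_username"`, and it deserves a comment: that claim is commonly user-editable at the IdP and not guaranteed unique, whereas `sub` is the stable subject identifier, so keying NetBird users on it risks identity confusion if a username is renamed or reused (not changed by this commit, raised because the surrounding block is being cleaned up). Suggest `# preferred_username can be renamed/reused at the IdP; use "sub" unless your IdP guarantees uniqueness` above that line; switching the default itself should wait for a check of how existing accounts were keyed. `ClientSecret = ""` is the right default for the public PKCE client.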
@@ -175,6 +161,24 @@ in {
 };
 };
 config = mkIf cfg.enable {
+ services.coturn = mkIf cfg.enableCoturn {
+ enable = true;
+
+ realm = cfg.dorain;
+ lt-cred-mech = true;
+ no-cli = true;
+
+ # Official documentation says that external-ip has to be
+ # an IP which is not true as [this](https://github.com/coturn/coturn/blob/9b1cca1fbe909e7cc7c7ac28865f9c190af3515b/src/client/ns_turn_ioaddr.c#L234)
+ # will resolve and dns name as well
+ extraConfig = ''
+ fingerprint
+
+ user=${cfg.turn.userName}:${cfg.turn.password}
+ no-software-attribute
+ external-ip=${cfg.domain}
+ '';
+ };
 systemd.services = {
 netbird-signal = {
 after = ["network.target"];
@@ -222,7 +226,7 @@ in {
 ${cfg.package}/bin/netbird-mgmt management \
 --config ${configFile} \
 --datadir /var/lib/netbird-mgmt/data \
- --disable-anonymous-metrics \
+ --disable-anonymous-metrics=true \
 ${
 if cfg.singleAccountModeDomain == null
 then "--disable-single-account-mode"
diff --git a/modules/services/netbird.nix b/modules/services/netbird.nix
index 12a5e56..74ae540 100644
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
@@ -16,7 +16,6 @@
 domain = "netbird.${config.secrets.secrets.global.domains.web}";
 settings = {
 AUTH_AUTHORITY = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
- AUTH_CLIENT_ID = "netbird";
 };
 };
 services.netbird-server = {
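Review bot: `realm = cfg.dorain;` references an option that does not exist in this module (`external-ip=${cfg.domain}` a few lines below uses the real name), so enabling `enableCoturn` will fail at evaluation; change it to `realm = cfg.domain;`. Separately, `user=${cfg.turn.userName}:${cfg.turn.password}` interpolates the TURN password into a coturn config that lives in the nix store and is therefore world-readable on the host; unless the `cfg.turn.*` options (declared nowhere in this diff) carry that caveat, a file-based credential such as coturn's `static-auth-secret-file` with `use-auth-secret`, if the NixOS coturn module in use provides it, would keep the secret out of the store. Note also that the host config in modules/services/netbird.nix drops its own `services.coturn` block in this diff but nowhere sets `services.netbird-server.enableCoturn = true`, so that host silently loses its TURN server unless it is enabled somewhere outside the diff.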
@@ -25,32 +24,6 @@
 # TODO remove
 oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
 singleAccountModeDomain = "netbird.patrick";
- # todo disabel metrics
- settings = {
- HttpConfig = {
- #AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
- #AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk";
- AuthAudience = "netbird";
- };
- # Seems to be only useful for idp that netbird supports
- IdpManagerConfig.ClientConfig = {
- #Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
- #TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
- };
- #DeviceAuthorizationFlow = {
- # Provider = "none";
- # ProviderConfig = {
- # AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
- # ClientID = "netbird";
- # #ClientSecret = "";
- # TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
- # #RedirectURLs = ["http://localhost:53000"];
- # };
- #};
- PKCEAuthorizationFlow.ProviderConfig = {
- #AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
- };
- };
 };
 environment.persistence."/persist".directories = [
 {
@@ -59,20 +32,4 @@
 user = "netbird";
 }
 ];
- services.nginx.recommendedSetup = true;
- services.coturn = {
- enable = true;
-
- realm = "netbird.${config.secrets.secrets.global.domains.web}";
- lt-cred-mech = true;
- no-cli = true;
-
- extraConfig = ''
- fingerprint
-
- user=turn:netbird
- no-software-attribute
- external-ip=87.170.9.213
- '';
- };
 }