chore: netbird cleanup

This commit is contained in:
Patrick 2024-03-25 18:59:06 +01:00
parent e9dcc564f0
commit 466f1a7291
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
3 changed files with 53 additions and 87 deletions


@ -31,11 +31,17 @@ in {
default = "localhost"; default = "localhost";
}; };
settings = mkOption { settings = mkOption {
description = ''
An attr set that will be used as environment to build the dashboard.
Any values that you set here will be templated into the frontend
and thas be freely available for anyone that can reach your website.
The exact values sadly aren't documented anywhere. An starting point
when searching for valid values is this [script](https://github.com/netbirdio/dashboard/blob/main/docker/init_react_envs.sh)
The only mandatory value is 'AUTH_AUTHORITY' as we cannot set a default value here.
'';
type = types.submodule { type = types.submodule {
freeformType = types.attrsOf (types.oneOf [types.str types.bool]); freeformType = types.attrsOf (types.oneOf [types.str types.bool]);
config = { config = {
#AUTH_AUTHORITY = ""; #${AUTH_AUTHORITY:-https://$AUTH0_DOMAIN}
#AUTH_CLIENT_ID = ""; #${AUTH_CLIENT_ID:-$AUTH0_CLIENT_ID}
# Due to how the backend and frontend work this secret will be templated into the backend # Due to how the backend and frontend work this secret will be templated into the backend
# and then served statically from your website # and then served statically from your website
# This enables you to login without the normally needed indirection through the backend # This enables you to login without the normally needed indirection through the backend
@ -48,19 +54,18 @@ in {
# To actually do something one still needs to have login # To actually do something one still needs to have login
# data and this secret so this being public will not # data and this secret so this being public will not
# suffice for anything just decreasing security # suffice for anything just decreasing security
AUTH_CLIENT_SECRET = ""; #${AUTH_CLIENT_SECRET} AUTH_CLIENT_SECRET = "";
AUTH_AUDIENCE = "netbird"; #${AUTH_AUDIENCE:-$AUTH0_AUDIENCE} AUTH_CLIENT_ID = "netbird";
#AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI} # AUTH_AUDIENCE must be set for your devices to be able to log in
#AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI} AUTH_AUDIENCE = "netbird";
USE_AUTH0 = false; #${USE_AUTH0:-true} USE_AUTH0 = false;
AUTH_SUPPORTED_SCOPES = "openid profile email"; #${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified} AUTH_SUPPORTED_SCOPES = "openid profile email";
NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//') # While you could override this to use http I would recommend to not do that
NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #${NETBIRD_MGMT_GRPC_API_ENDPOINT} # as it will greatly impact the security of your application
#NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID} NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}";
#NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID} NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}";
NETBIRD_TOKEN_SOURCE = "idToken"; NETBIRD_TOKEN_SOURCE = "idToken";
#NETBIRD_DRAG_QUERY_PARAMS=${NETBIRD_DRAG_QUERY_PARAMS:-false}
}; };
}; };
}; };
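Review bot: The new `settings` description (first hunk) states that `AUTH_AUTHORITY` is the only mandatory value, but nothing in the module enforces it, so an omitted value would be templated into the dashboard as an empty authority rather than failing the build; an assertion in the module's `config` block (outside this hunk, and assuming the module binds `cfg` like the server module does) such as `assertions = [{ assertion = cfg.settings ? AUTH_AUTHORITY; message = "<OPTION_PATH>.settings.AUTH_AUTHORITY must be set"; }];` would turn that into an evaluation error. The same description has two typos: `and thas be freely available` should read `and thus be freely available`, and `An starting point` should read `A starting point`. Since the description already says every value here is served publicly, it could also state that `AUTH_CLIENT_SECRET` defaults to empty and should be left empty, which is what the comment above the `AUTH_CLIENT_SECRET = "";` line in the second hunk explains.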


@ -21,6 +21,7 @@ in {
options.services.netbird-server = { options.services.netbird-server = {
enable = mkEnableOption "netbird, a self hosted wireguard VPN"; enable = mkEnableOption "netbird, a self hosted wireguard VPN";
package = mkPackageOption pkgs "netbird" {}; package = mkPackageOption pkgs "netbird" {};
enableCoturn = mkEnableOption "the coturn service for running the TURN/STUN server";
domain = mkOption { domain = mkOption {
description = "The domain of your netbird instance"; description = "The domain of your netbird instance";
}; };
@ -72,6 +73,20 @@ in {
}; };
settings = mkOption { settings = mkOption {
default = {}; default = {};
description = ''
This will be converted to json and used as the management config.
Sadly the exact configuration is undocumented there only exists
this [template](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/management.json.tmpl)
The default values are usable, for a normal setup you don't need to set anything here.
Be advised that any secret you set in here will be in the nix store
and thus world readable. For compliant setups you don't need these secrets
as you should use a oidc public client, some client, e.g. google do not support
this without a secret, which is why you sometimes need to set a secret here.
This is not a problem as this secret will be exposed on your server publicly and only allows
client to initiate a authorization flow.
Even though the template contains oidc values you don't need to set any except for the
ConfigEndpoint as netbird will fetch the rest.
'';
type = types.submodule { type = types.submodule {
freeformType = formatType.type; freeformType = formatType.type;
config = { config = {
@ -118,53 +133,24 @@ in {
HttpConfig = { HttpConfig = {
Address = "0.0.0.0:${toString cfg.port}"; Address = "0.0.0.0:${toString cfg.port}";
AuthAudience = "netbird"; AuthAudience = "netbird";
#"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY";
#"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE";
#"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS";
AuthUserIDClaim = "preferred_username"; AuthUserIDClaim = "preferred_username";
#"CertFile" = "$NETBIRD_MGMT_API_CERT_FILE";
#"CertKey" = "$NETBIRD_MGMT_API_CERT_KEY_FILE";
#"IdpSignKeyRefreshEnabled" = "$NETBIRD_MGMT_IDP_SIGNKEY_REFRESH";
OIDCConfigEndpoint = cfg.oidcConfigEndpoint; OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
}; };
IdpManagerConfig = { IdpManagerConfig = {
ManagerType = "none"; ManagerType = "none";
ClientConfig = {
#"Issuer" = "$NETBIRD_AUTH_AUTHORITY";
#TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
ClientID = "netbird-manager";
ClientSecret = lib.trace "oho wer stiehlt meine zugäneg zuerts" "$NETBIRD_IDP_MGMT_CLIENT_SECRET";
GrantType = "client_credentials";
};
#"ExtraConfig" = "$NETBIRD_IDP_MGMT_EXTRA_CONFIG";
#"Auth0ClientCredentials" = null;
#"AzureClientCredentials" = null;
#"KeycloakClientCredentials" = null;
#"ZitadelClientCredentials" = null;
}; };
DeviceAuthorizationFlow = { DeviceAuthorizationFlow = {
#Provider = "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER";
ProviderConfig = { ProviderConfig = {
Audience = "netbird"; Audience = "netbird";
#"AuthorizationEndpoint" = "";
#"Domain" = "$NETBIRD_AUTH0_DOMAIN";
#"ClientID" = "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID";
#"ClientSecret" = "";
#"TokenEndpoint" = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
#"DeviceAuthEndpoint" = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
Scope = "openid profile email"; Scope = "openid profile email";
#"UseIDToken" = "$NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN";
#"RedirectURLs" = null;
}; };
}; };
PKCEAuthorizationFlow = { PKCEAuthorizationFlow = {
ProviderConfig = { ProviderConfig = {
Audience = "netbird"; Audience = "netbird";
ClientID = "netbird"; ClientID = "netbird";
ClientSecret = lib.trace "oho bei zo vielen sicherheitzlücken" ""; ClientSecret = "";
Domain = ""; Domain = "";
#AuthorizationEndpoint = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
#TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
Scope = "openid profile email"; Scope = "openid profile email";
RedirectURLs = ["http://localhost:53000"]; RedirectURLs = ["http://localhost:53000"];
UseIDToken = true; UseIDToken = true;
@ -175,6 +161,24 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.coturn = mkIf cfg.enableCoturn {
enable = true;
realm = cfg.dorain;
lt-cred-mech = true;
no-cli = true;
# Official documentation says that external-ip has to be
# an IP which is not true as [this](https://github.com/coturn/coturn/blob/9b1cca1fbe909e7cc7c7ac28865f9c190af3515b/src/client/ns_turn_ioaddr.c#L234)
# will resolve and dns name as well
extraConfig = ''
fingerprint
user=${cfg.turn.userName}:${cfg.turn.password}
no-software-attribute
external-ip=${cfg.domain}
'';
};
systemd.services = { systemd.services = {
netbird-signal = { netbird-signal = {
after = ["network.target"]; after = ["network.target"];
@ -222,7 +226,7 @@ in {
${cfg.package}/bin/netbird-mgmt management \ ${cfg.package}/bin/netbird-mgmt management \
--config ${configFile} \ --config ${configFile} \
--datadir /var/lib/netbird-mgmt/data \ --datadir /var/lib/netbird-mgmt/data \
--disable-anonymous-metrics \ --disable-anonymous-metrics=true \
${ ${
if cfg.singleAccountModeDomain == null if cfg.singleAccountModeDomain == null
then "--disable-single-account-mode" then "--disable-single-account-mode"
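Review bot: `realm = cfg.dorain;` in the new `services.coturn` block (the `@ -175,6 +161,24` hunk) references an attribute that does not exist, while the same block uses `cfg.domain` for `external-ip` a few lines below, so setting `enableCoturn = true` fails evaluation with a missing-attribute error; change it to `realm = cfg.domain;`. The `user=${cfg.turn.userName}:${cfg.turn.password}` line in `extraConfig` writes the TURN password into the generated coturn config in the Nix store, which is world-readable; the `settings` description added in the `@ -72,6 +73,20` hunk says this about management secrets, but the `cfg.turn.password` option (declared outside these hunks, presumably) should carry the same warning, and if the deployment can use the TURN REST credential mechanism, `services.coturn.static-auth-secret-file` would keep the secret out of the store. That description also has two wording slips worth fixing: `a oidc public client` → `an oidc public client` and `client to initiate a authorization flow` → `clients to initiate an authorization flow`, and the coturn comment's `will resolve and dns name as well` should read `will resolve a dns name as well`.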


@ -16,7 +16,6 @@
domain = "netbird.${config.secrets.secrets.global.domains.web}"; domain = "netbird.${config.secrets.secrets.global.domains.web}";
settings = { settings = {
AUTH_AUTHORITY = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird"; AUTH_AUTHORITY = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
AUTH_CLIENT_ID = "netbird";
}; };
}; };
services.netbird-server = { services.netbird-server = {
@ -25,32 +24,6 @@
# TODO remove # TODO remove
oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration"; oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
singleAccountModeDomain = "netbird.patrick"; singleAccountModeDomain = "netbird.patrick";
# todo disabel metrics
settings = {
HttpConfig = {
#AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
#AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk";
AuthAudience = "netbird";
};
# Seems to be only useful for idp that netbird supports
IdpManagerConfig.ClientConfig = {
#Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
#TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
};
#DeviceAuthorizationFlow = {
# Provider = "none";
# ProviderConfig = {
# AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
# ClientID = "netbird";
# #ClientSecret = "";
# TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
# #RedirectURLs = ["http://localhost:53000"];
# };
#};
PKCEAuthorizationFlow.ProviderConfig = {
#AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
};
};
}; };
environment.persistence."/persist".directories = [ environment.persistence."/persist".directories = [
{ {
@ -59,20 +32,4 @@
user = "netbird"; user = "netbird";
} }
]; ];
services.nginx.recommendedSetup = true;
services.coturn = {
enable = true;
realm = "netbird.${config.secrets.secrets.global.domains.web}";
lt-cred-mech = true;
no-cli = true;
extraConfig = ''
fingerprint
user=turn:netbird
no-software-attribute
external-ip=87.170.9.213
'';
};
} }