diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index c936136..61a7bfc 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -103,6 +103,8 @@ in {
 };
 extraConfig = ''
 client_max_body_size 500M ;
+ client_header_timeout 1d;
+ client_body_timeout 1d;
 '';
 };
 }
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
index ca3aa4e..08c0487 100644
Binary files a/hosts/elisabeth/secrets/kanidm/secrets.nix.age and b/hosts/elisabeth/secrets/kanidm/secrets.nix.age differ
diff --git a/hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age b/hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age
new file mode 100644
index 0000000..2e98730
Binary files /dev/null and b/hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age differ
diff --git a/hosts/patricknix/default.nix b/hosts/patricknix/default.nix
index 254bd99..e3ba368 100644
--- a/hosts/patricknix/default.nix
+++ b/hosts/patricknix/default.nix
@@ -40,8 +40,10 @@
 };
 hidpi = true;
 services.xserver = {
- layout = "de";
- xkbVariant = "bone";
+ xkb = {
+ layout = "de";
+ variant = "bone";
+ };
 libinput = {
 touchpad = lib.mkForce {
 accelSpeed = "0.5";
@@ -54,4 +56,5 @@
 nixpkgs.config.permittedInsecurePackages = lib.trace "remove when possible" [
 "nix-2.16.2"
 ];
+ services.netbird.enable = true;
 }
diff --git a/hosts/patricknix/net.nix b/hosts/patricknix/net.nix
index ebacb8e..297a09f 100644
--- a/hosts/patricknix/net.nix
+++ b/hosts/patricknix/net.nix
@@ -35,7 +35,7 @@
 systemd.network.networks = {
 "01-lan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac;
+ matchConfig.MACAddress = config.secrets.secrets.local.networking.lan01.mac;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
 MulticastDNS = true;
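Review bot: The two added timeouts let a single client hold a request open for a day while sending nothing, because `client_header_timeout` and `client_body_timeout` bound the idle gap between two successive reads, not the whole transfer; a few such connections can pin nginx workers for a day, which is what the 60s defaults protect against. Request headers are never large, so `client_header_timeout 1d;` buys nothing and should be dropped. If a slow upload genuinely needs it, move `client_body_timeout 1d;` into the one location that receives uploads and pair it with a per-client connection limit there instead of widening it for every request this extraConfig covers. The attribute set this extraConfig belongs to starts outside the hunk, so I cannot see which service it fronts.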
@@ -46,7 +46,7 @@
 };
 "02-lan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = config.secrets.secrets.local.networking.lan2.mac;
+ matchConfig.MACAddress = config.secrets.secrets.local.networking.lan02.mac;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
 MulticastDNS = true;
@@ -57,7 +57,7 @@
 };
 "01-wlan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan1.mac;
+ matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan01.mac;
 networkConfig = {
 IPv6PrivacyExtensions = "yes";
 MulticastDNS = true;
diff --git a/modules/netbird-dashboard.nix b/modules/netbird-dashboard.nix
index 6f40045..666a39e 100644
--- a/modules/netbird-dashboard.nix
+++ b/modules/netbird-dashboard.nix
@@ -55,8 +55,8 @@ in {
 USE_AUTH0 = false; #${USE_AUTH0:-true}
 AUTH_SUPPORTED_SCOPES = "openid profile email"; #${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}
- NETBIRD_MGMT_API_ENDPOINT = config.services.netbird-server.domain; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
- NETBIRD_MGMT_GRPC_API_ENDPOINT = config.services.netbird-server.domain; #${NETBIRD_MGMT_GRPC_API_ENDPOINT}
+ NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
+ NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #${NETBIRD_MGMT_GRPC_API_ENDPOINT}
 #NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
 #NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
 NETBIRD_TOKEN_SOURCE = "idToken";
@@ -97,9 +97,15 @@ in {
 locations = {
 "/" = {
 root = "${deriv}/";
- tryFiles = "$uri /index.html";
+ tryFiles = "$uri $uri.html $uri/ =404";
 };
 };
+ extraConfig = ''
+ error_page 404 /404.html;
+ location = /404.html {
+ internal;
+ }
+ '';
 };
 };
 };
diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix
index 3d96266..e00b860 100644
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
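Review bot: The trailing `#$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')` comment on the new `NETBIRD_MGMT_API_ENDPOINT` line describes port stripping that this expression does not perform, and now that the value carries a fixed `https://` scheme the comment reads as if something were missing. Either state what the remnant is for, e.g. `# upstream entrypoint strips :80/:443 here; not needed, the scheme and host are fixed by the server module`, or drop the two template remnants on these lines. The enclosing attribute set starts and ends outside the hunk.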
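Review bot: Replacing the `/index.html` fallback with `=404` changes what a browser-side route gets on reload: a path the dashboard resolves in JavaScript now returns the 404 page unless the build in `${deriv}` emits a matching `.html` file for every route. If the dashboard is still served as a single-page app, keep `tryFiles = "$uri $uri.html /index.html";` and drop the `error_page` block; if its build does emit per-route pages, a comment on the `tryFiles` line saying so would spare the next reader this question. The `$uri/` entry can also answer a directory that has no index with a 403 rather than the intended 404, so it is worth checking whether the output contains such directories. The enclosing virtual-host set is closed outside the hunk.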
@@ -117,10 +117,11 @@ in {
 };
 HttpConfig = {
 Address = "0.0.0.0:${toString cfg.port}";
+ AuthAudience = "netbird";
 #"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY";
 #"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE";
 #"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS";
- AuthUserIDClaim = "sub";
+ AuthUserIDClaim = "preferred_username";
 #"CertFile" = "$NETBIRD_MGMT_API_CERT_FILE";
 #"CertKey" = "$NETBIRD_MGMT_API_CERT_KEY_FILE";
 #"IdpSignKeyRefreshEnabled" = "$NETBIRD_MGMT_IDP_SIGNKEY_REFRESH";
@@ -229,7 +230,7 @@ in {
 } \
 --idp-sign-key-refresh-enabled \
 --port ${builtins.toString cfg.port} \
- --log-file consolef
+ --log-file console
 '';
 # TODO add extraCOmmandLine option
 Restart = "always";
diff --git a/modules/services/netbird.nix b/modules/services/netbird.nix
index ac9fa7c..12a5e56 100644
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
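Review bot: Switching `AuthUserIDClaim` from `sub` to `preferred_username` keys every NetBird account and its peers on a claim that OpenID Connect tells relying parties not to treat as unique or stable; `sub` is the only identifier the spec guarantees for that purpose. If the IdP allows an account to be renamed or a freed name to be reused, the old peers and access rules silently follow whoever next holds the name, and a renamed user loses theirs. If the readable name is wanted for display, keep `AuthUserIDClaim = "sub";` and leave naming to the dashboard, or add a comment next to the line stating why `preferred_username` is immutable for this IdP. The added `AuthAudience = "netbird";` also hard-codes a value inside an otherwise reusable module whose port and domain are options, so an option (say `authAudience`) defaulting to this string would fit the file better; the same literal is repeated in the `modules/services/netbird.nix` hunk. The enclosing `HttpConfig` set is closed outside the hunk.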
@@ -25,31 +25,41 @@
 # TODO remove
 oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
 singleAccountModeDomain = "netbird.patrick";
+ # todo disabel metrics
 settings = {
 HttpConfig = {
- AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
- AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk";
+ #AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
+ #AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk";
+ AuthAudience = "netbird";
 };
 # Seems to be only useful for idp that netbird supports
 IdpManagerConfig.ClientConfig = {
- Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
- TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
- };
- DeviceAuthorizationFlow = {
- Provider = "none";
- ProviderConfig = {
- AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
- ClientID = "netbird";
- #ClientSecret = "";
- TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
- #RedirectURLs = ["http://localhost:53000"];
- };
+ #Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
+ #TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
 };
+ #DeviceAuthorizationFlow = {
+ # Provider = "none";
+ # ProviderConfig = {
+ # AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
+ # ClientID = "netbird";
+ # #ClientSecret = "";
+ # TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
+ # #RedirectURLs = ["http://localhost:53000"];
+ # };
+ #};
 PKCEAuthorizationFlow.ProviderConfig = {
- 
AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
+ #AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
 };
 };
 };
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/netbird-mgmt";
+ mode = "440";
+ user = "netbird";
+ }
+ ];
+ services.nginx.recommendedSetup = true;
 services.coturn = {
 enable = true;