From e9dcc564f06c4f6b7580c153e8adbf345636b0b8 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sun, 24 Mar 2024 21:06:11 +0100
Subject: [PATCH] feat: netbird working

---
 hosts/elisabeth/guests.nix | 2 +
 .../elisabeth/secrets/kanidm/secrets.nix.age | Bin 1920 -> 1973 bytes
 .../netbird/generated/dhparams.pem.age | Bin 0 -> 1422 bytes
 hosts/patricknix/default.nix | 7 ++-
 hosts/patricknix/net.nix | 6 +--
 modules/netbird-dashboard.nix | 12 ++++-
 modules/netbird-server.nix | 5 ++-
 modules/services/netbird.nix | 40 +++++++++++-------
 8 files changed, 47 insertions(+), 25 deletions(-)
 create mode 100644 hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age

diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index c936136..61a7bfc 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -103,6 +103,8 @@ in {
 };
 extraConfig = ''
 client_max_body_size 500M ;
+ client_header_timeout 1d;
+ client_body_timeout 1d;
 '';
 };
 }
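Review bot: `client_header_timeout 1d;` and `client_body_timeout 1d;` let one client keep a worker connection open for up to a day while sending nothing, which is exactly the slow-request exhaustion pattern nginx's 60s defaults are there to bound. Both directives measure the gap between successive reads rather than total transfer time, so even a large `client_max_body_size 500M` upload does not need a day-long header timeout; keep `client_header_timeout` at its default and raise only `client_body_timeout` if uploads genuinely stall between chunks. If the real goal is a long-lived connection to the proxied backend, `proxy_read_timeout` is the directive that governs that. The enclosing vhost or location block starts outside the hunk.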
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age index ca3aa4e8d747f48621a8cfd1a291a169cc2d039b..08c0487efcddf05ee1d09e33413deec2d5519d18 100644 GIT binary patch delta 1946 zcmZwE`9IVN1Hf^Lj;ZJ*+h*pGLX4R)Ct}Ul9A?aEPP3I}%spdnGh@i4<3a1_P};Sn z!A4a72w6<8uq&lXYRSVS0HVpGxS5-~@S zfEL3n4kA%%O#{?01~UN%f<{9ODl60whQ>gIT(*XXhv0D6!3%D zIF=eig_&&v#s6R;l0rqXLGWlBK?`80I0`%%fgma4;RHS#;OP@#L>es?rjRF+0Gd^b zkjq3U8;FFESoCDB%4V{Y91Jy95v=2i!qVbxdN!M$=s1v_qld zn9vp*mu(MENMj``K|HfiVz5#)I+j$b6G^RMb_dEBYgb#4cxF7-%88fTELsFZKxNwg zi^W3~CYjhQgBVB<1eYHKF+#LK)^HG>X^M|CYKXByR2slwrSiD~LV|{)A`?_pokHVO zqojJ8LM^ldDoY$MO%E4hrFK3-py!K_X6t{3K%o#DkB(LI6kHe)>VQZV|2L#Ztm^u&J8qWykx zLxszBkXWd+@9z{EV`sZkxYlOXYOBpT7Eei4t4U<)U|QpLV)WY+Evfy}vI=K33M6 z-E#TT?c2+RK=ji`>j=98OTMO#d3lHm1og@u$(#Ovw?#DX5KdoR-CEF_Z^^#W+Unc= z+iEh2{TR2MK<9Qqfk#BYo)0-G0WLl*S5)O0F^Pk?WL5x*zcYYU$g z=k3gI;`7St>0oD5gZf+?X-0C={#rw*aoNll_tYktueRq0^ba?#h(17RAa5`Afn-*d zz+p|FJ303RC$ei=PJN5INxd0;{TY=1LeZ0{?eKeueC^GBzSaf(Xk=NRspA|i>dPi8 zF!(cB)BWH@lOu4?#`TW=F@rS?y zspI0u%X#C-JR~LOC}BLeaDFOlDR$k=;DOWp8gB~YVyIH_u0JB?I6u%*=wa=mMEu~< z9C|Q7SZi}?HvPzSoo&Q!E-4>da8^v*K@g_4wF%%N<(d z#UqQqOkY@@?Zy5jWECuLBdZH)^I0~k*!VQ-@b!s@mj?a6GK|ZOzQ2O6n_O-!xb305 zD?brF>0EH#?Nx}^ade$&KEu)-MeW9nU0zpPr*(NVHEdauZ2CA`w%>lE0lK_B8vX;W zGvK|n=#ka8_dR8QS&_?ky7yq$FHMKPCkcJ@*f=oMw!9NYScqA=H~m!eo~f!+g=*~L ze9!E`+%~-Eb*eztme7&6SVsvDEjP53mWQAD?8K&>vv<2qtr4Ah-0C%Wn!7;;Uins0 zm|eDP>s`-%uWF8!;o~Pe_Sz(K37seTc>{lbJ)EGoFw)m{+Fy-hVHtN-eudZCQZj+b zUw4PzN_E@j7KDrq=*4ew<_rcBazgG zH9rLh$NV!ZDYq1GhpvBL38FR*oqs4D`eVoX-+Q?mcvmu5Ti0G~JL?%q?Tg&q!!Ai_ z8o-y&Z?3vA(B79-5cucVjm(Ba2V%ZF6M;u-O0$9ln;x8W^Ui7=Ae`@>pA)uU%AUQm XyYIw@uLi0}t7gY5S{snu#`?bjm1|JZ delta 1893 zcmZvZ_gj+(0)Rzin9~v~NEJmCp-Kd@6I9TANys8(d`W;%kqk1(Bs-BaGKyM_B16D> zC>2CGR0OdO1Q8y<1!5673Mg*ikRet*NAK>(d!G9X-sgSaMxWh2`9aQfK$#AhjYJe* zN9U-CXo{F(R>2byT&7KpPY_!blr)Z#Vy4Nsa!4YWfK^b`FgD4W1c#diky@IP&7_dU zELc1ar3PZ{b`@Q&;_%aHknorwz0wk{M`Ex+i9C*qPY5D7G6Yd@5`(XSgAxwft|7;h 
zoeF7`%|c`%P%1S`VZ<}JdWHg{1g#KanwiYeM}jsTD}#*|u}!9Uku{cwmvfjHj?Ah_ zFbkxKLO?_o|1V4!D_7F2K?E!crL`iF230(gMomo87|Cj-9Z0aMq{c`dk{&13!xfq+ zgcxKBF%V5!5?h0dr`gFELpYk&Q)1*|a=MdJ>5z{ZBm($H3KMAxJh%^9ofMa5}7is+Ta90fr`Qq%IPX{ zlorsd><&GsOpoJ0K$1woMZ@%X76G9aS#Us-L6Rghn-n-6M;|XF3yc`00IS2t$&&uN z$RN%n>8S=nxZIE?GNuIqVQbMr0tgDlgt4$>nSlTa4-XHri`62A*oK2k@DzeT1|XdR zyUa|L8cBL#h8%{0VZtE5EiWw&fO_TPhHrVF4xZS?pkqDhCwKKE zXS1oe<44~-4Y2V}EF^5@K=^e(mh~d5Zio=SM?-EseE)M@P>4$9B8f(hHpd|As_m7g z(d_qk?WqsPGNPXl|2ZR>m^`W%~@ za(W?jtJf8v3M#$~>*~5f^$lM9Y%w^P@;D8rWb8nCMzMXp1+JQcz)sg zuh5VN?)zy;K36o?{`VcVs%g&aykyBAfX6~vD&$;Xe@;KEc{bJc>ol;?Ff+EUeLh5a z1ep7Hgfy}$9C=ss>sv<)tPlBIfjQ7Kac1K6@AK@huW$Y(BHf%5z%$M`b3%V8MbRz} zA~wjFo=E>mpLw~p_ghA{soLT9I_n-yy1MfZttyMIwl0>8?|+s9&nsH4we;mh>BbR< z?id0t=X7G>%bu)1&!1eh#W!O|RE4*7QS)hz-`VzkceCb=E;a#m8#hKfyHk%r&#%7` z5gJB~@!nV8v$uDHBEW3)cOJR?Lx*DQgLGgj3qLtKxO_qA=iU2d9$Qn3dO^51rOJWd zvUSCZY=!UBy;OKb@`F7imJcCAyXGK{+R7z9~tU%~3xuWlOXM_8lyQ5$Eb z&@<~3G~?SV9c_)^wzJ9hgMN)>@ZJ2tO}EkK3o93QlB*9ruKaxU?NKM_jzT}G3`ttk zccP~DLPQEUq`qos^?}=sVQc*2R=&>OzuNcD$(UZ45Vg*I zy1Dtl=njldSM=$Y4GJqR)w`Op@KrEi;GL@weel3NmJvJKB#8x%yN{0)pKQAxP3Gly z!UJm1w;;!d$1_JP&Jb8~oBLWqz5E3GWx~&`Q_-k%YGk2qSwVlGs;=`HKA7SPep%$% zzgjYs&;aJykY#tvE)#d!3*5U#Q?8X%3s<-PHe~9Et+f&JZ2F0{iqP0<>E7~tZ$7QN z7_oGBvt^3G_@wv4`8)%2BdTt*BYs?2Vrb3v04{`It>fo7=>x3oBlso8pJGY~-l4qT zUfD8hni`_7p*(0lv+rs;OR~!YUGu_j*IcNSP29Yrc*}zXw4uJOq;w>5#>J119Xn&% zwW<0#!}r9j%$41<@eeQPgXGV|TvOZ0*5ON`rE<5w?ctfDklAtlub_VN*Zyg@X)1?% z1M5;w+46}MPIIy4oAT8CXU=cWsGPqdY!RbaF7p~4 z)V7}8Ydky_gaKBXz!u^OsPfjYAQ 
diff --git a/hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age b/hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age new file mode 100644 index 0000000000000000000000000000000000000000..2e98730bb2e70a75a25b90454bd483d20fc92962 GIT binary patch literal 1422 zcmY+=_ft~`0KjpqiW;qgh+5C9DNw7thJ=ubip|R)A@haoQh~heokun6UwKCcBhtPZ8s}*31L~$|`V+ z_4X8)m!J#K`9vm6pmSAr5DyaEHZcUSC;_#Z?Qt4GJmk-dHQjCZabmjzx08S;k30gU#b}Rfm6jP$g zbYO)9w_GidQ|Ss4%tQ1_hRK#W%Kw}VTwLXVQh)+&VW$097*k`by#7wW7|lsP zJ9saI8HeHq?SxABSjEm@#ovE~l90}gqsme?*zL!}cC1)nx;9)m(Rg#DclXOILr32Z zTkxi!Ulj<6>>_Qxc>x)>OFtGfhNiJ)bvJS;cg9*;dDME%;|Eo@i$0O%sjJe>#P15f zo(PGrU#@0MChlBZx`~wr&il=400vIywrz6b%k%l?f|VfrGQIp_RNWrgb82XI&9BdQ ztiC&`K4&E8un^6?Iym;^CY_nrZxrlgVj@x?Aq(ge17(*IAd-2>W4V|bzRIt z+3tuN$m`YHcC}u4lk@ZC$S>xW9q;E9AC}>NV%};2r-u=6SDXF1(k(V#^SQElR|;MX zZ4M7an(+_AR;;^lTb*)&xb=%T9 z=y*|Fb^8Kpa4O~A0akN;_son(@ch1r!P2p)+3Tam-%T$*g=s8(J(1Viba6-5lbt#s zJ3Ec~X6?O>^pb;>&A%tQ?+3%@Udg+-=7-vod%K~UqeBOqS60nTvM-N*8cGRUGHu=D z8Pu}DRaQn!df%FDkJP&tZuN0ff{{JXiUX#eSDOYL3iMgAD9BqA@nEFM@%9kVaLwCm z+FXBkY&>W2>a9uF4-3jJecPLl9uyj(+*tkF>ZX%@Gm1@rEkbU+NkuglaH!|II-90$$$!ZIt9tTf!HCDt0q$1{8JU(f>z+M$h!{#-gZ2R&|`m&hY=TEfn>!dKkCQ!F#eO7X( zcb?!)59w`?T?;&IpXXfMVA%EyEOephQ_>IbD_gJFUbbbd^_%R9h|7W7ovwrb0=G?J A1^@s6 literal 0 HcmV?d00001 diff --git a/hosts/patricknix/default.nix b/hosts/patricknix/default.nix index 254bd99..e3ba368 100644 --- a/hosts/patricknix/default.nix +++ b/hosts/patricknix/default.nix @@ -40,8 +40,10 @@ }; hidpi = true; services.xserver = { - layout = "de"; - xkbVariant = "bone"; + xkb = { + layout = "de"; + variant = "bone"; + }; libinput = { touchpad = lib.mkForce { accelSpeed = "0.5"; @@ -54,4 +56,5 @@ nixpkgs.config.permittedInsecurePackages = lib.trace "remove when possible" [ "nix-2.16.2" ]; + services.netbird.enable = true; } diff --git a/hosts/patricknix/net.nix b/hosts/patricknix/net.nix index ebacb8e..297a09f 100644 --- a/hosts/patricknix/net.nix +++ b/hosts/patricknix/net.nix 
@@ -35,7 +35,7 @@ systemd.network.networks = { "01-lan1" = { DHCP = "yes"; - matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac; + matchConfig.MACAddress = config.secrets.secrets.local.networking.lan01.mac; networkConfig = { IPv6PrivacyExtensions = "yes"; MulticastDNS = true; @@ -46,7 +46,7 @@ }; "02-lan1" = { DHCP = "yes"; - matchConfig.MACAddress = config.secrets.secrets.local.networking.lan2.mac; + matchConfig.MACAddress = config.secrets.secrets.local.networking.lan02.mac; networkConfig = { IPv6PrivacyExtensions = "yes"; MulticastDNS = true; @@ -57,7 +57,7 @@ }; "01-wlan1" = { DHCP = "yes"; - matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan1.mac; + matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan01.mac; networkConfig = { IPv6PrivacyExtensions = "yes"; MulticastDNS = true; diff --git a/modules/netbird-dashboard.nix b/modules/netbird-dashboard.nix index 6f40045..666a39e 100644 --- a/modules/netbird-dashboard.nix +++ b/modules/netbird-dashboard.nix @@ -55,8 +55,8 @@ in { USE_AUTH0 = false; #${USE_AUTH0:-true} AUTH_SUPPORTED_SCOPES = "openid profile email"; #${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified} - NETBIRD_MGMT_API_ENDPOINT = config.services.netbird-server.domain; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//') - NETBIRD_MGMT_GRPC_API_ENDPOINT = config.services.netbird-server.domain; #${NETBIRD_MGMT_GRPC_API_ENDPOINT} + NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//') + NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #${NETBIRD_MGMT_GRPC_API_ENDPOINT} #NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID} #NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID} NETBIRD_TOKEN_SOURCE = "idToken"; 
@@ -97,9 +97,15 @@ in {
 locations = {
 "/" = {
 root = "${deriv}/";
- tryFiles = "$uri /index.html";
+ tryFiles = "$uri $uri.html $uri/ =404";
 };
 };
+ extraConfig = ''
+ error_page 404 /404.html;
+ location = /404.html {
+ internal;
+ }
+ '';
 };
 };
 };
diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix
index 3d96266..e00b860 100644
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@@ -117,10 +117,11 @@ in {
 };
 HttpConfig = {
 Address = "0.0.0.0:${toString cfg.port}";
+ AuthAudience = "netbird";
 #"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY";
 #"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE";
 #"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS";
- AuthUserIDClaim = "sub";
+ AuthUserIDClaim = "preferred_username";
 #"CertFile" = "$NETBIRD_MGMT_API_CERT_FILE";
 #"CertKey" = "$NETBIRD_MGMT_API_CERT_KEY_FILE";
 #"IdpSignKeyRefreshEnabled" = "$NETBIRD_MGMT_IDP_SIGNKEY_REFRESH";
@@ -229,7 +230,7 @@ in {
 } \
 --idp-sign-key-refresh-enabled \
 --port ${builtins.toString cfg.port} \
- --log-file consolef
+ --log-file console
 '';
 # TODO add extraCOmmandLine option
 Restart = "always";
diff --git a/modules/services/netbird.nix b/modules/services/netbird.nix
index ac9fa7c..12a5e56 100644
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
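Review bot: The `location = /404.html { internal; }` block is written as raw `extraConfig` while the same vhost declares its routes through the module's `locations` attrset a few lines above; `locations."= /404.html".extraConfig = "internal;";` keeps the vhost uniform and lets the module own the block, with only the server-level `error_page 404 /404.html;` left in `extraConfig`. Note also that the old `tryFiles = "$uri /index.html"` served `index.html` for every unknown path, and the new `$uri $uri.html $uri/ =404` returns 404 instead, so any client-side route the dashboard relied on falling through to `index.html` now breaks — presumably intended for a static export, but worth confirming. The enclosing `virtualHosts` entry starts outside the hunk.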
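Review bot: `AuthUserIDClaim = "preferred_username";` keys NetBird user identity on a claim that OIDC Core defines as display-oriented and explicitly not guaranteed unique or stable, whereas the removed `sub` is the issuer's stable subject identifier. If the IdP ever allows a username to be renamed or re-issued to a different person, the new holder inherits the existing NetBird user record with its peers and access rules while the original user's record silently detaches; keep `sub` unless the IdP is known to enforce immutable, never-reused usernames, in which case a comment stating that guarantee belongs next to the line. `AuthAudience = "netbird";` is hard-coded in a module that otherwise parameterises through `cfg` (see `cfg.port` two lines up), and the same literal is set again in `modules/services/netbird.nix` in this patch, so it likely wants to be a single option rather than two copies. The enclosing settings attrset starts outside the hunk.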
@@ -25,31 +25,41 @@ # TODO remove oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration"; singleAccountModeDomain = "netbird.patrick"; + # todo disabel metrics settings = { HttpConfig = { - AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird"; - AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk"; + #AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird"; + #AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk"; + AuthAudience = "netbird"; }; # Seems to be only useful for idp that netbird supports IdpManagerConfig.ClientConfig = { - Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird"; - TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token"; - }; - DeviceAuthorizationFlow = { - Provider = "none"; - ProviderConfig = { - AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/"; - ClientID = "netbird"; - #ClientSecret = ""; - TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token"; - #RedirectURLs = ["http://localhost:53000"]; - }; + #Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird"; + #TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token"; }; + #DeviceAuthorizationFlow = { + # Provider = "none"; + # ProviderConfig = { + # AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/"; + # ClientID = "netbird"; + # #ClientSecret = ""; + # TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token"; + # #RedirectURLs = ["http://localhost:53000"]; + # }; + #}; PKCEAuthorizationFlow.ProviderConfig = { - 
AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/"; + #AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/"; }; }; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/netbird-mgmt"; + mode = "440"; + user = "netbird"; + } + ]; + services.nginx.recommendedSetup = true; services.coturn = { enable = true;
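Review bot: `mode = "440";` on the `/var/lib/netbird-mgmt` persistence entry creates a directory without the search (execute) bit, so nothing — including `user = "netbird"` — can open or traverse files inside it; a private state directory is normally `"0700"` (or `"0750"` with an explicit `group` if another service must read it). If the directory already existed on the persistent volume and the persistence module only applies the mode when creating it, that would explain why this works today but would not on a fresh host. Separately, commenting out `AuthIssuer` and `AuthKeysLocation` in `HttpConfig` leaves only `AuthAudience` in the overlay; if the module does not derive the issuer and JWKS location from `oidcConfigEndpoint` (the `--idp-sign-key-refresh-enabled` flag suggests it does), management-API token validation would run without an expected issuer, so a comment on the `#AuthIssuer` line stating where those values now come from would help the next reader. The `# todo disabel metrics` comment also has a typo (`disable`).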