feat: netbird working

2024-03-24 21:06:11 +01:00 · 2024-03-24 21:06:11 +01:00 · e9dcc564f0
parent 03e0b54183
commit e9dcc564f0
8 changed files with 47 additions and 25 deletions
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -103,6 +103,8 @@ in {
          };
          extraConfig = ''
            client_max_body_size 500M ;
+            client_header_timeout 1d;
+            client_body_timeout 1d;
          '';
        };
      }
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
--- a/hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age
+++ b/hosts/elisabeth/secrets/netbird/generated/dhparams.pem.age
--- a/hosts/patricknix/default.nix
+++ b/hosts/patricknix/default.nix
@ -40,8 +40,10 @@
  };
  hidpi = true;
  services.xserver = {
+    xkb = {
      layout = "de";
-    xkbVariant = "bone";
+      variant = "bone";
+    };
    libinput = {
      touchpad = lib.mkForce {
        accelSpeed = "0.5";
@ -54,4 +56,5 @@
  nixpkgs.config.permittedInsecurePackages = lib.trace "remove when possible" [
    "nix-2.16.2"
  ];
+  services.netbird.enable = true;
 }
--- a/hosts/patricknix/net.nix
+++ b/hosts/patricknix/net.nix
@ -35,7 +35,7 @@
  systemd.network.networks = {
    "01-lan1" = {
      DHCP = "yes";
-      matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac;
+      matchConfig.MACAddress = config.secrets.secrets.local.networking.lan01.mac;
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
        MulticastDNS = true;
@ -46,7 +46,7 @@
    };
    "02-lan1" = {
      DHCP = "yes";
-      matchConfig.MACAddress = config.secrets.secrets.local.networking.lan2.mac;
+      matchConfig.MACAddress = config.secrets.secrets.local.networking.lan02.mac;
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
        MulticastDNS = true;
@ -57,7 +57,7 @@
    };
    "01-wlan1" = {
      DHCP = "yes";
-      matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan1.mac;
+      matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan01.mac;
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
        MulticastDNS = true;
--- a/modules/netbird-dashboard.nix
+++ b/modules/netbird-dashboard.nix
@ -55,8 +55,8 @@ in {
          USE_AUTH0 = false; #${USE_AUTH0:-true}
          AUTH_SUPPORTED_SCOPES = "openid profile email"; #${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}

-          NETBIRD_MGMT_API_ENDPOINT = config.services.netbird-server.domain; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
-          NETBIRD_MGMT_GRPC_API_ENDPOINT = config.services.netbird-server.domain; #${NETBIRD_MGMT_GRPC_API_ENDPOINT}
+          NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
+          NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #${NETBIRD_MGMT_GRPC_API_ENDPOINT}
          #NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
          #NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
          NETBIRD_TOKEN_SOURCE = "idToken";
@ -97,9 +97,15 @@ in {
            locations = {
              "/" = {
                root = "${deriv}/";
-                tryFiles = "$uri /index.html";
+                tryFiles = "$uri $uri.html $uri/ =404";
              };
            };
+            extraConfig = ''
+              error_page 404 /404.html;
+              location = /404.html {
+                 internal;
+              }
+            '';
          };
        };
      };
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@ -117,10 +117,11 @@ in {
          };
          HttpConfig = {
            Address = "0.0.0.0:${toString cfg.port}";
+            AuthAudience = "netbird";
            #"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY";
            #"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE";
            #"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS";
-            AuthUserIDClaim = "sub";
+            AuthUserIDClaim = "preferred_username";
            #"CertFile" = "$NETBIRD_MGMT_API_CERT_FILE";
            #"CertKey" = "$NETBIRD_MGMT_API_CERT_KEY_FILE";
            #"IdpSignKeyRefreshEnabled" = "$NETBIRD_MGMT_IDP_SIGNKEY_REFRESH";
@ -229,7 +230,7 @@ in {
            } \
              --idp-sign-key-refresh-enabled \
              --port ${builtins.toString cfg.port} \
-              --log-file consolef
+              --log-file console
          '';
          # TODO add extraCOmmandLine option
          Restart = "always";
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
@ -25,31 +25,41 @@
    # TODO remove
    oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
    singleAccountModeDomain = "netbird.patrick";
+    # todo disabel metrics
    settings = {
      HttpConfig = {
-        AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
-        AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk";
+        #AuthIssuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
+        #AuthKeysLocation = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/public_key.jwk";
+        AuthAudience = "netbird";
      };
      # Seems to be only useful for idp that netbird supports
      IdpManagerConfig.ClientConfig = {
-        Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
-        TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
-      };
-      DeviceAuthorizationFlow = {
-        Provider = "none";
-        ProviderConfig = {
-          AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
-          ClientID = "netbird";
-          #ClientSecret = "";
-          TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
-          #RedirectURLs = ["http://localhost:53000"];
-        };
+        #Issuer = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird";
+        #TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
      };
+      #DeviceAuthorizationFlow = {
+      #  Provider = "none";
+      #  ProviderConfig = {
+      #    AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
+      #    ClientID = "netbird";
+      #    #ClientSecret = "";
+      #    TokenEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/token";
+      #    #RedirectURLs = ["http://localhost:53000"];
+      #  };
+      #};
      PKCEAuthorizationFlow.ProviderConfig = {
-        AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
+        #AuthorizationEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/ui/oauth2/";
      };
    };
  };
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/netbird-mgmt";
+      mode = "440";
+      user = "netbird";
+    }
+  ];
+  services.nginx.recommendedSetup = true;
  services.coturn = {
    enable = true;