nix-config/config/services/netbird.nix


{
  config,
  lib,
  globals,
  ...
}:
let
  # Public hostnames that several option values below are derived from.
  netbirdDomain = globals.services.netbird.domain;
  kanidmDomain = globals.services.kanidm.domain;
  netbirdUrl = "https://${netbirdDomain}";
  # Kanidm OIDC client for netbird; the discovery document lives beneath it.
  oidcIssuer = "https://${kanidmDomain}/oauth2/openid/netbird";

  # Random alphanumeric secret readable by the coturn service account.
  turnserverSecret = {
    generator.script = "alnum";
    owner = "turnserver";
  };

  # Directory kept on the persistent volume, owned by the given service user.
  persistDir = user: directory: {
    inherit directory user;
    # NOTE(review): 440 carries no execute bit, which normally prevents a
    # directory from being traversed — confirm the service can still open the
    # files below this path as this user.
    mode = "440";
  };
in
{
  # This node joins the site wireguard mesh through nucnix; nucnix's nginx is
  # allowed to reach the netbird HTTP/gRPC listeners served here.
  wireguard.services = {
    client.via = "nucnix";
    firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [
      80 # dashboard
      3000 # management
      8012 # signal
      33080 # relay
    ];
  };

  # Trust boundary: traffic arriving on the netbird tunnel interface is
  # forwarded into the home and services LANs. Which peers may send traffic
  # here is governed by the netbird access policies, not by this rule.
  networking.nftables.chains.forward.from-netbird = {
    after = [ "conntrack" ];
    rules = [ "iifname nb-main oifname { lan-home, lan-services } accept" ];
  };

  age.secrets = {
    coturnPassword = turnserverSecret;
    coturnSecret = turnserverSecret;
    # NOTE(review): owned by turnserver like the coturn secrets although it is
    # consumed by the relay (authSecretFile below) — confirm the relay unit
    # can read this path.
    relaySecret = turnserverSecret;
    # 32 random bytes, base64 encoded, readable by the netbird group.
    dataEnc = {
      generator.script =
        { pkgs, ... }:
        ''
          ${lib.getExe pkgs.openssl} rand -base64 32
        '';
      group = "netbird";
    };
  };

  # STUN/TURN is reachable from outside so peers behind NAT can discover their
  # reflexive address and fall back to relaying through coturn.
  networking.firewall.allowedUDPPorts = [ 3478 ];

  services.netbird = {
    # This host is itself a peer of the mesh it serves.
    clients.main = {
      port = 51820;
      environment = {
        NB_MANAGEMENT_URL = netbirdUrl;
        NB_ADMIN_URL = netbirdUrl;
        NB_HOSTNAME = "home";
      };
    };

    server = {
      enable = true;
      domain = netbirdDomain;

      dashboard = {
        enableNginx = true;
        settings = {
          AUTH_AUTHORITY = oidcIssuer;
          # Kanidm does not support fragmented redirect URIs, so plain paths
          # are used instead of the defaults.
          AUTH_REDIRECT_URI = "/peers";
          AUTH_SILENT_REDIRECT_URI = "/add-peers";
        };
      };

      relay = {
        authSecretFile = config.age.secrets.relaySecret.path;
        settings.NB_EXPOSED_ADDRESS = "rels://${netbirdDomain}:443";
      };

      coturn = {
        enable = true;
        passwordFile = config.age.secrets.coturnPassword.path;
      };

      management = {
        port = 3000;
        # Lookups are handled by the separate DNS server, so this domain is
        # not actually used for resolution.
        dnsDomain = "internal.invalid";
        singleAccountModeDomain = "netbird.patrick";
        oidcConfigEndpoint = "${oidcIssuer}/.well-known/openid-configuration";
        settings = {
          TURNConfig.Secret._secret = config.age.secrets.coturnSecret.path;
          Signal.URI = "${netbirdDomain}:443";
          HttpConfig = {
            # Mapping the user id to preferred_username is not possible: the
            # management server then rejects peer tokens with
            # "failed validating JWT token sent from peer y1ParZkbzVMQGeU/KMycYl75v90i2O6EwgO1YQZnSFs= with error rpc error: code = Internal desc = unable to fetch account with claims, err: user ID is empty"
            #AuthUserIDClaim = "preferred_username";
            # Audience the management server expects in incoming JWTs;
            # presumably matches the Kanidm client name — verify against the
            # Kanidm OAuth2 configuration.
            AuthAudience = "netbird";
          };
          # Key for the management data store's at-rest encryption (per the
          # option name; generated by dataEnc above).
          DataStoreEncryptionKey._secret = config.age.secrets.dataEnc.path;
        };
      };
    };
  };

  # Keep the management server coming back even after clean exits, but wait a
  # minute between attempts.
  systemd.services.netbird-management.serviceConfig = {
    Restart = "always";
    RestartSec = 60;
  };

  # Service state that must survive the ephemeral root.
  environment.persistence."/persist".directories = [
    (persistDir "netbird" "/var/lib/netbird-mgmt")
    (persistDir "netbird-main" "/var/lib/netbird-main")
  ];
}