nix-config/modules/netbird-dashboard.nix
2024-03-24 21:06:11 +01:00

114 lines
4.3 KiB
Nix

{
pkgs,
config,
lib,
...
}: let
inherit
(lib)
mkPackageOption
mkIf
mkEnableOption
mkOption
types
isBool
boolToString
;
toStringEnv = value:
if isBool value
then boolToString value
else toString value;
cfg = config.services.netbird-dashboard;
in {
options.services.netbird-dashboard = {
enable = mkEnableOption "the static netbird dashboard frontend";
package = mkPackageOption pkgs "netbird-dashboard" {};
enableNginx = mkEnableOption "Nginx as a webserver serving the backend";
domain = mkOption {
type = types.str;
description = "The domain under which the dashboard runs.";
default = "localhost";
};
settings = mkOption {
type = types.submodule {
freeformType = types.attrsOf (types.oneOf [types.str types.bool]);
config = {
#AUTH_AUTHORITY = ""; #${AUTH_AUTHORITY:-https://$AUTH0_DOMAIN}
#AUTH_CLIENT_ID = ""; #${AUTH_CLIENT_ID:-$AUTH0_CLIENT_ID}
# Due to how the backend and frontend work this secret will be templated into the backend
# and then served statically from your website
# This enables you to login without the normally needed indirection through the backend
# but this also means anyone that can reach your website can
# fetch this secret, which is why there is no real need to put it into
# special options as its public anyway
# As far as I know leaking this secret is just
# an information leak as one can fetch some basic app
# informations from the IDP
# To actually do something one still needs to have login
# data and this secret so this being public will not
# suffice for anything just decreasing security
AUTH_CLIENT_SECRET = ""; #${AUTH_CLIENT_SECRET}
AUTH_AUDIENCE = "netbird"; #${AUTH_AUDIENCE:-$AUTH0_AUDIENCE}
#AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI}
#AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI}
USE_AUTH0 = false; #${USE_AUTH0:-true}
AUTH_SUPPORTED_SCOPES = "openid profile email"; #${AUTH_SUPPORTED_SCOPES:-openid profile email api offline_access email_verified}
NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #$(echo $NETBIRD_MGMT_API_ENDPOINT | sed -E 's/(:80|:443)$//')
NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; #${NETBIRD_MGMT_GRPC_API_ENDPOINT}
#NETBIRD_HOTJAR_TRACK_ID=${NETBIRD_HOTJAR_TRACK_ID}
#NETBIRD_GOOGLE_ANALYTICS_ID=${NETBIRD_GOOGLE_ANALYTICS_ID}
NETBIRD_TOKEN_SOURCE = "idToken";
#NETBIRD_DRAG_QUERY_PARAMS=${NETBIRD_DRAG_QUERY_PARAMS:-false}
};
};
};
};
config = let
deriv = pkgs.runCommand "template-netbird-dashboard" {} ''
cp -r ${cfg.package} ./temp
${
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: ''export "${name}"="${toStringEnv value}"'') cfg.settings)
}
# replace ENVs in the config
ENV_STR="\$\$USE_AUTH0 \$\$AUTH_AUDIENCE \$\$AUTH_AUTHORITY \$\$AUTH_CLIENT_ID \$\$AUTH_CLIENT_SECRET \$\$AUTH_SUPPORTED_SCOPES \$\$NETBIRD_MGMT_API_ENDPOINT \$\$NETBIRD_MGMT_GRPC_API_ENDPOINT \$\$NETBIRD_HOTJAR_TRACK_ID \$\$NETBIRD_GOOGLE_ANALYTICS_ID \$\$AUTH_REDIRECT_URI \$\$AUTH_SILENT_REDIRECT_URI \$\$NETBIRD_TOKEN_SOURCE \$\$NETBIRD_DRAG_QUERY_PARAMS"
find temp -type d -exec chmod 755 {} \;
OIDC_TRUSTED_DOMAINS="./temp/OidcTrustedDomains.js"
${pkgs.gettext}/bin/envsubst "$ENV_STR" < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS"
for f in $(grep -R -l AUTH_SUPPORTED_SCOPES ./); do
${pkgs.gettext}/bin/envsubst "$ENV_STR" < "$f" > "$f".copy
mv -f "$f".copy "$f"
done
mkdir -p $out
cp -r ./temp/. $out/
'';
in
mkIf cfg.enable
{
services.nginx = mkIf cfg.enableNginx {
enable = true;
virtualHosts = {
${cfg.domain} = {
locations = {
"/" = {
root = "${deriv}/";
tryFiles = "$uri $uri.html $uri/ =404";
};
};
extraConfig = ''
error_page 404 /404.html;
location = /404.html {
internal;
}
'';
};
};
};
};
}