253 lines
8.1 KiB
Nix
253 lines
8.1 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit
|
|
(lib)
|
|
mkEnableOption
|
|
mkOption
|
|
types
|
|
mkPackageOption
|
|
mkIf
|
|
;
|
|
cfg = config.services.netbird-server;
|
|
|
|
configFile = formatType.generate "config.json" cfg.settings;
|
|
|
|
formatType = pkgs.formats.json {};
|
|
in {
|
|
options.services.netbird-server = {
|
|
enable = mkEnableOption "netbird, a self hosted wireguard VPN";
|
|
package = mkPackageOption pkgs "netbird" {};
|
|
domain = mkOption {
|
|
description = "The domain of your netbird instance";
|
|
};
|
|
port = mkOption {
|
|
description = "The port the management interface will listen on";
|
|
type = types.port;
|
|
default = 3000;
|
|
};
|
|
oidcConfigEndpoint = mkOption {
|
|
type = types.str;
|
|
example = "https://example.eu.auth0.com/.well-known/openid-configuration";
|
|
description = "The oidc discovery endpoint";
|
|
};
|
|
signalPort = mkOption {
|
|
description = "The listening port for the signal protocol";
|
|
default = 3001;
|
|
type = types.port;
|
|
};
|
|
|
|
singleAccountModeDomain = mkOption {
|
|
description = "Optional domain for single account mode, set to null to disable singleAccountMode";
|
|
type = types.nullOr types.str;
|
|
default = "netbird.selfhosted";
|
|
example = null;
|
|
};
|
|
|
|
turn = {
|
|
domain = mkOption {
|
|
description = "The domain under which the TURN server is reachable";
|
|
type = types.str;
|
|
example = "localhost";
|
|
default = cfg.domain;
|
|
};
|
|
port = mkOption {
|
|
description = "The port under which the TURN server is reachable";
|
|
type = types.port;
|
|
default = 3478;
|
|
};
|
|
userName = mkOption {
|
|
description = "The Username for logging into your turn server";
|
|
type = types.str;
|
|
default = "netbird";
|
|
};
|
|
password = mkOption {
|
|
description = "The password for logging into your turn server";
|
|
type = types.str;
|
|
default = lib.trace "should not be part of the final config" "netbird";
|
|
};
|
|
};
|
|
settings = mkOption {
|
|
default = {};
|
|
type = types.submodule {
|
|
freeformType = formatType.type;
|
|
config = {
|
|
Stuns = [
|
|
{
|
|
Proto = "udp";
|
|
Uri = "turn:${cfg.turn.domain}:${toString cfg.turn.port}";
|
|
Username = "";
|
|
Password = null;
|
|
}
|
|
];
|
|
TURNConfig = {
|
|
Turns = [
|
|
{
|
|
Proto = "udp";
|
|
Uri = "stun:${cfg.turn.domain}:${toString cfg.turn.port}";
|
|
Username = cfg.turn.userName;
|
|
Password = cfg.turn.password;
|
|
}
|
|
];
|
|
CredentialsTTL = "12h";
|
|
Secret = lib.trace "this should probably be an option as well" "secret";
|
|
TimeBasedCredentials = false;
|
|
};
|
|
|
|
Signal = {
|
|
Proto = "https";
|
|
URI = "${cfg.domain}:443";
|
|
Username = "";
|
|
Password = null;
|
|
};
|
|
ReverseProxy = {
|
|
TrustedHTTPProxies = [];
|
|
TrustedHTTPProxiesCount = 0;
|
|
TrustedPeers = [
|
|
"0.0.0.0/0"
|
|
];
|
|
};
|
|
Datadir = "/var/lib/netbird-mgmt";
|
|
DataStoreEncryptionKey = lib.trace "uppsi wuppsi ich hab mein netbird unsiccccccher gemacht" "X4/obyAolDVhjGsz8NDb4TJqgCfwmCA7lOtJFHt9L3w=";
|
|
StoreConfig = {
|
|
Engine = "sqlite";
|
|
};
|
|
HttpConfig = {
|
|
Address = "0.0.0.0:${toString cfg.port}";
|
|
AuthAudience = "netbird";
|
|
#"AuthIssuer" = "$NETBIRD_AUTH_AUTHORITY";
|
|
#"AuthAudience" = "$NETBIRD_AUTH_AUDIENCE";
|
|
#"AuthKeysLocation" = "$NETBIRD_AUTH_JWT_CERTS";
|
|
AuthUserIDClaim = "preferred_username";
|
|
#"CertFile" = "$NETBIRD_MGMT_API_CERT_FILE";
|
|
#"CertKey" = "$NETBIRD_MGMT_API_CERT_KEY_FILE";
|
|
#"IdpSignKeyRefreshEnabled" = "$NETBIRD_MGMT_IDP_SIGNKEY_REFRESH";
|
|
OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
|
|
};
|
|
IdpManagerConfig = {
|
|
ManagerType = "none";
|
|
ClientConfig = {
|
|
#"Issuer" = "$NETBIRD_AUTH_AUTHORITY";
|
|
#TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
|
|
ClientID = "netbird-manager";
|
|
ClientSecret = lib.trace "oho wer stiehlt meine zugäneg zuerts" "$NETBIRD_IDP_MGMT_CLIENT_SECRET";
|
|
GrantType = "client_credentials";
|
|
};
|
|
#"ExtraConfig" = "$NETBIRD_IDP_MGMT_EXTRA_CONFIG";
|
|
#"Auth0ClientCredentials" = null;
|
|
#"AzureClientCredentials" = null;
|
|
#"KeycloakClientCredentials" = null;
|
|
#"ZitadelClientCredentials" = null;
|
|
};
|
|
DeviceAuthorizationFlow = {
|
|
#Provider = "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER";
|
|
ProviderConfig = {
|
|
Audience = "netbird";
|
|
#"AuthorizationEndpoint" = "";
|
|
#"Domain" = "$NETBIRD_AUTH0_DOMAIN";
|
|
#"ClientID" = "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID";
|
|
#"ClientSecret" = "";
|
|
#"TokenEndpoint" = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
|
|
#"DeviceAuthEndpoint" = "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT";
|
|
Scope = "openid profile email";
|
|
#"UseIDToken" = "$NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN";
|
|
#"RedirectURLs" = null;
|
|
};
|
|
};
|
|
PKCEAuthorizationFlow = {
|
|
ProviderConfig = {
|
|
Audience = "netbird";
|
|
ClientID = "netbird";
|
|
ClientSecret = lib.trace "oho bei zo vielen sicherheitzlücken" "";
|
|
Domain = "";
|
|
#AuthorizationEndpoint = "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT";
|
|
#TokenEndpoint = "$NETBIRD_AUTH_TOKEN_ENDPOINT";
|
|
Scope = "openid profile email";
|
|
RedirectURLs = ["http://localhost:53000"];
|
|
UseIDToken = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
config = mkIf cfg.enable {
|
|
systemd.services = {
|
|
netbird-signal = {
|
|
after = ["network.target"];
|
|
wantedBy = ["netbird-management.service"];
|
|
restartTriggers = [
|
|
configFile
|
|
];
|
|
|
|
serviceConfig = {
|
|
ExecStart = ''
|
|
${cfg.package}/bin/netbird-signal run \
|
|
--log-file console \
|
|
--port ${builtins.toString cfg.signalPort}
|
|
'';
|
|
Restart = "always";
|
|
RuntimeDirectory = "netbird-mgmt";
|
|
StateDirectory = "netbird-mgmt";
|
|
WorkingDirectory = "/var/lib/netbird-mgmt";
|
|
};
|
|
unitConfig = {
|
|
StartLimitInterval = 5;
|
|
StartLimitBurst = 10;
|
|
};
|
|
stopIfChanged = false;
|
|
};
|
|
|
|
netbird-management = {
|
|
description = "The management server for Netbird, a wireguard VPN";
|
|
documentation = ["https://netbird.io/docs/"];
|
|
after = [
|
|
"network.target"
|
|
"netbird-setup.service"
|
|
];
|
|
wantedBy = ["multi-user.target"];
|
|
wants = [
|
|
"netbird-signal.service"
|
|
"netbird-setup.service"
|
|
];
|
|
restartTriggers = [
|
|
configFile
|
|
];
|
|
|
|
serviceConfig = {
|
|
ExecStart = ''
|
|
${cfg.package}/bin/netbird-mgmt management \
|
|
--config ${configFile} \
|
|
--datadir /var/lib/netbird-mgmt/data \
|
|
--disable-anonymous-metrics \
|
|
${
|
|
if cfg.singleAccountModeDomain == null
|
|
then "--disable-single-account-mode"
|
|
else "--single-account-mode-domain ${cfg.singleAccountModeDomain}"
|
|
} \
|
|
--idp-sign-key-refresh-enabled \
|
|
--port ${builtins.toString cfg.port} \
|
|
--log-file console
|
|
'';
|
|
# TODO add extraCOmmandLine option
|
|
Restart = "always";
|
|
RuntimeDirectory = "netbird-mgmt";
|
|
StateDirectory = [
|
|
"netbird-mgmt"
|
|
"netbird-mgmt/data"
|
|
];
|
|
WorkingDirectory = "/var/lib/netbird-mgmt";
|
|
};
|
|
unitConfig = {
|
|
StartLimitInterval = 5;
|
|
StartLimitBurst = 10;
|
|
};
|
|
stopIfChanged = false;
|
|
};
|
|
};
|
|
};
|
|
}
|