test netbird-server

Dmitriy Kholkin 2024-06-30 13:51:14 +03:00
parent f56f99d107
commit 36d3ebd510
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
4 changed files with 155 additions and 0 deletions


@ -24,6 +24,7 @@ in {
# customProfiles.media-stack
# customProfiles.metrics
# customProfiles.minio
customProfiles.netbird-server
customProfiles.nginx
# customProfiles.ocis
# customProfiles.onlyoffice


@ -18,6 +18,7 @@
{ name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "net.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "openbooks.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "pdf.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
{ name = "qbit.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -50,6 +51,7 @@
{ name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "net.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "openbooks.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "pdf.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
{ name = "qbit.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
@ -85,6 +87,7 @@
"/ldap.ataraxiadev.com/192.168.0.10"
"/lib.ataraxiadev.com/192.168.0.10"
"/medusa.ataraxiadev.com/192.168.0.10"
"/net.ataraxiadev.com/192.168.0.10"
"/openbooks.ataraxiadev.com/192.168.0.10"
"/pdf.ataraxiadev.com/192.168.0.10"
"/qbit.ataraxiadev.com/192.168.0.10"


@ -0,0 +1,102 @@
{ config, lib, inputs, ... }:
let
svc-pass = config.sops.secrets.netbird-svc-pass.path;
store-key = config.sops.secrets.netbird-store-key.path;
domain = "net.ataraxiadev.com";
client-id = "GI2nPUZfBoAOgYWoQpWHopE4awUz3Tx3W5LYOaz1";
issuer = "https://auth.ataraxiadev.com/application/o/netbird";
scopes = "openid profile email offline_access api groups";
in {
sops.secrets = let
cfg = {
sopsFile = inputs.self.secretsDir + /home-hypervisor/netbird.yaml;
restartUnits = [ "netbird-management.service" ];
};
in {
netbird-store-key = cfg;
netbird-svc-pass = cfg;
};
services.netbird.server = {
enable = true;
inherit domain;
enableNginx = true;
coturn.enable = false;
signal.logLevel = "INFO";
dashboard.settings = {
AUTH_AUTHORITY = issuer;
AUTH_CLIENT_ID = client-id;
AUTH_SUPPORTED_SCOPES = scopes;
};
management = {
disableAnonymousMetrics = lib.mkForce true;
logLevel = "INFO";
dnsDomain = "netbird.local";
singleAccountModeDomain = "netbird.local";
oidcConfigEndpoint = "${issuer}/.well-known/openid-configuration";
turnDomain = config.services.coturn.realm;
turnPort = config.services.coturn.listening-port;
settings = {
DataStoreEncryptionKey._secret = store-key;
DeviceAuthorizationFlow = {
Provider = "hosted";
ProviderConfig = {
Audience = client-id;
ClientID = client-id;
DeviceAuthEndpoint = "https://auth.ataraxiadev.com/application/o/device/";
RedirectURLs = null;
Scope = "openid";
TokenEndpoint = "https://auth.ataraxiadev.com/application/o/token/";
UseIDToken = false;
};
};
HttpConfig = {
AuthAudience = client-id;
AuthIssuer = "https://auth.ataraxiadev.com/application/o/netbird/";
AuthKeysLocation = "https://auth.ataraxiadev.com/application/o/netbird/jwks/";
# AuthUserIDClaim = "";
IdpSignKeyRefreshEnabled = false;
};
IdpManagerConfig = {
ManagerType = "authentik";
ClientConfig = {
ClientID = client-id;
GrantType = "client_credentials";
Issuer = "https://auth.ataraxiadev.com/application/o/netbird/";
TokenEndpoint = "https://auth.ataraxiadev.com/application/o/token/";
};
ExtraConfig = {
Password._secret = svc-pass;
Username = "Netbird";
};
};
PKCEAuthorizationFlow = {
ProviderConfig = {
Audience = client-id;
AuthorizationEndpoint = "https://auth.ataraxiadev.com/application/o/authorize/";
ClientID = client-id;
Scope = scopes;
TokenEndpoint = "https://auth.ataraxiadev.com/application/o/token/";
UseIDToken = false;
};
};
TURNConfig = {
Secret._secret = config.sops.secrets.auth-secret.path;
TimeBasedCredentials = true;
# Not used, supress nix warnind about world-readable password
# Password._secret = config.sops.secrets.auth-secret.path;
};
};
};
};
services.nginx.virtualHosts.${domain} = {
useACMEHost = "ataraxiadev.com";
enableACME = false;
forceSSL = true;
};
persist.state.directories = [ "/var/lib/netbird-mgmt" ];
}
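Review bot: `TURNConfig.Secret._secret` reads `config.sops.secrets.auth-secret.path`, but this module declares only `netbird-store-key` and `netbird-svc-pass`, and `turnDomain`/`turnPort` come from `config.services.coturn` while `coturn.enable = false`; the profile therefore only evaluates where another module defines that secret and the coturn settings, and rotating `auth-secret` will presumably not restart `netbird-management.service`, since the `restartUnits` set here does not cover it. I would add a comment above `TURNConfig` such as `# auth-secret and services.coturn.* are defined by the coturn profile; keep its restartUnits in sync`, or assert that the secret exists. `IdpSignKeyRefreshEnabled = false` is also worth revisiting: if it means the JWKS is fetched only once, a signing-key rotation on the IdP would leave management validating tokens against stale keys until the unit is restarted. The secrets file in this commit encrypts a `netbird-client-id` entry that nothing here declares, while `client-id` is hard-coded in the `let` block; keep one of the two.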


@ -0,0 +1,49 @@
netbird-store-key: ENC[AES256_GCM,data:hTT3ggwgbp4ioozh/HJ+zB9A+l2ZH/mPe3HPtWe63YuV7NfM1Gu+C8vZ/4w=,iv:Uvuk+AESXhDjQ1/qfb7T/qgJopL+f3NJr0j80S6Gsuc=,tag:iM40VvO8Ir73JZVckjuwGg==,type:str]
netbird-svc-pass: ENC[AES256_GCM,data:it+Wgt73w1QO89xpy2NGxOZy46RgGpNwdFaspcfW3ZMI9maZTwEZF9CE0fuaFPcrCBVDabG9RpRqWJAG,iv:kJBz8mKbmwatJFnoFnOj9EkCnRFzA0OfrSEGfcuyk1A=,tag:B3Rg7Pg4dwA0TPj/0anQJQ==,type:str]
netbird-client-id: ENC[AES256_GCM,data:g+4/d0tPqGITND56MFaTrr3AZlNIvmeHVgB1J/PYI6GPf8HzD6M4/Q==,iv:fljPA983TjTnISE9HmyieK9lzdQDc3wvEXIvvu8vI0A=,tag:aPPMf66EyUZK0qHJrquX0g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-06-29T16:49:33Z"
mac: ENC[AES256_GCM,data:lLhXyjhsUSg2OGuwPgyNI6u9KKJrtE2G7/uBynu/Iw/cmqBBPGTArzFZRMBjLY7Pit9ZN0YWPLTL2fH8AdNXc6Hq1LgArR29WRgaN0A8sw+HfyVgH2wX79Rvh1ddInOkXRLm8LQYr/Iy9M9N3eWhIZc7jmgj0Vx0Jfhne0atO34=,iv:padr7hsmHMSf+YXhSxN4NyNxNN2fX98oGgVvhfPCsLY=,tag:YydiCnuPvpvI7oou5TQfyw==,type:str]
pgp:
- created_at: "2024-06-29T14:21:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAwcagTG/Fm6AAQf8DQg7f6Qw6JSjyEgi63R0TaCi5MpM/OOWPym7zBoVyyO7
MM7KQVcaG3nAFyaQZutg1wk+VtiJXA5fjsbQiVJ+VPO2csb8HU6uq7Xtbripu0mP
C+KL6HaKlzsRBSKexjGYXn5Pu5/ZVcnigQiq5Ih56tHIE0FUx+LdHJ2m1IQ0lNXJ
56PdHNUQNd/qRRyJDw8x+vro0uZljR7cmZPV6TaglxdtBO668JzU7NfEBwbfQMmf
0Z6XTE6+1c+N4KWSU1zvko5qcA1UhSLB21CkQcMvs71pkWobDbInEDaYkyhyy0UP
Bn8cSpHMOOv3XaanHCNwPACNKDE6J9UkXYA/By2ky9JYAcVH0H4slVsTePOIMjtm
LvHvpj9PSwvhJrgiEb2aNQ7QdLmghmkkuZSGmCDdHStV2a4I+t7PzVOzJ/RGnTiu
6aJRFW1XRQr26CeW5OozmMat1z3iZm0O3w==
=OdzC
-----END PGP MESSAGE-----
fp: ad382d058c964607b7bbf01b071a8131bf166e80
- created_at: "2024-06-29T14:21:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=OlmE
-----END PGP MESSAGE-----
fp: a32018133c7afbfd05d5b2795f3b89af369520c6
unencrypted_suffix: _unencrypted
version: 3.8.1