From 13a9aedc3f0c810c9e42bfe2320fb54fd2c11517 Mon Sep 17 00:00:00 2001
From: Nathan
Date: Fri, 25 Jul 2025 16:57:43 -0500
Subject: [PATCH] netbird
---
 .../configuration/homebox/default.nix | 2 +-
 .../services/containers/netbird/default.nix | 35 +++++++++++++++++--
 .../services/containers/traefik/default.nix | 8 ++---
 3 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix
index 48abaab..3caed72 100644
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -264,7 +264,7 @@
 gitea.enable = true;
 homeassistant.enable = false;
 ntfy.enable = false;
- netbird.enable = false;
+ netbird.enable = true;
 rustdesk.enable = false; #broken
 keycloak.enable = true;
 };
diff --git a/system-config/services/containers/netbird/default.nix b/system-config/services/containers/netbird/default.nix
index c6b46a8..a4976cf 100644
--- a/system-config/services/containers/netbird/default.nix
+++ b/system-config/services/containers/netbird/default.nix
@@ -21,6 +21,12 @@
 enable = config.sysconfig.opts.netbird.enable;
 };
+ networking.firewall = {
+ allowedTCPPorts = [ 80 443 33073 33080 10000 ];
+ allowedUDPPorts = [ 3478 ];
+ allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
+ };
+
 containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
 autoStart = true;
@@ -29,8 +35,14 @@
 localAddress = "192.168.100.21";
 forwardPorts = [
+
+ {
+ hostPort = 3478;
+ containerPort = 3478;
+ protocol = "udp";
+ }
- ];
+ ] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
 bindMounts = {
@@ -52,7 +64,7 @@
 dnsDomain = "vpn";
- oidcConfigEndpoint = "https://auth.blunkall.us/application/o/netbird/.well-known/openid-configuration";
+ oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
 settings = {};
 };
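Review bot: The new `networking.firewall` block opens TCP 33073, 33080 and 10000 on the host unconditionally, while the container it serves is gated by `lib.mkIf config.sysconfig.opts.virtualization.netbird.enable`, so the ports stay open even when netbird is disabled. Nothing in the `forwardPorts` hunk forwards those TCP ports into the container, and the traefik hunks reach the management and signal services over plain `http://`/`h2c://` on the container bridge, so exposing them on the host either does nothing or, once forwarded, bypasses the TLS termination Traefik provides. Consider wrapping the block with the same `lib.mkIf` and reducing the list to what Traefik needs, e.g. `networking.firewall = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { allowedTCPPorts = [ 80 443 ]; … };`, with 33073/33080/10000 reached only through the proxy. The surrounding module body starts outside the hunk, so the 80/443 entries may already be opened elsewhere for Traefik.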
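Review bot: The TURN relay range generated by `builtins.genList (y: 49152 + y) (54152 - 49152)` produces 5000 entries covering 49152..54151, one port short of the `to = 54152` firewall range in the previous hunk and of `TURN_MAX_PORT = "54152"` in the settings hunk, so the last port is accepted by the firewall but never forwarded. Use `(54152 - 49152 + 1)` so the three definitions agree, or derive all three from a single `turnMin`/`turnMax` let-binding so they cannot drift. Each element of `forwardPorts` presumably becomes its own NAT rule, so a 5000-entry list is worth sanity-checking for rule-count and activation time; the `containers.netbird` set continues past the hunk.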
@@ -61,7 +73,24 @@
 enable = true;
 settings = {
- AUTH_AUTHORITY = "https://auth.blunkall.us/application/o/netbird/.well-known/openid-configuration";
+ NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
+ AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
+ NETBIRD_AUTH_CLIENT_ID = "netbird";
+ NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID = "netbird";
+ NETBIRD_MGMT_IDP = "keycloak";
+ NETBIRD_IDP_MGMT_CLIENT_ID = "netbird-backend";
+ NETBIRD_IDP_MGMT_CLIENT_SECRET = "QuqjTOAHKE6N6jJqkB1F1RGo3kqUhEdg";
+ NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT = "https://auth.blunkall.us/admin/realms/General";
+ NETBIRD_USE_AUTH0 = false;
+ NETBIRD_AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
+ NETBIRD_AUTH_AUDIENCE = "netbird";
+
+ NETBIRD_DISABLE_LETSENCRYPT = true;
+ NETBIRD_MGMT_API_PORT = "443";
+ NETBIRD_SIGNAL_PORT = "443";
+
+ TURN_MIN_PORT = "49152";
+ TURN_MAX_PORT = "54152";
 };
 };
diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix
index 79b0e6e..489e20a 100644
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -170,7 +170,7 @@
 tls.certResolver = "cloudflare";
 };*/
- /*netbird = {
+ netbird = {
 entryPoints = [ "websecure" ];
 rule = "Host(`vpn.blunkall.us`)";
 service = "netbird";
@@ -193,7 +193,7 @@
 rule = "Host(`vpn.blunkall.us`) && PathPrefix(`/signalexchange.SignalExchange`)";
 service = "netbirdSignal";
 tls.certResolver = "cloudflare";
- };*/
+ };
 };
 middlewares = {
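Review bot: The `NETBIRD_IDP_MGMT_CLIENT_SECRET` line commits a live Keycloak client secret as a plain string literal; besides living in repository history, anything evaluated into a NixOS configuration is copied into the world-readable Nix store, so every local user on the host can read it. Treat the value as compromised: rotate it in Keycloak and supply it from a secrets manager (sops-nix, agenix) or an out-of-store environment file rather than a literal, e.g. `NETBIRD_IDP_MGMT_CLIENT_SECRET = "<placeholder: read from secret file>";` replaced by whatever file-based mechanism the module offers. The attribute that owns this `settings` block starts outside the hunk; if it is the dashboard's environment, the `NETBIRD_IDP_MGMT_*` variables are the management setup's inputs rather than the dashboard's, so they likely belong next to the management config — worth confirming. Also note the value types are mixed (`NETBIRD_USE_AUTH0 = false` and `NETBIRD_DISABLE_LETSENCRYPT = true` are booleans while the ports are strings), which may not serialize the way an environment map expects.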
@@ -225,14 +225,14 @@
 #ntfy.loadBalancer.servers = [ { url = "http://192.168.100.19"; } ];
- /*netbird.loadBalancer = {
+ netbird.loadBalancer = {
 passHostHeader = true;
 servers = [ { url = "http://192.168.100.21"; } ];
 };
 netbirdApi.loadBalancer.servers = [ { url = "http://192.168.100.21:33073"; } ];
 netbirdMgmt.loadBalancer.servers = [ { url = "h2c://192.168.100.21:33073"; } ];
 netbirdSignal.loadBalancer.servers = [ { url = "h2c://192.168.100.21:10000"; } ];
-*/
+
 #homeassistant.loadBalancer.servers = [ { url = "http://192.168.100.10:8123"; } ];
 };