diff --git a/system-config/configuration/homebox/secrets/secrets.yaml b/system-config/configuration/homebox/secrets/secrets.yaml
index cbe0b16..8ef55cc 100644
--- a/system-config/configuration/homebox/secrets/secrets.yaml
+++ b/system-config/configuration/homebox/secrets/secrets.yaml
@@ -9,6 +9,8 @@ gitea:
 dbpass: ENC[AES256_GCM,data:hVRLXACRECNSnXRn8BEP0ZFT,iv:zuIvzStek6OEu+P4Nh8Wsq9eRVt/zP8KGVXYZWjSvW0=,tag:m4t8vKNGhz8NqkDWbCRgnA==,type:str]
 keycloak:
 dbpass: ENC[AES256_GCM,data:tc4wIAqzY7nonBhz8s+YdAux,iv:Wg0b0/xnl6cANLTOJWBsX+gw1iF8Q/GvO/iKyKwqJrM=,tag:LORKRmo4RjcrVbPNhk2A9Q==,type:str]
+netbird:
+ coturnPass: ENC[AES256_GCM,data:zB6P9RyTTKkXEOIhOyeJuF4Y,iv:8SWVfcdmMnXQJxezu3uanrlmFhR+hxXEJ3T7KA+YZqE=,tag:1H21K3kbZOuLOdN2zufWJw==,type:str]
 gitlab:
 db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str]
 root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str]
@@ -33,7 +35,7 @@ sops:
 S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
 8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-24T21:07:16Z"
- mac: ENC[AES256_GCM,data:+Eh1FN8Oafxuk19uvQf29S4YjQRvg/4VLWq4Si80bsQ47wxi+746GJHc4lr0WKYAjGjJNgLY+QPBnf8UEoTwYLD44gilZw14BJLSDnbfliNsAxCqAaSptARbR44H59hJSEkcSBR4dHILZ1yEgdYYCvlx4pWLgatpO4htJzAeEo0=,iv:MgpokCHKskMTMIz2UG9C/P51VUnFsJ/RCd/hKSBbDUU=,tag:IkvMrnhjskVspabGwDXvGQ==,type:str]
+ lastmodified: "2025-07-29T21:54:33Z"
+ mac: ENC[AES256_GCM,data:FdEOqSuTYZzl2T9QOJ3G+MlgZIvlLi3YhL9aOP3bws1N6MLfQcSgkQbhS4Nz4dQBpebOQ2OdT0QinFgXC7QyveiFefh1K1IxVAyRkwMd1xeCwbf2J/ERunCdJ7QsNh6pGJtTcv0h/gvviEVQ2S4FTmpFOjrLSUJI7kz92FI3vd4=,iv:1lOKQzHtG0kYcFLtn522uYrXE96Vq1a6qTj3/SkLSyI=,tag:69spH8TETUv3KYzH9eQcMA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/system-config/services/containers/netbird/default.nix b/system-config/services/containers/netbird/default.nix index 5a2f179..fc06ecd 100644 --- a/system-config/services/containers/netbird/default.nix +++ b/system-config/services/containers/netbird/default.nix 
@@ -26,295 +26,102 @@ allowedUDPPorts = [ 3478 33073 ]; allowedUDPPortRanges = [{ from = 49152; to = 54152; }]; }; -/* - containers.netbird-dashboard = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { + + sops.secrets."netbird/coturnPass" = {}; + + containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { autoStart = true; privateNetwork = true; hostAddress = "192.168.100.10"; localAddress = "192.168.100.23"; - + forwardPorts = [ + + { + hostPort = 3478; + containerPort = 3478; + protocol = "udp"; + } + + + ] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152)); + + + extraFlags = [ + "--load-credential=coturnPass:${config.sops.secrets."netbird/coturnPass".path}" + ]; + config = { + services.nginx.virtualHosts."vpn.blunkall.us" = { + listen = [ + { + addr = "0.0.0.0"; + port = 80; + ssl = false; + } + ]; + }; + + services.netbird = { server = { - enableNginx = false; - management = { - port = 80; - }; + enable = true; + enableNginx = true; + domain = "vpn.blunkall.us"; dashboard = { enable = true; - domain = "vpn.blunkall.us"; + enableNginx = true; settings = { - AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration"; + AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General"; + AUTH_CLIENT_ID = "netbird"; + AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api"; + AUTH_AUDIENCE = "netbird"; + USE_AUTH0 = false; + NETBIRD_TOKEN_SOURCE = "accessToken"; }; - managementServer = "192.168.100.24"; + + package = let + pkgs-us = import inputs.nixpkgs-us { + system = "x86_64-linux"; + config.allowUnfree = true; + }; + in pkgs-us.netbird-dashboard; }; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 80 ]; - }; - - system.stateVersion = "25.05"; - }; - }; - - - containers.netbird-management = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { - - autoStart = true; - privateNetwork = true; - 
hostAddress = "192.168.100.10"; - localAddress = "192.168.100.24"; - - bindMounts = { - "/etc/netbird/data" = { - hostPath = "/ssd1/Netbird/mgmt"; - isReadOnly = false; - }; - }; - - config = { - - services.netbird = { - server = { - enableNginx = false; management = { enable = true; - domain = "mgmt.blunkall.us"; + enableNginx = true; disableAnonymousMetrics = true; dnsDomain = "vpn"; - turnDomain = "coturn.blunkall.us"; + turnDomain = "vpn.blunkall.us"; turnPort = 3478; + logLevel = "DEBUG"; + oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration"; settings = { - "TURNConfig" = { - "Turns" = [ - { - "Proto" = "udp"; - "URI" = "turn:coturn.blunkall.us:3478"; - "Username" = "netbird"; - "Password" = "password"; - } - ]; - }; + "TURNConfig" = { + "Turns" = [ + { + "Proto" = "udp"; + "URI" = "turn:vpn.blunkall.us:3478"; + "Username" = "netbird"; + "Password"._secret = "/etc/netbird/coturnPass"; + } + ]; + }; - #Datadir = "/etc/netbird/data"; - DataStoreEncryptionKey = "770A8A65DA156D24EE2A093277530142"; - }; + "DataStoreEncryptionKey" = null; - port = 80; - }; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 80 ]; - }; - - system.stateVersion = "25.05"; - }; - }; - - - containers.netbird-coturn = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { - - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.25"; - - forwardPorts = [ - - { - hostPort = 3478; - containerPort = 3478; - protocol = "udp"; - } - - ] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152)); - - bindMounts = { - - }; - - - config = { - - services.netbird = { - server = { - enableNginx = false; - coturn = { - enable = true; - domain = "coturn.blunkall.us"; - - user = "netbird"; - password = "password"; - - openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152)); - }; - }; - }; - - networking.firewall = { - 
allowedTCPPorts = [ 33080 ]; - allowedUDPPorts = [ 3478 ]; - allowedUDPPortRanges = [{ from = 49152; to = 54152; }]; - }; - - system.stateVersion = "25.05"; - }; - }; - - - containers.netbird-signal = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { - - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.26"; - - config = { - - services.netbird = { - server = { - enableNginx = false; - - signal = { - enable = true; - port = 80; - domain = "signal.blunkall.us"; - }; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 80 ]; - }; - - system.stateVersion = "25.05"; - }; - }; - -*/ - containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { - - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.23"; - - forwardPorts = [ - /* - { - hostPort = 33080; - containerPort = 33080; - protocol = "tcp"; - } - - { - hostPort = 33073; - containerPort = 33073; - protocol = "udp"; - } -*/ - { - hostPort = 3478; - containerPort = 3478; - protocol = "udp"; - } - - - ] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152)); - - - config = { - - services.nginx.virtualHosts."vpn.blunkall.us" = { - listen = [ - { - addr = "0.0.0.0"; - port = 80; - ssl = false; - } - ]; - }; - - - services.netbird = { - server = { - enable = true; - enableNginx = true; - domain = "vpn.blunkall.us"; - - dashboard = { - enable = true; - enableNginx = true; - settings = { - AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General"; - AUTH_CLIENT_ID = "netbird"; - AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api"; - AUTH_AUDIENCE = "netbird"; - USE_AUTH0 = false; - NETBIRD_TOKEN_SOURCE = "accessToken"; - }; - - package = let - pkgs-us = import inputs.nixpkgs-us { - system = "x86_64-linux"; - config.allowUnfree = true; - }; - in pkgs-us.netbird-dashboard; - }; - management = { - 
enable = true; - - enableNginx = true; - - disableAnonymousMetrics = true; - - disableSingleAccountMode = true; - - dnsDomain = "vpn"; - - turnDomain = "vpn.blunkall.us"; - turnPort = 3478; - - logLevel = "DEBUG"; - - oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration"; - - settings = { - "TURNConfig" = { - "Turns" = [ - { - "Proto" = "udp"; - "URI" = "turn:vpn.blunkall.us:3478"; - "Username" = "netbird"; - "Password" = "password"; - } - ]; - }; - - "DataStoreEncryptionKey" = null; - - /*"ReverseProxy" = { - "TrustedHTTPProxies" = [ "192.168.100.11" ]; - "TrustedHTTPProxiesCount" = 1; - };*/ - - "HttpConfig" = { - "Address" = "0.0.0.0:443"; + "HttpConfig" = { + "Address" = "0.0.0.0:443"; "AuthIssuer" = "https://auth.blunkall.us/realms/General"; "AuthAudience" = "netbird"; "AuthKeysLocation" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/certs"; @@ -323,10 +130,10 @@ "CertKey" = ""; "IdpSignKeyRefreshEnabled" = false; "OIDCConfigEndpoint" = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration"; - }; + }; - "DeviceAuthorizationFlow" = { - "Provider" = "none"; + "DeviceAuthorizationFlow" = { + "Provider" = "none"; "ProviderConfig" = { "Audience" = "netbird"; "AuthorizationEndpoint" = ""; @@ -339,10 +146,10 @@ "UseIDToken" = false; "RedirectURLs" = null; }; - }; + }; - "IdpManagerConfig" = { - "ManagerType" = "keycloak"; + "IdpManagerConfig" = { + "ManagerType" = "keycloak"; "ClientConfig" = { "Issuer" = "https://auth.blunkall.us/realms/General"; "TokenEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/token"; @@ -358,11 +165,11 @@ "AzureClientCredentials" = null; "KeycloakClientCredentials" = null; "ZitadelClientCredentials" = null; - }; + }; - "PKCEAuthorizationFlow" = { - "ProviderConfig" = { - "Audience" = "netbird"; + "PKCEAuthorizationFlow" = { + "ProviderConfig" = { + "Audience" = "netbird"; "ClientID" = "netbird"; "ClientSecret" = ""; "Domain" = ""; 
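Review bot: `logLevel = "DEBUG";` is now part of the management server's persistent configuration (under `management = {` in this hunk); debug output from the component that validates every peer's token and talks to the IdP tends to be verbose about request contents, so it should revert to `logLevel = "INFO";` once the consolidated container is known to work. The relay port range is also written three times — `forwardPorts` here via `builtins.genList (y: 49152 + y) (54152 - 49152)` (which yields 49152–54151), `coturn.openPorts` in the last hunk with the same expression, and the firewall's `allowedUDPPortRanges` ending inclusively at 54152 — so they already differ by one port; a single `let`-bound port list (or shared `from`/`to` values) used by all three would stop the drift, and the `map (x: x)` on `openPorts` is an identity that can be dropped. `"DataStoreEncryptionKey" = null;` replaces a previously hard-coded key: confirm that the module or server generates and persists a key when it is null, and be aware that a datastore written under the old key will not open under a newly generated one. The enclosing `containers.netbird` attrset continues into the later hunks.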
@@ -374,41 +181,56 @@ ]; "UseIDToken" = false; "DisablePromptLogin" = false; + }; }; + }; + port = 443; }; - port = 443; + coturn = { + enable = true; + + user = "netbird"; + password = "password"; + passwordFile = "/etc/netbird/coturnPass"; + + openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152)); + }; + + signal = { + enable = true; + enableNginx = true; + }; }; - coturn = { - enable = true; + systemd.services.secrets_setup = { + wantedBy = [ "netbird-management.service" "coturn.service" ]; - user = "netbird"; - password = "password"; + serviceConfig = { + LoadCredential = [ + "coturnPass" + ]; + }; - openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152)); + script = '' + cat ''${CREDENTIALS_DIRECTORY}/coturnPass > /etc/netbird/coturnPass + ''; }; - signal = { - enable = true; - enableNginx = true; - #port = 10000; - }; }; - }; - networking.firewall = { - allowedTCPPorts = [ 80 443 8080 33073 33080 ]; - allowedUDPPorts = [ 3478 33073 ]; - allowedUDPPortRanges = [{ from = 49152; to = 54152; }]; - }; + networking.firewall = { + allowedTCPPorts = [ 80 ]; + allowedUDPPorts = [ 3478 ]; + allowedUDPPortRanges = [{ from = 49152; to = 54152; }]; + }; - system.stateVersion = "25.05"; + system.stateVersion = "25.05"; + }; }; }; - };
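Review bot: `systemd.services.secrets_setup` is only attached with `wantedBy`, which installs no ordering, so on a fresh container `coturn.service` and `netbird-management.service` can start before `/etc/netbird/coturnPass` exists, and `cat ''${CREDENTIALS_DIRECTORY}/coturnPass > /etc/netbird/coturnPass` then creates the file under the unit's default umask (normally world-readable) in a directory nothing in this hunk creates. The unit should be `requiredBy` and `before` both consumers, run as a `oneshot` with `RemainAfterExit`, and write the file with a restrictive mode before handing ownership to whichever users those two services run as (not visible here), since both `coturn.passwordFile` and the management `"Password"._secret` read it. The literal `password = "password";` kept beside `passwordFile` should go as well: it ends up in the world-readable Nix store, and unless the module is known to prefer the file it is a silent fallback whenever the file is missing. Rewritten unit below; the enclosing `containers.netbird` config block starts outside this hunk.
```nix
systemd.services.secrets_setup = {
  # Hard dependency plus ordering: consumers fail instead of starting without the file.
  requiredBy = [ "netbird-management.service" "coturn.service" ];
  before = [ "netbird-management.service" "coturn.service" ];

  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    LoadCredential = [ "coturnPass" ];
  };

  # install(1) creates /etc/netbird if needed and never leaves the file world-readable.
  script = ''
    install -D -m 0600 ''${CREDENTIALS_DIRECTORY}/coturnPass /etc/netbird/coturnPass
    # TODO(review): chown to the user(s) coturn and netbird-management run as — not visible in this change
  '';
};
```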