Blunkall-Technologies/Olympus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

secure netbird

Browse Source
This commit is contained in:
Nathan
2025-07-29 16:54:53 -05:00
parent e5678174a3
commit b99f231b43
2 changed files with 113 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

396
system-config/services/containers/netbird/default.nix
View File

@@ -26,295 +26,102 @@
allowedUDPPorts = [ 3478 33073 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
/*
containers.netbird-dashboard = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
sops.secrets."netbird/coturnPass" = {};
containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.23";
forwardPorts = [
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
extraFlags = [
"--load-credential=coturnPass:${config.sops.secrets."netbird/coturnPass".path}"
];
config = {
services.nginx.virtualHosts."vpn.blunkall.us" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
ssl = false;
}
];
};
services.netbird = {
server = {
enableNginx = false;
management = {
port = 80;
};
enable = true;
enableNginx = true;
domain = "vpn.blunkall.us";
dashboard = {
enable = true;
domain = "vpn.blunkall.us";
enableNginx = true;
settings = {
AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General";
AUTH_CLIENT_ID = "netbird";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
AUTH_AUDIENCE = "netbird";
USE_AUTH0 = false;
NETBIRD_TOKEN_SOURCE = "accessToken";
};
managementServer = "192.168.100.24";
package = let
pkgs-us = import inputs.nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.netbird-dashboard;
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
containers.netbird-management = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.24";
bindMounts = {
"/etc/netbird/data" = {
hostPath = "/ssd1/Netbird/mgmt";
isReadOnly = false;
};
};
config = {
services.netbird = {
server = {
enableNginx = false;
management = {
enable = true;
domain = "mgmt.blunkall.us";
enableNginx = true;
disableAnonymousMetrics = true;
dnsDomain = "vpn";
turnDomain = "coturn.blunkall.us";
turnDomain = "vpn.blunkall.us";
turnPort = 3478;
logLevel = "DEBUG";
oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
settings = {
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:coturn.blunkall.us:3478";
"Username" = "netbird";
"Password" = "password";
}
];
};
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:vpn.blunkall.us:3478";
"Username" = "netbird";
"Password"._secret = "/etc/netbird/coturnPass";
}
];
};
#Datadir = "/etc/netbird/data";
DataStoreEncryptionKey = "770A8A65DA156D24EE2A093277530142";
};
"DataStoreEncryptionKey" = null;
port = 80;
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
containers.netbird-coturn = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.25";
forwardPorts = [
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
bindMounts = {
};
config = {
services.netbird = {
server = {
enableNginx = false;
coturn = {
enable = true;
domain = "coturn.blunkall.us";
user = "netbird";
password = "password";
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
};
};
};
networking.firewall = {
allowedTCPPorts = [ 33080 ];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
system.stateVersion = "25.05";
};
};
containers.netbird-signal = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.26";
config = {
services.netbird = {
server = {
enableNginx = false;
signal = {
enable = true;
port = 80;
domain = "signal.blunkall.us";
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
*/
containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.23";
forwardPorts = [
/*
{
hostPort = 33080;
containerPort = 33080;
protocol = "tcp";
}
{
hostPort = 33073;
containerPort = 33073;
protocol = "udp";
}
*/
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
config = {
services.nginx.virtualHosts."vpn.blunkall.us" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
ssl = false;
}
];
};
services.netbird = {
server = {
enable = true;
enableNginx = true;
domain = "vpn.blunkall.us";
dashboard = {
enable = true;
enableNginx = true;
settings = {
AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General";
AUTH_CLIENT_ID = "netbird";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
AUTH_AUDIENCE = "netbird";
USE_AUTH0 = false;
NETBIRD_TOKEN_SOURCE = "accessToken";
};
package = let
pkgs-us = import inputs.nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.netbird-dashboard;
};
management = {
enable = true;
enableNginx = true;
disableAnonymousMetrics = true;
disableSingleAccountMode = true;
dnsDomain = "vpn";
turnDomain = "vpn.blunkall.us";
turnPort = 3478;
logLevel = "DEBUG";
oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
settings = {
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:vpn.blunkall.us:3478";
"Username" = "netbird";
"Password" = "password";
}
];
};
"DataStoreEncryptionKey" = null;
/*"ReverseProxy" = {
"TrustedHTTPProxies" = [ "192.168.100.11" ];
"TrustedHTTPProxiesCount" = 1;
};*/
"HttpConfig" = {
"Address" = "0.0.0.0:443";
"HttpConfig" = {
"Address" = "0.0.0.0:443";
"AuthIssuer" = "https://auth.blunkall.us/realms/General";
"AuthAudience" = "netbird";
"AuthKeysLocation" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/certs";
@@ -323,10 +130,10 @@
"CertKey" = "";
"IdpSignKeyRefreshEnabled" = false;
"OIDCConfigEndpoint" = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
};
};
"DeviceAuthorizationFlow" = {
"Provider" = "none";
"DeviceAuthorizationFlow" = {
"Provider" = "none";
"ProviderConfig" = {
"Audience" = "netbird";
"AuthorizationEndpoint" = "";
@@ -339,10 +146,10 @@
"UseIDToken" = false;
"RedirectURLs" = null;
};
};
};
"IdpManagerConfig" = {
"ManagerType" = "keycloak";
"IdpManagerConfig" = {
"ManagerType" = "keycloak";
"ClientConfig" = {
"Issuer" = "https://auth.blunkall.us/realms/General";
"TokenEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/token";
@@ -358,11 +165,11 @@
"AzureClientCredentials" = null;
"KeycloakClientCredentials" = null;
"ZitadelClientCredentials" = null;
};
};
"PKCEAuthorizationFlow" = {
"ProviderConfig" = {
"Audience" = "netbird";
"PKCEAuthorizationFlow" = {
"ProviderConfig" = {
"Audience" = "netbird";
"ClientID" = "netbird";
"ClientSecret" = "";
"Domain" = "";
@@ -374,41 +181,56 @@
];
"UseIDToken" = false;
"DisablePromptLogin" = false;
};
};
};
port = 443;
};
port = 443;
coturn = {
enable = true;
user = "netbird";
password = "password";
passwordFile = "/etc/netbird/coturnPass";
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
};
signal = {
enable = true;
enableNginx = true;
};
};
coturn = {
enable = true;
systemd.services.secrets_setup = {
wantedBy = [ "netbird-management.service" "coturn.service" ];
user = "netbird";
password = "password";
serviceConfig = {
LoadCredential = [
"coturnPass"
];
};
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
script = ''
cat ''${CREDENTIALS_DIRECTORY}/coturnPass > /etc/netbird/coturnPass
'';
};
signal = {
enable = true;
enableNginx = true;
#port = 10000;
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 443 8080 33073 33080 ];
allowedUDPPorts = [ 3478 33073 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
system.stateVersion = "25.05";
system.stateVersion = "25.05";
};
};
};
};