Blunkall-Technologies/Olympus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

secure netbird

Browse Source
This commit is contained in:
Nathan
2025-07-29 16:54:53 -05:00
parent e5678174a3
commit b99f231b43
2 changed files with 113 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
system-config/configuration/homebox/secrets/secrets.yaml
View File

@@ -9,6 +9,8 @@ gitea:
dbpass: ENC[AES256_GCM,data:hVRLXACRECNSnXRn8BEP0ZFT,iv:zuIvzStek6OEu+P4Nh8Wsq9eRVt/zP8KGVXYZWjSvW0=,tag:m4t8vKNGhz8NqkDWbCRgnA==,type:str] dbpass: ENC[AES256_GCM,data:hVRLXACRECNSnXRn8BEP0ZFT,iv:zuIvzStek6OEu+P4Nh8Wsq9eRVt/zP8KGVXYZWjSvW0=,tag:m4t8vKNGhz8NqkDWbCRgnA==,type:str]
keycloak: keycloak:
dbpass: ENC[AES256_GCM,data:tc4wIAqzY7nonBhz8s+YdAux,iv:Wg0b0/xnl6cANLTOJWBsX+gw1iF8Q/GvO/iKyKwqJrM=,tag:LORKRmo4RjcrVbPNhk2A9Q==,type:str] dbpass: ENC[AES256_GCM,data:tc4wIAqzY7nonBhz8s+YdAux,iv:Wg0b0/xnl6cANLTOJWBsX+gw1iF8Q/GvO/iKyKwqJrM=,tag:LORKRmo4RjcrVbPNhk2A9Q==,type:str]
netbird:
coturnPass: ENC[AES256_GCM,data:zB6P9RyTTKkXEOIhOyeJuF4Y,iv:8SWVfcdmMnXQJxezu3uanrlmFhR+hxXEJ3T7KA+YZqE=,tag:1H21K3kbZOuLOdN2zufWJw==,type:str]
gitlab: gitlab:
db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str] db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str]
root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str] root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str]
@@ -33,7 +35,7 @@ sops:
S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA== 8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-24T21:07:16Z" lastmodified: "2025-07-29T21:54:33Z"
mac: ENC[AES256_GCM,data:+Eh1FN8Oafxuk19uvQf29S4YjQRvg/4VLWq4Si80bsQ47wxi+746GJHc4lr0WKYAjGjJNgLY+QPBnf8UEoTwYLD44gilZw14BJLSDnbfliNsAxCqAaSptARbR44H59hJSEkcSBR4dHILZ1yEgdYYCvlx4pWLgatpO4htJzAeEo0=,iv:MgpokCHKskMTMIz2UG9C/P51VUnFsJ/RCd/hKSBbDUU=,tag:IkvMrnhjskVspabGwDXvGQ==,type:str] mac: ENC[AES256_GCM,data:FdEOqSuTYZzl2T9QOJ3G+MlgZIvlLi3YhL9aOP3bws1N6MLfQcSgkQbhS4Nz4dQBpebOQ2OdT0QinFgXC7QyveiFefh1K1IxVAyRkwMd1xeCwbf2J/ERunCdJ7QsNh6pGJtTcv0h/gvviEVQ2S4FTmpFOjrLSUJI7kz92FI3vd4=,iv:1lOKQzHtG0kYcFLtn522uYrXE96Vq1a6qTj3/SkLSyI=,tag:69spH8TETUv3KYzH9eQcMA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2

228
system-config/services/containers/netbird/default.nix
View File

@@ -26,187 +26,9 @@
allowedUDPPorts = [ 3478 33073 ]; allowedUDPPorts = [ 3478 33073 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }]; allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
}; };
/*
containers.netbird-dashboard = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true; sops.secrets."netbird/coturnPass" = {};
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.23";
config = {
services.netbird = {
server = {
enableNginx = false;
management = {
port = 80;
};
dashboard = {
enable = true;
domain = "vpn.blunkall.us";
settings = {
AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
};
managementServer = "192.168.100.24";
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
containers.netbird-management = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.24";
bindMounts = {
"/etc/netbird/data" = {
hostPath = "/ssd1/Netbird/mgmt";
isReadOnly = false;
};
};
config = {
services.netbird = {
server = {
enableNginx = false;
management = {
enable = true;
domain = "mgmt.blunkall.us";
disableAnonymousMetrics = true;
dnsDomain = "vpn";
turnDomain = "coturn.blunkall.us";
turnPort = 3478;
oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
settings = {
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:coturn.blunkall.us:3478";
"Username" = "netbird";
"Password" = "password";
}
];
};
#Datadir = "/etc/netbird/data";
DataStoreEncryptionKey = "770A8A65DA156D24EE2A093277530142";
};
port = 80;
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
containers.netbird-coturn = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.25";
forwardPorts = [
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
bindMounts = {
};
config = {
services.netbird = {
server = {
enableNginx = false;
coturn = {
enable = true;
domain = "coturn.blunkall.us";
user = "netbird";
password = "password";
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
};
};
};
networking.firewall = {
allowedTCPPorts = [ 33080 ];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
system.stateVersion = "25.05";
};
};
containers.netbird-signal = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.26";
config = {
services.netbird = {
server = {
enableNginx = false;
signal = {
enable = true;
port = 80;
domain = "signal.blunkall.us";
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
*/
containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable { containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true; autoStart = true;
@@ -215,19 +37,7 @@
localAddress = "192.168.100.23"; localAddress = "192.168.100.23";
forwardPorts = [ forwardPorts = [
/*
{
hostPort = 33080;
containerPort = 33080;
protocol = "tcp";
}
{
hostPort = 33073;
containerPort = 33073;
protocol = "udp";
}
*/
{ {
hostPort = 3478; hostPort = 3478;
containerPort = 3478; containerPort = 3478;
@@ -238,6 +48,10 @@
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152)); ] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
extraFlags = [
"--load-credential=coturnPass:${config.sops.secrets."netbird/coturnPass".path}"
];
config = { config = {
services.nginx.virtualHosts."vpn.blunkall.us" = { services.nginx.virtualHosts."vpn.blunkall.us" = {
@@ -283,8 +97,6 @@
disableAnonymousMetrics = true; disableAnonymousMetrics = true;
disableSingleAccountMode = true;
dnsDomain = "vpn"; dnsDomain = "vpn";
turnDomain = "vpn.blunkall.us"; turnDomain = "vpn.blunkall.us";
@@ -301,18 +113,13 @@
"Proto" = "udp"; "Proto" = "udp";
"URI" = "turn:vpn.blunkall.us:3478"; "URI" = "turn:vpn.blunkall.us:3478";
"Username" = "netbird"; "Username" = "netbird";
"Password" = "password"; "Password"._secret = "/etc/netbird/coturnPass";
} }
]; ];
}; };
"DataStoreEncryptionKey" = null; "DataStoreEncryptionKey" = null;
/*"ReverseProxy" = {
"TrustedHTTPProxies" = [ "192.168.100.11" ];
"TrustedHTTPProxiesCount" = 1;
};*/
"HttpConfig" = { "HttpConfig" = {
"Address" = "0.0.0.0:443"; "Address" = "0.0.0.0:443";
"AuthIssuer" = "https://auth.blunkall.us/realms/General"; "AuthIssuer" = "https://auth.blunkall.us/realms/General";
@@ -387,6 +194,7 @@
user = "netbird"; user = "netbird";
password = "password"; password = "password";
passwordFile = "/etc/netbird/coturnPass";
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152)); openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
}; };
@@ -394,14 +202,28 @@
signal = { signal = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
#port = 10000;
};
}; };
}; };
systemd.services.secrets_setup = {
wantedBy = [ "netbird-management.service" "coturn.service" ];
serviceConfig = {
LoadCredential = [
"coturnPass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/coturnPass > /etc/netbird/coturnPass
'';
};
};
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 80 443 8080 33073 33080 ]; allowedTCPPorts = [ 80 ];
allowedUDPPorts = [ 3478 33073 ]; allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }]; allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
}; };