Blunkall-Technologies/Olympus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

secure netbird

Browse Source
This commit is contained in:
Nathan
2025-07-29 16:54:53 -05:00
parent e5678174a3
commit b99f231b43
2 changed files with 113 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
system-config/configuration/homebox/secrets/secrets.yaml
View File

@@ -9,6 +9,8 @@ gitea:
dbpass: ENC[AES256_GCM,data:hVRLXACRECNSnXRn8BEP0ZFT,iv:zuIvzStek6OEu+P4Nh8Wsq9eRVt/zP8KGVXYZWjSvW0=,tag:m4t8vKNGhz8NqkDWbCRgnA==,type:str]
keycloak:
dbpass: ENC[AES256_GCM,data:tc4wIAqzY7nonBhz8s+YdAux,iv:Wg0b0/xnl6cANLTOJWBsX+gw1iF8Q/GvO/iKyKwqJrM=,tag:LORKRmo4RjcrVbPNhk2A9Q==,type:str]
netbird:
coturnPass: ENC[AES256_GCM,data:zB6P9RyTTKkXEOIhOyeJuF4Y,iv:8SWVfcdmMnXQJxezu3uanrlmFhR+hxXEJ3T7KA+YZqE=,tag:1H21K3kbZOuLOdN2zufWJw==,type:str]
gitlab:
db_pass: ENC[AES256_GCM,data:N3KvXkXql/PDjxZSpGo/Apr/,iv:OOzhR4BEmV3T01PA50vqdJMg7D2OGKHn/8hiqKEaOd4=,tag:jzdonXH/D/5kZ5Cld2W//w==,type:str]
root_pass: ENC[AES256_GCM,data:bALaUkoJw3N0ugZP/4MCnEsD,iv:LJdJpXlyzA6o00UVlK+l5WCCFIL/sT/fQNjI8wA5LAg=,tag:BYk1o/rjubyEpeHbgYA1Sg==,type:str]
@@ -33,7 +35,7 @@ sops:
S0NMRGJSeks0Q0UrVnZmUVdyU2NqVm8KLu2kQpD1fJdU0fTdR9A2cTQzRp+waJ6M
8vA+E8xYb2U4d7m0YnwKkGzw0CBPb0BvdEgvWvqpFViftoDwRv5KGA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-24T21:07:16Z"
mac: ENC[AES256_GCM,data:+Eh1FN8Oafxuk19uvQf29S4YjQRvg/4VLWq4Si80bsQ47wxi+746GJHc4lr0WKYAjGjJNgLY+QPBnf8UEoTwYLD44gilZw14BJLSDnbfliNsAxCqAaSptARbR44H59hJSEkcSBR4dHILZ1yEgdYYCvlx4pWLgatpO4htJzAeEo0=,iv:MgpokCHKskMTMIz2UG9C/P51VUnFsJ/RCd/hKSBbDUU=,tag:IkvMrnhjskVspabGwDXvGQ==,type:str]
lastmodified: "2025-07-29T21:54:33Z"
mac: ENC[AES256_GCM,data:FdEOqSuTYZzl2T9QOJ3G+MlgZIvlLi3YhL9aOP3bws1N6MLfQcSgkQbhS4Nz4dQBpebOQ2OdT0QinFgXC7QyveiFefh1K1IxVAyRkwMd1xeCwbf2J/ERunCdJ7QsNh6pGJtTcv0h/gvviEVQ2S4FTmpFOjrLSUJI7kz92FI3vd4=,iv:1lOKQzHtG0kYcFLtn522uYrXE96Vq1a6qTj3/SkLSyI=,tag:69spH8TETUv3KYzH9eQcMA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

396
system-config/services/containers/netbird/default.nix
View File

@@ -26,295 +26,102 @@
allowedUDPPorts = [ 3478 33073 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
/*
containers.netbird-dashboard = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
sops.secrets."netbird/coturnPass" = {};
containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.23";
forwardPorts = [
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
extraFlags = [
"--load-credential=coturnPass:${config.sops.secrets."netbird/coturnPass".path}"
];
config = {
services.nginx.virtualHosts."vpn.blunkall.us" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
ssl = false;
}
];
};
services.netbird = {
server = {
enableNginx = false;
management = {
port = 80;
};
enable = true;
enableNginx = true;
domain = "vpn.blunkall.us";
dashboard = {
enable = true;
domain = "vpn.blunkall.us";
enableNginx = true;
settings = {
AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General";
AUTH_CLIENT_ID = "netbird";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
AUTH_AUDIENCE = "netbird";
USE_AUTH0 = false;
NETBIRD_TOKEN_SOURCE = "accessToken";
};
managementServer = "192.168.100.24";
package = let
pkgs-us = import inputs.nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.netbird-dashboard;
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
containers.netbird-management = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.24";
bindMounts = {
"/etc/netbird/data" = {
hostPath = "/ssd1/Netbird/mgmt";
isReadOnly = false;
};
};
config = {
services.netbird = {
server = {
enableNginx = false;
management = {
enable = true;
domain = "mgmt.blunkall.us";
enableNginx = true;
disableAnonymousMetrics = true;
dnsDomain = "vpn";
turnDomain = "coturn.blunkall.us";
turnDomain = "vpn.blunkall.us";
turnPort = 3478;
logLevel = "DEBUG";
oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
settings = {
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:coturn.blunkall.us:3478";
"Username" = "netbird";
"Password" = "password";
}
];
};
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:vpn.blunkall.us:3478";
"Username" = "netbird";
"Password"._secret = "/etc/netbird/coturnPass";
}
];
};
#Datadir = "/etc/netbird/data";
DataStoreEncryptionKey = "770A8A65DA156D24EE2A093277530142";
};
"DataStoreEncryptionKey" = null;
port = 80;
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
containers.netbird-coturn = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.25";
forwardPorts = [
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
bindMounts = {
};
config = {
services.netbird = {
server = {
enableNginx = false;
coturn = {
enable = true;
domain = "coturn.blunkall.us";
user = "netbird";
password = "password";
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
};
};
};
networking.firewall = {
allowedTCPPorts = [ 33080 ];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
system.stateVersion = "25.05";
};
};
containers.netbird-signal = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.26";
config = {
services.netbird = {
server = {
enableNginx = false;
signal = {
enable = true;
port = 80;
domain = "signal.blunkall.us";
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
};
system.stateVersion = "25.05";
};
};
*/
containers.netbird = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.23";
forwardPorts = [
/*
{
hostPort = 33080;
containerPort = 33080;
protocol = "tcp";
}
{
hostPort = 33073;
containerPort = 33073;
protocol = "udp";
}
*/
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 49152 + y) (54152 - 49152));
config = {
services.nginx.virtualHosts."vpn.blunkall.us" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
ssl = false;
}
];
};
services.netbird = {
server = {
enable = true;
enableNginx = true;
domain = "vpn.blunkall.us";
dashboard = {
enable = true;
enableNginx = true;
settings = {
AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General";
AUTH_CLIENT_ID = "netbird";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
AUTH_AUDIENCE = "netbird";
USE_AUTH0 = false;
NETBIRD_TOKEN_SOURCE = "accessToken";
};
package = let
pkgs-us = import inputs.nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.netbird-dashboard;
};
management = {
enable = true;
enableNginx = true;
disableAnonymousMetrics = true;
disableSingleAccountMode = true;
dnsDomain = "vpn";
turnDomain = "vpn.blunkall.us";
turnPort = 3478;
logLevel = "DEBUG";
oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
settings = {
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:vpn.blunkall.us:3478";
"Username" = "netbird";
"Password" = "password";
}
];
};
"DataStoreEncryptionKey" = null;
/*"ReverseProxy" = {
"TrustedHTTPProxies" = [ "192.168.100.11" ];
"TrustedHTTPProxiesCount" = 1;
};*/
"HttpConfig" = {
"Address" = "0.0.0.0:443";
"HttpConfig" = {
"Address" = "0.0.0.0:443";
"AuthIssuer" = "https://auth.blunkall.us/realms/General";
"AuthAudience" = "netbird";
"AuthKeysLocation" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/certs";
@@ -323,10 +130,10 @@
"CertKey" = "";
"IdpSignKeyRefreshEnabled" = false;
"OIDCConfigEndpoint" = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
};
};
"DeviceAuthorizationFlow" = {
"Provider" = "none";
"DeviceAuthorizationFlow" = {
"Provider" = "none";
"ProviderConfig" = {
"Audience" = "netbird";
"AuthorizationEndpoint" = "";
@@ -339,10 +146,10 @@
"UseIDToken" = false;
"RedirectURLs" = null;
};
};
};
"IdpManagerConfig" = {
"ManagerType" = "keycloak";
"IdpManagerConfig" = {
"ManagerType" = "keycloak";
"ClientConfig" = {
"Issuer" = "https://auth.blunkall.us/realms/General";
"TokenEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/token";
@@ -358,11 +165,11 @@
"AzureClientCredentials" = null;
"KeycloakClientCredentials" = null;
"ZitadelClientCredentials" = null;
};
};
"PKCEAuthorizationFlow" = {
"ProviderConfig" = {
"Audience" = "netbird";
"PKCEAuthorizationFlow" = {
"ProviderConfig" = {
"Audience" = "netbird";
"ClientID" = "netbird";
"ClientSecret" = "";
"Domain" = "";
@@ -374,41 +181,56 @@
];
"UseIDToken" = false;
"DisablePromptLogin" = false;
};
};
};
port = 443;
};
port = 443;
coturn = {
enable = true;
user = "netbird";
password = "password";
passwordFile = "/etc/netbird/coturnPass";
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
};
signal = {
enable = true;
enableNginx = true;
};
};
coturn = {
enable = true;
systemd.services.secrets_setup = {
wantedBy = [ "netbird-management.service" "coturn.service" ];
user = "netbird";
password = "password";
serviceConfig = {
LoadCredential = [
"coturnPass"
];
};
openPorts = map (x: x) (builtins.genList (y: 49152 + y) (54152 - 49152));
script = ''
cat ''${CREDENTIALS_DIRECTORY}/coturnPass > /etc/netbird/coturnPass
'';
};
signal = {
enable = true;
enableNginx = true;
#port = 10000;
};
};
};
networking.firewall = {
allowedTCPPorts = [ 80 443 8080 33073 33080 ];
allowedUDPPorts = [ 3478 33073 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 49152; to = 54152; }];
};
system.stateVersion = "25.05";
system.stateVersion = "25.05";
};
};
};
};