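# NixOS module: the NetBird client on the host and, optionally, a self-hosted
# NetBird server (management + dashboard + signal + coturn) running inside a
# NixOS container whose public ports are forwarded from the host.
#
# SECURITY NOTES (review) -- none of this is enforced by the module itself:
#  * Everything in this file is evaluated into /nix/store, which is readable by
#    every local user. That currently includes the management
#    DataStoreEncryptionKey, the Keycloak client secret of `netbird-backend`
#    and the TURN password. Treat all three as exposed once this has been
#    built: rotate them and move them out of the evaluated config (a file on
#    the container's filesystem, sops-nix/agenix, ...) before reusing this.
#  * The TURN credential is the literal placeholder "password"; anyone on the
#    internet can relay traffic through this server until it is changed.
#  * Changes versus the previous revision of this file: repeated literals are
#    factored into `let` bindings, the identity `map (x: x)` is dropped, the
#    host firewall rules are only applied when the server container is enabled
#    (they exist solely for the forwarded container ports), and the relay port
#    range used for the firewall is derived from the forwarded range (54152 was
#    opened on the host but never forwarded).
{ config, lib, pkgs, ... }:

let
  cfg = config.sysconfig.opts;

  # Keycloak realm that every OIDC endpoint below is derived from.
  realm = "https://auth.blunkall.us/realms/General";
  oidcDiscovery = "${realm}/.well-known/openid-configuration";
  oidcAuthorize = "${realm}/protocol/openid-connect/auth";
  oidcToken = "${realm}/protocol/openid-connect/token";
  oidcDeviceAuth = "${realm}/protocol/openid-connect/auth/device";
  oidcJwks = "${realm}/protocol/openid-connect/certs";
  keycloakAdminApi = "https://auth.blunkall.us/admin/realms/General";

  # Public name of the server; also used as the TURN host.
  publicDomain = "vpn.blunkall.us";

  # Externally reachable ports. `relayPorts` is exactly the set forwarded into
  # the container, so the firewall rules are built from the same value.
  mgmtTcpPort = 33080;
  turnPort = 3478;
  relayPortRange = { from = 49152; to = 54151; };
  relayPorts = lib.range relayPortRange.from relayPortRange.to;

  # Host side of the container veth and the server container's address.
  hostAddress = "192.168.100.10";
  containerAddress = "192.168.100.23";

  # One host->container UDP forward for a single port.
  udpForward = port: { hostPort = port; containerPort = port; protocol = "udp"; };
in
{
  options.sysconfig.opts = {
    netbird.enable = lib.mkEnableOption "the NetBird client on this host";
    virtualization.netbird.enable =
      lib.mkEnableOption "a self-hosted NetBird server in a NixOS container";
  };

  config = {
    services.netbird.enable = cfg.netbird.enable;

    # The host only needs these ports open to reach the forwarded container
    # ports, so they are tied to the container option (least privilege).
    networking.firewall = lib.mkIf cfg.virtualization.netbird.enable {
      allowedTCPPorts = [ mgmtTcpPort ];
      allowedUDPPorts = [ turnPort ];
      allowedUDPPortRanges = [ relayPortRange ];
    };

    /*
      Previous layout with one container per component, kept for reference
      only. Nothing in this comment is evaluated. It carries the same
      plaintext secrets as the live configuration below.

      containers.netbird-dashboard = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "192.168.100.10";
        localAddress = "192.168.100.23";
        config = {
          services.netbird.server = {
            enableNginx = false;
            management.port = 80;
            dashboard = {
              enable = true;
              domain = "vpn.blunkall.us";
              settings.AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
              managementServer = "192.168.100.24";
            };
          };
          networking.firewall.allowedTCPPorts = [ 80 ];
          system.stateVersion = "25.05";
        };
      };

      containers.netbird-management = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "192.168.100.10";
        localAddress = "192.168.100.24";
        bindMounts."/etc/netbird/data" = { hostPath = "/ssd1/Netbird/mgmt"; isReadOnly = false; };
        config = {
          services.netbird.server = {
            enableNginx = false;
            management = {
              enable = true;
              domain = "mgmt.blunkall.us";
              disableAnonymousMetrics = true;
              dnsDomain = "vpn";
              turnDomain = "coturn.blunkall.us";
              turnPort = 3478;
              oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
              settings = {
                TURNConfig.Turns = [
                  { Proto = "udp"; URI = "turn:coturn.blunkall.us:3478"; Username = "netbird"; Password = "password"; }
                ];
                #Datadir = "/etc/netbird/data";
                DataStoreEncryptionKey = "770A8A65DA156D24EE2A093277530142";
              };
              port = 80;
            };
          };
          networking.firewall.allowedTCPPorts = [ 80 ];
          system.stateVersion = "25.05";
        };
      };

      containers.netbird-coturn = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "192.168.100.10";
        localAddress = "192.168.100.25";
        forwardPorts = [ { hostPort = 3478; containerPort = 3478; protocol = "udp"; } ]
          ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; })
                 (builtins.genList (y: 49152 + y) (54152 - 49152));
        bindMounts = { };
        config = {
          services.netbird.server = {
            enableNginx = false;
            coturn = {
              enable = true;
              domain = "coturn.blunkall.us";
              user = "netbird";
              password = "password";
              openPorts = builtins.genList (y: 49152 + y) (54152 - 49152);
            };
          };
          networking.firewall = {
            allowedTCPPorts = [ 33080 ];
            allowedUDPPorts = [ 3478 ];
            allowedUDPPortRanges = [ { from = 49152; to = 54152; } ];
          };
          system.stateVersion = "25.05";
        };
      };

      containers.netbird-signal = lib.mkIf config.sysconfig.opts.virtualization.netbird.enable {
        autoStart = true;
        privateNetwork = true;
        hostAddress = "192.168.100.10";
        localAddress = "192.168.100.26";
        config = {
          services.netbird.server = {
            enableNginx = false;
            signal = { enable = true; port = 80; domain = "signal.blunkall.us"; };
          };
          networking.firewall.allowedTCPPorts = [ 80 ];
          system.stateVersion = "25.05";
        };
      };
    */

    # Single container hosting all NetBird server components.
    containers.netbird = lib.mkIf cfg.virtualization.netbird.enable {
      autoStart = true;
      privateNetwork = true;
      inherit hostAddress;
      localAddress = containerAddress;

      # Management/dashboard TCP port, TURN, and the TURN relay range.
      forwardPorts = [
        { hostPort = mgmtTcpPort; containerPort = mgmtTcpPort; protocol = "tcp"; }
        (udpForward turnPort)
      ] ++ map udpForward relayPorts;

      config = {
        services.netbird.server = {
          enable = true;
          enableNginx = false;
          domain = publicDomain;

          dashboard = {
            enable = true;
            enableNginx = true;
            settings = {
              AUTH_AUTHORITY = realm;
              AUTH_CLIENT_ID = "netbird";
              AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
              AUTH_AUDIENCE = "netbird";
              USE_AUTH0 = false;
              NETBIRD_TOKEN_SOURCE = "accessToken";
            };
          };

          management = {
            enable = true;
            disableAnonymousMetrics = true;
            dnsDomain = "vpn";
            turnDomain = publicDomain;
            inherit turnPort;
            oidcConfigEndpoint = oidcDiscovery;
            # NOTE(review): `port = 80` here and `HttpConfig.Address` below
            # (0.0.0.0:443) disagree; confirm which one the service binds and
            # drop the other, the container firewall currently opens both.
            port = 80;

            settings = {
              TURNConfig.Turns = [
                {
                  Proto = "udp";
                  URI = "turn:${publicDomain}:${toString turnPort}";
                  Username = "netbird";
                  # SECURITY: placeholder credential, must match `coturn.password`
                  # below; replace both with a real secret kept out of the store.
                  Password = "password";
                }
              ];

              # SECURITY: encryption key for the management datastore, stored in
              # plaintext in /nix/store. Rotate and move to a secret file.
              DataStoreEncryptionKey = "770A8A65DA156D24EE2A093277530142";

              # X-Forwarded-* headers are trusted only from this address;
              # presumably the reverse-proxy container on the same bridge,
              # verify it is the only hop in front of the management API.
              ReverseProxy = {
                TrustedHTTPProxies = [ "192.168.100.11" ];
                TrustedHTTPProxiesCount = 1;
              };

              HttpConfig = {
                Address = "0.0.0.0:443";
                AuthIssuer = realm;
                # NOTE(review): the dashboard expects audience "netbird" while
                # the management API validates tokens against the discovery URL
                # below (also in the PKCE and device-flow sections). Confirm the
                # Keycloak audience mapper really emits this value, otherwise
                # token validation only works by accident.
                AuthAudience = oidcDiscovery;
                AuthKeysLocation = oidcJwks;
                AuthUserIDClaim = "";
                CertFile = "";
                CertKey = "";
                # NOTE(review): with this disabled the JWKS is not re-fetched,
                # so an IdP signing-key rotation breaks logins until restart.
                IdpSignKeyRefreshEnabled = false;
                OIDCConfigEndpoint = oidcDiscovery;
              };

              DeviceAuthorizationFlow = {
                Provider = "none";
                ProviderConfig = {
                  Audience = oidcDiscovery;
                  AuthorizationEndpoint = "";
                  Domain = "";
                  ClientID = "";
                  ClientSecret = "";
                  TokenEndpoint = oidcToken;
                  DeviceAuthEndpoint = oidcDeviceAuth;
                  Scope = "openid";
                  UseIDToken = false;
                  RedirectURLs = null;
                };
              };

              IdpManagerConfig = {
                ManagerType = "keycloak";
                ClientConfig = {
                  Issuer = realm;
                  TokenEndpoint = oidcToken;
                  ClientID = "netbird-backend";
                  # SECURITY: confidential-client secret in plaintext in
                  # /nix/store; rotate it in Keycloak and load it from a file.
                  ClientSecret = "QuqjTOAHKE6N6jJqkB1F1RGo3kqUhEdg";
                  GrantType = "client_credentials";
                };
                ExtraConfig.AdminEndpoint = keycloakAdminApi;
                Auth0ClientCredentials = null;
                AzureClientCredentials = null;
                KeycloakClientCredentials = null;
                ZitadelClientCredentials = null;
              };

              PKCEAuthorizationFlow.ProviderConfig = {
                Audience = oidcDiscovery;
                ClientID = "netbird";
                ClientSecret = "";
                Domain = "";
                AuthorizationEndpoint = oidcAuthorize;
                TokenEndpoint = oidcToken;
                Scope = "openid profile email offline_access api";
                # Loopback redirect used by the CLI login flow; plain http is
                # fine here because it never leaves the client machine.
                RedirectURLs = [ "http://localhost:53000" ];
                UseIDToken = false;
                DisablePromptLogin = false;
              };
            };
          };

          coturn = {
            enable = true;
            user = "netbird";
            # SECURITY: placeholder credential, see TURNConfig above.
            password = "password";
            openPorts = relayPorts;
          };

          signal = {
            enable = true;
            port = 8080;
          };
        };

        networking.firewall = {
          allowedTCPPorts = [ 80 8080 mgmtTcpPort 443 ];
          allowedUDPPorts = [ turnPort ];
          allowedUDPPortRanges = [ relayPortRange ];
        };

        system.stateVersion = "25.05";
      };
    };
  };
}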