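{ config, lib, inputs, ... }:
let
  cfg = config.sysconfig;
  serverEnabled = cfg.virtualization.netbird.enable;

  # STUN/TURN listener and the relay port range coturn hands out to peers.
  # The range is inclusive at both ends; every consumer (host firewall,
  # container port forwarding, container firewall, coturn) is derived from
  # these two numbers so they cannot drift apart.  Previously the last port,
  # 56100, was opened in the firewall but neither forwarded nor served.
  stunPort = 3478;
  relayFrom = 51100;
  relayTo = 56100;
  relayPorts = builtins.genList (i: relayFrom + i) (relayTo - relayFrom + 1);

  # Secrets reach the container as systemd credentials and are materialised
  # under this directory by secrets_setup; the management settings point at
  # the files through the module's `_secret` indirection so no secret value
  # is ever part of the (world-readable) Nix store.
  secretDir = "/etc/netbird";
  coturnPassFile = "${secretDir}/coturnPass";
  keycloakSecretFile = "${secretDir}/keycloakClientSecret";

  # One udp host->container forwarding entry for the same port on both sides.
  udpForward = port: { hostPort = port; containerPort = port; protocol = "udp"; };
in
{
  options.sysconfig = {
    services.netbird.enable = lib.options.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Run the netbird client on this host.";
    };
    virtualization.netbird.enable = lib.options.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Run the self-hosted netbird server (management, signal, dashboard, coturn) in a NixOS container.";
    };
  };

  config = {
    services.netbird.enable = cfg.services.netbird.enable;

    networking = {
      firewall = lib.mkIf serverEnabled {
        allowedUDPPorts = [ stunPort ];
        allowedUDPPortRanges = [ { from = relayFrom; to = relayTo; } ];
      };
      # ve-netbird only exists while the container is enabled.
      nat.internalInterfaces = lib.mkIf serverEnabled [ "ve-netbird" ];
    };

    sops.secrets = lib.mkIf serverEnabled {
      "netbird/coturnPass" = { };
      # Constructed key name: point it at the sops entry that holds the
      # Keycloak `netbird-backend` client secret.
      "netbird/keycloakClientSecret" = { };
    };

    containers.netbird = lib.mkIf serverEnabled {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.23";
      forwardPorts = map udpForward ([ stunPort ] ++ relayPorts);
      # Hand the decrypted secrets to the container as systemd credentials;
      # only secrets_setup inside the container reads them.
      extraFlags = [
        "--load-credential=coturnPass:${config.sops.secrets."netbird/coturnPass".path}"
        "--load-credential=keycloakClientSecret:${config.sops.secrets."netbird/keycloakClientSecret".path}"
      ];

      config = {
        # Plain http listener; TLS is presumably terminated in front of the
        # container (not visible from this module — confirm).
        services.nginx.virtualHosts."vpn.blunkall.us" = {
          listen = [ { addr = "0.0.0.0"; port = 80; ssl = false; } ];
        };

        services.netbird.server = {
          enable = true;
          enableNginx = true;
          domain = "vpn.blunkall.us";

          dashboard = {
            enable = true;
            enableNginx = true;
            settings = {
              AUTH_AUTHORITY = "https://auth.blunkall.us/realms/General";
              AUTH_CLIENT_ID = "netbird";
              AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
              AUTH_AUDIENCE = "netbird";
              USE_AUTH0 = false;
              NETBIRD_TOKEN_SOURCE = "accessToken";
            };
            # The dashboard is taken from a separate, unfree-enabled nixpkgs input.
            package =
              let
                pkgs-us = import inputs.nixpkgs-us {
                  system = "x86_64-linux";
                  config.allowUnfree = true;
                };
              in
              pkgs-us.netbird-dashboard;
          };

          management = {
            enable = true;
            enableNginx = true;
            disableAnonymousMetrics = true;
            dnsDomain = "vpn";
            turnDomain = "vpn.blunkall.us";
            turnPort = stunPort;
            # DEBUG is very verbose for a production auth path; lower it once
            # the deployment is stable.
            logLevel = "DEBUG";
            oidcConfigEndpoint = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
            port = 443;
            settings = {
              "TURNConfig" = {
                "Turns" = [
                  {
                    "Proto" = "udp";
                    "URI" = "turn:vpn.blunkall.us:3478";
                    "Username" = "netbird";
                    "Password"._secret = coturnPassFile;
                  }
                ];
                "Secret"._secret = coturnPassFile;
              };
              # NOTE(review): null leaves key handling to netbird itself — confirm
              # the generated key is persisted alongside the management state.
              "DataStoreEncryptionKey" = null;
              "HttpConfig" = {
                "Address" = "0.0.0.0:443";
                "AuthIssuer" = "https://auth.blunkall.us/realms/General";
                "AuthAudience" = "netbird";
                "AuthKeysLocation" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/certs";
                "AuthUserIDClaim" = "";
                "CertFile" = "";
                "CertKey" = "";
                # Presumably the JWKS is then fetched only at start-up, so a
                # Keycloak signing-key rotation needs a management restart — verify.
                "IdpSignKeyRefreshEnabled" = false;
                "OIDCConfigEndpoint" = "https://auth.blunkall.us/realms/General/.well-known/openid-configuration";
              };
              "DeviceAuthorizationFlow" = {
                "Provider" = "none";
                "ProviderConfig" = {
                  "Audience" = "netbird";
                  "AuthorizationEndpoint" = "";
                  "Domain" = "";
                  "ClientID" = "";
                  "ClientSecret" = "";
                  "TokenEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/token";
                  "DeviceAuthEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/auth/device";
                  "Scope" = "openid";
                  "UseIDToken" = false;
                  "RedirectURLs" = null;
                };
              };
              "IdpManagerConfig" = {
                "ManagerType" = "keycloak";
                "ClientConfig" = {
                  "Issuer" = "https://auth.blunkall.us/realms/General";
                  "TokenEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/token";
                  "ClientID" = "netbird-backend";
                  # Read from a file at start-up like the TURN password.  The
                  # former literal value lived in this file and therefore in the
                  # Nix store; treat it as disclosed and rotate it in Keycloak.
                  "ClientSecret"._secret = keycloakSecretFile;
                  "GrantType" = "client_credentials";
                };
                "ExtraConfig" = {
                  "AdminEndpoint" = "https://auth.blunkall.us/admin/realms/General";
                };
                "Auth0ClientCredentials" = null;
                "AzureClientCredentials" = null;
                "KeycloakClientCredentials" = null;
                "ZitadelClientCredentials" = null;
              };
              "PKCEAuthorizationFlow" = {
                "ProviderConfig" = {
                  "Audience" = "netbird";
                  "ClientID" = "netbird";
                  "ClientSecret" = "";
                  "Domain" = "";
                  "AuthorizationEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/auth";
                  "TokenEndpoint" = "https://auth.blunkall.us/realms/General/protocol/openid-connect/token";
                  "Scope" = "openid profile email offline_access api";
                  "RedirectURLs" = [ "http://localhost:53000" ];
                  "UseIDToken" = false;
                  "DisablePromptLogin" = false;
                };
              };
            };
          };

          coturn = {
            enable = true;
            user = "netbird";
            passwordFile = coturnPassFile;
            openPorts = relayPorts;
          };

          signal = {
            enable = true;
            enableNginx = true;
          };
        };

        # Copy the credentials handed in by the host into files that the
        # netbird module's `_secret` handling and coturn's passwordFile read.
        # The unit is ordered before both consumers: previously it was only
        # wantedBy them, so they could start before the files existed.
        systemd.services.secrets_setup = {
          description = "Materialise netbird secrets from systemd credentials";
          wantedBy = [ "netbird-management.service" "coturn.service" ];
          before = [ "netbird-management.service" "coturn.service" ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            LoadCredential = [ "coturnPass" "keycloakClientSecret" ];
          };
          # Files are 0640 netbird:netbird instead of inheriting the unit's
          # umask (world-readable).  coturn runs as netbird (see above); this
          # assumes netbird-management does too — confirm against the module.
          script = ''
            umask 077
            mkdir -p ${secretDir}
            install -m 0640 -o netbird -g netbird "$CREDENTIALS_DIRECTORY/coturnPass" ${coturnPassFile}
            install -m 0640 -o netbird -g netbird "$CREDENTIALS_DIRECTORY/keycloakClientSecret" ${keycloakSecretFile}
          '';
        };

        networking.firewall = {
          allowedTCPPorts = [ 80 ];
          allowedUDPPorts = [ stunPort ];
          allowedUDPPortRanges = [ { from = relayFrom; to = relayTo; } ];
        };

        system.stateVersion = "25.05";
      };
    };
  };
}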