From 9f8538f892378c1dec7540f09659ba45b74cc935 Mon Sep 17 00:00:00 2001 From: "Trez.One" Date: Thu, 13 Mar 2025 18:30:07 -0400 Subject: [PATCH] Netbird configuration to use Authelia. --- .gitignore | 3 +- .../app-configs/authelia_configuration.yml.j2 | 36 +- .../app-configs/netbird_management.json.j2 | 54 +-- docker-compose.yml | 388 +++++++++--------- 4 files changed, 244 insertions(+), 237 deletions(-) diff --git a/.gitignore b/.gitignore index 0e64181a..21336815 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ **/.cache_ggshield ansible/collections/ansible_collections/ -**/.env \ No newline at end of file +**/.env +**/netbird_openid-configuration.json.j2 \ No newline at end of file diff --git a/ansible/app-configs/authelia_configuration.yml.j2 b/ansible/app-configs/authelia_configuration.yml.j2 index 1628d560..4d4cfbcb 100644 --- a/ansible/app-configs/authelia_configuration.yml.j2 +++ b/ansible/app-configs/authelia_configuration.yml.j2 @@ -1,3 +1,6 @@ +{% set vault_addr = 'https://vault.trez.wtf' %} +{% set secrets_path = 'rinoa-docker/env' %} +# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json --- theme: auto default_2fa_method: "totp" @@ -134,4 +137,35 @@ notifier: startup_check_address: 'test@authelia.com' disable_require_tls: true disable_starttls: true - disable_html_emails: false \ No newline at end of file + disable_html_emails: false +identity_providers: + oidc: + hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}' + jwks: + key_id: 'netbird' + key: {{ secret "/config/secrets/oidc/jwks/netbird_private.pem" | mindent 10 "|" | msquote }} + certificate_chain: {{ secret "/config/secrets/oidc/jwks/netbird_chain.pem" | mindent 10 "|" | msquote }} + cors: + allowed_origins_from_client_redirect_uris: true + endpoints: + - 'userinfo' + - 'authorization' + - 'token' + - 'revocation' + - 'introspection' + clients: + - client_id: 'netbird' + client_name: 'NetBird' + client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}' + public: false + authorization_policy: 'two_factor' + redirect_uris: + - 'https://vpn.trez.wtf/peers' + - 'https://vpn.trez.wtf/add-peers' + - 'http://localhost' + scopes: + - 'openid' + - 'email' + - 'profile' + userinfo_signed_response_alg: 'none' + token_endpoint_auth_method: 'client_secret_post' \ No newline at end of file diff --git a/ansible/app-configs/netbird_management.json.j2 b/ansible/app-configs/netbird_management.json.j2 index 3004c918..80d2bb29 100644 --- a/ansible/app-configs/netbird_management.json.j2 +++ b/ansible/app-configs/netbird_management.json.j2 @@ -47,60 +47,30 @@ }, "HttpConfig": { "Address": "0.0.0.0:33073", - "AuthIssuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}", - "AuthAudience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}", - "AuthKeysLocation": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/keys", + "AuthIssuer": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}", + "AuthAudience": "netbird", + "AuthKeysLocation": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/jwks.json", "AuthUserIDClaim": "", "CertFile": "", "CertKey": "", "IdpSignKeyRefreshEnabled": true, - "OIDCConfigEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration" - }, - "IdpManagerConfig": { - "ManagerType": "zitadel", - "ClientConfig": { - "Issuer": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}", - "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token", - "ClientID": "netbird", - "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_SECRET'] }}", - "GrantType": "client_credentials" - }, - "ExtraConfig": { - "ManagementEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/management/v1" - }, - "Auth0ClientCredentials": null, - "AzureClientCredentials": null, - "KeycloakClientCredentials": null, - "ZitadelClientCredentials": null - }, - "DeviceAuthorizationFlow": { - "Provider": "hosted", - "ProviderConfig": { - "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}", - "AuthorizationEndpoint": "", - "Domain": "", - "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}", - "ClientSecret": "", - "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token", - "DeviceAuthEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/device_authorization", - "Scope": "openid", - "UseIDToken": false, - "RedirectURLs": null - } + "OIDCConfigEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/.well-known/openid-configuration" }, + "IdpManagerConfig": {}, + "DeviceAuthorizationFlow": {}, "PKCEAuthorizationFlow": { "ProviderConfig": { - "Audience": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}", - "ClientID": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['NETBIRD_ZITADEL_CLIENT_ID'] }}", - "ClientSecret": "", + "Audience": "netbird", + "ClientID": "netbird", + "ClientSecret": "{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}", "Domain": "", - "AuthorizationEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/authorize", - "TokenEndpoint": "https://id.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/oauth/v2/token", + "AuthorizationEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/authorization", + "TokenEndpoint": "https://auth.{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['MY_TLD'] }}/api/oidc/token", "Scope": "openid profile email offline_access api", "RedirectURLs": [ "http://localhost:53000" ], - "UseIDToken": false + "UseIDToken": true } } } diff --git a/docker-compose.yml b/docker-compose.yml index d62c07cd..05f301ac 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -202,9 +202,10 @@ services: AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} AUTHELIA_STORAGE_POSTGRES_PASSWORD: ${AUTHELIA_STORAGE_POSTGRES_PASSWORD} - # PGID: ${PGID} - # PUID: ${PUID} + PGID: ${PGID} + PUID: ${PUID} TZ: ${TZ} + X_AUTHELIA_CONFIG_FILTERS: template expose: - 9091 image: authelia/authelia:master @@ -1268,77 +1269,77 @@ services: restart: always volumes: - ${DOCKER_VOLUME_STORAGE}/backups/docker_volume_bkups:/archive - - authelia-pg-db:/data/authelia-pg-db:ro - - bitmagnet-pg-db:/data/bitmagnet-pg-db:ro - - bunkerweb-storage:/data/bunkerweb-storage:ro - - castopod-media:/data/castopod-media:ro - - crowdsec-config:/data/crowdsec-config:ro - - crowdsec-db:/data/crowdsec-db:ro - - dawarich_db_data:/data/dawarich_db_data:ro - - dawarich_shared:/data/dawarich_shared:ro - - dawarich_public:/data/dawarich_public:ro - - dawarich_watched:/data/dawarich_watched:ro - - dbgate-data:/data/dbgate-data:ro - - docker-volume-bkup-data:/data/docker-volume-bkup-data:ro - - fastenhealth-cache:/data/fastenhealth-cache:ro - - fastenhealth-db:/data/fastenhealth-db:ro - - filebeat_etc:/data/filebeat_etc:ro - - filebeat_var:/data/filebeat_var:ro - - gitea-pg-db:/data/gitea-pg-db:ro - - hortusfox_app_backup:/data/hortusfox_app_backup:ro - - hortusfox_app_images:/data/hortusfox_app_images:ro - - hortusfox_app_logs:/data/hortusfox_app_logs:ro - - hortusfox_app_migrate:/data/hortusfox_app_migrate:ro - - hortusfox_app_themes:/data/hortusfox_app_themes:ro - - hortusfox_db_data:/data/hortusfox_db_data:ro - - immich-model-cache:/data/immich-model-cache:ro - - influxdb2-data:/data/influxdb2-data:ro - - influxdb2-config:/data/influxdb2-config:ro - - invidious-postgres:/data/invidious-postgres:ro - - invoice-ninja_cache:/data/invoice-ninja_cache:ro - - invoice-ninja_public:/data/invoice-ninja_public:ro - - invoice-ninja_storage:/data/invoice-ninja_storage:ro - - jitsi-web-admin-theme:/data/jitsi-web-admin-theme:ro - - jitsi-web-admin-upload:/data/jitsi-web-admin-upload:ro - - joplin_data:/data/joplin_data:ro - - librechat-pg-data:/data/librechat-pg-data:ro - - libretranslate_models:/data/libretranslate_models:ro - - lldap_data:/data/lldap_data:ro - - mastodon-pg-db:/data/mastodon-pg-db:ro - - mixpost-storage:/data/mixpost-storage:ro - - mixpost-logs:/data/mixpost-logs:ro - - mongodb_config:/data/mongodb_config:ro - - mongodb_data:/data/mongodb_data:ro - - n8n-data:/data/n8n-data:ro - - netbird-mgmt:/data/netbird-mgmt:ro - - netbird-signal:/data/netbird-signal:ro - - netbird-letsencrypt:/data/netbird-letsencrypt:ro - - nextcloud_aio_mastercontainer:/data/nextcloud_aio_mastercontainer:ro - - ollama:/data/ollama:ro - - open-webui:/data/open-webui:ro - - paperless-ngx-data:/data/paperless-ngx-data:ro - - paperless-ngx-media:/data/paperless-ngx-media:ro - - paperless-ngx-pg:/data/paperless-ngx-pg:ro - - peppermint-pg-data:/data/peppermint-pg-data:ro - - pgbackweb-data:/data/pgbackweb-data:ro - - plausible-db-data:/data/plausible-db-data:ro - - plausible-event-data:/data/plausible-event-data:ro - - plausible-event-logs:/data/plausible-event-logs:ro - - portainer-data:/data/portainer-data:ro - - reactive-resume-pg:/data/reactive-resume-pg:ro - - semaphore_config:/data/semaphore_config:ro - - semaphore_data:/data/semaphore_data:ro - - semaphore_tmp:/data/semaphore_tmp:ro - - sonarqube-data:/data/sonarqube-data:ro - - sonarqube-db:/data/sonarqube-db:ro - - sonarqube-db-data:/data/sonarqube-db-data:ro - - sonarqube-extensions:/data/sonarqube-extensions:ro - - sonarqube-logs:/data/sonarqube-logs:ro - - sonarqube-temp:/data/sonarqube-temp:ro - - tandoor-pg:/data/tandoor-pg:ro - - unmanic-cache:/data/unmanic-cache:ro - - wallos-db:/data/wallos-db:ro - - wallos-logos:/data/wallos-logos:ro + - authelia-pg-db:/backup/authelia-pg-db:ro + - bitmagnet-pg-db:/backup/bitmagnet-pg-db:ro + - bunkerweb-storage:/backup/bunkerweb-storage:ro + - castopod-media:/backup/castopod-media:ro + - crowdsec-config:/backup/crowdsec-config:ro + - crowdsec-db:/backup/crowdsec-db:ro + - dawarich_db_data:/backup/dawarich_db_data:ro + - dawarich_shared:/backup/dawarich_shared:ro + - dawarich_public:/backup/dawarich_public:ro + - dawarich_watched:/backup/dawarich_watched:ro + - dbgate-data:/backup/dbgate-data:ro + - docker-volume-bkup-data:/backup/docker-volume-bkup-data:ro + - fastenhealth-cache:/backup/fastenhealth-cache:ro + - fastenhealth-db:/backup/fastenhealth-db:ro + - filebeat_etc:/backup/filebeat_etc:ro + - filebeat_var:/backup/filebeat_var:ro + - gitea-pg-db:/backup/gitea-pg-db:ro + - hortusfox_app_backup:/backup/hortusfox_app_backup:ro + - hortusfox_app_images:/backup/hortusfox_app_images:ro + - hortusfox_app_logs:/backup/hortusfox_app_logs:ro + - hortusfox_app_migrate:/backup/hortusfox_app_migrate:ro + - hortusfox_app_themes:/backup/hortusfox_app_themes:ro + - hortusfox_db_data:/backup/hortusfox_db_data:ro + - immich-model-cache:/backup/immich-model-cache:ro + - influxdb2-data:/backup/influxdb2-data:ro + - influxdb2-config:/backup/influxdb2-config:ro + - invidious-postgres:/backup/invidious-postgres:ro + - invoice-ninja_cache:/backup/invoice-ninja_cache:ro + - invoice-ninja_public:/backup/invoice-ninja_public:ro + - invoice-ninja_storage:/backup/invoice-ninja_storage:ro + - jitsi-web-admin-theme:/backup/jitsi-web-admin-theme:ro + - jitsi-web-admin-upload:/backup/jitsi-web-admin-upload:ro + - joplin_data:/backup/joplin_data:ro + - librechat-pg-data:/backup/librechat-pg-data:ro + - libretranslate_models:/backup/libretranslate_models:ro + - lldap_data:/backup/lldap_data:ro + - mastodon-pg-db:/backup/mastodon-pg-db:ro + - mixpost-storage:/backup/mixpost-storage:ro + - mixpost-logs:/backup/mixpost-logs:ro + - mongodb_config:/backup/mongodb_config:ro + - mongodb_data:/backup/mongodb_data:ro + - n8n-data:/backup/n8n-data:ro + - netbird-mgmt:/backup/netbird-mgmt:ro + - netbird-signal:/backup/netbird-signal:ro + - netbird-letsencrypt:/backup/netbird-letsencrypt:ro + - nextcloud_aio_mastercontainer:/backup/nextcloud_aio_mastercontainer:ro + - ollama:/backup/ollama:ro + - open-webui:/backup/open-webui:ro + - paperless-ngx-data:/backup/paperless-ngx-data:ro + - paperless-ngx-media:/backup/paperless-ngx-media:ro + - paperless-ngx-pg:/backup/paperless-ngx-pg:ro + - peppermint-pg-data:/backup/peppermint-pg-data:ro + - pgbackweb-data:/backup/pgbackweb-data:ro + - plausible-db-data:/backup/plausible-db-data:ro + - plausible-event-data:/backup/plausible-event-data:ro + - plausible-event-logs:/backup/plausible-event-logs:ro + - portainer-data:/backup/portainer-data:ro + - reactive-resume-pg:/backup/reactive-resume-pg:ro + - semaphore_config:/backup/semaphore_config:ro + - semaphore_data:/backup/semaphore_data:ro + - semaphore_tmp:/backup/semaphore_tmp:ro + - sonarqube-data:/backup/sonarqube-data:ro + - sonarqube-db:/backup/sonarqube-db:ro + - sonarqube-db-data:/backup/sonarqube-db-data:ro + - sonarqube-extensions:/backup/sonarqube-extensions:ro + - sonarqube-logs:/backup/sonarqube-logs:ro + - sonarqube-temp:/backup/sonarqube-temp:ro + - tandoor-pg:/backup/tandoor-pg:ro + - unmanic-cache:/backup/unmanic-cache:ro + - wallos-db:/backup/wallos-db:ro + - wallos-logos:/backup/wallos-logos:ro docuseal: container_name: docuseal image: docuseal/docuseal:latest @@ -1792,6 +1793,10 @@ services: immich-pg-db: condition: service_started required: true + immich-machine-learning: + condition: service_started + required: true + restart: true environment: DB_DATABASE_NAME: immich DB_HOSTNAME: immich-pg-db @@ -3337,8 +3342,8 @@ services: homepage.widget.type: navidrome homepage.widget.url: http://navidrome:4533 homepage.widget.user: admin - homepage.widget.token: e8a9e97b29aa963fa4729c633289d232 - homepage.widget.salt: v5Z93Z + homepage.widget.token: ${NAVIDROME_HOMEPAGE_TOKEN} + homepage.widget.salt: ${NAVIDROME_HOMEPAGE_SALT} swag: enable swag_port: 4533 swag_proto: http @@ -3383,123 +3388,121 @@ services: target: /app/api # (API: OPTION 2) use when debugging issues # - ${DOCKER_VOLUME_CONFIG}/netalertx/api:/app/api - # netbird-dashboard: - # container_name: netbird-dashboard - # environment: - # # Endpoints - # NETBIRD_MGMT_API_ENDPOINT: https://netbird.${MY_TLD}:33073 - # NETBIRD_MGMT_GRPC_API_ENDPOINT: https://netbird.${MY_TLD}:33073 - # # OIDC - # AUTH_AUDIENCE: ${NETBIRD_ZITADEL_CLIENT_ID} - # AUTH_CLIENT_ID: ${NETBIRD_ZITADEL_CLIENT_ID} - # AUTH_CLIENT_SECRET: ${NETBIRD_ZITADEL_CLIENT_SECRET} - # AUTH_AUTHORITY: https://id.${MY_TLD} - # USE_AUTH0: false - # AUTH_SUPPORTED_SCOPES: openid profile email offline_access api - # AUTH_REDIRECT_URI: /auth - # AUTH_SILENT_REDIRECT_URI: /silent-auth - # NETBIRD_TOKEN_SOURCE: accessToken - # # SSL - # NGINX_SSL_PORT: 443 - # # Letsencrypt - # LETSENCRYPT_DOMAIN: - # LETSENCRYPT_EMAIL: - # image: netbirdio/dashboard:latest - # labels: - # homepage.group: Privacy/Security - # homepage.name: Netbird - # homepage.href: https://netbird.${MY_TLD} - # homepage.icon: netbird.svg - # homepage.description: Peer-to-peer private network and centralized access control system - # swag: enable - # swag_proto: http - # swag_port: 80 - # swag_auth: authelia - # swag_url: netbird.${MY_TLD} - # swag_server_custom_directive: | - # location /signalexchange.SignalExchange/ { - # grpc_pass grpc://netbird-signal:80; - # #grpc_ssl_verify off; - # grpc_read_timeout 1d; - # grpc_send_timeout 1d; - # grpc_socket_keepalive on; - # } - # # Proxy Management http endpoint - # location /api { - # proxy_pass http://netbird-management:443; - # } - # # Proxy Management grpc endpoint - # location /management.ManagementService/ { - # grpc_pass grpc://netbird-management:443; - # #grpc_ssl_verify off; - # grpc_read_timeout 1d; - # grpc_send_timeout 1d; - # grpc_socket_keepalive on; - # } - # swag.uptime-kuma.enabled: true - # swag.uptime-kuma.monitor.url: https://netbird.${MY_TLD} - # ports: - # - 32908:80 - # - 36610:443 - # restart: unless-stopped - # volumes: - # - netbird-letsencrypt:/etc/letsencrypt/ - # netbird-signal: - # container_name: netbird-signal - # image: netbirdio/signal:latest - # ports: - # - 10001:80 - # restart: unless-stopped - # volumes: - # - netbird-signal:/var/lib/netbird - # netbird-relay: - # container_name: netbird-relay - # image: netbirdio/relay:latest - # restart: unless-stopped - # environment: - # NB_LOG_LEVEL: info - # NB_LISTEN_ADDRESS: :33080 - # NB_EXPOSED_ADDRESS: netbird.${MY_TLD}:33080 - # # todo: change to a secure secret - # NB_AUTH_SECRET: ${NETBIRD_RELAY_AUTH_SECRET} - # ports: - # - 33080:33080 - # netbird-management: - # command: [ - # "--port", "443", - # "--log-file", "console", - # "--log-level", "info", - # "--disable-anonymous-metrics=false", - # "--single-account-mode-domain=netbird.${MY_TLD}", - # "--dns-domain=netbird.selfhosted" - # ] - # container_name: netbird-management - # depends_on: - # netbird-dashboard: - # condition: service_started - # environment: - # NETBIRD_STORE_ENGINE_POSTGRES_DSN: - # NETBIRD_STORE_ENGINE_MYSQL_DSN: - # image: netbirdio/management:latest - # restart: unless-stopped - # volumes: - # - netbird-mgmt:/var/lib/netbird - # - netbird-letsencrypt:/etc/letsencrypt:ro - # - ${DOCKER_VOLUME_CONFIG}/netbird/management.json:/etc/netbird/management.json - # ports: - # - 23833:443 #API port - # netbird-coturn: - # command: - # - -c /etc/turnserver.conf - # container_name: netbird-coturn - # image: coturn/coturn:latest - # restart: unless-stopped - # #domainname: netbird.${MY_TLD} # only needed when TLS is enabled - # volumes: - # - ${DOCKER_VOLUME_CONFIG}/netbird/turnserver.conf:/etc/turnserver.conf:ro - # - ${DOCKER_VOLUME_CONFIG}/netbird/privkey.pem:/etc/coturn/private/privkey.pem:ro - # - ${DOCKER_VOLUME_CONFIG}/netbird/cert.pem:/etc/coturn/certs/cert.pem:ro - # network_mode: host + netbird-dashboard: + container_name: netbird-dashboard + environment: + # Endpoints + NETBIRD_MGMT_API_ENDPOINT: https://vpn.${MY_TLD} + NETBIRD_MGMT_GRPC_API_ENDPOINT: https://vpn.${MY_TLD} + # OIDC + AUTH_AUDIENCE: none + AUTH_CLIENT_ID: netbird + AUTH_CLIENT_SECRET: ${AUTHELIA_NETBIRD_CLIENT_SECRET} + AUTH_AUTHORITY: https://auth.${MY_TLD} + USE_AUTH0: false + AUTH_SUPPORTED_SCOPES: openid profile email offline_access api + AUTH_REDIRECT_URI: /peers + AUTH_SILENT_REDIRECT_URI: /add-peers + NETBIRD_TOKEN_SOURCE: idToken + # SSL + NGINX_SSL_PORT: 443 + # Letsencrypt + LETSENCRYPT_DOMAIN: + LETSENCRYPT_EMAIL: + image: netbirdio/dashboard:latest + labels: + homepage.group: Privacy/Security + homepage.name: Netbird + homepage.href: https://vpn.${MY_TLD} + homepage.icon: netbird.svg + homepage.description: Peer-to-peer private network and centralized access control system + swag: enable + swag_proto: http + swag_port: 80 + swag_auth: authelia + swag_url: vpn.${MY_TLD} + swag_server_custom_directive: | + location /signalexchange.SignalExchange/ { + grpc_pass grpc://netbird-signal; + #grpc_ssl_verify off; + grpc_read_timeout 1d; + grpc_send_timeout 1d; + grpc_socket_keepalive on; + } + # Proxy Management http endpoint + location /api { + proxy_pass http://netbird-management; + } + # Proxy Management grpc endpoint + location /management.ManagementService/ { + grpc_pass grpc://netbird-management; + #grpc_ssl_verify off; + grpc_read_timeout 1d; + grpc_send_timeout 1d; + grpc_socket_keepalive on; + } + swag.uptime-kuma.enabled: true + swag.uptime-kuma.monitor.url: https://vpn.${MY_TLD} + ports: + - 32908:80 + - 36610:443 + restart: unless-stopped + volumes: + - netbird-letsencrypt:/etc/letsencrypt/ + netbird-signal: + container_name: netbird-signal + image: netbirdio/signal:latest + ports: + - 10001:80 + restart: unless-stopped + volumes: + - netbird-signal:/var/lib/netbird + netbird-relay: + image: netbirdio/relay:latest + restart: unless-stopped + environment: + NB_LOG_LEVEL: info + NB_LISTEN_ADDRESS: :33080 + NB_EXPOSED_ADDRESS: vpn.${MY_TLD}:33080 + # todo: change to a secure secret + NB_AUTH_SECRET: ${NETBIRD_RELAY_AUTH_SECRET} + ports: + - 33080:33080 + netbird-management: + command: [ + "--port", "443", + "--log-file", "console", + "--log-level", "info", + "--disable-anonymous-metrics=false", + "--single-account-mode-domain=vpn.${MY_TLD}", + "--dns-domain=vpn.trez.wtf" + ] + container_name: netbird-management + depends_on: + netbird-dashboard: + condition: service_started + environment: + NETBIRD_STORE_ENGINE_POSTGRES_DSN: + NETBIRD_STORE_ENGINE_MYSQL_DSN: + image: netbirdio/management:latest + restart: unless-stopped + volumes: + - netbird-mgmt:/var/lib/netbird + - netbird-letsencrypt:/etc/letsencrypt:ro + - ${DOCKER_VOLUME_CONFIG}/netbird/management.json:/etc/netbird/management.json + ports: + - 33073:443 #API port + netbird-coturn: + command: + - -c /etc/turnserver.conf + container_name: netbird-coturn + image: coturn/coturn:latest + restart: unless-stopped + #domainname: vpn.${MY_TLD} # only needed when TLS is enabled + volumes: + - ${DOCKER_VOLUME_CONFIG}/netbird/turnserver.conf:/etc/turnserver.conf:ro + # - ${DOCKER_VOLUME_CONFIG}/netbird/privkey.pem:/etc/coturn/private/privkey.pem:ro + # - ${DOCKER_VOLUME_CONFIG}/netbird/cert.pem:/etc/coturn/certs/cert.pem:ro nextcloud: container_name: nextcloud-aio-mastercontainer environment: @@ -4899,7 +4902,6 @@ services: swag: condition: service_started required: true - restart: true environment: PGID: ${PGID} PUID: ${PUID}