Add NetBird module

2024-08-23 09:40:01 +01:00 · 2024-08-23 09:40:01 +01:00 · decc27afd7
commit decc27afd7
parent bdd73f1ef8
4 changed files with 71 additions and 1 deletions
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@ -80,6 +80,10 @@

  modules = rec {
    databases.postgresql.enable = true;
+    networking = {
+      netbird.enable = true;
+      tailscale.enable = lib.mkForce false;
+    };
    services = {
      borgmatic = {
        enable = true;
@ -96,7 +100,7 @@
        matrixIntegration = true;
      };
      gitea.enable = true;
-      headscale.enable = true;
+      headscale.enable = false;
      matrix = {
        enable = true;
        bridges = {
--- a/modules/default.nix
+++ b/modules/default.nix
@ -32,6 +32,7 @@
    ./editors/neovim
    ./editors/vscode.nix
    ./hardware/presonus-studio.nix
+    ./networking/netbird.nix
    ./networking/tailscale.nix
    ./networking/wireless.nix
    ./security/gpg.nix
--- a/modules/networking/netbird.nix
+++ b/modules/networking/netbird.nix
@ -0,0 +1,61 @@
+{ config, lib, self, ... }:
+
+let
+  cfg = config.modules.networking.netbird;
+  hostname = config.networking.hostName;
+in {
+  options.modules.networking.netbird = {
+    enable = lib.mkEnableOption "netbird";
+    coordinatorDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "netbird.vimium.net";
+    };
+    meshDomain = lib.mkOption {
+      type = lib.types.str;
+      default = "mesh.vimium.net";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets."passwords/services/netbird/data-store-encryption-key" = {
+      file = "${self.inputs.secrets}/passwords/services/netbird/data-store-encryption-key.age";
+    };
+
+    services.netbird = {
+      enable = true;
+    };
+
+    services.netbird.server = {
+      domain = cfg.coordinatorDomain;
+      enable = true;
+      enableNginx = true;
+      dashboard.settings.AUTH_AUTHORITY = "https://auth.vimium.com/oauth2/openid/netbird";
+      management = rec {
+        disableAnonymousMetrics = true;
+        dnsDomain = cfg.meshDomain;
+        oidcConfigEndpoint = "https://auth.vimium.com/oauth2/openid/netbird/.well-known/openid-configuration";
+        settings = {
+          DataStoreEncryptionKey = {
+            _secret = config.age.secrets."passwords/services/netbird/data-store-encryption-key".path;
+          };
+          HttpConfig = {
+            AuthAudience = "netbird";
+          };
+          StoreConfig = { Engine = "sqlite"; };
+          TURNConfig = {
+            Secret._secret = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
+            TimeBasedCredentials = true;
+          };
+        };
+        singleAccountModeDomain = dnsDomain;
+        turnDomain = config.services.coturn.realm;
+        turnPort = config.services.coturn.listening-port;
+      };
+    };
+
+    services.nginx.virtualHosts."netbird.vimium.net" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@ -171,6 +171,10 @@ in {
      };
    } else {});

+    nixpkgs.config.permittedInsecurePackages = [
+      "jitsi-meet-1.0.8043"
+    ];
+
    services.matrix-synapse = {
      enable = true;
      enableRegistrationScript = true;