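# NetBird coordination plane (management + signal + dashboard) for this host.
#
# Secret material stays out of the world-readable /nix/store: every secret is
# passed as a `_secret` file path (agenix-decrypted at activation) and the
# NixOS netbird server module substitutes the contents into the generated
# management config at service start.
{ config, lib, self, ... }:

let
  cfg = config.modules.services.netbird;

  # agenix secret name for the key that encrypts the management data store.
  dataStoreKeySecret = "passwords/services/netbird/data-store-encryption-key";
in
{
  options.modules.services.netbird = {
    enable = lib.mkEnableOption "netbird";

    coordinatorDomain = lib.mkOption {
      type = lib.types.str;
      default = "netbird.vimium.net";
      description = "Public hostname of the management/signal API and dashboard; also the ACME certificate name.";
    };

    meshDomain = lib.mkOption {
      type = lib.types.str;
      default = "mesh.vimium.net";
      description = "DNS zone handed to peers for the overlay network; also used as the single-account-mode domain.";
    };
  };

  config = lib.mkIf cfg.enable {
    # TURNConfig below reads coturn's realm, listening port and shared secret
    # from *this* host's configuration, so the relay settings are only
    # meaningful when coturn is enabled here. Fail at eval time instead of
    # shipping a management.json that points peers at a non-existent relay.
    assertions = [
      {
        assertion = config.services.coturn.enable;
        message = "modules.services.netbird: services.coturn must be enabled on this host; TURNConfig reads its realm, listening-port and static-auth-secret.";
      }
    ];

    age.secrets.${dataStoreKeySecret}.file =
      "${self.inputs.secrets}/${dataStoreKeySecret}.age";

    # Run the NetBird client on the coordinator host as well.
    services.netbird.enable = true;

    services.netbird.server = {
      enable = true;
      domain = cfg.coordinatorDomain;
      enableNginx = true;

      dashboard.settings = {
        AUTH_AUTHORITY = "https://auth.vimium.com/oauth2/openid/netbird";
      };

      management = {
        disableAnonymousMetrics = true;
        dnsDomain = cfg.meshDomain;
        singleAccountModeDomain = cfg.meshDomain;
        oidcConfigEndpoint = "https://auth.vimium.com/oauth2/openid/netbird/.well-known/openid-configuration";

        # Relay is the coturn instance configured elsewhere on this host.
        turnDomain = config.services.coturn.realm;
        turnPort = config.services.coturn.listening-port;

        settings = {
          # At-rest encryption key for the store; a file path, never the key.
          DataStoreEncryptionKey._secret = config.age.secrets.${dataStoreKeySecret}.path;

          # Bearer tokens presented to the management API must carry this
          # `aud` claim; the IdP client for netbird has to be set up to issue it.
          HttpConfig.AuthAudience = "netbird";

          StoreConfig.Engine = "sqlite";

          TURNConfig = {
            # NOTE(review): this secret is declared by the coturn module, not
            # here — confirm it stays in lockstep with that module.
            Secret._secret = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
            # Hand peers short-lived HMAC credentials derived from the static
            # secret rather than distributing the long-lived secret itself.
            TimeBasedCredentials = true;
          };

          PKCEAuthorizationFlow.ProviderConfig = {
            AuthorizationEndpoint = "https://auth.vimium.com/ui/oauth2";
            TokenEndpoint = "https://auth.vimium.com/oauth2/token";
          };
        };
      };
    };

    # Slow the restart cadence so a failing dependency (IdP, coturn, nginx)
    # does not make the coordination services spin.
    systemd.services.netbird-signal.serviceConfig.RestartSec = "60";
    systemd.services.netbird-management.serviceConfig.RestartSec = "60";

    # Keyed on the configured domain rather than the literal default so
    # ACME/TLS still apply when coordinatorDomain is overridden; previously a
    # non-default domain would have served the API over plain HTTP.
    services.nginx.virtualHosts.${cfg.coordinatorDomain} = {
      enableACME = true;
      forceSSL = true;
    };
  };
}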