nix-config/modules/nixos/services/netbird.nix

{ config, lib, self, ... }:

let
  cfg = config.modules.services.netbird;
  hostname = config.networking.hostName;
in {
  options.modules.services.netbird = {
    enable = lib.mkEnableOption "netbird";
    coordinatorDomain = lib.mkOption {
      type = lib.types.str;
      default = "netbird.vimium.net";
    };
    meshDomain = lib.mkOption {
      type = lib.types.str;
      default = "mesh.vimium.net";
    };
  };

  config = lib.mkIf cfg.enable {
    age.secrets."passwords/services/netbird/data-store-encryption-key" = {
      file = "${self.inputs.secrets}/passwords/services/netbird/data-store-encryption-key.age";
    };

    services.netbird = {
      enable = true;
    };

    services.netbird.server = {
      domain = cfg.coordinatorDomain;
      enable = true;
      enableNginx = true;
      dashboard.settings = {
        AUTH_AUTHORITY = "https://auth.vimium.com/oauth2/openid/netbird";
      };
      management = rec {
        disableAnonymousMetrics = true;
        dnsDomain = cfg.meshDomain;
        oidcConfigEndpoint = "https://auth.vimium.com/oauth2/openid/netbird/.well-known/openid-configuration";
        settings = {
          DataStoreEncryptionKey = {
            _secret = config.age.secrets."passwords/services/netbird/data-store-encryption-key".path;
          };
          HttpConfig = {
            AuthAudience = "netbird";
          };
          StoreConfig = { Engine = "sqlite"; };
          TURNConfig = {
            Secret._secret = config.age.secrets."passwords/services/coturn/static-auth-secret".path;
            TimeBasedCredentials = true;
          };
          PKCEAuthorizationFlow.ProviderConfig = {
            AuthorizationEndpoint = "https://auth.vimium.com/ui/oauth2";
            TokenEndpoint = "https://auth.vimium.com/oauth2/token";
          };
        };
        singleAccountModeDomain = dnsDomain;
        turnDomain = config.services.coturn.realm;
        turnPort = config.services.coturn.listening-port;
      };
    };

    systemd.services.netbird-signal.serviceConfig.RestartSec = "60";
    systemd.services.netbird-management.serviceConfig.RestartSec = "60";

    services.nginx.virtualHosts."netbird.vimium.net" = {
      enableACME = true;
      forceSSL = true;
    };
  };
}