diff --git a/hosts/AZ-CLD-1/services/containers/litellm.nix b/hosts/AZ-CLD-1/services/containers/litellm.nix
index 2b4d018..9e2e3c9 100644
--- a/hosts/AZ-CLD-1/services/containers/litellm.nix
+++ b/hosts/AZ-CLD-1/services/containers/litellm.nix
@@ -9,7 +9,7 @@ in {
   virtualisation.oci-containers.containers.${serviceName} = {
     #image = "ghcr.io/berriai/litellm:v1.78.5-stable";
-    image = "docker.litellm.ai/berriai/litellm:v1.81.12-stable";
+    image = "docker.litellm.ai/berriai/litellm:v1.81.14-stable.gpt-5.4_patch";
     ports = ["127.0.0.1:${toString servicePort}:4000"];
     environmentFiles = [config.age.secrets.litellm-env.path];
     environment = {
diff --git a/hosts/AZ-CLD-1/services/containers/netbird.nix b/hosts/AZ-CLD-1/services/containers/netbird.nix
index e9127a4..a126735 100644
--- a/hosts/AZ-CLD-1/services/containers/netbird.nix
+++ b/hosts/AZ-CLD-1/services/containers/netbird.nix
@@ -15,12 +15,18 @@
   ipBase = "10.89.0";
   ipOffset = 50;
 
+  # Derived IPs
+  gatewayIp = "${ipBase}.1";
+  dashboardIp = "${ipBase}.${toString ipOffset}";
+  serverIp = "${ipBase}.${toString (ipOffset + 1)}";
+  proxyIp = "${ipBase}.${toString (ipOffset + 2)}";
+
   # Database configuration
   dbName = "netbird";
   dbUser = "netbird";
-  dbHost = "${ipBase}.1";
+  dbHost = gatewayIp;
 
-  # NetBird config als Nix attribute set
+  # NetBird config as Nix attribute set
   netbirdConfig = {
     server = {
       listenAddress = ":80";
@@ -44,7 +50,7 @@
     };
 
     reverseProxy = {
-      trustedHTTPProxies = ["${ipBase}.1/32"];
+      trustedHTTPProxies = ["${gatewayIp}/32"];
     };
 
     # Proxy Feature
@@ -65,11 +71,11 @@
     };
   };
 
-  # YAML generieren
+  # Generate YAML config
   yamlFormat = pkgs.formats.yaml {};
   configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
 
-  # Script das Secrets zur Runtime injiziert
+  # Script to inject secrets at runtime
   configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
     set -euo pipefail
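Review bot: `proxyDomain`, which a later hunk in this file substitutes into `"--domain=${proxyDomain}"`, is not bound by this new derived-values block nor by any other hunk of netbird.nix; unless it already exists in the let block above line 15, outside the diff, evaluation fails with an undefined variable. Binding it next to the derived IPs, e.g. `proxyDomain = "p.az-gruppe.com";` with the value the old cmd line carried, keeps every host-specific value in one place. The enclosing let block starts before this hunk.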
@@ -91,7 +97,7 @@ in {
   age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
   age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
 
-  # Systemd oneshot Service der die Config generiert
+  # Systemd oneshot service to generate config with secrets
   systemd.services."${serviceName}-config" = {
     description = "Generate NetBird config with secrets";
     wantedBy = ["multi-user.target"];
@@ -117,9 +123,10 @@ in {
     "${serviceName}-dashboard" = {
       image = "netbirdio/dashboard:latest";
       autoStart = true;
+      ports = ["127.0.0.1:${toString servicePort}:80"];
       environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
       extraOptions = [
-        "--ip=${ipBase}.${toString ipOffset}"
+        "--ip=${dashboardIp}"
         "--network=web"
       ];
     };
@@ -135,7 +142,7 @@ in {
       ];
       cmd = ["--config" "/etc/netbird/config.yaml"];
       extraOptions = [
-        "--ip=${ipBase}.${toString (ipOffset + 1)}"
+        "--ip=${serverIp}"
         "--network=web"
       ];
     };
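Review bot: The new `ports` line publishes the dashboard on the host loopback at `servicePort`, but nothing in the hunk says why this container now needs a host-published port while the server and proxy containers are still addressed by their bridge IPs; a comment such as `# Published on loopback so Traefik reaches the dashboard via 127.0.0.1:${servicePort}` would explain the asymmetry. `servicePort` is not bound by any hunk in this file — presumably it comes from the new `netbird = 3038` entry in lib/ports.nix, which is worth verifying. The matching Traefik backend in a later hunk dials `http://localhost:…`; since the publish is bound to 127.0.0.1 only, `{url = "http://127.0.0.1:${toString servicePort}/";}` avoids a resolver preferring ::1.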
@@ -149,35 +156,35 @@ in {
       ];
       environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
       cmd = [
-        "--domain=p.az-gruppe.com"
+        "--domain=${proxyDomain}"
         "--mgmt=https://${domain}:443"
         "--addr=:8443"
         "--cert-dir=/certs"
         "--acme-certs"
-        "--trusted-proxies=${ipBase}.1/32"
+        "--trusted-proxies=${gatewayIp}/32"
       ];
       dependsOn = ["${serviceName}-server"];
       extraOptions = [
-        "--ip=${ipBase}.${toString (ipOffset + 2)}"
+        "--ip=${proxyIp}"
         "--network=web"
       ];
     };
   };
 
   services.traefik.dynamicConfigOptions = {
-    # HTTP Services und Routers
+    # HTTP services and routers
     http = {
       services = {
         "${serviceName}-dashboard".loadBalancer.servers = [
-          {url = "http://${ipBase}.${toString ipOffset}:80/";}
+          {url = "http://localhost:${toString servicePort}/";}
         ];
         "${serviceName}-server".loadBalancer.servers = [
-          {url = "http://${ipBase}.${toString (ipOffset + 1)}:80/";}
+          {url = "http://${serverIp}:80/";}
         ];
         "${serviceName}-server-h2c".loadBalancer.servers = [
-          {url = "h2c://${ipBase}.${toString (ipOffset + 1)}:80";}
+          {url = "h2c://${serverIp}:80";}
         ];
       };
@@ -199,7 +206,7 @@ in {
           priority = 100;
         };
 
-        # Dashboard (catch-all, niedrigste Priorität)
+        # Dashboard (catch-all, lowest priority)
         "${serviceName}-dashboard" = {
           rule = "Host(`${domain}`)";
           entrypoints = "websecure";
@@ -210,10 +217,10 @@ in {
       };
     };
 
-    # TCP für Proxy TLS Passthrough
+    # TCP for proxy TLS passthrough
     tcp = {
       services."${serviceName}-proxy-tls".loadBalancer.servers = [
-        {address = "${ipBase}.${toString (ipOffset + 2)}:8443";}
+        {address = "${proxyIp}:8443";}
       ];
 
       routers."${serviceName}-proxy-passthrough" = {
@@ -225,7 +232,7 @@ in {
       };
     };
 
-    # ServersTransport für Proxy Protocol v2 (optional)
+    # ServersTransport for proxy protocol v2 (optional)
     serversTransports."pp-v2" = {
       proxyProtocol.version = 2;
     };
@@ -233,6 +240,6 @@ in {
 
   networking.firewall.allowedUDPPorts = [
     3478 # STUN
-    51820 # WireGuard für Proxy
+    51820 # WireGuard for proxy
   ];
 }
diff --git a/hosts/AZ-PRM-1/services/default.nix b/hosts/AZ-PRM-1/services/default.nix
index e81fa9a..7522076 100644
--- a/hosts/AZ-PRM-1/services/default.nix
+++ b/hosts/AZ-PRM-1/services/default.nix
@@ -3,6 +3,7 @@
     ./containers
     ./n8n.nix
+    ./netbird.nix
     ./pgadmin.nix
     ./postgres.nix
     ./traefik.nix
diff --git a/hosts/AZ-PRM-1/services/netbird.nix b/hosts/AZ-PRM-1/services/netbird.nix
index 10cc079..84ae8ed 100644
--- a/hosts/AZ-PRM-1/services/netbird.nix
+++ b/hosts/AZ-PRM-1/services/netbird.nix
@@ -1,5 +1,8 @@
 {pkgs, ...}: {
-  services.netbird.enable = true;
+  services.netbird = {
+    enable = true;
+    package = pkgs.unstable.netbird;
+  };
 
   systemd.services.netbird = {
     environment = {
diff --git a/lib/ports.nix b/lib/ports.nix
index 3036464..4dd742e 100644
--- a/lib/ports.nix
+++ b/lib/ports.nix
@@ -16,6 +16,7 @@
   ntfy-sh = 3033;
   it-tools = 3035;
   zammad-hr = 3036;
+  netbird = 3038;
   zammad-hr-elasticsearch = 3037;
 
   # Docker services (3100-3199 range)
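Review bot: `package = pkgs.unstable.netbird;` pins the client to an attribute that plain nixpkgs does not provide; `pkgs.unstable` is presumably supplied by an overlay or extra channel wired into this host, and the hunk gives no reason for tracking it, which the next person to bump channels will need. A comment on that line such as `# unstable: client must be >= <REQUIRED_CLIENT_VERSION> to match the management server` with the real version filled in would capture it. The `systemd.services.netbird` block continues past the hunk.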
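Review bot: `netbird = 3038;` is inserted before `zammad-hr-elasticsearch = 3037;`, breaking the ascending port order the surrounding entries follow (3033, 3035, 3036, 3037); moving it after the 3037 line keeps the table scannable when checking for collisions. Whether 3038 is already assigned elsewhere in the file cannot be seen from this hunk.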