chore: netbird module optimized
@@ -15,12 +15,18 @@
|
||||
ipBase = "10.89.0";
|
||||
ipOffset = 50;
|
||||
|
||||
# Derived IPs
|
||||
gatewayIp = "${ipBase}.1";
|
||||
dashboardIp = "${ipBase}.${toString ipOffset}";
|
||||
serverIp = "${ipBase}.${toString (ipOffset + 1)}";
|
||||
proxyIp = "${ipBase}.${toString (ipOffset + 2)}";
|
||||
|
||||
# Database configuration
|
||||
dbName = "netbird";
|
||||
dbUser = "netbird";
|
||||
dbHost = "${ipBase}.1";
|
||||
dbHost = gatewayIp;
|
||||
|
||||
# NetBird config als Nix attribute set
|
||||
# NetBird config as Nix attribute set
|
||||
netbirdConfig = {
|
||||
server = {
|
||||
listenAddress = ":80";
|
||||
@@ -44,7 +50,7 @@
|
||||
};
|
||||
|
||||
reverseProxy = {
|
||||
trustedHTTPProxies = ["${ipBase}.1/32"];
|
||||
trustedHTTPProxies = ["${gatewayIp}/32"];
|
||||
};
|
||||
|
||||
# Proxy Feature
|
||||
@@ -65,11 +71,11 @@
|
||||
};
|
||||
};
|
||||
|
||||
# YAML generieren
|
||||
# Generate YAML config
|
||||
yamlFormat = pkgs.formats.yaml {};
|
||||
configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
|
||||
|
||||
# Script das Secrets zur Runtime injiziert
|
||||
# Script to inject secrets at runtime
|
||||
configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
|
||||
set -euo pipefail
|
||||
|
||||
@@ -91,7 +97,7 @@ in {
|
||||
age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
|
||||
age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
|
||||
|
||||
# Systemd oneshot Service der die Config generiert
|
||||
# Systemd oneshot service to generate config with secrets
|
||||
systemd.services."${serviceName}-config" = {
|
||||
description = "Generate NetBird config with secrets";
|
||||
wantedBy = ["multi-user.target"];
|
||||
@@ -117,9 +123,10 @@ in {
|
||||
"${serviceName}-dashboard" = {
|
||||
image = "netbirdio/dashboard:latest";
|
||||
autoStart = true;
|
||||
ports = ["127.0.0.1:${toString servicePort}:80"];
|
||||
environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
|
||||
extraOptions = [
|
||||
"--ip=${ipBase}.${toString ipOffset}"
|
||||
"--ip=${dashboardIp}"
|
||||
"--network=web"
|
||||
];
|
||||
};
|
||||
@@ -135,7 +142,7 @@ in {
|
||||
];
|
||||
cmd = ["--config" "/etc/netbird/config.yaml"];
|
||||
extraOptions = [
|
||||
"--ip=${ipBase}.${toString (ipOffset + 1)}"
|
||||
"--ip=${serverIp}"
|
||||
"--network=web"
|
||||
];
|
||||
};
|
||||
@@ -149,35 +156,35 @@ in {
|
||||
];
|
||||
environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
|
||||
cmd = [
|
||||
"--domain=p.az-gruppe.com"
|
||||
"--domain=${proxyDomain}"
|
||||
"--mgmt=https://${domain}:443"
|
||||
"--addr=:8443"
|
||||
"--cert-dir=/certs"
|
||||
"--acme-certs"
|
||||
"--trusted-proxies=${ipBase}.1/32"
|
||||
"--trusted-proxies=${gatewayIp}/32"
|
||||
];
|
||||
dependsOn = ["${serviceName}-server"];
|
||||
extraOptions = [
|
||||
"--ip=${ipBase}.${toString (ipOffset + 2)}"
|
||||
"--ip=${proxyIp}"
|
||||
"--network=web"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.traefik.dynamicConfigOptions = {
|
||||
# HTTP Services und Routers
|
||||
# HTTP services and routers
|
||||
http = {
|
||||
services = {
|
||||
"${serviceName}-dashboard".loadBalancer.servers = [
|
||||
{url = "http://${ipBase}.${toString ipOffset}:80/";}
|
||||
{url = "http://localhost:${toString servicePort}/";}
|
||||
];
|
||||
|
||||
"${serviceName}-server".loadBalancer.servers = [
|
||||
{url = "http://${ipBase}.${toString (ipOffset + 1)}:80/";}
|
||||
{url = "http://${serverIp}:80/";}
|
||||
];
|
||||
|
||||
"${serviceName}-server-h2c".loadBalancer.servers = [
|
||||
{url = "h2c://${ipBase}.${toString (ipOffset + 1)}:80";}
|
||||
{url = "h2c://${serverIp}:80";}
|
||||
];
|
||||
};
|
||||
|
||||
@@ -199,7 +206,7 @@ in {
|
||||
priority = 100;
|
||||
};
|
||||
|
||||
# Dashboard (catch-all, niedrigste Priorität)
|
||||
# Dashboard (catch-all, lowest priority)
|
||||
"${serviceName}-dashboard" = {
|
||||
rule = "Host(`${domain}`)";
|
||||
entrypoints = "websecure";
|
||||
@@ -210,10 +217,10 @@ in {
|
||||
};
|
||||
};
|
||||
|
||||
# TCP für Proxy TLS Passthrough
|
||||
# TCP for proxy TLS passthrough
|
||||
tcp = {
|
||||
services."${serviceName}-proxy-tls".loadBalancer.servers = [
|
||||
{address = "${ipBase}.${toString (ipOffset + 2)}:8443";}
|
||||
{address = "${proxyIp}:8443";}
|
||||
];
|
||||
|
||||
routers."${serviceName}-proxy-passthrough" = {
|
||||
@@ -225,7 +232,7 @@ in {
|
||||
};
|
||||
};
|
||||
|
||||
# ServersTransport für Proxy Protocol v2 (optional)
|
||||
# ServersTransport for proxy protocol v2 (optional)
|
||||
serversTransports."pp-v2" = {
|
||||
proxyProtocol.version = 2;
|
||||
};
|
||||
@@ -233,6 +240,6 @@ in {
|
||||
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
3478 # STUN
|
||||
51820 # WireGuard für Proxy
|
||||
51820 # WireGuard for proxy
|
||||
];
|
||||
}
|
||||
|
||||
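Review bot: The Traefik dashboard backend `{url = "http://localhost:${toString servicePort}/";}` in the @@ -149 hunk is addressed differently from the server and h2c entries next to it and may not match the bind it depends on: the @@ -117 hunk publishes the dashboard as `"127.0.0.1:${toString servicePort}:80"`, while `localhost` can resolve to `::1` first on a dual-stack host, so Traefik may try IPv6 before falling back. Either use the literal address, `{url = "http://127.0.0.1:${toString servicePort}/";}`, or reach the container directly like the other two services, `{url = "http://${dashboardIp}:80/";}`, in which case the `ports` entry appears to be unnecessary since `--ip=${dashboardIp}` is still assigned. If the host port must stay, a comment above `ports = [...]` along the lines of `# published on loopback only; Traefik reaches the dashboard via this host port rather than ${dashboardIp}` would explain why the dashboard alone bypasses the container network. Separately, the context line `image = "netbirdio/dashboard:latest"` is a mutable tag; pinning a version or digest would make the deployed dashboard reproducible. The enclosing module continues outside these hunks.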