netbird
docker-compose.yml:
  2.  
  3. services:
  4. #UI dashboard
  5. dashboard:
  6. image: netbirdio/dashboard:latest
  7. container_name: NetBird-Dashboard
  8. restart: unless-stopped
  9. #ports:
  10. # - 80:80
  11. # - 443:443
  12. environment:
  13. # Endpoints
  14. - NETBIRD_MGMT_API_ENDPOINT=https://netbird.example.com:443
  15. - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://netbird.example.com:443
  16. # OIDC
  17. - AUTH_AUDIENCE=redacted
  18. - AUTH_CLIENT_ID=redacted
  19. - AUTH_CLIENT_SECRET=
  20. - AUTH_AUTHORITY=https://authelia.example.com
  21. - USE_AUTH0=false
  22. - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
  23. - AUTH_REDIRECT_URI=
  24. - AUTH_SILENT_REDIRECT_URI=
  25. - NETBIRD_TOKEN_SOURCE=accessToken
  26. # SSL
  27. - NGINX_SSL_PORT=443
  28. # Letsencrypt
  29. - LETSENCRYPT_DOMAIN=
  30. - LETSENCRYPT_EMAIL=
  31. networks:
  32. - proxynet
  33. logging:
  34. driver: "json-file"
  35. options:
  36. max-size: "500m"
  37. max-file: "2"
  38.  
  39. # Signal
  40. signal:
  41. image: netbirdio/signal:latest
  42. container_name: NetBird-Signal
  43. restart: unless-stopped
  44. volumes:
  45. - /mnt/user/appdata/netbird/signal:/var/lib/netbird
  46. #ports:
  47. # - 443:80
  48. # # port and command for Let's Encrypt validation
  49. # - 443:443
  50. # command: ["--letsencrypt-domain", "", "--log-file", "console"]
  51. networks:
  52. - proxynet
  53. logging:
  54. driver: "json-file"
  55. options:
  56. max-size: "500m"
  57. max-file: "2"
  58.  
  59. # Management
  60. management:
  61. image: netbirdio/management:latest
  62. container_name: NetBird-Management
  63. restart: unless-stopped
  64. depends_on:
  65. - dashboard
  66. volumes:
  67. - /mnt/user/appdata/netbird/mgmt:/var/lib/netbird
  68. - /mnt/user/appdata/netbird/management.json:/etc/netbird/management.json
  69. #ports:
  70. # - 443:443 #API port
  71. # # command for Let's Encrypt validation without dashboard container
  72. # command: ["--letsencrypt-domain", "", "--log-file", "console"]
  73. command: [
  74. "--port", "443",
  75. "--log-file", "console",
  76. "--log-level", "info",
  77. "--disable-anonymous-metrics=false",
  78. "--single-account-mode-domain=netbird.example.com",
  79. "--dns-domain=netbird.selfhosted"
  80. ]
  81. networks:
  82. - proxynet
  83. logging:
  84. driver: "json-file"
  85. options:
  86. max-size: "500m"
  87. max-file: "2"
  88.  
  89. # Coturn
  90. coturn:
  91. image: coturn/coturn:latest
  92. container_name: NetBird-Coturn
  93. restart: unless-stopped
  94. domainname: netbird.example.com
  95. volumes:
  96. - /mnt/user/appdata/netbird/turnserver.conf:/etc/turnserver.conf:ro
  97. # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
  98. # - ./cert.pem:/etc/coturn/certs/cert.pem:ro
  99. network_mode: host
  100. command:
  101. - -c /etc/turnserver.conf
  102. logging:
  103. driver: "json-file"
  104. options:
  105. max-size: "500m"
  106. max-file: "2"
  107.  
  108. networks:
  109. proxynet:
  110. external: true
  111.  
  112.  
configuration.yml (Authelia)
  114.  
  115. ##
  116. ## Identity Providers
  117. ##
  118. identity_providers:
  119.  
  120. ##
  121. ## OpenID Connect (Identity Provider)
  122. ##
  123. ## It's recommended you read the documentation before configuration of this section:
  124. ## https://www.authelia.com/c/oidc
  125. oidc:
  126. ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
  127. ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
  128. hmac_secret: 'redacted'
  129.  
  130. ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
  131. ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
  132. jwks:
  133. ## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
  134. ## This value is automatically generated if not provided. It's recommended to not configure this.
  135. - key_id: 'authelia-key'
  136.  
  137. ## The key algorithm used with this key.
  138. algorithm: 'RS256'
  139.  
  140. ## The key use expected with this key. Currently only 'sig' is supported.
  141. use: 'sig'
  142.  
  143. ## Required Private Key in PEM DER form.
  144. key: |
  145. -----BEGIN RSA PRIVATE KEY-----
  146. redacted
  147. -----END RSA PRIVATE KEY-----
  148.  
  149. ## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
  150. ## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
  151. # certificate_chain: |
  152. # -----BEGIN CERTIFICATE-----
  153. # ...
  154. # -----END CERTIFICATE-----
  155. # -----BEGIN CERTIFICATE-----
  156. # ...
  157. # -----END CERTIFICATE-----
  158.  
  159. ## Enables additional debug messages.
  160. enable_client_debug_messages: false
  161.  
  162. ## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged.
  163. minimum_parameter_entropy: 8
  164.  
  165. ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
  166. ## for security reasons.
  167. enforce_pkce: 'public_clients_only'
  168.  
  169. ## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully
  170. ## understanding it before enabling this option.
  171. enable_jwt_access_token_stateless_introspection: false
  172.  
  173. ## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching
  174. ## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost.
  175. discovery_signed_response_alg: 'none'
  176.  
  177. ## The signing key id used for signing the discovery and metadata responses. An issuer JWK with a matching key id
  178. ## must be available when configured. Most clients completely ignore this and it has a performance cost.
  179. discovery_signed_response_key_id: ''
  180.  
  181. ## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick
  182. ## which is utilized as the value for the 'authorization_policy' on the client.
  183. authorization_policies:
  184. policy_name:
  185. default_policy: 'two_factor'
  186. rules:
  187. - policy: 'one_factor'
  188. subject: 'group:services'
  189.  
  190. ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
  191. ## syntax the lifespans can be customized per-client.
  192. lifespans:
  193. ## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all
  194. ## grant types but you can override this behaviour using the custom lifespans.
  195. access_token: '1 hour'
  196. authorize_code: '1 minute'
  197. id_token: '1 hour'
  198. refresh_token: '90 minutes'
  199.  
  200. ## Cross-Origin Resource Sharing (CORS) settings.
  201. cors:
  202. ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
  203. endpoints:
  204. - 'authorization'
  205. - 'pushed-authorization-request'
  206. - 'token'
  207. - 'revocation'
  208. - 'introspection'
  209. - 'userinfo'
  210.  
  211. ## List of allowed origins.
  212. ## Any origin with https is permitted unless this option is configured or the
  213. ## allowed_origins_from_client_redirect_uris option is enabled.
  214. allowed_origins:
  215. - 'https://photos.example.com'
  216. - 'https://netbird.example.com'
  217.  
  218. ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
  219. ## provided they have the scheme http or https and do not have the hostname of localhost.
  220. allowed_origins_from_client_redirect_uris: true
  221.  
  222. ## Clients is a list of known clients and their configuration.
  223. clients:
  224. ## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
  225. ## configuration.
  226. ## Immich Client
  227. - client_id: 'redacted'
  228.  
  229. ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
  230. client_name: 'immich'
  231.  
  232. ## The client secret is a shared secret between Authelia and the consumer of this client.
  233. # yamllint disable-line rule:line-length
  234. client_secret: 'redacted' # The digest of 'insecure_secret'.
  235.  
  236. ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
  237. ## necessary. It is critical to read the documentation for more information.
  238. # sector_identifier_uri: 'https://example.com/sector.json'
  239.  
  240. ## Sets the client to public. This should typically not be set, please see the documentation for usage.
  241. public: false
  242.  
  243. ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
  244. redirect_uris:
  245. - 'https://photos.example.com/auth/login'
  246. - 'https://photos.example.com/user-settings'
  247. - 'app.immich:/'
  248.  
  249. ## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
  250. ## URIs to fetch Request Objects.
  251. # request_uris:
  252. # - 'https://oidc.example.com:8080/oidc/request-object.jwk'
  253.  
  254. ## Audience this client is allowed to request.
  255. # audience: []
  256.  
  257. ## Scopes this client is allowed to request.
  258. scopes:
  259. - 'openid'
  260. # - 'groups'
  261. - 'email'
  262. - 'profile'
  263. - 'offline_access'
  264.  
  265. ## Grant Types configures which grants this client can obtain.
  266. ## It's not recommended to define this unless you know what you're doing.
  267. grant_types:
  268. - 'refresh_token'
  269. - 'authorization_code'
  270.  
  271. ## Response Types configures which responses this client can be sent.
  272. ## It's not recommended to define this unless you know what you're doing.
  273. response_types:
  274. - 'code'
  275.  
  276. ## Response Modes configures which response modes this client supports.
  277. response_modes:
  278. - 'form_post'
  279. - 'query'
  280. - 'fragment'
  281.  
  282. ## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
  283. ## authorization policies section.
  284. authorization_policy: 'two_factor'
  285.  
  286. ## The custom lifespan name to use for this client. This must be configured independent of the client before
  287. ## utilization. Custom lifespans are reusable similar to authorization policies.
  288. # lifespan: ''
  289.  
  290. ## The consent mode controls how consent is obtained.
  291. # consent_mode: 'auto'
  292.  
  293. ## This value controls the duration a consent on this client remains remembered when the consent mode is
  294. ## configured as 'auto' or 'pre-configured' in the duration common syntax.
  295. # pre_configured_consent_duration: '1 week'
  296.  
  297. ## Requires the use of Pushed Authorization Requests for this client when set to true.
  298. require_pushed_authorization_requests: false
  299.  
  300. ## Enforces the use of PKCE for this client when set to true.
  301. # require_pkce: false
  302.  
  303. ## Enforces the use of PKCE for this client when configured, and enforces the specified challenge method.
  304. ## Options are 'plain' and 'S256'.
  305. # pkce_challenge_method: 'S256'
  306.  
  307. ## The permitted client authentication method for the Token Endpoint for this client.
  308. ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
  309. ## defaults to 'none' per the specifications.
  310. # token_endpoint_auth_method: 'client_secret_basic'
  311.  
  312. ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
  313. ## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
  314. # token_endpoint_auth_signing_alg: 'RS256'
  315.  
  316. ## The signing algorithm which must be used for request objects. A client JWK with a matching algorithm must be
  317. ## available if configured.
  318. # request_object_signing_alg: 'RS256'
  319.  
  320. ## The signing algorithm used for signing the authorization response. An issuer JWK with a matching algorithm
  321. ## must be available when configured. Configuring this value enables the JWT Secured Authorization Response
  322. ## Mode (JARM) for this client. JARM is not understood by a majority of clients so you should only configure
  323. ## this when you know it's supported.
  324. ## Has no effect if authorization_signed_response_key_id is configured.
  325. # authorization_signed_response_alg: 'none'
  326.  
  327. ## The signing key id used for signing the authorization response. An issuer JWK with a matching key id must be
  328. ## available when configured. Configuring this value enables the JWT Secured Authorization Response Mode (JARM)
  329. ## for this client. JARM is not understood by a majority of clients so you should only configure this when you
  330. ## know it's supported.
  331. # authorization_signed_response_key_id: ''
  332.  
  333. ## The signing algorithm used for ID Tokens. An issuer JWK with a matching algorithm must be available when
  334. ## configured. Has no effect if id_token_signed_response_key_id is configured.
  335. # id_token_signed_response_alg: 'RS256'
  336.  
  337. ## The signing key id used for ID Tokens. An issuer JWK with a matching key id must be available when
  338. ## configured.
  339. # id_token_signed_response_key_id: ''
  340.  
  341. ## The signing algorithm used for Access Tokens. An issuer JWK with a matching algorithm must be available.
  342. ## Has no effect if access_token_signed_response_key_id is configured. Values other than 'none' enable RFC9068
  343. ## for this client.
  344. # access_token_signed_response_alg: 'none'
  345.  
  346. ## The signing key id used for Access Tokens. An issuer JWK with a matching key id must be available when
  347. ## configured. Values other than a blank value enable RFC9068 for this client.
  348. # access_token_signed_response_key_id: ''
  349.  
  350. ## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
  351. ## available. Has no effect if userinfo_signing_key_id is configured.
  352. userinfo_signed_response_alg: 'none'
  353.  
  354. ## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
  355. ## configured.
  356. # userinfo_signed_response_key_id: ''
  357.  
  358. ## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be
  359. ## available when configured. Has no effect if introspection_signed_response_key_id is configured.
  360. # introspection_signed_response_alg: 'none'
  361.  
  362. ## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available
  363. ## when configured.
  364. # introspection_signed_response_key_id: ''
  365.  
  366. ## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
  367. ## URL of the HTTPS endpoint which serves the keys. Please note the 'jwks_uri' and the 'jwks' option below
  368. ## are mutually exclusive.
  369. # jwks_uri: 'https://app.example.com/jwks.json'
  370.  
  371. ## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
  372. ## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if
  373. ## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive.
  374. # jwks:
  375. # -
  376. ## Key ID used to match the JWT's to an individual identifier. This option is required if configured.
  377. # key_id: 'example'
  378.  
  379. ## The key algorithm expected with this key.
  380. # algorithm: 'RS256'
  381.  
  382. ## The key use expected with this key. Currently only 'sig' is supported.
  383. # use: 'sig'
  384.  
  385. ## Required Public Key in PEM DER form.
  386. # key: |
  387. # -----BEGIN RSA PUBLIC KEY-----
  388. # ...
  389. # -----END RSA PUBLIC KEY-----
  390.  
  391. ## The matching certificate chain in PEM DER form that matches the key if available.
  392. # certificate_chain: |
  393. # -----BEGIN CERTIFICATE-----
  394. # ...
  395. # -----END CERTIFICATE-----
  396. # -----BEGIN CERTIFICATE-----
  397. # ...
  398. # -----END CERTIFICATE-----
  399.  
  400. ## Netbird Client
  401. - client_id: 'redacted'
  402. client_name: 'Netbird'
  403. client_secret:
  404. public: true
  405. redirect_uris:
  406. - 'https://netbird.example.com'
  407. - 'https://netbird.example.com/auth/callback'
  408. - 'https://netbird.example.com/a/oauth_response'
  409. - 'http://localhost:53000/auth/callback'
  410. - 'https://netbird.example.com/callback'
  411. - 'https://authelia.example.com/*'
  412. - 'https://authelia.example.com/oauth2/callback'
  413. - 'https://netbird.example.com/oauth2/callback'
  414. scopes:
  415. - 'openid'
  416. - 'email'
  417. - 'profile'
  418. - 'offline_access'
  419. - 'api'
  420.  
  421. ## Grant Types configures which grants this client can obtain.
  422. ## It's not recommended to define this unless you know what you're doing.
  423. grant_types:
  424. - 'authorization_code'
  425. - 'refresh_token'
  426.  
  427. ## Response Types configures which responses this client can be sent.
  428. ## It's not recommended to define this unless you know what you're doing.
  429. response_types:
  430. - 'code'
  431.  
  432. ## Response Modes configures which response modes this client supports.
  433. response_modes:
  434. - 'form_post'
  435. - 'query'
  436. - 'fragment'
  437.  
  438. ## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
  439. ## authorization policies section.
  440. authorization_policy: 'two_factor' # Adjust based on your security requirements
  441.  
  442.  
  443. ...
  444.  
  445.  
netbird.subdomain.conf (SWAG)
  447.  
# SWAG site definition for NetBird. TLS terminates here (ssl.conf); the
# upstreams are plain http / gRPC containers on the shared docker network,
# addressed by container name through SWAG's resolver.conf.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name netbird.example.com;

    # NOTE(review): the two gRPC locations below require HTTP/2 on this
    # listener; presumably the included ssl.conf enables it — confirm.
    include /config/nginx/ssl.conf;

    client_max_body_size 128M;
    # NOTE(review): day-long timeouts keep the long-lived gRPC streams open,
    # but client_header_timeout also lets any client hold a connection for a
    # day before sending a complete request header — consider a short header
    # timeout and keeping only the body/gRPC timeouts long.
    client_header_timeout 1d;
    client_body_timeout 1d;

    # Dashboard UI; the container serves plain HTTP on 80 behind the proxy.
    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app NetBird-Dashboard;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # Management REST API. The management container is started with
    # "--port 443" and no TLS, hence plain http on 443.
    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app NetBird-Management;
        set $upstream_port 443;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # Signal gRPC service (bidirectional streams, hence the long timeouts
    # and keepalive).
    location /signalexchange.SignalExchange/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;

        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;

        set $upstream_app NetBird-Signal;
        set $upstream_port 80;
        set $upstream_proto grpc;
        grpc_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # Management gRPC service — same upstream as /api, but via grpc_pass.
    location /management.ManagementService/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;

        grpc_read_timeout 1d;
        grpc_send_timeout 1d;
        grpc_socket_keepalive on;

        set $upstream_app NetBird-Management;
        set $upstream_port 443;
        set $upstream_proto grpc;
        grpc_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
  506.  
  507.  