diff --git a/infrastructure_files/base.setup.env b/infrastructure_files/base.setup.env
index 2d74e3a66..e62b02a08 100644
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -7,14 +7,18 @@ NETBIRD_MGMT_API_PORT=33073
 # Management API endpoint address, used by the Dashboard
 NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
 # Management Certficate file path. These are generated by the Dashboard container
-NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/fullchain.pem"
+NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"
 # Management Certficate key file path.
-NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/privkey.pem"
+NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/privkey.pem"
 # By default Management single account mode is enabled and domain set to $NETBIRD_DOMAIN, you may want to set this to your user's email domain
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
-# Turn credentials
+# Signal
+NETBIRD_SIGNAL_PROTOCOL="http"
+NETBIRD_SIGNAL_PORT=10000
+
+# Turn credentials
 # User
 TURN_USER=self
 # Password. If empty, the configure.sh will generate one with openssl
@@ -61,4 +65,6 @@ export SIGNAL_VOLUMESUFFIX
 export LETSENCRYPT_VOLUMESUFFIX
 export NETBIRD_DISABLE_ANONYMOUS_METRICS
 export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
-export NETBIRD_MGMT_DNS_DOMAIN
\ No newline at end of file
+export NETBIRD_MGMT_DNS_DOMAIN
+export NETBIRD_SIGNAL_PROTOCOL
+export NETBIRD_SIGNAL_PORT
diff --git a/infrastructure_files/configure.sh b/infrastructure_files/configure.sh
index ed6367171..501098a57 100755
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
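Review bot: The new `# Signal` block does not say what the two values are for or that `NETBIRD_SIGNAL_PROTOCOL` is overridden at runtime, which matters because the `"http"` default is the scheme written into management.json's Signal block and therefore what peers use to reach the signal server. I would replace the bare `# Signal` heading with `# Signal: scheme and port written into management.json for peers to reach the signal server.` followed by `# configure.sh switches the scheme to https when NETBIRD_DISABLE_LETSENCRYPT=true; keep "http" only behind a TLS-terminating proxy or on a trusted network.` The two cert-path lines now expand `$NETBIRD_LETSENCRYPT_DOMAIN` at source time, so their correctness depends on when configure.sh exports that variable; that ordering point is raised on the configure.sh hunk.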
@@ -121,6 +121,32 @@ if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
 export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
 fi
+# Check if letsencrypt was disabled
+if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]
+then
+ export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
+ export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
+
+ echo "Letsencrypt was disabled, the Https-endpoints cannot be used anymore"
+ echo " and a reverse-proxy with Https needs to be placed in front of netbird!"
+ echo "The following forwards have to be setup:"
+ echo "- $NETBIRD_DASHBOARD_ENDPOINT -http-> dashboard:80"
+ echo "- $NETBIRD_MGMT_API_ENDPOINT/api -http-> management:$NETBIRD_MGMT_API_PORT"
+ echo "- $NETBIRD_MGMT_API_ENDPOINT/management.ManagementService/ -grpc-> management:$NETBIRD_MGMT_API_PORT"
+ echo "- $NETBIRD_SIGNAL_ENDPOINT/signalexchange.SignalExchange/ -grpc-> signal:80"
+ echo "You most likely also have to change NETBIRD_MGMT_API_ENDPOINT in base.setup.env and port-mappings in docker-compose.yml.tmpl and rerun this script."
+ echo " The target of the forwards depends on your setup. Beware of the gRPC protocol instead of http for management and signal!"
+ echo "You are also free to remove any occurences of the Letsencrypt-volume $LETSENCRYPT_VOLUMENAME"
+ echo ""
+
+ export NETBIRD_SIGNAL_PROTOCOL="https"
+ unset NETBIRD_LETSENCRYPT_DOMAIN
+ unset NETBIRD_MGMT_API_CERT_FILE
+ unset NETBIRD_MGMT_API_CERT_KEY_FILE
+else
+ export NETBIRD_LETSENCRYPT_DOMAIN="$NETBIRD_DOMAIN"
+fi
+
 env | grep NETBIRD
 envsubst < docker-compose.yml.tmpl > docker-compose.yml
diff --git a/infrastructure_files/docker-compose.yml.tmpl b/infrastructure_files/docker-compose.yml.tmpl
index 296201710..c8febdea7 100644
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
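Review bot: `export NETBIRD_LETSENCRYPT_DOMAIN="$NETBIRD_DOMAIN"` in the `else` branch runs at line ~147, but base.setup.env now expands `$NETBIRD_LETSENCRYPT_DOMAIN` inside `NETBIRD_MGMT_API_CERT_FILE` and `NETBIRD_MGMT_API_CERT_KEY_FILE` when it is sourced; if configure.sh sources base.setup.env before this block (the source line is outside the hunk, so I cannot confirm), both paths are rendered as `/etc/letsencrypt/live//fullchain.pem` and `/etc/letsencrypt/live//privkey.pem` in the letsencrypt-enabled case, and management would start without the certificate it is expected to serve. Either export `NETBIRD_LETSENCRYPT_DOMAIN` before base.setup.env is sourced, or re-derive the two paths here after the export, e.g. `export NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"` and the matching `privkey.pem` line. Minor: the surrounding script uses `if ...; then` (visible in the hunk header), while the new block puts `then` on its own line; matching the existing form keeps the file consistent.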
@@ -8,20 +8,25 @@ services: - 80:80 - 443:443 environment: + # Endpoints + - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT + - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT + # OIDC - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY - USE_AUTH0=$NETBIRD_USE_AUTH0 - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES - - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT - - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT - - NGINX_SSL_PORT=443 - - LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN - - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI + # SSL + - NGINX_SSL_PORT=443 + # Letsencrypt + - LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN + - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL volumes: - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/ + # Signal signal: image: netbirdio/signal:latest @@ -32,7 +37,8 @@ services: - 10000:80 # # port and command for Let's Encrypt validation # - 443:443 - # command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"] + # command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"] + # Management management: image: netbirdio/management:latest 
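Review bot: `LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN` is now fed from a variable that configure.sh leaves unset when letsencrypt is disabled, so the dashboard container receives an empty domain while this template still publishes `443:443` and passes `NGINX_SSL_PORT=443`; nothing in the template states how the image behaves with an empty value, and an operator placing a TLS-terminating proxy on the same host will also collide with the published 80/443. I would add, above the `# Letsencrypt` comment, `# empty when NETBIRD_DISABLE_LETSENCRYPT=true; the dashboard then has no certificate and the proxy in front must terminate TLS (adjust the ports: mapping above)`, and hedge that the empty-domain behaviour of the dashboard image should be confirmed.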
@@ -46,8 +52,15 @@ services: ports: - $NETBIRD_MGMT_API_PORT:443 #API port # # command for Let's Encrypt validation without dashboard container - # command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"] - command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS", "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN", "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"] + # command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"] + command: [ + "--port", "443", + "--log-file", "console", + "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS", + "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN", + "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN" + ] + # Coturn coturn: image: coturn/coturn @@ -60,6 +73,7 @@ services: network_mode: host command: - -c /etc/turnserver.conf + volumes: $MGMT_VOLUMENAME: $SIGNAL_VOLUMENAME: diff --git a/infrastructure_files/docker-compose.yml.tmpl.traefik b/infrastructure_files/docker-compose.yml.tmpl.traefik new file mode 100644 index 000000000..9c1e0fd03 --- /dev/null +++ b/infrastructure_files/docker-compose.yml.tmpl.traefik 
@@ -0,0 +1,99 @@ +version: "3" +services: + #UI dashboard + dashboard: + image: wiretrustee/dashboard:latest + restart: unless-stopped + #ports: + # - 80:80 + # - 443:443 + environment: + # Endpoints + - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT + - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT + # OIDC + - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE + - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID + - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY + - USE_AUTH0=$NETBIRD_USE_AUTH0 + - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES + - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI + - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI + # SSL + - NGINX_SSL_PORT=443 + # Letsencrypt + - LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN + - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL + volumes: + - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/ + labels: + - traefik.enable=true + - traefik.http.routers.netbird-dashboard.rule=Host(`$NETBIRD_DOMAIN`) + - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80 + + # Signal + signal: + image: netbirdio/signal:latest + restart: unless-stopped + volumes: + - $SIGNAL_VOLUMENAME:/var/lib/netbird + #ports: + # - 10000:80 + # # port and command for Let's Encrypt validation + # - 443:443 + # command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"] + labels: + - traefik.enable=true + - traefik.http.routers.netbird-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/signalexchange.SignalExchange/`) + - traefik.http.services.netbird-signal.loadbalancer.server.port=80 + - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c + + # Management + management: + image: netbirdio/management:latest + restart: unless-stopped + depends_on: + - dashboard + volumes: + - $MGMT_VOLUMENAME:/var/lib/netbird + - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro + - ./management.json:/etc/netbird/management.json + #ports: + # - $NETBIRD_MGMT_API_PORT:443 #API port + # # command for Let's 
Encrypt validation without dashboard container + # command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"] + command: [ + "--port", "443", + "--log-file", "console", + "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS", + "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN", + "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN" + ] + labels: + - traefik.enable=true + - traefik.http.routers.netbird-api.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/api`) + - traefik.http.routers.netbird-api.service=netbird-api + - traefik.http.services.netbird-api.loadbalancer.server.port=443 + + - traefik.http.routers.netbird-management.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/management.ManagementService/`) + - traefik.http.routers.netbird-management.service=netbird-management + - traefik.http.services.netbird-management.loadbalancer.server.port=443 + - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c + + # Coturn + coturn: + image: coturn/coturn + restart: unless-stopped + domainname: $NETBIRD_DOMAIN + volumes: + - ./turnserver.conf:/etc/turnserver.conf:ro + # - ./privkey.pem:/etc/coturn/private/privkey.pem:ro + # - ./cert.pem:/etc/coturn/certs/cert.pem:ro + network_mode: host + command: + - -c /etc/turnserver.conf + +volumes: + $MGMT_VOLUMENAME: + $SIGNAL_VOLUMENAME: + $LETSENCRYPT_VOLUMENAME: diff --git a/infrastructure_files/management.json.tmpl b/infrastructure_files/management.json.tmpl index f3b08101c..cb02c8f24 100644 --- a/infrastructure_files/management.json.tmpl +++ b/infrastructure_files/management.json.tmpl @@ -21,8 +21,8 @@ "TimeBasedCredentials": false }, "Signal": { - "Proto": "http", - "URI": "$NETBIRD_DOMAIN:10000", + "Proto": "$NETBIRD_SIGNAL_PROTOCOL", + "URI": "$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT", "Username": "", "Password": null }, diff --git a/infrastructure_files/setup.env.example b/infrastructure_files/setup.env.example index 09f407225..9703d3e4c 100644 
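Review bot: The four Traefik routers in the new docker-compose.yml.tmpl.traefik (`netbird-dashboard`, `netbird-signal`, `netbird-api`, `netbird-management`) declare only a `rule`, with no `entrypoints` and no `tls` label, so unless the Traefik instance in front enforces a global HTTP-to-HTTPS redirect and a default TLS configuration, the dashboard, REST API and both gRPC services are matched on every entrypoint and reachable over plaintext HTTP as well. Since this template is meant for the letsencrypt-disabled mode where the containers themselves serve no TLS, the labels should pin each router, e.g. `- traefik.http.routers.netbird-dashboard.entrypoints=<your-https-entrypoint>` and `- traefik.http.routers.netbird-dashboard.tls=true`, repeated for the other three routers. A one-line comment at the top of the file, stating that this template assumes NETBIRD_DISABLE_LETSENCRYPT=true and that Traefik terminates TLS for all four services, would also make the deployment contract explicit.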
--- a/infrastructure_files/setup.env.example +++ b/infrastructure_files/setup.env.example @@ -2,7 +2,11 @@ ## # Dashboard domain. e.g. app.mydomain.com NETBIRD_DOMAIN="" -# OIDC configuration e.g., https://example.eu.auth0.com/.well-known/openid-configuration + +# ------------------------------------------- +# OIDC +# e.g., https://example.eu.auth0.com/.well-known/openid-configuration +# ------------------------------------------- NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="" NETBIRD_AUTH_AUDIENCE="" # e.g. netbird-client @@ -13,13 +17,21 @@ NETBIRD_AUTH_CLIENT_ID="" NETBIRD_USE_AUTH0="false" NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none" NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="" -# e.g. hello@mydomain.com -NETBIRD_LETSENCRYPT_EMAIL="" + # if your IDP provider doesn't support fragmented URIs, configure custom # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain. # NETBIRD_AUTH_REDIRECT_URI="/peers" # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers" +# ------------------------------------------- +# Letsencrypt +# ------------------------------------------- +# Disable letsencrypt +# if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead +NETBIRD_DISABLE_LETSENCRYPT=false +# e.g. hello@mydomain.com +NETBIRD_LETSENCRYPT_EMAIL="" + # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection NETBIRD_DISABLE_ANONYMOUS_METRICS=false # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
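Review bot: `NETBIRD_DISABLE_LETSENCRYPT=false` is compared in configure.sh with `== "true"`, so only that exact lowercase literal disables letsencrypt and values like `True`, `1` or `yes` are silently treated as enabled; the example should state the accepted value. I would extend the comment above it to `# set to "true" to disable letsencrypt; any other value keeps it enabled` and make the consequence concrete: `# when disabled the containers serve plain http/h2c and a reverse proxy in front must terminate TLS for dashboard, API, management and signal`.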