mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-18 20:49:56 +00:00
119 lines
4.8 KiB
Plaintext
119 lines
4.8 KiB
Plaintext
# NetBird deployment configuration - example file
|
|
#
|
|
# Copy to setup.env, fill in the values, and render the deployment with:
|
|
# ./getting-started.sh --non-interactive
|
|
#
|
|
# Running ./getting-started.sh without flags starts an interactive wizard that
|
|
# writes this file for you. Re-rendering from the same file is idempotent, so
|
|
# it is safe to keep setup.env under configuration management (IaC).
|
|
#
|
|
# NOTE: the legacy configure.sh variable set (NETBIRD_TURN_DOMAIN, coturn,
|
|
# per-service ports, NETBIRD_DISABLE_LETSENCRYPT, ...) is deprecated together
|
|
# with configure.sh. See https://docs.netbird.io/selfhosted/selfhosted-guide
|
|
|
|
# Your NetBird domain, e.g. netbird.mydomain.com (required)
|
|
NETBIRD_DOMAIN=""
|
|
|
|
# Deployment architecture:
|
|
# combined - single netbird-server container (management + signal + relay + STUN)
|
|
# split - separate management, signal and relay containers (for scale-out,
|
|
# required when using your own OIDC provider)
|
|
NETBIRD_ARCHITECTURE="combined"
|
|
|
|
# Identity provider:
|
|
# embedded - built-in IdP with local users (simplest)
|
|
# external - your own OIDC provider (requires NETBIRD_ARCHITECTURE=split)
|
|
NETBIRD_IDP_MODE="embedded"
|
|
|
|
# -------------------------------------------
|
|
# External OIDC provider (NETBIRD_IDP_MODE=external)
|
|
# See https://docs.netbird.io/selfhosted/identity-providers
|
|
# -------------------------------------------
|
|
# e.g. https://keycloak.example.com/realms/netbird/.well-known/openid-configuration
|
|
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
|
|
# OAuth client ID registered for NetBird, e.g. netbird
|
|
NETBIRD_AUTH_CLIENT_ID=""
|
|
# Client secret, only if your IdP requires one (e.g. Google Workspace)
|
|
NETBIRD_AUTH_CLIENT_SECRET=""
|
|
# JWT audience; defaults to the client ID when empty
|
|
NETBIRD_AUTH_AUDIENCE=""
|
|
# Scopes requested from the IdP
|
|
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email"
|
|
# Set to true only for Auth0
|
|
NETBIRD_USE_AUTH0="false"
|
|
# Token the dashboard sends to the management API: accessToken or idToken
|
|
# (Okta and GitLab benefit from idToken)
|
|
NETBIRD_TOKEN_SOURCE="accessToken"
|
|
|
|
# Device authorization flow for headless clients (optional)
|
|
#NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
|
|
|
|
# IdP management API for user/group sync (optional)
|
|
# eg. zitadel, auth0, azure, keycloak
|
|
#NETBIRD_MGMT_IDP=""
|
|
# Enable IdP signing-key refresh when required by your provider (e.g. Zitadel)
|
|
#NETBIRD_MGMT_IDP_SIGNKEY_REFRESH="false"
|
|
#NETBIRD_IDP_MGMT_CLIENT_ID=""
|
|
#NETBIRD_IDP_MGMT_CLIENT_SECRET=""
|
|
# Provider-specific IdP-manager settings (converted to ExtraConfig CamelCase keys)
|
|
# e.g. Keycloak AdminEndpoint, Zitadel ManagementEndpoint, PocketID ApiToken
|
|
#NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=""
|
|
#NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT=""
|
|
#NETBIRD_IDP_MGMT_EXTRA_API_TOKEN=""
|
|
|
|
# -------------------------------------------
|
|
# Reverse proxy
|
|
# -------------------------------------------
|
|
# 0 = built-in Traefik (automatic TLS via Let's Encrypt)
|
|
# 1 = existing Traefik instance (labels)
|
|
# 2 = Nginx (config template is generated)
|
|
# 3 = Nginx Proxy Manager (advanced config is generated)
|
|
# 4 = external Caddy (Caddyfile snippet is generated)
|
|
# 5 = other/manual
|
|
NETBIRD_REVERSE_PROXY_TYPE="0"
|
|
# Let's Encrypt notification email (required for type 0)
|
|
NETBIRD_TRAEFIK_ACME_EMAIL=""
|
|
# Settings for an existing Traefik instance (type 1)
|
|
NETBIRD_TRAEFIK_EXTERNAL_NETWORK=""
|
|
NETBIRD_TRAEFIK_ENTRYPOINT="websecure"
|
|
NETBIRD_TRAEFIK_CERTRESOLVER=""
|
|
# Bind container ports to 127.0.0.1 only (types 2-5)
|
|
NETBIRD_BIND_LOCALHOST_ONLY="true"
|
|
# Docker network of your reverse proxy, if it runs in Docker (types 2-4)
|
|
NETBIRD_EXTERNAL_PROXY_NETWORK=""
|
|
|
|
# -------------------------------------------
|
|
# NetBird Proxy and CrowdSec
|
|
# (combined architecture with built-in Traefik only)
|
|
# -------------------------------------------
|
|
NETBIRD_ENABLE_PROXY="false"
|
|
NETBIRD_ENABLE_CROWDSEC="false"
|
|
|
|
# -------------------------------------------
|
|
# Datastore
|
|
# -------------------------------------------
|
|
# sqlite or postgres. With postgres and an empty DSN a PostgreSQL container is
|
|
# added to the deployment (split architecture only).
|
|
NETBIRD_STORE_CONFIG_ENGINE="sqlite"
|
|
NETBIRD_STORE_ENGINE_POSTGRES_DSN=""
|
|
NETBIRD_POSTGRES_PASSWORD=""
|
|
|
|
# -------------------------------------------
|
|
# Secrets
|
|
# Generated automatically on first run and appended to setup.env.
|
|
# Keep them stable across re-renders or peers will lose connectivity.
|
|
# -------------------------------------------
|
|
NETBIRD_RELAY_AUTH_SECRET=""
|
|
NETBIRD_DATASTORE_ENC_KEY=""
|
|
|
|
# -------------------------------------------
|
|
# Docker image overrides (optional)
|
|
# -------------------------------------------
|
|
#DASHBOARD_IMAGE="netbirdio/dashboard:latest"
|
|
#NETBIRD_SERVER_IMAGE="netbirdio/netbird-server:latest"
|
|
#MANAGEMENT_IMAGE="netbirdio/management:latest"
|
|
#SIGNAL_IMAGE="netbirdio/signal:latest"
|
|
#RELAY_IMAGE="netbirdio/relay:latest"
|
|
#POSTGRES_IMAGE="postgres:16-alpine"
|
|
#TRAEFIK_IMAGE="traefik:v3.6"
|