Files
netbird/infrastructure_files/setup.env.example

119 lines
4.8 KiB
Plaintext

# NetBird deployment configuration - example file
#
# Copy to setup.env, fill in the values, and render the deployment with:
# ./getting-started.sh --non-interactive
#
# Running ./getting-started.sh without flags starts an interactive wizard that
# writes this file for you. Re-rendering from the same file is idempotent, so
# it is safe to keep setup.env under configuration management (IaC).
#
# NOTE: the legacy configure.sh variable set (NETBIRD_TURN_DOMAIN, coturn,
# per-service ports, NETBIRD_DISABLE_LETSENCRYPT, ...) is deprecated together
# with configure.sh. See https://docs.netbird.io/selfhosted/selfhosted-guide
# Your NetBird domain, e.g. netbird.mydomain.com (required)
NETBIRD_DOMAIN=""
# Deployment architecture:
# combined - single netbird-server container (management + signal + relay + STUN)
# split - separate management, signal and relay containers (for scale-out,
# required when using your own OIDC provider)
NETBIRD_ARCHITECTURE="combined"
# Identity provider:
# embedded - built-in IdP with local users (simplest)
# external - your own OIDC provider (requires NETBIRD_ARCHITECTURE=split)
NETBIRD_IDP_MODE="embedded"
# -------------------------------------------
# External OIDC provider (NETBIRD_IDP_MODE=external)
# See https://docs.netbird.io/selfhosted/identity-providers
# -------------------------------------------
# e.g. https://keycloak.example.com/realms/netbird/.well-known/openid-configuration
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
# OAuth client ID registered for NetBird, e.g. netbird
NETBIRD_AUTH_CLIENT_ID=""
# Client secret, only if your IdP requires one (e.g. Google Workspace)
NETBIRD_AUTH_CLIENT_SECRET=""
# JWT audience; defaults to the client ID when empty
NETBIRD_AUTH_AUDIENCE=""
# Scopes requested from the IdP
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email"
# Set to true only for Auth0
NETBIRD_USE_AUTH0="false"
# Token the dashboard sends to the management API: accessToken or idToken
# (Okta and GitLab benefit from idToken)
NETBIRD_TOKEN_SOURCE="accessToken"
# Device authorization flow for headless clients (optional)
#NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
# IdP management API for user/group sync (optional)
# eg. zitadel, auth0, azure, keycloak
#NETBIRD_MGMT_IDP=""
# Enable IdP signing-key refresh when required by your provider (e.g. Zitadel)
#NETBIRD_MGMT_IDP_SIGNKEY_REFRESH="false"
#NETBIRD_IDP_MGMT_CLIENT_ID=""
#NETBIRD_IDP_MGMT_CLIENT_SECRET=""
# Provider-specific IdP-manager settings (converted to ExtraConfig CamelCase keys)
# e.g. Keycloak AdminEndpoint, Zitadel ManagementEndpoint, PocketID ApiToken
#NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=""
#NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT=""
#NETBIRD_IDP_MGMT_EXTRA_API_TOKEN=""
# -------------------------------------------
# Reverse proxy
# -------------------------------------------
# 0 = built-in Traefik (automatic TLS via Let's Encrypt)
# 1 = existing Traefik instance (labels)
# 2 = Nginx (config template is generated)
# 3 = Nginx Proxy Manager (advanced config is generated)
# 4 = external Caddy (Caddyfile snippet is generated)
# 5 = other/manual
NETBIRD_REVERSE_PROXY_TYPE="0"
# Let's Encrypt notification email (required for type 0)
NETBIRD_TRAEFIK_ACME_EMAIL=""
# Settings for an existing Traefik instance (type 1)
NETBIRD_TRAEFIK_EXTERNAL_NETWORK=""
NETBIRD_TRAEFIK_ENTRYPOINT="websecure"
NETBIRD_TRAEFIK_CERTRESOLVER=""
# Bind container ports to 127.0.0.1 only (types 2-5)
NETBIRD_BIND_LOCALHOST_ONLY="true"
# Docker network of your reverse proxy, if it runs in Docker (types 2-4)
NETBIRD_EXTERNAL_PROXY_NETWORK=""
# -------------------------------------------
# NetBird Proxy and CrowdSec
# (combined architecture with built-in Traefik only)
# -------------------------------------------
NETBIRD_ENABLE_PROXY="false"
NETBIRD_ENABLE_CROWDSEC="false"
# -------------------------------------------
# Datastore
# -------------------------------------------
# sqlite or postgres. With postgres and an empty DSN a PostgreSQL container is
# added to the deployment (split architecture only).
NETBIRD_STORE_CONFIG_ENGINE="sqlite"
NETBIRD_STORE_ENGINE_POSTGRES_DSN=""
NETBIRD_POSTGRES_PASSWORD=""
# -------------------------------------------
# Secrets
# Generated automatically on first run and appended to setup.env.
# Keep them stable across re-renders or peers will lose connectivity.
# -------------------------------------------
NETBIRD_RELAY_AUTH_SECRET=""
NETBIRD_DATASTORE_ENC_KEY=""
# -------------------------------------------
# Docker image overrides (optional)
# -------------------------------------------
#DASHBOARD_IMAGE="netbirdio/dashboard:latest"
#NETBIRD_SERVER_IMAGE="netbirdio/netbird-server:latest"
#MANAGEMENT_IMAGE="netbirdio/management:latest"
#SIGNAL_IMAGE="netbirdio/signal:latest"
#RELAY_IMAGE="netbirdio/relay:latest"
#POSTGRES_IMAGE="postgres:16-alpine"
#TRAEFIK_IMAGE="traefik:v3.6"