mirror of
https://github.com/netbirdio/netbird.git
synced 2026-05-20 23:59:55 +00:00
e3c23c263b
Two follow-ups to the WebTransport/ALPN-mux landing:
Deployment templates publish UDP alongside TCP for the relay so the
single ALPN-multiplexed socket can serve raw QUIC and WebTransport
clients on the same port as the existing WebSocket transport.
- docker-compose.yml.tmpl: adds the matching `/udp` mapping; the relay
was already binding both stacks, the host port just wasn't published.
- docker-compose.yml.tmpl.traefik: WebTransport is the awkward case —
Traefik can't proxy WT sessions, so the relay container now publishes
UDP/443 directly and obtains its own Let's Encrypt cert (separate
volume), while the TCP /relay route stays behind Traefik unchanged so
WS-only clients keep working.
Management server learned to advertise per-relay transport hints:
- Config gains an optional `Endpoints []{URL, Transports}` block on the
Relay section, mirrored to clients as RelayConfig.endpoints.
- `Addresses` is still emitted as RelayConfig.urls so older agents keep
working unchanged.
- A single BuildRelayConfigProto helper is the only place that builds
the proto, called from both toNetbirdConfig and the token push paths.
The GeoDNS case is operator-asserted, not probed: a single URL fans out
to several physical relays, and the Transports list must already be the
intersection of what every backend supports. Documented on the config
struct — if any backend behind a hostname can't speak h3, the operator
drops "wt" from that hostname's list and no client tries it there.
149 lines
5.5 KiB
Bash
149 lines
5.5 KiB
Bash
## Most settings are being done automatically with the sourced variables from setup.env, but you can edit if you need some customization
|
|
|
|
# Management API
|
|
|
|
# Management API port
|
|
NETBIRD_MGMT_API_PORT=${NETBIRD_MGMT_API_PORT:-33073}
|
|
# Management API endpoint address, used by the Dashboard
|
|
NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
|
|
# Management Certificate file path. These are generated by the Dashboard container
|
|
NETBIRD_LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
|
|
NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"
|
|
# Management Certificate key file path.
|
|
NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/privkey.pem"
|
|
# By default Management single account mode is enabled and domain set to $NETBIRD_DOMAIN, you may want to set this to your user's email domain
|
|
NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
|
|
NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
|
|
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=${NETBIRD_MGMT_IDP_SIGNKEY_REFRESH:-false}
|
|
NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=${NETBIRD_MGMT_DISABLE_DEFAULT_POLICY:-false}
|
|
|
|
# Signal
|
|
NETBIRD_SIGNAL_PROTOCOL="http"
|
|
NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
|
|
|
|
# Relay
|
|
NETBIRD_RELAY_DOMAIN=${NETBIRD_RELAY_DOMAIN:-$NETBIRD_DOMAIN}
|
|
NETBIRD_RELAY_PORT=${NETBIRD_RELAY_PORT:-33080}
|
|
NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT:-rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT}
|
|
# Relay auth secret
|
|
NETBIRD_RELAY_AUTH_SECRET=
|
|
|
|
# Turn
|
|
TURN_DOMAIN=${NETBIRD_TURN_DOMAIN:-$NETBIRD_DOMAIN}
|
|
|
|
NETBIRD_TURN_EXTERNAL_IP=${NETBIRD_TURN_EXTERNAL_IP}
|
|
|
|
# Turn credentials
|
|
# User
|
|
TURN_USER=self
|
|
# Password. If empty, the configure.sh will generate one with openssl
|
|
TURN_PASSWORD=
|
|
# Min port
|
|
TURN_MIN_PORT=${TURN_MIN_PORT:-49152}
|
|
# Max port
|
|
TURN_MAX_PORT=${TURN_MAX_PORT:-65535}
|
|
|
|
VOLUME_PREFIX="netbird-"
|
|
MGMT_VOLUMESUFFIX="mgmt"
|
|
SIGNAL_VOLUMESUFFIX="signal"
|
|
LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
|
|
# Dedicated Let's Encrypt store for the relay. Required only by the Traefik
|
|
# deployment, where the relay runs its own ACME client to terminate TLS on
|
|
# UDP/443 for WebTransport + raw QUIC (Traefik can't proxy WebTransport).
|
|
RELAY_LE_VOLUMESUFFIX="relay-letsencrypt"
|
|
|
|
NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
|
|
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
|
|
NETBIRD_AUTH_DEVICE_AUTH_SCOPE=${NETBIRD_AUTH_DEVICE_AUTH_SCOPE:-openid}
|
|
NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
|
|
|
|
|
|
NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS:-false}
|
|
NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
|
|
|
|
# PKCE authorization flow
|
|
NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS=${NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS:-"53000"}
|
|
NETBIRD_AUTH_PKCE_USE_ID_TOKEN=${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
|
|
NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=${NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN:-false}
|
|
NETBIRD_AUTH_PKCE_LOGIN_FLAG=${NETBIRD_AUTH_PKCE_LOGIN_FLAG:-0}
|
|
NETBIRD_AUTH_PKCE_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
|
|
|
|
# Dashboard
|
|
|
|
# The default setting is to transmit the audience to the IDP during authorization. However,
|
|
# if your IDP does not have this capability, you can turn this off by setting it to false.
|
|
NETBIRD_DASH_AUTH_USE_AUDIENCE=${NETBIRD_DASH_AUTH_USE_AUDIENCE:-true}
|
|
NETBIRD_DASH_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
|
|
|
|
# Store config
|
|
NETBIRD_STORE_CONFIG_ENGINE=${NETBIRD_STORE_CONFIG_ENGINE:-"sqlite"}
|
|
|
|
# Image tags
|
|
NETBIRD_DASHBOARD_TAG=${NETBIRD_DASHBOARD_TAG:-"latest"}
|
|
NETBIRD_SIGNAL_TAG=${NETBIRD_SIGNAL_TAG:-"latest"}
|
|
NETBIRD_MANAGEMENT_TAG=${NETBIRD_MANAGEMENT_TAG:-"latest"}
|
|
COTURN_TAG=${COTURN_TAG:-"latest"}
|
|
NETBIRD_RELAY_TAG=${NETBIRD_RELAY_TAG:-"latest"}
|
|
|
|
# exports
|
|
export NETBIRD_DOMAIN
|
|
export NETBIRD_TURN_DOMAIN
|
|
export NETBIRD_AUTH_CLIENT_ID
|
|
export NETBIRD_AUTH_CLIENT_SECRET
|
|
export NETBIRD_AUTH_AUDIENCE
|
|
export NETBIRD_AUTH_AUTHORITY
|
|
export NETBIRD_USE_AUTH0
|
|
export NETBIRD_AUTH_SUPPORTED_SCOPES
|
|
export NETBIRD_AUTH_JWT_CERTS
|
|
export NETBIRD_LETSENCRYPT_EMAIL
|
|
export NETBIRD_MGMT_API_PORT
|
|
export NETBIRD_MGMT_API_ENDPOINT
|
|
export NETBIRD_LETSENCRYPT_DOMAIN
|
|
export NETBIRD_MGMT_API_CERT_FILE
|
|
export NETBIRD_MGMT_API_CERT_KEY_FILE
|
|
export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER
|
|
export NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID
|
|
export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT
|
|
export NETBIRD_AUTH_REDIRECT_URI
|
|
export NETBIRD_AUTH_SILENT_REDIRECT_URI
|
|
export TURN_DOMAIN
|
|
export TURN_USER
|
|
export TURN_PASSWORD
|
|
export TURN_MIN_PORT
|
|
export TURN_MAX_PORT
|
|
export VOLUME_PREFIX
|
|
export MGMT_VOLUMESUFFIX
|
|
export SIGNAL_VOLUMESUFFIX
|
|
export LETSENCRYPT_VOLUMESUFFIX
|
|
export RELAY_LE_VOLUMESUFFIX
|
|
export NETBIRD_DISABLE_ANONYMOUS_METRICS
|
|
export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
|
|
export NETBIRD_MGMT_DNS_DOMAIN
|
|
export NETBIRD_MGMT_IDP_SIGNKEY_REFRESH
|
|
export NETBIRD_SIGNAL_PROTOCOL
|
|
export NETBIRD_SIGNAL_PORT
|
|
export NETBIRD_AUTH_USER_ID_CLAIM
|
|
export NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
|
|
export NETBIRD_TOKEN_SOURCE
|
|
export NETBIRD_AUTH_DEVICE_AUTH_SCOPE
|
|
export NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
|
|
export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT
|
|
export NETBIRD_AUTH_PKCE_USE_ID_TOKEN
|
|
export NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN
|
|
export NETBIRD_AUTH_PKCE_LOGIN_FLAG
|
|
export NETBIRD_AUTH_PKCE_AUDIENCE
|
|
export NETBIRD_DASH_AUTH_USE_AUDIENCE
|
|
export NETBIRD_DASH_AUTH_AUDIENCE
|
|
export NETBIRD_STORE_CONFIG_ENGINE
|
|
export NETBIRD_DASHBOARD_TAG
|
|
export NETBIRD_SIGNAL_TAG
|
|
export NETBIRD_MANAGEMENT_TAG
|
|
export COTURN_TAG
|
|
export NETBIRD_TURN_EXTERNAL_IP
|
|
export NETBIRD_RELAY_DOMAIN
|
|
export NETBIRD_RELAY_PORT
|
|
export NETBIRD_RELAY_ENDPOINT
|
|
export NETBIRD_RELAY_AUTH_SECRET
|
|
export NETBIRD_RELAY_TAG
|
|
export NETBIRD_MGMT_DISABLE_DEFAULT_POLICY
|