shahab/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Netbird | set up netbird vpn

Browse Source
This commit is contained in:
Shahab Dogar
2025-11-29 13:20:50 +05:00
parent 2c57f8005d
commit 69bdd52df6
4 changed files with 319 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
netbird/values.yaml Normal file
View File

@@ -0,0 +1,218 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "12h0m0s",
"Secret": "secret",
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
]
},
"Relay": {
"Addresses": ["rels://vpn.dogar.dev:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"Signal": {
"Proto": "https",
"URI": "vpn.dogar.dev:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"AuthIssuer": "https://auth.dogar.dev/application/o/netbird/",
"AuthUserIDClaim": "",
"AuthKeysLocation": "https://auth.dogar.dev/application/o/netbird/jwks/",
"OIDCConfigEndpoint": "https://auth.dogar.dev/application/o/netbird/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": false
},
"IdpManagerConfig": {
"ManagerType": "authentik",
"ClientConfig": {
"Issuer": "https://auth.dogar.dev/application/o/netbird",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"Password": "{{ .IDP_SERVICE_ACCOUNT_PASSWORD }}",
"Username": "{{ .IDP_SERVICE_ACCOUNT_USER }}"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "auth.dogar.dev",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"DeviceAuthEndpoint": "https://auth.dogar.dev/application/o/device/",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "https://auth.dogar.dev/application/o/authorize/",
"Scope": "openid profile email offline_access api",
"UseIDToken": false,
"RedirectURLs": ["http://localhost:53000"]
}
},
"StoreConfig": {
"Engine": "postgres"
},
"ReverseProxy": {
"TrustedHTTPProxies": null,
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": null
}
}
persistentVolume:
enabled: true
storageClass: longhorn
size: 1Gi
envFromSecret:
NETBIRD_STORE_ENGINE_POSTGRES_DSN: netbird/postgresDSN
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
IDP_CLIENT_ID: netbird/idpClientID
IDP_SERVICE_ACCOUNT_USER: netbird/idpServiceAccountUser
IDP_SERVICE_ACCOUNT_PASSWORD: netbird/idpServiceAccountPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 180
periodSeconds: 10
timeoutSeconds: 3
tcpSocket:
port: http
volumes:
- name: postgres-ssl-bundle
secret:
secretName: netbird-postgres-ssl-bundle
volumeMounts:
- name: postgres-ssl-bundle
mountPath: /etc/ssl/certs/postgres-ssl-bundle
readOnly: true
signal:
enabled: true
relay:
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://vpn.dogar.dev:443/relay
dashboard:
enabled: true
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://vpn.dogar.dev:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://vpn.dogar.dev:443
# OIDC
AUTH_CLIENT_SECRET:
AUTH_AUTHORITY: https://auth.dogar.dev/application/o/netbird/
USE_AUTH0: false
AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
AUTH_REDIRECT_URI:
AUTH_SILENT_REDIRECT_URI:
NETBIRD_TOKEN_SOURCE: accessToken
NGINX_SSL_PORT:
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_AUDIENCE: netbird/idpClientID
extraManifests:
- apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: netbird
namespace: netbird
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`vpn.dogar.dev`) && !PathPrefix(`/api`) && !PathPrefix(`/management`) && !PathPrefix(`/signalexchange`) && !PathPrefix(`/relay`)
services:
- name: netbird-dashboard
namespace: netbird
passHostHeader: true
port: 80
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/api`)
services:
- name: netbird-management
namespace: netbird
passHostHeader: true
port: 80
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/relay`)
services:
- name: netbird-relay
namespace: netbird
passHostHeader: true
port: 33080
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/management`)
services:
- name: netbird-management
namespace: netbird
passHostHeader: true
port: 80
scheme: h2c
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/signalexchange`)
services:
- name: netbird-signal
namespace: netbird
passHostHeader: true
port: 80
scheme: h2c
tls:
secretName: netbird-tls