mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-04 03:53:56 +00:00
187 lines
5.4 KiB
Nix
187 lines
5.4 KiB
Nix
|
{
|
||
|
config,
|
||
|
lib,
|
||
|
pkgs,
|
||
|
...
|
||
|
}:
|
||
|
|
||
|
let
|
||
|
inherit (lib)
|
||
|
boolToString
|
||
|
concatStringsSep
|
||
|
hasAttr
|
||
|
isBool
|
||
|
mapAttrs
|
||
|
mkDefault
|
||
|
mkEnableOption
|
||
|
mkIf
|
||
|
mkOption
|
||
|
mkPackageOption
|
||
|
;
|
||
|
|
||
|
inherit (lib.types)
|
||
|
attrsOf
|
||
|
bool
|
||
|
either
|
||
|
package
|
||
|
str
|
||
|
submodule
|
||
|
;
|
||
|
|
||
|
toStringEnv = value: if isBool value then boolToString value else toString value;
|
||
|
|
||
|
cfg = config.services.netbird.server.dashboard;
|
||
|
in
|
||
|
|
||
|
{
|
||
|
options.services.netbird.server.dashboard = {
|
||
|
enable = mkEnableOption "the static netbird dashboard frontend";
|
||
|
|
||
|
package = mkPackageOption pkgs "netbird-dashboard" { };
|
||
|
|
||
|
enableNginx = mkEnableOption "Nginx reverse-proxy to serve the dashboard.";
|
||
|
|
||
|
domain = mkOption {
|
||
|
type = str;
|
||
|
default = "localhost";
|
||
|
description = "The domain under which the dashboard runs.";
|
||
|
};
|
||
|
|
||
|
managementServer = mkOption {
|
||
|
type = str;
|
||
|
description = "The address of the management server, used for the API endpoints.";
|
||
|
};
|
||
|
|
||
|
settings = mkOption {
|
||
|
type = submodule { freeformType = attrsOf (either str bool); };
|
||
|
|
||
|
defaultText = ''
|
||
|
{
|
||
|
AUTH_AUDIENCE = "netbird";
|
||
|
AUTH_CLIENT_ID = "netbird";
|
||
|
AUTH_SUPPORTED_SCOPES = "openid profile email";
|
||
|
NETBIRD_TOKEN_SOURCE = "idToken";
|
||
|
USE_AUTH0 = false;
|
||
|
}
|
||
|
'';
|
||
|
|
||
|
description = ''
|
||
|
An attribute set that will be used to substitute variables when building the dashboard.
|
||
|
Any values set here will be templated into the frontend and be public for anyone that can reach your website.
|
||
|
The exact values sadly aren't documented anywhere.
|
||
|
A starting point when searching for valid values is this [script](https://github.com/netbirdio/dashboard/blob/main/docker/init_react_envs.sh)
|
||
|
The only mandatory value is 'AUTH_AUTHORITY' as we cannot set a default value here.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
finalDrv = mkOption {
|
||
|
readOnly = true;
|
||
|
type = package;
|
||
|
description = ''
|
||
|
The derivation containing the final templated dashboard.
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
|
||
|
config = mkIf cfg.enable {
|
||
|
assertions = [
|
||
|
{
|
||
|
assertion = hasAttr "AUTH_AUTHORITY" cfg.settings;
|
||
|
message = "The setting AUTH_AUTHORITY is required for the dasboard to function.";
|
||
|
}
|
||
|
];
|
||
|
|
||
|
services.netbird.server.dashboard = {
|
||
|
settings =
|
||
|
{
|
||
|
# Due to how the backend and frontend work this secret will be templated into the backend
|
||
|
# and then served statically from your website
|
||
|
# This enables you to login without the normally needed indirection through the backend
|
||
|
# but this also means anyone that can reach your website can
|
||
|
# fetch this secret, which is why there is no real need to put it into
|
||
|
# special options as its public anyway
|
||
|
# As far as I know leaking this secret is just
|
||
|
# an information leak as one can fetch some basic app
|
||
|
# informations from the IDP
|
||
|
# To actually do something one still needs to have login
|
||
|
# data and this secret so this being public will not
|
||
|
# suffice for anything just decreasing security
|
||
|
AUTH_CLIENT_SECRET = "";
|
||
|
|
||
|
NETBIRD_MGMT_API_ENDPOINT = cfg.managementServer;
|
||
|
NETBIRD_MGMT_GRPC_API_ENDPOINT = cfg.managementServer;
|
||
|
}
|
||
|
// (mapAttrs (_: mkDefault) {
|
||
|
# Those values have to be easily overridable
|
||
|
AUTH_AUDIENCE = "netbird"; # must be set for your devices to be able to log in
|
||
|
AUTH_CLIENT_ID = "netbird";
|
||
|
AUTH_SUPPORTED_SCOPES = "openid profile email";
|
||
|
NETBIRD_TOKEN_SOURCE = "idToken";
|
||
|
USE_AUTH0 = false;
|
||
|
});
|
||
|
|
||
|
# The derivation containing the templated dashboard
|
||
|
finalDrv =
|
||
|
pkgs.runCommand "netbird-dashboard"
|
||
|
{
|
||
|
nativeBuildInputs = [ pkgs.gettext ];
|
||
|
env = {
|
||
|
ENV_STR = concatStringsSep " " [
|
||
|
"$AUTH_AUDIENCE"
|
||
|
"$AUTH_AUTHORITY"
|
||
|
"$AUTH_CLIENT_ID"
|
||
|
"$AUTH_CLIENT_SECRET"
|
||
|
"$AUTH_REDIRECT_URI"
|
||
|
"$AUTH_SILENT_REDIRECT_URI"
|
||
|
"$AUTH_SUPPORTED_SCOPES"
|
||
|
"$NETBIRD_DRAG_QUERY_PARAMS"
|
||
|
"$NETBIRD_GOOGLE_ANALYTICS_ID"
|
||
|
"$NETBIRD_HOTJAR_TRACK_ID"
|
||
|
"$NETBIRD_MGMT_API_ENDPOINT"
|
||
|
"$NETBIRD_MGMT_GRPC_API_ENDPOINT"
|
||
|
"$NETBIRD_TOKEN_SOURCE"
|
||
|
"$USE_AUTH0"
|
||
|
];
|
||
|
} // (mapAttrs (_: toStringEnv) cfg.settings);
|
||
|
}
|
||
|
''
|
||
|
cp -R ${cfg.package} build
|
||
|
|
||
|
find build -type d -exec chmod 755 {} \;
|
||
|
OIDC_TRUSTED_DOMAINS="build/OidcTrustedDomains.js"
|
||
|
|
||
|
envsubst "$ENV_STR" < "$OIDC_TRUSTED_DOMAINS.tmpl" > "$OIDC_TRUSTED_DOMAINS"
|
||
|
|
||
|
for f in $(grep -R -l AUTH_SUPPORTED_SCOPES build/); do
|
||
|
mv "$f" "$f.copy"
|
||
|
envsubst "$ENV_STR" < "$f.copy" > "$f"
|
||
|
rm "$f.copy"
|
||
|
done
|
||
|
|
||
|
cp -R build $out
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
services.nginx = mkIf cfg.enableNginx {
|
||
|
enable = true;
|
||
|
|
||
|
virtualHosts.${cfg.domain} = {
|
||
|
locations = {
|
||
|
"/" = {
|
||
|
root = cfg.finalDrv;
|
||
|
tryFiles = "$uri $uri.html $uri/ =404";
|
||
|
};
|
||
|
|
||
|
"/404.html".extraConfig = ''
|
||
|
internal;
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
extraConfig = ''
|
||
|
error_page 404 /404.html;
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
}
|