Simplify NetBird server quickstart addon

2026-06-25 00:36:06 +02:00 · 2026-02-08 19:31:20 +01:00
parent 1d538be565
commit 00c59234fd
11 changed files with 205 additions and 268 deletions
--- a/netbird-server/rootfs/etc/cont-init.d/00-config.sh
+++ b/netbird-server/rootfs/etc/cont-init.d/00-config.sh
@@ -4,107 +4,53 @@ set -euo pipefail

 # ==============================================================================
 # Home Assistant Add-on: NetBird Server
-# Configures NetBird services
+# Configures NetBird services (quickstart layout)
 # ==============================================================================

 create_or_load_secret() {
  local secret_file="$1"
-  local provided_value="$2"
+  local generator="$2"
  local generated=""

-  if [[ -n "$provided_value" ]]; then
-    echo "$provided_value"
-    return
-  fi
-
  if [[ -f "$secret_file" ]]; then
    cat "$secret_file"
    return
  fi

-  generated=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
+  generated=$(eval "$generator")
  echo "$generated" > "$secret_file"
  chmod 600 "$secret_file"
  echo "$generated"
 }

-extract_port() {
-  local address="$1"
-  echo "${address##*:}"
-}
-
 DATA_DIR="/config/netbird"
-DOMAIN="localhost"
-MANAGEMENT_LISTEN="0.0.0.0:33073"
-SIGNAL_LISTEN="0.0.0.0:10000"
-DASHBOARD_LISTEN="0.0.0.0:8080"
-TURN_LISTEN_PORT=3478
-TURN_REALM="netbird"
-TURN_EXTERNAL_IP=""
-TURN_MIN_PORT=49152
-TURN_MAX_PORT=65535
-TURN_USER="netbird"
-TURN_PASSWORD=""
-IDP_MANAGER_TYPE="none"
-AUTH_AUTHORITY=""
-AUTH_AUDIENCE=""
-AUTH_JWT_CERTS=""
-AUTH_USER_ID_CLAIM="sub"
-AUTH_OIDC_CONFIGURATION_ENDPOINT=""
-AUTH_TOKEN_ENDPOINT=""
-IDP_CLIENT_ID=""
-IDP_CLIENT_SECRET=""
-DISABLE_DEFAULT_POLICY=false
-DISABLE_DASHBOARD=false
-ENABLE_RELAY=false
-RELAY_EXPOSED_ADDRESS=""
-RELAY_AUTH_SECRET=""
+DOMAIN="$(bashio::config 'domain')"
+NETBIRD_STUN_PORT=3478
+MANAGEMENT_PORT=8081
+DASHBOARD_PORT=8080
+SIGNAL_PORT=8083
+SIGNAL_GRPC_PORT=10000
+RELAY_PORT=8084

-MANAGEMENT_PORT=$(extract_port "$MANAGEMENT_LISTEN")
-SIGNAL_PORT=$(extract_port "$SIGNAL_LISTEN")
-DASHBOARD_PORT=$(extract_port "$DASHBOARD_LISTEN")
-
-if [[ -z "$AUTH_AUTHORITY" || -z "$AUTH_AUDIENCE" || -z "$AUTH_JWT_CERTS" ]]; then
-  bashio::log.warning "OIDC configuration is incomplete. Edit ${DATA_DIR}/management/management.json to finish setup."
+if [[ -z "$DOMAIN" || "$DOMAIN" == "netbird.example.com" ]]; then
+  bashio::log.error "Set a valid domain in the add-on configuration (domain cannot be empty or netbird.example.com)."
+  bashio::exit.nok
 fi

+NETBIRD_PORT=443
+NETBIRD_HTTP_PROTOCOL="https"
+NETBIRD_RELAY_PROTO="rels"
+CADDY_SECURE_DOMAIN=", ${DOMAIN}:${NETBIRD_PORT}"
+
 mkdir -p "$DATA_DIR" \
  "$DATA_DIR/management" \
-  "$DATA_DIR/turn" \
  "$DATA_DIR/secrets" \
  "$DATA_DIR/dashboard" \
-  "$DATA_DIR/relay"
+  "$DATA_DIR/relay" \
+  "$DATA_DIR/caddy"

-TURN_PASSWORD=$(create_or_load_secret "$DATA_DIR/secrets/turn_password" "$TURN_PASSWORD")
-TURN_SECRET=$(create_or_load_secret "$DATA_DIR/secrets/turn_secret" "")
-DATASTORE_ENC_KEY=$(create_or_load_secret "$DATA_DIR/secrets/management_datastore_key" "")
-
-if [[ "$ENABLE_RELAY" == "true" ]]; then
-  if [[ -z "$RELAY_EXPOSED_ADDRESS" || -z "$RELAY_AUTH_SECRET" ]]; then
-    bashio::log.error "Relay is enabled, but relay_exposed_address or relay_auth_secret is missing."
-    bashio::exit.nok
-  fi
-  rm -f /etc/services.d/relay/down
-  RELAY_JSON=$(cat <<RELAY
-{
-  "Addresses": ["${RELAY_EXPOSED_ADDRESS}"],
-  "CredentialsTTL": "24h",
-  "Secret": "${RELAY_AUTH_SECRET}"
-}
-RELAY
-)
-else
-  bashio::log.info "Relay service disabled."
-  touch /etc/services.d/relay/down
-  RELAY_JSON="null"
-fi
-
-if [[ "$DISABLE_DASHBOARD" == "true" ]]; then
-  bashio::log.info "Dashboard service disabled."
-  touch /etc/services.d/dashboard/down
-else
-  rm -f /etc/services.d/dashboard/down
-fi
+DATASTORE_ENC_KEY=$(create_or_load_secret "$DATA_DIR/secrets/management_datastore_key" "openssl rand -base64 32")
+RELAY_AUTH_SECRET=$(create_or_load_secret "$DATA_DIR/secrets/relay_auth_secret" "openssl rand -base64 32 | sed 's/=//g'")

 # Generate management config if missing
 MANAGEMENT_CONFIG="$DATA_DIR/management/management.json"
@@ -115,65 +61,27 @@ if [[ ! -f "$MANAGEMENT_CONFIG" ]]; then
  "Stuns": [
    {
      "Proto": "udp",
-      "URI": "stun:${DOMAIN}:${TURN_LISTEN_PORT}",
-      "Username": "",
-      "Password": null
+      "URI": "stun:${DOMAIN}:${NETBIRD_STUN_PORT}"
    }
  ],
-  "TURNConfig": {
-    "Turns": [
-      {
-        "Proto": "udp",
-        "URI": "turn:${DOMAIN}:${TURN_LISTEN_PORT}",
-        "Username": "${TURN_USER}",
-        "Password": "${TURN_PASSWORD}"
-      }
-    ],
-    "CredentialsTTL": "12h",
-    "Secret": "${TURN_SECRET}",
-    "TimeBasedCredentials": false
+  "Relay": {
+    "Addresses": ["${NETBIRD_RELAY_PROTO}://${DOMAIN}:${NETBIRD_PORT}"],
+    "CredentialsTTL": "24h",
+    "Secret": "${RELAY_AUTH_SECRET}"
  },
-  "Relay": ${RELAY_JSON},
  "Signal": {
-    "Proto": "http",
-    "URI": "${DOMAIN}:${SIGNAL_PORT}",
-    "Username": "",
-    "Password": null
+    "Proto": "${NETBIRD_HTTP_PROTOCOL}",
+    "URI": "${DOMAIN}:${NETBIRD_PORT}"
  },
-  "ReverseProxy": {
-    "TrustedHTTPProxies": [],
-    "TrustedHTTPProxiesCount": 0,
-    "TrustedPeers": [
-      "0.0.0.0/0"
-    ]
-  },
-  "DisableDefaultPolicy": ${DISABLE_DEFAULT_POLICY},
  "Datadir": "${DATA_DIR}/management",
  "DataStoreEncryptionKey": "${DATASTORE_ENC_KEY}",
-  "StoreConfig": {
-    "Engine": "sqlite"
-  },
-  "HttpConfig": {
-    "Address": "${MANAGEMENT_LISTEN}",
-    "AuthIssuer": "${AUTH_AUTHORITY}",
-    "AuthAudience": "${AUTH_AUDIENCE}",
-    "AuthKeysLocation": "${AUTH_JWT_CERTS}",
-    "AuthUserIDClaim": "${AUTH_USER_ID_CLAIM}",
-    "CertFile": "",
-    "CertKey": "",
-    "IdpSignKeyRefreshEnabled": false,
-    "OIDCConfigEndpoint": "${AUTH_OIDC_CONFIGURATION_ENDPOINT}"
-  },
-  "IdpManagerConfig": {
-    "ManagerType": "${IDP_MANAGER_TYPE}",
-    "ClientConfig": {
-      "Issuer": "${AUTH_AUTHORITY}",
-      "TokenEndpoint": "${AUTH_TOKEN_ENDPOINT}",
-      "ClientID": "${IDP_CLIENT_ID}",
-      "ClientSecret": "${IDP_CLIENT_SECRET}",
-      "GrantType": "client_credentials"
-    },
-    "ExtraConfig": {}
+  "EmbeddedIdP": {
+    "Enabled": true,
+    "Issuer": "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/oauth2",
+    "DashboardRedirectURIs": [
+      "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/nb-auth",
+      "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/nb-silent-auth"
+    ]
  }
 }
 CONFIG
@@ -181,50 +89,87 @@ else
  bashio::log.info "Using existing management config at ${MANAGEMENT_CONFIG}."
 fi

-# Generate Coturn config if missing
-TURN_CONFIG="$DATA_DIR/turn/turnserver.conf"
-if [[ ! -f "$TURN_CONFIG" ]]; then
-  TURN_EXTERNAL_IP_LINE=""
-  if [[ -n "$TURN_EXTERNAL_IP" ]]; then
-    TURN_EXTERNAL_IP_LINE="external-ip=${TURN_EXTERNAL_IP}"
-  fi
-
-  cat <<CONFIG > "$TURN_CONFIG"
-listening-port=${TURN_LISTEN_PORT}
-realm=${TURN_REALM}
-fingerprint
-lt-cred-mech
-user=${TURN_USER}:${TURN_PASSWORD}
-${TURN_EXTERNAL_IP_LINE}
-min-port=${TURN_MIN_PORT}
-max-port=${TURN_MAX_PORT}
+# Generate relay env file if missing
+RELAY_ENV_FILE="$DATA_DIR/relay/relay.env"
+if [[ ! -f "$RELAY_ENV_FILE" ]]; then
+  bashio::log.info "Generating relay env file at ${RELAY_ENV_FILE}."
+  cat <<CONFIG > "$RELAY_ENV_FILE"
+NB_LOG_LEVEL=info
+NB_LISTEN_ADDRESS=:${RELAY_PORT}
+NB_EXPOSED_ADDRESS=${NETBIRD_RELAY_PROTO}://${DOMAIN}:${NETBIRD_PORT}
+NB_AUTH_SECRET=${RELAY_AUTH_SECRET}
+NB_ENABLE_STUN=true
+NB_STUN_LOG_LEVEL=info
+NB_STUN_PORTS=${NETBIRD_STUN_PORT}
 CONFIG
-else
-  bashio::log.info "Using existing Coturn config at ${TURN_CONFIG}."
 fi

-# Generate dashboard nginx config
-sed "s/__DASHBOARD_PORT__/${DASHBOARD_PORT}/g" \
-  /usr/local/share/netbird-dashboard/default.conf.tmpl \
-  > /etc/nginx/http.d/default.conf
-
-mkdir -p /run/nginx
-chmod +x /usr/local/bin/init_react_envs.sh
-
 # Generate dashboard env file if missing
 DASHBOARD_ENV_FILE="$DATA_DIR/dashboard/env"
 if [[ ! -f "$DASHBOARD_ENV_FILE" ]]; then
  bashio::log.info "Generating dashboard env file at ${DASHBOARD_ENV_FILE}."
-  cat <<'ENV' > "$DASHBOARD_ENV_FILE"
-# NetBird dashboard environment overrides.
-# Example: NETBIRD_MGMT_API_ENDPOINT="https://netbird.example.com"
-NETBIRD_MGMT_API_ENDPOINT=""
-AUTH_AUTHORITY=""
-AUTH_CLIENT_ID=""
-AUTH_CLIENT_SECRET=""
-AUTH_AUDIENCE=""
-AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
-USE_AUTH0="false"
-ENV
+  cat <<CONFIG > "$DASHBOARD_ENV_FILE"
+# Endpoints
+NETBIRD_MGMT_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}
+NETBIRD_MGMT_GRPC_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}
+# OIDC - using embedded IdP
+AUTH_AUDIENCE=netbird-dashboard
+AUTH_CLIENT_ID=netbird-dashboard
+AUTH_CLIENT_SECRET=
+AUTH_AUTHORITY=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/oauth2
+USE_AUTH0=false
+AUTH_SUPPORTED_SCOPES=openid profile email groups
+AUTH_REDIRECT_URI=/nb-auth
+AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
+# SSL
+NGINX_SSL_PORT=443
+# Letsencrypt
+LETSENCRYPT_DOMAIN=none
+CONFIG
  chmod 600 "$DASHBOARD_ENV_FILE"
 fi
+
+# Generate Caddyfile if missing
+CADDYFILE="$DATA_DIR/Caddyfile"
+if [[ ! -f "$CADDYFILE" ]]; then
+  bashio::log.info "Generating Caddyfile at ${CADDYFILE}."
+  cat <<CONFIG > "$CADDYFILE"
+{
+  servers {
+    protocols h1 h2 h2c
+  }
+}
+
+(security_headers) {
+  header * {
+    Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+    X-Content-Type-Options "nosniff"
+    X-Frame-Options "SAMEORIGIN"
+    X-XSS-Protection "1; mode=block"
+    -Server
+    Referrer-Policy strict-origin-when-cross-origin
+  }
+}
+
+:80${CADDY_SECURE_DOMAIN} {
+  import security_headers
+  # relay
+  reverse_proxy /relay* 127.0.0.1:${RELAY_PORT}
+  # Signal
+  reverse_proxy /ws-proxy/signal* 127.0.0.1:${SIGNAL_PORT}
+  reverse_proxy /signalexchange.SignalExchange/* h2c://127.0.0.1:${SIGNAL_GRPC_PORT}
+  # Management
+  reverse_proxy /api/* 127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /ws-proxy/management* 127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /management.ManagementService/* h2c://127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /oauth2/* 127.0.0.1:${MANAGEMENT_PORT}
+  # Dashboard
+  reverse_proxy /* 127.0.0.1:${DASHBOARD_PORT}
+}
+CONFIG
+else
+  bashio::log.info "Using existing Caddyfile at ${CADDYFILE}."
+fi
+
+mkdir -p /run/nginx
+chmod +x /usr/local/bin/init_react_envs.sh
--- a/netbird-server/rootfs/etc/nginx/http.d/default.conf
+++ b/netbird-server/rootfs/etc/nginx/http.d/default.conf
@@ -0,0 +1,11 @@
+server {
+  listen 8080;
+  server_name _;
+
+  root /usr/share/nginx/html;
+  index index.html;
+
+  location / {
+    try_files $uri /index.html;
+  }
+}
--- a/netbird-server/rootfs/etc/services.d/caddy/run
+++ b/netbird-server/rootfs/etc/services.d/caddy/run
@@ -0,0 +1,24 @@
+#!/usr/bin/with-contenv bashio
+# shellcheck shell=bash
+set -euo pipefail
+
+# ==============================================================================
+# Home Assistant Add-on: NetBird Server
+# Runs Caddy reverse proxy
+# ==============================================================================
+
+DATA_DIR="/config/netbird"
+CADDYFILE="${DATA_DIR}/Caddyfile"
+
+if [[ ! -f "$CADDYFILE" ]]; then
+  bashio::log.error "Missing Caddyfile at ${CADDYFILE}."
+  bashio::exit.nok
+fi
+
+export XDG_DATA_HOME="${DATA_DIR}/caddy/data"
+export XDG_CONFIG_HOME="${DATA_DIR}/caddy/config"
+
+mkdir -p "$XDG_DATA_HOME" "$XDG_CONFIG_HOME"
+
+bashio::log.info "Starting Caddy..."
+exec caddy run --config "$CADDYFILE" --adapter caddyfile
--- a/netbird-server/rootfs/etc/services.d/coturn/run
+++ b/netbird-server/rootfs/etc/services.d/coturn/run
@@ -1,19 +0,0 @@
-#!/usr/bin/with-contenv bashio
-# shellcheck shell=bash
-set -euo pipefail
-
-# ==============================================================================
-# Home Assistant Add-on: NetBird Server
-# Runs Coturn
-# ==============================================================================
-
-DATA_DIR="/config/netbird"
-TURN_CONFIG="$DATA_DIR/turn/turnserver.conf"
-
-if [[ ! -f "$TURN_CONFIG" ]]; then
-  bashio::log.error "Missing Coturn configuration at ${TURN_CONFIG}."
-  bashio::exit.nok
-fi
-
-bashio::log.info "Starting Coturn..."
-exec /usr/local/bin/turnserver -c "$TURN_CONFIG" --log-file stdout
--- a/netbird-server/rootfs/etc/services.d/dashboard/run
+++ b/netbird-server/rootfs/etc/services.d/dashboard/run
@@ -7,46 +7,17 @@ set -euo pipefail
 # Runs the NetBird Dashboard
 # ==============================================================================

-DOMAIN="localhost"
-EXTERNAL_BASE_URL=""
-MANAGEMENT_LISTEN="0.0.0.0:33073"
-AUTH_AUTHORITY=""
-AUTH_CLIENT_ID=""
-AUTH_CLIENT_SECRET=""
-AUTH_AUDIENCE=""
-AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
-USE_AUTH0="false"
-NETBIRD_MGMT_API_ENDPOINT=""
-
-MANAGEMENT_PORT="${MANAGEMENT_LISTEN##*:}"
-
 ENV_FILE="/config/netbird/dashboard/env"
 if [[ -f "$ENV_FILE" ]]; then
  set -a
  # shellcheck disable=SC1090
  . "$ENV_FILE"
  set +a
-fi
-
-if [[ -n "$NETBIRD_MGMT_API_ENDPOINT" ]]; then
-  NETBIRD_MGMT_API_ENDPOINT="$NETBIRD_MGMT_API_ENDPOINT"
-elif [[ -n "$EXTERNAL_BASE_URL" ]]; then
-  NETBIRD_MGMT_API_ENDPOINT="$EXTERNAL_BASE_URL"
-elif [[ -n "$DOMAIN" ]]; then
-  NETBIRD_MGMT_API_ENDPOINT="http://${DOMAIN}:${MANAGEMENT_PORT}"
 else
-  bashio::log.warning "external_base_url and domain are empty; defaulting NETBIRD_MGMT_API_ENDPOINT to localhost."
-  NETBIRD_MGMT_API_ENDPOINT="http://127.0.0.1:${MANAGEMENT_PORT}"
+  bashio::log.error "Missing dashboard env file at ${ENV_FILE}."
+  bashio::exit.nok
 fi

-export AUTH_AUTHORITY
-export AUTH_CLIENT_ID
-export AUTH_CLIENT_SECRET
-export AUTH_AUDIENCE
-export AUTH_SUPPORTED_SCOPES
-export USE_AUTH0
-export NETBIRD_MGMT_API_ENDPOINT
-
 bashio::log.info "Preparing NetBird Dashboard assets..."
 /usr/local/bin/init_react_envs.sh

--- a/netbird-server/rootfs/etc/services.d/management/run
+++ b/netbird-server/rootfs/etc/services.d/management/run
@@ -10,6 +10,7 @@ set -euo pipefail
 DATA_DIR="/config/netbird"
 LOG_LEVEL="info"
 MANAGEMENT_CONFIG="$DATA_DIR/management/management.json"
+MANAGEMENT_PORT=8081

 if [[ ! -f "$MANAGEMENT_CONFIG" ]]; then
  bashio::log.error "Missing management configuration at ${MANAGEMENT_CONFIG}."
@@ -19,5 +20,10 @@ fi
 bashio::log.info "Starting NetBird Management..."
 exec /usr/local/bin/netbird-mgmt management \
  --config "$MANAGEMENT_CONFIG" \
+  --port "$MANAGEMENT_PORT" \
  --log-level "$LOG_LEVEL" \
-  --log-file console
+  --log-file console \
+  --disable-anonymous-metrics=false \
+  --single-account-mode-domain=netbird.selfhosted \
+  --dns-domain=netbird.selfhosted \
+  --idp-sign-key-refresh-enabled
--- a/netbird-server/rootfs/etc/services.d/relay/run
+++ b/netbird-server/rootfs/etc/services.d/relay/run
@@ -4,17 +4,20 @@ set -euo pipefail

 # ==============================================================================
 # Home Assistant Add-on: NetBird Server
-# Runs the NetBird Relay (optional)
+# Runs the NetBird Relay (includes embedded STUN)
 # ==============================================================================

-LOG_LEVEL="info"
-RELAY_EXPOSED_ADDRESS=""
-RELAY_AUTH_SECRET=""
+RELAY_ENV_FILE="/config/netbird/relay/relay.env"
+
+if [[ -f "$RELAY_ENV_FILE" ]]; then
+  set -a
+  # shellcheck disable=SC1090
+  . "$RELAY_ENV_FILE"
+  set +a
+else
+  bashio::log.error "Missing relay env file at ${RELAY_ENV_FILE}."
+  bashio::exit.nok
+fi

 bashio::log.info "Starting NetBird Relay..."
-exec /usr/local/bin/netbird-relay \
-  --listen-address ":33080" \
-  --exposed-address "$RELAY_EXPOSED_ADDRESS" \
-  --auth-secret "$RELAY_AUTH_SECRET" \
-  --log-level "$LOG_LEVEL" \
-  --log-file console
+exec /usr/local/bin/netbird-relay
--- a/netbird-server/rootfs/etc/services.d/signal/run
+++ b/netbird-server/rootfs/etc/services.d/signal/run
@@ -7,9 +7,8 @@ set -euo pipefail
 # Runs the NetBird Signal service
 # ==============================================================================

-SIGNAL_LISTEN="0.0.0.0:10000"
+SIGNAL_PORT=8083
 LOG_LEVEL="info"
-SIGNAL_PORT="${SIGNAL_LISTEN##*:}"

 bashio::log.info "Starting NetBird Signal on port ${SIGNAL_PORT}..."
 exec /usr/local/bin/netbird-signal run \