Simplify NetBird server quickstart addon

netbird-server/rootfs/etc/cont-init.d/00-config.sh

@@ -4,107 +4,53 @@ set -euo pipefail
 
 # ==============================================================================
 # Home Assistant Add-on: NetBird Server
-# Configures NetBird services
+# Configures NetBird services (quickstart layout)
 # ==============================================================================
 
 create_or_load_secret() {
   local secret_file="$1"
-  local provided_value="$2"
+  local generator="$2"
   local generated=""
 
-  if [[ -n "$provided_value" ]]; then
-    echo "$provided_value"
-    return
-  fi
-
   if [[ -f "$secret_file" ]]; then
     cat "$secret_file"
     return
   fi
 
-  generated=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
+  generated=$(eval "$generator")
   echo "$generated" > "$secret_file"
   chmod 600 "$secret_file"
   echo "$generated"
 }
 
-extract_port() {
-  local address="$1"
-  echo "${address##*:}"
-}
-
 DATA_DIR="/config/netbird"
-DOMAIN="localhost"
-MANAGEMENT_LISTEN="0.0.0.0:33073"
-SIGNAL_LISTEN="0.0.0.0:10000"
-DASHBOARD_LISTEN="0.0.0.0:8080"
-TURN_LISTEN_PORT=3478
-TURN_REALM="netbird"
-TURN_EXTERNAL_IP=""
-TURN_MIN_PORT=49152
-TURN_MAX_PORT=65535
-TURN_USER="netbird"
-TURN_PASSWORD=""
-IDP_MANAGER_TYPE="none"
-AUTH_AUTHORITY=""
-AUTH_AUDIENCE=""
-AUTH_JWT_CERTS=""
-AUTH_USER_ID_CLAIM="sub"
-AUTH_OIDC_CONFIGURATION_ENDPOINT=""
-AUTH_TOKEN_ENDPOINT=""
-IDP_CLIENT_ID=""
-IDP_CLIENT_SECRET=""
-DISABLE_DEFAULT_POLICY=false
-DISABLE_DASHBOARD=false
-ENABLE_RELAY=false
-RELAY_EXPOSED_ADDRESS=""
-RELAY_AUTH_SECRET=""
+DOMAIN="$(bashio::config 'domain')"
+NETBIRD_STUN_PORT=3478
+MANAGEMENT_PORT=8081
+DASHBOARD_PORT=8080
+SIGNAL_PORT=8083
+SIGNAL_GRPC_PORT=10000
+RELAY_PORT=8084
 
-MANAGEMENT_PORT=$(extract_port "$MANAGEMENT_LISTEN")
-SIGNAL_PORT=$(extract_port "$SIGNAL_LISTEN")
-DASHBOARD_PORT=$(extract_port "$DASHBOARD_LISTEN")
-
-if [[ -z "$AUTH_AUTHORITY" || -z "$AUTH_AUDIENCE" || -z "$AUTH_JWT_CERTS" ]]; then
-  bashio::log.warning "OIDC configuration is incomplete. Edit ${DATA_DIR}/management/management.json to finish setup."
+if [[ -z "$DOMAIN" || "$DOMAIN" == "netbird.example.com" ]]; then
+  bashio::log.error "Set a valid domain in the add-on configuration (domain cannot be empty or netbird.example.com)."
+  bashio::exit.nok
 fi
 
+NETBIRD_PORT=443
+NETBIRD_HTTP_PROTOCOL="https"
+NETBIRD_RELAY_PROTO="rels"
+CADDY_SECURE_DOMAIN=", ${DOMAIN}:${NETBIRD_PORT}"
+
 mkdir -p "$DATA_DIR" \
   "$DATA_DIR/management" \
-  "$DATA_DIR/turn" \
   "$DATA_DIR/secrets" \
   "$DATA_DIR/dashboard" \
-  "$DATA_DIR/relay"
+  "$DATA_DIR/relay" \
+  "$DATA_DIR/caddy"
 
-TURN_PASSWORD=$(create_or_load_secret "$DATA_DIR/secrets/turn_password" "$TURN_PASSWORD")
-TURN_SECRET=$(create_or_load_secret "$DATA_DIR/secrets/turn_secret" "")
-DATASTORE_ENC_KEY=$(create_or_load_secret "$DATA_DIR/secrets/management_datastore_key" "")
-
-if [[ "$ENABLE_RELAY" == "true" ]]; then
-  if [[ -z "$RELAY_EXPOSED_ADDRESS" || -z "$RELAY_AUTH_SECRET" ]]; then
-    bashio::log.error "Relay is enabled, but relay_exposed_address or relay_auth_secret is missing."
-    bashio::exit.nok
-  fi
-  rm -f /etc/services.d/relay/down
-  RELAY_JSON=$(cat <<RELAY
-{
-  "Addresses": ["${RELAY_EXPOSED_ADDRESS}"],
-  "CredentialsTTL": "24h",
-  "Secret": "${RELAY_AUTH_SECRET}"
-}
-RELAY
-)
-else
-  bashio::log.info "Relay service disabled."
-  touch /etc/services.d/relay/down
-  RELAY_JSON="null"
-fi
-
-if [[ "$DISABLE_DASHBOARD" == "true" ]]; then
-  bashio::log.info "Dashboard service disabled."
-  touch /etc/services.d/dashboard/down
-else
-  rm -f /etc/services.d/dashboard/down
-fi
+DATASTORE_ENC_KEY=$(create_or_load_secret "$DATA_DIR/secrets/management_datastore_key" "openssl rand -base64 32")
+RELAY_AUTH_SECRET=$(create_or_load_secret "$DATA_DIR/secrets/relay_auth_secret" "openssl rand -base64 32 | sed 's/=//g'")
 
 # Generate management config if missing
 MANAGEMENT_CONFIG="$DATA_DIR/management/management.json"
@@ -115,65 +61,27 @@ if [[ ! -f "$MANAGEMENT_CONFIG" ]]; then
   "Stuns": [
     {
       "Proto": "udp",
-      "URI": "stun:${DOMAIN}:${TURN_LISTEN_PORT}",
-      "Username": "",
-      "Password": null
+      "URI": "stun:${DOMAIN}:${NETBIRD_STUN_PORT}"
     }
   ],
-  "TURNConfig": {
-    "Turns": [
-      {
-        "Proto": "udp",
-        "URI": "turn:${DOMAIN}:${TURN_LISTEN_PORT}",
-        "Username": "${TURN_USER}",
-        "Password": "${TURN_PASSWORD}"
-      }
-    ],
-    "CredentialsTTL": "12h",
-    "Secret": "${TURN_SECRET}",
-    "TimeBasedCredentials": false
+  "Relay": {
+    "Addresses": ["${NETBIRD_RELAY_PROTO}://${DOMAIN}:${NETBIRD_PORT}"],
+    "CredentialsTTL": "24h",
+    "Secret": "${RELAY_AUTH_SECRET}"
   },
-  "Relay": ${RELAY_JSON},
   "Signal": {
-    "Proto": "http",
-    "URI": "${DOMAIN}:${SIGNAL_PORT}",
-    "Username": "",
-    "Password": null
+    "Proto": "${NETBIRD_HTTP_PROTOCOL}",
+    "URI": "${DOMAIN}:${NETBIRD_PORT}"
   },
-  "ReverseProxy": {
-    "TrustedHTTPProxies": [],
-    "TrustedHTTPProxiesCount": 0,
-    "TrustedPeers": [
-      "0.0.0.0/0"
-    ]
-  },
-  "DisableDefaultPolicy": ${DISABLE_DEFAULT_POLICY},
   "Datadir": "${DATA_DIR}/management",
   "DataStoreEncryptionKey": "${DATASTORE_ENC_KEY}",
-  "StoreConfig": {
-    "Engine": "sqlite"
-  },
-  "HttpConfig": {
-    "Address": "${MANAGEMENT_LISTEN}",
-    "AuthIssuer": "${AUTH_AUTHORITY}",
-    "AuthAudience": "${AUTH_AUDIENCE}",
-    "AuthKeysLocation": "${AUTH_JWT_CERTS}",
-    "AuthUserIDClaim": "${AUTH_USER_ID_CLAIM}",
-    "CertFile": "",
-    "CertKey": "",
-    "IdpSignKeyRefreshEnabled": false,
-    "OIDCConfigEndpoint": "${AUTH_OIDC_CONFIGURATION_ENDPOINT}"
-  },
-  "IdpManagerConfig": {
-    "ManagerType": "${IDP_MANAGER_TYPE}",
-    "ClientConfig": {
-      "Issuer": "${AUTH_AUTHORITY}",
-      "TokenEndpoint": "${AUTH_TOKEN_ENDPOINT}",
-      "ClientID": "${IDP_CLIENT_ID}",
-      "ClientSecret": "${IDP_CLIENT_SECRET}",
-      "GrantType": "client_credentials"
-    },
-    "ExtraConfig": {}
+  "EmbeddedIdP": {
+    "Enabled": true,
+    "Issuer": "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/oauth2",
+    "DashboardRedirectURIs": [
+      "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/nb-auth",
+      "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/nb-silent-auth"
+    ]
   }
 }
 CONFIG
@@ -181,50 +89,87 @@ else
   bashio::log.info "Using existing management config at ${MANAGEMENT_CONFIG}."
 fi
 
-# Generate Coturn config if missing
-TURN_CONFIG="$DATA_DIR/turn/turnserver.conf"
-if [[ ! -f "$TURN_CONFIG" ]]; then
-  TURN_EXTERNAL_IP_LINE=""
-  if [[ -n "$TURN_EXTERNAL_IP" ]]; then
-    TURN_EXTERNAL_IP_LINE="external-ip=${TURN_EXTERNAL_IP}"
-  fi
-
-  cat <<CONFIG > "$TURN_CONFIG"
-listening-port=${TURN_LISTEN_PORT}
-realm=${TURN_REALM}
-fingerprint
-lt-cred-mech
-user=${TURN_USER}:${TURN_PASSWORD}
-${TURN_EXTERNAL_IP_LINE}
-min-port=${TURN_MIN_PORT}
-max-port=${TURN_MAX_PORT}
+# Generate relay env file if missing
+RELAY_ENV_FILE="$DATA_DIR/relay/relay.env"
+if [[ ! -f "$RELAY_ENV_FILE" ]]; then
+  bashio::log.info "Generating relay env file at ${RELAY_ENV_FILE}."
+  cat <<CONFIG > "$RELAY_ENV_FILE"
+NB_LOG_LEVEL=info
+NB_LISTEN_ADDRESS=:${RELAY_PORT}
+NB_EXPOSED_ADDRESS=${NETBIRD_RELAY_PROTO}://${DOMAIN}:${NETBIRD_PORT}
+NB_AUTH_SECRET=${RELAY_AUTH_SECRET}
+NB_ENABLE_STUN=true
+NB_STUN_LOG_LEVEL=info
+NB_STUN_PORTS=${NETBIRD_STUN_PORT}
 CONFIG
-else
-  bashio::log.info "Using existing Coturn config at ${TURN_CONFIG}."
 fi
 
-# Generate dashboard nginx config
-sed "s/__DASHBOARD_PORT__/${DASHBOARD_PORT}/g" \
-  /usr/local/share/netbird-dashboard/default.conf.tmpl \
-  > /etc/nginx/http.d/default.conf
-
-mkdir -p /run/nginx
-chmod +x /usr/local/bin/init_react_envs.sh
-
 # Generate dashboard env file if missing
 DASHBOARD_ENV_FILE="$DATA_DIR/dashboard/env"
 if [[ ! -f "$DASHBOARD_ENV_FILE" ]]; then
   bashio::log.info "Generating dashboard env file at ${DASHBOARD_ENV_FILE}."
-  cat <<'ENV' > "$DASHBOARD_ENV_FILE"
-# NetBird dashboard environment overrides.
-# Example: NETBIRD_MGMT_API_ENDPOINT="https://netbird.example.com"
-NETBIRD_MGMT_API_ENDPOINT=""
-AUTH_AUTHORITY=""
-AUTH_CLIENT_ID=""
-AUTH_CLIENT_SECRET=""
-AUTH_AUDIENCE=""
-AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
-USE_AUTH0="false"
-ENV
+  cat <<CONFIG > "$DASHBOARD_ENV_FILE"
+# Endpoints
+NETBIRD_MGMT_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}
+NETBIRD_MGMT_GRPC_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}
+# OIDC - using embedded IdP
+AUTH_AUDIENCE=netbird-dashboard
+AUTH_CLIENT_ID=netbird-dashboard
+AUTH_CLIENT_SECRET=
+AUTH_AUTHORITY=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/oauth2
+USE_AUTH0=false
+AUTH_SUPPORTED_SCOPES=openid profile email groups
+AUTH_REDIRECT_URI=/nb-auth
+AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
+# SSL
+NGINX_SSL_PORT=443
+# Letsencrypt
+LETSENCRYPT_DOMAIN=none
+CONFIG
   chmod 600 "$DASHBOARD_ENV_FILE"
 fi
+
+# Generate Caddyfile if missing
+CADDYFILE="$DATA_DIR/Caddyfile"
+if [[ ! -f "$CADDYFILE" ]]; then
+  bashio::log.info "Generating Caddyfile at ${CADDYFILE}."
+  cat <<CONFIG > "$CADDYFILE"
+{
+  servers {
+    protocols h1 h2 h2c
+  }
+}
+
+(security_headers) {
+  header * {
+    Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+    X-Content-Type-Options "nosniff"
+    X-Frame-Options "SAMEORIGIN"
+    X-XSS-Protection "1; mode=block"
+    -Server
+    Referrer-Policy strict-origin-when-cross-origin
+  }
+}
+
+:80${CADDY_SECURE_DOMAIN} {
+  import security_headers
+  # relay
+  reverse_proxy /relay* 127.0.0.1:${RELAY_PORT}
+  # Signal
+  reverse_proxy /ws-proxy/signal* 127.0.0.1:${SIGNAL_PORT}
+  reverse_proxy /signalexchange.SignalExchange/* h2c://127.0.0.1:${SIGNAL_GRPC_PORT}
+  # Management
+  reverse_proxy /api/* 127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /ws-proxy/management* 127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /management.ManagementService/* h2c://127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /oauth2/* 127.0.0.1:${MANAGEMENT_PORT}
+  # Dashboard
+  reverse_proxy /* 127.0.0.1:${DASHBOARD_PORT}
+}
+CONFIG
+else
+  bashio::log.info "Using existing Caddyfile at ${CADDYFILE}."
+fi
+
+mkdir -p /run/nginx
+chmod +x /usr/local/bin/init_react_envs.sh