Add disable letsencrypt (#747)

Add NETBIRD_DISABLE_LETSENCRYPT support to explicit disable let's encrypt Organize the setup.env.example variables into sections Add traefik example
2024-11-22 08:03:30 +01:00 · 2023-04-04 00:21:40 +02:00 · 2023-04-04 00:21:40 +02:00 · 5993982cca
commit 5993982cca
parent 86f9051a30
6 changed files with 174 additions and 17 deletions
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@ -7,14 +7,18 @@ NETBIRD_MGMT_API_PORT=33073
 # Management API endpoint address, used by the Dashboard
 NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
 # Management Certficate file path. These are generated by the Dashboard container
-NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/fullchain.pem"
+NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"
 # Management Certficate key file path.
-NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/privkey.pem"
+NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/privkey.pem"
 # By default Management single account mode is enabled and domain set to $NETBIRD_DOMAIN, you may want to set this to your user's email domain
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
-# Turn credentials

+# Signal
+NETBIRD_SIGNAL_PROTOCOL="http"
+NETBIRD_SIGNAL_PORT=10000
+
+# Turn credentials
 # User
 TURN_USER=self
 # Password. If empty, the configure.sh will generate one with openssl
@ -61,4 +65,6 @@ export SIGNAL_VOLUMESUFFIX
 export LETSENCRYPT_VOLUMESUFFIX
 export NETBIRD_DISABLE_ANONYMOUS_METRICS
 export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
-export NETBIRD_MGMT_DNS_DOMAIN
+export NETBIRD_MGMT_DNS_DOMAIN
+export NETBIRD_SIGNAL_PROTOCOL
+export NETBIRD_SIGNAL_PORT
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@ -121,6 +121,32 @@ if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
    export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
 fi

+# Check if letsencrypt was disabled
+if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]
+then
+  export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
+  export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
+
+  echo "Letsencrypt was disabled, the Https-endpoints cannot be used anymore"
+  echo " and a reverse-proxy with Https needs to be placed in front of netbird!"
+  echo "The following forwards have to be setup:"
+  echo "- $NETBIRD_DASHBOARD_ENDPOINT -http-> dashboard:80"
+  echo "- $NETBIRD_MGMT_API_ENDPOINT/api -http-> management:$NETBIRD_MGMT_API_PORT"
+  echo "- $NETBIRD_MGMT_API_ENDPOINT/management.ManagementService/ -grpc-> management:$NETBIRD_MGMT_API_PORT"
+  echo "- $NETBIRD_SIGNAL_ENDPOINT/signalexchange.SignalExchange/ -grpc-> signal:80"
+  echo "You most likely also have to change NETBIRD_MGMT_API_ENDPOINT in base.setup.env and port-mappings in docker-compose.yml.tmpl and rerun this script."
+  echo " The target of the forwards depends on your setup. Beware of the gRPC protocol instead of http for management and signal!"
+  echo "You are also free to remove any occurences of the Letsencrypt-volume $LETSENCRYPT_VOLUMENAME"
+  echo ""
+
+  export NETBIRD_SIGNAL_PROTOCOL="https"
+  unset NETBIRD_LETSENCRYPT_DOMAIN
+  unset NETBIRD_MGMT_API_CERT_FILE
+  unset NETBIRD_MGMT_API_CERT_KEY_FILE
+else
+  export NETBIRD_LETSENCRYPT_DOMAIN="$NETBIRD_DOMAIN"
+fi
+
 env | grep NETBIRD

 envsubst < docker-compose.yml.tmpl > docker-compose.yml
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@ -8,20 +8,25 @@ services:
      - 80:80
      - 443:443
    environment:
+      # Endpoints
+      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
+      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
+      # OIDC
      - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
      - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
      - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
      - USE_AUTH0=$NETBIRD_USE_AUTH0
      - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
-      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      - NGINX_SSL_PORT=443
-      - LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
-      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
      - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
      - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
+      # SSL
+      - NGINX_SSL_PORT=443
+      # Letsencrypt
+      - LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN
+      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
    volumes:
      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/
+
  # Signal
  signal:
    image: netbirdio/signal:latest
@ -32,7 +37,8 @@ services:
      - 10000:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
-  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
+  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
+
  # Management
  management:
    image: netbirdio/management:latest
@ -46,8 +52,15 @@ services:
    ports:
      - $NETBIRD_MGMT_API_PORT:443 #API port
  #    # command for Let's Encrypt validation without dashboard container
-  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
-    command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS", "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN", "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"]
+  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
+    command: [
+      "--port", "443",
+      "--log-file", "console",
+      "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS",
+      "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
+      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
+      ]
+  
  # Coturn
  coturn:
    image: coturn/coturn
@ -60,6 +73,7 @@ services:
    network_mode: host
    command:
      - -c /etc/turnserver.conf
+
 volumes:
  $MGMT_VOLUMENAME:
  $SIGNAL_VOLUMENAME:
--- a/infrastructure_files/docker-compose.yml.tmpl.traefik
+++ b/infrastructure_files/docker-compose.yml.tmpl.traefik
@ -0,0 +1,99 @@
+version: "3"
+services:
+  #UI dashboard
+  dashboard:
+    image: wiretrustee/dashboard:latest
+    restart: unless-stopped
+    #ports:
+    #  - 80:80
+    #  - 443:443
+    environment:
+      # Endpoints
+      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
+      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
+      # OIDC
+      - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+      - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+      - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
+      - USE_AUTH0=$NETBIRD_USE_AUTH0
+      - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
+      - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
+      - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
+      # SSL
+      - NGINX_SSL_PORT=443
+      # Letsencrypt
+      - LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN
+      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
+    volumes:
+      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-dashboard.rule=Host(`$NETBIRD_DOMAIN`)
+    - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
+
+  # Signal
+  signal:
+    image: netbirdio/signal:latest
+    restart: unless-stopped
+    volumes:
+      - $SIGNAL_VOLUMENAME:/var/lib/netbird
+    #ports:
+    #  - 10000:80
+  #      # port and command for Let's Encrypt validation
+  #      - 443:443
+  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/signalexchange.SignalExchange/`)
+    - traefik.http.services.netbird-signal.loadbalancer.server.port=80
+    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
+
+  # Management
+  management:
+    image: netbirdio/management:latest
+    restart: unless-stopped
+    depends_on:
+      - dashboard
+    volumes:
+      - $MGMT_VOLUMENAME:/var/lib/netbird
+      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
+      - ./management.json:/etc/netbird/management.json
+    #ports:
+    #  - $NETBIRD_MGMT_API_PORT:443 #API port
+  #    # command for Let's Encrypt validation without dashboard container
+  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
+    command: [
+      "--port", "443",
+      "--log-file", "console",
+      "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS",
+      "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
+      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
+      ]
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-api.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/api`)
+    - traefik.http.routers.netbird-api.service=netbird-api
+    - traefik.http.services.netbird-api.loadbalancer.server.port=443
+
+    - traefik.http.routers.netbird-management.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/management.ManagementService/`)
+    - traefik.http.routers.netbird-management.service=netbird-management
+    - traefik.http.services.netbird-management.loadbalancer.server.port=443
+    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
+
+  # Coturn
+  coturn:
+    image: coturn/coturn
+    restart: unless-stopped
+    domainname: $NETBIRD_DOMAIN
+    volumes:
+      - ./turnserver.conf:/etc/turnserver.conf:ro
+    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
+    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
+    network_mode: host
+    command:
+      - -c /etc/turnserver.conf
+
+volumes:
+  $MGMT_VOLUMENAME:
+  $SIGNAL_VOLUMENAME:
+  $LETSENCRYPT_VOLUMENAME:
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@ -21,8 +21,8 @@
        "TimeBasedCredentials": false
    },
    "Signal": {
-        "Proto": "http",
-        "URI": "$NETBIRD_DOMAIN:10000",
+        "Proto": "$NETBIRD_SIGNAL_PROTOCOL",
+        "URI": "$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT",
        "Username": "",
        "Password": null
    },
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@ -2,7 +2,11 @@
 ##
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN=""
-# OIDC configuration e.g., https://example.eu.auth0.com/.well-known/openid-configuration
+
+# -------------------------------------------
+# OIDC
+#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
+# -------------------------------------------
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
 NETBIRD_AUTH_AUDIENCE=""
 # e.g. netbird-client
@ -13,13 +17,21 @@ NETBIRD_AUTH_CLIENT_ID=""
 NETBIRD_USE_AUTH0="false"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# e.g. hello@mydomain.com
-NETBIRD_LETSENCRYPT_EMAIL=""
+
 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
 # NETBIRD_AUTH_REDIRECT_URI="/peers"
 # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"

+# -------------------------------------------
+# Letsencrypt
+# -------------------------------------------
+# Disable letsencrypt
+#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
+NETBIRD_DISABLE_LETSENCRYPT=false
+# e.g. hello@mydomain.com
+NETBIRD_LETSENCRYPT_EMAIL=""
+
 # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted