traefik+keycloak+netbird bootstrapped

.gitignore

@@ -1,3 +1,4 @@
 .env
 ./traefik/acme.json
 .temp
+./netbird/infrastructure_files/setup.env

README.md

@@ -0,0 +1,3 @@
+# Настройка и запуск
+# TODO
+- [ ] Пока оно не особо обновляется: docker-compose отдельный для Netbird и для Traefik + Keycloak. Надо вот над чем подумать: пихаемость конфиго

docker-compose.yml

@@ -1,4 +1,5 @@
 services:
+  # Keycloak part
   traefik:
     image: traefik:v2.11
     restart: unless-stopped
@@ -7,48 +8,12 @@ services:
       - "443:443"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./../../../traefik/traefik.yml:/etc/traefik/traefik.yml:ro
-      - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
+      - ./../../../traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
-      - ./traefik/acme.json:/acme.json
+      - ./../../../traefik/acme.json:/acme.json
     labels:
       - "traefik.enable=true"
 
-  signal:
-    image: netbirdio/signal:latest
-    restart: unless-stopped
-    environment:
-      - SIGNAL_ADDR=signal.dev.d3h.space:51820
-    ports:
-      - "51820:51820/udp"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.signal.rule=Host(`signal.dev.d3h.space`)"
-      - "traefik.http.routers.signal.entrypoints=websecure"
-      - "traefik.http.routers.signal.tls.certresolver=letsencrypt"
-
-  management:
-    image: netbirdio/management:latest
-    restart: unless-stopped
-    volumes:
-      - ./management:/etc/netbird
-      - ./management:/var/lib/netbird
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.management.rule=Host(`management.dev.d3h.space`)"
-      - "traefik.http.routers.management.entrypoints=websecure"
-      - "traefik.http.routers.management.tls.certresolver=letsencrypt"
-
-  dashboard:
-    image: netbirdio/dashboard:latest
-    restart: unless-stopped
-    environment:
-      - NB_MANAGEMENT_URL=http://management:80
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=Host(`dashboard.dev.d3h.space`)"
-      - "traefik.http.routers.dashboard.entrypoints=websecure"
-      - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
-
   postgres:
     image: postgres:16
     restart: unless-stopped
@@ -57,7 +22,7 @@ services:
       POSTGRES_USER: ${POSTGRES_USER}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
     volumes:
-      - ./pgdata:/var/lib/postgresql/data
+      - ./../../../pgdata:/var/lib/postgresql/data
 
   keycloak:
     image: quay.io/keycloak/keycloak:latest
@@ -97,3 +62,156 @@ services:
       - "traefik.http.routers.keycloak-http.entrypoints=web"
       - "traefik.http.routers.keycloak-http.middlewares=redirect-to-https"
     entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]
+
+
+  # UI dashboard
+  dashboard:
+    image: netbirdio/dashboard:latest
+    restart: unless-stopped
+    #ports:
+    #  - 80:80
+    #  - 443:443
+    environment:
+      # Endpoints
+      - NETBIRD_MGMT_API_ENDPOINT=https://dashboard.dev.d3h.space:33073
+      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://dashboard.dev.d3h.space:33073
+      # OIDC
+      - AUTH_AUDIENCE=netbird-client
+      - AUTH_CLIENT_ID=netbird-client
+      - AUTH_CLIENT_SECRET=
+      - AUTH_AUTHORITY=https://keycloak.dev.d3h.space/realms/netbird
+      - USE_AUTH0=false
+      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
+      - AUTH_REDIRECT_URI=
+      - AUTH_SILENT_REDIRECT_URI=
+      - NETBIRD_TOKEN_SOURCE=accessToken
+      # SSL
+      # - NGINX_SSL_PORT=443
+      # Letsencrypt
+      # - LETSENCRYPT_DOMAIN=dashboard.dev.d3h.space
+      # - LETSENCRYPT_EMAIL=dv-d3h@outlook.com
+    volumes:
+      - netbird-letsencrypt:/etc/letsencrypt/
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.netbird-dashboard.rule=Host(`dashboard.dev.d3h.space`)
+      - traefik.http.routers.netbird-dashboard.entrypoints=web
+      - traefik.http.routers.netbird-dashboard.middlewares=redirect-to-https
+      - traefik.http.routers.netbird-dashboard-https.rule=Host(`dashboard.dev.d3h.space`)
+      - traefik.http.routers.netbird-dashboard-https.entrypoints=websecure
+      - traefik.http.routers.netbird-dashboard-https.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-dashboard-https.service=netbird-dashboard
+      - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Signal
+  signal:
+    image: netbirdio/signal:latest
+    restart: unless-stopped
+    volumes:
+      - netbird-signal:/var/lib/netbird
+    #ports:
+    #  - 10000:80
+  #      # port and command for Let's Encrypt validation
+  #      - 443:443
+  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-signal.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/signalexchange.SignalExchange/`)
+    - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
+    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Relay
+  relay:
+    image: netbirdio/relay:latest
+    restart: unless-stopped
+    environment:
+    - NB_LOG_LEVEL=info
+    - NB_LISTEN_ADDRESS=:33080
+    - NB_EXPOSED_ADDRESS=dashboard.dev.d3h.space:33080
+    # todo: change to a secure secret
+    - NB_AUTH_SECRET=tjJzDDOdYOpzBCGfhsn4XO+Yc5rV+/9FX/+cjjd0tJA
+    # ports:
+    #   - 33080:33080
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-relay.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/relay`)
+    - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
+
+  # Management
+  management:
+    image: netbirdio/management:latest
+    restart: unless-stopped
+    depends_on:
+      - dashboard
+    volumes:
+      - netbird-mgmt:/var/lib/netbird
+      - netbird-letsencrypt:/etc/letsencrypt:ro
+      - ./management.json:/etc/netbird/management.json
+    #ports:
+    #  - 33073:443 #API port
+  #    # command for Let's Encrypt validation without dashboard container
+  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
+    command: [
+      "--port", "33073",
+      "--log-file", "console",
+      "--log-level", "info",
+      "--disable-anonymous-metrics=false",
+      "--single-account-mode-domain=dashboard.dev.d3h.space",
+      "--dns-domain=netbird.selfhosted"
+      ]
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-api.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/api`)
+    - traefik.http.routers.netbird-api.service=netbird-api
+    - traefik.http.services.netbird-api.loadbalancer.server.port=33073
+
+    - traefik.http.routers.netbird-management.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/management.ManagementService/`)
+    - traefik.http.routers.netbird-management.service=netbird-management
+    - traefik.http.services.netbird-management.loadbalancer.server.port=33073
+    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+    environment:
+      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
+      - NETBIRD_STORE_ENGINE_MYSQL_DSN=
+
+  # Coturn
+  coturn:
+    image: coturn/coturn:latest
+    restart: unless-stopped
+    domainname: dashboard.dev.d3h.space
+    volumes:
+      - ./turnserver.conf:/etc/turnserver.conf:ro
+    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
+    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
+    network_mode: host
+    command:
+      - -c /etc/turnserver.conf
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+volumes:
+  netbird-mgmt:
+  netbird-signal:
+  netbird-letsencrypt:

docker-compose.yml.bak

@@ -0,0 +1,63 @@
+services:
+  traefik:
+    image: traefik:v2.11
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
+      - ./traefik/acme.json:/acme.json
+    labels:
+      - "traefik.enable=true"
+
+  postgres:
+    image: postgres:16
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - ./pgdata:/var/lib/postgresql/data
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    restart: unless-stopped
+    ports:
+      - "8080"  # для доступа из других контейнеров и дебага
+    environment:
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_DB: postgres
+      KC_DB_URL_HOST: postgres
+      KC_DB_URL_DATABASE: ${POSTGRES_DB}
+      KC_DB_USERNAME: ${POSTGRES_USER}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
+      KC_PROXY: edge
+      KC_HTTP_ENABLED: true
+      KC_HOSTNAME: keycloak.dev.d3h.space
+      KC_HOSTNAME_STRICT: true
+      KC_HOSTNAME_STRICT_HTTPS: true
+      KC_PROXY_HEADERS: xforwarded
+      KC_FRONTEND_URL: https://keycloak.dev.d3h.space
+      KC_HOSTNAME_URL: https://keycloak.dev.d3h.space
+    depends_on:
+      - postgres
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak.rule=Host(`keycloak.dev.d3h.space`)"
+      - "traefik.http.routers.keycloak.entrypoints=websecure"
+      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.keycloak.middlewares=keycloak-https-headers"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
+      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Host=keycloak.dev.d3h.space"
+
+      - "traefik.http.routers.keycloak-http.rule=Host(`keycloak.dev.d3h.space`)"
+      - "traefik.http.routers.keycloak-http.entrypoints=web"
+      - "traefik.http.routers.keycloak-http.middlewares=redirect-to-https"
+    entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]

docker-compose.yml.example

@@ -0,0 +1,217 @@
+services:
+  # Keycloak part
+  traefik:
+    image: traefik:v2.11
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./../../../traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./../../../traefik/dynamic.yml:/etc/traefik/dynamic.yml:ro
+      - ./../../../traefik/acme.json:/acme.json
+    labels:
+      - "traefik.enable=true"
+
+  postgres:
+    image: postgres:16
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - ./../../../pgdata:/var/lib/postgresql/data
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:latest
+    restart: unless-stopped
+    ports:
+      - "8080"  # для доступа из других контейнеров и дебага
+    environment:
+      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_DB: postgres
+      KC_DB_URL_HOST: postgres
+      KC_DB_URL_DATABASE: ${POSTGRES_DB}
+      KC_DB_USERNAME: ${POSTGRES_USER}
+      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
+      KC_PROXY: edge
+      KC_HTTP_ENABLED: true
+      KC_HOSTNAME: keycloak.dev.d3h.space
+      KC_HOSTNAME_STRICT: true
+      KC_HOSTNAME_STRICT_HTTPS: true
+      KC_PROXY_HEADERS: xforwarded
+      KC_FRONTEND_URL: https://keycloak.dev.d3h.space
+      KC_HOSTNAME_URL: https://keycloak.dev.d3h.space
+    depends_on:
+      - postgres
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak.rule=Host(`keycloak.dev.d3h.space`)"
+      - "traefik.http.routers.keycloak.entrypoints=websecure"
+      - "traefik.http.routers.keycloak.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.keycloak.middlewares=keycloak-https-headers"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
+      - "traefik.http.middlewares.keycloak-https-headers.headers.customrequestheaders.X-Forwarded-Host=keycloak.dev.d3h.space"
+
+      - "traefik.http.routers.keycloak-http.rule=Host(`keycloak.dev.d3h.space`)"
+      - "traefik.http.routers.keycloak-http.entrypoints=web"
+      - "traefik.http.routers.keycloak-http.middlewares=redirect-to-https"
+    entrypoint: ["/opt/keycloak/bin/kc.sh", "start"]
+
+
+  # UI dashboard
+  dashboard:
+    image: netbirdio/dashboard:latest
+    restart: unless-stopped
+    #ports:
+    #  - 80:80
+    #  - 443:443
+    environment:
+      # Endpoints
+      - NETBIRD_MGMT_API_ENDPOINT=https://dashboard.dev.d3h.space:33073
+      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://dashboard.dev.d3h.space:33073
+      # OIDC
+      - AUTH_AUDIENCE=netbird-client
+      - AUTH_CLIENT_ID=netbird-client
+      - AUTH_CLIENT_SECRET=
+      - AUTH_AUTHORITY=https://keycloak.dev.d3h.space/realms/netbird
+      - USE_AUTH0=false
+      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
+      - AUTH_REDIRECT_URI=
+      - AUTH_SILENT_REDIRECT_URI=
+      - NETBIRD_TOKEN_SOURCE=accessToken
+      # SSL
+      # - NGINX_SSL_PORT=443
+      # Letsencrypt
+      # - LETSENCRYPT_DOMAIN=dashboard.dev.d3h.space
+      # - LETSENCRYPT_EMAIL=dv-d3h@outlook.com
+    volumes:
+      - netbird-letsencrypt:/etc/letsencrypt/
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.netbird-dashboard.rule=Host(`dashboard.dev.d3h.space`)
+      - traefik.http.routers.netbird-dashboard.entrypoints=web
+      - traefik.http.routers.netbird-dashboard.middlewares=redirect-to-https
+      - traefik.http.routers.netbird-dashboard-https.rule=Host(`dashboard.dev.d3h.space`)
+      - traefik.http.routers.netbird-dashboard-https.entrypoints=websecure
+      - traefik.http.routers.netbird-dashboard-https.tls.certresolver=letsencrypt
+      - traefik.http.routers.netbird-dashboard-https.service=netbird-dashboard
+      - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Signal
+  signal:
+    image: netbirdio/signal:latest
+    restart: unless-stopped
+    volumes:
+      - netbird-signal:/var/lib/netbird
+    #ports:
+    #  - 10000:80
+  #      # port and command for Let's Encrypt validation
+  #      - 443:443
+  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-signal.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/signalexchange.SignalExchange/`)
+    - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
+    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # Relay
+  relay:
+    image: netbirdio/relay:latest
+    restart: unless-stopped
+    environment:
+    - NB_LOG_LEVEL=info
+    - NB_LISTEN_ADDRESS=:33080
+    - NB_EXPOSED_ADDRESS=dashboard.dev.d3h.space:33080
+    # todo: change to a secure secret
+    - NB_AUTH_SECRET=tjJzDDOdYOpzBCGfhsn4XO+Yc5rV+/9FX/+cjjd0tJA
+    # ports:
+    #   - 33080:33080
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-relay.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/relay`)
+    - traefik.http.services.netbird-relay.loadbalancer.server.port=33080
+
+  # Management
+  management:
+    image: netbirdio/management:latest
+    restart: unless-stopped
+    depends_on:
+      - dashboard
+    volumes:
+      - netbird-mgmt:/var/lib/netbird
+      - netbird-letsencrypt:/etc/letsencrypt:ro
+      - ./management.json:/etc/netbird/management.json
+    #ports:
+    #  - 33073:443 #API port
+  #    # command for Let's Encrypt validation without dashboard container
+  #    command: ["--letsencrypt-domain", "", "--log-file", "console"]
+    command: [
+      "--port", "33073",
+      "--log-file", "console",
+      "--log-level", "info",
+      "--disable-anonymous-metrics=false",
+      "--single-account-mode-domain=dashboard.dev.d3h.space",
+      "--dns-domain=netbird.selfhosted"
+      ]
+    labels:
+    - traefik.enable=true
+    - traefik.http.routers.netbird-api.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/api`)
+    - traefik.http.routers.netbird-api.service=netbird-api
+    - traefik.http.services.netbird-api.loadbalancer.server.port=33073
+
+    - traefik.http.routers.netbird-management.rule=Host(`dashboard.dev.d3h.space`) && PathPrefix(`/management.ManagementService/`)
+    - traefik.http.routers.netbird-management.service=netbird-management
+    - traefik.http.services.netbird-management.loadbalancer.server.port=33073
+    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+    environment:
+      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=
+      - NETBIRD_STORE_ENGINE_MYSQL_DSN=
+
+  # Coturn
+  coturn:
+    image: coturn/coturn:latest
+    restart: unless-stopped
+    domainname: dashboard.dev.d3h.space
+    volumes:
+      - ./turnserver.conf:/etc/turnserver.conf:ro
+    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
+    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
+    network_mode: host
+    command:
+      - -c /etc/turnserver.conf
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+volumes:
+  netbird-mgmt:
+  netbird-signal:
+  netbird-letsencrypt:

netbird/infrastructure_files/artifacts/pgdata/PG_VERSION

@@ -0,0 +1 @@
+16