refactor(netbird): use port registry and named IP variables

refactor(ports): add netbird port definitions
2026-02-27 16:03:12 +01:00 · 2026-02-27 16:03:08 +01:00
25 changed files with 443 additions and 253 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -82,11 +82,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771355198,
+        "lastModified": 1771881364,
-        "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=",
+        "narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9",
+        "rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6",
        "type": "github"
      },
      "original": {
@@ -162,11 +162,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771422582,
+        "lastModified": 1772164835,
-        "narHash": "sha256-xK5kl3OBZaF1VwziVMX+SZ2LT9Fbu5o8vRDt78uR7no=",
+        "narHash": "sha256-zRcwrZDeBfYipqv/7K7TqsfPb87LFU6b7JhoNUGSnvQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "b3ccd4bb262f4e6d3248b46cede92b90c4a42094",
+        "rev": "2a39b0828bbffce0d73769a61e46e780488d098b",
        "type": "github"
      },
      "original": {
@@ -246,11 +246,11 @@
        "openspec": "openspec"
      },
      "locked": {
-        "lastModified": 1771433707,
+        "lastModified": 1772041931,
-        "narHash": "sha256-O6S4YB16lN9ACb2Z6lEWxE22IyUhb+Z3mJgQJw3hpA4=",
+        "narHash": "sha256-NQOQrGtR1EXM33JSVUt5Sz5MburSxWU7t9iZrJk9gQo=",
        "ref": "refs/heads/master",
-        "rev": "58312b2ca2fdf5e0f753e496b4902a523cbb96aa",
+        "rev": "e22774539ac26071b1bc0e6e8272df3c3ec732f2",
-        "revCount": 120,
+        "revCount": 132,
        "type": "git",
        "url": "https://code.m3ta.dev/m3tam3re/nixpkgs"
      },
@@ -393,11 +393,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1770917518,
+        "lastModified": 1771574031,
-        "narHash": "sha256-XSwv/tVrNo/L8SPH8Lx9xZH1PrZd/3Z3J/0SH7Xertg=",
+        "narHash": "sha256-yKeO6auxI8PrBZOdt/LVRDm+bh939E60l4iZKo1ExeA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3f4a3c08f2f318ee29fc8a2689f390071a94aaf0",
+        "rev": "ab43bb60c7d266a4a285e863d89c1e69cd124dd5",
        "type": "github"
      },
      "original": {
@@ -409,11 +409,11 @@
    },
    "nixpkgs-master_2": {
      "locked": {
-        "lastModified": 1771426280,
+        "lastModified": 1772174770,
-        "narHash": "sha256-EJOpj/ha/y7cLBHqPWCbYh4fFM83mO/c9bYm8zVVRkY=",
+        "narHash": "sha256-/9F05YcHccOaI4dIsWk4G9oKEK07Oc3TeK5O7S3Mu8Q=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "85680c67a23fe3cc29b85d4568e984185c58e0c9",
+        "rev": "337e35331766eb979303e7639914c8a80cc02649",
        "type": "github"
      },
      "original": {
@@ -425,11 +425,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1771208521,
+        "lastModified": 1771903837,
-        "narHash": "sha256-X01Q3DgSpjeBpapoGA4rzKOn25qdKxbPnxHeMLNoHTU=",
+        "narHash": "sha256-sdaqdnsQCv3iifzxwB22tUwN/fSHoN7j2myFW5EIkGk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8",
+        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
        "type": "github"
      },
      "original": {
@@ -457,11 +457,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1770562336,
+        "lastModified": 1771369470,
-        "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
+        "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
+        "rev": "0182a361324364ae3f436a63005877674cf45efb",
        "type": "github"
      },
      "original": {
@@ -489,11 +489,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1771008912,
+        "lastModified": 1771848320,
-        "narHash": "sha256-gf2AmWVTs8lEq7z/3ZAsgnZDhWIckkb+ZnAo5RzSxJg=",
+        "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a82ccc39b39b621151d6732718e3e250109076fa",
+        "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
        "type": "github"
      },
      "original": {
@@ -527,11 +527,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771425294,
+        "lastModified": 1772169824,
-        "narHash": "sha256-owiQE9oINf1cgaulbrr2sMjelk2cmR8rkxLRPYYL6Kg=",
+        "narHash": "sha256-KF4t5iagvmzUCT/ukiMbKg+hG+raFm+qs4zRWJouho8=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "242d44cd6af365da2dfa77422263b29d0ac9f39f",
+        "rev": "9d6c360577861a5218dbf453b84483075e6b56d2",
        "type": "github"
      },
      "original": {
@@ -548,16 +548,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1771271829,
+        "lastModified": 1772031356,
-        "narHash": "sha256-43vPMyO7DsAgKrh0Wmt7jLDYCWUsaj30nBITreyYgX8=",
+        "narHash": "sha256-PA3/P5nUDlrKD6xjDXFoNNF8U2Wzz2JeeY4H+CzWWgY=",
        "owner": "anomalyco",
        "repo": "opencode",
-        "rev": "d8c25bfeb44771cc3a3ba17bf8de6ad2add9de2c",
+        "rev": "de2bc25677b419d2af0da8b6a24a05d3f22b67a8",
        "type": "github"
      },
      "original": {
        "owner": "anomalyco",
-        "ref": "v1.2.6",
+        "ref": "v1.2.14",
        "repo": "opencode",
        "type": "github"
      }
@@ -570,11 +570,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1771409495,
+        "lastModified": 1771554066,
-        "narHash": "sha256-LplnuO/OHSFL8S8iwQ16CZTjlPxRV9XohkKxL3uA5Sc=",
+        "narHash": "sha256-nQPz81Um+4zhEeNz1o55Ix1DoBEM3CxeABAmOJkgIac=",
        "owner": "Fission-AI",
        "repo": "OpenSpec",
-        "rev": "5fd8e9d66c3b6b116e7af814a6013c2d9c4958dd",
+        "rev": "4ba26902dfecf6f54c5a729993e012a57f4e2877",
        "type": "github"
      },
      "original": {
--- a/home/features/desktop/hyprland.nix
+++ b/home/features/desktop/hyprland.nix
@@ -122,6 +122,7 @@ in {
          "match:title branchdialog, float on"
          "match:class pavucontrol-qt, float on"
          "match:class pavucontrol, float on"
          "match:class class:^(espanso)$, float on"
          # wlogout
          "match:class wlogout, fullscreen on"
          "match:title wlogout, float on"
--- a/home/features/desktop/media.nix
+++ b/home/features/desktop/media.nix
@@ -19,22 +19,22 @@ in {
      amf
      blueberry
      ffmpeg_6-full
      gimp
      gst_all_1.gstreamer
      gst_all_1.gst-vaapi
      handbrake
      inkscape
      kdePackages.kdenlive
      krita
      libation
      #makemkv
      pamixer
      pavucontrol
      qpwgraph
      v4l-utils
-      #plexamp
+      plexamp
      # uxplay
      # vlc
-      # webcord
+      webcord
      # yt-dlp
      unimatrix
    ];
--- a/hosts/common/ports.nix
+++ b/hosts/common/ports.nix
@@ -18,6 +18,10 @@
      wireguard = 51820;
      tailscale = 41641;
      headscale = 3009;
      netbird-stun = 3478;
      netbird-proxy = 8443;
      netbird-metrics = 9090;
      netbird-health = 9000;
      # Containers & web apps
      gitea = 3030;
--- a/hosts/m3-ares/services/default.nix
+++ b/hosts/m3-ares/services/default.nix
@@ -6,7 +6,6 @@
    ./postgres.nix
    ./restic.nix
    ./sound.nix
    ./tailscale.nix
    ./udev.nix
    ./wireguard.nix
  ];
--- a/hosts/m3-ares/services/tailscale.nix
+++ b/hosts/m3-ares/services/tailscale.nix
@@ -1,12 +0,0 @@
 {config, ...}: {
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale-key.path;
    useRoutingFeatures = "both";
    extraUpFlags = [
      "--login-server=https://va.m3tam3re.com"
      "--accept-routes"
      "--ssh"
    ];
  };
 }
--- a/hosts/m3-atlas/secrets.nix
+++ b/hosts/m3-atlas/secrets.nix
@@ -11,6 +11,24 @@
      littlelink-m3tam3re = {file = ../../secrets/littlelink-m3tam3re.age;};
      minio-root-cred = {file = ../../secrets/minio-root-cred.age;};
      n8n-env = {file = ../../secrets/n8n-env.age;};
      netbird-auth-secret = {
        file = ../../secrets/netbird-auth-secret.age;
      };
      netbird-db-password = {
        file = ../../secrets/netbird-db-password.age;
      };
      netbird-encryption-key = {
        file = ../../secrets/netbird-encryption-key.age;
      };
      netbird-dashboard-env = {
        file = ../../secrets/netbird-dashboard-env.age;
      };
      netbird-server-env = {
        file = ../../secrets/netbird-server-env.age;
      };
      netbird-proxy-env = {
        file = ../../secrets/netbird-proxy-env.age;
      };
      paperless-key = {file = ../../secrets/paperless-key.age;};
      restreamer-env = {file = ../../secrets/restreamer-env.age;};
      searx = {file = ../../secrets/searx.age;};
--- a/hosts/m3-atlas/services/containers/default.nix
+++ b/hosts/m3-atlas/services/containers/default.nix
@@ -5,6 +5,7 @@
    ./kestra.nix
    ./littlelink.nix
    ./matomo.nix
    ./netbird.nix
    # ./n8n.nix
    # ./pangolin.nix
    ./restreamer.nix
--- a/hosts/m3-atlas/services/containers/netbird.nix
+++ b/hosts/m3-atlas/services/containers/netbird.nix
@@ -0,0 +1,245 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  serviceName = "netbird";
  stunPort = config.m3ta.ports.get "netbird-stun";
  proxyTlsPort = config.m3ta.ports.get "netbird-proxy";
  metricsPort = config.m3ta.ports.get "netbird-metrics";
  healthPort = config.m3ta.ports.get "netbird-health";
  postgresPort = config.m3ta.ports.get "postgres";
  wireguardPort = config.m3ta.ports.get "wireguard";
  domain = "v.m3ta.dev";
  proxyDomain = "p.m3ta.dev";
  ipBase = "10.89.0";
  ipOffset = 50;
  dashboardIp = "${ipBase}.${toString ipOffset}";
  serverIp = "${ipBase}.${toString (ipOffset + 1)}";
  proxyIp = "${ipBase}.${toString (ipOffset + 2)}";
  # Database configuration
  dbName = "netbird";
  dbUser = "netbird";
  dbHost = "${ipBase}.1";
  # NetBird config as Nix attribute set
  netbirdConfig = {
    server = {
      listenAddress = ":80";
      exposedAddress = "https://${domain}:443";
      stunPorts = [stunPort];
      metricsPort = metricsPort;
      healthcheckAddress = ":${toString healthPort}";
      logLevel = "info";
      logFile = "console";
      dataDir = "/var/lib/netbird";
      auth = {
        issuer = "https://${domain}/oauth2";
        # localAuthDisabled = true;
        signKeyRefreshEnabled = true;
        dashboardRedirectURIs = [
          "https://${domain}/nb-auth"
          "https://${domain}/nb-silent-auth"
        ];
        cliRedirectURIs = ["http://localhost:53000/"];
      };
      reverseProxy = {
        trustedHTTPProxies = ["${ipBase}.1/32"];
      };
      # Proxy feature
      proxy = {
        enabled = true;
        domain = proxyDomain;
      };
      store = {
        engine = "postgres";
        postgres = {
          host = dbHost;
          port = postgresPort;
          database = dbName;
          username = dbUser;
        };
      };
    };
  };
  # Generate YAML from Nix attribute set
  yamlFormat = pkgs.formats.yaml {};
  configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
  # Script that injects secrets at runtime
  configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
    set -euo pipefail
    AUTH_SECRET=$(cat "$1")
    DB_PASSWORD=$(cat "$2")
    ENCRYPTION_KEY=$(cat "$3")
    ${pkgs.yq-go}/bin/yq eval "
      .server.authSecret = \"$AUTH_SECRET\" |
      .server.store.encryptionKey = \"$ENCRYPTION_KEY\" |
      .server.store.postgres.password = \"$DB_PASSWORD\"
    " ${configYamlBase}
  '';
 in {
  age.secrets."${serviceName}-auth-secret".file = ../../../../secrets/${serviceName}-auth-secret.age;
  age.secrets."${serviceName}-db-password".file = ../../../../secrets/${serviceName}-db-password.age;
  age.secrets."${serviceName}-encryption-key".file = ../../../../secrets/${serviceName}-encryption-key.age;
  age.secrets."${serviceName}-dashboard-env".file = ../../../../secrets/${serviceName}-dashboard-env.age;
  age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
  age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
  # Oneshot systemd service that generates the config with injected secrets
  systemd.services."${serviceName}-config" = {
    description = "Generate NetBird config with secrets";
    wantedBy = ["multi-user.target"];
    before = ["podman-${serviceName}-server.service"];
    requiredBy = ["podman-${serviceName}-server.service"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = pkgs.writeShellScript "netbird-write-config" ''
        mkdir -p /var/lib/${serviceName}
        ${configGenScript} \
          ${config.age.secrets."${serviceName}-auth-secret".path} \
          ${config.age.secrets."${serviceName}-db-password".path} \
          ${config.age.secrets."${serviceName}-encryption-key".path} \
          > /var/lib/${serviceName}/config.yaml
        chmod 600 /var/lib/${serviceName}/config.yaml
      '';
    };
  };
  virtualisation.oci-containers.containers = {
    "${serviceName}-dashboard" = {
      image = "netbirdio/dashboard:latest";
      autoStart = true;
      environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
      extraOptions = [
        "--ip=${dashboardIp}"
        "--network=web"
      ];
    };
    "${serviceName}-server" = {
      image = "netbirdio/netbird-server:latest";
      autoStart = true;
      ports = ["${toString stunPort}:${toString stunPort}/udp"];
      environmentFiles = [config.age.secrets."${serviceName}-server-env".path];
      volumes = [
        "${serviceName}_data:/var/lib/netbird"
        "/var/lib/${serviceName}/config.yaml:/etc/netbird/config.yaml:ro"
      ];
      cmd = ["--config" "/etc/netbird/config.yaml"];
      extraOptions = [
        "--ip=${serverIp}"
        "--network=web"
      ];
    };
    "${serviceName}-proxy" = {
      image = "netbirdio/reverse-proxy:latest";
      autoStart = true;
      ports = ["${toString wireguardPort}:${toString wireguardPort}/udp"];
      volumes = [
        "${serviceName}_proxy_certs:/certs"
      ];
      environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
      cmd = [
        "--domain=${proxyDomain}"
        "--mgmt=https://${domain}:443"
        "--addr=:${toString proxyTlsPort}"
        "--cert-dir=/certs"
        "--acme-certs"
        "--trusted-proxies=${ipBase}.1/32"
      ];
      dependsOn = ["${serviceName}-server"];
      extraOptions = [
        "--ip=${proxyIp}"
        "--network=web"
      ];
    };
  };
  services.traefik.dynamicConfigOptions = {
    # HTTP services and routers
    http = {
      services = {
        "${serviceName}-dashboard".loadBalancer.servers = [
          {url = "http://${dashboardIp}:80/";}
        ];
        "${serviceName}-server".loadBalancer.servers = [
          {url = "http://${serverIp}:80/";}
        ];
        "${serviceName}-server-h2c".loadBalancer.servers = [
          {url = "h2c://${serverIp}:80";}
        ];
      };
      routers = {
        # gRPC (Signal + Management)
        "${serviceName}-grpc" = {
          rule = "Host(`${domain}`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`) || PathPrefix(`/management.ProxyService/`))";
          entrypoints = "websecure";
          tls.certResolver = "godaddy";
          service = "${serviceName}-server-h2c";
          priority = 100;
        };
        # Backend (relay, WebSocket, API, OAuth2)
        "${serviceName}-backend" = {
          rule = "Host(`${domain}`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))";
          entrypoints = "websecure";
          tls.certResolver = "godaddy";
          service = "${serviceName}-server";
          priority = 100;
        };
        # Dashboard (catch-all, lowest priority)
        "${serviceName}-dashboard" = {
          rule = "Host(`${domain}`)";
          entrypoints = "websecure";
          tls.certResolver = "godaddy";
          service = "${serviceName}-dashboard";
          priority = 1;
        };
      };
    };
    # TCP for proxy TLS passthrough
    tcp = {
      services."${serviceName}-proxy-tls".loadBalancer.servers = [
        {address = "${proxyIp}:${toString proxyTlsPort}";}
      ];
      routers."${serviceName}-proxy-passthrough" = {
        entryPoints = ["websecure"];
        rule = "HostSNI(`*`)";
        service = "${serviceName}-proxy-tls";
        priority = 1;
        tls.passthrough = true;
      };
    };
    # ServersTransport for Proxy Protocol v2 (optional)
    serversTransports."pp-v2" = {
      proxyProtocol.version = 2;
    };
  };
  networking.firewall.allowedUDPPorts = [
    stunPort # STUN
    wireguardPort # WireGuard for proxy
  ];
 }
--- a/hosts/m3-atlas/services/default.nix
+++ b/hosts/m3-atlas/services/default.nix
@@ -3,15 +3,12 @@
    ./containers
    ./gitea.nix
    ./gitea-actions-runner.nix
    ./headscale.nix
    ./minio.nix
    ./mysql.nix
    ./n8n.nix
    ./outline.nix
    ./paperless.nix
    ./postgres.nix
    ./searx.nix
    ./tailscale.nix
    ./traefik.nix
    ./vaultwarden.nix
    ./wastebin.nix
--- a/hosts/m3-atlas/services/headscale.nix
+++ b/hosts/m3-atlas/services/headscale.nix
@@ -1,118 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  # Define a new option for the admin user
  options.services.headscale = {
    adminUser = lib.mkOption {
      type = lib.types.str;
      default = "m3tam3re@m3ta.loc";
      description = "Username for the headscale admin user";
    };
  };
  config = let
    adminUser = config.services.headscale.adminUser;
    aclConfig = {
      # Groups definition
      groups = {
        "group:admins" = ["${adminUser}"];
      };
      acls = [
        # Allow all connections within the tailnet
        {
          action = "accept";
          src = ["*"];
          dst = ["*:*"];
        }
        # Allow admin to connect to their own services
        {
          action = "accept";
          src = ["${adminUser}"];
          dst = ["${adminUser}:*"];
        }
      ];
      # Auto-approvers section for routes
      autoApprovers = {
        routes = {
          "0.0.0.0/0" = ["${adminUser}"];
          "10.0.0.0/8" = ["${adminUser}"];
          "192.168.0.0/16" = ["${adminUser}"];
        };
        exitNode = ["${adminUser}"];
      };
    };
    # Convert to HuJSON format with comments
    aclHuJson = ''
      // Headscale ACL Policy - Generated by NixOS
      // Admin user: ${adminUser}
      ${builtins.toJSON aclConfig}
    '';
    aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
  in {
    services = {
      headscale = {
        enable = true;
        adminUser = "m3tam3re@m3ta.loc";
        port = 3009;
        settings = {
          server_url = "https://va.m3tam3re.com";
          dns = {
            base_domain = "m3ta.loc";
            nameservers.global = ["8.8.8.8"];
          };
          logtail.enabled = false;
          policy.path = "${aclFile}";
        };
      };
    };
    # Create a systemd service to ensure the admin user exists
    systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
      description = "Ensure Headscale admin user exists";
      after = ["headscale.service"];
      requires = ["headscale.service"];
      wantedBy = ["multi-user.target"];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        User = "headscale";
        Group = "headscale";
      };
      script = ''
        # Check if user exists and create if needed
        if ! ${pkgs.headscale}/bin/headscale users list | grep -q "${adminUser}"; then
          echo "Creating headscale admin user: ${adminUser}"
          ${pkgs.headscale}/bin/headscale users create "${adminUser}"
        else
          echo "Headscale admin user ${adminUser} already exists"
        fi
      '';
    };
    # Traefik configuration for headscale
    services.traefik.dynamicConfigOptions.http = {
      services.headscale.loadBalancer.servers = [
        {
          url = "http://localhost:3009/";
        }
      ];
      routers.headscale = {
        rule = "Host(`va.m3tam3re.com`)";
        tls = {
          certResolver = "godaddy";
        };
        service = "headscale";
        entrypoints = "websecure";
      };
    };
  };
 }
--- a/hosts/m3-atlas/services/n8n.nix
+++ b/hosts/m3-atlas/services/n8n.nix
@@ -1,8 +1,16 @@
-{config, ...}: {
+{
  config,
  lib,
  ...
 }: {
  services.n8n = {
    enable = true;
    environment.WEBHOOK_URL = "https://wf.m3tam3re.com";
  };
  # Temporary fix for upstream module
  systemd.services.n8n.serviceConfig.LoadCredential = lib.mkForce [];
  systemd.services.n8n.environment.N8N_RUNNERS_AUTH_TOKEN_FILE = lib.mkForce null;
  systemd.services.n8n.serviceConfig = {
    EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
  };
--- a/hosts/m3-atlas/services/outline.nix
+++ b/hosts/m3-atlas/services/outline.nix
@@ -1,33 +0,0 @@
 {
  services.outline = {
    enable = true;
    port = 3019;
    publicUrl = "https://ol.m3ta.dev";
    databaseUrl = "postgresql://outline:outline@127.0.0.1:5432/outline";
    storage = {
      storageType = "local";
    };
  };
  systemd.services.outline.serviceConfig = {
    Environment = [
      "PGSSLMODE=disable"
    ];
  };
  # Traefik configuration specific to littlelink
  services.traefik.dynamicConfigOptions.http = {
    services.outline.loadBalancer.servers = [
      {
        url = "http://localhost:3019/";
      }
    ];
    routers.outline = {
      rule = "Host(`ol.m3ta.dev`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "outline";
      entrypoints = "websecure";
    };
  };
 }
--- a/hosts/m3-atlas/services/postgres.nix
+++ b/hosts/m3-atlas/services/postgres.nix
@@ -26,6 +26,7 @@
      # Podman network connections for Baserow
      host    baserow      baserow      10.89.0.0/24    scram-sha-256
      host    kestra       kestra       10.89.0.0/24    scram-sha-256
      host    netbird      netbird      10.89.0.0/24    scram-sha-256
      # Deny all other connections
      local   all       all       reject
--- a/hosts/m3-atlas/services/tailscale.nix
+++ b/hosts/m3-atlas/services/tailscale.nix
@@ -1,28 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale-key.path;
    useRoutingFeatures = "both";
    extraUpFlags = [
      "--login-server=${config.services.headscale.settings.server_url}"
      "--advertise-exit-node"
      "--accept-routes"
      "--ssh=true"
    ];
  };
  services.networkd-dispatcher = lib.mkIf config.services.tailscale.enable {
    enable = true;
    rules."50-tailscale" = {
      onState = ["routable"];
      script = ''
        NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
        ${pkgs.ethtool}/bin/ethtool -K "$NETDEV" rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };
 }
--- a/hosts/m3-kratos/services/default.nix
+++ b/hosts/m3-kratos/services/default.nix
@@ -1,22 +1,24 @@
-{
+{pkgs, ...}: {
  imports = [
    ./containers
    ./mem0.nix
    ./n8n.nix
    ./postgres.nix
    ./sound.nix
    ./tailscale.nix
    ./udev.nix
    ./wireguard.nix
  ];
  services = {
    hypridle.enable = true;
    espanso = {
      enable = true;
      package = pkgs.espanso-wayland;
    };
    printing.enable = true;
    gvfs.enable = true;
    trezord.enable = true;
    gnome.gnome-keyring.enable = true;
    qdrant.enable = true;
    stirling-pdf.enable = true;
    avahi = {
      enable = true;
      nssmdns4 = true;
--- a/hosts/m3-kratos/services/n8n.nix
+++ b/hosts/m3-kratos/services/n8n.nix
@@ -1,12 +1,13 @@
-{
+{lib, ...}: {
  services.n8n = {
    enable = true;
    openFirewall = true;
  };
  systemd.services.n8n = {
    environment = {
      N8N_SECURE_COOKIE = "false";
      N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "false";
    };
  };
  # Temporary fix for upstream module
  systemd.services.n8n.serviceConfig.LoadCredential = lib.mkForce [];
  systemd.services.n8n.environment.N8N_RUNNERS_AUTH_TOKEN_FILE = lib.mkForce null;
 }
--- a/hosts/m3-kratos/services/tailscale.nix
+++ b/hosts/m3-kratos/services/tailscale.nix
@@ -1,13 +0,0 @@
 {config, ...}: {
  services.tailscale = {
    enable = true;
    authKeyFile = config.age.secrets.tailscale-key.path;
    useRoutingFeatures = "both";
    extraUpFlags = [
      "--login-server=https://va.m3tam3re.com"
      "--accept-routes"
      "--ssh"
      "--reset"
    ];
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@@ -21,6 +21,12 @@ in {
  "secrets/kestra-env.age".publicKeys = systems ++ users;
  "secrets/minio-root-cred.age".publicKeys = systems ++ users;
  "secrets/n8n-env.age".publicKeys = systems ++ users;
  "secrets/netbird-auth-secret.age".publicKeys = systems ++ users;
  "secrets/netbird-db-password.age".publicKeys = systems ++ users;
  "secrets/netbird-encryption-key.age".publicKeys = systems ++ users;
  "secrets/netbird-dashboard-env.age".publicKeys = systems ++ users;
  "secrets/netbird-server-env.age".publicKeys = systems ++ users;
  "secrets/netbird-proxy-env.age".publicKeys = systems ++ users;
  "secrets/paperless-key.age".publicKeys = systems ++ users;
  "secrets/ref-key.age".publicKeys = systems ++ users;
  "secrets/exa-key.age".publicKeys = systems ++ users;
--- a/secrets/netbird-auth-secret.age
+++ b/secrets/netbird-auth-secret.age
@@ -0,0 +1,22 @@
 age-encryption.org/v1
 -> ssh-ed25519 4NLKrw 8RHoP6X3KpWlot1bjJ7k2RKYucu6QRB8yvtVyj5sEDA
 mtffN452PGzO4CcyE0GhFcNwI7fr7Aq3bgaohE6PwEQ
 -> ssh-ed25519 5kwcsA 3232LkSUcKzcW+ZMnKL8rqDYK933OA8RqnRxy7lRGAo
 ZexaJBmpEkalgIc0/xCVN/7kF70KcKDXi3jJb+AWR/8
 -> ssh-ed25519 9d4YIQ L1LGlKGk6l5ajdoG0B7vVdO/6rBwRQsK8mV/vz8DLmI
 6lRnaGFyykil752Vctnd8W1qNATuQv069BAiYU0vg6U
 -> ssh-ed25519 3Bcr1w PzlTqlD68Wdxct/8S59FDWPWQPpw0WpIBVYh4eIkP3I
 wM2Y9/kpr+X1Q1b6QdFP2R25FsLl2zEFZltieraOWps
 -> ssh-rsa DQlE7w
 bm/GpjLWe9QONNTgC6U1jPQOkh0in5iOSfl15kYrWPMf1YDdLoM8vMBium8ph61o
 UmgLZ5/vcaZYnxwTA7Bgc8+JJrsWyU9WJZa1eK63Y/ARLyt3FCWSkPl2XJUgYMC1
 feH9f05PkPaK1aIVn4EpUlaoDbBHUEhnzgDRAXAGKpDcKJvthTXMD7iYgeyIuXv5
 jy7mRSlSfp4BddXEghVuI48sBoc9FZKL8FW75vPLkb2NJfGYqwp+ObJG2sSGJPp2
 57/BL/9/Gny5AuKnT1ATU18zZZ+RBCJGllwFpwTM21FQJUlE8mchHURxdARbeRAq
 HvcG+lHbQzpqwdIMY9KuqtuxeIGeXjWDmrzy8ELzbRnawibnVLBPPB1eUecngub6
 qtUYBNgHVDFwEEIKj3+YVAf/Aqn9KJnGpvt2PtEs9vMIgHlDZUl8ZgTned5UT+xi
 sEAHWFO94HfhOSH5FjySQspr3h4Iuq9JG1mO0nJZlTH7F4fV+ORP0yj3ZKgN58Bl
 --- OkS1vA83+ysvD8XdKZKhUCJtkidazlyykV3DPx+hHnQ
 Ê®RvŸd´þÜ,½VˆýÝ×É\\
 SénÜ¼ìG
--- a/secrets/netbird-dashboard-env.age
+++ b/secrets/netbird-dashboard-env.age
@@ -0,0 +1,23 @@
 age-encryption.org/v1
 -> ssh-ed25519 4NLKrw 2QPrjjS+dYcsz6bEDrO+17xOvMks/F/M4/hye07E4mE
 o9fzb0UPpOi2dMOdokj0G8EN5Xl2fuaSI44+s3Q3qJo
 -> ssh-ed25519 5kwcsA IK3S9pEWPOu62wEkk7mnXmJV2jRIilU3zya2dWnpPQM
 mJlzNqEl/4VJBsZ+3nVPa2CUarEXEyVUdfi0su7Da7E
 -> ssh-ed25519 9d4YIQ oKeyxlW5CgztS5/jesZhbcs4niy8/OwQgHiaxlQx8HQ
 AfIRhoUVBnUTHNOcpkrLVBHGCDhMEqnJyO3yVH6X/LU
 -> ssh-ed25519 3Bcr1w Dtd00E0mNqcGERCz3Z2OW/dXeooqHxQ7LRogktUvjXs
 SvPN9IJxdCPP8IQNRRzf8KExuL25GLXI/pBLAMP/OOU
 -> ssh-rsa DQlE7w
 UryjSuArbwCvTODDu9xEfAGyeLyiuUlIedYKNAPN2McYTPQUztMZnoSjeVJt9ZQo
 pOvWbLX9jr+XiwyJ7IluZvT4qDF+34//tdQ1rTNy5qfNy+Uz7na7hzwKw75AWSaZ
 Lkzk5KvjAH5inJVYLX/6t9WO3oDKCRyQjBBXPccNOwgPpJnEVv7mLC9vvZbb9zTX
 IWWqdf2MS0LilBS0lN9qazt7ADs36Bs7F9w/g14V4iw9ZdyrCn2qroxIBajTEDuD
 wtfVegenL957gLf8GD6oouKwh8Qml6zLWlQWWQByechQ2Epzg413cdC3hYkH011v
 8uSw8K+SsoefBLHvqLiptsex0fRiAveC7Zd9+lrjTSebsEJrYJo8j7ulBNTMyt/N
 +gJ/4CIdNt49OgxRF1Y7VlhsGVSy6GYGbmyiRJALnACLpjVZR5gOg4ufM4DSAaeZ
 fEUb7jRa3+yB85wpP4jd7MLLZKF66GtJmjRSYbLSrCvnXFLdQQy5p2fUxBFz5KA+
 --- kTN/LSjBvqTzTcO3sVY3fPEZG52JgarkBlY7L/1Npxg
 Mýœ¹JÒÝ¦MmÌ(¥6m’Ë§QMtói¥cJâ$ÙdÛ¨ŸßÙ¯ý‡aŠŒRŸ³5gKÉóÎxàkg‚óÉ“Äù…tŸ3ªT(Ô³QåÞ3«Ø½Q
 ¬Ü_èl,¦³a‘ÛY4Üwã‚}Œ°Jž%Ð½½²øn"L¤Ž®ÌyÝ`w5´´µä¨<C3A4>ÑÌ	A§{‰âA9<V3z¥R	a%_ù5(
 ¼@ËÉËå·DbD¥*LAö„/tØÉV•àk<C3A0>Ç¼úÿ/f½2¬cAÅAïÙ*m‡CúˆÙ*è+”oqý¡2½MŽïý„Ž©Ævçt¹˜ÊŠ6[‘!#d»ácW}FOö<xK¨ñÖòíÝ‹`ï.t·™ŽO¤ØÃá’«‰%gä±
--- a/secrets/netbird-db-password.age
+++ b/secrets/netbird-db-password.age
--- a/secrets/netbird-encryption-key.age
+++ b/secrets/netbird-encryption-key.age
@@ -0,0 +1,21 @@
 age-encryption.org/v1
 -> ssh-ed25519 4NLKrw NLamAuw7V60OB3MTyRALKoCnLxgM6SiCqOg/XS+yEVI
 aemlH3y+fSUZwTKn/liurPIK80wa99Dh0EMWSKCfdu0
 -> ssh-ed25519 5kwcsA sC0jWG6Hrphab3Za9qlQuToasQACdtvhdQrvHRQrdkA
 mmI/Le4sgd4+0M64c9v0yKomytRPo8ZYZCp86kilSaw
 -> ssh-ed25519 9d4YIQ rTv0fzkzVdH5FmdQtlJsLrvt/gO/ZIjVJ5TTbf19fSk
 TMCl0zEUEd5z1MHr/2uimJPrW26FRavMsGJHevXh/uo
 -> ssh-ed25519 3Bcr1w oWeZqIZsrgmbFvbJgGZEzy/xcT+ic/1eVo8r2tgMLRc
 0L67L46LpOQteobHmwZMka+rGHZmhH6YvOj6NpXHRm4
 -> ssh-rsa DQlE7w
 AaW55WhemFjgE4y92rtKTD0QnttwEdfk3siGRA26/igwWxawqgr6eejNAGtyyVZp
 BcUyzGIR4oo7f6NU8ArcHvycMBIxKVUazJQ9tS02gjQCor+w8Ts578VDYp16SxGd
 FuporQIEuVIVhBaRmm5p4SepUfJ8+wGPz/YXLnmt4bCvf0xZw+AsXGLuZeGIMJsW
 PQqFZsn7dpB8PPJ7tcAYFb4QX2bE3gmNIja5gUSaOV6mn2FYAU8cFDrfuUIhSHqU
 2pWFBv4s7P1N7iKQmAnveG539jyXgzC2FAWKWG+yWuM0yg/wK5owaHNHOt2LXUsb
 rNdacOJFJWykBqvM89dk+vY9RkbZsjLuKAZlNnxVcklCOw3pdGEJZvknZudJ2cGv
 S9aE+3mqn4T91cIgO9XvXEjMxGUquDjDAQu7vSaBcwAZN9nUaGg/mq4UaYmqAVOr
 4BZmrnU1HCJ4vxCAcLZ5t0F6kXPDgLaQ67HzNkRXZzauzbxCTwmrvpxPjMQyStg0
 --- PtWD49Fm8l/54CB8q3L1vHD5EAu4EWp7j4p5lIM9wg4
 ÆaýÞÿK(¿ÎþÈ!Åò³8´“ýcp ¥MiVÑo'ˆR~–`7`3¤`lIobè_‹]Ú„¡5€$¦À>Lxyvp;ìÝ{Þ8NóÒ¤wÿ
--- a/secrets/netbird-proxy-env.age
+++ b/secrets/netbird-proxy-env.age
@@ -0,0 +1,21 @@
 age-encryption.org/v1
 -> ssh-ed25519 4NLKrw SsQNRQTJVF4hcSVRmnYd7dHK+SCuMIPOIzFWyZp9WBg
 sZz8th/4uY3T2UOs5C5exXhLmFo7AGrj+QxQwnuJ/ng
 -> ssh-ed25519 5kwcsA uxdOaVZDDQLyV+vUJhG4mv16zfn3eOZWx9PpwoQje2M
 gk7vrd7V9mwVXzh987C8A8QeQTxDfPBNT75QPMACnoE
 -> ssh-ed25519 9d4YIQ G1OGiK+CYjXs3DPb2OHLoKAA2T5tNm/0ciFR3mZmmFA
 qHW4cvm29OdKpt5Ia5boWx479z2vGKDwddTKeMc57Hc
 -> ssh-ed25519 3Bcr1w lef+8thtDVWKeydqHku+8BzSxLCOyQ5o91RfwJU8Lyk
 mWaQo4uxW1X+freu16rUPYWgZtt0P1L7lHuXJ32DXx8
 -> ssh-rsa DQlE7w
 mdrcYIsmXXPsHXSyAZ9RJtBuKMxHphbuPhagAq2A8/w7hgEQLDLCaSh939uBiIX/
 YsRtVwN/YuvPoWCyl3Dns02gzaAEsxwfvA7dMbxR1ErHhlFLL/71zJMtA6gbDjZB
 vzkUGHmkCp1M54je8GH7Tn3RxoE9ylqWX8Ja8xmw8xpgaqTc1eTOmiX056IyXsGi
 kn/f3C/qBZO46CdjlTQL83Ntw+4yKMozUndwakxkMV/nQTbv+sX/vNiz6mYLItgI
 LkD18niPLO2rjLNBOo2MAHBZqMB5PJze3ZxN4LOgnqHiv64sGPE2JA0LcnWSkp/O
 LFzPlH01Bqmy9Wi8x0SIsKt7z5vJRuoUmlJ5D+QVwOmxO6KVs+BrUZE6KzrJsXZJ
 12oqsiDyz4fJ+XJuDC4sYcl3bXnjIGEMD7sZIR+8F4RjK+IZJzRh/rX7YeFfVYAq
 xJXAmXSPA9lBK4fkBHSi2X9QhSoOgXzHpK6I2ny5tgl2dYHHTvikuure1D646xVq
 --- 6IeZk49jY+uLeHciC2dG1d/joRo4DnVPpgytWzPJjus
 T¼@™]FäŠÍ½|¤¶0„\O“ì²C|•@"å¡0ÄÆœ?ýÙú˜ÿ4¯D]+Ò@±Iz*({±b“B^šÃÙ´Ëñ<t¦³ÙR-?Ò³)
--- a/secrets/netbird-server-env.age
+++ b/secrets/netbird-server-env.age
@@ -0,0 +1,24 @@
 age-encryption.org/v1
 -> ssh-ed25519 4NLKrw oEe3RAkN0nCoiAEGWBs5NNcqTPqrJfSbsAW3Wg9mG0A
 c04EeyHGDUwXrYdwhV37fu/wiAwk7ATBLvs/nAeFpH4
 -> ssh-ed25519 5kwcsA D6RT7Az3STvBs+QcPDby/8O6iIH+5k/701einsc/+hc
 JBUWr6TSOjjkTlbQuGfu/iaXebdy6wSF1ZMKzETPacw
 -> ssh-ed25519 9d4YIQ 4G2u1OgO0LaWDdVqndDb34z9VXC7OyLul1yLEgbKExs
 maFwiYmX4p7ZhrxOE9vBs1FH31g+LxuiLY2crzU7K00
 -> ssh-ed25519 3Bcr1w omrCT+k8GZoBZnoARMgel08EiRf+f/p6ux5+ERpI0Dk
 evobZrcUSxCfOsJUnbxAgWklt7t725TqqsK6z9Jsios
 -> ssh-rsa DQlE7w
 Ik9Lg9iR2mxmmqiFscIMhCUrmTcr2UgOwf/XjPP1FwM2s4uF10vMFE0iIZxmouDZ
 L4Ro7OiLYiXZsiDNQsTu5psmU0mxNEA3pTfr1MDP2dMYbyfe7xKMEmf5tzZr9FzA
 3UBs1vWujEaA0CIA94W5hUvmniptmhxe4dMPZQrTX6eCfthfd+Fg07QCVgriO4ry
 H2YxeFMlNaG5SSl5CAmanYlbjwCUvQDuIOLH2tqyhKGyMvRBZmLu+moaJ9RBXaUZ
 u+1PCanbkhZXoxFo5jVabBWwryUMbz+ZuKsfXX1HZxSO7GPwWiOE4qRP5jvMWR1B
 pq1F3zLiutUSWeg4caNRQj9GBD4khN40Z8ZDdcMG/dnWVcyLZ9pZMAbGPCB094Lm
 G0bbKZdr78Est0fb5fOcfZgrFD46olFPMqb6e28S0T2mCf0uNuFM3+HsLAHeK188
 nN0QtgxWv1ABixcage4EFRIKMZkkqXBJbkErXiHWUOuOBz0lldl9RadbDCuT0yXe
 --- 0KbtreSHr3k7839f78+IZVafLFzrXdlpJiJ9afGkV2A
 dfë®Ý.è®+2?ÁØõ4ÿ¢ÿ»pl¯v/ûÅèäÏËµ-âŸ3
 Ã˜Š„¬¯B|æT¡ÁëN½giÊò<C38A>?H‚¢@»!X©ÈüJ¹€á¼omï§kº¥pç4FÝpåY°xÁ•ÜRÛY
 ÀZ<‚É|pí]ldÎÐAò1ÿ‚µv
 z:˜¢–
Author	SHA1	Message	Date
m3tm3re	a9022a4f55	refactor(netbird): use port registry and named IP variables	2026-02-27 16:03:12 +01:00
m3tm3re	fa9747f3e9	refactor(ports): add netbird port definitions	2026-02-27 16:03:08 +01:00