Switch to current installation method by backup/reinstall/restore?

I still use the old installation method with Caddy and split services. I want to switch to Traefik and the one-service variant. I could do the switch step by step and change the configuration.

But is it possible to make a backup (which is mainly stopping services and copying directories to a backup), drop the installation, reinstall with the up-to-date installation script and then play back the backup?

The second variant could be less error-prone: I get an up-to-date clean installation but do not need to set up the system again.

Has anybody tried? Should it work or not?

Are you an IdP user on the old system? Like, do you use authentik, pocketid or zitadel?

I already switched to the internal IDP support (by reinstallation) and have no external IDPs / users.

My answer may have been misleading:
* Yes, I already use the local IdP solution but still have an old Caddy-based setup

Should “make backup”, remove and reinstall, “restore backup data” work to switch to the new installation method easily?

OK, I just tried the migration script. This worked out in principle. I got a Traefik-based instance with all my existing data. As far as I understand, I cannot define a service for the top-level domain if I use the top-level domain for a webserver, too. For the top-level domain to work, I would need to point the CNAME entry to netbird, which results in the webserver not getting called.

I was also able to define services now, and in principle it seems to work.

However (now comes the I’m stupid part): as the UI hints, I will expose the services to the internet. I can add manual authentication in front of it, but it will be exposed. The documentation clearly states this :-/

That, though, I do not want. I want my services only exposed to people in the netbird network. I want TLS, I want certificates. It is OK if DNS is visible, but traffic must always be blocked. It looks like this is not possible (yet?)?

So I restored the backup (which worked fine, too) and returned to my current solution, redirecting traffic to the netbird IPs in the Caddy proxy, which will only work if in the VPN.

I tried to configure Traefik to support this use case too, similar to Caddy, but failed.
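The Caddy-side setup described above (public certificates, DNS pointing at the netbird IP, traffic only from inside the VPN) as an added example; this is not configuration from the thread or from the netbird project. It assumes netbird's default 100.64.0.0/10 range, a Caddy build with the cloudflare DNS plugin, and placeholder names and addresses.

```caddyfile
# Added example, not from the thread. Serve a backend only to clients
# arriving over netbird, while still obtaining a public Let's Encrypt
# certificate. Assumptions: netbird uses its default 100.64.0.0/10
# range, this host's netbird IP is 100.64.0.5 (placeholder), and Caddy
# was built with the cloudflare DNS plugin (CF_API_TOKEN set in the
# environment). vault.example.com and 127.0.0.1:8080 are placeholders.
vault.example.com {
    # Listen only on the netbird address, so the site is never reachable
    # on a public interface; DNS for the name points at this 100.x IP.
    bind 100.64.0.5

    # Complete the ACME challenge over DNS: no public port 80/443 needed.
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    # Defence in depth: even on the bound address, only accept peers
    # whose source IP is inside the netbird range.
    @vpn remote_ip 100.64.0.0/10

    handle @vpn {
        reverse_proxy 127.0.0.1:8080
    }

    # Anything else is refused without revealing the backend.
    handle {
        respond 403
    }
}
```

The remote_ip check only sees the real peer address when Caddy is the first hop; behind another proxy it would see that proxy's address instead.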

The proxy should be also capable within netbird. You have the ability to give people a certain amount of groups, and one of the conditions that you can apply to the proxy is that if you are in a group you get access to a proxy location. This way you can give people the group that need to be able to access the service if they are not even connected to another bird. But do you need access to the service and the moment authenticate with netbird? They still go through the proxy?

Depending on how you do it, like if you use it in the GUI, you should be able to select the group parameter instead of the pin or password parameter.

You mean SSO, as described here?

But I cannot say “no group”. I could only assign an empty group. Possibly it would still result in a SSO dialog?

If I add a valid group, the service is public, just protected by a password?

You still need a group over the SSO. That’s the only real way to lock it behind a “vpn”; the meaning of the proxy system is to replicate a cloudflare tunnel of sorts. Reach something behind a firewall from its computer.

Configuring the proxy with SSO and groups still exposes the services and also requires SSO login for access even if I’m within the netbird network.

We are leaving the original topic somehow, but nevertheless, here is the background. It sounds like this should be a feature request?

I want to publish some services to my family. I do not want to expose these services outside the VPN, but at least some services should be usable from mobile and when not at home. Some services require https, some support OAuth. This requires TLS and public certificates (if I do not want to make use of a private CA).

Currently I realize this with DNS entries that point to the netbird IP (100.x.x.x) of the netbird installation. For the DNS entries and the letsencrypt certificates I need further reverse proxy configuration ….

So I already have Authentik login, Password Manager, Calendar, Image Store… partly with OAuth via Authentik. I’m happy, but the setup has to be managed.

It seems like netbird can now do all of this, too (especially domain handling, certificates…). But it tries to expose it and in turn adds another authentication layer.

It would be nice if I could get the domain and certificate handling - without exposing the services. It sounds like this should be simple. It is just not the current proxy use case.

I know that via user login my services are indirectly exposed. If there is a weak password, the system can get compromised. But I want just this one point. In particular, I do not want to expose a password manager in any way.