Netmaker
How to install netmaker | non HA
- docker | docker compose installed
-
domain prep
-
dashboard.domain
- api.domain
- broker.domain
- turn.domain
- turnapi.domain
Make sure domains do not exceed more than one sub.domain.com (api.sub.domain.com - is bad for SSL)
Bash
wget -O mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
wget -q -O wait.sh https://raw.githubusercontent.com/gravitl/netmaker/master/docker/wait.sh
chmod +x wait.sh
Bash
wget https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/netmaker.default.env
cp netmaker.default.env netmaker.env
Bash
# generate random strings for the master key and TURN and MQ passwords with the command
tr -dc A-Za-z0-9 </dev/urandom | head -c 30 ; echo ''
I've skipped caddy:
Tweak docker-compose.yml:
YAML
version: "3.8"
services:
netmaker:
container_name: netmaker
image: gravitl/netmaker:$SERVER_IMAGE_TAG
env_file: .env
restart: always
volumes:
- ./dnsconfig:/root/config/dnsconfig
- ./sqldata:/root/data
environment:
# config-dependant vars
- STUN_LIST=stun1.netmaker.io:3478,stun2.netmaker.io:3478,stun1.l.google.com:19302,stun2.l.google.com:19302
# The domain/host IP indicating the mq broker address
- BROKER_ENDPOINT=wss://broker-${NM_DOMAIN} # For EMQX broker use `BROKER_ENDPOINT=wss://broker-${NM_DOMAIN}/mqtt`
# For EMQX broker (uncomment the two lines below)
#- BROKER_TYPE=emqx
#- EMQX_REST_ENDPOINT=http://mq:18083
# The base domain of netmaker
- SERVER_NAME=${NM_DOMAIN}
- SERVER_API_CONN_STRING=api-${NM_DOMAIN}:443
# Address of the CoreDNS server. Defaults to SERVER_HOST
- COREDNS_ADDR=${SERVER_HOST}
# Overrides SERVER_HOST if set. Useful for making HTTP available via different interfaces/networks.
- SERVER_HTTP_HOST=api-${NM_DOMAIN}
# domain for your turn server
- TURN_SERVER_HOST=turn-${NM_DOMAIN}
# domain of the turn api server
- TURN_SERVER_API_HOST=https://turnapi-${NM_DOMAIN}
ports:
- 8081:8081
netmaker-ui:
container_name: netmaker-ui
image: gravitl/netmaker-ui:$UI_IMAGE_TAG
env_file: .env
environment:
# config-dependant vars
# URL where UI will send API requests. Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT
BACKEND_URL: "https://api-${NM_DOMAIN}"
depends_on:
- netmaker
links:
- "netmaker:api"
restart: always
ports:
- 8082:80
coredns:
container_name: coredns
image: coredns/coredns:1.10.1
command: -conf /root/dnsconfig/Corefile
env_file: .env
depends_on:
- netmaker
restart: always
volumes:
- ./dnsconfig:/root/dnsconfig
mq:
container_name: mq
image: eclipse-mosquitto:2.0.15-openssl
env_file: .env
depends_on:
- netmaker
restart: unless-stopped
command: [ "/mosquitto/config/wait.sh" ]
volumes:
- ./mosquitto.conf:/mosquitto/config/mosquitto.conf
- ./wait.sh:/mosquitto/config/wait.sh
- ./mosquitto_logs:/mosquitto/log
- ./mosquitto_data:/mosquitto/data
ports:
- 1883:1883
turn:
container_name: turn
image: gravitl/turnserver:v1.0.0
env_file: .env
environment:
# config-dependant vars
- USERNAME=${TURN_USERNAME}
- PASSWORD=${TURN_PASSWORD}
# domain for your turn server
- TURN_SERVER_HOST=turn-${NM_DOMAIN}
network_mode: "host"
volumes:
- ./turn_server:/etc/config
restart: always
move netmaker.env to .env
Bash
# Email used for SSL certificates
NM_EMAIL=[email protected]
# The base domain of netmaker
NM_DOMAIN=netmaker.example.com
# Public IP of machine
SERVER_HOST=<public IP>
# The admin master key for accessing the API. Change this in any production installation.
MASTER_KEY=XXXXXXXXXXXXXXXXXXXXXXXX
# The username to set for turn api access
TURN_USERNAME=admin
# The password to set for turn api access
TURN_PASSWORD=password
# The username to set for MQ access
MQ_USERNAME=admin
# The password to set for MQ access
MQ_PASSWORD=password
INSTALL_TYPE=ce # community edition
NETMAKER_TENANT_ID=
LICENSE_KEY=
SERVER_IMAGE_TAG=v0.21.2
UI_IMAGE_TAG=v0.21.2
# used for HA - identifies this server vs other servers
NODE_ID=netmaker-server-1
METRICS_EXPORTER=off
PROMETHEUS=off
# Enables DNS Mode, meaning all nodes will set hosts file for private dns settings
DNS_MODE=on
# Enable auto update of netclient ? ENUM:- enabled,disabled | default=enabled
NETCLIENT_AUTO_UPDATE=enabled
# The HTTP API port for Netmaker. Used for API calls / communication from front end.
# If changed, need to change port of BACKEND_URL for netmaker-ui.
API_PORT=8081
EXPORTER_API_PORT=8085
# The "allowed origin" for API requests. Change to restrict where API requests can come from with comma-separated
# URLs. ex:- https://dashboard.netmaker.domain1.com,https://dashboard.netmaker.domain2.com
CORS_ALLOWED_ORIGIN=*
# Show keys permanently in UI (until deleted) as opposed to 1-time display.
DISPLAY_KEYS=on
# Database to use - sqlite, postgres, or rqlite
DATABASE=sqlite
# The address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address.
# If using "host networking", it will find and detect the IP of the mq container.
# For EMQX websockets use `SERVER_BROKER_ENDPOINT=ws://mq:8083/mqtt`
SERVER_BROKER_ENDPOINT=ws://mq:1883
# The reachable port of STUN on the server
STUN_PORT=3478
# Logging verbosity level - 1, 2, or 3
VERBOSITY=1
# Port to access turn server
TURN_PORT=3479
# Config for using turn, accepts either true/false
USE_TURN=true
DEBUG_MODE=off
TURN_API_PORT=8089
# Enables the REST backend (API running on API_PORT at SERVER_HTTP_HOST).
# Change to "off" to turn off.
REST_BACKEND=on
# If turned "on", Server will not set Host based on remote IP check.
# This is already overridden if SERVER_HOST is set. Turned "off" by default.
DISABLE_REMOTE_IP_CHECK=off
# Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry.
TELEMETRY=on
###
#
# OAuth section
#
###
# "<azure-ad|github|google|oidc>"
AUTH_PROVIDER=
# "<client id of your oauth provider>"
CLIENT_ID=
# "<client secret of your oauth provider>"
CLIENT_SECRET=
# "https://dashboard.<netmaker base domain>"
FRONTEND_URL=
# "<only for azure, you may optionally specify the tenant for the OAuth>"
AZURE_TENANT=
# https://oidc.yourprovider.com - URL of oidc provider
OIDC_ISSUER=
# Duration of JWT token validity in seconds
JWT_VALIDITY_DURATION=43200
# Auto disable a user's connecteds clients bassed on JWT token expiration
RAC_AUTO_DISABLE="true"
Used nginx for proxy:
It's even better to use docker service as destination (instead of IP) if nginx proxy manager and netmaker are in the same docker network.