Skip to content

Netmaker

Docs Here

How to install netmaker | non HA

  • docker | docker compose installed
  • domain prep

  • dashboard.domain

  • api.domain
  • broker.domain
  • turn.domain
  • turnapi.domain

Make sure domains do not exceed more than one sub.domain.com (api.sub.domain.com - is bad for SSL)

Bash
mkdir netmaker && cd netmaker
Bash
wget -O mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
wget -q -O wait.sh https://raw.githubusercontent.com/gravitl/netmaker/master/docker/wait.sh
chmod +x wait.sh
Bash
wget https://raw.githubusercontent.com/gravitl/netmaker/master/compose/docker-compose.yml
Bash
wget https://raw.githubusercontent.com/gravitl/netmaker/master/scripts/netmaker.default.env
cp netmaker.default.env netmaker.env
Bash
# get your ip with the command 
ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p'
Bash
# generate random strings for the master key and TURN and MQ passwords with the command 
tr -dc A-Za-z0-9 </dev/urandom | head -c 30 ; echo '' 

I've skipped caddy:

Tweak docker-compose.yml:

YAML
version: "3.8"

services:

  netmaker:
    container_name: netmaker
    image: gravitl/netmaker:$SERVER_IMAGE_TAG
    env_file: .env
    restart: always
    volumes:
      - ./dnsconfig:/root/config/dnsconfig
      - ./sqldata:/root/data
    environment:
      # config-dependant vars
      - STUN_LIST=stun1.netmaker.io:3478,stun2.netmaker.io:3478,stun1.l.google.com:19302,stun2.l.google.com:19302
      # The domain/host IP indicating the mq broker address
      - BROKER_ENDPOINT=wss://broker-${NM_DOMAIN} # For EMQX broker use `BROKER_ENDPOINT=wss://broker-${NM_DOMAIN}/mqtt`
      # For EMQX broker (uncomment the two lines below)
      #- BROKER_TYPE=emqx
      #- EMQX_REST_ENDPOINT=http://mq:18083
      # The base domain of netmaker
      - SERVER_NAME=${NM_DOMAIN}
      - SERVER_API_CONN_STRING=api-${NM_DOMAIN}:443
      # Address of the CoreDNS server. Defaults to SERVER_HOST
      - COREDNS_ADDR=${SERVER_HOST}
      # Overrides SERVER_HOST if set. Useful for making HTTP available via different interfaces/networks.
      - SERVER_HTTP_HOST=api-${NM_DOMAIN}
      # domain for your turn server
      - TURN_SERVER_HOST=turn-${NM_DOMAIN}
      # domain of the turn api server
      - TURN_SERVER_API_HOST=https://turnapi-${NM_DOMAIN}
    ports:
      - 8081:8081

  netmaker-ui:
    container_name: netmaker-ui
    image: gravitl/netmaker-ui:$UI_IMAGE_TAG
    env_file: .env
    environment:
      # config-dependant vars
      # URL where UI will send API requests. Change based on SERVER_HOST, SERVER_HTTP_HOST, and API_PORT
      BACKEND_URL: "https://api-${NM_DOMAIN}"
    depends_on:
      - netmaker
    links:
      - "netmaker:api"
    restart: always
    ports:
      - 8082:80

  coredns:
    container_name: coredns
    image: coredns/coredns:1.10.1
    command: -conf /root/dnsconfig/Corefile
    env_file: .env
    depends_on:
      - netmaker
    restart: always
    volumes:
      - ./dnsconfig:/root/dnsconfig


  mq:
    container_name: mq
    image: eclipse-mosquitto:2.0.15-openssl
    env_file: .env
    depends_on:
      - netmaker
    restart: unless-stopped
    command: [ "/mosquitto/config/wait.sh" ]
    volumes:
      - ./mosquitto.conf:/mosquitto/config/mosquitto.conf
      - ./wait.sh:/mosquitto/config/wait.sh
      - ./mosquitto_logs:/mosquitto/log
      - ./mosquitto_data:/mosquitto/data
    ports:
      - 1883:1883

  turn:
    container_name: turn
    image: gravitl/turnserver:v1.0.0
    env_file: .env
    environment:
      # config-dependant vars
      - USERNAME=${TURN_USERNAME}
      - PASSWORD=${TURN_PASSWORD}
      # domain for your turn server
      - TURN_SERVER_HOST=turn-${NM_DOMAIN}
    network_mode: "host"
    volumes:
      - ./turn_server:/etc/config
    restart: always

move netmaker.env to .env

Bash
# Email used for SSL certificates
NM_EMAIL=[email protected]
# The base domain of netmaker
NM_DOMAIN=netmaker.example.com
# Public IP of machine
SERVER_HOST=<public IP>
# The admin master key for accessing the API. Change this in any production installation.
MASTER_KEY=XXXXXXXXXXXXXXXXXXXXXXXX
# The username to set for turn api access
TURN_USERNAME=admin
# The password to set for turn api access
TURN_PASSWORD=password
# The username to set for MQ access
MQ_USERNAME=admin
# The password to set for MQ access
MQ_PASSWORD=password
INSTALL_TYPE=ce # community edition
NETMAKER_TENANT_ID=
LICENSE_KEY=
SERVER_IMAGE_TAG=v0.21.2
UI_IMAGE_TAG=v0.21.2
# used for HA - identifies this server vs other servers
NODE_ID=netmaker-server-1
METRICS_EXPORTER=off
PROMETHEUS=off
# Enables DNS Mode, meaning all nodes will set hosts file for private dns settings
DNS_MODE=on
# Enable auto update of netclient ? ENUM:- enabled,disabled | default=enabled
NETCLIENT_AUTO_UPDATE=enabled
# The HTTP API port for Netmaker. Used for API calls / communication from front end.
# If changed, need to change port of BACKEND_URL for netmaker-ui.
API_PORT=8081
EXPORTER_API_PORT=8085
# The "allowed origin" for API requests. Change to restrict where API requests can come from with comma-separated
# URLs. ex:- https://dashboard.netmaker.domain1.com,https://dashboard.netmaker.domain2.com
CORS_ALLOWED_ORIGIN=*
# Show keys permanently in UI (until deleted) as opposed to 1-time display.
DISPLAY_KEYS=on
# Database to use - sqlite, postgres, or rqlite
DATABASE=sqlite
# The address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address.
# If using "host networking", it will find and detect the IP of the mq container.
# For EMQX websockets use `SERVER_BROKER_ENDPOINT=ws://mq:8083/mqtt`
SERVER_BROKER_ENDPOINT=ws://mq:1883 
# The reachable port of STUN on the server
STUN_PORT=3478
# Logging verbosity level - 1, 2, or 3
VERBOSITY=1
# Port to access turn server
TURN_PORT=3479
# Config for using turn, accepts either true/false
USE_TURN=true
DEBUG_MODE=off
TURN_API_PORT=8089
# Enables the REST backend (API running on API_PORT at SERVER_HTTP_HOST).
# Change to "off" to turn off.
REST_BACKEND=on
# If turned "on", Server will not set Host based on remote IP check.
# This is already overridden if SERVER_HOST is set. Turned "off" by default.
DISABLE_REMOTE_IP_CHECK=off
# Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry.
TELEMETRY=on
###
#
# OAuth section
#
###
# "<azure-ad|github|google|oidc>"
AUTH_PROVIDER=
# "<client id of your oauth provider>"
CLIENT_ID=
# "<client secret of your oauth provider>"
CLIENT_SECRET=
# "https://dashboard.<netmaker base domain>"
FRONTEND_URL=
# "<only for azure, you may optionally specify the tenant for the OAuth>"
AZURE_TENANT=
# https://oidc.yourprovider.com - URL of oidc provider
OIDC_ISSUER=
# Duration of JWT token validity in seconds
JWT_VALIDITY_DURATION=43200
# Auto disable a user's connecteds clients bassed on JWT token expiration
RAC_AUTO_DISABLE="true"

Used nginx for proxy:

It's even better to use docker service as destination (instead of IP) if nginx proxy manager and netmaker are in the same docker network.