Add Pangolin and Netbird

blueprints/netbird/README.md

@@ -0,0 +1,44 @@
+# Netbird Template for Dokploy
+
+## Overview
+
+Netbird is a WireGuard-based mesh VPN and zero-trust networking platform. This template deploys the Netbird management server, signal server, relay, dashboard, and Coturn (TURN server) for use with Dokploy.
+
+## Services
+
+- **netbird-management** – Management API and configuration (HTTPS, port 443)
+- **netbird-signal** – Signal exchange server for peer coordination (port 10000)
+- **netbird-relay** – Relay service for peer connections (port 33080)
+- **netbird-dashboard** – Web UI (port 80)
+- **coturn** – TURN server for NAT traversal (runs with `network_mode: host`; uses ports 3478, 5349, and UDP relay range 49152–65535)
+
+## Domain routing
+
+Configure a domain in Dokploy for this deployment. The template assigns:
+
+- **netbird-dashboard** (port 80) – Dashboard UI
+- **netbird-management** (port 443) – Management API
+
+Traefik will route traffic to these services by hostname.
+
+## Signal and Relay ports (client connectivity)
+
+Netbird **clients** (desktop, mobile, or other hosts) must be able to reach:
+
+- **Signal:** port **10000** (TCP)
+- **Relay:** port **33080** (TCP)
+
+When deploying via Dokploy, these ports are only exposed on the internal Docker network by default. For clients outside the host to connect:
+
+1. **Dokploy / host:** Expose ports 10000 and 33080 on the host (e.g. via Dokploy port settings, firewall rules, or a reverse proxy that forwards TCP to these services), or  
+2. Ensure your deployment environment (e.g. cloud security groups, firewall) allows traffic to the host on 10000 and 33080 and that your compose/stack publishes these ports if you are not using Dokploy’s domain-only routing.
+
+Without Signal and Relay reachable from client networks, peers will not be able to establish connections.
+
+## Coturn (TURN)
+
+The **coturn** service runs with `network_mode: host` so the TURN relay can use the full UDP port range (49152–65535) and behave correctly for NAT traversal. No other TURN/STUN service should use the same ports on the host.
+
+## Configuration
+
+Set the required variables in the Dokploy deployment (domain, Let’s Encrypt email, auth client ID/secret, relay auth secret, TURN username/password, etc.) as defined in `template.toml`.

blueprints/netbird/docker-compose.yml

@@ -0,0 +1,79 @@
+version: "3.8"
+
+services:
+  netbird-management:
+    image: ghcr.io/netbirdio/netbird:0.63.0-rootless
+    restart: unless-stopped
+    command: netbird-mgmt management
+    expose:
+      - "443"
+    volumes:
+      - netbird-management:/var/lib/netbird
+      - netbird-ssl:/etc/letsencrypt:ro
+    environment:
+      - NETBIRD_MGMT_API_ENDPOINT=${NETBIRD_MGMT_API_ENDPOINT}
+      - NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=${NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN}
+      - NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN}
+      - NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS}
+      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=${NETBIRD_STORE_ENGINE_POSTGRES_DSN}
+      - NETBIRD_STORE_ENGINE_MYSQL_DSN=${NETBIRD_STORE_ENGINE_MYSQL_DSN}
+      - NETBIRD_MGMT_API_CERT_FILE=${NETBIRD_MGMT_API_CERT_FILE}
+      - NETBIRD_MGMT_API_CERT_KEY_FILE=${NETBIRD_MGMT_API_CERT_KEY_FILE}
+
+  netbird-signal:
+    image: ghcr.io/netbirdio/netbird:0.63.0-rootless
+    restart: unless-stopped
+    command: netbird-signal
+    volumes:
+      - netbird-signal:/var/lib/netbird
+      - netbird-ssl:/etc/letsencrypt:ro
+    environment:
+      - NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT}
+      - NETBIRD_MGMT_API_CERT_FILE=${NETBIRD_MGMT_API_CERT_FILE}
+      - NETBIRD_MGMT_API_CERT_KEY_FILE=${NETBIRD_MGMT_API_CERT_KEY_FILE}
+    depends_on:
+      - netbird-management
+
+  netbird-relay:
+    image: ghcr.io/netbirdio/netbird:0.63.0-rootless
+    restart: unless-stopped
+    command: netbird-relay
+    environment:
+      - NB_LOG_LEVEL=${NB_LOG_LEVEL}
+      - NB_LISTEN_ADDRESS=${NB_LISTEN_ADDRESS}
+      - NB_EXPOSED_ADDRESS=${NB_EXPOSED_ADDRESS}
+      - NB_AUTH_SECRET=${NB_AUTH_SECRET}
+
+  netbird-dashboard:
+    image: ghcr.io/netbirdio/netbird:0.63.0-rootless
+    restart: unless-stopped
+    command: netbird-dashboard
+    expose:
+      - "80"
+    volumes:
+      - netbird-ssl:/etc/letsencrypt:ro
+    environment:
+      - NETBIRD_MGMT_API_ENDPOINT=${NETBIRD_MGMT_API_ENDPOINT}
+      - NETBIRD_MGMT_GRPC_API_ENDPOINT=${NETBIRD_MGMT_GRPC_API_ENDPOINT}
+      - AUTH_AUDIENCE=${AUTH_AUDIENCE}
+      - AUTH_CLIENT_ID=${AUTH_CLIENT_ID}
+      - AUTH_CLIENT_SECRET=${AUTH_CLIENT_SECRET}
+      - AUTH_AUTHORITY=${AUTH_AUTHORITY}
+      - AUTH_REDIRECT_URI=${AUTH_REDIRECT_URI}
+      - AUTH_SILENT_REDIRECT_URI=${AUTH_SILENT_REDIRECT_URI}
+      - USE_AUTH0=${USE_AUTH0}
+      - LETSENCRYPT_DOMAIN=${LETSENCRYPT_DOMAIN}
+      - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}
+    depends_on:
+      - netbird-management
+
+  coturn:
+    image: coturn/coturn:latest
+    restart: unless-stopped
+    network_mode: host
+    command: -c /etc/turnserver.conf
+
+volumes:
+  netbird-management:
+  netbird-signal:
+  netbird-ssl:

blueprints/netbird/template.toml

@@ -0,0 +1,86 @@
+[variables]
+main_domain = "${domain}"
+mgmt_api_port = "443"
+signal_port = "10000"
+relay_port = "33080"
+relay_auth_secret = "${password:32}"
+turn_username = "${username}"
+turn_password = "${password:32}"
+mgmt_api_endpoint = "https://${main_domain}"
+mgmt_grpc_api_endpoint = "https://${main_domain}"
+dns_domain = "netbird.selfhosted"
+letsencrypt_domain = "${main_domain}"
+letsencrypt_email = "${email}"
+auth_client_id = "${uuid}"
+auth_client_secret = "${password:32}"
+auth_authority = "https://${main_domain}/oauth2"
+auth_audience = "${uuid}"
+auth_redirect_uri = "https://${main_domain}/nb-auth"
+auth_silent_redirect_uri = "https://${main_domain}/nb-silent-auth"
+mgmt_cert_file = "/etc/letsencrypt/live/${letsencrypt_domain}/fullchain.pem"
+mgmt_cert_key_file = "/etc/letsencrypt/live/${letsencrypt_domain}/privkey.pem"
+nb_listen_address = ":${relay_port}"
+nb_exposed_address = "${main_domain}:${relay_port}"
+
+[config]
+[[config.domains]]
+serviceName = "netbird-dashboard"
+port = 80
+host = "${main_domain}"
+
+[[config.domains]]
+serviceName = "netbird-management"
+port = 443
+host = "${main_domain}"
+
+env = [
+  "NETBIRD_MGMT_API_ENDPOINT=${mgmt_api_endpoint}",
+  "NETBIRD_MGMT_GRPC_API_ENDPOINT=${mgmt_grpc_api_endpoint}",
+  "NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=",
+  "NETBIRD_MGMT_DNS_DOMAIN=${dns_domain}",
+  "NETBIRD_DISABLE_ANONYMOUS_METRICS=false",
+  "NETBIRD_MGMT_API_CERT_FILE=${mgmt_cert_file}",
+  "NETBIRD_MGMT_API_CERT_KEY_FILE=${mgmt_cert_key_file}",
+  "NETBIRD_SIGNAL_PORT=${signal_port}",
+  "NB_LOG_LEVEL=info",
+  "NB_LISTEN_ADDRESS=${nb_listen_address}",
+  "NB_EXPOSED_ADDRESS=${nb_exposed_address}",
+  "NB_AUTH_SECRET=${relay_auth_secret}",
+  "AUTH_AUDIENCE=${auth_audience}",
+  "AUTH_CLIENT_ID=${auth_client_id}",
+  "AUTH_CLIENT_SECRET=${auth_client_secret}",
+  "AUTH_AUTHORITY=${auth_authority}",
+  "AUTH_REDIRECT_URI=${auth_redirect_uri}",
+  "AUTH_SILENT_REDIRECT_URI=${auth_silent_redirect_uri}",
+  "USE_AUTH0=false",
+  "LETSENCRYPT_DOMAIN=${letsencrypt_domain}",
+  "LETSENCRYPT_EMAIL=${letsencrypt_email}",
+  "TURN_USERNAME=${turn_username}",
+  "TURN_PASSWORD=${turn_password}"
+]
+
+[[config.mounts]]
+serviceName = "coturn"
+filePath = "/etc/turnserver.conf"
+content = """
+listening-port=3478
+tls-listening-port=5349
+listening-ip=0.0.0.0
+external-ip=${main_domain}
+relay-ip=0.0.0.0
+server-name=${main_domain}
+realm=${main_domain}
+user=${turn_username}:${turn_password}
+no-cli
+no-tls
+no-dtls
+no-stdout-log
+log-file=/var/log/turnserver.log
+verbose
+fingerprint
+lt-cred-mech
+userdb=/var/lib/turn/turndb
+web-admin
+web-admin-ip=0.0.0.0
+web-admin-port=8080
+"""