archy/apps/netbird-dashboard/manifest.yml

app:
  id: netbird-dashboard
  name: NetBird Dashboard
  version: "2.38.0"
  description: NetBird management dashboard (SPA). Internal stack member served through the netbird proxy.
  category: networking

  # Hyphen name matches runtime references + the live container (adoption).
  # Alias `netbird-dashboard` is the short hostname the proxy's nginx proxies to.
  container_name: netbird-dashboard

  container:
    image: docker.io/netbirdio/dashboard:v2.38.0
    pull_policy: if-not-present
    network: netbird-net
    network_aliases: [netbird-dashboard]
    # The dashboard SPA bakes its API/OIDC base URL from these at container
    # start. They must point at the proxy's public HTTPS origin (8087) so the
    # browser uses a secure context (window.crypto.subtle / OIDC PKCE, #15).
    # {{HOST_IP}} is the node's primary host IP, resolved at apply time.
    derived_env:
      - key: NETBIRD_MGMT_API_ENDPOINT
        template: "https://{{HOST_IP}}:8087"
      - key: NETBIRD_MGMT_GRPC_API_ENDPOINT
        template: "https://{{HOST_IP}}:8087"
      - key: AUTH_AUTHORITY
        template: "https://{{HOST_IP}}:8087/oauth2"

  dependencies:
    - app_id: netbird-server

  resources:
    memory_limit: 256Mi

  security:
    # cap-drop=ALL is applied by the orchestrator. The dashboard image runs
    # nginx (master as root, drops workers) binding :80 — needs the worker-drop
    # caps + NET_BIND_SERVICE for the privileged port.
    capabilities: [CHOWN, DAC_OVERRIDE, SETGID, SETUID, NET_BIND_SERVICE]
    readonly_root: false
    network_policy: isolated

  # Internal only — reached container-to-container by the proxy via netbird-net.
  ports: []

  volumes: []

  environment:
    - AUTH_AUDIENCE=netbird-dashboard
    - AUTH_CLIENT_ID=netbird-dashboard
    - AUTH_CLIENT_SECRET=
    - USE_AUTH0=false
    - AUTH_SUPPORTED_SCOPES=openid profile email groups
    - AUTH_REDIRECT_URI=/nb-auth
    - AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
    - NETBIRD_TOKEN_SOURCE=idToken
    - NGINX_SSL_PORT=443
    - LETSENCRYPT_DOMAIN=none

  health_check:
    type: tcp
    endpoint: localhost:80
    interval: 30s
    timeout: 5s
    retries: 5
    start_period: 20s

  metadata:
    author: NetBird
    icon: /assets/img/app-icons/netbird.svg
    website: https://netbird.io
    repo: https://github.com/netbirdio/dashboard
    license: BSD-3-Clause
    tags:
      - networking
      - vpn
      - dashboard
feat(netbird): manifest-driven migration via reusable orchestrator primitives Migrate the netbird stack (server/dashboard/proxy) off ~500 lines of per-app Rust to 3 declarative manifests, adding 4 reusable primitives: - SecretGenKind::Base64 (netbird relay authSecret + sqlite store encryptionKey) - GeneratedCert schema + ensure_manifest_certs (self-signed TLS so the dashboard gets a secure context for OIDC PKCE — issue #15; https proxy on 8087 preserved) - templated GeneratedFile render: {{HOST_IP}}/{{HOST_MDNS}}/{{NETWORK_GATEWAY}} (aardvark resolver for the #15 stale-IP fix) /{{secret:NAME}} (never logged) - legacy create_container now honours port.protocol (3478/udp STUN) install_netbird_stack routes via the orchestrator first (legacy kept as fallback, mirroring indeedhub); launch URL derives https://{host_ip}:8087 from host facts. Legacy Rust deletion deferred to post-live-verify. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-23 13:39:53 -04:00			`app:`
			`id: netbird-dashboard`
			`name: NetBird Dashboard`
			`version: "2.38.0"`
			`description: NetBird management dashboard (SPA). Internal stack member served through the netbird proxy.`
			`category: networking`

			`# Hyphen name matches runtime references + the live container (adoption).`
			# Alias `netbird-dashboard` is the short hostname the proxy's nginx proxies to.
			`container_name: netbird-dashboard`

			`container:`
			`image: docker.io/netbirdio/dashboard:v2.38.0`
			`pull_policy: if-not-present`
			`network: netbird-net`
			`network_aliases: [netbird-dashboard]`
			`# The dashboard SPA bakes its API/OIDC base URL from these at container`
			`# start. They must point at the proxy's public HTTPS origin (8087) so the`
			`# browser uses a secure context (window.crypto.subtle / OIDC PKCE, #15).`
			`# {{HOST_IP}} is the node's primary host IP, resolved at apply time.`
			`derived_env:`
			`- key: NETBIRD_MGMT_API_ENDPOINT`
			`template: "https://{{HOST_IP}}:8087"`
			`- key: NETBIRD_MGMT_GRPC_API_ENDPOINT`
			`template: "https://{{HOST_IP}}:8087"`
			`- key: AUTH_AUTHORITY`
			`template: "https://{{HOST_IP}}:8087/oauth2"`

			`dependencies:`
			`- app_id: netbird-server`

			`resources:`
			`memory_limit: 256Mi`

			`security:`
			`# cap-drop=ALL is applied by the orchestrator. The dashboard image runs`
			`# nginx (master as root, drops workers) binding :80 — needs the worker-drop`
			`# caps + NET_BIND_SERVICE for the privileged port.`
			`capabilities: [CHOWN, DAC_OVERRIDE, SETGID, SETUID, NET_BIND_SERVICE]`
			`readonly_root: false`
			`network_policy: isolated`

			`# Internal only — reached container-to-container by the proxy via netbird-net.`
			`ports: []`

			`volumes: []`

			`environment:`
			`- AUTH_AUDIENCE=netbird-dashboard`
			`- AUTH_CLIENT_ID=netbird-dashboard`
			`- AUTH_CLIENT_SECRET=`
			`- USE_AUTH0=false`
			`- AUTH_SUPPORTED_SCOPES=openid profile email groups`
			`- AUTH_REDIRECT_URI=/nb-auth`
			`- AUTH_SILENT_REDIRECT_URI=/nb-silent-auth`
			`- NETBIRD_TOKEN_SOURCE=idToken`
			`- NGINX_SSL_PORT=443`
			`- LETSENCRYPT_DOMAIN=none`

			`health_check:`
			`type: tcp`
			`endpoint: localhost:80`
			`interval: 30s`
			`timeout: 5s`
			`retries: 5`
			`start_period: 20s`

			`metadata:`
			`author: NetBird`
			`icon: /assets/img/app-icons/netbird.svg`
			`website: https://netbird.io`
			`repo: https://github.com/netbirdio/dashboard`
			`license: BSD-3-Clause`
			`tags:`
			`- networking`
			`- vpn`
			`- dashboard`