nixos/netbird: introduce relay server

nixos/netbird: introduce proxy for unified nginx setup
NixOS · Dec 3, 2024 · 5d8347c · 5d8347c
1 parent 4badea1
commit 5d8347c
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 17 deletions.
diff --git a/nixos/modules/services/networking/netbird/management.nix b/nixos/modules/services/networking/netbird/management.nix
@@ -66,7 +66,6 @@ let
 
     Signal = {
       Proto = "https";
-      URI = "localhost:${builtins.toString cfg.signal.port}";
       Username = "";
       Password = null;
     };
@@ -371,7 +370,7 @@ in
 
     assertions = [
       {
-        assertion = cfg.port != cfg.metricsPort;
+        assertion = cfg.management.port != cfg.management.etricsPort;
         message = "The primary listen port cannot be the same as the listen port for the metrics endpoint";
       }
     ];

diff --git a/nixos/modules/services/networking/netbird/proxy.nix b/nixos/modules/services/networking/netbird/proxy.nix
@@ -4,6 +4,7 @@ let
     mkEnableOption
     mkIf
     mkOption
+    mkDefault
     ;
   inherit (lib.types) str;
   cfg = config.services.netbird.server.proxy;
@@ -44,10 +45,19 @@ in
       enable = true;
 
       virtualHosts.${cfg.domain} = {
+        forceSSL = mkDefault true;
+        extraConfig = ''
+          proxy_set_header        X-Real-IP $remote_addr;
+          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header        X-Scheme $scheme;
+          proxy_set_header        X-Forwarded-Proto https;
+          proxy_set_header        X-Forwarded-Host $host;
+          grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
+        '';
         locations = {
           "/" = {
             proxyPass = "http://${cfg.dashboardAddress}";
-            proxyWebSockets = true;
+            proxyWebsockets = true;
           };
           "/api".proxyPass = "http://${cfg.managementAddress}";
 
@@ -56,8 +66,6 @@ in
             # see https://stackoverflow.com/a/67805465
             client_body_timeout 1d;
 
-            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
             grpc_pass grpc://${cfg.managementAddress};
             grpc_read_timeout 1d;
             grpc_send_timeout 1d;
@@ -69,8 +77,6 @@ in
           # see https://stackoverflow.com/a/67805465
           client_body_timeout 1d;
 
-          grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
           grpc_pass grpc://${cfg.signalAddress};
           grpc_read_timeout 1d;
           grpc_send_timeout 1d;
@@ -84,12 +90,6 @@ in
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection "Upgrade";
 
-          # Forward headers
-          proxy_set_header Host $http_host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-
           # Timeout settings
           proxy_read_timeout 3600s;
           proxy_send_timeout 3600s;

diff --git a/nixos/modules/services/networking/netbird/relay.nix b/nixos/modules/services/networking/netbird/relay.nix
@@ -79,7 +79,6 @@ in
   config = mkIf cfg.enable {
     services.netbird.server.relay.settings = {
       NB_LISTEN_ADDRESS = mkDefault ":${builtins.toString cfg.port}";
-      NB_EXPOSED_ADDRESS = mkDefault "rel://${cfg.domain}:${builtins.toString cfg.port}";
       NB_METRICS_PORT = mkDefault "9092"; # Upstream default is 9090 but this would clash for nixos where all services run on the same host
     };
     systemd.services.netbird-relay = {
@@ -88,7 +87,7 @@ in
       environment = cfg.settings;
 
       script = ''
-        export NB_AUTH_SECRET="(<${cfg.authSecretFile})"
+        export NB_AUTH_SECRET="$(<${cfg.authSecretFile})"
         ${getExe' cfg.package "netbird-relay"}
       '';
       serviceConfig = {

diff --git a/nixos/modules/services/networking/netbird/server.md b/nixos/modules/services/networking/netbird/server.md
@@ -28,6 +28,7 @@ services.netbird.server = {
 
   management = {
     oidcConfigEndpoint = "https://sso.example.selfhosted/oauth2/openid/netbird/.well-known/openid-configuration";
+    settings.Signal.URI = "publicly reachable signal endpoint";
   };
 };
 ```

diff --git a/nixos/modules/services/networking/netbird/server.nix b/nixos/modules/services/networking/netbird/server.nix
@@ -55,9 +55,10 @@ in
         }
         // (optionalAttrs cfg.coturn.enable rec {
           turnDomain = cfg.domain;
-          turnPort = config.services.coturn.tls-listening-port;
+          turnPort = config.services.coturn.listening-port;
           # We cannot merge a list of attrsets so we have to redefine the whole list
           settings = {
+            Signal.URI = mkDefault "${cfg.domain}:${builtins.toString cfg.signal.port}";
             TURNConfig.Turns = mkDefault [
               {
                 Proto = "udp";
@@ -78,7 +79,7 @@ in
       };
 
       relay = {
-        settings.NB_EXPOSED_ADDRESS = "rel://${cfg.domain}/${builtins.toString cfg.relay.port}";
+        settings.NB_EXPOSED_ADDRESS = mkDefault "rel://${cfg.domain}/${builtins.toString cfg.relay.port}";
         enable = mkDefault cfg.enable;
       };
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,6 +28,7 @@ services.netbird.server = { @@
       management = {
         oidcConfigEndpoint = "https://sso.example.selfhosted/oauth2/openid/netbird/.well-known/openid-configuration";
+        settings.Signal.URI = "publicly reachable signal endpoint";
       };
     };
     ```
@@ Expand Down @@