From 5d8347c66dcb265ffc96f50bd052d69b46473ba8 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Thu, 21 Nov 2024 14:27:48 +0100
Subject: [PATCH] nixos/netbird: introduce relay server nixos/netbird: introduce proxy for unified nginx setup
---
 .../networking/netbird/management.nix | 3 +--
 .../services/networking/netbird/proxy.nix | 22 +++++++++----------
 .../services/networking/netbird/relay.nix | 3 +--
 .../services/networking/netbird/server.md | 1 +
 .../services/networking/netbird/server.nix | 5 +++--
 5 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/nixos/modules/services/networking/netbird/management.nix b/nixos/modules/services/networking/netbird/management.nix
index fee4f7a3da201..654ce3b082771 100644
--- a/nixos/modules/services/networking/netbird/management.nix
+++ b/nixos/modules/services/networking/netbird/management.nix
@@ -66,7 +66,6 @@ let
 Signal = {
 Proto = "https";
- URI = "localhost:${builtins.toString cfg.signal.port}";
 Username = "";
 Password = null;
 };
@@ -371,7 +370,7 @@ in
 assertions = [
 {
- assertion = cfg.port != cfg.metricsPort;
+ assertion = cfg.management.port != cfg.management.etricsPort;
 message = "The primary listen port cannot be the same as the listen port for the metrics endpoint";
 }
 ];
diff --git a/nixos/modules/services/networking/netbird/proxy.nix b/nixos/modules/services/networking/netbird/proxy.nix
index 998ddbad212cf..440f3c1d710a3 100644
--- a/nixos/modules/services/networking/netbird/proxy.nix
+++ b/nixos/modules/services/networking/netbird/proxy.nix
@@ -4,6 +4,7 @@ let
 mkEnableOption
 mkIf
 mkOption
+ mkDefault
 ;
 inherit (lib.types) str;
 cfg = config.services.netbird.server.proxy;
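Review bot: The rewritten assertion in the `@@ -371,7 +370,7 @@` hunk references `cfg.management.etricsPort`, which is a typo for `metricsPort`; Nix will raise an undefined-attribute error when the assertion is evaluated instead of checking the ports, so the port-clash guard is lost together with a confusing failure message. The previous line read `cfg.port != cfg.metricsPort`, and since this file's `cfg` binding (outside the hunk) is presumably still the `services.netbird.server.management` submodule, the added `management.` prefix looks wrong as well; the line should most likely simply be `assertion = cfg.port != cfg.metricsPort;`. The surrounding `config` attribute set continues outside the hunk.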
@@ -44,10 +45,19 @@ in
 enable = true;
 virtualHosts.${cfg.domain} = {
+ forceSSL = mkDefault true;
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Host $host;
+ grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
 locations = {
 "/" = {
 proxyPass = "http://${cfg.dashboardAddress}";
- proxyWebSockets = true;
+ proxyWebsockets = true;
 };
 "/api".proxyPass = "http://${cfg.managementAddress}";
@@ -56,8 +66,6 @@ in
 # see https://stackoverflow.com/a/67805465
 client_body_timeout 1d;
- grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
 grpc_pass grpc://${cfg.managementAddress};
 grpc_read_timeout 1d;
 grpc_send_timeout 1d;
@@ -69,8 +77,6 @@ in
 # see https://stackoverflow.com/a/67805465
 client_body_timeout 1d;
- grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
 grpc_pass grpc://${cfg.signalAddress};
 grpc_read_timeout 1d;
 grpc_send_timeout 1d;
@@ -84,12 +90,6 @@ in
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
- # Forward headers
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
 # Timeout settings
 proxy_read_timeout 3600s;
 proxy_send_timeout 3600s;
diff --git a/nixos/modules/services/networking/netbird/relay.nix b/nixos/modules/services/networking/netbird/relay.nix
index 38af7fb1b2865..01c4186505b0c 100644
--- a/nixos/modules/services/networking/netbird/relay.nix
+++ b/nixos/modules/services/networking/netbird/relay.nix
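Review bot: The `proxy_set_header` lines hoisted into the vhost-level `extraConfig` in the `@@ -44,10 +45,19 @@` hunk are not inherited by any location that defines its own `proxy_set_header`, because nginx inherits that directive from the enclosing level only when the current level sets none; the websocket location in the `@@ -84,12 +90,6 @@` hunk still sets `Upgrade` and `Connection`, and `proxyWebsockets = true` on `/` generates the same two directives in the NixOS module, so those locations now forward neither `X-Real-IP` nor `X-Forwarded-For` (and the websocket location additionally loses its explicit `Host $http_host`). The upstream behind those locations then sees only the proxy's own address, which matters for anything that logs, audits or rate-limits by client IP. Either keep the removed forwarding headers in the `@@ -84,12 +90,6 @@` location next to the `Upgrade`/`Connection` lines, or put the shared set in a snippet pulled in with `include` from every location; for `proxyPass` locations, `services.nginx.recommendedProxySettings = true` provides such an include, if I recall the module correctly. The enclosing `services.nginx` attribute set starts outside the hunk.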
@@ -79,7 +79,6 @@ in
 config = mkIf cfg.enable {
 services.netbird.server.relay.settings = {
 NB_LISTEN_ADDRESS = mkDefault ":${builtins.toString cfg.port}";
- NB_EXPOSED_ADDRESS = mkDefault "rel://${cfg.domain}:${builtins.toString cfg.port}";
 NB_METRICS_PORT = mkDefault "9092"; # Upstream default is 9090 but this would clash for nixos where all services run on the same host
 };
 systemd.services.netbird-relay = {
@@ -88,7 +87,7 @@ in
 environment = cfg.settings;
 script = ''
- export NB_AUTH_SECRET="(<${cfg.authSecretFile})"
+ export NB_AUTH_SECRET="$(<${cfg.authSecretFile})"
 ${getExe' cfg.package "netbird-relay"}
 '';
 serviceConfig = {
diff --git a/nixos/modules/services/networking/netbird/server.md b/nixos/modules/services/networking/netbird/server.md
index d5c137f4fff98..ffda72c0626a4 100644
--- a/nixos/modules/services/networking/netbird/server.md
+++ b/nixos/modules/services/networking/netbird/server.md
@@ -28,6 +28,7 @@ services.netbird.server = {
 management = {
 oidcConfigEndpoint = "https://sso.example.selfhosted/oauth2/openid/netbird/.well-known/openid-configuration";
+ settings.Signal.URI = "publicly reachable signal endpoint";
 };
 };
 ```
diff --git a/nixos/modules/services/networking/netbird/server.nix b/nixos/modules/services/networking/netbird/server.nix
index 5d02a4017328b..237f70ba3327f 100644
--- a/nixos/modules/services/networking/netbird/server.nix
+++ b/nixos/modules/services/networking/netbird/server.nix
@@ -55,9 +55,10 @@ in
 }
 // (optionalAttrs cfg.coturn.enable rec {
 turnDomain = cfg.domain;
- turnPort = config.services.coturn.tls-listening-port;
+ turnPort = config.services.coturn.listening-port;
 # We cannot merge a list of attrsets so we have to redefine the whole list
 settings = {
+ Signal.URI = mkDefault "${cfg.domain}:${builtins.toString cfg.signal.port}";
 TURNConfig.Turns = mkDefault [
 {
 Proto = "udp";
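Review bot: The corrected `export NB_AUTH_SECRET="$(<${cfg.authSecretFile})"` in the `@@ -88,7 +87,7 @@` hunk still yields an empty secret when the file is missing or not readable by the service user, because a failing `$(<file)` inside an assignment does not abort a `set -e` script and `export` itself returns success; the relay would then start with an empty `NB_AUTH_SECRET` rather than refusing to start. A guard before the export such as `[ -s "${cfg.authSecretFile}" ] || { echo "netbird-relay: authSecretFile is missing or empty" >&2; exit 1; }` turns that into a hard failure. If `serviceConfig` (which continues outside the hunk) hardens the unit with `DynamicUser=` or a dedicated user, `LoadCredential=` plus reading the secret from `$CREDENTIALS_DIRECTORY` avoids having to widen the secret file's permissions for that user.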
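Review bot: The new default `Signal.URI = mkDefault "${cfg.domain}:${builtins.toString cfg.signal.port}"` in the `@@ -55,9 +55,10 @@` hunk points clients at the signal service's own listen port, while the proxy module in this same patch terminates TLS for `cfg.domain` and forwards the signal gRPC traffic from its TLS vhost; with management.nix keeping `Signal.Proto = "https"` (a context line in its first hunk), clients would attempt TLS against a port that, as far as this diff shows, speaks plain gRPC behind the proxy. If the intended public endpoint is the proxied vhost, the default should name the proxy's port rather than `cfg.signal.port`; the server.md hunk already instructs users to set `settings.Signal.URI` to a "publicly reachable signal endpoint" by hand, which suggests the default is not expected to be correct on its own and deserves a comment saying so, e.g. `# Clients connect here directly; override when signal is reached through the proxy`. The `optionalAttrs` block continues outside the hunk.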
@@ -78,7 +79,7 @@ in
 };
 relay = {
- settings.NB_EXPOSED_ADDRESS = "rel://${cfg.domain}/${builtins.toString cfg.relay.port}";
+ settings.NB_EXPOSED_ADDRESS = mkDefault "rel://${cfg.domain}/${builtins.toString cfg.relay.port}";
 enable = mkDefault cfg.enable;
 };