netbird: rework server and include new component #354032
base: master
Conversation
Force-pushed from d6f32bf to 67b0145.
Result of nixpkgs-review: 2 packages blacklisted, 3 packages built.
Same here, also on x86_64-linux. :)
Force-pushed from 67b0145 to 6f81122.
Fellow user of Kanidm/Netbird here. Can confirm that the server is non-functional at the moment, again due to clashing ports. `services.netbird.server.management.extraOptions = [ "--metrics-port=9091" ];` to my configuration. ...Is it worth creating a separate PR to fix Also please let me know if I can help with testing in any way.
Might be a good idea to put the More eyes and people testing are always welcome. I'm just gonna run the new module while I work on this PR for a few weeks and see if anything comes up. Seems like right now the blocker for both of us is kanidm kanidm/kanidm#3217
Yeah, can do - I was thinking add an extraOption to signal, and potentially even adding my snippet above as the default for one of them so it works out of the box again? |
I would say you could just add your snippet as the default and we can always switch to a dedicated option later, but thinking about it I'm not sure the newest update will work without the relay server packaged and setup so I'm not sure a new PR is worth it if it won't work anyway. |
I'm on nixpkgs |
Oh nice. Wasn't sure how much they already depend on the relay.
Sounds great. I'll try and finish this one soon as well, now that the branchoff happened. |
PR opened, input would be appreciated @PatrickDaG |
Force-pushed from e72c0c9 to 06554e2.
Just realized 25.05 is around the corner #390768. We should probably wait with this PR till after branch-off.
I currently have issues with the netbird server components (clients losing connection to the server), so I will give this PR a spin over the weekend.
Oh, master already has the newest version, so maybe a rebase is in order. |
That was fast 😅 |
Ok, I've set it up now and it works, but I have two comments:

```nix
# Serve the dashboard's static files straight from the package instead of
# proxying them; mkForce overrides the location the module defines.
services.nginx.virtualHosts."${NETBIRD_DOMAIN}" = {
  locations."/" = lib.mkForce {
    root = config.services.netbird.server.dashboard.finalDrv;
    tryFiles = "$uri $uri.html $uri/ =404";
  };
};
```
Let's see if this fixes my issues with the vpn disconnecting and not reconnecting |
Good points, thanks. I've added an option to disable proxying of the dashboard and opened a new pull request to update the dashboard.
Had this running for a week now and it works very well. Either this or the update to 0.43.1 fixed the issues I had with the clients disconnecting and the dashboard showing no clients (even if the underlying wireguard tunnel was still active) |
Force-pushed from 5266704 to 14cac42.
Force-pushed from 257cb81 to bd8ba5d.
nixos/netbird: introduce standalone proxy module
@PatrickDaG you might want to review this due to #431976 |
DataStoreEncryptionKey = "genEVP6j/Yp2EeVujm0zgqXrRos29dQkpvX0hHdEUlQ="; | ||
StoreConfig = { Engine = "sqlite"; }; | ||
Datadir = "${stateDir}/data"; | ||
DataStoreEncryptionKey = "genEVP6j/Yp2EeVujm0zgqXrRos29dQkpvX0hHdEUlQ="; |
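Review bot: the DataStoreEncryptionKey literal on these lines is a fixed value built into the module, so it lands in the world-readable /nix/store and is shared by every deployment that keeps the default, which defeats the purpose of encrypting the datastore. The key should come from a path outside the store instead; NetBird reads it from a file when the JSON carries `"DataStoreEncryptionKey": { "_secret": "/path/to/key" }`, as the thread below notes, so the default here should be that form (or no default at all, forcing the operator to supply one) rather than a constant.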
I'm pretty sure there should be a way to supply this value externally instead of putting inside /nix/store
Something like a config.d/*.json directory merged recursively by jq before the start of the service could work.
NetBird already natively supports loading this encryption key from a file, with DataStoreEncryptionKey._secret set to an arbitrary path.
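As an added example of the two shapes this thread contrasts (not code from the PR or from upstream NetBird): the weak form keeps the key as a literal in the settings attrset, so it is serialized into management.json inside the Nix store; the corrected form uses the `_secret` indirection the previous comment describes, so only a path reaches the store and the key itself stays in a root-owned file provisioned by whatever secrets tooling you use. The option path `services.netbird.server.management.settings` and the file location are assumptions.

```nix
# Added example, not part of the PR. Assumes the module exposes a free-form
# `settings` attrset that is serialized to management.json (option name is
# an assumption; check the module's options).
{ config, lib, ... }:
{
  # WEAK: the literal ends up in /nix/store, readable by every local user
  # and identical on every host built from this configuration.
  #
  # services.netbird.server.management.settings.DataStoreEncryptionKey =
  #   "genEVP6j/Yp2EeVujm0zgqXrRos29dQkpvX0hHdEUlQ=";

  # CORRECTED: serialize {"DataStoreEncryptionKey": {"_secret": "<path>"}}
  # and let NetBird read the key from that file at start-up. Generate the
  # 32-byte key once with `openssl rand -base64 32`, install it with mode
  # 0400 owned by the service user, outside the store (path is an assumption;
  # sops-nix/agenix typically deliver to /run/secrets).
  services.netbird.server.management.settings.DataStoreEncryptionKey._secret =
    "/run/secrets/netbird-datastore-key";
}
```

If the module does not expose a settings attrset, the same JSON fragment can be dropped into a `config.d/*.json` overlay merged at ExecStartPre, as suggested above; the point is that the file the store contains carries a path, never the key.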
This is a pretty hefty rework of the nixos netbird modules.
First of all I split the package into three because currently you cannot have the client installed without the server components coming with it, now it's three packages, a client, a client with gui and a server.
You still have the option to build a package containing everything but I don't think most people need that.
Secondly I wrote a basic test for the server, so now we at least know whether it starts, which it currently doesn't, because upstream introduced clashing ports for all servers that cannot be disabled.
I would love further testing, but I think that would require actually logging into the kanidm instance inside the testing framework, which is something for another day.
The test also currently depends on #353681.
Netbird is currently switching away from coturn in favour of their own relay implementation, which this pull adds.
Their communication about whether coturn will be needed going forward is a bit confusing, but I'm pretty sure right now you need both their relay and coturn; maybe in a few updates we can remove coturn.
Lastly I reworked the nginx setup, realizing you don't necessarily need it, apart from serving the dashboard.
I removed it from all services and the default setup should now work without it, but you have to forward and open all relevant ports: for management, signal, coturn, dashboard and relay.
To make it easier for people using nginx as a reverse proxy I've added the proxy module, which is written and maintained completely by myself and has no affiliation with upstream netbird. I do plan on using this and think it's valuable to have, even just as documentation of the nginx options to use with netbird, but I am scared that people will have problems with this module and complain to upstream netbird. I don't really know whether to include it or not; feedback appreciated.
In general this isn't extensively tested yet, but I would be very happy if people help me test it.
It has to wait for branch-off anyway because it contains a bunch of breaking changes.
Also should probably write more documentation especially regarding the proxy module.
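An added example of the nginx layout the description above refers to, for the case where all server components run on one host behind a single TLS virtual host. This is neither the PR's proxy module nor upstream's own config: the backend ports 8080, 10000 and 33080, the domain and the coturn port are assumptions; only `services.netbird.server.dashboard.finalDrv` comes from the thread. The management REST API and gRPC, the signal gRPC and the relay WebSocket each get their own location so that the dashboard can stay static while the gRPC paths are passed with `grpc_pass` over HTTP/2.

```nix
# Added example, not the PR's proxy module. Backend ports and the domain are
# assumptions; adjust them to what your management, signal and relay
# services actually listen on.
{ config, lib, ... }:
let
  domain = "netbird.example.org";
  managementPort = 8080;   # assumed: management HTTP + gRPC listener
  signalPort = 10000;      # assumed: signal gRPC listener
  relayPort = 33080;       # assumed: relay WebSocket listener
in
{
  services.nginx = {
    enable = true;
    virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = true;
      http2 = true;  # gRPC requires HTTP/2 on the TLS listener

      # Dashboard: static files served straight from the package.
      locations."/" = {
        root = config.services.netbird.server.dashboard.finalDrv;
        tryFiles = "$uri $uri.html $uri/ =404";
      };

      # Management REST API used by the dashboard and the CLI.
      locations."/api/" = {
        proxyPass = "http://127.0.0.1:${toString managementPort}";
      };

      # Management gRPC: long-lived streams, so raise the default timeouts.
      locations."/management.ManagementService/" = {
        extraConfig = ''
          grpc_pass grpc://127.0.0.1:${toString managementPort};
          grpc_read_timeout 1d;
          grpc_send_timeout 1d;
        '';
      };

      # Signal gRPC, same long-lived stream pattern.
      locations."/signalexchange.SignalExchange/" = {
        extraConfig = ''
          grpc_pass grpc://127.0.0.1:${toString signalPort};
          grpc_read_timeout 1d;
          grpc_send_timeout 1d;
        '';
      };

      # Relay speaks WebSocket; proxyWebsockets sets the Upgrade headers.
      locations."/relay" = {
        proxyPass = "http://127.0.0.1:${toString relayPort}";
        proxyWebsockets = true;
      };
    };
  };

  # coturn is UDP/TCP on its own port (3478 assumed) plus its relay port
  # range and cannot be fronted by nginx; open it on the firewall directly.
  networking.firewall.allowedTCPPorts = [ 80 443 3478 ];
  networking.firewall.allowedUDPPorts = [ 3478 ];
}
```

With this in place only 80/443 and the coturn ports are exposed; management, signal and relay stay bound to loopback, which is the situation the description contrasts with the default of forwarding every component's port directly.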