nixos/netbird: introduce relay server

nixos/netbird: introduce proxy for unified nginx setup

nixos/modules/services/networking/netbird/dashboard.nix

@@ -39,7 +39,7 @@ in
 
     package = mkPackageOption pkgs "netbird-dashboard" { };
 
-    enableNginx = mkEnableOption "Nginx reverse-proxy to serve the dashboard";
+    enableNginx = mkEnableOption "Nginx to serve the dashboard";
 
     domain = mkOption {
       type = str;

nixos/modules/services/networking/netbird/management.nix

@@ -38,7 +38,7 @@ let
     Stuns = [
       {
         Proto = "udp";
-        URI = "stun:${cfg.turnDomain}:3478";
+        URI = "stun:${cfg.management.turnDomain}:3478";
         Username = "";
         Password = null;
       }
@@ -48,7 +48,7 @@ let
       Turns = [
         {
           Proto = "udp";
-          URI = "turn:${cfg.turnDomain}:${builtins.toString cfg.turnPort}";
+          URI = "turn:${cfg.management.turnDomain}:${builtins.toString cfg.management.turnPort}";
           Username = "netbird";
           Password = "netbird";
         }
@@ -58,10 +58,15 @@ let
       Secret = "not-secure-secret";
       TimeBasedCredentials = false;
     };
+    Relay = {
+      Addresses = [ cfg.relay.settings.NB_EXPOSED_ADDRESS ];
+      CredentialsTTL = "24h";
+      Secret._secret = cfg.relay.authSecretFile;
+    };
 
     Signal = {
       Proto = "https";
-      URI = "${cfg.domain}:443";
+      URI = "localhost:${builtins.toString cfg.signal.port}";
       Username = "";
       Password = null;
     };
@@ -79,9 +84,9 @@ let
     };
 
     HttpConfig = {
-      Address = "127.0.0.1:${builtins.toString cfg.port}";
+      Address = "127.0.0.1:${builtins.toString cfg.management.port}";
       IdpSignKeyRefreshEnabled = true;
-      OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
+      OIDCConfigEndpoint = cfg.management.oidcConfigEndpoint;
     };
 
     IdpManagerConfig = {
@@ -128,18 +133,18 @@ let
     };
   };
 
-  managementConfig = recursiveUpdate defaultSettings cfg.settings;
+  managementConfig = recursiveUpdate defaultSettings cfg.management.settings;
 
   managementFile = settingsFormat.generate "config.json" managementConfig;
 
-  cfg = config.services.netbird.server.management;
+  cfg = config.services.netbird.server;
 in
 
 {
   options.services.netbird.server.management = {
     enable = mkEnableOption "Netbird Management Service";
 
-    package = mkPackageOption pkgs "netbird" { };
+    package = mkPackageOption pkgs "netbird-server" { };
 
     domain = mkOption {
       type = str;
@@ -196,6 +201,12 @@ in
       description = "Internal port of the management server.";
     };
 
+    metricsPort = mkOption {
+      type = port;
+      default = 9090;
+      description = "Internal port of the metrics server.";
+    };
+
     extraOptions = mkOption {
       type = listOf str;
       default = [ ];
@@ -218,7 +229,7 @@ in
           Stuns = [
             {
               Proto = "udp";
-              URI = "stun:''${cfg.turnDomain}:3478";
+              URI = "stun:''${cfg.management.turnDomain}:3478";
               Username = "";
               Password = null;
             }
@@ -228,7 +239,7 @@ in
             Turns = [
               {
                 Proto = "udp";
-                URI = "turn:''${cfg.turnDomain}:3478";
+                URI = "turn:''${cfg.management.turnDomain}:3478";
                 Username = "netbird";
                 Password = "netbird";
               }
@@ -241,7 +252,7 @@ in
 
           Signal = {
             Proto = "https";
-            URI = "''${cfg.domain}:443";
+            URI = "localhost:''${cfg.signal.port}";
             Username = "";
             Password = null;
           };
@@ -257,9 +268,9 @@ in
           StoreConfig = { Engine = "sqlite"; };
 
           HttpConfig = {
-            Address = "127.0.0.1:''${builtins.toString cfg.port}";
+            Address = "127.0.0.1:''${builtins.toString cfg.management.port}";
             IdpSignKeyRefreshEnabled = true;
-            OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
+            OIDCConfigEndpoint = cfg.management.oidcConfigEndpoint;
           };
 
           IdpManagerConfig = {
@@ -334,11 +345,9 @@ in
       default = "INFO";
       description = "Log level of the netbird services.";
     };
-
-    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird management service";
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf cfg.management.enable {
     warnings =
       concatMap
         (
@@ -373,7 +382,7 @@ in
       serviceConfig = {
         ExecStart = escapeSystemdExecArgs (
           [
-            (getExe' cfg.package "netbird-mgmt")
+            (getExe' cfg.management.package "netbird-mgmt")
             "management"
             # Config file
             "--config"
@@ -383,25 +392,28 @@ in
             "${stateDir}/data"
             # DNS domain
             "--dns-domain"
-            cfg.dnsDomain
+            cfg.management.dnsDomain
             # Port to listen on
             "--port"
-            cfg.port
+            cfg.management.port
+            # Port the internal prometheus server listens on
+            "--metrics-port"
+            cfg.management.metricsPort
             # Log to stdout
             "--log-file"
             "console"
             # Log level
             "--log-level"
-            cfg.logLevel
+            cfg.management.logLevel
             #
             "--idp-sign-key-refresh-enabled"
             # Domain for internal resolution
             "--single-account-mode-domain"
-            cfg.singleAccountModeDomain
+            cfg.management.singleAccountModeDomain
           ]
-          ++ (optional cfg.disableAnonymousMetrics "--disable-anonymous-metrics")
-          ++ (optional cfg.disableSingleAccountMode "--disable-single-account-mode")
-          ++ cfg.extraOptions
+          ++ (optional cfg.management.disableAnonymousMetrics "--disable-anonymous-metrics")
+          ++ (optional cfg.management.disableSingleAccountMode "--disable-single-account-mode")
+          ++ cfg.management.extraOptions
         );
         Restart = "always";
         RuntimeDirectory = "netbird-mgmt";
@@ -434,27 +446,5 @@ in
       stopIfChanged = false;
     };
 
-    services.nginx = mkIf cfg.enableNginx {
-      enable = true;
-
-      virtualHosts.${cfg.domain} = {
-        locations = {
-          "/api".proxyPass = "http://localhost:${builtins.toString cfg.port}";
-
-          "/management.ManagementService/".extraConfig = ''
-            # This is necessary so that grpc connections do not get closed early
-            # see https://stackoverflow.com/a/67805465
-            client_body_timeout 1d;
-
-            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-            grpc_pass grpc://localhost:${builtins.toString cfg.port};
-            grpc_read_timeout 1d;
-            grpc_send_timeout 1d;
-            grpc_socket_keepalive on;
-          '';
-        };
-      };
-    };
   };
 }

nixos/modules/services/networking/netbird/proxy.nix

@@ -0,0 +1,104 @@
+{ lib, config, ... }:
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    ;
+  inherit (lib.types) str;
+  cfg = config.services.netbird.server.proxy;
+in
+{
+  options.services.netbird.server.proxy = {
+    enable = mkEnableOption "A reverse proxy for netbirds' services";
+
+    enableNginx = mkEnableOption "Nginx reverse-proxy for the netbird signal service";
+
+    signalAddress = mkOption {
+      type = str;
+      description = "The external address to reach the signal service.";
+    };
+
+    relayAddress = mkOption {
+      type = str;
+      description = "The external address to reach the relay service.";
+    };
+
+    managementAddress = mkOption {
+      type = str;
+      description = "The external address to reach the dashboard.";
+    };
+
+    dashboardAddress = mkOption {
+      type = str;
+      description = "The external address to reach the dashboard.";
+    };
+
+    domain = mkOption {
+      type = str;
+      description = "The public domain to reach the proxy";
+    };
+  };
+  config = mkIf cfg.enable {
+    services.nginx = mkIf cfg.enableNginx {
+      enable = true;
+
+      virtualHosts.${cfg.domain} = {
+        locations = {
+          "/" = {
+            proxyPass = "http://${cfg.dashboardAddress}";
+            proxyWebSockets = true;
+          };
+          "/api".proxyPass = "http://${cfg.managementAddress}";
+
+          "/management.ManagementService/".extraConfig = ''
+            # This is necessary so that grpc connections do not get closed early
+            # see https://stackoverflow.com/a/67805465
+            client_body_timeout 1d;
+
+            grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            grpc_pass grpc://${cfg.managementAddress};
+            grpc_read_timeout 1d;
+            grpc_send_timeout 1d;
+            grpc_socket_keepalive on;
+          '';
+        };
+        locations."/signalexchange.SignalExchange/".extraConfig = ''
+          # This is necessary so that grpc connections do not get closed early
+          # see https://stackoverflow.com/a/67805465
+          client_body_timeout 1d;
+
+          grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+          grpc_pass grpc://${cfg.signalAddress};
+          grpc_read_timeout 1d;
+          grpc_send_timeout 1d;
+          grpc_socket_keepalive on;
+        '';
+        locations."/relay".extraConfig = ''
+          proxy_pass http://${cfg.relayAddress}/relay;
+
+          # WebSocket support
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "Upgrade";
+
+          # Forward headers
+          proxy_set_header Host $http_host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+
+          # Timeout settings
+          proxy_read_timeout 3600s;
+          proxy_send_timeout 3600s;
+          proxy_connect_timeout 60s;
+
+          # Handle upstream errors
+          proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+        '';
+      };
+    };
+  };
+}