sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: fix grpc configuration issue causing device logins to fail

Browse source
This commit is contained in:
oddlama 2024-05-16 00:43:13 +02:00
parent 5c354c8ec8
commit 590266c793
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
1 changed files with 18 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

30
hosts/ward/guests/netbird.nix
View file

@ -9,7 +9,10 @@
in { in {
wireguard.proxy-sentinel = { wireguard.proxy-sentinel = {
client.via = "sentinel"; client.via = "sentinel";
firewallRuleForNode.sentinel.allowedTCPPorts = [3000 3001]; firewallRuleForNode.sentinel.allowedTCPPorts = [
config.services.netbird.server.management.port
config.services.netbird.server.signal.port
];
}; };
# Mirror the original coturn password # Mirror the original coturn password
@ -44,13 +47,17 @@ in {
dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird"; dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
management = { management = {
port = 3000;
dnsDomain = "internal.${config.repo.secrets.global.domains.me}"; dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
singleAccountModeDomain = "home.lan"; singleAccountModeDomain = "home.lan";
oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration"; oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
turnDomain = sentinelCfg.networking.providedDomains.coturn; turnDomain = sentinelCfg.networking.providedDomains.coturn;
turnPort = sentinelCfg.services.coturn.tls-listening-port; turnPort = sentinelCfg.services.coturn.tls-listening-port;
settings = { settings = {
HttpConfig = {
# Audience must be set here, otherwise the grpc server will not initialize the jwt validator causing:
# failed validating JWT token sent from peer [...] no jwt validator set
AuthAudience = "netbird";
};
TURNConfig = { TURNConfig = {
Secret._secret = config.age.secrets.coturn-secret.path; Secret._secret = config.age.secrets.coturn-secret.path;
Turns = [ Turns = [
@ -72,30 +79,26 @@ in {
networking.providedDomains.netbird = netbirdDomain; networking.providedDomains.netbird = netbirdDomain;
services.nginx = { services.nginx = {
upstreams.netbird = {
servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};
extraConfig = ''
zone netbird 64k;
keepalive 5;
'';
};
upstreams.netbird-mgmt = { upstreams.netbird-mgmt = {
servers."${config.wireguard.proxy-sentinel.ipv4}:3000" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${builtins.toString config.services.netbird.server.management.port}" = {};
extraConfig = '' extraConfig = ''
zone netbird 64k; zone netbird 64k;
keepalive 5; keepalive 5;
''; '';
}; };
upstreams.netbird-signal = { upstreams.netbird-signal = {
servers."${config.wireguard.proxy-sentinel.ipv4}:3001" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${builtins.toString config.services.netbird.server.signal.port}" = {};
extraConfig = '' extraConfig = ''
zone netbird 64k; zone netbird 64k;
keepalive 5; keepalive 5;
''; '';
}; };
virtualHosts.${netbirdDomain} = { virtualHosts.${netbirdDomain} = {
forceSSL = true; forceSSL = true;
useACMEWildcardHost = true; useACMEWildcardHost = true;
locations = { locations = {
"/" = { "/" = {
root = config.services.netbird.server.dashboard.finalDrv; root = config.services.netbird.server.dashboard.finalDrv;
@ -105,6 +108,7 @@ in {
"/signalexchange.SignalExchange/".extraConfig = '' "/signalexchange.SignalExchange/".extraConfig = ''
grpc_pass grpc://netbird-signal; grpc_pass grpc://netbird-signal;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
grpc_read_timeout 1d; grpc_read_timeout 1d;
grpc_send_timeout 1d; grpc_send_timeout 1d;
grpc_socket_keepalive on; grpc_socket_keepalive on;
@ -114,16 +118,18 @@ in {
"/management.ManagementService/".extraConfig = '' "/management.ManagementService/".extraConfig = ''
grpc_pass grpc://netbird-mgmt; grpc_pass grpc://netbird-mgmt;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
grpc_read_timeout 1d; grpc_read_timeout 1d;
grpc_send_timeout 1d; grpc_send_timeout 1d;
grpc_socket_keepalive on; grpc_socket_keepalive on;
''; '';
}; };
# client_body_timeout is necessary so that grpc connections do not get closed early, see https://stackoverflow.com/a/67805465
extraConfig = '' extraConfig = ''
client_max_body_size 500M ;
client_header_timeout 1d; client_header_timeout 1d;
client_body_timeout 1d; client_body_timeout 1d;
client_max_body_size 512M;
''; '';
}; };
}; };