nixos/netbird: harden and extend options

[nazarewk]

Description of changes

I have recently extensively tested and fixed all features of Netbird in my own implementation of multi-instance Netbird installations.

While doing so I discovered another multi-instance implementation got merged into nixpkgs #246055 which is slightly different, but still a solid base to upstream the rest of my changes:

• running as DynamicUser it's own user with minimal set of permissions
  • it was there before, but was lacking some of capabilities,
• made some configurations situational
• add more unmanaged interface configurations
• quality of life improvements:
  • configure log level for each interface
  • optionally turn off starting during boot
  • openFirewall by default
  • add shortcuts/wrappers for each created instance

I think it's a pretty good time to upstream, because I will be extensively using it at work: just launched my first Colmena-managed NixOS into GCE.

There are plans to support multi-account connections on the same daemon in Q2/2024 (see the slack message), but it's not known what shape it will take at all.

I decided to implement following significant changes:

• instances must specify a port they will be listening on as it doesn't make much sense to give an immediately conflicting default,
• aliased tunnels to clients, because a word tunnel does not exist in Netbird's nomenclature (unlike some other VPNs) and is pretty misleading. Also clients.* play nicely with my plan to implement a server in near future.
• skipped destructuring expressions (eg: {name, ...}: name -> client: client.name) because they make the code very hard to follow and update with increased number of options,

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[nazarewk]

(And this still modifies old release notes)

any idea how to prevent that? nixpkgs is not activatable without this modification

[Mic92]

I'd merge but NixOS tests seem to be broken or hanging? @Mic92 how to unblock this?

Fixing the test? I am not using netbird and have currently other things on my list. Sorry.

[fricklerhandwerk]

I'm not sure if and how the test is even broken. All that's observable is that it's running seemingly forever, and I wondered how to re-trigger it or something. Is any of that ofborg stuff documented anywhere @dasJ?

[nazarewk]

I'd merge but NixOS tests seem to be broken or hanging? @Mic92 how to unblock this?

Fixing the test? I am not using netbird and have currently other things on my list. Sorry.

I'll adress remaining things this week. Otherwise I didn't touch it apart from rebasing for months already.

[nazarewk]

I have fixed the tests (I did some incompatible changes to the module on the way), but even though I've added option rename, the manual still doesn't build:

nixpkgs/nixos/modules/services/networking/netbird.nix

Lines 75 to 77 in c65c0c2

	imports = [
	(mkRenamedOptionModule [ "services" "netbird" "tunnels" ] [ "services" "netbird" "clients" ])
	];

[nazarewk]

I have fixed the tests (I did some incompatible changes to the module on the way), but even though I've added option rename, the manual still doesn't build:

nixpkgs/nixos/modules/services/networking/netbird.nix

Lines 75 to 77 in c65c0c2

	imports = [
	(mkRenamedOptionModule [ "services" "netbird" "tunnels" ] [ "services" "netbird" "clients" ])
	];

seems like there is some (actually quite a lot, just not AS relevant as this one) precedent to removing & editing old release notes:
e3812e1#diff-9538c800780031db3dfa7746f5a36fbbc895c60fdc896385bedd36940927427dL79-L81

[nazarewk]

I have fixed the tests (I did some incompatible changes to the module on the way), but even though I've added option rename, the manual still doesn't build:

nixpkgs/nixos/modules/services/networking/netbird.nix

Lines 75 to 77 in c65c0c2

	imports = [
	(mkRenamedOptionModule [ "services" "netbird" "tunnels" ] [ "services" "netbird" "clients" ])
	];

seems like there is some (actually quite a lot, just not AS relevant as this one) precedent to removing & editing old release notes: e3812e1#diff-9538c800780031db3dfa7746f5a36fbbc895c60fdc896385bedd36940927427dL79-L81

As per #287236 (comment) , I am temporarily using mkAliasOptionModule until there is a better implementation to build release notes without errors.

[fricklerhandwerk]

Thanks a great deal for sticking through it, and sorry for the long delay.