Port the NetBird client listens on.

Log level of the NetBird daemon.

Primary name for use (as a suffix) in:

• systemd service name,
• hardened user name and group,
• systemd *Directory= names,
• desktop application identification,

Start the service with the system

A systemd service name to use (without .service suffix).

Name of the network interface managed by this client.

Opens up firewall port for communication between NetBird peers directly over LAN or public IP, without using (internet-hosted) TURN servers as intermediaries.

Additional configuration that exists before the first start and later overrides the existing values in config.json

Environment for the netbird service, used to pass configuration options.

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Opens up internal firewall ports for the NetBird's network interface.