Attribute set of NetBird client daemons, by default each one will:

1. be manageable using dedicated tooling:

• netbird-<name> script,
• NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),

2. run as a netbird-<name>.service,
3. listen for incoming remote connections on the port 51820 (openFirewall by default),
4. manage the netbird-<name> wireguard interface,
5. use the /var/lib/netbird-/config.json configuration file,
6. override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
7. (hardened) be locally manageable by netbird-<name> system group,

With following caveats:

• multiple daemons will interfere with each other's DNS resolution of netbird.cloud, but should remain fully operational otherwise

Alias of services.netbird.clients.

A system user name for this client instance.

A system group name for this client instance.

Controls presence of netbird-ui wrapper for this NetBird client.

Port the NetBird client listens on.

A system group name for this client instance.

A systemd service name to use (without .service suffix).

A state directory used by NetBird client to store config.json, state.json & resolv.conf.

Log level of the NetBird daemon.

Primary name for use (as a suffix) in:

• systemd service name,
• hardened user name and group,
• systemd *Directory= names,
• desktop application identification,

A systemd service name to use (without .service suffix).

A runtime directory used by NetBird client.

Whether to enable automated login for NetBird client.

A Setup Key file path used for automated login of the machine.

Start the service with the system

A port to serve DNS entries on when dns-resolver.address is enabled.

A systemd service name to use (without .service suffix).

Name of the network interface managed by this client.

Opens up firewall port for communication between NetBird peers directly over LAN or public IP, without using (internet-hosted) TURN servers as intermediaries.

Additional configuration that exists before the first start and later overrides the existing values in config.json

An explicit address that NetBird will serve *.netbird.cloud. (usually) entries on

Environment for the netbird service, used to pass configuration options.

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Opens up internal firewall ports for the NetBird's network interface.

Additional systemd dependencies required to succeed before the Setup Key file becomes available.

Enables backward-compatible NetBird client service