Add Client Settings documentation section (#612)

* Add Block Inbound Connections documentation to Client settings

Document the previously undocumented "Block Inbound Connections" client
setting (introduced in v0.46.0). Adds a dedicated feature page under
Client > Settings, updates the sidebar navigation, and adds the
--block-inbound flag to the CLI reference.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Move Post-Quantum Cryptography to Client settings and add systray notes

Move the Rosenpass/post-quantum cryptography page from manage/integrations/
to client/ under the new Settings section. Add redirects for the old URL.
Also add systray toggle instructions to both the Quantum-Resistance and
Lazy Connections pages.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Rename post-quantum cryptography page and fix hydration error

Drop the "Enable" prefix from the page title and filename for a cleaner
topic name. Update redirects and navigation. Fix hydration mismatch
caused by a <div> (Button component) nested inside a <p> tag.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

next.config.mjs

@@ -454,7 +454,17 @@ const nextConfig = {
             // documentation redirects for integrations
             {
                 source: '/how-to/enable-post-quantum-cryptography',
-                destination: '/manage/integrations/enable-post-quantum-cryptography',
+                destination: '/client/post-quantum-cryptography',
+                permanent: true,
+            },
+            {
+                source: '/manage/integrations/enable-post-quantum-cryptography',
+                destination: '/client/post-quantum-cryptography',
+                permanent: true,
+            },
+            {
+                source: '/client/enable-post-quantum-cryptography',
+                destination: '/client/post-quantum-cryptography',
                 permanent: true,
             },
             {

src/pages/client/block-inbound-connections.mdx

@@ -0,0 +1,55 @@
+import {Note} from "@/components/mdx";
+
+# Block Inbound Connections
+
+The Block Inbound Connections setting prevents all inbound connections to the local machine and any networks it routes. When enabled, the NetBird client will drop all incoming peer traffic — including peer-to-peer connections, routed network traffic, and SSH — regardless of access control policies configured in the management service.
+
+This is a client-side override that takes precedence over any policies received from the management service.
+
+<Note>
+    Available since NetBird <strong>v0.46.0</strong>.
+</Note>
+
+## When to use it
+
+- **Outbound-only peers**: A machine that only needs to access remote resources but should never be reachable by other peers.
+- **Temporary lockdown**: Quickly block all inbound access to a machine without modifying server-side policies.
+- **Defense-in-depth**: Add a client-side layer of protection alongside your access control policies.
+
+## What it blocks
+
+When Block Inbound Connections is enabled, the client will not add any inbound firewall rules. This means:
+
+- **Peer connections**: Other peers cannot initiate connections to this machine.
+- **Routed network traffic**: If this peer acts as a routing peer, inbound traffic to its routed networks is also blocked.
+- **SSH access**: NetBird SSH connections to this peer are blocked.
+
+<Note>
+    This setting overrides all policies from the management service. Even if an access control policy explicitly allows traffic to this peer, inbound connections will still be blocked.
+</Note>
+
+## Enabling via the system tray
+
+1. Click the NetBird icon in the system tray.
+2. Go to **Settings**.
+3. Click **Block Inbound Connections** to toggle the setting.
+
+When enabled, a checkmark will appear next to the menu item.
+
+## Enabling via the CLI
+
+You can enable Block Inbound Connections when starting the NetBird client:
+
+```bash
+netbird up --block-inbound
+```
+
+To disable it, run:
+
+```bash
+netbird up --block-inbound=false
+```
+
+<Note>
+    When toggling this setting via the CLI, the system tray UI may not reflect the change until the NetBird GUI is restarted.
+</Note>

src/pages/client/post-quantum-cryptography.mdx

@@ -1,6 +1,6 @@
 import {Note} from "@/components/mdx";
 
-# Enable post-quantum cryptography
+# Post-quantum cryptography
 Post-quantum cryptography aims to mitigate risks associated with quantum computing's potential to undermine existing encryption methods.
 Current concerns include the possibility of bad actors collecting encrypted network traffic to decrypt it once quantum computers become available.
 This 'harvest and decrypt later' strategy threatens the confidentiality of presently secure communications.
@@ -24,6 +24,15 @@ that automatically rotates and applies WireGuard pre-shared keys to every point-
 <Note>
     This is still an experimental feature, may contain bugs, and is not supported on mobile devices.
 </Note>
+
+### Enabling via the system tray
+
+1. Click the NetBird icon in the system tray.
+2. Go to **Settings**.
+3. Click **Enable Quantum-Resistance** to toggle the setting.
+
+### Enabling via the CLI
+
 Rosenpass can be enabled by setting a flag on client start-up.
 ```bash
 netbird up --enable-rosenpass
@@ -60,9 +69,9 @@ netbird up --enable-rosenpass --rosenpass-permissive
 
 
 ## Get started
-<p float="center" >
+<div>
     <Button name="button" className="button-5" onClick={() => window.open("https://netbird.io/pricing")}>Use NetBird</Button>
-</p>
+</div>
 
 - Make sure to [star us on GitHub](https://github.com/netbirdio/netbird)
 - Follow us [on X](https://x.com/netbird)

src/pages/get-started/cli.mdx

@@ -97,6 +97,7 @@ The command will check if the peer is logged in and connect to the management se
       --interface-name string                 Wireguard interface name (default "utun100")
       --rosenpass-permissive                  [Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.
       --wireguard-port uint16                 Wireguard interface listening port (default 51820)
+      --block-inbound                         Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks. This overrides any policies received from the management service.
 ```
 #### Usage
 The minimal form of running the command is:

src/pages/manage/peers/lazy-connection.mdx

@@ -42,6 +42,14 @@ Once a connection between two peers is established, it will remain open only if
 The default inactivity threshold is <strong>60 minutes</strong>, and can be configured via the <code>NB_LAZY_CONN_INACTIVITY_THRESHOLD</code> environment variable (`60`).
 </Note>
 
+## Enabling via the system tray
+
+You can toggle Lazy Connections directly from the NetBird system tray:
+
+1. Click the NetBird icon in the system tray.
+2. Go to **Settings**.
+3. Click **Enable Lazy Connections** to toggle the setting.
+
 ## Enabling Lazy Connections on agent
 
 Lazy connections are disabled by default. You can enable Lazy Connections using the following environment variable: