refactor(idp): make NetBird single source of truth for authorization

Remove duplicate authorization data from Zitadel IdP. NetBird now stores
all authorization data (account membership, invite status, roles) locally,
while Zitadel only stores identity information (email, name, credentials).

Changes:
- Add PendingInvite field to User struct to track invite status locally
- Simplify IdP Manager interface: remove metadata methods, add GetAllUsers
- Update cache warming to match IdP users against NetBird DB
- Remove addAccountIDToIDPAppMeta and all wt_* metadata writes
- Delete legacy IdP managers (Auth0, Azure, Keycloak, Okta, Google
  Workspace, JumpCloud, Authentik, PocketId) - only Zitadel supported

infrastructure_files/Caddyfile.tmpl

@@ -0,0 +1,83 @@
+{
+	servers :80,:443 {
+		protocols h1 h2c h2 h3
+	}
+}
+
+(security_headers) {
+	header * {
+		# HSTS - use 1 hour for testing, increase to 63072000 (2 years) in production
+		Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+		# Prevent MIME type sniffing
+		X-Content-Type-Options "nosniff"
+		# Clickjacking protection
+		X-Frame-Options "SAMEORIGIN"
+		# XSS protection
+		X-XSS-Protection "1; mode=block"
+		# Remove server header
+		-Server
+		# Referrer policy
+		Referrer-Policy strict-origin-when-cross-origin
+	}
+}
+
+:${NETBIRD_CADDY_PORT}${CADDY_SECURE_DOMAIN} {
+	import security_headers
+
+	# Relay
+	reverse_proxy /relay* relay:${NETBIRD_RELAY_INTERNAL_PORT}
+
+	# Signal - WebSocket proxy
+	reverse_proxy /ws-proxy/signal* signal:80
+	# Signal - gRPC
+	reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
+
+	# Management - REST API
+	reverse_proxy /api/* management:80
+	# Management - WebSocket proxy
+	reverse_proxy /ws-proxy/management* management:80
+	# Management - gRPC
+	reverse_proxy /management.ManagementService/* h2c://management:80
+
+	# Zitadel - Admin API
+	reverse_proxy /zitadel.admin.v1.AdminService/* h2c://zitadel:8080
+	reverse_proxy /admin/v1/* h2c://zitadel:8080
+
+	# Zitadel - Auth API
+	reverse_proxy /zitadel.auth.v1.AuthService/* h2c://zitadel:8080
+	reverse_proxy /auth/v1/* h2c://zitadel:8080
+
+	# Zitadel - Management API
+	reverse_proxy /zitadel.management.v1.ManagementService/* h2c://zitadel:8080
+	reverse_proxy /management/v1/* h2c://zitadel:8080
+
+	# Zitadel - System API
+	reverse_proxy /zitadel.system.v1.SystemService/* h2c://zitadel:8080
+	reverse_proxy /system/v1/* h2c://zitadel:8080
+
+	# Zitadel - User API v2
+	reverse_proxy /zitadel.user.v2.UserService/* h2c://zitadel:8080
+
+	# Zitadel - Assets
+	reverse_proxy /assets/v1/* h2c://zitadel:8080
+
+	# Zitadel - UI (login, console, etc.)
+	reverse_proxy /ui/* h2c://zitadel:8080
+
+	# Zitadel - OIDC endpoints
+	reverse_proxy /oidc/v1/* h2c://zitadel:8080
+	reverse_proxy /oauth/v2/* h2c://zitadel:8080
+	reverse_proxy /.well-known/openid-configuration h2c://zitadel:8080
+
+	# Zitadel - SAML
+	reverse_proxy /saml/v2/* h2c://zitadel:8080
+
+	# Zitadel - Other
+	reverse_proxy /openapi/* h2c://zitadel:8080
+	reverse_proxy /debug/* h2c://zitadel:8080
+	reverse_proxy /device/* h2c://zitadel:8080
+	reverse_proxy /device h2c://zitadel:8080
+
+	# Dashboard - catch-all for frontend
+	reverse_proxy /* dashboard:80
+}

infrastructure_files/base.setup.env

@@ -2,29 +2,20 @@
 
 # Management API
 
-# Management API port
-NETBIRD_MGMT_API_PORT=${NETBIRD_MGMT_API_PORT:-33073}
-# Management API endpoint address, used by the Dashboard
-NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
-# Management Certificate file path. These are generated by the Dashboard container
-NETBIRD_LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
-NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"
-# Management Certificate key file path.
-NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/privkey.pem"
+# Management API endpoint address, used by the Dashboard (Caddy handles TLS)
+NETBIRD_MGMT_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL:-https}://$NETBIRD_DOMAIN
 # By default Management single account mode is enabled and domain set to $NETBIRD_DOMAIN, you may want to set this to your user's email domain
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
-NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=${NETBIRD_MGMT_IDP_SIGNKEY_REFRESH:-false}
 NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=${NETBIRD_MGMT_DISABLE_DEFAULT_POLICY:-false}
 
 # Signal
-NETBIRD_SIGNAL_PROTOCOL="http"
-NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
+NETBIRD_SIGNAL_PROTOCOL=${NETBIRD_HTTP_PROTOCOL:-https}
+NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-443}
 
-# Relay
-NETBIRD_RELAY_DOMAIN=${NETBIRD_RELAY_DOMAIN:-$NETBIRD_DOMAIN}
-NETBIRD_RELAY_PORT=${NETBIRD_RELAY_PORT:-33080}
-NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT:-rel://$NETBIRD_RELAY_DOMAIN:$NETBIRD_RELAY_PORT}
+# Relay (internal port for Caddy reverse proxy)
+NETBIRD_RELAY_INTERNAL_PORT=${NETBIRD_RELAY_INTERNAL_PORT:-80}
+NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT:-${NETBIRD_RELAY_PROTO:-rels}://$NETBIRD_DOMAIN:${NETBIRD_RELAY_PORT:-443}}
 # Relay auth secret
 NETBIRD_RELAY_AUTH_SECRET=
 
@@ -141,3 +132,57 @@ export NETBIRD_RELAY_ENDPOINT
 export NETBIRD_RELAY_AUTH_SECRET
 export NETBIRD_RELAY_TAG
 export NETBIRD_MGMT_DISABLE_DEFAULT_POLICY
+
+# Zitadel IdP Configuration
+ZITADEL_TAG=${ZITADEL_TAG:-"v4.7.6"}
+# Zitadel masterkey (32 bytes, auto-generated if not set)
+ZITADEL_MASTERKEY=
+# Zitadel admin credentials (auto-generated if not set)
+ZITADEL_ADMIN_USERNAME=
+ZITADEL_ADMIN_PASSWORD=
+# Zitadel external configuration
+ZITADEL_EXTERNALSECURE=${ZITADEL_EXTERNALSECURE:-true}
+ZITADEL_EXTERNALPORT=${ZITADEL_EXTERNALPORT:-443}
+ZITADEL_TLS_MODE=${ZITADEL_TLS_MODE:-external}
+# Zitadel PAT expiration (1 year from startup)
+ZITADEL_PAT_EXPIRATION=
+# Zitadel management endpoint
+ZITADEL_MANAGEMENT_ENDPOINT=${NETBIRD_HTTP_PROTOCOL:-https}://$NETBIRD_DOMAIN/management/v1
+# HTTP protocol (http or https)
+NETBIRD_HTTP_PROTOCOL=${NETBIRD_HTTP_PROTOCOL:-https}
+# Caddy configuration
+NETBIRD_CADDY_PORT=${NETBIRD_CADDY_PORT:-80}
+CADDY_SECURE_DOMAIN=
+
+# Zitadel OIDC endpoints
+NETBIRD_AUTH_AUTHORITY=${NETBIRD_HTTP_PROTOCOL:-https}://$NETBIRD_DOMAIN
+NETBIRD_AUTH_TOKEN_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/oauth/v2/token
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/.well-known/openid-configuration
+NETBIRD_AUTH_JWT_CERTS=${NETBIRD_AUTH_AUTHORITY}/.well-known/jwks.json
+NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/oauth/v2/authorize
+NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=${NETBIRD_AUTH_AUTHORITY}/oauth/v2/device_authorization
+NETBIRD_AUTH_USER_ID_CLAIM=${NETBIRD_AUTH_USER_ID_CLAIM:-sub}
+NETBIRD_AUTH_SUPPORTED_SCOPES=${NETBIRD_AUTH_SUPPORTED_SCOPES:-"openid profile email offline_access"}
+
+# Zitadel exports
+export ZITADEL_TAG
+export ZITADEL_MASTERKEY
+export ZITADEL_ADMIN_USERNAME
+export ZITADEL_ADMIN_PASSWORD
+export ZITADEL_EXTERNALSECURE
+export ZITADEL_EXTERNALPORT
+export ZITADEL_TLS_MODE
+export ZITADEL_PAT_EXPIRATION
+export ZITADEL_MANAGEMENT_ENDPOINT
+export NETBIRD_HTTP_PROTOCOL
+export NETBIRD_CADDY_PORT
+export CADDY_SECURE_DOMAIN
+export NETBIRD_AUTH_AUTHORITY
+export NETBIRD_AUTH_TOKEN_ENDPOINT
+export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT
+export NETBIRD_AUTH_JWT_CERTS
+export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT
+export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT
+export NETBIRD_AUTH_USER_ID_CLAIM
+export NETBIRD_AUTH_SUPPORTED_SCOPES
+export NETBIRD_RELAY_INTERNAL_PORT

infrastructure_files/configure.sh

@@ -1,261 +1,137 @@
 #!/bin/bash
 set -e
 
-if ! which curl >/dev/null 2>&1; then
-  echo "This script uses curl fetch OpenID configuration from IDP."
-  echo "Please install curl and re-run the script https://curl.se/"
-  echo ""
-  exit 1
-fi
-
-if ! which jq >/dev/null 2>&1; then
-  echo "This script uses jq to load OpenID configuration from IDP."
-  echo "Please install jq and re-run the script https://stedolan.github.io/jq/"
-  echo ""
-  exit 1
-fi
+# Check required dependencies
+for cmd in curl jq envsubst openssl; do
+  if ! which $cmd >/dev/null 2>&1; then
+    echo "This script requires $cmd. Please install it and re-run."
+    exit 1
+  fi
+done
 
+# Source configuration
 source setup.env
 source base.setup.env
 
-if ! which envsubst >/dev/null 2>&1; then
-  echo "envsubst is needed to run this script"
-  if [[ $(uname) == "Darwin" ]]; then
-    echo "you can install it with homebrew (https://brew.sh):"
-    echo "brew install gettext"
-  else
-    if which apt-get >/dev/null 2>&1; then
-      echo "you can install it by running"
-      echo "apt-get update && apt-get install gettext-base"
-    else
-      echo "you can install it by installing the package gettext with your package manager"
-    fi
-  fi
+# Validate required variables
+if [[ -z "$NETBIRD_DOMAIN" ]]; then
+  echo "NETBIRD_DOMAIN is not set, please update your setup.env file"
   exit 1
 fi
 
-if [[ "x-$NETBIRD_DOMAIN" == "x-" ]]; then
-  echo NETBIRD_DOMAIN is not set, please update your setup.env file
-  echo If you are migrating from old versions, you might need to update your variables prefixes from
-  echo WIRETRUSTEE_.. TO NETBIRD_
+# Check database configuration if using external database
+if [[ "$NETBIRD_STORE_CONFIG_ENGINE" == "postgres" && -z "$NETBIRD_STORE_ENGINE_POSTGRES_DSN" ]]; then
+  echo "Error: NETBIRD_STORE_CONFIG_ENGINE=postgres but NETBIRD_STORE_ENGINE_POSTGRES_DSN is not set."
   exit 1
 fi
 
-# Check if PostgreSQL is set as the store engine
-if [[ "$NETBIRD_STORE_CONFIG_ENGINE" == "postgres" ]]; then
-  # Exit if 'NETBIRD_STORE_ENGINE_POSTGRES_DSN' is not set
-  if [[ -z "$NETBIRD_STORE_ENGINE_POSTGRES_DSN" ]]; then
-    echo "Warning: NETBIRD_STORE_CONFIG_ENGINE=postgres but NETBIRD_STORE_ENGINE_POSTGRES_DSN is not set."
-    echo "Please add the following line to your setup.env file:"
-    echo 'NETBIRD_STORE_ENGINE_POSTGRES_DSN="host=<PG_HOST> user=<PG_USER> password=<PG_PASSWORD> dbname=<PG_DB_NAME> port=<PG_PORT>"'
-    exit 1
-  fi
-  export NETBIRD_STORE_ENGINE_POSTGRES_DSN
+if [[ "$NETBIRD_STORE_CONFIG_ENGINE" == "mysql" && -z "$NETBIRD_STORE_ENGINE_MYSQL_DSN" ]]; then
+  echo "Error: NETBIRD_STORE_CONFIG_ENGINE=mysql but NETBIRD_STORE_ENGINE_MYSQL_DSN is not set."
+  exit 1
 fi
 
-# Check if MySQL is set as the store engine
-if [[ "$NETBIRD_STORE_CONFIG_ENGINE" == "mysql" ]]; then
-  # Exit if 'NETBIRD_STORE_ENGINE_MYSQL_DSN' is not set
-  if [[ -z "$NETBIRD_STORE_ENGINE_MYSQL_DSN" ]]; then
-    echo "Warning: NETBIRD_STORE_CONFIG_ENGINE=mysql but NETBIRD_STORE_ENGINE_MYSQL_DSN is not set."
-    echo "Please add the following line to your setup.env file:"
-    echo 'NETBIRD_STORE_ENGINE_MYSQL_DSN="<username>:<password>@tcp(127.0.0.1:3306)/<database>"'
-    exit 1
-  fi
-  export NETBIRD_STORE_ENGINE_MYSQL_DSN
-fi
-
-# local development or tests
+# Configure for local development vs production
 if [[ $NETBIRD_DOMAIN == "localhost" || $NETBIRD_DOMAIN == "127.0.0.1" ]]; then
   export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN="netbird.selfhosted"
-  export NETBIRD_MGMT_API_ENDPOINT=http://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
-  unset NETBIRD_MGMT_API_CERT_FILE
-  unset NETBIRD_MGMT_API_CERT_KEY_FILE
-fi
-
-# if not provided, we generate a turn password
-if [[ "x-$TURN_PASSWORD" == "x-" ]]; then
-  export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
-fi
-
-TURN_EXTERNAL_IP_CONFIG="#"
-
-if [[ "x-$NETBIRD_TURN_EXTERNAL_IP" == "x-" ]]; then
-  echo "discovering server's public IP"
-  IP=$(curl -s -4 https://jsonip.com | jq -r '.ip')
-  if [[ "x-$IP" != "x-" ]]; then
-    TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
-  else
-    echo "unable to discover server's public IP"
-  fi
+  export NETBIRD_MGMT_API_ENDPOINT="http://$NETBIRD_DOMAIN"
+  export NETBIRD_HTTP_PROTOCOL="http"
+  export ZITADEL_EXTERNALSECURE="false"
+  export ZITADEL_EXTERNALPORT="80"
+  export ZITADEL_TLS_MODE="disabled"
+  export NETBIRD_RELAY_PROTO="rel"
 else
-  echo "${NETBIRD_TURN_EXTERNAL_IP}"| egrep '([0-9]{1,3}\.){3}[0-9]{1,3}$' > /dev/null
-  if [[ $? -eq 0 ]]; then
-    echo "using provided server's public IP"
-    TURN_EXTERNAL_IP_CONFIG="external-ip=$NETBIRD_TURN_EXTERNAL_IP"
-  else
-    echo "provided NETBIRD_TURN_EXTERNAL_IP $NETBIRD_TURN_EXTERNAL_IP is invalid, please correct it and try again"
-    exit 1
-  fi
+  export NETBIRD_HTTP_PROTOCOL="https"
+  export ZITADEL_EXTERNALSECURE="true"
+  export ZITADEL_EXTERNALPORT="443"
+  export ZITADEL_TLS_MODE="external"
+  export NETBIRD_RELAY_PROTO="rels"
+  export CADDY_SECURE_DOMAIN=", $NETBIRD_DOMAIN:443"
 fi
 
+# Auto-generate secrets if not provided
+[[ -z "$TURN_PASSWORD" ]] && export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
+[[ -z "$NETBIRD_RELAY_AUTH_SECRET" ]] && export NETBIRD_RELAY_AUTH_SECRET=$(openssl rand -base64 32 | sed 's/=//g')
+[[ -z "$ZITADEL_MASTERKEY" ]] && export ZITADEL_MASTERKEY=$(openssl rand -base64 32 | head -c 32)
+
+# Generate Zitadel admin credentials if not provided
+if [[ -z "$ZITADEL_ADMIN_USERNAME" ]]; then
+  export ZITADEL_ADMIN_USERNAME="admin@${NETBIRD_DOMAIN}"
+fi
+if [[ -z "$ZITADEL_ADMIN_PASSWORD" ]]; then
+  export ZITADEL_ADMIN_PASSWORD="$(openssl rand -base64 32 | sed 's/=//g')!"
+fi
+
+# Set Zitadel PAT expiration (1 year from now)
+if [[ "$OSTYPE" == "darwin"* ]]; then
+  export ZITADEL_PAT_EXPIRATION=$(date -u -v+1y "+%Y-%m-%dT%H:%M:%SZ")
+else
+  export ZITADEL_PAT_EXPIRATION=$(date -u -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
+fi
+
+# Discover external IP for TURN
+TURN_EXTERNAL_IP_CONFIG="#"
+if [[ -z "$NETBIRD_TURN_EXTERNAL_IP" ]]; then
+  IP=$(curl -s -4 https://jsonip.com | jq -r '.ip' 2>/dev/null || echo "")
+  [[ -n "$IP" ]] && TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
+elif echo "$NETBIRD_TURN_EXTERNAL_IP" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
+  TURN_EXTERNAL_IP_CONFIG="external-ip=$NETBIRD_TURN_EXTERNAL_IP"
+fi
 export TURN_EXTERNAL_IP_CONFIG
 
-# if not provided, we generate a relay auth secret
-if [[ "x-$NETBIRD_RELAY_AUTH_SECRET" == "x-" ]]; then
-  export NETBIRD_RELAY_AUTH_SECRET=$(openssl rand -base64 32 | sed 's/=//g')
-fi
-
-artifacts_path="./artifacts"
-mkdir -p $artifacts_path
+# Configure endpoints
+export NETBIRD_AUTH_AUTHORITY="${NETBIRD_HTTP_PROTOCOL}://${NETBIRD_DOMAIN}"
+export NETBIRD_AUTH_TOKEN_ENDPOINT="${NETBIRD_AUTH_AUTHORITY}/oauth/v2/token"
+export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="${NETBIRD_AUTH_AUTHORITY}/.well-known/openid-configuration"
+export NETBIRD_AUTH_JWT_CERTS="${NETBIRD_AUTH_AUTHORITY}/.well-known/jwks.json"
+export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT="${NETBIRD_AUTH_AUTHORITY}/oauth/v2/authorize"
+export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT="${NETBIRD_AUTH_AUTHORITY}/oauth/v2/device_authorization"
+export ZITADEL_MANAGEMENT_ENDPOINT="${NETBIRD_AUTH_AUTHORITY}/management/v1"
+export NETBIRD_RELAY_ENDPOINT="${NETBIRD_RELAY_PROTO}://${NETBIRD_DOMAIN}:${ZITADEL_EXTERNALPORT}"
 
+# Volume names (with backwards compatibility)
 MGMT_VOLUMENAME="${VOLUME_PREFIX}${MGMT_VOLUMESUFFIX}"
 SIGNAL_VOLUMENAME="${VOLUME_PREFIX}${SIGNAL_VOLUMESUFFIX}"
-LETSENCRYPT_VOLUMENAME="${VOLUME_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
-# if volume with wiretrustee- prefix already exists, use it, else create new with netbird-
 OLD_PREFIX='wiretrustee-'
-if docker volume ls | grep -q "${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"; then
-  MGMT_VOLUMENAME="${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"
-fi
-if docker volume ls | grep -q "${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"; then
-  SIGNAL_VOLUMENAME="${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"
-fi
-if docker volume ls | grep -q "${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"; then
-  LETSENCRYPT_VOLUMENAME="${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
+docker volume ls 2>/dev/null | grep -q "${OLD_PREFIX}${MGMT_VOLUMESUFFIX}" && MGMT_VOLUMENAME="${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"
+docker volume ls 2>/dev/null | grep -q "${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}" && SIGNAL_VOLUMENAME="${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"
+export MGMT_VOLUMENAME SIGNAL_VOLUMENAME
+
+# Preserve existing encryption key
+if test -f 'management.json'; then
+  encKey=$(jq -r ".DataStoreEncryptionKey" management.json 2>/dev/null || echo "null")
+  [[ "$encKey" != "null" && -n "$encKey" ]] && export NETBIRD_DATASTORE_ENC_KEY="$encKey"
 fi
 
-export MGMT_VOLUMENAME
-export SIGNAL_VOLUMENAME
-export LETSENCRYPT_VOLUMENAME
-
-#backwards compatibility after migrating to generic OIDC with Auth0
-if [[ -z "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" ]]; then
-
-  if [[ -z "${NETBIRD_AUTH0_DOMAIN}" ]]; then
-    # not a backward compatible state
-    echo "NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT property must be set in the setup.env file"
-    exit 1
-  fi
-
-  echo "It seems like you provided an old setup.env file."
-  echo "Since the release of v0.8.10, we introduced a new set of properties."
-  echo "The script is backward compatible and will continue automatically."
-  echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
-
-  export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/openid-configuration"
-  export NETBIRD_USE_AUTH0="true"
-  export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
-  export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
-fi
-
-echo "loading OpenID configuration from ${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT} to the openid-configuration.json file"
-curl "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" -q -o ${artifacts_path}/openid-configuration.json
-
-export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' ${artifacts_path}/openid-configuration.json)
-export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' ${artifacts_path}/openid-configuration.json)
-export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' ${artifacts_path}/openid-configuration.json)
-export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' ${artifacts_path}/openid-configuration.json)
-export NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT=$(jq -r '.authorization_endpoint' ${artifacts_path}/openid-configuration.json)
-
-if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
-  # user enabled Device Authorization Grant feature
-  export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
-fi
-
-if [ "$NETBIRD_TOKEN_SOURCE" = "idToken" ]; then
-    export NETBIRD_AUTH_PKCE_USE_ID_TOKEN=true
-fi
-
-# Check if letsencrypt was disabled
-if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
-  export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
-  export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
-  export NETBIRD_RELAY_ENDPOINT="rels://$NETBIRD_DOMAIN:$NETBIRD_RELAY_PORT/relay"
-
-  echo "Letsencrypt was disabled, the Https-endpoints cannot be used anymore"
-  echo " and a reverse-proxy with Https needs to be placed in front of netbird!"
-  echo "The following forwards have to be setup:"
-  echo "- $NETBIRD_DASHBOARD_ENDPOINT -http-> dashboard:80"
-  echo "- $NETBIRD_MGMT_API_ENDPOINT/api -http-> management:$NETBIRD_MGMT_API_PORT"
-  echo "- $NETBIRD_MGMT_API_ENDPOINT/management.ManagementService/ -grpc-> management:$NETBIRD_MGMT_API_PORT"
-  echo "- $NETBIRD_SIGNAL_ENDPOINT/signalexchange.SignalExchange/ -grpc-> signal:80"
-  echo "- $NETBIRD_RELAY_ENDPOINT/ -http-> relay:33080"
-  echo "You most likely also have to change NETBIRD_MGMT_API_ENDPOINT in base.setup.env and port-mappings in docker-compose.yml.tmpl and rerun this script."
-  echo " The target of the forwards depends on your setup. Beware of the gRPC protocol instead of http for management and signal!"
-  echo "You are also free to remove any occurrences of the Letsencrypt-volume $LETSENCRYPT_VOLUMENAME"
-  echo ""
-
-  unset NETBIRD_LETSENCRYPT_DOMAIN
-  unset NETBIRD_MGMT_API_CERT_FILE
-  unset NETBIRD_MGMT_API_CERT_KEY_FILE
-fi
-
-if [[ -n "$NETBIRD_MGMT_API_CERT_FILE" && -n "$NETBIRD_MGMT_API_CERT_KEY_FILE" ]]; then
-  export NETBIRD_SIGNAL_PROTOCOL="https"
-fi
-
-# Check if management identity provider is set
-if [ -n "$NETBIRD_MGMT_IDP" ]; then
-  EXTRA_CONFIG={}
-
-  # extract extra config from all env prefixed with NETBIRD_IDP_MGMT_EXTRA_
-  for var in ${!NETBIRD_IDP_MGMT_EXTRA_*}; do
-    # convert key snake case to camel case
-    key=$(
-      echo "${var#NETBIRD_IDP_MGMT_EXTRA_}" | awk -F "_" \
-        '{for (i=1; i<=NF; i++) {output=output substr($i,1,1) tolower(substr($i,2))} print output}'
-    )
-    value="${!var}"
-
-   echo "$var"
-    EXTRA_CONFIG=$(jq --arg k "$key" --arg v "$value" '.[$k] = $v' <<<"$EXTRA_CONFIG")
-  done
-
-  export NETBIRD_MGMT_IDP
-  export NETBIRD_IDP_MGMT_CLIENT_ID
-  export NETBIRD_IDP_MGMT_CLIENT_SECRET
-  export NETBIRD_IDP_MGMT_EXTRA_CONFIG=$EXTRA_CONFIG
-else
-  export NETBIRD_IDP_MGMT_EXTRA_CONFIG={}
-fi
-
-IFS=',' read -r -a REDIRECT_URL_PORTS <<< "$NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS"
-REDIRECT_URLS=""
-for port in "${REDIRECT_URL_PORTS[@]}"; do
-    REDIRECT_URLS+="\"http://localhost:${port}\","
+# Create artifacts directory and backup existing files
+artifacts_path="./artifacts"
+mkdir -p "$artifacts_path"
+bkp_postfix="$(date +%s)"
+for file in docker-compose.yml management.json turnserver.conf Caddyfile; do
+  [[ -f "${artifacts_path}/${file}" ]] && cp "${artifacts_path}/${file}" "${artifacts_path}/${file}.bkp.${bkp_postfix}"
 done
 
-export NETBIRD_AUTH_PKCE_REDIRECT_URLS=${REDIRECT_URLS%,}
+# Generate configuration files
+envsubst < docker-compose.yml.tmpl > "$artifacts_path/docker-compose.yml"
+envsubst < management.json.tmpl | jq . > "$artifacts_path/management.json"
+envsubst < turnserver.conf.tmpl > "$artifacts_path/turnserver.conf"
+envsubst < Caddyfile.tmpl > "$artifacts_path/Caddyfile"
 
-# Remove audience for providers that do not support it
-if [ "$NETBIRD_DASH_AUTH_USE_AUDIENCE" = "false" ]; then
-    export NETBIRD_DASH_AUTH_AUDIENCE=none
-    export NETBIRD_AUTH_PKCE_AUDIENCE=
-fi
-
-# Read the encryption key
-if test -f 'management.json'; then
-    encKey=$(jq -r  ".DataStoreEncryptionKey" management.json)
-    if [[ "$encKey" != "null" ]]; then
-        export NETBIRD_DATASTORE_ENC_KEY=$encKey
-
-    fi
-fi
-
-env | grep NETBIRD
-
-bkp_postfix="$(date +%s)"
-if test -f "${artifacts_path}/docker-compose.yml"; then
-    cp $artifacts_path/docker-compose.yml "${artifacts_path}/docker-compose.yml.bkp.${bkp_postfix}"
-fi
-
-if test -f "${artifacts_path}/management.json"; then
-    cp $artifacts_path/management.json "${artifacts_path}/management.json.bkp.${bkp_postfix}"
-fi
-
-if test -f "${artifacts_path}/turnserver.conf"; then
-    cp ${artifacts_path}/turnserver.conf "${artifacts_path}/turnserver.conf.bkp.${bkp_postfix}"
-fi
-envsubst <docker-compose.yml.tmpl >$artifacts_path/docker-compose.yml
-envsubst <management.json.tmpl | jq . >$artifacts_path/management.json
-envsubst <turnserver.conf.tmpl >$artifacts_path/turnserver.conf
+# Print summary
+echo ""
+echo "=========================================="
+echo "  NetBird Configuration Complete"
+echo "=========================================="
+echo "  Domain: $NETBIRD_DOMAIN"
+echo "  Protocol: $NETBIRD_HTTP_PROTOCOL"
+echo "  Zitadel: $ZITADEL_TAG (SQLite)"
+echo "=========================================="
+echo ""
+echo "  ADMIN CREDENTIALS (save these!):"
+echo "  Username: $ZITADEL_ADMIN_USERNAME"
+echo "  Password: $ZITADEL_ADMIN_PASSWORD"
+echo ""
+echo "=========================================="
+echo ""
+echo "To start NetBird:"
+echo "  cd $artifacts_path && docker compose up -d"
+echo ""

infrastructure_files/docker-compose.yml.tmpl

@@ -7,108 +7,137 @@ x-default: &default
       max-file: '2'
 
 services:
+  # Caddy reverse proxy
+  caddy:
+    <<: *default
+    image: caddy:2
+    networks: [netbird]
+    ports:
+      - '443:443'
+      - '443:443/udp'
+      - '80:80'
+    volumes:
+      - netbird-caddy-data:/data
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+    depends_on:
+      zitadel:
+        condition: service_healthy
+
   # UI dashboard
   dashboard:
     <<: *default
     image: netbirdio/dashboard:$NETBIRD_DASHBOARD_TAG
-    ports:
-      - 80:80
-      - 443:443
+    networks: [netbird]
     environment:
-      # Endpoints
       - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
       - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      # OIDC
-      - AUTH_AUDIENCE=$NETBIRD_DASH_AUTH_AUDIENCE
+      - AUTH_AUDIENCE=$NETBIRD_AUTH_CLIENT_ID
       - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
-      - AUTH_CLIENT_SECRET=$NETBIRD_AUTH_CLIENT_SECRET
+      - AUTH_CLIENT_SECRET=
       - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
-      - USE_AUTH0=$NETBIRD_USE_AUTH0
+      - USE_AUTH0=false
       - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
-      - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
-      - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
+      - AUTH_REDIRECT_URI=/nb-auth
+      - AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
       - NETBIRD_TOKEN_SOURCE=$NETBIRD_TOKEN_SOURCE
-      # SSL
       - NGINX_SSL_PORT=443
-      # Letsencrypt
-      - LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN
-      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
-    volumes:
-      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/
+      - LETSENCRYPT_DOMAIN=none
+    depends_on:
+      zitadel:
+        condition: service_healthy
 
   # Signal
   signal:
     <<: *default
     image: netbirdio/signal:$NETBIRD_SIGNAL_TAG
-    depends_on:
-          - dashboard
+    networks: [netbird]
     volumes:
       - $SIGNAL_VOLUMENAME:/var/lib/netbird
-      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
-    ports:
-      - $NETBIRD_SIGNAL_PORT:80
-  #      # port and command for Let's Encrypt validation
-  #      - 443:443
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
-    command: [
-      "--cert-file", "$NETBIRD_MGMT_API_CERT_FILE",
-      "--cert-key", "$NETBIRD_MGMT_API_CERT_KEY_FILE",
-      "--log-file", "console"
-    ]
+    command: ["--log-file", "console"]
 
   # Relay
   relay:
     <<: *default
     image: netbirdio/relay:$NETBIRD_RELAY_TAG
+    networks: [netbird]
     environment:
-    - NB_LOG_LEVEL=info
-    - NB_LISTEN_ADDRESS=:$NETBIRD_RELAY_PORT
-    - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
-    # todo: change to a secure secret
-    - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
-    ports:
-      - $NETBIRD_RELAY_PORT:$NETBIRD_RELAY_PORT
+      - NB_LOG_LEVEL=info
+      - NB_LISTEN_ADDRESS=:$NETBIRD_RELAY_INTERNAL_PORT
+      - NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_ENDPOINT
+      - NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
 
   # Management
   management:
     <<: *default
     image: netbirdio/management:$NETBIRD_MANAGEMENT_TAG
-    depends_on:
-      - dashboard
+    networks: [netbird]
     volumes:
       - $MGMT_VOLUMENAME:/var/lib/netbird
-      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
       - ./management.json:/etc/netbird/management.json
-    ports:
-      - $NETBIRD_MGMT_API_PORT:443 #API port
-  #    # command for Let's Encrypt validation without dashboard container
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
     command: [
-      "--port", "443",
+      "--port", "80",
       "--log-file", "console",
       "--log-level", "info",
       "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS",
       "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
-      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
-      ]
+      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN",
+      "--idp-sign-key-refresh-enabled"
+    ]
     environment:
       - NETBIRD_STORE_ENGINE_POSTGRES_DSN=$NETBIRD_STORE_ENGINE_POSTGRES_DSN
       - NETBIRD_STORE_ENGINE_MYSQL_DSN=$NETBIRD_STORE_ENGINE_MYSQL_DSN
-      
+    depends_on:
+      zitadel:
+        condition: service_healthy
+
   # Coturn
   coturn:
     <<: *default
     image: coturn/coturn:$COTURN_TAG
-    #domainname: $TURN_DOMAIN # only needed when TLS is enabled
     volumes:
       - ./turnserver.conf:/etc/turnserver.conf:ro
-    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
-    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
     network_mode: host
     command:
       - -c /etc/turnserver.conf
 
+  # Zitadel Identity Provider (single container with SQLite)
+  zitadel:
+    <<: *default
+    image: ghcr.io/zitadel/zitadel:$ZITADEL_TAG
+    networks: [netbird]
+    command: 'start-from-init --masterkeyFromEnv --tlsMode $ZITADEL_TLS_MODE'
+    environment:
+      - ZITADEL_LOG_LEVEL=info
+      - ZITADEL_MASTERKEY=$ZITADEL_MASTERKEY
+      - ZITADEL_EXTERNALSECURE=$ZITADEL_EXTERNALSECURE
+      - ZITADEL_TLS_ENABLED=false
+      - ZITADEL_EXTERNALPORT=$ZITADEL_EXTERNALPORT
+      - ZITADEL_EXTERNALDOMAIN=$NETBIRD_DOMAIN
+      # SQLite database (no separate PostgreSQL container needed)
+      - ZITADEL_DATABASE_SQLITE_PATH=/data/zitadel.db
+      # First instance: Admin user
+      - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME=$ZITADEL_ADMIN_USERNAME
+      - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD=$ZITADEL_ADMIN_PASSWORD
+      - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED=true
+      # First instance: Service account for NetBird management
+      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=netbird-service
+      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=NetBird Service Account
+      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE=1
+      - ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE=$ZITADEL_PAT_EXPIRATION
+    volumes:
+      - netbird-zitadel-data:/data
+    healthcheck:
+      test: ["CMD", "/app/zitadel", "ready"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+
 volumes:
   $MGMT_VOLUMENAME:
   $SIGNAL_VOLUMENAME:
-  $LETSENCRYPT_VOLUMENAME:
+  netbird-caddy-data:
+  netbird-zitadel-data:
+
+networks:
+  netbird:

infrastructure_files/management.json.tmpl

@@ -45,18 +45,18 @@
         "Engine": "$NETBIRD_STORE_CONFIG_ENGINE"
     },
     "HttpConfig": {
-        "Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
+        "Address": "0.0.0.0:80",
         "AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
-        "AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
+        "AuthAudience": "$NETBIRD_AUTH_CLIENT_ID",
         "AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
         "AuthUserIDClaim": "$NETBIRD_AUTH_USER_ID_CLAIM",
-        "CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
-        "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE",
-        "IdpSignKeyRefreshEnabled": $NETBIRD_MGMT_IDP_SIGNKEY_REFRESH,
-        "OIDCConfigEndpoint":"$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"
+        "CertFile": "",
+        "CertKey": "",
+        "IdpSignKeyRefreshEnabled": true,
+        "OIDCConfigEndpoint": "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"
     },
     "IdpManagerConfig": {
-        "ManagerType": "$NETBIRD_MGMT_IDP",
+        "ManagerType": "zitadel",
         "ClientConfig": {
             "Issuer": "$NETBIRD_AUTH_AUTHORITY",
             "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
@@ -64,40 +64,28 @@
             "ClientSecret": "$NETBIRD_IDP_MGMT_CLIENT_SECRET",
             "GrantType": "client_credentials"
         },
-        "ExtraConfig": $NETBIRD_IDP_MGMT_EXTRA_CONFIG,
-        "Auth0ClientCredentials": null,
-        "AzureClientCredentials": null,
-        "KeycloakClientCredentials": null,
-        "ZitadelClientCredentials": null
-     },
+        "ExtraConfig": {
+            "ManagementEndpoint": "$ZITADEL_MANAGEMENT_ENDPOINT"
+        }
+    },
     "DeviceAuthorizationFlow": {
-        "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
+        "Provider": "hosted",
         "ProviderConfig": {
-          "Audience": "$NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE",
-          "AuthorizationEndpoint": "",
-          "Domain": "$NETBIRD_AUTH0_DOMAIN",
-          "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
-          "ClientSecret": "",
-          "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
-          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT",
-          "Scope": "$NETBIRD_AUTH_DEVICE_AUTH_SCOPE",
-          "UseIDToken": $NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN,
-          "RedirectURLs": null
-         }
+            "Audience": "$NETBIRD_AUTH_CLIENT_ID_CLI",
+            "ClientID": "$NETBIRD_AUTH_CLIENT_ID_CLI",
+            "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+            "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT",
+            "Scope": "openid"
+        }
     },
     "PKCEAuthorizationFlow": {
         "ProviderConfig": {
-            "Audience": "$NETBIRD_AUTH_PKCE_AUDIENCE",
-            "ClientID": "$NETBIRD_AUTH_CLIENT_ID",
-            "ClientSecret": "$NETBIRD_AUTH_CLIENT_SECRET",
-            "Domain": "",
+            "Audience": "$NETBIRD_AUTH_CLIENT_ID_CLI",
+            "ClientID": "$NETBIRD_AUTH_CLIENT_ID_CLI",
             "AuthorizationEndpoint": "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT",
             "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
-            "Scope": "$NETBIRD_AUTH_SUPPORTED_SCOPES",
-            "RedirectURLs": [$NETBIRD_AUTH_PKCE_REDIRECT_URLS],
-            "UseIDToken": $NETBIRD_AUTH_PKCE_USE_ID_TOKEN,
-            "DisablePromptLogin": $NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN,
-            "LoginFlag": $NETBIRD_AUTH_PKCE_LOGIN_FLAG
+            "Scope": "openid profile email offline_access",
+            "RedirectURLs": ["http://localhost:53000/", "http://localhost:54000/"]
         }
     }
 }

infrastructure_files/setup.env.example

@@ -1,117 +1,65 @@
-## example file, you can copy this file to setup.env and update its values
-##
+# NetBird Self-Hosted Setup Configuration
+# Copy this file to setup.env and configure the required values
 
-# Image tags
-# you can force specific tags for each component; will be set to latest if empty
+# -------------------------------------------
+# Required: Domain Configuration
+# -------------------------------------------
+# Your NetBird domain (e.g., netbird.mydomain.com)
+NETBIRD_DOMAIN=""
+
+# -------------------------------------------
+# Optional: Image Tags
+# -------------------------------------------
+# Leave empty to use 'latest' for all components
 NETBIRD_DASHBOARD_TAG=""
 NETBIRD_SIGNAL_TAG=""
 NETBIRD_MANAGEMENT_TAG=""
 COTURN_TAG=""
 NETBIRD_RELAY_TAG=""
 
-# Dashboard domain. e.g. app.mydomain.com
-NETBIRD_DOMAIN=""
+# Zitadel version (default: v2.64.1)
+ZITADEL_TAG=""
 
-# TURN server domain. e.g. turn.mydomain.com
-# if not specified it will assume NETBIRD_DOMAIN
+# -------------------------------------------
+# Optional: TURN Server Configuration
+# -------------------------------------------
+# TURN server domain (defaults to NETBIRD_DOMAIN)
 NETBIRD_TURN_DOMAIN=""
 
 # TURN server public IP address
-# required for a connection involving peers in
-# the same network as the server and external peers
-# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
+# Required for peers behind NAT to connect
 NETBIRD_TURN_EXTERNAL_IP=""
 
 # -------------------------------------------
-# OIDC
-#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
+# Optional: Database Configuration
 # -------------------------------------------
-NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
-# The default setting is to transmit the audience to the IDP during authorization. However,
-# if your IDP does not have this capability, you can turn this off by setting it to false.
-#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
-NETBIRD_AUTH_AUDIENCE=""
-# e.g. netbird-client
-NETBIRD_AUTH_CLIENT_ID=""
-# indicates the scopes that will be requested to the IDP
-NETBIRD_AUTH_SUPPORTED_SCOPES=""
-# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
-# NETBIRD_AUTH_CLIENT_SECRET=""
-# if you want to use a custom claim for the user ID instead of 'sub', set it here
-# NETBIRD_AUTH_USER_ID_CLAIM=""
-# indicates whether to use Auth0 or not: true or false
-NETBIRD_USE_AUTH0="false"
-# if your IDP provider doesn't support fragmented URIs, configure custom
-# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
-# NETBIRD_AUTH_REDIRECT_URI="/peers"
-# NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
-# Updates the preference to use id tokens instead of access token on dashboard
-# Okta and Gitlab IDPs can benefit from this
-# NETBIRD_TOKEN_SOURCE="idToken"
+# Store engine: sqlite (default), postgres, or mysql
+NETBIRD_STORE_CONFIG_ENGINE=""
+
+# For PostgreSQL:
+# NETBIRD_STORE_ENGINE_POSTGRES_DSN="host=<HOST> user=<USER> password=<PASS> dbname=<DB> port=5432"
+
+# For MySQL:
+# NETBIRD_STORE_ENGINE_MYSQL_DSN="<user>:<pass>@tcp(127.0.0.1:3306)/<db>"
+
 # -------------------------------------------
-# OIDC Device Authorization Flow
+# Optional: Extra Settings
 # -------------------------------------------
-NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
-NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# Some IDPs requires different audience, scopes and to use id token for device authorization flow
-# you can customize here:
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
-NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
-# -------------------------------------------
-# OIDC PKCE Authorization Flow
-# -------------------------------------------
-# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
-# eg. 53000,54000
-NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
-# -------------------------------------------
-# IDP Management
-# -------------------------------------------
-# eg. zitadel, auth0, azure, keycloak
-NETBIRD_MGMT_IDP="none"
-# Some IDPs requires different client id and client secret for management api
-NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
-NETBIRD_IDP_MGMT_CLIENT_SECRET=""
-# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
-# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
-# With some IDPs may be needed enabling automatic refresh of signing keys on expire
-# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
-# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
-# -------------------------------------------
-# Letsencrypt
-# -------------------------------------------
-# Disable letsencrypt
-#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
-NETBIRD_DISABLE_LETSENCRYPT=false
-# e.g. hello@mydomain.com
-NETBIRD_LETSENCRYPT_EMAIL=""
-# -------------------------------------------
-# Extra settings
-# -------------------------------------------
-# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
+# Disable anonymous metrics (default: false)
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
-# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
+
+# DNS domain for peer resolution (default: netbird.selfhosted)
 NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
-# Disable default all-to-all policy for new accounts
+
+# Disable default all-to-all policy for new accounts (default: false)
 NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=false
+
 # -------------------------------------------
-# Relay settings
+# Advanced: Zitadel Client IDs
 # -------------------------------------------
-# Relay server domain. e.g. relay.mydomain.com
-# if not specified it will assume NETBIRD_DOMAIN
-NETBIRD_RELAY_DOMAIN=""
-
-# Relay server connection port. If none is supplied
-# it will default to 33080
-# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
-NETBIRD_RELAY_PORT=""
-
-# Management API connecting port. If none is supplied
-# it will default to 33073
-# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
-NETBIRD_MGMT_API_PORT=""
-
-# Signal service connecting port. If none is supplied
-# it will default to 10000
-# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
-NETBIRD_SIGNAL_PORT=""
+# These are auto-generated by Zitadel on first boot
+# Only set these if migrating from an existing Zitadel setup
+# NETBIRD_AUTH_CLIENT_ID=""
+# NETBIRD_AUTH_CLIENT_ID_CLI=""
+# NETBIRD_IDP_MGMT_CLIENT_ID=""
+# NETBIRD_IDP_MGMT_CLIENT_SECRET=""