use correct serializer

Ensure schedule never runs with non-positive ticker
Send terminal notification on peer session expiry (#1660 )
2026-04-18 08:16:39 +00:00 · 2024-03-10 06:19:31 +01:00 · 2024-03-10 06:03:07 +01:00 · 2024-03-08 18:28:13 +01:00 · 2024-03-06 23:30:16 +01:00 · 2024-03-06 15:18:53 +01:00
45 changed files with 1259 additions and 893 deletions
--- a/.github/ISSUE_TEMPLATE/bug-issue-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-issue-report.md
@@ -2,7 +2,7 @@
 name: Bug/Issue report
 about: Create a report to help us improve
 title: ''
-labels: ['triage']
+labels: ['triage-needed']
 assignees: ''

 ---
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -162,6 +162,13 @@ jobs:
          test $count -eq 4
        working-directory: infrastructure_files/artifacts

+      - name: test geolocation databases
+        working-directory: infrastructure_files/artifacts
+        run: |
+          sleep 30
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City.mmdb
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames.db
+
  test-getting-started-script:
    runs-on: ubuntu-latest
    steps:
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -63,6 +63,14 @@ linters-settings:
    enable:
      - nilness

+  revive:
+    rules:
+      - name: exported
+        severity: warning
+        disabled: false
+        arguments:
+          - "checkPrivateReceivers"
+          - "sayRepetitiveInsteadOfStutters"
  tenv:
    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
@@ -93,6 +101,7 @@ linters:
    - nilerr # finds the code that returns nil even if it checks that the error is not nil
    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
+    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
    - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
    - wastedassign # wastedassign finds wasted assignment statements
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 <p align="center">
- <strong>:hatching_chick: New Release! Self-hosting in under 5 min.</strong>
-  <a href="https://github.com/netbirdio/netbird#quickstart-with-self-hosted-netbird">
+ <strong>:hatching_chick: New Release! Device Posture Checks.</strong>
+  <a href="https://docs.netbird.io/how-to/manage-posture-checks">
       Learn more
     </a>   
 </p>
@@ -42,25 +42,22 @@

 **Secure.** NetBird enables secure remote access by applying granular access policies, while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

-### Secure peer-to-peer VPN with SSO and MFA in minutes
+### Open-Source Network Security in a Single Platform

-https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a444-94e80dd24f46.mov
+![download (2)](https://github.com/netbirdio/netbird/assets/700848/16210ac2-7265-44c1-8d4e-8fae85534dac)

 ### Key features

-| Connectivity                             	                                                                                      | Management                                 	                             | Automation                                    	                            | Platforms    	                        |
-|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|----------------------------------------------------------------------------|---------------------------------------|
-| <ul><li> - \[x] Kernel WireGuard </ul></li>                   	                                                                 | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                           	      | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                	     | <ul><li> - \[x] Linux </ul></li>    	 |
-| <ul><li> - \[x] Peer-to-peer connections </ul></li>             	                                                               | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>  	      | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li>  	     | <ul><li> - \[x] Mac </ul></li>      	 |
-| <ul><li> - \[x] Peer-to-peer encryption </ul></li>              	                                                               | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>                       	      | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>              	 | <ul><li> - \[x] Windows </ul></li>  	 |
-| <ul><li> - \[x] Connection relay fallback </ul></li>            	                                                               | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>                      	      | <ul><li> - \[x] IdP groups sync with JWT </ul></li> 	                      | <ul><li> - \[x] Android </ul></li>  	 |
-| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li>  	 | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>      	        | 	                                                                          | <ul><li> - \[x] iOS </ul></li>      	 |
-| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                               | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>                            	      | 	                                                                          | <ul><li> - \[x] Docker </ul></li>   	 |
-| <ul><li> - \[x] Post-quantum-secure connection through [Rosenpass](https://rosenpass.eu) </ul></li>                             | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li>                      	      | 	                                                                          | <ul><li> - \[x] OpenWRT </ul></li>  	 |
-| 	                                                                                                                               | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                       	      | 	                                                                          | 	                                     |
-| 	                                                                                                                               | <ul><li> - \[x] SSH access management </ul></li>                       	 | 	                                                                          | 	                                     |
-
-
+| Connectivity                                                                                                                 | Management                                                                                               | Security                                                                                                                              | Automation                                                                                                                               | Platforms                                                                               |
+|------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| <ul><li> - \[x] Kernel WireGuard </ul></li>                                                                                  | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                        | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>           | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                                                     | <ul><li> - \[x] Linux </ul></li>                                                        |
+| <ul><li> - \[x] Peer-to-peer connections </ul></li>                                                                          | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>                                         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>                    | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li> | <ul><li> - \[x] Mac </ul></li>                                                          |
+| <ul><li> - \[x] Connection relay fallback </ul></li>                                                                         | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>     | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                     | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>                    | <ul><li> - \[x] Windows </ul></li>                                                      |
+| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>      | <ul><li> - \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) </ul></li>                              | <ul><li> - \[x] IdP groups sync with JWT </ul></li>                                                                                      | <ul><li> - \[x] Android </ul></li>                                                      |
+| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                            | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li> | <ul><li> -  \[x] Peer-to-peer encryption </ul></li>                                                                                   |                                                                                                                                          | <ul><li> - \[x] iOS </ul></li>                                                          |
+|                                                                                                                              |                                                                                                          | <ul><li> - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) </ul></li> |                                                                                                                                          | <ul><li> - \[x] OpenWRT </ul></li>                                                      |
+|                                                                                                                              |                                                                                                          | <ui><li> - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ul></li>           |                                                                                                                                          | <ul><li> - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) </ul></li> |
+|                                                                                                                              |                                                                                                          |                                                                                                                                       |                                                                                                                                          | <ul><li> - \[x] Docker </ul></li>                                                       |
 ### Quickstart with NetBird Cloud

 - Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
@@ -109,8 +106,8 @@ export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbird
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

 ### Community projects
-  [NetBird on OpenWRT](https://github.com/messense/openwrt-netbird)
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
+-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
--- a/client/internal/auth/oauth.go
+++ b/client/internal/auth/oauth.go
@@ -26,7 +26,7 @@ type HTTPClient interface {
 }

 // AuthFlowInfo holds information for the OAuth 2.0  authorization flow
-type AuthFlowInfo struct {
+type AuthFlowInfo struct { //nolint:revive
 	DeviceCode              string `json:"device_code"`
 	UserCode                string `json:"user_code"`
 	VerificationURI         string `json:"verification_uri"`
--- a/client/internal/dns/file_linux.go
+++ b/client/internal/dns/file_linux.go
@@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"os"
 	"strings"
+	"time"

 	log "github.com/sirupsen/logrus"
 )
@@ -23,10 +24,16 @@ const (
 	fileMaxNumberOfSearchDomains = 6
 )

+const (
+	dnsFailoverTimeout  = 4 * time.Second
+	dnsFailoverAttempts = 1
+)
+
 type fileConfigurator struct {
 	repair *repair

-	originalPerms os.FileMode
+	originalPerms  os.FileMode
+	nbNameserverIP string
 }

 func newFileConfigurator() (hostManager, error) {
@@ -64,7 +71,7 @@ func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig) error {
 	}

 	nbSearchDomains := searchDomains(config)
-	nbNameserverIP := config.ServerIP
+	f.nbNameserverIP = config.ServerIP

 	resolvConf, err := parseBackupResolvConf()
 	if err != nil {
@@ -73,11 +80,11 @@ func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig) error {

 	f.repair.stopWatchFileChanges()

-	err = f.updateConfig(nbSearchDomains, nbNameserverIP, resolvConf)
+	err = f.updateConfig(nbSearchDomains, f.nbNameserverIP, resolvConf)
 	if err != nil {
 		return err
 	}
-	f.repair.watchFileChanges(nbSearchDomains, nbNameserverIP)
+	f.repair.watchFileChanges(nbSearchDomains, f.nbNameserverIP)
 	return nil
 }

@@ -85,10 +92,11 @@ func (f *fileConfigurator) updateConfig(nbSearchDomains []string, nbNameserverIP
 	searchDomainList := mergeSearchDomains(nbSearchDomains, cfg.searchDomains)
 	nameServers := generateNsList(nbNameserverIP, cfg)

+	options := prepareOptionsWithTimeout(cfg.others, int(dnsFailoverTimeout.Seconds()), dnsFailoverAttempts)
 	buf := prepareResolvConfContent(
 		searchDomainList,
 		nameServers,
-		cfg.others)
+		options)

 	log.Debugf("creating managed file %s", defaultResolvConfPath)
 	err := os.WriteFile(defaultResolvConfPath, buf.Bytes(), f.originalPerms)
@@ -131,7 +139,12 @@ func (f *fileConfigurator) backup() error {
 }

 func (f *fileConfigurator) restore() error {
-	err := copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
+	err := removeFirstNbNameserver(fileDefaultResolvConfBackupLocation, f.nbNameserverIP)
+	if err != nil {
+		log.Errorf("Failed to remove netbird nameserver from %s on backup restore: %s", fileDefaultResolvConfBackupLocation, err)
+	}
+
+	err = copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
 	if err != nil {
 		return fmt.Errorf("restoring %s from %s: %w", defaultResolvConfPath, fileDefaultResolvConfBackupLocation, err)
 	}
@@ -157,7 +170,7 @@ func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress *netip.Add
 	currentDNSAddress, err := netip.ParseAddr(resolvConf.nameServers[0])
 	// not a valid first nameserver -> restore
 	if err != nil {
-		log.Errorf("restoring unclean shutdown: parse dns address %s failed: %s", resolvConf.nameServers[1], err)
+		log.Errorf("restoring unclean shutdown: parse dns address %s failed: %s", resolvConf.nameServers[0], err)
 		return restoreResolvConfFile()
 	}

--- a/client/internal/dns/file_parser_linux.go
+++ b/client/internal/dns/file_parser_linux.go
@@ -5,6 +5,7 @@ package dns
 import (
 	"fmt"
 	"os"
+	"regexp"
 	"strings"

 	log "github.com/sirupsen/logrus"
@@ -14,6 +15,9 @@ const (
 	defaultResolvConfPath = "/etc/resolv.conf"
 )

+var timeoutRegex = regexp.MustCompile(`timeout:\d+`)
+var attemptsRegex = regexp.MustCompile(`attempts:\d+`)
+
 type resolvConf struct {
 	nameServers   []string
 	searchDomains []string
@@ -103,3 +107,62 @@ func parseResolvConfFile(resolvConfFile string) (*resolvConf, error) {
 	}
 	return rconf, nil
 }
+
+// prepareOptionsWithTimeout appends timeout to existing options if it doesn't exist,
+// otherwise it adds a new option with timeout and attempts.
+func prepareOptionsWithTimeout(input []string, timeout int, attempts int) []string {
+	configs := make([]string, len(input))
+	copy(configs, input)
+
+	for i, config := range configs {
+		if strings.HasPrefix(config, "options") {
+			config = strings.ReplaceAll(config, "rotate", "")
+			config = strings.Join(strings.Fields(config), " ")
+
+			if strings.Contains(config, "timeout:") {
+				config = timeoutRegex.ReplaceAllString(config, fmt.Sprintf("timeout:%d", timeout))
+			} else {
+				config = strings.Replace(config, "options ", fmt.Sprintf("options timeout:%d ", timeout), 1)
+			}
+
+			if strings.Contains(config, "attempts:") {
+				config = attemptsRegex.ReplaceAllString(config, fmt.Sprintf("attempts:%d", attempts))
+			} else {
+				config = strings.Replace(config, "options ", fmt.Sprintf("options attempts:%d ", attempts), 1)
+			}
+
+			configs[i] = config
+			return configs
+		}
+	}
+
+	return append(configs, fmt.Sprintf("options timeout:%d attempts:%d", timeout, attempts))
+}
+
+// removeFirstNbNameserver removes the given nameserver from the given file if it is in the first position
+// and writes the file back to the original location
+func removeFirstNbNameserver(filename, nameserverIP string) error {
+	resolvConf, err := parseResolvConfFile(filename)
+	if err != nil {
+		return fmt.Errorf("parse backup resolv.conf: %w", err)
+	}
+	content, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("read %s: %w", filename, err)
+	}
+
+	if len(resolvConf.nameServers) > 1 && resolvConf.nameServers[0] == nameserverIP {
+		newContent := strings.Replace(string(content), fmt.Sprintf("nameserver %s\n", nameserverIP), "", 1)
+
+		stat, err := os.Stat(filename)
+		if err != nil {
+			return fmt.Errorf("stat %s: %w", filename, err)
+		}
+		if err := os.WriteFile(filename, []byte(newContent), stat.Mode()); err != nil {
+			return fmt.Errorf("write %s: %w", filename, err)
+		}
+
+	}
+
+	return nil
+}
--- a/client/internal/dns/file_parser_linux_test.go
+++ b/client/internal/dns/file_parser_linux_test.go
@@ -6,6 +6,8 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

 func Test_parseResolvConf(t *testing.T) {
@@ -172,3 +174,131 @@ nameserver 192.168.0.1
 		t.Errorf("unexpected resolv.conf content: %v", cfg)
 	}
 }
+
+func TestPrepareOptionsWithTimeout(t *testing.T) {
+	tests := []struct {
+		name     string
+		others   []string
+		timeout  int
+		attempts int
+		expected []string
+	}{
+		{
+			name:     "Append new options with timeout and attempts",
+			others:   []string{"some config"},
+			timeout:  2,
+			attempts: 2,
+			expected: []string{"some config", "options timeout:2 attempts:2"},
+		},
+		{
+			name:     "Modify existing options to exclude rotate and include timeout and attempts",
+			others:   []string{"some config", "options rotate someother"},
+			timeout:  3,
+			attempts: 2,
+			expected: []string{"some config", "options attempts:2 timeout:3 someother"},
+		},
+		{
+			name:     "Existing options with timeout and attempts are updated",
+			others:   []string{"some config", "options timeout:4 attempts:3"},
+			timeout:  5,
+			attempts: 4,
+			expected: []string{"some config", "options timeout:5 attempts:4"},
+		},
+		{
+			name:     "Modify existing options, add missing attempts before timeout",
+			others:   []string{"some config", "options timeout:4"},
+			timeout:  4,
+			attempts: 3,
+			expected: []string{"some config", "options attempts:3 timeout:4"},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := prepareOptionsWithTimeout(tc.others, tc.timeout, tc.attempts)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
+
+func TestRemoveFirstNbNameserver(t *testing.T) {
+	testCases := []struct {
+		name       string
+		content    string
+		ipToRemove string
+		expected   string
+	}{
+		{
+			name: "Unrelated nameservers with comments and options",
+			content: `# This is a comment
+options rotate
+nameserver 1.1.1.1
+# Another comment
+nameserver 8.8.4.4
+search example.com`,
+			ipToRemove: "9.9.9.9",
+			expected: `# This is a comment
+options rotate
+nameserver 1.1.1.1
+# Another comment
+nameserver 8.8.4.4
+search example.com`,
+		},
+		{
+			name: "First nameserver matches",
+			content: `search example.com
+nameserver 9.9.9.9
+# oof, a comment
+nameserver 8.8.4.4
+options attempts:5`,
+			ipToRemove: "9.9.9.9",
+			expected: `search example.com
+# oof, a comment
+nameserver 8.8.4.4
+options attempts:5`,
+		},
+		{
+			name: "Target IP not the first nameserver",
+			// nolint:dupword
+			content: `# Comment about the first nameserver
+nameserver 8.8.4.4
+# Comment before our target
+nameserver 9.9.9.9
+options timeout:2`,
+			ipToRemove: "9.9.9.9",
+			// nolint:dupword
+			expected: `# Comment about the first nameserver
+nameserver 8.8.4.4
+# Comment before our target
+nameserver 9.9.9.9
+options timeout:2`,
+		},
+		{
+			name: "Only nameserver matches",
+			content: `options debug
+nameserver 9.9.9.9
+search localdomain`,
+			ipToRemove: "9.9.9.9",
+			expected: `options debug
+nameserver 9.9.9.9
+search localdomain`,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+			tempFile := filepath.Join(tempDir, "resolv.conf")
+			err := os.WriteFile(tempFile, []byte(tc.content), 0644)
+			assert.NoError(t, err)
+
+			err = removeFirstNbNameserver(tempFile, tc.ipToRemove)
+			assert.NoError(t, err)
+
+			content, err := os.ReadFile(tempFile)
+			assert.NoError(t, err)
+
+			assert.Equal(t, tc.expected, string(content), "The resulting content should match the expected output.")
+		})
+	}
+}
--- a/client/internal/dns/host_linux.go
+++ b/client/internal/dns/host_linux.go
@@ -65,7 +65,7 @@ func newHostManager(wgInterface string) (hostManager, error) {
 		return nil, err
 	}

-	log.Debugf("discovered mode is: %s", osManager)
+	log.Infof("System DNS manager discovered: %s", osManager)
 	return newHostManagerFromType(wgInterface, osManager)
 }

--- a/client/internal/dns/resolvconf_linux.go
+++ b/client/internal/dns/resolvconf_linux.go
@@ -53,10 +53,12 @@ func (r *resolvconf) applyDNSConfig(config HostDNSConfig) error {
 	searchDomainList := searchDomains(config)
 	searchDomainList = mergeSearchDomains(searchDomainList, r.originalSearchDomains)

+	options := prepareOptionsWithTimeout(r.othersConfigs, int(dnsFailoverTimeout.Seconds()), dnsFailoverAttempts)
+
 	buf := prepareResolvConfContent(
 		searchDomainList,
 		append([]string{config.ServerIP}, r.originalNameServers...),
-		r.othersConfigs)
+		options)

 	// create a backup for unclean shutdown detection before the resolv.conf is changed
 	if err := createUncleanShutdownIndicator(defaultResolvConfPath, resolvConfManager, config.ServerIP); err != nil {
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -5,6 +5,9 @@ import (
 	"sync"
 	"time"

+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/iface"
 )
@@ -376,6 +379,24 @@ func (d *Status) GetManagementState() ManagementState {
 	}
 }

+// IsLoginRequired determines if a peer's login has expired.
+func (d *Status) IsLoginRequired() bool {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	// if peer is connected to the management then login is not expired
+	if d.managementState {
+		return false
+	}
+
+	s, ok := gstatus.FromError(d.managementError)
+	if ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+		return true
+
+	}
+	return false
+}
+
 func (d *Status) GetSignalState() SignalState {
 	return SignalState{
 		d.signalAddress,
--- a/client/internal/session.go
+++ b/client/internal/session.go
@@ -0,0 +1,82 @@
+package internal
+
+import (
+	"context"
+	"os/exec"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+)
+
+type SessionWatcher struct {
+	ctx   context.Context
+	mutex sync.Mutex
+
+	peerStatusRecorder *peer.Status
+	watchTicker        *time.Ticker
+
+	sendNotification bool
+	onExpireListener func()
+}
+
+// NewSessionWatcher creates a new instance of SessionWatcher.
+func NewSessionWatcher(ctx context.Context, peerStatusRecorder *peer.Status) *SessionWatcher {
+	s := &SessionWatcher{
+		ctx:                ctx,
+		peerStatusRecorder: peerStatusRecorder,
+		watchTicker:        time.NewTicker(2 * time.Second),
+	}
+	go s.startWatcher()
+	return s
+}
+
+// SetOnExpireListener sets the callback func to be called when the session expires.
+func (s *SessionWatcher) SetOnExpireListener(onExpire func()) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+	s.onExpireListener = onExpire
+}
+
+// startWatcher continuously checks if the session requires login and
+// calls the onExpireListener if login is required.
+func (s *SessionWatcher) startWatcher() {
+	for {
+		select {
+		case <-s.ctx.Done():
+			s.watchTicker.Stop()
+			return
+		case <-s.watchTicker.C:
+			managementState := s.peerStatusRecorder.GetManagementState()
+			if managementState.Connected {
+				s.sendNotification = true
+			}
+
+			isLoginRequired := s.peerStatusRecorder.IsLoginRequired()
+			if isLoginRequired && s.sendNotification && s.onExpireListener != nil {
+				s.mutex.Lock()
+				s.onExpireListener()
+				s.sendNotification = false
+				s.mutex.Unlock()
+			}
+		}
+	}
+}
+
+// CheckUIApp checks whether UI application is running.
+func CheckUIApp() bool {
+	cmd := exec.Command("ps", "-ef")
+	output, err := cmd.Output()
+	if err != nil {
+		return false
+	}
+
+	lines := strings.Split(string(output), "\n")
+	for _, line := range lines {
+		if strings.Contains(line, "netbird-ui") && !strings.Contains(line, "grep") {
+			return true
+		}
+	}
+	return false
+}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -3,6 +3,8 @@ package server
 import (
 	"context"
 	"fmt"
+	"os/exec"
+	"runtime"
 	"sync"
 	"time"

@@ -39,6 +41,7 @@ type Server struct {
 	proto.UnimplementedDaemonServiceServer

 	statusRecorder *peer.Status
+	sessionWatcher *internal.SessionWatcher

 	mgmProbe    *internal.Probe
 	signalProbe *internal.Probe
@@ -116,6 +119,11 @@ func (s *Server) Start() error {
 	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(config.RosenpassEnabled, config.RosenpassPermissive)

+	if s.sessionWatcher == nil {
+		s.sessionWatcher = internal.NewSessionWatcher(s.rootCtx, s.statusRecorder)
+		s.sessionWatcher.SetOnExpireListener(s.onSessionExpire)
+	}
+
 	if !config.DisableAutoConnect {
 		go func() {
 			if err := internal.RunClientWithProbes(ctx, config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe); err != nil {
@@ -542,6 +550,17 @@ func (s *Server) GetConfig(_ context.Context, _ *proto.GetConfigRequest) (*proto
 	}, nil
 }

+func (s *Server) onSessionExpire() {
+	if runtime.GOOS != "windows" {
+		isUIActive := internal.CheckUIApp()
+		if !isUIActive {
+			if err := sendTerminalNotification(); err != nil {
+				log.Errorf("send session expire terminal notification: %v", err)
+			}
+		}
+	}
+}
+
 func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 	pbFullStatus := proto.FullStatus{
 		ManagementState: &proto.ManagementState{},
@@ -604,3 +623,31 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {

 	return &pbFullStatus
 }
+
+// sendTerminalNotification sends a terminal notification message
+// to inform the user that the NetBird connection session has expired.
+func sendTerminalNotification() error {
+	message := "NetBird connection session expired\n\nPlease re-authenticate to connect to the network."
+	echoCmd := exec.Command("echo", message)
+	wallCmd := exec.Command("sudo", "wall")
+
+	echoCmdStdout, err := echoCmd.StdoutPipe()
+	if err != nil {
+		return err
+	}
+	wallCmd.Stdin = echoCmdStdout
+
+	if err := echoCmd.Start(); err != nil {
+		return err
+	}
+
+	if err := wallCmd.Start(); err != nil {
+		return err
+	}
+
+	if err := echoCmd.Wait(); err != nil {
+		return err
+	}
+
+	return wallCmd.Wait()
+}
--- a/client/system/info_windows.go
+++ b/client/system/info_windows.go
@@ -165,6 +165,10 @@ func sysProductName() (string, error) {
 	if err != nil {
 		return "", err
 	}
+	// `ComputerSystemProduct` could be empty on some virtualized systems
+	if len(dst) < 1 {
+		return "unknown", nil
+	}
 	return dst[0].Name, nil
 }

--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -61,7 +61,7 @@ func main() {

 	flag.Parse()

-	a := app.New()
+	a := app.NewWithID("NetBird")
 	a.SetIcon(fyne.NewStaticResource("netbird", iconDisconnectedPNG))

 	client := newServiceClient(daemonAddr, a, showSettings)
@@ -130,9 +130,10 @@ type serviceClient struct {
 	mQuit          *systray.MenuItem

 	// application with main windows.
-	app          fyne.App
-	wSettings    fyne.Window
-	showSettings bool
+	app              fyne.App
+	wSettings        fyne.Window
+	showSettings     bool
+	sendNotification bool

 	// input elements for settings form
 	iMngURL       *widget.Entry
@@ -158,9 +159,10 @@ type serviceClient struct {
 // This constructor also builds the UI elements for the settings window.
 func newServiceClient(addr string, a fyne.App, showSettings bool) *serviceClient {
 	s := &serviceClient{
-		ctx:  context.Background(),
-		addr: addr,
-		app:  a,
+		ctx:              context.Background(),
+		addr:             addr,
+		app:              a,
+		sendNotification: false,

 		showSettings: showSettings,
 		update:       version.NewUpdate(),
@@ -377,9 +379,15 @@ func (s *serviceClient) updateStatus() error {
 		s.updateIndicationLock.Lock()
 		defer s.updateIndicationLock.Unlock()

+		// notify the user when the session has expired
+		if status.Status == string(internal.StatusNeedsLogin) {
+			s.onSessionExpire()
+		}
+
 		var systrayIconState bool
 		if status.Status == string(internal.StatusConnected) && !s.mUp.Disabled() {
 			s.connected = true
+			s.sendNotification = true
 			if s.isUpdateIconActive {
 				systray.SetIcon(s.icUpdateConnected)
 			} else {
@@ -630,6 +638,23 @@ func (s *serviceClient) onUpdateAvailable() {
 	}
 }

+// onSessionExpire sends a notification to the user when the session expires.
+func (s *serviceClient) onSessionExpire() {
+	if s.sendNotification {
+		title := "Connection session expired"
+		if runtime.GOOS == "darwin" {
+			title = "NetBird connection session expired"
+		}
+		s.app.SendNotification(
+			fyne.NewNotification(
+				title,
+				"Please re-authenticate to connect to the network",
+			),
+		)
+		s.sendNotification = false
+	}
+}
+
 func openURL(url string) error {
 	var err error
 	switch runtime.GOOS {
--- a/iface/netstack/tun.go
+++ b/iface/netstack/tun.go
@@ -8,7 +8,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 )

-type NetStackTun struct {
+type NetStackTun struct { //nolint:revive
 	address       string
 	mtu           int
 	listenAddress string
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -26,6 +26,13 @@
        "Username": "",
        "Password": null
    },
+    "ReverseProxy": {
+        "TrustedHTTPProxies": [],
+        "TrustedHTTPProxiesCount": 0,
+        "TrustedPeers": [
+             "0.0.0.0/0"
+        ]
+    },
    "Datadir": "",
    "DataStoreEncryptionKey": "$NETBIRD_DATASTORE_ENC_KEY",
    "StoreConfig": {
--- a/infrastructure_files/nginx.tmpl.conf
+++ b/infrastructure_files/nginx.tmpl.conf
@@ -46,6 +46,7 @@ server {
    proxy_set_header        X-Scheme $scheme;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        X-Forwarded-Host $host;
+    grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;

    # Proxy dashboard
    location / {
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -363,10 +363,11 @@ func Test_SystemMetaDataFromClient(t *testing.T) {
 		WiretrusteeVersion: info.WiretrusteeVersion,
 		KernelVersion:      info.KernelVersion,

-		NetworkAddresses:   protoNetAddr,
-		SysSerialNumber:    info.SystemSerialNumber,
-		SysProductName:     info.SystemProductName,
-		SysManufacturer:    info.SystemManufacturer,
+		NetworkAddresses: protoNetAddr,
+		SysSerialNumber:  info.SystemSerialNumber,
+		SysProductName:   info.SystemProductName,
+		SysManufacturer:  info.SystemManufacturer,
+		Environment:      &mgmtProto.Environment{Cloud: info.Environment.Cloud, Platform: info.Environment.Platform},
 	}

 	assert.Equal(t, ValidKey, actualValidKey)
@@ -407,7 +408,9 @@ func isEqual(a, b *mgmtProto.PeerSystemMeta) bool {
 		a.GetUiVersion() == b.GetUiVersion() &&
 		a.GetSysSerialNumber() == b.GetSysSerialNumber() &&
 		a.GetSysProductName() == b.GetSysProductName() &&
-		a.GetSysManufacturer() == b.GetSysManufacturer()
+		a.GetSysManufacturer() == b.GetSysManufacturer() &&
+		a.GetEnvironment().Cloud == b.GetEnvironment().Cloud &&
+		a.GetEnvironment().Platform == b.GetEnvironment().Platform
 }

 func Test_GetDeviceAuthorizationFlow(t *testing.T) {
--- a/management/client/grpc.go
+++ b/management/client/grpc.go
@@ -26,6 +26,8 @@ import (
 	"github.com/netbirdio/netbird/management/proto"
 )

+const ConnectTimeout = 10 * time.Second
+
 // ConnStateNotifier is a wrapper interface of the status recorders
 type ConnStateNotifier interface {
 	MarkManagementDisconnected(error)
@@ -49,7 +51,7 @@ func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsE
 		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
 	}

-	mgmCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	mgmCtx, cancel := context.WithTimeout(ctx, ConnectTimeout)
 	defer cancel()
 	conn, err := grpc.DialContext(
 		mgmCtx,
@@ -318,7 +320,7 @@ func (c *GrpcClient) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*pro
 		log.Errorf("failed to encrypt message: %s", err)
 		return nil, err
 	}
-	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second)
+	mgmCtx, cancel := context.WithTimeout(c.ctx, ConnectTimeout)
 	defer cancel()
 	resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
 		WgPubKey: c.key.PublicKey().String(),
@@ -474,5 +476,9 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 		SysSerialNumber:    info.SystemSerialNumber,
 		SysManufacturer:    info.SystemManufacturer,
 		SysProductName:     info.SystemProductName,
+		Environment: &proto.Environment{
+			Cloud:    info.Environment.Cloud,
+			Platform: info.Environment.Platform,
+		},
 	}
 }
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -43,6 +43,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/metrics"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )

 // ManagementLegacyPort is the port that was used before by the Management gRPC server.
@@ -315,6 +316,7 @@ var (
 				}
 			}

+			log.Infof("management server version %s", version.NetbirdVersion())
 			log.Infof("running HTTP server and gRPC server on the same port: %s", listener.Addr().String())
 			serveGRPCWithHTTP(listener, rootHandler, tlsEnabled)

--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
--- a/management/proto/management.proto
+++ b/management/proto/management.proto
@@ -92,6 +92,14 @@ message PeerKeys {
  bytes wgPubKey = 2;
 }

+// Environment is part of the PeerSystemMeta and describes the environment the agent is running in.
+message Environment {
+  // cloud is the cloud provider the agent is running in if applicable.
+  string cloud = 1;
+  // platform is the platform the agent is running on if applicable.
+  string platform = 2;
+}
+
 // PeerSystemMeta is machine meta data like OS and version.
 message PeerSystemMeta {
  string hostname = 1;
@@ -108,6 +116,7 @@ message PeerSystemMeta {
  string sysSerialNumber = 12;
  string sysProductName = 13;
  string sysManufacturer = 14;
+  Environment environment = 15;
 }

 message LoginResponse {
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -72,7 +72,6 @@ type AccountManager interface {
 	CheckUserAccessByJWTGroups(claims jwtclaims.AuthorizationClaims) error
 	GetAccountFromPAT(pat string) (*Account, *User, *PersonalAccessToken, error)
 	DeleteAccount(accountID, userID string) error
-	GetUsage(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error)
 	MarkPATUsed(tokenID string) error
 	GetUser(claims jwtclaims.AuthorizationClaims) (*User, error)
 	ListUsers(accountID string) ([]*User, error)
@@ -126,6 +125,7 @@ type AccountManager interface {
 	SavePostureChecks(accountID, userID string, postureChecks *posture.Checks) error
 	DeletePostureChecks(accountID, postureChecksID, userID string) error
 	ListPostureChecks(accountID, userID string) ([]*posture.Checks, error)
+	GetIdpManager() idp.Manager
 }

 type DefaultAccountManager struct {
@@ -205,6 +205,7 @@ type Account struct {

 	// User.Id it was created by
 	CreatedBy              string
+	CreatedAt              time.Time
 	Domain                 string `gorm:"index"`
 	DomainCategory         string
 	IsDomainPrimaryAccount bool
@@ -231,14 +232,6 @@ type Account struct {
 	RulesG []Rule           `json:"-" gorm:"-"`
 }

-// AccountUsageStats represents the current usage statistics for an account
-type AccountUsageStats struct {
-	ActiveUsers int64 `json:"active_users"`
-	TotalUsers  int64 `json:"total_users"`
-	ActivePeers int64 `json:"active_peers"`
-	TotalPeers  int64 `json:"total_peers"`
-}
-
 type UserInfo struct {
 	ID                   string               `json:"id"`
 	Email                string               `json:"email"`
@@ -462,6 +455,11 @@ func (a *Account) GetNextPeerExpiration() (time.Duration, bool) {
 		}
 		_, duration := peer.LoginExpired(a.Settings.PeerLoginExpiration)
 		if nextExpiry == nil || duration < *nextExpiry {
+			// if expiration is below 1s return 1s duration
+			// this avoids issues with ticker that can't be set to < 0
+			if duration < time.Second {
+				return time.Second, true
+			}
 			nextExpiry = &duration
 		}
 	}
@@ -683,6 +681,7 @@ func (a *Account) Copy() *Account {
 	return &Account{
 		Id:                     a.Id,
 		CreatedBy:              a.CreatedBy,
+		CreatedAt:              a.CreatedAt,
 		Domain:                 a.Domain,
 		DomainCategory:         a.DomainCategory,
 		IsDomainPrimaryAccount: a.IsDomainPrimaryAccount,
@@ -900,6 +899,10 @@ func (am *DefaultAccountManager) GetExternalCacheManager() ExternalCacheManager
 	return am.externalCacheManager
 }

+func (am *DefaultAccountManager) GetIdpManager() idp.Manager {
+	return am.idpManager
+}
+
 // UpdateAccountSettings updates Account settings.
 // Only users with role UserRoleAdmin can update the account.
 // User that performs the update has to belong to the account.
@@ -1114,17 +1117,6 @@ func (am *DefaultAccountManager) DeleteAccount(accountID, userID string) error {
 	return nil
 }

-// GetUsage returns the usage stats for the given account.
-// This cannot be used to calculate usage stats for a period in the past as it relies on peers' last seen time.
-func (am *DefaultAccountManager) GetUsage(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error) {
-	usageStats, err := am.Store.CalculateUsageStats(ctx, accountID, start, end)
-	if err != nil {
-		return nil, fmt.Errorf("failed to calculate usage stats: %w", err)
-	}
-
-	return usageStats, nil
-}
-
 // GetAccountByUserOrAccountID looks for an account by user or accountID, if no account is provided and
 // userID doesn't have an account associated with it, one account is created
 // domain is used to create a new account if no account is found
@@ -1870,6 +1862,7 @@ func newAccountWithId(accountID, userID, domain string) *Account {

 	acc := &Account{
 		Id:               accountID,
+		CreatedAt:        time.Now().UTC(),
 		SetupKeys:        setupKeys,
 		Network:          network,
 		Peers:            peers,
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -94,6 +94,10 @@ func verifyNewAccountHasDefaultFields(t *testing.T, account *Account, createdBy
 		t.Errorf("expecting newly created account to be created by user %s, got %s", createdBy, account.CreatedBy)
 	}

+	if account.CreatedAt.IsZero() {
+		t.Errorf("expecting newly created account to have a non-zero creation time")
+	}
+
 	if account.Domain != domain {
 		t.Errorf("expecting newly created account to have domain %s, got %s", domain, account.Domain)
 	}
@@ -1473,6 +1477,7 @@ func TestAccount_Copy(t *testing.T) {
 	account := &Account{
 		Id:                     "account1",
 		CreatedBy:              "tester",
+		CreatedAt:              time.Now().UTC(),
 		Domain:                 "test.com",
 		DomainCategory:         "public",
 		IsDomainPrimaryAccount: true,
--- a/management/server/activity/event.go
+++ b/management/server/activity/event.go
@@ -9,7 +9,7 @@ const (
 )

 // ActivityDescriber is an interface that describes an activity
-type ActivityDescriber interface {
+type ActivityDescriber interface { //nolint:revive
 	StringCode() string
 	Message() string
 }
--- a/management/server/file_store.go
+++ b/management/server/file_store.go
@@ -1,8 +1,6 @@
 package server

 import (
-	"context"
-	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -664,40 +662,3 @@ func (s *FileStore) Close() error {
 func (s *FileStore) GetStoreEngine() StoreEngine {
 	return FileStoreEngine
 }
-
-// CalculateUsageStats returns the usage stats for an account
-// start and end are inclusive.
-func (s *FileStore) CalculateUsageStats(_ context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	account, exists := s.Accounts[accountID]
-	if !exists {
-		return nil, fmt.Errorf("account not found")
-	}
-
-	stats := &AccountUsageStats{
-		TotalUsers: 0,
-		TotalPeers: int64(len(account.Peers)),
-	}
-
-	for _, user := range account.Users {
-		if !user.IsServiceUser {
-			stats.TotalUsers++
-		}
-	}
-
-	activeUsers := make(map[string]bool)
-	for _, peer := range account.Peers {
-		lastSeen := peer.Status.LastSeen
-		if lastSeen.Compare(start) >= 0 && lastSeen.Compare(end) <= 0 {
-			if _, exists := account.Users[peer.UserID]; exists && !activeUsers[peer.UserID] {
-				activeUsers[peer.UserID] = true
-				stats.ActiveUsers++
-			}
-			stats.ActivePeers++
-		}
-	}
-
-	return stats, nil
-}
--- a/management/server/file_store_test.go
+++ b/management/server/file_store_test.go
@@ -1,7 +1,6 @@
 package server

 import (
-	"context"
 	"crypto/sha256"
 	"net"
 	"path/filepath"
@@ -658,32 +657,3 @@ func newStore(t *testing.T) *FileStore {

 	return store
 }
-
-func TestFileStore_CalculateUsageStats(t *testing.T) {
-	storeDir := t.TempDir()
-
-	err := util.CopyFileContents("testdata/store_stats.json", filepath.Join(storeDir, "store.json"))
-	require.NoError(t, err)
-
-	store, err := NewFileStore(storeDir, nil)
-	require.NoError(t, err)
-
-	startDate := time.Date(2024, time.February, 1, 0, 0, 0, 0, time.UTC)
-	endDate := startDate.AddDate(0, 1, 0).Add(-time.Nanosecond)
-
-	stats1, err := store.CalculateUsageStats(context.TODO(), "account-1", startDate, endDate)
-	require.NoError(t, err)
-
-	assert.Equal(t, int64(2), stats1.ActiveUsers)
-	assert.Equal(t, int64(4), stats1.TotalUsers)
-	assert.Equal(t, int64(3), stats1.ActivePeers)
-	assert.Equal(t, int64(7), stats1.TotalPeers)
-
-	stats2, err := store.CalculateUsageStats(context.TODO(), "account-2", startDate, endDate)
-	require.NoError(t, err)
-
-	assert.Equal(t, int64(1), stats2.ActiveUsers)
-	assert.Equal(t, int64(2), stats2.TotalUsers)
-	assert.Equal(t, int64(1), stats2.ActivePeers)
-	assert.Equal(t, int64(2), stats2.TotalPeers)
-}
--- a/management/server/geolocation/database.go
+++ b/management/server/geolocation/database.go
@@ -3,6 +3,7 @@ package geolocation
 import (
 	"encoding/csv"
 	"fmt"
+	"io"
 	"net/url"
 	"os"
 	"path"
@@ -35,7 +36,7 @@ func loadGeolocationDatabases(dataDir string) error {
 				if err := decompressTarGzFile(src, dst); err != nil {
 					return err
 				}
-				return os.Rename(path.Join(dst, MMDBFileName), path.Join(dataDir, MMDBFileName))
+				return copyFile(path.Join(dst, MMDBFileName), path.Join(dataDir, MMDBFileName))
 			}
 			if err := loadDatabase(
 				geoLiteCitySha256TarURL,
@@ -185,3 +186,25 @@ func getDatabaseFileName(urlStr string) string {
 	fileName := fmt.Sprintf("%s.%s", path.Base(u.Path), ext)
 	return fileName
 }
+
+// copyFile performs a file copy operation from the source file to the destination.
+func copyFile(src string, dst string) error {
+	srcFile, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer srcFile.Close()
+
+	dstFile, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer dstFile.Close()
+
+	_, err = io.Copy(dstFile, srcFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -288,6 +288,10 @@ func extractPeerMeta(loginReq *proto.LoginRequest) nbpeer.PeerSystemMeta {
 		SystemSerialNumber: loginReq.GetMeta().GetSysSerialNumber(),
 		SystemProductName:  loginReq.GetMeta().GetSysProductName(),
 		SystemManufacturer: loginReq.GetMeta().GetSysManufacturer(),
+		Environment: nbpeer.Environment{
+			Cloud:    loginReq.GetMeta().GetEnvironment().GetCloud(),
+			Platform: loginReq.GetMeta().GetEnvironment().GetPlatform(),
+		},
 	}
 }

--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -121,7 +121,7 @@ components:
          description: Last time this user performed a login to the dashboard
          type: string
          format: date-time
-          example: 2023-05-05T09:00:35.477782Z
+          example: "2023-05-05T09:00:35.477782Z"
        auto_groups:
          description: Group IDs to auto-assign to peers registered by this user
          type: array
@@ -259,7 +259,7 @@ components:
              description: Last time peer connected to Netbird's management service
              type: string
              format: date-time
-              example: 2023-05-05T10:05:26.420578Z
+              example: "2023-05-05T10:05:26.420578Z"
            os:
              description: Peer's operating system and version
              type: string
@@ -313,7 +313,7 @@ components:
              description: Last time this peer performed log in (authentication). E.g., user authenticated.
              type: string
              format: date-time
-              example: 2023-05-05T09:00:35.477782Z
+              example: "2023-05-05T09:00:35.477782Z"
            approval_required:
              description: (Cloud only) Indicates whether peer needs approval
              type: boolean
@@ -405,7 +405,7 @@ components:
          description: Setup Key expiration date
          type: string
          format: date-time
-          example: 2023-06-01T14:47:22.291057Z
+          example: "2023-06-01T14:47:22.291057Z"
        type:
          description: Setup key type, one-off for single time usage and reusable
          type: string
@@ -426,7 +426,7 @@ components:
          description: Setup key last usage date
          type: string
          format: date-time
-          example: 2023-05-05T09:00:35.477782Z
+          example: "2023-05-05T09:00:35.477782Z"
        state:
          description: Setup key status, "valid", "overused","expired" or "revoked"
          type: string
@@ -441,7 +441,7 @@ components:
          description: Setup key last update date
          type: string
          format: date-time
-          example: 2023-05-05T09:00:35.477782Z
+          example: "2023-05-05T09:00:35.477782Z"
        usage_limit:
          description: A number of times this key can be used. The value of 0 indicates the unlimited usage.
          type: integer
@@ -522,7 +522,7 @@ components:
          description: Date the token expires
          type: string
          format: date-time
-          example: 2023-05-05T14:38:28.977616Z
+          example: "2023-05-05T14:38:28.977616Z"
        created_by:
          description: User ID of the user who created the token
          type: string
@@ -531,12 +531,12 @@ components:
          description: Date the token was created
          type: string
          format: date-time
-          example: 2023-05-02T14:48:20.465209Z
+          example: "2023-05-02T14:48:20.465209Z"
        last_used:
          description: Date the token was last used
          type: string
          format: date-time
-          example: 2023-05-04T12:45:25.9723616Z
+          example: "2023-05-04T12:45:25.9723616Z"
      required:
        - id
        - name
@@ -979,7 +979,7 @@ components:
          type: string
          example: "Germany"
        country_code:
-            $ref: '#/components/schemas/CountryCode'
+          $ref: '#/components/schemas/CountryCode'
      required:
        - country_name
        - country_code
@@ -1197,7 +1197,7 @@ components:
          description: The date and time when the event occurred
          type: string
          format: date-time
-          example: 2023-05-05T10:04:37.473542Z
+          example: "2023-05-05T10:04:37.473542Z"
        activity:
          description: The activity that occurred during the event
          type: string
--- a/management/server/idp/auth0.go
+++ b/management/server/idp/auth0.go
@@ -114,6 +114,22 @@ type auth0Profile struct {
 	LastLogin     string `json:"last_login"`
 }

+// Connections represents a single Auth0 connection
+// https://auth0.com/docs/api/management/v2/connections/get-connections
+type Connection struct {
+	Id                 string            `json:"id"`
+	Name               string            `json:"name"`
+	DisplayName        string            `json:"display_name"`
+	IsDomainConnection bool              `json:"is_domain_connection"`
+	Realms             []string          `json:"realms"`
+	Metadata           map[string]string `json:"metadata"`
+	Options            ConnectionOptions `json:"options"`
+}
+
+type ConnectionOptions struct {
+	DomainAliases []string `json:"domain_aliases"`
+}
+
 // NewAuth0Manager creates a new instance of the Auth0Manager
 func NewAuth0Manager(config Auth0ClientConfig, appMetrics telemetry.AppMetrics) (*Auth0Manager, error) {
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
@@ -581,13 +597,13 @@ func (am *Auth0Manager) GetAllAccounts() (map[string][]*UserData, error) {

 	body, err := io.ReadAll(jobResp.Body)
 	if err != nil {
-		log.Debugf("Coudln't read export job response; %v", err)
+		log.Debugf("Couldn't read export job response; %v", err)
 		return nil, err
 	}

 	err = am.helper.Unmarshal(body, &exportJobResp)
 	if err != nil {
-		log.Debugf("Coudln't unmarshal export job response; %v", err)
+		log.Debugf("Couldn't unmarshal export job response; %v", err)
 		return nil, err
 	}

@@ -635,7 +651,7 @@ func (am *Auth0Manager) GetUserByEmail(email string) ([]*UserData, error) {

 	err = am.helper.Unmarshal(body, &userResp)
 	if err != nil {
-		log.Debugf("Coudln't unmarshal export job response; %v", err)
+		log.Debugf("Couldn't unmarshal export job response; %v", err)
 		return nil, err
 	}

@@ -684,13 +700,13 @@ func (am *Auth0Manager) CreateUser(email, name, accountID, invitedByEmail string

 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		log.Debugf("Coudln't read export job response; %v", err)
+		log.Debugf("Couldn't read export job response; %v", err)
 		return nil, err
 	}

 	err = am.helper.Unmarshal(body, &createResp)
 	if err != nil {
-		log.Debugf("Coudln't unmarshal export job response; %v", err)
+		log.Debugf("Couldn't unmarshal export job response; %v", err)
 		return nil, err
 	}

@@ -777,6 +793,56 @@ func (am *Auth0Manager) DeleteUser(userID string) error {
 	return nil
 }

+// GetAllConnections returns detailed list of all connections filtered by given params.
+// Note this method is not part of the IDP Manager interface as this is Auth0 specific.
+func (am *Auth0Manager) GetAllConnections(strategy []string) ([]Connection, error) {
+	var connections []Connection
+
+	q := make(url.Values)
+	q.Set("strategy", strings.Join(strategy, ","))
+
+	req, err := am.createRequest(http.MethodGet, "/api/v2/connections?"+q.Encode(), nil)
+	if err != nil {
+		return connections, err
+	}
+
+	resp, err := am.httpClient.Do(req)
+	if err != nil {
+		log.Debugf("execute get connections request: %v", err)
+		if am.appMetrics != nil {
+			am.appMetrics.IDPMetrics().CountRequestError()
+		}
+		return connections, err
+	}
+
+	defer func() {
+		err = resp.Body.Close()
+		if err != nil {
+			log.Errorf("close get connections request body: %v", err)
+		}
+	}()
+	if resp.StatusCode != 200 {
+		if am.appMetrics != nil {
+			am.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+		return connections, fmt.Errorf("unable to get connections, statusCode %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Debugf("Couldn't read get connections response; %v", err)
+		return connections, err
+	}
+
+	err = am.helper.Unmarshal(body, &connections)
+	if err != nil {
+		log.Debugf("Couldn't unmarshal get connection response; %v", err)
+		return connections, err
+	}
+
+	return connections, err
+}
+
 // checkExportJobStatus checks the status of the job created at CreateExportUsersJob.
 // If the status is "completed", then return the downloadLink
 func (am *Auth0Manager) checkExportJobStatus(jobID string) (bool, string, error) {
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -1,7 +1,6 @@
 package mock_server

 import (
-	"context"
 	"net"
 	"time"

@@ -11,6 +10,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
@@ -92,7 +92,7 @@ type MockAccountManager struct {
 	SavePostureChecksFunc           func(accountID, userID string, postureChecks *posture.Checks) error
 	DeletePostureChecksFunc         func(accountID, postureChecksID, userID string) error
 	ListPostureChecksFunc           func(accountID, userID string) ([]*posture.Checks, error)
-	GetUsageFunc                    func(ctx context.Context, accountID string, start, end time.Time) (*server.AccountUsageStats, error)
+	GetIdpManagerFunc               func() idp.Manager
 }

 // GetUsersFromAccount mock implementation of GetUsersFromAccount from server.AccountManager interface
@@ -705,10 +705,10 @@ func (am *MockAccountManager) ListPostureChecks(accountID, userID string) ([]*po
 	return nil, status.Errorf(codes.Unimplemented, "method ListPostureChecks is not implemented")
 }

-// GetUsage mocks GetCurrentUsage of the AccountManager interface
-func (am *MockAccountManager) GetUsage(ctx context.Context, accountID string, start time.Time, end time.Time) (*server.AccountUsageStats, error) {
-	if am.GetUsageFunc != nil {
-		return am.GetUsageFunc(ctx, accountID, start, end)
+// GetIdpManager mocks GetIdpManager of the AccountManager interface
+func (am *MockAccountManager) GetIdpManager() idp.Manager {
+	if am.GetIdpManagerFunc != nil {
+		return am.GetIdpManagerFunc()
 	}
-	return nil, status.Errorf(codes.Unimplemented, "method GetUsage is not implemented")
+	return nil
 }
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -410,6 +410,8 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *nbpeer.P
 		return nil, nil, err
 	}

+	registrationTime := time.Now().UTC()
+
 	newPeer := &nbpeer.Peer{
 		ID:                     xid.New().String(),
 		Key:                    peer.Key,
@@ -419,10 +421,11 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *nbpeer.P
 		Name:                   peer.Meta.Hostname,
 		DNSLabel:               newLabel,
 		UserID:                 userID,
-		Status:                 &nbpeer.PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
+		Status:                 &nbpeer.PeerStatus{Connected: false, LastSeen: registrationTime},
 		SSHEnabled:             false,
 		SSHKey:                 peer.SSHKey,
-		LastLogin:              time.Now().UTC(),
+		LastLogin:              registrationTime,
+		CreatedAt:              registrationTime,
 		LoginExpirationEnabled: addedByUser,
 		Ephemeral:              ephemeral,
 	}
--- a/management/server/peer/peer.go
+++ b/management/server/peer/peer.go
@@ -40,13 +40,15 @@ type Peer struct {
 	LoginExpirationEnabled bool
 	// LastLogin the time when peer performed last login operation
 	LastLogin time.Time
+	// CreatedAt records the time the peer was created
+	CreatedAt time.Time
 	// Indicate ephemeral peer attribute
 	Ephemeral bool
 	// Geo location based on connection IP
 	Location Location `gorm:"embedded;embeddedPrefix:location_"`
 }

-type PeerStatus struct {
+type PeerStatus struct { //nolint:revive
 	// LastSeen is the last time peer was connected to the management service
 	LastSeen time.Time
 	// Connected indicates whether peer is connected to the management service or not
@@ -71,8 +73,14 @@ type NetworkAddress struct {
 	Mac   string
 }

+// Environment is a system environment information
+type Environment struct {
+	Cloud    string
+	Platform string
+}
+
 // PeerSystemMeta is a metadata of a Peer machine system
-type PeerSystemMeta struct {
+type PeerSystemMeta struct { //nolint:revive
 	Hostname           string
 	GoOS               string
 	Kernel             string
@@ -87,6 +95,7 @@ type PeerSystemMeta struct {
 	SystemSerialNumber string
 	SystemProductName  string
 	SystemManufacturer string
+	Environment        Environment `gorm:"serializer:json"`
 }

 func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
@@ -119,7 +128,9 @@ func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
 		p.UIVersion == other.UIVersion &&
 		p.SystemSerialNumber == other.SystemSerialNumber &&
 		p.SystemProductName == other.SystemProductName &&
-		p.SystemManufacturer == other.SystemManufacturer
+		p.SystemManufacturer == other.SystemManufacturer &&
+		p.Environment.Cloud == other.Environment.Cloud &&
+		p.Environment.Platform == other.Environment.Platform
 }

 // AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
@@ -148,6 +159,7 @@ func (p *Peer) Copy() *Peer {
 		SSHEnabled:             p.SSHEnabled,
 		LoginExpirationEnabled: p.LoginExpirationEnabled,
 		LastLogin:              p.LastLogin,
+		CreatedAt:              p.CreatedAt,
 		Ephemeral:              p.Ephemeral,
 		Location:               p.Location,
 	}
@@ -204,7 +216,7 @@ func (p *Peer) FQDN(dnsDomain string) string {

 // EventMeta returns activity event meta related to the peer
 func (p *Peer) EventMeta(dnsDomain string) map[string]any {
-	return map[string]any{"name": p.Name, "fqdn": p.FQDN(dnsDomain), "ip": p.IP}
+	return map[string]any{"name": p.Name, "fqdn": p.FQDN(dnsDomain), "ip": p.IP, "created_at": p.CreatedAt}
 }

 // Copy PeerStatus
--- a/management/server/scheduler.go
+++ b/management/server/scheduler.go
@@ -1,9 +1,10 @@
 package server

 import (
-	log "github.com/sirupsen/logrus"
 	"sync"
 	"time"
+
+	log "github.com/sirupsen/logrus"
 )

 // Scheduler is an interface which implementations can schedule and cancel jobs
@@ -55,14 +56,8 @@ func (wm *DefaultScheduler) cancel(ID string) bool {
 	cancel, ok := wm.jobs[ID]
 	if ok {
 		delete(wm.jobs, ID)
-		select {
-		case cancel <- struct{}{}:
-			log.Debugf("cancelled scheduled job %s", ID)
-		default:
-			log.Warnf("couldn't cancel job %s because there was no routine listening on the cancel event", ID)
-			return false
-		}
-
+		close(cancel)
+		log.Debugf("cancelled scheduled job %s", ID)
 	}
 	return ok
 }
@@ -90,25 +85,50 @@ func (wm *DefaultScheduler) Schedule(in time.Duration, ID string, job func() (ne
 		return
 	}

+	if in < time.Second {
+		log.Warnf("job for %s was scheduled to run in %s which is under 1s. Adjusting that.", ID, in.String())
+		in = time.Second
+	}
+
+	ticker := time.NewTicker(in)
+
 	wm.jobs[ID] = cancel
 	log.Debugf("scheduled a job %s to run in %s. There are %d total jobs scheduled.", ID, in.String(), len(wm.jobs))
 	go func() {
-		select {
-		case <-time.After(in):
-			log.Debugf("time to do a scheduled job %s", ID)
-			runIn, reschedule := job()
-			wm.mu.Lock()
-			defer wm.mu.Unlock()
-			delete(wm.jobs, ID)
-			if reschedule {
-				go wm.Schedule(runIn, ID, job)
+		for {
+			select {
+			case <-ticker.C:
+				select {
+				case <-cancel:
+					log.Debugf("scheduled job %s was canceled, stop timer", ID)
+					ticker.Stop()
+					return
+				default:
+					log.Debugf("time to do a scheduled job %s", ID)
+				}
+				runIn, reschedule := job()
+				if !reschedule {
+					wm.mu.Lock()
+					defer wm.mu.Unlock()
+					delete(wm.jobs, ID)
+					log.Debugf("job %s is not scheduled to run again", ID)
+					ticker.Stop()
+					return
+				}
+				// we need this comparison to avoid resetting the ticker with the same duration and missing the current elapsesed time
+				if runIn != in {
+					if runIn < time.Second {
+						log.Warnf("job for %s was rescheduled to run in %s which is under 1s. Adjusting that.", ID, runIn.String())
+						runIn = time.Second
+					}
+					ticker.Reset(runIn)
+				}
+			case <-cancel:
+				log.Debugf("job %s was canceled, stopping timer", ID)
+				ticker.Stop()
+				return
 			}
-		case <-cancel:
-			log.Debugf("stopped scheduled job %s ", ID)
-			wm.mu.Lock()
-			defer wm.mu.Unlock()
-			delete(wm.jobs, ID)
-			return
 		}
+
 	}()
 }
--- a/management/server/scheduler_test.go
+++ b/management/server/scheduler_test.go
@@ -2,11 +2,12 @@ package server

 import (
 	"fmt"
-	"github.com/stretchr/testify/assert"
 	"math/rand"
 	"sync"
 	"testing"
 	"time"
+
+	"github.com/stretchr/testify/assert"
 )

 func TestScheduler_Performance(t *testing.T) {
@@ -36,15 +37,24 @@ func TestScheduler_Cancel(t *testing.T) {
 	jobID1 := "test-scheduler-job-1"
 	jobID2 := "test-scheduler-job-2"
 	scheduler := NewDefaultScheduler()
-	scheduler.Schedule(2*time.Second, jobID1, func() (nextRunIn time.Duration, reschedule bool) {
-		return 0, false
+	tChan := make(chan struct{})
+	p := []string{jobID1, jobID2}
+	scheduler.Schedule(2*time.Millisecond, jobID1, func() (nextRunIn time.Duration, reschedule bool) {
+		tt := p[0]
+		<-tChan
+		t.Logf("job %s", tt)
+		return 2 * time.Millisecond, true
 	})
-	scheduler.Schedule(2*time.Second, jobID2, func() (nextRunIn time.Duration, reschedule bool) {
-		return 0, false
+	scheduler.Schedule(2*time.Millisecond, jobID2, func() (nextRunIn time.Duration, reschedule bool) {
+		return 2 * time.Millisecond, true
 	})

+	time.Sleep(4 * time.Millisecond)
 	assert.Len(t, scheduler.jobs, 2)
 	scheduler.Cancel([]string{jobID1})
+	close(tChan)
+	p = []string{}
+	time.Sleep(4 * time.Millisecond)
 	assert.Len(t, scheduler.jobs, 1)
 	assert.NotNil(t, scheduler.jobs[jobID2])
 }
--- a/management/server/sqlite_store.go
+++ b/management/server/sqlite_store.go
@@ -1,7 +1,6 @@
 package server

 import (
-	"context"
 	"fmt"
 	"path/filepath"
 	"runtime"
@@ -498,48 +497,3 @@ func (s *SqliteStore) Close() error {
 func (s *SqliteStore) GetStoreEngine() StoreEngine {
 	return SqliteStoreEngine
 }
-
-// CalculateUsageStats returns the usage stats for an account
-// start and end are inclusive.
-func (s *SqliteStore) CalculateUsageStats(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error) {
-	stats := &AccountUsageStats{}
-
-	err := s.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
-		err := tx.Model(&nbpeer.Peer{}).
-			Where("account_id = ? AND peer_status_last_seen BETWEEN ? AND ?", accountID, start, end).
-			Distinct("user_id").
-			Count(&stats.ActiveUsers).Error
-		if err != nil {
-			return fmt.Errorf("get active users: %w", err)
-		}
-
-		err = tx.Model(&User{}).
-			Where("account_id = ? AND is_service_user = ?", accountID, false).
-			Count(&stats.TotalUsers).Error
-		if err != nil {
-			return fmt.Errorf("get total users: %w", err)
-		}
-
-		err = tx.Model(&nbpeer.Peer{}).
-			Where("account_id = ? AND peer_status_last_seen BETWEEN ? AND ?", accountID, start, end).
-			Count(&stats.ActivePeers).Error
-		if err != nil {
-			return fmt.Errorf("get active peers: %w", err)
-		}
-
-		err = tx.Model(&nbpeer.Peer{}).
-			Where("account_id = ?", accountID).
-			Count(&stats.TotalPeers).Error
-		if err != nil {
-			return fmt.Errorf("get total peers: %w", err)
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		return nil, fmt.Errorf("transaction: %w", err)
-	}
-
-	return stats, nil
-}
--- a/management/server/sqlite_store_test.go
+++ b/management/server/sqlite_store_test.go
@@ -1,7 +1,6 @@
 package server

 import (
-	"context"
 	"fmt"
 	"net"
 	"path/filepath"
@@ -347,29 +346,3 @@ func newAccount(store Store, id int) error {

 	return store.SaveAccount(account)
 }
-
-func TestSqliteStore_CalculateUsageStats(t *testing.T) {
-	store := newSqliteStoreFromFile(t, "testdata/store_stats.json")
-	t.Cleanup(func() {
-		require.NoError(t, store.Close())
-	})
-
-	startDate := time.Date(2024, time.February, 1, 0, 0, 0, 0, time.UTC)
-	endDate := startDate.AddDate(0, 1, 0).Add(-time.Nanosecond)
-
-	stats1, err := store.CalculateUsageStats(context.TODO(), "account-1", startDate, endDate)
-	require.NoError(t, err)
-
-	assert.Equal(t, int64(2), stats1.ActiveUsers)
-	assert.Equal(t, int64(4), stats1.TotalUsers)
-	assert.Equal(t, int64(3), stats1.ActivePeers)
-	assert.Equal(t, int64(7), stats1.TotalPeers)
-
-	stats2, err := store.CalculateUsageStats(context.TODO(), "account-2", startDate, endDate)
-	require.NoError(t, err)
-
-	assert.Equal(t, int64(1), stats2.ActiveUsers)
-	assert.Equal(t, int64(2), stats2.TotalUsers)
-	assert.Equal(t, int64(1), stats2.ActivePeers)
-	assert.Equal(t, int64(2), stats2.TotalPeers)
-}
--- a/management/server/store.go
+++ b/management/server/store.go
@@ -1,7 +1,6 @@
 package server

 import (
-	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -42,7 +41,6 @@ type Store interface {
 	// GetStoreEngine should return StoreEngine of the current store implementation.
 	// This is also a method of metrics.DataSource interface.
 	GetStoreEngine() StoreEngine
-	CalculateUsageStats(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error)
 }

 type StoreEngine string
--- a/management/server/testdata/store_stats.json
+++ b/management/server/testdata/store_stats.json
@@ -1,161 +0,0 @@
-{
-  "Accounts": {
-    "account-1": {
-      "Id": "account-1",
-      "Domain": "example.com",
-      "Network": {
-        "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
-        "Net": {
-          "IP": "100.64.0.0",
-          "Mask": "//8AAA=="
-        },
-        "Dns": null
-      },
-      "Users": {
-        "user-1-account-1": {
-          "Id": "user-1-account-1"
-        },
-        "user-2-account-1": {
-          "Id": "user-2-account-1"
-        },
-        "user-3-account-1": {
-          "Id": "user-3-account-1"
-        },
-        "user-4-account-1": {
-          "Id": "user-4-account-1"
-        },
-        "user-5-account-1": {
-          "Id": "user-5-account-1",
-          "IsServiceUser": true
-        }
-      },
-      "Peers": {
-        "peer-1-account-1": {
-          "ID": "peer-1-account-1",
-          "UserID": "user-1-account-1",
-          "Status": {
-            "LastSeen": "2024-01-01T00:00:00Z"
-          },
-          "Name": "Peer One",
-          "Meta": {
-            "Hostname": "peer1-host"
-          }
-        },
-        "peer-2-account-1": {
-          "ID": "peer-2-account-1",
-          "UserID": "user-2-account-1",
-          "Status": {
-            "LastSeen": "2024-02-29T23:59:59Z"
-          },
-          "Name": "Peer Two",
-          "Meta": {
-            "Hostname": "peer2-host"
-          }
-        },
-        "peer-3-account-1": {
-          "ID": "peer-3-account-1",
-          "UserID": "user-2-account-1",
-          "Status": {
-            "LastSeen": "2024-02-01T12:00:00Z"
-          },
-          "Name": "Peer Three",
-          "Meta": {
-            "Hostname": "peer3-host"
-          }
-        },
-        "peer-4-account-1": {
-          "ID": "peer-4-account-1",
-          "UserID": "user-3-account-1",
-          "Status": {
-            "LastSeen": "2024-02-08T12:00:00Z"
-          },
-          "Name": "Peer Four",
-          "Meta": {
-            "Hostname": "peer4-host"
-          }
-        },
-        "peer-5-account-1": {
-          "ID": "peer-5-account-1",
-          "UserID": "user-3-account-1",
-          "Status": {
-            "LastSeen": "2023-06-01T12:00:00Z"
-          },
-          "Name": "Peer Five",
-          "Meta": {
-            "Hostname": "peer5-host"
-          }
-        },
-        "peer-6-account-1": {
-          "ID": "peer-6-account-1",
-          "UserID": "user-4-account-1",
-          "Status": {
-            "LastSeen": "2024-01-31T23:59:59Z"
-          },
-          "Name": "Peer Six",
-          "Meta": {
-            "Hostname": "peer6-host"
-          }
-        },
-        "peer-7-account-1": {
-          "ID": "peer-7-account-1",
-          "UserID": "user-4-account-1",
-          "Status": {
-            "LastSeen": "2024-03-01T00:00:00Z"
-          },
-          "Name": "Peer Seven",
-          "Meta": {
-            "Hostname": "peer7-host"
-          }
-        }
-      }
-    },
-    "account-2": {
-      "Id": "account-2",
-      "Domain": "example.org",
-      "Network": {
-        "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
-        "Net": {
-          "IP": "100.64.0.0",
-          "Mask": "//8AAA=="
-        },
-        "Dns": null
-      },
-      "Users": {
-        "user-1-account-2": {
-          "Id": "user-1-account-2"
-        },
-        "user-2-account-2": {
-          "Id": "user-1-account-2"
-        },
-        "user-3-account-2": {
-          "Id": "user-3-account-2",
-          "IsServiceUser": true
-        }
-      },
-      "Peers": {
-        "peer-1-account-2": {
-          "ID": "peer-1-account-2",
-          "UserID": "user-1-account-2",
-          "Status": {
-            "LastSeen": "2023-08-30T12:00:00Z"
-          },
-          "Name": "Peer One",
-          "Meta": {
-            "Hostname": "peer1-host"
-          }
-        },
-        "peer-2-account-2": {
-          "ID": "peer-2-account-2",
-          "UserID": "user-1-account-2",
-          "Status": {
-            "LastSeen": "2024-02-08T12:00:00Z"
-          },
-          "Name": "Peer Two",
-          "Meta": {
-            "Hostname": "peer2-host"
-          }
-        }
-      }
-    }
-  }
-}
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -85,6 +85,8 @@ type User struct {
 	Blocked bool
 	// LastLogin is the last time the user logged in to IdP
 	LastLogin time.Time
+	// CreatedAt records the time the user was created
+	CreatedAt time.Time

 	// Issued of the user
 	Issued string `gorm:"default:api"`
@@ -173,6 +175,7 @@ func (u *User) Copy() *User {
 		PATs:                 pats,
 		Blocked:              u.Blocked,
 		LastLogin:            u.LastLogin,
+		CreatedAt:            u.CreatedAt,
 		Issued:               u.Issued,
 		IntegrationReference: u.IntegrationReference,
 	}
@@ -188,6 +191,7 @@ func NewUser(id string, role UserRole, isServiceUser bool, nonDeletable bool, se
 		ServiceUserName: serviceUserName,
 		AutoGroups:      autoGroups,
 		Issued:          issued,
+		CreatedAt:       time.Now().UTC(),
 	}
 }

@@ -338,6 +342,7 @@ func (am *DefaultAccountManager) inviteNewUser(accountID, userID string, invite
 		AutoGroups:           invite.AutoGroups,
 		Issued:               invite.Issued,
 		IntegrationReference: invite.IntegrationReference,
+		CreatedAt:            time.Now().UTC(),
 	}
 	account.Users[idpUser.ID] = newUser

@@ -414,7 +419,7 @@ func (am *DefaultAccountManager) ListUsers(accountID string) ([]*User, error) {
 }

 func (am *DefaultAccountManager) deleteServiceUser(account *Account, initiatorUserID string, targetUser *User) {
-	meta := map[string]any{"name": targetUser.ServiceUserName}
+	meta := map[string]any{"name": targetUser.ServiceUserName, "created_at": targetUser.CreatedAt}
 	am.StoreEvent(initiatorUserID, targetUser.Id, account.Id, activity.ServiceUserDeleted, meta)
 	delete(account.Users, targetUser.Id)
 }
@@ -494,13 +499,23 @@ func (am *DefaultAccountManager) deleteRegularUser(account *Account, initiatorUs
 		return err
 	}

+	u, err := account.FindUser(targetUserID)
+	if err != nil {
+		log.Errorf("failed to find user %s for deletion, this should never happen: %s", targetUserID, err)
+	}
+
+	var tuCreatedAt time.Time
+	if u != nil {
+		tuCreatedAt = u.CreatedAt
+	}
+
 	delete(account.Users, targetUserID)
 	err = am.Store.SaveAccount(account)
 	if err != nil {
 		return err
 	}

-	meta := map[string]any{"name": tuName, "email": tuEmail}
+	meta := map[string]any{"name": tuName, "email": tuEmail, "created_at": tuCreatedAt}
 	am.StoreEvent(initiatorUserID, targetUserID, account.Id, activity.UserDeleted, meta)

 	am.updateAccountPeers(account)
--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@@ -273,7 +273,8 @@ func TestUser_Copy(t *testing.T) {
 			},
 		},
 		Blocked:   false,
-		LastLogin: time.Now(),
+		LastLogin: time.Now().UTC(),
+		CreatedAt: time.Now().UTC(),
 		Issued:    "test",
 		IntegrationReference: IntegrationReference{
 			ID:              0,
--- a/signal/client/grpc.go
+++ b/signal/client/grpc.go
@@ -21,11 +21,10 @@ import (
 	"google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/encryption"
+	"github.com/netbirdio/netbird/management/client"
 	"github.com/netbirdio/netbird/signal/proto"
 )

-const defaultSendTimeout = 5 * time.Second
-
 // ConnStateNotifier is a wrapper interface of the status recorder
 type ConnStateNotifier interface {
 	MarkSignalDisconnected(error)
@@ -71,7 +70,7 @@ func NewClient(ctx context.Context, addr string, key wgtypes.Key, tlsEnabled boo
 		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
 	}

-	sigCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	sigCtx, cancel := context.WithTimeout(ctx, client.ConnectTimeout)
 	defer cancel()
 	conn, err := grpc.DialContext(
 		sigCtx,
@@ -353,7 +352,7 @@ func (c *GrpcClient) Send(msg *proto.Message) error {
 		return err
 	}

-	attemptTimeout := defaultSendTimeout
+	attemptTimeout := client.ConnectTimeout

 	for attempt := 0; attempt < 4; attempt++ {
 		if attempt > 1 {
--- a/signal/cmd/run.go
+++ b/signal/cmd/run.go
@@ -4,7 +4,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"golang.org/x/crypto/acme/autocert"
 	"io"
 	"io/fs"
 	"net"
@@ -14,10 +13,14 @@ import (
 	"strings"
 	"time"

+	"golang.org/x/crypto/acme/autocert"
+
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/signal/server"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
@@ -129,6 +132,7 @@ var (
 				log.Infof("running gRPC server: %s", grpcListener.Addr().String())
 			}

+			log.Infof("signal server version %s", version.NetbirdVersion())
 			log.Infof("started Signal Service")

 			SetupCloseHandler()
Author	SHA1	Message	Date
Maycon Santos	820ea80e68	use correct serializer	2024-03-10 06:19:31 +01:00
Maycon Santos	59cf4cd97b	Ensure schedule never runs with non-positive ticker	2024-03-10 06:03:07 +01:00
Bethuel Mmbaga	5a3d9e401f	Send terminal notification on peer session expiry (#1660 ) Send notification through terminal on user session expiration in Linux and macOS, unless UI application is installed to handle it instead.	2024-03-08 18:28:13 +01:00
Maycon Santos	fde1a2196c	add ansible collections contributions (#1675 )	2024-03-06 23:30:16 +01:00
Maycon Santos	0aeb87742a	Return 1s when next expiration is too low (#1672 ) using the login expired issue could cause problems with ticker used in the scheduler This change makes 1s the minimum number returned when rescheduling the peer expiration task	2024-03-06 15:18:53 +01:00
Deniz Adrian	6d747b2f83	Do not fail on virtualized windows systems (#1669 ) this handles virtualized systems without Win32_ComputerSystemProduct entries by returning 'unknown' for system product name Co-authored-by: Bjoern Brauer <zaubernerd@zaubernerd.de>	2024-03-06 14:32:34 +01:00
Viktor Liu	199bf73103	Remove usage stats (#1665 )	2024-03-05 09:45:32 +01:00
Maycon Santos	17f5abc653	Handle canceling schedule and avoid recursive call (#1636 ) Using time.Ticker allows us to avoid recursive calls that may end up in schedule running and possible deadlock if no routine is listening for cancel calls	2024-03-03 10:35:01 +01:00
Maycon Santos	aa935bdae3	Register creation time for peer, user and account (#1654 ) This change register creation time for new peers, users and accounts	2024-03-02 13:49:40 +01:00
Bethuel Mmbaga	452419c4c3	Send UI notification on peer connection session expiry (#1646 ) notify the user when the peer connection session expires after it switches from connected to disconnected and the status is login required	2024-03-01 17:57:17 +01:00
Viktor Liu	17b1099032	Enhance DNS failover reliability (#1637 ) * Fix using wrong array index in log to avoid potential panic * Increase gRPC connection timeout and add the timeout resolv.conf option This makes sure the dns client is able to failover to a second configured nameserver, if present. That is the case then when using the dns `file` manager and a resolv.conf file generated for netbird. * On file backup restore, remove the first NS if it's the netbird NS * Bump dns mangager discovery message from debug to info to ease debugging	2024-03-01 15:17:35 +01:00
pascal-fischer	a4b9e93217	add environment meta from grpc to store (#1651 )	2024-03-01 15:15:56 +01:00
Maycon Santos	63d7957140	Log version when starting management and signal (#1649 ) Output log version at service startup	2024-02-29 16:05:47 +01:00
Maycon Santos	9a6814deff	Enable review linter with exported docs check (#1647 ) Exported function and methods should have comments. This warns on undocumented exported functions and methods.	2024-02-29 16:05:31 +01:00
Misha Bragin	190698bcf2	Add open-source network security image (#1643 )	2024-02-29 14:04:32 +00:00
pascal-fischer	468fa2940b	add quotes to all timestamps in openapi spec (#1642 )	2024-02-29 13:09:43 +01:00
Maycon Santos	79a0647a26	Update bug-issue-report.md label (#1640 )	2024-02-29 10:21:00 +01:00
Maycon Santos	17ceb3bde8	Add reverse proxy settings to management.json template (#1639 ) Add grpc_set_header to the nginx example template	2024-02-28 20:24:28 +01:00
Yury Gargay	5a8f1763a6	Implement Auth0 IdP get all connections method (#1613 )	2024-02-28 16:57:35 +01:00
Bethuel Mmbaga	f64e73ca70	Fix invalid cross-device link when moving geolocation databases (#1638 ) * Fix invalid cross-device link when move geonames db * Add test for geolocation databases in workflow This step checks the existence and proper functioning of geolocation databases, including GeoLite2-City.mmdb and Geonames.db. It will help us ensure that geolocation databases are loaded correctly in the management. * Enable debug mode * Increase sleep duration in geolocation tests	2024-02-28 16:42:33 +03:00