[infra] Unify self-hosted deployment paths in getting-started.sh

Make getting-started.sh the single entry point for all self-hosted
deployments. The wizard now asks two independent questions - identity
provider (built-in vs standalone OIDC) and architecture (combined
netbird-server vs separate management/signal/relay containers) - and
renders the matching Docker Compose deployment with full reverse-proxy
parity (built-in Traefik, external Traefik, Nginx, NPM, Caddy, manual).

Highlights:
- setup.env contract: every wizard answer is persisted; --non-interactive
  re-renders idempotently from the file (IaC), --render-only generates
  without starting services. Secrets are generated once and appended so
  re-renders never rotate them.
- Split architecture renders a modern management.json (embedded Dex or
  external OIDC via PKCE), drops coturn entirely (the relay container
  serves STUN via NB_ENABLE_STUN), and optionally adds a PostgreSQL
  container when the postgres engine is selected without a DSN.
- The standalone-IdP path is framed around its real differentiator:
  multi-account support. The built-in IdP supports external SSO
  connectors but enforces single account mode.
- configure.sh, getting-started-with-dex.sh and
  getting-started-with-zitadel.sh print deprecation banners; their
  templates are frozen pending removal.
- New tests/test-render.sh validates all 8 combos (JSON validity,
  compose config, idempotent re-render, combined+external rejection)
  and runs in CI as the test-render-matrix job.

.github/workflows/test-infrastructure-files.yml

@@ -16,6 +16,20 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  test-render-matrix:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run getting-started.sh render tests
+        run: bash infrastructure_files/tests/test-render.sh
+
   test-docker-compose:
     runs-on: ubuntu-latest
     strategy:

client/embed/embed.go

@@ -279,10 +279,6 @@ func (c *Client) Start(startCtx context.Context) error {
 
 	select {
 	case <-startCtx.Done():
-		// Cancel the client context before stopping: Engine.Start blocks on the
-		// signal stream while holding the engine mutex and only unblocks on
-		// cancellation. Stopping first would deadlock on that mutex.
-		cancel()
 		if stopErr := client.Stop(); stopErr != nil {
 			return fmt.Errorf("stop error after context done. Stop error: %w. Context done: %w", stopErr, startCtx.Err())
 		}

client/embed/embed_test.go

@@ -1,168 +0,0 @@
-package embed
-
-import (
-	"context"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
-	"github.com/netbirdio/netbird/management/internals/modules/peers"
-	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
-	"github.com/netbirdio/netbird/management/internals/server/config"
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	mgmt "github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/activity"
-	nbcache "github.com/netbirdio/netbird/management/server/cache"
-	"github.com/netbirdio/netbird/management/server/groups"
-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
-	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/job"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"
-	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-const testSetupKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
-
-// TestClientStartTimeoutRollback reproduces a deadlock between Engine.Start and
-// Engine.Stop. The signal endpoint accepts gRPC connections but never serves the
-// SignalExchange service, so Engine.Start parks in WaitStreamConnected while
-// holding the engine mutex. When the Start context expires, the rollback path
-// calls ConnectClient.Stop, which must not block forever acquiring that mutex.
-func TestClientStartTimeoutRollback(t *testing.T) {
-	signalAddr := startBlackholeSignal(t)
-	mgmAddr := startManagement(t, signalAddr)
-
-	wgPort := 0
-	client, err := New(Options{
-		DeviceName:    "embed-rollback-test",
-		SetupKey:      testSetupKey,
-		ManagementURL: "http://" + mgmAddr,
-		WireguardPort: &wgPort,
-	})
-	require.NoError(t, err, "embed client creation must succeed")
-
-	startCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	startErr := make(chan error, 1)
-	go func() {
-		startErr <- client.Start(startCtx)
-	}()
-
-	select {
-	case err := <-startErr:
-		require.ErrorIs(t, err, context.DeadlineExceeded)
-	case <-time.After(60 * time.Second):
-		t.Fatal("client.Start did not return after its context expired: Engine.Stop deadlocked against Engine.Start waiting for the signal stream")
-	}
-}
-
-// startBlackholeSignal starts a gRPC server without the SignalExchange service
-// registered. Connections succeed, but the signal stream can never be
-// established, which keeps Engine.Start parked in WaitStreamConnected.
-func startBlackholeSignal(t *testing.T) string {
-	t.Helper()
-
-	lis, err := net.Listen("tcp", "localhost:0")
-	require.NoError(t, err)
-
-	s := grpc.NewServer()
-	go func() {
-		if err := s.Serve(lis); err != nil {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(s.Stop)
-
-	return lis.Addr().String()
-}
-
-func startManagement(t *testing.T, signalAddr string) string {
-	t.Helper()
-
-	cfg := &config.Config{
-		Stuns:      []*config.Host{},
-		TURNConfig: &config.TURNConfig{},
-		Relay: &config.Relay{
-			Addresses:      []string{"127.0.0.1:1234"},
-			CredentialsTTL: util.Duration{Duration: time.Hour},
-			Secret:         "222222222222222222",
-		},
-		Signal: &config.Host{
-			Proto: "http",
-			URI:   signalAddr,
-		},
-		Datadir:    t.TempDir(),
-		HttpConfig: nil,
-	}
-
-	lis, err := net.Listen("tcp", "localhost:0")
-	require.NoError(t, err)
-
-	s := grpc.NewServer()
-
-	testStore, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", cfg.Datadir)
-	require.NoError(t, err)
-	t.Cleanup(cleanUp)
-
-	eventStore := &activity.InMemoryEventStore{}
-
-	permissionsManager := permissions.NewManager(testStore)
-	peersManager := peers.NewManager(testStore, permissionsManager)
-	jobManager := job.NewJobManager(nil, testStore, peersManager)
-
-	cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100)
-	require.NoError(t, err)
-
-	iv, err := validator.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
-	require.NoError(t, err)
-	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
-	require.NoError(t, err)
-
-	ctrl := gomock.NewController(t)
-	t.Cleanup(ctrl.Finish)
-	settingsMockManager := settings.NewMockManager(ctrl)
-	settingsMockManager.EXPECT().
-		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
-		Return(&types.Settings{}, nil).
-		AnyTimes()
-	settingsMockManager.EXPECT().
-		GetExtraSettings(gomock.Any(), gomock.Any()).
-		Return(&types.ExtraSettings{}, nil).
-		AnyTimes()
-
-	groupsManager := groups.NewManagerMock()
-
-	updateManager := update_channel.NewPeersUpdateManager(metrics)
-	requestBuffer := mgmt.NewAccountRequestBuffer(context.Background(), testStore)
-	networkMapController := controller.NewController(context.Background(), testStore, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(testStore, peersManager), cfg)
-	accountManager, err := mgmt.BuildManager(context.Background(), cfg, testStore, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
-	require.NoError(t, err)
-
-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, cfg.TURNConfig, cfg.Relay, settingsMockManager, groupsManager)
-	require.NoError(t, err)
-
-	mgmtServer, err := nbgrpc.NewServer(cfg, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
-	require.NoError(t, err)
-	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
-
-	go func() {
-		if err := s.Serve(lis); err != nil {
-			t.Error(err)
-		}
-	}()
-	t.Cleanup(s.Stop)
-
-	return lis.Addr().String()
-}

infrastructure_files/configure.sh

@@ -1,6 +1,20 @@
 #!/bin/bash
 set -e
 
+echo "**********************************************************************************"
+echo "* DEPRECATION NOTICE                                                             *"
+echo "*                                                                                *"
+echo "* configure.sh and its templates are deprecated and will be removed in a future  *"
+echo "* release. Use getting-started.sh instead, which now covers multi-container      *"
+echo "* deployments with your own OIDC provider:                                       *"
+echo "*                                                                                *"
+echo "*   ./getting-started.sh                  # interactive wizard                   *"
+echo "*   ./getting-started.sh --non-interactive  # render from setup.env (IaC)        *"
+echo "*                                                                                *"
+echo "* Migration guide: https://docs.netbird.io/selfhosted/selfhosted-guide           *"
+echo "**********************************************************************************"
+echo ""
+
 if ! which curl >/dev/null 2>&1; then
   echo "This script uses curl fetch OpenID configuration from IDP."
   echo "Please install curl and re-run the script https://curl.se/"

infrastructure_files/getting-started-with-dex.sh

@@ -5,6 +5,15 @@ set -e
 # NetBird Getting Started with Dex IDP
 # This script sets up NetBird with Dex as the identity provider
 
+echo "**********************************************************************************"
+echo "* DEPRECATION NOTICE                                                             *"
+echo "*                                                                                *"
+echo "* getting-started-with-dex.sh is deprecated and will be removed in a future      *"
+echo "* release. The built-in identity provider IS Dex, embedded in the NetBird        *"
+echo "* server - no separate container needed. Use getting-started.sh instead.         *"
+echo "**********************************************************************************"
+echo ""
+
 # Sed pattern to strip base64 padding characters
 SED_STRIP_PADDING='s/=//g'
 

infrastructure_files/getting-started-with-zitadel.sh

@@ -2,6 +2,17 @@
 
 set -e
 
+echo "**********************************************************************************"
+echo "* DEPRECATION NOTICE                                                             *"
+echo "*                                                                                *"
+echo "* getting-started-with-zitadel.sh is deprecated and will be removed in a future  *"
+echo "* release. Use getting-started.sh instead: pick the built-in IdP for the         *"
+echo "* simplest setup, or choose 'your own OIDC provider' to connect a Zitadel        *"
+echo "* instance you manage (see                                                       *"
+echo "* https://docs.netbird.io/selfhosted/identity-providers/zitadel).                *"
+echo "**********************************************************************************"
+echo ""
+
 handle_request_command_status() {
   PARSED_RESPONSE=$1
   FUNCTION_NAME=$2

infrastructure_files/setup.env.example

@@ -1,117 +1,111 @@
-## example file, you can copy this file to setup.env and update its values
-##
+# NetBird deployment configuration - example file
+#
+# Copy to setup.env, fill in the values, and render the deployment with:
+#   ./getting-started.sh --non-interactive
+#
+# Running ./getting-started.sh without flags starts an interactive wizard that
+# writes this file for you. Re-rendering from the same file is idempotent, so
+# it is safe to keep setup.env under configuration management (IaC).
+#
+# NOTE: the legacy configure.sh variable set (NETBIRD_TURN_DOMAIN, coturn,
+# per-service ports, NETBIRD_DISABLE_LETSENCRYPT, ...) is deprecated together
+# with configure.sh. See https://docs.netbird.io/selfhosted/selfhosted-guide
 
-# Image tags
-# you can force specific tags for each component; will be set to latest if empty
-NETBIRD_DASHBOARD_TAG=""
-NETBIRD_SIGNAL_TAG=""
-NETBIRD_MANAGEMENT_TAG=""
-COTURN_TAG=""
-NETBIRD_RELAY_TAG=""
-
-# Dashboard domain. e.g. app.mydomain.com
+# Your NetBird domain, e.g. netbird.mydomain.com (required)
 NETBIRD_DOMAIN=""
 
-# TURN server domain. e.g. turn.mydomain.com
-# if not specified it will assume NETBIRD_DOMAIN
-NETBIRD_TURN_DOMAIN=""
+# Deployment architecture:
+#   combined - single netbird-server container (management + signal + relay + STUN)
+#   split    - separate management, signal and relay containers (for scale-out,
+#              required when using your own OIDC provider)
+NETBIRD_ARCHITECTURE="combined"
 
-# TURN server public IP address
-# required for a connection involving peers in
-# the same network as the server and external peers
-# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
-NETBIRD_TURN_EXTERNAL_IP=""
+# Identity provider:
+#   embedded - built-in IdP with local users (simplest)
+#   external - your own OIDC provider (requires NETBIRD_ARCHITECTURE=split)
+NETBIRD_IDP_MODE="embedded"
 
 # -------------------------------------------
-# OIDC
-#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
+# External OIDC provider (NETBIRD_IDP_MODE=external)
+# See https://docs.netbird.io/selfhosted/identity-providers
 # -------------------------------------------
+# e.g. https://keycloak.example.com/realms/netbird/.well-known/openid-configuration
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
-# The default setting is to transmit the audience to the IDP during authorization. However,
-# if your IDP does not have this capability, you can turn this off by setting it to false.
-#NETBIRD_DASH_AUTH_USE_AUDIENCE=false
-NETBIRD_AUTH_AUDIENCE=""
-# e.g. netbird-client
+# OAuth client ID registered for NetBird, e.g. netbird
 NETBIRD_AUTH_CLIENT_ID=""
-# indicates the scopes that will be requested to the IDP
-NETBIRD_AUTH_SUPPORTED_SCOPES=""
-# NETBIRD_AUTH_CLIENT_SECRET is required only by Google workspace.
-# NETBIRD_AUTH_CLIENT_SECRET=""
-# if you want to use a custom claim for the user ID instead of 'sub', set it here
-# NETBIRD_AUTH_USER_ID_CLAIM=""
-# indicates whether to use Auth0 or not: true or false
+# Client secret, only if your IdP requires one (e.g. Google Workspace)
+NETBIRD_AUTH_CLIENT_SECRET=""
+# JWT audience; defaults to the client ID when empty
+NETBIRD_AUTH_AUDIENCE=""
+# Scopes requested from the IdP
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email"
+# Set to true only for Auth0
 NETBIRD_USE_AUTH0="false"
-# if your IDP provider doesn't support fragmented URIs, configure custom
-# redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
-# NETBIRD_AUTH_REDIRECT_URI="/peers"
-# NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
-# Updates the preference to use id tokens instead of access token on dashboard
-# Okta and Gitlab IDPs can benefit from this
-# NETBIRD_TOKEN_SOURCE="idToken"
-# -------------------------------------------
-# OIDC Device Authorization Flow
-# -------------------------------------------
-NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
-NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# Some IDPs requires different audience, scopes and to use id token for device authorization flow
-# you can customize here:
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
-NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
-# -------------------------------------------
-# OIDC PKCE Authorization Flow
-# -------------------------------------------
-# Comma separated port numbers. if already in use, PKCE flow will choose an available port from the list as an alternative
-# eg. 53000,54000
-NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS="53000"
-# -------------------------------------------
-# IDP Management
-# -------------------------------------------
+# Token the dashboard sends to the management API: accessToken or idToken
+# (Okta and GitLab benefit from idToken)
+NETBIRD_TOKEN_SOURCE="accessToken"
+
+# Device authorization flow for headless clients (optional)
+#NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
+
+# IdP management API for user/group sync (optional)
 # eg. zitadel, auth0, azure, keycloak
-NETBIRD_MGMT_IDP="none"
-# Some IDPs requires different client id and client secret for management api
-NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
-NETBIRD_IDP_MGMT_CLIENT_SECRET=""
-# Required when setting up with Keycloak "https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
-# NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT=
-# With some IDPs may be needed enabling automatic refresh of signing keys on expire
-# NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=false
-# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
-# -------------------------------------------
-# Letsencrypt
-# -------------------------------------------
-# Disable letsencrypt
-#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
-NETBIRD_DISABLE_LETSENCRYPT=false
-# e.g. hello@mydomain.com
-NETBIRD_LETSENCRYPT_EMAIL=""
-# -------------------------------------------
-# Extra settings
-# -------------------------------------------
-# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
-NETBIRD_DISABLE_ANONYMOUS_METRICS=false
-# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
-NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
-# Disable default all-to-all policy for new accounts
-NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=false
-# -------------------------------------------
-# Relay settings
-# -------------------------------------------
-# Relay server domain. e.g. relay.mydomain.com
-# if not specified it will assume NETBIRD_DOMAIN
-NETBIRD_RELAY_DOMAIN=""
+#NETBIRD_MGMT_IDP=""
+#NETBIRD_IDP_MGMT_CLIENT_ID=""
+#NETBIRD_IDP_MGMT_CLIENT_SECRET=""
 
-# Relay server connection port. If none is supplied
-# it will default to 33080
-# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
-NETBIRD_RELAY_PORT=""
+# -------------------------------------------
+# Reverse proxy
+# -------------------------------------------
+# 0 = built-in Traefik (automatic TLS via Let's Encrypt)
+# 1 = existing Traefik instance (labels)
+# 2 = Nginx (config template is generated)
+# 3 = Nginx Proxy Manager (advanced config is generated)
+# 4 = external Caddy (Caddyfile snippet is generated)
+# 5 = other/manual
+NETBIRD_REVERSE_PROXY_TYPE="0"
+# Let's Encrypt notification email (required for type 0)
+NETBIRD_TRAEFIK_ACME_EMAIL=""
+# Settings for an existing Traefik instance (type 1)
+NETBIRD_TRAEFIK_EXTERNAL_NETWORK=""
+NETBIRD_TRAEFIK_ENTRYPOINT="websecure"
+NETBIRD_TRAEFIK_CERTRESOLVER=""
+# Bind container ports to 127.0.0.1 only (types 2-5)
+NETBIRD_BIND_LOCALHOST_ONLY="true"
+# Docker network of your reverse proxy, if it runs in Docker (types 2-4)
+NETBIRD_EXTERNAL_PROXY_NETWORK=""
 
-# Management API connecting port. If none is supplied
-# it will default to 33073
-# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
-NETBIRD_MGMT_API_PORT=""
+# -------------------------------------------
+# NetBird Proxy and CrowdSec
+# (combined architecture with built-in Traefik only)
+# -------------------------------------------
+NETBIRD_ENABLE_PROXY="false"
+NETBIRD_ENABLE_CROWDSEC="false"
 
-# Signal service connecting port. If none is supplied
-# it will default to 10000
-# should be updated to match TLS-port of reverse proxy when netbird is running behind reverse proxy
-NETBIRD_SIGNAL_PORT=""
+# -------------------------------------------
+# Datastore
+# -------------------------------------------
+# sqlite or postgres. With postgres and an empty DSN a PostgreSQL container is
+# added to the deployment (split architecture only).
+NETBIRD_STORE_CONFIG_ENGINE="sqlite"
+NETBIRD_STORE_ENGINE_POSTGRES_DSN=""
+NETBIRD_POSTGRES_PASSWORD=""
+
+# -------------------------------------------
+# Secrets
+# Generated automatically on first run and appended to setup.env.
+# Keep them stable across re-renders or peers will lose connectivity.
+# -------------------------------------------
+NETBIRD_RELAY_AUTH_SECRET=""
+NETBIRD_DATASTORE_ENC_KEY=""
+
+# -------------------------------------------
+# Docker image overrides (optional)
+# -------------------------------------------
+#DASHBOARD_IMAGE="netbirdio/dashboard:latest"
+#NETBIRD_SERVER_IMAGE="netbirdio/netbird-server:latest"
+#MANAGEMENT_IMAGE="netbirdio/management:latest"
+#SIGNAL_IMAGE="netbirdio/signal:latest"
+#RELAY_IMAGE="netbirdio/relay:latest"
+#POSTGRES_IMAGE="postgres:16-alpine"
+#TRAEFIK_IMAGE="traefik:v3.6"

infrastructure_files/tests/test-render.sh

@@ -0,0 +1,196 @@
+#!/bin/bash
+# Render-validation tests for getting-started.sh.
+# Runs the script in --non-interactive --render-only mode for every supported
+# architecture / IdP / reverse-proxy combination and validates the generated
+# files. Requires jq; uses `docker compose config` when docker is available.
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+GETTING_STARTED="$SCRIPT_DIR/../getting-started.sh"
+WORK_DIR=$(mktemp -d)
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+FAILURES=0
+
+compose_validate() {
+  if docker compose version &>/dev/null; then
+    docker compose -f "$1" config -q
+    return $?
+  fi
+  if command -v docker-compose &>/dev/null; then
+    docker-compose -f "$1" config -q
+    return $?
+  fi
+  # Without docker fall back to a structural sanity check
+  grep -q "^services:" "$1"
+  return $?
+}
+
+write_oidc_fixture() {
+  # A file:// OpenID discovery document stands in for a real IdP
+  cat > "$1" <<EOF
+{
+  "issuer": "https://idp.example.org/realms/netbird",
+  "authorization_endpoint": "https://idp.example.org/realms/netbird/protocol/openid-connect/auth",
+  "token_endpoint": "https://idp.example.org/realms/netbird/protocol/openid-connect/token",
+  "jwks_uri": "https://idp.example.org/realms/netbird/protocol/openid-connect/certs",
+  "device_authorization_endpoint": "https://idp.example.org/realms/netbird/protocol/openid-connect/auth/device"
+}
+EOF
+}
+
+run_case() {
+  local name="$1"
+  shift
+  local expected_files=("$@")
+  local case_dir="$WORK_DIR/$name"
+  mkdir -p "$case_dir"
+
+  # setup.env content is provided on stdin
+  cat > "$case_dir/setup.env"
+
+  echo "--- case: $name"
+  if ! (cd "$case_dir" && bash "$GETTING_STARTED" --non-interactive --render-only > render.log 2>&1); then
+    echo "FAIL($name): render exited non-zero"
+    tail -5 "$case_dir/render.log" | sed 's/^/    /'
+    FAILURES=$((FAILURES + 1))
+    return 0
+  fi
+
+  for f in "${expected_files[@]}"; do
+    if [[ ! -f "$case_dir/$f" ]]; then
+      echo "FAIL($name): expected file $f was not generated"
+      FAILURES=$((FAILURES + 1))
+    fi
+  done
+
+  if [[ -f "$case_dir/management.json" ]] && ! jq . "$case_dir/management.json" > /dev/null; then
+    echo "FAIL($name): management.json is not valid JSON"
+    FAILURES=$((FAILURES + 1))
+  fi
+
+  if [[ -f "$case_dir/docker-compose.yml" ]] && ! compose_validate "$case_dir/docker-compose.yml"; then
+    echo "FAIL($name): docker-compose.yml failed validation"
+    FAILURES=$((FAILURES + 1))
+  fi
+
+  # Re-rendering from the persisted setup.env must be byte-identical (idempotent)
+  local checksums_before checksums_after
+  checksums_before=$(cd "$case_dir" && sha256sum docker-compose.yml dashboard.env config.yaml management.json 2>/dev/null || true)
+  if ! (cd "$case_dir" && bash "$GETTING_STARTED" --non-interactive --render-only > render2.log 2>&1); then
+    echo "FAIL($name): re-render exited non-zero"
+    FAILURES=$((FAILURES + 1))
+    return 0
+  fi
+  checksums_after=$(cd "$case_dir" && sha256sum docker-compose.yml dashboard.env config.yaml management.json 2>/dev/null || true)
+  if [[ "$checksums_before" != "$checksums_after" ]]; then
+    echo "FAIL($name): re-render from setup.env is not idempotent"
+    FAILURES=$((FAILURES + 1))
+  fi
+  return 0
+}
+
+OIDC_FIXTURE="$WORK_DIR/openid-configuration-fixture.json"
+write_oidc_fixture "$OIDC_FIXTURE"
+
+run_case combined-embedded-traefik docker-compose.yml config.yaml dashboard.env <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_ARCHITECTURE="combined"
+NETBIRD_IDP_MODE="embedded"
+NETBIRD_REVERSE_PROXY_TYPE="0"
+NETBIRD_TRAEFIK_ACME_EMAIL="admin@example.org"
+EOF
+
+run_case combined-embedded-nginx docker-compose.yml config.yaml dashboard.env nginx-netbird.conf <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_ARCHITECTURE="combined"
+NETBIRD_IDP_MODE="embedded"
+NETBIRD_REVERSE_PROXY_TYPE="2"
+EOF
+
+run_case split-embedded-traefik docker-compose.yml management.json dashboard.env <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_ARCHITECTURE="split"
+NETBIRD_IDP_MODE="embedded"
+NETBIRD_REVERSE_PROXY_TYPE="0"
+NETBIRD_TRAEFIK_ACME_EMAIL="admin@example.org"
+EOF
+
+run_case split-embedded-external-traefik docker-compose.yml management.json dashboard.env <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_ARCHITECTURE="split"
+NETBIRD_IDP_MODE="embedded"
+NETBIRD_REVERSE_PROXY_TYPE="1"
+NETBIRD_TRAEFIK_ENTRYPOINT="websecure"
+NETBIRD_TRAEFIK_CERTRESOLVER="letsencrypt"
+EOF
+
+run_case split-external-nginx-postgres docker-compose.yml management.json dashboard.env nginx-netbird.conf <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_ARCHITECTURE="split"
+NETBIRD_IDP_MODE="external"
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="file://$OIDC_FIXTURE"
+NETBIRD_AUTH_CLIENT_ID="netbird"
+NETBIRD_AUTH_CLIENT_SECRET="some-secret"
+NETBIRD_REVERSE_PROXY_TYPE="2"
+NETBIRD_STORE_CONFIG_ENGINE="postgres"
+EOF
+
+run_case split-external-manual docker-compose.yml management.json dashboard.env <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_ARCHITECTURE="split"
+NETBIRD_IDP_MODE="external"
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="file://$OIDC_FIXTURE"
+NETBIRD_AUTH_CLIENT_ID="netbird"
+NETBIRD_REVERSE_PROXY_TYPE="5"
+NETBIRD_BIND_LOCALHOST_ONLY="false"
+EOF
+
+# Auto-forced split must be accepted when no architecture is given with external IdP
+run_case split-external-defaulted docker-compose.yml management.json dashboard.env <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_IDP_MODE="external"
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="file://$OIDC_FIXTURE"
+NETBIRD_AUTH_CLIENT_ID="netbird"
+NETBIRD_REVERSE_PROXY_TYPE="5"
+EOF
+
+# Invalid combination must fail: combined + external IdP
+echo "--- case: combined-external-rejected"
+REJECT_DIR="$WORK_DIR/combined-external-rejected"
+mkdir -p "$REJECT_DIR"
+cat > "$REJECT_DIR/setup.env" <<EOF
+NETBIRD_DOMAIN="netbird.example.org"
+NETBIRD_ARCHITECTURE="combined"
+NETBIRD_IDP_MODE="external"
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="file://$OIDC_FIXTURE"
+NETBIRD_AUTH_CLIENT_ID="netbird"
+NETBIRD_REVERSE_PROXY_TYPE="5"
+EOF
+if (cd "$REJECT_DIR" && bash "$GETTING_STARTED" --non-interactive --render-only > render.log 2>&1); then
+  echo "FAIL(combined-external-rejected): combined + external IdP was not rejected"
+  FAILURES=$((FAILURES + 1))
+fi
+
+# Spot-check rendered content
+SPLIT_EXT="$WORK_DIR/split-external-nginx-postgres"
+if [[ -f "$SPLIT_EXT/management.json" ]]; then
+  [[ $(jq -r '.HttpConfig.AuthIssuer' "$SPLIT_EXT/management.json") == "https://idp.example.org/realms/netbird" ]] || { echo "FAIL: external AuthIssuer mismatch"; FAILURES=$((FAILURES + 1)); }
+  [[ $(jq -r '.EmbeddedIdP' "$SPLIT_EXT/management.json") == "null" ]] || { echo "FAIL: external mode must not configure EmbeddedIdP"; FAILURES=$((FAILURES + 1)); }
+  [[ $(jq -r '.StoreConfig.Engine' "$SPLIT_EXT/management.json") == "postgres" ]] || { echo "FAIL: postgres engine not set"; FAILURES=$((FAILURES + 1)); }
+  grep -q "postgres:" "$SPLIT_EXT/docker-compose.yml" || { echo "FAIL: postgres container missing"; FAILURES=$((FAILURES + 1)); }
+fi
+
+SPLIT_EMB="$WORK_DIR/split-embedded-traefik"
+if [[ -f "$SPLIT_EMB/management.json" ]]; then
+  [[ $(jq -r '.EmbeddedIdP.Enabled' "$SPLIT_EMB/management.json") == "true" ]] || { echo "FAIL: embedded IdP not enabled in split mode"; FAILURES=$((FAILURES + 1)); }
+  [[ $(jq -r '.Relay.Addresses[0]' "$SPLIT_EMB/management.json") == "rels://netbird.example.org:443" ]] || { echo "FAIL: relay address mismatch"; FAILURES=$((FAILURES + 1)); }
+fi
+
+echo ""
+if [[ $FAILURES -gt 0 ]]; then
+  echo "$FAILURES test(s) failed"
+  exit 1
+fi
+echo "All render tests passed"

management/internals/modules/reverseproxy/service/manager/l4_port_test.go

@@ -488,195 +488,6 @@ func TestUpdate_AllowsPortChange(t *testing.T) {
 	assert.Equal(t, uint16(54321), updated.ListenPort, "explicit port change should be applied")
 }
 
-func TestUpdate_PreservesPortWhenCustomPortsNotSupported(t *testing.T) {
-	mgr, testStore, _ := setupL4Test(t, boolPtr(false))
-	ctx := context.Background()
-
-	existing := seedService(t, testStore, "tcp-svc", "tcp", testCluster, testCluster, 12345)
-
-	updated := &rpservice.Service{
-		ID:           existing.ID,
-		AccountID:    testAccountID,
-		Name:         "tcp-svc-renamed",
-		Mode:         "tcp",
-		Domain:       testCluster,
-		ProxyCluster: testCluster,
-		ListenPort:   0,
-		Enabled:      true,
-		Targets: []*rpservice.Target{
-			{AccountID: testAccountID, TargetId: testPeerID, TargetType: rpservice.TargetTypePeer, Protocol: "tcp", Port: 9090, Enabled: true},
-		},
-	}
-
-	_, err := mgr.persistServiceUpdate(ctx, testAccountID, updated)
-	require.NoError(t, err, "update must not be rejected by the custom-port capability check")
-	assert.Equal(t, uint16(12345), updated.ListenPort, "existing listen port should be preserved on unsupported cluster")
-}
-
-func TestUpdate_PreservesPortWhenCustomPortsUnknown(t *testing.T) {
-	mgr, testStore, _ := setupL4Test(t, nil)
-	ctx := context.Background()
-
-	existing := seedService(t, testStore, "tcp-svc", "tcp", testCluster, testCluster, 12345)
-
-	updated := &rpservice.Service{
-		ID:           existing.ID,
-		AccountID:    testAccountID,
-		Name:         "tcp-svc-renamed",
-		Mode:         "tcp",
-		Domain:       testCluster,
-		ProxyCluster: testCluster,
-		ListenPort:   0,
-		Enabled:      true,
-		Targets: []*rpservice.Target{
-			{AccountID: testAccountID, TargetId: testPeerID, TargetType: rpservice.TargetTypePeer, Protocol: "tcp", Port: 9090, Enabled: true},
-		},
-	}
-
-	_, err := mgr.persistServiceUpdate(ctx, testAccountID, updated)
-	require.NoError(t, err, "update must not be rejected when cluster capability is unknown")
-	assert.Equal(t, uint16(12345), updated.ListenPort, "existing listen port should be preserved when capability is unknown")
-}
-
-func TestUpdate_RejectsPortChangeWhenCustomPortsNotSupported(t *testing.T) {
-	mgr, testStore, _ := setupL4Test(t, boolPtr(false))
-	ctx := context.Background()
-
-	existing := seedService(t, testStore, "tcp-svc", "tcp", testCluster, testCluster, 12345)
-
-	updated := &rpservice.Service{
-		ID:           existing.ID,
-		AccountID:    testAccountID,
-		Name:         "tcp-svc",
-		Mode:         "tcp",
-		Domain:       testCluster,
-		ProxyCluster: testCluster,
-		ListenPort:   54321,
-		Enabled:      true,
-		Targets: []*rpservice.Target{
-			{AccountID: testAccountID, TargetId: testPeerID, TargetType: rpservice.TargetTypePeer, Protocol: "tcp", Port: 9090, Enabled: true},
-		},
-	}
-
-	_, err := mgr.persistServiceUpdate(ctx, testAccountID, updated)
-	require.Error(t, err, "explicit port change on update must be rejected on unsupported clusters")
-	assert.Contains(t, err.Error(), "custom ports not supported on target cluster")
-}
-
-func TestUpdate_TLSPortChangeAllowedWhenNotSupported(t *testing.T) {
-	mgr, testStore, _ := setupL4Test(t, boolPtr(false))
-	ctx := context.Background()
-
-	existing := seedService(t, testStore, "tls-svc", "tls", "app.example.com", testCluster, 443)
-
-	updated := &rpservice.Service{
-		ID:           existing.ID,
-		AccountID:    testAccountID,
-		Name:         "tls-svc",
-		Mode:         "tls",
-		Domain:       "app.example.com",
-		ProxyCluster: testCluster,
-		ListenPort:   9999,
-		Enabled:      true,
-		Targets: []*rpservice.Target{
-			{AccountID: testAccountID, TargetId: testPeerID, TargetType: rpservice.TargetTypePeer, Protocol: "tcp", Port: 8443, Enabled: true},
-		},
-	}
-
-	_, err := mgr.persistServiceUpdate(ctx, testAccountID, updated)
-	require.NoError(t, err, "TLS port change uses SNI routing and is exempt from the custom-port check")
-	assert.Equal(t, uint16(9999), updated.ListenPort, "TLS port change should be applied")
-}
-
-func TestValidateL4PortDiffOnClusterDiff(t *testing.T) {
-	tests := []struct {
-		name        string
-		mode        string
-		customPorts *bool
-		newPort     uint16
-		oldPort     uint16
-		wantErr     bool
-	}{
-		{"tcp port change unsupported", "tcp", boolPtr(false), 54321, 12345, true},
-		{"tcp port change unknown capability", "tcp", nil, 54321, 12345, true},
-		{"udp port change unsupported", "udp", boolPtr(false), 54321, 12345, true},
-		{"tcp first port assignment unsupported", "tcp", boolPtr(false), 54321, 0, true},
-		{"tcp port change supported", "tcp", boolPtr(true), 54321, 12345, false},
-		{"tcp port unchanged unsupported", "tcp", boolPtr(false), 12345, 12345, false},
-		{"tcp zero port unsupported", "tcp", boolPtr(false), 0, 12345, false},
-		{"tls port change unsupported", "tls", boolPtr(false), 9999, 443, false},
-		{"http mode ignored", "http", boolPtr(false), 54321, 12345, false},
-		{"empty mode ignored", "", boolPtr(false), 54321, 12345, false},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			newSvc := &rpservice.Service{Mode: tc.mode, ListenPort: tc.newPort, ProxyCluster: testCluster}
-			oldSvc := &rpservice.Service{Mode: tc.mode, ListenPort: tc.oldPort, ProxyCluster: testCluster}
-
-			err := validateL4PortDiffOnClusterDiff(tc.customPorts, newSvc, oldSvc)
-			if tc.wantErr {
-				assert.Error(t, err, "port diff should be rejected for %s", tc.name)
-			} else {
-				assert.NoError(t, err, "port diff should be allowed for %s", tc.name)
-			}
-		})
-	}
-}
-
-func TestUpdate_PortConflictRejected(t *testing.T) {
-	mgr, testStore, _ := setupL4Test(t, boolPtr(true))
-	ctx := context.Background()
-
-	seedService(t, testStore, "tcp-a", "tcp", "tcp-a."+testCluster, testCluster, 5432)
-	svcB := seedService(t, testStore, "tcp-b", "tcp", "tcp-b."+testCluster, testCluster, 6543)
-
-	updated := &rpservice.Service{
-		ID:           svcB.ID,
-		AccountID:    testAccountID,
-		Name:         "tcp-b",
-		Mode:         "tcp",
-		Domain:       "tcp-b." + testCluster,
-		ProxyCluster: testCluster,
-		ListenPort:   5432,
-		Enabled:      true,
-		Targets: []*rpservice.Target{
-			{AccountID: testAccountID, TargetId: testPeerID, TargetType: rpservice.TargetTypePeer, Protocol: "tcp", Port: 9090, Enabled: true},
-		},
-	}
-
-	_, err := mgr.persistServiceUpdate(ctx, testAccountID, updated)
-	require.Error(t, err, "updating to a port held by another service should be rejected")
-	assert.Contains(t, err.Error(), "already in use")
-}
-
-func TestUpdate_AutoAssignsWhenNoPort(t *testing.T) {
-	mgr, testStore, _ := setupL4Test(t, boolPtr(false))
-	ctx := context.Background()
-
-	existing := seedService(t, testStore, "tcp-svc", "tcp", testCluster, testCluster, 0)
-
-	updated := &rpservice.Service{
-		ID:           existing.ID,
-		AccountID:    testAccountID,
-		Name:         "tcp-svc",
-		Mode:         "tcp",
-		Domain:       testCluster,
-		ProxyCluster: testCluster,
-		ListenPort:   0,
-		Enabled:      true,
-		Targets: []*rpservice.Target{
-			{AccountID: testAccountID, TargetId: testPeerID, TargetType: rpservice.TargetTypePeer, Protocol: "tcp", Port: 9090, Enabled: true},
-		},
-	}
-
-	_, err := mgr.persistServiceUpdate(ctx, testAccountID, updated)
-	require.NoError(t, err)
-	assert.True(t, updated.ListenPort >= autoAssignPortMin && updated.ListenPort <= autoAssignPortMax,
-		"auto-assigned port %d should be in range [%d, %d]", updated.ListenPort, autoAssignPortMin, autoAssignPortMax)
-	assert.True(t, updated.PortAutoAssigned, "PortAutoAssigned should be set when update triggers auto-assignment")
-}
-
 func TestCreateServiceFromPeer_TCP(t *testing.T) {
 	mgr, _, _ := setupL4Test(t, boolPtr(false))
 	ctx := context.Background()

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -338,7 +338,7 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 			}
 		}
 
-		if err := m.ensureL4Port(ctx, transaction, svc, customPorts, false); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
 			return err
 		}
 
@@ -367,11 +367,11 @@ func (m *Manager) clusterCustomPorts(ctx context.Context, svc *service.Service)
 
 // ensureL4Port auto-assigns a listen port when needed and validates cluster support.
 // customPorts must be pre-computed via clusterCustomPorts before entering a transaction.
-func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service, customPorts *bool, serviceUpdate bool) error {
+func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service, customPorts *bool) error {
 	if !service.IsL4Protocol(svc.Mode) {
 		return nil
 	}
-	if service.IsPortBasedProtocol(svc.Mode) && svc.ListenPort > 0 && !serviceUpdate && (customPorts == nil || !*customPorts) {
+	if service.IsPortBasedProtocol(svc.Mode) && svc.ListenPort > 0 && (customPorts == nil || !*customPorts) {
 		if svc.Source != service.SourceEphemeral {
 			return status.Errorf(status.InvalidArgument, "custom ports not supported on cluster %s", svc.ProxyCluster)
 		}
@@ -465,7 +465,7 @@ func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, pee
 			return err
 		}
 
-		if err := m.ensureL4Port(ctx, transaction, svc, customPorts, false); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
 			return err
 		}
 
@@ -651,22 +651,12 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	m.preserveListenPort(service, existingService)
 	updateInfo.serviceEnabledChanged = existingService.Enabled != service.Enabled
 
-	// if the service is being updated, and we decide in the future to allow mode update,
-	// we should reconsider the currently assigned port if not 0 for clusters that don't support custom ports
-	if err := validateL4PortDiffOnClusterDiff(customPorts, service, existingService); err != nil {
+	if err := m.ensureL4Port(ctx, transaction, service, customPorts); err != nil {
 		return err
 	}
-
-	if err := m.ensureL4Port(ctx, transaction, service, customPorts, true); err != nil {
-		return err
-	}
-
-	// we can try carrying the previous service port into a new cluster, if this becomes a problem for multiple users,
-	// we should reconsider adding another check
 	if err := m.checkPortConflict(ctx, transaction, service); err != nil {
 		return err
 	}
-
 	if err := transaction.UpdateService(ctx, service); err != nil {
 		return fmt.Errorf("update service: %w", err)
 	}
@@ -674,21 +664,6 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	return nil
 }
 
-// validateL4PortDiffOnClusterDiff checks if custom L4 ports are configured and validates port changes across clusters.
-// It ensures no port changes if custom ports are unsupported for a given cluster and protocol mode.
-// Returns an error if validation fails, otherwise returns nil.
-func validateL4PortDiffOnClusterDiff(customPorts *bool, newSVC, oldSVC *service.Service) error {
-	if !service.IsPortBasedProtocol(newSVC.Mode) || (customPorts != nil && *customPorts) {
-		return nil
-	}
-
-	if newSVC.ListenPort != 0 && newSVC.ListenPort != oldSVC.ListenPort {
-		return status.Errorf(status.InvalidArgument, "custom ports not supported on target cluster %s", newSVC.ProxyCluster)
-	}
-
-	return nil
-}
-
 // handleDomainChange validates the new domain is free inside the transaction
 // and applies the pre-resolved cluster (computed outside the tx by
 // resolveEffectiveCluster). It must NOT call clusterDeriver here: that talks

management/internals/shared/grpc/conversion.go

@@ -8,8 +8,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/hashicorp/go-version"
-	nbversion "github.com/netbirdio/netbird/version"
 	log "github.com/sirupsen/logrus"
 	goproto "google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -30,23 +28,6 @@ import (
 	"github.com/netbirdio/netbird/shared/sshauth"
 )
 
-const (
-	// deprecatedRemotePeersVersion is the version of Netbird that introduced the NetworkMap.RemotePeers field, deprecated in favor of RemotePeers.
-	deprecatedRemotePeersVersion = "0.29.3"
-)
-
-// precomputedDeprecatedRemotePeersConstraint is the parsed ">= 0.29.3" constraint,
-// built once at init since the bound is a compile-time constant.
-var precomputedDeprecatedRemotePeersConstraint version.Constraints
-
-func init() {
-	constraint, err := version.NewConstraint(">= " + deprecatedRemotePeersVersion)
-	if err != nil {
-		panic("parse deprecated remote peers version constraint: " + err.Error())
-	}
-	precomputedDeprecatedRemotePeersConstraint = constraint
-}
-
 func toNetbirdConfig(config *nbconfig.Config, turnCredentials *Token, relayToken *Token, extraSettings *types.ExtraSettings) *proto.NetbirdConfig {
 	if config == nil {
 		return nil
@@ -174,11 +155,7 @@ func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nb
 
 	remotePeers := make([]*proto.RemotePeerConfig, 0, len(networkMap.Peers)+len(networkMap.OfflinePeers))
 	remotePeers = appendRemotePeerConfig(remotePeers, networkMap.Peers, dnsName, includeIPv6)
-
-	if !shouldSkipSendingDeprecatedRemotePeers(peer.Meta.WtVersion) {
-		response.RemotePeers = remotePeers
-	}
-
+	response.RemotePeers = remotePeers
 	response.NetworkMap.RemotePeers = remotePeers
 	response.RemotePeersIsEmpty = len(remotePeers) == 0
 	response.NetworkMap.RemotePeersIsEmpty = response.RemotePeersIsEmpty
@@ -269,19 +246,6 @@ func buildAuthorizedUsersProto(ctx context.Context, authorizedUsers map[string]m
 	return hashedUsers, machineUsers
 }
 
-func shouldSkipSendingDeprecatedRemotePeers(peerVersion string) bool {
-	if nbversion.IsDevelopmentVersion(peerVersion) {
-		return true
-	}
-
-	peerNBVersion, err := version.NewVersion(peerVersion)
-	if err != nil {
-		return false
-	}
-
-	return precomputedDeprecatedRemotePeersConstraint.Check(peerNBVersion)
-}
-
 func appendRemotePeerConfig(dst []*proto.RemotePeerConfig, peers []*nbpeer.Peer, dnsName string, includeIPv6 bool) []*proto.RemotePeerConfig {
 	for _, rPeer := range peers {
 		allowedIPs := []string{rPeer.IP.String() + "/32"}
@@ -399,6 +363,7 @@ func toProtocolFirewallRules(rules []*types.FirewallRule, includeIPv6, useSource
 	return result
 }
 
+
 // populateSourcePrefixes sets SourcePrefixes on fwRule and returns any
 // additional rules needed (e.g. a v6 wildcard clone when the peer IP is unspecified).
 func populateSourcePrefixes(fwRule *proto.FirewallRule, rule *types.FirewallRule, includeIPv6 bool) []*proto.FirewallRule {

management/internals/shared/grpc/conversion_test.go

@@ -202,42 +202,6 @@ func TestBuildJWTConfig_Audiences(t *testing.T) {
 	}
 }
 
-// TestShouldSkipSendingDeprecatedRemotePeers covers the version gate that
-// stops populating the deprecated top-level SyncResponse.RemotePeers field for
-// peers new enough to read RemotePeers off the NetworkMap. Development builds
-// are treated as latest and skip the field. The gate otherwise fails safe: a
-// release version older than the boundary, or one that can't be parsed (empty,
-// garbage, prereleases of the boundary) still receives the deprecated field so
-// older/unknown clients keep working.
-func TestShouldSkipSendingDeprecatedRemotePeers(t *testing.T) {
-	tests := []struct {
-		name        string
-		peerVersion string
-		wantSkip    bool
-	}{
-		{"exact boundary skips", "0.29.3", true},
-		{"newer patch skips", "0.29.4", true},
-		{"newer minor skips", "0.30.0", true},
-		{"newer major skips", "1.0.0", true},
-		{"v-prefixed newer skips", "v0.30.0", true},
-		{"development build skips", "development", true},
-		{"development build with commit skips", "development-abc123def456-dirty", true},
-		{"older patch keeps field", "0.29.2", false},
-		{"older minor keeps field", "0.28.0", false},
-		{"prerelease of boundary keeps field", "0.29.3-SNAPSHOT", false},
-		{"tagged dev prerelease keeps field", "v0.31.1-dev", false},
-		{"empty version keeps field", "", false},
-		{"garbage version keeps field", "not-a-version", false},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := shouldSkipSendingDeprecatedRemotePeers(tc.peerVersion)
-			assert.Equal(t, tc.wantSkip, got, "skip decision for peer version %q", tc.peerVersion)
-		})
-	}
-}
-
 // TestEncodeSessionExpiresAt pins the wire encoding the client's
 // applySessionDeadline depends on:
 //

shared/management/client/client_test.go

@@ -322,21 +322,15 @@ func TestClient_Sync(t *testing.T) {
 		if resp.GetNetbirdConfig() == nil {
 			t.Error("expecting non nil NetbirdConfig got nil")
 		}
-		// we test network map peers from 0.29.3 and dev builds
-		if len(resp.GetRemotePeers()) != 0 {
-			t.Error("expecting top-level RemotePeers to be empty for v0.29.3+ clients")
-		}
-		networkMap := resp.GetNetworkMap()
-		if len(networkMap.GetRemotePeers()) != 1 {
-			t.Errorf("expecting RemotePeers size %d got %d", 1, len(networkMap.GetRemotePeers()))
+		if len(resp.GetRemotePeers()) != 1 {
+			t.Errorf("expecting RemotePeers size %d got %d", 1, len(resp.GetRemotePeers()))
 			return
 		}
-
-		if networkMap.GetRemotePeersIsEmpty() {
+		if resp.GetRemotePeersIsEmpty() == true {
 			t.Error("expecting RemotePeers property to be false, got true")
 		}
-		if networkMap.GetRemotePeers()[0].GetWgPubKey() != remoteKey.PublicKey().String() {
-			t.Errorf("expecting RemotePeer public key %s got %s", remoteKey.PublicKey().String(), networkMap.GetRemotePeers()[0].GetWgPubKey())
+		if resp.GetRemotePeers()[0].GetWgPubKey() != remoteKey.PublicKey().String() {
+			t.Errorf("expecting RemotePeer public key %s got %s", remoteKey.PublicKey().String(), resp.GetRemotePeers()[0].GetWgPubKey())
 		}
 	case <-time.After(3 * time.Second):
 		t.Error("timeout waiting for test to finish")