# NetBird deployment configuration - example file # # Copy to setup.env, fill in the values, and render the deployment with: # ./getting-started.sh --non-interactive # # Running ./getting-started.sh without flags starts an interactive wizard that # writes this file for you. Re-rendering from the same file is idempotent, so # it is safe to keep setup.env under configuration management (IaC). # # NOTE: the legacy configure.sh variable set (NETBIRD_TURN_DOMAIN, coturn, # per-service ports, NETBIRD_DISABLE_LETSENCRYPT, ...) is deprecated together # with configure.sh. See https://docs.netbird.io/selfhosted/selfhosted-guide # Your NetBird domain, e.g. netbird.mydomain.com (required) NETBIRD_DOMAIN="" # Deployment architecture: # combined - single netbird-server container (management + signal + relay + STUN) # split - separate management, signal and relay containers (for scale-out, # required when using your own OIDC provider) NETBIRD_ARCHITECTURE="combined" # Identity provider: # embedded - built-in IdP with local users (simplest) # external - your own OIDC provider (requires NETBIRD_ARCHITECTURE=split) NETBIRD_IDP_MODE="embedded" # ------------------------------------------- # External OIDC provider (NETBIRD_IDP_MODE=external) # See https://docs.netbird.io/selfhosted/identity-providers # ------------------------------------------- # e.g. https://keycloak.example.com/realms/netbird/.well-known/openid-configuration NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="" # OAuth client ID registered for NetBird, e.g. netbird NETBIRD_AUTH_CLIENT_ID="" # Client secret, only if your IdP requires one (e.g. Google Workspace) NETBIRD_AUTH_CLIENT_SECRET="" # JWT audience; defaults to the client ID when empty NETBIRD_AUTH_AUDIENCE="" # Scopes requested from the IdP NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email" # Set to true only for Auth0 NETBIRD_USE_AUTH0="false" # Token the dashboard sends to the management API: accessToken or idToken # (Okta and GitLab benefit from idToken) NETBIRD_TOKEN_SOURCE="accessToken" # Device authorization flow for headless clients (optional) #NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="" # IdP management API for user/group sync (optional) # eg. zitadel, auth0, azure, keycloak #NETBIRD_MGMT_IDP="" # Enable IdP signing-key refresh when required by your provider (e.g. Zitadel) #NETBIRD_MGMT_IDP_SIGNKEY_REFRESH="false" #NETBIRD_IDP_MGMT_CLIENT_ID="" #NETBIRD_IDP_MGMT_CLIENT_SECRET="" # Provider-specific IdP-manager settings (converted to ExtraConfig CamelCase keys) # e.g. Keycloak AdminEndpoint, Zitadel ManagementEndpoint, PocketID ApiToken #NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT="" #NETBIRD_IDP_MGMT_EXTRA_MANAGEMENT_ENDPOINT="" #NETBIRD_IDP_MGMT_EXTRA_API_TOKEN="" # ------------------------------------------- # Reverse proxy # ------------------------------------------- # 0 = built-in Traefik (automatic TLS via Let's Encrypt) # 1 = existing Traefik instance (labels) # 2 = Nginx (config template is generated) # 3 = Nginx Proxy Manager (advanced config is generated) # 4 = external Caddy (Caddyfile snippet is generated) # 5 = other/manual NETBIRD_REVERSE_PROXY_TYPE="0" # Let's Encrypt notification email (required for type 0) NETBIRD_TRAEFIK_ACME_EMAIL="" # Settings for an existing Traefik instance (type 1) NETBIRD_TRAEFIK_EXTERNAL_NETWORK="" NETBIRD_TRAEFIK_ENTRYPOINT="websecure" NETBIRD_TRAEFIK_CERTRESOLVER="" # Bind container ports to 127.0.0.1 only (types 2-5) NETBIRD_BIND_LOCALHOST_ONLY="true" # Docker network of your reverse proxy, if it runs in Docker (types 2-4) NETBIRD_EXTERNAL_PROXY_NETWORK="" # ------------------------------------------- # NetBird Proxy and CrowdSec # (combined architecture with built-in Traefik only) # ------------------------------------------- NETBIRD_ENABLE_PROXY="false" NETBIRD_ENABLE_CROWDSEC="false" # ------------------------------------------- # Datastore # ------------------------------------------- # sqlite or postgres. With postgres and an empty DSN a PostgreSQL container is # added to the deployment (split architecture only). NETBIRD_STORE_CONFIG_ENGINE="sqlite" NETBIRD_STORE_ENGINE_POSTGRES_DSN="" NETBIRD_POSTGRES_PASSWORD="" # ------------------------------------------- # Secrets # Generated automatically on first run and appended to setup.env. # Keep them stable across re-renders or peers will lose connectivity. # ------------------------------------------- NETBIRD_RELAY_AUTH_SECRET="" NETBIRD_DATASTORE_ENC_KEY="" # ------------------------------------------- # Docker image overrides (optional) # ------------------------------------------- #DASHBOARD_IMAGE="netbirdio/dashboard:latest" #NETBIRD_SERVER_IMAGE="netbirdio/netbird-server:latest" #MANAGEMENT_IMAGE="netbirdio/management:latest" #SIGNAL_IMAGE="netbirdio/signal:latest" #RELAY_IMAGE="netbirdio/relay:latest" #POSTGRES_IMAGE="postgres:16-alpine" #TRAEFIK_IMAGE="traefik:v3.6"