netbird/client/ui-wails/frontend/settings.md

# Settings — Tabs & Controls

Each row has a title and short description. Booleans default to **toggle switch**; pick another control only when noted.

Tab order: **General · Network · Security · SSH · Advanced · Troubleshooting · About**.

---

## 1. General

App behavior + how the client connects.

### General

- **Connect on startup** — `disableAutoConnect` (inverted) · *toggle switch*
  - Automatically connect to NetBird when the app launches.
- **Show notifications** — `disableNotifications` (inverted) · *toggle switch*
  - Show desktop notifications for connection events and updates.

### Connection

- **Management Server** — `managementUrl` · *label + help text + (text input next to inline Save button)*
  - Help text sits between the label and the input. The NetBird management server this client connects to; saving reconnects to apply the new server. Save button persists explicitly (in addition to the global debounced auto-save) since changing the server triggers a reconnect.

---

## 2. Network

Routing and DNS — how the daemon reaches peers and resolves names.

### Connectivity

- **Lazy connections** — `lazyConnectionEnabled` · *toggle switch*
  - Only establish peer tunnels on first traffic instead of eagerly at startup.
- **Network monitor** — `networkMonitor` · *toggle switch*
  - Reconnect automatically when the host network changes (Wi-Fi switch, VPN, sleep/wake).

### Routing & DNS

- **Enable DNS** — `disableDns` (inverted) · *toggle switch*
  - Apply NetBird-managed DNS settings to the host resolver.
- **Enable client routes** — `disableClientRoutes` (inverted) · *toggle switch*
  - Accept routes advertised by other peers so this client can reach their networks.
- **Enable server routes** — `disableServerRoutes` (inverted) · *toggle switch*
  - Advertise this host's local routes to other peers.

---

## 3. Security

Firewall and on-the-wire encryption — what's blocked and how the tunnel is protected.

### Firewall

- **Block inbound traffic** — `blockInbound` · *toggle switch*
  - Drop all unsolicited inbound traffic on the NetBird interface.
- **Block LAN access** — `blockLanAccess` · *toggle switch*
  - Prevent peers from reaching this host's local network.

### Encryption

- **Quantum-resistant encryption** — `rosenpassEnabled` · *toggle switch*
  - Add a post-quantum key exchange (Rosenpass) on top of WireGuard.
  - **Permissive mode** — `rosenpassPermissive` · *toggle switch* (nested, only when above is on)
    - Allow connections to peers without quantum-resistance support.

---

## 4. SSH

NetBird SSH server config. Master switch at the top; sub-toggles greyed out when the master is off.

### Server

- **Allow SSH** — `serverSshAllowed` · *toggle switch* (master)
  - Run the NetBird SSH server on this host so other peers can connect to it.

### Capabilities

- **Allow root login** — `enableSshRoot` · *toggle switch*
  - Permit incoming SSH sessions to authenticate as `root`.
- **Enable SFTP** — `enableSshSftp` · *toggle switch*
  - Allow file transfers over the NetBird SSH server.
- **Local port forwarding** — `enableSshLocalPortForwarding` · *toggle switch*
  - Allow clients to forward local ports through this host.
- **Remote port forwarding** — `enableSshRemotePortForwarding` · *toggle switch*
  - Allow clients to expose remote ports back through this host.

### Authentication

- **Disable SSH auth** — `disableSshAuth` · *toggle switch*
  - Skip JWT authentication for incoming SSH sessions. **Insecure — diagnostics only.**
- **JWT cache TTL** — `sshJwtCacheTtl` · *number input (seconds)*
  - How long verified JWTs are cached before re-validation.

---

## 5. Advanced

Power-user knobs: tunnel security, interface tuning, and log verbosity.

### Security

- **Pre-shared key** — `preSharedKey` · *label + help text + password input with reveal toggle*
  - Help text sits between the label and the input. Optional WireGuard pre-shared key for an extra layer of symmetric encryption; must match the value on every peer.

### Interface

- **Name** — `interfaceName` · *text input*
  - Name of the WireGuard network interface created on this host.
- **WireGuard Port** — `wireguardPort` · *number input*
  - Local UDP port the WireGuard interface listens on.
- **MTU** — `mtu` · *number input*
  - Maximum transmission unit for the WireGuard interface.

---

## 6. Troubleshooting

Everything you reach for when something is wrong.

### Debug bundle

- **Anonymize** — *toggle switch*
  - Strip IPs, hostnames, and peer names from the bundle before saving.
- **Include system info** — *toggle switch*
  - Add OS, kernel, and network interface details to the bundle.
- **Upload on create** — *toggle switch*
  - When on, reveals an upload URL field and uploads the bundle after creation.
- **Create Bundle** — *button* → progress indicator → resulting path or upload URL.

---

## 7. About

Two-row layout. Top row pairs the app icon with the product name + versions; everything else stacks below full-width.

**Top row** (icon left, info right):

1. **App icon** — `netbird-app-icon.svg`, `w-24 h-24`, rounded corners, subtle border (`border-nb-gray-800`).
2. **NetBird** heading + version lines:
   - **GUI v{x.y.z}** — from `frontend/package.json` at build time
   - **Client v{x.y.z}** — from `Status.daemonVersion`

**Below the top row**, in order:

3. **Update banner** *(visible only when an event in `Status.events` carries `metadata["new_version_available"]`)* — "Version X.Y.Z is available." + a **What's new?** link → GitHub release page for that version, plus a **Restart now** primary button → `Update.Trigger()`.
4. **Copyright** — "© {current year} NetBird. All Rights Reserved." (year from `new Date().getFullYear()`).
5. **Legal links** — Imprint · Privacy · CLA · Terms of Service. Each opens via Wails `Browser.OpenURL` with `window.open` fallback.