Merge pull request #2467 from alexbelgium/codex/create-simple-netbird-server-setup

Rework NetBird server add-on into quickstart layout with Caddy and relay/STUN
2026-03-13 16:34:22 +01:00 · 2026-02-08 19:31:48 +01:00
parent f09d49bb18 00c59234fd
commit 397c086deb
11 changed files with 205 additions and 268 deletions
--- a/netbird-server/DOCS.md
+++ b/netbird-server/DOCS.md
@@ -1,35 +1,36 @@
-# NetBird Server (monolithic)
+# NetBird Server (quickstart)

-This add-on runs the NetBird self-hosted server stack in a single container (Management + Signal + Dashboard + Coturn). It does **not** use Home Assistant ingress. Access the Dashboard directly via the configured port.
+This add-on runs the NetBird self-hosted server stack in a single container (Management + Signal + Relay/STUN + Dashboard) and ships a built-in Caddy reverse proxy, matching the official NetBird self-hosted quickstart flow. It does **not** use Home Assistant ingress.

-NetBird relies on gRPC. If you place the Management/Signal endpoints behind a reverse proxy, it **must** support HTTP/2 + gRPC proxying. See the NetBird reverse-proxy guide for supported configurations: <https://docs.netbird.io/selfhosted/reverse-proxy>.
-
-The NetBird self-hosted guide includes up-to-date port requirements and legacy port notes: <https://docs.netbird.io/selfhosted/selfhosted-guide>.
-
-The Dashboard container requires the `NETBIRD_MGMT_API_ENDPOINT` environment variable (the add-on injects this automatically) as described in the NetBird dashboard README: <https://github.com/netbirdio/dashboard#readme>.
+NetBird relies on gRPC. The built-in Caddy configuration is pre-wired to proxy both HTTP and gRPC endpoints as recommended in the quickstart guide: <https://docs.netbird.io/selfhosted/selfhosted-quickstart>.

 ## Quick start

 1. Install the add-on.
-2. Start the add-on and verify all services are running in the log output.
-3. Stop the add-on, edit the generated `management.json` to configure your Identity Provider (IdP).
-4. Update `/config/netbird/dashboard/env` with the `NETBIRD_MGMT_API_ENDPOINT` and `AUTH_*` values for the dashboard.
-5. Start the add-on again and access the dashboard at `http://<HA_HOST>:8080`.
+2. Set the `domain` option to your public NetBird domain (e.g., `netbird.example.com`).
+3. Start the add-on and verify all services are running in the log output.
+4. Access the dashboard at `https://<your-domain>` and complete the onboarding flow.

 ## Configuration

-This add-on starts with zero configuration options. It writes default configs into `/config/netbird` and runs on the standard NetBird ports.
+This add-on generates the standard quickstart configuration files in `/config/netbird` and reuses them on subsequent starts.
+
+### Required options
+- `domain`: Public domain that resolves to your Home Assistant host (e.g., `netbird.example.com`).

 ### Dashboard environment overrides
 Edit `/config/netbird/dashboard/env` to configure the dashboard UI:

 - `NETBIRD_MGMT_API_ENDPOINT`: Public URL of the management API (for example, `https://netbird.example.com`).
- `AUTH_AUTHORITY`, `AUTH_CLIENT_ID`, `AUTH_CLIENT_SECRET`, `AUTH_AUDIENCE`, `AUTH_SUPPORTED_SCOPES`, `USE_AUTH0`: OIDC settings for the dashboard UI.
+- `NETBIRD_MGMT_GRPC_API_ENDPOINT`: Public URL for the gRPC API (typically the same as above).
+- `AUTH_*`: OIDC settings for the dashboard UI (pre-filled for the embedded IdP).

 ### Generated configuration
 On first start, the add-on creates:
- `management.json` in `$data_dir/management/`
- `turnserver.conf` in `$data_dir/turn/`
+- `management.json` in `/config/netbird/management/`
+- `relay.env` in `/config/netbird/relay/`
+- `dashboard.env` in `/config/netbird/dashboard/`
+- `Caddyfile` in `/config/netbird/`

 If you need advanced settings, stop the add-on and edit these files. The add-on will keep your edits on restart.

@@ -37,14 +38,12 @@ If you need advanced settings, stop the add-on and edit these files. The add-on

 Default ports exposed by this add-on:

- `33073/tcp`: Management API (HTTP/gRPC)
- `10000/tcp`: Signal gRPC
- `8080/tcp`: Dashboard
- `3478/udp`: Coturn STUN/TURN
-
-If you have legacy (< v0.29) clients, review the legacy port notes in the NetBird self-hosted guide and ensure your firewall/forwarding rules are compatible.
+- `80/tcp`: Caddy HTTP (ACME HTTP-01)
+- `443/tcp`: Caddy HTTPS (Dashboard + APIs)
+- `443/udp`: Caddy HTTP/3 (optional)
+- `3478/udp`: Relay STUN

 ## Notes

- This add-on does **not** handle TLS certificates. Place it behind your existing reverse proxy if you need HTTPS.
- Coturn requires a UDP relay port range (defaults to `49152-65535`). Ensure this range is allowed in your firewall when using TURN relaying.
+- This add-on uses NetBird's embedded IdP (Dex) and matches the official quickstart layout.
+- If you already run your own reverse proxy, you can disable Caddy by editing the generated `Caddyfile` or by terminating TLS upstream and forwarding requests to port 80.
--- a/netbird-server/Dockerfile
+++ b/netbird-server/Dockerfile
@@ -16,13 +16,11 @@

 ARG NETBIRD_VERSION=0.64.5
 ARG DASHBOARD_VERSION=2.31.0
-ARG COTURN_VERSION=4.6.2

 FROM netbirdio/management:${NETBIRD_VERSION} AS netbird-management
 FROM netbirdio/signal:${NETBIRD_VERSION} AS netbird-signal
 FROM netbirdio/relay:${NETBIRD_VERSION} AS netbird-relay
 FROM netbirdio/dashboard:${DASHBOARD_VERSION} AS netbird-dashboard
-FROM coturn/coturn:${COTURN_VERSION} AS netbird-coturn

 #################
 # 2 Base Image  #
@@ -67,7 +65,7 @@ ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templat
 RUN chmod 744 /ha_automodules.sh && /ha_automodules.sh "$MODULES" && rm /ha_automodules.sh

 # Manual apps
-ENV PACKAGES="nginx gettext ca-certificates"
+ENV PACKAGES="nginx gettext ca-certificates caddy openssl"

 # Automatic apps & bashio
 ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_autoapps.sh" "/ha_autoapps.sh"
@@ -80,8 +78,6 @@ RUN chmod 744 /ha_autoapps.sh && /ha_autoapps.sh "$PACKAGES" && rm /ha_autoapps.
 COPY --from=netbird-management /go/bin/netbird-mgmt /usr/local/bin/netbird-mgmt
 COPY --from=netbird-signal /go/bin/netbird-signal /usr/local/bin/netbird-signal
 COPY --from=netbird-relay /go/bin/netbird-relay /usr/local/bin/netbird-relay
-COPY --from=netbird-coturn /usr/bin/turnserver /usr/local/bin/turnserver
-
 COPY --from=netbird-dashboard /usr/share/nginx/html /usr/share/nginx/html
 COPY --from=netbird-dashboard /usr/local/init_react_envs.sh /usr/local/bin/init_react_envs.sh

--- a/netbird-server/config.yaml
+++ b/netbird-server/config.yaml
@@ -1,25 +1,27 @@
 arch:
  - aarch64
  - amd64
-description: "\U0001F426 NetBird self-hosted server stack (management, signal, dashboard, coturn)"
+description: "\U0001F426 NetBird self-hosted server stack (management, signal, relay, dashboard, Caddy)"
 image: ghcr.io/alexbelgium/netbird-server-{arch}
 init: false
 ingress: false
 map:
  - addon_config:rw
 name: NetBird Server
-options: {}
-schema: {}
+options:
+  domain: netbird.example.com
+schema:
+  domain: str
 slug: netbird-server
 ports:
-  33073/tcp: 33073
-  10000/tcp: 10000
-  8080/tcp: 8080
+  80/tcp: 80
+  443/tcp: 443
+  443/udp: 443
  3478/udp: 3478
 ports_description:
-  33073/tcp: Management API (HTTP/gRPC)
-  10000/tcp: Signal gRPC
-  8080/tcp: NetBird Dashboard (HTTP)
-  3478/udp: Coturn STUN/TURN
+  80/tcp: Caddy HTTP (ACME HTTP-01)
+  443/tcp: Caddy HTTPS (dashboard + APIs)
+  443/udp: Caddy HTTP/3 (optional)
+  3478/udp: NetBird Relay STUN
 url: https://github.com/alexbelgium/hassio-addons
-version: 0.64.5-1
+version: 0.64.5-2
--- a/netbird-server/rootfs/etc/cont-init.d/00-config.sh
+++ b/netbird-server/rootfs/etc/cont-init.d/00-config.sh
@@ -4,107 +4,53 @@ set -euo pipefail

 # ==============================================================================
 # Home Assistant Add-on: NetBird Server
-# Configures NetBird services
+# Configures NetBird services (quickstart layout)
 # ==============================================================================

 create_or_load_secret() {
  local secret_file="$1"
-  local provided_value="$2"
+  local generator="$2"
  local generated=""

-  if [[ -n "$provided_value" ]]; then
-    echo "$provided_value"
-    return
-  fi
-
  if [[ -f "$secret_file" ]]; then
    cat "$secret_file"
    return
  fi

-  generated=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
+  generated=$(eval "$generator")
  echo "$generated" > "$secret_file"
  chmod 600 "$secret_file"
  echo "$generated"
 }

-extract_port() {
-  local address="$1"
-  echo "${address##*:}"
-}
-
 DATA_DIR="/config/netbird"
-DOMAIN="localhost"
-MANAGEMENT_LISTEN="0.0.0.0:33073"
-SIGNAL_LISTEN="0.0.0.0:10000"
-DASHBOARD_LISTEN="0.0.0.0:8080"
-TURN_LISTEN_PORT=3478
-TURN_REALM="netbird"
-TURN_EXTERNAL_IP=""
-TURN_MIN_PORT=49152
-TURN_MAX_PORT=65535
-TURN_USER="netbird"
-TURN_PASSWORD=""
-IDP_MANAGER_TYPE="none"
-AUTH_AUTHORITY=""
-AUTH_AUDIENCE=""
-AUTH_JWT_CERTS=""
-AUTH_USER_ID_CLAIM="sub"
-AUTH_OIDC_CONFIGURATION_ENDPOINT=""
-AUTH_TOKEN_ENDPOINT=""
-IDP_CLIENT_ID=""
-IDP_CLIENT_SECRET=""
-DISABLE_DEFAULT_POLICY=false
-DISABLE_DASHBOARD=false
-ENABLE_RELAY=false
-RELAY_EXPOSED_ADDRESS=""
-RELAY_AUTH_SECRET=""
+DOMAIN="$(bashio::config 'domain')"
+NETBIRD_STUN_PORT=3478
+MANAGEMENT_PORT=8081
+DASHBOARD_PORT=8080
+SIGNAL_PORT=8083
+SIGNAL_GRPC_PORT=10000
+RELAY_PORT=8084

-MANAGEMENT_PORT=$(extract_port "$MANAGEMENT_LISTEN")
-SIGNAL_PORT=$(extract_port "$SIGNAL_LISTEN")
-DASHBOARD_PORT=$(extract_port "$DASHBOARD_LISTEN")
-
-if [[ -z "$AUTH_AUTHORITY" || -z "$AUTH_AUDIENCE" || -z "$AUTH_JWT_CERTS" ]]; then
-  bashio::log.warning "OIDC configuration is incomplete. Edit ${DATA_DIR}/management/management.json to finish setup."
+if [[ -z "$DOMAIN" || "$DOMAIN" == "netbird.example.com" ]]; then
+  bashio::log.error "Set a valid domain in the add-on configuration (domain cannot be empty or netbird.example.com)."
+  bashio::exit.nok
 fi

+NETBIRD_PORT=443
+NETBIRD_HTTP_PROTOCOL="https"
+NETBIRD_RELAY_PROTO="rels"
+CADDY_SECURE_DOMAIN=", ${DOMAIN}:${NETBIRD_PORT}"
+
 mkdir -p "$DATA_DIR" \
  "$DATA_DIR/management" \
-  "$DATA_DIR/turn" \
  "$DATA_DIR/secrets" \
  "$DATA_DIR/dashboard" \
-  "$DATA_DIR/relay"
+  "$DATA_DIR/relay" \
+  "$DATA_DIR/caddy"

-TURN_PASSWORD=$(create_or_load_secret "$DATA_DIR/secrets/turn_password" "$TURN_PASSWORD")
-TURN_SECRET=$(create_or_load_secret "$DATA_DIR/secrets/turn_secret" "")
-DATASTORE_ENC_KEY=$(create_or_load_secret "$DATA_DIR/secrets/management_datastore_key" "")
-
-if [[ "$ENABLE_RELAY" == "true" ]]; then
-  if [[ -z "$RELAY_EXPOSED_ADDRESS" || -z "$RELAY_AUTH_SECRET" ]]; then
-    bashio::log.error "Relay is enabled, but relay_exposed_address or relay_auth_secret is missing."
-    bashio::exit.nok
-  fi
-  rm -f /etc/services.d/relay/down
-  RELAY_JSON=$(cat <<RELAY
-{
-  "Addresses": ["${RELAY_EXPOSED_ADDRESS}"],
-  "CredentialsTTL": "24h",
-  "Secret": "${RELAY_AUTH_SECRET}"
-}
-RELAY
-)
-else
-  bashio::log.info "Relay service disabled."
-  touch /etc/services.d/relay/down
-  RELAY_JSON="null"
-fi
-
-if [[ "$DISABLE_DASHBOARD" == "true" ]]; then
-  bashio::log.info "Dashboard service disabled."
-  touch /etc/services.d/dashboard/down
-else
-  rm -f /etc/services.d/dashboard/down
-fi
+DATASTORE_ENC_KEY=$(create_or_load_secret "$DATA_DIR/secrets/management_datastore_key" "openssl rand -base64 32")
+RELAY_AUTH_SECRET=$(create_or_load_secret "$DATA_DIR/secrets/relay_auth_secret" "openssl rand -base64 32 | sed 's/=//g'")

 # Generate management config if missing
 MANAGEMENT_CONFIG="$DATA_DIR/management/management.json"
@@ -115,65 +61,27 @@ if [[ ! -f "$MANAGEMENT_CONFIG" ]]; then
  "Stuns": [
    {
      "Proto": "udp",
-      "URI": "stun:${DOMAIN}:${TURN_LISTEN_PORT}",
-      "Username": "",
-      "Password": null
+      "URI": "stun:${DOMAIN}:${NETBIRD_STUN_PORT}"
    }
  ],
-  "TURNConfig": {
-    "Turns": [
-      {
-        "Proto": "udp",
-        "URI": "turn:${DOMAIN}:${TURN_LISTEN_PORT}",
-        "Username": "${TURN_USER}",
-        "Password": "${TURN_PASSWORD}"
-      }
-    ],
-    "CredentialsTTL": "12h",
-    "Secret": "${TURN_SECRET}",
-    "TimeBasedCredentials": false
+  "Relay": {
+    "Addresses": ["${NETBIRD_RELAY_PROTO}://${DOMAIN}:${NETBIRD_PORT}"],
+    "CredentialsTTL": "24h",
+    "Secret": "${RELAY_AUTH_SECRET}"
  },
-  "Relay": ${RELAY_JSON},
  "Signal": {
-    "Proto": "http",
-    "URI": "${DOMAIN}:${SIGNAL_PORT}",
-    "Username": "",
-    "Password": null
+    "Proto": "${NETBIRD_HTTP_PROTOCOL}",
+    "URI": "${DOMAIN}:${NETBIRD_PORT}"
  },
-  "ReverseProxy": {
-    "TrustedHTTPProxies": [],
-    "TrustedHTTPProxiesCount": 0,
-    "TrustedPeers": [
-      "0.0.0.0/0"
-    ]
-  },
-  "DisableDefaultPolicy": ${DISABLE_DEFAULT_POLICY},
  "Datadir": "${DATA_DIR}/management",
  "DataStoreEncryptionKey": "${DATASTORE_ENC_KEY}",
-  "StoreConfig": {
-    "Engine": "sqlite"
-  },
-  "HttpConfig": {
-    "Address": "${MANAGEMENT_LISTEN}",
-    "AuthIssuer": "${AUTH_AUTHORITY}",
-    "AuthAudience": "${AUTH_AUDIENCE}",
-    "AuthKeysLocation": "${AUTH_JWT_CERTS}",
-    "AuthUserIDClaim": "${AUTH_USER_ID_CLAIM}",
-    "CertFile": "",
-    "CertKey": "",
-    "IdpSignKeyRefreshEnabled": false,
-    "OIDCConfigEndpoint": "${AUTH_OIDC_CONFIGURATION_ENDPOINT}"
-  },
-  "IdpManagerConfig": {
-    "ManagerType": "${IDP_MANAGER_TYPE}",
-    "ClientConfig": {
-      "Issuer": "${AUTH_AUTHORITY}",
-      "TokenEndpoint": "${AUTH_TOKEN_ENDPOINT}",
-      "ClientID": "${IDP_CLIENT_ID}",
-      "ClientSecret": "${IDP_CLIENT_SECRET}",
-      "GrantType": "client_credentials"
-    },
-    "ExtraConfig": {}
+  "EmbeddedIdP": {
+    "Enabled": true,
+    "Issuer": "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/oauth2",
+    "DashboardRedirectURIs": [
+      "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/nb-auth",
+      "${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/nb-silent-auth"
+    ]
  }
 }
 CONFIG
@@ -181,50 +89,87 @@ else
  bashio::log.info "Using existing management config at ${MANAGEMENT_CONFIG}."
 fi

-# Generate Coturn config if missing
-TURN_CONFIG="$DATA_DIR/turn/turnserver.conf"
-if [[ ! -f "$TURN_CONFIG" ]]; then
-  TURN_EXTERNAL_IP_LINE=""
-  if [[ -n "$TURN_EXTERNAL_IP" ]]; then
-    TURN_EXTERNAL_IP_LINE="external-ip=${TURN_EXTERNAL_IP}"
-  fi
-
-  cat <<CONFIG > "$TURN_CONFIG"
-listening-port=${TURN_LISTEN_PORT}
-realm=${TURN_REALM}
-fingerprint
-lt-cred-mech
-user=${TURN_USER}:${TURN_PASSWORD}
-${TURN_EXTERNAL_IP_LINE}
-min-port=${TURN_MIN_PORT}
-max-port=${TURN_MAX_PORT}
+# Generate relay env file if missing
+RELAY_ENV_FILE="$DATA_DIR/relay/relay.env"
+if [[ ! -f "$RELAY_ENV_FILE" ]]; then
+  bashio::log.info "Generating relay env file at ${RELAY_ENV_FILE}."
+  cat <<CONFIG > "$RELAY_ENV_FILE"
+NB_LOG_LEVEL=info
+NB_LISTEN_ADDRESS=:${RELAY_PORT}
+NB_EXPOSED_ADDRESS=${NETBIRD_RELAY_PROTO}://${DOMAIN}:${NETBIRD_PORT}
+NB_AUTH_SECRET=${RELAY_AUTH_SECRET}
+NB_ENABLE_STUN=true
+NB_STUN_LOG_LEVEL=info
+NB_STUN_PORTS=${NETBIRD_STUN_PORT}
 CONFIG
-else
-  bashio::log.info "Using existing Coturn config at ${TURN_CONFIG}."
 fi

-# Generate dashboard nginx config
-sed "s/__DASHBOARD_PORT__/${DASHBOARD_PORT}/g" \
-  /usr/local/share/netbird-dashboard/default.conf.tmpl \
-  > /etc/nginx/http.d/default.conf
-
-mkdir -p /run/nginx
-chmod +x /usr/local/bin/init_react_envs.sh
-
 # Generate dashboard env file if missing
 DASHBOARD_ENV_FILE="$DATA_DIR/dashboard/env"
 if [[ ! -f "$DASHBOARD_ENV_FILE" ]]; then
  bashio::log.info "Generating dashboard env file at ${DASHBOARD_ENV_FILE}."
-  cat <<'ENV' > "$DASHBOARD_ENV_FILE"
-# NetBird dashboard environment overrides.
-# Example: NETBIRD_MGMT_API_ENDPOINT="https://netbird.example.com"
-NETBIRD_MGMT_API_ENDPOINT=""
-AUTH_AUTHORITY=""
-AUTH_CLIENT_ID=""
-AUTH_CLIENT_SECRET=""
-AUTH_AUDIENCE=""
-AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
-USE_AUTH0="false"
-ENV
+  cat <<CONFIG > "$DASHBOARD_ENV_FILE"
+# Endpoints
+NETBIRD_MGMT_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}
+NETBIRD_MGMT_GRPC_API_ENDPOINT=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}
+# OIDC - using embedded IdP
+AUTH_AUDIENCE=netbird-dashboard
+AUTH_CLIENT_ID=netbird-dashboard
+AUTH_CLIENT_SECRET=
+AUTH_AUTHORITY=${NETBIRD_HTTP_PROTOCOL}://${DOMAIN}/oauth2
+USE_AUTH0=false
+AUTH_SUPPORTED_SCOPES=openid profile email groups
+AUTH_REDIRECT_URI=/nb-auth
+AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
+# SSL
+NGINX_SSL_PORT=443
+# Letsencrypt
+LETSENCRYPT_DOMAIN=none
+CONFIG
  chmod 600 "$DASHBOARD_ENV_FILE"
 fi
+
+# Generate Caddyfile if missing
+CADDYFILE="$DATA_DIR/Caddyfile"
+if [[ ! -f "$CADDYFILE" ]]; then
+  bashio::log.info "Generating Caddyfile at ${CADDYFILE}."
+  cat <<CONFIG > "$CADDYFILE"
+{
+  servers {
+    protocols h1 h2 h2c
+  }
+}
+
+(security_headers) {
+  header * {
+    Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+    X-Content-Type-Options "nosniff"
+    X-Frame-Options "SAMEORIGIN"
+    X-XSS-Protection "1; mode=block"
+    -Server
+    Referrer-Policy strict-origin-when-cross-origin
+  }
+}
+
+:80${CADDY_SECURE_DOMAIN} {
+  import security_headers
+  # relay
+  reverse_proxy /relay* 127.0.0.1:${RELAY_PORT}
+  # Signal
+  reverse_proxy /ws-proxy/signal* 127.0.0.1:${SIGNAL_PORT}
+  reverse_proxy /signalexchange.SignalExchange/* h2c://127.0.0.1:${SIGNAL_GRPC_PORT}
+  # Management
+  reverse_proxy /api/* 127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /ws-proxy/management* 127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /management.ManagementService/* h2c://127.0.0.1:${MANAGEMENT_PORT}
+  reverse_proxy /oauth2/* 127.0.0.1:${MANAGEMENT_PORT}
+  # Dashboard
+  reverse_proxy /* 127.0.0.1:${DASHBOARD_PORT}
+}
+CONFIG
+else
+  bashio::log.info "Using existing Caddyfile at ${CADDYFILE}."
+fi
+
+mkdir -p /run/nginx
+chmod +x /usr/local/bin/init_react_envs.sh
--- a/netbird-server/rootfs/etc/nginx/http.d/default.conf
+++ b/netbird-server/rootfs/etc/nginx/http.d/default.conf
@@ -0,0 +1,11 @@
+server {
+  listen 8080;
+  server_name _;
+
+  root /usr/share/nginx/html;
+  index index.html;
+
+  location / {
+    try_files $uri /index.html;
+  }
+}
--- a/netbird-server/rootfs/etc/services.d/caddy/run
+++ b/netbird-server/rootfs/etc/services.d/caddy/run
@@ -0,0 +1,24 @@
+#!/usr/bin/with-contenv bashio
+# shellcheck shell=bash
+set -euo pipefail
+
+# ==============================================================================
+# Home Assistant Add-on: NetBird Server
+# Runs Caddy reverse proxy
+# ==============================================================================
+
+DATA_DIR="/config/netbird"
+CADDYFILE="${DATA_DIR}/Caddyfile"
+
+if [[ ! -f "$CADDYFILE" ]]; then
+  bashio::log.error "Missing Caddyfile at ${CADDYFILE}."
+  bashio::exit.nok
+fi
+
+export XDG_DATA_HOME="${DATA_DIR}/caddy/data"
+export XDG_CONFIG_HOME="${DATA_DIR}/caddy/config"
+
+mkdir -p "$XDG_DATA_HOME" "$XDG_CONFIG_HOME"
+
+bashio::log.info "Starting Caddy..."
+exec caddy run --config "$CADDYFILE" --adapter caddyfile
--- a/netbird-server/rootfs/etc/services.d/coturn/run
+++ b/netbird-server/rootfs/etc/services.d/coturn/run
@@ -1,19 +0,0 @@
-#!/usr/bin/with-contenv bashio
-# shellcheck shell=bash
-set -euo pipefail
-
-# ==============================================================================
-# Home Assistant Add-on: NetBird Server
-# Runs Coturn
-# ==============================================================================
-
-DATA_DIR="/config/netbird"
-TURN_CONFIG="$DATA_DIR/turn/turnserver.conf"
-
-if [[ ! -f "$TURN_CONFIG" ]]; then
-  bashio::log.error "Missing Coturn configuration at ${TURN_CONFIG}."
-  bashio::exit.nok
-fi
-
-bashio::log.info "Starting Coturn..."
-exec /usr/local/bin/turnserver -c "$TURN_CONFIG" --log-file stdout
--- a/netbird-server/rootfs/etc/services.d/dashboard/run
+++ b/netbird-server/rootfs/etc/services.d/dashboard/run
@@ -7,46 +7,17 @@ set -euo pipefail
 # Runs the NetBird Dashboard
 # ==============================================================================

-DOMAIN="localhost"
-EXTERNAL_BASE_URL=""
-MANAGEMENT_LISTEN="0.0.0.0:33073"
-AUTH_AUTHORITY=""
-AUTH_CLIENT_ID=""
-AUTH_CLIENT_SECRET=""
-AUTH_AUDIENCE=""
-AUTH_SUPPORTED_SCOPES="openid profile email api offline_access email_verified"
-USE_AUTH0="false"
-NETBIRD_MGMT_API_ENDPOINT=""
-
-MANAGEMENT_PORT="${MANAGEMENT_LISTEN##*:}"
-
 ENV_FILE="/config/netbird/dashboard/env"
 if [[ -f "$ENV_FILE" ]]; then
  set -a
  # shellcheck disable=SC1090
  . "$ENV_FILE"
  set +a
-fi
-
-if [[ -n "$NETBIRD_MGMT_API_ENDPOINT" ]]; then
-  NETBIRD_MGMT_API_ENDPOINT="$NETBIRD_MGMT_API_ENDPOINT"
-elif [[ -n "$EXTERNAL_BASE_URL" ]]; then
-  NETBIRD_MGMT_API_ENDPOINT="$EXTERNAL_BASE_URL"
-elif [[ -n "$DOMAIN" ]]; then
-  NETBIRD_MGMT_API_ENDPOINT="http://${DOMAIN}:${MANAGEMENT_PORT}"
 else
-  bashio::log.warning "external_base_url and domain are empty; defaulting NETBIRD_MGMT_API_ENDPOINT to localhost."
-  NETBIRD_MGMT_API_ENDPOINT="http://127.0.0.1:${MANAGEMENT_PORT}"
+  bashio::log.error "Missing dashboard env file at ${ENV_FILE}."
+  bashio::exit.nok
 fi

-export AUTH_AUTHORITY
-export AUTH_CLIENT_ID
-export AUTH_CLIENT_SECRET
-export AUTH_AUDIENCE
-export AUTH_SUPPORTED_SCOPES
-export USE_AUTH0
-export NETBIRD_MGMT_API_ENDPOINT
-
 bashio::log.info "Preparing NetBird Dashboard assets..."
 /usr/local/bin/init_react_envs.sh

--- a/netbird-server/rootfs/etc/services.d/management/run
+++ b/netbird-server/rootfs/etc/services.d/management/run
@@ -10,6 +10,7 @@ set -euo pipefail
 DATA_DIR="/config/netbird"
 LOG_LEVEL="info"
 MANAGEMENT_CONFIG="$DATA_DIR/management/management.json"
+MANAGEMENT_PORT=8081

 if [[ ! -f "$MANAGEMENT_CONFIG" ]]; then
  bashio::log.error "Missing management configuration at ${MANAGEMENT_CONFIG}."
@@ -19,5 +20,10 @@ fi
 bashio::log.info "Starting NetBird Management..."
 exec /usr/local/bin/netbird-mgmt management \
  --config "$MANAGEMENT_CONFIG" \
+  --port "$MANAGEMENT_PORT" \
  --log-level "$LOG_LEVEL" \
-  --log-file console
+  --log-file console \
+  --disable-anonymous-metrics=false \
+  --single-account-mode-domain=netbird.selfhosted \
+  --dns-domain=netbird.selfhosted \
+  --idp-sign-key-refresh-enabled
--- a/netbird-server/rootfs/etc/services.d/relay/run
+++ b/netbird-server/rootfs/etc/services.d/relay/run
@@ -4,17 +4,20 @@ set -euo pipefail

 # ==============================================================================
 # Home Assistant Add-on: NetBird Server
-# Runs the NetBird Relay (optional)
+# Runs the NetBird Relay (includes embedded STUN)
 # ==============================================================================

-LOG_LEVEL="info"
-RELAY_EXPOSED_ADDRESS=""
-RELAY_AUTH_SECRET=""
+RELAY_ENV_FILE="/config/netbird/relay/relay.env"
+
+if [[ -f "$RELAY_ENV_FILE" ]]; then
+  set -a
+  # shellcheck disable=SC1090
+  . "$RELAY_ENV_FILE"
+  set +a
+else
+  bashio::log.error "Missing relay env file at ${RELAY_ENV_FILE}."
+  bashio::exit.nok
+fi

 bashio::log.info "Starting NetBird Relay..."
-exec /usr/local/bin/netbird-relay \
-  --listen-address ":33080" \
-  --exposed-address "$RELAY_EXPOSED_ADDRESS" \
-  --auth-secret "$RELAY_AUTH_SECRET" \
-  --log-level "$LOG_LEVEL" \
-  --log-file console
+exec /usr/local/bin/netbird-relay
--- a/netbird-server/rootfs/etc/services.d/signal/run
+++ b/netbird-server/rootfs/etc/services.d/signal/run
@@ -7,9 +7,8 @@ set -euo pipefail
 # Runs the NetBird Signal service
 # ==============================================================================

-SIGNAL_LISTEN="0.0.0.0:10000"
+SIGNAL_PORT=8083
 LOG_LEVEL="info"
-SIGNAL_PORT="${SIGNAL_LISTEN##*:}"

 bashio::log.info "Starting NetBird Signal on port ${SIGNAL_PORT}..."
 exec /usr/local/bin/netbird-signal run \