From 496bbb827102c0b7314df8f65a1258680c8086fe Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Thu, 30 Apr 2026 23:06:41 +0200
Subject: [PATCH] Add combined module for netbird client native and in container

Native will be used for SSH access, the container is rootless and will be used for reverse proxying services.
---
 modules/netbird-client.nix | 99 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 modules/netbird-client.nix

diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix
new file mode 100644
index 0000000..e2b04db
--- /dev/null
+++ b/modules/netbird-client.nix
@@ -0,0 +1,99 @@
+{
+ pkgs,
+ pkgs-unstable,
+ utils,
+ config,
+ lib,
+ ...
+}:
+let
+
+ cfg = config.services.netbird-client;
+
+ clientVersion = "0.69.0";
+
+ clientConfiguration = lib.types.submodule {
+ options = {
+ setupKey = lib.mkOption {
+ description = "Setup Key for this client";
+ type = lib.types.str;
+ };
+ };
+ };
+
+in {
+
+ options.services.netbird-client = {
+ enable = lib.mkEnableOption "Netbird client, with possiblities for host connection and for docker based connection.";
+ managementUrl = lib.mkOption {
+ description = "Management URL of netbird server.";
+ type = lib.types.str;
+ };
+ host = lib.mkOption {
+ description = "Configuration for host connection";
+ type = clientConfiguration;
+ };
+ docker = lib.mkOption {
+ description = "Configuration for docker connection";
+ type = clientConfiguration;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.netbird = {
+ package = pkgs-unstable.netbird;
+ useRoutingFeatures = "both";
+ clients.wt0 = {
+ hardened = false;
+ login = {
+ enable = true;
+ setupKeyFile = (pkgs.writeText "setupKey" cfg.host.setupKey).outPath;
+ };
+ port = 51820;
+ environment = {
+ NB_MANAGEMENT_URL = cfg.managementUrl;
+ };
+ };
+ };
+ systemd.services.${config.services.netbird.clients.wt0.service.name}.path = [ pkgs.shadow ];
+
+ virtualisation.oci-containers.containers = {
+ netbird = {
+ image = "netbirdio/netbird:${clientVersion}-rootless";
+ autoStart = true;
+ hostname = "${config.networking.hostName}-docker";
+ networks = [
+ "webproxy"
+ ];
+ environment = {
+ NB_MANAGEMENT_URL = cfg.managementUrl;
+ PEER_NAME = "${config.networking.hostName}-docker";
+ NB_SETUP_KEY = cfg.docker.setupKey;
+ };
+ extraOptions = [
+ ''--mount=type=volume,source=netbird_client_data,target=/var/lib/netbird,volume-driver=local''
+ ];
+ };
+ };
+
+ systemd.services."docker-netbird" = {
+ after = [
+ "docker-network-webproxy.service"
+ ];
+ requires = [
+ "docker-network-webproxy.service"
+ ];
+ };
+
+
systemd.services."docker-network-webproxy" = {
+ path = [ pkgs.docker ];
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ script = ''
+ docker network inspect webproxy || docker network create webproxy --ipv4 --ipv6 --subnet=172.20.0.0/16 --gateway=172.20.0.1
+ '';
+ };
+ };
+}
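Review bot: Both setup keys end up in world-readable locations: `setupKeyFile = (pkgs.writeText "setupKey" cfg.host.setupKey).outPath;` copies cfg.host.setupKey into the Nix store, and `NB_SETUP_KEY = cfg.docker.setupKey;` bakes the docker key into the generated container unit (also in the store, and visible to anyone who can run `docker inspect`). Setup keys are enrolment credentials, so every local user being able to read them defeats the point of having separate keys per client. Consider making the submodule option a path to a file provisioned outside the store (the existing `login.setupKeyFile` already takes a path, and `virtualisation.oci-containers.containers.<name>.environmentFiles` can carry a `NB_SETUP_KEY=...` line for the container); the sketch below shows the three places that change. Independently, `possiblities` in the mkEnableOption description is a typo for `possibilities`.
```nix
  clientConfiguration = lib.types.submodule {
    options = {
      setupKeyFile = lib.mkOption {
        description = "Path to a file holding the setup key for this client; keep it outside the Nix store (e.g. deployed by a secrets tool)";
        type = lib.types.str;
      };
    };
  };
  # … unchanged: options.services.netbird-client, services.netbird package/routing …
        login = {
          enable = true;
          setupKeyFile = cfg.host.setupKeyFile;
        };
  # … unchanged: port, host environment, oci-containers image/hostname/networks …
        environment = {
          NB_MANAGEMENT_URL = cfg.managementUrl;
          PEER_NAME = "${config.networking.hostName}-docker";
        };
        # file contains a single NB_SETUP_KEY=<key> line and is read at container start, not stored in the unit
        environmentFiles = [ cfg.docker.setupKeyFile ];
```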