fix: small conflicts

chore: switching env var for NB_PROXY_DOMAIN
chore: build
2026-04-02 15:43:47 -04:00 · 2026-02-12 18:41:57 +01:00 · 2026-02-12 18:35:30 +01:00 · 2026-02-12 17:42:03 +01:00 · 2026-02-12 17:18:23 +01:00 · 2026-02-12 17:18:23 +01:00
256 changed files with 4345 additions and 32146 deletions
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -39,7 +39,7 @@ jobs:
            else
              echo "✓ No problematic dependencies found"
            fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name ".git*" | sort)

          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" | head -1)

              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)

--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -97,16 +97,6 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .

-      - name: Build combined
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build combined 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
-
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -154,7 +144,7 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -214,7 +204,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -409,19 +399,12 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
-
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -504,18 +487,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
@@ -596,18 +576,15 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      - name: docker login for root user
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        env:
-          DOCKER_USER: ${{ secrets.DOCKER_USER }}
-          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
        run: |
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,7 +63,7 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' })" >> $env:GITHUB_ENV

      - name: test
        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -160,7 +160,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -176,7 +176,6 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
-        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -186,19 +185,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-      - name: Tag and push PR images (amd64 only)
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
-        run: |
-          PR_TAG="pr-${{ github.event.pull_request.number }}"
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              IMG_NAME="${SRC%%:*}"
-              DST="${IMG_NAME}:${PR_TAG}"
-              echo "Tagging ${SRC} -> ${DST}"
-              docker tag "$SRC" "$DST"
-              docker push "$DST"
-            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -106,26 +106,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-server
-    dir: combined
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-server
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
@@ -140,20 +120,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"

-  - id: netbird-proxy
-    dir: proxy/cmd/proxy
-    env: [CGO_ENABLED=0]
-    binary: netbird-proxy
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
  - id: netbird

@@ -554,104 +520,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-    ids:
-      - netbird-server
-    goarch: amd64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-    ids:
-      - netbird-server
-    goarch: arm64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-    ids:
-      - netbird-server
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -730,18 +598,6 @@ docker_manifests:
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64

-  - name_template: netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:latest
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -819,43 +675,6 @@ docker_manifests:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
 brews:
  - ids:
      - default
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 BSD 3-Clause License
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest

-FROM alpine:3.23.3
+FROM alpine:3.23.2
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,19 +1,10 @@
 package android

-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"

 var (
-	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
+	// EnvKeyNBForceRelay Exported for Android java client
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-
-	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
-
-	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
-	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )

 // EnvList wraps a Go map for export to Java
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -1,194 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/signal"
-	"regexp"
-	"strconv"
-	"strings"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-var pinRegexp = regexp.MustCompile(`^\d{6}$`)
-
-var (
-	exposePin        string
-	exposePassword   string
-	exposeUserGroups []string
-	exposeDomain     string
-	exposeNamePrefix string
-	exposeProtocol   string
-)
-
-var exposeCmd = &cobra.Command{
-	Use:     "expose <port>",
-	Short:   "Expose a local port via the NetBird reverse proxy",
-	Args:    cobra.ExactArgs(1),
-	Example: "netbird expose --with-password safe-pass 8080",
-	RunE:    exposeFn,
-}
-
-func init() {
-	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
-	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
-	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
-	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
-	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
-	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use, http/https is supported (e.g. --protocol http)")
-}
-
-func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
-	port, err := strconv.ParseUint(portStr, 10, 32)
-	if err != nil {
-		return 0, fmt.Errorf("invalid port number: %s", portStr)
-	}
-	if port == 0 || port > 65535 {
-		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
-	}
-
-	if !isProtocolValid(exposeProtocol) {
-		return 0, fmt.Errorf("unsupported protocol %q: only 'http' or 'https' are supported", exposeProtocol)
-	}
-
-	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
-		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
-	}
-
-	if cmd.Flags().Changed("with-password") && exposePassword == "" {
-		return 0, fmt.Errorf("password cannot be empty")
-	}
-
-	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
-		return 0, fmt.Errorf("user groups cannot be empty")
-	}
-
-	return port, nil
-}
-
-func isProtocolValid(exposeProtocol string) bool {
-	return strings.ToLower(exposeProtocol) == "http" || strings.ToLower(exposeProtocol) == "https"
-}
-
-func exposeFn(cmd *cobra.Command, args []string) error {
-	SetFlagsFromEnvVars(rootCmd)
-
-	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-		log.Errorf("failed initializing log %v", err)
-		return err
-	}
-
-	cmd.Root().SilenceUsage = false
-
-	port, err := validateExposeFlags(cmd, args[0])
-	if err != nil {
-		return err
-	}
-
-	cmd.Root().SilenceUsage = true
-
-	ctx, cancel := context.WithCancel(cmd.Context())
-	defer cancel()
-
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		<-sigCh
-		cancel()
-	}()
-
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to daemon: %w", err)
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Debugf("failed to close daemon connection: %v", err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	protocol, err := toExposeProtocol(exposeProtocol)
-	if err != nil {
-		return err
-	}
-
-	stream, err := client.ExposeService(ctx, &proto.ExposeServiceRequest{
-		Port:       uint32(port),
-		Protocol:   protocol,
-		Pin:        exposePin,
-		Password:   exposePassword,
-		UserGroups: exposeUserGroups,
-		Domain:     exposeDomain,
-		NamePrefix: exposeNamePrefix,
-	})
-	if err != nil {
-		return fmt.Errorf("expose service: %w", err)
-	}
-
-	if err := handleExposeReady(cmd, stream, port); err != nil {
-		return err
-	}
-
-	return waitForExposeEvents(cmd, ctx, stream)
-}
-
-func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
-	switch strings.ToLower(exposeProtocol) {
-	case "http":
-		return proto.ExposeProtocol_EXPOSE_HTTP, nil
-	case "https":
-		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
-	default:
-		return 0, fmt.Errorf("unsupported protocol %q: only 'http' or 'https' are supported", exposeProtocol)
-	}
-}
-
-func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
-	event, err := stream.Recv()
-	if err != nil {
-		return fmt.Errorf("receive expose event: %w", err)
-	}
-
-	switch e := event.Event.(type) {
-	case *proto.ExposeServiceEvent_Ready:
-		cmd.Println("Service exposed successfully!")
-		cmd.Printf("  Name:     %s\n", e.Ready.ServiceName)
-		cmd.Printf("  URL:      %s\n", e.Ready.ServiceUrl)
-		cmd.Printf("  Domain:   %s\n", e.Ready.Domain)
-		cmd.Printf("  Protocol: %s\n", exposeProtocol)
-		cmd.Printf("  Port:     %d\n", port)
-		cmd.Println()
-		cmd.Println("Press Ctrl+C to stop exposing.")
-		return nil
-	default:
-		return fmt.Errorf("unexpected expose event: %T", event.Event)
-	}
-}
-
-func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
-	for {
-		_, err := stream.Recv()
-		if err != nil {
-			if ctx.Err() != nil {
-				cmd.Println("\nService stopped.")
-				//nolint:nilerr
-				return nil
-			}
-			if errors.Is(err, io.EOF) {
-				return fmt.Errorf("connection to daemon closed unexpectedly")
-			}
-			return fmt.Errorf("stream error: %w", err)
-		}
-	}
-}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )

@@ -81,15 +80,6 @@ var (
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars(cmd.Root())
-
-			// Don't resolve for service commands — they create the socket, not connect to it.
-			if !isServiceCmd(cmd) {
-				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
-			}
-			return nil
-		},
 	}
 )

@@ -154,7 +144,6 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
-	rootCmd.AddCommand(exposeCmd)

 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -396,6 +385,7 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }

 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
+	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())

 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
@@ -408,13 +398,3 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {

 	return conn, nil
 }
-
-// isServiceCmd returns true if cmd is the "service" command or a child of it.
-func isServiceCmd(cmd *cobra.Command) bool {
-	for c := cmd; c != nil; c = c.Parent() {
-		if c.Name() == "service" {
-			return true
-		}
-	}
-	return false
-}
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {
--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -5,18 +5,20 @@ package configurer
 import (
 	"net"

+	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/ipc"
 )

 func openUAPI(deviceName string) (net.Listener, error) {
 	uapiSock, err := ipc.UAPIOpen(deviceName)
 	if err != nil {
+		log.Errorf("failed to open uapi socket: %v", err)
 		return nil, err
 	}

 	listener, err := ipc.UAPIListen(deviceName, uapiSock)
 	if err != nil {
-		_ = uapiSock.Close()
+		log.Errorf("failed to listen on uapi socket: %v", err)
 		return nil, err
 	}

--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -54,14 +54,6 @@ func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder
 	return wgCfg
 }

-func NewUSPConfigurerNoUAPI(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
-	return &WGUSPConfigurer{
-		device:           device,
-		deviceName:       deviceName,
-		activityRecorder: activityRecorder,
-	}
-}
-
 func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error {
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -79,7 +79,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)

-	t.configurer = configurer.NewUSPConfigurerNoUAPI(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		if cErr := tunIface.Close(); cErr != nil {
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -331,11 +331,8 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		state.Set(StatusConnected)

 		if runningChan != nil {
-			select {
-			case <-runningChan:
-			default:
-				close(runningChan)
-			}
+			close(runningChan)
+			runningChan = nil
 		}

 		<-engineCtx.Done()
--- a/client/internal/daemonaddr/resolve.go
+++ b/client/internal/daemonaddr/resolve.go
@@ -1,60 +0,0 @@
-//go:build !windows && !ios && !android
-
-package daemonaddr
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-var scanDir = "/var/run/netbird"
-
-// setScanDir overrides the scan directory (used by tests).
-func setScanDir(dir string) {
-	scanDir = dir
-}
-
-// ResolveUnixDaemonAddr checks whether the default Unix socket exists and, if not,
-// scans /var/run/netbird/ for a single .sock file to use instead. This handles the
-// mismatch between the netbird@.service template (which places the socket under
-// /var/run/netbird/<instance>.sock) and the CLI default (/var/run/netbird.sock).
-func ResolveUnixDaemonAddr(addr string) string {
-	if !strings.HasPrefix(addr, "unix://") {
-		return addr
-	}
-
-	sockPath := strings.TrimPrefix(addr, "unix://")
-	if _, err := os.Stat(sockPath); err == nil {
-		return addr
-	}
-
-	entries, err := os.ReadDir(scanDir)
-	if err != nil {
-		return addr
-	}
-
-	var found []string
-	for _, e := range entries {
-		if e.IsDir() {
-			continue
-		}
-		if strings.HasSuffix(e.Name(), ".sock") {
-			found = append(found, filepath.Join(scanDir, e.Name()))
-		}
-	}
-
-	switch len(found) {
-	case 1:
-		resolved := "unix://" + found[0]
-		log.Debugf("Default daemon socket not found, using discovered socket: %s", resolved)
-		return resolved
-	case 0:
-		return addr
-	default:
-		log.Warnf("Default daemon socket not found and multiple sockets discovered in %s; pass --daemon-addr explicitly", scanDir)
-		return addr
-	}
-}
--- a/client/internal/daemonaddr/resolve_stub.go
+++ b/client/internal/daemonaddr/resolve_stub.go
@@ -1,8 +0,0 @@
-//go:build windows || ios || android
-
-package daemonaddr
-
-// ResolveUnixDaemonAddr is a no-op on platforms that don't use Unix sockets.
-func ResolveUnixDaemonAddr(addr string) string {
-	return addr
-}
--- a/client/internal/daemonaddr/resolve_test.go
+++ b/client/internal/daemonaddr/resolve_test.go
@@ -1,121 +0,0 @@
-//go:build !windows && !ios && !android
-
-package daemonaddr
-
-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// createSockFile creates a regular file with a .sock extension.
-// ResolveUnixDaemonAddr uses os.Stat (not net.Dial), so a regular file is
-// sufficient and avoids Unix socket path-length limits on macOS.
-func createSockFile(t *testing.T, path string) {
-	t.Helper()
-	if err := os.WriteFile(path, nil, 0o600); err != nil {
-		t.Fatalf("failed to create test sock file at %s: %v", path, err)
-	}
-}
-
-func TestResolveUnixDaemonAddr_DefaultExists(t *testing.T) {
-	tmp := t.TempDir()
-	sock := filepath.Join(tmp, "netbird.sock")
-	createSockFile(t, sock)
-
-	addr := "unix://" + sock
-	got := ResolveUnixDaemonAddr(addr)
-	if got != addr {
-		t.Errorf("expected %s, got %s", addr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_SingleDiscovered(t *testing.T) {
-	tmp := t.TempDir()
-
-	// Default socket does not exist
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	// Create a scan dir with one socket
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	instanceSock := filepath.Join(sd, "main.sock")
-	createSockFile(t, instanceSock)
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	expected := "unix://" + instanceSock
-	if got != expected {
-		t.Errorf("expected %s, got %s", expected, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_MultipleDiscovered(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-	createSockFile(t, filepath.Join(sd, "main.sock"))
-	createSockFile(t, filepath.Join(sd, "other.sock"))
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_NoSocketsFound(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	sd := filepath.Join(tmp, "netbird")
-	if err := os.MkdirAll(sd, 0o755); err != nil {
-		t.Fatal(err)
-	}
-
-	origScanDir := scanDir
-	setScanDir(sd)
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_NonUnixAddr(t *testing.T) {
-	addr := "tcp://127.0.0.1:41731"
-	got := ResolveUnixDaemonAddr(addr)
-	if got != addr {
-		t.Errorf("expected %s, got %s", addr, got)
-	}
-}
-
-func TestResolveUnixDaemonAddr_ScanDirMissing(t *testing.T) {
-	tmp := t.TempDir()
-
-	defaultAddr := "unix://" + filepath.Join(tmp, "netbird.sock")
-
-	origScanDir := scanDir
-	setScanDir(filepath.Join(tmp, "nonexistent"))
-	t.Cleanup(func() { setScanDir(origScanDir) })
-
-	got := ResolveUnixDaemonAddr(defaultAddr)
-	if got != defaultAddr {
-		t.Errorf("expected original %s, got %s", defaultAddr, got)
-	}
-}
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -14,8 +14,6 @@ import (
 	"strings"
 	"sync"

-	"github.com/hashicorp/go-multierror"
-	nberrors "github.com/netbirdio/netbird/client/errors"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"

@@ -24,7 +22,6 @@ import (

 const (
 	netbirdDNSStateKeyFormat            = "State:/Network/Service/NetBird-%s/DNS"
-	netbirdDNSStateKeyIndexedFormat     = "State:/Network/Service/NetBird-%s-%d/DNS"
 	globalIPv4State                     = "State:/Network/Global/IPv4"
 	primaryServiceStateKeyFormat        = "State:/Network/Service/%s/DNS"
 	keySupplementalMatchDomains         = "SupplementalMatchDomains"
@@ -38,14 +35,6 @@ const (
 	searchSuffix                        = "Search"
 	matchSuffix                         = "Match"
 	localSuffix                         = "Local"
-
-	// maxDomainsPerResolverEntry is the max number of domains per scutil resolver key.
-	// scutil's d.add has maxArgs=101 (key + * + 99 values), so 99 is the hard cap.
-	maxDomainsPerResolverEntry = 50
-
-	// maxDomainBytesPerResolverEntry is the max total bytes of domain strings per key.
-	// scutil has an undocumented ~2048 byte value buffer; we stay well under it.
-	maxDomainBytesPerResolverEntry = 1500
 )

 type systemConfigurator struct {
@@ -95,23 +84,28 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 		searchDomains = append(searchDomains, strings.TrimSuffix(""+dConf.Domain, "."))
 	}

-	if err := s.removeKeysContaining(matchSuffix); err != nil {
-		log.Warnf("failed to remove old match keys: %v", err)
-	}
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
+	var err error
 	if len(matchDomains) != 0 {
-		if err := s.addBatchedDomains(matchSuffix, matchDomains, config.ServerIP, config.ServerPort, false); err != nil {
-			return fmt.Errorf("add match domains: %w", err)
-		}
+		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
+	} else {
+		log.Infof("removing match domains from the system")
+		err = s.removeKeyFromSystemConfig(matchKey)
+	}
+	if err != nil {
+		return fmt.Errorf("add match domains: %w", err)
 	}
 	s.updateState(stateManager)

-	if err := s.removeKeysContaining(searchSuffix); err != nil {
-		log.Warnf("failed to remove old search keys: %v", err)
-	}
+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	if len(searchDomains) != 0 {
-		if err := s.addBatchedDomains(searchSuffix, searchDomains, config.ServerIP, config.ServerPort, true); err != nil {
-			return fmt.Errorf("add search domains: %w", err)
-		}
+		err = s.addSearchDomains(searchKey, strings.Join(searchDomains, " "), config.ServerIP, config.ServerPort)
+	} else {
+		log.Infof("removing search domains from the system")
+		err = s.removeKeyFromSystemConfig(searchKey)
+	}
+	if err != nil {
+		return fmt.Errorf("add search domains: %w", err)
 	}
 	s.updateState(stateManager)

@@ -155,7 +149,8 @@ func (s *systemConfigurator) restoreHostDNS() error {

 func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	if len(s.createdKeys) == 0 {
-		return s.discoverExistingKeys()
+		// return defaults for startup calls
+		return []string{getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix), getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)}
 	}

 	keys := make([]string, 0, len(s.createdKeys))
@@ -165,47 +160,6 @@ func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	return keys
 }

-// discoverExistingKeys probes scutil for all NetBird DNS keys that may exist.
-// This handles the case where createdKeys is empty (e.g., state file lost after unclean shutdown).
-func (s *systemConfigurator) discoverExistingKeys() []string {
-	dnsKeys, err := getSystemDNSKeys()
-	if err != nil {
-		log.Errorf("failed to get system DNS keys: %v", err)
-		return nil
-	}
-
-	var keys []string
-
-	for _, suffix := range []string{searchSuffix, matchSuffix, localSuffix} {
-		key := getKeyWithInput(netbirdDNSStateKeyFormat, suffix)
-		if strings.Contains(dnsKeys, key) {
-			keys = append(keys, key)
-		}
-	}
-
-	for _, suffix := range []string{searchSuffix, matchSuffix} {
-		for i := 0; ; i++ {
-			key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
-			if !strings.Contains(dnsKeys, key) {
-				break
-			}
-			keys = append(keys, key)
-		}
-	}
-
-	return keys
-}
-
-// getSystemDNSKeys gets all DNS keys
-func getSystemDNSKeys() (string, error) {
-	command := "list .*DNS\nquit\n"
-	out, err := runSystemConfigCommand(command)
-	if err != nil {
-		return "", err
-	}
-	return string(out), nil
-}
-
 func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 	line := buildRemoveKeyOperation(key)
 	_, err := runSystemConfigCommand(wrapCommand(line))
@@ -230,11 +184,12 @@ func (s *systemConfigurator) addLocalDNS() error {
 		return nil
 	}

-	domainsStr := strings.Join(s.systemDNSSettings.Domains, " ")
-	if err := s.addDNSState(localKey, domainsStr, s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort, true); err != nil {
-		return fmt.Errorf("add local dns state: %w", err)
+	if err := s.addSearchDomains(
+		localKey,
+		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
+	); err != nil {
+		return fmt.Errorf("add search domains: %w", err)
 	}
-	s.createdKeys[localKey] = struct{}{}

 	return nil
 }
@@ -325,77 +280,28 @@ func (s *systemConfigurator) getOriginalNameservers() []netip.Addr {
 	return slices.Clone(s.origNameservers)
 }

-// splitDomainsIntoBatches splits domains into batches respecting both element count and byte size limits.
-func splitDomainsIntoBatches(domains []string) [][]string {
-	if len(domains) == 0 {
-		return nil
+func (s *systemConfigurator) addSearchDomains(key, domains string, ip netip.Addr, port int) error {
+	err := s.addDNSState(key, domains, ip, port, true)
+	if err != nil {
+		return fmt.Errorf("add dns state: %w", err)
 	}

-	var batches [][]string
-	var current []string
-	currentBytes := 0
+	log.Infof("added %d search domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)

-	for _, d := range domains {
-		domainLen := len(d)
-		newBytes := currentBytes + domainLen
-		if currentBytes > 0 {
-			newBytes++ // space separator
-		}
+	s.createdKeys[key] = struct{}{}

-		if len(current) > 0 && (len(current) >= maxDomainsPerResolverEntry || newBytes > maxDomainBytesPerResolverEntry) {
-			batches = append(batches, current)
-			current = nil
-			currentBytes = 0
-		}
-
-		current = append(current, d)
-		if currentBytes > 0 {
-			currentBytes += 1 + domainLen
-		} else {
-			currentBytes = domainLen
-		}
-	}
-
-	if len(current) > 0 {
-		batches = append(batches, current)
-	}
-
-	return batches
+	return nil
 }

-// removeKeysContaining removes all created keys that contain the given substring.
-func (s *systemConfigurator) removeKeysContaining(suffix string) error {
-	var toRemove []string
-	for key := range s.createdKeys {
-		if strings.Contains(key, suffix) {
-			toRemove = append(toRemove, key)
-		}
-	}
-	var multiErr *multierror.Error
-	for _, key := range toRemove {
-		if err := s.removeKeyFromSystemConfig(key); err != nil {
-			multiErr = multierror.Append(multiErr, fmt.Errorf("couldn't remove key %s: %w", key, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(multiErr)
-}
-
-// addBatchedDomains splits domains into batches and creates indexed scutil keys for each batch.
-func (s *systemConfigurator) addBatchedDomains(suffix string, domains []string, ip netip.Addr, port int, enableSearch bool) error {
-	batches := splitDomainsIntoBatches(domains)
-
-	for i, batch := range batches {
-		key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
-		domainsStr := strings.Join(batch, " ")
-
-		if err := s.addDNSState(key, domainsStr, ip, port, enableSearch); err != nil {
-			return fmt.Errorf("add dns state for batch %d: %w", i, err)
-		}
-
-		s.createdKeys[key] = struct{}{}
+func (s *systemConfigurator) addMatchDomains(key, domains string, dnsServer netip.Addr, port int) error {
+	err := s.addDNSState(key, domains, dnsServer, port, false)
+	if err != nil {
+		return fmt.Errorf("add dns state: %w", err)
 	}

-	log.Infof("added %d %s domains across %d resolver entries", len(domains), suffix, len(batches))
+	log.Infof("added %d match domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
+
+	s.createdKeys[key] = struct{}{}

 	return nil
 }
@@ -458,6 +364,7 @@ func (s *systemConfigurator) flushDNSCache() error {
 	if out, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("restart mDNSResponder: %w, output: %s", err, out)
 	}
+
 	log.Info("flushed DNS cache")
 	return nil
 }
--- a/client/internal/dns/host_darwin_test.go
+++ b/client/internal/dns/host_darwin_test.go
@@ -3,10 +3,7 @@
 package dns

 import (
-	"bufio"
-	"bytes"
 	"context"
-	"fmt"
 	"net/netip"
 	"os/exec"
 	"path/filepath"
@@ -52,22 +49,17 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {

 	require.NoError(t, sm.PersistState(context.Background()))

+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)

-	// Collect all created keys for cleanup verification
-	createdKeys := make([]string, 0, len(configurator.createdKeys))
-	for key := range configurator.createdKeys {
-		createdKeys = append(createdKeys, key)
-	}
-
 	defer func() {
-		for _, key := range createdKeys {
+		for _, key := range []string{searchKey, matchKey, localKey} {
 			_ = removeTestDNSKey(key)
 		}
-		_ = removeTestDNSKey(localKey)
 	}()

-	for _, key := range createdKeys {
+	for _, key := range []string{searchKey, matchKey, localKey} {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		if exists {
@@ -91,223 +83,13 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
 	err = shutdownState.Cleanup()
 	require.NoError(t, err)

-	for _, key := range createdKeys {
+	for _, key := range []string{searchKey, matchKey, localKey} {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
 	}
 }

-// generateShortDomains generates domains like a.com, b.com, ..., aa.com, ab.com, etc.
-func generateShortDomains(count int) []string {
-	domains := make([]string, 0, count)
-	for i := range count {
-		label := ""
-		n := i
-		for {
-			label = string(rune('a'+n%26)) + label
-			n = n/26 - 1
-			if n < 0 {
-				break
-			}
-		}
-		domains = append(domains, label+".com")
-	}
-	return domains
-}
-
-// generateLongDomains generates domains like subdomain-000.department.organization-name.example.com
-func generateLongDomains(count int) []string {
-	domains := make([]string, 0, count)
-	for i := range count {
-		domains = append(domains, fmt.Sprintf("subdomain-%03d.department.organization-name.example.com", i))
-	}
-	return domains
-}
-
-// readDomainsFromKey reads the SupplementalMatchDomains array back from scutil for a given key.
-func readDomainsFromKey(t *testing.T, key string) []string {
-	t.Helper()
-
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader(fmt.Sprintf("open\nshow %s\nquit\n", key))
-	out, err := cmd.Output()
-	require.NoError(t, err, "scutil show should succeed")
-
-	var domains []string
-	inArray := false
-	scanner := bufio.NewScanner(bytes.NewReader(out))
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if strings.HasPrefix(line, "SupplementalMatchDomains") && strings.Contains(line, "<array>") {
-			inArray = true
-			continue
-		}
-		if inArray {
-			if line == "}" {
-				break
-			}
-			// lines look like: "0 : a.com"
-			parts := strings.SplitN(line, " : ", 2)
-			if len(parts) == 2 {
-				domains = append(domains, parts[1])
-			}
-		}
-	}
-	require.NoError(t, scanner.Err())
-	return domains
-}
-
-func TestSplitDomainsIntoBatches(t *testing.T) {
-	tests := []struct {
-		name            string
-		domains         []string
-		expectedCount   int
-		checkAllPresent bool
-	}{
-		{
-			name:          "empty",
-			domains:       nil,
-			expectedCount: 0,
-		},
-		{
-			name:            "under_limit",
-			domains:         generateShortDomains(10),
-			expectedCount:   1,
-			checkAllPresent: true,
-		},
-		{
-			name:            "at_element_limit",
-			domains:         generateShortDomains(50),
-			expectedCount:   1,
-			checkAllPresent: true,
-		},
-		{
-			name:            "over_element_limit",
-			domains:         generateShortDomains(51),
-			expectedCount:   2,
-			checkAllPresent: true,
-		},
-		{
-			name:            "triple_element_limit",
-			domains:         generateShortDomains(150),
-			expectedCount:   3,
-			checkAllPresent: true,
-		},
-		{
-			name:            "long_domains_hit_byte_limit",
-			domains:         generateLongDomains(50),
-			checkAllPresent: true,
-		},
-		{
-			name:            "500_short_domains",
-			domains:         generateShortDomains(500),
-			expectedCount:   10,
-			checkAllPresent: true,
-		},
-		{
-			name:            "500_long_domains",
-			domains:         generateLongDomains(500),
-			checkAllPresent: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			batches := splitDomainsIntoBatches(tc.domains)
-
-			if tc.expectedCount > 0 {
-				assert.Len(t, batches, tc.expectedCount, "expected %d batches", tc.expectedCount)
-			}
-
-			// Verify each batch respects limits
-			for i, batch := range batches {
-				assert.LessOrEqual(t, len(batch), maxDomainsPerResolverEntry,
-					"batch %d exceeds element limit", i)
-
-				totalBytes := 0
-				for j, d := range batch {
-					if j > 0 {
-						totalBytes++
-					}
-					totalBytes += len(d)
-				}
-				assert.LessOrEqual(t, totalBytes, maxDomainBytesPerResolverEntry,
-					"batch %d exceeds byte limit (%d bytes)", i, totalBytes)
-			}
-
-			if tc.checkAllPresent {
-				var all []string
-				for _, batch := range batches {
-					all = append(all, batch...)
-				}
-				assert.Equal(t, tc.domains, all, "all domains should be present in order")
-			}
-		})
-	}
-}
-
-// TestMatchDomainBatching writes increasing numbers of domains via the batching mechanism
-// and verifies all domains are readable across multiple scutil keys.
-func TestMatchDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping scutil integration test in short mode")
-	}
-
-	testCases := []struct {
-		name      string
-		count     int
-		generator func(int) []string
-	}{
-		{"short_10", 10, generateShortDomains},
-		{"short_50", 50, generateShortDomains},
-		{"short_100", 100, generateShortDomains},
-		{"short_200", 200, generateShortDomains},
-		{"short_500", 500, generateShortDomains},
-		{"long_10", 10, generateLongDomains},
-		{"long_50", 50, generateLongDomains},
-		{"long_100", 100, generateLongDomains},
-		{"long_200", 200, generateLongDomains},
-		{"long_500", 500, generateLongDomains},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			configurator := &systemConfigurator{
-				createdKeys: make(map[string]struct{}),
-			}
-
-			defer func() {
-				for key := range configurator.createdKeys {
-					_ = removeTestDNSKey(key)
-				}
-			}()
-
-			domains := tc.generator(tc.count)
-			err := configurator.addBatchedDomains(matchSuffix, domains, netip.MustParseAddr("100.64.0.1"), 53, false)
-			require.NoError(t, err)
-
-			batches := splitDomainsIntoBatches(domains)
-			t.Logf("wrote %d domains across %d batched keys", tc.count, len(batches))
-
-			// Read back all domains from all batched keys
-			var got []string
-			for i := range batches {
-				key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, matchSuffix, i)
-				exists, err := checkDNSKeyExists(key)
-				require.NoError(t, err)
-				require.True(t, exists, "key %s should exist", key)
-
-				got = append(got, readDomainsFromKey(t, key)...)
-			}
-
-			t.Logf("read back %d/%d domains from %d keys", len(got), tc.count, len(batches))
-			assert.Equal(t, tc.count, len(got), "all domains should be readable")
-			assert.Equal(t, domains, got, "domains should match in order")
-		})
-	}
-}
-
 func checkDNSKeyExists(key string) (bool, error) {
 	cmd := exec.Command(scutilPath)
 	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
@@ -376,15 +158,15 @@ func setupTestConfigurator(t *testing.T) (*systemConfigurator, *statemanager.Man
 		createdKeys: make(map[string]struct{}),
 	}

+	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
+	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
+	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
+
 	cleanup := func() {
 		_ = sm.Stop(context.Background())
-		for key := range configurator.createdKeys {
+		for _, key := range []string{searchKey, matchKey, localKey} {
 			_ = removeTestDNSKey(key)
 		}
-		// Also clean up old-format keys and local key in case they exist
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix))
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix))
-		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix))
 	}

 	return configurator, sm, cleanup
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -42,8 +42,6 @@ const (
 	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
 	dnsPolicyConfigConfigOptionsValue   = 0x8

-	nrptMaxDomainsPerRule = 50
-
 	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
@@ -200,11 +198,10 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager

 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
-		// Update count even on error to ensure cleanup covers partially created rules
-		r.nrptEntryCount = count
 		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
+		r.nrptEntryCount = count
 	} else {
 		r.nrptEntryCount = 0
 	}
@@ -242,33 +239,23 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
+	for i, domain := range domains {
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)

-	// We need to batch domains into chunks and create one NRPT rule per batch.
-	ruleIndex := 0
-	for i := 0; i < len(domains); i += nrptMaxDomainsPerRule {
-		end := i + nrptMaxDomainsPerRule
-		if end > len(domains) {
-			end = len(domains)
+		singleDomain := []string{domain}
+
+		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
 		}
-		batchDomains := domains[i:end]
-
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, ruleIndex)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, ruleIndex)
-
-		if err := r.configureDNSPolicy(localPath, batchDomains, ip); err != nil {
-			return ruleIndex, fmt.Errorf("configure DNS Local policy for rule %d: %w", ruleIndex, err)
-		}
-
-		// Increment immediately so the caller's cleanup path knows about this rule
-		ruleIndex++

 		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, batchDomains, ip); err != nil {
-				return ruleIndex, fmt.Errorf("configure gpo DNS policy for rule %d: %w", ruleIndex-1, err)
+			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
+				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
 			}
 		}

-		log.Debugf("added NRPT rule %d with %d domains", ruleIndex-1, len(batchDomains))
+		log.Debugf("added NRPT entry for domain: %s", domain)
 	}

 	if r.gpo {
@@ -277,8 +264,8 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 		}
 	}

-	log.Infof("added %d NRPT rules for %d domains", ruleIndex, len(domains))
-	return ruleIndex, nil
+	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
+	return len(domains), nil
 }

 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {
--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@@ -12,7 +12,6 @@ import (

 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
 // when the number of match domains decreases between configuration changes.
-// With batching enabled (50 domains per rule), we need enough domains to create multiple rules.
 func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping registry integration test in short mode")
@@ -38,60 +37,51 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 		gpo:  false,
 	}

-	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
-	domains125 := make([]DomainConfig, 125)
-	for i := 0; i < 125; i++ {
-		domains125[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config125 := HostDNSConfig{
+	config5 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains125,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+			{Domain: "domain3.com", MatchOnly: true},
+			{Domain: "domain4.com", MatchOnly: true},
+			{Domain: "domain5.com", MatchOnly: true},
+		},
 	}

-	err = cfg.applyDNSConfig(config125, nil)
+	err = cfg.applyDNSConfig(config5, nil)
 	require.NoError(t, err)

-	// Verify 3 NRPT rules exist
-	assert.Equal(t, 3, cfg.nrptEntryCount, "Should create 3 NRPT rules for 125 domains")
-	for i := 0; i < 3; i++ {
+	// Verify all 5 entries exist
+	for i := 0; i < 5; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after first config", i)
+		assert.True(t, exists, "Entry %d should exist after first config", i)
 	}

-	// Reduce to 75 domains which will result in 2 NRPT rules (50+25)
-	domains75 := make([]DomainConfig, 75)
-	for i := 0; i < 75; i++ {
-		domains75[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config75 := HostDNSConfig{
+	config2 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains75,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+		},
 	}

-	err = cfg.applyDNSConfig(config75, nil)
+	err = cfg.applyDNSConfig(config2, nil)
 	require.NoError(t, err)

-	// Verify first 2 NRPT rules exist
-	assert.Equal(t, 2, cfg.nrptEntryCount, "Should create 2 NRPT rules for 75 domains")
+	// Verify first 2 entries exist
 	for i := 0; i < 2; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after second config", i)
+		assert.True(t, exists, "Entry %d should exist after second config", i)
 	}

-	// Verify rule 2 is cleaned up
-	exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, 2))
-	require.NoError(t, err)
-	assert.False(t, exists, "NRPT rule 2 should NOT exist after reducing to 75 domains")
+	// Verify entries 2-4 are cleaned up
+	for i := 2; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
+	}
 }

 func registryKeyExists(path string) (bool, error) {
@@ -107,106 +97,6 @@ func registryKeyExists(path string) (bool, error) {
 }

 func cleanupRegistryKeys(*testing.T) {
-	// Clean up more entries to account for batching tests with many domains
-	cfg := &registryConfigurator{nrptEntryCount: 20}
+	cfg := &registryConfigurator{nrptEntryCount: 10}
 	_ = cfg.removeDNSMatchPolicies()
 }
-
-// TestNRPTDomainBatching verifies that domains are correctly batched into NRPT rules.
-func TestNRPTDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	testCases := []struct {
-		name              string
-		domainCount       int
-		expectedRuleCount int
-	}{
-		{
-			name:              "Less than 50 domains (single rule)",
-			domainCount:       30,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "Exactly 50 domains (single rule)",
-			domainCount:       50,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "51 domains (two rules)",
-			domainCount:       51,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "100 domains (two rules)",
-			domainCount:       100,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "125 domains (three rules: 50+50+25)",
-			domainCount:       125,
-			expectedRuleCount: 3,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// Clean up before each subtest
-			cleanupRegistryKeys(t)
-
-			// Generate domains
-			domains := make([]DomainConfig, tc.domainCount)
-			for i := 0; i < tc.domainCount; i++ {
-				domains[i] = DomainConfig{
-					Domain:    fmt.Sprintf("domain%d.com", i+1),
-					MatchOnly: true,
-				}
-			}
-
-			config := HostDNSConfig{
-				ServerIP: testIP,
-				Domains:  domains,
-			}
-
-			err := cfg.applyDNSConfig(config, nil)
-			require.NoError(t, err)
-
-			// Verify that exactly expectedRuleCount rules were created
-			assert.Equal(t, tc.expectedRuleCount, cfg.nrptEntryCount,
-				"Should create %d NRPT rules for %d domains", tc.expectedRuleCount, tc.domainCount)
-
-			// Verify all expected rules exist
-			for i := 0; i < tc.expectedRuleCount; i++ {
-				exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-				require.NoError(t, err)
-				assert.True(t, exists, "NRPT rule %d should exist", i)
-			}
-
-			// Verify no extra rules were created
-			exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, tc.expectedRuleCount))
-			require.NoError(t, err)
-			assert.False(t, exists, "No NRPT rule should exist at index %d", tc.expectedRuleCount)
-		})
-	}
-}
--- a/client/internal/dns/mgmt/mgmt.go
+++ b/client/internal/dns/mgmt/mgmt.go
@@ -376,9 +376,9 @@ func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.Serve
 		}
 	}

-	// Flow receiver domain is intentionally excluded from caching.
-	// Cloud providers may rotate the IP behind this domain; a stale cached record
-	// causes TLS certificate verification failures on reconnect.
+	if serverDomains.Flow != "" {
+		domains = append(domains, serverDomains.Flow)
+	}

 	for _, stun := range serverDomains.Stuns {
 		if stun != "" {
--- a/client/internal/dns/mgmt/mgmt_test.go
+++ b/client/internal/dns/mgmt/mgmt_test.go
@@ -391,8 +391,7 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	}
 	assert.Len(t, resolver.GetCachedDomains(), 3)

-	// Update with partial ServerDomains (only flow domain - flow is intentionally excluded from
-	// caching to prevent TLS failures from stale records, so all existing domains are preserved)
+	// Update with partial ServerDomains (only flow domain - new type, should preserve all existing)
 	partialDomains := dnsconfig.ServerDomains{
 		Flow: "github.com",
 	}
@@ -401,10 +400,10 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 		t.Skipf("Skipping test due to DNS resolution failure: %v", err)
 	}

-	assert.Len(t, removedDomains, 0, "Should not remove any domains when only flow domain is provided")
+	assert.Len(t, removedDomains, 0, "Should not remove any domains when adding new type")

 	finalDomains := resolver.GetCachedDomains()
-	assert.Len(t, finalDomains, 3, "Flow domain is not cached; all original domains should be preserved")
+	assert.Len(t, finalDomains, 4, "Should have all original domains plus new flow domain")

 	domainStrings := make([]string, len(finalDomains))
 	for i, d := range finalDomains {
@@ -413,5 +412,5 @@ func TestResolver_PartialUpdateAddsNewTypePreservesExisting(t *testing.T) {
 	assert.Contains(t, domainStrings, "example.org")
 	assert.Contains(t, domainStrings, "google.com")
 	assert.Contains(t, domainStrings, "cloudflare.com")
-	assert.NotContains(t, domainStrings, "github.com")
+	assert.Contains(t, domainStrings, "github.com")
 }
--- a/client/internal/dns/mock_server.go
+++ b/client/internal/dns/mock_server.go
@@ -84,18 +84,3 @@ func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
-
-// BeginBatch mock implementation of BeginBatch from Server interface
-func (m *MockServer) BeginBatch() {
-	// Mock implementation - no-op
-}
-
-// EndBatch mock implementation of EndBatch from Server interface
-func (m *MockServer) EndBatch() {
-	// Mock implementation - no-op
-}
-
-// CancelBatch mock implementation of CancelBatch from Server interface
-func (m *MockServer) CancelBatch() {
-	// Mock implementation - no-op
-}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -45,9 +45,6 @@ type IosDnsManager interface {
 type Server interface {
 	RegisterHandler(domains domain.List, handler dns.Handler, priority int)
 	DeregisterHandler(domains domain.List, priority int)
-	BeginBatch()
-	EndBatch()
-	CancelBatch()
 	Initialize() error
 	Stop()
 	DnsIP() netip.Addr
@@ -90,7 +87,6 @@ type DefaultServer struct {
 	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
-	batchMode          bool

 	mgmtCacheResolver *mgmt.Resolver

@@ -238,9 +234,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 		// convert to zone with simple ref counter
 		s.extraDomains[toZone(domain)]++
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
+	s.applyHostConfig()
 }

 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
@@ -269,41 +263,9 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 			delete(s.extraDomains, zone)
 		}
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
-}
-
-// BeginBatch starts batch mode for DNS handler registration/deregistration.
-// In batch mode, applyHostConfig() is not called after each handler operation,
-// allowing multiple handlers to be registered/deregistered efficiently.
-// Must be followed by EndBatch() to apply the accumulated changes.
-func (s *DefaultServer) BeginBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode enabled")
-	s.batchMode = true
-}
-
-// EndBatch ends batch mode and applies all accumulated DNS configuration changes.
-func (s *DefaultServer) EndBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode disabled, applying accumulated changes")
-	s.batchMode = false
 	s.applyHostConfig()
 }

-// CancelBatch cancels batch mode without applying accumulated changes.
-// This is useful when operations fail partway through and you want to
-// discard partial state rather than applying it.
-func (s *DefaultServer) CancelBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode cancelled, discarding accumulated changes")
-	s.batchMode = false
-}
-
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 	log.Debugf("deregistering handler with priority %d for %v", priority, domains)

@@ -561,7 +523,6 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.currentConfig.RouteAll = false
 	}

-	// Always apply host config for management updates, regardless of batch mode
 	s.applyHostConfig()

 	s.shutdownWg.Add(1)
@@ -926,7 +887,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			}
 		}

-		// Always apply host config when nameserver goes down, regardless of batch mode
 		s.applyHostConfig()

 		go func() {
@@ -962,7 +922,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
 		}

-		// Always apply host config when nameserver reactivates, regardless of batch mode
 		s.applyHostConfig()

 		s.updateNSState(nsGroup, nil, true)
--- a/client/internal/dns/server_export_test.go
+++ b/client/internal/dns/server_export_test.go
@@ -18,12 +18,7 @@ func TestGetServerDns(t *testing.T) {
 		t.Errorf("invalid dns server instance: %s", err)
 	}

-	mockSrvB, ok := srvB.(*MockServer)
-	if !ok {
-		t.Errorf("returned server is not a MockServer")
-	}
-
-	if mockSrvB != srv {
+	if srvB != srv {
 		t.Errorf("mismatch dns instances")
 	}
 }
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -351,13 +351,9 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 		return fmt.Errorf("upstream check call error")
 	}

-	err := backoff.Retry(operation, backoff.WithContext(exponentialBackOff, u.ctx))
+	err := backoff.Retry(operation, exponentialBackOff)
 	if err != nil {
-		if errors.Is(err, context.Canceled) {
-			log.Debugf("upstream retry loop exited for upstreams %s", u.upstreamServersString())
-		} else {
-			log.Warnf("upstream retry loop exited for upstreams %s: %v", u.upstreamServersString(), err)
-		}
+		log.Warn(err)
 		return
 	}

--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -28,15 +28,14 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
+	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
-	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
@@ -54,11 +53,13 @@ import (
 	"github.com/netbirdio/netbird/client/internal/updatemanager"
 	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/shared/management/domain"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
+
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -74,6 +75,7 @@ import (
 const (
 	PeerConnectionTimeoutMax = 45000 // ms
 	PeerConnectionTimeoutMin = 30000 // ms
+	connInitLimit            = 200
 	disableAutoUpdate        = "disabled"
 )

@@ -206,6 +208,7 @@ type Engine struct {
 	syncRespMux         sync.RWMutex
 	persistSyncResponse bool
 	latestSyncResponse  *mgmProto.SyncResponse
+	connSemaphore       *semaphoregroup.SemaphoreGroup
 	flowManager         nftypes.FlowManager

 	// auto-update
@@ -221,8 +224,6 @@ type Engine struct {

 	jobExecutor   *jobexec.Executor
 	jobExecutorWG sync.WaitGroup
-
-	exposeManager *expose.Manager
 }

 // Peer is an instance of the Connection Peer
@@ -265,6 +266,7 @@ func NewEngine(
 		statusRecorder: statusRecorder,
 		stateManager:   stateManager,
 		checks:         checks,
+		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
 		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
 		jobExecutor:    jobexec.NewExecutor(),
 	}
@@ -417,7 +419,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		e.cancel()
 	}
 	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
-	e.exposeManager = expose.NewManager(e.ctx, e.mgmClient)

 	wgIface, err := e.newWgIface()
 	if err != nil {
@@ -800,7 +801,7 @@ func (e *Engine) handleAutoUpdateVersion(autoUpdateSettings *mgmProto.AutoUpdate

 	disabled := autoUpdateSettings.Version == disableAutoUpdate

-	// stop and cleanup if disabled
+	// Stop and cleanup if disabled
 	if e.updateManager != nil && disabled {
 		log.Infof("auto-update is disabled, stopping update manager")
 		e.updateManager.Stop()
@@ -1538,6 +1539,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 		IFaceDiscover:  e.mobileDep.IFaceDiscover,
 		RelayManager:   e.relayManager,
 		SrWatcher:      e.srWatcher,
+		Semaphore:      e.connSemaphore,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1560,10 +1562,8 @@ func (e *Engine) receiveSignalEvents() {
 		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
-			start := time.Now()
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
-			gotLock := time.Since(start)

 			// Check context INSIDE lock to ensure atomicity with shutdown
 			if e.ctx.Err() != nil {
@@ -1587,8 +1587,6 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}

-				log.Debugf("receiveMSG: took %s to get lock for peer %s with session id %s", gotLock, msg.Key, offerAnswer.SessionID)
-
 				if msg.Body.Type == sProto.Body_OFFER {
 					conn.OnRemoteOffer(*offerAnswer)
 				} else {
@@ -1822,18 +1820,11 @@ func (e *Engine) GetRouteManager() routemanager.Manager {
 	return e.routeManager
 }

-// GetFirewallManager returns the firewall manager.
+// GetFirewallManager returns the firewall manager
 func (e *Engine) GetFirewallManager() firewallManager.Manager {
 	return e.firewall
 }

-// GetExposeManager returns the expose session manager.
-func (e *Engine) GetExposeManager() *expose.Manager {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	return e.exposeManager
-}
-
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
--- a/client/internal/expose/manager.go
+++ b/client/internal/expose/manager.go
@@ -1,95 +0,0 @@
-package expose
-
-import (
-	"context"
-	"time"
-
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-	log "github.com/sirupsen/logrus"
-)
-
-const renewTimeout = 10 * time.Second
-
-// Response holds the response from exposing a service.
-type Response struct {
-	ServiceName string
-	ServiceURL  string
-	Domain      string
-}
-
-type Request struct {
-	NamePrefix string
-	Domain     string
-	Port       uint16
-	Protocol   int
-	Pin        string
-	Password   string
-	UserGroups []string
-}
-
-type ManagementClient interface {
-	CreateExpose(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error)
-	RenewExpose(ctx context.Context, domain string) error
-	StopExpose(ctx context.Context, domain string) error
-}
-
-// Manager handles expose session lifecycle via the management client.
-type Manager struct {
-	mgmClient ManagementClient
-	ctx       context.Context
-}
-
-// NewManager creates a new expose Manager using the given management client.
-func NewManager(ctx context.Context, mgmClient ManagementClient) *Manager {
-	return &Manager{mgmClient: mgmClient, ctx: ctx}
-}
-
-// Expose creates a new expose session via the management server.
-func (m *Manager) Expose(ctx context.Context, req Request) (*Response, error) {
-	log.Infof("exposing service on port %d", req.Port)
-	resp, err := m.mgmClient.CreateExpose(ctx, toClientExposeRequest(req))
-	if err != nil {
-		return nil, err
-	}
-
-	log.Infof("expose session created for %s", resp.Domain)
-
-	return fromClientExposeResponse(resp), nil
-}
-
-func (m *Manager) KeepAlive(ctx context.Context, domain string) error {
-	ticker := time.NewTicker(30 * time.Second)
-	defer ticker.Stop()
-	defer m.stop(domain)
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Infof("context canceled, stopping keep alive for %s", domain)
-
-			return nil
-		case <-ticker.C:
-			if err := m.renew(ctx, domain); err != nil {
-				log.Errorf("renewing expose session for %s: %v", domain, err)
-				return err
-			}
-		}
-	}
-}
-
-// renew extends the TTL of an active expose session.
-func (m *Manager) renew(ctx context.Context, domain string) error {
-	renewCtx, cancel := context.WithTimeout(ctx, renewTimeout)
-	defer cancel()
-	return m.mgmClient.RenewExpose(renewCtx, domain)
-}
-
-// stop terminates an active expose session.
-func (m *Manager) stop(domain string) {
-	stopCtx, cancel := context.WithTimeout(m.ctx, renewTimeout)
-	defer cancel()
-	err := m.mgmClient.StopExpose(stopCtx, domain)
-	if err != nil {
-		log.Warnf("Failed stopping expose session for %s: %v", domain, err)
-	}
-}
--- a/client/internal/expose/manager_test.go
+++ b/client/internal/expose/manager_test.go
@@ -1,95 +0,0 @@
-package expose
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	daemonProto "github.com/netbirdio/netbird/client/proto"
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-)
-
-func TestManager_Expose_Success(t *testing.T) {
-	mock := &mgm.MockClient{
-		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
-			return &mgm.ExposeResponse{
-				ServiceName: "my-service",
-				ServiceURL:  "https://my-service.example.com",
-				Domain:      "my-service.example.com",
-			}, nil
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	result, err := m.Expose(context.Background(), Request{Port: 8080})
-	require.NoError(t, err)
-	assert.Equal(t, "my-service", result.ServiceName, "service name should match")
-	assert.Equal(t, "https://my-service.example.com", result.ServiceURL, "service URL should match")
-	assert.Equal(t, "my-service.example.com", result.Domain, "domain should match")
-}
-
-func TestManager_Expose_Error(t *testing.T) {
-	mock := &mgm.MockClient{
-		CreateExposeFunc: func(ctx context.Context, req mgm.ExposeRequest) (*mgm.ExposeResponse, error) {
-			return nil, errors.New("permission denied")
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	_, err := m.Expose(context.Background(), Request{Port: 8080})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "permission denied", "error should propagate")
-}
-
-func TestManager_Renew_Success(t *testing.T) {
-	mock := &mgm.MockClient{
-		RenewExposeFunc: func(ctx context.Context, domain string) error {
-			assert.Equal(t, "my-service.example.com", domain, "domain should be passed through")
-			return nil
-		},
-	}
-
-	m := NewManager(context.Background(), mock)
-	err := m.renew(context.Background(), "my-service.example.com")
-	require.NoError(t, err)
-}
-
-func TestManager_Renew_Timeout(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	mock := &mgm.MockClient{
-		RenewExposeFunc: func(ctx context.Context, domain string) error {
-			return ctx.Err()
-		},
-	}
-
-	m := NewManager(ctx, mock)
-	err := m.renew(ctx, "my-service.example.com")
-	require.Error(t, err)
-}
-
-func TestNewRequest(t *testing.T) {
-	req := &daemonProto.ExposeServiceRequest{
-		Port:       8080,
-		Protocol:   daemonProto.ExposeProtocol_EXPOSE_HTTPS,
-		Pin:        "123456",
-		Password:   "secret",
-		UserGroups: []string{"group1", "group2"},
-		Domain:     "custom.example.com",
-		NamePrefix: "my-prefix",
-	}
-
-	exposeReq := NewRequest(req)
-
-	assert.Equal(t, uint16(8080), exposeReq.Port, "port should match")
-	assert.Equal(t, int(daemonProto.ExposeProtocol_EXPOSE_HTTPS), exposeReq.Protocol, "protocol should match")
-	assert.Equal(t, "123456", exposeReq.Pin, "pin should match")
-	assert.Equal(t, "secret", exposeReq.Password, "password should match")
-	assert.Equal(t, []string{"group1", "group2"}, exposeReq.UserGroups, "user groups should match")
-	assert.Equal(t, "custom.example.com", exposeReq.Domain, "domain should match")
-	assert.Equal(t, "my-prefix", exposeReq.NamePrefix, "name prefix should match")
-}
--- a/client/internal/expose/request.go
+++ b/client/internal/expose/request.go
@@ -1,39 +0,0 @@
-package expose
-
-import (
-	daemonProto "github.com/netbirdio/netbird/client/proto"
-	mgm "github.com/netbirdio/netbird/shared/management/client"
-)
-
-// NewRequest converts a daemon ExposeServiceRequest to a management ExposeServiceRequest.
-func NewRequest(req *daemonProto.ExposeServiceRequest) *Request {
-	return &Request{
-		Port:       uint16(req.Port),
-		Protocol:   int(req.Protocol),
-		Pin:        req.Pin,
-		Password:   req.Password,
-		UserGroups: req.UserGroups,
-		Domain:     req.Domain,
-		NamePrefix: req.NamePrefix,
-	}
-}
-
-func toClientExposeRequest(req Request) mgm.ExposeRequest {
-	return mgm.ExposeRequest{
-		NamePrefix: req.NamePrefix,
-		Domain:     req.Domain,
-		Port:       req.Port,
-		Protocol:   req.Protocol,
-		Pin:        req.Pin,
-		Password:   req.Password,
-		UserGroups: req.UserGroups,
-	}
-}
-
-func fromClientExposeResponse(response *mgm.ExposeResponse) *Response {
-	return &Response{
-		ServiceName: response.ServiceName,
-		Domain:      response.Domain,
-		ServiceURL:  response.ServiceURL,
-	}
-}
--- a/client/internal/networkmonitor/check_change_common.go
+++ b/client/internal/networkmonitor/check_change_common.go
@@ -22,56 +22,51 @@ func prepareFd() (int, error) {

 func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
 	for {
-		// Wait until fd is readable or context is cancelled, to avoid a busy-loop
-		// when the routing socket returns EAGAIN (e.g. immediately after wakeup).
-		if err := waitReadable(ctx, fd); err != nil {
-			return err
-		}
-
-		buf := make([]byte, 2048)
-		n, err := unix.Read(fd, buf)
-		if err != nil {
-			if errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EINTR) {
-				continue
-			}
-			if errors.Is(err, unix.EBADF) || errors.Is(err, unix.EINVAL) {
-				return fmt.Errorf("routing socket closed: %w", err)
-			}
-			return fmt.Errorf("read routing socket: %w", err)
-		}
-
-		if n < unix.SizeofRtMsghdr {
-			log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-			continue
-		}
-
-		msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-		switch msg.Type {
-		// handle route changes
-		case unix.RTM_ADD, syscall.RTM_DELETE:
-			route, err := parseRouteMessage(buf[:n])
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
 			if err != nil {
-				log.Debugf("Network monitor: error parsing routing message: %v", err)
+				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
+					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
+				}
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
 				continue
 			}

-			if route.Dst.Bits() != 0 {
-				continue
-			}
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))

-			intf := "<nil>"
-			if route.Interface != nil {
-				intf = route.Interface.Name
-			}
 			switch msg.Type {
-			case unix.RTM_ADD:
-				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-				return nil
-			case unix.RTM_DELETE:
-				if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-					log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Debugf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if route.Dst.Bits() != 0 {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
 					return nil
+				case unix.RTM_DELETE:
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						return nil
+					}
 				}
 			}
 		}
@@ -95,33 +90,3 @@ func parseRouteMessage(buf []byte) (*systemops.Route, error) {

 	return systemops.MsgToRoute(msg)
 }
-
-// waitReadable blocks until fd has data to read, or ctx is cancelled.
-func waitReadable(ctx context.Context, fd int) error {
-	var fdset unix.FdSet
-	if fd < 0 || fd/unix.NFDBITS >= len(fdset.Bits) {
-		return fmt.Errorf("fd %d out of range for FdSet", fd)
-	}
-
-	for {
-		if err := ctx.Err(); err != nil {
-			return err
-		}
-
-		fdset = unix.FdSet{}
-		fdset.Set(fd)
-		// Use a 1-second timeout so we can re-check ctx periodically.
-		tv := unix.Timeval{Sec: 1}
-		n, err := unix.Select(fd+1, &fdset, nil, nil, &tv)
-		if err != nil {
-			if errors.Is(err, unix.EINTR) {
-				continue
-			}
-			return fmt.Errorf("select on routing socket: %w", err)
-		}
-		if n > 0 {
-			return nil
-		}
-		// timeout — loop back and re-check ctx
-	}
-}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -3,6 +3,7 @@ package peer
 import (
 	"context"
 	"fmt"
+	"math/rand"
 	"net"
 	"net/netip"
 	"runtime"
@@ -24,6 +25,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 type ServiceDependencies struct {
@@ -32,6 +34,7 @@ type ServiceDependencies struct {
 	IFaceDiscover      stdnet.ExternalIFaceDiscover
 	RelayManager       *relayClient.Manager
 	SrWatcher          *guard.SRWatcher
+	Semaphore          *semaphoregroup.SemaphoreGroup
 	PeerConnDispatcher *dispatcher.ConnectionDispatcher
 }

@@ -108,8 +111,9 @@ type Conn struct {
 	wgProxyRelay wgproxy.Proxy
 	handshaker   *Handshaker

-	guard *guard.Guard
-	wg    sync.WaitGroup
+	guard     *guard.Guard
+	semaphore *semaphoregroup.SemaphoreGroup
+	wg        sync.WaitGroup

 	// debug purpose
 	dumpState *stateDump
@@ -135,6 +139,7 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 		iFaceDiscover:   services.IFaceDiscover,
 		relayManager:    services.RelayManager,
 		srWatcher:       services.SrWatcher,
+		semaphore:       services.Semaphore,
 		statusRelay:     worker.NewAtomicStatus(),
 		statusICE:       worker.NewAtomicStatus(),
 		dumpState:       dumpState,
@@ -149,10 +154,15 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 // It will try to establish a connection using ICE and in parallel with relay. The higher priority connection type will
 // be used.
 func (conn *Conn) Open(engineCtx context.Context) error {
+	if err := conn.semaphore.Add(engineCtx); err != nil {
+		return err
+	}
+
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

 	if conn.opened {
+		conn.semaphore.Done()
 		return nil
 	}

@@ -163,6 +173,7 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
 	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
 	if err != nil {
+		conn.semaphore.Done()
 		return err
 	}
 	conn.workerICE = workerICE
@@ -196,6 +207,10 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	conn.wg.Add(1)
 	go func() {
 		defer conn.wg.Done()
+
+		conn.waitInitialRandomSleepTime(conn.ctx)
+		conn.semaphore.Done()
+
 		conn.guard.Start(conn.ctx, conn.onGuardEvent)
 	}()
 	conn.opened = true
@@ -395,7 +410,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
 }

-func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
+func (conn *Conn) onICEStateDisconnected() {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

@@ -415,18 +430,14 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 	if conn.isReadyToUpgrade() {
 		conn.Log.Infof("ICE disconnected, set Relay to active connection")
 		conn.dumpState.SwitchToRelay()
-		if sessionChanged {
-			conn.resetEndpoint()
-		}
-
-		// todo consider to move after the ConfigureWGEndpoint
 		conn.wgProxyRelay.Work()

 		presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-		if err := conn.endpointUpdater.SwitchWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+		if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
 			conn.Log.Errorf("failed to switch to relay conn: %v", err)
 		}

+		conn.wgProxyRelay.Work()
 		conn.currentConnPriority = conntype.Relay
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -488,22 +499,20 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 		return
 	}

-	controller := isController(conn.config)
+	wgProxy.Work()
+	presharedKey := conn.presharedKey(rci.rosenpassPubKey)

-	if controller {
-		wgProxy.Work()
-	}
 	conn.enableWgWatcherIfNeeded()
-	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
+
+	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
 		}
 		conn.Log.Errorf("Failed to update WireGuard peer configuration: %v", err)
 		return
 	}
-	if !controller {
-		wgProxy.Work()
-	}
+
+	wgConfigWorkaround()
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()
@@ -655,6 +664,19 @@ func (conn *Conn) doOnConnected(remoteRosenpassPubKey []byte, remoteRosenpassAdd
 	}
 }

+func (conn *Conn) waitInitialRandomSleepTime(ctx context.Context) {
+	maxWait := 300
+	duration := time.Duration(rand.Intn(maxWait)) * time.Millisecond
+
+	timeout := time.NewTimer(duration)
+	defer timeout.Stop()
+
+	select {
+	case <-ctx.Done():
+	case <-timeout.C:
+	}
+}
+
 func (conn *Conn) isRelayed() bool {
 	switch conn.currentConnPriority {
 	case conntype.Relay, conntype.ICETurn:
@@ -735,17 +757,6 @@ func (conn *Conn) newProxy(remoteConn net.Conn) (wgproxy.Proxy, error) {
 	return wgProxy, nil
 }

-func (conn *Conn) resetEndpoint() {
-	if !isController(conn.config) {
-		return
-	}
-	conn.Log.Infof("reset wg endpoint")
-	conn.wgWatcher.Reset()
-	if err := conn.endpointUpdater.RemoveEndpointAddress(); err != nil {
-		conn.Log.Warnf("failed to remove endpoint address before update: %v", err)
-	}
-}
-
 func (conn *Conn) isReadyToUpgrade() bool {
 	return conn.wgProxyRelay != nil && conn.currentConnPriority != conntype.Relay
 }
@@ -851,3 +862,9 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
+
+// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
+// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
+func wgConfigWorkaround() {
+	time.Sleep(100 * time.Millisecond)
+}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/util"
+	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )

 var testDispatcher = dispatcher.NewConnectionDispatcher()
@@ -52,6 +53,7 @@ func TestConn_GetKey(t *testing.T) {

 	sd := ServiceDependencies{
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -69,6 +71,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
@@ -107,6 +110,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	sd := ServiceDependencies{
 		StatusRecorder:     NewRecorder("https://mgm"),
 		SrWatcher:          swWatcher,
+		Semaphore:          semaphoregroup.NewSemaphoreGroup(1),
 		PeerConnDispatcher: testDispatcher,
 	}
 	conn, err := NewConn(connConf, sd)
--- a/client/internal/peer/endpoint.go
+++ b/client/internal/peer/endpoint.go
@@ -34,27 +34,28 @@ func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *E
 	}
 }

+// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
+// The initiator immediately configures the endpoint, while the non-initiator
+// waits for a fallback period before configuring to avoid handshake congestion.
 func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
 	e.mu.Lock()
 	defer e.mu.Unlock()

 	if e.initiator {
-		e.log.Debugf("configure up WireGuard as initiator")
-		return e.configureAsInitiator(addr, presharedKey)
+		e.log.Debugf("configure up WireGuard as initiatr")
+		return e.updateWireGuardPeer(addr, presharedKey)
 	}

-	e.log.Debugf("configure up WireGuard as responder")
-	return e.configureAsResponder(addr, presharedKey)
-}
-
-func (e *EndpointUpdater) SwitchWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
 	// prevent to run new update while cancel the previous update
 	e.waitForCloseTheDelayedUpdate()

-	return e.updateWireGuardPeer(addr, presharedKey)
+	var ctx context.Context
+	ctx, e.cancelFunc = context.WithCancel(context.Background())
+	e.updateWg.Add(1)
+	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
+
+	e.log.Debugf("configure up WireGuard and wait for handshake")
+	return e.updateWireGuardPeer(nil, presharedKey)
 }

 func (e *EndpointUpdater) RemoveWgPeer() error {
@@ -65,38 +66,6 @@ func (e *EndpointUpdater) RemoveWgPeer() error {
 	return e.wgConfig.WgInterface.RemovePeer(e.wgConfig.RemoteKey)
 }

-func (e *EndpointUpdater) RemoveEndpointAddress() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	e.waitForCloseTheDelayedUpdate()
-	return e.wgConfig.WgInterface.RemoveEndpointAddress(e.wgConfig.RemoteKey)
-}
-
-func (e *EndpointUpdater) configureAsInitiator(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (e *EndpointUpdater) configureAsResponder(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	// prevent to run new update while cancel the previous update
-	e.waitForCloseTheDelayedUpdate()
-
-	e.log.Debugf("configure up WireGuard and wait for handshake")
-	var ctx context.Context
-	ctx, e.cancelFunc = context.WithCancel(context.Background())
-	e.updateWg.Add(1)
-	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-	if err := e.updateWireGuardPeer(nil, presharedKey); err != nil {
-		e.waitForCloseTheDelayedUpdate()
-		return err
-	}
-	return nil
-}
-
 func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
 	if e.cancelFunc == nil {
 		return
@@ -132,9 +101,3 @@ func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKe
 		presharedKey,
 	)
 }
-
-// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
-// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
-func wgConfigWorkaround() {
-	time.Sleep(100 * time.Millisecond)
-}
--- a/client/internal/peer/wg_watcher.go
+++ b/client/internal/peer/wg_watcher.go
@@ -32,8 +32,6 @@ type WGWatcher struct {

 	enabled   bool
 	muEnabled sync.RWMutex
-
-	resetCh chan struct{}
 }

 func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey string, stateDump *stateDump) *WGWatcher {
@@ -42,7 +40,6 @@ func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey strin
 		wgIfaceStater: wgIfaceStater,
 		peerKey:       peerKey,
 		stateDump:     stateDump,
-		resetCh:       make(chan struct{}, 1),
 	}
 }

@@ -79,15 +76,6 @@ func (w *WGWatcher) IsEnabled() bool {
 	return w.enabled
 }

-// Reset signals the watcher that the WireGuard peer has been reset and a new
-// handshake is expected. This restarts the handshake timeout from scratch.
-func (w *WGWatcher) Reset() {
-	select {
-	case w.resetCh <- struct{}{}:
-	default:
-	}
-}
-
 // wgStateCheck help to check the state of the WireGuard handshake and relay connection
 func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn func(), enabledTime time.Time, initialHandshake time.Time) {
 	w.log.Infof("WireGuard watcher started")
@@ -117,12 +105,6 @@ func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn
 			w.stateDump.WGcheckSuccess()

 			w.log.Debugf("WireGuard watcher reset timer: %v", resetTime)
-		case <-w.resetCh:
-			w.log.Infof("WireGuard watcher received peer reset, restarting handshake timeout")
-			lastHandshake = time.Time{}
-			enabledTime = time.Now()
-			timer.Stop()
-			timer.Reset(wgHandshakeOvertime)
 		case <-ctx.Done():
 			w.log.Infof("WireGuard watcher stopped")
 			return
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -52,9 +52,8 @@ type WorkerICE struct {
 	// increase by one when disconnecting the agent
 	// with it the remote peer can discard the already deprecated offer/answer
 	// Without it the remote peer may recreate a workable ICE connection
-	sessionID            ICESessionID
-	remoteSessionChanged bool
-	muxAgent             sync.Mutex
+	sessionID ICESessionID
+	muxAgent  sync.Mutex

 	localUfrag string
 	localPwd   string
@@ -107,7 +106,6 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 			return
 		}
 		w.log.Debugf("agent already exists, recreate the connection")
-		w.remoteSessionChanged = true
 		w.agentDialerCancel()
 		if w.agent != nil {
 			if err := w.agent.Close(); err != nil {
@@ -308,17 +306,13 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }

-func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) bool {
+func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}

 	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-
-	sessionChanged := w.remoteSessionChanged
-	w.remoteSessionChanged = false

 	if w.agent == agent {
 		// consider to remove from here and move to the OnNewOffer
@@ -331,7 +325,7 @@ func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.C
 		w.agentConnecting = false
 		w.remoteSessionID = ""
 	}
-	return sessionChanged
+	w.muxAgent.Unlock()
 }

 func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
@@ -432,11 +426,11 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 			// ice.ConnectionStateClosed happens when we recreate the agent. For the P2P to TURN switch important to
 			// notify the conn.onICEStateDisconnected changes to update the current used priority

-			sessionChanged := w.closeAgent(agent, dialerCancel)
+			w.closeAgent(agent, dialerCancel)

 			if w.lastKnownState == ice.ConnectionStateConnected {
 				w.lastKnownState = ice.ConnectionStateDisconnected
-				w.conn.onICEStateDisconnected(sessionChanged)
+				w.conn.onICEStateDisconnected()
 			}
 		default:
 			return
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -198,7 +198,7 @@ func getConfigDirForUser(username string) (string, error) {

 	configDir := filepath.Join(DefaultConfigPathDir, username)
 	if _, err := os.Stat(configDir); os.IsNotExist(err) {
-		if err := os.MkdirAll(configDir, 0700); err != nil {
+		if err := os.MkdirAll(configDir, 0600); err != nil {
 			return "", err
 		}
 	}
@@ -206,15 +206,9 @@ func getConfigDirForUser(username string) (string, error) {
 	return configDir, nil
 }

-func fileExists(path string) (bool, error) {
+func fileExists(path string) bool {
 	_, err := os.Stat(path)
-	if err == nil {
-		return true, nil
-	}
-	if os.IsNotExist(err) {
-		return false, nil
-	}
-	return false, err
+	return !os.IsNotExist(err)
 }

 // createNewConfig creates a new config generating a new Wireguard key and saving to file
@@ -641,11 +635,7 @@ func isPreSharedKeyHidden(preSharedKey *string) bool {

 // UpdateConfig update existing configuration according to input configuration and return with the configuration
 func UpdateConfig(input ConfigInput) (*Config, error) {
-	configExists, err := fileExists(input.ConfigPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if config file exists: %w", err)
-	}
-	if !configExists {
+	if !fileExists(input.ConfigPath) {
 		return nil, fmt.Errorf("config file %s does not exist", input.ConfigPath)
 	}

@@ -654,11 +644,7 @@ func UpdateConfig(input ConfigInput) (*Config, error) {

 // UpdateOrCreateConfig reads existing config or generates a new one
 func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
-	configExists, err := fileExists(input.ConfigPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if config file exists: %w", err)
-	}
-	if !configExists {
+	if !fileExists(input.ConfigPath) {
 		log.Infof("generating new config %s", input.ConfigPath)
 		cfg, err := createNewConfig(input)
 		if err != nil {
@@ -671,7 +657,7 @@ func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
 	if isPreSharedKeyHidden(input.PreSharedKey) {
 		input.PreSharedKey = nil
 	}
-	err = util.EnforcePermission(input.ConfigPath)
+	err := util.EnforcePermission(input.ConfigPath)
 	if err != nil {
 		log.Errorf("failed to enforce permission on config dir: %v", err)
 	}
@@ -798,12 +784,7 @@ func ReadConfig(configPath string) (*Config, error) {

 // ReadConfig read config file and return with Config. If it is not exists create a new with default values
 func readConfig(configPath string, createIfMissing bool) (*Config, error) {
-	configExists, err := fileExists(configPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if config file exists: %w", err)
-	}
-
-	if configExists {
+	if fileExists(configPath) {
 		err := util.EnforcePermission(configPath)
 		if err != nil {
 			log.Errorf("failed to enforce permission on config dir: %v", err)
@@ -850,11 +831,7 @@ func DirectWriteOutConfig(path string, config *Config) error {
 // DirectUpdateOrCreateConfig is like UpdateOrCreateConfig but uses direct (non-atomic) writes.
 // Use this on platforms where atomic writes are blocked (e.g., tvOS sandbox).
 func DirectUpdateOrCreateConfig(input ConfigInput) (*Config, error) {
-	configExists, err := fileExists(input.ConfigPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if config file exists: %w", err)
-	}
-	if !configExists {
+	if !fileExists(input.ConfigPath) {
 		log.Infof("generating new config %s", input.ConfigPath)
 		cfg, err := createNewConfig(input)
 		if err != nil {
--- a/client/internal/profilemanager/service.go
+++ b/client/internal/profilemanager/service.go
@@ -256,11 +256,7 @@ func (s *ServiceManager) AddProfile(profileName, username string) error {
 	}

 	profPath := filepath.Join(configDir, profileName+".json")
-	profileExists, err := fileExists(profPath)
-	if err != nil {
-		return fmt.Errorf("failed to check if profile exists: %w", err)
-	}
-	if profileExists {
+	if fileExists(profPath) {
 		return ErrProfileAlreadyExists
 	}

@@ -289,11 +285,7 @@ func (s *ServiceManager) RemoveProfile(profileName, username string) error {
 		return fmt.Errorf("cannot remove profile with reserved name: %s", defaultProfileName)
 	}
 	profPath := filepath.Join(configDir, profileName+".json")
-	profileExists, err := fileExists(profPath)
-	if err != nil {
-		return fmt.Errorf("failed to check if profile exists: %w", err)
-	}
-	if !profileExists {
+	if !fileExists(profPath) {
 		return ErrProfileNotFound
 	}

--- a/client/internal/profilemanager/state.go
+++ b/client/internal/profilemanager/state.go
@@ -20,11 +20,7 @@ func (pm *ProfileManager) GetProfileState(profileName string) (*ProfileState, er
 	}

 	stateFile := filepath.Join(configDir, profileName+".state.json")
-	stateFileExists, err := fileExists(stateFile)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if profile state file exists: %w", err)
-	}
-	if !stateFileExists {
+	if !fileExists(stateFile) {
 		return nil, errors.New("profile state file does not exist")
 	}

--- a/client/internal/routemanager/client/client.go
+++ b/client/internal/routemanager/client/client.go
@@ -263,14 +263,8 @@ func (w *Watcher) watchPeerStatusChanges(ctx context.Context, peerKey string, pe
 		case <-closer:
 			return
 		case routerStates := <-subscription.Events():
-			select {
-			case peerStateUpdate <- routerStates:
-				log.Debugf("triggered route state update for Peer: %s", peerKey)
-			case <-ctx.Done():
-				return
-			case <-closer:
-				return
-			}
+			peerStateUpdate <- routerStates
+			log.Debugf("triggered route state update for Peer: %s", peerKey)
 		}
 	}
 }
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -351,11 +351,6 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg, logger *log.
 				logger.Errorf("failed to update domain prefixes: %v", err)
 			}

-			// Allow time for route changes to be applied before sending
-			// the DNS response (relevant on iOS where setTunnelNetworkSettings
-			// is asynchronous).
-			waitForRouteSettlement(logger)
-
 			d.replaceIPsInDNSResponse(r, newPrefixes, logger)
 		}
 	}
--- a/client/internal/routemanager/dnsinterceptor/handler_ios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_ios.go
@@ -1,20 +0,0 @@
-//go:build ios
-
-package dnsinterceptor
-
-import (
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const routeSettleDelay = 500 * time.Millisecond
-
-// waitForRouteSettlement introduces a short delay on iOS to allow
-// setTunnelNetworkSettings to apply route changes before the DNS
-// response reaches the application. Without this, the first request
-// to a newly resolved domain may bypass the tunnel.
-func waitForRouteSettlement(logger *log.Entry) {
-	logger.Tracef("waiting %v for iOS route settlement", routeSettleDelay)
-	time.Sleep(routeSettleDelay)
-}
--- a/client/internal/routemanager/dnsinterceptor/handler_nonios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_nonios.go
@@ -1,12 +0,0 @@
-//go:build !ios
-
-package dnsinterceptor
-
-import log "github.com/sirupsen/logrus"
-
-func waitForRouteSettlement(_ *log.Entry) {
-	// No-op on non-iOS platforms: route changes are applied synchronously by
-	// the kernel, so no settlement delay is needed before the DNS response
-	// reaches the application. The delay is only required on iOS where
-	// setTunnelNetworkSettings applies routes asynchronously.
-}
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -346,23 +346,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 	}

 	var merr *multierror.Error
-
-	// Begin batch mode to avoid calling applyHostConfig() after each DNS handler operation
-	batchStarted := false
-	if m.dnsServer != nil {
-		m.dnsServer.BeginBatch()
-		batchStarted = true
-		defer func() {
-			if merr != nil {
-				// On error, cancel batch to discard partial DNS state
-				m.dnsServer.CancelBatch()
-			} else {
-				// On success, apply accumulated DNS changes
-				m.dnsServer.EndBatch()
-			}
-		}()
-	}
-
 	for id, handler := range toRemove {
 		if err := handler.RemoveRoute(); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove route %s: %w", handler.String(), err))
@@ -393,7 +376,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 		m.activeRoutes[id] = handler
 	}

-	_ = batchStarted // Mark as used
 	return nberrors.FormatErrorOrNil(merr)
 }

--- a/client/internal/sleep/handler/handler.go
+++ b/client/internal/sleep/handler/handler.go
@@ -1,80 +0,0 @@
-package handler
-
-import (
-	"context"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-type Agent interface {
-	Up(ctx context.Context) error
-	Down(ctx context.Context) error
-	Status() (internal.StatusType, error)
-}
-
-type SleepHandler struct {
-	agent Agent
-
-	mu sync.Mutex
-	// sleepTriggeredDown indicates whether the sleep handler triggered the last client down, to avoid unnecessary up on wake
-	sleepTriggeredDown bool
-}
-
-func New(agent Agent) *SleepHandler {
-	return &SleepHandler{
-		agent: agent,
-	}
-}
-
-func (s *SleepHandler) HandleWakeUp(ctx context.Context) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if !s.sleepTriggeredDown {
-		log.Info("skipping up because wasn't sleep down")
-		return nil
-	}
-
-	// avoid other wakeup runs if sleep didn't make the computer sleep
-	s.sleepTriggeredDown = false
-
-	log.Info("running up after wake up")
-	err := s.agent.Up(ctx)
-	if err != nil {
-		log.Errorf("running up failed: %v", err)
-		return err
-	}
-
-	log.Info("running up command executed successfully")
-	return nil
-}
-
-func (s *SleepHandler) HandleSleep(ctx context.Context) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	status, err := s.agent.Status()
-	if err != nil {
-		return err
-	}
-
-	if status != internal.StatusConnecting && status != internal.StatusConnected {
-		log.Infof("skipping setting the agent down because status is %s", status)
-		return nil
-	}
-
-	log.Info("running down after system started sleeping")
-
-	if err = s.agent.Down(ctx); err != nil {
-		log.Errorf("running down failed: %v", err)
-		return err
-	}
-
-	s.sleepTriggeredDown = true
-
-	log.Info("running down executed successfully")
-	return nil
-}
--- a/client/internal/sleep/handler/handler_test.go
+++ b/client/internal/sleep/handler/handler_test.go
@@ -1,153 +0,0 @@
-package handler
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-type mockAgent struct {
-	upErr     error
-	downErr   error
-	statusErr error
-	status    internal.StatusType
-	upCalls   int
-}
-
-func (m *mockAgent) Up(_ context.Context) error {
-	m.upCalls++
-	return m.upErr
-}
-
-func (m *mockAgent) Down(_ context.Context) error {
-	return m.downErr
-}
-
-func (m *mockAgent) Status() (internal.StatusType, error) {
-	return m.status, m.statusErr
-}
-
-func newHandler(status internal.StatusType) (*SleepHandler, *mockAgent) {
-	agent := &mockAgent{status: status}
-	return New(agent), agent
-}
-
-func TestHandleWakeUp_SkipsWhenFlagFalse(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-
-	err := h.HandleWakeUp(context.Background())
-
-	require.NoError(t, err)
-	assert.Equal(t, 0, agent.upCalls, "Up should not be called when flag is false")
-}
-
-func TestHandleWakeUp_ResetsFlagBeforeUp(t *testing.T) {
-	h, _ := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-
-	// Even if Up fails, flag should be reset
-	_ = h.HandleWakeUp(context.Background())
-
-	assert.False(t, h.sleepTriggeredDown, "flag must be reset before calling Up")
-}
-
-func TestHandleWakeUp_CallsUpWhenFlagSet(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-
-	err := h.HandleWakeUp(context.Background())
-
-	require.NoError(t, err)
-	assert.Equal(t, 1, agent.upCalls)
-	assert.False(t, h.sleepTriggeredDown)
-}
-
-func TestHandleWakeUp_ReturnsErrorFromUp(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-	agent.upErr = errors.New("up failed")
-
-	err := h.HandleWakeUp(context.Background())
-
-	assert.ErrorIs(t, err, agent.upErr)
-	assert.False(t, h.sleepTriggeredDown, "flag should still be reset even when Up fails")
-}
-
-func TestHandleWakeUp_SecondCallIsNoOp(t *testing.T) {
-	h, agent := newHandler(internal.StatusIdle)
-	h.sleepTriggeredDown = true
-
-	_ = h.HandleWakeUp(context.Background())
-	err := h.HandleWakeUp(context.Background())
-
-	require.NoError(t, err)
-	assert.Equal(t, 1, agent.upCalls, "second wakeup should be no-op")
-}
-
-func TestHandleSleep_SkipsForNonActiveStates(t *testing.T) {
-	tests := []struct {
-		name   string
-		status internal.StatusType
-	}{
-		{"Idle", internal.StatusIdle},
-		{"NeedsLogin", internal.StatusNeedsLogin},
-		{"LoginFailed", internal.StatusLoginFailed},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			h, _ := newHandler(tt.status)
-
-			err := h.HandleSleep(context.Background())
-
-			require.NoError(t, err)
-			assert.False(t, h.sleepTriggeredDown)
-		})
-	}
-}
-
-func TestHandleSleep_ProceedsForActiveStates(t *testing.T) {
-	tests := []struct {
-		name   string
-		status internal.StatusType
-	}{
-		{"Connecting", internal.StatusConnecting},
-		{"Connected", internal.StatusConnected},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			h, _ := newHandler(tt.status)
-
-			err := h.HandleSleep(context.Background())
-
-			require.NoError(t, err)
-			assert.True(t, h.sleepTriggeredDown)
-		})
-	}
-}
-
-func TestHandleSleep_ReturnsErrorFromStatus(t *testing.T) {
-	agent := &mockAgent{statusErr: errors.New("status error")}
-	h := New(agent)
-
-	err := h.HandleSleep(context.Background())
-
-	assert.ErrorIs(t, err, agent.statusErr)
-	assert.False(t, h.sleepTriggeredDown)
-}
-
-func TestHandleSleep_ReturnsErrorFromDown(t *testing.T) {
-	agent := &mockAgent{status: internal.StatusConnected, downErr: errors.New("down failed")}
-	h := New(agent)
-
-	err := h.HandleSleep(context.Background())
-
-	assert.ErrorIs(t, err, agent.downErr)
-	assert.False(t, h.sleepTriggeredDown, "flag should not be set when Down fails")
-}
--- a/client/ios/NetBirdSDK/env_list.go
+++ b/client/ios/NetBirdSDK/env_list.go
@@ -2,10 +2,7 @@

 package NetBirdSDK

-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"

 // EnvList is an exported struct to be bound by gomobile
 type EnvList struct {
@@ -35,13 +32,3 @@ func (el *EnvList) AllItems() map[string]string {
 func GetEnvKeyNBForceRelay() string {
 	return peer.EnvKeyNBForceRelay
 }
-
-// GetEnvKeyNBLazyConn Exports the environment variable for the iOS client
-func GetEnvKeyNBLazyConn() string {
-	return lazyconn.EnvEnableLazyConn
-}
-
-// GetEnvKeyNBInactivityThreshold Exports the environment variable for the iOS client
-func GetEnvKeyNBInactivityThreshold() string {
-	return lazyconn.EnvInactivityThreshold
-}
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.6
-// 	protoc        v6.33.3
+// 	protoc        v6.32.1
 // source: daemon.proto

 package proto
@@ -88,58 +88,6 @@ func (LogLevel) EnumDescriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{0}
 }

-type ExposeProtocol int32
-
-const (
-	ExposeProtocol_EXPOSE_HTTP  ExposeProtocol = 0
-	ExposeProtocol_EXPOSE_HTTPS ExposeProtocol = 1
-	ExposeProtocol_EXPOSE_TCP   ExposeProtocol = 2
-	ExposeProtocol_EXPOSE_UDP   ExposeProtocol = 3
-)
-
-// Enum value maps for ExposeProtocol.
-var (
-	ExposeProtocol_name = map[int32]string{
-		0: "EXPOSE_HTTP",
-		1: "EXPOSE_HTTPS",
-		2: "EXPOSE_TCP",
-		3: "EXPOSE_UDP",
-	}
-	ExposeProtocol_value = map[string]int32{
-		"EXPOSE_HTTP":  0,
-		"EXPOSE_HTTPS": 1,
-		"EXPOSE_TCP":   2,
-		"EXPOSE_UDP":   3,
-	}
-)
-
-func (x ExposeProtocol) Enum() *ExposeProtocol {
-	p := new(ExposeProtocol)
-	*p = x
-	return p
-}
-
-func (x ExposeProtocol) String() string {
-	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
-}
-
-func (ExposeProtocol) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[1].Descriptor()
-}
-
-func (ExposeProtocol) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[1]
-}
-
-func (x ExposeProtocol) Number() protoreflect.EnumNumber {
-	return protoreflect.EnumNumber(x)
-}
-
-// Deprecated: Use ExposeProtocol.Descriptor instead.
-func (ExposeProtocol) EnumDescriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{1}
-}
-
 // avoid collision with loglevel enum
 type OSLifecycleRequest_CycleType int32

@@ -174,11 +122,11 @@ func (x OSLifecycleRequest_CycleType) String() string {
 }

 func (OSLifecycleRequest_CycleType) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[2].Descriptor()
+	return file_daemon_proto_enumTypes[1].Descriptor()
 }

 func (OSLifecycleRequest_CycleType) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[2]
+	return &file_daemon_proto_enumTypes[1]
 }

 func (x OSLifecycleRequest_CycleType) Number() protoreflect.EnumNumber {
@@ -226,11 +174,11 @@ func (x SystemEvent_Severity) String() string {
 }

 func (SystemEvent_Severity) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[3].Descriptor()
+	return file_daemon_proto_enumTypes[2].Descriptor()
 }

 func (SystemEvent_Severity) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[3]
+	return &file_daemon_proto_enumTypes[2]
 }

 func (x SystemEvent_Severity) Number() protoreflect.EnumNumber {
@@ -281,11 +229,11 @@ func (x SystemEvent_Category) String() string {
 }

 func (SystemEvent_Category) Descriptor() protoreflect.EnumDescriptor {
-	return file_daemon_proto_enumTypes[4].Descriptor()
+	return file_daemon_proto_enumTypes[3].Descriptor()
 }

 func (SystemEvent_Category) Type() protoreflect.EnumType {
-	return &file_daemon_proto_enumTypes[4]
+	return &file_daemon_proto_enumTypes[3]
 }

 func (x SystemEvent_Category) Number() protoreflect.EnumNumber {
@@ -5652,224 +5600,6 @@ func (x *InstallerResultResponse) GetErrorMsg() string {
 	return ""
 }

-type ExposeServiceRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Port          uint32                 `protobuf:"varint,1,opt,name=port,proto3" json:"port,omitempty"`
-	Protocol      ExposeProtocol         `protobuf:"varint,2,opt,name=protocol,proto3,enum=daemon.ExposeProtocol" json:"protocol,omitempty"`
-	Pin           string                 `protobuf:"bytes,3,opt,name=pin,proto3" json:"pin,omitempty"`
-	Password      string                 `protobuf:"bytes,4,opt,name=password,proto3" json:"password,omitempty"`
-	UserGroups    []string               `protobuf:"bytes,5,rep,name=user_groups,json=userGroups,proto3" json:"user_groups,omitempty"`
-	Domain        string                 `protobuf:"bytes,6,opt,name=domain,proto3" json:"domain,omitempty"`
-	NamePrefix    string                 `protobuf:"bytes,7,opt,name=name_prefix,json=namePrefix,proto3" json:"name_prefix,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *ExposeServiceRequest) Reset() {
-	*x = ExposeServiceRequest{}
-	mi := &file_daemon_proto_msgTypes[85]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ExposeServiceRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ExposeServiceRequest) ProtoMessage() {}
-
-func (x *ExposeServiceRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[85]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ExposeServiceRequest.ProtoReflect.Descriptor instead.
-func (*ExposeServiceRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{85}
-}
-
-func (x *ExposeServiceRequest) GetPort() uint32 {
-	if x != nil {
-		return x.Port
-	}
-	return 0
-}
-
-func (x *ExposeServiceRequest) GetProtocol() ExposeProtocol {
-	if x != nil {
-		return x.Protocol
-	}
-	return ExposeProtocol_EXPOSE_HTTP
-}
-
-func (x *ExposeServiceRequest) GetPin() string {
-	if x != nil {
-		return x.Pin
-	}
-	return ""
-}
-
-func (x *ExposeServiceRequest) GetPassword() string {
-	if x != nil {
-		return x.Password
-	}
-	return ""
-}
-
-func (x *ExposeServiceRequest) GetUserGroups() []string {
-	if x != nil {
-		return x.UserGroups
-	}
-	return nil
-}
-
-func (x *ExposeServiceRequest) GetDomain() string {
-	if x != nil {
-		return x.Domain
-	}
-	return ""
-}
-
-func (x *ExposeServiceRequest) GetNamePrefix() string {
-	if x != nil {
-		return x.NamePrefix
-	}
-	return ""
-}
-
-type ExposeServiceEvent struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// Types that are valid to be assigned to Event:
-	//
-	//	*ExposeServiceEvent_Ready
-	Event         isExposeServiceEvent_Event `protobuf_oneof:"event"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *ExposeServiceEvent) Reset() {
-	*x = ExposeServiceEvent{}
-	mi := &file_daemon_proto_msgTypes[86]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ExposeServiceEvent) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ExposeServiceEvent) ProtoMessage() {}
-
-func (x *ExposeServiceEvent) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[86]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ExposeServiceEvent.ProtoReflect.Descriptor instead.
-func (*ExposeServiceEvent) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{86}
-}
-
-func (x *ExposeServiceEvent) GetEvent() isExposeServiceEvent_Event {
-	if x != nil {
-		return x.Event
-	}
-	return nil
-}
-
-func (x *ExposeServiceEvent) GetReady() *ExposeServiceReady {
-	if x != nil {
-		if x, ok := x.Event.(*ExposeServiceEvent_Ready); ok {
-			return x.Ready
-		}
-	}
-	return nil
-}
-
-type isExposeServiceEvent_Event interface {
-	isExposeServiceEvent_Event()
-}
-
-type ExposeServiceEvent_Ready struct {
-	Ready *ExposeServiceReady `protobuf:"bytes,1,opt,name=ready,proto3,oneof"`
-}
-
-func (*ExposeServiceEvent_Ready) isExposeServiceEvent_Event() {}
-
-type ExposeServiceReady struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	ServiceName   string                 `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"`
-	ServiceUrl    string                 `protobuf:"bytes,2,opt,name=service_url,json=serviceUrl,proto3" json:"service_url,omitempty"`
-	Domain        string                 `protobuf:"bytes,3,opt,name=domain,proto3" json:"domain,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *ExposeServiceReady) Reset() {
-	*x = ExposeServiceReady{}
-	mi := &file_daemon_proto_msgTypes[87]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *ExposeServiceReady) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ExposeServiceReady) ProtoMessage() {}
-
-func (x *ExposeServiceReady) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[87]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ExposeServiceReady.ProtoReflect.Descriptor instead.
-func (*ExposeServiceReady) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{87}
-}
-
-func (x *ExposeServiceReady) GetServiceName() string {
-	if x != nil {
-		return x.ServiceName
-	}
-	return ""
-}
-
-func (x *ExposeServiceReady) GetServiceUrl() string {
-	if x != nil {
-		return x.ServiceUrl
-	}
-	return ""
-}
-
-func (x *ExposeServiceReady) GetDomain() string {
-	if x != nil {
-		return x.Domain
-	}
-	return ""
-}
-
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -5880,7 +5610,7 @@ type PortInfo_Range struct {

 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[89]
+	mi := &file_daemon_proto_msgTypes[86]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -5892,7 +5622,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}

 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[89]
+	mi := &file_daemon_proto_msgTypes[86]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -6419,25 +6149,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x16InstallerResultRequest\"O\n" +
 	"\x17InstallerResultResponse\x12\x18\n" +
 	"\asuccess\x18\x01 \x01(\bR\asuccess\x12\x1a\n" +
-	"\berrorMsg\x18\x02 \x01(\tR\berrorMsg\"\xe6\x01\n" +
-	"\x14ExposeServiceRequest\x12\x12\n" +
-	"\x04port\x18\x01 \x01(\rR\x04port\x122\n" +
-	"\bprotocol\x18\x02 \x01(\x0e2\x16.daemon.ExposeProtocolR\bprotocol\x12\x10\n" +
-	"\x03pin\x18\x03 \x01(\tR\x03pin\x12\x1a\n" +
-	"\bpassword\x18\x04 \x01(\tR\bpassword\x12\x1f\n" +
-	"\vuser_groups\x18\x05 \x03(\tR\n" +
-	"userGroups\x12\x16\n" +
-	"\x06domain\x18\x06 \x01(\tR\x06domain\x12\x1f\n" +
-	"\vname_prefix\x18\a \x01(\tR\n" +
-	"namePrefix\"Q\n" +
-	"\x12ExposeServiceEvent\x122\n" +
-	"\x05ready\x18\x01 \x01(\v2\x1a.daemon.ExposeServiceReadyH\x00R\x05readyB\a\n" +
-	"\x05event\"p\n" +
-	"\x12ExposeServiceReady\x12!\n" +
-	"\fservice_name\x18\x01 \x01(\tR\vserviceName\x12\x1f\n" +
-	"\vservice_url\x18\x02 \x01(\tR\n" +
-	"serviceUrl\x12\x16\n" +
-	"\x06domain\x18\x03 \x01(\tR\x06domain*b\n" +
+	"\berrorMsg\x18\x02 \x01(\tR\berrorMsg*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -6446,14 +6158,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x04WARN\x10\x04\x12\b\n" +
 	"\x04INFO\x10\x05\x12\t\n" +
 	"\x05DEBUG\x10\x06\x12\t\n" +
-	"\x05TRACE\x10\a*S\n" +
-	"\x0eExposeProtocol\x12\x0f\n" +
-	"\vEXPOSE_HTTP\x10\x00\x12\x10\n" +
-	"\fEXPOSE_HTTPS\x10\x01\x12\x0e\n" +
-	"\n" +
-	"EXPOSE_TCP\x10\x02\x12\x0e\n" +
-	"\n" +
-	"EXPOSE_UDP\x10\x032\xac\x15\n" +
+	"\x05TRACE\x10\a2\xdd\x14\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -6492,8 +6197,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x0fStartCPUProfile\x12\x1e.daemon.StartCPUProfileRequest\x1a\x1f.daemon.StartCPUProfileResponse\"\x00\x12Q\n" +
 	"\x0eStopCPUProfile\x12\x1d.daemon.StopCPUProfileRequest\x1a\x1e.daemon.StopCPUProfileResponse\"\x00\x12N\n" +
 	"\x11NotifyOSLifecycle\x12\x1a.daemon.OSLifecycleRequest\x1a\x1b.daemon.OSLifecycleResponse\"\x00\x12W\n" +
-	"\x12GetInstallerResult\x12\x1e.daemon.InstallerResultRequest\x1a\x1f.daemon.InstallerResultResponse\"\x00\x12M\n" +
-	"\rExposeService\x12\x1c.daemon.ExposeServiceRequest\x1a\x1a.daemon.ExposeServiceEvent\"\x000\x01B\bZ\x06/protob\x06proto3"
+	"\x12GetInstallerResult\x12\x1e.daemon.InstallerResultRequest\x1a\x1f.daemon.InstallerResultResponse\"\x00B\bZ\x06/protob\x06proto3"

 var (
 	file_daemon_proto_rawDescOnce sync.Once
@@ -6507,222 +6211,214 @@ func file_daemon_proto_rawDescGZIP() []byte {
 	return file_daemon_proto_rawDescData
 }

-var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 91)
+var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 88)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
-	(ExposeProtocol)(0),                        // 1: daemon.ExposeProtocol
-	(OSLifecycleRequest_CycleType)(0),          // 2: daemon.OSLifecycleRequest.CycleType
-	(SystemEvent_Severity)(0),                  // 3: daemon.SystemEvent.Severity
-	(SystemEvent_Category)(0),                  // 4: daemon.SystemEvent.Category
-	(*EmptyRequest)(nil),                       // 5: daemon.EmptyRequest
-	(*OSLifecycleRequest)(nil),                 // 6: daemon.OSLifecycleRequest
-	(*OSLifecycleResponse)(nil),                // 7: daemon.OSLifecycleResponse
-	(*LoginRequest)(nil),                       // 8: daemon.LoginRequest
-	(*LoginResponse)(nil),                      // 9: daemon.LoginResponse
-	(*WaitSSOLoginRequest)(nil),                // 10: daemon.WaitSSOLoginRequest
-	(*WaitSSOLoginResponse)(nil),               // 11: daemon.WaitSSOLoginResponse
-	(*UpRequest)(nil),                          // 12: daemon.UpRequest
-	(*UpResponse)(nil),                         // 13: daemon.UpResponse
-	(*StatusRequest)(nil),                      // 14: daemon.StatusRequest
-	(*StatusResponse)(nil),                     // 15: daemon.StatusResponse
-	(*DownRequest)(nil),                        // 16: daemon.DownRequest
-	(*DownResponse)(nil),                       // 17: daemon.DownResponse
-	(*GetConfigRequest)(nil),                   // 18: daemon.GetConfigRequest
-	(*GetConfigResponse)(nil),                  // 19: daemon.GetConfigResponse
-	(*PeerState)(nil),                          // 20: daemon.PeerState
-	(*LocalPeerState)(nil),                     // 21: daemon.LocalPeerState
-	(*SignalState)(nil),                        // 22: daemon.SignalState
-	(*ManagementState)(nil),                    // 23: daemon.ManagementState
-	(*RelayState)(nil),                         // 24: daemon.RelayState
-	(*NSGroupState)(nil),                       // 25: daemon.NSGroupState
-	(*SSHSessionInfo)(nil),                     // 26: daemon.SSHSessionInfo
-	(*SSHServerState)(nil),                     // 27: daemon.SSHServerState
-	(*FullStatus)(nil),                         // 28: daemon.FullStatus
-	(*ListNetworksRequest)(nil),                // 29: daemon.ListNetworksRequest
-	(*ListNetworksResponse)(nil),               // 30: daemon.ListNetworksResponse
-	(*SelectNetworksRequest)(nil),              // 31: daemon.SelectNetworksRequest
-	(*SelectNetworksResponse)(nil),             // 32: daemon.SelectNetworksResponse
-	(*IPList)(nil),                             // 33: daemon.IPList
-	(*Network)(nil),                            // 34: daemon.Network
-	(*PortInfo)(nil),                           // 35: daemon.PortInfo
-	(*ForwardingRule)(nil),                     // 36: daemon.ForwardingRule
-	(*ForwardingRulesResponse)(nil),            // 37: daemon.ForwardingRulesResponse
-	(*DebugBundleRequest)(nil),                 // 38: daemon.DebugBundleRequest
-	(*DebugBundleResponse)(nil),                // 39: daemon.DebugBundleResponse
-	(*GetLogLevelRequest)(nil),                 // 40: daemon.GetLogLevelRequest
-	(*GetLogLevelResponse)(nil),                // 41: daemon.GetLogLevelResponse
-	(*SetLogLevelRequest)(nil),                 // 42: daemon.SetLogLevelRequest
-	(*SetLogLevelResponse)(nil),                // 43: daemon.SetLogLevelResponse
-	(*State)(nil),                              // 44: daemon.State
-	(*ListStatesRequest)(nil),                  // 45: daemon.ListStatesRequest
-	(*ListStatesResponse)(nil),                 // 46: daemon.ListStatesResponse
-	(*CleanStateRequest)(nil),                  // 47: daemon.CleanStateRequest
-	(*CleanStateResponse)(nil),                 // 48: daemon.CleanStateResponse
-	(*DeleteStateRequest)(nil),                 // 49: daemon.DeleteStateRequest
-	(*DeleteStateResponse)(nil),                // 50: daemon.DeleteStateResponse
-	(*SetSyncResponsePersistenceRequest)(nil),  // 51: daemon.SetSyncResponsePersistenceRequest
-	(*SetSyncResponsePersistenceResponse)(nil), // 52: daemon.SetSyncResponsePersistenceResponse
-	(*TCPFlags)(nil),                           // 53: daemon.TCPFlags
-	(*TracePacketRequest)(nil),                 // 54: daemon.TracePacketRequest
-	(*TraceStage)(nil),                         // 55: daemon.TraceStage
-	(*TracePacketResponse)(nil),                // 56: daemon.TracePacketResponse
-	(*SubscribeRequest)(nil),                   // 57: daemon.SubscribeRequest
-	(*SystemEvent)(nil),                        // 58: daemon.SystemEvent
-	(*GetEventsRequest)(nil),                   // 59: daemon.GetEventsRequest
-	(*GetEventsResponse)(nil),                  // 60: daemon.GetEventsResponse
-	(*SwitchProfileRequest)(nil),               // 61: daemon.SwitchProfileRequest
-	(*SwitchProfileResponse)(nil),              // 62: daemon.SwitchProfileResponse
-	(*SetConfigRequest)(nil),                   // 63: daemon.SetConfigRequest
-	(*SetConfigResponse)(nil),                  // 64: daemon.SetConfigResponse
-	(*AddProfileRequest)(nil),                  // 65: daemon.AddProfileRequest
-	(*AddProfileResponse)(nil),                 // 66: daemon.AddProfileResponse
-	(*RemoveProfileRequest)(nil),               // 67: daemon.RemoveProfileRequest
-	(*RemoveProfileResponse)(nil),              // 68: daemon.RemoveProfileResponse
-	(*ListProfilesRequest)(nil),                // 69: daemon.ListProfilesRequest
-	(*ListProfilesResponse)(nil),               // 70: daemon.ListProfilesResponse
-	(*Profile)(nil),                            // 71: daemon.Profile
-	(*GetActiveProfileRequest)(nil),            // 72: daemon.GetActiveProfileRequest
-	(*GetActiveProfileResponse)(nil),           // 73: daemon.GetActiveProfileResponse
-	(*LogoutRequest)(nil),                      // 74: daemon.LogoutRequest
-	(*LogoutResponse)(nil),                     // 75: daemon.LogoutResponse
-	(*GetFeaturesRequest)(nil),                 // 76: daemon.GetFeaturesRequest
-	(*GetFeaturesResponse)(nil),                // 77: daemon.GetFeaturesResponse
-	(*GetPeerSSHHostKeyRequest)(nil),           // 78: daemon.GetPeerSSHHostKeyRequest
-	(*GetPeerSSHHostKeyResponse)(nil),          // 79: daemon.GetPeerSSHHostKeyResponse
-	(*RequestJWTAuthRequest)(nil),              // 80: daemon.RequestJWTAuthRequest
-	(*RequestJWTAuthResponse)(nil),             // 81: daemon.RequestJWTAuthResponse
-	(*WaitJWTTokenRequest)(nil),                // 82: daemon.WaitJWTTokenRequest
-	(*WaitJWTTokenResponse)(nil),               // 83: daemon.WaitJWTTokenResponse
-	(*StartCPUProfileRequest)(nil),             // 84: daemon.StartCPUProfileRequest
-	(*StartCPUProfileResponse)(nil),            // 85: daemon.StartCPUProfileResponse
-	(*StopCPUProfileRequest)(nil),              // 86: daemon.StopCPUProfileRequest
-	(*StopCPUProfileResponse)(nil),             // 87: daemon.StopCPUProfileResponse
-	(*InstallerResultRequest)(nil),             // 88: daemon.InstallerResultRequest
-	(*InstallerResultResponse)(nil),            // 89: daemon.InstallerResultResponse
-	(*ExposeServiceRequest)(nil),               // 90: daemon.ExposeServiceRequest
-	(*ExposeServiceEvent)(nil),                 // 91: daemon.ExposeServiceEvent
-	(*ExposeServiceReady)(nil),                 // 92: daemon.ExposeServiceReady
-	nil,                                        // 93: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 94: daemon.PortInfo.Range
-	nil,                                        // 95: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 96: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 97: google.protobuf.Timestamp
+	(OSLifecycleRequest_CycleType)(0),          // 1: daemon.OSLifecycleRequest.CycleType
+	(SystemEvent_Severity)(0),                  // 2: daemon.SystemEvent.Severity
+	(SystemEvent_Category)(0),                  // 3: daemon.SystemEvent.Category
+	(*EmptyRequest)(nil),                       // 4: daemon.EmptyRequest
+	(*OSLifecycleRequest)(nil),                 // 5: daemon.OSLifecycleRequest
+	(*OSLifecycleResponse)(nil),                // 6: daemon.OSLifecycleResponse
+	(*LoginRequest)(nil),                       // 7: daemon.LoginRequest
+	(*LoginResponse)(nil),                      // 8: daemon.LoginResponse
+	(*WaitSSOLoginRequest)(nil),                // 9: daemon.WaitSSOLoginRequest
+	(*WaitSSOLoginResponse)(nil),               // 10: daemon.WaitSSOLoginResponse
+	(*UpRequest)(nil),                          // 11: daemon.UpRequest
+	(*UpResponse)(nil),                         // 12: daemon.UpResponse
+	(*StatusRequest)(nil),                      // 13: daemon.StatusRequest
+	(*StatusResponse)(nil),                     // 14: daemon.StatusResponse
+	(*DownRequest)(nil),                        // 15: daemon.DownRequest
+	(*DownResponse)(nil),                       // 16: daemon.DownResponse
+	(*GetConfigRequest)(nil),                   // 17: daemon.GetConfigRequest
+	(*GetConfigResponse)(nil),                  // 18: daemon.GetConfigResponse
+	(*PeerState)(nil),                          // 19: daemon.PeerState
+	(*LocalPeerState)(nil),                     // 20: daemon.LocalPeerState
+	(*SignalState)(nil),                        // 21: daemon.SignalState
+	(*ManagementState)(nil),                    // 22: daemon.ManagementState
+	(*RelayState)(nil),                         // 23: daemon.RelayState
+	(*NSGroupState)(nil),                       // 24: daemon.NSGroupState
+	(*SSHSessionInfo)(nil),                     // 25: daemon.SSHSessionInfo
+	(*SSHServerState)(nil),                     // 26: daemon.SSHServerState
+	(*FullStatus)(nil),                         // 27: daemon.FullStatus
+	(*ListNetworksRequest)(nil),                // 28: daemon.ListNetworksRequest
+	(*ListNetworksResponse)(nil),               // 29: daemon.ListNetworksResponse
+	(*SelectNetworksRequest)(nil),              // 30: daemon.SelectNetworksRequest
+	(*SelectNetworksResponse)(nil),             // 31: daemon.SelectNetworksResponse
+	(*IPList)(nil),                             // 32: daemon.IPList
+	(*Network)(nil),                            // 33: daemon.Network
+	(*PortInfo)(nil),                           // 34: daemon.PortInfo
+	(*ForwardingRule)(nil),                     // 35: daemon.ForwardingRule
+	(*ForwardingRulesResponse)(nil),            // 36: daemon.ForwardingRulesResponse
+	(*DebugBundleRequest)(nil),                 // 37: daemon.DebugBundleRequest
+	(*DebugBundleResponse)(nil),                // 38: daemon.DebugBundleResponse
+	(*GetLogLevelRequest)(nil),                 // 39: daemon.GetLogLevelRequest
+	(*GetLogLevelResponse)(nil),                // 40: daemon.GetLogLevelResponse
+	(*SetLogLevelRequest)(nil),                 // 41: daemon.SetLogLevelRequest
+	(*SetLogLevelResponse)(nil),                // 42: daemon.SetLogLevelResponse
+	(*State)(nil),                              // 43: daemon.State
+	(*ListStatesRequest)(nil),                  // 44: daemon.ListStatesRequest
+	(*ListStatesResponse)(nil),                 // 45: daemon.ListStatesResponse
+	(*CleanStateRequest)(nil),                  // 46: daemon.CleanStateRequest
+	(*CleanStateResponse)(nil),                 // 47: daemon.CleanStateResponse
+	(*DeleteStateRequest)(nil),                 // 48: daemon.DeleteStateRequest
+	(*DeleteStateResponse)(nil),                // 49: daemon.DeleteStateResponse
+	(*SetSyncResponsePersistenceRequest)(nil),  // 50: daemon.SetSyncResponsePersistenceRequest
+	(*SetSyncResponsePersistenceResponse)(nil), // 51: daemon.SetSyncResponsePersistenceResponse
+	(*TCPFlags)(nil),                           // 52: daemon.TCPFlags
+	(*TracePacketRequest)(nil),                 // 53: daemon.TracePacketRequest
+	(*TraceStage)(nil),                         // 54: daemon.TraceStage
+	(*TracePacketResponse)(nil),                // 55: daemon.TracePacketResponse
+	(*SubscribeRequest)(nil),                   // 56: daemon.SubscribeRequest
+	(*SystemEvent)(nil),                        // 57: daemon.SystemEvent
+	(*GetEventsRequest)(nil),                   // 58: daemon.GetEventsRequest
+	(*GetEventsResponse)(nil),                  // 59: daemon.GetEventsResponse
+	(*SwitchProfileRequest)(nil),               // 60: daemon.SwitchProfileRequest
+	(*SwitchProfileResponse)(nil),              // 61: daemon.SwitchProfileResponse
+	(*SetConfigRequest)(nil),                   // 62: daemon.SetConfigRequest
+	(*SetConfigResponse)(nil),                  // 63: daemon.SetConfigResponse
+	(*AddProfileRequest)(nil),                  // 64: daemon.AddProfileRequest
+	(*AddProfileResponse)(nil),                 // 65: daemon.AddProfileResponse
+	(*RemoveProfileRequest)(nil),               // 66: daemon.RemoveProfileRequest
+	(*RemoveProfileResponse)(nil),              // 67: daemon.RemoveProfileResponse
+	(*ListProfilesRequest)(nil),                // 68: daemon.ListProfilesRequest
+	(*ListProfilesResponse)(nil),               // 69: daemon.ListProfilesResponse
+	(*Profile)(nil),                            // 70: daemon.Profile
+	(*GetActiveProfileRequest)(nil),            // 71: daemon.GetActiveProfileRequest
+	(*GetActiveProfileResponse)(nil),           // 72: daemon.GetActiveProfileResponse
+	(*LogoutRequest)(nil),                      // 73: daemon.LogoutRequest
+	(*LogoutResponse)(nil),                     // 74: daemon.LogoutResponse
+	(*GetFeaturesRequest)(nil),                 // 75: daemon.GetFeaturesRequest
+	(*GetFeaturesResponse)(nil),                // 76: daemon.GetFeaturesResponse
+	(*GetPeerSSHHostKeyRequest)(nil),           // 77: daemon.GetPeerSSHHostKeyRequest
+	(*GetPeerSSHHostKeyResponse)(nil),          // 78: daemon.GetPeerSSHHostKeyResponse
+	(*RequestJWTAuthRequest)(nil),              // 79: daemon.RequestJWTAuthRequest
+	(*RequestJWTAuthResponse)(nil),             // 80: daemon.RequestJWTAuthResponse
+	(*WaitJWTTokenRequest)(nil),                // 81: daemon.WaitJWTTokenRequest
+	(*WaitJWTTokenResponse)(nil),               // 82: daemon.WaitJWTTokenResponse
+	(*StartCPUProfileRequest)(nil),             // 83: daemon.StartCPUProfileRequest
+	(*StartCPUProfileResponse)(nil),            // 84: daemon.StartCPUProfileResponse
+	(*StopCPUProfileRequest)(nil),              // 85: daemon.StopCPUProfileRequest
+	(*StopCPUProfileResponse)(nil),             // 86: daemon.StopCPUProfileResponse
+	(*InstallerResultRequest)(nil),             // 87: daemon.InstallerResultRequest
+	(*InstallerResultResponse)(nil),            // 88: daemon.InstallerResultResponse
+	nil,                                        // 89: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 90: daemon.PortInfo.Range
+	nil,                                        // 91: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 92: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 93: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	2,  // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
-	96, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	28, // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	97, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	97, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	96, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
-	26, // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
-	23, // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
-	22, // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
-	21, // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
-	20, // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
-	24, // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
-	25, // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
-	58, // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
-	27, // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
-	34, // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	93, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	94, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
-	35, // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
-	35, // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
-	36, // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
+	1,  // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
+	92, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	27, // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
+	93, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	93, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	92, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	25, // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
+	22, // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
+	21, // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
+	20, // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
+	19, // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
+	23, // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
+	24, // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
+	57, // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
+	26, // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
+	33, // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
+	89, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	90, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	34, // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
+	34, // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
+	35, // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
 	0,  // 21: daemon.GetLogLevelResponse.level:type_name -> daemon.LogLevel
 	0,  // 22: daemon.SetLogLevelRequest.level:type_name -> daemon.LogLevel
-	44, // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
-	53, // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
-	55, // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
-	3,  // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
-	4,  // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	97, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	95, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
-	58, // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	96, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	71, // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
-	1,  // 33: daemon.ExposeServiceRequest.protocol:type_name -> daemon.ExposeProtocol
-	92, // 34: daemon.ExposeServiceEvent.ready:type_name -> daemon.ExposeServiceReady
-	33, // 35: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
-	8,  // 36: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
-	10, // 37: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
-	12, // 38: daemon.DaemonService.Up:input_type -> daemon.UpRequest
-	14, // 39: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	16, // 40: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	18, // 41: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	29, // 42: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
-	31, // 43: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
-	31, // 44: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
-	5,  // 45: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
-	38, // 46: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
-	40, // 47: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
-	42, // 48: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
-	45, // 49: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
-	47, // 50: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
-	49, // 51: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
-	51, // 52: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
-	54, // 53: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
-	57, // 54: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
-	59, // 55: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
-	61, // 56: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
-	63, // 57: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
-	65, // 58: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
-	67, // 59: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
-	69, // 60: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
-	72, // 61: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
-	74, // 62: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
-	76, // 63: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	78, // 64: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
-	80, // 65: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
-	82, // 66: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
-	84, // 67: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
-	86, // 68: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
-	6,  // 69: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
-	88, // 70: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
-	90, // 71: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
-	9,  // 72: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	11, // 73: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	13, // 74: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	15, // 75: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	17, // 76: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	19, // 77: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	30, // 78: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	32, // 79: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	32, // 80: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	37, // 81: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	39, // 82: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	41, // 83: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	43, // 84: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	46, // 85: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	48, // 86: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	50, // 87: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	52, // 88: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	56, // 89: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	58, // 90: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	60, // 91: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	62, // 92: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	64, // 93: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	66, // 94: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	68, // 95: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	70, // 96: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	73, // 97: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	75, // 98: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	77, // 99: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	79, // 100: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
-	81, // 101: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
-	83, // 102: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
-	85, // 103: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
-	87, // 104: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
-	7,  // 105: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
-	89, // 106: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
-	91, // 107: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
-	72, // [72:108] is the sub-list for method output_type
-	36, // [36:72] is the sub-list for method input_type
-	36, // [36:36] is the sub-list for extension type_name
-	36, // [36:36] is the sub-list for extension extendee
-	0,  // [0:36] is the sub-list for field type_name
+	43, // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
+	52, // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
+	54, // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
+	2,  // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
+	3,  // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
+	93, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	91, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	57, // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
+	92, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	70, // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
+	32, // 33: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
+	7,  // 34: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	9,  // 35: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	11, // 36: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	13, // 37: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	15, // 38: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	17, // 39: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	28, // 40: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
+	30, // 41: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
+	30, // 42: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
+	4,  // 43: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
+	37, // 44: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
+	39, // 45: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
+	41, // 46: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
+	44, // 47: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
+	46, // 48: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
+	48, // 49: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
+	50, // 50: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
+	53, // 51: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
+	56, // 52: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
+	58, // 53: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
+	60, // 54: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
+	62, // 55: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
+	64, // 56: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
+	66, // 57: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
+	68, // 58: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
+	71, // 59: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
+	73, // 60: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
+	75, // 61: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
+	77, // 62: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
+	79, // 63: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
+	81, // 64: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
+	83, // 65: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
+	85, // 66: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
+	5,  // 67: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
+	87, // 68: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
+	8,  // 69: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	10, // 70: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	12, // 71: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	14, // 72: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	16, // 73: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	18, // 74: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	29, // 75: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	31, // 76: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	31, // 77: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	36, // 78: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	38, // 79: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	40, // 80: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	42, // 81: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	45, // 82: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	47, // 83: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	49, // 84: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	51, // 85: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	55, // 86: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	57, // 87: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	59, // 88: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	61, // 89: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	63, // 90: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	65, // 91: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	67, // 92: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	69, // 93: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	72, // 94: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	74, // 95: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	76, // 96: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	78, // 97: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
+	80, // 98: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
+	82, // 99: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
+	84, // 100: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
+	86, // 101: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
+	6,  // 102: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
+	88, // 103: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
+	69, // [69:104] is the sub-list for method output_type
+	34, // [34:69] is the sub-list for method input_type
+	34, // [34:34] is the sub-list for extension type_name
+	34, // [34:34] is the sub-list for extension extendee
+	0,  // [0:34] is the sub-list for field type_name
 }

 func init() { file_daemon_proto_init() }
@@ -6743,16 +6439,13 @@ func file_daemon_proto_init() {
 	file_daemon_proto_msgTypes[58].OneofWrappers = []any{}
 	file_daemon_proto_msgTypes[69].OneofWrappers = []any{}
 	file_daemon_proto_msgTypes[75].OneofWrappers = []any{}
-	file_daemon_proto_msgTypes[86].OneofWrappers = []any{
-		(*ExposeServiceEvent_Ready)(nil),
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
-			NumEnums:      5,
-			NumMessages:   91,
+			NumEnums:      4,
+			NumMessages:   88,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -103,9 +103,6 @@ service DaemonService {
  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}

  rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}
-
-  // ExposeService exposes a local port via the NetBird reverse proxy
-  rpc ExposeService(ExposeServiceRequest) returns (stream ExposeServiceEvent) {}
 }


@@ -804,32 +801,3 @@ message InstallerResultResponse {
  bool success = 1;
  string errorMsg = 2;
 }
-
-enum ExposeProtocol {
-  EXPOSE_HTTP = 0;
-  EXPOSE_HTTPS = 1;
-  EXPOSE_TCP = 2;
-  EXPOSE_UDP = 3;
-}
-
-message ExposeServiceRequest {
-  uint32 port = 1;
-  ExposeProtocol protocol = 2;
-  string pin = 3;
-  string password = 4;
-  repeated string user_groups = 5;
-  string domain = 6;
-  string name_prefix = 7;
-}
-
-message ExposeServiceEvent {
-  oneof event {
-    ExposeServiceReady ready = 1;
-  }
-}
-
-message ExposeServiceReady {
-  string service_name = 1;
-  string service_url = 2;
-  string domain = 3;
-}
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -76,8 +76,6 @@ type DaemonServiceClient interface {
 	StopCPUProfile(ctx context.Context, in *StopCPUProfileRequest, opts ...grpc.CallOption) (*StopCPUProfileResponse, error)
 	NotifyOSLifecycle(ctx context.Context, in *OSLifecycleRequest, opts ...grpc.CallOption) (*OSLifecycleResponse, error)
 	GetInstallerResult(ctx context.Context, in *InstallerResultRequest, opts ...grpc.CallOption) (*InstallerResultResponse, error)
-	// ExposeService exposes a local port via the NetBird reverse proxy
-	ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (DaemonService_ExposeServiceClient, error)
 }

 type daemonServiceClient struct {
@@ -426,38 +424,6 @@ func (c *daemonServiceClient) GetInstallerResult(ctx context.Context, in *Instal
 	return out, nil
 }

-func (c *daemonServiceClient) ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (DaemonService_ExposeServiceClient, error) {
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[1], "/daemon.DaemonService/ExposeService", opts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &daemonServiceExposeServiceClient{stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-type DaemonService_ExposeServiceClient interface {
-	Recv() (*ExposeServiceEvent, error)
-	grpc.ClientStream
-}
-
-type daemonServiceExposeServiceClient struct {
-	grpc.ClientStream
-}
-
-func (x *daemonServiceExposeServiceClient) Recv() (*ExposeServiceEvent, error) {
-	m := new(ExposeServiceEvent)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -520,8 +486,6 @@ type DaemonServiceServer interface {
 	StopCPUProfile(context.Context, *StopCPUProfileRequest) (*StopCPUProfileResponse, error)
 	NotifyOSLifecycle(context.Context, *OSLifecycleRequest) (*OSLifecycleResponse, error)
 	GetInstallerResult(context.Context, *InstallerResultRequest) (*InstallerResultResponse, error)
-	// ExposeService exposes a local port via the NetBird reverse proxy
-	ExposeService(*ExposeServiceRequest, DaemonService_ExposeServiceServer) error
 	mustEmbedUnimplementedDaemonServiceServer()
 }

@@ -634,9 +598,6 @@ func (UnimplementedDaemonServiceServer) NotifyOSLifecycle(context.Context, *OSLi
 func (UnimplementedDaemonServiceServer) GetInstallerResult(context.Context, *InstallerResultRequest) (*InstallerResultResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetInstallerResult not implemented")
 }
-func (UnimplementedDaemonServiceServer) ExposeService(*ExposeServiceRequest, DaemonService_ExposeServiceServer) error {
-	return status.Errorf(codes.Unimplemented, "method ExposeService not implemented")
-}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}

 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -1283,27 +1244,6 @@ func _DaemonService_GetInstallerResult_Handler(srv interface{}, ctx context.Cont
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_ExposeService_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(ExposeServiceRequest)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(DaemonServiceServer).ExposeService(m, &daemonServiceExposeServiceServer{stream})
-}
-
-type DaemonService_ExposeServiceServer interface {
-	Send(*ExposeServiceEvent) error
-	grpc.ServerStream
-}
-
-type daemonServiceExposeServiceServer struct {
-	grpc.ServerStream
-}
-
-func (x *daemonServiceExposeServiceServer) Send(m *ExposeServiceEvent) error {
-	return x.ServerStream.SendMsg(m)
-}
-
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1454,11 +1394,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			Handler:       _DaemonService_SubscribeEvents_Handler,
 			ServerStreams: true,
 		},
-		{
-			StreamName:    "ExposeService",
-			Handler:       _DaemonService_ExposeService_Handler,
-			ServerStreams: true,
-		},
 	},
 	Metadata: "daemon.proto",
 }
--- a/client/server/lifecycle.go
+++ b/client/server/lifecycle.go
@@ -0,0 +1,77 @@
+package server
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
+func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
+	switch req.GetType() {
+	case proto.OSLifecycleRequest_WAKEUP:
+		return s.handleWakeUp(callerCtx)
+	case proto.OSLifecycleRequest_SLEEP:
+		return s.handleSleep(callerCtx)
+	default:
+		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
+	}
+	return &proto.OSLifecycleResponse{}, nil
+}
+
+// handleWakeUp processes a wake-up event by triggering the Up command if the system was previously put to sleep.
+// It resets the sleep state and logs the process. Returns a response or an error if the Up command fails.
+func (s *Server) handleWakeUp(callerCtx context.Context) (*proto.OSLifecycleResponse, error) {
+	if !s.sleepTriggeredDown.Load() {
+		log.Info("skipping up because wasn't sleep down")
+		return &proto.OSLifecycleResponse{}, nil
+	}
+
+	// avoid other wakeup runs if sleep didn't make the computer sleep
+	s.sleepTriggeredDown.Store(false)
+
+	log.Info("running up after wake up")
+	_, err := s.Up(callerCtx, &proto.UpRequest{})
+	if err != nil {
+		log.Errorf("running up failed: %v", err)
+		return &proto.OSLifecycleResponse{}, err
+	}
+
+	log.Info("running up command executed successfully")
+	return &proto.OSLifecycleResponse{}, nil
+}
+
+// handleSleep handles the sleep event by initiating a "down" sequence if the system is in a connected or connecting state.
+func (s *Server) handleSleep(callerCtx context.Context) (*proto.OSLifecycleResponse, error) {
+	s.mutex.Lock()
+
+	state := internal.CtxGetState(s.rootCtx)
+	status, err := state.Status()
+	if err != nil {
+		s.mutex.Unlock()
+		return &proto.OSLifecycleResponse{}, err
+	}
+
+	if status != internal.StatusConnecting && status != internal.StatusConnected {
+		log.Infof("skipping setting the agent down because status is %s", status)
+		s.mutex.Unlock()
+		return &proto.OSLifecycleResponse{}, nil
+	}
+	s.mutex.Unlock()
+
+	log.Info("running down after system started sleeping")
+
+	_, err = s.Down(callerCtx, &proto.DownRequest{})
+	if err != nil {
+		log.Errorf("running down failed: %v", err)
+		return &proto.OSLifecycleResponse{}, err
+	}
+
+	s.sleepTriggeredDown.Store(true)
+
+	log.Info("running down executed successfully")
+	return &proto.OSLifecycleResponse{}, nil
+}
--- a/client/server/lifecycle_test.go
+++ b/client/server/lifecycle_test.go
@@ -0,0 +1,219 @@
+package server
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+func newTestServer() *Server {
+	ctx := internal.CtxInitState(context.Background())
+	return &Server{
+		rootCtx:        ctx,
+		statusRecorder: peer.NewRecorder(""),
+	}
+}
+
+func TestNotifyOSLifecycle_WakeUp_SkipsWhenNotSleepTriggered(t *testing.T) {
+	s := newTestServer()
+
+	// sleepTriggeredDown is false by default
+	assert.False(t, s.sleepTriggeredDown.Load())
+
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false")
+}
+
+func TestNotifyOSLifecycle_Sleep_SkipsWhenStatusIdle(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusIdle)
+
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false when status is Idle")
+}
+
+func TestNotifyOSLifecycle_Sleep_SkipsWhenStatusNeedsLogin(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusNeedsLogin)
+
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should remain false when status is NeedsLogin")
+}
+
+func TestNotifyOSLifecycle_Sleep_SetsFlag_WhenConnecting(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusConnecting)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	s.actCancel = cancel
+
+	resp, err := s.NotifyOSLifecycle(ctx, &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	assert.NotNil(t, resp, "handleSleep returns not nil response on success")
+	assert.True(t, s.sleepTriggeredDown.Load(), "flag should be set after sleep when connecting")
+}
+
+func TestNotifyOSLifecycle_Sleep_SetsFlag_WhenConnected(t *testing.T) {
+	s := newTestServer()
+
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusConnected)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	s.actCancel = cancel
+
+	resp, err := s.NotifyOSLifecycle(ctx, &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_SLEEP,
+	})
+
+	require.NoError(t, err)
+	assert.NotNil(t, resp, "handleSleep returns not nil response on success")
+	assert.True(t, s.sleepTriggeredDown.Load(), "flag should be set after sleep when connected")
+}
+
+func TestNotifyOSLifecycle_WakeUp_ResetsFlag(t *testing.T) {
+	s := newTestServer()
+
+	// Manually set the flag to simulate prior sleep down
+	s.sleepTriggeredDown.Store(true)
+
+	// WakeUp will try to call Up which fails without proper setup, but flag should reset first
+	_, _ = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag should be reset after WakeUp attempt")
+}
+
+func TestNotifyOSLifecycle_MultipleWakeUpCalls(t *testing.T) {
+	s := newTestServer()
+
+	// First wakeup without prior sleep - should be no-op
+	resp, err := s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load())
+
+	// Simulate prior sleep
+	s.sleepTriggeredDown.Store(true)
+
+	// First wakeup after sleep - should reset flag
+	_, _ = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+	assert.False(t, s.sleepTriggeredDown.Load())
+
+	// Second wakeup - should be no-op
+	resp, err = s.NotifyOSLifecycle(context.Background(), &proto.OSLifecycleRequest{
+		Type: proto.OSLifecycleRequest_WAKEUP,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	assert.False(t, s.sleepTriggeredDown.Load())
+}
+
+func TestHandleWakeUp_SkipsWhenFlagFalse(t *testing.T) {
+	s := newTestServer()
+
+	resp, err := s.handleWakeUp(context.Background())
+
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+}
+
+func TestHandleWakeUp_ResetsFlagBeforeUp(t *testing.T) {
+	s := newTestServer()
+	s.sleepTriggeredDown.Store(true)
+
+	// Even if Up fails, flag should be reset
+	_, _ = s.handleWakeUp(context.Background())
+
+	assert.False(t, s.sleepTriggeredDown.Load(), "flag must be reset before calling Up")
+}
+
+func TestHandleSleep_SkipsForNonActiveStates(t *testing.T) {
+	tests := []struct {
+		name   string
+		status internal.StatusType
+	}{
+		{"Idle", internal.StatusIdle},
+		{"NeedsLogin", internal.StatusNeedsLogin},
+		{"LoginFailed", internal.StatusLoginFailed},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := newTestServer()
+			state := internal.CtxGetState(s.rootCtx)
+			state.Set(tt.status)
+
+			resp, err := s.handleSleep(context.Background())
+
+			require.NoError(t, err)
+			require.NotNil(t, resp)
+			assert.False(t, s.sleepTriggeredDown.Load())
+		})
+	}
+}
+
+func TestHandleSleep_ProceedsForActiveStates(t *testing.T) {
+	tests := []struct {
+		name   string
+		status internal.StatusType
+	}{
+		{"Connecting", internal.StatusConnecting},
+		{"Connected", internal.StatusConnected},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := newTestServer()
+			state := internal.CtxGetState(s.rootCtx)
+			state.Set(tt.status)
+
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+			s.actCancel = cancel
+
+			resp, err := s.handleSleep(ctx)
+
+			require.NoError(t, err)
+			assert.NotNil(t, resp)
+			assert.True(t, s.sleepTriggeredDown.Load())
+		})
+	}
+}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -21,9 +21,7 @@ import (
 	gstatus "google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal/auth"
-	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -87,7 +85,8 @@ type Server struct {
 	profilesDisabled       bool
 	updateSettingsDisabled bool

-	sleepHandler *sleephandler.SleepHandler
+	// sleepTriggeredDown holds a state indicated if the sleep handler triggered the last client down
+	sleepTriggeredDown atomic.Bool

 	jwtCache *jwtCache
 }
@@ -101,7 +100,7 @@ type oauthAuthFlow struct {

 // New server instance constructor.
 func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool) *Server {
-	s := &Server{
+	return &Server{
 		rootCtx:                ctx,
 		logFile:                logFile,
 		persistSyncResponse:    true,
@@ -111,10 +110,6 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		updateSettingsDisabled: updateSettingsDisabled,
 		jwtCache:               newJWTCache(),
 	}
-	agent := &serverAgent{s}
-	s.sleepHandler = sleephandler.New(agent)
-
-	return s
 }

 func (s *Server) Start() error {
@@ -641,6 +636,8 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR

 		return s.waitForUp(callerCtx)
 	}
+	defer s.mutex.Unlock()
+
 	if err := restoreResidualState(callerCtx, s.profileManager.GetStatePath()); err != nil {
 		log.Warnf(errRestoreResidualState, err)
 	}
@@ -652,12 +649,10 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	// not in the progress or already successfully established connection.
 	status, err := state.Status()
 	if err != nil {
-		s.mutex.Unlock()
 		return nil, err
 	}

 	if status != internal.StatusIdle {
-		s.mutex.Unlock()
 		return nil, fmt.Errorf("up already in progress: current status %s", status)
 	}

@@ -674,20 +669,17 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	s.actCancel = cancel

 	if s.config == nil {
-		s.mutex.Unlock()
 		return nil, fmt.Errorf("config is not defined, please call login command first")
 	}

 	activeProf, err := s.profileManager.GetActiveProfileState()
 	if err != nil {
-		s.mutex.Unlock()
 		log.Errorf("failed to get active profile state: %v", err)
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}

 	if msg != nil && msg.ProfileName != nil {
 		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
-			s.mutex.Unlock()
 			log.Errorf("failed to switch profile: %v", err)
 			return nil, fmt.Errorf("failed to switch profile: %w", err)
 		}
@@ -695,7 +687,6 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR

 	activeProf, err = s.profileManager.GetActiveProfileState()
 	if err != nil {
-		s.mutex.Unlock()
 		log.Errorf("failed to get active profile state: %v", err)
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
@@ -704,7 +695,6 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR

 	config, _, err := s.getConfig(activeProf)
 	if err != nil {
-		s.mutex.Unlock()
 		log.Errorf("failed to get active profile config: %v", err)
 		return nil, fmt.Errorf("failed to get active profile config: %w", err)
 	}
@@ -723,7 +713,6 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 	go s.connectWithRetryRuns(ctx, s.config, s.statusRecorder, doAutoUpdate, s.clientRunningChan, s.clientGiveUpChan)

-	s.mutex.Unlock()
 	return s.waitForUp(callerCtx)
 }

@@ -1323,60 +1312,6 @@ func (s *Server) WaitJWTToken(
 	}, nil
 }

-// ExposeService exposes a local port via the NetBird reverse proxy.
-func (s *Server) ExposeService(req *proto.ExposeServiceRequest, srv proto.DaemonService_ExposeServiceServer) error {
-	s.mutex.Lock()
-	if !s.clientRunning {
-		s.mutex.Unlock()
-		return gstatus.Errorf(codes.FailedPrecondition, "client is not running, run 'netbird up' first")
-	}
-	connectClient := s.connectClient
-	s.mutex.Unlock()
-
-	if connectClient == nil {
-		return gstatus.Errorf(codes.FailedPrecondition, "client not initialized")
-	}
-
-	engine := connectClient.Engine()
-	if engine == nil {
-		return gstatus.Errorf(codes.FailedPrecondition, "engine not initialized")
-	}
-
-	mgr := engine.GetExposeManager()
-	if mgr == nil {
-		return gstatus.Errorf(codes.Internal, "expose manager not available")
-	}
-
-	ctx := srv.Context()
-
-	exposeCtx, exposeCancel := context.WithTimeout(ctx, 30*time.Second)
-	defer exposeCancel()
-
-	mgmReq := expose.NewRequest(req)
-	result, err := mgr.Expose(exposeCtx, *mgmReq)
-	if err != nil {
-		return err
-	}
-
-	if err := srv.Send(&proto.ExposeServiceEvent{
-		Event: &proto.ExposeServiceEvent_Ready{
-			Ready: &proto.ExposeServiceReady{
-				ServiceName: result.ServiceName,
-				ServiceUrl:  result.ServiceURL,
-				Domain:      result.Domain,
-			},
-		},
-	}); err != nil {
-		return err
-	}
-
-	err = mgr.KeepAlive(ctx, result.Domain)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
 		return false
--- a/client/server/sleep.go
+++ b/client/server/sleep.go
@@ -1,46 +0,0 @@
-package server
-
-import (
-	"context"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
-type serverAgent struct {
-	s *Server
-}
-
-func (a *serverAgent) Up(ctx context.Context) error {
-	_, err := a.s.Up(ctx, &proto.UpRequest{})
-	return err
-}
-
-func (a *serverAgent) Down(ctx context.Context) error {
-	_, err := a.s.Down(ctx, &proto.DownRequest{})
-	return err
-}
-
-func (a *serverAgent) Status() (internal.StatusType, error) {
-	return internal.CtxGetState(a.s.rootCtx).Status()
-}
-
-// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
-func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
-	switch req.GetType() {
-	case proto.OSLifecycleRequest_WAKEUP:
-		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	case proto.OSLifecycleRequest_SLEEP:
-		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
-			return &proto.OSLifecycleResponse{}, err
-		}
-	default:
-		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
-	}
-	return &proto.OSLifecycleResponse{}, nil
-}
--- a/client/ssh/client/client.go
+++ b/client/ssh/client/client.go
@@ -19,7 +19,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"

-	"github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
@@ -269,7 +268,7 @@ func getDefaultDaemonAddr() string {
 	if runtime.GOOS == "windows" {
 		return DefaultDaemonAddrWindows
 	}
-	return daemonaddr.ResolveUnixDaemonAddr(DefaultDaemonAddr)
+	return DefaultDaemonAddr
 }

 // DialOptions contains options for SSH connections
--- a/combined/Dockerfile
+++ b/combined/Dockerfile
@@ -1,5 +0,0 @@
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-server" ]
-CMD ["--config", "/etc/netbird/config.yaml"]
-COPY netbird-server /go/bin/netbird-server
--- a/combined/Dockerfile.multistage
+++ b/combined/Dockerfile.multistage
@@ -1,25 +0,0 @@
-FROM golang:1.25-bookworm AS builder
-WORKDIR /app
-
-# Install build dependencies
-RUN apt-get update && apt-get install -y gcc libc6-dev git && rm -rf /var/lib/apt/lists/*
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY . .
-
-# Build with version info from git (matching goreleaser ldflags)
-RUN CGO_ENABLED=1 GOOS=linux go build \
-    -ldflags="-s -w \
-    -X github.com/netbirdio/netbird/version.version=$(git describe --tags --always --dirty 2>/dev/null || echo 'dev') \
-    -X main.commit=$(git rev-parse --short HEAD 2>/dev/null || echo 'unknown') \
-    -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
-    -X main.builtBy=docker" \
-    -o netbird-server ./combined
-
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-server" ]
-CMD ["--config", "/etc/netbird/config.yaml"]
-COPY --from=builder /app/netbird-server /go/bin/netbird-server
--- a/combined/LICENSE
+++ b/combined/LICENSE
@@ -1,661 +0,0 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU Affero General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
-
-    You should have received a copy of the GNU Affero General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-<https://www.gnu.org/licenses/>.
--- a/combined/cmd/config.go
+++ b/combined/cmd/config.go
@@ -1,765 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"path"
-	"path/filepath"
-	"strings"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
-
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/crypt"
-
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-)
-
-// CombinedConfig is the root configuration for the combined server.
-// The combined server is primarily a Management server with optional embedded
-// Signal, Relay, and STUN services.
-//
-// Architecture:
-//   - Management: Always runs locally (this IS the management server)
-//   - Signal: Runs locally by default; disabled if server.signalUri is set
-//   - Relay: Runs locally by default; disabled if server.relays is set
-//   - STUN: Runs locally on port 3478 by default; disabled if server.stuns is set
-//
-// All user-facing settings are under "server". The relay/signal/management
-// fields are internal and populated automatically from server settings.
-type CombinedConfig struct {
-	Server ServerConfig `yaml:"server"`
-
-	// Internal configs - populated from Server settings, not user-configurable
-	Relay      RelayConfig      `yaml:"-"`
-	Signal     SignalConfig     `yaml:"-"`
-	Management ManagementConfig `yaml:"-"`
-}
-
-// ServerConfig contains server-wide settings
-// In simplified mode, this contains all configuration
-type ServerConfig struct {
-	ListenAddress      string    `yaml:"listenAddress"`
-	MetricsPort        int       `yaml:"metricsPort"`
-	HealthcheckAddress string    `yaml:"healthcheckAddress"`
-	LogLevel           string    `yaml:"logLevel"`
-	LogFile            string    `yaml:"logFile"`
-	TLS                TLSConfig `yaml:"tls"`
-
-	// Simplified config fields (used when relay/signal/management sections are omitted)
-	ExposedAddress string `yaml:"exposedAddress"` // Public address with protocol (e.g., "https://example.com:443")
-	StunPorts      []int  `yaml:"stunPorts"`      // STUN ports (empty to disable local STUN)
-	AuthSecret     string `yaml:"authSecret"`     // Shared secret for relay authentication
-	DataDir        string `yaml:"dataDir"`        // Data directory for all services
-
-	// External service overrides (simplified mode)
-	// When these are set, the corresponding local service is NOT started
-	// and these values are used for client configuration instead
-	Stuns     []HostConfig `yaml:"stuns"`     // External STUN servers (disables local STUN)
-	Relays    RelaysConfig `yaml:"relays"`    // External relay servers (disables local relay)
-	SignalURI string       `yaml:"signalUri"` // External signal server (disables local signal)
-
-	// Management settings (simplified mode)
-	DisableAnonymousMetrics bool               `yaml:"disableAnonymousMetrics"`
-	DisableGeoliteUpdate    bool               `yaml:"disableGeoliteUpdate"`
-	Auth                    AuthConfig         `yaml:"auth"`
-	Store                   StoreConfig        `yaml:"store"`
-	ActivityStore           StoreConfig        `yaml:"activityStore"`
-	AuthStore               StoreConfig        `yaml:"authStore"`
-	ReverseProxy            ReverseProxyConfig `yaml:"reverseProxy"`
-}
-
-// TLSConfig contains TLS/HTTPS settings
-type TLSConfig struct {
-	CertFile    string            `yaml:"certFile"`
-	KeyFile     string            `yaml:"keyFile"`
-	LetsEncrypt LetsEncryptConfig `yaml:"letsencrypt"`
-}
-
-// LetsEncryptConfig contains Let's Encrypt settings
-type LetsEncryptConfig struct {
-	Enabled    bool     `yaml:"enabled"`
-	DataDir    string   `yaml:"dataDir"`
-	Domains    []string `yaml:"domains"`
-	Email      string   `yaml:"email"`
-	AWSRoute53 bool     `yaml:"awsRoute53"`
-}
-
-// RelayConfig contains relay service settings
-type RelayConfig struct {
-	Enabled        bool       `yaml:"enabled"`
-	ExposedAddress string     `yaml:"exposedAddress"`
-	AuthSecret     string     `yaml:"authSecret"`
-	LogLevel       string     `yaml:"logLevel"`
-	Stun           StunConfig `yaml:"stun"`
-}
-
-// StunConfig contains embedded STUN service settings
-type StunConfig struct {
-	Enabled  bool   `yaml:"enabled"`
-	Ports    []int  `yaml:"ports"`
-	LogLevel string `yaml:"logLevel"`
-}
-
-// SignalConfig contains signal service settings
-type SignalConfig struct {
-	Enabled  bool   `yaml:"enabled"`
-	LogLevel string `yaml:"logLevel"`
-}
-
-// ManagementConfig contains management service settings
-type ManagementConfig struct {
-	Enabled                 bool               `yaml:"enabled"`
-	LogLevel                string             `yaml:"logLevel"`
-	DataDir                 string             `yaml:"dataDir"`
-	DnsDomain               string             `yaml:"dnsDomain"`
-	DisableAnonymousMetrics bool               `yaml:"disableAnonymousMetrics"`
-	DisableGeoliteUpdate    bool               `yaml:"disableGeoliteUpdate"`
-	DisableDefaultPolicy    bool               `yaml:"disableDefaultPolicy"`
-	Auth                    AuthConfig         `yaml:"auth"`
-	Stuns                   []HostConfig       `yaml:"stuns"`
-	Relays                  RelaysConfig       `yaml:"relays"`
-	SignalURI               string             `yaml:"signalUri"`
-	Store                   StoreConfig        `yaml:"store"`
-	ReverseProxy            ReverseProxyConfig `yaml:"reverseProxy"`
-}
-
-// AuthConfig contains authentication/identity provider settings
-type AuthConfig struct {
-	Issuer                string            `yaml:"issuer"`
-	LocalAuthDisabled     bool              `yaml:"localAuthDisabled"`
-	SignKeyRefreshEnabled bool              `yaml:"signKeyRefreshEnabled"`
-	Storage               AuthStorageConfig `yaml:"storage"`
-	DashboardRedirectURIs []string          `yaml:"dashboardRedirectURIs"`
-	CLIRedirectURIs       []string          `yaml:"cliRedirectURIs"`
-	Owner                 *AuthOwnerConfig  `yaml:"owner,omitempty"`
-}
-
-// AuthStorageConfig contains auth storage settings
-type AuthStorageConfig struct {
-	Type string `yaml:"type"`
-	File string `yaml:"file"`
-}
-
-// AuthOwnerConfig contains initial admin user settings
-type AuthOwnerConfig struct {
-	Email    string `yaml:"email"`
-	Password string `yaml:"password"`
-}
-
-// HostConfig represents a STUN/TURN/Signal host
-type HostConfig struct {
-	URI      string `yaml:"uri"`
-	Proto    string `yaml:"proto,omitempty"` // udp, dtls, tcp, http, https - defaults based on URI scheme
-	Username string `yaml:"username,omitempty"`
-	Password string `yaml:"password,omitempty"`
-}
-
-// RelaysConfig contains external relay server settings for clients
-type RelaysConfig struct {
-	Addresses      []string `yaml:"addresses"`
-	CredentialsTTL string   `yaml:"credentialsTTL"`
-	Secret         string   `yaml:"secret"`
-}
-
-// StoreConfig contains database settings
-type StoreConfig struct {
-	Engine        string `yaml:"engine"`
-	EncryptionKey string `yaml:"encryptionKey"`
-	DSN           string `yaml:"dsn"`  // Connection string for postgres or mysql engines
-	File          string `yaml:"file"` // SQLite database file path (optional, defaults to dataDir)
-}
-
-// ReverseProxyConfig contains reverse proxy settings
-type ReverseProxyConfig struct {
-	TrustedHTTPProxies      []string `yaml:"trustedHTTPProxies"`
-	TrustedHTTPProxiesCount uint     `yaml:"trustedHTTPProxiesCount"`
-	TrustedPeers            []string `yaml:"trustedPeers"`
-}
-
-// DefaultConfig returns a CombinedConfig with default values
-func DefaultConfig() *CombinedConfig {
-	return &CombinedConfig{
-		Server: ServerConfig{
-			ListenAddress:      ":443",
-			MetricsPort:        9090,
-			HealthcheckAddress: ":9000",
-			LogLevel:           "info",
-			LogFile:            "console",
-			StunPorts:          []int{3478},
-			DataDir:            "/var/lib/netbird/",
-			Auth: AuthConfig{
-				Storage: AuthStorageConfig{
-					Type: "sqlite3",
-				},
-			},
-			Store: StoreConfig{
-				Engine: "sqlite",
-			},
-		},
-		Relay: RelayConfig{
-			// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-			Stun: StunConfig{
-				Enabled: false,
-				Ports:   []int{3478},
-				// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-			},
-		},
-		Signal: SignalConfig{
-			// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-		},
-		Management: ManagementConfig{
-			DataDir: "/var/lib/netbird/",
-			Auth: AuthConfig{
-				Storage: AuthStorageConfig{
-					Type: "sqlite3",
-				},
-			},
-			Relays: RelaysConfig{
-				CredentialsTTL: "12h",
-			},
-			Store: StoreConfig{
-				Engine: "sqlite",
-			},
-		},
-	}
-}
-
-// hasRequiredSettings returns true if the configuration has the required server settings
-func (c *CombinedConfig) hasRequiredSettings() bool {
-	return c.Server.ExposedAddress != ""
-}
-
-// parseExposedAddress extracts protocol, host, and host:port from the exposed address
-// Input format: "https://example.com:443" or "http://example.com:8080" or "example.com:443"
-// Returns: protocol ("https" or "http"), hostname only, and host:port
-func parseExposedAddress(exposedAddress string) (protocol, hostname, hostPort string) {
-	// Default to https if no protocol specified
-	protocol = "https"
-	hostPort = exposedAddress
-
-	// Check for protocol prefix
-	if strings.HasPrefix(exposedAddress, "https://") {
-		protocol = "https"
-		hostPort = strings.TrimPrefix(exposedAddress, "https://")
-	} else if strings.HasPrefix(exposedAddress, "http://") {
-		protocol = "http"
-		hostPort = strings.TrimPrefix(exposedAddress, "http://")
-	}
-
-	// Extract hostname (without port)
-	hostname = hostPort
-	if host, _, err := net.SplitHostPort(hostPort); err == nil {
-		hostname = host
-	}
-
-	return protocol, hostname, hostPort
-}
-
-// ApplySimplifiedDefaults populates internal relay/signal/management configs from server settings.
-// Management is always enabled. Signal, Relay, and STUN are enabled unless external
-// overrides are configured (server.signalUri, server.relays, server.stuns).
-func (c *CombinedConfig) ApplySimplifiedDefaults() {
-	if !c.hasRequiredSettings() {
-		return
-	}
-
-	// Parse exposed address to extract protocol and hostname
-	exposedProto, exposedHost, exposedHostPort := parseExposedAddress(c.Server.ExposedAddress)
-
-	// Check for external service overrides
-	hasExternalRelay := len(c.Server.Relays.Addresses) > 0
-	hasExternalSignal := c.Server.SignalURI != ""
-	hasExternalStuns := len(c.Server.Stuns) > 0
-
-	// Default stunPorts to [3478] if not specified and no external STUN
-	if len(c.Server.StunPorts) == 0 && !hasExternalStuns {
-		c.Server.StunPorts = []int{3478}
-	}
-
-	c.applyRelayDefaults(exposedProto, exposedHostPort, hasExternalRelay, hasExternalStuns)
-	c.applySignalDefaults(hasExternalSignal)
-	c.applyManagementDefaults(exposedHost)
-
-	// Auto-configure client settings (stuns, relays, signalUri)
-	c.autoConfigureClientSettings(exposedProto, exposedHost, exposedHostPort, hasExternalStuns, hasExternalRelay, hasExternalSignal)
-}
-
-// applyRelayDefaults configures the relay service if no external relay is configured.
-func (c *CombinedConfig) applyRelayDefaults(exposedProto, exposedHostPort string, hasExternalRelay, hasExternalStuns bool) {
-	if hasExternalRelay {
-		return
-	}
-
-	c.Relay.Enabled = true
-	relayProto := "rel"
-	if exposedProto == "https" {
-		relayProto = "rels"
-	}
-	c.Relay.ExposedAddress = fmt.Sprintf("%s://%s", relayProto, exposedHostPort)
-	c.Relay.AuthSecret = c.Server.AuthSecret
-	if c.Relay.LogLevel == "" {
-		c.Relay.LogLevel = c.Server.LogLevel
-	}
-
-	// Enable local STUN only if no external STUN servers and stunPorts are configured
-	if !hasExternalStuns && len(c.Server.StunPorts) > 0 {
-		c.Relay.Stun.Enabled = true
-		c.Relay.Stun.Ports = c.Server.StunPorts
-		if c.Relay.Stun.LogLevel == "" {
-			c.Relay.Stun.LogLevel = c.Server.LogLevel
-		}
-	}
-}
-
-// applySignalDefaults configures the signal service if no external signal is configured.
-func (c *CombinedConfig) applySignalDefaults(hasExternalSignal bool) {
-	if hasExternalSignal {
-		return
-	}
-
-	c.Signal.Enabled = true
-	if c.Signal.LogLevel == "" {
-		c.Signal.LogLevel = c.Server.LogLevel
-	}
-}
-
-// applyManagementDefaults configures the management service (always enabled).
-func (c *CombinedConfig) applyManagementDefaults(exposedHost string) {
-	c.Management.Enabled = true
-	if c.Management.LogLevel == "" {
-		c.Management.LogLevel = c.Server.LogLevel
-	}
-	if c.Management.DataDir == "" || c.Management.DataDir == "/var/lib/netbird/" {
-		c.Management.DataDir = c.Server.DataDir
-	}
-	c.Management.DnsDomain = exposedHost
-	c.Management.DisableAnonymousMetrics = c.Server.DisableAnonymousMetrics
-	c.Management.DisableGeoliteUpdate = c.Server.DisableGeoliteUpdate
-	// Copy auth config from server if management auth issuer is not set
-	if c.Management.Auth.Issuer == "" && c.Server.Auth.Issuer != "" {
-		c.Management.Auth = c.Server.Auth
-	}
-
-	// Copy store config from server if not set
-	if c.Management.Store.Engine == "" || c.Management.Store.Engine == "sqlite" {
-		if c.Server.Store.Engine != "" {
-			c.Management.Store = c.Server.Store
-		}
-	}
-
-	// Copy reverse proxy config from server
-	if len(c.Server.ReverseProxy.TrustedHTTPProxies) > 0 || c.Server.ReverseProxy.TrustedHTTPProxiesCount > 0 || len(c.Server.ReverseProxy.TrustedPeers) > 0 {
-		c.Management.ReverseProxy = c.Server.ReverseProxy
-	}
-}
-
-// autoConfigureClientSettings sets up STUN/relay/signal URIs for clients
-// External overrides from server config take precedence over auto-generated values
-func (c *CombinedConfig) autoConfigureClientSettings(exposedProto, exposedHost, exposedHostPort string, hasExternalStuns, hasExternalRelay, hasExternalSignal bool) {
-	// Determine relay protocol from exposed protocol
-	relayProto := "rel"
-	if exposedProto == "https" {
-		relayProto = "rels"
-	}
-
-	// Configure STUN servers for clients
-	if hasExternalStuns {
-		// Use external STUN servers from server config
-		c.Management.Stuns = c.Server.Stuns
-	} else if len(c.Server.StunPorts) > 0 && len(c.Management.Stuns) == 0 {
-		// Auto-configure local STUN servers for all ports
-		for _, port := range c.Server.StunPorts {
-			c.Management.Stuns = append(c.Management.Stuns, HostConfig{
-				URI: fmt.Sprintf("stun:%s:%d", exposedHost, port),
-			})
-		}
-	}
-
-	// Configure relay for clients
-	if hasExternalRelay {
-		// Use external relay config from server
-		c.Management.Relays = c.Server.Relays
-	} else if len(c.Management.Relays.Addresses) == 0 {
-		// Auto-configure local relay
-		c.Management.Relays.Addresses = []string{
-			fmt.Sprintf("%s://%s", relayProto, exposedHostPort),
-		}
-	}
-	if c.Management.Relays.Secret == "" {
-		c.Management.Relays.Secret = c.Server.AuthSecret
-	}
-	if c.Management.Relays.CredentialsTTL == "" {
-		c.Management.Relays.CredentialsTTL = "12h"
-	}
-
-	// Configure signal for clients
-	if hasExternalSignal {
-		// Use external signal URI from server config
-		c.Management.SignalURI = c.Server.SignalURI
-	} else if c.Management.SignalURI == "" {
-		// Auto-configure local signal
-		c.Management.SignalURI = fmt.Sprintf("%s://%s", exposedProto, exposedHostPort)
-	}
-}
-
-// LoadConfig loads configuration from a YAML file
-func LoadConfig(configPath string) (*CombinedConfig, error) {
-	cfg := DefaultConfig()
-
-	if configPath == "" {
-		return cfg, nil
-	}
-
-	data, err := os.ReadFile(configPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read config file: %w", err)
-	}
-
-	if err := yaml.Unmarshal(data, cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse config file: %w", err)
-	}
-
-	// Populate internal configs from server settings
-	cfg.ApplySimplifiedDefaults()
-
-	return cfg, nil
-}
-
-// Validate validates the configuration
-func (c *CombinedConfig) Validate() error {
-	if c.Server.ExposedAddress == "" {
-		return fmt.Errorf("server.exposedAddress is required")
-	}
-	if c.Server.DataDir == "" {
-		return fmt.Errorf("server.dataDir is required")
-	}
-
-	// Validate STUN ports
-	seen := make(map[int]bool)
-	for _, port := range c.Server.StunPorts {
-		if port <= 0 || port > 65535 {
-			return fmt.Errorf("invalid server.stunPorts value %d: must be between 1 and 65535", port)
-		}
-		if seen[port] {
-			return fmt.Errorf("duplicate STUN port %d in server.stunPorts", port)
-		}
-		seen[port] = true
-	}
-
-	// authSecret is required only if running local relay (no external relay configured)
-	hasExternalRelay := len(c.Server.Relays.Addresses) > 0
-	if !hasExternalRelay && c.Server.AuthSecret == "" {
-		return fmt.Errorf("server.authSecret is required when running local relay")
-	}
-
-	return nil
-}
-
-// HasTLSCert returns true if TLS certificate files are configured
-func (c *CombinedConfig) HasTLSCert() bool {
-	return c.Server.TLS.CertFile != "" && c.Server.TLS.KeyFile != ""
-}
-
-// HasLetsEncrypt returns true if Let's Encrypt is configured
-func (c *CombinedConfig) HasLetsEncrypt() bool {
-	return c.Server.TLS.LetsEncrypt.Enabled &&
-		c.Server.TLS.LetsEncrypt.DataDir != "" &&
-		len(c.Server.TLS.LetsEncrypt.Domains) > 0
-}
-
-// parseExplicitProtocol parses an explicit protocol string to nbconfig.Protocol
-func parseExplicitProtocol(proto string) (nbconfig.Protocol, bool) {
-	switch strings.ToLower(proto) {
-	case "udp":
-		return nbconfig.UDP, true
-	case "dtls":
-		return nbconfig.DTLS, true
-	case "tcp":
-		return nbconfig.TCP, true
-	case "http":
-		return nbconfig.HTTP, true
-	case "https":
-		return nbconfig.HTTPS, true
-	default:
-		return "", false
-	}
-}
-
-// parseStunProtocol determines protocol for STUN/TURN servers.
-// stun: → UDP, stuns: → DTLS, turn: → UDP, turns: → DTLS
-// Explicit proto overrides URI scheme. Defaults to UDP.
-func parseStunProtocol(uri, proto string) nbconfig.Protocol {
-	if proto != "" {
-		if p, ok := parseExplicitProtocol(proto); ok {
-			return p
-		}
-	}
-
-	uri = strings.ToLower(uri)
-	switch {
-	case strings.HasPrefix(uri, "stuns:"):
-		return nbconfig.DTLS
-	case strings.HasPrefix(uri, "turns:"):
-		return nbconfig.DTLS
-	default:
-		// stun:, turn:, or no scheme - default to UDP
-		return nbconfig.UDP
-	}
-}
-
-// parseSignalProtocol determines protocol for Signal servers.
-// https:// → HTTPS, http:// → HTTP. Defaults to HTTPS.
-func parseSignalProtocol(uri string) nbconfig.Protocol {
-	uri = strings.ToLower(uri)
-	switch {
-	case strings.HasPrefix(uri, "http://"):
-		return nbconfig.HTTP
-	default:
-		// https:// or no scheme - default to HTTPS
-		return nbconfig.HTTPS
-	}
-}
-
-// stripSignalProtocol removes the protocol prefix from a signal URI.
-// Returns just the host:port (e.g., "selfhosted2.demo.netbird.io:443").
-func stripSignalProtocol(uri string) string {
-	uri = strings.TrimPrefix(uri, "https://")
-	uri = strings.TrimPrefix(uri, "http://")
-	return uri
-}
-
-func buildRelayConfig(relays RelaysConfig) (*nbconfig.Relay, error) {
-	var ttl time.Duration
-	if relays.CredentialsTTL != "" {
-		var err error
-		ttl, err = time.ParseDuration(relays.CredentialsTTL)
-		if err != nil {
-			return nil, fmt.Errorf("invalid relay credentials TTL %q: %w", relays.CredentialsTTL, err)
-		}
-	}
-	return &nbconfig.Relay{
-		Addresses:      relays.Addresses,
-		CredentialsTTL: util.Duration{Duration: ttl},
-		Secret:         relays.Secret,
-	}, nil
-}
-
-// buildEmbeddedIdPConfig builds the embedded IdP configuration.
-// authStore overrides auth.storage when set.
-func (c *CombinedConfig) buildEmbeddedIdPConfig(mgmt ManagementConfig) (*idp.EmbeddedIdPConfig, error) {
-	authStorageType := mgmt.Auth.Storage.Type
-	authStorageDSN := c.Server.AuthStore.DSN
-	if c.Server.AuthStore.Engine != "" {
-		authStorageType = c.Server.AuthStore.Engine
-	}
-	if authStorageType == "" {
-		authStorageType = "sqlite3"
-	}
-	authStorageFile := ""
-	if authStorageType == "postgres" {
-		if authStorageDSN == "" {
-			return nil, fmt.Errorf("authStore.dsn is required when authStore.engine is postgres")
-		}
-	} else {
-		authStorageFile = path.Join(mgmt.DataDir, "idp.db")
-		if c.Server.AuthStore.File != "" {
-			authStorageFile = c.Server.AuthStore.File
-			if !filepath.IsAbs(authStorageFile) {
-				authStorageFile = filepath.Join(mgmt.DataDir, authStorageFile)
-			}
-		}
-	}
-
-	cfg := &idp.EmbeddedIdPConfig{
-		Enabled:               true,
-		Issuer:                mgmt.Auth.Issuer,
-		LocalAuthDisabled:     mgmt.Auth.LocalAuthDisabled,
-		SignKeyRefreshEnabled: mgmt.Auth.SignKeyRefreshEnabled,
-		Storage: idp.EmbeddedStorageConfig{
-			Type: authStorageType,
-			Config: idp.EmbeddedStorageTypeConfig{
-				File: authStorageFile,
-				DSN:  authStorageDSN,
-			},
-		},
-		DashboardRedirectURIs: mgmt.Auth.DashboardRedirectURIs,
-		CLIRedirectURIs:       mgmt.Auth.CLIRedirectURIs,
-	}
-
-	if mgmt.Auth.Owner != nil && mgmt.Auth.Owner.Email != "" {
-		cfg.Owner = &idp.OwnerConfig{
-			Email: mgmt.Auth.Owner.Email,
-			Hash:  mgmt.Auth.Owner.Password,
-		}
-	}
-
-	return cfg, nil
-}
-
-// ToManagementConfig converts CombinedConfig to management server config
-func (c *CombinedConfig) ToManagementConfig() (*nbconfig.Config, error) {
-	mgmt := c.Management
-
-	// Build STUN hosts
-	var stuns []*nbconfig.Host
-	for _, s := range mgmt.Stuns {
-		stuns = append(stuns, &nbconfig.Host{
-			URI:      s.URI,
-			Proto:    parseStunProtocol(s.URI, s.Proto),
-			Username: s.Username,
-			Password: s.Password,
-		})
-	}
-
-	// Build relay config
-	var relayConfig *nbconfig.Relay
-	if len(mgmt.Relays.Addresses) > 0 || mgmt.Relays.Secret != "" {
-		relay, err := buildRelayConfig(mgmt.Relays)
-		if err != nil {
-			return nil, err
-		}
-		relayConfig = relay
-	}
-
-	// Build signal config
-	var signalConfig *nbconfig.Host
-	if mgmt.SignalURI != "" {
-		signalConfig = &nbconfig.Host{
-			URI:   stripSignalProtocol(mgmt.SignalURI),
-			Proto: parseSignalProtocol(mgmt.SignalURI),
-		}
-	}
-
-	// Build store config
-	storeConfig := nbconfig.StoreConfig{
-		Engine: types.Engine(mgmt.Store.Engine),
-	}
-
-	// Build reverse proxy config
-	reverseProxy := nbconfig.ReverseProxy{
-		TrustedHTTPProxiesCount: mgmt.ReverseProxy.TrustedHTTPProxiesCount,
-	}
-	for _, p := range mgmt.ReverseProxy.TrustedHTTPProxies {
-		if prefix, err := netip.ParsePrefix(p); err == nil {
-			reverseProxy.TrustedHTTPProxies = append(reverseProxy.TrustedHTTPProxies, prefix)
-		}
-	}
-	for _, p := range mgmt.ReverseProxy.TrustedPeers {
-		if prefix, err := netip.ParsePrefix(p); err == nil {
-			reverseProxy.TrustedPeers = append(reverseProxy.TrustedPeers, prefix)
-		}
-	}
-
-	// Build HTTP config (required, even if empty)
-	httpConfig := &nbconfig.HttpServerConfig{}
-
-	// Build embedded IDP config (always enabled in combined server)
-	embeddedIdP, err := c.buildEmbeddedIdPConfig(mgmt)
-	if err != nil {
-		return nil, err
-	}
-
-	// Set HTTP config fields for embedded IDP
-	httpConfig.AuthIssuer = mgmt.Auth.Issuer
-	httpConfig.AuthAudience = "netbird-dashboard"
-	httpConfig.AuthClientID = httpConfig.AuthAudience
-	httpConfig.CLIAuthAudience = "netbird-cli"
-	httpConfig.AuthUserIDClaim = "sub"
-	httpConfig.AuthKeysLocation = mgmt.Auth.Issuer + "/keys"
-	httpConfig.OIDCConfigEndpoint = mgmt.Auth.Issuer + "/.well-known/openid-configuration"
-	httpConfig.IdpSignKeyRefreshEnabled = mgmt.Auth.SignKeyRefreshEnabled
-	callbackURL := strings.TrimSuffix(httpConfig.AuthIssuer, "/oauth2")
-	httpConfig.AuthCallbackURL = callbackURL + types.ProxyCallbackEndpointFull
-
-	return &nbconfig.Config{
-		Stuns:                  stuns,
-		Relay:                  relayConfig,
-		Signal:                 signalConfig,
-		Datadir:                mgmt.DataDir,
-		DataStoreEncryptionKey: mgmt.Store.EncryptionKey,
-		HttpConfig:             httpConfig,
-		StoreConfig:            storeConfig,
-		ReverseProxy:           reverseProxy,
-		DisableDefaultPolicy:   mgmt.DisableDefaultPolicy,
-		EmbeddedIdP:            embeddedIdP,
-	}, nil
-}
-
-// ApplyEmbeddedIdPConfig applies embedded IdP configuration to the management config.
-// This mirrors the logic in management/cmd/management.go ApplyEmbeddedIdPConfig.
-func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config, mgmtPort int, disableSingleAccMode bool) error {
-	if cfg.EmbeddedIdP == nil || !cfg.EmbeddedIdP.Enabled {
-		return nil
-	}
-
-	// Embedded IdP requires single account mode
-	if disableSingleAccMode {
-		return fmt.Errorf("embedded IdP requires single account mode; multiple account mode is not supported with embedded IdP")
-	}
-
-	// Set LocalAddress for embedded IdP, used for internal JWT validation
-	cfg.EmbeddedIdP.LocalAddress = fmt.Sprintf("localhost:%d", mgmtPort)
-
-	// Set storage defaults based on Datadir
-	if cfg.EmbeddedIdP.Storage.Type == "" {
-		cfg.EmbeddedIdP.Storage.Type = "sqlite3"
-	}
-	if cfg.EmbeddedIdP.Storage.Config.File == "" && cfg.Datadir != "" {
-		cfg.EmbeddedIdP.Storage.Config.File = path.Join(cfg.Datadir, "idp.db")
-	}
-
-	issuer := cfg.EmbeddedIdP.Issuer
-
-	// Ensure HttpConfig exists
-	if cfg.HttpConfig == nil {
-		cfg.HttpConfig = &nbconfig.HttpServerConfig{}
-	}
-
-	// Set HttpConfig values from EmbeddedIdP
-	cfg.HttpConfig.AuthIssuer = issuer
-	cfg.HttpConfig.AuthAudience = "netbird-dashboard"
-	cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
-	cfg.HttpConfig.AuthUserIDClaim = "sub"
-	cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
-	cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
-	cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
-
-	return nil
-}
-
-// EnsureEncryptionKey generates an encryption key if not set.
-// Unlike management server, we don't write back to the config file.
-func EnsureEncryptionKey(ctx context.Context, cfg *nbconfig.Config) error {
-	if cfg.DataStoreEncryptionKey != "" {
-		return nil
-	}
-
-	log.WithContext(ctx).Infof("DataStoreEncryptionKey is not set, generating a new key")
-	key, err := crypt.GenerateKey()
-	if err != nil {
-		return fmt.Errorf("failed to generate datastore encryption key: %v", err)
-	}
-	cfg.DataStoreEncryptionKey = key
-	keyPreview := key[:8] + "..."
-	log.WithContext(ctx).Warnf("DataStoreEncryptionKey generated (%s); add it to your config file under 'server.store.encryptionKey' to persist across restarts", keyPreview)
-
-	return nil
-}
-
-// LogConfigInfo logs informational messages about the loaded configuration
-func LogConfigInfo(cfg *nbconfig.Config) {
-	if cfg.EmbeddedIdP != nil && cfg.EmbeddedIdP.Enabled {
-		log.Infof("running with the embedded IdP: %v", cfg.EmbeddedIdP.Issuer)
-	}
-	if cfg.Relay != nil {
-		log.Infof("Relay addresses: %v", cfg.Relay.Addresses)
-	}
-}
--- a/combined/cmd/pprof.go
+++ b/combined/cmd/pprof.go
@@ -1,33 +0,0 @@
-//go:build pprof
-// +build pprof
-
-package cmd
-
-import (
-	"net/http"
-	_ "net/http/pprof"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func init() {
-	addr := pprofAddr()
-	go pprof(addr)
-}
-
-func pprofAddr() string {
-	listenAddr := os.Getenv("NB_PPROF_ADDR")
-	if listenAddr == "" {
-		return "localhost:6969"
-	}
-
-	return listenAddr
-}
-
-func pprof(listenAddr string) {
-	log.Infof("listening pprof on: %s\n", listenAddr)
-	if err := http.ListenAndServe(listenAddr, nil); err != nil {
-		log.Fatalf("Failed to start pprof: %v", err)
-	}
-}
--- a/combined/cmd/root.go
+++ b/combined/cmd/root.go
@@ -1,735 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"crypto/sha256"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"os"
-	"os/signal"
-	"strconv"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"go.opentelemetry.io/otel/metric"
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/encryption"
-	mgmtServer "github.com/netbirdio/netbird/management/internals/server"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/relay/healthcheck"
-	relayServer "github.com/netbirdio/netbird/relay/server"
-	"github.com/netbirdio/netbird/relay/server/listener/ws"
-	sharedMetrics "github.com/netbirdio/netbird/shared/metrics"
-	"github.com/netbirdio/netbird/shared/relay/auth"
-	"github.com/netbirdio/netbird/shared/signal/proto"
-	signalServer "github.com/netbirdio/netbird/signal/server"
-	"github.com/netbirdio/netbird/stun"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/wsproxy"
-	wsproxyserver "github.com/netbirdio/netbird/util/wsproxy/server"
-)
-
-var (
-	configPath string
-	config     *CombinedConfig
-
-	rootCmd = &cobra.Command{
-		Use:   "combined",
-		Short: "Combined Netbird server (Management + Signal + Relay + STUN)",
-		Long: `Combined Netbird server for self-hosted deployments.
-
-All services (Management, Signal, Relay) are multiplexed on a single port.
-Optional STUN server runs on separate UDP ports.
-
-Configuration is loaded from a YAML file specified with --config.`,
-		SilenceUsage:  true,
-		SilenceErrors: true,
-		RunE:          execute,
-	}
-)
-
-func init() {
-	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "path to YAML configuration file (required)")
-	_ = rootCmd.MarkPersistentFlagRequired("config")
-
-	rootCmd.AddCommand(newTokenCommands())
-}
-
-func Execute() error {
-	return rootCmd.Execute()
-}
-
-func waitForExitSignal() {
-	osSigs := make(chan os.Signal, 1)
-	signal.Notify(osSigs, syscall.SIGINT, syscall.SIGTERM)
-	<-osSigs
-}
-
-func execute(cmd *cobra.Command, _ []string) error {
-	if err := initializeConfig(); err != nil {
-		return err
-	}
-
-	// Management is required as the base server when signal or relay are enabled
-	if (config.Signal.Enabled || config.Relay.Enabled) && !config.Management.Enabled {
-		return fmt.Errorf("management must be enabled when signal or relay are enabled (provides the base HTTP server)")
-	}
-
-	servers, err := createAllServers(cmd.Context(), config)
-	if err != nil {
-		return err
-	}
-
-	// Register services with management's gRPC server using AfterInit hook
-	setupServerHooks(servers, config)
-
-	// Start management server (this also starts the HTTP listener)
-	if servers.mgmtSrv != nil {
-		if err := servers.mgmtSrv.Start(cmd.Context()); err != nil {
-			cleanupSTUNListeners(servers.stunListeners)
-			return fmt.Errorf("failed to start management server: %w", err)
-		}
-	}
-
-	// Start all other servers
-	wg := sync.WaitGroup{}
-	startServers(&wg, servers.relaySrv, servers.healthcheck, servers.stunServer, servers.metricsServer)
-
-	waitForExitSignal()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	err = shutdownServers(ctx, servers.relaySrv, servers.healthcheck, servers.stunServer, servers.mgmtSrv, servers.metricsServer)
-	wg.Wait()
-	return err
-}
-
-// initializeConfig loads and validates the configuration, then initializes logging.
-func initializeConfig() error {
-	var err error
-	config, err = LoadConfig(configPath)
-	if err != nil {
-		return fmt.Errorf("failed to load config: %w", err)
-	}
-
-	if err := config.Validate(); err != nil {
-		return fmt.Errorf("invalid config: %w", err)
-	}
-
-	if err := util.InitLog(config.Server.LogLevel, config.Server.LogFile); err != nil {
-		return fmt.Errorf("failed to initialize log: %w", err)
-	}
-
-	if dsn := config.Server.Store.DSN; dsn != "" {
-		switch strings.ToLower(config.Server.Store.Engine) {
-		case "postgres":
-			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
-		case "mysql":
-			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
-		}
-	}
-	if file := config.Server.Store.File; file != "" {
-		os.Setenv("NB_STORE_ENGINE_SQLITE_FILE", file)
-	}
-
-	if engine := config.Server.ActivityStore.Engine; engine != "" {
-		engineLower := strings.ToLower(engine)
-		if engineLower == "postgres" && config.Server.ActivityStore.DSN == "" {
-			return fmt.Errorf("activityStore.dsn is required when activityStore.engine is postgres")
-		}
-		os.Setenv("NB_ACTIVITY_EVENT_STORE_ENGINE", engineLower)
-		if dsn := config.Server.ActivityStore.DSN; dsn != "" {
-			os.Setenv("NB_ACTIVITY_EVENT_POSTGRES_DSN", dsn)
-		}
-	}
-	if file := config.Server.ActivityStore.File; file != "" {
-		os.Setenv("NB_ACTIVITY_EVENT_SQLITE_FILE", file)
-	}
-
-	log.Infof("Starting combined NetBird server")
-	logConfig(config)
-	logEnvVars()
-	return nil
-}
-
-// serverInstances holds all server instances created during startup.
-type serverInstances struct {
-	relaySrv      *relayServer.Server
-	mgmtSrv       *mgmtServer.BaseServer
-	signalSrv     *signalServer.Server
-	healthcheck   *healthcheck.Server
-	stunServer    *stun.Server
-	stunListeners []*net.UDPConn
-	metricsServer *sharedMetrics.Metrics
-}
-
-// createAllServers creates all server instances based on configuration.
-func createAllServers(ctx context.Context, cfg *CombinedConfig) (*serverInstances, error) {
-	metricsServer, err := sharedMetrics.NewServer(cfg.Server.MetricsPort, "")
-	if err != nil {
-		return nil, fmt.Errorf("failed to create metrics server: %w", err)
-	}
-	servers := &serverInstances{
-		metricsServer: metricsServer,
-	}
-
-	_, tlsSupport, err := handleTLSConfig(cfg)
-	if err != nil {
-		return nil, fmt.Errorf("failed to setup TLS config: %w", err)
-	}
-
-	if err := servers.createRelayServer(cfg, tlsSupport); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createManagementServer(ctx, cfg); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createSignalServer(ctx, cfg); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createHealthcheckServer(cfg); err != nil {
-		return nil, err
-	}
-
-	return servers, nil
-}
-
-func (s *serverInstances) createRelayServer(cfg *CombinedConfig, tlsSupport bool) error {
-	if !cfg.Relay.Enabled {
-		return nil
-	}
-
-	var err error
-	s.stunListeners, err = createSTUNListeners(cfg)
-	if err != nil {
-		return err
-	}
-
-	hashedSecret := sha256.Sum256([]byte(cfg.Relay.AuthSecret))
-	authenticator := auth.NewTimedHMACValidator(hashedSecret[:], 24*time.Hour)
-
-	relayCfg := relayServer.Config{
-		Meter:          s.metricsServer.Meter,
-		ExposedAddress: cfg.Relay.ExposedAddress,
-		AuthValidator:  authenticator,
-		TLSSupport:     tlsSupport,
-	}
-
-	s.relaySrv, err = createRelayServer(relayCfg, s.stunListeners)
-	if err != nil {
-		return err
-	}
-
-	log.Infof("Relay server created")
-
-	if len(s.stunListeners) > 0 {
-		s.stunServer = stun.NewServer(s.stunListeners, cfg.Relay.Stun.LogLevel)
-	}
-
-	return nil
-}
-
-func (s *serverInstances) createManagementServer(ctx context.Context, cfg *CombinedConfig) error {
-	if !cfg.Management.Enabled {
-		return nil
-	}
-
-	mgmtConfig, err := cfg.ToManagementConfig()
-	if err != nil {
-		return fmt.Errorf("failed to create management config: %w", err)
-	}
-
-	_, portStr, portErr := net.SplitHostPort(cfg.Server.ListenAddress)
-	if portErr != nil {
-		portStr = "443"
-	}
-	mgmtPort, _ := strconv.Atoi(portStr)
-
-	if err := ApplyEmbeddedIdPConfig(ctx, mgmtConfig, mgmtPort, false); err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to apply embedded IdP config: %w", err)
-	}
-
-	if err := EnsureEncryptionKey(ctx, mgmtConfig); err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to ensure encryption key: %w", err)
-	}
-
-	LogConfigInfo(mgmtConfig)
-
-	s.mgmtSrv, err = createManagementServer(cfg, mgmtConfig)
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create management server: %w", err)
-	}
-
-	// Inject externally-managed AppMetrics so management uses the shared metrics server
-	appMetrics, err := telemetry.NewAppMetricsWithMeter(ctx, s.metricsServer.Meter)
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create management app metrics: %w", err)
-	}
-	mgmtServer.Inject[telemetry.AppMetrics](s.mgmtSrv, appMetrics)
-
-	log.Infof("Management server created")
-	return nil
-}
-
-func (s *serverInstances) createSignalServer(ctx context.Context, cfg *CombinedConfig) error {
-	if !cfg.Signal.Enabled {
-		return nil
-	}
-
-	var err error
-	s.signalSrv, err = signalServer.NewServer(ctx, s.metricsServer.Meter, "signal_")
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create signal server: %w", err)
-	}
-
-	log.Infof("Signal server created")
-	return nil
-}
-
-func (s *serverInstances) createHealthcheckServer(cfg *CombinedConfig) error {
-	hCfg := healthcheck.Config{
-		ListenAddress:  cfg.Server.HealthcheckAddress,
-		ServiceChecker: s.relaySrv,
-	}
-
-	var err error
-	s.healthcheck, err = createHealthCheck(hCfg, s.stunListeners)
-	return err
-}
-
-// setupServerHooks registers services with management's gRPC server.
-func setupServerHooks(servers *serverInstances, cfg *CombinedConfig) {
-	if servers.mgmtSrv == nil {
-		return
-	}
-
-	servers.mgmtSrv.AfterInit(func(s *mgmtServer.BaseServer) {
-		grpcSrv := s.GRPCServer()
-
-		if servers.signalSrv != nil {
-			proto.RegisterSignalExchangeServer(grpcSrv, servers.signalSrv)
-			log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
-		}
-
-		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
-		if servers.relaySrv != nil {
-			log.Infof("Relay WebSocket handler added (path: /relay)")
-		}
-	})
-}
-
-func startServers(wg *sync.WaitGroup, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, metricsServer *sharedMetrics.Metrics) {
-	if srv != nil {
-		instanceURL := srv.InstanceURL()
-		log.Infof("Relay server instance URL: %s", instanceURL.String())
-		log.Infof("Relay WebSocket multiplexed on management port (no separate relay listener)")
-	}
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		log.Infof("running metrics server: %s%s", metricsServer.Addr, metricsServer.Endpoint)
-		if err := metricsServer.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Fatalf("failed to start metrics server: %v", err)
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		if err := httpHealthcheck.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Fatalf("failed to start healthcheck server: %v", err)
-		}
-	}()
-
-	if stunServer != nil {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			if err := stunServer.Listen(); err != nil {
-				if errors.Is(err, stun.ErrServerClosed) {
-					return
-				}
-				log.Errorf("STUN server error: %v", err)
-			}
-		}()
-	}
-}
-
-func shutdownServers(ctx context.Context, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, mgmtSrv *mgmtServer.BaseServer, metricsServer *sharedMetrics.Metrics) error {
-	var errs error
-
-	if err := httpHealthcheck.Shutdown(ctx); err != nil {
-		errs = multierror.Append(errs, fmt.Errorf("failed to close healthcheck server: %w", err))
-	}
-
-	if stunServer != nil {
-		if err := stunServer.Shutdown(); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close STUN server: %w", err))
-		}
-	}
-
-	if srv != nil {
-		if err := srv.Shutdown(ctx); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close relay server: %w", err))
-		}
-	}
-
-	if mgmtSrv != nil {
-		log.Infof("shutting down management and signal servers")
-		if err := mgmtSrv.Stop(); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close management server: %w", err))
-		}
-	}
-
-	if metricsServer != nil {
-		log.Infof("shutting down metrics server")
-		if err := metricsServer.Shutdown(ctx); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close metrics server: %w", err))
-		}
-	}
-
-	return errs
-}
-
-func createHealthCheck(hCfg healthcheck.Config, stunListeners []*net.UDPConn) (*healthcheck.Server, error) {
-	httpHealthcheck, err := healthcheck.NewServer(hCfg)
-	if err != nil {
-		cleanupSTUNListeners(stunListeners)
-		return nil, fmt.Errorf("failed to create healthcheck server: %w", err)
-	}
-	return httpHealthcheck, nil
-}
-
-func createRelayServer(cfg relayServer.Config, stunListeners []*net.UDPConn) (*relayServer.Server, error) {
-	srv, err := relayServer.NewServer(cfg)
-	if err != nil {
-		cleanupSTUNListeners(stunListeners)
-		return nil, fmt.Errorf("failed to create relay server: %w", err)
-	}
-	return srv, nil
-}
-
-func cleanupSTUNListeners(stunListeners []*net.UDPConn) {
-	for _, l := range stunListeners {
-		_ = l.Close()
-	}
-}
-
-func createSTUNListeners(cfg *CombinedConfig) ([]*net.UDPConn, error) {
-	var stunListeners []*net.UDPConn
-	if cfg.Relay.Stun.Enabled {
-		for _, port := range cfg.Relay.Stun.Ports {
-			listener, err := net.ListenUDP("udp", &net.UDPAddr{Port: port})
-			if err != nil {
-				cleanupSTUNListeners(stunListeners)
-				return nil, fmt.Errorf("failed to create STUN listener on port %d: %w", port, err)
-			}
-			stunListeners = append(stunListeners, listener)
-			log.Infof("STUN server listening on UDP port %d", port)
-		}
-	}
-	return stunListeners, nil
-}
-
-func handleTLSConfig(cfg *CombinedConfig) (*tls.Config, bool, error) {
-	tlsCfg := cfg.Server.TLS
-
-	if tlsCfg.LetsEncrypt.AWSRoute53 {
-		log.Debugf("using Let's Encrypt DNS resolver with Route 53 support")
-		r53 := encryption.Route53TLS{
-			DataDir: tlsCfg.LetsEncrypt.DataDir,
-			Email:   tlsCfg.LetsEncrypt.Email,
-			Domains: tlsCfg.LetsEncrypt.Domains,
-		}
-		tc, err := r53.GetCertificate()
-		if err != nil {
-			return nil, false, err
-		}
-		return tc, true, nil
-	}
-
-	if cfg.HasLetsEncrypt() {
-		log.Infof("setting up TLS with Let's Encrypt")
-		certManager, err := encryption.CreateCertManager(tlsCfg.LetsEncrypt.DataDir, tlsCfg.LetsEncrypt.Domains...)
-		if err != nil {
-			return nil, false, fmt.Errorf("failed creating LetsEncrypt cert manager: %w", err)
-		}
-		return certManager.TLSConfig(), true, nil
-	}
-
-	if cfg.HasTLSCert() {
-		log.Debugf("using file based TLS config")
-		tc, err := encryption.LoadTLSConfig(tlsCfg.CertFile, tlsCfg.KeyFile)
-		if err != nil {
-			return nil, false, err
-		}
-		return tc, true, nil
-	}
-
-	return nil, false, nil
-}
-
-func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*mgmtServer.BaseServer, error) {
-	mgmt := cfg.Management
-
-	dnsDomain := mgmt.DnsDomain
-	singleAccModeDomain := dnsDomain
-
-	// Extract port from listen address
-	_, portStr, err := net.SplitHostPort(cfg.Server.ListenAddress)
-	if err != nil {
-		// If no port specified, assume default
-		portStr = "443"
-	}
-	mgmtPort, _ := strconv.Atoi(portStr)
-
-	mgmtSrv := mgmtServer.NewServer(
-		&mgmtServer.Config{
-			NbConfig:                mgmtConfig,
-			DNSDomain:               dnsDomain,
-			MgmtSingleAccModeDomain: singleAccModeDomain,
-			MgmtPort:                mgmtPort,
-			MgmtMetricsPort:         cfg.Server.MetricsPort,
-			DisableMetrics:          mgmt.DisableAnonymousMetrics,
-			DisableGeoliteUpdate:    mgmt.DisableGeoliteUpdate,
-			// Always enable user deletion from IDP in combined server (embedded IdP is always enabled)
-			UserDeleteFromIDPEnabled: true,
-		},
-	)
-
-	return mgmtSrv, nil
-}
-
-// createCombinedHandler creates an HTTP handler that multiplexes Management, Signal (via wsproxy), and Relay WebSocket traffic
-func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
-	wsProxy := wsproxyserver.New(grpcServer, wsproxyserver.WithOTelMeter(meter))
-
-	var relayAcceptFn func(conn net.Conn)
-	if relaySrv != nil {
-		relayAcceptFn = relaySrv.RelayAccept()
-	}
-
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch {
-		// Native gRPC traffic (HTTP/2 with gRPC content-type)
-		case r.ProtoMajor == 2 && (strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") ||
-			strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc+proto")):
-			grpcServer.ServeHTTP(w, r)
-
-		// WebSocket proxy for Management gRPC
-		case r.URL.Path == wsproxy.ProxyPath+wsproxy.ManagementComponent:
-			wsProxy.Handler().ServeHTTP(w, r)
-
-		// WebSocket proxy for Signal gRPC
-		case r.URL.Path == wsproxy.ProxyPath+wsproxy.SignalComponent:
-			if cfg.Signal.Enabled {
-				wsProxy.Handler().ServeHTTP(w, r)
-			} else {
-				http.Error(w, "Signal service not enabled", http.StatusNotFound)
-			}
-
-		// Relay WebSocket
-		case r.URL.Path == "/relay":
-			if relayAcceptFn != nil {
-				handleRelayWebSocket(w, r, relayAcceptFn, cfg)
-			} else {
-				http.Error(w, "Relay service not enabled", http.StatusNotFound)
-			}
-
-		// Management HTTP API (default)
-		default:
-			httpHandler.ServeHTTP(w, r)
-		}
-	})
-}
-
-// handleRelayWebSocket handles incoming WebSocket connections for the relay service
-func handleRelayWebSocket(w http.ResponseWriter, r *http.Request, acceptFn func(conn net.Conn), cfg *CombinedConfig) {
-	acceptOptions := &websocket.AcceptOptions{
-		OriginPatterns: []string{"*"},
-	}
-
-	wsConn, err := websocket.Accept(w, r, acceptOptions)
-	if err != nil {
-		log.Errorf("failed to accept relay ws connection: %s", err)
-		return
-	}
-
-	connRemoteAddr := r.RemoteAddr
-	if r.Header.Get("X-Real-Ip") != "" && r.Header.Get("X-Real-Port") != "" {
-		connRemoteAddr = net.JoinHostPort(r.Header.Get("X-Real-Ip"), r.Header.Get("X-Real-Port"))
-	}
-
-	rAddr, err := net.ResolveTCPAddr("tcp", connRemoteAddr)
-	if err != nil {
-		_ = wsConn.Close(websocket.StatusInternalError, "internal error")
-		return
-	}
-
-	lAddr, err := net.ResolveTCPAddr("tcp", cfg.Server.ListenAddress)
-	if err != nil {
-		_ = wsConn.Close(websocket.StatusInternalError, "internal error")
-		return
-	}
-
-	log.Debugf("Relay WS client connected from: %s", rAddr)
-
-	conn := ws.NewConn(wsConn, lAddr, rAddr)
-	acceptFn(conn)
-}
-
-// logConfig prints all configuration parameters for debugging
-func logConfig(cfg *CombinedConfig) {
-	log.Info("=== Configuration ===")
-	logServerConfig(cfg)
-	logComponentsConfig(cfg)
-	logRelayConfig(cfg)
-	logManagementConfig(cfg)
-	log.Info("=== End Configuration ===")
-}
-
-func logServerConfig(cfg *CombinedConfig) {
-	log.Info("--- Server ---")
-	log.Infof("  Listen address: %s", cfg.Server.ListenAddress)
-	log.Infof("  Exposed address: %s", cfg.Server.ExposedAddress)
-	log.Infof("  Healthcheck address: %s", cfg.Server.HealthcheckAddress)
-	log.Infof("  Metrics port: %d", cfg.Server.MetricsPort)
-	log.Infof("  Log level: %s", cfg.Server.LogLevel)
-	log.Infof("  Data dir: %s", cfg.Server.DataDir)
-
-	switch {
-	case cfg.HasTLSCert():
-		log.Infof("  TLS: cert=%s, key=%s", cfg.Server.TLS.CertFile, cfg.Server.TLS.KeyFile)
-	case cfg.HasLetsEncrypt():
-		log.Infof("  TLS: Let's Encrypt (domains=%v)", cfg.Server.TLS.LetsEncrypt.Domains)
-	default:
-		log.Info("  TLS: disabled (using reverse proxy)")
-	}
-}
-
-func logComponentsConfig(cfg *CombinedConfig) {
-	log.Info("--- Components ---")
-	log.Infof("  Management: %v (log level: %s)", cfg.Management.Enabled, cfg.Management.LogLevel)
-	log.Infof("  Signal: %v (log level: %s)", cfg.Signal.Enabled, cfg.Signal.LogLevel)
-	log.Infof("  Relay: %v (log level: %s)", cfg.Relay.Enabled, cfg.Relay.LogLevel)
-}
-
-func logRelayConfig(cfg *CombinedConfig) {
-	if !cfg.Relay.Enabled {
-		return
-	}
-	log.Info("--- Relay ---")
-	log.Infof("  Exposed address: %s", cfg.Relay.ExposedAddress)
-	log.Infof("  Auth secret: %s...", maskSecret(cfg.Relay.AuthSecret))
-	if cfg.Relay.Stun.Enabled {
-		log.Infof("  STUN ports: %v (log level: %s)", cfg.Relay.Stun.Ports, cfg.Relay.Stun.LogLevel)
-	} else {
-		log.Info("  STUN: disabled")
-	}
-}
-
-func logManagementConfig(cfg *CombinedConfig) {
-	if !cfg.Management.Enabled {
-		return
-	}
-	log.Info("--- Management ---")
-	log.Infof("  Data dir: %s", cfg.Management.DataDir)
-	log.Infof("  DNS domain: %s", cfg.Management.DnsDomain)
-	log.Infof("  Store engine: %s", cfg.Management.Store.Engine)
-	if cfg.Server.Store.DSN != "" {
-		log.Infof("  Store DSN: %s", maskDSNPassword(cfg.Server.Store.DSN))
-	}
-
-	log.Info("  Auth (embedded IdP):")
-	log.Infof("    Issuer: %s", cfg.Management.Auth.Issuer)
-	log.Infof("    Dashboard redirect URIs: %v", cfg.Management.Auth.DashboardRedirectURIs)
-	log.Infof("    CLI redirect URIs: %v", cfg.Management.Auth.CLIRedirectURIs)
-
-	log.Info("  Client settings:")
-	log.Infof("    Signal URI: %s", cfg.Management.SignalURI)
-	for _, s := range cfg.Management.Stuns {
-		log.Infof("    STUN: %s", s.URI)
-	}
-	if len(cfg.Management.Relays.Addresses) > 0 {
-		log.Infof("    Relay addresses: %v", cfg.Management.Relays.Addresses)
-		log.Infof("    Relay credentials TTL: %s", cfg.Management.Relays.CredentialsTTL)
-	}
-}
-
-// logEnvVars logs all NB_ environment variables that are currently set
-func logEnvVars() {
-	log.Info("=== Environment Variables ===")
-	found := false
-	for _, env := range os.Environ() {
-		if strings.HasPrefix(env, "NB_") {
-			key, _, _ := strings.Cut(env, "=")
-			value := os.Getenv(key)
-			keyLower := strings.ToLower(key)
-			if strings.Contains(keyLower, "secret") || strings.Contains(keyLower, "key") || strings.Contains(keyLower, "password") {
-				value = maskSecret(value)
-			} else if strings.Contains(keyLower, "dsn") {
-				value = maskDSNPassword(value)
-			}
-			log.Infof("  %s=%s", key, value)
-			found = true
-		}
-	}
-	if !found {
-		log.Info("  (none set)")
-	}
-	log.Info("=== End Environment Variables ===")
-}
-
-// maskDSNPassword masks the password in a DSN string.
-// Handles both key=value format ("password=secret") and URI format ("user:secret@host").
-func maskDSNPassword(dsn string) string {
-	// Key=value format: "host=localhost user=nb password=secret dbname=nb"
-	if strings.Contains(dsn, "password=") {
-		parts := strings.Fields(dsn)
-		for i, p := range parts {
-			if strings.HasPrefix(p, "password=") {
-				parts[i] = "password=****"
-			}
-		}
-		return strings.Join(parts, " ")
-	}
-
-	// URI format: "user:password@host..."
-	if atIdx := strings.Index(dsn, "@"); atIdx != -1 {
-		prefix := dsn[:atIdx]
-		if colonIdx := strings.Index(prefix, ":"); colonIdx != -1 {
-			return prefix[:colonIdx+1] + "****" + dsn[atIdx:]
-		}
-	}
-
-	return dsn
-}
-
-// maskSecret returns first 4 chars of secret followed by "..."
-func maskSecret(secret string) string {
-	if len(secret) <= 4 {
-		return "****"
-	}
-	return secret[:4] + "..."
-}
--- a/combined/cmd/token.go
+++ b/combined/cmd/token.go
@@ -1,63 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/formatter/hook"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-)
-
-// newTokenCommands creates the token command tree with combined-specific store opener.
-func newTokenCommands() *cobra.Command {
-	return tokencmd.NewCommands(withTokenStore)
-}
-
-// withTokenStore loads the combined YAML config, initializes the store, and calls fn.
-func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
-	if err := util.InitLog("error", "console"); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
-
-	cfg, err := LoadConfig(configPath)
-	if err != nil {
-		return fmt.Errorf("load config: %w", err)
-	}
-
-	if dsn := cfg.Server.Store.DSN; dsn != "" {
-		switch strings.ToLower(cfg.Server.Store.Engine) {
-		case "postgres":
-			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
-		case "mysql":
-			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
-		}
-	}
-	if file := cfg.Server.Store.File; file != "" {
-		os.Setenv("NB_STORE_ENGINE_SQLITE_FILE", file)
-	}
-
-	datadir := cfg.Management.DataDir
-	engine := types.Engine(cfg.Management.Store.Engine)
-
-	s, err := store.NewStore(ctx, engine, datadir, nil, true)
-	if err != nil {
-		return fmt.Errorf("create store: %w", err)
-	}
-	defer func() {
-		if err := s.Close(ctx); err != nil {
-			log.Debugf("close store: %v", err)
-		}
-	}()
-
-	return fn(ctx, s)
-}
--- a/combined/config.yaml.example
+++ b/combined/config.yaml.example
@@ -1,124 +0,0 @@
-# NetBird Combined Server Configuration
-# Copy this file to config.yaml and customize for your deployment
-#
-# This is a Management server with optional embedded Signal, Relay, and STUN services.
-# By default, all services run locally. You can use external services instead by
-# setting the corresponding override fields.
-#
-# Architecture:
-#   - Management: Always runs locally (this IS the management server)
-#   - Signal: Local by default; set 'signalUri' to use external (disables local)
-#   - Relay: Local by default; set 'relays' to use external (disables local)
-#   - STUN: Local on port 3478 by default; set 'stuns' to use external instead
-
-server:
-  # Main HTTP/gRPC port for all services (Management, Signal, Relay)
-  listenAddress: ":443"
-
-  # Public address that peers will use to connect to this server
-  # Used for relay connections and management DNS domain
-  # Format: protocol://hostname:port (e.g., https://server.mycompany.com:443)
-  exposedAddress: "https://server.mycompany.com:443"
-
-  # STUN server ports (defaults to [3478] if not specified; set 'stuns' to use external)
-  # stunPorts:
-  #   - 3478
-
-  # Metrics endpoint port
-  metricsPort: 9090
-
-  # Healthcheck endpoint address
-  healthcheckAddress: ":9000"
-
-  # Logging configuration
-  logLevel: "info"    # Default log level for all components: panic, fatal, error, warn, info, debug, trace
-  logFile: "console"  # "console" or path to log file
-
-  # TLS configuration (optional)
-  tls:
-    certFile: ""
-    keyFile: ""
-    letsencrypt:
-      enabled: false
-      dataDir: ""
-      domains: []
-      email: ""
-      awsRoute53: false
-
-  # Shared secret for relay authentication (required when running local relay)
-  authSecret: "your-secret-key-here"
-
-  # Data directory for all services
-  dataDir: "/var/lib/netbird/"
-
-  # ============================================================================
-  # External Service Overrides (optional)
-  # Use these to point to external Signal, Relay, or STUN servers instead of
-  # running them locally. When set, the corresponding local service is disabled.
-  # ============================================================================
-
-  # External STUN servers - disables local STUN server
-  # stuns:
-  #   - uri: "stun:stun.example.com:3478"
-  #   - uri: "stun:stun.example.com:3479"
-
-  # External relay servers - disables local relay server
-  # relays:
-  #   addresses:
-  #     - "rels://relay.example.com:443"
-  #   credentialsTTL: "12h"
-  #   secret: "relay-shared-secret"
-
-  # External signal server - disables local signal server
-  # signalUri: "https://signal.example.com:443"
-
-  # ============================================================================
-  # Management Settings
-  # ============================================================================
-
-  # Metrics and updates
-  disableAnonymousMetrics: false
-  disableGeoliteUpdate: false
-
-  # Embedded authentication/identity provider (Dex) configuration (always enabled)
-  auth:
-    # OIDC issuer URL - must be publicly accessible
-    issuer: "https://example.com/oauth2"
-    localAuthDisabled: false
-    signKeyRefreshEnabled: false
-    # OAuth2 redirect URIs for dashboard
-    dashboardRedirectURIs:
-      - "https://app.example.com/nb-auth"
-      - "https://app.example.com/nb-silent-auth"
-    # OAuth2 redirect URIs for CLI
-    cliRedirectURIs:
-      - "http://localhost:53000/"
-    # Optional initial admin user
-    # owner:
-    #   email: "admin@example.com"
-    #   password: "initial-password"
-
-  # Store configuration
-  store:
-    engine: "sqlite"  # sqlite, postgres, or mysql
-    dsn: ""  # Connection string for postgres or mysql
-    encryptionKey: ""
-    # file: ""  # Custom SQLite file path (optional, defaults to {dataDir}/store.db)
-
-  # Activity events store configuration (optional, defaults to sqlite in dataDir)
-  # activityStore:
-  #   engine: "sqlite"  # sqlite or postgres
-  #   dsn: ""  # Connection string for postgres
-  #   file: ""  # Custom SQLite file path (optional, defaults to {dataDir}/events.db)
-
-  # Auth (embedded IdP) store configuration (optional, defaults to sqlite3 in dataDir/idp.db)
-  # authStore:
-  #   engine: "sqlite3"  # sqlite3 or postgres
-  #   dsn: ""  # Connection string for postgres (e.g., "host=localhost port=5432 user=postgres password=postgres dbname=netbird_idp sslmode=disable")
-  #   file: ""  # Custom SQLite file path (optional, defaults to {dataDir}/idp.db)
-
-  # Reverse proxy settings (optional)
-  # reverseProxy:
-  #   trustedHTTPProxies: []
-  #   trustedHTTPProxiesCount: 0
-  #   trustedPeers: []
--- a/combined/main.go
+++ b/combined/main.go
@@ -1,13 +0,0 @@
-package main
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/combined/cmd"
-)
-
-func main() {
-	if err := cmd.Execute(); err != nil {
-		log.Fatalf("failed to execute command: %v", err)
-	}
-}
--- a/formatter/txt/formatter.go
+++ b/formatter/txt/formatter.go
@@ -1,6 +1,8 @@
 package txt

 import (
+	"time"
+
 	"github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/formatter/levels"
@@ -16,7 +18,7 @@ type TextFormatter struct {
 func NewTextFormatter() *TextFormatter {
 	return &TextFormatter{
 		levelDesc:       levels.ValidLevelDesc,
-		timestampFormat: "2006-01-02T15:04:05.000Z07:00",
+		timestampFormat: time.RFC3339, // or RFC3339
 	}
 }

--- a/formatter/txt/formatter_test.go
+++ b/formatter/txt/formatter_test.go
@@ -21,6 +21,6 @@ func TestLogTextFormat(t *testing.T) {
 	result, _ := formatter.Format(someEntry)

 	parsedString := string(result)
-	expectedString := "^2021-02-21T01:10:30.000Z WARN \\[(att1: 1, att2: 2|att2: 2, att1: 1)\\] some/fancy/path.go:46: Some Message\\s+$"
+	expectedString := "^2021-02-21T01:10:30Z WARN \\[(att1: 1, att2: 2|att2: 2, att1: 1)\\] some/fancy/path.go:46: Some Message\\s+$"
 	assert.Regexp(t, expectedString, parsedString)
 }
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
 	github.com/cilium/ebpf v0.15.0
-	github.com/coder/websocket v1.8.14
+	github.com/coder/websocket v1.8.13
 	github.com/coreos/go-iptables v0.7.0
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
@@ -83,7 +83,6 @@ require (
 	github.com/pion/stun/v3 v3.1.0
 	github.com/pion/transport/v3 v3.1.1
 	github.com/pion/turn/v3 v3.0.1
-	github.com/pires/go-proxyproto v0.11.0
 	github.com/pkg/sftp v1.13.9
 	github.com/prometheus/client_golang v1.23.2
 	github.com/quic-go/quic-go v0.55.0
@@ -93,10 +92,10 @@ require (
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 	github.com/stretchr/testify v1.11.1
-	github.com/testcontainers/testcontainers-go v0.37.0
-	github.com/testcontainers/testcontainers-go/modules/mysql v0.37.0
-	github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0
-	github.com/testcontainers/testcontainers-go/modules/redis v0.37.0
+	github.com/testcontainers/testcontainers-go v0.31.0
+	github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0
+	github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0
+	github.com/testcontainers/testcontainers-go/modules/redis v0.31.0
 	github.com/things-go/go-socks5 v0.0.4
 	github.com/ti-mo/conntrack v0.5.1
 	github.com/ti-mo/netfilter v0.5.2
@@ -142,6 +141,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/awnumar/memcall v0.4.0 // indirect
@@ -165,16 +165,16 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v28.0.1+incompatible // indirect
+	github.com/docker/docker v26.1.5+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect
@@ -220,10 +220,9 @@ require (
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
-	github.com/magiconair/properties v1.8.10 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
-	github.com/mdelapenya/tlscert v0.2.0 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mholt/acmez/v2 v2.0.1 // indirect
@@ -242,7 +241,7 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pion/dtls/v2 v2.2.10 // indirect
 	github.com/pion/dtls/v3 v3.0.9 // indirect
 	github.com/pion/mdns/v2 v2.0.7 // indirect
@@ -256,7 +255,6 @@ require (
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.1 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -33,6 +33,8 @@ github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe
 github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0=
+github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible h1:hqcTK6ZISdip65SR792lwYJTa/axESA0889D3UlZbLo=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible/go.mod h1:6B1nuc1MUs6c62ODZDl7hVE5Pv7O2XGSkgg2olnq34I=
@@ -105,8 +107,10 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
-github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
-github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
+github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
+github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
+github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
@@ -131,14 +135,12 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.0.1+incompatible h1:FCHjSRdXhNRFjlHMTv4jUNlIBbTeRjrWfeFuJp7jpo0=
-github.com/docker/docker v28.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g=
+github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
-github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/eko/gocache/lib/v4 v4.2.0 h1:MNykyi5Xw+5Wu3+PUrvtOCaKSZM1nUSVftbzmeC7Yuw=
 github.com/eko/gocache/lib/v4 v4.2.0/go.mod h1:7ViVmbU+CzDHzRpmB4SXKyyzyuJ8A3UW3/cszpcqB4M=
 github.com/eko/gocache/store/go_cache/v4 v4.2.2 h1:tAI9nl6TLoJyKG1ujF0CS0n/IgTEMl+NivxtR5R3/hw=
@@ -193,6 +195,8 @@ github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3yg
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
+github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
+github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
@@ -353,15 +357,13 @@ github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81/go.mod h1:RD8ML/Y
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tAFlj1FYZl8ztUZ13bdq+PLY+NOfbyI=
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
-github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
-github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
+github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
 github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/mdelapenya/tlscert v0.2.0 h1:7H81W6Z/4weDvZBNOfQte5GpIMo0lGYEeWbkGp5LJHI=
-github.com/mdelapenya/tlscert v0.2.0/go.mod h1:O4njj3ELLnJjGdkN7M/vIVCpZ+Cf0L6muqOG4tLSl8o=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
@@ -435,12 +437,13 @@ github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
+github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
 github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203 h1:E7Kmf11E4K7B5hDti2K2NqPb1nlYlGYsu02S1JNd/Bs=
@@ -471,8 +474,6 @@ github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
 github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
 github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
-github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=
-github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -510,8 +511,6 @@ github.com/rymdport/portal v0.4.2 h1:7jKRSemwlTyVHHrTGgQg7gmNPJs88xkbKcIL3NlcmSU
 github.com/rymdport/portal v0.4.2/go.mod h1:kFF4jslnJ8pD5uCi17brj/ODlfIidOxlgUDTO5ncnC4=
 github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
 github.com/shirou/gopsutil/v3 v3.24.4/go.mod h1:lTd2mdiOspcqLgAnr9/nGi71NkeMpWKdmhuxm9GusH8=
-github.com/shirou/gopsutil/v4 v4.25.1 h1:QSWkTc+fu9LTAWfkZwZ6j8MSUk4A2LV7rbH0ZqmLjXs=
-github.com/shirou/gopsutil/v4 v4.25.1/go.mod h1:RoUCUpndaJFtT+2zsZzzmhvbfGoDCJ7nFXKJf8GqJbI=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@@ -553,14 +552,14 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/testcontainers/testcontainers-go v0.37.0 h1:L2Qc0vkTw2EHWQ08djon0D2uw7Z/PtHS/QzZZ5Ra/hg=
-github.com/testcontainers/testcontainers-go v0.37.0/go.mod h1:QPzbxZhQ6Bclip9igjLFj6z0hs01bU8lrl2dHQmgFGM=
-github.com/testcontainers/testcontainers-go/modules/mysql v0.37.0 h1:LqUos1oR5iuuzorFnSvxsHNdYdCHB/DfI82CuT58wbI=
-github.com/testcontainers/testcontainers-go/modules/mysql v0.37.0/go.mod h1:vHEEHx5Kf+uq5hveaVAMrTzPY8eeRZcKcl23MRw5Tkc=
-github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0 h1:hsVwFkS6s+79MbKEO+W7A1wNIw1fmkMtF4fg83m6kbc=
-github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0/go.mod h1:Qj/eGbRbO/rEYdcRLmN+bEojzatP/+NS1y8ojl2PQsc=
-github.com/testcontainers/testcontainers-go/modules/redis v0.37.0 h1:9HIY28I9ME/Zmb+zey1p/I1mto5+5ch0wLX+nJdOsQ4=
-github.com/testcontainers/testcontainers-go/modules/redis v0.37.0/go.mod h1:Abu9g/25Qv+FkYVx3U4Voaynou1c+7D0HIhaQJXvk6E=
+github.com/testcontainers/testcontainers-go v0.31.0 h1:W0VwIhcEVhRflwL9as3dhY6jXjVCA27AkmbnZ+UTh3U=
+github.com/testcontainers/testcontainers-go v0.31.0/go.mod h1:D2lAoA0zUFiSY+eAflqK5mcUx/A5hrrORaEQrd0SefI=
+github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0 h1:790+S8ewZYCbG+o8IiFlZ8ZZ33XbNO6zV9qhU6xhlRk=
+github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0/go.mod h1:REFmO+lSG9S6uSBEwIMZCxeI36uhScjTwChYADeO3JA=
+github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0 h1:isAwFS3KNKRbJMbWv+wolWqOFUECmjYZ+sIRZCIBc/E=
+github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0/go.mod h1:ZNYY8vumNCEG9YI59A9d6/YaMY49uwRhmeU563EzFGw=
+github.com/testcontainers/testcontainers-go/modules/redis v0.31.0 h1:5X6GhOdLwV86zcW8sxppJAMtsDC9u+r9tb3biBc9GKs=
+github.com/testcontainers/testcontainers-go/modules/redis v0.31.0/go.mod h1:dKi5xBwy1k4u8yb3saQHu7hMEJwewHXxzbcMAuLiA6o=
 github.com/things-go/go-socks5 v0.0.4 h1:jMQjIc+qhD4z9cITOMnBiwo9dDmpGuXmBlkRFrl/qD0=
 github.com/things-go/go-socks5 v0.0.4/go.mod h1:sh4K6WHrmHZpjxLTCHyYtXYH8OUuD+yZun41NomR1IQ=
 github.com/ti-mo/conntrack v0.5.1 h1:opEwkFICnDbQc0BUXl73PHBK0h23jEIFVjXsqvF4GY0=
@@ -850,7 +849,7 @@ gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDa
 gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
+gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c h1:pfzmXIkkDgydR4ZRP+e1hXywZfYR21FA0Fbk6ptMkiA=
 gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c/go.mod h1:/mc6CfwbOm5KKmqoV7Qx20Q+Ja8+vO4g7FuCdlVoAfQ=
--- a/idp/dex/config.go
+++ b/idp/dex/config.go
@@ -5,10 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
-	"net/url"
 	"os"
-	"strconv"
-	"strings"
 	"time"

 	"golang.org/x/crypto/bcrypt"
@@ -198,175 +195,11 @@ func (s *Storage) OpenStorage(logger *slog.Logger) (storage.Storage, error) {
 			return nil, fmt.Errorf("sqlite3 storage requires 'file' config")
 		}
 		return (&sql.SQLite3{File: file}).Open(logger)
-	case "postgres":
-		dsn, _ := s.Config["dsn"].(string)
-		if dsn == "" {
-			return nil, fmt.Errorf("postgres storage requires 'dsn' config")
-		}
-		pg, err := parsePostgresDSN(dsn)
-		if err != nil {
-			return nil, fmt.Errorf("invalid postgres DSN: %w", err)
-		}
-		return pg.Open(logger)
 	default:
 		return nil, fmt.Errorf("unsupported storage type: %s", s.Type)
 	}
 }

-// parsePostgresDSN parses a DSN into a sql.Postgres config.
-// It accepts both URI format (postgres://user:pass@host:port/dbname?sslmode=disable)
-// and libpq key=value format (host=localhost port=5432 dbname=mydb), including quoted values.
-func parsePostgresDSN(dsn string) (*sql.Postgres, error) {
-	var params map[string]string
-	var err error
-
-	if strings.HasPrefix(dsn, "postgres://") || strings.HasPrefix(dsn, "postgresql://") {
-		params, err = parsePostgresURI(dsn)
-	} else {
-		params, err = parsePostgresKeyValue(dsn)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	host := params["host"]
-	if host == "" {
-		host = "localhost"
-	}
-
-	var port uint16 = 5432
-	if p, ok := params["port"]; ok && p != "" {
-		v, err := strconv.ParseUint(p, 10, 16)
-		if err != nil {
-			return nil, fmt.Errorf("invalid port %q: %w", p, err)
-		}
-		if v == 0 {
-			return nil, fmt.Errorf("invalid port %q: must be non-zero", p)
-		}
-		port = uint16(v)
-	}
-
-	dbname := params["dbname"]
-	if dbname == "" {
-		return nil, fmt.Errorf("dbname is required in DSN")
-	}
-
-	pg := &sql.Postgres{
-		NetworkDB: sql.NetworkDB{
-			Host:     host,
-			Port:     port,
-			Database: dbname,
-			User:     params["user"],
-			Password: params["password"],
-		},
-	}
-
-	if sslMode := params["sslmode"]; sslMode != "" {
-		switch sslMode {
-		case "disable", "allow", "prefer", "require", "verify-ca", "verify-full":
-			pg.SSL.Mode = sslMode
-		default:
-			return nil, fmt.Errorf("unsupported sslmode %q: valid values are disable, allow, prefer, require, verify-ca, verify-full", sslMode)
-		}
-	}
-
-	return pg, nil
-}
-
-// parsePostgresURI parses a postgres:// or postgresql:// URI into parameter key-value pairs.
-func parsePostgresURI(dsn string) (map[string]string, error) {
-	u, err := url.Parse(dsn)
-	if err != nil {
-		return nil, fmt.Errorf("invalid postgres URI: %w", err)
-	}
-
-	params := make(map[string]string)
-
-	if u.User != nil {
-		params["user"] = u.User.Username()
-		if p, ok := u.User.Password(); ok {
-			params["password"] = p
-		}
-	}
-	if u.Hostname() != "" {
-		params["host"] = u.Hostname()
-	}
-	if u.Port() != "" {
-		params["port"] = u.Port()
-	}
-
-	dbname := strings.TrimPrefix(u.Path, "/")
-	if dbname != "" {
-		params["dbname"] = dbname
-	}
-
-	for k, v := range u.Query() {
-		if len(v) > 0 {
-			params[k] = v[0]
-		}
-	}
-
-	return params, nil
-}
-
-// parsePostgresKeyValue parses a libpq key=value DSN string, handling single-quoted values
-// (e.g., password='my pass' host=localhost).
-func parsePostgresKeyValue(dsn string) (map[string]string, error) {
-	params := make(map[string]string)
-	s := strings.TrimSpace(dsn)
-
-	for s != "" {
-		eqIdx := strings.IndexByte(s, '=')
-		if eqIdx < 0 {
-			break
-		}
-		key := strings.TrimSpace(s[:eqIdx])
-
-		value, rest, err := parseDSNValue(s[eqIdx+1:])
-		if err != nil {
-			return nil, fmt.Errorf("%w for key %q", err, key)
-		}
-
-		params[key] = value
-		s = strings.TrimSpace(rest)
-	}
-
-	return params, nil
-}
-
-// parseDSNValue parses the next value from a libpq key=value string positioned after the '='.
-// It returns the parsed value and the remaining unparsed string.
-func parseDSNValue(s string) (value, rest string, err error) {
-	if len(s) > 0 && s[0] == '\'' {
-		return parseQuotedDSNValue(s[1:])
-	}
-	// Unquoted value: read until whitespace.
-	idx := strings.IndexAny(s, " \t\n")
-	if idx < 0 {
-		return s, "", nil
-	}
-	return s[:idx], s[idx:], nil
-}
-
-// parseQuotedDSNValue parses a single-quoted value starting after the opening quote.
-// Libpq uses ” to represent a literal single quote inside quoted values.
-func parseQuotedDSNValue(s string) (value, rest string, err error) {
-	var buf strings.Builder
-	for len(s) > 0 {
-		if s[0] == '\'' {
-			if len(s) > 1 && s[1] == '\'' {
-				buf.WriteByte('\'')
-				s = s[2:]
-				continue
-			}
-			return buf.String(), s[1:], nil
-		}
-		buf.WriteByte(s[0])
-		s = s[1:]
-	}
-	return "", "", fmt.Errorf("unterminated quoted value")
-}
-
 // Validate validates the configuration
 func (c *YAMLConfig) Validate() error {
 	if c.Issuer == "" {
--- a/idp/dex/provider.go
+++ b/idp/dex/provider.go
@@ -99,16 +99,15 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {

 	// Build Dex server config - use Dex's types directly
 	dexConfig := server.Config{
-		Issuer:                     issuer,
-		Storage:                    stor,
-		SkipApprovalScreen:         true,
-		SupportedResponseTypes:     []string{"code"},
-		ContinueOnConnectorFailure: true,
-		Logger:                     logger,
-		PrometheusRegistry:         prometheus.NewRegistry(),
-		RotateKeysAfter:            6 * time.Hour,
-		IDTokensValidFor:           24 * time.Hour,
-		RefreshTokenPolicy:         refreshPolicy,
+		Issuer:                 issuer,
+		Storage:                stor,
+		SkipApprovalScreen:     true,
+		SupportedResponseTypes: []string{"code"},
+		Logger:                 logger,
+		PrometheusRegistry:     prometheus.NewRegistry(),
+		RotateKeysAfter:        6 * time.Hour,
+		IDTokensValidFor:       24 * time.Hour,
+		RefreshTokenPolicy:     refreshPolicy,
 		Web: server.WebConfig{
 			Issuer: "NetBird",
 		},
@@ -261,7 +260,6 @@ func buildDexConfig(yamlConfig *YAMLConfig, stor storage.Storage, logger *slog.L
 	if len(cfg.SupportedResponseTypes) == 0 {
 		cfg.SupportedResponseTypes = []string{"code"}
 	}
-	cfg.ContinueOnConnectorFailure = true
 	return cfg
 }

--- a/idp/dex/provider_test.go
+++ b/idp/dex/provider_test.go
@@ -2,7 +2,6 @@ package dex

 import (
 	"context"
-	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
@@ -196,64 +195,3 @@ enablePasswordDB: true

 	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
 }
-
-func TestNewProvider_ContinueOnConnectorFailure(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-connector-failure-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	config := &Config{
-		Issuer:  "http://localhost:5556/dex",
-		Port:    5556,
-		DataDir: tmpDir,
-	}
-
-	provider, err := NewProvider(ctx, config)
-	require.NoError(t, err)
-	defer func() { _ = provider.Stop(ctx) }()
-
-	// The provider should have started successfully even though
-	// ContinueOnConnectorFailure is an internal Dex config field.
-	// We verify the provider is functional by performing a basic operation.
-	assert.NotNil(t, provider.dexServer)
-	assert.NotNil(t, provider.storage)
-}
-
-func TestBuildDexConfig_ContinueOnConnectorFailure(t *testing.T) {
-	tmpDir, err := os.MkdirTemp("", "dex-build-config-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	yamlContent := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + filepath.Join(tmpDir, "dex.db") + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-`
-	configPath := filepath.Join(tmpDir, "config.yaml")
-	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
-	require.NoError(t, err)
-
-	yamlConfig, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	stor, err := yamlConfig.Storage.OpenStorage(slog.New(slog.NewTextHandler(os.Stderr, nil)))
-	require.NoError(t, err)
-	defer stor.Close()
-
-	err = initializeStorage(ctx, stor, yamlConfig)
-	require.NoError(t, err)
-
-	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	cfg := buildDexConfig(yamlConfig, stor, logger)
-
-	assert.True(t, cfg.ContinueOnConnectorFailure,
-		"buildDexConfig must set ContinueOnConnectorFailure to true so management starts even if an external IdP is down")
-}
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
--- a/infrastructure_files/migrate.sh
+++ b/infrastructure_files/migrate.sh
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -29,11 +29,11 @@ import (
 	"github.com/netbirdio/netbird/util/crypt"
 )

-var newServer = func(cfg *server.Config) server.Server {
-	return server.NewServer(cfg)
+var newServer = func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server {
+	return server.NewServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
 }

-func SetNewServer(fn func(*server.Config) server.Server) {
+func SetNewServer(fn func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server) {
 	newServer = fn
 }

@@ -57,7 +57,7 @@ var (
 			// detect whether user specified a port
 			userPort := cmd.Flag("port").Changed

-			config, err = LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
+			config, err = loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
 			if err != nil {
 				return fmt.Errorf("failed reading provided config file: %s: %v", nbconfig.MgmtConfigPath, err)
 			}
@@ -110,17 +110,7 @@ var (
 				mgmtSingleAccModeDomain = ""
 			}

-			srv := newServer(&server.Config{
-				NbConfig:                    config,
-				DNSDomain:                   dnsDomain,
-				MgmtSingleAccModeDomain:     mgmtSingleAccModeDomain,
-				MgmtPort:                    mgmtPort,
-				MgmtMetricsPort:             mgmtMetricsPort,
-				DisableLegacyManagementPort: disableLegacyManagementPort,
-				DisableMetrics:              disableMetrics,
-				DisableGeoliteUpdate:        disableGeoliteUpdate,
-				UserDeleteFromIDPEnabled:    userDeleteFromIDPEnabled,
-			})
+			srv := newServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
 			go func() {
 				if err := srv.Start(cmd.Context()); err != nil {
 					log.Fatalf("Server error: %v", err)
@@ -145,35 +135,35 @@ var (
 	}
 )

-func LoadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
+func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
 	loadedConfig := &nbconfig.Config{}
 	if _, err := util.ReadJsonWithEnvSub(mgmtConfigPath, loadedConfig); err != nil {
 		return nil, err
 	}

-	ApplyCommandLineOverrides(loadedConfig)
+	applyCommandLineOverrides(loadedConfig)

 	// Apply EmbeddedIdP config to HttpConfig if embedded IdP is enabled
-	err := ApplyEmbeddedIdPConfig(ctx, loadedConfig)
+	err := applyEmbeddedIdPConfig(ctx, loadedConfig)
 	if err != nil {
 		return nil, err
 	}

-	if err := ApplyOIDCConfig(ctx, loadedConfig); err != nil {
+	if err := applyOIDCConfig(ctx, loadedConfig); err != nil {
 		return nil, err
 	}

-	LogConfigInfo(loadedConfig)
+	logConfigInfo(loadedConfig)

-	if err := EnsureEncryptionKey(ctx, mgmtConfigPath, loadedConfig); err != nil {
+	if err := ensureEncryptionKey(ctx, mgmtConfigPath, loadedConfig); err != nil {
 		return nil, err
 	}

 	return loadedConfig, nil
 }

-// ApplyCommandLineOverrides applies command-line flag overrides to the config
-func ApplyCommandLineOverrides(cfg *nbconfig.Config) {
+// applyCommandLineOverrides applies command-line flag overrides to the config
+func applyCommandLineOverrides(cfg *nbconfig.Config) {
 	if mgmtLetsencryptDomain != "" {
 		cfg.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
 	}
@@ -186,9 +176,9 @@ func ApplyCommandLineOverrides(cfg *nbconfig.Config) {
 	}
 }

-// ApplyEmbeddedIdPConfig populates HttpConfig and EmbeddedIdP storage from config when embedded IdP is enabled.
+// applyEmbeddedIdPConfig populates HttpConfig and EmbeddedIdP storage from config when embedded IdP is enabled.
 // This allows users to only specify EmbeddedIdP config without duplicating values in HttpConfig.
-func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
+func applyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	if cfg.EmbeddedIdP == nil || !cfg.EmbeddedIdP.Enabled {
 		return nil
 	}
@@ -237,8 +227,8 @@ func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	return nil
 }

-// ApplyOIDCConfig fetches and applies OIDC configuration if endpoint is specified
-func ApplyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
+// applyOIDCConfig fetches and applies OIDC configuration if endpoint is specified
+func applyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	oidcEndpoint := cfg.HttpConfig.OIDCConfigEndpoint
 	if oidcEndpoint == "" {
 		return nil
@@ -264,16 +254,16 @@ func ApplyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
 		oidcConfig.JwksURI, cfg.HttpConfig.AuthKeysLocation)
 	cfg.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI

-	if err := ApplyDeviceAuthFlowConfig(ctx, cfg, &oidcConfig, oidcEndpoint); err != nil {
+	if err := applyDeviceAuthFlowConfig(ctx, cfg, &oidcConfig, oidcEndpoint); err != nil {
 		return err
 	}
-	ApplyPKCEFlowConfig(ctx, cfg, &oidcConfig)
+	applyPKCEFlowConfig(ctx, cfg, &oidcConfig)

 	return nil
 }

-// ApplyDeviceAuthFlowConfig applies OIDC config to DeviceAuthorizationFlow if enabled
-func ApplyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse, oidcEndpoint string) error {
+// applyDeviceAuthFlowConfig applies OIDC config to DeviceAuthorizationFlow if enabled
+func applyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse, oidcEndpoint string) error {
 	if cfg.DeviceAuthorizationFlow == nil || strings.ToLower(cfg.DeviceAuthorizationFlow.Provider) == string(nbconfig.NONE) {
 		return nil
 	}
@@ -300,8 +290,8 @@ func ApplyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcCo
 	return nil
 }

-// ApplyPKCEFlowConfig applies OIDC config to PKCEAuthorizationFlow if configured
-func ApplyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse) {
+// applyPKCEFlowConfig applies OIDC config to PKCEAuthorizationFlow if configured
+func applyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse) {
 	if cfg.PKCEAuthorizationFlow == nil {
 		return
 	}
@@ -314,8 +304,8 @@ func ApplyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *
 	cfg.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
 }

-// LogConfigInfo logs informational messages about the loaded configuration
-func LogConfigInfo(cfg *nbconfig.Config) {
+// logConfigInfo logs informational messages about the loaded configuration
+func logConfigInfo(cfg *nbconfig.Config) {
 	if cfg.EmbeddedIdP != nil {
 		log.Infof("running with the embedded IdP: %v", cfg.EmbeddedIdP.Issuer)
 	}
@@ -324,8 +314,8 @@ func LogConfigInfo(cfg *nbconfig.Config) {
 	}
 }

-// EnsureEncryptionKey generates and saves a DataStoreEncryptionKey if not set
-func EnsureEncryptionKey(ctx context.Context, configPath string, cfg *nbconfig.Config) error {
+// ensureEncryptionKey generates and saves a DataStoreEncryptionKey if not set
+func ensureEncryptionKey(ctx context.Context, configPath string, cfg *nbconfig.Config) error {
 	if cfg.DataStoreEncryptionKey != "" {
 		return nil
 	}
--- a/management/cmd/management_test.go
+++ b/management/cmd/management_test.go
@@ -30,7 +30,7 @@ func Test_loadMgmtConfig(t *testing.T) {
 		t.Fatalf("failed to create config: %s", err)
 	}

-	cfg, err := LoadMgmtConfig(context.Background(), tmpFile)
+	cfg, err := loadMgmtConfig(context.Background(), tmpFile)
 	if err != nil {
 		t.Fatalf("failed to load management config: %s", err)
 	}
--- a/management/cmd/root.go
+++ b/management/cmd/root.go
@@ -16,22 +16,21 @@ const (
 )

 var (
-	dnsDomain                   string
-	mgmtDataDir                 string
-	logLevel                    string
-	logFile                     string
-	disableMetrics              bool
-	disableSingleAccMode        bool
-	disableGeoliteUpdate        bool
-	idpSignKeyRefreshEnabled    bool
-	userDeleteFromIDPEnabled    bool
-	mgmtPort                    int
-	mgmtMetricsPort             int
-	disableLegacyManagementPort bool
-	mgmtLetsencryptDomain       string
-	mgmtSingleAccModeDomain     string
-	certFile                    string
-	certKey                     string
+	dnsDomain                string
+	mgmtDataDir              string
+	logLevel                 string
+	logFile                  string
+	disableMetrics           bool
+	disableSingleAccMode     bool
+	disableGeoliteUpdate     bool
+	idpSignKeyRefreshEnabled bool
+	userDeleteFromIDPEnabled bool
+	mgmtPort                 int
+	mgmtMetricsPort          int
+	mgmtLetsencryptDomain    string
+	mgmtSingleAccModeDomain  string
+	certFile                 string
+	certKey                  string

 	rootCmd = &cobra.Command{
 		Use:          "netbird-mgmt",
@@ -56,7 +55,6 @@ func Execute() error {

 func init() {
 	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 80, "server port to listen on (defaults to 443 if TLS is enabled, 80 otherwise")
-	mgmtCmd.Flags().BoolVar(&disableLegacyManagementPort, "disable-legacy-port", false, "disabling the old legacy port (33073)")
 	mgmtCmd.Flags().IntVar(&mgmtMetricsPort, "metrics-port", 9090, "metrics endpoint http port. Metrics are accessible under host:metrics-port/metrics")
 	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", defaultMgmtDataDir, "server data directory location")
 	mgmtCmd.Flags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
@@ -83,7 +81,9 @@ func init() {

 	rootCmd.AddCommand(migrationCmd)

-	tc := newTokenCommands()
-	tc.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
-	rootCmd.AddCommand(tc)
+	tokenCmd.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
+	tokenCmd.AddCommand(tokenCreateCmd)
+	tokenCmd.AddCommand(tokenListCmd)
+	tokenCmd.AddCommand(tokenRevokeCmd)
+	rootCmd.AddCommand(tokenCmd)
 }
--- a/management/cmd/token.go
+++ b/management/cmd/token.go
@@ -3,24 +3,62 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os"
+	"strconv"
+	"text/tabwriter"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

 	"github.com/netbirdio/netbird/formatter/hook"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/util"
 )

-var tokenDatadir string
+var (
+	tokenName     string
+	tokenExpireIn string
+	tokenDatadir  string

-// newTokenCommands creates the token command tree with management-specific store opener.
-func newTokenCommands() *cobra.Command {
-	cmd := tokencmd.NewCommands(withTokenStore)
-	cmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
-	return cmd
+	tokenCmd = &cobra.Command{
+		Use:   "token",
+		Short: "Manage proxy access tokens",
+		Long:  "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
+	}
+
+	tokenCreateCmd = &cobra.Command{
+		Use:   "create",
+		Short: "Create a new proxy access token",
+		Long:  "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
+		RunE:  tokenCreateRun,
+	}
+
+	tokenListCmd = &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List all proxy access tokens",
+		Long:    "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
+		RunE:    tokenListRun,
+	}
+
+	tokenRevokeCmd = &cobra.Command{
+		Use:   "revoke [token-id]",
+		Short: "Revoke a proxy access token",
+		Long:  "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
+		Args:  cobra.ExactArgs(1),
+		RunE:  tokenRevokeRun,
+	}
+)
+
+func init() {
+	tokenCmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
+
+	tokenCreateCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
+	tokenCreateCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
+	tokenCreateCmd.MarkFlagRequired("name") //nolint
 }

 // withTokenStore initializes logging, loads config, opens the store, and calls fn.
@@ -29,9 +67,10 @@ func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Sto
 		return fmt.Errorf("init log: %w", err)
 	}

-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
+	//nolint
+	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource)

-	config, err := LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
+	config, err := loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
 	if err != nil {
 		return fmt.Errorf("load config: %w", err)
 	}
@@ -53,3 +92,118 @@ func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Sto

 	return fn(ctx, s)
 }
+
+func tokenCreateRun(cmd *cobra.Command, _ []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		expiresIn, err := parseDuration(tokenExpireIn)
+		if err != nil {
+			return fmt.Errorf("parse expiration: %w", err)
+		}
+
+		generated, err := types.CreateNewProxyAccessToken(tokenName, expiresIn, nil, "CLI")
+		if err != nil {
+			return fmt.Errorf("generate token: %w", err)
+		}
+
+		if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
+			return fmt.Errorf("save token: %w", err)
+		}
+
+		fmt.Println("Token created successfully!")                                 //nolint:forbidigo
+		fmt.Printf("Token: %s\n", generated.PlainToken)                            //nolint:forbidigo
+		fmt.Println()                                                              //nolint:forbidigo
+		fmt.Println("IMPORTANT: Save this token now. It will not be shown again.") //nolint:forbidigo
+		fmt.Printf("Token ID: %s\n", generated.ID)                                 //nolint:forbidigo
+
+		return nil
+	})
+}
+
+func tokenListRun(cmd *cobra.Command, _ []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
+		if err != nil {
+			return fmt.Errorf("list tokens: %w", err)
+		}
+
+		if len(tokens) == 0 {
+			fmt.Println("No proxy access tokens found.") //nolint:forbidigo
+			return nil
+		}
+
+		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+		fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
+		fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
+
+		for _, t := range tokens {
+			expires := "never"
+			if t.ExpiresAt != nil {
+				expires = t.ExpiresAt.Format("2006-01-02")
+			}
+
+			lastUsed := "never"
+			if t.LastUsed != nil {
+				lastUsed = t.LastUsed.Format("2006-01-02 15:04")
+			}
+
+			revoked := "no"
+			if t.Revoked {
+				revoked = "yes"
+			}
+
+			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
+				t.ID,
+				t.Name,
+				t.CreatedAt.Format("2006-01-02"),
+				expires,
+				lastUsed,
+				revoked,
+			)
+		}
+
+		w.Flush()
+
+		return nil
+	})
+}
+
+func tokenRevokeRun(cmd *cobra.Command, args []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		tokenID := args[0]
+
+		if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
+			return fmt.Errorf("revoke token: %w", err)
+		}
+
+		fmt.Printf("Token %s revoked successfully.\n", tokenID) //nolint:forbidigo
+		return nil
+	})
+}
+
+// parseDuration parses a duration string with support for days (e.g., "30d", "365d").
+// An empty string returns zero duration (no expiration).
+func parseDuration(s string) (time.Duration, error) {
+	if len(s) == 0 {
+		return 0, nil
+	}
+
+	if s[len(s)-1] == 'd' {
+		d, err := strconv.Atoi(s[:len(s)-1])
+		if err != nil {
+			return 0, fmt.Errorf("invalid day format: %s", s)
+		}
+		if d <= 0 {
+			return 0, fmt.Errorf("duration must be positive: %s", s)
+		}
+		return time.Duration(d) * 24 * time.Hour, nil
+	}
+
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0, err
+	}
+	if d <= 0 {
+		return 0, fmt.Errorf("duration must be positive: %s", s)
+	}
+	return d, nil
+}
--- a/management/cmd/token/token.go
+++ b/management/cmd/token/token.go
@@ -1,185 +0,0 @@
-// Package tokencmd provides reusable cobra commands for managing proxy access tokens.
-// Both the management and combined binaries use these commands, each providing
-// their own StoreOpener to handle config loading and store initialization.
-package tokencmd
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"strconv"
-	"text/tabwriter"
-	"time"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// StoreOpener initializes a store from the command context and calls fn.
-type StoreOpener func(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error
-
-// NewCommands creates the token command tree with the given store opener.
-// Returns the parent "token" command with create, list, and revoke subcommands.
-func NewCommands(opener StoreOpener) *cobra.Command {
-	var (
-		tokenName     string
-		tokenExpireIn string
-	)
-
-	tokenCmd := &cobra.Command{
-		Use:   "token",
-		Short: "Manage proxy access tokens",
-		Long:  "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
-	}
-
-	createCmd := &cobra.Command{
-		Use:   "create",
-		Short: "Create a new proxy access token",
-		Long:  "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runCreate(ctx, s, cmd.OutOrStdout(), tokenName, tokenExpireIn)
-			})
-		},
-	}
-	createCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
-	createCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
-	if err := createCmd.MarkFlagRequired("name"); err != nil {
-		panic(err)
-	}
-
-	listCmd := &cobra.Command{
-		Use:     "list",
-		Aliases: []string{"ls"},
-		Short:   "List all proxy access tokens",
-		Long:    "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runList(ctx, s, cmd.OutOrStdout())
-			})
-		},
-	}
-
-	revokeCmd := &cobra.Command{
-		Use:   "revoke [token-id]",
-		Short: "Revoke a proxy access token",
-		Long:  "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runRevoke(ctx, s, cmd.OutOrStdout(), args[0])
-			})
-		},
-	}
-
-	tokenCmd.AddCommand(createCmd, listCmd, revokeCmd)
-	return tokenCmd
-}
-
-func runCreate(ctx context.Context, s store.Store, w io.Writer, name string, expireIn string) error {
-	expiresIn, err := ParseDuration(expireIn)
-	if err != nil {
-		return fmt.Errorf("parse expiration: %w", err)
-	}
-
-	generated, err := types.CreateNewProxyAccessToken(name, expiresIn, nil, "CLI")
-	if err != nil {
-		return fmt.Errorf("generate token: %w", err)
-	}
-
-	if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
-		return fmt.Errorf("save token: %w", err)
-	}
-
-	_, _ = fmt.Fprintln(w, "Token created successfully!")
-	_, _ = fmt.Fprintf(w, "Token: %s\n", generated.PlainToken)
-	_, _ = fmt.Fprintln(w)
-	_, _ = fmt.Fprintln(w, "IMPORTANT: Save this token now. It will not be shown again.")
-	_, _ = fmt.Fprintf(w, "Token ID: %s\n", generated.ID)
-	return nil
-}
-
-func runList(ctx context.Context, s store.Store, out io.Writer) error {
-	tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
-	if err != nil {
-		return fmt.Errorf("list tokens: %w", err)
-	}
-
-	if len(tokens) == 0 {
-		_, _ = fmt.Fprintln(out, "No proxy access tokens found.")
-		return nil
-	}
-
-	w := tabwriter.NewWriter(out, 0, 0, 2, ' ', 0)
-	_, _ = fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
-	_, _ = fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
-
-	for _, t := range tokens {
-		expires := "never"
-		if t.ExpiresAt != nil {
-			expires = t.ExpiresAt.Format("2006-01-02")
-		}
-
-		lastUsed := "never"
-		if t.LastUsed != nil {
-			lastUsed = t.LastUsed.Format("2006-01-02 15:04")
-		}
-
-		revoked := "no"
-		if t.Revoked {
-			revoked = "yes"
-		}
-
-		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
-			t.ID,
-			t.Name,
-			t.CreatedAt.Format("2006-01-02"),
-			expires,
-			lastUsed,
-			revoked,
-		)
-	}
-
-	w.Flush()
-
-	return nil
-}
-
-func runRevoke(ctx context.Context, s store.Store, w io.Writer, tokenID string) error {
-	if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
-		return fmt.Errorf("revoke token: %w", err)
-	}
-
-	_, _ = fmt.Fprintf(w, "Token %s revoked successfully.\n", tokenID)
-	return nil
-}
-
-// ParseDuration parses a duration string with support for days (e.g., "30d", "365d").
-// An empty string returns zero duration (no expiration).
-func ParseDuration(s string) (time.Duration, error) {
-	if len(s) == 0 {
-		return 0, nil
-	}
-
-	if s[len(s)-1] == 'd' {
-		d, err := strconv.Atoi(s[:len(s)-1])
-		if err != nil {
-			return 0, fmt.Errorf("invalid day format: %s", s)
-		}
-		if d <= 0 {
-			return 0, fmt.Errorf("duration must be positive: %s", s)
-		}
-		return time.Duration(d) * 24 * time.Hour, nil
-	}
-
-	d, err := time.ParseDuration(s)
-	if err != nil {
-		return 0, err
-	}
-	if d <= 0 {
-		return 0, fmt.Errorf("duration must be positive: %s", s)
-	}
-	return d, nil
-}
--- a/management/cmd/token/token_test.go
+++ b/management/cmd/token/token_test.go
@@ -1,4 +1,4 @@
-package tokencmd
+package cmd

 import (
 	"testing"
@@ -89,7 +89,7 @@ func TestParseDuration(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := ParseDuration(tt.input)
+			result, err := parseDuration(tt.input)
 			if tt.wantErr {
 				assert.Error(t, err)
 				return
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -63,8 +63,6 @@ type Controller struct {

 	expNewNetworkMap     bool
 	expNewNetworkMapAIDs map[string]struct{}
-
-	compactedNetworkMap bool
 }

 type bufferUpdate struct {
@@ -87,12 +85,6 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 		newNetworkMapBuilder = false
 	}

-	compactedNetworkMap, err := strconv.ParseBool(os.Getenv(types.EnvNewNetworkMapCompacted))
-	if err != nil {
-		log.WithContext(ctx).Warnf("failed to parse %s, using default value false: %v", types.EnvNewNetworkMapCompacted, err)
-		compactedNetworkMap = false
-	}
-
 	ids := strings.Split(os.Getenv(network_map.EnvNewNetworkMapAccounts), ",")
 	expIDs := make(map[string]struct{}, len(ids))
 	for _, id := range ids {
@@ -116,8 +108,6 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 		holder:               types.NewHolder(),
 		expNewNetworkMap:     newNetworkMapBuilder,
 		expNewNetworkMapAIDs: expIDs,
-
-		compactedNetworkMap: compactedNetworkMap,
 	}
 }

@@ -240,12 +230,9 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin

 			var remotePeerNetworkMap *types.NetworkMap

-			switch {
-			case c.experimentalNetworkMap(accountID):
+			if c.experimentalNetworkMap(accountID) {
 				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-			case c.compactedNetworkMap:
-				remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-			default:
+			} else {
 				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
 			}

@@ -368,12 +355,9 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe

 	var remotePeerNetworkMap *types.NetworkMap

-	switch {
-	case c.experimentalNetworkMap(accountId):
+	if c.experimentalNetworkMap(accountId) {
 		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
-	case c.compactedNetworkMap:
-		remotePeerNetworkMap = account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-	default:
+	} else {
 		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
 	}

@@ -495,12 +479,7 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	} else {
 		resourcePolicies := account.GetResourcePoliciesMap()
 		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-		if c.compactedNetworkMap {
-			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-		} else {
-			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
-		}
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, account.GetActiveGroupUsers())
 	}

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
@@ -875,12 +854,7 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 		account.InjectProxyPolicies(ctx)
 		resourcePolicies := account.GetResourcePoliciesMap()
 		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-		if c.compactedNetworkMap {
-			networkMap = account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		} else {
-			networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		}
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
 	}

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
--- a/management/internals/modules/reverseproxy/accesslogs/filter.go
+++ b/management/internals/modules/reverseproxy/accesslogs/filter.go
@@ -3,7 +3,6 @@ package accesslogs
 import (
 	"net/http"
 	"strconv"
-	"strings"
 	"time"
 )

@@ -12,39 +11,15 @@ const (
 	DefaultPageSize = 50
 	// MaxPageSize is the maximum number of records allowed per page
 	MaxPageSize = 100
-
-	// Default sorting
-	DefaultSortBy    = "timestamp"
-	DefaultSortOrder = "desc"
 )

-// Valid sortable fields mapped to their database column names or expressions
-// For multi-column sorts, columns are separated by comma (e.g., "host, path")
-var validSortFields = map[string]string{
-	"timestamp":   "timestamp",
-	"url":         "host, path", // Sort by host first, then path
-	"host":        "host",
-	"path":        "path",
-	"method":      "method",
-	"status_code": "status_code",
-	"duration":    "duration",
-	"source_ip":   "location_connection_ip",
-	"user_id":     "user_id",
-	"auth_method": "auth_method_used",
-	"reason":      "reason",
-}
-
-// AccessLogFilter holds pagination, filtering, and sorting parameters for access logs
+// AccessLogFilter holds pagination and filtering parameters for access logs
 type AccessLogFilter struct {
 	// Page is the current page number (1-indexed)
 	Page int
 	// PageSize is the number of records per page
 	PageSize int

-	// Sorting parameters
-	SortBy    string // Field to sort by: timestamp, url, host, path, method, status_code, duration, source_ip, user_id, auth_method, reason
-	SortOrder string // Sort order: asc or desc (default: desc)
-
 	// Filtering parameters
 	Search     *string    // General search across log ID, host, path, source IP, and user fields
 	SourceIP   *string    // Filter by source IP address
@@ -60,70 +35,82 @@ type AccessLogFilter struct {
 	EndDate    *time.Time // Filter by timestamp <= end_date
 }

-// ParseFromRequest parses pagination, sorting, and filter parameters from HTTP request query parameters
+// ParseFromRequest parses pagination and filter parameters from HTTP request query parameters
 func (f *AccessLogFilter) ParseFromRequest(r *http.Request) {
 	queryParams := r.URL.Query()

-	f.Page = parsePositiveInt(queryParams.Get("page"), 1)
-	f.PageSize = min(parsePositiveInt(queryParams.Get("page_size"), DefaultPageSize), MaxPageSize)
+	f.Page = 1
+	if pageStr := queryParams.Get("page"); pageStr != "" {
+		if page, err := strconv.Atoi(pageStr); err == nil && page > 0 {
+			f.Page = page
+		}
+	}

-	f.SortBy = parseSortField(queryParams.Get("sort_by"))
-	f.SortOrder = parseSortOrder(queryParams.Get("sort_order"))
+	f.PageSize = DefaultPageSize
+	if pageSizeStr := queryParams.Get("page_size"); pageSizeStr != "" {
+		if pageSize, err := strconv.Atoi(pageSizeStr); err == nil && pageSize > 0 {
+			f.PageSize = pageSize
+			if f.PageSize > MaxPageSize {
+				f.PageSize = MaxPageSize
+			}
+		}
+	}

-	f.Search = parseOptionalString(queryParams.Get("search"))
-	f.SourceIP = parseOptionalString(queryParams.Get("source_ip"))
-	f.Host = parseOptionalString(queryParams.Get("host"))
-	f.Path = parseOptionalString(queryParams.Get("path"))
-	f.UserID = parseOptionalString(queryParams.Get("user_id"))
-	f.UserEmail = parseOptionalString(queryParams.Get("user_email"))
-	f.UserName = parseOptionalString(queryParams.Get("user_name"))
-	f.Method = parseOptionalString(queryParams.Get("method"))
-	f.Status = parseOptionalString(queryParams.Get("status"))
-	f.StatusCode = parseOptionalInt(queryParams.Get("status_code"))
-	f.StartDate = parseOptionalRFC3339(queryParams.Get("start_date"))
-	f.EndDate = parseOptionalRFC3339(queryParams.Get("end_date"))
-}
+	if search := queryParams.Get("search"); search != "" {
+		f.Search = &search
+	}

-// parsePositiveInt parses a positive integer from a string, returning defaultValue if invalid
-func parsePositiveInt(s string, defaultValue int) int {
-	if s == "" {
-		return defaultValue
+	if sourceIP := queryParams.Get("source_ip"); sourceIP != "" {
+		f.SourceIP = &sourceIP
 	}
-	if val, err := strconv.Atoi(s); err == nil && val > 0 {
-		return val
-	}
-	return defaultValue
-}

-// parseOptionalString returns a pointer to the string if non-empty, otherwise nil
-func parseOptionalString(s string) *string {
-	if s == "" {
-		return nil
+	if host := queryParams.Get("host"); host != "" {
+		f.Host = &host
 	}
-	return &s
-}

-// parseOptionalInt parses an optional positive integer from a string
-func parseOptionalInt(s string) *int {
-	if s == "" {
-		return nil
+	if path := queryParams.Get("path"); path != "" {
+		f.Path = &path
 	}
-	if val, err := strconv.Atoi(s); err == nil && val > 0 {
-		v := val
-		return &v
-	}
-	return nil
-}

-// parseOptionalRFC3339 parses an optional RFC3339 timestamp from a string
-func parseOptionalRFC3339(s string) *time.Time {
-	if s == "" {
-		return nil
+	if userID := queryParams.Get("user_id"); userID != "" {
+		f.UserID = &userID
 	}
-	if t, err := time.Parse(time.RFC3339, s); err == nil {
-		return &t
+
+	if userEmail := queryParams.Get("user_email"); userEmail != "" {
+		f.UserEmail = &userEmail
+	}
+
+	if userName := queryParams.Get("user_name"); userName != "" {
+		f.UserName = &userName
+	}
+
+	if method := queryParams.Get("method"); method != "" {
+		f.Method = &method
+	}
+
+	if status := queryParams.Get("status"); status != "" {
+		f.Status = &status
+	}
+
+	if statusCodeStr := queryParams.Get("status_code"); statusCodeStr != "" {
+		if statusCode, err := strconv.Atoi(statusCodeStr); err == nil && statusCode > 0 {
+			f.StatusCode = &statusCode
+		}
+	}
+
+	if startDate := queryParams.Get("start_date"); startDate != "" {
+		parsedStartDate, err := time.Parse(time.RFC3339, startDate)
+		if err == nil {
+			f.StartDate = &parsedStartDate
+		}
+	}
+
+	if endDate := queryParams.Get("end_date"); endDate != "" {
+		parsedEndDate, err := time.Parse(time.RFC3339, endDate)
+		if err == nil {
+			f.EndDate = &parsedEndDate
+		}
 	}
-	return nil
 }

 // GetOffset calculates the database offset for pagination
@@ -135,44 +122,3 @@ func (f *AccessLogFilter) GetOffset() int {
 func (f *AccessLogFilter) GetLimit() int {
 	return f.PageSize
 }
-
-// GetSortColumn returns the validated database column name for sorting
-func (f *AccessLogFilter) GetSortColumn() string {
-	if column, ok := validSortFields[f.SortBy]; ok {
-		return column
-	}
-	return validSortFields[DefaultSortBy]
-}
-
-// GetSortOrder returns the validated sort order (ASC or DESC)
-func (f *AccessLogFilter) GetSortOrder() string {
-	if f.SortOrder == "asc" || f.SortOrder == "desc" {
-		return f.SortOrder
-	}
-	return DefaultSortOrder
-}
-
-// parseSortField validates and returns the sort field, defaulting if invalid
-func parseSortField(s string) string {
-	if s == "" {
-		return DefaultSortBy
-	}
-	// Check if the field is valid
-	if _, ok := validSortFields[s]; ok {
-		return s
-	}
-	return DefaultSortBy
-}
-
-// parseSortOrder validates and returns the sort order, defaulting if invalid
-func parseSortOrder(s string) string {
-	if s == "" {
-		return DefaultSortOrder
-	}
-	// Normalize to lowercase
-	s = strings.ToLower(s)
-	if s == "asc" || s == "desc" {
-		return s
-	}
-	return DefaultSortOrder
-}
--- a/management/internals/modules/reverseproxy/accesslogs/filter_test.go
+++ b/management/internals/modules/reverseproxy/accesslogs/filter_test.go
@@ -4,10 +4,8 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
-	"time"

 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestAccessLogFilter_ParseFromRequest(t *testing.T) {
@@ -161,410 +159,3 @@ func TestAccessLogFilter_GetLimit(t *testing.T) {
 	limit := filter.GetLimit()
 	assert.Equal(t, 25, limit, "GetLimit should return PageSize")
 }
-
-func TestAccessLogFilter_ParseFromRequest_FilterParams(t *testing.T) {
-	startDate := "2024-01-15T10:30:00Z"
-	endDate := "2024-01-16T15:45:00Z"
-
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-	q := req.URL.Query()
-	q.Set("search", "test query")
-	q.Set("source_ip", "192.168.1.1")
-	q.Set("host", "example.com")
-	q.Set("path", "/api/users")
-	q.Set("user_id", "user123")
-	q.Set("user_email", "user@example.com")
-	q.Set("user_name", "John Doe")
-	q.Set("method", "GET")
-	q.Set("status", "success")
-	q.Set("status_code", "200")
-	q.Set("start_date", startDate)
-	q.Set("end_date", endDate)
-	req.URL.RawQuery = q.Encode()
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	require.NotNil(t, filter.Search)
-	assert.Equal(t, "test query", *filter.Search)
-
-	require.NotNil(t, filter.SourceIP)
-	assert.Equal(t, "192.168.1.1", *filter.SourceIP)
-
-	require.NotNil(t, filter.Host)
-	assert.Equal(t, "example.com", *filter.Host)
-
-	require.NotNil(t, filter.Path)
-	assert.Equal(t, "/api/users", *filter.Path)
-
-	require.NotNil(t, filter.UserID)
-	assert.Equal(t, "user123", *filter.UserID)
-
-	require.NotNil(t, filter.UserEmail)
-	assert.Equal(t, "user@example.com", *filter.UserEmail)
-
-	require.NotNil(t, filter.UserName)
-	assert.Equal(t, "John Doe", *filter.UserName)
-
-	require.NotNil(t, filter.Method)
-	assert.Equal(t, "GET", *filter.Method)
-
-	require.NotNil(t, filter.Status)
-	assert.Equal(t, "success", *filter.Status)
-
-	require.NotNil(t, filter.StatusCode)
-	assert.Equal(t, 200, *filter.StatusCode)
-
-	require.NotNil(t, filter.StartDate)
-	expectedStart, _ := time.Parse(time.RFC3339, startDate)
-	assert.Equal(t, expectedStart, *filter.StartDate)
-
-	require.NotNil(t, filter.EndDate)
-	expectedEnd, _ := time.Parse(time.RFC3339, endDate)
-	assert.Equal(t, expectedEnd, *filter.EndDate)
-}
-
-func TestAccessLogFilter_ParseFromRequest_EmptyFilters(t *testing.T) {
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	assert.Nil(t, filter.Search)
-	assert.Nil(t, filter.SourceIP)
-	assert.Nil(t, filter.Host)
-	assert.Nil(t, filter.Path)
-	assert.Nil(t, filter.UserID)
-	assert.Nil(t, filter.UserEmail)
-	assert.Nil(t, filter.UserName)
-	assert.Nil(t, filter.Method)
-	assert.Nil(t, filter.Status)
-	assert.Nil(t, filter.StatusCode)
-	assert.Nil(t, filter.StartDate)
-	assert.Nil(t, filter.EndDate)
-}
-
-func TestAccessLogFilter_ParseFromRequest_InvalidFilters(t *testing.T) {
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-	q := req.URL.Query()
-	q.Set("status_code", "invalid")
-	q.Set("start_date", "not-a-date")
-	q.Set("end_date", "2024-99-99")
-	req.URL.RawQuery = q.Encode()
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	assert.Nil(t, filter.StatusCode, "invalid status_code should be nil")
-	assert.Nil(t, filter.StartDate, "invalid start_date should be nil")
-	assert.Nil(t, filter.EndDate, "invalid end_date should be nil")
-}
-
-func TestParsePositiveInt(t *testing.T) {
-	tests := []struct {
-		name         string
-		input        string
-		defaultValue int
-		expected     int
-	}{
-		{"empty string", "", 10, 10},
-		{"valid positive int", "25", 10, 25},
-		{"zero", "0", 10, 10},
-		{"negative", "-5", 10, 10},
-		{"invalid string", "abc", 10, 10},
-		{"float", "3.14", 10, 10},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parsePositiveInt(tt.input, tt.defaultValue)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
-func TestParseOptionalString(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected *string
-	}{
-		{"empty string", "", nil},
-		{"valid string", "hello", strPtr("hello")},
-		{"whitespace", "  ", strPtr("  ")},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalString(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-func TestParseOptionalInt(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected *int
-	}{
-		{"empty string", "", nil},
-		{"valid positive int", "42", intPtr(42)},
-		{"zero", "0", nil},
-		{"negative", "-10", nil},
-		{"invalid string", "abc", nil},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalInt(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-func TestParseOptionalRFC3339(t *testing.T) {
-	validDate := "2024-01-15T10:30:00Z"
-	expectedTime, _ := time.Parse(time.RFC3339, validDate)
-
-	tests := []struct {
-		name     string
-		input    string
-		expected *time.Time
-	}{
-		{"empty string", "", nil},
-		{"valid RFC3339", validDate, &expectedTime},
-		{"invalid format", "2024-01-15", nil},
-		{"invalid date", "not-a-date", nil},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalRFC3339(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-func TestAccessLogFilter_SortingDefaults(t *testing.T) {
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	assert.Equal(t, DefaultSortBy, filter.SortBy, "SortBy should default to timestamp")
-	assert.Equal(t, DefaultSortOrder, filter.SortOrder, "SortOrder should default to desc")
-	assert.Equal(t, "timestamp", filter.GetSortColumn(), "GetSortColumn should return timestamp")
-	assert.Equal(t, "desc", filter.GetSortOrder(), "GetSortOrder should return desc")
-}
-
-func TestAccessLogFilter_ValidSortFields(t *testing.T) {
-	tests := []struct {
-		name              string
-		sortBy            string
-		expectedColumn    string
-		expectedSortByVal string
-	}{
-		{"timestamp", "timestamp", "timestamp", "timestamp"},
-		{"url", "url", "host, path", "url"},
-		{"host", "host", "host", "host"},
-		{"path", "path", "path", "path"},
-		{"method", "method", "method", "method"},
-		{"status_code", "status_code", "status_code", "status_code"},
-		{"duration", "duration", "duration", "duration"},
-		{"source_ip", "source_ip", "location_connection_ip", "source_ip"},
-		{"user_id", "user_id", "user_id", "user_id"},
-		{"auth_method", "auth_method", "auth_method_used", "auth_method"},
-		{"reason", "reason", "reason", "reason"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/test?sort_by="+tt.sortBy, nil)
-
-			filter := &AccessLogFilter{}
-			filter.ParseFromRequest(req)
-
-			assert.Equal(t, tt.expectedSortByVal, filter.SortBy, "SortBy mismatch")
-			assert.Equal(t, tt.expectedColumn, filter.GetSortColumn(), "GetSortColumn mismatch")
-		})
-	}
-}
-
-func TestAccessLogFilter_InvalidSortField(t *testing.T) {
-	tests := []struct {
-		name     string
-		sortBy   string
-		expected string
-	}{
-		{"invalid field", "invalid_field", DefaultSortBy},
-		{"empty field", "", DefaultSortBy},
-		{"malicious input", "timestamp--DROP", DefaultSortBy},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/test", nil)
-			q := req.URL.Query()
-			q.Set("sort_by", tt.sortBy)
-			req.URL.RawQuery = q.Encode()
-
-			filter := &AccessLogFilter{}
-			filter.ParseFromRequest(req)
-
-			assert.Equal(t, tt.expected, filter.SortBy, "Invalid sort field should default to timestamp")
-			assert.Equal(t, validSortFields[DefaultSortBy], filter.GetSortColumn())
-		})
-	}
-}
-
-func TestAccessLogFilter_SortOrder(t *testing.T) {
-	tests := []struct {
-		name      string
-		sortOrder string
-		expected  string
-	}{
-		{"ascending", "asc", "asc"},
-		{"descending", "desc", "desc"},
-		{"uppercase ASC", "ASC", "asc"},
-		{"uppercase DESC", "DESC", "desc"},
-		{"mixed case Asc", "Asc", "asc"},
-		{"invalid order", "invalid", DefaultSortOrder},
-		{"empty order", "", DefaultSortOrder},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/test?sort_order="+tt.sortOrder, nil)
-
-			filter := &AccessLogFilter{}
-			filter.ParseFromRequest(req)
-
-			assert.Equal(t, tt.expected, filter.GetSortOrder(), "GetSortOrder mismatch")
-		})
-	}
-}
-
-func TestAccessLogFilter_CompleteSortingScenarios(t *testing.T) {
-	tests := []struct {
-		name           string
-		sortBy         string
-		sortOrder      string
-		expectedColumn string
-		expectedOrder  string
-	}{
-		{
-			name:           "sort by host ascending",
-			sortBy:         "host",
-			sortOrder:      "asc",
-			expectedColumn: "host",
-			expectedOrder:  "asc",
-		},
-		{
-			name:           "sort by duration descending",
-			sortBy:         "duration",
-			sortOrder:      "desc",
-			expectedColumn: "duration",
-			expectedOrder:  "desc",
-		},
-		{
-			name:           "sort by status_code ascending",
-			sortBy:         "status_code",
-			sortOrder:      "asc",
-			expectedColumn: "status_code",
-			expectedOrder:  "asc",
-		},
-		{
-			name:           "invalid sort with valid order",
-			sortBy:         "invalid",
-			sortOrder:      "asc",
-			expectedColumn: "timestamp",
-			expectedOrder:  "asc",
-		},
-		{
-			name:           "valid sort with invalid order",
-			sortBy:         "method",
-			sortOrder:      "invalid",
-			expectedColumn: "method",
-			expectedOrder:  DefaultSortOrder,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodGet, "/test?sort_by="+tt.sortBy+"&sort_order="+tt.sortOrder, nil)
-
-			filter := &AccessLogFilter{}
-			filter.ParseFromRequest(req)
-
-			assert.Equal(t, tt.expectedColumn, filter.GetSortColumn())
-			assert.Equal(t, tt.expectedOrder, filter.GetSortOrder())
-		})
-	}
-}
-
-func TestParseSortField(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected string
-	}{
-		{"valid field", "host", "host"},
-		{"empty string", "", DefaultSortBy},
-		{"invalid field", "invalid", DefaultSortBy},
-		{"malicious input", "timestamp--DROP", DefaultSortBy},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseSortField(tt.input)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
-func TestParseSortOrder(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected string
-	}{
-		{"asc lowercase", "asc", "asc"},
-		{"desc lowercase", "desc", "desc"},
-		{"ASC uppercase", "ASC", "asc"},
-		{"DESC uppercase", "DESC", "desc"},
-		{"invalid", "invalid", DefaultSortOrder},
-		{"empty", "", DefaultSortOrder},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseSortOrder(tt.input)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
-// Helper functions for creating pointers
-func strPtr(s string) *string {
-	return &s
-}
-
-func intPtr(i int) *int {
-	return &i
-}
--- a/management/internals/modules/reverseproxy/accesslogs/interface.go
+++ b/management/internals/modules/reverseproxy/accesslogs/interface.go
@@ -7,7 +7,4 @@ import (
 type Manager interface {
 	SaveAccessLog(ctx context.Context, proxyLog *AccessLogEntry) error
 	GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *AccessLogFilter) ([]*AccessLogEntry, int64, error)
-	CleanupOldAccessLogs(ctx context.Context, retentionDays int) (int64, error)
-	StartPeriodicCleanup(ctx context.Context, retentionDays, cleanupIntervalHours int)
-	StopPeriodicCleanup()
 }
--- a/management/internals/modules/reverseproxy/accesslogs/manager/manager.go
+++ b/management/internals/modules/reverseproxy/accesslogs/manager/manager.go
@@ -3,7 +3,6 @@ package manager
 import (
 	"context"
 	"strings"
-	"time"

 	log "github.com/sirupsen/logrus"

@@ -20,7 +19,6 @@ type managerImpl struct {
 	store              store.Store
 	permissionsManager permissions.Manager
 	geo                geolocation.Geolocation
-	cleanupCancel      context.CancelFunc
 }

 func NewManager(store store.Store, permissionsManager permissions.Manager, geo geolocation.Geolocation) accesslogs.Manager {
@@ -80,74 +78,6 @@ func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID st
 	return logs, totalCount, nil
 }

-// CleanupOldAccessLogs deletes access logs older than the specified retention period
-func (m *managerImpl) CleanupOldAccessLogs(ctx context.Context, retentionDays int) (int64, error) {
-	if retentionDays <= 0 {
-		log.WithContext(ctx).Debug("access log cleanup skipped: retention days is 0 or negative")
-		return 0, nil
-	}
-
-	cutoffTime := time.Now().AddDate(0, 0, -retentionDays)
-	deletedCount, err := m.store.DeleteOldAccessLogs(ctx, cutoffTime)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to cleanup old access logs: %v", err)
-		return 0, err
-	}
-
-	if deletedCount > 0 {
-		log.WithContext(ctx).Infof("cleaned up %d access logs older than %d days", deletedCount, retentionDays)
-	}
-
-	return deletedCount, nil
-}
-
-// StartPeriodicCleanup starts a background goroutine that periodically cleans up old access logs
-func (m *managerImpl) StartPeriodicCleanup(ctx context.Context, retentionDays, cleanupIntervalHours int) {
-	if retentionDays <= 0 {
-		log.WithContext(ctx).Debug("periodic access log cleanup disabled: retention days is 0 or negative")
-		return
-	}
-
-	if cleanupIntervalHours <= 0 {
-		cleanupIntervalHours = 24
-	}
-
-	cleanupCtx, cancel := context.WithCancel(ctx)
-	m.cleanupCancel = cancel
-
-	cleanupInterval := time.Duration(cleanupIntervalHours) * time.Hour
-	ticker := time.NewTicker(cleanupInterval)
-
-	go func() {
-		defer ticker.Stop()
-
-		// Run cleanup immediately on startup
-		log.WithContext(cleanupCtx).Infof("starting access log cleanup routine (retention: %d days, interval: %d hours)", retentionDays, cleanupIntervalHours)
-		if _, err := m.CleanupOldAccessLogs(cleanupCtx, retentionDays); err != nil {
-			log.WithContext(cleanupCtx).Errorf("initial access log cleanup failed: %v", err)
-		}
-
-		for {
-			select {
-			case <-cleanupCtx.Done():
-				log.WithContext(cleanupCtx).Info("stopping access log cleanup routine")
-				return
-			case <-ticker.C:
-				if _, err := m.CleanupOldAccessLogs(cleanupCtx, retentionDays); err != nil {
-					log.WithContext(cleanupCtx).Errorf("periodic access log cleanup failed: %v", err)
-				}
-			}
-		}
-	}()
-}
-
-// StopPeriodicCleanup stops the periodic cleanup routine
-func (m *managerImpl) StopPeriodicCleanup() {
-	if m.cleanupCancel != nil {
-		m.cleanupCancel()
-	}
-}
-
 // resolveUserFilters converts user email/name filters to user ID filter
 func (m *managerImpl) resolveUserFilters(ctx context.Context, accountID string, filter *accesslogs.AccessLogFilter) error {
 	if filter.UserEmail == nil && filter.UserName == nil {
--- a/management/internals/modules/reverseproxy/accesslogs/manager/manager_test.go
+++ b/management/internals/modules/reverseproxy/accesslogs/manager/manager_test.go
@@ -1,281 +0,0 @@
-package manager
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/server/store"
-)
-
-func TestCleanupOldAccessLogs(t *testing.T) {
-	tests := []struct {
-		name          string
-		retentionDays int
-		setupMock     func(*store.MockStore)
-		expectedCount int64
-		expectedError bool
-	}{
-		{
-			name:          "cleanup logs older than retention period",
-			retentionDays: 30,
-			setupMock: func(mockStore *store.MockStore) {
-				mockStore.EXPECT().
-					DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-					DoAndReturn(func(ctx context.Context, olderThan time.Time) (int64, error) {
-						expectedCutoff := time.Now().AddDate(0, 0, -30)
-						timeDiff := olderThan.Sub(expectedCutoff)
-						if timeDiff.Abs() > time.Second {
-							t.Errorf("cutoff time not as expected: got %v, want ~%v", olderThan, expectedCutoff)
-						}
-						return 5, nil
-					})
-			},
-			expectedCount: 5,
-			expectedError: false,
-		},
-		{
-			name:          "no logs to cleanup",
-			retentionDays: 30,
-			setupMock: func(mockStore *store.MockStore) {
-				mockStore.EXPECT().
-					DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-					Return(int64(0), nil)
-			},
-			expectedCount: 0,
-			expectedError: false,
-		},
-		{
-			name:          "zero retention days skips cleanup",
-			retentionDays: 0,
-			setupMock: func(mockStore *store.MockStore) {
-				// No expectations - DeleteOldAccessLogs should not be called
-			},
-			expectedCount: 0,
-			expectedError: false,
-		},
-		{
-			name:          "negative retention days skips cleanup",
-			retentionDays: -10,
-			setupMock: func(mockStore *store.MockStore) {
-				// No expectations - DeleteOldAccessLogs should not be called
-			},
-			expectedCount: 0,
-			expectedError: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			mockStore := store.NewMockStore(ctrl)
-			tt.setupMock(mockStore)
-
-			manager := &managerImpl{
-				store: mockStore,
-			}
-
-			ctx := context.Background()
-			deletedCount, err := manager.CleanupOldAccessLogs(ctx, tt.retentionDays)
-
-			if tt.expectedError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-			assert.Equal(t, tt.expectedCount, deletedCount, "unexpected number of deleted logs")
-		})
-	}
-}
-
-func TestCleanupWithExactBoundary(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	mockStore := store.NewMockStore(ctrl)
-
-	mockStore.EXPECT().
-		DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-		DoAndReturn(func(ctx context.Context, olderThan time.Time) (int64, error) {
-			expectedCutoff := time.Now().AddDate(0, 0, -30)
-			timeDiff := olderThan.Sub(expectedCutoff)
-			assert.Less(t, timeDiff.Abs(), time.Second, "cutoff time should be close to expected value")
-			return 1, nil
-		})
-
-	manager := &managerImpl{
-		store: mockStore,
-	}
-
-	ctx := context.Background()
-	deletedCount, err := manager.CleanupOldAccessLogs(ctx, 30)
-
-	require.NoError(t, err)
-	assert.Equal(t, int64(1), deletedCount)
-}
-
-func TestStartPeriodicCleanup(t *testing.T) {
-	t.Run("periodic cleanup disabled with zero retention", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		// No expectations - cleanup should not run
-
-		manager := &managerImpl{
-			store: mockStore,
-		}
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		manager.StartPeriodicCleanup(ctx, 0, 1)
-
-		time.Sleep(100 * time.Millisecond)
-
-		// If DeleteOldAccessLogs was called, the test will fail due to unexpected call
-	})
-
-	t.Run("periodic cleanup runs immediately on start", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-
-		mockStore.EXPECT().
-			DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-			Return(int64(2), nil).
-			Times(1)
-
-		manager := &managerImpl{
-			store: mockStore,
-		}
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		manager.StartPeriodicCleanup(ctx, 30, 24)
-
-		time.Sleep(200 * time.Millisecond)
-
-		// Expectations verified by gomock on defer ctrl.Finish()
-	})
-
-	t.Run("periodic cleanup stops on context cancel", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-
-		mockStore.EXPECT().
-			DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-			Return(int64(1), nil).
-			Times(1)
-
-		manager := &managerImpl{
-			store: mockStore,
-		}
-
-		ctx, cancel := context.WithCancel(context.Background())
-
-		manager.StartPeriodicCleanup(ctx, 30, 24)
-
-		time.Sleep(100 * time.Millisecond)
-
-		cancel()
-
-		time.Sleep(200 * time.Millisecond)
-
-	})
-
-	t.Run("cleanup interval defaults to 24 hours when invalid", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-
-		mockStore.EXPECT().
-			DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-			Return(int64(0), nil).
-			Times(1)
-
-		manager := &managerImpl{
-			store: mockStore,
-		}
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		manager.StartPeriodicCleanup(ctx, 30, 0)
-
-		time.Sleep(100 * time.Millisecond)
-
-		manager.StopPeriodicCleanup()
-	})
-
-	t.Run("cleanup interval uses configured hours", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-
-		mockStore.EXPECT().
-			DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-			Return(int64(3), nil).
-			Times(1)
-
-		manager := &managerImpl{
-			store: mockStore,
-		}
-
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		manager.StartPeriodicCleanup(ctx, 30, 12)
-
-		time.Sleep(100 * time.Millisecond)
-
-		manager.StopPeriodicCleanup()
-	})
-}
-
-func TestStopPeriodicCleanup(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	mockStore := store.NewMockStore(ctrl)
-
-	mockStore.EXPECT().
-		DeleteOldAccessLogs(gomock.Any(), gomock.Any()).
-		Return(int64(1), nil).
-		Times(1)
-
-	manager := &managerImpl{
-		store: mockStore,
-	}
-
-	ctx := context.Background()
-
-	manager.StartPeriodicCleanup(ctx, 30, 24)
-
-	time.Sleep(100 * time.Millisecond)
-
-	manager.StopPeriodicCleanup()
-
-	time.Sleep(200 * time.Millisecond)
-
-	// Expectations verified by gomock - would fail if more than 1 call happened
-}
-
-func TestStopPeriodicCleanup_NotStarted(t *testing.T) {
-	manager := &managerImpl{}
-
-	// Should not panic if cleanup was never started
-	manager.StopPeriodicCleanup()
-}
--- a/management/internals/modules/reverseproxy/domain/interface.go
+++ b/management/internals/modules/reverseproxy/domain/interface.go
@@ -9,5 +9,4 @@ type Manager interface {
 	CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*Domain, error)
 	DeleteDomain(ctx context.Context, accountID, userID, domainID string) error
 	ValidateDomain(ctx context.Context, accountID, userID, domainID string)
-	GetClusterDomains() []string
 }
--- a/management/internals/modules/reverseproxy/domain/manager/manager.go
+++ b/management/internals/modules/reverseproxy/domain/manager/manager.go
@@ -27,21 +27,21 @@ type store interface {
 	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
 }

-type proxyManager interface {
-	GetActiveClusterAddresses(ctx context.Context) ([]string, error)
+type proxyURLProvider interface {
+	GetConnectedProxyURLs() []string
 }

 type Manager struct {
 	store              store
 	validator          domain.Validator
-	proxyManager       proxyManager
+	proxyURLProvider   proxyURLProvider
 	permissionsManager permissions.Manager
 }

-func NewManager(store store, proxyMgr proxyManager, permissionsManager permissions.Manager) Manager {
+func NewManager(store store, proxyURLProvider proxyURLProvider, permissionsManager permissions.Manager) Manager {
 	return Manager{
-		store:        store,
-		proxyManager: proxyMgr,
+		store:            store,
+		proxyURLProvider: proxyURLProvider,
 		validator: domain.Validator{
 			Resolver: net.DefaultResolver,
 		},
@@ -67,12 +67,8 @@ func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*d

 	// Add connected proxy clusters as free domains.
 	// The cluster address itself is the free domain base (e.g., "eu.proxy.netbird.io").
-	allowList, err := m.proxyManager.GetActiveClusterAddresses(ctx)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get active proxy cluster addresses: %v", err)
-		return nil, err
-	}
-	log.WithContext(ctx).WithFields(log.Fields{
+	allowList := m.proxyURLAllowList()
+	log.WithFields(log.Fields{
 		"accountID":      accountID,
 		"proxyAllowList": allowList,
 	}).Debug("getting domains with proxy allow list")
@@ -111,10 +107,7 @@ func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName
 	}

 	// Verify the target cluster is in the available clusters
-	allowList, err := m.proxyManager.GetActiveClusterAddresses(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get active proxy cluster addresses: %w", err)
-	}
+	allowList := m.proxyURLAllowList()
 	clusterValid := false
 	for _, cluster := range allowList {
 		if cluster == targetCluster {
@@ -228,26 +221,21 @@ func (m Manager) ValidateDomain(ctx context.Context, accountID, userID, domainID
 	}
 }

-// GetClusterDomains returns a list of proxy cluster domains.
-func (m Manager) GetClusterDomains() []string {
-	if m.proxyManager == nil {
-		return nil
+// proxyURLAllowList retrieves a list of currently connected proxies and
+// their URLs
+func (m Manager) proxyURLAllowList() []string {
+	var reverseProxyAddresses []string
+	if m.proxyURLProvider != nil {
+		reverseProxyAddresses = m.proxyURLProvider.GetConnectedProxyURLs()
 	}
-	addresses, err := m.proxyManager.GetActiveClusterAddresses(context.Background())
-	if err != nil {
-		return nil
-	}
-	return addresses
+	return reverseProxyAddresses
 }

 // DeriveClusterFromDomain determines the proxy cluster for a given domain.
 // For free domains (those ending with a known cluster suffix), the cluster is extracted from the domain.
 // For custom domains, the cluster is determined by checking the registered custom domain's target cluster.
 func (m Manager) DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error) {
-	allowList, err := m.proxyManager.GetActiveClusterAddresses(ctx)
-	if err != nil {
-		return "", fmt.Errorf("failed to get active proxy cluster addresses: %w", err)
-	}
+	allowList := m.proxyURLAllowList()
 	if len(allowList) == 0 {
 		return "", fmt.Errorf("no proxy clusters available")
 	}
--- a/management/internals/modules/reverseproxy/service/interface.go
+++ b/management/internals/modules/reverseproxy/service/interface.go
@@ -1,6 +1,6 @@
-package service
+package reverseproxy

-//go:generate go run github.com/golang/mock/mockgen -package service -destination=interface_mock.go -source=./interface.go -build_flags=-mod=mod
+//go:generate go run github.com/golang/mock/mockgen -package reverseproxy -destination=interface_mock.go -source=./interface.go -build_flags=-mod=mod

 import (
 	"context"
@@ -12,17 +12,12 @@ type Manager interface {
 	CreateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error)
 	UpdateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error)
 	DeleteService(ctx context.Context, accountID, userID, serviceID string) error
-	DeleteAllServices(ctx context.Context, accountID, userID string) error
 	SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error
-	SetStatus(ctx context.Context, accountID, serviceID string, status Status) error
+	SetStatus(ctx context.Context, accountID, serviceID string, status ProxyStatus) error
 	ReloadAllServicesForAccount(ctx context.Context, accountID string) error
 	ReloadService(ctx context.Context, accountID, serviceID string) error
 	GetGlobalServices(ctx context.Context) ([]*Service, error)
 	GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error)
 	GetAccountServices(ctx context.Context, accountID string) ([]*Service, error)
 	GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error)
-	CreateServiceFromPeer(ctx context.Context, accountID, peerID string, req *ExposeServiceRequest) (*ExposeServiceResponse, error)
-	RenewServiceFromPeer(ctx context.Context, accountID, peerID, domain string) error
-	StopServiceFromPeer(ctx context.Context, accountID, peerID, domain string) error
-	StartExposeReaper(ctx context.Context)
 }
--- a/management/internals/modules/reverseproxy/service/interface_mock.go
+++ b/management/internals/modules/reverseproxy/service/interface_mock.go
@@ -1,8 +1,8 @@
 // Code generated by MockGen. DO NOT EDIT.
 // Source: ./interface.go

-// Package service is a generated GoMock package.
-package service
+// Package reverseproxy is a generated GoMock package.
+package reverseproxy

 import (
 	context "context"
@@ -49,35 +49,6 @@ func (mr *MockManagerMockRecorder) CreateService(ctx, accountID, userID, service
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateService", reflect.TypeOf((*MockManager)(nil).CreateService), ctx, accountID, userID, service)
 }

-// CreateServiceFromPeer mocks base method.
-func (m *MockManager) CreateServiceFromPeer(ctx context.Context, accountID, peerID string, req *ExposeServiceRequest) (*ExposeServiceResponse, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateServiceFromPeer", ctx, accountID, peerID, req)
-	ret0, _ := ret[0].(*ExposeServiceResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// CreateServiceFromPeer indicates an expected call of CreateServiceFromPeer.
-func (mr *MockManagerMockRecorder) CreateServiceFromPeer(ctx, accountID, peerID, req interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateServiceFromPeer", reflect.TypeOf((*MockManager)(nil).CreateServiceFromPeer), ctx, accountID, peerID, req)
-}
-
-// DeleteAllServices mocks base method.
-func (m *MockManager) DeleteAllServices(ctx context.Context, accountID, userID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteAllServices", ctx, accountID, userID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteAllServices indicates an expected call of DeleteAllServices.
-func (mr *MockManagerMockRecorder) DeleteAllServices(ctx, accountID, userID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteAllServices", reflect.TypeOf((*MockManager)(nil).DeleteAllServices), ctx, accountID, userID)
-}
-
 // DeleteService mocks base method.
 func (m *MockManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
 	m.ctrl.T.Helper()
@@ -210,20 +181,6 @@ func (mr *MockManagerMockRecorder) ReloadService(ctx, accountID, serviceID inter
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReloadService", reflect.TypeOf((*MockManager)(nil).ReloadService), ctx, accountID, serviceID)
 }

-// RenewServiceFromPeer mocks base method.
-func (m *MockManager) RenewServiceFromPeer(ctx context.Context, accountID, peerID, domain string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "RenewServiceFromPeer", ctx, accountID, peerID, domain)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// RenewServiceFromPeer indicates an expected call of RenewServiceFromPeer.
-func (mr *MockManagerMockRecorder) RenewServiceFromPeer(ctx, accountID, peerID, domain interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RenewServiceFromPeer", reflect.TypeOf((*MockManager)(nil).RenewServiceFromPeer), ctx, accountID, peerID, domain)
-}
-
 // SetCertificateIssuedAt mocks base method.
 func (m *MockManager) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
 	m.ctrl.T.Helper()
@@ -239,7 +196,7 @@ func (mr *MockManagerMockRecorder) SetCertificateIssuedAt(ctx, accountID, servic
 }

 // SetStatus mocks base method.
-func (m *MockManager) SetStatus(ctx context.Context, accountID, serviceID string, status Status) error {
+func (m *MockManager) SetStatus(ctx context.Context, accountID, serviceID string, status ProxyStatus) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SetStatus", ctx, accountID, serviceID, status)
 	ret0, _ := ret[0].(error)
@@ -252,32 +209,6 @@ func (mr *MockManagerMockRecorder) SetStatus(ctx, accountID, serviceID, status i
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetStatus", reflect.TypeOf((*MockManager)(nil).SetStatus), ctx, accountID, serviceID, status)
 }

-// StartExposeReaper mocks base method.
-func (m *MockManager) StartExposeReaper(ctx context.Context) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "StartExposeReaper", ctx)
-}
-
-// StartExposeReaper indicates an expected call of StartExposeReaper.
-func (mr *MockManagerMockRecorder) StartExposeReaper(ctx interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartExposeReaper", reflect.TypeOf((*MockManager)(nil).StartExposeReaper), ctx)
-}
-
-// StopServiceFromPeer mocks base method.
-func (m *MockManager) StopServiceFromPeer(ctx context.Context, accountID, peerID, domain string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "StopServiceFromPeer", ctx, accountID, peerID, domain)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// StopServiceFromPeer indicates an expected call of StopServiceFromPeer.
-func (mr *MockManagerMockRecorder) StopServiceFromPeer(ctx, accountID, peerID, domain interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StopServiceFromPeer", reflect.TypeOf((*MockManager)(nil).StopServiceFromPeer), ctx, accountID, peerID, domain)
-}
-
 // UpdateService mocks base method.
 func (m *MockManager) UpdateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error) {
 	m.ctrl.T.Helper()
--- a/management/internals/modules/reverseproxy/service/manager/api.go
+++ b/management/internals/modules/reverseproxy/service/manager/api.go
@@ -6,10 +6,10 @@ import (

 	"github.com/gorilla/mux"

+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
 	domainmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
-	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -17,11 +17,11 @@ import (
 )

 type handler struct {
-	manager rpservice.Manager
+	manager reverseproxy.Manager
 }

 // RegisterEndpoints registers all service HTTP endpoints.
-func RegisterEndpoints(manager rpservice.Manager, domainManager domainmanager.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
+func RegisterEndpoints(manager reverseproxy.Manager, domainManager domainmanager.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
 	h := &handler{
 		manager: manager,
 	}
@@ -72,7 +72,7 @@ func (h *handler) createService(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	service := new(rpservice.Service)
+	service := new(reverseproxy.Service)
 	service.FromAPIRequest(&req, userAuth.AccountId)

 	if err = service.Validate(); err != nil {
@@ -130,7 +130,7 @@ func (h *handler) updateService(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	service := new(rpservice.Service)
+	service := new(reverseproxy.Service)
 	service.ID = serviceID
 	service.FromAPIRequest(&req, userAuth.AccountId)

--- a/management/internals/modules/reverseproxy/manager/manager.go
+++ b/management/internals/modules/reverseproxy/manager/manager.go
@@ -0,0 +1,500 @@
+package manager
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
+	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	"github.com/netbirdio/netbird/management/server/account"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/shared/management/status"
+)
+
+const unknownHostPlaceholder = "unknown"
+
+// ClusterDeriver derives the proxy cluster from a domain.
+type ClusterDeriver interface {
+	DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error)
+}
+
+type managerImpl struct {
+	store              store.Store
+	accountManager     account.Manager
+	permissionsManager permissions.Manager
+	proxyGRPCServer    *nbgrpc.ProxyServiceServer
+	clusterDeriver     ClusterDeriver
+}
+
+// NewManager creates a new service manager.
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, clusterDeriver ClusterDeriver) reverseproxy.Manager {
+	return &managerImpl{
+		store:              store,
+		accountManager:     accountManager,
+		permissionsManager: permissionsManager,
+		proxyGRPCServer:    proxyGRPCServer,
+		clusterDeriver:     clusterDeriver,
+	}
+}
+
+func (m *managerImpl) GetAllServices(ctx context.Context, accountID, userID string) ([]*reverseproxy.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get services: %w", err)
+	}
+
+	for _, service := range services {
+		err = m.replaceHostByLookup(ctx, accountID, service)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+		}
+	}
+
+	return services, nil
+}
+
+func (m *managerImpl) replaceHostByLookup(ctx context.Context, accountID string, service *reverseproxy.Service) error {
+	for _, target := range service.Targets {
+		switch target.TargetType {
+		case reverseproxy.TargetTypePeer:
+			peer, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				log.WithContext(ctx).Warnf("failed to get peer by id %s for service %s: %v", target.TargetId, service.ID, err)
+				target.Host = unknownHostPlaceholder
+				continue
+			}
+			target.Host = peer.IP.String()
+		case reverseproxy.TargetTypeHost:
+			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				log.WithContext(ctx).Warnf("failed to get resource by id %s for service %s: %v", target.TargetId, service.ID, err)
+				target.Host = unknownHostPlaceholder
+				continue
+			}
+			target.Host = resource.Prefix.Addr().String()
+		case reverseproxy.TargetTypeDomain:
+			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				log.WithContext(ctx).Warnf("failed to get resource by id %s for service %s: %v", target.TargetId, service.ID, err)
+				target.Host = unknownHostPlaceholder
+				continue
+			}
+			target.Host = resource.Domain
+		case reverseproxy.TargetTypeSubnet:
+			// For subnets we do not do any lookups on the resource
+		default:
+			return fmt.Errorf("unknown target type: %s", target.TargetType)
+		}
+	}
+	return nil
+}
+
+func (m *managerImpl) GetService(ctx context.Context, accountID, userID, serviceID string) (*reverseproxy.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get service: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, service)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+	}
+	return service, nil
+}
+
+func (m *managerImpl) CreateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	var proxyCluster string
+	if m.clusterDeriver != nil {
+		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
+		if err != nil {
+			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
+			return nil, status.Errorf(status.PreconditionFailed, "could not derive cluster from domain %s: %v", service.Domain, err)
+		}
+	}
+
+	service.AccountID = accountID
+	service.ProxyCluster = proxyCluster
+	service.InitNewRecord()
+	err = service.Auth.HashSecrets()
+	if err != nil {
+		return nil, fmt.Errorf("hash secrets: %w", err)
+	}
+
+	// Generate session JWT signing keys
+	keyPair, err := sessionkey.GenerateKeyPair()
+	if err != nil {
+		return nil, fmt.Errorf("generate session keys: %w", err)
+	}
+	service.SessionPrivateKey = keyPair.PrivateKey
+	service.SessionPublicKey = keyPair.PublicKey
+
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		// Check for duplicate domain
+		existingService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
+		if err != nil {
+			if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+				return fmt.Errorf("failed to check existing service: %w", err)
+			}
+		}
+		if existingService != nil {
+			return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
+		}
+
+		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
+			return err
+		}
+
+		if err = transaction.CreateService(ctx, service); err != nil {
+			return fmt.Errorf("failed to create service: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceCreated, service.EventMeta())
+
+	err = m.replaceHostByLookup(ctx, accountID, service)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+	}
+
+	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return service, nil
+}
+
+func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	var oldCluster string
+	var domainChanged bool
+	var serviceEnabledChanged bool
+
+	err = service.Auth.HashSecrets()
+	if err != nil {
+		return nil, fmt.Errorf("hash secrets: %w", err)
+	}
+
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
+		if err != nil {
+			return err
+		}
+
+		oldCluster = existingService.ProxyCluster
+
+		if existingService.Domain != service.Domain {
+			domainChanged = true
+			conflictService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
+			if err != nil {
+				if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+					return fmt.Errorf("check existing service: %w", err)
+				}
+			}
+			if conflictService != nil && conflictService.ID != service.ID {
+				return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
+			}
+
+			if m.clusterDeriver != nil {
+				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
+				if err != nil {
+					log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
+				}
+				service.ProxyCluster = newCluster
+			}
+		} else {
+			service.ProxyCluster = existingService.ProxyCluster
+		}
+
+		if service.Auth.PasswordAuth != nil && service.Auth.PasswordAuth.Enabled &&
+			existingService.Auth.PasswordAuth != nil && existingService.Auth.PasswordAuth.Enabled &&
+			service.Auth.PasswordAuth.Password == "" {
+			service.Auth.PasswordAuth = existingService.Auth.PasswordAuth
+		}
+
+		if service.Auth.PinAuth != nil && service.Auth.PinAuth.Enabled &&
+			existingService.Auth.PinAuth != nil && existingService.Auth.PinAuth.Enabled &&
+			service.Auth.PinAuth.Pin == "" {
+			service.Auth.PinAuth = existingService.Auth.PinAuth
+		}
+
+		service.Meta = existingService.Meta
+		service.SessionPrivateKey = existingService.SessionPrivateKey
+		service.SessionPublicKey = existingService.SessionPublicKey
+		serviceEnabledChanged = existingService.Enabled != service.Enabled
+
+		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
+			return err
+		}
+
+		if err = transaction.UpdateService(ctx, service); err != nil {
+			return fmt.Errorf("update service: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceUpdated, service.EventMeta())
+
+	err = m.replaceHostByLookup(ctx, accountID, service)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+	}
+
+	oidcCfg := m.proxyGRPCServer.GetOIDCValidationConfig()
+	switch {
+	case domainChanged && oldCluster != service.ProxyCluster:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), oldCluster)
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
+	case !service.Enabled && serviceEnabledChanged:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), service.ProxyCluster)
+	case service.Enabled && serviceEnabledChanged:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
+	default:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", oidcCfg), service.ProxyCluster)
+	}
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return service, nil
+}
+
+// validateTargetReferences checks that all target IDs reference existing peers or resources in the account.
+func validateTargetReferences(ctx context.Context, transaction store.Store, accountID string, targets []*reverseproxy.Target) error {
+	for _, target := range targets {
+		switch target.TargetType {
+		case reverseproxy.TargetTypePeer:
+			if _, err := transaction.GetPeerByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
+				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
+					return status.Errorf(status.InvalidArgument, "peer target %q not found in account", target.TargetId)
+				}
+				return fmt.Errorf("look up peer target %q: %w", target.TargetId, err)
+			}
+		case reverseproxy.TargetTypeHost, reverseproxy.TargetTypeSubnet, reverseproxy.TargetTypeDomain:
+			if _, err := transaction.GetNetworkResourceByID(ctx, store.LockingStrengthShare, accountID, target.TargetId); err != nil {
+				if sErr, ok := status.FromError(err); ok && sErr.Type() == status.NotFound {
+					return status.Errorf(status.InvalidArgument, "resource target %q not found in account", target.TargetId)
+				}
+				return fmt.Errorf("look up resource target %q: %w", target.TargetId, err)
+			}
+		}
+	}
+	return nil
+}
+
+func (m *managerImpl) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
+	var service *reverseproxy.Service
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		var err error
+		service, err = transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
+		if err != nil {
+			return err
+		}
+
+		if err = transaction.DeleteService(ctx, accountID, serviceID); err != nil {
+			return fmt.Errorf("failed to delete service: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	m.accountManager.StoreEvent(ctx, userID, serviceID, accountID, activity.ServiceDeleted, service.EventMeta())
+
+	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+// SetCertificateIssuedAt sets the certificate issued timestamp to the current time.
+// Call this when receiving a gRPC notification that the certificate was issued.
+func (m *managerImpl) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
+	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		service, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
+		if err != nil {
+			return fmt.Errorf("failed to get service: %w", err)
+		}
+
+		service.Meta.CertificateIssuedAt = time.Now()
+
+		if err = transaction.UpdateService(ctx, service); err != nil {
+			return fmt.Errorf("failed to update service certificate timestamp: %w", err)
+		}
+
+		return nil
+	})
+}
+
+// SetStatus updates the status of the service (e.g., "active", "tunnel_not_created", etc.)
+func (m *managerImpl) SetStatus(ctx context.Context, accountID, serviceID string, status reverseproxy.ProxyStatus) error {
+	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		service, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
+		if err != nil {
+			return fmt.Errorf("failed to get service: %w", err)
+		}
+
+		service.Meta.Status = string(status)
+
+		if err = transaction.UpdateService(ctx, service); err != nil {
+			return fmt.Errorf("failed to update service status: %w", err)
+		}
+
+		return nil
+	})
+}
+
+func (m *managerImpl) ReloadService(ctx context.Context, accountID, serviceID string) error {
+	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
+	if err != nil {
+		return fmt.Errorf("failed to get service: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, service)
+	if err != nil {
+		return fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+	}
+
+	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
+	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get services: %w", err)
+	}
+
+	for _, service := range services {
+		err = m.replaceHostByLookup(ctx, accountID, service)
+		if err != nil {
+			return fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+		}
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+	}
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
+	services, err := m.store.GetServices(ctx, store.LockingStrengthNone)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get services: %w", err)
+	}
+
+	for _, service := range services {
+		err = m.replaceHostByLookup(ctx, service.AccountID, service)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+		}
+	}
+
+	return services, nil
+}
+
+func (m *managerImpl) GetServiceByID(ctx context.Context, accountID, serviceID string) (*reverseproxy.Service, error) {
+	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get service: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, service)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+	}
+
+	return service, nil
+}
+
+func (m *managerImpl) GetAccountServices(ctx context.Context, accountID string) ([]*reverseproxy.Service, error) {
+	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get services: %w", err)
+	}
+
+	for _, service := range services {
+		err = m.replaceHostByLookup(ctx, accountID, service)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
+		}
+	}
+
+	return services, nil
+}
+
+func (m *managerImpl) GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error) {
+	target, err := m.store.GetServiceTargetByTargetID(ctx, store.LockingStrengthNone, accountID, resourceID)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
+			return "", nil
+		}
+		return "", fmt.Errorf("failed to get service target by resource ID: %w", err)
+	}
+
+	if target == nil {
+		return "", nil
+	}
+
+	return target.ServiceID, nil
+}
--- a/management/internals/modules/reverseproxy/proxy/manager.go
+++ b/management/internals/modules/reverseproxy/proxy/manager.go
@@ -1,36 +0,0 @@
-package proxy
-
-//go:generate go run github.com/golang/mock/mockgen -package proxy -destination=manager_mock.go -source=./manager.go -build_flags=-mod=mod
-
-import (
-	"context"
-	"time"
-
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// Manager defines the interface for proxy operations
-type Manager interface {
-	Connect(ctx context.Context, proxyID, clusterAddress, ipAddress string) error
-	Disconnect(ctx context.Context, proxyID string) error
-	Heartbeat(ctx context.Context, proxyID string) error
-	GetActiveClusterAddresses(ctx context.Context) ([]string, error)
-	CleanupStale(ctx context.Context, inactivityDuration time.Duration) error
-}
-
-// OIDCValidationConfig contains the OIDC configuration needed for token validation.
-type OIDCValidationConfig struct {
-	Issuer             string
-	Audiences          []string
-	KeysLocation       string
-	MaxTokenAgeSeconds int64
-}
-
-// Controller is responsible for managing proxy clusters and routing service updates.
-type Controller interface {
-	SendServiceUpdateToCluster(ctx context.Context, accountID string, update *proto.ProxyMapping, clusterAddr string)
-	GetOIDCValidationConfig() OIDCValidationConfig
-	RegisterProxyToCluster(ctx context.Context, clusterAddr, proxyID string) error
-	UnregisterProxyFromCluster(ctx context.Context, clusterAddr, proxyID string) error
-	GetProxiesForCluster(clusterAddr string) []string
-}
--- a/management/internals/modules/reverseproxy/proxy/manager/controller.go
+++ b/management/internals/modules/reverseproxy/proxy/manager/controller.go
@@ -1,88 +0,0 @@
-package manager
-
-import (
-	"context"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"go.opentelemetry.io/otel/metric"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// GRPCController is a concrete implementation that manages proxy clusters and sends updates directly via gRPC.
-type GRPCController struct {
-	proxyGRPCServer *nbgrpc.ProxyServiceServer
-	// Map of cluster address -> set of proxy IDs
-	clusterProxies sync.Map
-	metrics        *metrics
-}
-
-// NewGRPCController creates a new GRPCController.
-func NewGRPCController(proxyGRPCServer *nbgrpc.ProxyServiceServer, meter metric.Meter) (*GRPCController, error) {
-	m, err := newMetrics(meter)
-	if err != nil {
-		return nil, err
-	}
-
-	return &GRPCController{
-		proxyGRPCServer: proxyGRPCServer,
-		metrics:         m,
-	}, nil
-}
-
-// SendServiceUpdateToCluster sends a service update to a specific proxy cluster.
-func (c *GRPCController) SendServiceUpdateToCluster(ctx context.Context, accountID string, update *proto.ProxyMapping, clusterAddr string) {
-	c.proxyGRPCServer.SendServiceUpdateToCluster(ctx, update, clusterAddr)
-	c.metrics.IncrementServiceUpdateSendCount(clusterAddr)
-}
-
-// GetOIDCValidationConfig returns the OIDC validation configuration from the gRPC server.
-func (c *GRPCController) GetOIDCValidationConfig() proxy.OIDCValidationConfig {
-	return c.proxyGRPCServer.GetOIDCValidationConfig()
-}
-
-// RegisterProxyToCluster registers a proxy to a specific cluster for routing.
-func (c *GRPCController) RegisterProxyToCluster(ctx context.Context, clusterAddr, proxyID string) error {
-	if clusterAddr == "" {
-		return nil
-	}
-	proxySet, _ := c.clusterProxies.LoadOrStore(clusterAddr, &sync.Map{})
-	proxySet.(*sync.Map).Store(proxyID, struct{}{})
-	log.WithContext(ctx).Debugf("Registered proxy %s to cluster %s", proxyID, clusterAddr)
-
-	c.metrics.IncrementProxyConnectionCount(clusterAddr)
-
-	return nil
-}
-
-// UnregisterProxyFromCluster removes a proxy from a cluster.
-func (c *GRPCController) UnregisterProxyFromCluster(ctx context.Context, clusterAddr, proxyID string) error {
-	if clusterAddr == "" {
-		return nil
-	}
-	if proxySet, ok := c.clusterProxies.Load(clusterAddr); ok {
-		proxySet.(*sync.Map).Delete(proxyID)
-		log.WithContext(ctx).Debugf("Unregistered proxy %s from cluster %s", proxyID, clusterAddr)
-
-		c.metrics.DecrementProxyConnectionCount(clusterAddr)
-	}
-	return nil
-}
-
-// GetProxiesForCluster returns all proxy IDs registered for a specific cluster.
-func (c *GRPCController) GetProxiesForCluster(clusterAddr string) []string {
-	proxySet, ok := c.clusterProxies.Load(clusterAddr)
-	if !ok {
-		return nil
-	}
-
-	var proxies []string
-	proxySet.(*sync.Map).Range(func(key, _ interface{}) bool {
-		proxies = append(proxies, key.(string))
-		return true
-	})
-	return proxies
-}
--- a/management/internals/modules/reverseproxy/proxy/manager/manager.go
+++ b/management/internals/modules/reverseproxy/proxy/manager/manager.go
@@ -1,115 +0,0 @@
-package manager
-
-import (
-	"context"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"go.opentelemetry.io/otel/metric"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
-)
-
-// store defines the interface for proxy persistence operations
-type store interface {
-	SaveProxy(ctx context.Context, p *proxy.Proxy) error
-	UpdateProxyHeartbeat(ctx context.Context, proxyID string) error
-	GetActiveProxyClusterAddresses(ctx context.Context) ([]string, error)
-	CleanupStaleProxies(ctx context.Context, inactivityDuration time.Duration) error
-}
-
-// Manager handles all proxy operations
-type Manager struct {
-	store   store
-	metrics *metrics
-}
-
-// NewManager creates a new proxy Manager
-func NewManager(store store, meter metric.Meter) (*Manager, error) {
-	m, err := newMetrics(meter)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Manager{
-		store:   store,
-		metrics: m,
-	}, nil
-}
-
-// Connect registers a new proxy connection in the database
-func (m Manager) Connect(ctx context.Context, proxyID, clusterAddress, ipAddress string) error {
-	now := time.Now()
-	p := &proxy.Proxy{
-		ID:             proxyID,
-		ClusterAddress: clusterAddress,
-		IPAddress:      ipAddress,
-		LastSeen:       now,
-		ConnectedAt:    &now,
-		Status:         "connected",
-	}
-
-	if err := m.store.SaveProxy(ctx, p); err != nil {
-		log.WithContext(ctx).Errorf("failed to register proxy %s: %v", proxyID, err)
-		return err
-	}
-
-	log.WithContext(ctx).WithFields(log.Fields{
-		"proxyID":        proxyID,
-		"clusterAddress": clusterAddress,
-		"ipAddress":      ipAddress,
-	}).Info("proxy connected")
-
-	return nil
-}
-
-// Disconnect marks a proxy as disconnected in the database
-func (m Manager) Disconnect(ctx context.Context, proxyID string) error {
-	now := time.Now()
-	p := &proxy.Proxy{
-		ID:             proxyID,
-		Status:         "disconnected",
-		DisconnectedAt: &now,
-		LastSeen:       now,
-	}
-
-	if err := m.store.SaveProxy(ctx, p); err != nil {
-		log.WithContext(ctx).Errorf("failed to disconnect proxy %s: %v", proxyID, err)
-		return err
-	}
-
-	log.WithContext(ctx).WithFields(log.Fields{
-		"proxyID": proxyID,
-	}).Info("proxy disconnected")
-
-	return nil
-}
-
-// Heartbeat updates the proxy's last seen timestamp
-func (m Manager) Heartbeat(ctx context.Context, proxyID string) error {
-	if err := m.store.UpdateProxyHeartbeat(ctx, proxyID); err != nil {
-		log.WithContext(ctx).Debugf("failed to update proxy %s heartbeat: %v", proxyID, err)
-		return err
-	}
-	m.metrics.IncrementProxyHeartbeatCount()
-	return nil
-}
-
-// GetActiveClusterAddresses returns all unique cluster addresses for active proxies
-func (m Manager) GetActiveClusterAddresses(ctx context.Context) ([]string, error) {
-	addresses, err := m.store.GetActiveProxyClusterAddresses(ctx)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get active proxy cluster addresses: %v", err)
-		return nil, err
-	}
-	return addresses, nil
-}
-
-// CleanupStale removes proxies that haven't sent heartbeat in the specified duration
-func (m Manager) CleanupStale(ctx context.Context, inactivityDuration time.Duration) error {
-	if err := m.store.CleanupStaleProxies(ctx, inactivityDuration); err != nil {
-		log.WithContext(ctx).Errorf("failed to cleanup stale proxies: %v", err)
-		return err
-	}
-	return nil
-}
--- a/management/internals/modules/reverseproxy/proxy/manager/metrics.go
+++ b/management/internals/modules/reverseproxy/proxy/manager/metrics.go
@@ -1,74 +0,0 @@
-package manager
-
-import (
-	"context"
-
-	"go.opentelemetry.io/otel/attribute"
-	"go.opentelemetry.io/otel/metric"
-)
-
-type metrics struct {
-	proxyConnectionCount   metric.Int64UpDownCounter
-	serviceUpdateSendCount metric.Int64Counter
-	proxyHeartbeatCount    metric.Int64Counter
-}
-
-func newMetrics(meter metric.Meter) (*metrics, error) {
-	proxyConnectionCount, err := meter.Int64UpDownCounter(
-		"management_proxy_connection_count",
-		metric.WithDescription("Number of active proxy connections"),
-		metric.WithUnit("{connection}"),
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	serviceUpdateSendCount, err := meter.Int64Counter(
-		"management_proxy_service_update_send_count",
-		metric.WithDescription("Total number of service updates sent to proxies"),
-		metric.WithUnit("{update}"),
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	proxyHeartbeatCount, err := meter.Int64Counter(
-		"management_proxy_heartbeat_count",
-		metric.WithDescription("Total number of proxy heartbeats received"),
-		metric.WithUnit("{heartbeat}"),
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	return &metrics{
-		proxyConnectionCount:   proxyConnectionCount,
-		serviceUpdateSendCount: serviceUpdateSendCount,
-		proxyHeartbeatCount:    proxyHeartbeatCount,
-	}, nil
-}
-
-func (m *metrics) IncrementProxyConnectionCount(clusterAddr string) {
-	m.proxyConnectionCount.Add(context.Background(), 1,
-		metric.WithAttributes(
-			attribute.String("cluster", clusterAddr),
-		))
-}
-
-func (m *metrics) DecrementProxyConnectionCount(clusterAddr string) {
-	m.proxyConnectionCount.Add(context.Background(), -1,
-		metric.WithAttributes(
-			attribute.String("cluster", clusterAddr),
-		))
-}
-
-func (m *metrics) IncrementServiceUpdateSendCount(clusterAddr string) {
-	m.serviceUpdateSendCount.Add(context.Background(), 1,
-		metric.WithAttributes(
-			attribute.String("cluster", clusterAddr),
-		))
-}
-
-func (m *metrics) IncrementProxyHeartbeatCount() {
-	m.proxyHeartbeatCount.Add(context.Background(), 1)
-}
--- a/management/internals/modules/reverseproxy/proxy/manager_mock.go
+++ b/management/internals/modules/reverseproxy/proxy/manager_mock.go
@@ -1,199 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: ./manager.go
-
-// Package proxy is a generated GoMock package.
-package proxy
-
-import (
-	context "context"
-	reflect "reflect"
-	time "time"
-
-	gomock "github.com/golang/mock/gomock"
-	proto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// MockManager is a mock of Manager interface.
-type MockManager struct {
-	ctrl     *gomock.Controller
-	recorder *MockManagerMockRecorder
-}
-
-// MockManagerMockRecorder is the mock recorder for MockManager.
-type MockManagerMockRecorder struct {
-	mock *MockManager
-}
-
-// NewMockManager creates a new mock instance.
-func NewMockManager(ctrl *gomock.Controller) *MockManager {
-	mock := &MockManager{ctrl: ctrl}
-	mock.recorder = &MockManagerMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockManager) EXPECT() *MockManagerMockRecorder {
-	return m.recorder
-}
-
-// CleanupStale mocks base method.
-func (m *MockManager) CleanupStale(ctx context.Context, inactivityDuration time.Duration) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CleanupStale", ctx, inactivityDuration)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// CleanupStale indicates an expected call of CleanupStale.
-func (mr *MockManagerMockRecorder) CleanupStale(ctx, inactivityDuration interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CleanupStale", reflect.TypeOf((*MockManager)(nil).CleanupStale), ctx, inactivityDuration)
-}
-
-// Connect mocks base method.
-func (m *MockManager) Connect(ctx context.Context, proxyID, clusterAddress, ipAddress string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Connect", ctx, proxyID, clusterAddress, ipAddress)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Connect indicates an expected call of Connect.
-func (mr *MockManagerMockRecorder) Connect(ctx, proxyID, clusterAddress, ipAddress interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Connect", reflect.TypeOf((*MockManager)(nil).Connect), ctx, proxyID, clusterAddress, ipAddress)
-}
-
-// Disconnect mocks base method.
-func (m *MockManager) Disconnect(ctx context.Context, proxyID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Disconnect", ctx, proxyID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Disconnect indicates an expected call of Disconnect.
-func (mr *MockManagerMockRecorder) Disconnect(ctx, proxyID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Disconnect", reflect.TypeOf((*MockManager)(nil).Disconnect), ctx, proxyID)
-}
-
-// GetActiveClusterAddresses mocks base method.
-func (m *MockManager) GetActiveClusterAddresses(ctx context.Context) ([]string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetActiveClusterAddresses", ctx)
-	ret0, _ := ret[0].([]string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetActiveClusterAddresses indicates an expected call of GetActiveClusterAddresses.
-func (mr *MockManagerMockRecorder) GetActiveClusterAddresses(ctx interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetActiveClusterAddresses", reflect.TypeOf((*MockManager)(nil).GetActiveClusterAddresses), ctx)
-}
-
-// Heartbeat mocks base method.
-func (m *MockManager) Heartbeat(ctx context.Context, proxyID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Heartbeat", ctx, proxyID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Heartbeat indicates an expected call of Heartbeat.
-func (mr *MockManagerMockRecorder) Heartbeat(ctx, proxyID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Heartbeat", reflect.TypeOf((*MockManager)(nil).Heartbeat), ctx, proxyID)
-}
-
-// MockController is a mock of Controller interface.
-type MockController struct {
-	ctrl     *gomock.Controller
-	recorder *MockControllerMockRecorder
-}
-
-// MockControllerMockRecorder is the mock recorder for MockController.
-type MockControllerMockRecorder struct {
-	mock *MockController
-}
-
-// NewMockController creates a new mock instance.
-func NewMockController(ctrl *gomock.Controller) *MockController {
-	mock := &MockController{ctrl: ctrl}
-	mock.recorder = &MockControllerMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockController) EXPECT() *MockControllerMockRecorder {
-	return m.recorder
-}
-
-// GetOIDCValidationConfig mocks base method.
-func (m *MockController) GetOIDCValidationConfig() OIDCValidationConfig {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetOIDCValidationConfig")
-	ret0, _ := ret[0].(OIDCValidationConfig)
-	return ret0
-}
-
-// GetOIDCValidationConfig indicates an expected call of GetOIDCValidationConfig.
-func (mr *MockControllerMockRecorder) GetOIDCValidationConfig() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOIDCValidationConfig", reflect.TypeOf((*MockController)(nil).GetOIDCValidationConfig))
-}
-
-// GetProxiesForCluster mocks base method.
-func (m *MockController) GetProxiesForCluster(clusterAddr string) []string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetProxiesForCluster", clusterAddr)
-	ret0, _ := ret[0].([]string)
-	return ret0
-}
-
-// GetProxiesForCluster indicates an expected call of GetProxiesForCluster.
-func (mr *MockControllerMockRecorder) GetProxiesForCluster(clusterAddr interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProxiesForCluster", reflect.TypeOf((*MockController)(nil).GetProxiesForCluster), clusterAddr)
-}
-
-// RegisterProxyToCluster mocks base method.
-func (m *MockController) RegisterProxyToCluster(ctx context.Context, clusterAddr, proxyID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "RegisterProxyToCluster", ctx, clusterAddr, proxyID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// RegisterProxyToCluster indicates an expected call of RegisterProxyToCluster.
-func (mr *MockControllerMockRecorder) RegisterProxyToCluster(ctx, clusterAddr, proxyID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegisterProxyToCluster", reflect.TypeOf((*MockController)(nil).RegisterProxyToCluster), ctx, clusterAddr, proxyID)
-}
-
-// SendServiceUpdateToCluster mocks base method.
-func (m *MockController) SendServiceUpdateToCluster(ctx context.Context, accountID string, update *proto.ProxyMapping, clusterAddr string) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SendServiceUpdateToCluster", ctx, accountID, update, clusterAddr)
-}
-
-// SendServiceUpdateToCluster indicates an expected call of SendServiceUpdateToCluster.
-func (mr *MockControllerMockRecorder) SendServiceUpdateToCluster(ctx, accountID, update, clusterAddr interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SendServiceUpdateToCluster", reflect.TypeOf((*MockController)(nil).SendServiceUpdateToCluster), ctx, accountID, update, clusterAddr)
-}
-
-// UnregisterProxyFromCluster mocks base method.
-func (m *MockController) UnregisterProxyFromCluster(ctx context.Context, clusterAddr, proxyID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UnregisterProxyFromCluster", ctx, clusterAddr, proxyID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UnregisterProxyFromCluster indicates an expected call of UnregisterProxyFromCluster.
-func (mr *MockControllerMockRecorder) UnregisterProxyFromCluster(ctx, clusterAddr, proxyID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UnregisterProxyFromCluster", reflect.TypeOf((*MockController)(nil).UnregisterProxyFromCluster), ctx, clusterAddr, proxyID)
-}
--- a/Show More
+++ b/Show More