---
# NetBird combined server configuration template.
# Copy to config.yaml and adjust the values for your deployment.
#
# One process hosts the Management server plus embedded Signal, Relay and
# STUN services. Every embedded service runs locally unless the matching
# override key further down is set, in which case the local instance is
# disabled:
#
#   Management  always local (this file configures it)
#   Signal      local unless 'signalUri' is set
#   Relay       local unless 'relays' is set
#   STUN        local on port 3478 unless 'stuns' is set

server:
  # Address the Management, Signal and Relay services listen on (HTTP/gRPC).
  # A bare ':443' presumably binds every interface; restrict it or firewall
  # the host if that is not intended.
  listenAddress: ':443'

  # Address peers use to reach this server; also used for relay connections
  # and the management DNS domain. Format: protocol://hostname:port
  exposedAddress: 'https://server.mycompany.com:443'

  # Ports for the embedded STUN server. Omitted means [3478]; set the
  # top-level 'stuns' key instead to use external servers.
  # stunPorts:
  #   - 3478

  # Metrics endpoint port and healthcheck address. NOTE(review): whether
  # these endpoints require authentication is not shown here - confirm
  # before exposing them beyond the host or the monitoring network.
  metricsPort: 9090
  healthcheckAddress: ':9000'

  # Logging. Levels: panic, fatal, error, warn, info, debug, trace.
  # 'debug' and 'trace' may write request details to the log; use them for
  # troubleshooting only.
  logLevel: 'info'
  logFile: 'console'  # 'console' or a path to a log file

  # TLS for the listener: either point certFile/keyFile at your own
  # certificate or enable Let's Encrypt. With both left empty, TLS has to be
  # terminated in front of this server (see 'reverseProxy' at the end).
  tls:
    certFile: ''
    keyFile: ''
    letsencrypt:
      enabled: false
      dataDir: ''
      domains: []
      email: ''
      awsRoute53: false

  # Shared secret used to authenticate against the embedded relay (required
  # when the local relay runs). The value below is a public placeholder:
  # generate a long random secret, and keep the resulting file out of
  # version control.
  authSecret: 'your-secret-key-here'

  # Base directory for all persistent state.
  dataDir: '/var/lib/netbird/'

# ============================================================================
# External service overrides (optional). Setting one of these disables the
# corresponding embedded service.
# ============================================================================

# External STUN servers.
# stuns:
#   - uri: 'stun:stun.example.com:3478'
#   - uri: 'stun:stun.example.com:3479'

# External relay servers.
# relays:
#   addresses:
#     - 'rels://relay.example.com:443'
#   credentialsTTL: '12h'
#   secret: 'relay-shared-secret'

# External signal server.
# signalUri: 'https://signal.example.com:443'

# ============================================================================
# Management settings
# ============================================================================

# Anonymous metrics reporting and GeoLite database updates.
disableAnonymousMetrics: false
disableGeoliteUpdate: false

# Embedded identity provider (Dex). Always enabled.
auth:
  # OIDC issuer URL; must be publicly accessible, so serve it over HTTPS.
  issuer: 'https://example.com/oauth2'
  localAuthDisabled: false
  signKeyRefreshEnabled: false

  # Redirect URIs registered for the dashboard client. Keep this list to the
  # exact URLs you actually serve.
  dashboardRedirectURIs:
    - 'https://app.example.com/nb-auth'
    - 'https://app.example.com/nb-silent-auth'

  # Redirect URI for the CLI login flow (loopback http is the conventional
  # exception to the HTTPS rule).
  cliRedirectURIs:
    - 'http://localhost:53000/'

  # Optional bootstrap admin. Treat the password as a one-time credential:
  # change it after the first login and remove it from this file.
  # owner:
  #   email: 'admin@example.com'
  #   password: 'initial-password'

# Primary data store.
store:
  engine: 'sqlite'  # sqlite, postgres or mysql
  dsn: ''  # postgres/mysql connection string; it carries the DB password, so protect this file
  encryptionKey: ''  # NOTE(review): behaviour when left empty is not documented here - confirm
  # file: ''  # custom SQLite path (default {dataDir}/store.db)

# Activity events store (optional; default sqlite in dataDir).
# activityStore:
#   engine: 'sqlite'  # sqlite or postgres
#   dsn: ''  # postgres connection string
#   file: ''  # custom SQLite path (default {dataDir}/events.db)

# Store for the embedded IdP (optional; default sqlite3 at {dataDir}/idp.db).
# The example DSN below uses sslmode=disable; prefer sslmode=verify-full once
# the database is not on the same host.
# authStore:
#   engine: 'sqlite3'  # sqlite3 or postgres
#   dsn: ''  # e.g. "host=localhost port=5432 user=postgres password=postgres dbname=netbird_idp sslmode=disable"
#   file: ''  # custom SQLite path (default {dataDir}/idp.db)

# Reverse proxy trust (optional). Presumably these decide whose forwarded
# headers are honoured: leave them empty unless a proxy in front of this
# server is the only thing that can reach it, otherwise a client could
# influence the address the server attributes to it.
# reverseProxy:
#   trustedHTTPProxies: []
#   trustedHTTPProxiesCount: 0
#   trustedPeers: []