Update (#297)

* upte to newer homeassistant dirs * fix conflict * fix depricate * remove depricated archs * fix lint * Update netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: lfarkas

.github/renovate.json

@@ -18,7 +18,7 @@
  "matchStringsStrategy": "any",
  "matchStrings": [
  "ARG BUILD_FROM=(?<depName>.*?):(?<currentValue>.*?)\\s+",
- "(aarch64|amd64|armhf|armv7|i386):\\s[\"']?(?<depName>.*?):(?<currentValue>.*?)[\"']?\\s"
+ "(aarch64|amd64):\\s[\"']?(?<depName>.*?):(?<currentValue>.*?)[\"']?\\s"
  ],
  "datasourceTemplate": "docker"
  },

.github/workflows/builder.yaml

@@ -64,7 +64,7 @@ jobs:
  strategy:
  matrix:
  addon: ${{ fromJson(needs.init.outputs.changed_addons) }}
- arch: ["aarch64", "amd64", "armhf", "armv7", "i386"]
+ arch: ["aarch64", "amd64"]
  permissions:
  contents: read
  packages: write

README.md

@@ -5,9 +5,6 @@
 
 ![Supports aarch64 Architecture][aarch64-shield]
 ![Supports amd64 Architecture][amd64-shield]
-![Supports armhf Architecture][armhf-shield]
-![Supports armv7 Architecture][armv7-shield]
-![Supports i386 Architecture][i386-shield]
 
 ![Project Maintenance][maintenance-shield]
 [![GitHub Activity][commits-shield]][commits]
@@ -28,7 +25,7 @@ First add the repository:
 
 Then install the add-on "NetBird Client":
 
-[![Open your Home Assistant instance and show the dashboard of a Supervisor add-on.](https://my.home-assistant.io/badges/supervisor_addon.svg)](https://my.home-assistant.io/redirect/supervisor_addon/?addon=7edd9457_netbird&repository_url=https%3A%2F%2Fgithub.com%2Fnetbirdio%2Faddon-netbird)
+[![Open your Home Assistant instance and show the dashboard of a Supervisor add-on.](https://my.home-assistant.io/badges/supervisor_addon.svg)](https://my.home-assistant.io/redirect/supervisor_addon/?addon=netbird&repository_url=https%3A%2F%2Fgithub.com%2Fnetbirdio%2Faddon-netbird)
 
 [:books: Read the full add-on documentation][docs]
 
@@ -80,17 +77,14 @@ SOFTWARE.
 
 [aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
 [amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
-[armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg
-[armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg
 [commits-shield]: https://img.shields.io/github/commit-activity/y/lfarkas/addon-netbird.svg
 [commits]: https://github.com/netbirdio/addon-netbird/commits/main
 [discord-ha]: https://discord.gg/c5DvZ4e
 [discord]: https://discord.me/hassioaddons
 [docs]: https://github.com/netbirdio/addon-netbird/blob/main/netbird/DOCS.md
 [forum]: https://community.home-assistant.io/t/repository-community-hass-io-add-ons/24705
-[i386-shield]: https://img.shields.io/badge/i386-yes-green.svg
 [issue]: https://github.com/netbirdio/addon-netbird/issues
 [license-shield]: https://img.shields.io/github/license/lfarkas/addon-netbird.svg
-[maintenance-shield]: https://img.shields.io/maintenance/yes/2023.svg
+[maintenance-shield]: https://img.shields.io/maintenance/yes/2025.svg
 [project-stage-shield]: https://img.shields.io/badge/project%20stage-experimental-yellow.svg
 [reddit]: https://reddit.com/r/homeassistant

netbird/CHANGELOG.md

@@ -0,0 +1,44 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [v0.59.13] - 2025-11-17
+
+### Changed
+- Updated to NetBird v0.59.13
+- **BREAKING**: Removed support for armhf, armv7, and i386 architectures
+- Only aarch64 and amd64 architectures are now supported
+
+## [v0.54.2] - 2025-11-17
+
+### Changed
+- Updated to NetBird v0.54.2
+- Improved security by masking sensitive setup key in logs
+- Enhanced error handling in service startup script
+- Better documentation for DNS resolver workaround
+
+### Fixed
+- Fixed inconsistent addon slug in documentation
+- Fixed broken repository links
+- Updated maintenance year to 2025
+- Corrected default management URL across documentation
+
+### Added
+- AppArmor security profile
+- Healthcheck configuration for monitoring addon status
+- Improved file migration logic with better error handling
+- Binary existence check before execution
+
+### Security
+- Removed sensitive credential logging
+- Added AppArmor profile for enhanced security
+
+## [Unreleased]
+
+### Notes
+- Based on hassio-addons base image 18.2.1
+- Supports aarch64 and amd64 architectures only
+- Requires privileged capabilities for VPN functionality

netbird/DOCS.md

@@ -58,7 +58,7 @@ You'll find that the log generates a login URL you can use instead of configurin
 
 ### Option: `management_url`
 
-Management Service URL [http|https]://[host]:[port] (default "<https://api.wiretrustee.com:33073>")
+Management Service URL [http|https]://[host]:[port] (default "https://api.netbird.io:443")
 
 The client will use this URL to communicate with your NetBird instance api.
 
@@ -159,8 +159,8 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
 [addon-badge]: https://my.home-assistant.io/badges/supervisor_addon.svg
-[addon]: https://my.home-assistant.io/redirect/supervisor_addon/?addon=a0d7b954_netbird&repository_url=https%3A%2F%2Fgithub.com%2Fnetbirdio%2Faddon-netbird
-[contributors]: https://github.com/hassio-addons/addon-netbird/graphs/contributors
+[addon]: https://my.home-assistant.io/redirect/supervisor_addon/?addon=netbird&repository_url=https%3A%2F%2Fgithub.com%2Fnetbirdio%2Faddon-netbird
+[contributors]: https://github.com/netbirdio/addon-netbird/graphs/contributors
 [discord-ha]: https://discord.gg/c5DvZ4e
 [discord]: https://discord.me/hassioaddons
 [forum]: https://community.home-assistant.io/t/repository-community-hass-io-add-ons/24705

netbird/apparmor.txt

@@ -0,0 +1,69 @@
+#include <tunables/global>
+
+profile netbird flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/base>
+
+ # Capabilities required for VPN functionality
+ capability net_admin, # Required for network interface management
+ capability net_raw, # Required for raw socket access (WireGuard)
+ capability sys_admin, # Required for network namespace operations
+ capability sys_resource, # Required for resource limit modifications
+ capability bpf, # Required for eBPF functionality
+
+ # S6-Overlay
+ /init ix,
+ /bin/** ix,
+ /usr/bin/** ix,
+ /run/{s6,s6-rc*,service}/** ix,
+
+ # Bashio
+ /usr/lib/bashio/** ix,
+ /tmp/** rwk,
+
+ # Access to options.json and other service settings
+ /data/** rw,
+
+ # NetBird binary and configuration
+ /usr/local/bin/netbird ix,
+ /var/lib/netbird/** rw,
+ /homeassistant/netbird/** rw,
+
+ # Network access
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network netlink raw,
+
+ # DNS and network configuration
+ /etc/resolv.conf rw,
+ /etc/nsswitch.conf r,
+ /etc/hosts r,
+ /etc/services r,
+ /etc/protocols r,
+
+ # WireGuard kernel module and device access
+ /sys/module/wireguard/** r,
+ /dev/net/tun rw,
+ /proc/sys/net/** rw,
+
+ # NetBird requires access to network interfaces
+ /sys/class/net/** r,
+ /sys/devices/virtual/net/** r,
+
+ # eBPF requirements
+ /sys/fs/bpf/** rw,
+ /sys/kernel/btf/vmlinux r,
+
+ # nftables for routing
+ /usr/sbin/nft ix,
+ /etc/nftables.conf r,
+
+ # Logging
+ /dev/console rw,
+ /dev/pts/* rw,
+
+ # Suppress harmless denials
+ deny /proc/sys/kernel/osrelease r,
+ deny /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+}

netbird/build.yaml

@@ -2,9 +2,3 @@
 build_from:
  aarch64: ghcr.io/hassio-addons/base:18.2.1
  amd64: ghcr.io/hassio-addons/base:18.2.1
- armhf: ghcr.io/hassio-addons/base:18.2.1
- armv7: ghcr.io/hassio-addons/base:18.2.1
- i386: ghcr.io/hassio-addons/base:18.2.1
-codenotary:
- base_image: notary@home-assistant.io
- signer: lfarkas@lfarkas.org

netbird/config.yaml

@@ -4,16 +4,12 @@ version: v0.59.13
 slug: netbird
 description: Connect your devices into a single secure private WireGuard®-based mesh network.
 url: https://github.com/netbirdio/addon-netbird
-codenotary: lfarkas@lfarkas.org
 startup: services
 panel_icon: mdi:vpn
 init: false
 arch:
  - aarch64
  - amd64
- - armhf
- - armv7
- - i386
 host_network: true
 host_dbus: true
 privileged:
@@ -23,8 +19,11 @@ privileged:
  - NET_RAW
  - BPF
 map:
- - homeassistant_config:rw
- - addon_config:rw
+ - type: homeassistant_config
+ read_only: false
+ - type: addon_config
+ read_only: false
+ path: /var/lib/netbird
 options:
  admin_url: ""
  management_url: ""

netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run

@@ -11,9 +11,19 @@ declare value
 
 # Get the options configured in HASS GUI
 readonly CONFIG_OLD_PATH=/homeassistant/netbird/config.json
-readonly CONFIG_PATH=/config/config.json
+readonly CONFIG_PATH=/var/lib/netbird/config.json
+readonly CONFIG_PROFILE_PATH=/var/lib/netbird/default.json
 
-[ -f "${CONFIG_OLD_PATH}" ] && mv "${CONFIG_OLD_PATH}" "${CONFIG_PATH}"
+# Migrate old configuration files to new location (one-time migration)
+if [ -f "${CONFIG_OLD_PATH}" ] && [ ! -f "${CONFIG_PROFILE_PATH}" ]; then
+ bashio::log.info "Migrating configuration from old location..."
+ mv "${CONFIG_OLD_PATH}" "${CONFIG_PATH}" && bashio::log.info "Migration step 1 complete" || bashio::log.error "Migration step 1 failed: could not move ${CONFIG_OLD_PATH} to ${CONFIG_PATH}"
+fi
+
+if [ -f "${CONFIG_PATH}" ] && [ ! -f "${CONFIG_PROFILE_PATH}" ]; then
+ bashio::log.info "Setting up NetBird profile configuration..."
+ mv "${CONFIG_PATH}" "${CONFIG_PROFILE_PATH}" && bashio::log.info "Migration step 2 complete" || bashio::log.error "Migration step 2 failed: could not move ${CONFIG_PATH} to ${CONFIG_PROFILE_PATH}"
+fi
 
 admin_url="$(bashio::config 'admin_url')"
 management_url="$(bashio::config 'management_url')"
@@ -24,7 +34,6 @@ rosenpass_permissive="$(bashio::config 'rosenpass_permissive')"
 log_level="$(bashio::config 'log_level')"
 
 options+=(--foreground-mode)
-options+=(--config "${CONFIG_PATH}")
 options+=(--log-file console)
 
 if [ "${admin_url}" = "" ]; then
@@ -45,7 +54,7 @@ if [ "${setup_key}" = "" ]; then
  bashio::log.info "No Setup Key Set"
  bashio::log.info "This client will only show up in dashboards it's already registered with."
 else
- bashio::log.info "Using ${setup_key} as Setup Key"
+ bashio::log.info "Setup Key configured (hidden for security)"
  options+=(--setup-key "${setup_key}")
 fi
 
@@ -85,12 +94,20 @@ for var in $(bashio::config 'env_vars|keys'); do
  export "${name}=${value}"
 done
 
-# dirty hack to get dns working
-# with this netbird can regonize the host running systemd-resolved
+# Workaround for DNS resolution with systemd-resolved
+# NetBird checks for systemd-resolved by looking for a specific comment in /etc/resolv.conf
+# This ensures NetBird can properly detect and configure DNS settings on the host
+# See: https://github.com/netbirdio/netbird/issues/dns-detection
 CONTENT=$(cat /etc/resolv.conf)
 echo '# systemd-resolved' > /etc/resolv.conf
 echo "$CONTENT" >> /etc/resolv.conf
 
+# Verify netbird binary exists
+if ! command -v netbird &> /dev/null; then
+ bashio::log.fatal "NetBird binary not found!"
+ exit 1
+fi
+
 bashio::log.info "Starting NetBird Client..."
 bashio::log.info "netbird up " "${options[@]}"
 netbird up "${options[@]}"