feat: add NetBird self-hosted mesh VPN agent#2147
…uide Add comprehensive NetBird subagent covering self-hosted WireGuard mesh VPN with SSO, ACLs, REST API, and Terraform provider. Includes aidevops integration patterns for AI worker provisioning, access control groups, private DNS, and API automation. Companion Cloudron app packaging repo created at ~/Git/cloudron/netbird-app/.
Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces NetBird as a robust, self-hosted WireGuard mesh VPN solution, providing extensive documentation for its setup, configuration, and integration into various environments. The primary goal is to offer an alternative to proprietary VPN solutions, emphasizing full control, API-driven automation, and suitability for complex AI worker provisioning and secure access scenarios.
No actionable comments were generated in the recent review. 🎉

Walkthrough

Adds a new, extensive NetBird self‑hosted mesh‑VPN documentation file and updates the agent taxonomy to include
🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report
[INFO] Latest Quality Status:
[INFO] Recent monitoring activity:
📈 Current Quality Metrics
Generated on: Sun Feb 22 16:22:09 UTC 2026
Generated by AI DevOps Framework Code Review Monitoring
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.agents/subagent-index.toon (2)
79-79: ⚠️ Potential issue | 🟡 Minor

`providers/unbuilt` doesn't match the AI summary or PR description — likely a copy-paste error.

The AI summary states this entry's `key_files` should be `providers/crft-lookup|openexplorer|wappalyzer`, and the PR description specifically names `crft-lookup` as the frontend technology detection provider. Line 56 already has an entry for `providers/crft-lookup` with a distinct purpose ("Website research"), so neither are duplicates — but `providers/unbuilt` as a `key_files` value for this entry looks like it was pasted from a different in-progress file.

🐛 Proposed fix

-tools/research/,Tech stack research - frontend technology detection providers,providers/unbuilt
+tools/research/,Tech stack research - frontend technology detection providers,providers/crft-lookup
25-25: ⚠️ Potential issue | 🟠 Major

Update TOON subagent count from `[55]` to `[56]`.

The header declares 55 entries but the block contains 56 (lines 26–82 inclusive). This mismatch will cause the TOON parser to silently drop the last entry (`providers/wappalyzer`) or fail parsing.

Proposed fix

-<!--TOON:subagents[55]{folder,purpose,key_files}:
+<!--TOON:subagents[56]{folder,purpose,key_files}:
🧹 Nitpick comments (2)
.agents/services/networking/netbird.md (2)
225-230: `expires_in: 86400` (24 h) may be too short for reusable AI worker provisioning keys.

A reusable setup key with a 24-hour expiry works for a single provisioning run, but if worker provisioning is spread across multiple days (scaling events, CI reprovisioning), the key will expire and new workers will silently fail to join the mesh. Consider documenting longer expiry values (e.g., 604800 for 7 days) or noting that admins should regenerate the key for each provisioning campaign.

💡 Suggested documentation note

   "type": "reusable",
-  "expires_in": 86400,
+  "expires_in": 604800,  # 7 days; adjust to match your provisioning window
   "auto_groups": ["ai-workers"],
341-349: Terraform: declare `netbird_group` before the `netbird_setup_key` that references it.

`netbird_setup_key.workers` references `netbird_group.ai_workers.id` (line 344) but `netbird_group.ai_workers` is declared after it (lines 347–349). Terraform resolves the dependency graph regardless of order, so this works, but conventional IaC style places dependencies before their dependants for readability.

♻️ Proposed reorder

+resource "netbird_group" "ai_workers" {
+  name = "ai-workers"
+}
+
 resource "netbird_setup_key" "workers" {
   name        = "aidevops-workers"
   type        = "reusable"
   auto_groups = [netbird_group.ai_workers.id]
 }
-
-resource "netbird_group" "ai_workers" {
-  name = "ai-workers"
-}
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.agents/services/networking/netbird.md:
- Line 110: Change the single word "addon" to the hyphenated form "add-on" in
the Netbird documentation sentence ("For Cloudron deployments, use the
PostgreSQL addon.") so it reads "For Cloudron deployments, use the PostgreSQL
add-on." Update this exact sentence in .agents/services/networking/netbird.md to
fix the spelling.
- Around line 83-87: Replace the unsafe "curl ... | bash" usage that references
the unversioned getting-started.sh and relies on frontmatter bash: true by
pinning the installer URL to a specific release tag (not latest), adding a
verification step (checksum or signature) before executing, and/or switching the
automated examples to package-manager install commands; specifically update the
NETBIRD_DOMAIN quickstart snippet and all other occurrences of
getting-started.sh (noted at lines around 156, 185, 193, 237) to use a tagged
release URL and include clear verification instructions instead of piping
directly to bash.
- Around line 356-358: The manifest incorrectly suggests using tcpPorts for the
STUN service; change the manifest to declare UDP 3478 under the udpPorts field
instead of tcpPorts so NAT traversal works correctly. Locate references to
tcpPorts and the STUN/3478 binding in the manifest and replace them with
udpPorts entries (ensuring the dashboard + API remain behind the HTTP proxy
unchanged). Verify the manifest schema usage for udpPorts and update any
documentation lines that claimed tcpPorts supports UDP to reference udpPorts.
- Around line 400-403: Comment: The note saying "--disable-auto-connect" forces
relay is misleading. Update the .agents/services/networking/netbird.md snippet:
either remove the two lines "netbird up --disable-auto-connect" and the
preceding "Force relay (debug connectivity)" header, or change the header and
comment to accurately describe that "--disable-auto-connect" prevents
auto-connecting on daemon start (it does not force TURN/relay); if you want to
show how to check relay status, replace with the existing correct command
"netbird status --detail" and mention that it shows "direct" vs "relayed".
Reference: the netbird up invocation and the --disable-auto-connect flag in this
diff and the netbird status --detail command shown elsewhere.
---
Outside diff comments:
In @.agents/subagent-index.toon:
- Line 79: The entry in .agents/subagent-index.toon has an incorrect key_files
value ("providers/unbuilt") that doesn't match the AI summary/PR; update that
entry's key_files to "providers/crft-lookup|openexplorer|wappalyzer" so it
matches the described provider set (refer to the entry currently using key_files
and the existing providers/crft-lookup entry to confirm intent) and remove the
stray "providers/unbuilt" value.
- Line 25: The TOON header token "TOON:subagents[55]{folder,purpose,key_files}"
is out of sync with the block (56 entries) causing the parser to drop or fail on
the final entry; update the numeric count from 55 to 56 in that header so it
reads "TOON:subagents[56]{folder,purpose,key_files}" (ensure the change is made
in .agents/subagent-index.toon) to include the final entry
"providers/wappalyzer".
---
Nitpick comments:
In @.agents/services/networking/netbird.md:
- Around line 225-230: Update the reusable setup key configuration around the
"aidevops-workers" block where "expires_in": 86400 is set: change the expiry to
a longer default (for example 604800) or add a clear documentation note beside
that JSON snippet advising admins to use longer expiries or to regenerate keys
for multi-day provisioning campaigns; ensure the guidance references the "name":
"aidevops-workers" and "expires_in" fields so readers know which value to adjust
and why.
- Around line 341-349: The Terraform resources are declared in
reverse-readability order: netbird_setup_key.workers references
netbird_group.ai_workers.id but netbird_group.ai_workers is defined after it;
reorder the declarations so the resource block for netbird_group "ai_workers"
appears before the resource block for netbird_setup_key "workers" to make the
dependency explicit and improve readability (leave the resource names
netbird_group.ai_workers and netbird_setup_key.workers unchanged).
| ```bash | ||
| # Set your domain and run the installer | ||
| export NETBIRD_DOMAIN=netbird.example.com | ||
| curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash | ||
| ``` |
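Review bot: the last line of this block pipes a script fetched from an unversioned `releases/latest` URL straight into `bash`, so there is neither a pin nor an integrity check between the download and execution; download the script from a tagged release URL to a file, compare its SHA256 with the checksum published for that release (for example with `sha256sum -c`), and only then run it, aborting on mismatch.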
curl | bash with an unversioned latest URL is a supply-chain risk in an automated provisioning context.
Because bash: true is enabled in this subagent's frontmatter, AI workers can execute the shell code blocks directly. The quickstart URL getting-started.sh is both unversioned (latest) and piped directly to bash — if the CDN or release is tampered with, every AI-provisioned worker would silently execute attacker-controlled code. The same pattern repeats across multiple client install sections (lines 156, 185, 193, 237).
Recommended mitigations:
- Pin the script to a specific release tag instead of `latest`.
- Add a verification step (checksum or signature) before executing.
- In automated pipelines, prefer the package-manager install path (apt/brew) over the bootstrap script.
🛡️ Proposed safer quickstart pattern
-# Set your domain and run the installer
-export NETBIRD_DOMAIN=netbird.example.com
-curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
+# Set your domain and run the installer (pin to a specific version for reproducibility)
+export NETBIRD_DOMAIN=netbird.example.com
+NETBIRD_VERSION="v0.35.0" # pin to verified release
+curl -fsSL "https://github.com/netbirdio/netbird/releases/download/${NETBIRD_VERSION}/getting-started.sh" \
+ -o /tmp/netbird-setup.sh
+# Verify checksum before executing (see release page for SHA256)
+bash /tmp/netbird-setup.sh
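The download-then-verify flow the comment above asks for, as an added example that is not part of the PR, the subagent file, or the NetBird project. The release tag default, the installer URL layout and the `EXPECTED_SHA256` placeholder are assumptions: the admin fills them from the release page for the chosen version.

```shell
#!/usr/bin/env bash
# Added example: pin the installer to a release tag, download it to disk,
# verify its SHA256 against the published checksum, and only then execute.
set -eu

# Assumed values (placeholders): replace with the verified tag and the
# checksum from that release's assets before use.
NETBIRD_VERSION="${NETBIRD_VERSION:-v0.35.0}"
INSTALLER_URL="https://github.com/netbirdio/netbird/releases/download/${NETBIRD_VERSION}/getting-started.sh"
EXPECTED_SHA256="${EXPECTED_SHA256:-<sha256-from-release-page>}"

# sha256_of FILE -> prints the hex digest; uses sha256sum (Linux) or shasum (macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_file FILE EXPECTED -> 0 when the digest matches, 1 otherwise
verify_file() {
  actual="$(sha256_of "$1")"
  [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED DEST -> downloads to DEST and removes it on mismatch,
# so an unverified script never stays on disk where a later step could run it
fetch_and_verify() {
  url="$1"; expected="$2"; dest="$3"
  curl -fsSL "$url" -o "$dest"
  if ! verify_file "$dest" "$expected"; then
    echo "checksum mismatch for $dest; refusing to execute" >&2
    rm -f "$dest"
    return 1
  fi
}

# install_netbird -> the quickstart, with verification between download and run
install_netbird() {
  tmp="$(mktemp)"
  fetch_and_verify "$INSTALLER_URL" "$EXPECTED_SHA256" "$tmp"
  NETBIRD_DOMAIN="${NETBIRD_DOMAIN:?set NETBIRD_DOMAIN first}" bash "$tmp"
  rm -f "$tmp"
}

# Only install when explicitly asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "--install" ]; then install_netbird; fi
```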
…on details
- Add OIDC identity provider API examples and JWT group sync docs
- Add Cloudron OIDC addon integration details (no Keycloak needed)
- Add Cloudron TURN addon integration
- Add reverse proxy feature section (beta, requires Traefik)
- Document Cloudron reverse proxy incompatibility (TLS passthrough)
- Add Cloudron addon compatibility table
- Update comparison table with reverse proxy and JWT group sync
- Add links to OIDC, reverse proxy, and Cloudron package repos
- Add recommended VPS specs table (1 vCPU/2GB for <25 peers, ~$4-6/mo)
- Add full installation walkthrough with Traefik and reverse proxy
- Add DNS records table for management + proxy wildcard
- Add manual upgrade procedure with backup steps
- Add auto-update script using NetBird version API
- Add cron and aidevops remote dispatch integration
- Add health monitoring examples (version, peer count, connectivity)
Coolify uses Traefik natively, enabling full NetBird feature support including the reverse proxy feature that Cloudron cannot provide. Documents step-by-step deployment via Coolify's Docker Compose build pack with Traefik labels, UDP port mapping, and persistent storage. Adds feature comparison table across all three deployment options.
Actionable comments posted: 3
🧹 Nitpick comments (1)
.agents/services/networking/netbird.md (1)
468-468: Nit: prefer "incompatible" over "not compatible".

The LanguageTool static analysis suggests tightening this phrasing.

✏️ Proposed fix

-- **Requires Traefik** -- not compatible with nginx-based reverse proxies (including Cloudron)
+- **Requires Traefik** -- incompatible with nginx-based reverse proxies (including Cloudron)
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.agents/services/networking/netbird.md:
- Line 153: Replace the incorrect blanket statement "Hetzner firewalls are
stateless" (the numbered gotcha heading and its sentence) with a corrected note
that distinguishes Hetzner Dedicated (Robot) firewalls from Hetzner Cloud
firewalls: state that Hetzner Cloud firewalls are stateful and the original
warning only applies to Dedicated/Robot servers, and update the guidance to
recommend opening ephemeral UDP/STUN ports only for dedicated-server (Robot)
deployments while leaving Cloud VM quickstart instructions unchanged; target the
heading "6. **Hetzner firewalls are stateless**" and the following sentence to
make this clarification.
- Around line 190-199: The snippet uses an unpinned Docker image reference
"netbirdio/netbird:latest" which is a supply-chain risk; update the `docker run`
image to a specific immutable identifier (either a fixed version tag like
`netbirdio/netbird:vX.Y.Z` or a content digest `netbirdio/netbird@sha256:...`)
and document the chosen tag in the README so AI workers don't pull `latest`;
locate the `docker run` invocation in this markdown (the block containing
`--name netbird` and `netbirdio/netbird:latest`) and replace the image ref
accordingly, and if you have an image-update process, add a note to rotate the
pinned tag/digest when you intentionally upgrade.
- Around line 129-140: The health-check curl invocation that calls
"https://netbird.example.com/api/instance/version" currently uses the wrong
Authorization prefix ("Authorization: Bearer <PAT>"); update that header to use
the Personal Access Token scheme by changing the header to "Authorization: Token
<PAT>" so the PAT consumed earlier is sent with the correct prefix.
---
Duplicate comments:
In @.agents/services/networking/netbird.md:
- Line 401: Update the spelling of "addon" to "add-on" in the sentence that
currently reads "Cloudron's OIDC addon provides credentials that are registered
as a 'Generic OIDC' identity provider in NetBird via the REST API on startup."
Replace "addon" with "add-on" so the line reads "Cloudron's OIDC add-on provides
credentials..." to match the prior correction on the earlier flag.
- Around line 496-499: The comment "# Force relay (debug connectivity)" is
misleading because the flag shown ("netbird up --disable-auto-connect") does not
force relay; update the documentation line to accurately describe the flag's
behavior—e.g., change the comment to something like "Disable auto-connect
(useful for debugging connectivity; does not force relay)" or provide the
correct command/flag that actually forces relay if that was intended; ensure the
text near "netbird up --disable-auto-connect" clearly states it disables
automatic connection rather than forcing relay.
- Line 390: Update the heading "Cloudron addons used" to use the same spelling
as the earlier flag by changing it to "Cloudron add-on used" (or "Cloudron
add-ons used" if plural context demands "add-on(s)") so it matches the prior
usage on line 110; specifically edit the markdown heading text "Cloudron addons
used" to "Cloudron add-on(s) used" to correct the spelling and keep consistency
across the document.
- Line 176: Replace the repeated unversioned "curl -fsSL
https://pkgs.netbird.io/install.sh | sh" install pattern with a pinned,
verifiable install flow: reference a versioned installer URL or explicit package
release, download the installer to a temporary file (e.g., via curl -fSL -o),
verify its integrity using a provided SHA256 checksum or GPG signature, and only
then execute it; update each occurrence of the exact string "curl -fsSL
https://pkgs.netbird.io/install.sh | sh" so they point to the versioned artifact
and include the checksum/GPG verification step before running the script.
- Line 384: The table row for "STUN (UDP 3478)" incorrectly lists the manifest
option as `tcpPorts`; update that entry to `udpPorts` so the STUN UDP 3478 port
is exposed via the UDP manifest option instead of TCP (search for the string
"STUN (UDP 3478)" and replace `tcpPorts` with `udpPorts` in that table row).
- Around line 83-87: Replace the unpinned "curl | bash" pipeline (the command
that downloads
https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh
and pipes to bash) with a safe three-step flow: 1) pin the installer URL to a
specific release tag (not "latest") and download the script to disk (e.g.,
getting-started.sh), 2) fetch the expected checksum for that same release (from
the release assets or a signed checksum file) and verify the downloaded file
with a cryptographic hash check (sha256sum or shasum -a 256), and 3) only if the
checksum matches, run the downloaded script with bash; reference the exact
command string in the doc to help reviewers locate the change and include brief
instructions to abort on mismatch to avoid executing unverified code.
---
Nitpick comments:
In @.agents/services/networking/netbird.md:
- Line 468: Replace the phrase "**not compatible with nginx-based reverse
proxies (including Cloudron)**" with "**incompatible with nginx-based reverse
proxies (including Cloudron)**" in the NetBird documentation string (the line
containing "Requires Traefik") to tighten the wording.
| ```bash | ||
| docker run -d \ | ||
| --name netbird \ | ||
| --cap-add NET_ADMIN \ | ||
| --cap-add SYS_ADMIN \ | ||
| -v netbird-client:/etc/netbird \ | ||
| netbirdio/netbird:latest \ | ||
| up --setup-key <SETUP_KEY> \ | ||
| --management-url https://netbird.example.com | ||
| ``` |
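Review bot: `netbirdio/netbird:latest` on the sixth line is a mutable reference, so a worker running this block executes whatever image was pushed most recently; pin it to a release tag or, better, an immutable `@sha256:` digest and record the chosen value in the doc. The same block also grants `--cap-add SYS_ADMIN`, which is far broader than what a TUN device needs; the doc should state why the client requires it so readers do not carry it into hardened hosts unreviewed.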
Pin the Docker image tag — latest is a supply-chain risk in this provisioning context.
With bash: true, an AI worker can execute this snippet directly. netbirdio/netbird:latest resolves to whatever was most recently pushed, meaning a broken or tampered image update silently rolls out to every AI-provisioned worker.
🛡️ Proposed fix
docker run -d \
--name netbird \
--cap-add NET_ADMIN \
--cap-add SYS_ADMIN \
-v netbird-client:/etc/netbird \
- netbirdio/netbird:latest \
+ netbirdio/netbird:v0.65.1 \ # pin to a verified release tag
up --setup-key <SETUP_KEY> \
  --management-url https://netbird.example.com
…fSense, and more Add Dokploy as alternative Traefik-based PaaS for server hosting alongside Coolify. Expand client installation section with platform-specific guides for Proxmox LXC (TUN passthrough), Synology (reboot script), pfSense (static port NAT), OPNSense, and TrueNAS. Add comprehensive client platform compatibility table with gotchas for each platform.
- Fix PAT auth headers: Bearer -> Token (5 occurrences)
- Fix Hetzner firewall gotcha: Cloud is stateful, only Robot is stateless
- Fix --disable-auto-connect comment: does not force relay
- Fix Terraform resource ordering: group before setup_key
- Fix setup key expiry: 86400 -> 604800 (7 days for multi-day provisioning)
- Fix spelling: addon -> add-on (8 occurrences)
- Fix Cloudron STUN port: tcpPorts -> udpPorts
- Fix wording: not compatible -> incompatible
- Add production note about pinning installer versions
- Pin getting-started.sh installer to versioned release tag (not latest) with download-then-verify pattern instead of curl|bash pipeline
- Pin Docker images (netbirdio/netbird, dashboard, proxy) to v0.35.0 instead of :latest to prevent supply-chain risk in automated provisioning
- Fix Authorization header: Bearer -> Token for Personal Access Token usage (Bearer is for OAuth JWTs; PAT scheme uses Token prefix)
- Fix worker provisioning script to prefer package manager over unversioned install.sh pipe to sh
- Declare Terraform netbird_group before netbird_setup_key that references it
- Add comment clarifying Terraform resource dependency order
- Fix subagent-index.toon: replace stray providers/unbuilt key_files value with correct providers/crft-lookup|openexplorer|wappalyzer

Previously addressed in PR #2147 commits (already in file):
- udpPorts (not tcpPorts) for STUN UDP 3478 manifest option
- --disable-auto-connect comment accuracy (daemon start, not force relay)
- addon -> add-on spelling throughout
- Hetzner firewall stateless/stateful distinction
- expires_in 604800 (7 days) for reusable setup keys
- Authorization: Token for all health/monitoring API calls

Closes #3272



Summary

- services/networking/netbird.md) covering self-hosted WireGuard mesh VPN with SSO, ACLs, REST API, and Terraform provider
- subagent-index.toon to register NetBird alongside Tailscale in the networking domain
- ~/Git/cloudron/netbird-app/ (separate repo for git.cloudron.io submission)

Why NetBird

After evaluating Tailscale, Headscale, Netmaker, Firezone, OmniEdge, and NetBird:

aidevops Integration Patterns

The agent documents: