add Rosenpass support

Author: lfarkas

netbird/DOCS.md

@@ -20,6 +20,8 @@ comparison to installing any other Home Assistant add-on.
 1. Install the "NetBird" add-on.
 1. If you are using the central NetBird instance you can either use the URL generated in the log or you can use a `setup_key`. If hosting your own then you'll want to set `admin_url` & `management_url` and again only need to set up the `setup_key` if you don't want to login via the log generated URL.
 1. If you would like to change the auto generated hostname (which is the docker container id in case of hassio) set the `hostname`.
+1. If you would like to enable Rosenpass set the `rosenpass` to `true`.
+1. If you would like to enable Rosenpass in permissive way set the `rosenpass_permissive` to true.
 1. Start the "NetBird" add-on.
 1. Feels free to check the logs for `NetBird` to make sure its booted correctly.
 1. This client will show up in your NetBird dashboard.
@@ -73,6 +75,20 @@ Hostname in the NetBird network (used to during registration)
 
 This hostname will be used in the Peers to identify your machine.
 
+### Option: `rosenpass`
+
+Rosenpass can be enabled by setting a flag on client start-up.
+
+Rosenpass is a post-quantum secure key-exchange protocol that enhances WireGuard
+VPNs against quantum computer attacks. It employs advanced cryptographic methods
+Classic McEliece and Kyber.
+
+### Option: `rosenpass_permissive`
+
+Rosenpass can be enabled in permissive way.
+
+Enabling Rosenpass on one peer assumes that all peers have Rosenpass enabled. If one of the peers does not enable this feature or run an older version that lacks Rosenpass, the connection won't work. To allow non-Rosenpass enabled peers to connect to a Rosenpass peer, the permissive mode can be activated. In this case, the NetBird client will default to a standard WireGuard connection without pre-shared keys for those connections that don't support Rosenpass. It will continue negotiating PSKs with Rosenpass for the rest, ensuring enhanced security wherever possible.
+
 ### Option: `env_vars`
 
 Extra environment variables

netbird/config.yaml

@@ -30,12 +30,16 @@ options:
   management_url: ""
   setup_key: ""
   hostname: ""
+  rosenpass: false
+  rosenpass_permissive: false
   env_vars: []
 schema:
   admin_url: str
   management_url: str
   setup_key: str
   hostname: str
+  rosenpass: bool
+  rosenpass_permissive: bool
   env_vars:
     - name: match(^NB_([A-Z0-9_])+$)
       value: str

netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run

@@ -19,6 +19,8 @@ admin_url="$(bashio::config 'admin_url')"
 management_url="$(bashio::config 'management_url')"
 setup_key="$(bashio::config 'setup_key')"
 hostname="$(bashio::config 'hostname')"
+rosenpass="$(bashio::config 'rosenpass')"
+rosenpass_permissive="$(bashio::config 'rosenpass_permissive')"
 log_level="$(bashio::config 'log_level')"
 
 options+=(--foreground-mode)
@@ -55,6 +57,18 @@ else
     options+=(--hostname "${hostname}")
 fi
 
+if ! ${rosenpass}; then
+    bashio::log.info "Rosenpass disabled"
+    options+=(--enable-rosenpass=false)
+else
+    bashio::log.info "Rosenpass enabled"
+    options+=(--enable-rosenpass)
+    if ${rosenpass_permissive}; then
+        bashio::log.info "Rosenpass permissive mode enabled"
+        options+=(--rosenpass-permissive)
+    fi
+fi
+
 if [ "${log_level}" = "" ] || [ "${log_level}" = "null" ]; then
     bashio::log.info "No log level Set"
     bashio::log.info "This client will use the default logging."

netbird/translations/en.yaml

@@ -29,6 +29,18 @@ configuration:
     description: >-
       Hostname of the client (default "netbird-client")
       This is the name of the client that will be displayed in the NetBird dashboard.
+  rosenpass:
+    name: Rosenpass
+    description: >-
+      Rosenpass can be enabled by setting a flag on client start-up.
+      Rosenpass is a post-quantum secure key-exchange protocol that enhances WireGuard
+      VPNs against quantum computer attacks. It employs advanced cryptographic methods
+      Classic McEliece and Kyber.
+  rosenpass_permissive:
+    name: Rosenpass Permissive
+    description: >-
+      Rosenpass permissive mode can be enabled by setting a flag on client start-up.
+      This mode allows the client to connect to a non-Rosenpass server.
   env_vars:
     name: Extra environment variables
     description: >-