Refactor (#1)

- Migrated the authentication page from XML to a fully custom PHP implementation for better control and flexibility
- Service is now started on installation and persisted via an RC file for automatic restart after system reboot
- Added support for start/stop/restart actions via the pfSense service shortcuts

Author: bcmmbaga

.github/workflows/release.yml

@@ -0,0 +1,74 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  release:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build
+        id: build
+        uses: vmactions/freebsd-vm@v1
+        with:
+          usesh: true
+          copyback: true
+          release: "15.0"
+          prepare: |
+            pkg install -y git go124 ca_root_nss poudriere
+            git clone -b devel --depth 1 --single-branch https://github.com/pfsense/FreeBSD-ports.git /usr/ports
+          run: |
+            set -ex
+            cd pfSense-pkg-NetBird
+            make
+            make package
+            cd ../netbird
+            make makesum
+            make package
+
+      - name: Upload pfSense package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: pfSense-package
+          path: pfSense-pkg-NetBird/work/pkg/pfSense-pkg-NetBird-*.pkg
+          retention-days: 3
+
+      - name: Upload FreeBSD package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: FreeBSD-package
+          path: netbird/work/pkg/netbird-*.pkg
+          retention-days: 3
+
+      - name: Create Release
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: actions/create-release@v1
+        with:
+          tag_name: ${{ github.ref_name }}
+          release_name: Release ${{ github.ref_name }}
+          draft: false
+          prerelease: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload packages to release page
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+              pfSense-pkg-NetBird/work/pkg/pfSense-pkg-NetBird-*.pkg
+              netbird/work/pkg/netbird-*.pkg
+        env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

assets/netbird.png

@@ -0,0 +1,30 @@
+PORTNAME=	netbird
+DISTVERSIONPREFIX=	v
+DISTVERSION=	0.49.0
+CATEGORIES=	security net net-vpn
+
+MAINTAINER=	[email protected]
+COMMENT=	Peer-to-peer VPN that seamlessly connects your devices
+WWW=		https://netbird.io/
+
+LICENSE=	BSD3CLAUSE
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+NOT_FOR_ARCHS=	i386
+NOT_FOR_ARCHS_REASON=	"no 32-bit builds supported"
+
+RUN_DEPENDS=	ca_root_nss>0:security/ca_root_nss
+
+USES=		go:modules
+USE_RC_SUBR=	netbird
+
+GO_MODULE=	github.com/netbirdio/netbird
+GO_TARGET=	./client:netbird
+GO_BUILDFLAGS=	-tags freebsd -o ${PORTNAME} -ldflags \
+		"-s -w -X github.com/netbirdio/netbird/version.version=${DISTVERSION}"
+
+WRKSRC=		${WRKDIR}/netbird-${DISTVERSION}
+
+PLIST_FILES=	bin/netbird
+
+.include <bsd.port.mk>

netbird/Makefile

@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# PROVIDE: netbird
+# REQUIRE: SERVERS
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+name="netbird"
+netbird_env="IS_DAEMON=1"
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/daemon"
+daemon_args="-P ${pidfile} -r -t \"${name}: daemon\""
+command_args="${daemon_args} /usr/local/bin/netbird service run --config /var/db/netbird/config.json --log-level info --daemon-addr unix:///var/run/netbird.sock --log-file /var/log/netbird/client.log"
+
+run_rc_command "$1"
+

netbird/files/netbird.in

@@ -0,0 +1,18 @@
+NetBird is an open-source WireGuard-based overlay network combined with
+Zero Trust Network Access, providing secure and reliable connectivity
+to internal resources.
+
+Key features:
+- Zero-config VPN: Easily create secure connections between devices without
+manual network setup.
+- Built on WireGuard: Leverages WireGuard's high-performance encryption for
+fast and secure communication.
+- Self-hosted or Cloud-managed: Users can deploy their own NetBird management
+server or use NetBird Cloud for centralized control.
+- Access Control & Routing: Fine-grained access control policies and automatic
+network routing simplify connectivity.
+- This FreeBSD port provides the NetBird client daemon and CLI tools, allowing
+FreeBSD systems to join a NetBird mesh network and securely communicate with
+other peers.
+
+For more details, visit: https://netbird.io

netbird/pkg-descr

@@ -0,0 +1,11 @@
+[
+{ type: install
+  message: <<EOM
+At this time this code is new, unvetted, possibly buggy, and should be
+considered "experimental". It might contain security issues. We gladly
+welcome your testing and bug reports, but do keep in mind that this code
+is new, so some caution should be exercised at the moment for using it
+in mission critical environments.
+EOM
+}
+]

netbird/pkg-message

@@ -34,18 +34,24 @@
         <name>NetBird</name>
         <section>VPN</section>
         <configfile>netbird.xml</configfile>
-        <url>/pkg_edit.php?xml=netbird/netbird_auth.xml</url>
+        <url>/netbird_auth.php</url>
     </menu>
     <menu>
         <name>NetBird</name>
         <section>Status</section>
         <configfile>netbird.xml</configfile>
         <url>/netbird_status.php</url>
     </menu>
+    <service>
+        <name>netbird</name>
+        <rcfile>netbird.sh</rcfile>
+        <executable>netbird</executable>
+        <description>NetBird secure overlay network</description>
+    </service>
     <tabs>
         <tab>
             <text>Authentication</text>
-            <url>pkg_edit.php?xml=netbird/netbird_auth.xml</url>
+            <url>netbird_auth.php</url>
         </tab>
         <tab>
             <text>Settings</text>
@@ -250,6 +256,12 @@
 		]]>
     </note>
 
+    <custom_php_install_command>
+        <![CDATA[netbird_install();]]>
+    </custom_php_install_command>
+    <custom_php_pre_deinstall_command>
+        <![CDATA[netbird_deinstall();]]>
+    </custom_php_pre_deinstall_command>
     <custom_php_after_head_command>
         <![CDATA[netbird_display_connection_info();]]>
     </custom_php_after_head_command>

pfSense-pkg-NetBird/files/usr/local/pkg/netbird.xml

@@ -20,47 +20,56 @@
  */
 
 require_once('service-utils.inc');
+require_once("config.inc");
+require_once("util.inc");
 
 define('NETBIRD_BIN', '/usr/local/bin/netbird');
+define('NETBIRD_CONFIG', '/var/db/netbird/config.json');
 define('PKG_BIN', '/usr/sbin/pkg');
 
 
 function netbird_resync_config()
 {
-    if (netbird_is_connected()) {
-        if (!netbird_disconnect()) {
-            return;
-        }
-    }
-
+    $json = file_get_contents(NETBIRD_CONFIG);
+    $config = json_decode($json, true);
 
-    $cmd = [NETBIRD_BIN, 'up'];
+    if (!is_array($config)) {
+        log_error("Invalid netbird configuration");
+        return;
+    }
 
     if (!empty($_POST['wireguardport'])) {
-        $cmd[] = '--wireguard-port=' . escapeshellarg((int)$_POST['wireguardport']);
-    }
-    if (!empty($_POST['loglevel'])) {
-        $cmd[] = '--log-level=' . escapeshellarg($_POST['loglevel']);
+        $config['WgPort'] = (int)$_POST['wireguardport'];
     }
 
-    $options = [
-        'enablessh'            => ['--allow-server-ssh', true],
-        'blockinboundconn'     => ['--block-inbound', true],
-        'allowfirewallconfig'    => ['--disable-firewall', false],
-        'enabledns'            => ['--disable-dns', false],
-        'accesslan'            => ['--block-lan-access', false],
-        'allowclientroutes'    => ['--disable-client-routes', false],
-        'allowserverroutes'    => ['--disable-server-routes', false],
-        'enablerosenpass'      => ['--enable-rosenpass', true],
-        'rosenpasspermissive'  => ['--rosenpass-permissive', true],
+    $config_map = [
+        'enablessh' => ['ServerSSHAllowed', true],
+        'blockinboundconn' => ['BlockInbound', true],
+        'allowfirewallconfig' => ['DisableFirewall', false],
+        'enabledns' => ['DisableDNS', false],
+        'accesslan' => ['BlockLANAccess', false],
+        'allowclientroutes' => ['DisableClientRoutes', false],
+        'allowserverroutes' => ['DisableServerRoutes', false],
+        'enablerosenpass' => ['RosenpassEnabled', true],
+        'rosenpasspermissive' => ['RosenpassPermissive', true],
     ];
 
-    foreach ($options as $key => [$flag, $enabled_value]) {
-        $is_checked = ($_POST[$key] ?? '') === 'on';
-        $cmd[] = $flag . '=' . ($is_checked === $enabled_value ? 'true' : 'false');
+    foreach ($config_map as $post_key => [$json_key, $enabled_val]) {
+        $checked = ($_POST[$post_key] ?? '') === 'on';
+        $config[$json_key] = ($checked === $enabled_val);
     }
 
-    exec(implode(' ', $cmd));
+    file_put_contents(NETBIRD_CONFIG, json_encode($config, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+
+
+    if (netbird_is_connected()) {
+        if (!netbird_disconnect()) {
+            return;
+        }
+
+        $cmd = implode(' ', [NETBIRD_BIN, 'up']);
+        exec($cmd);
+    }
 }
 
 
@@ -114,7 +123,7 @@ function netbird_display_connection_info(): void
         $type = 'danger';
         $closable = false;
     } elseif (!netbird_is_connected()) {
-        $message = gettext('NetBird is not connected. Refresh or check the NetBird status page.');
+        $message = gettext('NetBird is not connected.');
         $type = 'warning';
         $closable = false;
     } else {
@@ -125,4 +134,38 @@ function netbird_display_connection_info(): void
 
     print_info_box($message, $type, $closable ? 'close' : false);
 }
+
+function netbird_write_rcfile() {
+    $rc['file'] = 'netbird.sh';
+    $rc['start'] .= "/usr/local/bin/netbird service start\n\t";
+    $rc['stop'] .= "/usr/local/bin/netbird service stop\n\t";
+    $rc['restart'] .= "/usr/local/bin/netbird service restart\n\t";
+    write_rcfile($rc);
+}
+
+function netbird_install()
+{
+    netbird_write_rcfile();
+
+    if (!netbird_is_running()){
+        $cmd = implode(' ', [NETBIRD_BIN, 'service', 'start']);
+        exec($cmd);
+    }
+}
+
+function netbird_deinstall()
+{
+    global $config;
+
+    if (netbird_is_running()) {
+        stop_service("netbird");
+    }
+
+    unlink_if_exists(NETBIRD_CONFIG);
+
+    if (isset($config['installedpackages']['netbird'])) {
+        unset($config['installedpackages']['netbird']);
+        write_config("Removed netbird configuration");
+    }
+}
 ?>