diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index f525e6a7fc4d..c3c3a5d92ecf 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -205,6 +205,13 @@ services.outline. + + + netbird, a zero + configuration VPN. Available as + services.netbird. + + persistent-evdev, diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index f0a0a026d8aa..0e0ae598b342 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -76,6 +76,9 @@ In addition to numerous new and upgraded packages, this release has the followin - [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable). +- [netbird](https://netbird.io), a zero configuration VPN. + Available as [services.netbird](options.html#opt-services.netbird.enable). + - [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable). - [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 31a4107b3eeb..e632a760f892 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -861,6 +861,7 @@ ./services/networking/nbd.nix ./services/networking/ndppd.nix ./services/networking/nebula.nix + ./services/networking/netbird.nix ./services/networking/networkmanager.nix ./services/networking/nextdns.nix ./services/networking/nftables.nix 
diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix
new file mode 100644
index 000000000000..806b72d5f3a7
--- /dev/null
+++ b/nixos/modules/services/networking/netbird.nix
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.netbird;
+ kernel = config.boot.kernelPackages;
+ interfaceName = "wt0";
+in {
+ meta.maintainers = with maintainers; [ misuzu ];
+
+ options.services.netbird = {
+ enable = mkEnableOption "Netbird daemon";
+ package = mkOption {
+ type = types.package;
+ default = pkgs.netbird;
+ defaultText = literalExpression "pkgs.netbird";
+ description = "The package to use for netbird";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
+
+ environment.systemPackages = [ cfg.package ];
+
+ networking.dhcpcd.denyInterfaces = [ interfaceName ];
+
+ systemd.network.networks."50-netbird" = mkIf config.networking.useNetworkd {
+ matchConfig = {
+ Name = interfaceName;
+ };
+ linkConfig = {
+ Unmanaged = true;
+ ActivationPolicy = "manual";
+ };
+ };
+
+ systemd.services.netbird = {
+ description = "A WireGuard-based mesh network that connects your devices into a single private network";
+ documentation = [ "https://netbird.io/docs/" ];
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ AmbientCapabilities = [ "CAP_NET_ADMIN" ];
+ DynamicUser = true;
+ Environment = [
+ "NB_CONFIG=/var/lib/netbird/config.json"
+ "NB_LOG_FILE=console"
+ ];
+ ExecStart = "${cfg.package}/bin/netbird service run";
+ Restart = "always";
+ RuntimeDirectory = "netbird";
+ StateDirectory = "netbird";
+ WorkingDirectory = "/var/lib/netbird";
+ };
+ unitConfig = {
+ StartLimitInterval = 5;
+ StartLimitBurst = 10;
+ };
+ stopIfChanged = false;
+ };
+ };
+}
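Review bot: The serviceConfig grants `AmbientCapabilities = [ "CAP_NET_ADMIN" ]` but leaves the bounding set unrestricted, so the daemon keeps the full capability bounding set even though it only needs one capability; add `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` next to it so the unit is confined to what the tunnel actually requires. `NB_CONFIG` points into the `StateDirectory`, which systemd creates with the default 0755 mode; if netbird does not tighten the mode of config.json itself (not visible here), `StateDirectoryMode = "0700";` would keep that file, which presumably holds the node's key material, out of reach of other local users. Minor: the `package` option's description is the only one without a trailing period; `description = "The package to use for netbird.";` matches the surrounding modules.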