NetBird provides zero-trust style remote access: WireGuard data plane, coordination via management and signal, optional relay and STUN, and network routes into private RFC1918 prefixes. MOOD MNKY runs the control plane self-hosted on the DATA LAN; pfSense is the single authoritative subnet-routing peer for site VLANs.
Runtime location
| Item | Value |
|---|---|
| Host | LXC 102 on MNKY-HQ (10.0.0.20 on DATA / vmbr1) |
| Orchestration | Docker Compose (dashboard + combined netbird-server) |
| Published ports (host) | 8080 (dashboard UI), 8081 (management stack), 3478/udp (STUN) |
Exact Compose paths and image tags live in your infrastructure repo (docker-compose.yml on the NetBird host). Prefer pinning image digests in production.
User-facing URLs
- Dashboard / API (public hostname): https://netbird.moodmnky.com
- Management gRPC/API: same host; TLS terminated at Traefik (10.0.0.25)
- Embedded IdP / OAuth: issuer under the same hostname (see server config.yaml on the LXC)
netbird.moodmnky.com to the internal proxy so traffic does not hairpin via the WAN IP.
Server configuration themes
The management process listens on :80 inside the container; trustedHTTPProxies must include the reverse proxy (e.g. 10.0.0.25/32) so X-Forwarded-* headers are trusted.
Sensitive keys (authSecret, encryptionKey, etc.) belong only in private config — never in Mintlify or public git.
Control plane inventory (API snapshot, 2026-03-25)
Values below are stable identifiers from the management API (not secrets). Re-verify with GET /api/routes and GET /api/peers after changes.
Hub peer (subnet router)
| Field | Value |
|---|---|
| Peer name | pfSense.mnkylab.moodmnky.com |
| DNS label | pfsense.netbird.moodmnky.com |
| Peer ID | d6vgvoc2h96c73a46nrg |
Enabled network routes (via pfSense)
| Network | Metric | Masquerade | Description | Route ID |
|---|---|---|---|---|
| 10.0.0.0/24 | 50 | yes | DATA LAN via pfSense hub | d6uqt842h96c73dgjj1g |
| 10.1.0.0/24 | 50 | yes | MOOD VLAN | d72100vljorc73cnd3dg |
| 10.2.0.0/24 | 50 | yes | SAGE VLAN | d72100vljorc73cnd3eg |
| 10.3.0.0/24 | 50 | yes | CODE VLAN | d72100vljorc73cnd3fg |
| 10.4.0.0/24 | 50 | yes | CASA VLAN | d721017ljorc73cnd3gg |
| 10.0.13.0/24 | 50 | yes | DATA internal segment (vmbr1 on DATA-MNKY) | d721507ljorc73cnfnhg |
network_id: mnky-datacenter. Distribution: classic routes are typically distributed to peers in Datacenter. Access control on the primary DATA route (10.0.0.0/24 via pfSense) also includes Remote-Operators so laptops and approved Android peers (e.g. NVIDIA Shield) can use the route when they are in both groups—re-verify IDs in the dashboard after changes.
Android TV / Shield (remote SMB to TrueNAS)
The Shield NetBird peer (mdarcy) is in All, Datacenter, and Remote-Operators. With DisableClientRoutes off, the 10.0.0.0/24 route can reach TRUNAS_IP (SMB / rclone) while traveling. At home, the same overlay route can overlap the physical LAN and break local 10.x reachability—disconnect NetBird or disable only that network route in the app when on-site.
Suggested Shield app toggles: disable NetBird DNS (SMB uses IPs); keep NetBird firewall on; do not force relay unless connectivity fails; Rosenpass is not a priority on Android. See Storage and network for Termux / rclone patterns (no secrets in docs).
Role groups (2026-03-26)
NetBird groups are flat (no nested subgroups). Peers can belong to multiple groups. Besides All and Datacenter, operators use Hypervisors, Infra-Edge, Monitoring, Apps, Remote-Operators, BreakGlass (empty), and External (untrusted). Remote-Operators remain in Datacenter so LAN routes stay available; segmentation is layered with access policies and DNS nameserver groups. See internal docs/network/05 and 07 for the matrix and automation script.
De-duplication
Duplicate 10.0.0.0/24 routes that previously pointed at Proxmox nodes or Traefik were disabled so only pfSense advertises DATA. See internal doc docs/network/05-netbird-control-plane-inventory.md for the full disabled route ID table.
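An added verification script (not part of this page or the NetBird project) that uses the operator API described in the next section to confirm the de-duplication invariant after changes: no network has two enabled routes, and every enabled 10.0.0.0/24 route points at the pfSense hub peer. It assumes a NETBIRD_PAT environment variable for the token and the field names of /api/routes objects; the sample data is constructed, with PLACEHOLDER ids standing in for the disabled Proxmox/Traefik duplicates.

```python
import json
import os
import urllib.request
from collections import defaultdict

# Hub identifiers taken from the inventory tables on this page.
HUB_PEER_ID = "d6vgvoc2h96c73a46nrg"      # pfSense.mnkylab.moodmnky.com
DATA_ROUTE_ID = "d6uqt842h96c73dgjj1g"    # 10.0.0.0/24 via pfSense hub


def fetch_routes():
    """GET /api/routes; URL and PAT come from the environment, never from git.
    NETBIRD_PAT is an assumed variable name for the Personal Access Token."""
    base = os.environ["NETBIRD_MANAGEMENT_URL"].rstrip("/")
    req = urllib.request.Request(
        f"{base}/api/routes",
        headers={"Authorization": f"Token {os.environ['NETBIRD_PAT']}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def duplicate_networks(routes):
    """Networks advertised by more than one *enabled* route -> {network: [route ids]}."""
    by_net = defaultdict(list)
    for r in routes:
        if r.get("enabled"):
            by_net[r["network"]].append(r["id"])
    return {net: ids for net, ids in by_net.items() if len(ids) > 1}


def non_hub_data_routes(routes, network="10.0.0.0/24", hub=HUB_PEER_ID):
    """Enabled routes for `network` whose peer is not the pfSense hub (should be empty)."""
    return [r["id"] for r in routes
            if r.get("enabled") and r["network"] == network and r.get("peer") != hub]


# Constructed sample in the shape of /api/routes objects (field names assumed).
SAMPLE_ROUTES = [
    {"id": DATA_ROUTE_ID, "network": "10.0.0.0/24", "peer": HUB_PEER_ID,
     "enabled": True, "masquerade": True, "metric": 50, "network_id": "mnky-datacenter"},
    {"id": "d72100vljorc73cnd3dg", "network": "10.1.0.0/24", "peer": HUB_PEER_ID,
     "enabled": True, "masquerade": True, "metric": 50, "network_id": "mnky-datacenter"},
    {"id": "PLACEHOLDER-proxmox-route", "network": "10.0.0.0/24", "peer": "PLACEHOLDER-proxmox-peer",
     "enabled": False, "masquerade": True, "metric": 50, "network_id": "mnky-datacenter"},
    {"id": "PLACEHOLDER-stray-route", "network": "10.0.0.0/24", "peer": "PLACEHOLDER-traefik-peer",
     "enabled": True, "masquerade": True, "metric": 50, "network_id": "mnky-datacenter"},
]

if __name__ == "__main__":
    live = fetch_routes()
    print("duplicate enabled networks:", duplicate_networks(live))
    print("non-hub 10.0.0.0/24 routes:", non_hub_data_routes(live))
```

Run it after any route change; both printed collections should be empty on a clean control plane, and the stray enabled route in the sample shows what a regression looks like.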
API access (operators)
Set environment
Export NETBIRD_MANAGEMENT_URL (e.g. https://netbird.moodmnky.com) and a Personal Access Token from your secrets store — not from git.
Call the API
Use header Authorization: Token <PAT> on endpoints such as GET /api/peers, GET /api/routes, GET /api/networks, GET /api/groups.
Policies, DNS & SSH
Default (All, protocol: all) still provides full mesh while additive policies document Remote-Operators → Monitoring / Infra-Edge (TCP) and NetBird SSH → Hypervisors. Split DNS: nameserver group Internal mnky.internal (pfSense) (name unchanged) forwards these zones to pfSense Unbound at 10.0.0.1:53 for peers in Remote-Operators and Datacenter:
- mnky.internal — internal-only stub names (e.g. experiments).
- moodmnky.local — optional second internal suffix if you use it for host overrides.
- mnkylab.moodmnky.com — LAN / DHCP-style hostnames from pfSense (e.g. grafana.mnkylab.moodmnky.com → monitoring CT).
:3000) unless the app listens on 80/443 or a reverse proxy fronts it — public moodmnky.com apps use Traefik + Coolify + Cloudflare separately. Details: NetBird policies & universal SSH and internal docs/network/05, 07.
Related documentation
- Edge network overview — full stack breakdown
- NetBird policies & universal SSH — cleanup + SSH + future tightening
- pfSense edge — port forwards and wt0
- Alignment & validation — paths and checklist
- Media workloads (Jellyfin/*arr), MOOD-MNKY LXC NetBird peer, and LAN / overlay URLs (Jellyfin + qBittorrent): Media Stack (see Access hostnames)