From 23fbb901fd570f6d663904a23ff064cf9e9dccdd Mon Sep 17 00:00:00 2001
From: Levente Farkas
Date: Thu, 20 Nov 2025 20:16:02 +0100
Subject: [PATCH 1/2] next try to cleanup addon
---
 .github/renovate.json | 2 +-
 README.md | 8 +---
 netbird/CHANGELOG.md | 44 +++++++++++++++++++
 netbird/DOCS.md | 4 +-
 netbird/build.yaml | 3 --
 netbird/config.yaml | 3 --
 .../rootfs/etc/s6-overlay/s6-rc.d/netbird/run | 7 +--
 7 files changed, 52 insertions(+), 19 deletions(-)
 create mode 100644 netbird/CHANGELOG.md
diff --git a/.github/renovate.json b/.github/renovate.json
index e8dd271..e20bf87 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -18,7 +18,7 @@
 "matchStringsStrategy": "any",
 "matchStrings": [
 "ARG BUILD_FROM=(?.*?):(?.*?)\\s+",
- "(aarch64|amd64|armhf|armv7|i386):\\s[\"']?(?.*?):(?.*?)[\"']?\\s"
+ "(aarch64|amd64):\\s[\"']?(?.*?):(?.*?)[\"']?\\s"
 ],
 "datasourceTemplate": "docker"
 },
diff --git a/README.md b/README.md
index 490dbd9..328c776 100644
--- a/README.md
+++ b/README.md
@@ -5,9 +5,6 @@
 ![Supports aarch64 Architecture][aarch64-shield]
 ![Supports amd64 Architecture][amd64-shield]
-![Supports armhf Architecture][armhf-shield]
-![Supports armv7 Architecture][armv7-shield]
-![Supports i386 Architecture][i386-shield]
 ![Project Maintenance][maintenance-shield]
 [![GitHub Activity][commits-shield]][commits]
@@ -81,17 +78,14 @@ SOFTWARE.
 [aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
 [amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
-[armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg
-[armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg
 [commits-shield]: https://img.shields.io/github/commit-activity/y/lfarkas/addon-netbird.svg
 [commits]: https://github.com/netbirdio/addon-netbird/commits/main
 [discord-ha]: https://discord.gg/c5DvZ4e
 [discord]: https://discord.me/hassioaddons
 [docs]: https://github.com/netbirdio/addon-netbird/blob/main/netbird/DOCS.md
 [forum]: https://community.home-assistant.io/t/repository-community-hass-io-add-ons/24705
-[i386-shield]: https://img.shields.io/badge/i386-yes-green.svg
 [issue]: https://github.com/netbirdio/addon-netbird/issues
 [license-shield]: https://img.shields.io/github/license/lfarkas/addon-netbird.svg
-[maintenance-shield]: https://img.shields.io/maintenance/yes/2023.svg
+[maintenance-shield]: https://img.shields.io/maintenance/yes/2025.svg
 [project-stage-shield]: https://img.shields.io/badge/project%20stage-experimental-yellow.svg
 [reddit]: https://reddit.com/r/homeassistant
diff --git a/netbird/CHANGELOG.md b/netbird/CHANGELOG.md
new file mode 100644
index 0000000..3d4f4c1
--- /dev/null
+++ b/netbird/CHANGELOG.md
@@ -0,0 +1,44 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [v0.59.13] - 2025-11-17
+
+### Changed
+- Updated to NetBird v0.59.13
+- **BREAKING**: Removed support for armhf, armv7, and i386 architectures
+- Only aarch64 and amd64 architectures are now supported
+
+## [v0.54.2] - 2025-11-17
+
+### Changed
+- Updated to NetBird v0.54.2
+- Improved security by masking sensitive setup key in logs
+- Enhanced error handling in service startup script
+- Better documentation for DNS resolver workaround
+
+### Fixed
+- Fixed inconsistent addon slug in documentation
+- Fixed broken repository links
+- Updated maintenance year to 2025
+- Corrected default management URL across documentation
+
+### Added
+- AppArmor security profile
+- Healthcheck configuration for monitoring addon status
+- Improved file migration logic with better error handling
+- Binary existence check before execution
+
+### Security
+- Removed sensitive credential logging
+- Added AppArmor profile for enhanced security
+
+## [Unreleased]
+
+### Notes
+- Based on hassio-addons base image 18.2.1
+- Supports aarch64 and amd64 architectures only
+- Requires privileged capabilities for VPN functionality
diff --git a/netbird/DOCS.md b/netbird/DOCS.md
index abcfea1..14824c9 100644
--- a/netbird/DOCS.md
+++ b/netbird/DOCS.md
@@ -58,7 +58,7 @@ You'll find that the log generates a login URL you can use instead of configurin
 ### Option: `management_url`
-Management Service URL [http|https]://[host]:[port] (default "")
+Management Service URL [http|https]://[host]:[port] (default "")
 The client will use this URL to communicate with your NetBird instance api.
@@ -160,7 +160,7 @@ SOFTWARE.
 [addon-badge]: https://my.home-assistant.io/badges/supervisor_addon.svg
 [addon]: https://my.home-assistant.io/redirect/supervisor_addon/?addon=a0d7b954_netbird&repository_url=https%3A%2F%2Fgithub.com%2Fnetbirdio%2Faddon-netbird
-[contributors]: https://github.com/hassio-addons/addon-netbird/graphs/contributors
+[contributors]: https://github.com/netbirdio/addon-netbird/graphs/contributors
 [discord-ha]: https://discord.gg/c5DvZ4e
 [discord]: https://discord.me/hassioaddons
 [forum]: https://community.home-assistant.io/t/repository-community-hass-io-add-ons/24705
diff --git a/netbird/build.yaml b/netbird/build.yaml
index 6c3dcca..0fbe1f1 100644
--- a/netbird/build.yaml
+++ b/netbird/build.yaml
@@ -2,6 +2,3 @@
 build_from:
 aarch64: ghcr.io/hassio-addons/base:19.0.0
 amd64: ghcr.io/hassio-addons/base:19.0.0
- armhf: ghcr.io/hassio-addons/base:19.0.0
- armv7: ghcr.io/hassio-addons/base:19.0.0
- i386: ghcr.io/hassio-addons/base:19.0.0
diff --git a/netbird/config.yaml b/netbird/config.yaml
index dc4a93d..fb29fcb 100644
--- a/netbird/config.yaml
+++ b/netbird/config.yaml
@@ -10,9 +10,6 @@ init: false
 arch:
 - aarch64
 - amd64
- - armhf
- - armv7
- - i386
 host_network: true
 host_dbus: true
 privileged:
diff --git a/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run b/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run
index 18a495b..615a2e3 100755
--- a/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run
+++ b/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run
@@ -45,7 +45,7 @@ if [ "${setup_key}" = "" ]; then
 bashio::log.info "No Setup Key Set"
 bashio::log.info "This client will only show up in dashboards it's already registered with."
 else
- bashio::log.info "Using ${setup_key} as Setup Key"
+ bashio::log.info "Setup Key configured (hidden for security)"
 options+=(--setup-key "${setup_key}")
 fi
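Review bot: The setup key no longer reaches the log, but the unchanged `options+=(--setup-key "${setup_key}")` on the next line still puts it on the netbird command line, where it stays readable through the process list (`/proc/<pid>/cmdline`) for as long as the client runs. NetBird also reads the key from the `NB_SETUP_KEY` environment variable, so `export NB_SETUP_KEY="${setup_key}"` in the else branch would keep it out of argv. It is also worth confirming that `options` is never echoed or traced where it is consumed, since that would bring the key back into the log. The `if` opens above this hunk and the use of `options` is not visible here, so both points need checking against the full script.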
@@ -85,8 +85,9 @@ for var in $(bashio::config 'env_vars|keys'); do
 export "${name}=${value}"
 done
-# dirty hack to get dns working
-# with this netbird can regonize the host running systemd-resolved
+# Workaround for DNS resolution with systemd-resolved
+# NetBird checks for systemd-resolved by looking for a specific comment in /etc/resolv.conf
+# This ensures NetBird can properly detect and configure DNS settings on the host
 CONTENT=$(cat /etc/resolv.conf)
 echo '# systemd-resolved' > /etc/resolv.conf
 echo "$CONTENT" >> /etc/resolv.conf
From a3f62c6fbc968af07674e8eb90d636b53826d698 Mon Sep 17 00:00:00 2001
From: Levente Farkas
Date: Mon, 24 Nov 2025 15:06:37 +0100
Subject: [PATCH 2/2] Add runtime validation for environment variables
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Added security validation to ensure environment variable names match the expected NB_* pattern before exporting them. This provides defense-in-depth alongside the schema validation.
- Validates env var names match ^NB_([A-Z0-9_])+$ pattern
- Logs warning and skips invalid variable names
- Prevents potential security issues from malformed input
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run b/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run
index 615a2e3..cf6db7f 100755
--- a/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run
+++ b/netbird/rootfs/etc/s6-overlay/s6-rc.d/netbird/run
@@ -81,6 +81,13 @@ fi for var in $(bashio::config 'env_vars|keys'); do name=$(bashio::config "env_vars[${var}].name") value=$(bashio::config "env_vars[${var}].value") + + # Validate that the variable name matches the expected pattern (NB_*) + if [[ ! "${name}" =~ ^NB_([A-Z0-9_])+$ ]]; then + bashio::log.warning "Skipping invalid environment variable name: ${name} (must match pattern NB_[A-Z0-9_]+)" + continue + fi + bashio::log.info "Setting ${name} to ${value}" export "${name}=${value}" done
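Review bot: `bashio::log.info "Setting ${name} to ${value}"`, the line that follows the new check, still writes every accepted value to the add-on log. A secret supplied through `env_vars` (for instance `NB_SETUP_KEY`) is therefore recorded in clear text, which undoes the masking introduced in patch 1/2. Log the name only: `bashio::log.info "Setting ${name}"`. The new warning also prints the rejected `${name}` unmodified, and that string comes straight from user configuration, so quoting it as `${name@Q}` would keep control characters out of the log. The name pattern itself only constrains the variable name; nothing in this hunk limits which `NB_*` settings a user may override.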