From d28ff2232d117049ee99613eee7a72dec99f2bb7 Mon Sep 17 00:00:00 2001
From: Krzysztof Nazarewski
Date: Mon, 3 Nov 2025 16:03:39 +0100
Subject: [PATCH] nixos/netbird: open up 0.59.0+ DNS forwarder port

---
 nixos/modules/services/networking/netbird.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/networking/netbird.nix b/nixos/modules/services/networking/netbird.nix
index a39e81a5a5ec..ba2c1be37c52 100644
--- a/nixos/modules/services/networking/netbird.nix
+++ b/nixos/modules/services/networking/netbird.nix
@@ -231,6 +231,14 @@ in
 '';
 };
 
+ openInternalFirewall = mkOption {
+ type = bool;
+ default = true;
+ description = ''
+ Opens up internal firewall ports for the NetBird's network interface.
+ '';
+ };
+
 hardened = mkOption {
 type = bool;
 default = true;
@@ -502,8 +510,11 @@ in
 interfaces = listToAttrs (
 toClientList (client: {
 name = client.interface;
- value.allowedUDPPorts = optionals client.openFirewall [
- 5353 # required for the DNS forwarding/routing to work
+ value.allowedUDPPorts = optionals client.openInternalFirewall [
+ # note: those should be opened up by NetBird itself, but it needs additional
+ # NixOS -specific debugging and tweaking before it works
+ 5353 # <0.59.0 DNS forwarder port, kept for compatibility with those clients
+ 22054 # >=0.59.0 DNS forwarder port
 ];
 })
 );
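Review bot: The `openInternalFirewall` description added in the first hunk does not say which ports it opens or that they are limited to the NetBird interface, so a reader of the option cannot judge what it exposes; proposed text: `Opens UDP ports 5353 and 22054 (NetBird DNS forwarder, pre-0.59.0 and 0.59.0+) in the firewall for the NetBird network interface only.` The option defaults to `true`, and because the second hunk moves these ports from `openFirewall` to this option, hosts that never set `openFirewall` now get both ports opened on the interface unless they also disable this one. If `openFirewall` defaults to false (its definition is outside the hunk), that is a behaviour change worth naming in the description and in the release notes.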
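Review bot: The comment `# NixOS -specific debugging and tweaking before it works` in the second hunk has a stray space before the hyphen; `# NixOS-specific debugging and tweaking before it works` reads as intended. The same comment records that NetBird is expected to open these ports itself, but gives no reference for the upstream problem; a pointer such as `# see <TRACKING-ISSUE-PLACEHOLDER>` would help whoever later removes the workaround and the 5353 compatibility entry. The `interfaces` expression is complete within the hunk, though the attribute set that contains it continues outside.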