boma/roles/base/tasks/mesh.yml

---
# NetBird agent enrollment (ADR-016). Additive only — no firewall change here.
- name: Install NetBird apt prerequisites
  ansible.builtin.apt:
    name: [ca-certificates, curl, gnupg]
    state: present
    update_cache: true
  when: base__mesh_manage | bool
  tags: [mesh]

- name: Ensure /etc/apt/keyrings exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
  when: base__mesh_manage | bool
  tags: [mesh]

- name: Add the NetBird APT GPG key
  ansible.builtin.get_url:
    url: https://pkgs.netbird.io/debian/public.key
    dest: /etc/apt/keyrings/netbird.asc
    mode: "0644"
  when: base__mesh_manage | bool
  tags: [mesh]

- name: Add the NetBird APT repository
  ansible.builtin.apt_repository:
    repo: >-
      deb [signed-by=/etc/apt/keyrings/netbird.asc]
      https://pkgs.netbird.io/debian stable main
    filename: netbird
    state: present
  when: base__mesh_manage | bool
  tags: [mesh]

# The apt pin string can't be confirmed from docs — it might be a bare "0.72.4" or
# carry a packaging suffix. The live deploy task confirms the exact on-host string.
- name: Install the NetBird agent (pinned)
  ansible.builtin.apt:
    name: "netbird={{ base__mesh_version }}"
    state: present
    update_cache: true
  when: base__mesh_manage | bool
  tags: [mesh]

- name: Check current NetBird connection status
  ansible.builtin.command: netbird status
  register: _netbird_status
  changed_when: false
  failed_when: false
  when: base__mesh_manage | bool
  tags: [mesh]

- name: Enrol this host in the mesh
  ansible.builtin.command: >-
    netbird up
    --management-url {{ base__mesh_management_url }}
    --setup-key {{ base__mesh_setup_key }}
  register: _netbird_up
  changed_when: _netbird_up.rc == 0
  when:
    - base__mesh_manage | bool
    - "'Management: Connected' not in (_netbird_status.stdout | default(''))"
  no_log: true   # setup key is on the argv
  tags: [mesh]

- name: Pin the NetBird coordinator FQDN in /etc/hosts (DNS-resilience, ADR-016 availability / R8)
  ansible.builtin.lineinfile:
    path: /etc/hosts
    regexp: '^\S+\s+{{ _coordinator_fqdn | regex_escape }}\s*$'
    line: "{{ base__mesh_coordinator_pin }} {{ _coordinator_fqdn }}"
    state: present
    # /etc/hosts is bind-mounted in the Docker Molecule container (atomic rename → EBUSY);
    # this is a fallback only — production VMs still write atomically.
    unsafe_writes: true
  vars:
    _coordinator_fqdn: "{{ base__mesh_management_url | regex_replace('^https?://', '') | regex_replace('[:/].*', '') }}"
  when:
    - base__mesh_enabled | bool
    - base__mesh_coordinator_pin | length > 0
  tags: [mesh]
feat(base): NetBird agent enrollment concern (mesh) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-17 16:04:46 +02:00			`---`
			`# NetBird agent enrollment (ADR-016). Additive only — no firewall change here.`
			`- name: Install NetBird apt prerequisites`
			`ansible.builtin.apt:`
			`name: [ca-certificates, curl, gnupg]`
			`state: present`
			`update_cache: true`
			`when: base__mesh_manage \| bool`
			`tags: [mesh]`

			`- name: Ensure /etc/apt/keyrings exists`
			`ansible.builtin.file:`
			`path: /etc/apt/keyrings`
			`state: directory`
			`mode: "0755"`
			`when: base__mesh_manage \| bool`
			`tags: [mesh]`

			`- name: Add the NetBird APT GPG key`
			`ansible.builtin.get_url:`
			`url: https://pkgs.netbird.io/debian/public.key`
			`dest: /etc/apt/keyrings/netbird.asc`
			`mode: "0644"`
			`when: base__mesh_manage \| bool`
			`tags: [mesh]`

			`- name: Add the NetBird APT repository`
			`ansible.builtin.apt_repository:`
			`repo: >-`
			`deb [signed-by=/etc/apt/keyrings/netbird.asc]`
			`https://pkgs.netbird.io/debian stable main`
			`filename: netbird`
			`state: present`
			`when: base__mesh_manage \| bool`
			`tags: [mesh]`

			`# The apt pin string can't be confirmed from docs — it might be a bare "0.72.4" or`
			`# carry a packaging suffix. The live deploy task confirms the exact on-host string.`
			`- name: Install the NetBird agent (pinned)`
			`ansible.builtin.apt:`
			`name: "netbird={{ base__mesh_version }}"`
			`state: present`
			`update_cache: true`
			`when: base__mesh_manage \| bool`
			`tags: [mesh]`

			`- name: Check current NetBird connection status`
			`ansible.builtin.command: netbird status`
			`register: _netbird_status`
			`changed_when: false`
			`failed_when: false`
			`when: base__mesh_manage \| bool`
			`tags: [mesh]`

			`- name: Enrol this host in the mesh`
			`ansible.builtin.command: >-`
			`netbird up`
			`--management-url {{ base__mesh_management_url }}`
			`--setup-key {{ base__mesh_setup_key }}`
			`register: _netbird_up`
			`changed_when: _netbird_up.rc == 0`
			`when:`
			`- base__mesh_manage \| bool`
			`- "'Management: Connected' not in (_netbird_status.stdout \| default(''))"`
			`no_log: true # setup key is on the argv`
			`tags: [mesh]`
feat(base): pin the NetBird coordinator FQDN in /etc/hosts (mesh DNS-resilience) Adds base__mesh_coordinator_pin (default empty = no-op). When set + base__mesh_enabled, a lineinfile task writes "<ip> <fqdn>" to /etc/hosts so a managed mesh host survives a local-DNS hiccup (the 2026-06-18 incident class). FQDN derived from base__mesh_management_url via regex_replace (no community.general). Gated on base__mesh_enabled \| bool and pin length; the coordinator host (askari/offsite_hosts) stays exempt. Production pin wired for ubongo (77.42.120.136). Molecule dns_servers fix included (Docker/NetBird DNS incompatibility). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-20 11:22:40 +02:00
			`- name: Pin the NetBird coordinator FQDN in /etc/hosts (DNS-resilience, ADR-016 availability / R8)`
			`ansible.builtin.lineinfile:`
			`path: /etc/hosts`
fix: address whole-branch review (anchor pin regexp, ADR-016 backup note, verify comment) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-20 11:41:19 +02:00			`regexp: '^\S+\s+{{ _coordinator_fqdn \| regex_escape }}\s*$'`
feat(base): pin the NetBird coordinator FQDN in /etc/hosts (mesh DNS-resilience) Adds base__mesh_coordinator_pin (default empty = no-op). When set + base__mesh_enabled, a lineinfile task writes "<ip> <fqdn>" to /etc/hosts so a managed mesh host survives a local-DNS hiccup (the 2026-06-18 incident class). FQDN derived from base__mesh_management_url via regex_replace (no community.general). Gated on base__mesh_enabled \| bool and pin length; the coordinator host (askari/offsite_hosts) stays exempt. Production pin wired for ubongo (77.42.120.136). Molecule dns_servers fix included (Docker/NetBird DNS incompatibility). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-20 11:22:40 +02:00			`line: "{{ base__mesh_coordinator_pin }} {{ _coordinator_fqdn }}"`
			`state: present`
fix(base): confine /etc/hosts unsafe-write fallback to the Docker Molecule env Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-20 11:31:15 +02:00			`# /etc/hosts is bind-mounted in the Docker Molecule container (atomic rename → EBUSY);`
			`# this is a fallback only — production VMs still write atomically.`
			`unsafe_writes: true`
feat(base): pin the NetBird coordinator FQDN in /etc/hosts (mesh DNS-resilience) Adds base__mesh_coordinator_pin (default empty = no-op). When set + base__mesh_enabled, a lineinfile task writes "<ip> <fqdn>" to /etc/hosts so a managed mesh host survives a local-DNS hiccup (the 2026-06-18 incident class). FQDN derived from base__mesh_management_url via regex_replace (no community.general). Gated on base__mesh_enabled \| bool and pin length; the coordinator host (askari/offsite_hosts) stays exempt. Production pin wired for ubongo (77.42.120.136). Molecule dns_servers fix included (Docker/NetBird DNS incompatibility). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-06-20 11:22:40 +02:00			`vars:`
			`_coordinator_fqdn: "{{ base__mesh_management_url \| regex_replace('^https?://', '') \| regex_replace('[:/].*', '') }}"`
			`when:`
			`- base__mesh_enabled \| bool`
			`- base__mesh_coordinator_pin \| length > 0`
			`tags: [mesh]`