sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/roles/base/tasks/mesh.yml

81 lines
2.5 KiB
YAML
Raw Normal View History

feat(base): NetBird agent enrollment concern (mesh) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 16:04:46 +02:00
---
# NetBird agent enrollment (ADR-016). Additive only — no firewall change here.
- name: Install NetBird apt prerequisites
ansible.builtin.apt:
name: [ca-certificates, curl, gnupg]
state: present
update_cache: true
when: base__mesh_manage | bool
tags: [mesh]
- name: Ensure /etc/apt/keyrings exists
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
mode: "0755"
when: base__mesh_manage | bool
tags: [mesh]
- name: Add the NetBird APT GPG key
ansible.builtin.get_url:
url: https://pkgs.netbird.io/debian/public.key
dest: /etc/apt/keyrings/netbird.asc
mode: "0644"
when: base__mesh_manage | bool
tags: [mesh]
- name: Add the NetBird APT repository
ansible.builtin.apt_repository:
repo: >-
deb [signed-by=/etc/apt/keyrings/netbird.asc]
https://pkgs.netbird.io/debian stable main
filename: netbird
state: present
when: base__mesh_manage | bool
tags: [mesh]
# The apt pin string can't be confirmed from docs — it might be a bare "0.72.4" or
# carry a packaging suffix. The live deploy task confirms the exact on-host string.
- name: Install the NetBird agent (pinned)
ansible.builtin.apt:
name: "netbird={{ base__mesh_version }}"
state: present
update_cache: true
when: base__mesh_manage | bool
tags: [mesh]
- name: Check current NetBird connection status
ansible.builtin.command: netbird status
register: _netbird_status
changed_when: false
failed_when: false
when: base__mesh_manage | bool
tags: [mesh]
- name: Enrol this host in the mesh
ansible.builtin.command: >-
netbird up
--management-url {{ base__mesh_management_url }}
--setup-key {{ base__mesh_setup_key }}
register: _netbird_up
changed_when: _netbird_up.rc == 0
when:
- base__mesh_manage | bool
- "'Management: Connected' not in (_netbird_status.stdout | default(''))"
no_log: true # setup key is on the argv
tags: [mesh]
feat(base): pin the NetBird coordinator FQDN in /etc/hosts (mesh DNS-resilience) Adds base__mesh_coordinator_pin (default empty = no-op). When set + base__mesh_enabled, a lineinfile task writes "<ip> <fqdn>" to /etc/hosts so a managed mesh host survives a local-DNS hiccup (the 2026-06-18 incident class). FQDN derived from base__mesh_management_url via regex_replace (no community.general). Gated on base__mesh_enabled | bool and pin length; the coordinator host (askari/offsite_hosts) stays exempt. Production pin wired for ubongo (77.42.120.136). Molecule dns_servers fix included (Docker/NetBird DNS incompatibility). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20 11:22:40 +02:00
- name: Pin the NetBird coordinator FQDN in /etc/hosts (DNS-resilience, ADR-016 availability / R8)
ansible.builtin.lineinfile:
path: /etc/hosts
regexp: '\s{{ _coordinator_fqdn | regex_escape }}$'
line: "{{ base__mesh_coordinator_pin }} {{ _coordinator_fqdn }}"
state: present
unsafe_writes: true # /etc/hosts is a bind mount in Docker; atomic rename is impossible
vars:
_coordinator_fqdn: "{{ base__mesh_management_url | regex_replace('^https?://', '') | regex_replace('[:/].*', '') }}"
when:
- base__mesh_enabled | bool
- base__mesh_coordinator_pin | length > 0
tags: [mesh]
Reference in a new issue Copy permalink