diff --git a/docs/decisions/016-mesh-vpn.md b/docs/decisions/016-mesh-vpn.md index ec7361f..02c2a70 100644 --- a/docs/decisions/016-mesh-vpn.md +++ b/docs/decisions/016-mesh-vpn.md @@ -116,7 +116,7 @@ allocated for it. address as a mesh-independent secondary path, so a mesh/coordinator outage never blocks on-LAN SSH and Ansible stays off the mesh (Security; Recovery & operations). - The mesh survives a homelab outage because the coordinator is off-site on `askari`, - with its management datastore backed up encrypted off `askari` and peers keeping + with its management datastore **intended** to be backed up encrypted off `askari` (not yet built — see the Availability amendment / R8) and peers keeping last-known config through a brief coordinator outage (Recovery & operations). - Choosing NetBird over plain OPNsense WireGuard, Tailscale, Tailscale+Headscale, an on-cluster coordinator, a `ubongo` subnet router, and a standalone IdP gains diff --git a/roles/base/molecule/default/verify.yml b/roles/base/molecule/default/verify.yml index 51962fb..d3069aa 100644 --- a/roles/base/molecule/default/verify.yml +++ b/roles/base/molecule/default/verify.yml @@ -111,6 +111,6 @@ - name: Assert the coordinator FQDN is pinned to the fixture IP (DNS-resilience / R8) ansible.builtin.assert: that: - - "'203.0.113.9 netbird.askari.wingu.me' in (_etchosts.content | b64decode)" + - "'203.0.113.9 netbird.askari.wingu.me' in (_etchosts.content | b64decode)" # slurp content is always base64 fail_msg: "base__mesh_coordinator_pin did not render the /etc/hosts coordinator pin" success_msg: "coordinator FQDN pinned in /etc/hosts" diff --git a/roles/base/tasks/mesh.yml b/roles/base/tasks/mesh.yml index 17a8b1e..01badf0 100644 --- a/roles/base/tasks/mesh.yml +++ b/roles/base/tasks/mesh.yml 
@@ -68,7 +68,7 @@
 - name: Pin the NetBird coordinator FQDN in /etc/hosts (DNS-resilience, ADR-016 availability / R8)
 ansible.builtin.lineinfile:
 path: /etc/hosts
- regexp: '\s{{ _coordinator_fqdn | regex_escape }}$'
+ regexp: '^\S+\s+{{ _coordinator_fqdn | regex_escape }}\s*$'
 line: "{{ base__mesh_coordinator_pin }} {{ _coordinator_fqdn }}"
 state: present
 # /etc/hosts is bind-mounted in the Docker Molecule container (atomic rename → EBUSY);
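Review bot: The new `regexp` on the `lineinfile` task matches only a line that is exactly one token followed by the coordinator FQDN, so an existing `/etc/hosts` entry that lists the name with aliases, a trailing comment or leading whitespace is no longer matched; `lineinfile` then appends the pin as a second entry and the older one stays above it, where it can still answer lookups (usually first) with a stale address. `^\S+` also accepts a leading `#`, so a commented-out entry is treated as the managed line and rewritten in place. Consider matching the name as a whole token on any non-comment line, e.g. `regexp: '^\s*[^#\s]\S*\s+(?:\S+\s+)*{{ _coordinator_fqdn | regex_escape }}(?:\s.*)?$'`, accepting that a replaced line loses its other aliases. Because `lineinfile` replaces only the last match, the substring assertion in `roles/base/molecule/default/verify.yml` would be stronger if it also checked that exactly one non-comment line names the FQDN. The task continues past the end of the hunk, so any `when:` guard against an empty `base__mesh_coordinator_pin` is not visible here.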