From ab328a2f791b6dfda0289821a09f998ee9bc3781 Mon Sep 17 00:00:00 2001
From: sjat
Date: Fri, 19 Jun 2026 17:15:33 +0200
Subject: [PATCH] feat(netbird_coordinator): disable geolocation so no-egress startup can't FATAL the control plane

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 roles/netbird_coordinator/README.md | 1 +
 roles/netbird_coordinator/defaults/main.yml | 7 +++++++
 roles/netbird_coordinator/molecule/default/verify.yml | 9 +++++++++
 .../netbird_coordinator/templates/docker-compose.yml.j2 | 4 ++++
 4 files changed, 21 insertions(+)

diff --git a/roles/netbird_coordinator/README.md b/roles/netbird_coordinator/README.md
index 4145535..414e9a1 100644
--- a/roles/netbird_coordinator/README.md
+++ b/roles/netbird_coordinator/README.md
@@ -46,6 +46,7 @@ upstream support; WS/gRPC need long timeouts (Caddy sets none by default).
 | `netbird_coordinator__domain` | `netbird.askari.wingu.me` | Public hostname; feeds `exposedAddress`, the OIDC issuer, redirect URIs, and the dashboard endpoints |
 | `netbird_coordinator__trusted_proxies` | `["172.16.0.0/12"]` | Source ranges NetBird trusts `X-Forwarded-*` from (`server.reverseProxy.trustedHTTPProxies`). Must cover Caddy's source IP on the boma network — verify the actual bridge subnet at deploy |
 | `netbird_coordinator__manage` | `true` | Set `false` in Molecule to render templates without a Docker daemon |
+| `netbird_coordinator__disable_geolocation` | `true` | sets `NB_DISABLE_GEOLOCATION` so a no-egress startup can't FATAL the server on the GeoLite2 download (FRICTION 2026-06-17 #4) |
 
 Production overrides live in `inventories/production/group_vars/`.
diff --git a/roles/netbird_coordinator/defaults/main.yml b/roles/netbird_coordinator/defaults/main.yml
index 369e55d..a767ab3 100644
--- a/roles/netbird_coordinator/defaults/main.yml
+++ b/roles/netbird_coordinator/defaults/main.yml
@@ -6,6 +6,13 @@
 netbird_coordinator__dashboard_image: "netbirdio/dashboard:v2.39.0"
 netbird_coordinator__base_dir: /opt/services/netbird
 netbird_coordinator__domain: netbird.askari.wingu.me
+# Disable NetBird's GeoLite2 geolocation (download + lookups). boma uses no geo posture
+# (ACL is Allow-All), and the combined server treats a failed GeoLite2 download as FATAL —
+# so a transient egress loss (NAT wiped on `nft flush`, or the boot window before Docker
+# re-adds NAT) would crash-loop the whole control plane (FRICTION 2026-06-17 #4). Disabling
+# removes that dependency. Revisit if a future ACL sub-project wants geo-based posture.
+netbird_coordinator__disable_geolocation: true
+
 # Source IP ranges Caddy fronts NetBird from, rendered into config.yaml
 # server.reverseProxy.trustedHTTPProxies. NetBird trusts X-Forwarded-* only from
 # these. MUST cover the Caddy container's source IP on the boma Docker network —
diff --git a/roles/netbird_coordinator/molecule/default/verify.yml b/roles/netbird_coordinator/molecule/default/verify.yml
index 0d657f3..5e38ec2 100644
--- a/roles/netbird_coordinator/molecule/default/verify.yml
+++ b/roles/netbird_coordinator/molecule/default/verify.yml
@@ -30,3 +30,12 @@
           - "'v2.39.0' in (_compose.content | b64decode)"
         fail_msg: "docker-compose.yml is missing pinned image tags"
         success_msg: "docker-compose.yml pins both image tags"
+
+    - name: "Assert geolocation is disabled (FRICTION 2026-06-17 #4 — no geo-DB download FATAL)"
+      ansible.builtin.assert:
+        that:
+          - "'NB_DISABLE_GEOLOCATION: \"true\"' in (_compose.content | b64decode)"
+        fail_msg: >-
+          compose must set NB_DISABLE_GEOLOCATION=true so a no-egress startup can't FATAL
+          the coordinator on the GeoLite2 download
+        success_msg: "geolocation disabled in compose"
diff --git a/roles/netbird_coordinator/templates/docker-compose.yml.j2 b/roles/netbird_coordinator/templates/docker-compose.yml.j2
index f84c922..c37f6fc 100644
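Review bot: The comment block above `netbird_coordinator__disable_geolocation` ties the default to two facts that are not pinned anywhere — that this server build treats a failed GeoLite2 download as FATAL, and that the ACL is Allow-All so no posture check needs location data — and the next image bump or ACL change can invalidate either without touching this file. I would add one line to the comment, `# Observed on the server image pinned above; re-test the FATAL-on-download behaviour on each image bump, and flip this back before enabling any location-based posture check.` The trade-off is worth stating explicitly: with geolocation off, any later geolocation-based posture check (if the pinned version supports one — confirm) would be evaluating peers with no location data, so the Allow-All assumption is load-bearing for security, not just for availability.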
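Review bot: The new assert in verify.yml proves only that the template renders the literal `NB_DISABLE_GEOLOCATION: "true"`; per the README row in this patch Molecule runs with `netbird_coordinator__manage: false` and no Docker daemon, so nothing checks that the pinned server image actually reads that variable, and a renamed or misspelled env var would pass this test while the FATAL returns in production. I would say so on the task, `# Render-only check: proves the template wiring, not that the server honours the variable — confirm that against the pinned server image`. The hard-coded `"true"` also couples the test to the role default rather than to the variable; deriving the expected value from `netbird_coordinator__disable_geolocation | string | lower`, or guarding the task with `when: netbird_coordinator__disable_geolocation | bool`, keeps the scenario honest if a future override sets it to `false`.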
--- a/roles/netbird_coordinator/templates/docker-compose.yml.j2
+++ b/roles/netbird_coordinator/templates/docker-compose.yml.j2
@@ -16,6 +16,10 @@ services:
     container_name: netbird-server
     restart: unless-stopped
     command: ["--config", "/etc/netbird/config.yaml"]
+    environment:
+      # Disable geolocation so a no-egress startup can't FATAL the control plane
+      # (FRICTION 2026-06-17 #4). boma uses no geo posture (ACL Allow-All).
+      NB_DISABLE_GEOLOCATION: "{{ netbird_coordinator__disable_geolocation | string | lower }}"
     ports:
       - "3478:3478/udp"
     volumes:
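Review bot: The server is started with `--config /etc/netbird/config.yaml` on the line just above the new `environment:` block, and the README row in this patch shows the role already renders other server settings (trustedHTTPProxies) into that config.yaml, so this switch now lives in a second place; whether the env var wins over a geolocation setting in config.yaml on the pinned image is not shown here and should be confirmed, because a config.yaml key that re-enables the download would silently restore the crash-loop this commit fixes. If the pinned version exposes the same setting in config.yaml, setting it there keeps one source of truth for server configuration. The inline comment also hard-codes the justification ("boma uses no geo posture") on a value that is variable-driven; I would replace it with `# Mirrors netbird_coordinator__disable_geolocation (defaults/main.yml); confirm env takes precedence over config.yaml on the pinned image`. The quoted `"{{ ... | string | lower }}"` rendering is correct for compose, which needs the env value as a string rather than a YAML boolean.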