feat(netbird_coordinator): disable geolocation so no-egress startup can't FATAL the control plane

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-19 17:15:33 +02:00
parent 61cbcc6c18
commit ab328a2f79
4 changed files with 21 additions and 0 deletions

View file

@ -46,6 +46,7 @@ upstream support; WS/gRPC need long timeouts (Caddy sets none by default).
| `netbird_coordinator__domain` | `netbird.askari.wingu.me` | Public hostname; feeds `exposedAddress`, the OIDC issuer, redirect URIs, and the dashboard endpoints |
| `netbird_coordinator__trusted_proxies` | `["172.16.0.0/12"]` | Source ranges NetBird trusts `X-Forwarded-*` from (`server.reverseProxy.trustedHTTPProxies`). Must cover Caddy's source IP on the boma network — verify the actual bridge subnet at deploy |
| `netbird_coordinator__manage` | `true` | Set `false` in Molecule to render templates without a Docker daemon |
| `netbird_coordinator__disable_geolocation` | `true` | sets `NB_DISABLE_GEOLOCATION` so a no-egress startup can't FATAL the server on the GeoLite2 download (FRICTION 2026-06-17 #4) |
Production overrides live in `inventories/production/group_vars/`.
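Review bot: The new row's description starts lowercase ("sets `NB_DISABLE_GEOLOCATION` ...") while every other row in this table opens with a capitalised sentence ("Public hostname", "Source ranges", "Set `false`"); change to "Sets `NB_DISABLE_GEOLOCATION` ..." for consistency. It would also help to say in the row that the value is rendered into the compose `environment:` of the combined server container rather than into `config.yaml`, since the two neighbouring rows (`trusted_proxies`, `domain`) describe config.yaml and dashboard settings and a reader may assume the same target.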

View file

@ -6,6 +6,13 @@ netbird_coordinator__dashboard_image: "netbirdio/dashboard:v2.39.0"
netbird_coordinator__base_dir: /opt/services/netbird
netbird_coordinator__domain: netbird.askari.wingu.me
# Disable NetBird's GeoLite2 geolocation (download + lookups). boma uses no geo posture
# (ACL is Allow-All), and the combined server treats a failed GeoLite2 download as FATAL —
# so a transient egress loss (NAT wiped on `nft flush`, or the boot window before Docker
# re-adds NAT) would crash-loop the whole control plane (FRICTION 2026-06-17 #4). Disabling
# removes that dependency. Revisit if a future ACL sub-project wants geo-based posture.
netbird_coordinator__disable_geolocation: true
# Source IP ranges Caddy fronts NetBird from, rendered into config.yaml
# server.reverseProxy.trustedHTTPProxies. NetBird trusts X-Forwarded-* only from
# these. MUST cover the Caddy container's source IP on the boma Docker network —
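Review bot: The comment names the actual trigger (NAT wiped on `nft flush`, the boot window before Docker re-adds NAT) but the wording "Disabling removes that dependency" can be read as closing the crash-loop risk entirely. Consider adding one line stating that this flag only takes the GeoLite2 download off the startup path and that the egress-ordering problem itself is still tracked under FRICTION 2026-06-17 #4, so that a later reader does not treat the NAT issue as resolved by this default.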

View file

@ -30,3 +30,12 @@
- "'v2.39.0' in (_compose.content | b64decode)"
fail_msg: "docker-compose.yml is missing pinned image tags"
success_msg: "docker-compose.yml pins both image tags"
- name: "Assert geolocation is disabled (FRICTION 2026-06-17 #4 — no geo-DB download FATAL)"
ansible.builtin.assert:
that:
- "'NB_DISABLE_GEOLOCATION: \"true\"' in (_compose.content | b64decode)"
fail_msg: >-
compose must set NB_DISABLE_GEOLOCATION=true so a no-egress startup can't FATAL
the coordinator on the GeoLite2 download
success_msg: "geolocation disabled in compose"
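Review bot: The assertion `'NB_DISABLE_GEOLOCATION: \"true\"' in (_compose.content | b64decode)` is coupled to the exact quoting the template emits today; a later change to single quotes or an unquoted `true` (both valid compose YAML with the same effect) would fail the test without any behaviour change. A tolerant check such as `(_compose.content | b64decode) is search('NB_DISABLE_GEOLOCATION:\\s*[\"\\']?true')` keeps the intent. Separately, the `fail_msg` says `NB_DISABLE_GEOLOCATION=true` (env-file form) while the template uses the mapping form `NB_DISABLE_GEOLOCATION: "true"`; align the message with the rendered syntax so the hint matches what the operator will grep for.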

View file

@ -16,6 +16,10 @@ services:
container_name: netbird-server
restart: unless-stopped
command: ["--config", "/etc/netbird/config.yaml"]
environment:
# Disable geolocation so a no-egress startup can't FATAL the control plane
# (FRICTION 2026-06-17 #4). boma uses no geo posture (ACL Allow-All).
NB_DISABLE_GEOLOCATION: "{{ netbird_coordinator__disable_geolocation | string | lower }}"
ports:
- "3478:3478/udp"
volumes:
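Review bot: `{{ netbird_coordinator__disable_geolocation | string | lower }}` only normalises a real boolean; an inventory override of `yes`, `on` or `"True"` (all Ansible-truthy) would be passed through as `yes`/`on`/`true` verbatim, and the Molecule assert in this commit only knows the literal `"true"`. Coerce first, e.g. `NB_DISABLE_GEOLOCATION: "{{ netbird_coordinator__disable_geolocation | bool | string | lower }}"`, so the rendered value is always exactly `true` or `false`. Also worth a short comment on the `environment:` key noting that it is introduced here, since the service had none before and future env vars should be added under it rather than via a second block.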