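---
# NetBird agent enrollment (ADR-016). Additive only — no firewall change here.
#
# Flow: apt prerequisites -> keyring directory -> vendor signing key ->
# apt source bound to that key -> pinned agent install -> status probe ->
# enrolment (only when the probe does not report a connected management link).
# Every task is gated on `base__mesh_manage | bool` and tagged `mesh`.

- name: Install NetBird apt prerequisites
  ansible.builtin.apt:
    name: [ca-certificates, curl, gnupg]
    state: present
    update_cache: true
  when: base__mesh_manage | bool
  tags: [mesh]

- name: Ensure /etc/apt/keyrings exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"
  when: base__mesh_manage | bool
  tags: [mesh]

# Trust anchor for every later NetBird package install. Without a checksum the
# key is trusted on first download, protected only by TLS to pkgs.netbird.io.
# To pin it, set base__mesh_apt_key_checksum to
# "sha256:<digest verified out of band>"; when the variable is undefined the
# parameter is omitted and the download behaves as before.
- name: Add the NetBird APT GPG key
  ansible.builtin.get_url:
    url: https://pkgs.netbird.io/debian/public.key
    dest: /etc/apt/keyrings/netbird.asc
    mode: "0644"
    checksum: "{{ base__mesh_apt_key_checksum | default(omit) }}"
  when: base__mesh_manage | bool
  tags: [mesh]

# signed-by scopes the key to this one source, so it cannot vouch for packages
# from any other repository configured on the host.
- name: Add the NetBird APT repository
  ansible.builtin.apt_repository:
    repo: >-
      deb [signed-by=/etc/apt/keyrings/netbird.asc]
      https://pkgs.netbird.io/debian stable main
    filename: netbird
    state: present
  when: base__mesh_manage | bool
  tags: [mesh]

# The apt pin string can't be confirmed from docs — it might be a bare "0.72.4"
# or carry a packaging suffix. The live deploy task confirms the exact on-host
# string.
- name: Install the NetBird agent (pinned)
  ansible.builtin.apt:
    name: "netbird={{ base__mesh_version }}"
    state: present
    update_cache: true
  when: base__mesh_manage | bool
  tags: [mesh]

# Read-only probe: never reports "changed" and never fails the play; a
# non-zero exit simply leaves stdout without the marker the next task
# looks for.
- name: Check current NetBird connection status
  ansible.builtin.command: netbird status
  register: _netbird_status
  changed_when: false
  failed_when: false
  when: base__mesh_manage | bool
  tags: [mesh]

# The setup key is an enrolment credential. It is handed to the CLI through
# the task environment (the NetBird CLI reads NB_-prefixed variables as flag
# values) rather than on the command line, because process arguments are
# readable by any local user through the process table while the command runs.
# NOTE(review): confirm on first deploy that the pinned agent version honours
# NB_SETUP_KEY.
# argv form passes the management URL as a single argument, so whitespace or
# shell metacharacters in the variable cannot split it into extra arguments.
- name: Enrol this host in the mesh
  ansible.builtin.command:
    argv:
      - netbird
      - up
      - --management-url
      - "{{ base__mesh_management_url }}"
  environment:
    NB_SETUP_KEY: "{{ base__mesh_setup_key }}"
  register: _netbird_up
  changed_when: _netbird_up.rc == 0
  when:
    - base__mesh_manage | bool
    - "'Management: Connected' not in (_netbird_status.stdout | default(''))"
  # Keep the rendered task (including the environment) out of logs and
  # callback output.
  no_log: true
  tags: [mesh]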