--- # NetBird coordinator (self-hosted mesh-VPN control plane, ADR-016). # Combined server image (Management + Signal + Relay + STUN) plus the dashboard UI. netbird_coordinator__server_image: "netbirdio/netbird-server:0.72.4" netbird_coordinator__dashboard_image: "netbirdio/dashboard:v2.39.0" netbird_coordinator__base_dir: /opt/services/netbird netbird_coordinator__domain: netbird.askari.wingu.me # Disable NetBird's GeoLite2 geolocation (download + lookups). boma uses no geo posture # (ACL is Allow-All), and the combined server treats a failed GeoLite2 download as FATAL — # so a transient egress loss (NAT wiped on `nft flush`, or the boot window before Docker # re-adds NAT) would crash-loop the whole control plane (FRICTION 2026-06-17 #4). Disabling # removes that dependency. Revisit if a future ACL sub-project wants geo-based posture. netbird_coordinator__disable_geolocation: true # Source IP ranges Caddy fronts NetBird from, rendered into config.yaml # server.reverseProxy.trustedHTTPProxies. NetBird trusts X-Forwarded-* only from # these. MUST cover the Caddy container's source IP on the boma Docker network — # verify the actual bridge subnet at deploy (docker network inspect boma) and tighten. netbird_coordinator__trusted_proxies: ["172.16.0.0/12"] netbird_coordinator__manage: true # set false in Molecule to render without Docker # access__*/backup__* are the ADR-021/022 CROSS-ROLE conventions — shared field names that # render ACCESS.md/BACKUP.md and drive /check-access · /check-backup. They intentionally do # NOT carry the netbird_coordinator__ prefix, so each is marked `# noqa: var-naming[no-role-prefix]` # (ansible-lint's role-prefix rule has no per-prefix allowlist; keeping it enabled elsewhere). # Operational-access record (ADR-021) — source of truth for ACCESS.md + /check-access. # Compose project name defaults to the base_dir basename (= "netbird"), not the role name. access__service: netbird_coordinator # noqa: var-naming[no-role-prefix] access__compose_project: netbird # noqa: var-naming[no-role-prefix] access__compose_path: "{{ netbird_coordinator__base_dir }}/docker-compose.yml" # noqa: var-naming[no-role-prefix] access__containers: [netbird-server, netbird-dashboard] # noqa: var-naming[no-role-prefix] access__log: # noqa: var-naming[no-role-prefix] loki_labels: { service: netbird } # intent; Loki/Alloy pipeline is ADR-018 (pending) access__api: # noqa: var-naming[no-role-prefix] enabled: true # Management REST API at /api (+ gRPC), via Caddy, behind the embedded Dex IdP. # Needs a Dex-issued JWT — no unauthenticated admin port (metrics :9090 / health # :9000 are in-container only). Admin surface is the dashboard at the same host. base_url: "https://{{ netbird_coordinator__domain }}" health_path: "/api" auth: vault_ref: null # no static token — auth is a per-session Dex-issued JWT (dashboard login) note: "Bearer JWT from the embedded Dex IdP; /check-access can't curl this unauthenticated" # Backup contract (ADR-022). STATEFUL — boma's first. Encrypted SQLite datastore in the # netbird_data volume (/var/lib/netbird): peers, setup keys, ACLs, embedded-IdP users. # Decryptable only with vault.netbird.datastore_key (lives in the vault, its own backup). # Off-site capture is PENDING the fisi pull node + restic repo (ADR-022 Plan 2, not built) # — an accepted gap for now; see BACKUP.md. backup__service: netbird_coordinator # noqa: var-naming[no-role-prefix] backup__state: true # noqa: var-naming[no-role-prefix] backup__paths: # noqa: var-naming[no-role-prefix] - /var/lib/netbird # netbird_data named volume — encrypted SQLite store backup__dumps: [] # noqa: var-naming[no-role-prefix] # embedded SQLite, no logical dump cmd backup__quiesce: false # noqa: var-naming[no-role-prefix] # file-level copy; flip true if inconsistent