First real service role. NetBird v0.72.4 self-hosted control plane: single netbirdio/netbird-server:0.72.4 (management + signal + relay + STUN + embedded Dex) plus netbirdio/dashboard:v2.39.0, both on the shared boma Docker network so the M4a Caddy fronts them. Renders docker-compose.yml + config.yaml (secrets from vault.netbird.*, no_log) + dashboard.env. STUN 3478/udp host-exposed; everything else via the proxy. netbird_coordinator__manage gates the compose-up for Molecule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# {{ ansible_managed }}
|
|
server:
|
|
listenAddress: ":80"
|
|
exposedAddress: "https://{{ netbird_coordinator__domain }}:443"
|
|
stunPorts: [3478]
|
|
metricsPort: 9090
|
|
healthcheckAddress: ":9000"
|
|
logLevel: "info"
|
|
logFile: "console"
|
|
authSecret: "{{ vault.netbird.auth_secret }}"
|
|
dataDir: "/var/lib/netbird"
|
|
auth:
|
|
issuer: "https://{{ netbird_coordinator__domain }}/oauth2"
|
|
signKeyRefreshEnabled: true
|
|
dashboardRedirectURIs:
|
|
- "https://{{ netbird_coordinator__domain }}/nb-auth"
|
|
- "https://{{ netbird_coordinator__domain }}/nb-silent-auth"
|
|
cliRedirectURIs:
|
|
- "http://localhost:53000/"
|
|
reverseProxy:
|
|
# to_json (not a loop) so an empty override renders [] not YAML null —
|
|
# null would mean "trust no proxy" and silently break X-Forwarded-* from Caddy.
|
|
trustedHTTPProxies: {{ netbird_coordinator__trusted_proxies | to_json }}
|
|
store:
|
|
engine: "sqlite"
|
|
encryptionKey: "{{ vault.netbird.datastore_key }}"
|
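Review bot: The two secrets at `authSecret:` and `encryptionKey:` are interpolated raw inside YAML double quotes, so a generated value that happens to contain `\` or `"` is either mangled by double-quote escape processing (the service silently runs with a different key) or fails to parse at startup. Piping them through the same filter the `trustedHTTPProxies` line already uses makes them safe for any value: `authSecret: {{ vault.netbird.auth_secret | to_json }}` and `encryptionKey: {{ vault.netbird.datastore_key | to_json }}`. The rendered view has dropped indentation, so the nesting of the keys under `server`, `auth`, `reverseProxy` and `store` cannot be checked here and is worth confirming in the source template. The `metricsPort: 9090` and `healthcheckAddress: ":9000"` listeners are hard-coded and, on the shared boma network, presumably reachable from every other container on it; if the metrics endpoint is unauthenticated, a one-line comment stating that this exposure is intended (or a variable to disable it) would help the next reader.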