boma/roles/netbird_coordinator/templates/config.yaml.j2
sjat ab1b0678ab feat(netbird): coordinator service role (combined server + dashboard, v0.72.4)
First real service role. NetBird v0.72.4 self-hosted control plane: single
netbirdio/netbird-server:0.72.4 (management + signal + relay + STUN + embedded
Dex) plus netbirdio/dashboard:v2.39.0, both on the shared boma Docker network so
the M4a Caddy fronts them. Renders docker-compose.yml + config.yaml (secrets from
vault.netbird.*, no_log) + dashboard.env. STUN 3478/udp host-exposed; everything
else via the proxy. netbird_coordinator__manage gates the compose-up for Molecule.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 17:49:57 +02:00


# {{ ansible_managed }}
server:
  listenAddress: ":80"
  exposedAddress: "https://{{ netbird_coordinator__domain }}:443"
  stunPorts: [3478]
  metricsPort: 9090
  healthcheckAddress: ":9000"
  logLevel: "info"
  logFile: "console"
  authSecret: "{{ vault.netbird.auth_secret }}"
  dataDir: "/var/lib/netbird"
auth:
  issuer: "https://{{ netbird_coordinator__domain }}/oauth2"
  signKeyRefreshEnabled: true
  dashboardRedirectURIs:
    - "https://{{ netbird_coordinator__domain }}/nb-auth"
    - "https://{{ netbird_coordinator__domain }}/nb-silent-auth"
  cliRedirectURIs:
    - "http://localhost:53000/"
reverseProxy:
  # to_json (not a loop) so an empty override renders [] not YAML null —
  # null would mean "trust no proxy" and silently break X-Forwarded-* from Caddy.
  trustedHTTPProxies: {{ netbird_coordinator__trusted_proxies | to_json }}
store:
  engine: "sqlite"
  encryptionKey: "{{ vault.netbird.datastore_key }}"
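The following is an added pre-deploy check, not code from the boma repo: it renders the reverseProxy block with Jinja2 and PyYAML, once with the template's to_json form and once with the loop form the comment warns against, and shows why an empty trusted-proxy override must parse as [] rather than null. The to_json filter is stubbed with json.dumps (Ansible's own filter is assumed to behave the same for a list of strings), and the loop template is a constructed counter-example.

```python
import json
import yaml
from jinja2 import Environment, StrictUndefined

# Constructed: the reverseProxy block from the template above (to_json form).
TEMPLATE_TO_JSON = """\
reverseProxy:
  trustedHTTPProxies: {{ netbird_coordinator__trusted_proxies | to_json }}
"""

# Constructed: the loop variant the template comment rejects. With an empty
# list nothing follows the key, and YAML reads a bare key as null.
TEMPLATE_LOOP = """\
reverseProxy:
  trustedHTTPProxies:
{% for p in netbird_coordinator__trusted_proxies %}
    - "{{ p }}"
{% endfor %}
"""


def render(template: str, proxies: list) -> dict:
    """Render the snippet roughly as Ansible would and parse the YAML.
    StrictUndefined mirrors Ansible failing on undefined variables; to_json is
    stubbed with json.dumps (assumption: equivalent for a list of strings)."""
    env = Environment(undefined=StrictUndefined, trim_blocks=True, lstrip_blocks=True)
    env.filters["to_json"] = json.dumps
    rendered = env.from_string(template).render(
        netbird_coordinator__trusted_proxies=proxies
    )
    return yaml.safe_load(rendered)


def trusted_proxies(cfg: dict):
    """The value NetBird would see for reverseProxy.trustedHTTPProxies."""
    return cfg["reverseProxy"]["trustedHTTPProxies"]


def check_trusted_proxies(cfg: dict) -> list:
    """Lint the rendered config; an empty list of problems means it is safe to ship."""
    problems = []
    value = trusted_proxies(cfg)
    if value is None:
        problems.append("trustedHTTPProxies is null: X-Forwarded-* from Caddy would be ignored")
    elif not isinstance(value, list):
        problems.append(f"trustedHTTPProxies must be a list, got {type(value).__name__}")
    return problems
```

Running check_trusted_proxies against a Molecule-rendered config.yaml catches the null case before the container starts.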