boma/roles/netbird_coordinator/defaults/main.yml

---
# NetBird coordinator (self-hosted mesh-VPN control plane, ADR-016).
# Combined server image (Management + Signal + Relay + STUN) plus the dashboard UI.
netbird_coordinator__server_image: "netbirdio/netbird-server:0.72.4"
netbird_coordinator__dashboard_image: "netbirdio/dashboard:v2.39.0"
netbird_coordinator__base_dir: /opt/services/netbird
netbird_coordinator__domain: netbird.askari.wingu.me

# Disable NetBird's GeoLite2 geolocation (download + lookups). boma uses no geo posture
# (ACL is Allow-All), and the combined server treats a failed GeoLite2 download as FATAL —
# so a transient egress loss (NAT wiped on `nft flush`, or the boot window before Docker
# re-adds NAT) would crash-loop the whole control plane (FRICTION 2026-06-17 #4). Disabling
# removes that dependency. Revisit if a future ACL sub-project wants geo-based posture.
netbird_coordinator__disable_geolocation: true

# Source IP ranges Caddy fronts NetBird from, rendered into config.yaml
# server.reverseProxy.trustedHTTPProxies. NetBird trusts X-Forwarded-* only from
# these. MUST cover the Caddy container's source IP on the boma Docker network —
# verify the actual bridge subnet at deploy (docker network inspect boma) and tighten.
netbird_coordinator__trusted_proxies: ["172.16.0.0/12"]

netbird_coordinator__manage: true  # set false in Molecule to render without Docker

# access__*/backup__* are the ADR-021/022 CROSS-ROLE conventions — shared field names that
# render ACCESS.md/BACKUP.md and drive /check-access · /check-backup. They intentionally do
# NOT carry the netbird_coordinator__ prefix, so each is marked `# noqa: var-naming[no-role-prefix]`
# (ansible-lint's role-prefix rule has no per-prefix allowlist; keeping it enabled elsewhere).

# Operational-access record (ADR-021) — source of truth for ACCESS.md + /check-access.
# Compose project name defaults to the base_dir basename (= "netbird"), not the role name.
access__service: netbird_coordinator  # noqa: var-naming[no-role-prefix]
access__compose_project: netbird  # noqa: var-naming[no-role-prefix]
access__compose_path: "{{ netbird_coordinator__base_dir }}/docker-compose.yml"  # noqa: var-naming[no-role-prefix]
access__containers: [netbird-server, netbird-dashboard]  # noqa: var-naming[no-role-prefix]
access__log:  # noqa: var-naming[no-role-prefix]
  loki_labels: { service: netbird }   # intent; Loki/Alloy pipeline is ADR-018 (pending)
access__api:  # noqa: var-naming[no-role-prefix]
  enabled: true
  # Management REST API at /api (+ gRPC), via Caddy, behind the embedded Dex IdP.
  # Needs a Dex-issued JWT — no unauthenticated admin port (metrics :9090 / health
  # :9000 are in-container only). Admin surface is the dashboard at the same host.
  base_url: "https://{{ netbird_coordinator__domain }}"
  health_path: "/api"
  auth:
    vault_ref: null   # no static token — auth is a per-session Dex-issued JWT (dashboard login)
    note: "Bearer JWT from the embedded Dex IdP; /check-access can't curl this unauthenticated"

# Backup contract (ADR-022). STATEFUL — boma's first. Encrypted SQLite datastore in the
# netbird_data volume (/var/lib/netbird): peers, setup keys, ACLs, embedded-IdP users.
# Decryptable only with vault.netbird.datastore_key (lives in the vault, its own backup).
# Off-site capture is PENDING the fisi pull node + restic repo (ADR-022 Plan 2, not built)
# — an accepted gap for now; see BACKUP.md.
backup__service: netbird_coordinator  # noqa: var-naming[no-role-prefix]
backup__state: true  # noqa: var-naming[no-role-prefix]
backup__paths:  # noqa: var-naming[no-role-prefix]
  - /var/lib/netbird   # netbird_data named volume — encrypted SQLite store
backup__dumps: []  # noqa: var-naming[no-role-prefix]  # embedded SQLite, no logical dump cmd
backup__quiesce: false  # noqa: var-naming[no-role-prefix]  # file-level copy; flip true if inconsistent