sjat
f83d68d7a0
Adds base__mesh_coordinator_pin (default empty = no-op). When set + base__mesh_enabled, a lineinfile task writes "<ip> <fqdn>" to /etc/hosts so a managed mesh host survives a local-DNS hiccup (the 2026-06-18 incident class). FQDN derived from base__mesh_management_url via regex_replace (no community.general). Gated on base__mesh_enabled | bool and pin length; the coordinator host (askari/offsite_hosts) stays exempt. Production pin wired for ubongo (77.42.120.136). Molecule dns_servers fix included (Docker/NetBird DNS incompatibility). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
80 lines
2.5 KiB
YAML
80 lines
2.5 KiB
YAML
---
|
|
# NetBird agent enrollment (ADR-016). Additive only — no firewall change here.
|
|
- name: Install NetBird apt prerequisites
|
|
ansible.builtin.apt:
|
|
name: [ca-certificates, curl, gnupg]
|
|
state: present
|
|
update_cache: true
|
|
when: base__mesh_manage | bool
|
|
tags: [mesh]
|
|
|
|
- name: Ensure /etc/apt/keyrings exists
|
|
ansible.builtin.file:
|
|
path: /etc/apt/keyrings
|
|
state: directory
|
|
mode: "0755"
|
|
when: base__mesh_manage | bool
|
|
tags: [mesh]
|
|
|
|
- name: Add the NetBird APT GPG key
|
|
ansible.builtin.get_url:
|
|
url: https://pkgs.netbird.io/debian/public.key
|
|
dest: /etc/apt/keyrings/netbird.asc
|
|
mode: "0644"
|
|
when: base__mesh_manage | bool
|
|
tags: [mesh]
|
|
|
|
- name: Add the NetBird APT repository
|
|
ansible.builtin.apt_repository:
|
|
repo: >-
|
|
deb [signed-by=/etc/apt/keyrings/netbird.asc]
|
|
https://pkgs.netbird.io/debian stable main
|
|
filename: netbird
|
|
state: present
|
|
when: base__mesh_manage | bool
|
|
tags: [mesh]
|
|
|
|
# The apt pin string can't be confirmed from docs — it might be a bare "0.72.4" or
|
|
# carry a packaging suffix. The live deploy task confirms the exact on-host string.
|
|
- name: Install the NetBird agent (pinned)
|
|
ansible.builtin.apt:
|
|
name: "netbird={{ base__mesh_version }}"
|
|
state: present
|
|
update_cache: true
|
|
when: base__mesh_manage | bool
|
|
tags: [mesh]
|
|
|
|
- name: Check current NetBird connection status
|
|
ansible.builtin.command: netbird status
|
|
register: _netbird_status
|
|
changed_when: false
|
|
failed_when: false
|
|
when: base__mesh_manage | bool
|
|
tags: [mesh]
|
|
|
|
- name: Enrol this host in the mesh
|
|
ansible.builtin.command: >-
|
|
netbird up
|
|
--management-url {{ base__mesh_management_url }}
|
|
--setup-key {{ base__mesh_setup_key }}
|
|
register: _netbird_up
|
|
changed_when: _netbird_up.rc == 0
|
|
when:
|
|
- base__mesh_manage | bool
|
|
- "'Management: Connected' not in (_netbird_status.stdout | default(''))"
|
|
no_log: true # setup key is on the argv
|
|
tags: [mesh]
|
|
|
|
- name: Pin the NetBird coordinator FQDN in /etc/hosts (DNS-resilience, ADR-016 availability / R8)
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/hosts
|
|
regexp: '\s{{ _coordinator_fqdn | regex_escape }}$'
|
|
line: "{{ base__mesh_coordinator_pin }} {{ _coordinator_fqdn }}"
|
|
state: present
|
|
unsafe_writes: true # /etc/hosts is a bind mount in Docker; atomic rename is impossible
|
|
vars:
|
|
_coordinator_fqdn: "{{ base__mesh_management_url | regex_replace('^https?://', '') | regex_replace('[:/].*', '') }}"
|
|
when:
|
|
- base__mesh_enabled | bool
|
|
- base__mesh_coordinator_pin | length > 0
|
|
tags: [mesh]
|