Switch to terraform

2026-02-15 18:37:15 +02:00
commit a7062b43ab
70 changed files with 6063 additions and 0 deletions
--- a/ansible/netbird/generate-vault.sh
+++ b/ansible/netbird/generate-vault.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# =============================================================================
+# Generate vault.yml with random passwords
+# =============================================================================
+# Usage: ./generate-vault.sh
+# Output: group_vars/vault.yml (ready to encrypt)
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+VAULT_FILE="$SCRIPT_DIR/group_vars/vault.yml"
+
+# Generate alphanumeric passwords (no special chars - safe for connection strings)
+generate_password() {
+    local length=${1:-32}
+    openssl rand -base64 48 | tr -d '/+=\n' | head -c "$length"
+}
+
+# Generate base64 encryption key (for AES-256-GCM)
+generate_encryption_key() {
+    openssl rand -base64 32
+}
+
+echo "Generating vault.yml with random passwords..."
+
+cat > "$VAULT_FILE" << EOF
+---
+# =============================================================================
+# NetBird v1.6 Vault Secrets
+# =============================================================================
+# Generated: $(date -Iseconds)
+# Encrypt with: ansible-vault encrypt group_vars/vault.yml
+
+# TURN server password
+vault_turn_password: "$(generate_password 32)"
+
+# Relay secret
+vault_relay_secret: "$(generate_password 32)"
+
+# Encryption key for embedded IdP (AES-256-GCM)
+# CRITICAL: Back this up! Loss prevents recovery of user data.
+vault_encryption_key: "$(generate_encryption_key)"
+
+# =============================================================================
+# User Provisioning
+# =============================================================================
+
+# Initial admin password (for setup-bootstrap.yml)
+vault_admin_password: "$(generate_password 20)"
+
+# Service user PAT for API automation
+# LEAVE EMPTY - fill after running setup-bootstrap.yml and creating PAT in dashboard
+vault_netbird_service_pat: ""
+EOF
+
+echo ""
+echo "Generated: $VAULT_FILE"
+echo ""
+echo "Contents:"
+echo "----------------------------------------"
+cat "$VAULT_FILE"
+echo "----------------------------------------"
+echo ""
+echo "Next steps:"
+echo "  1. Review the file above"
+echo "  2. Encrypt: ansible-vault encrypt group_vars/vault.yml"
+echo "  3. Deploy: ansible-playbook -i inventory.yml playbook-ssl-ip.yml --ask-vault-pass"
+echo "  4. Bootstrap: ansible-playbook -i inventory.yml setup-bootstrap.yml --ask-vault-pass"
+echo "  5. Create service user PAT in dashboard, add to vault.yml"
+echo "  6. Groups: ansible-playbook -i inventory.yml setup-groups.yml --ask-vault-pass"
+echo "  7. Users: ansible-playbook -i inventory.yml setup-users.yml --ask-vault-pass"