Switch to terraform

ansible/netbird/templates/Caddyfile-no-ssl.j2

@@ -0,0 +1,35 @@
+# =============================================================================
+# NetBird v1.6 Caddyfile - No-SSL Mode (HTTP only, LAN access)
+# =============================================================================
+# WARNING: This configuration transmits data in plaintext.
+# Only use on isolated/air-gapped networks.
+{
+  servers :80 {
+    protocols h1 h2c
+  }
+  # Disable automatic HTTPS
+  auto_https off
+}
+
+:80 {
+    # Embedded IdP OAuth2 endpoints
+    reverse_proxy /oauth2/* management:80
+    reverse_proxy /.well-known/openid-configuration management:80
+    reverse_proxy /.well-known/jwks.json management:80
+
+    # NetBird Relay
+    reverse_proxy /relay* relay:80
+
+    # NetBird Signal (gRPC)
+    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
+
+    # NetBird Management API (gRPC)
+    reverse_proxy /management.ManagementService/* h2c://management:80
+
+    # NetBird Management REST API
+    reverse_proxy /api/* management:80
+
+    # NetBird Dashboard (catch-all)
+    reverse_proxy /* dashboard:80
+}
+}

ansible/netbird/templates/Caddyfile-ssl-ip.j2

@@ -0,0 +1,61 @@
+# =============================================================================
+# NetBird v1.6 Caddyfile - SSL Mode with Public IP (Self-Signed)
+# =============================================================================
+# Uses Caddy's internal CA to generate self-signed certificates for IP access.
+# Note: Let's Encrypt IP certificates are supported but Caddy's implementation
+# is incomplete (issue #7399). Using self-signed as reliable fallback.
+{
+  servers :80,:443 {
+    protocols h1 h2c h2
+  }
+  # Required for IP-based TLS - clients don't send SNI for IP addresses
+  # Docker networking makes Caddy see internal IPs, so we need default_sni
+  default_sni {{ netbird_domain }}
+}
+
+(security_headers) {
+    header * {
+        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        X-XSS-Protection "1; mode=block"
+        -Server
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+}
+
+:80 {
+    # Redirect HTTP to HTTPS
+    redir https://{host}{uri} permanent
+}
+
+# Bind to IP address explicitly so Caddy knows what certificate to generate
+https://{{ netbird_domain }} {
+    # Use Caddy's internal CA for self-signed certificate
+    tls internal {
+        protocols tls1.2 tls1.3
+    }
+
+    import security_headers
+
+    # Embedded IdP OAuth2 endpoints
+    reverse_proxy /oauth2/* management:80
+    reverse_proxy /.well-known/openid-configuration management:80
+    reverse_proxy /.well-known/jwks.json management:80
+
+    # NetBird Relay
+    reverse_proxy /relay* relay:80
+
+    # NetBird Signal (gRPC)
+    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
+
+    # NetBird Management API (gRPC)
+    reverse_proxy /management.ManagementService/* h2c://management:80
+
+    # NetBird Management REST API
+    reverse_proxy /api/* management:80
+
+    # NetBird Dashboard (catch-all)
+    reverse_proxy /* dashboard:80
+}
+}

ansible/netbird/templates/Caddyfile-ssl.j2

@@ -0,0 +1,45 @@
+# =============================================================================
+# NetBird v1.6 Caddyfile - SSL Mode (Let's Encrypt)
+# =============================================================================
+{
+  servers :80,:443 {
+    protocols h1 h2c h2 h3
+  }
+  email {{ letsencrypt_email }}
+}
+
+(security_headers) {
+    header * {
+        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        X-XSS-Protection "1; mode=block"
+        -Server
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+}
+
+{{ netbird_domain }} {
+    import security_headers
+
+    # Embedded IdP OAuth2 endpoints
+    reverse_proxy /oauth2/* management:80
+    reverse_proxy /.well-known/openid-configuration management:80
+    reverse_proxy /.well-known/jwks.json management:80
+
+    # NetBird Relay
+    reverse_proxy /relay* relay:80
+
+    # NetBird Signal (gRPC)
+    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
+
+    # NetBird Management API (gRPC)
+    reverse_proxy /management.ManagementService/* h2c://management:80
+
+    # NetBird Management REST API
+    reverse_proxy /api/* management:80
+
+    # NetBird Dashboard (catch-all)
+    reverse_proxy /* dashboard:80
+}
+}

ansible/netbird/templates/dashboard.env.j2

@@ -0,0 +1,22 @@
+# =============================================================================
+# NetBird Dashboard Environment (v1.6 - Embedded IdP)
+# =============================================================================
+# Uses NetBird's embedded IdP - no external auth required
+
+# Endpoints
+NETBIRD_MGMT_API_ENDPOINT={{ netbird_protocol }}://{{ netbird_domain }}
+NETBIRD_MGMT_GRPC_API_ENDPOINT={{ netbird_protocol }}://{{ netbird_domain }}
+
+# OIDC - using embedded IdP
+AUTH_AUDIENCE=netbird-dashboard
+AUTH_CLIENT_ID=netbird-dashboard
+AUTH_CLIENT_SECRET=
+AUTH_AUTHORITY={{ netbird_protocol }}://{{ netbird_domain }}/oauth2
+USE_AUTH0=false
+AUTH_SUPPORTED_SCOPES=openid profile email groups
+AUTH_REDIRECT_URI=/nb-auth
+AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
+
+# SSL (handled by Caddy)
+NGINX_SSL_PORT=443
+LETSENCRYPT_DOMAIN=none

ansible/netbird/templates/docker-compose.yml.j2

@@ -0,0 +1,97 @@
+# =============================================================================
+# NetBird v1.6 - Lightweight Deployment (No Authentik, No Caddy)
+# =============================================================================
+# Services: Dashboard, Signal, Relay, Management, Coturn
+# Caddy is deployed separately as shared reverse proxy.
+
+services:
+  # ---------------------------------------------------------------------------
+  # NetBird Dashboard
+  # ---------------------------------------------------------------------------
+  dashboard:
+    image: netbirdio/dashboard:{{ dashboard_version }}
+    restart: unless-stopped
+    networks: [netbird]
+    env_file:
+      - {{ netbird_base_dir }}/dashboard.env
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # ---------------------------------------------------------------------------
+  # NetBird Signal Server
+  # ---------------------------------------------------------------------------
+  signal:
+    image: netbirdio/signal:{{ netbird_version }}
+    restart: unless-stopped
+    networks: [netbird]
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # ---------------------------------------------------------------------------
+  # NetBird Relay Server
+  # ---------------------------------------------------------------------------
+  relay:
+    image: netbirdio/relay:{{ netbird_version }}
+    restart: unless-stopped
+    networks: [netbird]
+    env_file:
+      - {{ netbird_base_dir }}/relay.env
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # ---------------------------------------------------------------------------
+  # NetBird Management Server
+  # ---------------------------------------------------------------------------
+  management:
+    image: netbirdio/management:{{ netbird_version }}
+    restart: unless-stopped
+    networks: [netbird]
+    volumes:
+      - netbird_management:/var/lib/netbird
+      - {{ netbird_base_dir }}/management.json:/etc/netbird/management.json
+    command: [
+      "--port", "80",
+      "--log-file", "console",
+      "--log-level", "info",
+      "--disable-anonymous-metrics=false",
+      "--single-account-mode-domain={{ single_account_domain | default(netbird_domain) }}",
+      "--dns-domain={{ netbird_dns_domain }}"
+    ]
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+  # ---------------------------------------------------------------------------
+  # Coturn TURN/STUN Server
+  # ---------------------------------------------------------------------------
+  coturn:
+    image: coturn/coturn:{{ coturn_version }}
+    restart: unless-stopped
+    volumes:
+      - {{ netbird_base_dir }}/turnserver.conf:/etc/coturn/turnserver.conf:ro
+    network_mode: host
+    command:
+      - "-c"
+      - "/etc/coturn/turnserver.conf"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "500m"
+        max-file: "2"
+
+volumes:
+  netbird_management:
+
+networks:
+  netbird:

ansible/netbird/templates/management.json.j2

@@ -0,0 +1,49 @@
+{
+  "Stuns": [
+    {
+      "Proto": "udp",
+      "URI": "stun:{{ netbird_domain }}:3478"
+    }
+  ],
+  "TURNConfig": {
+    "Turns": [
+      {
+        "Proto": "udp",
+        "URI": "turn:{{ netbird_domain }}:3478",
+        "Username": "{{ turn_user }}",
+        "Password": "{{ turn_password }}"
+      }
+    ],
+    "TimeBasedCredentials": false
+  },
+  "Relay": {
+    "Addresses": [
+      "{{ relay_protocol }}://{{ netbird_domain }}:{{ relay_port }}/relay"
+    ],
+    "CredentialsTTL": "168h",
+    "Secret": "{{ relay_secret }}"
+  },
+  "Signal": {
+    "Proto": "{{ netbird_protocol }}",
+    "URI": "{{ netbird_domain }}:{{ signal_port }}"
+  },
+  "Datadir": "/var/lib/netbird",
+  "DataStoreEncryptionKey": "{{ encryption_key }}",
+  "StoreConfig": {
+    "Engine": "sqlite"
+  },
+  "HttpConfig": {
+    "Address": "0.0.0.0:80"
+  },
+  "IdpManagerConfig": {
+    "ManagerType": "none"
+  },
+  "EmbeddedIdP": {
+    "Enabled": true,
+    "Issuer": "{{ netbird_protocol }}://{{ netbird_domain }}/oauth2",
+    "DashboardRedirectURIs": [
+      "{{ netbird_protocol }}://{{ netbird_domain }}/nb-auth",
+      "{{ netbird_protocol }}://{{ netbird_domain }}/nb-silent-auth"
+    ]
+  }
+}

ansible/netbird/templates/relay.env.j2

@@ -0,0 +1,8 @@
+# =============================================================================
+# NetBird Relay Environment
+# =============================================================================
+
+NB_LOG_LEVEL=info
+NB_LISTEN_ADDRESS=:80
+NB_EXPOSED_ADDRESS={{ relay_protocol }}://{{ netbird_domain }}:{{ relay_port }}/relay
+NB_AUTH_SECRET={{ relay_secret }}

ansible/netbird/templates/turnserver.conf.j2

@@ -0,0 +1,15 @@
+# =============================================================================
+# Coturn TURN/STUN Server Configuration
+# =============================================================================
+
+listening-port=3478
+external-ip={{ ansible_default_ipv4.address }}
+relay-ip={{ ansible_default_ipv4.address }}
+fingerprint
+lt-cred-mech
+user={{ turn_user }}:{{ turn_password }}
+realm={{ netbird_domain }}
+log-file=stdout
+no-tls
+no-dtls
+no-cli