Clean up Ansible templates, fix variable escaping, and remove redundant Terraform mappings.

Author: onelrian

infrastructure/ansible-stack/ha.tfvars.example

@@ -0,0 +1,60 @@
+# =============================================================================
+# NETBIRD HIGH-AVAILABILITY DEPLOYMENT (MULTI-NODE + MANAGED DB)
+# =============================================================================
+# Production-ready configuration with separate roles and High Availability.
+# =============================================================================
+
+# 1. Main Configuration
+netbird_domain  = "vpn.example.com"
+environment     = "prod"
+aws_region      = "us-east-1" # Only needed if creating AWS RDS
+
+# 2. Host Configuration (Distributed roles)
+netbird_hosts = {
+  "management-01" = {
+    public_ip  = "1.2.3.10"
+    private_ip = "10.0.1.10"
+    roles      = ["management"]
+    ssh_user   = "ubuntu"
+  },
+  "relay-01" = {
+    public_ip  = "1.2.3.20"
+    private_ip = "10.0.1.20"
+    roles      = ["relay"]
+    ssh_user   = "ubuntu"
+  },
+  "proxy-01" = {
+    public_ip  = "1.2.3.30"
+    private_ip = "10.0.1.30"
+    roles      = ["proxy"]
+    ssh_user   = "ubuntu"
+  }
+}
+
+# 3. Database (Using Managed AWS RDS PostgreSQL)
+database_type                    = "postgresql"
+database_mode                    = "create"
+cloud_provider                   = "aws"
+postgresql_instance_class        = "db.t3.medium"
+postgresql_storage_gb            = 50
+postgresql_password              = "REPLACE_WITH_SECURE_DB_PASSWORD"
+postgresql_multi_az              = true
+postgresql_backup_retention_days = 30
+enable_ha                        = true
+
+# 4. Identity Provider (Keycloak)
+keycloak_url            = "https://keycloak.example.com"
+keycloak_admin_username = "admin"
+keycloak_admin_password = "REPLACE_WITH_KEYCLOAK_ADMIN_PASSWORD"
+realm_name              = "netbird"
+
+# 5. NetBird Admin Dashboard
+netbird_admin_email    = "admin@example.com"
+netbird_admin_password = "REPLACE_WITH_SECURE_ADMIN_PASSWORD"
+
+# 6. SSH Credentials for Ansible
+ssh_private_key_path = "~/.ssh/id_rsa"
+
+# 7. (Optional) Service secrets - Generated automatically if left empty
+# relay_auth_secret      = ""
+# netbird_encryption_key = ""

infrastructure/ansible-stack/main.tf

@@ -64,9 +64,11 @@ resource "random_id" "netbird_encryption_key" {
 
 resource "local_file" "ansible_inventory" {
   content = templatefile("${path.module}/templates/inventory.yaml.tpl", {
-    netbird_domain    = var.netbird_domain
-    netbird_version   = var.netbird_version
-    netbird_log_level = var.netbird_log_level
+    netbird_domain         = var.netbird_domain
+    netbird_version        = var.netbird_version
+    netbird_log_level      = var.netbird_log_level
+    caddy_version          = var.caddy_version
+    docker_compose_version = var.docker_compose_version
 
     # Database
     database_type        = module.database.database_type
@@ -90,10 +92,6 @@ resource "local_file" "ansible_inventory" {
 
     relay_auth_secret      = var.relay_auth_secret != "" ? var.relay_auth_secret : random_password.relay_auth_secret.result
     netbird_encryption_key = var.netbird_encryption_key != "" ? var.netbird_encryption_key : random_id.netbird_encryption_key.b64_std
-    netbird_log_level      = var.netbird_log_level
-    netbird_version        = var.netbird_version
-    caddy_version          = var.caddy_version
-    docker_compose_version = var.docker_compose_version
 
 
     # Compute relay addresses list for management.json (rels://IP:443 format)

infrastructure/ansible-stack/single-node.tfvars.example

@@ -0,0 +1,35 @@
+# =============================================================================
+# NETBIRD SINGLE-NODE DEPLOYMENT (DOCKER + SQLITE)
+# =============================================================================
+# Simplest possible configuration for testing or small-scale use.
+# All roles (management, signal, dashboard, relay, proxy) on a single server.
+# =============================================================================
+
+# 1. Main Configuration
+netbird_domain  = "vpn.example.com"
+environment     = "dev"
+
+# 2. Host Configuration (One VM for everything)
+netbird_hosts = {
+  "netbird-all-in-one" = {
+    public_ip = "1.2.3.4"
+    roles     = ["management", "relay", "proxy"] # Includes all NetBird services
+    ssh_user  = "ubuntu"
+  }
+}
+
+# 3. Database (SQLite is local to the server)
+database_type        = "sqlite"
+sqlite_database_path = "/var/lib/netbird/store.db"
+
+# 4. Identity Provider (Keycloak)
+keycloak_url            = "https://keycloak.example.com"
+keycloak_admin_username = "admin"
+keycloak_admin_password = "REPLACE_WITH_KEYCLOAK_ADMIN_PASSWORD"
+
+# 5. NetBird Admin Dashboard
+netbird_admin_email    = "admin@example.com"
+netbird_admin_password = "REPLACE_WITH_SECURE_ADMIN_PASSWORD"
+
+# 6. SSH Credentials for Ansible
+ssh_private_key_path = "~/.ssh/id_rsa"

infrastructure/ansible-stack/terraform.tfvars

@@ -1,43 +1,93 @@
-# ============================================
-# NETBIRD DEPLOYMENT CONFIGURATION
-# ============================================
+# =============================================================================
+# NETBIRD TERRAFORM + ANSIBLE STACK - CONFIGURATION EXAMPLE
+# =============================================================================
+# Use this file as a template for your deployment.
+# Copy it to 'terraform.tfvars' and update the values.
+# =============================================================================
 
-# Define your hosts and their roles here
-# Roles: management, relay, proxy
-# For single-node deployment, assign all roles to one host
+# -----------------------------------------------------------------------------
+# 1. Environment & Network
+# -----------------------------------------------------------------------------
+environment     = "prod"
+aws_region      = "us-east-1"
+netbird_domain  = "vpn.example.com"
+
+# -----------------------------------------------------------------------------
+# 2. Inventory Configuration
+# -----------------------------------------------------------------------------
+# Map your servers to roles: management, relay, proxy
+# For a single-node setup, assign all roles to one host.
 netbird_hosts = {
-  "netbird-server" = {
-    public_ip  = "1.2.3.4"
-    private_ip = "10.0.0.1"
+  "netbird-main" = {
+    public_ip  = "1.2.3.4"      # Public IP reachable by clients and Ansible
+    private_ip = "10.0.0.1"    # Optional: Internal IP for inter-service communication
     roles      = ["management", "relay", "proxy"]
-    ssh_user   = "ubuntu"
+    ssh_user   = "ubuntu"       # Default user for Ansible connection
   }
 }
 
-# Database Backend Selection
+# -----------------------------------------------------------------------------
+# 3. Database Selection
+# -----------------------------------------------------------------------------
+
+# --- OPTION A: SQLite (Simpler, local file) ---
 database_type        = "sqlite"
-database_mode        = "existing"
 sqlite_database_path = "/var/lib/netbird/store.db"
-enable_ha            = false
 
-# Common Variables
-netbird_domain  = "vpn.example.com"
-environment     = "prod"
+# --- OPTION B: Existing PostgreSQL (Recommended for production) ---
+# database_type                  = "postgresql"
+# database_mode                  = "existing"
+# existing_postgresql_host       = "db.example.com"
+# existing_postgresql_port       = 5432
+# existing_postgresql_database   = "netbird"
+# existing_postgresql_username   = "netbird_user"
+# existing_postgresql_password   = "REPLACE_WITH_SECURE_PASSWORD"
+# existing_postgresql_sslmode    = "require"
 
-# Keycloak Configuration
-keycloak_url                 = "https://keycloak.example.com/auth"
+# --- OPTION C: Create Managed PostgreSQL (Cloud-native) ---
+# database_type                    = "postgresql"
+# database_mode                    = "create"
+# cloud_provider                   = "aws" # options: aws, gcp, azure
+# postgresql_instance_class        = "db.t3.medium"
+# postgresql_storage_gb            = 20
+# postgresql_database_name         = "netbird"
+# postgresql_username              = "netbird_admin"
+# postgresql_password              = "REPLACE_WITH_SECURE_PASSWORD"
+# postgresql_multi_az              = false # set to true for high availability
+# postgresql_backup_retention_days = 7
+
+# -----------------------------------------------------------------------------
+# 4. Identity Provider (Keycloak) Configuration
+# -----------------------------------------------------------------------------
+# NetBird requires an OIDC provider. This module configures a Keycloak realm.
+keycloak_url                 = "https://keycloak.example.com"
 keycloak_admin_username      = "admin"
-keycloak_admin_password      = "CHANGE_ME"
+keycloak_admin_password      = "REPLACE_WITH_KEYCLOAK_ADMIN_PASSWORD"
 keycloak_use_existing_realm  = false
+realm_name                   = "netbird"
+
+# -----------------------------------------------------------------------------
+# 5. NetBird Application Secrets
+# -----------------------------------------------------------------------------
+# Default NetBird Dashboard Administrator
+netbird_admin_email          = "admin@example.com"
+netbird_admin_password       = "REPLACE_WITH_SECURE_ADMIN_PASSWORD"
 
-# Authentication Secrets (Leave empty to generate automatically)
-relay_auth_secret      = ""
-netbird_encryption_key = ""
-netbird_log_level      = "info"
+# Secrets generation:
+# If left empty, Terraform will generate secure random strings automatically.
+relay_auth_secret            = ""
+netbird_encryption_key       = "" # 32-byte base64 key for sensitive data at rest
+netbird_log_level            = "info"
 
-# Default Administrator
-netbird_admin_email    = "admin@example.com"
-netbird_admin_password = "CHANGE_ME"
+# -----------------------------------------------------------------------------
+# 6. Version Pinning
+# -----------------------------------------------------------------------------
+netbird_version              = "latest"
+caddy_version                = "latest"
+docker_compose_version       = "v2.24.0"
 
-# SSH Configuration for Ansible
-ssh_private_key_path = "~/.ssh/id_rsa"
+# -----------------------------------------------------------------------------
+# 7. Ansible Connection Settings
+# -----------------------------------------------------------------------------
+# Path to the private key used to SSH into 'netbird_hosts'
+ssh_private_key_path         = "~/.ssh/id_rsa"