Replace tailscale with netbird

.terraform.lock.hcl

@@ -106,23 +106,6 @@ provider "registry.opentofu.org/hashicorp/aws" {
   ]
 }
 
-provider "registry.opentofu.org/hashicorp/external" {
-  version = "2.3.5"
-  hashes = [
-    "h1:jcVmeuuz74tdRt2kj0MpUG9AORdlAlRRQ3k61y0r5Vc=",
-    "zh:1fb9aca1f068374a09d438dba84c9d8ba5915d24934a72b6ef66ef6818329151",
-    "zh:3eab30e4fcc76369deffb185b4d225999fc82d2eaaa6484d3b3164a4ed0f7c49",
-    "zh:4f8b7a4832a68080f0bf4f155b56a691832d8a91ce8096dac0f13a90081abc50",
-    "zh:5ff1935612db62e48e4fe6cfb83dfac401b506a5b7b38342217616fbcab70ce0",
-    "zh:993192234d327ec86726041eb6d1efb001e41f32e4518ad8b9b162130b65ee9a",
-    "zh:ce445e68282a2c4b2d1f994a2730406df4ea47914c0932fb4a7eb040a7ec7061",
-    "zh:e305e17216840c54194141fb852839c2cedd6b41abd70cf8d606d6e88ed40e64",
-    "zh:edba65fb241d663c09aa2cbf75026c840e963d5195f27000f216829e49811437",
-    "zh:f306cc6f6ec9beaf75bdcefaadb7b77af320b1f9b56d8f50df5ebd2189a93148",
-    "zh:fb2ff9e1f86796fda87e1f122d40568912a904da51d477461b850d81a0105f3d",
-  ]
-}
-
 provider "registry.opentofu.org/hashicorp/random" {
   version = "3.7.2"
   hashes = [
@@ -219,6 +202,29 @@ provider "registry.opentofu.org/l-with/mailcow" {
   ]
 }
 
+provider "registry.opentofu.org/netbirdio/netbird" {
+  version     = "0.0.7"
+  constraints = "0.0.7"
+  hashes = [
+    "h1:M2OfShNKghRoUZEgvD3DwI5Uagrf4GJyy2QfI+QPF7w=",
+    "zh:0124fc449b2cd6c2480b2070b7afae2134bc5d2aa1bffb6c2d8cdf6b1c75487e",
+    "zh:36bdd659d95c6e946c5dc2d4195e4bd93d45c65b3209c5d78c74bfaeffbbc57a",
+    "zh:643dc1fa617207ca53f6c245593f1decea020ca844dd861b4891dc8881b8ee62",
+    "zh:82ea3052a29cb80e03598824a56761d9ca8a985c1cd3c6ab5efe303daabe7bac",
+    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+    "zh:8b5f15f9d7b8720054a5a55a7e308640cc8e563a6984c1e154d20ce5e5f07523",
+    "zh:997d87b0827b64fc872a1d4d011bc9e882b38807db2947960d8384a10d272729",
+    "zh:a00be39fcadeef3078a5ebcace40d7f7826217468c8965dc55740dc9daf04c79",
+    "zh:a4542f5258af44644f354c2af976ba999ce8fbcb6bfefddde19ed30c1ba0c59a",
+    "zh:c06acd71e85f8557cff045845d2c84b5d3c09f1e2637d94a1f28d3fb91d24bc1",
+    "zh:cb55742b7013197a6c5ac9c2e4666a744827d9159cbdc092f81f070591a43d04",
+    "zh:dd8d7a968d988f63ffb1c5f92ae4fee42b3498b97579ebac1d2410e8cb0f6b98",
+    "zh:e32775debbd30283dd1b69a1809324da78d017f9d16fe2ac36d2bf4565927be4",
+    "zh:eaf597ff9f515f6f50349cada7020b07f227e35b0b0977af6e4e22caf1f30db7",
+    "zh:fb4cf6f2c2ea267fdee54192e9692c3d004c7116a26dc256bca4601b9617245a",
+  ]
+}
+
 provider "registry.opentofu.org/ovh/ovh" {
   version     = "0.48.0"
   constraints = "~> 0.48.0"
@@ -262,25 +268,3 @@ provider "registry.opentofu.org/scaleway/scaleway" {
     "zh:d6c1ba9f8b9589e7508c53e071a13e9f2acaf4eb192b9bbb9d981e9f09b7e87d",
   ]
 }
-
-provider "registry.opentofu.org/tailscale/tailscale" {
-  version     = "0.16.2"
-  constraints = "~> 0.16.0"
-  hashes = [
-    "h1:m8r5+K4JWe+tdT4IyryZkAQ7d38GVPtoQ9mzp+5Scaw=",
-    "zh:2a37ef43b88ad8e26ecad79e6b34a896769be2b7d18140f855f6063775367841",
-    "zh:3867d3331b59c8281dd8a742260b22e18750ae84a9bd2009e8f9d90412d2c044",
-    "zh:5e5e5ee08e0ecefa08a0ce7a9281a858f9b3a2a66bc9c06802b1624a1cb3eae0",
-    "zh:6298e8ed55bccd5513060e0d357d055919b3a22146fcfb6c34881efd49ec33f8",
-    "zh:6ce0ab6564fbbc673ab98ce4b7db7d64258a916394436a005d14b25c3ea58ad1",
-    "zh:6fdc1fb66074d2af5124a6988f81efdc77011b185e710629140e87ffb8624956",
-    "zh:7ff7888d77a17b18c9bdc9dfc1bf1e7f98f512410c29d1a8c2e6c21c8fe2a5c4",
-    "zh:9cafb8660daffd5c9c490d4529c7ba3d691fee5e4093b55e73f188b17e34cead",
-    "zh:b11e0e1b6c8485eb832336a69be02dfae151b71350e25288ec7bf0637df35485",
-    "zh:c7371d0dcde253fcd1808f86be2fcfc6e0b6ec82aa714e5dc6b533ba10007d48",
-    "zh:dcddd847b8a03a3b7c9288d68e781d65a3b911ef9cc96df9502a2d069195ae42",
-    "zh:dfd37ec661fe5b1520b595dcb93cca65f716270edc173a393a600c85b3f842d7",
-    "zh:e3b623167859344ed93f4125e97d24c5793246ccb329e4d82b2d9d8e5c356380",
-    "zh:f4d38ec08191ae70ef05ffd3943df1c27e2b11192a02e1979498a59ea1881ee3",
-  ]
-}

dns/functions.js

@@ -36,7 +36,6 @@ function my_host_record(target, host, vpn) {
 	if (vpn) {
 		return [
 			A(target, host.ipv4_address_vpn),
-			AAAA(target, host.ipv6_address_vpn)
 		];
 	}
 	else {

main.tf

@@ -21,6 +21,10 @@ terraform {
       source  = "aminueza/minio"
       version = "~> 3.5.2"
     }
+    netbird = {
+      source = "netbirdio/netbird"
+      version = "0.0.7"
+    }
     ovh = {
       source = "ovh/ovh"
       version = "~> 0.48.0"
@@ -29,10 +33,6 @@ terraform {
       source = "scaleway/scaleway"
       version = "~> 2.53.0"
     }
-    tailscale = {
-      source = "tailscale/tailscale"
-      version = "~> 0.16.0"
-    }
 
     authentik = {
       source = "goauthentik/authentik"
@@ -97,6 +97,10 @@ provider "minio" {
   minio_ssl      = true
 }
 
+provider "netbird" {
+  token          = var.netbird_token        # Required
+}
+
 provider "ovh" {
   endpoint = "ovh-eu"
   application_key = var.ovh_application_key
@@ -113,11 +117,6 @@ provider "scaleway" {
   zone = "nl-ams-1"
 }
 
-provider "tailscale" {
-  api_key = var.tailscale_api_key
-  tailnet = var.tailscale_tailnet
-}
-
 module "infrastructure" {
   source = "./modules/infrastructure"
 

modules/infrastructure/hcloud.tf

@@ -35,7 +35,7 @@ resource "hcloud_server" "nodes" {
   server_type = each.value.server_type
   ssh_keys    = [hcloud_ssh_key.default.id]
   user_data   = templatefile("./templates/cloud-init.yaml.tpl", {
-    tailscale_authkey = each.value.ephemeral ? tailscale_tailnet_key.cloud_init_ephemeral_key.key : tailscale_tailnet_key.cloud_init_key.key,
+    netbird_setup_key = each.value.ephemeral ? netbird_setup_key.cloud_init_ephemeral_key.key : netbird_setup_key.cloud_init_key.key,
     default_ssh_key = var.default_ssh_key.public_key
     hostname        = each.value.hostname
   })

modules/infrastructure/main.tf

@@ -12,6 +12,10 @@ terraform {
       source = "kristofferahl/healthchecksio"
       version = "~> 1.6.0"
     }
+    netbird = {
+      source = "netbirdio/netbird"
+      version = "0.0.7"
+    }
     ovh = {
       source = "ovh/ovh"
       version = "~> 0.48.0"
@@ -20,10 +24,6 @@ terraform {
       source = "scaleway/scaleway"
       version = "~> 2.53.0"
     }
-    tailscale = {
-      source = "tailscale/tailscale"
-      version = "~> 0.16.0"
-    }
   }
 }
 

modules/infrastructure/netbird.tf

@@ -0,0 +1,30 @@
+data "netbird_group" "servers" {
+  name = "servers"
+}
+
+resource "netbird_setup_key" "cloud_init_key" {
+  name        = "Cloud-init key used by opentofu"
+  ephemeral   = false
+  auto_groups = [data.netbird_group.servers.id]
+  type        = "reusable"
+  expiry_seconds = 21600 # 6 hours
+}
+resource "netbird_setup_key" "cloud_init_ephemeral_key" {
+  name        = "Ephemeral cloud-init key used by opentofu"
+  ephemeral   = true
+  auto_groups = [data.netbird_group.servers.id]
+  type        = "reusable"
+  expiry_seconds = 21600 # 6 hours
+}
+
+resource "time_sleep" "wait_for_hosts" {
+  for_each = var.hosts
+  depends_on = [hcloud_server.nodes]
+  create_duration = "60s"
+}
+
+data "netbird_peer" "nodes" {
+  for_each = var.hosts
+  depends_on = [time_sleep.wait_for_hosts]
+  name = each.value.hostname
+}

modules/infrastructure/output.tf

@@ -16,11 +16,7 @@ output "hosts" {
       )
 
       "ipv4_address_vpn" = try(
-        local.tailscale_host_addresses_ipv4[key],
+        data.netbird_peer.nodes[key].ip,
-        null
-      )
-      "ipv6_address_vpn" = try(
-        local.tailscale_host_addresses_ipv6[key],
         null
       )
     }

modules/infrastructure/ovh.tf

@@ -22,26 +22,6 @@ locals {
       },
     }
   ]...)
-
-  tailscale_host_addresses_ipv4 = merge([
-    for host, _ in var.hosts : {
-      "${host}" = [
-        for address in data.tailscale_device.nodes[host].addresses :
-          address
-          if !strcontains(address, ":")
-      ][0]
-    }
-  ]...)
-
-  tailscale_host_addresses_ipv6 = merge([
-    for host, _ in var.hosts : {
-      "${host}" = [
-        for address in data.tailscale_device.nodes[host].addresses :
-          address
-          if strcontains(address, ":")
-      ][0]
-    }
-  ]...)
 }
 
 resource "ovh_domain_zone_record" "server_records" {
@@ -53,22 +33,13 @@ resource "ovh_domain_zone_record" "server_records" {
   target    = each.value.address
 }
 
-resource "ovh_domain_zone_record" "tailscale_vpn_ipv4" {
+resource "ovh_domain_zone_record" "netbird_vpn_ipv4" {
-  for_each  = local.tailscale_host_addresses_ipv4
+  for_each  = data.netbird_peer.nodes
   zone      = "serguzim.net"
-  subdomain = "${each.key}.vpn"
+  subdomain = "${each.value.name}.vpn"
   fieldtype = "A"
   ttl       = 600
-  target    = each.value
+  target    = each.value.ip
-}
-
-resource "ovh_domain_zone_record" "tailscale_vpn_ipv6" {
-  for_each  = local.tailscale_host_addresses_ipv6
-  zone      = "serguzim.net"
-  subdomain = "${each.key}.vpn"
-  fieldtype = "AAAA"
-  ttl       = 600
-  target    = each.value
 }
 
 resource "ovh_domain_zone_record" "gpg_verify" {

modules/infrastructure/tailscale.tf

@@ -1,27 +0,0 @@
-resource "tailscale_tailnet_key" "cloud_init_key" {
-  reusable      = true
-  ephemeral     = false
-  preauthorized = true
-  expiry        = 21600 # 6 hours
-  description   = "Cloud-init key used by opentofu"
-}
-resource "tailscale_tailnet_key" "cloud_init_ephemeral_key" {
-  reusable      = true
-  ephemeral     = true
-  preauthorized = true
-  expiry        = 21600 # 6 hours
-  description   = "Ephemeral cloud-init key used by opentofu"
-}
-
-resource "time_sleep" "wait_for_hosts" {
-  for_each = var.hosts
-  depends_on = [hcloud_server.nodes]
-  create_duration = "60s"
-}
-
-data "tailscale_device" "nodes" {
-  for_each = var.hosts
-  depends_on = [time_sleep.wait_for_hosts]
-  hostname = each.value.hostname
-  wait_for = "60s"
-}

playbooks/roles/software/handlers/main.yml

@@ -1,11 +1,11 @@
 ---
-- name: Restart tailscaled
+- name: Restart netbird
   ansible.builtin.systemd_service:
-    name: tailscaled.service
+    name: netbird.service
     state: restarted
   become: true
 
-- name: Restart tailscaled
+- name: Restart systemd-resolved
   ansible.builtin.systemd_service:
     name: systemd-resolved.service
     state: restarted

playbooks/roles/software/tasks/systemd-resolved.yml

@@ -15,7 +15,7 @@
     group: "root"
   become: true
   notify:
-    - Restart tailscaled
+    - Restart netbird
     - Restart systemd-resolved
 
 - name: Enable and systemd-resolved
@@ -26,7 +26,7 @@
     daemon_reload: true
   become: true
   notify:
-    - Restart tailscaled
+    - Restart netbird
 
 - name: Create resolv.conf symlink
   ansible.builtin.file:

templates/cloud-init.yaml.tpl

@@ -31,10 +31,10 @@ runcmd:
   - sed -i 's/\#\?PermitRootLogin .\+/PermitRootLogin no/' /etc/ssh/sshd_config
   - systemctl restart sshd
 
-  #####################################################################
+  ###############################################################
-  ### Install tailscale ### Install tailscale ### Install tailscale ###
+  ### Install netbird ### Install netbird ### Install netbird ###
-  #####################################################################
+  ###############################################################
-  # One-command install, from https://tailscale.com/download/
+  # One-command install, from https://docs.netbird.io/get-started/install/linux
-  - ['sh', '-c', 'curl -fsSL https://tailscale.com/install.sh | sh']
+  - ['sh', '-c', 'curl -fsSL https://pkgs.netbird.io/install.sh | sh']
-  - ['tailscale', 'up', '--authkey=${tailscale_authkey}', '--hostname=${hostname}']
+  - ['netbird', 'up', '--setup-key=${netbird_setup_key}', '--hostname=${hostname}']
 

variables.tf

@@ -64,6 +64,11 @@ variable "minio_password" {
 }
 
 
+variable "netbird_token" {
+  sensitive = true
+}
+
+
 variable "ovh_application_key" {
   sensitive = true
 }
@@ -111,15 +116,6 @@ variable "scaleway_secret_key" {
 }
 
 
-variable "tailscale_api_key" {
-  sensitive = true
-}
-
-variable "tailscale_tailnet" {
-  sensitive = false
-}
-
-
 variable "default_ssh_key" {
   type = object({
     name = string