feat: Add Netbird VPN support and fix Tailscale auto-connect#43
Conversation
Replace tailscale_enabled with vpn_provider variable supporting "tailscale", "netbird", or "" (disabled). Add Netbird installation tasks with auto-connect via setup key and optional self-hosted management URL. Fix the unused tailscale_authkey by implementing the auto-connect task with no_log for credential protection. Convert inline sudoers to a Jinja2 template with conditional VPN permissions based on the selected provider.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a538f634d3
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
On minimal Debian/Ubuntu hosts, gnupg is not preinstalled. The Netbird setup pipes the signing key through gpg --dearmor, which fails without it. Add a prerequisite package install step matching the Docker task pattern.
|
Thanks for the context here. I swept through the related work, and this is now duplicate or superseded. Keep open. The PR contains useful Netbird and Tailscale auth-key work that is not already on current main, but it is not merge-ready because it breaks the existing Canonical path: Close this stale PR. The latest review rated it F, the branch still lacks merge-ready proof, and there has been no human follow-up after the durable review. So I’m closing this here because the remaining work is already tracked in the canonical issue. Review detailsBest possible solution: Close this stale PR. The latest review rated it F, the branch still lacks merge-ready proof, and there has been no human follow-up after the durable review. Do we have a high-confidence way to reproduce the issue? Yes for the Tailscale auth-key subproblem by source inspection: current main declares and documents Is this the best way to solve the issue? No, not as currently shaped; the provider abstraction is plausible, but the branch needs to preserve or explicitly migrate Security review: Security review needs attention: The diff changes VPN trust and service-user network-control boundaries, so it needs maintainer-visible proof and acceptance before merge.
AGENTS.md: found and applied where relevant. What I checked:
Likely related people:
Codex review notes: model internal, reasoning high; reviewed against bc4d0a9be681. |
|
ClawSweeper PR egg 🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat. Where did the egg go?
|
Summary
vpn_providervariable ("tailscale","netbird", or"")tailscale_authkeyvariable was defined and documented but never used in any task. Now it auto-connects withno_log: truefor credential protectionnetbird_management_urlfor self-hosted instancesChanges
New files
roles/openclaw/tasks/netbird-linux.yml— Netbird installation, service setup, auto-connectroles/openclaw/templates/sudoers-openclaw.j2— Templated sudoers with conditional VPN permsModified files
roles/openclaw/defaults/main.yml— Newvpn_provider,netbird_setup_key,netbird_management_urlvariablesroles/openclaw/tasks/main.yml— VPN provider routingroles/openclaw/tasks/tailscale-linux.yml— Added auto-connect taskroles/openclaw/tasks/firewall-linux.yml— Added Netbird UDP 51820 ruleroles/openclaw/tasks/user.yml— Switched from inline copy to templateTest plan
ansible-playbook --syntax-checkpassesvpn_providerdefaults to"")