Erweiterung 2 Lighthouses möglich
@@ -1,87 +1,56 @@
|
||||
pki:
|
||||
# every node needs a copy of ca.crt, <client-name>.key,
|
||||
# and <client-name>.crt
|
||||
ca: /opt/nebula/ca.crt
|
||||
cert: /opt/nebula/{{ nebula_lighthouse_hostname }}.crt
|
||||
key: /opt/nebula/{{ nebula_lighthouse_hostname }}.key
|
||||
cert: /opt/nebula/{{ _lh.hostname }}.crt
|
||||
key: /opt/nebula/{{ _lh.hostname }}.key
|
||||
|
||||
static_host_map:
|
||||
# how to find one or more lighthouse nodes
|
||||
# you do NOT need every node to be listed here!
|
||||
# Similar to "trackers" for torrents
|
||||
#
|
||||
# format "<internal-nebula-ip-addr>": ["<pub-ip-addr>:[port] or <hostname>:[port]"]
|
||||
#
|
||||
"{{ nebula_lighthouse_internal_ip_addr }}": ["{{ nebula_lighthouse_public_hostname }}:{{ nebula_lighthouse_public_port }}"]
|
||||
{% for lh in _nebula_lighthouses_computed %}
|
||||
"{{ lh.internal_ip }}": ["{{ lh.public_hostname }}:{{ lh.public_port }}"]
|
||||
{% endfor %}
|
||||
|
||||
lighthouse:
|
||||
interval: 60
|
||||
|
||||
# if you're a lighthouse, say you're a lighthouse
|
||||
#
|
||||
am_lighthouse: true
|
||||
|
||||
hosts:
|
||||
# If you're a lighthouse, this section should be EMPTY
|
||||
# or commented out. If you're NOT a lighthouse, list
|
||||
# lighthouse nodes here, one per line, in the following
|
||||
# format:
|
||||
#
|
||||
# - "192.168.77.1"
|
||||
|
||||
{% if nebula_lighthouse_remote_allow_list|length > 0 %}
|
||||
# remote_allow_list controls IP ranges that this node will consider when handshaking
|
||||
{% if nebula_lighthouse_remote_allow_list | length > 0 %}
|
||||
remote_allow_list:
|
||||
{% for cidr, allow in nebula_lighthouse_remote_allow_list.items() %}
|
||||
{% for cidr, allow in nebula_lighthouse_remote_allow_list.items() %}
|
||||
'{{ cidr }}': {{ allow | lower }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if nebula_lighthouse_local_allow_list|length > 0 %}
|
||||
# local_allow_list filters which local IP addresses we advertise to the lighthouses
|
||||
{% if nebula_lighthouse_local_allow_list | length > 0 %}
|
||||
local_allow_list:
|
||||
{% if nebula_lighthouse_local_allow_list.interfaces is defined %}
|
||||
{% if nebula_lighthouse_local_allow_list.interfaces is defined %}
|
||||
interfaces:
|
||||
{% for interface, allow in nebula_lighthouse_local_allow_list.interfaces.items() %}
|
||||
{% for interface, allow in nebula_lighthouse_local_allow_list.interfaces.items() %}
|
||||
'{{ interface }}': {{ allow | lower }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% for key, value in nebula_lighthouse_local_allow_list.items() %}
|
||||
{% if key != 'interfaces' %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% for key, value in nebula_lighthouse_local_allow_list.items() %}
|
||||
{% if key != 'interfaces' %}
|
||||
'{{ key }}': {{ value | lower }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if nebula_lighthouse_extra_config|length > 0 %}
|
||||
{{- nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }}
|
||||
{% endif %}
|
||||
{% if nebula_lighthouse_extra_config | length > 0 %}
|
||||
{{- nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }}
|
||||
{% endif %}
|
||||
|
||||
listen:
|
||||
# 0.0.0.0 means "all interfaces," which is probably what you want
|
||||
#
|
||||
host: 0.0.0.0
|
||||
port: {{ nebula_lighthouse_public_port }}
|
||||
port: {{ _lh.public_port }}
|
||||
|
||||
# "punchy" basically means "send frequent keepalive packets"
|
||||
# so that your router won't expire and close your NAT tunnels.
|
||||
#
|
||||
punchy: true
|
||||
|
||||
# "punch_back" allows the other node to try punching out to you,
|
||||
# if you're having trouble punching out to it. Useful for stubborn
|
||||
# networks with symmetric NAT, etc.
|
||||
#
|
||||
punch_back: true
|
||||
|
||||
relay:
|
||||
am_relay: {{ nebula_lighthouse_is_relay }}
|
||||
am_relay: {{ _lh.is_relay | default(true) }}
|
||||
use_relays: false
|
||||
|
||||
tun:
|
||||
# sensible defaults. don't monkey with these unless
|
||||
# you're CERTAIN you know what you're doing.
|
||||
#
|
||||
dev: neb0
|
||||
drop_local_broadcast: false
|
||||
drop_multicast: false
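Review bot: `am_relay: {{ _lh.is_relay | default(true) }}` renders the Jinja boolean as `True`/`False`, while the allow-list entries in the same hunk pass their booleans through `| lower`; write `am_relay: {{ _lh.is_relay | default(true) | lower }}` so the generated file uses the canonical `true`/`false` spelling throughout. The `default(true)` also means a lighthouse entry without an explicit `is_relay` key becomes a relay that forwards traffic for other nodes, which looks like a change from the old per-role `nebula_lighthouse_is_relay` variable; if that is intended, a comment above the line such as `# lighthouses relay by default; set is_relay: false on an entry to opt out` would make the default visible to operators. The same `True`/`False` rendering applies to `enabled:` in the sshd hunk below.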
|
||||
@@ -102,15 +71,26 @@ stats:
|
||||
interval: {{ nebula_metrics_prometheus_interval }}
|
||||
{% endif %}
|
||||
|
||||
# you NEED this firewall section.
|
||||
#
|
||||
# Nebula has its own firewall in addition to anything
|
||||
# your system has in place, and it's all default deny.
|
||||
#
|
||||
# So if you don't specify some rules here, you'll drop
|
||||
# all traffic, and curse and wonder why you can't ping
|
||||
# one node from another.
|
||||
#
|
||||
{% if nebula_sshd_enabled %}
|
||||
sshd:
|
||||
enabled: {{ nebula_sshd_enabled }}
|
||||
listen: {{ nebula_sshd_listen }}
|
||||
host_key: /opt/nebula/ssh_host_ed25519_key
|
||||
{% if nebula_sshd_authorized_users %}
|
||||
authorized_users:
|
||||
{% for sshd_user in nebula_sshd_authorized_users %}
|
||||
- user: {{ sshd_user.user }}
|
||||
keys:
|
||||
{% for ssh_key in sshd_user.get('keys', []) %}
|
||||
- "{{ ssh_key }}"
|
||||
{% endfor %}
|
||||
{% for file_key in nebula_sshd_key_registry.get(sshd_user.user, []) %}
|
||||
- "{{ file_key }}"
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
firewall:
|
||||
outbound_action: {{ nebula_firewall_block_action }}
|
||||
inbound_action: {{ nebula_firewall_block_action }}
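Review bot: The new `sshd` block interpolates `nebula_sshd_listen` and `sshd_user.user` as plain scalars and `nebula_sshd_enabled` as a Python boolean, so the rendered YAML carries a `True` value and unquoted strings that the loader may retype (a user name that looks like a number or a boolean, or a listen value starting with a YAML indicator). Quote the templated strings and lower the boolean: `enabled: {{ nebula_sshd_enabled | lower }}`, `listen: "{{ nebula_sshd_listen }}"`, `- user: "{{ sshd_user.user }}"`; since the block is already guarded by `{% if nebula_sshd_enabled %}`, a literal `enabled: true` would be equivalent. Because this sshd is Nebula's administrative interface, a one-line comment above `listen:` recording which address family the role expects (loopback or nebula-internal unless remote administration is intended) would help operators reading the generated config; the template does not show the variable's default, so the comment should describe the intent rather than assert the value. The `keys:` key is left bare when both loops yield nothing, which parses as null rather than an empty list; emitting `keys: []` in that case would be safer for the consumer's schema.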
|
||||
@@ -120,10 +100,6 @@ firewall:
|
||||
default_timeout: 10m
|
||||
max_connections: 100000
|
||||
|
||||
# since everything is default deny, all rules you
|
||||
# actually SPECIFY here are allow rules.
|
||||
#
|
||||
|
||||
outbound:
|
||||
{% for rule in nebula_outbound_rules %}
|
||||
- port: {{ rule.port }}
|
||||
|
||||