Erweiterung 2 Lighthouses möglich
This commit is contained in:
@@ -1,61 +1,40 @@
|
||||
pki:
|
||||
# every node needs a copy of the CA certificate,
|
||||
# and its own certificate and key, ONLY.
|
||||
#
|
||||
ca: /opt/nebula/ca.crt
|
||||
cert: /opt/nebula/{{ inventory_hostname }}.crt
|
||||
key: /opt/nebula/{{ inventory_hostname }}.key
|
||||
|
||||
static_host_map:
|
||||
# how to find one or more lighthouse nodes
|
||||
# you do NOT need every node to be listed here!
|
||||
#
|
||||
# format "Nebula IP": ["public IP or hostname:port"]
|
||||
#
|
||||
"{{ nebula_lighthouse_internal_ip_addr }}": ["{{ nebula_lighthouse_public_hostname }}:{{ nebula_lighthouse_public_port }}"]
|
||||
{% for lh in _nebula_lighthouses_computed %}
|
||||
"{{ lh.internal_ip }}": ["{{ lh.public_hostname }}:{{ lh.public_port }}"]
|
||||
{% endfor %}
|
||||
|
||||
lighthouse:
|
||||
interval: 60
|
||||
|
||||
# if you're a lighthouse, say you're a lighthouse
|
||||
#
|
||||
am_lighthouse: false
|
||||
|
||||
hosts:
|
||||
# If you're a lighthouse, this section should be EMPTY
|
||||
# or commented out. If you're NOT a lighthouse, list
|
||||
# lighthouse nodes here, one per line, in the following
|
||||
# format:
|
||||
#
|
||||
- "{{ nebula_lighthouse_internal_ip_addr }}"
|
||||
{% for lh in _nebula_lighthouses_computed %}
|
||||
- "{{ lh.internal_ip }}"
|
||||
{% endfor %}
|
||||
|
||||
listen:
|
||||
# 0.0.0.0 means "all interfaces," which is probably what you want
|
||||
#
|
||||
host: 0.0.0.0
|
||||
port: 4242
|
||||
|
||||
# "punchy" basically means "send frequent keepalive packets"
|
||||
# so that your router won't expire and close your NAT tunnels.
|
||||
#
|
||||
punchy: true
|
||||
|
||||
relay:
|
||||
am_relay: false
|
||||
use_relays: {{ nebula_node_use_lighthouse_as_relay }}
|
||||
relays:
|
||||
- {{ nebula_lighthouse_internal_ip_addr }}
|
||||
{% for lh in _nebula_lighthouses_computed %}
|
||||
{% if lh.is_relay | default(true) %}
|
||||
- {{ lh.internal_ip }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# "punch_back" allows the other node to try punching out to you,
|
||||
# if you're having trouble punching out to it. Useful for stubborn
|
||||
# networks with symmetric NAT, etc.
|
||||
#
|
||||
punch_back: true
|
||||
|
||||
tun:
|
||||
# sensible defaults. don't monkey with these unless
|
||||
# you're CERTAIN you know what you're doing.
|
||||
#
|
||||
dev: neb0
|
||||
drop_local_broadcast: false
|
||||
drop_multicast: false
|
||||
@@ -96,15 +75,6 @@ sshd:
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# you NEED this firewall section.
|
||||
#
|
||||
# Nebula has its own firewall in addition to anything
|
||||
# your system has in place, and it's all default deny.
|
||||
#
|
||||
# So if you don't specify some rules here, you'll drop
|
||||
# all traffic, and curse and wonder why you can't ping
|
||||
# one node from another.
|
||||
#
|
||||
firewall:
|
||||
outbound_action: {{ nebula_firewall_block_action }}
|
||||
inbound_action: {{ nebula_firewall_block_action }}
|
||||
@@ -114,10 +84,6 @@ firewall:
|
||||
default_timeout: 10m
|
||||
max_connections: 100000
|
||||
|
||||
# since everything is default deny, all rules you
|
||||
# actually SPECIFY here are allow rules.
|
||||
#
|
||||
|
||||
outbound:
|
||||
{% for rule in nebula_outbound_rules %}
|
||||
- port: {{ rule.port }}
|
||||
|
||||
Reference in New Issue
Block a user