make it a role

root
2021-08-26 03:13:18 +00:00
commit 390d6042ab
14 changed files with 487 additions and 0 deletions
+16
@@ -0,0 +1,16 @@
[Unit]
Description=Nebula Lighthouse
Wants=basic.target
After=basic.target network.target
[Service]
SyslogIdentifier=nebula
StandardOutput=syslog
StandardError=syslog
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/opt/nebula/nebula -config /opt/nebula/config.yml
Restart=always
RestartSec=42s
[Install]
WantedBy=multi-user.target
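Review bot: The [Service] section sets no `User=` and no sandboxing directives, so the daemon runs as root with every capability and a compromise of the process is a compromise of the host. Nebula needs CAP_NET_ADMIN to create the `neb0` tun device, so a dedicated `User=` requires `AmbientCapabilities=CAP_NET_ADMIN`; if it must stay root, `CapabilityBoundingSet=CAP_NET_ADMIN` together with `NoNewPrivileges=true` and `ProtectSystem=strict` still narrows what the process can reach, and nothing under /opt/nebula is written by the daemon as far as this unit shows. `StandardOutput=syslog` / `StandardError=syslog` are deprecated in recent systemd releases and are treated as `journal`, so `journal` is the portable spelling. The node unit ending at the section before the second config template is byte-identical apart from its Description and has the same gaps.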
+96
@@ -0,0 +1,96 @@
pki:
# every node needs a copy of ca.crt, <client-name>.key,
# and <client-name>.crt
ca: /opt/nebula/ca.crt
cert: /opt/nebula/lighthouse.crt
key: /opt/nebula/lighthouse.key
static_host_map:
# how to find one or more lighthouse nodes
# you do NOT need every node to be listed here!
# Similar to "trackers" for torrents
#
# format "<internal-nebula-ip-addr>": ["<pub-ip-addr>:[port] or <hostname>:[port]"]
#
"{{ nebula_lighthouse_internal_ip_addr }}": ["{{ nebula_lighthouse_public_hostname }}:{{ nebula_lighthouse_public_port }}"]
lighthouse:
interval: 60
# if you're a lighthouse, say you're a lighthouse
#
am_lighthouse: true
hosts:
# If you're a lighthouse, this section should be EMPTY
# or commented out. If you're NOT a lighthouse, list
# lighthouse nodes here, one per line, in the following
# format:
#
# - "192.168.77.1"
listen:
# 0.0.0.0 means "all interfaces," which is probably what you want
#
host: 0.0.0.0
port: {{ nebula_lighthouse_public_port }}
# "punchy" basically means "send frequent keepalive packets"
# so that your router won't expire and close your NAT tunnels.
#
punchy: true
# "punch_back" allows the other node to try punching out to you,
# if you're having trouble punching out to it. Useful for stubborn
# networks with symmetric NAT, etc.
#
punch_back: true
tun:
# sensible defaults. don't monkey with these unless
# you're CERTAIN you know what you're doing.
#
dev: neb0
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300
routes:
logging:
level: info
format: text
# you NEED this firewall section.
#
# Nebula has its own firewall in addition to anything
# your system has in place, and it's all default deny.
#
# So if you don't specify some rules here, you'll drop
# all traffic, and curse and wonder why you can't ping
# one node from another.
#
firewall:
conntrack:
tcp_timeout: 120h
udp_timeout: 3m
default_timeout: 10m
max_connections: 100000
# since everything is default deny, all rules you
# actually SPECIFY here are allow rules.
#
outbound:
{% for rule in nebula_default_outbound_rules %}
- port: {{ rule.port }}
proto: {{ rule.proto }}
host: {{ rule.host }}
{% endfor %}
inbound:
{% for rule in nebula_default_outbound_rules %}
- port: {{ rule.port }}
proto: {{ rule.proto }}
host: {{ rule.host }}
{% endfor %}
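Review bot: The `inbound:` loop iterates `nebula_default_outbound_rules`, the same variable the `outbound:` loop just consumed, so the inbound allow list is a verbatim copy of the outbound one. Because Nebula's firewall is default-deny and every rule listed is an allow rule, each host is exposed inbound to exactly what it may reach outbound; with the usual outbound any/any rule that is an allow-all inbound policy on every node of the overlay. The loop header should name a separate inbound variable, e.g. `{% for rule in nebula_default_inbound_rules %}` (placeholder name: the role's defaults are not on this page), and the same copy-paste appears in the node template's `inbound:` loop further down the page. Whether the rendered list indents correctly under `outbound:` / `inbound:` cannot be judged from this view, since the rendering has dropped the template's indentation.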
+7
@@ -0,0 +1,7 @@
#!/bin/bash
PATH=/usr/bin:/bin:/sbin:/usr/sbin
test="$(ping -q -w10 -W2 {{ nebula_lighthouse_internal_ip_addr }} 2>/dev/null | grep -oP '\d{1,3}(?=%)')"
if [ "$test" == "100" ]; then
logger -s -p user.emerg '!!! Unable to reach Nebula server. Bouncing tunnel neb0... !!!'
systemctl restart nebula.service
fi
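Review bot: An empty `$test` takes the "all is well" branch: when `ping` cannot run, the templated address is unresolvable, or the output does not match `\d{1,3}(?=%)`, stderr is discarded and the `== "100"` comparison is simply false, so a broken check is indistinguishable from a healthy tunnel. A separate guard such as `if [ -z "$test" ]; then logger -s -p user.warning 'nebula check: ping produced no loss figure'; exit 1; fi` makes that state visible. The message hard-codes `neb0`, duplicating `dev: neb0` from the config template; rendering the same variable in both keeps them in sync. Note also that the check targets the lighthouse, so a lighthouse outage makes every node restart its tunnel on each run, and `user.emerg` is broadcast to all logged-in terminals under a default syslog configuration; `user.crit` conveys the severity without that side effect.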
+16
@@ -0,0 +1,16 @@
[Unit]
Description=nebula
Wants=basic.target
After=basic.target network.target
[Service]
SyslogIdentifier=nebula
StandardOutput=syslog
StandardError=syslog
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/opt/nebula/nebula -config /opt/nebula/config.yml
Restart=always
RestartSec=42s
[Install]
WantedBy=multi-user.target
+96
@@ -0,0 +1,96 @@
pki:
# every node needs a copy of the CA certificate,
# and its own certificate and key, ONLY.
#
ca: /opt/nebula/ca.crt
cert: /opt/nebula/{{ inventory_hostname }}.crt
key: /opt/nebula/{{ inventory_hostname }}.key
static_host_map:
# how to find one or more lighthouse nodes
# you do NOT need every node to be listed here!
#
# format "Nebula IP": ["public IP or hostname:port"]
#
"{{ nebula_lighthouse_internal_ip_addr }}": ["{{ nebula_lighthouse_public_hostname }}:{{ nebula_lighthouse_public_port }}"]
lighthouse:
interval: 60
# if you're a lighthouse, say you're a lighthouse
#
am_lighthouse: false
hosts:
# If you're a lighthouse, this section should be EMPTY
# or commented out. If you're NOT a lighthouse, list
# lighthouse nodes here, one per line, in the following
# format:
#
- "{{ nebula_lighthouse_internal_ip_addr }}"
listen:
# 0.0.0.0 means "all interfaces," which is probably what you want
#
host: 0.0.0.0
port: 4242
# "punchy" basically means "send frequent keepalive packets"
# so that your router won't expire and close your NAT tunnels.
#
punchy: true
# "punch_back" allows the other node to try punching out to you,
# if you're having trouble punching out to it. Useful for stubborn
# networks with symmetric NAT, etc.
#
punch_back: true
tun:
# sensible defaults. don't monkey with these unless
# you're CERTAIN you know what you're doing.
#
dev: neb0
drop_local_broadcast: false
drop_multicast: false
tx_queue: 500
mtu: 1300
routes:
logging:
level: info
format: text
# you NEED this firewall section.
#
# Nebula has its own firewall in addition to anything
# your system has in place, and it's all default deny.
#
# So if you don't specify some rules here, you'll drop
# all traffic, and curse and wonder why you can't ping
# one node from another.
#
firewall:
conntrack:
tcp_timeout: 120h
udp_timeout: 3m
default_timeout: 10m
max_connections: 100000
# since everything is default deny, all rules you
# actually SPECIFY here are allow rules.
#
outbound:
{% for rule in nebula_default_outbound_rules %}
- port: {{ rule.port }}
proto: {{ rule.proto }}
host: {{ rule.host }}
{% endfor %}
inbound:
{% for rule in nebula_default_outbound_rules %}
- port: {{ rule.port }}
proto: {{ rule.proto }}
host: {{ rule.host }}
{% endfor %}
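Review bot: `routes:` is a bare key, which YAML parses as null rather than an empty sequence; Nebula presumably tolerates the null (its reference config leaves the key commented out), but if an empty list is the intent `routes: []` says so and survives reformatting tools. The same bare key is present in the lighthouse template. The `cert:` and `key:` values are built from `{{ inventory_hostname }}` unquoted, which only stays valid YAML while the hostname contains no `: ` or ` #`; quoting them as `cert: "/opt/nebula/{{ inventory_hostname }}.crt"` removes that dependency on inventory naming.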