StefanMewes/Nebula-Ansible-Role
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

config/lighthouse: add support for remote and local allow lists

Browse Source
This commit is contained in:
Matt Burchett
2025-09-20 06:07:45 +00:00
committed by Andrew Paglusch
parent 394aabc1d8
commit c6f6548f97
3 changed files with 56 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@@ -33,6 +33,22 @@ You can read more about Nebula [on the official repo](https://github.com/slackhq
nebula_outbound_rules:
- { port: "any", proto: "any", host: "any" }
# Example lighthouse remote_allow_list configuration
# Controls IP ranges that this node will consider when handshaking
nebula_lighthouse_remote_allow_list:
'172.16.0.0/12': false # Block this subnet
'0.0.0.0/0': true # Allow all other IPs
'10.0.0.0/8': false # Block private range
'10.42.42.0/24': true # Allow specific subnet
# Example lighthouse local_allow_list configuration
# Filters which local IP addresses are advertised to the lighthouses
nebula_lighthouse_local_allow_list:
interfaces:
tun0: false # Block tun0 interface
'docker.*': false # Block all docker interfaces
'10.0.0.0/8': true # Only advertise this subnet
roles:
- role: nebula
```

13
defaults/main.yml
View File

@@ -17,6 +17,19 @@ nebula_lighthouse_public_port: 4242
nebula_lighthouse_is_relay: true
nebula_lighthouse_extra_config: {}
# Lighthouse remote_allow_list configuration
# Controls IP ranges that this node will consider when handshaking to another node
# Format: CIDR: boolean (true to allow, false to deny)
# If all rules are "allow", default will be "deny", and vice-versa
# If both "allow" and "deny" rules are present, you MUST set a rule for "0.0.0.0/0" as default
nebula_lighthouse_remote_allow_list: {}
# Lighthouse local_allow_list configuration
# Filters which local IP addresses are advertised to the lighthouses
# Can specify interfaces map of regular expressions to match against interface names
# Format: CIDR: boolean or interfaces: { interface_regex: boolean }
nebula_lighthouse_local_allow_list: {}
nebula_metrics_prometheus_enabled: false
nebula_metrics_prometheus_listen: "127.0.0.1:4244"
nebula_metrics_prometheus_path: "/metrics"

29
templates/lighthouse_config.yml.j2
View File

@@ -28,9 +28,34 @@ lighthouse:
# format:
#
# - "192.168.77.1"
{% if nebula_lighthouse_extra_config|length > 0 %}
{{- nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }}
{% if nebula_lighthouse_remote_allow_list|length > 0 %}
# remote_allow_list controls IP ranges that this node will consider when handshaking
remote_allow_list:
{% for cidr, allow in nebula_lighthouse_remote_allow_list.items() %}
'{{ cidr }}': {{ allow | lower }}
{% endfor %}
{% endif %}
{% if nebula_lighthouse_local_allow_list|length > 0 %}
# local_allow_list filters which local IP addresses we advertise to the lighthouses
local_allow_list:
{% if nebula_lighthouse_local_allow_list.interfaces is defined %}
interfaces:
{% for interface, allow in nebula_lighthouse_local_allow_list.interfaces.items() %}
'{{ interface }}': {{ allow | lower }}
{% endfor %}
{% endif %}
{% for key, value in nebula_lighthouse_local_allow_list.items() %}
{% if key != 'interfaces' %}
'{{ key }}': {{ value | lower }}
{% endif %}
{% endfor %}
{% endif %}
{% if nebula_lighthouse_extra_config|length > 0 %}
{{- nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }}
{% endif %}
listen:
# 0.0.0.0 means "all interfaces," which is probably what you want