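pki:
  # Every node needs a copy of ca.crt plus its own .crt and .key.
  # The private key must be readable only by the user nebula runs as
  # (e.g. mode 0600): anyone who can read it can impersonate this node.
  ca: /opt/nebula/ca.crt
  cert: /opt/nebula/{{ nebula_lighthouse_hostname }}.crt
  key: /opt/nebula/{{ nebula_lighthouse_hostname }}.key
  # blocklist is a list of certificate fingerprints this node refuses to
  # talk to. Use it to cut off a compromised host before its cert expires.
  # blocklist:
  #   - <sha256 fingerprint of the revoked certificate>

static_host_map:
  # how to find one or more lighthouse nodes
  # you do NOT need every node to be listed here!
  # Similar to "trackers" for torrents
  #
  # format "<nebula ip>": ["<public ip or hostname>:<port>", ...]
  #
  "{{ nebula_lighthouse_internal_ip_addr }}": ["{{ nebula_lighthouse_public_hostname }}:{{ nebula_lighthouse_public_port }}"]

lighthouse:
  # seconds between reports of this node's public addresses to the lighthouses
  interval: 60
  # if you're a lighthouse, say you're a lighthouse
  #
  am_lighthouse: true
  # If you're a lighthouse, this list must be EMPTY. If you're NOT a
  # lighthouse, list lighthouse nebula IPs here, e.g. ["192.168.77.1"].
  hosts: []
{% if nebula_lighthouse_remote_allow_list|length > 0 %}
  # remote_allow_list controls which remote IP ranges this node will
  # consider when handshaking. A CIDR mapped to false is never dialed.
  remote_allow_list:
{% for cidr, allow in nebula_lighthouse_remote_allow_list.items() %}
    '{{ cidr }}': {{ allow | lower }}
{% endfor %}
{% endif %}
{% if nebula_lighthouse_local_allow_list|length > 0 %}
  # local_allow_list filters which local IP addresses (and interfaces)
  # we advertise to the lighthouses
  local_allow_list:
{% if nebula_lighthouse_local_allow_list.interfaces is defined %}
    interfaces:
{% for interface, allow in nebula_lighthouse_local_allow_list.interfaces.items() %}
      '{{ interface }}': {{ allow | lower }}
{% endfor %}
{% endif %}
{% for key, value in nebula_lighthouse_local_allow_list.items() %}
{% if key != 'interfaces' %}
    '{{ key }}': {{ value | lower }}
{% endif %}
{% endfor %}
{% endif %}
{% if nebula_lighthouse_extra_config|length > 0 %}
{# No "{{-" here: it would strip the leading spaces, and indent() does not
   indent the first line, so the first extra key would land at column 0
   (outside the lighthouse mapping). Keep the two spaces before the tag. #}
  {{ nebula_lighthouse_extra_config | to_nice_yaml | indent(2) }}
{% endif %}

listen:
  # 0.0.0.0 means "all interfaces," which is what a lighthouse
  # reachable from the internet normally wants
  #
  host: 0.0.0.0
  port: {{ nebula_lighthouse_public_port }}

# "punchy" basically means "send frequent keepalive packets"
# so that your router won't expire and close your NAT tunnels.
# "respond" lets the other node try punching out to you if you're
# having trouble punching out to it. Useful for stubborn networks
# with symmetric NAT, etc.
punchy:
  punch: true
  respond: true

relay:
  # a lighthouse may also forward traffic between nodes that cannot
  # reach each other directly; relayed traffic stays end-to-end encrypted
  am_relay: {{ nebula_lighthouse_is_relay | lower }}
  # the lighthouse itself never needs to go through a relay
  use_relays: false

tun:
  # sensible defaults. don't monkey with these unless
  # you're CERTAIN you know what you're doing.
  #
  dev: neb0
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  # unsafe_routes are deliberately not configured here
  routes: []

logging:
  level: info
  format: text

{% if nebula_metrics_prometheus_enabled %}
# The metrics endpoint is unauthenticated: bind it to loopback or the
# nebula interface, never to a public address.
stats:
  type: prometheus
  listen: "{{ nebula_metrics_prometheus_listen }}"
  path: "{{ nebula_metrics_prometheus_path }}"
  namespace: "{{ nebula_metrics_prometheus_namespace }}"
  interval: "{{ nebula_metrics_prometheus_interval }}"
{% endif %}

# you NEED this firewall section.
#
# Nebula has its own firewall in addition to anything
# your system has in place, and it's all default deny.
#
# So if you don't specify some rules here, you'll drop
# all traffic, and curse and wonder why you can't ping
# one node from another.
#
firewall:
  outbound_action: {{ nebula_firewall_block_action }}
  inbound_action: {{ nebula_firewall_block_action }}
  conntrack:
    tcp_timeout: 120h
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000

  # since everything is default deny, all rules you
  # actually SPECIFY here are allow rules.
  #
  # Each rule needs port and proto plus at least one identity selector.
  # `host: any` admits every certificate the CA has ever signed; prefer
  # `groups` / `cidr` so a rule matches only the hosts it is meant for.
  #
  outbound:
{% for rule in nebula_outbound_rules %}
    - port: {{ rule.port }}
      proto: {{ rule.proto }}
{% if rule.host is defined %}
      host: {{ rule.host }}
{% endif %}
{% if rule.group is defined %}
      group: {{ rule.group }}
{% endif %}
{% if rule.groups is defined %}
      groups:
{% for group in rule.groups %}
        - {{ group }}
{% endfor %}
{% endif %}
{% if rule.cidr is defined %}
      cidr: {{ rule.cidr }}
{% endif %}
{% endfor %}
  inbound:
{% for rule in nebula_inbound_rules %}
    - port: {{ rule.port }}
      proto: {{ rule.proto }}
{% if rule.host is defined %}
      host: {{ rule.host }}
{% endif %}
{% if rule.group is defined %}
      group: {{ rule.group }}
{% endif %}
{% if rule.groups is defined %}
      groups:
{% for group in rule.groups %}
        - {{ group }}
{% endfor %}
{% endif %}
{% if rule.cidr is defined %}
      cidr: {{ rule.cidr }}
{% endif %}
{% endfor %}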