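{# Nebula lighthouse config, rendered by Ansible/Jinja2 and then parsed as YAML by
   Nebula. Block tags sit at column 0 so their own indentation never leaks into the
   output; every templated string scalar is quoted and every templated boolean is
   forced to lowercase true/false so the YAML parser cannot retype them. #}
pki:
  # Host identity: the CA certificate plus this lighthouse's own cert/key pair.
  ca: /opt/nebula/ca.crt
  cert: /opt/nebula/{{ _lh.hostname }}.crt
  key: /opt/nebula/{{ _lh.hostname }}.key

# Overlay IP -> public endpoint for every lighthouse (this host included).
static_host_map:
{% for lh in _nebula_lighthouses_computed %}
  "{{ lh.internal_ip }}": ["{{ lh.public_hostname }}:{{ lh.public_port }}"]
{% endfor %}

lighthouse:
  am_lighthouse: true
  interval: 60
  # A lighthouse does not report to other lighthouses; the list stays empty.
  hosts: []
{% if nebula_lighthouse_remote_allow_list | length > 0 %}
  # CIDR -> bool: which remote (public) addresses this lighthouse will advertise.
  remote_allow_list:
{% for cidr, allow in nebula_lighthouse_remote_allow_list.items() %}
    '{{ cidr }}': {{ allow | lower }}
{% endfor %}
{% endif %}
{% if nebula_lighthouse_local_allow_list | length > 0 %}
  # Interface names and CIDRs -> bool: which local addresses may be advertised.
  local_allow_list:
{% if nebula_lighthouse_local_allow_list.interfaces is defined %}
    interfaces:
{% for interface, allow in nebula_lighthouse_local_allow_list.interfaces.items() %}
      '{{ interface }}': {{ allow | lower }}
{% endfor %}
{% endif %}
{% for key, value in nebula_lighthouse_local_allow_list.items() %}
{% if key != 'interfaces' %}
    '{{ key }}': {{ value | lower }}
{% endif %}
{% endfor %}
{% endif %}
{% if nebula_lighthouse_extra_config | length > 0 %}
{# first=True indents the first emitted line too, so the whole mapping lands
   under "lighthouse:". Keys that also appear above (e.g. remote_allow_list)
   would become duplicate YAML keys -- keep extra_config disjoint from them. #}
{{ nebula_lighthouse_extra_config | to_nice_yaml | indent(2, first=True) }}
{% endif %}

listen:
  # A lighthouse must be reachable by every peer, hence all interfaces.
  host: 0.0.0.0
  port: {{ _lh.public_port }}

punchy:
  punch: true
  punch_back: true

relay:
  # Lighthouses relay by default unless the inventory says otherwise.
  am_relay: {{ _lh.is_relay | default(true) | lower }}
  use_relays: false

tun:
  dev: neb0
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  # No unsafe/extra routes are pushed from this template.
  routes: []

logging:
  level: info
  format: text

{% if nebula_metrics_prometheus_enabled %}
stats:
  type: prometheus
  # Nothing in this stanza authenticates scrapers; keep the listener on an
  # internal or overlay address rather than a public one.
  listen: "{{ nebula_metrics_prometheus_listen }}"
  path: "{{ nebula_metrics_prometheus_path }}"
  namespace: "{{ nebula_metrics_prometheus_namespace }}"
  interval: {{ nebula_metrics_prometheus_interval }}
{% endif %}

{% if nebula_sshd_enabled %}
# Nebula's built-in sshd exposes an admin/debug interface for the daemon.
# Keep its listen address off public interfaces and grant access only through
# the explicit key lists below (inline keys plus the per-user key registry).
sshd:
  enabled: {{ nebula_sshd_enabled | lower }}
  listen: "{{ nebula_sshd_listen }}"
  host_key: /opt/nebula/ssh_host_ed25519_key
{% if nebula_sshd_authorized_users %}
  authorized_users:
{% for sshd_user in nebula_sshd_authorized_users %}
    - user: {{ sshd_user.user }}
      keys:
{% for ssh_key in sshd_user.get('keys', []) %}
        - "{{ ssh_key }}"
{% endfor %}
{% for file_key in nebula_sshd_key_registry.get(sshd_user.user, []) %}
        - "{{ file_key }}"
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}

firewall:
  # Action taken when no rule below matches; the same value is used in both
  # directions so the posture is default-deny unless rules open something.
  outbound_action: {{ nebula_firewall_block_action }}
  inbound_action: {{ nebula_firewall_block_action }}
  conntrack:
    tcp_timeout: 120h
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000
  # Rules are rendered with host-based matching only (port/proto/host); a rule
  # needing group or CIDR matching cannot be expressed through these variables.
  outbound:
{% for rule in nebula_outbound_rules %}
    - port: {{ rule.port }}
      proto: {{ rule.proto }}
      host: {{ rule.host }}
{% endfor %}
  inbound:
{% for rule in nebula_inbound_rules %}
    - port: {{ rule.port }}
      proto: {{ rule.proto }}
      host: {{ rule.host }}
{% endfor %}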