infrastructure/ansible/roles/nebula/tasks/main.yml

- name: Create config directory
  file:
    path: /etc/nebula
    state: directory
    mode: "0700"
  become: true

- name: Install binaries
  unarchive:
    src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
    dest: /usr/bin
    remote_src: true
    mode: "0755"
  become: true
  notify: restart nebula

- name: Install config
  template:
    src: files/nebula.yml
    dest: /etc/nebula/config.yml
    mode: "0600"
  become: true
  notify: restart nebula

- name: Install CA certificate
  template:
    src: files/ca.crt
    dest: /etc/nebula/ca.crt
    mode: "0600"
  become: true
  notify: restart nebula

- name: Install client certificates
  template:
    src: files/certs/{{ item }}
    dest: /etc/nebula/{{ item }}
    mode: "0600"
  loop:
    - "{{ ansible_hostname }}.key"
    - "{{ ansible_hostname }}.crt"
  become: true
  notify: restart nebula

- name: Install service
  get_url:
    url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
    dest: /usr/lib/systemd/system/nebula.service
    mode: "0644"
  become: true

- name: Enable service
  service:
    name: nebula
    enabled: true
  become: true

- name: Enable unsafe routing
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: ens18
    source: "{{ nebula.cidr }}"
    jump: MASQUERADE
  notify: persist iptables
  become: true
  when: ansible_hostname == "ingress"
Add platform-agnostic installation of nebula 2021-01-30 19:10:52 +00:00			`- name: Create config directory`
Init some skeleton nebula stuff 2021-01-25 21:53:04 +00:00			`file:`
			`path: /etc/nebula`
			`state: directory`
			`mode: "0700"`
			`become: true`

Add platform-agnostic installation of nebula 2021-01-30 19:10:52 +00:00			`- name: Install binaries`
			`unarchive:`
			`src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz`
			`dest: /usr/bin`
Update yamllint to fix dependency issue I think this still validates everything we need it to 2022-01-11 20:51:12 +00:00			`remote_src: true`
Add platform-agnostic installation of nebula 2021-01-30 19:10:52 +00:00			`mode: "0755"`
			`become: true`
			`notify: restart nebula`

			`- name: Install config`
Init some skeleton nebula stuff 2021-01-25 21:53:04 +00:00			`template:`
			`src: files/nebula.yml`
			`dest: /etc/nebula/config.yml`
			`mode: "0600"`
			`become: true`
Add platform-agnostic installation of nebula 2021-01-30 19:10:52 +00:00			`notify: restart nebula`

Provision nebula certs using Ansible 2021-01-30 20:06:31 +00:00			`- name: Install CA certificate`
			`template:`
			`src: files/ca.crt`
			`dest: /etc/nebula/ca.crt`
			`mode: "0600"`
			`become: true`
			`notify: restart nebula`

			`- name: Install client certificates`
			`template:`
			`src: files/certs/{{ item }}`
			`dest: /etc/nebula/{{ item }}`
			`mode: "0600"`
			`loop:`
Use hostname rather than fqdn 2021-03-04 16:06:43 +00:00			`- "{{ ansible_hostname }}.key"`
			`- "{{ ansible_hostname }}.crt"`
Provision nebula certs using Ansible 2021-01-30 20:06:31 +00:00			`become: true`
			`notify: restart nebula`

Add platform-agnostic installation of nebula 2021-01-30 19:10:52 +00:00			`- name: Install service`
			`get_url:`
			`url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service`
			`dest: /usr/lib/systemd/system/nebula.service`
Provision nebula certs using Ansible 2021-01-30 20:06:31 +00:00			`mode: "0644"`
Add platform-agnostic installation of nebula 2021-01-30 19:10:52 +00:00			`become: true`

			`- name: Enable service`
			`service:`
			`name: nebula`
			`enabled: true`
			`become: true`
Enable unsafe routing to PVE network over nebula 2021-01-30 22:59:56 +00:00
			`- name: Enable unsafe routing`
			`iptables:`
			`table: nat`
			`chain: POSTROUTING`
			`out_interface: ens18`
Keep track of IPs for PVE hosts Yea they're all random, I'll deal with that later 2021-01-31 12:46:43 +00:00			`source: "{{ nebula.cidr }}"`
Enable unsafe routing to PVE network over nebula 2021-01-30 22:59:56 +00:00			`jump: MASQUERADE`
			`notify: persist iptables`
			`become: true`
Use hostname rather than fqdn 2021-03-04 16:06:43 +00:00			`when: ansible_hostname == "ingress"`