Allow nebula through firewall

2023-11-03 18:06:36 +00:00 · 2023-11-03 18:06:36 +00:00 · 850278ab19
commit 850278ab19
parent b1284877a3
6 changed files with 9 additions and 2 deletions
--- a/ansible/host_vars/casey.yml
+++ b/ansible/host_vars/casey.yml
@ -1,2 +1,3 @@
 nebula_is_lighthouse: true
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
 ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}
--- a/ansible/host_vars/ingress.yml
+++ b/ansible/host_vars/ingress.yml
@ -0,0 +1,2 @@
+# Listen on a static port so it can be opened in the firewall
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@ -12,6 +12,9 @@ table inet filter {
        iif lo accept

        tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
+
+        # Allow nebula
+        udp dport {{ nebula_listen_port }} accept;
    }

    chain POSTROUTING {
--- a/ansible/roles/ingress/tasks/firewall.yml
+++ b/ansible/roles/ingress/tasks/firewall.yml
@ -9,7 +9,7 @@
    dest: /etc/nftables.conf
    validate: nft -c -f %s
  become: true
-  notify: reload firewall
+  notify: reload nftables

 - name: Enable nftables
  service:
--- a/ansible/roles/nebula/defaults/main.yml
+++ b/ansible/roles/nebula/defaults/main.yml
@ -1 +1,2 @@
 nebula_is_lighthouse: false
+nebula_listen_port: 0
--- a/ansible/roles/nebula/files/nebula.yml
+++ b/ansible/roles/nebula/files/nebula.yml
@ -17,7 +17,7 @@ lighthouse:

 listen:
  host: 0.0.0.0
-  port: "{{ nebula_is_lighthouse | ternary(nebula_lighthouse_port, 0) }}"
+  port: "{{ nebula_listen_port }}"

 punchy:
  punch: true