diff --git a/ansible/host_vars/casey.yml b/ansible/host_vars/casey.yml
index e1b093a..eace308 100644
--- a/ansible/host_vars/casey.yml
+++ b/ansible/host_vars/casey.yml
@@ -1,2 +1,3 @@
 nebula_is_lighthouse: true
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
 ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}
diff --git a/ansible/host_vars/ingress.yml b/ansible/host_vars/ingress.yml
new file mode 100644
index 0000000..62fa34d
--- /dev/null
+++ b/ansible/host_vars/ingress.yml
@@ -0,0 +1,2 @@
+# Listen on a static port so it can be opened in the firewall
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
diff --git a/ansible/roles/ingress/files/nftables.conf b/ansible/roles/ingress/files/nftables.conf
index 1b8c5b0..436cd74 100644
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@@ -12,6 +12,9 @@ table inet filter {
 iif lo accept
 tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
+
+ # Allow nebula
+ udp dport {{ nebula_listen_port }} accept;
 }
 chain POSTROUTING {
diff --git a/ansible/roles/ingress/tasks/firewall.yml b/ansible/roles/ingress/tasks/firewall.yml
index 84424a1..10a35f4 100644
--- a/ansible/roles/ingress/tasks/firewall.yml
+++ b/ansible/roles/ingress/tasks/firewall.yml
@@ -9,7 +9,7 @@
 dest: /etc/nftables.conf
 validate: nft -c -f %s
 become: true
- notify: reload firewall
+ notify: reload nftables
 - name: Enable nftables
 service:
diff --git a/ansible/roles/nebula/defaults/main.yml b/ansible/roles/nebula/defaults/main.yml
index 7c5e620..9149efd 100644
--- a/ansible/roles/nebula/defaults/main.yml
+++ b/ansible/roles/nebula/defaults/main.yml
@@ -1 +1,2 @@
 nebula_is_lighthouse: false
+nebula_listen_port: 0
diff --git a/ansible/roles/nebula/files/nebula.yml b/ansible/roles/nebula/files/nebula.yml
index 67396d7..71e89d3 100644
--- a/ansible/roles/nebula/files/nebula.yml
+++ b/ansible/roles/nebula/files/nebula.yml
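Review bot: The added `udp dport {{ nebula_listen_port }} accept;` in nftables.conf renders as `udp dport 0 accept` on any host where the ingress host_vars are not applied, because the default this same commit adds to the nebula role is `nebula_listen_port: 0`; `nft -c -f` in the validate step accepts that syntactically, so the mistake would not be caught. Guard the rule at template time, `{% if nebula_listen_port | int > 0 %}` / `udp dport {{ nebula_listen_port }} accept` / `{% endif %}`, or add an `assert` task in the ingress role that the port is non-zero before the template is written. The trailing `;` is also inconsistent with the `tcp dport ... accept` line just above it and should be dropped. The rule accepts from any source address, which looks intentional for a tunnel endpoint that remote peers must reach, but a short comment saying so (and that the port must match the nebula role's listen port) would save the next reader a cross-role lookup.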
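Review bot: With the default `nebula_listen_port: 0` in defaults/main.yml and the nebula.yml template no longer deriving the port from `nebula_is_lighthouse`, any lighthouse host that does not set `nebula_listen_port` itself (as casey.yml now does) will bind whatever port `0` means to Nebula — a dynamic one, going by the old ternary — and will not be reachable at `nebula_lighthouse_port`; I cannot see other host_vars, so this may only bite when a second lighthouse is added. Keeping the previous behaviour in the default avoids that: `nebula_listen_port: "{{ nebula_is_lighthouse | ternary(nebula_lighthouse_port, 0) }}"`, which ingress.yml can still override. Note also that the host_vars set a quoted Jinja string while this default is a bare int; the template quotes the value so both render the same, but a one-line comment above the default, `# 0 = let Nebula pick the port; hosts with a firewall rule for Nebula need a fixed value`, would document that contract where it lives.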
@@ -17,7 +17,7 @@ lighthouse:
 listen:
 host: 0.0.0.0
- port: "{{ nebula_is_lighthouse | ternary(nebula_lighthouse_port, 0) }}"
+ port: "{{ nebula_listen_port }}"
 punchy:
 punch: true
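Review bot: The new `port: "{{ nebula_listen_port }}"` removes the only place in the template that made it visible that `0` is a meaningful value here (the old ternary showed non-lighthouses getting `0`), so a reader of nebula.yml alone can no longer tell why the variable may legitimately be zero. Add a comment above the line, `# 0 = dynamic port; set nebula_listen_port on hosts that need a fixed port for a firewall rule (lighthouses, ingress)`. The `listen:` block may continue beyond the hunk.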