Allow nebula through firewall

ansible/host_vars/casey.yml

@@ -1,2 +1,3 @@
 nebula_is_lighthouse: true
+nebula_listen_port: "{{ nebula_lighthouse_port }}"
 ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}

ansible/host_vars/ingress.yml

@@ -0,0 +1,2 @@
+# Listen on a static port so it can be opened in the firewall
+nebula_listen_port: "{{ nebula_lighthouse_port }}"

ansible/roles/ingress/files/nftables.conf

@@ -12,6 +12,9 @@ table inet filter {
         iif lo accept
 
         tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
+
+        # Allow nebula
+        udp dport {{ nebula_listen_port }} accept;
     }
 
     chain POSTROUTING {

ansible/roles/ingress/tasks/firewall.yml

@@ -9,7 +9,7 @@
     dest: /etc/nftables.conf
     validate: nft -c -f %s
   become: true
-  notify: reload firewall
+  notify: reload nftables
 
 - name: Enable nftables
   service:

ansible/roles/nebula/defaults/main.yml

@@ -1 +1,2 @@
 nebula_is_lighthouse: false
+nebula_listen_port: 0

ansible/roles/nebula/files/nebula.yml

@@ -17,7 +17,7 @@ lighthouse:
 
 listen:
   host: 0.0.0.0
-  port: "{{ nebula_is_lighthouse | ternary(nebula_lighthouse_port, 0) }}"
+  port: "{{ nebula_listen_port }}"
 
 punchy:
   punch: true