Init some skeleton nebula stuff

2021-01-25 21:53:04 +00:00 · 2021-01-25 21:53:04 +00:00 · a44a79031a
commit a44a79031a
parent 0ecd884a9a
9 changed files with 93 additions and 0 deletions
--- a/ansible/group_vars/all/nebula.yml
+++ b/ansible/group_vars/all/nebula.yml
@ -0,0 +1,5 @@
+nebula:
+  subnet: 10.23.2.0/24
+  clients:
+    casey:
+      ip: 10.23.2.1
--- a/ansible/host_vars/casey.yml
+++ b/ansible/host_vars/casey.yml
@ -0,0 +1 @@
+nebula_is_lighthouse: true
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -12,6 +12,7 @@
 - hosts: casey
  roles:
    - gateway
+    - nebula

 - hosts:
    - walker
--- a/ansible/roles/nebula/defaults/main.yml
+++ b/ansible/roles/nebula/defaults/main.yml
@ -0,0 +1 @@
+nebula_is_lighthouse: false
--- a/ansible/roles/nebula/files/nebula.yml
+++ b/ansible/roles/nebula/files/nebula.yml
@ -0,0 +1,55 @@
+pki:
+  ca: /etc/nebula/ca.crt
+  cert: /etc/nebula/host.crt
+  key: /etc/nebula/host.key
+
+static_host_map:
+  "{{ nebula_lighthouse_ip }}": ["{{ nebula_lighthouse_public_ip }}:{{ nebula_lighthouse_port }}"]
+
+
+lighthouse:
+  am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
+  interval: 60
+  hosts:
+    {% if not nebula_is_lighthouse %}
+    - "{{ nebula_lighthouse_ip }}"
+    {% endif %}
+
+listen:
+  host: 0.0.0.0
+  port: "{{ nebula_is_lighthouse | ternary(nebula_lighthouse_port, 0) }}"
+
+punchy:
+  punch: true
+
+tun:
+  disabled: false
+  dev: nebula1
+  drop_local_broadcast: false
+  drop_multicast: false
+  tx_queue: 500
+  mtu: 1300
+  routes:
+  unsafe_routes:
+
+
+logging:
+  level: info
+  format: text
+
+firewall:
+  conntrack:
+    tcp_timeout: 12m
+    udp_timeout: 3m
+    default_timeout: 10m
+    max_connections: 100000
+
+  outbound:
+    - port: any
+      proto: any
+      host: any
+
+  inbound:
+    - port: any
+      proto: any
+      host: any
--- a/ansible/roles/nebula/tasks/main.yml
+++ b/ansible/roles/nebula/tasks/main.yml
@ -0,0 +1,19 @@
+- name: Install Nebula
+  package:
+    name: nebula
+  when: ansible_os_family == 'Archlinux'
+  become: true
+
+- name: Create nebula directory
+  file:
+    path: /etc/nebula
+    state: directory
+    mode: "0700"
+  become: true
+
+- name: Install nebula config
+  template:
+    src: files/nebula.yml
+    dest: /etc/nebula/config.yml
+    mode: "0600"
+  become: true
--- a/ansible/roles/nebula/vars/main.yml
+++ b/ansible/roles/nebula/vars/main.yml
@ -0,0 +1,3 @@
+nebula_lighthouse_public_ip: "{{ hosts.casey_ip }}"
+nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
+nebula_lighthouse_port: 6328
--- a/ansible/yamllint.yml
+++ b/ansible/yamllint.yml
@ -4,6 +4,7 @@ ignore: |
  ansible/galaxy_roles
  ansible/group_vars/all/hosts.yml
  ansible/roles/traefik/files/traefik.yml
+  ansible/roles/nebula/files/nebula.yml

 rules:
  document-start: disable
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@ -57,3 +57,10 @@ resource "vultr_firewall_rule" "casey_mc" {
  from_port         = 25566
  network           = "0.0.0.0/0"
 }
+
+resource "vultr_firewall_rule" "casey_nebula" {
+  firewall_group_id = vultr_firewall_group.casey.id
+  protocol          = "tcp"
+  from_port         = 6328
+  network           = "0.0.0.0/0"
+}