infrastructure/ansible/roles/nebula/tasks/main.yml

66 lines
1.4 KiB
YAML

- name: Create config directory
file:
path: /etc/nebula
state: directory
mode: "0700"
become: true
- name: Install binaries
unarchive:
src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
dest: /usr/bin
remote_src: yes
mode: "0755"
become: true
notify: restart nebula
- name: Install config
template:
src: files/nebula.yml
dest: /etc/nebula/config.yml
mode: "0600"
become: true
notify: restart nebula
- name: Install CA certificate
template:
src: files/ca.crt
dest: /etc/nebula/ca.crt
mode: "0600"
become: true
notify: restart nebula
- name: Install client certificates
template:
src: files/certs/{{ item }}
dest: /etc/nebula/{{ item }}
mode: "0600"
loop:
- "{{ ansible_hostname }}.key"
- "{{ ansible_hostname }}.crt"
become: true
notify: restart nebula
- name: Install service
get_url:
url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
dest: /usr/lib/systemd/system/nebula.service
mode: "0644"
become: true
- name: Enable service
service:
name: nebula
enabled: true
become: true
- name: Enable unsafe routing
iptables:
table: nat
chain: POSTROUTING
out_interface: ens18
source: "{{ nebula.cidr }}"
jump: MASQUERADE
notify: persist iptables
become: true
when: ansible_hostname == "ingress"