66 lines
1.4 KiB
YAML
66 lines
1.4 KiB
YAML
- name: Create config directory
|
|
file:
|
|
path: /etc/nebula
|
|
state: directory
|
|
mode: "0700"
|
|
become: true
|
|
|
|
- name: Install binaries
|
|
unarchive:
|
|
src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
|
|
dest: /usr/bin
|
|
remote_src: yes
|
|
mode: "0755"
|
|
become: true
|
|
notify: restart nebula
|
|
|
|
- name: Install config
|
|
template:
|
|
src: files/nebula.yml
|
|
dest: /etc/nebula/config.yml
|
|
mode: "0600"
|
|
become: true
|
|
notify: restart nebula
|
|
|
|
- name: Install CA certificate
|
|
template:
|
|
src: files/ca.crt
|
|
dest: /etc/nebula/ca.crt
|
|
mode: "0600"
|
|
become: true
|
|
notify: restart nebula
|
|
|
|
- name: Install client certificates
|
|
template:
|
|
src: files/certs/{{ item }}
|
|
dest: /etc/nebula/{{ item }}
|
|
mode: "0600"
|
|
loop:
|
|
- "{{ ansible_fqdn }}.key"
|
|
- "{{ ansible_fqdn }}.crt"
|
|
become: true
|
|
notify: restart nebula
|
|
|
|
- name: Install service
|
|
get_url:
|
|
url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
|
|
dest: /usr/lib/systemd/system/nebula.service
|
|
mode: "0644"
|
|
become: true
|
|
|
|
- name: Enable service
|
|
service:
|
|
name: nebula
|
|
enabled: true
|
|
become: true
|
|
|
|
- name: Enable unsafe routing
|
|
iptables:
|
|
table: nat
|
|
chain: POSTROUTING
|
|
out_interface: ens18
|
|
source: "{{ nebula.cidr }}"
|
|
jump: MASQUERADE
|
|
notify: persist iptables
|
|
become: true
|
|
when: ansible_fqdn == "ingress"
|