Ansible role to install Nebula Mesh.
The requirements are:
- Ansible version >=2.10
- Linux
- Systemd as init system
This role is tested on:
- Ubuntu 20.04 Focal Fossa
- Python 3.10
- Ansible 2.10
The following variables are available:
| Variable | Default Value | Description |
|---|---|---|
nebula_am_lighthouse |
false |
If member is a lighthouse |
nebula_arch |
amd64 |
Architecture to use to build the download URL |
nebula_bin_dir |
/usr/local/bin |
The directory to install the binaries |
nebula_ca_duration |
175200h (20 years) |
The duration of CA |
nebula_ca_host |
<UNDEFINED> |
The inventory_hostname of the host which should be used as CA. If not defined, exactly 1 play host must have nebula_is_ca variable set to true. Required to be set if nebula_am_lighthouse |
nebula_ca_name |
Nebula CA Org |
The name of the CA |
nebula_ca_wait_timeout_secs |
120 |
Timeout in seconds for members to wait until the CA is ready to issue certificates |
nebula_config_dir |
/etc/nebula |
Directory to keep config and certificates |
nebula_download_checksum |
<UNDEFINED> |
If provided, the checksum will be tested before downloading Nebula from the URL |
nebula_download_dir |
/opt |
The directory to download the tarball |
nebula_download_url |
see defaults/main.yml | The Nebula download URL |
nebula_groups |
[] |
Nebula groups of the member |
nebula_ip |
<UNDEFINED> |
The IP required by Nebula. Needs to contain subnet prefix at the end (e.g. 172.20.0.42/24). Required. |
nebula_is_ca |
false |
If the host is the certificate authority or not. If nebula_ca_host is not defined, exactly 1 play host must have this variable set to true. Required to be set if nebula_am_lighthouse |
nebula_is_member |
true |
If the host should be added to the mesh |
nebula_name |
"{{ ansible_facts.hostname }}" |
Name of the Nebula member |
nebula_routable_ip |
<UNDEFINED> |
The routable IP required by Nebula. If undefined, the public IP of the host will be determined and used |
nebula_service_name |
nebula |
Name of the systemd service |
nebula_version |
see defaults/main.yml | Nebula version to use. See git tags here |
nebula_additional_member_certs_download_dir |
/tmp |
Local directory to download any additional member certificates |
nebula_cert_private_key |
<UNDEFINED> |
Nebula member private key to use. If defined, no private key will be generated on CA but this one will be used. Must be defined together with nebula_cert_public_key |
nebula_cert_public_key |
<UNDEFINED> |
Nebula member public key to use. If defined, no public key will be generated on CA but this one will be siged and used. Must be defined together with nebula_cert_private_key |
nebula_additional_member_certs |
see defaults/main.yml | Dict object of additional member certs with each key being the member name and value being the member configuration. Only used to generate additional certificates on CA. Can be useful to issue certificates to devices that are not managed by Ansible (e.g. Windows or mobile devices) |
nebula_pki_disconnect_invalid |
<UNDEFINED> |
See Nebula configuration reference and example config |
nebula_lighthouse_interval |
60 |
See Nebula configuration reference and example config |
nebula_listen_host |
0.0.0.0 |
See Nebula configuration reference and example config |
nebula_listen_port |
4242 |
See Nebula configuration reference and example config |
nebula_listen_batch |
<UNDEFINED> |
See Nebula configuration reference and example config |
nebula_listen_read_buffer |
<UNDEFINED> |
See Nebula configuration reference and example config |
nebula_listen_write_buffer |
<UNDEFINED> |
See Nebula configuration reference and example config |
nebula_punchy_punch |
true |
See Nebula configuration reference and example config |
nebula_punchy_respond |
<UNDEFINED> |
See Nebula configuration reference and example config |
nebula_punchy_delay |
<UNDEFINED> |
See Nebula configuration reference and example config |
nebula_cipher |
<UNDEFINED> |
See Nebula configuration reference and example config |
nebula_tun_disabled |
false |
See Nebula configuration reference and example config |
nebula_tun_dev |
nebula1 |
See Nebula configuration reference and example config |
nebula_tun_drop_local_broadcast |
false |
See Nebula configuration reference and example config |
nebula_tun_drop_multicast |
false |
See Nebula configuration reference and example config |
nebula_tun_tx_queue |
500 |
See Nebula configuration reference and example config |
nebula_tun_mtu |
1300 |
See Nebula configuration reference and example config |
nebula_logging_level |
info |
See Nebula configuration reference and example config |
nebula_logging_format |
text |
See Nebula configuration reference and example config |
nebula_logging_disable_timestamp |
false |
See Nebula configuration reference and example config |
nebula_firewall_conntrack_tcp_timeout |
12m |
See Nebula configuration reference and example config |
nebula_firewall_conntrack_udp_timeout |
3m |
See Nebula configuration reference and example config |
nebula_firewall_conntrack_default_timeout |
10m |
See Nebula configuration reference and example config |
nebula_firewall_conntrack_max_connections |
100000 |
See Nebula configuration reference and example config |
nebula_firewall_outbound |
see defaults/main.yml | See Nebula configuration reference and example config |
nebula_firewall_inbound |
see defaults/main.yml | See Nebula configuration reference and example config |
Here's a minimalistic example:
- name: Setup Nebula
hosts: servers
become: true
strategy: free
roles:
- role: utkuozdemir.nebulaSee tests/ directory for a concrete example.