---
################################################################################
# Defaults for this role (an Ansible role that installs and configures a
# nebula overlay-network node). Commented-out items are values that can be
# set but are not set automatically; if you define them they are used in
# tasks or templates as necessary. Anything here can be overridden per host
# or group in the inventory.
#
# Security-relevant defaults to review before first use:
#   - nebula_firewall_inbound_rules / nebula_firewall_outbound_rules are
#     permit-all (see the firewall section).
#   - nebula_ca_life is 20 years.
#   - nebula_nonmanaged_certs_download_dir is a world-writable directory.
################################################################################
# nebula high level system items

# Pinned upstream release. NOTE(review): this only matters when the package
# path is not used (nebula_use_native_package: false); whether the downloaded
# release archive is checksum/signature-verified is not visible from these
# defaults -- confirm in the install tasks before trusting the download path.
nebula_version: "1.8.2"
# Name embedded in this node's certificate; defaults to the short hostname.
nebula_nodename: "{{ ansible_facts.hostname }}"

# This attempts to do a package installation of nebula. For the case of Rocky
# Linux, the SIG/Core infra repo has it available. EPEL may have it available.
# A distro package is preferred: it is signed by the repo key and receives
# updates through the normal package channel.
nebula_use_native_package: true
nebula_service_name: "nebula.service"
# Directory holding config.yml, the CA cert, and this node's cert/key.
nebula_config_dir: "/etc/nebula"
# these only apply when native package is set to false and you want to change
# where things go.
nebula_download_dir: "/opt"
nebula_local_bin_dir: "/usr/local/bin"
nebula_pkg_bin_dir: "/usr/bin"

# nebula member configuration items
# Set nebula_is_ca on exactly the host that holds the CA signing key. The CA
# private key is the root of trust for the whole overlay: keep that host
# minimal, and do not also run it as a general-purpose member if you can
# avoid it.
nebula_is_ca: false
nebula_is_member: true
nebula_ca_name: "RESF Nebula CA"
# Validity of the CA certificate: 175200h is 20 years. A long CA life avoids
# rotation churn, but the CA key is the only thing standing between an
# attacker and minting valid node certs, and nebula has no online revocation
# for it. Consider a shorter life and plan for rotation (nebula accepts
# multiple CA certs in pki.ca, which makes overlap-and-rotate possible).
nebula_ca_life: "175200h"
# Seconds a member waits for the CA side (presumably the cert signing step)
# before giving up. NOTE(review): exact semantics live in the tasks; verify.
nebula_ca_wait_timeout_secs: "300"
# Inventory name of the host acting as CA; required when members are signed
# by a CA managed by this role.
# nebula_ca_host: somehost.example.com

# Groups are signed into the node certificate and are what firewall rules
# match on (group/groups). They cannot be changed without re-signing the cert.
nebula_groups: []
nebula_am_lighthouse: false
# Seconds between lighthouse update reports.
nebula_lighthouse_interval: "60"
# Public/underlay address that other nodes can reach this host on (required
# for lighthouses).
# nebula_routable_ip: "X.X.X.X"
# This node's overlay address in CIDR form; must match the signed cert.
# nebula_ip: "X.X.X.X/24"

# nebula listening settings
# leaving buffers unset will use the system settings.
# see: https://nebula.defined.net/docs/config/listen/
# 0.0.0.0 binds all IPv4 interfaces; use "[::]" if you need dual-stack. This
# is the underlay UDP socket and must be reachable through any host firewall
# for NAT punching / lighthouse registration to work.
nebula_listen_host: "0.0.0.0"
nebula_listen_port: "4242"
# nebula_listen_batch: "64"
# nebula_listen_read_buffer: "10485760"
# nebula_listen_write_buffer: "10485760"
# nebula_listen_send_recv_error: always

# static_map settings
# this role doesn't support DNS names (yet anyway). so these settings are here
# for when we do.
nebula_static_map: false
# nebula_static_map_cadence: "30s"
# nebula_static_map_network: "ip4"
# nebula_static_map_lookup_timeout: "250ms"

# punchy settings - use this for NAT situations. most cases there are NAT
# situations.
# see: https://nebula.defined.net/docs/config/punchy/
# punch: true sends periodic keep-alive/hole-punch packets so that NAT
# mappings stay open; harmless on hosts with public addresses.
nebula_punchy_punch: true
# nebula_punchy_respond: true
# nebula_punchy_respond_delay: "5s"
# nebula_punchy_delay: "1s"

# cipher options
# AES is the default. Most hardware supports this. ALL NODES MUST HAVE THE SAME
# CIPHER OPTION SET.
# "aes" (AES-GCM) is fast where AES-NI / ARMv8 crypto extensions exist; the
# other accepted value is "chachapoly" for hardware without AES acceleration.
# A node with a mismatched cipher cannot complete the handshake with its
# peers, so change this everywhere at once or not at all.
nebula_cipher: "aes"

# tun settings
# see: https://nebula.defined.net/docs/config/tun/
# tun_disabled: true is for lighthouse-only or relay hosts that should not
# terminate overlay traffic themselves.
nebula_tun_disabled: false
nebula_tun_dev: "rneb01"
nebula_tun_drop_local_broadcast: false
nebula_tun_drop_multicast: false
nebula_tun_tx_queue: "500"
# 1300 leaves headroom for the nebula/UDP overhead on a 1500-byte underlay.
nebula_tun_mtu: "1300"
# set this to true if you want to let the system route table handle unsafe
# routes instead of nebula.
nebula_use_system_route_table: false
# Use this to set an MTU override for specific overlay destinations
# (nebula tun.routes). Not for reaching non-nebula networks; see below.
nebula_routes: []
# Use this to route nebula traffic to non-nebula nodes. Avoid this in
# normal cases. See documentation.
# Every unsafe route turns this host into a gateway into the listed network
# for every peer the firewall admits, so pair it with tight inbound rules and
# make sure the target network is one you intend to expose.
nebula_unsafe_routes: []

# logging settings
# see: https://nebula.defined.net/docs/config/logging/
# "info" is enough to see handshakes and firewall drops; "debug" logs peer
# details and is noisy -- do not leave it on in production.
nebula_logging_level: "info"
# "text" or "json"; json is easier to ship to a SIEM.
nebula_logging_format: "text"
nebula_logging_disable_timestamp: false
# nebula_logging_timestamp_format: "2006-01-02T15:04:05Z07:00"

# firewall settings
# see: https://nebula.defined.net/docs/config/firewall/
# Nebula's firewall is default-deny: traffic not matched by a rule is dropped.
# Conntrack timeouts below bound how long an established flow stays allowed
# without a matching rule being re-evaluated.
nebula_firewall_conntrack_tcp_timeout: "12m"
nebula_firewall_conntrack_udp_timeout: "3m"
nebula_firewall_conntrack_default_timeout: "10m"
# What to do with traffic no rule matches: "drop" (silent, nebula's default)
# or "reject" (send an ICMP/TCP reset; friendlier to debugging, slightly more
# informative to a probing peer).
# nebula_firewall_outbound_action: "drop"
# nebula_firewall_inbound_action: "drop"

# WARNING (security): the default inbound rule below permits ANY port and
# protocol from ANY node that holds a certificate signed by this CA. That
# makes the overlay a flat trusted network -- a single compromised node can
# reach every service on every member. Override this per host/group with
# least-privilege rules keyed on the cert groups, for example:
#
#   nebula_firewall_inbound_rules:
#     - port: any
#       proto: icmp
#       host: any
#     - port: "22"
#       proto: tcp
#       groups: ["admin"]
#
# NOTE(review): check that the role's config template passes through the
# rule keys you rely on (group/groups/cidr/ca_name) before depending on them.
nebula_firewall_inbound_rules:
  - port: any
    proto: any
    host: any

# Outbound permit-all is the usual choice; tighten it on hosts that should
# only ever talk to a known set of overlay services.
nebula_firewall_outbound_rules:
  - port: any
    proto: any
    host: any

# nebula certificate configuration items
# Pre-issued certificate and private key for this node, as block scalars.
# The private key is a long-lived credential: never store it in plaintext
# in version control -- keep it in ansible-vault (or an external secret
# store) and supply it via host_vars. NOTE(review): how the role writes these
# to disk (owner/mode) is not visible here; the key should end up 0600, root.
# nebula_cert_public_key: |
# nebula_cert_private_key: |
# Tear down existing tunnels when the peer's cert expires or is blocklisted,
# rather than letting them run until the next handshake. Keep this true --
# it is what makes revocation below take effect for live connections.
nebula_pki_disconnect_invalid: true
# Certificate fingerprints that this node refuses to talk to. Nebula has no
# CRL/OCSP; pushing a leaked or decommissioned node's fingerprint to every
# member via this list is the revocation mechanism.
nebula_pki_blocklist: []

# Staging directory for certificates supplied outside this role's CA flow.
# NOTE(review): /var/tmp is world-writable (sticky) and persists across
# reboots, so anything staged here -- possibly including private keys -- is
# exposed to pre-creation/symlink tricks by local users and may linger after
# the play. Prefer overriding this to a root-owned 0700 directory and confirm
# the tasks remove the staged files once they are installed.
nebula_nonmanaged_certs_download_dir: "/var/tmp"
# Map of externally managed member certs consumed from the directory above;
# exact shape is defined by the tasks that read it.
nebula_nonmanaged_member_certs: {}

# Where the CA host keeps its CA cert/key and nebula-cert binary when they
# differ from the member defaults.
# nebula_ca_config_dir: "/etc/nebula"
# nebula_ca_bin_dir: "/usr/bin"

# Underlay CIDRs that peers should prefer when choosing a path to this node
# (e.g. a LAN range so local peers skip the public address).
# nebula_preferred_ranges: []
# Number of tun/UDP worker routines; 1 is fine for most hosts.
# nebula_routines: 1
...