---
################################################################################
# These are the defaults for this role. Commented items are values that can be
# set but are not automatically. If they are defined, they will be used in tasks
# or templates as necessary.
#
# Security-relevant defaults are called out inline below. In particular the
# firewall defaults are allow-all and the CA lifetime is very long; review both
# before rolling this role out beyond a lab.
################################################################################

# nebula high level system items
nebula_version: "1.8.2"
nebula_nodename: "{{ ansible_facts.hostname }}"
# This attempts to do a package installation of nebula. For the case of Rocky
# Linux, the SIG/Core infra repo has it available. EPEL may have it available.
nebula_use_native_package: true
nebula_service_name: "nebula.service"
nebula_config_dir: "/etc/nebula"
# these only apply when native package is set to false and you want to change
# where things go.
nebula_download_dir: "/opt"
nebula_local_bin_dir: "/usr/local/bin"
nebula_pkg_bin_dir: "/usr/bin"

# nebula member configuration items
nebula_is_ca: false
nebula_is_member: true
nebula_ca_name: "RESF Nebula CA"
# 175200h is 20 years. A CA valid that long has no natural rotation point, so
# revocation of compromised member certs depends entirely on nebula_pki_blocklist
# below being kept current on every node. Shorten this (or plan a CA rotation)
# for anything beyond a lab deployment.
nebula_ca_life: "175200h"
nebula_ca_wait_timeout_secs: "300"
# nebula_ca_host: somehost.example.com
nebula_groups: []
nebula_am_lighthouse: false
nebula_lighthouse_interval: "60"
# nebula_routable_ip: "X.X.X.X"
# nebula_ip: "X.X.X.X/24"

# nebula listening settings
# leaving buffers unset will use the system settings.
# see: https://nebula.defined.net/docs/config/listen/
# This is the underlay UDP listener (the encrypted transport), not the overlay
# interface; binding all interfaces is the usual choice for mesh nodes.
nebula_listen_host: "0.0.0.0"
nebula_listen_port: "4242"
# nebula_listen_batch: "64"
# nebula_listen_read_buffer: "10485760"
# nebula_listen_write_buffer: "10485760"
# nebula_listen_send_recv_error: always

# static_map settings
# this role doesn't support DNS names (yet anyway). so these settings are here
# for when we do.
nebula_static_map: false
# nebula_static_map_cadence: "30s"
# nebula_static_map_network: "ip4"
# nebula_static_map_lookup_timeout: "250ms"

# punchy settings - use this for NAT situations. most cases there are NAT
# situations.
# see: https://nebula.defined.net/docs/config/punchy/
nebula_punchy_punch: true
# nebula_punchy_respond: true
# nebula_punchy_respond_delay: "5s"
# nebula_punchy_delay: "1s"

# cipher options
# AES is the default. Most hardware supports this. ALL NODES MUST HAVE THE SAME
# CIPHER OPTION SET. A node with a mismatched cipher cannot complete a handshake
# with the rest of the mesh.
nebula_cipher: "aes"

# tun settings
# see: https://nebula.defined.net/docs/config/tun/
nebula_tun_disabled: false
nebula_tun_dev: "rneb01"
nebula_tun_drop_local_broadcast: false
nebula_tun_drop_multicast: false
nebula_tun_tx_queue: "500"
nebula_tun_mtu: "1300"
# set this to true if you want to let the system route table handle unsafe
# routes instead of nebula.
nebula_use_system_route_table: false
# Use this to set an MTU override.
nebula_routes: []
# Use this to route nebula traffic to non-nebula nodes. Avoid this in
# normal cases. See documentation. Each unsafe route turns this node into a
# gateway for that prefix, so it widens what the overlay firewall below has to
# cover.
nebula_unsafe_routes: []

# logging settings
# see: https://nebula.defined.net/docs/config/logging/
nebula_logging_level: "info"
nebula_logging_format: "text"
nebula_logging_disable_timestamp: false
# nebula_logging_timestamp_format: "2006-01-02T15:04:05Z07:00"

# firewall settings
# see: https://nebula.defined.net/docs/config/firewall/
nebula_firewall_conntrack_tcp_timeout: "12m"
nebula_firewall_conntrack_udp_timeout: "3m"
nebula_firewall_conntrack_default_timeout: "10m"
# nebula_firewall_outbound_action: "drop"
# nebula_firewall_inbound_action: "drop"
# WARNING: the defaults below are allow-all in both directions. Every host that
# holds a cert from this CA can reach every local port over the overlay, and
# this host can reach anything. Override these per host or per group (restrict
# `port`, `proto` and `host`; the nebula firewall also supports `groups`/`cidr`
# selectors — confirm the role's template renders them before relying on that)
# before exposing services on the overlay.
nebula_firewall_inbound_rules:
  - port: any
    proto: any
    host: any
nebula_firewall_outbound_rules:
  - port: any
    proto: any
    host: any

# nebula certificate configuration items
# Do not put a real private key in a plain-text defaults/vars file committed to
# VCS; supply nebula_cert_private_key from Ansible Vault or a secret store.
# nebula_cert_public_key: |
# nebula_cert_private_key: |
# Keep this true: tunnels to a peer whose cert has expired or been blocklisted
# are torn down instead of lingering until the next handshake.
nebula_pki_disconnect_invalid: true
# Fingerprints of revoked member certs. With the 20-year CA life above this
# list is the only revocation mechanism, so keep it in sync across all nodes.
nebula_pki_blocklist: []
# NOTE(review): /var/tmp is world-writable (sticky). If the role stages cert or
# key material here, confirm the files are created with a restrictive mode and
# owner, or point this at a root-owned directory instead.
nebula_nonmanaged_certs_download_dir: "/var/tmp"
nebula_nonmanaged_member_certs: {}
# nebula_ca_config_dir: "/etc/nebula"
# nebula_ca_bin_dir: "/usr/bin"
# nebula_preferred_ranges: []
# nebula_routines: 1
...