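# Nebula Configuration ({{ ansible_managed }})
{# Jinja2 template rendered by Ansible's template module. Block tags are kept
   at column 0: with trim_blocks on, any indent written before a tag survives
   into the rendered YAML and shifts the next key. Fixes in this revision:
   punchy keys were spelt "repond"/"repond_delay" (silently ignored by Nebula),
   lookup_timeout was guarded by the wrong variable, default_local_cidr_any
   referenced an unprefixed variable, and the use_system_route_table "if" had
   no matching endif. #}

# PKI
pki:
  ca: {{ nebula_config_dir }}/ca.crt
  cert: {{ nebula_config_dir }}/{{ nebula_nodename }}.crt
{# This is the node's private key; its file mode is not managed here. #}
  key: {{ nebula_config_dir }}/{{ nebula_nodename }}.key
{# Only a truthy value is rendered, so this template can turn the check on but
   never writes "disconnect_invalid: false"; when the variable is unset or
   false, Nebula's own default applies. #}
{% if nebula_pki_disconnect_invalid %}
  disconnect_invalid: {{ nebula_pki_disconnect_invalid }}
{% endif %}
{% if nebula_pki_blocklist|length >= 1 %}
  blocklist:
    {{ nebula_pki_blocklist | to_nice_yaml(indent=2) | indent(width=4) }}
{% endif %}

# static host map
{# Every play host flagged as a lighthouse (and still a member) is mapped from
   its overlay IP to its public address. A lighthouse with no
   nebula_routable_ip renders as "NONE:<port>", which Nebula will refuse at
   startup rather than point at a wrong address -- presumably the intended
   fail-loud behaviour; confirm before relying on it. #}
static_host_map:
{% for host in ansible_play_hosts_all %}
{% if (hostvars[host]['nebula_am_lighthouse']|default(false)) and (hostvars[host]['nebula_is_member']|default(true)) %}
  "{{ hostvars[host]['nebula_ip'].split('/')[0] }}": ["{{ hostvars[host]['nebula_routable_ip']|default('NONE') }}:{{ hostvars[host]['nebula_listen_port']|default('4242') }}"]
{% endif %}
{% endfor %}

{% if nebula_static_map %}
{# Each key is guarded by its own variable so an unset one is omitted instead
   of rendering an undefined-variable error. #}
static_map:
{% if nebula_static_map_cadence is defined %}
  cadence: {{ nebula_static_map_cadence }}
{% endif %}
{% if nebula_static_map_network is defined %}
  network: {{ nebula_static_map_network }}
{% endif %}
{% if nebula_static_map_lookup_timeout is defined %}
  lookup_timeout: {{ nebula_static_map_lookup_timeout }}
{% endif %}
{% endif %}

# lighthouse configuration
lighthouse:
  am_lighthouse: {{ nebula_am_lighthouse }}
  interval: {{ nebula_lighthouse_interval }}
{# On a lighthouse the list is left empty (rendered as a bare key); every other
   node gets the overlay IP of each lighthouse in the play. #}
  hosts:
{% if not nebula_am_lighthouse %}
{% for host in ansible_play_hosts_all %}
{% if (hostvars[host]['nebula_am_lighthouse']|default(false)) and (hostvars[host]['nebula_is_member']|default(true)) %}
    - '{{ hostvars[host]['nebula_ip'].split('/')[0] }}'
{% endif %}
{% endfor %}
{% endif %}

# listen configuration
listen:
  host: {{ nebula_listen_host }}
  port: {{ nebula_listen_port }}
{% if nebula_listen_batch is defined %}
  batch: {{ nebula_listen_batch }}
{% endif %}
{% if nebula_listen_read_buffer is defined %}
  read_buffer: {{ nebula_listen_read_buffer }}
{% endif %}
{% if nebula_listen_write_buffer is defined %}
  write_buffer: {{ nebula_listen_write_buffer }}
{% endif %}
{% if nebula_listen_send_recv_error is defined %}
  send_recv_error: {{ nebula_listen_send_recv_error }}
{% endif %}

# punchy
punchy:
  punch: {{ nebula_punchy_punch }}
{# Key names must match Nebula's "respond" / "respond_delay" exactly; a
   misspelt key is not an error, it is just never applied. #}
{% if nebula_punchy_respond is defined %}
  respond: {{ nebula_punchy_respond }}
{% endif %}
{% if nebula_punchy_respond_delay is defined %}
  respond_delay: {{ nebula_punchy_respond_delay }}
{% endif %}
{% if nebula_punchy_delay is defined %}
  delay: {{ nebula_punchy_delay }}
{% endif %}

{% if nebula_cipher is defined %}
# cipher
cipher: {{ nebula_cipher }}
{% endif %}
{# Rendered as a Python list literal, which YAML reads as a flow sequence;
   adequate for a plain list of CIDR strings. #}
{% if nebula_preferred_ranges|length >= 1 %}
preferred_ranges: {{ nebula_preferred_ranges }}
{% endif %}
{% if nebula_routines is defined %}
routines: {{ nebula_routines }}
{% endif %}

# tun
tun:
  disabled: {{ nebula_tun_disabled }}
  dev: {{ nebula_tun_dev }}
  drop_local_broadcast: {{ nebula_tun_drop_local_broadcast }}
  drop_multicast: {{ nebula_tun_drop_multicast }}
  tx_queue: {{ nebula_tun_tx_queue }}
  mtu: {{ nebula_tun_mtu }}
{% if nebula_use_system_route_table %}
  use_system_route_table: {{ nebula_use_system_route_table }}
{% endif %}
{# routes / unsafe_routes are always emitted (bare key = null when empty).
   unsafe_routes forwards traffic for non-overlay CIDRs through a named node,
   so review entries here together with the firewall rules below. #}
{% if nebula_routes|length >= 1 %}
  routes:
    {{ nebula_routes|to_nice_yaml(indent=2)|indent(width=4) }}
{% else %}
  routes:
{% endif %}
{% if nebula_unsafe_routes|length >= 1 %}
  unsafe_routes:
    {{ nebula_unsafe_routes|to_nice_yaml(indent=2)|indent(width=4) }}
{% else %}
  unsafe_routes:
{% endif %}

# logging
logging:
  level: {{ nebula_logging_level }}
  format: {{ nebula_logging_format }}
  disable_timestamp: {{ nebula_logging_disable_timestamp }}

# firewall
firewall:
{# default_local_cidr_any changes how rules without an explicit local_cidr are
   matched (relevant with unsafe_routes); it is only written when the role
   variable is set so Nebula's default otherwise applies. #}
{% if nebula_default_local_cidr_any is defined %}
  default_local_cidr_any: {{ nebula_default_local_cidr_any }}
{% endif %}
{% if nebula_firewall_outbound_action is defined %}
  outbound_action: {{ nebula_firewall_outbound_action }}
{% endif %}
{% if nebula_firewall_inbound_action is defined %}
  inbound_action: {{ nebula_firewall_inbound_action }}
{% endif %}
  conntrack:
    tcp_timeout: {{ nebula_firewall_conntrack_tcp_timeout }}
    udp_timeout: {{ nebula_firewall_conntrack_udp_timeout }}
    default_timeout: {{ nebula_firewall_conntrack_default_timeout }}
{# Rule lists come straight from inventory; an empty list renders as "[]". #}
  inbound:
    {{ nebula_firewall_inbound_rules | to_nice_yaml(indent=2) | indent(width=4) }}
  outbound:
    {{ nebula_firewall_outbound_rules | to_nice_yaml(indent=2) | indent(width=4) }}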