initial commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/nebula/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# UDP port for nebula tunnel traffic
+nebula_port: 4242

roles/nebula/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Restart nebula
+  service:
+    name: nebula
+    state: restarted

roles/nebula/tasks/main.yml

@@ -0,0 +1,69 @@
+- name: Allow Nebula UDP traffic
+  ufw:
+    rule: allow
+    port: "{{ nebula_port }}"
+    proto: udp
+
+- name: Download Nebula release
+  unarchive:
+    src: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz"
+    dest: /usr/local/bin/
+    remote_src: true
+    creates: /usr/local/bin/nebula
+    include:
+      - nebula
+      - nebula-cert
+
+- name: Create Nebula config directory
+  file:
+    path: /etc/nebula
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Generate Nebula CA
+  command: >
+    nebula-cert ca
+    -name "linderhof"
+    -out-crt /etc/nebula/ca.crt
+    -out-key /etc/nebula/ca.key
+  args:
+    creates: /etc/nebula/ca.key
+
+- name: Generate host certificate
+  command: >
+    nebula-cert sign
+    -ca-crt /etc/nebula/ca.crt
+    -ca-key /etc/nebula/ca.key
+    -name "lighthouse"
+    -ip "{{ nebula_lighthouse_ip }}/{{ nebula_subnet.split('/')[1] }}"
+    -out-crt /etc/nebula/host.crt
+    -out-key /etc/nebula/host.key
+  args:
+    creates: /etc/nebula/host.key
+
+- name: Deploy Nebula config
+  template:
+    src: config.yml.j2
+    dest: /etc/nebula/config.yml
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Restart nebula
+
+- name: Deploy Nebula systemd unit
+  template:
+    src: nebula.service.j2
+    dest: /etc/systemd/system/nebula.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart nebula
+
+- name: Enable and start Nebula
+  systemd:
+    name: nebula
+    enabled: true
+    state: started
+    daemon_reload: true

roles/nebula/templates/config.yml.j2

@@ -0,0 +1,40 @@
+pki:
+  ca: /etc/nebula/ca.crt
+  cert: /etc/nebula/host.crt
+  key: /etc/nebula/host.key
+
+static_host_map: {}
+
+lighthouse:
+  am_lighthouse: true
+  interval: 60
+
+listen:
+  host: 0.0.0.0
+  port: {{ nebula_port }}
+
+punchy:
+  punch: true
+
+tun:
+  dev: nebula1
+  drop_local_broadcast: false
+  drop_multicast: false
+
+logging:
+  level: info
+  format: text
+
+firewall:
+  conntrack:
+    tcp_timeout: 12m
+    udp_timeout: 3m
+    default_timeout: 10m
+  outbound:
+    - port: any
+      proto: any
+      host: any
+  inbound:
+    - port: any
+      proto: any
+      host: any

roles/nebula/templates/nebula.service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=Nebula Overlay Network
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/nebula -config /etc/nebula/config.yml
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target