initial commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/nebula/tasks/main.yml

@@ -0,0 +1,69 @@
+- name: Allow Nebula UDP traffic
+  ufw:
+    rule: allow
+    port: "{{ nebula_port }}"
+    proto: udp
+
+- name: Download Nebula release
+  unarchive:
+    src: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz"
+    dest: /usr/local/bin/
+    remote_src: true
+    creates: /usr/local/bin/nebula
+    include:
+      - nebula
+      - nebula-cert
+
+- name: Create Nebula config directory
+  file:
+    path: /etc/nebula
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Generate Nebula CA
+  command: >
+    nebula-cert ca
+    -name "linderhof"
+    -out-crt /etc/nebula/ca.crt
+    -out-key /etc/nebula/ca.key
+  args:
+    creates: /etc/nebula/ca.key
+
+- name: Generate host certificate
+  command: >
+    nebula-cert sign
+    -ca-crt /etc/nebula/ca.crt
+    -ca-key /etc/nebula/ca.key
+    -name "lighthouse"
+    -ip "{{ nebula_lighthouse_ip }}/{{ nebula_subnet.split('/')[1] }}"
+    -out-crt /etc/nebula/host.crt
+    -out-key /etc/nebula/host.key
+  args:
+    creates: /etc/nebula/host.key
+
+- name: Deploy Nebula config
+  template:
+    src: config.yml.j2
+    dest: /etc/nebula/config.yml
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Restart nebula
+
+- name: Deploy Nebula systemd unit
+  template:
+    src: nebula.service.j2
+    dest: /etc/systemd/system/nebula.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart nebula
+
+- name: Enable and start Nebula
+  systemd:
+    name: nebula
+    enabled: true
+    state: started
+    daemon_reload: true