---
# Nebula overlay-network config for a regular (non-lighthouse) node.
# Endpoint addresses are Jinja-templated; every templated scalar is quoted so
# an empty or boolean-looking expansion cannot change its YAML type.

pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/config.crt
  key: /etc/nebula/config.key

# Overlay IP of each lighthouse -> the underlay "ip:port" endpoints it can be
# reached at. Only lighthouses need static entries; other peers are learned.
static_host_map:
  # Primary lighthouse (InterServer datacenter), via the bridge or public IP
  "{{ lighthouse_nebula_ip }}":
    - "{{ lighthouse_bridge_ip }}:4242"
    - "{{ lighthouse_public_ip }}:4242"
  # Home lighthouse (Dell), lowers latency for hosts on the home network
  "{{ home_lighthouse_nebula_ip }}":
    - "{{ home_lighthouse_public_ip }}:4242"

lighthouse:
  am_lighthouse: false
  # seconds between this node's reports to its lighthouses
  interval: 60
  hosts:
    - "{{ lighthouse_nebula_ip }}"
    - "{{ home_lighthouse_nebula_ip }}"

# NAT hole punching: keep punching outbound and answer punch requests from peers
punchy:
  punch: true
  respond: true

# Both lighthouses also serve as relays for peers that cannot punch through
relay:
  relays:
    - "{{ lighthouse_nebula_ip }}"
    - "{{ home_lighthouse_nebula_ip }}"

# port 0 lets the OS pick an ephemeral UDP port; acceptable here because this
# node is not a lighthouse, so peers discover its address via the lighthouses
listen:
  host: 0.0.0.0
  port: 0

tun:
  dev: nebula1
  drop_local_broadcast: true
  drop_multicast: true

firewall:
  conntrack:
    tcp_timeout: 12h
    udp_timeout: 3m
    default_timeout: 10m

  # Nebula's firewall is default-deny; every entry below is an allow rule.
  # Traffic this host originates is unrestricted.
  outbound:
    - port: any
      proto: any
      host: any

  # Group rules match any peer whose certificate carries that group, so the
  # four group rules below together grant full access to every certificate in
  # admin/infrastructure/projects/ad; peers outside those groups get ICMP only.
  inbound:
    # Admin (laptop) has full access
    - port: any
      proto: any
      group: admin
    # Infrastructure hosts can talk to each other on any port
    - port: any
      proto: any
      group: infrastructure
    # Projects can reach infrastructure services (all ports, not a curated set)
    - port: any
      proto: any
      group: projects
    # AD domain machines can reach infrastructure (DNS forwarding, etc.).
    # NOTE(review): this admits every port/proto from the ad group, which is
    # wider than the DNS use case named here; narrow it (e.g. port: 53) if that
    # is the only flow actually needed.
    - port: any
      proto: any
      group: ad
    # Allow ICMP from anyone (ping) -- the only rule open to non-group peers
    - port: any
      proto: icmp
      host: any