projects/arvandor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
arvandor/nebula/README.md
Damien Coles 0c77379ab3 public-ready-init
2026-01-26 00:44:31 -05:00

165 lines
4.0 KiB
Markdown
Raw Blame History

# Nebula Overlay Network
Nebula is a scalable overlay network that provides encrypted connectivity between all VMs regardless of their physical location.
## Architecture
```
┌─────────────┐
│ Lighthouse │
│ 10.10.10.10 │
└──────┬──────┘
┌─────────────────┼─────────────────┐
│ │ │
┌────▼────┐ ┌────▼────┐ ┌────▼────┐
│ VM 1 │ │ VM 2 │ │ VM 3 │
│ 10.10.10.11 │ 10.10.10.20 │ 10.10.10.30
└─────────┘ └─────────┘ └─────────┘
```
## Groups
Nebula uses groups for firewall segmentation:
| Group | Purpose | Can Access |
|-------|---------|------------|
| `admin` | Personal devices | Everything |
| `infrastructure` | Core services | Each other |
| `projects` | Application workloads | Infrastructure |
| `lighthouse` | Nebula relays | - |
| `games` | Game servers | Isolated |
## Setup
### 1. Generate Certificate Authority
```bash
nebula-cert ca -name "Arvandor CA" -duration 87600h
```
This creates:
- `ca.crt` - Certificate (share with all hosts)
- `ca.key` - Private key (keep secure, do not commit!)
### 2. Generate Host Certificates
```bash
# Infrastructure VM example
nebula-cert sign -ca-crt ca.crt -ca-key ca.key \
-name "dns" \
-networks "10.10.10.11/24" \
-groups "infrastructure" \
-out-crt configs/1001/dns/dns.crt \
-out-key configs/1001/dns/dns.key
# Application VM example
nebula-cert sign -ca-crt ca.crt -ca-key ca.key \
-name "app-server" \
-networks "10.10.10.50/24" \
-groups "projects" \
-out-crt configs/4050/app-server/app-server.crt \
-out-key configs/4050/app-server/app-server.key
# Lighthouse
nebula-cert sign -ca-crt ca.crt -ca-key ca.key \
-name "lighthouse" \
-networks "10.10.10.10/24" \
-groups "infrastructure,lighthouse" \
-out-crt configs/1000/lighthouse/lighthouse.crt \
-out-key configs/1000/lighthouse/lighthouse.key
```
### 3. Directory Structure
```
nebula/
├── ca.crt # Certificate authority (commit this)
├── ca.key # CA private key (DO NOT COMMIT)
├── configs/
│ ├── 1000/lighthouse/
│ │ ├── lighthouse.crt
│ │ └── lighthouse.key
│ ├── 1001/dns/
│ │ ├── dns.crt
│ │ └── dns.key
│ └── ...
└── README.md
```
### 4. Deploy with Ansible
The `nebula.yml` playbook deploys certificates and configuration:
```bash
ansible-playbook -i inventory.ini playbooks/nebula.yml --limit "new-vm"
```
## Lighthouse Configuration
The lighthouse requires manual configuration (not managed by Ansible):
```yaml
# /etc/nebula/config.yml on lighthouse
pki:
ca: /etc/nebula/ca.crt
cert: /etc/nebula/config.crt
key: /etc/nebula/config.key
static_host_map: {}
lighthouse:
am_lighthouse: true
serve_dns: false
listen:
host: 0.0.0.0
port: 4242
punchy:
punch: true
respond: true
relay:
am_relay: true
tun:
dev: nebula1
drop_local_broadcast: true
drop_multicast: true
firewall:
conntrack:
tcp_timeout: 12h
udp_timeout: 3m
default_timeout: 10m
outbound:
- port: any
proto: any
host: any
inbound:
- port: any
proto: any
group: admin
- port: any
proto: any
group: infrastructure
- port: any
proto: icmp
host: any
```
## IP Allocation
| VMID Range | Network Segment | Last Octet |
|------------|-----------------|------------|
| 1000-1999 | Management | 10-19 |
| 2000-2999 | Services | 20-29 |
| 3000-3999 | Data | 30-49 |
| 4000-4999 | Workloads | 50-59 |
| 5000-5999 | Monitoring | 90-99 |
Example: VMID 3000 → 10.10.10.30
Reference in New Issue View Git Blame Copy Permalink