Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / 7e73ba7b0734c3651a46f285018dc2bd53fc9201 / . / charts / auth / templates / lighthouse-config.yaml
blob: f4444e0b05ff51a96a58484d327731ab8bd326fe [file] [log] [blame]
giolekvadd750802021-11-07 13:24:21 +0400[diff] [blame]1apiVersion: v1
2kind: ConfigMap
3metadata:
4 name: {{ .Values.ui.nebula.lighthouse.name }}
5 namespace: {{ .Release.Namespace }}
6data:
giolekva7e73ba72021-12-03 13:14:20 +0400[diff] [blame^]7 lighthouse.yaml: |
8 # This is the nebula example configuration file. You must edit, at a minimum, the static_host_map, lighthouse, and firewall sections
9 # Some options in this file are HUPable, including the pki section. (A HUP will reload credentials from disk without affecting existing tunnels)
10
11 # PKI defines the location of credentials for this node. Each of these can also be inlined by using the yaml ": |" syntax.
12 pki:
13 # The CAs that are accepted by this node. Must contain one or more certificates created by 'nebula-cert ca'
14 ##ca: /etc/nebula/ca/ca.crt
15 ca: /etc/nebula/lighthouse/ca.crt
16 cert: /etc/nebula/lighthouse/host.crt
17 key: /etc/nebula/lighthouse/host.key
18 #blocklist is a list of certificate fingerprints that we will refuse to talk to
19 #blocklist:
20 # - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
21
22 # The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
23 # A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.
24 # The syntax is:
25 # "{nebula ip}": ["{routable ip/dns name}:{routable port}"]
26 # Example, if your lighthouse has the nebula IP of 192.168.100.1 and has the real ip address of 100.64.22.11 and runs on port 4243:
27 static_host_map:
28 "{{ .Values.ui.nebula.lighthouse.internalIP }}": ["{{ .Values.ui.nebula.lighthouse.externalIP }}>:{{ .Values.ui.nebula.lighthouse.port }}>"]
29
30
31 lighthouse:
32 # am_lighthouse is used to enable lighthouse functionality for a node. This should ONLY be true on nodes
33 # you have configured to be lighthouses in your network
34 am_lighthouse: false
35 # serve_dns optionally starts a dns listener that responds to various queries and can even be
36 # delegated to for resolution
37 #serve_dns: false
38 #dns:
39 # The DNS host defines the IP to bind the dns listener to. This also allows binding to the nebula node IP.
40 #host: 0.0.0.0
41 #port: 53
42 # interval is the number of seconds between updates from this node to a lighthouse.
43 # during updates, a node sends information about its current IP addresses to each node.
44 interval: 60
45 # hosts is a list of lighthouse hosts this node should report to and query from
46 # IMPORTANT: THIS SHOULD BE EMPTY ON LIGHTHOUSE NODES
47 # IMPORTANT2: THIS SHOULD BE LIGHTHOUSES' NEBULA IPs, NOT LIGHTHOUSES' REAL ROUTABLE IPs
48 hosts:
49 - {{ .Values.ui.nebula.lighthouse.internalIP }}
50
51 # remote_allow_list allows you to control ip ranges that this node will
52 # consider when handshaking to another node. By default, any remote IPs are
53 # allowed. You can provide CIDRs here with `true` to allow and `false` to
54 # deny. The most specific CIDR rule applies to each remote. If all rules are
55 # "allow", the default will be "deny", and vice-versa. If both "allow" and
56 # "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the
57 # default.
58 #remote_allow_list:
59 # Example to block IPs from this subnet from being used for remote IPs.
60 #"172.16.0.0/12": false
61
62 # A more complicated example, allow public IPs but only private IPs from a specific subnet
63 #"0.0.0.0/0": true
64 #"10.0.0.0/8": false
65 #"10.42.42.0/24": true
66
67 # local_allow_list allows you to filter which local IP addresses we advertise
68 # to the lighthouses. This uses the same logic as `remote_allow_list`, but
69 # additionally, you can specify an `interfaces` map of regular expressions
70 # to match against interface names. The regexp must match the entire name.
71 # All interface rules must be either true or false (and the default will be
72 # the inverse). CIDR rules are matched after interface name rules.
73 # Default is all local IP addresses.
74 #local_allow_list:
75 # Example to block tun0 and all docker interfaces.
76 #interfaces:
77 #tun0: false
78 #'docker.*': false
79 # Example to only advertise this subnet to the lighthouse.
80 #"10.0.0.0/8": true
81
82 # Port Nebula will be listening on. The default here is 4243. For a lighthouse node, the port should be defined,
83 # however using port 0 will dynamically assign a port and is recommended for roaming nodes.
84 listen:
85 # To listen on both any ipv4 and ipv6 use "[::]"
86 host: "[::]"
87 port: 4243
88 # Sets the max number of packets to pull from the kernel for each syscall (under systems that support recvmmsg)
89 # default is 64, does not support reload
90 #batch: 64
91 # Configure socket buffers for the udp side (outside), leave unset to use the system defaults. Values will be doubled by the kernel
92 # Default is net.core.rmem_default and net.core.wmem_default (/proc/sys/net/core/rmem_default and /proc/sys/net/core/rmem_default)
93 # Maximum is limited by memory in the system, SO_RCVBUFFORCE and SO_SNDBUFFORCE is used to avoid having to raise the system wide
94 # max, net.core.rmem_max and net.core.wmem_max
95 #read_buffer: 10485760
96 #write_buffer: 10485760
97
98 # EXPERIMENTAL: This option is currently only supported on linux and may
99 # change in future minor releases.
100 #
101 # Routines is the number of thread pairs to run that consume from the tun and UDP queues.
102 # Currently, this defaults to 1 which means we have 1 tun queue reader and 1
103 # UDP queue reader. Setting this above one will set IFF_MULTI_QUEUE on the tun
104 # device and SO_REUSEPORT on the UDP socket to allow multiple queues.
105 #routines: 1
106
107 punchy:
108 # Continues to punch inbound/outbound at a regular interval to avoid expiration of firewall nat mappings
109 punch: true
110
111 # respond means that a node you are trying to reach will connect back out to you if your hole punching fails
112 # this is extremely useful if one node is behind a difficult nat, such as a symmetric NAT
113 # Default is false
114 #respond: true
115
116 # delays a punch response for misbehaving NATs, default is 1 second, respond must be true to take effect
117 #delay: 1s
118
119 # Cipher allows you to choose between the available ciphers for your network. Options are chachapoly or aes
120 # IMPORTANT: this value must be identical on ALL NODES/LIGHTHOUSES. We do not/will not support use of different ciphers simultaneously!
121 cipher: chachapoly
122
123 # Local range is used to define a hint about the local network range, which speeds up discovering the fastest
124 # path to a network adjacent nebula node.
125 #local_range: "172.16.0.0/24"
126
127 # sshd can expose informational and administrative functions via ssh this is a
128 #sshd:
129 # Toggles the feature
130 #enabled: true
131 # Host and port to listen on, port 22 is not allowed for your safety
132 #listen: 127.0.0.1:2222
133 # A file containing the ssh host private key to use
134 # A decent way to generate one: ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
135 #host_key: ./ssh_host_ed25519_key
136 # A file containing a list of authorized public keys
137 #authorized_users:
138 #- user: steeeeve
139 # keys can be an array of strings or single string
140 #keys:
141 #- "ssh public key string"
142
143 # Configure the private interface. Note: addr is baked into the nebula certificate
144 tun:
145 # When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root)
146 disabled: false
147 # Name of the device
148 dev: nebula1
149 # Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in pki.cert
150 drop_local_broadcast: false
151 # Toggles forwarding of multicast packets
152 drop_multicast: false
153 # Sets the transmit queue length, if you notice lots of transmit drops on the tun it may help to raise this number. Default is 500
154 tx_queue: 500
155 # Default MTU for every packet, safe setting is (and the default) 1300 for internet based traffic
156 mtu: 1300
157 # Route based MTU overrides, you have known vpn ip paths that can support larger MTUs you can increase/decrease them here
158 routes:
159 #- mtu: 8800
160 # route: 10.0.0.0/16
161 # Unsafe routes allows you to route traffic over nebula to non-nebula nodes
162 # Unsafe routes should be avoided unless you have hosts/services that cannot run nebula
163 # NOTE: The nebula certificate of the "via" node *MUST* have the "route" defined as a subnet in its certificate
164 unsafe_routes:
165 #- route: 172.16.1.0/24
166 # via: 192.168.100.99
167 # mtu: 1300 #mtu will default to tun mtu if this option is not sepcified
168
169
170 # TODO
171 # Configure logging level
172 logging:
173 # panic, fatal, error, warning, info, or debug. Default is info
174 level: info
175 # json or text formats currently available. Default is text
176 format: text
177 # Disable timestamp logging. useful when output is redirected to logging system that already adds timestamps. Default is false
178 #disable_timestamp: true
179 # timestamp format is specified in Go time format, see:
180 # https://golang.org/pkg/time/#pkg-constants
181 # default when `format: json`: "2006-01-02T15:04:05Z07:00" (RFC3339)
182 # default when `format: text`:
183 # when TTY attached: seconds since beginning of execution
184 # otherwise: "2006-01-02T15:04:05Z07:00" (RFC3339)
185 # As an example, to log as RFC3339 with millisecond precision, set to:
186 #timestamp_format: "2006-01-02T15:04:05.000Z07:00"
187
188 #stats:
189 #type: graphite
190 #prefix: nebula
191 #protocol: tcp
192 #host: 127.0.0.1:9999
193 #interval: 10s
194
195 #type: prometheus
196 #listen: 127.0.0.1:8080
197 #path: /metrics
198 #namespace: prometheusns
199 #subsystem: nebula
200 #interval: 10s
201
202 # enables counter metrics for meta packets
203 # e.g.: `messages.tx.handshake`
204 # NOTE: `message.{tx,rx}.recv_error` is always emitted
205 #message_metrics: false
206
207 # enables detailed counter metrics for lighthouse packets
208 # e.g.: `lighthouse.rx.HostQuery`
209 #lighthouse_metrics: false
210
211 # Handshake Manager Settings
212 #handshakes:
213 # Handshakes are sent to all known addresses at each interval with a linear backoff,
214 # Wait try_interval after the 1st attempt, 2 * try_interval after the 2nd, etc, until the handshake is older than timeout
215 # A 100ms interval with the default 10 retries will give a handshake 5.5 seconds to resolve before timing out
216 #try_interval: 100ms
217 #retries: 20
218 # trigger_buffer is the size of the buffer channel for quickly sending handshakes
219 # after receiving the response for lighthouse queries
220 #trigger_buffer: 64
221
222
223 # Nebula security group configuration
224 firewall:
225 conntrack:
226 tcp_timeout: 12m
227 udp_timeout: 3m
228 default_timeout: 10m
229 max_connections: 100000
230
231 # The firewall is default deny. There is no way to write a deny rule.
232 # Rules are comprised of a protocol, port, and one or more of host, group, or CIDR
233 # Logical evaluation is roughly: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr)
234 # - port: Takes `0` or `any` as any, a single number `80`, a range `200-901`, or `fragment` to match second and further fragments of fragmented packets (since there is no port available).
235 # code: same as port but makes more sense when talking about ICMP, TODO: this is not currently implemented in a way that works, use `any`
236 # proto: `any`, `tcp`, `udp`, or `icmp`
237 # host: `any` or a literal hostname, ie `test-host`
238 # group: `any` or a literal group name, ie `default-group`
239 # groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
240 # cidr: a CIDR, `0.0.0.0/0` is any.
241 # ca_name: An issuing CA name
242 # ca_sha: An issuing CA shasum
243
244 outbound:
245 # Allow all outbound traffic from this node
246 - port: any
247 proto: any
248 host: any
249
250 inbound:
251 - port: any
252 proto: any
253 host: any