.TH nebula.yml "5" "July 2021" "nebula 1.4.0"
.SH NAME
.B nebula.yml
\- nebula configuration files
.SH DESCRIPTION
Configuration files for nebula(1) are written in YAML. Each section is described below:
.SS pki
The PKI section defines the location of credentials.
.IP ca
Path to the CA certificate.
.IP cert
Path to this node's certificate file.
.IP key
Path to this node's key file.
.SS static_host_map
The static host map defines a set of hosts with fixed IP addresses on the internet. Multiple addresses may be defined and Nebula will try each when establishing a tunnel.
.SS lighthouse
The lighthouse section allows the enablement and configuration of lighthouse behavior. In Nebula, lighthouses are nodes with fixed IP addresses which other nodes can use to locate each other.
.IP am_lighthouse
Enables lighthouse behavior on this node. Should ONLY be true on nodes you have configured to be lighthouses on your network.
.IP interval
Number of seconds between updates from this node to a lighthouse. When a lighthouse receives an update, it sends information about its current IP address to each node.
.IP hosts
A list of lighthouse nodes this node should report to and query from. Should be empty on lighthouse nodes.
.IP serve_dns
Starts a DNS listener which responds to various queries and can be delegated to for resolution.
.SS listen
Control the port and interface on which nebula listens.
.IP host
Set the IP to which nebula binds.
.IP port
Set the port to which nebula binds.
.SS punchy
.IP punch
Continue to punch inbound/outbound at a regular interval to avoid expiration of firewall NAT mappings.
.IP respond
Configure the node to reach out and connect to you if your hole punching fails. This is extremely useful if one node is behind a difficult NAT, such as a symmetric NAT.
.IP delay
Delay a punch response for misbehaving NATs; the default is 1 second. respond must be true for this to take effect.
.SS cipher
Choose between the available ciphers for your network. Options are "chachapoly" or "aes".
Must be identical across all nodes on a network.
.SS sshd
SSHD can expose information and administrative functions via ssh.
.IP enabled
If true, this enables SSHD administration.
.IP listen
Host and port to listen on. (Port 22 is not allowed.)
.IP host_key
Path to the SSH host key file used by the SSHD listener.
.IP authorized_users
A list of users, each with an array of authorized public keys.
.SS tun
.IP disabled
When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root).
.IP dev
The name of the device.
.IP drop_local_broadcast
Toggles forwarding of local broadcast packets, the address of which depends on the ip/mask encoded in the pki.cert.
.IP drop_multicast
Drop the forwarding of multicast packets.
.IP tx_queue
Sets the transmit queue length. (If you notice lots of transmit drops on the tun it may help to raise this number.) Defaults to 500.
.IP mtu
Default MTU for every packet; the safe setting (and the default) is 1300 for internet based traffic.
.IP unsafe_routes
Unsafe routes allow you to route traffic over nebula to non-nebula nodes. Unsafe routes should be avoided unless you have hosts/services that cannot run nebula.
.SS logging
Configure logging.
.IP level
Configure the logging level. Must be one of panic, fatal, error, warning, info, or debug.
.IP format
Either json or text.
.IP disable_timestamp
Disables timestamp logging. Useful when redirected into a logging system which appends a timestamp. Defaults to false.
.SS stats
Enable a statistics exporter.
.IP type
Type of statistics exporter. Either "prometheus" or "graphite".
.IP interval
Interval to provide updates for either graphite or prometheus.
.IP prefix
Prefix for graphite.
.IP protocol
Protocol for graphite.
.IP host
Listener for graphite.
.IP listen
IP and port to bind the prometheus listener.
.IP path
Path on which metrics are supplied in prometheus.
.IP namespace
Prometheus namespace.
.IP subsystem
Prometheus subsystem.
.IP message_metrics
Enables counter metrics for meta packets.
(e.g. message.tx.handshake)
.IP lighthouse_metrics
Enables detailed counter metrics for lighthouse packets (e.g. lighthouse.rx.HostQuery).
.SS handshakes
Handshakes are sent to all known addresses at each interval with a linear back off.
.IP try_interval
Nebula waits try_interval after the first attempt, 2 * try_interval on the second attempt, and so on, until the handshake is older than timeout. This allows you to control this interval.
.IP retries
Number of retries before timing out.
.IP trigger_buffer
Size of the buffer channel for quickly sending handshakes after receiving the response to lighthouse queries.
.SS firewall
The firewall is default deny. There is no way to write a deny rule. Rules are comprised of a protocol, port, and one or more of host, group, or CIDR. Logical evaluation is roughly:
.P
port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR CIDR)
.IP outbound
Section containing rules which apply to traffic sent from this node. See the rules section.
.IP inbound
Section containing rules which apply to traffic sent to this node from other hosts. See the rules section.
.SS rules
Rules are written in the outbound and inbound sections described above.
.IP proto
Protocol. One of "any", "tcp", "udp", or "icmp".
.IP host
"any" or a literal hostname.
.IP group
"any" or a literal group name.
.IP groups
Same as group but accepts a list of values. The certificate has to contain all of the groups to pass.
.IP cidr
A CIDR; "0.0.0.0/0" is any.
.IP ca_name
An issuing CA name.
.IP ca_sha
An issuing CA shasum.
.SH EXAMPLES
.P
There is an example configuration file in the FILES section below.
.P
Configuration files placed in /etc/nebula can take advantage of the built-in systemd templates. For example, if you have a nebula configuration /etc/nebula/office.yml:
.P
.nf
# systemctl enable nebula@office.service
.fi
.SH FILES
.IP /etc/nebula
Contains configuration files for nebula(1). This provides a designated place to store configuration data and credentials.
Configuration files placed in this directory can take advantage of the provided systemd template unit.
.IP /usr/share/doc/nebula/examples/config.yml
See this example configuration file.
.SH SEE ALSO
nebula(1), nebula-cert(1)
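.SH EXAMPLE CONFIGURATION
.P
The following annotated configuration for a non-lighthouse node is an added example, not the packaged /usr/share/doc/nebula/examples/config.yml; every path, address, user, group and CA name in it is a placeholder, and the static_host_map and authorized_users layouts are assumed from nebula's own example configuration. It shows the sections described above combined into one file, with the inbound firewall kept to the ports and groups the node actually serves instead of an any/any/any rule.

```yaml
# Constructed example for a non-lighthouse node; paths, names and
# addresses are placeholders, not values from a real deployment.
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/office.crt
  key: /etc/nebula/office.key      # private key: keep it root-readable only

# Nebula IP of the lighthouse -> its fixed internet address(es)
static_host_map:
  "192.168.100.1": ["lighthouse.example.com:4242"]

lighthouse:
  am_lighthouse: false             # true ONLY on the lighthouse itself
  interval: 60                     # seconds between updates to the lighthouse
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242

cipher: aes                        # must be identical on every node

sshd:
  enabled: false                   # enable only while administering the node
  listen: 127.0.0.1:2222           # port 22 is not permitted
  host_key: /etc/nebula/ssh_host_ed25519_key
  authorized_users:
    - user: admin
      keys:
        - "ssh-ed25519 AAAA...PLACEHOLDER admin@office"

firewall:
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
    - port: 443                    # no any/any/any inbound rule: the firewall
      proto: tcp                   # is default deny, so list only what is served
      groups:                      # a peer's certificate must carry ALL of these
        - office
        - web-clients
      ca_name: corp-root-ca        # and must be issued by this CA
```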