Provided by: nebula_1.6.1+dfsg-3ubuntu0.23.10.1_amd64 bug

NAME

       nebula.yml - nebula configuration files

DESCRIPTION

       Configuration file for nebula(1) are written in YAML. Each section is described below:

   pki
       The PKI section defines the location of credentials

       ca
                Path to the CA certificate

       cert
                Path to this node's certificate file

       key
                Path to this node's key file

   static_host_map
       The  static  host  map  defines  a  set  of hosts with fixed IP addresses on the internet.
       Multiple addresses may be defined and Nebula will try each when establishing a tunnel.

   lighthouse
       The lighthouse section allows the entablement and configuration of lighthouse behavior. In
       Nebula, lighthouses are nodes with ip fixed addresses which other nodes can use to located
       each other.

       am_lighthouse
              Enables lighthouse behavior on this node. Should ONLY be true  on  nodes  you  have
              configured to be lighthouses on your network.

       interval
              Number of seconds between updates from this node to a lighthouse. When a lighthouse
              receives an update, it sends information about its current IP address to each node.

       hosts  A list of lighthouse nodes this node should report to and  query  from.  Should  be
              empty on lighthouse nodes.

       serve_dns
              Starts  a  DNS  listener which responds to various queries (VAGUE) and be delegated
              for resolution.

   listen
       Control the port and interface on which nebula listens.

       host   Set the ip to which nebula binds

       port   Set the port to which nebula binds

   punchy
       punch  Continue to punch inbound/outbound at a regular interval  to  avoid  expiration  of
              firewall NAT mapping

       respond
              Configure  the  node  to  reach out and connect to you if your hole punching fails.
              This is extremely useful if one node is behind a difficult NAT, such as a symmetric
              NAT.

       delay  Delay  a  punch response for misbehaving NATs, default is 1 second, respond must be
              true to take effect

   cipher
       Choose between the available ciphers for your network. Options are "chachapoly" or  "aes."
       Must be identical across all nodes on a network.

   sshd
       SSHD can expose information and administrative function via ssh

       enabled
              If true, this enables SSHD administration

       listen Host and port to listen on. (Port 22 is not allowed.)

       host_key
              A file containing a list of authorized public keys

       authorized_users
              A list of users each with an array of keys

   tun
       disabled
              When  tun  is  disabled,  a lighthouse can be started without a local run interface
              (and therefore without root)

       dev    The name of the device

       drop_local_broadcast
              Toggles forwarding of local broadcast packets, the address of which depends on  the
              ip/mask encoded in the pki.cert

       drop_multicast
              Drop the forwarding of multicast packets

       tx_queue
              Sets the transmit queue length. (If you notice lots of transmit drops on the tun it
              may help to raise this number. Defaults to 500.

       mtu    Default MTU for every packet, safe setting is (and the default) 1300  for  internet
              based traffic.

       unsafe_routes
              Unsafe  routes  allows you to route traffic over nebula to non-nebula nodes. Unsafe
              routes should be avoided unless you have hosts/services that cannot run nebula.

   logging
       Configure logging

       level  Configure the logging level. Must be one of panic, fatal, error, warning, info,  or
              debug.

       format Either json or text

       disable_timestamp
              Disables  timestamp  logging. Useful when redirected into to a logging system which
              appends a time stamp. Defaults to false.

   stats
       Enable a statistics exporter.

       type   Type of statistics exporter. Either "prometheus" or "graphite"

       interval
              Interval to provide updates for either graphite or prometheus.

       prefix Prefix for graphite

       protocol
              Protocol for graphite

       host   Listener for graphite

       listen IP and port to bind the prometheus listener

       path   Path on which metrics are supplied in prometheus

       namespace
              Prometheus namespace

       subsystem
              Prometheus subsystem

       message_metrics
              Enables counter metrics for meta packets. (e.g. message.tx.handshake)

       lighthouse_metrics
              Enables    detailed    counter    metrics    for    lighthouse    packets     (e.g.
              lighthouse.rx.HostQuery)

   handshakes
       Handshakes are sent to all known addresses at each interval with a linear back off.

       try_interval
              Nebula  waits  try_interval after the first attempt, 2 * try_interval on the second
              attempt, until the handshake is older than timeout. This allows you to control this
              interval.

       retries
              Number of retries before timing out

       trigger_buffer
              Size  of  the  buffer  channel  for  quickly sending handshakes after receiving the
              response for lighthouse queries

   firewall
       The firewall is default deny. There is no way to write a deny rule. Rules are comprised of
       a  protocol, port, and one or more of host, group, or CIDR. Logical evaluation is roughly:
       port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR CIDR)

       outbound
              Section containing rules which apply to traffic send from this node. See the  rules
              section.

       inbound
              Section containing rules which apply to traffic send to this node from other hosts.
              See the rules section.

   rules
       Rules are written in the outbound and inbound sections described above.

       proto
                Protocol. One of "any", "tcp", "udp", or "icmp"

       host
                "any" or literal hostname

       group
                "any" or literal group name

       groups
                Same as group but accepts a list of values. Certificate has to contain all groups
              to pass.

       cidr
                a CIDR, "0.0.0.0/0" is any

       ca_name
                An issuing CA name

       ca_sum
                An issuing CA shasum

EXAMPLES

       There is a example configuration file in the FILES section below.

       Configuration  files  placed  in  /etc/nebula  can  take advantage of the built-in systemd
       templates. For example, if you have a nebula configuration /etc/nebula/office.yml

         [#] systemctl enable nebula@office.service

FILES

       /etc/nebula
              Contains configuration files for nebula(1). This provides  a  designated  place  to
              store  configuration  data  and  credentials.  Configuration  files  placed in this
              directory can take advantage of the provided systemd template unit.

       /usr/share/doc/nebula/examples/config.yml
              See this example configuration file.

SEE ALSO

         nebula(1), nebula-cert(1)