Provided by: nebula_1.6.1+dfsg-3_amd64 
NAME
nebula.yml - nebula configuration files
DESCRIPTION
Configuration file for nebula(1) are written in YAML. Each section is described below:
pki
The PKI section defines the location of credentials
ca
Path to the CA certificate
cert
Path to this node's certificate file
key
Path to this node's key file
static_host_map
The static host map defines a set of hosts with fixed IP addresses on the internet.
Multiple addresses may be defined and Nebula will try each when establishing a tunnel.
lighthouse
The lighthouse section allows the entablement and configuration of lighthouse behavior. In
Nebula, lighthouses are nodes with ip fixed addresses which other nodes can use to located
each other.
am_lighthouse
Enables lighthouse behavior on this node. Should ONLY be true on nodes you have
configured to be lighthouses on your network.
interval
Number of seconds between updates from this node to a lighthouse. When a lighthouse
receives an update, it sends information about its current IP address to each node.
hosts A list of lighthouse nodes this node should report to and query from. Should be
empty on lighthouse nodes.
serve_dns
Starts a DNS listener which responds to various queries (VAGUE) and be delegated
for resolution.
listen
Control the port and interface on which nebula listens.
host Set the ip to which nebula binds
port Set the port to which nebula binds
punchy
punch Continue to punch inbound/outbound at a regular interval to avoid expiration of
firewall NAT mapping
respond
Configure the node to reach out and connect to you if your hole punching fails.
This is extremely useful if one node is behind a difficult NAT, such as a symmetric
NAT.
delay Delay a punch response for misbehaving NATs, default is 1 second, respond must be
true to take effect
cipher
Choose between the available ciphers for your network. Options are "chachapoly" or "aes."
Must be identical across all nodes on a network.
sshd
SSHD can expose information and administrative function via ssh
enabled
If true, this enables SSHD administration
listen Host and port to listen on. (Port 22 is not allowed.)
host_key
A file containing a list of authorized public keys
authorized_users
A list of users each with an array of keys
tun
disabled
When tun is disabled, a lighthouse can be started without a local run interface
(and therefore without root)
dev The name of the device
drop_local_broadcast
Toggles forwarding of local broadcast packets, the address of which depends on the
ip/mask encoded in the pki.cert
drop_multicast
Drop the forwarding of multicast packets
tx_queue
Sets the transmit queue length. (If you notice lots of transmit drops on the tun it
may help to raise this number. Defaults to 500.
mtu Default MTU for every packet, safe setting is (and the default) 1300 for internet
based traffic.
unsafe_routes
Unsafe routes allows you to route traffic over nebula to non-nebula nodes. Unsafe
routes should be avoided unless you have hosts/services that cannot run nebula.
logging
Configure logging
level Configure the logging level. Must be one of panic, fatal, error, warning, info, or
debug.
format Either json or text
disable_timestamp
Disables timestamp logging. Useful when redirected into to a logging system which
appends a time stamp. Defaults to false.
stats
Enable a statistics exporter.
type Type of statistics exporter. Either "prometheus" or "graphite"
interval
Interval to provide updates for either graphite or prometheus.
prefix Prefix for graphite
protocol
Protocol for graphite
host Listener for graphite
listen IP and port to bind the prometheus listener
path Path on which metrics are supplied in prometheus
namespace
Prometheus namespace
subsystem
Prometheus subsystem
message_metrics
Enables counter metrics for meta packets. (e.g. message.tx.handshake)
lighthouse_metrics
Enables detailed counter metrics for lighthouse packets (e.g.
lighthouse.rx.HostQuery)
handshakes
Handshakes are sent to all known addresses at each interval with a linear back off.
try_interval
Nebula waits try_interval after the first attempt, 2 * try_interval on the second
attempt, until the handshake is older than timeout. This allows you to control this
interval.
retries
Number of retries before timing out
trigger_buffer
Size of the buffer channel for quickly sending handshakes after receiving the
response for lighthouse queries
firewall
The firewall is default deny. There is no way to write a deny rule. Rules are comprised of
a protocol, port, and one or more of host, group, or CIDR. Logical evaluation is roughly:
port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR CIDR)
outbound
Section containing rules which apply to traffic send from this node. See the rules
section.
inbound
Section containing rules which apply to traffic send to this node from other hosts.
See the rules section.
rules
Rules are written in the outbound and inbound sections described above.
proto
Protocol. One of "any", "tcp", "udp", or "icmp"
host
"any" or literal hostname
group
"any" or literal group name
groups
Same as group but accepts a list of values. Certificate has to contain all groups
to pass.
cidr
a CIDR, "0.0.0.0/0" is any
ca_name
An issuing CA name
ca_sum
An issuing CA shasum
EXAMPLES
There is a example configuration file in the FILES section below.
Configuration files placed in /etc/nebula can take advantage of the built-in systemd
templates. For example, if you have a nebula configuration /etc/nebula/office.yml
[#] systemctl enable nebula@office.service
FILES
/etc/nebula
Contains configuration files for nebula(1). This provides a designated place to
store configuration data and credentials. Configuration files placed in this
directory can take advantage of the provided systemd template unit.
/usr/share/doc/nebula/examples/config.yml
See this example configuration file.
SEE ALSO
nebula(1), nebula-cert(1)