Merge pull request #5 from rwese/pr-version-support-1.5.0

Pr version support 1.5.0

Author: Trozz

README.md

@@ -8,12 +8,18 @@ Requirements
 
 Currently you need to generate and deploy certificates before running this (see example)
 
+Supported Nebula Version
+------------------------
+
+Currently this role is tested against version `1.5.0`
+
 Role Variables
 --------------
 
 | Variable Name | Type | Purpose | Default | Required |
 |---|---|---|---|---|
-| `nebula_version` | String | Version to download | `1.3.0` | Yes |
+| `nebula_version` | String | Version to download | `1.5.0` | Yes |
+| `nebula_force_install` | Boolean | Force overwrite of the existing nebula binary | `false` | No |
 | `ca` | String | Path to CA file | NA | Yes |
 | `cert` | String | Path to Certificate | NA | Yes |
 | `key` | String | Path to Certificate Key| NA | Yes |

defaults/main.yml

@@ -1,6 +1,9 @@
 ---
 # defaults file for .
-nebula_version: 1.3.0
+nebula_version: 1.5.0
+
+# force overwrite
+nebula_force_install: false
 
 # this will cause net.ipv4.ip_forward to be set to 1 to allow unsafe routes
 enable_ip_forward: false
@@ -36,8 +39,8 @@ listen:
   host: 0.0.0.0
   port: 4242
 
-punchy: true
-punch_back: true
+punchy: "true"
+punch_back: "true"
 
 outbound:
   - port: any

tasks/main.yml

@@ -3,7 +3,7 @@
   when: enable_ip_forward
   sysctl:
     name: net.ipv4.ip_forward
-    value: '1'
+    value: "1"
     state: present
   notify:
     - Restart_nebula
@@ -14,7 +14,7 @@
     dest: /bin
     remote_src: yes
     mode: 0755
-    creates: /bin/nebula
+    creates: "{{ '/bin/nebula' if nebula_force_install == false else '' }}"
   when: ansible_architecture == "x86_64"
 
 - name: Download release from Github (arm64)
@@ -23,7 +23,7 @@
     dest: /bin
     remote_src: yes
     mode: 0755
-    creates: /bin/nebula
+    creates: "{{ '/bin/nebula' if nebula_force_install == false else '' }}"
   when: ansible_architecture == "armv64" or ansible_architecture == "aarch64"
 
 - name: Download release from Github (arm7)
@@ -32,29 +32,29 @@
     dest: /bin
     remote_src: yes
     mode: 0755
-    creates: /bin/nebula
+    creates: "{{ '/bin/nebula' if nebula_force_install == false else '' }}"
   when: ansible_architecture == "armv7l"
 
 - name: Set correct user and group on the nebula binary
   ansible.builtin.file:
     path: /bin/nebula
     owner: root
     group: root
-    mode: '0750'
+    mode: "0750"
 
 - name: Create configuration directory
   file:
     path: /etc/nebula
     state: directory
-    mode: '0750'
+    mode: "0750"
 
 - name: Deploy configuration template
   ansible.builtin.template:
     src: templates/config.yaml.j2
     dest: /etc/nebula/config.yaml
     owner: root
     group: root
-    mode: '0600'
+    mode: "0600"
   register: nebula_config
   notify:
     - Restart_nebula

templates/config.yaml.j2

@@ -38,15 +38,24 @@ listen:
   {% if listen.read_buffer is defined %}read_buffer: {{ listen.read_buffer | default("10485760") }}{% endif %}
   {% if listen.write_buffer is defined %}write_buffer: {{ listen.write_buffer | default("10485760") }}{% endif %}
 
-punchy: {{ punchy }}
-punch_back: {{ punch_back }}
+punchy:
+  # Continues to punch inbound/outbound at a regular interval to avoid expiration of firewall nat mappings
+  punch: {{ punchy }}
+
+  # respond means that a node you are trying to reach will connect back out to you if your hole punching fails
+  # this is extremely useful if one node is behind a difficult nat, such as a symmetric NAT
+  # Default is false
+  respond: {{ punch_back | default("false") }}
+
+  # delays a punch response for misbehaving NATs, default is 1 second, respond must be true to take effect
+  #delay: 1s
 
 {% if cipher is defined %}
 cipher: {{ cipher }}
 {% endif %}
 
 {% if local_range is defined %}
-local_range: "{{ local_range }}"
+preferred_ranges: "{{ local_range }}"
 {% endif %}
 
 {% if sshd is defined %}