
Nebula VPN split configuration
October 31, 2024
We have had Nebula VPN within the Fedora repositories for a couple of years. A couple of months ago, I changed the default systemd service unit. More specifically, this is the change:
-ExecStart=/usr/bin/nebula -config /etc/nebula/config.yml
+ExecStart=/usr/bin/nebula -config /etc/nebula
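Review bot: switching `-config` from the single `config.yml` to the `/etc/nebula` directory changes behaviour for every existing install, because any other YAML file already sitting in that folder (a spare copy, a second VPN's config) is now merged into the live configuration; the unit file or the package changelog should state this, together with the remedy the post suggests (one sub-folder per VPN and the unit adjusted to point at the right one).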
Although the change is only a few characters, it allows for a much more flexible use of Nebula.
Before this change, the configuration could only be placed in the config.yml file.
After this change, all YAML files in the folder are read, merged, and used as the configuration.
I see three significant advantages to this:
- Ability to quickly share some parts of the configuration across multiple hosts.
- Ability to easily automate the management of Nebula configuration with configuration management systems.
- Ability to override some fields in specific hosts or situations.
Nebula configuration uses the YAML format, which is already fairly convenient by itself, but with this change, managing Nebula nodes should become even more convenient.
Nebula reads the configuration folder by loading all YAML files in alphabetical order; the keys and values found in each file are used to populate the configuration.
As an example, if there are the following two files:
# first file
punchy:
  punch: true
# second file
punchy:
  respond: true
The result will be the following:
punchy:
  punch: true
  respond: true
If the same array is present in multiple files, the values of the arrays are added together, as in the following example:
# first file
lighthouse:
  hosts:
    - 192.168.1.1
# second file
lighthouse:
  hosts:
    - 192.168.1.2
The result will be the following:
lighthouse:
  hosts:
    - 192.168.1.1
    - 192.168.1.2
If the same non-array key is configured twice, the latest occurrence wins. Assuming that the files are sorted alphabetically in the order shown, the following configuration files:
# first file
tun:
  dev: nebula
# second file
tun:
  dev: nebula1
will result in the following:
tun:
  dev: nebula1
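The three merge rules above, reduced to a small model (an added example written for this post, not Nebula's own code): files are applied in sorted name order, mappings merge key by key, arrays are concatenated, and a scalar set twice keeps the later value. The file names, their contents and the .yml/.yaml name filter are constructed assumptions, not taken from the post.

```python
from copy import deepcopy

# Added example, not Nebula's own code: a model of how a directory of YAML
# fragments is merged, following the rules the post describes. File names,
# contents and the .yml/.yaml filter below are constructed assumptions.


def merge_value(base, incoming):
    """Combine a value from an earlier file with the same key from a later file."""
    if isinstance(base, dict) and isinstance(incoming, dict):
        # Mappings are merged key by key, recursing into nested mappings.
        result = dict(base)
        for key, value in incoming.items():
            if key in result:
                result[key] = merge_value(result[key], value)
            else:
                result[key] = deepcopy(value)
        return result
    if isinstance(base, list) and isinstance(incoming, list):
        # Arrays under the same key are added together, earlier file first.
        return base + incoming
    # Any other clash (scalar vs scalar, or mismatched types): the later file wins.
    return deepcopy(incoming)


def merge_config_dir(files):
    """files maps file name -> already-parsed YAML mapping.

    Only names ending in .yml/.yaml are used (assumption: other files in the
    folder are ignored), and they are applied in alphabetical order, so a
    file named later overrides scalars set by a file named earlier.
    """
    merged = {}
    for name in sorted(files):
        if not name.endswith((".yml", ".yaml")):
            continue
        merged = merge_value(merged, files[name])
    return merged


# Constructed sample folder: the post's three cases plus a host-specific
# override file (the "override some fields" use case). The shared files are
# prefixed so that they sort before the per-host override.
SAMPLE_DIR = {
    "10-punchy.yml": {"punchy": {"punch": True}},
    "11-punchy.yml": {"punchy": {"respond": True}},
    "20-lighthouse.yml": {"lighthouse": {"hosts": ["192.168.1.1"]}},
    "21-lighthouse.yml": {"lighthouse": {"hosts": ["192.168.1.2"]}},
    "30-tun.yml": {"tun": {"dev": "nebula"}},
    "90-host-override.yml": {"tun": {"dev": "nebula1"}},
    "config.yml.bak": {"tun": {"dev": "old"}},  # skipped: not a .yml/.yaml name
}


def merged_sample():
    """Effective configuration of SAMPLE_DIR after merging."""
    return merge_config_dir(SAMPLE_DIR)


if __name__ == "__main__":
    import json
    print(json.dumps(merged_sample(), indent=2))
```

The `config.yml.bak` entry is the case worth keeping in mind when auditing a node: a stray copy is harmless only as long as its name does not end in .yml or .yaml; renamed to `config-old.yml` it would sort and merge like any other fragment, which is the same hazard the post raises for folders holding several VPN configurations.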
It is also possible to check the exact configuration that Nebula produced by merging the configuration files by running:
nebula -test -config /etc/nebula
I understand this change will potentially be detrimental for people with multiple configurations for different VPNs in the /etc/nebula folder.
For those cases, I suggest creating one sub-folder per VPN configuration and then tweaking the systemd service unit so that the correct folder is picked up.