(Fabio Alessandro Locati|Fale)'s blog

Nebula VPN split configuration

October 31, 2024

We have had Nebula VPN within the Fedora repositories for a couple of years. A couple of months ago, I changed the default systemd service unit. More specifically, this is the change:

-ExecStart=/usr/bin/nebula -config /etc/nebula/config.yml
+ExecStart=/usr/bin/nebula -config /etc/nebula
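
Review bot: the `+ExecStart` line passes the whole /etc/nebula directory, so after an upgrade any YAML file already sitting there (an editor backup, a second network's configuration) is merged into the running configuration without warning. Consider pointing `-config` at a dedicated sub-folder, or shipping an upgrade note with the package so administrators can clean the directory first.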

Although the change is only a few characters, it allows for a much more flexible use of Nebula. Before this change, the configuration could only be placed in the config.yml file. After this change, all YAML files in the folder are read, merged, and used as the configuration.

I see three significant advantages to this:

Nebula configuration uses the YAML format, which is already fairly convenient by itself, but with this change, managing Nebula nodes should become even more convenient.

Nebula reads the configuration folder by reading all YAML files in alphabetical order. Nebula uses the keys and values found in every file it reads to populate the configuration.

As an example, if there are the following two files:

punchy:
  punch: true

punchy:
  respond: true

The result will be the following:

punchy:
  punch: true
  respond: true

If the same array is present in multiple files, the values of the arrays are appended to each other, as in the following example:

lighthouse:
  hosts:
  - 192.168.1.1

lighthouse:
  hosts:
  - 192.168.1.2

The result will be the following:

lighthouse:
  hosts:
  - 192.168.1.1
  - 192.168.1.2

If the same non-array key is configured twice, the latest occurrence is the one that counts. Assuming that the files sort alphabetically in the order in which they appear here, consider the following configuration files:

tun:
  dev: nebula

tun:
  dev: nebula1

This will result in the following:

tun:
  dev: nebula1

It is also possible to check the exact configuration that Nebula produces by merging the configuration files by running:

nebula -test -config /etc/nebula
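
The merge rules described above can also be modelled offline to see which file replaces which value before Nebula loads the folder. This is an added example, not Nebula's own code or code from the original post; the file names in the sample are hypothetical, and a type mismatch between files is assumed to behave as a replacement.

```python
# Added example: models the merge rules described in this post (not Nebula's code).
# Fragments are already-parsed YAML documents, keyed by file name.
def merge_fragments(fragments):
    """Merge {file_name: dict} in alphabetical file-name order.
    Returns (merged, overrides); each override is a tuple
    (key_path, old_file, old_value, new_file, new_value)."""
    merged, origin, overrides = {}, {}, []

    def merge(dst, src, path, fname):
        for key, value in src.items():
            here = f"{path}.{key}" if path else str(key)
            old = dst.get(key)
            if isinstance(value, dict) and isinstance(old, dict):
                merge(old, value, here, fname)   # maps merge key by key
            elif isinstance(value, list) and isinstance(old, list):
                old.extend(value)                # arrays are appended
            else:
                # Scalars: last file wins. Assumption: a type mismatch
                # between files is also treated as a replacement.
                if key in dst and old != value:
                    overrides.append((here, origin.get(here), old, fname, value))
                if isinstance(value, dict):
                    dst[key] = {}
                    merge(dst[key], value, here, fname)
                else:
                    dst[key] = list(value) if isinstance(value, list) else value
                origin[here] = fname

    for fname in sorted(fragments):
        merge(merged, fragments[fname], "", fname)
    return merged, overrides

# Constructed sample: the three file pairs from the post, combined under
# hypothetical file names (the post does not name its files).
SAMPLE = {
    "20-site.yml": {"punchy": {"respond": True},
                    "lighthouse": {"hosts": ["192.168.1.2"]},
                    "tun": {"dev": "nebula1"}},
    "10-base.yml": {"punchy": {"punch": True},
                    "lighthouse": {"hosts": ["192.168.1.1"]},
                    "tun": {"dev": "nebula"}},
}

if __name__ == "__main__":
    config, overrides = merge_fragments(SAMPLE)
    print(config)
    for path, old_file, old, new_file, new in overrides:
        print(f"{path}: {old!r} ({old_file}) replaced by {new!r} ({new_file})")
```

The overrides list is the part worth reviewing: every entry is a value that a later-sorting file silently replaced.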

I understand this change will potentially be detrimental for people with multiple configurations for different VPNs in the /etc/nebula folder. For those cases, I suggest creating sub-folders for the various VPN configurations and then tweaking the systemd service unit to ensure that the correct folder is picked up.