nebula: update

nebula/defaults.yaml

@@ -3,7 +3,7 @@
 ---
 nebula:
   enabled: false
-  version: 1.5.2-2
+  version: 1.7.2-1
 
   am_lighthouse: false
   lighthouses:

nebula/files/config.yml.jinja

@@ -123,6 +123,21 @@ firewall:
     proto: udp
     host: any
 {%- if "docker06.in.ffmuc.net" == grains["id"] %}
+  # Allow connections for http backend of broker.ffmuc.net
+  - port: 5000
+    proto: tcp
+    group: webfrontend
+  # Allow connections for mqtt backend of broker.ffmuc.net
+  - port: 1883
+    proto: tcp
+    host: any
+  # Allow MQTT replicas
+  - port: 4370
+    proto: tcp
+    host: any
+  - port: 5369
+    proto: tcp
+    host: any
     # Allow pushing to graylog via filebeat
   - port: 5044
     proto: tcp
@@ -133,6 +148,13 @@ firewall:
     host: any
 {%- endif %}
 {%- if "docker04.in.ffmuc.net" == grains["id"] %}
+  # Allow MQTT replicas
+  - port: 4370
+    proto: tcp
+    host: any
+  - port: 5369
+    proto: tcp
+    host: any
   # Allow connections for draw
   - port: 5001
     proto: tcp
@@ -145,6 +167,10 @@ firewall:
   - port: 1883
     proto: tcp
     host: any
+  # Allow connections for mqtt backend of broker.ffmuc.net
+  - port: 1884
+    proto: tcp
+    host: any
   # Allow connections for etherpad
   - port: 8081
     proto: tcp
@@ -153,6 +179,10 @@ firewall:
   - port: 8084
     proto: tcp
     group: webfrontend
+  # Allow connections for hedgedoc
+  - port: 8085
+    proto: tcp
+    group: webfrontend
   # Allow connections for excalidraw.ffmuc.net
   - port: 8090
     proto: tcp
@@ -189,6 +219,21 @@ firewall:
     group: webfrontend
 {%- endif %}
 {%- if "docker05.in.ffmuc.net" == grains["id"] %}
+  # Allow MQTT replicas
+  - port: 4370
+    proto: tcp
+    host: any
+  - port: 5369
+    proto: tcp
+    host: any
+  # Allow connections for mqtt backend of broker.ffmuc.net
+  - port: 5000
+    proto: tcp
+    group: webfrontend
+  # Allow connections for http backend of broker.ffmuc.net
+  - port: 1883
+    proto: tcp
+    host: any
   # Allow connections for chat.ffmuc.net
   - port: 8000
     proto: tcp
@@ -281,6 +326,21 @@ firewall:
     group: webfrontend
 {%- endif %}
 {%- if "docker07.in.ffmuc.net" == grains["id"] %}
+  # Allow connections for http backend of broker.ffmuc.net
+  - port: 5000
+    proto: tcp
+    group: webfrontend
+  # Allow connections for mqtt backend of broker.ffmuc.net
+  - port: 1883
+    proto: tcp
+    host: any
+  # Allow MQTT replicas
+  - port: 4370
+    proto: tcp
+    host: any
+  - port: 5369
+    proto: tcp
+    host: any
   # Elastiflow Logstash
   - port: 2055
     proto: udp
@@ -307,6 +367,12 @@ firewall:
   - port: 8081
     proto: tcp
     group: webfrontend
+  - port: 9443
+    proto: tcp
+    group: webfrontend
+  - port: 2055
+    proto: udp
+    group: webfrontend
 {%- endif %}
 {%- if 'metrics.in.ffmuc.net' == grains["id"] %}
   # Allow stats access

nebula/files/nebula.service

@@ -1,13 +1,13 @@
 [Unit]
 Description=nebula
-Wants=basic.target network.target
-After=basic.target network.target
+Wants=basic.target network-online.target nss-lookup.target time-sync.target
+After=basic.target network.target network-online.target
 Before=snmpd.service
 
 [Service]
+Type=notify
+NotifyAccess=main
 SyslogIdentifier=nebula
-StandardOutput=syslog
-StandardError=syslog
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/usr/local/bin/nebula -config /etc/nebula/config.yml
 Restart=always

nebula/init.sls

@@ -10,7 +10,7 @@ include:
 
 /etc/nebula/ca.crt:
   file.managed:
-    - source: salt://nebula/cert/ca-ffmuc.crt
+    - source: salt://nebula/cert/ca.crt
     - require:
         - file: /etc/nebula/config.yml
         - file: /etc/nebula/{{ grains['id'] }}.crt
@@ -61,11 +61,15 @@ nebula-service:
     - name: nebula
     - require:
         - file: /etc/nebula/config.yml
+        - file: /etc/nebula/ca.crt
         - file: /etc/nebula/{{ grains['id'] }}.crt
         - file: /etc/nebula/{{ grains['id'] }}.key
         - pkg: nebula-pkg
     - watch:
         - file: /etc/nebula/config.yml
+        - file: /etc/nebula/ca.crt
+        - file: /etc/nebula/{{ grains['id'] }}.crt
+        - file: /etc/nebula/{{ grains['id'] }}.key
 
 {% else %}
 {# remove old config to allow migration to new file destination #}