Nebulizer: Certificate Generation at Scale for Slack Nebula Overlay Network Made Easy

Nebula Network

Slack Nebula is an overlay network: essentially an on-demand mesh VPN, it lets hosts in different networks and locations automatically set up encrypted communication channels with each other. It presents a virtual interface to the operating system, along with a unique IP address on the overlay. Once communication has been established, the nodes see each other as if they were on the same LAN.

Nebula uses certificate files for authentication between nodes. The nebula-cert binary lets you create the CA certificate and key, and then a certificate and key for each host. For each host you specify its Nebula hostname, IP address, certificate validity period, and the groups it belongs to. (Groups are used in firewall rules, since Nebula provides its own stateful firewall.)

Creating a relatively small network with only a few nodes is easy enough to do manually with nebula-cert. But with more than a few nodes it becomes a tedious and error-prone process, particularly when your firewall rules need more than a simple group configuration. A shell script is always an option for automation, and that was my original thought for dealing with it, but I wasn't too enthusiastic about the idea, particularly since I have many firewall groups. After some thought, I decided the best solution would be a program that takes a JSON description of the desired Nebula network and runs nebula-cert to create the certificates needed to satisfy that specification.

Since Go is generally my language of choice for writing command-line programs, I used it to develop Nebulizer.

Nebulizer takes its JSON input either from a file or from standard input, so you have flexibility in how you provide the data it works on.

An example of the JSON used to create a network:

{
  "ca": {
    "name":"My Nebula Overlay Network",
    "duration": 730
  },
  "hosts": [
    {
      "hostname": "lighthouse.nebula.mydomain.com",
      "ip": "172.28.1.1/25",
      "groups": []
    },
    {
      "hostname": "server1.nebula.mydomain.com",
      "ip": "172.28.1.2/25",
      "groups": [
        "servers",
        "app-backend"
      ]
    },
    {
      "hostname": "laptop.nebula.mydomain.com",
      "ip": "172.28.1.3/25",
      "duration": 365,
      "groups": [
        "admin",
        "laptops",
        "mod",
        "bobnet"
      ]
    }
  ]
}

Once you have your network specification, you simply run Nebulizer and it creates all the certificates for you. It detects certificates that already exist in the directory and skips those hosts, so existing certificates are not accidentally overwritten. (You can override this if you like.)

nebulizer -f mynetwork.json

If you host your JSON on an HTTP server, or generate it dynamically via an API, you can use the standard input mode instead, for example:

curl https://myapiserver.com/generate-my-network.php | nebulizer

The above command will retrieve the JSON from the provided URL and pipe it into Nebulizer on the fly.
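To make the JSON-to-nebula-cert mapping concrete, here is an added example in Go that is not Nebulizer's own code. It reads a specification in the shape shown above from standard input, validates it (duplicate hostnames or addresses, an ip without a prefix length, a host certificate that would outlive the CA, and unknown JSON keys), skips hosts whose certificate already exists unless asked to overwrite, and prints the nebula-cert commands it would run rather than executing them. The Go type and field names, the Validate checks, and the strict-JSON behaviour are this example's assumptions about the format, not Nebulizer's implementation; the nebula-cert flags used (ca -name/-duration, sign -name/-ip/-groups/-duration/-out-crt/-out-key) are real, and the day counts from the JSON are rendered as hours because -duration takes a Go-style duration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// Spec mirrors the JSON shape in the post; the Go type and field names are this example's own, not Nebulizer's.
type Spec struct {
	CA struct {
		Name     string `json:"name"`
		Duration int    `json:"duration"` // validity in days
	} `json:"ca"`
	Hosts []Host `json:"hosts"`
}
type Host struct {
	Hostname string   `json:"hostname"`
	IP       string   `json:"ip"`
	Duration int      `json:"duration"` // days; 0 keeps nebula-cert's default (just under the CA lifetime)
	Groups   []string `json:"groups"`
}

// ParseSpec decodes and validates a spec; unknown keys are rejected so a misspelled "groups" cannot silently yield a cert with no firewall groups.
func ParseSpec(r io.Reader) (*Spec, error) {
	var s Spec
	dec := json.NewDecoder(r)
	dec.DisallowUnknownFields()
	if err := dec.Decode(&s); err != nil {
		return nil, err
	}
	if err := s.Validate(); err != nil {
		return nil, err
	}
	return &s, nil
}

// Validate catches what nebula-cert cannot see while signing one cert at a time: duplicate names or addresses, addresses without a prefix length, host certs outliving the CA.
func (s *Spec) Validate() error {
	if s.CA.Duration <= 0 {
		return fmt.Errorf("ca.duration must be a positive number of days, got %d", s.CA.Duration)
	}
	seenName, seenIP := map[string]bool{}, map[string]bool{}
	for _, h := range s.Hosts {
		ip, _, err := net.ParseCIDR(h.IP)
		if h.Hostname == "" || err != nil {
			return fmt.Errorf("host %q: needs a hostname and a CIDR ip, got %q", h.Hostname, h.IP)
		}
		if seenName[h.Hostname] || seenIP[ip.String()] {
			return fmt.Errorf("host %s: hostname or address %s already used", h.Hostname, ip)
		}
		seenName[h.Hostname], seenIP[ip.String()] = true, true
		if h.Duration < 0 || h.Duration > s.CA.Duration {
			return fmt.Errorf("host %s: %d days is not valid under a %d-day CA", h.Hostname, h.Duration, s.CA.Duration)
		}
	}
	return nil
}

// CACommand is the argv that creates the CA (nebula-cert writes ca.crt and ca.key by default); days become "<n>h" because -duration takes a Go-style duration.
func (s *Spec) CACommand() []string {
	return []string{"nebula-cert", "ca", "-name", s.CA.Name, "-duration", fmt.Sprintf("%dh", s.CA.Duration*24)}
}

// SignCommands builds one "nebula-cert sign" argv per host, skipping any host whose certificate already exists in dir unless overwrite is set (the post's protection against clobbering certs).
func (s *Spec) SignCommands(dir string, overwrite bool) (cmds [][]string, skipped []string) {
	for _, h := range s.Hosts {
		crt := filepath.Join(dir, h.Hostname+".crt")
		if _, err := os.Stat(crt); err == nil && !overwrite {
			skipped = append(skipped, h.Hostname)
			continue
		}
		args := []string{"nebula-cert", "sign", "-name", h.Hostname, "-ip", h.IP, "-out-crt", crt, "-out-key", filepath.Join(dir, h.Hostname+".key")}
		if len(h.Groups) > 0 {
			args = append(args, "-groups", strings.Join(h.Groups, ","))
		}
		if h.Duration > 0 {
			args = append(args, "-duration", fmt.Sprintf("%dh", h.Duration*24))
		}
		cmds = append(cmds, args)
	}
	return cmds, skipped
}

func main() {
	spec, err := ParseSpec(os.Stdin) // e.g. go run . < mynetwork.json, or piped from curl as in the post
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid specification:", err)
		os.Exit(1)
	}
	cmds, skipped := spec.SignCommands(".", false)
	fmt.Fprintln(os.Stderr, "skipped, certificate already exists:", skipped)
	for _, argv := range append([][]string{spec.CACommand()}, cmds...) {
		fmt.Println(strings.Join(argv, " ")) // dry run: hand each argv to os/exec to actually sign
	}
}
```

Fed the JSON from the post, the program prints a ca command with -duration 17520h, a lighthouse sign command with no -groups or -duration, and a laptop sign command carrying -groups admin,laptops,mod,bobnet and -duration 8760h. The CA command is printed unconditionally here; a real run should create the CA only once, since re-creating ca.key would invalidate every host certificate signed by the old one.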

Get it from GitHub at https://github.com/ruhnet/nebulizer
