Define your Nebula mesh network once, generate validated configs for every host
Project description
nebula-config-kit
Stop hand-crafting Nebula configs. Define your mesh network once, generate configs for every host.
nebula-config-kit is a Python library and CLI for managing Nebula overlay network configurations. It takes a single declarative YAML file describing your entire network — hosts, lighthouses, relays, firewall rules — and generates validated, ready-to-deploy Nebula configs for each node.
Why?
Managing a Nebula mesh network means juggling per-host YAML files that share 90% of their content but differ in subtle, error-prone ways. nebula-config-kit solves this:
- Single source of truth — one config file defines your entire network topology
- Type-safe validation — Pydantic models catch misconfigurations before deployment (duplicate IPs, missing lighthouses, invalid rules)
- Automatic resolution — lighthouse maps, relay lists, and firewall rules are computed per-host from your network definition
- PKI integration — built-in certificate management via pki-kit (CA creation, host cert signing, revocation)
- Comment-preserving templates — generated configs retain the original Nebula YAML comments for readability
Quick start
Install
# With CLI
pip install nebula-config-kit[cli]
# Library only
pip install nebula-config-kit
Define your network
Create nebula-network.config.yml:
network:
cidr: 10.10.0.0/16
certs:
ca_name: "My Network CA"
ca_duration: 3650d
host_duration: 365d
hosts:
defaults:
listen_port: 4242
tun_dev: nebula1
hosts:
lighthouse1:
nebula_ip: 10.10.0.1
public_endpoints: ["203.0.113.10"]
webserver:
nebula_ip: 10.10.0.10
database:
nebula_ip: 10.10.0.20
firewall:
security_groups:
icmp:
port: any
proto: icmp
direction: any
ssh:
port: 22
proto: tcp
direction: in
https:
port: 443
proto: tcp
direction: in
firewall_default:
all: [icmp]
firewall_rules:
webserver:
all: [ssh, https]
database:
webserver: [ssh]
Generate configs
# List all hosts
nebula-config hosts list
# Show resolved details for a host
nebula-config hosts show webserver
# Generate a complete Nebula config
nebula-config config generate webserver -o webserver.yml
Use as a library
from pathlib import Path
from nebula_config_kit import load_config, resolve_host, generate_host_config
from nebula_config_kit.types import HostName
config = load_config(path=Path("nebula-network.config.yml"))
host = resolve_host(name=HostName("webserver"), config=config)
Features
Host resolution
Hosts inherit from defaults and can override any setting. Lighthouses are auto-detected from hosts with public_endpoints. Relays are identified by the am_relay flag. Each host gets a resolved config with the correct static host map, lighthouse list, and relay list — excluding itself.
Security groups & firewall
Define reusable security groups, assign them to hosts or host groups, and nebula-config-kit resolves the full inbound/outbound firewall ruleset per host. Default rules apply to all hosts unless overridden.
PKI management
Integrated certificate lifecycle:
- CA key and certificate generation
- Host certificate signing with correct Nebula IP and groups
- Certificate revocation
- Validity tracking and renewal hints
- SOPS-encrypted key storage support
CLI output formats
# Table (default), JSON, or YAML
nebula-config hosts list --output json
nebula-config hosts show database --output yaml
Custom templates
Override the built-in Nebula config template to include your own settings:
nebula-config config generate webserver --template my-template.yml
Configuration
| Environment Variable | Default | Description |
|---|---|---|
NEBULA_NETWORK_CONFIG |
nebula-network.config.yml |
Path to network config file |
NEBULA_CONFIG_KIT_PKI_PATH |
. |
Root directory for PKI stores |
NEBULA_CONFIG_KIT_PKI_NAME |
default |
PKI instance name |
NEBULA_CONFIG_KIT_SOPS_ARGS |
— | Extra SOPS arguments for encrypted keys |
NEBULA_CONFIG_KIT_OUTPUT_FORMAT |
table |
CLI output format: table, json, yaml |
Development
Requires Python 3.12+ and uv.
# Install dependencies
uv sync --all-extras
# Run tests
just test
# Lint + type check
just lint
# All checks
just check
License
See LICENSE for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nebula_config_kit-0.0.1.tar.gz.
File metadata
- Download URL: nebula_config_kit-0.0.1.tar.gz
- Upload date:
- Size: 21.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.16
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ffccc18658b41fda5d5d2fccf247b81cd9a00d90f9753f88023cf32e8d986b33
|
|
| MD5 |
c4826ac5f966763c43ff71c2c6f8c379
|
|
| BLAKE2b-256 |
1903217d80531513fdbccaf2c62b703ad473fe10caf6547257504934e593a612
|
File details
Details for the file nebula_config_kit-0.0.1-py3-none-any.whl.
File metadata
- Download URL: nebula_config_kit-0.0.1-py3-none-any.whl
- Upload date:
- Size: 27.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.16
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0e3e5d2b223f866062f95dae28a6e3272e2f5a4f25b762a1a32a32dfc7de527f
|
|
| MD5 |
70320e89952263368e051b6a8b70d228
|
|
| BLAKE2b-256 |
d8df7ebeef7500c99599ee104c5d9dad4d296645e5e66007cf3c02e6198f5924
|
