A fast, interactive CLI tool to install, configure, and operate Slack Nebula — wrapping certs, firewall policy, service control, connectivity checks, and scheduled updates into one easy-to-use tool.

• 🚀 Install & Update Nebula from official releases (arch/OS aware).
• 🛡 Certificate management – list, generate, view, remove, check expiry, and revoke with reasons.
• 📝 Configuration management – interactively edit config.yml with validation to prevent bad deploys.
• 🔥 Firewall management – control inbound/outbound rules, defaults, and conntrack settings.
• 📡 Connectivity tools – multi-node reachability & latency table; optional iperf3 bandwidth checks.
• 📋 Service orchestration – manage all enabled servers, with per-server status.
• ⏪ Update Nebula with rollback if download or config validation fails.
• ⏰ Auto-update scheduler – via cron (nebula-manager --auto-update-nebula).
• 🆕 First-run setup – auto-downloads and installs a config template if none exists.
• ⚙️ Config-driven multi-server management via nebula-manager.conf.

You can run nebula-manager either directly from the downloaded script or install it system-wide.

curl -fsSL https://raw.githubusercontent.com/jordanhillis/nebula-manager/refs/heads/main/nebula-manager.sh -o nebula-manager.sh
chmod +x nebula-manager.sh

Then run it with:

sudo ./nebula-manager

sudo curl -fsSL https://raw.githubusercontent.com/jordanhillis/nebula-manager/refs/heads/main/nebula-manager.sh -o /usr/local/bin/nebula-manager
sudo chmod +x /usr/local/bin/nebula-manager

Then use it from anywhere with:

sudo nebula-manager

Nebula Manager will check for and optionally install all required tools on the first run.
You can skip this check by setting ignore_dependency_check in nebula-manager.conf, but it is recommended to ensure these are installed:

Required: curl, wget, tar, jq, yq, systemd (systemctl), iputils-ping
Optional: iperf3 (for bandwidth tests)

/

sudo apt update
sudo apt install -y awk curl findutils grep jq sed sudo systemd tar wget yq coreutils iperf3 iputils-ping

/ / /

sudo dnf install -y curl findutils grep jq sed sudo systemd tar wget yq coreutils iperf3 iputils

(On RHEL-like systems, iputils provides ping.)

Nebula Manager reads an INI‑style config (with sections) located by default at:

/etc/nebula/nebula-manager.conf

Nebula Manager can run without a pre-existing config file — if none is found, it automatically downloads the template from this repository and saves it to the path specified by the --config option or the SERVER_CONF variable in the script.

You can change the default in the script by editing SERVER_CONF, or without editing the script by passing a flag:

./nebula-manager.sh --config=/path/to/nebula-manager.conf

or 

nebula-manager --config=/path/to/nebula-manager.conf

• Comments use # (inline comments supported).
• Sections use [global] and [server.<name>].
• Keys are key=value.

Each enabled server becomes targetable for operations

[global]
bin_path=/usr/local/bin
cert_folder=certs
use_color=true
use_icons=true
disable_version_check=false
ignore_dependency_check=false
ignore_nebula_update=false

[server.edge-1]
dir=/etc/nebula/edge-1
service=/etc/systemd/system/nebula-edge1.service
enabled=true

[server.lighthouse]
dir=/etc/nebula/lighthouse
service=/etc/systemd/system/nebula-lighthouse.service
enabled=true

[server.lab]
dir=/etc/nebula/lab
service=/etc/systemd/system/nebula-lab.service
enabled=false

Add a server by appending a new section to nebula-manager.conf:

[server.edge-2]
dir=/etc/nebula/edge-2
service=/etc/systemd/system/nebula-edge2.service
enabled=true

• Ensure the referenced Nebula dir contains a valid config.yml (the script will download a template one if it doesn't exist).
• Ensure the systemd unit exists and points to that config (the script will download a template one if it doesn't exist).

Disable or remove a server:

• Set enabled=false to temporarily exclude it from batch operations, or
• Delete the [server.<name>] section to remove it entirely.

Run the tool and use the TUI to:

• Manage services (start/stop).
• Edit and validate config.yml safely.
• Add/remove firewall rules; adjust defaults/conntrack.
• Manage certificates (list/issue/revoke with reasons).
• Check node connectivity & latency; optionally run iperf3 tests.
• Update Nebula with rollback if something fails.

• --config=/path/to/nebula-manager.conf – override config location (no script edits).
• --auto-update-nebula – check GitHub for latest Nebula and update if newer.
• --version – print script version.

Many capabilities are menu‑driven. For consistency, prefer the menu unless you have a dedicated automation need.

If you’re new to Nebula or want the canonical details, start here:

• Nebula Docs (home): https://nebula.defined.net/docs/
• Quick Start: https://nebula.defined.net/docs/guides/quick-start/
• Configuration Reference (all keys): https://nebula.defined.net/docs/config/
• static_host_map explainer: https://nebula.defined.net/docs/config/static-host-map/
• Example config.yml: https://raw.githubusercontent.com/slackhq/nebula/master/examples/config.yml
• Guides (how-tos): https://nebula.defined.net/docs/guides/
• Releases (downloads): https://github.com/slackhq/nebula/releases
• GitHub repo / Issues / Discussions: https://github.com/slackhq/nebula

Looking for more answers?

👉 Check out the Full FAQ on GitHub Wiki »

• Always review the script before running it, especially when installing as root.
• Keep backups of your config.yml and certificates before making changes.
• Only run Nebula Manager on trusted systems — it manages cryptographic keys.

MIT — free to use, modify, and distribute.

Pull requests are welcome. For major changes, open an issue first to discuss what you’d like to change.

Created by Jordan Hillis. Contributions welcome!