This project adheres to Semantic Versioning and human-readable changelog.

The current role maintainer is drybjed.

Refer to the Upgrade notes when you intend to upgrade to a new release.

debops.tinc master - unreleased

debops.tinc v0.3.0 - 2016-11-21


  • Add tinc__address_family_mesh0 and tinc__compression_mesh0. [ser]
  • Add tinc__mlock_mesh0. [ypid]
  • Allow to configure nodes as clients using tinc__client_hosts. [ypid]
  • Add support to block default route and DNS servers offered via DHCPv4 over a Tinc network. Tinc nodes will not accept default routes thought the mesh network anymore. Furthermore allow to adjust the metric of routes created based on those offered via DHCPv4. [ypid]
  • Ensure that highly sensitive files are not checked into version control when for example etckeeper is used for tracking changes in /etc. Note that sensitive files which are already tracked by version control will need to be manually deleted from version control history! Refer to tinc__vcs_ignore_patterns for more details. [ypid]


  • Update to DebOps Standards v0.2.1. [ypid]
  • Rename undocumented delete option for tinc__networks to state and document it. [ypid]
  • tinc__inventory_hosts_mesh0 now refers to all hosts in the Ansible inventory that are participating in the mesh0 network. [ypid]
  • Rename tinc__connect_to_mesh0 to tinc__reachable_peer_hosts_mesh0. [ypid]
  • Increased default RSA key size from 4096 to 8192 bits as suggested by Note that this increases the initial key generation from a few seconds to a few minutes which should be justifiable. [ypid]
  • Update documentation to use debops.ifupdown instead of the deprecated debops.subnetwork role. [ypid]
  • Set the correct version in the upgrade notes and update the upgrade script name. [drybjed]


  • Redundancy and deviation in documentation. [ypid]
  • Don’t connect to the Tinc daemon node itself when working with FQDNs. [ypid]
  • Don’t rely on the legacy brctl command to be installed (which was not ensured by this role) and instead use tools from the iproute2 package. [ypid]

debops.tinc v0.2.1 - 2016-02-29


  • Add a way to exclude addresses from the public key host files. The default mesh0 configuration will automatically gather all relevant IP addresses and exclude them from the host files. [drybjed]


debops.tinc v0.2.0 - 2016-02-22


  • Rewrite of the debops.tinc role.

    The role now supports management of multiple Tinc VPNs at the same time. By default a mesh0 network is established, which uses the Switch mode and DHCP to manage network configuration.

    The new role doesn't use ifupdown configuration to manage the network interfaces, instead custom tinc-up and tinc-down scripts take care of setting up and tearing down the virtual Ethernet interface used by the VPN.

    If systemd is detected on a host, the role installs custom service units that allow to manage each Tinc VPN separately from the others. The role uses these units as needed to start/stop/restart the daemons.

    Configuration for debops.etc_services, debops.ferm and debops.secret Ansible roles is generated dynamically by custom templates. This requires a customized Ansible playbook (see the documentation).

    Public RSA host keys are not distributed using YAML text blocks. Instead, debops.secret role manages as set of directories which can be used to deploy public keys to the hosts in the mesh. [drybjed]

debops.tinc v0.1.1 - 2015-11-30


  • New variable tinc_interface_auto which controls if VPN interface will be started at boot time, and if Ansible will automatically manage it during playbook runs if any changes occur. [drybjed]


  • Change the tinc_host_port type from Int to String, so that there are no issues with the debops.ferm role. [drybjed]
  • Wrap the name of the VPN node and replace all hyphens with underscores, which is a tinc requirement. [drybjed]


  • Fix wrong name of the variable in host template. [drybjed]

debops.tinc v0.1.0 - 2015-05-20