debops.tinc default variables

Network configuration

tinc__networks

List of Tinc Virtual Private Networks to configure. See tinc__networks for more details.

tinc__networks: []
tinc__default_networks

List of default networks which are created by the debops.tinc role.

tinc__default_networks: [ '{{ tinc__network_mesh0 }}' ]

The 'mesh0' Tinc VPN configuration

Default Tinc VPN created by the debops.tinc role. It will create a mesh network between hosts in switch mode. One of the hosts should provide a bridge to which the tap* interface will be connected; on that bridge you should configure DHCP or other means of interface auto configuration.

tinc__network_mesh0

The dictionary variable which defines the mesh0 network. See tinc__networks for more details about available options. Some of the configuration parameters are exposed in their own default variables to make simple config changes easier.

tinc__network_mesh0:
  name: 'mesh0'
  interface: '{{ tinc__interface_mesh0 }}'
  hwaddr: '{{ tinc__hwaddr_mesh0 }}'
  bridge: '{{ tinc__bridge_mesh0 }}'
  link_type: '{{ tinc__link_type_mesh0 }}'
  boot: '{{ tinc__boot_mesh0 }}'
  port: '655'
  node_reachable: '{{ tinc__inventory_hostname not in tinc__client_hosts_mesh0 }}'
  mlock: '{{ tinc__mlock_mesh0 }}'
  chroot: True
  allow: '{{ tinc__allow_mesh0 }}'
  user: '{{ tinc__user }}'
  tinc_exclude_addresses: '{{ tinc__exclude_addresses_mesh0 }}'
  tinc_options:
    Mode: 'switch'
    DeviceType: 'tap'
    Cipher: 'aes-256-cbc'
    Digest: 'SHA512'
    Compression: '{{ tinc__compression_mesh0 }}'
    AddressFamily: '{{ tinc__address_family_mesh0 }}'
    ConnectTo: '{{ tinc__reachable_peer_hosts_mesh0 }}'
tinc__interface_mesh0

Name of the network interface to use for the Tinc mesh0 VPN. For more details refer to item.interface.

tinc__interface_mesh0: 'tap-mesh0'
tinc__deny_default_route_from_interface

List of interfaces for which routes offered via DHCPv4 are denied and not applied to the systems routing table.

tinc__deny_default_route_from_interface:
  - '{{ tinc__interface_mesh0 }}'
tinc__route_metric_from_interface

List of dicts consisting of interface and metric. The metric is applied to IPv4 routing table entries generated from the routes offered via DHCPv4.

tinc__route_metric_from_interface: []
tinc__deny_dns_servers_from_interface

List of interfaces for which DNS servers offered via DHCPv4 are ignored and not used by the system. This might be useful when you want to operate with multiple VPN connections simultaneously and use other means of "client-side split DNS" for example the --server parameter from dnsmasq.

tinc__deny_dns_servers_from_interface: []
tinc__exclude_interface_mesh0

This is a list of all of the IPv4 and IPv6 addresses which are set on the VPN interface, when it's configured. This list gathers these IP addresses so that they can be excluded from the Tinc VPN public key files.

tinc__exclude_interface_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__interface_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4_secondaries"]|map(attribute="address")|list)
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv6"]|map(attribute="address")|list)
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv6"]|d())) else [])
  }}'

Link type to set for the Tinc mesh0 VPN. For more details refer to item.link_type.

tinc__link_type_mesh0: ''
tinc__hwaddr_mesh0

Specify the Media Access Control address of the Tinc mesh0 interface. For more details refer to item.hwaddr.

tinc__hwaddr_mesh0: ''
tinc__boot_mesh0

Specify if the Tinc mesh0 network should be started at boot. For more details refer to item.boot.

tinc__boot_mesh0: True
tinc__bridge_mesh0

Name of the bridge to connect the interface of the Tinc mesh0 VPN. For more details refer to item.bridge.

tinc__bridge_mesh0: ''
tinc__exclude_bridge_mesh0

This is a list of all of the IPv4 and IPv6 addresses which are set on the bridge interface, when it's configured. This list gathers these IP addresses so that they can be excluded from the Tinc VPN public key files.

tinc__exclude_bridge_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__bridge_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4_secondaries"]|map(attribute="address")|list)
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv6"]|map(attribute="address")|list)
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv6"]|d())) else [])
  }}'
tinc__mlock_mesh0

If present and True, tincd will be executed with the --mlock option which will lock the daemon's memory in RAM, preventing the system from moving it to the swap space. For more details refer to item.mlock.

tinc__mlock_mesh0: True
tinc__allow_mesh0

List of IP addresses or CIDR subnets which will be allowed to connect to the Tinc mesh0 VPN port (655). For more details refer to item.allow.

tinc__allow_mesh0: []
tinc__compression_mesh0

Default compression level as the Compression option in the Tinc configuration file of the mesh0 network. This option sets the level of compression used for UDP packets. Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo).

tinc__compression_mesh0: '0'
tinc__address_family_mesh0

ipv4 | ipv6 | any (any)

Default address family as the AddressFamily option in the Tinc configuration file of the mesh0 network. This option affects the address family of listening and outgoing sockets. If "any" is selected, then depending on the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created.

tinc__address_family_mesh0: 'any'
tinc__exclude_addresses_mesh0

List of FQDN or IP addresses which should be excluded from the public key file of a given host. For more details refer to item.tinc_exclude_addresses.

tinc__exclude_addresses_mesh0: '{{ tinc__exclude_interface_mesh0 + tinc__exclude_bridge_mesh0 }}'
tinc__inventory_hosts_mesh0

List of all hosts in the Ansible inventory that are participating in the mesh0 network. They will be the base for the hosts listed in the ConnectTo option. This only makes sense if the specified hosts have a public IP address. If not, you might want to specify the list of hosts to connect to manually, otherwise Tinc will try to connect to the unreachable hosts all the time.

tinc__inventory_hosts_mesh0: '{{ groups.debops_service_tinc_mesh0
                                 if groups.debops_service_tinc_mesh0|d()
                                 else [] }}'
tinc__inventory_peer_hosts_mesh0

List of hosts in the Ansible inventory that are participating in the mesh0 network except the tinc__inventory_hostname or the tinc__hostname.

tinc__inventory_peer_hosts_mesh0: '{{ tinc__inventory_hosts_mesh0 | difference([ tinc__hostname, tinc__inventory_hostname ]) }}'
tinc__external_hosts_mesh0

List of hosts to connect to which are not in the Ansible inventory. You should provide the corresponding public key files through the directories in the secret/ directory.

tinc__external_hosts_mesh0: []
tinc__client_hosts

List of hosts which are considered to be clients. That means that other Tinc nodes will not try to connect to the hosts in that list and that no ports will be opened in the firewall of those hosts. Note that Tinc does not have a concept of servers/clients, all nodes are technically equal.

tinc__client_hosts: []
tinc__client_hosts_mesh0

List of hosts which are considered to be clients in mesh0. In case have multiple Tinc networks and want different clients in the mesh0 network.

tinc__client_hosts_mesh0: '{{ tinc__client_hosts }}'
tinc__all_peer_hosts_mesh0

List of peers that are participating in the mesh0 network except the tinc__inventory_hostname or the tinc__hostname.

tinc__all_peer_hosts_mesh0: '{{ tinc__inventory_peer_hosts_mesh0 | union(tinc__external_hosts_mesh0) }}'
tinc__reachable_peer_hosts_mesh0

List of hosts specified as the ConnectTo option in the Tinc configuration file of the mesh0 network.

tinc__reachable_peer_hosts_mesh0: '{{ tinc__all_peer_hosts_mesh0 | difference(tinc__client_hosts_mesh0) }}'

APT packages

tinc__base_packages

List of APT packages to install for tinc support.

tinc__base_packages: [ 'tinc' ]
tinc__packages

List of additional APT packages to install during tinc configuration.

tinc__packages: []

Ansible inventory parameters

tinc__inventory_groups

List of Ansible inventory groups which are used by the debops.tinc role to manage separate tinc networks. Each group will have corresponding a directory in the secret/ store on the Ansible Controller.

The default Ansible group debops_service_tinc_mesh0 specifies hosts that are participating in the mesh0 VPN.

tinc__inventory_groups: [ 'debops_service_tinc_mesh0' ]
tinc__inventory_hosts

This list defines which hosts in Ansible inventory participate in a Tinc VPN. They will have their own directories in the secret/ store on the Ansible Controller used to distribute public host keys.

tinc__inventory_hosts: '{{ groups.debops_service_tinc|d([]) }}'
tinc__inventory_hostname

Name of this node in Ansible’s inventory. This variable is used during the file upload/download to have consistent mapping between directories and Ansible’s inventory.

tinc__inventory_hostname: '{{ inventory_hostname }}'
tinc__hostname

Name of this node used in configuration files of the mesh. Don't change this unless you know what you are doing.

tinc__hostname: '{{ inventory_hostname_short }}'

Application environment

tinc__user

System user account which is used to run tincd. For more details refer to item.user.

tinc__user: 'tinc-vpn'
tinc__group

System group which is used to access tincd configuration files.

tinc__group: 'tinc-vpn'
tinc__home

Home directory of the tincd user.

tinc__home: '/etc/tinc'
tinc__ulimit_options

List of options passed to ulimit command before starting tincd processes. Set the maximum size of address space locked into memory, in KB.

tinc__ulimit_options: '-l {{ (1024 * 64) }}'
tinc__extra_options

String with extra options to be passed to all tincd instances in the /etc/default/tinc config file

tinc__extra_options: ''
tinc__systemd

Enable support for systemd if it is detected as the init system.

tinc__systemd: '{{ True
                   if (ansible_service_mgr|d("unknown") == "systemd")
                   else False }}'
tinc__vcs_ignore_patterns

This list of ignore patterns for files below /etc/tinc that version control systems should ignore. /etc is not tracked by default by a version control system. This definition exists preliminary in case you decide to use etckeeper for example to track changes in /etc.

Note that currently, only git as version control system is supported. If you use another version control system, be sure to add support for it to this role. Ignore patterns are specified using the .gitignore file format documented in gitignore(5). By default, any file below /etc/tinc/ called rsa_key.priv will not be tracked.

Note

When you started using this role before version 0.3.0 and sensitive files are already tracked by version control you will need to manually deleted them from version control history!

tinc__vcs_ignore_patterns: [ 'rsa_key.priv' ]

tinc daemon configuration

tinc__rsa_key_length

Length of the RSA private key generated on each node.

tinc__rsa_key_length: '8192'
tinc__hwaddr_prefix

A stable MAC address prefix that will make sure that the randomly generated MAC address of any Tinc interface is located within a set of Locally Administered Address Ranges. https://serverfault.com/questions/40712/

tinc__hwaddr_prefix: 'de'
tinc__host_addresses

List of FQDN or IP addresses which are included in the public key file of a given host. Other hosts will use these addresses to connect to that host.

tinc__host_addresses: '{{ tinc__host_addresses_fqdn }}'
tinc__host_addresses_fqdn

Include the host FQDN if public IP addresses are available.

tinc__host_addresses_fqdn: '{{ [ ansible_fqdn ]
                               if ((ansible_all_ipv4_addresses|d([]) + (ansible_all_ipv6_addresses|d([]) |
                                   difference(ansible_all_ipv6_addresses|d([]) | ipaddr("link-local")))
                                   ) | ipaddr("public")) else [] }}'
tinc__host_addresses_ip

Include all public and private IP addresses, without IPv6 link-local.

tinc__host_addresses_ip: '{{ ansible_all_ipv4_addresses|d([]) + (ansible_all_ipv6_addresses|d([]) |
                             difference(ansible_all_ipv6_addresses|d([]) | ipaddr("link-local"))) }}'
tinc__exclude_host_addresses

List of FQDN host entries or IP addresses which should be excluded from the list of connection addresses in the public key file.

tinc__exclude_host_addresses: []

Kernel modules

tinc__modprobe

Load required kernel modules if they are not present, and ensure that they are loaded at boot time.

tinc__modprobe: True
tinc__modprobe_modules

List of kernel modules to load.

tinc__modprobe_modules: [ 'tun' ]

Configuration for other Ansible roles

tinc__apt_preferences__dependent_list

Configuration of debops.apt_preferences role.

tinc__apt_preferences__dependent_list:

  - package: 'tinc'
    backports: [ 'wheezy' ]
    reason:  'Backport installed on Wheezy for version parity with Debian Jessie'
    by_role: 'debops.tinc'