debops.tinc default variables

Network configuration


List of Tinc Virtual Private Networks to configure. See tinc__networks for more details.

tinc__networks: []

List of default networks which are created by the debops.tinc role.

tinc__default_networks: [ '{{ tinc__network_mesh0 }}' ]

The 'mesh0' Tinc VPN configuration

Default Tinc VPN created by the debops.tinc role. It creates a mesh network between hosts in switch mode (tinc forwards Ethernet frames, like a virtual switch). One of the hosts should provide a bridge to which the tap* interface is connected; on that bridge you should configure DHCP or another means of automatic interface configuration for the VPN clients.


The dictionary variable which defines the mesh0 network. See tinc__networks for more details about available options. Some of the configuration parameters are exposed in their own default variables to make simple config changes easier.

tinc__network_mesh0:
  name: 'mesh0'
  interface: '{{ tinc__interface_mesh0 }}'
  hwaddr: '{{ tinc__hwaddr_mesh0 }}'
  bridge: '{{ tinc__bridge_mesh0 }}'
  link_type: '{{ tinc__link_type_mesh0 }}'
  boot: '{{ tinc__boot_mesh0 }}'
  port: '655'
  node_reachable: '{{ tinc__inventory_hostname not in tinc__client_hosts_mesh0 }}'
  mlock: '{{ tinc__mlock_mesh0 }}'
  chroot: True
  allow: '{{ tinc__allow_mesh0 }}'
  user: '{{ tinc__user }}'
  tinc_exclude_addresses: '{{ tinc__exclude_addresses_mesh0 }}'
  tinc_options:
    Mode: 'switch'
    DeviceType: 'tap'
    Cipher: 'aes-256-cbc'
    Digest: 'SHA512'
    Compression: '{{ tinc__compression_mesh0 }}'
    AddressFamily: '{{ tinc__address_family_mesh0 }}'
    ConnectTo: '{{ tinc__reachable_peer_hosts_mesh0 }}'

Name of the network interface to use for the Tinc mesh0 VPN. For more details refer to item.interface.

tinc__interface_mesh0: 'tap-mesh0'

List of interfaces for which routes offered via DHCPv4 are denied and not applied to the system's routing table. The VPN interface is listed by default so that a DHCP server on the mesh cannot push routes onto the node.

tinc__deny_routes_from_interface:
  - '{{ tinc__interface_mesh0 }}'

List of dicts consisting of interface and metric. The metric is applied to IPv4 routing table entries generated from the routes offered via DHCPv4.

tinc__route_metric_from_interface: []

List of interfaces for which DNS servers offered via DHCPv4 are ignored and not used by the system. This might be useful when you want to operate multiple VPN connections simultaneously and use other means of "client-side split DNS", for example the --server option of dnsmasq.

tinc__deny_dns_servers_from_interface: []

This is a list of all IPv4 and IPv6 addresses which are set on the VPN interface, once it is configured. They are gathered so that they can be excluded from the Address entries in the Tinc host key file: peers must never be told to reach this node through the VPN's own addresses, since that connection would have to go over the VPN it is trying to establish.

tinc__exclude_interface_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__interface_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4_secondaries"]|map(attribute="address")|list)
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv6"]|map(attribute="address")|list)
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv6"]|d())) else []) }}'

Link type to set for the Tinc mesh0 VPN. For more details refer to item.link_type.

tinc__link_type_mesh0: ''

Specify the Media Access Control address of the Tinc mesh0 interface. For more details refer to item.hwaddr.

tinc__hwaddr_mesh0: ''

Specify if the Tinc mesh0 network should be started at boot. For more details refer to item.boot.

tinc__boot_mesh0: True

Name of the bridge to connect the interface of the Tinc mesh0 VPN. For more details refer to item.bridge.

tinc__bridge_mesh0: ''

This is a list of all IPv4 and IPv6 addresses which are set on the bridge interface, once it is configured. As with the VPN interface, they are gathered so that they can be excluded from the Address entries in the Tinc host key file.

tinc__exclude_bridge_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__bridge_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4_secondaries"]|map(attribute="address")|list)
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv6"]|map(attribute="address")|list)
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv6"]|d())) else []) }}'

If present and True, tincd will be executed with the --mlock option, which locks the daemon's memory in RAM and prevents the kernel from writing it (including the private key material) to swap. This requires a sufficient RLIMIT_MEMLOCK, see tinc__ulimit_options. For more details refer to item.mlock.

tinc__mlock_mesh0: True

List of IP addresses or CIDR subnets which will be allowed to connect to the Tinc mesh0 VPN port (655). For more details refer to item.allow.

tinc__allow_mesh0: []

Default compression level, set as the Compression option in the Tinc configuration file of the mesh0 network. This option sets the level of compression used for UDP packets. Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo).

tinc__compression_mesh0: '0'

Default address family, set as the AddressFamily option in the Tinc configuration file of the mesh0 network. Possible values are ipv4, ipv6 and any (the default). This option affects the address family of listening and outgoing sockets. If "any" is selected, then depending on the operating system both IPv4 and IPv6 or just IPv6 listening sockets will be created.

tinc__address_family_mesh0: 'any'

List of FQDN or IP addresses which should be excluded from the public key file of a given host. For more details refer to item.tinc_exclude_addresses.

tinc__exclude_addresses_mesh0: '{{ tinc__exclude_interface_mesh0 + tinc__exclude_bridge_mesh0 }}'

List of all hosts in the Ansible inventory that are participating in the mesh0 network. They are the base for the hosts listed in the ConnectTo option. This only makes sense if the specified hosts have a public IP address. If not, you might want to specify the list of hosts to connect to manually, otherwise Tinc will keep trying to connect to the unreachable hosts.

tinc__inventory_hosts_mesh0: '{{ groups.debops_service_tinc_mesh0
                                 if groups.debops_service_tinc_mesh0|d()
                                 else [] }}'

List of hosts in the Ansible inventory that are participating in the mesh0 network except the tinc__inventory_hostname or the tinc__hostname.

tinc__inventory_peer_hosts_mesh0: '{{ tinc__inventory_hosts_mesh0 | difference([ tinc__hostname, tinc__inventory_hostname ]) }}'

List of hosts to connect to which are not in the Ansible inventory. You should provide the corresponding public key files through the directories in the secret/ directory.

tinc__external_hosts_mesh0: []

List of hosts which are considered to be clients. That means that other Tinc nodes will not try to connect to the hosts in that list and that no ports will be opened in the firewall of those hosts. Note that Tinc does not have a concept of servers/clients, all nodes are technically equal.

tinc__client_hosts: []

List of hosts which are considered to be clients in mesh0, in case you have multiple Tinc networks and want a different set of clients in the mesh0 network.

tinc__client_hosts_mesh0: '{{ tinc__client_hosts }}'

List of peers that are participating in the mesh0 network except the tinc__inventory_hostname or the tinc__hostname.

tinc__all_peer_hosts_mesh0: '{{ tinc__inventory_peer_hosts_mesh0 | union(tinc__external_hosts_mesh0) }}'

List of hosts specified as the ConnectTo option in the Tinc configuration file of the mesh0 network.

tinc__reachable_peer_hosts_mesh0: '{{ tinc__all_peer_hosts_mesh0 | difference(tinc__client_hosts_mesh0) }}'
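The peer arithmetic above (inventory peers minus this node, plus external hosts, minus clients) is what decides which nodes end up in ConnectTo and whether this node opens a port at all. The following is an added example, not code from the debops.tinc role: it reimplements the Jinja difference/union chain in plain Python and renders a tinc.conf from the mesh0 tinc_options listed on this page, so the effect of tinc__client_hosts can be checked offline. The inventory names are constructed sample data and deliberately contain no hyphens, because tinc node names may only contain letters, digits and underscores.

```python
"""Peer selection for the mesh0 network, mirrored in plain Python.

Added example, not code from the debops.tinc role.  Inventory data below
is constructed for the example.
"""

from typing import Iterable, List


def all_peer_hosts(inventory_hosts: Iterable[str], inventory_hostname: str,
                   hostname: str, external_hosts: Iterable[str]) -> List[str]:
    """tinc__all_peer_hosts_mesh0: inventory peers without this node,
    plus hosts that only exist as key files in the secret/ store."""
    peers = [h for h in inventory_hosts if h not in (inventory_hostname, hostname)]
    for h in external_hosts:          # Jinja union(): keep order, drop duplicates
        if h not in peers:
            peers.append(h)
    return peers


def reachable_peer_hosts(peers: Iterable[str], client_hosts: Iterable[str]) -> List[str]:
    """tinc__reachable_peer_hosts_mesh0: peers worth a ConnectTo line.
    Clients are dropped because their firewall never opens the tinc port."""
    clients = set(client_hosts)
    return [h for h in peers if h not in clients]


def node_reachable(inventory_hostname: str, client_hosts: Iterable[str]) -> bool:
    """node_reachable for this node: False means no port is opened in the
    firewall and no other node lists this one in ConnectTo."""
    return inventory_hostname not in set(client_hosts)


def render_tinc_conf(hostname: str, interface: str, connect_to: Iterable[str],
                     compression: str = "0", address_family: str = "any") -> str:
    """Render tinc.conf with the mesh0 tinc_options from this page.
    tinc expects one ConnectTo line per peer."""
    lines = [
        f"Name = {hostname}",
        f"Interface = {interface}",
        "Mode = switch",
        "DeviceType = tap",
        "Cipher = aes-256-cbc",
        "Digest = SHA512",
        f"Compression = {compression}",
        f"AddressFamily = {address_family}",
    ]
    lines += [f"ConnectTo = {peer}" for peer in connect_to]
    return "\n".join(lines) + "\n"


# Constructed sample inventory: three servers with public addresses, one
# roaming laptop behind NAT that is declared a client, and one node that is
# not in the inventory but whose key file was placed in secret/.
INVENTORY_HOSTS = ["alpha", "beta", "gamma", "laptop"]
EXTERNAL_HOSTS = ["offsite"]
CLIENT_HOSTS = ["laptop"]


def mesh0_conf_for(node: str) -> str:
    """Compute ConnectTo for one node and render its tinc.conf."""
    peers = all_peer_hosts(INVENTORY_HOSTS, node, node, EXTERNAL_HOSTS)
    return render_tinc_conf(node, "tap-mesh0", reachable_peer_hosts(peers, CLIENT_HOSTS))


if __name__ == "__main__":
    print(mesh0_conf_for("alpha"))
    print(mesh0_conf_for("laptop"))
```

Running it shows that "laptop" never appears in anybody's ConnectTo, while the laptop itself connects out to every server plus the external node; that asymmetry is the whole meaning of tinc__client_hosts, since tinc itself treats all nodes as equal.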

APT packages


List of APT packages to install for tinc support.

tinc__base_packages: [ 'tinc' ]

List of additional APT packages to install during tinc configuration.

tinc__packages: []

Ansible inventory parameters


List of Ansible inventory groups which are used by the debops.tinc role to manage separate tinc networks. Each group will have a corresponding directory in the secret/ store on the Ansible Controller.

The default Ansible group debops_service_tinc_mesh0 specifies hosts that are participating in the mesh0 VPN.

tinc__inventory_groups: [ 'debops_service_tinc_mesh0' ]

This list defines which hosts in Ansible inventory participate in a Tinc VPN. They will have their own directories in the secret/ store on the Ansible Controller used to distribute public host keys.

tinc__inventory_hosts: '{{ groups.debops_service_tinc|d([]) }}'

Name of this node in Ansible’s inventory. This variable is used during the file upload/download to have consistent mapping between directories and Ansible’s inventory.

tinc__inventory_hostname: '{{ inventory_hostname }}'

Name of this node used in configuration files of the mesh. Don't change this unless you know what you are doing.

tinc__hostname: '{{ inventory_hostname_short }}'

Application environment


System user account which is used to run tincd. For more details refer to item.user.

tinc__user: 'tinc-vpn'

System group which is used to access tincd configuration files.

tinc__group: 'tinc-vpn'

Home directory of the tincd user.

tinc__home: '/etc/tinc'

List of options passed to the ulimit command before starting tincd processes. By default it raises the maximum size of address space locked into memory (RLIMIT_MEMLOCK, in KB) to 64 MB so that the --mlock option enabled by tinc__mlock_mesh0 can succeed.

tinc__ulimit_options: '-l {{ (1024 * 64) }}'

String with extra options to be passed to all tincd instances via the /etc/default/tinc config file.

tinc__extra_options: ''

Enable support for systemd if it is detected as the init system.

tinc__systemd: '{{ True
                   if (ansible_service_mgr|d("unknown") == "systemd")
                   else False }}'

This is a list of ignore patterns for files below /etc/tinc that version control systems should ignore. /etc is not tracked by a version control system by default; this definition exists primarily in case you decide to use etckeeper, for example, to track changes in /etc.

Note that currently only git is supported as the version control system. If you use another version control system, be sure to add support for it to this role. Ignore patterns are specified using the .gitignore file format documented in gitignore(5). By default, any file below /etc/tinc/ called rsa_key.priv (the node's private key) will not be tracked.


If you started using this role before version 0.3.0 and sensitive files are already tracked by version control, you will need to manually delete them from the version control history, since removing the file from the working tree does not remove the private key from earlier commits.

tinc__vcs_ignore_patterns: [ 'rsa_key.priv' ]

tinc daemon configuration


Length of the RSA private key generated on each node.

tinc__rsa_key_length: '8192'

A stable MAC address prefix which makes sure that the randomly generated MAC address of any Tinc interface is a locally administered unicast address: in the first octet 0xde the U/L bit (bit 1) is set, so it cannot collide with a manufacturer-assigned OUI, and the multicast bit (bit 0) is clear.

tinc__hwaddr_prefix: 'de'
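A quick way to confirm the property the prefix is meant to guarantee, as an added example that is not code from the debops.tinc role. How the role draws the random part of the address is not described on this page, so hwaddr_from_prefix() below is a hypothetical, deterministic stand-in that derives the remaining five octets from a hash of hostname and network name; the only thing it shares with the role is the fixed first octet.

```python
"""Check that a tinc interface MAC built on tinc__hwaddr_prefix is a
locally administered unicast address.

Added example, not code from the debops.tinc role.  hwaddr_from_prefix()
is a hypothetical generator used only to produce addresses to check.
"""

import hashlib


def first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet (the U/L bit) set means the address is not
    a manufacturer-assigned OUI and cannot collide with real hardware."""
    return bool(first_octet(mac) & 0x02)


def is_unicast(mac: str) -> bool:
    """Bit 0 of the first octet clear means unicast; a multicast MAC on a
    tap device is not a usable station address."""
    return not first_octet(mac) & 0x01


def hwaddr_from_prefix(prefix: str, hostname: str, network: str) -> str:
    """Hypothetical deterministic generator: the fixed prefix octet followed
    by five octets taken from SHA-256(hostname:network).  Deterministic
    output keeps the address stable across role runs for the same node."""
    tail = hashlib.sha256(f"{hostname}:{network}".encode()).digest()[:5]
    return ":".join([prefix.lower()] + [f"{b:02x}" for b in tail])


if __name__ == "__main__":
    mac = hwaddr_from_prefix("de", "alpha", "mesh0")
    print(mac, is_locally_administered(mac), is_unicast(mac))
```

The two predicates are the check to run against any hwaddr you set by hand in tinc__hwaddr_mesh0 as well: a prefix such as 00 would produce an address inside a vendor OUI range, and an odd first octet would produce a multicast address.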

List of FQDN or IP addresses which are included as Address entries in the public key file of a given host. Other hosts will use these addresses to connect to that host. By default only the FQDN is published, and only when the host has a public IP address.

tinc__host_addresses: '{{ tinc__host_addresses_fqdn }}'

Include the host FQDN if public IP addresses are available.

tinc__host_addresses_fqdn: '{{ [ ansible_fqdn ]
                               if ((ansible_all_ipv4_addresses|d([]) + (ansible_all_ipv6_addresses|d([]) |
                                   difference(ansible_all_ipv6_addresses|d([]) | ipaddr("link-local")))
                                   ) | ipaddr("public")) else [] }}'

Include all public and private IP addresses, without IPv6 link-local.

tinc__host_addresses_ip: '{{ ansible_all_ipv4_addresses|d([]) + (ansible_all_ipv6_addresses|d([]) |
                             difference(ansible_all_ipv6_addresses|d([]) | ipaddr("link-local"))) }}'

List of FQDN host entries or IP addresses which should be excluded from the list of connection addresses in the public key file, in addition to the VPN interface and bridge addresses excluded automatically.

tinc__exclude_host_addresses: []
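The address selection spread over tinc__host_addresses_fqdn, tinc__host_addresses_ip, tinc__exclude_interface_mesh0, tinc__exclude_bridge_mesh0 and tinc__exclude_host_addresses decides which Address lines a node publishes to its peers. The following is an added example, not code from the debops.tinc role: it reproduces that logic in plain Python over a dict shaped like Ansible facts, so you can see which addresses would be advertised and why the VPN's own addresses never are. The facts are constructed sample data. Ansible's ipaddr("public") test is approximated by an explicit list of non-public networks (an assumption; the real filter relies on netaddr), and nothing of the key file beyond the Address lines is reproduced.

```python
"""Address lines for a tinc host key file, derived the way this page does it.

Added example, not code from the debops.tinc role.  FACTS is constructed
sample data; is_public() is a simplified stand-in for ipaddr("public").
"""

import ipaddress
from typing import Dict, Iterable, List, Set

# Ranges that must never be advertised as a connection address to peers.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 ULA
)]


def is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _NON_PUBLIC)


def interface_addresses(facts: Dict, interface: str) -> List[str]:
    """All IPv4/IPv6 addresses on one interface (tinc__exclude_interface_mesh0
    / tinc__exclude_bridge_mesh0).  Ansible names the fact after the interface
    with '-' replaced by '_', and the fact is absent until the interface exists,
    hence the |d() guards on the page."""
    if not interface:
        return []
    fact = facts.get("ansible_" + interface.replace("-", "_"))
    if not fact:
        return []
    found = []
    if fact.get("ipv4"):
        found.append(fact["ipv4"]["address"])
    found += [a["address"] for a in fact.get("ipv4_secondaries") or []]
    found += [a["address"] for a in fact.get("ipv6") or []]
    return found


def host_addresses_ip(facts: Dict) -> List[str]:
    """tinc__host_addresses_ip: every address except IPv6 link-local."""
    v6 = [a for a in facts.get("ansible_all_ipv6_addresses", [])
          if not ipaddress.ip_address(a).is_link_local]
    return list(facts.get("ansible_all_ipv4_addresses", [])) + v6


def host_addresses_fqdn(facts: Dict) -> List[str]:
    """tinc__host_addresses_fqdn: the FQDN, but only if some address is public;
    a NAT-only node publishes nothing and is reached via ConnectTo instead."""
    public = any(is_public(a) for a in host_addresses_ip(facts))
    return [facts["ansible_fqdn"]] if public else []


def exclude_addresses(facts: Dict, interface: str, bridge: str,
                      manual: Iterable[str] = ()) -> Set[str]:
    """tinc__exclude_addresses_mesh0 plus tinc__exclude_host_addresses."""
    return (set(interface_addresses(facts, interface))
            | set(interface_addresses(facts, bridge)) | set(manual))


def address_lines(host_addresses: Iterable[str], excluded: Set[str]) -> List[str]:
    """'Address =' lines for this node's key file."""
    return [f"Address = {a}" for a in host_addresses if a not in excluded]


# Constructed facts: one public uplink plus the configured tap-mesh0 device,
# which carries a primary and a secondary address on the mesh.
FACTS = {
    "ansible_fqdn": "alpha.example.org",
    "ansible_all_ipv4_addresses": ["203.0.113.10", "10.20.0.1", "10.20.0.2"],
    "ansible_all_ipv6_addresses": ["2001:db8::10", "fe80::1"],
    "ansible_eth0": {"ipv4": {"address": "203.0.113.10"},
                     "ipv6": [{"address": "2001:db8::10"}, {"address": "fe80::1"}]},
    "ansible_tap_mesh0": {"ipv4": {"address": "10.20.0.1"},
                          "ipv4_secondaries": [{"address": "10.20.0.2"}],
                          "ipv6": []},
}

if __name__ == "__main__":
    excluded = exclude_addresses(FACTS, "tap-mesh0", "")
    print("default (FQDN only):", address_lines(host_addresses_fqdn(FACTS), excluded))
    print("with tinc__host_addresses_ip:", address_lines(host_addresses_ip(FACTS), excluded))
```

With the default tinc__host_addresses the node publishes just its FQDN; switching to tinc__host_addresses_ip publishes the uplink addresses but still drops 10.20.0.1 and 10.20.0.2, which only exist on the mesh itself. If the public uplink were removed, host_addresses_fqdn() returns an empty list, and such a node belongs in tinc__client_hosts.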

Kernel modules


Load required kernel modules if they are not present, and ensure that they are loaded at boot time.

tinc__modprobe: True

List of kernel modules to load.

tinc__modprobe_modules: [ 'tun' ]

Configuration for other Ansible roles


Configuration of debops.apt_preferences role.


tinc__apt_preferences__dependent_list:

  - package: 'tinc'
    backports: [ 'wheezy' ]
    reason:  'Backport installed on Wheezy for version parity with Debian Jessie'
    by_role: 'debops.tinc'