debops.tinc default variables

Network configuration

This is a set of YAML dictionary variables which contain configuration of Tinc mesh networks. Each network is a YAML dictionary with specific parameters. See tinc__networks for more details.

tinc__default_networks

YAML dictionary that contains the configuration of the default Tinc mesh network.

tinc__default_networks:
  'mesh0':
    port: '655'
tinc__networks

YAML dictionary that contains the configuration of the Tinc mesh networks configured on all hosts in the Ansible inventory.

tinc__networks: {}
tinc__group_networks

YAML dictionary that contains the configuration of the Tinc mesh networks configured on a group of hosts in Ansible inventory.

tinc__group_networks: {}
tinc__host_networks

YAML dictionary that contains the configuration of the Tinc mesh networks configured on specific hosts in Ansible inventory.

tinc__host_networks: {}
tinc__combined_networks

YAML dictionary which contains configuration of Tinc networks combined using other dictionaries configured in the Ansible inventory. This variable is used by the role tasks and templates.

tinc__combined_networks: '{{ lookup("template",
                             "lookup/tinc__combined_networks.j2",
                             convert_data=False) | from_yaml }}'

APT packages

tinc__base_packages

List of APT packages to install for tinc support.

tinc__base_packages: [ 'tinc' ]
tinc__packages

List of additional APT packages to install during tinc configuration.

tinc__packages: []

Ansible inventory parameters

tinc__inventory_hosts

This list defines which hosts in Ansible inventory participate in a Tinc VPN. They will have their own directories in the secret/ store on the Ansible Controller used to distribute public host keys.

tinc__inventory_hosts: '{{ groups.debops_service_tinc | d([]) }}'
tinc__inventory_self

This list specifies what inventory hostnames the node considers as its own. These hostnames will be ignored when they appear on the list of the hosts to connect to.

tinc__inventory_self:
  - '{{ tinc__hostname }}'
  - '{{ tinc__inventory_hostname }}'
tinc__inventory_hostname

Name of this node in Ansible’s inventory. This variable is used during the file upload/download to have consistent mapping between directories and Ansible’s inventory.

tinc__inventory_hostname: '{{ inventory_hostname }}'
tinc__hostname

Name of this node used in configuration files of the mesh. Don't change this unless you know what you are doing.

tinc__hostname: '{{ inventory_hostname_short }}'

Application environment

tinc__user

System user account which is used to run tincd. For more details refer to item.user.

tinc__user: 'tinc-vpn'
tinc__group

System group which is used to access tincd configuration files.

tinc__group: 'tinc-vpn'
tinc__home

Home directory of the tincd user.

tinc__home: '/etc/tinc'
tinc__ulimit_memlock

Specify the maximum amount of memory that shouldn't be moved to swap ("memlock) by the kernel. This value is passed to the ulimit command and defined in the tinc systemd unit file.

tinc__ulimit_memlock: '{{ (1024 * tinc__rsa_key_length | int * 16) }}'
tinc__ulimit_options

List of options passed to ulimit command before starting tincd processes. Set the maximum size of address space locked into memory, in KB.

tinc__ulimit_options: '-l {{ tinc__ulimit_memlock }}'
tinc__extra_options

String with extra options to be passed to all tincd instances in the /etc/default/tinc config file and systemd unit.

tinc__extra_options: ''
tinc__systemd

Enable support for systemd if it is detected as the init system.

tinc__systemd: '{{ True
                   if (ansible_service_mgr | d("unknown") == "systemd")
                   else False }}'
tinc__vcs_ignore_patterns

This list of ignore patterns for files below /etc/tinc that version control systems should ignore. /etc is not tracked by default by a version control system. This definition exists preliminary in case you decide to use etckeeper for example to track changes in /etc.

Note that currently, only git as version control system is supported. If you use another version control system, be sure to add support for it to this role. Ignore patterns are specified using the .gitignore file format documented in gitignore(5). By default, any file below /etc/tinc/ called rsa_key.priv will not be tracked.

Note

When you started using this role before version 0.3.0 and sensitive files are already tracked by version control you will need to manually deleted them from version control history!

tinc__vcs_ignore_patterns: [ 'rsa_key.priv' ]

tinc daemon configuration

tinc__rsa_key_length

Length of the RSA private key generated on each node.

tinc__rsa_key_length: '8192'
tinc__hwaddr_prefix

A stable MAC address prefix that will make sure that the randomly generated MAC address of any Tinc interface is located within a set of Locally Administered Address Ranges. https://serverfault.com/questions/40712/ Reserved prefixes: [0-9a-f]2, [0-9a-f]6, [0-9a-f]a, [0-9a-f]e.

tinc__hwaddr_prefix: 'de'
tinc__metric

The default route metric configured by the dhclient daemon.

tinc__metric: '100'
tinc__host_addresses

List of FQDN or IP addresses which are included in the public key file of a given host. Other hosts will use these addresses to connect to that host.

tinc__host_addresses: '{{ tinc__host_addresses_fqdn +
                          tinc__host_addresses_ip_public }}'
tinc__host_addresses_fqdn

Include the host FQDN if public IP addresses are available.

tinc__host_addresses_fqdn: '{{ [ansible_fqdn]
                               if ((ansible_all_ipv4_addresses | d([])
                                    + (ansible_all_ipv6_addresses | d([])
                                       | difference(ansible_all_ipv6_addresses | d([])
                                                    | ansible.utils.ipaddr("link-local"))))
                                   | ansible.utils.ipaddr("public"))
                               else [] }}'
tinc__host_addresses_ip_public

Include all public IP addresses, without IPv6 link-local.

tinc__host_addresses_ip_public: '{{ (ansible_all_ipv4_addresses | d([])
                                     + (ansible_all_ipv6_addresses | d([])
                                        | difference(ansible_all_ipv6_addresses | d([])
                                                     | ansible.utils.ipaddr("link-local"))))
                                    | ansible.utils.ipaddr("public") }}'
tinc__host_addresses_ip_private

Include all private IP addresses, without IPv6 link-local.

tinc__host_addresses_ip_private: '{{ (ansible_all_ipv4_addresses | d([])
                                      + (ansible_all_ipv6_addresses | d([])
                                         | difference(ansible_all_ipv6_addresses | d([])
                                                      | ansible.utils.ipaddr("link-local"))))
                                     | ansible.utils.ipaddr("private") }}'
tinc__exclude_addresses

List of FQDN host entries or IP addresses which should be excluded from the list of connection addresses in the public key file.

tinc__exclude_addresses: '{{ lookup("template",
                             "lookup/tinc__exclude_addresses.j2",
                             convert_data=False) | from_yaml }}'

Kernel modules

tinc__modprobe

Load required kernel modules if they are not present, and ensure that they are loaded at boot time.

tinc__modprobe: True
tinc__modprobe_modules

List of kernel modules to load.

tinc__modprobe_modules: [ 'tun' ]

Configuration for other Ansible roles

tinc__secret__directories

Configuration for the debops.secret.

tinc__secret__directories: '{{ lookup("template",
                               "lookup/tinc__secret_directories.j2",
                               convert_data=False) | from_yaml }}'
tinc__etc_services__dependent_list

Configuration for the debops.etc_services.

tinc__etc_services__dependent_list: '{{ lookup("template",
                                        "lookup/tinc__etc_services__dependent_list.j2",
                                        convert_data=False) | from_yaml }}'
tinc__ferm__dependent_rules

Configuration for the debops.ferm.

tinc__ferm__dependent_rules: '{{ lookup("template",
                                 "lookup/tinc__ferm__dependent_rules.j2",
                                 convert_data=False) | from_yaml }}'
tinc__persistent_paths__dependent_paths

Configuration for the debops.persistent_paths.

Note that when the same network gets deleted and then added again to tinc__combined_networks, the role might need two runs to also update the defaults file in the persistent location.

Note that bind-dirs in Qubes OS currently does not restore symlinks (only their destination). (/etc/systemd/system/multi-user.target.wants/tinc.service is a symlink). This works for ypid as he does not want auto start on Qubes OS AppVMs anyway. If you need it on Qubes OS, feel free to discuss and patch bind-dirs.

tinc__persistent_paths__dependent_paths:

  '50_debops_tinc':
    by_role: 'debops.tinc'
    paths: |
      {{ [
        '/etc/tinc',
        '/etc/systemd/system/tinc.service',
        '/etc/systemd/system/tinc@.service',
        '/etc/systemd/system/multi-user.target.wants/tinc.service',
      ] + ((ansible_local.tinc.networks.keys() | map("regex_replace", "^", "/etc/default/tinc-") | list)
           if (ansible_local.tinc.networks | d())
           else [])
      }}