debops.tinc default variables

Network configuration

This is a set of YAML dictionary variables which contain the configuration of Tinc mesh networks. Each network is a YAML dictionary with specific parameters. See tinc__networks for more details.


YAML dictionary that contains the configuration of the default Tinc mesh network.

    port: '655'

YAML dictionary that contains the configuration of the Tinc mesh networks configured on all hosts in the Ansible inventory.

tinc__networks: {}

YAML dictionary that contains the configuration of the Tinc mesh networks configured on a group of hosts in Ansible inventory.

tinc__group_networks: {}

YAML dictionary that contains the configuration of the Tinc mesh networks configured on specific hosts in Ansible inventory.

tinc__host_networks: {}

YAML dictionary which contains the configuration of Tinc networks, combined from the other network dictionaries configured in the Ansible inventory. This variable is used by the role tasks and templates.

tinc__combined_networks: '{{ lookup("template",
                             convert_data=False) | from_yaml }}'

APT packages


List of APT packages to install for tinc support.

tinc__base_packages: [ 'tinc' ]

List of additional APT packages to install during tinc configuration.

tinc__packages: []

Ansible inventory parameters


This list defines which hosts in the Ansible inventory participate in a Tinc VPN. Each of them will have its own directory in the secret/ store on the Ansible Controller, which is used to distribute public host keys.

tinc__inventory_hosts: '{{ groups.debops_service_tinc | d([]) }}'

This list specifies which inventory hostnames the node considers as its own. These hostnames will be ignored when they appear in the list of hosts to connect to.

  - '{{ tinc__hostname }}'
  - '{{ tinc__inventory_hostname }}'

Name of this node in Ansible's inventory. This variable is used during file upload/download to keep a consistent mapping between directories and Ansible's inventory.

tinc__inventory_hostname: '{{ inventory_hostname }}'

Name of this node used in configuration files of the mesh. Don't change this unless you know what you are doing.

tinc__hostname: '{{ inventory_hostname_short }}'

Application environment


System user account which is used to run tincd. For more details, refer to item.user.

tinc__user: 'tinc-vpn'

System group which is used to access tincd configuration files.

tinc__group: 'tinc-vpn'

Home directory of the tincd user.

tinc__home: '/etc/tinc'

Specify the maximum amount of memory that shouldn't be moved to swap ("memlock") by the kernel. This value is passed to the ulimit command and defined in the tinc systemd unit file.

tinc__ulimit_memlock: '{{ (1024 * tinc__rsa_key_length | int * 16) }}'

List of options passed to the ulimit command before starting tincd processes. The default sets the maximum size of address space locked into memory, in KB.

tinc__ulimit_options: '-l {{ tinc__ulimit_memlock }}'

String with extra options to be passed to all tincd instances in the /etc/default/tinc config file and systemd unit.

tinc__extra_options: ''

Enable support for systemd if it is detected as the init system.

tinc__systemd: '{{ True
                   if (ansible_service_mgr | d("unknown") == "systemd")
                   else False }}'

List of ignore patterns for files below /etc/tinc that version control systems should ignore. /etc is not tracked by a version control system by default; this definition exists primarily in case you decide to use etckeeper, for example, to track changes in /etc.

Note that currently only git is supported as a version control system. If you use another version control system, be sure to add support for it to this role. Ignore patterns are specified using the .gitignore file format documented in gitignore(5). By default, any file below /etc/tinc/ called rsa_key.priv will not be tracked.

If you started using this role before version 0.3.0 and sensitive files are already tracked by version control, you will need to delete them manually from the version control history!

tinc__vcs_ignore_patterns: [ 'rsa_key.priv' ]

tinc daemon configuration


Length of the RSA private key generated on each node.

tinc__rsa_key_length: '8192'

A stable MAC address prefix which ensures that the randomly generated MAC address of any Tinc interface lies within the Locally Administered Address ranges. Reserved prefixes: [0-9a-f]2, [0-9a-f]6, [0-9a-f]a, [0-9a-f]e.

tinc__hwaddr_prefix: 'de'
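The reserved prefixes above are exactly the first octets with the U/L bit set and the I/G bit clear. The following helper, added here as an illustration and not part of the role's templates, checks a prefix that way and builds an interface MAC from it; the optional tail argument only exists to make the output reproducible.

```python
import secrets
from typing import Optional


def is_locally_administered_unicast(prefix: str) -> bool:
    """Check that a two-hex-digit first octet (e.g. the default 'de') is a
    locally administered unicast octet.

    Bit 0 (0x01) of the first octet is the I/G bit: 0 means unicast.
    Bit 1 (0x02) is the U/L bit: 1 means locally administered.
    Second hex digit 2, 6, a or e is precisely the set of values with
    bit 1 set and bit 0 clear, i.e. the page's reserved prefixes.
    """
    if len(prefix) != 2:
        return False
    try:
        octet = int(prefix, 16)
    except ValueError:
        return False
    return (octet & 0x01) == 0 and (octet & 0x02) == 0x02


def generate_hwaddr(prefix: str, tail: Optional[bytes] = None) -> str:
    """Return 'pp:xx:xx:xx:xx:xx' with five random octets after the prefix.

    Refuses prefixes outside the locally administered unicast space, so a
    typo in the prefix cannot produce a multicast or vendor-assigned MAC.
    """
    if not is_locally_administered_unicast(prefix):
        raise ValueError(f"prefix {prefix!r} is not a locally administered unicast octet")
    if tail is None:
        tail = secrets.token_bytes(5)
    if len(tail) != 5:
        raise ValueError("tail must be exactly five octets")
    return ":".join([prefix.lower()] + [f"{b:02x}" for b in tail])
```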

The default route metric configured by the dhclient daemon.

tinc__metric: '100'

List of FQDNs or IP addresses which are included in the public key file of a given host. Other hosts will use these addresses to connect to that host.

tinc__host_addresses: '{{ tinc__host_addresses_fqdn +
                          tinc__host_addresses_ip_public }}'

Include the host FQDN if public IP addresses are available.

tinc__host_addresses_fqdn: '{{ [ansible_fqdn]
                               if ((ansible_all_ipv4_addresses | d([])
                                    + (ansible_all_ipv6_addresses | d([])
                                       | difference(ansible_all_ipv6_addresses | d([])
                                                    | ansible.utils.ipaddr("link-local"))))
                                   | ansible.utils.ipaddr("public"))
                               else [] }}'

Include all public IP addresses, without IPv6 link-local.

tinc__host_addresses_ip_public: '{{ (ansible_all_ipv4_addresses | d([])
                                     + (ansible_all_ipv6_addresses | d([])
                                        | difference(ansible_all_ipv6_addresses | d([])
                                                     | ansible.utils.ipaddr("link-local"))))
                                    | ansible.utils.ipaddr("public") }}'

Include all private IP addresses, without IPv6 link-local.

tinc__host_addresses_ip_private: '{{ (ansible_all_ipv4_addresses | d([])
                                      + (ansible_all_ipv6_addresses | d([])
                                         | difference(ansible_all_ipv6_addresses | d([])
                                                      | ansible.utils.ipaddr("link-local"))))
                                     | ansible.utils.ipaddr("private") }}'

List of FQDN host entries or IP addresses which should be excluded from the list of connection addresses in the public key file.

tinc__exclude_addresses: '{{ lookup("template",
                             convert_data=False) | from_yaml }}'

Kernel modules


Load required kernel modules if they are not present, and ensure that they are loaded at boot time.

tinc__modprobe: True

List of kernel modules to load.

tinc__modprobe_modules: [ 'tun' ]

Configuration for other Ansible roles


Configuration for the debops.secret Ansible role.

tinc__secret__directories: '{{ lookup("template",
                               convert_data=False) | from_yaml }}'

Configuration for the debops.etc_services Ansible role.

tinc__etc_services__dependent_list: '{{ lookup("template",
                                        convert_data=False) | from_yaml }}'

Configuration for the debops.ferm Ansible role.

tinc__ferm__dependent_rules: '{{ lookup("template",
                                 convert_data=False) | from_yaml }}'

Configuration for the debops.persistent_paths Ansible role.

Note that when the same network is deleted and then added again to tinc__combined_networks, the role might need two runs to also update the defaults file in the persistent location.

Note that bind-dirs in Qubes OS currently does not restore symlinks (only their destination), and /etc/systemd/system/ is a symlink. This works for ypid as he does not want autostart on Qubes OS AppVMs anyway. If you need it on Qubes OS, feel free to discuss and patch bind-dirs.


    by_role: 'debops.tinc'
    paths: |
      {{ [
      ] + ((ansible_local.tinc.networks.keys() | map("regex_replace", "^", "/etc/default/tinc-") | list)
           if (ansible_local.tinc.networks | d())
           else [])