Default variables

Network configuration


List of Tinc Virtual Private Networks to configure. See tinc__networks for more details.

tinc__networks: []

List of default networks which are created by the debops.tinc role.

tinc__default_networks: [ '{{ tinc__network_mesh0 }}' ]

The ‘mesh0’ Tinc VPN configuration

Default Tinc VPN created by the debops.tinc role. It will create a mesh network between hosts in a switch mode. One of the hosts should provide a bridge to which the tun0 interface will be connected; on that bridge you should configure DHCP and DNS server to provide interface configuration.


The dictionary variable which defines the mesh0 network. See tinc__networks for more details about available options. Some of the configuration parameters are exposed in their own default variables to make simple config changes easier.

  name: 'mesh0'
  interface: '{{ tinc__interface_mesh0 }}'
  hwaddr: '{{ tinc__hwaddr_mesh0 }}'
  bridge: '{{ tinc__bridge_mesh0 }}'
  link_type: '{{ tinc__link_type_mesh0 }}'
  boot: '{{ tinc__boot_mesh0 }}'
  port: '655'
  mlock: True
  chroot: True
  allow: '{{ tinc__allow_mesh0 }}'
  user: '{{ tinc__user }}'
  tinc_exclude_addresses: '{{ tinc__exclude_addresses_mesh0 }}'
    Mode: 'switch'
    DeviceType: 'tap'
    Cipher: 'aes-256-cbc'
    Digest: 'SHA512'
    ConnectTo: '{{ tinc__connect_to_mesh0 }}'

Name of the network interface to use for the Tinc mesh0 VPN.

tinc__interface_mesh0: 'tap-mesh0'

This is a list of all of the IPv4 and IPv6 addresses which are set on the VPN interface, when it’s configured. This list gathers these IP addresses so that they can be excluded from the Tinc VPN public key files.

tinc__exclude_interface_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__interface_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv6"]|d())) else [])

Link type to set for the Tinc mesh0 VPN. If empty, debops.tinc defaults to a standalone network interface with dhclient requesting network configuration using DHCP. Possible values are:

  • static: set the Tinc interface in a “static” mode with an IP address, optionally attached to a network bridge. This should usually be done just on 1 host in the mesh to provide DHCP/DNS services.
tinc__link_type_mesh0: ''

Specify the Media Access Control address of the Tinc mesh0 interface. If not specified, a randomized stable MAC address will be generated automatically. Set the MAC address value to '*' to generate a random hardware address.

tinc__hwaddr_mesh0: ''

Specify if the Tinc mesh0 network should be started at boot.

tinc__boot_mesh0: True

Name of the bridge to connect the interface of the Tinc mesh0 VPN. This should be set on a host that provides the DHCP and DNS services for the mesh.

tinc__bridge_mesh0: ''

This is a list of all of the IPv4 and IPv6 addresses which are set on the bridge interface, when it’s configured. This list gathers these IP addresses so that they can be excluded from the Tinc VPN public key files.

tinc__exclude_bridge_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__bridge_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv6"]|d())) else [])

List of IP addresses or CIDR subnets which will be allowed to connect to the Tinc mesh0 VPN port (655) through the firewall. If this list is empty, any IP address can connect.

tinc__allow_mesh0: []

List of hosts specified as the ConnectTo option in the Tinc configuration file of the mesh0 network.

tinc__connect_to_mesh0: '{{ tinc__inventory_hosts_mesh0 + tinc__external_hosts_mesh0 }}'

List of FQDN or IP addresses which should be exluded from the public key file of a given host. This list excludes the IP addresses of the mesh interface as well as the bridge interface, so that Tinc doesn’t try to connect to remote hosts over the VPN connection.

tinc__exclude_addresses_mesh0: '{{ tinc__exclude_interface_mesh0 + tinc__exclude_bridge_mesh0 }}'

List of other hosts in the Ansible inventory that are participating in the mesh0 network besides the current one. They will be listed in the ConnectTo option. This only makes sense if specified hosts have a public IP address. If not, you might want to specify the list of hosts to connect to manually, otherwise Tinc will try and connect to the unreachable hosts all the time.

tinc__inventory_hosts_mesh0: '{{ (groups.debops_service_tinc_mesh0
                                  if groups.debops_service_tinc_mesh0|d()
                                  else []) | difference([ tinc__hostname ]) }}'

List of hosts to connect to which are not in the Ansible inventory. You should provide the corresponding public key files through the directories in secret/ directory.

tinc__external_hosts_mesh0: []

APT packages


List of APT packages to install for tinc support.

tinc__base_packages: [ 'tinc' ]

List of additional APT packages to install during tinc configuration.

tinc__packages: []

Ansible inventory parameters


List of Ansible inventory groups which are used by debops.tinc role to manage separate tinc networks. Each group will have corresponding directory in the secret/ store on Ansible Controller.

The default Ansible group debops_service_tinc_mesh0 specifies hosts that are participating in the mesh0 VPN.

tinc__inventory_groups: [ 'debops_service_tinc_mesh0' ]

This list defines what hosts in Ansible inventory participate in a Tinc VPN. They will have their own directories in secret/ store on Ansible Controller used to distribute public host keys.

tinc__inventory_hosts: '{{ groups.debops_service_tinc
                           if groups.debops_service_tinc|d()
                           else [] }}'

Name of this node in Ansible inventory. This variable is used during the file upload/download to have consistent mapping between directories and Ansible inventory.

tinc__inventory_hostname: '{{ inventory_hostname }}'

Name of this node used in configuration files thruought the mesh. Don’t change this unless you know what you are doing.

tinc__hostname: '{{ inventory_hostname_short }}'

Application environment


System user account which is used to run tincd.

tinc__user: 'tinc-vpn'

System group which is used to access tincd configuration files.

tinc__group: 'tinc-vpn'

Home directory of the tincd user.

tinc__home: '/etc/tinc'

List of options passed to ulimit command before starting tincd processs. Set maximum size of address space locked into memory, in KB.

tinc__ulimit_options: '-l {{ (1024 * 64) }}'

String with extra options to be passed to all tincd instances in the /etc/default/tinc config file

tinc__extra_options: ''

Enable support for systemd if it’s detected as the init system.

tinc__systemd: '{{ True
                   if (ansible_service_mgr|d() and
                       ansible_service_mgr == "systemd")
                   else False }}'

tinc daemon configuration


Length of the RSA private key generated on each node

tinc__rsa_key_length: '4096'

A stable MAC address prefix that will make sure that the randomly generated MAC address of any Tinc interface is located within a set of Locally Administered Address Ranges.

tinc__hwaddr_prefix: 'de'

List of FQDN or IP addresses which are included in the public key file of a given host. Other hosts will use these addresses to connect to that host.

tinc__host_addresses: '{{ tinc__host_addresses_fqdn }}'

Include the host FQDN if public IP addresses are available.

tinc__host_addresses_fqdn: '{{ [ ansible_fqdn ]
                               if ((ansible_all_ipv4_addresses + (ansible_all_ipv6_addresses |
                                   difference(ansible_all_ipv6_addresses | ipaddr("link-local")))
                                   ) | ipaddr("public")) else [] }}'

Include all public and private IP addresses, without IPv6 link-local.

tinc__host_addresses_ip: '{{ ansible_all_ipv4_addresses + (ansible_all_ipv6_addresses |
                             difference(ansible_all_ipv6_addresses | ipaddr("link-local"))) }}'

List of FQDN host entries or IP addresses which should be excluded from the list of connection addresses in the public key file.

tinc__exclude_host_addresses: []

Kernel modules


Load required kernel modules if they are not present, and ensure that they are loaded at boot time.

tinc__modprobe: True

List of kernel modules to load.

tinc__modprobe_modules: [ 'tun' ]

Configuration of other Ansible roles


Configuration of debops.apt_preferences role.


  - package: 'tinc'
    backports: [ 'wheezy' ]
    reason:  'Backport installed on Wheezy for version parity with Debian Jessie'
    by_role: 'debops.tinc'