Default variables

Network configuration

tinc__networks

List of Tinc Virtual Private Networks to configure. See tinc__networks for more details.

tinc__networks: []
tinc__default_networks

List of default networks which are created by the debops.tinc role.

tinc__default_networks: [ '{{ tinc__network_mesh0 }}' ]

The ‘mesh0’ Tinc VPN configuration

Default Tinc VPN created by the debops.tinc role. It will create a mesh network between hosts in a switch mode. One of the hosts should provide a bridge to which the tun0 interface will be connected; on that bridge you should configure DHCP and DNS server to provide interface configuration.

tinc__network_mesh0

The dictionary variable which defines the mesh0 network. See tinc__networks for more details about available options. Some of the configuration parameters are exposed in their own default variables to make simple config changes easier.

tinc__network_mesh0:
  name: 'mesh0'
  interface: '{{ tinc__interface_mesh0 }}'
  hwaddr: '{{ tinc__hwaddr_mesh0 }}'
  bridge: '{{ tinc__bridge_mesh0 }}'
  link_type: '{{ tinc__link_type_mesh0 }}'
  boot: '{{ tinc__boot_mesh0 }}'
  port: '655'
  mlock: True
  chroot: True
  allow: '{{ tinc__allow_mesh0 }}'
  user: '{{ tinc__user }}'
  tinc_exclude_addresses: '{{ tinc__exclude_addresses_mesh0 }}'
  tinc_options:
    Mode: 'switch'
    DeviceType: 'tap'
    Cipher: 'aes-256-cbc'
    Digest: 'SHA512'
    ConnectTo: '{{ tinc__connect_to_mesh0 }}'
tinc__interface_mesh0

Name of the network interface to use for the Tinc mesh0 VPN.

tinc__interface_mesh0: 'tap-mesh0'
tinc__exclude_interface_mesh0

This is a list of all of the IPv4 and IPv6 addresses which are set on the VPN interface, when it’s configured. This list gathers these IP addresses so that they can be excluded from the Tinc VPN public key files.

tinc__exclude_interface_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__interface_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4_secondaries"]|map(attribute="address")|list)
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv6"]|map(attribute="address")|list)
    if (tinc__interface_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__interface_mesh0|replace("-","_"))]["ipv6"]|d())) else [])
  }}'

Link type to set for the Tinc mesh0 VPN. If empty, debops.tinc defaults to a standalone network interface with dhclient requesting network configuration using DHCP. Possible values are:

  • static: set the Tinc interface in a “static” mode with an IP address, optionally attached to a network bridge. This should usually be done just on 1 host in the mesh to provide DHCP/DNS services.
tinc__link_type_mesh0: ''
tinc__hwaddr_mesh0

Specify the Media Access Control address of the Tinc mesh0 interface. If not specified, a randomized stable MAC address will be generated automatically. Set the MAC address value to '*' to generate a random hardware address.

tinc__hwaddr_mesh0: ''
tinc__boot_mesh0

Specify if the Tinc mesh0 network should be started at boot.

tinc__boot_mesh0: True
tinc__bridge_mesh0

Name of the bridge to connect the interface of the Tinc mesh0 VPN. This should be set on a host that provides the DHCP and DNS services for the mesh.

tinc__bridge_mesh0: ''
tinc__exclude_bridge_mesh0

This is a list of all of the IPv4 and IPv6 addresses which are set on the bridge interface, when it’s configured. This list gathers these IP addresses so that they can be excluded from the Tinc VPN public key files.

tinc__exclude_bridge_mesh0: '{{
  (([ hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]["address"] ])
    if (tinc__bridge_mesh0 and hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4"]|d()) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4_secondaries"]|map(attribute="address")|list)
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv4_secondaries"]|d())) else []) +
  ((hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv6"]|map(attribute="address")|list)
    if (tinc__bridge_mesh0 and (hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]|d() and
        hostvars[inventory_hostname]["ansible_"+(tinc__bridge_mesh0|replace("-","_"))]["ipv6"]|d())) else [])
  }}'
tinc__allow_mesh0

List of IP addresses or CIDR subnets which will be allowed to connect to the Tinc mesh0 VPN port (655) through the firewall. If this list is empty, any IP address can connect.

tinc__allow_mesh0: []
tinc__connect_to_mesh0

List of hosts specified as the ConnectTo option in the Tinc configuration file of the mesh0 network.

tinc__connect_to_mesh0: '{{ tinc__inventory_hosts_mesh0 + tinc__external_hosts_mesh0 }}'
tinc__exclude_addresses_mesh0

List of FQDN or IP addresses which should be exluded from the public key file of a given host. This list excludes the IP addresses of the mesh interface as well as the bridge interface, so that Tinc doesn’t try to connect to remote hosts over the VPN connection.

tinc__exclude_addresses_mesh0: '{{ tinc__exclude_interface_mesh0 + tinc__exclude_bridge_mesh0 }}'
tinc__inventory_hosts_mesh0

List of other hosts in the Ansible inventory that are participating in the mesh0 network besides the current one. They will be listed in the ConnectTo option. This only makes sense if specified hosts have a public IP address. If not, you might want to specify the list of hosts to connect to manually, otherwise Tinc will try and connect to the unreachable hosts all the time.

tinc__inventory_hosts_mesh0: '{{ (groups.debops_service_tinc_mesh0
                                  if groups.debops_service_tinc_mesh0|d()
                                  else []) | difference([ tinc__hostname ]) }}'
tinc__external_hosts_mesh0

List of hosts to connect to which are not in the Ansible inventory. You should provide the corresponding public key files through the directories in secret/ directory.

tinc__external_hosts_mesh0: []

APT packages

tinc__base_packages

List of APT packages to install for tinc support.

tinc__base_packages: [ 'tinc' ]
tinc__packages

List of additional APT packages to install during tinc configuration.

tinc__packages: []

Ansible inventory parameters

tinc__inventory_groups

List of Ansible inventory groups which are used by debops.tinc role to manage separate tinc networks. Each group will have corresponding directory in the secret/ store on Ansible Controller.

The default Ansible group debops_service_tinc_mesh0 specifies hosts that are participating in the mesh0 VPN.

tinc__inventory_groups: [ 'debops_service_tinc_mesh0' ]
tinc__inventory_hosts

This list defines what hosts in Ansible inventory participate in a Tinc VPN. They will have their own directories in secret/ store on Ansible Controller used to distribute public host keys.

tinc__inventory_hosts: '{{ groups.debops_service_tinc
                           if groups.debops_service_tinc|d()
                           else [] }}'
tinc__inventory_hostname

Name of this node in Ansible inventory. This variable is used during the file upload/download to have consistent mapping between directories and Ansible inventory.

tinc__inventory_hostname: '{{ inventory_hostname }}'
tinc__hostname

Name of this node used in configuration files thruought the mesh. Don’t change this unless you know what you are doing.

tinc__hostname: '{{ inventory_hostname_short }}'

Application environment

tinc__user

System user account which is used to run tincd.

tinc__user: 'tinc-vpn'
tinc__group

System group which is used to access tincd configuration files.

tinc__group: 'tinc-vpn'
tinc__home

Home directory of the tincd user.

tinc__home: '/etc/tinc'
tinc__ulimit_options

List of options passed to ulimit command before starting tincd processs. Set maximum size of address space locked into memory, in KB.

tinc__ulimit_options: '-l {{ (1024 * 64) }}'
tinc__extra_options

String with extra options to be passed to all tincd instances in the /etc/default/tinc config file

tinc__extra_options: ''
tinc__systemd

Enable support for systemd if it’s detected as the init system.

tinc__systemd: '{{ True
                   if (ansible_service_mgr|d() and
                       ansible_service_mgr == "systemd")
                   else False }}'

tinc daemon configuration

tinc__rsa_key_length

Length of the RSA private key generated on each node

tinc__rsa_key_length: '4096'
tinc__hwaddr_prefix

A stable MAC address prefix that will make sure that the randomly generated MAC address of any Tinc interface is located within a set of Locally Administered Address Ranges. https://serverfault.com/questions/40712/

tinc__hwaddr_prefix: 'de'
tinc__host_addresses

List of FQDN or IP addresses which are included in the public key file of a given host. Other hosts will use these addresses to connect to that host.

tinc__host_addresses: '{{ tinc__host_addresses_fqdn }}'
tinc__host_addresses_fqdn

Include the host FQDN if public IP addresses are available.

tinc__host_addresses_fqdn: '{{ [ ansible_fqdn ]
                               if ((ansible_all_ipv4_addresses + (ansible_all_ipv6_addresses |
                                   difference(ansible_all_ipv6_addresses | ipaddr("link-local")))
                                   ) | ipaddr("public")) else [] }}'
tinc__host_addresses_ip

Include all public and private IP addresses, without IPv6 link-local.

tinc__host_addresses_ip: '{{ ansible_all_ipv4_addresses + (ansible_all_ipv6_addresses |
                             difference(ansible_all_ipv6_addresses | ipaddr("link-local"))) }}'
tinc__exclude_host_addresses

List of FQDN host entries or IP addresses which should be excluded from the list of connection addresses in the public key file.

tinc__exclude_host_addresses: []

Kernel modules

tinc__modprobe

Load required kernel modules if they are not present, and ensure that they are loaded at boot time.

tinc__modprobe: True
tinc__modprobe_modules

List of kernel modules to load.

tinc__modprobe_modules: [ 'tun' ]

Configuration of other Ansible roles

tinc__apt_preferences__dependent_list

Configuration of debops.apt_preferences role.

tinc__apt_preferences__dependent_list:

  - package: 'tinc'
    backports: [ 'wheezy' ]
    reason:  'Backport installed on Wheezy for version parity with Debian Jessie'
    by_role: 'debops.tinc'