Initial commit

README.md

@@ -0,0 +1,6 @@
+# Ansible tinc role
+
+Based on https://github.com/thisismitch/ansible-tinc
+
+TODO: documentation
+

handlers/main.yml

@@ -0,0 +1,12 @@
+---
+
+- name: restart tinc
+  systemd:
+    name: "tinc@{{ netname }}"
+    state: restarted
+    enabled: true
+
+- name: reload tinc
+  service:
+    name: "tinc@{{ netname }}"
+    state: reloaded

tasks/main.yml

@@ -0,0 +1,89 @@
+---
+
+- name: ensure tinc netname directory exists
+  file:
+    path: "/etc/tinc/{{ netname }}/hosts"
+    recurse: True
+    state: directory
+
+- name: ensure tinc.conf contains connection to all other nodes
+  template:
+    src: tinc.conf.j2
+    dest: "/etc/tinc/{{ netname }}/tinc.conf"
+  notify:
+    - reload tinc
+
+- name: create tinc-up file
+  template:
+    src: tinc-up.j2
+    dest: "/etc/tinc/{{ netname }}/tinc-up"
+    mode: 0755
+  notify:
+    - restart tinc
+
+- name: create tinc-down file
+  template:
+    src: tinc-down.j2
+    dest: "/etc/tinc/{{ netname }}/tinc-down"
+    mode: 0755
+  notify:
+    - restart tinc
+
+- name: ensure tinc hosts file binds to physical ip address
+  lineinfile:
+    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
+    line: "Address = {{ ansible_host }}"
+    create: yes
+  notify:
+    - restart tinc
+
+- name: ensure tinc hosts file has virtual ip address
+  lineinfile:
+    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
+    line: "Subnet = {{ vpn_ip }}/32"
+    create: yes
+  notify:
+    - restart tinc
+
+- name: check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
+  command: awk '/^-----END RSA PUBLIC KEY-----$/'  "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
+  changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"
+  register: public_key
+
+# this is necessary because the public key will not be generated (non-interactively) if the private key already exists
+- name: delete private key and regenerate keypair if public key is absent from tinc hosts file
+  file:
+    path: /etc/tinc/{{ netname }}/rsa_key.priv
+    state: absent
+  when: public_key.changed
+
+- name: create tinc private key (and append public key to tincd hosts file)
+  shell: tincd -n {{ netname }} -K4096
+  args:
+    creates: /etc/tinc/{{ netname }}/rsa_key.priv
+  notify:
+    - restart tinc
+
+- name: fetch tinc hosts file after key creation
+  fetch:
+    src: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+    dest: fetch/{{ inventory_hostname }}
+    flat: yes
+  notify:
+    - reload tinc
+
+- name: sync the fetched tinc hosts files on each host
+  synchronize:
+    src: fetch/
+    dest: /etc/tinc/{{ netname }}/hosts/
+  notify:
+    - reload tinc
+
+- name: run handlers
+  meta: flush_handlers
+
+- name: ensure tinc is started
+  systemd:
+    name: "tinc@{{ netname }}"
+    enabled: true
+    state: started

templates/nets.boot.j2

@@ -0,0 +1 @@
+{{ netname }}

templates/tinc-down.j2

@@ -0,0 +1,4 @@
+#!/bin/sh
+ip route del {{ net_addr }}/{{ net_cidr }} dev $INTERFACE
+ip addr del {{ vpn_ip }}/32 dev $INTERFACE
+ip link set $INTERFACE down

templates/tinc-up.j2

@@ -0,0 +1,4 @@
+#!/bin/sh
+ip link set $INTERFACE up
+ip addr add {{ vpn_ip }}/32 dev $INTERFACE
+ip route add {{ net_addr }}/{{ net_cidr }} dev $INTERFACE

templates/tinc.conf.j2

@@ -0,0 +1,3 @@
+Name = {{ inventory_hostname }}
+Device = /dev/net/tun
+ConnectTo = {{ TO PARAMETRIZE }}

templates/tinc.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=tinc vpn
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/tincd -n {{ netname }}
+ExecReload=/usr/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target