From 09a23d90f39f4d00da24dd24bc496c4b231b1b10 Mon Sep 17 00:00:00 2001
From: mathieui
Date: Mon, 4 Jan 2021 22:35:43 +0100
Subject: [PATCH] Initial commit

---
 README.md | 6 +++
 handlers/main.yml | 12 ++++++
 tasks/main.yml | 89 +++++++++++++++++++++++++++++++++++++++
 templates/nets.boot.j2 | 1 +
 templates/tinc-down.j2 | 4 ++
 templates/tinc-up.j2 | 4 ++
 templates/tinc.conf.j2 | 3 ++
 templates/tinc.service.j2 | 11 +++++
 8 files changed, 130 insertions(+)
 create mode 100644 README.md
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/nets.boot.j2
 create mode 100644 templates/tinc-down.j2
 create mode 100644 templates/tinc-up.j2
 create mode 100644 templates/tinc.conf.j2
 create mode 100644 templates/tinc.service.j2

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3087734
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# Ansible tinc role
+
+Based on https://github.com/thisismitch/ansible-tinc
+
+TODO: documentation
+
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b277879
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+
+- name: restart tinc
+  systemd:
+    name: "tinc@{{ netname }}"
+    state: restarted
+    enabled: true
+
+- name: reload tinc
+  service:
+    name: "tinc@{{ netname }}"
+    state: reloaded
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..d005b4a
--- /dev/null
+++ b/tasks/main.yml
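Review bot: The two handlers manage the same unit through different modules — `restart tinc` via `systemd`, `reload tinc` via `service` — so one goes through the generic wrapper and the other does not; use `systemd:` with `state: reloaded` for the second handler as well. `enabled: true` inside a restart handler is a side effect a reader does not expect from a notify, and the `ensure tinc is started` task in tasks/main.yml already enables the unit, so the handler can drop it. Both handlers assume a `tinc@.service` instance unit exists on the host; nothing in this commit installs one, since the bundled templates/tinc.service.j2 defines a non-instanced `tinc.service` and is not referenced by any task.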
@@ -0,0 +1,89 @@
+---
+
+- name: ensure tinc netname directory exists
+  file:
+    path: "/etc/tinc/{{ netname }}/hosts"
+    recurse: True
+    state: directory
+
+- name: ensure tinc.conf contains connection to all other nodes
+  template:
+    src: tinc.conf.j2
+    dest: "/etc/tinc/{{ netname }}/tinc.conf"
+  notify:
+    - reload tinc
+
+- name: create tinc-up file
+  template:
+    src: tinc-up.j2
+    dest: "/etc/tinc/{{ netname }}/tinc-up"
+    mode: 0755
+  notify:
+    - restart tinc
+
+- name: create tinc-down file
+  template:
+    src: tinc-down.j2
+    dest: "/etc/tinc/{{ netname }}/tinc-down"
+    mode: 0755
+  notify:
+    - restart tinc
+
+- name: ensure tinc hosts file binds to physical ip address
+  lineinfile:
+    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
+    line: "Address = {{ ansible_host }}"
+    create: yes
+  notify:
+    - restart tinc
+
+- name: ensure tinc hosts file has virtual ip address
+  lineinfile:
+    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
+    line: "Subnet = {{ vpn_ip }}/32"
+    create: yes
+  notify:
+    - restart tinc
+
+- name: check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
+  command: awk '/^-----END RSA PUBLIC KEY-----$/' "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
+  changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"
+  register: public_key
+
+# this is necessary because the public key will not be generated (non-interactively) if the private key already exists
+- name: delete private key and regenerate keypair if public key is absent from tinc hosts file
+  file:
+    path: /etc/tinc/{{ netname }}/rsa_key.priv
+    state: absent
+  when: public_key.changed
+
+- name: create tinc private key (and append public key to tincd hosts file)
+  shell: tincd -n {{ netname }} -K4096
+  args:
+    creates: /etc/tinc/{{ netname }}/rsa_key.priv
+  notify:
+    - restart tinc
+
+- name: fetch tinc hosts file after key creation
+  fetch:
+    src: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+    dest: fetch/{{ inventory_hostname }}
+    flat: yes
+  notify:
+    - reload tinc
+
+- name: sync the fetched tinc hosts files on each host
+  synchronize:
+    src: fetch/
+    dest: /etc/tinc/{{ netname }}/hosts/
+  notify:
+    - reload tinc
+
+- name: run handlers
+  meta: flush_handlers
+
+- name: ensure tinc is started
+  systemd:
+    name: "tinc@{{ netname }}"
+    enabled: true
+    state: started
diff --git a/templates/nets.boot.j2 b/templates/nets.boot.j2
new file mode 100644
index 0000000..bba075b
--- /dev/null
+++ b/templates/nets.boot.j2
@@ -0,0 +1 @@
+{{ netname }}
diff --git a/templates/tinc-down.j2 b/templates/tinc-down.j2
new file mode 100644
index 0000000..88d8e4b
--- /dev/null
+++ b/templates/tinc-down.j2
@@ -0,0 +1,4 @@
+#!/bin/sh
+ip route del {{ net_addr }}/{{ net_cidr }} dev $INTERFACE
+ip addr del {{ vpn_ip }}/32 dev $INTERFACE
+ip link set $INTERFACE down
diff --git a/templates/tinc-up.j2 b/templates/tinc-up.j2
new file mode 100644
index 0000000..1a10b28
--- /dev/null
+++ b/templates/tinc-up.j2
@@ -0,0 +1,4 @@
+#!/bin/sh
+ip link set $INTERFACE up
+ip addr add {{ vpn_ip }}/32 dev $INTERFACE
+ip route add {{ net_addr }}/{{ net_cidr }} dev $INTERFACE
diff --git a/templates/tinc.conf.j2 b/templates/tinc.conf.j2
new file mode 100644
index 0000000..25de566
--- /dev/null
+++ b/templates/tinc.conf.j2
@@ -0,0 +1,3 @@
+Name = {{ inventory_hostname }}
+Device = /dev/net/tun
+ConnectTo = {{ TO PARAMETRIZE }}
diff --git a/templates/tinc.service.j2 b/templates/tinc.service.j2
new file mode 100644
index 0000000..c92b89e
--- /dev/null
+++ b/templates/tinc.service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=tinc vpn
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/tincd -n {{ netname }}
+ExecReload=/usr/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
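Review bot: `shell: tincd -n {{ netname }} -K4096` (the `create tinc private key` task) interpolates `netname` into a shell command line unquoted, and nothing in this role declares or validates `netname` (the diffstat has no defaults/main.yml), so any shell metacharacter in that variable is interpreted by the shell; no shell is needed here, so I would use the argv form: `command:` / `  argv: ["tincd", "-n", "{{ netname }}", "-K4096"]` / `  creates: "/etc/tinc/{{ netname }}/rsa_key.priv"`. Since `netname` also lands in filesystem paths and the systemd unit name, an `assert` at the top of the file that it matches a conservative pattern such as `^[A-Za-z0-9_]+$` would reject bad input before anything is written. Separately, `mode: 0755` on the tinc-up and tinc-down tasks is an unquoted octal literal — write `mode: "0755"` — and `recurse: True` / `create: yes` / `flat: yes` should be `true` for consistency with the `enabled: true` used at the end of the file. The `delete private key` task also rotates this host's private key whenever the END-marker line is missing from its hosts file, so any manual edit or truncation of that file silently produces a new keypair; that deserves a comment above the task, e.g. `# WARNING: a hosts file without the END marker triggers a new keypair for this node`.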
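Review bot: templates/nets.boot.j2 is not referenced by any task in tasks/main.yml, and the same holds for templates/tinc.service.j2, so neither file is ever deployed by this role; either add `template` tasks for them or drop them from the commit. As far as I know `/etc/tinc/nets.boot` is read by the non-instanced init script on Debian-style packages, whereas the tasks and handlers here manage the `tinc@{{ netname }}` instance unit, so if the instance unit is the intended path this file is dead weight. If it is kept, a sentence in the README naming which service mechanism the role targets would remove the ambiguity.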
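Review bot: `net_addr`, `net_cidr` and `vpn_ip` are required by this script and by templates/tinc-up.j2, but the role ships no defaults/main.yml and the README still says `TODO: documentation`, so a missing variable fails only at template render time with no hint of what the caller must supply. Document the expected inputs in the README (or add a defaults/main.yml with commented placeholders), and since `$INTERFACE` is, as I understand it, exported by tincd when it runs these scripts, a header comment such as `# invoked by tincd; INTERFACE is the VPN device name` would help a reader of both templates. The same applies to tinc-up.j2.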
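Review bot: `ConnectTo = {{ TO PARAMETRIZE }}` is not valid Jinja (two bare names inside one expression), so the `ensure tinc.conf contains connection to all other nodes` task fails at render time on every run and the role cannot currently complete. The task name implies one `ConnectTo` per other node; a loop over the play's hosts does that without a new variable: `{% for host in ansible_play_hosts if host != inventory_hostname %}` / `ConnectTo = {{ host }}` / `{% endfor %}`. As far as I recall tinc only accepts `[A-Za-z0-9_]` in `Name` (and the matching hosts/ file name), so an inventory hostname containing `-` or `.` will be rejected by tincd; normalising it once (e.g. `{{ inventory_hostname | replace('-', '_') | replace('.', '_') }}`) here and in the hosts-file paths in tasks/main.yml avoids that.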
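Review bot: This unit is named `tinc.service` (no `@` template name) and hard-codes one `netname` in `ExecStart`, while the handlers and the `ensure tinc is started` task manage `tinc@{{ netname }}`; even if a task deployed it, it would not back that unit name. Either rely on the distribution's `tinc@.service` and drop this file, or ship it as `tinc@.service` with `ExecStart=/usr/sbin/tincd -n %i` so the instance name selects the network. If it stays `Type=forking`, a `PIDFile=` pointing at the pid file tincd writes (path to be confirmed for the target distribution) makes `$MAINPID` in `ExecReload` reliable rather than guessed.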