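---
# Tasks for one tinc network ("netname"): lay out /etc/tinc/<netname>,
# make sure this node's hosts file carries its address, subnet and public
# key, distribute all fetched hosts files to every node, then start
# tinc@<netname>. The handlers notified here ("reload tinc",
# "restart tinc") are defined elsewhere.

- name: ensure tinc netname directory exists
  file:
    path: "/etc/tinc/{{ netname }}/hosts"
    recurse: true
    state: directory

- name: ensure tinc.conf contains connection to all other nodes
  template:
    src: tinc.conf.j2
    dest: "/etc/tinc/{{ netname }}/tinc.conf"
  notify:
    - reload tinc

# tinc-up/tinc-down are installed with the execute bit set. The mode is
# quoted so YAML does not read 0755 as an integer before Ansible sees it.
- name: create tinc-up file
  template:
    src: tinc-up.j2
    dest: "/etc/tinc/{{ netname }}/tinc-up"
    mode: "0755"
  notify:
    - restart tinc

- name: create tinc-down file
  template:
    src: tinc-down.j2
    dest: "/etc/tinc/{{ netname }}/tinc-down"
    mode: "0755"
  notify:
    - restart tinc

# This node's own hosts file: physical address and VPN address.
# create: true matters on the first run, since the awk check below reads
# this file and fails if it cannot be opened.
- name: ensure tinc hosts file binds to physical ip address
  lineinfile:
    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
    line: "Address = {{ ansible_host }}"
    create: true
  notify:
    - restart tinc

- name: ensure tinc hosts file has virtual ip address
  lineinfile:
    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
    line: "Subnet = {{ vpn_ip }}/32"
    create: true
  notify:
    - restart tinc

# awk prints the END marker line when it is present and nothing otherwise,
# so "changed" here means "public key missing"; the next two tasks rely on
# that through public_key.changed.
- name: check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
  command: awk '/^-----END RSA PUBLIC KEY-----$/' "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
  register: public_key
  changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"

# tincd -K only appends the public key when it generates a new keypair, and
# it will not regenerate non-interactively while rsa_key.priv already
# exists; removing the stale private key lets the next task produce a
# matching pair.
- name: delete private key and regenerate keypair if public key is absent from tinc hosts file
  file:
    path: "/etc/tinc/{{ netname }}/rsa_key.priv"
    state: absent
  when: public_key.changed

# command instead of shell: no pipes or redirects are used, and command
# passes the arguments to tincd without a shell interpreting netname.
- name: create tinc private key (and append public key to tincd hosts file)
  command: "tincd -n {{ netname }} -K4096"
  args:
    creates: "/etc/tinc/{{ netname }}/rsa_key.priv"
  notify:
    - restart tinc

# Only the hosts file (address, subnet, public key) leaves the node; the
# private key stays in /etc/tinc/<netname>/rsa_key.priv.
- name: fetch tinc hosts file after key creation
  fetch:
    src: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
    dest: "fetch/{{ inventory_hostname }}"
    flat: true
  notify:
    - reload tinc

# Push every fetched hosts file to every node so each one knows all peers.
- name: sync the fetched tinc hosts files on each host
  synchronize:
    src: fetch/
    dest: "/etc/tinc/{{ netname }}/hosts/"
  notify:
    - reload tinc

# Apply the queued reload/restart handlers before the service is started.
- name: run handlers
  meta: flush_handlers

- name: ensure tinc is started
  systemd:
    name: "tinc@{{ netname }}"
    enabled: true
    state: started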