self-hosting/roles/tinc/tasks/main.yml

---
- name: Install tinc
  # `state: latest` upgrades the package on every run instead of pinning a
  # version: the daemon stays patched, but a run may change the installed build
  # (and restart the service) without any inventory change.
  apt:
    state: latest
    name: tinc
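- name: Ensure tinc netname directory exists
  # Creates /etc/tinc/<netname>/hosts (state=directory also creates the missing
  # parent). The original `recurse: true` was a no-op because no attribute was
  # given to propagate; the mode is now pinned so the host-file directory
  # (public keys only) is readable by the daemon but not writable by others.
  file:
    path: /etc/tinc/{{ netname }}/hosts
    state: directory
    mode: "0755"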
- name: Create /etc/tinc/nets.boot file from template
  # Lists the networks tincd starts at boot; rendered from nets.boot.j2.
  template:
    dest: /etc/tinc/nets.boot
    src: nets.boot.j2
  notify: restart tinc
- name: Ensure tinc.conf contains connection to all other nodes
  # Rendered from tinc.conf.j2 (not visible here). Both handlers are queued so
  # the daemon picks up changed peer configuration.
  template:
    dest: /etc/tinc/{{ netname }}/tinc.conf
    src: tinc.conf.j2
  notify:
    - restart tinc
    - reload tinc
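- name: Create tinc-up file
  # Hook script tincd runs (as root) when the network comes up, so it must be
  # executable and writable only by root. The mode is quoted: an unquoted 0755
  # is parsed by YAML 1.1 as the integer 493, which only works because that
  # happens to equal 0o755 — a value like 755 would silently become a
  # different mode.
  template:
    src: tinc-up.j2
    dest: /etc/tinc/{{ netname }}/tinc-up
    owner: root
    group: root
    mode: "0755"
  notify:
    - restart tinc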
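- name: Create tinc-down file
  # Hook script tincd runs (as root) when the network goes down; executable,
  # root-owned, not group/world-writable. Mode quoted to avoid the YAML-octal
  # trap (see tinc-up above for the details).
  template:
    src: tinc-down.j2
    dest: /etc/tinc/{{ netname }}/tinc-down
    owner: root
    group: root
    mode: "0755"
  notify:
    - restart tinc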
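- name: Ensure tinc hosts file binds to scaleway dns address
  # Default path: advertise this node to its peers under its Scaleway private
  # DNS name (<instance-id>.<scw_private_domain>) rather than a raw IP.
  # Skipped entirely when tinc_ignore_scaleway_dns is set (see the next task).
  block:
    - name: Gather Scaleway instance ID
      # No shell features are needed, so `command` avoids an unnecessary shell.
      # The output is interpolated verbatim into tinc's host file, so an empty
      # or multi-line answer (which would yield a bogus "Address = .<domain>"
      # line) is treated as a failure rather than written out.
      command: /usr/local/bin/scw-metadata ID
      register: scw_id
      changed_when: false
      failed_when: scw_id.rc != 0 or scw_id.stdout_lines | length != 1

    - name: Set the Address line in the tinc hosts file
      # `regexp` makes this idempotent against a changed ID/domain and against
      # switching to the physical-IP task below: the existing Address line is
      # replaced instead of a stale one accumulating next to it (tinc would
      # keep trying the old address as well).
      lineinfile:
        path: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
        regexp: '^Address = '
        line: "Address = {{ scw_id.stdout }}.{{ scw_private_domain }}"
        create: true
      notify:
        - restart tinc
  when: not (tinc_ignore_scaleway_dns | default(false) | bool)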
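- name: Ensure tinc hosts file binds to physical ip address
  # Opt-in alternative to the Scaleway DNS name: advertise eth0's address
  # directly. The interface name is hard-coded, so a host whose primary
  # interface is not eth0 fails here on an undefined fact
  # (ansible_default_ipv4.address would be the portable choice — confirm it is
  # the intended interface before switching).
  # `regexp` replaces any existing Address line (including one written by the
  # Scaleway task when the flag is flipped) instead of appending a duplicate.
  lineinfile:
    path: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
    regexp: '^Address = '
    line: "Address = {{ ansible_eth0.ipv4.address }}"
    create: true
  notify:
    - restart tinc
  when: tinc_ignore_scaleway_dns | default(false) | bool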
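- name: Ensure subnet ip address is properly set in tinc host file
  # This role owns the single Subnet line of the host file. Without `regexp` a
  # changed vpn_ip appends a second Subnet line and the node keeps announcing
  # a subnet it no longer owns (conflicting with whichever node now has it);
  # with it the existing line is replaced.
  lineinfile:
    path: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
    regexp: '^Subnet = '
    line: "Subnet = {{ vpn_ip }}/{{ vpn_subnet_cidr_netmask }}"
    create: true
  notify:
    - restart tinc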
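- name: Check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
  # grep exit status: 0 = marker present, 1 = absent, 2 = file unreadable.
  # Only "absent" is reported as changed (the next task keys off
  # public_key.changed); an unreadable file is a genuine failure. The previous
  # awk/string comparison also flagged a file with two END markers as "absent",
  # which would have needlessly destroyed the private key.
  command: grep -Fxq -- '-----END RSA PUBLIC KEY-----' /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
  register: public_key
  changed_when: public_key.rc == 1
  failed_when: public_key.rc > 1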
# tincd -K does not write the public key into the hosts file (non-interactively)
# when a private key already exists, so a hosts file that has lost its
# public-key section can only be repaired by discarding the private key and
# generating a fresh pair.
# NOTE(review): this rotates the node's identity — peers must receive the new
# hosts file (the fetch/synchronize block below does that for the hosts in this
# play) or the node can no longer authenticate to the mesh.
- name: Delete private key and regenerate keypair if public key is absent from tinc hosts file
  file:
    state: absent
    path: /etc/tinc/{{ netname }}/rsa_key.priv
  when: public_key.changed | bool
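- name: Create tinc private key (and append public key to tincd hosts file)
  # `creates` makes this a no-op while rsa_key.priv exists; the previous task
  # removes it when the public half is missing. No shell features are used.
  command: tincd -n {{ netname }} -K4096
  args:
    creates: /etc/tinc/{{ netname }}/rsa_key.priv
  notify:
    - restart tinc

- name: Restrict permissions on the tinc private key
  # tincd is expected to create rsa_key.priv unreadable to others, but this
  # role did not enforce it; the key is the node's identity, so pin it to
  # root-only access regardless of how it was created.
  file:
    path: /etc/tinc/{{ netname }}/rsa_key.priv
    owner: root
    group: root
    mode: "0600"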
- block:
    - name: Fetch tinc hosts file after key creation
      # Collects every host's public host file onto the controller so the mesh
      # can be distributed in the next task. Only hosts in this play are
      # fetched: running with --limit leaves the others out of the sync, and
      # because synchronize is not given `delete`, host files (i.e. still
      # trusted public keys) of decommissioned nodes are never removed by this
      # role — prune them by hand.
      fetch:
        flat: true
        src: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
        dest: fetch/{{ inventory_hostname }}
      changed_when: false

    - name: Sync the fetched tinc hosts files on each host
      synchronize:
        use_ssh_args: true
        src: fetch/
        dest: /etc/tinc/{{ netname }}/hosts/
      notify: reload tinc
  always:
    - name: Remove fetched files
      # The staging directory only holds public keys, but it is removed from
      # the controller regardless of how the block ended.
      file:
        path: fetch
        state: absent
      delegate_to: localhost
      run_once: true
      changed_when: false
# Run the queued restart/reload handlers now so the unit below is started
# against the final configuration rather than at the end of the play.
- meta: flush_handlers

- name: Start tinc on boot
  systemd:
    state: started
    enabled: true
    name: tinc@{{ netname }}
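- name: Ensure tun0 exists
  # Polls the interface list until something named tun0 appears, up to
  # 200 x 10 s (about 33 minutes) before failing. The name is assumed to be
  # what tinc-up.j2 configures — TODO confirm; note the substring test would
  # also accept e.g. tun01. `command` replaces `shell`: no shell features used.
  command: ip a s
  register: result
  until: "'tun0' in result.stdout"
  retries: 200
  delay: 10
  changed_when: false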
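- name: Add nodes to /etc/hosts (ansible_inventory resolves to vpn_ip)
  # One "<vpn_ip> <inventory name>" line per play host that defines vpn_ip.
  # The regexp requires the name to be a whitespace-separated field, so a line
  # such as "127.0.1.1 node1" is replaced but "... mynode1" is not; the old
  # pattern ".*{{ item }}$" matched any line merely ending in the name and
  # could clobber an unrelated entry. Hostname characters are not regex-escaped
  # here (the regex_escape filter needs Ansible 2.8+ — use it if available).
  lineinfile:
    path: /etc/hosts
    regexp: '^\S+\s+(\S+\s+)*{{ item }}$'
    line: "{{ hostvars[item].vpn_ip }} {{ item }}"
    state: present
  when: hostvars[item].vpn_ip is defined
  loop: "{{ play_hosts }}"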