Remove old roles and fix idempotency issues

roles/tinc/tasks/main.yml

@@ -1,23 +1,23 @@
 ---
-- name: install tinc
+- name: Install tinc
   apt:
     name: tinc
     state: latest
 
-- name: ensure tinc netname directory exists
+- name: Ensure tinc netname directory exists
   file:
     path: /etc/tinc/{{ netname }}/hosts
     recurse: True
     state: directory
 
-- name: create /etc/tinc/nets.boot file from template
+- name: Create /etc/tinc/nets.boot file from template
   template:
     src: nets.boot.j2
     dest: /etc/tinc/nets.boot
   notify:
     - restart tinc
 
-- name: ensure tinc.conf contains connection to all other nodes
+- name: Ensure tinc.conf contains connection to all other nodes
   template:
     src: tinc.conf.j2
     dest: /etc/tinc/{{ netname }}/tinc.conf
@@ -25,7 +25,7 @@
     - restart tinc
     - reload tinc
 
-- name: create tinc-up file
+- name: Create tinc-up file
   template:
     src: tinc-up.j2
     dest: /etc/tinc/{{ netname }}/tinc-up
@@ -33,7 +33,7 @@
   notify:
     - restart tinc
 
-- name: create tinc-down file
+- name: Create tinc-down file
   template:
     src: tinc-down.j2
     dest: /etc/tinc/{{ netname }}/tinc-down
@@ -41,10 +41,12 @@
   notify:
     - restart tinc
 
-- name: ensure tinc hosts file binds to scaleway dns address
+- name: Ensure tinc hosts file binds to scaleway dns address
   block:
-    - shell: "/usr/local/bin/scw-metadata ID"
+    - name: Gather Scaleway instance ID
+      shell: "/usr/local/bin/scw-metadata ID"
       register: scw_id
+      changed_when: no
 
     - lineinfile:
         dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
@@ -54,7 +56,7 @@
         - restart tinc
   when: tinc_ignore_scaleway_dns | default(False) | bool == False
 
-- name: ensure tinc hosts file binds to physical ip address
+- name: Ensure tinc hosts file binds to physical ip address
   lineinfile:
     dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
     line: |-
@@ -69,7 +71,7 @@
     - restart tinc
   when: tinc_ignore_scaleway_dns | default(False) | bool == True
 
-- name: ensure subnet ip address is properly set in tinc host file
+- name: Ensure subnet ip address is properly set in tinc host file
   lineinfile:
     dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
     line: "Subnet = {{ vpn_ip }}/{{ vpn_subnet_cidr_netmask }}"
@@ -78,33 +80,33 @@
     - restart tinc
 
 # in case of multimaster we need to add a subnet line
-- name: ensure that keepalived ip is properly set in tinc host file on k8s_masters
+- name: Ensure that keepalived ip is properly set in tinc host file on k8s_masters
   lineinfile:
     dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
     line: "Subnet = {{ api_floating_ip }}/{{ vpn_subnet_cidr_netmask }}"
     create: yes
   when: groups.k8s_masters | length > 1
 
-- name: check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
+- name: Check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
   command: awk '/^-----END RSA PUBLIC KEY-----$/'  /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
   changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"
   register: public_key
 
 # this is necessary because the public key will not be generated (non-interactively) if the private key already exists
-- name: delete private key and regenerate keypair if public key is absent from tinc hosts file
+- name: Delete private key and regenerate keypair if public key is absent from tinc hosts file
   file:
     path: /etc/tinc/{{ netname }}/rsa_key.priv
     state: absent
   when: public_key.changed
 
-- name: create tinc private key (and append public key to tincd hosts file)
+- name: Create tinc private key (and append public key to tincd hosts file)
   shell: tincd -n {{ netname }} -K4096
   args:
     creates: /etc/tinc/{{ netname }}/rsa_key.priv
   notify:
     - restart tinc
 
-- name: fetch tinc hosts file after key creation
+- name: Fetch tinc hosts file after key creation
   fetch:
     src: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
     dest: fetch/{{ inventory_hostname }}
@@ -112,7 +114,7 @@
   notify:
     - reload tinc
 
-- name: sync the fetched tinc hosts files on each host
+- name: Sync the fetched tinc hosts files on each host
   synchronize:
     src: fetch/
     dest: /etc/tinc/{{ netname }}/hosts/
@@ -122,13 +124,13 @@
 
 - meta: flush_handlers
 
-- name: start tinc on boot
+- name: Start tinc on boot
   systemd:
     name: tinc
     enabled: yes
     state: started
 
-- name: ensure tun0 exists
+- name: Ensure tun0 exists
   shell: "ip a s"
   register: result
   until: result.stdout.find("tun0") != -1
@@ -136,7 +138,7 @@
   delay: 10
   changed_when: False
 
-- name: add nodes to /etc/hosts (ansible_inventory resolves to vpn_ip)
+- name: Add nodes to /etc/hosts (ansible_inventory resolves to vpn_ip)
   lineinfile: dest=/etc/hosts regexp='.*{{ item }}$' line="{{ hostvars[item].vpn_ip }} {{item}}" state=present
   when: hostvars[item].vpn_ip is defined
   with_items: "{{ play_hosts }}"

roles/tinc/templates/tinc.conf.j2

@@ -2,7 +2,7 @@ Name = {{ inventory_hostname }}
 AddressFamily = ipv4
 Interface = {{ vpn_interface }}
 Mode = switch
-{% for host in play_hosts %}
+{% for host in play_hosts | sort %}
 {% if inventory_hostname != hostvars[host]['inventory_hostname'] %}
 ConnectTo = {{ hostvars[host]['inventory_hostname'] }}
 {% endif %}