Tinc setup

roles/tinc/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+api_floating_ip: 192.168.66.253
+netname: meshvpn
+scw_private_domain: priv.cloud.scaleway.com
+tinc_primary_router: proxy0
+tinc_route_default_ip: 192.168.66.1
+tinc_route_get_ip: 169.254.42.42
+vpn_interface: tun0
+vpn_netmask: 255.255.255.0
+vpn_subnet_cidr_netmask: 32

roles/tinc/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: restart tinc
+  systemd:
+    name: "{{ item }}"
+    state: restarted
+  with_items:
+    - tinc
+
+- name: reload tinc
+  systemd:
+    name: "{{ item }}"
+    state: reloaded
+  with_items:
+    - tinc

roles/tinc/tasks/main.yml

@@ -0,0 +1,142 @@
+---
+- name: install tinc
+  apt:
+    name: tinc
+    state: latest
+
+- name: ensure tinc netname directory exists
+  file:
+    path: /etc/tinc/{{ netname }}/hosts
+    recurse: True
+    state: directory
+
+- name: create /etc/tinc/nets.boot file from template
+  template:
+    src: nets.boot.j2
+    dest: /etc/tinc/nets.boot
+  notify:
+    - restart tinc
+
+- name: ensure tinc.conf contains connection to all other nodes
+  template:
+    src: tinc.conf.j2
+    dest: /etc/tinc/{{ netname }}/tinc.conf
+  notify:
+    - restart tinc
+    - reload tinc
+
+- name: create tinc-up file
+  template:
+    src: tinc-up.j2
+    dest: /etc/tinc/{{ netname }}/tinc-up
+    mode: 0755
+  notify:
+    - restart tinc
+
+- name: create tinc-down file
+  template:
+    src: tinc-down.j2
+    dest: /etc/tinc/{{ netname }}/tinc-down
+    mode: 0755
+  notify:
+    - restart tinc
+
+- name: ensure tinc hosts file binds to scaleway dns address
+  block:
+    - shell: "/usr/local/bin/scw-metadata ID"
+      register: scw_id
+
+    - lineinfile:
+        dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+        line: "Address = {{ scw_id.stdout }}.{{ scw_private_domain }}"
+        create: yes
+      notify:
+        - restart tinc
+  when: tinc_ignore_scaleway_dns | default(False) | bool == False
+
+- name: ensure tinc hosts file binds to physical ip address
+  lineinfile:
+    dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+    line: |-
+      {%- if "k8s_proxy" in group_names -%}
+        {%- set interface = 'ansible_' + tinc_private_interface | default('eth0') -%}
+        Address = {{ vars[interface].ipv4.address }}
+      {%- else -%}
+        Address = {{ ansible_eth0.ipv4.address }}
+      {%- endif -%}
+    create: yes
+  notify:
+    - restart tinc
+  when: tinc_ignore_scaleway_dns | default(False) | bool == True
+
+- name: ensure subnet ip address is properly set in tinc host file
+  lineinfile:
+    dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+    line: "Subnet = {{ vpn_ip }}/{{ vpn_subnet_cidr_netmask }}"
+    create: yes
+  notify:
+    - restart tinc
+
+# in case of multimaster we need to add a subnet line
+- name: ensure that keepalived ip is properly set in tinc host file on k8s_masters
+  lineinfile:
+    dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+    line: "Subnet = {{ api_floating_ip }}/{{ vpn_subnet_cidr_netmask }}"
+    create: yes
+  when: groups.k8s_masters | length > 1
+
+- name: check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
+  command: awk '/^-----END RSA PUBLIC KEY-----$/'  /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+  changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"
+  register: public_key
+
+# this is necessary because the public key will not be generated (non-interactively) if the private key already exists
+- name: delete private key and regenerate keypair if public key is absent from tinc hosts file
+  file:
+    path: /etc/tinc/{{ netname }}/rsa_key.priv
+    state: absent
+  when: public_key.changed
+
+- name: create tinc private key (and append public key to tincd hosts file)
+  shell: tincd -n {{ netname }} -K4096
+  args:
+    creates: /etc/tinc/{{ netname }}/rsa_key.priv
+  notify:
+    - restart tinc
+
+- name: fetch tinc hosts file after key creation
+  fetch:
+    src: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
+    dest: fetch/{{ inventory_hostname }}
+    flat: yes
+  notify:
+    - reload tinc
+
+- name: sync the fetched tinc hosts files on each host
+  synchronize:
+    src: fetch/
+    dest: /etc/tinc/{{ netname }}/hosts/
+    use_ssh_args: yes
+  notify:
+    - reload tinc
+
+- meta: flush_handlers
+
+- name: start tinc on boot
+  systemd:
+    name: tinc
+    enabled: yes
+    state: started
+
+- name: ensure tun0 exists
+  shell: "ip a s"
+  register: result
+  until: result.stdout.find("tun0") != -1
+  retries: 200
+  delay: 10
+  changed_when: False
+
+- name: add nodes to /etc/hosts (ansible_inventory resolves to vpn_ip)
+  lineinfile: dest=/etc/hosts regexp='.*{{ item }}$' line="{{ hostvars[item].vpn_ip }} {{item}}" state=present
+  when: hostvars[item].vpn_ip is defined
+  with_items: "{{ play_hosts }}"

roles/tinc/templates/nets.boot.j2

@@ -0,0 +1 @@
+{{ netname }}

roles/tinc/templates/tinc-down.j2

@@ -0,0 +1,2 @@
+#!/bin/sh
+ifconfig {{ vpn_interface }} down

roles/tinc/templates/tinc-up.j2

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+ifconfig {{ vpn_interface }} {{ vpn_ip }} netmask {{ vpn_netmask }}
+
+{% if inventory_hostname != tinc_primary_router %}
+ROUTE_GET_IP={{ tinc_route_get_ip }}
+INTERFACE=$(ip route get $ROUTE_GET_IP | head -n1 | sed -E 's/.+ dev ([^ ]+).+/\1/')
+GATEWAY=$(ip route | awk '$3 == "'$INTERFACE'" { print $1 }' | cut -d'/' -f1)
+
+ip route add 10.0.0.0/8 via $GATEWAY dev $INTERFACE
+ip route add 169.254.0.0/16 via $GATEWAY dev $INTERFACE
+ip route add 172.16.0.0/12 via $GATEWAY dev $INTERFACE
+ip route add 192.168.0.0/16 via $GATEWAY dev $INTERFACE
+
+ip route replace default via {{ tinc_route_default_ip }}
+{% endif %}

roles/tinc/templates/tinc.conf.j2

@@ -0,0 +1,10 @@
+Name = {{ inventory_hostname }}
+AddressFamily = ipv4
+Interface = {{ vpn_interface }}
+Mode = switch
+{% for host in play_hosts %}
+{% if inventory_hostname != hostvars[host]['inventory_hostname'] %}
+ConnectTo = {{ hostvars[host]['inventory_hostname'] }}
+{% endif %}
+{% endfor %}
+