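---
# Tinc VPN node setup: install tinc, render its configuration, make sure this
# node's hosts file carries an Address/Subnet and an RSA public key, exchange
# hosts files between all nodes, then start the service.
#
# Expected variables (set elsewhere in the play): netname, vpn_ip,
# vpn_subnet_cidr_netmask, scw_private_domain and the optional
# tinc_ignore_scaleway_dns switch. Handlers "restart tinc" / "reload tinc"
# are defined outside this file.

- name: Install tinc
  apt:
    name: tinc
    state: latest

- name: Ensure tinc netname directory exists
  file:
    path: /etc/tinc/{{ netname }}/hosts
    recurse: true
    state: directory

- name: Create /etc/tinc/nets.boot file from template
  template:
    src: nets.boot.j2
    dest: /etc/tinc/nets.boot
  notify:
    - restart tinc

- name: Ensure tinc.conf contains connection to all other nodes
  template:
    src: tinc.conf.j2
    dest: /etc/tinc/{{ netname }}/tinc.conf
  notify:
    - restart tinc
    - reload tinc

# tinc-up / tinc-down are executed by tincd as root; quote the octal mode so
# YAML does not turn it into a decimal integer.
- name: Create tinc-up file
  template:
    src: tinc-up.j2
    dest: /etc/tinc/{{ netname }}/tinc-up
    mode: "0755"
  notify:
    - restart tinc

- name: Create tinc-down file
  template:
    src: tinc-down.j2
    dest: /etc/tinc/{{ netname }}/tinc-down
    mode: "0755"
  notify:
    - restart tinc

# The Address line of this node's hosts file comes either from the Scaleway
# metadata service (default) or from the primary interface's IPv4 address
# when tinc_ignore_scaleway_dns is set; the two tasks below are mutually
# exclusive on the same condition.
- name: Ensure tinc hosts file binds to scaleway dns address
  block:
    # command rather than shell: no shell features are needed, and the
    # result is only used to build the Address line.
    - name: Gather Scaleway instance ID
      command: /usr/local/bin/scw-metadata ID
      register: scw_id
      changed_when: false

    - name: Set Address line from Scaleway instance ID
      lineinfile:
        dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
        line: "Address = {{ scw_id.stdout }}.{{ scw_private_domain }}"
        create: true
      notify:
        - restart tinc
  when: not (tinc_ignore_scaleway_dns | default(false) | bool)

- name: Ensure tinc hosts file binds to physical ip address
  lineinfile:
    dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
    line: "Address = {{ ansible_eth0.ipv4.address }}"
    create: true
  notify:
    - restart tinc
  when: tinc_ignore_scaleway_dns | default(false) | bool

- name: Ensure subnet ip address is properly set in tinc host file
  lineinfile:
    dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
    line: "Subnet = {{ vpn_ip }}/{{ vpn_subnet_cidr_netmask }}"
    create: true
  notify:
    - restart tinc

# The hosts file exists at this point (the lineinfile tasks above create it),
# so awk only reports whether the public-key trailer is present. A "changed"
# result here means the public key is missing and the keypair is regenerated
# below.
- name: Check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
  command: awk '/^-----END RSA PUBLIC KEY-----$/' /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
  changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"
  register: public_key

# This is necessary because the public key will not be generated
# (non-interactively) if the private key already exists. Deleting the private
# key gives this node a new identity; the other nodes pick up the new public
# key through the fetch/synchronize steps further down.
- name: Delete private key and regenerate keypair if public key is absent from tinc hosts file
  file:
    path: /etc/tinc/{{ netname }}/rsa_key.priv
    state: absent
  when: public_key.changed

# command rather than shell: netname is interpolated into the argument list
# and must not be re-parsed by a shell.
- name: Create tinc private key (and append public key to tincd hosts file)
  command: tincd -n {{ netname }} -K4096
  args:
    creates: /etc/tinc/{{ netname }}/rsa_key.priv
  notify:
    - restart tinc

- name: Fetch tinc hosts file after key creation
  fetch:
    src: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
    dest: fetch/{{ inventory_hostname }}
    flat: true
  notify:
    - reload tinc

- name: Sync the fetched tinc hosts files on each host
  synchronize:
    src: fetch/
    dest: /etc/tinc/{{ netname }}/hosts/
    use_ssh_args: true
  notify:
    - reload tinc

# Run pending restart/reload handlers now so the service check below sees
# the final configuration.
- meta: flush_handlers

- name: Start tinc on boot
  systemd:
    name: tinc@{{ netname }}
    enabled: true
    state: started

# Waits up to 200 * 10 s for the tunnel interface to appear.
- name: Ensure tun0 exists
  command: ip a s
  register: result
  until: result.stdout.find("tun0") != -1
  retries: 200
  delay: 10
  changed_when: false

# Native YAML module args instead of the key=value string form; the hostname
# is regex-escaped so dots in it only match dots.
# NOTE(review): play_hosts is the older name of ansible_play_hosts; kept as-is
# because the Ansible version in use is not visible here.
- name: Add nodes to /etc/hosts (ansible_inventory resolves to vpn_ip)
  lineinfile:
    dest: /etc/hosts
    regexp: '.*{{ item | regex_escape }}$'
    line: "{{ hostvars[item].vpn_ip }} {{ item }}"
    state: present
  when: hostvars[item].vpn_ip is defined
  with_items: "{{ play_hosts }}"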