ansible-tinc's Introduction

DebOps

Your Debian-based data center in a box

The DebOps project provides a set of general-purpose Ansible roles that can be used to manage Debian or Ubuntu hosts. In addition, a default set of Ansible playbooks can be used to apply the provided roles in a controlled way, using Ansible inventory groups.

The roles are written with a high degree of customization in mind, which is done through the Ansible inventory. This way the role and playbook code can be shared between multiple environments, each with its own configuration.

Services can be managed on a single host, or spread between multiple hosts. DebOps provides support for different SQL and NoSQL databases, web servers, programming languages and specialized applications useful in a data center environment or in a cluster. The project can also be used to deploy virtualization environments using KVM/libvirt, Docker or LXC technologies to manage virtual machines and/or containers.

You can find out more about DebOps features on the project's documentation page.

Quick start

Start a Docker container which acts as an Ansible Controller host with DebOps support, based on Debian Buster:

docker run -it --rm debops/debops
cd src/controller ; debops run common --diff

Or, create a Vagrant VM which acts as an Ansible Controller host:

git clone https://github.com/debops/debops
cd debops && vagrant up && vagrant ssh
cd src/controller ; debops run common --diff

You can use configuration in the src/controller subdirectory to try out DebOps against the container/VM, or create your own DebOps project directory using debops project init command.

More quick start tips can be found in the DebOps quick start guide.

Installation

You can install the DebOps Python package, which includes the DebOps roles and playbooks, as well as additional scripts which can be used to set up separate project directories and run Ansible in a convenient way. To install the Python package with Ansible and the other required dependencies, run the command:

pip install --user debops[ansible]

Alternatively, DebOps roles are available on Ansible Galaxy as an Ansible Collection which can be installed using the ansible-galaxy command:

ansible-galaxy collection install debops.debops

Read the installation instructions in the DebOps documentation for more details about required software and dependencies.

Getting started

Ansible uses SSH to connect to and manage the hosts. DebOps hardens SSH by disabling password authentication, therefore using SSH keys to connect to the hosts is strongly recommended. This behaviour can be changed using the inventory variables.

During initial deployments you might find that the firewall created by DebOps blocks you from accessing the hosts. Because of that it's advisable to have out-of-band console access to the host, which can be used to log in and troubleshoot the connection.

Create a new environment within a DebOps "project directory", add some hosts in the Ansible inventory and run the default DebOps playbook against them to configure them:

# Create a new environment
debops project init ~/src/projects/my-environment
cd ~/src/projects/my-environment

# Modify the 'ansible/inventory/hosts' file to suit your needs, for example
# uncomment the local host to configure it with DebOps

# Run the full playbook against all hosts in the inventory
debops run site

# Run the common playbook against a specific host in the inventory
debops run common -l <hostname>

You should read the Getting Started with DebOps guide for a more in-depth explanation of how the project can be used to manage multiple hosts via Ansible.

Development

Create a fork of this repository and clone it to your workstation. Create a development DebOps environment and symlink the forked repository in it. Now you can create new playbooks/roles in the forked repository and see their results in the development environment.

git clone git@github.com:<username>/debops ~/src/github.com/<username>/debops
cd ~/src/github.com/<username>/debops
git remote add upstream https://github.com/debops/debops.git

debops project init ~/src/projects/debops-devel
cd ~/src/projects/debops-devel
ln -s ~/src/github.com/<username>/debops debops

You can pull the latest changes to the project from the upstream repository:

cd ~/src/github.com/<username>/debops
git checkout master
git fetch upstream
git rebase upstream/master

Read the development guide file for more details about the DebOps development process.

Contributing

DebOps development is done via a distributed development model. New features and changes are prepared in a fork of the official repository and are published to the original repository via GitHub pull requests. PRs are reviewed by the DebOps developer team and if accepted, are merged in the main repository.

GPG-signed git commits are preferred to ensure authenticity.

Read the contributing guide file for more details about how to contribute to DebOps.

Licensing

The DebOps project is licensed under the GNU General Public License 3.0 or later. You can find full text of the license in the LICENSES/GPL-3.0-or-later.txt file.

Some files included with the DebOps project use a different license. The licenses are marked in these files using the SPDX license identifiers and can be found in the LICENSES/ subdirectory. They are also included in the project tarballs, Ansible Collections and Python packages. The project uses the REUSE Specification and its associated tool to check and verify copyright and license information in all files.

ansible-tinc's Issues

dashes not supported in Name = <value> of tinc.conf

The advice is to fix etc/tinc/network/tinc.conf.j2:

Name = {{ tinc_hostname | replace("-","_") }}

Though, I think it might instead need to be changed in defaults/main.yml:

tinc_hostname: '{{ inventory_hostname_short | replace("-","_") }}'

(Or both? ;)

systemd service misses EXTRA options

Need to replace templates/etc/systemd/system/tinc@.service line 9:
ExecStart=/usr/sbin/tincd -D -n %i -o Interface=%i --mlock --chroot --user={{ tinc_user }}

with the following:
ExecStart=/usr/sbin/tincd -D {{ tinc_extra_options }} -n %i -o Interface=%i --mlock --chroot --user={{ tinc_user }}

help - how to customize template tinc-up.j2?

I need to force a couple of routes in tinc-up.j2 for just one specific host but I don't get how to do it.

I realize that this is probably more "lack of understanding of the whole debops structure" than "a debops.tinc issue". I apologize for this.

However, I see in main.yml

src: 'etc/tinc/network/tinc-up.j2'

I suppose that I can put tinc-up.j2 in some prioritized subdir in my ansible tree but I don't get where and with which structure so that my custom template will apply to just one machine.

Constantly interrupted in step "Download public keys per host"

https://github.com/debops/ansible-tinc/blob/master/tasks/main.yml#L192

In my opinion this is a logical fallacy.
In defaults there is a variable, tinc__inventory_hosts, but it is not used.

Or the logic is incorrect.

cat group_var/pve.yml
tinc__inventory_hosts: []
tinc__connect_to_mesh_pve: '{{ tinc__inventory_hosts_mesh_pve }}'
tinc__inventory_hosts_mesh_pve: '{{ (groups.pve if groups.pve|d() else []) | difference([ tinc__hostname ]) }}'
tinc__default_networks: []
tinc__inventory_groups: []
tinc__networks: [ '{{ tinc__network_mesh_pve }}' ]
tinc__host_addresses: '{{ tinc__host_addresses_ip }}'
tinc__network_mesh_pve:
  name: 'mesh_pve'
  interface: 'mesh_pve'
  hwaddr: ''
  bridge: ''
  link_type: 'static'
  boot: True
  port: '655'
  mlock: True
  chroot: True
  allow: ''
  user: '{{ tinc__user }}'
  tinc_options:
    Mode: 'switch'
    DeviceType: 'tap'
    Cipher: 'aes-256-cbc'
    Digest: 'SHA512'
    ConnectTo: '{{ tinc__connect_to_mesh_pve }}'
...
TASK [debops.tinc : Download public keys per network] **************************
ok: [pve6.pve.mpautina.ru] => (item={u'bridge': u'', u'chroot': True, u'name': u'mesh_pve', u'boot': True, u'interface': u'mesh_pve', u'tinc_options': {u'ConnectTo': [u'pve32.pve.mpautina.ru', u'pve6.pve.mpautina.ru'], u'Cipher': u'aes-256-cbc', u'DeviceType': u'tap', u'Mode': u'switch', u'Digest': u'SHA512'}, u'mlock': True, u'allow': u'', u'hwaddr': u'', u'port': u'655', u'link_type': u'static', u'user': u'tinc-vpn'})
ok: [pve32.pve.mpautina.ru] => (item={u'bridge': u'', u'chroot': True, u'name': u'mesh_pve', u'boot': True, u'interface': u'mesh_pve', u'tinc_options': {u'ConnectTo': [u'pve32.pve.mpautina.ru', u'pve6.pve.mpautina.ru'], u'Cipher': u'aes-256-cbc', u'DeviceType': u'tap', u'Mode': u'switch', u'Digest': u'SHA512'}, u'mlock': True, u'allow': u'', u'hwaddr': u'', u'port': u'655', u'link_type': u'static', u'user': u'tinc-vpn'})

TASK [debops.tinc : Download public keys for all hosts] ************************
ok: [pve6.pve.mpautina.ru] => (item={u'bridge': u'', u'chroot': True, u'name': u'mesh_pve', u'boot': True, u'interface': u'mesh_pve', u'tinc_options': {u'ConnectTo': [u'pve32.pve.mpautina.ru', u'pve6.pve.mpautina.ru'], u'Cipher': u'aes-256-cbc', u'DeviceType': u'tap', u'Mode': u'switch', u'Digest': u'SHA512'}, u'mlock': True, u'allow': u'', u'hwaddr': u'', u'port': u'655', u'link_type': u'static', u'user': u'tinc-vpn'})
ok: [pve32.pve.mpautina.ru] => (item={u'bridge': u'', u'chroot': True, u'name': u'mesh_pve', u'boot': True, u'interface': u'mesh_pve', u'tinc_options': {u'ConnectTo': [u'pve32.pve.mpautina.ru', u'pve6.pve.mpautina.ru'], u'Cipher': u'aes-256-cbc', u'DeviceType': u'tap', u'Mode': u'switch', u'Digest': u'SHA512'}, u'mlock': True, u'allow': u'', u'hwaddr': u'', u'port': u'655', u'link_type': u'static', u'user': u'tinc-vpn'})

TASK [debops.tinc : Download public keys per group] ****************************

TASK [debops.tinc : Download public keys per host] *****************************
failed: [pve32.pve.mpautina.ru] => (item={u'bridge': u'', u'chroot': True, u'name': u'mesh_pve', u'boot': True, u'interface': u'mesh_pve', u'tinc_options': {u'ConnectTo': [u'pve32.pve.mpautina.ru', u'pve6.pve.mpautina.ru'], u'Cipher': u'aes-256-cbc', u'DeviceType': u'tap', u'Mode': u'switch', u'Digest': u'SHA512'}, u'mlock': True, u'allow': u'', u'hwaddr': u'', u'port': u'655', u'link_type': u'static', u'user': u'tinc-vpn'}) => {"failed": true, "item": {"allow": "", "boot": true, "bridge": "", "chroot": true, "hwaddr": "", "interface": "mesh_pve", "link_type": "static", "mlock": true, "name": "mesh_pve", "port": "655", "tinc_options": {"Cipher": "aes-256-cbc", "ConnectTo": ["pve32.pve.mpautina.ru", "pve6.pve.mpautina.ru"], "DeviceType": "tap", "Digest": "SHA512", "Mode": "switch"}, "user": "tinc-vpn"}, "msg": "could not find src=/etc/secret/tinc/networks/mesh_pve/by-host/pve32/hosts"}
failed: [pve6.pve.mpautina.ru] => (item={u'bridge': u'', u'chroot': True, u'name': u'mesh_pve', u'boot': True, u'interface': u'mesh_pve', u'tinc_options': {u'ConnectTo': [u'pve32.pve.mpautina.ru', u'pve6.pve.mpautina.ru'], u'Cipher': u'aes-256-cbc', u'DeviceType': u'tap', u'Mode': u'switch', u'Digest': u'SHA512'}, u'mlock': True, u'allow': u'', u'hwaddr': u'', u'port': u'655', u'link_type': u'static', u'user': u'tinc-vpn'}) => {"failed": true, "item": {"allow": "", "boot": true, "bridge": "", "chroot": true, "hwaddr": "", "interface": "mesh_pve", "link_type": "static", "mlock": true, "name": "mesh_pve", "port": "655", "tinc_options": {"Cipher": "aes-256-cbc", "ConnectTo": ["pve32.pve.mpautina.ru", "pve6.pve.mpautina.ru"], "DeviceType": "tap", "Digest": "SHA512", "Mode": "switch"}, "user": "tinc-vpn"}, "msg": "could not find src=/etc/secret/tinc/networks/mesh_pve/by-host/pve6/hosts"}

could not find src=/etc/secret/tinc/networks/mesh_pve/by-host/pve32/hosts

Feature request: add options to allow static addressing

Hi,
I think it would be useful to manually set an IP address for every host in the mesh network. I'm thinking about something like this - part of host_vars:

tinc__networks:
  (...)
  link_type: static_ip
    - address: 1.2.3.4
    - netmask: 24
  (...)

Right now, as I understand it, this is not possible. What do you think about this idea?

Proposal: remove dhclient configuration from debops.tinc

I'm redesigning the debops.tinc role to use new configuration and remove excessive variables like tinc__*_mesh0 (really, who thought that would be a good idea in the first place?). During this I've looked a bit closer at the dhclient configuration the role adds and what the issue really is, and I think this should be removed from the role in its current state and replaced with a leaner solution.

The issue is that when DHCP is used to configure the Tinc clients on the mesh network, the DHCP server offers certain parameters like the default route, DNS nameservers and search domains and probably some other configuration. Without any additional work these parameters may disrupt host connectivity - for example the host picks the route through the Tinc VPN instead of the more correct route through the normal network interface.

The current solution is to install a hook script, which filters some DHCP parameters like default routers, etc. on the Tinc VPN network interfaces. The idea is good, but I feel that the debops.tinc role is a bad place to set that up. This should be moved to the (currently not existing) dhclient role. Currently in debops.tinc the method is essentially blacklisting certain network interfaces from configuring network parameters; I think that the better way would be to whitelist interfaces instead, which should be easily doable via a dedicated dhclient role.

Blacklisting default routers received from the Tinc VPN is also not that useful in the context of the debops.tinc role. What I would want to do instead, is to define a higher metric, say 100, for the Tinc network interfaces by default. This should ensure that any default route received from the DHCP server will have a higher "cost" and won't be preferred by the operating system. If you don't want to publish a default route through the VPN... fix your DHCP server to not publish such things (debops.dnsmasq allows to control that easily using dnsmasq__router variable).

The same goes for the nameservers and search domains - if your VPN DHCP server does not offer such things, disable them in your DHCP offerings. If it does but your DNS server inside the VPN is making your client network configuration wonky, I think that the issue is on the DNS server side and should be fixed there.

@ypid, since you introduced the dhclient hook script in the role, what do you think about this proposal?
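
The hook-script approach discussed in this proposal, as an added example that is not the role's own script and not part of the thread: a POSIX sh dhclient enter hook that applies the allowlist model suggested above, so that only named interfaces may install routers, nameservers or search domains from a DHCP lease, while a VPN interface only receives its address. The install path, the ROUTING_IFACES list and the interface names are assumptions made for the example; the interface, reason, new_routers, new_domain_name_servers and new_domain_search variables are the ones Debian's dhclient-script exports to the hooks it sources.

```shell
#!/bin/sh
# Added example, not the debops.tinc role's hook script.
# Assumed install path: /etc/dhcp/dhclient-enter-hooks.d/allowlist-routing
# Debian's dhclient-script sources enter hooks with $interface, $reason and the
# new_* lease option variables set; blanking new_routers, new_domain_name_servers
# and new_domain_search here keeps the script from applying them.

# Interfaces allowed to install default routes and DNS settings from a lease.
# Everything else (e.g. a tinc mesh interface) only gets an address.
# The list is an assumption for this example; set it for your hosts.
ROUTING_IFACES="${ROUTING_IFACES:-eth0 ens3}"

# iface_allowed IFACE LIST -> exit 0 if IFACE appears in the space-separated LIST
iface_allowed() {
    _iface="$1"
    for _i in $2; do
        [ "$_i" = "$_iface" ] && return 0
    done
    return 1
}

# filter_dhcp_params IFACE LIST ROUTERS DNS SEARCH
# Prints the lease parameters that may be applied: unchanged for an allowed
# interface, with routers/DNS/search blanked for any other interface.
filter_dhcp_params() {
    if iface_allowed "$1" "$2"; then
        printf 'routers=%s dns=%s search=%s\n' "$3" "$4" "$5"
    else
        printf 'routers= dns= search=\n'
    fi
}

# Hook body: only active when sourced by dhclient-script for a lease event.
if [ -n "${interface:-}" ]; then
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT)
            if ! iface_allowed "$interface" "$ROUTING_IFACES"; then
                # Keep the address, drop everything that could redirect
                # default traffic or name resolution through the VPN.
                new_routers=""
                new_domain_name_servers=""
                new_domain_search=""
            fi
            ;;
    esac
fi
```

The allowlist is the inverse of the current blacklist: a new VPN or container interface is safe by default and has to be added explicitly before its DHCP server can change routing or DNS on the host. The route-metric alternative from the proposal would be set in the interface configuration instead and is not covered by this hook.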

tinc.conf generated with wrong hostname if inventory_hostname is fqdn

Hello,

I'm using FQDNs in my ansible inventory file and found the following issue.

Because tinc_hostname is defined as inventory_hostname_short, which is used to generate the hosts files, while tinc_connect_to uses items from the inventory group, I'm getting wrong ConnectTo values in tinc.conf.

Example:
tinc.conf

Name = openvz21
ConnectTo = openvz3.example.com
ConnectTo = openvz21.example.com

Hosts dir

$ ls hosts/
openvz21  openvz21.d  openvz3

But if I change tinc_hostname to inventory_hostname, somehow the task "Create persistent copy of host public key" fails.
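
Both the dash issue reported earlier and this FQDN mismatch come down to applying one normalisation consistently to Name and to every ConnectTo entry. As an added example that is not part of the role or of either report, the POSIX sh functions below derive the Name the way the proposed replace("-","_") filter does, strip the domain so an FQDN inventory yields the short name, validate the result against tinc's alphanumeric-plus-underscore rule, and flag inventory hosts that would collapse into the same Name, which would also mean sharing one hosts/<Name> public key file. The function names and the sample hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the debops.tinc role): derive a tinc Name from an
# inventory hostname the way the proposed replace("-","_") filter does, check
# it against tinc's name rules, and report inventory hosts that would end up
# sharing one Name (and therefore one hosts/<Name> key file).

# tinc_name_from_hostname FQDN_OR_SHORT -> prints the tinc Name
# Strips the domain part (FQDN inventories) and maps '-' to '_', so the same
# function can be applied to both Name and every ConnectTo entry.
tinc_name_from_hostname() {
    printf '%s\n' "${1%%.*}" | sed 's/-/_/g'
}

# is_valid_tinc_name NAME -> exit 0 if NAME uses only [A-Za-z0-9_]
is_valid_tinc_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_connect_to HOST... -> prints one "ConnectTo = <Name>" line per host,
# normalised exactly like Name, so tinc.conf and the hosts/ directory agree.
render_connect_to() {
    for h in "$@"; do
        printf 'ConnectTo = %s\n' "$(tinc_name_from_hostname "$h")"
    done
}

# find_name_collisions HOST... -> prints "Name: host1 host2" for every Name
# produced by more than one inventory host (empty output means no collisions).
find_name_collisions() {
    for h in "$@"; do
        printf '%s %s\n' "$(tinc_name_from_hostname "$h")" "$h"
    done | LC_ALL=C sort | awk '
        { count[$1]++; hosts[$1] = hosts[$1] " " $2 }
        END { for (n in count) if (count[n] > 1) print n ":" hosts[n] }'
}

# Constructed sample inventory: an FQDN group plus a pair of hosts that differ
# only by '-' versus '_' and therefore collide after normalisation.
render_connect_to openvz3.example.com openvz21.example.com
find_name_collisions node-a.example.com node_a.example.com node-b
```

Running the collision check before the role distributes keys is the useful part: tinc itself will accept either host's key under hosts/node_a, so the overwrite is silent unless the inventory is checked up front.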

tinc_host_configuration needs to be reconsidered

In router mode, there is a need for multiple Subnet: lines. Having tinc_host_configuration as only a dictionary makes only one Subnet: line "valid".

Yes, I've resorted to using capitalization to hack past this problem (see below), but that's not clean and intuitive:

# There is a problem in debops.tinc: subnets must be unique keys as it's a dict, not a list,
# so use capitalization to make them unique...
tinc_host_configuration:
  subnet: '10.255.253.0/24'
  Subnet: '{{tinc_host_net_ip}}'

Tests fail on travis but shown as passing

Thanks a lot! I'm checking out debops and so far it is pretty awesome.

Just a heads up. The tests on travis fail because the nodes can't find each other. The tests are marked as successful though!
https://travis-ci.org/debops/ansible-tinc

NOTIFIED: [ansible-tinc | Reload tinc configuration] ************************** 
failed: [localhost] => {"changed": true, "cmd": ["tincd", "-n", "mesh0", "-kHUP"], "delta": "0:00:00.013472", "end": "2015-08-27 14:37:46.808564", "rc": 1, "start": "2015-08-27 14:37:46.795092", "warnings": []}
stderr: No other tincd is running for net `mesh0'.

I had the same issue locally, but after setting the connection type to static like described in the docs, it worked.

tinc_connection_type: 'static'

This is already set in the test-suite, though.
