Merge branch 'drybjed-network-redesign'

debops · Jul 12, 2017 · 2479ac3 · 2479ac3
2 parents fe55283 + 7a06ea6
commit 2479ac3
Show file tree

Hide file tree

Showing 35 changed files with 1,116 additions and 552 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -19,7 +19,95 @@ new release.
 `debops.tinc master`_ - unreleased
 ----------------------------------
 
-.. _debops.tinc master: https://github.com/debops/ansible-tinc/compare/v0.3.0...master
+.. _debops.tinc master: https://github.com/debops/ansible-tinc/compare/v0.4.0...master
+
+
+`debops.tinc v0.4.0`_ - 2017-07-12
+----------------------------------
+
+.. _debops.tinc v0.4.0: https://github.com/debops/ansible-tinc/compare/v0.3.0...v0.4.0
+
+Added
+~~~~~
+
+- The memlock :command:`ulimit` limit will be configured in the
+  :command:`systemd` unit to avoid issues with memory limits when the
+  ``--mlock`` option is enabled. [drybjed_]
+
+- By default Tinc network connections configured with :command:`dhclient` will
+  use a ``100`` metric value to impose lower priority in the routing table.
+  This should mitigate issues with default routes pointing inside the VPN.
+  [drybjed_]
+
+- The YAML dictionaries that configure Tinc networks support more parameters
+  related to :file:`tinc.conf`, the ``tinc_options`` parameter might not be
+  needed if the default options are good enough. [drybjed_]
+
+- The ``state: 'absent'`` network state should now correctly disable the given
+  network in :command:`systemd` and remove the network configuration files from
+  :file:`/etc/tinc/` directory. [drybjed_]
+
+- Add support for configuration of DNS nameservers and search domains using
+  :command:`resolvconf` script when the network interfaces are configured
+  statically. [drybjed_]
+
+- Support for persistent configuration of TemplateBasedVM on `Qubes OS`_ out of
+  the box using the debops.persistent_paths_ role. [ypid_]
+
+Changed
+~~~~~~~
+
+- The ``tinc_*_networks`` variables have been redesigned. They are now YAML
+  dictionary variables that use dictionaries do define the Tinc networks. The
+  old notation using YAML lists can still be used, but different data models
+  cannot be combined in the same variable. You most likely will want to update
+  your inventory. [drybjed_]
+
+- The mesh configuration is now dynamically generated using lookup templates,
+  the autogenerated values can be easily changed if necessary using the YAML
+  dictionary parameters. [drybjed_]
+
+- The size of the memlocked memory is based on the size of the RSA keys in use
+  instead of being static. [drybjed_]
+
+- The host files will include public IPv4 and IPv6 host addresses by default,
+  along with host's FQDN. [drybjed_]
+
+- The template lookups that configure other Ansible roles have been moved from
+  the ``debops.tinc/env`` role to the ``debops.tinc`` default variables. This
+  allows easier changes in the configuration if necessary. [drybjed_]
+
+- The :command:`systemd` Tinc units have been updated to start the Tinc tunnels
+  after normal network configuration is established. This should ensure the
+  correct interface order and bridge connection configuration. [drybjed_]
+
+- Make sure that the :command:`systemd` Tinc units correctly execute the
+  :command:`tinc-down` scripts on service shutdown. [drybjed_]
+
+- Change the naming scheme of the debops.ferm_ configuration files in
+  anticipation of the upcoming changes. You might need to remove the old
+  firewall configuration files to avoid duplicate rule entries. [drybjed_]
+
+Removed
+~~~~~~~
+
+- The ``tinc_*_mesh0`` variables have been removed. The configuration of the
+  default Tinc ``mesh0`` network is now defined in the
+  :envvar:`tinc__default_networks` variable and can be easily augmented if
+  needed using ``tinc__*_networks`` variables in the Ansible inventory.
+  [drybjed_]
+
+- Support for the ``[debops_service_tinc_mesh0]`` inventory group has been
+  removed, the default ``mesh0`` network will include the hosts in the
+  ``[debops_service_tinc]`` group. You can add hosts to the
+  ``[debops_service_tinc_aux]`` group that will have Tinc installed and
+  configured but will not be included in the default hosts list.
+
+- The :command:`dhclient` hook configuration has been removed, role should
+  remove the hook automatically if it's installed on the host. The
+  functionality will be reimplemented in another role. Changed network route
+  metric should fix the issues with the default route configured by
+  :command:`dhclient`. [drybjed_]
 
 
 `debops.tinc v0.3.0`_ - 2016-11-21
@@ -30,11 +118,11 @@ new release.
 Added
 ~~~~~
 
-- Add :envvar:`tinc__address_family_mesh0` and :envvar:`tinc__compression_mesh0`. [ser_]
+- Add ``tinc__address_family_mesh0`` and ``tinc__compression_mesh0``. [ser_]
 
-- Add :envvar:`tinc__mlock_mesh0`. [ypid_]
+- Add ``tinc__mlock_mesh0``. [ypid_]
 
-- Allow to configure nodes as clients using :envvar:`tinc__client_hosts`. [ypid_]
+- Allow to configure nodes as clients using ``tinc__client_hosts``. [ypid_]
 
 - Add support to block default route and DNS servers offered via DHCPv4 over a
   Tinc network. Tinc nodes will not accept default routes thought the mesh
@@ -55,10 +143,10 @@ Changed
 - Rename undocumented ``delete`` option for :ref:`tinc__ref_networks` to
   ``state`` and document it. [ypid_]
 
-- :envvar:`tinc__inventory_hosts_mesh0` now refers to all hosts in the Ansible
+- ``tinc__inventory_hosts_mesh0`` now refers to all hosts in the Ansible
   inventory that are participating in the ``mesh0`` network. [ypid_]
 
-- Rename ``tinc__connect_to_mesh0`` to :envvar:`tinc__reachable_peer_hosts_mesh0`.
+- Rename ``tinc__connect_to_mesh0`` to ``tinc__reachable_peer_hosts_mesh0``.
   [ypid_]
 
 - Increased default RSA key size from ``4096`` to ``8192`` bits as suggested by
@@ -98,7 +186,7 @@ Changed
 ~~~~~~~
 
 - Use the same value type in :envvar:`tinc__host_addresses_fqdn` and
-  :envvar:`tinc__host_addresses_ip` for consistency. [drybjed_]
+  :envvar:`tinc__host_addresses_ip_public` for consistency. [drybjed_]
 
 - Support both strings and lists in :envvar:`tinc__host_addresses`. [drybjed_]
 

diff --git a/COPYRIGHT b/COPYRIGHT
@@ -1,8 +1,8 @@
 debops.tinc - Configure tinc mesh VPN network
 
-Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
-Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
-Copyright (C) 2015-2016 DebOps https://debops.org/
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2017 DebOps https://debops.org/
 
 This Ansible role is part of DebOps.
 

diff --git a/UPGRADE.rst b/UPGRADE.rst
@@ -7,6 +7,65 @@ The upgrade notes only describe necessary changes that you might need to make
 to your setup in order to use a new role release. Refer to the
 :ref:`tinc__ref_changelog` for more details about what has changed.
 
+.. _tinc__ref_upgrade_nodes_v0.4:
+
+Upgrade from v0.3.X to v0.4.X
+-----------------------------
+
+The ``tinc__*_networks`` variables have been redesigned and now use YAML
+dictionaries instead of lists by default. This allows for easier modification
+of existing networks from the inventory. The role still supports YAML lists,
+but there might be some issues with duplicated configuration.
+
+Conversion to the new format is pretty simple, but cannot be reliably performed
+by a script. If in your inventory you have entries similar to:
+
+.. code-block:: yaml
+
+   tinc__host_networks:
+
+     - name: 'mesh0'
+       port: '655'
+
+     - name: 'mesh1'
+       port: '656'
+
+You can switch them to the new format by changing them to:
+
+.. code-block:: yaml
+
+   tinc__host_networks:
+
+     'mesh0':
+       name: 'mesh0'
+       port: '655'
+
+     'mesh1':
+       name: 'mesh1'
+       port: '656'
+
+If you use the ``name`` parameter, the dictionary keys can be arbitrary,
+otherwise they will be used as the network names.
+
+The autogenerated interface names have been changed, the role checks if the
+network name starts with ``tun`` or ``tap`` and uses the network name as the
+interface name, otherwise the network interfaces will have the form
+``<device_type>-<network_name>``, for example ``tun-mesh0``. To prevent that,
+include the ``interface`` parameter in the network configuration.
+
+The :command:`systemd` units have been adjusted to start the Tinc networks
+after normal networking is configured (the ``network-online.target`` is
+reached). To review the dependency order of a given Tinc service, you can use
+the command:
+
+.. code-block:: console
+
+   systemd-analyze critical-chain tinc.service
+
+You might need to reboot the host to see the correct order in all related
+services.
+
+
 .. _tinc__ref_upgrade_nodes_v0.3:
 
 Upgrade from v0.2.X to v0.3.X