CHANGES.rst

File metadata and controls

269 lines (181 loc) · 9.59 KB

Changelog
=========

debops.tinc
-----------

This project adheres to Semantic Versioning and a human-readable changelog.

The current role maintainer_ is drybjed_.

Refer to the :ref:`tinc__ref_upgrade_nodes` when you intend to upgrade to a new release.

debops.tinc master - unreleased
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

debops.tinc v0.4.0 - 2017-07-12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added
^^^^^

  • The memlock :command:`ulimit` limit will be configured in the :command:`systemd` unit to avoid issues with memory limits when the ``--mlock`` option is enabled. [drybjed_]
  • By default, Tinc network connections configured with :command:`dhclient` will use a metric value of 100 to impose lower priority in the routing table. This should mitigate issues with default routes pointing inside the VPN. [drybjed_]
  • The YAML dictionaries that configure Tinc networks support more parameters related to :file:`tinc.conf`; the tinc_options parameter might not be needed if the default options are good enough. [drybjed_]
  • The state: 'absent' network state should now correctly disable the given network in :command:`systemd` and remove the network configuration files from the :file:`/etc/tinc/` directory. [drybjed_]
  • Add support for configuration of DNS nameservers and search domains using the :command:`resolvconf` script when the network interfaces are configured statically. [drybjed_]
  • Support for persistent configuration of TemplateBasedVM on `Qubes OS`_ out of the box using the debops.persistent_paths_ role. [ypid_]

Changed
^^^^^^^

  • The tinc_*_networks variables have been redesigned. They are now YAML dictionary variables that use dictionaries to define the Tinc networks. The old notation using YAML lists can still be used, but different data models cannot be combined in the same variable. You most likely will want to update your inventory. [drybjed_]
  • The mesh configuration is now dynamically generated using lookup templates; the autogenerated values can be easily changed if necessary using the YAML dictionary parameters. [drybjed_]
  • The size of the memlocked memory is based on the size of the RSA keys in use instead of being static. [drybjed_]
  • The host files will include public IPv4 and IPv6 host addresses by default, along with the host's FQDN. [drybjed_]
  • The template lookups that configure other Ansible roles have been moved from the debops.tinc/env role to the debops.tinc default variables. This allows easier changes in the configuration if necessary. [drybjed_]
  • The :command:`systemd` Tinc units have been updated to start the Tinc tunnels after the normal network configuration is established. This should ensure the correct interface order and bridge connection configuration. [drybjed_]
  • Make sure that the :command:`systemd` Tinc units correctly execute the :command:`tinc-down` scripts on service shutdown. [drybjed_]
  • Change the naming scheme of the debops.ferm_ configuration files in anticipation of the upcoming changes. You might need to remove the old firewall configuration files to avoid duplicate rule entries. [drybjed_]

Removed
^^^^^^^

  • The tinc_*_mesh0 variables have been removed. The configuration of the default Tinc mesh0 network is now defined in the :envvar:`tinc__default_networks` variable and can be easily augmented if needed using the tinc__*_networks variables in the Ansible inventory. [drybjed_]
  • Support for the [debops_service_tinc_mesh0] inventory group has been removed; the default mesh0 network will include the hosts in the [debops_service_tinc] group. You can add hosts to the [debops_service_tinc_aux] group; they will have Tinc installed and configured but will not be included in the default hosts list.
  • The :command:`dhclient` hook configuration has been removed; the role should remove the hook automatically if it's installed on the host. The functionality will be reimplemented in another role. The changed network route metric should fix the issues with the default route configured by :command:`dhclient`. [drybjed_]

debops.tinc v0.3.0 - 2016-11-21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added
^^^^^

  • Add tinc__address_family_mesh0 and tinc__compression_mesh0. [ser_]
  • Add tinc__mlock_mesh0. [ypid_]
  • Allow configuring nodes as clients using tinc__client_hosts. [ypid_]
  • Add support for blocking the default route and DNS servers offered via DHCPv4 over a Tinc network. Tinc nodes will not accept default routes through the mesh network anymore. Furthermore, allow adjusting the metric of routes created based on those offered via DHCPv4. [ypid_]
  • Ensure that highly sensitive files are not checked into version control when, for example, :program:`etckeeper` is used for tracking changes in :file:`/etc`. Note that sensitive files which are already tracked by version control will need to be manually deleted from the version control history! Refer to :envvar:`tinc__vcs_ignore_patterns` for more details. [ypid_]

Changed
^^^^^^^
  • Update to DebOps Standards v0.2.1. [ypid_]
  • Rename undocumented delete option for :ref:`tinc__ref_networks` to state and document it. [ypid_]
  • tinc__inventory_hosts_mesh0 now refers to all hosts in the Ansible inventory that are participating in the mesh0 network. [ypid_]
  • Rename tinc__connect_to_mesh0 to tinc__reachable_peer_hosts_mesh0. [ypid_]
  • Increased default RSA key size from 4096 to 8192 bits as suggested by https://bettercrypto.org. Note that this increases the initial key generation from a few seconds to a few minutes which should be justifiable. [ypid_]
  • Update documentation to use debops.ifupdown_ instead of the deprecated debops.subnetwork role. [ypid_]
  • Set the correct version in the upgrade notes and update the upgrade script name. [drybjed_]

Fixed
^^^^^
  • Redundancy and deviation in documentation. [ypid_]
  • Don’t connect to the Tinc daemon node itself when working with FQDNs. [ypid_]
  • Don’t rely on the legacy :command:`brctl` command to be installed (which was not ensured by this role) and instead use tools from the iproute2 package. [ypid_]

debops.tinc v0.2.1 - 2016-02-29
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added
^^^^^

  • Add a way to exclude addresses from the public key host files. The default mesh0 configuration will automatically gather all relevant IP addresses and exclude them from the host files. [drybjed_]

Changed
^^^^^^^

debops.tinc v0.2.0 - 2016-02-22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Changed
^^^^^^^

  • Rewrite of the debops.tinc role.

    The role now supports management of multiple Tinc VPNs at the same time. By default a mesh0 network is established, which uses the Switch mode and DHCP to manage the network configuration.

    The new role doesn't use ifupdown configuration to manage the network interfaces; instead, custom tinc-up and tinc-down scripts take care of setting up and tearing down the virtual Ethernet interface used by the VPN.

    If systemd is detected on a host, the role installs custom service units that allow managing each Tinc VPN separately from the others. The role uses these units as needed to start/stop/restart the daemons.

    Configuration for the debops.etc_services_, debops.ferm_ and debops.secret_ Ansible roles is generated dynamically by custom templates. This requires a customized Ansible playbook (see the documentation).

    Public RSA host keys are not distributed using YAML text blocks. Instead, the debops.secret_ role manages a set of directories which can be used to deploy public keys to the hosts in the mesh. [drybjed_]

debops.tinc v0.1.1 - 2015-11-30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added
^^^^^

  • New variable tinc_interface_auto which controls whether the VPN interface will be started at boot time, and whether Ansible will automatically manage it during playbook runs if any changes occur. [drybjed_]

Changed
^^^^^^^
  • Change the tinc_host_port type from Int to String, so that there are no issues with the debops.ferm_ role. [drybjed_]
  • Wrap the name of the VPN node and replace all hyphens with underscores, which is a tinc requirement. [drybjed_]

Fixed
^^^^^
  • Fix wrong name of the variable in host template. [drybjed_]

debops.tinc v0.1.0 - 2015-05-20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added
^^^^^