diff --git a/network.yml b/network.yml
index 9c5dbb0..d61db7f 100755
--- a/network.yml
+++ b/network.yml
@@ -20,9 +20,11 @@
 roles:
 - unbound
-- hosts: routeur-edc-backup.adm.auro.re # temporaire
+
+# Déploiement du service re2o aurore-firewall et keepalived
+- hosts: routeur-edc*.adm.auro.re
 roles:
- - aurore-firewall
+ - router
 # WIP: Deploy authoritative DNS servers
diff --git a/roles/aurore-firewall/tasks/main.yml b/roles/aurore-firewall/tasks/main.yml
deleted file mode 100644
index 691cb71..0000000
--- a/roles/aurore-firewall/tasks/main.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Install aurore-firewall (re2o-service)
- import_role:
- name: re2o-service
- vars:
- service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
- service_name: aurore-firewall
- service_version: aurore
- service_config:
- hostname: re2o.auro.re
- username: service-user
- password: "{{ vault_serviceuser_passwd }}"
-
-
-- name: Configure aurore-firewall
- template:
- src: firewall_config.py
- dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
- mode: 0644
diff --git a/roles/router/handlers/main.yml b/roles/router/handlers/main.yml
new file mode 100644
index 0000000..11ba484
--- /dev/null
+++ b/roles/router/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart keepalived
+ systemd:
+ state: restarted
+ name: keepalived
+
+- name: run aurore-firewall
+ command: python3 main.py --force
+ args:
+ chdir: /var/local/re2o-services/aurore-firewall/
diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml
new file mode 100644
index 0000000..6073afe
--- /dev/null
+++ b/roles/router/tasks/main.yml
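Review bot: `command: python3 main.py --force` in the `run aurore-firewall` handler resolves the interpreter through the handler's PATH, while the cron entry added in the same role pins `/usr/bin/python3` for the very same script; the two invocations should agree so the firewall is regenerated by one interpreter whichever path triggers it, `command: /usr/bin/python3 main.py --force`. Both tasks in roles/router/tasks/main.yml notify this handler, so it is also the only place where a change to the checkout or its config is applied during a play; a one-line comment above it, `# Regenerates the ruleset; also run from cron.d/re2o-services every 5 minutes`, would make that relationship visible to the next reader.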
@@ -0,0 +1,49 @@
+---
+
+- name: Enable IPv4 packet forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+
+- name: Install aurore-firewall (re2o-service)
+ import_role:
+ name: re2o-service
+ vars:
+ service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
+ service_name: aurore-firewall
+ service_version: aurore
+ service_config:
+ hostname: re2o.auro.re
+ username: service-user
+ password: "{{ vault_serviceuser_passwd }}"
+ notify: run aurore-firewall
+
+- name: Configure aurore-firewall
+ template:
+ src: firewall_config.py
+ dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
+ mode: 0644
+ notify: run aurore-firewall
+
+- name: Install keepalived
+ apt:
+ name: keepalived
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure keepalived
+ template:
+ src: keepalived.conf
+ dest: /etc/keepalived/keepalived.conf
+ mode: 0644
+ notify: restart keepalived
+
+
+- name: Configure cron
+ template:
+ src: cron.d/re2o-services
+ dest: /etc/cron.d/re2o-services
+ mode: 0644
diff --git a/roles/router/templates/cron.d/re2o-services b/roles/router/templates/cron.d/re2o-services
new file mode 100644
index 0000000..e732887
--- /dev/null
+++ b/roles/router/templates/cron.d/re2o-services
@@ -0,0 +1,3 @@
+# Régénération du firewall
+*/5 * * * * root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py
+@reboot root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py --force
diff --git a/roles/aurore-firewall/templates/firewall_config.py b/roles/router/templates/firewall_config.py
similarity index 89%
rename from roles/aurore-firewall/templates/firewall_config.py
rename to roles/router/templates/firewall_config.py
index 052c6d2..d78707d 100644
--- a/roles/aurore-firewall/templates/firewall_config.py
+++ b/roles/router/templates/firewall_config.py
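Review bot: The `Configure keepalived` task writes `/etc/keepalived/keepalived.conf` with `mode: 0644`, but the template it renders contains the VRRP `auth_pass`, so the shared secret ends up world-readable on the router; keepalived runs as root and only needs `mode: 0600` with `owner: root` and `group: root`. The `notify: run aurore-firewall` placed on the `import_role` task presumably propagates to every task of `re2o-service`, which means the firewall script is re-run after any change inside that role rather than only after a checkout update; if that is the intent, say so in a comment, otherwise move the notify to the specific task. `firewall_config.py` is also written `0644`; the visible part of that template holds only role and NAT data, so that is fine as long as no credential is ever rendered into it.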
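Review bot: Both cron lines run the firewall regeneration as root without any lock, so the five-minute run can overlap a slow previous run or the `run aurore-firewall` handler fired by a play, and two regenerations would then be applied concurrently. Wrapping the command in `flock -n` makes an overlapping run skip instead of interleave, e.g. `*/5 * * * * root flock -n /run/aurore-firewall.lock /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py` (lock path illustrative), with the same wrapper on the `@reboot` line. Whether `main.py` already serialises itself is not visible here; if it does, a comment in this file stating that would settle the question. The `@reboot` entry also assumes the script copes with running before keepalived has brought the virtual addresses up, which is worth confirming against the script.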
@@ -26,7 +26,8 @@
 ### Give me a role
-role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
+# routeur4 = routeur IPv4
+role = ['routeur4']
 ### Specify each interface role
@@ -58,7 +59,9 @@ nat = [
 },
 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
 'extra_nat' : {
- '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}'
+ '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
+ apartment_block_id }}',
+ '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
 }
 }
 ]
diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf
new file mode 100644
index 0000000..3f15878
--- /dev/null
+++ b/roles/router/templates/keepalived.conf
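Review bot: In the second hunk the line break sits inside the Jinja expression, `'45.66.108.25{{` followed by `apartment_block_id }}',`, so the Python string literal only survives because Jinja consumes the newline before Python parses the rendered file; to anyone reading the template it looks like a broken string. Keep `{{ apartment_block_id }}` on one line and, if the entry is too long, break between the key and the value at the dict level instead. The new `.254` entry is the VRRP virtual address that keepalived.conf in this commit assigns to the master/backup pair, and it maps to the same public address as the per-host `.140`/`.240` entry above it; a comment such as `# .254 is the VRRP virtual address (see keepalived.conf); it shares the public IP with the host address` would record that this is deliberate. With `role = ['routeur4']` now hard-coded in the first hunk, master and backup render identical role lists, which is consistent with the VRRP pairing but worth one more sentence in the `# routeur4` comment.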
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+global_defs {
+ notification_email {
+ monitoring.aurore@lists.crans.org
+ }
+ notification_email_from routeur-edc-backup@auro.re
+ smtp_server smtp.crans.org
+}
+
+
+vrrp_instance VI_ROUT_{{ apartment_block }} {
+ {% if 'backup' in inventory_hostname %}
+ state BACKUP
+ priority 100
+ {% else %}
+ state MASTER
+ priority 150
+ {% endif %}
+
+
+ # Interface used for VRRP communication.
+ interface ens18
+
+ # Shared by MASTER and BACKUP
+ virtual_router_id {{ apartment_block_id }}
+
+ # Timeout in seconds before failover kicks in.
+ advert_int 2
+
+
+ # Used to authenticate VRRP communication between master and backup.
+ authentication {
+ auth_type PASS
+ auth_pass pLOP # temporary password; DO NOT USE
+ }
+
+ smtp_alert
+
+ virtual_ipaddress {
+ # Routing subnet
+ 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
+
+ # Public subnet: wired
+ 45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
+ # Public subnet: wifi
+ 45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
+
+ # Wired
+ 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
+ # Wifi
+ 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
+ }
+
+ virtual_routes {
+ # 10.129.0.1 is Yggdrasil
+ src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
+ }
+}
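Review bot: `auth_pass pLOP # temporary password; DO NOT USE` commits a hard-coded VRRP password to the repository, and the comment itself says it must not be used; the tasks file in this same commit already pulls `vault_serviceuser_passwd` from a vault, so the same pattern belongs here, `auth_pass {{ vault_vrrp_auth_pass }}` (variable name illustrative). Note that `auth_type PASS` carries the password in clear text in every advertisement and keepalived honours at most its first 8 characters, so it only protects against a mis-paired instance, not against a peer on ens18; a comment to that effect in the `authentication` block would set expectations. `notification_email_from routeur-edc-backup@auro.re` is fixed to the backup host although the template is rendered on the master as well, `notification_email_from {{ inventory_hostname_short }}@auro.re` would fit both. The instance name uses `{{ apartment_block }}` while every other line uses `apartment_block_id`; if `apartment_block` is not defined for these hosts the template fails to render, so confirm it exists or switch to the id.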