keepalived: initial config
This commit is contained in:
parent
26524eccc5
commit
e58ee1c4b5
7 changed files with 128 additions and 23 deletions
|
@ -20,9 +20,11 @@
|
||||||
roles:
|
roles:
|
||||||
- unbound
|
- unbound
|
||||||
|
|
||||||
- hosts: routeur-edc-backup.adm.auro.re # temporaire
|
|
||||||
|
# Déploiement du service re2o aurore-firewall et keepalived
|
||||||
|
- hosts: routeur-edc*.adm.auro.re
|
||||||
roles:
|
roles:
|
||||||
- aurore-firewall
|
- router
|
||||||
|
|
||||||
|
|
||||||
# WIP: Deploy authoritative DNS servers
|
# WIP: Deploy authoritative DNS servers
|
||||||
|
|
|
@ -1,19 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install aurore-firewall (re2o-service)
|
|
||||||
import_role:
|
|
||||||
name: re2o-service
|
|
||||||
vars:
|
|
||||||
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
|
|
||||||
service_name: aurore-firewall
|
|
||||||
service_version: aurore
|
|
||||||
service_config:
|
|
||||||
hostname: re2o.auro.re
|
|
||||||
username: service-user
|
|
||||||
password: "{{ vault_serviceuser_passwd }}"
|
|
||||||
|
|
||||||
|
|
||||||
- name: Configure aurore-firewall
|
|
||||||
template:
|
|
||||||
src: firewall_config.py
|
|
||||||
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
|
|
||||||
mode: 0644
|
|
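--- a/roles/router/handlers/main.yml
+++ b/roles/router/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart keepalived
+  systemd:
+    state: restarted
+    name: keepalived
+
+- name: run aurore-firewall
+  command: python3 main.py --force
+  args:
+    chdir: /var/local/re2o-services/aurore-firewall/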
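Review bot: The handlers file has no `---` document start while `roles/router/tasks/main.yml` in this same commit opens with one; add `---` as the first line for consistency (yamllint `document-start`). The `run aurore-firewall` handler calls a bare `python3` whereas the cron template in this commit uses `/usr/bin/python3`; picking one form avoids the handler and the cron job resolving different interpreters on a host with several installed. The working directory `/var/local/re2o-services/aurore-firewall/` is also spelled out here, in the tasks file and in the cron template, so a single role variable for it would keep the three in step.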
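--- a/roles/router/tasks/main.yml
+++ b/roles/router/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Enable IPv4 packet forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+
+- name: Install aurore-firewall (re2o-service)
+  import_role:
+    name: re2o-service
+  vars:
+    service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
+    service_name: aurore-firewall
+    service_version: aurore
+    service_config:
+      hostname: re2o.auro.re
+      username: service-user
+      password: "{{ vault_serviceuser_passwd }}"
+  notify: run aurore-firewall
+
+- name: Configure aurore-firewall
+  template:
+    src: firewall_config.py
+    dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
+    mode: 0644
+  notify: run aurore-firewall
+
+- name: Install keepalived
+  apt:
+    name: keepalived
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure keepalived
+  template:
+    src: keepalived.conf
+    dest: /etc/keepalived/keepalived.conf
+    mode: 0644
+  notify: restart keepalived
+
+
+- name: Configure cron
+  template:
+    src: cron.d/re2o-services
+    dest: /etc/cron.d/re2o-services
+    mode: 0644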
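Review bot: `mode: 0644` on the "Configure keepalived" task installs `/etc/keepalived/keepalived.conf` world-readable although the template it renders carries the VRRP `auth_pass`; keepalived runs as root, so `mode: "0600"` is sufficient and keeps that secret away from unprivileged local accounts. The same unquoted `0644` appears on the firewall_config.py and cron tasks: write octal modes as quoted strings (`mode: "0644"`), since a bare `0644` is read as the integer 420 under YAML 1.1 and ansible-lint flags it. `sysctl_set: yes` should be `sysctl_set: true` (yamllint `truthy`). As I read Ansible's keyword inheritance, `notify: run aurore-firewall` placed on the `import_role` task is applied to every task inside re2o-service, so the handler fires whenever any of those tasks reports a change; if that is not intended, notify from the specific task that fetches or updates the service instead.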
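--- a/roles/router/templates/cron.d/re2o-services
+++ b/roles/router/templates/cron.d/re2o-services
@@ -0,0 +1,3 @@
+# Régénération du firewall
+*/5 * * * * root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py
+@reboot root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py --force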
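Review bot: The five-minute entry runs `main.py` as root with no guard against overlapping executions; the script presumably talks to re2o.auro.re (the tasks file configures a hostname, user and password for it), so a stalled fetch that outlasts five minutes lets the next run start concurrently and the two can interleave their firewall rewrites. Wrapping the command in util-linux `flock -n <LOCKFILE> /usr/bin/python3 …` (lock path to be chosen) makes a second instance exit instead of racing, and the `run aurore-firewall` handler would benefit from the same lock since it executes the same script. A `MAILTO=` line at the top would also make the root-owned job's failures visible somewhere other than the local mail spool.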
|
@ -26,7 +26,8 @@
|
||||||
|
|
||||||
### Give me a role
|
### Give me a role
|
||||||
|
|
||||||
role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
|
# routeur4 = routeur IPv4
|
||||||
|
role = ['routeur4']
|
||||||
|
|
||||||
|
|
||||||
### Specify each interface role
|
### Specify each interface role
|
||||||
|
@ -58,7 +59,9 @@ nat = [
|
||||||
},
|
},
|
||||||
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
|
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
|
||||||
'extra_nat' : {
|
'extra_nat' : {
|
||||||
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}'
|
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
|
||||||
|
apartment_block_id }}',
|
||||||
|
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
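--- a/roles/router/templates/keepalived.conf
+++ b/roles/router/templates/keepalived.conf
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+global_defs {
+    notification_email {
+        monitoring.aurore@lists.crans.org
+    }
+    notification_email_from routeur-edc-backup@auro.re
+    smtp_server smtp.crans.org
+}
+
+
+vrrp_instance VI_ROUT_{{ apartment_block }} {
+    {% if 'backup' in inventory_hostname %}
+    state BACKUP
+    priority 100
+    {% else %}
+    state MASTER
+    priority 150
+    {% endif %}
+
+
+    # Interface used for VRRP communication.
+    interface ens18
+
+    # Shared by MASTER and BACKUP
+    virtual_router_id {{ apartment_block_id }}
+
+    # Timeout in seconds before failover kicks in.
+    advert_int 2
+
+
+    # Used to authenticate VRRP communication between master and backup.
+    authentication {
+        auth_type PASS
+        auth_pass pLOP # temporary password; DO NOT USE
+    }
+
+    smtp_alert
+
+    virtual_ipaddress {
+        # Routing subnet
+        10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
+
+        # Public subnet: wired
+        45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
+        # Public subnet: wifi
+        45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
+
+        # Wired
+        10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
+        # Wifi
+        10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
+    }
+
+    virtual_routes {
+        # 10.129.0.1 is Yggdrasil
+        src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
+    }
+}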
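Review bot: `auth_pass pLOP` in the authentication block commits a literal placeholder secret to the repository even though the tasks file in this same commit already sources `password` from `vault_serviceuser_passwd`; take the VRRP password from a vault-backed variable in the same style (`auth_pass {{ <VAULT_VAR> }}`, name to be chosen) rather than shipping a value the comment itself marks "DO NOT USE". Bear in mind that VRRPv2 `auth_type PASS` carries the password in clear text in every advertisement and keepalived's own documentation describes VRRP authentication as deprecated, so it only helps tell peers apart on the `ens18` link and the isolation of that link is what actually protects the protocol. `VI_ROUT_{{ apartment_block }}` uses a variable name that appears nowhere else in the commit (every other reference is `apartment_block_id`); unless `apartment_block` is defined in the inventory, the template fails to render on the first run. The comment above `advert_int 2` is inaccurate — it is the advertisement interval, and the backup only declares the master down after about three missed advertisements — so reword it to `# Advertisement interval in seconds; the BACKUP takes over after roughly three missed advertisements.`. `notification_email_from routeur-edc-backup@auro.re` is hardcoded although the playbook now applies this role to `routeur-edc*`, so alerts sent by the master also claim to come from the backup; `{{ inventory_hostname }}@auro.re` would keep them distinguishable.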