keepalived: initial config

2020-05-08 15:54:54 +02:00 · 2020-05-08 15:54:54 +02:00 · e58ee1c4b5
commit e58ee1c4b5
parent 26524eccc5
7 changed files with 128 additions and 23 deletions
--- a/network.yml
+++ b/network.yml
@ -20,9 +20,11 @@
  roles:
    - unbound
- hosts: routeur-edc-backup.adm.auro.re # temporaire
+
 # Déploiement du service re2o aurore-firewall et keepalived
 - hosts: routeur-edc*.adm.auro.re
  roles:
-    - aurore-firewall
+    - router
 # WIP: Deploy authoritative DNS servers
--- a/roles/aurore-firewall/tasks/main.yml
+++ b/roles/aurore-firewall/tasks/main.yml
@ -1,19 +0,0 @@
 ---
 - name: Install aurore-firewall (re2o-service)
  import_role:
    name: re2o-service
  vars:
    service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
    service_name: aurore-firewall
    service_version: aurore
    service_config:
      hostname: re2o.auro.re
      username: service-user
      password: "{{ vault_serviceuser_passwd }}"
 - name: Configure aurore-firewall
  template:
    src: firewall_config.py
    dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
    mode: 0644
--- a/roles/router/handlers/main.yml
+++ b/roles/router/handlers/main.yml
@ -0,0 +1,9 @@
 - name: restart keepalived
  systemd:
    state: restarted
    name: keepalived
 - name: run aurore-firewall
  command: python3 main.py --force
  args:
    chdir: /var/local/re2o-services/aurore-firewall/
--- a/roles/router/tasks/main.yml
+++ b/roles/router/tasks/main.yml
@ -0,0 +1,49 @@
 ---
 - name: Enable IPv4 packet forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: yes
 - name: Install aurore-firewall (re2o-service)
  import_role:
    name: re2o-service
  vars:
    service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
    service_name: aurore-firewall
    service_version: aurore
    service_config:
      hostname: re2o.auro.re
      username: service-user
      password: "{{ vault_serviceuser_passwd }}"
  notify: run aurore-firewall
 - name: Configure aurore-firewall
  template:
    src: firewall_config.py
    dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
    mode: 0644
  notify: run aurore-firewall
 - name: Install keepalived
  apt:
    name: keepalived
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Configure keepalived
  template:
    src: keepalived.conf
    dest: /etc/keepalived/keepalived.conf
    mode: 0644
  notify: restart keepalived
 - name: Configure cron
  template:
    src: cron.d/re2o-services
    dest: /etc/cron.d/re2o-services
    mode: 0644
--- a/roles/router/templates/cron.d/re2o-services
+++ b/roles/router/templates/cron.d/re2o-services
@ -0,0 +1,3 @@
 # Régénération du firewall
 */5 * * * * root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py
@reboot root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py --force
--- a/roles/aurore-firewall/templates/firewall_config.py
+++ b/roles/aurore-firewall/templates/firewall_config.py
@ -26,7 +26,8 @@
 ### Give me a role
-role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
+# routeur4 = routeur IPv4
 role = ['routeur4']
 ### Specify each interface role
@ -58,7 +59,9 @@ nat = [
        },
        'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
        'extra_nat' : {
-            '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}'
+            '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
                apartment_block_id }}',
            '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
        }
    }
 ]
--- a/roles/router/templates/keepalived.conf
+++ b/roles/router/templates/keepalived.conf
@ -0,0 +1,58 @@
 # {{ ansible_managed }}
 global_defs {
  notification_email {
    monitoring.aurore@lists.crans.org
  }
  notification_email_from routeur-edc-backup@auro.re
  smtp_server smtp.crans.org
 }
 vrrp_instance VI_ROUT_{{ apartment_block }} {
  {% if 'backup' in inventory_hostname %}
  state BACKUP
  priority 100
  {% else %}
  state MASTER
  priority 150
  {% endif %}
  # Interface used for VRRP communication.
  interface ens18
  # Shared by MASTER and BACKUP
  virtual_router_id {{ apartment_block_id }}
  # Timeout in seconds before failover kicks in.
  advert_int 2
  # Used to authenticate VRRP communication between master and backup.
  authentication {
    auth_type PASS
    auth_pass pLOP # temporary password; DO NOT USE
  }
  smtp_alert
  virtual_ipaddress {
        # Routing subnet
        10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
        # Public subnet: wired
        45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
        # Public subnet: wifi
        45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
        # Wired
        10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
        # Wifi
        10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
   }
  virtual_routes {
        # 10.129.0.1 is Yggdrasil
        src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
  }
 }