keepalived: initial config

This commit is contained in:
Yohaï-Eliel BERREBY 2020-05-08 15:54:54 +02:00
parent 26524eccc5
commit e58ee1c4b5
7 changed files with 128 additions and 23 deletions


@ -20,9 +20,11 @@
roles:
- unbound
- hosts: routeur-edc-backup.adm.auro.re # temporaire
# Déploiement du service re2o aurore-firewall et keepalived
- hosts: routeur-edc*.adm.auro.re
roles:
- aurore-firewall
- router
# WIP: Deploy authoritative DNS servers


@ -1,19 +0,0 @@
---
- name: Install aurore-firewall (re2o-service)
import_role:
name: re2o-service
vars:
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
service_name: aurore-firewall
service_version: aurore
service_config:
hostname: re2o.auro.re
username: service-user
password: "{{ vault_serviceuser_passwd }}"
- name: Configure aurore-firewall
template:
src: firewall_config.py
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
mode: 0644


@ -0,0 +1,9 @@
- name: restart keepalived
systemd:
state: restarted
name: keepalived
- name: run aurore-firewall
command: python3 main.py --force
args:
chdir: /var/local/re2o-services/aurore-firewall/
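Review bot: The `run aurore-firewall` handler invokes a bare `python3` resolved from the play's PATH, while the cron entry added in this same commit pins `/usr/bin/python3` for the very same script; running one program through two different interpreter lookups is an avoidable inconsistency, `command: /usr/bin/python3 main.py --force`. The handler has no `changed_when`, so every play that notifies it reports a change even when the regenerated rules are identical — acceptable for a side-effecting script, but worth stating in a comment such as `# Regenerates the firewall from re2o; always reported as changed`. A non-zero exit from `main.py` aborts the remaining handlers, which is presumably the intended behaviour for a firewall rebuild, and could be noted alongside.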


@ -0,0 +1,49 @@
---
- name: Enable IPv4 packet forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
- name: Install aurore-firewall (re2o-service)
import_role:
name: re2o-service
vars:
service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git
service_name: aurore-firewall
service_version: aurore
service_config:
hostname: re2o.auro.re
username: service-user
password: "{{ vault_serviceuser_passwd }}"
notify: run aurore-firewall
- name: Configure aurore-firewall
template:
src: firewall_config.py
dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
mode: 0644
notify: run aurore-firewall
- name: Install keepalived
apt:
name: keepalived
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure keepalived
template:
src: keepalived.conf
dest: /etc/keepalived/keepalived.conf
mode: 0644
notify: restart keepalived
- name: Configure cron
template:
src: cron.d/re2o-services
dest: /etc/cron.d/re2o-services
mode: 0644
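Review bot: `Configure keepalived` writes keepalived.conf with `mode: 0644`, but that template carries the VRRP `auth_pass`, so any local account on the router can read the shared secret and, with multicast VRRP, could announce itself as master and take the VIPs; the file should be root-only, `mode: "0600"` with `owner: root` and `group: root`. The other `mode: 0644` values should be quoted too — YAML 1.1 parses the bare octal to the integer 420, which Ansible happens to interpret correctly, but the documented convention is the quoted string. `Enable IPv4 packet forwarding` is the first task while the firewall is only (re)generated by the `run aurore-firewall` handler at the end of the play, so on a fresh host forwarding may be switched on before any rules exist; if aurore-firewall does not install a restrictive default policy, a `- meta: flush_handlers` before the sysctl task (or moving the sysctl after the firewall tasks and flushing there) closes that window.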


@ -0,0 +1,3 @@
# Régénération du firewall
*/5 * * * * root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py
@reboot root /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py --force
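Review bot: Both cron entries run `main.py` as root without any lock, so a regeneration that takes longer than five minutes (a slow re2o API response, for instance) overlaps with the next run and two processes rewrite the firewall concurrently; wrap the periodic entry in flock, `*/5 * * * * root /usr/bin/flock -n /run/lock/aurore-firewall.lock /usr/bin/python3 /var/local/re2o-services/aurore-firewall/main.py`. Because the script is executed as root from `/var/local/re2o-services/aurore-firewall/`, which the re2o-service role presumably checks out from the remote git repository named in the tasks file, that directory and its contents must not be writable by any non-root account, otherwise this cron job is a local privilege escalation; worth verifying in the role and the repository's deploy key setup. Stderr is not redirected, so every failing run mails root from each router, which may be intended but should be a deliberate choice. An English header comment, `# Regenerate the firewall from re2o every 5 minutes; full rebuild (--force) at boot`, would also help readers who do not speak French.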


@ -26,7 +26,8 @@
### Give me a role
role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
# routeur4 = routeur IPv4
role = ['routeur4']
### Specify each interface role
@ -58,7 +59,9 @@ nat = [
},
'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
'extra_nat' : {
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}'
'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
apartment_block_id }}',
'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
}
}
]
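Review bot: The new `extra_nat` entry maps `10.129.{{ apartment_block_id }}.254` to the same public address as the existing per-host entry, and `.254` is the keepalived VIP that floats between master and backup, so both routers now carry a NAT entry for an address only one of them holds at a time; if aurore-firewall installs the rule unconditionally this is harmless, but it deserves a comment, `# .254 is the keepalived VIP (see keepalived.conf); only the current MASTER actually owns it`. The `{{ apartment_block_id }}` expression split across two lines is valid Jinja but reads poorly next to the single-line entry right above it; keep the whole value on one line. The `role` assignment templated on `inventory_hostname` gives the backup a different role name than the master, which may or may not be intended once it has taken over the VIPs — a one-line comment on what aurore-firewall does with the role would settle it. Both hunks start and end inside a Python list/dict literal whose surrounding definitions are outside this view.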


@ -0,0 +1,58 @@
# {{ ansible_managed }}
global_defs {
notification_email {
monitoring.aurore@lists.crans.org
}
notification_email_from routeur-edc-backup@auro.re
smtp_server smtp.crans.org
}
vrrp_instance VI_ROUT_{{ apartment_block }} {
{% if 'backup' in inventory_hostname %}
state BACKUP
priority 100
{% else %}
state MASTER
priority 150
{% endif %}
# Interface used for VRRP communication.
interface ens18
# Shared by MASTER and BACKUP
virtual_router_id {{ apartment_block_id }}
# Timeout in seconds before failover kicks in.
advert_int 2
# Used to authenticate VRRP communication between master and backup.
authentication {
auth_type PASS
auth_pass pLOP # temporary password; DO NOT USE
}
smtp_alert
virtual_ipaddress {
# Routing subnet
10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
# Public subnet: wired
45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
# Public subnet: wifi
45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
# Wired
10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
# Wifi
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
}
virtual_routes {
# 10.129.0.1 is Yggdrasil
src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
}
}
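Review bot: `auth_pass pLOP` is a shared VRRP secret committed to the repository in clear and rendered onto both members of the pair; it should come from the vault like the re2o password does, `auth_pass {{ vault_keepalived_auth_pass }}`, bearing in mind keepalived only uses the first eight characters of `auth_pass`. Even with a strong value, `auth_type PASS` sends the password in cleartext and VRRP authentication is deprecated (RFC 3768 and keepalived's own documentation), so the real protection is that VRRP on `ens18` is reachable only by the two routers — if that segment is shared, `unicast_peer { <address of the other router> }` plus filtering IP protocol 112 in aurore-firewall is the stronger fix. `notification_email_from routeur-edc-backup@auro.re` is rendered identically on the master, so failover mails from either node claim to come from the backup; `notification_email_from {{ inventory_hostname }}@auro.re` keeps them distinguishable. `interface ens18` and the `dev ensNN` assignments are the only untemplated values in an otherwise host-parameterised file; a comment stating that both routers must share this interface layout would save the next reader a surprise.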