vrrpd: configure minifirewall with blocks instead of lines
parent
f8e92d2eeb
commit
42ad242aaf
|
@ -23,7 +23,8 @@ The **patch** part is incremented if multiple releases happen the same month
|
||||||
* nrpe: !disk1 exclude filesystem type overlay
|
* nrpe: !disk1 exclude filesystem type overlay
|
||||||
* postfix/amavis: max servers is now 3 (previously 2)
|
* postfix/amavis: max servers is now 3 (previously 2)
|
||||||
* roundcube: Use /var/log/roundcube directly
|
* roundcube: Use /var/log/roundcube directly
|
||||||
* vrrpd : configure and restart minifirewall before starting VRRP
|
* vrrpd: configure and restart minifirewall before starting VRRP
|
||||||
|
* vrrpd: configure minifirewall with blocks instead of lines
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
|
|
@ -9,9 +9,12 @@ vrrp_addresses: []
|
||||||
# priority: Null # the priority of this host in the virtual server (default: 100)
|
# priority: Null # the priority of this host in the virtual server (default: 100)
|
||||||
# authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
|
# authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
|
||||||
# label: Null # use this name is syslog messages (helps when several vrid are running)
|
# label: Null # use this name is syslog messages (helps when several vrid are running)
|
||||||
# ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server
|
# ip: Null # the IP address(es) (and optionnaly subnet mask) of the virtual server
|
||||||
|
# peers: [IP1, IP2] # list of peers (IP), for minifirewall rules
|
||||||
# state: Null # 'started' or 'stopped'
|
# state: Null # 'started' or 'stopped'
|
||||||
# }
|
# }
|
||||||
|
|
||||||
|
vrrp_manage_minifirewall: true
|
||||||
|
|
||||||
minifirewall_restart_if_needed: True
|
minifirewall_restart_if_needed: True
|
||||||
minifirewall_restart_force: False
|
minifirewall_restart_force: False
|
||||||
|
|
|
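Review bot: The new `peers` comment does not say what the role does when the key is left out, yet that is the case that matters for the firewall: with no peers the input rule in this commit's tasks change accepts VRRP multicast from any source on the interface. Suggest `# peers: [IP1, IP2] # peers (IP) allowed to send VRRP; when empty, input is accepted from any source on the interface`. The new `vrrp_manage_minifirewall: true` also deserves a one-line comment above it, e.g. `# set to false to leave /etc/minifirewall.d/vrrpd and the minifirewall restart to something else`, since the defaults file documents every other knob inline.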
@ -11,35 +11,46 @@
|
||||||
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
||||||
|
|
||||||
- name: VRRP output is authorized in minifirewall
|
- name: VRRP output is authorized in minifirewall
|
||||||
lineinfile:
|
ansible.builtin.blockinfile:
|
||||||
path: /etc/minifirewall.d/vrrpd
|
path: /etc/minifirewall.d/vrrpd
|
||||||
line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}"
|
marker: "## {mark} ANSIBLE MANAGED OUTPUT RULES FOR VRID {{ vrrp_address.id }}"
|
||||||
regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$"
|
block: |
|
||||||
|
/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}
|
||||||
create: yes
|
create: yes
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: "root"
|
owner: "root"
|
||||||
group: "root"
|
group: "root"
|
||||||
notify: "{{ minifirewall_restart_handler_name }}"
|
notify: "{{ minifirewall_restart_handler_name }}"
|
||||||
when: _minifirewall_dir.stat.exists
|
when:
|
||||||
|
- vrrp_manage_minifirewall | bool
|
||||||
|
- _minifirewall_dir.stat.exists
|
||||||
|
|
||||||
- name: VRRP input is authorized in minifirewall
|
- name: VRRP input is authorized in minifirewall
|
||||||
lineinfile:
|
ansible.builtin.blockinfile:
|
||||||
path: /etc/minifirewall.d/vrrpd
|
path: /etc/minifirewall.d/vrrpd
|
||||||
line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
|
marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
|
||||||
regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
|
block: |
|
||||||
|
{% if vrrp_address.peers | default([]) | length <= 0 %}
|
||||||
|
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
|
||||||
|
{% else %}
|
||||||
|
{% for peer in vrrp_address.peers %}
|
||||||
|
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
create: yes
|
create: yes
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: "root"
|
owner: "root"
|
||||||
group: "root"
|
group: "root"
|
||||||
loop: "{{ vrrp_address.peers | default([]) }}"
|
|
||||||
loop_control:
|
|
||||||
loop_var: peer
|
|
||||||
notify: "{{ minifirewall_restart_handler_name }}"
|
notify: "{{ minifirewall_restart_handler_name }}"
|
||||||
when: _minifirewall_dir.stat.exists
|
when:
|
||||||
|
- vrrp_manage_minifirewall | bool
|
||||||
|
- _minifirewall_dir.stat.exists
|
||||||
|
|
||||||
- name: Flush handlers to restart minifirewall
|
- name: Flush handlers to restart minifirewall
|
||||||
ansible.builtin.meta: flush_handlers
|
ansible.builtin.meta: flush_handlers
|
||||||
when: _minifirewall_dir.stat.exists
|
when:
|
||||||
|
- vrrp_manage_minifirewall | bool
|
||||||
|
- _minifirewall_dir.stat.exists
|
||||||
|
|
||||||
|
|
||||||
# Configure VRRP service
|
# Configure VRRP service
|
||||||
|
|
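Review bot: Neither INPUT line in the new `block` matches the protocol, so the added no-peers branch accepts every packet to 224.0.0.0/8 from any host on the interface and the per-peer branch accepts all multicast from each peer, whereas the OUTPUT rule above is limited with `-p 112`. Both INPUT rules should carry the same protocol match, e.g. `/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -p 112 -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}` and `-p 112` inserted after `-s {{ peer }}` on the per-peer line; the VRRP multicast group is 224.0.0.18, so `-d 224.0.0.18/32` would be tighter still if nothing else relies on the /8. Since each block is keyed on `vrrp_address.id`, removing an entry from `vrrp_addresses` leaves its rules in /etc/minifirewall.d/vrrpd unless a removal pass exists outside this hunk, which I cannot see from here. Minor: `create: yes` should be `create: true` (ansible-lint truthy), and `length <= 0` reads more plainly as `length == 0`.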