---
# Configure and restart minifirewall before starting the VRRP service

# The drop-in directory is taken as the sign of a minifirewall recent enough
# to read per-service rule files; its presence gates every minifirewall task
# below (registered as _minifirewall_dir).
- name: Check if a recent minifirewall is present
  ansible.builtin.stat:
    path: '/etc/minifirewall.d/'
  register: _minifirewall_dir
# Pick which handler the rule tasks notify: a real restart when
# minifirewall_restart_if_needed is true, otherwise the "(noop)" handler,
# so the notify: lines below stay identical in both cases.
- ansible.builtin.set_fact:
    minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
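# The interpolated values end up verbatim in a rule file that minifirewall
# executes (iptables needs root); vrrp_address.interface is not validated
# here, so it must come from trusted inventory/role variables.
- name: VRRP output is authorized in minifirewall
  ansible.builtin.blockinfile:
    path: /etc/minifirewall.d/vrrpd
    # One marker per VRID so several vrrp_address items can share this file.
    marker: "## {mark} ANSIBLE MANAGED OUTPUT RULES FOR VRID {{ vrrp_address.id }}"
    # IP protocol 112 is VRRP; the rule is restricted to it.
    block: |
      /sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}
    create: true  # was "yes": YAML 1.1 truthy value, use a real boolean
    mode: "0600"
    owner: "root"
    group: "root"
  # Handler name is chosen by minifirewall_restart_if_needed (set_fact above).
  notify: "{{ minifirewall_restart_handler_name }}"
  when:
    - vrrp_manage_minifirewall | bool
    - _minifirewall_dir.stat.exists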
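# As for the OUTPUT rules: vrrp_address.interface and each entry of
# vrrp_address.peers are written unvalidated into a rule file executed by
# minifirewall, so they must come from trusted variables.
- name: VRRP input is authorized in minifirewall
  ansible.builtin.blockinfile:
    path: /etc/minifirewall.d/vrrpd
    marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
    # Without peers: accept from anyone on the interface; with peers: one rule
    # per peer source address.
    # NOTE(review): these rules accept every IP protocol towards the whole
    # 224.0.0.0/8 range, whereas VRRP only needs protocol 112 (as in the
    # OUTPUT rule) to its multicast group 224.0.0.18 — consider narrowing.
    block: |
      {% if vrrp_address.peers | default([]) | length <= 0 %}
      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
      {% else %}
      {% for peer in vrrp_address.peers %}
      /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
      {% endfor %}
      {% endif %}
    create: true  # was "yes": YAML 1.1 truthy value, use a real boolean
    mode: "0600"
    owner: "root"
    group: "root"
  notify: "{{ minifirewall_restart_handler_name }}"
  when:
    - vrrp_manage_minifirewall | bool
    - _minifirewall_dir.stat.exists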
# Handlers would otherwise run at the end of the play; flushing them here
# makes the minifirewall restart happen before the VRRP unit is started.
- name: Flush handlers to restart minifirewall
  when:
    - vrrp_manage_minifirewall | bool
    - _minifirewall_dir.stat.exists
  ansible.builtin.meta: flush_handlers
# Configure VRRP service

# One systemd unit per VRID; the unit name carries vrrp_address.id.
- name: set unit name
  ansible.builtin.set_fact:
    vrrp_systemd_unit_name: 'vrrp-{{ vrrp_address.id }}.service'
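# Render the unit file; the registered result gates the enable/start task.
- name: add systemd unit
  ansible.builtin.template:
    src: vrrp.service.j2
    dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}"
    # Explicit mode: without it a newly created file takes its permissions
    # from the process umask (ansible-lint risky-file-permissions).
    mode: "0644"
    force: true
  register: vrrp_systemd_unit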
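- name: enable and start systemd unit
  ansible.builtin.systemd:
    name: "{{ vrrp_systemd_unit_name }}"
    daemon_reload: true  # was "yes"; the unit file was just (re)written
    enabled: true  # was "yes"
    # Assumed to be a valid value for the systemd module's state option
    # (e.g. started/stopped) — TODO confirm in the role defaults.
    state: "{{ vrrp_address.state }}"
  when:
    # Only acts when the unit file changed: a unit disabled out of band is
    # not re-enabled on a later run — presumably intentional, confirm.
    - vrrp_systemd_unit is changed
    # Never touch systemd in check mode, even if the template task
    # reported a change.
    - not ansible_check_mode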