---
# Configure and restart minifirewall before starting the VRRP service
# Only the existence of /etc/minifirewall.d/ is probed here; every
# minifirewall task below is gated on _minifirewall_dir.stat.exists.
- name: Check if a recent minifirewall is present
  register: _minifirewall_dir
  ansible.builtin.stat:
    path: '/etc/minifirewall.d/'
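# Choose which handler the minifirewall tasks notify: the real restart, or
# the no-op handler when minifirewall_restart_if_needed is false.
- name: Select the minifirewall restart handler
  ansible.builtin.set_fact:
    # Folded scalar: both lines join into one Jinja expression at load time.
    minifirewall_restart_handler_name: >-
      {{ minifirewall_restart_if_needed | bool
      | ternary('restart minifirewall', 'restart minifirewall (noop)') }}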
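- name: VRRP output is authorized in minifirewall
  ansible.builtin.lineinfile:
    path: /etc/minifirewall.d/vrrpd
    # Protocol 112 is VRRP. The trailing "# Allow ..." comment is the marker
    # the regexp keys on, so a re-run replaces this rule instead of
    # appending a duplicate.
    line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}"
    # regex_escape keeps dots in interface names (e.g. VLAN sub-interfaces)
    # literal; "$" stops "eth0" from matching "eth0" followed by more text.
    regexp: "# Allow VRRP output on {{ vrrp_address.interface | regex_escape }}$"
    create: true
    mode: "0600"
    owner: "root"
    group: "root"
  # Handler name resolved earlier from minifirewall_restart_if_needed.
  notify: "{{ minifirewall_restart_handler_name }}"
  when: _minifirewall_dir.stat.exists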
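- name: VRRP input is authorized in minifirewall
  ansible.builtin.lineinfile:
    path: /etc/minifirewall.d/vrrpd
    # One rule per peer. 224.0.0.0/8 is the whole IPv4 multicast range;
    # VRRP itself only uses 224.0.0.18 — narrowing the destination is an
    # option if nothing else on the interface relies on this rule.
    line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
    # Anchored with "$" so "VRID 1" cannot match the line for "VRID 12";
    # regex_escape makes the dots in the peer address and interface literal.
    regexp: "# Allow VRRP input on {{ vrrp_address.interface | regex_escape }} from {{ peer | regex_escape }} for VRID {{ vrrp_address.id }}$"
    create: true
    mode: "0600"
    owner: "root"
    group: "root"
  loop: "{{ vrrp_address.peers | default([]) }}"
  loop_control:
    loop_var: peer
  notify: "{{ minifirewall_restart_handler_name }}"
  when: _minifirewall_dir.stat.exists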
# Run every pending handler now (not only the minifirewall one) so the
# firewall admits VRRP before the service below is started.
# NOTE(review): older Ansible releases ignored `when` on meta: flush_handlers —
# confirm the target version honours it.
- name: Flush handlers to restart minifirewall
  when: _minifirewall_dir.stat.exists
  ansible.builtin.meta: flush_handlers
# Configure VRRP service
- name: set unit name
  ansible.builtin.set_fact:
    # One unit per VRRP instance, named after its VRID.
    vrrp_systemd_unit_name: 'vrrp-{{ vrrp_address.id }}.service'
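- name: add systemd unit
  ansible.builtin.template:
    src: vrrp.service.j2
    dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}"
    # Explicit permissions instead of whatever the umask yields; hosts
    # provisioned before this line may report "changed" once.
    # NOTE(review): 0644 is the usual unit-file mode — tighten it if
    # vrrp.service.j2 embeds a credential; check the template.
    mode: "0644"
    force: true
  # The changed state drives the enable/start task below.
  register: vrrp_systemd_unit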
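- name: enable and start systemd unit
  ansible.builtin.systemd:
    name: "{{ vrrp_systemd_unit_name }}"
    daemon_reload: true
    enabled: true
    state: "{{ vrrp_address.state }}"
  # Runs only when the unit file was (re)written, so a unit stopped or
  # disabled out-of-band is not restored by a later run — presumably
  # deliberate to avoid needless restarts; revisit if drift must be corrected.
  # Skipped in check mode, presumably because the template is not written there.
  when:
    - vrrp_systemd_unit is changed
    - not ansible_check_mode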