WIP: add vrrp addresses via Ansible

2022-06-17 10:54:26 +02:00 · 2022-06-17 10:54:26 +02:00 · a1995f0e74
parent a38a174b83
commit a1995f0e74
4 changed files with 81 additions and 5 deletions
--- a/vrrpd/defaults/main.yml
+++ b/vrrpd/defaults/main.yml
@ -0,0 +1,13 @@
+---
+
+vrrp_addresses: []
+# - {
+#     interface: Null         # the interface name to run on
+#     delay: 10               # the advertisement interval (in sec) (default: 1)
+#     id: Null                # the id of the virtual server [1-255]
+#     priority: Null          # the priority of this host in the virtual server (default: 100)
+#     authentication: Null    # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
+#     label: Null             # use this name is syslog messages (helps when several vrid are running)
+#     ip: Null                # the ip address(es) (and optionnaly subnet mask) of the virtual server
+#     state: Null             # 'started' or 'stopped'
+#   }
--- a/vrrpd/tasks/ip.yml
+++ b/vrrpd/tasks/ip.yml
@ -0,0 +1,20 @@
+---
+
+- name: set unit name
+  set_fact:
+    vrrp_systemd_unit_name: "vrrp-{{ vrrp_address.id }}.service"
+
+- name: add systemd unit
+  template:
+    src: vrrp.service.j2
+    dest: "/etc/systemd/system/vrrp-{{ vrrp_systemd_unit_name }}"
+    force: yes
+  register: vrrp_systemd_unit
+
+- name: enable and start systemd unit
+  systemd:
+    name: "{{ vrrp_systemd_unit_name }}"
+    daemon_reload: yes
+    enabled: yes
+    state: "{{ vrrp_address.state }}"
+  when: vrrp_systemd_unit is changed
--- a/vrrpd/tasks/main.yml
+++ b/vrrpd/tasks/main.yml
@ -14,7 +14,36 @@
  tags:
    - vrrpd

- name: Adjust sysctl config
+- name: Adjust sysctl config (except rp_filter)
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_file: /etc/sysctl.d/vrrpd.conf
+    sysctl_set: yes
+    state: present
+  loop:
+    - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
+    - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
+    - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
+  tags:
+    - vrrpd
+
+- name: look if rp_filter is managed by minifirewall
+  command: grep "SYSCTL_RP_FILTER=" /etc/default/minifirewall
+  failed_when: False
+  changed_when: False
+  check_mode: no
+  register: grep_sysctl_rp_filter_minifirewall
+
+- name: Configure SYSCTL_RP_FILTER in minifirewall
+  lineinfile:
+    dest: "/etc/default/minifirewall"
+    line: "SYSCTL_RP_FILTER='0'"
+    regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"
+    create: no
+  when: grep_sysctl_rp_filter_minifirewall.rc == 0
+
+- name: Adjust sysctl config (only rp_filter)
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
@ -23,10 +52,13 @@
    state: present
  loop:
    - { name: 'net.ipv4.conf.default.rp_filter', value: 0 }
-    - { name: 'net.ipv4.conf.eth0.rp_filter', value: 0 }
    - { name: 'net.ipv4.conf.all.rp_filter', value: 0 }
-    - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
-    - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
-    - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
+  when: grep_sysctl_rp_filter_minifirewall.rc != 0
  tags:
    - vrrpd
+
+- name: Create VRRP address
+  include: ip.yml
+  loop: "{{ vrrp_addresses }}"
+  loop_control:
+    loop_var: "vrrp_address"
--- a/vrrpd/templates/vrrp.service.j2
+++ b/vrrpd/templates/vrrp.service.j2
@ -0,0 +1,11 @@
+[Unit]
+Description=VRRP Daemon for IP {{ vrrp_address.ip }} on {{ vrrp_address.interface }}
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/vrrpd -i {{ vrrp_address.interface | mandatory }} -x -D -d {{ vrrp_address.delay | mandatory }} -v {{ vrrp_address.id | mandatory }} -p {{ vrrp_address.priority | mandatory }} -a {{ vrrp_address.authentication | mandatory }} -l {{ vrrp_address.label | mandatory }} {{ vrrp_address.ip | mandatory }}
+
+Type=forking
+
+[Install]
+WantedBy=default.target