diff --git a/vrrpd/defaults/main.yml b/vrrpd/defaults/main.yml
new file mode 100644
index 00000000..f5950a14
--- /dev/null
+++ b/vrrpd/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+
+vrrp_addresses: []
+# - {
+# interface: Null # the interface name to run on
+# delay: 10 # the advertisement interval (in sec) (default: 1)
+# id: Null # the id of the virtual server [1-255]
+# priority: Null # the priority of this host in the virtual server (default: 100)
+# authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
+# label: Null # use this name is syslog messages (helps when several vrid are running)
+# ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server
+# state: Null # 'started' or 'stopped'
+# }
\ No newline at end of file
diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml
new file mode 100644
index 00000000..38d75ccb
--- /dev/null
+++ b/vrrpd/tasks/ip.yml
@@ -0,0 +1,20 @@
+---
+
+- name: set unit name
+ set_fact:
+ vrrp_systemd_unit_name: "vrrp-{{ vrrp_address.id }}.service"
+
+- name: add systemd unit
+ template:
+ src: vrrp.service.j2
+ dest: "/etc/systemd/system/vrrp-{{ vrrp_systemd_unit_name }}"
+ force: yes
+ register: vrrp_systemd_unit
+
+- name: enable and start systemd unit
+ systemd:
+ name: "{{ vrrp_systemd_unit_name }}"
+ daemon_reload: yes
+ enabled: yes
+ state: "{{ vrrp_address.state }}"
+ when: vrrp_systemd_unit is changed
\ No newline at end of file
diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml
index 5804cb39..44ebe65a 100644
--- a/vrrpd/tasks/main.yml
+++ b/vrrpd/tasks/main.yml
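Review bot: The example block documents `delay` as "(default: 1)" and `priority` as "(default: 100)", but the unit template added in this same commit passes every field through the `mandatory` filter, so a missing `delay` or `priority` fails the template instead of falling back to those vrrpd defaults; either drop the "(default: …)" remarks or say plainly that every key is required. The same comments carry typos worth fixing while here: `authentification` → `authentication`, `use this name is syslog messages` → `use this name in syslog messages`, `optionnaly` → `optionally`. For `pw/hexkey` and `ah/hexkey` the `authentication` value is the shared key itself, so a remark such as `# authentication: Null # auth=(none|pw/hexkey|ah/hexkey); the hexkey is a secret, keep this var in vault` would tell operators not to commit it in clear.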
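Review bot: The `dest` in "add systemd unit" renders to `/etc/systemd/system/vrrp-vrrp-<id>.service`, because `vrrp_systemd_unit_name` already carries the `vrrp-` prefix and the `.service` suffix, while "enable and start systemd unit" enables `vrrp-<id>.service`; the unit that gets enabled is never the one that was written, so use `dest: "/etc/systemd/system/{{ vrrp_systemd_unit_name }}"`. The `when: vrrp_systemd_unit is changed` guard also means a later run does not restore `enabled`/`state` after a manual `systemctl disable` or `stop`, and when the template does change, `state: started` leaves an already-running daemon on its old command line; dropping the `when` and notifying a restart handler (or using `state: restarted` when `vrrp_systemd_unit is changed and vrrp_address.state == 'started'`) covers both. Minor: `force: yes`, `daemon_reload: yes` and `enabled: yes` are better written as `true`.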
@@ -14,7 +14,36 @@
 tags:
 - vrrpd
-- name: Adjust sysctl config
+- name: Adjust sysctl config (except rp_filter)
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ sysctl_file: /etc/sysctl.d/vrrpd.conf
+ sysctl_set: yes
+ state: present
+ loop:
+ - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
+ - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
+ - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
+ tags:
+ - vrrpd
+
+- name: look if rp_filter is managed by minifirewall
+ command: grep "SYSCTL_RP_FILTER=" /etc/default/minifirewall
+ failed_when: False
+ changed_when: False
+ check_mode: no
+ register: grep_sysctl_rp_filter_minifirewall
+
+- name: Configure SYSCTL_RP_FILTER in minifirewall
+ lineinfile:
+ dest: "/etc/default/minifirewall"
+ line: "SYSCTL_RP_FILTER='0'"
+ regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"
+ create: no
+ when: grep_sysctl_rp_filter_minifirewall.rc == 0
+
+- name: Adjust sysctl config (only rp_filter)
 sysctl:
 name: "{{ item.name }}"
 value: "{{ item.value }}"
@@ -23,10 +52,13 @@
 state: present
 loop:
 - { name: 'net.ipv4.conf.default.rp_filter', value: 0 }
- - { name: 'net.ipv4.conf.eth0.rp_filter', value: 0 }
 - { name: 'net.ipv4.conf.all.rp_filter', value: 0 }
- - { name: 'net.ipv4.conf.all.arp_ignore', value: 1 }
- - { name: 'net.ipv4.conf.all.arp_announce', value: 2 }
- - { name: 'net.ipv4.ip_nonlocal_bind', value: 1 }
+ when: grep_sysctl_rp_filter_minifirewall.rc != 0
 tags:
 - vrrpd
+
+- name: Create VRRP address
+ include: ip.yml
+ loop: "{{ vrrp_addresses }}"
+ loop_control:
+ loop_var: "vrrp_address"
\ No newline at end of file
diff --git a/vrrpd/templates/vrrp.service.j2 b/vrrpd/templates/vrrp.service.j2
new file mode 100644
index 00000000..7bd588d7
--- /dev/null
+++ b/vrrpd/templates/vrrp.service.j2
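Review bot: The two new minifirewall tasks ("look if rp_filter is managed by minifirewall" and "Configure SYSCTL_RP_FILTER in minifirewall") carry no `tags: - vrrpd` while every sibling sysctl task does, so a run limited with `--tags vrrpd` skips the `register` and the following "Adjust sysctl config (only rp_filter)" task then fails on an undefined `grep_sysctl_rp_filter_minifirewall`; add the tag to both (the "Create VRRP address" task in the next hunk has the same gap). Detection and rewrite also disagree: `grep "SYSCTL_RP_FILTER="` matches an unquoted `SYSCTL_RP_FILTER=1` or a commented-out `#SYSCTL_RP_FILTER='1'`, but the `regexp` only matches a quoted value, so in those cases `lineinfile` appends a second assignment at end of file instead of replacing; `grep "^SYSCTL_RP_FILTER="` together with `regexp: "^SYSCTL_RP_FILTER="` keeps the two consistent. Rewriting the file changes nothing in the running kernel until minifirewall is next restarted, which this hunk does not do — presumably a handler is intended. Style: `failed_when: False`, `changed_when: False` and `check_mode: no` read better as `false`.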
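Review bot: With the `eth0.rp_filter` entry gone, the loop only sets `conf.all` and `conf.default`; the kernel uses the stricter of `conf.all.rp_filter` and the per-interface value, and `conf.default` only seeds interfaces created later, so an existing VRRP interface that already has `rp_filter=1` keeps reverse-path filtering on despite this task. The interface name is not known in this loop, but the per-interface sysctl (`net.ipv4.conf.{{ vrrp_address.interface }}.rp_filter`) could be applied in ip.yml, where `vrrp_address` is in scope. The "Create VRRP address" task uses `include` with `loop`, which Ansible has deprecated in favour of `include_tasks` (if the target is 2.4 or newer), and it lacks the `tags: - vrrpd` every other task carries, so `--tags vrrpd` never creates the units.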
@@ -0,0 +1,11 @@
+[Unit]
+Description=VRRP Daemon for IP {{ vrrp_address.ip }} on {{ vrrp_address.interface }}
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/vrrpd -i {{ vrrp_address.interface | mandatory }} -x -D -d {{ vrrp_address.delay | mandatory }} -v {{ vrrp_address.id | mandatory }} -p {{ vrrp_address.priority | mandatory }} -a {{ vrrp_address.authentication | mandatory }} -l {{ vrrp_address.label | mandatory }} {{ vrrp_address.ip | mandatory }}
+
+Type=forking
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
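Review bot: `-a {{ vrrp_address.authentication | mandatory }}` places the `pw/hexkey` or `ah/hexkey` secret on the daemon's command line, where it is readable by any local user through the process list, and the rendered unit under `/etc/systemd/system` is world-readable by default; if vrrpd offers no way to read the key from a file, at least keep the variable vaulted, set `mode: "0600"` on the template task, and add above `ExecStart` a comment such as `# the -a value carries the VRRP key and is visible to local users via the process list`. Every value is interpolated unquoted, so a `label` containing whitespace or a `%` is split or specifier-expanded by systemd; quoting the string arguments, e.g. `-l "{{ vrrp_address.label | mandatory }}"`, avoids that. `After=network.target` does not wait for addresses to be configured on the interface; `After=network-online.target` with `Wants=network-online.target` is the usual choice for a daemon bound to a specific interface. Nothing restarts the daemon if it exits, so `Restart=on-failure` in `[Service]` is worth adding.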