Merge pull request 'Remove the keepalived and unbound-resolver roles. They have their own repository now.' (#215) from adellam/ansible-roles:master into master

This commit is contained in:
Andrea Dell'Amico 2020-06-17 18:50:31 +02:00
commit 06b2198ac0
14 changed files with 0 additions and 523 deletions


@ -1,62 +0,0 @@
---
# http://www.keepalived.org/
#
keepalived_install: False
keepalived_enabled: '{{ keepalived_install }}'
keepalived_version: 1.1.20
keepalived_repo: 'ppa:keepalived/stable'
keepalived_pkg_state: latest
# Use 'keepalived={{ keepalived_version }}' if you want a specific version
keepalived_pkgs:
- keepalived
keepalived_use_unicast: False
keepalived_unicast_src_ip: '{{ ansible_default_ipv4.address }}'
keepalived_unicast_peer_ip:
- 127.0.0.1
- 127.0.0.2
keepalived_mcast_addr: 224.0.0.0/8
keepalived_floating_ip1: 127.0.0.1
keepalived_script1_name: keepalived_check_service_status
# We set haproxy as the default because most of our keepalived use is haproxy related
keepalived_service_to_check: 'haproxy'
keepalived_script1_check: '/bin/pidof {{ keepalived_service_to_check }}'
keepalived_instance1_name: 'VRRP_1'
keepalived_interface1_name: '{{ ansible_default_ipv4.interface }}'
keepalived_initial_state: 'MASTER'
keepalived_inst_priority: 100
keepalived_vrouter_id: 51
keepalived_non_local_bind: True
keepalived_enable_script_security: True
keepalived_script_username: keepalived_script
keepalived_script_user_home: '/var/lib/keepalived'
keepalived_runtime_dir: /run/keepalived
keepalived_nagios_check: False
keepalived_notify_script: /usr/local/bin/keepalived_notify
keepalived_check_script: '/usr/local/bin/{{ keepalived_script1_name }}'
# The service must install its own script if it is too complex to be managed by the provided one
keepalived_scripts:
- name: '{{ keepalived_script1_name }}'
script: '{{ keepalived_check_script }}'
# In seconds
interval: 2
# Priority increment
weight: 2
keepalived_instances:
- name: '{{ keepalived_instance1_name }}'
interface: '{{ keepalived_interface1_name }}'
state: '{{ keepalived_initial_state }}'
vrouter_id: '{{ keepalived_vrouter_id }}'
notify: '{{ keepalived_notify_script }}'
priority: '{{ keepalived_inst_priority }}'
nopreempt: True
v_addr:
- '{{ keepalived_floating_ip1 }}'
track_script:
- '{{ keepalived_script1_name }}'
track_interface:
- '{{ keepalived_interface1_name }}'


@ -1,57 +0,0 @@
#!/bin/bash
#
# echo $1 $2 is in $3 state > /var/run/keepalive.state
#
###############################################################
# Check Keepalived State #
# #
# Author: Zhivko Todorov <ztodorov@neterra.net> #
# Date: 01-Dec-2015 #
# Version: 0.0.1 #
# License: GPL #
###############################################################
# set to 'true' if the host is supposed to be in MASTER state
# or set to 'false' if the host is supposed to be in BACKUP state
# nrpe cannot receive external variables UNLESS is forced in config
MASTER='true'
# checking if there are alive keepalived processes so we can trust the content of the notify 'state' file
KEEPALIVENUM=`ps uax|grep '/usr/sbin/keepalived'|grep -v grep|wc -l|tr -d "\n"`
if [ $KEEPALIVENUM -gt 0 ]; then
KEEPALIVESTATE=`cat /var/run/keepalive.state`
if [ "$MASTER" == "true" ]; then
if [[ $KEEPALIVESTATE == *"MASTER"* ]];then
echo $KEEPALIVESTATE
exit 0
fi
if [[ $KEEPALIVESTATE == *"BACKUP"* ]];then
echo $KEEPALIVESTATE
exit 0
fi
else
if [[ $KEEPALIVESTATE == *"BACKUP"* ]];then
echo $KEEPALIVESTATE
exit 0
fi
if [[ $KEEPALIVESTATE == *"MASTER"* ]];then
echo $KEEPALIVESTATE
exit 2
fi
fi
fi
echo "Keepalived is in UNKNOWN state"
exit 3


@ -1,4 +0,0 @@
---
- name: restart keepalived
service: name=keepalived state=restarted
when: keepalived_enabled


@ -1,100 +0,0 @@
---
- block:
- name: Install the keepalived repository
apt_repository: repo={{ keepalived_repo }} update_cache=yes
when: ansible_distribution_major_version <= '16'
- name: Install the keepalived package
apt: name={{ keepalived_pkgs }} state={{ keepalived_pkg_state }} cache_valid_time=1800
tags: keepalived
when:
- keepalived_install | bool
- ansible_distribution_file_variety == "Debian"
- block:
- name: Install the user that the keepalived scripts will run under
user: name={{ keepalived_script_username }} home={{ keepalived_script_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
- name: Create the keepalive script user directory
file: dest={{ keepalived_script_user_home }} state=directory owner={{ keepalived_script_username }} group={{ keepalived_script_username }} mode=0750
- name: Create the tmpfile entry for the keepalived runtime directory
template: src=tmpfile_keepalived.conf.j2 dest=/usr/lib/tmpfiles.d/keepalived.conf owner=root group=root mode=0644
when: ansible_service_mgr == 'systemd'
- name: Install the keepalived configuration
template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf owner=root group=root mode=0600
notify: restart keepalived
- name: Install the keepalived default check script
template: src=keepalived_check_service_status.sh.j2 dest=/usr/local/bin/keepalived_check_service_status owner=root group=root mode=0755
notify: restart keepalived
- name: Install the keepalived notify scripts
template: src=keepalived_notify.sh.j2 dest={{ item.notify }} owner=root group={{ keepalived_script_username }} mode=0754
with_items: '{{ keepalived_instances }}'
- name: Set the kernel net.ipv4.ip_nonlocal_bind sysctl
sysctl:
reload: yes
state: present
name: net.ipv4.ip_nonlocal_bind
sysctl_set: yes
sysctl_file: /etc/sysctl.d/90-keepalived
value: 1
when: keepalived_non_local_bind | bool
- name: Disable the kernel net.ipv4.ip_nonlocal_bind sysctl if not needed
sysctl:
reload: yes
state: absent
name: net.ipv4.ip_nonlocal_bind
sysctl_set: yes
sysctl_file: /etc/sysctl.d/90-keepalived
value: 1
when: not keepalived_non_local_bind | bool
- name: Ensure that keepalived is started and enabled
service: name=keepalived state=started enabled=yes
when: keepalived_enabled | bool
- name: Ensure that keepalived is stopped and disabled
service: name=keepalived state=stopped enabled=no
when: not keepalived_enabled | bool
tags: [ 'keepalived', 'keepalived_conf' ]
when: keepalived_install | bool
- block:
- name: Install the keepalived NRPE nagios check
copy: src=check_keepalived_state dest={{ nagios_plugins_dir }}/check_keepalived_state owner=root group=root mode=0555
with_items: '{{ keepalived_instances }}'
- name: Install the keepalived NRPE command configuration
template: src=keepalived-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/keepalived-nrpe.cfg owner=root group=root mode=0444
notify: Reload NRPE server
tags: keepalived
when:
- keepalived_install | bool
- keepalived_nagios_check | bool
- block:
- name: Remove the keepalived package if we do not want it
apt: name={{ keepalived_pkgs }} state=absent
- name: Remove the keepalived notify scripts
file: dest={{ item.notify }} state=absent
with_items: '{{ keepalived_instances }}'
- name: Remove the keepalived NRPE check
file: dest={{ nagios_plugins_dir }}/check_keepalived_state state=absent
with_items: '{{ keepalived_instances }}'
- name: Remove the keepalived NRPE command configuration
file: dest={{ nrpe_include_dir }}/keepalived-nrpe.cfg state=absent
tags: keepalived
when: not keepalived_install | bool


@ -1,6 +0,0 @@
#
command[check_keepalived]={{ nagios_plugins_dir }}/check_keepalived_state
# Restart keepalived (via handler)
command[global_restart_keepalived]=/usr/bin/sudo /etc/init.d/keepalived restart


@ -1,88 +0,0 @@
global_defs {
{% if keepalived_enable_script_security %}
enable_script_security
{% if ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18' %}
script_user root
{% else %}
script_user {{ keepalived_script_username }}
{% endif %}
{% endif %}
}
{% for script in keepalived_scripts %}
vrrp_script {{ script.name }} {
script "{{ script.script }}"
interval {{ script.interval | default(1) }}
weight {{ script.weight | default(2) }}
fall {{ script.fall | default(3) }}
rise {{ script.raise | default(2) }}
timeout {{ script.timeout | default(5) }}
}
{% endfor %}
{% for instance in keepalived_instances %}
vrrp_instance {{ instance.name }} {
interface {{ instance.interface }}
{% if instance.state is defined %}
{% if instance.nopreempt is defined and instance.nopreempt %}
state BACKUP
{% else %}
state {{ instance.state }}
{% endif %}
{% endif %}
virtual_router_id {{ instance.vrouter_id }}
priority {{ instance.priority }}
{% if instance.notify is defined %}
notify {{ instance.notify }}
{% endif %}
{% if instance.nopreempt is defined and instance.nopreempt %}
nopreempt
{% endif %}
{% if instance.authentication is defined %}
authentication {
auth_type {{ instance.authentication }}
auth_pass {{ instance.authpass }}
}
{% endif %}
virtual_ipaddress {
{% for addr in instance.v_addr %}
{{ addr }}
{% endfor %}
}
track_script {
{% for trk in instance.track_script %}
{{ trk }}
{% endfor %}
}
{% if instance.track_interface is defined %}
track_interface {
{% for if in instance.track_interface %}
{{ if }}
{% endfor %}
}
{% endif %}
{% if keepalived_use_unicast %}
unicast_src_ip {{ instance.keepalived_unicast_src_ip }}
unicast_peer {
{% for ipaddr in instance.keepalived_unicast_peer_ip %}
{{ ipaddr }}
{% endfor %}
}
{% endif %}
}
{% endfor %}


@ -1,19 +0,0 @@
#!/bin/bash
{% if ansible_distribution_file_variety == "Debian" and ansible_distribution_major_version == '18' %}
am_i_master=$( grep MASTER {{ keepalived_runtime_dir }}/keepalive.state )
keepalive_master=$?
if [ $keepalive_master -eq 0 ] ; then
{% for instance in keepalived_instances %}
{% for addr in instance.v_addr %}
float_ip=$( ip addr show | grep {{ addr }} )
retval=$?
[ $retval -eq 1 ] && /bin/systemctl restart keepalived
{% endfor %}
{% endfor %}
fi
{% endif %}
{{ keepalived_script1_check }}
exit $?


@ -1,19 +0,0 @@
#!/bin/bash
#
# echo $1 $2 is in $3 state > /var/lib/keepalived/keepalive.state
#
umask 022
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:$PATH"
TYPE=$1
NAME=$2
STATE=$3
RETVAL=0
{% if keepalived_notify_extra_params is defined %}
{{ keepalived_notify_extra_params }}
{% endif %}
echo "$TYPE $NAME is in $STATE state" > {{ keepalived_runtime_dir }}/keepalive.state
exit $RETVAL


@ -1 +0,0 @@
d {{ keepalived_runtime_dir }} 0775 {{ keepalived_script_username }} {{ keepalived_script_username }}


@ -1,52 +0,0 @@
---
unbound_pkgs:
- unbound
- unbound-anchor
- unbound-host
- dnsutils
unbound_interfaces:
- '0.0.0.0'
- '::0'
unbound_allowed_clients:
- { cidr: '0.0.0.0/0', policy: 'allow' }
unbound_prefetch: 'yes'
unbound_verbosity: 1
unbound_threads: '{{ ansible_processor_count }}'
unbound_remote_control: 'yes'
unbound_remote_IP: '127.0.0.1'
unbound_rrset_cache_size: 100m
unbound_rrset_msg_cache_size: 50m
# Larger socket buffer. OS may need config.
unbound_so_rcvbuf: 4m
unbound_so_sndbuf: 4m
# Faster UDP with multithreading (only on Linux).
unbound_so_reuseport: 'yes'
# with libevent
unbound_num_queries_per_thread: 4096
unbound_max_negative_ttl: 3600
unbound_hide_identity: 'yes'
unbound_hide_version: 'yes'
unbound_qname_minimisation: 'no'
unbound_val_clean_additional: 'yes'
# The following is experimental
unbound_use_caps_for_id: 'no'
unbound_unwanted_reply_threshold: '10000000'
unbound_do_not_query_localhost: 'no'
unbound_rrset_roundrobin: 'yes'
unbound_unblock_lan_zones: 'no'
unbound_do_ipv6: 'yes'
unbound_private_addresses: []
unbound_private_domains: []
# Stub zones
# One of stub_host or stub_addr must be defined
# stub_prime and stub_first are both optional, default 'yes'
#unbound_stub_zones:
# - { name: '', stub_addr: '', stub_host: '', stub_prime: '', stub_first: '' }


@ -1,4 +0,0 @@
---
- name: Restart unbound
service: name=unbound state=restarted


@ -1,24 +0,0 @@
---
- block:
- name: Install the unbound resolver packages
apt: pkg={{ unbound_pkgs }} state=present cache_valid_time=1800 update_cache=yes
- name: Install the unbound config files
template: src={{ item }} dest=/etc/unbound/unbound.conf.d/{{ item }}
with_items:
- unbound-server.conf
- unbound-remote-control.conf
notify: Restart unbound
tags: [ 'unbound', 'unbound_conf' ]
- name: On bionic, stop systemd-resolvd because it interferes
service: name=systemd-resolved state=stopped enabled=no
when:
- ansible_distribution == "Ubuntu"
- ansible_service_mgr == 'systemd'
- ansible_distribution_major_version >= '18'
- name: Ensure that the unbound service is started and enabled
service: name=unbound state=restarted enabled=yes
tags: [ 'unbound' ]


@ -1,6 +0,0 @@
remote-control:
control-enable: {{ unbound_remote_control }}
{% if unbound_remote_IP is defined %}
control-interface: '{{ unbound_remote_IP }}'
{% endif %}


@ -1,81 +0,0 @@
server:
{% for interface in unbound_interfaces %}
interface: {{ interface }}
{% endfor %}
{% if keepalived_install is defined and keepalived_install %}
ip-transparent: yes
{% endif %}
interface-automatic: yes
{% for net in unbound_allowed_clients %}
access-control: {{ net.cidr }} {{ net.policy }}
{% endfor %}
verbosity: {{ unbound_verbosity }}
# use all CPUs
num-threads: {{ unbound_threads }}
prefetch: {{ unbound_prefetch }}
# power of 2 close to num-threads
msg-cache-slabs: {{ unbound_threads }}
rrset-cache-slabs: {{ unbound_threads }}
infra-cache-slabs: {{ unbound_threads }}
key-cache-slabs: {{ unbound_threads }}
# more cache memory, rrset=msg*2
rrset-cache-size: {{ unbound_rrset_cache_size }}
msg-cache-size: {{ unbound_rrset_msg_cache_size }}
# more outgoing connections
# depends on number of cores: 1024/cores - 50
outgoing-range: {{ 1024 * unbound_threads - 50 }}
# Larger socket buffer. OS may need config.
so-rcvbuf: {{ unbound_so_rcvbuf }}
so-sndbuf: {{ unbound_so_sndbuf }}
# Negative TTL
cache-max-negative-ttl: {{ unbound_max_negative_ttl }}
# Faster UDP with multithreading (only on Linux).
so-reuseport: {{ unbound_so_reuseport }}
# with libevent
num-queries-per-thread: {{ unbound_num_queries_per_thread }}
hide-identity: {{ unbound_hide_identity }}
hide-version: {{ unbound_hide_version }}
qname-minimisation: {{ unbound_qname_minimisation }}
# The following is experimental
use-caps-for-id: {{ unbound_use_caps_for_id }}
unwanted-reply-threshold: {{ unbound_unwanted_reply_threshold }}
do-not-query-localhost: {{ unbound_do_not_query_localhost }}
rrset-roundrobin: {{ unbound_rrset_roundrobin }}
val-clean-additional: {{ unbound_val_clean_additional }}
unblock-lan-zones: {{ unbound_unblock_lan_zones }}
do-ip6: {{ unbound_do_ipv6 }}
#
{% if ansible_service_mgr == 'systemd' %}
use-systemd: yes
do-daemonize: no
{% endif %}
{% for cidr in unbound_private_addresses %}
private-address: {{ cidr }}
{% endfor %}
{% for dom in unbound_private_domains %}
private-domain: {{ dom }}
{% endfor %}
{% if unbound_stub_zones is defined %}
{% for zone in unbound_stub_zones %}
stub-zone:
name: {{ zone.name }}
{% if zone.stub_host is defined %}
stub-host: {{ zone.stub_host }}
{% endif %}
{% if zone.stub_addr is defined %}
stub-addr: {{ zone.stub_addr }}
{% endif %}
stub-prime: {{ zone.stub_prime | default('no') }}
stub-first: {{ zone.stub_first | default('yes') }}
{% endfor %}
{% endif %}