feat: Create role

README.md

@@ -58,12 +58,12 @@ Passer en unicast en utilisant cette liste d'IP.
 
 *<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
 
-### keepalived_notify
+### keepalived_notify_script_enabled
 
-Dictionnaire comportant des booléens permettant d'activer les scripts en fonction de l'état.<br>
-Les scripts sont déployés dans `/srv/keepalived/notify_{master,backup,fault,stop}.sh`.
+Booléen permettant d'activer le script de notification.<br>
+Le script est déployé dans `/etc/keepalived/notify.sh`.
 
-*<span style="text-decoration: underline">Valeur par défaut:</span> `false` (pour chaque état)*
+*<span style="text-decoration: underline">Valeur par défaut:</span> `false`*
 
 ### keepalived_track_scripts
 

defaults/main.yml

@@ -13,21 +13,22 @@ keepalived_ipv6: ""
 
 keepalived_peers: []
 
-keepalived_notify:
-  - master: false
-  - backup: false
-  - fault: false
-  - stop: false
+keepalived_notify_enable: false
+keepalived_notify_pre: {}
+keepalived_notify_is_master: {}
+keepalived_notify_is_backup: {}
+keepalived_notify_is_fault: {}
+keepalived_notify_by_default: {}
 
 keepalived_track_scripts: []
-# Exemple:
+# Example:
 #  - name: check_haproxy_8080
 #    command: /usr/bin/nc -zv 127.0.0.1 8080
 #  - name: check_haproxy_8081
 #    command: /usr/bin/nc -zv 127.0.0.1 8081
 
 keepalived_track_processes: []
-# Exemple:
+# Example:
 #  - name: check_haproxy
 #    search: /usr/sbin/haproxy
 #    quorum: 2

handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 # handlers file for keepalived
 
-- name: Redémarrer keepalived.service
+- name: Restart keepalived.service
   become: true
   ansible.builtin.systemd:
     state: restarted

meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
   namespace: ykn
   author: pulsar89.5
-  description: Rôle de déploiement de keepalived
+  description: Deploy keepalived
 
   license: GPL-3.0-or-later
 

tasks/configuration.yml

@@ -0,0 +1,37 @@
+---
+# tasks file for keepalived
+
+- name: Deploy configuration
+  ansible.builtin.template:
+    src: keepalived.j2
+    dest: /etc/keepalived/keepalived.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  become: true
+  notify: Restart keepalived.service
+
+- name: Deploy sudoers configuration
+  ansible.builtin.template:
+    src: sudoers.j2
+    dest: /etc/sudoers.d/keepalived_script
+    owner: root
+    group: keepalived_script
+    mode: u=rwx,g=rx,o=
+    validate: /usr/sbin/visudo -cf %s
+  when:
+    - keepalived_notify_enable
+    - keepalived_sudoers_cmd | length > 0
+  become: true
+  notify: Restart keepalived.service
+
+- name: Deploy notify script
+  ansible.builtin.template:
+    src: notify.bash.j2
+    dest: /etc/keepalived/notify.bash
+    owner: root
+    group: keepalived_script
+    mode: u=rwx,g=rx,o=
+  when: keepalived_notify_enable
+  become: true
+  notify: Restart keepalived.service

tasks/installation.yml

@@ -0,0 +1,7 @@
+---
+# tasks file for keepalived
+
+- name: Install keepalived
+  ansible.builtin.apt:
+    name: keepalived
+  become: true

tasks/main.yml

@@ -1,37 +1,10 @@
 ---
 # tasks file for keepalived
 
-- name: Installer le paquet
-  ansible.builtin.apt:
-    name: keepalived
-  become: true
+- name: Import installation tasks
+  ansible.builtin.import_tasks:
+    file: installation.yml
 
-- name: Déployer la configuration
-  ansible.builtin.template:
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
-    src: keepalived.j2
-    dest: /etc/keepalived/keepalived.conf
-  become: true
-  notify: Redémarrer keepalived.service
-
-- name: Créer le dossier de déploiement des scripts
-  ansible.builtin.file:
-    path: /srv/keepalived
-    owner: root
-    group: root
-    mode: u=rwX,g=rX,o=
-    state: directory
-  become: true
-
-- name: Déployer les scripts
-  ansible.builtin.copy:
-    src: keepalived/notify_{{ state }}.sh
-    dest: /srv/keepalived/
-    mode: u=r,g=r,o=
-  loop: "{{ keepalived_notify }}"
-  loop_control:
-    index_var: state
-  become: true
-  notify: Redémarrer keepalived.service
+- name: Import configuration tasks
+  ansible.builtin.import_tasks:
+    file: configuration.yml

templates/keepalived.j2

@@ -13,13 +13,14 @@ global_defs {
     smtp_connect_timeout 30
 {% endif %}
 
+  script_user keepalived_script
   enable_script_security
   max_auto_priority 50
 }
 
 {% for script in keepalived_track_scripts %}
 vrrp_script {{ script.name }} {
-  script {{ script.command }}
+  script "{{ script.command }}"
   interval {{ script.interval }}
 }
 {% endfor %}
@@ -41,8 +42,13 @@ vrrp_instance VIP_{{ keepalived_uid }} {
   advert_int 1
 
 {% if keepalived_peers | length > 0 %}
+  unicast_src_ip {{ ansible_facts[keepalived_interface]['ipv4']['address'] }}
   unicast_peer {
-    {{ keepalived_peers | join('\n') | indent(width=4) }}
+{% for peer in keepalived_peers %}
+{% if peer != ansible_facts[keepalived_interface]['ipv4']['address'] %}
+    {{ peer }}
+{% endif %}
+{% endfor %}
   }
 {% endif %}
 
@@ -58,17 +64,8 @@ vrrp_instance VIP_{{ keepalived_uid }} {
   }
 {% endif %}
 
-{% if keepalived_notify_master | length > 0 %}
-  notify_master {{ keepalived_notify_master.dst }}
-{% endif %}
-{% if keepalived_notify_backup | length > 0 %}
-  notify_master {{ keepalived_notify_backup.dst }}
-{% endif %}
-{% if keepalived_notify_fault | length > 0 %}
-  notify_master {{ keepalived_notify_fault.dst }}
-{% endif %}
-{% if keepalived_notify_stop | length > 0 %}
-  notify_master {{ keepalived_notify_stop.dst }}
+{% if keepalived_notify_enable %}
+  notify /etc/keepalived/notify.bash
 {% endif %}
 
 {% if keepalived_track_scripts | length > 0 %}

templates/notify.bash.j2

@@ -0,0 +1,38 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+TYPE=$1
+NAME=$2
+STATE=$3
+
+{% if keepalived_notify_pre | length > 0 %}
+{{ keepalived_notify_pre }}
+{% endif %}
+
+# Use keepalived state
+case $STATE in
+{% if keepalived_notify_is_master | length > 0 %}
+  "MASTER")
+    {{ keepalived_notify_is_master | indent(4) }}
+    exit 0
+  ;;
+{% endif %}
+{% if keepalived_notify_is_backup | length > 0 %}
+  "BACKUP")
+    {{ keepalived_notify_is_backup | indent(4) }}
+    exit 0
+  ;;
+{% endif %}
+{% if keepalived_notify_is_fault | length > 0 %}
+  "FAULT")
+    {{ keepalived_notify_is_fault | indent(4) }}
+    exit 0
+  ;;
+{% endif %}
+{% if keepalived_notify_by_default | length > 0 %}
+  *)
+    {{ keepalived_notify_by_default | indent(4) }}
+    exit 1
+  ;;
+{% endif %}
+esac

templates/sudoers.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for cmd in keepalived_sudoers_cmd %}
+keepalived_script ALL=(ALL) NOPASSWD:{{ cmd }}
+{% endfor %}

vars/main.yml

@@ -0,0 +1,9 @@
+---
+# vars file for keepalived
+
+users:
+  - name: keepalived_script
+    comment: "Dedicated user for keepalived script"
+    update_password: on_create
+    password_lock: true
+    shell: /bin/bash