67 lines
1.8 KiB
YAML
67 lines
1.8 KiB
YAML
---
|
|
# This tasks rely on TripleO's dynamic inventory being used.
|
|
- name: Set private-or-clear networks fact
|
|
set_fact:
|
|
private_or_clear_networks: ["ctlplane"]
|
|
|
|
- name: Set private networks fact
|
|
set_fact:
|
|
private_networks: "{{ enabled_networks|difference(private_or_clear_networks) }}"
|
|
|
|
- name: Are we using Opportunistic IPSEC tunnels?
|
|
set_fact:
|
|
ipsec_type: opportunistic
|
|
when: use_opportunistic_ipsec|bool
|
|
|
|
- name: Are we using node-to-node IPSEC tunnels?
|
|
set_fact:
|
|
ipsec_type: node-to-node
|
|
when: not use_opportunistic_ipsec|bool
|
|
|
|
- name: Add uniqueids = no to ipsec setup configuration
|
|
lineinfile:
|
|
dest: /etc/ipsec.conf
|
|
regexp: '^\s+uniqueids'
|
|
insertafter: '^config setup'
|
|
line: "\tuniqueids=no"
|
|
when: not use_opportunistic_ipsec|bool
|
|
notify:
|
|
- Restart ipsec
|
|
|
|
- name: Get pacemaker status
|
|
systemd:
|
|
name: pacemaker
|
|
register: pacemaker_status
|
|
|
|
- name: Determine if pacemaker is running
|
|
set_fact:
|
|
pacemaker_running: "{{ pacemaker_status.status.ActiveState == 'active' }}"
|
|
|
|
# Permissions gotten from http://www.linux-ha.org/doc/dev-guides/_installing_and_packaging_resource_agents.html
|
|
- name: Install TripleO IPSEC resource agent
|
|
copy:
|
|
src: ipsec-resource-agent.sh
|
|
dest: /usr/lib/ocf/resource.d/heartbeat/ipsec
|
|
mode: '0755'
|
|
force: no
|
|
register: resource_agent
|
|
when: pacemaker_running
|
|
|
|
- include_tasks: ipsec-conf.yml
|
|
with_items: "{{ private_networks }}"
|
|
vars:
|
|
policy: private
|
|
type: "{{ ipsec_type }}"
|
|
|
|
# Unfortunately the ctlplane currently has issues when non-opportunistic
|
|
# tunnels are used. It will reject any connection and hold packets for
|
|
# some reason.
|
|
- include_tasks: ipsec-conf.yml
|
|
with_items: "{{ private_or_clear_networks }}"
|
|
vars:
|
|
policy: private-or-clear
|
|
type: "{{ ipsec_type }}"
|
|
when: use_opportunistic_ipsec|bool
|
|
|
|
- meta: flush_handlers
|