-
Notifications
You must be signed in to change notification settings - Fork 39
/
19_lb_services.yml
83 lines (70 loc) · 2.6 KB
/
19_lb_services.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
---
- name: Loadbalancer configuration play
hosts: loadbalancer
become: true
tasks:
- name: Checking internal network interfaces
ansible.builtin.fail:
msg: "{{ host_interface }} not found in {{ ansible_facts.interfaces }}"
when: host_interface not in ansible_facts.interfaces
- name: Adding interface to internal zone # noqa no-changed-when
ansible.builtin.shell: nmcli con mod {{ host_interface }} connection.zone internal && nmcli con mod {{ host_interface }} ipv4.dns {{ hostvars['bastion']['host_ip'] }} # noqa yaml[line-length]
- name: Enable firewalld
ansible.builtin.service:
name: "{{ item }}"
enabled: true
state: started
loop:
- firewalld
- haproxy
# https://access.redhat.com/discussions/1455033
# - name: Adding interface {{ host_interface }} to internal zone
# community.general.nmcli:
# conn_name: "{{ host_interface }}"
# zone: internal
# dns4: "{{ hostvars['bastion']['host_ip'] }}"
# gw4:
# state: present
- name: Setting bastion's IP as DNS for our interface # noqa no-changed-when
ansible.builtin.command: nmcli con mod {{ host_interface }} connection.zone internal ipv4.dns {{ hostvars['bastion']['host_ip'] }}
- name: Refreshing {{ host_interface }} # noqa no-changed-when
ansible.builtin.shell: nmcli con down "{{ host_interface }}"; nmcli con up "{{ host_interface }}"
- name: Adding interface to firewall internal zone
ansible.posix.firewalld:
zone: internal
interface: "{{ host_interface }}"
permanent: true
state: enabled
- name: Allow service for internal zone
ansible.posix.firewalld:
zone: internal
state: enabled
permanent: true
service: "{{ item }}"
loop: "{{ services }}"
- name: Allow ports for internal zone
ansible.posix.firewalld:
zone: internal
state: enabled
permanent: true
port: "{{ item }}"
loop: "{{ internal_zone_port }}"
- name: Reload firewalld service
ansible.builtin.service:
name: firewalld
state: restarted
- name: Enabling selinux boolean for haproxy
ansible.posix.seboolean:
name: haproxy_connect_any
state: true
persistent: true
- name: Firing haproxy template
ansible.builtin.template:
src: templates/haproxy.j2
dest: /etc/haproxy/haproxy.cfg
mode: "0755"
- name: Reload haproxy service
ansible.builtin.service:
name: haproxy
state: restarted
enabled: true