group_vars/keepalived.yml

 ---
 glob_keepalived:
   mail_source: keepalived@crans.org
-  mail_destination: shirenn@crans.org
+  mail_destination: root@crans.org
   smtp_server: smtp.adm.crans.org
+  routeur_id: "{{ ansible_hostname }}"
   pool:
     VI_ALL:
       password: "{{ vault.keepalived.password }}"
@@ -11,14 +12,18 @@ glob_keepalived:
       notify: /var/local/services/keepalived/keepalived.py
       zones:
         - vlan: srv
-          ipv4: 185.230.79.61/26
-          ipv6: 2a0c:700:2::ff:fe01:9902/64
+          ipv4: 185.230.79.62/26
+          ipv6: 2a0c:700:2::ff:fe00:9902/64
         - vlan: srv_nat
-          ipv4: 172.16.3.199/24
-          ipv6: 2a0c:700:3::ff:fe01:9903/64
+          ipv4: 172.16.3.99/24
+          ipv6: 2a0c:700:3::ff:fe00:9903/64
         - vlan: adh
-          ipv4: 185.230.78.199/24
-          ipv6: 2a0c:700:12::ff:fe01:9912/48
+          ipv4: 185.230.78.99/24
+          ipv6: 2a0c:700:12::ff:fe00:9912/48
+        - vlan: aurore
+          ipv4: 185.230.79.253/29
+          brd: no
+          ipv6: 2a0c:700:28::1/64
 
 glob_service_keepalived:
   name: keepalived

host_vars/routeur-daniel.adm.crans.org/bird.yml

+---
+loc_bird:
+  ipv4:
+    id: 185.230.79.253
+    binds:
+      - 185.230.79.253
+    statics:
+      - 185.230.78.0/23
+    bgps:
+      - name: aurore
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 43619
+          address: 185.230.79.254
+  ipv6:
+    id: 185.230.79.253
+    binds:
+      - 2a0c:700:28::1
+    statics:
+      - 2a0c:700::/36
+    bgps:
+      - name: aurore
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 43619
+          address: 2a0c:700:28::2

host_vars/routeur-daniel.adm.crans.org/keepalived.yml

@@ -2,8 +2,8 @@
 loc_keepalived:
   instances:
     - name: VI_ALL
-      state: MASTER
-      priority: 150
+      state: BACKUP
+      priority: 100
 
 loc_service_keepalived:
   git:
@@ -14,3 +14,5 @@ loc_service_keepalived:
       VI_ALL:
         - isc-dhcp-server
         - radvd
+        - bird
+        - bird6

host_vars/routeur-daniel.adm.crans.org/vars.yml

@@ -4,7 +4,6 @@ interfaces:
   via: ens19
   aurore: ens20
   renater: ens21
-  interco: ens22
-  srv: ens23
-  srv_nat: ens1
-  adh: enp1s2
+  srv: ens22
+  srv_nat: ens23
+  adh: ens1

host_vars/routeur-gulp.cachan-adm.crans.org/bird.yml

 ---
 loc_bird:
-  bgp:
-    as: 204515
-    remote_as: 8218
-    ipv4:
-      router_id: 158.255.113.73
-      bind_address: 158.255.113.73
-      network:
-        - 185.230.76.0/24
-        - 185.230.78.0/23
-      neighbor: 158.255.113.72
-    ipv6:
-      router_id: 185.230.79.62
-      bind_address: 2001:1b48:2:103::bb:2
-      network:
-        - 2a0c:700::/36
-        - 2a0c:700:3000::/36
-      neighbor: 2001:1b48:2:103::bb:1
-
+  ipv4:
+    id: 158.255.113.73
+    binds:
+      - 158.255.113.73
+    statics:
+      - 185.230.76.0/24
+    bgps:
+      - name: zayo
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 8218
+          address: 158.255.113.72
+  ipv6:
+    id: 185.230.79.62
+    binds:
+      - 2001:1b48:2:103::bb:2
+    statics:
+      - 2a0c:700:3000::/36
+    bgps:
+      - name: zayo
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 8218
+          address: 2001:1b48:2:103::bb:1

host_vars/routeur-jack.adm.crans.org/bird.yml

+---
+loc_bird:
+  ipv4:
+    id: 185.230.79.253
+    binds:
+      - 185.230.79.253
+    statics:
+      - 185.230.78.0/23
+    bgps:
+      - name: aurore
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 43619
+          address: 185.230.79.254
+  ipv6:
+    id: 185.230.79.253
+    binds:
+      - 2a0c:700:28::1
+    statics:
+      - 2a0c:700::/36
+    bgps:
+      - name: aurore
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 43619
+          address: 2a0c:700:28::2

host_vars/routeur-jack.adm.crans.org/keepalived.yml

@@ -3,7 +3,7 @@ loc_keepalived:
   instances:
     - name: VI_ALL
       state: BACKUP
-      priority: 100
+      priority: 50
 
 loc_service_keepalived:
   git:
@@ -14,3 +14,5 @@ loc_service_keepalived:
       VI_ALL:
         - isc-dhcp-server
         - radvd
+        - bird
+        - bird6

host_vars/routeur-jack.adm.crans.org/vars.yml

@@ -4,7 +4,6 @@ interfaces:
   via: ens19
   aurore: ens20
   renater: ens21
-  interco: ens22
-  srv: ens23
-  srv_nat: ens1
-  adh: ens2
+  srv: ens22
+  srv_nat: ens23
+  adh: ens1

host_vars/routeur-sam.adm.crans.org/bird.yml

+---
+loc_bird:
+  ipv4:
+    id: 185.230.79.253
+    binds:
+      - 185.230.79.253
+    statics:
+      - 185.230.78.0/23
+    bgps:
+      - name: aurore
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 43619
+          address: 185.230.79.254
+  ipv6:
+    id: 185.230.79.253
+    binds:
+      - 2a0c:700:28::1
+    statics:
+      - 2a0c:700::/36
+    bgps:
+      - name: aurore
+        allow_local_as: 1
+        local_as: 204515
+        remote:
+          as: 43619
+          address: 2a0c:700:28::2

host_vars/routeur-sam.adm.crans.org/keepalived.yml

+---
+loc_keepalived:
+  instances:
+    - name: VI_ALL
+      state: MASTER
+      priority: 150
+
+loc_service_keepalived:
+  git:
+    remote: https://gitlab.adm.crans.org/nounous/keepalived.git
+    version: master
+  config:
+    services:
+      VI_ALL:
+        - isc-dhcp-server
+        - radvd
+        - bird
+        - bird6

host_vars/routeur-sam.adm.crans.org/vars.yml

 ---
 interfaces:
   adm: ens18
-  srv: ens19
-  srv_nat: ens20
-  adh: ens22
+  via: ens19
+  aurore: ens20
+  renater: ens21
+  srv: ens22
+  srv_nat: ens23
+  adh: ens1

hosts

@@ -20,6 +20,9 @@ belenios.adm.crans.org
 [bird]
 routeur-gulp.cachan-adm.crans.org
 
+[bird:children]
+routeurs_vm
+
 [blackbox]
 monitoring.adm.crans.org
 
@@ -96,8 +99,14 @@ irc.adm.crans.org
 [jitsi]
 jitsi.adm.crans.org
 
-[keepalived:children]
-routeurs_vm
+[keepalived]
+routeur-daniel.adm.crans.org
+routeur-jack.adm.crans.org
+routeur-sam.adm.crans.org
+
+# Don't deploy keepalived on routeur-gulp
+# [keepalived:children]
+# routeurs_vm
 
 [linx]
 linx.adm.crans.org

plays/routeurs.yml

@@ -6,4 +6,5 @@
 - import_playbook: firewall.yml
 - import_playbook: dns-recursive.yml
 - import_playbook: prefix-delegation.yml
+- import_playbook: radvd.yml
 - import_playbook: keepalived.yml

roles/bird/templates/bird/bird.conf.j2

@@ -9,21 +9,21 @@
 
 # Change this into your BIRD router ID. It's a world-wide unique identification
 # of your router, usually one of router's IPv4 addresses.
-router id {{ bird.bgp.ipv4.router_id }};
+router id {{ bird.ipv4.id }};
+
+{% for bind in bird.ipv4.binds %}
+listen bgp address {{ bind }} port 179;
+{% endfor %}
 
-listen bgp address {{ bird.bgp.ipv4.bind_address }} port 179;
 
 # The Kernel protocol is not a real routing protocol. Instead of communicating
 # with other routers in the network, it performs synchronization of BIRD's
 # routing tables with the OS kernel.
 protocol kernel {
-	persist;
+#	persist;
 	scan time 60;
 	import none;
-	export filter {
-		if ( net ~ [ {{ bird.bgp.ipv4.network | join(', ') }} ] ) then reject;
-		accept;
-	};
+	export all;
 }
 
 # The Device protocol is not a real routing protocol. It doesn't generate any
@@ -34,14 +34,19 @@ protocol device {
 }
 
 protocol static {
-{% for ip in bird.bgp.ipv4.network %}
-	route {{ ip }} reject;
+{% for static in bird.ipv4.statics %}
+	route {{ static }} reject;
 {% endfor %}
 }
 
-protocol bgp zayo {
-	local as {{ bird.bgp.as }};
-	neighbor {{ bird.bgp.ipv4.neighbor }} as {{ bird.bgp.remote_as }};
+{% for bgp in bird.ipv4.bgps %}
+protocol bgp {{ bgp.name }} {
+	local as {{ bgp.local_as }};
+{% if bgp.allow_local_as is defined %}
+	allow local as {{ bgp.allow_local_as }};
+{% endif %}
+	neighbor {{ bgp.remote.address }} as {{ bgp.remote.as }};
 	import all;
 	export all;
 }
+{% endfor %}

roles/bird/templates/bird/bird6.conf.j2

@@ -9,21 +9,20 @@
 
 # Change this into your BIRD router ID. It's a world-wide unique identification
 # of your router, usually one of router's IPv6 addresses.
-router id {{ bird.bgp.ipv6.router_id }};
+router id {{ bird.ipv6.id }};
 
-listen bgp address {{ bird.bgp.ipv6.bind_address }} port 179;
+{% for bind in bird.ipv6.binds %}
+listen bgp address {{ bind }} port 179;
+{% endfor %}
 
 # The Kernel protocol is not a real routing protocol. Instead of communicating
 # with other routers in the network, it performs synchronization of BIRD's
 # routing tables with the OS kernel.
 protocol kernel {
-	persist;
+#	persist;
 	scan time 60;
 	import none;
-	export filter {
-		if ( net ~ [ {{ bird.bgp.ipv6.network | join(', ') }} ] ) then reject;
-		accept;
-	};
+	export all;
 }
 
 # The Device protocol is not a real routing protocol. It doesn't generate any
@@ -34,14 +33,19 @@ protocol device {
 }
 
 protocol static {
-{% for ip in bird.bgp.ipv6.network %}
-	route {{ ip }} reject;
+{% for route in bird.ipv6.statics %}
+	route {{ route }} reject;
 {% endfor %}
 }
 
-protocol bgp zayo {
-	local as {{ bird.bgp.as }};
-	neighbor {{ bird.bgp.ipv6.neighbor }} as {{ bird.bgp.remote_as }};
+{%for bgp in bird.ipv6.bgps %}
+protocol bgp {{ bgp.name }} {
+	local as {{ bgp.local_as }};
+{% if bgp.allow_local_as is defined %}
+	allow local as {{ bgp.allow_local_as }};
+{% endif %}
+	neighbor {{ bgp.remote.address }} as {{ bgp.remote.as }};
 	import all;
 	export all;
 }
+{% endfor %}

roles/keepalived/tasks/main.yml

 ---
+- name: Add buster-backports to apt sources
+  apt_repository:
+    repo: deb {{ debian_mirror }} buster-backports main
+    state: present
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version | int == 10
+    - ansible_distribution_release == "buster"
+
+- name: Use buster-backports to install keepalived
+  template:
+    src: apt/preferences.d/keepalived.j2
+    dest: /etc/apt/preferences.d/keepalived
+    owner: root
+    group: root
+    mode: 0644
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version | int == 10
+    - ansible_distribution_release == "buster"
+
 - name: Install keepalived
   apt:
     update_cache: true
@@ -14,8 +35,25 @@
     mode: 0644
   notify: Reload keepalived.service
 
+- name: Create keepalived service directory for systemd
+  file:
+    path: /etc/systemd/system/keepalived.service.d
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+
+- name: Override keepalived StopPost to stop some services after keepalived switch
+  template:
+    src: systemd/system/keepalived.service.d/override.conf.j2
+    dest: /etc/systemd/system/keepalived.service.d/override.conf
+    owner: root
+    group: root
+    mode: 0644
+
 - name: Start and enable keepalived
   service:
     name: keepalived
+    daemon-reload: true
     state: started
     enabled: yes

roles/keepalived/templates/apt/preferences.d/keepalived.j2

+{{ ansible_header | comment }}
+
+
+Package: keepalived
+Pin: release n=buster-backports
+Pin-Priority: 900
+

roles/keepalived/templates/keepalived/keepalived.conf.j2

@@ -4,6 +4,7 @@ global_defs {
   notification_email { {{ keepalived.mail_destination }} }
   notification_email_from {{ keepalived.mail_source }}
   smtp_server {{ keepalived.smtp_server }}
+  router_id {{ keepalived.routeur_id }}
 }
 
 {% for instance in keepalived.instances %}
@@ -15,10 +16,6 @@ vrrp_instance {{ instance.name }} {
   interface {{ interfaces.adm }}
   virtual_router_id {{ keepalived.pool[instance.name].id }}
   advert_int 2
-  authentication {
-    auth_type PASS
-    auth_pass {{ keepalived.pool[instance.name].password }}
-  }
 
 {% if keepalived.pool[instance.name].notify is defined %}
   notify {{ keepalived.pool[instance.name].notify }}
@@ -44,10 +41,6 @@ vrrp_instance {{ instance.name }}6 {
   interface {{ interfaces.adm }}
   virtual_router_id {{ keepalived.pool[instance.name].id }}
   advert_int 2
-  authentication {
-    auth_type PASS
-    auth_pass {{ keepalived.pool[instance.name].password }}
-  }
 
   virtual_ipaddress {
 {% for zone in keepalived.pool[instance.name].zones %}

roles/keepalived/templates/systemd/system/keepalived.service.d/override.conf.j2

+{{ ansible_header | comment }}
+
+[Service]
+ExecStopPost=/bin/sh -c "{% for instance in keepalived.instances %}/var/local/services/keepalived/keepalived.py INSTANCE {{ instance.name }} STOP {{ instance.priority }}; {% endfor %}"