authorGeorg Pfuetzenreuter2023-02-08 20:52:57 +0100
committerGeorg Pfuetzenreuter2023-02-12 05:21:43 +0100
commit303b06ae8cae4167bca6bafca71d226b32379941 (patch)
treefd47fd2d13861cd018b98850d1cd310dc5da2671
parenta0a21a17dbde293b3f665a99998cf88c38b8d07b (diff)
nemesis/hubris: import keepalived configuration
Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
-rw-r--r--pillar/cluster/denc/web-proxy.sls65
1 files changed, 61 insertions, 4 deletions
diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 4cf84ab..923369e 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -2,13 +2,70 @@
{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
{%- set resolver = '192.168.0.115' -%}
+{%- set mailer = '192.168.0.120' -%}
+{%- set ha4 = '81.16.19.62' -%}
+{%- set ha6 = '2a03:4000:20:21f::' -%}
+
+keepalived:
+ config:
+ global_defs:
+ notification_email:
+ - system@lysergic.dev
+ notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
+ smtp_server: {{ mailer }}
+ smtp_connect_timeout: 30
+ router_id: SSO_FO
+ vrrp_script:
+ check_nginx_port:
+ script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
+ weight: 5
+ interval: 3
+ timeout: 3
+ check_nginx_process:
+ {#- this is not a good check but better than nothing #}
+ script: '"/usr/bin/pgrep nginx"'
+ weight: 4
+ interval: 2
+ timeout: 10
+ check_useless_process:
+ {#- this is only used for debugging #}
+ script: '"/usr/bin/pgrep useless.sh"'
+ weight: 4
+ interval: 2
+ timeout: 3
+ vrrp_instance:
+ DENCWC:
+ state: MASTER
+ interface: eth1
+ priority: 100
+ virtual_router_id: 100
+ advert_int: 5
+ smtp_alert: true
+ notify_master: '"/usr/local/bin/failover --all"'
+ promote_secondaries: true
+ mcast_src_ip: 192.168.0.50
+ authentication:
+ auth_type: PASS
+ auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
+ virtual_ipaddress:
+ - {{ ha4 }}/32 dev eth0 label failover
+ virtual_ipaddress_excluded:
+ - {{ ha6 }}/64 dev eth0
+ {%- for i in [1, 2, 3] %}
+ - {{ ha6 }}{{ i }}/64 dev eth0
+ {%- endfor %}
+ track_script:
+ {#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
+ - check_nginx_process
+ track_interface:
+ - eth0
nginx:
snippets:
listen_ha:
- listen:
- - 81.16.19.62:443 ssl http2
- - '[2a03:4000:20:21f::]:443 ssl http2'
+ - {{ ha4 }}:443 ssl http2
+ - '[{{ ha6 }}]:443 ssl http2'
proxy:
- proxy_set_header:
- Host $host
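Review bot: The `authentication` block under `vrrp_instance: DENCWC` uses `auth_type: PASS`, which keepalived carries unencrypted in every advertisement and limits to eight characters, so the value pulled in via `auth_pass` is visible to anything on the `eth1` segment and should not be relied on as access control. Consider restricting VRRP (IP protocol 112) on `eth1` to the peer nodes' addresses, or switching the instance to `unicast_peer`, so that only the cluster members' advertisements are accepted. Separately, `notify_master: '"/usr/local/bin/failover --all"'` and the `vrrp_script` checks run as root when no `script_user` is set and no `keepalived_script` account exists. Setting `enable_script_security` in `global_defs` and a per-script `user` on the two `pgrep` checks would narrow that, assuming the formula passes those keys through. It would also help to document next to `check_nginx_process` that `pgrep nginx` matches any process with that name, so the check does not prove the proxy is actually serving.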
@@ -75,8 +132,8 @@ nginx:
config:
- server:
- listen:
- - 81.16.19.62:80 default_server
- - '[2a03:4000:20:21f::]:80 default_server'
+ - {{ ha4 }}:80 default_server
+ - '[{{ ha6 }}]:80 default_server'
- include: snippets/robots
- location /:
- return: 301 https://$host$request_uri