From 303b06ae8cae4167bca6bafca71d226b32379941 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 20:52:57 +0100
Subject: nemesis/hubris: import keepalived configuration

Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/cluster/denc/web-proxy.sls | 65 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 61 insertions(+), 4 deletions(-)

diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 4cf84ab..923369e 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -2,13 +2,70 @@
 {%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
 {%- set stapler = 'http://gaia.syscid.com:8900/' -%}
 {%- set resolver = '192.168.0.115' -%}
+{%- set mailer = '192.168.0.120' -%}
+{%- set ha4 = '81.16.19.62' -%}
+{%- set ha6 = '2a03:4000:20:21f::' -%}
+
+keepalived:
+  config:
+    global_defs:
+      notification_email:
+        - system@lysergic.dev
+      notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
+      smtp_server: {{ mailer }}
+      smtp_connect_timeout: 30
+      router_id: SSO_FO
+    vrrp_script:
+      check_nginx_port:
+        script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
+        weight: 5
+        interval: 3
+        timeout: 3
+      check_nginx_process:
+        {#- this is not a good check but better than nothing #}
+        script: '"/usr/bin/pgrep nginx"'
+        weight: 4
+        interval: 2
+        timeout: 10
+      check_useless_process:
+        {#- this is only used for debugging #}
+        script: '"/usr/bin/pgrep useless.sh"'
+        weight: 4
+        interval: 2
+        timeout: 3
+    vrrp_instance:
+      DENCWC:
+        state: MASTER
+        interface: eth1
+        priority: 100
+        virtual_router_id: 100
+        advert_int: 5
+        smtp_alert: true
+        notify_master: '"/usr/local/bin/failover --all"'
+        promote_secondaries: true
+        mcast_src_ip: 192.168.0.50
+        authentication:
+          auth_type: PASS
+          auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
+        virtual_ipaddress:
+          - {{ ha4 }}/32 dev eth0 label failover
+        virtual_ipaddress_excluded:
+          - {{ ha6 }}/64 dev eth0
+          {%- for i in [1, 2, 3] %}
+          - {{ ha6 }}{{ i }}/64 dev eth0
+          {%- endfor %}
+        track_script:
+          {#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
+          - check_nginx_process
+        track_interface:
+          - eth0
 
 nginx:
   snippets:
     listen_ha:
       - listen:
-        - 81.16.19.62:443 ssl http2
-        - '[2a03:4000:20:21f::]:443 ssl http2'
+        - {{ ha4 }}:443 ssl http2
+        - '[{{ ha6 }}]:443 ssl http2'
     proxy:
       - proxy_set_header:
         - Host                $host
@@ -75,8 +132,8 @@ nginx:
         config:
           - server:
             - listen:
-              - 81.16.19.62:80 default_server
-              - '[2a03:4000:20:21f::]:80 default_server'
+              - {{ ha4 }}:80 default_server
+              - '[{{ ha6 }}]:80 default_server'
               - include: snippets/robots
               - location /:
                 - return: 301 https://$host$request_uri
-- 
cgit v1.2.3