From 303b06ae8cae4167bca6bafca71d226b32379941 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 8 Feb 2023 20:52:57 +0100
Subject: nemesis/hubris: import keepalived configuration

Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter
---
 pillar/cluster/denc/web-proxy.sls | 65 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 61 insertions(+), 4 deletions(-)

diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 4cf84ab..923369e 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -2,13 +2,70 @@
 {%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
 {%- set stapler = 'http://gaia.syscid.com:8900/' -%}
 {%- set resolver = '192.168.0.115' -%}
+{%- set mailer = '192.168.0.120' -%}
+{%- set ha4 = '81.16.19.62' -%}
+{%- set ha6 = '2a03:4000:20:21f::' -%}
+
+keepalived:
+  config:
+    global_defs:
+      notification_email:
+        - system@lysergic.dev
+      notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
+      smtp_server: {{ mailer }}
+      smtp_connect_timeout: 30
+      router_id: SSO_FO
+    vrrp_script:
+      check_nginx_port:
+        script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
+        weight: 5
+        interval: 3
+        timeout: 3
+      check_nginx_process:
+        {#- this is not a good check but better than nothing #}
+        script: '"/usr/bin/pgrep nginx"'
+        weight: 4
+        interval: 2
+        timeout: 10
+      check_useless_process:
+        {#- this is only used for debugging #}
+        script: '"/usr/bin/pgrep useless.sh"'
+        weight: 4
+        interval: 2
+        timeout: 3
+    vrrp_instance:
+      DENCWC:
+        state: MASTER
+        interface: eth1
+        priority: 100
+        virtual_router_id: 100
+        advert_int: 5
+        smtp_alert: true
+        notify_master: '"/usr/local/bin/failover --all"'
+        promote_secondaries: true
+        mcast_src_ip: 192.168.0.50
+        authentication:
+          auth_type: PASS
+          auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
+        virtual_ipaddress:
+          - {{ ha4 }}/32 dev eth0 label failover
+        virtual_ipaddress_excluded:
+          - {{ ha6 }}/64 dev eth0
+          {%- for i in [1, 2, 3] %}
+          - {{ ha6 }}{{ i }}/64 dev eth0
+          {%- endfor %}
+        track_script:
+          {#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
+          - check_nginx_process
+        track_interface:
+          - eth0
 
 nginx:
   snippets:
     listen_ha:
       - listen:
-        - 81.16.19.62:443 ssl http2
-        - '[2a03:4000:20:21f::]:443 ssl http2'
+        - {{ ha4 }}:443 ssl http2
+        - '[{{ ha6 }}]:443 ssl http2'
     proxy:
       - proxy_set_header:
         - Host $host
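Review bot: The three vrrp_script entries and the notify_master helper under keepalived.config are executed by keepalived with its default privileges (root, unless the service itself is dropped), yet global_defs sets none of keepalived's script hardening; newer keepalived releases log a security-violation warning at startup for exactly this shape of configuration. Add `enable_script_security: true` next to router_id in global_defs so keepalived refuses to run any track or notify script that a non-root user could modify, and consider `script_user: <unprivileged-user>` for the curl/pgrep checks, assuming the formula passes these directives through one-to-one as it appears to for smtp_alert. The check_useless_process entry is marked as debugging-only and is not referenced from track_script, so it is dead configuration that still installs a pgrep command on every cluster member; drop it or gate it behind a pillar flag. The check_nginx_port script uses curl `-k` against `[::1]`, which is acceptable for a loopback liveness probe but worth a one-line comment so it is not later reused against a remote endpoint.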
@@ -75,8 +132,8 @@ nginx:
   config:
     - server:
       - listen:
-        - 81.16.19.62:80 default_server
-        - '[2a03:4000:20:21f::]:80 default_server'
+        - {{ ha4 }}:80 default_server
+        - '[{{ ha6 }}]:80 default_server'
       - include: snippets/robots
       - location /:
         - return: 301 https://$host$request_uri
-- 
cgit v1.2.3