nemesis/hubris: import keepalived configuration

Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-08 20:52:57 +01:00 · 2023-02-08 20:52:57 +01:00 · 303b06ae8c
commit 303b06ae8c
parent a0a21a17db
1 changed files with 61 additions and 4 deletions
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@ -2,13 +2,70 @@
 {%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
 {%- set stapler = 'http://gaia.syscid.com:8900/' -%}
 {%- set resolver = '192.168.0.115' -%}
+{%- set mailer = '192.168.0.120' -%}
+{%- set ha4 = '81.16.19.62' -%}
+{%- set ha6 = '2a03:4000:20:21f::' -%}
+
+keepalived:
+  config:
+    global_defs:
+      notification_email:
+        - system@lysergic.dev
+      notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
+      smtp_server: {{ mailer }}
+      smtp_connect_timeout: 30
+      router_id: SSO_FO
+    vrrp_script:
+      check_nginx_port:
+        script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
+        weight: 5
+        interval: 3
+        timeout: 3
+      check_nginx_process:
+        {#- this is not a good check but better than nothing #}
+        script: '"/usr/bin/pgrep nginx"'
+        weight: 4
+        interval: 2
+        timeout: 10
+      check_useless_process:
+        {#- this is only used for debugging #}
+        script: '"/usr/bin/pgrep useless.sh"'
+        weight: 4
+        interval: 2
+        timeout: 3
+    vrrp_instance:
+      DENCWC:
+        state: MASTER
+        interface: eth1
+        priority: 100
+        virtual_router_id: 100
+        advert_int: 5
+        smtp_alert: true
+        notify_master: '"/usr/local/bin/failover --all"'
+        promote_secondaries: true
+        mcast_src_ip: 192.168.0.50
+        authentication:
+          auth_type: PASS
+          auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
+        virtual_ipaddress:
+          - {{ ha4 }}/32 dev eth0 label failover
+        virtual_ipaddress_excluded:
+          - {{ ha6 }}/64 dev eth0
+          {%- for i in [1, 2, 3] %}
+          - {{ ha6 }}{{ i }}/64 dev eth0
+          {%- endfor %}
+        track_script:
+          {#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
+          - check_nginx_process
+        track_interface:
+          - eth0

 nginx:
  snippets:
    listen_ha:
      - listen:
-        - 81.16.19.62:443 ssl http2
-        - '[2a03:4000:20:21f::]:443 ssl http2'
+        - {{ ha4 }}:443 ssl http2
+        - '[{{ ha6 }}]:443 ssl http2'
    proxy:
      - proxy_set_header:
        - Host                $host
@ -75,8 +132,8 @@ nginx:
        config:
          - server:
            - listen:
-              - 81.16.19.62:80 default_server
-              - '[2a03:4000:20:21f::]:80 default_server'
+              - {{ ha4 }}:80 default_server
+              - '[{{ ha6 }}]:80 default_server'
              - include: snippets/robots
              - location /:
                - return: 301 https://$host$request_uri