nemesis/hubris: import keepalived configuration
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful

Add shared configuration to cluster.denc.web-proxy.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Georg Pfuetzenreuter 2023-02-08 20:52:57 +01:00
parent 974014937f
commit 863244ad86
Signed by: Georg
GPG Key ID: 1ED2F138E7E6FF57


@ -2,13 +2,70 @@
{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%} {%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
{%- set stapler = 'http://gaia.syscid.com:8900/' -%} {%- set stapler = 'http://gaia.syscid.com:8900/' -%}
{%- set resolver = '192.168.0.115' -%} {%- set resolver = '192.168.0.115' -%}
{%- set mailer = '192.168.0.120' -%}
{%- set ha4 = '81.16.19.62' -%}
{%- set ha6 = '2a03:4000:20:21f::' -%}
keepalived:
config:
global_defs:
notification_email:
- system@lysergic.dev
notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
smtp_server: {{ mailer }}
smtp_connect_timeout: 30
router_id: SSO_FO
vrrp_script:
check_nginx_port:
script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
weight: 5
interval: 3
timeout: 3
check_nginx_process:
{#- this is not a good check but better than nothing #}
script: '"/usr/bin/pgrep nginx"'
weight: 4
interval: 2
timeout: 10
check_useless_process:
{#- this is only used for debugging #}
script: '"/usr/bin/pgrep useless.sh"'
weight: 4
interval: 2
timeout: 3
vrrp_instance:
DENCWC:
state: MASTER
interface: eth1
priority: 100
virtual_router_id: 100
advert_int: 5
smtp_alert: true
notify_master: '"/usr/local/bin/failover --all"'
promote_secondaries: true
mcast_src_ip: 192.168.0.50
authentication:
auth_type: PASS
auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
virtual_ipaddress:
- {{ ha4 }}/32 dev eth0 label failover
virtual_ipaddress_excluded:
- {{ ha6 }}/64 dev eth0
{%- for i in [1, 2, 3] %}
- {{ ha6 }}{{ i }}/64 dev eth0
{%- endfor %}
track_script:
{#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
- check_nginx_process
track_interface:
- eth0
nginx: nginx:
snippets: snippets:
listen_ha: listen_ha:
- listen: - listen:
- 81.16.19.62:443 ssl http2 - {{ ha4 }}:443 ssl http2
- '[2a03:4000:20:21f::]:443 ssl http2' - '[{{ ha6 }}]:443 ssl http2'
proxy: proxy:
- proxy_set_header: - proxy_set_header:
- Host $host - Host $host
@ -75,8 +132,8 @@ nginx:
config: config:
- server: - server:
- listen: - listen:
- 81.16.19.62:80 default_server - {{ ha4 }}:80 default_server
- '[2a03:4000:20:21f::]:80 default_server' - '[{{ ha6 }}]:80 default_server'
- include: snippets/robots - include: snippets/robots
- location /: - location /:
- return: 301 https://$host$request_uri - return: 301 https://$host$request_uri
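Review bot: `auth_type: PASS` in the `DENCWC` instance (first hunk) gives little protection, because keepalived sends that password in clear text in every VRRP advertisement and uses only its first eight characters. Any host that can see traffic on `eth1` can therefore read it, even though the value is pulled from the secret store. Consider `auth_type: AH`, or a packet filter on `eth1` that accepts VRRP only from the peer addresses, and document the limitation above the key, e.g. `{#- PASS is sent in clear text; it guards against misconfiguration, not against a host on the segment #}`. Separately, `global_defs` sets neither of keepalived's `script_user` or `enable_script_security` options, so the `vrrp_script` commands and `/usr/local/bin/failover --all` presumably run as root unless a `keepalived_script` user exists. Setting both, and confirming the notify script and its directory are writable by root only, would narrow that, assuming the formula passes these keys through.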