Import denc webcluster (nemesis/hubris) #12

Merged
Georg merged 8 commits from import-denc-webcluster into production 2023-02-12 14:25:55 +01:00
11 changed files with 367 additions and 0 deletions

View File

@ -0,0 +1,206 @@
{%- from 'map.jinja' import nginx_crtkeypair -%}
{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
{%- set resolver = '192.168.0.115' -%}
{%- set mailer = '192.168.0.120' -%}
{%- set ha4 = '81.16.19.62' -%}
{%- set ha6 = '2a03:4000:20:21f::' -%}
keepalived:
config:
global_defs:
notification_email:
- system@lysergic.dev
notification_email_from: failover@{{ grains['host'] }}.lysergic.dev
smtp_server: {{ mailer }}
smtp_connect_timeout: 30
router_id: SSO_FO
vrrp_script:
check_nginx_port:
script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
weight: 5
interval: 3
timeout: 3
check_nginx_process:
{#- this is not a good check but better than nothing #}
script: '"/usr/bin/pgrep nginx"'
weight: 4
interval: 2
timeout: 10
check_useless_process:
{#- this is only used for debugging #}
script: '"/usr/bin/pgrep useless.sh"'
weight: 4
interval: 2
timeout: 3
vrrp_instance:
DENCWC:
state: MASTER
interface: eth1
priority: 100
virtual_router_id: 100
advert_int: 5
smtp_alert: true
notify_master: '"/usr/local/bin/failover --all"'
promote_secondaries: true
mcast_src_ip: 192.168.0.50
authentication:
auth_type: PASS
auth_pass: ${'secret_keepalived:vrrp_instance:DENCWC'}
virtual_ipaddress:
- {{ ha4 }}/32 dev eth0 label failover
virtual_ipaddress_excluded:
- {{ ha6 }}/64 dev eth0
{%- for i in [1, 2, 3] %}
- {{ ha6 }}{{ i }}/64 dev eth0
{%- endfor %}
track_script:
{#- - check_nginx_port # to-do: this is currently bugged, check script locks up #}
- check_nginx_process
track_interface:
- eth0
nginx:
snippets:
listen_ha:
- listen:
- {{ ha4 }}:443 ssl http2
- '[{{ ha6 }}]:443 ssl http2'
proxy:
- proxy_set_header:
- Host $host
- X-Real-IP $remote_addr
- X-Forwarded-For $proxy_add_x_forwarded_for
- X-Forwarded-Host $host
- X-Forwarded-Server $host
- X-Forwarded-Port $server_port
- X-Forwarded-Proto $scheme
- proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
tls:
- ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
{#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
{{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
- include: snippets/tls
{{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
- include: snippets/tls
{{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
- include: snippets/tls
{{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
- include: snippets/tls
tls_syscidsso:
- ssl_trusted_certificate: {{ trustcrt }}
- ssl_client_certificate: {{ trustcrt }}
- ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt
- ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key
- ssl_ocsp: 'on'
- ssl_ocsp_responder: {{ stapler }}
- ssl_stapling: 'on'
- ssl_stapling_responder: {{ stapler }}
- ssl_stapling_verify: 'on'
- ssl_verify_client: 'on'
- resolver: {{ resolver }} ipv6=off
- include: snippets.d/tls
servers:
managed:
jboss-cluster.conf:
available_dir: /etc/nginx/conf.d
config:
- proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
- proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
- upstream jboss:
- ip: hash
- server:
- theia.backend.syscid.com:8443
- orpheus.backend.syscid.com:8443
- selene.backend.syscid.com:8443
bookstack.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_libertacasa
- server_name: libertacasa.info libcasa.info
- location /:
- proxy_pass: https://bookstack.themis.backend.syscid.com
- proxy_http_version: 1.1
- client_max_body_size: 20M
http.conf:
config:
- server:
- listen:
- {{ ha4 }}:80 default_server
- '[{{ ha6 }}]:80 default_server'
- include: snippets/robots
- location /:
- return: 301 https://$host$request_uri
privatebin.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_lysergic
- server_name: pasta.lysergic.dev
- location /:
- proxy_pass: https://privatebin.themis.backend.syscid.com
- proxy_http_version: 1.1
- client_max_body_size: 50M
sso_private.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_syscidsso
- server_name: sso.syscid.com
- root: /srv/www/sso.syscid.com
- location = /: []
- location /index.html: []
- location /:
- proxy_pass: https://jboss
- proxy_cache: cache_sso_private
- include: snippets/proxy
- proxy_buffer_size: 256k
- proxy_buffers: 4 512k
- proxy_busy_buffers_size: 512k
- error_log: /var/log/nginx/sso_private.error.log
- access_log: /var/log/nginx/sso_private.access.log combined
sso_public.conf:
config:
- server:
- include:
- snippets/listen
- snippets/tls_libsso
- server_name: sso.casa www.sso.casa
- location /:
- root: /srv/www/sso.casa
- server:
- include:
- snippets/listen
- snippets/tls_libsso
- server_name: libsso.net www.libsso.net
- location /:
- root: /srv/www/libsso.net
- location /auth: {#- compat, consider removing #}
- rewrite: '^/auth(.*)$ https://libsso.net$1 break'
{%- for path in ['realms', 'resources', 'js'] %}
- location /{{ path }}:
- proxy_pass: https://jboss/{{ path }}
- proxy_cache: cache_sso_public
{#- - proxy_ssl_verify: on #to-do: enable this #}
- include: snippets/proxy
{%- endfor %}
{%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
- location /{{ path }}:
- return: https://liberta.casa/
{%- endfor %}
- proxy_buffer_size: 256k
- proxy_buffers: 4 512k
- proxy_busy_buffers_size: 512k
- error_log: /var/log/nginx/libsso_public.error.log
- access_log: /var/log/nginx/libsso_public.access.log combined

View File

@ -26,6 +26,10 @@ firewalld:
public:
short: Public
{{ firewall_interfaces(public) }}
{%- if backend | length %}
backend:
{{ firewall_interfaces(backend) }}
{%- endif %}
{%- endif %}
mine_functions:

View File

@ -0,0 +1,2 @@
include:
- cluster.denc.web-proxy

View File

@ -0,0 +1,2 @@
include:
- cluster.denc.web-proxy

View File

@ -0,0 +1,2 @@
include:
- role.ha-node

8
pillar/role/ha-node.sls Normal file
View File

@ -0,0 +1,8 @@
firewalld:
zones:
internal:
services:
- vrrp
backend:
protocols:
- udp

View File

@ -0,0 +1,7 @@
keepalived_script_user:
user.present:
- name: keepalived_script
- createhome: False
- home: /var/lib/keepalived
- shell: /usr/sbin/nologin
- system: True

View File

@ -0,0 +1,14 @@
This profile installs a script switching failover IP addresses between Netcup hosted VM's.
Required pillar:
```
profile:
netcup_failover:
scp_user: 12345
scp_pass: xxxx
scp_server: v9876
mac_address: ff:ff:ff:ff:ff
ip4_address: xx.xx.xx.xx/32
ip6_address: 'foo:bar::/64'
```

View File

@ -0,0 +1,109 @@
{%- set header = salt['pillar.get']('managed_header_pound') -%}
{%- set mypillar = salt['pillar.get']('profile:netcup_failover') -%}
#!/bin/sh
# Floating IP switching script utilizing the Netcup API
{{ header }}
SCP_USER='{{ mypillar['scp_user'] }}'
SCP_PASS='{{ mypillar['scp_pass'] }}'
SCP_SERVER='{{ mypillar['scp_server'] }}'
MAC='{{ mypillar['mac_address'] }}'
IP_v4='{{ mypillar['ip4_address'] }}'
IP_v6='{{ mypillar['ip6_address'] }}'
URL="https://www.servercontrolpanel.de/WSEndUser?xsd=1" ### ?xsd=1 ?wsdl
usage () {
echo "$0 [--ipv4 | --ipv6 | --all] [--debug]"
exit 2
}
init () {
construct "$1"
run
parse
}
construct () {
if [ "$1" = "ip4" ];
then
local IP="$IP_v4"
fi
if [ "$1" = "ip6" ];
then
local IP="$IP_v6"
fi
local CIDR="${IP#*/}"
local IP="`echo $IP | sed "s?/$CIDR??"`"
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Initiating: $1"
echo "[DEBUG] IP Address: $IP"
echo "[DEBUG] CIDR Mask: $CIDR"
fi
XML_BODY="<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:ns1='http://enduser.service.web.vcp.netcup.de/'><SOAP-ENV:Body><ns1:changeIPRouting><loginName>$SCP_USER</loginName><password>$SCP_PASS</password><routedIP>$IP</routedIP><routedMask>$CIDR</routedMask><destinationVserverName>$SCP_SERVER</destinationVserverName><destinationInterfaceMAC>$MAC</destinationInterfaceMAC></ns1:changeIPRouting></SOAP-ENV:Body></SOAP-ENV:Envelope>"
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Payload: $XML_BODY"
fi
}
request () {
curl -s -H 'Content-Type: text/xml' -H 'SOAPAction:' -d "$XML_BODY" -X POST "$URL"
}
run () {
RESPONSE=`request`
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Response: $RESPONSE"
fi
}
parse () {
local IFS='&'
local check_invalid="validation error&IP already assigned&true"
for check in $check_invalid;
do
if [ "$DEBUG" = "true" ];
then
echo "[DEBUG] Parsing: $check"
fi
if [ "${RESPONSE#*$check}" = "$RESPONSE" ];
then
result="Not found"
fi
if [ "${RESPONSE#*$check}" != "$RESPONSE" ];
then
result="Found"
fi
echo "Check for \"$check\": $result"
done
}
MODE="$1"
if [ "$2" = "--debug" ];
then
DEBUG="true"
echo "[DEBUG] Script invoked at `date`"
fi
case "$MODE" in
"--ipv4" )
init ip4
;;
"--ipv6" )
init ip6
;;
"--all" )
init ip6
init ip4
;;
* )
usage
;;
esac

View File

@ -0,0 +1,10 @@
include:
- profile.keepalived_script_user
/usr/local/bin/failover:
file.managed:
- user: keepalived_script
- group: wheel
- mode: 750
- template: jinja
- source: salt://{{ slspath }}/files/failover.sh.j2

3
salt/role/ha-netcup.sls Normal file
View File

@ -0,0 +1,3 @@
include:
- profile.netcup_failover
- role.ha-node