From 3e5df7b78a8e57a584d91a62c0883e257ba527ff Mon Sep 17 00:00:00 2001 From: admin Date: Mon, 6 Apr 2026 05:05:33 +0000 Subject: [PATCH] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20playbook3=5Fhaproxy.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- playbook3_haproxy.yml | 196 ++++++++++++------------------------------ 1 file changed, 54 insertions(+), 142 deletions(-) diff --git a/playbook3_haproxy.yml b/playbook3_haproxy.yml index 090b4ab..c4636d4 100644 --- a/playbook3_haproxy.yml +++ b/playbook3_haproxy.yml 
@@ -1,172 +1,84 @@ --- -- name: Configure Nginx Load Balancer (ALT Linux) +- name: Configure Keepalived for HA Proxy (ALT Linux) hosts: proxy become: true vars: vip_address: "172.16.1.253" - backend_servers: "{{ groups['server'] }}" - backend_port: 443 - stats_port: 9000 - server_name: "www.au.team" - ssl_cert_path: "/etc/nginx/ssl/www.au.team.crt" - ssl_key_path: "/etc/nginx/ssl/www.au.team.key" + vip_cidr: "23" + vrrp_instance: "VI_1" + vrrp_id: 51 + auth_pass: "ansible_secure_pass" + master_priority: 150 + backup_priority: 100 tasks: - - name: Update package cache (ALT Linux) - ansible.builtin.command: - cmd: apt-rpm update - changed_when: false - tags: - - nginx - - - name: Install Nginx package (ALT Linux) + - name: Install keepalived package (ALT Linux) ansible.builtin.package: - name: nginx + name: keepalived state: present tags: - - nginx + - keepalived - - name: Create SSL directory for Nginx - ansible.builtin.file: - path: /etc/nginx/ssl - state: directory - mode: '0755' - owner: root - group: root - tags: - - ssl - - - name: Copy SSL certificate to Nginx (from web server) + - name: Detect network interface ansible.builtin.shell: | - cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > /etc/nginx/ssl/www.au.team.pem - chmod 600 /etc/nginx/ssl/www.au.team.pem - args: - creates: /etc/nginx/ssl/www.au.team.pem + ip -br link show | grep -E 'UP|UNKNOWN' | grep -v 'lo' | awk '{print $1}' | head -1 + register: detected_interface + changed_when: false tags: - - ssl + - keepalived - - name: Create directories for Nginx config - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: '0755' - owner: root - group: root - loop: - - /etc/nginx/conf.d - - /etc/nginx/sites-available - - /etc/nginx/sites-enabled + - name: Set interface fact + ansible.builtin.set_fact: + network_interface: "{{ detected_interface.stdout | default('eth0') }}" tags: - - nginx + - keepalived - - name: Configure Nginx upstream for backend servers + - name: Debug - 
show detected interface + ansible.builtin.debug: + msg: "Using network interface: {{ network_interface }}" + tags: + - keepalived + + - name: Configure keepalived.conf (simple config without health check) ansible.builtin.copy: content: | - upstream backend_servers { - balance roundrobin; - {% for server in backend_servers %} - server {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} weight=1 max_fails=3 fail_timeout=30s; - {% endfor %} + global_defs { + router_id {{ inventory_hostname }} } - dest: /etc/nginx/conf.d/upstream.conf + + vrrp_instance {{ vrrp_instance }} { + state {% if inventory_hostname == 'ha1-cod' %}MASTER{% else %}BACKUP{% endif %} + interface {{ network_interface }} + virtual_router_id {{ vrrp_id }} + priority {% if inventory_hostname == 'ha1-cod' %}{{ master_priority }}{% else %}{{ backup_priority }}{% endif %} + advert_int 1 + authentication { + auth_type PASS + auth_pass {{ auth_pass }} + } + virtual_ipaddress { + {{ vip_address }}/{{ vip_cidr }} + } + } + dest: /etc/keepalived/keepalived.conf mode: '0644' backup: true - notify: Reload nginx + notify: Restart keepalived tags: - - nginx + - keepalived - - name: Configure Nginx vhost with SSL and load balancing - ansible.builtin.copy: - content: | - # HTTP server - redirect to HTTPS - server { - listen {{ vip_address }}:80; - listen [::]:80; - server_name {{ server_name }}; - return 301 https://$host$request_uri; - } - - # HTTPS server with load balancing - server { - listen {{ vip_address }}:443 ssl; - listen [::]:443 ssl; - server_name {{ server_name }}; - - ssl_certificate /etc/nginx/ssl/www.au.team.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - # Proxy to backend servers - location / { - proxy_pass https://backend_servers; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - 
proxy_ssl_verify off; - proxy_connect_timeout 10s; - proxy_send_timeout 30s; - proxy_read_timeout 30s; - } - - # HSTS header - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - } - - # Stats server - server { - listen {{ vip_address }}:{{ stats_port }}; - server_name {{ server_name }}; - - location / { - stub_status on; - allow 127.0.0.1; - allow 10.0.0.0/8; - allow 172.16.0.0/12; - allow 192.168.0.0/16; - deny all; - } - - location /haproxy_stats { - return 200 "Nginx Stats\nActive connections: $connections_active\n"; - add_header Content-Type text/plain; - } - } - dest: /etc/nginx/sites-available/www.au.team.conf - mode: '0644' - backup: true - notify: Reload nginx - tags: - - nginx - - - name: Enable site configuration - ansible.builtin.file: - src: /etc/nginx/sites-available/www.au.team.conf - dest: /etc/nginx/sites-enabled/www.au.team.conf - state: link - notify: Reload nginx - tags: - - nginx - - - name: Remove default Nginx site - ansible.builtin.file: - path: /etc/nginx/sites-enabled/default - state: absent - ignore_errors: true - tags: - - nginx - - - name: Enable and start Nginx service + - name: Enable and start keepalived service ansible.builtin.systemd: - name: nginx + name: keepalived enabled: true state: started + daemon_reload: true tags: - - nginx + - keepalived handlers: - - name: Reload nginx + - name: Restart keepalived ansible.builtin.systemd: - name: nginx - state: reloaded \ No newline at end of file + name: keepalived + state: restarted + daemon_reload: true \ No newline at end of file
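Review bot: The VRRP password is committed in plaintext (`auth_pass: "ansible_secure_pass"` under `vars`) and then rendered into `/etc/keepalived/keepalived.conf` by the copy task with `mode: '0644'`, so it is readable by every local user and by anyone with read access to the repository; move it to an Ansible Vault variable, e.g. `auth_pass: "{{ vault_keepalived_auth_pass }}"`, and tighten the copy task to `mode: '0600'`. Note also that `auth_type PASS` carries this value unencrypted inside VRRP advertisements, so it protects against accidental router-id collisions rather than a hostile peer on the same segment, and the config comment should say so. Separately, the `Detect network interface` shell pipeline silently falls back to `eth0` via `default('eth0')` whenever nothing matches, and `grep -v 'lo'` also drops any interface whose name contains those letters (e.g. `wlo1`); unless fact gathering is disabled elsewhere, `network_interface: "{{ ansible_default_ipv4.interface }}"` in the `set_fact` task removes the shell step and fails loudly when the fact is absent. The `inventory_hostname == 'ha1-cod'` test is duplicated in the template's `state` and `priority` lines; a single `is_master` entry in `vars` would keep the two from drifting apart.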