diff --git a/playbook3_haproxy.yml b/playbook3_haproxy.yml
index c4636d4..a6a0c22 100644
--- a/playbook3_haproxy.yml
+++ b/playbook3_haproxy.yml
@@ -1,84 +1,175 @@ --- -- name: Configure Keepalived for HA Proxy (ALT Linux) +- name: Configure Nginx Load Balancer (ALT Linux) hosts: proxy become: true vars: vip_address: "172.16.1.253" - vip_cidr: "23" - vrrp_instance: "VI_1" - vrrp_id: 51 - auth_pass: "ansible_secure_pass" - master_priority: 150 - backup_priority: 100 + backend_servers: "{{ groups['server'] }}" + backend_port: 443 + stats_port: 9000 + server_name: "www.au.team" + ssl_cert_path: "/etc/nginx/ssl/www.au.team.crt" + ssl_key_path: "/etc/nginx/ssl/www.au.team.key" tasks: - - name: Install keepalived package (ALT Linux) + - name: Install Nginx package (ALT Linux) ansible.builtin.package: - name: keepalived + name: nginx state: present + # update_cache: no # Не обновляем кэш автоматически + ignore_errors: true # Игнорируем ошибки если пакет не найден tags: - - keepalived + - nginx - - name: Detect network interface + - name: Install Nginx if package cache is outdated + ansible.builtin.command: + cmd: apt-get install -y nginx + when: nginx_install is failed + register: nginx_install_cmd + tags: + - nginx + + - name: Create SSL directory for Nginx + ansible.builtin.file: + path: /etc/nginx/ssl + state: directory + mode: '0755' + owner: root + group: root + tags: + - ssl + + - name: Copy SSL certificate to Nginx (from web server) ansible.builtin.shell: | - ip -br link show | grep -E 'UP|UNKNOWN' | grep -v 'lo' | awk '{print $1}' | head -1 - register: detected_interface - changed_when: false + cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > /etc/nginx/ssl/www.au.team.pem + chmod 600 /etc/nginx/ssl/www.au.team.pem + args: + creates: /etc/nginx/ssl/www.au.team.pem tags: - - keepalived + - ssl - - name: Set interface fact - ansible.builtin.set_fact: - network_interface: "{{ detected_interface.stdout | default('eth0') }}" + - name: Create directories for Nginx config + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: '0755' + owner: root + group: root + loop: + - 
/etc/nginx/conf.d + - /etc/nginx/sites-available + - /etc/nginx/sites-enabled tags: - - keepalived + - nginx - - name: Debug - show detected interface - ansible.builtin.debug: - msg: "Using network interface: {{ network_interface }}" - tags: - - keepalived - - - name: Configure keepalived.conf (simple config without health check) + - name: Configure Nginx upstream for backend servers ansible.builtin.copy: content: | - global_defs { - router_id {{ inventory_hostname }} + upstream backend_servers { + least_conn; + {% for server in backend_servers %} + server {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} weight=1 max_fails=3 fail_timeout=30s; + {% endfor %} } - - vrrp_instance {{ vrrp_instance }} { - state {% if inventory_hostname == 'ha1-cod' %}MASTER{% else %}BACKUP{% endif %} - interface {{ network_interface }} - virtual_router_id {{ vrrp_id }} - priority {% if inventory_hostname == 'ha1-cod' %}{{ master_priority }}{% else %}{{ backup_priority }}{% endif %} - advert_int 1 - authentication { - auth_type PASS - auth_pass {{ auth_pass }} - } - virtual_ipaddress { - {{ vip_address }}/{{ vip_cidr }} - } - } - dest: /etc/keepalived/keepalived.conf + dest: /etc/nginx/conf.d/upstream.conf mode: '0644' backup: true - notify: Restart keepalived + notify: Reload nginx tags: - - keepalived + - nginx - - name: Enable and start keepalived service + - name: Configure Nginx vhost with SSL and load balancing + ansible.builtin.copy: + content: | + # HTTP server - redirect to HTTPS + server { + listen {{ vip_address }}:80; + listen [::]:80; + server_name {{ server_name }}; + return 301 https://$host$request_uri; + } + + # HTTPS server with load balancing + server { + listen {{ vip_address }}:443 ssl; + listen [::]:443 ssl; + server_name {{ server_name }}; + + ssl_certificate /etc/nginx/ssl/www.au.team.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + # Proxy to backend servers + location / { + 
proxy_pass https://backend_servers; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_ssl_verify off; + proxy_connect_timeout 10s; + proxy_send_timeout 30s; + proxy_read_timeout 30s; + } + + # HSTS header + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + } + + # Stats server + server { + listen {{ vip_address }}:{{ stats_port }}; + server_name {{ server_name }}; + + location / { + stub_status on; + allow 127.0.0.1; + allow 10.0.0.0/8; + allow 172.16.0.0/12; + allow 192.168.0.0/16; + deny all; + } + + location /haproxy_stats { + return 200 "Nginx Stats\nActive connections: $connections_active\n"; + add_header Content-Type text/plain; + } + } + dest: /etc/nginx/sites-available/www.au.team.conf + mode: '0644' + backup: true + notify: Reload nginx + tags: + - nginx + + - name: Enable site configuration + ansible.builtin.file: + src: /etc/nginx/sites-available/www.au.team.conf + dest: /etc/nginx/sites-enabled/www.au.team.conf + state: link + notify: Reload nginx + tags: + - nginx + + - name: Remove default Nginx site + ansible.builtin.file: + path: /etc/nginx/sites-enabled/default + state: absent + ignore_errors: true + tags: + - nginx + + - name: Enable and start Nginx service ansible.builtin.systemd: - name: keepalived + name: nginx enabled: true state: started - daemon_reload: true tags: - - keepalived + - nginx handlers: - - name: Restart keepalived + - name: Reload nginx ansible.builtin.systemd: - name: keepalived - state: restarted - daemon_reload: true \ No newline at end of file + name: nginx + state: reloaded \ No newline at end of file
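Review bot: The HTTPS server block sets `ssl_certificate /etc/nginx/ssl/www.au.team.pem;` but no `ssl_certificate_key`, which nginx requires for a `listen ... ssl` socket, so the vhost will fail the config test; the unused `ssl_cert_path`/`ssl_key_path` vars suggest the intended lines were `ssl_certificate {{ ssl_cert_path }};` and `ssl_certificate_key {{ ssl_key_path }};`, which would also make the shell concatenation task (whose `creates:` guard never refreshes the bundle after a certificate rotation) unnecessary. `proxy_ssl_verify off;` in `location /` means the balancer accepts any certificate from the backends; if the backend certificate is the same one copied here, point `proxy_ssl_trusted_certificate` at it and set `proxy_ssl_verify on;`, or at least record in a comment why verification is disabled. The fallback task's `when: nginx_install is failed` references a variable nothing registers — the package task has `ignore_errors: true` but no `register: nginx_install` — so the conditional errors on an undefined variable instead of selecting the fallback. With the VRRP configuration removed, `listen {{ vip_address }}:443` binds to an address this playbook no longer assigns, so nginx will presumably fail to start unless the VIP is provided elsewhere.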