authorElizabeth Hunt <me@liz.coffee>2025-03-16 22:28:33 -0700
committerElizabeth Hunt <me@liz.coffee>2025-03-16 22:28:33 -0700
commit053abdc560ad31e482fd631b2b7f8ccd4bd3b3f1 (patch)
treec7b3119319e3fc36cbf78dc43b6c8debb572f50f
parent654694f9276cd9c30a7f2690f9336cf63a0172ef (diff)
downloadinfra-053abdc560ad31e482fd631b2b7f8ccd4bd3b3f1.tar.gz
infra-053abdc560ad31e482fd631b2b7f8ccd4bd3b3f1.zip
keepalived
-rw-r--r--deploy.yml3
-rw-r--r--group_vars/keepalived.yml9
-rw-r--r--inventory27
-rw-r--r--playbooks/deploy-keepalived.yml7
-rw-r--r--playbooks/deploy-swarm-cluster.yml12
-rw-r--r--playbooks/roles/ceph/tasks/main.yml2
-rw-r--r--playbooks/roles/keepalived/handlers/main.yml8
-rw-r--r--playbooks/roles/keepalived/tasks/main.yml21
-rw-r--r--playbooks/roles/keepalived/templates/healthcheck.sh.j212
-rw-r--r--playbooks/roles/keepalived/templates/keepalived.conf.j236
-rw-r--r--playbooks/roles/traefik/templates/stacks/traefik.yml2
11 files changed, 116 insertions, 23 deletions
diff --git a/deploy.yml b/deploy.yml
index 415e84a..5b245a3 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -23,3 +23,6 @@
- name: Portainer
ansible.builtin.import_playbook: playbooks/deploy-portainer.yml
+
+- name: Keepalived
+ ansible.builtin.import_playbook: playbooks/deploy-portainer.yml
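Review bot: The new `Keepalived` play imports `playbooks/deploy-portainer.yml` a second time instead of the `playbooks/deploy-keepalived.yml` this commit adds, so running `deploy.yml` applies Portainer twice and never runs the keepalived role. The line should read `ansible.builtin.import_playbook: playbooks/deploy-keepalived.yml`.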
diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml
new file mode 100644
index 0000000..8beb081
--- /dev/null
+++ b/group_vars/keepalived.yml
@@ -0,0 +1,9 @@
+---
+
+keepalived_interface: "enp6s18"
+keepalived_virtual_ip: "10.128.0.200"
+keepalived_virtual_router_id: 50
+keepalived_priority: 100
+keepalived_healthcheck_script: "/etc/keepalived/healthcheck.sh"
+
+traefik_host: "traefik.{{ traefik_domain }}"
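Review bot: `keepalived_priority: 100` is a group-level value, so all three members of `[keepalived]` advertise the same priority and the initial master is picked by the VRRP tie-break rather than by anything in this repository. If master placement should be deterministic, override it per host and say so here, e.g. `# identical on every host: master is chosen by VRRP tie-break; raise per host in host_vars to pin it`. A comment recording that `keepalived_virtual_router_id: 50` must be unique on the L2 segment it shares would also help the next person who adds a VRRP instance to that network.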
diff --git a/inventory b/inventory
index 0245c9c..9e07919 100644
--- a/inventory
+++ b/inventory
@@ -1,7 +1,7 @@
[docker]
-swarm-one ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
-swarm-two ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
-swarm-three ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-two ansible_host=10.128.0.202 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-three ansible_host=10.128.0.203 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
outbound-one.liz.coffee ansible_user=serve ansible_connection=ssh ansible_become_password='{{ outbound_one_become_password }}'
# outbound-two.liz.coffee ansible_user=serve ansible_connection=ssh ansible_become_password='{{ vpn_become_password }}'
@@ -15,17 +15,22 @@ outbound-one.liz.coffee ansible_user=serve ansible_connection=ssh ansible_becom
# outbound-two.liz.coffee ansible_user=serve ansible_connection=ssh ansible_become_password='{{ vpn_become_password }}'
[ceph]
-swarm-one ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
-swarm-two ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
-swarm-three ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-two ansible_host=10.128.0.202 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-three ansible_host=10.128.0.203 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
[swarm]
-swarm-one ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
-swarm-two ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
-swarm-three ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-two ansible_host=10.128.0.202 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-three ansible_host=10.128.0.203 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+
+[keepalived]
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-two ansible_host=10.128.0.202 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-three ansible_host=10.128.0.203 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
[portainer]
-swarm-one ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
[traefik]
-swarm-one ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
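Review bot: The new `[keepalived]` group is a fourth verbatim copy of the three swarm hosts, and the `keepalived.conf.j2` in this commit reads `hostvars[peer]['ansible_host']` for every member, so the membership and every `ansible_host=` value must now be kept identical to `[swarm]` by hand. Declaring it as `[keepalived:children]` with a single `swarm` line underneath keeps membership and host variables in one place. Moving the repeated `ansible_user`/`ansible_connection`/`ansible_become_password` settings into `group_vars` would remove the rest of the duplication; the become-password reference itself is unchanged by this commit.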
diff --git a/playbooks/deploy-keepalived.yml b/playbooks/deploy-keepalived.yml
new file mode 100644
index 0000000..e6fc289
--- /dev/null
+++ b/playbooks/deploy-keepalived.yml
@@ -0,0 +1,7 @@
+---
+
+- name: keepalived setup
+ hosts: keepalived
+ become: true
+ roles:
+ - keepalived
diff --git a/playbooks/deploy-swarm-cluster.yml b/playbooks/deploy-swarm-cluster.yml
index 22dcdb7..945edb9 100644
--- a/playbooks/deploy-swarm-cluster.yml
+++ b/playbooks/deploy-swarm-cluster.yml
@@ -5,19 +5,9 @@
become: true
tasks:
- name: Enable Local Swarm Communications
- loop: "{{ rfc1918_cgnat_networks }}"
community.general.ufw:
rule: allow
- port: "2377"
- from: "{{ item }}"
- state: enabled
-
- - name: Enable Local Swarm Communications
- loop: "{{ rfc1918_cgnat_networks }}"
- community.general.ufw:
- rule: allow
- port: "9001"
- from: "{{ item }}"
+ from: "10.0.0.0/8"
state: enabled
- name: Setup swarm on init node
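Review bot: The rewritten rule carries no `port:` (or `proto:`), so on the new side `community.general.ufw` allows every port from `10.0.0.0/8`, not only the swarm management port 2377 the old loop opened, and the separate 9001 rule is removed rather than widened. If the intent was only to replace the `rfc1918_cgnat_networks` loop with one source range, keep `port: "2377"` under `community.general.ufw:` and add a matching task for `"9001"` with the same `from:`. The enclosing play starts before this hunk.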
diff --git a/playbooks/roles/ceph/tasks/main.yml b/playbooks/roles/ceph/tasks/main.yml
index b554340..b949cce 100644
--- a/playbooks/roles/ceph/tasks/main.yml
+++ b/playbooks/roles/ceph/tasks/main.yml
@@ -23,7 +23,7 @@
key = {{ ceph_secret }}
dest: "/etc/ceph/ceph.client.{{ ceph_client_name }}.keyring"
mode: '0600'
-
+
- name: Ensure Ceph Base Exists
ansible.builtin.file:
path: "{{ ceph_base }}"
diff --git a/playbooks/roles/keepalived/handlers/main.yml b/playbooks/roles/keepalived/handlers/main.yml
new file mode 100644
index 0000000..cab4124
--- /dev/null
+++ b/playbooks/roles/keepalived/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Restart Keepalived
+ ansible.builtin.service:
+ name: keepalived
+ state: restarted
+ enabled: true
+
diff --git a/playbooks/roles/keepalived/tasks/main.yml b/playbooks/roles/keepalived/tasks/main.yml
new file mode 100644
index 0000000..f888621
--- /dev/null
+++ b/playbooks/roles/keepalived/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Install Keepalived
+ ansible.builtin.apt:
+ name: keepalived
+ state: present
+
+- name: Generate Keepalived Healthcheck Script Pinging Traefik
+ ansible.builtin.template:
+ src: healthcheck.sh.j2
+ dest: "{{ keepalived_healthcheck_script }}"
+ mode: 'a+x'
+
+- name: Generate Keepalived Configuration
+ ansible.builtin.template:
+ src: keepalived.conf.j2
+ dest: /etc/keepalived/keepalived.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: Restart Keepalived
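Review bot: `mode: 'a+x'` on the healthcheck template only adds execute bits and leaves ownership and the remaining bits to the umask, while the `keepalived.conf.j2` in this commit enables `enable_script_security` and runs the script as `nobody`; stating `owner: root`, `group: root`, `mode: '0755'` (as the configuration task below already does) makes the permissions deterministic and keeps the file read-only for the account that executes it. Nothing in the role ensures the service is running — the only `enabled: true` is in the `Restart Keepalived` handler, which fires only when the configuration template changes — so an `ansible.builtin.service` task with `name: keepalived`, `state: started`, `enabled: true` after the install task would make re-runs converge on a running service.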
diff --git a/playbooks/roles/keepalived/templates/healthcheck.sh.j2 b/playbooks/roles/keepalived/templates/healthcheck.sh.j2
new file mode 100644
index 0000000..0e6c18b
--- /dev/null
+++ b/playbooks/roles/keepalived/templates/healthcheck.sh.j2
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+PING_HOSTNAME="{{ traefik_host }}"
+VIRTUAL_IP="{{ keepalived_virtual_ip }}"
+
+function do_ping() {
+ local endpoint_hostname="$1"
+ local vip="$2"
+ curl -s -o /dev/null -w "%{http_code}" --resolve "$endpoint_hostname:443:$vip" "https://$endpoint_hostname/ping"
+}
+
+test "$(do_ping "$PING_HOSTNAME" "$VIRTUAL_IP")" = "200"
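Review bot: The probe resolves `$PING_HOSTNAME` to the virtual IP, so on a BACKUP node the request goes across the network to whichever node currently holds the VIP and the result says nothing about this node's own Traefik; every node then gains or loses the `weight 10` together, and failover never shifts preference to a healthy backup. If the score is meant to reflect the local node, resolve to its own address instead, e.g. `VIRTUAL_IP="{{ ansible_host }}"` (or `127.0.0.1` if Traefik listens there), and rename the variable to match. `curl` also has no `--max-time`, and the config runs this every second, so add a bound such as `--max-time 1` next to `-s` so a hung TLS handshake cannot outlive the check interval.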
diff --git a/playbooks/roles/keepalived/templates/keepalived.conf.j2 b/playbooks/roles/keepalived/templates/keepalived.conf.j2
new file mode 100644
index 0000000..cb9c449
--- /dev/null
+++ b/playbooks/roles/keepalived/templates/keepalived.conf.j2
@@ -0,0 +1,36 @@
+global_defs {
+ script_user nobody
+ enable_script_security
+}
+
+vrrp_script chk_avail {
+ script "{{ keepalived_healthcheck_script }}"
+ interval 1
+ weight 10
+ rise 6
+ fall 1
+}
+
+vrrp_instance {{ inventory_hostname }} {
+ interface {{ keepalived_interface }}
+
+ state BACKUP
+ virtual_router_id {{ keepalived_virtual_router_id }}
+ priority {{ keepalived_priority }}
+ advert_int 1
+
+ unicast_src_ip {{ ansible_host }}
+ unicast_peer {
+ {% for peer in groups['keepalived'] if hostvars[peer]['ansible_host'] != ansible_host %}
+ {{ hostvars[peer]['ansible_host'] }}
+ {% endfor %}
+ }
+
+ virtual_ipaddress {
+ {{ keepalived_virtual_ip }} dev {{ keepalived_interface }}
+ }
+
+ track_script {
+ chk_avail
+ }
+}
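Review bot: `vrrp_script chk_avail` has no `timeout`, and `fall 1` with `rise 6` means a single failed probe drops the effective priority immediately while recovery needs six consecutive successes; that asymmetry deserves a comment, e.g. `# fall 1 / rise 6: demote on the first failure, promote only after 6 consecutive OK probes`, and a `timeout` line would bound a hanging probe independently of the script. Every instance is `state BACKUP` with the same `keepalived_priority` from group_vars, so the first master is decided by the VRRP tie-break rather than by configuration, and without `nopreempt` the VIP moves again as soon as another node's effective priority rises above the holder's. There is no `authentication` block on this unicast instance, which matches current keepalived guidance, but a comment stating that the `unicast_peer` list on the private network is the intended trust boundary would make that choice explicit.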
diff --git a/playbooks/roles/traefik/templates/stacks/traefik.yml b/playbooks/roles/traefik/templates/stacks/traefik.yml
index a80c261..feac37f 100644
--- a/playbooks/roles/traefik/templates/stacks/traefik.yml
+++ b/playbooks/roles/traefik/templates/stacks/traefik.yml
@@ -16,6 +16,8 @@ entryPoints:
scheme: https
websecure:
address: ":443"
+ dns:
+ address: ":53/udp"
serversTransport:
insecureSkipVerify: true
providers:
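Review bot: The new `dns` entry point on `:53/udp` is unrelated to the keepalived change the commit describes, and nothing in this hunk shows a UDP router or service behind it, so a reader cannot tell what is expected to answer on that port; a comment above `dns:` naming the service it fronts (for example `# UDP entry point for the <dns service> router` with the real name filled in) would make the intent visible. Note that the ufw rule rewritten in `playbooks/deploy-swarm-cluster.yml` in this same commit no longer restricts ports, so once the stack publishes this entry point it is reachable from all of `10.0.0.0/8`.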