Uses keepalived, certbot, and haproxy to setup a ha load balancer that can also handle letsencrypt certs.
Jeff Baskin fe36ef0a9c Allowed haproxy to bind to virtual ip. 2 months ago

README.md

Entrance Role

This module sets up two or more servers as an entry point to your network. This includes setting up floating IPs, routers, and a cert requester.

Role Variables

entrance_group: Ansible group to be used for entrance servers.

  • defaults to "entrance"

entrance_certbot_email: Email address to receive certbot notifications.

entrance_certbot_live_dir: Directory containing the certbot certs.

  • defaults to "/etc/letsencrypt/live"

entrance_certbot_port: Port assigned to certbot.

  • defaults to 8090

entrance_domains: List of domains for certbot.

entrance_certbot_hour: The hour to run the certbot update script.

  • defaults to 2 AM.

entrance_certbot_minute: The minute to run the certbot update script.

  • defaults to 30.

entrance_notify: A list of email addresses to send haproxy alerts to.

entrance_smtp: The mail server through which the alerts are sent.

entrance_bridge: The network interface to be used.

  • defaults to "enp0s3"

entrance_passwd: Password used by haproxy.

entrance_fipv4: List of floating IPv4 addresses.

entrance_fipv6: List of floating IPv6 addresses.

entrance_admins: List of user names and passwords allowed to access the haproxy stats page.

  • user: user name, defaults to "admin"
  • password: password, defaults to "admin"

entrance_ha_stat_port: Port for haproxy stats page.

  • defaults to "9000"

entranct_haproxy_dir: Directory containing haproxy config files.

  • defaults to "/etc/haproxy"

entrance_haproxy_cert_dir: Directory containing the haproxy certs.

  • defaults to "{{ entranct_haproxy_dir }}/ssl"

entrance_proxy_config: The haproxy configuration to render.

  • See defaults/main.yml for example

entrance_ports: List of port settings to open in the firewall.

  • defaults to '- "{{ entrance_ha_stat_port }}/tcp"'

entrance_services: List of services to open in the firewall.

  • defaults to http and https

Requirements

It is assumed that the certbot /etc/letsencrypt and the haproxy /etc/haproxy/ssl directories are shared across machines. Otherwise the certs will not be available, or cannot be renewed, when the machine fails over. The system corrects itself the next time the certbot cron job runs, but there is no secure access until then.

Additionally, haproxy may fail on the first run: if no certs are available in the ssl directory, haproxy will fail on start up. To resolve this, run the certbot cron job to create the certs.
Once the certs are available, haproxy should start.
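The empty-ssl-directory failure described above can be checked before haproxy is (re)started. The POSIX shell functions below are an added example, not part of this role; they assume the layout of entrance_certbot_live_dir and entrance_haproxy_cert_dir, and they assume (an assumption about this role's haproxy config, not stated on the page) that haproxy reads one PEM bundle per domain containing fullchain followed by privkey.

```shell
#!/bin/sh
# Added example, not part of the entrance role.
# Rebuilds haproxy PEM bundles from the certbot live directory and reports
# whether haproxy has at least one certificate to serve.
# Assumed layout: LIVE_DIR/<domain>/{fullchain,privkey}.pem (certbot) and
# SSL_DIR/<domain>.pem (haproxy), i.e. entrance_certbot_live_dir and
# entrance_haproxy_cert_dir. Both paths are arguments so the check can be run
# against any directories.

# sync_haproxy_certs LIVE_DIR SSL_DIR
# Writes SSL_DIR/<domain>.pem for every complete certbot pair, skipping
# domains where fullchain or privkey is missing (a half bundle would only
# make haproxy reject the file). Prints the bundle count; returns 1 if zero,
# which is exactly the state in which haproxy refuses to start.
sync_haproxy_certs() {
    live_dir="$1"
    ssl_dir="$2"
    mkdir -p "$ssl_dir"
    for d in "$live_dir"/*/; do
        [ -d "$d" ] || continue
        domain=$(basename "$d")
        if [ -f "$d/fullchain.pem" ] && [ -f "$d/privkey.pem" ]; then
            tmp="$ssl_dir/.$domain.pem.tmp"
            # The bundle holds private key material: create it 0600 in a
            # subshell umask, then rename atomically so haproxy never sees
            # a partially written file.
            ( umask 077; cat "$d/fullchain.pem" "$d/privkey.pem" > "$tmp" )
            mv -f "$tmp" "$ssl_dir/$domain.pem"
        fi
    done
    count_bundles "$ssl_dir"
}

# count_bundles SSL_DIR: prints the number of *.pem bundles, returns 1 if none.
count_bundles() {
    n=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
    [ "$n" -gt 0 ]
}
```

Run `sync_haproxy_certs /etc/letsencrypt/live /etc/haproxy/ssl` before starting haproxy; a non-zero exit means the certbot cron job still has to run first.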

Platforms

  • fedora: all

License

MIT