readme edit

2024-01-27 20:30:05 +01:00 · 2024-01-27 20:30:05 +01:00 · c6bfaabfe3
commit c6bfaabfe3
parent 76fe30e7c3
7 changed files with 102 additions and 70 deletions
--- a/KeepAliveD_config/KPAVD-VM-1.conf
+++ b/KeepAliveD_config/KPAVD-VM-1.conf
@ -7,14 +7,14 @@ vrrp_script track_npm {

 vrrp_instance <YOUR_MASTER_INSTANCE> {
    state MASTER
-    interface eth0
-    virtual_router_id 40
+    interface <KAD_NET>
+    virtual_router_id 10
    priority 100
    advert_int 1

    unicast_src_ip <MASTER_NODE_IP>
    unicast_peer {
-        <>
+        <BACKUP_NODE_IP>
    }

    authentication {
@ -23,7 +23,7 @@ vrrp_instance <YOUR_MASTER_INSTANCE> {
    }

    virtual_ipaddress {
-        <VIP>/<MASK>
+        <VIP>/<MASK> dev <DMZ_NIC>
    }

    track_script {
--- a/KeepAliveD_config/KPAVD-VM-2.conf
+++ b/KeepAliveD_config/KPAVD-VM-2.conf
@ -7,14 +7,14 @@ vrrp_script track_npm {

 vrrp_instance NPM-V1 {
    state BACKUP
-    interface eth0
-    virtual_router_id 40
-    priority 10
+    interface <KAD_NET>
+    virtual_router_id 10
+    priority 95
    advert_int 1

    unicast_src_ip <NODE_IP>
    unicast_peer {
-        <PEER_IP>
+        <BACKUP_NODE_IP>
    }

    authentication {
@ -23,7 +23,7 @@ vrrp_instance NPM-V1 {
    }

    virtual_ipaddress {
-        <VIRTUAL_IP>/<SUBNETMASK>
+        <VIP>/<MASK> dev <DMZ_NIC>
    }

    track_script {
--- a/KeepAliveD_config/KPAVD-VM-3.conf
+++ b/KeepAliveD_config/KPAVD-VM-3.conf
@ -7,14 +7,14 @@ vrrp_script track_npm {

 vrrp_instance NPM-V1 {
    state BACKUP
-    interface eth0
-    virtual_router_id 40
-    priority 11
+    interface <KAD_NET>
+    virtual_router_id 10
+    priority 90
    advert_int 1

    unicast_src_ip <NODE_IP>
    unicast_peer {
-        <PEER_IP>
+        <BACKUP_NODE_IP>
    }

    authentication {
@ -23,7 +23,7 @@ vrrp_instance NPM-V1 {
    }

    virtual_ipaddress {
-        <VIRTUAL_IP>/<SUBNETMASK>
+        <VIP>/<MASK> dev <DMZ_NIC>
    }

    track_script {
--- a/KeepAliveD_config/rsync_between_nodes.sh
+++ b/KeepAliveD_config/rsync_between_nodes.sh
@ -1,55 +0,0 @@
-#!/bin/bash
-
-# CHECK IF ALL ARGUMENTS HAVE BEEN PASSED
-if [ -z $1 ] || [ -z $2 ] || [ -z $3 ]; then
-
-    echo "You need to pass three arguments."
-    echo "frst argument == container name"
-    echo "scnd argument == local_username"
-    echo "thrd argument == remote_username" 
-
-    exit
-
-fi
-
-# RSYNC FUNCTION
-rsync_npmz () {
-    # $1 == local_username input
-    # $2 == remote_username input
-
-    # NODE-1
-    rsync -avru /home/$1/npm/ $2@<NODE_1_IP>:/home/$2/npm/
-
-    # NODE-2
-    rsync -avru /home/$1/npm/ $2@<NODE_2_IP>:/home/$2/npm/
-
-}
-
-# DEF VARIABLE NAMES
-container_name=$1
-local_username=$2
-remote_username=$3
-
-state_restarting=$(sudo docker inspect --format="{{.State.Restarting}}" "$container_name")
-state_running=$(sudo docker inspect --format="{{.State.Running}}" "$container_name" 2> /dev/null)
-
-# MAIN CODE
-if [ "$state_restarting" = "false" ] && [ "$state_running" = "true" ]; then
-
-    echo "Container is up, that's goood."
-
-    sleep 30;
-
-    rsync_npmz $local_username $remote_username
-
-else
-    echo "Container is down, tho it should not be."
-    
-    rsync_npmz $local_username $remote_username
-fi
-
-# AFTER RSYNCING
-sudo docker-compose -f "/home/$local_username/npm/docker-compose.yml" up
-
-echo "NPM has been started."
-echo "Bye"
--- a/README.md
+++ b/README.md
@ -1,4 +1,68 @@
 # Nginx-Proxy-Manager-KeepAliveD
-KeepAliveD with NPM for a HA cluster
+KeepAliveD with NPM for a HA "cluster".
+
+In short, it is a simple failover using a KAD with a VIP on DMZ. 
+
+This repo assumes that you have 3 nodes. If you have 2 nodes then do not include VM-3 file and edit .conf files so that you only have one unicast_peer. 
+
+If you have more than 3 nodes then copy KPAVD-VM-3.conf and edit it 
+
+At the bottom I've written some examples on how to divide traffic for better security.
+
+## Requirements
+Docker
+
+KeepAliveD
+
+Access to internet
+
+Docker Healthcheck configured with NPM container. Check file |docker-compose.yml| for an example.


+## Installation and editing configs
+
+Download repo as zip or clone it. 
+
+Place KPAVD-VM-<> in /etc/keepalived/
+
+Change <KAD_NET> to an interface where KAD on nodes will communicate.
+
+Then edit <MASTER_NODE_IP> in the KPAVD-VM-1.conf and <NODE_IP> in the rest of the .conf files. 
+
+After that edit <BACKUP_NODE_IP> in all three config files and/or add more if needed.. Remember to not include |unicast_src_ip| in the |unicast_peer| list.
+
+Change VIP under |virtual_ipaddress| so that it should resemble 192.168.1.5/24 dev enp1s0. If you do plan to have Virtual IP on different NIC then remove |dev <DMZ_NIC>|, allthough I think it is better to set it on a specific interface. Then you will not wake up one day to see VIP on a random interface.
+
+Place the |check_docker_container.sh| in your preferable folder. I suggest placing it together with config file. After that edit path after |script| so that it would point to the script. Lastly change <name_of_your_container> to one that your NPM container has. 
+
+Lastly edit <CHANGE_TO_8-CHARACTER_PASSWORD>. Note that it should be 8-characters long.
+
+After everything mentioned above restart keepalived service and it should work.
+
+## Short config explanation
+
+### vrrp_script
+
+interval 5 -- Runs script every 5 seconds. It means that downtime should be for about 5 seconds. You can tweak it to a lower number but then set rise to a higher number.
+
+fall 1 -- Number of times after which a node is put into FAULT STATE. Can be set to 0 or removed completely.
+
+rise 30 -- After 30 succesfull runs node is put into MASTER/BACKUP STATE. It is set to 30 as I need to wait around 150 for NPM to route traffic again. If it comes back faster for you then it can be lowered from 30.
+
+### vrrp_instance
+
+virtual_router_id -- ID of VRRP instance. All nodes need to have the same id.
+
+priority -- Priority of a particular node. Higher priority means that a node will be a MASTER node before ones with lower prioruty
+
+## Example bare-minimum setup
+VLAN10-DMZ -- Here will the VIP be. Configure ACLs so that this would be accessible from your preferred VLANs.
+
+VLAN20-Internal -- Network that should not have any open ports. It also needs to have access to internet in order to download KAD, Docker, etc.
+
+## More secure setup
+VLAN30-SSH-MGT -- It is used for SSHing into nodes. The purpose of creating it is to setup sshd_config to only respond to address set on that vlan.
+
+VLAN50-KPAVD -- Fully enclosed network. Preferably without access to a gateway. It is only for communication between nodes.
+
+Also set up UFW or iptables.
--- a/KeepAliveD_config/check_docker_container.sh
+++ b/KeepAliveD_config/check_docker_container.sh
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,23 @@
+version: '3.5'
+services:
+
+  # Official setup instructions https://nginxproxymanager.com/setup/
+  nginx-proxy-manager:
+    image: jc21/nginx-proxy-manager:2.10.4
+    restart: unless-stopped
+    container_name: revprox  # This is the container name that will be passed to script
+    ports:
+      - 80:80  
+      - 443:443
+      - <MGT_IP>:81:81  # Only allow connections to dashboardfrom something like management vlan 
+    volumes:
+      - ./NPM_data/:/data
+      - ./NPM_letsencrypt/:/etc/letsencrypt
+    environment:
+      PUID: 1000
+      PGID: 1000
+    healthcheck:
+      test: ["CMD", "/bin/check-health"]
+      start_period: 150s
+      interval: 10s
+      timeout: 3s