diff --git a/KeepAliveD_config/KPAVD-VM-1.conf b/KPAVD-VM-1.conf
similarity index 81%
rename from KeepAliveD_config/KPAVD-VM-1.conf
rename to KPAVD-VM-1.conf
index e0f0622..dbaa325 100644
--- a/KeepAliveD_config/KPAVD-VM-1.conf
+++ b/KPAVD-VM-1.conf
@@ -7,14 +7,14 @@ vrrp_script track_npm {
 vrrp_instance {
 state MASTER
- interface eth0
- virtual_router_id 40
+ interface
+ virtual_router_id 10
 priority 100
 advert_int 1
 unicast_src_ip
 unicast_peer {
- <>
+
 }
 authentication {
@@ -23,7 +23,7 @@ vrrp_instance {
 }
 virtual_ipaddress {
- /
+ / dev
 }
 track_script {
diff --git a/KeepAliveD_config/KPAVD-VM-2.conf b/KPAVD-VM-2.conf
similarity index 77%
rename from KeepAliveD_config/KPAVD-VM-2.conf
rename to KPAVD-VM-2.conf
index da13047..f8ac8af 100644
--- a/KeepAliveD_config/KPAVD-VM-2.conf
+++ b/KPAVD-VM-2.conf
@@ -7,14 +7,14 @@ vrrp_script track_npm {
 vrrp_instance NPM-V1 {
 state BACKUP
- interface eth0
- virtual_router_id 40
- priority 10
+ interface
+ virtual_router_id 10
+ priority 95
 advert_int 1
 unicast_src_ip
 unicast_peer {
-
+
 }
 authentication {
@@ -23,7 +23,7 @@ vrrp_instance NPM-V1 {
 }
 virtual_ipaddress {
- /
+ / dev
 }
 track_script {
diff --git a/KeepAliveD_config/KPAVD-VM-3.conf b/KPAVD-VM-3.conf
similarity index 77%
rename from KeepAliveD_config/KPAVD-VM-3.conf
rename to KPAVD-VM-3.conf
index 3a329bb..1317a1e 100644
--- a/KeepAliveD_config/KPAVD-VM-3.conf
+++ b/KPAVD-VM-3.conf
@@ -7,14 +7,14 @@ vrrp_script track_npm {
 vrrp_instance NPM-V1 {
 state BACKUP
- interface eth0
- virtual_router_id 40
- priority 11
+ interface
+ virtual_router_id 10
+ priority 90
 advert_int 1
 unicast_src_ip
 unicast_peer {
-
+
 }
 authentication {
@@ -23,7 +23,7 @@ vrrp_instance NPM-V1 {
 }
 virtual_ipaddress {
- /
+ / dev
 }
 track_script {
diff --git a/KeepAliveD_config/rsync_between_nodes.sh b/KeepAliveD_config/rsync_between_nodes.sh
deleted file mode 100644
index 6f33899..0000000
--- a/KeepAliveD_config/rsync_between_nodes.sh
+++ /dev/null
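Review bot: The `authentication {` block kept as context in the first KPAVD-VM-1.conf hunk (and in the matching hunks of KPAVD-VM-2.conf and KPAVD-VM-3.conf) presumably carries VRRP `auth_type PASS`, which the README's "8-characters long" remark also suggests; keepalived truncates that password to 8 characters and VRRPv2 sends it in cleartext, so it is not a real barrier against a host on the same segment advertising with a higher priority. The isolated peer VLAN the README recommends is the actual control, and it deserves a comment next to the block, e.g. `# auth_pass is cleartext on the wire; keep VRRP (IP proto 112) on the isolated peer VLAN and filter it to the unicast_peer addresses`. The new `interface`, `unicast_src_ip` and `unicast_peer` entries and the `/ dev` line under `virtual_ipaddress` appear to have lost their placeholder values in this rendering; keepalived rejects an empty `interface`, so if these are templates, explicit markers such as `<IFACE>` and `<VIP/PREFIX> dev <IFACE>` would make the required edits visible. The vrrp_instance block in each file continues past the hunks.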
@@ -1,55 +0,0 @@ -#!/bin/bash - -# CHECK IF ALL ARGUMENTS HAVE BEEN PASSED -if [ -z $1 ] || [ -z $2 ] || [ -z $3 ]; then - - echo "You need to pass three arguments." - echo "frst argument == container name" - echo "scnd argument == local_username" - echo "thrd argument == remote_username" - - exit - -fi - -# RSYNC FUNCTION -rsync_npmz () { - # $1 == local_username input - # $2 == remote_username input - - # NODE-1 - rsync -avru /home/$1/npm/ $2@:/home/$2/npm/ - - # NODE-2 - rsync -avru /home/$1/npm/ $2@:/home/$2/npm/ - -} - -# DEF VARIABLE NAMES -container_name=$1 -local_username=$2 -remote_username=$3 - -state_restarting=$(sudo docker inspect --format="{{.State.Restarting}}" "$container_name") -state_running=$(sudo docker inspect --format="{{.State.Running}}" "$container_name" 2> /dev/null) - -# MAIN CODE -if [ "$state_restarting" = "false" ] && [ "$state_running" = "true" ]; then - - echo "Container is up, that's goood." - - sleep 30; - - rsync_npmz $local_username $remote_username - -else - echo "Container is down, tho it should not be." - - rsync_npmz $local_username $remote_username -fi - -# AFTER RSYNCING -sudo docker-compose -f "/home/$local_username/npm/docker-compose.yml" up - -echo "NPM has been started." -echo "Bye"
diff --git a/README.md b/README.md
index 30b6006..bfae139 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,68 @@
 # Nginx-Proxy-Manager-KeepAliveD
-KeepAliveD with NPM for a HA cluster
+KeepAliveD with NPM for a HA "cluster".
+
+In short, it is a simple failover using a KAD with a VIP on DMZ.
+
+This repo assumes that you have 3 nodes. If you have 2 nodes then do not include VM-3 file and edit .conf files so that you only have one unicast_peer.
+
+If you have more than 3 nodes then copy KPAVD-VM-3.conf and edit it
+
+At the bottom I've written some examples on how to divide traffic for better security.
+
+## Requirements
+Docker
+
+KeepAliveD
+
+Access to internet
+
+Docker Healthcheck configured with NPM container. Check file |docker-compose.yml| for an example.
+## Installation and editing configs
+
+Download repo as zip or clone it.
+
+Place KPAVD-VM-<> in /etc/keepalived/
+
+Change to an interface where KAD on nodes will communicate.
+
+Then edit in the KPAVD-VM-1.conf and in the rest of the .conf files.
+
+After that edit in all three config files and/or add more if needed.. Remember to not include |unicast_src_ip| in the |unicast_peer| list.
+
+Change VIP under |virtual_ipaddress| so that it should resemble 192.168.1.5/24 dev enp1s0. If you do plan to have Virtual IP on different NIC then remove |dev |, allthough I think it is better to set it on a specific interface. Then you will not wake up one day to see VIP on a random interface.
+
+Place the |check_docker_container.sh| in your preferable folder. I suggest placing it together with config file. After that edit path after |script| so that it would point to the script. Lastly change to one that your NPM container has.
+
+Lastly edit . Note that it should be 8-characters long.
+
+After everything mentioned above restart keepalived service and it should work.
+
+## Short config explanation
+
+### vrrp_script
+
+interval 5 -- Runs script every 5 seconds. It means that downtime should be for about 5 seconds. You can tweak it to a lower number but then set rise to a higher number.
+
+fall 1 -- Number of times after which a node is put into FAULT STATE. Can be set to 0 or removed completely.
+
+rise 30 -- After 30 succesfull runs node is put into MASTER/BACKUP STATE. It is set to 30 as I need to wait around 150 for NPM to route traffic again. If it comes back faster for you then it can be lowered from 30.
+
+### vrrp_instance
+
+virtual_router_id -- ID of VRRP instance. All nodes need to have the same id.
+
+priority -- Priority of a particular node. Higher priority means that a node will be a MASTER node before ones with lower prioruty
+
+## Example bare-minimum setup
+VLAN10-DMZ -- Here will the VIP be. Configure ACLs so that this would be accessible from your preferred VLANs.
+
+VLAN20-Internal -- Network that should not have any open ports. It also needs to have access to internet in order to download KAD, Docker, etc.
+
+## More secure setup
+VLAN30-SSH-MGT -- It is used for SSHing into nodes. The purpose of creating it is to setup sshd_config to only respond to address set on that vlan.
+
+VLAN50-KPAVD -- Fully enclosed network. Preferably without access to a gateway. It is only for communication between nodes.
+
+Also set up UFW or iptables.
diff --git a/KeepAliveD_config/check_docker_container.sh b/check_docker_container.sh
similarity index 100%
rename from KeepAliveD_config/check_docker_container.sh
rename to check_docker_container.sh
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..42fed9a
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,23 @@
+version: '3.5'
+services:
+
+ # Official setup instructions https://nginxproxymanager.com/setup/
+ nginx-proxy-manager:
+ image: jc21/nginx-proxy-manager:2.10.4
+ restart: unless-stopped
+ container_name: revprox # This is the container name that will be passed to script
+ ports:
+ - 80:80
+ - 443:443
+ - :81:81 # Only allow connections to dashboardfrom something like management vlan
+ volumes:
+ - ./NPM_data/:/data
+ - ./NPM_letsencrypt/:/etc/letsencrypt
+ environment:
+ PUID: 1000
+ PGID: 1000
+ healthcheck:
+ test: ["CMD", "/bin/check-health"]
+ start_period: 150s
+ interval: 10s
+ timeout: 3s
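Review bot: The dashboard entry `- :81:81` under `ports` depends on a host-address prefix that is empty on the new side (it looks like a stripped placeholder), and the comment beside it only states the intent; if the prefix is left out, nothing in this file restricts the bind, so verify Compose does not silently fall back to 0.0.0.0 and make the requirement explicit, e.g. `- "<MGMT_VLAN_IP>:81:81"`. Ports published through `ports:` are installed by Docker in its own iptables chains ahead of UFW's rules, so the UFW/iptables hardening the README recommends will not block 80, 443 or 81 unless the rules are added to the DOCKER-USER chain; a one-line comment above `ports:` saying so would save a reader from a false sense of coverage. The `healthcheck` block also sets no `retries`, so the number of consecutive failures before the container is reported unhealthy (and the keepalived track script reacts) is Docker's default rather than a deliberate choice; consider pinning it alongside `interval` and `timeout`.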