chore: 清理调试脚本并收敛到 Ansible 流程

移除已废弃的调试/验证脚本与空目录，统一文档与脚本说明到 ansible-playbook 的部署方式，避免失效引用和误用路径。 Made-with: Cursor
2026-03-23 19:18:55 +08:00
parent 8a54cac61f
commit be97836e0d
92 changed files with 3463 additions and 4855 deletions
--- a/ansible/files/01-07-haproxy/README.md
+++ b/ansible/files/01-07-haproxy/README.md
@@ -0,0 +1,38 @@
+# 01-07 HAProxy 配置
+
+## 核心目标
+
+本目录下的 **所有 `*.cfg` 必须可被 HAProxy 正确解析并符合文档意图**。验证分两层：
+
+| 层次 | 含义 | 如何验证 |
+|------|------|----------|
+| **① 语法正确** | `haproxy -c -f <cfg>` 无致命错误 | 见下文「仅校验 cfg」或主验证脚本第 2 步 |
+| **② 运行与后端** | 在 OpenWrt 上实际监听 18080/18443 时，经第三方主机 curl 可达 K3s/Traefik 后端 | `./scripts/01-07-verify-haproxy.sh`（完整流程，含 curl） |
+
+仓库内 **frontend 已统一为 `18080` / `18443`**（与 LuCI 的 80/443 分离）；backend 仍指向各节点 **80/443**（Traefik 入口）。按环境修改 `192.168.2.61`～`192.168.2.64`。
+
+## 仅校验本目录 cfg（不跑 curl）
+
+仅需确认 **① 语法**，在仓库根目录执行：
+
+```bash
+./scripts/01-07-verify-haproxy.sh --cfg-only
+```
+
+会将本目录全部 `*.cfg` 拷到 OpenWrt 的 `/tmp/haproxy-verify/`，对每台文件执行 `haproxy -c`（与 OpenWrt 上安装的 HAProxy 版本一致）。
+
+**说明**：`haproxy-https.cfg` 含 `ssl crt /etc/ssl/haproxy.pem`；若路由器上**没有**该 pem，语法检查可能失败，脚本会标为 `[SKIP]`。在 OpenWrt 放置有效 pem 后应能通过 `haproxy -c`。
+
+## 文件一览
+
+| 文件 | 说明（对应 `docs/01-07-openwrt-haproxy.md`） |
+|------|-----------------------------------------------|
+| `haproxy-no-check.cfg` | §2 最简；§3.1 在其 `server` 行加 `check` |
+| `haproxy-http.cfg` | §3.2 HTTP 健康检查（明文 80 后端） |
+| `haproxy-tls.cfg` | §3.3 TLS 握手检查（443 后端，`mode tcp`） |
+| `haproxy-https.cfg` | §3.4 HTTPS 应用层检查（需 HAProxy 终结 TLS，由 HAProxy 提供证书） |
+| `haproxy-proxy-http-tls.cfg` | §5 PROXY + HTTP/TLS 检查 |
+
+## 与 Ansible / OpenWrt
+
+可与 Ansible 共用（复制到 OpenWrt 或通过 playbook 下发）。一键把 **uhttpd 80/443 + HAProxy 18080/18443** 落到路由器见 `scripts/01-07-deploy-openwrt-haproxy.sh`。
--- a/ansible/files/01-07-haproxy/haproxy-http.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-http.cfg
@@ -0,0 +1,38 @@
+# 01-07 HAProxy - 3.2 HTTP 健康检查（80 明文）
+# backend k3s_http 增加 option httpchk GET /
+# 文档：docs/01-07-openwrt-haproxy.md 第 3.2 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    option httpchk GET /
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode tcp
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check
--- a/ansible/files/01-07-haproxy/haproxy-https.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-https.cfg
@@ -0,0 +1,41 @@
+# 01-07 HAProxy - 3.4 HTTPS 健康检查（443 应用层，HAProxy 终结 TLS，由 HAProxy 提供证书）
+# frontend 需 bind *:443 ssl，backend mode http 连 K3s:443 做 HTTP over TLS 检查
+# 将 your-ingress.example.com 改为实际 Host；将 /etc/ssl/haproxy.pem 改为实际证书路径
+# 自签/内网 CA 用 verify none，生产建议 ca-file
+# 文档：docs/01-07-openwrt-haproxy.md 第 3.4 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443 ssl crt /etc/ssl/haproxy.pem
+    mode http
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode http
+    option httpchk GET / HTTP/1.1\r\nHost:\ your-ingress.example.com
+    default-server ssl verify none
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check
--- a/ansible/files/01-07-haproxy/haproxy-no-check.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-no-check.cfg
@@ -0,0 +1,38 @@
+# 01-07 OpenWrt HAProxy 负载均衡 - 原生最简（无健康检查）
+# 文档：docs/01-07-openwrt-haproxy.md 第 2 节
+# 将 192.168.2.61～64 按实际 K3s 节点 IP 修改
+# 如需健康检查，见第 3 节对应 cfg
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80
+    server ylc62 192.168.2.62:80
+    server ylc63 192.168.2.63:80
+    server ylc64 192.168.2.64:80
+
+backend k3s_https
+    mode tcp
+    balance roundrobin
+    server ylc61 192.168.2.61:443
+    server ylc62 192.168.2.62:443
+    server ylc63 192.168.2.63:443
+    server ylc64 192.168.2.64:443
--- a/ansible/files/01-07-haproxy/haproxy-proxy-http-tls.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-proxy-http-tls.cfg
@@ -0,0 +1,39 @@
+# 01-07 HAProxy - 健康检查升级（HTTP+TLS）+ PROXY Protocol
+# 组合：k3s_http 用 option httpchk，k3s_https 用 ssl-hello-chk，均带 send-proxy-v2
+# 文档：docs/01-07-openwrt-haproxy.md 第 5 节「健康检查与 PROXY 组合」
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    option httpchk GET /
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check send-proxy-v2
+    server ylc62 192.168.2.62:80 check send-proxy-v2
+    server ylc63 192.168.2.63:80 check send-proxy-v2
+    server ylc64 192.168.2.64:80 check send-proxy-v2
+
+backend k3s_https
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check send-proxy-v2
+    server ylc62 192.168.2.62:443 check send-proxy-v2
+    server ylc63 192.168.2.63:443 check send-proxy-v2
+    server ylc64 192.168.2.64:443 check send-proxy-v2
--- a/ansible/files/01-07-haproxy/haproxy-tls.cfg
+++ b/ansible/files/01-07-haproxy/haproxy-tls.cfg
@@ -0,0 +1,38 @@
+# 01-07 HAProxy - 3.3 TLS 健康检查（443 握手，mode tcp）
+# backend k3s_https 增加 option ssl-hello-chk
+# 文档：docs/01-07-openwrt-haproxy.md 第 3.3 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:18080
+    default_backend k3s_http
+
+frontend https_in
+    bind *:18443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check