Saltstack Official Nginx Formula


  1. {% from 'nginx/map.jinja' import nginx with context %}
  2. include:
  3. - nginx.service
  4. {% set certificates_path = salt['pillar.get']('nginx:certificates_path', '/etc/nginx/ssl') %}
  5. prepare_certificates_path_dir:
  6. file.directory:
  7. - name: {{ certificates_path }}
  8. - makedirs: True
  9. {%- for dh_param, value in salt['pillar.get']('nginx:dh_param', {}).items() %}
  10. {%- if value is string %}
  11. create_nginx_dhparam_{{ dh_param }}_key:
  12. file.managed:
  13. - name: {{ certificates_path }}/{{ dh_param }}
  14. - contents_pillar: nginx:dh_param:{{ dh_param }}
  15. - makedirs: True
  16. - require:
  17. - file: prepare_certificates_path_dir
  18. - watch_in:
  19. - service: nginx_service
  20. {%- else %}
  21. generate_nginx_dhparam_{{ dh_param }}_key:
  22. pkg.installed:
  23. - name: {{ nginx.lookup.openssl_package }}
  24. cmd.run:
  25. - name: openssl dhparam -out {{ dh_param }} {{ value.get('keysize', 2048) }}
  26. - cwd: {{ certificates_path }}
  27. - creates: {{ certificates_path }}/{{ dh_param }}
  28. - require:
  29. - file: prepare_certificates_path_dir
  30. - pkg: generate_nginx_dhparam_{{ dh_param }}_key
  31. - watch_in:
  32. - service: nginx_service
  33. {%- endif %}
  34. {%- endfor %}
  35. {%- for domain in salt['pillar.get']('nginx:certificates', {}).keys() %}
  36. nginx_{{ domain }}_ssl_certificate:
  37. file.managed:
  38. - name: {{ certificates_path }}/{{ domain }}.crt
  39. - makedirs: True
  40. {% if salt['pillar.get']("nginx:certificates:{}:public_cert_pillar".format(domain)) %}
  41. - contents_pillar: {{ salt['pillar.get']('nginx:certificates:{}:public_cert_pillar'.format(domain)) }}
  42. {% else %}
  43. - contents_pillar: nginx:certificates:{{ domain }}:public_cert
  44. {% endif %}
  45. - watch_in:
  46. - service: nginx_service
  47. {% if salt['pillar.get']("nginx:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain)) %}
  48. nginx_{{ domain }}_ssl_key:
  49. file.managed:
  50. - name: {{ certificates_path }}/{{ domain }}.key
  51. - mode: 600
  52. - makedirs: True
  53. {% if salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain)) %}
  54. - contents_pillar: {{ salt['pillar.get']('nginx:certificates:{}:private_key_pillar'.format(domain)) }}
  55. {% else %}
  56. - contents_pillar: nginx:certificates:{{ domain }}:private_key
  57. {% endif %}
  58. - watch_in:
  59. - service: nginx_service
  60. {% endif %}
  61. {%- endfor %}