
refactor: replace old `nginx` with `nginx.ng`

BREAKING CHANGE: all previous `nginx` based configurations must be reviewed;
`nginx.ng` usage must be promoted to `nginx` and any uses of the original
`nginx` will have to be converted.
tags/v1.0.0
Eric Veiras Galisson 5 years ago
Parent
commit
0fc507055d
35 changed files with 586 additions and 1780 deletions
  1. docs/README.rst (+10 -59)
  2. docs/TOFS_pattern.rst (+1 -1)
  3. kitchen.yml (+1 -1)
  4. nginx/certificates.sls (+13 -13)
  5. nginx/common.sls (+0 -58)
  6. nginx/config.sls (+3 -3)
  7. nginx/files/nginx.conf (+0 -0)
  8. nginx/files/nginx.service (+0 -0)
  9. nginx/files/server.conf (+0 -0)
  10. nginx/init.sls (+27 -15)
  11. nginx/luajit2.sls (+0 -16)
  12. nginx/map.jinja (+194 -62)
  13. nginx/ng/init.sls (+0 -30)
  14. nginx/ng/map.jinja (+0 -197)
  15. nginx/openresty.sls (+0 -31)
  16. nginx/package.sls (+0 -128)
  17. nginx/passenger.sls (+5 -5)
  18. nginx/pkg.sls (+2 -2)
  19. nginx/servers.sls (+6 -6)
  20. nginx/servers_config.sls (+3 -3)
  21. nginx/service.sls (+7 -7)
  22. nginx/snippets.sls (+3 -3)
  23. nginx/source.sls (+0 -277)
  24. nginx/src.sls (+3 -3)
  25. nginx/sysvinit.sls (+0 -34)
  26. nginx/templates/RedHat-sysvinit-logger.jinja (+0 -100)
  27. nginx/templates/config.jinja (+0 -79)
  28. nginx/templates/nginx.init.jinja (+0 -101)
  29. nginx/templates/sysvinit-logger.jinja (+0 -113)
  30. nginx/templates/upstart-logger.jinja (+0 -20)
  31. nginx/templates/upstart.jinja (+0 -23)
  32. nginx/upstart.sls (+0 -28)
  33. nginx/users.sls (+0 -30)
  34. pillar.example (+279 -302)
  35. test/salt/default/pillar/nginx.sls (+29 -30)

docs/README.rst (+10 -59)

@@ -17,99 +17,50 @@ Available states
:local:

``nginx``
---------

Runs the states to install nginx, configure the common files, and the users.

``nginx.common``
----------------

Ensures standard nginx files are in place, and configures enabled sites.

``nginx.luajit2``
-----------------

Installs luajit.

``nginx.openresty``
-------------------

Installs openresty.

``nginx.package``
-----------------

Installs the nginx package via package manager.

``nginx.source``
----------------

Installs nginx via the source files.

``nginx.users``
---------------

Installs apache utils, and configures nginx users specified in the pillar.
This requires `basicauth <https://github.com/saltstack/salt-contrib/blob/master/modules/basicauth.py>`_
from `salt-contrib <https://github.com/saltstack/salt-contrib/>`_ (either add it to your salt or ship
this single file in your `_modules` directory see `Dynamic Module Distribution
<https://docs.saltstack.com/en/latest/ref/file_server/dynamic-modules.html>`_

Next-generation, alternate approach
===================================

The following states provide an alternate approach to managing Nginx and Nginx
servers, as well as code organization. Please provide feedback by filing issues,
discussing in ``#salt`` in Freenode and the mailing list as normal.

.. contents::
:local:

``nginx.ng``
------------

Meta-state for inclusion of all ng states.
Meta-state for inclusion of all states.

**Note:** nginx.ng requires the merge parameter of salt.modules.pillar.get(),
**Note:** nginx requires the merge parameter of salt.modules.pillar.get(),
first available in the Helium release.

``nginx.ng.pkg``
``nginx.pkg``
--------------------

Installs nginx from package, from the distribution repositories, the official nginx repo or the ppa from Launchpad.

``nginx.ng.src``
``nginx.src``
--------------------

Builds and installs nginx from source.

``nginx.ng.certificates``
``nginx.certificates``
-------------------

Manages the deployment of nginx certificates.

``nginx.ng.config``
``nginx.config``
-------------------

Manages the nginx main server configuration file.

``nginx.ng.service``
``nginx.service``
--------------------

Manages the startup and running state of the nginx service.

``nginx.ng.servers_config``
``nginx.servers_config``
--------------------------

Manages virtual host files. This state only manages the content of the files
and does not bind them to service calls.

``nginx.ng.servers``
``nginx.servers``
-------------------

Manages nginx virtual hosts files and binds them to service calls.

``nginx.ng.passenger``
``nginx.passenger``
----------------------

Installs and configures Phusion Passenger module for nginx. You need to enable
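Review bot: missing upgrade guidance in the state list. The sections for ``nginx.common``, ``nginx.luajit2``, ``nginx.openresty``, ``nginx.package``, ``nginx.source`` and ``nginx.users`` are dropped and every ``nginx.ng.*`` heading is renamed, yet nothing maps the old state names and pillar keys to the new ones. Since the commit message flags a breaking change, add a short upgrade section stating that pillar data moves from `nginx:ng:...` to `nginx:...` and listing which removed states have no replacement.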

docs/TOFS_pattern.rst (+1 -1)

@@ -39,7 +39,7 @@ Using SaltStack is a simple and effective way to implement configuration managem

To avoid this situation we can use the `pillar mechanism <http://docs.saltstack.com/en/latest/topics/pillar/>`_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja <http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html>`_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates.

There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/spsoit/nginx-formula/blob/81de880fe0276dd9488ffa15bc78944c0fc2b919/nginx/ng/files/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer.
There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/spsoit/nginx-formula/blob/81de880fe0276dd9488ffa15bc78944c0fc2b919/nginx/files/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer.

In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values.
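Review bot: the rewritten target of the "non-trivial Jinja" link is a permalink pinned to commit 81de880fe0276dd9488ffa15bc78944c0fc2b919 of spsoit/nginx-formula, a snapshot this rename cannot affect, so changing `nginx/ng/files/nginx.conf` to `nginx/files/nginx.conf` in that URL most likely produces a dead link. This looks like a side effect of a repository-wide search and replace; keep the original path for this external reference.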


kitchen.yml (+1 -1)

@@ -72,7 +72,7 @@ provisioner:
state_top:
base:
'*':
- nginx.ng
- nginx
pillars:
top.sls:
base:

nginx/ng/certificates.sls → nginx/certificates.sls

@@ -1,16 +1,16 @@
{% from 'nginx/ng/map.jinja' import nginx with context %}
{% from 'nginx/map.jinja' import nginx with context %}

include:
- nginx.ng.service
- nginx.service

{% set certificates_path = salt['pillar.get']('nginx:ng:certificates_path', '/etc/nginx/ssl') %}
{% set certificates_path = salt['pillar.get']('nginx:certificates_path', '/etc/nginx/ssl') %}

{%- for dh_param, value in salt['pillar.get']('nginx:ng:dh_param', {}).items() %}
{%- for dh_param, value in salt['pillar.get']('nginx:dh_param', {}).items() %}
{%- if value is string %}
create_nginx_dhparam_{{ dh_param }}_key:
file.managed:
- name: {{ certificates_path }}/{{ dh_param }}
- contents_pillar: nginx:ng:dh_param:{{ dh_param }}
- contents_pillar: nginx:dh_param:{{ dh_param }}
- makedirs: True
- watch_in:
- service: nginx_service
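Review bot: silent fallback on the renamed keys at the top of this file. `certificates_path` and `dh_param` are read directly from `nginx:certificates_path` and `nginx:dh_param` with defaults, so a minion whose pillar still uses `nginx:ng:...` gets `/etc/nginx/ssl` and an empty `dh_param` loop without any error. Consider failing the render when `nginx:ng` is still present in pillar, or reading these values from the imported `nginx` map so there is a single place to validate.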
@@ -30,30 +30,30 @@ generate_nginx_dhparam_{{ dh_param }}_key:
{%- endif %}
{%- endfor %}

{%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %}
{%- for domain in salt['pillar.get']('nginx:certificates', {}).keys() %}

nginx_{{ domain }}_ssl_certificate:
file.managed:
- name: {{ certificates_path }}/{{ domain }}.crt
- makedirs: True
{% if salt['pillar.get']("nginx:ng:certificates:{}:public_cert_pillar".format(domain)) %}
- contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:public_cert_pillar'.format(domain))}}
{% if salt['pillar.get']("nginx:certificates:{}:public_cert_pillar".format(domain)) %}
- contents_pillar: {{salt['pillar.get']('nginx:certificates:{}:public_cert_pillar'.format(domain))}}
{% else %}
- contents_pillar: nginx:ng:certificates:{{ domain }}:public_cert
- contents_pillar: nginx:certificates:{{ domain }}:public_cert
{% endif %}
- watch_in:
- service: nginx_service

{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain))%}
{% if salt['pillar.get']("nginx:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain))%}
nginx_{{ domain }}_ssl_key:
file.managed:
- name: {{ certificates_path }}/{{ domain }}.key
- mode: 600
- makedirs: True
{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain)) %}
- contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:private_key_pillar'.format(domain))}}
{% if salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain)) %}
- contents_pillar: {{salt['pillar.get']('nginx:certificates:{}:private_key_pillar'.format(domain))}}
{% else %}
- contents_pillar: nginx:ng:certificates:{{ domain }}:private_key
- contents_pillar: nginx:certificates:{{ domain }}:private_key
{% endif %}
- watch_in:
- service: nginx_service
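Review bot: the `nginx_{{ domain }}_ssl_key` state sets `- mode: 600` but, in the lines shown, no `user` or `group`, and `- makedirs: True` creates `certificates_path` with default directory permissions. While these lines are being touched, consider pinning `user: root` and `group: root` on the key file and a restrictive `dir_mode`, so the protection of the private key does not depend on the minion's defaults.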

nginx/common.sls (+0 -58)

@@ -1,58 +0,0 @@
{% from "nginx/map.jinja" import nginx as nginx_map with context %}
{% set nginx = pillar.get('nginx', {}) -%}
{% set home = nginx.get('home', nginx_map.home) -%}
{% set conf_dir = nginx.get('conf_dir', nginx_map.conf_dir) -%}
{% set conf_template = nginx.get('conf_template', 'salt://nginx/templates/config.jinja') -%}

{{ home }}:
file:
- directory
- user: {{ nginx_map.default_user }}
- group: {{ nginx_map.default_group }}
- mode: 0755
- makedirs: True
- require:
{%- if pillar.get('nginx', {}).get('install_from_source', false) %}
- user: {{ nginx_map.default_user }}
- group: {{ nginx_map.default_group }}
{%- else %}
- pkg: nginx
{% endif %}

/usr/share/nginx:
file:
- directory

{% for filename in ('default', 'example_ssl') %}
{{ conf_dir }}/conf.d/{{ filename }}.conf:
file.absent
{% endfor %}

{{ conf_dir }}:
file.directory:
- user: root
- group: root
- makedirs: True

{{ conf_dir }}/nginx.conf:
file:
- managed
- template: jinja
- user: root
- group: root
- mode: 644
- source: {{ conf_template }}
- require:
- file: {{ conf_dir }}
- context:
default_user: {{ nginx_map.default_user }}
default_group: {{ nginx_map.default_group }}

{% if nginx.get('init_conf_dirs', True) %}
{% for dir in ('sites-enabled', 'sites-available') %}
{{ conf_dir }}/{{ dir }}:
file.directory:
- user: root
- group: root
{% endfor -%}
{% endif %}
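Review bot: deleting this file also drops the `file.absent` loop over `conf.d/default.conf` and `conf.d/example_ssl.conf`, which cleaned up sample server configs left by a package install. Nothing else in the visible changes takes over that cleanup, so confirm that the `nginx.servers` states deal with a packaged default server, or state in the upgrade notes that it now has to be disabled through pillar.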

nginx/ng/config.sls → nginx/config.sls

@@ -1,8 +1,8 @@
# nginx.ng.config
# nginx.config
#
# Manages the main nginx server configuration file.

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}

{% if nginx.install_from_source %}
nginx_log_dir:
@@ -15,7 +15,7 @@ nginx_log_dir:
{% if 'source_path' in nginx.server.config %}
{% set source_path = nginx.server.config.source_path %}
{% else %}
{% set source_path = 'salt://nginx/ng/files/nginx.conf' %}
{% set source_path = 'salt://nginx/files/nginx.conf' %}
{% endif %}
nginx_config:
file.managed:

nginx/ng/files/nginx.conf → nginx/files/nginx.conf

nginx/ng/files/nginx.service → nginx/files/nginx.service

nginx/ng/files/server.conf → nginx/files/server.conf


nginx/init.sls (+27 -15)

@@ -1,18 +1,30 @@
{% from "nginx/map.jinja" import nginx as nginx_map with context %}
# nginx
#
# Meta-state to fully install nginx.

{% from 'nginx/map.jinja' import nginx, sls_block with context %}

include:
- nginx.common
{% if salt['pillar.get']('nginx:use_upstart', nginx_map['use_upstart']) %}
- nginx.upstart
{% elif salt['pillar.get']('nginx:use_sysvinit', nginx_map['use_sysvinit']) %}
- nginx.sysvinit
{% endif %}
{% if pillar.get('nginx', {}).get('user_auth_enabled', true) %}
- nginx.users
{% endif %}
{% if pillar.get('nginx', {}).get('install_from_source', false) %}
- nginx.source
{% else %}
- nginx.package
{% endif -%}
- nginx.config
- nginx.service
{% if nginx.snippets is defined %}
- nginx.snippets
{% endif %}
- nginx.servers
- nginx.certificates

extend:
nginx_service:
service:
- listen:
- file: nginx_config
- require:
- file: nginx_config
nginx_config:
file:
- require:
{% if nginx.install_from_source %}
- cmd: nginx_install
{% else %}
- pkg: nginx_install
{% endif %}
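Review bot: the old include list pulled in `nginx.users` whenever `user_auth_enabled` was unset (default `true`), and the new list has no counterpart, so basic-auth user files previously generated from pillar stop being managed after the upgrade. That is a behaviour change beyond a rename; call it out in the commit message or README and say what operators should use instead. Separately, the `extend` block requires `pkg: nginx_install` or `cmd: nginx_install` while the visible include list names neither `nginx.pkg` nor `nginx.src`; a comment noting which included state brings them in would help readers.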

nginx/luajit2.sls (+0 -16)

@@ -1,16 +0,0 @@
{% set nginx = pillar.get('nginx', {}) -%}
{% set home = nginx.get('home', '/var/www') -%}
{% set source = nginx.get('source_root', '/usr/local/src') -%}

get-luajit2:
file.managed:
- name: {{ source }}/luajit.tar.gz
- source: http://luajit.org/download/LuaJIT-2.0.1.tar.gz
- source_hash: sha1=330492aa5366e4e60afeec72f15e44df8a794db5
cmd.wait:
- cwd: {{ nginx_home }}
- name: tar -zxf {{ source }}/luajit.tar.gz -C {{ source }}
- watch:
- file: get-luajit2
- require_in:
- cmd: nginx

nginx/map.jinja (+194 -62)

@@ -1,65 +1,197 @@
{% set nginx = salt['grains.filter_by']({
'Debian': {
'apache_utils': 'apache2-utils',
'group_action': 'pkg.installed',
'group_pkg': 'build-essential',
'libpcre_dev': 'libpcre3-dev',
'libssl_dev': 'libssl-dev',
'pid_path': '/var/run/nginx.pid',
'package': 'nginx-full',
'default_user': 'www-data',
'default_group': 'www-data',
'disable_before_rename': False,
'old_init_disable': 'update-rc.d -f nginx remove',
'use_upstart': True,
'use_sysvinit': False,
'home': '/var/www',
'conf_dir': '/etc/nginx',
'log_dir': '/var/log/nginx',
'sbin_dir': '/usr/sbin',
'install_prefix': '/usr/local/nginx',
'make_flags': '-j2'
{% macro sls_block(dict) %}
{% for key, value in dict.items() %}
- {{ key }}: {{ value|json(sort_keys=False) }}
{% endfor %}
{% endmacro %}

{% set nginx = salt['pillar.get']('nginx', {
'lookup': salt['grains.filter_by']({
'Debian': {
'package': 'nginx',
'passenger_package': 'passenger',
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf',
'service': 'nginx',
'webuser': 'www-data',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/sites-available',
'server_enabled': '/etc/nginx/sites-enabled',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': True,
'pid_file': '/run/nginx.pid',
'openssl_package': 'openssl',
},
'CentOS': {
'package': 'nginx',
'passenger_package': 'passenger',
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/conf.d',
'server_enabled': '/etc/nginx/conf.d',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': False,
'pid_file': '/run/nginx.pid',
'rh_os_releasever': '$releasever',
'gpg_check': False,
'gpg_key': 'http://nginx.org/keys/nginx_signing.key',
'openssl_package': 'openssl',
},
'RedHat': {
'package': 'nginx',
'passenger_package': 'passenger',
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/conf.d',
'server_enabled': '/etc/nginx/conf.d',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': False,
'pid_file': '/run/nginx.pid',
'rh_os_releasever': '$releasever',
'gpg_check': False,
'gpg_key': 'http://nginx.org/keys/nginx_signing.key',
'passenger': {
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini',
'passenger_instance_registry_dir': ' /var/run/passenger-instreg',
'passenger_ruby': '/usr/bin/ruby',
},
'openssl_package': 'openssl',
},
'Suse': {
'package': 'nginx',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/vhosts.d',
'server_enabled': '/etc/nginx/vhosts.d',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': False,
'pid_file': '/run/nginx.pid',
'gpg_check': True,
'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_{{ grains.osrelease }}/repodata/repomd.xml.key',
'openssl_package': 'openssl',
},
'Arch': {
'package': 'nginx',
'service': 'nginx',
'webuser': 'http',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/sites-available',
'server_enabled': '/etc/nginx/sites-enabled',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': True,
'openssl_package': 'openssl',
},
'Gentoo': {
'package': 'www-servers/nginx',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/sites-available',
'server_enabled': '/etc/nginx/sites-enabled',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': True,
'openssl_package': 'dev-libs/openssl',
},
'FreeBSD': {
'package': 'nginx',
'passenger_package': 'passenger',
'service': 'nginx',
'webuser': 'www',
'conf_file': '/usr/local/etc/nginx/nginx.conf',
'server_available': '/usr/local/etc/nginx/sites-available',
'server_enabled': '/usr/local/etc/nginx/sites-enabled',
'snippets_dir': '/usr/local/etc/nginx/snippets',
'server_use_symlink': True,
'pid_file': '/var/run/nginx.pid',
},
}, default='Debian' ),
'install_from_source': False,
'install_from_ppa': False,
'install_from_repo': False,
'install_from_phusionpassenger': False,
'ppa_version': 'stable',
'source_version': '1.10.0',
'source_hash': '8ed647c3dd65bc4ced03b0e0f6bf9e633eff6b01bac772bcf97077d58bc2be4d',
'source': {
'opts': {},
},
'RedHat': {
'apache_utils': 'httpd-tools',
'group_action': 'pkg.group_installed',
'group_pkg': 'Development Tools',
'libpcre_dev': 'pcre-devel',
'libssl_dev': 'openssl-devel',
'pid_path': '/run/nginx.pid',
'package': 'nginx',
'default_user': 'nginx',
'default_group': 'nginx',
'disable_before_rename': True,
'old_init_disable': 'chkconfig --del nginx',
'use_upstart': True,
'use_sysvinit': False,
'home': '/var/www',
'conf_dir': '/etc/nginx',
'log_dir': '/var/log/nginx',
'sbin_dir': '/usr/sbin',
'install_prefix': '/usr/local/nginx',
'make_flags': '-j2'
'package': {
'opts': {},
},
'Suse': {
'apache_utils': 'apache2-utils',
'group_action': 'pkg.installed',
'group_pkg': 'patterns-devel-base-devel_rpm_build',
'libpcre_dev': 'pcre-devel',
'libssl_dev': 'openssl-devel',
'pid_path': '/run/nginx.pid',
'package': 'nginx',
'default_user': 'nginx',
'default_group': 'nginx',
'disable_before_rename': True,
'old_init_disable': 'chkconfig --del nginx',
'use_upstart': False,
'use_sysvinit': False,
'home': '/srv/www',
'conf_dir': '/etc/nginx',
'log_dir': '/var/log/nginx',
'sbin_dir': '/usr/sbin',
'install_prefix': '/usr/local/nginx',
'make_flags': '-j2'
'service': {
'enable': True,
'opts': {},
},
}, grain='os_family', merge=salt['pillar.get']('nginx:lookup'), default='Debian') %}
'server': {
'opts': {},
'config': {
'worker_processes': 'auto',
'events': {
'worker_connections': 768,
},
'http': {
'sendfile': 'on',
'tcp_nopush': 'on',
'tcp_nodelay': 'on',
'keepalive_timeout': '65',
'types_hash_max_size': '2048',
'default_type': 'application/octet-stream',
'access_log': '/var/log/nginx/access.log',
'error_log': '/var/log/nginx/error.log',
'gzip': 'off',
'gzip_disable': '"msie6"',
'include': [
'mime.types',
'conf.d/*.conf',
'sites-enabled/*',
],
},
},
},
'servers': {
'disabled_postfix': '.disabled',
'symlink_opts': {},
'rename_opts': {},
'managed_opts': {
'makedirs': True,
},
'dir_opts': {
'makedirs': True,
},
'managed': {},
},
'passenger': {
'passenger_root': '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini',
'passenger_ruby': '/usr/bin/ruby',
},
}, merge=True) %}

{% if 'user' not in nginx.server.config %}
{% do nginx.server.config.update({
'user': nginx.lookup.webuser,
})%}
{% endif %}

{% if 'pid' not in nginx.server.config and 'pid_file' in nginx.lookup %}
{% do nginx.server.config.update({
'pid': nginx.lookup.pid_file,
})%}
{% endif %}

{% if salt['grains.get']('os_family') == 'RedHat' %}
{% do nginx.passenger.update({
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini',
'passenger_instance_registry_dir': '/var/run/passenger-instreg',
})%}
{% if salt['grains.get']('osfinger') == 'CentOS-6' %}
{% do nginx.server.config.update({
'pid': '/var/run/nginx.pid',
})%}
{% do nginx.passenger.update({
'passenger_root': '/usr/lib/ruby/1.8/phusion_passenger/locations.ini',
})%}
{% endif %}
{% endif %}
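Review bot: the `CentOS` and `RedHat` lookup entries carry `'gpg_check': False` together with `'gpg_key': 'http://nginx.org/keys/nginx_signing.key'`, and this change makes them the defaults of the main `nginx` namespace. Assuming these values feed the package repository definition, packages from that repository are installed without signature verification and the key URL is plain HTTP; default to `gpg_check: True` with an `https://` key URL and leave the opt-out to pillar. Also, `'passenger_instance_registry_dir': ' /var/run/passenger-instreg'` in the `RedHat` entry has a leading space inside the quotes.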

nginx/ng/init.sls (+0 -30)

@@ -1,30 +0,0 @@
# nginx.ng
#
# Meta-state to fully install nginx.

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}

include:
- nginx.ng.config
- nginx.ng.service
{% if nginx.snippets is defined %}
- nginx.ng.snippets
{% endif %}
- nginx.ng.servers
- nginx.ng.certificates

extend:
nginx_service:
service:
- listen:
- file: nginx_config
- require:
- file: nginx_config
nginx_config:
file:
- require:
{% if nginx.install_from_source %}
- cmd: nginx_install
{% else %}
- pkg: nginx_install
{% endif %}

nginx/ng/map.jinja (+0 -197)

@@ -1,197 +0,0 @@
{% macro sls_block(dict) %}
{% for key, value in dict.items() %}
- {{ key }}: {{ value|json(sort_keys=False) }}
{% endfor %}
{% endmacro %}

{% set nginx = salt['pillar.get']('nginx:ng', {
'lookup': salt['grains.filter_by']({
'Debian': {
'package': 'nginx',
'passenger_package': 'passenger',
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf',
'service': 'nginx',
'webuser': 'www-data',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/sites-available',
'server_enabled': '/etc/nginx/sites-enabled',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': True,
'pid_file': '/run/nginx.pid',
'openssl_package': 'openssl',
},
'CentOS': {
'package': 'nginx',
'passenger_package': 'passenger',
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/conf.d',
'server_enabled': '/etc/nginx/conf.d',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': False,
'pid_file': '/run/nginx.pid',
'rh_os_releasever': '$releasever',
'gpg_check': False,
'gpg_key': 'http://nginx.org/keys/nginx_signing.key',
'openssl_package': 'openssl',
},
'RedHat': {
'package': 'nginx',
'passenger_package': 'passenger',
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/conf.d',
'server_enabled': '/etc/nginx/conf.d',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': False,
'pid_file': '/run/nginx.pid',
'rh_os_releasever': '$releasever',
'gpg_check': False,
'gpg_key': 'http://nginx.org/keys/nginx_signing.key',
'passenger': {
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini',
'passenger_instance_registry_dir': ' /var/run/passenger-instreg',
'passenger_ruby': '/usr/bin/ruby',
},
'openssl_package': 'openssl',
},
'Suse': {
'package': 'nginx',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/vhosts.d',
'server_enabled': '/etc/nginx/vhosts.d',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': False,
'pid_file': '/run/nginx.pid',
'gpg_check': True,
'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_{{ grains.osrelease }}/repodata/repomd.xml.key',
'openssl_package': 'openssl',
},
'Arch': {
'package': 'nginx',
'service': 'nginx',
'webuser': 'http',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/sites-available',
'server_enabled': '/etc/nginx/sites-enabled',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': True,
'openssl_package': 'openssl',
},
'Gentoo': {
'package': 'www-servers/nginx',
'service': 'nginx',
'webuser': 'nginx',
'conf_file': '/etc/nginx/nginx.conf',
'server_available': '/etc/nginx/sites-available',
'server_enabled': '/etc/nginx/sites-enabled',
'snippets_dir': '/etc/nginx/snippets',
'server_use_symlink': True,
'openssl_package': 'dev-libs/openssl',
},
'FreeBSD': {
'package': 'nginx',
'passenger_package': 'passenger',
'service': 'nginx',
'webuser': 'www',
'conf_file': '/usr/local/etc/nginx/nginx.conf',
'server_available': '/usr/local/etc/nginx/sites-available',
'server_enabled': '/usr/local/etc/nginx/sites-enabled',
'snippets_dir': '/usr/local/etc/nginx/snippets',
'server_use_symlink': True,
'pid_file': '/var/run/nginx.pid',
},
}, default='Debian' ),
'install_from_source': False,
'install_from_ppa': False,
'install_from_repo': False,
'install_from_phusionpassenger': False,
'ppa_version': 'stable',
'source_version': '1.10.0',
'source_hash': '8ed647c3dd65bc4ced03b0e0f6bf9e633eff6b01bac772bcf97077d58bc2be4d',
'source': {
'opts': {},
},
'package': {
'opts': {},
},
'service': {
'enable': True,
'opts': {},
},
'server': {
'opts': {},
'config': {
'worker_processes': 'auto',
'events': {
'worker_connections': 768,
},
'http': {
'sendfile': 'on',
'tcp_nopush': 'on',
'tcp_nodelay': 'on',
'keepalive_timeout': '65',
'types_hash_max_size': '2048',
'default_type': 'application/octet-stream',
'access_log': '/var/log/nginx/access.log',
'error_log': '/var/log/nginx/error.log',
'gzip': 'off',
'gzip_disable': '"msie6"',
'include': [
'mime.types',
'conf.d/*.conf',
'sites-enabled/*',
],
},
},
},
'servers': {
'disabled_postfix': '.disabled',
'symlink_opts': {},
'rename_opts': {},
'managed_opts': {
'makedirs': True,
},
'dir_opts': {
'makedirs': True,
},
'managed': {},
},
'passenger': {
'passenger_root': '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini',
'passenger_ruby': '/usr/bin/ruby',
},
}, merge=True) %}

{% if 'user' not in nginx.server.config %}
{% do nginx.server.config.update({
'user': nginx.lookup.webuser,
})%}
{% endif %}

{% if 'pid' not in nginx.server.config and 'pid_file' in nginx.lookup %}
{% do nginx.server.config.update({
'pid': nginx.lookup.pid_file,
})%}
{% endif %}

{% if salt['grains.get']('os_family') == 'RedHat' %}
{% do nginx.passenger.update({
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini',
'passenger_instance_registry_dir': '/var/run/passenger-instreg',
})%}
{% if salt['grains.get']('osfinger') == 'CentOS-6' %}
{% do nginx.server.config.update({
'pid': '/var/run/nginx.pid',
})%}
{% do nginx.passenger.update({
'passenger_root': '/usr/lib/ruby/1.8/phusion_passenger/locations.ini',
})%}
{% endif %}
{% endif %}

nginx/openresty.sls (+0 -31)

@@ -1,31 +0,0 @@
{% set nginx = pillar.get('nginx', {}) -%}
{% set home = nginx.get('home', '/var/www') -%}
{% set source = nginx.get('source_root', '/usr/local/src') -%}

{% set openresty = nginx.get('openresty', {}) -%}
{% set openresty_version = openresty.get('version', '1.2.7.8') -%}
{% set openresty_checksum = openresty.get('checksum', 'sha1=f8bee501529ffec33f9cabc00ea4ca512a8d7b59') -%}
{% set openresty_package = source + '/openresty-' + openresty_version + '.tar.gz' -%}

get-openresty:
file.managed:
- name: {{ openresty_package }}
- source: http://openresty.org/download/ngx_openresty-{{ openresty_version }}.tar.gz
- source_hash: {{ openresty_checksum }}
cmd.wait:
- cwd: {{ source }}
- name: tar -zxf {{ openresty_package }} -C {{ home }}
- watch:
- file: get-openresty

install_openresty:
cmd.wait:
- cwd: {{ home }}/ngx_openresty-{{ openresty_version }}
- names:
- ./configure --with-luajit \
--with-http_drizzle_module \
--with-http_postgres_module \
--with-http_iconv_module
- make && make install
- watch:
- cmd: get-openresty

nginx/package.sls (+0 -128)

@@ -1,128 +0,0 @@
{% from "nginx/map.jinja" import nginx with context %}
{% set use_upstart = salt['pillar.get']('nginx:use_upstart', nginx['use_upstart']) %}
{% if use_upstart %}
nginx-old-init:
file.rename:
- name: /usr/share/nginx/init.d
- source: /etc/init.d/nginx
- require_in:
- file: nginx
- require:
- pkg: nginx
- force: True
{% if grains.get('os_family') == 'Debian' %}
# Don't dpkg-divert if we are not Debian based!
cmd.wait:
- name: dpkg-divert --divert /usr/share/nginx/init.d --add /etc/init.d/nginx
- require:
- module: nginx-old-init
- watch:
- file: nginx-old-init
- require_in:
- file: nginx
{% endif %}
module.wait:
- name: cmd.run
- cmd: sh -c "kill `cat /var/run/nginx.pid`"
- watch:
- file: nginx-old-init
- require_in:
- file: nginx
- onlyif: [ -e /var/run/nginx.pid ]

# RedHat requires the init file in place to chkconfig off
{% if nginx['disable_before_rename'] %}
{% set _in = '_in' %}
{% else %}
{% set _in = '' %}
{% endif %}

nginx-old-init-disable:
cmd.run:
- name: {{ nginx.old_init_disable }}
- require{{ _in }}:
- module: nginx-old-init
- onlyif: [ -f /etc/init.d/nginx ]
{% endif %}

{% if grains.get('os_family') == 'Debian' %}

{% set repo_source = pillar.get('nginx', {}).get('repo_source', 'default') %}
{% set use_ppa = repo_source == 'ppa' and grains.get('os') == 'Ubuntu' %}
{% set use_official = repo_source == 'official' and grains.get('os') in ('Ubuntu', 'Debian') %}

nginx-ppa-repo:
pkgrepo:
{%- if use_ppa %}
- managed
{%- else %}
- absent
{%- endif %}
- humanname: nginx-ppa-{{ grains['oscodename'] }}
- name: deb http://ppa.launchpad.net/nginx/{{ pillar.get('nginx', {}).get('repo_version', 'stable') }}/ubuntu {{ grains['oscodename'] }} main
- file: /etc/apt/sources.list.d/nginx-{{ pillar.get('nginx', {}).get('repo_version', 'stable') }}-{{ grains['oscodename'] }}.list
- dist: {{ grains['oscodename'] }}
- keyid: C300EE8C
- keyserver: keyserver.ubuntu.com
- require_in:
- pkg: nginx
- watch_in:
- pkg: nginx

nginx-official-repo:
pkgrepo:
{%- if use_official %}
- managed
{%- else %}
- absent
{%- endif %}
- humanname: nginx apt repo
- name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx
- file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list
- keyid: ABF5BD827BD9BF62
- keyserver: keyserver.ubuntu.com
- require_in:
- pkg: nginx
- watch_in:
- pkg: nginx

{% endif %}

nginx:
pkg.installed:
- name: {{ nginx.package }}
{% if use_upstart %}
file.managed:
- name: /etc/init/nginx.conf
- template: jinja
- user: root
- group: root
- mode: 440
- source: salt://nginx/templates/upstart.jinja
- require:
- pkg: nginx
- file: nginx-old-init
- module: nginx-old-init
{% endif %}
service.running:
- enable: True
- restart: True
- watch:
{% if use_upstart %}
- file: nginx
{% endif %}
{% set conf_dir = salt['pillar.get']('nginx:conf_dir', '/etc/nginx') %}
- file: {{ conf_dir }}/nginx.conf
- file: {{ conf_dir }}/conf.d/default.conf
- file: {{ conf_dir }}/conf.d/example_ssl.conf
- pkg: nginx

# Create 'service' symlink for tab completion.
# This is not supported in os_family RedHat and likely only works in
# Debian-based distros
{% if use_upstart and grains['os_family'] == 'Debian' %}
/etc/init.d/nginx:
file.symlink:
- target: /lib/init/upstart-job
- force: True
{% endif %}
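
Review bot: the `nginx-ppa-repo` and `nginx-official-repo` states removed here were driven by the pillar keys `nginx:repo_source` and `nginx:repo_version`, and nothing in this deletion tells users what replaces them. The pillar example in this commit uses `install_from_repo`, `install_from_ppa` and `ppa_version`, so please add that mapping to the README. While on the subject, the old states fetched packages over plain `http://` and pinned the PPA key by the short ID `C300EE8C`; please confirm the replacement repo definitions in `nginx/pkg.sls` use a full key fingerprint.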

nginx/ng/passenger.sls → nginx/passenger.sls

@@ -1,14 +1,14 @@
# nginx.ng.passenger
# nginx.passenger
#
# Manages installation of passenger from repo.
# Requires install_from_phusionpassenger = True

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}

{% if salt['grains.get']('os_family') in ['Debian', 'RedHat'] %}
include:
- nginx.ng.pkg
- nginx.ng.service
- nginx.pkg
- nginx.service

passenger_install:
pkg.installed:
@@ -27,7 +27,7 @@ passenger_config:
file.managed:
{{ sls_block(nginx.server.opts) }}
- name: {{ nginx.lookup.passenger_config_file }}
- source: salt://nginx/ng/files/nginx.conf
- source: salt://nginx/files/nginx.conf
- template: jinja
- context:
config: {{ nginx.passenger|json() }}

nginx/ng/pkg.sls → nginx/pkg.sls

@@ -1,8 +1,8 @@
# nginx.ng.pkg
# nginx.pkg
#
# Manages installation of nginx from pkg.

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}
{%- if nginx.install_from_repo %}
{% set from_official = true %}
{% set from_ppa = false %}

nginx/ng/servers.sls → nginx/servers.sls

@@ -1,10 +1,10 @@
# nginx.ng.servers
# nginx.servers
#
# Manages virtual hosts and their relationship to the nginx service.

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/ng/servers_config.sls' import server_states with context %}
{% from 'nginx/ng/service.sls' import service_function with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/servers_config.sls' import server_states with context %}
{% from 'nginx/service.sls' import service_function with context %}

{% macro file_requisites(states) %}
{%- for state in states %}
@@ -13,8 +13,8 @@
{% endmacro %}

include:
- nginx.ng.service
- nginx.ng.servers_config
- nginx.service
- nginx.servers_config

{% if server_states|length() > 0 %}
nginx_service_reload:

nginx/ng/servers_config.sls → nginx/servers_config.sls

@@ -1,8 +1,8 @@
# nginx.ng.servers_config
# nginx.servers_config
#
# Manages the configuration of virtual host files.

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}
{% set server_states = [] %}

# Simple path concatenation.
@@ -104,7 +104,7 @@ nginx_server_available_dir:
{% if 'source_path' in settings.config %}
{% set source_path = settings.config.source_path %}
{% else %}
{% set source_path = 'salt://nginx/ng/files/server.conf' %}
{% set source_path = 'salt://nginx/files/server.conf' %}
{% endif %}
{{ conf_state_id }}:
file.managed:

nginx/ng/service.sls → nginx/service.sls

@@ -1,22 +1,22 @@
# nginx.ng.service
# nginx.service
#
# Manages the nginx service.

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}
{% set service_function = {True:'running', False:'dead'}.get(nginx.service.enable) %}

include:
{% if nginx.install_from_source %}
- nginx.ng.src
- nginx.src
{% else %}
- nginx.ng.pkg
- nginx.pkg
{% endif %}

{% if nginx.install_from_source %}
nginx_systemd_service_file:
file.managed:
- name: /lib/systemd/system/nginx.service
- source: salt://nginx/ng/files/nginx.service
- source: salt://nginx/files/nginx.service
{% endif %}

nginx_service:
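
Review bot: `service_function` near the top of this hunk resolves to `None` when `nginx.service.enable` is anything other than a literal `True` or `False`, because the dict lookup has no default. The removed `nginx/source.sls` read a differently named pillar key, `service_enable`, so converted pillars are a likely place for a missing or string value to show up. Suggest a default, for example `.get(nginx.service.enable, 'running')`, or a Jinja check that fails the render with a clear message.
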
@@ -26,9 +26,9 @@ nginx_service:
- enable: {{ nginx.service.enable }}
- require:
{% if nginx.install_from_source %}
- sls: nginx.ng.src
- sls: nginx.src
{% else %}
- sls: nginx.ng.pkg
- sls: nginx.pkg
{% endif %}
- listen:
{% if nginx.install_from_source %}

nginx/ng/snippets.sls → nginx/snippets.sls

@@ -1,8 +1,8 @@
# nginx.ng.snippet
# nginx.snippet
#
# Manages creation of snippets

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}

nginx_snippets_dir:
file.directory:
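
Review bot: the header comment on the second line of this hunk now reads `# nginx.snippet`, but the file is `nginx/snippets.sls`, so the state users reference is `nginx.snippets`. The singular form was already wrong as `nginx.ng.snippet`; since the line is being edited anyway, change it to `# nginx.snippets`.
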
@@ -13,7 +13,7 @@ nginx_snippets_dir:
nginx_snippet_{{ snippet }}:
file.managed:
- name: {{ nginx.lookup.snippets_dir }}/{{ snippet }}.conf
- source: salt://nginx/ng/files/server.conf
- source: salt://nginx/files/server.conf
- template: jinja
- context:
config: {{ config|json() }}

+ 0
- 277
nginx/source.sls

@@ -1,277 +0,0 @@
{% from "nginx/map.jinja" import nginx as nginx_map with context %}

{% set nginx = pillar.get('nginx', {}) -%}
{% set use_sysvinit = nginx.get('use_sysvinit', nginx_map['use_sysvinit']) %}
{% set version = nginx.get('version', '1.6.2') -%}
{% set tarball_url = nginx.get('tarball_url', 'http://nginx.org/download/nginx-' + version + '.tar.gz') -%}
{% set checksum = nginx.get('checksum', 'sha256=b5608c2959d3e7ad09b20fc8f9e5bd4bc87b3bc8ba5936a513c04ed8f1391a18') -%}
{% set home = nginx.get('home', nginx_map['home']) -%}
{% set base_temp_dir = nginx.get('base_temp_dir', '/tmp') -%}
{% set source = nginx.get('source_root', '/usr/local/src') -%}

{% set conf_dir = nginx.get('conf_dir', nginx_map['conf_dir']) -%}
{% set conf_only = nginx.get('conf_only', false) -%}
{% set log_dir = nginx.get('log_dir', nginx_map['log_dir']) -%}
{% set pid_path = nginx.get('pid_path', nginx_map['pid_path']) -%}
{% set lock_path = nginx.get('lock_path', '/var/lock/nginx.lock') -%}
{% set sbin_dir = nginx.get('sbin_dir', nginx_map['sbin_dir']) -%}

{% set install_prefix = nginx.get('install_prefix', nginx_map['install_prefix']) -%}
{% set with_items = nginx.get('with', ['debug', 'http_dav_module', 'http_stub_status_module', 'pcre', 'ipv6']) -%}
{% set without_items = nginx.get('without', []) -%}
{% set make_flags = nginx.get('make_flags', nginx_map['make_flags']) -%}

{% set service_name = nginx.get('service_name', 'nginx') %}
{% set service_enable = nginx.get('service_enable', True) %}

{% set nginx_package = source + '/nginx-' + version + '.tar.gz' -%}
{% set nginx_source = source + "/nginx-" + version -%}
{% set nginx_modules_dir = source + "/nginx-modules" -%}

include:
- nginx.common
{% if nginx.get('with_luajit', false) %}
- nginx.luajit2
{% endif -%}
{% if nginx.get('with_openresty', false) %}
- nginx.openresty
{% endif -%}


nginx_group:
group.present:
- name: {{ nginx_map.default_group }}

nginx_user:
file.directory:
- name: {{ home }}
- user: {{ nginx_map.default_user }}
- group: {{ nginx_map.default_group }}
- mode: 0755
- require:
- user: nginx_user
- group: nginx_group
user.present:
- name: {{ nginx_map.default_user }}
- home: {{ home }}
- groups:
- {{ nginx_map.default_group }}
- require:
- group: nginx_group

{{ nginx_modules_dir }}:
file:
- directory
- makedirs: True

get-build-tools:
{% if grains['saltversion'] < '2015.8.0' and grains['os_family'] == 'RedHat' %}
module.run:
- name: pkg.group_install
- m_name: {{ nginx_map.group_pkg }}
{% else %}
{{ nginx_map.group_action }}:
- name: {{ nginx_map.group_pkg }}
{% endif %}

get-nginx:
pkg.installed:
- names:
- {{ nginx_map.libpcre_dev }}
- {{ nginx_map.libssl_dev }}

file.managed:
- name: {{ nginx_package }}
- source: {{ tarball_url }}
- source_hash: {{ checksum }}
- require:
- file: {{ nginx_modules_dir }}
cmd.wait:
- cwd: {{ source }}
- name: tar --transform "s,^$(tar --list -zf nginx-{{ version }}.tar.gz | head -n 1),nginx-{{ version }}/," -zxf {{ nginx_package }}
- require:
- pkg: get-nginx
- file: get-nginx
- watch:
- file: get-nginx

{% for name, module in nginx.get('modules', {}).items() -%}
get-nginx-{{name}}:
file.managed:
- name: {{ nginx_modules_dir }}/{{name}}.tar.gz
- source: {{ module['source'] }}
- source_hash: {{ module['source_hash'] }}
cmd.wait:
- cwd: {{ nginx_modules_dir }}
- names:
- tar --transform "s,^$(tar --list -zf {{name}}.tar.gz | head -n 1),{{name}}/," -zxf {{name}}.tar.gz
- watch:
- file: get-nginx-{{name}}
- require_in:
- cmd: nginx
{% endfor -%}

{% if nginx.get('ngx_devel_kit', true) -%}
get-ngx_devel_kit:
file.managed:
- name: {{ source }}/ngx_devel_kit.tar.gz
- source: https://github.com/simpl/ngx_devel_kit/archive/v0.2.18.tar.gz
- source_hash: sha1=e21ba642f26047661ada678b21eef001ee2121d8
cmd.wait:
- cwd: {{ source }}
- name: tar -zxf {{ source }}/ngx_devel_kit.tar.gz -C {{ source }}
- watch:
- file: get-ngx_devel_kit
{% endif %}

is-nginx-source-modified:
cmd.run:
- cwd: {{ source }}
- stateful: True
- names:
- if [ ! -d "nginx-{{ version }}" ]; then
echo "changed=yes comment='Tarball has not yet been extracted'";
exit 0;
fi;
cd "nginx-{{ version }}";
m=$(find . \! -name "build.*" -newer {{ sbin_dir }}/nginx -print -quit);
r=$?;
if [ x$r != x0 ]; then
echo "changed=yes comment='binary file does not exist or other find error'";
exit 0;
fi;
if [ x$m != "x" ]; then
echo "changed=yes comment='source files are newer than binary'";
exit 0;
fi;
echo "changed=no comment='source files are older than binary'"

{% for name, module in nginx.get('modules', {}).items() -%}
is-nginx-module-modified-{{name}}:
cmd.run:
- cwd: {{ nginx_modules_dir }}/{{name}}
- stateful: True
- names:
- m=$(find . \! -name "build.*" -newer {{ sbin_dir }}/nginx -print -quit);
r=$?;
if [ x$r != x0 ]; then
echo "changed=yes comment='binary file does not exist or other find error'";
exit 0;
fi;
if [ x$m != "x" ]; then
echo "changed=yes comment='module source files are newer than binary'";
exit 0;
fi;
echo "changed=no comment='module source files are older than binary'"
{% endfor -%}

nginx:
cmd.wait:
- cwd: {{ nginx_source }}
- names:
- (
{%- if nginx.get('debug_symbols', false) %}
CFLAGS="-g -O0" ./configure --conf-path={{ conf_dir }}/nginx.conf
{%- else %}
./configure --conf-path={{ conf_dir }}/nginx.conf
{%- endif %}
--sbin-path={{ sbin_dir }}/nginx
--user={{ nginx_map.default_user }}
--group={{ nginx_map.default_group }}
--prefix={{ install_prefix }}
--http-log-path={{ log_dir }}/access.log
--error-log-path={{ log_dir }}/error.log
--pid-path={{ pid_path }}
--lock-path={{ lock_path }}
--http-client-body-temp-path={{ base_temp_dir }}/body
--http-proxy-temp-path={{ base_temp_dir }}/proxy
--http-fastcgi-temp-path={{ base_temp_dir }}/fastcgi
--http-uwsgi-temp-path={{ base_temp_dir }}/temp_uwsgi
--http-scgi-temp-path={{ base_temp_dir }}/temp_scgi
{%- for name, module in nginx.get('modules', {}).items() %}
--add-module={{nginx_modules_dir}}/{{name}}
{%- endfor %}
{%- for name in with_items %}
--with-{{ name }}
{%- endfor %}
{%- for name in without_items %}
--without-{{ name }}
{%- endfor %}
&& make {{ make_flags }}
&& make install
)
{#- If they want to silence the compiler output, then save it to file so we can reference it later if needed #}
{%- if nginx.get('silence_compiler', true) %}
> {{ nginx_source }}/build.out 2> {{ nginx_source }}/build.err;
{#- If the build process failed, write stderr to stderr and exit with the error code #}
r=$?;
if [ x$r != x0 ]; then
cat {{ nginx_source }}/build.err 1>&2; {#- copy err output to stderr #}
exit $r;
fi;
{% endif %}
- watch:
- cmd: get-nginx
- cmd: is-nginx-source-modified
{% for name, module in nginx.get('modules', {}).items() -%}
- cmd: is-nginx-module-modified-{{name}}
- file: get-nginx-{{name}}
{% endfor %}
{% if use_sysvinit %}
- watch_in:
{% set logger_types = ('access', 'error') %}
{% for log_type in logger_types %}
- service: nginx-logger-{{ log_type }}
{% endfor %}
{% endif %}
- require:
- cmd: get-nginx
{% for name, module in nginx.get('modules', {}).items() -%}
- file: get-nginx-{{name}}
{% endfor %}
{% if use_sysvinit %}
file:
- managed
- template: jinja
- name: /etc/init.d/{{ service_name }}
- source: salt://nginx/templates/nginx.init.jinja
- user: root
- group: root
- mode: 0755
- context:
service_name: {{ service_name }}
sbin_dir: {{ sbin_dir }}
pid_path: {{ pid_path }}
{% endif %}
service:
{% if service_enable %}
- running
- enable: True
- restart: True
{% else %}
- dead
- enable: False
{% endif %}
- name: {{ service_name }}
- watch:
- cmd: nginx
- file: {{ conf_dir }}/nginx.conf
- require:
- cmd: nginx
- file: {{ conf_dir }}/nginx.conf

{% for file in nginx.get('delete_confs', []) %}
{{ conf_dir }}/{{ file }}:
file:
- absent
- require_in:
- service: nginx
{% endfor %}

{% for file in nginx.get('delete_htdocs', []) %}
{{ install_prefix }}/html/{{ file }}:
file:
- absent
- require_in:
- service: nginx
{% endfor %}
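
Review bot: this deletion drops pillar options with no visible equivalent in the replacement: `with`, `without`, `modules`, `debug_symbols`, `make_flags` and the `delete_confs`/`delete_htdocs` lists all disappear, while the visible part of `nginx/src.sls` only passes `nginx.source.opts` to `./configure`. Please document how each one maps onto `source.opts` (or that it is gone) alongside the BREAKING CHANGE text. Separately, the removed state shipped a default `sha256=` checksum for the tarball, whereas `pillar.example` now shows `source_hash: ''`; make sure the new download state fails rather than skips verification when the hash is empty.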

nginx/ng/src.sls → nginx/src.sls

@@ -1,8 +1,8 @@
# nginx.ng.src
# nginx.src
#
# Manages installation of nginx from source.

{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %}
{% from 'nginx/map.jinja' import nginx, sls_block with context %}

nginx_deps:
pkg.installed:
@@ -23,7 +23,7 @@ nginx_download:

nginx_configure:
cmd.run:
- name: ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path={{ nginx.lookup.conf_file or '/etc/nginx/nginx.conf' }} {{ nginx.source.opts | join(' ') }}
- name: ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path={{ nginx.lookup.conf_file }} {{ nginx.source.opts | join(' ') }}
- cwd: /tmp/nginx-{{ nginx.source_version }}
- onchanges:
- archive: nginx_download
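
Review bot: dropping the `or '/etc/nginx/nginx.conf'` fallback on the `./configure` line means an unset or empty `nginx.lookup.conf_file` now renders as a bare `--conf-path=`. If `map.jinja` guarantees a value for every supported `os_family` this is fine, but that should be stated in the commit message or enforced with a check in the template. While here, `cwd: /tmp/nginx-{{ nginx.source_version }}` runs the build inside a world-writable directory; the removed `nginx/source.sls` defaulted to `/usr/local/src`, which would be a safer choice.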

+ 0
- 34
nginx/sysvinit.sls

@@ -1,34 +0,0 @@
{% set nginx = pillar.get('nginx', {}) -%}
{% set log_dir = nginx.get('log_dir', '/var/log/nginx') -%}

{% set logger_types = ('access', 'error') %}

{% for log_type in logger_types %}
{{ log_dir }}/{{ log_type }}.log:
file.absent

nginx-logger-{{ log_type }}:
file:
- managed
- name: /etc/init.d/nginx-logger-{{ log_type }}
- template: jinja
- user: root
- group: root
- mode: 755
- source:
- salt://nginx/templates/{{ grains['os_family'] }}-sysvinit-logger.jinja
- salt://nginx/templates/sysvinit-logger.jinja
- context:
type: {{ log_type }}
service:
- running
- enable: True
- restart: True
- require:
- file: nginx-logger-{{ log_type }}
- require_in:
- service: nginx
{% endfor %}

/etc/logrotate.d/nginx:
file.absent
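
Review bot: the states deleted here installed `/etc/init.d/nginx-logger-access` and `/etc/init.d/nginx-logger-error`, enabled them as services, and set `/etc/logrotate.d/nginx` to `file.absent`; after this commit nothing cleans those up on minions that already applied them. A host converted to the new states can end up with orphaned logger services and no log rotation for the regular log files. Suggest a short cleanup section in the upgrade notes, or a transitional state that removes the logger scripts and restores the logrotate file.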

+ 0
- 100
nginx/templates/RedHat-sysvinit-logger.jinja

@@ -1,100 +0,0 @@
#!/bin/bash
# /etc/init.d/nginx-logger-{{ type }}
#
# chkconfig: 345 84 16
# description: Nginx logger for {{ type }}
# processname: nginx-logger-{{ type }}

NAME=nginx-logger-{{ type }}
DESC="syslog forwarder for nginx {{type}} logs"
DAEMON=/usr/bin/logger
DAEMON_ARGS=" -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the daemon program isn't installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

. /etc/init.d/functions

do_start() {
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
echo -n "Starting $NAME"
pid=$(cat $PIDFILE 2>/dev/null)
if [ -n "$pid" ]; then
failure
echo
return 1;
fi

if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then
mkdir -p /var/log/nginx
mkfifo /var/log/nginx/{{ type }}.fifo
chown root.root /var/log/nginx/{{ type }}.fifo
chmod 660 /var/log/nginx/{{ type }}.fifo
fi

$DAEMON $DAEMON_ARGS &
ERROR=$?
PID=$!
if [ $ERROR -eq 0 ]; then
success
echo
echo $PID > $PIDFILE
else
failure
echo
exit 2
fi
}

do_stop() {
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
echo -n Stopping $NAME
pid=$(cat $PIDFILE 2>/dev/null)
if [ $? -eq 0 ]; then
echo $pid | xargs kill 2&1>/dev/null
success
RETVAL=0
else
failure
RETVAL=1
fi
echo

[ "$RETVAL" = 2 ] && return 2
rm -f $PIDFILE
return "$RETVAL"
}

case "$1" in
start)
do_start
;;
stop)
do_stop
;;
status)
status -p "$PIDFILE" "$DAEMON" && exit 0 || exit $?
;;
restart|force-reload)
do_stop
do_start
;;
*)
echo "Usage: /etc/init.d/nginx-logger-{{ type }} {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac

exit 0

+ 0
- 79
nginx/templates/config.jinja

@@ -1,79 +0,0 @@
{% set nginx = pillar.get('nginx', {}) -%}
# defaults passed via context from the map.jinja
{% set user = nginx.get('user', default_user) -%}
{% set group = nginx.get('group', default_group) -%}
user {{ user }} {{ group }};
worker_processes {{ nginx.get('worker_processes', 1) }};
{% set worker_rlimit_nofile = nginx.get('worker_rlimit_nofile', '') -%}
{% if worker_rlimit_nofile -%}
worker_rlimit_nofile {{ worker_rlimit_nofile }};
{% endif -%}

{% set error_log_location = nginx.get('error_log',{}).get('location', '/var/log/nginx/error.fifo') -%}
{% set error_log_level = nginx.get('error_log',{}).get('level', 'warn') -%}
error_log {{ ' '.join([error_log_location, error_log_level]) }};
pid {{ nginx.get('pid', '/var/run/nginx.pid') }};
{% if not 'systemd' in salt['test.provider']('service') -%}
daemon {{ nginx.get('daemon', 'on') }};
{%- endif %}

events {
worker_connections {{ nginx.get('events', {}).get('worker_connections', 1024) }};
{% set use = nginx.get('events', {}).get('use', '') -%}
{% if use -%}
use {{ use }};
{% endif %}
}

http {
{% if 'set_real_ips' in nginx -%}
{% for ip in nginx.get('set_real_ips', {}).get('from_ips', []) -%}
set_real_ip_from {{ ip }};
{% endfor -%}
real_ip_header {{ nginx.get('set_real_ips', {}).get('real_ip_header', 'X-Forwarded-For') }};

{% endif -%}
include /etc/nginx/mime.types;
default_type {{ nginx.get('default_type', 'application/octet-stream') }};
log_format main '$scheme://$host:$server_port$uri$is_args$args $remote_addr:$remote_user "$request" $request_time $request_length:$bytes_sent $status "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.fifo main;
sendfile {{ nginx.get('sendfile', 'on') }};
#tcp_nopush on;
keepalive_timeout {{ nginx.get('keepalive_timeout', 65) }};
server_names_hash_bucket_size {{ nginx.get('server_names_hash_bucket_size', 128) }};
server_names_hash_max_size {{ nginx.get('server_names_hash_max_size', 1024) }};
types_hash_max_size {{ nginx.get('types_hash_max_size', 8192) }};

gzip {{ nginx.get('gzip', 'on') }};
gzip_vary {{ nginx.get('gzip_vary', 'on') }};
gzip_proxied {{ nginx.get('gzip_proxied', 'any') }};
gzip_comp_level {{ nginx.get('gzip_comp_level', 6) }};
gzip_buffers {{ nginx.get('gzip_buffers', '16 8k') }};
gzip_http_version {{ nginx.get('gzip_http_version', '1.1') }};
gzip_types {{ nginx.get('gzip_types', ['text/plain', 'text/css', 'application/json', 'application/x-javascript', 'text/xml', 'application/xml', 'application/xml+rss', 'text/javascript'])|join(' ') }};
gzip_disable "{{ nginx.get('gzip_disable', 'msie6') }}";

# turn on nginx_status on localhost
server {
listen 127.0.0.1:80;
server_name 127.0.0.1;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
}
{% if pillar['nginx'] is defined -%}
{% if pillar['nginx']['redirect_numeric_ip']|default(False) -%}
server {
server_name {% for ip in salt['network.interfaces']()['eth0']['inet'] %}{{ ip['address'] }}:80{% if not loop.last %} {% endif %}{% endfor %};
return 302 {{ pillar['nginx']['redirect_numeric_ip'] }};
access_log off;
}
{% endif -%}
{% endif %}

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
}
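
Review bot: the deleted template always rendered a loopback-only `stub_status` server (`listen 127.0.0.1:80` with `allow 127.0.0.1; deny all;`) and pointed `access_log` and `error_log` at the `.fifo` paths, none of which the new pillar-driven config provides by default as far as this page shows. Monitoring that scrapes `/nginx_status` will stop working after conversion unless the block is re-declared in pillar. Please call this out in the migration notes, and keep the `allow`/`deny` pair in whatever example replaces it.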

+ 0
- 101
nginx/templates/nginx.init.jinja

@@ -1,101 +0,0 @@
#!/bin/sh

### BEGIN INIT INFO
# Provides: {{ service_name }}
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the {{ service_name }} web server
# Description: starts {{ service_name }} using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON={{ sbin_dir }}/nginx
NAME={{ service_name }}
DESC={{ service_name }}

# Include nginx defaults if available
if [ -f /etc/default/$NAME ]; then
. /etc/default/$NAME
fi

test -x $DAEMON || exit 0

set -e

. /lib/lsb/init-functions

test_nginx_config() {
if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
return 0
else
$DAEMON -t $DAEMON_OPTS
return $?
fi
}

case "$1" in
start)
echo -n "Starting $DESC: "
test_nginx_config
# Check if the ULIMIT is set in /etc/default/nginx
if [ -n "$ULIMIT" ]; then
# Set the ulimits
ulimit $ULIMIT
fi
start-stop-daemon --start --quiet --pidfile {{ pid_path }} \
--exec $DAEMON -- $DAEMON_OPTS || true
echo "$NAME."
;;

stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --pidfile {{ pid_path }} \
--exec $DAEMON || true
echo "$NAME."
;;

restart|force-reload)
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile \
{{ pid_path }} --exec $DAEMON || true
sleep 1
test_nginx_config
# Check if the ULIMIT is set in /etc/default/nginx
if [ -n "$ULIMIT" ]; then
# Set the ulimits
ulimit $ULIMIT
fi
start-stop-daemon --start --quiet --pidfile \
{{ pid_path }} --exec $DAEMON -- $DAEMON_OPTS || true
echo "$NAME."
;;

reload)
echo -n "Reloading $DESC configuration: "
test_nginx_config
start-stop-daemon --stop --signal HUP --quiet --pidfile {{ pid_path }} \
--exec $DAEMON || true
echo "$NAME."
;;

configtest|testconfig)
echo -n "Testing $DESC configuration: "
if test_nginx_config; then
echo "$NAME."
else
exit $?
fi
;;

status)
status_of_proc -p {{ pid_path }} "$DAEMON" nginx && exit 0 || exit $?
;;
*)
echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
exit 1
;;
esac

exit 0

+ 0
- 113
nginx/templates/sysvinit-logger.jinja

@@ -1,113 +0,0 @@
#!/bin/bash
# /etc/init.d/nginx-logger-{{ type }}
#

### BEGIN INIT INFO
# Provides: nginx-logger-{{ type }}
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx-logger-{{ type }}
# Description: starts nginx-logger-{{ type }} using start-stop-daemon
### END INIT INFO

NAME=nginx-logger-{{ type }}
DESC="syslog forwarder for nginx {{type}} logs"
DAEMON=/usr/bin/logger
DAEMON_ARGS=" -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the daemon program isn't installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

. /lib/lsb/init-functions

do_start() {
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
pid=$(pidofproc -p $PIDFILE $DAEMON)
if [ -n "$pid" ]; then
return 1;
fi

if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then
mkdir -p /var/log/nginx
mkfifo /var/log/nginx/{{ type }}.fifo
chown root.root /var/log/nginx/{{ type }}.fifo
chmod 660 /var/log/nginx/{{ type }}.fifo
fi

start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS
}

do_stop() {
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
pids=$(pidof -x $DAEMON)
if [ $? -eq 0 ]; then
echo $pids | xargs kill 2&1>/dev/null
RETVAL=0
else
RETVAL=1
fi

[ "$RETVAL" = 2 ] && return 2
rm -f $PIDFILE
return "$RETVAL"
}

case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
restart|force-reload)
[ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: /etc/init.d/nginx-logger-{{ type }} {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac

exit 0

+ 0
- 20
nginx/templates/upstart-logger.jinja

@@ -1,20 +0,0 @@
# {{ pillar.get('message_do_not_modify', '') }}
# startup script for Nginx loggers

start on starting nginx
stop on runlevel [!2345]

respawn

pre-start script
if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then
mkdir -p /var/log/nginx
mkfifo /var/log/nginx/{{ type }}.fifo
chown root.root /var/log/nginx/{{ type }}.fifo
chmod 660 /var/log/nginx/{{ type }}.fifo
fi
end script

emits nginx-logger-{{ type }}

exec logger -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}

+ 0
- 23
nginx/templates/upstart.jinja

@@ -1,23 +0,0 @@
# nginx

description "nginx http daemon"
author "George Shammas <georgyo@gmail.com>"

start on (runlevel [345] and started network)
stop on (runlevel [!345] or stopping network)

env DAEMON=/usr/sbin/nginx

expect fork
respawn
respawn limit 10 5
#oom never

pre-start script
$DAEMON -t
if [ $? -ne 0 ]
then exit $?
fi
end script

exec $DAEMON

+ 0
- 28
nginx/upstart.sls

@@ -1,28 +0,0 @@
{% set logger_types = ('access', 'error') %}

{% for log_type in logger_types %}
/var/log/nginx/{{ log_type }}.log:
file.absent

nginx-logger-{{ log_type }}:
file:
- managed
- name: /etc/init/nginx-logger-{{ log_type }}.conf
- template: jinja
- user: root
- group: root
- mode: 440
- source: salt://nginx/templates/upstart-logger.jinja
- context:
type: {{ log_type }}
service:
- running
- enable: True
- require:
- file: nginx-logger-{{ log_type }}
- require_in:
- service: nginx
{% endfor %}

/etc/logrotate.d/nginx:
file.absent

+ 0
- 30
nginx/users.sls

@@ -1,30 +0,0 @@
{% from "nginx/map.jinja" import nginx with context %}
{% set htauth = nginx.get('htpasswd', '/etc/nginx/.htpasswd') -%}

htpasswd:
pkg.installed:
- name: {{ nginx.apache_utils }}

touch {{ htauth }}:
cmd.run:
- creates: {{ htauth }}

make sure {{ htauth }} exists:
file.managed:
- name: {{ htauth }}
- makedirs: True

{% for name, user in pillar.get('users', {}).items() %}
{% if user['webauth'] is defined -%}

nginx_user_{{name}}:
module.run:
- name: basicauth.adduser
- user: {{ name }}
- passwd: {{ user['webauth'] }}
- path: {{ htauth }}
- require:
- pkg: htpasswd

{% endif -%}
{% endfor %}
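
Review bot: removing this state leaves `/etc/nginx/.htpasswd` (or the path from `nginx:htpasswd`) unmanaged, and the changed-file list shows no replacement for the `basicauth.adduser` loop. Entries already written stay on disk, and new or changed `webauth` values in pillar are no longer applied. Either document that basic-auth credentials must now be managed by another formula, or ship a replacement state.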

+ 279
- 302
pillar.example

@@ -1,306 +1,283 @@
#=====
# nginx: see `nginx.ng` state instead.
#======
nginx:
install_from_source: True
use_upstart: True
use_sysvinit: False
user_auth_enabled: True
with_luajit: False
with_openresty: True
repo_version: development # Must be using ppa install by setting `repo_source = ppa`
set_real_ips: # NOTE: to use this, nginx must have http_realip module enabled
from_ips:
- 10.10.10.0/24
real_ip_header: X-Forwarded-For
modules:
headers-more:
source: http://github.com/agentzh/headers-more-nginx-module/tarball/v0.21
source_hash: sha1=dbf914cbf3f7b6cb7e033fa7b7c49e2f8879113b
#pid: /var/run/nginx.pid
# Directory location must exist (i.e. it's /run/nginx.pid on EL7)

# ========
# nginx.ng
# nginx (previously named nginx:ng)
# ========

nginx:
ng:
# The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided
# package will be installed. If one of the `install_from` option is set to `True`, the state will
# make sure the other two repos are removed.

# Use the official's nginx repo binaries
install_from_repo: false

# Use Phusionpassenger's repo to install nginx and passenger binaries
# Debian, Centos, Ubuntu and Redhat are currently available
install_from_phusionpassenger: false

# PPA install
install_from_ppa: false
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx )
ppa_version: 'stable'

# Source install
source_version: '1.10.0'
source_hash: ''

# These are usually set by grains in map.jinja
# Typically you can comment these out.
lookup:
package: nginx-custom (can be a list)
service: nginx
webuser: www-data
conf_file: /etc/nginx/nginx.conf
server_available: /etc/nginx/sites-available
server_enabled: /etc/nginx/sites-enabled
server_use_symlink: True
# If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed
passenger_package: libnginx-mod-http-passenger
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf

# This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever
rh_os_releasever: '6'
# Currently it can be used on rhel/centos/suse when installing from repo
gpg_check: True
pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ###


# Source compilation is not currently a part of nginx.ng
from_source: False

source:
opts: {}

package:
opts: {} # this partially exposes parameters of pkg.installed

service:
enable: True # Whether or not the service will be enabled/running or dead
opts: {} # this partially exposes parameters of service.running / service.dead

##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
## You can use snippets to define often repeated configuration once and include it later
## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'"
##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
snippets:
letsencrypt:
- location ^~ /.well-known/acme-challenge/:
- proxy_pass: http://localhost:9999
cloudflare_proxy:
- set_real_ip_from: 103.21.244.0/22
- set_real_ip_from: 103.22.200.0/22
- set_real_ip_from: 104.16.0.0/12
- set_real_ip_from: 108.162.192.0/18
blacklist:
- map $http_user_agent $bad_bot:
- default: 0
- '~*^Lynx': 0
- '~*malicious': 1
- '~*bot': 1
- '~*crawler': 1
- '~*bandit': 1
- libwww-perl: 1
- '~(?i)(httrack|htmlparser|libwww)': 1
upstream_netdata_tcp:
- upstream netdata:
- server: 127.0.0.1:19999
- keepalive: 64


server:
opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file

#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
# nginx.conf (main server) declarations
# dictionaries map to blocks {} and lists cause the same declaration to repeat with different values
# see also http://nginx.org/en/docs/example.html
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
config:
include: 'snippets/letsencrypt.conf'
source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the
# options; if it is found other options (worker_processes: 4 and so
# on) are not processed and just upload the file from source
worker_processes: 4
load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start
#pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
events:
worker_connections: 1024
http:
sendfile: 'on'
include:
#### Note: Syntax issues in these files generate nginx [emerg] errors on startup. ####
- /etc/nginx/mime.types

### module ngx_http_log_module example
log_format: |-
main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
access_log: [] #suppress default access_log option from being added

### module nngx_stream_core_module
### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
stream:
upstream lb-1000:
- server:
- hostname1.example.com:1000
- hostname2.example.com:1000
upstream stream_backend:
least_conn: ''
'server backend1.example.com:12345 weight=5':
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s':
'server backend3.example.com:12345 max_conns=3':
upstream dns_servers:
least_conn:
'server 192.168.136.130:53':
'server 192.168.136.131:53':
'server 192.168.136.132:53':
server:
listen: 1000
proxy_pass: lb-1000
'server ':
listen: '53 udp'
proxy_pass: dns_servers
'server ':
listen: 12346
proxy_pass: backend4.example.com:12346


servers:
disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling
symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites
rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites
managed_opts: {} # partially exposes file.managed params for managed server files
dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs


#####################
# server declarations; placed by default in server "available" directory
#####################
managed:

mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite')
# may be True, False, or None where True is enabled, False, disabled, and None indicates no action
enabled: True

# Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default)
# It also remove the symlink (if it is exists).
# The site MUST be disabled before delete it (if not the nginx is not reloaded).
#deleted: True

#available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename
#enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename
disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking
overwrite: True # overwrite an existing server file or not

# May be a list of config options or None, if None, no server file will be managed/templated
# Take server directives as lists of dictionaries. If the dictionary value is another list of
# dictionaries a block {} will be started with the dictionary key name
config:
- server:
- server_name: localhost
- listen:
- '80 default_server'
- listen:
- '443 ssl'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- test: something else
- include: 'snippets/letsencrypt.conf'

# Or a slightly more compact alternative syntax:

- server:
- server_name: localhost
- listen:
- '80 default_server'
- '443 ssl'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- test: something else
- include: 'snippets/letsencrypt.conf'

# both of those output:
# server {
# server_name localhost;
# listen 80 default_server;
# listen 443 ssl;
# index index.html index.htm;
# location ~ .htm {
# try_files $uri $uri/ =404;
# test something else;
# }
# }

mysite2: # Using source_path options to upload the file instead of templating all the file
enabled: True
available_dir: /etc/nginx/sites-available
enabled_dir: /etc/nginx/sites-enabled
config:
source_path: salt://path-to-site-file/mysite2

# Below configuration becomes handy if you want to create custom configuration files
# for example if you want to create /usr/local/etc/nginx/http_options.conf with
# the following content:

# sendfile on;
# tcp_nopush on;
# tcp_nodelay on;
# send_iowait 12000;

http_options.conf:
enabled: True
available_dir: /usr/local/etc/nginx
enabled_dir: /usr/local/etc/nginx
config:
- sendfile: 'on'
- tcp_nopush: 'on'
- tcp_nodelay: 'on'
- send_iowait: 12000

certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path.
# If you're doing SSL termination, you can deploy certificates this way.
# The private one(s) should go in a separate pillar file not in version
# control (or use encrypted pillar data).
certificates:
'www.example.com':

# choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree)
# public_cert_pillar: certs:example.com:fullchain.pem
# private_key_pillar: certs:example.com:privkey.pem
# or directly pasting the cert
public_cert: |
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: www.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: ExampleCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: www.example.com.key)
-----END RSA PRIVATE KEY-----

dh_param:
'mydhparam1.pem': |
-----BEGIN DH PARAMETERS-----
(Your custom DH prime)
-----END DH PARAMETERS-----
# or to generate one on-the-fly
'mydhparam2.pem':
keysize: 2048

# Passenger configuration
# Default passenger configuration is provided, and will be deployed in
# /etc/nginx/conf.d/passenger.conf
passenger:
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
passenger_ruby: /usr/bin/ruby
passenger_instance_registry_dir: /var/run/passenger-instreg
# The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided
# package will be installed. If one of the `install_from` option is set to `True`, the state will
# make sure the other two repos are removed.

# Use the official's nginx repo binaries
install_from_repo: false

# Use Phusionpassenger's repo to install nginx and passenger binaries
# Debian, Centos, Ubuntu and Redhat are currently available
install_from_phusionpassenger: false

# PPA install
install_from_ppa: false
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx )
ppa_version: 'stable'

# Source install
source_version: '1.10.0'
source_hash: ''

# These are usually set by grains in map.jinja
# Typically you can comment these out.
lookup:
package: nginx-custom (can be a list)
service: nginx
webuser: www-data
conf_file: /etc/nginx/nginx.conf
server_available: /etc/nginx/sites-available
server_enabled: /etc/nginx/sites-enabled
server_use_symlink: True
# If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed
passenger_package: libnginx-mod-http-passenger
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf

# This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever
rh_os_releasever: '6'
# Currently it can be used on rhel/centos/suse when installing from repo
gpg_check: True
pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ###


# Source compilation is not currently a part of nginx
from_source: False

source:
opts: {}

package:
opts: {} # this partially exposes parameters of pkg.installed

service:
enable: True # Whether or not the service will be enabled/running or dead
opts: {} # this partially exposes parameters of service.running / service.dead

##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
## You can use snippets to define often repeated configuration once and include it later
## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'"
##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
snippets:
letsencrypt:
- location ^~ /.well-known/acme-challenge/:
- proxy_pass: http://localhost:9999
cloudflare_proxy:
- set_real_ip_from: 103.21.244.0/22
- set_real_ip_from: 103.22.200.0/22
- set_real_ip_from: 104.16.0.0/12
- set_real_ip_from: 108.162.192.0/18
blacklist:
- map $http_user_agent $bad_bot:
- default: 0
- '~*^Lynx': 0
- '~*malicious': 1
- '~*bot': 1
- '~*crawler': 1
- '~*bandit': 1
- libwww-perl: 1
- '~(?i)(httrack|htmlparser|libwww)': 1
upstream_netdata_tcp:
- upstream netdata:
- server: 127.0.0.1:19999
- keepalive: 64


server:
opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file

#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
# nginx.conf (main server) declarations
# dictionaries map to blocks {} and lists cause the same declaration to repeat with different values
# see also http://nginx.org/en/docs/example.html
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - #
config:
include: 'snippets/letsencrypt.conf'
source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the
# options; if it is found other options (worker_processes: 4 and so
# on) are not processed and just upload the file from source
worker_processes: 4
load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start
#pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
events:
worker_connections: 1024
http:
sendfile: 'on'
include:
#### Note: Syntax issues in these files generate nginx [emerg] errors on startup. ####
- /etc/nginx/mime.types

### module ngx_http_log_module example
log_format: |-
main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
access_log: [] #suppress default access_log option from being added

### module nngx_stream_core_module
### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
stream:
upstream lb-1000:
- server:
- hostname1.example.com:1000
- hostname2.example.com:1000
upstream stream_backend:
least_conn: ''
'server backend1.example.com:12345 weight=5':
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s':
'server backend3.example.com:12345 max_conns=3':
upstream dns_servers:
least_conn:
'server 192.168.136.130:53':
'server 192.168.136.131:53':
'server 192.168.136.132:53':
server:
listen: 1000
proxy_pass: lb-1000
'server ':
listen: '53 udp'
proxy_pass: dns_servers
'server ':
listen: 12346
proxy_pass: backend4.example.com:12346


servers:
disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling
symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites
rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites
managed_opts: {} # partially exposes file.managed params for managed server files
dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs


#####################
# server declarations; placed by default in server "available" directory
#####################
managed:

mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite')
# may be True, False, or None where True is enabled, False, disabled, and None indicates no action
enabled: True

# Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default)
# It also remove the symlink (if it is exists).
# The site MUST be disabled before delete it (if not the nginx is not reloaded).
#deleted: True

#available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename
#enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename
disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking
overwrite: True # overwrite an existing server file or not

# May be a list of config options or None, if None, no server file will be managed/templated
# Take server directives as lists of dictionaries. If the dictionary value is another list of
# dictionaries a block {} will be started with the dictionary key name
config:
- server:
- server_name: localhost
- listen:
- '80 default_server'
- listen:
- '443 ssl'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- test: something else
- include: 'snippets/letsencrypt.conf'

# Or a slightly more compact alternative syntax:

- server:
- server_name: localhost
- listen:
- '80 default_server'
- '443 ssl'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- test: something else
- include: 'snippets/letsencrypt.conf'

# both of those output:
# server {
# server_name localhost;
# listen 80 default_server;
# listen 443 ssl;
# index index.html index.htm;
# location ~ .htm {
# try_files $uri $uri/ =404;
# test something else;
# }
# }

mysite2: # Using source_path options to upload the file instead of templating all the file
enabled: True
available_dir: /etc/nginx/sites-available
enabled_dir: /etc/nginx/sites-enabled
config:
source_path: salt://path-to-site-file/mysite2

# Below configuration becomes handy if you want to create custom configuration files
# for example if you want to create /usr/local/etc/nginx/http_options.conf with
# the following content:

# sendfile on;
# tcp_nopush on;
# tcp_nodelay on;
# send_iowait 12000;

http_options.conf:
enabled: True
available_dir: /usr/local/etc/nginx
enabled_dir: /usr/local/etc/nginx
config:
- sendfile: 'on'
- tcp_nopush: 'on'
- tcp_nodelay: 'on'
- send_iowait: 12000

certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path.
# If you're doing SSL termination, you can deploy certificates this way.
# The private one(s) should go in a separate pillar file not in version
# control (or use encrypted pillar data).
certificates:
'www.example.com':

# choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree)
# public_cert_pillar: certs:example.com:fullchain.pem
# private_key_pillar: certs:example.com:privkey.pem
# or directly pasting the cert
public_cert: |
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: www.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: ExampleCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: www.example.com.key)
-----END RSA PRIVATE KEY-----

dh_param:
'mydhparam1.pem': |
-----BEGIN DH PARAMETERS-----
(Your custom DH prime)
-----END DH PARAMETERS-----
# or to generate one on-the-fly
'mydhparam2.pem':
keysize: 2048

# Passenger configuration
# Default passenger configuration is provided, and will be deployed in
# /etc/nginx/conf.d/passenger.conf
passenger:
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
passenger_ruby: /usr/bin/ruby
passenger_instance_registry_dir: /var/run/passenger-instreg
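Review bot: `source_version: '1.10.0'` and `source_hash: ''` are kept in the example pillar, while a comment further down says "Source compilation is not currently a part of nginx" next to `from_source: False`, so a reader cannot tell whether these two keys are still consumed. If they are, show a placeholder in the expected hash format rather than an empty string, because copying the example as-is pins a version with no value to verify the download against; if they are not, drop them from the example. Two smaller points in the same hunk: under `lookup`, `package: nginx-custom (can be a list)` puts the hint inside the YAML value, so it would be read as part of the package name and belongs in a `#` comment; and the `cloudflare_proxy` snippet lists only `set_real_ip_from` ranges with no `real_ip_header`, which leaves nginx on its default `X-Real-IP`, so the example should say which header is meant to be trusted.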

+ 29
- 30
test/salt/default/pillar/nginx.sls View file

@@ -5,35 +5,34 @@
# - create 'mysite' site

nginx:
ng:
snippets:
letsencrypt:
- location ^~ /.well-known/acme-challenge/:
- proxy_pass: http://localhost:9999
server:
config:
http:
### module ngx_http_log_module example
log_format: |-
main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
servers:
managed:
default:
deleted: True
enabled: False
config: {}
snippets:
letsencrypt:
- location ^~ /.well-known/acme-challenge/:
- proxy_pass: http://localhost:9999
server:
config:
http:
### module ngx_http_log_module example
log_format: |-
main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
servers:
managed:
default:
deleted: True
enabled: False
config: {}

mysite:
enabled: True
config:
- server:
- server_name: localhost
- listen:
- '80 default_server'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- include: 'snippets/letsencrypt.conf'
mysite:
enabled: True
config:
- server:
- server_name: localhost
- listen:
- '80 default_server'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- include: 'snippets/letsencrypt.conf'
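Review bot: in `mysite`, `location ~ .htm` is a regex location with an unescaped dot and no anchor, so it matches any URI that contains an arbitrary character followed by `htm`, not only `.htm` and `.html` files. Since this test pillar repeats the sample from `pillar.example`, a quoted key such as `'location ~ \.html?$'` would state the intent and keep the `try_files` rule from applying to unrelated paths.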

