BREAKING CHANGE: all previous `nginx` based configurations must be reviewed; `nginx.ng` usage must be promoted to `nginx` and any uses of the original `nginx` will have to be converted.

tags/v1.0.0
:local: | :local: | ||||
``nginx`` | ``nginx`` | ||||
--------- | |||||
Runs the states to install nginx, configure the common files, and the users. | |||||
``nginx.common`` | |||||
---------------- | |||||
Ensures standard nginx files are in place, and configures enabled sites. | |||||
``nginx.luajit2`` | |||||
----------------- | |||||
Installs luajit. | |||||
``nginx.openresty`` | |||||
------------------- | |||||
Installs openresty. | |||||
``nginx.package`` | |||||
----------------- | |||||
Installs the nginx package via package manager. | |||||
``nginx.source`` | |||||
---------------- | |||||
Installs nginx via the source files. | |||||
``nginx.users`` | |||||
--------------- | |||||
Installs apache utils, and configures nginx users specified in the pillar. | |||||
This requires `basicauth <https://github.com/saltstack/salt-contrib/blob/master/modules/basicauth.py>`_ | |||||
from `salt-contrib <https://github.com/saltstack/salt-contrib/>`_ (either add it to your salt or ship | |||||
this single file in your `_modules` directory see `Dynamic Module Distribution | |||||
<https://docs.saltstack.com/en/latest/ref/file_server/dynamic-modules.html>`_ | |||||
Next-generation, alternate approach | |||||
=================================== | |||||
The following states provide an alternate approach to managing Nginx and Nginx | |||||
servers, as well as code organization. Please provide feedback by filing issues, | |||||
discussing in ``#salt`` in Freenode and the mailing list as normal. | |||||
.. contents:: | |||||
:local: | |||||
``nginx.ng`` | |||||
------------ | ------------ | ||||
Meta-state for inclusion of all ng states. | |||||
Meta-state for inclusion of all states. | |||||
**Note:** nginx.ng requires the merge parameter of salt.modules.pillar.get(), | |||||
**Note:** nginx requires the merge parameter of salt.modules.pillar.get(), | |||||
first available in the Helium release. | first available in the Helium release. | ||||
``nginx.ng.pkg`` | |||||
``nginx.pkg`` | |||||
-------------------- | -------------------- | ||||
Installs nginx from package, from the distribution repositories, the official nginx repo or the ppa from Launchpad. | Installs nginx from package, from the distribution repositories, the official nginx repo or the ppa from Launchpad. | ||||
``nginx.ng.src`` | |||||
``nginx.src`` | |||||
-------------------- | -------------------- | ||||
Builds and installs nginx from source. | Builds and installs nginx from source. | ||||
``nginx.ng.certificates`` | |||||
``nginx.certificates`` | |||||
------------------- | ------------------- | ||||
Manages the deployment of nginx certificates. | Manages the deployment of nginx certificates. | ||||
``nginx.ng.config`` | |||||
``nginx.config`` | |||||
------------------- | ------------------- | ||||
Manages the nginx main server configuration file. | Manages the nginx main server configuration file. | ||||
``nginx.ng.service`` | |||||
``nginx.service`` | |||||
-------------------- | -------------------- | ||||
Manages the startup and running state of the nginx service. | Manages the startup and running state of the nginx service. | ||||
``nginx.ng.servers_config`` | |||||
``nginx.servers_config`` | |||||
-------------------------- | -------------------------- | ||||
Manages virtual host files. This state only manages the content of the files | Manages virtual host files. This state only manages the content of the files | ||||
and does not bind them to service calls. | and does not bind them to service calls. | ||||
``nginx.ng.servers`` | |||||
``nginx.servers`` | |||||
------------------- | ------------------- | ||||
Manages nginx virtual hosts files and binds them to service calls. | Manages nginx virtual hosts files and binds them to service calls. | ||||
``nginx.ng.passenger`` | |||||
``nginx.passenger`` | |||||
---------------------- | ---------------------- | ||||
Installs and configures Phusion Passenger module for nginx. You need to enable | Installs and configures Phusion Passenger module for nginx. You need to enable |
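Review bot: the README section that renames `nginx.ng.*` to `nginx.*` documents the new state names but gives no upgrade path for the pillar side. The state files in this same commit now read `nginx:certificates`, `nginx:dh_param` and `nginx:certificates_path` where they used to read `nginx:ng:...`, so a short upgrade section would help: list the state renames, the pillar move from `nginx:ng` to `nginx`, and the states whose documentation is dropped here (`nginx.common`, `nginx.luajit2`, `nginx.openresty`, `nginx.package`, `nginx.source`, `nginx.users`), so operators can audit top files and pillars before applying.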
To avoid this situation we can use the `pillar mechanism <http://docs.saltstack.com/en/latest/topics/pillar/>`_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja <http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html>`_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates. | To avoid this situation we can use the `pillar mechanism <http://docs.saltstack.com/en/latest/topics/pillar/>`_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja <http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html>`_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates. | ||||
There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/spsoit/nginx-formula/blob/81de880fe0276dd9488ffa15bc78944c0fc2b919/nginx/ng/files/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. | |||||
There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/spsoit/nginx-formula/blob/81de880fe0276dd9488ffa15bc78944c0fc2b919/nginx/files/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. | |||||
In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values. | In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values. | ||||
state_top: | state_top: | ||||
base: | base: | ||||
'*': | '*': | ||||
- nginx.ng | |||||
- nginx | |||||
pillars: | pillars: | ||||
top.sls: | top.sls: | ||||
base: | base: |
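Review bot: in the paragraph that links to the "non-trivial Jinja" example, the URL is pinned to commit 81de880fe0276dd9488ffa15bc78944c0fc2b919 of spsoit/nginx-formula, and this change rewrites its path from `nginx/ng/files/nginx.conf` to `nginx/files/nginx.conf`. A blob link at a fixed commit resolves against the tree as it was at that commit, so the rewritten path needs checking; if the file only existed under `nginx/ng/files/` at that commit, keep the original URL.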
{% from 'nginx/ng/map.jinja' import nginx with context %} | |||||
{% from 'nginx/map.jinja' import nginx with context %} | |||||
include: | include: | ||||
- nginx.ng.service | |||||
- nginx.service | |||||
{% set certificates_path = salt['pillar.get']('nginx:ng:certificates_path', '/etc/nginx/ssl') %} | |||||
{% set certificates_path = salt['pillar.get']('nginx:certificates_path', '/etc/nginx/ssl') %} | |||||
{%- for dh_param, value in salt['pillar.get']('nginx:ng:dh_param', {}).items() %} | |||||
{%- for dh_param, value in salt['pillar.get']('nginx:dh_param', {}).items() %} | |||||
{%- if value is string %} | {%- if value is string %} | ||||
create_nginx_dhparam_{{ dh_param }}_key: | create_nginx_dhparam_{{ dh_param }}_key: | ||||
file.managed: | file.managed: | ||||
- name: {{ certificates_path }}/{{ dh_param }} | - name: {{ certificates_path }}/{{ dh_param }} | ||||
- contents_pillar: nginx:ng:dh_param:{{ dh_param }} | |||||
- contents_pillar: nginx:dh_param:{{ dh_param }} | |||||
- makedirs: True | - makedirs: True | ||||
- watch_in: | - watch_in: | ||||
- service: nginx_service | - service: nginx_service | ||||
{%- endif %} | {%- endif %} | ||||
{%- endfor %} | {%- endfor %} | ||||
{%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %} | |||||
{%- for domain in salt['pillar.get']('nginx:certificates', {}).keys() %} | |||||
nginx_{{ domain }}_ssl_certificate: | nginx_{{ domain }}_ssl_certificate: | ||||
file.managed: | file.managed: | ||||
- name: {{ certificates_path }}/{{ domain }}.crt | - name: {{ certificates_path }}/{{ domain }}.crt | ||||
- makedirs: True | - makedirs: True | ||||
{% if salt['pillar.get']("nginx:ng:certificates:{}:public_cert_pillar".format(domain)) %} | |||||
- contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:public_cert_pillar'.format(domain))}} | |||||
{% if salt['pillar.get']("nginx:certificates:{}:public_cert_pillar".format(domain)) %} | |||||
- contents_pillar: {{salt['pillar.get']('nginx:certificates:{}:public_cert_pillar'.format(domain))}} | |||||
{% else %} | {% else %} | ||||
- contents_pillar: nginx:ng:certificates:{{ domain }}:public_cert | |||||
- contents_pillar: nginx:certificates:{{ domain }}:public_cert | |||||
{% endif %} | {% endif %} | ||||
- watch_in: | - watch_in: | ||||
- service: nginx_service | - service: nginx_service | ||||
{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain))%} | |||||
{% if salt['pillar.get']("nginx:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain))%} | |||||
nginx_{{ domain }}_ssl_key: | nginx_{{ domain }}_ssl_key: | ||||
file.managed: | file.managed: | ||||
- name: {{ certificates_path }}/{{ domain }}.key | - name: {{ certificates_path }}/{{ domain }}.key | ||||
- mode: 600 | - mode: 600 | ||||
- makedirs: True | - makedirs: True | ||||
{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain)) %} | |||||
- contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:private_key_pillar'.format(domain))}} | |||||
{% if salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain)) %} | |||||
- contents_pillar: {{salt['pillar.get']('nginx:certificates:{}:private_key_pillar'.format(domain))}} | |||||
{% else %} | {% else %} | ||||
- contents_pillar: nginx:ng:certificates:{{ domain }}:private_key | |||||
- contents_pillar: nginx:certificates:{{ domain }}:private_key | |||||
{% endif %} | {% endif %} | ||||
- watch_in: | - watch_in: | ||||
- service: nginx_service | - service: nginx_service |
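Review bot: the loops over `salt['pillar.get']('nginx:certificates', {})` and `salt['pillar.get']('nginx:dh_param', {})` default to an empty dict, so a minion whose pillar still uses the old `nginx:ng:certificates` layout renders no certificate or key states and the run still reports success. Consider emitting a failing state (for example `test.fail_without_changes`) when `nginx:ng` is still present in pillar, so unmigrated hosts surface as errors instead of silently no longer having their certificates and private keys managed.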
{% from "nginx/map.jinja" import nginx as nginx_map with context %} | |||||
{% set nginx = pillar.get('nginx', {}) -%} | |||||
{% set home = nginx.get('home', nginx_map.home) -%} | |||||
{% set conf_dir = nginx.get('conf_dir', nginx_map.conf_dir) -%} | |||||
{% set conf_template = nginx.get('conf_template', 'salt://nginx/templates/config.jinja') -%} | |||||
{{ home }}: | |||||
file: | |||||
- directory | |||||
- user: {{ nginx_map.default_user }} | |||||
- group: {{ nginx_map.default_group }} | |||||
- mode: 0755 | |||||
- makedirs: True | |||||
- require: | |||||
{%- if pillar.get('nginx', {}).get('install_from_source', false) %} | |||||
- user: {{ nginx_map.default_user }} | |||||
- group: {{ nginx_map.default_group }} | |||||
{%- else %} | |||||
- pkg: nginx | |||||
{% endif %} | |||||
/usr/share/nginx: | |||||
file: | |||||
- directory | |||||
{% for filename in ('default', 'example_ssl') %} | |||||
{{ conf_dir }}/conf.d/{{ filename }}.conf: | |||||
file.absent | |||||
{% endfor %} | |||||
{{ conf_dir }}: | |||||
file.directory: | |||||
- user: root | |||||
- group: root | |||||
- makedirs: True | |||||
{{ conf_dir }}/nginx.conf: | |||||
file: | |||||
- managed | |||||
- template: jinja | |||||
- user: root | |||||
- group: root | |||||
- mode: 644 | |||||
- source: {{ conf_template }} | |||||
- require: | |||||
- file: {{ conf_dir }} | |||||
- context: | |||||
default_user: {{ nginx_map.default_user }} | |||||
default_group: {{ nginx_map.default_group }} | |||||
{% if nginx.get('init_conf_dirs', True) %} | |||||
{% for dir in ('sites-enabled', 'sites-available') %} | |||||
{{ conf_dir }}/{{ dir }}: | |||||
file.directory: | |||||
- user: root | |||||
- group: root | |||||
{% endfor -%} | |||||
{% endif %} |
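Review bot: the deleted `file.absent` loop over `('default', 'example_ssl')` is the only place visible in this commit that removes the packaged `conf.d/default.conf` and `conf.d/example_ssl.conf`, and the new default `http` `include` list in map.jinja still pulls in `conf.d/*.conf`. If no remaining state removes those files, hosts built after this change will load the packaged default server configs; confirm that is intended or carry the cleanup into the new states.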
# nginx.ng.config | |||||
# nginx.config | |||||
# | # | ||||
# Manages the main nginx server configuration file. | # Manages the main nginx server configuration file. | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
{% if nginx.install_from_source %} | {% if nginx.install_from_source %} | ||||
nginx_log_dir: | nginx_log_dir: | ||||
{% if 'source_path' in nginx.server.config %} | {% if 'source_path' in nginx.server.config %} | ||||
{% set source_path = nginx.server.config.source_path %} | {% set source_path = nginx.server.config.source_path %} | ||||
{% else %} | {% else %} | ||||
{% set source_path = 'salt://nginx/ng/files/nginx.conf' %} | |||||
{% set source_path = 'salt://nginx/files/nginx.conf' %} | |||||
{% endif %} | {% endif %} | ||||
nginx_config: | nginx_config: | ||||
file.managed: | file.managed: |
{% from "nginx/map.jinja" import nginx as nginx_map with context %} | |||||
# nginx | |||||
# | |||||
# Meta-state to fully install nginx. | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
include: | include: | ||||
- nginx.common | |||||
{% if salt['pillar.get']('nginx:use_upstart', nginx_map['use_upstart']) %} | |||||
- nginx.upstart | |||||
{% elif salt['pillar.get']('nginx:use_sysvinit', nginx_map['use_sysvinit']) %} | |||||
- nginx.sysvinit | |||||
{% endif %} | |||||
{% if pillar.get('nginx', {}).get('user_auth_enabled', true) %} | |||||
- nginx.users | |||||
{% endif %} | |||||
{% if pillar.get('nginx', {}).get('install_from_source', false) %} | |||||
- nginx.source | |||||
{% else %} | |||||
- nginx.package | |||||
{% endif -%} | |||||
- nginx.config | |||||
- nginx.service | |||||
{% if nginx.snippets is defined %} | |||||
- nginx.snippets | |||||
{% endif %} | |||||
- nginx.servers | |||||
- nginx.certificates | |||||
extend: | |||||
nginx_service: | |||||
service: | |||||
- listen: | |||||
- file: nginx_config | |||||
- require: | |||||
- file: nginx_config | |||||
nginx_config: | |||||
file: | |||||
- require: | |||||
{% if nginx.install_from_source %} | |||||
- cmd: nginx_install | |||||
{% else %} | |||||
- pkg: nginx_install | |||||
{% endif %} |
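Review bot: the rewritten include list drops `nginx.users`, which the old meta-state included whenever `user_auth_enabled` was unset or true, and nothing in the new list replaces it. Deployments that relied on it to create basic-auth users from pillar will stop having those users managed after the upgrade, so the removal should be called out next to the breaking-change notice. Separately, the `extend` block requires `nginx_install` while the include list names no package or source state; that works only if `nginx.config` or `nginx.service` includes one, which deserves a comment here.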
{% set nginx = pillar.get('nginx', {}) -%} | |||||
{% set home = nginx.get('home', '/var/www') -%} | |||||
{% set source = nginx.get('source_root', '/usr/local/src') -%} | |||||
get-luajit2: | |||||
file.managed: | |||||
- name: {{ source }}/luajit.tar.gz | |||||
- source: http://luajit.org/download/LuaJIT-2.0.1.tar.gz | |||||
- source_hash: sha1=330492aa5366e4e60afeec72f15e44df8a794db5 | |||||
cmd.wait: | |||||
- cwd: {{ nginx_home }} | |||||
- name: tar -zxf {{ source }}/luajit.tar.gz -C {{ source }} | |||||
- watch: | |||||
- file: get-luajit2 | |||||
- require_in: | |||||
- cmd: nginx |
{% set nginx = salt['grains.filter_by']({ | |||||
'Debian': { | |||||
'apache_utils': 'apache2-utils', | |||||
'group_action': 'pkg.installed', | |||||
'group_pkg': 'build-essential', | |||||
'libpcre_dev': 'libpcre3-dev', | |||||
'libssl_dev': 'libssl-dev', | |||||
'pid_path': '/var/run/nginx.pid', | |||||
'package': 'nginx-full', | |||||
'default_user': 'www-data', | |||||
'default_group': 'www-data', | |||||
'disable_before_rename': False, | |||||
'old_init_disable': 'update-rc.d -f nginx remove', | |||||
'use_upstart': True, | |||||
'use_sysvinit': False, | |||||
'home': '/var/www', | |||||
'conf_dir': '/etc/nginx', | |||||
'log_dir': '/var/log/nginx', | |||||
'sbin_dir': '/usr/sbin', | |||||
'install_prefix': '/usr/local/nginx', | |||||
'make_flags': '-j2' | |||||
{% macro sls_block(dict) %} | |||||
{% for key, value in dict.items() %} | |||||
- {{ key }}: {{ value|json(sort_keys=False) }} | |||||
{% endfor %} | |||||
{% endmacro %} | |||||
{% set nginx = salt['pillar.get']('nginx', { | |||||
'lookup': salt['grains.filter_by']({ | |||||
'Debian': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', | |||||
'service': 'nginx', | |||||
'webuser': 'www-data', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/sites-available', | |||||
'server_enabled': '/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'pid_file': '/run/nginx.pid', | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'CentOS': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/conf.d', | |||||
'server_enabled': '/etc/nginx/conf.d', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': False, | |||||
'pid_file': '/run/nginx.pid', | |||||
'rh_os_releasever': '$releasever', | |||||
'gpg_check': False, | |||||
'gpg_key': 'http://nginx.org/keys/nginx_signing.key', | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'RedHat': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/conf.d', | |||||
'server_enabled': '/etc/nginx/conf.d', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': False, | |||||
'pid_file': '/run/nginx.pid', | |||||
'rh_os_releasever': '$releasever', | |||||
'gpg_check': False, | |||||
'gpg_key': 'http://nginx.org/keys/nginx_signing.key', | |||||
'passenger': { | |||||
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', | |||||
'passenger_instance_registry_dir': ' /var/run/passenger-instreg', | |||||
'passenger_ruby': '/usr/bin/ruby', | |||||
}, | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'Suse': { | |||||
'package': 'nginx', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/vhosts.d', | |||||
'server_enabled': '/etc/nginx/vhosts.d', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': False, | |||||
'pid_file': '/run/nginx.pid', | |||||
'gpg_check': True, | |||||
'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_{{ grains.osrelease }}/repodata/repomd.xml.key', | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'Arch': { | |||||
'package': 'nginx', | |||||
'service': 'nginx', | |||||
'webuser': 'http', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/sites-available', | |||||
'server_enabled': '/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'Gentoo': { | |||||
'package': 'www-servers/nginx', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/sites-available', | |||||
'server_enabled': '/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'openssl_package': 'dev-libs/openssl', | |||||
}, | |||||
'FreeBSD': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'service': 'nginx', | |||||
'webuser': 'www', | |||||
'conf_file': '/usr/local/etc/nginx/nginx.conf', | |||||
'server_available': '/usr/local/etc/nginx/sites-available', | |||||
'server_enabled': '/usr/local/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/usr/local/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'pid_file': '/var/run/nginx.pid', | |||||
}, | |||||
}, default='Debian' ), | |||||
'install_from_source': False, | |||||
'install_from_ppa': False, | |||||
'install_from_repo': False, | |||||
'install_from_phusionpassenger': False, | |||||
'ppa_version': 'stable', | |||||
'source_version': '1.10.0', | |||||
'source_hash': '8ed647c3dd65bc4ced03b0e0f6bf9e633eff6b01bac772bcf97077d58bc2be4d', | |||||
'source': { | |||||
'opts': {}, | |||||
}, | }, | ||||
'RedHat': { | |||||
'apache_utils': 'httpd-tools', | |||||
'group_action': 'pkg.group_installed', | |||||
'group_pkg': 'Development Tools', | |||||
'libpcre_dev': 'pcre-devel', | |||||
'libssl_dev': 'openssl-devel', | |||||
'pid_path': '/run/nginx.pid', | |||||
'package': 'nginx', | |||||
'default_user': 'nginx', | |||||
'default_group': 'nginx', | |||||
'disable_before_rename': True, | |||||
'old_init_disable': 'chkconfig --del nginx', | |||||
'use_upstart': True, | |||||
'use_sysvinit': False, | |||||
'home': '/var/www', | |||||
'conf_dir': '/etc/nginx', | |||||
'log_dir': '/var/log/nginx', | |||||
'sbin_dir': '/usr/sbin', | |||||
'install_prefix': '/usr/local/nginx', | |||||
'make_flags': '-j2' | |||||
'package': { | |||||
'opts': {}, | |||||
}, | }, | ||||
'Suse': { | |||||
'apache_utils': 'apache2-utils', | |||||
'group_action': 'pkg.installed', | |||||
'group_pkg': 'patterns-devel-base-devel_rpm_build', | |||||
'libpcre_dev': 'pcre-devel', | |||||
'libssl_dev': 'openssl-devel', | |||||
'pid_path': '/run/nginx.pid', | |||||
'package': 'nginx', | |||||
'default_user': 'nginx', | |||||
'default_group': 'nginx', | |||||
'disable_before_rename': True, | |||||
'old_init_disable': 'chkconfig --del nginx', | |||||
'use_upstart': False, | |||||
'use_sysvinit': False, | |||||
'home': '/srv/www', | |||||
'conf_dir': '/etc/nginx', | |||||
'log_dir': '/var/log/nginx', | |||||
'sbin_dir': '/usr/sbin', | |||||
'install_prefix': '/usr/local/nginx', | |||||
'make_flags': '-j2' | |||||
'service': { | |||||
'enable': True, | |||||
'opts': {}, | |||||
}, | }, | ||||
}, grain='os_family', merge=salt['pillar.get']('nginx:lookup'), default='Debian') %} | |||||
'server': { | |||||
'opts': {}, | |||||
'config': { | |||||
'worker_processes': 'auto', | |||||
'events': { | |||||
'worker_connections': 768, | |||||
}, | |||||
'http': { | |||||
'sendfile': 'on', | |||||
'tcp_nopush': 'on', | |||||
'tcp_nodelay': 'on', | |||||
'keepalive_timeout': '65', | |||||
'types_hash_max_size': '2048', | |||||
'default_type': 'application/octet-stream', | |||||
'access_log': '/var/log/nginx/access.log', | |||||
'error_log': '/var/log/nginx/error.log', | |||||
'gzip': 'off', | |||||
'gzip_disable': '"msie6"', | |||||
'include': [ | |||||
'mime.types', | |||||
'conf.d/*.conf', | |||||
'sites-enabled/*', | |||||
], | |||||
}, | |||||
}, | |||||
}, | |||||
'servers': { | |||||
'disabled_postfix': '.disabled', | |||||
'symlink_opts': {}, | |||||
'rename_opts': {}, | |||||
'managed_opts': { | |||||
'makedirs': True, | |||||
}, | |||||
'dir_opts': { | |||||
'makedirs': True, | |||||
}, | |||||
'managed': {}, | |||||
}, | |||||
'passenger': { | |||||
'passenger_root': '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', | |||||
'passenger_ruby': '/usr/bin/ruby', | |||||
}, | |||||
}, merge=True) %} | |||||
{% if 'user' not in nginx.server.config %} | |||||
{% do nginx.server.config.update({ | |||||
'user': nginx.lookup.webuser, | |||||
})%} | |||||
{% endif %} | |||||
{% if 'pid' not in nginx.server.config and 'pid_file' in nginx.lookup %} | |||||
{% do nginx.server.config.update({ | |||||
'pid': nginx.lookup.pid_file, | |||||
})%} | |||||
{% endif %} | |||||
{% if salt['grains.get']('os_family') == 'RedHat' %} | |||||
{% do nginx.passenger.update({ | |||||
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', | |||||
'passenger_instance_registry_dir': '/var/run/passenger-instreg', | |||||
})%} | |||||
{% if salt['grains.get']('osfinger') == 'CentOS-6' %} | |||||
{% do nginx.server.config.update({ | |||||
'pid': '/var/run/nginx.pid', | |||||
})%} | |||||
{% do nginx.passenger.update({ | |||||
'passenger_root': '/usr/lib/ruby/1.8/phusion_passenger/locations.ini', | |||||
})%} | |||||
{% endif %} | |||||
{% endif %} |
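Review bot: the `CentOS` and `RedHat` lookup entries set `'gpg_check': False` and point `gpg_key` at `http://nginx.org/keys/nginx_signing.key`, while the `Suse` entry sets `'gpg_check': True`. Since this commit makes these the defaults for the main `nginx` states, consider defaulting `gpg_check` to True and using an https key URL, so packages from the configured repository are signature-checked unless a pillar explicitly opts out. Also, the `RedHat` entry has a leading space in `'passenger_instance_registry_dir': ' /var/run/passenger-instreg'`, whereas the later `nginx.passenger.update` call for the RedHat family writes the same path without it.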
# nginx.ng | |||||
# | |||||
# Meta-state to fully install nginx. | |||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
include: | |||||
- nginx.ng.config | |||||
- nginx.ng.service | |||||
{% if nginx.snippets is defined %} | |||||
- nginx.ng.snippets | |||||
{% endif %} | |||||
- nginx.ng.servers | |||||
- nginx.ng.certificates | |||||
extend: | |||||
nginx_service: | |||||
service: | |||||
- listen: | |||||
- file: nginx_config | |||||
- require: | |||||
- file: nginx_config | |||||
nginx_config: | |||||
file: | |||||
- require: | |||||
{% if nginx.install_from_source %} | |||||
- cmd: nginx_install | |||||
{% else %} | |||||
- pkg: nginx_install | |||||
{% endif %} |
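Review bot: deleting `nginx/ng/init.sls` outright means a top file that still lists `- nginx.ng` fails with a missing-SLS error that says nothing about the rename. A small transitional `nginx.ng` state that fails with a message pointing to `nginx` would make the breaking change easier to diagnose during rollout.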
{% macro sls_block(dict) %} | |||||
{% for key, value in dict.items() %} | |||||
- {{ key }}: {{ value|json(sort_keys=False) }} | |||||
{% endfor %} | |||||
{% endmacro %} | |||||
{% set nginx = salt['pillar.get']('nginx:ng', { | |||||
'lookup': salt['grains.filter_by']({ | |||||
'Debian': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', | |||||
'service': 'nginx', | |||||
'webuser': 'www-data', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/sites-available', | |||||
'server_enabled': '/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'pid_file': '/run/nginx.pid', | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'CentOS': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/conf.d', | |||||
'server_enabled': '/etc/nginx/conf.d', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': False, | |||||
'pid_file': '/run/nginx.pid', | |||||
'rh_os_releasever': '$releasever', | |||||
'gpg_check': False, | |||||
'gpg_key': 'http://nginx.org/keys/nginx_signing.key', | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'RedHat': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/conf.d', | |||||
'server_enabled': '/etc/nginx/conf.d', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': False, | |||||
'pid_file': '/run/nginx.pid', | |||||
'rh_os_releasever': '$releasever', | |||||
'gpg_check': False, | |||||
'gpg_key': 'http://nginx.org/keys/nginx_signing.key', | |||||
'passenger': { | |||||
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', | |||||
'passenger_instance_registry_dir': ' /var/run/passenger-instreg', | |||||
'passenger_ruby': '/usr/bin/ruby', | |||||
}, | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'Suse': { | |||||
'package': 'nginx', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/vhosts.d', | |||||
'server_enabled': '/etc/nginx/vhosts.d', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': False, | |||||
'pid_file': '/run/nginx.pid', | |||||
'gpg_check': True, | |||||
'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_{{ grains.osrelease }}/repodata/repomd.xml.key', | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'Arch': { | |||||
'package': 'nginx', | |||||
'service': 'nginx', | |||||
'webuser': 'http', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/sites-available', | |||||
'server_enabled': '/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'openssl_package': 'openssl', | |||||
}, | |||||
'Gentoo': { | |||||
'package': 'www-servers/nginx', | |||||
'service': 'nginx', | |||||
'webuser': 'nginx', | |||||
'conf_file': '/etc/nginx/nginx.conf', | |||||
'server_available': '/etc/nginx/sites-available', | |||||
'server_enabled': '/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'openssl_package': 'dev-libs/openssl', | |||||
}, | |||||
'FreeBSD': { | |||||
'package': 'nginx', | |||||
'passenger_package': 'passenger', | |||||
'service': 'nginx', | |||||
'webuser': 'www', | |||||
'conf_file': '/usr/local/etc/nginx/nginx.conf', | |||||
'server_available': '/usr/local/etc/nginx/sites-available', | |||||
'server_enabled': '/usr/local/etc/nginx/sites-enabled', | |||||
'snippets_dir': '/usr/local/etc/nginx/snippets', | |||||
'server_use_symlink': True, | |||||
'pid_file': '/var/run/nginx.pid', | |||||
}, | |||||
}, default='Debian' ), | |||||
'install_from_source': False, | |||||
'install_from_ppa': False, | |||||
'install_from_repo': False, | |||||
'install_from_phusionpassenger': False, | |||||
'ppa_version': 'stable', | |||||
'source_version': '1.10.0', | |||||
'source_hash': '8ed647c3dd65bc4ced03b0e0f6bf9e633eff6b01bac772bcf97077d58bc2be4d', | |||||
'source': { | |||||
'opts': {}, | |||||
}, | |||||
'package': { | |||||
'opts': {}, | |||||
}, | |||||
'service': { | |||||
'enable': True, | |||||
'opts': {}, | |||||
}, | |||||
'server': { | |||||
'opts': {}, | |||||
'config': { | |||||
'worker_processes': 'auto', | |||||
'events': { | |||||
'worker_connections': 768, | |||||
}, | |||||
'http': { | |||||
'sendfile': 'on', | |||||
'tcp_nopush': 'on', | |||||
'tcp_nodelay': 'on', | |||||
'keepalive_timeout': '65', | |||||
'types_hash_max_size': '2048', | |||||
'default_type': 'application/octet-stream', | |||||
'access_log': '/var/log/nginx/access.log', | |||||
'error_log': '/var/log/nginx/error.log', | |||||
'gzip': 'off', | |||||
'gzip_disable': '"msie6"', | |||||
'include': [ | |||||
'mime.types', | |||||
'conf.d/*.conf', | |||||
'sites-enabled/*', | |||||
], | |||||
}, | |||||
}, | |||||
}, | |||||
'servers': { | |||||
'disabled_postfix': '.disabled', | |||||
'symlink_opts': {}, | |||||
'rename_opts': {}, | |||||
'managed_opts': { | |||||
'makedirs': True, | |||||
}, | |||||
'dir_opts': { | |||||
'makedirs': True, | |||||
}, | |||||
'managed': {}, | |||||
}, | |||||
'passenger': { | |||||
'passenger_root': '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', | |||||
'passenger_ruby': '/usr/bin/ruby', | |||||
}, | |||||
}, merge=True) %} | |||||
{% if 'user' not in nginx.server.config %} | |||||
{% do nginx.server.config.update({ | |||||
'user': nginx.lookup.webuser, | |||||
})%} | |||||
{% endif %} | |||||
{% if 'pid' not in nginx.server.config and 'pid_file' in nginx.lookup %} | |||||
{% do nginx.server.config.update({ | |||||
'pid': nginx.lookup.pid_file, | |||||
})%} | |||||
{% endif %} | |||||
{% if salt['grains.get']('os_family') == 'RedHat' %} | |||||
{% do nginx.passenger.update({ | |||||
'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', | |||||
'passenger_instance_registry_dir': '/var/run/passenger-instreg', | |||||
})%} | |||||
{% if salt['grains.get']('osfinger') == 'CentOS-6' %} | |||||
{% do nginx.server.config.update({ | |||||
'pid': '/var/run/nginx.pid', | |||||
})%} | |||||
{% do nginx.passenger.update({ | |||||
'passenger_root': '/usr/lib/ruby/1.8/phusion_passenger/locations.ini', | |||||
})%} | |||||
{% endif %} | |||||
{% endif %} |
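Review bot: the CentOS-6 branch at the end of this file calls `nginx.server.config.update({'pid': '/var/run/nginx.pid'})` without the `'pid' not in nginx.server.config` guard used a few lines earlier, so a `pid` set in pillar is silently overwritten on that platform. The two `nginx.passenger.update` calls do the same to a pillar-supplied `passenger_root` on RedHat. These run after the `merge=True` lookup, so wrap each in the same `not in` check, or move the values into the per-OS lookup map, so that pillar values keep precedence.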
{% set nginx = pillar.get('nginx', {}) -%} | |||||
{% set home = nginx.get('home', '/var/www') -%} | |||||
{% set source = nginx.get('source_root', '/usr/local/src') -%} | |||||
{% set openresty = nginx.get('openresty', {}) -%} | |||||
{% set openresty_version = openresty.get('version', '1.2.7.8') -%} | |||||
{% set openresty_checksum = openresty.get('checksum', 'sha1=f8bee501529ffec33f9cabc00ea4ca512a8d7b59') -%} | |||||
{% set openresty_package = source + '/openresty-' + openresty_version + '.tar.gz' -%} | |||||
get-openresty: | |||||
file.managed: | |||||
- name: {{ openresty_package }} | |||||
- source: http://openresty.org/download/ngx_openresty-{{ openresty_version }}.tar.gz | |||||
- source_hash: {{ openresty_checksum }} | |||||
cmd.wait: | |||||
- cwd: {{ source }} | |||||
- name: tar -zxf {{ openresty_package }} -C {{ home }} | |||||
- watch: | |||||
- file: get-openresty | |||||
install_openresty: | |||||
cmd.wait: | |||||
- cwd: {{ home }}/ngx_openresty-{{ openresty_version }} | |||||
- names: | |||||
- ./configure --with-luajit \ | |||||
--with-http_drizzle_module \ | |||||
--with-http_postgres_module \ | |||||
--with-http_iconv_module | |||||
- make && make install | |||||
- watch: | |||||
- cmd: get-openresty |
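Review bot: `get-openresty` fetches the tarball from an `http://openresty.org/download/` URL and verifies it only against a `sha1=` default checksum, so the integrity of code that is then built and installed by `make && make install` rests on a deprecated hash over an unauthenticated transport. If this state remains anywhere in the tree, switch the `source:` to `https://` and the default `checksum` to a `sha256=` value, and update the old default `version` together with it.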
{% from "nginx/map.jinja" import nginx with context %} | |||||
{% set use_upstart = salt['pillar.get']('nginx:use_upstart', nginx['use_upstart']) %} | |||||
{% if use_upstart %} | |||||
nginx-old-init: | |||||
file.rename: | |||||
- name: /usr/share/nginx/init.d | |||||
- source: /etc/init.d/nginx | |||||
- require_in: | |||||
- file: nginx | |||||
- require: | |||||
- pkg: nginx | |||||
- force: True | |||||
{% if grains.get('os_family') == 'Debian' %} | |||||
# Don't dpkg-divert if we are not Debian based! | |||||
cmd.wait: | |||||
- name: dpkg-divert --divert /usr/share/nginx/init.d --add /etc/init.d/nginx | |||||
- require: | |||||
- module: nginx-old-init | |||||
- watch: | |||||
- file: nginx-old-init | |||||
- require_in: | |||||
- file: nginx | |||||
{% endif %} | |||||
module.wait: | |||||
- name: cmd.run | |||||
- cmd: sh -c "kill `cat /var/run/nginx.pid`" | |||||
- watch: | |||||
- file: nginx-old-init | |||||
- require_in: | |||||
- file: nginx | |||||
- onlyif: [ -e /var/run/nginx.pid ] | |||||
# RedHat requires the init file in place to chkconfig off | |||||
{% if nginx['disable_before_rename'] %} | |||||
{% set _in = '_in' %} | |||||
{% else %} | |||||
{% set _in = '' %} | |||||
{% endif %} | |||||
nginx-old-init-disable: | |||||
cmd.run: | |||||
- name: {{ nginx.old_init_disable }} | |||||
- require{{ _in }}: | |||||
- module: nginx-old-init | |||||
- onlyif: [ -f /etc/init.d/nginx ] | |||||
{% endif %} | |||||
{% if grains.get('os_family') == 'Debian' %} | |||||
{% set repo_source = pillar.get('nginx', {}).get('repo_source', 'default') %} | |||||
{% set use_ppa = repo_source == 'ppa' and grains.get('os') == 'Ubuntu' %} | |||||
{% set use_official = repo_source == 'official' and grains.get('os') in ('Ubuntu', 'Debian') %} | |||||
nginx-ppa-repo: | |||||
pkgrepo: | |||||
{%- if use_ppa %} | |||||
- managed | |||||
{%- else %} | |||||
- absent | |||||
{%- endif %} | |||||
- humanname: nginx-ppa-{{ grains['oscodename'] }} | |||||
- name: deb http://ppa.launchpad.net/nginx/{{ pillar.get('nginx', {}).get('repo_version', 'stable') }}/ubuntu {{ grains['oscodename'] }} main | |||||
- file: /etc/apt/sources.list.d/nginx-{{ pillar.get('nginx', {}).get('repo_version', 'stable') }}-{{ grains['oscodename'] }}.list | |||||
- dist: {{ grains['oscodename'] }} | |||||
- keyid: C300EE8C | |||||
- keyserver: keyserver.ubuntu.com | |||||
- require_in: | |||||
- pkg: nginx | |||||
- watch_in: | |||||
- pkg: nginx | |||||
nginx-official-repo: | |||||
pkgrepo: | |||||
{%- if use_official %} | |||||
- managed | |||||
{%- else %} | |||||
- absent | |||||
{%- endif %} | |||||
- humanname: nginx apt repo | |||||
- name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx | |||||
- file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list | |||||
- keyid: ABF5BD827BD9BF62 | |||||
- keyserver: keyserver.ubuntu.com | |||||
- require_in: | |||||
- pkg: nginx | |||||
- watch_in: | |||||
- pkg: nginx | |||||
{% endif %} | |||||
nginx: | |||||
pkg.installed: | |||||
- name: {{ nginx.package }} | |||||
{% if use_upstart %} | |||||
file.managed: | |||||
- name: /etc/init/nginx.conf | |||||
- template: jinja | |||||
- user: root | |||||
- group: root | |||||
- mode: 440 | |||||
- source: salt://nginx/templates/upstart.jinja | |||||
- require: | |||||
- pkg: nginx | |||||
- file: nginx-old-init | |||||
- module: nginx-old-init | |||||
{% endif %} | |||||
service.running: | |||||
- enable: True | |||||
- restart: True | |||||
- watch: | |||||
{% if use_upstart %} | |||||
- file: nginx | |||||
{% endif %} | |||||
{% set conf_dir = salt['pillar.get']('nginx:conf_dir', '/etc/nginx') %} | |||||
- file: {{ conf_dir }}/nginx.conf | |||||
- file: {{ conf_dir }}/conf.d/default.conf | |||||
- file: {{ conf_dir }}/conf.d/example_ssl.conf | |||||
- pkg: nginx | |||||
# Create 'service' symlink for tab completion. | |||||
# This is not supported in os_family RedHat and likely only works in | |||||
# Debian-based distros | |||||
{% if use_upstart and grains['os_family'] == 'Debian' %} | |||||
/etc/init.d/nginx: | |||||
file.symlink: | |||||
- target: /lib/init/upstart-job | |||||
- force: True | |||||
{% endif %} |
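Review bot: `nginx-ppa-repo` pins the signing key with the 8-hex-digit short id `keyid: C300EE8C`, looked up on `keyserver.ubuntu.com`. Short ids are cheap to collide, so the lookup can return a key other than the intended one. Use the full fingerprint here, and preferably in `nginx-official-repo` as well, which currently uses the 64-bit id `ABF5BD827BD9BF62`. Both `name:` lines use `http://` repository URLs, so package authenticity depends entirely on this key pin being exact.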
# nginx.ng.passenger | |||||
# nginx.passenger | |||||
# | # | ||||
# Manages installation of passenger from repo. | # Manages installation of passenger from repo. | ||||
# Requires install_from_phusionpassenger = True | # Requires install_from_phusionpassenger = True | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
{% if salt['grains.get']('os_family') in ['Debian', 'RedHat'] %} | {% if salt['grains.get']('os_family') in ['Debian', 'RedHat'] %} | ||||
include: | include: | ||||
- nginx.ng.pkg | |||||
- nginx.ng.service | |||||
- nginx.pkg | |||||
- nginx.service | |||||
passenger_install: | passenger_install: | ||||
pkg.installed: | pkg.installed: | ||||
file.managed: | file.managed: | ||||
{{ sls_block(nginx.server.opts) }} | {{ sls_block(nginx.server.opts) }} | ||||
- name: {{ nginx.lookup.passenger_config_file }} | - name: {{ nginx.lookup.passenger_config_file }} | ||||
- source: salt://nginx/ng/files/nginx.conf | |||||
- source: salt://nginx/files/nginx.conf | |||||
- template: jinja | - template: jinja | ||||
- context: | - context: | ||||
config: {{ nginx.passenger|json() }} | config: {{ nginx.passenger|json() }} |
# nginx.ng.pkg | |||||
# nginx.pkg | |||||
# | # | ||||
# Manages installation of nginx from pkg. | # Manages installation of nginx from pkg. | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
{%- if nginx.install_from_repo %} | {%- if nginx.install_from_repo %} | ||||
{% set from_official = true %} | {% set from_official = true %} | ||||
{% set from_ppa = false %} | {% set from_ppa = false %} |
# nginx.ng.servers | |||||
# nginx.servers | |||||
# | # | ||||
# Manages virtual hosts and their relationship to the nginx service. | # Manages virtual hosts and their relationship to the nginx service. | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/ng/servers_config.sls' import server_states with context %} | |||||
{% from 'nginx/ng/service.sls' import service_function with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/servers_config.sls' import server_states with context %} | |||||
{% from 'nginx/service.sls' import service_function with context %} | |||||
{% macro file_requisites(states) %} | {% macro file_requisites(states) %} | ||||
{%- for state in states %} | {%- for state in states %} | ||||
{% endmacro %} | {% endmacro %} | ||||
include: | include: | ||||
- nginx.ng.service | |||||
- nginx.ng.servers_config | |||||
- nginx.service | |||||
- nginx.servers_config | |||||
{% if server_states|length() > 0 %} | {% if server_states|length() > 0 %} | ||||
nginx_service_reload: | nginx_service_reload: |
# nginx.ng.servers_config | |||||
# nginx.servers_config | |||||
# | # | ||||
# Manages the configuration of virtual host files. | # Manages the configuration of virtual host files. | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
{% set server_states = [] %} | {% set server_states = [] %} | ||||
# Simple path concatenation. | # Simple path concatenation. | ||||
{% if 'source_path' in settings.config %} | {% if 'source_path' in settings.config %} | ||||
{% set source_path = settings.config.source_path %} | {% set source_path = settings.config.source_path %} | ||||
{% else %} | {% else %} | ||||
{% set source_path = 'salt://nginx/ng/files/server.conf' %} | |||||
{% set source_path = 'salt://nginx/files/server.conf' %} | |||||
{% endif %} | {% endif %} | ||||
{{ conf_state_id }}: | {{ conf_state_id }}: | ||||
file.managed: | file.managed: |
# nginx.ng.service | |||||
# nginx.service | |||||
# | # | ||||
# Manages the nginx service. | # Manages the nginx service. | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
{% set service_function = {True:'running', False:'dead'}.get(nginx.service.enable) %} | {% set service_function = {True:'running', False:'dead'}.get(nginx.service.enable) %} | ||||
include: | include: | ||||
{% if nginx.install_from_source %} | {% if nginx.install_from_source %} | ||||
- nginx.ng.src | |||||
- nginx.src | |||||
{% else %} | {% else %} | ||||
- nginx.ng.pkg | |||||
- nginx.pkg | |||||
{% endif %} | {% endif %} | ||||
{% if nginx.install_from_source %} | {% if nginx.install_from_source %} | ||||
nginx_systemd_service_file: | nginx_systemd_service_file: | ||||
file.managed: | file.managed: | ||||
- name: /lib/systemd/system/nginx.service | - name: /lib/systemd/system/nginx.service | ||||
- source: salt://nginx/ng/files/nginx.service | |||||
- source: salt://nginx/files/nginx.service | |||||
{% endif %} | {% endif %} | ||||
nginx_service: | nginx_service: | ||||
- enable: {{ nginx.service.enable }} | - enable: {{ nginx.service.enable }} | ||||
- require: | - require: | ||||
{% if nginx.install_from_source %} | {% if nginx.install_from_source %} | ||||
- sls: nginx.ng.src | |||||
- sls: nginx.src | |||||
{% else %} | {% else %} | ||||
- sls: nginx.ng.pkg | |||||
- sls: nginx.pkg | |||||
{% endif %} | {% endif %} | ||||
- listen: | - listen: | ||||
{% if nginx.install_from_source %} | {% if nginx.install_from_source %} |
# nginx.ng.snippet | |||||
# nginx.snippet | |||||
# | # | ||||
# Manages creation of snippets | # Manages creation of snippets | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
nginx_snippets_dir: | nginx_snippets_dir: | ||||
file.directory: | file.directory: | ||||
nginx_snippet_{{ snippet }}: | nginx_snippet_{{ snippet }}: | ||||
file.managed: | file.managed: | ||||
- name: {{ nginx.lookup.snippets_dir }}/{{ snippet }}.conf | - name: {{ nginx.lookup.snippets_dir }}/{{ snippet }}.conf | ||||
- source: salt://nginx/ng/files/server.conf | |||||
- source: salt://nginx/files/server.conf | |||||
- template: jinja | - template: jinja | ||||
- context: | - context: | ||||
config: {{ config|json() }} | config: {{ config|json() }} |
{% from "nginx/map.jinja" import nginx as nginx_map with context %} | |||||
{% set nginx = pillar.get('nginx', {}) -%} | |||||
{% set use_sysvinit = nginx.get('use_sysvinit', nginx_map['use_sysvinit']) %} | |||||
{% set version = nginx.get('version', '1.6.2') -%} | |||||
{% set tarball_url = nginx.get('tarball_url', 'http://nginx.org/download/nginx-' + version + '.tar.gz') -%} | |||||
{% set checksum = nginx.get('checksum', 'sha256=b5608c2959d3e7ad09b20fc8f9e5bd4bc87b3bc8ba5936a513c04ed8f1391a18') -%} | |||||
{% set home = nginx.get('home', nginx_map['home']) -%} | |||||
{% set base_temp_dir = nginx.get('base_temp_dir', '/tmp') -%} | |||||
{% set source = nginx.get('source_root', '/usr/local/src') -%} | |||||
{% set conf_dir = nginx.get('conf_dir', nginx_map['conf_dir']) -%} | |||||
{% set conf_only = nginx.get('conf_only', false) -%} | |||||
{% set log_dir = nginx.get('log_dir', nginx_map['log_dir']) -%} | |||||
{% set pid_path = nginx.get('pid_path', nginx_map['pid_path']) -%} | |||||
{% set lock_path = nginx.get('lock_path', '/var/lock/nginx.lock') -%} | |||||
{% set sbin_dir = nginx.get('sbin_dir', nginx_map['sbin_dir']) -%} | |||||
{% set install_prefix = nginx.get('install_prefix', nginx_map['install_prefix']) -%} | |||||
{% set with_items = nginx.get('with', ['debug', 'http_dav_module', 'http_stub_status_module', 'pcre', 'ipv6']) -%} | |||||
{% set without_items = nginx.get('without', []) -%} | |||||
{% set make_flags = nginx.get('make_flags', nginx_map['make_flags']) -%} | |||||
{% set service_name = nginx.get('service_name', 'nginx') %} | |||||
{% set service_enable = nginx.get('service_enable', True) %} | |||||
{% set nginx_package = source + '/nginx-' + version + '.tar.gz' -%} | |||||
{% set nginx_source = source + "/nginx-" + version -%} | |||||
{% set nginx_modules_dir = source + "/nginx-modules" -%} | |||||
include: | |||||
- nginx.common | |||||
{% if nginx.get('with_luajit', false) %} | |||||
- nginx.luajit2 | |||||
{% endif -%} | |||||
{% if nginx.get('with_openresty', false) %} | |||||
- nginx.openresty | |||||
{% endif -%} | |||||
nginx_group: | |||||
group.present: | |||||
- name: {{ nginx_map.default_group }} | |||||
nginx_user: | |||||
file.directory: | |||||
- name: {{ home }} | |||||
- user: {{ nginx_map.default_user }} | |||||
- group: {{ nginx_map.default_group }} | |||||
- mode: 0755 | |||||
- require: | |||||
- user: nginx_user | |||||
- group: nginx_group | |||||
user.present: | |||||
- name: {{ nginx_map.default_user }} | |||||
- home: {{ home }} | |||||
- groups: | |||||
- {{ nginx_map.default_group }} | |||||
- require: | |||||
- group: nginx_group | |||||
{{ nginx_modules_dir }}: | |||||
file: | |||||
- directory | |||||
- makedirs: True | |||||
get-build-tools: | |||||
{% if grains['saltversion'] < '2015.8.0' and grains['os_family'] == 'RedHat' %} | |||||
module.run: | |||||
- name: pkg.group_install | |||||
- m_name: {{ nginx_map.group_pkg }} | |||||
{% else %} | |||||
{{ nginx_map.group_action }}: | |||||
- name: {{ nginx_map.group_pkg }} | |||||
{% endif %} | |||||
get-nginx: | |||||
pkg.installed: | |||||
- names: | |||||
- {{ nginx_map.libpcre_dev }} | |||||
- {{ nginx_map.libssl_dev }} | |||||
file.managed: | |||||
- name: {{ nginx_package }} | |||||
- source: {{ tarball_url }} | |||||
- source_hash: {{ checksum }} | |||||
- require: | |||||
- file: {{ nginx_modules_dir }} | |||||
cmd.wait: | |||||
- cwd: {{ source }} | |||||
- name: tar --transform "s,^$(tar --list -zf nginx-{{ version }}.tar.gz | head -n 1),nginx-{{ version }}/," -zxf {{ nginx_package }} | |||||
- require: | |||||
- pkg: get-nginx | |||||
- file: get-nginx | |||||
- watch: | |||||
- file: get-nginx | |||||
{% for name, module in nginx.get('modules', {}).items() -%} | |||||
get-nginx-{{name}}: | |||||
file.managed: | |||||
- name: {{ nginx_modules_dir }}/{{name}}.tar.gz | |||||
- source: {{ module['source'] }} | |||||
- source_hash: {{ module['source_hash'] }} | |||||
cmd.wait: | |||||
- cwd: {{ nginx_modules_dir }} | |||||
- names: | |||||
- tar --transform "s,^$(tar --list -zf {{name}}.tar.gz | head -n 1),{{name}}/," -zxf {{name}}.tar.gz | |||||
- watch: | |||||
- file: get-nginx-{{name}} | |||||
- require_in: | |||||
- cmd: nginx | |||||
{% endfor -%} | |||||
{% if nginx.get('ngx_devel_kit', true) -%} | |||||
get-ngx_devel_kit: | |||||
file.managed: | |||||
- name: {{ source }}/ngx_devel_kit.tar.gz | |||||
- source: https://github.com/simpl/ngx_devel_kit/archive/v0.2.18.tar.gz | |||||
- source_hash: sha1=e21ba642f26047661ada678b21eef001ee2121d8 | |||||
cmd.wait: | |||||
- cwd: {{ source }} | |||||
- name: tar -zxf {{ source }}/ngx_devel_kit.tar.gz -C {{ source }} | |||||
- watch: | |||||
- file: get-ngx_devel_kit | |||||
{% endif %} | |||||
is-nginx-source-modified: | |||||
cmd.run: | |||||
- cwd: {{ source }} | |||||
- stateful: True | |||||
- names: | |||||
- if [ ! -d "nginx-{{ version }}" ]; then | |||||
echo "changed=yes comment='Tarball has not yet been extracted'"; | |||||
exit 0; | |||||
fi; | |||||
cd "nginx-{{ version }}"; | |||||
m=$(find . \! -name "build.*" -newer {{ sbin_dir }}/nginx -print -quit); | |||||
r=$?; | |||||
if [ x$r != x0 ]; then | |||||
echo "changed=yes comment='binary file does not exist or other find error'"; | |||||
exit 0; | |||||
fi; | |||||
if [ x$m != "x" ]; then | |||||
echo "changed=yes comment='source files are newer than binary'"; | |||||
exit 0; | |||||
fi; | |||||
echo "changed=no comment='source files are older than binary'" | |||||
{% for name, module in nginx.get('modules', {}).items() -%} | |||||
is-nginx-module-modified-{{name}}: | |||||
cmd.run: | |||||
- cwd: {{ nginx_modules_dir }}/{{name}} | |||||
- stateful: True | |||||
- names: | |||||
- m=$(find . \! -name "build.*" -newer {{ sbin_dir }}/nginx -print -quit); | |||||
r=$?; | |||||
if [ x$r != x0 ]; then | |||||
echo "changed=yes comment='binary file does not exist or other find error'"; | |||||
exit 0; | |||||
fi; | |||||
if [ x$m != "x" ]; then | |||||
echo "changed=yes comment='module source files are newer than binary'"; | |||||
exit 0; | |||||
fi; | |||||
echo "changed=no comment='module source files are older than binary'" | |||||
{% endfor -%} | |||||
nginx: | |||||
cmd.wait: | |||||
- cwd: {{ nginx_source }} | |||||
- names: | |||||
- ( | |||||
{%- if nginx.get('debug_symbols', false) %} | |||||
CFLAGS="-g -O0" ./configure --conf-path={{ conf_dir }}/nginx.conf | |||||
{%- else %} | |||||
./configure --conf-path={{ conf_dir }}/nginx.conf | |||||
{%- endif %} | |||||
--sbin-path={{ sbin_dir }}/nginx | |||||
--user={{ nginx_map.default_user }} | |||||
--group={{ nginx_map.default_group }} | |||||
--prefix={{ install_prefix }} | |||||
--http-log-path={{ log_dir }}/access.log | |||||
--error-log-path={{ log_dir }}/error.log | |||||
--pid-path={{ pid_path }} | |||||
--lock-path={{ lock_path }} | |||||
--http-client-body-temp-path={{ base_temp_dir }}/body | |||||
--http-proxy-temp-path={{ base_temp_dir }}/proxy | |||||
--http-fastcgi-temp-path={{ base_temp_dir }}/fastcgi | |||||
--http-uwsgi-temp-path={{ base_temp_dir }}/temp_uwsgi | |||||
--http-scgi-temp-path={{ base_temp_dir }}/temp_scgi | |||||
{%- for name, module in nginx.get('modules', {}).items() %} | |||||
--add-module={{nginx_modules_dir}}/{{name}} | |||||
{%- endfor %} | |||||
{%- for name in with_items %} | |||||
--with-{{ name }} | |||||
{%- endfor %} | |||||
{%- for name in without_items %} | |||||
--without-{{ name }} | |||||
{%- endfor %} | |||||
&& make {{ make_flags }} | |||||
&& make install | |||||
) | |||||
{#- If they want to silence the compiler output, then save it to file so we can reference it later if needed #} | |||||
{%- if nginx.get('silence_compiler', true) %} | |||||
> {{ nginx_source }}/build.out 2> {{ nginx_source }}/build.err; | |||||
{#- If the build process failed, write stderr to stderr and exit with the error code #} | |||||
r=$?; | |||||
if [ x$r != x0 ]; then | |||||
cat {{ nginx_source }}/build.err 1>&2; {#- copy err output to stderr #} | |||||
exit $r; | |||||
fi; | |||||
{% endif %} | |||||
- watch: | |||||
- cmd: get-nginx | |||||
- cmd: is-nginx-source-modified | |||||
{% for name, module in nginx.get('modules', {}).items() -%} | |||||
- cmd: is-nginx-module-modified-{{name}} | |||||
- file: get-nginx-{{name}} | |||||
{% endfor %} | |||||
{% if use_sysvinit %} | |||||
- watch_in: | |||||
{% set logger_types = ('access', 'error') %} | |||||
{% for log_type in logger_types %} | |||||
- service: nginx-logger-{{ log_type }} | |||||
{% endfor %} | |||||
{% endif %} | |||||
- require: | |||||
- cmd: get-nginx | |||||
{% for name, module in nginx.get('modules', {}).items() -%} | |||||
- file: get-nginx-{{name}} | |||||
{% endfor %} | |||||
{% if use_sysvinit %} | |||||
file: | |||||
- managed | |||||
- template: jinja | |||||
- name: /etc/init.d/{{ service_name }} | |||||
- source: salt://nginx/templates/nginx.init.jinja | |||||
- user: root | |||||
- group: root | |||||
- mode: 0755 | |||||
- context: | |||||
service_name: {{ service_name }} | |||||
sbin_dir: {{ sbin_dir }} | |||||
pid_path: {{ pid_path }} | |||||
{% endif %} | |||||
service: | |||||
{% if service_enable %} | |||||
- running | |||||
- enable: True | |||||
- restart: True | |||||
{% else %} | |||||
- dead | |||||
- enable: False | |||||
{% endif %} | |||||
- name: {{ service_name }} | |||||
- watch: | |||||
- cmd: nginx | |||||
- file: {{ conf_dir }}/nginx.conf | |||||
- require: | |||||
- cmd: nginx | |||||
- file: {{ conf_dir }}/nginx.conf | |||||
{% for file in nginx.get('delete_confs', []) %} | |||||
{{ conf_dir }}/{{ file }}: | |||||
file: | |||||
- absent | |||||
- require_in: | |||||
- service: nginx | |||||
{% endfor %} | |||||
{% for file in nginx.get('delete_htdocs', []) %} | |||||
{{ install_prefix }}/html/{{ file }}: | |||||
file: | |||||
- absent | |||||
- require_in: | |||||
- service: nginx | |||||
{% endfor %} |
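Review bot: `base_temp_dir` defaults to `/tmp`, so the `./configure` call in the `nginx` state sets `--http-client-body-temp-path`, `--http-proxy-temp-path` and the fastcgi, uwsgi and scgi temp paths to fixed names directly under a world-writable directory, where request and upstream data would be spooled. Default to a directory owned by the nginx user and create it with a `file.directory` state before the build. Separately, `grains['saltversion'] < '2015.8.0'` in `get-build-tools` compares strings rather than versions; compare parsed version components instead.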
# nginx.ng.src | |||||
# nginx.src | |||||
# | # | ||||
# Manages installation of nginx from source. | # Manages installation of nginx from source. | ||||
{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} | |||||
{% from 'nginx/map.jinja' import nginx, sls_block with context %} | |||||
nginx_deps: | nginx_deps: | ||||
pkg.installed: | pkg.installed: | ||||
nginx_configure: | nginx_configure: | ||||
cmd.run: | cmd.run: | ||||
- name: ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path={{ nginx.lookup.conf_file or '/etc/nginx/nginx.conf' }} {{ nginx.source.opts | join(' ') }} | |||||
- name: ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path={{ nginx.lookup.conf_file }} {{ nginx.source.opts | join(' ') }} | |||||
- cwd: /tmp/nginx-{{ nginx.source_version }} | - cwd: /tmp/nginx-{{ nginx.source_version }} | ||||
- onchanges: | - onchanges: | ||||
- archive: nginx_download | - archive: nginx_download |
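Review bot: in `nginx_configure`, the second `--conf-path` line drops the `or '/etc/nginx/nginx.conf'` fallback that the first one carries, so on any platform whose lookup map does not define `conf_file` the command is rendered with an empty or undefined `--conf-path=` value. Keep the fallback, or confirm that every entry in the lookup map defines `conf_file`. The unchanged `cwd: /tmp/nginx-{{ nginx.source_version }}` also means the build runs in a predictable path under `/tmp`; a dedicated source directory would be safer.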
{% set nginx = pillar.get('nginx', {}) -%} | |||||
{% set log_dir = nginx.get('log_dir', '/var/log/nginx') -%} | |||||
{% set logger_types = ('access', 'error') %} | |||||
{% for log_type in logger_types %} | |||||
{{ log_dir }}/{{ log_type }}.log: | |||||
file.absent | |||||
nginx-logger-{{ log_type }}: | |||||
file: | |||||
- managed | |||||
- name: /etc/init.d/nginx-logger-{{ log_type }} | |||||
- template: jinja | |||||
- user: root | |||||
- group: root | |||||
- mode: 755 | |||||
- source: | |||||
- salt://nginx/templates/{{ grains['os_family'] }}-sysvinit-logger.jinja | |||||
- salt://nginx/templates/sysvinit-logger.jinja | |||||
- context: | |||||
type: {{ log_type }} | |||||
service: | |||||
- running | |||||
- enable: True | |||||
- restart: True | |||||
- require: | |||||
- file: nginx-logger-{{ log_type }} | |||||
- require_in: | |||||
- service: nginx | |||||
{% endfor %} | |||||
/etc/logrotate.d/nginx: | |||||
file.absent |
#!/bin/bash | |||||
# /etc/init.d/nginx-logger-{{ type }} | |||||
# | |||||
# chkconfig: 345 84 16 | |||||
# description: Nginx logger for {{ type }} | |||||
# processname: nginx-logger-{{ type }} | |||||
NAME=nginx-logger-{{ type }} | |||||
DESC="syslog forwarder for nginx {{type}} logs" | |||||
DAEMON=/usr/bin/logger | |||||
DAEMON_ARGS=" -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}" | |||||
PIDFILE=/var/run/$NAME.pid | |||||
SCRIPTNAME=/etc/init.d/$NAME | |||||
# Exit if the daemon program isn't installed | |||||
[ -x "$DAEMON" ] || exit 0 | |||||
# Read configuration variable file if it is present | |||||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME | |||||
. /etc/init.d/functions | |||||
do_start() { | |||||
# Return | |||||
# 0 if daemon has been started | |||||
# 1 if daemon was already running | |||||
# 2 if daemon could not be started | |||||
echo -n "Starting $NAME" | |||||
pid=$(cat $PIDFILE 2>/dev/null) | |||||
if [ -n "$pid" ]; then | |||||
failure | |||||
echo | |||||
return 1; | |||||
fi | |||||
if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then | |||||
mkdir -p /var/log/nginx | |||||
mkfifo /var/log/nginx/{{ type }}.fifo | |||||
chown root.root /var/log/nginx/{{ type }}.fifo | |||||
chmod 660 /var/log/nginx/{{ type }}.fifo | |||||
fi | |||||
$DAEMON $DAEMON_ARGS & | |||||
ERROR=$? | |||||
PID=$! | |||||
if [ $ERROR -eq 0 ]; then | |||||
success | |||||
echo | |||||
echo $PID > $PIDFILE | |||||
else | |||||
failure | |||||
echo | |||||
exit 2 | |||||
fi | |||||
} | |||||
do_stop() { | |||||
# Return | |||||
# 0 if daemon has been stopped | |||||
# 1 if daemon was already stopped | |||||
# 2 if daemon could not be stopped | |||||
# other if a failure occurred | |||||
echo -n Stopping $NAME | |||||
pid=$(cat $PIDFILE 2>/dev/null) | |||||
if [ $? -eq 0 ]; then | |||||
echo $pid | xargs kill 2&1>/dev/null | |||||
success | |||||
RETVAL=0 | |||||
else | |||||
failure | |||||
RETVAL=1 | |||||
fi | |||||
echo | |||||
[ "$RETVAL" = 2 ] && return 2 | |||||
rm -f $PIDFILE | |||||
return "$RETVAL" | |||||
} | |||||
case "$1" in | |||||
start) | |||||
do_start | |||||
;; | |||||
stop) | |||||
do_stop | |||||
;; | |||||
status) | |||||
status -p "$PIDFILE" "$DAEMON" && exit 0 || exit $? | |||||
;; | |||||
restart|force-reload) | |||||
do_stop | |||||
do_start | |||||
;; | |||||
*) | |||||
echo "Usage: /etc/init.d/nginx-logger-{{ type }} {start|stop|status|restart|force-reload}" >&2 | |||||
exit 3 | |||||
;; | |||||
esac | |||||
exit 0 |
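Review bot: in `do_stop`, `echo $pid | xargs kill 2&1>/dev/null` is not a redirection. The shell passes `2` to `kill` as an extra argument, `&` backgrounds the pipeline, and `1>/dev/null` becomes a separate empty command, after which `success` is reported whatever happened. Write `kill "$pid" >/dev/null 2>&1` and branch on its exit status. `do_start` has a related gap: any non-empty `$PIDFILE` is treated as a running daemon, so a stale pid file blocks start; check the pid with `kill -0` first. `ERROR=$?` after `$DAEMON $DAEMON_ARGS &` is also always 0, so the failure branch can never run.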
{% set nginx = pillar.get('nginx', {}) -%} | |||||
# defaults passed via context from the map.jinja | |||||
{% set user = nginx.get('user', default_user) -%} | |||||
{% set group = nginx.get('group', default_group) -%} | |||||
user {{ user }} {{ group }}; | |||||
worker_processes {{ nginx.get('worker_processes', 1) }}; | |||||
{% set worker_rlimit_nofile = nginx.get('worker_rlimit_nofile', '') -%} | |||||
{% if worker_rlimit_nofile -%} | |||||
worker_rlimit_nofile {{ worker_rlimit_nofile }}; | |||||
{% endif -%} | |||||
{% set error_log_location = nginx.get('error_log',{}).get('location', '/var/log/nginx/error.fifo') -%} | |||||
{% set error_log_level = nginx.get('error_log',{}).get('level', 'warn') -%} | |||||
error_log {{ ' '.join([error_log_location, error_log_level]) }}; | |||||
pid {{ nginx.get('pid', '/var/run/nginx.pid') }}; | |||||
{% if not 'systemd' in salt['test.provider']('service') -%} | |||||
daemon {{ nginx.get('daemon', 'on') }}; | |||||
{%- endif %} | |||||
events { | |||||
worker_connections {{ nginx.get('events', {}).get('worker_connections', 1024) }}; | |||||
{% set use = nginx.get('events', {}).get('use', '') -%} | |||||
{% if use -%} | |||||
use {{ use }}; | |||||
{% endif %} | |||||
} | |||||
http { | |||||
{% if 'set_real_ips' in nginx -%} | |||||
{% for ip in nginx.get('set_real_ips', {}).get('from_ips', []) -%} | |||||
set_real_ip_from {{ ip }}; | |||||
{% endfor -%} | |||||
real_ip_header {{ nginx.get('set_real_ips', {}).get('real_ip_header', 'X-Forwarded-For') }}; | |||||
{% endif -%} | |||||
include /etc/nginx/mime.types; | |||||
default_type {{ nginx.get('default_type', 'application/octet-stream') }}; | |||||
log_format main '$scheme://$host:$server_port$uri$is_args$args $remote_addr:$remote_user "$request" $request_time $request_length:$bytes_sent $status "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; | |||||
access_log /var/log/nginx/access.fifo main; | |||||
sendfile {{ nginx.get('sendfile', 'on') }}; | |||||
#tcp_nopush on; | |||||
keepalive_timeout {{ nginx.get('keepalive_timeout', 65) }}; | |||||
server_names_hash_bucket_size {{ nginx.get('server_names_hash_bucket_size', 128) }}; | |||||
server_names_hash_max_size {{ nginx.get('server_names_hash_max_size', 1024) }}; | |||||
types_hash_max_size {{ nginx.get('types_hash_max_size', 8192) }}; | |||||
gzip {{ nginx.get('gzip', 'on') }}; | |||||
gzip_vary {{ nginx.get('gzip_vary', 'on') }}; | |||||
gzip_proxied {{ nginx.get('gzip_proxied', 'any') }}; | |||||
gzip_comp_level {{ nginx.get('gzip_comp_level', 6) }}; | |||||
gzip_buffers {{ nginx.get('gzip_buffers', '16 8k') }}; | |||||
gzip_http_version {{ nginx.get('gzip_http_version', '1.1') }}; | |||||
gzip_types {{ nginx.get('gzip_types', ['text/plain', 'text/css', 'application/json', 'application/x-javascript', 'text/xml', 'application/xml', 'application/xml+rss', 'text/javascript'])|join(' ') }}; | |||||
gzip_disable "{{ nginx.get('gzip_disable', 'msie6') }}"; | |||||
# turn on nginx_status on localhost | |||||
server { | |||||
listen 127.0.0.1:80; | |||||
server_name 127.0.0.1; | |||||
location /nginx_status { | |||||
stub_status on; | |||||
access_log off; | |||||
allow 127.0.0.1; | |||||
deny all; | |||||
} | |||||
} | |||||
{% if pillar['nginx'] is defined -%} | |||||
{% if pillar['nginx']['redirect_numeric_ip']|default(False) -%} | |||||
server { | |||||
server_name {% for ip in salt['network.interfaces']()['eth0']['inet'] %}{{ ip['address'] }}:80{% if not loop.last %} {% endif %}{% endfor %}; | |||||
return 302 {{ pillar['nginx']['redirect_numeric_ip'] }}; | |||||
access_log off; | |||||
} | |||||
{% endif -%} | |||||
{% endif %} | |||||
include /etc/nginx/conf.d/*.conf; | |||||
include /etc/nginx/sites-enabled/*.conf; | |||||
} |
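Review bot: the `redirect_numeric_ip` block indexes `salt['network.interfaces']()['eth0']['inet']` directly, so rendering fails on any minion whose interface is not named `eth0` or has no IPv4 address, and it appends `:80` to every `server_name` entry even though the port belongs in `listen`, not in `server_name`. Take the interface name from pillar (or iterate over a grain such as `ipv4`), emit bare addresses, and add an explicit `listen 80;`. The `include /etc/nginx/mime.types;` and the two trailing `include` lines are also hard-coded to `/etc/nginx`, while other paths in this template come from pillar.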
#!/bin/sh | |||||
### BEGIN INIT INFO | |||||
# Provides: {{ service_name }} | |||||
# Required-Start: $local_fs $remote_fs $network $syslog | |||||
# Required-Stop: $local_fs $remote_fs $network $syslog | |||||
# Default-Start: 2 3 4 5 | |||||
# Default-Stop: 0 1 6 | |||||
# Short-Description: starts the {{ service_name }} web server | |||||
# Description: starts {{ service_name }} using start-stop-daemon | |||||
### END INIT INFO | |||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin | |||||
DAEMON={{ sbin_dir }}/nginx | |||||
NAME={{ service_name }} | |||||
DESC={{ service_name }} | |||||
# Include nginx defaults if available | |||||
if [ -f /etc/default/$NAME ]; then | |||||
. /etc/default/$NAME | |||||
fi | |||||
test -x $DAEMON || exit 0 | |||||
set -e | |||||
. /lib/lsb/init-functions | |||||
test_nginx_config() { | |||||
if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then | |||||
return 0 | |||||
else | |||||
$DAEMON -t $DAEMON_OPTS | |||||
return $? | |||||
fi | |||||
} | |||||
case "$1" in | |||||
start) | |||||
echo -n "Starting $DESC: " | |||||
test_nginx_config | |||||
# Check if the ULIMIT is set in /etc/default/nginx | |||||
if [ -n "$ULIMIT" ]; then | |||||
# Set the ulimits | |||||
ulimit $ULIMIT | |||||
fi | |||||
start-stop-daemon --start --quiet --pidfile {{ pid_path }} \ | |||||
--exec $DAEMON -- $DAEMON_OPTS || true | |||||
echo "$NAME." | |||||
;; | |||||
stop) | |||||
echo -n "Stopping $DESC: " | |||||
start-stop-daemon --stop --quiet --pidfile {{ pid_path }} \ | |||||
--exec $DAEMON || true | |||||
echo "$NAME." | |||||
;; | |||||
restart|force-reload) | |||||
echo -n "Restarting $DESC: " | |||||
start-stop-daemon --stop --quiet --pidfile \ | |||||
{{ pid_path }} --exec $DAEMON || true | |||||
sleep 1 | |||||
test_nginx_config | |||||
# Check if the ULIMIT is set in /etc/default/nginx | |||||
if [ -n "$ULIMIT" ]; then | |||||
# Set the ulimits | |||||
ulimit $ULIMIT | |||||
fi | |||||
start-stop-daemon --start --quiet --pidfile \ | |||||
{{ pid_path }} --exec $DAEMON -- $DAEMON_OPTS || true | |||||
echo "$NAME." | |||||
;; | |||||
reload) | |||||
echo -n "Reloading $DESC configuration: " | |||||
test_nginx_config | |||||
start-stop-daemon --stop --signal HUP --quiet --pidfile {{ pid_path }} \ | |||||
--exec $DAEMON || true | |||||
echo "$NAME." | |||||
;; | |||||
configtest|testconfig) | |||||
echo -n "Testing $DESC configuration: " | |||||
if test_nginx_config; then | |||||
echo "$NAME." | |||||
else | |||||
exit $? | |||||
fi | |||||
;; | |||||
status) | |||||
status_of_proc -p {{ pid_path }} "$DAEMON" nginx && exit 0 || exit $? | |||||
;; | |||||
*) | |||||
echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2 | |||||
exit 1 | |||||
;; | |||||
esac | |||||
exit 0 |
#!/bin/bash | |||||
# /etc/init.d/nginx-logger-{{ type }} | |||||
# | |||||
### BEGIN INIT INFO | |||||
# Provides: nginx-logger-{{ type }} | |||||
# Required-Start: $local_fs $remote_fs $network $syslog | |||||
# Required-Stop: $local_fs $remote_fs $network $syslog | |||||
# Default-Start: 2 3 4 5 | |||||
# Default-Stop: 0 1 6 | |||||
# Short-Description: starts the nginx-logger-{{ type }} | |||||
# Description: starts nginx-logger-{{ type }} using start-stop-daemon | |||||
### END INIT INFO | |||||
NAME=nginx-logger-{{ type }} | |||||
DESC="syslog forwarder for nginx {{type}} logs" | |||||
DAEMON=/usr/bin/logger | |||||
DAEMON_ARGS=" -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}" | |||||
PIDFILE=/var/run/$NAME.pid | |||||
SCRIPTNAME=/etc/init.d/$NAME | |||||
# Exit if the daemon program isn't installed | |||||
[ -x "$DAEMON" ] || exit 0 | |||||
# Read configuration variable file if it is present | |||||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME | |||||
. /lib/lsb/init-functions | |||||
do_start() { | |||||
# Return | |||||
# 0 if daemon has been started | |||||
# 1 if daemon was already running | |||||
# 2 if daemon could not be started | |||||
pid=$(pidofproc -p $PIDFILE $DAEMON) | |||||
if [ -n "$pid" ]; then | |||||
return 1; | |||||
fi | |||||
if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then | |||||
mkdir -p /var/log/nginx | |||||
mkfifo /var/log/nginx/{{ type }}.fifo | |||||
chown root.root /var/log/nginx/{{ type }}.fifo | |||||
chmod 660 /var/log/nginx/{{ type }}.fifo | |||||
fi | |||||
start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS | |||||
} | |||||
do_stop() { | |||||
# Return | |||||
# 0 if daemon has been stopped | |||||
# 1 if daemon was already stopped | |||||
# 2 if daemon could not be stopped | |||||
# other if a failure occurred | |||||
pids=$(pidof -x $DAEMON) | |||||
if [ $? -eq 0 ]; then | |||||
echo $pids | xargs kill 2&1>/dev/null | |||||
RETVAL=0 | |||||
else | |||||
RETVAL=1 | |||||
fi | |||||
[ "$RETVAL" = 2 ] && return 2 | |||||
rm -f $PIDFILE | |||||
return "$RETVAL" | |||||
} | |||||
case "$1" in | |||||
start) | |||||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" | |||||
do_start | |||||
case "$?" in | |||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; | |||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; | |||||
esac | |||||
;; | |||||
stop) | |||||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" | |||||
do_stop | |||||
case "$?" in | |||||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; | |||||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; | |||||
esac | |||||
;; | |||||
status) | |||||
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? | |||||
;; | |||||
restart|force-reload) | |||||
[ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME" | |||||
do_stop | |||||
case "$?" in | |||||
0|1) | |||||
do_start | |||||
case "$?" in | |||||
0) log_end_msg 0 ;; | |||||
1) log_end_msg 1 ;; # Old process still running | |||||
*) log_end_msg 1 ;; # Failed to start | |||||
esac | |||||
;; | |||||
*) | |||||
# Failed to stop | |||||
log_end_msg 1 | |||||
;; | |||||
esac | |||||
;; | |||||
*) | |||||
echo "Usage: /etc/init.d/nginx-logger-{{ type }} {start|stop|status|restart|force-reload}" >&2 | |||||
exit 3 | |||||
;; | |||||
esac | |||||
exit 0 |
# {{ pillar.get('message_do_not_modify', '') }} | |||||
# startup script for Nginx loggers | |||||
start on starting nginx | |||||
stop on runlevel [!2345] | |||||
respawn | |||||
pre-start script | |||||
if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then | |||||
mkdir -p /var/log/nginx | |||||
mkfifo /var/log/nginx/{{ type }}.fifo | |||||
chown root.root /var/log/nginx/{{ type }}.fifo | |||||
chmod 660 /var/log/nginx/{{ type }}.fifo | |||||
fi | |||||
end script | |||||
emits nginx-logger-{{ type }} | |||||
exec logger -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %} |
# nginx | |||||
description "nginx http daemon" | |||||
author "George Shammas <georgyo@gmail.com>" | |||||
start on (runlevel [345] and started network) | |||||
stop on (runlevel [!345] or stopping network) | |||||
env DAEMON=/usr/sbin/nginx | |||||
expect fork | |||||
respawn | |||||
respawn limit 10 5 | |||||
#oom never | |||||
pre-start script | |||||
$DAEMON -t | |||||
if [ $? -ne 0 ] | |||||
then exit $? | |||||
fi | |||||
end script | |||||
exec $DAEMON |
{% set logger_types = ('access', 'error') %} | |||||
{% for log_type in logger_types %} | |||||
/var/log/nginx/{{ log_type }}.log: | |||||
file.absent | |||||
nginx-logger-{{ log_type }}: | |||||
file: | |||||
- managed | |||||
- name: /etc/init/nginx-logger-{{ log_type }}.conf | |||||
- template: jinja | |||||
- user: root | |||||
- group: root | |||||
- mode: 440 | |||||
- source: salt://nginx/templates/upstart-logger.jinja | |||||
- context: | |||||
type: {{ log_type }} | |||||
service: | |||||
- running | |||||
- enable: True | |||||
- require: | |||||
- file: nginx-logger-{{ log_type }} | |||||
- require_in: | |||||
- service: nginx | |||||
{% endfor %} | |||||
/etc/logrotate.d/nginx: | |||||
file.absent |
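Review bot: the `file.absent` entries for `/var/log/nginx/{{ log_type }}.log` and `/etc/logrotate.d/nginx` have already been applied on any minion that ran this state, and dropping the state file does nothing to reverse them or to stop the `nginx-logger-{{ log_type }}` jobs it enabled. Those hosts keep logging through the FIFO forwarders with no logrotate entry. Suggest adding to the BREAKING CHANGE text the cleanup expected on such minions (remove `/etc/init/nginx-logger-*.conf`, restore log rotation), so that access and error logging does not end up half-configured after the upgrade.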
{% from "nginx/map.jinja" import nginx with context %} | |||||
{% set htauth = nginx.get('htpasswd', '/etc/nginx/.htpasswd') -%} | |||||
htpasswd: | |||||
pkg.installed: | |||||
- name: {{ nginx.apache_utils }} | |||||
touch {{ htauth }}: | |||||
cmd.run: | |||||
- creates: {{ htauth }} | |||||
make sure {{ htauth }} exists: | |||||
file.managed: | |||||
- name: {{ htauth }} | |||||
- makedirs: True | |||||
{% for name, user in pillar.get('users', {}).items() %} | |||||
{% if user['webauth'] is defined -%} | |||||
nginx_user_{{name}}: | |||||
module.run: | |||||
- name: basicauth.adduser | |||||
- user: {{ name }} | |||||
- passwd: {{ user['webauth'] }} | |||||
- path: {{ htauth }} | |||||
- require: | |||||
- pkg: htpasswd | |||||
{% endif -%} | |||||
{% endfor %} |
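Review bot: the `basicauth.adduser` loop over `pillar.get('users', {})` is the only place in the lines shown that turns `user['webauth']` into entries in `{{ htauth }}`, and the promoted `nginx:` keys in pillar.example have no counterpart for it. Existing `users:<name>:webauth` pillar data would therefore go unused after this change, while the previously written `/etc/nginx/.htpasswd` stays on disk unmanaged. Suggest saying in the BREAKING CHANGE text how basic-auth users should be managed from now on and whether the old htpasswd file is meant to be kept.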
#===== | |||||
# nginx: see `nginx.ng` state instead. | |||||
#====== | |||||
nginx: | |||||
install_from_source: True | |||||
use_upstart: True | |||||
use_sysvinit: False | |||||
user_auth_enabled: True | |||||
with_luajit: False | |||||
with_openresty: True | |||||
repo_version: development # Must be using ppa install by setting `repo_source = ppa` | |||||
set_real_ips: # NOTE: to use this, nginx must have http_realip module enabled | |||||
from_ips: | |||||
- 10.10.10.0/24 | |||||
real_ip_header: X-Forwarded-For | |||||
modules: | |||||
headers-more: | |||||
source: http://github.com/agentzh/headers-more-nginx-module/tarball/v0.21 | |||||
source_hash: sha1=dbf914cbf3f7b6cb7e033fa7b7c49e2f8879113b | |||||
#pid: /var/run/nginx.pid | |||||
# Directory location must exist (i.e. it's /run/nginx.pid on EL7) | |||||
# ======== | # ======== | ||||
# nginx.ng | |||||
# nginx (previously named nginx:ng) | |||||
# ======== | # ======== | ||||
nginx: | nginx: | ||||
ng: | |||||
# The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided | |||||
# package will be installed. If one of the `install_from` option is set to `True`, the state will | |||||
# make sure the other two repos are removed. | |||||
# Use the official's nginx repo binaries | |||||
install_from_repo: false | |||||
# Use Phusionpassenger's repo to install nginx and passenger binaries | |||||
# Debian, Centos, Ubuntu and Redhat are currently available | |||||
install_from_phusionpassenger: false | |||||
# PPA install | |||||
install_from_ppa: false | |||||
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx ) | |||||
ppa_version: 'stable' | |||||
# Source install | |||||
source_version: '1.10.0' | |||||
source_hash: '' | |||||
# These are usually set by grains in map.jinja | |||||
# Typically you can comment these out. | |||||
lookup: | |||||
package: nginx-custom (can be a list) | |||||
service: nginx | |||||
webuser: www-data | |||||
conf_file: /etc/nginx/nginx.conf | |||||
server_available: /etc/nginx/sites-available | |||||
server_enabled: /etc/nginx/sites-enabled | |||||
server_use_symlink: True | |||||
# If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed | |||||
passenger_package: libnginx-mod-http-passenger | |||||
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf | |||||
# This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever | |||||
rh_os_releasever: '6' | |||||
# Currently it can be used on rhel/centos/suse when installing from repo | |||||
gpg_check: True | |||||
pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ### | |||||
# Source compilation is not currently a part of nginx.ng | |||||
from_source: False | |||||
source: | |||||
opts: {} | |||||
package: | |||||
opts: {} # this partially exposes parameters of pkg.installed | |||||
service: | |||||
enable: True # Whether or not the service will be enabled/running or dead | |||||
opts: {} # this partially exposes parameters of service.running / service.dead | |||||
##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## | |||||
## You can use snippets to define often repeated configuration once and include it later | |||||
## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'" | |||||
##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## | |||||
snippets: | |||||
letsencrypt: | |||||
- location ^~ /.well-known/acme-challenge/: | |||||
- proxy_pass: http://localhost:9999 | |||||
cloudflare_proxy: | |||||
- set_real_ip_from: 103.21.244.0/22 | |||||
- set_real_ip_from: 103.22.200.0/22 | |||||
- set_real_ip_from: 104.16.0.0/12 | |||||
- set_real_ip_from: 108.162.192.0/18 | |||||
blacklist: | |||||
- map $http_user_agent $bad_bot: | |||||
- default: 0 | |||||
- '~*^Lynx': 0 | |||||
- '~*malicious': 1 | |||||
- '~*bot': 1 | |||||
- '~*crawler': 1 | |||||
- '~*bandit': 1 | |||||
- libwww-perl: 1 | |||||
- '~(?i)(httrack|htmlparser|libwww)': 1 | |||||
upstream_netdata_tcp: | |||||
- upstream netdata: | |||||
- server: 127.0.0.1:19999 | |||||
- keepalive: 64 | |||||
server: | |||||
opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file | |||||
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # | |||||
# nginx.conf (main server) declarations | |||||
# dictionaries map to blocks {} and lists cause the same declaration to repeat with different values | |||||
# see also http://nginx.org/en/docs/example.html | |||||
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # | |||||
config: | |||||
include: 'snippets/letsencrypt.conf' | |||||
source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the | |||||
# options; if it is found other options (worker_processes: 4 and so | |||||
# on) are not processed and just upload the file from source | |||||
worker_processes: 4 | |||||
load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start | |||||
#pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7) | |||||
events: | |||||
worker_connections: 1024 | |||||
http: | |||||
sendfile: 'on' | |||||
include: | |||||
#### Note: Syntax issues in these files generate nginx [emerg] errors on startup. #### | |||||
- /etc/nginx/mime.types | |||||
### module ngx_http_log_module example | |||||
log_format: |- | |||||
main '$remote_addr - $remote_user [$time_local] $status ' | |||||
'"$request" $body_bytes_sent "$http_referer" ' | |||||
'"$http_user_agent" "$http_x_forwarded_for"' | |||||
access_log: [] #suppress default access_log option from being added | |||||
### module nngx_stream_core_module | |||||
### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example | |||||
stream: | |||||
upstream lb-1000: | |||||
- server: | |||||
- hostname1.example.com:1000 | |||||
- hostname2.example.com:1000 | |||||
upstream stream_backend: | |||||
least_conn: '' | |||||
'server backend1.example.com:12345 weight=5': | |||||
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': | |||||
'server backend3.example.com:12345 max_conns=3': | |||||
upstream dns_servers: | |||||
least_conn: | |||||
'server 192.168.136.130:53': | |||||
'server 192.168.136.131:53': | |||||
'server 192.168.136.132:53': | |||||
server: | |||||
listen: 1000 | |||||
proxy_pass: lb-1000 | |||||
'server ': | |||||
listen: '53 udp' | |||||
proxy_pass: dns_servers | |||||
'server ': | |||||
listen: 12346 | |||||
proxy_pass: backend4.example.com:12346 | |||||
servers: | |||||
disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling | |||||
symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites | |||||
rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites | |||||
managed_opts: {} # partially exposes file.managed params for managed server files | |||||
dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs | |||||
##################### | |||||
# server declarations; placed by default in server "available" directory | |||||
##################### | |||||
managed: | |||||
mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite') | |||||
# may be True, False, or None where True is enabled, False, disabled, and None indicates no action | |||||
enabled: True | |||||
# Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default) | |||||
# It also remove the symlink (if it is exists). | |||||
# The site MUST be disabled before delete it (if not the nginx is not reloaded). | |||||
#deleted: True | |||||
#available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename | |||||
#enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename | |||||
disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking | |||||
overwrite: True # overwrite an existing server file or not | |||||
# May be a list of config options or None, if None, no server file will be managed/templated | |||||
# Take server directives as lists of dictionaries. If the dictionary value is another list of | |||||
# dictionaries a block {} will be started with the dictionary key name | |||||
config: | |||||
- server: | |||||
- server_name: localhost | |||||
- listen: | |||||
- '80 default_server' | |||||
- listen: | |||||
- '443 ssl' | |||||
- index: 'index.html index.htm' | |||||
- location ~ .htm: | |||||
- try_files: '$uri $uri/ =404' | |||||
- test: something else | |||||
- include: 'snippets/letsencrypt.conf' | |||||
# Or a slightly more compact alternative syntax: | |||||
- server: | |||||
- server_name: localhost | |||||
- listen: | |||||
- '80 default_server' | |||||
- '443 ssl' | |||||
- index: 'index.html index.htm' | |||||
- location ~ .htm: | |||||
- try_files: '$uri $uri/ =404' | |||||
- test: something else | |||||
- include: 'snippets/letsencrypt.conf' | |||||
# both of those output: | |||||
# server { | |||||
# server_name localhost; | |||||
# listen 80 default_server; | |||||
# listen 443 ssl; | |||||
# index index.html index.htm; | |||||
# location ~ .htm { | |||||
# try_files $uri $uri/ =404; | |||||
# test something else; | |||||
# } | |||||
# } | |||||
mysite2: # Using source_path options to upload the file instead of templating all the file | |||||
enabled: True | |||||
available_dir: /etc/nginx/sites-available | |||||
enabled_dir: /etc/nginx/sites-enabled | |||||
config: | |||||
source_path: salt://path-to-site-file/mysite2 | |||||
# Below configuration becomes handy if you want to create custom configuration files | |||||
# for example if you want to create /usr/local/etc/nginx/http_options.conf with | |||||
# the following content: | |||||
# sendfile on; | |||||
# tcp_nopush on; | |||||
# tcp_nodelay on; | |||||
# send_iowait 12000; | |||||
http_options.conf: | |||||
enabled: True | |||||
available_dir: /usr/local/etc/nginx | |||||
enabled_dir: /usr/local/etc/nginx | |||||
config: | |||||
- sendfile: 'on' | |||||
- tcp_nopush: 'on' | |||||
- tcp_nodelay: 'on' | |||||
- send_iowait: 12000 | |||||
certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path. | |||||
# If you're doing SSL termination, you can deploy certificates this way. | |||||
# The private one(s) should go in a separate pillar file not in version | |||||
# control (or use encrypted pillar data). | |||||
certificates: | |||||
'www.example.com': | |||||
# choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree) | |||||
# public_cert_pillar: certs:example.com:fullchain.pem | |||||
# private_key_pillar: certs:example.com:privkey.pem | |||||
# or directly pasting the cert | |||||
public_cert: | | |||||
-----BEGIN CERTIFICATE----- | |||||
(Your Primary SSL certificate: www.example.com.crt) | |||||
-----END CERTIFICATE----- | |||||
-----BEGIN CERTIFICATE----- | |||||
(Your Intermediate certificate: ExampleCA.crt) | |||||
-----END CERTIFICATE----- | |||||
-----BEGIN CERTIFICATE----- | |||||
(Your Root certificate: TrustedRoot.crt) | |||||
-----END CERTIFICATE----- | |||||
private_key: | | |||||
-----BEGIN RSA PRIVATE KEY----- | |||||
(Your Private Key: www.example.com.key) | |||||
-----END RSA PRIVATE KEY----- | |||||
dh_param: | |||||
'mydhparam1.pem': | | |||||
-----BEGIN DH PARAMETERS----- | |||||
(Your custom DH prime) | |||||
-----END DH PARAMETERS----- | |||||
# or to generate one on-the-fly | |||||
'mydhparam2.pem': | |||||
keysize: 2048 | |||||
# Passenger configuration | |||||
# Default passenger configuration is provided, and will be deployed in | |||||
# /etc/nginx/conf.d/passenger.conf | |||||
passenger: | |||||
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini | |||||
passenger_ruby: /usr/bin/ruby | |||||
passenger_instance_registry_dir: /var/run/passenger-instreg | |||||
# The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided | |||||
# package will be installed. If one of the `install_from` option is set to `True`, the state will | |||||
# make sure the other two repos are removed. | |||||
# Use the official's nginx repo binaries | |||||
install_from_repo: false | |||||
# Use Phusionpassenger's repo to install nginx and passenger binaries | |||||
# Debian, Centos, Ubuntu and Redhat are currently available | |||||
install_from_phusionpassenger: false | |||||
# PPA install | |||||
install_from_ppa: false | |||||
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx ) | |||||
ppa_version: 'stable' | |||||
# Source install | |||||
source_version: '1.10.0' | |||||
source_hash: '' | |||||
# These are usually set by grains in map.jinja | |||||
# Typically you can comment these out. | |||||
lookup: | |||||
package: nginx-custom (can be a list) | |||||
service: nginx | |||||
webuser: www-data | |||||
conf_file: /etc/nginx/nginx.conf | |||||
server_available: /etc/nginx/sites-available | |||||
server_enabled: /etc/nginx/sites-enabled | |||||
server_use_symlink: True | |||||
# If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed | |||||
passenger_package: libnginx-mod-http-passenger | |||||
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf | |||||
# This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever | |||||
rh_os_releasever: '6' | |||||
# Currently it can be used on rhel/centos/suse when installing from repo | |||||
gpg_check: True | |||||
pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ### | |||||
# Source compilation is not currently a part of nginx | |||||
from_source: False | |||||
source: | |||||
opts: {} | |||||
package: | |||||
opts: {} # this partially exposes parameters of pkg.installed | |||||
service: | |||||
enable: True # Whether or not the service will be enabled/running or dead | |||||
opts: {} # this partially exposes parameters of service.running / service.dead | |||||
##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## | |||||
## You can use snippets to define often repeated configuration once and include it later | |||||
## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'" | |||||
##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## | |||||
snippets: | |||||
letsencrypt: | |||||
- location ^~ /.well-known/acme-challenge/: | |||||
- proxy_pass: http://localhost:9999 | |||||
cloudflare_proxy: | |||||
- set_real_ip_from: 103.21.244.0/22 | |||||
- set_real_ip_from: 103.22.200.0/22 | |||||
- set_real_ip_from: 104.16.0.0/12 | |||||
- set_real_ip_from: 108.162.192.0/18 | |||||
blacklist: | |||||
- map $http_user_agent $bad_bot: | |||||
- default: 0 | |||||
- '~*^Lynx': 0 | |||||
- '~*malicious': 1 | |||||
- '~*bot': 1 | |||||
- '~*crawler': 1 | |||||
- '~*bandit': 1 | |||||
- libwww-perl: 1 | |||||
- '~(?i)(httrack|htmlparser|libwww)': 1 | |||||
upstream_netdata_tcp: | |||||
- upstream netdata: | |||||
- server: 127.0.0.1:19999 | |||||
- keepalive: 64 | |||||
server: | |||||
opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file | |||||
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # | |||||
# nginx.conf (main server) declarations | |||||
# dictionaries map to blocks {} and lists cause the same declaration to repeat with different values | |||||
# see also http://nginx.org/en/docs/example.html | |||||
#-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # | |||||
config: | |||||
include: 'snippets/letsencrypt.conf' | |||||
source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the | |||||
# options; if it is found other options (worker_processes: 4 and so | |||||
# on) are not processed and just upload the file from source | |||||
worker_processes: 4 | |||||
load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start | |||||
#pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7) | |||||
events: | |||||
worker_connections: 1024 | |||||
http: | |||||
sendfile: 'on' | |||||
include: | |||||
#### Note: Syntax issues in these files generate nginx [emerg] errors on startup. #### | |||||
- /etc/nginx/mime.types | |||||
### module ngx_http_log_module example | |||||
log_format: |- | |||||
main '$remote_addr - $remote_user [$time_local] $status ' | |||||
'"$request" $body_bytes_sent "$http_referer" ' | |||||
'"$http_user_agent" "$http_x_forwarded_for"' | |||||
access_log: [] #suppress default access_log option from being added | |||||
### module nngx_stream_core_module | |||||
### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example | |||||
stream: | |||||
upstream lb-1000: | |||||
- server: | |||||
- hostname1.example.com:1000 | |||||
- hostname2.example.com:1000 | |||||
upstream stream_backend: | |||||
least_conn: '' | |||||
'server backend1.example.com:12345 weight=5': | |||||
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': | |||||
'server backend3.example.com:12345 max_conns=3': | |||||
upstream dns_servers: | |||||
least_conn: | |||||
'server 192.168.136.130:53': | |||||
'server 192.168.136.131:53': | |||||
'server 192.168.136.132:53': | |||||
server: | |||||
listen: 1000 | |||||
proxy_pass: lb-1000 | |||||
'server ': | |||||
listen: '53 udp' | |||||
proxy_pass: dns_servers | |||||
'server ': | |||||
listen: 12346 | |||||
proxy_pass: backend4.example.com:12346 | |||||
servers: | |||||
disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling | |||||
symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites | |||||
rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites | |||||
managed_opts: {} # partially exposes file.managed params for managed server files | |||||
dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs | |||||
##################### | |||||
# server declarations; placed by default in server "available" directory | |||||
##################### | |||||
managed: | |||||
mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite') | |||||
# may be True, False, or None where True is enabled, False, disabled, and None indicates no action | |||||
enabled: True | |||||
# Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default) | |||||
# It also remove the symlink (if it is exists). | |||||
# The site MUST be disabled before delete it (if not the nginx is not reloaded). | |||||
#deleted: True | |||||
#available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename | |||||
#enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename | |||||
disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking | |||||
overwrite: True # overwrite an existing server file or not | |||||
# May be a list of config options or None, if None, no server file will be managed/templated | |||||
# Take server directives as lists of dictionaries. If the dictionary value is another list of | |||||
# dictionaries a block {} will be started with the dictionary key name | |||||
config: | |||||
- server: | |||||
- server_name: localhost | |||||
- listen: | |||||
- '80 default_server' | |||||
- listen: | |||||
- '443 ssl' | |||||
- index: 'index.html index.htm' | |||||
- location ~ .htm: | |||||
- try_files: '$uri $uri/ =404' | |||||
- test: something else | |||||
- include: 'snippets/letsencrypt.conf' | |||||
# Or a slightly more compact alternative syntax: | |||||
- server: | |||||
- server_name: localhost | |||||
- listen: | |||||
- '80 default_server' | |||||
- '443 ssl' | |||||
- index: 'index.html index.htm' | |||||
- location ~ .htm: | |||||
- try_files: '$uri $uri/ =404' | |||||
- test: something else | |||||
- include: 'snippets/letsencrypt.conf' | |||||
# both of those output: | |||||
# server { | |||||
# server_name localhost; | |||||
# listen 80 default_server; | |||||
# listen 443 ssl; | |||||
# index index.html index.htm; | |||||
# location ~ .htm { | |||||
# try_files $uri $uri/ =404; | |||||
# test something else; | |||||
# } | |||||
# } | |||||
mysite2: # Using source_path options to upload the file instead of templating all the file | |||||
enabled: True | |||||
available_dir: /etc/nginx/sites-available | |||||
enabled_dir: /etc/nginx/sites-enabled | |||||
config: | |||||
source_path: salt://path-to-site-file/mysite2 | |||||
# Below configuration becomes handy if you want to create custom configuration files | |||||
# for example if you want to create /usr/local/etc/nginx/http_options.conf with | |||||
# the following content: | |||||
# sendfile on; | |||||
# tcp_nopush on; | |||||
# tcp_nodelay on; | |||||
# send_iowait 12000; | |||||
http_options.conf: | |||||
enabled: True | |||||
available_dir: /usr/local/etc/nginx | |||||
enabled_dir: /usr/local/etc/nginx | |||||
config: | |||||
- sendfile: 'on' | |||||
- tcp_nopush: 'on' | |||||
- tcp_nodelay: 'on' | |||||
- send_iowait: 12000 | |||||
certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path. | |||||
# If you're doing SSL termination, you can deploy certificates this way. | |||||
# The private one(s) should go in a separate pillar file not in version | |||||
# control (or use encrypted pillar data). | |||||
certificates: | |||||
'www.example.com': | |||||
# choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree) | |||||
# public_cert_pillar: certs:example.com:fullchain.pem | |||||
# private_key_pillar: certs:example.com:privkey.pem | |||||
# or directly pasting the cert | |||||
public_cert: | | |||||
-----BEGIN CERTIFICATE----- | |||||
(Your Primary SSL certificate: www.example.com.crt) | |||||
-----END CERTIFICATE----- | |||||
-----BEGIN CERTIFICATE----- | |||||
(Your Intermediate certificate: ExampleCA.crt) | |||||
-----END CERTIFICATE----- | |||||
-----BEGIN CERTIFICATE----- | |||||
(Your Root certificate: TrustedRoot.crt) | |||||
-----END CERTIFICATE----- | |||||
private_key: | | |||||
-----BEGIN RSA PRIVATE KEY----- | |||||
(Your Private Key: www.example.com.key) | |||||
-----END RSA PRIVATE KEY----- | |||||
dh_param: | |||||
'mydhparam1.pem': | | |||||
-----BEGIN DH PARAMETERS----- | |||||
(Your custom DH prime) | |||||
-----END DH PARAMETERS----- | |||||
# or to generate one on-the-fly | |||||
'mydhparam2.pem': | |||||
keysize: 2048 | |||||
# Passenger configuration | |||||
# Default passenger configuration is provided, and will be deployed in | |||||
# /etc/nginx/conf.d/passenger.conf | |||||
passenger: | |||||
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini | |||||
passenger_ruby: /usr/bin/ruby | |||||
passenger_instance_registry_dir: /var/run/passenger-instreg |
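Review bot: the legacy keys (`install_from_source`, `use_upstart`, `user_auth_enabled`, `with_openresty`, ...) and the promoted keys now live under the same top-level `nginx:` key, and nothing in the lines shown rejects a pillar that still carries the legacy keys or still nests everything under `nginx:ng:`. Suggest spelling this out next to the header comment `# nginx (previously named nginx:ng)`, for example that the `ng:` level must be removed and which legacy keys are no longer read, or having the state fail when `nginx:ng` is still defined. Minor: `nngx_stream_core_module` on the re-indented side carries over a typo for `ngx_stream_core_module`.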
# - create 'mysite' site | # - create 'mysite' site | ||||
nginx: | nginx: | ||||
ng: | |||||
snippets: | |||||
letsencrypt: | |||||
- location ^~ /.well-known/acme-challenge/: | |||||
- proxy_pass: http://localhost:9999 | |||||
server: | |||||
config: | |||||
http: | |||||
### module ngx_http_log_module example | |||||
log_format: |- | |||||
main '$remote_addr - $remote_user [$time_local] $status ' | |||||
'"$request" $body_bytes_sent "$http_referer" ' | |||||
'"$http_user_agent" "$http_x_forwarded_for"' | |||||
servers: | |||||
managed: | |||||
default: | |||||
deleted: True | |||||
enabled: False | |||||
config: {} | |||||
snippets: | |||||
letsencrypt: | |||||
- location ^~ /.well-known/acme-challenge/: | |||||
- proxy_pass: http://localhost:9999 | |||||
server: | |||||
config: | |||||
http: | |||||
### module ngx_http_log_module example | |||||
log_format: |- | |||||
main '$remote_addr - $remote_user [$time_local] $status ' | |||||
'"$request" $body_bytes_sent "$http_referer" ' | |||||
'"$http_user_agent" "$http_x_forwarded_for"' | |||||
servers: | |||||
managed: | |||||
default: | |||||
deleted: True | |||||
enabled: False | |||||
config: {} | |||||
mysite: | |||||
enabled: True | |||||
config: | |||||
- server: | |||||
- server_name: localhost | |||||
- listen: | |||||
- '80 default_server' | |||||
- index: 'index.html index.htm' | |||||
- location ~ .htm: | |||||
- try_files: '$uri $uri/ =404' | |||||
- include: 'snippets/letsencrypt.conf' | |||||
mysite: | |||||
enabled: True | |||||
config: | |||||
- server: | |||||
- server_name: localhost | |||||
- listen: | |||||
- '80 default_server' | |||||
- index: 'index.html index.htm' | |||||
- location ~ .htm: | |||||
- try_files: '$uri $uri/ =404' | |||||
- include: 'snippets/letsencrypt.conf' | |||||