Saltstack Official Nginx Formula
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

392 行
14KB

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # ========
  5. # nginx (previously named nginx:ng)
  6. # ========
  7. nginx:
  8. # The following three `install_from_` options are mutually exclusive. If none
  9. # is used, the distro's provided package will be installed. If one of the
  10. # `install_from` option is set to `true`, the state will make sure the other
  11. # two repos are removed.
  12. # Use the official's nginx repo binaries
  13. install_from_repo: false
  14. # Use Phusionpassenger's repo to install nginx and passenger binaries
  15. # Debian, Centos, Ubuntu and Redhat are currently available
  16. install_from_phusionpassenger: false
  17. # PPA install
  18. install_from_ppa: false
  19. # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for
  20. # each build accordingly ( https://launchpad.net/~nginx )
  21. ppa_version: 'stable'
  22. # Source install
  23. source_version: '1.10.0'
  24. source_hash: ''
  25. # Check the configuration before applying:
  26. # To prevent applying a configuration that might break nginx, set this
  27. # parameter to true so the configuration is checked BEFORE applying. If
  28. # the check fails, the state will fail and it won't be deployed.
  29. # CAVEAT: As the configuration file is created in a temp dir, it can't
  30. # have relative references or it will fail to check. You'll need to
  31. # specify full paths where required (ie, `include`, `load_module`,
  32. # `snippets`, etc.0
  33. # Defaults to false
  34. check_config_before_apply: false
  35. # These are usually set by grains in map.jinja
  36. # Typically you can comment these out.
  37. lookup:
  38. package: nginx-custom (can be a list)
  39. service: nginx
  40. webuser: www-data
  41. conf_file: /etc/nginx/nginx.conf
  42. server_available: /etc/nginx/sites-available
  43. server_enabled: /etc/nginx/sites-enabled
  44. server_use_symlink: true
  45. # If you install nginx+passenger from phusionpassenger in Debian, these
  46. # values will probably be needed
  47. passenger_package: libnginx-mod-http-passenger
  48. passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
  49. # This is required for RedHat like distros (Amazon Linux) that don't follow
  50. # semantic versioning for $releasever
  51. rh_os_releasever: '6'
  52. # Currently it can be used on rhel/centos/suse when installing from repo
  53. gpg_check: true
  54. ### prevents rendering SLS error nginx.server.config.pid undefined ###
  55. pid_file: /var/run/nginx.pid
  56. # Source compilation is not currently a part of nginx
  57. from_source: false
  58. source:
  59. opts: {}
  60. package:
  61. opts: {} # this partially exposes parameters of pkg.installed
  62. service:
  63. enable: true # Whether or not the service will be enabled/running or dead
  64. opts: {} # this partially exposes parameters of service.running / service.dead
  65. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  66. ## You can use snippets to define often repeated configuration once and
  67. ## include it later # The letsencrypt example below is consumed by "- include:
  68. ## 'snippets/letsencrypt.conf'" # Files or Templates can be retrieved by TOFS
  69. ## with snippet name ( Fallback to server.conf )
  70. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  71. snippets:
  72. letsencrypt.conf:
  73. - location ^~ /.well-known/acme-challenge/:
  74. - proxy_pass: http://localhost:9999
  75. cloudflare_proxy.conf:
  76. - set_real_ip_from: 103.21.244.0/22
  77. - set_real_ip_from: 103.22.200.0/22
  78. - set_real_ip_from: 104.16.0.0/12
  79. - set_real_ip_from: 108.162.192.0/18
  80. blacklist.conf:
  81. - map $http_user_agent $bad_bot:
  82. - default: 0
  83. - '~*^Lynx': 0
  84. - '~*malicious': 1
  85. - '~*bot': 1
  86. - '~*crawler': 1
  87. - '~*bandit': 1
  88. - libwww-perl: 1
  89. - '~(?i)(httrack|htmlparser|libwww)': 1
  90. upstream_netdata_tcp.conf:
  91. - upstream netdata:
  92. - server: 127.0.0.1:19999
  93. - keepalive: 64
  94. streams:
  95. example_stream:
  96. - upstream some_upstream:
  97. - server: '10.0.0.1:8000'
  98. - server: '10.0.0.2:8000'
  99. - server:
  100. - listen: 7000
  101. - proxy_pass: some_upstream
  102. server:
  103. # this partially exposes file.managed parameters as they relate to the main
  104. # nginx.conf file
  105. opts: {}
  106. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  107. # nginx.conf (main server) declarations dictionaries map to blocks {} and
  108. # lists cause the same declaration to repeat with different values see also
  109. # http://nginx.org/en/docs/example.html Nginx config file or template can
  110. # be retrieved by TOFS ( Fallback to nginx.conf )
  111. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  112. config:
  113. include: 'snippets/letsencrypt.conf'
  114. # IMPORTANT: This option is mutually exclusive with TOFS and the rest of
  115. # the options; if it is found other options (worker_processes: 4 and so
  116. # on) are not processed and just upload the file from source
  117. source_path: salt://path_to_nginx_conf_file/nginx.conf
  118. worker_processes: 4
  119. # pass as very first in configuration; otherwise nginx will fail to start
  120. load_module: modules/ngx_http_lua_module.so
  121. # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
  122. # pid: /var/run/nginx.pid
  123. events:
  124. worker_connections: 1024
  125. http:
  126. sendfile: 'on'
  127. include:
  128. #### Note: Syntax issues in these files generate nginx [emerg] errors
  129. #### on startup.
  130. - /etc/nginx/mime.types
  131. ### module ngx_http_log_module example
  132. log_format: |-
  133. main '$remote_addr - $remote_user [$time_local] $status '
  134. '"$request" $body_bytes_sent "$http_referer" '
  135. '"$http_user_agent" "$http_x_forwarded_for"'
  136. access_log: [] # suppress default access_log option from being added
  137. # module nngx_stream_core_module
  138. # yamllint disable-line rule:line-length
  139. # https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
  140. stream:
  141. upstream lb-1000:
  142. - server:
  143. - hostname1.example.com:1000
  144. - hostname2.example.com:1000
  145. upstream stream_backend:
  146. least_conn: ''
  147. 'server backend1.example.com:12345 weight=5': ~
  148. 'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~
  149. 'server backend3.example.com:12345 max_conns=3': ~
  150. upstream dns_servers:
  151. least_conn: ''
  152. 'server 192.168.136.130:53': ~
  153. 'server 192.168.136.131:53': ~
  154. 'server 192.168.136.132:53': ~
  155. server:
  156. listen: 1000
  157. proxy_pass: lb-1000
  158. 'server ':
  159. listen: '53 udp'
  160. proxy_pass: dns_servers
  161. 'server ':
  162. listen: 12346
  163. proxy_pass: backend4.example.com:12346
  164. servers:
  165. # a postfix appended to files when doing non-symlink disabling
  166. disabled_postfix: .disabled
  167. # partially exposes file.symlink params when symlinking enabled sites
  168. symlink_opts: {}
  169. # partially exposes file.rename params when not symlinking disabled/enabled sites
  170. rename_opts: {}
  171. # partially exposes file.managed params for managed server files
  172. managed_opts: {}
  173. # partially exposes file.directory params for site available/enabled and
  174. # snippets dirs
  175. dir_opts: {}
  176. # let the choice to purge site-available and site-enable folders before add new ones
  177. # (if True it removes all non-salt-managed files)
  178. purge_servers_config: false
  179. #####################
  180. # server declarations; placed by default in server "available" directory
  181. #####################
  182. managed:
  183. # relative filename of server file
  184. # (defaults to '/etc/nginx/sites-available/mysite')
  185. mysite:
  186. # may be true, false, or None where true is enabled, false, disabled,
  187. # and None indicates no action
  188. enabled: true
  189. # This let's you add dependencies on other resources being applied for a
  190. # particular vhost
  191. # A common case is when you use this formula together with letsencrypt's,
  192. # validating through nginx: you need nginx running (to validate the vhost) but
  193. # can't have the ssl vhost up until the certificate is created (because it
  194. # won't exist and will make nginx fail to load the configuration)
  195. #
  196. # An example, when using LE to create the cert for 'some.host.domain':
  197. # requires:
  198. # cmd: create-initial-cert-some.host.domain
  199. requires: {}
  200. # Remove the site config file shipped by nginx
  201. # (i.e. '/etc/nginx/sites-available/default' by default)
  202. # It also remove the symlink (if it is exists).
  203. # The site MUST be disabled before delete it (if not the nginx is not
  204. # reloaded).
  205. # deleted: true
  206. # custom directory (not sites-available) for server filename
  207. # available_dir: /etc/nginx/sites-available-custom
  208. # custom directory (not sites-enabled) for server filename
  209. # enabled_dir: /etc/nginx/sites-enabled-custom
  210. # an alternative disabled name to be use when not symlinking
  211. disabled_name: mysite.aint_on
  212. # overwrite an existing server file or not
  213. overwrite: true
  214. # May be a list of config options or None, if None, no server file will
  215. # be managed/templated Take server directives as lists of dictionaries.
  216. # If the dictionary value is another list of dictionaries a block {}
  217. # will be started with the dictionary key name
  218. config:
  219. # both of the methods below lead to the output:
  220. # server {
  221. # server_name localhost;
  222. # listen 80 default_server;
  223. # listen 443 ssl;
  224. # index index.html index.htm;
  225. # location ~ .htm {
  226. # try_files $uri $uri/ =404;
  227. # test something else;
  228. # }
  229. # }
  230. - server:
  231. - server_name: localhost
  232. - listen:
  233. - '80 default_server'
  234. - listen:
  235. - '443 ssl'
  236. - index: 'index.html index.htm'
  237. - location ~ .htm:
  238. - try_files: '$uri $uri/ =404'
  239. - test: something else
  240. - include: 'snippets/letsencrypt.conf'
  241. # Or a slightly more compact alternative syntax:
  242. - server:
  243. - server_name: localhost
  244. - listen:
  245. - '80 default_server'
  246. - '443 ssl'
  247. - index: 'index.html index.htm'
  248. - location ~ .htm:
  249. - try_files: '$uri $uri/ =404'
  250. - test: something else
  251. - include: 'snippets/letsencrypt.conf'
  252. # Using source_path options to upload the file instead of templating all the file
  253. mysite2:
  254. enabled: true
  255. available_dir: /etc/nginx/sites-available
  256. enabled_dir: /etc/nginx/sites-enabled
  257. config:
  258. # IMPORTANT: This field is mutually exclusive with TOFS and other
  259. # config options, it just uploads the specified file
  260. source_path: salt://path-to-site-file/mysite2
  261. # Below configuration becomes handy if you want to create custom
  262. # configuration files for example if you want to create
  263. # /usr/local/etc/nginx/http_options.conf with the following content:
  264. # sendfile on;
  265. # tcp_nopush on;
  266. # tcp_nodelay on;
  267. # send_iowait 12000;
  268. http_options.conf:
  269. enabled: true
  270. available_dir: /usr/local/etc/nginx
  271. enabled_dir: /usr/local/etc/nginx
  272. config:
  273. - sendfile: 'on'
  274. - tcp_nopush: 'on'
  275. - tcp_nodelay: 'on'
  276. - send_iowait: 12000
  277. # Use this if you need to deploy below certificates in a custom path.
  278. certificates_path: '/etc/nginx/ssl'
  279. # If you're doing SSL termination, you can deploy certificates this way.
  280. # The private one(s) should go in a separate pillar file not in version
  281. # control (or use encrypted pillar data).
  282. certificates:
  283. 'www.example.com':
  284. # choose one of: deploying this cert by pillar (e.g. in combination with
  285. # ext_pillar and file_tree)
  286. # public_cert_pillar: certs:example.com:fullchain.pem
  287. # private_key_pillar: certs:example.com:privkey.pem
  288. # or directly pasting the cert
  289. public_cert: |
  290. -----BEGIN CERTIFICATE-----
  291. (Your Primary SSL certificate: www.example.com.crt)
  292. -----END CERTIFICATE-----
  293. -----BEGIN CERTIFICATE-----
  294. (Your Intermediate certificate: ExampleCA.crt)
  295. -----END CERTIFICATE-----
  296. -----BEGIN CERTIFICATE-----
  297. (Your Root certificate: TrustedRoot.crt)
  298. -----END CERTIFICATE-----
  299. private_key: |
  300. -----BEGIN RSA PRIVATE KEY-----
  301. (Your Private Key: www.example.com.key)
  302. -----END RSA PRIVATE KEY-----
  303. dh_param:
  304. 'mydhparam1.pem': |
  305. -----BEGIN DH PARAMETERS-----
  306. (Your custom DH prime)
  307. -----END DH PARAMETERS-----
  308. # or to generate one on-the-fly
  309. 'mydhparam2.pem':
  310. keysize: 2048
  311. # Passenger configuration
  312. # Default passenger configuration is provided, and will be deployed in
  313. # /etc/nginx/conf.d/passenger.conf
  314. # Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf )
  315. passenger:
  316. passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  317. passenger_ruby: /usr/bin/ruby
  318. passenger_instance_registry_dir: /var/run/passenger-instreg
  319. tofs:
  320. # The files_switch key serves as a selector for alternative
  321. # directories under the formula files directory. See TOFS pattern
  322. # doc for more info.
  323. # Note: Any value not evaluated by `config.get` will be used literally.
  324. # This can be used to set custom paths, as many levels deep as required.
  325. # files_switch:
  326. # - any/path/can/be/used/here
  327. # - id
  328. # - role
  329. # - osfinger
  330. # - os
  331. # - os_family
  332. #
  333. # All aspects of path/file resolution are customisable using the options below.
  334. # This is unnecessary in most cases; there are sensible defaults.
  335. # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
  336. # I.e.: salt://nginx/files/default
  337. # path_prefix: template_alt
  338. # dirs:
  339. # files: files_alt
  340. # default: default_alt
  341. source_files:
  342. nginx_config_file_managed:
  343. - alt_nginx.conf
  344. passenger_config_file_managed:
  345. - alt_nginx.conf
  346. server_conf_file_managed:
  347. - alt_server.conf
  348. nginx_systemd_service_file:
  349. - alt_nginx.service
  350. nginx_snippet_file_managed:
  351. - alt_server.conf