|
- # -*- coding: utf-8 -*-
- # vim: ft=yaml
- ---
- # ========
- # nginx (previously named nginx:ng)
- # ========
-
- nginx:
- # The following three `install_from_` options are mutually exclusive. If none
- # is used, the distro's provided package will be installed. If one of the
- # `install_from` option is set to `true`, the state will make sure the other
- # two repos are removed.
-
- # Use the official's nginx repo binaries
- install_from_repo: false
-
- # Use Phusionpassenger's repo to install nginx and passenger binaries
- # Debian, Centos, Ubuntu and Redhat are currently available
- install_from_phusionpassenger: false
-
- # PPA install
- install_from_ppa: false
- # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for
- # each build accordingly ( https://launchpad.net/~nginx )
- ppa_version: 'stable'
-
- # Use openSUSE devel (server:http) repository to install nginx.
- # If not set, the server_http repository will be removed if it exists.
- install_from_opensuse_devel: false
-
- # Source install
- source_version: '1.10.0'
- source_hash: ''
-
- # Check the configuration before applying:
- # To prevent applying a configuration that might break nginx, set this
- # parameter to true so the configuration is checked BEFORE applying. If
- # the check fails, the state will fail and it won't be deployed.
- # CAVEAT: As the configuration file is created in a temp dir, it can't
- # have relative references or it will fail to check. You'll need to
- # specify full paths where required (ie, `include`, `load_module`,
- # `snippets`, etc.0
- # Defaults to false
- check_config_before_apply: false
-
- # These are usually set by grains in map.jinja
- # Typically you can comment these out.
- lookup:
- package: nginx-custom (can be a list)
- service: nginx
- webuser: www-data
- conf_file: /etc/nginx/nginx.conf
- server_available: /etc/nginx/sites-available
- server_enabled: /etc/nginx/sites-enabled
- server_use_symlink: true
- # If you install nginx+passenger from phusionpassenger in Debian, these
- # values will probably be needed
- passenger_package: libnginx-mod-http-passenger
- passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
-
- # This is required for RedHat like distros (Amazon Linux) that don't follow
- # semantic versioning for $releasever
- rh_os_releasever: '6'
- # Currently it can be used on rhel/centos/suse when installing from repo
- gpg_check: true
- ### prevents rendering SLS error nginx.server.config.pid undefined ###
- pid_file: /var/run/nginx.pid
-
-
- # Source compilation is not currently a part of nginx
- from_source: false
-
- source:
- opts: {}
-
- package:
- opts: {} # this partially exposes parameters of pkg.installed
-
- service:
- enable: true # Whether or not the service will be enabled/running or dead
- opts: {} # this partially exposes parameters of service.running / service.dead
-
- ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
- ## You can use snippets to define often repeated configuration once and
- ## include it later # The letsencrypt example below is consumed by "- include:
- ## 'snippets/letsencrypt.conf'" # Files or Templates can be retrieved by TOFS
- ## with snippet name ( Fallback to server.conf )
- ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
- snippets:
- letsencrypt.conf:
- - location ^~ /.well-known/acme-challenge/:
- - proxy_pass: http://localhost:9999
- cloudflare_proxy.conf:
- - set_real_ip_from: 103.21.244.0/22
- - set_real_ip_from: 103.22.200.0/22
- - set_real_ip_from: 104.16.0.0/12
- - set_real_ip_from: 108.162.192.0/18
- blacklist.conf:
- - map $http_user_agent $bad_bot:
- - default: 0
- - '~*^Lynx': 0
- - '~*malicious': 1
- - '~*bot': 1
- - '~*crawler': 1
- - '~*bandit': 1
- - libwww-perl: 1
- - '~(?i)(httrack|htmlparser|libwww)': 1
- upstream_netdata_tcp.conf:
- - upstream netdata:
- - server: 127.0.0.1:19999
- - keepalive: 64
-
- server:
- # this partially exposes file.managed parameters as they relate to the main
- # nginx.conf file
- opts: {}
-
- ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
- # nginx.conf (main server) declarations dictionaries map to blocks {} and
- # lists cause the same declaration to repeat with different values see also
- # http://nginx.org/en/docs/example.html Nginx config file or template can
- # be retrieved by TOFS ( Fallback to nginx.conf )
- ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
- config:
- include: 'snippets/letsencrypt.conf'
- # IMPORTANT: This option is mutually exclusive with TOFS.
- # It uploads the file from source and passes the global `nginx` and the
- # `config` dictionnary to the template.
- # `jinja` is assumed as template type.
- source_path: salt://path_to_nginx_conf_file/nginx.conf
- worker_processes: 4
- # pass as very first in configuration; otherwise nginx will fail to start
- load_module: modules/ngx_http_lua_module.so
- # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
- # pid: /var/run/nginx.pid
- events:
- worker_connections: 1024
- http:
- sendfile: 'on'
- include:
- #### Note: Syntax issues in these files generate nginx [emerg] errors
- #### on startup.
- - /etc/nginx/mime.types
-
- ### module ngx_http_log_module example
- log_format: |-
- main '$remote_addr - $remote_user [$time_local] $status '
- '"$request" $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"'
- access_log: [] # suppress default access_log option from being added
-
- # module nngx_stream_core_module
- # yamllint disable-line rule:line-length
- # https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
- stream:
- upstream lb-1000:
- - server:
- - hostname1.example.com:1000
- - hostname2.example.com:1000
- upstream stream_backend:
- least_conn: ''
- 'server backend1.example.com:12345 weight=5': ~
- 'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~
- 'server backend3.example.com:12345 max_conns=3': ~
- upstream dns_servers:
- least_conn: ''
- 'server 192.168.136.130:53': ~
- 'server 192.168.136.131:53': ~
- 'server 192.168.136.132:53': ~
- server:
- listen: 1000
- proxy_pass: lb-1000
- 'server ':
- listen: '53 udp'
- proxy_pass: dns_servers
- 'server ':
- listen: 12346
- proxy_pass: backend4.example.com:12346
-
-
- servers:
- # a postfix appended to files when doing non-symlink disabling
- disabled_postfix: .disabled
- # partially exposes file.symlink params when symlinking enabled sites
- symlink_opts: {}
- # partially exposes file.rename params when not symlinking disabled/enabled sites
- rename_opts: {}
- # partially exposes file.managed params for managed server files
- managed_opts: {}
- # partially exposes file.directory params for site available/enabled and
- # snippets dirs
- dir_opts: {}
- # let the choice to purge site-available and site-enable folders before add new ones
- # (if True it removes all non-salt-managed files)
- purge_servers_config: false
-
-
- #####################
- # server declarations; placed by default in server "available" directory
- #####################
- managed:
-
- # relative filename of server file
- # (defaults to '/etc/nginx/sites-available/mysite')
- mysite:
- # may be true, false, or None where true is enabled, false, disabled,
- # and None indicates no action
- enabled: true
-
- # This let's you add dependencies on other resources being applied for a
- # particular vhost
- # A common case is when you use this formula together with letsencrypt's,
- # validating through nginx: you need nginx running (to validate the vhost) but
- # can't have the ssl vhost up until the certificate is created (because it
- # won't exist and will make nginx fail to load the configuration)
- #
- # An example, when using LE to create the cert for 'some.host.domain':
- # requires:
- # cmd: create-initial-cert-some.host.domain
- requires: {}
-
- # Remove the site config file shipped by nginx
- # (i.e. '/etc/nginx/sites-available/default' by default)
- # It also remove the symlink (if it is exists).
- # The site MUST be disabled before delete it (if not the nginx is not
- # reloaded).
- # deleted: true
-
- # custom directory (not sites-available) for server filename
- # available_dir: /etc/nginx/sites-available-custom
- # custom directory (not sites-enabled) for server filename
- # enabled_dir: /etc/nginx/sites-enabled-custom
- # an alternative disabled name to be use when not symlinking
- disabled_name: mysite.aint_on
- # overwrite an existing server file or not
- overwrite: true
-
- # May be a list of config options or None, if None, no server file will
- # be managed/templated Take server directives as lists of dictionaries.
- # If the dictionary value is another list of dictionaries a block {}
- # will be started with the dictionary key name
- config:
- # both of the methods below lead to the output:
- # server {
- # server_name localhost;
- # listen 80 default_server;
- # listen 443 ssl;
- # index index.html index.htm;
- # location ~ .htm {
- # try_files $uri $uri/ =404;
- # test something else;
- # }
- # }
-
- - server:
- - server_name: localhost
- - listen:
- - '80 default_server'
- - listen:
- - '443 ssl'
- - index: 'index.html index.htm'
- - location ~ .htm:
- - try_files: '$uri $uri/ =404'
- - test: something else
- - include: 'snippets/letsencrypt.conf'
-
- # Or a slightly more compact alternative syntax:
- - server:
- - server_name: localhost
- - listen:
- - '80 default_server'
- - '443 ssl'
- - index: 'index.html index.htm'
- - location ~ .htm:
- - try_files: '$uri $uri/ =404'
- - test: something else
- - include: 'snippets/letsencrypt.conf'
-
-
- # Using source_path options to upload the file instead of templating all the file
- mysite2:
- enabled: true
- available_dir: /etc/nginx/sites-available
- enabled_dir: /etc/nginx/sites-enabled
- config:
- # IMPORTANT: This field is mutually exclusive with TOFS.
- # It uploads the file from source and passes the global `nginx` and the
- # `config` dictionnary to the template.
- # `jinja` is assumed as template type.
- source_path: salt://path-to-site-file/mysite2
- # Example:
- port: 80 # is passed as `config.port` to template located at `source_path`
- custom_key: custom_value
-
- # Below configuration becomes handy if you want to create custom
- # configuration files for example if you want to create
- # /usr/local/etc/nginx/http_options.conf with the following content:
-
- # sendfile on;
- # tcp_nopush on;
- # tcp_nodelay on;
- # send_iowait 12000;
-
- http_options.conf:
- enabled: true
- available_dir: /usr/local/etc/nginx
- enabled_dir: /usr/local/etc/nginx
- config:
- - sendfile: 'on'
- - tcp_nopush: 'on'
- - tcp_nodelay: 'on'
- - send_iowait: 12000
-
- # Use this if you need to deploy below certificates in a custom path.
- certificates_path: '/etc/nginx/ssl'
- # If you're doing SSL termination, you can deploy certificates this way.
- # The private one(s) should go in a separate pillar file not in version
- # control (or use encrypted pillar data).
- certificates:
- 'www.example.com':
-
- # choose one of: deploying this cert by pillar (e.g. in combination with
- # ext_pillar and file_tree)
- # public_cert_pillar: certs:example.com:fullchain.pem
- # private_key_pillar: certs:example.com:privkey.pem
- # or directly pasting the cert
- public_cert: |
- -----BEGIN CERTIFICATE-----
- (Your Primary SSL certificate: www.example.com.crt)
- -----END CERTIFICATE-----
- -----BEGIN CERTIFICATE-----
- (Your Intermediate certificate: ExampleCA.crt)
- -----END CERTIFICATE-----
- -----BEGIN CERTIFICATE-----
- (Your Root certificate: TrustedRoot.crt)
- -----END CERTIFICATE-----
- private_key: |
- -----BEGIN RSA PRIVATE KEY-----
- (Your Private Key: www.example.com.key)
- -----END RSA PRIVATE KEY-----
-
- dh_param:
- 'mydhparam1.pem': |
- -----BEGIN DH PARAMETERS-----
- (Your custom DH prime)
- -----END DH PARAMETERS-----
- # or to generate one on-the-fly
- 'mydhparam2.pem':
- keysize: 2048
-
- # Passenger configuration
- # Default passenger configuration is provided, and will be deployed in
- # /etc/nginx/conf.d/passenger.conf
- # Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf )
- passenger:
- passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
- passenger_ruby: /usr/bin/ruby
- passenger_instance_registry_dir: /var/run/passenger-instreg
-
- tofs:
- # The files_switch key serves as a selector for alternative
- # directories under the formula files directory. See TOFS pattern
- # doc for more info.
- # Note: Any value not evaluated by `config.get` will be used literally.
- # This can be used to set custom paths, as many levels deep as required.
- # files_switch:
- # - any/path/can/be/used/here
- # - id
- # - role
- # - osfinger
- # - os
- # - os_family
- #
- # All aspects of path/file resolution are customisable using the options below.
- # This is unnecessary in most cases; there are sensible defaults.
- # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
- # I.e.: salt://nginx/files/default
- # path_prefix: template_alt
- # dirs:
- # files: files_alt
- # default: default_alt
- source_files:
- nginx_config_file_managed:
- - alt_nginx.conf
- passenger_config_file_managed:
- - alt_nginx.conf
- server_conf_file_managed:
- - alt_server.conf
- nginx_systemd_service_file:
- - alt_nginx.service
- nginx_snippet_file_managed:
- - alt_server.conf
|
