Saltstack Official Nginx Formula
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.

357 lines
13KB

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # ========
  5. # nginx (previously named nginx:ng)
  6. # ========
  7. nginx:
  8. # The following three `install_from_` options are mutually exclusive. If none
  9. # is used, the distro's provided package will be installed. If one of the
  10. # `install_from` option is set to `true`, the state will make sure the other
  11. # two repos are removed.
  12. # Use the official's nginx repo binaries
  13. install_from_repo: false
  14. # Use Phusionpassenger's repo to install nginx and passenger binaries
  15. # Debian, Centos, Ubuntu and Redhat are currently available
  16. install_from_phusionpassenger: false
  17. # PPA install
  18. install_from_ppa: false
  19. # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for
  20. # each build accordingly ( https://launchpad.net/~nginx )
  21. ppa_version: 'stable'
  22. # Source install
  23. source_version: '1.10.0'
  24. source_hash: ''
  25. # These are usually set by grains in map.jinja
  26. # Typically you can comment these out.
  27. lookup:
  28. package: nginx-custom (can be a list)
  29. service: nginx
  30. webuser: www-data
  31. conf_file: /etc/nginx/nginx.conf
  32. server_available: /etc/nginx/sites-available
  33. server_enabled: /etc/nginx/sites-enabled
  34. server_use_symlink: true
  35. # If you install nginx+passenger from phusionpassenger in Debian, these
  36. # values will probably be needed
  37. passenger_package: libnginx-mod-http-passenger
  38. passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
  39. # This is required for RedHat like distros (Amazon Linux) that don't follow
  40. # semantic versioning for $releasever
  41. rh_os_releasever: '6'
  42. # Currently it can be used on rhel/centos/suse when installing from repo
  43. gpg_check: true
  44. ### prevents rendering SLS error nginx.server.config.pid undefined ###
  45. pid_file: /var/run/nginx.pid
  46. # Source compilation is not currently a part of nginx
  47. from_source: false
  48. source:
  49. opts: {}
  50. package:
  51. opts: {} # this partially exposes parameters of pkg.installed
  52. service:
  53. enable: true # Whether or not the service will be enabled/running or dead
  54. opts: {} # this partially exposes parameters of service.running / service.dead
  55. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  56. ## You can use snippets to define often repeated configuration once and
  57. ## include it later # The letsencrypt example below is consumed by "- include:
  58. ## 'snippets/letsencrypt.conf'" # Files or Templates can be retrieved by TOFS
  59. ## with snippet name ( Fallback to server.conf )
  60. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  61. snippets:
  62. letsencrypt.conf:
  63. - location ^~ /.well-known/acme-challenge/:
  64. - proxy_pass: http://localhost:9999
  65. cloudflare_proxy.conf:
  66. - set_real_ip_from: 103.21.244.0/22
  67. - set_real_ip_from: 103.22.200.0/22
  68. - set_real_ip_from: 104.16.0.0/12
  69. - set_real_ip_from: 108.162.192.0/18
  70. blacklist.conf:
  71. - map $http_user_agent $bad_bot:
  72. - default: 0
  73. - '~*^Lynx': 0
  74. - '~*malicious': 1
  75. - '~*bot': 1
  76. - '~*crawler': 1
  77. - '~*bandit': 1
  78. - libwww-perl: 1
  79. - '~(?i)(httrack|htmlparser|libwww)': 1
  80. upstream_netdata_tcp.conf:
  81. - upstream netdata:
  82. - server: 127.0.0.1:19999
  83. - keepalive: 64
  84. server:
  85. # this partially exposes file.managed parameters as they relate to the main
  86. # nginx.conf file
  87. opts: {}
  88. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  89. # nginx.conf (main server) declarations dictionaries map to blocks {} and
  90. # lists cause the same declaration to repeat with different values see also
  91. # http://nginx.org/en/docs/example.html Nginx config file or template can
  92. # be retrieved by TOFS ( Fallback to nginx.conf )
  93. ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  94. config:
  95. include: 'snippets/letsencrypt.conf'
  96. # IMPORTANT: This option is mutually exclusive with TOFS and the rest of
  97. # the options; if it is found other options (worker_processes: 4 and so
  98. # on) are not processed and just upload the file from source
  99. source_path: salt://path_to_nginx_conf_file/nginx.conf
  100. worker_processes: 4
  101. # pass as very first in configuration; otherwise nginx will fail to start
  102. load_module: modules/ngx_http_lua_module.so
  103. # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
  104. # pid: /var/run/nginx.pid
  105. events:
  106. worker_connections: 1024
  107. http:
  108. sendfile: 'on'
  109. include:
  110. #### Note: Syntax issues in these files generate nginx [emerg] errors
  111. #### on startup.
  112. - /etc/nginx/mime.types
  113. ### module ngx_http_log_module example
  114. log_format: |-
  115. main '$remote_addr - $remote_user [$time_local] $status '
  116. '"$request" $body_bytes_sent "$http_referer" '
  117. '"$http_user_agent" "$http_x_forwarded_for"'
  118. access_log: [] # suppress default access_log option from being added
  119. # module nngx_stream_core_module
  120. # yamllint disable-line rule:line-length
  121. # https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
  122. stream:
  123. upstream lb-1000:
  124. - server:
  125. - hostname1.example.com:1000
  126. - hostname2.example.com:1000
  127. upstream stream_backend:
  128. least_conn: ''
  129. 'server backend1.example.com:12345 weight=5': ~
  130. 'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~
  131. 'server backend3.example.com:12345 max_conns=3': ~
  132. upstream dns_servers:
  133. least_conn: ''
  134. 'server 192.168.136.130:53': ~
  135. 'server 192.168.136.131:53': ~
  136. 'server 192.168.136.132:53': ~
  137. server:
  138. listen: 1000
  139. proxy_pass: lb-1000
  140. 'server ':
  141. listen: '53 udp'
  142. proxy_pass: dns_servers
  143. 'server ':
  144. listen: 12346
  145. proxy_pass: backend4.example.com:12346
  146. servers:
  147. # a postfix appended to files when doing non-symlink disabling
  148. disabled_postfix: .disabled
  149. # partially exposes file.symlink params when symlinking enabled sites
  150. symlink_opts: {}
  151. # partially exposes file.rename params when not symlinking disabled/enabled sites
  152. rename_opts: {}
  153. # partially exposes file.managed params for managed server files
  154. managed_opts: {}
  155. # partially exposes file.directory params for site available/enabled and
  156. # snippets dirs
  157. dir_opts: {}
  158. #####################
  159. # server declarations; placed by default in server "available" directory
  160. #####################
  161. managed:
  162. # relative filename of server file
  163. # (defaults to '/etc/nginx/sites-available/mysite')
  164. mysite:
  165. # may be true, false, or None where true is enabled, false, disabled,
  166. # and None indicates no action
  167. enabled: true
  168. # Remove the site config file shipped by nginx
  169. # (i.e. '/etc/nginx/sites-available/default' by default)
  170. # It also remove the symlink (if it is exists).
  171. # The site MUST be disabled before delete it (if not the nginx is not
  172. # reloaded).
  173. # deleted: true
  174. # custom directory (not sites-available) for server filename
  175. # available_dir: /etc/nginx/sites-available-custom
  176. # custom directory (not sites-enabled) for server filename
  177. # enabled_dir: /etc/nginx/sites-enabled-custom
  178. # an alternative disabled name to be use when not symlinking
  179. disabled_name: mysite.aint_on
  180. # overwrite an existing server file or not
  181. overwrite: true
  182. # May be a list of config options or None, if None, no server file will
  183. # be managed/templated Take server directives as lists of dictionaries.
  184. # If the dictionary value is another list of dictionaries a block {}
  185. # will be started with the dictionary key name
  186. config:
  187. # both of the methods below lead to the output:
  188. # server {
  189. # server_name localhost;
  190. # listen 80 default_server;
  191. # listen 443 ssl;
  192. # index index.html index.htm;
  193. # location ~ .htm {
  194. # try_files $uri $uri/ =404;
  195. # test something else;
  196. # }
  197. # }
  198. - server:
  199. - server_name: localhost
  200. - listen:
  201. - '80 default_server'
  202. - listen:
  203. - '443 ssl'
  204. - index: 'index.html index.htm'
  205. - location ~ .htm:
  206. - try_files: '$uri $uri/ =404'
  207. - test: something else
  208. - include: 'snippets/letsencrypt.conf'
  209. # Or a slightly more compact alternative syntax:
  210. - server:
  211. - server_name: localhost
  212. - listen:
  213. - '80 default_server'
  214. - '443 ssl'
  215. - index: 'index.html index.htm'
  216. - location ~ .htm:
  217. - try_files: '$uri $uri/ =404'
  218. - test: something else
  219. - include: 'snippets/letsencrypt.conf'
  220. # Using source_path options to upload the file instead of templating all the file
  221. mysite2:
  222. enabled: true
  223. available_dir: /etc/nginx/sites-available
  224. enabled_dir: /etc/nginx/sites-enabled
  225. config:
  226. # IMPORTANT: This field is mutually exclusive with TOFS and other
  227. # config options, it just uploads the specified file
  228. source_path: salt://path-to-site-file/mysite2
  229. # Below configuration becomes handy if you want to create custom
  230. # configuration files for example if you want to create
  231. # /usr/local/etc/nginx/http_options.conf with the following content:
  232. # sendfile on;
  233. # tcp_nopush on;
  234. # tcp_nodelay on;
  235. # send_iowait 12000;
  236. http_options.conf:
  237. enabled: true
  238. available_dir: /usr/local/etc/nginx
  239. enabled_dir: /usr/local/etc/nginx
  240. config:
  241. - sendfile: 'on'
  242. - tcp_nopush: 'on'
  243. - tcp_nodelay: 'on'
  244. - send_iowait: 12000
  245. # Use this if you need to deploy below certificates in a custom path.
  246. certificates_path: '/etc/nginx/ssl'
  247. # If you're doing SSL termination, you can deploy certificates this way.
  248. # The private one(s) should go in a separate pillar file not in version
  249. # control (or use encrypted pillar data).
  250. certificates:
  251. 'www.example.com':
  252. # choose one of: deploying this cert by pillar (e.g. in combination with
  253. # ext_pillar and file_tree)
  254. # public_cert_pillar: certs:example.com:fullchain.pem
  255. # private_key_pillar: certs:example.com:privkey.pem
  256. # or directly pasting the cert
  257. public_cert: |
  258. -----BEGIN CERTIFICATE-----
  259. (Your Primary SSL certificate: www.example.com.crt)
  260. -----END CERTIFICATE-----
  261. -----BEGIN CERTIFICATE-----
  262. (Your Intermediate certificate: ExampleCA.crt)
  263. -----END CERTIFICATE-----
  264. -----BEGIN CERTIFICATE-----
  265. (Your Root certificate: TrustedRoot.crt)
  266. -----END CERTIFICATE-----
  267. private_key: |
  268. -----BEGIN RSA PRIVATE KEY-----
  269. (Your Private Key: www.example.com.key)
  270. -----END RSA PRIVATE KEY-----
  271. dh_param:
  272. 'mydhparam1.pem': |
  273. -----BEGIN DH PARAMETERS-----
  274. (Your custom DH prime)
  275. -----END DH PARAMETERS-----
  276. # or to generate one on-the-fly
  277. 'mydhparam2.pem':
  278. keysize: 2048
  279. # Passenger configuration
  280. # Default passenger configuration is provided, and will be deployed in
  281. # /etc/nginx/conf.d/passenger.conf
  282. # Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf )
  283. passenger:
  284. passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  285. passenger_ruby: /usr/bin/ruby
  286. passenger_instance_registry_dir: /var/run/passenger-instreg
  287. tofs:
  288. # The files_switch key serves as a selector for alternative
  289. # directories under the formula files directory. See TOFS pattern
  290. # doc for more info.
  291. # Note: Any value not evaluated by `config.get` will be used literally.
  292. # This can be used to set custom paths, as many levels deep as required.
  293. # files_switch:
  294. # - any/path/can/be/used/here
  295. # - id
  296. # - role
  297. # - osfinger
  298. # - os
  299. # - os_family
  300. #
  301. # All aspects of path/file resolution are customisable using the options below.
  302. # This is unnecessary in most cases; there are sensible defaults.
  303. # Default path: salt://{{ path_prefix }}/{{ dirs.files }}/{{ dirs.default }}
  304. # I.e.: salt://nginx/files/default
  305. # path_prefix: template_alt
  306. # dirs:
  307. # files: files_alt
  308. # default: default_alt
  309. source_files:
  310. nginx_config_file_managed:
  311. - alt_nginx.conf
  312. passenger_config_file_managed:
  313. - alt_nginx.conf
  314. server_conf_file_managed:
  315. - alt_server.conf
  316. nginx_systemd_service_file:
  317. - alt_nginx.service
  318. nginx_snippet_file_managed:
  319. - alt_server.conf