@@ -0,0 +1,23 @@ | |||
include: | |||
- nginx.ng.service | |||
{%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %} | |||
nginx_{{ domain }}_ssl_certificate: | |||
file.managed: | |||
- name: /etc/nginx/ssl/{{ domain }}.crt | |||
- makedirs: True | |||
- contents_pillar: nginx:ng:certificates:{{ domain }}:public_cert | |||
- watch_in: | |||
- service: nginx_service | |||
nginx_{{ domain }}_ssl_key: | |||
file.managed: | |||
- name: /etc/nginx/ssl/{{ domain }}.key | |||
- mode: 600 | |||
- makedirs: True | |||
- contents_pillar: nginx:ng:certificates:{{ domain }}:private_key | |||
- watch_in: | |||
- service: nginx_service | |||
{%- endfor %} |
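Review bot: The `nginx_{{ domain }}_ssl_key` state writes the private key through `file.managed` without setting `show_changes`, so when the key content changes the file diff can be included in the state return and from there reach the master's job cache and any configured returner; adding `- show_changes: False` to that state keeps key material out of job output. Both states rely on `makedirs: True` to create `/etc/nginx/ssl`, which leaves the directory with default permissions and implicit ownership; a `- dir_mode: '0700'` on whichever state creates the directory would make the intended access explicit (confirm that the process reading the key runs as root on the target platforms). `- mode: 600` is safer written as a quoted string, `- mode: '0600'`, so it cannot be retyped as a YAML integer.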
@@ -6,6 +6,7 @@ include: | |||
- nginx.ng.config | |||
- nginx.ng.service | |||
- nginx.ng.vhosts | |||
- nginx.ng.certificates | |||
extend: | |||
nginx_service: |
@@ -106,3 +106,23 @@ nginx: | |||
# test something else; | |||
# } | |||
# } | |||
# If you're doing SSL termination, you can deploy certificates this way. | |||
# The private one(s) should go in a separate pillar file not in version | |||
# control (or use encrypted pillar data). | |||
certificates: | |||
'www.example.com': | |||
public_cert: | | |||
-----BEGIN CERTIFICATE----- | |||
(Your Primary SSL certificate: www.example.com.crt) | |||
-----END CERTIFICATE----- | |||
-----BEGIN CERTIFICATE----- | |||
(Your Intermediate certificate: ExampleCA.crt) | |||
-----END CERTIFICATE----- | |||
-----BEGIN CERTIFICATE----- | |||
(Your Root certificate: TrustedRoot.crt) | |||
-----END CERTIFICATE----- | |||
private_key: | | |||
-----BEGIN RSA PRIVATE KEY----- | |||
(Your Private Key: www.example.com.key) | |||
-----END RSA PRIVATE KEY----- |
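Review bot: The added comment tells operators to keep the private key in a separate pillar file but says nothing about targeting, and pillar data is made available to every minion that the file is assigned to in the pillar top file. I would extend the comment with a line such as `# Assign that pillar file only to the minions that terminate TLS for the domain.` The `nginx:` mapping this example belongs to starts outside the hunk.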