Initial commit
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
new file mode 100644
index 0000000..92e2145
--- /dev/null
+++ b/CHANGELOG.rst
@@ -0,0 +1,6 @@
+nginx formula
+=============
+
+0.0.1 (2015-08-03)
+
+- Initial formula setup
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..33fc124
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,13 @@
+Copyright (c) 2014-2015 tcp cloud
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..2c9a554
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,139 @@
+
+=====
+Nginx
+=====
+
+Nginx is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server (origin server). The nginx project started with a strong focus on high concurrency, high performance and low memory usage.
+
+Sample pillars
+==============
+
+Gitlab server setup
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ enabled: true
+ bind:
+ address: '0.0.0.0'
+ ports:
+ - 80
+ site:
+ gitlab_domain:
+ enabled: true
+ type: gitlab
+ name: domain
+ ssl:
+ enabled: true
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ ...
+ cert: |
+ xyz
+ chain: |
+ my_chain..
+ host:
+ name: gitlab.domain.com
+ port: 80
+
+Simple static HTTP site
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ site:
+ nginx_static_site01:
+ enabled: true
+ type: static
+ name: site01
+ host:
+ name: gitlab.domain.com
+ port: 80
+
+Simple HTTP proxy
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ site:
+ nginx_proxy_site01:
+ enabled: true
+ type: proxy
+ name: site01
+ proxy:
+ host: local.domain.com
+ port: 80
+ protocol: http
+ host:
+ name: gitlab.domain.com
+ port: 80
+
+Simple Websocket proxy
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ site:
+ nginx_proxy_site02:
+ enabled: true
+ type: proxy
+ name: site02
+ proxy:
+ websocket: true
+ host: local.domain.com
+ port: 80
+ protocol: http
+ host:
+ name: gitlab.domain.com
+ port: 80
+
+Content filtering proxy
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ enabled: true
+ site:
+ nginx_proxy_site03:
+ enabled: true
+ type: proxy
+ name: site03
+ proxy:
+ host: local.domain.com
+ port: 80
+ protocol: http
+ filter:
+ search: https://www.domain.com
+ replace: http://10.10.10.10
+ host:
+ name: gitlab.domain.com
+ port: 80
+
+Gitlab server with user for basic auth
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ enabled: true
+ user:
+ username1:
+ enabled: true
+ password: magicunicorn
+ htpasswd: htpasswd-site1
+ username2:
+ enabled: true
+ password: magicunicorn
+
+Read more
+=========
+
+* http://wiki.nginx.org/Main
+* https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+* http://nginx.com/resources/admin-guide/reverse-proxy/
+* https://mozilla.github.io/server-side-tls/ssl-config-generator/
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..3b04cfb
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+0.2
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..0c97bff
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,11 @@
+salt-formula-nginx (0.2) trusty; urgency=medium
+
+ * First public release
+
+ -- Filip Pytloun <filip.pytloun@tcpcloud.eu> Tue, 06 Oct 2015 16:38:49 +0200
+
+salt-formula-nginx (0.1) trusty; urgency=medium
+
+ * Initial release
+
+ -- Filip Pytloun <filip.pytloun@tcpcloud.eu> Thu, 13 Aug 2015 23:23:41 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..37b7206
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,15 @@
+Source: salt-formula-nginx
+Maintainer: Filip Pytloun <filip.pytloun@tcpcloud.eu>
+Section: admin
+Priority: optional
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.6
+Homepage: http://www.tcpcloud.eu
+Vcs-Browser: https://github.com/tcpcloud/salt-formula-nginx
+Vcs-Git: https://github.com/tcpcloud/salt-formula-nginx.git
+
+Package: salt-formula-nginx
+Architecture: all
+Depends: ${misc:Depends}, salt-master, reclass
+Description: Nginx Salt formula
+ Install and configure nginx server.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..d51aa4b
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,15 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: salt-formula-nginx
+Upstream-Contact: Filip Pytloun <filip.pytloun@tcpcloud.eu>
+Source: https://github.com/tcpcloud/salt-formula-nginx
+
+Files: *
+Copyright: 2014-2015 tcp cloud
+License: Apache-2.0
+ Copyright (C) 2014-2015 tcp cloud
+ .
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ .
+ On a Debian system you can find a copy of this license in
+ /usr/share/common-licenses/Apache-2.0.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..d585829
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,3 @@
+README.rst
+CHANGELOG.rst
+VERSION
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..36c83c3
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,2 @@
+nginx/* /usr/share/salt-formulas/env/nginx/
+metadata/service/* /usr/share/salt-formulas/reclass/service/nginx/
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..abde6ef
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,5 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
+
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
new file mode 100644
index 0000000..063e77e
--- /dev/null
+++ b/metadata/service/server/single.yml
@@ -0,0 +1,10 @@
+applications:
+- nginx
+parameters:
+ nginx:
+ server:
+ enabled: true
+ extras: false
+ bind:
+ address: 0.0.0.0
+ protocol: tcp
diff --git a/nginx/files/_auth.conf b/nginx/files/_auth.conf
new file mode 100644
index 0000000..2cc3653
--- /dev/null
+++ b/nginx/files/_auth.conf
@@ -0,0 +1,11 @@
+
+ {%- if site.auth is defined %}
+ {%- if site.auth.engine == 'basic' %}
+ auth_basic "Restricted";
+ {%- if site.auth.htpasswd is defined %}
+ auth_basic_user_file /etc/nginx/{{ site.auth.htpasswd }};
+ {%- else %}
+ auth_basic_user_file /etc/nginx/htpasswd;
+ {%- endif %}
+ {%- endif %}
+ {%- endif %}
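Review bot: This partial is only included from `static.conf` (L655); `proxy.conf` never pulls it in, so a `site.auth` block on a proxy site is silently ignored even though the README's basic-auth example is a GitLab proxy — either add `{%- include "nginx/files/_auth.conf" %}` to the proxy `location /` or document that basic auth is static-only. The file name on the `auth_basic_user_file` line is interpolated unchecked, so a pillar value containing `/` or `..` points nginx at a file outside `/etc/nginx`; a render-time check that rejects any `htpasswd` value with a `/` in it would close that. `site.auth.engine` is dereferenced without `.get`, so an `auth` block that omits `engine` aborts the render rather than falling back to no auth.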
diff --git a/nginx/files/_log.conf b/nginx/files/_log.conf
new file mode 100644
index 0000000..dd9a4b8
--- /dev/null
+++ b/nginx/files/_log.conf
@@ -0,0 +1,3 @@
+
+ access_log /var/log/nginx/{{ site_name }}-access.log;
+ error_log /var/log/nginx/{{ site_name }}-error.log;
diff --git a/nginx/files/_name.conf b/nginx/files/_name.conf
new file mode 100644
index 0000000..4dbcf27
--- /dev/null
+++ b/nginx/files/_name.conf
@@ -0,0 +1,4 @@
+
+ listen {% if site.host.address is defined %}{{ site.host.address }}:{% endif %}{% if site.host.port is defined %}{{ site.host.port }}{% else %}80{% endif %}{% if site.get('ssl', {'enabled': False}).get('enabled', False) %} ssl{% endif %};
+
+ server_name {{ site.host.name }}{%- if site.host.aliases is defined %} {{ site.host.aliases|join(' ') }}{%- endif %};
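Review bot: The `listen` line falls back to port 80 even when `site.ssl.enabled` is true, so a TLS site that omits `host.port` (or copies the README example, which sets `port: 80` next to `ssl.enabled: true`) ends up serving HTTPS on port 80. The default should follow the ssl flag: `{% else %}{% if site.get('ssl', {}).get('enabled', False) %}443{% else %}80{% endif %}{% endif %}`. `site.host.name` and the aliases go into `server_name` unquoted, which is fine for hostnames, but a value with whitespace silently becomes extra server names — worth a one-line comment that the pillar value must be a bare hostname.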
diff --git a/nginx/files/_ssl.conf b/nginx/files/_ssl.conf
new file mode 100644
index 0000000..7c7e6a9
--- /dev/null
+++ b/nginx/files/_ssl.conf
@@ -0,0 +1,9 @@
+
+ {%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
+ ssi on;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/{{ site.host.name }}.crt;
+ ssl_certificate_key /etc/ssl/private/{{ site.host.name }}.key;
+ {%- set ssl_mode = site.ssl.get('mode', 'secure') %}
+ {%- include "nginx/files/_ssl_"+ssl_mode+".conf" %}
+ {%- endif %}
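Review bot: `ssi on;` on the line after the ssl check has nothing to do with TLS — it enables server-side-include processing for every HTTPS site, which matters for static sites that accept WebDAV uploads (`static.conf`) because SSI directives in uploaded content are then evaluated by nginx; it looks like a typo for a second `ssl` line and should be dropped. `ssl_certificate` points at `{{ site.host.name }}.crt`, but `sites.sls` (L785) builds `{{ site.host.name }}-with-chain.crt` for exactly this purpose, so the intermediate chain is never sent and clients without the intermediates cached fail validation: `ssl_certificate /etc/ssl/certs/{{ site.host.name }}-with-chain.crt;`. `ssl on;` is redundant with the ` ssl` listen parameter `_name.conf` already emits. A short header comment explaining that `ssl.mode` selects one of the `_ssl_<mode>.conf` partials (and that an unknown mode fails the render on the include) would help operators.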
diff --git a/nginx/files/_ssl_normal.conf b/nginx/files/_ssl_normal.conf
new file mode 100644
index 0000000..0412c32
--- /dev/null
+++ b/nginx/files/_ssl_normal.conf
@@ -0,0 +1,6 @@
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+ssl_prefer_server_ciphers on;
+ssl_ecdh_curve secp521r1;
+
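Review bot: The `ssl_ciphers` line still admits `DES-CBC3-SHA`, the bare `AES`/`CAMELLIA` aliases and non-forward-secret RSA suites, and `ssl_protocols` keeps TLSv1/TLSv1.1, so "normal" is a legacy-compatibility profile rather than a hardened one; that is defensible as an opt-in, but it should say so, e.g. `# compatibility profile: 3DES and non-PFS suites kept for legacy clients`. `ssl_ecdh_curve secp521r1` is the odd choice — P-521 is not offered by several mainstream clients, and a client that does not offer the server's only curve cannot negotiate any ECDHE suite and drops to DHE or plain RSA; `ssl_ecdh_curve secp384r1;` (what the Mozilla generator linked from the README recommended) avoids that.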
diff --git a/nginx/files/_ssl_secure.conf b/nginx/files/_ssl_secure.conf
new file mode 100644
index 0000000..0ae8811
--- /dev/null
+++ b/nginx/files/_ssl_secure.conf
@@ -0,0 +1,5 @@
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
+ssl_prefer_server_ciphers on;
+ssl_ecdh_curve secp521r1;
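Review bot: `secure` is the default mode picked by `_ssl.conf`, yet its `ssl_protocols` line still enables TLSv1 and TLSv1.1 and the cipher string includes CBC/SHA1 suites, which is closer to an intermediate profile than to the "Modern compatibility" page the README cites; for a mode named secure I would expect `ssl_protocols TLSv1.2;` and an AEAD-only list, with legacy clients steered to `normal`. There is also no HSTS here — `add_header Strict-Transport-Security "max-age=15768000";` is a one-liner if this is meant to be the hardened profile, though it should be opt-in since it is sticky for clients. `ssl_ecdh_curve secp521r1` has the same client-support problem as in `_ssl_normal.conf`; `secp384r1` is the safer pick.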
diff --git a/nginx/files/collectd.conf b/nginx/files/collectd.conf
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/nginx/files/collectd.conf
diff --git a/nginx/files/nginx.conf b/nginx/files/nginx.conf
new file mode 100644
index 0000000..ecdc059
--- /dev/null
+++ b/nginx/files/nginx.conf
@@ -0,0 +1,95 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ server_names_hash_bucket_size 128;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # nginx-naxsi config
+ ##
+ # Uncomment it if you installed nginx-naxsi
+ ##
+
+ #include /etc/nginx/naxsi_core.rules;
+
+ ##
+ # nginx-passenger config
+ ##
+ # Uncomment it if you installed nginx-passenger
+ ##
+
+ #passenger_root /usr;
+ #passenger_ruby /usr/bin/ruby;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
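Review bot: `# server_tokens off;` is left commented out, so every response and error page advertises the nginx version; for a formula whose main job is fronting other services it should be on by default: `server_tokens off;`. `worker_processes 4;` is hard-coded rather than `auto`, and since `server.sls` ships this file without `template: jinja` nothing in pillar can tune it, `worker_connections` or `keepalive_timeout`. As far as this diff shows, nothing consumes the `bind.address`/`bind.protocol` values that the metadata defaults set, so that pillar key is currently inert and should either be wired into a `listen` default or removed from the metadata.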
diff --git a/nginx/files/proxy.conf b/nginx/files/proxy.conf
new file mode 100644
index 0000000..ea53ffb
--- /dev/null
+++ b/nginx/files/proxy.conf
@@ -0,0 +1,75 @@
+{%- set site = salt['pillar.get']('nginx:server:site:'+site_name) %}
+
+server {
+
+ {%- include "nginx/files/_name.conf" %}
+ {%- include "nginx/files/_ssl.conf" %}
+
+ {%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
+ ssl_session_cache shared:SSL:10m;
+ {%- endif %}
+
+ {%- if site.get('underscores_in_headers', False) %}
+ underscores_in_headers on;
+ {%- endif %}
+
+ location / {
+ proxy_pass {{ site.proxy.protocol }}://{{ site.proxy.host }}:{{ site.proxy.port }};
+
+ {%- if site.proxy.websocket is defined %}
+
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ {%- else %}
+
+ {%- if site.proxy.size is defined %}
+ client_max_body_size {{ site.proxy.size }}m;
+ {%- if site.proxy.size > 200 %}
+ client_body_buffer_size 200m;
+ {%- else %}
+ client_body_buffer_size 20m;
+ {%- endif %}
+ {%- else %}
+ client_max_body_size 20m;
+ client_body_buffer_size 20m;
+ {% endif %}
+
+ {%- if site.proxy.timeout is defined %}
+ proxy_connect_timeout {{ site.proxy.timeout }};
+ proxy_send_timeout {{ site.proxy.timeout }};
+ proxy_read_timeout {{ site.proxy.timeout }};
+ send_timeout {{ site.proxy.timeout }};
+ {%- else %}
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 600;
+ {%- endif %}
+
+ {%- if site.proxy.filter is defined %}
+ sub_filter '{{ site.proxy.filter.search }}' '{{ site.proxy.filter.replace }}';
+ sub_filter_types *;
+ sub_filter_once off;
+ {%- endif %}
+
+ {%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
+ proxy_redirect http:// https://;
+ {%- else %}
+ proxy_redirect off;
+ {%- endif %}
+ proxy_buffering off;
+
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+
+ {%- endif %}
+
+ }
+
+}
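Review bot: The websocket branch (L507-L512) sets the `Upgrade`/`Connection` headers but `proxy_http_version 1.1;` only appears in the `else` branch at L552, and nginx proxies with HTTP/1.0 by default, so the upgrade handshake cannot be forwarded; move `proxy_http_version 1.1;` above the `if`. The same branch also omits `X-Real-IP`/`X-Forwarded-For`, so the backend loses the client address for websocket traffic. `client_body_buffer_size 200m;` for sites with `proxy.size` over 200 lets every in-flight request pin up to 200 MB of memory before anything spools to disk, an easy resource-exhaustion target — leave the buffer at nginx's default and let `client_max_body_size` do the limiting. `X-Forwarded-Protocol` is non-standard; most backends (GitLab/Rails among them) key on `X-Forwarded-Proto` to mark the request secure, so emit `proxy_set_header X-Forwarded-Proto $scheme;` as well.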
diff --git a/nginx/files/redirect.conf b/nginx/files/redirect.conf
new file mode 100644
index 0000000..b31424b
--- /dev/null
+++ b/nginx/files/redirect.conf
@@ -0,0 +1,11 @@
+{%- set site = salt['pillar.get']('nginx:server:site:'+site_name) %}
+
+server {
+ listen {{ site.host.get("port", 80) }};
+ server_name {{ site.host.name }}{%- if site.host.aliases is defined %} {{ site.host.aliases|join(' ') }}{%- endif %};
+ {%- if site.redirect is defined %}
+ rewrite ^(.*) {{ site.redirect.get('protocol', 'http') }}://{{ site.redirect.get('host', '$server_name') }}{{ site.redirect.get('path', '$1') }} permanent;
+ {%- else %}
+ rewrite ^(.*) https://$server_name$1 permanent;
+ {%- endif %}
+}
diff --git a/nginx/files/sensu.conf b/nginx/files/sensu.conf
new file mode 100644
index 0000000..d9417c3
--- /dev/null
+++ b/nginx/files/sensu.conf
@@ -0,0 +1,25 @@
+{%- from "nginx/map.jinja" import server with context -%}
+local_nginx_server_proc:
+ command: "PATH=$PATH:/usr/lib64/nagios/plugins:/usr/lib/nagios/plugins check_procs -C nginx -u root -c 1:1"
+ interval: 60
+ occurrences: 1
+ subscribers:
+ - local-nginx-server
+local_nginx_server_worker_procs:
+ command: "PATH=$PATH:/usr/lib64/nagios/plugins:/usr/lib/nagios/plugins check_procs -C nginx -u www-data -c 1:20"
+ interval: 60
+ occurrences: 1
+ subscribers:
+ - local-nginx-server
+{%- for site_name, site in server.get('site', {}).iteritems() %}
+{%- if site.enabled %}
+{%- if site.get('check', True) %}
+remote_nginx_server_http_{{ site.host.name }}_{{ site.host.get('port', '80') }}:
+ command: "PATH=$PATH:/usr/lib64/nagios/plugins:/usr/lib/nagios/plugins check_http -H {{ site.host.name }} -p {{ site.host.get('port', '80') }} -w 5 -c 10 -f follow{% if site.get('ssl', {}).get('enabled', False) %} -S{% endif %}"
+ interval: 60
+ occurrences: 2
+ subscribers:
+ - remote-network
+{%- endif %}
+{%- endif %}
+{%- endfor %}
\ No newline at end of file
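Review bot: `server.get('site', {}).iteritems()` on L600 (the same idiom is used in `sites.sls` and `users.sls`) only exists under Python 2, so these templates stop rendering on a Python 3 minion; `.items()` behaves identically here. `site.enabled` on L601 is dereferenced without a default, so a site entry that omits `enabled` aborts the whole render instead of being skipped — `site.get('enabled', False)`. The file also lacks a trailing newline, which the diff flags.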
diff --git a/nginx/files/static.conf b/nginx/files/static.conf
new file mode 100644
index 0000000..308e207
--- /dev/null
+++ b/nginx/files/static.conf
@@ -0,0 +1,41 @@
+{%- set site = salt['pillar.get']('nginx:server:site:'+site_name) %}
+
+server {
+
+ {%- include "nginx/files/_name.conf" %}
+ {%- include "nginx/files/_log.conf" %}
+ {%- include "nginx/files/_ssl.conf" %}
+
+ location / {
+ {%- if site.root is defined %}
+ root {{ site.root }};
+ {%- else %}
+ root /srv/static/sites/{{ site.name }}{% if site.path is defined %}/{{ site.path }}{% endif %};
+ {%- endif %}
+
+ index index.html index.htm;
+
+ {%- if site.webdav is defined %}
+
+ {%- if site.webdav.methods is defined %}
+ autoindex on;
+ dav_methods {{ site.webdav.methods }};
+ {%- endif %}
+ {%- if site.webdav.ext_methods is defined %}
+ dav_ext_methods {{ site.webdav.ext_methods }};
+ {%- endif %}
+ {%- if site.webdav.access is defined %}
+ dav_access {{ site.webdav.access }};
+ {%- endif %}
+
+ {%- endif %}
+
+ {%- if site.client_max_body_size is defined %}
+ client_max_body_size {{ site.client_max_body_size }};
+ {%- endif %}
+
+ {%- include "nginx/files/_auth.conf" %}
+
+ }
+
+}
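Review bot: When `site.webdav.methods` is set, the block at L638-L641 enables the WebDAV write methods and also turns on `autoindex`, but nothing requires `site.auth` to be present, so a pillar that enables WebDAV without an auth block produces an unauthenticated, writable, listable directory. The render should refuse that combination (a guard on `site.webdav is defined and site.auth is not defined`) or at least the README should state it loudly, and `autoindex on;` deserves its own opt-in (`site.get('autoindex', False)`) rather than being implied by WebDAV. `root {{ site.root }}` / `site.path` are interpolated unquoted — pillar is trusted, but a path with a space or `;` silently breaks the server block, so quoting the value costs nothing.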
diff --git a/nginx/init.sls b/nginx/init.sls
new file mode 100644
index 0000000..2be163b
--- /dev/null
+++ b/nginx/init.sls
@@ -0,0 +1,5 @@
+
+include:
+{%- if pillar.nginx.server is defined %}
+- nginx.server
+{%- endif %}
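Review bot: `pillar.nginx.server is defined` dereferences `pillar.nginx` first, and on a minion with no `nginx` pillar at all the attribute lookup on the resulting undefined value raises during rendering instead of evaluating to false; `{%- if salt['pillar.get']('nginx:server') is defined %}` (or `pillar.get('nginx', {}).server is defined`) is the robust form. A one-line comment noting that the formula is a no-op without `nginx:server` in pillar would make that contract explicit.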
diff --git a/nginx/map.jinja b/nginx/map.jinja
new file mode 100644
index 0000000..3993139
--- /dev/null
+++ b/nginx/map.jinja
@@ -0,0 +1,9 @@
+
+{% set server = salt['grains.filter_by']({
+ 'Debian': {
+ 'pkgs': ['nginx', 'apache2-utils'],
+ 'service': 'nginx',
+ 'vhost_dir': '/etc/nginx/sites-available',
+ 'log_dir': '/var/log/nginx',
+ },
+}, merge=salt['pillar.get']('nginx:server')) %}
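Review bot: `grains.filter_by` is called without a `default`, so on any minion whose `os_family` is not `Debian` the lookup returns `None` and the first `server.enabled` in `server.sls` fails with an attribute error rather than a clear message; pass `default='Debian'` or add the other families explicitly. `vhost_dir` and `log_dir` are defined here but, as far as this diff shows, never read — `server.sls`, `sites.sls` and `_log.conf` hard-code `/etc/nginx/sites-*` and `/var/log/nginx` — so either wire those states to the map values or drop the dead keys so nobody assumes changing them has an effect.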
diff --git a/nginx/server.sls b/nginx/server.sls
new file mode 100644
index 0000000..14ac15a
--- /dev/null
+++ b/nginx/server.sls
@@ -0,0 +1,42 @@
+{%- from "nginx/map.jinja" import server with context %}
+{%- if server.enabled %}
+
+include:
+ - nginx.server.users
+ - nginx.server.sites
+
+nginx_packages:
+ pkg.installed:
+ - names: {{ server.pkgs }}
+
+{%- if server.extras %}
+nginx_extra_packages:
+ pkg.installed:
+ - name: nginx-extras
+{%- endif %}
+
+/etc/nginx/sites-enabled/default:
+ file.absent:
+ - require:
+ - pkg: nginx_packages
+
+/etc/nginx/sites-available/default:
+ file.absent:
+ - require:
+ - pkg: nginx_packages
+
+/etc/nginx/nginx.conf:
+ file.managed:
+ - source: salt://nginx/files/nginx.conf
+ - require:
+ - pkg: nginx_packages
+ - watch_in:
+ - service: nginx_service
+
+nginx_service:
+ service.running:
+ - name: {{ server.service }}
+ - require:
+ - pkg: nginx_packages
+
+{%- endif %}
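Review bot: `nginx_service` is `service.running` without `- enable: True`, so on a host where the package does not enable the unit the server will not come back after a reboot. Every `watch_in` here restarts nginx rather than reloading it, dropping in-flight connections on each site change; `- reload: True` on the service state is the usual fix, ideally paired with a `cmd.wait` running `nginx -t` on the site files so a bad template does not take the whole server down. The `/etc/nginx/nginx.conf` state pins no `mode`/`user`/`group`; harmless under root, but `- mode: 644` next to a `watch_in` on the service is cheap insurance.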
diff --git a/nginx/server/sites.sls b/nginx/server/sites.sls
new file mode 100644
index 0000000..1ca1559
--- /dev/null
+++ b/nginx/server/sites.sls
@@ -0,0 +1,87 @@
+{%- from "nginx/map.jinja" import server with context %}
+
+{%- for site_name, site in server.get('site', {}).iteritems() %}
+{%- if site.enabled %}
+
+{% if site.ssl is defined and site.ssl.enabled %}
+
+{{ site.host.name }}_public_cert_{{ loop.index }}:
+ file.managed:
+ - name: /etc/ssl/certs/{{ site.host.name }}.crt
+ {%- if site.ssl.cert is defined %}
+ - contents_pillar: nginx:server:site:{{ site_name }}:cert
+ {%- else %}
+ - source: salt://pki/{{ site.ssl.authority }}/certs/{{ site.host.name }}.cert.pem
+ {%- endif %}
+ - require:
+ - pkg: nginx_packages
+ - watch_in:
+ - service: nginx_service
+
+{{ site.host.name }}_private_key_{{ loop.index }}:
+ file.managed:
+ - name: /etc/ssl/private/{{ site.host.name }}.key
+ {%- if site.ssl.key is defined %}
+ - contents_pillar: nginx:server:site:{{ site_name }}:key
+ {%- else %}
+ - source: salt://pki/{{ site.ssl.authority }}/certs/{{ site.host.name }}.key.pem
+ {%- endif %}
+ - mode: 400
+ - require:
+ - pkg: nginx_packages
+
+{{ site.host.name }}_ca_chain_{{ loop.index }}:
+ file.managed:
+ - name: /etc/ssl/certs/{{ site.host.name }}-ca-chain.crt
+ {%- if site.ssl.chain is defined %}
+ - contents_pillar: nginx:server:site:{{ site_name }}:chain
+ {%- else %}
+ - source: salt://pki/{{ site.ssl.authority }}/{{ site.ssl.authority }}-chain.cert.pem
+ {%- endif %}
+ - require:
+ - pkg: nginx_packages
+
+nginx_init_{{ site.host.name }}_tls_{{ loop.index }}:
+ cmd.wait:
+ - name: "cat /etc/ssl/certs/{{ site.host.name }}.crt /etc/ssl/certs/{{ site.host.name }}-ca-chain.crt > /etc/ssl/certs/{{ site.host.name }}-with-chain.crt"
+ - watch:
+ - file: /etc/ssl/certs/{{ site.host.name }}.crt
+ - file: /etc/ssl/certs/{{ site.host.name }}-ca-chain.crt
+ - watch_in:
+ - service: nginx_service
+
+{% endif %}
+
+/etc/nginx/sites-available/{{ site.type }}_{{ site.name }}.conf:
+ file.managed:
+ {%- if site.type == 'nginx_proxy' %}
+ - source: salt://nginx/files/proxy.conf
+ {%- elif site.type == 'nginx_redirect' %}
+ - source: salt://nginx/files/redirect.conf
+ {%- elif site.type == 'nginx_static' %}
+ - source: salt://nginx/files/static.conf
+ {%- else %}
+ - source: salt://{{ site.type }}/files/nginx.conf
+ {%- endif %}
+ - template: jinja
+ - require:
+ - pkg: nginx_packages
+ - watch_in:
+ - service: nginx_service
+ - defaults:
+ site_name: "{{ site_name }}"
+
+/etc/nginx/sites-enabled/{{ site.type }}_{{ site.name }}.conf:
+ file.symlink:
+ - target: /etc/nginx/sites-available/{{ site.type }}_{{ site.name }}.conf
+
+{%- else %}
+
+/etc/nginx/sites-available/{{ site.type }}_{{ site.name }}.conf:
+ file.absent
+
+/etc/nginx/sites-enabled/{{ site.type }}_{{ site.name }}.conf:
+ file.absent
+
+{%- endif %}
+{%- endfor %}
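Review bot: In the non-pillar branch (L753, L766, L778) the private key is fetched from `salt://pki/{{ site.ssl.authority }}/certs/…key.pem`; unless the fileserver is split per environment, any minion can `cp.get_file` any `salt://` path, so every key under `pki/` is readable by every minion on that master — keys should come from pillar (as the `contents_pillar` branch already does) or a per-minion environment, and the README should say so. The `cmd.wait` at L783-L790 assembles `{{ site.host.name }}-with-chain.crt`, but `_ssl.conf` (L349) points `ssl_certificate` at the bare `.crt`, so the chain file is never served. The private-key state has no `watch_in` on the service, so a key rotation that does not also change the certificate leaves nginx running on the old key until something else restarts it. The `site.type` switch matches `nginx_proxy`/`nginx_redirect`/`nginx_static`, whereas the README examples use `proxy`/`static`, which fall through to the `salt://{{ site.type }}/files/nginx.conf` source and fail — one of the two needs to change.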
diff --git a/nginx/server/users.sls b/nginx/server/users.sls
new file mode 100644
index 0000000..8679f58
--- /dev/null
+++ b/nginx/server/users.sls
@@ -0,0 +1,32 @@
+{%- from "nginx/map.jinja" import server with context %}
+
+{%- for user_name, user in server.get('user', {}).iteritems() %}
+{%- if user.enabled %}
+
+nginx_setup_user_{{ user_name }}:
+ webutil.user_exists:
+ - name: {{ user_name }}
+ {%- if user.htpasswd is defined %}
+ - htpasswd_file: /etc/nginx/{{ user.htpasswd }}
+ {%- else %}
+ - htpasswd_file: /etc/nginx/htpasswd
+ {%- endif %}
+ - password: {{ user.password }}
+ {%- if user.opts is defined %}
+ - options: '{{ user.opts }}'
+ {%- endif %}
+
+{%- else %}
+
+nginx_setup_user_{{ user_name }}_absent:
+ module.run:
+ - name: htpasswd.userdel
+ - user: {{ user_name }}
+ {%- if user.htpasswd is defined %}
+ - pwfile: /etc/nginx/{{ user.htpasswd }}
+ {%- else %}
+ - pwfile: /etc/nginx/htpasswd
+ {%- endif %}
+
+{%- endif %}
+{%- endfor %}
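Review bot: `- password: {{ user.password }}` on L846 drops the pillar value into the rendered state unquoted, so a password containing `: `, `#`, a leading `-`/`*`, or one that looks like a number or boolean is re-typed or breaks the YAML parse; render it as `- password: {{ user.password|yaml_encode }}` where the Salt release has that filter, or at least `'{{ user.password }}'`. The plaintext password also appears wherever `webutil.user_exists` reports changes, so the README example (`magicunicorn`) should carry a note that this value belongs in an encrypted pillar rather than plain YAML, and that `opts: '-B'` selects bcrypt instead of htpasswd's default hash. `module.run htpasswd.userdel` in the disabled branch is not idempotent and reports a change on every run; the state-ful `webutil.user_absent` is preferable where the Salt release provides it.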