Merge branch 'feature/letsencrypt' into 'master'

Add support for Let's Encrypt via ssl engine.

See merge request !3
diff --git a/README.rst b/README.rst
index 108e558..a619b27 100644
--- a/README.rst
+++ b/README.rst
@@ -153,6 +153,29 @@
               name: gitlab.domain.com
               port: 80
 
+Let's Encrypt
+
+.. code-block:: yaml
+
+    nginx:
+      server:
+        enabled: true
+        bind:
+          address: '0.0.0.0'
+          ports:
+          - 443
+        site:
+          gitlab_domain:
+            enabled: true
+            type: gitlab
+            name: domain
+            ssl:
+              enabled: true
+              engine: letsencrypt
+            host:
+              name: gitlab.domain.com
+              port: 443
+
 Read more
 =========
 
diff --git a/nginx/files/_letsencrypt.conf b/nginx/files/_letsencrypt.conf
new file mode 100644
index 0000000..94ca952
--- /dev/null
+++ b/nginx/files/_letsencrypt.conf
@@ -0,0 +1,6 @@
+location /.well-known/acme-challenge/ {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_redirect off;
+    proxy_pass http://{{ site.host.name }}:9999/.well-known/acme-challenge/;
+}
\ No newline at end of file
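Review bot: The `proxy_pass` target in this location is built from `site.host.name`, the site's public name, so nginx has to resolve that name when it loads the config, and the challenge responder on port 9999 must be reachable on whatever address it resolves to. If the responder runs on the same host (not visible here), a loopback target avoids the DNS dependency and lets port 9999 stay off the public interface: `proxy_pass http://127.0.0.1:9999/.well-known/acme-challenge/;`. The location is only pulled in from the letsencrypt branch of `_ssl.conf`, so it is served on the TLS listener; HTTP-01 validation begins on port 80, so a plain-HTTP server that serves or redirects this path is presumably needed as well. A one-line comment naming the service expected on port 9999 would help the next reader.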
diff --git a/nginx/files/_ssl.conf b/nginx/files/_ssl.conf
index 2288c3f..d83beac 100644
--- a/nginx/files/_ssl.conf
+++ b/nginx/files/_ssl.conf
@@ -4,8 +4,15 @@
   ssl on;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout  10m;
-  ssl_certificate /etc/ssl/certs/{{ site.host.name }}-with-chain.crt;
+  {%- if site.ssl.engine is not defined %}
   ssl_certificate_key /etc/ssl/private/{{ site.host.name }}.key;
+  ssl_certificate /etc/ssl/certs/{{ site.host.name }}-with-chain.crt;
+  {%- elif site.ssl.engine == 'letsencrypt' %}
+  ssl_certificate         /etc/letsencrypt/live/{{ site.host.name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ site.host.name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ site.host.name }}/fullchain.pem;
+  {%- include "nginx/files/_letsencrypt.conf" %}
+  {%- endif %}
   {%- set ssl_mode = site.ssl.get('mode', 'secure') %}
   {%- include "nginx/files/_ssl_"+ssl_mode+".conf" %}
   {%- endif %}
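Review bot: A site whose `ssl.engine` is defined but is not `letsencrypt` matches neither branch of the new `if`/`elif`, so the rendered server block keeps `ssl on` with no `ssl_certificate` or `ssl_certificate_key` at all. The same `site.ssl.engine is not defined` guard in `nginx/server/sites.sls` skips the certificate states in that case too. Consider an explicit `{%- else %}` branch, or compare against a default the way the `ssl_mode` line below does, e.g. `site.ssl.get('engine', 'DEFAULT_ENGINE_PLACEHOLDER')`, with the same condition used in `sites.sls`. Separately, `ssl_trusted_certificate` only takes effect for OCSP stapling or client-certificate verification, and no `ssl_stapling` directive is visible in this hunk, although the included `_ssl_<mode>.conf` may set it. The enclosing `if` opens above the hunk.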
diff --git a/nginx/server/sites.sls b/nginx/server/sites.sls
index 250c92a..542a5e0 100644
--- a/nginx/server/sites.sls
+++ b/nginx/server/sites.sls
@@ -5,6 +5,8 @@
 
 {% if site.ssl is defined and site.ssl.enabled %}
 
+{%- if site.ssl.engine is not defined %}
+
 {{ site.host.name }}_public_cert_{{ loop.index }}:
   file.managed:
   - name: /etc/ssl/certs/{{ site.host.name }}.crt
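Review bot: The new `site.ssl.engine is not defined` guard skips the certificate and key states for letsencrypt sites but puts nothing in their place, so nothing visible here ensures that `/etc/letsencrypt/live/<host>/fullchain.pem` and `privkey.pem` exist before `nginx_service` picks up a site config that references them. nginx refuses to load a configuration whose certificate files are missing, and the ACME challenge is proxied through that same nginx, so a first run may not be able to bootstrap itself. If issuance is handled by another formula, a requisite on it, or at least a comment such as `{#- letsencrypt: certificates are issued outside this state and must exist before nginx reloads #}`, would make the ordering explicit. The state that begins after the guard continues outside this hunk.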
@@ -50,10 +52,13 @@
   - watch_in:
     - service: nginx_service
 
+{%- endif %}
+
 {% endif %}
 
-/etc/nginx/sites-available/{{ site.type }}_{{ site.name }}.conf:
+sites-available-{{ site_name }}:
   file.managed:
+  - name: /etc/nginx/sites-available/{{ site.type }}_{{ site.name }}.conf
   {%- if site.type == 'nginx_proxy' %}
   - source: salt://nginx/files/proxy.conf
   {%- elif site.type == 'nginx_redirect' %}
@@ -71,8 +76,9 @@
   - defaults:
     site_name: "{{ site_name }}"
 
-/etc/nginx/sites-enabled/{{ site.type }}_{{ site.name }}.conf:
+sites-enabled-{{ site_name }}:
   file.symlink:
+  - name: /etc/nginx/sites-enabled/{{ site.type }}_{{ site.name }}.conf
   - target: /etc/nginx/sites-available/{{ site.type }}_{{ site.name }}.conf
 
 {%- else %}