Salt PKI
diff --git a/nginx/files/_ssl.conf b/nginx/files/_ssl.conf
index ac6d841..a30ea4a 100644
--- a/nginx/files/_ssl.conf
+++ b/nginx/files/_ssl.conf
@@ -4,9 +4,10 @@
   ssl on;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout  10m;
-  {%- if site.ssl.engine is not defined %}
-  ssl_certificate_key /etc/ssl/private/{{ site.host.name }}.key;
 
+  {%- if site.ssl.engine is not defined %}
+
+  ssl_certificate_key /etc/ssl/private/{{ site.host.name }}.key;
   {%- if site.ssl.chain is defined or site.ssl.authority is defined %}
   ssl_certificate /etc/ssl/certs/{{ site.host.name }}-with-chain.crt;
   {%- else %}
@@ -16,12 +17,18 @@
   {%- elif site.ssl.engine == 'letsencrypt' %}
 
   {%- set cert = site.ssl.get("certificate", site.host.name) %}
-
   ssl_certificate         /etc/letsencrypt/live/{{ cert }}/fullchain.pem;
   ssl_certificate_key     /etc/letsencrypt/live/{{ cert }}/privkey.pem;
   ssl_trusted_certificate /etc/letsencrypt/live/{{ cert }}/fullchain.pem;
   {%- include "nginx/files/_letsencrypt.conf" %}
+
+  {%- elif site.ssl.engine == 'salt' %}
+
+  ssl_certificate_key /etc/ssl/private/{{ site.host.name }}.key;
+  ssl_certificate /etc/ssl/certs/{{ site.host.name }}-with-chain.crt;
+
   {%- endif %}
+
   {%- set ssl_mode = site.ssl.get('mode', 'secure') %}
   {%- include "nginx/files/_ssl_"+ssl_mode+".conf" %}
   {%- endif %}
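Review bot: The new `salt` branch points `ssl_certificate` at `/etc/ssl/certs/{{ site.host.name }}-with-chain.crt` unconditionally, but that file is only produced by the `cmd.wait` state added in nginx/server/sites.sls, whose command interpolates `site.ssl.authority`; a site with `engine: salt` and no `authority` key renders `ca-.crt` there and leaves nginx referencing a chain file that is never created. Guard both places on the key, e.g. mirror the `{%- if site.ssl.chain is defined or site.ssl.authority is defined %}` test from the branch above and fall back to `ssl_certificate /etc/ssl/certs/{{ site.host.name }}.crt;` when no authority is configured. The letsencrypt branch also sets `ssl_trusted_certificate` while this one does not; whether the `_ssl_<mode>.conf` include relies on it for stapling is not visible here, so worth confirming. The `if` that the final `endif` closes starts outside the hunk.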
diff --git a/nginx/server/sites.sls b/nginx/server/sites.sls
index 00c1721..168d99f 100644
--- a/nginx/server/sites.sls
+++ b/nginx/server/sites.sls
@@ -1,5 +1,10 @@
 {%- from "nginx/map.jinja" import server with context %}
 
+{%- if pillar.salt.minion.cert is defined %}
+include:
+- salt.minion.cert
+{%- endif %}
+
 {%- set ssl_certificates = {} %}
 
 {%- for site_name, site in server.get('site', {}).iteritems() %}
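Review bot: `pillar.salt.minion.cert is defined` on line 46 performs three attribute lookups before the `is defined` test is applied, so on a minion whose pillar has no `salt` or `salt:minion` mapping the intermediate lookup yields an undefined value and, depending on the renderer's undefined handling, may raise instead of evaluating false. A nested-safe form such as `{%- if salt['pillar.get']('salt:minion:cert') is not none %}` evaluates cleanly for every minion and keeps the include optional as intended. The `for` loop opened on line 53 continues outside the hunk.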
@@ -59,6 +64,17 @@
 
 {%- endif %}
 
+{%- elif site.ssl.engine == 'salt' %}
+
+nginx_init_{{ site.host.name }}_tls:
+  cmd.wait:
+  - name: "cat /etc/ssl/certs/{{ site.host.name }}.crt /etc/ssl/certs/ca-{{ site.ssl.authority }}.crt > /etc/ssl/certs/{{ site.host.name }}-with-chain.crt"
+  - watch:
+    - x509: /etc/ssl/certs/{{ site.host.name }}.crt
+    - x509: /etc/ssl/certs/ca-{{ site.ssl.authority }}.crt
+  - watch_in:
+    - service: nginx_service
+
 {%- endif %}
 
 {% endif %}
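Review bot: `nginx_init_{{ site.host.name }}_tls` is a `cmd.wait`, so it only runs when one of the watched `x509` states reports a change; on a minion where the certificates were already issued by an earlier highstate the chain file is never written, and the nginx config from _ssl.conf then references a missing `-with-chain.crt`. A companion `cmd.run` with `creates:` (shown below) bootstraps the file on first apply while the existing `cmd.wait` keeps rebuilding it on renewal; the `watch` requisite already implies `require`, so no ordering change is needed there. The `x509` IDs being watched assume the included `salt.minion.cert` state declares its certificates under those exact path IDs, which is not visible in this diff and worth confirming. The `elif` on line 58 and the closing `{% endif %}` belong to a conditional that starts outside the hunk.

```yaml
{%- elif site.ssl.engine == 'salt' %}

{# First apply: build the chain file even when the x509 states report no change. #}
nginx_bootstrap_{{ site.host.name }}_tls:
  cmd.run:
  - name: "cat /etc/ssl/certs/{{ site.host.name }}.crt /etc/ssl/certs/ca-{{ site.ssl.authority }}.crt > /etc/ssl/certs/{{ site.host.name }}-with-chain.crt"
  - creates: /etc/ssl/certs/{{ site.host.name }}-with-chain.crt
  - require:
    - x509: /etc/ssl/certs/{{ site.host.name }}.crt
    - x509: /etc/ssl/certs/ca-{{ site.ssl.authority }}.crt
  - watch_in:
    - service: nginx_service

{# … unchanged: nginx_init_{{ site.host.name }}_tls cmd.wait state … #}
```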