Add support for site.ssl.key_file, etc.
diff --git a/nginx/server/sites.sls b/nginx/server/sites.sls
index fcdacd8..aa87142 100644
--- a/nginx/server/sites.sls
+++ b/nginx/server/sites.sls
@@ -8,13 +8,18 @@
{%- if site.get('ssl', {'enabled': False}).enabled and site.host.name not in ssl_certificates.keys() %}
{%- set _dummy = ssl_certificates.update({site.host.name: []}) %}
+{%- set ca_file=site.ssl.get('ca_file', '') %}
+{%- set key_file=site.ssl.get('key_file', '/etc/ssl/private/{0}.key'.format(site.host.name)) %}
+{%- set cert_file=site.ssl.get('cert_file', '/etc/ssl/certs/{0}.crt'.format(site.host.name)) %}
+{%- set chain_file=site.ssl.get('chain_file', '/etc/ssl/certs/{0}-with-chain.crt'.format(site.host.name)) %}
+
{%- if site.ssl.engine is not defined %}
{%- if site.ssl.key is defined %}
{{ site.host.name }}_public_cert:
file.managed:
- - name: /etc/ssl/certs/{{ site.host.name }}.crt
+ - name: {{ cert_file }}
{%- if site.ssl.cert is defined %}
- contents_pillar: nginx:server:site:{{ site_name }}:ssl:cert
{%- else %}
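Review bot: `ca_file` is initialised to an empty string on line 9 and is only rebound later inside the chain/authority branch and the engine branch, so a site that defines `key` but neither `chain` nor `authority` reaches the `cat` command at the end of this file with a blank middle argument and silently gets a "chain" that is just the leaf certificate; the removed code did not produce a chain file in that case at all. If that is intended, a comment saying so would help; otherwise default it here to the old fixed path, `{%- set ca_file = site.ssl.get('ca_file', '/etc/ssl/certs/{0}-ca-chain.crt'.format(site.host.name)) %}`, or guard the CA argument with `{%- if ca_file %}` where the command is built. The four new `set` lines would also read more consistently with spaces around `=`, matching the `{%- set _dummy = ... %}` line just above them. The enclosing `if` on line 7 closes outside this hunk.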
@@ -24,10 +29,11 @@
- pkg: nginx_packages
- watch_in:
- service: nginx_service
+ - cmd: nginx_init_{{ site.host.name }}_tls
{{ site.host.name }}_private_key:
file.managed:
- - name: /etc/ssl/private/{{ site.host.name }}.key
+ - name: {{ key_file }}
{%- if site.ssl.key is defined %}
- contents_pillar: nginx:server:site:{{ site_name }}:ssl:key
{%- else %}
@@ -36,12 +42,15 @@
- mode: 400
- require:
- pkg: nginx_packages
+ - watch_in:
+ - cmd: nginx_init_{{ site.host.name }}_tls
{%- if site.ssl.chain is defined or site.ssl.authority is defined %}
+{%- set ca_file=site.ssl.get('ca_file', '/etc/ssl/certs/{0}-ca-chain.crt'.format(site.host.name)) %}
{{ site.host.name }}_ca_chain:
file.managed:
- - name: /etc/ssl/certs/{{ site.host.name }}-ca-chain.crt
+ - name: {{ ca_file }}
{%- if site.ssl.chain is defined %}
- contents_pillar: nginx:server:site:{{ site_name }}:ssl:chain
{%- else %}
@@ -49,30 +58,28 @@
{%- endif %}
- require:
- pkg: nginx_packages
+ - watch_in:
+ - cmd: nginx_init_{{ site.host.name }}_tls
+
+{% endif %}
+
+{% endif %}
+
+{% else %}
+{# site.ssl engine is defined #}
+
+{%- if site.ssl.authority is defined %}
+{%- set ca_file=site.ssl.get('ca_file', '/etc/ssl/certs/ca-{0}.crt'.format(site.ssl.authority)) %}
+{% endif %}
+
+{% endif %}
nginx_init_{{ site.host.name }}_tls:
cmd.wait:
- - name: "cat /etc/ssl/certs/{{ site.host.name }}.crt /etc/ssl/certs/{{ site.host.name }}-ca-chain.crt > /etc/ssl/certs/{{ site.host.name }}-with-chain.crt"
- - watch:
- - file: /etc/ssl/certs/{{ site.host.name }}.crt
- - file: /etc/ssl/certs/{{ site.host.name }}-ca-chain.crt
+ - name: "cat {{ cert_file }} {{ ca_file }} > {{ chain_file }}"
- watch_in:
- service: nginx_service
-{%- endif %}
-
-{%- endif %}
-
-{%- elif site.ssl.engine == 'salt' %}
-
-nginx_init_{{ site.host.name }}_tls:
- cmd.run:
- - name: "cat /etc/ssl/certs/{{ site.host.name }}.crt /etc/ssl/certs/ca-{{ site.ssl.authority }}.crt > /etc/ssl/certs/{{ site.host.name }}-with-chain.crt"
- - watch_in:
- - service: nginx_service
-
-{%- endif %}
-
{% endif %}
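Review bot: In the engine-defined branch (lines 61–68) no `file.managed` state carries a `watch_in` to `nginx_init_{{ site.host.name }}_tls`, so the `cmd.wait` on line 70 has nothing to trigger it and the chain file is never written for `engine: salt` sites, whereas the removed `cmd.run` on line 85 ran unconditionally. Unless a state outside this file watches it, that branch needs either a `cmd.run` or a watch on the externally provisioned certificate file. The three paths on line 75 are also interpolated into a shell command unquoted, so a pillar value containing whitespace or shell metacharacters changes what the command does; quoting them as `cat '{{ cert_file }}' '{{ ca_file }}' > '{{ chain_file }}'` is safer, with the empty `ca_file` case handled by a Jinja guard rather than an empty quoted argument. The `ssl_certificates` loop this hunk sits in starts outside the visible lines.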
diff --git a/tests/pillar/horizon_with_ssl_extra.sls b/tests/pillar/horizon_with_ssl_extra.sls
new file mode 100644
index 0000000..cf7291a
--- /dev/null
+++ b/tests/pillar/horizon_with_ssl_extra.sls
@@ -0,0 +1,39 @@
+salt:
+ minion:
+ enabled: true
+nginx:
+ server:
+ enabled: true
+ extras: false
+ bind:
+ address: 127.0.0.1
+ protocol: tcp
+ site:
+ horizon_site01:
+ enabled: true
+ type: horizon
+ name: site01
+ host:
+ name: horizon.domain.com
+ ssl:
+ enabled: true
+ authority: salt_master_ca
+ ca_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+ cert_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ chain_file: /tmp/temp_chain_file.crt
+ horizon_site02:
+ enabled: true
+ type: horizon
+ name: site02
+ host:
+ name: horizon.domain.com
+ ssl:
+ enabled: true
+ engine: salt
+ authority: salt_master_ca
+ ca_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+ cert_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ chain_file: /tmp/temp_chain_file02.crt
+
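Review bot: Both sites in this fixture use `host.name: horizon.domain.com`, and `sites.sls` renders the TLS states only for the first site it sees per host name (the `ssl_certificates` check on its line 7), so whichever site is iterated second — presumably `horizon_site02` with `engine: salt` — is never exercised; give site02 a distinct host name if the engine branch is meant to be covered. `ca_file` and `cert_file` point at the same PEM, so the rendered `cat` command cannot reveal a swapped cert/CA order; the same applies to `horizon_with_ssl_extra2.sls`. `chain_file` under `/tmp` also makes a test run write the chain into a world-writable directory; a path under `/etc/ssl/certs` or a per-test temporary directory would be safer. The trailing blank line at the end of the file should be dropped.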
diff --git a/tests/pillar/horizon_with_ssl_extra2.sls b/tests/pillar/horizon_with_ssl_extra2.sls
new file mode 100644
index 0000000..5f546e1
--- /dev/null
+++ b/tests/pillar/horizon_with_ssl_extra2.sls
@@ -0,0 +1,38 @@
+salt:
+ minion:
+ enabled: true
+nginx:
+ server:
+ enabled: true
+ extras: false
+ bind:
+ address: 127.0.0.1
+ protocol: tcp
+ site:
+ horizon_site01:
+ enabled: true
+ type: horizon
+ name: site01
+ host:
+ name: horizon.domain.com
+ ssl:
+ enabled: false
+ ca_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+ cert_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ chain_file: /tmp/temp_chain_file.crt
+ horizon_site02:
+ enabled: true
+ type: proxy
+ name: site02
+ host:
+ name: horizon.domain.com
+ ssl:
+ enabled: true
+ engine: salt
+ authority: salt_master_ca
+ ca_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+ cert_file: /etc/ssl/certs/RSA_Security_2048_v3.pem
+ chain_file: /tmp/temp_chain_file02.crt
+