web-proxy: IPv6 listener brackets

Add logic to wrap IPv6 listening addresses in brackets, to prevent nginx from failing to start. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-05 19:19:27 +01:00 · 2023-02-05 19:19:27 +01:00 · e3e4caaabe
commit e3e4caaabe
parent 119e97805d
2 changed files with 12 additions and 3 deletions
--- a/pillar/map.jinja
+++ b/pillar/map.jinja
@ -9,6 +9,8 @@
 {#- START Listener detection logic -#}

 {%- set listen_ips = [] -%}
+{%- set listen_ips4 = [] -%}
+{%- set listen_ips6 = [] -%}
 {%- set minion = grains['id'] -%}
 {%- set legal6s = ('fd29', '2a01:4f8:11e:2200') -%}
 {%- set ip4s = salt.saltutil.runner('mine.get', tgt=minion, fun='network.ip_addrs', tgt_type='glob') -%}
@ -16,11 +18,13 @@
 {%- if minion in ip4s -%}{%- for ip in ip4s[minion] -%}
 {%- if salt['network.is_private'](ip) -%}
 {%- do listen_ips.append(ip) -%}
+{%- do listen_ips4.append(ip) -%}
 {%- endif -%}
 {%- endfor -%}{%- endif -%}
 {%- if minion in ip6s -%}{%- for ip in ip6s[minion] -%}
 {%- if ip.startswith(legal6s) -%}
 {%- do listen_ips.append(ip) -%}
+{%- do listen_ips6.append(ip) -%}
 {%- endif -%}
 {%- endfor -%}{%- endif -%}

--- a/pillar/role/web-proxy.sls
+++ b/pillar/role/web-proxy.sls
@ -1,4 +1,4 @@
-{%- from slspath ~ '/../map.jinja' import listen_ips -%}
+{%- from slspath ~ '/../map.jinja' import listen_ips, listen_ips4, listen_ips6 -%}

 nginx:
  snippets:
@ -23,9 +23,14 @@ nginx:
        - fastcgi_param: SCRIPT_FILENAME $document_root$fastcgi_script_name
    {%- if listen_ips | length %}
    listen:
-      {%- for ip in listen_ips %}
-      - listen: {{ ip }}:443 ssl http2
+      {%- for ip4 in listen_ips4 %}
+      - listen: {{ ip4 }}:443 ssl http2
      {%- endfor %}
+      {%- if listen_ips6 | length %}
+      {%- for ip6 in listen_ips6 %}
+      - listen: '[{{ ip6 }}]:443 ssl http2'
+      {%- endfor %}
+      {%- endif %}
    {%- endif %}

 firewalld: