From 0fc507055df7fa62db83bcc31aabebecb96c87d2 Mon Sep 17 00:00:00 2001 
From: Eric Veiras Galisson Date: Fri, 10 May 2019 23:07:18 +0200 Subject: [PATCH] refactor: replace old `nginx` with `nginx.ng` BREAKING CHANGE: all previous `nginx` based configurations must be reviewed; `nginx.ng` usage must be promoted to `nginx` and any uses of the original `nginx` will have to be converted. --- docs/README.rst | 69 +-- docs/TOFS_pattern.rst | 2 +- kitchen.yml | 2 +- nginx/{ng => }/certificates.sls | 26 +- nginx/common.sls | 58 --- nginx/{ng => }/config.sls | 6 +- nginx/{ng => }/files/nginx.conf | 0 nginx/{ng => }/files/nginx.service | 0 nginx/{ng => }/files/server.conf | 0 nginx/init.sls | 42 +- nginx/luajit2.sls | 16 - nginx/map.jinja | 256 +++++++--- nginx/ng/init.sls | 30 -- nginx/ng/map.jinja | 197 ------- nginx/openresty.sls | 31 -- nginx/package.sls | 128 ----- nginx/{ng => }/passenger.sls | 10 +- nginx/{ng => }/pkg.sls | 4 +- nginx/{ng => }/servers.sls | 12 +- nginx/{ng => }/servers_config.sls | 6 +- nginx/{ng => }/service.sls | 14 +- nginx/{ng => }/snippets.sls | 6 +- nginx/source.sls | 277 ---------- nginx/{ng => }/src.sls | 6 +- nginx/sysvinit.sls | 34 -- nginx/templates/RedHat-sysvinit-logger.jinja | 100 ---- nginx/templates/config.jinja | 79 --- nginx/templates/nginx.init.jinja | 101 ---- nginx/templates/sysvinit-logger.jinja | 113 ---- nginx/templates/upstart-logger.jinja | 20 - nginx/templates/upstart.jinja | 23 - nginx/upstart.sls | 28 - nginx/users.sls | 30 -- pillar.example | 509 +++++++++---------- test/salt/default/pillar/nginx.sls | 59 ++- 35 files changed, 550 insertions(+), 1744 deletions(-) rename nginx/{ng => }/certificates.sls (50%) delete mode 100644 nginx/common.sls rename nginx/{ng => }/config.sls (82%) rename nginx/{ng => }/files/nginx.conf (100%) rename nginx/{ng => }/files/nginx.service (100%) rename nginx/{ng => }/files/server.conf (100%) delete mode 100644 nginx/luajit2.sls delete mode 100644 nginx/ng/init.sls delete mode 100644 nginx/ng/map.jinja delete mode 100644 nginx/openresty.sls delete mode 100644 
nginx/package.sls rename nginx/{ng => }/passenger.sls (82%) rename nginx/{ng => }/pkg.sls (98%) rename nginx/{ng => }/servers.sls (66%) rename nginx/{ng => }/servers_config.sls (97%) rename nginx/{ng => }/service.sls (76%) rename nginx/{ng => }/snippets.sls (75%) delete mode 100644 nginx/source.sls rename nginx/{ng => }/src.sls (84%) delete mode 100644 nginx/sysvinit.sls delete mode 100644 nginx/templates/RedHat-sysvinit-logger.jinja delete mode 100644 nginx/templates/config.jinja delete mode 100644 nginx/templates/nginx.init.jinja delete mode 100644 nginx/templates/sysvinit-logger.jinja delete mode 100644 nginx/templates/upstart-logger.jinja delete mode 100644 nginx/templates/upstart.jinja delete mode 100644 nginx/upstart.sls delete mode 100644 nginx/users.sls diff --git a/docs/README.rst b/docs/README.rst index cf15a6b..103ff29 100644 --- a/docs/README.rst +++ b/docs/README.rst 
@@ -17,99 +17,50 @@ Available states :local: ``nginx`` ---------- - -Runs the states to install nginx, configure the common files, and the users. - -``nginx.common`` ----------------- - -Ensures standard nginx files are in place, and configures enabled sites. - -``nginx.luajit2`` ------------------ - -Installs luajit. - -``nginx.openresty`` -------------------- - -Installs openresty. - -``nginx.package`` ------------------ - -Installs the nginx package via package manager. - -``nginx.source`` ----------------- - -Installs nginx via the source files. - -``nginx.users`` ---------------- - -Installs apache utils, and configures nginx users specified in the pillar. -This requires `basicauth `_ -from `salt-contrib `_ (either add it to your salt or ship -this single file in your `_modules` directory see `Dynamic Module Distribution -`_ - -Next-generation, alternate approach -=================================== - -The following states provide an alternate approach to managing Nginx and Nginx -servers, as well as code organization. Please provide feedback by filing issues, -discussing in ``#salt`` in Freenode and the mailing list as normal. - -.. contents:: - :local: - -``nginx.ng`` ------------ -Meta-state for inclusion of all ng states. +Meta-state for inclusion of all states. -**Note:** nginx.ng requires the merge parameter of salt.modules.pillar.get(), +**Note:** nginx requires the merge parameter of salt.modules.pillar.get(), first available in the Helium release. -``nginx.ng.pkg`` +``nginx.pkg`` -------------------- Installs nginx from package, from the distribution repositories, the official nginx repo or the ppa from Launchpad. -``nginx.ng.src`` +``nginx.src`` -------------------- Builds and installs nginx from source. -``nginx.ng.certificates`` +``nginx.certificates`` ------------------- Manages the deployment of nginx certificates. -``nginx.ng.config`` +``nginx.config`` ------------------- Manages the nginx main server configuration file. 
-``nginx.ng.service`` +``nginx.service`` -------------------- Manages the startup and running state of the nginx service. -``nginx.ng.servers_config`` +``nginx.servers_config`` -------------------------- Manages virtual host files. This state only manages the content of the files and does not bind them to service calls. -``nginx.ng.servers`` +``nginx.servers`` ------------------- Manages nginx virtual hosts files and binds them to service calls. -``nginx.ng.passenger`` +``nginx.passenger`` ---------------------- Installs and configures Phusion Passenger module for nginx. You need to enable diff --git a/docs/TOFS_pattern.rst b/docs/TOFS_pattern.rst index e6c3013..9bf860b 100644 --- a/docs/TOFS_pattern.rst +++ b/docs/TOFS_pattern.rst 
@@ -39,7 +39,7 @@ Using SaltStack is a simple and effective way to implement configuration managem To avoid this situation we can use the `pillar mechanism `_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja `_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates. -There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas `_' repositories. `Some `_ `developments `_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja `_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. +There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas `_' repositories. `Some `_ `developments `_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja `_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. 
Additionally, we are establishing a strong dependency with the Jinja renderer. In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values. diff --git a/kitchen.yml b/kitchen.yml index aed3636..2c949ca 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -72,7 +72,7 @@ provisioner: state_top: base: '*': - - nginx.ng + - nginx pillars: top.sls: base: diff --git a/nginx/ng/certificates.sls b/nginx/certificates.sls similarity index 50% rename from nginx/ng/certificates.sls rename to nginx/certificates.sls index 27e1396..e088dd2 100644 --- a/nginx/ng/certificates.sls +++ b/nginx/certificates.sls @@ -1,16 +1,16 @@ -{% from 'nginx/ng/map.jinja' import nginx with context %} +{% from 'nginx/map.jinja' import nginx with context %} include: - - nginx.ng.service + - nginx.service -{% set certificates_path = salt['pillar.get']('nginx:ng:certificates_path', '/etc/nginx/ssl') %} +{% set certificates_path = salt['pillar.get']('nginx:certificates_path', '/etc/nginx/ssl') %} -{%- for dh_param, value in salt['pillar.get']('nginx:ng:dh_param', {}).items() %} +{%- for dh_param, value in salt['pillar.get']('nginx:dh_param', {}).items() %} {%- if value is string %} create_nginx_dhparam_{{ dh_param }}_key: file.managed: - name: {{ certificates_path }}/{{ dh_param }} - - contents_pillar: nginx:ng:dh_param:{{ dh_param }} + - contents_pillar: nginx:dh_param:{{ dh_param }} - makedirs: True - watch_in: - service: nginx_service 
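Review bot: In nginx/certificates.sls the default for `certificates_path` stays hard-coded to `/etc/nginx/ssl` and is read straight from pillar, bypassing the per-OS lookup that the file imports from nginx/map.jinja on its first line. On FreeBSD that map places the configuration under `/usr/local/etc/nginx`, so dhparam files and keys would presumably be written outside the nginx tree unless the pillar overrides the path. Consider adding a `certificates_path` entry to each OS block of the lookup and using it as the fallback, `salt['pillar.get']('nginx:certificates_path', nginx.lookup.certificates_path)`. The `for` loop over `dh_param` closes outside this hunk.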
@@ -30,30 +30,30 @@ generate_nginx_dhparam_{{ dh_param }}_key: {%- endif %} {%- endfor %} -{%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %} +{%- for domain in salt['pillar.get']('nginx:certificates', {}).keys() %} nginx_{{ domain }}_ssl_certificate: file.managed: - name: {{ certificates_path }}/{{ domain }}.crt - makedirs: True -{% if salt['pillar.get']("nginx:ng:certificates:{}:public_cert_pillar".format(domain)) %} - - contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:public_cert_pillar'.format(domain))}} +{% if salt['pillar.get']("nginx:certificates:{}:public_cert_pillar".format(domain)) %} + - contents_pillar: {{salt['pillar.get']('nginx:certificates:{}:public_cert_pillar'.format(domain))}} {% else %} - - contents_pillar: nginx:ng:certificates:{{ domain }}:public_cert + - contents_pillar: nginx:certificates:{{ domain }}:public_cert {% endif %} - watch_in: - service: nginx_service -{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain))%} +{% if salt['pillar.get']("nginx:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain))%} nginx_{{ domain }}_ssl_key: file.managed: - name: {{ certificates_path }}/{{ domain }}.key - mode: 600 - makedirs: True -{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain)) %} - - contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:private_key_pillar'.format(domain))}} +{% if salt['pillar.get']("nginx:certificates:{}:private_key_pillar".format(domain)) %} + - contents_pillar: {{salt['pillar.get']('nginx:certificates:{}:private_key_pillar'.format(domain))}} {% else %} - - contents_pillar: nginx:ng:certificates:{{ domain }}:private_key + - contents_pillar: nginx:certificates:{{ domain }}:private_key {% endif %} - watch_in: - service: nginx_service 
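Review bot: The `nginx_{{ domain }}_ssl_key` state in nginx/certificates.sls writes the private key with `file.managed` and `contents_pillar` but does not set `show_changes`, so a key rotation can put a unified diff of the key material into the state return, and from there into the job cache and any configured returner. Add `- show_changes: False` to that state. While there, quote the mode and pin the owner, `- mode: '0600'` and `- user: root`, so the result does not depend on YAML integer parsing or on the minion's defaults. The surrounding `for` loop over the certificates closes outside this hunk.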
diff --git a/nginx/common.sls b/nginx/common.sls deleted file mode 100644 index ce79f73..0000000 --- a/nginx/common.sls +++ /dev/null @@ -1,58 +0,0 @@ -{% from "nginx/map.jinja" import nginx as nginx_map with context %} -{% set nginx = pillar.get('nginx', {}) -%} -{% set home = nginx.get('home', nginx_map.home) -%} -{% set conf_dir = nginx.get('conf_dir', nginx_map.conf_dir) -%} -{% set conf_template = nginx.get('conf_template', 'salt://nginx/templates/config.jinja') -%} - -{{ home }}: - file: - - directory - - user: {{ nginx_map.default_user }} - - group: {{ nginx_map.default_group }} - - mode: 0755 - - makedirs: True - - require: - {%- if pillar.get('nginx', {}).get('install_from_source', false) %} - - user: {{ nginx_map.default_user }} - - group: {{ nginx_map.default_group }} - {%- else %} - - pkg: nginx - {% endif %} - -/usr/share/nginx: - file: - - directory - -{% for filename in ('default', 'example_ssl') %} -{{ conf_dir }}/conf.d/{{ filename }}.conf: - file.absent -{% endfor %} - -{{ conf_dir }}: - file.directory: - - user: root - - group: root - - makedirs: True - -{{ conf_dir }}/nginx.conf: - file: - - managed - - template: jinja - - user: root - - group: root - - mode: 644 - - source: {{ conf_template }} - - require: - - file: {{ conf_dir }} - - context: - default_user: {{ nginx_map.default_user }} - default_group: {{ nginx_map.default_group }} - -{% if nginx.get('init_conf_dirs', True) %} -{% for dir in ('sites-enabled', 'sites-available') %} -{{ conf_dir }}/{{ dir }}: - file.directory: - - user: root - - group: root -{% endfor -%} -{% endif %} diff --git a/nginx/ng/config.sls b/nginx/config.sls similarity index 82% rename from nginx/ng/config.sls rename to nginx/config.sls index 1fc5dfa..b1757cb 100644 --- a/nginx/ng/config.sls +++ b/nginx/config.sls 
@@ -1,8 +1,8 @@ -# nginx.ng.config +# nginx.config # # Manages the main nginx server configuration file. -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} {% if nginx.install_from_source %} nginx_log_dir: @@ -15,7 +15,7 @@ nginx_log_dir: {% if 'source_path' in nginx.server.config %} {% set source_path = nginx.server.config.source_path %} {% else %} -{% set source_path = 'salt://nginx/ng/files/nginx.conf' %} +{% set source_path = 'salt://nginx/files/nginx.conf' %} {% endif %} nginx_config: file.managed: diff --git a/nginx/ng/files/nginx.conf b/nginx/files/nginx.conf similarity index 100% rename from nginx/ng/files/nginx.conf rename to nginx/files/nginx.conf diff --git a/nginx/ng/files/nginx.service b/nginx/files/nginx.service similarity index 100% rename from nginx/ng/files/nginx.service rename to nginx/files/nginx.service diff --git a/nginx/ng/files/server.conf b/nginx/files/server.conf similarity index 100% rename from nginx/ng/files/server.conf rename to nginx/files/server.conf diff --git a/nginx/init.sls b/nginx/init.sls index 8e4d042..1898bab 100644 --- a/nginx/init.sls +++ b/nginx/init.sls 
@@ -1,18 +1,30 @@ -{% from "nginx/map.jinja" import nginx as nginx_map with context %} +# nginx +# +# Meta-state to fully install nginx. + +{% from 'nginx/map.jinja' import nginx, sls_block with context %} include: - - nginx.common -{% if salt['pillar.get']('nginx:use_upstart', nginx_map['use_upstart']) %} - - nginx.upstart -{% elif salt['pillar.get']('nginx:use_sysvinit', nginx_map['use_sysvinit']) %} - - nginx.sysvinit -{% endif %} -{% if pillar.get('nginx', {}).get('user_auth_enabled', true) %} - - nginx.users -{% endif %} -{% if pillar.get('nginx', {}).get('install_from_source', false) %} - - nginx.source -{% else %} - - nginx.package -{% endif -%} + - nginx.config + - nginx.service + {% if nginx.snippets is defined %} + - nginx.snippets + {% endif %} + - nginx.servers + - nginx.certificates +extend: + nginx_service: + service: + - listen: + - file: nginx_config + - require: + - file: nginx_config + nginx_config: + file: + - require: + {% if nginx.install_from_source %} + - cmd: nginx_install + {% else %} + - pkg: nginx_install + {% endif %} diff --git a/nginx/luajit2.sls b/nginx/luajit2.sls deleted file mode 100644 index e24459f..0000000 --- a/nginx/luajit2.sls +++ /dev/null @@ -1,16 +0,0 @@ -{% set nginx = pillar.get('nginx', {}) -%} -{% set home = nginx.get('home', '/var/www') -%} -{% set source = nginx.get('source_root', '/usr/local/src') -%} - -get-luajit2: - file.managed: - - name: {{ source }}/luajit.tar.gz - - source: http://luajit.org/download/LuaJIT-2.0.1.tar.gz - - source_hash: sha1=330492aa5366e4e60afeec72f15e44df8a794db5 - cmd.wait: - - cwd: {{ nginx_home }} - - name: tar -zxf {{ source }}/luajit.tar.gz -C {{ source }} - - watch: - - file: get-luajit2 - - require_in: - - cmd: nginx \ No newline at end of file diff --git a/nginx/map.jinja b/nginx/map.jinja index 67f93ee..c99790d 100644 --- a/nginx/map.jinja +++ b/nginx/map.jinja 
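Review bot: The new nginx/init.sls gives no signal when a minion still carries the old `nginx:ng` pillar tree. After this rename the states read `nginx:*`, so existing servers, certificates and dh_param entries under `nginx:ng` are silently ignored and the run succeeds with the defaults from map.jinja. For a breaking change it is safer to fail the run, at least in this meta-state, while `nginx:ng` is still present. A guard placed right after the map import would do that, as sketched below; the state ID and message are suggestions.

```yaml
{% from 'nginx/map.jinja' import nginx, sls_block with context %}

{% if salt['pillar.get']('nginx:ng', none) is not none %}
nginx_legacy_ng_pillar_present:
  test.fail_without_changes:
    - name: 'pillar key nginx:ng is no longer read; move its contents under nginx'
    - failhard: True
{% endif %}

# … unchanged: include and extend blocks …
```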
@@ -1,65 +1,197 @@ -{% set nginx = salt['grains.filter_by']({ - 'Debian': { - 'apache_utils': 'apache2-utils', - 'group_action': 'pkg.installed', - 'group_pkg': 'build-essential', - 'libpcre_dev': 'libpcre3-dev', - 'libssl_dev': 'libssl-dev', - 'pid_path': '/var/run/nginx.pid', - 'package': 'nginx-full', - 'default_user': 'www-data', - 'default_group': 'www-data', - 'disable_before_rename': False, - 'old_init_disable': 'update-rc.d -f nginx remove', - 'use_upstart': True, - 'use_sysvinit': False, - 'home': '/var/www', - 'conf_dir': '/etc/nginx', - 'log_dir': '/var/log/nginx', - 'sbin_dir': '/usr/sbin', - 'install_prefix': '/usr/local/nginx', - 'make_flags': '-j2' +{% macro sls_block(dict) %} + {% for key, value in dict.items() %} + - {{ key }}: {{ value|json(sort_keys=False) }} + {% endfor %} +{% endmacro %} + +{% set nginx = salt['pillar.get']('nginx', { + 'lookup': salt['grains.filter_by']({ + 'Debian': { + 'package': 'nginx', + 'passenger_package': 'passenger', + 'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', + 'service': 'nginx', + 'webuser': 'www-data', + 'conf_file': '/etc/nginx/nginx.conf', + 'server_available': '/etc/nginx/sites-available', + 'server_enabled': '/etc/nginx/sites-enabled', + 'snippets_dir': '/etc/nginx/snippets', + 'server_use_symlink': True, + 'pid_file': '/run/nginx.pid', + 'openssl_package': 'openssl', + }, + 'CentOS': { + 'package': 'nginx', + 'passenger_package': 'passenger', + 'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', + 'service': 'nginx', + 'webuser': 'nginx', + 'conf_file': '/etc/nginx/nginx.conf', + 'server_available': '/etc/nginx/conf.d', + 'server_enabled': '/etc/nginx/conf.d', + 'snippets_dir': '/etc/nginx/snippets', + 'server_use_symlink': False, + 'pid_file': '/run/nginx.pid', + 'rh_os_releasever': '$releasever', + 'gpg_check': False, + 'gpg_key': 'http://nginx.org/keys/nginx_signing.key', + 'openssl_package': 'openssl', + }, + 'RedHat': { + 'package': 'nginx', + 'passenger_package': 'passenger', 
+ 'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', + 'service': 'nginx', + 'webuser': 'nginx', + 'conf_file': '/etc/nginx/nginx.conf', + 'server_available': '/etc/nginx/conf.d', + 'server_enabled': '/etc/nginx/conf.d', + 'snippets_dir': '/etc/nginx/snippets', + 'server_use_symlink': False, + 'pid_file': '/run/nginx.pid', + 'rh_os_releasever': '$releasever', + 'gpg_check': False, + 'gpg_key': 'http://nginx.org/keys/nginx_signing.key', + 'passenger': { + 'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', + 'passenger_instance_registry_dir': ' /var/run/passenger-instreg', + 'passenger_ruby': '/usr/bin/ruby', + }, + 'openssl_package': 'openssl', + }, + 'Suse': { + 'package': 'nginx', + 'service': 'nginx', + 'webuser': 'nginx', + 'conf_file': '/etc/nginx/nginx.conf', + 'server_available': '/etc/nginx/vhosts.d', + 'server_enabled': '/etc/nginx/vhosts.d', + 'snippets_dir': '/etc/nginx/snippets', + 'server_use_symlink': False, + 'pid_file': '/run/nginx.pid', + 'gpg_check': True, + 'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_{{ grains.osrelease }}/repodata/repomd.xml.key', + 'openssl_package': 'openssl', + }, + 'Arch': { + 'package': 'nginx', + 'service': 'nginx', + 'webuser': 'http', + 'conf_file': '/etc/nginx/nginx.conf', + 'server_available': '/etc/nginx/sites-available', + 'server_enabled': '/etc/nginx/sites-enabled', + 'snippets_dir': '/etc/nginx/snippets', + 'server_use_symlink': True, + 'openssl_package': 'openssl', + }, + 'Gentoo': { + 'package': 'www-servers/nginx', + 'service': 'nginx', + 'webuser': 'nginx', + 'conf_file': '/etc/nginx/nginx.conf', + 'server_available': '/etc/nginx/sites-available', + 'server_enabled': '/etc/nginx/sites-enabled', + 'snippets_dir': '/etc/nginx/snippets', + 'server_use_symlink': True, + 'openssl_package': 'dev-libs/openssl', + }, + 'FreeBSD': { + 'package': 'nginx', + 'passenger_package': 'passenger', + 'service': 'nginx', + 'webuser': 'www', + 'conf_file': 
'/usr/local/etc/nginx/nginx.conf', + 'server_available': '/usr/local/etc/nginx/sites-available', + 'server_enabled': '/usr/local/etc/nginx/sites-enabled', + 'snippets_dir': '/usr/local/etc/nginx/snippets', + 'server_use_symlink': True, + 'pid_file': '/var/run/nginx.pid', + }, + }, default='Debian' ), + 'install_from_source': False, + 'install_from_ppa': False, + 'install_from_repo': False, + 'install_from_phusionpassenger': False, + 'ppa_version': 'stable', + 'source_version': '1.10.0', + 'source_hash': '8ed647c3dd65bc4ced03b0e0f6bf9e633eff6b01bac772bcf97077d58bc2be4d', + 'source': { + 'opts': {}, }, - 'RedHat': { - 'apache_utils': 'httpd-tools', - 'group_action': 'pkg.group_installed', - 'group_pkg': 'Development Tools', - 'libpcre_dev': 'pcre-devel', - 'libssl_dev': 'openssl-devel', - 'pid_path': '/run/nginx.pid', - 'package': 'nginx', - 'default_user': 'nginx', - 'default_group': 'nginx', - 'disable_before_rename': True, - 'old_init_disable': 'chkconfig --del nginx', - 'use_upstart': True, - 'use_sysvinit': False, - 'home': '/var/www', - 'conf_dir': '/etc/nginx', - 'log_dir': '/var/log/nginx', - 'sbin_dir': '/usr/sbin', - 'install_prefix': '/usr/local/nginx', - 'make_flags': '-j2' + 'package': { + 'opts': {}, }, - 'Suse': { - 'apache_utils': 'apache2-utils', - 'group_action': 'pkg.installed', - 'group_pkg': 'patterns-devel-base-devel_rpm_build', - 'libpcre_dev': 'pcre-devel', - 'libssl_dev': 'openssl-devel', - 'pid_path': '/run/nginx.pid', - 'package': 'nginx', - 'default_user': 'nginx', - 'default_group': 'nginx', - 'disable_before_rename': True, - 'old_init_disable': 'chkconfig --del nginx', - 'use_upstart': False, - 'use_sysvinit': False, - 'home': '/srv/www', - 'conf_dir': '/etc/nginx', - 'log_dir': '/var/log/nginx', - 'sbin_dir': '/usr/sbin', - 'install_prefix': '/usr/local/nginx', - 'make_flags': '-j2' + 'service': { + 'enable': True, + 'opts': {}, }, -}, grain='os_family', merge=salt['pillar.get']('nginx:lookup'), default='Debian') %} + 'server': { + 
'opts': {}, + 'config': { + 'worker_processes': 'auto', + 'events': { + 'worker_connections': 768, + }, + 'http': { + 'sendfile': 'on', + 'tcp_nopush': 'on', + 'tcp_nodelay': 'on', + 'keepalive_timeout': '65', + 'types_hash_max_size': '2048', + 'default_type': 'application/octet-stream', + 'access_log': '/var/log/nginx/access.log', + 'error_log': '/var/log/nginx/error.log', + 'gzip': 'off', + 'gzip_disable': '"msie6"', + 'include': [ + 'mime.types', + 'conf.d/*.conf', + 'sites-enabled/*', + ], + }, + }, + }, + 'servers': { + 'disabled_postfix': '.disabled', + 'symlink_opts': {}, + 'rename_opts': {}, + 'managed_opts': { + 'makedirs': True, + }, + 'dir_opts': { + 'makedirs': True, + }, + 'managed': {}, + }, + 'passenger': { + 'passenger_root': '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', + 'passenger_ruby': '/usr/bin/ruby', + }, +}, merge=True) %} + +{% if 'user' not in nginx.server.config %} +{% do nginx.server.config.update({ + 'user': nginx.lookup.webuser, +})%} +{% endif %} + +{% if 'pid' not in nginx.server.config and 'pid_file' in nginx.lookup %} +{% do nginx.server.config.update({ + 'pid': nginx.lookup.pid_file, +})%} +{% endif %} + +{% if salt['grains.get']('os_family') == 'RedHat' %} +{% do nginx.passenger.update({ + 'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', + 'passenger_instance_registry_dir': '/var/run/passenger-instreg', +})%} + {% if salt['grains.get']('osfinger') == 'CentOS-6' %} + {% do nginx.server.config.update({ + 'pid': '/var/run/nginx.pid', + })%} + {% do nginx.passenger.update({ + 'passenger_root': '/usr/lib/ruby/1.8/phusion_passenger/locations.ini', + })%} + {% endif %} +{% endif %} diff --git a/nginx/ng/init.sls b/nginx/ng/init.sls deleted file mode 100644 index 411aeec..0000000 --- a/nginx/ng/init.sls +++ /dev/null 
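Review bot: The CentOS and RedHat lookup blocks in nginx/map.jinja default to `'gpg_check': False` and point `gpg_key` at `http://nginx.org/keys/nginx_signing.key`, so wherever this map feeds the repository state (not visible in this hunk) packages from the nginx repo would be installed without signature verification and the signing key would be fetched over plain HTTP. Now that these are the formula's only defaults, prefer `'gpg_check': True,` and `'gpg_key': 'https://nginx.org/keys/nginx_signing.key',`; the Suse block already enables the check but also uses an `http://` key URL. Separately, the RedHat `passenger_instance_registry_dir` value inside the lookup appears to start with a stray space inside the quotes.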
@@ -1,30 +0,0 @@ -# nginx.ng -# -# Meta-state to fully install nginx. - -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} - -include: - - nginx.ng.config - - nginx.ng.service - {% if nginx.snippets is defined %} - - nginx.ng.snippets - {% endif %} - - nginx.ng.servers - - nginx.ng.certificates - -extend: - nginx_service: - service: - - listen: - - file: nginx_config - - require: - - file: nginx_config - nginx_config: - file: - - require: - {% if nginx.install_from_source %} - - cmd: nginx_install - {% else %} - - pkg: nginx_install - {% endif %} diff --git a/nginx/ng/map.jinja b/nginx/ng/map.jinja deleted file mode 100644 index 9e1f5e2..0000000 --- a/nginx/ng/map.jinja +++ /dev/null 
@@ -1,197 +0,0 @@ -{% macro sls_block(dict) %} - {% for key, value in dict.items() %} - - {{ key }}: {{ value|json(sort_keys=False) }} - {% endfor %} -{% endmacro %} - -{% set nginx = salt['pillar.get']('nginx:ng', { - 'lookup': salt['grains.filter_by']({ - 'Debian': { - 'package': 'nginx', - 'passenger_package': 'passenger', - 'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', - 'service': 'nginx', - 'webuser': 'www-data', - 'conf_file': '/etc/nginx/nginx.conf', - 'server_available': '/etc/nginx/sites-available', - 'server_enabled': '/etc/nginx/sites-enabled', - 'snippets_dir': '/etc/nginx/snippets', - 'server_use_symlink': True, - 'pid_file': '/run/nginx.pid', - 'openssl_package': 'openssl', - }, - 'CentOS': { - 'package': 'nginx', - 'passenger_package': 'passenger', - 'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', - 'service': 'nginx', - 'webuser': 'nginx', - 'conf_file': '/etc/nginx/nginx.conf', - 'server_available': '/etc/nginx/conf.d', - 'server_enabled': '/etc/nginx/conf.d', - 'snippets_dir': '/etc/nginx/snippets', - 'server_use_symlink': False, - 'pid_file': '/run/nginx.pid', - 'rh_os_releasever': '$releasever', - 'gpg_check': False, - 'gpg_key': 'http://nginx.org/keys/nginx_signing.key', - 'openssl_package': 'openssl', - }, - 'RedHat': { - 'package': 'nginx', - 'passenger_package': 'passenger', - 'passenger_config_file': '/etc/nginx/conf.d/passenger.conf', - 'service': 'nginx', - 'webuser': 'nginx', - 'conf_file': '/etc/nginx/nginx.conf', - 'server_available': '/etc/nginx/conf.d', - 'server_enabled': '/etc/nginx/conf.d', - 'snippets_dir': '/etc/nginx/snippets', - 'server_use_symlink': False, - 'pid_file': '/run/nginx.pid', - 'rh_os_releasever': '$releasever', - 'gpg_check': False, - 'gpg_key': 'http://nginx.org/keys/nginx_signing.key', - 'passenger': { - 'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', - 'passenger_instance_registry_dir': ' /var/run/passenger-instreg', - 'passenger_ruby': 
'/usr/bin/ruby', - }, - 'openssl_package': 'openssl', - }, - 'Suse': { - 'package': 'nginx', - 'service': 'nginx', - 'webuser': 'nginx', - 'conf_file': '/etc/nginx/nginx.conf', - 'server_available': '/etc/nginx/vhosts.d', - 'server_enabled': '/etc/nginx/vhosts.d', - 'snippets_dir': '/etc/nginx/snippets', - 'server_use_symlink': False, - 'pid_file': '/run/nginx.pid', - 'gpg_check': True, - 'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_{{ grains.osrelease }}/repodata/repomd.xml.key', - 'openssl_package': 'openssl', - }, - 'Arch': { - 'package': 'nginx', - 'service': 'nginx', - 'webuser': 'http', - 'conf_file': '/etc/nginx/nginx.conf', - 'server_available': '/etc/nginx/sites-available', - 'server_enabled': '/etc/nginx/sites-enabled', - 'snippets_dir': '/etc/nginx/snippets', - 'server_use_symlink': True, - 'openssl_package': 'openssl', - }, - 'Gentoo': { - 'package': 'www-servers/nginx', - 'service': 'nginx', - 'webuser': 'nginx', - 'conf_file': '/etc/nginx/nginx.conf', - 'server_available': '/etc/nginx/sites-available', - 'server_enabled': '/etc/nginx/sites-enabled', - 'snippets_dir': '/etc/nginx/snippets', - 'server_use_symlink': True, - 'openssl_package': 'dev-libs/openssl', - }, - 'FreeBSD': { - 'package': 'nginx', - 'passenger_package': 'passenger', - 'service': 'nginx', - 'webuser': 'www', - 'conf_file': '/usr/local/etc/nginx/nginx.conf', - 'server_available': '/usr/local/etc/nginx/sites-available', - 'server_enabled': '/usr/local/etc/nginx/sites-enabled', - 'snippets_dir': '/usr/local/etc/nginx/snippets', - 'server_use_symlink': True, - 'pid_file': '/var/run/nginx.pid', - }, - }, default='Debian' ), - 'install_from_source': False, - 'install_from_ppa': False, - 'install_from_repo': False, - 'install_from_phusionpassenger': False, - 'ppa_version': 'stable', - 'source_version': '1.10.0', - 'source_hash': '8ed647c3dd65bc4ced03b0e0f6bf9e633eff6b01bac772bcf97077d58bc2be4d', - 'source': { - 'opts': {}, - }, - 'package': { - 'opts': {}, - 
}, - 'service': { - 'enable': True, - 'opts': {}, - }, - 'server': { - 'opts': {}, - 'config': { - 'worker_processes': 'auto', - 'events': { - 'worker_connections': 768, - }, - 'http': { - 'sendfile': 'on', - 'tcp_nopush': 'on', - 'tcp_nodelay': 'on', - 'keepalive_timeout': '65', - 'types_hash_max_size': '2048', - 'default_type': 'application/octet-stream', - 'access_log': '/var/log/nginx/access.log', - 'error_log': '/var/log/nginx/error.log', - 'gzip': 'off', - 'gzip_disable': '"msie6"', - 'include': [ - 'mime.types', - 'conf.d/*.conf', - 'sites-enabled/*', - ], - }, - }, - }, - 'servers': { - 'disabled_postfix': '.disabled', - 'symlink_opts': {}, - 'rename_opts': {}, - 'managed_opts': { - 'makedirs': True, - }, - 'dir_opts': { - 'makedirs': True, - }, - 'managed': {}, - }, - 'passenger': { - 'passenger_root': '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', - 'passenger_ruby': '/usr/bin/ruby', - }, -}, merge=True) %} - -{% if 'user' not in nginx.server.config %} -{% do nginx.server.config.update({ - 'user': nginx.lookup.webuser, -})%} -{% endif %} - -{% if 'pid' not in nginx.server.config and 'pid_file' in nginx.lookup %} -{% do nginx.server.config.update({ - 'pid': nginx.lookup.pid_file, -})%} -{% endif %} - -{% if salt['grains.get']('os_family') == 'RedHat' %} -{% do nginx.passenger.update({ - 'passenger_root': '/usr/share/ruby/vendor_ruby/phusion_passenger/locations.ini', - 'passenger_instance_registry_dir': '/var/run/passenger-instreg', -})%} - {% if salt['grains.get']('osfinger') == 'CentOS-6' %} - {% do nginx.server.config.update({ - 'pid': '/var/run/nginx.pid', - })%} - {% do nginx.passenger.update({ - 'passenger_root': '/usr/lib/ruby/1.8/phusion_passenger/locations.ini', - })%} - {% endif %} -{% endif %} diff --git a/nginx/openresty.sls b/nginx/openresty.sls deleted file mode 100644 index 23764df..0000000 --- a/nginx/openresty.sls +++ /dev/null 
@@ -1,31 +0,0 @@ -{% set nginx = pillar.get('nginx', {}) -%} -{% set home = nginx.get('home', '/var/www') -%} -{% set source = nginx.get('source_root', '/usr/local/src') -%} - -{% set openresty = nginx.get('openresty', {}) -%} -{% set openresty_version = openresty.get('version', '1.2.7.8') -%} -{% set openresty_checksum = openresty.get('checksum', 'sha1=f8bee501529ffec33f9cabc00ea4ca512a8d7b59') -%} -{% set openresty_package = source + '/openresty-' + openresty_version + '.tar.gz' -%} - -get-openresty: - file.managed: - - name: {{ openresty_package }} - - source: http://openresty.org/download/ngx_openresty-{{ openresty_version }}.tar.gz - - source_hash: {{ openresty_checksum }} - cmd.wait: - - cwd: {{ source }} - - name: tar -zxf {{ openresty_package }} -C {{ home }} - - watch: - - file: get-openresty - -install_openresty: - cmd.wait: - - cwd: {{ home }}/ngx_openresty-{{ openresty_version }} - - names: - - ./configure --with-luajit \ - --with-http_drizzle_module \ - --with-http_postgres_module \ - --with-http_iconv_module - - make && make install - - watch: - - cmd: get-openresty diff --git a/nginx/package.sls b/nginx/package.sls deleted file mode 100644 index 3229ae2..0000000 --- a/nginx/package.sls +++ /dev/null 
@@ -1,128 +0,0 @@ -{% from "nginx/map.jinja" import nginx with context %} -{% set use_upstart = salt['pillar.get']('nginx:use_upstart', nginx['use_upstart']) %} -{% if use_upstart %} -nginx-old-init: - file.rename: - - name: /usr/share/nginx/init.d - - source: /etc/init.d/nginx - - require_in: - - file: nginx - - require: - - pkg: nginx - - force: True -{% if grains.get('os_family') == 'Debian' %} -# Don't dpkg-divert if we are not Debian based! - cmd.wait: - - name: dpkg-divert --divert /usr/share/nginx/init.d --add /etc/init.d/nginx - - require: - - module: nginx-old-init - - watch: - - file: nginx-old-init - - require_in: - - file: nginx -{% endif %} - module.wait: - - name: cmd.run - - cmd: sh -c "kill `cat /var/run/nginx.pid`" - - watch: - - file: nginx-old-init - - require_in: - - file: nginx - - onlyif: [ -e /var/run/nginx.pid ] - -# RedHat requires the init file in place to chkconfig off -{% if nginx['disable_before_rename'] %} - {% set _in = '_in' %} -{% else %} - {% set _in = '' %} -{% endif %} - -nginx-old-init-disable: - cmd.run: - - name: {{ nginx.old_init_disable }} - - require{{ _in }}: - - module: nginx-old-init - - onlyif: [ -f /etc/init.d/nginx ] -{% endif %} - -{% if grains.get('os_family') == 'Debian' %} - -{% set repo_source = pillar.get('nginx', {}).get('repo_source', 'default') %} -{% set use_ppa = repo_source == 'ppa' and grains.get('os') == 'Ubuntu' %} -{% set use_official = repo_source == 'official' and grains.get('os') in ('Ubuntu', 'Debian') %} - -nginx-ppa-repo: - pkgrepo: - {%- if use_ppa %} - - managed - {%- else %} - - absent - {%- endif %} - - humanname: nginx-ppa-{{ grains['oscodename'] }} - - name: deb http://ppa.launchpad.net/nginx/{{ pillar.get('nginx', {}).get('repo_version', 'stable') }}/ubuntu {{ grains['oscodename'] }} main - - file: /etc/apt/sources.list.d/nginx-{{ pillar.get('nginx', {}).get('repo_version', 'stable') }}-{{ grains['oscodename'] }}.list - - dist: {{ grains['oscodename'] }} - - keyid: C300EE8C - - keyserver: 
keyserver.ubuntu.com - - require_in: - - pkg: nginx - - watch_in: - - pkg: nginx - -nginx-official-repo: - pkgrepo: - {%- if use_official %} - - managed - {%- else %} - - absent - {%- endif %} - - humanname: nginx apt repo - - name: deb http://nginx.org/packages/{{ grains['os'].lower() }}/ {{ grains['oscodename'] }} nginx - - file: /etc/apt/sources.list.d/nginx-official-{{ grains['oscodename'] }}.list - - keyid: ABF5BD827BD9BF62 - - keyserver: keyserver.ubuntu.com - - require_in: - - pkg: nginx - - watch_in: - - pkg: nginx - -{% endif %} - -nginx: - pkg.installed: - - name: {{ nginx.package }} -{% if use_upstart %} - file.managed: - - name: /etc/init/nginx.conf - - template: jinja - - user: root - - group: root - - mode: 440 - - source: salt://nginx/templates/upstart.jinja - - require: - - pkg: nginx - - file: nginx-old-init - - module: nginx-old-init -{% endif %} - service.running: - - enable: True - - restart: True - - watch: -{% if use_upstart %} - - file: nginx -{% endif %} -{% set conf_dir = salt['pillar.get']('nginx:conf_dir', '/etc/nginx') %} - - file: {{ conf_dir }}/nginx.conf - - file: {{ conf_dir }}/conf.d/default.conf - - file: {{ conf_dir }}/conf.d/example_ssl.conf - - pkg: nginx - -# Create 'service' symlink for tab completion. -# This is not supported in os_family RedHat and likely only works in -# Debian-based distros -{% if use_upstart and grains['os_family'] == 'Debian' %} -/etc/init.d/nginx: - file.symlink: - - target: /lib/init/upstart-job - - force: True -{% endif %} diff --git a/nginx/ng/passenger.sls b/nginx/passenger.sls similarity index 82% rename from nginx/ng/passenger.sls rename to nginx/passenger.sls index 7b6eefd..49fe598 100644 --- a/nginx/ng/passenger.sls +++ b/nginx/passenger.sls 
@@ -1,14 +1,14 @@ -# nginx.ng.passenger +# nginx.passenger # # Manages installation of passenger from repo. # Requires install_from_phusionpassenger = True -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} {% if salt['grains.get']('os_family') in ['Debian', 'RedHat'] %} include: - - nginx.ng.pkg - - nginx.ng.service + - nginx.pkg + - nginx.service passenger_install: pkg.installed: @@ -27,7 +27,7 @@ passenger_config: file.managed: {{ sls_block(nginx.server.opts) }} - name: {{ nginx.lookup.passenger_config_file }} - - source: salt://nginx/ng/files/nginx.conf + - source: salt://nginx/files/nginx.conf - template: jinja - context: config: {{ nginx.passenger|json() }} diff --git a/nginx/ng/pkg.sls b/nginx/pkg.sls similarity index 98% rename from nginx/ng/pkg.sls rename to nginx/pkg.sls index e53032f..280c8be 100644 --- a/nginx/ng/pkg.sls +++ b/nginx/pkg.sls @@ -1,8 +1,8 @@ -# nginx.ng.pkg +# nginx.pkg # # Manages installation of nginx from pkg. -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} {%- if nginx.install_from_repo %} {% set from_official = true %} {% set from_ppa = false %} diff --git a/nginx/ng/servers.sls b/nginx/servers.sls similarity index 66% rename from nginx/ng/servers.sls rename to nginx/servers.sls index 7365a46..abf6a64 100644 --- a/nginx/ng/servers.sls +++ b/nginx/servers.sls 
@@ -1,10 +1,10 @@ -# nginx.ng.servers +# nginx.servers # # Manages virtual hosts and their relationship to the nginx service. -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} -{% from 'nginx/ng/servers_config.sls' import server_states with context %} -{% from 'nginx/ng/service.sls' import service_function with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/servers_config.sls' import server_states with context %} +{% from 'nginx/service.sls' import service_function with context %} {% macro file_requisites(states) %} {%- for state in states %} @@ -13,8 +13,8 @@ {% endmacro %} include: - - nginx.ng.service - - nginx.ng.servers_config + - nginx.service + - nginx.servers_config {% if server_states|length() > 0 %} nginx_service_reload: diff --git a/nginx/ng/servers_config.sls b/nginx/servers_config.sls similarity index 97% rename from nginx/ng/servers_config.sls rename to nginx/servers_config.sls index 3ee5782..43000ca 100644 --- a/nginx/ng/servers_config.sls +++ b/nginx/servers_config.sls @@ -1,8 +1,8 @@ -# nginx.ng.servers_config +# nginx.servers_config # # Manages the configuration of virtual host files. -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} {% set server_states = [] %} # Simple path concatenation. @@ -104,7 +104,7 @@ nginx_server_available_dir: {% if 'source_path' in settings.config %} {% set source_path = settings.config.source_path %} {% else %} -{% set source_path = 'salt://nginx/ng/files/server.conf' %} +{% set source_path = 'salt://nginx/files/server.conf' %} {% endif %} {{ conf_state_id }}: file.managed: diff --git a/nginx/ng/service.sls b/nginx/service.sls similarity index 76% rename from nginx/ng/service.sls rename to nginx/service.sls index 59fe80f..5d58fc1 100644 --- a/nginx/ng/service.sls +++ b/nginx/service.sls 
@@ -1,22 +1,22 @@ -# nginx.ng.service +# nginx.service # # Manages the nginx service. -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} {% set service_function = {True:'running', False:'dead'}.get(nginx.service.enable) %} include: {% if nginx.install_from_source %} - - nginx.ng.src + - nginx.src {% else %} - - nginx.ng.pkg + - nginx.pkg {% endif %} {% if nginx.install_from_source %} nginx_systemd_service_file: file.managed: - name: /lib/systemd/system/nginx.service - - source: salt://nginx/ng/files/nginx.service + - source: salt://nginx/files/nginx.service {% endif %} nginx_service: @@ -26,9 +26,9 @@ nginx_service: - enable: {{ nginx.service.enable }} - require: {% if nginx.install_from_source %} - - sls: nginx.ng.src + - sls: nginx.src {% else %} - - sls: nginx.ng.pkg + - sls: nginx.pkg {% endif %} - listen: {% if nginx.install_from_source %} diff --git a/nginx/ng/snippets.sls b/nginx/snippets.sls similarity index 75% rename from nginx/ng/snippets.sls rename to nginx/snippets.sls index 8635f2d..3ceb2cc 100644 --- a/nginx/ng/snippets.sls +++ b/nginx/snippets.sls @@ -1,8 +1,8 @@ -# nginx.ng.snippet +# nginx.snippet # # Manages creation of snippets -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} nginx_snippets_dir: file.directory: @@ -13,7 +13,7 @@ nginx_snippets_dir: nginx_snippet_{{ snippet }}: file.managed: - name: {{ nginx.lookup.snippets_dir }}/{{ snippet }}.conf - - source: salt://nginx/ng/files/server.conf + - source: salt://nginx/files/server.conf - template: jinja - context: config: {{ config|json() }} diff --git a/nginx/source.sls b/nginx/source.sls deleted file mode 100644 index c7b257f..0000000 --- a/nginx/source.sls +++ /dev/null 
@@ -1,277 +0,0 @@ -{% from "nginx/map.jinja" import nginx as nginx_map with context %} - -{% set nginx = pillar.get('nginx', {}) -%} -{% set use_sysvinit = nginx.get('use_sysvinit', nginx_map['use_sysvinit']) %} -{% set version = nginx.get('version', '1.6.2') -%} -{% set tarball_url = nginx.get('tarball_url', 'http://nginx.org/download/nginx-' + version + '.tar.gz') -%} -{% set checksum = nginx.get('checksum', 'sha256=b5608c2959d3e7ad09b20fc8f9e5bd4bc87b3bc8ba5936a513c04ed8f1391a18') -%} -{% set home = nginx.get('home', nginx_map['home']) -%} -{% set base_temp_dir = nginx.get('base_temp_dir', '/tmp') -%} -{% set source = nginx.get('source_root', '/usr/local/src') -%} - -{% set conf_dir = nginx.get('conf_dir', nginx_map['conf_dir']) -%} -{% set conf_only = nginx.get('conf_only', false) -%} -{% set log_dir = nginx.get('log_dir', nginx_map['log_dir']) -%} -{% set pid_path = nginx.get('pid_path', nginx_map['pid_path']) -%} -{% set lock_path = nginx.get('lock_path', '/var/lock/nginx.lock') -%} -{% set sbin_dir = nginx.get('sbin_dir', nginx_map['sbin_dir']) -%} - -{% set install_prefix = nginx.get('install_prefix', nginx_map['install_prefix']) -%} -{% set with_items = nginx.get('with', ['debug', 'http_dav_module', 'http_stub_status_module', 'pcre', 'ipv6']) -%} -{% set without_items = nginx.get('without', []) -%} -{% set make_flags = nginx.get('make_flags', nginx_map['make_flags']) -%} - -{% set service_name = nginx.get('service_name', 'nginx') %} -{% set service_enable = nginx.get('service_enable', True) %} - -{% set nginx_package = source + '/nginx-' + version + '.tar.gz' -%} -{% set nginx_source = source + "/nginx-" + version -%} -{% set nginx_modules_dir = source + "/nginx-modules" -%} - -include: - - nginx.common -{% if nginx.get('with_luajit', false) %} - - nginx.luajit2 -{% endif -%} -{% if nginx.get('with_openresty', false) %} - - nginx.openresty -{% endif -%} - - -nginx_group: - group.present: - - name: {{ nginx_map.default_group }} - -nginx_user: - 
file.directory: - - name: {{ home }} - - user: {{ nginx_map.default_user }} - - group: {{ nginx_map.default_group }} - - mode: 0755 - - require: - - user: nginx_user - - group: nginx_group - user.present: - - name: {{ nginx_map.default_user }} - - home: {{ home }} - - groups: - - {{ nginx_map.default_group }} - - require: - - group: nginx_group - -{{ nginx_modules_dir }}: - file: - - directory - - makedirs: True - -get-build-tools: -{% if grains['saltversion'] < '2015.8.0' and grains['os_family'] == 'RedHat' %} - module.run: - - name: pkg.group_install - - m_name: {{ nginx_map.group_pkg }} -{% else %} - {{ nginx_map.group_action }}: - - name: {{ nginx_map.group_pkg }} -{% endif %} - -get-nginx: - pkg.installed: - - names: - - {{ nginx_map.libpcre_dev }} - - {{ nginx_map.libssl_dev }} - - file.managed: - - name: {{ nginx_package }} - - source: {{ tarball_url }} - - source_hash: {{ checksum }} - - require: - - file: {{ nginx_modules_dir }} - cmd.wait: - - cwd: {{ source }} - - name: tar --transform "s,^$(tar --list -zf nginx-{{ version }}.tar.gz | head -n 1),nginx-{{ version }}/," -zxf {{ nginx_package }} - - require: - - pkg: get-nginx - - file: get-nginx - - watch: - - file: get-nginx - -{% for name, module in nginx.get('modules', {}).items() -%} -get-nginx-{{name}}: - file.managed: - - name: {{ nginx_modules_dir }}/{{name}}.tar.gz - - source: {{ module['source'] }} - - source_hash: {{ module['source_hash'] }} - cmd.wait: - - cwd: {{ nginx_modules_dir }} - - names: - - tar --transform "s,^$(tar --list -zf {{name}}.tar.gz | head -n 1),{{name}}/," -zxf {{name}}.tar.gz - - watch: - - file: get-nginx-{{name}} - - require_in: - - cmd: nginx -{% endfor -%} - -{% if nginx.get('ngx_devel_kit', true) -%} -get-ngx_devel_kit: - file.managed: - - name: {{ source }}/ngx_devel_kit.tar.gz - - source: https://github.com/simpl/ngx_devel_kit/archive/v0.2.18.tar.gz - - source_hash: sha1=e21ba642f26047661ada678b21eef001ee2121d8 - cmd.wait: - - cwd: {{ source }} - - name: tar -zxf {{ 
source }}/ngx_devel_kit.tar.gz -C {{ source }} - - watch: - - file: get-ngx_devel_kit -{% endif %} - -is-nginx-source-modified: - cmd.run: - - cwd: {{ source }} - - stateful: True - - names: - - if [ ! -d "nginx-{{ version }}" ]; then - echo "changed=yes comment='Tarball has not yet been extracted'"; - exit 0; - fi; - cd "nginx-{{ version }}"; - m=$(find . \! -name "build.*" -newer {{ sbin_dir }}/nginx -print -quit); - r=$?; - if [ x$r != x0 ]; then - echo "changed=yes comment='binary file does not exist or other find error'"; - exit 0; - fi; - if [ x$m != "x" ]; then - echo "changed=yes comment='source files are newer than binary'"; - exit 0; - fi; - echo "changed=no comment='source files are older than binary'" - -{% for name, module in nginx.get('modules', {}).items() -%} -is-nginx-module-modified-{{name}}: - cmd.run: - - cwd: {{ nginx_modules_dir }}/{{name}} - - stateful: True - - names: - - m=$(find . \! -name "build.*" -newer {{ sbin_dir }}/nginx -print -quit); - r=$?; - if [ x$r != x0 ]; then - echo "changed=yes comment='binary file does not exist or other find error'"; - exit 0; - fi; - if [ x$m != "x" ]; then - echo "changed=yes comment='module source files are newer than binary'"; - exit 0; - fi; - echo "changed=no comment='module source files are older than binary'" -{% endfor -%} - -nginx: - cmd.wait: - - cwd: {{ nginx_source }} - - names: - - ( - {%- if nginx.get('debug_symbols', false) %} - CFLAGS="-g -O0" ./configure --conf-path={{ conf_dir }}/nginx.conf - {%- else %} - ./configure --conf-path={{ conf_dir }}/nginx.conf - {%- endif %} - --sbin-path={{ sbin_dir }}/nginx - --user={{ nginx_map.default_user }} - --group={{ nginx_map.default_group }} - --prefix={{ install_prefix }} - --http-log-path={{ log_dir }}/access.log - --error-log-path={{ log_dir }}/error.log - --pid-path={{ pid_path }} - --lock-path={{ lock_path }} - --http-client-body-temp-path={{ base_temp_dir }}/body - --http-proxy-temp-path={{ base_temp_dir }}/proxy - 
--http-fastcgi-temp-path={{ base_temp_dir }}/fastcgi - --http-uwsgi-temp-path={{ base_temp_dir }}/temp_uwsgi - --http-scgi-temp-path={{ base_temp_dir }}/temp_scgi - {%- for name, module in nginx.get('modules', {}).items() %} - --add-module={{nginx_modules_dir}}/{{name}} - {%- endfor %} - {%- for name in with_items %} - --with-{{ name }} - {%- endfor %} - {%- for name in without_items %} - --without-{{ name }} - {%- endfor %} - && make {{ make_flags }} - && make install - ) - {#- If they want to silence the compiler output, then save it to file so we can reference it later if needed #} - {%- if nginx.get('silence_compiler', true) %} - > {{ nginx_source }}/build.out 2> {{ nginx_source }}/build.err; - {#- If the build process failed, write stderr to stderr and exit with the error code #} - r=$?; - if [ x$r != x0 ]; then - cat {{ nginx_source }}/build.err 1>&2; {#- copy err output to stderr #} - exit $r; - fi; - {% endif %} - - watch: - - cmd: get-nginx - - cmd: is-nginx-source-modified - {% for name, module in nginx.get('modules', {}).items() -%} - - cmd: is-nginx-module-modified-{{name}} - - file: get-nginx-{{name}} - {% endfor %} -{% if use_sysvinit %} - - watch_in: - {% set logger_types = ('access', 'error') %} - {% for log_type in logger_types %} - - service: nginx-logger-{{ log_type }} - {% endfor %} -{% endif %} - - require: - - cmd: get-nginx - {% for name, module in nginx.get('modules', {}).items() -%} - - file: get-nginx-{{name}} - {% endfor %} -{% if use_sysvinit %} - file: - - managed - - template: jinja - - name: /etc/init.d/{{ service_name }} - - source: salt://nginx/templates/nginx.init.jinja - - user: root - - group: root - - mode: 0755 - - context: - service_name: {{ service_name }} - sbin_dir: {{ sbin_dir }} - pid_path: {{ pid_path }} -{% endif %} - service: -{% if service_enable %} - - running - - enable: True - - restart: True -{% else %} - - dead - - enable: False -{% endif %} - - name: {{ service_name }} - - watch: - - cmd: nginx - - file: {{ 
conf_dir }}/nginx.conf - - require: - - cmd: nginx - - file: {{ conf_dir }}/nginx.conf - -{% for file in nginx.get('delete_confs', []) %} -{{ conf_dir }}/{{ file }}: - file: - - absent - - require_in: - - service: nginx -{% endfor %} - -{% for file in nginx.get('delete_htdocs', []) %} -{{ install_prefix }}/html/{{ file }}: - file: - - absent - - require_in: - - service: nginx -{% endfor %} diff --git a/nginx/ng/src.sls b/nginx/src.sls similarity index 84% rename from nginx/ng/src.sls rename to nginx/src.sls index 1bd1c85..b97b8b9 100644 --- a/nginx/ng/src.sls +++ b/nginx/src.sls @@ -1,8 +1,8 @@ -# nginx.ng.src +# nginx.src # # Manages installation of nginx from source. -{% from 'nginx/ng/map.jinja' import nginx, sls_block with context %} +{% from 'nginx/map.jinja' import nginx, sls_block with context %} nginx_deps: pkg.installed: @@ -23,7 +23,7 @@ nginx_download: nginx_configure: cmd.run: - - name: ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path={{ nginx.lookup.conf_file or '/etc/nginx/nginx.conf' }} {{ nginx.source.opts | join(' ') }} + - name: ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path={{ nginx.lookup.conf_file }} {{ nginx.source.opts | join(' ') }} - cwd: /tmp/nginx-{{ nginx.source_version }} - onchanges: - archive: nginx_download diff --git a/nginx/sysvinit.sls b/nginx/sysvinit.sls deleted file mode 100644 index f7a6450..0000000 --- a/nginx/sysvinit.sls +++ /dev/null 
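Review bot: The new `--conf-path={{ nginx.lookup.conf_file }}` in `nginx_configure` (nginx/src.sls) drops the `or '/etc/nginx/nginx.conf'` fallback, so a pillar that overrides `nginx:lookup:conf_file` with an empty or null value would render a bare `--conf-path=`. This presumably relies on `nginx/map.jinja` always supplying a default, which this hunk does not show. If that guarantee is intended, state it in a comment above the state, e.g. `# conf_file default is provided by the lookup table in nginx/map.jinja`; otherwise keep a fallback with `{{ nginx.lookup.conf_file | default('/etc/nginx/nginx.conf', true) }}`. Separately, the unchanged `- cwd: /tmp/nginx-{{ nginx.source_version }}` runs the build in a predictable path under world-writable /tmp, presumably as root, so a root-owned build directory would be the safer choice. Both `nginx_download` and `nginx_configure` continue outside the hunk.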
@@ -1,34 +0,0 @@ -{% set nginx = pillar.get('nginx', {}) -%} -{% set log_dir = nginx.get('log_dir', '/var/log/nginx') -%} - -{% set logger_types = ('access', 'error') %} - -{% for log_type in logger_types %} -{{ log_dir }}/{{ log_type }}.log: - file.absent - -nginx-logger-{{ log_type }}: - file: - - managed - - name: /etc/init.d/nginx-logger-{{ log_type }} - - template: jinja - - user: root - - group: root - - mode: 755 - - source: - - salt://nginx/templates/{{ grains['os_family'] }}-sysvinit-logger.jinja - - salt://nginx/templates/sysvinit-logger.jinja - - context: - type: {{ log_type }} - service: - - running - - enable: True - - restart: True - - require: - - file: nginx-logger-{{ log_type }} - - require_in: - - service: nginx -{% endfor %} - -/etc/logrotate.d/nginx: - file.absent diff --git a/nginx/templates/RedHat-sysvinit-logger.jinja b/nginx/templates/RedHat-sysvinit-logger.jinja deleted file mode 100644 index 7da36f4..0000000 --- a/nginx/templates/RedHat-sysvinit-logger.jinja +++ /dev/null 
@@ -1,100 +0,0 @@ -#!/bin/bash -# /etc/init.d/nginx-logger-{{ type }} -# -# chkconfig: 345 84 16 -# description: Nginx logger for {{ type }} -# processname: nginx-logger-{{ type }} - -NAME=nginx-logger-{{ type }} -DESC="syslog forwarder for nginx {{type}} logs" -DAEMON=/usr/bin/logger -DAEMON_ARGS=" -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the daemon program isn't installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -. /etc/init.d/functions - -do_start() { - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - echo -n "Starting $NAME" - pid=$(cat $PIDFILE 2>/dev/null) - if [ -n "$pid" ]; then - failure - echo - return 1; - fi - - if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then - mkdir -p /var/log/nginx - mkfifo /var/log/nginx/{{ type }}.fifo - chown root.root /var/log/nginx/{{ type }}.fifo - chmod 660 /var/log/nginx/{{ type }}.fifo - fi - - $DAEMON $DAEMON_ARGS & - ERROR=$? - PID=$! - if [ $ERROR -eq 0 ]; then - success - echo - echo $PID > $PIDFILE - else - failure - echo - exit 2 - fi -} - -do_stop() { - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - echo -n Stopping $NAME - pid=$(cat $PIDFILE 2>/dev/null) - if [ $? -eq 0 ]; then - echo $pid | xargs kill 2&1>/dev/null - success - RETVAL=0 - else - failure - RETVAL=1 - fi - echo - - [ "$RETVAL" = 2 ] && return 2 - rm -f $PIDFILE - return "$RETVAL" -} - -case "$1" in - start) - do_start - ;; - stop) - do_stop - ;; - status) - status -p "$PIDFILE" "$DAEMON" && exit 0 || exit $? 
- ;; - restart|force-reload) - do_stop - do_start - ;; - *) - echo "Usage: /etc/init.d/nginx-logger-{{ type }} {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -exit 0 diff --git a/nginx/templates/config.jinja b/nginx/templates/config.jinja deleted file mode 100644 index 3d0a94f..0000000 --- a/nginx/templates/config.jinja +++ /dev/null 
@@ -1,79 +0,0 @@ -{% set nginx = pillar.get('nginx', {}) -%} -# defaults passed via context from the map.jinja -{% set user = nginx.get('user', default_user) -%} -{% set group = nginx.get('group', default_group) -%} -user {{ user }} {{ group }}; -worker_processes {{ nginx.get('worker_processes', 1) }}; -{% set worker_rlimit_nofile = nginx.get('worker_rlimit_nofile', '') -%} -{% if worker_rlimit_nofile -%} -worker_rlimit_nofile {{ worker_rlimit_nofile }}; -{% endif -%} - -{% set error_log_location = nginx.get('error_log',{}).get('location', '/var/log/nginx/error.fifo') -%} -{% set error_log_level = nginx.get('error_log',{}).get('level', 'warn') -%} -error_log {{ ' '.join([error_log_location, error_log_level]) }}; -pid {{ nginx.get('pid', '/var/run/nginx.pid') }}; -{% if not 'systemd' in salt['test.provider']('service') -%} -daemon {{ nginx.get('daemon', 'on') }}; -{%- endif %} - -events { - worker_connections {{ nginx.get('events', {}).get('worker_connections', 1024) }}; - {% set use = nginx.get('events', {}).get('use', '') -%} - {% if use -%} - use {{ use }}; - {% endif %} -} - -http { - {% if 'set_real_ips' in nginx -%} - {% for ip in nginx.get('set_real_ips', {}).get('from_ips', []) -%} - set_real_ip_from {{ ip }}; - {% endfor -%} - real_ip_header {{ nginx.get('set_real_ips', {}).get('real_ip_header', 'X-Forwarded-For') }}; - - {% endif -%} - include /etc/nginx/mime.types; - default_type {{ nginx.get('default_type', 'application/octet-stream') }}; - log_format main '$scheme://$host:$server_port$uri$is_args$args $remote_addr:$remote_user "$request" $request_time $request_length:$bytes_sent $status "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.fifo main; - sendfile {{ nginx.get('sendfile', 'on') }}; - #tcp_nopush on; - keepalive_timeout {{ nginx.get('keepalive_timeout', 65) }}; - server_names_hash_bucket_size {{ nginx.get('server_names_hash_bucket_size', 128) }}; - server_names_hash_max_size {{ 
nginx.get('server_names_hash_max_size', 1024) }}; - types_hash_max_size {{ nginx.get('types_hash_max_size', 8192) }}; - - gzip {{ nginx.get('gzip', 'on') }}; - gzip_vary {{ nginx.get('gzip_vary', 'on') }}; - gzip_proxied {{ nginx.get('gzip_proxied', 'any') }}; - gzip_comp_level {{ nginx.get('gzip_comp_level', 6) }}; - gzip_buffers {{ nginx.get('gzip_buffers', '16 8k') }}; - gzip_http_version {{ nginx.get('gzip_http_version', '1.1') }}; - gzip_types {{ nginx.get('gzip_types', ['text/plain', 'text/css', 'application/json', 'application/x-javascript', 'text/xml', 'application/xml', 'application/xml+rss', 'text/javascript'])|join(' ') }}; - gzip_disable "{{ nginx.get('gzip_disable', 'msie6') }}"; - - # turn on nginx_status on localhost - server { - listen 127.0.0.1:80; - server_name 127.0.0.1; - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - } -{% if pillar['nginx'] is defined -%} -{% if pillar['nginx']['redirect_numeric_ip']|default(False) -%} - server { - server_name {% for ip in salt['network.interfaces']()['eth0']['inet'] %}{{ ip['address'] }}:80{% if not loop.last %} {% endif %}{% endfor %}; - return 302 {{ pillar['nginx']['redirect_numeric_ip'] }}; - access_log off; - } -{% endif -%} -{% endif %} - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*.conf; -} diff --git a/nginx/templates/nginx.init.jinja b/nginx/templates/nginx.init.jinja deleted file mode 100644 index e3086c7..0000000 --- a/nginx/templates/nginx.init.jinja +++ /dev/null 
@@ -1,101 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: {{ service_name }} -# Required-Start: $local_fs $remote_fs $network $syslog -# Required-Stop: $local_fs $remote_fs $network $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: starts the {{ service_name }} web server -# Description: starts {{ service_name }} using start-stop-daemon -### END INIT INFO - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -DAEMON={{ sbin_dir }}/nginx -NAME={{ service_name }} -DESC={{ service_name }} - -# Include nginx defaults if available -if [ -f /etc/default/$NAME ]; then - . /etc/default/$NAME -fi - -test -x $DAEMON || exit 0 - -set -e - -. /lib/lsb/init-functions - -test_nginx_config() { - if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then - return 0 - else - $DAEMON -t $DAEMON_OPTS - return $? - fi -} - -case "$1" in - start) - echo -n "Starting $DESC: " - test_nginx_config - # Check if the ULIMIT is set in /etc/default/nginx - if [ -n "$ULIMIT" ]; then - # Set the ulimits - ulimit $ULIMIT - fi - start-stop-daemon --start --quiet --pidfile {{ pid_path }} \ - --exec $DAEMON -- $DAEMON_OPTS || true - echo "$NAME." - ;; - - stop) - echo -n "Stopping $DESC: " - start-stop-daemon --stop --quiet --pidfile {{ pid_path }} \ - --exec $DAEMON || true - echo "$NAME." - ;; - - restart|force-reload) - echo -n "Restarting $DESC: " - start-stop-daemon --stop --quiet --pidfile \ - {{ pid_path }} --exec $DAEMON || true - sleep 1 - test_nginx_config - # Check if the ULIMIT is set in /etc/default/nginx - if [ -n "$ULIMIT" ]; then - # Set the ulimits - ulimit $ULIMIT - fi - start-stop-daemon --start --quiet --pidfile \ - {{ pid_path }} --exec $DAEMON -- $DAEMON_OPTS || true - echo "$NAME." - ;; - - reload) - echo -n "Reloading $DESC configuration: " - test_nginx_config - start-stop-daemon --stop --signal HUP --quiet --pidfile {{ pid_path }} \ - --exec $DAEMON || true - echo "$NAME." 
- ;; - - configtest|testconfig) - echo -n "Testing $DESC configuration: " - if test_nginx_config; then - echo "$NAME." - else - exit $? - fi - ;; - - status) - status_of_proc -p {{ pid_path }} "$DAEMON" nginx && exit 0 || exit $? - ;; - *) - echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2 - exit 1 - ;; -esac - -exit 0 diff --git a/nginx/templates/sysvinit-logger.jinja b/nginx/templates/sysvinit-logger.jinja deleted file mode 100644 index bb8d530..0000000 --- a/nginx/templates/sysvinit-logger.jinja +++ /dev/null 
@@ -1,113 +0,0 @@ -#!/bin/bash -# /etc/init.d/nginx-logger-{{ type }} -# - -### BEGIN INIT INFO -# Provides: nginx-logger-{{ type }} -# Required-Start: $local_fs $remote_fs $network $syslog -# Required-Stop: $local_fs $remote_fs $network $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: starts the nginx-logger-{{ type }} -# Description: starts nginx-logger-{{ type }} using start-stop-daemon -### END INIT INFO - -NAME=nginx-logger-{{ type }} -DESC="syslog forwarder for nginx {{type}} logs" -DAEMON=/usr/bin/logger -DAEMON_ARGS=" -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the daemon program isn't installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -. /lib/lsb/init-functions - -do_start() { - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - pid=$(pidofproc -p $PIDFILE $DAEMON) - if [ -n "$pid" ]; then - return 1; - fi - - if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then - mkdir -p /var/log/nginx - mkfifo /var/log/nginx/{{ type }}.fifo - chown root.root /var/log/nginx/{{ type }}.fifo - chmod 660 /var/log/nginx/{{ type }}.fifo - fi - - start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS -} - -do_stop() { - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - pids=$(pidof -x $DAEMON) - if [ $? -eq 0 ]; then - echo $pids | xargs kill 2&1>/dev/null - RETVAL=0 - else - RETVAL=1 - fi - - [ "$RETVAL" = 2 ] && return 2 - rm -f $PIDFILE - return "$RETVAL" -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" 
in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - restart|force-reload) - [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: /etc/init.d/nginx-logger-{{ type }} {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -exit 0 diff --git a/nginx/templates/upstart-logger.jinja b/nginx/templates/upstart-logger.jinja deleted file mode 100644 index 9dc2cb8..0000000 --- a/nginx/templates/upstart-logger.jinja +++ /dev/null @@ -1,20 +0,0 @@ -# {{ pillar.get('message_do_not_modify', '') }} -# startup script for Nginx loggers - -start on starting nginx -stop on runlevel [!2345] - -respawn - -pre-start script - if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then - mkdir -p /var/log/nginx - mkfifo /var/log/nginx/{{ type }}.fifo - chown root.root /var/log/nginx/{{ type }}.fifo - chmod 660 /var/log/nginx/{{ type }}.fifo - fi -end script - -emits nginx-logger-{{ type }} - -exec logger -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %} diff --git a/nginx/templates/upstart.jinja b/nginx/templates/upstart.jinja deleted file mode 100644 index 64bab02..0000000 --- a/nginx/templates/upstart.jinja +++ /dev/null 
@@ -1,23 +0,0 @@ -# nginx - -description "nginx http daemon" -author "George Shammas " - -start on (runlevel [345] and started network) -stop on (runlevel [!345] or stopping network) - -env DAEMON=/usr/sbin/nginx - -expect fork -respawn -respawn limit 10 5 -#oom never - -pre-start script - $DAEMON -t - if [ $? -ne 0 ] - then exit $? - fi -end script - -exec $DAEMON diff --git a/nginx/upstart.sls b/nginx/upstart.sls deleted file mode 100644 index adc6fdd..0000000 --- a/nginx/upstart.sls +++ /dev/null @@ -1,28 +0,0 @@ -{% set logger_types = ('access', 'error') %} - -{% for log_type in logger_types %} -/var/log/nginx/{{ log_type }}.log: - file.absent - -nginx-logger-{{ log_type }}: - file: - - managed - - name: /etc/init/nginx-logger-{{ log_type }}.conf - - template: jinja - - user: root - - group: root - - mode: 440 - - source: salt://nginx/templates/upstart-logger.jinja - - context: - type: {{ log_type }} - service: - - running - - enable: True - - require: - - file: nginx-logger-{{ log_type }} - - require_in: - - service: nginx -{% endfor %} - -/etc/logrotate.d/nginx: - file.absent diff --git a/nginx/users.sls b/nginx/users.sls deleted file mode 100644 index aadf49c..0000000 --- a/nginx/users.sls +++ /dev/null @@ -1,30 +0,0 @@ -{% from "nginx/map.jinja" import nginx with context %} -{% set htauth = nginx.get('htpasswd', '/etc/nginx/.htpasswd') -%} - -htpasswd: - pkg.installed: - - name: {{ nginx.apache_utils }} - -touch {{ htauth }}: - cmd.run: - - creates: {{ htauth }} - -make sure {{ htauth }} exists: - file.managed: - - name: {{ htauth }} - - makedirs: True - -{% for name, user in pillar.get('users', {}).items() %} -{% if user['webauth'] is defined -%} - -nginx_user_{{name}}: - module.run: - - name: basicauth.adduser - - user: {{ name }} - - passwd: {{ user['webauth'] }} - - path: {{ htauth }} - - require: - - pkg: htpasswd - -{% endif -%} -{% endfor %} diff --git a/pillar.example b/pillar.example index b193660..887cbc1 100644 --- a/pillar.example 
+++ b/pillar.example 
@@ -1,306 +1,283 @@ -#===== -# nginx: see `nginx.ng` state instead. -#====== -nginx: - install_from_source: True - use_upstart: True - use_sysvinit: False - user_auth_enabled: True - with_luajit: False - with_openresty: True - repo_version: development # Must be using ppa install by setting `repo_source = ppa` - set_real_ips: # NOTE: to use this, nginx must have http_realip module enabled - from_ips: - - 10.10.10.0/24 - real_ip_header: X-Forwarded-For - modules: - headers-more: - source: http://github.com/agentzh/headers-more-nginx-module/tarball/v0.21 - source_hash: sha1=dbf914cbf3f7b6cb7e033fa7b7c49e2f8879113b - #pid: /var/run/nginx.pid - # Directory location must exist (i.e. it's /run/nginx.pid on EL7) - # ======== -# nginx.ng +# nginx (previously named nginx:ng) # ======== nginx: - ng: - # The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided - # package will be installed. If one of the `install_from` option is set to `True`, the state will - # make sure the other two repos are removed. + # The following three `install_from_` options are mutually exclusive. If none is used, the distro's provided + # package will be installed. If one of the `install_from` option is set to `True`, the state will + # make sure the other two repos are removed. 
- # Use the official's nginx repo binaries - install_from_repo: false + # Use the official's nginx repo binaries + install_from_repo: false - # Use Phusionpassenger's repo to install nginx and passenger binaries - # Debian, Centos, Ubuntu and Redhat are currently available - install_from_phusionpassenger: false + # Use Phusionpassenger's repo to install nginx and passenger binaries + # Debian, Centos, Ubuntu and Redhat are currently available + install_from_phusionpassenger: false - # PPA install - install_from_ppa: false - # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx ) - ppa_version: 'stable' + # PPA install + install_from_ppa: false + # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for each build accordingly ( https://launchpad.net/~nginx ) + ppa_version: 'stable' - # Source install - source_version: '1.10.0' - source_hash: '' + # Source install + source_version: '1.10.0' + source_hash: '' - # These are usually set by grains in map.jinja - # Typically you can comment these out. - lookup: - package: nginx-custom (can be a list) - service: nginx - webuser: www-data - conf_file: /etc/nginx/nginx.conf - server_available: /etc/nginx/sites-available - server_enabled: /etc/nginx/sites-enabled - server_use_symlink: True - # If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed - passenger_package: libnginx-mod-http-passenger - passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf + # These are usually set by grains in map.jinja + # Typically you can comment these out. 
+ lookup: + package: nginx-custom (can be a list) + service: nginx + webuser: www-data + conf_file: /etc/nginx/nginx.conf + server_available: /etc/nginx/sites-available + server_enabled: /etc/nginx/sites-enabled + server_use_symlink: True + # If you install nginx+passenger from phusionpassenger in Debian, these values will probably be needed + passenger_package: libnginx-mod-http-passenger + passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf - # This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever - rh_os_releasever: '6' - # Currently it can be used on rhel/centos/suse when installing from repo - gpg_check: True - pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ### + # This is required for RedHat like distros (Amazon Linux) that don't follow semantic versioning for $releasever + rh_os_releasever: '6' + # Currently it can be used on rhel/centos/suse when installing from repo + gpg_check: True + pid_file: /var/run/nginx.pid ### prevents rendering SLS error nginx.server.config.pid undefined ### - # Source compilation is not currently a part of nginx.ng - from_source: False + # Source compilation is not currently a part of nginx + from_source: False - source: - opts: {} + source: + opts: {} - package: - opts: {} # this partially exposes parameters of pkg.installed + package: + opts: {} # this partially exposes parameters of pkg.installed - service: - enable: True # Whether or not the service will be enabled/running or dead - opts: {} # this partially exposes parameters of service.running / service.dead + service: + enable: True # Whether or not the service will be enabled/running or dead + opts: {} # this partially exposes parameters of service.running / service.dead - ##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## - ## You can use snippets to define often repeated configuration once and include it later 
- ## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'" - ##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## - snippets: - letsencrypt: - - location ^~ /.well-known/acme-challenge/: - - proxy_pass: http://localhost:9999 - cloudflare_proxy: - - set_real_ip_from: 103.21.244.0/22 - - set_real_ip_from: 103.22.200.0/22 - - set_real_ip_from: 104.16.0.0/12 - - set_real_ip_from: 108.162.192.0/18 - blacklist: - - map $http_user_agent $bad_bot: - - default: 0 - - '~*^Lynx': 0 - - '~*malicious': 1 - - '~*bot': 1 - - '~*crawler': 1 - - '~*bandit': 1 - - libwww-perl: 1 - - '~(?i)(httrack|htmlparser|libwww)': 1 - upstream_netdata_tcp: - - upstream netdata: - - server: 127.0.0.1:19999 - - keepalive: 64 + ##--- --- - - - - - - -- - - - - -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## + ## You can use snippets to define often repeated configuration once and include it later + ## The letsencrypt example below is consumed by "- include: 'snippets/letsencrypt.conf'" + ##--- --- - - - - - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## + snippets: + letsencrypt: + - location ^~ /.well-known/acme-challenge/: + - proxy_pass: http://localhost:9999 + cloudflare_proxy: + - set_real_ip_from: 103.21.244.0/22 + - set_real_ip_from: 103.22.200.0/22 + - set_real_ip_from: 104.16.0.0/12 + - set_real_ip_from: 108.162.192.0/18 + blacklist: + - map $http_user_agent $bad_bot: + - default: 0 + - '~*^Lynx': 0 + - '~*malicious': 1 + - '~*bot': 1 + - '~*crawler': 1 + - '~*bandit': 1 + - libwww-perl: 1 + - '~(?i)(httrack|htmlparser|libwww)': 1 + upstream_netdata_tcp: + - upstream netdata: + - server: 127.0.0.1:19999 + - keepalive: 64 - server: - opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file + server: + opts: {} # this partially exposes file.managed parameters as they relate to the main nginx.conf file - #-- - - - - -- - - -- - - - - -- 
- - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # - # nginx.conf (main server) declarations - # dictionaries map to blocks {} and lists cause the same declaration to repeat with different values - # see also http://nginx.org/en/docs/example.html - #-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # - config: - include: 'snippets/letsencrypt.conf' - source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the - # options; if it is found other options (worker_processes: 4 and so - # on) are not processed and just upload the file from source - worker_processes: 4 - load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start - #pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7) - events: - worker_connections: 1024 - http: - sendfile: 'on' - include: - #### Note: Syntax issues in these files generate nginx [emerg] errors on startup. 
#### - - /etc/nginx/mime.types + #-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # + # nginx.conf (main server) declarations + # dictionaries map to blocks {} and lists cause the same declaration to repeat with different values + # see also http://nginx.org/en/docs/example.html + #-- - - - - -- - - -- - - - - -- - - -- - - - -- - - - - - -- - - - - - -- - - - - -- - - - - -- - - # + config: + include: 'snippets/letsencrypt.conf' + source_path: salt://path_to_nginx_conf_file/nginx.conf # IMPORTANT: This option is mutually exclusive with the rest of the + # options; if it is found other options (worker_processes: 4 and so + # on) are not processed and just upload the file from source + worker_processes: 4 + load_module: modules/ngx_http_lua_module.so # pass as very first in configuration; otherwise nginx will fail to start + #pid: /var/run/nginx.pid # Directory location must exist (i.e. it's /run/nginx.pid on EL7) + events: + worker_connections: 1024 + http: + sendfile: 'on' + include: + #### Note: Syntax issues in these files generate nginx [emerg] errors on startup. 
#### + - /etc/nginx/mime.types - ### module ngx_http_log_module example - log_format: |- - main '$remote_addr - $remote_user [$time_local] $status ' - '"$request" $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"' - access_log: [] #suppress default access_log option from being added + ### module ngx_http_log_module example + log_format: |- + main '$remote_addr - $remote_user [$time_local] $status ' + '"$request" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"' + access_log: [] #suppress default access_log option from being added - ### module nngx_stream_core_module - ### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example - stream: - upstream lb-1000: - - server: - - hostname1.example.com:1000 - - hostname2.example.com:1000 - upstream stream_backend: - least_conn: '' - 'server backend1.example.com:12345 weight=5': - 'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': - 'server backend3.example.com:12345 max_conns=3': - upstream dns_servers: - least_conn: - 'server 192.168.136.130:53': - 'server 192.168.136.131:53': - 'server 192.168.136.132:53': - server: - listen: 1000 - proxy_pass: lb-1000 - 'server ': - listen: '53 udp' - proxy_pass: dns_servers - 'server ': - listen: 12346 - proxy_pass: backend4.example.com:12346 + ### module nngx_stream_core_module + ### https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example + stream: + upstream lb-1000: + - server: + - hostname1.example.com:1000 + - hostname2.example.com:1000 + upstream stream_backend: + least_conn: '' + 'server backend1.example.com:12345 weight=5': + 'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': + 'server backend3.example.com:12345 max_conns=3': + upstream dns_servers: + least_conn: + 'server 192.168.136.130:53': + 'server 192.168.136.131:53': + 'server 192.168.136.132:53': + server: + listen: 1000 + proxy_pass: lb-1000 + 'server ': + listen: '53 
udp' + proxy_pass: dns_servers + 'server ': + listen: 12346 + proxy_pass: backend4.example.com:12346 - servers: - disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling - symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites - rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites - managed_opts: {} # partially exposes file.managed params for managed server files - dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs + servers: + disabled_postfix: .disabled # a postfix appended to files when doing non-symlink disabling + symlink_opts: {} # partially exposes file.symlink params when symlinking enabled sites + rename_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites + managed_opts: {} # partially exposes file.managed params for managed server files + dir_opts: {} # partially exposes file.directory params for site available/enabled and snippets dirs - ##################### - # server declarations; placed by default in server "available" directory - ##################### - managed: + ##################### + # server declarations; placed by default in server "available" directory + ##################### + managed: - mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite') - # may be True, False, or None where True is enabled, False, disabled, and None indicates no action - enabled: True + mysite: # relative filename of server file (defaults to '/etc/nginx/sites-available/mysite') + # may be True, False, or None where True is enabled, False, disabled, and None indicates no action + enabled: True - # Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default) - # It also remove the symlink (if it is exists). - # The site MUST be disabled before delete it (if not the nginx is not reloaded). 
- #deleted: True + # Remove the site config file shipped by nginx (i.e. '/etc/nginx/sites-available/default' by default) + # It also remove the symlink (if it is exists). + # The site MUST be disabled before delete it (if not the nginx is not reloaded). + #deleted: True - #available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename - #enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename - disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking - overwrite: True # overwrite an existing server file or not + #available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-available) for server filename + #enabled_dir: /etc/nginx/sites-enabled-custom # custom directory (not sites-enabled) for server filename + disabled_name: mysite.aint_on # an alternative disabled name to be use when not symlinking + overwrite: True # overwrite an existing server file or not - # May be a list of config options or None, if None, no server file will be managed/templated - # Take server directives as lists of dictionaries. If the dictionary value is another list of - # dictionaries a block {} will be started with the dictionary key name - config: - - server: - - server_name: localhost - - listen: - - '80 default_server' - - listen: - - '443 ssl' - - index: 'index.html index.htm' - - location ~ .htm: - - try_files: '$uri $uri/ =404' - - test: something else - - include: 'snippets/letsencrypt.conf' + # May be a list of config options or None, if None, no server file will be managed/templated + # Take server directives as lists of dictionaries. 
If the dictionary value is another list of + # dictionaries a block {} will be started with the dictionary key name + config: + - server: + - server_name: localhost + - listen: + - '80 default_server' + - listen: + - '443 ssl' + - index: 'index.html index.htm' + - location ~ .htm: + - try_files: '$uri $uri/ =404' + - test: something else + - include: 'snippets/letsencrypt.conf' - # Or a slightly more compact alternative syntax: + # Or a slightly more compact alternative syntax: - - server: - - server_name: localhost - - listen: - - '80 default_server' - - '443 ssl' - - index: 'index.html index.htm' - - location ~ .htm: - - try_files: '$uri $uri/ =404' - - test: something else - - include: 'snippets/letsencrypt.conf' + - server: + - server_name: localhost + - listen: + - '80 default_server' + - '443 ssl' + - index: 'index.html index.htm' + - location ~ .htm: + - try_files: '$uri $uri/ =404' + - test: something else + - include: 'snippets/letsencrypt.conf' - # both of those output: - # server { - # server_name localhost; - # listen 80 default_server; - # listen 443 ssl; - # index index.html index.htm; - # location ~ .htm { - # try_files $uri $uri/ =404; - # test something else; - # } - # } + # both of those output: + # server { + # server_name localhost; + # listen 80 default_server; + # listen 443 ssl; + # index index.html index.htm; + # location ~ .htm { + # try_files $uri $uri/ =404; + # test something else; + # } + # } - mysite2: # Using source_path options to upload the file instead of templating all the file - enabled: True - available_dir: /etc/nginx/sites-available - enabled_dir: /etc/nginx/sites-enabled - config: - source_path: salt://path-to-site-file/mysite2 + mysite2: # Using source_path options to upload the file instead of templating all the file + enabled: True + available_dir: /etc/nginx/sites-available + enabled_dir: /etc/nginx/sites-enabled + config: + source_path: salt://path-to-site-file/mysite2 - # Below configuration becomes handy if you want to 
create custom configuration files - # for example if you want to create /usr/local/etc/nginx/http_options.conf with - # the following content: + # Below configuration becomes handy if you want to create custom configuration files + # for example if you want to create /usr/local/etc/nginx/http_options.conf with + # the following content: - # sendfile on; - # tcp_nopush on; - # tcp_nodelay on; - # send_iowait 12000; + # sendfile on; + # tcp_nopush on; + # tcp_nodelay on; + # send_iowait 12000; - http_options.conf: - enabled: True - available_dir: /usr/local/etc/nginx - enabled_dir: /usr/local/etc/nginx - config: - - sendfile: 'on' - - tcp_nopush: 'on' - - tcp_nodelay: 'on' - - send_iowait: 12000 + http_options.conf: + enabled: True + available_dir: /usr/local/etc/nginx + enabled_dir: /usr/local/etc/nginx + config: + - sendfile: 'on' + - tcp_nopush: 'on' + - tcp_nodelay: 'on' + - send_iowait: 12000 - certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path. - # If you're doing SSL termination, you can deploy certificates this way. - # The private one(s) should go in a separate pillar file not in version - # control (or use encrypted pillar data). - certificates: - 'www.example.com': + certificates_path: '/etc/nginx/ssl' # Use this if you need to deploy below certificates in a custom path. + # If you're doing SSL termination, you can deploy certificates this way. + # The private one(s) should go in a separate pillar file not in version + # control (or use encrypted pillar data). + certificates: + 'www.example.com': - # choose one of: deploying this cert by pillar (e.g. 
in combination with ext_pillar and file_tree) - # public_cert_pillar: certs:example.com:fullchain.pem - # private_key_pillar: certs:example.com:privkey.pem - # or directly pasting the cert - public_cert: | - -----BEGIN CERTIFICATE----- - (Your Primary SSL certificate: www.example.com.crt) - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - (Your Intermediate certificate: ExampleCA.crt) - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - (Your Root certificate: TrustedRoot.crt) - -----END CERTIFICATE----- - private_key: | - -----BEGIN RSA PRIVATE KEY----- - (Your Private Key: www.example.com.key) - -----END RSA PRIVATE KEY----- + # choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree) + # public_cert_pillar: certs:example.com:fullchain.pem + # private_key_pillar: certs:example.com:privkey.pem + # or directly pasting the cert + public_cert: | + -----BEGIN CERTIFICATE----- + (Your Primary SSL certificate: www.example.com.crt) + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + (Your Intermediate certificate: ExampleCA.crt) + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + (Your Root certificate: TrustedRoot.crt) + -----END CERTIFICATE----- + private_key: | + -----BEGIN RSA PRIVATE KEY----- + (Your Private Key: www.example.com.key) + -----END RSA PRIVATE KEY----- - dh_param: - 'mydhparam1.pem': | - -----BEGIN DH PARAMETERS----- - (Your custom DH prime) - -----END DH PARAMETERS----- - # or to generate one on-the-fly - 'mydhparam2.pem': - keysize: 2048 + dh_param: + 'mydhparam1.pem': | + -----BEGIN DH PARAMETERS----- + (Your custom DH prime) + -----END DH PARAMETERS----- + # or to generate one on-the-fly + 'mydhparam2.pem': + keysize: 2048 - # Passenger configuration - # Default passenger configuration is provided, and will be deployed in - # /etc/nginx/conf.d/passenger.conf - passenger: - passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini - passenger_ruby: /usr/bin/ruby - 
passenger_instance_registry_dir: /var/run/passenger-instreg + # Passenger configuration + # Default passenger configuration is provided, and will be deployed in + # /etc/nginx/conf.d/passenger.conf + passenger: + passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini + passenger_ruby: /usr/bin/ruby + passenger_instance_registry_dir: /var/run/passenger-instreg diff --git a/test/salt/default/pillar/nginx.sls b/test/salt/default/pillar/nginx.sls index 274895c..0439343 100644 --- a/test/salt/default/pillar/nginx.sls +++ b/test/salt/default/pillar/nginx.sls @@ -5,35 +5,34 @@ # - create 'mysite' site nginx: - ng: - snippets: - letsencrypt: - - location ^~ /.well-known/acme-challenge/: - - proxy_pass: http://localhost:9999 - server: - config: - http: - ### module ngx_http_log_module example - log_format: |- - main '$remote_addr - $remote_user [$time_local] $status ' - '"$request" $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"' - servers: - managed: - default: - deleted: True - enabled: False - config: {} + snippets: + letsencrypt: + - location ^~ /.well-known/acme-challenge/: + - proxy_pass: http://localhost:9999 + server: + config: + http: + ### module ngx_http_log_module example + log_format: |- + main '$remote_addr - $remote_user [$time_local] $status ' + '"$request" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"' + servers: + managed: + default: + deleted: True + enabled: False + config: {} - mysite: - enabled: True - config: - - server: - - server_name: localhost - - listen: - - '80 default_server' - - index: 'index.html index.htm' - - location ~ .htm: - - try_files: '$uri $uri/ =404' - - include: 'snippets/letsencrypt.conf' + mysite: + enabled: True + config: + - server: + - server_name: localhost + - listen: + - '80 default_server' + - index: 'index.html index.htm' + - location ~ .htm: + - try_files: '$uri $uri/ =404' + - include: 'snippets/letsencrypt.conf'
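Review bot: The `# Source install` block on the new side of `pillar.example` still ships `source_hash: ''` beside `source_version: '1.10.0'`, so a pillar copied from the example carries no digest for the nginx tarball that a source install would presumably fetch and build. How `src.sls` treats an empty value (fail the state, or fetch without verification) is not visible in this hunk, so the example should state what is expected rather than leave the field blank without comment. I would add a comment on that line, e.g. `source_hash: ''  # set for source installs: digest of the nginx-<source_version> tarball you verified`. The `gpg_check: True` entry a few lines further down already carries a comment for the repo-install path, and the source path deserves the same.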