Merge pull request #153 from EvaSDK/add_dhparam_creation

Add dhparam creation
2017-12-16 09:26:20 +01:00 · 2017-12-16 09:26:20 +01:00 · 4204505489
commit 4204505489
parent 1b616bf3fc 43c4eca3bb
3 changed files with 44 additions and 2 deletions
--- a/nginx/ng/certificates.sls
+++ b/nginx/ng/certificates.sls
@ -1,7 +1,35 @@
 {% from 'nginx/ng/map.jinja' import nginx with context %}
 include:
  - nginx.ng.service
 {% set certificates_path = salt['pillar.get']('nginx:ng:certificates_path', '/etc/nginx/ssl') %}
 {%- for dh_param, value in salt.pillar.get('nginx:ng:dh_param').items() %}
 {%- if value is string %}
 create_nginx_dhparam_{{ dh_param }}_key:
  file.managed:
    - name: {{ certificates_path }}/{{ dh_param }}
    - contents_pillar: nginx:ng:dh_param:{{ dh_param }}
    - makedirs: True
    - watch_in:
      - service: nginx_service
 {%- else %}
 generate_nginx_dhparam_{{ dh_param }}_key:
  pkg.installed:
    - name: {{ nginx.lookup.openssl_package }}
  file.directory:
    - name: {{ certificates_path }}
    - makedirs: True
  cmd.run:
    - name: openssl dhparam -out {{ dh_param }} {{ value.get('keysize', 2048) }}
    - cwd: {{ certificates_path }}
    - creates: {{ certificates_path }}/{{ dh_param }}
    - watch_in:
      - service: nginx_service
 {%- endif %}
 {%- endfor %}
 {%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %}
 nginx_{{ domain }}_ssl_certificate:
--- a/nginx/ng/map.jinja
+++ b/nginx/ng/map.jinja
@ -16,6 +16,7 @@
            'server_enabled': '/etc/nginx/sites-enabled',
            'server_use_symlink': True,
            'pid_file': '/run/nginx.pid',
            'openssl_package': 'openssl',
        },
        'CentOS': {
            'package': 'nginx',
@ -30,6 +31,7 @@
            'rh_os_releasever': '$releasever',
            'gpg_check': False,
            'gpg_key': 'http://nginx.org/keys/nginx_signing.key',
            'openssl_package': 'openssl',
        },
        'RedHat': {
            'package': 'nginx',
@ -49,6 +51,7 @@
              'passenger_instance_registry_dir': ' /var/run/passenger-instreg',
              'passenger_ruby': '/usr/bin/ruby',
            },
            'openssl_package': 'openssl',
        },
        'Suse': {
            'package': 'nginx',
@ -60,7 +63,8 @@
            'server_use_symlink': False,
            'pid_file': '/run/nginx.pid',
            'gpg_check': True,
-            'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_13.2/repodata/repomd.xml.key'
+            'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_13.2/repodata/repomd.xml.key',
            'openssl_package': 'openssl',
        },
        'Arch': {
            'package': 'nginx',
@ -70,6 +74,7 @@
            'server_available': '/etc/nginx/sites-available',
            'server_enabled': '/etc/nginx/sites-enabled',
            'server_use_symlink': True,
            'openssl_package': 'openssl',
        },
        'Gentoo': {
            'package': 'www-servers/nginx',
@ -79,6 +84,7 @@
            'server_available': '/etc/nginx/sites-available',
            'server_enabled': '/etc/nginx/sites-enabled',
            'server_use_symlink': True,
            'openssl_package': 'dev-libs/openssl',
        },
        'FreeBSD': {
            'package': 'nginx',
--- a/pillar.example
+++ b/pillar.example
@ -173,6 +173,15 @@ nginx:
          (Your Private Key: www.example.com.key)
          -----END RSA PRIVATE KEY-----
    dh_param:
      'mydhparam1.pem': |
        -----BEGIN DH PARAMETERS-----
        (Your custom DH prime)
        -----END DH PARAMETERS-----
      # or to generate one on-the-fly
      'mydhparam2.pem':
        keysize: 2048
    # Passenger configuration
    # Default passenger configuration is provided, and will be deployed in
    # /etc/nginx/conf.d/passenger.conf
@ -180,4 +189,3 @@ nginx:
      passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
      passenger_ruby: /usr/bin/ruby
      passenger_instance_registry_dir: /var/run/passenger-instreg