diff --git a/nginx/ng/certificates.sls b/nginx/ng/certificates.sls
new file mode 100644
index 0000000..3064110
--- /dev/null
+++ b/nginx/ng/certificates.sls
@@ -0,0 +1,23 @@
+include:
+  - nginx.ng.service
+
+{%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %}
+
+nginx_{{ domain }}_ssl_certificate:
+  file.managed:
+    - name: /etc/nginx/ssl/{{ domain }}.crt
+    - makedirs: True
+    - contents_pillar: nginx:ng:certificates:{{ domain }}:public_cert
+    - watch_in:
+      - service: nginx_service
+
+nginx_{{ domain }}_ssl_key:
+  file.managed:
+    - name: /etc/nginx/ssl/{{ domain }}.key
+    - mode: 600
+    - makedirs: True
+    - contents_pillar: nginx:ng:certificates:{{ domain }}:private_key
+    - watch_in:
+      - service: nginx_service
+
+{%- endfor %}
diff --git a/nginx/ng/init.sls b/nginx/ng/init.sls
index f3f8cb2..692263a 100644
--- a/nginx/ng/init.sls
+++ b/nginx/ng/init.sls
@@ -6,6 +6,7 @@ include:
   - nginx.ng.config
   - nginx.ng.service
   - nginx.ng.vhosts
+  - nginx.ng.certificates
 
 extend:
   nginx_service:
diff --git a/pillar.example b/pillar.example
index cfcc078..109225b 100644
--- a/pillar.example
+++ b/pillar.example
@@ -107,3 +107,23 @@ nginx:
 #       test something else;
 #     }
 #   }
+
+  # If you're doing SSL termination, you can deploy certificates this way.
+  # The private one(s) should go in a separate pillar file not in version
+  # control (or use encrypted pillar data).
+  certificates:
+    'www.example.com':
+      public_cert: |
+        -----BEGIN CERTIFICATE-----
+        (Your Primary SSL certificate: www.example.com.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your Intermediate certificate: ExampleCA.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your Root certificate: TrustedRoot.crt)
+        -----END CERTIFICATE-----
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        (Your Private Key: www.example.com.key)
+        -----END RSA PRIVATE KEY-----
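Review bot: The `nginx_{{ domain }}_ssl_key` state in certificates.sls leaves `show_changes` at its default, so when an existing key file is replaced (a rotation) file.managed returns a unified diff of old and new contents in the state result, which then reaches the master's job cache and event stream; add `- show_changes: False` beside `- mode: 600` so the key material stays out of those records. While there, write the mode as the string Salt's file.managed docs recommend, `- mode: '0600'`, so a YAML loader never interprets it as a number. The sibling `nginx_{{ domain }}_ssl_certificate` state sets no mode, leaving `/etc/nginx/ssl/{{ domain }}.crt` to the umask; an explicit `- mode: '0644'` makes the intended world-readability of the public chain visible in the state itself.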