diff --git a/nginx/init.sls b/nginx/init.sls
new file mode 100644
index 0000000..75c1380
--- /dev/null
+++ b/nginx/init.sls
@@ -0,0 +1,107 @@
+include:
+ - nginx.users
+
+{% for filename in ('default', 'example_ssl') %}
+/etc/nginx/conf.d/{{ filename }}.conf:
+ file.absent
+{% endfor %}
+
+/etc/nginx/nginx.conf:
+ file:
+ - managed
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 440
+ - source: salt://nginx/templates/config.jinja
+ - require:
+ - pkg: nginx
+
+nginx-old-init:
+ file:
+ - rename
+ - name: /usr/share/nginx/init.d
+ - source: /etc/init.d/nginx
+ - require:
+ - pkg: nginx
+ cmd:
+ - wait
+ - name: dpkg-divert --divert /usr/share/nginx/init.d --add /etc/init.d/nginx
+ - require:
+ - module: nginx-old-init
+ - watch:
+ - file: nginx-old-init
+ module:
+ - wait
+ - name: cmd.run
+ - cmd: kill `cat /var/run/nginx.pid`
+ - watch:
+ - file: nginx-old-init
+
+nginx-old-init-disable:
+ cmd:
+ - wait
+ - name: update-rc.d -f nginx remove
+ - require:
+ - module: nginx-old-init
+ - watch:
+ - file: nginx-old-init
+
+{% set logger_types = ('access', 'error') %}
+
+{% for log_type in logger_types %}
+/var/log/nginx/{{ log_type }}.log:
+ file.absent
+
+nginx-logger-{{ log_type }}:
+ file:
+ - managed
+ - name: /etc/init/nginx-logger-{{ log_type }}.conf
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 440
+ - source: salt://nginx/templates/upstart-logger.jinja
+ - context:
+ type: {{ log_type }}
+ service:
+ - running
+ - enable: True
+ - require:
+ - file: nginx-logger-{{ log_type }}
+ - pkg: nginx
+{% endfor %}
+
+/etc/logrotate.d/nginx:
+ file:
+ - absent
+
+nginx:
+ pkg:
+ - installed
+ - name: nginx
+ file:
+ - managed
+ - name: /etc/init/nginx.conf
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 440
+ - source: salt://nginx/templates/upstart.jinja
+ - require:
+ - pkg: nginx
+ - file: nginx-old-init
+ - module: nginx-old-init
+ service:
+ - running
+ - enable: True
+ - watch:
+ - file: nginx
+ - file: /etc/nginx/nginx.conf
+ - file: /etc/nginx/conf.d/default.conf
+ - file: /etc/nginx/conf.d/example_ssl.conf
+ - pkg: nginx
+ - require:
+{% for log_type in logger_types %}
+ - service: nginx-logger-{{ log_type }}
+{% endfor %}
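Review bot: The `- cmd: kill \`cat /var/run/nginx.pid\`` in the `module` part of `nginx-old-init` hard-codes the pid path, while `config.jinja` in the same commit renders `pid {{ nginx.get('pid', '/var/run/nginx.pid') }}`, so a pillar override of `pid` leaves the old sysvinit-started daemon alive and still bound to port 80 when the new upstart job is started. When the pid file is missing or empty the command substitution expands to nothing and `kill` exits with a usage error, which fails this state and, through `require`, everything that depends on `nginx-old-init`. Taking the path from the same pillar lookup and guarding the call, e.g. `- cmd: '! test -s /var/run/nginx.pid || kill $(cat /var/run/nginx.pid)'`, keeps the intended one-shot stop without failing on a host where nothing was running. A comment on the `module` section saying why the old daemon is killed by hand (the sysvinit script is diverted away, so `service.dead` cannot be used) would also help the next reader.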
@@ -0,0 +1,58 @@
+{% set nginx = pillar.get('nginx', {}) -%}
+{% set user = nginx.get('user', 'www-data') -%}
+{% set group = nginx.get('group', 'www-data') -%}
+user {{ user }} {{ group }};
+worker_processes {{ nginx.get('worker_processes', 1) }};
+
+error_log /var/log/nginx/error.fifo warn;
+pid {{ nginx.get('pid', '/var/run/nginx.pid') }};
+daemon {{ nginx.get('daemon', 'off') }};
+
+events {
+ worker_connections {{ nginx.get('events', {}).get('worker_connections', 1024) }};
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ log_format main '$scheme://$host:$server_port$uri$is_args$args $remote_addr:$remote_user "$request" $request_time $request_length:$bytes_sent $status "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+ access_log /var/log/nginx/access.fifo main;
+ sendfile {{ nginx.get('sendfile', 'on') }};
+ #tcp_nopush on;
+ keepalive_timeout {{ nginx.get('keepalive_timeout', 65) }};
+ server_names_hash_bucket_size {{ nginx.get('server_names_hash_bucket_size', 128) }};
+ server_names_hash_max_size {{ nginx.get('server_names_hash_max_size', 1024) }};
+ types_hash_max_size {{ nginx.get('types_hash_max_size', 8192) }};
+
+ gzip {{ nginx.get('gzip', 'on') }};
+ gzip_vary {{ nginx.get('gzip_vary', 'on') }};
+ gzip_proxied {{ nginx.get('gzip_proxied', 'any') }};
+ gzip_comp_level {{ nginx.get('gzip_comp_level', 6) }};
+ gzip_buffers {{ nginx.get('gzip_buffers', '16 8k') }};
+ gzip_http_version {{ nginx.get('gzip_http_version', '1.1') }};
+ gzip_types {{ nginx.get('gzip_types', ['text/plain', 'text/css', 'application/json', 'application/x-javascript', 'text/xml', 'application/xml', 'application/xml+rss', 'text/javascript'])|join(' ') }};
+
+ # turn on nginx_status on localhost
+ server {
+ listen 127.0.0.1:80;
+ server_name 127.0.0.1;
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ }
+ }
+{% if pillar['nginx'] is defined -%}
+{% if pillar['nginx']['redirect_numeric_ip']|default(False) %}
+ server {
+ server_name {% for ip in salt['network.interfaces']()['eth0']['inet'] %}{{ ip['address'] }}:80{% if not loop.last %} {% endif %}{% endfor %};
+ return 302 {{ pillar['nginx']['redirect_numeric_ip'] }};
+ access_log off;
+ }
+{% endif %}
+{% endif %}
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*.conf;
+}
diff --git a/nginx/templates/upstart-logger.jinja b/nginx/templates/upstart-logger.jinja
new file mode 100644
index 0000000..e5356ad
--- /dev/null
+++ b/nginx/templates/upstart-logger.jinja
@@ -0,0 +1,19 @@
+# {{ pillar['message_do_not_modify'] }}
+# startup script for Nginx loggers
+
+start on starting nginx
+stop on runlevel [!2345]
+
+respawn
+
+pre-start script
+ if [ ! -r /var/log/nginx/{{ type }}.fifo ]; then
+ mkfifo /var/log/nginx/{{ type }}.fifo
+ chown root.root /var/log/nginx/{{ type }}.fifo
+ chmod 660 /var/log/nginx/{{ type }}.fifo
+ fi
+end script
+
+emits nginx-logger-{{ type }}
+
+exec logger -f /var/log/nginx/{{ type }}.fifo -t nginx -p {% if type == 'error' %}warn{% else %}debug{% endif %}
diff --git a/nginx/templates/upstart.jinja b/nginx/templates/upstart.jinja
new file mode 100644
index 0000000..3257cbe
--- /dev/null
+++ b/nginx/templates/upstart.jinja
@@ -0,0 +1,8 @@
+# startup script for Nginx
+
+respawn
+
+start on filesystem or runlevel [2345]
+stop on runlevel [!2345]
+
+exec /usr/sbin/nginx -c /etc/nginx/nginx.conf
diff --git a/nginx/users.sls b/nginx/users.sls
new file mode 100644
index 0000000..1d820bc
--- /dev/null
+++ b/nginx/users.sls
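Review bot: The `redirect_numeric_ip` server block builds `server_name` from `salt['network.interfaces']()['eth0']['inet']`, which raises at render time on any host without an interface literally named `eth0` (predictable interface names, containers, most cloud images), and a render failure takes the whole `/etc/nginx/nginx.conf` state with it. `salt['network.ip_addrs']()` returns the host's IPv4 addresses without naming an interface and avoids the `['inet']` indexing too. The `:80` appended to each address is, as far as I can tell, never matched, because nginx compares `server_name` against the Host header with the port removed, so `server_name {{ salt['network.ip_addrs']()|join(' ') }};` is closer to the intent. The pillar value is also interpolated unquoted into `return 302 {{ pillar['nginx']['redirect_numeric_ip'] }};`, so a value containing whitespace or `;` rewrites the directive rather than the target; a comment stating that this value is trusted as raw nginx syntax, or quoting it, would make that contract explicit.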
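Review bot: The pre-start test `[ ! -r /var/log/nginx/{{ type }}.fifo ]` checks readability, not that the path is a FIFO, so a regular file or symlink already at that path is accepted, `logger -f` then follows it as an ordinary file and nginx appends to it as a plain log, silently defeating the FIFO design and growing without rotation (the commit removes `/etc/logrotate.d/nginx`). `[ ! -p /var/log/nginx/{{ type }}.fifo ]`, after removing whatever non-FIFO is in the way, expresses the real precondition. `chown root.root` is the legacy dot spelling; `root:root` is the portable form. `emits nginx-logger-{{ type }}` declares an event that nothing in the job emits, which is worth either dropping or a comment saying what is expected to raise it.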
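Review bot: `exec /usr/sbin/nginx -c /etc/nginx/nginx.conf` with no `expect` stanza tracks the right process only because `config.jinja` defaults `daemon` to `off`; if a pillar sets `nginx:daemon: on`, upstart sees the job exit when the master forks and `respawn` restarts it in a loop against the already-bound port. Either the `daemon` knob should not be pillar-controlled or this file should say so: `# relies on 'daemon off;' in nginx.conf (config.jinja) — no 'expect' stanza here`.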
@@ -0,0 +1,21 @@
+{% set nginx = pillar.get('nginx', {}) -%}
+{% set htauth = nginx.get('htpasswd', '/etc/nginx/.htpasswd') -%}
+
+htpasswd:
+ pkg.installed:
+ - name: apache2-utils
+
+{% for name, user in pillar.get('users', {}).items() %}
+{% if user['webauth'] is defined -%}
+
+nginx_user_{{name}}:
+ module.run:
+ - name: basicauth.adduser
+ - user: {{ name }}
+ - passwd: {{ user['webauth'] }}
+ - path: {{ htauth }}
+ - require:
+ - pkg: htpasswd
+
+{% endif -%}
+{% endfor %}
\ No newline at end of file
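Review bot: `module.run` calling `basicauth.adduser` has no `unless`/`onlyif`, so it executes on every highstate and reports a change each time, and the `webauth` pillar value, which the `passwd:` argument suggests is the plaintext password, is passed as a state argument and therefore appears in the rendered state, the job return and the master's job cache (and on the process list if the module shells out to `htpasswd -b`). Storing an already-hashed htpasswd entry in pillar and writing `{{ htauth }}` with `file.managed` (`mode: '0640'`, group set to the nginx worker group from the `nginx` pillar) keeps the secret out of job output and makes the state idempotent; at minimum a guard such as `- unless: grep -q '^{{ name }}:' {{ htauth }}` stops the unconditional rerun. `{{name}}` is also interpolated unquoted into the state id and arguments; the `users` pillar is trusted, but a name containing `:` or whitespace breaks the YAML, so a comment documenting the expected key format would help.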