# -*- coding: utf-8 -*- # vim: ft=yaml --- # ======== # nginx (previously named nginx:ng) # ======== nginx: # The following three `install_from_` options are mutually exclusive. If none # is used, the distro's provided package will be installed. If one of the # `install_from` option is set to `true`, the state will make sure the other # two repos are removed. # Use the official's nginx repo binaries install_from_repo: false # Use Phusionpassenger's repo to install nginx and passenger binaries # Debian, Centos, Ubuntu and Redhat are currently available install_from_phusionpassenger: false # PPA install install_from_ppa: false # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for # each build accordingly ( https://launchpad.net/~nginx ) ppa_version: 'stable' # Source install source_version: '1.10.0' source_hash: '' # Check the configuration before applying: # To prevent applying a configuration that might break nginx, set this # parameter to true so the configuration is checked BEFORE applying. If # the check fails, the state will fail and it won't be deployed. # CAVEAT: As the configuration file is created in a temp dir, it can't # have relative references or it will fail to check. You'll need to # specify full paths where required (ie, `include`, `load_module`, # `snippets`, etc.0 # Defaults to false check_config_before_apply: false # These are usually set by grains in map.jinja # Typically you can comment these out. lookup: package: nginx-custom (can be a list) service: nginx webuser: www-data conf_file: /etc/nginx/nginx.conf server_available: /etc/nginx/sites-available server_enabled: /etc/nginx/sites-enabled server_use_symlink: true # If you install nginx+passenger from phusionpassenger in Debian, these # values will probably be needed passenger_package: libnginx-mod-http-passenger passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf # This is required for RedHat like distros (Amazon Linux) that don't follow # semantic versioning for $releasever rh_os_releasever: '6' # Currently it can be used on rhel/centos/suse when installing from repo gpg_check: true ### prevents rendering SLS error nginx.server.config.pid undefined ### pid_file: /var/run/nginx.pid # Source compilation is not currently a part of nginx from_source: false source: opts: {} package: opts: {} # this partially exposes parameters of pkg.installed service: enable: true # Whether or not the service will be enabled/running or dead opts: {} # this partially exposes parameters of service.running / service.dead ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## ## You can use snippets to define often repeated configuration once and ## include it later # The letsencrypt example below is consumed by "- include: ## 'snippets/letsencrypt.conf'" # Files or Templates can be retrieved by TOFS ## with snippet name ( Fallback to server.conf ) ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## snippets: letsencrypt.conf: - location ^~ /.well-known/acme-challenge/: - proxy_pass: http://localhost:9999 cloudflare_proxy.conf: - set_real_ip_from: 103.21.244.0/22 - set_real_ip_from: 103.22.200.0/22 - set_real_ip_from: 104.16.0.0/12 - set_real_ip_from: 108.162.192.0/18 blacklist.conf: - map $http_user_agent $bad_bot: - default: 0 - '~*^Lynx': 0 - '~*malicious': 1 - '~*bot': 1 - '~*crawler': 1 - '~*bandit': 1 - libwww-perl: 1 - '~(?i)(httrack|htmlparser|libwww)': 1 upstream_netdata_tcp.conf: - upstream netdata: - server: 127.0.0.1:19999 - keepalive: 64 server: # this partially exposes file.managed parameters as they relate to the main # nginx.conf file opts: {} ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## # nginx.conf (main server) declarations dictionaries map to blocks {} and # lists cause the same declaration to repeat with different values see also # http://nginx.org/en/docs/example.html Nginx config file or template can # be retrieved by TOFS ( Fallback to nginx.conf ) ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ## config: include: 'snippets/letsencrypt.conf' # IMPORTANT: This option is mutually exclusive with TOFS and the rest of # the options; if it is found other options (worker_processes: 4 and so # on) are not processed and just upload the file from source source_path: salt://path_to_nginx_conf_file/nginx.conf worker_processes: 4 # pass as very first in configuration; otherwise nginx will fail to start load_module: modules/ngx_http_lua_module.so # Directory location must exist (i.e. it's /run/nginx.pid on EL7) # pid: /var/run/nginx.pid events: worker_connections: 1024 http: sendfile: 'on' include: #### Note: Syntax issues in these files generate nginx [emerg] errors #### on startup. - /etc/nginx/mime.types ### module ngx_http_log_module example log_format: |- main '$remote_addr - $remote_user [$time_local] $status ' '"$request" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"' access_log: [] # suppress default access_log option from being added # module nngx_stream_core_module # yamllint disable-line rule:line-length # https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example stream: upstream lb-1000: - server: - hostname1.example.com:1000 - hostname2.example.com:1000 upstream stream_backend: least_conn: '' 'server backend1.example.com:12345 weight=5': ~ 'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~ 'server backend3.example.com:12345 max_conns=3': ~ upstream dns_servers: least_conn: '' 'server 192.168.136.130:53': ~ 'server 192.168.136.131:53': ~ 'server 192.168.136.132:53': ~ server: listen: 1000 proxy_pass: lb-1000 'server ': listen: '53 udp' proxy_pass: dns_servers 'server ': listen: 12346 proxy_pass: backend4.example.com:12346 servers: # a postfix appended to files when doing non-symlink disabling disabled_postfix: .disabled # partially exposes file.symlink params when symlinking enabled sites symlink_opts: {} # partially exposes file.rename params when not symlinking disabled/enabled sites rename_opts: {} # partially exposes file.managed params for managed server files managed_opts: {} # partially exposes file.directory params for site available/enabled and # snippets dirs dir_opts: {} # let the choice to purge site-available and site-enable folders before add new ones # (if True it removes all non-salt-managed files) purge_servers_config: false ##################### # server declarations; placed by default in server "available" directory ##################### managed: # relative filename of server file # (defaults to '/etc/nginx/sites-available/mysite') mysite: # may be true, false, or None where true is enabled, false, disabled, # and None indicates no action enabled: true # This let's you add dependencies on other resources being applied for a # particular vhost # A common case is when you use this formula together with letsencrypt's, # validating through nginx: you need nginx running (to validate the vhost) but # can't have the ssl vhost up until the certificate is created (because it # won't exist and will make nginx fail to load the configuration) # # An example, when using LE to create the cert for 'some.host.domain': # requires: # cmd: create-initial-cert-some.host.domain requires: {} # Remove the site config file shipped by nginx # (i.e. '/etc/nginx/sites-available/default' by default) # It also remove the symlink (if it is exists). # The site MUST be disabled before delete it (if not the nginx is not # reloaded). # deleted: true # custom directory (not sites-available) for server filename # available_dir: /etc/nginx/sites-available-custom # custom directory (not sites-enabled) for server filename # enabled_dir: /etc/nginx/sites-enabled-custom # an alternative disabled name to be use when not symlinking disabled_name: mysite.aint_on # overwrite an existing server file or not overwrite: true # May be a list of config options or None, if None, no server file will # be managed/templated Take server directives as lists of dictionaries. # If the dictionary value is another list of dictionaries a block {} # will be started with the dictionary key name config: # both of the methods below lead to the output: # server { # server_name localhost; # listen 80 default_server; # listen 443 ssl; # index index.html index.htm; # location ~ .htm { # try_files $uri $uri/ =404; # test something else; # } # } - server: - server_name: localhost - listen: - '80 default_server' - listen: - '443 ssl' - index: 'index.html index.htm' - location ~ .htm: - try_files: '$uri $uri/ =404' - test: something else - include: 'snippets/letsencrypt.conf' # Or a slightly more compact alternative syntax: - server: - server_name: localhost - listen: - '80 default_server' - '443 ssl' - index: 'index.html index.htm' - location ~ .htm: - try_files: '$uri $uri/ =404' - test: something else - include: 'snippets/letsencrypt.conf' # Using source_path options to upload the file instead of templating all the file mysite2: enabled: true available_dir: /etc/nginx/sites-available enabled_dir: /etc/nginx/sites-enabled config: # IMPORTANT: This field is mutually exclusive with TOFS and other # config options, it just uploads the specified file source_path: salt://path-to-site-file/mysite2 # Below configuration becomes handy if you want to create custom # configuration files for example if you want to create # /usr/local/etc/nginx/http_options.conf with the following content: # sendfile on; # tcp_nopush on; # tcp_nodelay on; # send_iowait 12000; http_options.conf: enabled: true available_dir: /usr/local/etc/nginx enabled_dir: /usr/local/etc/nginx config: - sendfile: 'on' - tcp_nopush: 'on' - tcp_nodelay: 'on' - send_iowait: 12000 # Use this if you need to deploy below certificates in a custom path. certificates_path: '/etc/nginx/ssl' # If you're doing SSL termination, you can deploy certificates this way. # The private one(s) should go in a separate pillar file not in version # control (or use encrypted pillar data). certificates: 'www.example.com': # choose one of: deploying this cert by pillar (e.g. in combination with # ext_pillar and file_tree) # public_cert_pillar: certs:example.com:fullchain.pem # private_key_pillar: certs:example.com:privkey.pem # or directly pasting the cert public_cert: | -----BEGIN CERTIFICATE----- (Your Primary SSL certificate: www.example.com.crt) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Intermediate certificate: ExampleCA.crt) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Root certificate: TrustedRoot.crt) -----END CERTIFICATE----- private_key: | -----BEGIN RSA PRIVATE KEY----- (Your Private Key: www.example.com.key) -----END RSA PRIVATE KEY----- dh_param: 'mydhparam1.pem': | -----BEGIN DH PARAMETERS----- (Your custom DH prime) -----END DH PARAMETERS----- # or to generate one on-the-fly 'mydhparam2.pem': keysize: 2048 # Passenger configuration # Default passenger configuration is provided, and will be deployed in # /etc/nginx/conf.d/passenger.conf # Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf ) passenger: passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini passenger_ruby: /usr/bin/ruby passenger_instance_registry_dir: /var/run/passenger-instreg tofs: # The files_switch key serves as a selector for alternative # directories under the formula files directory. See TOFS pattern # doc for more info. # Note: Any value not evaluated by `config.get` will be used literally. # This can be used to set custom paths, as many levels deep as required. # files_switch: # - any/path/can/be/used/here # - id # - role # - osfinger # - os # - os_family # # All aspects of path/file resolution are customisable using the options below. # This is unnecessary in most cases; there are sensible defaults. # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default > # I.e.: salt://nginx/files/default # path_prefix: template_alt # dirs: # files: files_alt # default: default_alt source_files: nginx_config_file_managed: - alt_nginx.conf passenger_config_file_managed: - alt_nginx.conf server_conf_file_managed: - alt_server.conf nginx_systemd_service_file: - alt_nginx.service nginx_snippet_file_managed: - alt_server.conf