nginx-formula/pillar.example
Georg Pfuetzenreuter 9ec7ed2b31
feat(opensuse): optional openSUSE devel repository
All modern openSUSE releases (Leap 15.x, Tumbleweed) ship nginx in the
default repositories. The devel repository should not be used unless the
user knows what they are doing.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-30 04:54:40 +01:00

387 lines
14 KiB
YAML

# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# ========
# nginx (previously named nginx:ng)
# ========
nginx:
# The following three `install_from_` options are mutually exclusive. If none
# is used, the distro's provided package will be installed. If one of the
# `install_from` option is set to `true`, the state will make sure the other
# two repos are removed.
# Use the official's nginx repo binaries
install_from_repo: false
# Use Phusionpassenger's repo to install nginx and passenger binaries
# Debian, Centos, Ubuntu and Redhat are currently available
install_from_phusionpassenger: false
# PPA install
install_from_ppa: false
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for
# each build accordingly ( https://launchpad.net/~nginx )
ppa_version: 'stable'
# Use openSUSE devel (server:http) repository to install nginx.
# If not set, the server_http repository will be removed if it exists.
install_from_opensuse_devel: false
# Source install
source_version: '1.10.0'
source_hash: ''
# Check the configuration before applying:
# To prevent applying a configuration that might break nginx, set this
# parameter to true so the configuration is checked BEFORE applying. If
# the check fails, the state will fail and it won't be deployed.
# CAVEAT: As the configuration file is created in a temp dir, it can't
# have relative references or it will fail to check. You'll need to
# specify full paths where required (ie, `include`, `load_module`,
# `snippets`, etc.0
# Defaults to false
check_config_before_apply: false
# These are usually set by grains in map.jinja
# Typically you can comment these out.
lookup:
package: nginx-custom (can be a list)
service: nginx
webuser: www-data
conf_file: /etc/nginx/nginx.conf
server_available: /etc/nginx/sites-available
server_enabled: /etc/nginx/sites-enabled
server_use_symlink: true
# If you install nginx+passenger from phusionpassenger in Debian, these
# values will probably be needed
passenger_package: libnginx-mod-http-passenger
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
# This is required for RedHat like distros (Amazon Linux) that don't follow
# semantic versioning for $releasever
rh_os_releasever: '6'
# Currently it can be used on rhel/centos/suse when installing from repo
gpg_check: true
### prevents rendering SLS error nginx.server.config.pid undefined ###
pid_file: /var/run/nginx.pid
# Source compilation is not currently a part of nginx
from_source: false
source:
opts: {}
package:
opts: {} # this partially exposes parameters of pkg.installed
service:
enable: true # Whether or not the service will be enabled/running or dead
opts: {} # this partially exposes parameters of service.running / service.dead
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
## You can use snippets to define often repeated configuration once and
## include it later # The letsencrypt example below is consumed by "- include:
## 'snippets/letsencrypt.conf'" # Files or Templates can be retrieved by TOFS
## with snippet name ( Fallback to server.conf )
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
snippets:
letsencrypt.conf:
- location ^~ /.well-known/acme-challenge/:
- proxy_pass: http://localhost:9999
cloudflare_proxy.conf:
- set_real_ip_from: 103.21.244.0/22
- set_real_ip_from: 103.22.200.0/22
- set_real_ip_from: 104.16.0.0/12
- set_real_ip_from: 108.162.192.0/18
blacklist.conf:
- map $http_user_agent $bad_bot:
- default: 0
- '~*^Lynx': 0
- '~*malicious': 1
- '~*bot': 1
- '~*crawler': 1
- '~*bandit': 1
- libwww-perl: 1
- '~(?i)(httrack|htmlparser|libwww)': 1
upstream_netdata_tcp.conf:
- upstream netdata:
- server: 127.0.0.1:19999
- keepalive: 64
server:
# this partially exposes file.managed parameters as they relate to the main
# nginx.conf file
opts: {}
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
# nginx.conf (main server) declarations dictionaries map to blocks {} and
# lists cause the same declaration to repeat with different values see also
# http://nginx.org/en/docs/example.html Nginx config file or template can
# be retrieved by TOFS ( Fallback to nginx.conf )
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
config:
include: 'snippets/letsencrypt.conf'
# IMPORTANT: This option is mutually exclusive with TOFS and the rest of
# the options; if it is found other options (worker_processes: 4 and so
# on) are not processed and just upload the file from source
source_path: salt://path_to_nginx_conf_file/nginx.conf
worker_processes: 4
# pass as very first in configuration; otherwise nginx will fail to start
load_module: modules/ngx_http_lua_module.so
# Directory location must exist (i.e. it's /run/nginx.pid on EL7)
# pid: /var/run/nginx.pid
events:
worker_connections: 1024
http:
sendfile: 'on'
include:
#### Note: Syntax issues in these files generate nginx [emerg] errors
#### on startup.
- /etc/nginx/mime.types
### module ngx_http_log_module example
log_format: |-
main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
access_log: [] # suppress default access_log option from being added
# module nngx_stream_core_module
# yamllint disable-line rule:line-length
# https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
stream:
upstream lb-1000:
- server:
- hostname1.example.com:1000
- hostname2.example.com:1000
upstream stream_backend:
least_conn: ''
'server backend1.example.com:12345 weight=5': ~
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~
'server backend3.example.com:12345 max_conns=3': ~
upstream dns_servers:
least_conn: ''
'server 192.168.136.130:53': ~
'server 192.168.136.131:53': ~
'server 192.168.136.132:53': ~
server:
listen: 1000
proxy_pass: lb-1000
'server ':
listen: '53 udp'
proxy_pass: dns_servers
'server ':
listen: 12346
proxy_pass: backend4.example.com:12346
servers:
# a postfix appended to files when doing non-symlink disabling
disabled_postfix: .disabled
# partially exposes file.symlink params when symlinking enabled sites
symlink_opts: {}
# partially exposes file.rename params when not symlinking disabled/enabled sites
rename_opts: {}
# partially exposes file.managed params for managed server files
managed_opts: {}
# partially exposes file.directory params for site available/enabled and
# snippets dirs
dir_opts: {}
# let the choice to purge site-available and site-enable folders before add new ones
# (if True it removes all non-salt-managed files)
purge_servers_config: false
#####################
# server declarations; placed by default in server "available" directory
#####################
managed:
# relative filename of server file
# (defaults to '/etc/nginx/sites-available/mysite')
mysite:
# may be true, false, or None where true is enabled, false, disabled,
# and None indicates no action
enabled: true
# This let's you add dependencies on other resources being applied for a
# particular vhost
# A common case is when you use this formula together with letsencrypt's,
# validating through nginx: you need nginx running (to validate the vhost) but
# can't have the ssl vhost up until the certificate is created (because it
# won't exist and will make nginx fail to load the configuration)
#
# An example, when using LE to create the cert for 'some.host.domain':
# requires:
# cmd: create-initial-cert-some.host.domain
requires: {}
# Remove the site config file shipped by nginx
# (i.e. '/etc/nginx/sites-available/default' by default)
# It also remove the symlink (if it is exists).
# The site MUST be disabled before delete it (if not the nginx is not
# reloaded).
# deleted: true
# custom directory (not sites-available) for server filename
# available_dir: /etc/nginx/sites-available-custom
# custom directory (not sites-enabled) for server filename
# enabled_dir: /etc/nginx/sites-enabled-custom
# an alternative disabled name to be use when not symlinking
disabled_name: mysite.aint_on
# overwrite an existing server file or not
overwrite: true
# May be a list of config options or None, if None, no server file will
# be managed/templated Take server directives as lists of dictionaries.
# If the dictionary value is another list of dictionaries a block {}
# will be started with the dictionary key name
config:
# both of the methods below lead to the output:
# server {
# server_name localhost;
# listen 80 default_server;
# listen 443 ssl;
# index index.html index.htm;
# location ~ .htm {
# try_files $uri $uri/ =404;
# test something else;
# }
# }
- server:
- server_name: localhost
- listen:
- '80 default_server'
- listen:
- '443 ssl'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- test: something else
- include: 'snippets/letsencrypt.conf'
# Or a slightly more compact alternative syntax:
- server:
- server_name: localhost
- listen:
- '80 default_server'
- '443 ssl'
- index: 'index.html index.htm'
- location ~ .htm:
- try_files: '$uri $uri/ =404'
- test: something else
- include: 'snippets/letsencrypt.conf'
# Using source_path options to upload the file instead of templating all the file
mysite2:
enabled: true
available_dir: /etc/nginx/sites-available
enabled_dir: /etc/nginx/sites-enabled
config:
# IMPORTANT: This field is mutually exclusive with TOFS and other
# config options, it just uploads the specified file
source_path: salt://path-to-site-file/mysite2
# Below configuration becomes handy if you want to create custom
# configuration files for example if you want to create
# /usr/local/etc/nginx/http_options.conf with the following content:
# sendfile on;
# tcp_nopush on;
# tcp_nodelay on;
# send_iowait 12000;
http_options.conf:
enabled: true
available_dir: /usr/local/etc/nginx
enabled_dir: /usr/local/etc/nginx
config:
- sendfile: 'on'
- tcp_nopush: 'on'
- tcp_nodelay: 'on'
- send_iowait: 12000
# Use this if you need to deploy below certificates in a custom path.
certificates_path: '/etc/nginx/ssl'
# If you're doing SSL termination, you can deploy certificates this way.
# The private one(s) should go in a separate pillar file not in version
# control (or use encrypted pillar data).
certificates:
'www.example.com':
# choose one of: deploying this cert by pillar (e.g. in combination with
# ext_pillar and file_tree)
# public_cert_pillar: certs:example.com:fullchain.pem
# private_key_pillar: certs:example.com:privkey.pem
# or directly pasting the cert
public_cert: |
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: www.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: ExampleCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: www.example.com.key)
-----END RSA PRIVATE KEY-----
dh_param:
'mydhparam1.pem': |
-----BEGIN DH PARAMETERS-----
(Your custom DH prime)
-----END DH PARAMETERS-----
# or to generate one on-the-fly
'mydhparam2.pem':
keysize: 2048
# Passenger configuration
# Default passenger configuration is provided, and will be deployed in
# /etc/nginx/conf.d/passenger.conf
# Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf )
passenger:
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
passenger_ruby: /usr/bin/ruby
passenger_instance_registry_dir: /var/run/passenger-instreg
tofs:
# The files_switch key serves as a selector for alternative
# directories under the formula files directory. See TOFS pattern
# doc for more info.
# Note: Any value not evaluated by `config.get` will be used literally.
# This can be used to set custom paths, as many levels deep as required.
# files_switch:
# - any/path/can/be/used/here
# - id
# - role
# - osfinger
# - os
# - os_family
#
# All aspects of path/file resolution are customisable using the options below.
# This is unnecessary in most cases; there are sensible defaults.
# Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
# I.e.: salt://nginx/files/default
# path_prefix: template_alt
# dirs:
# files: files_alt
# default: default_alt
source_files:
nginx_config_file_managed:
- alt_nginx.conf
passenger_config_file_managed:
- alt_nginx.conf
server_conf_file_managed:
- alt_server.conf
nginx_systemd_service_file:
- alt_nginx.service
nginx_snippet_file_managed:
- alt_server.conf