Georg Pfuetzenreuter
9ec7ed2b31
All modern openSUSE releases (Leap 15.x, Tumbleweed) ship nginx in the default repositories. The devel repository should not be used unless the user knows what they are doing. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
387 lines
14 KiB
YAML
387 lines
14 KiB
YAML
# -*- coding: utf-8 -*-
|
|
# vim: ft=yaml
|
|
---
|
|
# ========
|
|
# nginx (previously named nginx:ng)
|
|
# ========
|
|
|
|
nginx:
|
|
# The following three `install_from_` options are mutually exclusive. If none
|
|
# is used, the distro's provided package will be installed. If one of the
|
|
# `install_from` option is set to `true`, the state will make sure the other
|
|
# two repos are removed.
|
|
|
|
# Use the official's nginx repo binaries
|
|
install_from_repo: false
|
|
|
|
# Use Phusionpassenger's repo to install nginx and passenger binaries
|
|
# Debian, Centos, Ubuntu and Redhat are currently available
|
|
install_from_phusionpassenger: false
|
|
|
|
# PPA install
|
|
install_from_ppa: false
|
|
# Set to 'stable', 'development' (mainline), 'community', or 'nightly' for
|
|
# each build accordingly ( https://launchpad.net/~nginx )
|
|
ppa_version: 'stable'
|
|
|
|
# Use openSUSE devel (server:http) repository to install nginx.
|
|
# If not set, the server_http repository will be removed if it exists.
|
|
install_from_opensuse_devel: false
|
|
|
|
# Source install
|
|
source_version: '1.10.0'
|
|
source_hash: ''
|
|
|
|
# Check the configuration before applying:
|
|
# To prevent applying a configuration that might break nginx, set this
|
|
# parameter to true so the configuration is checked BEFORE applying. If
|
|
# the check fails, the state will fail and it won't be deployed.
|
|
# CAVEAT: As the configuration file is created in a temp dir, it can't
|
|
# have relative references or it will fail to check. You'll need to
|
|
# specify full paths where required (ie, `include`, `load_module`,
|
|
# `snippets`, etc.0
|
|
# Defaults to false
|
|
check_config_before_apply: false
|
|
|
|
# These are usually set by grains in map.jinja
|
|
# Typically you can comment these out.
|
|
lookup:
|
|
package: nginx-custom (can be a list)
|
|
service: nginx
|
|
webuser: www-data
|
|
conf_file: /etc/nginx/nginx.conf
|
|
server_available: /etc/nginx/sites-available
|
|
server_enabled: /etc/nginx/sites-enabled
|
|
server_use_symlink: true
|
|
# If you install nginx+passenger from phusionpassenger in Debian, these
|
|
# values will probably be needed
|
|
passenger_package: libnginx-mod-http-passenger
|
|
passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
|
|
|
|
# This is required for RedHat like distros (Amazon Linux) that don't follow
|
|
# semantic versioning for $releasever
|
|
rh_os_releasever: '6'
|
|
# Currently it can be used on rhel/centos/suse when installing from repo
|
|
gpg_check: true
|
|
### prevents rendering SLS error nginx.server.config.pid undefined ###
|
|
pid_file: /var/run/nginx.pid
|
|
|
|
|
|
# Source compilation is not currently a part of nginx
|
|
from_source: false
|
|
|
|
source:
|
|
opts: {}
|
|
|
|
package:
|
|
opts: {} # this partially exposes parameters of pkg.installed
|
|
|
|
service:
|
|
enable: true # Whether or not the service will be enabled/running or dead
|
|
opts: {} # this partially exposes parameters of service.running / service.dead
|
|
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
## You can use snippets to define often repeated configuration once and
|
|
## include it later # The letsencrypt example below is consumed by "- include:
|
|
## 'snippets/letsencrypt.conf'" # Files or Templates can be retrieved by TOFS
|
|
## with snippet name ( Fallback to server.conf )
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
snippets:
|
|
letsencrypt.conf:
|
|
- location ^~ /.well-known/acme-challenge/:
|
|
- proxy_pass: http://localhost:9999
|
|
cloudflare_proxy.conf:
|
|
- set_real_ip_from: 103.21.244.0/22
|
|
- set_real_ip_from: 103.22.200.0/22
|
|
- set_real_ip_from: 104.16.0.0/12
|
|
- set_real_ip_from: 108.162.192.0/18
|
|
blacklist.conf:
|
|
- map $http_user_agent $bad_bot:
|
|
- default: 0
|
|
- '~*^Lynx': 0
|
|
- '~*malicious': 1
|
|
- '~*bot': 1
|
|
- '~*crawler': 1
|
|
- '~*bandit': 1
|
|
- libwww-perl: 1
|
|
- '~(?i)(httrack|htmlparser|libwww)': 1
|
|
upstream_netdata_tcp.conf:
|
|
- upstream netdata:
|
|
- server: 127.0.0.1:19999
|
|
- keepalive: 64
|
|
|
|
server:
|
|
# this partially exposes file.managed parameters as they relate to the main
|
|
# nginx.conf file
|
|
opts: {}
|
|
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
# nginx.conf (main server) declarations dictionaries map to blocks {} and
|
|
# lists cause the same declaration to repeat with different values see also
|
|
# http://nginx.org/en/docs/example.html Nginx config file or template can
|
|
# be retrieved by TOFS ( Fallback to nginx.conf )
|
|
## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
|
|
config:
|
|
include: 'snippets/letsencrypt.conf'
|
|
# IMPORTANT: This option is mutually exclusive with TOFS and the rest of
|
|
# the options; if it is found other options (worker_processes: 4 and so
|
|
# on) are not processed and just upload the file from source
|
|
source_path: salt://path_to_nginx_conf_file/nginx.conf
|
|
worker_processes: 4
|
|
# pass as very first in configuration; otherwise nginx will fail to start
|
|
load_module: modules/ngx_http_lua_module.so
|
|
# Directory location must exist (i.e. it's /run/nginx.pid on EL7)
|
|
# pid: /var/run/nginx.pid
|
|
events:
|
|
worker_connections: 1024
|
|
http:
|
|
sendfile: 'on'
|
|
include:
|
|
#### Note: Syntax issues in these files generate nginx [emerg] errors
|
|
#### on startup.
|
|
- /etc/nginx/mime.types
|
|
|
|
### module ngx_http_log_module example
|
|
log_format: |-
|
|
main '$remote_addr - $remote_user [$time_local] $status '
|
|
'"$request" $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"'
|
|
access_log: [] # suppress default access_log option from being added
|
|
|
|
# module nngx_stream_core_module
|
|
# yamllint disable-line rule:line-length
|
|
# https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
|
|
stream:
|
|
upstream lb-1000:
|
|
- server:
|
|
- hostname1.example.com:1000
|
|
- hostname2.example.com:1000
|
|
upstream stream_backend:
|
|
least_conn: ''
|
|
'server backend1.example.com:12345 weight=5': ~
|
|
'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~
|
|
'server backend3.example.com:12345 max_conns=3': ~
|
|
upstream dns_servers:
|
|
least_conn: ''
|
|
'server 192.168.136.130:53': ~
|
|
'server 192.168.136.131:53': ~
|
|
'server 192.168.136.132:53': ~
|
|
server:
|
|
listen: 1000
|
|
proxy_pass: lb-1000
|
|
'server ':
|
|
listen: '53 udp'
|
|
proxy_pass: dns_servers
|
|
'server ':
|
|
listen: 12346
|
|
proxy_pass: backend4.example.com:12346
|
|
|
|
|
|
servers:
|
|
# a postfix appended to files when doing non-symlink disabling
|
|
disabled_postfix: .disabled
|
|
# partially exposes file.symlink params when symlinking enabled sites
|
|
symlink_opts: {}
|
|
# partially exposes file.rename params when not symlinking disabled/enabled sites
|
|
rename_opts: {}
|
|
# partially exposes file.managed params for managed server files
|
|
managed_opts: {}
|
|
# partially exposes file.directory params for site available/enabled and
|
|
# snippets dirs
|
|
dir_opts: {}
|
|
# let the choice to purge site-available and site-enable folders before add new ones
|
|
# (if True it removes all non-salt-managed files)
|
|
purge_servers_config: false
|
|
|
|
|
|
#####################
|
|
# server declarations; placed by default in server "available" directory
|
|
#####################
|
|
managed:
|
|
|
|
# relative filename of server file
|
|
# (defaults to '/etc/nginx/sites-available/mysite')
|
|
mysite:
|
|
# may be true, false, or None where true is enabled, false, disabled,
|
|
# and None indicates no action
|
|
enabled: true
|
|
|
|
# This let's you add dependencies on other resources being applied for a
|
|
# particular vhost
|
|
# A common case is when you use this formula together with letsencrypt's,
|
|
# validating through nginx: you need nginx running (to validate the vhost) but
|
|
# can't have the ssl vhost up until the certificate is created (because it
|
|
# won't exist and will make nginx fail to load the configuration)
|
|
#
|
|
# An example, when using LE to create the cert for 'some.host.domain':
|
|
# requires:
|
|
# cmd: create-initial-cert-some.host.domain
|
|
requires: {}
|
|
|
|
# Remove the site config file shipped by nginx
|
|
# (i.e. '/etc/nginx/sites-available/default' by default)
|
|
# It also remove the symlink (if it is exists).
|
|
# The site MUST be disabled before delete it (if not the nginx is not
|
|
# reloaded).
|
|
# deleted: true
|
|
|
|
# custom directory (not sites-available) for server filename
|
|
# available_dir: /etc/nginx/sites-available-custom
|
|
# custom directory (not sites-enabled) for server filename
|
|
# enabled_dir: /etc/nginx/sites-enabled-custom
|
|
# an alternative disabled name to be use when not symlinking
|
|
disabled_name: mysite.aint_on
|
|
# overwrite an existing server file or not
|
|
overwrite: true
|
|
|
|
# May be a list of config options or None, if None, no server file will
|
|
# be managed/templated Take server directives as lists of dictionaries.
|
|
# If the dictionary value is another list of dictionaries a block {}
|
|
# will be started with the dictionary key name
|
|
config:
|
|
# both of the methods below lead to the output:
|
|
# server {
|
|
# server_name localhost;
|
|
# listen 80 default_server;
|
|
# listen 443 ssl;
|
|
# index index.html index.htm;
|
|
# location ~ .htm {
|
|
# try_files $uri $uri/ =404;
|
|
# test something else;
|
|
# }
|
|
# }
|
|
|
|
- server:
|
|
- server_name: localhost
|
|
- listen:
|
|
- '80 default_server'
|
|
- listen:
|
|
- '443 ssl'
|
|
- index: 'index.html index.htm'
|
|
- location ~ .htm:
|
|
- try_files: '$uri $uri/ =404'
|
|
- test: something else
|
|
- include: 'snippets/letsencrypt.conf'
|
|
|
|
# Or a slightly more compact alternative syntax:
|
|
- server:
|
|
- server_name: localhost
|
|
- listen:
|
|
- '80 default_server'
|
|
- '443 ssl'
|
|
- index: 'index.html index.htm'
|
|
- location ~ .htm:
|
|
- try_files: '$uri $uri/ =404'
|
|
- test: something else
|
|
- include: 'snippets/letsencrypt.conf'
|
|
|
|
|
|
# Using source_path options to upload the file instead of templating all the file
|
|
mysite2:
|
|
enabled: true
|
|
available_dir: /etc/nginx/sites-available
|
|
enabled_dir: /etc/nginx/sites-enabled
|
|
config:
|
|
# IMPORTANT: This field is mutually exclusive with TOFS and other
|
|
# config options, it just uploads the specified file
|
|
source_path: salt://path-to-site-file/mysite2
|
|
|
|
# Below configuration becomes handy if you want to create custom
|
|
# configuration files for example if you want to create
|
|
# /usr/local/etc/nginx/http_options.conf with the following content:
|
|
|
|
# sendfile on;
|
|
# tcp_nopush on;
|
|
# tcp_nodelay on;
|
|
# send_iowait 12000;
|
|
|
|
http_options.conf:
|
|
enabled: true
|
|
available_dir: /usr/local/etc/nginx
|
|
enabled_dir: /usr/local/etc/nginx
|
|
config:
|
|
- sendfile: 'on'
|
|
- tcp_nopush: 'on'
|
|
- tcp_nodelay: 'on'
|
|
- send_iowait: 12000
|
|
|
|
# Use this if you need to deploy below certificates in a custom path.
|
|
certificates_path: '/etc/nginx/ssl'
|
|
# If you're doing SSL termination, you can deploy certificates this way.
|
|
# The private one(s) should go in a separate pillar file not in version
|
|
# control (or use encrypted pillar data).
|
|
certificates:
|
|
'www.example.com':
|
|
|
|
# choose one of: deploying this cert by pillar (e.g. in combination with
|
|
# ext_pillar and file_tree)
|
|
# public_cert_pillar: certs:example.com:fullchain.pem
|
|
# private_key_pillar: certs:example.com:privkey.pem
|
|
# or directly pasting the cert
|
|
public_cert: |
|
|
-----BEGIN CERTIFICATE-----
|
|
(Your Primary SSL certificate: www.example.com.crt)
|
|
-----END CERTIFICATE-----
|
|
-----BEGIN CERTIFICATE-----
|
|
(Your Intermediate certificate: ExampleCA.crt)
|
|
-----END CERTIFICATE-----
|
|
-----BEGIN CERTIFICATE-----
|
|
(Your Root certificate: TrustedRoot.crt)
|
|
-----END CERTIFICATE-----
|
|
private_key: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
(Your Private Key: www.example.com.key)
|
|
-----END RSA PRIVATE KEY-----
|
|
|
|
dh_param:
|
|
'mydhparam1.pem': |
|
|
-----BEGIN DH PARAMETERS-----
|
|
(Your custom DH prime)
|
|
-----END DH PARAMETERS-----
|
|
# or to generate one on-the-fly
|
|
'mydhparam2.pem':
|
|
keysize: 2048
|
|
|
|
# Passenger configuration
|
|
# Default passenger configuration is provided, and will be deployed in
|
|
# /etc/nginx/conf.d/passenger.conf
|
|
# Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf )
|
|
passenger:
|
|
passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
|
passenger_ruby: /usr/bin/ruby
|
|
passenger_instance_registry_dir: /var/run/passenger-instreg
|
|
|
|
tofs:
|
|
# The files_switch key serves as a selector for alternative
|
|
# directories under the formula files directory. See TOFS pattern
|
|
# doc for more info.
|
|
# Note: Any value not evaluated by `config.get` will be used literally.
|
|
# This can be used to set custom paths, as many levels deep as required.
|
|
# files_switch:
|
|
# - any/path/can/be/used/here
|
|
# - id
|
|
# - role
|
|
# - osfinger
|
|
# - os
|
|
# - os_family
|
|
#
|
|
# All aspects of path/file resolution are customisable using the options below.
|
|
# This is unnecessary in most cases; there are sensible defaults.
|
|
# Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
|
|
# I.e.: salt://nginx/files/default
|
|
# path_prefix: template_alt
|
|
# dirs:
|
|
# files: files_alt
|
|
# default: default_alt
|
|
source_files:
|
|
nginx_config_file_managed:
|
|
- alt_nginx.conf
|
|
passenger_config_file_managed:
|
|
- alt_nginx.conf
|
|
server_conf_file_managed:
|
|
- alt_server.conf
|
|
nginx_systemd_service_file:
|
|
- alt_nginx.service
|
|
nginx_snippet_file_managed:
|
|
- alt_server.conf
|