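# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# ========
# nginx (previously named nginx:ng)
# ========
nginx:
  # The following `install_from_` options are mutually exclusive. If none
  # is used, the distro's provided package will be installed. If one of the
  # `install_from_` options is set to `true`, the state will make sure the
  # other repos are removed.
  # Use the official nginx repo binaries
  install_from_repo: false
  # Use Phusion Passenger's repo to install nginx and passenger binaries
  # Debian, CentOS, Ubuntu and RedHat are currently available
  install_from_phusionpassenger: false
  # PPA install
  install_from_ppa: false
  # Set to 'stable', 'development' (mainline), 'community', or 'nightly' for
  # each build accordingly ( https://launchpad.net/~nginx )
  ppa_version: 'stable'
  # Use openSUSE devel (server:http) repository to install nginx.
  # If not set, the server_http repository will be removed if it exists.
  install_from_opensuse_devel: false
  # Source install
  source_version: '1.10.0'
  # Hash of the release tarball matching `source_version`. An empty value
  # presumably skips download verification (confirm against nginx/source.sls),
  # so pin it for anything other than local testing.
  source_hash: ''
  # Check the configuration before applying:
  # To prevent applying a configuration that might break nginx, set this
  # parameter to true so the configuration is checked BEFORE applying. If
  # the check fails, the state will fail and it won't be deployed.
  # CAVEAT: As the configuration file is created in a temp dir, it can't
  # have relative references or it will fail to check. You'll need to
  # specify full paths where required (i.e. `include`, `load_module`,
  # `snippets`, etc.)
  # Defaults to false
  check_config_before_apply: false
  # These are usually set by grains in map.jinja
  # Typically you can comment these out.
  lookup:
    package: nginx-custom  # can be a list
    service: nginx
    webuser: www-data
    conf_file: /etc/nginx/nginx.conf
    server_available: /etc/nginx/sites-available
    server_enabled: /etc/nginx/sites-enabled
    server_use_symlink: true
    # If you install nginx+passenger from phusionpassenger in Debian, these
    # values will probably be needed
    passenger_package: libnginx-mod-http-passenger
    passenger_config_file: /etc/nginx/conf.d/mod-http-passenger.conf
    # This is required for RedHat-like distros (Amazon Linux) that don't follow
    # semantic versioning for $releasever
    rh_os_releasever: '6'
    # Currently it can be used on rhel/centos/suse when installing from repo.
    # Keep it enabled so repository packages are signature-verified.
    gpg_check: true
    ### prevents rendering SLS error nginx.server.config.pid undefined ###
    pid_file: /var/run/nginx.pid
  # Source compilation is not currently a part of nginx
  from_source: false
  source:
    opts: {}
  package:
    opts: {}  # this partially exposes parameters of pkg.installed
  service:
    enable: true  # Whether or not the service will be enabled/running or dead
    opts: {}  # this partially exposes parameters of service.running / service.dead
  ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  ## You can use snippets to define often repeated configuration once and
  ## include it later.
  ## The letsencrypt example below is consumed by
  ## "- include: 'snippets/letsencrypt.conf'".
  ## Files or templates can be retrieved by TOFS with the snippet name
  ## (fallback to server.conf).
  ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
  snippets:
    letsencrypt.conf:
      - location ^~ /.well-known/acme-challenge/:
          - proxy_pass: http://localhost:9999
    # `set_real_ip_from` only lists the proxies to trust; nginx still reads the
    # client address from the header named by `real_ip_header` (X-Real-IP by
    # default), so add the matching `real_ip_header` directive for your proxy
    # and keep this list limited to ranges you actually control or trust.
    cloudflare_proxy.conf:
      - set_real_ip_from: 103.21.244.0/22
      - set_real_ip_from: 103.22.200.0/22
      - set_real_ip_from: 104.16.0.0/12
      - set_real_ip_from: 108.162.192.0/18
    blacklist.conf:
      - map $http_user_agent $bad_bot:
          - default: 0
          - '~*^Lynx': 0
          - '~*malicious': 1
          - '~*bot': 1
          - '~*crawler': 1
          - '~*bandit': 1
          - libwww-perl: 1
          - '~(?i)(httrack|htmlparser|libwww)': 1
    upstream_netdata_tcp.conf:
      - upstream netdata:
          - server: 127.0.0.1:19999
          - keepalive: 64
  server:
    # this partially exposes file.managed parameters as they relate to the main
    # nginx.conf file
    opts: {}
    ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
    # nginx.conf (main server) declarations: dictionaries map to blocks {} and
    # lists cause the same declaration to repeat with different values; see also
    # http://nginx.org/en/docs/example.html
    # The nginx config file or template can be retrieved by TOFS
    # (fallback to nginx.conf)
    ## - - -- - - -- -- - - --- -- - -- - - - -- - - - - -- - - - -- - - - -- - ##
    config:
      include: 'snippets/letsencrypt.conf'
      # IMPORTANT: This option is mutually exclusive with TOFS and the rest of
      # the options; if it is found, other options (worker_processes: 4 and so
      # on) are not processed and the file is just uploaded from source
      source_path: salt://path_to_nginx_conf_file/nginx.conf
      worker_processes: 4
      # pass as very first in configuration; otherwise nginx will fail to start
      load_module: modules/ngx_http_lua_module.so
      # Directory location must exist (i.e. it's /run/nginx.pid on EL7)
      # pid: /var/run/nginx.pid
      events:
        worker_connections: 1024
      http:
        sendfile: 'on'
        include:
          #### Note: Syntax issues in these files generate nginx [emerg] errors
          #### on startup.
          - /etc/nginx/mime.types
        ### module ngx_http_log_module example
        log_format: |-
          main '$remote_addr - $remote_user [$time_local] $status '
          '"$request" $body_bytes_sent "$http_referer" '
          '"$http_user_agent" "$http_x_forwarded_for"'
        access_log: []  # suppress default access_log option from being added
      # module ngx_stream_core_module
      # yamllint disable-line rule:line-length
      # https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/#example
      stream:
        upstream lb-1000:
          - server:
              - hostname1.example.com:1000
              - hostname2.example.com:1000
        upstream stream_backend:
          least_conn: ''
          'server backend1.example.com:12345 weight=5': ~
          'server backend2.example.com:12345 max_fails=2 fail_timeout=30s': ~
          'server backend3.example.com:12345 max_conns=3': ~
        upstream dns_servers:
          least_conn: ''
          'server 192.168.136.130:53': ~
          'server 192.168.136.131:53': ~
          'server 192.168.136.132:53': ~
        # Mapping keys must be unique: a repeated `server` block is spelled
        # with one extra trailing space per repetition ('server ', 'server  ').
        # Two identical keys would make the parser silently keep only the last
        # block, dropping the other server from the rendered config.
        server:
          listen: 1000
          proxy_pass: lb-1000
        'server ':
          listen: '53 udp'
          proxy_pass: dns_servers
        'server  ':
          listen: 12346
          proxy_pass: backend4.example.com:12346
  servers:
    # a postfix appended to files when doing non-symlink disabling
    disabled_postfix: .disabled
    # partially exposes file.symlink params when symlinking enabled sites
    symlink_opts: {}
    # partially exposes file.rename params when not symlinking disabled/enabled
    # sites
    rename_opts: {}
    # partially exposes file.managed params for managed server files
    managed_opts: {}
    # partially exposes file.directory params for site available/enabled and
    # snippets dirs
    dir_opts: {}
    # lets you purge the sites-available and sites-enabled folders before
    # adding new ones (if true it removes all non-salt-managed files)
    purge_servers_config: false
    #####################
    # server declarations; placed by default in server "available" directory
    #####################
    managed:
      # relative filename of server file
      # (defaults to '/etc/nginx/sites-available/mysite')
      mysite:
        # may be true, false, or None where true is enabled, false, disabled,
        # and None indicates no action
        enabled: true
        # This lets you add dependencies on other resources being applied for a
        # particular vhost
        # A common case is when you use this formula together with letsencrypt's,
        # validating through nginx: you need nginx running (to validate the vhost)
        # but can't have the ssl vhost up until the certificate is created
        # (because it won't exist and will make nginx fail to load the
        # configuration)
        #
        # An example, when using LE to create the cert for 'some.host.domain':
        # requires:
        #   cmd: create-initial-cert-some.host.domain
        requires: {}
        # Remove the site config file shipped by nginx
        # (i.e. '/etc/nginx/sites-available/default' by default)
        # It also removes the symlink (if it exists).
        # The site MUST be disabled before deleting it (otherwise nginx is not
        # reloaded).
        # deleted: true
        # custom directory (not sites-available) for server filename
        # available_dir: /etc/nginx/sites-available-custom
        # custom directory (not sites-enabled) for server filename
        # enabled_dir: /etc/nginx/sites-enabled-custom
        # an alternative disabled name to be used when not symlinking
        disabled_name: mysite.aint_on
        # overwrite an existing server file or not
        overwrite: true
        # May be a list of config options or None; if None, no server file will
        # be managed/templated. Takes server directives as lists of dictionaries.
        # If the dictionary value is another list of dictionaries a block {}
        # will be started with the dictionary key name
        config:
          # both of the methods below lead to the output:
          # server {
          #   server_name localhost;
          #   listen 80 default_server;
          #   listen 443 ssl;
          #   index index.html index.htm;
          #   location ~ .htm {
          #     try_files $uri $uri/ =404;
          #     test something else;
          #   }
          # }
          - server:
              - server_name: localhost
              - listen:
                  - '80 default_server'
              - listen:
                  - '443 ssl'
              - index: 'index.html index.htm'
              - location ~ .htm:
                  - try_files: '$uri $uri/ =404'
                  - test: something else
              - include: 'snippets/letsencrypt.conf'
          # Or a slightly more compact alternative syntax:
          - server:
              - server_name: localhost
              - listen:
                  - '80 default_server'
                  - '443 ssl'
              - index: 'index.html index.htm'
              - location ~ .htm:
                  - try_files: '$uri $uri/ =404'
                  - test: something else
              - include: 'snippets/letsencrypt.conf'
      # Using the source_path option to upload the file instead of templating
      # the whole file
      mysite2:
        enabled: true
        available_dir: /etc/nginx/sites-available
        enabled_dir: /etc/nginx/sites-enabled
        config:
          # IMPORTANT: This field is mutually exclusive with TOFS and other
          # config options, it just uploads the specified file
          source_path: salt://path-to-site-file/mysite2
      # The configuration below comes in handy if you want to create custom
      # configuration files, for example if you want to create
      # /usr/local/etc/nginx/http_options.conf with the following content:
      #   sendfile on;
      #   tcp_nopush on;
      #   tcp_nodelay on;
      #   send_iowait 12000;
      http_options.conf:
        enabled: true
        available_dir: /usr/local/etc/nginx
        enabled_dir: /usr/local/etc/nginx
        config:
          - sendfile: 'on'
          - tcp_nopush: 'on'
          - tcp_nodelay: 'on'
          - send_iowait: 12000
  # Use this if you need to deploy the certificates below in a custom path.
  certificates_path: '/etc/nginx/ssl'
  # If you're doing SSL termination, you can deploy certificates this way.
  # The private one(s) should go in a separate pillar file not in version
  # control (or use encrypted pillar data).
  certificates:
    'www.example.com':
      # choose one of: deploying this cert by pillar (e.g. in combination with
      # ext_pillar and file_tree)
      # public_cert_pillar: certs:example.com:fullchain.pem
      # private_key_pillar: certs:example.com:privkey.pem
      # or directly pasting the cert
      public_cert: |
        -----BEGIN CERTIFICATE-----
        (Your Primary SSL certificate: www.example.com.crt)
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        (Your Intermediate certificate: ExampleCA.crt)
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        (Your Root certificate: TrustedRoot.crt)
        -----END CERTIFICATE-----
      private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        (Your Private Key: www.example.com.key)
        -----END RSA PRIVATE KEY-----
  dh_param:
    'mydhparam1.pem': |
      -----BEGIN DH PARAMETERS-----
      (Your custom DH prime)
      -----END DH PARAMETERS-----
    # or to generate one on-the-fly
    'mydhparam2.pem':
      keysize: 2048
  # Passenger configuration
  # Default passenger configuration is provided, and will be deployed in
  # /etc/nginx/conf.d/passenger.conf
  # Passenger conf can be retrieved by TOFS ( Fallback to nginx.conf )
  passenger:
    passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
    passenger_ruby: /usr/bin/ruby
    passenger_instance_registry_dir: /var/run/passenger-instreg
  tofs:
    # The files_switch key serves as a selector for alternative
    # directories under the formula files directory. See TOFS pattern
    # doc for more info.
    # Note: Any value not evaluated by `config.get` will be used literally.
    # This can be used to set custom paths, as many levels deep as required.
    # files_switch:
    #   - any/path/can/be/used/here
    #   - id
    #   - role
    #   - osfinger
    #   - os
    #   - os_family
    #
    # All aspects of path/file resolution are customisable using the options
    # below. This is unnecessary in most cases; there are sensible defaults.
    # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
    # I.e.: salt://nginx/files/default
    # path_prefix: template_alt
    # dirs:
    #   files: files_alt
    #   default: default_alt
    source_files:
      nginx_config_file_managed:
        - alt_nginx.conf
      passenger_config_file_managed:
        - alt_nginx.conf
      server_conf_file_managed:
        - alt_server.conf
      nginx_systemd_service_file:
        - alt_nginx.service
      nginx_snippet_file_managed:
        - alt_server.conf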