paulbsd/paulbsd-salt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated nginx state
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Paul 2022-10-10 10:19:42 +02:00
parent ebbb961d6d
commit dec9fc6770
17 changed files with 185 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
states/nginx/config.sls
View File

@ -11,10 +11,10 @@ nginx-config-{{ configfile }}:
- group: {{ nginx.config.group }} - group: {{ nginx.config.group }}
- watch_in: - watch_in:
- service: nginx-service - service: nginx-service
- watch: #- watch:
- pki: pki-fetched # - pki: pki-fetched
- require: #- require:
- sls: acme.* # - sls: acme.*
{%- endfor %} {%- endfor %}
nginx-config-wipe-default: nginx-config-wipe-default:
@ -58,6 +58,7 @@ nginx-sites-available-{{ key }}:
dirs: {{ vhost.dirs|default([]) }} dirs: {{ vhost.dirs|default([]) }}
headers: {{ vhost.headers|default({}) }} headers: {{ vhost.headers|default({}) }}
php_socket_file: {{ nginx.config.php_socket_file }} php_socket_file: {{ nginx.config.php_socket_file }}
geoip: {{ nginx.config.geoip }}
nginx-site-enabled-{{ key }}: nginx-site-enabled-{{ key }}:
file.symlink: file.symlink:

4
states/nginx/defaults.yaml
View File

@ -6,8 +6,12 @@ nginx:
- nginx-extras - nginx-extras
config: config:
dir: /etc/nginx dir: /etc/nginx
geoip: false
user: www-data user: www-data
group: www-data group: www-data
workers: 4
http_port: 8080
https_port: 4443
php_socket_file: /run/php/php-fpm.sock php_socket_file: /run/php/php-fpm.sock
subdirs: subdirs:
- auth - auth

2
states/nginx/map.jinja
View File

@ -2,5 +2,5 @@
{%- set nginx = salt['pillar.get']('nginx', default=defaults.nginx, merge=True) -%} {%- set nginx = salt['pillar.get']('nginx', default=defaults.nginx, merge=True) -%}
{%- set users = salt['pillar.get']('htpasswds', merge=True) -%} {%- set users = salt['pillar.get']('htpasswds') -%}
{%- set net = salt['pillar.get']('net') -%} {%- set net = salt['pillar.get']('net') -%}

19
states/nginx/templates/access.j2
View File

@ -1,9 +1,14 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import net with context %} {%- from "nginx/map.jinja" import net with context %}
{%- for key, value in net.ipv4_networks.items() %} real_ip_header X-Forwarded-For;
allow {{ value.ip }}/{{ value.mask }}; geo $allow {
{%- endfor %} {%- for key, value in net.ipv4_networks.items() %}
{%- for key, value in net.ipv6_networks.items() %} #allow {{ value.ip }}/{{ value.mask }};
allow {{ value.ip }}/{{ value.mask }}; {{ value.ip }}/{{ value.mask }} 1;
{%- endfor %} {%- endfor %}
deny all; {%- for key, value in net.ipv6_networks.items() %}
#allow {{ value.ip }}/{{ value.mask }};
{{ value.ip }}/{{ value.mask }} 1;
{%- endfor %}
default 0;
}

5
states/nginx/templates/http.j2
View File

@ -1,4 +1,5 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %}
listen 80; listen {{ nginx.config.http_port }};
listen [::]:80; listen [::]:{{ nginx.config.http_port }};

5
states/nginx/templates/https.j2
View File

@ -1,4 +1,5 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %}
listen 443 ssl http2; listen {{ nginx.config.https_port }} ssl http2;
listen [::]:443 ssl http2; listen [::]:{{ nginx.config.https_port }} ssl http2;

41
states/nginx/templates/nginx.conf.j2
View File

@ -1,8 +1,13 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }} ## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{%- from "nginx/map.jinja" import nginx with context %}
user www-data; {%- if nginx.config.geoip %}
load_module modules/ngx_http_geoip2_module.so;
{%- endif%}
worker_processes 4; user {{ nginx.config.user }};
worker_processes {{ nginx.config.workers }};
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
error_log syslog:server=localhost:514 info; error_log syslog:server=localhost:514 info;
@ -18,9 +23,23 @@ http {
include ssl_params; include ssl_params;
charset utf-8; charset utf-8;
include access;
{%- if nginx.config.geoip %}
geoip2 /usr/share/GeoIP/GeoLite2-ASN.mmdb {
$geoip2_asn default=0 autonomous_system_number;
$geoip2_org default=ISP autonomous_system_organization;
}
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
$geoip2_country_name default=England country names en;
$geoip2_city_name default=London city names en;
}
{%- endif %}
include sites-enabled/*; include sites-enabled/*;
log_format main '$remote_addr - $remote_user [$time_iso8601] ' log_format main '$http_x_forwarded_for - $remote_user [$time_iso8601] '
'"$request" $status $body_bytes_sent ' '"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"'; '"$http_referer" "$http_user_agent"';
@ -36,12 +55,18 @@ http {
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_read_timeout 300; fastcgi_read_timeout 300;
server { gzip on;
listen 80 default_server; gzip_vary on;
listen 443 default_server ssl; gzip_min_length 1024;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
listen [::]:80 default_server; server {
listen [::]:443 default_server ssl; listen {{ nginx.config.http_port }} default_server;
listen [::]:{{ nginx.config.http_port }} default_server;
listen {{ nginx.config.https_port }} default_server ssl http2;
listen [::]:{{ nginx.config.https_port }} default_server ssl http2;
root /var/www/html; root /var/www/html;
index index.html; index index.html;

13
states/nginx/templates/types/dip.j2
View File

@ -2,16 +2,16 @@
server { server {
include http; include http;
server_name {{ vhost_name }};
if ($http_accept != '*/*') {
return 301 https://$server_name$request_uri;
}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}
root "{{ root_dir }}"; root "{{ root_dir }}";
{%- endif %} {%- endif %}
if ($http_accept != '*/*') {
return 301 https://$server_name$request_uri;
}
{%- for key,value in headers.items() %} {%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}"; add_header {{ key }} "{{ value }}";
{%- endfor %} {%- endfor %}
@ -46,7 +46,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}

67
states/nginx/templates/types/fdp.j2
View File

@ -1,67 +0,0 @@
## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
server {
include http;
server_name {{ vhost_name }};
return 301 https://$server_name$request_uri;
}
server {
include https;
{%- if internal_access %}
include access;
{%- endif %}
server_name {{ vhost_name }};
{%- if not proxy %}
root "{{ root_dir }}";
{%- endif %}
{%- for key,value in headers.items() %}
add_header {{ key }} "{{ value }}";
{%- endfor %}
location / {
{%- if proxy %}
proxy_pass {{ proxy_pass }};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header AppVhost $host;
{%- if not cache %}
proxy_no_cache 1;
proxy_cache_bypass 1;
{%- endif %}
{%- endif %}
{%- if autoindex %}
autoindex on;
autoindex_localtime on;
{%- else %}
index index.html index.rss;
{% endif %}
{%- if auth %}
auth_basic "Restricted area";
auth_basic_user_file {{ config_dir }}/auth/htpasswd;
{%- endif %}
}
{%- for dir in dirs %}
location {{ dir.name }} {
alias {{ dir.alias }};
}
{%- endfor %}
location /socket.io {
proxy_pass {{ proxy_pass }};
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header AppVhost $host;
}
location /robots.txt {
return 200 "User-agent: *\r\nDisallow: /";
}
}

5
states/nginx/templates/types/rd.j2
View File

@ -9,7 +9,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}

5
states/nginx/templates/types/simple.j2
View File

@ -9,7 +9,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}

5
states/nginx/templates/types/vaultwarden.j2
View File

@ -9,7 +9,10 @@ server {
server { server {
include https; include https;
{%- if internal_access %} {%- if internal_access %}
include access; #include access;
if ($allow = 0) {
return 403;
}
{%- endif %} {%- endif %}
server_name {{ vhost_name }}; server_name {{ vhost_name }};
{%- if not proxy %} {%- if not proxy %}