Page MenuHomeDevCentral
Files F3768594

No OneTemporary
Actions

View Options

diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
index b94de43..733f947 100644
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -1,95 +1,118 @@
# -------------------------------------------------------------
# Salt — Webserver core units for all webservers roles
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% from "roles/webserver-core/map.jinja" import options, certbot_dir with context %}
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+
# -------------------------------------------------------------
# Accounts - web group
#
# A group shared between nginx, back-end and content directories
# to allow ACL giving access to the nginx process.
#
# This group will so be used by:
# - nginx process (configured in nginx.conf)
# - back-end UNIX sockets like php-fpm sockets can be 660
# - more private folders can use 007 as umask
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_group:
group.present:
- name: web
- gid: 9003
- system: True
# -------------------------------------------------------------
# Base configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/nginx.conf:
file.managed:
- source: salt://roles/webserver-core/nginx/files/nginx.conf
- template: jinja
- context:
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
# -------------------------------------------------------------
# includes folder
#
# :: general configuration
# :: application-specific code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_includes:
file.recurse:
- name: {{ dirs.etc }}/nginx/includes
- source: salt://roles/webserver-core/nginx/files/includes
- dir_mode: 755
- file_mode: 644
- template: jinja
- context:
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
certbot_dir: {{ certbot_dir }}
# -------------------------------------------------------------
# Parameters for Diffie-Hellman
#
# Some ciphers still require DH exchange. They contain "DHE" in
# the name, e.g. DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_dh:
cmd.run:
- name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 4096
- creates: {{ dirs.etc }}/nginx/dhparams.pem
# -------------------------------------------------------------
# OCSP - Online Certificate Status Protocol
#
# To allow nginx to verify TLS certificate presented by CA
# when it makes requests to the CRL, a bundle of CA certificates
# should be available.
#
# To generate the bundle file on this repository, use `make`.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/share/certs/ocsp-ca-certs.pem:
file.managed:
- source: salt://roles/webserver-core/nginx/files/ocsp-ca-certs.pem
- makedirs: True
- mode: 644
+# -------------------------------------------------------------
+# Logs
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/var/log/www:
+ file.directory:
+ - user: {{ options["www_user"] }}
+ - group: web
+ - dir_mode: 711
+
+{% if has_selinux %}
+selinux_context_nginx_logs:
+ selinux.fcontext_policy_present:
+ - name: /var/log/www
+ - sel_type: httpd_log_t
+
+selinux_context_nginx_logs_applied:
+ selinux.fcontext_policy_applied:
+ - name: /var/log/www
+{% endif %}
+
# -------------------------------------------------------------
# vhost folder
#
# To be filled by the specific web role or unit
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts:
file.directory
diff --git a/roles/webserver-core/nginx/files/nginx.conf b/roles/webserver-core/nginx/files/nginx.conf
index 43b6c35..9c5c784 100644
--- a/roles/webserver-core/nginx/files/nginx.conf
+++ b/roles/webserver-core/nginx/files/nginx.conf
@@ -1,58 +1,58 @@
# -------------------------------------------------------------
# nginx :: configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Source file: roles/webserver-core/nginx/files/nginx.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
user {{ nginx_options["www_user"] }} web;
worker_processes auto;
-error_log /var/log/nginx/error.log;
+error_log /var/log/www/error.log;
{% if "pid_path" in nginx_options -%}
pid {{ nginx_options["pid_path"] }};
{%- endif %}
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
- access_log /var/log/nginx/access.log main;
+ access_log /var/log/www/access.log main;
# Optimizing how packets are sent
# Reference: https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 64M;
server_names_hash_bucket_size 128;
include mime.types;
default_type text/plain;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Base
include vhosts/000-fallback.conf;
include vhosts/001-server.conf;
# Services hosted
include vhosts/*/*.conf;
}
diff --git a/roles/webserver-legacy/directories/init.sls b/roles/webserver-legacy/directories/init.sls
index bbc0d6a..4699f69 100644
--- a/roles/webserver-legacy/directories/init.sls
+++ b/roles/webserver-legacy/directories/init.sls
@@ -1,40 +1,30 @@
# -------------------------------------------------------------
# Salt — Sites to provision on the legacy web server
#
# Currently, this is deployed to ysul.nasqueron.org
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
/var/wwwroot:
file.directory:
- group: web
- dir_mode: 711
-/var/log/www:
- file.directory:
- - group: web
- - dir_mode: 711
-
{% for domains_group in pillar['web_domains'] %}
{% for domain in pillar['web_domains'][domains_group] %}
webserver_directory_{{ domain }}:
file.directory:
- name: /var/wwwroot/{{ domain }}
- user: {{ domain }}
- group: web
- dir_mode: 711
/var/log/www/{{ domain }}:
file.directory:
- user: {{ domain }}
- group: web
- dir_mode: 711
{% endfor %}
{% endfor %}
-
-/var/run/web:
- file.directory:
- - group: web
- - dir_mode: 711
diff --git a/roles/webserver-legacy/php-sites/php-fpm.sls b/roles/webserver-legacy/php-sites/php-fpm.sls
index 275c8b7..158771f 100644
--- a/roles/webserver-legacy/php-sites/php-fpm.sls
+++ b/roles/webserver-legacy/php-sites/php-fpm.sls
@@ -1,94 +1,101 @@
# -------------------------------------------------------------
# Salt — Provision PHP websites — php-fpm pools
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
# -------------------------------------------------------------
# Configuration : instances
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for instance, config in pillar['php_fpm_instances'].items() %}
php-fpm_config_{{ instance }}:
file.managed:
- name: {{ dirs.etc }}/php-fpm.d/{{ instance }}.conf
- source: salt://roles/webserver-legacy/php-sites/files/php-fpm.conf
- template: jinja
- context:
instance: {{ instance }}
{{ dirs.etc }}/php-fpm.d/{{ instance }}-pools:
file.directory
{% endfor %}
# -------------------------------------------------------------
# Configuration : pools
+#
+# Sockets are created in /var/run/web/<site user>/php-fpm.sock
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+/var/run/web:
+ file.directory:
+ - group: web
+ - dir_mode: 711
+
{% for fqdn, site in pillar['web_php_sites'].items() %}
php-fpm_pool_{{ site['user'] }}:
file.managed:
- name: {{ dirs.etc }}/php-fpm.d/{{ site['php-fpm'] }}-pools/{{ site['user'] }}.conf
- source: salt://roles/webserver-legacy/php-sites/files/php-fpm-pool.conf
- template: jinja
- context:
fqdn: {{ fqdn }}
domain: {{ site['domain'] }}
subdomain: {{ site['subdomain'] }}
user: {{ site['user' ] }}
display_errors: {{ site['display_errors']|default('off') }}
slow_delay: {{ site['slow_delay']|default('5s') }}
env : {{ site['env']|default({}) }}
capabilities: {{ site['capabilities']|default([]) }}
/var/log/www/{{ site['domain' ] }}/{{ site['subdomain' ] }}-php.log:
file.managed:
- replace: False
- user: {{ site['user'] }}
- group: web
- chmod: 600
{% endfor %}
# -------------------------------------------------------------
# Service
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if grains['os'] == 'FreeBSD' %}
{% set instances = " ".join(pillar['php_fpm_instances'].keys()) %}
# roles/webserver-legacy/php-sites/files/rc/php-fpm
/usr/local/etc/rc.d/php-fpm:
file.managed:
- source: salt://roles/webserver-legacy/php-sites/files/rc/php-fpm
- mode: 755
/etc/rc.conf.d/php_fpm:
file.directory
/etc/rc.conf.d/php_fpm/instances:
file.managed:
- source: salt://roles/webserver-legacy/php-sites/files/rc/instances
- template: jinja
- context:
instances: {{ instances }}
{% for instance, config in pillar['php_fpm_instances'].items() %}
/etc/rc.conf.d/php_fpm/{{ instance }}:
file.managed:
- source: salt://roles/webserver-legacy/php-sites/files/rc/per_instance
- template: jinja
- context:
instance: {{ instance }}
command: {{ config['command'] | default('') }}
{% endfor %}
{% endif %}

File Metadata

Mime Type
text/x-diff
Expires
Mon, Nov 25, 08:59 (1 d, 11 h)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2259556
Default Alt Text
(10 KB)

Event Timeline

Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator