
diff --git a/roles/webserver-legacy/account/init.sls b/roles/webserver-alkane/account/init.sls
similarity index 52%
rename from roles/webserver-legacy/account/init.sls
rename to roles/webserver-alkane/account/init.sls
index 967c22b..df078d4 100644
--- a/roles/webserver-legacy/account/init.sls
+++ b/roles/webserver-alkane/account/init.sls
@@ -1,25 +1,31 @@
# -------------------------------------------------------------
-# Salt — Sites to provision on the legacy web server
-#
-# Currently, this is deployed to ysul.nasqueron.org
+# Salt — Sites to provision
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-webserver_legacy_group:
- group.present:
- - name: web
- - gid: 9003
- - system: True
+# -------------------------------------------------------------
+# User groups for domains served
+#
+# Those account are mostly intended for static content,
+# to allow users to access it through group.
+#
+# The user will often be "deploy" to allow continuous delivery.
+# This is provisioned by the core role.
+#
+# Back-ends runs under their own separate account.
+#
+# The 9003 group matches "web" group, see webserver-core/nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for domains_group in pillar['web_domains'] %}
{% for domain in pillar['web_domains'][domains_group] %}
webserver_user_{{ domain }}:
user.present:
- name: {{ domain }}
- gid: 9003
- createhome: False
- fullname: Websites account for {{ domain }}
{% endfor %}
{% endfor %}
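Review bot: `webserver_user_{{ domain }}` hard-codes `gid: 9003` but declares no requisite on the group, and this commit moves the group definition out of this file into webserver-core/nginx/config.sls (`webserver_core_group`); on a minion where that state has not run yet, user creation with a non-existent gid is likely to fail. Neither include list touched by this commit — roles/webserver-alkane/init.sls nor roles/webserver-legacy/init.sls, which now both pull this file in — visibly includes webserver-core, so the ordering rests on something outside this diff. Adding `- require:` / `  - group: webserver_core_group` to the user state makes the dependency explicit and keeps the two roles consistent. Minor wording in the new header: `Those account are` → `Those accounts are`, `Back-ends runs` → `Back-ends run`.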
diff --git a/roles/webserver-alkane/init.sls b/roles/webserver-alkane/init.sls
index 68351f4..061c8e9 100644
--- a/roles/webserver-alkane/init.sls
+++ b/roles/webserver-alkane/init.sls
@@ -1,9 +1,10 @@
# -------------------------------------------------------------
# Salt :: Alkane :: Nasqueron PaaS for static and PHP sites
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
+ - .account
- .alkane
diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
index 15ae87e..b94de43 100644
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -1,77 +1,95 @@
# -------------------------------------------------------------
# Salt — Webserver core units for all webservers roles
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% from "roles/webserver-core/map.jinja" import options, certbot_dir with context %}
+# -------------------------------------------------------------
+# Accounts - web group
+#
+# A group shared between nginx, back-end and content directories
+# to allow ACL giving access to the nginx process.
+#
+# This group will so be used by:
+# - nginx process (configured in nginx.conf)
+# - back-end UNIX sockets like php-fpm sockets can be 660
+# - more private folders can use 007 as umask
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+webserver_core_group:
+ group.present:
+ - name: web
+ - gid: 9003
+ - system: True
+
# -------------------------------------------------------------
# Base configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/nginx.conf:
file.managed:
- source: salt://roles/webserver-core/nginx/files/nginx.conf
- template: jinja
- context:
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
# -------------------------------------------------------------
# includes folder
#
# :: general configuration
# :: application-specific code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_includes:
file.recurse:
- name: {{ dirs.etc }}/nginx/includes
- source: salt://roles/webserver-core/nginx/files/includes
- dir_mode: 755
- file_mode: 644
- template: jinja
- context:
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
certbot_dir: {{ certbot_dir }}
# -------------------------------------------------------------
# Parameters for Diffie-Hellman
#
# Some ciphers still require DH exchange. They contain "DHE" in
# the name, e.g. DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
webserver_core_nginx_dh:
cmd.run:
- name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 4096
- creates: {{ dirs.etc }}/nginx/dhparams.pem
# -------------------------------------------------------------
# OCSP - Online Certificate Status Protocol
#
# To allow nginx to verify TLS certificate presented by CA
# when it makes requests to the CRL, a bundle of CA certificates
# should be available.
#
# To generate the bundle file on this repository, use `make`.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/usr/local/share/certs/ocsp-ca-certs.pem:
file.managed:
- source: salt://roles/webserver-core/nginx/files/ocsp-ca-certs.pem
- makedirs: True
- mode: 644
# -------------------------------------------------------------
# vhost folder
#
# To be filled by the specific web role or unit
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.etc }}/nginx/vhosts:
file.directory
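Review bot: The new header's `more private folders can use 007 as umask` recommends group-writable content, which widens the `web` group beyond what nginx needs: the worker only has to read static files and connect to 660 sockets, and every account created by webserver-alkane/account shares the same primary gid 9003, so group write would let any site account (or the nginx process itself) alter another site's files. A safer phrasing is `- content folders can be 750/640 (umask 027): group read is enough for nginx`, leaving write to the owning account. The shared-group trust boundary is worth stating in the same block, e.g. `# NOTE: every site account has this group as primary gid, so group-readable means readable by all site accounts`. The rest of this file is unchanged context.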
diff --git a/roles/webserver-core/nginx/files/nginx.conf b/roles/webserver-core/nginx/files/nginx.conf
index 950aa3c..43b6c35 100644
--- a/roles/webserver-core/nginx/files/nginx.conf
+++ b/roles/webserver-core/nginx/files/nginx.conf
@@ -1,58 +1,58 @@
# -------------------------------------------------------------
# nginx :: configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Source file: roles/webserver-core/nginx/files/nginx.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
-user {{ nginx_options["www_user"] }};
+user {{ nginx_options["www_user"] }} web;
worker_processes auto;
error_log /var/log/nginx/error.log;
{% if "pid_path" in nginx_options -%}
pid {{ nginx_options["pid_path"] }};
{%- endif %}
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# Optimizing how packets are sent
# Reference: https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 64M;
server_names_hash_bucket_size 128;
include mime.types;
default_type text/plain;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Base
include vhosts/000-fallback.conf;
include vhosts/001-server.conf;
# Services hosted
include vhosts/*/*.conf;
}
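Review bot: `user {{ nginx_options["www_user"] }} web;` makes nginx refuse to load its configuration on any host where the `web` group does not exist yet, and nothing in this diff ties the nginx.conf `file.managed` state or the nginx service to `webserver_core_group`. The group state sits earlier in webserver-core/nginx/config.sls, so in-file ordering probably covers a fresh highstate, but a standalone reload of this template would not be protected. Adding `- require:` / `  - group: webserver_core_group` to the `{{ dirs.etc }}/nginx/nginx.conf` state in config.sls pins the dependency. A one-line comment above the directive would also help the next reader: `# group web: shared with back-end sockets and content ACLs, see webserver-core/nginx/config.sls`.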
diff --git a/roles/webserver-legacy/init.sls b/roles/webserver-legacy/init.sls
index b64b570..d520409 100644
--- a/roles/webserver-legacy/init.sls
+++ b/roles/webserver-legacy/init.sls
@@ -1,16 +1,16 @@
# -------------------------------------------------------------
# Salt — Sites to provision on the legacy web server
#
# Currently, this is deployed to ysul.nasqueron.org
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- - .account
+ - roles/webserver-alkane/account
- .directories
- .nginx
- .static-sites
- .php-sites
- .tweaks
