
nginx: autogenerate ff-frontend.conf

Karsten Böddeker 6 years ago
parent
commit
7efcba75c0
2 changed files with 99 additions and 0 deletions
  1. 75 0
      nginx/ff-frontend.conf
  2. 24 0
      nginx/init.sls

+ 75 - 0
nginx/ff-frontend.conf

@@ -0,0 +1,75 @@
+#
+# FF Frontend configuration (Salt managed)
+#
+
+{%- set acme_thumbprint = salt['pillar.get']('acme:thumbprint', False) %}
+
+{%- for domain, config in pillar.get('frontend', {}).items()|sort if 'file' not in config %}
+  {%- set https = domain in salt['pillar.get']('cert', {}) and salt['pillar.get']('frontend:' ~ domain ~ ':https', True) %}
+  {%- set http = salt['pillar.get']('frontend:' ~ domain ~ ':http', not https) %}
+  {%- set host = salt['pillar.get']('frontend:' ~ domain ~ ':host', domain) %}
+
+#
+# {{ domain }}
+server {
+  {%- if http %}
+	listen 80{% if http == 'default_server' %} default_server{% endif %};
+	listen [::]:80{% if http == 'default_server' %} default_server{% endif %};
+  {%- endif %}
+  {%- if https %}
+	listen 443{% if https == 'default_server' %} default_server{% endif %};
+	listen [::]:443{% if https == 'default_server' %} default_server{% endif %};
+  {%- endif %}
+
+  {#- set server_name #}
+  {%- if 'server_name' in config %}
+	server_name {{ config.server_name }};
+  {%- elif 'domains' in config %}
+    {%- set domains = config.domains %}
+    {%- do domains.append(domain) %}
+	server_name ~^({{ domains|join('|') }})$;
+  {%- else %}
+	server_name "{{ domain }}";
+  {%- endif %}
+
+  {%- if https %}
+	ssl on;
+	ssl_certificate /etc/ssl/certs/{{ domain }}.cert.pem;
+	ssl_certificate_key /etc/ssl/private/{{ domain }}.key.pem;
+  {%- endif %}
+
+  {%- if 'proxy_pass' in config %}
+	location / {
+		proxy_pass		{{ config.proxy_pass }};
+		proxy_redirect		default;
+		proxy_set_header	Host "{{ host }}";
+		proxy_set_header	X-Forwarded-For $remote_addr;
+	}
+  {%- elif 'redirect' in config %}
+	location / {
+		return 302 {{ config.redirect }};
+	}
+  {%- elif 'location' in config %}
+    {%- for location, loc_conf in config.location.items()|sort %}
+	location {{ location }} {
+      {%- if 'proxy_pass' in loc_conf %}
+        {%- set loc_host = salt['pillar.get']('frontend:' ~ domain ~ ':location:' ~ location ~ ':host', host) %}
+		proxy_pass		{{ loc_conf.proxy_pass }};
+		proxy_redirect		default;
+		proxy_set_header	Host "{{ loc_host }}";
+		proxy_set_header	X-Forwarded-For $remote_addr;
+      {%- elif 'redirect' in loc_conf %}
+		return 302 {{ loc_conf.redirect }};
+      {%- endif %}
+	}
+    {% endfor %}
+  {%- endif %}
+
+  {%- if acme_thumbprint %}
+	location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
+		default_type text/plain;
+		return 200 "$1.{{ acme_thumbprint }}";
+	}
+  {%- endif %}
+}
+{%- endfor %}
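Review bot: `ssl on;` in the `{%- if https %}` block enables TLS on every listen socket of the server, so when a domain has both `http` and `https` set, the `listen 80` lines above will also expect TLS. Plain-HTTP requests then fail, including fetches of the ACME challenge location at the end of the block. The directive is also deprecated in newer nginx releases in favour of the per-socket flag: drop `ssl on;` and write `listen 443 ssl{% if https == 'default_server' %} default_server{% endif %};`, and the same for `listen [::]:443`. Separately, the `server_name ~^({{ domains|join('|') }})$;` branch puts the pillar domains into a regex unescaped, so each `.` matches any character. Escaping the dots, or emitting a plain space-separated name list, would keep the host match exact.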

+ 24 - 0
nginx/init.sls

@@ -63,6 +63,30 @@ nginx-cache:
       - cmd: nginx-configtest
 {% endfor %}
 
+{% if 'frontend' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
+  {% for domain, config in pillar.get('frontend', {}).items()|sort %}
+    {% if 'file' in config %}
+/etc/nginx/sites-enabled/{{domain}}:
+  file.managed:
+    - source: salt://nginx/{{config.file}}
+    - template: jinja
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - cmd: nginx-configtest
+    {% endif %}
+  {% endfor %}
+
+/etc/nginx/sites-enabled/ff-frontend.conf:
+  file.managed:
+    - source: salt://nginx/ff-frontend.conf
+    - template: jinja
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - cmd: nginx-configtest
+{% endif %}
+
 # Test configuration before reload
 nginx-configtest:
   cmd.wait:
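Review bot: Nothing in the added block removes a site file once its pillar entry or the `frontend` role goes away, so a decommissioned domain's `/etc/nginx/sites-enabled/{{domain}}` (and `ff-frontend.conf` itself) would stay on disk and keep being served, unless a cleanup exists in a part of init.sls outside this hunk. An `{% else %}` branch with a `file.absent` state for `/etc/nginx/sites-enabled/ff-frontend.conf`, wired with the same `watch_in` on `cmd: nginx-configtest`, would cover the role-removal case. A comment above the per-domain loop would also help, e.g. `# domains with a 'file' key get a hand-written vhost; all others are rendered into ff-frontend.conf`, since the two templates split on that key. The `nginx-configtest` state continues past the end of the hunk.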