diff --git a/puppet/modules/nginx b/puppet/modules/nginx
deleted file mode 160000
index 154e8cb..0000000
--- a/puppet/modules/nginx
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 154e8cb9f34495e10d107c77bce7b44187d8ce1a
diff --git a/puppet/modules/nginx/LICENSE b/puppet/modules/nginx/LICENSE
new file mode 100644
index 0000000..4c6dc84
--- /dev/null
+++ b/puppet/modules/nginx/LICENSE
@@ -0,0 +1,12 @@
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/puppet/modules/nginx/Modulefile b/puppet/modules/nginx/Modulefile
new file mode 100644
index 0000000..038b4d8
--- /dev/null
+++ b/puppet/modules/nginx/Modulefile
@@ -0,0 +1,8 @@
+name 'BenoitCattie-nginx'
+version '0.0.2'
+source 'https://github.com/BenoitCattie/puppet-nginx.git'
+author 'BenoitCattie'
+license 'APACHE2'
+summary 'Basic module for configuring nginx via puppet'
+description 'Basic module for configuring nginx via puppet. You can easily create fcgi vhost with this module.'
+project_page 'http://github.com/BenoitCattie/puppet-nginx'
diff --git a/puppet/modules/nginx/README b/puppet/modules/nginx/README
new file mode 100644
index 0000000..a970323
--- /dev/null
+++ b/puppet/modules/nginx/README
@@ -0,0 +1,116 @@
+# Nginx Recipe #
+Author : Benoit CATTIE
+Version : 0.2
+Licence : Apache
+
+Basic module for configuring nginx via puppet.
+
+Based in part on apache2 module code by Sam Quigley , Tim Stoop and David Schmitt
+
+## Class: nginx ##
+
+Parameters (used in nginx.conf.erb) :
+ * $user. Defaults to 'www-data'.
+ * $worker_processes. Defaults to '1'.
+ * $worker_connections. Defaults to '1024'.
+ * $error_log. Default to undef
+ * $pid_file. Default to undef
+ * $access_log. Default to undef
+
+Install nginx.
+Create config directories :
+ * /etc/nginx/conf.d for http config snippet
+ * /etc/nginx/includes for sites includes
+ * /etc/nginx/sites-enabled
+ * /etc/nginx/sites-available
+ * /etc/nginx/ssl
+
+Provide 4 definitions :
+ * nginx::config (http config snippet)
+ * nginx::site (http site)
+ * nginx::site_include (site includes)
+ * nginx::fcgi::site (fcgi php site)
+
+Templates:
+ - nginx.conf.erb => /etc/nginx/nginx.conf
+
+
+### Define nginx::config ###
+
+Installs a config snippet in /etc/nginx/conf.d.
+
+Parameters :
+ * ensure: typically set to "present" or "absent". Defaults to "present"
+ * content: set the content of the config snipppet. Defaults to 'template("nginx/${name}.conf.erb")'
+ * order: specifies the load order for this config snippet. Defaults to "500"
+
+
+### Define: nginx::site ###
+
+Install a nginx site in /etc/nginx/sites-available (and symlink in /etc/nginx/sites-enabled).
+
+Parameters :
+ * ensure: typically set to "present" or "absent". Defaults to "present"
+ * content: site definition (should be a template).
+
+### Define: nginx::site_include ###
+
+Define: site_include
+
+Define a site config include in /etc/nginx/includes
+
+Parameters :
+ * ensure: typically set to "present" or "absent". Defaults to "present"
+ * content: include definition (should be a template).
+
+
+## Class nginx::fcgi ##
+
+Manage nginx fcgi configuration.
+Provide nginx::fcgi::site
+
+Templates :
+ * nginx/includes/fastcgi_params.erb
+
+### Define: nginx::fcgi::site ###
+
+Create a fcgi site config from template using parameters.
+You can use my php5-fpm class to manage fastcgi servers.
+
+Parameters :
+ * ensure: typically set to "present" or "absent". Defaults to "present"
+ * root: document root (Required)
+ * index: nginx index directive. Defaults to "index.php"
+ * fastcgi_pass : port or socket on which the FastCGI-server is listening (Required)
+ * server_name : server_name directive (could be an array)
+ * listen : address/port the server listen to. Defaults to 80. Auto enable ssl if 443
+ * access_log : custom acces logs. Defaults to /var/log/nginx/$name_access.log
+ * include : custom include for the site (could be an array). Include files must exists
+ to avoid nginx reload errors. Use with nginx::site_include
+ * ssl_certificate : ssl_certificate path. If empty auto-generating ssl cert
+ * ssl_certificate_key : ssl_certificate_key path. If empty auto-generating ssl cert key
+ See http://wiki.nginx.org for details.
+
+Templates :
+ * nginx/fcgi_site.erb
+
+Sample Usage :
+
+ include nginx
+ include nginx::fcgi
+
+ nginx::fcgi::site {"default":
+ root => "/var/www/nginx-default",
+ fastcgi_pass => "127.0.0.1:9000",
+ server_name => ["localhost", "$hostname", "$fqdn"],
+ }
+
+ nginx::fcgi::site {"default-ssl":
+ listen => "443",
+ root => "/var/www/nginx-default",
+ fastcgi_pass => "127.0.0.1:9000",
+ server_name => "$fqdn",
+ }
+
+## CHANGELOG ##
+- v0.2 : * ssl support
diff --git a/puppet/modules/nginx/manifests/config.pp b/puppet/modules/nginx/manifests/config.pp
new file mode 100644
index 0000000..d277353
--- /dev/null
+++ b/puppet/modules/nginx/manifests/config.pp
@@ -0,0 +1,27 @@
+# Define: nginx::config
+#
+# Define a nginx config snippet. Places all config snippets into
+# /etc/nginx/conf.d, where they will be automatically loaded by http module
+#
+#
+# Parameters :
+# * ensure: typically set to "present" or "absent". Defaults to "present"
+# * content: set the content of the config snipppet. Defaults to 'template("nginx/${name}.conf.erb")'
+# * order: specifies the load order for this config snippet. Defaults to "500"
+#
+define nginx::config($ensure='present', $content=undef, $order='500') {
+ $real_content = $content ? {
+ undef => template("nginx/${name}.conf.erb"),
+ default => $content,
+ }
+
+ file { "${nginx::nginx_conf}/${order}-${name}.conf":
+ ensure => $ensure,
+ content => $real_content,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ notify => Service['nginx'],
+ }
+}
+
diff --git a/puppet/modules/nginx/manifests/fcgi.pp b/puppet/modules/nginx/manifests/fcgi.pp
new file mode 100644
index 0000000..802a161
--- /dev/null
+++ b/puppet/modules/nginx/manifests/fcgi.pp
@@ -0,0 +1,13 @@
+# Class: nginx::fcgi
+#
+# Manage nginx fcgi configuration.
+# Provide nginx::fcgi::site
+#
+# Templates :
+# * nginx/includes/fastcgi_params.erb
+#
+class nginx::fcgi inherits nginx {
+ nginx::site_include { 'fastcgi_params':
+ content => template('nginx/includes/fastcgi_params.erb'),
+ }
+}
diff --git a/puppet/modules/nginx/manifests/fcgi/site.pp b/puppet/modules/nginx/manifests/fcgi/site.pp
new file mode 100644
index 0000000..02f05e6
--- /dev/null
+++ b/puppet/modules/nginx/manifests/fcgi/site.pp
@@ -0,0 +1,86 @@
+# Define: nginx::fcgi::site
+#
+# Create a fcgi site config from template using parameters.
+# You can use my php5-fpm class to manage fastcgi servers.
+#
+# Parameters :
+# * ensure: typically set to "present" or "absent". Defaults to "present"
+# * root: document root (Required)
+# * fastcgi_pass : port or socket on which the FastCGI-server is listening (Required)
+# * server_name : server_name directive (could be an array)
+# * listen : address/port the server listen to. Defaults to 80. Auto enable ssl if 443
+# * access_log : custom acces logs. Defaults to /var/log/nginx/$name_access.log
+# * include : custom include for the site (could be an array). Include files must exists
+# to avoid nginx reload errors. Use with nginx::site_include
+# * ssl_certificate : ssl_certificate path. If empty auto-generating ssl cert
+# * ssl_certificate_key : ssl_certificate_key path. If empty auto-generating ssl cert key
+# See http://wiki.nginx.org for details.
+#
+# Templates :
+# * nginx/fcgi_site.erb
+#
+# Sample Usage :
+# nginx::fcgi::site { 'default':
+# root => '/var/www/nginx-default',
+# fastcgi_pass => '127.0.0.1:9000',
+# server_name => ['localhost', $hostname, $fqdn],
+# }
+#
+# nginx::fcgi::site { 'default-ssl':
+# listen => '443',
+# root => '/var/www/nginx-default',
+# fastcgi_pass => '127.0.0.1:9000',
+# server_name => $fqdn,
+# }
+#
+define nginx::fcgi::site(
+ $root,
+ $fastcgi_pass,
+ $ensure = 'present',
+ $index = 'index.php',
+ $include = '',
+ $listen = '80',
+ $server_name = undef,
+ $access_log = undef,
+ $ssl_certificate = undef,
+ $ssl_certificate_key = undef,
+ $ssl_session_timeout = '5m') {
+
+ $real_server_name = $server_name ? {
+ undef => $name,
+ default => $server_name,
+ }
+
+ $real_access_log = $access_log ? {
+ undef => "/var/log/nginx/${name}_access.log",
+ default => $access_log,
+ }
+
+ # Autogenerating ssl certs
+ if $listen == '443' and $ensure == 'present' and ($ssl_certificate == undef or $ssl_certificate_key == undef) {
+ exec { "generate-${name}-certs":
+ command => "/usr/bin/openssl req -new -inform PEM -x509 -nodes -days 999 -subj \
+ '/C=ZZ/ST=AutoSign/O=AutoSign/localityName=AutoSign/commonName=${real_server_name}/organizationalUnitName=AutoSign/emailAddress=AutoSign/' \
+ -newkey rsa:2048 -out /etc/nginx/ssl/${name}.pem -keyout /etc/nginx/ssl/${name}.key",
+ unless => "/usr/bin/test -f /etc/nginx/ssl/${name}.pem",
+ require => File['/etc/nginx/ssl'],
+ notify => Service['nginx'],
+ }
+ }
+
+ $real_ssl_certificate = $ssl_certificate ? {
+ undef => "/etc/nginx/ssl/${name}.pem",
+ default => $ssl_certificate,
+ }
+
+ $real_ssl_certificate_key = $ssl_certificate_key ? {
+ undef => "/etc/nginx/ssl/${name}.key",
+ default => $ssl_certificate_key,
+ }
+
+ nginx::site { $name:
+ ensure => $ensure,
+ content => template('nginx/fcgi_site.erb'),
+ }
+}
+
diff --git a/puppet/modules/nginx/manifests/init.pp b/puppet/modules/nginx/manifests/init.pp
new file mode 100644
index 0000000..edde534
--- /dev/null
+++ b/puppet/modules/nginx/manifests/init.pp
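Review bot: In puppet/modules/nginx/manifests/fcgi/site.pp the `generate-${name}-certs` exec writes an unencrypted private key (`-nodes`) to `/etc/nginx/ssl/${name}.key`, and nothing in the manifest pins that file's owner or mode, so its permissions are whatever openssl and the agent's umask happen to produce. Manage the key as a `file` resource that requires the exec and sets `0600`, as in the fence below. Two smaller points on the same exec: `server_name` is documented as possibly an array but is interpolated as a string into `commonName=${real_server_name}`, and the `unless` guard tests only for the `.pem`, so a missing key is never regenerated. The condition also fires when only one of the two certificate parameters is undef, which looks unintended and should be confirmed.

```puppet
exec { "generate-${name}-certs":
  # … unchanged: command, unless, require, notify …
}

# Keep the unencrypted private key readable by root only.
# No `ensure` here, so Puppet only manages the attributes of the file the exec created.
file { "/etc/nginx/ssl/${name}.key":
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  require => Exec["generate-${name}-certs"],
  notify  => Service['nginx'],
}
```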
@@ -0,0 +1,102 @@
+# Class: nginx
+#
+# Install nginx.
+#
+# Parameters:
+# * $user. Defaults to 'www-data'.
+# * $worker_processes. Defaults to '1'.
+# * $worker_connections. Defaults to '1024'.
+# * $error_log. Default to undef
+# * $pid_file. Default to undef
+# * $access_log. Default to undef
+#
+# Create config directories :
+# * /etc/nginx/conf.d for http config snippet
+# * /etc/nginx/includes for sites includes
+#
+# Provide 3 definitions :
+# * nginx::config (http config snippet)
+# * nginx::site (http site)
+# * nginx::site_include (site includes)
+#
+# Templates:
+# - nginx.conf.erb => /etc/nginx/nginx.conf
+#
+class nginx (
+ $user = 'www-data',
+ $worker_processes = '1',
+ $worker_connections = '1024',
+ $error_log = undef,
+ $pid_file = undef,
+ $access_log = undef
+){
+ $nginx_includes = '/etc/nginx/includes'
+ $nginx_conf = '/etc/nginx/conf.d'
+
+ case $::operatingsystem {
+ centos,fedora,rhel: {
+ $nginx_packages = ['nginx', 'GeoIP', 'gd', 'libXpm', 'libxslt']
+ }
+ debian,ubuntu: {
+ $nginx_packages = 'nginx-extras'
+ }
+ }
+ if ! defined(Package[$nginx_packages]) {
+ package { $nginx_packages:
+ ensure => installed
+ }
+ }
+
+ #restart-command is a quick-fix here, until http://projects.puppetlabs.com/issues/1014 is solved
+ service { 'nginx':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ require => File['/etc/nginx/nginx.conf'],
+ restart => '/etc/init.d/nginx reload'
+ }
+
+ file { '/etc/nginx/nginx.conf':
+ ensure => present,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ content => template('nginx/nginx.conf.erb'),
+ notify => Service['nginx'],
+ require => Package[$nginx_packages],
+ }
+
+ file { $nginx_conf:
+ ensure => directory,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ require => Package[$nginx_packages],
+ }
+
+ file { '/etc/nginx/ssl':
+ ensure => directory,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ require => Package[$nginx_packages],
+ }
+
+ file { $nginx_includes:
+ ensure => directory,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ require => Package[$nginx_packages],
+ }
+
+ # Nuke default files
+ file { '/etc/nginx/fastcgi_params':
+ ensure => absent,
+ require => Package[$nginx_packages],
+ }
+
+ file { '/etc/nginx/sites-enabled/default':
+ ensure => absent,
+ }
+}
diff --git a/puppet/modules/nginx/manifests/install_site.pp b/puppet/modules/nginx/manifests/install_site.pp
new file mode 100644
index 0000000..15fe8b9
--- /dev/null
+++ b/puppet/modules/nginx/manifests/install_site.pp
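Review bot: In puppet/modules/nginx/manifests/init.pp the `/etc/nginx/ssl` directory is declared with `mode => '0644'` like the other config directories; Puppet adds the search bit wherever read is set on a directory, so every local user can list and enter the directory that holds the auto-generated private keys. Give that one resource `mode => '0700'` (owner and group are already root). Separately, the `case $::operatingsystem` has no `default:` branch, so on any other platform `$nginx_packages` is undef and every `Package[$nginx_packages]` reference breaks; add `default: { fail("Unsupported operatingsystem: ${::operatingsystem}") }`.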
@@ -0,0 +1,42 @@
+# Define: install_site
+#
+# Install nginx vhost
+# This definition is private, not intended to be called directly
+#
+define nginx::install_site($content=undef) {
+ # first, make sure the site config exists
+ case $content {
+ undef: {
+ file { "/etc/nginx/sites-available/${name}":
+ ensure => present,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ alias => "sites-${name}",
+ notify => Service['nginx'],
+ require => Package[$nginx::nginx_packages],
+ }
+ }
+ default: {
+ file { "/etc/nginx/sites-available/${name}":
+ ensure => present,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ alias => "sites-$name",
+ content => $content,
+ require => Package[$nginx::nginx_packages],
+ notify => Service['nginx'],
+ }
+ }
+ }
+
+ # now, enable it.
+ exec { "ln -s /etc/nginx/sites-available/${name} /etc/nginx/sites-enabled/${name}":
+ unless => "/bin/sh -c '[ -L /etc/nginx/sites-enabled/${name} ] && \
+ [ /etc/nginx/sites-enabled/${name} -ef /etc/nginx/sites-available/${name} ]'",
+ path => ['/usr/bin/', '/bin/'],
+ notify => Service['nginx'],
+ require => File["sites-${name}"],
+ }
+}
diff --git a/puppet/modules/nginx/manifests/site.pp b/puppet/modules/nginx/manifests/site.pp
new file mode 100644
index 0000000..94abdb5
--- /dev/null
+++ b/puppet/modules/nginx/manifests/site.pp
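Review bot: The symlink in puppet/modules/nginx/manifests/install_site.pp is created by an `exec` whose command and `unless` string interpolate `${name}` into a `/bin/sh -c` line, so a resource title containing spaces or shell metacharacters changes what is run as root. A native resource avoids the shell and is idempotent without the guard: `file { "/etc/nginx/sites-enabled/${name}": ensure => link, target => "/etc/nginx/sites-available/${name}", require => File["sites-${name}"], notify => Service['nginx'] }`. If titles can come from external data, also validate `$name` against a conservative pattern before building paths from it.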
@@ -0,0 +1,27 @@
+# Define: nginx::site
+#
+# Install a nginx site in /etc/nginx/sites-available (and symlink in /etc/nginx/sites-enabled).
+#
+#
+# Parameters :
+# * ensure: typically set to "present" or "absent". Defaults to "present"
+# * content: site definition (should be a template).
+#
+define nginx::site($ensure='present', $content='') {
+ case $ensure {
+ 'present' : {
+ nginx::install_site { $name:
+ content => $content
+ }
+ }
+ 'absent' : {
+ exec { "/bin/rm -f /etc/nginx/sites-enabled/${name}":
+ onlyif => "/bin/sh -c '[ -L /etc/nginx/sites-enabled/${name} ] && \
+ [ /etc/nginx/sites-enabled/$name -ef /etc/nginx/sites-available/${name} ]'",
+ notify => Service['nginx'],
+ require => Package[$nginx::nginx_packages],
+ }
+ }
+ default: { err ("Unknown ensure value: '$ensure'") }
+ }
+}
diff --git a/puppet/modules/nginx/manifests/site_include.pp b/puppet/modules/nginx/manifests/site_include.pp
new file mode 100644
index 0000000..7e7181b
--- /dev/null
+++ b/puppet/modules/nginx/manifests/site_include.pp
@@ -0,0 +1,20 @@
+# Define: site_include
+#
+# Define a site config include in /etc/nginx/includes
+#
+# Parameters :
+# * ensure: typically set to "present" or "absent". Defaults to "present"
+# * content: include definition (should be a template).
+#
+define nginx::site_include($ensure='present', $content='') {
+ file { "${nginx::nginx_includes}/${name}.inc":
+ ensure => $ensure,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ content => $content,
+ require => File[$nginx::nginx_includes],
+ notify => Service['nginx'],
+ }
+}
+
diff --git a/puppet/modules/nginx/templates/fcgi_site.erb b/puppet/modules/nginx/templates/fcgi_site.erb
new file mode 100644
index 0000000..7cb13f1
--- /dev/null
+++ b/puppet/modules/nginx/templates/fcgi_site.erb
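Review bot: The `default:` branch of `case $ensure` in puppet/modules/nginx/manifests/site.pp calls `err()`, which only logs and lets the catalog compile, so a mistyped `ensure` value leaves the site in whatever state it was in with no failure on the node; use `fail("Unknown ensure value: '${ensure}'")`. The `'absent'` branch interpolates `${name}` into a `/bin/sh -c` string and removes only the symlink, leaving the file in sites-available; `file { "/etc/nginx/sites-enabled/${name}": ensure => absent }` covers the removal without a shell. Note also that `$content=''` is passed straight to `nginx::install_site`, so that define's `undef` branch never matches for callers of `nginx::site` and an empty site file is written.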
@@ -0,0 +1,39 @@
+server {
+ listen <%= listen %> ;
+
+ server_name <% real_server_name.each do |s_n| -%><%= s_n %> <% end -%>;
+
+ access_log <%= real_access_log %>;
+
+ root <%= root %>;
+
+<% if listen == '443' %>
+ ssl on;
+ ssl_certificate <%= real_ssl_certificate %>;
+ ssl_certificate_key <%= real_ssl_certificate_key %>;
+
+ ssl_session_timeout <%= ssl_session_timeout %>;
+
+ ssl_protocols SSLv2 SSLv3 TLSv1;
+ ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+ ssl_prefer_server_ciphers on;
+<% end -%>
+ location / {
+ index <%= index %>;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass <%= fastcgi_pass %>;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include /etc/nginx/includes/fastcgi_params.inc;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+<% if include != '' %> <%include.each do |inc| %>include <%= inc %>;
+ <% end -%><% end -%>
+}
+
diff --git a/puppet/modules/nginx/templates/includes/fastcgi_params.erb b/puppet/modules/nginx/templates/includes/fastcgi_params.erb
new file mode 100644
index 0000000..087e363
--- /dev/null
+++ b/puppet/modules/nginx/templates/includes/fastcgi_params.erb
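Review bot: The `ssl_protocols SSLv2 SSLv3 TLSv1;` and `ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;` lines in the `listen == '443'` branch of templates/fcgi_site.erb enable SSLv2/SSLv3 and the export, LOW and RC4 suites, all of which are broken and should not be offered by a vhost template. Restrict the template to current TLS, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` (as far as the packaged nginx and OpenSSL support them) and `ssl_ciphers HIGH:!aNULL:!MD5;`, ideally exposed as parameters of `nginx::fcgi::site`. Separately, the `location ~ \.php$` block hands any URI ending in `.php` to the FastCGI backend without checking that the file exists; adding `try_files $uri =404;` before `fastcgi_pass` closes the well-known path-info misrouting case.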
@@ -0,0 +1,23 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
diff --git a/puppet/modules/nginx/templates/nginx.conf.erb b/puppet/modules/nginx/templates/nginx.conf.erb
new file mode 100644
index 0000000..06c0077
--- /dev/null
+++ b/puppet/modules/nginx/templates/nginx.conf.erb
@@ -0,0 +1,36 @@
+user <%= @user %>;
+worker_processes <%= @worker_processes %>;
+
+<% if @error_log %>
+error_log <%= @error_log %>;
+<% end %>
+<% if @pid_file %>
+pid <%= @pid_file %>;
+<% end %>
+
+events {
+ worker_connections <%= @worker_connections %>;
+}
+
+http {
+ include /etc/nginx/mime.types;
+
+ <% if @access_log %>
+ access_log <%= @access_log %>;
+ <% end %>
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+ tcp_nodelay on;
+
+ gzip on;
+ gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+ server_tokens off;
+}
-- libgit2 0.21.2
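Review bot: templates/includes/fastcgi_params.erb never blanks the client-supplied `Proxy` request header, which CGI-style backends expose to the application as the `HTTP_PROXY` environment variable (the "httpoxy" class of issue). Since this include replaces the distribution's own `fastcgi_params`, add `fastcgi_param HTTP_PROXY "";` to it so every site built from `nginx::fcgi::site` inherits the mitigation.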