bundlewrap/bundles/nginx/metadata.py

217 lines
5.6 KiB
Python
Raw Permalink Normal View History

2021-03-21 09:30:04 +00:00
from bundlewrap.metadata import atomic
2020-08-18 13:27:55 +00:00
defaults = {
'apt': {
'repos': {
'nginx': {
'items': {
'deb http://nginx.org/packages/{os} {os_release} nginx',
},
2020-03-14 09:56:19 +00:00
},
2020-08-18 13:27:55 +00:00
},
'packages': {
'nginx': {},
2020-04-13 07:52:26 +00:00
},
2020-08-18 13:27:55 +00:00
},
2020-11-13 11:37:26 +00:00
'backups': {
'paths': {
'/var/www',
},
},
2020-11-10 09:57:04 +00:00
'icinga2_api': {
'nginx': {
'services': {
'NGINX PROCESS': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit nginx',
},
'NGINX STATUS': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status',
},
},
},
},
2020-08-18 13:27:55 +00:00
'nginx': {
'worker_connections': 768,
2020-08-18 13:27:55 +00:00
},
2021-06-01 14:52:03 +00:00
'pacman': {
'packages': {
'nginx': {},
},
},
2020-08-18 13:27:55 +00:00
}
2021-04-23 17:31:28 +00:00
if node.has_bundle('telegraf'):
defaults['telegraf'] = {
'input_plugins': {
'builtin': {
'nginx': [{
'urls': ['http://localhost:22999/server_status'],
}],
},
},
}
@metadata_reactor.provides(
'nginx/worker_processes',
)
def worker_processes(metadata):
return {
'nginx': {
'worker_processes': metadata.get('vm/cpu', 2),
},
}
@metadata_reactor.provides(
'letsencrypt/domains',
'letsencrypt/reload_after',
'nginx/vhosts',
)
def letsencrypt(metadata):
if not node.has_bundle('letsencrypt'):
2020-08-18 13:27:55 +00:00
raise DoNotRunAgain
domains = {}
vhosts = {}
for vhost, config in metadata.get('nginx/vhosts', {}).items():
2021-05-23 15:41:19 +00:00
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
domain = config.get('domain', vhost)
domains[domain] = config.get('domain_aliases', set())
vhosts[vhost] = {
'ssl': 'letsencrypt',
'force_domain': True,
2021-05-23 15:41:19 +00:00
}
return {
'letsencrypt': {
'domains': domains,
'reload_after': {
'nginx',
},
},
'nginx': {
'vhosts': vhosts,
},
2020-08-18 13:27:55 +00:00
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def index_files(metadata):
vhosts = {}
for vhost, config in metadata.get('nginx/vhosts', {}).items():
if 'index' in config:
continue
vhosts[vhost] = {
'index': [
'index.html',
'index.htm',
],
}
if config.get('php', False):
# If we're using PHP, make sure index.php is tried first
vhosts[vhost]['index'].insert(0, 'index.php')
return {
'nginx': {
'vhosts': vhosts,
},
}
2020-11-10 09:57:04 +00:00
@metadata_reactor.provides(
'icinga2_api/nginx/services',
)
2020-11-10 09:57:04 +00:00
def monitoring(metadata):
services = {}
for vname, vconfig in metadata.get('nginx/vhosts', {}).items():
domain = vconfig.get('domain', vname)
if vconfig['ssl']:
2020-11-21 09:30:05 +00:00
scheme = 'https'
else:
scheme = 'http'
2020-11-10 09:57:04 +00:00
if 'website_check_path' in vconfig and 'website_check_string' in vconfig:
services['NGINX VHOST {} CONTENT'.format(vname)] = {
'check_command': 'check_http_wget',
'vars.http_wget_contains': vconfig['website_check_string'],
2020-11-21 09:30:05 +00:00
'vars.http_wget_url': '{}://{}{}'.format(scheme, domain, vconfig['website_check_path']),
'vars.notification.sms': True,
2020-11-10 09:57:04 +00:00
}
if vconfig.get('check_ssl', vconfig['ssl']):
services['NGINX VHOST {} CERTIFICATE: {}'.format(vname, vconfig['ssl'])] = {
2020-12-18 12:28:08 +00:00
'check_command': 'check_https_cert_at_url',
2020-11-10 09:57:04 +00:00
'vars.domain': domain,
'vars.notification.mail': True,
2020-11-10 09:57:04 +00:00
}
max_connections = metadata.get('nginx/worker_connections') * metadata.get('nginx/worker_processes')
connections_warn = int(max_connections * 0.8)
connections_crit = int(max_connections * 0.9)
services['NGINX STATUS'] = {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status --warn={},-1,-1 --critical={},-1,-1 -H 127.0.0.1:22999'.format(connections_warn, connections_crit),
}
return {
'icinga2_api': {
'nginx': {
'services': services,
},
},
}
2020-11-16 15:35:01 +00:00
@metadata_reactor.provides(
2023-09-24 18:59:58 +00:00
'firewall/port_rules',
'firewall/port_rules',
)
def firewall(metadata):
2020-11-16 15:35:01 +00:00
return {
'firewall': {
2021-03-21 09:30:04 +00:00
'port_rules': {
2023-09-24 18:59:58 +00:00
'80/tcp': atomic(metadata.get('nginx/restrict-to', {'*'})),
'443/tcp': atomic(metadata.get('nginx/restrict-to', {'*'})),
2020-11-16 15:35:01 +00:00
},
},
}
@metadata_reactor.provides(
'telegraf/input_plugins/tail',
)
def telegraf_anon_timing(metadata):
result = {}
for vname, vconfig in metadata.get('nginx/vhosts', {}).items():
if not vconfig.get('timing_log', True):
continue
result[f'nginx-{vname}'] = {
'files': [f'/var/log/nginx-timing/{vname}.log'],
'from_beginning': False,
'grok_patterns': ['%{LOGPATTERN}'],
'grok_custom_patterns': 'LOGPATTERN \[%{HTTPDATE:ts:ts-httpd}\] %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-) "%{WORD:verb:tag} %{NOTSPACE:request} HTTP/%{NUMBER:http_version:float}" %{NUMBER:resp_code:tag}',
'data_format': 'grok',
'name_override': 'nginx_timing',
}
return {
'telegraf': {
'input_plugins': {
'tail': result,
},
},
}