From d6799088c4a78bc7d573dcd565e2fe53a8aaad3e Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 20 Sep 2020 14:36:43 +0200
Subject: [PATCH] bundles/nginx: add metadata option to disable https
---
bundles/nginx/files/site_template | 5 +++++
bundles/nginx/items.py | 31 +++++++++++++++++--------------
bundles/nginx/metadata.py | 1 +
3 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index 465b1ee..d4fc252 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -3,6 +3,7 @@ server {
 root ${webroot if webroot else '/var/www/{}/'.format(domain)};
 index ${index if index else 'index.html index.htm'};
+% if node.metadata['nginx']['use_ssl_for_all_connections']:
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
@@ -14,6 +15,10 @@ server {
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
+% else:
+ listen 80 http2;
+ listen [::]:80 http2;
+% endif
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index a14fcb2..659e5b7 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -1,8 +1,3 @@
-# TODO rework this to support specifying a certificate instead of
-# relying on letsencrypt for the specific domain (for example to
-# support wildcard certificates
-assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt'
-
 directories = {
 '/etc/nginx/sites': {
 'purge': True,
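Review bot: The `% if node.metadata['nginx']['use_ssl_for_all_connections']:` switch makes TLS a node-wide decision, so a node cannot keep its existing HTTPS vhosts and add a single plaintext one. The template is already rendered with per-vhost keys (`domain`, `webroot`, `index` come from the vhost config), so a per-vhost override that falls back to the node default would follow the existing pattern and keep the plaintext exception narrow; this is a design question rather than a defect. The enclosing `server {` block starts before and continues past the hunk.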
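Review bot: `listen 80 http2;` and `listen [::]:80 http2;` in the new `% else` branch enable HTTP/2 on a cleartext socket, which nginx treats as h2c; browsers negotiate HTTP/2 only over TLS via ALPN, and as far as I know the nginx releases of this era do not fall back to HTTP/1.1 on a plaintext listener carrying the `http2` flag, so the non-TLS vhost would be unreachable for ordinary clients. Dropping the flag, `listen 80;` and `listen [::]:80;`, gives the plain HTTP/1.1 endpoint the option name promises. The bundle documentation should also state that with the flag off every vhost is served unencrypted, since the TLS settings in the `% if` branch are the only transport protection the template applies. The enclosing `server {` block continues past the hunk.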
@@ -20,12 +15,6 @@ files = {
 'svc_systemd:nginx:restart',
 },
 },
- '/etc/nginx/sites/000-port80.conf': {
- 'source': 'port80.conf',
- 'triggers': {
- 'svc_systemd:nginx:restart',
- },
- },
 '/etc/nginx/sites/stub_status': {
 'triggers': {
 'svc_systemd:nginx:restart',
@@ -41,6 +30,19 @@ svc_systemd = {
 },
 }
+if node.metadata['nginx']['use_ssl_for_all_connections']:
+ # TODO rework this to support specifying a certificate instead of
+ # relying on letsencrypt for the specific domain (for example to
+ # support wildcard certificates
+ assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt'
+
+ files['/etc/nginx/sites/000-port80.conf'] = {
+ 'source': 'port80.conf',
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ }
+
 for domain, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
 files['/etc/nginx/sites/{}'.format(domain)] = {
 'source': 'site_template',
@@ -49,10 +51,11 @@ for domain, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
 'domain': domain,
 **config
 },
- 'needs': {
- 'action:letsencrypt_update_certificates',
- },
+ 'needs': set(),
 'triggers': {
 'svc_systemd:nginx:restart',
 },
 }
+
+ if node.metadata['nginx']['use_ssl_for_all_connections']:
+ files['/etc/nginx/sites/{}'.format(domain)]['needs'].add('action:letsencrypt_update_certificates')
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index c99b167..3f31328 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -18,6 +18,7 @@ defaults = {
 },
 'nginx': {
 'worker_connections': 768,
+ 'use_ssl_for_all_connections': True,
 },
 }
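Review bot: `node.metadata['nginx']['use_ssl_for_all_connections']` is read with direct indexing in the new `if` while the `for domain, config in node.metadata.get('nginx', {})...` line right below still uses the `.get()` style, and the same lookup is repeated inside the loop in the next hunk and again in the site template. Binding it once near the top of the file, `use_ssl = node.metadata['nginx']['use_ssl_for_all_connections']`, and using that name in both places keeps the access style consistent and makes the reliance on the default added in metadata.py visible in one spot. The moved `assert node.has_bundle('letsencrypt')` is still an `assert`, which is dropped under `python -O`; a short comment stating that the bundle depends on assertions being enabled, or an explicit `raise`, would make that intent explicit.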
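Review bot: `'needs': set(),` followed two lines later by `files['/etc/nginx/sites/{}'.format(domain)]['needs'].add('action:letsencrypt_update_certificates')` splits one decision across the dict literal and a trailing `if`, and re-indexes the dict that was just built. The set can be built in place, `'needs': {'action:letsencrypt_update_certificates'} if node.metadata['nginx']['use_ssl_for_all_connections'] else set(),`, which keeps the vhost definition self-contained and drops the per-iteration re-lookup of a loop-invariant flag. The `for` loop's header lies in the previous hunk.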
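Review bot: The new default `'use_ssl_for_all_connections': True,` carries no comment although it is the knob that decides whether every vhost on the node is served over TLS or in plaintext and whether the letsencrypt bundle is required at all. A one-line note next to the default, such as `# False: vhosts listen on plain port 80 only and letsencrypt is no longer required`, would tell a reader the consequences of flipping it without opening items.py and the site template.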