bundles/nginx: add metadata option to disable https

This commit is contained in:
Franzi 2020-09-20 14:36:43 +02:00
parent 2ac2982463
commit d6799088c4
Signed by: kunsi
GPG key ID: 12E3D2136B818350
3 changed files with 23 additions and 14 deletions


@ -3,6 +3,7 @@ server {
root ${webroot if webroot else '/var/www/{}/'.format(domain)}; root ${webroot if webroot else '/var/www/{}/'.format(domain)};
index ${index if index else 'index.html index.htm'}; index ${index if index else 'index.html index.htm'};
% if node.metadata['nginx']['use_ssl_for_all_connections']:
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -14,6 +15,10 @@ server {
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
% else:
listen 80 http2;
listen [::]:80 http2;
% endif
resolver 8.8.8.8 8.8.4.4 valid=300s; resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
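Review bot: `listen 80 http2;` and `listen [::]:80 http2;` in the new `else` branch look wrong: as far as I know nginx does not negotiate cleartext HTTP/2, so `http2` on a non-TLS listen serves only h2c prior-knowledge connections and plain HTTP/1.1 clients (every browser) get protocol errors; the branch should be `listen 80;` and `listen [::]:80;`. It is also worth a template comment that this branch serves the vhost entirely in plaintext with no redirect, because `use_ssl_for_all_connections` is read from node metadata rather than from the vhost, so disabling it for the one vhost that cannot use letsencrypt (the wildcard case in the items.py TODO) turns TLS off for every site on the node. The enclosing `server` block starts and ends outside the hunk.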


@ -1,8 +1,3 @@
# TODO rework this to support specifying a certificate instead of
# relying on letsencrypt for the specific domain (for example to
# support wildcard certificates
assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt'
directories = { directories = {
'/etc/nginx/sites': { '/etc/nginx/sites': {
'purge': True, 'purge': True,
@ -20,12 +15,6 @@ files = {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
}, },
}, },
'/etc/nginx/sites/000-port80.conf': {
'source': 'port80.conf',
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/stub_status': { '/etc/nginx/sites/stub_status': {
'triggers': { 'triggers': {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
@ -41,6 +30,19 @@ svc_systemd = {
}, },
} }
if node.metadata['nginx']['use_ssl_for_all_connections']:
# TODO rework this to support specifying a certificate instead of
# relying on letsencrypt for the specific domain (for example to
# support wildcard certificates
assert node.has_bundle('letsencrypt'), 'nginx needs letsencrypt'
files['/etc/nginx/sites/000-port80.conf'] = {
'source': 'port80.conf',
'triggers': {
'svc_systemd:nginx:restart',
},
}
for domain, config in node.metadata.get('nginx', {}).get('vhosts', {}).items(): for domain, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
files['/etc/nginx/sites/{}'.format(domain)] = { files['/etc/nginx/sites/{}'.format(domain)] = {
'source': 'site_template', 'source': 'site_template',
@ -49,10 +51,11 @@ for domain, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
'domain': domain, 'domain': domain,
**config **config
}, },
'needs': { 'needs': set(),
'action:letsencrypt_update_certificates',
},
'triggers': { 'triggers': {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
}, },
} }
if node.metadata['nginx']['use_ssl_for_all_connections']:
files['/etc/nginx/sites/{}'.format(domain)]['needs'].add('action:letsencrypt_update_certificates')
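Review bot: The `use_ssl_for_all_connections` check added at the bottom of the vhost loop is node-wide, so the only way to deploy one vhost without letsencrypt (the wildcard-certificate case in the TODO) is to drop TLS, the `letsencrypt_update_certificates` dependency and `000-port80.conf` for every vhost on the node at once, which is a large blast radius for a switch whose default is secure. A per-vhost override that falls back to the node default keeps the safe default and removes the re-lookup of the just-built dict entry: `use_ssl = config.get('ssl', node.metadata['nginx']['use_ssl_for_all_connections'])` in the loop and `'needs': {'action:letsencrypt_update_certificates'} if use_ssl else set(),` in the item; the site template would have to read the same per-vhost key, so this can be a follow-up. Moving `assert node.has_bundle('letsencrypt')` under the flag is correct, but `assert` is stripped under `python -O`, so `if not node.has_bundle('letsencrypt'): raise` would be the robust guard for a dependency that decides whether certificates exist at all.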


@ -18,6 +18,7 @@ defaults = {
}, },
'nginx': { 'nginx': {
'worker_connections': 768, 'worker_connections': 768,
'use_ssl_for_all_connections': True,
}, },
} }