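"""BundleWrap metadata for the nginx bundle.

Declares the bundle's default metadata (apt repo/package, backup paths,
Icinga2 service checks, nginx tuning knobs) and the metadata reactors
that derive nginx, letsencrypt, icinga2_api and iptables metadata from
``nginx/vhosts``.

``metadata_reactor``, ``node``, ``repo`` and ``DoNotRunAgain`` are
injected into this file by BundleWrap; they are not imported here.
"""

defaults = {
    'apt': {
        'repos': {
            'nginx': {
                'items': [
                    # {os}/{os_release} are placeholders, presumably expanded by
                    # the apt bundle from node metadata -- confirm there.
                    # Plain-http source: integrity rests on apt's signature check
                    # of the release files; the signing key is not set up here.
                    'deb http://nginx.org/packages/{os} {os_release} nginx',
                ],
            },
        },
        'packages': {
            'nginx': {},
        },
    },
    'backups': {
        'paths': {
            '/var/www',
        },
    },
    'icinga2_api': {
        'nginx': {
            'services': {
                'NGINX PROCESS': {
                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit nginx',
                },
                # Replaced by monitoring() below with a command that carries
                # connection thresholds derived from the worker settings.
                'NGINX STATUS': {
                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status',
                },
            },
        },
    },
    'nginx': {
        'worker_connections': 768,
        # Selects the scheme for vhost content checks and is the default for
        # per-vhost certificate checks (see monitoring()).
        'use_ssl_for_all_connections': True,
    },
}


@metadata_reactor.provides(
    'nginx/worker_processes',
)
def worker_processes(metadata):
    """Size nginx worker processes from the node's CPU count.

    Falls back to 2 workers when ``vm/cpu`` is not set.
    """
    return {
        'nginx': {
            'worker_processes': metadata.get('vm/cpu', 2),
        },
    }


@metadata_reactor.provides(
    'letsencrypt/domains',
    'letsencrypt/reload_after',
)
def letsencrypt(metadata):
    """Request a certificate for every vhost's domain (plus aliases).

    Raises ``DoNotRunAgain`` when the node does not use the letsencrypt
    bundle. nginx is registered to be reloaded after renewal.
    """
    if not node.has_bundle('letsencrypt'):
        raise DoNotRunAgain

    domains = {}
    for vhost, config in metadata.get('nginx/vhosts', {}).items():
        # The vhost name doubles as the domain unless overridden.
        domain = config.get('domain', vhost)
        # NOTE(review): two vhosts sharing one 'domain' overwrite each other's
        # aliases here rather than merging them -- confirm that is intended.
        domains[domain] = config.get('domain_aliases', set())

    return {
        'letsencrypt': {
            'domains': domains,
            'reload_after': {
                'nginx',
            },
        },
    }


@metadata_reactor.provides(
    'nginx/vhosts',
)
def index_files(metadata):
    """Set the index file list for every vhost.

    PHP-enabled vhosts (``php: True``) try ``index.php`` first.
    """
    vhosts = {}
    for vhost, config in metadata.get('nginx/vhosts', {}).items():
        index = ['index.html', 'index.htm']
        if config.get('php', False):
            # If we're using PHP, make sure index.php is tried first
            index.insert(0, 'index.php')
        vhosts[vhost] = {
            'index': index,
        }

    return {
        'nginx': {
            'vhosts': vhosts,
        },
    }


@metadata_reactor.provides(
    'icinga2_api/nginx/services',
)
def monitoring(metadata):
    """Derive Icinga2 checks for nginx vhosts and the status endpoint.

    Per vhost: a content check (only when both ``website_check_path`` and
    ``website_check_string`` are set, SMS notification) and a certificate
    check (when ``check_ssl`` is set, defaulting to
    ``nginx/use_ssl_for_all_connections``; mail notification).

    The status check warns at 80% and goes critical at 90% of
    ``worker_connections * worker_processes``.
    """
    services = {}

    # Invariant for the whole loop; look it up once.
    use_ssl = metadata.get('nginx/use_ssl_for_all_connections')
    scheme = 'https' if use_ssl else 'http'

    for vname, vconfig in metadata.get('nginx/vhosts', {}).items():
        domain = vconfig.get('domain', vname)

        if 'website_check_path' in vconfig and 'website_check_string' in vconfig:
            services[f'NGINX VHOST {vname} CONTENT'] = {
                'check_command': 'check_http_wget',
                'vars.http_wget_contains': vconfig['website_check_string'],
                'vars.http_wget_url': '{}://{}{}'.format(scheme, domain, vconfig['website_check_path']),
                'vars.notification.sms': True,
            }

        if vconfig.get('check_ssl', use_ssl):
            services[f'NGINX VHOST {vname} CERTIFICATE'] = {
                'check_command': 'check_https_cert_at_url',
                'vars.domain': domain,
                'vars.notification.mail': True,
            }

    max_connections = metadata.get('nginx/worker_connections') * metadata.get('nginx/worker_processes')
    connections_warn = int(max_connections * 0.8)
    connections_crit = int(max_connections * 0.9)

    # -H 127.0.0.1:22999 presumably points at a loopback-only status endpoint
    # configured by this bundle's nginx templates -- not visible here, confirm.
    services['NGINX STATUS'] = {
        'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status --warn={},-1,-1 --critical={},-1,-1 -H 127.0.0.1:22999'.format(connections_warn, connections_crit),
    }

    return {
        'icinga2_api': {
            'nginx': {
                'services': services,
            },
        },
    }


@metadata_reactor.provides(
    'iptables/bundle_rules/nginx',
)
def iptables(metadata):
    """Open TCP 80/443, restricted to ``nginx/restrict-to`` when set.

    Identifiers are resolved through ``repo.libs.tools.resolve_identifier``
    (expected to yield ``ipv4`` and ``ipv6`` address lists) and one ACCEPT
    rule per address and port is emitted. With no identifiers the ports are
    opened to every source. Rules are de-duplicated and sorted so the
    generated ruleset is stable between runs.
    """
    identifiers = metadata.get('nginx/restrict-to', set())
    rules = set()

    if identifiers:
        for identifier in sorted(identifiers):
            resolved = repo.libs.tools.resolve_identifier(repo, identifier)

            for address in resolved['ipv4']:
                rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
                rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')

            for address in resolved['ipv6']:
                rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
                rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
    else:
        # No restriction configured: the web ports are world-reachable.
        rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
        rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')

    return {
        'iptables': {
            'bundle_rules': {
                # sorted() already returns a list.
                'nginx': sorted(rules),
            },
        },
    }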