bundlewrap/bundles/nginx/metadata.py
bundles/nginx: add iptables rules

# Static bundle defaults: the lowest metadata layer, overridable by group and
# node metadata. Assembled section by section so each part can be commented.
defaults = {}

# Package source: the upstream nginx.org repository (placeholders are filled
# in by the apt bundle). NOTE(review): the repo URL is plain HTTP; apt still
# verifies the release signature, so package integrity does not depend on the
# transport, but an https URL would additionally keep the package list private.
defaults['apt'] = {
    'repos': {
        'nginx': {
            'items': [
                'deb http://nginx.org/packages/{os} {os_release} nginx',
            ],
        },
    },
    'packages': {
        'nginx': {},
    },
}

# Web content lives under /var/www and is included in backups.
defaults['backups'] = {
    'paths': {'/var/www'},
}

# Baseline Icinga2 checks. The STATUS check is redefined with thresholds by
# the monitoring reactor in this file; this entry is the no-threshold default.
defaults['icinga2_api'] = {
    'nginx': {
        'services': {
            'NGINX PROCESS': {
                'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit nginx',
            },
            'NGINX STATUS': {
                'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status',
            },
        },
    },
}

# nginx tuning and policy defaults. worker_processes is not set here; it is
# derived from the CPU count by a reactor. TLS-for-everything is the default
# and must be switched off explicitly per node if plain HTTP is wanted.
defaults['nginx'] = {
    'worker_connections': 768,
    'use_ssl_for_all_connections': True,
}
@metadata_reactor
def worker_processes(metadata):
    """Size the nginx worker pool from the VM's CPU count.

    Reads ``vm/cpu`` from metadata and falls back to 2 workers when it is not
    set. The result is consumed by the monitoring reactor to compute
    connection thresholds.
    """
    cpu_count = metadata.get('vm/cpu', 2)
    return {'nginx': {'worker_processes': cpu_count}}
@metadata_reactor
def letsencrypt(metadata):
    """Register every nginx vhost's domain and aliases with the letsencrypt bundle.

    Only applies on nodes that carry the letsencrypt bundle; elsewhere the
    reactor opts out for good via ``DoNotRunAgain``. nginx is listed in
    ``reload_after`` so a renewed certificate is actually served.
    """
    if not node.has_bundle('letsencrypt'):
        raise DoNotRunAgain

    # Keyed by the vhost's domain (falling back to the vhost name), valued by
    # its alias set. Two vhosts that map to the same domain collapse into one
    # entry here, the later vhost's aliases winning.
    domains = {
        config.get('domain', vhost): config.get('domain_aliases', set())
        for vhost, config in metadata.get('nginx/vhosts', {}).items()
    }

    return {
        'letsencrypt': {
            'domains': domains,
            'reload_after': {'nginx'},
        },
    }
@metadata_reactor
def index_files(metadata):
    """Provide the ``index`` file list for every nginx vhost.

    Static vhosts try ``index.html`` then ``index.htm``; vhosts with ``php``
    enabled try ``index.php`` before either of them.
    """
    vhosts = {}
    for name, config in metadata.get('nginx/vhosts', {}).items():
        index = ['index.html', 'index.htm']
        if config.get('php', False):
            # PHP vhost: the PHP entry point must win over any static index file.
            index = ['index.php'] + index
        vhosts[name] = {'index': index}

    return {'nginx': {'vhosts': vhosts}}
@metadata_reactor
def monitoring(metadata):
    """Derive the Icinga2 service checks for nginx from vhost metadata.

    Per vhost:
      * ``website_check_path`` together with ``website_check_string`` yields an
        HTTP content check (both keys are required; one alone yields nothing).
      * ``check_ssl`` yields a certificate check against the vhost's domain.

    Additionally the NGINX STATUS check from the defaults is replaced by one
    with warn/crit thresholds at 80 % / 90 % of the theoretical connection
    ceiling (worker_connections * worker_processes). The status plugin talks
    to the stub_status endpoint on loopback only.
    """
    services = {}
    for name, config in metadata.get('nginx/vhosts', {}).items():
        domain = config.get('domain', name)

        has_content_check = (
            'website_check_path' in config and 'website_check_string' in config
        )
        if has_content_check:
            services[f'NGINX VHOST {name} CONTENT'] = {
                'check_command': 'check_http_wget',
                'vars.http_wget_contains': config['website_check_string'],
                'vars.http_wget_url': f"{domain}{config['website_check_path']}",
            }

        if config.get('check_ssl', False):
            services[f'NGINX VHOST {name} CERTIFICATE'] = {
                'check_command': 'check_vhost_https_cert_at_url',
                'vars.domain': domain,
            }

    # worker_processes comes from the reactor of the same name; bundlewrap
    # re-runs this reactor until that value is available.
    ceiling = metadata.get('nginx/worker_connections') * metadata.get('nginx/worker_processes')
    warn = int(ceiling * 0.8)
    crit = int(ceiling * 0.9)
    services['NGINX STATUS'] = {
        'command_on_monitored_host': (
            '/usr/local/share/icinga/plugins/check_nginx_status '
            f'--warn={warn},-1,-1 --critical={crit},-1,-1 -H 127.0.0.1:22999'
        ),
    }

    return {'icinga2_api': {'nginx': {'services': services}}}
@metadata_reactor
def iptables(metadata):
    """Open TCP 80 and 443 for nginx through the iptables bundle.

    When ``nginx/restrict-to-interfaces`` names one or more interfaces, the
    ACCEPT rules are limited to those interfaces (emitted in sorted order so
    the rule set is stable). With no interfaces given, both ports are accepted
    on every interface. Interface names are interpolated into the rule string
    verbatim, so this relies on metadata being operator-controlled.
    """
    interfaces = metadata.get('nginx/restrict-to-interfaces', set())
    ports = (80, 443)

    if len(interfaces) > 0:
        rules = [
            f'iptables -A INPUT -i {iface} -p tcp --dport {port} -j ACCEPT'
            for iface in sorted(interfaces)
            for port in ports
        ]
    else:
        rules = [
            f'iptables -A INPUT -p tcp --dport {port} -j ACCEPT'
            for port in ports
        ]

    return {'iptables': {'bundle_rules': {'nginx': rules}}}