Franziska Kunsmann
5c1eba0d58
All checks were successful
bundlewrap/pipeline/head This commit looks good
173 lines
4.8 KiB
Python
173 lines
4.8 KiB
Python
defaults = {
|
|
'apt': {
|
|
'repos': {
|
|
'nginx': {
|
|
'items': [
|
|
'deb http://nginx.org/packages/{os} {os_release} nginx',
|
|
],
|
|
},
|
|
},
|
|
'packages': {
|
|
'nginx': {},
|
|
},
|
|
},
|
|
'backups': {
|
|
'paths': {
|
|
'/var/www',
|
|
},
|
|
},
|
|
'icinga2_api': {
|
|
'nginx': {
|
|
'services': {
|
|
'NGINX PROCESS': {
|
|
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit nginx',
|
|
},
|
|
'NGINX STATUS': {
|
|
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status',
|
|
},
|
|
},
|
|
},
|
|
},
|
|
'nginx': {
|
|
'worker_connections': 768,
|
|
'use_ssl_for_all_connections': True,
|
|
},
|
|
}
|
|
|
|
|
|
@metadata_reactor.provides(
|
|
'nginx/worker_processes',
|
|
)
|
|
def worker_processes(metadata):
|
|
return {
|
|
'nginx': {
|
|
'worker_processes': metadata.get('vm/cpu', 2),
|
|
},
|
|
}
|
|
|
|
|
|
@metadata_reactor.provides(
|
|
'letsencrypt/domains',
|
|
'letsencrypt/reload_after',
|
|
)
|
|
def letsencrypt(metadata):
|
|
if not node.has_bundle('letsencrypt'):
|
|
raise DoNotRunAgain
|
|
|
|
domains = {}
|
|
|
|
for vhost, config in metadata.get('nginx/vhosts', {}).items():
|
|
domain = config.get('domain', vhost)
|
|
domains[domain] = config.get('domain_aliases', set())
|
|
|
|
return {
|
|
'letsencrypt': {
|
|
'domains': domains,
|
|
'reload_after': {
|
|
'nginx',
|
|
},
|
|
},
|
|
}
|
|
|
|
|
|
@metadata_reactor.provides(
|
|
'nginx/vhosts',
|
|
)
|
|
def index_files(metadata):
|
|
vhosts = {}
|
|
|
|
for vhost, config in metadata.get('nginx/vhosts', {}).items():
|
|
vhosts[vhost] = {
|
|
'index': [
|
|
'index.html',
|
|
'index.htm',
|
|
],
|
|
}
|
|
|
|
if config.get('php', False):
|
|
# If we're using PHP, make sure index.php is tried first
|
|
vhosts[vhost]['index'].insert(0, 'index.php')
|
|
|
|
|
|
return {
|
|
'nginx': {
|
|
'vhosts': vhosts,
|
|
},
|
|
}
|
|
|
|
|
|
@metadata_reactor.provides(
|
|
'icinga2_api/nginx/services',
|
|
)
|
|
def monitoring(metadata):
|
|
services = {}
|
|
|
|
for vname, vconfig in metadata.get('nginx/vhosts', {}).items():
|
|
domain = vconfig.get('domain', vname)
|
|
|
|
if metadata.get('nginx/use_ssl_for_all_connections'):
|
|
scheme = 'https'
|
|
else:
|
|
scheme = 'http'
|
|
|
|
if 'website_check_path' in vconfig and 'website_check_string' in vconfig:
|
|
services['NGINX VHOST {} CONTENT'.format(vname)] = {
|
|
'check_command': 'check_http_wget',
|
|
'vars.http_wget_contains': vconfig['website_check_string'],
|
|
'vars.http_wget_url': '{}://{}{}'.format(scheme, domain, vconfig['website_check_path']),
|
|
'vars.notification.sms': True,
|
|
}
|
|
|
|
if vconfig.get('check_ssl', metadata.get('nginx/use_ssl_for_all_connections')):
|
|
services['NGINX VHOST {} CERTIFICATE'.format(vname)] = {
|
|
'check_command': 'check_https_cert_at_url',
|
|
'vars.domain': domain,
|
|
'vars.notification.mail': True,
|
|
}
|
|
|
|
max_connections = metadata.get('nginx/worker_connections') * metadata.get('nginx/worker_processes')
|
|
connections_warn = int(max_connections * 0.8)
|
|
connections_crit = int(max_connections * 0.9)
|
|
|
|
services['NGINX STATUS'] = {
|
|
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status --warn={},-1,-1 --critical={},-1,-1 -H 127.0.0.1:22999'.format(connections_warn, connections_crit),
|
|
}
|
|
|
|
return {
|
|
'icinga2_api': {
|
|
'nginx': {
|
|
'services': services,
|
|
},
|
|
},
|
|
}
|
|
|
|
|
|
@metadata_reactor.provides(
|
|
'iptables/bundle_rules/nginx',
|
|
)
|
|
def iptables(metadata):
|
|
identifiers = metadata.get('nginx/restrict-to', set())
|
|
rules = set()
|
|
|
|
if identifiers:
|
|
for identifier in sorted(identifiers):
|
|
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
|
|
|
|
for address in resolved['ipv4']:
|
|
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
|
|
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
|
|
|
|
for address in resolved['ipv6']:
|
|
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
|
|
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
|
|
else:
|
|
rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
|
|
rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
|
|
|
|
return {
|
|
'iptables': {
|
|
'bundle_rules': {
|
|
'nginx': list(sorted(rules)),
|
|
},
|
|
},
|
|
}
|