bundlewrap/bundles/nginx/metadata.py
2021-02-15 14:16:35 +01:00

173 lines
4.8 KiB
Python

defaults = {
'apt': {
'repos': {
'nginx': {
'items': [
'deb http://nginx.org/packages/{os} {os_release} nginx',
],
},
},
'packages': {
'nginx': {},
},
},
'backups': {
'paths': {
'/var/www',
},
},
'icinga2_api': {
'nginx': {
'services': {
'NGINX PROCESS': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit nginx',
},
'NGINX STATUS': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status',
},
},
},
},
'nginx': {
'worker_connections': 768,
'use_ssl_for_all_connections': True,
},
}
@metadata_reactor.provides(
'nginx/worker_processes',
)
def worker_processes(metadata):
return {
'nginx': {
'worker_processes': metadata.get('vm/cpu', 2),
},
}
@metadata_reactor.provides(
'letsencrypt/domains',
'letsencrypt/reload_after',
)
def letsencrypt(metadata):
if not node.has_bundle('letsencrypt'):
raise DoNotRunAgain
domains = {}
for vhost, config in metadata.get('nginx/vhosts', {}).items():
domain = config.get('domain', vhost)
domains[domain] = config.get('domain_aliases', set())
return {
'letsencrypt': {
'domains': domains,
'reload_after': {
'nginx',
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def index_files(metadata):
vhosts = {}
for vhost, config in metadata.get('nginx/vhosts', {}).items():
vhosts[vhost] = {
'index': [
'index.html',
'index.htm',
],
}
if config.get('php', False):
# If we're using PHP, make sure index.php is tried first
vhosts[vhost]['index'].insert(0, 'index.php')
return {
'nginx': {
'vhosts': vhosts,
},
}
@metadata_reactor.provides(
'icinga2_api/nginx/services',
)
def monitoring(metadata):
services = {}
for vname, vconfig in metadata.get('nginx/vhosts', {}).items():
domain = vconfig.get('domain', vname)
if metadata.get('nginx/use_ssl_for_all_connections'):
scheme = 'https'
else:
scheme = 'http'
if 'website_check_path' in vconfig and 'website_check_string' in vconfig:
services['NGINX VHOST {} CONTENT'.format(vname)] = {
'check_command': 'check_http_wget',
'vars.http_wget_contains': vconfig['website_check_string'],
'vars.http_wget_url': '{}://{}{}'.format(scheme, domain, vconfig['website_check_path']),
'vars.notification.sms': True,
}
if vconfig.get('check_ssl', metadata.get('nginx/use_ssl_for_all_connections')):
services['NGINX VHOST {} CERTIFICATE'.format(vname)] = {
'check_command': 'check_https_cert_at_url',
'vars.domain': domain,
'vars.notification.mail': True,
}
max_connections = metadata.get('nginx/worker_connections') * metadata.get('nginx/worker_processes')
connections_warn = int(max_connections * 0.8)
connections_crit = int(max_connections * 0.9)
services['NGINX STATUS'] = {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status --warn={},-1,-1 --critical={},-1,-1 -H 127.0.0.1:22999'.format(connections_warn, connections_crit),
}
return {
'icinga2_api': {
'nginx': {
'services': services,
},
},
}
@metadata_reactor.provides(
'iptables/bundle_rules/nginx',
)
def iptables(metadata):
identifiers = metadata.get('nginx/restrict-to', set())
rules = set()
if identifiers:
for identifier in sorted(identifiers):
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
for address in resolved['ipv4']:
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
for address in resolved['ipv6']:
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
else:
rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
return {
'iptables': {
'bundle_rules': {
'nginx': list(sorted(rules)),
},
},
}