nginx/files/etc/nginx/nginx.conf:
{%- from 'nginx/map.jinja' import nginx with context -%}
# Main nginx configuration, rendered by Salt as a Jinja template
# (see nginx/files.sls). Every value is taken from the `nginx` map in
# nginx/map.jinja, so pillar overrides flow through without editing this file.
pid {{ nginx.settings.pid.dir }}/{{ nginx.settings.pid.file }};
user {{ nginx.settings.user }};
worker_processes {{ nginx.settings.worker.processes }};

events {
    worker_connections {{ nginx.settings.events.worker.connections }};
}

http {
    # logging
    access_log {{ nginx.settings.http.log.dir }}/{{ nginx.settings.http.access.log }};
    error_log {{ nginx.settings.http.log.dir }}/{{ nginx.settings.http.error.log }};

    # connection / transfer behaviour
    sendfile {{ nginx.settings.http.sendfile }};
    tcp_nopush {{ nginx.settings.http.tcp.nopush }};
    tcp_nodelay {{ nginx.settings.http.tcp.nodelay }};
    keepalive_timeout {{ nginx.settings.http.keepalive.timeout }};

    # content handling
    default_type {{ nginx.settings.http.default.type }};
    gzip {{ nginx.settings.http.gzip.value }};
    gzip_disable "{{ nginx.settings.http.gzip.disable }}";

    # hash table sizing
    server_names_hash_bucket_size {{ nginx.settings.http.server.names.hash.bucket.size }};
    types_hash_max_size {{ nginx.settings.http.types.hash.max.size }};

    # NOTE(review): no server_tokens directive is set, so the nginx version
    # is disclosed in the Server header and on error pages; `server_tokens off;`
    # would be the usual hardening addition.

    # mime types and per-site server blocks, in map order
    {%- for include in nginx.settings.http.includes %}
    include {{ include }};
    {%- endfor %}
}
nginx/files.sls:
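{% from 'nginx/map.jinja' import nginx with context %}
# Manage the main nginx configuration file from the nginx map and remove the
# distribution's default vhost so only explicitly managed sites are served.

nginx_config_file:
  file.managed:
    - name: {{ nginx.config.dir }}/{{ nginx.config.file }}
    # template lives under nginx/files/ mirroring the target path
    - source: salt://nginx/files{{ nginx.config.dir }}/{{ nginx.config.file }}
    - user: root
    - group: root
    # Quoted: YAML 1.1 reads an unquoted 0644 as the octal integer 420, and
    # Salt documents file modes as strings.
    - mode: '0644'
    - template: jinja

nginx_config_sites_enabled_default_file:
  file.absent:
    - name: {{ nginx.config.sites.enabled.dir }}/{{ nginx.config.sites.enabled.default.file }}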
nginx/map.jinja:
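{% import '_grains/map.jinja' as grain %}
{#
  Defaults for the nginx formula. Pillar data under `nginx` is merged over
  these, then `nginx:<env>:<cluster>` is merged over that result. Templates
  import the final mapping as `nginx`.
#}
{% load_yaml as defaults %}
config:
  dir: /etc/nginx
  file: nginx.conf
  sites:
    enabled:
      dir: /etc/nginx/sites-enabled
      default:
        # distro vhost, removed by nginx/files.sls
        file: default
pkgs:
  - nginx
service:
  name: nginx
settings:
  events:
    worker:
      connections: 768
  http:
    access:
      log: access.log
    default:
      type: application/octet-stream
    error:
      log: error.log
    gzip:
      # quoted so YAML keeps the literal string (unquoted `on` is boolean true)
      value: 'on'
      disable: msie6
    includes:
      - /etc/nginx/mime.types
      - /etc/nginx/sites-enabled/*.conf
    keepalive:
      timeout: 65
    log:
      dir: /var/log/nginx
    sendfile: 'on'
    server:
      client:
        max:
          body:
            size: 1G
      names:
        hash:
          bucket:
            size: 128
    # TLS defaults consumed by site templates (e.g. jenkins.conf) through
    # nginx.settings.http.ssl. The booleans are real YAML booleans; the site
    # templates translate them to nginx on/off.
    ssl:
      ssl_ciphers: EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
      ssl_prefer_server_ciphers: true
      # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only while
      # legacy clients still need them, and add TLSv1.3 where the nginx/OpenSSL
      # build supports it.
      ssl_protocols: TLSv1 TLSv1.1 TLSv1.2
      ssl_session_cache: shared:SSL:10m
      # off: stateless tickets weaken forward secrecy unless ticket keys rotate
      ssl_session_tickets: false
      ssl_session_timeout: 1d
    tcp:
      nodelay: 'on'
      nopush: 'on'
    types:
      hash:
        max:
          size: 2048
  pid:
    dir: /run
    file: nginx.pid
  user: www-data
  worker:
    processes: auto
state:
  name: nginx
{% endload %}
{% set toplevel = salt['pillar.get'](defaults.state.name, default=defaults, merge=True) %}
{% set env_cluster = salt['pillar.get'](defaults.state.name ~ ':' ~ grain.env ~ ':' ~ grain.cluster, default=toplevel, merge=True) %}
{% set nginx = env_cluster %}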
jenkins/map.jinja:
{% import '_grains/map.jinja' as grain %}
{% from 'default/map.jinja' import default with context %}
{% from 'nginx/map.jinja' import nginx with context %}
{% from 'ssl/map.jinja' import ssl with context %}
{% from "volume/map.jinja" import volume with context %}
{% set name = 'jenkins' %}
{#
  Defaults for the jenkins formula, split into what master and slave share
  (`common`) and per-role settings. Pillar under `jenkins` is merged over these,
  then `jenkins:<region>` over that; templates import the result as `jenkins`.
  The `pillars` lists name pillar keys holding secrets; the secret values
  themselves never live in this file.
#}
{% load_yaml as defaults %}
common:
  account:
    fullname: {{ name }}
    group: {{ name }}
    shell: /bin/bash
    user: {{ name }}
    uid: 10003
  config:
    dir: {{ volume.dir }}/{{ name }}
  data:
    dir: {{ volume.dir }}/{{ name }}
  ssh:
    public_key_file: id_rsa.pub
    private_key_file: id_rsa
    dir: .ssh
  # NOTE(review): unquoted, so YAML types this as a float; a value such as
  # 2.30 would be read back as 2.3. Quote it if it is only ever used as text.
  version: 2.22
  volume:
    # NOTE(review): relies on the Python dict repr of `volume` parsing as a
    # YAML flow mapping; Salt's `yaml` Jinja filter is the supported way to
    # embed a mapping, if the Salt version in use provides it.
    {{ volume }}
master:
  # loopback only: Jenkins is reached through the nginx proxy (jenkins.conf)
  bind_address: 127.0.0.1
  breadcrumb:
    file: .{{ name }}_setup_done
  config:
    file: config.xml
  default:
    dir: {{ default.dir }}
    file: {{ name }}
  java:
    max_heap: 2g
  nginx:
    config:
      dir: {{ nginx.config.dir }}
      sites:
        enabled:
          dir: {{ nginx.config.sites.enabled.dir }}
          file: {{ name }}.conf
    ssl:
      # TLS settings inherited from the nginx map (same caveat as for volume)
      {{ nginx.settings.http.ssl }}
  pkgs:
    - {{ name }}
  pillars:
    - {{ name }}:{{ grain.region }}:master:ssh:private_key
    - {{ name }}:{{ grain.region }}:master:ssh:public_key
    {% if grain.account == 'development' %}
    - ldap:password:encoded
    {% endif %}
  port: 8080
  server:
    name: {{ grains['fqdn'] }}
  service:
    name: {{ name }}
  ssl:
    certs:
      dir: {{ ssl.certs.dir }}
      file: {{ ssl.bundles.star.env.cert_nginx }}
    dhparam:
      dir: {{ ssl.config.dir }}
      file: {{ ssl.dhparam.file }}
    key:
      dir: {{ ssl.key.dir }}
      file: {{ ssl.bundles.star.env.key }}
slave:
  aws:
    config:
      dir: .aws
      file: config
  build:
    config:
      file: build.yml
  pkgs:
    - python3-{{ name }}api
    - mtd-utils
    - u-boot-tools
    - device-tree-compiler
    - python-jenkins
    - python-pexpect
  pillars:
    - deployer:ssh:private_key
    - deployer:ssh:public_key
    - {{ name }}:{{ grain.region }}:slave:artifactory:password
    - {{ name }}:{{ grain.region }}:slave:s3:access_key
    - {{ name }}:{{ grain.region }}:slave:s3:secret_key
  tmp:
    dir: {{ volume.dir }}/tmp
state:
  name: {{ name }}
{% endload %}
{% set toplevel = salt['pillar.get'](defaults.state.name, default=defaults, merge=True) %}
{% set region = salt['pillar.get'](defaults.state.name ~ ':' ~ grain.region, default=toplevel, merge=True) %}
{% set jenkins = region %}
jenkins/files.sls:
{%- from 'nginx/map.jinja' import nginx with context -%}
# NOTE(review): this listing is labelled jenkins/files.sls but holds the same
# nginx.conf template as nginx/files/etc/nginx/nginx.conf; confirm the path.
# All values come from the `nginx` map (nginx/map.jinja).
pid {{ nginx.settings.pid.dir }}/{{ nginx.settings.pid.file }};
user {{ nginx.settings.user }};
worker_processes {{ nginx.settings.worker.processes }};

events {
    worker_connections {{ nginx.settings.events.worker.connections }};
}

http {
    # logging
    access_log {{ nginx.settings.http.log.dir }}/{{ nginx.settings.http.access.log }};
    error_log {{ nginx.settings.http.log.dir }}/{{ nginx.settings.http.error.log }};

    # connection / transfer behaviour
    sendfile {{ nginx.settings.http.sendfile }};
    tcp_nopush {{ nginx.settings.http.tcp.nopush }};
    tcp_nodelay {{ nginx.settings.http.tcp.nodelay }};
    keepalive_timeout {{ nginx.settings.http.keepalive.timeout }};

    # content handling
    default_type {{ nginx.settings.http.default.type }};
    gzip {{ nginx.settings.http.gzip.value }};
    gzip_disable "{{ nginx.settings.http.gzip.disable }}";

    # hash table sizing
    server_names_hash_bucket_size {{ nginx.settings.http.server.names.hash.bucket.size }};
    types_hash_max_size {{ nginx.settings.http.types.hash.max.size }};

    # mime types and per-site server blocks, in map order
    {%- for include in nginx.settings.http.includes %}
    include {{ include }};
    {%- endfor %}
}
jenkins.conf:
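{%- from 'jenkins/map.jinja' import jenkins with context -%}
# Reverse proxy for the Jenkins master. Jenkins listens on loopback only
# (jenkins.master.port); all external traffic terminates TLS here.
upstream jenkins {
    server 127.0.0.1:{{ jenkins.master.port }} fail_timeout=0;
}

# plain HTTP: redirect everything to HTTPS on the requested host
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    # `ssl` on the listen line enables TLS for this server; the separate
    # `ssl on;` directive was redundant with it and is deprecated since
    # nginx 1.15.0, so it is dropped.
    listen 443 default_server ssl;
    server_name {{ jenkins.master.server.name }};

    ssl_certificate {{ jenkins.master.ssl.certs.dir }}/{{ jenkins.master.ssl.certs.file }};
    ssl_certificate_key {{ jenkins.master.ssl.key.dir }}/{{ jenkins.master.ssl.key.file }};
    ssl_dhparam {{ jenkins.master.ssl.dhparam.dir }}/{{ jenkins.master.ssl.dhparam.file }};
    ssl_session_timeout {{ jenkins.master.nginx.ssl.ssl_session_timeout }};
    ssl_session_cache {{ jenkins.master.nginx.ssl.ssl_session_cache }};
    # the map stores these as YAML booleans; translate to nginx on/off
    ssl_session_tickets {{ 'on' if jenkins.master.nginx.ssl.ssl_session_tickets else 'off' }};
    ssl_prefer_server_ciphers {{ 'on' if jenkins.master.nginx.ssl.ssl_prefer_server_ciphers else 'off' }};
    # protocol and cipher lists come from nginx/map.jinja (nginx.settings.http.ssl)
    ssl_protocols {{ jenkins.master.nginx.ssl.ssl_protocols }};
    ssl_ciphers {{ jenkins.master.nginx.ssl.ssl_ciphers }};

    location / {
        # Response hardening. Note: add_header is only emitted on 2xx/3xx
        # responses unless the `always` flag is given, and a nested location
        # that sets its own add_header drops all of these.
        add_header Pragma "no-cache";
        # two-year HSTS covering all subdomains of the served name, plus preload;
        # preload-list inclusion is hard to revert, so keep that deliberate.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        # pass the original host and client details to Jenkins
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # rewrite any http:// Location headers from Jenkins back to https://
        proxy_redirect http:// https://;
        proxy_pass http://jenkins;
    }
}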