SaltStack nginx formula, including automated letsencrypt certificates
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
contrib
files
include
LICENSE
README.md
acme.sls
acmemap.jinja
baseconf.sls
cert.sls
init.sls
iptables.sls
logging.sls
logrotate.sls
map.jinja
pki.sls
selinux.sls
vhosts.sls

README.md

SaltStack nginx formula

It sets up a "fire and forget" nginx server, that gets SSL certificates from letsencrypt and renews them periodically.

The states can be parameterized using the stateconf renderer (see here)

Supported Platforms

  • CentOS 7

Parameters

* conf:
    user(string, optional): User to run nginx as, distro default will be used
        if missing
    group(string, optional): Group to run nginx as, distro default will be used
        if missing
    reverse_proxy(optional):
      force_https(bool, False): Redirect all HTTP requests to HTTPS
      protocol(list of strings): Protocols to use, available: 'http', 'https'
      ssl:
        simple(bool, False): Use simple SSL config (no HSTS, OCSP)
      upstream:
        servernames(list of strings): Server names to listen on
        url(string): URL to proxy to
        protocols(list of strings, optional): Override reverse_proxy:protocol
            per server
        redirect_from(list of strings, optional): Additional server names to
            redirect from
        additional_params(dict): additional options to set (key => value)
    static_content(string, False):
      protocol(string): Protocol to use, either 'http' or 'https'
      server_name(string): The servername for the server
      autoindex(bool, False): Generate auto index for directories
    ipv6(bool, False): Also use IPv6
    acme_backend(optional):
      ip(string): IP address of the acme backend
    acme(bool, False): Act as an ACME backend
    cgi(optional):
      socket(string): Path to local CGI socket to use
      params(dict string => string): Additional CGI params to use
    local_status(bool, True): Expose nginx status to localhost

* iptables:
    ipv6(bool, False): See conf:ipv6
    public(bool, False): Listen on the PUBLIC zone instead of LOCAL

* pki:
    domains(list):
      names(list of strings): SSL domain names, first one is primary name
      ssl_cert(bool, False): Use domain specific cert
      master_dhparams(bool, False): Use 'dhparams.pem' from the 'ssl' pillar

* selinux:
    network_connect(bool, False): Allow nginx to connect to the network (most
        likely needed for reverse proxying)