Add nginx profiles

network/files/firewall_rules.nft.jinja

@@ -1,5 +1,4 @@
-# This file is managed by Saltstack. (State {{ STATE }})
+## This file is managed by Saltstack. (state: {{ sls }})
-
 #!/usr/sbin/nft
 
 table inet filter {
@@ -9,4 +8,4 @@ table inet filter {
     tcp dport {{ port }} accept
     {%- endfor %}
   }
-}
+}

network/firewall.sls

@@ -9,7 +9,6 @@ network_firewall_rules:
     - source: salt://{{ tpldir }}/files/firewall_rules.nft.jinja
     - template: jinja
     - context:
-        STATE: {{ sls }}
         ALLOWED_PORTS: [80, 443, 25565, 51871]
     - user: root
     - group: root

nginx/files/matrix.conf

@@ -0,0 +1,16 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name chat.noveria.org;
+
+  location ~ ^(/_matrix|/_synapse/client) {
+    proxy_pass http://localhost:8007;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $host;
+    
+    client_max_body_size 50M;
+    proxy_http_version 1.1
+  }
+}

nginx/files/nginx.conf.jinja

@@ -0,0 +1,52 @@
+## THIS FILE IS MANAGED USING SALT (state: {{ sls }})
+# /etc/nginx/nginx.conf
+
+qworker_processes auto;
+pcre_jit on;
+
+error_log {{ log_dir }}/error.log warn;
+
+include /etc/nginx/modules/*.conf;
+include /etc/nginx/conf.d/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    server_tokens off;
+
+    client_max_body_size 1m;
+
+    sendfile on;
+
+    tcp_nopush on;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    ssl_prefer_server_ciphers on;
+
+    ssl_session_cache shared:SSL:2m;
+
+    ssl_session_timeout 1h;
+
+    ssl_session_ticketrs off;
+
+    gzip_vary on;
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log {{ log_dir }}/access.log main;
+
+    include {{ sites_enabled_dir }}/*.conf;
+}

nginx/init.sls

@@ -1,17 +1,4 @@
-{% from tpldir+"/map.jinja" import nginx with context %}
+include:
-{% set profiles = salt.pillar.get("nginx.profiles", []) %}
+  - .pkg
-
+  - .service
-nginx_pkg:
+  - .profiles
-  pkg.installed:
-    - pkgs:
-      - nginx
-
-nginx_service:
-  service.running:
-    - name: nginx
-    - running: True
-    - require:
-      - nginx_pkg
-
-{% for profile in profiles %}
-{% endfor %}

nginx/map.jinja

@@ -1,3 +1,7 @@
+{% set dir = '/etc/nginx' %}
+
 {% set nginx = {
-  'dir': ''
+  'log_dir': '/var/log/nginx'
+  'sites_dir': '%s/sites-available' % dir,
+  'sites_enabled_dir': '%s/sites-enabled' % dir
 }%}

nginx/pkg.sls

@@ -0,0 +1,17 @@
+{% from tpldir+"/map.jinja" import nginx with context %}
+
+nginx_pkg_pkgs:
+  pkg.installed:
+    - pkgs:
+      - nginx
+
+nginx_pkg_config:
+  file.managed:
+    - name: /etc/nginx/nginx.conf
+    - source: salt://{{ tpldir }}/files/nginx.conf.jinja
+    - template: jinja
+    - context:
+        log_dir: {{ nginx.log_dir }}
+        sites_enabled_dir: {{ nginx.sites_enabled_dir }}
+    - require:
+      - nginx_pkg_pkgs

nginx/profiles.sls

@@ -0,0 +1,36 @@
+{% from tpldir+"/map.jinja" import nginx with context %}
+{% set profiles = salt.pillar.get("nginx.profiles", []) %}
+
+include:
+  - .pkg
+
+nginx_profiles_sites_dir:
+  file.directory:
+    - name: {{ nginx.sites_dir }}
+    - user: root
+    - group: root
+    - file_mode: '0644'
+    - dir_mode: '0755'
+    - require:
+      - nginx_pkg_pkgs
+
+nginx_profiles_sites_enabled_dir:
+  file.directory: 
+    - name: {{ nginx.sites_enabled_dir }}
+    - user: root
+    - group: root
+    - file_mode: '0644'
+    - dir_mode: '0755'
+    - require:
+      - nginx_pkg_pkgs
+
+{% for profile in profiles %}
+nginx_{{ profile }}}_enable:
+  file.symlink:
+    - name: {{ nginx.sites_enabled_dir }}/{{ profile }}.conf
+    - target: {{ nginx.sites_dir }}/{{ profile }}.conf
+    - force: True
+    - require:
+      - nginx_profiles_sites_dir
+      - nginx_profiles_sites_enabled_dir
+{% endfor %}

nginx/service.sls

@@ -0,0 +1,9 @@
+include:
+  - .pkg
+
+nginx_service_running:
+  service.running:
+    - name: nginx
+    - enabled: True
+    - require:
+      - nginx_pkg_pkgs