nginx
Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.0.0
Start using this module
Add this module to your Puppetfile:
mod 'qtechnologies-nginx', '1.3.3'Learn more about managing modules with a PuppetfileDocumentation
puppet-nginx
Puppet module to manage standard web application configuration in Nginx.
This module sets up NGINX virtual hosts according to hiera data. It is fairly contrived in it's approach, aiming to be easy to consume for cases already predefined in the template - it is not very flexible outside of these scenarios. Having said that, additional deployment types could be added - I expect they can remain fairly standard.
Some features require the inclusion of qtechnologies/psgi and/or qtechnologies/phpfpm. stdlib is always a requirement.
It supports Let's Encrypt to some degree (certbot). It will look for domains in /etc/letsencrypt/live and configure NGINX to use these certs if it finds a matching domain. It will also make it possible for certbot to always do verification on port 80 (certbot won't do this on port 443). It will also create a fact called: letsencrypt_live_domains which lists the domains in /etc/letsencrypt/live.
Currently only tested on SUSE, but other platforms should work with the right hiera data - especially regarding the user/group nginx runs as.
Instructions
Include this module in your preferred manner. E.g.:
include nginx
or
class { 'nginx': }
NB If you include this module, it will manage the vhosts.d - i.e. delete any definitions that are not in hiera.
Define some hiera data like this:
################################################################################
#
# NGINX Virtual Web servers
#
################################################################################
nginx::web_root_parent: /webroot
nginx::web_server_names:
'wiki.example.com':
to_ssl: temporary
web_root: /var/www/wiki
content: psgi
psgi:
server: Twiggy
'webmail.example.com':
content: php
'javaservice.example.com':
content: localport
local_port: 8001
'www.example.com':
content: php
pool_ini:
pm.max_children: 12
to_ssl: permanent
alternates:
- example.com
Module globals
nginx::web_root_parent is where the virtual hosts (web server names) are served from unless web_root is specified for a specific web server name. You can also override these defaults in hiera, if required:
nginx::package_name: nginx
nginx::service_name: nginx
nginx::conf_dir: /etc/nginx
nginx::log_dir: /var/log/nginx
nginx::socket_dir: /var/sockets
nginx::cert_dir: /etc/nginx/certs
nginx::user: wwwrun
nginx::group: www
nginx::workers: 2
nginx::snh_bucket_size: 64
Domains (Virtual Servers) to configure
Define a hash as nginx::web_server_names - this hash will be merged from across all your hiera data matching the node. Each key is the main domain you are hosting (web server name/virtual host). Each of these keys contains a hash with these keys:
to_ssl- temporary or permanent. Redirect from http to https.web_root- per web server name specified web directory root.content- psgi, php, owncloud, opencart.psgi- proxies a PSGI application through a UNIX socketlocalport- proxies any HTTP service running on the localhost on specified port (default 8080)php- proxies PHP-FPM through a UNIX socketowncloud- proxies PHP-FPM through a UNIX socket, but with some recommended owncloud settingsnextcloud- proxies PHP-FPM through a UNIX socket, but with some recommended owncloud settingsopencart- proxies PHP-FPM through a UNIX socket, but with some recommended opencart settings
pool_ini- for PHP FPM. It can be used to overwrite the global pool ini data. It is merged, so you only need to specify differences.psgi- parameters that can be passed to the PSGI module to override the PSGI global settings for this web server name only. It is merged, so you only need to specify differences.alternates- an array of alternate server names. They will all redirect to the main web server name, rather than acting as alternate server names in the web server.app_environment- the application deployment environment. E.g. production, test, development, etc. Currently only meaningful to PSGI apps by determining whether the service should be automatically started. Defaults to production.
Let's Encrypt (certbot)
This module will not automatically configure Let's Encrypt. You need to do it manually using instructions on this page, in short do this:
# Once only
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
# Repeat for each domain group (certificate request)
./path/to/certbot-auto certonly --webroot \
-w /webroot/example -d example.com -d www.example.com \
-w /webroot/thing -d thing.is -d m.thing.is
But once you do this for a domain, this puppet module will detect the new certificate and configure Nginx to use it rather than any previously configured certs (presumably self-signed).
Issues
It has only been tested on SUSE systems, using SUSE paths - patches for other platforms are welcome - we just need to create internal hiera data for the OS family.
Dependencies
- puppetlabs/stdlib (>= 4.0.0 < 10.0.0)
- qtechnologies/phpfpm (>= 1.1.0 < 10.0.0)
- qtechnologies/psgi (>= 1.1.0 < 10.0.0)
Copyright 2016 Q-Technologies
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.