Implement salt states for gva webinterface

- setup listener and pg_hba.conf for PostgreSQL server - add state code for gva - add macros for nginx and uwsgi with Python 3 support - add pillar data for gva
2020-03-07 18:26:52 +01:00 · 2020-03-07 18:26:52 +01:00 · 2833b78c8a
commit 2833b78c8a
parent 7e246ec1a0
17 changed files with 400 additions and 19 deletions
--- a/states/webserver/site_macros.nginx
+++ b/states/webserver/site_macros.nginx
@ -0,0 +1,57 @@
+{#
+macros for nginx configuration files
+#}
+{% macro logfiles(server_name, ssl=False) -%}
+  access_log {{ salt['pillar.get']('nginx:logdir', '/var/log/nginx') }}/{{ server_name }}{% if ssl %}-ssl{% endif %}.access.log;
+  error_log {{ salt['pillar.get']('nginx:logdir', '/var/log/nginx') }}/{{ server_name }}{% if ssl %}-ssl{% endif %}.error.log;
+{%- endmacro %}
+
+{% macro server_definition(server_name, ssl=False, ipv6_address=none, letsencrypt=false, servernames=[]) -%}
+server {
+  server_name {{ server_name }}{%- for othername in servernames %}
+  {%- if othername != server_name %} {{ othername }}{% endif -%}
+  {% endfor -%};
+{% if ssl %}
+{%- if server_name == salt['grains.get']('nginx:default_servername') %}
+  listen 443 default_server ssl;
+  listen [::]:443 default_server ssl;
+{%- else %}
+  listen 443 ssl;
+  listen [::]:443;
+{%- endif %}
+{%- if letsencrypt %}
+
+  ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
+
+  # OCSP stapling
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ server_name }}/chain.pem;
+{%- else %}
+
+  ssl_certificate {{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}/{{ server_name }}.crt.pem;
+  ssl_certificate_key {{ salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') }}/{{ server_name }}.key.pem;
+
+  {%- if ca_certificate is defined and ca_certificate is not none %}
+  # OCSP stapling
+  ssl_trusted_certificate {{ ca_certificate }};
+  {%- endif %}
+{%- endif %}
+{%- else %}
+  listen 80;
+  listen [::]:80;
+{%- endif %}
+
+  {{ logfiles(server_name, ssl) }}
+{%- if not ssl %}
+{%- if letsencrypt %}
+
+  location /.well-known/acme-challenge {
+    root /srv/www/acme-challenge/{{ server_name }};
+  }
+{%- endif %}
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+{%- endif %}
+{%- endmacro %}
--- a/states/webserver/sslcert.macros.sls
+++ b/states/webserver/sslcert.macros.sls
@ -9,7 +9,7 @@
    - bits: {{ salt['pillar.get']('nginx:keylength:' + domain_name, 2048) }}
    - require:
      - file: {{ nginx_ssl_keydir }}
-      - pkg: python-cryptography
+      - pkg: python3-cryptography
    - require_in:
      - file: /etc/nginx/sites-available/{{ domain_name }}
      - service: nginx
@ -24,7 +24,7 @@
    - require:
      - file: {{ nginx_ssl_certdir }}
      - cmd: {{ certfile }}
-      - pkg: python-cryptography
+      - pkg: python3-cryptography
    - require_in:
      - file: /etc/nginx/sites-available/{{ domain_name }}
      - service: nginx