Move webserver configuration to nginx state

2017-08-20 13:56:10 +02:00 · 2017-08-20 13:56:10 +02:00 · c4dcf12a0a
commit c4dcf12a0a
parent 9a557fa69f
5 changed files with 50 additions and 50 deletions
--- a/states/webserver/init.sls
+++ b/states/webserver/init.sls
@ -1,51 +1,2 @@
 include:
  - nginx
-
-/etc/nginx/conf.d/logformat.conf:
-  file.managed:
-    - user: root
-    - group: root
-    - mode: 0644
-    - source: salt://webserver/nginx-logformat.conf
-    - require:
-      - pkg: nginx
-    - watch_in:
-      - service: nginx
-
-{% set ssldir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
-
-generate-dhparam-nginx:
-  cmd.run:
-    - name: openssl dhparam -out {{ ssldir }}/dhparams.pem 2048
-    - umask: 022
-    - runas: root
-    - timeout: 300
-    - output_loglevel: debug
-    - creates: {{ ssldir }}/dhparams.pem
-    - require_in:
-      - file: /etc/nginx/conf.d/ssl.conf
-    - watch_in:
-      - service: nginx
-
-/etc/nginx/conf.d/ssl.conf:
-  file.managed:
-    - user: root
-    - group: root
-    - mode: 0644
-    - source: salt://webserver/nginx-ssl.conf
-    - template: jinja
-    - require:
-      - pkg: nginx
-    - watch_in:
-      - service: nginx
-
-/etc/nginx/snippets/security.conf:
-  file.managed:
-    - user: root
-    - group: root
-    - mode: 0644
-    - source: salt://webserver/nginx-security.conf
-    - require:
-      - pkg: nginx
-    - watch_in:
-      - service: nginx
--- a/states/webserver/nginx-logformat.conf
+++ b/states/webserver/nginx-logformat.conf
@ -1,4 +0,0 @@
-log_format main '$remote_addr - $remote_user [$time_local]  '
-                '$server_name '
-                '"$request" $status $body_bytes_sent '
-                '"$http_referer" "$http_user_agent"';
--- a/states/webserver/nginx-security.conf
+++ b/states/webserver/nginx-security.conf
@ -1,19 +0,0 @@
-# Security - Basic configuration
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-        expires max;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    # Deny access to hidden files
-    location ~ /\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-    }
--- a/states/webserver/nginx-ssl.conf
+++ b/states/webserver/nginx-ssl.conf
@ -1,15 +0,0 @@
-# Default TLS settings
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:ALL:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS;
-ssl_prefer_server_ciphers on;
-ssl_session_cache shared:SSL:10m;
-
-ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}/dhparams.pem;
-
-# OCSP stapling
-ssl_stapling on;
-ssl_stapling_verify on;
-
-# use Google's DNS
-resolver 8.8.8.8;
-resolver_timeout 5s;