gvasalt/states/webserver/site_macros.nginx
Jan Dittberner 2833b78c8a Implement salt states for gva webinterface
- setup listener and pg_hba.conf for PostgreSQL server
- add state code for gva
- add macros for nginx and uwsgi with Python 3 support
- add pillar data for gva
2020-03-07 18:26:52 +01:00


{#
macros for nginx configuration files
#}
{#
logfiles: emit the access_log and error_log directives for one server block.

  server_name  host name used as the log file base name; it becomes part of
               a filesystem path, so it should be a plain host name taken
               from trusted state/pillar data.
  ssl          when true, "-ssl" is appended to the base name.

The log directory is read from the pillar key nginx:logdir and falls back to
/var/log/nginx.
#}
{% macro logfiles(server_name, ssl=False) -%}
{%- set logdir = salt['pillar.get']('nginx:logdir', '/var/log/nginx') -%}
{%- set basename = server_name ~ ('-ssl' if ssl else '') -%}
access_log {{ logdir }}/{{ basename }}.access.log;
error_log {{ logdir }}/{{ basename }}.error.log;
{%- endmacro %}
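{#
server_definition: open an nginx "server {" block for server_name.

Parameters:
  server_name   primary host name; also used to build the certificate, key,
                log file and ACME challenge paths, so it must be a plain
                host name taken from trusted state/pillar data.
  ssl           true renders the HTTPS listeners (443) with certificates,
                false renders the HTTP listeners (80) that redirect to HTTPS.
  ipv6_address  accepted but not used by this macro.
  letsencrypt   with ssl: use the /etc/letsencrypt/live/<server_name>/ files;
                without ssl: serve the ACME challenge directory.
  servernames   additional names appended to the server_name directive;
                an entry equal to server_name is skipped.

The macro does not emit the closing "}" of the server block; the caller is
expected to add its own directives and close the block.

NOTE(review): ca_certificate is not a macro parameter. It is only picked up
when it is visible in the macro's scope (for example when the template is
imported with context) - confirm against the callers.
NOTE(review): only ssl_trusted_certificate is emitted here; ssl_stapling and
ssl_stapling_verify are presumably enabled elsewhere - confirm, otherwise no
OCSP response is stapled despite the "OCSP stapling" comments.
#}
{% macro server_definition(server_name, ssl=False, ipv6_address=none, letsencrypt=false, servernames=[]) -%}
server {
server_name {{ server_name }}{%- for othername in servernames %}
{%- if othername != server_name %} {{ othername }}{% endif -%}
{% endfor -%};
{% if ssl %}
{%- if server_name == salt['grains.get']('nginx:default_servername') %}
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
{%- else %}
listen 443 ssl;
{#- The IPv6 listener carries the ssl flag like the IPv4 one. Without it the
    IPv6 socket only speaks TLS if another server block declares it, and a
    host without such a block would answer plain HTTP on port 443. #}
listen [::]:443 ssl;
{%- endif %}
{%- if letsencrypt %}
ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;
# OCSP stapling
ssl_trusted_certificate /etc/letsencrypt/live/{{ server_name }}/chain.pem;
{%- else %}
ssl_certificate {{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}/{{ server_name }}.crt.pem;
ssl_certificate_key {{ salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') }}/{{ server_name }}.key.pem;
{%- if ca_certificate is defined and ca_certificate is not none %}
# OCSP stapling
ssl_trusted_certificate {{ ca_certificate }};
{%- endif %}
{%- endif %}
{%- else %}
listen 80;
listen [::]:80;
{%- endif %}
{{ logfiles(server_name, ssl) }}
{%- if not ssl %}
{%- if letsencrypt %}
location /.well-known/acme-challenge {
root /srv/www/acme-challenge/{{ server_name }};
}
{%- endif %}
location / {
{#- NOTE(review): $host is taken from the request. If this block ends up as
    the implicit default server for port 80, the redirect target follows an
    arbitrary Host header; redirecting to the configured server_name would
    avoid that, at the cost of canonicalising the aliases. #}
return 301 https://$host$request_uri;
}
{%- endif %}
{%- endmacro %}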