> А не поделитесь, пожалуйста, темплейтом Puppet'a для nginx?

Большинство манифестов заточено на нашу внутреннюю архитектуру, поэтому не могу показать.
Но некоторыми не специфическими поделится могу.

Вот реальный пример, как эти манифесты используются у нас (убрал несущественное здесь и поменял имена/IP):

class site::front::example_com {
nginx::vhost_front { "example.com":
ip => "1.2.3.4",
ssl => true,
ssl_only => true,
default_trap => "redirect",
proxy_pass => "backend123",
custom => "client_max_body_size 64m;",
}
}

node "front3" inherits "front_common" {
include nginx::front
include site::front::example_com
}
class nginx::base {
package { "nginx": ensure => present }

service { "nginx":
enable => true,
ensure => running,
hasrestart => false,
restart => "/sbin/service nginx reload",
hasstatus => true,
require => Package["nginx"],
}

File {
mode => 0644,
owner => "root",
group => "root",
require => Package["nginx"],
}

file { [ "/etc/nginx", "/etc/nginx/vhosts" ]:
ensure => directory,
mode => 0755,
}

file { "/etc/nginx/mime.types":
source => "puppet:///nginx/mime.types",
notify => Service["nginx"],
}
}

define nginx::conf($keepalive=false,
$pid="/var/run/nginx.pid",
$error_log="/var/log/nginx/error.log",
$worker_processes=1,
$worker_rlimit_nofile=2000,
$worker_connections=2000,
$log_format_combh=false,
$gzip=false,
$ssl=false,
$maps=false,
$resolver="",
$upstreams=false) {
file { "$name":
owner => "root",
group => "root",
mode => 0644,
content => template("nginx/nginx.conf.erb"),
notify => $notify,
}
}

class nginx::front inherits nginx::base {
nginx::conf { "/etc/nginx/nginx.conf":
notify => Service["nginx"],
keepalive => true,
worker_processes => 4,
worker_rlimit_nofile => 20000,
worker_connections => 20000,
gzip => true,
ssl => true,
resolver => "192.168.1.110",
upstreams => true,
maps => true,
}

File {
mode => 0644,
owner => "root",
group => "root",
require => Package["nginx"],
notify => Service["nginx"],
}

file {
"/etc/nginx/upstreams.conf": source => "puppet:///nginx/upstreams.conf";
"/etc/nginx/maps.conf": source => "puppet:///nginx/maps.conf";
}
}

define nginx::vhost_front(
$ip,
$port=80,
$port_ssl=443,
$aliases=[],
$custom="",
$custom_ssl="",
$default=false,
$default_trap="",
$ssl=false,
$ssl_aliases=false,
$ssl_cert="",
$ssl_only=false,
$proxy_pass="",
$redirect="",
$log=true,
$trap_redirect="$name") {
$main_name=$name
$trap_redirect_schema = $ssl_only ? {
true => "https",
false => "http",
}
$default_trap_action = $default_trap ? {
"redirect" => "rewrite ^ ${trap_redirect_schema}://$trap_redirect/ permanent;",
"404" => "return 404;",
default => "",
}
file { "/etc/nginx/vhosts/$name.conf":
owner => "root",
group => "root",
mode => 0644,
content => template("nginx/vhost_front.conf.erb"),
notify => Service["nginx"],
}
if $ssl {
pki::nginx::cert { "$name": notify => Service["nginx"] }
}
}
# Managed by puppet

user nginx;
worker_processes <%= worker_processes %>;
worker_rlimit_nofile <%= worker_rlimit_nofile %>;
timer_resolution 1ms;

error_log <%= error_log %>;
pid <%= pid %>;

events {
use epoll;
worker_connections <%= worker_connections %>;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format combt '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time';
log_format full '$time_local $scheme $host '
'$remote_addr "$request" "$http_referer" "$http_user_agent" $remote_user $request_length '
'$pipe $request_time $status $bytes_sent $body_bytes_sent';
log_format bad '$time_local $scheme $host '
'$remote_addr "$request" "$http_referer" "$http_user_agent" $remote_user $request_length '
'$pipe $request_time $status $bytes_sent $body_bytes_sent';
<% if log_format_combh -%>
log_format combh '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $host';
<% end -%>

access_log off;
log_not_found off;

sendfile on;
tcp_nopush on;

keepalive_timeout <% if keepalive %>65<% else %>0<% end %>;
tcp_nodelay on;
<% if gzip -%>

gzip on;
gzip_buffers 8 4k;
gzip_min_length 1100;
gzip_types text/css application/x-javascript;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
<% end -%>
<% if ssl -%>

ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 30m;
<% end -%>
<% if !resolver.empty? -%>

resolver <%= resolver %>;
<% end -%>

client_header_buffer_size 2k;
large_client_header_buffers 4 8k;
client_max_body_size 10m;
proxy_connect_timeout 1s;
proxy_read_timeout 1h;
proxy_buffer_size 32k;
proxy_buffers 64 4k;

server_names_hash_bucket_size 128;

<% if upstreams -%>
include /etc/nginx/upstreams.conf;
<% end -%>
<%if maps -%>
include /etc/nginx/maps.conf;
<% end -%>
include /etc/nginx/vhosts/*.conf;
}
#Managed by Puppet

<% if !default_trap.empty? -%>
# trap for bad Host requests
<% if !ssl_only -%>
server {
listen <%= ip %>:<%= port %> default;
server_name _;
<% if log -%>
access_log /var/log/nginx/bad.log bad;
<% end -%>

<%= default_trap_action %>
}
<% end -%>
<% if ssl -%>
server {
listen <%= ip %>:<%= port_ssl %> default;
server_name _;

ssl on;
<% if ssl_cert.empty? -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= main_name %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= main_name %>.key;
<% else -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= ssl_cert %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= ssl_cert %>.key;
<% end -%>
<% if log -%>
access_log /var/log/nginx/bad.log bad;
<% end -%>

<%= default_trap_action %>
}
<% end -%>

<% end -%>
<% if !ssl_only -%>
server {
listen <%= ip %>:<%= port %><% if default %> default<% end %>;
server_name <%= main_name %><% aliases.each do |arg| %> <%= arg %><% end %>;
<% if log -%>
access_log /var/log/nginx/access_log full;
<% end -%>

<% if !proxy_pass.empty? -%>
location / {
proxy_pass http://<%= proxy_pass %>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
<% if ssl -%>
proxy_set_header X-SCHEME $scheme;
<% end -%>
proxy_redirect off;
}
<% end -%>
<% if !redirect.empty? -%>
rewrite <%= redirect %> permanent;
<% end -%>
<%= custom -%>
}
<% end -%>
<% if ssl -%>
server {
listen <%= ip %>:<%= port_ssl %>;
server_name <%= main_name %><% if ssl_aliases %><% aliases.each do |arg| %> <%= arg %><% end %><% end %>;
<% if log -%>
access_log /var/log/nginx/access_log full;
<% end -%>

ssl on;
<% if ssl_cert.empty? -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= main_name %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= main_name %>.key;
<% else -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= ssl_cert %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= ssl_cert %>.key;
<% end -%>

<% if !proxy_pass.empty? -%>
location / {
proxy_pass http://<%= proxy_pass %>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
<% if ssl -%>
proxy_set_header X-SCHEME $scheme;
<% end -%>
proxy_redirect off;
}
<% end -%>
<% if !custom_ssl.empty? -%>
<%= custom_ssl -%>
<% else -%>
<%= custom -%>
<% end -%>
}
<% end -%>
_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru