don't repeat yourself / copy and paste programming
Olexander Shtepa
isk на cupid.com
Пт Ноя 25 11:47:52 UTC 2011
> А не поделитесь, пожалуйста, темплейтом Puppet'a для nginx?
Большинство манифестов заточено на нашу внутреннюю архитектуру, поэтому не могу показать.
Но некоторыми неспецифическими поделиться могу.
Вот реальный пример, как эти манифесты используются у нас (убрал несущественное здесь и поменял имена/IP):
# Site class for the example.com front-end virtual host (the author changed
# the names and the IP address for publication).
class site::front::example_com {
  nginx::vhost_front { "example.com":
    ip           => "1.2.3.4",
    proxy_pass   => "backend123",
    ssl          => true,
    # HTTPS only: with ssl_only the vhost template emits no plain-HTTP server.
    ssl_only     => true,
    # Requests with an unmatched Host header are redirected to the vhost name.
    default_trap => "redirect",
    # Inserted verbatim into the generated server block by the template.
    custom       => "client_max_body_size 64m;",
  }
}
# Front-end node: the shared nginx front configuration plus the example.com
# vhost. "front_common" is defined outside this excerpt.
node "front3" inherits "front_common" {
  include nginx::front, site::front::example_com
}
----------- следущая часть -----------
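# Base nginx installation: the package, the service, the configuration
# directories and the shared MIME table.
class nginx::base {
  package { "nginx": ensure => present }

  service { "nginx":
    ensure     => running,
    enable     => true,
    hasstatus  => true,
    # Notifications run the reload command below instead of a full restart.
    hasrestart => false,
    restart    => "/sbin/service nginx reload",
    require    => Package["nginx"],
  }

  # File resource defaults for this scope.
  # Modes are quoted strings: Puppet 4 and later reject a bare numeric mode.
  File {
    owner   => "root",
    group   => "root",
    mode    => "0644",
    require => Package["nginx"],
  }

  # Directories need the execute bit, so they override the default mode.
  file { [ "/etc/nginx", "/etc/nginx/vhosts" ]:
    ensure => directory,
    mode   => "0755",
  }

  file { "/etc/nginx/mime.types":
    source => "puppet:///nginx/mime.types",
    notify => Service["nginx"],
  }
}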
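# Writes an nginx main configuration file to the path given as the resource
# title, rendered from the nginx/nginx.conf.erb template.
#
# The parameters are not used in this body; the template reads them:
#   $keepalive            - true sets keepalive_timeout to 65, false to 0
#   $pid, $error_log      - paths for the pid and error_log directives
#   $worker_processes, $worker_rlimit_nofile, $worker_connections
#                         - worker sizing directives
#   $log_format_combh     - true adds the "combh" log format
#   $gzip                 - true enables the gzip block
#   $ssl                  - true emits the global ssl_* settings
#   $maps, $upstreams     - true includes maps.conf / upstreams.conf
#   $resolver             - resolver address; an empty string omits the directive
define nginx::conf($keepalive=false,
                   $pid="/var/run/nginx.pid",
                   $error_log="/var/log/nginx/error.log",
                   $worker_processes=1,
                   $worker_rlimit_nofile=2000,
                   $worker_connections=2000,
                   $log_format_combh=false,
                   $gzip=false,
                   $ssl=false,
                   $maps=false,
                   $resolver="",
                   $upstreams=false) {
  file { "$name":
    owner   => "root",
    group   => "root",
    # Quoted: Puppet 4 and later reject a bare numeric mode.
    mode    => "0644",
    content => template("nginx/nginx.conf.erb"),
    # Forwards the notify metaparameter that was passed to this define.
    notify  => $notify,
  }
}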
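# Front-end nginx profile: the base installation plus a main configuration
# tuned for proxying, and the upstream and map definitions it includes.
class nginx::front inherits nginx::base {
  nginx::conf { "/etc/nginx/nginx.conf":
    notify               => Service["nginx"],
    keepalive            => true,
    worker_processes     => 4,
    worker_rlimit_nofile => 20000,
    worker_connections   => 20000,
    gzip                 => true,
    # Enables the global ssl_* block of the template; review its protocol and
    # cipher list before reuse.
    ssl                  => true,
    resolver             => "192.168.1.110",
    upstreams            => true,
    maps                 => true,
  }

  # File resource defaults for this scope; every change reloads nginx.
  # The mode is a quoted string: Puppet 4 and later reject a bare numeric mode.
  File {
    owner   => "root",
    group   => "root",
    mode    => "0644",
    require => Package["nginx"],
    notify  => Service["nginx"],
  }

  # Included by the main configuration when upstreams / maps are true.
  file {
    "/etc/nginx/upstreams.conf": source => "puppet:///nginx/upstreams.conf";
    "/etc/nginx/maps.conf":      source => "puppet:///nginx/maps.conf";
  }
}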
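# Generates /etc/nginx/vhosts/<title>.conf for a front-end virtual host from
# the nginx/vhost_front.conf.erb template and, when $ssl is true, declares
# the matching pki::nginx::cert resource (defined outside this excerpt).
#
#   $ip, $port, $port_ssl - listen address and ports
#   $aliases              - extra server names; used on the TLS server only
#                           when $ssl_aliases is true
#   $custom, $custom_ssl  - raw nginx directives for the server blocks
#   $default              - true marks the plain-HTTP server as default
#   $default_trap         - "redirect" or "404" adds catch-all servers for
#                           unmatched Host headers; anything else adds no action
#   $ssl, $ssl_only       - enable the TLS server / drop the plain-HTTP one
#   $ssl_cert             - certificate base name; empty means the vhost title
#   $proxy_pass           - upstream for "location /"; empty omits the location
#   $redirect             - arguments of a permanent rewrite; empty omits it
#   $log                  - true enables access logging in the server blocks
#   $trap_redirect        - host that the "redirect" trap points to
#
# $custom, $custom_ssl, $redirect and $proxy_pass are written into the
# configuration without escaping, so they must come from trusted manifest data.
define nginx::vhost_front(
  $ip,
  $port=80,
  $port_ssl=443,
  $aliases=[],
  $custom="",
  $custom_ssl="",
  $default=false,
  $default_trap="",
  $ssl=false,
  $ssl_aliases=false,
  $ssl_cert="",
  $ssl_only=false,
  $proxy_pass="",
  $redirect="",
  $log=true,
  $trap_redirect="$name") {

  # The template refers to the vhost title as main_name.
  $main_name = $name

  # The trap redirects to HTTPS when the vhost is HTTPS-only.
  $trap_redirect_schema = $ssl_only ? {
    true  => "https",
    false => "http",
  }

  # Directive placed in the catch-all server blocks.
  $default_trap_action = $default_trap ? {
    "redirect" => "rewrite ^ ${trap_redirect_schema}://$trap_redirect/ permanent;",
    "404"      => "return 404;",
    default    => "",
  }

  file { "/etc/nginx/vhosts/$name.conf":
    owner   => "root",
    group   => "root",
    # Quoted: Puppet 4 and later reject a bare numeric mode.
    mode    => "0644",
    content => template("nginx/vhost_front.conf.erb"),
    notify  => Service["nginx"],
  }

  if $ssl {
    pki::nginx::cert { "$name": notify => Service["nginx"] }
  }
}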
----------- следущая часть -----------
# Managed by puppet
# Main nginx configuration template. The ERB variables used here match the
# parameters of the nginx::conf define.
user nginx;
worker_processes <%= worker_processes %>;
worker_rlimit_nofile <%= worker_rlimit_nofile %>;
timer_resolution 1ms;
error_log <%= error_log %>;
pid <%= pid %>;
events {
use epoll;
worker_connections <%= worker_connections %>;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Log formats. "bad" has the same fields as "full"; the vhost template uses
# it for the catch-all servers that receive unmatched Host headers.
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format combt '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time';
log_format full '$time_local $scheme $host '
'$remote_addr "$request" "$http_referer" "$http_user_agent" $remote_user $request_length '
'$pipe $request_time $status $bytes_sent $body_bytes_sent';
log_format bad '$time_local $scheme $host '
'$remote_addr "$request" "$http_referer" "$http_user_agent" $remote_user $request_length '
'$pipe $request_time $status $bytes_sent $body_bytes_sent';
<% if log_format_combh -%>
log_format combh '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $host';
<% end -%>
# Access logging is off at this level. The vhost template turns it on per
# server block only when that vhost's log parameter is true; with log set to
# false no request record is kept for the vhost.
access_log off;
log_not_found off;
sendfile on;
tcp_nopush on;
# 65 when the keepalive parameter is true, otherwise 0.
keepalive_timeout <% if keepalive %>65<% else %>0<% end %>;
tcp_nodelay on;
<% if gzip -%>
gzip on;
gzip_buffers 8 4k;
gzip_min_length 1100;
gzip_types text/css application/x-javascript;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
<% end -%>
<% if ssl -%>
# NOTE(review): SSLv3 and TLSv1.0 are deprecated (SSLv3 by RFC 7568), and the
# RC4 (prohibited by RFC 7465), MD5-based and 3DES suites below are weak.
# On a current nginx and OpenSSL, limit this to TLSv1.2 and TLSv1.3 with AEAD
# suites after checking client compatibility. ssl_prefer_server_ciphers is not
# set, so the client's cipher preference order is used.
ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 30m;
<% end -%>
<% if !resolver.empty? -%>
resolver <%= resolver %>;
<% end -%>
client_header_buffer_size 2k;
large_client_header_buffers 4 8k;
# Default request body limit; a vhost can override it through its custom
# parameter.
client_max_body_size 10m;
proxy_connect_timeout 1s;
# NOTE(review): a one hour read timeout lets a silent upstream hold a
# connection for that long; confirm this is intended.
proxy_read_timeout 1h;
proxy_buffer_size 32k;
proxy_buffers 64 4k;
server_names_hash_bucket_size 128;
<% if upstreams -%>
include /etc/nginx/upstreams.conf;
<% end -%>
<%if maps -%>
include /etc/nginx/maps.conf;
<% end -%>
include /etc/nginx/vhosts/*.conf;
}
----------- следущая часть -----------
#Managed by Puppet
# Virtual host template. The ERB variables match the parameters of the
# nginx::vhost_front define, plus main_name and default_trap_action, which
# the define computes.
<% if !default_trap.empty? -%>
# trap for bad Host requests
<% if !ssl_only -%>
server {
listen <%= ip %>:<%= port %> default;
server_name _;
<% if log -%>
access_log /var/log/nginx/bad.log bad;
<% end -%>
<%= default_trap_action %>
}
<% end -%>
<% if ssl -%>
# Catch-all TLS server; it uses the same certificate files as the main TLS
# server further down.
# NOTE(review): "ssl on" and "listen ... default" are legacy spellings; newer
# nginx releases use "listen ... ssl" and "default_server".
server {
listen <%= ip %>:<%= port_ssl %> default;
server_name _;
ssl on;
<% if ssl_cert.empty? -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= main_name %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= main_name %>.key;
<% else -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= ssl_cert %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= ssl_cert %>.key;
<% end -%>
<% if log -%>
access_log /var/log/nginx/bad.log bad;
<% end -%>
<%= default_trap_action %>
}
<% end -%>
<% end -%>
# Plain-HTTP server. It is omitted when ssl_only is true; in that case this
# template emits no listener on the plain port, so there is no HTTP to HTTPS
# redirect for this vhost.
<% if !ssl_only -%>
server {
listen <%= ip %>:<%= port %><% if default %> default<% end %>;
server_name <%= main_name %><% aliases.each do |arg| %> <%= arg %><% end %>;
<% if log -%>
access_log /var/log/nginx/access_log full;
<% end -%>
<% if !proxy_pass.empty? -%>
location / {
proxy_pass http://<%= proxy_pass %>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# NOTE(review): X-SCHEME is overwritten only when ssl is enabled; otherwise a
# client-supplied X-SCHEME header reaches the backend unchanged. Confirm the
# backend does not trust it in that case.
<% if ssl -%>
proxy_set_header X-SCHEME $scheme;
<% end -%>
proxy_redirect off;
}
<% end -%>
<% if !redirect.empty? -%>
rewrite <%= redirect %> permanent;
<% end -%>
# The custom parameter is inserted verbatim; it must hold complete nginx
# directives and come from trusted manifest data only.
<%= custom -%>
}
<% end -%>
<% if ssl -%>
# TLS server for the vhost. Aliases are served here only when ssl_aliases is
# true.
server {
listen <%= ip %>:<%= port_ssl %>;
server_name <%= main_name %><% if ssl_aliases %><% aliases.each do |arg| %> <%= arg %><% end %><% end %>;
<% if log -%>
access_log /var/log/nginx/access_log full;
<% end -%>
ssl on;
# NOTE(review): the certificate and key files are presumably installed by
# pki::nginx::cert, which is not shown; verify that the key file is readable
# by root only.
<% if ssl_cert.empty? -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= main_name %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= main_name %>.key;
<% else -%>
ssl_certificate /etc/pki/nginx/ssl.crt/<%= ssl_cert %>.crt;
ssl_certificate_key /etc/pki/nginx/ssl.key/<%= ssl_cert %>.key;
<% end -%>
<% if !proxy_pass.empty? -%>
location / {
proxy_pass http://<%= proxy_pass %>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
<% if ssl -%>
proxy_set_header X-SCHEME $scheme;
<% end -%>
proxy_redirect off;
}
<% end -%>
# custom_ssl, when set, replaces custom for this server; either value is
# inserted verbatim.
<% if !custom_ssl.empty? -%>
<%= custom_ssl -%>
<% else -%>
<%= custom -%>
<% end -%>
}
<% end -%>