don't repeat yourself / copy and paste programming

Olexander Shtepa isk на cupid.com
Пт Ноя 25 11:47:52 UTC 2011


>  А не поделитесь, пожалуйста, темплейтом Puppet'a для nginx?

Большинство манифестов заточено на нашу внутреннюю архитектуру, поэтому не могу показать.
Но некоторыми неспецифическими поделиться могу.

Вот реальный пример, как эти манифесты используются у нас (убрал несущественное здесь и поменял имена/IP):

# Site-specific front-end vhost for example.com (the author replaced real
# names/IPs before posting). Declares one nginx::vhost_front resource; what
# each parameter does is determined by the nginx::vhost_front define and the
# vhost_front.conf.erb template shown further down.
class site::front::example_com {
    nginx::vhost_front { "example.com":
        ip           => "1.2.3.4",
        ssl          => true,
        # ssl_only => true: the template omits the plain-HTTP server blocks
        # and the Host-trap redirect uses the https scheme.
        ssl_only     => true,
        # "redirect": requests with an unknown Host header hit a default
        # server that rewrites them to https://example.com/; "404" would
        # answer them with "return 404;" instead.
        default_trap => "redirect",
        # Used verbatim as "proxy_pass http://backend123" — presumably an
        # upstream block from the static upstreams.conf shipped by nginx::front.
        proxy_pass   => "backend123",
        # Raw nginx directives appended unescaped to the server block, so only
        # manifest-controlled text belongs here. Overrides the global 10m limit.
        custom       => "client_max_body_size 64m;",
    }
}

# Node front3: everything from the "front_common" node (not shown in this
# post) plus the shared nginx front-end class and the example.com vhost.
node "front3" inherits "front_common" {
    include nginx::front
    include site::front::example_com
}
----------- следующая часть -----------
# Common nginx installation: package, service, base config directories and
# the static mime.types. Config changes reload rather than restart nginx.
class nginx::base {
    package { "nginx": ensure => present }

    service { "nginx":
        enable     => true,
        ensure     => running,
        # On refresh Puppet runs the explicit "reload" command below instead
        # of a stop/start, so established connections survive a config push.
        # With restart given explicitly, hasrestart => false looks redundant —
        # presumably kept so nothing falls back to the init script's restart.
        hasrestart => false,
        restart    => "/sbin/service nginx reload",
        hasstatus  => true,
        require    => Package["nginx"],
    }

    # Resource defaults for every file declared in this class.
    File {
        mode    => 0644,
        owner   => "root",
        group   => "root",
        require => Package["nginx"],
    }

    # /etc/nginx/vhosts is where nginx::vhost_front drops per-site configs.
    file { [ "/etc/nginx", "/etc/nginx/vhosts" ]:
        ensure => directory,
        mode   => 0755,
    }

    # Static file from the puppet fileserver; a change triggers a reload.
    file { "/etc/nginx/mime.types":
        source => "puppet:///nginx/mime.types",
        notify => Service["nginx"],
    }
}

# Renders the main nginx config at the path given as the resource title,
# from templates/nginx/nginx.conf.erb. Every parameter becomes a template
# variable; the booleans switch optional sections of the template on or off.
#
#   $keepalive             - true: keepalive_timeout 65, false: 0
#   $pid, $error_log       - paths written verbatim
#   $worker_processes, $worker_rlimit_nofile, $worker_connections
#                          - written verbatim into the matching directives
#   $log_format_combh      - also define the "combh" log_format
#   $gzip, $ssl            - emit the gzip_* / ssl_* directive groups
#   $maps, $upstreams      - include /etc/nginx/maps.conf / upstreams.conf
#   $resolver              - resolver address; "" omits the directive
define nginx::conf($keepalive=false,
                   $pid="/var/run/nginx.pid",
                   $error_log="/var/log/nginx/error.log",
                   $worker_processes=1,
                   $worker_rlimit_nofile=2000,
                   $worker_connections=2000,
                   $log_format_combh=false,
                   $gzip=false,
                   $ssl=false,
                   $maps=false,
                   $resolver="",
                   $upstreams=false) {
    file { "$name":
        owner   => "root",
        group   => "root",
        mode    => 0644,
        content => template("nginx/nginx.conf.erb"),
        # Forwards the notify metaparameter the caller passed (nginx::front
        # passes Service["nginx"]) — assumes the metaparameter is readable as
        # $notify inside the define; TODO confirm for the Puppet version used.
        notify  => $notify,
    }
}

# Front-end (reverse proxy) nginx: the main config tuned for many concurrent
# connections plus the static upstreams.conf / maps.conf. Package, service
# and directories come from nginx::base.
class nginx::front inherits nginx::base {
    nginx::conf { "/etc/nginx/nginx.conf":
        notify               => Service["nginx"],
        keepalive            => true,
        worker_processes     => 4,
        worker_rlimit_nofile => 20000,
        worker_connections   => 20000,
        gzip                 => true,
        ssl                  => true,
        # Nameserver nginx uses for runtime name resolution; the template
        # omits the directive when this is empty. Presumably an internal DNS.
        resolver             => "192.168.1.110",
        upstreams            => true,
        maps                 => true,
    }

    # Same defaults as nginx::base plus notify, so the static config files
    # below reload nginx whenever they change.
    File {
        mode    => 0644,
        owner   => "root",
        group   => "root",
        require => Package["nginx"],
        notify  => Service["nginx"],
    }

    # Shipped as static files; nginx.conf includes them when the upstreams /
    # maps flags above are true.
    file {
        "/etc/nginx/upstreams.conf": source => "puppet:///nginx/upstreams.conf";
        "/etc/nginx/maps.conf":      source => "puppet:///nginx/maps.conf";
    }
}

# One front-end vhost: writes /etc/nginx/vhosts/<title>.conf from
# templates/nginx/vhost_front.conf.erb and, when $ssl is set, requests a
# certificate via pki::nginx::cert (defined elsewhere, not in this post).
#
#   $ip, $port, $port_ssl   - listen address and ports
#   $aliases                - extra server_name entries for the HTTP server
#                             (also for HTTPS when $ssl_aliases is true)
#   $custom / $custom_ssl   - raw directives appended unescaped to the HTTP /
#                             HTTPS server; HTTPS falls back to $custom
#   $default                - mark the HTTP listen as the default server
#   $default_trap           - "redirect" or "404": also emit default servers
#                             that trap requests with an unknown Host header
#   $ssl, $ssl_only         - emit the HTTPS server / omit the HTTP server
#   $ssl_cert               - cert/key basename under /etc/pki/nginx;
#                             empty means use the resource title
#   $proxy_pass             - upstream for "location /"; empty means no proxy
#   $redirect               - extra "rewrite <value> permanent;" (HTTP only)
#   $log                    - write access logs for the generated servers
#   $trap_redirect          - host the trap redirects to; defaults to the title
define nginx::vhost_front(
    $ip,
    $port=80,
    $port_ssl=443,
    $aliases=[],
    $custom="",
    $custom_ssl="",
    $default=false,
    $default_trap="",
    $ssl=false,
    $ssl_aliases=false,
    $ssl_cert="",
    $ssl_only=false,
    $proxy_pass="",
    $redirect="",
    $log=true,
    $trap_redirect="$name") {
    # The template refers to the resource title as main_name.
    $main_name=$name
    # Trap redirects go to https for https-only sites, http otherwise.
    $trap_redirect_schema = $ssl_only ? {
        true  => "https",
        false => "http",
    }
    # Body of the trap server block. Any value other than "redirect"/"404"
    # leaves the trap server without an explicit handler — NOTE(review):
    # confirm that is intended; such a server would presumably fall through
    # to nginx's default root for unknown Host names.
    # NOTE(review): the trap servers and the main HTTP server both use
    # "listen ... default"; setting $default together with $default_trap on
    # the same ip:port would declare two default servers — presumably callers
    # set only one of them.
    $default_trap_action = $default_trap ? {
        "redirect" => "rewrite ^ ${trap_redirect_schema}://$trap_redirect/ permanent;",
        "404"      => "return 404;",
        default    => "",
    }
    file { "/etc/nginx/vhosts/$name.conf":
        owner   => "root",
        group   => "root",
        mode    => 0644,
        content => template("nginx/vhost_front.conf.erb"),
        notify  => Service["nginx"],
    }
    # The template expects the cert/key under /etc/pki/nginx/ssl.{crt,key}/;
    # pki::nginx::cert is assumed to put them there — not shown here.
    if $ssl {
        pki::nginx::cert { "$name": notify => Service["nginx"] }
    }
}
----------- следующая часть -----------
# Managed by puppet
# Rendered by the nginx::conf define; every <%= %> / <% if %> below maps to
# one of its parameters.

user nginx;
worker_processes <%= worker_processes %>;
worker_rlimit_nofile <%= worker_rlimit_nofile %>;
timer_resolution 1ms;

error_log <%= error_log %>;
pid <%= pid %>;

events {
    use epoll;
    worker_connections <%= worker_connections %>;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # "full" is used by the vhost access logs, "bad" by the Host-trap servers
    # (see vhost_front.conf.erb); the two are currently identical.
    log_format  main  '$remote_addr - $remote_user [$time_local] $request '
                      '"$status" $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  combt '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" $request_time';
    log_format  full  '$time_local $scheme $host '
                      '$remote_addr "$request" "$http_referer" "$http_user_agent" $remote_user $request_length '
                      '$pipe $request_time $status $bytes_sent $body_bytes_sent';
    log_format  bad   '$time_local $scheme $host '
                      '$remote_addr "$request" "$http_referer" "$http_user_agent" $remote_user $request_length '
                      '$pipe $request_time $status $bytes_sent $body_bytes_sent';
<% if log_format_combh -%>
    log_format  combh '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" $host';
<% end -%>

    # No access logging by default; each generated server turns it on
    # explicitly when the vhost's log flag is set.
    access_log    off;
    log_not_found off;

    sendfile   on;
    tcp_nopush on;

    keepalive_timeout <% if keepalive %>65<% else %>0<% end %>;
    tcp_nodelay       on;
<% if gzip -%>

    gzip            on;
    gzip_buffers    8 4k;
    gzip_min_length 1100;
    gzip_types      text/css application/x-javascript;
    gzip_disable    "MSIE [1-6]\.(?!.*SV1)";
<% end -%>
<% if ssl -%>

    # NOTE(review): this list reflects what nginx/OpenSSL offered in 2011.
    # SSLv3 and the RC4 / DES-CBC3 (3DES) ciphers are considered broken by
    # current standards; on a current nginx prefer TLSv1.2 or newer and a
    # modern cipher list.
    ssl_protocols       SSLv3 TLSv1;
    ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 30m;
<% end -%>
<% if !resolver.empty? -%>

    resolver <%= resolver %>;
<% end -%>

    # Request limits for the whole server; vhosts may override
    # client_max_body_size through their "custom" directives.
    client_header_buffer_size 2k;
    large_client_header_buffers 4 8k;
    client_max_body_size 10m;
    # Fast failure on an unreachable backend, but a one-hour read timeout —
    # presumably for long-running backend responses; confirm that is intended.
    proxy_connect_timeout 1s;
    proxy_read_timeout 1h;
    proxy_buffer_size 32k;
    proxy_buffers 64 4k;

    server_names_hash_bucket_size 128;

<% if upstreams -%>
    include /etc/nginx/upstreams.conf;
<% end -%>
<%if maps -%>
    include /etc/nginx/maps.conf;
<% end -%>
    # Per-site files written by nginx::vhost_front.
    include /etc/nginx/vhosts/*.conf;
}
----------- следующая часть -----------
#Managed by Puppet
# Rendered by the nginx::vhost_front define, one file per vhost. Up to four
# server blocks: HTTP trap, HTTPS trap (only when default_trap is set), the
# HTTP server (unless ssl_only) and the HTTPS server (when ssl).

<% if !default_trap.empty? -%>
# trap for bad Host requests
# "listen ... default" plus "server_name _" makes this block catch every
# request whose Host header matches no other server on this ip:port;
# default_trap_action (rewrite to the main name, or "return 404;") decides
# what happens to it.
<% if !ssl_only -%>
server {
    listen <%= ip %>:<%= port %> default;
    server_name _;
<% if log -%>
    access_log /var/log/nginx/bad.log bad;
<% end -%>

    <%= default_trap_action %>
}
<% end -%>
<% if ssl -%>
server {
    listen <%= ip %>:<%= port_ssl %> default;
    server_name _;

    ssl on;
<% if ssl_cert.empty? -%>
    ssl_certificate     /etc/pki/nginx/ssl.crt/<%= main_name %>.crt;
    ssl_certificate_key /etc/pki/nginx/ssl.key/<%= main_name %>.key;
<% else -%>
    ssl_certificate     /etc/pki/nginx/ssl.crt/<%= ssl_cert %>.crt;
    ssl_certificate_key /etc/pki/nginx/ssl.key/<%= ssl_cert %>.key;
<% end -%>
<% if log -%>
    access_log /var/log/nginx/bad.log bad;
<% end -%>

    <%= default_trap_action %>
}
<% end -%>

<% end -%>
<% if !ssl_only -%>
server {
    listen <%= ip %>:<%= port %><% if default %> default<% end %>;
    server_name <%= main_name %><% aliases.each do |arg| %> <%= arg %><% end %>;
<% if log -%>
    access_log /var/log/nginx/access_log full;
<% end -%>

<% if !proxy_pass.empty? -%>
    location / {
        proxy_pass http://<%= proxy_pass %>;
        # Pass the original Host and client address to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
<% if ssl -%>
        # Only when the site also has an HTTPS server, so the backend can
        # tell the two apart.
        proxy_set_header X-SCHEME $scheme;
<% end -%>
        # Backend Location/Refresh headers are passed through unmodified.
        proxy_redirect off;
    }
<% end -%>
<% if !redirect.empty? -%>
    # "redirect" must hold the full "<regex> <replacement>" part of a rewrite.
    rewrite <%= redirect %> permanent;
<% end -%>
    # Raw, unescaped directives from the manifest.
<%= custom -%>
}
<% end -%>
<% if ssl -%>
server {
    listen <%= ip %>:<%= port_ssl %>;
    server_name <%= main_name %><% if ssl_aliases %><% aliases.each do |arg| %> <%= arg %><% end %><% end %>;
<% if log -%>
    access_log /var/log/nginx/access_log full;
<% end -%>

    ssl on;
<% if ssl_cert.empty? -%>
    ssl_certificate     /etc/pki/nginx/ssl.crt/<%= main_name %>.crt;
    ssl_certificate_key /etc/pki/nginx/ssl.key/<%= main_name %>.key;
<% else -%>
    ssl_certificate     /etc/pki/nginx/ssl.crt/<%= ssl_cert %>.crt;
    ssl_certificate_key /etc/pki/nginx/ssl.key/<%= ssl_cert %>.key;
<% end -%>

<% if !proxy_pass.empty? -%>
    location / {
        proxy_pass http://<%= proxy_pass %>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
<% if ssl -%>
        # This "if ssl" is always true inside the HTTPS server; kept as-is.
        proxy_set_header X-SCHEME $scheme;
<% end -%>
        proxy_redirect off;
    }
<% end -%>
    # custom_ssl wins for the HTTPS server; otherwise the same "custom"
    # directives as the HTTP server are appended (unescaped).
<% if !custom_ssl.empty? -%>
<%= custom_ssl -%>
<% else -%>
<%= custom -%>
<% end -%>
}
<% end -%>

