Add nginx files from omnibus-chef-server

Repo https://github.com/opscode/omnibus-chef-server.git Revision 8fc56f1e0c20cd8109d85d512b1d81066951ad8a

Add nginx files from omnibus-chef-server
1f3c9ea0 · Jacob Vosmaer · 4b40b09a · 1f3c9ea0 · 1f3c9ea0 · 1f3c9ea0
Commit 1f3c9ea0 authored 11 years ago by Jacob Vosmaer
--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+nginx_dir = node['chef_server']['nginx']['dir']
+nginx_etc_dir = File.join(nginx_dir, "etc")
+nginx_cache_dir = File.join(nginx_dir, "cache")
+nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
+nginx_html_dir = File.join(nginx_dir, "html")
+nginx_ca_dir = File.join(nginx_dir, "ca")
+nginx_log_dir = node['chef_server']['nginx']['log_directory']
+
+[
+  nginx_dir,
+  nginx_etc_dir,
+  nginx_cache_dir,
+  nginx_cache_tmp_dir,
+  nginx_html_dir,
+  nginx_ca_dir,
+  nginx_log_dir,
+].each do |dir_name|
+  directory dir_name do
+    owner node['chef_server']['user']['username']
+    mode '0700'
+    recursive true
+  end
+end
+
+ssl_keyfile = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}.key")
+ssl_crtfile = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}.crt")
+ssl_signing_conf = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}-ssl.conf")
+
+unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
+  file ssl_keyfile do
+    owner "root"
+    group "root"
+    mode "0644"
+    content `/opt/chef-server/embedded/bin/openssl genrsa 2048`
+    not_if { File.exists?(ssl_keyfile) }
+  end
+
+  file ssl_signing_conf do
+    owner "root"
+    group "root"
+    mode "0644"
+    not_if { File.exists?(ssl_signing_conf) }
+    content <<-EOH
+  [ req ]
+  distinguished_name = req_distinguished_name
+  prompt = no
+
+  [ req_distinguished_name ]
+  C                      = #{node['chef_server']['nginx']['ssl_country_name']}
+  ST                     = #{node['chef_server']['nginx']['ssl_state_name']}
+  L                      = #{node['chef_server']['nginx']['ssl_locality_name']}
+  O                      = #{node['chef_server']['nginx']['ssl_company_name']}
+  OU                     = #{node['chef_server']['nginx']['ssl_organizational_unit_name']}
+  CN                     = #{node['chef_server']['nginx']['server_name']}
+  emailAddress           = #{node['chef_server']['nginx']['ssl_email_address']}
+  EOH
+  end
+
+  ruby_block "create crtfile" do
+    block do
+      r = Chef::Resource::File.new(ssl_crtfile, run_context)
+      r.owner "root"
+      r.group "root"
+      r.mode "0644"
+      r.content `/opt/chef-server/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
+      r.not_if { File.exists?(ssl_crtfile) }
+      r.run_action(:create)
+    end
+  end
+end
+
+node.default['chef_server']['nginx']['ssl_certificate'] ||= ssl_crtfile
+node.default['chef_server']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
+
+remote_directory nginx_html_dir do
+  source "html"
+  files_backup false
+  files_owner "root"
+  files_group "root"
+  files_mode "0644"
+  owner node['chef_server']['user']['username']
+  mode "0700"
+end
+
+nginx_config = File.join(nginx_etc_dir, "nginx.conf")
+nginx_vars = node['chef_server']['nginx'].to_hash.merge({
+  :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
+  :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")
+})
+
+# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
+# config file will only be active if the user set `nginx['enable_non_ssl']` to
+# true. Default behavior is to redirect all HTTP requests to HTTPS.
+["https", "http"].each do |server_proto|
+  config_key = "chef_#{server_proto}_config".to_sym
+  lb_config = nginx_vars[config_key]
+
+  server_port = (server_proto == 'https') ?
+                 nginx_vars['ssl_port'] :
+                 nginx_vars['non_ssl_port']
+
+  template lb_config do
+    source "nginx_chef_api_lb.conf.erb"
+    owner "root"
+    group "root"
+    mode "0644"
+    variables(nginx_vars.merge({
+      :server_proto => server_proto,
+      :server_port => server_port
+    }))
+    notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+  end
+
+end
+
+template nginx_config do
+  source "nginx.conf.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+  variables nginx_vars
+  notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+end
+
+runit_service "nginx" do
+  down node['chef_server']['nginx']['ha']
+  options({
+    :log_directory => nginx_log_dir
+  }.merge(params))
+end
+
+if node['chef_server']['bootstrap']['enable']
+	execute "/opt/chef-server/bin/chef-server-ctl start nginx" do
+		retries 20
+	end
+end
+
--- a/files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "nginx" do
+  action :disable
+end
+
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
+user <%= node['chef_server']['user']['username'] %> <%= node['chef_server']['user']['username']%>;
+worker_processes <%= @worker_processes %>;
+error_log /var/log/chef-server/nginx/error.log<%= node['chef_server']['lb']['debug'] ? " debug" : "" %>;
+
+daemon off;
+
+events {
+  worker_connections <%= @worker_connections %>;
+}
+
+http {
+  log_format opscode '$remote_addr - $remote_user [$time_local]  '
+                    '"$request" $status "$request_time" $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
+
+  sendfile <%= @sendfile %>;
+  tcp_nopush <%= @tcp_nopush %>;
+  tcp_nodelay <%= @tcp_nodelay %>;
+
+  keepalive_timeout <%= @keepalive_timeout %>;
+
+  gzip <%= @gzip %>;
+  gzip_http_version <%= @gzip_http_version %>;
+  gzip_comp_level <%= @gzip_comp_level %>;
+  gzip_proxied <%= @gzip_proxied %>;
+  gzip_types <%= @gzip_types.join(' ') %>;
+
+  include /opt/chef-server/embedded/conf/mime.types;
+
+  <%- node['chef_server']['lb']['upstream'].each do |uname, servers| -%>
+  upstream <%= uname.gsub(/-/, '_') %> {
+    <%- servers.each do |server| -%>
+    server <%= server %>:<%= node['chef_server'][uname]['port'] %>;
+    <%- end -%>
+  }
+  <%- end -%>
+
+  # external lb config for Chef API
+  <%- if node['chef_server']['lb']['enable'] -%>
+  proxy_cache_path  <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
+  proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
+
+  # We support three options: serve nothing on non_ssl_port (80),
+  # redirect to https, or actually serve the API.
+  <%- if @non_ssl_port -%>
+  <%- if @enable_non_ssl -%>
+
+  # Chef HTTP API
+  include <%= @chef_http_config %>;
+  <%- else -%>
+
+  server {
+    listen <%= @non_ssl_port %>;
+    access_log /var/log/chef-server/nginx/rewrite-port-<%= @non_ssl_port %>.log;
+    return 301 https://$host:<%= @ssl_port %>$request_uri;
+  }
+  <%- end -%>
+  <%-  end -%>
+
+  # Chef HTTPS API
+  include <%= @chef_https_config %>;
+  <%- end -%>
+}
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb
+server {
+  listen <%= @server_port %>;
+  server_name <%= @server_name %>;
+  access_log /var/log/chef-server/nginx/access.log opscode;
+
+  <% if @server_proto == "https" -%>
+  ssl on;
+  ssl_certificate <%= @ssl_certificate %>;
+  ssl_certificate_key <%= @ssl_certificate_key %>;
+
+  ssl_session_timeout 5m;
+
+  ssl_protocols <%= @ssl_protocols %>;
+  ssl_ciphers <%= @ssl_ciphers %>;
+  ssl_prefer_server_ciphers on;
+
+  <% end -%>
+  root <%= File.join(@dir, "html") %>;
+
+  client_max_body_size <%= @client_max_body_size %>;
+
+  proxy_set_header Host $host:$server_port;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto <%= @server_proto %>;
+  proxy_pass_request_headers on;
+  proxy_connect_timeout   1;
+  proxy_send_timeout      300;
+  proxy_read_timeout      300;
+
+  error_page 404 =404 /404.html;
+  error_page 503 =503 /503.json;
+
+  location /nginx_status {
+    stub_status on;
+    access_log   off;
+    allow 127.0.0.1;
+    deny all;
+  }
+
+  location /version {
+    types { }
+    default_type text/plain;
+    alias /opt/chef-server/version-manifest.txt;
+  }
+
+  location /docs {
+    index index.html ;
+    alias /opt/chef-server/docs;
+  }
+
+  # bookshelf
+  location ~ "/<%= node['chef_server']['erchef']['s3_bucket'] %>/{0,1}.*$" {
+    proxy_pass http://bookshelf;
+  }
+
+  location ~ "^/(?:stylesheets|javascripts|images|facebox|css|favicon|robots|humans)/{0,1}.*$" {
+    if ($http_x_chef_version ~* "^(\d+\.\d+?)\..+$") {
+      error_page 400 =400 /400-chef_client_manage.json;
+      return 400;
+    }
+    proxy_pass http://chef_server_webui;
+    proxy_pass_request_headers off;
+    proxy_cache webui-cache;
+    proxy_cache_valid 200 302 300m;
+    proxy_cache_valid 404 1m;
+  }
+
+ location = /_status {
+    proxy_pass http://erchef/_status;
+  }
+
+ location = /_status/ {
+    proxy_pass http://erchef/_status;
+  }
+
+  location / {
+    set $my_upstream erchef;
+    if ($http_x_ops_userid = "") {
+      set $my_upstream chef_server_webui;
+    }
+    proxy_redirect http://$my_upstream /;
+    proxy_pass http://$my_upstream;
+  }
+}
--- a/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>
--- a/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
+#!/bin/sh
+exec 2>&1
+exec chpst -P /opt/chef-server/embedded/sbin/nginx -c <%= File.join(node['chef_server']['nginx']['dir'], "etc", "nginx.conf") %>
+