From 187b0440c888d58f4873f634103ecebf00c91fa5 Mon Sep 17 00:00:00 2001 From: CroneKorkN Date: Sun, 22 Jun 2025 09:49:27 +0200 Subject: [PATCH] nginx use expected dirs and allow websockets in proxy pass --- bundles/grafana/metadata.py | 4 ++++ bundles/nginx/files/nginx.conf | 10 +++++++++- bundles/nginx/items.py | 20 +++++++++++++++++--- bundles/nginx/metadata.py | 1 + data/grafana/vhost.conf | 7 +------ data/nginx/proxy_pass.conf | 4 ++++ 6 files changed, 36 insertions(+), 10 deletions(-) diff --git a/bundles/grafana/metadata.py b/bundles/grafana/metadata.py index 4ac5259..5b68a2b 100644 --- a/bundles/grafana/metadata.py +++ b/bundles/grafana/metadata.py @@ -69,6 +69,9 @@ defaults = { }, }, }, + 'nginx': { + 'has_websockets': True, + }, } @@ -144,6 +147,7 @@ def dns(metadata): def nginx(metadata): return { 'nginx': { + 'has_websockets': True, 'vhosts': { metadata.get('grafana/hostname'): { 'content': 'grafana/vhost.conf', diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index f4beed0..ef45635 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf @@ -31,5 +31,13 @@ http { } % endif - include /etc/nginx/sites/*; + + % if has_websockets: + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + % endif + + include /etc/nginx/sites-enabled/*; } diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index b8f5849..5f80b74 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -9,7 +9,7 @@ directories = { 'svc_systemd:nginx:restart', }, }, - '/etc/nginx/sites': { + '/etc/nginx/sites-available': { 'purge': True, 'triggers': { 'svc_systemd:nginx:restart', @@ -25,6 +25,13 @@ directories = { 'purge': True, 'owner': 'www-data', }, + + # temp + '/var/www/certbot': { + 'owner': 'www-data', + 'group': 'www-data', + 'mode': '0755', + } } files = { 
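Review bot: `'has_websockets': True` is now set twice for the same node in bundles/grafana/metadata.py — once under `defaults['nginx']` and again in the dict returned by the `nginx(metadata)` reactor — and the two copies will drift apart silently the first time one of them is edited. One is enough; since the reactor already builds this bundle's whole `nginx` subtree (it adds the vhost there too), keep the key in the reactor and drop the new `'nginx': {'has_websockets': True}` entry from `defaults`, or the reverse, but not both. Neither the `defaults` dict nor the reactor body is fully visible in these hunks.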
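Review bot: The `map $http_upgrade $connection_upgrade` block in nginx.conf is emitted only when the node-wide `has_websockets` flag is set, while `data/nginx/proxy_pass.conf` references `$connection_upgrade` based on a separate per-vhost `websockets` context key; a vhost that enables the latter on a node that never sets `nginx/has_websockets` makes nginx fail its config check with an unknown-variable error, and since the vhost file triggers `svc_systemd:nginx:restart` that would likely leave the service down. The map only defines a variable and is harmless on a node with no WebSocket upstream, so the simplest fix is to emit it unconditionally and drop the `% if has_websockets:` / `% endif` guard around it; the alternative is to derive the flag in items.py from any vhost whose context sets `websockets`. The enclosing `http { … }` block starts before the hunk.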
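Review bot: `/var/www/certbot` in the `directories` hunk is created owned by `www-data:www-data`, but the nginx worker only needs to read the ACME challenge files served from there, so the directory should be root-owned with the same `0755` mode unless the ACME client itself runs as `www-data` — a webroot writable by the worker lets a compromised worker plant arbitrary content under `.well-known/`. The `# temp` comment also does not say what is temporary or what replaces it; `data/grafana/vhost.conf` still reads certificates from `/var/lib/dehydrated/certs/…`, so if this webroot is a stop-gap for a move to certbot, record that, e.g. `# temp: HTTP-01 webroot for certbot while migrating off dehydrated; remove once all vhosts are switched`. The `directories` dict starts before the hunk.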
@@ -33,6 +40,7 @@ files = { 'context': { 'modules': node.metadata.get('nginx/modules'), 'worker_processes': node.metadata.get('vm/cores'), + 'has_websockets': node.metadata.get('nginx/has_websockets'), }, 'triggers': { 'svc_systemd:nginx:restart', @@ -75,6 +83,12 @@ files = { }, } +symlinks = { + '/etc/nginx/sites-enabled': { + 'target': '/etc/nginx/sites-available', + }, +} + actions = { 'nginx-generate-dhparam': { 'command': 'openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096', @@ -93,7 +107,7 @@ svc_systemd = { for name, config in node.metadata.get('nginx/vhosts').items(): - files[f'/etc/nginx/sites/{name}'] = { + files[f'/etc/nginx/sites-available/{name}'] = { 'content': Template(filename=join(repo.path, 'data', config['content'])).render( server_name=name, **config.get('context', {}), @@ -109,6 +123,6 @@ for name, config in node.metadata.get('nginx/vhosts').items(): } if name in node.metadata.get('letsencrypt/domains'): - files[f'/etc/nginx/sites/{name}']['needs'].append( + files[f'/etc/nginx/sites-available/{name}']['needs'].append( f'action:letsencrypt_ensure-some-certificate_{name}', ) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index a5ab350..37f3f8a 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -18,6 +18,7 @@ defaults = { 'nginx': { 'vhosts': {}, 'modules': set(), + 'has_websockets': False, }, 'systemd': { 'units': { diff --git a/data/grafana/vhost.conf b/data/grafana/vhost.conf index c8c395e..81ba4d6 100644 --- a/data/grafana/vhost.conf +++ b/data/grafana/vhost.conf @@ -1,13 +1,8 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name ${server_name}; - + ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem; diff --git a/data/nginx/proxy_pass.conf b/data/nginx/proxy_pass.conf index 7d3069f..d682396 100644 
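Review bot: The new `symlinks` item points `/etc/nginx/sites-enabled` at `/etc/nginx/sites-available`, which makes every rendered vhost live and turns the enabled/available split into a naming convention only; on Debian-style installs (the `www-data` owner suggests one) the nginx package also ships `sites-enabled` as a real directory holding a `default` symlink, so the item has to replace an existing directory, and whether bundlewrap does that or fails on the pre-existing path is worth confirming on a fresh node. If mirroring is the intent, a comment on the item would spare the next reader the question: `# sites-enabled mirrors sites-available: every rendered vhost is live; the purge on sites-available keeps stray files out`. The `files` dict closes just before the hunk and `actions` continues past it.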
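Review bot: With the `map` removed from data/grafana/vhost.conf, the template presumably still uses `$connection_upgrade` for its WebSocket proxying (the map lived here for that reason; the lines that use it are outside the hunk), but nothing in the file now records that the variable exists only when the node sets `nginx/has_websockets` so that nginx.conf emits the map — rendering this vhost on a node without that flag fails nginx's config check with an unknown-variable error. A one-line comment at the top of the template makes the dependency visible: `# requires nginx/has_websockets (set by grafana/metadata.py): $connection_upgrade is mapped in nginx.conf`. The rest of the `server` block runs past the hunk.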
--- a/data/nginx/proxy_pass.conf +++ b/data/nginx/proxy_pass.conf @@ -8,6 +8,10 @@ server { location / { proxy_set_header X-Real-IP $remote_addr; +% if websockets: + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; +% endif proxy_pass ${target}; } }
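Review bot: The new `% if websockets:` block sets the `Upgrade` and `Connection` headers but does not set `proxy_http_version 1.1;`, and nginx speaks HTTP/1.0 to upstreams by default, on which a WebSocket handshake cannot complete — the two headers alone do not make the proxy work. Add `proxy_http_version 1.1;` inside the same conditional (it is safe for plain HTTP upstreams too), and be aware that `$connection_upgrade` is only defined when the node-wide `nginx/has_websockets` flag is set, which is a separate switch from this template's per-vhost `websockets` context key. Long-lived sockets will also hit nginx's default 60s `proxy_read_timeout` unless it is raised for such vhosts, which this hunk does not do. The enclosing `server` block starts before the hunk.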