forked from chr4/salt-nginx
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
37 lines (29 loc) · 1.58 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# vim: ft=sls
nginx:
# Default SSL values which will be written to the http context.
# This values can be overwritten in each server context individually.
ssl_protocols: 'TLSv1.2 TLSv1.3'
ssl_ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256' # noqa: 204
# ssl_conf_command can be specified multiple times, therefore it needs to be a list.
# Each string needs to hold all arguments for ssl_conf_command, like in the example below.
# An empty list ([], the default) results in no entries added to nginx.conf
ssl_conf_command: ['Options PrioritizeChaCha', 'Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384']
ssl_session_cache: 'shared:SSL:10m'
ssl_prefer_server_ciphers: 'on'
ssl_stapling: 'off'
ssl_stapling_verify: 'off'
ssl_session_tickets: 'off'
letsencrypt:
domain: example.com
altnames: www.example.com alt.example.com
contact_email: [email protected]
acme_challenge_dir: /etc/ssl/acme/challenges
acme_certificate_dir: /etc/ssl/acme/certs
# Services to restart (via systemctl restart $service)
# NOTE: restart is used instead of reload, because nginx apparently doesn't reload
# certificates upon reload
services: [nginx]
# Define CA to be used, helpful to choose stagig letsencrypt CA or other CAs for testing
# Possible options: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test
# https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config#L24
ca: letsencrypt