include:
  - nginx

/etc/nginx/ssl.d:
  file.directory:
    - mode: 700
    - require:
      - file: nginx_conf

/etc/nginx/ssl.d/dummy-cert.pem:
  file.managed:
    - mode: 400
    - contents_pillar: env:certs:dummy-cert.pem
    - require:
      - file: /etc/nginx/ssl.d

/etc/nginx/ssl.d/dummy-key.pem:
  file.managed:
    - mode: 400
    - contents_pillar: env:certs:dummy-key.pem
    - require:
      - file: /etc/nginx/ssl.d

# NOTE: naming the subdirectory 'files-ssl' instead of ssl-files causes it to be
# picked up by the file.recurse in the nginx_conf state, which is only supposed
# to copy the 'files' subdirectory. This causes the empty directories
# /etc/nginx/../files-ssl/conf.d/, /etc/nginx/../files-ssl/include/, etc., to
# be created on the minion (not sure why the contents aren't copied as well).
# This is not a problem of multiple file.recurse states pointing at the same
# destination directory. It also happens if we multiple 'file.managed' states
# here for each individual file.
nginx_conf_ssl:
  file.recurse:
    - name: /etc/nginx
    - source: salt://nginx/ssl-files
    - include_empty: True
    - require:
      - file: /etc/nginx/ssl.d
    - watch:
      - file: /etc/nginx/ssl.d/dummy-cert.pem
      - file: /etc/nginx/ssl.d/dummy-key.pem
    - watch_in:
      - service: nginx