include:
# The secrets pillar is pulled in unless the `include_secrets` grain is set to a false value;
# the lookup defaults to True when the grain is absent.
{% if salt['grains.get']('include_secrets', True) %}
- secrets.role.discourse
{% endif %}
- role.common.nginx
profile:
postfix:
maincf:
smtputf8_enable: 'no'
compatibility_level: 2
export_environment: 'TZ LANG'
append_dot_mydomain: 'no'
mydestination: localhost
# NOTE(review): [fe80::]/64 adds every IPv6 link-local peer to mynetworks, the client set
# Postfix treats as trusted - confirm that all hosts on the local segment should qualify.
mynetworks: '127.0.0.0/8 [::1]/128 [fe80::]/64'
transport_maps: hash:/etc/postfix/transport
# Recipient checks consist only of a lookup against the policy service at unix:private/policy.
# NOTE(review): no reject_unauth_destination is listed here, so relay protection presumably
# rests on the smtpd_relay_restrictions default - confirm against the rendered main.cf.
smtpd_recipient_restrictions: check_policy_service unix:private/policy
mastercf:
# Delivery transport: pipe(8) executes receive-mail directly, without a shell, as nobody:nogroup.
# ${recipient} is chosen by the sending side, so receive-mail has to treat it as untrusted input.
discourse: unix - n n - - pipe user=nobody:nogroup argv=/usr/bin/receive-mail ${recipient}
# Policy daemon run through spawn(8) as user nobody; presumably the service that
# smtpd_recipient_restrictions reaches at unix:private/policy - confirm.
policy: unix - n n - - spawn user=nobody argv=/usr/bin/discourse-smtp-fast-rejection
aliases:
discourse: root
# We need to set up a transport map with a `$domain discourse:` line for every domain
discourse:
database_user: discourse
database_name: discourse
database_host: mirrordb2.infra.opensuse.org
hostname: discourse.opensuse.org
smtp_domain: opensuse.org
# secret_key, maxmind and db password live in secrets/role/discourse.sls
nginx:
ng:
config:
- load_module: /usr/lib64/nginx/modules/ngx_http_brotli_static_module.so
- load_module: /usr/lib64/nginx/modules/ngx_http_brotli_filter_module.so
servers:
managed:
forums.opensuse.org.conf:
config:
- upstream discourse:
- server: 'unix:/srv/www/vhosts/discourse/tmp/sockets/puma.sock'
- types:
- text/csv: csv
- application/wasm: wasm
- proxy_cache_path: /var/lib/nginx/cache/ inactive=1440m levels=1:2 keys_zone=one:10m max_size=600m
- proxy_buffer_size: 8k
# Derives $thescheme from the incoming X-Forwarded-Proto request header (entries follow).
# NOTE(review): the header is taken at face value; that is sound only if this listener is
# reachable solely through the fronting proxy - confirm.
- map $http_x_forwarded_proto $thescheme:
- default: $scheme
- https: https
# Access-log line format used by the discourse access_log.
# NOTE(review): each line records the client address ($remote_addr) and the username header
# returned by the upstream, so the log holds personal data - restrict read access and
# retention accordingly.
- log_format: log_discourse '[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$upstream_http_x_discourse_username" "$upstream_http_x_discourse_trackview" "$upstream_http_x_queue_time" "$upstream_http_x_redis_calls" "$upstream_http_x_redis_time" "$upstream_http_x_sql_calls" "$upstream_http_x_sql_time"'
- geo $bypass_cache:
- default: 0
- 127.0.0.1: 1
- '::1': 1
- server:
- server_name: forums.opensuse.org
- server_tokens: "off"
- listen:
- 80
- default_server
- access_log: /var/log/nginx/discourse.access.log log_discourse
- gzip: "on"
- gzip_vary: "on"
- gzip_min_length: 1000
- gzip_comp_level: 5
- gzip_types: application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml application/wasm
- gzip_proxied: any
- sendfile: "on"
- keepalive_timeout: 65
- client_max_body_size: 10m
- set: $public /srv/www/vhosts/discourse/public
- etag: "off"
- location ^~ /backups/:
# `internal` limits the location to nginx-internal redirects: a request arriving directly
# from a client is not served from it.
- internal: ''
- location /favicon.ico:
- return: 204
- access_log: "off"
- log_not_found: "off"
- location /:
- root: $public
- add_header: ETag ""
- location ~ ^/uploads/short-url/:
# NOTE(review): $http_host passes the client's Host header to the upstream unchanged, and this
# server is the default_server on port 80, so any Host value can reach Discourse - confirm that
# the application or a fronting proxy rejects unexpected hosts. The same header set repeats in
# the other proxied locations.
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
- proxy_pass: http://discourse
- break
- location ~ ^/secure-media-uploads/:
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
- proxy_pass: http://discourse
- break
- location ~* (fonts|assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico|otf)$:
- expires: 1y
- add_header: Cache-Control public,immutable
- add_header: Access-Control-Allow-Origin *
- location = /srv/status:
- access_log: "off"
- log_not_found: "off"
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
- proxy_pass: http://discourse
- break
- location ~ ^/javascripts/:
- expires: 1d
- add_header: Cache-Control public,immutable
- add_header: Access-Control-Allow-Origin *
- location ~ ^/assets/(?<asset_path>.+)$:
- expires: 1y
- brotli_static: "on"
- gzip_static: "on"
- add_header: Cache-Control public,immutable
- break
- location ~ ^/plugins/:
- expires: 1y
- add_header: Cache-Control public,immutable
- add_header: Access-Control-Allow-Origin *
- location ~ /images/emoji/:
- expires: 1y
- add_header: Cache-Control public,immutable
- add_header: Access-Control-Allow-Origin *
- location ~ ^/uploads/:
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
- proxy_set_header: X-Sendfile-Type X-Accel-Redirect
# Sends the upstream a path mapping from $public/ to /downloads/ for its X-Accel-Redirect
# answers; /downloads/ is declared elsewhere in this server as an `internal` alias of $public/,
# so those files are only handed out after the upstream has answered the request.
- proxy_set_header: X-Accel-Mapping $public/=/downloads/
- expires: 1y
- add_header: Cache-Control public,immutable
- location ~ /stylesheet-cache/:
- add_header: Access-Control-Allow-Origin *
- try_files: $uri =404
- location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|webp)$:
- add_header: Access-Control-Allow-Origin *
- try_files: $uri =404
# Intentionally left blank
# https://github.com/discourse/discourse/commit/31e31ef44973dc4daaee2f010d71588ea5873b53#diff-e79d9fceaf4e304b8b83b0aa41729344b3266e90105e574b1a8cb26413c307e1
- location ~* \.(svg)$:
-
- location ~ /_?optimized/:
- add_header: Access-Control-Allow-Origin *
- try_files: $uri =404
- proxy_pass: http://discourse
- break
- location ~ ^/admin/backups/:
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
- proxy_set_header: X-Sendfile-Type X-Accel-Redirect
- proxy_set_header: X-Accel-Mapping $public/=/downloads/
- proxy_pass: http://discourse
- break
- location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker):
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
# Responses from this location are stored in the shared proxy cache, so an upstream Set-Cookie
# must not decide cacheability (ignored here) nor reach clients (hidden by the next directive) -
# presumably to keep one user's session cookie from being replayed to others out of the cache.
- proxy_ignore_headers: "Set-Cookie"
- proxy_hide_header: "Set-Cookie"
- proxy_hide_header: "X-Discourse-Username"
- proxy_hide_header: "X-Runtime"
- proxy_cache: one
# NOTE(review): the key is built from $scheme, which on this port-80 listener does not reflect
# X-Forwarded-Proto ($thescheme does). Upstream responses that differ by forwarded scheme, such
# as redirects, would share one cache entry - confirm this is intended.
- proxy_cache_key: "$scheme,$host,$request_uri"
- proxy_cache_valid: 200 301 302 7d
- proxy_cache_valid: any 1m
- proxy_cache_bypass: $bypass_cache
- proxy_pass: http://discourse
- break
- location /message-bus/:
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
- proxy_http_version: 1.1
- proxy_buffering: "off"
- proxy_pass: http://discourse
- break
- try_files: $uri @discourse
- location /downloads/:
- internal: ''
- alias: $public/
- location @discourse:
- root: $public
- proxy_set_header: Host $http_host
- proxy_set_header: X-Real-IP $remote_addr
- proxy_set_header: X-Request-Start "t=${msec}"
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
- proxy_set_header: X-Forwarded-Proto $thescheme
- proxy_pass: http://discourse
enabled: True
zypper:
repositories:
devel:languages:ruby:
# NOTE(review): the repository is fetched over plain http://, so package integrity rests on
# zypper's GPG signature checks, which this pillar does not configure - confirm that the
# consuming state enforces gpgcheck and a known repository key.
baseurl: http://download.infra.opensuse.org/repositories/devel:/languages:/ruby/$releasever/
priority: 100
refresh: True
darix:apps:
# NOTE(review): this is a personal (home:) project repository, fetched over plain http:// -
# confirm that signature checking is enforced for it and that giving it the same priority as
# the devel repository is intended.
baseurl: http://download.infra.opensuse.org/repositories/home:/darix:/apps/$releasever/
priority: 100
refresh: True