|
Sasi Olin |
4663db |
include:
|
|
Jacob Michalskie |
0eac15 |
{% if salt['grains.get']('include_secrets', True) %}
|
|
Jacob Michalskie |
0eac15 |
- secrets.role.discourse
|
|
Jacob Michalskie |
0eac15 |
{% endif %}
|
|
Sasi Olin |
4663db |
- role.common.nginx
|
|
Sasi Olin |
4663db |
|
|
Jacob Michalskie |
b2e287 |
profile:
|
|
Jacob Michalskie |
b2e287 |
postfix:
|
|
Jacob Michalskie |
b2e287 |
maincf:
|
|
Jacob Michalskie |
77a678 |
inet_interfaces: all
|
|
Jacob Michalskie |
404f91 |
smtputf8_enable: 'no'
|
|
Jacob Michalskie |
f03e5f |
compatibility_level: 2
|
|
 |
1d464f |
export_environment: 'TZ LANG'
|
|
Jacob Michalskie |
404f91 |
append_dot_mydomain: 'no'
|
|
Jacob Michalskie |
f03e5f |
mydestination: localhost
|
|
|
1d464f |
mynetworks: '127.0.0.0/8 [::1]/128 [fe80::]/64'
|
|
Jacob Michalskie |
3e4d81 |
transport_maps: lmdb:/etc/postfix/transport
|
|
Jacob Michalskie |
52d852 |
smtpd_recipient_restrictions: permit_mynetworks, check_policy_service unix:private/policy
|
|
Jacob Michalskie |
b2e287 |
mastercf:
|
|
Jacob Michalskie |
a151f4 |
discourse: unix - n n - - pipe user=nobody:nogroup argv=/usr/bin/receive-mail ${recipient}
|
|
Jacob Michalskie |
a151f4 |
policy: unix - n n - - spawn user=nobody argv=/usr/bin/discourse-smtp-fast-rejection
|
|
Jacob Michalskie |
b2e287 |
aliases:
|
|
Jacob Michalskie |
b2e287 |
discourse: root
|
|
Jacob Michalskie |
b2e287 |
# We need to set up transport map with `$domain discourse:` line for every domain
|
|
Jacob Michalskie |
b2e287 |
discourse:
|
|
Jacob Michalskie |
b2e287 |
database_user: discourse
|
|
Jacob Michalskie |
b2e287 |
database_name: discourse
|
|
|
8737c8 |
database_host: postgresql.infra.opensuse.org
|
|
|
6c2bf7 |
hostname: forums.opensuse.org
|
|
|
6c2bf7 |
smtp_domain: forums.opensuse.org
|
|
Jacob Michalskie |
63f800 |
# secret_key, maxmind and db password live in secrets/role/discourse.sls
|
|
Jacob Michalskie |
b2e287 |
|
|
Sasi Olin |
4663db |
nginx:
|
|
|
a20cbc |
server:
|
|
|
a20cbc |
config:
|
|
|
a20cbc |
load_module:
|
|
|
a20cbc |
- /usr/lib64/nginx/modules/ngx_http_brotli_static_module.so
|
|
|
a20cbc |
- /usr/lib64/nginx/modules/ngx_http_brotli_filter_module.so
|
|
|
a20cbc |
servers:
|
|
|
a20cbc |
managed:
|
|
|
a20cbc |
forums.opensuse.org.conf:
|
|
|
a20cbc |
config:
|
|
|
a20cbc |
- upstream discourse:
|
|
|
a20cbc |
- server: 'unix:/srv/www/vhosts/discourse/tmp/sockets/puma.sock'
|
|
|
a20cbc |
- types:
|
|
|
a20cbc |
- text/csv: csv
|
|
|
a20cbc |
- proxy_cache_path: /var/lib/nginx/cache/ inactive=1440m levels=1:2 keys_zone=one:10m max_size=600m
|
|
|
a20cbc |
- proxy_buffer_size: 8k
|
|
|
a20cbc |
- map $http_x_forwarded_proto $thescheme:
|
|
|
a20cbc |
- default: $scheme
|
|
|
a20cbc |
- https: https
|
|
|
00b05b |
- log_format: >-
|
|
|
00b05b |
log_discourse
|
|
|
00b05b |
'[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route"
|
|
|
00b05b |
$status $bytes_sent "$http_referer" $upstream_response_time $request_time "$upstream_http_x_discourse_username"
|
|
|
00b05b |
"$upstream_http_x_discourse_trackview" "$upstream_http_x_queue_time" "$upstream_http_x_redis_calls"
|
|
|
00b05b |
"$upstream_http_x_redis_time" "$upstream_http_x_sql_calls" "$upstream_http_x_sql_time"'
|
|
|
a20cbc |
- geo $bypass_cache:
|
|
|
a20cbc |
- default: 0
|
|
|
a20cbc |
- 127.0.0.1: 1
|
|
|
a20cbc |
- '::1': 1
|
|
|
a20cbc |
- server:
|
|
|
a20cbc |
- server_name: forums.opensuse.org
|
|
|
a20cbc |
- server_tokens: "off"
|
|
|
68e999 |
- listen: '[::]:80 default_server'
|
|
|
16192e |
- access_log: /var/log/nginx/discourse.access.log log_discourse flush=2m gzip=8
|
|
|
a20cbc |
- gzip: "on"
|
|
|
a20cbc |
- gzip_vary: "on"
|
|
|
a20cbc |
- gzip_min_length: 1000
|
|
|
a20cbc |
- gzip_comp_level: 5
|
|
|
a20cbc |
- gzip_types: application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml application/wasm
|
|
|
a20cbc |
- gzip_proxied: any
|
|
|
a20cbc |
- sendfile: "on"
|
|
|
a20cbc |
- keepalive_timeout: 65
|
|
|
a20cbc |
- client_max_body_size: 10m
|
|
|
a20cbc |
- set: $public /srv/www/vhosts/discourse/public
|
|
|
a20cbc |
- etag: "off"
|
|
|
a20cbc |
- location ^~ /backups/:
|
|
|
a20cbc |
- internal: ''
|
|
|
a20cbc |
- location /favicon.ico:
|
|
|
a20cbc |
- return: 204
|
|
|
a20cbc |
- access_log: "off"
|
|
|
a20cbc |
- log_not_found: "off"
|
|
|
a20cbc |
- location /:
|
|
|
a20cbc |
- root: $public
|
|
|
a20cbc |
- add_header: ETag ""
|
|
|
a20cbc |
- location ~ ^/uploads/short-url/:
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- break
|
|
|
a20cbc |
- location ~ ^/secure-media-uploads/:
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- break
|
|
|
a20cbc |
- location ~* (fonts|assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico|otf)$:
|
|
|
a20cbc |
- expires: 1y
|
|
|
a20cbc |
- add_header: Cache-Control public,immutable
|
|
|
a20cbc |
- add_header: Access-Control-Allow-Origin *
|
|
|
a20cbc |
- location = /srv/status:
|
|
|
a20cbc |
- access_log: "off"
|
|
|
a20cbc |
- log_not_found: "off"
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- break
|
|
|
a20cbc |
- location ~ ^/javascripts/:
|
|
|
a20cbc |
- expires: 1d
|
|
|
a20cbc |
- add_header: Cache-Control public,immutable
|
|
|
a20cbc |
- add_header: Access-Control-Allow-Origin *
|
|
|
a20cbc |
- location ~ ^/assets/(?<asset_path>.+)$:
|
|
|
a20cbc |
- expires: 1y
|
|
|
a20cbc |
{%- if not grains['host'].startswith('runner-') %} {#- ugly, but required for tests due to the modules being commented out above #}
|
|
|
a20cbc |
- brotli_static: "on"
|
|
|
a20cbc |
{%- endif %}
|
|
|
a20cbc |
- gzip_static: "on"
|
|
|
a20cbc |
- add_header: Cache-Control public,immutable
|
|
|
a20cbc |
- break
|
|
|
a20cbc |
- location ~ ^/plugins/:
|
|
|
a20cbc |
- expires: 1y
|
|
|
a20cbc |
- add_header: Cache-Control public,immutable
|
|
|
a20cbc |
- add_header: Access-Control-Allow-Origin *
|
|
|
a20cbc |
- location ~ /images/emoji/:
|
|
|
a20cbc |
- expires: 1y
|
|
|
a20cbc |
- add_header: Cache-Control public,immutable
|
|
|
a20cbc |
- add_header: Access-Control-Allow-Origin *
|
|
|
a20cbc |
- location ~ ^/uploads/:
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_set_header: X-Sendfile-Type X-Accel-Redirect
|
|
|
a20cbc |
- proxy_set_header: X-Accel-Mapping $public/=/downloads/
|
|
|
a20cbc |
- expires: 1y
|
|
|
a20cbc |
- add_header: Cache-Control public,immutable
|
|
|
a20cbc |
- location ~ /stylesheet-cache/:
|
|
|
a20cbc |
- add_header: Access-Control-Allow-Origin *
|
|
|
a20cbc |
- try_files: $uri =404
|
|
|
a20cbc |
- location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|webp)$:
|
|
|
a20cbc |
- add_header: Access-Control-Allow-Origin *
|
|
|
a20cbc |
- try_files: $uri =404
|
|
|
a20cbc |
# Intentionally left blank
|
|
|
a20cbc |
# https://github.com/discourse/discourse/commit/31e31ef44973dc4daaee2f010d71588ea5873b53#diff-e79d9fceaf4e304b8b83b0aa41729344b3266e90105e574b1a8cb26413c307e1
|
|
|
a20cbc |
- location ~* \.(svg)$:
|
|
|
a20cbc |
-
|
|
|
a20cbc |
- location ~ /_?optimized/:
|
|
|
a20cbc |
- add_header: Access-Control-Allow-Origin *
|
|
|
a20cbc |
- try_files: $uri =404
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- break
|
|
|
a20cbc |
- location ~ ^/admin/backups/:
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_set_header: X-Sendfile-Type X-Accel-Redirect
|
|
|
a20cbc |
- proxy_set_header: X-Accel-Mapping $public/=/downloads/
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- break
|
|
|
00b05b |
- location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker): # noqa 204
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_ignore_headers: "Set-Cookie"
|
|
|
a20cbc |
- proxy_hide_header: "Set-Cookie"
|
|
|
a20cbc |
- proxy_hide_header: "X-Discourse-Username"
|
|
|
a20cbc |
- proxy_hide_header: "X-Runtime"
|
|
|
a20cbc |
- proxy_cache: one
|
|
|
a20cbc |
- proxy_cache_key: "$scheme,$host,$request_uri"
|
|
|
a20cbc |
- proxy_cache_valid: 200 301 302 7d
|
|
|
a20cbc |
- proxy_cache_valid: any 1m
|
|
|
a20cbc |
- proxy_cache_bypass: $bypass_cache
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- break
|
|
|
a20cbc |
- location /message-bus/:
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_http_version: 1.1
|
|
|
a20cbc |
- proxy_buffering: "off"
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- break
|
|
|
a20cbc |
- try_files: $uri @discourse
|
|
|
a20cbc |
- location /downloads/:
|
|
|
a20cbc |
- internal: ''
|
|
|
a20cbc |
- alias: $public/
|
|
|
a20cbc |
- location @discourse:
|
|
|
a20cbc |
- root: $public
|
|
|
a20cbc |
- proxy_set_header: Host $http_host
|
|
|
a20cbc |
- proxy_set_header: X-Real-IP $remote_addr
|
|
|
a20cbc |
- proxy_set_header: X-Request-Start "t=${msec}"
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
|
|
|
a20cbc |
- proxy_set_header: X-Forwarded-Proto $thescheme
|
|
|
a20cbc |
- proxy_pass: http://discourse
|
|
|
a20cbc |
- location /showthread.php/:
|
|
|
a20cbc |
- rewrite: '^/showthread.php/([0-9]*) /thread/$1 permanent'
|
|
|
a20cbc |
- location /content.php/:
|
|
|
a20cbc |
- rewrite: '^/content.php/([0-9]*) /article/$1 permanent'
|
|
|
a20cbc |
- location /entry.php/:
|
|
|
a20cbc |
- rewrite: '^/entry.php/([0-9]*) /blog/$1 permanent'
|
|
|
a20cbc |
- if ($arg_signup = true):
|
|
|
a20cbc |
- return: 301 https://idp-portal.suse.com/univention/self-service/#page=createaccount
|
|
|
a20cbc |
enabled: True
|
|
Sasi Olin |
05c4b5 |
|
|
Sasi Olin |
05c4b5 |
zypper:
|
|
Sasi Olin |
05c4b5 |
repositories:
|
|
Sasi Olin |
05c4b5 |
darix:apps:
|
|
|
a63309 |
baseurl: http://download-prg.infra.opensuse.org/repositories/home:/darix:/apps/openSUSE_Tumbleweed/
|
|
Sasi Olin |
05c4b5 |
priority: 100
|
|
Sasi Olin |
05c4b5 |
refresh: True
|
|
|
8b1f9d |
openSUSE:infrastructure:discourse:
|
|
|
a63309 |
baseurl: http://download-prg.infra.opensuse.org/repositories/openSUSE:/infrastructure:/discourse/openSUSE_Tumbleweed/
|
|
|
8b1f9d |
priority: 100
|
|
|
8b1f9d |
refresh: True
|