diff --git a/pillar/id/discourse01_infra_opensuse_org.sls b/pillar/id/discourse01_infra_opensuse_org.sls index 00fab09..ede05fb 100644 --- a/pillar/id/discourse01_infra_opensuse_org.sls +++ b/pillar/id/discourse01_infra_opensuse_org.sls @@ -3,7 +3,8 @@ grains: country: de hostusage: - discourse - roles: [] + roles: + - discourse reboot_safe: yes salt_cluster: opensuse virt_cluster: atreju diff --git a/pillar/role/discourse.sls b/pillar/role/discourse.sls new file mode 100644 index 0000000..ffb68b6 --- /dev/null +++ b/pillar/role/discourse.sls 
@@ -0,0 +1,183 @@
+include:
+ - role.common.nginx
+
+nginx:
+ ng:
+ servers:
+ managed:
+ forums.opensuse.org.conf:
+ config:
+ - types:
+ - text/csv: csv
+ - application/wasm: wasm
+ - proxy_cache_path: /var/lib/nginx/cache/ inactive=1440m levels=1:2 keys_zone=one:10m max_size=600m
+ - proxy_buffer_size: 8k
+ - map $http_x_forwarded_proto $thescheme:
+ - default: $scheme
+ - https: https
+ - log_format: log_discourse '[$time_local] "$http_host" $remote_addr "$request" "$http_user_agent" "$sent_http_x_discourse_route" $status $bytes_sent "$http_referer" $upstream_response_time $request_time "$upstream_http_x_discourse_username" "$upstream_http_x_discourse_trackview" "$upstream_http_x_queue_time" "$upstream_http_x_redis_calls" "$upstream_http_x_redis_time" "$upstream_http_x_sql_calls" "$upstream_http_x_sql_time"'
+ - geo $bypass_cache:
+ - default: 0
+ - 127.0.0.1: 1
+ - '::1': 1
+ - server:
+ - server_name: forums.opensuse.org
+ - server_tokens: "off"
+ - listen:
+ - 80
+ - default_server
+ - access_log: /var/log/nginx/discourse.access.log log_discourse
+ - gzip: "on"
+ - gzip_vary: "on"
+ - gzip_min_length: 1000
+ - gzip_comp_level: 5
+ - gzip_types: application/json text/css text/javascript application/x-javascript application/javascript image/svg+xml application/wasm
+ - gzip_proxied: any
+ - sendfile: "on"
+ - keepalive_timeout: 65
+ - client_max_body_size: 10m
+ - set: $public /srv/www/vhosts/discourse/public
+ - etag: "off"
+ - location ^~ /backups/:
+ - internal:
+ - location /favicon.ico:
+ - return: 204
+ - access_log: "off"
+ - log_not_found: "off"
+ - location /:
+ - root: $public
+ - add_header: ETag ""
+ - location ~ ^/uploads/short-url/:
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_pass: http://discourse
+ - break
+ - location ~ ^/secure-media-uploads/:
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_pass: http://discourse
+ - break
+ - location ~* (fonts|assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico|otf)$:
+ - expires: 1y
+ - add_header: Cache-Control public,immutable
+ - add_header: Access-Control-Allow-Origin *
+ - location = /srv/status:
+ - access_log: "off"
+ - log_not_found: "off"
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_pass: http://discourse
+ - break
+ - location ~ ^/javascripts/:
+ - expires: 1d
+ - add_header: Cache-Control public,immutable
+ - add_header: Access-Control-Allow-Origin *
+ - location ~ ^/assets/(?.+)$:
+ - expires: 1y
+ - brotli_static: "on"
+ - gzip_static: "on"
+ - add_header: Cache-Control public,immutable
+ - break
+ - location ~ ^/plugins/:
+ - expires: 1y
+ - add_header: Cache-Control public,immutable
+ - add_header: Access-Control-Allow-Origin *
+ - location ~ /images/emoji/:
+ - expires: 1y
+ - add_header: Cache-Control public,immutable
+ - add_header: Access-Control-Allow-Origin *
+ - location ~ ^/uploads/:
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_set_header: X-Sendfile-Type X-Accel-Redirect
+ - proxy_set_header: X-Accel-Mapping $public/=/downloads/
+ - expires: 1y
+ - add_header: Cache-Control public,immutable
+ - location ~ /stylesheet-cache/:
+ - add_header: Access-Control-Allow-Origin *
+ - try_files: $uri =404
+ - location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|webp)$:
+ - add_header: Access-Control-Allow-Origin *
+ - try_files: $uri =404
+ # Intentionally left blank
+ # https://github.com/discourse/discourse/commit/31e31ef44973dc4daaee2f010d71588ea5873b53#diff-e79d9fceaf4e304b8b83b0aa41729344b3266e90105e574b1a8cb26413c307e1
+ - location ~* \.(svg)$:
+ -
+ - location ~ /_?optimized/:
+ - add_header: Access-Control-Allow-Origin *
+ - try_files: $uri =404
+ - proxy_pass: http://discourse
+ - break
+ - location ~ ^/admin/backups/:
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_set_header: X-Sendfile-Type X-Accel-Redirect
+ - proxy_set_header: X-Accel-Mapping $public/=/downloads/
+ - proxy_pass: http://discourse
+ - break
+ - location ~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker):
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_ignore_headers: "Set-Cookie"
+ - proxy_hide_header: "Set-Cookie"
+ - proxy_hide_header: "X-Discourse-Username"
+ - proxy_hide_header: "X-Runtime"
+ - proxy_cache: one
+ - proxy_cache_key: "$scheme,$host,$request_uri"
+ - proxy_cache_valid: 200 301 302 7d
+ - proxy_cache_valid: any 1m
+ - proxy_cache_bypass: $bypass_cache
+ - proxy_pass: http://discourse
+ - break
+ - location /message-bus/:
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_http_version: 1.1
+ - proxy_buffering: "off"
+ - proxy_pass: http://discourse
+ - break
+ - try_files: $uri @discourse
+ - location /downloads/:
+ - internal
+ - alias: $public/
+ - location @discourse:
+ - root: $public
+ - proxy_set_header: Host $http_host
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Request-Start "t=${msec}"
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Proto $thescheme
+ - proxy_pass: http://discourse
+ enabled: True
+
+zypper:
+ repositories:
+ devel:languages:ruby:
+ baseurl: http://download.infra.opensuse.org/repositories/devel:/languages:/ruby/$releasever/
+ priority: 100
+ refresh: True
+ darix:apps:
+ baseurl: http://download.infra.opensuse.org/repositories/home:/darix:/apps/$releasever/
+ priority: 100
+ refresh: True
diff --git a/salt/profile/discourse/init.sls b/salt/profile/discourse/init.sls
new file mode 100644
index 0000000..7e0639d
--- /dev/null
+++ b/salt/profile/discourse/init.sls
@@ -0,0 +1,34 @@
+discourse_pgks:
+ pkg.installed:
+ - pkgs:
+ - discourse
+
+discourse_target:
+ service.running:
+ - name: discourse.target
+ - enable: True
+
+discourse_update_service:
+ service.running:
+ - name: discourse-update
+ - enable: True
+
+discourse_puma_service:
+ service.running:
+ - name: discourse-puma
+ - enable: True
+
+discourse_sidekiq_service:
+ service.running:
+ - name: discourse-puma
+ - enable: True
+
+discourse_restart:
+ module.wait:
+ - name: service.restart
+ - m_name: discourse.target
+ - require:
+ - service: discourse_update_service
+ - service: discourse_puma_service
+ - service: discourse_sidekiq_service
+ - service: discourse_target
diff --git a/salt/role/discourse.sls b/salt/role/discourse.sls
new file mode 100644
index 0000000..dcd3fdd
--- /dev/null
+++ b/salt/role/discourse.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.web.server.nginx
+ - profile.discourse
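Review bot: In `pillar/role/discourse.sls` the `/backups/` guard is written as `- internal:` (a key with a null value), while `location /downloads/` uses the bare item `- internal`; depending on how the nginx formula renders a null value, the directive may be dropped or the template may fail. That location is presumably what keeps backup archives under `$public` from being fetched directly rather than through the `X-Accel-Redirect` path used by `/admin/backups/`, so I would write `- internal` in both places and check the rendered vhost with `nginx -t`. The empty `-` item under `location ~* \.(svg)$` deserves the same check. Separately, both zypper repositories use plain `http://` and one is a `home:` project at the same priority as the devel repo, with no signature-check setting visible in this pillar; please confirm the zypper state enforces GPG verification for them, or switch `baseurl` to `https://` if the mirror offers it.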
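Review bot: In `salt/profile/discourse/init.sls`, `discourse_sidekiq_service` manages `discourse-puma` a second time, so the Sidekiq unit is never enabled or started by this state; the name should presumably be `- name: discourse-sidekiq` (confirm against the unit files the package ships). `discourse_restart` is a `module.wait` with only `require` requisites, and `module.wait` runs only when a `watch` requisite reports changes, so the restart will never fire as written; `- watch:` followed by `- pkg: discourse_pgks` would tie it to package updates. The state ID `discourse_pgks` also looks like a typo for `discourse_pkgs`.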