[discourse_docker.git] / templates / web.template.yml

env:
  # You can have redis on a different box
  RAILS_ENV: 'production'
  UNICORN_WORKERS: 3
  UNICORN_SIDEKIQS: 1
  # this gives us very good cache coverage, 96 -> 99
  # in practice it is 1-2% perf improvement
  RUBY_GLOBAL_METHOD_CACHE_SIZE: 131072
  # stop heap doubling in size so aggressively, this conserves memory
  RUBY_GC_HEAP_GROWTH_MAX_SLOTS: 40000
  RUBY_GC_HEAP_INIT_SLOTS: 400000
  RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR: 1.5

  DISCOURSE_DB_SOCKET: /var/run/postgresql
  DISCOURSE_DB_HOST:
  DISCOURSE_DB_PORT:


params:
  # SSH key is required for remote access into the container
  version: tests-passed

  home: /var/www/discourse
  upload_size: 10m

run:
  # see: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
  - replace:
      filename: /usr/local/etc/ImageMagick-6/policy.xml
      from: "<policymap>"
      to: |
        <policymap>
          <policy domain="coder" rights="none" pattern="EPHEMERAL" />
          <policy domain="coder" rights="none" pattern="URL" />
          <policy domain="coder" rights="none" pattern="HTTPS" />
          <policy domain="coder" rights="none" pattern="MVG" />
          <policy domain="coder" rights="none" pattern="MSL" />
          <policy domain="coder" rights="none" pattern="TEXT" />
          <policy domain="coder" rights="none" pattern="SHOW" />
          <policy domain="coder" rights="none" pattern="WIN" />
          <policy domain="coder" rights="none" pattern="PLT" />

  - exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_SMTP_ADDRESS"] == "smtp.example.com"; puts "Aborting! Mail is not configured!"; exit 1; end'
  - exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_HOSTNAME"] == "discourse.example.com"; puts "Aborting! Domain is not configured!"; exit 1; end'
  - exec: chown -R discourse /home/discourse
  # TODO: move to base image (anacron can not be fired up using rc.d)
  - exec: rm -f /etc/cron.d/anacron
  - file:
     path: /etc/cron.d/anacron
     contents: |
        SHELL=/bin/sh
        PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

        30 7    * * *   root	/usr/sbin/anacron -s >/dev/null
  - file:
     path: /etc/runit/1.d/copy-env
     chmod: "+x"
     contents: |
        #!/bin/bash
        env > ~/boot_env
        conf=/var/www/discourse/config/discourse.conf

        # find DISCOURSE_ env vars, strip the leader, lowercase the key
        /usr/local/bin/ruby -e 'ENV.each{|k,v| puts "#{$1.downcase} = '\''#{v}'\''" if k =~ /^DISCOURSE_(.*)/}' > $conf

  - file:
     path: /etc/runit/1.d/enable-brotli
     chmod: "+x"
     contents: |
        #!/bin/bash
        [ ! -z "$COMPRESS_BROTLI" ] && sed -i "s/. brotli/  brotli/" /etc/nginx/conf.d/discourse.conf || sed -i "s/. brotli/# brotli/" /etc/nginx/conf.d/discourse.conf

  - file:
     path: /etc/service/unicorn/run
     chmod: "+x"
     contents: |
        #!/bin/bash
        exec 2>&1
        # redis
        # postgres
        cd $home
        chown -R discourse:www-data /shared/log/rails
        LD_PRELOAD=$RUBY_ALLOCATOR HOME=/home/discourse USER=discourse exec chpst -u discourse:www-data -U discourse:www-data bundle exec config/unicorn_launcher -E production -c config/unicorn.conf.rb

  - file:
     path: /etc/service/nginx/run
     chmod: "+x"
     contents: |
        #!/bin/sh
        exec 2>&1
        exec /usr/sbin/nginx

  - file:
     path: /etc/runit/3.d/01-nginx
     chmod: "+x"
     contents: |
       #!/bin/bash
       sv stop nginx

  - file:
     path: /etc/runit/3.d/02-unicorn
     chmod: "+x"
     contents: |
       #!/bin/bash
       sv stop unicorn

  - exec:
      cd: $home
      hook: code
      cmd:
        - git reset --hard
        - git clean -f
        - git remote set-branches --add origin master
        - git pull
        - git fetch origin $version
        - git checkout $version
        - mkdir -p tmp/pids
        - mkdir -p tmp/sockets
        - touch tmp/.gitkeep
        - mkdir -p                    /shared/log/rails
        - bash -c "touch -a           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log"
        - bash -c "ln    -s           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log $home/log"
        - bash -c "mkdir -p           /shared/{uploads,backups}"
        - bash -c "ln    -s           /shared/{uploads,backups} $home/public"
        - chown -R discourse:www-data /shared/log/rails /shared/uploads /shared/backups

  - exec:
      cmd:
        - "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf"
        - "rm /etc/nginx/sites-enabled/default"
        - "mkdir -p /var/nginx/cache"

  - replace:
      filename: /etc/nginx/nginx.conf
      from: pid /run/nginx.pid;
      to: daemon off;

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /upstream[^\}]+\}/m
      to: "upstream discourse {
        server 127.0.0.1:3000;
      }"

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /server_name.+$/
      to: server_name _ ;

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /client_max_body_size.+$/
      to: client_max_body_size $upload_size ;

  - exec:
      cmd: echo "done configuring web"
      hook: web_config

  - exec:
      cd: $home
      hook: web
      cmd:
        # ensure we are on latest bundler
        - gem update bundler
        - chown -R discourse $home

  - exec:
      cd: $home
      hook: bundle_exec
      cmd:
        - su discourse -c 'bundle install --deployment --verbose --without test --without development --retry 3 --jobs 4'
        - su discourse -c 'bundle exec rake db:migrate'
        - su discourse -c 'bundle exec rake assets:precompile'

  - file:
     path: /usr/local/bin/discourse
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/discourse "$@")

  - file:
     path: /usr/local/bin/rails
     chmod: +x
     contents: |
       #!/bin/bash
       # If they requested a console, load pry instead
       if [ "$*" == "c" -o "$*" == "console" ]
       then
        (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec pry -r ./config/environment)
       else
        (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/rails "$@")
       fi

  - file:
     path: /usr/local/bin/rake
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec bin/rake "$@")

  - file:
     path: /usr/local/bin/rbtrace
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec rbtrace "$@")

  - file:
     path: /usr/local/bin/stackprof
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec stackprof "$@")

  - file:
     path: /etc/update-motd.d/10-web
     chmod: +x
     contents: |
       #!/bin/bash
       echo
       echo Use: rails, rake or discourse to execute commands in production
       echo

  - file:
     path: /etc/logrotate.d/rails
     contents: |
        /shared/log/rails/*.log
        {
                rotate 7
                dateext
                daily
                missingok
                delaycompress
                compress
                postrotate
                sv 1 unicorn
                endscript
        }

  - file:
     path: /etc/logrotate.d/nginx
     contents: |
        /var/log/nginx/*.log {
          daily
          missingok
          rotate 7
          compress
          delaycompress
          create 0644 www-data www-data
          sharedscripts
          postrotate
            sv 1 nginx
          endscript
        }

  # move state out of the container this fancy is done to support rapid rebuilds of containers,
  # we store anacron and logrotate state outside the container to ensure its maintained across builds
  # later move this snipped into an intialization script
  # we also ensure all the symlinks we need to /shared are in place in the correct structure
  # this allows us to bootstrap on one machine and then run on another
  - file:
      path: /etc/runit/1.d/00-ensure-links
      chmod: +x
      contents: |
        #!/bin/bash
        if [[ ! -L /var/lib/logrotate ]]; then
          rm -fr /var/lib/logrotate
          mkdir -p /shared/state/logrotate
          ln -s /shared/state/logrotate /var/lib/logrotate
        fi
        if [[ ! -L /var/spool/anacron ]]; then
          rm -fr /var/spool/anacron
          mkdir -p /shared/state/anacron-spool
          ln -s /shared/state/anacron-spool /var/spool/anacron
        fi
        if [[ ! -d /shared/log/rails ]]; then
          mkdir -p /shared/log/rails
          chown -R discourse:www-data /shared/log/rails
        fi
        if [[ ! -d /shared/uploads ]]; then
          mkdir -p /shared/uploads
          chown -R discourse:www-data /shared/uploads
        fi
        if [[ ! -d /shared/backups ]]; then
          mkdir -p /shared/backups
          chown -R discourse:www-data /shared/backups
        fi

  # change login directory to Discourse home
  - file:
     path: /root/.bash_profile
     chmod: 644
     contents: |
        cd $home
Commit	Line	Data
9fb5f2d3	1	env:
9fb5f2d3	2	# You can have redis on a different box
9fb5f2d3 SS	3	RAILS_ENV: 'production'
9fb5f2d3 SS	4	UNICORN_WORKERS: 3
42b06eef	5	UNICORN_SIDEKIQS: 1
5819e899 S	6	# this gives us very good cache coverage, 96 -> 99
5819e899 S	7	# in practice it is 1-2% perf improvement
54e43936	8	RUBY_GLOBAL_METHOD_CACHE_SIZE: 131072
5d1848f5 S	9	# stop heap doubling in size so aggressively, this conserves memory
	10	RUBY_GC_HEAP_GROWTH_MAX_SLOTS: 40000
	11	RUBY_GC_HEAP_INIT_SLOTS: 400000
	12	RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR: 1.5
9fb5f2d3	13
9be8f5b9	14	DISCOURSE_DB_SOCKET: /var/run/postgresql
c148f4c9 SS	15	DISCOURSE_DB_HOST:
c148f4c9 SS	16	DISCOURSE_DB_PORT:
38000fc6 SS	17
38000fc6 SS	18
9fb5f2d3 SS	19	params:
9fb5f2d3 SS	20	# SSH key is required for remote access into the container
b56a2bd7	21	version: tests-passed
9fb5f2d3 SS	22
9fb5f2d3 SS	23	home: /var/www/discourse
44c59d37	24	upload_size: 10m
9fb5f2d3	25
9fb5f2d3	26	run:
d321b1b8	27	# see: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
d47aa69b S	28	- replace:
	29	filename: /usr/local/etc/ImageMagick-6/policy.xml
	30	from: "<policymap>"
	31	to: \|
	32	<policymap>
	33	<policy domain="coder" rights="none" pattern="EPHEMERAL" />
ada30c34	34	<policy domain="coder" rights="none" pattern="URL" />
d47aa69b S	35	<policy domain="coder" rights="none" pattern="HTTPS" />
	36	<policy domain="coder" rights="none" pattern="MVG" />
	37	<policy domain="coder" rights="none" pattern="MSL" />
ada30c34 MT	38	<policy domain="coder" rights="none" pattern="TEXT" />
	39	<policy domain="coder" rights="none" pattern="SHOW" />
	40	<policy domain="coder" rights="none" pattern="WIN" />
	41	<policy domain="coder" rights="none" pattern="PLT" />
d47aa69b	42
b7f9f4c7	43	- exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_SMTP_ADDRESS"] == "smtp.example.com"; puts "Aborting! Mail is not configured!"; exit 1; end'
28aa70d0	44	- exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_HOSTNAME"] == "discourse.example.com"; puts "Aborting! Domain is not configured!"; exit 1; end'
cc81fc95	45	- exec: chown -R discourse /home/discourse
573617ea S	46	# TODO: move to base image (anacron can not be fired up using rc.d)
	47	- exec: rm -f /etc/cron.d/anacron
	48	- file:
	49	path: /etc/cron.d/anacron
	50	contents: \|
	51	SHELL=/bin/sh
	52	PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
	53
	54	30 7 * * * root /usr/sbin/anacron -s >/dev/null
87f8d0b3	55	- file:
089518ef	56	path: /etc/runit/1.d/copy-env
87f8d0b3 SS	57	chmod: "+x"
	58	contents: \|
	59	#!/bin/bash
c4498636	60	env > ~/boot_env
87f8d0b3	61	conf=/var/www/discourse/config/discourse.conf
87f8d0b3	62
1cb802ad	63	# find DISCOURSE_ env vars, strip the leader, lowercase the key
087e1101	64	/usr/local/bin/ruby -e 'ENV.each{\|k,v\| puts "#{$1.downcase} = '\''#{v}'\''" if k =~ /^DISCOURSE_(.*)/}' > $conf
8fc088ab	65
f132a635 S	66	- file:
	67	path: /etc/runit/1.d/enable-brotli
	68	chmod: "+x"
	69	contents: \|
	70	#!/bin/bash
	71	[ ! -z "$COMPRESS_BROTLI" ] && sed -i "s/. brotli/ brotli/" /etc/nginx/conf.d/discourse.conf \|\| sed -i "s/. brotli/# brotli/" /etc/nginx/conf.d/discourse.conf
	72
9fb5f2d3 SS	73	- file:
	74	path: /etc/service/unicorn/run
	75	chmod: "+x"
	76	contents: \|
	77	#!/bin/bash
	78	exec 2>&1
9fb5f2d3 SS	79	# redis
	80	# postgres
	81	cd $home
6d00b2fa	82	chown -R discourse:www-data /shared/log/rails
f92ac119	83	LD_PRELOAD=$RUBY_ALLOCATOR HOME=/home/discourse USER=discourse exec chpst -u discourse:www-data -U discourse:www-data bundle exec config/unicorn_launcher -E production -c config/unicorn.conf.rb
9fb5f2d3	84
9fb5f2d3 SS	85	- file:
	86	path: /etc/service/nginx/run
	87	chmod: "+x"
	88	contents: \|
	89	#!/bin/sh
	90	exec 2>&1
	91	exec /usr/sbin/nginx
	92
074f2b6a S	93	- file:
	94	path: /etc/runit/3.d/01-nginx
	95	chmod: "+x"
	96	contents: \|
	97	#!/bin/bash
	98	sv stop nginx
	99
	100	- file:
	101	path: /etc/runit/3.d/02-unicorn
	102	chmod: "+x"
	103	contents: \|
	104	#!/bin/bash
	105	sv stop unicorn
	106
9fb5f2d3 SS	107	- exec:
	108	cd: $home
	109	hook: code
	110	cmd:
	111	- git reset --hard
	112	- git clean -f
36c6b609	113	- git remote set-branches --add origin master
d9c1b419 S	114	- git pull
d9c1b419 S	115	- git fetch origin $version
9fb5f2d3	116	- git checkout $version
9fb5f2d3 SS	117	- mkdir -p tmp/pids
9fb5f2d3 SS	118	- mkdir -p tmp/sockets
b150cad1	119	- touch tmp/.gitkeep
e56a65f6	120	- mkdir -p /shared/log/rails
b6227eb0	121	- bash -c "touch -a /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log"
e56a65f6 MB	122	- bash -c "ln -s /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log $home/log"
	123	- bash -c "mkdir -p /shared/{uploads,backups}"
	124	- bash -c "ln -s /shared/{uploads,backups} $home/public"
	125	- chown -R discourse:www-data /shared/log/rails /shared/uploads /shared/backups
c4498636	126
9fb5f2d3 SS	127	- exec:
	128	cmd:
	129	- "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf"
	130	- "rm /etc/nginx/sites-enabled/default"
69c891fd	131	- "mkdir -p /var/nginx/cache"
9fb5f2d3 SS	132
	133	- replace:
	134	filename: /etc/nginx/nginx.conf
	135	from: pid /run/nginx.pid;
	136	to: daemon off;
	137
	138	- replace:
	139	filename: "/etc/nginx/conf.d/discourse.conf"
	140	from: /upstream[^\}]+\}/m
	141	to: "upstream discourse {
	142	server 127.0.0.1:3000;
	143	}"
	144
	145	- replace:
	146	filename: "/etc/nginx/conf.d/discourse.conf"
	147	from: /server_name.+$/
	148	to: server_name _ ;
	149
6e23c775	150	- replace:
	151	filename: "/etc/nginx/conf.d/discourse.conf"
	152	from: /client_max_body_size.+$/
	153	to: client_max_body_size $upload_size ;
	154
9e8e16a8 SS	155	- exec:
	156	cmd: echo "done configuring web"
	157	hook: web_config
	158
9fb5f2d3 SS	159	- exec:
9fb5f2d3 SS	160	cd: $home
62418f96	161	hook: web
9fb5f2d3	162	cmd:
e64b0a0b S	163	# ensure we are on latest bundler
e64b0a0b S	164	- gem update bundler
9fb5f2d3	165	- chown -R discourse $home
70710fa0 EG	166
	167	- exec:
	168	cd: $home
	169	hook: bundle_exec
	170	cmd:
c3f65e20	171	- su discourse -c 'bundle install --deployment --verbose --without test --without development --retry 3 --jobs 4'
e56a65f6 MB	172	- su discourse -c 'bundle exec rake db:migrate'
e56a65f6 MB	173	- su discourse -c 'bundle exec rake assets:precompile'
9fb5f2d3	174
553a4fc9 S	175	- file:
	176	path: /usr/local/bin/discourse
	177	chmod: +x
	178	contents: \|
	179	#!/bin/bash
8a02b91e	180	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/discourse "$@")
553a4fc9 S	181
	182	- file:
	183	path: /usr/local/bin/rails
	184	chmod: +x
	185	contents: \|
	186	#!/bin/bash
cbfcacda	187	# If they requested a console, load pry instead
d16335a6	188	if [ "$" == "c" -o "$" == "console" ]
cbfcacda	189	then
8a02b91e	190	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec pry -r ./config/environment)
cbfcacda	191	else
8a02b91e	192	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/rails "$@")
cbfcacda	193	fi
553a4fc9 S	194
	195	- file:
	196	path: /usr/local/bin/rake
	197	chmod: +x
	198	contents: \|
	199	#!/bin/bash
8a02b91e	200	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec bin/rake "$@")
553a4fc9	201
e9505520 S	202	- file:
	203	path: /usr/local/bin/rbtrace
	204	chmod: +x
	205	contents: \|
	206	#!/bin/bash
755fff35	207	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec rbtrace "$@")
e9505520 S	208
	209	- file:
	210	path: /usr/local/bin/stackprof
	211	chmod: +x
	212	contents: \|
	213	#!/bin/bash
755fff35	214	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec stackprof "$@")
e9505520	215
553a4fc9 S	216	- file:
	217	path: /etc/update-motd.d/10-web
	218	chmod: +x
	219	contents: \|
	220	#!/bin/bash
	221	echo
	222	echo Use: rails, rake or discourse to execute commands in production
	223	echo
	224
be82e068 S	225	- file:
	226	path: /etc/logrotate.d/rails
	227	contents: \|
	228	/shared/log/rails/*.log
	229	{
bfe8ac94	230	rotate 7
be82e068 S	231	dateext
	232	daily
	233	missingok
be82e068 S	234	delaycompress
	235	compress
	236	postrotate
	237	sv 1 unicorn
	238	endscript
	239	}
55737024	240
5d256035 S	241	- file:
	242	path: /etc/logrotate.d/nginx
	243	contents: \|
	244	/var/log/nginx/*.log {
	245	daily
	246	missingok
bfe8ac94	247	rotate 7
5d256035 S	248	compress
5d256035 S	249	delaycompress
8fc088ab	250	create 0644 www-data www-data
5d256035 S	251	sharedscripts
	252	postrotate
	253	sv 1 nginx
	254	endscript
	255	}
55737024	256
25a7de18 S	257	# move state out of the container this fancy is done to support rapid rebuilds of containers,
	258	# we store anacron and logrotate state outside the container to ensure its maintained across builds
	259	# later move this snipped into an intialization script
be55cb66 S	260	# we also ensure all the symlinks we need to /shared are in place in the correct structure
	261	# this allows us to bootstrap on one machine and then run on another
	262	- file:
	263	path: /etc/runit/1.d/00-ensure-links
	264	chmod: +x
	265	contents: \|
	266	#!/bin/bash
	267	if [[ ! -L /var/lib/logrotate ]]; then
	268	rm -fr /var/lib/logrotate
	269	mkdir -p /shared/state/logrotate
	270	ln -s /shared/state/logrotate /var/lib/logrotate
	271	fi
	272	if [[ ! -L /var/spool/anacron ]]; then
	273	rm -fr /var/spool/anacron
	274	mkdir -p /shared/state/anacron-spool
	275	ln -s /shared/state/anacron-spool /var/spool/anacron
	276	fi
	277	if [[ ! -d /shared/log/rails ]]; then
	278	mkdir -p /shared/log/rails
	279	chown -R discourse:www-data /shared/log/rails
	280	fi
	281	if [[ ! -d /shared/uploads ]]; then
	282	mkdir -p /shared/uploads
	283	chown -R discourse:www-data /shared/uploads
	284	fi
	285	if [[ ! -d /shared/backups ]]; then
	286	mkdir -p /shared/backups
	287	chown -R discourse:www-data /shared/backups
	288	fi
0c456e8c EG	289
	290	# change login directory to Discourse home
	291	- file:
	292	path: /root/.bash_profile
	293	chmod: 644
	294	contents: \|
	295	cd $home