[discourse_docker.git] / templates / web.template.yml

env:
  # You can have redis on a different box
  RAILS_ENV: 'production'
  UNICORN_WORKERS: 3
  UNICORN_SIDEKIQS: 1
  # this gives us very good cache coverage, 96 -> 99
  # in practice it is 1-2% perf improvement
  RUBY_GLOBAL_METHOD_CACHE_SIZE: 131072

  DISCOURSE_DB_SOCKET: /var/run/postgresql
  DISCOURSE_DB_HOST:
  DISCOURSE_DB_PORT:


params:
  # SSH key is required for remote access into the container
  version: tests-passed

  home: /var/www/discourse
  upload_size: 10m

run:
  # see: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
  - replace:
      filename: /usr/local/etc/ImageMagick-6/policy.xml
      from: "<policymap>"
      to: |
        <policymap>
          <policy domain="coder" rights="none" pattern="EPHEMERAL" />
          <policy domain="coder" rights="none" pattern="URL" />
          <policy domain="coder" rights="none" pattern="HTTPS" />
          <policy domain="coder" rights="none" pattern="MVG" />
          <policy domain="coder" rights="none" pattern="MSL" />
          <policy domain="coder" rights="none" pattern="TEXT" />
          <policy domain="coder" rights="none" pattern="SHOW" />
          <policy domain="coder" rights="none" pattern="WIN" />
          <policy domain="coder" rights="none" pattern="PLT" />

  - exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_SMTP_ADDRESS"] == "smtp.example.com"; puts "Aborting! Mail is not configured!"; exit 1; end'
  - exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_HOSTNAME"] == "discourse.example.com"; puts "Aborting! Domain is not configured!"; exit 1; end'
  - exec: chown -R discourse /home/discourse
  - file:
     path: /etc/runit/1.d/copy-env
     chmod: "+x"
     contents: |
        #!/bin/bash
        env > ~/boot_env
        conf=/var/www/discourse/config/discourse.conf

        # find DISCOURSE_ env vars, strip the leader, lowercase the key
        /usr/local/bin/ruby -e 'ENV.each{|k,v| puts "#{$1.downcase} = #{v}" if k =~ /^DISCOURSE_(.*)/}' > $conf

  - file:
     path: /etc/runit/1.d/enable-brotli
     chmod: "+x"
     contents: |
        #!/bin/bash
        [ ! -z "$COMPRESS_BROTLI" ] && sed -i "s/. brotli/  brotli/" /etc/nginx/conf.d/discourse.conf || sed -i "s/. brotli/# brotli/" /etc/nginx/conf.d/discourse.conf

  - file:
     path: /etc/runit/1.d/ensure-web-nginx-read
     chmod: "+x"
     contents: |
        #!/bin/bash
        mkdir -p /var/log/nginx
        chgrp -R www-data /var/log/nginx
        chgrp www-data /var/log/nginx

  - file:
     path: /etc/service/unicorn/run
     chmod: "+x"
     contents: |
        #!/bin/bash
        exec 2>&1
        # redis
        # postgres
        cd $home
        chown -R discourse:www-data /shared/log/rails
        LD_PRELOAD=/usr/lib/libjemalloc.so.1 HOME=/home/discourse USER=discourse exec chpst -u discourse:www-data -U discourse:www-data bundle exec config/unicorn_launcher -E production -c config/unicorn.conf.rb

  - file:
     path: /etc/service/nginx/run
     chmod: "+x"
     contents: |
        #!/bin/sh
        exec 2>&1
        exec /usr/sbin/nginx

  - file:
     path: /etc/runit/3.d/01-nginx
     chmod: "+x"
     contents: |
       #!/bin/bash
       sv stop nginx

  - file:
     path: /etc/runit/3.d/02-unicorn
     chmod: "+x"
     contents: |
       #!/bin/bash
       sv stop unicorn

  - exec:
      cd: $home
      hook: code
      cmd:
        - git reset --hard
        - git clean -f
        - git remote set-branches --add origin master
        - git pull
        - git fetch origin $version
        - git checkout $version
        - mkdir -p tmp/pids
        - mkdir -p tmp/sockets
        - touch tmp/.gitkeep
        - mkdir -p                    /shared/log/rails
        - bash -c "touch -a           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log"
        - bash -c "ln    -s           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log $home/log"
        - bash -c "mkdir -p           /shared/{uploads,backups}"
        - bash -c "ln    -s           /shared/{uploads,backups} $home/public"
        - chown -R discourse:www-data /shared/log/rails /shared/uploads /shared/backups

  - exec:
      cmd:
        - "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf"
        - "rm /etc/nginx/sites-enabled/default"
        - "mkdir -p /var/nginx/cache"

  - replace:
      filename: /etc/nginx/nginx.conf
      from: pid /run/nginx.pid;
      to: daemon off;

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /upstream[^\}]+\}/m
      to: "upstream discourse {
        server 127.0.0.1:3000;
      }"

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /server_name.+$/
      to: server_name _ ;

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /client_max_body_size.+$/
      to: client_max_body_size $upload_size ;

  - exec:
      cmd: echo "done configuring web"
      hook: web_config

  - exec:
      cd: $home
      hook: web
      cmd:
        # ensure we are on latest bundler
        - gem update bundler
        - chown -R discourse $home

  - exec:
      cd: $home
      hook: bundle_exec
      cmd:
        - su discourse -c 'bundle install --deployment --verbose --without test --without development'
        - su discourse -c 'bundle exec rake db:migrate'
        - su discourse -c 'bundle exec rake assets:precompile'

  - file:
     path: /usr/local/bin/discourse
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/discourse "$@")

  - file:
     path: /usr/local/bin/rails
     chmod: +x
     contents: |
       #!/bin/bash
       # If they requested a console, load pry instead
       if [ "$*" == "c" -o "$*" == "console" ]
       then
        (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec pry -r ./config/environment)
       else
        (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/rails "$@")
       fi

  - file:
     path: /usr/local/bin/rake
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec bin/rake "$@")

  - file:
     path: /etc/update-motd.d/10-web
     chmod: +x
     contents: |
       #!/bin/bash
       echo
       echo Use: rails, rake or discourse to execute commands in production
       echo

  - file:
     path: /etc/logrotate.d/rails
     contents: |
        /shared/log/rails/*.log
        {
                rotate 14
                dateext
                daily
                missingok
                notifempty
                delaycompress
                compress
                postrotate
                sv 1 unicorn
                endscript
        }

  - file:
     path: /etc/logrotate.d/nginx
     contents: |
        /var/log/nginx/*.log {
          daily
          missingok
          rotate 14
          compress
          delaycompress
          notifempty
          create 0640 www-data www-data
          sharedscripts
          postrotate
            sv 1 nginx
          endscript
        }

  # move state out of the container this fancy is done to support rapid rebuilds of containers,
  # we store anacron and logrotate state outside the container to ensure its maintained across builds
  # later move this snipped into an intialization script
  # we also ensure all the symlinks we need to /shared are in place in the correct structure
  # this allows us to bootstrap on one machine and then run on another
  - file:
      path: /etc/runit/1.d/00-ensure-links
      chmod: +x
      contents: |
        #!/bin/bash
        if [[ ! -L /var/lib/logrotate ]]; then
          rm -fr /var/lib/logrotate
          mkdir -p /shared/state/logrotate
          ln -s /shared/state/logrotate /var/lib/logrotate
        fi
        if [[ ! -L /var/spool/anacron ]]; then
          rm -fr /var/spool/anacron
          mkdir -p /shared/state/anacron-spool
          ln -s /shared/state/anacron-spool /var/spool/anacron
        fi
        if [[ ! -d /shared/log/rails ]]; then
          mkdir -p /shared/log/rails
          chown -R discourse:www-data /shared/log/rails
        fi
        if [[ ! -d /shared/uploads ]]; then
          mkdir -p /shared/uploads
          chown -R discourse:www-data /shared/uploads
        fi
        if [[ ! -d /shared/backups ]]; then
          mkdir -p /shared/backups
          chown -R discourse:www-data /shared/backups
        fi

  # change login directory to Discourse home
  - file:
     path: /root/.bash_profile
     chmod: 644
     contents: |
        cd $home
Commit	Line	Data
9fb5f2d3	1	env:
9fb5f2d3	2	# You can have redis on a different box
9fb5f2d3 SS	3	RAILS_ENV: 'production'
9fb5f2d3 SS	4	UNICORN_WORKERS: 3
42b06eef	5	UNICORN_SIDEKIQS: 1
5819e899 S	6	# this gives us very good cache coverage, 96 -> 99
5819e899 S	7	# in practice it is 1-2% perf improvement
54e43936	8	RUBY_GLOBAL_METHOD_CACHE_SIZE: 131072
9fb5f2d3	9
9be8f5b9	10	DISCOURSE_DB_SOCKET: /var/run/postgresql
c148f4c9 SS	11	DISCOURSE_DB_HOST:
c148f4c9 SS	12	DISCOURSE_DB_PORT:
38000fc6 SS	13
38000fc6 SS	14
9fb5f2d3 SS	15	params:
9fb5f2d3 SS	16	# SSH key is required for remote access into the container
b56a2bd7	17	version: tests-passed
9fb5f2d3 SS	18
9fb5f2d3 SS	19	home: /var/www/discourse
44c59d37	20	upload_size: 10m
9fb5f2d3	21
9fb5f2d3	22	run:
d321b1b8	23	# see: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
d47aa69b S	24	- replace:
	25	filename: /usr/local/etc/ImageMagick-6/policy.xml
	26	from: "<policymap>"
	27	to: \|
	28	<policymap>
	29	<policy domain="coder" rights="none" pattern="EPHEMERAL" />
ada30c34	30	<policy domain="coder" rights="none" pattern="URL" />
d47aa69b S	31	<policy domain="coder" rights="none" pattern="HTTPS" />
	32	<policy domain="coder" rights="none" pattern="MVG" />
	33	<policy domain="coder" rights="none" pattern="MSL" />
ada30c34 MT	34	<policy domain="coder" rights="none" pattern="TEXT" />
	35	<policy domain="coder" rights="none" pattern="SHOW" />
	36	<policy domain="coder" rights="none" pattern="WIN" />
	37	<policy domain="coder" rights="none" pattern="PLT" />
d47aa69b	38
b7f9f4c7	39	- exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_SMTP_ADDRESS"] == "smtp.example.com"; puts "Aborting! Mail is not configured!"; exit 1; end'
28aa70d0	40	- exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_HOSTNAME"] == "discourse.example.com"; puts "Aborting! Domain is not configured!"; exit 1; end'
cc81fc95	41	- exec: chown -R discourse /home/discourse
87f8d0b3	42	- file:
089518ef	43	path: /etc/runit/1.d/copy-env
87f8d0b3 SS	44	chmod: "+x"
	45	contents: \|
	46	#!/bin/bash
c4498636	47	env > ~/boot_env
87f8d0b3	48	conf=/var/www/discourse/config/discourse.conf
87f8d0b3	49
1cb802ad	50	# find DISCOURSE_ env vars, strip the leader, lowercase the key
797864e6	51	/usr/local/bin/ruby -e 'ENV.each{\|k,v\| puts "#{$1.downcase} = #{v}" if k =~ /^DISCOURSE_(.*)/}' > $conf
1cb802ad	52
f132a635 S	53	- file:
	54	path: /etc/runit/1.d/enable-brotli
	55	chmod: "+x"
	56	contents: \|
	57	#!/bin/bash
	58	[ ! -z "$COMPRESS_BROTLI" ] && sed -i "s/. brotli/ brotli/" /etc/nginx/conf.d/discourse.conf \|\| sed -i "s/. brotli/# brotli/" /etc/nginx/conf.d/discourse.conf
	59
b3d252a0	60	- file:
4316c5e5 S	61	path: /etc/runit/1.d/ensure-web-nginx-read
	62	chmod: "+x"
	63	contents: \|
b3d252a0	64	#!/bin/bash
2191df8b	65	mkdir -p /var/log/nginx
b3d252a0 S	66	chgrp -R www-data /var/log/nginx
b3d252a0 S	67	chgrp www-data /var/log/nginx
4316c5e5	68
9fb5f2d3 SS	69	- file:
	70	path: /etc/service/unicorn/run
	71	chmod: "+x"
	72	contents: \|
	73	#!/bin/bash
	74	exec 2>&1
9fb5f2d3 SS	75	# redis
	76	# postgres
	77	cd $home
6d00b2fa	78	chown -R discourse:www-data /shared/log/rails
56e5e6c2	79	LD_PRELOAD=/usr/lib/libjemalloc.so.1 HOME=/home/discourse USER=discourse exec chpst -u discourse:www-data -U discourse:www-data bundle exec config/unicorn_launcher -E production -c config/unicorn.conf.rb
9fb5f2d3	80
9fb5f2d3 SS	81	- file:
	82	path: /etc/service/nginx/run
	83	chmod: "+x"
	84	contents: \|
	85	#!/bin/sh
	86	exec 2>&1
	87	exec /usr/sbin/nginx
	88
074f2b6a S	89	- file:
	90	path: /etc/runit/3.d/01-nginx
	91	chmod: "+x"
	92	contents: \|
	93	#!/bin/bash
	94	sv stop nginx
	95
	96	- file:
	97	path: /etc/runit/3.d/02-unicorn
	98	chmod: "+x"
	99	contents: \|
	100	#!/bin/bash
	101	sv stop unicorn
	102
9fb5f2d3 SS	103	- exec:
	104	cd: $home
	105	hook: code
	106	cmd:
	107	- git reset --hard
	108	- git clean -f
36c6b609	109	- git remote set-branches --add origin master
d9c1b419 S	110	- git pull
d9c1b419 S	111	- git fetch origin $version
9fb5f2d3	112	- git checkout $version
9fb5f2d3 SS	113	- mkdir -p tmp/pids
9fb5f2d3 SS	114	- mkdir -p tmp/sockets
b150cad1	115	- touch tmp/.gitkeep
e56a65f6	116	- mkdir -p /shared/log/rails
b6227eb0	117	- bash -c "touch -a /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log"
e56a65f6 MB	118	- bash -c "ln -s /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr}.log $home/log"
	119	- bash -c "mkdir -p /shared/{uploads,backups}"
	120	- bash -c "ln -s /shared/{uploads,backups} $home/public"
	121	- chown -R discourse:www-data /shared/log/rails /shared/uploads /shared/backups
c4498636	122
9fb5f2d3 SS	123	- exec:
	124	cmd:
	125	- "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf"
	126	- "rm /etc/nginx/sites-enabled/default"
69c891fd	127	- "mkdir -p /var/nginx/cache"
9fb5f2d3 SS	128
	129	- replace:
	130	filename: /etc/nginx/nginx.conf
	131	from: pid /run/nginx.pid;
	132	to: daemon off;
	133
	134	- replace:
	135	filename: "/etc/nginx/conf.d/discourse.conf"
	136	from: /upstream[^\}]+\}/m
	137	to: "upstream discourse {
	138	server 127.0.0.1:3000;
	139	}"
	140
	141	- replace:
	142	filename: "/etc/nginx/conf.d/discourse.conf"
	143	from: /server_name.+$/
	144	to: server_name _ ;
	145
6e23c775	146	- replace:
	147	filename: "/etc/nginx/conf.d/discourse.conf"
	148	from: /client_max_body_size.+$/
	149	to: client_max_body_size $upload_size ;
	150
9e8e16a8 SS	151	- exec:
	152	cmd: echo "done configuring web"
	153	hook: web_config
	154
9fb5f2d3 SS	155	- exec:
9fb5f2d3 SS	156	cd: $home
62418f96	157	hook: web
9fb5f2d3	158	cmd:
e64b0a0b S	159	# ensure we are on latest bundler
e64b0a0b S	160	- gem update bundler
9fb5f2d3	161	- chown -R discourse $home
70710fa0 EG	162
	163	- exec:
	164	cd: $home
	165	hook: bundle_exec
	166	cmd:
e56a65f6 MB	167	- su discourse -c 'bundle install --deployment --verbose --without test --without development'
	168	- su discourse -c 'bundle exec rake db:migrate'
	169	- su discourse -c 'bundle exec rake assets:precompile'
9fb5f2d3	170
553a4fc9 S	171	- file:
	172	path: /usr/local/bin/discourse
	173	chmod: +x
	174	contents: \|
	175	#!/bin/bash
8a02b91e	176	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/discourse "$@")
553a4fc9 S	177
	178	- file:
	179	path: /usr/local/bin/rails
	180	chmod: +x
	181	contents: \|
	182	#!/bin/bash
cbfcacda	183	# If they requested a console, load pry instead
d16335a6	184	if [ "$" == "c" -o "$" == "console" ]
cbfcacda	185	then
8a02b91e	186	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec pry -r ./config/environment)
cbfcacda	187	else
8a02b91e	188	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/rails "$@")
cbfcacda	189	fi
553a4fc9 S	190
	191	- file:
	192	path: /usr/local/bin/rake
	193	chmod: +x
	194	contents: \|
	195	#!/bin/bash
8a02b91e	196	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec bin/rake "$@")
553a4fc9 S	197
	198	- file:
	199	path: /etc/update-motd.d/10-web
	200	chmod: +x
	201	contents: \|
	202	#!/bin/bash
	203	echo
	204	echo Use: rails, rake or discourse to execute commands in production
	205	echo
	206
be82e068 S	207	- file:
	208	path: /etc/logrotate.d/rails
	209	contents: \|
	210	/shared/log/rails/*.log
	211	{
	212	rotate 14
	213	dateext
	214	daily
	215	missingok
	216	notifempty
	217	delaycompress
	218	compress
	219	postrotate
	220	sv 1 unicorn
	221	endscript
	222	}
55737024	223
5d256035 S	224	- file:
	225	path: /etc/logrotate.d/nginx
	226	contents: \|
	227	/var/log/nginx/*.log {
	228	daily
	229	missingok
	230	rotate 14
	231	compress
	232	delaycompress
	233	notifempty
b3d252a0	234	create 0640 www-data www-data
5d256035 S	235	sharedscripts
	236	postrotate
	237	sv 1 nginx
	238	endscript
	239	}
55737024	240
25a7de18 S	241	# move state out of the container this fancy is done to support rapid rebuilds of containers,
	242	# we store anacron and logrotate state outside the container to ensure its maintained across builds
	243	# later move this snipped into an intialization script
be55cb66 S	244	# we also ensure all the symlinks we need to /shared are in place in the correct structure
	245	# this allows us to bootstrap on one machine and then run on another
	246	- file:
	247	path: /etc/runit/1.d/00-ensure-links
	248	chmod: +x
	249	contents: \|
	250	#!/bin/bash
	251	if [[ ! -L /var/lib/logrotate ]]; then
	252	rm -fr /var/lib/logrotate
	253	mkdir -p /shared/state/logrotate
	254	ln -s /shared/state/logrotate /var/lib/logrotate
	255	fi
	256	if [[ ! -L /var/spool/anacron ]]; then
	257	rm -fr /var/spool/anacron
	258	mkdir -p /shared/state/anacron-spool
	259	ln -s /shared/state/anacron-spool /var/spool/anacron
	260	fi
	261	if [[ ! -d /shared/log/rails ]]; then
	262	mkdir -p /shared/log/rails
	263	chown -R discourse:www-data /shared/log/rails
	264	fi
	265	if [[ ! -d /shared/uploads ]]; then
	266	mkdir -p /shared/uploads
	267	chown -R discourse:www-data /shared/uploads
	268	fi
	269	if [[ ! -d /shared/backups ]]; then
	270	mkdir -p /shared/backups
	271	chown -R discourse:www-data /shared/backups
	272	fi
0c456e8c EG	273
	274	# change login directory to Discourse home
	275	- file:
	276	path: /root/.bash_profile
	277	chmod: 644
	278	contents: \|
	279	cd $home