[discourse_docker.git] / templates / web.template.yml

env:
  # You can have redis on a different box
  RAILS_ENV: 'production'
  UNICORN_WORKERS: 3
  UNICORN_SIDEKIQS: 1
  # this gives us very good cache coverage, 96 -> 99
  # in practice it is 1-2% perf improvement
  RUBY_GLOBAL_METHOD_CACHE_SIZE: 131072
  # stop heap doubling in size so aggressively, this conserves memory
  RUBY_GC_HEAP_GROWTH_MAX_SLOTS: 40000
  RUBY_GC_HEAP_INIT_SLOTS: 400000
  RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR: 1.5

  DISCOURSE_DB_SOCKET: /var/run/postgresql
  DISCOURSE_DB_HOST:
  DISCOURSE_DB_PORT:


params:
  version: tests-passed

  home: /var/www/discourse
  upload_size: 10m

run:
  - exec: thpoff echo "thpoff is installed!"
  - exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_SMTP_ADDRESS"] == "smtp.example.com"; puts "Aborting! Mail is not configured!"; exit 1; end'
  - exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_HOSTNAME"] == "discourse.example.com"; puts "Aborting! Domain is not configured!"; exit 1; end'
  - exec: /usr/local/bin/ruby -e 'if (ENV["DISCOURSE_CDN_URL"] || "")[0..1] == "//"; puts "Aborting! CDN must have a protocol specified. Once fixed you should rebake your posts now to correct all posts."; exit 1; end'
  - exec: chown -R discourse /home/discourse
  # TODO: move to base image (anacron can not be fired up using rc.d)
  - exec: rm -f /etc/cron.d/anacron
  - file:
     path: /etc/cron.d/anacron
     contents: |
        SHELL=/bin/sh
        PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

        30 7    * * *   root	/usr/sbin/anacron -s >/dev/null
  - file:
     path: /etc/runit/1.d/copy-env
     chmod: "+x"
     contents: |
        #!/bin/bash
        env > ~/boot_env
        conf=/var/www/discourse/config/discourse.conf

        # find DISCOURSE_ env vars, strip the leader, lowercase the key
        /usr/local/bin/ruby -e 'ENV.each{|k,v| puts "#{$1.downcase} = '\''#{v}'\''" if k =~ /^DISCOURSE_(.*)/}' > $conf

  - file:
     path: /etc/service/unicorn/run
     chmod: "+x"
     contents: |
        #!/bin/bash
        exec 2>&1
        # redis
        # postgres
        cd $home
        chown -R discourse:www-data /shared/log/rails
        LD_PRELOAD=$RUBY_ALLOCATOR HOME=/home/discourse USER=discourse exec thpoff chpst -u discourse:www-data -U discourse:www-data bundle exec config/unicorn_launcher -E production -c config/unicorn.conf.rb

  - file:
     path: /etc/service/nginx/run
     chmod: "+x"
     contents: |
        #!/bin/sh
        exec 2>&1
        exec /usr/sbin/nginx

  - file:
     path: /etc/runit/3.d/01-nginx
     chmod: "+x"
     contents: |
       #!/bin/bash
       sv stop nginx

  - file:
     path: /etc/runit/3.d/02-unicorn
     chmod: "+x"
     contents: |
       #!/bin/bash
       sv stop unicorn

  - exec:
      cd: $home
      hook: code
      cmd:
        - git reset --hard
        - git clean -f
        - git remote set-branches --add origin master
        - git remote set-branches origin $version
        - git fetch --depth 1 origin $version
        - git checkout $version
        - mkdir -p tmp
        - chown discourse:www-data tmp
        - mkdir -p tmp/pids
        - mkdir -p tmp/sockets
        - touch tmp/.gitkeep
        - mkdir -p                    /shared/log/rails
        - bash -c "touch -a           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr,sidekiq}.log"
        - bash -c "ln    -s           /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr,sidekiq}.log $home/log"
        - bash -c "mkdir -p           /shared/{uploads,backups}"
        - bash -c "ln    -s           /shared/{uploads,backups} $home/public"
        - bash -c "mkdir -p           /shared/tmp/{backups,restores}"
        - bash -c "ln    -s           /shared/tmp/{backups,restores} $home/tmp"
        - chown -R discourse:www-data /shared/log/rails /shared/uploads /shared/backups /shared/tmp
        # scrub broken symlinks from plugins that have been removed
        - find public/plugins/ -maxdepth 1 -xtype l -delete

  - exec:
      cmd:
        - "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf"
        - "rm /etc/nginx/sites-enabled/default"
        - "mkdir -p /var/nginx/cache"

  - replace:
      filename: /etc/nginx/nginx.conf
      from: pid /run/nginx.pid;
      to: daemon off;

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /upstream[^\}]+\}/m
      to: "upstream discourse {
        server 127.0.0.1:3000;
      }"

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /server_name.+$/
      to: server_name _ ;

  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /client_max_body_size.+$/
      to: client_max_body_size $upload_size ;

  - exec:
      cmd: echo "done configuring web"
      hook: web_config

  - exec:
      cd: $home
      hook: web
      cmd:
        # ensure we are on latest bundler
        - gem update bundler
        - find $home ! -user discourse -exec chown discourse {} \+

  - exec:
      cd: $home
      hook: bundle_exec
      cmd:
        - su discourse -c 'bundle install --deployment --retry 3 --jobs 4 --verbose --without test development'

  - exec:
      cd: $home
      cmd:
        - su discourse -c 'bundle exec rake plugin:pull_compatible_all'
      raise_on_fail: false

  - exec:
      cd: $home
      hook: db_migrate
      cmd:
        - su discourse -c 'bundle exec rake db:migrate'
  - exec:
      cd: $home
      hook: assets_precompile
      cmd:
        - su discourse -c 'bundle exec rake themes:update assets:precompile'

  - file:
     path: /usr/local/bin/discourse
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/discourse "$@")

  - file:
     path: /usr/local/bin/rails
     chmod: +x
     contents: |
       #!/bin/bash
       # If they requested a console, load pry instead
       if [ "$*" == "c" -o "$*" == "console" ]
       then
        (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec pry -r ./config/environment)
       else
        (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/rails "$@")
       fi

  - file:
     path: /usr/local/bin/rake
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec bin/rake "$@")

  - file:
     path: /usr/local/bin/rbtrace
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec rbtrace "$@")

  - file:
     path: /usr/local/bin/stackprof
     chmod: +x
     contents: |
       #!/bin/bash
       (cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec stackprof "$@")

  - file:
     path: /etc/update-motd.d/10-web
     chmod: +x
     contents: |
       #!/bin/bash
       echo
       echo Use: rails, rake or discourse to execute commands in production
       echo

  - file:
     path: /etc/logrotate.d/rails
     contents: |
        /shared/log/rails/*.log
        {
                rotate 7
                dateext
                daily
                missingok
                delaycompress
                compress
                postrotate
                sv 1 unicorn
                endscript
        }

  - file:
     path: /etc/logrotate.d/nginx
     contents: |
        /var/log/nginx/*.log {
          daily
          missingok
          rotate 7
          compress
          delaycompress
          create 0644 www-data www-data
          sharedscripts
          postrotate
            sv 1 nginx
          endscript
        }

  # move state out of the container this fancy is done to support rapid rebuilds of containers,
  # we store anacron and logrotate state outside the container to ensure its maintained across builds
  # later move this snipped into an intialization script
  # we also ensure all the symlinks we need to /shared are in place in the correct structure
  # this allows us to bootstrap on one machine and then run on another
  - file:
      path: /etc/runit/1.d/00-ensure-links
      chmod: +x
      contents: |
        #!/bin/bash
        if [[ ! -L /var/lib/logrotate ]]; then
          rm -fr /var/lib/logrotate
          mkdir -p /shared/state/logrotate
          ln -s /shared/state/logrotate /var/lib/logrotate
        fi
        if [[ ! -L /var/spool/anacron ]]; then
          rm -fr /var/spool/anacron
          mkdir -p /shared/state/anacron-spool
          ln -s /shared/state/anacron-spool /var/spool/anacron
        fi
        if [[ ! -d /shared/log/rails ]]; then
          mkdir -p /shared/log/rails
          chown -R discourse:www-data /shared/log/rails
        fi
        if [[ ! -d /shared/uploads ]]; then
          mkdir -p /shared/uploads
          chown -R discourse:www-data /shared/uploads
        fi
        if [[ ! -d /shared/backups ]]; then
          mkdir -p /shared/backups
          chown -R discourse:www-data /shared/backups
        fi

        rm -rf /shared/tmp/{backups,restores}
        mkdir -p /shared/tmp/{backups,restores}
        chown -R discourse:www-data /shared/tmp/{backups,restores}
  - file:
      path: /etc/runit/1.d/01-cleanup-web-pids
      chmod: +x
      contents: |
        #!/bin/bash
        /bin/rm -f /var/www/discourse/tmp/pids/*.pid
  # change login directory to Discourse home
  - file:
     path: /root/.bash_profile
     chmod: 644
     contents: |
        cd $home

  - file:
     path: /usr/local/etc/ImageMagick-7/policy.xml
     contents: |
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE policymap [
          <!ELEMENT policymap (policy)+>
          <!ATTLIST policymap xmlns CDATA #FIXED ''>
          <!ELEMENT policy EMPTY>
          <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
            name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
            stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
        ]>
        <!--
          Configure ImageMagick policies.

          Domains include system, delegate, coder, filter, path, or resource.

          Rights include none, read, write, execute and all.  Use | to combine them,
          for example: "read | write" to permit read from, or write to, a path.

          Use a glob expression as a pattern.

          Suppose we do not want users to process MPEG video images:

            <policy domain="delegate" rights="none" pattern="mpeg:decode" />

          Here we do not want users reading images from HTTP:

            <policy domain="coder" rights="none" pattern="HTTP" />

          The /repository file system is restricted to read only.  We use a glob
          expression to match all paths that start with /repository:

            <policy domain="path" rights="read" pattern="/repository/*" />

          Lets prevent users from executing any image filters:

            <policy domain="filter" rights="none" pattern="*" />

          Any large image is cached to disk rather than memory:

            <policy domain="resource" name="area" value="1GP"/>

          Define arguments for the memory, map, area, width, height and disk resources
          with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
          for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
          exceeds policy maximum so memory limit is 1GB).

          Rules are processed in order.  Here we want to restrict ImageMagick to only
          read or write a small subset of proven web-safe image types:

            <policy domain="delegate" rights="none" pattern="*" />
            <policy domain="filter" rights="none" pattern="*" />
            <policy domain="coder" rights="none" pattern="*" />
            <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
        -->
        <policymap>
          <!-- <policy domain="system" name="shred" value="2"/> -->
          <!-- <policy domain="system" name="precision" value="6"/> -->
          <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
          <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
          <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
          <policy domain="resource" name="memory" value="1GiB"/>
          <policy domain="resource" name="map" value="2GiB"/>
          <policy domain="resource" name="width" value="64KP"/>
          <policy domain="resource" name="height" value="64KP"/>
          <!-- <policy domain="resource" name="list-length" value="128"/> -->
          <policy domain="resource" name="area" value="4GP"/>
          <policy domain="resource" name="disk" value="8GiB"/>
          <!-- <policy domain="resource" name="file" value="768"/> -->
          <!-- <policy domain="resource" name="thread" value="4"/> -->
          <!-- <policy domain="resource" name="throttle" value="0"/> -->
          <!-- <policy domain="resource" name="time" value="3600"/> -->
          <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
          <policy domain="module" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
          <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
          <!-- <policy domain="path" rights="none" pattern="@*" /> -->
          <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
          <!-- <policy domain="cache" name="synchronize" value="True"/> -->
          <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
        </policymap>
Commit	Line	Data
9fb5f2d3	1	env:
9fb5f2d3	2	# You can have redis on a different box
9fb5f2d3 SS	3	RAILS_ENV: 'production'
9fb5f2d3 SS	4	UNICORN_WORKERS: 3
42b06eef	5	UNICORN_SIDEKIQS: 1
5819e899 S	6	# this gives us very good cache coverage, 96 -> 99
5819e899 S	7	# in practice it is 1-2% perf improvement
54e43936	8	RUBY_GLOBAL_METHOD_CACHE_SIZE: 131072
5d1848f5 S	9	# stop heap doubling in size so aggressively, this conserves memory
	10	RUBY_GC_HEAP_GROWTH_MAX_SLOTS: 40000
	11	RUBY_GC_HEAP_INIT_SLOTS: 400000
	12	RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR: 1.5
9fb5f2d3	13
9be8f5b9	14	DISCOURSE_DB_SOCKET: /var/run/postgresql
c148f4c9 SS	15	DISCOURSE_DB_HOST:
c148f4c9 SS	16	DISCOURSE_DB_PORT:
38000fc6 SS	17
38000fc6 SS	18
9fb5f2d3	19	params:
b56a2bd7	20	version: tests-passed
9fb5f2d3 SS	21
9fb5f2d3 SS	22	home: /var/www/discourse
44c59d37	23	upload_size: 10m
9fb5f2d3	24
9fb5f2d3	25	run:
b1572a5e	26	- exec: thpoff echo "thpoff is installed!"
b7f9f4c7	27	- exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_SMTP_ADDRESS"] == "smtp.example.com"; puts "Aborting! Mail is not configured!"; exit 1; end'
28aa70d0	28	- exec: /usr/local/bin/ruby -e 'if ENV["DISCOURSE_HOSTNAME"] == "discourse.example.com"; puts "Aborting! Domain is not configured!"; exit 1; end'
4a3ebfac	29	- exec: /usr/local/bin/ruby -e 'if (ENV["DISCOURSE_CDN_URL"] \|\| "")[0..1] == "//"; puts "Aborting! CDN must have a protocol specified. Once fixed you should rebake your posts now to correct all posts."; exit 1; end'
cc81fc95	30	- exec: chown -R discourse /home/discourse
573617ea S	31	# TODO: move to base image (anacron can not be fired up using rc.d)
	32	- exec: rm -f /etc/cron.d/anacron
	33	- file:
	34	path: /etc/cron.d/anacron
	35	contents: \|
	36	SHELL=/bin/sh
	37	PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
	38
	39	30 7 * * * root /usr/sbin/anacron -s >/dev/null
87f8d0b3	40	- file:
089518ef	41	path: /etc/runit/1.d/copy-env
87f8d0b3 SS	42	chmod: "+x"
	43	contents: \|
	44	#!/bin/bash
c4498636	45	env > ~/boot_env
87f8d0b3	46	conf=/var/www/discourse/config/discourse.conf
87f8d0b3	47
1cb802ad	48	# find DISCOURSE_ env vars, strip the leader, lowercase the key
087e1101	49	/usr/local/bin/ruby -e 'ENV.each{\|k,v\| puts "#{$1.downcase} = '\''#{v}'\''" if k =~ /^DISCOURSE_(.*)/}' > $conf
8fc088ab	50
9fb5f2d3 SS	51	- file:
	52	path: /etc/service/unicorn/run
	53	chmod: "+x"
	54	contents: \|
	55	#!/bin/bash
	56	exec 2>&1
9fb5f2d3 SS	57	# redis
	58	# postgres
	59	cd $home
6d00b2fa	60	chown -R discourse:www-data /shared/log/rails
1404e881	61	LD_PRELOAD=$RUBY_ALLOCATOR HOME=/home/discourse USER=discourse exec thpoff chpst -u discourse:www-data -U discourse:www-data bundle exec config/unicorn_launcher -E production -c config/unicorn.conf.rb
9fb5f2d3	62
9fb5f2d3 SS	63	- file:
	64	path: /etc/service/nginx/run
	65	chmod: "+x"
	66	contents: \|
	67	#!/bin/sh
	68	exec 2>&1
	69	exec /usr/sbin/nginx
	70
074f2b6a S	71	- file:
	72	path: /etc/runit/3.d/01-nginx
	73	chmod: "+x"
	74	contents: \|
	75	#!/bin/bash
	76	sv stop nginx
	77
	78	- file:
	79	path: /etc/runit/3.d/02-unicorn
	80	chmod: "+x"
	81	contents: \|
	82	#!/bin/bash
	83	sv stop unicorn
	84
9fb5f2d3 SS	85	- exec:
	86	cd: $home
	87	hook: code
	88	cmd:
	89	- git reset --hard
	90	- git clean -f
36c6b609	91	- git remote set-branches --add origin master
e2eb0857 RSS	92	- git remote set-branches origin $version
e2eb0857 RSS	93	- git fetch --depth 1 origin $version
9fb5f2d3	94	- git checkout $version
5f7f0953 SS	95	- mkdir -p tmp
5f7f0953 SS	96	- chown discourse:www-data tmp
9fb5f2d3 SS	97	- mkdir -p tmp/pids
9fb5f2d3 SS	98	- mkdir -p tmp/sockets
b150cad1	99	- touch tmp/.gitkeep
e56a65f6	100	- mkdir -p /shared/log/rails
024ebc40 DT	101	- bash -c "touch -a /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr,sidekiq}.log"
024ebc40 DT	102	- bash -c "ln -s /shared/log/rails/{production,production_errors,unicorn.stdout,unicorn.stderr,sidekiq}.log $home/log"
e56a65f6 MB	103	- bash -c "mkdir -p /shared/{uploads,backups}"
e56a65f6 MB	104	- bash -c "ln -s /shared/{uploads,backups} $home/public"
f390d78f GS	105	- bash -c "mkdir -p /shared/tmp/{backups,restores}"
	106	- bash -c "ln -s /shared/tmp/{backups,restores} $home/tmp"
	107	- chown -R discourse:www-data /shared/log/rails /shared/uploads /shared/backups /shared/tmp
d587158a MB	108	# scrub broken symlinks from plugins that have been removed
d587158a MB	109	- find public/plugins/ -maxdepth 1 -xtype l -delete
c4498636	110
9fb5f2d3 SS	111	- exec:
	112	cmd:
	113	- "cp $home/config/nginx.sample.conf /etc/nginx/conf.d/discourse.conf"
	114	- "rm /etc/nginx/sites-enabled/default"
69c891fd	115	- "mkdir -p /var/nginx/cache"
9fb5f2d3 SS	116
	117	- replace:
	118	filename: /etc/nginx/nginx.conf
	119	from: pid /run/nginx.pid;
	120	to: daemon off;
	121
	122	- replace:
	123	filename: "/etc/nginx/conf.d/discourse.conf"
	124	from: /upstream[^\}]+\}/m
	125	to: "upstream discourse {
	126	server 127.0.0.1:3000;
	127	}"
	128
	129	- replace:
	130	filename: "/etc/nginx/conf.d/discourse.conf"
	131	from: /server_name.+$/
	132	to: server_name _ ;
	133
6e23c775	134	- replace:
	135	filename: "/etc/nginx/conf.d/discourse.conf"
	136	from: /client_max_body_size.+$/
	137	to: client_max_body_size $upload_size ;
	138
9e8e16a8 SS	139	- exec:
	140	cmd: echo "done configuring web"
	141	hook: web_config
	142
9fb5f2d3 SS	143	- exec:
9fb5f2d3 SS	144	cd: $home
62418f96	145	hook: web
9fb5f2d3	146	cmd:
e64b0a0b S	147	# ensure we are on latest bundler
e64b0a0b S	148	- gem update bundler
aef8682f	149	- find $home ! -user discourse -exec chown discourse {} \+
70710fa0 EG	150
	151	- exec:
	152	cd: $home
	153	hook: bundle_exec
	154	cmd:
b8866fb9	155	- su discourse -c 'bundle install --deployment --retry 3 --jobs 4 --verbose --without test development'
8026a344	156
2c8a7546 JW	157	- exec:
	158	cd: $home
	159	cmd:
	160	- su discourse -c 'bundle exec rake plugin:pull_compatible_all'
	161	raise_on_fail: false
	162
5716d28f SS	163	- exec:
	164	cd: $home
	165	hook: db_migrate
	166	cmd:
e56a65f6	167	- su discourse -c 'bundle exec rake db:migrate'
5716d28f SS	168	- exec:
	169	cd: $home
	170	hook: assets_precompile
	171	cmd:
308dbfef DU	172	- su discourse -c 'bundle exec rake themes:update assets:precompile'
308dbfef DU	173
553a4fc9 S	174	- file:
	175	path: /usr/local/bin/discourse
	176	chmod: +x
	177	contents: \|
	178	#!/bin/bash
8a02b91e	179	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/discourse "$@")
553a4fc9 S	180
	181	- file:
	182	path: /usr/local/bin/rails
	183	chmod: +x
	184	contents: \|
	185	#!/bin/bash
cbfcacda	186	# If they requested a console, load pry instead
d16335a6	187	if [ "$" == "c" -o "$" == "console" ]
cbfcacda	188	then
8a02b91e	189	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec pry -r ./config/environment)
cbfcacda	190	else
8a02b91e	191	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec script/rails "$@")
cbfcacda	192	fi
553a4fc9 S	193
	194	- file:
	195	path: /usr/local/bin/rake
	196	chmod: +x
	197	contents: \|
	198	#!/bin/bash
8a02b91e	199	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec bin/rake "$@")
553a4fc9	200
e9505520 S	201	- file:
	202	path: /usr/local/bin/rbtrace
	203	chmod: +x
	204	contents: \|
	205	#!/bin/bash
755fff35	206	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec rbtrace "$@")
e9505520 S	207
	208	- file:
	209	path: /usr/local/bin/stackprof
	210	chmod: +x
	211	contents: \|
	212	#!/bin/bash
755fff35	213	(cd /var/www/discourse && RAILS_ENV=production sudo -H -E -u discourse bundle exec stackprof "$@")
e9505520	214
553a4fc9 S	215	- file:
	216	path: /etc/update-motd.d/10-web
	217	chmod: +x
	218	contents: \|
	219	#!/bin/bash
	220	echo
	221	echo Use: rails, rake or discourse to execute commands in production
	222	echo
	223
be82e068 S	224	- file:
	225	path: /etc/logrotate.d/rails
	226	contents: \|
	227	/shared/log/rails/*.log
	228	{
bfe8ac94	229	rotate 7
be82e068 S	230	dateext
	231	daily
	232	missingok
be82e068 S	233	delaycompress
	234	compress
	235	postrotate
	236	sv 1 unicorn
	237	endscript
	238	}
55737024	239
5d256035 S	240	- file:
	241	path: /etc/logrotate.d/nginx
	242	contents: \|
	243	/var/log/nginx/*.log {
	244	daily
	245	missingok
bfe8ac94	246	rotate 7
5d256035 S	247	compress
5d256035 S	248	delaycompress
8fc088ab	249	create 0644 www-data www-data
5d256035 S	250	sharedscripts
	251	postrotate
	252	sv 1 nginx
	253	endscript
	254	}
55737024	255
25a7de18 S	256	# move state out of the container this fancy is done to support rapid rebuilds of containers,
	257	# we store anacron and logrotate state outside the container to ensure its maintained across builds
	258	# later move this snipped into an intialization script
be55cb66 S	259	# we also ensure all the symlinks we need to /shared are in place in the correct structure
	260	# this allows us to bootstrap on one machine and then run on another
	261	- file:
	262	path: /etc/runit/1.d/00-ensure-links
	263	chmod: +x
	264	contents: \|
	265	#!/bin/bash
	266	if [[ ! -L /var/lib/logrotate ]]; then
	267	rm -fr /var/lib/logrotate
	268	mkdir -p /shared/state/logrotate
	269	ln -s /shared/state/logrotate /var/lib/logrotate
	270	fi
	271	if [[ ! -L /var/spool/anacron ]]; then
	272	rm -fr /var/spool/anacron
	273	mkdir -p /shared/state/anacron-spool
	274	ln -s /shared/state/anacron-spool /var/spool/anacron
	275	fi
	276	if [[ ! -d /shared/log/rails ]]; then
	277	mkdir -p /shared/log/rails
	278	chown -R discourse:www-data /shared/log/rails
	279	fi
	280	if [[ ! -d /shared/uploads ]]; then
	281	mkdir -p /shared/uploads
	282	chown -R discourse:www-data /shared/uploads
	283	fi
	284	if [[ ! -d /shared/backups ]]; then
	285	mkdir -p /shared/backups
	286	chown -R discourse:www-data /shared/backups
	287	fi
0c456e8c	288
f390d78f GS	289	rm -rf /shared/tmp/{backups,restores}
	290	mkdir -p /shared/tmp/{backups,restores}
	291	chown -R discourse:www-data /shared/tmp/{backups,restores}
ca39457f SS	292	- file:
	293	path: /etc/runit/1.d/01-cleanup-web-pids
	294	chmod: +x
	295	contents: \|
	296	#!/bin/bash
	297	/bin/rm -f /var/www/discourse/tmp/pids/*.pid
0c456e8c EG	298	# change login directory to Discourse home
	299	- file:
	300	path: /root/.bash_profile
	301	chmod: 644
	302	contents: \|
	303	cd $home
7b3d1c51	304
	305	- file:
	306	path: /usr/local/etc/ImageMagick-7/policy.xml
	307	contents: \|
	308	<?xml version="1.0" encoding="UTF-8"?>
	309	<!DOCTYPE policymap [
	310	<!ELEMENT policymap (policy)+>
	311	<!ATTLIST policymap xmlns CDATA #FIXED ''>
	312	<!ELEMENT policy EMPTY>
	313	<!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
	314	name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
	315	stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
	316	]>
	317	<!--
	318	Configure ImageMagick policies.
	319
	320	Domains include system, delegate, coder, filter, path, or resource.
	321
	322	Rights include none, read, write, execute and all. Use \| to combine them,
	323	for example: "read \| write" to permit read from, or write to, a path.
	324
	325	Use a glob expression as a pattern.
	326
	327	Suppose we do not want users to process MPEG video images:
	328
	329	<policy domain="delegate" rights="none" pattern="mpeg:decode" />
	330
	331	Here we do not want users reading images from HTTP:
	332
	333	<policy domain="coder" rights="none" pattern="HTTP" />
	334
	335	The /repository file system is restricted to read only. We use a glob
	336	expression to match all paths that start with /repository:
	337
	338	<policy domain="path" rights="read" pattern="/repository/*" />
	339
	340	Lets prevent users from executing any image filters:
	341
	342	<policy domain="filter" rights="none" pattern="*" />
	343
	344	Any large image is cached to disk rather than memory:
	345
	346	<policy domain="resource" name="area" value="1GP"/>
	347
	348	Define arguments for the memory, map, area, width, height and disk resources
	349	with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
	350	for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
	351	exceeds policy maximum so memory limit is 1GB).
	352
	353	Rules are processed in order. Here we want to restrict ImageMagick to only
	354	read or write a small subset of proven web-safe image types:
	355
	356	<policy domain="delegate" rights="none" pattern="*" />
	357	<policy domain="filter" rights="none" pattern="*" />
	358	<policy domain="coder" rights="none" pattern="*" />
	359	<policy domain="coder" rights="read\|write" pattern="{GIF,JPEG,PNG,WEBP}" />
	360	-->
	361	<policymap>
	362	<!-- <policy domain="system" name="shred" value="2"/> -->
	363	<!-- <policy domain="system" name="precision" value="6"/> -->
	364	<!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
	365	<!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
	366	<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
	367	<policy domain="resource" name="memory" value="1GiB"/>
368	<policy domain="resource" name="map" value="2GiB"/>
369	<policy domain="resource" name="width" value="64KP"/>
370	<policy domain="resource" name="height" value="64KP"/>
371	<!-- <policy domain="resource" name="list-length" value="128"/> -->
372	<policy domain="resource" name="area" value="4GP"/>
373	<policy domain="resource" name="disk" value="8GiB"/>
374	<!-- <policy domain="resource" name="file" value="768"/> -->
375	<!-- <policy domain="resource" name="thread" value="4"/> -->
376	<!-- <policy domain="resource" name="throttle" value="0"/> -->
377	<!-- <policy domain="resource" name="time" value="3600"/> -->
378	<!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
379	<policy domain="module" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
380	<!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
381	<!-- <policy domain="path" rights="none" pattern="@*" /> -->
382	<!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
383	<!-- <policy domain="cache" name="synchronize" value="True"/> -->
384	<!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
385	</policymap>