From a31cf04bd7798300926bc2f2d80e6609eaaa1596 Mon Sep 17 00:00:00 2001 From: Paul Norman Date: Tue, 20 May 2025 00:57:56 -0700 Subject: [PATCH 01/16] vectortile: Analyze DBs daily --- .../vectortile/templates/default/render-lowzoom.erb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cookbooks/vectortile/templates/default/render-lowzoom.erb b/cookbooks/vectortile/templates/default/render-lowzoom.erb index cc8c87ae6..51d630472 100644 --- a/cookbooks/vectortile/templates/default/render-lowzoom.erb +++ b/cookbooks/vectortile/templates/default/render-lowzoom.erb @@ -1,6 +1,11 @@ #!/bin/sh set -eu +# The source daily vaccum is best placed before the tilegen, as it has marginal speed benefits +vacuumdb --analyze \ +-j "<%= node[:vectortile][:replication][:threads] %>" \ +-d "<%= @source_database %>" + <%= @tilekiln_bin %> generate zooms \ --source-dbname "<%= @source_database %>" \ --storage-dbname "<%= @storage_database %>" \ @@ -8,3 +13,8 @@ set -eu --config <%= @config_path %> \ --min-zoom <%= @min_zoom %> \ --max-zoom <%= @max_zoom %> + +# the daily render can add bloat, so the vacuum is done after it on the tile DB +vacuumdb --analyze \ +-j "<%= node[:vectortile][:replication][:threads] %>" \ +-d "<%= @storage_database %>" -- 2.39.5 From 6ce29dd3c1877f59ac1ed3c3c938c484d67fb310 Mon Sep 17 00:00:00 2001 From: Grant Slater Date: Wed, 21 May 2025 11:18:32 +0100 Subject: [PATCH 02/16] git: add blobdiff_plain to robots.txt exclusion --- cookbooks/git/templates/default/robots.txt.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/git/templates/default/robots.txt.erb b/cookbooks/git/templates/default/robots.txt.erb index 385fe1645..61efcd142 100644 --- a/cookbooks/git/templates/default/robots.txt.erb +++ b/cookbooks/git/templates/default/robots.txt.erb 
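Review bot: Under `set -eu`, a non-zero exit from the first `vacuumdb --analyze` call stops the script before `generate zooms` runs, so a maintenance failure on the source database also skips the daily low-zoom render. If the analyze is an optimisation rather than a precondition, let it fail softly by ending the command with something like `|| echo "vacuumdb on source database failed" >&2`. The same applies to the trailing call on the storage database in the second hunk, where a failure would report an otherwise successful render as failed. The first comment also misspells "vacuum" as "vaccum".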
@@ -5,6 +5,7 @@ Disallow: /*a=search* Disallow: /*/search/* Disallow: /*a=blobdiff* Disallow: /*/blobdiff/* +Disallow: /*/blobdiff_plain/* Disallow: /*a=commitdiff* Disallow: /*/commitdiff/* Disallow: /*a=snapshot* -- 2.39.5 From f7deb52fd18f602bf6ef862c90e81f48cda6e45b Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 22 May 2025 19:09:16 +0100 Subject: [PATCH 03/16] Manage the social_links table in the API database --- cookbooks/db/files/default/monthly-reindex.sql | 1 + cookbooks/db/recipes/master.rb | 2 ++ 2 files changed, 3 insertions(+) diff --git a/cookbooks/db/files/default/monthly-reindex.sql b/cookbooks/db/files/default/monthly-reindex.sql index ab9ae105b..ffa5faadb 100644 --- a/cookbooks/db/files/default/monthly-reindex.sql +++ b/cookbooks/db/files/default/monthly-reindex.sql @@ -28,6 +28,7 @@ REINDEX (VERBOSE) TABLE CONCURRENTLY oauth_applications; REINDEX (VERBOSE) TABLE CONCURRENTLY redactions; REINDEX (VERBOSE) TABLE CONCURRENTLY reports; REINDEX (VERBOSE) TABLE CONCURRENTLY schema_migrations; +REINDEX (VERBOSE) TABLE CONCURRENTLY social_links; REINDEX (VERBOSE) TABLE CONCURRENTLY user_blocks; REINDEX (VERBOSE) TABLE CONCURRENTLY user_mutes; REINDEX (VERBOSE) TABLE CONCURRENTLY user_preferences; diff --git a/cookbooks/db/recipes/master.rb b/cookbooks/db/recipes/master.rb index 3e57941f7..f27820652 100644 --- a/cookbooks/db/recipes/master.rb +++ b/cookbooks/db/recipes/master.rb @@ -182,6 +182,7 @@ PROMETHEUS_PERMISSIONS = { relations reports schema_migrations + social_links user_blocks user_mutes user_preferences @@ -232,6 +233,7 @@ end oauth_openid_requests_id_seq redactions_id_seq reports_id_seq + social_links_id_seq user_blocks_id_seq user_mutes_id_seq user_roles_id_seq -- 2.39.5 From d1606a78f7674befb9c2e658fe38b5854e0ced3a Mon Sep 17 00:00:00 2001 
From: Grant Slater Date: Thu, 22 May 2025 19:47:41 +0100 Subject: [PATCH 04/16] wiki: make robots.txt stricter --- .../wiki/templates/default/robots.txt.erb | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/cookbooks/wiki/templates/default/robots.txt.erb b/cookbooks/wiki/templates/default/robots.txt.erb index 8d167108f..45c43d8ff 100644 --- a/cookbooks/wiki/templates/default/robots.txt.erb +++ b/cookbooks/wiki/templates/default/robots.txt.erb @@ -8,29 +8,21 @@ Allow: / User-agent: 008 Disallow: / +User-agent: ZvonilBot +Disallow: / + +User-agent: HTTrack +Disallow: / + User-agent: * +Allow: /w/api.php?action=mobileview& +Allow: /w/load.php? +Disallow: /w/ +Disallow: /api/ +Disallow: /wiki/Special: +Disallow: /wiki/Special%3A Disallow: /index.php/ Disallow: /wiki/Spam -Allow: /w/load.php -Allow: /w/images/ -Allow: /w/skins/ -Disallow: /w/ -Disallow: /wiki/Special:Collection -Disallow: /wiki/Special:Random -Disallow: /wiki/Special%3ARandom -Disallow: /wiki/Special:Search - -User-agent: Exabot -Crawl-delay: 60 - -User-Agent: ImagesiftBot -Crawl-delay: 60 - -User-agent: SemrushBot -Crawl-delay: 60 - -User-agent: SeznamBot -Crawl-delay: 60 Sitemap: https://wiki.openstreetmap.org/sitemap-index-wiki.xml -- 2.39.5 From 7d6eddbe9e8217e6596f068c61b80d9183a2e56c Mon Sep 17 00:00:00 2001 From: Grant Slater Date: Fri, 23 May 2025 11:27:16 +0100 Subject: [PATCH 05/16] wiki: update bots in robots.txt --- cookbooks/wiki/templates/default/robots.txt.erb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/cookbooks/wiki/templates/default/robots.txt.erb b/cookbooks/wiki/templates/default/robots.txt.erb index 45c43d8ff..d8612d6f7 100644 --- a/cookbooks/wiki/templates/default/robots.txt.erb +++ b/cookbooks/wiki/templates/default/robots.txt.erb 
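Review bot: The rewritten `User-agent: *` group disallows all of `/w/` except `load.php?` and the mobileview API call, which drops the previous `Allow: /w/images/` and `Allow: /w/skins/` lines. Compliant crawlers will then stop fetching whatever is served under those paths (presumably uploaded images and skin assets), which can affect image indexing and how crawlers render pages; if that is not intended, keep `Allow: /w/images/` and `Allow: /w/skins/` above `Disallow: /w/`. The removed `Crawl-delay` groups and the new per-bot `Disallow: /` entries only bind crawlers that honour robots.txt, so any limit that must hold regardless has to be enforced in the web server. A one-line comment at the top of the template saying this file is advisory would help the next editor.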
@@ -8,10 +8,13 @@ Allow: / User-agent: 008 Disallow: / -User-agent: ZvonilBot +User-agent: HTTrack Disallow: / -User-agent: HTTrack +User-agent: DataForSeoBot +Disallow: / + +User-agent: SeznamBot Disallow: / User-agent: * -- 2.39.5 From 54a560c1919fac101870f5dd5d708925836a40e0 Mon Sep 17 00:00:00 2001 From: Sarah Hoffmann Date: Sun, 25 May 2025 14:15:28 +0200 Subject: [PATCH 06/16] nominatim: drop potentially confusing proxy header --- cookbooks/nominatim/templates/default/nginx.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb index af7ea960b..226c7599a 100644 --- a/cookbooks/nominatim/templates/default/nginx.erb +++ b/cookbooks/nominatim/templates/default/nginx.erb @@ -222,6 +222,7 @@ server { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Proxy-Connection ""; proxy_redirect off; proxy_pass http://nominatim_service; } -- 2.39.5 From 60347c7f1050db37c804048886127357498a2959 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Sun, 25 May 2025 15:58:11 +0100 Subject: [PATCH 07/16] Set a short timeout on acme.osm.org --- cookbooks/letsencrypt/templates/default/apache.erb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cookbooks/letsencrypt/templates/default/apache.erb b/cookbooks/letsencrypt/templates/default/apache.erb index 37d1df528..2073622d5 100644 --- a/cookbooks/letsencrypt/templates/default/apache.erb +++ b/cookbooks/letsencrypt/templates/default/apache.erb @@ -23,6 +23,8 @@ SSLCertificateFile /etc/ssl/certs/acme.openstreetmap.org.pem SSLCertificateKeyFile /etc/ssl/private/acme.openstreetmap.org.key + Timeout 5 + DocumentRoot /srv/acme.openstreetmap.org/html -- 2.39.5 From ffcc02249a0f230c69c7328d336d16308e840fdf Mon Sep 17 00:00:00 2001 
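Review bot: The added `proxy_set_header Proxy-Connection "";` carries no comment, and its effect is not obvious from the directive alone: an empty value makes nginx omit the header, so a client-supplied `Proxy-Connection` is not forwarded to `nominatim_service`. I would put a line above it such as `# Do not forward the client's non-standard Proxy-Connection header to the backend`. The enclosing block starts and ends outside the hunk, so it is not visible here whether other `proxy_pass` locations in this template need the same line.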
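Review bot: `Timeout 5` is added without a comment, and it bounds every I/O wait on this virtual host, not only the reading of requests. If the intent is to shed slow or stalled clients on the ACME host, say so in a comment above the directive, for example `# Drop stalled connections quickly; this host only serves small challenge files`, adjusted to whatever the real reason is. It is also worth considering `RequestReadTimeout` from mod_reqtimeout, which limits header and body read time specifically and is the more targeted control for slow-request clients. The `<VirtualHost>` block starts and ends outside the hunk.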
From: Paul Norman Date: Tue, 27 May 2025 14:50:19 -0700 Subject: [PATCH 08/16] vectortile: set postgres application_name --- cookbooks/vectortile/templates/default/import-planet.erb | 1 + cookbooks/vectortile/templates/default/render-lowzoom.erb | 1 + .../vectortile/templates/default/tilekiln-storage-init.erb | 2 ++ cookbooks/vectortile/templates/default/tiles-rerender.erb | 1 + cookbooks/vectortile/templates/default/vector-update-tile.erb | 1 + 5 files changed, 6 insertions(+) diff --git a/cookbooks/vectortile/templates/default/import-planet.erb b/cookbooks/vectortile/templates/default/import-planet.erb index 3d6110181..f0bac4058 100644 --- a/cookbooks/vectortile/templates/default/import-planet.erb +++ b/cookbooks/vectortile/templates/default/import-planet.erb @@ -8,6 +8,7 @@ set -e export LUA_PATH='/srv/vector.openstreetmap.org/osm2pgsql-themepark/lua/?.lua;;' +export PGAPPNAME='import-planet' # Import the osm2pgsql file specified as an argument, using the locations for spirit osm2pgsql \ diff --git a/cookbooks/vectortile/templates/default/render-lowzoom.erb b/cookbooks/vectortile/templates/default/render-lowzoom.erb index 51d630472..b14550f40 100644 --- a/cookbooks/vectortile/templates/default/render-lowzoom.erb +++ b/cookbooks/vectortile/templates/default/render-lowzoom.erb @@ -1,5 +1,6 @@ #!/bin/sh set -eu +export PGAPPNAME='render-lowzoom' # The source daily vaccum is best placed before the tilegen, as it has marginal speed benefits vacuumdb --analyze \ diff --git a/cookbooks/vectortile/templates/default/tilekiln-storage-init.erb b/cookbooks/vectortile/templates/default/tilekiln-storage-init.erb index 972d0e488..24a799aed 100644 --- a/cookbooks/vectortile/templates/default/tilekiln-storage-init.erb +++ b/cookbooks/vectortile/templates/default/tilekiln-storage-init.erb 
@@ -3,6 +3,8 @@ # Usage # sudo -u tileupdate tilekiln-storage-init +export PGAPPNAME='tilekiln-storage-init' + <%= @tilekiln_bin %> storage init \ --storage-dbname <%= @storage_database %> \ --config <%= @config_path %> diff --git a/cookbooks/vectortile/templates/default/tiles-rerender.erb b/cookbooks/vectortile/templates/default/tiles-rerender.erb index d1ca4bdab..910560771 100644 --- a/cookbooks/vectortile/templates/default/tiles-rerender.erb +++ b/cookbooks/vectortile/templates/default/tiles-rerender.erb @@ -1,5 +1,6 @@ #!/bin/sh set -eu +export PGAPPNAME='tiles-rerender' cd "<%= @expiry_dir %>" # Only expire z10+ tiles diff --git a/cookbooks/vectortile/templates/default/vector-update-tile.erb b/cookbooks/vectortile/templates/default/vector-update-tile.erb index a356cbb10..3db8220c0 100644 --- a/cookbooks/vectortile/templates/default/vector-update-tile.erb +++ b/cookbooks/vectortile/templates/default/vector-update-tile.erb @@ -6,6 +6,7 @@ set -eu export LUA_PATH='/srv/vector.openstreetmap.org/osm2pgsql-themepark/lua/?.lua;;' +export PGAPPNAME='vector-update' cd "<%= @expiry_dir %>" rm -f z*.txt -- 2.39.5 From c1d5c7196c1bbe8b5dfbed403fcd5ef480985333 Mon Sep 17 00:00:00 2001 From: Paul Norman Date: Tue, 27 May 2025 20:27:46 -0700 Subject: [PATCH 09/16] vectortile: Fix tilekiln application_name --- cookbooks/vectortile/recipes/default.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/vectortile/recipes/default.rb b/cookbooks/vectortile/recipes/default.rb index 1c183078d..3073dcf1a 100644 --- a/cookbooks/vectortile/recipes/default.rb +++ b/cookbooks/vectortile/recipes/default.rb 
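Review bot: The `PGAPPNAME` value in `vector-update-tile.erb` is `'vector-update'`, while the other four scripts in this commit use their own file name (`import-planet`, `render-lowzoom`, `tilekiln-storage-init`, `tiles-rerender`). The application name is what appears in `pg_stat_activity`, and in the server log when `log_line_prefix` includes `%a`, so a value that matches the script makes it easier to attribute a connection or a slow query to its source. Unless the shorter name is deliberate, I would use `export PGAPPNAME='vector-update-tile'`.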
@@ -237,6 +237,7 @@ systemd_service "tilekiln" do wants "postgresql.service" sandbox :enable_network => true restrict_address_families "AF_UNIX" + environment "PGAPPNAME" => "tilekiln" exec_start "#{tilekiln_directory}/bin/tilekiln serve #{tilekiln_mode} --storage-dbname tiles --num-threads #{node[:vectortile][:serve][:threads]} --base-url 'https://vector.openstreetmap.org'" end -- 2.39.5 From eead48217342056a398281e3ad9b692b4250f7c0 Mon Sep 17 00:00:00 2001 From: Paul Norman Date: Tue, 27 May 2025 20:49:33 -0700 Subject: [PATCH 10/16] vectortile: Set application_name for tilekiln-prometheus --- cookbooks/vectortile/recipes/default.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/vectortile/recipes/default.rb b/cookbooks/vectortile/recipes/default.rb index 3073dcf1a..b32fa1050 100644 --- a/cookbooks/vectortile/recipes/default.rb +++ b/cookbooks/vectortile/recipes/default.rb @@ -352,6 +352,7 @@ systemd_service "tilekiln-prometheus" do after "postgresql.service" wants "postgresql.service" sandbox :enable_network => true + environment "PGAPPNAME" => "tilekiln-prometheus" restrict_address_families "AF_UNIX" exec_start "#{tilekiln_directory}/bin/tilekiln prometheus --bind-host #{node[:prometheus][:address]} --storage-dbname tiles" end -- 2.39.5 From 2f6f7c9e4e13750ff0a860b0a24f2ca5099cf44e Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Wed, 28 May 2025 18:32:35 +0100 Subject: [PATCH 11/16] Modernise path to renderd run time directory --- cookbooks/tile/templates/default/render-lowzoom.erb | 2 +- cookbooks/tile/templates/default/renderd.conf.erb | 4 ++-- cookbooks/tile/templates/default/tile.conf.erb | 2 +- cookbooks/tile/templates/default/update-lowzoom.erb | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cookbooks/tile/templates/default/render-lowzoom.erb b/cookbooks/tile/templates/default/render-lowzoom.erb index eb3e2e84e..9ed8f0fc0 100644 --- a/cookbooks/tile/templates/default/render-lowzoom.erb 
+++ b/cookbooks/tile/templates/default/render-lowzoom.erb @@ -15,7 +15,7 @@ function update_<%= style %> render_old \ --timestamp=${timestamp} \ --tile-dir=/srv/tile.openstreetmap.org/tiles \ - --socket=/var/run/renderd/renderd.sock \ + --socket=/run/renderd/renderd.sock \ --num-threads=<%= @threads %> \ --map="<%= style %>" \ --max-load=<%= node.cpu_cores - 1 %> \ diff --git a/cookbooks/tile/templates/default/renderd.conf.erb b/cookbooks/tile/templates/default/renderd.conf.erb index d29c58aa7..40b86ad74 100644 --- a/cookbooks/tile/templates/default/renderd.conf.erb +++ b/cookbooks/tile/templates/default/renderd.conf.erb @@ -1,10 +1,10 @@ # DO NOT EDIT - This file is being maintained by Chef [renderd] -socketname=/var/run/renderd/renderd.sock +socketname=/run/renderd/renderd.sock num_threads=<%= node.cpu_cores - 1 %> tile_dir=/srv/tile.openstreetmap.org/tiles -stats_file=/var/run/renderd/renderd.stats +stats_file=/run/renderd/renderd.stats [mapnik] plugins_dir=/usr/lib/mapnik/<%= node[:tile][:mapnik] %>/input diff --git a/cookbooks/tile/templates/default/tile.conf.erb b/cookbooks/tile/templates/default/tile.conf.erb index 784733731..19f426fbe 100644 --- a/cookbooks/tile/templates/default/tile.conf.erb +++ b/cookbooks/tile/templates/default/tile.conf.erb @@ -1,7 +1,7 @@ # DO NOT EDIT - This file is being maintained by Chef # Set location of renderd socket -ModTileRenderdSocketName /var/run/renderd/renderd.sock +ModTileRenderdSocketName /run/renderd/renderd.sock # Set location of tile directory ModTileTileDir /srv/tile.openstreetmap.org/tiles diff --git a/cookbooks/tile/templates/default/update-lowzoom.erb b/cookbooks/tile/templates/default/update-lowzoom.erb index 0455493d9..7d50f8662 100644 --- a/cookbooks/tile/templates/default/update-lowzoom.erb +++ b/cookbooks/tile/templates/default/update-lowzoom.erb 
@@ -11,7 +11,7 @@ function update_tiles render_old \ --timestamp=$(stat -c %Y "/srv/tile.openstreetmap.org/styles/<%= @style %>/project.xml") \ --tile-dir=/srv/tile.openstreetmap.org/tiles \ - --socket=/var/run/renderd/renderd.sock \ + --socket=/run/renderd/renderd.sock \ --num-threads=<%= @threads %> \ --map="<%= @style %>" \ --max-load=<%= node.cpu_cores - 1 %> \ -- 2.39.5 From f4d7ffa4de206890c7ed7a5e91c135d3be442099 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Wed, 28 May 2025 18:39:20 +0100 Subject: [PATCH 12/16] Move mod_tile configuration to the virtual host --- cookbooks/tile/templates/default/apache.erb | 33 +++++++++++++++++++ .../tile/templates/default/tile.conf.erb | 26 +++++++-------- 2 files changed, 46 insertions(+), 13 deletions(-) diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb index a1c4e1977..50f6b5a97 100644 --- a/cookbooks/tile/templates/default/apache.erb +++ b/cookbooks/tile/templates/default/apache.erb 
@@ -19,6 +19,39 @@ DocumentRoot /srv/tile.openstreetmap.org/html ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/ + # Set location of renderd socket + ModTileRenderdSocketName /run/renderd/renderd.sock + + # Set location of tile directory + ModTileTileDir /srv/tile.openstreetmap.org/tiles + + # Time to wait for a re-render before serving a dirty tile + ModTileRequestTimeout 2 + + # Timeout before giving up for a tile to be rendered that is otherwise missing + ModTileMissingRequestTimeout 10 + + # Always try and re-render dirty or missing tiles + ModTileMaxLoadOld 1000 + ModTileMaxLoadMissing 1000 + + # Maximum expiry to set on a tile + ModTileCacheDurationMax 604800 + + # Expiry time for dirty tiles that have been queued for re-rendering + ModTileCacheDurationDirty 900 + + # Minimum expiry time for fresh tiles + ModTileCacheDurationMinimum 10800 + ModTileCacheDurationMediumZoom 13 86400 + ModTileCacheDurationLowZoom 9 518400 + + # Factor controlling effect of last modification time on expiry + ModTileCacheLastModifiedFactor 0.20 + + # Load tile configuration + LoadTileConfigFile /etc/renderd.conf + # Get the real remote IP for requests via a trusted proxy RemoteIPHeader Fastly-Client-IP <% @fastly.sort.each do |address| -%> diff --git a/cookbooks/tile/templates/default/tile.conf.erb b/cookbooks/tile/templates/default/tile.conf.erb index 19f426fbe..81c0fa38d 100644 --- a/cookbooks/tile/templates/default/tile.conf.erb +++ b/cookbooks/tile/templates/default/tile.conf.erb 
@@ -1,34 +1,34 @@ # DO NOT EDIT - This file is being maintained by Chef # Set location of renderd socket -ModTileRenderdSocketName /run/renderd/renderd.sock +#ModTileRenderdSocketName /run/renderd/renderd.sock # Set location of tile directory -ModTileTileDir /srv/tile.openstreetmap.org/tiles +#ModTileTileDir /srv/tile.openstreetmap.org/tiles # Time to wait for a re-render before serving a dirty tile -ModTileRequestTimeout 2 +#ModTileRequestTimeout 2 # Timeout before giving up for a tile to be rendered that is otherwise missing -ModTileMissingRequestTimeout 10 +#ModTileMissingRequestTimeout 10 # Always try and re-render dirty or missing tiles -ModTileMaxLoadOld 1000 -ModTileMaxLoadMissing 1000 +#ModTileMaxLoadOld 1000 +#ModTileMaxLoadMissing 1000 # Maximum expiry to set on a tile -ModTileCacheDurationMax 604800 +#ModTileCacheDurationMax 604800 # Expiry time for dirty tiles that have been queued for re-rendering -ModTileCacheDurationDirty 900 +#ModTileCacheDurationDirty 900 # Minimum expiry time for fresh tiles -ModTileCacheDurationMinimum 10800 -ModTileCacheDurationMediumZoom 13 86400 -ModTileCacheDurationLowZoom 9 518400 +#ModTileCacheDurationMinimum 10800 +#ModTileCacheDurationMediumZoom 13 86400 +#ModTileCacheDurationLowZoom 9 518400 # Factor controlling effect of last modification time on expiry -ModTileCacheLastModifiedFactor 0.20 +#ModTileCacheLastModifiedFactor 0.20 # Load tile configuration -LoadTileConfigFile /etc/renderd.conf +#LoadTileConfigFile /etc/renderd.conf -- 2.39.5 From ee5f2259db493c59448407ef51f715cd65024337 Mon Sep 17 00:00:00 2001 From: Paul Norman Date: Wed, 28 May 2025 19:31:38 -0700 Subject: [PATCH 13/16] dev: add siege for load testing --- cookbooks/dev/recipes/default.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb index f42c22ee3..4f6a160f7 100644 --- a/cookbooks/dev/recipes/default.rb +++ b/cookbooks/dev/recipes/default.rb 
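Review bot: `tile.conf.erb` is left holding only commented-out copies of the directives that moved into `apache.erb`, so there are two copies that can drift apart and a file that reads like configuration but has no effect. I would reduce it to the "DO NOT EDIT" header plus one line such as `# mod_tile settings are now set in the tile virtual host (apache.erb)`, or remove the template altogether. Only one hunk of `apache.erb` is visible in this commit, so it is also worth confirming whether that template defines more than one virtual host serving tiles. If it does, each one needs these directives now that they are no longer set globally.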
@@ -146,6 +146,7 @@ package %w[ python3-venv r-base redis + siege tmux unrar unzip -- 2.39.5 From 8d106912a3baeebaf01aa6f5b40cd1a117c77acb Mon Sep 17 00:00:00 2001 From: Grant Slater Date: Thu, 29 May 2025 11:24:31 +0100 Subject: [PATCH 14/16] community: Upgrade to discourse v3.4.4 --- cookbooks/community/recipes/default.rb | 2 +- cookbooks/community/templates/default/web_only.yml.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/community/recipes/default.rb b/cookbooks/community/recipes/default.rb index 73739ac30..74a95a923 100644 --- a/cookbooks/community/recipes/default.rb +++ b/cookbooks/community/recipes/default.rb @@ -63,7 +63,7 @@ git "/srv/community.openstreetmap.org/docker" do action :sync repository "https://github.com/discourse/discourse_docker.git" # DANGER launch wrapper automatically updates git repo if rebuild method used: https://github.com/discourse/discourse_docker/blob/107ffb40fe8b1ea40e00814468db974a4f3f8e8f/launcher#L799 - revision "721facba644f645211571026d6677b015c15e5d6" + revision "9ebce86fda3d9787d752de6311df15dcab9700f1" user "root" group "root" notifies :run, "notify_group[discourse_container_new_data]" diff --git a/cookbooks/community/templates/default/web_only.yml.erb b/cookbooks/community/templates/default/web_only.yml.erb index fddb054a9..b769cb23d 100644 --- a/cookbooks/community/templates/default/web_only.yml.erb +++ b/cookbooks/community/templates/default/web_only.yml.erb @@ -19,7 +19,7 @@ links: # any extra arguments for Docker? # docker_args: -# Latest Version v3.4.3 +# Latest Version v3.4.4 # Discourse only support tests-passed and stable branches params: version: stable -- 2.39.5 From bd541ea5eb09e03cb1d642e7d12206515237bb05 Mon Sep 17 00:00:00 2001 
From: Grant Slater Date: Thu, 29 May 2025 11:48:12 +0100 Subject: [PATCH 15/16] community: Use new outlets feature for enabling SSL settings --- cookbooks/community/templates/default/web_only.yml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cookbooks/community/templates/default/web_only.yml.erb b/cookbooks/community/templates/default/web_only.yml.erb index b769cb23d..20dd62338 100644 --- a/cookbooks/community/templates/default/web_only.yml.erb +++ b/cookbooks/community/templates/default/web_only.yml.erb @@ -117,8 +117,8 @@ hooks: - sudo -H -E -u discourse cp /shared/feeds/update-feeds.atom public/update-feeds.atom after_ssl: - replace: - filename: "/etc/nginx/conf.d/discourse.conf" - from: /add_header.+/ + filename: "/etc/nginx/conf.d/outlets/server/20-https.conf" + from: /add_header Strict-Transport-Security.+/ to: | add_header Strict-Transport-Security 'max-age=63072000' always; ssl_stapling on; -- 2.39.5 From 6402dd91c5da8aa8928419642fc625819b372dec Mon Sep 17 00:00:00 2001 From: Grant Slater Date: Thu, 29 May 2025 12:03:57 +0100 Subject: [PATCH 16/16] community: switch fully to outlets for osm ssl settings --- cookbooks/community/templates/default/web_only.yml.erb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/cookbooks/community/templates/default/web_only.yml.erb b/cookbooks/community/templates/default/web_only.yml.erb index 20dd62338..51bcc4aaa 100644 --- a/cookbooks/community/templates/default/web_only.yml.erb +++ b/cookbooks/community/templates/default/web_only.yml.erb 
@@ -116,11 +116,9 @@ hooks: cmd: - sudo -H -E -u discourse cp /shared/feeds/update-feeds.atom public/update-feeds.atom after_ssl: - - replace: - filename: "/etc/nginx/conf.d/outlets/server/20-https.conf" - from: /add_header Strict-Transport-Security.+/ - to: | - add_header Strict-Transport-Security 'max-age=63072000' always; + - file: + path: "/etc/nginx/conf.d/outlets/server/25-https-osm-settings.conf" + contents: | ssl_stapling on; resolver <%= @resolvers.join(" ") %>; resolver_timeout 5s; -- 2.39.5
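Review bot: The new `25-https-osm-settings.conf` no longer contains `add_header Strict-Transport-Security 'max-age=63072000' always;`, so the HSTS policy on this host now depends entirely on what the upstream `20-https.conf` outlet sets. Neither that file's max-age nor whether it uses `always` (needed for the header to be sent on error responses) is visible in this commit. If the two-year policy is a requirement, check the served header after a rebuild and note the expected value in a comment next to this hook. The `contents: |` block continues past the end of the hunk.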