diff --git a/conf/discourse_defaults.conf b/conf/discourse_defaults.conf
new file mode 100644
index 0000000..598a140
--- /dev/null
+++ b/conf/discourse_defaults.conf
@@ -0,0 +1,338 @@
+#
+# DO NOT EDIT THIS FILE
+# If you need to make changes create a file called discourse.conf in this directory with your changes
+# On import this file will be imported using ERB
+#
+
+# Discourse supports multiple mechanisms for production config.
+#
+# 1. You can do nothing and get these defaults (not recommended, you should at least set hostname)
+# 2. You can copy this file to config/discourse.conf and amend with your settings
+# 3. You can pass in config from your environment, all the settings below are available.
+# Append DISCOURSE_ and upper case the setting in ENV. For example:
+# to pass in db_timeout of 200 you would use DISCOURSE_DB_TIMEOUT=200
+
+# All settings apply to production only
+
+# connection pool size, sidekiq is set to 5, allowing an extra 3 for bg threads
+db_pool = 8
+
+# ActiveRecord connection pool timeout in milliseconds
+db_timeout = 5000
+
+# Database connection timeout in seconds
+db_connect_timeout = 5
+
+# socket file used to access db
+db_socket =
+
+# host address for db server
+# This is set to blank so it tries to use sockets first
+db_host =
+
+# host address for db server when taking a backup via `pg_dump`
+# Defaults to `db_host` if not configured
+db_backup_host =
+
+# port running db server, no need to set it
+db_port =
+
+# db server port to use when taking a backup via `pg_dump`
+db_backup_port = 5432
+
+# database name running discourse
+db_name = __DB_NAME__
+
+# username accessing database
+db_username = __DB_NAME__
+
+# password used to access the db
+db_password = __DB_PWD__
+
+# Disallow prepared statements
+# see: https://github.com/rails/rails/issues/21992
+db_prepared_statements = false
+
+# host address for db replica server
+db_replica_host =
+
+# port running replica db server, defaults to 5432 if not set
+db_replica_port =
+
+db_advisory_locks = true
+
+# hostname running the forum
+hostname = "__DOMAIN__"
+
+# backup hostname mainly for cdn use
+backup_hostname =
+
+# address of smtp server used to send emails
+smtp_address = localhost
+
+# port of smtp server used to send emails
+smtp_port = 25
+
+# domain passed to smtp server
+smtp_domain = __DOMAIN__
+
+# username for smtp server
+smtp_user_name =
+
+# password for smtp server
+smtp_password =
+
+# smtp authentication mechanism
+smtp_authentication = plain
+
+# enable TLS encryption for smtp connections
+smtp_enable_start_tls = false
+
+# mode for verifying smtp server certificates
+# to disable, set to 'none'
+smtp_openssl_verify_mode =
+
+# force implicit TLS as per RFC 8314 3.3
+smtp_force_tls = false
+
+# load MiniProfiler in production, to be used by developers
+load_mini_profiler = false
+
+# Every how many requests should MP profile a request (aka take snapshot)
+# Default is never
+mini_profiler_snapshots_period = 0
+
+# specify the URL of the destination that MiniProfiler should ship snapshots to
+# mini_profiler_snapshots_transport_auth_key is required as well
+mini_profiler_snapshots_transport_url =
+
+# authorization key that will be included as a header in requests made by the
+# snapshots transporter to the URL specified above. The destination should
+# know this key and only accept requests that have this key in the
+# `Mini-Profiler-Transport-Auth` header.
+mini_profiler_snapshots_transport_auth_key =
+
+# recommended, cdn used to access assets
+cdn_url =
+
+# The hostname used by the CDN to request assets
+cdn_origin_hostname =
+
+# comma delimited list of emails that have developer level access
+developer_emails = __EMAIL__
+
+# redis server address
+redis_host = localhost
+
+# redis server port
+redis_port = 6379
+
+# redis replica server address
+redis_replica_host =
+
+# redis replica server port
+redis_replica_port = 6379
+
+# redis database
+redis_db = __REDIS_DB__
+
+# redis password
+redis_password =
+
+# skip configuring client id for cloud providers who support no client commands
+redis_skip_client_commands = false
+
+# uses SSL for all Redis connections if true
+redis_use_ssl = false
+
+# message bus redis server switch
+message_bus_redis_enabled = false
+
+# message bus redis server address
+message_bus_redis_host = localhost
+
+# message bus redis server port
+message_bus_redis_port = 6379
+
+# message bus redis replica server address
+message_bus_redis_replica_host =
+
+# message bus redis slave server port
+message_bus_redis_replica_port = 6379
+
+# message bus redis database
+message_bus_redis_db = 0
+
+# message bus redis password
+message_bus_redis_password =
+
+# skip configuring client id for cloud providers who support no client commands
+message_bus_redis_skip_client_commands = false
+
+# enable Cross-origin Resource Sharing (CORS) directly at the application level
+enable_cors = false
+cors_origin = ''
+
+# enable if you really need to serve assets in prd
+serve_static_assets = true
+
+# number of sidekiq workers (launched via unicorn master)
+sidekiq_workers = 5
+
+# adjust stylesheets to rtl (requires "rtlit" gem)
+rtl_css = false
+
+# connection reaping helps keep connection counts down, postgres
+# will not work properly with huge numbers of open connections
+# reap connections from pool that are older than 30 seconds
+connection_reaper_age = 30
+
+# run reap check every 30 seconds
+connection_reaper_interval = 30
+
+# set to relative URL (for subdirectory hosting)
+# IMPORTANT: path must not include a trailing /
+# EG: /forum
+relative_url_root = __PATH__
+
+# increasing this number will increase redis memory use
+# this ensures backlog (ability of channels to catch up are capped)
+# message bus default cap is 1000, we are winding it down to 100
+message_bus_max_backlog_size = 100
+
+# must be a 64 byte hex string, anything else will be ignored with a warning
+secret_key_base =
+
+# fallback path for all assets which are served via the application
+# used by static_controller
+# in multi host setups this allows you to have old unicorn instances serve
+# newly compiled assets
+fallback_assets_path =
+
+# S3 settings used for serving ALL public files
+# be sure to configre a CDN as well per cdn_url
+s3_bucket =
+s3_region =
+s3_access_key_id =
+s3_secret_access_key =
+s3_use_iam_profile =
+s3_cdn_url =
+s3_endpoint =
+s3_http_continue_timeout =
+s3_install_cors_rule =
+
+### rate limits apply to all sites
+max_user_api_reqs_per_minute = 20
+max_user_api_reqs_per_day = 2880
+
+max_admin_api_reqs_per_key_per_minute = 60
+
+max_reqs_per_ip_per_minute = 200
+max_reqs_per_ip_per_10_seconds = 50
+
+# applies to asset type routes (avatars/css and so on)
+max_asset_reqs_per_ip_per_10_seconds = 200
+
+# global rate limiter will simply warn if the limit is exceeded, can be warn+block, warn, block or none
+max_reqs_per_ip_mode = block
+
+# bypass rate limiting any IP resolved as a private IP
+max_reqs_rate_limit_on_private = false
+
+# logged in DoS protection
+
+# protection will only trigger for requests that queue longer than this amount
+force_anonymous_min_queue_seconds = 1
+# only trigger anon if we see more than N requests for this path in last 10 seconds
+force_anonymous_min_per_10_seconds = 3
+
+# Any requests with the headers Discourse-Background = true will not be allowed to queue
+# longer than this amount of time.
+# Discourse will rate limit and ask client to try again later.
+background_requests_max_queue_length = 0.5
+
+# if a message bus request queues for 100ms or longer, we will reject it and ask consumer
+# to back off
+reject_message_bus_queue_seconds = 0.1
+
+# disable search if app server is queueing for longer than this (in seconds)
+disable_search_queue_threshold = 1
+
+# maximum number of posts rebaked across the cluster in the periodical job
+# rebake process is very expensive, on multisite we have to make sure we never
+# flood the queue
+max_old_rebakes_per_15_minutes = 300
+
+# maximum number of log messages in /logs
+max_logster_logs = 1000
+
+# during precompile update maxmind database if older than N days
+# set to 0 to disable
+refresh_maxmind_db_during_precompile_days = 2
+
+# backup path containing maxmind db files
+maxmind_backup_path =
+
+# register an account at: https://www.maxmind.com/en/geolite2/signup
+# then head to profile and get your license key
+maxmind_license_key=
+
+# when enabled the following headers will be added to every response:
+# (note, if measurements do not exist for the header they will be omitted)
+#
+# X-Redis-Calls: 10
+# X-Redis-Time: 1.02
+# X-Sql-Calls: 102
+# X-Sql-Time: 1.02
+# X-Queue-Time: 1.01
+enable_performance_http_headers = false
+
+# gather JavaScript errors from clients (rate limited to 1 error per IP per minute)
+enable_js_error_reporting = true
+
+# This is probably not a number you want to touch, it controls the number of workers
+# we allow mini scheduler to run. Prior to 2019 we ran a single worker.
+# On extremely busy setups this could lead to situations where regular jobs would
+# starve. Specifically jobs such as "run heartbeat" which keeps sidekiq running.
+# Having a high number here is very low risk. Regular jobs are limited in scope and scale.
+mini_scheduler_workers = 5
+
+# enable compression on anonymous cache redis entries
+# this slightly increases the cost of storing cache entries but can make it much
+# cheaper to retrieve cache entries when redis is stores on a different machine to the one
+# running the web
+compress_anon_cache = false
+
+# Only store entries in redis for anonymous cache if they are observed more than N times
+# for a specific key
+#
+# This ensures there are no pathological cases where we keep storing data in anonymous cache
+# never to use it, set to 1 to store immediately, set to 0 to disable anon cache
+anon_cache_store_threshold = 2
+
+# EXPERIMENTAL - not yet supported in production
+# by default admins can install and amend any theme
+# you may restrict it so only specific themes are approved
+# in allowlist mode all theme updates must happen via git repos
+# themes missing from the list are automatically disallowed
+# list is a comma seperated list of git repos eg:
+# https://github.com/discourse/discourse-custom-header-links.git,https://github.com/discourse/discourse-simple-theme.git
+allowed_theme_repos =
+
+# Demon::EmailSync is used in conjunction with the enable_imap site setting
+# to sync N IMAP mailboxes with specific groups. It is a process started in
+# unicorn.conf, and it spawns N threads (one for each multisite connection) and
+# for each database spans another N threads (one for each configured group).
+#
+# We want this off by default so the process is not started when it does not
+# need to be (e.g. development, test, certain hosting tiers)
+enable_email_sync_demon = false
+
+# we never want to queue more than 10000 digests per 30 minute block
+# this can easily lead to blocking sidekiq
+# on multisites we recommend a far lower number
+max_digests_enqueued_per_30_mins_per_site = 10000
+
+# This cluster name can be passed to the /srv/status route to verify
+# the application cluster is the same one you are expecting
+cluster_name =
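Review bot: `relative_url_root = __PATH__` loses the trailing-slash handling the scripts used to apply: the install and upgrade hunks this commit removes wrote `relative_url_root = ${path_url%/}`, whereas, if I recall the helper correctly, ynh_add_config substitutes `__PATH__` with `$path_url` verbatim, so a root install ends up with `relative_url_root = /`, which the template's own `# IMPORTANT: path must not include a trailing /` comment forbids. The fix belongs in scripts/install and scripts/upgrade before their ynh_add_config call, e.g. `relative_url_root="${path_url%/}"` with this line reading `relative_url_root = __RELATIVE_URL_ROOT__`, assuming ynh_add_config also expands arbitrary `__VAR__` placeholders from script variables; if it only knows the fixed set, the stripped value can be assigned back to `path_url` for the duration of the call. Separately, the header `# DO NOT EDIT THIS FILE` / `# If you need to make changes create a file called discourse.conf in this directory with your changes` is copied from upstream, but this template is now installed as config/discourse.conf itself and regenerated on every upgrade, so the instruction points an admin at the very file they are reading. A header such as `# Generated by the YunoHost package from conf/discourse_defaults.conf; local edits are overwritten on upgrade` would say what actually happens.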
diff --git a/conf/settings.yml b/conf/settings.yml new file mode 100644 index 0000000..75729a9 --- /dev/null +++ b/conf/settings.yml @@ -0,0 +1,24 @@ +plugins: + ldap_enabled: + default: true + ldap_user_create_mode: + default: 'auto' + ldap_lookup_users_by: + default: 'email' + ldap_hostname: + default: 'localhost' + ldap_port: + default: 389 + ldap_method: + default: 'plain' + ldap_base: + default: 'ou=users,dc=yunohost,dc=org' + ldap_uid: + default: 'uid' + ldap_bind_dn: + default: '' + ldap_password: + default: '' + secret: true + ldap_filter: + default: '' diff --git a/scripts/install b/scripts/install index b34934f..9c94653 100644 --- a/scripts/install +++ b/scripts/install @@ -28,6 +28,7 @@ domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH admin=$YNH_APP_ARG_ADMIN is_public=$YNH_APP_ARG_IS_PUBLIC +email=$(ynh_user_get_info --username=$admin --key=mail) app=$YNH_APP_INSTANCE_NAME @@ -53,6 +54,7 @@ ynh_script_progression --message="Storing installation settings..." ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=admin --value=$admin +ynh_app_setting_set --app=$app --key=email --value=$email #================================================= # STANDARD MODIFICATIONS 
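Review bot: The LDAP plugin defaults in conf/settings.yml leave `ldap_filter: ''` together with empty `ldap_bind_dn` / `ldap_password`, so the plugin binds anonymously and, combined with `ldap_user_create_mode: 'auto'`, any entry under `ou=users,dc=yunohost,dc=org` that can authenticate gets a Discourse account created on first login. If access to this app is meant to be gated by YunoHost's permission system, something has to populate the filter (presumably the install script, which does not do so in the hunks visible here); if unrestricted login for every YunoHost user is the intent, a comment above `ldap_filter` saying so would save the next packager from re-asking. `ldap_method: 'plain'` on port 389 is only acceptable because `ldap_hostname` is `localhost`; a `# plain is fine for the local slapd only, a remote directory needs the plugin's TLS mode` comment above it would stop the value being carried unchanged to a remote setup. Marking `ldap_password` with `secret: true` is right.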
@@ -137,47 +139,16 @@ ynh_system_user_create --username=$app --home_dir=$final_path --use_shell #================================================= ynh_script_progression --message="Configuring Discourse..." -# Configure database -discourse_config_file="$final_path/config/discourse.conf" -cp $final_path/config/discourse_defaults.conf $discourse_config_file -ynh_replace_string --match_string="db_name = discourse" --replace_string="db_name = $db_name" --target_file="$discourse_config_file" -ynh_replace_string --match_string="db_username = discourse" --replace_string="db_username = $db_name" --target_file="$discourse_config_file" -ynh_replace_string --match_string="db_password =" --replace_string="db_password = $db_pwd" --target_file="$discourse_config_file" - -# Configure hostname -ynh_replace_string --match_string="hostname = \"www.example.com\"" --replace_string="hostname = \"$domain\"" --target_file="$discourse_config_file" -ynh_replace_string --match_string="relative_url_root =" --replace_string="relative_url_root = ${path_url%/}" --target_file="$discourse_config_file" - -# Serve static assets (i.e. images, js, etc.) 
-ynh_replace_string --match_string="serve_static_assets = false" --replace_string="serve_static_assets = true" --target_file="$discourse_config_file" - -# Don't show miniprofiler -ynh_replace_string --match_string="load_mini_profiler = true" --replace_string="load_mini_profiler = false" --target_file="$discourse_config_file" - -# Configure e-mail server -admin_mail=$(ynh_user_get_info "$admin" mail) -ynh_replace_string --match_string="developer_emails =" --replace_string="developer_emails = $admin_mail" --target_file="$discourse_config_file" -ynh_replace_string --match_string="smtp_address =" --replace_string="smtp_address = localhost" --target_file="$discourse_config_file" -ynh_replace_string --match_string="smtp_domain =" --replace_string="smtp_domain = $domain" --target_file="$discourse_config_file" -ynh_replace_string --match_string="smtp_enable_start_tls = true" --replace_string="smtp_enable_start_tls = false" --target_file="$discourse_config_file" - # Configure redis redis_db=$(ynh_redis_get_free_db) ynh_app_setting_set --app="$app" --key=redis_db --value="$redis_db" -ynh_replace_string --match_string="redis_db = 0" --replace_string="redis_db = $redis_db" --target_file="$discourse_config_file" -# Don't notify on new versions (handled by the YunoHost package) -ynh_replace_string --match_string="new_version_emails = true" --replace_string="new_version_emails = false" --target_file="$discourse_config_file" - -# Calculate and store the config file checksum -ynh_store_file_checksum --file="$discourse_config_file" +ynh_add_config --template="../conf/discourse_defaults.conf" --destination="$final_path/config/discourse.conf" +chmod 400 "$final_path/config/discourse.conf" +chown $app:$app "$final_path/config/discourse.conf" # Configure LDAP plugin -ldap_config_file="$final_path/plugins/discourse-ldap-auth/config/settings.yml" -ynh_replace_string --match_string="adfs.example.com" --replace_string="localhost" --target_file="$ldap_config_file" -ynh_replace_string 
--match_string="dc=example,dc=com" --replace_string="ou=users,dc=yunohost,dc=org" --target_file="$ldap_config_file" -ynh_replace_string --match_string="sAMAccountName" --replace_string="uid" --target_file="$ldap_config_file" -ynh_store_file_checksum --file="$ldap_config_file" +ynh_add_config --template="../conf/settings.yml" --destination="$final_path/plugins/discourse-ldap-auth/config/settings.yml" # Disable svgo worker echo "svgo: false" > $final_path/.image_optim.yml diff --git a/scripts/restore b/scripts/restore index 8317aed..4f40721 100644 --- a/scripts/restore +++ b/scripts/restore @@ -52,7 +52,7 @@ check_memory_requirements #================================================= # RESTORE THE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Restoring the nginx configuration..." +ynh_script_progression --message="Restoring the NGINX configuration..." ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" diff --git a/scripts/upgrade b/scripts/upgrade index a94de6a..fe24ed3 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -24,6 +24,7 @@ db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd) redis_db=$(ynh_app_setting_get --app=$app --key=redis_db) unicorn_workers=$(ynh_app_setting_get --app=$app --key=unicorn_workers) +email=$(ynh_app_setting_get --app=$app --key=email) # Check memory requirements check_memory_requirements_upgrade @@ -157,7 +158,7 @@ fi #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Upgrading nginx web server configuration..." +ynh_script_progression --message="Upgrading NGINX web server configuration..." # Create a dedicated nginx config ynh_add_nginx_config 
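Review bot: The `new_version_emails = false` override disappears with this hunk: the removed `ynh_replace_string --match_string="new_version_emails = true" ...` line has no counterpart, and conf/discourse_defaults.conf as added in this commit contains no `new_version_emails` key at all, so either the old replacement was already a no-op (the key matched nothing) or an intended override has been lost; the commit should state which, and if the latter the key needs adding to the template. The same applies to the upgrade hunk at @@ -200,51 +201,16 @@. The `chmod 400` / `chown $app:$app` pair after ynh_add_config is the right treatment for a file carrying `db_password`; `chown "$app:$app"` would match the quoting of the destination path on the same lines. Note that the LDAP settings.yml written by the second ynh_add_config call is left with whatever mode the helper assigns, which is fine as long as its `ldap_password` stays empty.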
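Review bot: `email=$(ynh_app_setting_get --app=$app --key=email)` will be empty on every instance installed before this commit, because the `email` setting is only written by the new install script, and the config regenerated at @@ -200,51 +201,16 @@ then gets a blank `developer_emails =`, silently removing the admin's developer-level access on upgrade. When the setting is missing, derive it from the admin user exactly as the install script now does and persist it so the fallback runs once; this assumes `admin` is read from the app settings above this hunk, as the removed config block used `$admin`.
```shell
email=$(ynh_app_setting_get --app=$app --key=email)
# Instances installed before the email setting existed: derive it once from the admin user
if [ -z "$email" ]
then
    email=$(ynh_user_get_info --username=$admin --key=mail)
    ynh_app_setting_set --app=$app --key=email --value=$email
fi
```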
@@ -173,7 +174,7 @@ ynh_store_file_checksum --file="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= ynh_script_progression --message="Upgrading dependencies..." -ynh_install_app_dependencies "$pkg_dependencies" +ynh_install_app_dependencies $pkg_dependencies #================================================= # INSTALL RUBY 
@@ -200,51 +201,16 @@ if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Configuring Discourse..." - # Configure Discourse - discourse_config_file="$final_path/config/discourse.conf" - # Make a backup of the original config file if modified - ynh_backup_if_checksum_is_different --file="$discourse_config_file" - - cp $final_path/config/discourse_defaults.conf $discourse_config_file - - ynh_replace_string --match_string="db_name = discourse" --replace_string="db_name = $db_name" --target_file="$discourse_config_file" - ynh_replace_string --match_string="db_username = discourse" --replace_string="db_username = $db_name" --target_file="$discourse_config_file" - ynh_replace_string --match_string="db_password =" --replace_string="db_password = $db_pwd" --target_file="$discourse_config_file" - # Configure hostname - ynh_replace_string --match_string="hostname = \"www.example.com\"" --replace_string="hostname = \"$domain\"" --target_file="$discourse_config_file" - ynh_replace_string --match_string="relative_url_root =" --replace_string="relative_url_root = ${path_url%/}" --target_file="$discourse_config_file" - # Serve static assets (i.e. images, js, etc.) 
- ynh_replace_string --match_string="serve_static_assets = false" --replace_string="serve_static_assets = true" --target_file="$discourse_config_file" - # Don't show miniprofiler - ynh_replace_string --match_string="load_mini_profiler = true" --replace_string="load_mini_profiler = false" --target_file="$discourse_config_file" - # Configure e-mail server - admin_mail=$(ynh_user_get_info "$admin" mail) - ynh_replace_string --match_string="developer_emails =" --replace_string="developer_emails = $admin_mail" --target_file="$discourse_config_file" - ynh_replace_string --match_string="smtp_address =" --replace_string="smtp_address = localhost" --target_file="$discourse_config_file" - ynh_replace_string --match_string="smtp_domain =" --replace_string="smtp_domain = $domain" --target_file="$discourse_config_file" - ynh_replace_string --match_string="smtp_enable_start_tls = true" --replace_string="smtp_enable_start_tls = false" --target_file="$discourse_config_file" - # Configure redis - ynh_replace_string --match_string="redis_db = 0" --replace_string="redis_db = $redis_db" --target_file="$discourse_config_file" - # Don't notify on new versions (handled by the YunoHost package) - ynh_replace_string --match_string="new_version_emails = true" --replace_string="new_version_emails = false" --target_file="$discourse_config_file" - - # Calculate and store the config file checksum - ynh_store_file_checksum --file="$discourse_config_file" + ynh_add_config --template="../conf/discourse_defaults.conf" --destination="$final_path/config/discourse.conf" + chmod 400 "$final_path/config/discourse.conf" + chown $app:$app "$final_path/config/discourse.conf" # Configure LDAP plugin - ldap_config_file="$final_path/plugins/discourse-ldap-auth/config/settings.yml" - # Make a backup of the original config file if modified - ynh_backup_if_checksum_is_different "$ldap_config_file" - - ynh_replace_string --match_string="adfs.example.com" --replace_string="localhost" 
--target_file="$ldap_config_file" - ynh_replace_string --match_string="dc=example,dc=com" --replace_string="ou=users,dc=yunohost,dc=org" --target_file="$ldap_config_file" - ynh_replace_string --match_string="sAMAccountName" --replace_string="uid" --target_file="$ldap_config_file" - - # Calculate and store the config file checksum - ynh_store_file_checksum --file="$ldap_config_file" + ynh_add_config --template="../conf/settings.yml" --destination="$final_path/plugins/discourse-ldap-auth/config/settings.yml" # Disable svgo worker echo "svgo: false" > $final_path/.image_optim.yml + fi #================================================= @@ -405,7 +371,7 @@ ynh_maintenance_mode_OFF #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload