Add config file

conf/discourse_defaults.conf

@@ -0,0 +1,338 @@
+#
+# DO NOT EDIT THIS FILE
+# If you need to make changes create a file called discourse.conf in this directory with your changes
+# On import this file will be imported using ERB
+#
+
+# Discourse supports multiple mechanisms for production config.
+#
+# 1. You can do nothing and get these defaults (not recommended, you should at least set hostname)
+# 2. You can copy this file to config/discourse.conf and amend with your settings
+# 3. You can pass in config from your environment, all the settings below are available.
+#    Append DISCOURSE_ and upper case the setting in ENV. For example:
+#    to pass in db_timeout of 200 you would use DISCOURSE_DB_TIMEOUT=200
+
+# All settings apply to production only
+
+# connection pool size, sidekiq is set to 5, allowing an extra 3 for bg threads
+db_pool = 8
+
+# ActiveRecord connection pool timeout in milliseconds
+db_timeout = 5000
+
+# Database connection timeout in seconds
+db_connect_timeout = 5
+
+# socket file used to access db
+db_socket =
+
+# host address for db server
+# This is set to blank so it tries to use sockets first
+db_host =
+
+# host address for db server when taking a backup via `pg_dump`
+# Defaults to `db_host` if not configured
+db_backup_host =
+
+# port running db server, no need to set it
+db_port =
+
+# db server port to use when taking a backup via `pg_dump`
+db_backup_port = 5432
+
+# database name running discourse
+db_name = __DB_NAME__
+
+# username accessing database
+db_username = __DB_NAME__
+
+# password used to access the db
+db_password = __DB_PWD__
+
+# Disallow prepared statements
+# see: https://github.com/rails/rails/issues/21992
+db_prepared_statements = false
+
+# host address for db replica server
+db_replica_host =
+
+# port running replica db server, defaults to 5432 if not set
+db_replica_port =
+
+db_advisory_locks = true
+
+# hostname running the forum
+hostname = "__DOMAIN__"
+
+# backup hostname mainly for cdn use
+backup_hostname =
+
+# address of smtp server used to send emails
+smtp_address = localhost
+
+# port of smtp server used to send emails
+smtp_port = 25
+
+# domain passed to smtp server
+smtp_domain = __DOMAIN__
+
+# username for smtp server
+smtp_user_name =
+
+# password for smtp server
+smtp_password =
+
+# smtp authentication mechanism
+smtp_authentication = plain
+
+# enable TLS encryption for smtp connections
+smtp_enable_start_tls = false
+
+# mode for verifying smtp server certificates
+# to disable, set to 'none'
+smtp_openssl_verify_mode =
+
+# force implicit TLS as per RFC 8314 3.3
+smtp_force_tls = false
+
+# load MiniProfiler in production, to be used by developers
+load_mini_profiler = false
+
+# Every how many requests should MP profile a request (aka take snapshot)
+# Default is never
+mini_profiler_snapshots_period = 0
+
+# specify the URL of the destination that MiniProfiler should ship snapshots to
+# mini_profiler_snapshots_transport_auth_key is required as well
+mini_profiler_snapshots_transport_url =
+
+# authorization key that will be included as a header in requests made by the
+# snapshots transporter to the URL specified above. The destination should
+# know this key and only accept requests that have this key in the
+# `Mini-Profiler-Transport-Auth` header.
+mini_profiler_snapshots_transport_auth_key =
+
+# recommended, cdn used to access assets
+cdn_url =
+
+# The hostname used by the CDN to request assets
+cdn_origin_hostname =
+
+# comma delimited list of emails that have developer level access
+developer_emails = __EMAIL__
+
+# redis server address
+redis_host = localhost
+
+# redis server port
+redis_port = 6379
+
+# redis replica server address
+redis_replica_host =
+
+# redis replica server port
+redis_replica_port = 6379
+
+# redis database
+redis_db = __REDIS_DB__
+
+# redis password
+redis_password =
+
+# skip configuring client id for cloud providers who support no client commands
+redis_skip_client_commands = false
+
+# uses SSL for all Redis connections if true
+redis_use_ssl = false
+
+# message bus redis server switch
+message_bus_redis_enabled = false
+
+# message bus redis server address
+message_bus_redis_host = localhost
+
+# message bus redis server port
+message_bus_redis_port = 6379
+
+# message bus redis replica server address
+message_bus_redis_replica_host =
+
+# message bus redis slave server port
+message_bus_redis_replica_port = 6379
+
+# message bus redis database
+message_bus_redis_db = 0
+
+# message bus redis password
+message_bus_redis_password =
+
+# skip configuring client id for cloud providers who support no client commands
+message_bus_redis_skip_client_commands = false
+
+# enable Cross-origin Resource Sharing (CORS) directly at the application level
+enable_cors = false
+cors_origin = ''
+
+# enable if you really need to serve assets in prd
+serve_static_assets = true
+
+# number of sidekiq workers (launched via unicorn master)
+sidekiq_workers = 5
+
+# adjust stylesheets to rtl (requires "rtlit" gem)
+rtl_css = false
+
+# connection reaping helps keep connection counts down, postgres
+# will not work properly with huge numbers of open connections
+# reap connections from pool that are older than 30 seconds
+connection_reaper_age = 30
+
+# run reap check every 30 seconds
+connection_reaper_interval = 30
+
+# set to relative URL (for subdirectory hosting)
+# IMPORTANT: path must not include a trailing /
+# EG: /forum
+relative_url_root = __PATH__
+
+# increasing this number will increase redis memory use
+# this ensures backlog (ability of channels to catch up are capped)
+# message bus default cap is 1000, we are winding it down to 100
+message_bus_max_backlog_size = 100
+
+# must be a 64 byte hex string, anything else will be ignored with a warning
+secret_key_base =
+
+# fallback path for all assets which are served via the application
+# used by static_controller
+# in multi host setups this allows you to have old unicorn instances serve
+# newly compiled assets
+fallback_assets_path =
+
+# S3 settings used for serving ALL public files
+# be sure to configre a CDN as well per cdn_url
+s3_bucket =
+s3_region =
+s3_access_key_id =
+s3_secret_access_key =
+s3_use_iam_profile =
+s3_cdn_url =
+s3_endpoint =
+s3_http_continue_timeout =
+s3_install_cors_rule =
+
+### rate limits apply to all sites
+max_user_api_reqs_per_minute = 20
+max_user_api_reqs_per_day = 2880
+
+max_admin_api_reqs_per_key_per_minute = 60
+
+max_reqs_per_ip_per_minute = 200
+max_reqs_per_ip_per_10_seconds = 50
+
+# applies to asset type routes (avatars/css and so on)
+max_asset_reqs_per_ip_per_10_seconds = 200
+
+# global rate limiter will simply warn if the limit is exceeded, can be warn+block, warn, block or none
+max_reqs_per_ip_mode = block
+
+# bypass rate limiting any IP resolved as a private IP
+max_reqs_rate_limit_on_private = false
+
+# logged in DoS protection
+
+# protection will only trigger for requests that queue longer than this amount
+force_anonymous_min_queue_seconds = 1
+# only trigger anon if we see more than N requests for this path in last 10 seconds
+force_anonymous_min_per_10_seconds = 3
+
+# Any requests with the headers Discourse-Background = true will not be allowed to queue
+# longer than this amount of time.
+# Discourse will rate limit and ask client to try again later.
+background_requests_max_queue_length = 0.5
+
+# if a message bus request queues for 100ms or longer, we will reject it and ask consumer
+# to back off
+reject_message_bus_queue_seconds = 0.1
+
+# disable search if app server is queueing for longer than this (in seconds)
+disable_search_queue_threshold = 1
+
+# maximum number of posts rebaked across the cluster in the periodical job
+# rebake process is very expensive, on multisite we have to make sure we never
+# flood the queue
+max_old_rebakes_per_15_minutes = 300
+
+# maximum number of log messages in /logs
+max_logster_logs = 1000
+
+# during precompile update maxmind database if older than N days
+# set to 0 to disable
+refresh_maxmind_db_during_precompile_days = 2
+
+# backup path containing maxmind db files
+maxmind_backup_path =
+
+# register an account at: https://www.maxmind.com/en/geolite2/signup
+# then head to profile and get your license key
+maxmind_license_key=
+
+# when enabled the following headers will be added to every response:
+# (note, if measurements do not exist for the header they will be omitted)
+#
+# X-Redis-Calls: 10
+# X-Redis-Time: 1.02
+# X-Sql-Calls: 102
+# X-Sql-Time: 1.02
+# X-Queue-Time: 1.01
+enable_performance_http_headers = false
+
+# gather JavaScript errors from clients (rate limited to 1 error per IP per minute)
+enable_js_error_reporting = true
+
+# This is probably not a number you want to touch, it controls the number of workers
+# we allow mini scheduler to run. Prior to 2019 we ran a single worker.
+# On extremely busy setups this could lead to situations where regular jobs would
+# starve. Specifically jobs such as "run heartbeat" which keeps sidekiq running.
+# Having a high number here is very low risk. Regular jobs are limited in scope and scale.
+mini_scheduler_workers = 5
+
+# enable compression on anonymous cache redis entries
+# this slightly increases the cost of storing cache entries but can make it much
+# cheaper to retrieve cache entries when redis is stores on a different machine to the one
+# running the web
+compress_anon_cache = false
+
+# Only store entries in redis for anonymous cache if they are observed more than N times
+# for a specific key
+#
+# This ensures there are no pathological cases where we keep storing data in anonymous cache
+# never to use it, set to 1 to store immediately, set to 0 to disable anon cache
+anon_cache_store_threshold = 2
+
+# EXPERIMENTAL - not yet supported in production
+# by default admins can install and amend any theme
+# you may restrict it so only specific themes are approved
+# in allowlist mode all theme updates must happen via git repos
+# themes missing from the list are automatically disallowed
+# list is a comma seperated list of git repos eg:
+# https://github.com/discourse/discourse-custom-header-links.git,https://github.com/discourse/discourse-simple-theme.git
+allowed_theme_repos =
+
+# Demon::EmailSync is used in conjunction with the enable_imap site setting
+# to sync N IMAP mailboxes with specific groups. It is a process started in
+# unicorn.conf, and it spawns N threads (one for each multisite connection) and
+# for each database spans another N threads (one for each configured group).
+#
+# We want this off by default so the process is not started when it does not
+# need to be (e.g. development, test, certain hosting tiers)
+enable_email_sync_demon = false
+
+# we never want to queue more than 10000 digests per 30 minute block
+# this can easily lead to blocking sidekiq
+# on multisites we recommend a far lower number
+max_digests_enqueued_per_30_mins_per_site = 10000
+
+# This cluster name can be passed to the /srv/status route to verify
+# the application cluster is the same one you are expecting
+cluster_name =

conf/settings.yml

@@ -0,0 +1,24 @@
+plugins:
+  ldap_enabled:
+    default: true
+  ldap_user_create_mode:
+    default: 'auto'
+  ldap_lookup_users_by:
+    default: 'email'
+  ldap_hostname:
+    default: 'localhost'
+  ldap_port:
+    default: 389
+  ldap_method:
+    default: 'plain'
+  ldap_base:
+    default: 'ou=users,dc=yunohost,dc=org'
+  ldap_uid:
+    default: 'uid'
+  ldap_bind_dn:
+    default: ''
+  ldap_password:
+    default: ''
+    secret: true
+  ldap_filter:
+    default: ''

scripts/install

@@ -28,6 +28,7 @@ domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
 admin=$YNH_APP_ARG_ADMIN
 is_public=$YNH_APP_ARG_IS_PUBLIC
+email=$(ynh_user_get_info --username=$admin --key=mail)
 
 app=$YNH_APP_INSTANCE_NAME
 
@@ -53,6 +54,7 @@ ynh_script_progression --message="Storing installation settings..."
 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin
+ynh_app_setting_set --app=$app --key=email --value=$email
 
 #=================================================
 # STANDARD MODIFICATIONS
@@ -137,47 +139,16 @@ ynh_system_user_create --username=$app --home_dir=$final_path --use_shell
 #=================================================
 ynh_script_progression --message="Configuring Discourse..."
 
-# Configure database
-discourse_config_file="$final_path/config/discourse.conf"
-cp $final_path/config/discourse_defaults.conf $discourse_config_file
-ynh_replace_string --match_string="db_name = discourse" --replace_string="db_name = $db_name" --target_file="$discourse_config_file"
-ynh_replace_string --match_string="db_username = discourse" --replace_string="db_username = $db_name" --target_file="$discourse_config_file"
-ynh_replace_string --match_string="db_password =" --replace_string="db_password = $db_pwd" --target_file="$discourse_config_file"
-
-# Configure hostname
-ynh_replace_string --match_string="hostname = \"www.example.com\"" --replace_string="hostname = \"$domain\"" --target_file="$discourse_config_file"
-ynh_replace_string --match_string="relative_url_root =" --replace_string="relative_url_root = ${path_url%/}" --target_file="$discourse_config_file"
-
-# Serve static assets (i.e. images, js, etc.)
-ynh_replace_string --match_string="serve_static_assets = false" --replace_string="serve_static_assets = true" --target_file="$discourse_config_file"
-
-# Don't show miniprofiler
-ynh_replace_string --match_string="load_mini_profiler = true" --replace_string="load_mini_profiler = false" --target_file="$discourse_config_file"
-
-# Configure e-mail server
-admin_mail=$(ynh_user_get_info "$admin" mail)
-ynh_replace_string --match_string="developer_emails =" --replace_string="developer_emails = $admin_mail" --target_file="$discourse_config_file"
-ynh_replace_string --match_string="smtp_address =" --replace_string="smtp_address = localhost" --target_file="$discourse_config_file"
-ynh_replace_string --match_string="smtp_domain =" --replace_string="smtp_domain = $domain" --target_file="$discourse_config_file"
-ynh_replace_string --match_string="smtp_enable_start_tls = true" --replace_string="smtp_enable_start_tls = false" --target_file="$discourse_config_file"
-
 # Configure redis
 redis_db=$(ynh_redis_get_free_db)
 ynh_app_setting_set --app="$app" --key=redis_db --value="$redis_db"
-ynh_replace_string --match_string="redis_db = 0" --replace_string="redis_db = $redis_db" --target_file="$discourse_config_file"
 
-# Don't notify on new versions (handled by the YunoHost package)
+ynh_add_config --template="../conf/discourse_defaults.conf" --destination="$final_path/config/discourse.conf"
-ynh_replace_string --match_string="new_version_emails = true" --replace_string="new_version_emails = false" --target_file="$discourse_config_file"
+chmod 400 "$final_path/config/discourse.conf"
-
+chown $app:$app "$final_path/config/discourse.conf"
-# Calculate and store the config file checksum
-ynh_store_file_checksum --file="$discourse_config_file"
 
 # Configure LDAP plugin
-ldap_config_file="$final_path/plugins/discourse-ldap-auth/config/settings.yml"
+ynh_add_config --template="../conf/settings.yml" --destination="$final_path/plugins/discourse-ldap-auth/config/settings.yml"
-ynh_replace_string --match_string="adfs.example.com" --replace_string="localhost" --target_file="$ldap_config_file"
-ynh_replace_string --match_string="dc=example,dc=com" --replace_string="ou=users,dc=yunohost,dc=org" --target_file="$ldap_config_file"
-ynh_replace_string --match_string="sAMAccountName" --replace_string="uid" --target_file="$ldap_config_file"
-ynh_store_file_checksum --file="$ldap_config_file"
 
 # Disable svgo worker
 echo "svgo: false" > $final_path/.image_optim.yml

scripts/restore

@@ -52,7 +52,7 @@ check_memory_requirements
 #=================================================
 # RESTORE THE NGINX CONFIGURATION
 #=================================================
-ynh_script_progression --message="Restoring the nginx configuration..."
+ynh_script_progression --message="Restoring the NGINX configuration..."
 
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 

scripts/upgrade

@@ -24,6 +24,7 @@ db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
 redis_db=$(ynh_app_setting_get --app=$app --key=redis_db)
 unicorn_workers=$(ynh_app_setting_get --app=$app --key=unicorn_workers)
+email=$(ynh_app_setting_get --app=$app --key=email)
 
 # Check memory requirements
 check_memory_requirements_upgrade
@@ -157,7 +158,7 @@ fi
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
-ynh_script_progression --message="Upgrading nginx web server configuration..."
+ynh_script_progression --message="Upgrading NGINX web server configuration..."
 
 # Create a dedicated nginx config
 ynh_add_nginx_config
@@ -173,7 +174,7 @@ ynh_store_file_checksum --file="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 ynh_script_progression --message="Upgrading dependencies..."
 
-ynh_install_app_dependencies "$pkg_dependencies"
+ynh_install_app_dependencies $pkg_dependencies
 
 #=================================================
 # INSTALL RUBY
@@ -200,51 +201,16 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	ynh_script_progression --message="Configuring Discourse..."
 
-	# Configure Discourse
+	ynh_add_config --template="../conf/discourse_defaults.conf" --destination="$final_path/config/discourse.conf"
-	discourse_config_file="$final_path/config/discourse.conf"
+	chmod 400 "$final_path/config/discourse.conf"
-	# Make a backup of the original config file if modified
+	chown $app:$app "$final_path/config/discourse.conf"
-	ynh_backup_if_checksum_is_different --file="$discourse_config_file"
-
-	cp $final_path/config/discourse_defaults.conf $discourse_config_file
-
-	ynh_replace_string --match_string="db_name = discourse" --replace_string="db_name = $db_name" --target_file="$discourse_config_file"
-	ynh_replace_string --match_string="db_username = discourse" --replace_string="db_username = $db_name" --target_file="$discourse_config_file"
-	ynh_replace_string --match_string="db_password =" --replace_string="db_password = $db_pwd" --target_file="$discourse_config_file"
-	# Configure hostname
-	ynh_replace_string --match_string="hostname = \"www.example.com\"" --replace_string="hostname = \"$domain\"" --target_file="$discourse_config_file"
-	ynh_replace_string --match_string="relative_url_root =" --replace_string="relative_url_root = ${path_url%/}" --target_file="$discourse_config_file"
-	# Serve static assets (i.e. images, js, etc.)
-	ynh_replace_string --match_string="serve_static_assets = false" --replace_string="serve_static_assets = true" --target_file="$discourse_config_file"
-	# Don't show miniprofiler
-	ynh_replace_string --match_string="load_mini_profiler = true" --replace_string="load_mini_profiler = false" --target_file="$discourse_config_file"
-	# Configure e-mail server
-	admin_mail=$(ynh_user_get_info "$admin" mail)
-	ynh_replace_string --match_string="developer_emails =" --replace_string="developer_emails = $admin_mail" --target_file="$discourse_config_file"
-	ynh_replace_string --match_string="smtp_address =" --replace_string="smtp_address = localhost" --target_file="$discourse_config_file"
-	ynh_replace_string --match_string="smtp_domain =" --replace_string="smtp_domain = $domain" --target_file="$discourse_config_file"
-	ynh_replace_string --match_string="smtp_enable_start_tls = true" --replace_string="smtp_enable_start_tls = false" --target_file="$discourse_config_file"
-	# Configure redis
-	ynh_replace_string --match_string="redis_db = 0" --replace_string="redis_db = $redis_db" --target_file="$discourse_config_file"
-	# Don't notify on new versions (handled by the YunoHost package)
-	ynh_replace_string --match_string="new_version_emails = true" --replace_string="new_version_emails = false" --target_file="$discourse_config_file"
-
-	# Calculate and store the config file checksum
-	ynh_store_file_checksum --file="$discourse_config_file"
 
 	# Configure LDAP plugin
-	ldap_config_file="$final_path/plugins/discourse-ldap-auth/config/settings.yml"
+	ynh_add_config --template="../conf/settings.yml" --destination="$final_path/plugins/discourse-ldap-auth/config/settings.yml"
-	# Make a backup of the original config file if modified
-	ynh_backup_if_checksum_is_different "$ldap_config_file"
-
-	ynh_replace_string --match_string="adfs.example.com" --replace_string="localhost" --target_file="$ldap_config_file"
-	ynh_replace_string --match_string="dc=example,dc=com" --replace_string="ou=users,dc=yunohost,dc=org" --target_file="$ldap_config_file"
-	ynh_replace_string --match_string="sAMAccountName" --replace_string="uid" --target_file="$ldap_config_file"
-
-	# Calculate and store the config file checksum
-	ynh_store_file_checksum --file="$ldap_config_file"
 
 	# Disable svgo worker
 	echo "svgo: false" > $final_path/.image_optim.yml
+
 fi
 
 #=================================================
@@ -405,7 +371,7 @@ ynh_maintenance_mode_OFF
 #=================================================
 # RELOAD NGINX
 #=================================================
-ynh_script_progression --message="Reloading nginx web server..."
+ynh_script_progression --message="Reloading NGINX web server..."
 
 ynh_systemd_action --service_name=nginx --action=reload