Update to 2022-01-26 18:00

roles/taiga/templates/back/config.py.j2

@@ -0,0 +1,220 @@
+# -*- coding: utf-8 -*-
+import os
+
+from .common import *
+
+#########################################
+## GENERIC
+#########################################
+
+DEBUG = False
+
+#ADMINS = (
+#    ("Admin", "example@example.com"),
+#)
+
+DATABASES = {
+  'default': {
+    'ENGINE': 'django.db.backends.postgresql',
+    'NAME': '{{ taiga_db_name }}',
+    'USER': '{{ taiga_db_user }}',
+    'PASSWORD': '{{ taiga_db_pass }}',
+    'HOST': '{{ taiga_db_server }}',
+    'PORT': '{{ taiga_db_port }}',
+  }
+}
+
+SECRET_KEY = "{{ taiga_secret_key }}"
+
+TAIGA_SITES_SCHEME = "{{ taiga_public_url | urlsplit('scheme') }}"
+TAIGA_SITES_DOMAIN = "{{ taiga_public_url | urlsplit('hostname') }}"
+FORCE_SCRIPT_NAME = "{{ (taiga_public_url | urlsplit('path') == '/') | ternary('', taiga_public_url | urlsplit('path')) }}"
+
+TAIGA_URL = f"{ TAIGA_SITES_SCHEME }://{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }"
+SITES = {
+        "api": { "name": "api", "scheme": TAIGA_SITES_SCHEME, "domain": TAIGA_SITES_DOMAIN },
+        "front": { "name": "front", "scheme": TAIGA_SITES_SCHEME, "domain": f"{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }" }
+}
+
+# Setting DEFAULT_PROJECT_SLUG_PREFIX to false
+# removes the username from project slug
+DEFAULT_PROJECT_SLUG_PREFIX = False
+
+#########################################
+## MEDIA AND STATIC
+#########################################
+
+MEDIA_ROOT = '{{ taiga_root_dir }}/data/media/'
+MEDIA_URL = f"{ TAIGA_URL }/media/"
+DEFAULT_FILE_STORAGE = "taiga_contrib_protected.storage.ProtectedFileSystemStorage"
+THUMBNAIL_DEFAULT_STORAGE = DEFAULT_FILE_STORAGE
+
+# STATIC_ROOT = '/home/taiga/static'
+STATIC_URL = f"{ TAIGA_URL }/static/"
+
+#########################################
+## EMAIL
+#########################################
+# https://docs.djangoproject.com/en/3.1/topics/email/
+EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
+CHANGE_NOTIFICATIONS_MIN_INTERVAL = 120  # seconds
+
+DEFAULT_FROM_EMAIL = '{{ taiga_email_from }}'
+EMAIL_USE_TLS = {{ taiga_smtp_tls | ternary('True', 'False') }}
+EMAIL_USE_SSL = {{ taiga_smtp_ssl | ternary('True', 'False') }}
+EMAIL_HOST = '{{ taiga_smtp_server }}'
+EMAIL_PORT = {{ taiga_smtp_port }}
+{% if taiga_smtp_user is defined and taiga_smtp_pass is defined %}
+EMAIL_HOST_USER = '{{ taiga_smtp_user }}'
+EMAIL_HOST_PASSWORD = '{{ taiga_smtp_pass }}'
+{% endif %}
+
+#########################################
+## EVENTS
+#########################################
+EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
+EVENTS_PUSH_BACKEND_OPTIONS = {
+  "url": "amqp://{{ taiga_amqp_user }}:{{ taiga_amqp_pass }}@{{ taiga_amqp_server }}:{{ taiga_amqp_port }}/{{ taiga_amqp_vhost }}"
+}
+
+
+#########################################
+## TAIGA ASYNC
+#########################################
+CELERY_ENABLED = os.getenv('CELERY_ENABLED', 'True') == 'True'
+
+from kombu import Queue  # noqa
+
+CELERY_BROKER_URL = "amqp://{{ taiga_amqp_user }}:{{ taiga_amqp_pass }}@{{ taiga_amqp_server }}:{{ taiga_amqp_port }}/{{ taiga_amqp_vhost }}"
+CELERY_RESULT_BACKEND = None # for a general installation, we don't need to store the results
+CELERY_ACCEPT_CONTENT = ['pickle', ]  # Values are 'pickle', 'json', 'msgpack' and 'yaml'
+CELERY_TASK_SERIALIZER = "pickle"
+CELERY_RESULT_SERIALIZER = "pickle"
+CELERY_TIMEZONE = "{{ system_tz | default('Europe/Paris') }}"
+CELERY_TASK_DEFAULT_QUEUE = 'tasks'
+CELERY_QUEUES = (
+  Queue('tasks', routing_key='task.#'),
+  Queue('transient', routing_key='transient.#', delivery_mode=1)
+)
+CELERY_TASK_DEFAULT_EXCHANGE = 'tasks'
+CELERY_TASK_DEFAULT_EXCHANGE_TYPE = 'topic'
+CELERY_TASK_DEFAULT_ROUTING_KEY = 'task.default'
+
+
+#########################################
+## CONTRIBS
+#########################################
+# INSTALLED_APPS += [
+#     "taiga_contrib_slack",
+#     "taiga_contrib_github_auth",
+#     "taiga_contrib_gitlab_auth"
+# ]
+#
+# GITHUB_API_CLIENT_ID = "changeme"
+# GITHUB_API_CLIENT_SECRET = "changeme"
+#
+# GITLAB_API_CLIENT_ID = "changeme"
+# GITLAB_API_CLIENT_SECRET = "changeme"
+# GITLAB_URL = "changeme"
+
+
+#########################################
+## TELEMETRY
+#########################################
+
+ENABLE_TELEMETRY = False
+
+#########################################
+##  REGISTRATION
+#########################################
+
+PUBLIC_REGISTER_ENABLED = False
+
+#########################################
+## THROTTLING
+#########################################
+
+#REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"] = {
+#    "anon-write": "20/min",
+#    "user-write": None,
+#    "anon-read": None,
+#    "user-read": None,
+#    "import-mode": None,
+#    "import-dump-mode": "1/minute",
+#    "create-memberships": None,
+#    "login-fail": None,
+#    "register-success": None,
+#    "user-detail": None,
+#    "user-update": None,
+#}
+
+# This list should contain:
+#  - Taiga users IDs
+#  - Valid clients IP addresses (X-Forwarded-For header)
+#REST_FRAMEWORK["DEFAULT_THROTTLE_WHITELIST"] = []
+
+# LIMIT ALLOWED DOMAINS FOR REGISTER AND INVITE
+# None or [] values in USER_EMAIL_ALLOWED_DOMAINS means allow any domain
+#USER_EMAIL_ALLOWED_DOMAINS = None
+
+# PUCLIC OR PRIVATE NUMBER OF PROJECT PER USER
+#MAX_PRIVATE_PROJECTS_PER_USER = None # None == no limit
+#MAX_PUBLIC_PROJECTS_PER_USER = None # None == no limit
+#MAX_MEMBERSHIPS_PRIVATE_PROJECTS = None # None == no limit
+#MAX_MEMBERSHIPS_PUBLIC_PROJECTS = None # None == no limit
+
+
+#########################################
+## SITEMAP
+#########################################
+
+# If is True /front/sitemap.xml show a valid sitemap of taiga-front client
+#FRONT_SITEMAP_ENABLED = False
+#FRONT_SITEMAP_CACHE_TIMEOUT = 24*60*60  # In second
+
+
+#########################################
+## FEEDBACK
+#########################################
+
+# Note: See config in taiga-front too
+FEEDBACK_ENABLED = False
+#FEEDBACK_EMAIL = "support@taiga.io"
+
+
+#########################################
+## STATS
+#########################################
+
+#STATS_ENABLED = False
+#STATS_CACHE_TIMEOUT = 60*60  # In second
+
+
+#########################################
+## IMPORTERS
+#########################################
+
+# Configuration for the GitHub importer
+# Remember to enable it in the front client too.
+#IMPORTERS["github"] = {
+#    "active": True,
+#    "client_id": "XXXXXX_get_a_valid_client_id_from_github_XXXXXX",
+#    "client_secret": "XXXXXX_get_a_valid_client_secret_from_github_XXXXXX"
+#}
+
+# Configuration for the Trello importer
+# Remember to enable it in the front client too.
+#IMPORTERS["trello"] = {
+#    "active": True, # Enable or disable the importer
+#    "api_key": "XXXXXX_get_a_valid_api_key_from_trello_XXXXXX",
+#    "secret_key": "XXXXXX_get_a_valid_secret_key_from_trello_XXXXXX"
+#}
+
+# Configuration for the Jira importer
+# Remember to enable it in the front client too.
+#IMPORTERS["jira"] = {
+#    "active": True, # Enable or disable the importer
+#    "consumer_key": "XXXXXX_get_a_valid_consumer_key_from_jira_XXXXXX",
+#    "cert": "XXXXXX_get_a_valid_cert_from_jira_XXXXXX",
+#    "pub_cert": "XXXXXX_get_a_valid_pub_cert_from_jira_XXXXXX"
+#}

roles/taiga/templates/events/env.j2

@@ -0,0 +1,4 @@
+RABBITMQ_URL="amqp://{{ taiga_amqp_user }}:{{ taiga_amqp_pass }}@{{ taiga_amqp_server }}:{{ taiga_amqp_port }}/{{ taiga_amqp_vhost }}"
+SECRET="{{ taiga_secret_key }}"
+WEB_SOCKET_SERVER_PORT={{ taiga_ports['events'] }}
+APP_PORT=3023

roles/taiga/templates/front/conf.json.j2

@@ -0,0 +1,29 @@
+{
+    "api": "{{ taiga_public_url }}/api/v1/",
+    "eventsUrl": "{{ taiga_public_url | regex_replace('^http','ws') }}/events",
+    "baseHref": "{{ (taiga_public_url | urlsplit('path') == '') | ternary('/', taiga_public_url | urlsplit('path')) }}",
+    "eventsMaxMissedHeartbeats": 5,
+    "eventsHeartbeatIntervalTime": 60000,
+    "eventsReconnectTryInterval": 10000,
+    "debug": false,
+    "debugInfo": false,
+    "defaultLanguage": "en",
+    "themes": ["taiga"],
+    "defaultTheme": "taiga",
+    "defaultLoginEnabled": true,
+    "publicRegisterEnabled": {{ taiga_user_registration | ternary('true', 'false') }},
+    "feedbackEnabled": true,
+    "supportUrl": "https://resources.taiga.io",
+    "privacyPolicyUrl": null,
+    "termsOfServiceUrl": null,
+    "maxUploadFileSize": {{ taiga_max_upload_file_size }},
+    "contribPlugins": [],
+    "tagManager": { "accountId": null },
+    "tribeHost": null,
+    "enableAsanaImporter": false,
+    "enableGithubImporter": false,
+    "enableJiraImporter": false,
+    "enableTrelloImporter": false,
+    "gravatar": false,
+    "rtlLanguages": ["ar", "fa", "he"]
+}

roles/taiga/templates/nginx.conf.j2

@@ -0,0 +1,76 @@
+server {
+  listen 443 ssl http2;
+  server_name {{ taiga_public_url | urlsplit('hostname') }};
+
+  large_client_header_buffers 4 32k;
+  client_max_body_size {{ taiga_max_upload_file_size }}M;
+  charset utf-8;
+
+  # Frontend
+  location / {
+    alias {{ taiga_root_dir }}/app/front/dist/;
+    index index.html;
+    try_files $uri $uri/ index.html =404;
+  }
+
+  # API
+  location /api/ {
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass http://127.0.0.1:{{ taiga_ports['back'] }}/api/;
+    proxy_redirect off;
+  }
+
+  # Admin
+  location /admin/ {
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass http://127.0.0.1:{{ taiga_ports['back'] }}/admin/;
+    proxy_redirect off;
+  }
+
+  # Static files
+  location /static/ {
+    alias {{ taiga_root_dir }}/app/back/static/;
+  }
+
+  # Media
+  location /_protected/ {
+    internal;
+    alias {{ taiga_root_dir }}/data/media/;
+    add_header Content-disposition "attachment";
+  }
+
+  # Unprotected section
+  location /media/exports/ {
+    alias {{ taiga_root_dir }}/data/media/exports/;
+    add_header Content-disposition "attachment";
+  }
+
+  location /media/ {
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass http://127.0.0.1:{{ taiga_ports['protected'] }}/;
+    proxy_redirect off;
+  }
+
+  # Events
+  location /events {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_connect_timeout 7d;
+    proxy_send_timeout 7d;
+    proxy_read_timeout 7d;
+    proxy_pass http://127.0.0.1:{{ taiga_ports['events'] }}/events;
+  }
+}

roles/taiga/templates/post-backup.j2

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eo pipefail
+
+rm -f {{ taiga_root_dir }}/backup/*

roles/taiga/templates/pre-backup.j2

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -eo pipefail
+
+PGPASSWORD='{{ taiga_db_pass }}' /usr/pgsql-14/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ taiga_db_user | quote }} \
+  --host={{ taiga_db_server | quote }} \
+  --port={{ taiga_db_port }} \
+  {{ taiga_db_name | quote }} | \
+  zstd -c > {{ taiga_root_dir }}/backup/{{ taiga_db_name | quote }}.sql.zst
+

roles/taiga/templates/protected/env.j2

@@ -0,0 +1,3 @@
+SECRET_KEY={{ taiga_secret_key }}
+MAX_AGE=300
+TAIGA_SUBPATH={{ taiga_public_url | urlsplit('path') }}

roles/taiga/templates/taiga-async.service.j2

@@ -0,0 +1,25 @@
+[Unit]
+Description=Taiga async
+After=network.target rabbitmq-server.service
+
+[Service]
+User={{ taiga_user }}
+Group={{ taiga_user }}
+Environment=PYTHONUNBUFFERED=true
+Environment=DJANGO_SETTINGS_MODULE=settings.config
+WorkingDirectory={{ taiga_root_dir }}/app/back
+ExecStart={{ taiga_root_dir }}/venv/bin/celery -A taiga.celery worker -B --concurrency 4 -l INFO --schedule={{ taiga_root_dir }}/data/celerybeat-schedule
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+SyslogIdentifier=taiga-async
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
+

roles/taiga/templates/taiga-back.service.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=Taiga backend
+After=network.target rabbitmq-server.service
+
+[Service]
+User={{ taiga_user }}
+Group={{ taiga_user }}
+Environment=PYTHONUNBUFFERED=true
+Environment=DJANGO_SETTINGS_MODULE=settings.config
+WorkingDirectory={{ taiga_root_dir }}/app/back
+ExecStart={{ taiga_root_dir }}/venv/bin/gunicorn --workers 4 --timeout 60 --log-level=info --access-logfile - --bind 127.0.0.1:{{ taiga_ports['back'] }} taiga.wsgi
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+SyslogIdentifier=taiga-back
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/taiga/templates/taiga-events.service.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=Taiga events
+After=network.target rabbitmq-server.service
+
+[Service]
+User={{ taiga_user }}
+Group={{ taiga_user }}
+WorkingDirectory={{ taiga_root_dir }}/app/events
+ExecStart=/bin/npm run start:production
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=512M
+SyslogIdentifier=taiga-events
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
+

roles/taiga/templates/taiga-protected.service.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=Taiga protected
+After=network.target rabbitmq-server.service
+
+[Service]
+User={{ taiga_user }}
+Group={{ taiga_user }}
+Environment=PYTHONUNBUFFERED=true
+WorkingDirectory={{ taiga_root_dir }}/app/protected
+ExecStart={{ taiga_root_dir }}/venv/bin/gunicorn --workers 4 --timeout 60 --log-level=info --access-logfile - --bind 127.0.0.1:{{ taiga_ports['protected'] }} server:app
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=512M
+SyslogIdentifier=taiga-protected
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target