add env variables, custom server, improve ssl, plugins

pull/7967/head
Cyril Rohr 5 years ago
parent 01e546cf5e
commit 55b60f1cea
  1. 14
      help/installation-and-operations/configuration/README.md
  2. 84
      help/installation-and-operations/configuration/environment/README.md
  3. 53
      help/installation-and-operations/configuration/plugins/README.md
  4. 61
      help/installation-and-operations/configuration/server/README.md
  5. 22
      help/installation-and-operations/configuration/server/docker-compose.yml
  6. 17
      help/installation-and-operations/configuration/server/nginx.conf
  7. 19
      help/installation-and-operations/configuration/ssl/README.md
  8. 54
      help/installation-and-operations/operation/faq/README.md

@ -7,11 +7,11 @@ sidebar_navigation:
# Advanced configuration
| ----------- | :---------- |
| [List of supported environment variables](#TODO) | TODO: The full list of environment variables you can use to override the default configuration |
| [Configuring SSL](#TODO) | How to configure SSL so that your OpenProject installation is available over HTTPS |
| [Configuring outbound emails](#TODO) | How to configure outbound emails for notifications, etc. |
| [List of supported environment variables](./environment) | The full list of environment variables you can use to override the default configuration |
| [Configuring SSL](./ssl) | How to configure SSL so that your OpenProject installation is available over HTTPS |
| [Configuring outbound emails](./outbound-emails) | How to configure outbound emails for notifications, etc. |
| [Configuring inbound emails](#TODO) | TODO: How to configure inbound emails for work package updates directly from an email |
| [Configuring a custom database](#TODO) | How to use an external database |
| [Configuring a custom web server](#TODO) | TODO: How to use a custom web server (e.g. NginX) with your OpenProject installation |
| [Configuring a custom web server](#TODO) | TODO: How to use a custom caching server with your OpenProject installation |
| [Adding plugins](#TODO) | TODO: How to add plugins to your OpenProject installation |
| [Configuring a custom database](./database) | How to use an external database |
| [Configuring a custom web server](./server) | How to use a custom web server (e.g. NginX) with your OpenProject installation |
| [Configuring a custom caching server](#TODO) | TODO: How to use a custom caching server with your OpenProject installation |
| [Adding plugins](./plugins) | How to add plugins to your OpenProject installation |

@ -0,0 +1,84 @@
---
sidebar_navigation:
title: Environment variables
priority: 10
---
# Supported environment variables
Below is the full list of supported environment variables that can be used to override the default configuration of your OpenProject installation:
```
OPENPROJECT_EDITION (default="standard")
OPENPROJECT_ATTACHMENTS__STORAGE (default="file")
OPENPROJECT_ATTACHMENTS__STORAGE__PATH (default=nil)
OPENPROJECT_ATTACHMENTS__GRACE__PERIOD (default=180)
OPENPROJECT_AUTOLOGIN__COOKIE__NAME (default="autologin")
OPENPROJECT_AUTOLOGIN__COOKIE__PATH (default="/")
OPENPROJECT_AUTOLOGIN__COOKIE__SECURE (default=false)
OPENPROJECT_DATABASE__CIPHER__KEY (default=nil)
OPENPROJECT_SHOW__COMMUNITY__LINKS (default=true)
OPENPROJECT_LOG__LEVEL (default="info")
OPENPROJECT_SCM__GIT__COMMAND (default=nil)
OPENPROJECT_SCM__SUBVERSION__COMMAND (default=nil)
OPENPROJECT_SCM__LOCAL__CHECKOUT__PATH (default="repositories")
OPENPROJECT_DISABLE__BROWSER__CACHE (default=true)
OPENPROJECT_RAILS__CACHE__STORE (default=nil)
OPENPROJECT_CACHE__EXPIRES__IN__SECONDS (default=nil)
OPENPROJECT_CACHE__NAMESPACE (default=nil)
OPENPROJECT_CACHE__MEMCACHE__SERVER (default=nil)
OPENPROJECT_SESSION__STORE (default=:cache_store)
OPENPROJECT_SESSION__COOKIE__NAME (default="_open_project_session")
OPENPROJECT_DROP__OLD__SESSIONS__ON__LOGOUT (default=true)
OPENPROJECT_DROP__OLD__SESSIONS__ON__LOGIN (default=false)
OPENPROJECT_RAILS__RELATIVE__URL__ROOT (default="")
OPENPROJECT_RAILS__FORCE__SSL (default=false)
OPENPROJECT_RAILS__ASSET__HOST (default=nil)
OPENPROJECT_ENABLE__INTERNAL__ASSETS__SERVER (default=false)
OPENPROJECT_FORCE__HELP__LINK (default=nil)
OPENPROJECT_FORCE__FORMATTING__HELP__LINK (default=nil)
OPENPROJECT_IMPRESSUM__LINK (default=nil)
OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER (default="asc")
OPENPROJECT_EMAIL__DELIVERY__CONFIGURATION (default="inapp")
OPENPROJECT_EMAIL__DELIVERY__METHOD (default=nil)
OPENPROJECT_SMTP__ADDRESS (default=nil)
OPENPROJECT_SMTP__PORT (default=nil)
OPENPROJECT_SMTP__DOMAIN (default=nil)
OPENPROJECT_SMTP__AUTHENTICATION (default=nil)
OPENPROJECT_SMTP__USER__NAME (default=nil)
OPENPROJECT_SMTP__PASSWORD (default=nil)
OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO (default=nil)
OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE (default=nil)
OPENPROJECT_SENDMAIL__LOCATION (default="/usr/sbinsendmail")
OPENPROJECT_SENDMAIL__ARGUMENTS (default="-i")
OPENPROJECT_DISABLE__PASSWORD__LOGIN (default=false)
OPENPROJECT_AUTH__SOURCE__SSO (default=nil)
OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER (default=nil)
OPENPROJECT_INTERNAL__PASSWORD__CONFIRMATION (default=true)
OPENPROJECT_DISABLE__PASSWORD__CHOICE (default=false)
OPENPROJECT_OVERRIDE__BCRYPT__COST__FACTOR (default=nil)
OPENPROJECT_DISABLED__MODULES (default=[])
OPENPROJECT_HIDDEN__MENU__ITEMS (default={})
OPENPROJECT_BLACKLISTED__ROUTES (default=[])
OPENPROJECT_APIV3__ENABLE__BASIC__AUTH (default=true)
OPENPROJECT_ONBOARDING__VIDEO__URL (default="https://player.vimeo.com/video/163426858?autoplay=1")
OPENPROJECT_ONBOARDING__ENABLED (default=true)
OPENPROJECT_YOUTUBE__CHANNEL (default="https://www.youtube.com/c/OpenProjectCommunity")
OPENPROJECT_EE__MANAGER__VISIBLE (default=true)
OPENPROJECT_HEALTH__CHECKS__AUTHENTICATION__PASSWORD (default=nil)
OPENPROJECT_HEALTH__CHECKS__JOBS__QUEUE__COUNT__THRESHOLD (default=50)
OPENPROJECT_HEALTH__CHECKS__JOBS__NEVER__RAN__MINUTES__AGO (default=5)
OPENPROJECT_AFTER__LOGIN__DEFAULT__REDIRECT__URL (default=nil)
OPENPROJECT_AFTER__FIRST__LOGIN__REDIRECT__URL (default=nil)
OPENPROJECT_MAIN__CONTENT__LANGUAGE (default="english")
OPENPROJECT_CROWDIN__IN__CONTEXT__TRANSLATIONS (default=true)
OPENPROJECT_GRAVATAR__FALLBACK__IMAGE (default="404")
OPENPROJECT_REGISTRATION__FOOTER (default={})
OPENPROJECT_SECURITY__BADGE__DISPLAYED (default=true)
OPENPROJECT_INSTALLATION__TYPE (default="manual")
OPENPROJECT_SECURITY__BADGE__URL (default="https://releases.openproject.com/v1/check.svg")
OPENPROJECT_MIGRATION__CHECK__ON__EXCEPTIONS (default=true)
OPENPROJECT_SHOW__PENDING__MIGRATIONS__WARNING (default=true)
OPENPROJECT_SHOW__WARNING__BARS (default=true)
OPENPROJECT_SHOW__STORAGE__INFORMATION (default=true)
```

@ -0,0 +1,53 @@
---
sidebar_navigation:
title: Adding plugins
priority: 0
---
# Adding plugins
Note: this guide only applies if you've installed OpenProject using our DEB/RPM packages.
A [number of plugins](https://www.openproject.org/plugins/) exist for use with OpenProject. Most plugins that are maintained by us are shipping with OpenProject, however there are several plugins contributed by the community.
Previously, using them in a packaged installation was not possible without losing your changes on every upgrade. With the following steps, you can now use third party plugins.
Note: We cannot guarantee upgrade compatibility for third party plugins nor do we provide support for them. Please carefully check whether the plugins you use are available in newer versions before upgrading your installation.
## Add a custom Gemfile
If you have a plugin you wish to add to your packaged OpenProject installation, create a separate Gemfile with the Gem dependencies, such as the following:
```
group :opf_plugins do
gem 'openproject-emoji', git: 'https://github.com/tessi/openproject-emoji.git', :branch => 'op-5-stable'
end
```
The group `:opf_plugins` is generally recommended, but only required for plugins with custom frontend code that is picked up by webpack and output into their respective bundles.
We suggest to store the Gemfile under `/etc/openproject/Gemfile.custom`, but the choice is up to you, just make sure the openproject user is able to read it.
## Propagate the Gemfile to the package
You have to tell your installation to use the custom gemfile via a config setting:
```
openproject config:set CUSTOM_PLUGIN_GEMFILE=/etc/openproject/Gemfile.custom
```
If your plugin links into the Angular frontend, you will need to set the following environment variable to ensure it gets recompiled. Please note that NPM dependencies will be installed during the installation, and the angular CLI compilation will take place which will delay the configuration process by a few minutes.
```
openproject config:set RECOMPILE_ANGULAR_ASSETS="true"
```
## Re-run the installer
To re-bundle the application including the new plugins, as well as running migrations and precompiling their assets, simply re-run the installer while using the same configuration as before.
```
openproject configure
```
Using configure will take your previous decisions in the installer and simply re-apply them, which is an idempotent operation. It will detect the Gemfile config option being set and re-bundle the application with the additional plugins.

@ -0,0 +1,61 @@
---
sidebar_navigation:
title: Configuring a custom web server
priority: 5
---
# Configuring a custom web server
Both the packaged and docker-based installations ship with Apache as the default web server, because the Git and SVN repository integrations (when OpenProject manages the repositories) only work with that web server.
For a packaged-based installation, if for instance you wish to use NginX, you will need to skip the web server installation when asked in the initial configuration, and then configure NginX yourself so that it forwards traffic to the OpenProject web process (listening by default on 127.0.0.1:6000).If using SSL/TLS, please ensure you set the header value `X-Forwarded-Proto https` so OpenProject can correctly produce responses.
For a docker-based installation, you will need to switch to the single-process launch mode, where you would launch one or more containers for the `web` process, one container for the `worker` process, and then setup a web server of your choice in another container that forwards traffic to the `web` container(s). A simplified Compose file would look like:
```yaml
version: '3'
services:
database:
image: postgres:10
environment:
- POSTGRES_PASSWORD=p4ssw0rd
- POSTGRES_DB=openproject
nginx:
image: nginx
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
ports:
- "8080:80"
web: &openproject
environment:
- DATABASE_URL=postgres://postgres:p4ssw0rd@database/openproject
image: openproject/community:10
command: ./docker/web
worker:
<<: *openproject
command: ./docker/worker
```
And the corresponding NginX configuration file would look like:
```
# default.conf
upstream app {
server web:8080;
}
server {
listen 80;
server_name _;
location / {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://app/;
}
}
```

@ -0,0 +1,22 @@
version: '3'
services:
database:
image: postgres:10
environment:
- POSTGRES_PASSWORD=p4ssw0rd
- POSTGRES_DB=openproject
nginx:
image: nginx
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
ports:
- "8080:80"
web: &openproject
environment:
- DATABASE_URL=postgres://postgres:p4ssw0rd@database/openproject
image: openproject/community:10
command: ./docker/web
worker:
<<: *openproject
command: ./docker/worker

@ -0,0 +1,17 @@
upstream app {
server web:8080;
}
server {
listen 80;
server_name _;
location / {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://app/;
}
}

@ -29,3 +29,22 @@ If you really want to enable SSL from within the container, you could try
mounting a custom apache2 directory when you launch the container with `-v
my/apache2/conf:/etc/apache2`. This would entirely replace the configuration
we're using.
## Create a free SSL certificate using let's encrypt
You can get an SSL certificate for free via Let's Encrypt.
Here is how you do it using [certbot](https://github.com/certbot/certbot):
curl https://dl.eff.org/certbot-auto > /usr/local/bin/certbot-auto
chmod a+x /usr/local/bin/certbot-auto
certbot-auto certonly --webroot --webroot-path /opt/openproject/public -d openprojecct.mydomain.com
This requires your OpenProject server to be available from the Internet on port 443 or 80.
If this works the certificate (`cert.pem`) and private key (`privkey.pem`) will be created under `/etc/letsencrypt/live/openproject.mydomain.com/`. Configure these for OpenProject to use by running `openproject reconfigure` and choosing yes when the wizard asks for SSL.
Now this Let's Encryt certificate is only valid for 90 days. To renew it automatically all you have to do is to add the following entry to your crontab (run `crontab -e`):
0 1 * * * certbot-auto renew --quiet --post-hook "service apache2 restart"
This will execute `certbot renew` every day at 1am. The command checks if the certificate is expired and renews it if that is the case. The web server is restarted in a post hook in order for it to pick up the new certificate.

@ -9,13 +9,6 @@ sidebar_navigation:
TODO: review
## How can I install an OpenProject plugin?
Our [official installation page][install-page] has instructions on how to customize your OpenProject installation.
Please note that customization is not yet supported for Docker-based installations.
[install-page]: https://www.openproject.org/download-and-installation/
## How to migrate from Bitnami to the official OpenProject installation packages?
Please follow the following steps:
@ -33,33 +26,21 @@ Please follow the following steps:
[bitnami-backup]: https://docs.bitnami.com/installer/apps/openproject/
## Can I use NginX instead of Apache webserver?
Yes, but you will lose the ability to enable Git/SVN repository integration. Note that the OpenProject installer does not support NginX, so you will have to ask to disable the Apache2 integration when running the installer, and then configure NginX yourself so that it forwards traffic to the OpenProject web process (listening by default on 127.0.0.1:6000). If using SSL/TLS, please ensure you set the header value `X-Forwarded-Proto https` so OpenProject can correctly produce responses. [For more information, please visit our forums](https://community.openproject.com/projects/openproject/boards).
## Can I use MySQL instead of PostgreSQL?
OpenProject has traditionally supported both MySQL and PostgreSQL, but in order to optimize for performance and SQL functionality, it is unfeasible to support both DBMS that are becoming more and more disjunct when trying to use more modern SQL features. This shift has started some years ago when full-text search was added for PostgreSQL, but at the time MySQL did not yet support it - and as of yet many distributions still do not support MySQL 8 natively.
This led us to the path of removing support in the upcoming stable releases of OpenProject in order to focus on these goals. [Please see our blog post on the matter for additional notes](https://www.openproject.org/deprecating-mysql-support/).
## How can I migrate my existing MySQL database to PostgreSQL ?
Older installations of OpenProject are likely installed with a MySQL installation because the installer shipped with an option to auto-install it. With [pgloader](https://pgloader.io), it is trivially easy to convert a dump between MySQL and PostgreSQL installation. [We have prepared a guide](https://www.openproject.org/operations/upgrading/migrating-packaged-openproject-database-postgresql/) on how to migrate to a PostgreSQL database if you previously used MySQL.
## My favorite linux distribution is not listed. What can I do?
You can either try the manual installation, or ask in the forum whether this could be added to the list of supported distributions. We try to support recent major distributions, but due to maintenance and operations cost cannot freely add to that list.
## What is the better option to run OpenProject in production environments: docker or linux packages?
We recommend the Linux packages [if you have a compatible distribution](https://www.openproject.org/system-requirements/) and a separate machine for OpenProject, since it will allow for the easiest and most flexible setup. Use a docker-based image either for quickly spinning up an environment or if you have knowledge in setting up and maintaing docker-based installations.
@ -67,62 +48,31 @@ We recommend the Linux packages [if you have a compatible distribution](https://
Please note we currently do not yet provide a docker-compose based image, [please see this ticket for a timeline](https://community.openproject.com/wp/30551) and help us contribute one!
## Do you provide different release channels?
Yes! We release OpenProject in separate release channels that you can try out. For production environments, **always** use the `stable/MAJOR` (e.g., stable/9) package source that will receive stable and release updates. Every major upgrade will result in a source switch (from `stable/7` to `stable/8` for example).
A closer look at the available branches:
* [stable/9](https://packager.io/gh/opf/openproject/refs/stable/9): Latest stable releases, starting with 9.0.0 until the last minor and patch releases of 9.X.Y are released, this will receive updates.
* [release/9.0](https://packager.io/gh/opf/openproject/refs/release/9.0): Regular (usually daily) release builds for the current next patch release (or for the first release in this version, such as 9.0.0). This will contain early bugfixes before they are being release into stable. **Do not use in production**. But, for upgrading to the next major version, this can be regarded as a _release candidate channel_ that you can use to test your upgrade on a copy of your production environment.
* [stable/10](https://packager.io/gh/opf/openproject/refs/stable/10): Latest stable releases, starting with 10.0.0 until the last minor and patch releases of 10.X.Y are released, this will receive updates.
* [release/10.0](https://packager.io/gh/opf/openproject/refs/release/10.0): Regular (usually daily) release builds for the current next patch release (or for the first release in this version, such as 10.0.0). This will contain early bugfixes before they are being release into stable. **Do not use in production**. But, for upgrading to the next major version, this can be regarded as a _release candidate channel_ that you can use to test your upgrade on a copy of your production environment.
* [dev](https://packager.io/gh/opf/openproject/refs/dev): Daily builds of the current development build of OpenProject. While we try to keep this operable, this may result in broken code and/or migrations from time to time. Use when you're interested what the next release of OpenProject will look like. **Do not use in production!**
For more information, please visit our dedicated [page regarding release candidates and channels](https://www.openproject.org/download-and-installation/release-candidate/).
## How to upgrade my OpenProject installation?
Please refer to the documentation at https://www.openproject.org/operations/upgrading/
## What skills should I have for the installation?
If you use the packaged installation, you should have a basic knowledge of Linux and the command-line terminal.
If you use the docker images, you need to be familiar with Docker and Docker volumes.
## Why don't you support Windows?
Ruby support on Windows is notoriously difficult, however you might be able to run the Docker image, or use the unofficial Windows stack provided by [Bitnami](https://bitnami.com/stack/openproject/installer). We would welcome feedback and reported experiences on running OpenProject on Windows, please reach out to us if you can contribute some information.
## How to backup and restore my OpenProject installation?
Please refer to the [backup documentation](../backing-up) for the packaged installation.
## How can I install a free SSL certificate using let's encrypt?
You can get an SSL certificate for free via Let's Encrypt.
Here is how you do it using [certbot](https://github.com/certbot/certbot):
curl https://dl.eff.org/certbot-auto > /usr/local/bin/certbot-auto
chmod a+x /usr/local/bin/certbot-auto
certbot-auto certonly --webroot --webroot-path /opt/openproject/public -d openprojecct.mydomain.com
This requires your OpenProject server to be available from the Internet on port 443 or 80.
If this works the certificate (`cert.pem`) and private key (`privkey.pem`) will be created under `/etc/letsencrypt/live/openproject.mydomain.com/`. Configure these for OpenProject to use by running `openproject reconfigure` and choosing yes when the wizard asks for SSL.
Now this Let's Encryt certificate is only valid for 90 days. To renew it automatically all you have to do is to add the following entry to your crontab (run `crontab -e`):
0 1 * * * certbot-auto renew --quiet --post-hook "service apache2 restart"
This will execute `certbot renew` every day at 1am. The command checks if the certificate is expired and renews it if that is the case. The web server is restarted in a post hook in order for it to pick up the new certificate.

Loading…
Cancel
Save