dsc-rs 0.10.15

Discourse CLI tool for managing multiple Discourse forums: track installs, run upgrades over SSH, manage emojis, sync topics and categories as Markdown, and more.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486

use anyhow::{anyhow, Context, Result};
use serde::de::Deserializer;
use serde::{Deserialize, Serialize};
use std::ffi::OsString;
use std::fs;
use std::path::{Path, PathBuf};

/// Env var pointing at an explicit config file path. Wins over the discovered
/// search hierarchy; missing-file is an error, not a silent fall-through.
pub const ENV_CONFIG: &str = "DSC_CONFIG";

/// Env var pointing at the user config-home directory. Defaults to
/// `$XDG_CONFIG_HOME/dsc`, which itself defaults to `~/.config/dsc`.
/// `dsc` looks for `dsc.toml` inside this directory.
pub const ENV_CONFIG_HOME: &str = "DSC_CONFIG_HOME";

fn deserialize_opt_string_empty_as_none<'de, D>(deserializer: D) -> Result<Option<String>, D::Error>
where
    D: Deserializer<'de>,
{
    let value = Option::<String>::deserialize(deserializer)?;
    Ok(value.and_then(|s| if s.is_empty() { None } else { Some(s) }))
}

fn deserialize_opt_u64_zero_as_none<'de, D>(deserializer: D) -> Result<Option<u64>, D::Error>
where
    D: Deserializer<'de>,
{
    let value = Option::<u64>::deserialize(deserializer)?;
    Ok(value.and_then(|v| if v == 0 { None } else { Some(v) }))
}

/// Top-level configuration for dsc.
#[derive(Debug, Serialize, Deserialize, Default, Clone)]
pub struct Config {
    #[serde(default)]
    pub discourse: Vec<DiscourseConfig>,
    #[serde(default)]
    pub harden: HardenConfig,
}

/// User overrides for `dsc harden` defaults. Every field is optional;
/// anything left unset falls back to the built-in defaults applied in
/// `commands::harden::resolve_options`. CLI flags override this block on
/// a per-run basis.
#[derive(Debug, Serialize, Deserialize, Default, Clone)]
pub struct HardenConfig {
    /// Username for the new sudo-enabled non-root account. Default: `discourse`.
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub new_user: Option<String>,
    /// SSH port to move the daemon to in stage 2. Default: 2227.
    #[serde(default, deserialize_with = "deserialize_opt_u64_zero_as_none")]
    pub ssh_port: Option<u64>,
    /// URL to fetch the Docker installer from. Default: `https://get.docker.com`.
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub docker_install_url: Option<String>,
    /// Whether to install Docker rootless. Default: true.
    #[serde(default)]
    pub docker_rootless: Option<bool>,
    /// Swap file size in GB. 0 to skip. Default: 2.
    #[serde(default)]
    pub swap_size_gb: Option<u32>,
    /// Cap on journald disk use. Default: `500M`.
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub journald_max_use: Option<String>,
    /// Timezone to set via `timedatectl`. Default: `UTC`.
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub timezone: Option<String>,
    /// Whether to enable unattended security upgrades. Default: true.
    #[serde(default)]
    pub unattended_security_upgrades: Option<bool>,
    /// Whether to install fail2ban. Default: true.
    #[serde(default)]
    pub fail2ban: Option<bool>,
    /// Whether to install mosh and open UDP 60000-61000. Default: false.
    #[serde(default)]
    pub mosh: Option<bool>,
    /// Override sshd `Ciphers` line. Defaults to dsc's policy overlay
    /// (drop legacy algorithms while preserving upstream defaults).
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub sshd_ciphers: Option<String>,
    /// Override sshd `KexAlgorithms` line. Defaults to dsc's policy overlay
    /// (prefer PQ-hybrid first, disable legacy SHA-1 DH groups).
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub sshd_kex: Option<String>,
    /// Override sshd `MACs` line. Defaults to dsc's policy overlay
    /// (disable legacy SHA-1/MD5 and short UMAC variants).
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub sshd_macs: Option<String>,
    /// Extra ufw `allow` rules applied after the standard set
    /// (e.g. `["3000/tcp", "192.168.1.0/24"]`).
    #[serde(default)]
    pub extra_ufw_allow: Option<Vec<String>>,
}

/// Configuration for a single Discourse install.
#[derive(Debug, Serialize, Deserialize, Default, Clone)]
pub struct DiscourseConfig {
    pub name: String,
    pub baseurl: String,
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub fullname: Option<String>,
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub apikey: Option<String>,
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub api_username: Option<String>,
    #[serde(default)]
    pub tags: Option<Vec<String>>,
    #[serde(default, deserialize_with = "deserialize_opt_u64_zero_as_none")]
    pub changelog_topic_id: Option<u64>,
    #[serde(default, deserialize_with = "deserialize_opt_string_empty_as_none")]
    pub ssh_host: Option<String>,
    #[serde(default)]
    pub docker_rootless: Option<bool>,
}

/// Load configuration from a TOML file.
pub fn load_config(path: &Path) -> Result<Config> {
    if !path.exists() {
        return Ok(Config::default());
    }
    let raw = fs::read_to_string(path).with_context(|| format!("reading {}", path.display()))?;
    let config: Config = toml::from_str(&raw).with_context(|| "parsing config")?;
    warn_on_discourse_names(&config);
    Ok(config)
}

/// Save configuration to a TOML file.
pub fn save_config(path: &Path, config: &Config) -> Result<()> {
    let raw = toml::to_string_pretty(config).with_context(|| "serializing config")?;
    write_config_file(path, raw.as_bytes())?;
    Ok(())
}

#[cfg(unix)]
fn write_config_file(path: &Path, raw: &[u8]) -> Result<()> {
    use std::io::Write;
    use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};

    let mut file = fs::OpenOptions::new()
        .create(true)
        .truncate(true)
        .write(true)
        .mode(0o600)
        .open(path)
        .with_context(|| format!("writing {}", path.display()))?;
    file.write_all(raw)
        .with_context(|| format!("writing {}", path.display()))?;

    let metadata = fs::metadata(path).with_context(|| format!("reading {}", path.display()))?;
    let mode = metadata.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        if let Err(err) = fs::set_permissions(path, fs::Permissions::from_mode(0o600)) {
            eprintln!(
                "Warning: unable to tighten permissions on {}: {}",
                path.display(),
                err
            );
        }
    }
    Ok(())
}

#[cfg(not(unix))]
fn write_config_file(path: &Path, raw: &[u8]) -> Result<()> {
    fs::write(path, raw).with_context(|| format!("writing {}", path.display()))?;
    Ok(())
}

/// Find a discourse by name.
pub fn find_discourse<'a>(config: &'a Config, name: &str) -> Option<&'a DiscourseConfig> {
    config.discourse.iter().find(|d| d.name == name)
}

/// Find a discourse by name (mutable).
pub fn find_discourse_mut<'a>(
    config: &'a mut Config,
    name: &str,
) -> Option<&'a mut DiscourseConfig> {
    config.discourse.iter_mut().find(|d| d.name == name)
}

fn warn_on_discourse_names(config: &Config) {
    for discourse in &config.discourse {
        if discourse.name.chars().any(|ch| ch.is_whitespace()) {
            eprintln!(
                "Warning: discourse name '{}' contains whitespace. Prefer a short, slugified name without spaces; use 'fullname' for display.",
                discourse.name
            );
        }
    }
}

/// Where the active config came from. Used by `dsc config` to label the
/// active path so the user understands why a file outside the standard
/// hierarchy is in use.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ConfigSource {
    /// Explicit `--config`/`-c` flag.
    Flag(PathBuf),
    /// `$DSC_CONFIG` env var.
    EnvVar(PathBuf),
    /// First existing path from the search hierarchy.
    Discovered(PathBuf),
    /// No file found anywhere; fallback to `./dsc.toml` (created on first
    /// write command).
    Default(PathBuf),
}

impl ConfigSource {
    /// Resolved path, regardless of how it was selected.
    pub fn path(&self) -> &Path {
        match self {
            Self::Flag(p) | Self::EnvVar(p) | Self::Discovered(p) | Self::Default(p) => p,
        }
    }

    /// Short human label for the source, e.g. `via --config flag`.
    pub fn label(&self) -> &'static str {
        match self {
            Self::Flag(_) => "via --config flag",
            Self::EnvVar(_) => "via $DSC_CONFIG",
            Self::Discovered(_) => "from search hierarchy",
            Self::Default(_) => "default (no config found)",
        }
    }
}

/// Resolve which config file to use, honouring the documented precedence:
///
/// 1. `--config <path>` / `-c` flag
/// 2. `$DSC_CONFIG` env var
/// 3. `./dsc.toml`
/// 4. `$DSC_CONFIG_HOME/dsc.toml` (default: `$XDG_CONFIG_HOME/dsc` -> `~/.config/dsc`)
/// 5. `$XDG_CONFIG_DIRS` entries (Unix only)
/// 6. `/etc/dsc/dsc.toml`, `/etc/dsc.toml`, `/usr/local/etc/dsc.toml` (Unix only)
///
/// Explicit selectors (1, 2) error if the named file does not exist; the
/// discovered hierarchy (3-6) silently skips missing entries. If nothing
/// matches, falls back to `./dsc.toml`.
pub fn resolve_config_source(flag: Option<PathBuf>) -> Result<ConfigSource> {
    resolve_config_source_with_env(flag, |k| std::env::var_os(k))
}

fn resolve_config_source_with_env<F>(flag: Option<PathBuf>, env: F) -> Result<ConfigSource>
where
    F: Fn(&str) -> Option<OsString> + Copy,
{
    if let Some(path) = flag {
        if !path.exists() {
            return Err(anyhow!(
                "config file not found: {} (specified via --config)",
                path.display()
            ));
        }
        return Ok(ConfigSource::Flag(path));
    }

    if let Some(raw) = env(ENV_CONFIG) {
        let path = PathBuf::from(raw);
        if !path.exists() {
            return Err(anyhow!(
                "config file not found: {} (specified via ${})",
                path.display(),
                ENV_CONFIG
            ));
        }
        return Ok(ConfigSource::EnvVar(path));
    }

    let candidates = config_search_paths_with_env(env);
    if let Some(found) = candidates.into_iter().find(|c| c.exists()) {
        return Ok(ConfigSource::Discovered(found));
    }

    Ok(ConfigSource::Default(PathBuf::from("dsc.toml")))
}

/// Returns the ordered list of candidate paths that `dsc` searches for a
/// config file when neither `--config` nor `$DSC_CONFIG` is set.
///
/// Order (first match wins):
/// 1. `./dsc.toml`
/// 2. `$DSC_CONFIG_HOME/dsc.toml` (default: `$XDG_CONFIG_HOME/dsc` -> `~/.config/dsc`)
/// 3. `$XDG_CONFIG_DIRS` entries as `<dir>/dsc/dsc.toml` (Unix only)
/// 4. `/etc/dsc/dsc.toml` (Unix only)
/// 5. `/etc/dsc.toml` (Unix only)
/// 6. `/usr/local/etc/dsc.toml` (Unix only)
pub fn config_search_paths() -> Vec<PathBuf> {
    config_search_paths_with_env(|k| std::env::var_os(k))
}

fn config_search_paths_with_env<F>(env: F) -> Vec<PathBuf>
where
    F: Fn(&str) -> Option<OsString>,
{
    let mut candidates = vec![PathBuf::from("dsc.toml")];

    // $DSC_CONFIG_HOME -> $XDG_CONFIG_HOME/dsc -> $HOME/.config/dsc
    let config_home: Option<PathBuf> = env(ENV_CONFIG_HOME)
        .map(PathBuf::from)
        .or_else(|| env("XDG_CONFIG_HOME").map(|x| PathBuf::from(x).join("dsc")))
        .or_else(|| env("HOME").map(|h| PathBuf::from(h).join(".config").join("dsc")));
    if let Some(dir) = config_home {
        candidates.push(dir.join("dsc.toml"));
    }

    #[cfg(unix)]
    {
        if let Some(xdg_config_dirs) = env("XDG_CONFIG_DIRS") {
            for dir in std::env::split_paths(&xdg_config_dirs) {
                candidates.push(dir.join("dsc").join("dsc.toml"));
            }
        } else {
            candidates.push(PathBuf::from("/etc/xdg/dsc/dsc.toml"));
        }
        candidates.push(PathBuf::from("/etc/dsc/dsc.toml"));
        candidates.push(PathBuf::from("/etc/dsc.toml"));
        candidates.push(PathBuf::from("/usr/local/etc/dsc.toml"));
    }

    candidates
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::collections::HashMap;
    use std::ffi::{OsStr, OsString};
    use std::path::PathBuf;

    /// Build an env lookup closure over a fixed map. `None` for missing.
    fn env_from<'a>(
        pairs: &'a HashMap<&'static str, OsString>,
    ) -> impl Fn(&str) -> Option<OsString> + Copy + 'a {
        move |k: &str| pairs.get(k).cloned()
    }

    fn osstr<S: AsRef<OsStr>>(s: S) -> OsString {
        s.as_ref().to_os_string()
    }

    #[test]
    fn flag_wins_over_env_and_discovery() {
        let dir = tempfile::tempdir().expect("tempdir");
        let flag_file = dir.path().join("flag.toml");
        let env_file = dir.path().join("env.toml");
        std::fs::write(&flag_file, "").unwrap();
        std::fs::write(&env_file, "").unwrap();

        let mut env = HashMap::new();
        env.insert(ENV_CONFIG, osstr(&env_file));
        let source =
            resolve_config_source_with_env(Some(flag_file.clone()), env_from(&env)).unwrap();
        assert!(matches!(source, ConfigSource::Flag(_)));
        assert_eq!(source.path(), flag_file);
    }

    #[test]
    fn missing_flag_path_errors() {
        let dir = tempfile::tempdir().expect("tempdir");
        let missing = dir.path().join("nope.toml");
        let env: HashMap<&'static str, OsString> = HashMap::new();
        let err = resolve_config_source_with_env(Some(missing), env_from(&env)).unwrap_err();
        assert!(err.to_string().contains("--config"));
    }

    #[test]
    fn dsc_config_env_wins_over_discovery() {
        let dir = tempfile::tempdir().expect("tempdir");
        let env_file = dir.path().join("env.toml");
        std::fs::write(&env_file, "").unwrap();
        let home_dir = dir.path().join("home");
        let dsc_dir = home_dir.join(".config").join("dsc");
        std::fs::create_dir_all(&dsc_dir).unwrap();
        std::fs::write(dsc_dir.join("dsc.toml"), "").unwrap();

        let mut env = HashMap::new();
        env.insert(ENV_CONFIG, osstr(&env_file));
        env.insert("HOME", osstr(&home_dir));
        let source = resolve_config_source_with_env(None, env_from(&env)).unwrap();
        assert!(matches!(source, ConfigSource::EnvVar(_)));
        assert_eq!(source.path(), env_file);
    }

    #[test]
    fn missing_dsc_config_env_path_errors() {
        let dir = tempfile::tempdir().expect("tempdir");
        let missing = dir.path().join("missing.toml");
        let mut env = HashMap::new();
        env.insert(ENV_CONFIG, osstr(&missing));
        let err = resolve_config_source_with_env(None, env_from(&env)).unwrap_err();
        assert!(err.to_string().contains("$DSC_CONFIG"));
    }

    #[test]
    fn dsc_config_home_redirects_step_4() {
        let dir = tempfile::tempdir().expect("tempdir");
        let custom_home = dir.path().join("custom");
        std::fs::create_dir_all(&custom_home).unwrap();
        std::fs::write(custom_home.join("dsc.toml"), "").unwrap();

        let mut env = HashMap::new();
        env.insert(ENV_CONFIG_HOME, osstr(&custom_home));
        let candidates = config_search_paths_with_env(env_from(&env));

        // Step 1: ./dsc.toml; step 2: $DSC_CONFIG_HOME/dsc.toml
        assert_eq!(candidates[0], PathBuf::from("dsc.toml"));
        assert_eq!(candidates[1], custom_home.join("dsc.toml"));
    }

    #[test]
    fn unset_config_home_reproduces_home_config_dsc() {
        // With nothing set except HOME, step 2 must resolve to
        // $HOME/.config/dsc/dsc.toml (today's behaviour).
        let dir = tempfile::tempdir().expect("tempdir");
        let home = dir.path().to_path_buf();
        let mut env = HashMap::new();
        env.insert("HOME", osstr(&home));
        let candidates = config_search_paths_with_env(env_from(&env));
        assert_eq!(candidates[0], PathBuf::from("dsc.toml"));
        assert_eq!(
            candidates[1],
            home.join(".config").join("dsc").join("dsc.toml")
        );
    }

    #[test]
    fn xdg_config_home_default_used_when_dsc_config_home_unset() {
        // $XDG_CONFIG_HOME set, $DSC_CONFIG_HOME unset -> step 2 is
        // $XDG_CONFIG_HOME/dsc/dsc.toml.
        let dir = tempfile::tempdir().expect("tempdir");
        let xdg = dir.path().join("xdg");
        let mut env = HashMap::new();
        env.insert("XDG_CONFIG_HOME", osstr(&xdg));
        let candidates = config_search_paths_with_env(env_from(&env));
        assert_eq!(candidates[1], xdg.join("dsc").join("dsc.toml"));
    }

    #[test]
    fn dsc_config_home_overrides_xdg_config_home() {
        let dir = tempfile::tempdir().expect("tempdir");
        let xdg = dir.path().join("xdg");
        let dsc_home = dir.path().join("custom_dsc_home");
        let mut env = HashMap::new();
        env.insert("XDG_CONFIG_HOME", osstr(&xdg));
        env.insert(ENV_CONFIG_HOME, osstr(&dsc_home));
        let candidates = config_search_paths_with_env(env_from(&env));
        assert_eq!(candidates[1], dsc_home.join("dsc.toml"));
    }

    #[test]
    fn unset_everything_resolution_matches_legacy_order() {
        // Regression guard: with no env set, search order must be
        // exactly:
        //   1. ./dsc.toml
        //   (no step 2: no HOME -> no config-home candidate)
        //   3+. Unix system paths
        let env: HashMap<&'static str, OsString> = HashMap::new();
        let candidates = config_search_paths_with_env(env_from(&env));
        assert_eq!(candidates[0], PathBuf::from("dsc.toml"));
        #[cfg(unix)]
        {
            assert!(candidates.contains(&PathBuf::from("/etc/xdg/dsc/dsc.toml")));
            assert!(candidates.contains(&PathBuf::from("/etc/dsc/dsc.toml")));
            assert!(candidates.contains(&PathBuf::from("/etc/dsc.toml")));
            assert!(candidates.contains(&PathBuf::from("/usr/local/etc/dsc.toml")));
        }
    }

    #[test]
    fn no_config_anywhere_returns_default() {
        let dir = tempfile::tempdir().expect("tempdir");
        // Point HOME at an empty dir so step 2 misses too. CWD-relative
        // `dsc.toml` may or may not exist depending on test runner pwd,
        // so we just assert the Default variant is reachable when nothing
        // is set.
        let mut env = HashMap::new();
        env.insert("HOME", osstr(dir.path()));
        // Only assert the source type when ./dsc.toml truly does not exist.
        if !PathBuf::from("dsc.toml").exists() {
            let source = resolve_config_source_with_env(None, env_from(&env)).unwrap();
            assert!(matches!(source, ConfigSource::Default(_)));
        }
    }
}