add --settings-file option and stub out settings file for replica

Uses click's ability to create a file handle from an option, adds a
settings-replica.yaml.

See README.md for an example.

README.md

@@ -33,6 +33,12 @@ Update instance settings from `settings.yaml`:
 ./settings update
 ```
 
+Update replica instance from `settings-replica.yaml`:
+
+```sh
+./settings --instance https://gitlab-replica.wikimedia.org --settings-file ./settings-replica.yaml update
+```
+
 Apply project settings (at the moment, this disables wikis and issue tracking
 for any projects that have turned it on):
 

settings

@@ -26,7 +26,7 @@ from gitlab_settings.util import diffsettings
 @click.option(
     '--instance',
     default='https://gitlab.wikimedia.org',
-    help='Instance to configure.'
+    help='URL of instance to configure.'
     )
 
 @click.option(
@@ -36,9 +36,19 @@ from gitlab_settings.util import diffsettings
          'Better idea: Set GITLAB_TOKEN in environment.'
     )
 
+@click.option(
+    '--settings-file',
+    default='settings.yaml',
+    type=click.File(),
+    help='Path to YAML file containing settings.'
+    )
+
 @click.pass_context
 
-def cli(ctx, instance, token):
+def cli(ctx, instance, token, settings_file):
+    """
+    Configure a GitLab instance from settings.yaml
+    """
     ctx.obj['instance'] = instance
     ctx.obj['url'] = ctx.obj['instance'] + '/api/v4/application/settings'
     ctx.obj['token'] = token
@@ -47,6 +57,8 @@ def cli(ctx, instance, token):
         'PRIVATE-TOKEN': ctx.obj['token']
         }
 
+    ctx.obj['settings_file'] = settings_file
+
 @click.command()
 @click.pass_context
 def view(ctx):
@@ -69,9 +81,8 @@ def diff(ctx):
     req.raise_for_status()
     original_instance_settings = req.json()
 
-    # Get the settings we want to apply from YAML file in the repo:
-    with open('settings.yaml') as f:
-        local_settings = yaml.safe_load(f)
+    # Get the settings we want to apply from specified YAML file:
+    local_settings = yaml.safe_load(ctx.obj['settings_file'])
 
     click.echo("Difference between local settings file and instance settings:")
 
@@ -91,9 +102,8 @@ def update(ctx):
         sys.exit()
     original_instance_settings = req.json()
 
-    # Get the settings we want to apply from YAML file in the repo:
-    with open('settings.yaml') as f:
-        local_settings = yaml.safe_load(f)
+    # Get the settings we want to apply from specified YAML file:
+    local_settings = yaml.safe_load(ctx.obj['settings_file'])
 
     click.echo()
     click.echo("Difference between local settings file and instance settings:")

settings-replica.yaml

+# Settings for backup Wikimedia production GitLab instance, gitlab2001,
+# at https://gitlab-replica.wikimedia.org/
+#
+# Settings reference: https://docs.gitlab.com/ce/api/settings.html
+#
+# True / false values here should be booleans - necessary type juggling to turn
+# these into strings for the API is handled in the script.
+#
+# Settings not modeled here:
+#
+#   - Accept Let's Encrypt ToS: Admin Area, Settings, Preferences, Pages, I have
+#     read and agree to the Let's Encrypt Terms of Service: checked
+
+# Disable public sign up: Admin Area, Settings, General, Sign-up restrictions,
+# Sign-up enabled: unchecked
+signup_enabled: false
+
+# Set up logout redirection: Admin Area, Settings, General, Sign-in
+# restrictions, After sign-out path: https://<IDP server>/logout, where <IDP
+# server> is the base URL of the CAS server, like idp.wmcloud.org or
+# idp.wikimedia.org
+after_sign_out_path: "https://idp.wikimedia.org/logout"
+
+# Set up private commit emails hostname: Admin Area, Settings, Preferences,
+# Email, Custom hostname (for private commit emails):
+# users.noreply.<gitlab.domain>, where <gitlab domain> is the base URL of the
+# GitLab server, like gitlab.wikimedia.org
+commit_email_hostname: "users.noreply.gitlab.wikimedia.org"
+
+# Set up Password authentication: Admin Area, Settings, Sign-in restrictions,
+# Password authentication enabled for web interface: unchecked
+password_authentication_enabled_for_web: false
+
+# Set up Git over https Password authentication: Admin Area, Settings, Sign-in
+# restrictions, Password authentication enabled for Git over HTTP(S): unchecked
+password_authentication_enabled_for_git: false
+
+# Disable third party offers: Admin Area, Settings, General, Third party
+# offers, Do not display offers from third parties within GitLab: checked
+hide_third_party_offers: true
+
+# Default branch name: Admin Area, Settings, Repository, Default initial branch name: set to main
+default_branch_name: "main"
+
+# Restrict unauthenticated requests: Admin Area, Settings, Network, User and IP
+# Rate Limits, Enable unauthenticated request rate limit: checked
+throttle_unauthenticated_enabled: false
+throttle_unauthenticated_period_in_seconds: 3600
+throttle_unauthenticated_requests_per_period: 3600
+
+# Restrict outbound requests: Admin Area, Settings, Network, Outbound requests,
+# Allow requests to the local network from web hooks and services: unchecked
+allow_local_requests_from_hooks_and_services: false
+
+# Restrict outbound requests: Admin Area, Settings, Network, Outbound requests,
+# Allow requests to the local network from system hooks: unchecked
+allow_local_requests_from_system_hooks: false
+
+# Restrict protected paths: Admin Area, Settings, Network, Protected Paths,
+# Enable protected paths rate limit: checked
+throttle_protected_paths_enabled: true
+
+# Enable Prometheus metrics: Admin Area, Settings, Metrics and profiling,
+# Metrics - Prometheus, Enable Prometheus Metrics: checked
+prometheus_metrics_enabled: true
+
+# Disable Auto DevOps pipeline: Admin Area, Settings, CI/CD, Continuous
+# Integration and Deployment, Default to Auto DevOps pipeline for all projects:
+# unchecked
+auto_devops_enabled: false
+
+# Set abuse reports email: Admin Area, Settings, Reporting, Abuse reports,
+# Abuse reports notification email: set to external abuse reports email
+abuse_notification_email: "bbearnes@wikimedia.org"
+
+# Set up RSA SSH keys: Admin Area, Settings, General, Visibility and access
+# controls, RSA SSH keys: select must be at least 2048 bits
+rsa_key_restriction: 2048
+
+# Forbid DSA SSH keys: Admin Area, Settings, General, Visibility and access
+# controls, DSA SSH keys: select are forbidden
+dsa_key_restriction: -1
+
+# Disable being OAuth provider: Admin Area, Settings, General, Account and
+# limit, Allow users to register any application to use GitLab as an OAuth
+# provider: unchecked
+user_oauth_applications: false
+
+# Turn off Gravatar for privacy / data exfiltration reasons:
+# Admin Area, Settings, Account and Limit, Gravatar enabled unchecked
+gravatar_enabled: false
+
+# Set /explore as the default landing page for non-signed-in users - a better
+# experience than being immediately sent to a login form:
+home_page_url: "https://gitlab-replica.wikimedia.org/explore"
+
+# Restrict available visibility levels for new projection creation to public:
+restricted_visibility_levels:
+  - internal
+  - private
+
+# Set default project & group visibility to public:
+# Admin area, Settings, Visibility and access controls
+default_project_visibility: "public"
+default_group_visibility: "public"
+
+# List of accepted import sources: Admin Area, Settings, General, Visibility
+# and access controls, Import sources:
+import_sources:
+  - github
+  - bitbucket
+  - bitbucket_server
+  - gitlab
+  - google_code
+  - fogbugz
+  - git
+  - gitlab_project
+  - gitea
+  - manifest
+  - phabricator

settings.yaml

+# Settings for primary Wikimedia production GitLab instance, gitlab1001,
+# at https://gitlab.wikimedia.org/
+#
 # Settings reference: https://docs.gitlab.com/ce/api/settings.html
 #
 # True / false values here should be booleans - necessary type juggling to turn