Isso is a self-hosted alternative to Disqus (comments on websites).

I installed it. You can comment on my blog without loading third-party sites or creating any accounts now. You can even comment anonymously. Please don't abuse this, or I will turn it off.

Installing the server

See: https://posativ.org/isso/docs/quickstart/

I modified the Debian isso package's systemd init script, /lib/systemd/system/isso.service, to start Isso's Python server directly, and not through Gunicorn, which I could not get working easily. This loses performance (I just have one worker thread, which means ~40 requests/second tops; totally not enough for my high-traffic site).

(You can find the location of the systemd script and anything else installed by the Debian package using dpkg -L isso | less).

# Enable automatic startup on system boot using systemd
$ sudo systemctl enable isso
# Start it right now also
$ sudo systemctl start isso

I preferred Debian's package because it conveniently creates an isso user. This was the only one with write rights to the comment DB. Still, e-mails are sensitive data, so I changed it so that no users other than isso and root have read rights either: sudo chmod 600 /var/lib/isso/comments.db

The Debian package config is in /etc/isso.d/enabled/. But that is an empty directory, somehow to be interpreted by Gunicorn. I also hammered the systemd service to use a fixed file, /etc/isso.d/enabled/isso.cfg. It's not like you have tens of configs.

My config, in order to have the /isso/ virtual subdir instead of a subdomain which would require a separate SSL certificate:

[general]

; database location, check permissions, automatically created if not exists
dbpath = /var/lib/isso/comments.db

; your website or blog (not the location of Isso!)
host = 
        http://danuker.go.ro
        https://danuker.go.ro

[server]
listen = http://localhost:1550
public-endpoint = https://danuker.go.ro/isso/
reload = off
profile = off

[guard]
enabled = true
ratelimit = 2
direct-reply = 5
reply-to-self = false
require-author = false
require-email = false

[hash]
salt = <censored>
algorithm = pbkdf2

[admin]
enabled = true
password = <censored>
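
As an added example (not from the original post or the Isso project), this Python script audits the points made above: the comment database should be owner-only, as chmod 600 gives, and the backend should listen only on loopback so it is reached through the web server's proxy. The checks on the config file's own mode and on an empty admin password are assumptions added here; `audit_isso`, `mode_of` and `demo` are hypothetical names, and the sample config written by `demo` is constructed.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def mode_of(path):  # permission bits of a file, e.g. 0o600
    return stat.S_IMODE(os.stat(path).st_mode)

def audit_isso(cfg_path):
    """Return a list of findings for an Isso config and the database it names."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    with open(cfg_path) as fh:
        cfg.read_file(fh)
    # Assumption: the config holds [hash] salt and [admin] password, so no "other" access.
    if mode_of(cfg_path) & 0o007:
        findings.append(f"config mode {mode_of(cfg_path):o}: accessible to other users")
    # The database holds commenters' e-mails: owner-only, as chmod 600 gives.
    db = cfg.get("general", "dbpath", fallback="")
    if db and os.path.exists(db) and mode_of(db) & 0o077:
        findings.append(f"database mode {mode_of(db):o}: group/other access")
    # The backend should be reachable only through the reverse proxy.
    listen = urlparse(cfg.get("server", "listen", fallback=""))
    if listen.scheme in ("http", "https") and listen.hostname not in LOOPBACK:
        findings.append(f"listen host {listen.hostname}: not loopback")
    # An enabled admin interface needs a non-empty password.
    admin_on = cfg.getboolean("admin", "enabled", fallback=False)
    if admin_on and not cfg.get("admin", "password", fallback="").strip():
        findings.append("admin enabled with empty password")
    return findings

def demo(db_mode=0o644, listen="http://0.0.0.0:1550"):
    """Audit a constructed config and database in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        db, cfg = os.path.join(tmp, "comments.db"), os.path.join(tmp, "isso.cfg")
        open(db, "w").close()
        os.chmod(db, db_mode)
        with open(cfg, "w") as fh:  # constructed sample values, not the page's
            fh.write(f"[general]\ndbpath = {db}\n[server]\nlisten = {listen}\n"
                     "[admin]\nenabled = true\npassword = example-only\n")
        os.chmod(cfg, 0o640)
        return audit_isso(cfg)

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

To audit a real installation, call `audit_isso("/etc/isso.d/enabled/isso.cfg")` as a user allowed to read that file.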

Importing old comments

I decided to import the old comments from Disqus. Given that the original users wanted to publish them, it is clear they would have wanted this as well.

scp -P 22 -r disqus-export.xml dan@danuker.go.ro:/home/dan/disqus-export.xml
mosh dan@danuker.go.ro
# (enter password)
sudo su
# (enter password again)
isso -c /etc/isso.d/enabled/isso.cfg import /home/dan/disqus-export.xml

Apache

I use an Apache server instead of the illustrated Nginx. I had to learn to use the ProxyPass and ProxyPassReverse directives in my /etc/apache2/sites-enabled/ configs. In case you want its endpoint to be on /isso/ and run the isso server on port 1550, here they are:

# Proxy for Isso commenting
ProxyPass /isso/ http://localhost:1550/
ProxyPassReverse /isso/ http://localhost:1550/

Installing the client

Integration in your website (without NodeJS/Bower/NPM optimization crud). I just hammered this into the comment section of the pelican-bootstrap3 theme:

<script data-isso="isso/"
        data-isso-reply-to-self="false"
        data-isso-require-author="false"
        data-isso-require-email="false"
        data-isso-avatar="true"
        data-isso-avatar-bg="#f0f0f0"
        data-isso-vote="true"
        data-isso-feed="false"
        src="issojs/embed.js"></script>

<div id="isso-thread">
</div>

Rant on JS

I did not want to use any NodeJS/Bower/NPM package managers. I don't want Bower and NPM and browserify and whatnot for a script that validates 3 forms and sends a post request. To me they look like trojan horses. Sure, PyPI is not much different, but Python includes string padding without needing to install another shady 3rd party dependency that could go rogue at any moment.

Luckily, the Debian and PyPI packages contain the standalone embeddable JS files, with all dependencies included.

No e-mail notification of reply

I didn't bother setting up e-mail notifications. If you want to see what people reply to your discussion, bookmark the page and visit it later.

Legal issues

See all I have to say on the Privacy statement page.
