2 # I, Ian Kelling, follow the GNU license recommendations at
3 # https://www.gnu.org/licenses/license-recommendations.en.html. They
4 # recommend that small programs, < 300 lines, be licensed under the
5 # Apache License 2.0. This file contains or is part of one or more small
6 # programs. If a small program grows beyond 300 lines, I plan to switch
9 # Copyright 2024 Ian Kelling
11 # Licensed under the Apache License, Version 2.0 (the "License");
12 # you may not use this file except in compliance with the License.
13 # You may obtain a copy of the License at
15 # http://www.apache.org/licenses/LICENSE-2.0
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
23 # Copyright (C) 2016 Ian Kelling
25 # Licensed under the Apache License, Version 2.0 (the "License");
26 # you may not use this file except in compliance with the License.
27 # You may obtain a copy of the License at
29 # http://www.apache.org/licenses/LICENSE-2.0
31 # Unless required by applicable law or agreed to in writing, software
32 # distributed under the License is distributed on an "AS IS" BASIS,
33 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
34 # See the License for the specific language governing permissions and
35 # limitations under the License.
39 # Automated phabricator setup. Not currently using it,
40 # but it worked last time I tried it.
42 if [[ -s ~
/.bashrc
]];then . ~
/.bashrc
;fi
51 alt_domain
=fastmail.wiki
54 domain
=phab.iankelling.org
55 alt_domain
=iankellingusercontent.org
60 pass
=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin`
61 webroot
=/usr
/share
/phabricator
/webroot
64 email
=ian@iankelling.org
67 fbin
() { bin
=$1; shift; sudo
/usr
/share
/phabricator
/bin
/$bin "$@"; }
68 fsetd
() { fbin config
set --database "$@"; }
70 # phabricator complained about wanting arcanist first
71 pi arcanist
/unstable mercurial
73 # duplicated in mediawiki setup. todo fix that.
74 s DEBIAN_FRONTEND
=noninteractive pi mysql-server
75 cd # mysql_secure_installation writes some temp files to the current dir,
76 # so we need to make sure it's writable.
77 if echo exit|mysql
-u root
-p"$dbpass"; then
78 echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation
80 echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
83 mysql
-u root
-p$dbpass <<EOF
84 grant all privileges on \`phabricator\\_%\`.* to 'phabricator'@localhost identified by '$pass';
88 s debconf-set-selections
<<EOF
89 phabricator phabricator/pwd_check password $pass
90 phabricator phabricator/phabricator_mysql_pwd password $pass
91 phabricator phabricator/webserver select None
92 phabricator phabricator/phabricator_mysql_user string phabricator
93 phabricator phabricator/mysql_host string localhost
94 # Domain name or subdomain name used by phabricator:
95 phabricator phabricator/domain_name string $domain
100 pi phabricator
/unstable
102 # debian sets http, but we want https
103 s
sed -i --follow-symlinks 's/http:/https:/' /usr
/share
/phabricator
/conf
/local
/local.json
106 acme-tiny-wrapper
$domain
107 acme-tiny-wrapper
$alt_domain
109 for x
in $domain $alt_domain; do
110 web-conf
-r $webroot - $x <<EOF
112 RewriteRule ^/rsrc/(.*) - [L,QSA]
113 RewriteRule ^/favicon.ico - [L,QSA]
114 RewriteRule ^/php5-fcgi - [L]
115 RewriteRule ^(.*)\$ /index.php?__path__=\$1 [B,L,QSA]
116 <Directory "$webroot">
123 # Before I figured out how to setup the admin in the script,
124 # this would limit the site to localhost,
125 # and access it through an ssh tunnel until its secure.
126 #phab-site -p 127.0.0.1:443
128 # settings are stored in conf/local/local.json.
129 # some settings could also be stored in the database with
130 # --database arg. database has higher priority than
133 # if you need to restart phabricator, just ser restart apache2
134 # https://secure.phabricator.com/book/phabricator/article/restarting/
136 # to reset things, you can do.
137 # fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable
138 # # but under debian, prolly better to purge, cause db gets created on install
141 # On first run went to the website, registered manually, then
142 # went through the gui setup items to get the configuration below.
148 # expect's exits with 0 by default on timeout of an expect command.
149 # You can modify this, but it was simpler to use an irregular code to detect
152 # The expect lines use shell type globbing. They are not actually
153 # needed, but they make the script likely to fail if the questions
154 # content changes drastically, and make the script self documenting.
156 # adds a short delay after each send for more reliable operation
157 # (reference: comment in any autoexpect generated script)
158 set force_conservative 0
159 spawn "/usr/share/phabricator/bin/accountadmin"
160 # If we've already set our user, detect different prompt and exit
161 # expect basics: when the last alternative matches, there is no need
162 # to specify an action, we just continue.
165 -nocase "enter a username" exit
169 expect -nocase timeout {exit 1} "username"
171 expect -nocase timeout {exit 1} "create*y/n"
173 expect -nocase timeout {exit 1} "name"
175 expect -nocase timeout {exit 1} "email"
177 expect -nocase timeout {exit 1} "password"
179 expect -nocase timeout {exit 1} "bot"
181 expect -nocase timeout {exit 1} "admin"
183 expect -nocase timeout {exit 1} "save"
191 # this tipped me over to using a debian package
192 # https://secure.phabricator.com/T4181
194 fsetd auth.require-approval false
196 # phabricator recommends going from 16 to at least 32
197 sudo
sed -ri 's/(^\s*max_allowed_packet)[[:space:]=].*/\1 = 100M/' /etc
/mysql
/my.cnf
201 key
="$1" value
="$2" section
="$3" file="$4"
202 sudo
sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*$key[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
205 setd
() { setini
"$@" mysqld
/etc
/mysql
/my.cnf
; }
207 # error instead of data corruption:
208 setd sql_mode STRICT_ALL_TABLES
209 setd ft_stopword_file
/usr
/share
/phabricator
/resources
/sql
/stopwords.txt
210 setd ft_min_word_len
3
211 # mysql full text search for word1 word2 will and them instead of or them:
212 setd ft_boolean_syntax
"' |-><()~*:\"\"&^'"
213 # default is 128M. recommended starting point is 40% of ram.
214 setd innodb_buffer_pool_size
1600M
216 # this files stopwork, and min_word_len
217 mysql
-u root
-p$dbpass <<'EOF'
218 REPAIR TABLE phabricator_search.search_documentfield;
221 fsetd pygments.enabled true
222 fbin config
set security.alternate-file-domain https
://$alt_domain
224 setini opcache.validate_timestamps
'"0"' opcache
/etc
/php
5/apache
2/php.ini
225 setini post_max_size
100M PHP
/etc
/php
5/apache
2/php.ini
227 fsetd metamta.default-address phabricator@
$domain
228 fsetd metamta.domain
$domain
233 # Not sure if this is needed. while developing this script, mysql went down
234 # for a bit and the daemons died.
237 # todo, setup inbound email:
238 # https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/
241 # https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/
242 # unmatchable password, allows login only via ssh, sudo, etc.
244 # I tried having no home dir, (-d /nonexistent),
245 # but I got an error message on test sshing,
246 sudo useradd
-p '*' -m --system -s /bin
/sh vcs ||
[[ $?
== 9 ]]
248 # you'd think the debian package would set this. todo: check on a fresh
250 fbin config
set phd.user phabricator
251 fbin config
set diffusion.ssh-user vcs
253 option
="ALL=(phabricator) SETENV: NOPASSWD:"
254 www_files
=$
(which git hg|
sed ':a;N;s/\n/, /;ta')
255 vcs_files
=$
(which git git-upload-pack git-receive-pack hg|
sed ':a;N;s/\n/, /;ta')
256 [[ $www_files && $vcs_files ]] ||
exit 1
257 www_files
="$www_files, /usr/lib/git-core/git-http-backend"
258 sudo
dd of
=/etc
/sudoers.d
/phabricator
<<EOF
259 www-data $option $www_files
260 vcs $option $vcs_files
263 # Found this due to red x in the ui after setting up a test repo.
264 # todo: debian package should do this for us. see also:
265 # https://phab.iank.bid/config/edit/environment.append-paths/
266 sudo lnf
/usr
/lib
/git-core
/git-http-backend
/usr
/share
/phabricator
/support
/bin
268 fbin config
set diffusion.allow-http-auth true
270 # couldn't find a really appropriate place for it. It needs parent dir
271 # permissions to be root:root.
272 file=/usr
/share
/phabricator-local-ssh-hook.sh
273 # from /usr/share/phabricator/resources/sshd/phabricator-ssh-hook.sh
274 sudo
dd of
=$file <<'EOF'
276 # For debugging, you can temporarily do:
277 # exec >/tmp/plog 2>&1
278 # This script executes as the vcs user
279 if [ "$1" != vcs ]; then exit 1; fi
280 exec "/usr/share/phabricator/bin/ssh-auth" $@
284 sudo
dd of
=/etc
/ssh
/sshd_config.phabricator
<<EOF
285 AuthorizedKeysCommand $file
286 AuthorizedKeysCommandUser vcs
292 AllowAgentForwarding no
293 AllowTcpForwarding no
296 PasswordAuthentication no
297 AuthorizedKeysFile none
299 PidFile /var/run/sshd-phabricator.pid
302 sudo
dd of
=/etc
/systemd
/system
/phabricator-ssh.service
<<'EOF'
304 Description=OpenBSD Secure Shell server for phabricator repos
305 After=network.target auditd.service
306 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
309 ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
310 ExecReload=/bin/kill -HUP $MAINPID
315 WantedBy=multi-user.target
318 sudo systemctl daemon-reload
320 # got this error upon ssh, figured out a solution.
321 # [2016-06-10 06:40:15] EXCEPTION: (AphrontInvalidCredentialsQueryException) #1045: Access denied for user 'root'@'localhost' (using password: NO) at [<phutil>/src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306]
322 # arcanist(), phabricator(), phutil()
324 s usermod
-a -G vcs www-data
325 s usermod
-a -G vcs iank
326 s usermod
-a -G vcs phabricator
327 s chown root
:vcs
/usr
/share
/phabricator
/conf
/local
/local.json
328 fbin config
set diffusion.ssh-port
$ssh_port
330 fsetd policy.allow-public true
338 # todo, finish next steps here:
339 # notably, backup/restore
340 # https://secure.phabricator.com/book/phabricator/article/configuration_guide/
343 fbin auth recover iank
346 # go to link above, then
347 # https://$domain/auth/config/new/
348 # and add username/pass auth provider.
353 # beginnings of automating those last manual steps:
356 # for setting the auto provider, we can use the api.
357 #arc set-config default https://$domain
359 # but first we have to generate an api key by getting
360 # https://phab.iank.bid/conduit/login/
361 # to do that, we've got to login to the url login.
362 # We've got to post to a url on the login page,
363 # then record 2 cookies: phuser and phsid
364 # It also does a 302 for us to do 2 more pages related to auth/login.
366 # we need to post to the right url (didn't record it, with these params)
368 #allowRegistration:"1"
376 # phabricator/ $ ./bin/repository edit rT --as iank --local-path ...