2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 # Automated phabricator setup. Not currently using it,
19 # but it worked last time I tried it.
22 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
31 alt_domain
=fastmail.wiki
34 domain
=phab.iankelling.org
35 alt_domain
=iankellingusercontent.org
40 pass
=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin`
41 webroot
=/usr
/share
/phabricator
/webroot
44 email
=ian@iankelling.org
47 fbin
() { bin
=$1; shift; sudo
/usr
/share
/phabricator
/bin
/$bin "$@"; }
48 fsetd
() { fbin config
set --database "$@"; }
50 # phabricator complained about wanting arcanist first
51 pi arcanist
/unstable mercurial
53 # duplicated in mediawiki setup. todo fix that.
54 s DEBIAN_FRONTEND
=noninteractive pi mysql-server
55 cd # mysql_secure_installation writes some temp files to the current dir,
56 # so we need to make sure it's writable.
57 if echo exit|mysql
-u root
-p"$dbpass"; then
58 echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation
60 echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
63 mysql
-u root
-p$dbpass <<EOF
64 grant all privileges on \`phabricator\\_%\`.* to 'phabricator'@localhost identified by '$pass';
68 s debconf-set-selections
<<EOF
69 phabricator phabricator/pwd_check password $pass
70 phabricator phabricator/phabricator_mysql_pwd password $pass
71 phabricator phabricator/webserver select None
72 phabricator phabricator/phabricator_mysql_user string phabricator
73 phabricator phabricator/mysql_host string localhost
74 # Domain name or subdomain name used by phabricator:
75 phabricator phabricator/domain_name string $domain
80 pi phabricator
/unstable
82 # debian sets http, but we want https
83 s
sed -i --follow-symlinks 's/http:/https:/' /usr
/share
/phabricator
/conf
/local
/local.json
86 acme-tiny-wrapper
$domain
87 acme-tiny-wrapper
$alt_domain
89 for x
in $domain $alt_domain; do
90 web-conf
-r $webroot - $x <<EOF
92 RewriteRule ^/rsrc/(.*) - [L,QSA]
93 RewriteRule ^/favicon.ico - [L,QSA]
94 RewriteRule ^/php5-fcgi - [L]
95 RewriteRule ^(.*)\$ /index.php?__path__=\$1 [B,L,QSA]
96 <Directory "$webroot">
103 # Before I figured out how to setup the admin in the script,
104 # this would limit the site to localhost,
105 # and access it through an ssh tunnel until its secure.
106 #phab-site -p 127.0.0.1:443
108 # settings are stored in conf/local/local.json.
109 # some settings could also be stored in the database with
110 # --database arg. database has higher priority than
113 # if you need to restart phabricator, just ser restart apache2
114 # https://secure.phabricator.com/book/phabricator/article/restarting/
116 # to reset things, you can do.
117 # fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable
118 # # but under debian, prolly better to purge, cause db gets created on install
121 # On first run went to the website, registered manually, then
122 # went through the gui setup items to get the configuration below.
128 # expect's exits with 0 by default on timeout of an expect command.
129 # You can modify this, but it was simpler to use an irregular code to detect
132 # The expect lines use shell type globbing. They are not actually
133 # needed, but they make the script likely to fail if the questions
134 # content changes drastically, and make the script self documenting.
136 # adds a short delay after each send for more reliable operation
137 # (reference: comment in any autoexpect generated script)
138 set force_conservative 0
139 spawn "/usr/share/phabricator/bin/accountadmin"
140 # If we've already set our user, detect different prompt and exit
141 # expect basics: when the last alternative matches, there is no need
142 # to specify an action, we just continue.
145 -nocase "enter a username" exit
149 expect -nocase timeout {exit 1} "username"
151 expect -nocase timeout {exit 1} "create*y/n"
153 expect -nocase timeout {exit 1} "name"
155 expect -nocase timeout {exit 1} "email"
157 expect -nocase timeout {exit 1} "password"
159 expect -nocase timeout {exit 1} "bot"
161 expect -nocase timeout {exit 1} "admin"
163 expect -nocase timeout {exit 1} "save"
171 # this tipped me over to using a debian package
172 # https://secure.phabricator.com/T4181
174 fsetd auth.require-approval false
176 # phabricator recommends going from 16 to at least 32
177 sudo
sed -ri 's/(^\s*max_allowed_packet)[[:space:]=].*/\1 = 100M/' /etc
/mysql
/my.cnf
181 key
="$1" value
="$2" section
="$3" file="$4"
182 sudo
sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*$key[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
185 setd
() { setini
"$@" mysqld
/etc
/mysql
/my.cnf
; }
187 # error instead of data corruption:
188 setd sql_mode STRICT_ALL_TABLES
189 setd ft_stopword_file
/usr
/share
/phabricator
/resources
/sql
/stopwords.txt
190 setd ft_min_word_len
3
191 # mysql full text search for word1 word2 will and them instead of or them:
192 setd ft_boolean_syntax
"' |-><()~*:\"\"&^'"
193 # default is 128M. recommended starting point is 40% of ram.
194 setd innodb_buffer_pool_size
1600M
196 # this files stopwork, and min_word_len
197 mysql
-u root
-p$dbpass <<'EOF'
198 REPAIR TABLE phabricator_search.search_documentfield;
201 fsetd pygments.enabled true
202 fbin config
set security.alternate-file-domain https
://$alt_domain
204 setini opcache.validate_timestamps
'"0"' opcache
/etc
/php
5/apache
2/php.ini
205 setini post_max_size
100M PHP
/etc
/php
5/apache
2/php.ini
207 fsetd metamta.default-address phabricator@
$domain
208 fsetd metamta.domain
$domain
213 # Not sure if this is needed. while developing this script, mysql went down
214 # for a bit and the daemons died.
217 # todo, setup inbound email:
218 # https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/
221 # https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/
222 # unmatchable password, allows login only via ssh, sudo, etc.
224 # I tried having no home dir, (-d /nonexistent),
225 # but I got an error message on test sshing,
226 sudo useradd
-p '*' -m --system -s /bin
/sh vcs ||
[[ $?
== 9 ]]
228 # you'd think the debian package would set this. todo: check on a fresh
230 fbin config
set phd.user phabricator
231 fbin config
set diffusion.ssh-user vcs
233 option
="ALL=(phabricator) SETENV: NOPASSWD:"
234 www_files
=$
(which git hg|
sed ':a;N;s/\n/, /;ta')
235 vcs_files
=$
(which git git-upload-pack git-receive-pack hg|
sed ':a;N;s/\n/, /;ta')
236 [[ $www_files && $vcs_files ]] ||
exit 1
237 www_files
="$www_files, /usr/lib/git-core/git-http-backend"
238 sudo
dd of
=/etc
/sudoers.d
/phabricator
<<EOF
239 www-data $option $www_files
240 vcs $option $vcs_files
243 # Found this due to red x in the ui after setting up a test repo.
244 # todo: debian package should do this for us. see also:
245 # https://phab.iank.bid/config/edit/environment.append-paths/
246 sudo lnf
/usr
/lib
/git-core
/git-http-backend
/usr
/share
/phabricator
/support
/bin
248 fbin config
set diffusion.allow-http-auth true
250 # couldn't find a really appropriate place for it. It needs parent dir
251 # permissions to be root:root.
252 file=/usr
/share
/phabricator-local-ssh-hook.sh
253 # from /usr/share/phabricator/resources/sshd/phabricator-ssh-hook.sh
254 sudo
dd of
=$file <<'EOF'
256 # For debugging, you can temporarily do:
257 # exec >/tmp/plog 2>&1
258 # This script executes as the vcs user
259 if [ "$1" != vcs ]; then exit 1; fi
260 exec "/usr/share/phabricator/bin/ssh-auth" $@
264 sudo
dd of
=/etc
/ssh
/sshd_config.phabricator
<<EOF
265 AuthorizedKeysCommand $file
266 AuthorizedKeysCommandUser vcs
272 AllowAgentForwarding no
273 AllowTcpForwarding no
276 PasswordAuthentication no
277 AuthorizedKeysFile none
279 PidFile /var/run/sshd-phabricator.pid
282 sudo
dd of
=/etc
/systemd
/system
/phabricator-ssh.service
<<'EOF'
284 Description=OpenBSD Secure Shell server for phabricator repos
285 After=network.target auditd.service
286 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
289 ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
290 ExecReload=/bin/kill -HUP $MAINPID
295 WantedBy=multi-user.target
298 sudo systemctl daemon-reload
300 # got this error upon ssh, figured out a solution.
301 # [2016-06-10 06:40:15] EXCEPTION: (AphrontInvalidCredentialsQueryException) #1045: Access denied for user 'root'@'localhost' (using password: NO) at [<phutil>/src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306]
302 # arcanist(), phabricator(), phutil()
304 s usermod
-a -G vcs www-data
305 s usermod
-a -G vcs iank
306 s usermod
-a -G vcs phabricator
307 s chown root
:vcs
/usr
/share
/phabricator
/conf
/local
/local.json
308 fbin config
set diffusion.ssh-port
$ssh_port
310 fsetd policy.allow-public true
318 # todo, finish next steps here:
319 # notably, backup/restore
320 # https://secure.phabricator.com/book/phabricator/article/configuration_guide/
323 fbin auth recover iank
326 # go to link above, then
327 # https://$domain/auth/config/new/
328 # and add username/pass auth provider.
333 # beginnings of automating those last manual steps:
336 # for setting the auto provider, we can use the api.
337 #arc set-config default https://$domain
339 # but first we have to generate an api key by getting
340 # https://phab.iank.bid/conduit/login/
341 # to do that, we've got to login to the url login.
342 # We've got to post to a url on the login page,
343 # then record 2 cookies: phuser and phsid
344 # It also does a 302 for us to do 2 more pages related to auth/login.
346 # we need to post to the right url (didn't record it, with these params)
348 #allowRegistration:"1"
356 # phabricator/ $ ./bin/repository edit rT --as iank --local-path ...