#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling
# This program is under GPL v. 3 or later, see
# Strict mode: abort on the first failing command or pipeline stage, and let
# functions and subshells inherit the ERR trap.
set -o errexit -o errtrace -o pipefail
# On failure, report the script name, line, failing command and exit status.
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
# Trace every command as it runs.
# NOTE(review): the trace shows commands after expansion, so later lines that
# expand $dbpass (e.g. mysql -u root -p"$dbpass") write the password into the
# trace output. Keep that output out of shared logs, or switch tracing off
# around those lines.
set -o xtrace
# Per-host site settings. lj is the test server.
# NOTE(review): any other hostname leaves domain and alt_domain unset, and the
# script keeps going; later settings such as security.alternate-file-domain
# would then be written with an empty host part.
if [[ $HOSTNAME == lj ]]; then
  domain=phab.iank.bid
  alt_domain=fastmail.wiki
elif [[ $HOSTNAME == lk ]]; then
  domain=phab.iankelling.org
  alt_domain=iankellingusercontent.org
fi
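# Per-host credential, presumably the Phabricator admin password going by the
# file name. Tracing is switched off around the read: with xtrace active the
# assignment would be echoed to the trace with the secret expanded.
# NOTE(review): this only covers the read itself; any later traced command
# that expands $pass would still show it.
case $- in
  *x*) _xtrace_was_on=1 ;;
  *) _xtrace_was_on=0 ;;
esac
set +x
# Path quoted so an unusual $HOSTNAME cannot split it into several arguments.
pass=$(cat -- "/p/c/machine_specific/$HOSTNAME/phabricator_admin")
if (( _xtrace_was_on )); then
  set -x
fi
unset _xtrace_was_on
# Fixed site parameters used by the rest of the setup.
webroot=/usr/share/phabricator/webroot
user=iank
name="Ian Kelling"
email=ian@iankelling.org
ssh_port=222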
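# Run one of the Phabricator command-line tools through sudo.
# Arguments: $1 - tool name under /usr/share/phabricator/bin (e.g. config,
#            auth); all remaining arguments are passed to the tool unchanged.
# Returns:   the tool's exit status, or 2 when no tool name is given.
# NOTE(review): $1 becomes part of a path executed via sudo, so callers
# should only pass fixed tool names, as every call in this script does.
fbin() {
  if (( $# == 0 )); then
    echo "fbin: missing tool name" >&2
    return 2
  fi
  # Kept local so a call does not overwrite a global variable named bin.
  local tool=$1
  shift
  # Quoted so the tool path is always handed to sudo as a single argument.
  sudo "/usr/share/phabricator/bin/$tool" "$@"
}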
# Set a Phabricator config option with --database, i.e. stored in the
# database rather than in conf/local/local.json.
# Arguments: the option name and value, passed through to `config set`.
fsetd() {
  fbin config set --database "$@"
}
# phabricator complained about wanting arcanist first
# pi is not defined in this file; presumably a package-install helper from
# the login environment (the script runs under bash -l) -- confirm.
pi arcanist/unstable mercurial
# Load the private helper files. $dbpass is never assigned in the visible
# script, so it presumably comes from one of these -- confirm.
for x in /a/bin/bash_unpublished/*; do source $x; done
# duplicated in mediawiki setup. todo fix that.
s DEBIAN_FRONTEND=noninteractive pi mysql-server
cd # mysql_secure_installation writes some temp files to the current dir,
# so we need to make sure it's writable.
# Probe whether root can already log in with $dbpass, then feed
# mysql_secure_installation the matching answers on stdin.
# NOTE(review): -p"$dbpass" puts the password on the mysql command line,
# where it is visible in the process list, and with xtrace enabled at the top
# of the script both this line and the echo lines below are traced with the
# password expanded. A client option file readable only by root avoids the
# command-line exposure.
if echo exit|mysql -u root -p"$dbpass"; then
# Root password already set: presumably the current password, "n" to keep it,
# then the default for each remaining prompt -- depends on the prompt order of
# the installed mysql_secure_installation; confirm.
echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation
else
# No usable root password yet: presumably empty answers first, then the new
# password twice, then defaults -- confirm against the installed version.
echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
fi
mysql -u root -p$dbpass <
Require all granted
EOF
done
# Before I figured out how to setup the admin in the script,
# this would limit the site to localhost,
# and access it through an ssh tunnel until it's secure.
#phab-site -p 127.0.0.1:443
# settings are stored in conf/local/local.json.
# some settings could also be stored in the database with
# --database arg. database has higher priority than
# the config file.
# if you need to restart phabricator, just ser restart apache2
# https://secure.phabricator.com/book/phabricator/article/restarting/
# to reset things, you can do.
# fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable
# # but under debian, prolly better to purge, cause db gets created on install
# On first run went to the website, registered manually, then
# went through the gui setup items to get the configuration below.
#expect "*"
#sleep 1
# expect exits with 0 by default when an expect command times out.
# You can modify this, but it was simpler to use an irregular exit code to
# detect actual success.
sudo expect -d <<()~*:\"\"&^'"
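# default is 128M. recommended starting point is 40% of ram.
setd innodb_buffer_pool_size 1600M
# this files stopwork, and min_word_len
# Password quoted so spaces or glob characters in it cannot split the
# argument (the earlier login probe already quotes it the same way).
# NOTE(review): -p on the command line still exposes the password in the
# process list and in the xtrace output; a root-only client option file
# passed with --defaults-extra-file would avoid that.
mysql -u root -p"$dbpass" <<'EOF'
REPAIR TABLE phabricator_search.search_documentfield;
EOF
fsetd pygments.enabled true
# The host case statement has no default branch, so on an unrecognised host
# both variables are empty. Stop here rather than store "https://" as the
# alternate file domain or an empty mail domain.
: "${domain:?domain is not set for host $HOSTNAME}"
: "${alt_domain:?alt_domain is not set for host $HOSTNAME}"
# Serve files from a separate domain from the main site.
fbin config set security.alternate-file-domain "https://$alt_domain"
# With timestamp validation off, PHP keeps serving cached bytecode until
# the web server is restarted.
setini opcache.validate_timestamps '"0"' opcache /etc/php5/apache2/php.ini
setini post_max_size 100M PHP /etc/php5/apache2/php.ini
fsetd metamta.default-address "phabricator@$domain"
fsetd metamta.domain "$domain"
ser restart mysql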
# Not sure if this is needed. while developing this script, mysql went down
# for a bit and the daemons died.
# todo, setup inbound email:
# https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/
# https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/
# unmatchable password, allows login only via ssh, sudo, etc.
# this is standard.
# I tried having no home dir, (-d /nonexistent),
# but I got an error message on test sshing,
# Create the vcs system account with a home directory, /bin/sh as its shell
# and '*' as the password field, so no password can ever match.
# useradd(8) documents exit status 9 as "username already in use"; that
# outcome is accepted so the script can be re-run.
sudo useradd \
  --password '*' \
  --create-home \
  --system \
  --shell /bin/sh \
  vcs || [[ $? == 9 ]]
# you'd think the debian package would set this. todo: check on a fresh
# machine
# Daemons run as phabricator; repository access over ssh uses vcs.
fbin config set phd.user phabricator
fbin config set diffusion.ssh-user vcs
# sudoers rule prefix: on any host, run as the phabricator user, with the
# caller allowed to pass its own environment (SETENV) and no password prompt
# (NOPASSWD). Presumably spliced into the /etc/sudoers.d/phabricator fragment
# written next; that heredoc is not intact on this page.
option="ALL=(phabricator) SETENV: NOPASSWD:"
# Absolute paths of the VCS binaries, joined by sed into one ", "-separated
# list.
# NOTE(review): which resolves against the PATH of whoever runs this script,
# so the paths that end up in the sudoers rule are only as trustworthy as
# that PATH; check that they point at root-owned system directories.
www_files=$(which git hg|sed ':a;N;s/\n/, /;ta')
vcs_files=$(which git git-upload-pack git-receive-pack hg|sed ':a;N;s/\n/, /;ta')
# Stop if either list came back empty.
[[ $www_files && $vcs_files ]] || exit 1
www_files="$www_files, /usr/lib/git-core/git-http-backend"
# NOTE(review): a syntax error in a file under /etc/sudoers.d can break sudo,
# so checking the generated fragment with visudo -cf before installing it
# is worth adding.
sudo dd of=/etc/sudoers.d/phabricator </tmp/plog 2>&1
# This script executes as the vcs user
if [ "$1" != vcs ]; then exit 1; fi
exec "/usr/share/phabricator/bin/ssh-auth" $@
EOF
sudo chmod 755 $file
sudo dd of=/etc/ssh/sshd_config.phabricator </src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306]
# arcanist(), phabricator(), phutil()
# Add www-data, ian and phabricator to the vcs group, then hand group
# ownership of the local config file to vcs.
# NOTE(review): local.json holds the settings written by `config set`, which
# may include secrets such as database credentials. Every member of vcs gets
# whatever the file's group permissions allow, so confirm its mode.
s usermod --append --groups vcs www-data
s usermod --append --groups vcs ian
s usermod --append --groups vcs phabricator
s chown root:vcs /usr/share/phabricator/conf/local/local.json
fbin config set diffusion.ssh-port $ssh_port
# NOTE(review): as far as I know, policy.allow-public makes "Public"
# available as a policy choice, so objects can then be opened to logged-out
# visitors; confirm this is intended for both hosts.
fsetd policy.allow-public true
# sgo and ser are not defined in this file; presumably service helpers.
sgo phabricator-ssh
ser restart apache2
sgo phabricator
# todo, finish next steps here:
# notably, backup/restore
# https://secure.phabricator.com/book/phabricator/article/configuration_guide/
# NOTE(review): as far as I know, `auth recover` prints a one-time login link
# for the named account. Anyone who can read this script's output or a log
# that captures it can use that link, so treat the output as a credential.
# The account name is hard-coded here although $user holds the same value.
fbin auth recover iank
cat <