2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
17 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
26 alt_domain
=fastmail.wiki
29 domain
=phab.iankelling.org
30 alt_domain
=iankellingusercontent.org
35 pass
=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin`
36 webroot
=/usr
/share
/phabricator
/webroot
39 email
=ian@iankelling.org
42 fbin
() { bin
=$1; shift; sudo
/usr
/share
/phabricator
/bin
/$bin "$@"; }
43 fsetd
() { fbin config
set --database "$@"; }
45 # phabricator complained about wanting arcanist first
46 pi arcanist
/unstable mercurial
48 for x
in /a
/bin
/bash_unpublished
/*; do source $x; done
50 # duplicated in mediawiki setup. todo fix that.
51 s DEBIAN_FRONTEND
=noninteractive pi mysql-server
52 cd # mysql_secure_installation writes some temp files to the current dir,
53 # so we need to make sure it's writable.
54 if echo exit|mysql
-u root
-p"$dbpass"; then
55 echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation
57 echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
60 mysql
-u root
-p$dbpass <<EOF
61 grant all privileges on \`phabricator\\_%\`.* to 'phabricator'@localhost identified by '$pass';
65 s debconf-set-selections
<<EOF
66 phabricator phabricator/pwd_check password $pass
67 phabricator phabricator/phabricator_mysql_pwd password $pass
68 phabricator phabricator/webserver select None
69 phabricator phabricator/phabricator_mysql_user string phabricator
70 phabricator phabricator/mysql_host string localhost
71 # Domain name or subdomain name used by phabricator:
72 phabricator phabricator/domain_name string $domain
77 pi phabricator
/unstable
79 # debian sets http, but we want https
80 s
sed -i --follow-symlinks 's/http:/https:/' /usr
/share
/phabricator
/conf
/local
/local.json
83 acme-tiny-wrapper
$domain
84 acme-tiny-wrapper
$alt_domain
86 for x
in $domain $alt_domain; do
87 apache-site
-r $webroot - $x <<EOF
89 RewriteRule ^/rsrc/(.*) - [L,QSA]
90 RewriteRule ^/favicon.ico - [L,QSA]
91 RewriteRule ^/php5-fcgi - [L]
92 RewriteRule ^(.*)\$ /index.php?__path__=\$1 [B,L,QSA]
93 <Directory "$webroot">
100 # Before I figured out how to setup the admin in the script,
101 # this would limit the site to localhost,
102 # and access it through an ssh tunnel until its secure.
103 #phab-site -p 127.0.0.1:443
105 # settings are stored in conf/local/local.json.
106 # some settings could also be stored in the database with
107 # --database arg. database has higher priority than
110 # if you need to restart phabricator, just ser restart apache2
111 # https://secure.phabricator.com/book/phabricator/article/restarting/
113 # to reset things, you can do.
114 # fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable
115 # # but under debian, prolly better to purge, cause db gets created on install
118 # On first run went to the website, registered manually, then
119 # went through the gui setup items to get the configuration below.
125 # expect's exits with 0 by default on timeout of an expect command.
126 # You can modify this, but it was simpler to use an irregular code to detect
129 # The expect lines use shell type globbing. They are not actually
130 # needed, but they make the script likely to fail if the questions
131 # content changes drastically, and make the script self documenting.
133 # adds a short delay after each send for more reliable operation
134 # (reference: comment in any autoexpect generated script)
135 set force_conservative 0
136 spawn "/usr/share/phabricator/bin/accountadmin"
137 # If we've already set our user, detect different prompt and exit
138 # expect basics: when the last alternative matches, there is no need
139 # to specify an action, we just continue.
142 -nocase "enter a username" exit
146 expect -nocase timeout {exit 1} "username"
148 expect -nocase timeout {exit 1} "create*y/n"
150 expect -nocase timeout {exit 1} "name"
152 expect -nocase timeout {exit 1} "email"
154 expect -nocase timeout {exit 1} "password"
156 expect -nocase timeout {exit 1} "bot"
158 expect -nocase timeout {exit 1} "admin"
160 expect -nocase timeout {exit 1} "save"
168 # this tipped me over to using a debian package
169 # https://secure.phabricator.com/T4181
171 fsetd auth.require-approval false
173 # phabricator recommends going from 16 to at least 32
174 sudo
sed -ri 's/(^\s*max_allowed_packet)[[:space:]=].*/\1 = 100M/' /etc
/mysql
/my.cnf
178 key
="$1" value
="$2" section
="$3" file="$4"
179 sudo
sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*$key[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
182 setd
() { setini
"$@" mysqld
/etc
/mysql
/my.cnf
; }
184 # error instead of data corruption:
185 setd sql_mode STRICT_ALL_TABLES
186 setd ft_stopword_file
/usr
/share
/phabricator
/resources
/sql
/stopwords.txt
187 setd ft_min_word_len
3
188 # mysql full text search for word1 word2 will and them instead of or them:
189 setd ft_boolean_syntax
"' |-><()~*:\"\"&^'"
190 # default is 128M. recommended starting point is 40% of ram.
191 setd innodb_buffer_pool_size
1600M
193 # this files stopwork, and min_word_len
194 mysql
-u root
-p$dbpass <<'EOF'
195 REPAIR TABLE phabricator_search.search_documentfield;
198 fsetd pygments.enabled true
199 fbin config
set security.alternate-file-domain https
://$alt_domain
201 setini opcache.validate_timestamps
'"0"' opcache
/etc
/php
5/apache
2/php.ini
202 setini post_max_size
100M PHP
/etc
/php
5/apache
2/php.ini
204 fsetd metamta.default-address phabricator@
$domain
205 fsetd metamta.domain
$domain
210 # Not sure if this is needed. while developing this script, mysql went down
211 # for a bit and the daemons died.
214 # todo, setup inbound email:
215 # https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/
218 # https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/
219 # unmatchable password, allows login only via ssh, sudo, etc.
221 # I tried having no home dir, (-d /nonexistent),
222 # but I got an error message on test sshing,
223 sudo useradd
-p '*' -m --system -s /bin
/sh vcs ||
[[ $?
== 9 ]]
225 # you'd think the debian package would set this. todo: check on a fresh
227 fbin config
set phd.user phabricator
228 fbin config
set diffusion.ssh-user vcs
230 option
="ALL=(phabricator) SETENV: NOPASSWD:"
231 www_files
=$
(which git hg|
sed ':a;N;s/\n/, /;ta')
232 vcs_files
=$
(which git git-upload-pack git-receive-pack hg|
sed ':a;N;s/\n/, /;ta')
233 [[ $www_files && $vcs_files ]] ||
exit 1
234 www_files
="$www_files, /usr/lib/git-core/git-http-backend"
235 sudo
dd of
=/etc
/sudoers.d
/phabricator
<<EOF
236 www-data $option $www_files
237 vcs $option $vcs_files
240 # Found this due to red x in the ui after setting up a test repo.
241 # todo: debian package should do this for us. see also:
242 # https://phab.iank.bid/config/edit/environment.append-paths/
243 sudo lnf
/usr
/lib
/git-core
/git-http-backend
/usr
/share
/phabricator
/support
/bin
245 fbin config
set diffusion.allow-http-auth true
247 # couldn't find a really appropriate place for it. It needs parent dir
248 # permissions to be root:root.
249 file=/usr
/share
/phabricator-local-ssh-hook.sh
250 # from /usr/share/phabricator/resources/sshd/phabricator-ssh-hook.sh
251 sudo
dd of
=$file <<'EOF'
253 # For debugging, you can temporarily do:
254 # exec >/tmp/plog 2>&1
255 # This script executes as the vcs user
256 if [ "$1" != vcs ]; then exit 1; fi
257 exec "/usr/share/phabricator/bin/ssh-auth" $@
261 sudo
dd of
=/etc
/ssh
/sshd_config.phabricator
<<EOF
262 AuthorizedKeysCommand $file
263 AuthorizedKeysCommandUser vcs
269 AllowAgentForwarding no
270 AllowTcpForwarding no
273 PasswordAuthentication no
274 AuthorizedKeysFile none
276 PidFile /var/run/sshd-phabricator.pid
279 sudo
dd of
=/etc
/systemd
/system
/phabricator-ssh.service
<<'EOF'
281 Description=OpenBSD Secure Shell server for phabricator repos
282 After=network.target auditd.service
283 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
286 ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
287 ExecReload=/bin/kill -HUP $MAINPID
292 WantedBy=multi-user.target
295 sudo systemctl daemon-reload
297 # got this error upon ssh, figured out a solution.
298 # [2016-06-10 06:40:15] EXCEPTION: (AphrontInvalidCredentialsQueryException) #1045: Access denied for user 'root'@'localhost' (using password: NO) at [<phutil>/src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306]
299 # arcanist(), phabricator(), phutil()
301 s usermod
-a -G vcs www-data
302 s usermod
-a -G vcs ian
303 s usermod
-a -G vcs phabricator
304 s chown root
:vcs
/usr
/share
/phabricator
/conf
/local
/local.json
305 fbin config
set diffusion.ssh-port
$ssh_port
307 fsetd policy.allow-public true
315 # todo, finish next steps here:
316 # notably, backup/restore
317 # https://secure.phabricator.com/book/phabricator/article/configuration_guide/
320 fbin auth recover iank
323 # go to link above, then
324 # https://$domain/auth/config/new/
325 # and add username/pass auth provider.
330 # beginnings of automating those last manual steps:
333 # for setting the auto provider, we can use the api.
334 #arc set-config default https://$domain
336 # but first we have to generate an api key by getting
337 # https://phab.iank.bid/conduit/login/
338 # to do that, we've got to login to the url login.
339 # We've got to post to a url on the login page,
340 # then record 2 cookies: phuser and phsid
341 # It also does a 302 for us to do 2 more pages related to auth/login.
343 # we need to post to the right url (didn't record it, with these params)
345 #allowRegistration:"1"
353 # phabricator/ $ ./bin/repository edit rT --as iank --local-path ...