+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Copyright (C) 2016 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-
-# Automated phabricator setup. Not currently using it,
-# but it worked last time I tried it.
-
-if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi
-
-set -x
-
-
-# lj is test server
-case $HOSTNAME in
- lj)
- domain=phab.iank.bid
- alt_domain=fastmail.wiki
- ;;
- lk)
- domain=phab.iankelling.org
- alt_domain=iankellingusercontent.org
- ;;
-esac
-
-
-pass=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin`
-webroot=/usr/share/phabricator/webroot
-user=iank
-name="Ian Kelling"
-email=ian@iankelling.org
-ssh_port=222
-
-fbin() { bin=$1; shift; sudo /usr/share/phabricator/bin/$bin "$@"; }
-fsetd() { fbin config set --database "$@"; }
-
-# phabricator complained about wanting arcanist first
-pi arcanist/unstable mercurial
-
-# duplicated in mediawiki setup. todo fix that.
-s DEBIAN_FRONTEND=noninteractive pi mysql-server
-cd # mysql_secure_installation writes some temp files to the current dir,
-# so we need to make sure it's writable.
-if echo exit|mysql -u root -p"$dbpass"; then
- echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation
-else
- echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
-fi
-
-mysql -u root -p$dbpass <<EOF
-grant all privileges on \`phabricator\\_%\`.* to 'phabricator'@localhost identified by '$pass';
-EOF
-
-phab-sel() {
- s debconf-set-selections<<EOF
-phabricator phabricator/pwd_check password $pass
-phabricator phabricator/phabricator_mysql_pwd password $pass
-phabricator phabricator/webserver select None
-phabricator phabricator/phabricator_mysql_user string phabricator
-phabricator phabricator/mysql_host string localhost
-# Domain name or subdomain name used by phabricator:
-phabricator phabricator/domain_name string $domain
-EOF
-}
-phab-sel
-
-pi phabricator/unstable
-
-# debian sets http, but we want https
-s sed -i --follow-symlinks 's/http:/https:/' /usr/share/phabricator/conf/local/local.json
-
-
-acme-tiny-wrapper $domain
-acme-tiny-wrapper $alt_domain
-
-for x in $domain $alt_domain; do
- web-conf -r $webroot - $x <<EOF
-RewriteEngine on
-RewriteRule ^/rsrc/(.*) - [L,QSA]
-RewriteRule ^/favicon.ico - [L,QSA]
-RewriteRule ^/php5-fcgi - [L]
-RewriteRule ^(.*)\$ /index.php?__path__=\$1 [B,L,QSA]
-<Directory "$webroot">
- Require all granted
-</Directory>
-EOF
-done
-
-
-# Before I figured out how to setup the admin in the script,
-# this would limit the site to localhost,
-# and access it through an ssh tunnel until its secure.
-#phab-site -p 127.0.0.1:443
-
-# settings are stored in conf/local/local.json.
-# some settings could also be stored in the database with
-# --database arg. database has higher priority than
-# the config file.
-
-# if you need to restart phabricator, just ser restart apache2
-# https://secure.phabricator.com/book/phabricator/article/restarting/
-
-# to reset things, you can do.
-# fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable
-# # but under debian, prolly better to purge, cause db gets created on install
-
-
-# On first run went to the website, registered manually, then
-# went through the gui setup items to get the configuration below.
-
-
-#expect "*"
-#sleep 1
-
-# expect's exits with 0 by default on timeout of an expect command.
-# You can modify this, but it was simpler to use an irregular code to detect
-# actual success.
-sudo expect -d <<EOF
-# The expect lines use shell type globbing. They are not actually
-# needed, but they make the script likely to fail if the questions
-# content changes drastically, and make the script self documenting.
-
-# adds a short delay after each send for more reliable operation
-# (reference: comment in any autoexpect generated script)
-set force_conservative 0
-spawn "/usr/share/phabricator/bin/accountadmin"
-# If we've already set our user, detect different prompt and exit
-# expect basics: when the last alternative matches, there is no need
-# to specify an action, we just continue.
-expect {
- timeout {exit 1}
- -nocase "enter a username" exit
- -nocase "y/n"
-}
-send "y\r"
-expect -nocase timeout {exit 1} "username"
-send "$user\r"
-expect -nocase timeout {exit 1} "create*y/n"
-send "y\r"
-expect -nocase timeout {exit 1} "name"
-send "$name\r"
-expect -nocase timeout {exit 1} "email"
-send "$email\r"
-expect -nocase timeout {exit 1} "password"
-send "$pass\r"
-expect -nocase timeout {exit 1} "bot"
-send "n\r"
-expect -nocase timeout {exit 1} "admin"
-send "y\r"
-expect -nocase timeout {exit 1} "save"
-send "y\r"
-expect eof
-exit
-EOF
-
-
-
-# this tipped me over to using a debian package
-# https://secure.phabricator.com/T4181
-
-fsetd auth.require-approval false
-
-# phabricator recommends going from 16 to at least 32
-sudo sed -ri 's/(^\s*max_allowed_packet)[[:space:]=].*/\1 = 100M/' /etc/mysql/my.cnf
-
-
-setini() {
- key="$1" value="$2" section="$3" file="$4"
- sudo sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*$key[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
-}
-
-setd() { setini "$@" mysqld /etc/mysql/my.cnf; }
-
-# error instead of data corruption:
-setd sql_mode STRICT_ALL_TABLES
-setd ft_stopword_file /usr/share/phabricator/resources/sql/stopwords.txt
-setd ft_min_word_len 3
-# mysql full text search for word1 word2 will and them instead of or them:
-setd ft_boolean_syntax "' |-><()~*:\"\"&^'"
-# default is 128M. recommended starting point is 40% of ram.
-setd innodb_buffer_pool_size 1600M
-
-# this files stopwork, and min_word_len
-mysql -u root -p$dbpass <<'EOF'
-REPAIR TABLE phabricator_search.search_documentfield;
-EOF
-
-fsetd pygments.enabled true
-fbin config set security.alternate-file-domain https://$alt_domain
-
-setini opcache.validate_timestamps '"0"' opcache /etc/php5/apache2/php.ini
-setini post_max_size 100M PHP /etc/php5/apache2/php.ini
-
-fsetd metamta.default-address phabricator@$domain
-fsetd metamta.domain $domain
-
-
-ser restart mysql
-
-# Not sure if this is needed. while developing this script, mysql went down
-# for a bit and the daemons died.
-
-
-# todo, setup inbound email:
-# https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/
-
-
-# https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/
-# unmatchable password, allows login only via ssh, sudo, etc.
-# this is standard.
-# I tried having no home dir, (-d /nonexistent),
-# but I got an error message on test sshing,
-sudo useradd -p '*' -m --system -s /bin/sh vcs || [[ $? == 9 ]]
-
-# you'd think the debian package would set this. todo: check on a fresh
-# machine
-fbin config set phd.user phabricator
-fbin config set diffusion.ssh-user vcs
-
-option="ALL=(phabricator) SETENV: NOPASSWD:"
-www_files=$(which git hg|sed ':a;N;s/\n/, /;ta')
-vcs_files=$(which git git-upload-pack git-receive-pack hg|sed ':a;N;s/\n/, /;ta')
-[[ $www_files && $vcs_files ]] || exit 1
-www_files="$www_files, /usr/lib/git-core/git-http-backend"
-sudo dd of=/etc/sudoers.d/phabricator <<EOF
-www-data $option $www_files
-vcs $option $vcs_files
-EOF
-
-# Found this due to red x in the ui after setting up a test repo.
-# todo: debian package should do this for us. see also:
-# https://phab.iank.bid/config/edit/environment.append-paths/
-sudo lnf /usr/lib/git-core/git-http-backend /usr/share/phabricator/support/bin
-
-fbin config set diffusion.allow-http-auth true
-
-# couldn't find a really appropriate place for it. It needs parent dir
-# permissions to be root:root.
-file=/usr/share/phabricator-local-ssh-hook.sh
-# from /usr/share/phabricator/resources/sshd/phabricator-ssh-hook.sh
-sudo dd of=$file <<'EOF'
-#!/bin/sh
-# For debugging, you can temporarily do:
-# exec >/tmp/plog 2>&1
-# This script executes as the vcs user
-if [ "$1" != vcs ]; then exit 1; fi
-exec "/usr/share/phabricator/bin/ssh-auth" $@
-EOF
-sudo chmod 755 $file
-
-sudo dd of=/etc/ssh/sshd_config.phabricator <<EOF
-AuthorizedKeysCommand $file
-AuthorizedKeysCommandUser vcs
-AllowUsers vcs
-
-Port $ssh_port
-Protocol 2
-PermitRootLogin no
-AllowAgentForwarding no
-AllowTcpForwarding no
-PrintMotd no
-PrintLastLog no
-PasswordAuthentication no
-AuthorizedKeysFile none
-
-PidFile /var/run/sshd-phabricator.pid
-EOF
-
-sudo dd of=/etc/systemd/system/phabricator-ssh.service <<'EOF'
-[Unit]
-Description=OpenBSD Secure Shell server for phabricator repos
-After=network.target auditd.service
-ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
-
-[Service]
-ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-sudo systemctl daemon-reload
-
-# got this error upon ssh, figured out a solution.
-# [2016-06-10 06:40:15] EXCEPTION: (AphrontInvalidCredentialsQueryException) #1045: Access denied for user 'root'@'localhost' (using password: NO) at [<phutil>/src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306]
-# arcanist(), phabricator(), phutil()
-
-s usermod -a -G vcs www-data
-s usermod -a -G vcs iank
-s usermod -a -G vcs phabricator
-s chown root:vcs /usr/share/phabricator/conf/local/local.json
-fbin config set diffusion.ssh-port $ssh_port
-
-fsetd policy.allow-public true
-
-sgo phabricator-ssh
-
-ser restart apache2
-sgo phabricator
-
-
-# todo, finish next steps here:
-# notably, backup/restore
-# https://secure.phabricator.com/book/phabricator/article/configuration_guide/
-
-
-fbin auth recover iank
-
-cat <<EOF
-# go to link above, then
-# https://$domain/auth/config/new/
-# and add username/pass auth provider.
-EOF
-
-
-
-# beginnings of automating those last manual steps:
-
-
-# for setting the auto provider, we can use the api.
-#arc set-config default https://$domain
-#
-# but first we have to generate an api key by getting
-# https://phab.iank.bid/conduit/login/
-# to do that, we've got to login to the url login.
-# We've got to post to a url on the login page,
-# then record 2 cookies: phuser and phsid
-# It also does a 302 for us to do 2 more pages related to auth/login.
-
-# we need to post to the right url (didn't record it, with these params)
-#allowLogin:"1"
-#allowRegistration:"1"
-#allowLink:"1"
-#allowUnlink:"1"
-
-
-#Serve over HTTP
-#
-#
-# phabricator/ $ ./bin/repository edit rT --as iank --local-path ...
-
-#
iankelling.org / git / distro-setup / blobdiff