diff --git a/tools/site/puppet/modules/phabricator/manifests/config.pp b/tools/site/puppet/modules/phabricator/manifests/config.pp
index 11dfeb9..f1f50f8 100644
--- a/tools/site/puppet/modules/phabricator/manifests/config.pp
+++ b/tools/site/puppet/modules/phabricator/manifests/config.pp
@@ -1,193 +1,190 @@
# Configures Phabricator.
#
# @summary Configures Arcanist, libphutil and Phabricator.
# @private
#
class phabricator::config {
assert_private()
$notify = Class['php::fpm::service']
# NOTE: Group 'phabricator' managed in basics/init.pp
user {
default:
ensure => 'present',
managehome => false,
system => true;
$phabricator::daemon_user:
gid => $phabricator::group,
comment => 'Phabricator Daemons',
home => "${phabricator::install_dir}/phabricator/support/empty",
shell => '/usr/sbin/nologin';
$phabricator::vcs_user:
gid => $phabricator::group,
comment => 'Phabricator VCS',
home => $phabricator::repo_dir,
shell => '/bin/sh';
}
file {
default:
- owner => 'root',
group => $phabricator::group;
$phabricator::logs_dir:
+ owner => $phabricator::www_user,
ensure => 'directory',
- group => undef,
mode => '0775';
$phabricator::repo_dir:
ensure => 'directory',
owner => $phabricator::www_user,
mode => '0750';
$phabricator::install_dir:
ensure => 'directory',
owner => $phabricator::admin_user;
$phabricator::storage_dir:
ensure => 'directory',
owner => $phabricator::www_user;
$phabricator::dumps_dir:
ensure => 'directory',
owner => $phabricator::admin_user;
"/home/${phabricator::admin_user}/.ssh/bitbucket_id_rsa":
owner => 'xreate',
mode => 'u=rw,g=,o=',
source => "${phabricator::secrets_dir}bitbucket_id_rsa",
ensure => file;
'phabricator/conf/local.json':
ensure => 'file',
path => "${phabricator::install_dir}/phabricator/conf/local/local.json",
content => inline_template("<%= scope['phabricator::config'].to_json %>"),
mode => '0640',
notify => $notify,
owner => 'root',
group => $phabricator::group,
require => Vcsrepo['phabricator'];
#Xreate Docs
"${phabricator::install_dir}phabricator/webroot/rsrc/css/xreate-docs":
ensure => link,
target => "${phabricator::install_dir}/xreate-docs/css",
owner => $phabricator::daemon_user,
group => $phabricator::group,
require => Vcsrepo['phabricator'];
["${phabricator::install_dir}xreate-docs/conf", $phabricator::xreate_docs_path]:
ensure => 'directory',
owner=>$phabricator::admin_user,
require=>Vcsrepo['xreate-docs'];
"${phabricator::install_dir}xreate-docs/conf/local.json":
ensure => 'file',
content => inline_template("<%= scope['phabricator::xreate_docs_config'].to_json %>"),
require => [Vcsrepo['xreate-docs']];
}
#Configure Bitbucket:
sshkey {
'bitbucket.org':
type => 'ssh-rsa',
key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=='
}
class { 'ssh::client':
options => {
"Host *" => {
'HashKnownHosts' => false,
}
}
}
::ssh::client::config::user {
$phabricator::admin_user:
ensure => present,
options => {
'Host bitbucket.org' => {
'Hostname' => 'bitbucket.org',
'User' => 'git',
'IdentityFile' => '~/.ssh/bitbucket_id_rsa'
}
}
}
logrotate::rule { 'phabricator':
ensure => 'present',
- path => $phabricator::log_access_path,
+ path => [$phabricator::log_access_path, "${phabricator::logs_dir}ssh.log"],
compress => true,
delaycompress => true,
ifempty => false,
missingok => true,
rotate_every => 'week',
rotate => 40
}
# TODO: We should be able to tighten these permissions as follows:
#
# - `/usr/bin/git`, `/usr/bin/git-receive-pack`, `/usr/bin/git-upload-pack`
# and `/usr/lib/git-core/git-http-backend` should only be required if the
# node is //hosting// Diffusion repositories.
# - `/usr/bin/ssh` should only be required if the node is //serving// (either
# directly or by proxy) Diffusion repositories.
#
if $phabricator::manage_diffusion {
# lint:ignore:strict_indent
sudo::conf { "${phabricator::vcs_user}:${phabricator::daemon_user}":
ensure => 'present',
content => sprintf(
'%s ALL=(%s) SETENV: NOPASSWD: %s',
$phabricator::vcs_user,
"${phabricator::daemon_user}:${phabricator::group}",
join([
'/usr/bin/git',
'/usr/bin/git-receive-pack',
'/usr/bin/git-upload-pack',
'/usr/bin/ssh',
], ', '),
),
}
# lint:endignore
#PHP
include php::params
# lint:ignore:strict_indent
sudo::conf { "${php::params::fpm_user}:${phabricator::daemon_user}":
ensure => 'present',
content => sprintf(
'%s ALL=(%s) SETENV: NOPASSWD: %s',
$php::params::fpm_user,
"${phabricator::daemon_user}:${phabricator::group}",
join([
'/usr/bin/git',
'/usr/bin/ssh',
'/usr/lib/git-core/git-http-backend',
], ', '),
),
}
# lint:endignore
# lint:ignore:strict_indent
ssh::server::config::setting { $phabricator::vcs_user:
key => "Match User ${phabricator::vcs_user}",
# TODO: This seems quite hacky.
value => join([
'',
"AuthorizedKeysCommand ${phabricator::install_dir}/phabricator/bin/ssh-auth",
"AuthorizedKeysCommandUser ${phabricator::vcs_user}",
], "\n "),
}
# lint:endignore
}
-
- # TODO: Add `logrotate` rules for Phabricator's access and SSH logs.
}
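Review bot: The new `ssh.log` rotation entry will most likely be skipped by logrotate, because the directory it lives in is now declared group-writable and owned by a non-root user (`owner => $phabricator::www_user`, `mode => '0775'`, group `$phabricator::group`), and logrotate versions that enforce the insecure-parent-directory check refuse to rotate files there unless a `su` directive names the user/group to rotate as. The same applies to the `nginx` rule in nginx.pp, whose paths now point into the same directory. The rule should set the module's `su` options for this directory, e.g. `su => true, su_user => $phabricator::www_user, su_group => $phabricator::group,` (parameter names vary between logrotate module versions; check the one pinned for this site). Separately, dropping `owner => 'root'` from the `file` defaults means resources that set no owner, such as `xreate-docs/conf/local.json`, no longer have their owner managed at all; if that is intended, a one-line comment on the defaults block saying so would stop the next reader from restoring it.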
diff --git a/tools/site/puppet/modules/phabricator/manifests/nginx.pp b/tools/site/puppet/modules/phabricator/manifests/nginx.pp
index 03071ed..da97503 100644
--- a/tools/site/puppet/modules/phabricator/manifests/nginx.pp
+++ b/tools/site/puppet/modules/phabricator/manifests/nginx.pp
@@ -1,55 +1,55 @@
class phabricator::nginx {
class {'nginx':
client_max_body_size => '32M'
}
- $access_log = "${nginx::params::log_dir}/${phabricator::server_url}.${nginx::params::http_access_log_file}"
- $error_log = "${nginx::params::log_dir}/${phabricator::server_url}.${nginx::params::nginx_error_log_file}"
+ $access_log = "${phabricator::logs_dir}nginx-access.log"
+ $error_log = "${phabricator::logs_dir}nginx-error.log"
nginx::resource::server {$phabricator::server_url:
ensure => present,
use_default_location => false,
www_root => "${phabricator::install_dir}phabricator/webroot",
access_log => $access_log,
error_log => $error_log,
rewrite_www_to_non_www => true,
notify => Class['php::fpm::service']
}
nginx::resource::location{'/':
ensure => present,
server => $phabricator::server_url,
index_files => ['index.php'],
rewrite_rules => ['^/(.*)$ /index.php?__path__=/$1 last']
}
nginx::resource::location{'/index.php':
ensure => present,
server => $phabricator::server_url,
fastcgi => "unix:${phabricator::fpm_socket}",
fastcgi_index => 'index.php',
fastcgi_param => {
'REDIRECT_STATUS'=> '200',
'SCRIPT_FILENAME'=> '$document_root$fastcgi_script_name',
'QUERY_STRING'=> '$query_string',
'REQUEST_METHOD'=> '$request_method',
'CONTENT_TYPE'=> '$content_type',
'CONTENT_LENGTH'=> '$content_length',
'SCRIPT_NAME'=> '$fastcgi_script_name',
'GATEWAY_INTERFACE'=> 'CGI/1.1',
'SERVER_SOFTWARE'=> 'nginx/$nginx_version',
'REMOTE_ADDR'=> '$remote_addr'
}
}
logrotate::rule { 'nginx':
ensure => 'present',
path => [$access_log, $error_log],
compress => true,
delaycompress => true,
ifempty => false,
missingok => true,
rotate_every => 'week',
rotate => 40
}
}
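Review bot: The new `$access_log`/`$error_log` values point into a directory that this class does not create, and nothing orders `nginx::resource::server[$phabricator::server_url]` after `File[$phabricator::logs_dir]` from phabricator::config; on a first run nginx can be configured and reloaded before `/var/log/xreate.org/` exists, which makes the config test fail on the missing log directory. Add `require => File[$phabricator::logs_dir],` to the server resource (or an explicit class ordering) so the directory is guaranteed first. Both new strings also rely on `logs_dir` carrying a trailing slash, since the file name is appended without a separator; the same convention is used for `ssh.log` in config.pp, so it is worth stating once where `logs_dir` is set.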
diff --git a/tools/site/puppet/modules/xreate_org/manifests/init.pp b/tools/site/puppet/modules/xreate_org/manifests/init.pp
index dfb8535..41ae4bc 100644
--- a/tools/site/puppet/modules/xreate_org/manifests/init.pp
+++ b/tools/site/puppet/modules/xreate_org/manifests/init.pp
@@ -1,168 +1,168 @@
class xreate_org(
String $url,
String $install_dir,
String $db_user,
String $secrets_dir,
String $init_db,
String $xreate_docs_path,
String $doxy_docs_path,
String $phabricator_ctl,
String $init_repo,
){
$db_pass = file("${secrets_dir}mysql-pwd-${db_user}")[0, -2]
$storage_dir = '/var/local/storage/'
$backups_dir = '/var/local/backups/'
$admin_user = 'xreate' #Defined in basics/init.pp!
$group = 'phabricator' #Defined in basics/init.pp!
include basics
class {'phabricator::mysql':
user => $db_user,
password => $db_pass
}
class { 'phabricator':
server_url => $url,
secrets_dir => $secrets_dir,
init_db =>$init_db,
xreate_docs_path => $xreate_docs_path,
ctl => $phabricator_ctl,
#DB
storage_upgrade_user => $db_user,
storage_upgrade_password => $db_pass,
#REPO
init_repo => $init_repo,
#USERS:
admin_user => $admin_user,
daemon_user => 'phabd',
vcs_user => 'xreate-repo',
www_user => 'www-data',
group => $group,
#URLS:
arcanist_url => 'ssh://git@bitbucket.org/pgess/xreate-arcanist.git',
phabricator_url => 'ssh://git@bitbucket.org/pgess/xreate-phabricator.git',
libphutil_url => 'ssh://git@bitbucket.org/pgess/xreate-libphutil.git',
xreate_docs_url => 'ssh://git@bitbucket.org/pgess/xreate-docs.git',
#Path stored in DB: phabrcator_repository.repository.localPath
repo_dir => '/var/local/repo/',
storage_dir => $storage_dir,
dumps_dir => '/var/local/dumps/',
install_dir => $install_dir,
- logs_dir => '/var/log/',
+ logs_dir => '/var/log/xreate.org/',
pid_dir => '/run/',
install_fonts => false,
manage_diffusion => true,
config_hash => {
#EMAIL:
"metamta.default-address"=> "bot@xreate.org",
"cluster.mailers" => [
{
"key" => "xreate-mailer",
"type" => "smtp",
"options" => {
"host"=> "smtp.zoho.com",
"port"=> 465,
"user" => "bot@xreate.org",
"password" => "UeqiFxzkBdF1Ln0uwcTn",
"protocol" => "ssl"
}
}],
"phabricator.base-uri" => "http://${url}",
"phabricator.tail-title" => "Xreate",
"phabricator.show-prototypes" => true,
"storage.default-namespace"=> "phabricator",
'storage.local-disk.path' => $storage_dir,
'mysql.host' => '127.0.0.1',
'mysql.user' => $db_user,
'mysql.pass' => $db_pass,
#MODULES:
'load-libraries' => {
'xreate' => "${install_dir}/xreate-docs/src/"
},
#DIFFUSION:
'diffusion.allow-http-auth' => true,
#UI:
'ui.header-color' => 'dark',
'ui.logo' => { "logoImagePHID"=> null, "wordmarkText" => "Xreate" },
'ui.footer-items'=> [
{ "name"=> "Email: pr.h7@xreate.org" },
{ "name"=> "2019 Xreate.org" },
{ "name"=> "Powered by Phabricator" }
],
'phabricator.uninstalled-applications'=> {
'PhabricatorConpherenceApplication' => true,
'PhabricatorNuanceApplication' => true,
'PhabricatorPholioApplication' => true,
'PhabricatorAlmanacApplication' => true,
'PhabricatorBadgesApplication' => true,
'PhabricatorCalendarApplication' => true,
'PhabricatorChatLogApplication' => true,
'PhabricatorCountdownApplication' => true,
'PhabricatorDivinerApplication' => true,
'PhabricatorDrydockApplication' => true,
'PhabricatorFactApplication' => true,
'PhabricatorFlagsApplication' => true,
'PhabricatorFundApplication' => true,
'PhabricatorHarbormasterApplication' => true,
'PhabricatorHeraldApplication' => true,
'PhabricatorLegalpadApplication' => true,
'PhabricatorMacroApplication' => true,
'PhabricatorOwnersApplication' => true,
'PhabricatorPackagesApplication' => true,
'PhabricatorPhluxApplication' => true,
'PhabricatorPhortuneApplication' => true,
'PhabricatorPhragmentApplication' => true,
'PhabricatorPhrequentApplication' => true,
'PhabricatorPhurlApplication' => true,
'PhabricatorReleephApplication' => true,
'PhabricatorSlowvoteApplication' => true,
'PhabricatorTokensApplication' => true,
'PhabricatorMultimeterApplication' => true,
'PhabricatorPHPASTApplication' => true,
'PhabricatorUIExamplesApplication' => true,
'PhabricatorXHProfApplication' => true,
'PhabricatorOAuthServerApplication' => true
}
},
}
#remove default NGINX sites
$nginx_sites = "${nginx::params::conf_dir}/sites-enabled"
file {"${nginx_sites}/default":
ensure => absent
}
#Doxygen Documentation
file{
$doxy_docs_path:
ensure => 'directory',
owner=>$phabricator::admin_user,
group => $group;
}
nginx::resource::location{ '^~ /api':
location_alias => "${doxy_docs_path}",
index_files => ['index.html'],
server => $xreate_org::url,
}
#Port redirects
$redirects = hiera_hash('redirects',{})
notice($redirects)
create_resources('basics::redir',$redirects)
}
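Review bot: The new `logs_dir` value only works because it ends with a slash; phabricator::config and phabricator::nginx build file names by plain concatenation (`"${phabricator::logs_dir}ssh.log"`, `"${phabricator::logs_dir}nginx-access.log"`), so a value without the trailing slash silently yields paths like `/var/log/xreate.orgssh.log`. A short comment on this line, `# trailing slash required: consumers append file names directly`, or normalising in the phabricator class (outside this hunk) would prevent that. Unrelated to the change but visible in the same hunk: the SMTP password in `cluster.mailers` is a literal in the manifest, while the database password is read from `${secrets_dir}` via `file()`; moving it to the same secrets mechanism would keep credentials out of the module source.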
