diff --git a/tools/site/puppet/modules/phabricator/manifests/config.pp b/tools/site/puppet/modules/phabricator/manifests/config.pp
index 11dfeb9..f1f50f8 100644
--- a/tools/site/puppet/modules/phabricator/manifests/config.pp
+++ b/tools/site/puppet/modules/phabricator/manifests/config.pp
@@ -1,193 +1,190 @@ # Configures Phabricator. # # @summary Configures Arcanist, libphutil and Phabricator. # @private # class phabricator::config { assert_private() $notify = Class['php::fpm::service'] # NOTE: Group 'phabricator' managed in basics/init.pp user { default: ensure => 'present', managehome => false, system => true; $phabricator::daemon_user: gid => $phabricator::group, comment => 'Phabricator Daemons', home => "${phabricator::install_dir}/phabricator/support/empty", shell => '/usr/sbin/nologin'; $phabricator::vcs_user: gid => $phabricator::group, comment => 'Phabricator VCS', home => $phabricator::repo_dir, shell => '/bin/sh'; } file { default: - owner => 'root', group => $phabricator::group; $phabricator::logs_dir: + owner => $phabricator::www_user, ensure => 'directory', - group => undef, mode => '0775'; $phabricator::repo_dir: ensure => 'directory', owner => $phabricator::www_user, mode => '0750'; $phabricator::install_dir: ensure => 'directory', owner => $phabricator::admin_user; $phabricator::storage_dir: ensure => 'directory', owner => $phabricator::www_user; $phabricator::dumps_dir: ensure => 'directory', owner => $phabricator::admin_user; "/home/${phabricator::admin_user}/.ssh/bitbucket_id_rsa": owner => 'xreate', mode => 'u=rw,g=,o=', source => "${phabricator::secrets_dir}bitbucket_id_rsa", ensure => file; 'phabricator/conf/local.json': ensure => 'file', path => "${phabricator::install_dir}/phabricator/conf/local/local.json", content => inline_template("<%= scope['phabricator::config'].to_json %>"), mode => '0640', notify => $notify, owner => 'root', group => $phabricator::group, require => Vcsrepo['phabricator']; #Xreate Docs "${phabricator::install_dir}phabricator/webroot/rsrc/css/xreate-docs": ensure => link, target => "${phabricator::install_dir}/xreate-docs/css", owner => $phabricator::daemon_user, group => $phabricator::group, require => Vcsrepo['phabricator']; ["${phabricator::install_dir}xreate-docs/conf", 
$phabricator::xreate_docs_path]: ensure => 'directory', owner=>$phabricator::admin_user, require=>Vcsrepo['xreate-docs']; "${phabricator::install_dir}xreate-docs/conf/local.json": ensure => 'file', content => inline_template("<%= scope['phabricator::xreate_docs_config'].to_json %>"), require => [Vcsrepo['xreate-docs']]; } #Configure Bitbucket: sshkey { 'bitbucket.org': type => 'ssh-rsa', key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==' } class { 'ssh::client': options => { "Host *" => { 'HashKnownHosts' => false, } } } ::ssh::client::config::user { $phabricator::admin_user: ensure => present, options => { 'Host bitbucket.org' => { 'Hostname' => 'bitbucket.org', 'User' => 'git', 'IdentityFile' => '~/.ssh/bitbucket_id_rsa' } } } logrotate::rule { 'phabricator': ensure => 'present', - path => $phabricator::log_access_path, + path => [$phabricator::log_access_path, "${phabricator::logs_dir}ssh.log"], compress => true, delaycompress => true, ifempty => false, missingok => true, rotate_every => 'week', rotate => 40 } # TODO: We should be able to tighten these permissions as follows: # # - `/usr/bin/git`, `/usr/bin/git-receive-pack`, `/usr/bin/git-upload-pack` # and `/usr/lib/git-core/git-http-backend` should only be required if the # node is //hosting// Diffusion repositories. # - `/usr/bin/ssh` should only be required if the node is //serving// (either # directly or by proxy) Diffusion repositories. 
# if $phabricator::manage_diffusion { # lint:ignore:strict_indent sudo::conf { "${phabricator::vcs_user}:${phabricator::daemon_user}": ensure => 'present', content => sprintf( '%s ALL=(%s) SETENV: NOPASSWD: %s', $phabricator::vcs_user, "${phabricator::daemon_user}:${phabricator::group}", join([ '/usr/bin/git', '/usr/bin/git-receive-pack', '/usr/bin/git-upload-pack', '/usr/bin/ssh', ], ', '), ), } # lint:endignore #PHP include php::params # lint:ignore:strict_indent sudo::conf { "${php::params::fpm_user}:${phabricator::daemon_user}": ensure => 'present', content => sprintf( '%s ALL=(%s) SETENV: NOPASSWD: %s', $php::params::fpm_user, "${phabricator::daemon_user}:${phabricator::group}", join([ '/usr/bin/git', '/usr/bin/ssh', '/usr/lib/git-core/git-http-backend', ], ', '), ), } # lint:endignore # lint:ignore:strict_indent ssh::server::config::setting { $phabricator::vcs_user: key => "Match User ${phabricator::vcs_user}", # TODO: This seems quite hacky. value => join([ '', "AuthorizedKeysCommand ${phabricator::install_dir}/phabricator/bin/ssh-auth", "AuthorizedKeysCommandUser ${phabricator::vcs_user}", ], "\n "), } # lint:endignore } - - # TODO: Add `logrotate` rules for Phabricator's access and SSH logs. } diff --git a/tools/site/puppet/modules/phabricator/manifests/nginx.pp b/tools/site/puppet/modules/phabricator/manifests/nginx.pp index 03071ed..da97503 100644 --- a/tools/site/puppet/modules/phabricator/manifests/nginx.pp +++ b/tools/site/puppet/modules/phabricator/manifests/nginx.pp 
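Review bot: `$phabricator::logs_dir` is now created `0775`, owned by `$phabricator::www_user` with the default group `$phabricator::group` (the removed `group => undef`), but the files the `logrotate::rule { 'phabricator' }` now lists inside it (`${phabricator::logs_dir}ssh.log`, and the access log if it lives there too) will be skipped by a root-run logrotate, which since 3.8 refuses to rotate a file whose parent directory is writable by a non-root group unless the rule carries an `su` directive. Either give the rule `su => true, su_user => $phabricator::www_user, su_group => $phabricator::group` (parameter names as in the puppet-logrotate module — confirm against the version in use) or drop group write on the directory. The same applies to `logrotate::rule { 'nginx' }` in nginx.pp, whose logs this commit moves into the same directory. Separately, I cannot see where Phabricator's `log.ssh.path` is pointed at `${phabricator::logs_dir}ssh.log` — the `config_hash` in init.pp does not set it — so confirm the file is actually written there before adding it to rotation.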
@@ -1,55 +1,55 @@ class phabricator::nginx { class {'nginx': client_max_body_size => '32M' } - $access_log = "${nginx::params::log_dir}/${phabricator::server_url}.${nginx::params::http_access_log_file}" - $error_log = "${nginx::params::log_dir}/${phabricator::server_url}.${nginx::params::nginx_error_log_file}" + $access_log = "${phabricator::logs_dir}nginx-access.log" + $error_log = "${phabricator::logs_dir}nginx-error.log" nginx::resource::server {$phabricator::server_url: ensure => present, use_default_location => false, www_root => "${phabricator::install_dir}phabricator/webroot", access_log => $access_log, error_log => $error_log, rewrite_www_to_non_www => true, notify => Class['php::fpm::service'] } nginx::resource::location{'/': ensure => present, server => $phabricator::server_url, index_files => ['index.php'], rewrite_rules => ['^/(.*)$ /index.php?__path__=/$1 last'] } nginx::resource::location{'/index.php': ensure => present, server => $phabricator::server_url, fastcgi => "unix:${phabricator::fpm_socket}", fastcgi_index => 'index.php', fastcgi_param => { 'REDIRECT_STATUS'=> '200', 'SCRIPT_FILENAME'=> '$document_root$fastcgi_script_name', 'QUERY_STRING'=> '$query_string', 'REQUEST_METHOD'=> '$request_method', 'CONTENT_TYPE'=> '$content_type', 'CONTENT_LENGTH'=> '$content_length', 'SCRIPT_NAME'=> '$fastcgi_script_name', 'GATEWAY_INTERFACE'=> 'CGI/1.1', 'SERVER_SOFTWARE'=> 'nginx/$nginx_version', 'REMOTE_ADDR'=> '$remote_addr' } } logrotate::rule { 'nginx': ensure => 'present', path => [$access_log, $error_log], compress => true, delaycompress => true, ifempty => false, missingok => true, rotate_every => 'week', rotate => 40 } } diff --git a/tools/site/puppet/modules/xreate_org/manifests/init.pp b/tools/site/puppet/modules/xreate_org/manifests/init.pp index dfb8535..41ae4bc 100644 --- a/tools/site/puppet/modules/xreate_org/manifests/init.pp +++ b/tools/site/puppet/modules/xreate_org/manifests/init.pp 
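Review bot: Moving `$access_log` and `$error_log` out of `${nginx::params::log_dir}` takes them outside the distribution's own nginx logrotate rule, and the `logrotate::rule { 'nginx' }` later in this hunk that now rotates them has neither `create` nor a `postrotate` that tells nginx to reopen its logs, so after the rename nginx keeps writing to the rotated file until its next reload. Add a reopen hook, e.g. `postrotate => '[ -f <NGINX_PID_FILE> ] && kill -USR1 "$(cat <NGINX_PID_FILE>)"'` with the pid path nginx is actually configured with. I also do not see anything ordering `nginx::resource::server` after the `file { $phabricator::logs_dir }` resource managed in phabricator::config, so on a fresh node nginx can be started before its log directory exists; `require => File[$phabricator::logs_dir]` on the server resource would pin that, assuming both classes are always applied together.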
@@ -1,168 +1,168 @@ class xreate_org( String $url, String $install_dir, String $db_user, String $secrets_dir, String $init_db, String $xreate_docs_path, String $doxy_docs_path, String $phabricator_ctl, String $init_repo, ){ $db_pass = file("${secrets_dir}mysql-pwd-${db_user}")[0, -2] $storage_dir = '/var/local/storage/' $backups_dir = '/var/local/backups/' $admin_user = 'xreate' #Defined in basics/init.pp! $group = 'phabricator' #Defined in basics/init.pp! include basics class {'phabricator::mysql': user => $db_user, password => $db_pass } class { 'phabricator': server_url => $url, secrets_dir => $secrets_dir, init_db =>$init_db, xreate_docs_path => $xreate_docs_path, ctl => $phabricator_ctl, #DB storage_upgrade_user => $db_user, storage_upgrade_password => $db_pass, #REPO init_repo => $init_repo, #USERS: admin_user => $admin_user, daemon_user => 'phabd', vcs_user => 'xreate-repo', www_user => 'www-data', group => $group, #URLS: arcanist_url => 'ssh://git@bitbucket.org/pgess/xreate-arcanist.git', phabricator_url => 'ssh://git@bitbucket.org/pgess/xreate-phabricator.git', libphutil_url => 'ssh://git@bitbucket.org/pgess/xreate-libphutil.git', xreate_docs_url => 'ssh://git@bitbucket.org/pgess/xreate-docs.git', #Path stored in DB: phabrcator_repository.repository.localPath repo_dir => '/var/local/repo/', storage_dir => $storage_dir, dumps_dir => '/var/local/dumps/', install_dir => $install_dir, - logs_dir => '/var/log/', + logs_dir => '/var/log/xreate.org/', pid_dir => '/run/', install_fonts => false, manage_diffusion => true, config_hash => { #EMAIL: "metamta.default-address"=> "bot@xreate.org", "cluster.mailers" => [ { "key" => "xreate-mailer", "type" => "smtp", "options" => { "host"=> "smtp.zoho.com", "port"=> 465, "user" => "bot@xreate.org", "password" => "UeqiFxzkBdF1Ln0uwcTn", "protocol" => "ssl" } }], "phabricator.base-uri" => "http://${url}", "phabricator.tail-title" => "Xreate", "phabricator.show-prototypes" => true, "storage.default-namespace"=> "phabricator", 
'storage.local-disk.path' => $storage_dir, 'mysql.host' => '127.0.0.1', 'mysql.user' => $db_user, 'mysql.pass' => $db_pass, #MODULES: 'load-libraries' => { 'xreate' => "${install_dir}/xreate-docs/src/" }, #DIFFUSION: 'diffusion.allow-http-auth' => true, #UI: 'ui.header-color' => 'dark', 'ui.logo' => { "logoImagePHID"=> null, "wordmarkText" => "Xreate" }, 'ui.footer-items'=> [ { "name"=> "Email: pr.h7@xreate.org" }, { "name"=> "2019 Xreate.org" }, { "name"=> "Powered by Phabricator" } ], 'phabricator.uninstalled-applications'=> { 'PhabricatorConpherenceApplication' => true, 'PhabricatorNuanceApplication' => true, 'PhabricatorPholioApplication' => true, 'PhabricatorAlmanacApplication' => true, 'PhabricatorBadgesApplication' => true, 'PhabricatorCalendarApplication' => true, 'PhabricatorChatLogApplication' => true, 'PhabricatorCountdownApplication' => true, 'PhabricatorDivinerApplication' => true, 'PhabricatorDrydockApplication' => true, 'PhabricatorFactApplication' => true, 'PhabricatorFlagsApplication' => true, 'PhabricatorFundApplication' => true, 'PhabricatorHarbormasterApplication' => true, 'PhabricatorHeraldApplication' => true, 'PhabricatorLegalpadApplication' => true, 'PhabricatorMacroApplication' => true, 'PhabricatorOwnersApplication' => true, 'PhabricatorPackagesApplication' => true, 'PhabricatorPhluxApplication' => true, 'PhabricatorPhortuneApplication' => true, 'PhabricatorPhragmentApplication' => true, 'PhabricatorPhrequentApplication' => true, 'PhabricatorPhurlApplication' => true, 'PhabricatorReleephApplication' => true, 'PhabricatorSlowvoteApplication' => true, 'PhabricatorTokensApplication' => true, 'PhabricatorMultimeterApplication' => true, 'PhabricatorPHPASTApplication' => true, 'PhabricatorUIExamplesApplication' => true, 'PhabricatorXHProfApplication' => true, 'PhabricatorOAuthServerApplication' => true } }, } #remove default NGINX sites $nginx_sites = "${nginx::params::conf_dir}/sites-enabled" file {"${nginx_sites}/default": ensure => absent } 
#Doxygen Documentation file{ $doxy_docs_path: ensure => 'directory', owner=>$phabricator::admin_user, group => $group; } nginx::resource::location{ '^~ /api': location_alias => "${doxy_docs_path}", index_files => ['index.html'], server => $xreate_org::url, } #Port redirects $redirects = hiera_hash('redirects',{}) notice($redirects) create_resources('basics::redir',$redirects) }
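Review bot: The `cluster.mailers` entry in `config_hash` carries the SMTP `"password"` as a literal in the manifest, while `$db_pass` a few lines above is loaded from `$secrets_dir`; the literal ends up in the repository history, the compiled catalog and `local.json`. Read it the same way — `$smtp_pass = file("${secrets_dir}<SMTP_SECRET_FILE>")[0, -2]` with a real filename in place of the placeholder, then `"password" => $smtp_pass` — and rotate the credential that has already been committed. The `logs_dir` change itself is consistent: the new value keeps the trailing slash that config.pp and nginx.pp rely on when they concatenate `${phabricator::logs_dir}ssh.log` and `${phabricator::logs_dir}nginx-access.log` without a separator.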