diff --git a/tools/site/puppet/modules/phabricator/manifests/config.pp b/tools/site/puppet/modules/phabricator/manifests/config.pp
index f1f50f8..241fa87 100644
--- a/tools/site/puppet/modules/phabricator/manifests/config.pp
+++ b/tools/site/puppet/modules/phabricator/manifests/config.pp
@@ -1,190 +1,190 @@ # Configures Phabricator. # # @summary Configures Arcanist, libphutil and Phabricator. # @private # class phabricator::config { assert_private() $notify = Class['php::fpm::service'] # NOTE: Group 'phabricator' managed in basics/init.pp user { default: ensure => 'present', managehome => false, system => true; $phabricator::daemon_user: gid => $phabricator::group, comment => 'Phabricator Daemons', home => "${phabricator::install_dir}/phabricator/support/empty", shell => '/usr/sbin/nologin'; $phabricator::vcs_user: gid => $phabricator::group, comment => 'Phabricator VCS', home => $phabricator::repo_dir, shell => '/bin/sh'; } file { default: group => $phabricator::group; $phabricator::logs_dir: owner => $phabricator::www_user, ensure => 'directory', mode => '0775'; $phabricator::repo_dir: ensure => 'directory', - owner => $phabricator::www_user, + owner => $phabricator::daemon_user, mode => '0750'; $phabricator::install_dir: ensure => 'directory', owner => $phabricator::admin_user; $phabricator::storage_dir: ensure => 'directory', owner => $phabricator::www_user; $phabricator::dumps_dir: ensure => 'directory', owner => $phabricator::admin_user; "/home/${phabricator::admin_user}/.ssh/bitbucket_id_rsa": owner => 'xreate', mode => 'u=rw,g=,o=', source => "${phabricator::secrets_dir}bitbucket_id_rsa", ensure => file; 'phabricator/conf/local.json': ensure => 'file', path => "${phabricator::install_dir}/phabricator/conf/local/local.json", content => inline_template("<%= scope['phabricator::config'].to_json %>"), mode => '0640', notify => $notify, owner => 'root', group => $phabricator::group, require => Vcsrepo['phabricator']; #Xreate Docs "${phabricator::install_dir}phabricator/webroot/rsrc/css/xreate-docs": ensure => link, target => "${phabricator::install_dir}/xreate-docs/css", owner => $phabricator::daemon_user, group => $phabricator::group, require => Vcsrepo['phabricator']; ["${phabricator::install_dir}xreate-docs/conf", 
$phabricator::xreate_docs_path]: ensure => 'directory', owner=>$phabricator::admin_user, require=>Vcsrepo['xreate-docs']; "${phabricator::install_dir}xreate-docs/conf/local.json": ensure => 'file', content => inline_template("<%= scope['phabricator::xreate_docs_config'].to_json %>"), require => [Vcsrepo['xreate-docs']]; } #Configure Bitbucket: sshkey { 'bitbucket.org': type => 'ssh-rsa', key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==' } class { 'ssh::client': options => { "Host *" => { 'HashKnownHosts' => false, } } } ::ssh::client::config::user { $phabricator::admin_user: ensure => present, options => { 'Host bitbucket.org' => { 'Hostname' => 'bitbucket.org', 'User' => 'git', 'IdentityFile' => '~/.ssh/bitbucket_id_rsa' } } } logrotate::rule { 'phabricator': ensure => 'present', path => [$phabricator::log_access_path, "${phabricator::logs_dir}ssh.log"], compress => true, delaycompress => true, ifempty => false, missingok => true, rotate_every => 'week', rotate => 40 } # TODO: We should be able to tighten these permissions as follows: # # - `/usr/bin/git`, `/usr/bin/git-receive-pack`, `/usr/bin/git-upload-pack` # and `/usr/lib/git-core/git-http-backend` should only be required if the # node is //hosting// Diffusion repositories. # - `/usr/bin/ssh` should only be required if the node is //serving// (either # directly or by proxy) Diffusion repositories. 
# if $phabricator::manage_diffusion { # lint:ignore:strict_indent sudo::conf { "${phabricator::vcs_user}:${phabricator::daemon_user}": ensure => 'present', content => sprintf( '%s ALL=(%s) SETENV: NOPASSWD: %s', $phabricator::vcs_user, "${phabricator::daemon_user}:${phabricator::group}", join([ '/usr/bin/git', '/usr/bin/git-receive-pack', '/usr/bin/git-upload-pack', '/usr/bin/ssh', ], ', '), ), } # lint:endignore #PHP include php::params # lint:ignore:strict_indent sudo::conf { "${php::params::fpm_user}:${phabricator::daemon_user}": ensure => 'present', content => sprintf( '%s ALL=(%s) SETENV: NOPASSWD: %s', $php::params::fpm_user, "${phabricator::daemon_user}:${phabricator::group}", join([ '/usr/bin/git', '/usr/bin/ssh', '/usr/lib/git-core/git-http-backend', ], ', '), ), } # lint:endignore # lint:ignore:strict_indent ssh::server::config::setting { $phabricator::vcs_user: key => "Match User ${phabricator::vcs_user}", # TODO: This seems quite hacky. value => join([ '', "AuthorizedKeysCommand ${phabricator::install_dir}/phabricator/bin/ssh-auth", "AuthorizedKeysCommandUser ${phabricator::vcs_user}", ], "\n "), } # lint:endignore } } diff --git a/tools/site/puppet/modules/phabricator/manifests/install.pp b/tools/site/puppet/modules/phabricator/manifests/install.pp index eedaff3..207372c 100644 --- a/tools/site/puppet/modules/phabricator/manifests/install.pp +++ b/tools/site/puppet/modules/phabricator/manifests/install.pp 
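Review bot: The `"${phabricator::install_dir}xreate-docs/conf/local.json"` resource is declared with no `mode` or `owner`, so the file lands with Puppet's default for a new file (typically 0644, root-owned), whereas the phabricator `local.json` earlier in the same `file` block is explicitly `mode => '0640', owner => 'root'`; if `phabricator::xreate_docs_config` carries any credentials they become readable by every local account. Give it the same settings: `mode => '0640', owner => 'root', group => $phabricator::group,`. Separately, the `bitbucket_id_rsa` resource hard-codes `owner => 'xreate'` although its path is built from `$phabricator::admin_user` and the matching `ssh::client::config::user` is keyed on that same variable; `owner => $phabricator::admin_user` keeps the private key readable by, and only by, the account that actually uses it. The pinned `sshkey { 'bitbucket.org' ... }` RSA key should also be checked against Bitbucket's currently published fingerprints, since a stale pin would most likely make every non-interactive vcsrepo fetch fail host-key verification.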
@@ -1,178 +1,179 @@ # Installs Phabricator. # # @summary Installs Arcanist, libphutil and Phabricator. # @private # class phabricator::install { assert_private() # The `php::packages` class requires `Class['apt::update']` unconditionally, # but the `apt::update` class may not have been defined. See # https://github.com/voxpupuli/puppet-php/pull/323. include apt include git $notify = Class['php::fpm::service'] # Ensure that the CLI is installed before any extensions are installed. Class['php::cli'] -> Php::Extension <| |> vcsrepo { default: ensure => 'latest', provider => 'git', user => $phabricator::admin_user, group => $phabricator::group, require => Ssh::Client::Config::User[$phabricator::admin_user], notify => $notify; 'arcanist': path => "${phabricator::install_dir}/arcanist", source => $phabricator::arcanist_url; 'libphutil': path => "${phabricator::install_dir}/libphutil", source => $phabricator::libphutil_url; 'phabricator': path => "${phabricator::install_dir}/phabricator", source => $phabricator::phabricator_url; 'xreate-docs': path => "${phabricator::install_dir}/xreate-docs", source => $phabricator::xreate_docs_url } class refresh { exec { default: refreshonly => true, user => $phabricator::admin_user, group => $phabricator::group, cwd => "${phabricator::install_dir}", path =>['/bin', '/usr/bin'], logoutput => true, subscribe => [ Vcsrepo['xreate-docs'], File['phabricator/conf/local.json'] ]; 'arc liberate': command => "${phabricator::install_dir}arcanist/bin/arc liberate --upgrade", cwd => "${phabricator::install_dir}xreate-docs"; "${phabricator::install_dir}libphutil/scripts/phutil_rebuild_map.php libphutil/src/":; 'celerity map': command => "${phabricator::install_dir}phabricator/bin/celerity map"; } } class storage { $storage_upgrade_flags = shellquote( [ '--force', "--user=${phabricator::storage_upgrade_user}", "--password=${phabricator::storage_upgrade_password}", ] ) if !empty($phabricator::init_db) { notice ("Restore DB from dump!") exec {'db 
update': command => "${phabricator::ctl} dump-restore ${phabricator::init_db}", timeout => 1800, onlyif => [ "test -e ${phabricator::ctl}", "test -e ${phabricator::init_db}", ], unless => '/usr/bin/mysql -uroot -e "show databases;" | grep phabricator', path => ['/bin', '/usr/bin'], subscribe => Class['phabricator::mysql'], notify => [Class['php::fpm::service'], Service['phd']] } } else { exec { 'db update': command => Sensitive.new("${phabricator::install_dir}phabricator/bin/storage upgrade ${storage_upgrade_flags}"), unless => '/usr/bin/mysql -uroot -e "show databases;" | grep phabricator', timeout => 0, user => $phabricator::admin_user, group => $phabricator::group, path =>['/bin', '/usr/bin'], logoutput => true, require => [ Class['php::cli'], File['phabricator/conf/local.json'], Vcsrepo['arcanist'], Vcsrepo['libphutil'] ], subscribe => [ Vcsrepo['phabricator'], Class['phabricator::mysql'], File['phabricator/conf/local.json'], ], notify => [Class['php::fpm::service'], Service['phd']] } } } class{'phabricator::install::refresh': } class{'phabricator::install::storage': require=>Class['phabricator::install::refresh']} #Repo archive {"${phabricator::init_repo}": extract => true, extract_path => $phabricator::repo_dir, creates => "${phabricator::repo_dir}/1", cleanup => false, + user => $phabricator::daemon_user } $repositories = ['rXR'] $repositories.each | $rep | { exec{"${phabricator::install_dir}phabricator/bin/repository update ${rep}": refreshonly => true, subscribe => Archive["${phabricator::init_repo}"], path => '/usr/bin/', logoutput => true } } # These packages are required in order to compile XHPAST. 
ensure_packages(['g++', 'make']) exec { 'build_xhpast.php': command => "${phabricator::install_dir}/libphutil/scripts/build_xhpast.php", refreshonly => true, require => [ Class['php::cli'], Package['g++'], Package['make'], ], subscribe => Vcsrepo['libphutil'], } if $phabricator::install_fonts { debconf { 'msttcorefonts/accepted-mscorefonts-eula': ensure => 'present', package => 'ttf-mscorefonts-installer', type => 'select', value => bool2str(true), before => Package['ttf-mscorefonts-installer'], } package { 'ttf-mscorefonts-installer': ensure => 'latest', } $font_file_ensure = 'link' } else { $font_file_ensure = 'absent' } file { "${phabricator::install_dir}/phabricator/resources/font/impact.ttf": ensure => $font_file_ensure, target => '/usr/share/fonts/truetype/msttcorefonts/Impact.ttf', require => Vcsrepo['phabricator'], } }
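Review bot: The `repository update ${rep}` exec that fires right after the archive is unpacked still declares no `user`/`group`, so it runs as root even though the commit now extracts the repository as `$phabricator::daemon_user`; anything that command writes under `$phabricator::repo_dir` (presumably refs or lock files — `bin/repository` is not shown here) would come back root-owned and recreate the ownership mismatch this change is fixing. Add `user => $phabricator::daemon_user, group => $phabricator::group,` to that exec, matching the `storage upgrade` exec which already runs as a named user. The `archive { "${phabricator::init_repo}": ... }` resource also sets no `checksum`/`checksum_type`; if `init_repo` is fetched over the network rather than read from a local path, the tarball is unpacked into the repository root with no integrity check, and a pinned checksum is cheap to add. Likewise `vcsrepo { default: ensure => 'latest' ... }` tracks the tip of the arcanist/libphutil/phabricator remotes with no `revision`, so any upstream push is deployed on the next Puppet run; pinning a revision or tag makes the install reproducible and keeps an upstream compromise from landing automatically.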