diff --git a/vms/autoinstall/maipo-160-phabricator.cfg b/vms/autoinstall/maipo-160-phabricator.cfg
index 8cb38d4..10cd686 100644
--- a/vms/autoinstall/maipo-160-phabricator.cfg
+++ b/vms/autoinstall/maipo-160-phabricator.cfg
@@ -1,240 +1,265 @@ lang en_US.UTF-8 keyboard us timezone --utc Europe/Zurich text skipx auth --useshadow --enablemd5 selinux --permissive firewall --enabled firstboot --disabled zerombr clearpart --all --initlabel autopart rootpw --plaintext Welcome2KolabSystems bootloader --location=mbr services --enabled=NetworkManager --disabled=network network --hostname=kolab.example.org reboot repo --name=epel --baseurl=http://download.fedoraproject.org/pub/epel/7/x86_64/ repo --name=updates --baseurl=http://mirror.switch.ch/ftp/mirror/centos/7/updates/x86_64/ repo --name=kolab-winterfell --baseurl=http://obs.kolabsys.com/repositories/Kolab:/Winterfell/CentOS_7/ repo --name=vanmeeuwen-phabricator --baseurl=http://obs.kolabsys.com/repositories/home:/vanmeeuwen:/phabricator/CentOS_7/ %packages epel-release vim-enhanced arcanist git httpd libphutil mariadb-server phabricator php php-pecl-apcu php-mysqlnd yum-plugin-priorities %end %post # Set the default runlevel to 3 # https://bugzilla.redhat.com/show_bug.cgi?id=440058 sed -i -r -e 's/^id:[0-6]:initdefault:$/id:3:initdefault:/g' /etc/inittab # Insert SSH key mkdir -p /root/.ssh/ cat >/root/.ssh/authorized_keys < /etc/yum.repos.d/kolab-16.repo << EOF [kolab-16] name=Kolab:16 (CentOS_7) type=rpm-md baseurl=http://obs.kolabsys.com/repositories/Kolab:/16/CentOS_7/ gpgcheck=1 enabled=1 priority=60 EOF cat > /etc/yum.repos.d/kolab-winterfell.repo << EOF [kolab-winterfell] name=Kolab:Winterfell (CentOS_7) type=rpm-md baseurl=http://obs.kolabsys.com/repositories/Kolab:/Winterfell/CentOS_7/ gpgcheck=1 enabled=1 priority=60 EOF cat > /etc/yum.repos.d/vanmeeuwen-phabricator.repo << EOF [vanmeeuwen-phabricator] name=home:vanmeeuwen:phabricator (CentOS_7) type=rpm-md baseurl=http://obs.kolabsys.com/repositories/home:/vanmeeuwen:/phabricator/CentOS_7/ gpgcheck=1 enabled=1 priority=60 EOF rpm --import https://ssl.kolabsys.com/community.asc useradd -c "Phabricator" phabricator useradd -c "Git" git gpasswd -a git phabricator goasswd -a apache 
phabricator sed \ -e 's/^Port 22/Port 992/g' \ /etc/ssh/sshd_config \ > /etc/ssh/sshd_config.admin cat > /etc/ssh/sshd_config << EOF # NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand # was added in this version. # NOTE: Edit these to the correct values for your setup. AuthorizedKeysCommand /usr/local/bin/phabricator-ssh-hook AuthorizedKeysCommandUser git AllowUsers git # You may need to tweak these options, but mostly they just turn off everything # dangerous. HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key SyslogFacility AUTHPRIV Port 22 Protocol 2 PermitRootLogin no AllowAgentForwarding no AllowTcpForwarding no PrintMotd no PrintLastLog no PasswordAuthentication no AuthorizedKeysFile none PidFile /var/run/sshd.pid EOF cat > /etc/systemd/system/ssh-admin.service << EOF [Unit] Description=OpenSSH server daemon After=syslog.target network.target auditd.service [Service] EnvironmentFile=/etc/sysconfig/sshd ExecStartPre=/usr/sbin/sshd-keygen ExecStart=/usr/sbin/sshd -D \$OPTIONS -f /etc/ssh/sshd_config.admin ExecReload=/bin/kill -HUP \$MAINPID KillMode=process Restart=on-failure RestartSec=42s [Install] WantedBy=multi-user.target EOF systemctl enable ssh-admin cat > /etc/sudoers.d/apache << EOF apache ALL=(phabricator) SETENV: NOPASSWD: /usr/libexec/git-core/git-http-backend EOF cat > /etc/sudoers.d/git << EOF git ALL=(phabricator) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack EOF sed -i -e '/requiretty/d' /etc/sudoers cat > /usr/local/bin/phabricator-ssh-hook << EOF #!/bin/sh # NOTE: Replace this with the username that you expect users to connect with. VCSUSER="git" # NOTE: Replace this with the path to your Phabricator directory. 
ROOT="/usr/share/phabricator" if [ "\$1" != "\$VCSUSER" ]; then exit 1 fi exec "\$ROOT/bin/ssh-auth" \$@ EOF cat > /etc/httpd/conf.d/phabricator.conf << EOF ServerName phabricator ServerAdmin root@localhost DocumentRoot /usr/share/phabricator/webroot/ RewriteEngine on RewriteRule ^/ws/(.*) - [L,QSA] RewriteRule ^/rsrc/(.*) - [L,QSA] RewriteRule ^/favicon.ico - [L,QSA] RewriteRule ^(.*)$ /index.php?__path__=$1 [B,L,QSA] Require all granted ProxyRequests Off ProxyPass /ws/ ws://localhost:22280/ EOF systemctl start mariadb systemctl enable mariadb systemctl disable firewalld systemctl enable httpd > /etc/httpd/conf.d/welcome.conf pushd /usr/share/phabricator mkdir -p \ /var/log/phabricator \ + /var/run/phabricator \ /var/lib/phabricator/files \ /var/lib/phabricator/repos chown -R phabricator:phabricator \ /var/log/phabricator \ + /var/run/phabricator \ /var/lib/phabricator cat > conf/local/local.json << EOF { "phd.garbage-collection": { "drydock.logs": 604800 }, + "phd.log-directory": "/var/log/phabricator/", + "phd.pid-directory": "/var/run/phabricator/", "log.ssh.path": "/var/log/phabricator/ssh.log", "log.access.path": "/var/log/phabricator/access.log", "phabricator.base-uri": "/", "phabricator.show-prototypes": true, "diffusion.ssh-user": "git", "phd.user": "phabricator", "environment.append-paths": [ "/usr/libexec/git-core/" ], "storage.local-disk.path": "/var/lib/phabricator/files", "repository.default-local-path": "/var/lib/phabricator/repos", "mysql.pass": "", "mysql.user": "root", "mysql.host": "localhost" } EOF bin/storage upgrade --force +cat > /etc/systemd/system/phd.service << EOF +[Unit] +Description=phabricator-phd +After=syslog.target network.target +User=phabricator +Group=phabricator + +[Service] +Type=oneshot +Enviroment="PATH=/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin" +ExecStart=/usr/share/phabricator/bin/phd start +ExecStop=/usr/share/phabricator/bin/phd stop +RemainAfterExit=yes +PIDFile=/var/run/phabricator/phd.pid + 
+[Install] +WantedBy=multi-user.target +EOF + +systemctl enable phd + %end
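Review bot: The `User=phabricator` and `Group=phabricator` lines of the new phd.service sit under `[Unit]`, where systemd ignores them (logging an unknown-lvalue warning), so `phd start` is launched as root instead of as the `phd.user` that local.json configures; both directives belong in `[Service]`. In the same unit `Enviroment=` is misspelled and is likewise dropped, and `PIDFile=` is only honoured for `Type=forking`, so with `Type=oneshot` the pid file it names is never checked — either keep oneshot with `RemainAfterExit=yes` as a start/stop wrapper and remove the PIDFile line, or switch to forking only once the file phd actually writes under `phd.pid-directory` is confirmed. The `mkdir -p /var/run/phabricator` and matching `chown` run once in %post, but on CentOS 7 `/var/run` resolves to the `/run` tmpfs, so that directory is presumably gone after the first boot and `phd.pid-directory` points at a path that no longer exists; `RuntimeDirectory=phabricator` in the unit recreates `/run/phabricator` owned by the service user on every start and makes the %post lines for it unnecessary (`/var/log/phabricator` lives on the root filesystem and is unaffected). The rewritten `[Unit]`/`[Service]` sections follow; the `[Install]` section and the `systemctl enable phd` line are unchanged.
```shell
cat > /etc/systemd/system/phd.service << EOF
[Unit]
Description=phabricator-phd
After=syslog.target network.target

[Service]
Type=oneshot
RemainAfterExit=yes
User=phabricator
Group=phabricator
RuntimeDirectory=phabricator
Environment="PATH=/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin"
ExecStart=/usr/share/phabricator/bin/phd start
ExecStop=/usr/share/phabricator/bin/phd stop
# … unchanged: [Install] section, EOF, systemctl enable phd …
```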