Puppet Class: phabricator::config
- Defined in:
- manifests/config.pp
Summary
Configures Arcanist, libphutil and Phabricator.
Overview
Configures Phabricator.
# File 'manifests/config.pp', line 6
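# Configures Phabricator: the service accounts, the directory layout, the
# generated local.json, the optional storage upgrade, and the sudo/sshd glue
# that Diffusion (VCS hosting) needs.
#
# This class is private and is reached through the main `phabricator` class;
# every `$phabricator::*` value read here is a parameter of that class.
class phabricator::config {
  assert_private()

  # TODO: This is dirty, but otherwise `$php::fpm` may not be defined.
  include php

  # Only restart php-fpm on configuration changes when it is actually in use.
  if $php::fpm {
    $notify = Class['php::fpm::service']
  } else {
    $notify = []
  }

  group { $phabricator::group:
    ensure => 'present',
    system => true,
  }

  user {
    default:
      ensure     => 'present',
      gid        => $phabricator::group,
      managehome => false,
      system     => true;
    # The daemon account never logs in interactively: no shell, and its home
    # is the empty directory shipped with Phabricator.
    $phabricator::daemon_user:
      comment => 'Phabricator Daemons',
      home    => "${phabricator::install_dir}/phabricator/support/empty",
      shell   => '/usr/sbin/nologin';
    # The VCS account does get a shell, because SSH repository sessions run
    # under it; the sudo rules below let it hand repository work over to the
    # daemon account.
    $phabricator::vcs_user:
      comment => 'Phabricator VCS',
      home    => $phabricator::repo_dir,
      shell   => '/bin/sh';
  }

  file {
    default:
      owner => 'root',
      group => $phabricator::group;
    $phabricator::logs_dir:
      ensure => 'directory',
      mode   => '0775';
    $phabricator::repo_dir:
      ensure => 'directory',
      owner  => $phabricator::daemon_user,
      mode   => '0750';
    # Phabricator reads its local overrides from conf/local/local.json.  The
    # rendered hash (`$phabricator::config`) is likely to carry secrets such
    # as database credentials, hence the restrictive mode and
    # `show_diff => false`, which keeps the content out of agent logs and
    # reports when the file changes.
    'phabricator/conf/local.json':
      ensure    => 'file',
      path      => "${phabricator::install_dir}/phabricator/conf/local/local.json",
      mode      => '0640',
      show_diff => false,
      notify    => $notify,
      require   => Vcsrepo['phabricator'],
      # TODO: Use an EPP template instead of an ERB template.
      content   => inline_template("<%= scope['phabricator::config'].to_json %>");
  }

  if $phabricator::storage_upgrade {
    # Quoted as a unit so the credentials cannot break out of the command.
    $storage_upgrade_flags = shellquote(
      [
        '--force',
        "--user=${phabricator::storage_upgrade_user}",
        "--password=${phabricator::storage_upgrade_password}",
      ]
    )

    # `Sensitive` keeps the command (and with it the password) out of Puppet's
    # logs and reports.  It does not hide it on the node itself: while the
    # upgrade runs, the password is part of the process argument list, which
    # other local users can read via /proc unless it is mounted with hidepid.
    # `timeout => 0` disables Puppet's execution timeout for this command.
    # TODO: We should possibly use `onlyif` or `unless` instead of `refreshonly`.
    exec { 'bin/storage upgrade':
      command     => Sensitive.new("${phabricator::install_dir}/phabricator/bin/storage upgrade ${storage_upgrade_flags}"),
      refreshonly => true,
      timeout     => 0,
      require     => [
        Class['php::cli'],
        File['phabricator/conf/local.json'],
        Php::Extension['mysql'],
        Vcsrepo['arcanist'],
        Vcsrepo['libphutil'],
      ],
      subscribe   => Vcsrepo['phabricator'],
    }
  }

  # TODO: We should be able to tighten these permissions as follows:
  #
  # - `/usr/bin/git`, `/usr/bin/git-receive-pack`, `/usr/bin/git-upload-pack`
  #   and `/usr/lib/git-core/git-http-backend` should only be required if the
  #   node is //hosting// Diffusion repositories.
  # - `/usr/bin/ssh` should only be required if the node is //serving// (either
  #   directly or by proxy) Diffusion repositories.
  #
  if $phabricator::manage_diffusion {
    # Both sudo rules below grant password-less execution of a fixed list of
    # binaries as the daemon user/group.  Note `SETENV`: the caller's
    # environment is passed through to the privileged command.
    # lint:ignore:strict_indent
    sudo::conf { "${phabricator::vcs_user}:${phabricator::daemon_user}":
      ensure  => 'present',
      content => sprintf(
        '%s ALL=(%s) SETENV: NOPASSWD: %s',
        $phabricator::vcs_user,
        "${phabricator::daemon_user}:${phabricator::group}",
        join([
          '/usr/bin/git',
          '/usr/bin/git-receive-pack',
          '/usr/bin/git-upload-pack',
          '/usr/bin/ssh',
        ], ', '),
      ),
    }
    # lint:endignore

    # The php-fpm worker user gets the same kind of rule for HTTP-served
    # repositories.
    if $php::fpm {
      include php::params

      # lint:ignore:strict_indent
      sudo::conf { "${php::params::fpm_user}:${phabricator::daemon_user}":
        ensure  => 'present',
        content => sprintf(
          '%s ALL=(%s) SETENV: NOPASSWD: %s',
          $php::params::fpm_user,
          "${phabricator::daemon_user}:${phabricator::group}",
          join([
            '/usr/bin/git',
            '/usr/bin/ssh',
            '/usr/lib/git-core/git-http-backend',
          ], ', '),
        ),
      }
      # lint:endignore
    }

    # sshd looks up the VCS user's authorized keys through Phabricator's
    # ssh-auth script instead of a static authorized_keys file.  The leading
    # empty element and the "\n " separator indent the two options under the
    # Match line.
    # lint:ignore:strict_indent
    ssh::server::config::setting { $phabricator::vcs_user:
      key   => "Match User ${phabricator::vcs_user}",
      # TODO: This seems quite hacky.
      value => join([
        '',
        "AuthorizedKeysCommand ${phabricator::install_dir}/phabricator/bin/ssh-auth",
        "AuthorizedKeysCommandUser ${phabricator::vcs_user}",
      ], "\n "),
    }
    # lint:endignore
  }

  # TODO: Add `logrotate` rules for Phabricator's access and SSH logs.
}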