first pass at phabricator role, updating qadevel-stg for phab

roles/phabricator/templates/ENVIRONMENT.j2

@@ -0,0 +1 @@
+{{ phabricator_config_filename }}

roles/phabricator/templates/chatbot-config.json.j2

@@ -0,0 +1,27 @@
+{
+  "server" : "irc.freenode.net",
+  "port" : 6667,
+  "nick" : "{{ircnick}}",
+  "nickpass" : "{{ircnickpass}}",
+  "join" : [
+    "#fedora-qa-devel"
+  ],
+  "handlers" : [
+    "PhabricatorBotObjectNameHandler",
+    "PhabricatorBotSymbolHandler",
+    "PhabricatorBotLogHandler",
+    "PhabricatorBotWhatsNewHandler",
+    "PhabricatorBotDifferentialNotificationHandler",
+    "PhabricatorBotMacroHandler"
+  ],
+
+  "conduit.uri" : "https://phab.{{hostname}}/",
+  "conduit.user" : "{{ircnick}}",
+  "conduit.cert" : "{{irc_conduit_cert}}",
+
+  "macro.size" : 48,
+  "macro.aspect" : 0.66,
+
+  "notification.channels" : ["#fedora-qa-devel"]
+}
+

roles/phabricator/templates/local.json.j2

@@ -0,0 +1,5 @@
+{
+  "load-libraries"       : [],
+  "phabricator.base-uri" : "https:\/\/phab.{{ hostname }}\/"
+}
+

roles/phabricator/templates/phabricator-ssh-hook.sh.j2

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# NOTE: Replace this with the username that you expect users to connect with.
+VCSUSER="{{ phabricator_vcs_user }}"
+
+# NOTE: Replace this with the path to your Phabricator directory.
+ROOT="{{ phabroot }}/phabricator"
+
+if [ "$1" != "$VCSUSER" ];
+then
+exit 1
+fi
+
+exec "$ROOT/bin/ssh-auth" $@

roles/phabricator/templates/phabricator-sshd.conf.j2

@@ -0,0 +1,22 @@
+# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
+# was added in this version.
+
+# NOTE: Edit these to the correct values for your setup.
+
+AuthorizedKeysCommand /etc/phabricator-ssh-hook.sh
+AuthorizedKeysCommandUser {{ phabricator_vcs_user }}
+
+# You may need to tweak these options, but mostly they just turn off everything
+# dangerous.
+
+Port 22
+Protocol 2
+PermitRootLogin no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+PrintLastLog no
+PasswordAuthentication no
+AuthorizedKeysFile none
+
+PidFile /var/run/sshd-phabricator.pid

roles/phabricator/templates/phabricator-sshd.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenSSH server daemon for Phabricator
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/sbin/sshd-keygen
+ExecStart=/usr/sbin/sshd -f /etc/ssh/phabricator-sshd.conf -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

roles/phabricator/templates/phabricator-sshd.socket.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

roles/phabricator/templates/phabricator.conf.j2

@@ -0,0 +1,93 @@
+NameVirtualHost *:443
+
+<VirtualHost *:443>
+  # Change this to the domain which points to your host.
+  ServerName phab.{{hostname}}
+
+  # Use separate log files for the SSL virtual host; note that LogLevel
+  # is not inherited from httpd.conf.
+  ErrorLog logs/phab_error_log
+  TransferLog logs/phab_access_log
+  LogLevel warn
+
+  #   SSL Engine Switch:
+  #   Enable/Disable SSL for this virtual host.
+  SSLEngine on
+
+  #   SSL Protocol support:
+  # List the enable protocol levels with which clients will be able to
+  # connect.  Disable SSLv2 access by default:
+  SSLProtocol all -SSLv2
+
+  #   SSL Cipher Suite:
+  # List the ciphers that the client is permitted to negotiate.
+  # See the mod_ssl documentation for a complete list.
+  #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+  #   Server Certificate:
+  # Point SSLCertificateFile at a PEM encoded certificate.  If
+  # the certificate is encrypted, then you will be prompted for a
+  # pass phrase.  Note that a kill -HUP will prompt again.  A new
+  # certificate can be generated using the genkey(1) command.
+  SSLCertificateFile /etc/pki/tls/certs/{{ sslcertfile }}
+
+  #   Server Private Key:
+  #   If the key is not combined with the certificate, use this
+  #   directive to point at the key file.  Keep in mind that if
+  #   you've both a RSA and a DSA private key you can configure
+  #   both in parallel (to also allow the use of DSA ciphers, etc.)
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ sslkeyfile }}
+
+  #   Server Certificate Chain:
+  #   Point SSLCertificateChainFile at a file containing the
+  #   concatenation of PEM encoded CA certificates which form the
+  #   certificate chain for the server certificate. Alternatively
+  #   the referenced file can be the same as SSLCertificateFile
+  #   when the CA certificates are directly appended to the server
+  #   certificate for convinience.
+  #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+  {% if sslintermediatecertfile is defined %}
+  SSLCertificateChainFile /etc/pki/tls/certs/{{ sslintermediatecertfile }}
+  {% endif %}
+
+  #   Certificate Authority (CA):
+  #   Set the CA certificate verification path where to find CA
+  #   certificates for client authentication or alternatively one
+  #   huge file containing all of them (file must be PEM encoded)
+  #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+  # Change this to the path where you put 'phabricator' when you checked it
+  # out from GitHub when following the Installation Guide.
+  #
+  # Make sure you include "/webroot" at the end!
+  DocumentRoot {{phabroot}}/phabricator/webroot
+
+  RewriteEngine on
+  RewriteRule ^/rsrc/(.*)     -                       [L,QSA]
+  RewriteRule ^/favicon.ico   -                       [L,QSA]
+  RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA]
+</VirtualHost>
+
+
+<VirtualHost *:80>
+  # Change this to the domain which points to your host.
+  ServerName phab.{{hostname}}
+
+  RewriteEngine on
+  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+
+<Directory "{{ phabroot }}/phabricator/webroot">
+  AllowOverride None
+  #Require all granted
+  <IfModule mod_authz_core.c>
+      # Apache 2.4
+      Require all granted
+  </IfModule>
+  <IfModule !mod_auth_core.c>
+      Order allow,deny
+      Allow from all
+  </IfModule>
+</Directory>

roles/phabricator/templates/phd.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Phabricator Daemons
+After=httpd.service
+
+[Service]
+Type=forking
+ExecStart={{ phabroot }}/phabricator/bin/phd start
+ExecStop={{ phabroot }}/phabricator/bin/phd stop
+ExecRestart={{ phabroot}}/phabricator/bin/phd restart
+User={{ phabricator_daemon_user }}
+Group={{ phabricator_daemon_user }}

roles/phabricator/templates/qadevelconfig.conf.php.j2

@@ -0,0 +1,29 @@
+<?php
+
+//'welcome.html' => '<h1>Fedora QA Devel Phabricator</h1><p>The Fedora QA Devel team uses this phabricator instance for tracking issues, code reviews and some documentation. <ul><li>lists</li><li><a href="http://roshi.fedorapeople.org/dexy/">Links to docs</a></li><li>...</li></ul></p>',
+return array(
+  'mysql.host' => '{{ mariadb_host }}',
+  'mysql.user' => '{{ mariadb_user }}',
+  'mysql.pass' => '{{ mariadb_password }}',
+  'log.access.path' => '/var/log/phabricator/access.log',
+  'log.ssh.path' => '/var/log/phabricator/ssh.log',
+  'phd.pid-directory' => '/var/run/phabricator/',
+  'phd.log-directory' => '/var/log/phabricator/',
+  'phd.user' => '{{ phabricator_daemon_user }}',
+  'environment.append-paths' => ['/usr/libexec/git-core/'],
+  'diffusion.ssh-user' => '{{ phabricator_vcs_user }}',
+  'welcome.html' => '{{ lookup("file", files + "/phabricator-welcome.html") }}',
+  'ui.header-color' => '{{ phabricator_header_color }}',
+  'metamta.default-address' => 'phab@{{ external_hostname }}',
+  'metamta.domain' => '{{ external_hostname }}',
+  'metamta.reply-handler-domain' => '{{ external_hostname }}',
+  'metamta.mail-adapter' => '{{ 'PhabricatorMailImplementationPHPMailerLiteAdapter' if phabricator_mail_enabled else 'PhabricatorMailImplementationTestAdapter'}}',
+  'phabricator.uninstalled-applications' => array(
+        'PhabricatorApplicationPhame' => true,
+        'PhabricatorApplicationDiviner' => true,
+        'PhabricatorApplicationLegalpad' => true,
+        'PhabricatorApplicationDrydock' => true,
+        'PhabricatorApplicationHarbormaster' => true,
+        'PhabricatorApplicationOAuthServer' => true,
+        'PhabricatorApplicationPhortune' => true)
+);