first pass at phabricator role, updating qadevel-stg for phab

inventory/group_vars/qadevel-stg

@@ -20,6 +20,23 @@ virt_install_command: /usr/bin/virt-install -n {{ inventory_hostname }} -r {{ me
                  --network=bridge=br0,model=virtio --autostart --noautoconsole
 
 sshd_config: ssh/sshd_config.qadevel
+external_hostname: qadevel-stg.qa.fedoraproject.org
+
+mariadb_host: db-qa01.qa.fedoraproject.org
+mariadb_user: {{ qadevel_stg_mariadb_user }}
+mariadb_password: {{ qadevel_stg_mariadb_password }}
+phabricator_db_name: phabricator-stg
+phabricator_vcs_user: git
+phabricator_daemon_user: phabdaemon
+phabroot: /usr/share/
+phabricator_filedir: /var/lib/phabricator/files
+phabricator_repodir: /var/lib/phabricator/repos
+phabricator_header_color: 'fluttershy'
+phabricator_mail_enabled: False
+ircnick: fedoraqabot
+backup_dir: /srv/backup
+backup_username: root
+backup_ssh_pubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAJr3xqn/hHIXeth+NuXPu9P91FG9jozF3Q1JaGmg6szo770rrmhiSsxso/Ibm2mObqQLCyfm/qSOQRynv6tL3tQVHA6EEx0PNacnBcOV7UowR5kd4AYv82K1vQhof3YTxOMmNIOrdy6deDqIf4sLz1TDHvEDwjrxtFf8ugyZWNbTAAAAFQCS5puRZF4gpNbaWxe6gLzm3rBeewAAAIBcEd6pRatE2Qc/dW0YwwudTEaOCUnHmtYs2PHKbOPds0+Woe1aWH38NiE+CmklcUpyRsGEf3O0l5vm3VrVlnfuHpgt/a/pbzxm0U6DGm2AebtqEmaCX3CIuYzKhG5wmXqJ/z+Hc5MDj2mn2TchHqsk1O8VZM+1Ml6zX3Hl4vvBsQAAAIALDt5NFv6GLuid8eik/nn8NORd9FJPDBJxgVqHNIm08RMC6aI++fqwkBhVPFKBra5utrMKQmnKs/sOWycLYTqqcSMPdWSkdWYjBCSJ/QNpyN4laCmPWLgb3I+2zORgR0EjeV2e/46geS0MWLmeEsFwztpSj4Tv4e18L8Dsp2uB2Q==  root@backup03-rdiff-backup
 
 buildmaster_db_host: localhost
 buildmaster_template: ci.master.cfg.j2
@@ -31,7 +48,6 @@ buildslave_dir: /home/buildslave/slave
 buildslave_poll_interval: 1800
 master_dir: /home/buildmaster/master
 master_user: buildmaster
-external_hostname: qadevel-stg.qa.fedoraproject.org
 deployment_type: qadevel-stg
 tcp_ports: [ 80, 443, "{{ buildslave_port }}", 222 ]
 

roles/phabricator/files/apc.ini

@@ -0,0 +1,70 @@
+; Enable apc extension module
+extension = apc.so
+
+; Options for the APC module version >= 3.1.3
+; See http://www.php.net/manual/en/apc.configuration.php
+
+; This can be set to 0 to disable APC. 
+apc.enabled=1
+; The number of shared memory segments to allocate for the compiler cache. 
+apc.shm_segments=1
+; The size of each shared memory segment, with M/G suffix
+apc.shm_size=64M
+; A "hint" about the number of distinct source files that will be included or 
+; requested on your web server. Set to zero or omit if you are not sure;
+apc.num_files_hint=1024
+; Just like num_files_hint, a "hint" about the number of distinct user cache
+; variables to store.  Set to zero or omit if you are not sure;
+apc.user_entries_hint=4096
+; The number of seconds a cache entry is allowed to idle in a slot in case this
+; cache entry slot is needed by another entry.
+apc.ttl=7200
+; use the SAPI request start time for TTL
+apc.use_request_time=1
+; The number of seconds a user cache entry is allowed to idle in a slot in case
+; this cache entry slot is needed by another entry.
+apc.user_ttl=7200
+; The number of seconds that a cache entry may remain on the garbage-collection list. 
+apc.gc_ttl=3600
+; On by default, but can be set to off and used in conjunction with positive
+; apc.filters so that files are only cached if matched by a positive filter.
+apc.cache_by_default=1
+; A comma-separated list of POSIX extended regular expressions.
+apc.filters
+; The mktemp-style file_mask to pass to the mmap module 
+apc.mmap_file_mask=/tmp/apc.XXXXXX
+; This file_update_protection setting puts a delay on caching brand new files.
+apc.file_update_protection=2
+; Setting this enables APC for the CLI version of PHP (Mostly for testing and debugging).
+apc.enable_cli=0
+; Prevents large files from being cached
+apc.max_file_size=1M
+; Whether to stat the main script file and the fullpath includes.
+apc.stat=0
+; Vertification with ctime will avoid problems caused by programs such as svn or rsync by making 
+; sure inodes have not changed since the last stat. APC will normally only check mtime.
+apc.stat_ctime=0
+; Whether to canonicalize paths in stat=0 mode or fall back to stat behaviour
+apc.canonicalize=0
+; With write_lock enabled, only one process at a time will try to compile an 
+; uncached script while the other processes will run uncached
+apc.write_lock=1
+; Logs any scripts that were automatically excluded from being cached due to early/late binding issues.
+apc.report_autofilter=0
+; RFC1867 File Upload Progress hook handler
+apc.rfc1867=0
+apc.rfc1867_prefix =upload_
+apc.rfc1867_name=APC_UPLOAD_PROGRESS
+apc.rfc1867_freq=0
+apc.rfc1867_ttl=3600
+; Optimize include_once and require_once calls and avoid the expensive system calls used.
+apc.include_once_override=0
+apc.lazy_classes=0
+apc.lazy_functions=0
+; Enables APC handling of signals, such as SIGSEGV, that write core files when signaled. 
+; APC will attempt to unmap the shared memory segment in order to exclude it from the core file
+apc.coredump_unmap=0
+; Records a md5 hash of files. 
+apc.file_md5=0
+; not documented
+apc.preload_path

roles/phabricator/tasks/main.yml

@@ -0,0 +1,97 @@
+- name: ensure packages required for phabricator are installed (fedora)
+  action: yum name={{ item }} state=latest
+  with_items:
+    - git
+    - httpd
+    - mod_ssl
+    - php
+    - php-cli
+    - php-mysql
+    - php-process
+    - php-devel
+    - php-gd
+    - php-mbstring
+    - libphutil
+    - arcanist
+    - phabricator
+
+- name: create mariadb database
+  mysql_db: login_host={{ mariadb_host }} name={{ phabricator_db_name }}
+
+- name: create mariadb user for phabricator
+  mysql_user: host={{ mariadb_host }} name={{ mariadb_user }} password={{ mariadb_password }} priv={{ phabricator_db_name }}.*:ALL state=present
+
+- name: create phabricator daemon user
+  user: name={{ phabricator_daemon_user }}
+
+- name: create vcs user
+  user: name={{ phabricator_vcs_user }} password={{ phabricator_vcs_password  }} }}
+
+- name: add vcs user to sudoers to write as daemon user with restrictions for git
+  lineinfile: "dest=/etc/sudoers state=present line='{{ phabricator_vcs_user }} ALL=({{ phabricator_daemon_user }}) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack'"
+
+- name: remove tty requirement for sudo by git user
+  lineinfile: "dest=/etc/sudoers state=present line='Defaults:{{phabricator_vcs_user }} !requiretty'"
+
+- name: update php.ini
+  copy: src=php.ini dest=/etc/php.d/php.ini owner=root group=root mode=0644
+  notify:
+  - restart httpd
+
+- name: update apc.ini
+  copy: src=apc.ini dest=/etc/php.d/apc.ini owner=root group=root mode=0644
+  when: is_rhel
+  notify:
+  - restart httpd
+
+- name: create git repo root for phabricator
+  file: path={{ phabricator_repodir }} state=directory owner={{ phabricator_daemon_user }} group={{ phabricator_daemon_user }} mode=1755
+
+- name: create file directory for phabricator
+  file: path={{ phabricator_filedir }} state=directory owner=apache group=apache mode=1755
+
+- name: create log directory for phabricator
+  file: path=/var/log/phabricator state=directory owner={{ phabricator_daemon_user }} group=apache mode=1775
+
+- name: generate phabricator config
+  template: src={{ phabricator_config_filename }}.conf.php.j2 dest={{ phabroot }}/phabricator/conf/{{ phabricator_config_filename }}.conf.php owner=apache group=apache mode=0644
+
+- name: generate phabricator environment
+  template: src=ENVIRONMENT.j2 dest={{ phabroot }}/phabricator/conf/local/ENVIRONMENT owner=apache group=apache mode=0644
+
+- name: copy phabricator configuration settings
+  template: src=local.json.j2 dest={{ phabroot }}/phabricator/conf/local/local.json owner=apache group=apache mode=0644
+
+- name: generate chatbot config
+  template: src=chatbot-config.json.j2 dest={{ phabroot }}/phabricator/resources/chatbot/config.json owner=apache group=apache mode=0644
+
+- name: upgrade phabricator storage
+  command: chdir={{ phabroot }}/phabricator bin/storage upgrade --force
+
+- name: generate phabricator git hook
+  template: src=phabricator-ssh-hook.sh.j2 dest=/etc/phabricator-ssh-hook.sh owner=root group=root mode=0755
+
+- name: generate phabricator ssh config for vcs
+  template: src=phabricator-sshd.conf.j2 dest=/etc/ssh/phabricator-sshd.conf owner=root group=root mode=0600
+
+- name: generate phabricator ssh service file
+  template: src=phabricator-sshd.service.j2 dest=/lib/systemd/system/phabricator-sshd.service owner=root group=root mode=0644
+
+- name: start and enable phabricator sshd service
+  service: name=phabricator-sshd enabled=yes state=started
+
+- name: generate phabricator phd service file
+  template: src=phd.service.j2 dest=/lib/systemd/system/phd.service owner=root group=root mode=0644
+
+- name: create directory for phd pids
+  file: path=/var/run/phabricator state=directory owner={{ phabricator_daemon_user }} group={{ phabricator_daemon_user }} mode=1755
+
+- name: start and enable phabricator phd service
+  service: name=phd enabled=yes state=started
+
+- name: copy phabricator httpd config
+  template: src=phabricator.conf.j2 dest=/etc/httpd/conf.d/phabricator.conf owner=root group=root mode=0644
+  notify:
+  - restart httpd
+
+

roles/phabricator/templates/ENVIRONMENT.j2

@@ -0,0 +1 @@
+{{ phabricator_config_filename }}

roles/phabricator/templates/chatbot-config.json.j2

@@ -0,0 +1,27 @@
+{
+  "server" : "irc.freenode.net",
+  "port" : 6667,
+  "nick" : "{{ircnick}}",
+  "nickpass" : "{{ircnickpass}}",
+  "join" : [
+    "#fedora-qa-devel"
+  ],
+  "handlers" : [
+    "PhabricatorBotObjectNameHandler",
+    "PhabricatorBotSymbolHandler",
+    "PhabricatorBotLogHandler",
+    "PhabricatorBotWhatsNewHandler",
+    "PhabricatorBotDifferentialNotificationHandler",
+    "PhabricatorBotMacroHandler"
+  ],
+
+  "conduit.uri" : "https://phab.{{hostname}}/",
+  "conduit.user" : "{{ircnick}}",
+  "conduit.cert" : "{{irc_conduit_cert}}",
+
+  "macro.size" : 48,
+  "macro.aspect" : 0.66,
+
+  "notification.channels" : ["#fedora-qa-devel"]
+}
+

roles/phabricator/templates/local.json.j2

@@ -0,0 +1,5 @@
+{
+  "load-libraries"       : [],
+  "phabricator.base-uri" : "https:\/\/phab.{{ hostname }}\/"
+}
+

roles/phabricator/templates/phabricator-ssh-hook.sh.j2

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# NOTE: Replace this with the username that you expect users to connect with.
+VCSUSER="{{ phabricator_vcs_user }}"
+
+# NOTE: Replace this with the path to your Phabricator directory.
+ROOT="{{ phabroot }}/phabricator"
+
+if [ "$1" != "$VCSUSER" ];
+then
+exit 1
+fi
+
+exec "$ROOT/bin/ssh-auth" $@

roles/phabricator/templates/phabricator-sshd.conf.j2

@@ -0,0 +1,22 @@
+# NOTE: You must have OpenSSHD 6.2 or newer; support for AuthorizedKeysCommand
+# was added in this version.
+
+# NOTE: Edit these to the correct values for your setup.
+
+AuthorizedKeysCommand /etc/phabricator-ssh-hook.sh
+AuthorizedKeysCommandUser {{ phabricator_vcs_user }}
+
+# You may need to tweak these options, but mostly they just turn off everything
+# dangerous.
+
+Port 22
+Protocol 2
+PermitRootLogin no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+PrintLastLog no
+PasswordAuthentication no
+AuthorizedKeysFile none
+
+PidFile /var/run/sshd-phabricator.pid

roles/phabricator/templates/phabricator-sshd.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenSSH server daemon for Phabricator
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/sbin/sshd-keygen
+ExecStart=/usr/sbin/sshd -f /etc/ssh/phabricator-sshd.conf -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

roles/phabricator/templates/phabricator-sshd.socket.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

roles/phabricator/templates/phabricator.conf.j2

@@ -0,0 +1,93 @@
+NameVirtualHost *:443
+
+<VirtualHost *:443>
+  # Change this to the domain which points to your host.
+  ServerName phab.{{hostname}}
+
+  # Use separate log files for the SSL virtual host; note that LogLevel
+  # is not inherited from httpd.conf.
+  ErrorLog logs/phab_error_log
+  TransferLog logs/phab_access_log
+  LogLevel warn
+
+  #   SSL Engine Switch:
+  #   Enable/Disable SSL for this virtual host.
+  SSLEngine on
+
+  #   SSL Protocol support:
+  # List the enable protocol levels with which clients will be able to
+  # connect.  Disable SSLv2 access by default:
+  SSLProtocol all -SSLv2
+
+  #   SSL Cipher Suite:
+  # List the ciphers that the client is permitted to negotiate.
+  # See the mod_ssl documentation for a complete list.
+  #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+  #   Server Certificate:
+  # Point SSLCertificateFile at a PEM encoded certificate.  If
+  # the certificate is encrypted, then you will be prompted for a
+  # pass phrase.  Note that a kill -HUP will prompt again.  A new
+  # certificate can be generated using the genkey(1) command.
+  SSLCertificateFile /etc/pki/tls/certs/{{ sslcertfile }}
+
+  #   Server Private Key:
+  #   If the key is not combined with the certificate, use this
+  #   directive to point at the key file.  Keep in mind that if
+  #   you've both a RSA and a DSA private key you can configure
+  #   both in parallel (to also allow the use of DSA ciphers, etc.)
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ sslkeyfile }}
+
+  #   Server Certificate Chain:
+  #   Point SSLCertificateChainFile at a file containing the
+  #   concatenation of PEM encoded CA certificates which form the
+  #   certificate chain for the server certificate. Alternatively
+  #   the referenced file can be the same as SSLCertificateFile
+  #   when the CA certificates are directly appended to the server
+  #   certificate for convinience.
+  #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+  {% if sslintermediatecertfile is defined %}
+  SSLCertificateChainFile /etc/pki/tls/certs/{{ sslintermediatecertfile }}
+  {% endif %}
+
+  #   Certificate Authority (CA):
+  #   Set the CA certificate verification path where to find CA
+  #   certificates for client authentication or alternatively one
+  #   huge file containing all of them (file must be PEM encoded)
+  #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+  # Change this to the path where you put 'phabricator' when you checked it
+  # out from GitHub when following the Installation Guide.
+  #
+  # Make sure you include "/webroot" at the end!
+  DocumentRoot {{phabroot}}/phabricator/webroot
+
+  RewriteEngine on
+  RewriteRule ^/rsrc/(.*)     -                       [L,QSA]
+  RewriteRule ^/favicon.ico   -                       [L,QSA]
+  RewriteRule ^(.*)$          /index.php?__path__=$1  [B,L,QSA]
+</VirtualHost>
+
+
+<VirtualHost *:80>
+  # Change this to the domain which points to your host.
+  ServerName phab.{{hostname}}
+
+  RewriteEngine on
+  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+
+<Directory "{{ phabroot }}/phabricator/webroot">
+  AllowOverride None
+  #Require all granted
+  <IfModule mod_authz_core.c>
+      # Apache 2.4
+      Require all granted
+  </IfModule>
+  <IfModule !mod_auth_core.c>
+      Order allow,deny
+      Allow from all
+  </IfModule>
+</Directory>

roles/phabricator/templates/phd.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Phabricator Daemons
+After=httpd.service
+
+[Service]
+Type=forking
+ExecStart={{ phabroot }}/phabricator/bin/phd start
+ExecStop={{ phabroot }}/phabricator/bin/phd stop
+ExecRestart={{ phabroot}}/phabricator/bin/phd restart
+User={{ phabricator_daemon_user }}
+Group={{ phabricator_daemon_user }}

roles/phabricator/templates/qadevelconfig.conf.php.j2

@@ -0,0 +1,29 @@
+<?php
+
+//'welcome.html' => '<h1>Fedora QA Devel Phabricator</h1><p>The Fedora QA Devel team uses this phabricator instance for tracking issues, code reviews and some documentation. <ul><li>lists</li><li><a href="http://roshi.fedorapeople.org/dexy/">Links to docs</a></li><li>...</li></ul></p>',
+return array(
+  'mysql.host' => '{{ mariadb_host }}',
+  'mysql.user' => '{{ mariadb_user }}',
+  'mysql.pass' => '{{ mariadb_password }}',
+  'log.access.path' => '/var/log/phabricator/access.log',
+  'log.ssh.path' => '/var/log/phabricator/ssh.log',
+  'phd.pid-directory' => '/var/run/phabricator/',
+  'phd.log-directory' => '/var/log/phabricator/',
+  'phd.user' => '{{ phabricator_daemon_user }}',
+  'environment.append-paths' => ['/usr/libexec/git-core/'],
+  'diffusion.ssh-user' => '{{ phabricator_vcs_user }}',
+  'welcome.html' => '{{ lookup("file", files + "/phabricator-welcome.html") }}',
+  'ui.header-color' => '{{ phabricator_header_color }}',
+  'metamta.default-address' => 'phab@{{ external_hostname }}',
+  'metamta.domain' => '{{ external_hostname }}',
+  'metamta.reply-handler-domain' => '{{ external_hostname }}',
+  'metamta.mail-adapter' => '{{ 'PhabricatorMailImplementationPHPMailerLiteAdapter' if phabricator_mail_enabled else 'PhabricatorMailImplementationTestAdapter'}}',
+  'phabricator.uninstalled-applications' => array(
+        'PhabricatorApplicationPhame' => true,
+        'PhabricatorApplicationDiviner' => true,
+        'PhabricatorApplicationLegalpad' => true,
+        'PhabricatorApplicationDrydock' => true,
+        'PhabricatorApplicationHarbormaster' => true,
+        'PhabricatorApplicationOAuthServer' => true,
+        'PhabricatorApplicationPhortune' => true)
+);