ansible/roles/phabricator/tasks/main.yml

# Install the web, PHP, Phabricator and SELinux tooling packages with yum.
# Only runs when the distribution's major version is below 22.
- name: ensure packages required for phabricator are installed (yum)
  when: ansible_distribution_major_version|int < 22
  yum:
    name: "{{ item }}"
    state: present
    # Additional repositories to enable for this transaction only.
    enablerepo: "{{ extra_enablerepos }}"
  with_items:
    - MySQL-python
    - git
    - httpd
    - mod_ssl
    - php
    - php-cli
    - php-mysql
    - php-process
    - php-devel
    - php-gd
    - php-mbstring
    - php-opcache
    - python-pygments
    - libphutil
    - arcanist
    - phabricator
    - libsemanage-python
    - libselinux-python
    - policycoreutils-python
# Same package set as the yum task plus policycoreutils-python-utils, installed
# with dnf. Runs when the major version is above 21 and the kernel command line
# carries no "ostree" entry.
- name: ensure packages required for phabricator are installed (dnf)
  when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
  dnf:
    name: "{{ item }}"
    state: present
    # Additional repositories to enable for this transaction only.
    enablerepo: "{{ extra_enablerepos }}"
  with_items:
    - MySQL-python
    - git
    - httpd
    - mod_ssl
    - php
    - php-cli
    - php-mysql
    - php-process
    - php-devel
    - php-gd
    - php-mbstring
    - php-opcache
    - python-pygments
    - libphutil
    - arcanist
    - phabricator
    - libsemanage-python
    - libselinux-python
    - policycoreutils-python
    - policycoreutils-python-utils
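# Create the MariaDB account Phabricator connects with, logging in to the
# server as root over 127.0.0.1.
# NOTE(review): priv "*.*:ALL" grants this account every privilege on every
# database on the server, so a compromise of the web application reaches any
# other data hosted there. Consider scoping the grant to the databases
# Phabricator uses; the storage namespace is not visible in this file, so
# confirm it before narrowing.
- name: create mariadb user for phabricator
  mysql_user:
    name: "{{ mariadb_user }}"
    host: 'localhost'
    password: "{{ mariadb_password }}"
    priv: "*.*:ALL"
    state: present
    login_user: root
    login_password: "{{ mariadb_root_password }}"
    login_host: "127.0.0.1"
  delegate_to: "{{ inventory_hostname }}"
  # The module arguments include the application and root database passwords;
  # keep them out of task output and logs.
  no_log: true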
# Root-owned directory for database dumps. Mode 1755 is 0755 plus the sticky
# bit; only root can write here.
- name: ensure backup directory exists
  file:
    path: "{{ backup_dir }}"
    state: directory
    owner: root
    group: root
    mode: "1755"

# Drop the dump job into /etc/cron.d.
# NOTE(review): the template is not shown here. If it puts database
# credentials on the dump command line, mode 0644 leaves them readable by
# every local user - confirm.
- name: generate phabricator mysql backup cronjob
  template:
    src: phabricator-mariadb-dump.cron.j2
    dest: /etc/cron.d/phabricator-mariadb-dump.cron
    owner: root
    group: root
    mode: "0644"
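# Account the Phabricator daemons run as.
- name: create phabricator daemon user
  user:
    name: "{{ phabricator_daemon_user }}"

# Put the web server account in the daemon user's group.
# NOTE(review): without append, the user module sets the supplementary group
# list to exactly this value, dropping any other groups apache had - confirm
# that is intended.
- name: add apache user to daemon user group
  user:
    name: apache
    groups: "{{ phabricator_daemon_user }}"

# Account that git-over-SSH clients log in as; only created when git hosting
# is enabled.
# NOTE(review): the user module stores `password` as given, so the variable is
# expected to hold a crypt hash rather than plaintext - confirm.
- name: create vcs user
  user:
    name: "{{ phabricator_vcs_user }}"
    password: "{{ phabricator_vcs_user_password }}"
    groups: "{{ phabricator_daemon_user }}"
  when: enable_phabricator_git
  # The password value is a task argument; keep it out of task output and logs.
  no_log: true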
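# Sudoers rules that let the vcs and apache accounts run specific git helper
# binaries as the daemon user without a password.
#
# Every edit is checked with `visudo -cf` against the candidate file before it
# replaces /etc/sudoers: a syntactically invalid sudoers file makes sudo refuse
# to run at all, which would lock out privilege escalation on the host.
#
# SETENV lets the calling account pass its own environment variables to the
# listed commands, so the command list should stay limited to exactly these
# binaries.
# NOTE(review): the two vcs-user entries are not gated on
# enable_phabricator_git, although the task that creates that user is -
# confirm whether they should be.
- name: add vcs user to sudoers to write as daemon user with restrictions for git
  lineinfile:
    dest: /etc/sudoers
    state: present
    line: "{{ phabricator_vcs_user }} ALL=({{ phabricator_daemon_user }}) SETENV: NOPASSWD: /usr/libexec/git-core/git-upload-pack, /usr/libexec/git-core/git-receive-pack"
    validate: 'visudo -cf %s'

# sudo is invoked from non-interactive sessions, so requiretty is switched off
# for this account only.
- name: remove tty requirement for sudo by git user
  lineinfile:
    dest: /etc/sudoers
    state: present
    line: "Defaults:{{phabricator_vcs_user }} !requiretty"
    validate: 'visudo -cf %s'

- name: add apache user to sudoers to write as daemon user with restrictions for git
  lineinfile:
    dest: /etc/sudoers
    state: present
    line: "apache ALL=({{ phabricator_daemon_user }}) SETENV: NOPASSWD: /usr/libexec/git-core/git-http-backend"
    validate: 'visudo -cf %s'

# Task name corrected: this entry applies to the apache account, not the git
# (vcs) account.
- name: remove tty requirement for sudo by apache user
  lineinfile:
    dest: /etc/sudoers
    state: present
    line: "Defaults:apache !requiretty"
    validate: 'visudo -cf %s'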
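# Ship the role's php.ini; httpd is reloaded so the new settings are picked up.
- name: update php.ini
  copy:
    src: php.ini
    dest: /etc/php.d/php.ini
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload httpd

# Ship the opcache settings. This task previously had no handler, unlike the
# php.ini task above, so a changed file would not take effect until httpd was
# reloaded for some other reason.
- name: update php-opcache config
  copy:
    src: "10-opcache.ini"
    dest: /etc/php.d/10-opcache.ini
    owner: root
    group: root
    # Quoted so the mode is read as an octal string by any YAML parser.
    mode: "0644"
  notify:
    - reload httpd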
# Repository storage, owned by the daemon user; only needed when git hosting is
# enabled.
- name: create git repo root for phabricator
  when: enable_phabricator_git
  file:
    path: "{{ phabricator_repodir }}"
    state: directory
    owner: "{{ phabricator_daemon_user }}"
    group: "{{ phabricator_daemon_user }}"
    mode: "1755"

# File storage directory, owned by the web server account.
- name: create file directory for phabricator
  file:
    path: "{{ phabricator_filedir }}"
    state: directory
    owner: apache
    group: apache
    mode: "1755"

# Log directory; mode 1775 makes it group-writable for the daemon user's group,
# with the sticky bit set.
- name: create log directory for phabricator
  file:
    path: /var/log/phabricator
    state: directory
    owner: "{{ phabricator_daemon_user }}"
    group: "{{ phabricator_daemon_user }}"
    mode: "1775"
# disabling phabricator env
#- name: generate phabricator environment
# template: src=ENVIRONMENT.j2 dest={{ phabroot }}/phabricator/conf/local/ENVIRONMENT owner=apache group=apache mode=0644
# Render Phabricator's local configuration and restart the daemons on change.
# NOTE(review): the template is not shown here. If local.json carries the
# database password, mode 0644 exposes it to every local user, and apache
# ownership lets the web server account rewrite its own configuration -
# confirm both are intended.
- name: copy phabricator configuration settings
  template:
    src: local.json.j2
    dest: "{{ phabroot }}/phabricator/conf/local/local.json"
    owner: apache
    group: apache
    mode: "0644"
  notify:
    - restart phd

# Render the custom login extension into Phabricator's extensions directory.
# NOTE(review): this PHP file is owned by apache, so the web server account can
# modify code that it also executes - confirm that is intended.
- name: copy phabricator custom login plugin
  template:
    src: CustomLoginHandler.php.j2
    dest: "{{ phabroot }}/phabricator/src/extensions/CustomLoginHandler.php"
    owner: apache
    group: apache
    mode: "0644"
  notify:
    - restart phd
# this isn't well supported upstream right now, disabling
#- name: generate chatbot config
# template: src=chatbot-config.json.j2 dest={{ phabroot }}/phabricator/resources/chatbot/config.json owner=apache group=apache mode=0644
# Run Phabricator's storage upgrade from the install directory. --force is
# passed so the command does not wait for interactive confirmation. The task
# has no changed_when/creates guard, so it executes on every play.
- name: upgrade phabricator storage
  command: bin/storage upgrade --force
  args:
    chdir: "{{ phabroot }}/phabricator"
# Everything below sets up the dedicated sshd instance for git access and is
# skipped unless enable_phabricator_git is true.

# Hook script: root-owned and not writable by anyone else.
- name: generate phabricator git hook
  when: enable_phabricator_git
  template:
    src: phabricator-ssh-hook.sh.j2
    dest: /etc/phabricator-ssh-hook.sh
    owner: root
    group: root
    mode: "0755"

# sshd configuration for the vcs listener, readable by root only.
- name: generate phabricator ssh config for vcs
  when: enable_phabricator_git
  template:
    src: phabricator-sshd.conf.j2
    dest: /etc/ssh/phabricator-sshd.conf
    owner: root
    group: root
    mode: "0600"

# systemd unit for the extra sshd instance.
- name: generate phabricator ssh service file
  when: enable_phabricator_git
  template:
    src: phabricator-sshd.service.j2
    dest: /lib/systemd/system/phabricator-sshd.service
    owner: root
    group: root
    mode: "0644"

- name: start and enable phabricator sshd service
  when: enable_phabricator_git
  service:
    name: phabricator-sshd
    enabled: true
    state: started
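# Read the SELinux port labels that mention ssh. Read-only, so it also runs in
# check mode and never reports a change.
- name: check to see if sshd port is already known by selinux
  shell: semanage port -l | grep ssh
  register: sshd_selinux_port
  always_run: true
  changed_when: false

# Label the alternate sshd port as ssh_port_t unless it is already listed.
# The listing is split into whole tokens (commas turned into spaces) and the
# port is compared against those, instead of a substring search: with a
# substring search a port such as 222 would be treated as present whenever
# 2222 was listed, and the port would be left unlabelled.
- name: allow alternate sshd port
  command: semanage port -a -t ssh_port_t -p tcp {{ sshd_port }}
  when: "(sshd_port | string) not in sshd_selinux_port.stdout.replace(',', ' ').split()"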
# systemd unit for the Phabricator daemons (phd).
- name: generate phabricator phd service file
  template:
    src: phd.service.j2
    dest: /lib/systemd/system/phd.service
    owner: root
    group: root
    mode: "0644"

# Runtime directory for phd pid files, owned by the daemon user.
- name: create directory for phd pids
  file:
    path: /var/run/phabricator
    state: directory
    owner: "{{ phabricator_daemon_user }}"
    group: "{{ phabricator_daemon_user }}"
    mode: "1755"

- name: start and enable phabricator phd service
  service:
    name: phd
    enabled: true
    state: started
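# TLS material is copied from the private files tree and installed root-owned
# with mode 0600. Modes are quoted so they are read as octal strings by any
# YAML parser.
- name: Install the SSL cert
  copy:
    src: "{{ private}}/files/httpd/{{ sslcertfile }}"
    dest: "/etc/pki/tls/certs/{{ sslcertfile }}"
    owner: root
    group: root
    mode: "0600"

- name: Install the SSL key
  copy:
    src: "{{ private}}/files/httpd/{{ sslkeyfile }}"
    dest: "/etc/pki/tls/private/{{ sslkeyfile }}"
    owner: root
    group: root
    mode: "0600"
  # Private key: suppress task output so the key contents cannot end up in
  # logs, for example when the play is run with --diff.
  no_log: true

# Skipped when no intermediate certificate file name is configured.
- name: Install the SSL intermediate cert
  copy:
    src: "{{ private}}/files/httpd/{{ sslintermediatecertfile }}"
    dest: "/etc/pki/tls/certs/{{ sslintermediatecertfile }}"
    owner: root
    group: root
    mode: "0600"
  when: sslintermediatecertfile != ''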
# Render the Apache virtual host configuration for Phabricator; httpd is
# reloaded when the file changes.
- name: copy phabricator httpd config
  template:
    src: phabricator.conf.j2
    dest: /etc/httpd/conf.d/phabricator.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload httpd