diff --git a/handlers/main.yml b/handlers/main.yml index 4ac838d..66b1025 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,27 +1,33 @@ --- - - name: restart mysql service: - name: mysqld - state: restarted - enabled: yes + name: mysqld + state: restarted + enabled: yes - name: restart nginx service: name: nginx state: restarted - name: restart haproxy service: - name: haproxy - state: restarted + name: haproxy + state: restarted - name: reload haproxy service: name: haproxy state: reloaded - name: restart php-fpm service: name: php-fpm state: restarted + +- name: restart sshd_phabricator + service: + name: sshd_phabricator + state: restarted + enabled: yes + diff --git a/main.yml b/main.yml index 39990af..a88a3b0 100644 --- a/main.yml +++ b/main.yml @@ -1,46 +1,47 @@ +--- - name: Create Instances hosts: 127.0.0.1 connection: local gather_facts: false vars_files: - "vars/main.yml" tasks: - include: tasks/create-instances.yml - name: Configure Jump Server hosts: lbs vars_files: - "vars/main.yml" user: centos sudo: yes tasks: #- debug: var=hostvars - include: tasks/common.yml - include: tasks/configure-jump.yml handlers: - include: handlers/main.yml - name: Configure Databases hosts: dbs vars_files: - "vars/main.yml" user: centos sudo: yes tasks: - include: tasks/common.yml - include: tasks/configure-dbs.yml handlers: - include: handlers/main.yml - name: Configure App hosts: app vars_files: - "vars/main.yml" user: centos sudo: yes tasks: - include: tasks/common.yml - include: tasks/configure-app.yml handlers: - include: handlers/main.yml diff --git a/tasks/configure-app.yml b/tasks/configure-app.yml index ece1756..c712444 100644 --- a/tasks/configure-app.yml +++ b/tasks/configure-app.yml 
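Review bot: The new `restart sshd_phabricator` handler spells its boolean as `enabled: yes`, a YAML 1.1 truthy form that yamllint's `truthy` rule flags and that YAML 1.2 parsers read as a string; write `enabled: true` (the re-indented `restart mysql` handler above carries the same spelling and could be fixed in passing). The hunk also appears to end with an added empty line after the new handler, which linters report as a trailing blank line.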
@@ -1,105 +1,130 @@ --- - yum: name="{{ item }}" state=latest update_cache=yes with_items: - git - screen - vim - ntp - nginx - php - php-fpm - php-mysql - php-gd - php-mbstring - php-posix - php-apc - php-pear - pcre-devel ## Users - user: name="{{ phd_user }}" -- user: name="{{ vcs_user }}" - user: name="{{ www_user }}" +- user: + name: "{{ vcs_user }}" + password: "NP" + shell: "/bin/sh" + - name: Create sudoers template: src: sudoers dest: "/etc/sudoers.d/phabricator" mode: 0440 owner: root group: root validate: "/usr/sbin/visudo -cf %s" ## Nginx - name: Install nginx yum: name=nginx state=present - name: Autostart nginx command: chkconfig nginx on - name: Copy nginx config template: src=phabricator.conf dest=/etc/nginx/conf.d/phabricator.conf notify: restart nginx # PHP CGI - name: Autostart php-fpm command: chkconfig php-fpm on - name: Copy php.ini configuration template: src=php.ini dest=/etc/php.ini notify: restart php-fpm - name: Install APC command: pecl install apc +# SSH +- name: SSH hook for phabricator + template: + src: phabricator_ssh_hook.sh + dest: /usr/libexec/phabricator_ssh_hook.sh + group: "{{ phd_user }}" + mode: 0755 + +- name: SSHd config for phabricator + template: + src: phabricator_sshd_config + dest: /etc/ssh/sshd_config.phabricator + mode: 0640 + +- name: SSHd systemd service for phabricator + template: + src: phabricator_sshd_init + dest: /usr/lib/systemd/system/sshd_phabricator.service + mode: 0640 + notify: restart sshd_phabricator + ## Phabricator # Source: https://github.com/relrod/phabricator-ansible - name: Create directory file: state=directory path=/srv/www owner="{{ phd_user }}" - name: Create tmp directory file: state=directory path=/var/tmp/phd/ owner="{{ phd_user }}" - name: Clone facebook/libphutil git: repo=https://github.com/facebook/libphutil.git dest=/srv/www/facebook/libphutil sudo_user: "{{ phd_user }}" - name: Clone facebook/arcanist git: repo=https://github.com/facebook/arcanist.git dest=/srv/www/facebook/arcanist 
sudo_user: "{{ phd_user }}" - name: Clone facebook/phabricator to {{ phabricator_path }} git: repo=https://github.com/facebook/phabricator.git dest=/srv/www/facebook/phabricator sudo_user: "{{ phd_user }}" - name: Create a conf/custom directory. file: state=directory path={{ phabricator_path }}/conf/custom sudo_user: "{{ phd_user }}" - name: Place a starting-point custom config in {{ phabricator_path }}conf/custom/myconfig.conf.php template: src=myconfig.conf.php dest={{ phabricator_path }}conf/custom/myconfig.conf.php sudo_user: "{{ phd_user }}" - name: Include the config shell: echo 'custom/myconfig' > {{ phabricator_path }}conf/local/ENVIRONMENT sudo_user: "{{ phd_user }}" - name: Migrate the database command: chdir={{ phabricator_path }} ./bin/storage upgrade --force sudo_user: "{{ phd_user }}" - name: Create the repository directory - file: state=directory path="{{ repositories_path }}" owner="{{ phd_user }}" + file: state=directory path="{{ repositories_path }}" owner="{{ phd_user }}" group="{{ phd_user }}" ## Application - name: Start PHD daemons command: chdir={{ phabricator_path }} ./bin/phd restart sudo_user: "{{ phd_user }}" diff --git a/tasks/configure-dbs.yml b/tasks/configure-dbs.yml index 0b24f90..4f74613 100644 --- a/tasks/configure-dbs.yml +++ b/tasks/configure-dbs.yml @@ -1,32 +1,31 @@ --- - yum: name=http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm state=present - yum: name="{{ item }}" state=latest update_cache=yes with_items: - vim - git - ntp - mysql-community-server - MySQL-python - name: Copy mysql config template: src=my.cnf dest=/etc/my.cnf - notify: restart mysql - name: Copy phabricator stop words copy: src=stopwords.txt dest=/srv/stopwords.txt notify: restart mysql - name: Create database user mysql_user: state=present user={{ mysql_user }} password={{ mysql_pass}} priv=*.*:ALL host={{ groups['app'][0] }} diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2 index c9de570..eaf54af 100644 
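Review bot: The `SSHd config for phabricator` task writes `/etc/ssh/sshd_config.phabricator` without `notify: restart sshd_phabricator`, so on later runs a changed sshd configuration is never applied — only the systemd unit task notifies the handler; add `notify: restart sshd_phabricator` to that task as well. The `SSH hook for phabricator` task sets `group` and `mode` but not `owner`; since sshd executes this file as `AuthorizedKeysCommand` it requires the file to be root-owned and not group/other-writable, so pin `owner: root` rather than relying on the connection user. The new `user` task sets `password: "NP"`, which Ansible treats as an already-hashed password; an invalid hash does lock the account, but the conventional locked marker `password: "!"` states that intent and avoids the module's unhashed-password warning. The file modes `0755` and `0640` are plain-scalar octal and should be quoted (`mode: "0755"`) to sidestep YAML 1.1 integer parsing, matching what the existing `mode: 0440` should also do.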
--- a/templates/haproxy.cfg.j2 +++ b/templates/haproxy.cfg.j2 @@ -1,41 +1,50 @@ global log 127.0.0.1 local2 chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 4000 user root group root daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats level admin defaults - mode http + mode tcp log global - option httplog + option tcplog option dontlognull - option http-server-close - option forwardfor except 127.0.0.0/8 + option forceclose option redispatch retries 3 timeout http-request 10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s maxconn 3000 frontend public bind *:80 default_backend app backend app balance roundrobin {% for host in groups['app'] %} server {{ host }} {{ hostvars[host]['inventory_hostname'] }}:80 {% endfor %} +frontend sshd + bind *:1234 + default_backend ssh + timeout client 1h + +backend ssh + {% for host in groups['app'] %} + server localhost-bitbucket-ssh {{ hostvars[host]['inventory_hostname'] }}:1234 check port 1234 + {% endfor %} + diff --git a/templates/myconfig.conf.php b/templates/myconfig.conf.php index 529cec1..f15b895 100644 --- a/templates/myconfig.conf.php +++ b/templates/myconfig.conf.php @@ -1,19 +1,22 @@ 'http://{{ domain }}/', 'phabricator.timezone' => 'Europe/London', 'mysql.host' => "{{ groups['dbs'][0] }}", 'mysql.pass' => '{{ mysql_pass }}', 'mysql.user' => '{{ mysql_user }}', 'amazon-s3.access-key' => '{{ s3_access_key }}', 'amazon-s3.secret-key' => '{{ s3_secret_key }}', 'storage.s3.bucket' => '{{ s3_bucket }}', 'auth.require-approval' => false, 'pygments.enabled' => true, 'metamta.default-address' => 'phabricator@{{domain}}', 'metamta.domain' => '{{domain}}', + + 'phd.user' => '{{ phd_user }}', + 'diffusion.ssh-user' => '{{ vcs_user }}', ) + phabricator_read_config_file('development'); diff --git a/templates/phabricator_ssh_hook.sh b/templates/phabricator_ssh_hook.sh new file mode 100644 index 0000000..519f54c --- /dev/null 
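Review bot: `backend ssh` emits `server localhost-bitbucket-ssh …` inside the `{% for host in groups['app'] %}` loop, so with more than one app host every generated line carries the same server name, which haproxy flags as a duplicate server name; use `server {{ host }} {{ hostvars[host]['inventory_hostname'] }}:1234 check port 1234` as `backend app` already does. Moving `defaults` to `mode tcp` and dropping `option forwardfor` also changes the existing HTTP path: `frontend public`/`backend app` lose HTTP logging and the X-Forwarded-For header, so the application no longer sees real client addresses, and the `timeout http-request`/`timeout http-keep-alive` lines become no-ops in TCP mode. Keep `mode http`, `option httplog`, `option http-server-close` and `option forwardfor except 127.0.0.0/8` in `defaults`, and set `mode tcp` plus `option tcplog` only in `frontend sshd` and `backend ssh`.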
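Review bot: The new `diffusion.ssh-user` entry points clients at `{{ vcs_user }}`, but the sshd that serves it listens on port 1234 (`Port 1234` in `templates/phabricator_sshd_config`, and `frontend sshd` binds `*:1234`), so the SSH clone URIs Phabricator generates would still default to port 22 unless `diffusion.ssh-port` is set elsewhere; add `'diffusion.ssh-port' => 1234,` next to it. As with the surrounding entries, the Jinja values are dropped into single-quoted PHP strings without escaping, so a value containing `'` would break the file — acceptable for operator-controlled variables, but worth a one-line comment above the block.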
+++ b/templates/phabricator_ssh_hook.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+VCSUSER="{{ vcs_user }}"
+ROOT="{{ phabricator_path }}"
+
+if [ "$1" != "$VCSUSER" ];
+then
+ exit 1
+fi
+
+exec "$ROOT/bin/ssh-auth" $@
diff --git a/templates/phabricator_sshd_config b/templates/phabricator_sshd_config
new file mode 100644
index 0000000..beb3a60
--- /dev/null
+++ b/templates/phabricator_sshd_config
@@ -0,0 +1,18 @@
+AuthorizedKeysCommand /usr/libexec/phabricator_ssh_hook.sh
+AuthorizedKeysCommandUser {{ vcs_user }}
+AllowUsers {{ vcs_user }}
+
+Port 1234
+Protocol 2
+PermitRootLogin no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+PrintLastLog no
+PasswordAuthentication no
+AuthorizedKeysFile none
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+PidFile /var/run/sshd_phabricator.pid
diff --git a/templates/phabricator_sshd_init b/templates/phabricator_sshd_init
new file mode 100644
index 0000000..094920e
--- /dev/null
+++ b/templates/phabricator_sshd_init
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenSSH Phabricator
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=/usr/sbin/sshd -D $OPTIONS -f /etc/ssh/sshd_config.phabricator
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/sudoers b/templates/sudoers
index 26cda3b..cae955d 100644
--- a/templates/sudoers
+++ b/templates/sudoers
@@ -1,3 +1,3 @@
-{{ vcs-user }} ALL=({{ daemon-user }}) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack
-{{ www-user }} ALL=({{ daemon-user }}) SETENV: NOPASSWD: /usr/libexec/git-core/git-http-backend
+{{ vcs_user }} ALL=({{ phd_user }}) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack
+{{ www_user }} ALL=({{ phd_user }}) SETENV: NOPASSWD: /usr/libexec/git-core/git-http-backend
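Review bot: The last line passes sshd's arguments unquoted, `exec "$ROOT/bin/ssh-auth" $@`; write `exec "$ROOT/bin/ssh-auth" "$@"` so they reach ssh-auth intact, without word-splitting or glob expansion. The user check against `$VCSUSER` is the right shape for an `AuthorizedKeysCommand` hook and is worth a comment saying that sshd supplies the connecting username as `$1`. Elsewhere in this change `phabricator_path` is used with a trailing slash (`{{ phabricator_path }}conf/custom`), so `$ROOT/bin/ssh-auth` would render with a doubled slash — harmless, but the variable should be normalised one way or the other.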
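Review bot: `PasswordAuthentication no` alone does not make this instance key-only: `ChallengeResponseAuthentication` defaults to yes, and if `UsePAM yes` is ever added, PAM keyboard-interactive authentication can still accept passwords; set `ChallengeResponseAuthentication no` explicitly (and `KbdInteractiveAuthentication no` on newer OpenSSH). `Protocol 2` is a no-op on OpenSSH releases that no longer support protocol 1 and newer versions log it as a deprecated option, so it can be dropped. The rest is well restricted (`AllowUsers`, `AuthorizedKeysFile none`, no agent or TCP forwarding); a header comment noting that the `HostKey` lines deliberately share the system sshd's host keys would help the next maintainer.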
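Review bot: The unit orders itself only after `network.target`, yet the configuration it loads reuses `/etc/ssh/ssh_host_*_key`; on CentOS/RHEL 7 those are generated by `sshd-keygen.service`, so add `Wants=sshd-keygen.service` and `After=network.target sshd-keygen.service` as the stock `sshd.service` does, otherwise a fresh host may fail to start this instance before the system sshd has run. The deploying task installs the unit with `mode: 0640`; systemd reads it as root so it works, but unit files are conventionally `0644`. A newly written unit also needs `systemctl daemon-reload` before the `restart sshd_phabricator` handler can act on it — confirm the `service` module in the Ansible version in use does this, otherwise add an explicit reload step.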
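Review bot: The drop-in grants `{{ vcs_user }}` passwordless sudo to `{{ phd_user }}` with `SETENV`, but does nothing about `Defaults requiretty`, which the stock CentOS 7 `/etc/sudoers` sets and which makes these non-interactive invocations from the SSH hook fail; if that default is present on the target, add `Defaults:{{ vcs_user }} !requiretty` and `Defaults:{{ www_user }} !requiretty` to this file. The template is installed with `validate: /usr/sbin/visudo -cf %s`, so a syntax regression here is caught at deploy time, but a comment naming which Phabricator component each rule serves (SSH transport vs. HTTP `git-http-backend`) would make the two lines self-explaining.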