Puppet Class: phabricator::vcs

Defined in:
modules/phabricator/manifests/vcs.pp

Overview

Configures the VCS access layer of a Phabricator host: the dedicated system user that remote repository clients authenticate as, a second sshd instance (`ssh-phab`) with its own config and firewall rule, the SSH authentication hook, and the sudo rules that let that VCS user and `www-data` run the git/svn server commands as the `phd` user. The user names are read from the `settings` hash (`phd.user`, `diffusion.ssh-user`).

Parameters:

  • basedir (Stdlib::Unixpath) (defaults to: '/srv/phab')
  • settings (Hash) (defaults to: {})
  • listen_addresses (Array) (defaults to: [])
  • ssh_port (Integer) (defaults to: 22)
  • proxy (String) (defaults to: "http://url-downloader.${::site}.wikimedia.org:8080")


# File 'modules/phabricator/manifests/vcs.pp', line 17

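class phabricator::vcs (
    Stdlib::Unixpath $basedir = '/srv/phab',
    Hash $settings            = {},
    Array $listen_addresses   = [],
    Integer $ssh_port         = 22,
    String $proxy             = "http://url-downloader.${::site}.wikimedia.org:8080",
) {
    # $ssh_port and $proxy are not referenced directly in this class body;
    # presumably the ERB templates below read them from class scope
    # (@ssh_port, @proxy) -- TODO confirm against the templates.

    # Both user names come out of the Phabricator settings hash and are
    # interpolated into a user resource title and into the sudoers Runas
    # specs further down. An unset key would otherwise turn into a resource
    # with an undef title or a sudoers line with an empty Runas list, so
    # reject that at compile time with a message that names the key.
    $phd_user = assert_type(String[1], $settings['phd.user']) |$expected, $actual| {
        fail("phabricator::vcs: settings['phd.user'] must be a non-empty string, got ${actual}")
    }
    $vcs_user = assert_type(String[1], $settings['diffusion.ssh-user']) |$expected, $actual| {
        fail("phabricator::vcs: settings['diffusion.ssh-user'] must be a non-empty string, got ${actual}")
    }
    $ssh_hook_path = '/usr/libexec/phabricator-ssh-hook.sh'
    $sshd_config = '/etc/ssh/sshd_config.phabricator'

    # System account remote VCS clients authenticate as. Group 'phd' is not
    # declared in this class and is expected to come from elsewhere.
    user { $vcs_user:
        gid        => 'phd',
        shell      => '/bin/sh',
        managehome => true,
        home       => "/var/lib/${vcs_user}",
        system     => true,
    }

    # NOTE(review): this recursively hands ownership of the SSH helper scripts
    # to the VCS user, presumably the same account remote clients log in as.
    # No mode is pinned here; if that account can write to these files it can
    # alter its own authentication path -- worth confirming the permissions
    # the hook and sshd config actually require.
    file { "${basedir}/phabricator/scripts/ssh/":
        owner   => $vcs_user,
        recurse => true,
    }

    # git-http-backend needs to be in $PATH (and the sudo rule for www-data
    # below names this exact path).
    file { '/usr/local/bin/git-http-backend':
        ensure  => 'link',
        target  => '/usr/lib/git-core/git-http-backend',
        require => Package['git'],
    }

    # System-wide git configuration for every repository we host.
    file { '/etc/gitconfig':
        content => template('phabricator/vcs/system.gitconfig.erb'),
        require => Package['git'],
        owner   => 'root',
        group   => 'root',
    }

    file { '/usr/libexec':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    # Root-owned, so the hook sshd invokes cannot be modified by the VCS or
    # web users even though it runs on their behalf.
    file { $ssh_hook_path:
        content => template('phabricator/vcs/phabricator-ssh-hook.sh.erb'),
        mode    => '0755',
        owner   => 'root',
        group   => 'root',
        require => File['/usr/libexec'],
    }

    if empty($listen_addresses) {
        # Emit a warning but allow listen_address to be empty, this is needed
        # for easier migrations from one server to another. Note that with an
        # empty list neither the firewall rule, the sshd config nor the
        # ssh-phab service is managed at all.
        notify { 'Warning: phabricator::vcs::listen_address is empty': }
    } else {
        # allow ssh connection to IPs in hiera phabricator::vcs::listen_addresses:
        ferm::rule { 'ssh_public':
            rule => template('phabricator/vcs/ferm_rule-ssh_public.erb'),
        }

        file { $sshd_config:
            content => template('phabricator/vcs/sshd_config.phabricator.erb'),
            mode    => '0644',
            owner   => 'root',
            group   => 'root',
            require => Package['openssh-server'],
            notify  => Service['ssh-phab'],
        }

        # Second sshd instance dedicated to repository access; Service['ssh-phab']
        # referenced above is expected to be declared by this define.
        systemd::service { 'ssh-phab':
            ensure  => 'present',
            content => systemd_template('ssh-phab'),
            require => Package['openssh-server'],
        }
    }

    # phd.user owns repo resources and both vcs and web user
    # must sudo to phd to for repo work.
    # SETENV lets the calling user pass environment variables through to the
    # process running as phd (presumably needed because the git server
    # commands take their parameters from the environment); it widens what
    # the caller can inject, so keep the command lists below exact paths and
    # do not add wildcards.
    sudo::user { $vcs_user:
        privileges => [
            "ALL=(${phd_user}) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/svnserve",
        ],
        require    => User[$vcs_user],
    }

    sudo::user { 'www-data':
        privileges => [
            "ALL=(${phd_user}) SETENV: NOPASSWD: /usr/local/bin/git-http-backend",
        ],
        require    => File['/usr/local/bin/git-http-backend'],
    }


}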