35 \<^medskip> |
35 \<^medskip> |
36 The following Phabricator instances may serve as examples: |
36 The following Phabricator instances may serve as examples: |
37 |
37 |
38 \<^item> Phabricator development \<^url>\<open>https://secure.phabricator.com\<close> |
38 \<^item> Phabricator development \<^url>\<open>https://secure.phabricator.com\<close> |
39 \<^item> Wikimedia development \<^url>\<open>https://phabricator.wikimedia.org\<close> |
39 \<^item> Wikimedia development \<^url>\<open>https://phabricator.wikimedia.org\<close> |
40 \<^item> Blender development \<^url>\<open>https://developer.blender.org/\<close> |
40 \<^item> Blender development \<^url>\<open>https://developer.blender.org\<close> |
41 \<^item> Mercurial development \<^url>\<open>https://phab.mercurial-scm.org\<close> |
41 \<^item> Mercurial development \<^url>\<open>https://phab.mercurial-scm.org\<close> |
42 \<^item> Isabelle development \<^url>\<open>https://isabelle-dev.sketis.net\<close> |
42 \<^item> Isabelle development \<^url>\<open>https://isabelle-dev.sketis.net\<close> |
43 |
43 |
44 \<^medskip> Initial Phabricator configuration requires many details to be done |
44 \<^medskip> Initial Phabricator configuration requires many details to be done |
45 right.\<^footnote>\<open>See also |
45 right.\<^footnote>\<open>See also |
59 subtle dependencies on system packages and configuration that is assumed by |
59 subtle dependencies on system packages and configuration that is assumed by |
60 the Isabelle setup tool. |
60 the Isabelle setup tool. |
61 |
61 |
62 For production use, a proper \<^emph>\<open>Virtual Server\<close> or \<^emph>\<open>Root Server\<close> product |
62 For production use, a proper \<^emph>\<open>Virtual Server\<close> or \<^emph>\<open>Root Server\<close> product |
63 from a hosting provider will be required, including an Internet Domain Name |
63 from a hosting provider will be required, including an Internet Domain Name |
64 (a pseudo sub-domain in the style of Apache is sufficient). |
64 (\secref{sec:phabricator-domain}). |
65 |
65 |
66 Initial experimentation also works on a local host, e.g.\ via |
66 Initial experimentation also works on a local host, e.g.\ via |
67 VirtualBox\<^footnote>\<open>\<^url>\<open>https://www.virtualbox.org\<close>\<close>. The public domain \<^verbatim>\<open>lvh.me\<close> is |
67 VirtualBox\<^footnote>\<open>\<^url>\<open>https://www.virtualbox.org\<close>\<close>. The public domain \<^verbatim>\<open>lvh.me\<close> is |
68 used below: it maps arbitrary subdomains to \<^verbatim>\<open>localhost\<close>. |
68 used by default: it maps arbitrary subdomains to \<^verbatim>\<open>localhost\<close>. |
69 |
69 |
70 All administrative commands need to be run as \<^verbatim>\<open>root\<close> user (e.g.\ via |
70 All administrative commands need to be run as \<^verbatim>\<open>root\<close> user (e.g.\ via |
71 \<^verbatim>\<open>sudo\<close>). Note that Isabelle refers to user-specific configuration in the |
71 \<^verbatim>\<open>sudo\<close>). Note that Isabelle refers to user-specific configuration in the |
72 user home directory via @{setting ISABELLE_HOME_USER} |
72 user home directory via @{setting ISABELLE_HOME_USER} |
73 (\secref{sec:settings}); that may be different or absent for the root user |
73 (\secref{sec:settings}); that may be different or absent for the root user |
79 |
79 |
80 text \<open> |
80 text \<open> |
81 Isabelle can manage multiple named Phabricator installations: this allows to |
81 Isabelle can manage multiple named Phabricator installations: this allows to |
82 separate administrative responsibilities, e.g.\ different approaches to user |
82 separate administrative responsibilities, e.g.\ different approaches to user |
83 management for different projects. Subsequently we always use the default |
83 management for different projects. Subsequently we always use the default |
84 name ``\<^verbatim>\<open>vcs\<close>'': it will appear in file and directory locations, internal |
84 name ``\<^verbatim>\<open>vcs\<close>'': the name will appear in file and directory locations, |
85 database names and URLs. |
85 internal database names and URLs. |
86 |
86 |
87 The initial setup works as follows (with full Linux package upgrade): |
87 The initial setup works as follows (with full Linux package upgrade): |
88 |
88 |
89 @{verbatim [display] \<open> isabelle phabricator_setup -U -M:\<close>} |
89 @{verbatim [display] \<open> isabelle phabricator_setup -U -M:\<close>} |
90 |
90 |
91 After installing many packages, cloning the Phabricator distribution, |
91 After installing many packages, cloning the Phabricator distribution, |
92 initializing the MySQL database and Apache, the tool prints an URL for |
92 initializing the MySQL database and Apache, the tool prints an URL for |
93 further configuration. The following needs to be provided by the web |
93 further configuration. Now the following needs to be provided by the web |
94 interface: |
94 interface. |
95 |
95 |
96 \<^item> An initial user that will get administrator rights. There is no need to |
96 \<^item> An initial user that will get administrator rights. There is no need to |
97 create a special \<^verbatim>\<open>admin\<close> account. Instead, a regular user that will take |
97 create a special \<^verbatim>\<open>admin\<close> account. Instead, a regular user that will take |
98 over this responsibility can be used here. Subsequently we assume that |
98 over this responsibility can be used here. Subsequently we assume that |
99 user \<^verbatim>\<open>makarius\<close> becomes the initial administrator. |
99 user \<^verbatim>\<open>makarius\<close> becomes the initial administrator. |
103 overview of \<^emph>\<open>Setup Issues\<close>: following these hints quickly leads to the |
103 overview of \<^emph>\<open>Setup Issues\<close>: following these hints quickly leads to the |
104 place where a regular \<^emph>\<open>Username/Password\<close> provider can be added. |
104 place where a regular \<^emph>\<open>Username/Password\<close> provider can be added. |
105 |
105 |
106 Alternatively, Phabricator can delegate the responsibility of |
106 Alternatively, Phabricator can delegate the responsibility of |
107 authentication to big corporations like Google and Facebook, but these can |
107 authentication to big corporations like Google and Facebook, but these can |
108 be ignored. Genuine self-hosting means to manage users directly, without |
108 be easily ignored. Genuine self-hosting means to manage users directly, |
109 outsourcing of authentication. |
109 without outsourcing of authentication. |
110 |
110 |
111 \<^item> A proper password for the administrator can now be set, e.g.\ by the |
111 \<^item> A proper password for the administrator can now be set, e.g.\ by the |
112 following command: |
112 following command: |
113 |
113 |
114 @{verbatim [display] \<open> isabelle phabricator bin/auth recover makarius\<close>} |
114 @{verbatim [display] \<open> isabelle phabricator bin/auth recover makarius\<close>} |
118 |
118 |
119 Any further users will be able to provide a password directly, because the |
119 Any further users will be able to provide a password directly, because the |
120 Auth Provider is already active. |
120 Auth Provider is already active. |
121 |
121 |
122 \<^item> The list of Phabricator \<^bold>\<open>Setup Issues\<close> should be studied with some |
122 \<^item> The list of Phabricator \<^bold>\<open>Setup Issues\<close> should be studied with some |
123 care, to make sure that no serious problems are remaining. The request to |
123 care, to make sure that no serious problems are remaining. For example, |
124 lock the configuration can be fulfilled as follows: |
124 the request to lock the configuration can be fulfilled as follows: |
125 |
125 |
126 @{verbatim [display] \<open> isabelle phabricator bin/auth lock\<close>} |
126 @{verbatim [display] \<open> isabelle phabricator bin/auth lock\<close>} |
127 |
127 |
128 \<^medskip> A few other Setup Issues might be relevant as well, e.g.\ the timezone |
128 \<^medskip> A few other Setup Issues might be relevant as well, e.g.\ the timezone |
129 of the server. Some more exotic points can be ignored: Phabricator |
129 of the server. Some more exotic points can be ignored: Phabricator |
130 provides careful explanations about what it thinks could be wrong, always |
130 provides careful explanations about what it thinks could be wrong, while |
131 leaving some room for interpretation. |
131 leaving some room for interpretation. |
132 \<close> |
132 \<close> |
133 |
133 |
134 |
134 |
135 subsection \<open>Mailer configuration\<close> |
135 subsection \<open>Mailer configuration\<close> |
165 \<^verbatim>\<open>key\<close> field in the JSON file identifies the name of the configuration that |
165 \<^verbatim>\<open>key\<close> field in the JSON file identifies the name of the configuration that |
166 will be overwritten each time, when taking over the parameters via |
166 will be overwritten each time, when taking over the parameters via |
167 \<^verbatim>\<open>isabelle phabricator_setup_mail\<close>. |
167 \<^verbatim>\<open>isabelle phabricator_setup_mail\<close>. |
168 |
168 |
169 \<^medskip> |
169 \<^medskip> |
170 This is how to query the current mail configuration: |
170 The effective mail configuration can be queried like this: |
171 |
171 |
172 @{verbatim [display] \<open> isabelle phabricator bin/config get cluster.mailers\<close>} |
172 @{verbatim [display] \<open> isabelle phabricator bin/config get cluster.mailers\<close>} |
173 \<close> |
173 \<close> |
174 |
174 |
175 |
175 |
177 |
177 |
178 text \<open> |
178 text \<open> |
179 SSH configuration is optional, but important to access hosted repositories |
179 SSH configuration is optional, but important to access hosted repositories |
180 with public-key authentication. |
180 with public-key authentication. |
181 |
181 |
182 The subsequent configuration is convenient, but also ambitious: it takes |
182 The subsequent configuration is convenient (and ambitious): it takes away |
183 away the standard port 22 from the operating system and assigns it to |
183 the standard port 22 from the operating system and assigns it to |
184 Isabelle/Phabricator: |
184 Isabelle/Phabricator. |
185 |
185 |
186 @{verbatim [display] \<open> isabelle phabricator_setup_ssh -p 22 -q 222\<close>} |
186 @{verbatim [display] \<open> isabelle phabricator_setup_ssh -p 22 -q 222\<close>} |
187 |
187 |
188 Afterwards, remote login to the server host needs to use that alternative |
188 Afterwards, remote login to the server host needs to use that alternative |
189 port 222. If there is a problem with it, the administrator can usually |
189 port 222. If there is a problem connecting again, the administrator can |
190 connect to a remote console via some web interface of the virtual server |
190 usually access a remote console via some web interface of the virtual server |
191 provider. |
191 provider. |
192 |
192 |
193 \<^medskip> |
193 \<^medskip> |
194 The following alternative is more modest: it uses port 2222 for Phabricator, |
194 The following alternative is more modest: it uses port 2222 for Phabricator, |
195 and retains port 22 for the operating system: |
195 and retains port 22 for the operating system. |
196 |
196 |
197 @{verbatim [display] \<open> isabelle phabricator_setup_ssh -p 2222 -q 22\<close>} |
197 @{verbatim [display] \<open> isabelle phabricator_setup_ssh -p 2222 -q 22\<close>} |
198 |
198 |
199 \<^medskip> |
199 \<^medskip> |
200 The tool can be invoked multiple times with different parameters; ports are |
200 The tool can be invoked multiple times with different parameters; ports are |
201 changed back and forth each time and services restarted. |
201 changed back and forth each time and services restarted. |
202 \<close> |
202 \<close> |
203 |
203 |
204 |
204 |
205 subsection \<open>Public domain name and HTTPS configuration\<close> |
205 subsection \<open>Public domain name and HTTPS configuration \label{sec:phabricator-domain}\<close> |
206 |
206 |
207 text \<open> |
207 text \<open> |
208 So far the Phabricator server has been accessible only on \<^verbatim>\<open>localhost\<close> (via |
208 So far the Phabricator server has been accessible only on \<^verbatim>\<open>localhost\<close> (via |
209 the alias \<^verbatim>\<open>lvh.me\<close>). Proper configuration of a public Internet domain name |
209 the alias \<^verbatim>\<open>lvh.me\<close>). Proper configuration of a public Internet domain name |
210 (with HTTPS certificate from \<^emph>\<open>Let's Encrypt\<close>) works as follows. |
210 (with HTTPS certificate from \<^emph>\<open>Let's Encrypt\<close>) works as follows. |
227 \<^url>\<open>https://certbot.eff.org/lets-encrypt/ubuntubionic-apache\<close>. Run |
227 \<^url>\<open>https://certbot.eff.org/lets-encrypt/ubuntubionic-apache\<close>. Run |
228 \<^verbatim>\<open>certbot\<close> interactively and let it operate on the domain |
228 \<^verbatim>\<open>certbot\<close> interactively and let it operate on the domain |
229 \<^verbatim>\<open>vcs.example.org\<close>. |
229 \<^verbatim>\<open>vcs.example.org\<close>. |
230 |
230 |
231 \<^item> Inform Phabricator about its new domain name like this: |
231 \<^item> Inform Phabricator about its new domain name like this: |
232 @{verbatim [display] \<open> isabelle phabricator bin/config set |
232 @{verbatim [display] \<open> isabelle phabricator bin/config set \ |
233 phabricator.base-uri https://vcs.example.org\<close>} |
233 phabricator.base-uri https://vcs.example.org\<close>} |
234 |
234 |
235 \<^item> Visit the website \<^verbatim>\<open>https://vcs.example.org\<close> and continue Phabricator |
235 \<^item> Visit the website \<^verbatim>\<open>https://vcs.example.org\<close> and configure Phabricator |
236 configuration as described before. The following options are particularly |
236 as described before. The following options are particularly relevant for a |
237 relevant for a public website: |
237 public website: |
238 |
238 |
239 \<^item> \<^emph>\<open>Auth Provider / Username/Password\<close>: disable \<^emph>\<open>Allow Registration\<close> to |
239 \<^item> \<^emph>\<open>Auth Provider / Username/Password\<close>: disable \<^emph>\<open>Allow Registration\<close> to |
240 avoid arbitrary registrants; users can be invited via email instead. |
240 avoid uncontrolled registrants; users can still be invited via email |
|
241 instead. |
241 |
242 |
242 \<^item> Enable \<^verbatim>\<open>policy.allow-public\<close> to allow read-only access to resources, |
243 \<^item> Enable \<^verbatim>\<open>policy.allow-public\<close> to allow read-only access to resources, |
243 without requiring user registration. |
244 without requiring user registration. |
244 \<close> |
245 \<close> |
245 |
246 |
256 (subdirectory \<^verbatim>\<open>repo\<close>). |
257 (subdirectory \<^verbatim>\<open>repo\<close>). |
257 |
258 |
258 \<^enum> Multiple \<^emph>\<open>MySQL databases\<close> with a common prefix derived from the |
259 \<^enum> Multiple \<^emph>\<open>MySQL databases\<close> with a common prefix derived from the |
259 installation name --- the same name is used as database user name. |
260 installation name --- the same name is used as database user name. |
260 |
261 |
261 The Linux root user may invoke \<^verbatim>\<open>/usr/local/bin/isabelle-phabricator-dump\<close> |
262 The root user may invoke \<^verbatim>\<open>/usr/local/bin/isabelle-phabricator-dump\<close> |
262 to create a complete database dump within the root directory. Afterwards it |
263 to create a complete database dump within the root directory. Afterwards it |
263 is sufficient to make a conventional \<^bold>\<open>file-system backup\<close> of everything. To |
264 is sufficient to make a conventional \<^bold>\<open>file-system backup\<close> of everything. To |
264 restore the database state, see the explanations on \<^verbatim>\<open>mysqldump\<close> in |
265 restore the database state, see the explanations on \<^verbatim>\<open>mysqldump\<close> in |
265 \<^url>\<open>https://secure.phabricator.com/book/phabricator/article/configuring_backups\<close>. |
266 \<^url>\<open>https://secure.phabricator.com/book/phabricator/article/configuring_backups\<close>. |
266 |
267 |
273 |
274 |
274 For example, copying a database snapshot from one installation to another |
275 For example, copying a database snapshot from one installation to another |
275 works as follows. Run on the first installation root directory: |
276 works as follows. Run on the first installation root directory: |
276 |
277 |
277 @{verbatim [display] \<open> phabricator/bin/storage dump > dump1.sql |
278 @{verbatim [display] \<open> phabricator/bin/storage dump > dump1.sql |
278 phabricator/bin/storage renamespace --from phabricator_vcs |
279 phabricator/bin/storage renamespace --from phabricator_vcs \ |
279 --to phabricator_xyz --input dump1.sql --output dump2.sql\<close>} |
280 --to phabricator_xyz --input dump1.sql --output dump2.sql\<close>} |
280 |
281 |
281 Now run on the second installation root directory: |
282 Them run on the second installation root directory: |
282 @{verbatim [display] \<open> phabricator/bin/storage destroy |
283 @{verbatim [display] \<open> phabricator/bin/storage destroy |
283 phabricator/bin/storage shell < dump2.sql\<close>} |
284 phabricator/bin/storage shell < .../dump2.sql\<close>} |
284 |
285 |
285 Local configuration in \<^verbatim>\<open>phabricator/config/local/\<close> and hosted repositories |
286 Local configuration in \<^verbatim>\<open>phabricator/config/local/\<close> and hosted repositories |
286 need to be treated separately within the file-system. For the latter |
287 need to be treated separately within the file-system. For the latter |
287 see also these tools: |
288 see also these tools: |
288 @{verbatim [display] \<open> phabricator/bin/repository help list-paths |
289 @{verbatim [display] \<open> phabricator/bin/repository help list-paths |
366 |
367 |
367 |
368 |
368 subsection \<open>\<^verbatim>\<open>isabelle phabricator_setup\<close>\<close> |
369 subsection \<open>\<^verbatim>\<open>isabelle phabricator_setup\<close>\<close> |
369 |
370 |
370 text \<open> |
371 text \<open> |
371 The @{tool_def phabricator_setup} installs a fresh Phabricator instance on |
372 The @{tool_def phabricator_setup} tool installs a fresh Phabricator instance |
372 Ubuntu 18.04 LTS: |
373 on Ubuntu 18.04 LTS: |
373 @{verbatim [display] \<open>Usage: isabelle phabricator_setup [OPTIONS] |
374 @{verbatim [display] \<open>Usage: isabelle phabricator_setup [OPTIONS] |
374 |
375 |
375 Options are: |
376 Options are: |
376 -M SOURCE install Mercurial from source: local PATH, or URL, or ":" |
377 -M SOURCE install Mercurial from source: local PATH, or URL, or ":" |
377 -R DIR repository directory (default: "/var/www/phabricator-NAME/repo") |
378 -R DIR repository directory (default: "/var/www/phabricator-NAME/repo") |
399 procedure for de-installation. In the worst case, it might be better to |
400 procedure for de-installation. In the worst case, it might be better to |
400 re-install the virtual machine from a clean image. |
401 re-install the virtual machine from a clean image. |
401 |
402 |
402 \<^medskip> |
403 \<^medskip> |
403 Option \<^verbatim>\<open>-U\<close> ensures a full update of system packages, before installing |
404 Option \<^verbatim>\<open>-U\<close> ensures a full update of system packages, before installing |
404 further packages required by Phabricator. This might require to reboot. |
405 further packages required by Phabricator. This might require a reboot. |
405 |
406 |
406 Option \<^verbatim>\<open>-M:\<close> installs a standard Mercurial release from source: this works |
407 Option \<^verbatim>\<open>-M:\<close> installs a standard Mercurial release from source: this works |
407 better than the package provided by Ubuntu 18.04. Alternatively, an explicit |
408 better than the package provided by Ubuntu 18.04. Alternatively, an explicit |
408 file path or URL the source archive (\<^verbatim>\<open>.tar.gz\<close>) may be here. This option is |
409 file path or URL the source archive (\<^verbatim>\<open>.tar.gz\<close>) may be here. This option is |
409 recommended for production use, but it requires to \<^emph>\<open>uninstall\<close> existing |
410 recommended for production use, but it requires to \<^emph>\<open>uninstall\<close> existing |
428 |
429 |
429 |
430 |
430 subsection \<open>\<^verbatim>\<open>isabelle phabricator_setup_mail\<close>\<close> |
431 subsection \<open>\<^verbatim>\<open>isabelle phabricator_setup_mail\<close>\<close> |
431 |
432 |
432 text \<open> |
433 text \<open> |
433 The @{tool_def phabricator_setup_mail} provides mail configuration for an |
434 The @{tool_def phabricator_setup_mail} tool provides mail configuration for |
434 existing Phabricator installation: |
435 an existing Phabricator installation: |
435 @{verbatim [display] \<open>Usage: isabelle phabricator_setup_mail [OPTIONS] |
436 @{verbatim [display] \<open>Usage: isabelle phabricator_setup_mail [OPTIONS] |
436 |
437 |
437 Options are: |
438 Options are: |
438 -T USER send test mail to Phabricator user |
439 -T USER send test mail to Phabricator user |
439 -f FILE config file (default: "mailers.json" within |
440 -f FILE config file (default: "mailers.json" within |
470 |
471 |
471 |
472 |
472 subsection \<open>\<^verbatim>\<open>isabelle phabricator_setup_ssh\<close>\<close> |
473 subsection \<open>\<^verbatim>\<open>isabelle phabricator_setup_ssh\<close>\<close> |
473 |
474 |
474 text \<open> |
475 text \<open> |
475 The @{tool_def phabricator_setup_ssh} configures a special SSH service |
476 The @{tool_def phabricator_setup_ssh} tool configures a special SSH service |
476 for all Phabricator installations: |
477 for all Phabricator installations: |
477 @{verbatim [display] \<open>Usage: isabelle phabricator_setup_ssh [OPTIONS] |
478 @{verbatim [display] \<open>Usage: isabelle phabricator_setup_ssh [OPTIONS] |
478 |
479 |
479 Options are: |
480 Options are: |
480 -p PORT sshd port for Phabricator servers (default: 2222) |
481 -p PORT sshd port for Phabricator servers (default: 2222) |