Script to automate setup of humbug-dev as currently configured (untested)

(imported from commit 8dcb85fad9f04dc393198f8ee2afcca23edf7b51)

servers/humbug-dev/.gitignore

@@ -0,0 +1,2 @@
+# Don't check SSL private keys into git!
+*.key

servers/humbug-dev/apache/certs/humbug-self-signed.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE3zCCA8egAwIBAgIJAN3CC4GEIJkwMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
+VQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJp
+ZGdlMS0wKwYDVQQKEyRIdW1idWcsIEluYy4gc2VsZi1zaWduZWQgY2VydGlmaWNh
+dGUxFzAVBgNVBAMUDiouaHVtYnVnaHEuY29tMSIwIAYJKoZIhvcNAQkBFhNrZWVn
+YW5AaHVtYnVnaHEuY29tMB4XDTEyMDgzMTE1MzYzM1oXDTEzMDgzMTE1MzYzM1ow
+gaUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRIwEAYDVQQH
+EwlDYW1icmlkZ2UxLTArBgNVBAoTJEh1bWJ1ZywgSW5jLiBzZWxmLXNpZ25lZCBj
+ZXJ0aWZpY2F0ZTEXMBUGA1UEAxQOKi5odW1idWdocS5jb20xIjAgBgkqhkiG9w0B
+CQEWE2tlZWdhbkBodW1idWdocS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCjbTp0acK00BTchVi8C3+kJEAJLAwDKhI+D8QZc4S8hzHAqCwfqFPF
+hu1XTsfJo0UJvCzaTardKVEyRC/cnw72GWZxXYb3LLG/Ae8rwgxaB62Za76oAKW7
+DSoXvRAyJhIjaR/bal+ZXtXGbVcM1TWGyNjRi1v3KbZJqfNLarZFC8ihGeiCY1WC
+3l1+pgbzqaNHg/+dJqtMyh0QL7SYduqeY2fzbQeAAUjA4PK/1xK8noytfzlMNxni
+8kzgrsl/fnHoZUYIla5oCe/6HTFhNxZuE9vNjPd2HbFno/DcHnyHaPTxQvMAcAzw
+kx3LimTWWDns7aSwhqGKm8yugE/SXqXDAgMBAAGjggEOMIIBCjAdBgNVHQ4EFgQU
+EXOsgM0f63ErCvqTaD5Wgb1QmTQwgdoGA1UdIwSB0jCBz4AUEXOsgM0f63ErCvqT
+aD5Wgb1QmTShgaukgagwgaUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNo
+dXNldHRzMRIwEAYDVQQHEwlDYW1icmlkZ2UxLTArBgNVBAoTJEh1bWJ1ZywgSW5j
+LiBzZWxmLXNpZ25lZCBjZXJ0aWZpY2F0ZTEXMBUGA1UEAxQOKi5odW1idWdocS5j
+b20xIjAgBgkqhkiG9w0BCQEWE2tlZWdhbkBodW1idWdocS5jb22CCQDdwguBhCCZ
+MDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQA2JXeDK6DAagyceshJ
+1cNj7RIrIi2BSnAQnDL+kl6tqWRWqFWyYgwkvYc98cZ0Ebu8LBcneQ04zx4pIABe
+5SyU5o1DH4RdEF6eHnfl4cP+eh1QQlpvzc40hukswy7ejzjngYE9HLZULxFPXgiO
+QWcPQ6L6Y09+PgEMHTb+CoWpeosKDp9YzPu5k9unpub3qJlLb0YWbHAtN2Q6lymb
+znYmtRSk05ZtxJ5UgLWMtCZCrqycXE6XD7SysD7YRG9qRxFrCIZJ/gsa1BLTMlbK
+3PNAkSsZVrpbfT77vIP9dcmT/R8tQQCxV02OFJIl8G1T45c+pxaa1vGs0j+riaZA
+R919
+-----END CERTIFICATE-----

servers/humbug-dev/apache/sites/app

@@ -0,0 +1,38 @@
+<VirtualHost *:80>
+    ServerName app.humbughq.com
+    Redirect permanent / https://app.humbughq.com/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName app.humbughq.com
+
+    SSLEngine on
+    SSLCertificateFile /etc/apache2/certs/humbug-self-signed.crt
+    SSLCertificateKeyFile /etc/apache2/certs/humbug-self-signed.key
+
+    Header add Strict-Transport-Security "max-age=15768000"
+
+    RewriteEngine On
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    <Proxy *>
+       Order deny,allow
+       Allow from all
+
+       AuthType Digest
+       AuthName "wiki"
+       AuthDigestProvider file
+       AuthUserFile /etc/apache2/users/wiki
+       Require valid-user
+    </Proxy>
+
+    ProxyPassReverse /    http://127.0.0.1:9991
+    RewriteRule ^(.*) http://127.0.0.1:9991$1 [P]
+
+    ErrorLog /var/log/apache2/error.log
+    LogLevel warn
+
+    CustomLog /var/log/apache2/access.log combined
+    ServerSignature On
+</VirtualHost>

servers/humbug-dev/apache/sites/humbug-default

@@ -0,0 +1,37 @@
+<VirtualHost *:80>
+	ServerAdmin webmaster@localhost
+        ServerName  dev.humbughq.com
+
+	DocumentRoot /var/www
+	<Directory *>
+		Options FollowSymLinks
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	LogLevel warn
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerAdmin webmaster@localhost
+        ServerName  dev.humbughq.com
+
+        SSLEngine on
+        SSLCertificateFile /etc/apache2/certs/humbug-self-signed.crt
+        SSLCertificateKeyFile /etc/apache2/certs/humbug-self-signed.key
+
+	DocumentRoot /var/www
+	<Directory *>
+		Options FollowSymLinks
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	LogLevel warn
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>

servers/humbug-dev/apache/sites/wiki

@@ -0,0 +1,38 @@
+<VirtualHost *:80>
+    ServerName wiki.humbughq.com
+    Redirect permanent / https://wiki.humbughq.com/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName wiki.humbughq.com
+
+    SSLEngine on
+    SSLCertificateFile /etc/apache2/certs/humbug-self-signed.crt
+    SSLCertificateKeyFile /etc/apache2/certs/humbug-self-signed.key
+
+    Header add Strict-Transport-Security "max-age=15768000"
+
+    RewriteEngine On
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    <Proxy *>
+       Order deny,allow
+       Allow from all
+
+       AuthType Digest
+       AuthName "wiki"
+       AuthDigestProvider file
+       AuthUserFile /etc/apache2/users/wiki
+       Require valid-user
+    </Proxy>
+
+    ProxyPassReverse /    http://127.0.0.1:5001
+    RewriteRule ^(.*) http://127.0.0.1:5001$1 [P]
+
+    ErrorLog /var/log/apache2/error.log
+    LogLevel warn
+
+    CustomLog /var/log/apache2/access.log combined
+    ServerSignature On
+</VirtualHost>

servers/humbug-dev/setup.bash

@@ -0,0 +1,65 @@
+#!/bin/bash -xe
+
+# Run the script from the directory where it lives, so we can
+# easily access config files etc.
+cd "$(dirname "$(readlink -f $0)")"
+
+if ! [ -f apache/certs/humbug-self-signed.key ]; then
+    echo "Copy humbug-self-signed.key to $(pwd)/apache/certs, but don't check it into git"
+    exit 1
+fi
+
+# Configure sshd to disallow password logins
+cat >>/etc/ssh/sshd_config <<EOF
+
+# added by setup.bash
+PasswordAuthentication no
+EOF
+service ssh restart
+
+# Create users and secure homedirs
+adduser --disabled-login wiki
+chmod 700 /home/{humbug,wiki}
+
+# Resize the filesystem to fill the EBS volume
+resize2fs /dev/xvda1
+
+# Add squeeze-backports and install packages
+cat >>/etc/apt/sources.list <<EOF
+deb http://backports.debian.org/debian-backports squeeze-backports main
+deb-src http://backports.debian.org/debian-backports squeeze-backports main
+EOF
+apt-get update
+apt-get upgrade
+apt-get install sudo emacs vim screen git python-tz sqlite3 apache2 gitit python-tornado
+apt-get install -t squeeze-backports python-django
+
+# Configure Apache
+a2enmod proxy proxy_http rewrite auth_digest ssl
+rm -f /etc/apache2/sites-enabled/*
+cp apache/sites/* /etc/apache2/sites-available/
+ln -s ../sites-available/humbug-default /etc/apache2/sites-enabled/000-default
+ln -s ../sites-available/wiki           /etc/apache2/sites-enabled/001-wiki
+ln -s ../sites-available/app            /etc/apache2/sites-enabled/002-app
+
+# Create the Apache wiki user database
+mkdir -p /etc/apache2/users
+touch /etc/apache2/users/wiki
+chown www-data:www-data /etc/apache2/users/wiki
+chmod 600 /etc/apache2/users/wiki
+
+# Copy in the self-signed SSL certificate
+mkdir -p /etc/apache2/certs
+cp apache/certs/humbug-self-signed.{crt,key} /etc/apache2/certs/
+chown root:root /etc/apache2/certs/*
+chmod 644 /etc/apache2/certs/*.crt
+chmod 600 /etc/apache2/certs/*.key
+
+# Restart Apache
+service apache2 restart
+
+# Configure the wiki
+mkdir -p /home/wiki/wiki/static/img
+cp wiki/gitit.conf /home/wiki/wiki/
+cp wiki/logo.png   /home/wiki/wiki/static/img/
+chown -R wiki:wiki /home/wiki/wiki

servers/humbug-dev/wiki/gitit.conf

@@ -0,0 +1,234 @@
+# gitit wiki configuration file
+
+port: 5001
+# sets the port on which the web server will run.
+
+wiki-title: Humbug Wiki
+# the title of the wiki.
+
+repository-type: Git
+# specifies the type of repository used for wiki content.
+# Options are Git, Darcs, and Mercurial.
+
+repository-path: wikidata
+# specifies the path of the repository directory.  If it does not
+# exist, gitit will create it on startup.
+
+authentication-method: http
+# 'form' means that users will be logged in and registered
+# using forms in the gitit web interface.  'http' means
+# that gitit will assume that HTTP authentication is in
+# place and take the logged in username from the "Authorization"
+# field of the HTTP request header (in addition,
+# the login/logout and registration links will be
+# suppressed).  'generic' means that gitit will assume that
+# some form of authentication is in place that directly
+# sets REMOTE_USER to the name of the authenticated user
+# (e.g. mod_auth_cas on apache).
+
+user-file: gitit-users
+# specifies the path of the file containing user login information.
+# If it does not exist, gitit will create it (with an empty user list).
+# This file is not used if 'http' is selected for authentication-method.
+
+session-timeout: 360
+# number of minutes of inactivity before a session expires.
+
+static-dir: static
+# specifies the path of the static directory (containing javascript,
+# css, and images).  If it does not exist, gitit will create it
+# and populate it with required scripts, stylesheets, and images.
+
+default-page-type: Markdown
+# specifies the type of markup used to interpret pages in the wiki.
+# Possible values are Markdown, RST, LaTeX, HTML, Markdown+LHS, RST+LHS,
+# and LaTeX+LHS. (The +LHS variants treat the input as
+# literate Haskell. See pandoc's documentation for more details.) If
+# Markdown is selected, pandoc's syntax extensions (for footnotes,
+# delimited code blocks, etc.) will be enabled. Note that pandoc's
+# reStructuredText parser is not complete, so some pages may not be
+# rendered correctly if RST is selected. The same goes for LaTeX and
+# HTML.
+
+math: MathML
+# specifies how LaTeX math is to be displayed.  Possible values
+# are MathML, raw, and jsMath.  If mathml is selected, gitit will
+# convert LaTeX math to MathML and link in a script, MathMLinHTML.js,
+# that allows the MathML to be seen in Gecko browsers, IE +
+# mathplayer, and Opera.  In other browsers you may get a jumble
+# of characters. If raw is selected, the LaTeX math will be displayed
+# as raw LaTeX math. If jsMath is selected, gitit will link to
+# the script /js/jsMath/easy/load.js, and will assume that jsMath
+# has been installed into the js/jsMath directory. This is the most
+# portable solution.
+
+show-lhs-bird-tracks: no
+# specifies whether to show Haskell code blocks in "bird style",
+# with "> " at the beginning of each line.
+
+templates-dir: templates
+# specifies the path of the directory containing page templates.
+# If it does not exist, gitit will create it with default templates.
+# Users may wish to edit the templates to customize the appearance of
+# their wiki. The template files are HStringTemplate templates.
+# Variables to be interpolated appear between $'s. Literal $'s must be
+# backslash-escaped.
+
+log-file: gitit.log
+# specifies the path of gitit's log file.  If it does not exist,
+# gitit will create it. The log is in Apache combined log format.
+
+log-level: WARNING
+# determines how much information is logged.
+# Possible values (from most to least verbose) are DEBUG, INFO,
+# NOTICE, WARNING, ERROR, CRITICAL, ALERT, EMERGENCY.
+
+front-page: Front Page
+# specifies which wiki page is to be used as the wiki's front page.
+# Gitit creates a default front page on startup, if one does not exist
+# already.
+
+no-delete: Front Page, Help
+# specifies pages that cannot be deleted through the web interface.
+# (They can still be deleted directly using git or darcs.)
+# A comma-separated list of page names.  Leave blank to allow
+# every page to be deleted.
+
+no-edit: Help
+# specifies pages that cannot be edited through the web interface.
+# Leave blank to allow every page to be edited.
+
+default-summary: (default commit message)
+# specifies text to be used in the change description if the author
+# leaves the "description" field blank.  If default-summary is blank
+# (the default), the author will be required to fill in the description
+# field.
+
+table-of-contents: yes
+# specifies whether to print a tables of contents (with links to
+# sections) on each wiki page.
+
+plugins:
+# specifies a list of plugins to load.  Plugins may be specified
+# either by their path or by their module name.  If the plugin name
+# starts with Gitit.Plugin., gitit will assume that the plugin is
+# an installed module and will not try to find a source file.
+# Examples:
+# plugins: plugins/DotPlugin.hs, CapitalizeEmphasisPlugin.hs
+# plugins: plugins/DotPlugin
+# plugins: Gitit.Plugin.InterwikiLinks
+
+use-cache: no
+# specifies whether to cache rendered pages.  Note that if use-feed
+# is selected, feeds will be cached regardless of the value of use-cache.
+
+cache-dir: cache
+# directory where rendered pages will be cached
+
+max-upload-size: 100K
+# specifies an upper limit on the size (in bytes) of files uploaded
+# through the wiki's web interface.
+# To disable uploads, set this to 0K.
+# This will result in the uploads link disappearing 
+# and the _upload url becoming inactive.
+
+max-page-size: 100K
+# specifies an upper limit on the size (in bytes) of pages
+
+debug-mode: no
+# if "yes", causes debug information to be logged while gitit is running.
+
+compress-responses: yes
+# specifies whether HTTP responses should be compressed.
+
+mime-types-file: /etc/mime.types
+# specifies the path of a file containing mime type mappings.
+# Each line of the file should contain two fields, separated by
+# whitespace. The first field is the mime type, the second is a
+# file extension.  For example:
+# video/x-ms-wmx                    wmx
+# If the file is not found, some simple defaults will be used.
+
+use-recaptcha: no
+# if "yes", causes gitit to use the reCAPTCHA service
+# (http://recaptcha.net) to prevent bots from creating accounts.
+
+recaptcha-private-key:
+recaptcha-public-key:
+# specifies the public and private keys for the reCAPTCHA service.
+# To get these, you need to create an account at http://recaptcha.net.
+
+access-question: Signup code (from home directory on server)
+access-question-answers: Uqq9p67pR+I3BNah
+# specifies a question that users must answer when they attempt to create
+# an account, along with a comma-separated list of acceptable answers.
+# This can be used to institute a rudimentary password for signing up as
+# a user on the wiki, or as an alternative to reCAPTCHA.
+# Example:
+# access-question:  What is the code given to you by Ms. X?
+# access-question-answers:  RED DOG, red dog
+
+mail-command: sendmail %s
+# specifies the command to use to send notification emails.
+# '%s' will be replaced by the destination email address.
+# The body of the message will be read from stdin.
+# If this field is left blank, password reset will not be offered.
+
+reset-password-message:
+  > From: nobody@$hostname$
+  > To: $useremail$
+  > Subject: Wiki password reset
+  >
+  > Dear $username$:
+  > 
+  > To reset your password, please follow the link below:
+  > http://$hostname$:$port$$resetlink$
+  > 
+  > Yours sincerely,
+  > The Wiki Master
+
+# gives the text of the message that will be sent to the user should she
+# want to reset her password, or change other registration info.
+# The lines must be indented, and must begin with '>'.  The initial
+# spaces and '> ' will be stripped off. $username$ will be replaced
+# by the user's username, $useremail$ by her email address,
+# $hostname$ by the hostname on which the wiki is running (as
+# returned by the hostname system call), $port$ by the port on
+# which the wiki is running, and $resetlink$ by the
+# relative path of a reset link derived from the user's existing
+# hashed password. If your gitit wiki is being proxied to a location
+# other than the root path of $port$, you should change the link to
+# reflect this: for example, to
+# http://$hostname$/path/to/wiki$resetlink$ or
+# http://gitit.$hostname$$resetlink$
+
+use-feed: no
+# specifies whether an ATOM feed should be enabled (for the site and for
+# individual pages)
+
+base-url:
+# the base URL of the wiki, to be used in constructing feed IDs.
+# If this field is left blank, gitit will get the base URL from the
+# request header 'Host'.  For most users, this should be fine, but
+# if you are proxying a gitit instance to a subdirectory URL, you will
+# want to set this manually.
+
+feed-days: 14
+# number of days to be included in feeds.
+
+feed-refresh-time: 60
+# number of minutes to cache feeds before refreshing
+
+pdf-export: no
+# if yes, PDF will appear in export options. PDF will be created using
+# pdflatex, which must be installed and in the path. Note that PDF
+# exports create significant additional server load.
+
+pandoc-user-data:
+# if a directory is specified, this will be searched for pandoc
+# customizations. These can include a templates/ directory for custom
+# templates for various export formats, an S5 directory for custom
+# S5 styles, and a reference.odt for ODT exports. If no directory is
+# specified, $HOME/.pandoc will be searched. See pandoc's README for
+# more information.
+

setup-server

@@ -1,11 +0,0 @@
-#!/bin/sh
-resize2fs /dev/xvda1
-apt-get update
-apt-get upgrade
-apt-get install sudo emacs screen git python-tz
-
-cat >>/etc/apt/sources.list <<EOF
-deb http://backports.debian.org/debian-backports squeeze-backports main
-deb-src http://backports.debian.org/debian-backports squeeze-backports main
-EOF
-apt-get install -t squeeze-backports python-django