View File README.fedora of Package phabricator (Project Infrastructure)

Post Installation Setup Instructions for Fedora
===============================================

Some things need doing to get Phabricator to run, that we cannot do to you.
They need to be self-inflicted. So, here you go.

POSIX filesystem permissions, user accounts, sudo rights
--------------------------------------------------------

A user and a group named 'phabricator' are created for you by the package.

We recommend separate POSIX accounts for three roles: the account that
Phabricator itself uses, the account that runs the web interface services,
and the account that individuals or bots use to reach the source code
repositories. This document outlines the additional actions you need to
take.

You would want your users to be able to use git with URLs such as:

    ssh://git@dev.example.org/diffusion/R/repo.git

This means a POSIX user 'git' would need to be created:

```
getent passwd git >/dev/null || \
    useradd -r -d "/var/lib/git" -s /sbin/nologin \
    -c "Git Service User" git
```

Make sure it holds no password and is unlocked:

```
passwd -d git
passwd -uf git
```

Make the user 'git' a member of the group 'phabricator':

```
getent group phabricator | grep -qw git || \
    gpasswd -a git phabricator >/dev/null 2>&1 || :
```

Make sure that the user 'git' can sudo, without a password, and use git-core
applications as the 'phabricator' account, so that not all repositories need
to be made world-readable and world-writeable:

```
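# Run as root; /etc is where sudo reads its drop-ins on the installed system.
cat > /etc/sudoers.d/git << EOF
git ALL=(phabricator) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack
EOF
chmod 0440 /etc/sudoers.d/git
visudo -cf /etc/sudoers.d/git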
```


#.  Phabricator would like to be able to allow a POSIX user such as 'git' to
    sudo without a password so that that POSIX user can be allowed access to
    git repositories without those being world-readable and world-writeable.

#.  The apache user, which runs the Phabricator PHP code, also needs access to
    the git repositories. It needs at least read access; hypothetically
    speaking, it could be given write access as well. Write access through
    the web interface is outside the scope of this document.

Allow apache to sudo to phabricator without a password, to execute (only) the
git-http-backend:

```
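# Run as root; /etc is where sudo reads its drop-ins on the installed system.
cat > /etc/sudoers.d/apache << EOF
apache ALL=(phabricator) SETENV: NOPASSWD: /usr/libexec/git-core/git-http-backend
EOF
chmod 0440 /etc/sudoers.d/apache
visudo -cf /etc/sudoers.d/apache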
```
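
The two sudoers rules above are meant to grant only the listed git-core
binaries, run as 'phabricator'. As an added example (not part of the package
or of Phabricator), the shell function below checks a drop-in for mode 0440,
the expected user and run-as account, and a command allowlist; the name
`audit_sudoers_dropin` and its one-rule-per-line parsing are assumptions of
this example.

```sh
#!/bin/sh
# Added example, not part of the package: audit a sudoers drop-in.
# Usage: audit_sudoers_dropin FILE USER RUNAS ALLOWED_CMD...
# Returns 0 only if FILE is mode 0440 and every rule in it is for USER,
# runs as RUNAS, and lists nothing but the ALLOWED_CMD paths.
audit_sudoers_dropin() {
    file=$1 user=$2 runas=$3 rc=0
    shift 3
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    mode=$(stat -c %a "$file")          # GNU stat, as shipped on Fedora
    [ "$mode" = 440 ] || { echo "$file: mode $mode, expected 440" >&2; rc=1; }
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        [ "${line%%[[:space:]]*}" = "$user" ] ||
            { echo "$file: rule is not for $user" >&2; rc=1; }
        r=${line#*\(}; r=${r%%\)*}      # text between '(' and ')'
        [ "$r" = "$runas" ] ||
            { echo "$file: run-as is not ($runas)" >&2; rc=1; }
        # Keep what follows ')', drop TAG: prefixes, tidy spaces around commas.
        cmds=$(printf '%s\n' "${line#*\)}" | LC_ALL=C sed \
            -e 's/[A-Z_][A-Z_]*:[[:space:]]*//g' \
            -e 's/[[:space:]]*,[[:space:]]*/,/g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        old_ifs=$IFS; IFS=,; set -f     # split on commas, no globbing
        for c in $cmds; do
            ok=0
            for a in "$@"; do
                if [ "$a" = "$c" ]; then ok=1; fi
            done
            [ "$ok" = 1 ] || { echo "$file: unexpected command: $c" >&2; rc=1; }
        done
        IFS=$old_ifs; set +f
    done < "$file"
    return "$rc"
}

# Constructed sample: the 'git' rule from above, written to a scratch file.
sample=$(mktemp)
echo 'git ALL=(phabricator) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack' > "$sample"
chmod 0440 "$sample"
audit_sudoers_dropin "$sample" git phabricator \
    /usr/bin/git-upload-pack /usr/bin/git-receive-pack && echo "git rule OK"
rm -f "$sample"
```

On the installed system, point it at `/etc/sudoers.d/git` and
`/etc/sudoers.d/apache` as root, after `visudo -cf` has accepted the syntax.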

PHP Curl CA Bundle Configuration
--------------------------------

Ensure that `curl.cainfo` in your PHP configuration (`php.ini`) is set to
`/etc/pki/tls/certs/ca-bundle.crt`, or to any other valid CA bundle.