1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
Server startup
==============
Server startup can be done in many ways, and the ideas are probably
many. Here's one of the possibilities, which is mostly a shameless
rip-off from the monotone-server package in Debian.
The monotone server really depends on a few sections of information:
- configuration information, which is controlled by the admin and
goes into /etc/monotone.
- dynamic information, which is the database itself and other things
belonging with it. My suggestion is /var/lib/monotone.
- a script to start, stop and restart the server process.
Creating the monotone user
--------------------------
For the sake of safety, the best is to run the monotone server process
under its own user. On Debian, it would be done like this:
adduser --system --group --home /var/lib/monotone --no-create-home \
--disabled-password --quiet --gecos "Monotone" monotone
On FreeBSD, I'd do it like this (haven't tested, honestly):
adduser -d /var/lib/monotone -k /dev/null -w no -M 0750 -s /bin/false -S \
monotone
Creating and populating directories
-----------------------------------
Now, time to create the other directories and populate them, set safer
permissions and populate them. Let's start on the directories:
mkdir /etc/monotone /etc/monotone/hooks.d
mkdir /var/lib/monotone/keys /var/log/monotone
Now, time to populate them. Copy the following files (found in this
directory) to /etc/monotone:
- serverrc This is a very simple file, all it does is load hooks
with their corresponding configuration from
/etc/monotone/hooks.d
Copy your choice of the following files (from the monotone contrib/
directory) to /etc/monotone/hooks.d:
- get_passphrase_from_file.lua
This will use the file passphrases in the monotone
configuration directory (in this setup, it's
/etc/monotone) to open any key it needs to use, for
example the server key.
- authorize_remote_automate.lua
This will use the file remote-automate-permissions in
the monotone configuration directory to permit remote
automate operations to select users, through their
keys.
- monotone-mail-notify.lua, monotone-mail-notify.sh
This will send an email notification to an email
address of your choice, for the branches of your
choice. Read the comments at the top of
monotone-mail-notify.lua for details.
Note: it needs mime-construct and source-highlight.
There are more hooks to be found, have a look!
Creating the database and server key
------------------------------------
Now, it's time to generate a server database and key. Let's start
with the database:
mtn --db /var/lib/monotone/default.mtn db init \
--no-standard-rcfiles \
--keydir=/var/lib/monotone/keys --confdir=/etc/monotone
Then, let's create the server key. For simplicity, I'm placing the
key name (no spaces allowed here!) and password in shell variables
(change anything within braces ({}) to things of your choice), and
create /etc/monotone/passphrases:
KEYNAME="{servername}@{domain}"
KEYPASS="{I REALLY HOPE YOU USE SOMETHING SMARTER THAN THIS ;-)}"
yes "$KEYPASS" | \
mtn --db /var/lib/monotone/default.mtn genkey $KEYNAME --quiet \
--no-standard-rcfiles \
--keydir=/var/lib/monotone/keys --confdir=/etc/monotone
echo "$KEYNAME \"$KEYPASS\"" > /etc/monotone/passphrases
Setting up permissions
----------------------
Finally, you might want to start on /etc/monotone/read-permissions and
/etc/monotone/write-permissions. You can use the examples from
monotone's example directory to see how it should be done.
Another way is to create the directories /etc/monotone/read-permissions.d
and /etc/monotone/write-permissions.d, which can hold separate files
with setups as you choose to separate it. If you do this, there's a
simple and useful script in monotone's contrib/ directory called
mtn_makepermissions that compiles the files in read-permissions.d and
write-permissions into the files read-permissions and write-permissions
that monotone depends on.
Ownership and protection
------------------------
At this point, things are set up, and it's time to get protective.
First of all, let's make sure the monotone user owns everything:
chown -R monotone:monotone /etc/monotone
chown -R monotone:monotone /var/lib/monotone
chown -R monotone:monotone /var/log/monotone
Now, set the permissions where it may be important:
chmod 0750 /etc/monotone
chmod 0750 /var/lib/monotone
chmod -R 0640 /etc/monotone/write-permissions*
chmod -R 0640 /etc/monotone/read-permissions*
chmod 0640 /etc/monotone/serverrc
chmod 0600 /var/lib/monotone/default.mtn
chmod 0400 /etc/monotone/passphrases
Server startup
--------------
The last bit is the server startup. It can be done in one of several
ways.
daemontools:
If you prefer to use daemontools (from http://cr.yp.to/daemontools.html),
set up the service by copying monotone.run (found in this directory)
to to your service directory (let's assume you have your services in
/var/services), like this:
mkdir /var/services/monotone
cp monotone.run /var/services/monotone/run
Now, all you have to do is start it:
svc -u /var/services/monotone
SysV init style:
If you prefer to use something toward SysV init style, copy
monotone.init to /etc/init.d and make softlinks to /etc/rc?.d, as
follows. Note that this script depends on sudo and that root has
permission to run as the user monotone.
cp monotone.init /etc/init.d/monotone
for starter in /etc/rc[2-5].d; do ln -s /etc/init.d/monotone $starter; done
for killer in /etc/rc[0126].d; do ln -s /etc/init.d/monotone $killer; done
To start it, all you have to do is this:
/etc/init.d/monotone start
|
