Linux: Trac and Subversion on Ubuntu with Nginx and SSL

I just set up Trac and Subversion on Ubuntu. I decided to proxy tracd behind Nginx so that I could use SSL. I used ssh to access svn. I got email and commit hooks for everything working. I used runit to run tracd. In all, it took me about four days. Here's a brain dump of my notes:
Set up Trac and Subversion:
    Set up runit:
        touch /etc/inittab # Latest Ubuntu uses "upstart" instead of the sysv init.
        apt-get install runit
        initctl start runsvdir
        initctl status runsvdir
    While still on oldserver, I took care of some Trac setup:
        Set up permissions:
            See: http://trac.edgewall.org/wiki/TracPermissions
            trac-admin:
                permission list
                permission remove anonymous '*'
                permission remove authenticated '*'
                permission add authenticated BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_CREATE TICKET_MODIFY TICKET_VIEW TIMELINE_VIEW WIKI_CREATE WIKI_MODIFY WIKI_VIEW
                    Note: The above matches the default, but with no anonymous access.
                permission add jj TRAC_ADMIN
        Went through the admin section in the GUI and set up everything.
        Fixed inconsistent version field ("" vs. None):
            sqlite3 db/trac.db:
                update ticket set version = null;
    apt-get install subversion-tools python-subversion
    apt-get install python-pysqlite2
    easy_install docutils:
        /usr/bin/rst2newlatex.py
        /usr/bin/rst2xml.py
        /usr/bin/rstpep2html.py
        /usr/bin/rst2s5.py
        /usr/bin/rst2latex.py
        /usr/bin/rst2pseudoxml.py
        /usr/bin/rst2html.py
    easy_install pygments:
        /usr/bin/pygmentize
    easy_install pytz
    Set up users:
        Used "adduser" to create users.
        Grabbed their passwords from /etc/shadow on oldserver.
        addgroup committers
        Added the users to the committers group.
    Set up svn:
        mkdir -p /var/lib/svn
        svnadmin create /var/lib/svn/example
        Copied our svn repository db from oldserver to /var/lib/svn/example/db.
        chgrp -R committers /var/lib/svn/example/db
    Set up trac:
        easy_install Trac:
            /usr/bin/trac-admin
            /usr/bin/tracd
            +Genshi-0.5.1-py2.5-linux-i686.egg
        mkdir -p /var/lib/trac
        cd /var/lib/trac
        trac-admin example initenv:
            I pointed it at the svn repo path, but otherwise used the default
            settings.
        Copied stuff from our trac instance on oldserver to
        /var/lib/trac/example/attachments and /var/lib/trac/example/db.
        I chose not to keep our trac.ini since Trac has changed so much.
        I chose not to keep our passwords file since they were too easy.
        htpasswd -c /var/lib/trac/example/conf/users.htpasswd jj
        Edited /var/lib/trac/example/conf/trac.ini.
        adduser trac # Used a throwaway password.
        vipw # Changed home to /var/lib/trac and set shell to /bin/false.
        chown -R trac:trac /var/lib/trac # Per the instructions. Weird.
        find /var/lib/trac/example/attachments -type d -exec chmod 755 '{}' \;
        find /var/lib/trac/example/attachments -type f -exec chmod 644 '{}' \;
        trac-admin /var/lib/trac/example resync
    Set up trac under runit:
        Set up logging:
            mkdir -p /etc/sv/trac/log
            mkdir -p /var/log/trac

cat > /etc/sv/trac/log/run << __END__
#!/bin/sh

exec 2>&1
exec chpst -u trac:trac svlogd -tt /var/log/trac
__END__

            chmod +x /etc/sv/trac/log/run
            chown -R trac:trac /var/log/trac
        Set up trac:

cat > /etc/sv/trac/run << __END__
#!/bin/sh

exec 2>&1
exec chpst -u trac:trac tracd -s --hostname=localhost --port 9115 --basic-auth='*',/var/lib/trac/example/conf/users.htpasswd,'24 Hr. Diner' /var/lib/trac/example
__END__

            chmod +x /etc/sv/trac/run
            ln -s /etc/sv/trac /etc/service/
    Set up Nginx to proxy to Trac and handle SSL:
        cd /etc/nginx
        openssl req -new -x509 -nodes -out development.example.com.crt \
            -keyout development.example.com.key
        Edit sites-available/default.
        /etc/init.d/nginx restart
    Set up post-commit hook:
        cd /var/lib/svn/example/hooks
        wget 'http://trac.edgewall.org/browser/trunk/contrib/trac-post-commit-hook?format=txt' \
            -O trac-post-commit-hook
        chmod +x trac-post-commit-hook
        cp post-commit.tmpl post-commit
        chmod +x post-commit
        Edited post-commit.
        mkdir /var/lib/trac/example/.egg-cache
        chown -R trac:committers \
            /var/lib/trac/example/.egg-cache \
            /var/lib/trac/example/db
        chmod 775 /var/lib/trac/example/.egg-cache \
            /var/lib/trac/example/db
        chmod 664 /var/lib/trac/example/db/trac.db
    Set up trac notifications:
        Edit /var/lib/trac/example/conf/trac.ini.
        sv restart trac
Here's the most important part of Nginx's sites-available/default:
# Put Trac on HTTPS on port 9443.
server {
    listen 9443;
    server_name development.example.com;

    access_log /var/log/nginx/development.access.log;
    error_log /var/log/nginx/development.error.log;

    ssl on;
    ssl_certificate /etc/nginx/development.example.com.crt;
    ssl_certificate_key /etc/nginx/development.example.com.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
        root html;
        index index.html index.htm;
        proxy_pass http://127.0.0.1:9115;
    }
}
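
The server block above enables SSLv2, SSLv3 and low-strength and export ciphers, and tracd's --basic-auth sends the password with every request, so the TLS layer is the only thing protecting it. The following is an added example, not the author's configuration: the same block with only the TLS directives tightened, assuming nginx 1.13.0 or later built against OpenSSL 1.1.1 or later (needed for TLSv1.3).

```nginx
# Added example: same proxy, certificate paths and port as the block above;
# only the listen line and the ssl_* directives differ.
server {
    # "listen ... ssl" replaces the separate "ssl on;" directive,
    # which nginx deprecated in 1.15.0.
    listen 9443 ssl;
    server_name development.example.com;

    access_log /var/log/nginx/development.access.log;
    error_log /var/log/nginx/development.error.log;

    ssl_certificate /etc/nginx/development.example.com.crt;
    ssl_certificate_key /etc/nginx/development.example.com.key;

    ssl_session_timeout 5m;

    # SSLv2, SSLv3 and TLSv1 are no longer offered. SSLv2 and SSLv3 are
    # broken at the protocol level, so listing them lets a client (or an
    # attacker forcing a downgrade) negotiate a session that does not
    # protect the Basic auth header.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Explicit allow-list for TLS 1.2 instead of "ALL" minus a few groups:
    # forward-secret key exchange (ECDHE) with AEAD ciphers only. This
    # removes the RC4, LOW, MEDIUM, EXP and SSLv2 suites the old string
    # kept enabled. TLS 1.3 suites are chosen by OpenSSL and are not
    # affected by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        root html;
        index index.html index.htm;
        # tracd still listens on plain HTTP, bound to localhost only.
        proxy_pass http://127.0.0.1:9115;
    }
}
```

Run `nginx -t` after editing to confirm the installed build accepts the protocol and cipher names before restarting.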
Here's the most important part of svn's post-commit hook:
REPOS="$1"
REV="$2"
MAILING_LIST="commits@example.com"
TRAC_ENV="/var/lib/trac/example"

/usr/share/subversion/hook-scripts/commit-email.pl "$REPOS" "$REV" \
    "$MAILING_LIST"
/usr/bin/python /var/lib/svn/example/hooks/trac-post-commit-hook \
    -p "$TRAC_ENV" -r "$REV"
Here are the changes I made to trac.ini:
===================================================================
--- var/lib/trac/example/conf/trac.ini (revision 464)
+++ var/lib/trac/example/conf/trac.ini (revision 475)
@@ -58,13 +58,13 @@
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc =
-smtp_default_domain =
-smtp_enabled = false
-smtp_from = trac@localhost
+smtp_default_domain = example.com
+smtp_enabled = true
+smtp_from = trac@development.example.com
smtp_from_name =
smtp_password =
smtp_port = 25
-smtp_replyto = trac@localhost
+smtp_replyto = ops@example.com
smtp_server = localhost
smtp_subject_prefix = __default__
smtp_user =
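
Review bot: smtp_default_domain = example.com combined with smtp_enabled = true means any Trac username that has no stored address is mailed as username@example.com, so confirm that every account name is a real mailbox in that domain before turning notifications on; otherwise ticket text bounces or reaches an unintended recipient. The unchanged smtp_user = and smtp_password = lines also mean the relay at localhost:25 is used without authentication, which is worth a comment stating that the local MTA is expected to accept mail from local processes only.
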
@@ -152,7 +152,7 @@
authz_file =
authz_module_name =
auto_reload = False
-base_url =
+base_url = https://development.example.com:9443
check_auth_ip = true
database = sqlite:db/trac.db
default_charset = iso-8859-15
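
Review bot: check_auth_ip = true, the context line right after the new base_url, stops being a useful control once Trac is served through a reverse proxy at https://development.example.com:9443: every request reaches tracd from the proxy's address, so the session check sees the same IP for all users. Either set it to false so the setting does not suggest protection it cannot give, or add a comment explaining why it is kept.
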
@@ -166,7 +166,7 @@
repository_type = svn
show_email_addresses = false
timeout = 20
-use_base_url_for_redirect = False
+use_base_url_for_redirect = True

[wiki]
ignore_missing_pages = false
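
Review bot: use_base_url_for_redirect = True only behaves as intended while base_url stays set and correct, and nothing on this line says so; add a comment tying the two settings together. With it on, every redirect is built from base_url rather than from the request, so a hostname or port change that is not mirrored in base_url sends users to a dead address after login or a form submission.
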
Wow, that was painful!

Comments

jjinux said…
If you're trying to read something, and it gets cut off by the CSS, just look at the HTML source. Sorry about that.

If you don't know how to install Python eggs via easy_install, start with:

Setup distutils:
wget http://peak.telecommunity.com/dist/ez_setup.py
python ez_setup.py

jjinux said…
Sorry it's so terse and messy looking. There actually is a method to my madness, but the heredocs mess up the look of the indentation.

Unknown said…
Hi,
You can use naraio. It comes with Apache, subversion, trac and openldap. Naraio is very in installation with
trac and subversion.
You can download from http://opensourcedevelopment.net
Regards
