...

  private function syncProviders($instance) {
    $viewer = $this->getViewer();
    $instance_name = PhabricatorEnv::getEnvConfig('cluster.instance');

    $configs = id(new PhabricatorAuthProviderConfigQuery())
      ->setViewer($viewer)
      ->execute();
    if (!$configs) {
      $config = id(new PhabricatorAuthProviderConfig())
        ->setProviderClass('PhabricatorPhabricatorAuthProvider')
        ->setProviderType('phabricator')
        ->setProviderDomain('self');
    } else if (count($configs) > 1) {
      throw new Exception(
        pht(
          'This instance ("%s") has more than one authentication provider.',
          $instance_name));
    } else {
      $config = head($configs);
      if ($config->getProviderClass() != 'PhabricatorPhabricatorAuthProvider') {
        throw new Exception(
          pht(
            'This instance ("%s") has the wrong class of authentication '.
            'provider ("%s").',
            $instance_name,
            $config->getProviderClass()));
      }
    }

    $config
      ->setIsEnabled(1)
      ->setShouldAllowLogin(1)
      ->setShouldAllowRegistration(1)
      ->setShouldAllowLink(0)
      ->setShouldAllowUnlink(0)
      ->setShouldTrustEmails(1)
      ->setShouldAutoLogin(1)
      ->setProperties(
        array(
          PhabricatorPhabricatorAuthProvider::PROPERTY_PHABRICATOR_NAME
            => 'phacility',
          PhabricatorPhabricatorAuthProvider::PROPERTY_PHABRICATOR_URI
            => PhacilityServices::getAdminURI(),
          PhabricatorOAuth2AuthProvider::PROPERTY_APP_ID
            => $instance['oauth']['id'],
          PhabricatorOAuth2AuthProvider::PROPERTY_APP_SECRET
            => $instance['oauth']['secret'],
        ))
      ->save();
  }

...