smeserver-koji/koji-setup/koji-deploy-hub.sh

#!/bin/bash
# SPDX-License-Identifier: Apache-2.0

set -e
DEBUG=
SILENT="-s"
QUIET="-q"
for param in $1 $2 ; do
  if [ $param ] ; then
    case $param in
	    debug )
		    DEBUG="debug" ;;
    esac
  else
	  break
  fi
done

if [ $DEBUG ] ; then
    set -xe
    SILENT=
    QUIET="-v"
fi

# load required parameters
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
    echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
    exit 1
fi
source "$SCRIPT_DIR"/koji-parameters.sh

# pull down any required scripts
if [ ! -f $SCRIPTS_DIR/koji-gencert.sh ] ; then
    curl $SILENT $SCRIPT_GIT/koji-gencert.sh > $SCRIPT_DIR/koji-gencert.sh
    chmod o+x $SCRIPT_DIR/koji-gencert.sh
fi

# Install all the required packages (some live in the epel repo, so we need to install that too)
dnf config-manager --set-enabled powertools $QUIET
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
	dnf install -y epel-release $QUIET
fi
dnf install -y koji-hub mod_ssl koji koji-web koji-utils policycoreutils-python-utils $QUIET
dnf module enable postgresql:10 -y $QUIET
dnf install -y postgresql-server $QUIET

## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION
mkdir -p "$KOJI_PKI_DIR"/{certs,private}
RANDFILE="$KOJI_PKI_DIR"/.rand
dd if=/dev/urandom of="$RANDFILE" bs=256 count=1

# Certificate generation
cat > "$KOJI_PKI_DIR"/ssl.cnf <<- EOF
HOME                    = $KOJI_PKI_DIR
RANDFILE                = $RANDFILE

[ca]
default_ca              = ca_default

[ca_default]
dir                     = $KOJI_PKI_DIR
certs                   = \$dir/certs
crl_dir                 = \$dir/crl
database                = \$dir/index.txt
new_certs_dir           = \$dir/newcerts
certificate             = \$dir/%s_ca_cert.pem
private_key             = \$dir/private/%s_ca_key.pem
serial                  = \$dir/serial
crl                     = \$dir/crl.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 3650
default_crl_days        = 30
default_md              = sha512
preserve                = no
policy                  = policy_match

[policy_match]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 4096
default_keyfile         = privkey.pem
default_md              = sha512
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extensions to add to the self signed cert
string_mask             = MASK:0x2002

[req_distinguished_name]
countryName                     = Country Name (2 letter code)
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[req_attributes]
challengePassword               = A challenge password
challengePassword_min           = 8
challengePassword_max           = 64
unstructuredName                = An optional company name

[usr_cert]
basicConstraints                = CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always

[v3_ca]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always
basicConstraints                = CA:true
EOF

# Generate and trust CA
touch "$KOJI_PKI_DIR"/index.txt
echo 01 > "$KOJI_PKI_DIR"/serial
openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048
openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_HUB_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca
mkdir -p /etc/ca-certs/trusted

# Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser)
pushd "$KOJI_PKI_DIR"
"$SCRIPT_DIR"/koji-gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_HUB_FQDN" $DEBUG
"$SCRIPT_DIR"/koji-gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_HUB_FQDN" $DEBUG
"$SCRIPT_DIR"/koji-gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" $DEBUG
"$SCRIPT_DIR"/koji-gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" $DEBUG
popd

# Copy certificates into ~/.koji for kojiadmin
useradd kojiadmin
ADMIN_KOJI_DIR="$(echo ~kojiadmin)"/.koji
mkdir -p "$ADMIN_KOJI_DIR"
cp -f "$KOJI_PKI_DIR"/kojiadmin.pem "$ADMIN_KOJI_DIR"/client.crt
cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/clientca.crt
cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/serverca.crt
chown -R kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"


## POSTGRESQL SERVER
# Initialize PostgreSQL DB
mkdir -p "$POSTGRES_DIR"
chown -R "$POSTGRES_USER":"$POSTGRES_USER" "$POSTGRES_DIR"
sudo -u "$POSTGRES_USER" initdb --pgdata "$POSTGRES_DIR"/data
systemctl enable --now postgresql

# Setup User Accounts
useradd -r koji

# Setup PostgreSQL and populate schema
sudo -u "$POSTGRES_USER" createuser --no-superuser --no-createrole --no-createdb koji
sudo -u "$POSTGRES_USER" createdb -O koji koji
sudo -u koji psql koji koji < /usr/share/doc/koji/docs/schema.sql

# Authorize Koji-web and Koji-hub resources
cat > "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF
#TYPE    DATABASE    USER    CIDR-ADDRESS    METHOD
local    koji        koji                    trust
local    all         postgres                peer
EOF
# possible alternatives
#host     koji        koji    127.0.0.1/32    trust
#host     koji        koji    ::1/128         trust

# increase the max connections as koji appears to be very chatty
sed -i "/^max_connections =/ s/100/1000/" "/var/lib/pgsql/data/postgresql.conf"

systemctl restart postgresql

# Bootstrapping the initial koji admin user into the PostgreSQL database
# SSL Certificate authentication
sudo -u koji psql -c "insert into users (name, status, usertype) values ('kojiadmin', 0, 0);"

# Give yourself admin permissions
sudo -u koji psql -c "insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);"

## KOJI CONFIGURATION FILES
# Koji Hub
mkdir -p /etc/koji-hub
cat > /etc/koji-hub/hub.conf <<- EOF
[hub]
DBName = koji
DBUser = koji
KojiDir = $KOJI_DIR
DNUsernameComponent = CN
ProxyDNs = C=$COUNTRY_CODE,ST=$STATE,L=$LOCATION,O=$ORGANIZATION,OU=kojiweb,CN=$KOJI_HUB_FQDN
LoginCreatesUser = On
KojiWebURL = $KOJI_WEB_URL/koji
DisableNotifications = True
EOF

mkdir -p /etc/httpd/conf.d
cat > /etc/httpd/conf.d/kojihub.conf <<- EOF
Alias /kojihub /usr/share/koji-hub/kojiapp.py
<Directory "/usr/share/koji-hub">
    Options ExecCGI
    SetHandler wsgi-script
    Require all granted
</Directory>
Alias /kojifiles "$KOJI_DIR"
<Directory "$KOJI_DIR">
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
<Location /kojihub/ssllogin>
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</Location>
EOF

# SELinux changes to allow db access
setsebool -P httpd_can_network_connect_db 1

# SELinux changes to allow httpd network access
setsebool -P httpd_can_network_connect 1

# Koji CLI
cat > /etc/koji.conf <<- EOF
[koji]
server = $KOJI_URL/kojihub
weburl = $KOJI_WEB_URL/koji
topurl = $KOJI_URL/kojifiles
topdir = $KOJI_DIR
cert = ~/.koji/client.crt
serverca = ~/.koji/serverca.crt
anon_retry = true
EOF

## KOJI APPLICATION HOSTING
# Koji Filesystem Skeleton
mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"

# tweak SELinux to allow $HTTPD_USER write access
setsebool -P allow_httpd_anon_write=1
semanage fcontext -a -t public_content_rw_t "$KOJI_DIR(/.*)?"
restorecon -r -v $KOJI_DIR

## Apache Configuration Files
mkdir -p /etc/httpd/conf.d
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
ServerName $KOJI_HUB_FQDN

Listen 443 https

#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#SSLSessionCache         shmcb:/run/httpd/sslcache(512000)

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM

    SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
    SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
    SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
    SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
    SSLVerifyClient require
    SSLVerifyDepth 10

    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF

mkdir -p /etc/httpd/conf.modules.d
cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
WSGISocketPrefix /run/httpd/wsgi
EOF
cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
EOF

# Firewall stuff
if systemctl status iptables >/dev/null 2>&1; then
    # set iptables rules for http and https
fi
if firewall-cmd --state >/dev/null 2>&1; then
    # allow httpd access through firewall
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https
    firewall-cmd --reload
fi

# enable and start the httpd service
systemctl enable --now httpd

## TEST KOJI CONNECTIVITY
sudo -u kojiadmin koji moshimoshi

## KOJIRA - DNF|YUM REPOSITORY CREATION AND MAINTENANCE
# Add the user entry for the kojira user
sudo -u kojiadmin koji add-user kojira
sudo -u kojiadmin koji grant-permission repo kojira

# Kojira Configuration Files
mkdir -p /etc/kojira
cat > /etc/kojira/kojira.conf <<- EOF
[kojira]
server=$KOJI_URL/kojihub
topdir=$KOJI_DIR
logfile=/var/log/kojira.log
cert = $KOJI_PKI_DIR/kojira.pem
serverca = $KOJI_PKI_DIR/koji_ca_cert.crt
EOF

# Ensure postgresql is started prior to running kojira service
mkdir -p /etc/systemd/system/kojira.service.d
cat > /etc/systemd/system/kojira.service.d/after-postgresql.conf <<EOF
[Unit]
After=postgresql.service
EOF

systemctl enable --now kojira
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`#!/bin/bash`
			`# SPDX-License-Identifier: Apache-2.0`

			`set -e`
			`DEBUG=`
			`SILENT="-s"`
			`QUIET="-q"`
			`for param in $1 $2 ; do`
			`if [ $param ] ; then`
			`case $param in`
			`debug )`
			`DEBUG="debug" ;;`
			`esac`
			`else`
			`break`
			`fi`
			`done`

			`if [ $DEBUG ] ; then`
extra debug 2023-09-04 07:40:55 +02:00			`set -xe`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`SILENT=`
			`QUIET="-v"`
			`fi`

			`# load required parameters`
			`SCRIPT_DIR="$(dirname "$(realpath "$0")")"`
			`if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then`
			`echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"`
			`exit 1`
			`fi`
			`source "$SCRIPT_DIR"/koji-parameters.sh`

			`# pull down any required scripts`
			`if [ ! -f $SCRIPTS_DIR/koji-gencert.sh ] ; then`
mistype 2023-09-04 03:23:38 +02:00			`curl $SILENT $SCRIPT_GIT/koji-gencert.sh > $SCRIPT_DIR/koji-gencert.sh`
make gencert executeable 2023-09-04 04:03:23 +02:00			`chmod o+x $SCRIPT_DIR/koji-gencert.sh`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`fi`

			`# Install all the required packages (some live in the epel repo, so we need to install that too)`
			`dnf config-manager --set-enabled powertools $QUIET`
fix check if already installed 2023-09-04 12:53:48 +02:00			`if [[ -z $(dnf list installed \| grep epel-release) ]] ; then`
			`dnf install -y epel-release $QUIET`
			`fi`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`dnf install -y koji-hub mod_ssl koji koji-web koji-utils policycoreutils-python-utils $QUIET`
			`dnf module enable postgresql:10 -y $QUIET`
			`dnf install -y postgresql-server $QUIET`

			`## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION`
			`mkdir -p "$KOJI_PKI_DIR"/{certs,private}`
			`RANDFILE="$KOJI_PKI_DIR"/.rand`
			`dd if=/dev/urandom of="$RANDFILE" bs=256 count=1`

			`# Certificate generation`
			`cat > "$KOJI_PKI_DIR"/ssl.cnf <<- EOF`
			`HOME = $KOJI_PKI_DIR`
			`RANDFILE = $RANDFILE`

			`[ca]`
			`default_ca = ca_default`

			`[ca_default]`
			`dir = $KOJI_PKI_DIR`
			`certs = \$dir/certs`
			`crl_dir = \$dir/crl`
			`database = \$dir/index.txt`
			`new_certs_dir = \$dir/newcerts`
			`certificate = \$dir/%s_ca_cert.pem`
			`private_key = \$dir/private/%s_ca_key.pem`
			`serial = \$dir/serial`
			`crl = \$dir/crl.pem`
			`x509_extensions = usr_cert`
			`name_opt = ca_default`
			`cert_opt = ca_default`
			`default_days = 3650`
			`default_crl_days = 30`
			`default_md = sha512`
			`preserve = no`
			`policy = policy_match`

			`[policy_match]`
			`countryName = match`
			`stateOrProvinceName = match`
			`organizationName = match`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[req]`
			`default_bits = 4096`
			`default_keyfile = privkey.pem`
			`default_md = sha512`
			`distinguished_name = req_distinguished_name`
			`attributes = req_attributes`
			`x509_extensions = v3_ca # The extensions to add to the self signed cert`
			`string_mask = MASK:0x2002`

			`[req_distinguished_name]`
			`countryName = Country Name (2 letter code)`
			`countryName_min = 2`
			`countryName_max = 2`
			`stateOrProvinceName = State or Province Name (full name)`
			`localityName = Locality Name (eg, city)`
			`0.organizationName = Organization Name (eg, company)`
			`organizationalUnitName = Organizational Unit Name (eg, section)`
			`commonName = Common Name (eg, your name or your server\'s hostname)`
			`commonName_max = 64`
			`emailAddress = Email Address`
			`emailAddress_max = 64`

			`[req_attributes]`
			`challengePassword = A challenge password`
			`challengePassword_min = 8`
			`challengePassword_max = 64`
			`unstructuredName = An optional company name`

			`[usr_cert]`
			`basicConstraints = CA:FALSE`
			`nsComment = "OpenSSL Generated Certificate"`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid,issuer:always`

			`[v3_ca]`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always,issuer:always`
			`basicConstraints = CA:true`
			`EOF`

			`# Generate and trust CA`
			`touch "$KOJI_PKI_DIR"/index.txt`
			`echo 01 > "$KOJI_PKI_DIR"/serial`
			`openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048`
			`openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_HUB_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca`
			`mkdir -p /etc/ca-certs/trusted`

			`# Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser)`
			`pushd "$KOJI_PKI_DIR"`
postgres bug 2023-09-04 07:10:17 +02:00			`"$SCRIPT_DIR"/koji-gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_HUB_FQDN" $DEBUG`
			`"$SCRIPT_DIR"/koji-gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_HUB_FQDN" $DEBUG`
			`"$SCRIPT_DIR"/koji-gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" $DEBUG`
			`"$SCRIPT_DIR"/koji-gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" $DEBUG`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`popd`

			`# Copy certificates into ~/.koji for kojiadmin`
			`useradd kojiadmin`
			`ADMIN_KOJI_DIR="$(echo ~kojiadmin)"/.koji`
			`mkdir -p "$ADMIN_KOJI_DIR"`
			`cp -f "$KOJI_PKI_DIR"/kojiadmin.pem "$ADMIN_KOJI_DIR"/client.crt`
			`cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/clientca.crt`
			`cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/serverca.crt`
			`chown -R kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"`


			`## POSTGRESQL SERVER`
			`# Initialize PostgreSQL DB`
			`mkdir -p "$POSTGRES_DIR"`
			`chown -R "$POSTGRES_USER":"$POSTGRES_USER" "$POSTGRES_DIR"`
postgres remnant removed 2023-09-04 07:22:33 +02:00			`sudo -u "$POSTGRES_USER" initdb --pgdata "$POSTGRES_DIR"/data`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`systemctl enable --now postgresql`

			`# Setup User Accounts`
			`useradd -r koji`

			`# Setup PostgreSQL and populate schema`
			`sudo -u "$POSTGRES_USER" createuser --no-superuser --no-createrole --no-createdb koji`
			`sudo -u "$POSTGRES_USER" createdb -O koji koji`
postgres bug 2023-09-04 07:10:17 +02:00			`sudo -u koji psql koji koji < /usr/share/doc/koji/docs/schema.sql`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00
			`# Authorize Koji-web and Koji-hub resources`
postgres bug 2023-09-04 07:10:17 +02:00			`cat > "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`#TYPE DATABASE USER CIDR-ADDRESS METHOD`
first cut web deploy 2023-09-11 05:02:10 +02:00			`local koji koji trust`
			`local all postgres peer`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`EOF`
first cut web deploy 2023-09-11 05:02:10 +02:00			`# possible alternatives`
			`#host koji koji 127.0.0.1/32 trust`
			`#host koji koji ::1/128 trust`

increase max connections 2023-11-04 23:33:52 +01:00			`# increase the max connections as koji appears to be very chatty`
			`sed -i "/^max_connections =/ s/100/1000/" "/var/lib/pgsql/data/postgresql.conf"`

restart postgres to activate max_connections 2023-11-07 23:24:40 +01:00			`systemctl restart postgresql`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00
			`# Bootstrapping the initial koji admin user into the PostgreSQL database`
			`# SSL Certificate authentication`
			`sudo -u koji psql -c "insert into users (name, status, usertype) values ('kojiadmin', 0, 0);"`

			`# Give yourself admin permissions`
			`sudo -u koji psql -c "insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);"`

			`## KOJI CONFIGURATION FILES`
			`# Koji Hub`
			`mkdir -p /etc/koji-hub`
			`cat > /etc/koji-hub/hub.conf <<- EOF`
			`[hub]`
			`DBName = koji`
			`DBUser = koji`
			`KojiDir = $KOJI_DIR`
			`DNUsernameComponent = CN`
			`ProxyDNs = C=$COUNTRY_CODE,ST=$STATE,L=$LOCATION,O=$ORGANIZATION,OU=kojiweb,CN=$KOJI_HUB_FQDN`
			`LoginCreatesUser = On`
supress duplicate httpd stuff when web on hub 2023-09-12 08:59:13 +02:00			`KojiWebURL = $KOJI_WEB_URL/koji`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`DisableNotifications = True`
			`EOF`

			`mkdir -p /etc/httpd/conf.d`
			`cat > /etc/httpd/conf.d/kojihub.conf <<- EOF`
			`Alias /kojihub /usr/share/koji-hub/kojiapp.py`
			`<Directory "/usr/share/koji-hub">`
			`Options ExecCGI`
			`SetHandler wsgi-script`
			`Require all granted`
			`</Directory>`
			`Alias /kojifiles "$KOJI_DIR"`
			`<Directory "$KOJI_DIR">`
			`Options Indexes SymLinksIfOwnerMatch`
			`AllowOverride None`
			`Require all granted`
			`</Directory>`
			`<Location /kojihub/ssllogin>`
			`SSLVerifyClient require`
			`SSLVerifyDepth 10`
			`SSLOptions +StdEnvVars`
			`</Location>`
			`EOF`

			`# SELinux changes to allow db access`
			`setsebool -P httpd_can_network_connect_db 1`

			`# SELinux changes to allow httpd network access`
			`setsebool -P httpd_can_network_connect 1`

			`# Koji CLI`
			`cat > /etc/koji.conf <<- EOF`
			`[koji]`
			`server = $KOJI_URL/kojihub`
first cut web deploy 2023-09-11 05:02:10 +02:00			`weburl = $KOJI_WEB_URL/koji`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`topurl = $KOJI_URL/kojifiles`
			`topdir = $KOJI_DIR`
			`cert = ~/.koji/client.crt`
			`serverca = ~/.koji/serverca.crt`
			`anon_retry = true`
			`EOF`

			`## KOJI APPLICATION HOSTING`
			`# Koji Filesystem Skeleton`
			`mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}`
			`chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"`

first cut web deploy 2023-09-11 05:02:10 +02:00			`# tweak SELinux to allow $HTTPD_USER write access`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00			`setsebool -P allow_httpd_anon_write=1`
			`semanage fcontext -a -t public_content_rw_t "$KOJI_DIR(/.*)?"`
			`restorecon -r -v $KOJI_DIR`

			`## Apache Configuration Files`
			`mkdir -p /etc/httpd/conf.d`
			`cat > /etc/httpd/conf.d/ssl.conf <<- EOF`
			`ServerName $KOJI_HUB_FQDN`

			`Listen 443 https`

			`#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog`

			`#SSLSessionCache shmcb:/run/httpd/sslcache(512000)`

			`SSLRandomSeed startup file:/dev/urandom 256`
			`SSLRandomSeed connect builtin`

			`<VirtualHost _default_:443>`
			`ErrorLog /var/log/httpd/ssl_error_log`
			`TransferLog /var/log/httpd/ssl_access_log`
			`LogLevel warn`

			`SSLEngine on`
			`SSLHonorCipherOrder on`
			`SSLCipherSuite PROFILE=SYSTEM`
			`SSLProxyCipherSuite PROFILE=SYSTEM`

			`SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem`
			`SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key`
			`SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt`
			`SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt`
			`SSLVerifyClient require`
			`SSLVerifyDepth 10`

			`<FilesMatch "\.(cgi\|shtml\|phtml\|php3?)$">`
			`SSLOptions +StdEnvVars`
			`</FilesMatch>`
			`<Directory "/var/www/cgi-bin">`
			`SSLOptions +StdEnvVars`
			`</Directory>`

			`CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"`
			`</VirtualHost>`
			`EOF`

			`mkdir -p /etc/httpd/conf.modules.d`
			`cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF`
			`WSGISocketPrefix /run/httpd/wsgi`
			`EOF`
			`cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF`
			`LoadModule ssl_module lib/httpd/modules/mod_ssl.so`
			`EOF`

Add dummy item for iptables 2024-03-01 22:37:51 +01:00			`# Firewall stuff`
			`if systemctl status iptables >/dev/null 2>&1; then`
			`# set iptables rules for http and https`
			`fi`
only update firewall is installed/running 2024-02-29 01:49:16 +01:00			`if firewall-cmd --state >/dev/null 2>&1; then`
			`# allow httpd access through firewall`
			`firewall-cmd --permanent --add-service=http`
			`firewall-cmd --permanent --add-service=https`
			`firewall-cmd --reload`
			`fi`
first cut at add-koji-builder and rename to koji- 2023-09-04 02:51:05 +02:00
			`# enable and start the httpd service`
			`systemctl enable --now httpd`

			`## TEST KOJI CONNECTIVITY`
			`sudo -u kojiadmin koji moshimoshi`

			`## KOJIRA - DNF\|YUM REPOSITORY CREATION AND MAINTENANCE`
			`# Add the user entry for the kojira user`
			`sudo -u kojiadmin koji add-user kojira`
			`sudo -u kojiadmin koji grant-permission repo kojira`

			`# Kojira Configuration Files`
			`mkdir -p /etc/kojira`
			`cat > /etc/kojira/kojira.conf <<- EOF`
			`[kojira]`
			`server=$KOJI_URL/kojihub`
			`topdir=$KOJI_DIR`
			`logfile=/var/log/kojira.log`
			`cert = $KOJI_PKI_DIR/kojira.pem`
			`serverca = $KOJI_PKI_DIR/koji_ca_cert.crt`
			`EOF`

			`# Ensure postgresql is started prior to running kojira service`
			`mkdir -p /etc/systemd/system/kojira.service.d`
			`cat > /etc/systemd/system/kojira.service.d/after-postgresql.conf <<EOF`
			`[Unit]`
			`After=postgresql.service`
			`EOF`

			`systemctl enable --now kojira`