first cut web deploy

koji-setup/koji-add-builder.sh

@@ -63,16 +63,8 @@ fi
 sudo -u kojiadmin koji add-host "$KOJI_BUILD_FQDN" "$RPM_ARCH"
 # Add the host to the createrepo channel
 sudo -u kojiadmin koji add-host-to-channel "$KOJI_BUILD_FQDN" createrepo
-# A note on capacity
+# Add server capacity
 sudo -u kojiadmin koji edit-host --capacity="$KOJID_CAPACITY" "$KOJI_BUILD_FQDN"
-# Generate a certificate for the builder
-if [ ! -f $SCRIPT_DIR/koji-gencert.sh ] ; then
-    curl $SILENT $SCRIPT_GIT/koji-gencert.sh > $SCRIPT_DIR/koji-gencert.sh
-fi
-cp $SCRIPT_DIR/koji-gencert.sh $KOJI_PKI_DIR/.
-pushd "$KOJI_PKI_DIR"
-./koji-gencert.sh "$KOJI_BUILD_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_BUILD_FQDN"
-popd
 # check if local install or remote
 if [[ $KOJI_BUILD_FQDN = $KOJI_HUB_FQDN ]] ; then
     # deploy locally

koji-setup/koji-deploy-hub.sh

@@ -168,10 +168,13 @@ sudo -u koji psql koji koji < /usr/share/doc/koji/docs/schema.sql
 # Authorize Koji-web and Koji-hub resources
 cat > "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF
 #TYPE    DATABASE    USER    CIDR-ADDRESS    METHOD
-host     koji        all     127.0.0.1/32    trust
-host     koji        all     ::1/128         trust
-local    koji        all                     trust
+local    koji        koji                    trust
+local    all         postgres                peer
 EOF
+# possible alternatives
+#host     koji        koji    127.0.0.1/32    trust
+#host     koji        koji    ::1/128         trust
+
 systemctl reload postgresql
 
 # Bootstrapping the initial koji admin user into the PostgreSQL database
@@ -259,7 +262,7 @@ setsebool -P httpd_can_network_connect 1
 cat > /etc/koji.conf <<- EOF
 [koji]
 server = $KOJI_URL/kojihub
-weburl = $KOJI_URL/koji
+weburl = $KOJI_WEB_URL/koji
 topurl = $KOJI_URL/kojifiles
 topdir = $KOJI_DIR
 cert = ~/.koji/client.crt
@@ -272,7 +275,7 @@ EOF
 mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
 chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"
 
-# twealk SELinux to allow $HTTPD_USER write access
+# tweak SELinux to allow $HTTPD_USER write access
 setsebool -P allow_httpd_anon_write=1
 semanage fcontext -a -t public_content_rw_t "$KOJI_DIR(/.*)?"
 restorecon -r -v $KOJI_DIR
@@ -335,11 +338,9 @@ firewall-cmd --reload
 # enable and start the httpd service
 systemctl enable --now httpd
 
-
 ## TEST KOJI CONNECTIVITY
 sudo -u kojiadmin koji moshimoshi
 
-
 ## KOJIRA - DNF|YUM REPOSITORY CREATION AND MAINTENANCE
 # Add the user entry for the kojira user
 sudo -u kojiadmin koji add-user kojira

koji-setup/koji-deploy-web.sh

@@ -0,0 +1,132 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+$KOJI_WEB_FQDN=$1
+DEBUG=
+SILENT="-s"
+QUIET="-q"
+for param in $2 ; do
+  if [ $param ] ; then
+    case $param in
+	    debug )
+		    DEBUG="debug" ;;
+    esac
+  else
+	  break
+  fi
+done
+
+if [ $DEBUG ] ; then
+    set -xe
+    SILENT=
+    QUIET="-v"
+fi
+
+# load required parameters
+SCRIPT_DIR="$(dirname "$(realpath "$0")")"
+if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
+    echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
+    exit 1
+fi
+source "$SCRIPT_DIR"/koji-parameters.sh
+
+# Install all the required packages (some live in the epel repo, so we may need to install that too)
+if [[ -z $(dnf list installed | grep epel-release) ]] ; then
+    dnf config-manager --set-enabled powertools $QUIET
+	dnf install -y epel-release $QUIET
+fi
+dnf install -y mod_ssl koji-web $QUIET
+
+# install locally
+mkdir -p /etc/kojiweb
+cat > /etc/kojiweb/web.conf <<- EOF
+[web]
+SiteName = koji
+KojiHubURL = $KOJI_URL/kojihub
+KojiFilesURL = $KOJI_URL/kojifiles
+WebCert = $KOJI_PKI_DIR/kojiweb.pem
+ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt
+KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt
+LoginTimeout = 72
+Secret = NITRA_IS_NOT_CLEAR
+LibPath = /usr/share/koji-web/lib
+LiteralFooter = True
+EOF
+
+mkdir -p /etc/httpd/conf.d
+cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF
+Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
+<Directory "/usr/share/koji-web/scripts">
+    Options ExecCGI
+    SetHandler wsgi-script
+    Require all granted
+</Directory>
+Alias /koji-static "/usr/share/koji-web/static"
+<Directory "/usr/share/koji-web/static">
+    Options None
+    AllowOverride None
+    Require all granted
+</Directory>
+EOF
+
+# SELinux changes to allow httpd network access
+setsebool -P httpd_can_network_connect 1
+
+## Apache Configuration Files
+mkdir -p /etc/httpd/conf.d
+cat > /etc/httpd/conf.d/ssl.conf <<- EOF
+ServerName $KOJI_WEB_FQDN
+
+Listen 443 https
+
+#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+
+<VirtualHost _default_:443>
+    ErrorLog /var/log/httpd/ssl_error_log
+    TransferLog /var/log/httpd/ssl_access_log
+    LogLevel warn
+
+    SSLEngine on
+    SSLHonorCipherOrder on
+    SSLCipherSuite PROFILE=SYSTEM
+    SSLProxyCipherSuite PROFILE=SYSTEM
+
+    SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
+    SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
+    SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
+    SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
+    SSLVerifyClient require
+    SSLVerifyDepth 10
+
+    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
+        SSLOptions +StdEnvVars
+    </FilesMatch>
+    <Directory "/var/www/cgi-bin">
+        SSLOptions +StdEnvVars
+    </Directory>
+
+    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</VirtualHost>
+EOF
+
+mkdir -p /etc/httpd/conf.modules.d
+cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
+WSGISocketPrefix /run/httpd/wsgi
+EOF
+cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
+LoadModule ssl_module lib/httpd/modules/mod_ssl.so
+EOF
+
+# allow httpd access through firewall
+firewall-cmd --permanent --add-service=http
+firewall-cmd --permanent --add-service=https
+firewall-cmd --reload
+
+# enable and start the httpd service
+systemctl enable --now httpd