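#!/bin/bash
# SPDX-License-Identifier: Apache-2.0
#
# Install and configure koji-web (the Koji web UI) on this host.
#
# Usage: $0 <koji-web-fqdn> [debug]
#   $1  FQDN this web front end answers on (becomes Apache's ServerName)
#   $2  optional whitespace-separated flag list; "debug" turns on command
#       tracing and verbose package-manager output
#
# Requires koji-parameters.sh next to this script, defining at least
# KOJI_URL, KOJI_PKI_DIR and KOJI_HUB_FQDN.  Must run as root.
# Optional: KOJI_WEB_SECRET in the environment fixes the kojiweb session
# secret (otherwise a random one is generated per run).
set -e

KOJI_WEB_FQDN=$1
# Without a FQDN the configs below would get an empty ServerName; fail early.
: "${KOJI_WEB_FQDN:?usage: $0 <koji-web-fqdn> [debug]}"

DEBUG=
SILENT="-s"      # not used below; kept because a sourced parameter file may rely on it
QUIET="-q"

# $2 is deliberately unquoted: it is a whitespace-separated list of flags.
# shellcheck disable=SC2086
for param in $2; do
  [[ -n "$param" ]] || break
  case "$param" in
    debug) DEBUG="debug" ;;
  esac
done

if [[ -n "$DEBUG" ]]; then
  set -x          # -e is already in effect from the top of the script
  SILENT=
  QUIET="-v"
fi

# load required parameters
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
if [[ ! -f "$SCRIPT_DIR/koji-parameters.sh" ]]; then
  printf '%s NOT found - aborting\n' "$SCRIPT_DIR/koji-parameters.sh" >&2
  exit 1
fi
# shellcheck source=/dev/null
source "$SCRIPT_DIR/koji-parameters.sh"
# Abort with a name rather than silently writing empty paths/URLs into the configs.
: "${KOJI_URL:?must be set by koji-parameters.sh}"
: "${KOJI_PKI_DIR:?must be set by koji-parameters.sh}"
: "${KOJI_HUB_FQDN:?must be set by koji-parameters.sh}"

# Install all the required packages (some live in the epel repo, so we may
# need to install that too).  rpm -q is an exact-name check; the earlier
# "dnf list installed | grep epel-release" matched any package containing
# that substring.
# $QUIET is intentionally unquoted: it may be empty.
# shellcheck disable=SC2086
if ! rpm -q epel-release >/dev/null 2>&1; then
  dnf config-manager --set-enabled powertools $QUIET
  dnf install -y epel-release $QUIET
fi
# shellcheck disable=SC2086
dnf install -y mod_ssl koji-web $QUIET

# install locally
# The session Secret used to be the fixed string NITRA_IS_NOT_CLEAR, i.e.
# identical on every deployment built from this script.  Generate a per-host
# value instead; KOJI_WEB_SECRET overrides it when several web front ends
# must share one.  openssl is available here because mod_ssl pulls it in.
web_secret=${KOJI_WEB_SECRET:-$(openssl rand -hex 32)}
mkdir -p /etc/kojiweb
cat > /etc/kojiweb/web.conf <<EOF
[web]
SiteName = koji
KojiHubURL = $KOJI_URL/kojihub
KojiFilesURL = $KOJI_URL/kojifiles
WebCert = $KOJI_PKI_DIR/kojiweb.pem
ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt
KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt
LoginTimeout = 72
Secret = $web_secret
LibPath = /usr/share/koji-web/lib
LiteralFooter = True
EOF
# web.conf now carries a secret: root plus the httpd worker group only.
# NOTE(review): assumes kojiweb runs embedded in httpd as user "apache"
# (no WSGIDaemonProcess is configured below) -- confirm on the target.
chown root:apache /etc/kojiweb/web.conf
chmod 640 /etc/kojiweb/web.conf

mkdir -p /etc/httpd/conf.d
# NOTE(review): the <Directory> container lines were lost when this script
# was recovered (angle-bracket directives stripped); they are restored here
# for the two Alias targets from the standard koji-web layout.  The final
# SSLOptions line's original enclosing block (likely a <Location>) could not
# be recovered; at file scope it applies server-wide.  Verify against the
# original file.
cat > /etc/httpd/conf.d/kojiweb.conf <<EOF
Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
<Directory "/usr/share/koji-web/scripts/">
    Options ExecCGI
    SetHandler wsgi-script
    Require all granted
</Directory>

Alias /koji-static "/usr/share/koji-web/static"
<Directory "/usr/share/koji-web/static/">
    Options None
    AllowOverride None
    Require all granted
</Directory>

SSLOptions +StdEnvVars
EOF

# if NOT on the hub, setup the standard httpd settings
if [[ "$KOJI_WEB_FQDN" != "$KOJI_HUB_FQDN" ]]; then
  ## Apache ssl Configuration File
  # NOTE(review): the <VirtualHost _default_:443> container was lost in
  # extraction and is restored here; without it SSLEngine would apply to the
  # main server.  Two points to confirm against the original deployment:
  #   - the certificate served is the hub's (kojihub.pem); its SAN must
  #     cover $KOJI_WEB_FQDN for browsers to accept it on this host;
  #   - SSLVerifyClient require at vhost scope demands a client certificate
  #     for every request to the web UI, not just the login path.
  # The duplicated "SSLOptions +StdEnvVars" from the source is collapsed to one.
  cat > /etc/httpd/conf.d/ssl.conf <<EOF
ServerName $KOJI_WEB_FQDN
Listen 443 https
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
    ErrorLog /var/log/httpd/ssl_error_log
    TransferLog /var/log/httpd/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
    SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
    SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
    SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF

  # SELinux changes to allow httpd network access (kojiweb must reach the hub)
  setsebool -P httpd_can_network_connect 1

  mkdir -p /etc/httpd/conf.modules.d
  cat > /etc/httpd/conf.modules.d/wsgi.conf <<EOF
WSGISocketPrefix /run/httpd/wsgi
EOF
  # NOTE(review): the mod_ssl package already installs a LoadModule for
  # ssl_module in this directory (sorted before this file), so httpd is
  # expected to skip this second entry as already loaded -- the non-standard
  # relative path here is presumably never resolved.  Verify on the target.
  cat > /etc/httpd/conf.modules.d/ssl.conf <<EOF
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
EOF

  # allow httpd access through firewall
  firewall-cmd --permanent --add-service=http
  firewall-cmd --permanent --add-service=https
  firewall-cmd --reload

  # enable and start the httpd service
  systemctl enable --now httpd
else
  # on the hub httpd is already configured; pick up the new kojiweb config
  systemctl restart httpd
fi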