#!/bin/bash # SPDX-License-Identifier: Apache-2.0 set -e DEBUG= SILENT="-s" QUIET="-q" for param in $1 $2 ; do if [ $param ] ; then case $param in debug ) DEBUG="debug" ;; esac else break fi done if [ $DEBUG ] ; then set -xe SILENT= QUIET="-v" fi # load required parameters SCRIPT_DIR="$(dirname "$(realpath "$0")")" if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting" exit 1 fi source "$SCRIPT_DIR"/koji-parameters.sh # pull down any required scripts if [ ! -f $SCRIPTS_DIR/koji-gencert.sh ] ; then curl $SILENT $SCRIPT_GIT/koji-gencert.sh > $SCRIPT_DIR/koji-gencert.sh chmod o+x $SCRIPT_DIR/koji-gencert.sh fi # Install all the required packages (some live in the epel repo, so we need to install that too) dnf config-manager --set-enabled powertools $QUIET if [[ -z $(dnf list installed | grep epel-release) ]] ; then dnf install -y epel-release $QUIET fi dnf install -y koji-hub mod_ssl koji koji-web koji-utils policycoreutils-python-utils $QUIET dnf module enable postgresql:10 -y $QUIET dnf install -y postgresql-server $QUIET ## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION mkdir -p "$KOJI_PKI_DIR"/{certs,private} RANDFILE="$KOJI_PKI_DIR"/.rand dd if=/dev/urandom of="$RANDFILE" bs=256 count=1 # Certificate generation cat > "$KOJI_PKI_DIR"/ssl.cnf <<- EOF HOME = $KOJI_PKI_DIR RANDFILE = $RANDFILE [ca] default_ca = ca_default [ca_default] dir = $KOJI_PKI_DIR certs = \$dir/certs crl_dir = \$dir/crl database = \$dir/index.txt new_certs_dir = \$dir/newcerts certificate = \$dir/%s_ca_cert.pem private_key = \$dir/private/%s_ca_key.pem serial = \$dir/serial crl = \$dir/crl.pem x509_extensions = usr_cert name_opt = ca_default cert_opt = ca_default default_days = 3650 default_crl_days = 30 default_md = sha512 preserve = no policy = policy_match [policy_match] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [req] default_bits = 4096 default_keyfile = privkey.pem default_md = sha512 distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extensions to add to the self signed cert string_mask = MASK:0x2002 [req_distinguished_name] countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) 0.organizationName = Organization Name (eg, company) organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [req_attributes] challengePassword = A challenge password challengePassword_min = 8 challengePassword_max = 64 unstructuredName = An optional company name [usr_cert] basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true EOF # Generate and trust CA touch "$KOJI_PKI_DIR"/index.txt echo 01 > "$KOJI_PKI_DIR"/serial openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048 openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_HUB_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca mkdir -p /etc/ca-certs/trusted # Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser) pushd "$KOJI_PKI_DIR" "$SCRIPT_DIR"/koji-gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_HUB_FQDN" $DEBUG "$SCRIPT_DIR"/koji-gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_HUB_FQDN" $DEBUG "$SCRIPT_DIR"/koji-gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" $DEBUG "$SCRIPT_DIR"/koji-gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" $DEBUG popd # Copy certificates into ~/.koji for kojiadmin useradd kojiadmin ADMIN_KOJI_DIR="$(echo ~kojiadmin)"/.koji mkdir -p "$ADMIN_KOJI_DIR" cp -f "$KOJI_PKI_DIR"/kojiadmin.pem "$ADMIN_KOJI_DIR"/client.crt cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/clientca.crt cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/serverca.crt chown -R kojiadmin:kojiadmin "$ADMIN_KOJI_DIR" ## POSTGRESQL SERVER # Initialize PostgreSQL DB mkdir -p "$POSTGRES_DIR" chown -R "$POSTGRES_USER":"$POSTGRES_USER" "$POSTGRES_DIR" sudo -u "$POSTGRES_USER" initdb --pgdata "$POSTGRES_DIR"/data systemctl enable --now postgresql # Setup User Accounts useradd -r koji # Setup PostgreSQL and populate schema sudo -u "$POSTGRES_USER" createuser --no-superuser --no-createrole --no-createdb koji sudo -u "$POSTGRES_USER" createdb -O koji koji sudo -u koji psql koji koji < /usr/share/doc/koji/docs/schema.sql # Authorize Koji-web and Koji-hub resources cat > "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF #TYPE DATABASE USER CIDR-ADDRESS METHOD local koji koji trust local all postgres peer EOF # possible alternatives #host koji koji 127.0.0.1/32 trust #host koji koji ::1/128 trust # increase the max connections as koji appears to be very chatty sed -i "/^max_connections =/ s/100/1000/" "/var/lib/pgsql/data/postgresql.conf" systemctl restart postgresql # Bootstrapping the initial koji admin user into the PostgreSQL database # SSL Certificate authentication sudo -u koji psql -c "insert into users (name, status, usertype) values ('kojiadmin', 0, 0);" # Give yourself admin permissions sudo -u koji psql -c "insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);" ## KOJI CONFIGURATION FILES # Koji Hub mkdir -p /etc/koji-hub cat > /etc/koji-hub/hub.conf <<- EOF [hub] DBName = koji DBUser = koji KojiDir = $KOJI_DIR DNUsernameComponent = CN ProxyDNs = C=$COUNTRY_CODE,ST=$STATE,L=$LOCATION,O=$ORGANIZATION,OU=kojiweb,CN=$KOJI_HUB_FQDN LoginCreatesUser = On KojiWebURL = $KOJI_WEB_URL/koji DisableNotifications = True EOF mkdir -p /etc/httpd/conf.d cat > /etc/httpd/conf.d/kojihub.conf <<- EOF Alias /kojihub /usr/share/koji-hub/kojiapp.py Options ExecCGI SetHandler wsgi-script Require all granted Alias /kojifiles "$KOJI_DIR" Options Indexes SymLinksIfOwnerMatch AllowOverride None Require all granted SSLVerifyClient require SSLVerifyDepth 10 SSLOptions +StdEnvVars EOF # SELinux changes to allow db access setsebool -P httpd_can_network_connect_db 1 # SELinux changes to allow httpd network access setsebool -P httpd_can_network_connect 1 # Koji CLI cat > /etc/koji.conf <<- EOF [koji] server = $KOJI_URL/kojihub weburl = $KOJI_WEB_URL/koji topurl = $KOJI_URL/kojifiles topdir = $KOJI_DIR cert = ~/.koji/client.crt serverca = ~/.koji/serverca.crt anon_retry = true EOF ## KOJI APPLICATION HOSTING # Koji Filesystem Skeleton mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist} chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR" # tweak SELinux to allow $HTTPD_USER write access setsebool -P allow_httpd_anon_write=1 semanage fcontext -a -t public_content_rw_t "$KOJI_DIR(/.*)?" restorecon -r -v $KOJI_DIR ## Apache Configuration Files mkdir -p /etc/httpd/conf.d cat > /etc/httpd/conf.d/ssl.conf <<- EOF ServerName $KOJI_HUB_FQDN Listen 443 https #SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog #SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin ErrorLog /var/log/httpd/ssl_error_log TransferLog /var/log/httpd/ssl_access_log LogLevel warn SSLEngine on SSLHonorCipherOrder on SSLCipherSuite PROFILE=SYSTEM SSLProxyCipherSuite PROFILE=SYSTEM SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt SSLVerifyClient require SSLVerifyDepth 10 SSLOptions +StdEnvVars SSLOptions +StdEnvVars CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" EOF mkdir -p /etc/httpd/conf.modules.d cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF WSGISocketPrefix /run/httpd/wsgi EOF cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF LoadModule ssl_module lib/httpd/modules/mod_ssl.so EOF # Firewall stuff if systemctl status iptables >/dev/null 2>&1; then # set iptables rules for http and https fi if firewall-cmd --state >/dev/null 2>&1; then # allow httpd access through firewall firewall-cmd --permanent --add-service=http firewall-cmd --permanent --add-service=https firewall-cmd --reload fi # enable and start the httpd service systemctl enable --now httpd ## TEST KOJI CONNECTIVITY sudo -u kojiadmin koji moshimoshi ## KOJIRA - DNF|YUM REPOSITORY CREATION AND MAINTENANCE # Add the user entry for the kojira user sudo -u kojiadmin koji add-user kojira sudo -u kojiadmin koji grant-permission repo kojira # Kojira Configuration Files mkdir -p /etc/kojira cat > /etc/kojira/kojira.conf <<- EOF [kojira] server=$KOJI_URL/kojihub topdir=$KOJI_DIR logfile=/var/log/kojira.log cert = $KOJI_PKI_DIR/kojira.pem serverca = $KOJI_PKI_DIR/koji_ca_cert.crt EOF # Ensure postgresql is started prior to running kojira service mkdir -p /etc/systemd/system/kojira.service.d cat > /etc/systemd/system/kojira.service.d/after-postgresql.conf <