#!/bin/bash # SPDX-License-Identifier: Apache-2.0 set -e KOJI_WEB_FQDN= DEBUG= SILENT="-s" QUIET="-q" for param in $1 $2 ; do if [ $param ] ; then case $param in debug ) DEBUG="debug" ;; * ) KOJI_WEB_FQDN=$param ;; esac else break fi done if [ $DEBUG ] ; then set -xe SILENT= QUIET="-v" fi # load required parameters SCRIPT_DIR="$(dirname "$(realpath "$0")")" if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting" exit 1 fi source "$SCRIPT_DIR"/koji-parameters.sh # if no build server given, deploy locally if [[ -z $KOJI_WEB_FQDN ]] ; then KOJI_WEB_FQDN=$KOJI_HUB_FQDN ; fi # check if local or remote deploy if [[ "$KOJI_WEB_FQDN" != "$(hostname -f)" ]] ; then if [[ $DEBUG ]] ; then echo "Deploying remotely to $KOJI_WEB_FQDN" ; fi # deploy remotely to $KOJI_WEB_FQDN # We make all the changes required on the hub and then re-run this script on $KOJI_WEB_FQDN # check that I can conmnect if [ ! $(nc -z $KOJI_WEB_FQDN 22 2>&1 | grep succeeded) ] ; then echo "I cannot connect to $KOJI_WEB_FQDN! Is it online? " echo "Options:" echo "- turn on the server" echo "- add this server into the /etc/hosts file on this server" exit 1 fi # update hub config files to point at web server sed -i 's,KojiWebURL.*,KojiWebURL = http://$KOJI_WEB_FQDN/koji,g' /etc/koji-hub/hub.conf sed -i 's,weburl.*,weburl = http://$KOJI_WEB_FQDN/koji,g' /etc/koji.conf # check if nfs has been installed on the hub (only need to install once) if [[ -z $(dnf list installed | grep nfs-server) ]] ; then # add nfs share for koji files direcory to hub curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-server.sh > $SCRIPT_DIR/koji-deploy-nfs-server.sh chmod o+x $SCRIPT_DIR/koji-deploy-nfs-server.sh koji-deploy-nfs-server.sh $DEBUG fi # add web server to nfs exports line for /mnt/koji sed -i '/^\/mnt\/koji/ s/$/ $KOJI_WEB_FQDN(ro,no_root_squash)/g' /etc/exports # generate a hub ssh key if there isn't one already (for scp & ssh to web server) if [ ! -f /root/.ssh/id-rsa ] ; then # create a ssh key on build server mkdir -p ~/.ssh ssh-keygen -t rsa -f /root/.ssh/id_rsa -N "" fi # copy the server key into authorized keys on the web server ssh-copy-id -i ~/.ssh/id_rsa.pub $KOJI_WEB_FQDN # find the IP of the web server WEB_IP=$(ssh root@$KOJI_WEB_FQDN "hostname -I") # add web server into allowed access to db cat >> "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF host koji koji $WEB_IP/32 scram-sha-256 EOF systemctl reload postgresql # copy across the ssl keys ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $KOJI_PKI_DIR/private scp $QUIET $KOJI_PKI_DIR/kojiweb.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/. scp $QUIET $KOJI_PKI_DIR/kojihub.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/. scp $QUIET $KOJI_PKI_DIR/private/kojihub.key root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/private/. scp $QUIET $KOJI_PKI_DIR/koji_ca_cert.crt root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/. # copy across the parameter files (we built them on the hub) ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $SCRIPT_DIR scp $QUIET $SCRIPT_DIR/koji-parameters.sh root@$KOJI_WEB_FQDN:$SCRIPT_DIR/koji-parameters.sh # pull down the required scripts ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-client.sh > $SCRIPT_DIR/koji-deploy-nfs-client.sh" ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-web.sh > $SCRIPT_DIR/koji-deploy-web.sh" # make them executeable ssh $QUIET root@$KOJI_WEB_FQDN "chmod o+x $SCRIPT_DIR/*" # connect to nfs share ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-nfs-client.sh $DEBUG # ssh into the new web server to do the local configuration ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-web.sh $KOJI_WEB_FQDN $DEBUG exit 0 fi # This is the local deploy part if [[ $DEBUG ]] ; then echo "Deploying locally to $KOJI_WEB_FQDN" ; fi # Install all the required packages (some live in the epel repo, so we may need to install that too) if [[ -z $(dnf list installed | grep epel-release) ]] ; then dnf config-manager --set-enabled powertools $QUIET dnf install -y epel-release $QUIET fi dnf install -y mod_ssl koji-web $QUIET # install locally # create secret SECRET="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32)" # create config files mkdir -p /etc/kojiweb cat > /etc/kojiweb/web.conf <<- EOF [web] SiteName = koji KojiHubURL = $KOJI_URL/kojihub KojiFilesURL = $KOJI_URL/kojifiles WebCert = $KOJI_PKI_DIR/kojiweb.pem ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt LoginTimeout = 72 Secret = "$SECRET" LibPath = /usr/share/koji-web/lib LiteralFooter = True EOF if [[ ! -d /etc/httpd/conf.d ]] ; then mkdir -p /etc/httpd/conf.d ; fi cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py" Options ExecCGI SetHandler wsgi-script Require all granted Alias /koji-static "/usr/share/koji-web/static" Options None AllowOverride None Require all granted SSLOptions +StdEnvVars EOF # if NOT on the hub, setup the standard httpd settings if [[ $KOJI_WEB_FQDN != $KOJI_HUB_FQDN ]] ; then ## Apache ssl Configuration File cat > /etc/httpd/conf.d/ssl.conf <<- EOF ServerName $KOJI_WEB_FQDN Listen 443 https #SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog #SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin ErrorLog /var/log/httpd/ssl_error_log TransferLog /var/log/httpd/ssl_access_log LogLevel warn SSLEngine on SSLHonorCipherOrder on SSLCipherSuite PROFILE=SYSTEM SSLProxyCipherSuite PROFILE=SYSTEM SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt SSLVerifyClient require SSLVerifyDepth 10 SSLOptions +StdEnvVars SSLOptions +StdEnvVars CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" EOF # SELinux changes to allow httpd network access setsebool -P httpd_can_network_connect 1 mkdir -p /etc/httpd/conf.modules.d cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF WSGISocketPrefix /run/httpd/wsgi EOF cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF LoadModule ssl_module lib/httpd/modules/mod_ssl.so EOF # allow httpd access through firewall firewall-cmd --permanent --add-service=http firewall-cmd --permanent --add-service=https firewall-cmd --reload # enable and start the httpd service systemctl enable --now httpd else # we need to restart the httpd service systemctl restart httpd fi