#!/bin/bash
# SPDX-License-Identifier: Apache-2.0
set -e
DEBUG=
SILENT="-s"
QUIET="-q"
for param in $1 $2 ; do
if [ $param ] ; then
case $param in
debug )
DEBUG="debug" ;;
esac
else
break
fi
done
if [ $DEBUG ] ; then
set -xe
SILENT=
QUIET="-v"
fi
# load required parameters
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
exit 1
fi
source "$SCRIPT_DIR"/koji-parameters.sh
# pull down any required scripts
if [ ! -f $SCRIPTS_DIR/koji-gencert.sh ] ; then
curl $SILENT $SCRIPT_GIT/koji-gencert.sh > $SCRIPT_DIR/koji-gencert.sh
chmod o+x $SCRIPT_DIR/koji-gencert.sh
fi
# Install all the required packages (some live in the epel repo, so we need to install that too)
dnf config-manager --set-enabled powertools $QUIET
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
dnf install -y epel-release $QUIET
fi
dnf install -y koji-hub mod_ssl koji koji-web koji-utils policycoreutils-python-utils $QUIET
dnf module enable postgresql:10 -y $QUIET
dnf install -y postgresql-server $QUIET
## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION
mkdir -p "$KOJI_PKI_DIR"/{certs,private}
RANDFILE="$KOJI_PKI_DIR"/.rand
dd if=/dev/urandom of="$RANDFILE" bs=256 count=1
# Certificate generation
cat > "$KOJI_PKI_DIR"/ssl.cnf <<- EOF
HOME = $KOJI_PKI_DIR
RANDFILE = $RANDFILE
[ca]
default_ca = ca_default
[ca_default]
dir = $KOJI_PKI_DIR
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/%s_ca_cert.pem
private_key = \$dir/private/%s_ca_key.pem
serial = \$dir/serial
crl = \$dir/crl.pem
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha512
preserve = no
policy = policy_match
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
default_keyfile = privkey.pem
default_md = sha512
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = MASK:0x2002
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[req_attributes]
challengePassword = A challenge password
challengePassword_min = 8
challengePassword_max = 64
unstructuredName = An optional company name
[usr_cert]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
EOF
# Generate and trust CA
touch "$KOJI_PKI_DIR"/index.txt
echo 01 > "$KOJI_PKI_DIR"/serial
openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048
openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_HUB_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca
mkdir -p /etc/ca-certs/trusted
# Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser)
pushd "$KOJI_PKI_DIR"
"$SCRIPT_DIR"/koji-gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_HUB_FQDN" $DEBUG
"$SCRIPT_DIR"/koji-gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_HUB_FQDN" $DEBUG
"$SCRIPT_DIR"/koji-gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" $DEBUG
"$SCRIPT_DIR"/koji-gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" $DEBUG
popd
# Copy certificates into ~/.koji for kojiadmin
useradd kojiadmin
ADMIN_KOJI_DIR="$(echo ~kojiadmin)"/.koji
mkdir -p "$ADMIN_KOJI_DIR"
cp -f "$KOJI_PKI_DIR"/kojiadmin.pem "$ADMIN_KOJI_DIR"/client.crt
cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/clientca.crt
cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/serverca.crt
chown -R kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"
## POSTGRESQL SERVER
# Initialize PostgreSQL DB
mkdir -p "$POSTGRES_DIR"
chown -R "$POSTGRES_USER":"$POSTGRES_USER" "$POSTGRES_DIR"
sudo -u "$POSTGRES_USER" initdb --pgdata "$POSTGRES_DIR"/data
systemctl enable --now postgresql
# Setup User Accounts
useradd -r koji
# Setup PostgreSQL and populate schema
sudo -u "$POSTGRES_USER" createuser --no-superuser --no-createrole --no-createdb koji
sudo -u "$POSTGRES_USER" createdb -O koji koji
sudo -u koji psql koji koji < /usr/share/koji/schema.sql
# Authorize Koji-web and Koji-hub resources
cat > "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF
#TYPE DATABASE USER CIDR-ADDRESS METHOD
local koji koji trust
local all postgres peer
EOF
# possible alternatives
#host koji koji 127.0.0.1/32 trust
#host koji koji ::1/128 trust
# increase the max connections as koji appears to be very chatty
sed -i "/^max_connections =/ s/100/1000/" "/var/lib/pgsql/data/postgresql.conf"
systemctl restart postgresql
# Bootstrapping the initial koji admin user into the PostgreSQL database
# SSL Certificate authentication
sudo -u koji psql -c "insert into users (name, status, usertype) values ('kojiadmin', 0, 0);"
# Give yourself admin permissions
sudo -u koji psql -c "insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);"
## KOJI CONFIGURATION FILES
# Koji Hub
mkdir -p /etc/koji-hub
cat > /etc/koji-hub/hub.conf <<- EOF
[hub]
DBName = koji
DBUser = koji
KojiDir = $KOJI_DIR
DNUsernameComponent = CN
ProxyDNs = C=$COUNTRY_CODE,ST=$STATE,L=$LOCATION,O=$ORGANIZATION,OU=kojiweb,CN=$KOJI_HUB_FQDN
LoginCreatesUser = On
KojiWebURL = $KOJI_WEB_URL/koji
DisableNotifications = True
EOF
mkdir -p /etc/httpd/conf.d
cat > /etc/httpd/conf.d/kojihub.conf <<- EOF
Alias /kojihub /usr/share/koji-hub/kojiapp.py
Options ExecCGI
SetHandler wsgi-script
Require all granted
Alias /kojifiles "$KOJI_DIR"
Options Indexes SymLinksIfOwnerMatch
AllowOverride None
Require all granted
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
EOF
# SELinux changes to allow db access
setsebool -P httpd_can_network_connect_db 1
# SELinux changes to allow httpd network access
setsebool -P httpd_can_network_connect 1
# Koji CLI
cat > /etc/koji.conf <<- EOF
[koji]
server = $KOJI_URL/kojihub
weburl = $KOJI_WEB_URL/koji
topurl = $KOJI_URL/kojifiles
topdir = $KOJI_DIR
cert = ~/.koji/client.crt
serverca = ~/.koji/serverca.crt
anon_retry = true
EOF
## KOJI APPLICATION HOSTING
# Koji Filesystem Skeleton
mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"
# tweak SELinux to allow $HTTPD_USER write access
setsebool -P allow_httpd_anon_write=1
semanage fcontext -a -t public_content_rw_t "$KOJI_DIR(/.*)?"
restorecon -r -v $KOJI_DIR
## Apache Configuration Files
mkdir -p /etc/httpd/conf.d
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
ServerName $KOJI_HUB_FQDN
Listen 443 https
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
EOF
mkdir -p /etc/httpd/conf.modules.d
cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
WSGISocketPrefix /run/httpd/wsgi
EOF
cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
EOF
# Firewall stuff
if systemctl status iptables >/dev/null 2>&1; then
# set iptables rules for http and https
if [ $DEBUG ] ; then echo "iptables here - should we be setting something?" ; fi
fi
if firewall-cmd --state >/dev/null 2>&1; then
# allow httpd access through firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
fi
# enable and start the httpd service
systemctl enable --now httpd
## TEST KOJI CONNECTIVITY
sudo -u kojiadmin koji moshimoshi
## KOJIRA - DNF|YUM REPOSITORY CREATION AND MAINTENANCE
# Add the user entry for the kojira user
sudo -u kojiadmin koji add-user kojira
sudo -u kojiadmin koji grant-permission repo kojira
# Kojira Configuration Files
mkdir -p /etc/kojira
cat > /etc/kojira/kojira.conf <<- EOF
[kojira]
server=$KOJI_URL/kojihub
topdir=$KOJI_DIR
logfile=/var/log/kojira.log
cert = $KOJI_PKI_DIR/kojira.pem
serverca = $KOJI_PKI_DIR/koji_ca_cert.crt
EOF
# Ensure postgresql is started prior to running kojira service
mkdir -p /etc/systemd/system/kojira.service.d
cat > /etc/systemd/system/kojira.service.d/after-postgresql.conf <