mirror of
https://src.koozali.org/infra/smeserver-koji.git
synced 2024-12-04 22:57:59 +01:00
346 lines
11 KiB
Bash
346 lines
11 KiB
Bash
#!/bin/bash
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
set -e
|
|
DEBUG=
|
|
SILENT="-s"
|
|
QUIET="-q"
|
|
for param in $1 $2 ; do
|
|
if [ $param ] ; then
|
|
case $param in
|
|
debug )
|
|
DEBUG="debug" ;;
|
|
esac
|
|
else
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ $DEBUG ] ; then
|
|
set -xe
|
|
SILENT=
|
|
QUIET="-v"
|
|
fi
|
|
|
|
# load required parameters
|
|
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
|
|
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
|
|
echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
|
|
exit 1
|
|
fi
|
|
source "$SCRIPT_DIR"/koji-parameters.sh
|
|
|
|
# pull down any required scripts
|
|
if [ ! -f $SCRIPTS_DIR/koji-gencert.sh ] ; then
|
|
curl $SILENT $SCRIPT_GIT/koji-gencert.sh > $SCRIPT_DIR/koji-gencert.sh
|
|
chmod o+x $SCRIPT_DIR/koji-gencert.sh
|
|
fi
|
|
|
|
# Install all the required packages (some live in the epel repo, so we need to install that too)
|
|
dnf config-manager --set-enabled powertools $QUIET
|
|
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
|
|
dnf install -y epel-release $QUIET
|
|
fi
|
|
dnf install -y koji-hub mod_ssl koji koji-web koji-utils policycoreutils-python-utils $QUIET
|
|
dnf module enable postgresql:10 -y $QUIET
|
|
dnf install -y postgresql-server $QUIET
|
|
|
|
## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION
|
|
mkdir -p "$KOJI_PKI_DIR"/{certs,private}
|
|
RANDFILE="$KOJI_PKI_DIR"/.rand
|
|
dd if=/dev/urandom of="$RANDFILE" bs=256 count=1
|
|
|
|
# Certificate generation
|
|
cat > "$KOJI_PKI_DIR"/ssl.cnf <<- EOF
|
|
HOME = $KOJI_PKI_DIR
|
|
RANDFILE = $RANDFILE
|
|
|
|
[ca]
|
|
default_ca = ca_default
|
|
|
|
[ca_default]
|
|
dir = $KOJI_PKI_DIR
|
|
certs = \$dir/certs
|
|
crl_dir = \$dir/crl
|
|
database = \$dir/index.txt
|
|
new_certs_dir = \$dir/newcerts
|
|
certificate = \$dir/%s_ca_cert.pem
|
|
private_key = \$dir/private/%s_ca_key.pem
|
|
serial = \$dir/serial
|
|
crl = \$dir/crl.pem
|
|
x509_extensions = usr_cert
|
|
name_opt = ca_default
|
|
cert_opt = ca_default
|
|
default_days = 3650
|
|
default_crl_days = 30
|
|
default_md = sha512
|
|
preserve = no
|
|
policy = policy_match
|
|
|
|
[policy_match]
|
|
countryName = match
|
|
stateOrProvinceName = match
|
|
organizationName = match
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
[req]
|
|
default_bits = 4096
|
|
default_keyfile = privkey.pem
|
|
default_md = sha512
|
|
distinguished_name = req_distinguished_name
|
|
attributes = req_attributes
|
|
x509_extensions = v3_ca # The extensions to add to the self signed cert
|
|
string_mask = MASK:0x2002
|
|
|
|
[req_distinguished_name]
|
|
countryName = Country Name (2 letter code)
|
|
countryName_min = 2
|
|
countryName_max = 2
|
|
stateOrProvinceName = State or Province Name (full name)
|
|
localityName = Locality Name (eg, city)
|
|
0.organizationName = Organization Name (eg, company)
|
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
commonName = Common Name (eg, your name or your server\'s hostname)
|
|
commonName_max = 64
|
|
emailAddress = Email Address
|
|
emailAddress_max = 64
|
|
|
|
[req_attributes]
|
|
challengePassword = A challenge password
|
|
challengePassword_min = 8
|
|
challengePassword_max = 64
|
|
unstructuredName = An optional company name
|
|
|
|
[usr_cert]
|
|
basicConstraints = CA:FALSE
|
|
nsComment = "OpenSSL Generated Certificate"
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid,issuer:always
|
|
|
|
[v3_ca]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer:always
|
|
basicConstraints = CA:true
|
|
EOF
|
|
|
|
# Generate and trust CA
|
|
touch "$KOJI_PKI_DIR"/index.txt
|
|
echo 01 > "$KOJI_PKI_DIR"/serial
|
|
openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048
|
|
openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_HUB_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca
|
|
mkdir -p /etc/ca-certs/trusted
|
|
|
|
# Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser)
|
|
pushd "$KOJI_PKI_DIR"
|
|
"$SCRIPT_DIR"/koji-gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_HUB_FQDN" $DEBUG
|
|
"$SCRIPT_DIR"/koji-gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_HUB_FQDN" $DEBUG
|
|
"$SCRIPT_DIR"/koji-gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" $DEBUG
|
|
"$SCRIPT_DIR"/koji-gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" $DEBUG
|
|
popd
|
|
|
|
# Copy certificates into ~/.koji for kojiadmin
|
|
useradd kojiadmin
|
|
ADMIN_KOJI_DIR="$(echo ~kojiadmin)"/.koji
|
|
mkdir -p "$ADMIN_KOJI_DIR"
|
|
cp -f "$KOJI_PKI_DIR"/kojiadmin.pem "$ADMIN_KOJI_DIR"/client.crt
|
|
cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/clientca.crt
|
|
cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/serverca.crt
|
|
chown -R kojiadmin:kojiadmin "$ADMIN_KOJI_DIR"
|
|
|
|
|
|
## POSTGRESQL SERVER
|
|
# Initialize PostgreSQL DB
|
|
mkdir -p "$POSTGRES_DIR"
|
|
chown -R "$POSTGRES_USER":"$POSTGRES_USER" "$POSTGRES_DIR"
|
|
sudo -u "$POSTGRES_USER" initdb --pgdata "$POSTGRES_DIR"/data
|
|
systemctl enable --now postgresql
|
|
|
|
# Setup User Accounts
|
|
useradd -r koji
|
|
|
|
# Setup PostgreSQL and populate schema
|
|
sudo -u "$POSTGRES_USER" createuser --no-superuser --no-createrole --no-createdb koji
|
|
sudo -u "$POSTGRES_USER" createdb -O koji koji
|
|
sudo -u koji psql koji koji < /usr/share/koji/schema.sql
|
|
|
|
# Authorize Koji-web and Koji-hub resources
|
|
cat > "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF
|
|
#TYPE DATABASE USER CIDR-ADDRESS METHOD
|
|
local koji koji trust
|
|
local all postgres peer
|
|
EOF
|
|
# possible alternatives
|
|
#host koji koji 127.0.0.1/32 trust
|
|
#host koji koji ::1/128 trust
|
|
|
|
# increase the max connections as koji appears to be very chatty
|
|
sed -i "/^max_connections =/ s/100/1000/" "/var/lib/pgsql/data/postgresql.conf"
|
|
|
|
systemctl restart postgresql
|
|
|
|
# Bootstrapping the initial koji admin user into the PostgreSQL database
|
|
# SSL Certificate authentication
|
|
sudo -u koji psql -c "insert into users (name, status, usertype) values ('kojiadmin', 0, 0);"
|
|
|
|
# Give yourself admin permissions
|
|
sudo -u koji psql -c "insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);"
|
|
|
|
## KOJI CONFIGURATION FILES
|
|
# Koji Hub
|
|
mkdir -p /etc/koji-hub
|
|
cat > /etc/koji-hub/hub.conf <<- EOF
|
|
[hub]
|
|
DBName = koji
|
|
DBUser = koji
|
|
KojiDir = $KOJI_DIR
|
|
DNUsernameComponent = CN
|
|
ProxyDNs = C=$COUNTRY_CODE,ST=$STATE,L=$LOCATION,O=$ORGANIZATION,OU=kojiweb,CN=$KOJI_HUB_FQDN
|
|
LoginCreatesUser = On
|
|
KojiWebURL = $KOJI_WEB_URL/koji
|
|
DisableNotifications = True
|
|
EOF
|
|
|
|
mkdir -p /etc/httpd/conf.d
|
|
cat > /etc/httpd/conf.d/kojihub.conf <<- EOF
|
|
Alias /kojihub /usr/share/koji-hub/kojiapp.py
|
|
<Directory "/usr/share/koji-hub">
|
|
Options ExecCGI
|
|
SetHandler wsgi-script
|
|
Require all granted
|
|
</Directory>
|
|
Alias /kojifiles "$KOJI_DIR"
|
|
<Directory "$KOJI_DIR">
|
|
Options Indexes SymLinksIfOwnerMatch
|
|
AllowOverride None
|
|
Require all granted
|
|
</Directory>
|
|
<Location /kojihub/ssllogin>
|
|
SSLVerifyClient require
|
|
SSLVerifyDepth 10
|
|
SSLOptions +StdEnvVars
|
|
</Location>
|
|
EOF
|
|
|
|
# SELinux changes to allow db access
|
|
setsebool -P httpd_can_network_connect_db 1
|
|
|
|
# SELinux changes to allow httpd network access
|
|
setsebool -P httpd_can_network_connect 1
|
|
|
|
# Koji CLI
|
|
cat > /etc/koji.conf <<- EOF
|
|
[koji]
|
|
server = $KOJI_URL/kojihub
|
|
weburl = $KOJI_WEB_URL/koji
|
|
topurl = $KOJI_URL/kojifiles
|
|
topdir = $KOJI_DIR
|
|
cert = ~/.koji/client.crt
|
|
serverca = ~/.koji/serverca.crt
|
|
anon_retry = true
|
|
EOF
|
|
|
|
## KOJI APPLICATION HOSTING
|
|
# Koji Filesystem Skeleton
|
|
mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}
|
|
chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR"
|
|
|
|
# tweak SELinux to allow $HTTPD_USER write access
|
|
setsebool -P allow_httpd_anon_write=1
|
|
semanage fcontext -a -t public_content_rw_t "$KOJI_DIR(/.*)?"
|
|
restorecon -r -v $KOJI_DIR
|
|
|
|
## Apache Configuration Files
|
|
mkdir -p /etc/httpd/conf.d
|
|
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
|
|
ServerName $KOJI_HUB_FQDN
|
|
|
|
Listen 443 https
|
|
|
|
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
|
|
|
|
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
|
|
|
|
SSLRandomSeed startup file:/dev/urandom 256
|
|
SSLRandomSeed connect builtin
|
|
|
|
<VirtualHost _default_:443>
|
|
ErrorLog /var/log/httpd/ssl_error_log
|
|
TransferLog /var/log/httpd/ssl_access_log
|
|
LogLevel warn
|
|
|
|
SSLEngine on
|
|
SSLHonorCipherOrder on
|
|
SSLCipherSuite PROFILE=SYSTEM
|
|
SSLProxyCipherSuite PROFILE=SYSTEM
|
|
|
|
SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
|
|
SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
|
|
SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
SSLVerifyClient require
|
|
SSLVerifyDepth 10
|
|
|
|
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
|
|
SSLOptions +StdEnvVars
|
|
</FilesMatch>
|
|
<Directory "/var/www/cgi-bin">
|
|
SSLOptions +StdEnvVars
|
|
</Directory>
|
|
|
|
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
|
</VirtualHost>
|
|
EOF
|
|
|
|
mkdir -p /etc/httpd/conf.modules.d
|
|
cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
|
|
WSGISocketPrefix /run/httpd/wsgi
|
|
EOF
|
|
cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
|
|
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
|
|
EOF
|
|
|
|
# Firewall stuff
|
|
if systemctl status iptables >/dev/null 2>&1; then
|
|
# set iptables rules for http and https
|
|
if [ $DEBUG ] ; then echo "iptables here - should we be setting something?" ; fi
|
|
fi
|
|
if firewall-cmd --state >/dev/null 2>&1; then
|
|
# allow httpd access through firewall
|
|
firewall-cmd --permanent --add-service=http
|
|
firewall-cmd --permanent --add-service=https
|
|
firewall-cmd --reload
|
|
fi
|
|
|
|
# enable and start the httpd service
|
|
systemctl enable --now httpd
|
|
|
|
## TEST KOJI CONNECTIVITY
|
|
sudo -u kojiadmin koji moshimoshi
|
|
|
|
## KOJIRA - DNF|YUM REPOSITORY CREATION AND MAINTENANCE
|
|
# Add the user entry for the kojira user
|
|
sudo -u kojiadmin koji add-user kojira
|
|
sudo -u kojiadmin koji grant-permission repo kojira
|
|
|
|
# Kojira Configuration Files
|
|
mkdir -p /etc/kojira
|
|
cat > /etc/kojira/kojira.conf <<- EOF
|
|
[kojira]
|
|
server=$KOJI_URL/kojihub
|
|
topdir=$KOJI_DIR
|
|
logfile=/var/log/kojira.log
|
|
cert = $KOJI_PKI_DIR/kojira.pem
|
|
serverca = $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
EOF
|
|
|
|
# Ensure postgresql is started prior to running kojira service
|
|
mkdir -p /etc/systemd/system/kojira.service.d
|
|
cat > /etc/systemd/system/kojira.service.d/after-postgresql.conf <<EOF
|
|
[Unit]
|
|
After=postgresql.service
|
|
EOF
|
|
|
|
systemctl enable --now kojira
|