mirror of
https://src.koozali.org/infra/smeserver-koji.git
synced 2024-11-21 17:17:28 +01:00
218 lines
7.2 KiB
Bash
218 lines
7.2 KiB
Bash
#!/bin/bash
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
set -e
|
|
KOJI_WEB_FQDN=
|
|
DEBUG=
|
|
SILENT="-s"
|
|
QUIET="-q"
|
|
for param in $1 $2 ; do
|
|
if [ $param ] ; then
|
|
case $param in
|
|
debug )
|
|
DEBUG="debug" ;;
|
|
* )
|
|
KOJI_WEB_FQDN=$param ;;
|
|
esac
|
|
else
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ $DEBUG ] ; then
|
|
set -xe
|
|
SILENT=
|
|
QUIET="-v"
|
|
fi
|
|
|
|
# load required parameters
|
|
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
|
|
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
|
|
echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
|
|
exit 1
|
|
fi
|
|
source "$SCRIPT_DIR"/koji-parameters.sh
|
|
|
|
# if no build server given, deploy locally
|
|
if [[ -z $KOJI_WEB_FQDN ]] ; then KOJI_WEB_FQDN=$KOJI_HUB_FQDN ; fi
|
|
|
|
# check if local or remote deploy
|
|
if [[ "$KOJI_WEB_FQDN" != "$(hostname -f)" ]] ; then
|
|
if [[ $DEBUG ]] ; then echo "Deploying remotely to $KOJI_WEB_FQDN" ; fi
|
|
# deploy remotely to $KOJI_WEB_FQDN
|
|
# We make all the changes required on the hub and then re-run this script on $KOJI_WEB_FQDN
|
|
|
|
# check that I can conmnect
|
|
if [ ! $(nc -z $KOJI_WEB_FQDN 22 2>&1 | grep succeeded) ] ; then
|
|
echo "I cannot connect to $KOJI_WEB_FQDN! Is it online? "
|
|
echo "Options:"
|
|
echo "- turn on the server"
|
|
echo "- add this server into the /etc/hosts file on this server"
|
|
exit 1
|
|
fi
|
|
# update hub config files to point at web server
|
|
sed -i 's,KojiWebURL.*,KojiWebURL = http://$KOJI_WEB_FQDN/koji,g' /etc/koji-hub/hub.conf
|
|
sed -i 's,weburl.*,weburl = http://$KOJI_WEB_FQDN/koji,g' /etc/koji.conf
|
|
# check if nfs has been installed on the hub (only need to install once)
|
|
if [[ -z $(dnf list installed | grep nfs-server) ]] ; then
|
|
# add nfs share for koji files direcory to hub
|
|
curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-server.sh > $SCRIPT_DIR/koji-deploy-nfs-server.sh
|
|
chmod o+x $SCRIPT_DIR/koji-deploy-nfs-server.sh
|
|
koji-deploy-nfs-server.sh $DEBUG
|
|
fi
|
|
|
|
# add web server to nfs exports line for /mnt/koji
|
|
sed -i '/^\/mnt\/koji/ s/$/ $KOJI_WEB_FQDN(ro,no_root_squash)/g' /etc/exports
|
|
# generate a hub ssh key if there isn't one already (for scp & ssh to web server)
|
|
if [ ! -f /root/.ssh/id-rsa ] ; then
|
|
# create a ssh key on build server
|
|
mkdir -p ~/.ssh
|
|
ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ""
|
|
fi
|
|
# copy the server key into authorized keys on the web server
|
|
ssh-copy-id -i ~/.ssh/id_rsa.pub $KOJI_WEB_FQDN
|
|
# find the IP of the web server
|
|
WEB_IP=$(ssh root@$KOJI_WEB_FQDN "hostname -I")
|
|
# add web server into allowed access to db
|
|
cat >> "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF
|
|
host koji koji $WEB_IP/32 scram-sha-256
|
|
EOF
|
|
systemctl reload postgresql
|
|
# copy across the ssl keys
|
|
ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $KOJI_PKI_DIR/private
|
|
scp $QUIET $KOJI_PKI_DIR/kojiweb.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
|
|
scp $QUIET $KOJI_PKI_DIR/kojihub.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
|
|
scp $QUIET $KOJI_PKI_DIR/private/kojihub.key root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/private/.
|
|
scp $QUIET $KOJI_PKI_DIR/koji_ca_cert.crt root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
|
|
# copy across the parameter files (we built them on the hub)
|
|
ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $SCRIPT_DIR
|
|
scp $QUIET $SCRIPT_DIR/koji-parameters.sh root@$KOJI_WEB_FQDN:$SCRIPT_DIR/koji-parameters.sh
|
|
# pull down the required scripts
|
|
ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-client.sh > $SCRIPT_DIR/koji-deploy-nfs-client.sh"
|
|
ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-web.sh > $SCRIPT_DIR/koji-deploy-web.sh"
|
|
# make them executeable
|
|
ssh $QUIET root@$KOJI_WEB_FQDN "chmod o+x $SCRIPT_DIR/*"
|
|
|
|
# connect to nfs share
|
|
ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-nfs-client.sh $DEBUG
|
|
# ssh into the new web server to do the local configuration
|
|
ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-web.sh $KOJI_WEB_FQDN $DEBUG
|
|
exit 0
|
|
fi
|
|
|
|
# This is the local deploy part
|
|
if [[ $DEBUG ]] ; then echo "Deploying locally to $KOJI_WEB_FQDN" ; fi
|
|
# Install all the required packages (some live in the epel repo, so we may need to install that too)
|
|
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
|
|
dnf config-manager --set-enabled powertools $QUIET
|
|
dnf install -y epel-release $QUIET
|
|
fi
|
|
dnf install -y mod_ssl koji-web $QUIET
|
|
|
|
# install locally
|
|
# create secret
|
|
SECRET="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32)"
|
|
# create config files
|
|
mkdir -p /etc/kojiweb
|
|
cat > /etc/kojiweb/web.conf <<- EOF
|
|
[web]
|
|
SiteName = koji
|
|
KojiHubURL = $KOJI_URL/kojihub
|
|
KojiFilesURL = $KOJI_URL/kojifiles
|
|
WebCert = $KOJI_PKI_DIR/kojiweb.pem
|
|
ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
LoginTimeout = 72
|
|
Secret = "$SECRET"
|
|
LibPath = /usr/share/koji-web/lib
|
|
LiteralFooter = True
|
|
EOF
|
|
|
|
if [[ ! -d /etc/httpd/conf.d ]] ; then mkdir -p /etc/httpd/conf.d ; fi
|
|
cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF
|
|
Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
|
|
<Directory "/usr/share/koji-web/scripts">
|
|
Options ExecCGI
|
|
SetHandler wsgi-script
|
|
Require all granted
|
|
</Directory>
|
|
Alias /koji-static "/usr/share/koji-web/static"
|
|
<Directory "/usr/share/koji-web/static">
|
|
Options None
|
|
AllowOverride None
|
|
Require all granted
|
|
</Directory>
|
|
<Location /koji/login>
|
|
SSLOptions +StdEnvVars
|
|
</Location>
|
|
EOF
|
|
|
|
|
|
# if NOT on the hub, setup the standard httpd settings
|
|
if [[ $KOJI_WEB_FQDN != $KOJI_HUB_FQDN ]] ; then
|
|
|
|
## Apache ssl Configuration File
|
|
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
|
|
ServerName $KOJI_WEB_FQDN
|
|
|
|
Listen 443 https
|
|
|
|
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
|
|
|
|
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
|
|
|
|
SSLRandomSeed startup file:/dev/urandom 256
|
|
SSLRandomSeed connect builtin
|
|
|
|
<VirtualHost _default_:443>
|
|
ErrorLog /var/log/httpd/ssl_error_log
|
|
TransferLog /var/log/httpd/ssl_access_log
|
|
LogLevel warn
|
|
|
|
SSLEngine on
|
|
SSLHonorCipherOrder on
|
|
SSLCipherSuite PROFILE=SYSTEM
|
|
SSLProxyCipherSuite PROFILE=SYSTEM
|
|
|
|
SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
|
|
SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
|
|
SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
SSLVerifyClient require
|
|
SSLVerifyDepth 10
|
|
|
|
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
|
|
SSLOptions +StdEnvVars
|
|
</FilesMatch>
|
|
<Directory "/var/www/cgi-bin">
|
|
SSLOptions +StdEnvVars
|
|
</Directory>
|
|
|
|
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
|
</VirtualHost>
|
|
EOF
|
|
|
|
# SELinux changes to allow httpd network access
|
|
setsebool -P httpd_can_network_connect 1
|
|
|
|
mkdir -p /etc/httpd/conf.modules.d
|
|
cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
|
|
WSGISocketPrefix /run/httpd/wsgi
|
|
EOF
|
|
cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
|
|
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
|
|
EOF
|
|
|
|
# allow httpd access through firewall
|
|
firewall-cmd --permanent --add-service=http
|
|
firewall-cmd --permanent --add-service=https
|
|
firewall-cmd --reload
|
|
|
|
# enable and start the httpd service
|
|
systemctl enable --now httpd
|
|
|
|
else
|
|
# we need to restart the httpd service
|
|
systemctl restart httpd
|
|
fi
|