smeserver-koji/koji-setup/koji-deploy-web.sh
2023-11-19 12:21:54 +11:00

218 lines
7.2 KiB
Bash

#!/bin/bash
# SPDX-License-Identifier: Apache-2.0
set -e
KOJI_WEB_FQDN=
DEBUG=
SILENT="-s"
QUIET="-q"
for param in $1 $2 ; do
if [ $param ] ; then
case $param in
debug )
DEBUG="debug" ;;
* )
KOJI_WEB_FQDN=$param ;;
esac
else
break
fi
done
if [ $DEBUG ] ; then
set -xe
SILENT=
QUIET="-v"
fi
# load required parameters
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
exit 1
fi
source "$SCRIPT_DIR"/koji-parameters.sh
# if no build server given, deploy locally
if [[ -z $KOJI_WEB_FQDN ]] ; then KOJI_WEB_FQDN=$KOJI_HUB_FQDN ; fi
# check if local or remote deploy
if [[ "$KOJI_WEB_FQDN" != "$(hostname -f)" ]] ; then
if [[ $DEBUG ]] ; then echo "Deploying remotely to $KOJI_WEB_FQDN" ; fi
# deploy remotely to $KOJI_WEB_FQDN
# We make all the changes required on the hub and then re-run this script on $KOJI_WEB_FQDN
# check that I can conmnect
if [ ! $(nc -z $KOJI_WEB_FQDN 22 2>&1 | grep succeeded) ] ; then
echo "I cannot connect to $KOJI_WEB_FQDN! Is it online? "
echo "Options:"
echo "- turn on the server"
echo "- add this server into the /etc/hosts file on this server"
exit 1
fi
# update hub config files to point at web server
sed -i 's,KojiWebURL.*,KojiWebURL = http://$KOJI_WEB_FQDN/koji,g' /etc/koji-hub/hub.conf
sed -i 's,weburl.*,weburl = http://$KOJI_WEB_FQDN/koji,g' /etc/koji.conf
# check if nfs has been installed on the hub (only need to install once)
if [[ -z $(dnf list installed | grep nfs-server) ]] ; then
# add nfs share for koji files direcory to hub
curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-server.sh > $SCRIPT_DIR/koji-deploy-nfs-server.sh
chmod o+x $SCRIPT_DIR/koji-deploy-nfs-server.sh
koji-deploy-nfs-server.sh $DEBUG
fi
# add web server to nfs exports line for /mnt/koji
sed -i '/^\/mnt\/koji/ s/$/ $KOJI_WEB_FQDN(ro,no_root_squash)/g' /etc/exports
# generate a hub ssh key if there isn't one already (for scp & ssh to web server)
if [ ! -f /root/.ssh/id-rsa ] ; then
# create a ssh key on build server
mkdir -p ~/.ssh
ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ""
fi
# copy the server key into authorized keys on the web server
ssh-copy-id -i ~/.ssh/id_rsa.pub $KOJI_WEB_FQDN
# find the IP of the web server
WEB_IP=$(ssh root@$KOJI_WEB_FQDN "hostname -I")
# add web server into allowed access to db
cat >> "$POSTGRES_DIR"/data/pg_hba.conf <<- EOF
host koji koji $WEB_IP/32 scram-sha-256
EOF
systemctl reload postgresql
# copy across the ssl keys
ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $KOJI_PKI_DIR/private
scp $QUIET $KOJI_PKI_DIR/kojiweb.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
scp $QUIET $KOJI_PKI_DIR/kojihub.pem root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
scp $QUIET $KOJI_PKI_DIR/private/kojihub.key root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/private/.
scp $QUIET $KOJI_PKI_DIR/koji_ca_cert.crt root@$KOJI_WEB_FQDN:$KOJI_PKI_DIR/.
# copy across the parameter files (we built them on the hub)
ssh $QUIET root@$KOJI_WEB_FQDN mkdir -p $SCRIPT_DIR
scp $QUIET $SCRIPT_DIR/koji-parameters.sh root@$KOJI_WEB_FQDN:$SCRIPT_DIR/koji-parameters.sh
# pull down the required scripts
ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-client.sh > $SCRIPT_DIR/koji-deploy-nfs-client.sh"
ssh $QUIET root@$KOJI_WEB_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-web.sh > $SCRIPT_DIR/koji-deploy-web.sh"
# make them executeable
ssh $QUIET root@$KOJI_WEB_FQDN "chmod o+x $SCRIPT_DIR/*"
# connect to nfs share
ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-nfs-client.sh $DEBUG
# ssh into the new web server to do the local configuration
ssh $QUIET root@$KOJI_WEB_FQDN $SCRIPT_DIR/koji-deploy-web.sh $KOJI_WEB_FQDN $DEBUG
exit 0
fi
# This is the local deploy part
if [[ $DEBUG ]] ; then echo "Deploying locally to $KOJI_WEB_FQDN" ; fi
# Install all the required packages (some live in the epel repo, so we may need to install that too)
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
dnf config-manager --set-enabled powertools $QUIET
dnf install -y epel-release $QUIET
fi
dnf install -y mod_ssl koji-web $QUIET
# install locally
# create secret
SECRET="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32)"
# create config files
mkdir -p /etc/kojiweb
cat > /etc/kojiweb/web.conf <<- EOF
[web]
SiteName = koji
KojiHubURL = $KOJI_URL/kojihub
KojiFilesURL = $KOJI_URL/kojifiles
WebCert = $KOJI_PKI_DIR/kojiweb.pem
ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt
KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt
LoginTimeout = 72
Secret = "$SECRET"
LibPath = /usr/share/koji-web/lib
LiteralFooter = True
EOF
if [[ ! -d /etc/httpd/conf.d ]] ; then mkdir -p /etc/httpd/conf.d ; fi
cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF
Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
<Directory "/usr/share/koji-web/scripts">
Options ExecCGI
SetHandler wsgi-script
Require all granted
</Directory>
Alias /koji-static "/usr/share/koji-web/static"
<Directory "/usr/share/koji-web/static">
Options None
AllowOverride None
Require all granted
</Directory>
<Location /koji/login>
SSLOptions +StdEnvVars
</Location>
EOF
# if NOT on the hub, setup the standard httpd settings
if [[ $KOJI_WEB_FQDN != $KOJI_HUB_FQDN ]] ; then
## Apache ssl Configuration File
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
ServerName $KOJI_WEB_FQDN
Listen 443 https
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth 10
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF
# SELinux changes to allow httpd network access
setsebool -P httpd_can_network_connect 1
mkdir -p /etc/httpd/conf.modules.d
cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
WSGISocketPrefix /run/httpd/wsgi
EOF
cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
EOF
# allow httpd access through firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
# enable and start the httpd service
systemctl enable --now httpd
else
# we need to restart the httpd service
systemctl restart httpd
fi