mirror of
https://src.koozali.org/infra/smeserver-koji.git
synced 2024-11-22 09:37:28 +01:00
136 lines
3.3 KiB
Bash
136 lines
3.3 KiB
Bash
#!/bin/bash
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
set -e
|
|
KOJI_WEB_FQDN=$1
|
|
DEBUG=
|
|
SILENT="-s"
|
|
QUIET="-q"
|
|
for param in $2 ; do
|
|
if [ $param ] ; then
|
|
case $param in
|
|
debug )
|
|
DEBUG="debug" ;;
|
|
esac
|
|
else
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ $DEBUG ] ; then
|
|
set -xe
|
|
SILENT=
|
|
QUIET="-v"
|
|
fi
|
|
|
|
# load required parameters
|
|
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
|
|
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
|
|
echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
|
|
exit 1
|
|
fi
|
|
source "$SCRIPT_DIR"/koji-parameters.sh
|
|
|
|
# Install all the required packages (some live in the epel repo, so we may need to install that too)
|
|
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
|
|
dnf config-manager --set-enabled powertools $QUIET
|
|
dnf install -y epel-release $QUIET
|
|
fi
|
|
dnf install -y mod_ssl koji-web $QUIET
|
|
|
|
# install locally
|
|
mkdir -p /etc/kojiweb
|
|
cat > /etc/kojiweb/web.conf <<- EOF
|
|
[web]
|
|
SiteName = koji
|
|
KojiHubURL = $KOJI_URL/kojihub
|
|
KojiFilesURL = $KOJI_URL/kojifiles
|
|
WebCert = $KOJI_PKI_DIR/kojiweb.pem
|
|
ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
LoginTimeout = 72
|
|
Secret = NITRA_IS_NOT_CLEAR
|
|
LibPath = /usr/share/koji-web/lib
|
|
LiteralFooter = True
|
|
EOF
|
|
|
|
mkdir -p /etc/httpd/conf.d
|
|
cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF
|
|
Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
|
|
<Directory "/usr/share/koji-web/scripts">
|
|
Options ExecCGI
|
|
SetHandler wsgi-script
|
|
Require all granted
|
|
</Directory>
|
|
Alias /koji-static "/usr/share/koji-web/static"
|
|
<Directory "/usr/share/koji-web/static">
|
|
Options None
|
|
AllowOverride None
|
|
Require all granted
|
|
</Directory>
|
|
<Location /koji/login>
|
|
SSLOptions +StdEnvVars
|
|
</Location>
|
|
EOF
|
|
|
|
# SELinux changes to allow httpd network access
|
|
setsebool -P httpd_can_network_connect 1
|
|
|
|
## Apache Configuration Files
|
|
mkdir -p /etc/httpd/conf.d
|
|
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
|
|
ServerName $KOJI_WEB_FQDN
|
|
|
|
Listen 443 https
|
|
|
|
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
|
|
|
|
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
|
|
|
|
SSLRandomSeed startup file:/dev/urandom 256
|
|
SSLRandomSeed connect builtin
|
|
|
|
<VirtualHost _default_:443>
|
|
ErrorLog /var/log/httpd/ssl_error_log
|
|
TransferLog /var/log/httpd/ssl_access_log
|
|
LogLevel warn
|
|
|
|
SSLEngine on
|
|
SSLHonorCipherOrder on
|
|
SSLCipherSuite PROFILE=SYSTEM
|
|
SSLProxyCipherSuite PROFILE=SYSTEM
|
|
|
|
SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
|
|
SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
|
|
SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
|
|
SSLVerifyClient require
|
|
SSLVerifyDepth 10
|
|
|
|
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
|
|
SSLOptions +StdEnvVars
|
|
</FilesMatch>
|
|
<Directory "/var/www/cgi-bin">
|
|
SSLOptions +StdEnvVars
|
|
</Directory>
|
|
|
|
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
|
|
</VirtualHost>
|
|
EOF
|
|
|
|
mkdir -p /etc/httpd/conf.modules.d
|
|
cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
|
|
WSGISocketPrefix /run/httpd/wsgi
|
|
EOF
|
|
cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
|
|
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
|
|
EOF
|
|
|
|
# allow httpd access through firewall
|
|
firewall-cmd --permanent --add-service=http
|
|
firewall-cmd --permanent --add-service=https
|
|
firewall-cmd --reload
|
|
|
|
# enable and start the httpd service
|
|
systemctl enable --now httpd
|