smeserver-koji/koji-setup/koji-deploy-web.sh
2023-09-12 16:59:13 +10:00

144 lines
3.6 KiB
Bash

#!/bin/bash
# SPDX-License-Identifier: Apache-2.0
set -e
KOJI_WEB_FQDN=$1
DEBUG=
SILENT="-s"
QUIET="-q"
for param in $2 ; do
if [ $param ] ; then
case $param in
debug )
DEBUG="debug" ;;
esac
else
break
fi
done
if [ $DEBUG ] ; then
set -xe
SILENT=
QUIET="-v"
fi
# load required parameters
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then
echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting"
exit 1
fi
source "$SCRIPT_DIR"/koji-parameters.sh
# Install all the required packages (some live in the epel repo, so we may need to install that too)
if [[ -z $(dnf list installed | grep epel-release) ]] ; then
dnf config-manager --set-enabled powertools $QUIET
dnf install -y epel-release $QUIET
fi
dnf install -y mod_ssl koji-web $QUIET
# install locally
mkdir -p /etc/kojiweb
cat > /etc/kojiweb/web.conf <<- EOF
[web]
SiteName = koji
KojiHubURL = $KOJI_URL/kojihub
KojiFilesURL = $KOJI_URL/kojifiles
WebCert = $KOJI_PKI_DIR/kojiweb.pem
ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt
KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt
LoginTimeout = 72
Secret = NITRA_IS_NOT_CLEAR
LibPath = /usr/share/koji-web/lib
LiteralFooter = True
EOF
if [[ ! -d /etc/httpd/conf.d ]] ; then mkdir -p /etc/httpd/conf.d ; fi
cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF
Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
<Directory "/usr/share/koji-web/scripts">
Options ExecCGI
SetHandler wsgi-script
Require all granted
</Directory>
Alias /koji-static "/usr/share/koji-web/static"
<Directory "/usr/share/koji-web/static">
Options None
AllowOverride None
Require all granted
</Directory>
<Location /koji/login>
SSLOptions +StdEnvVars
</Location>
EOF
# if NOT on the hub, setup the standard httpd settings
if [[ ! $KOJI_WEB_FQDN = $KOJI_HUB_FQDN ]] ; then
## Apache ssl Configuration File
cat > /etc/httpd/conf.d/ssl.conf <<- EOF
ServerName $KOJI_WEB_FQDN
Listen 443 https
#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem
SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key
SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt
SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth 10
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF
# SELinux changes to allow httpd network access
setsebool -P httpd_can_network_connect 1
mkdir -p /etc/httpd/conf.modules.d
cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF
WSGISocketPrefix /run/httpd/wsgi
EOF
cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
EOF
# allow httpd access through firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
# enable and start the httpd service
systemctl enable --now httpd
else
# we need to restart the httpd service
systemctl restart httpd
fi