apache.conf.in: do not allow accelerated access to '_' projects

[girocco.git] / install.sh

#!/bin/sh
# The Girocco installation script
# We will OVERWRITE basedir!

set -e

if [ -z "$MAKE" ]; then
        echo "ERROR: MAKE not set" >&2
        echo "Please run install.sh using 'make install'" >&2
        echo "or set MAKE to the name of the GNU make executable" >&2
        exit 1
fi

# Run perl module checker
if [ ! -x toolbox/check-perl-modules.pl ]; then
        echo "ERROR: missing toolbox/check-perl-modules.pl!" >&2
        exit 1
fi
toolbox/check-perl-modules.pl

# What Config should we use?
[ -n "$GIROCCO_CONF" ] || GIROCCO_CONF=Girocco::Config
echo "*** Initializing using $GIROCCO_CONF..."

# First run Girocco::Config consistency checks
perl -I. -M$GIROCCO_CONF -e ''

. ./shlib.sh

owngroup=""
[ -z "$cfg_owning_group" ] || owngroup=":$cfg_owning_group"
if [ -n "$cfg_httpspushurl" -a -z "$cfg_certsdir" ]; then
        echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
        echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
        exit 1
fi


echo "*** Checking for compiled utilities..."
if [ ! -x src/can_user_push ]; then
        echo "ERROR: src/can_user_push is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/can_user_push_http ]; then
        echo "ERROR: src/can_user_push_http is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/getent ]; then
        echo "ERROR: src/getent is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/get_user_uuid ]; then
        echo "ERROR: src/get_user_uuid is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi
if [ ! -x src/peek_packet ]; then
        echo "ERROR: src/peek_packet is not built! Did you _REALLY_ read INSTALL?" >&2
        echo "ERROR: perhaps you forgot to run make?" >&2
        exit 1
fi


echo "*** Checking for ezcert..."
if [ ! -f ezcert.git/CACreateCert ]; then
        echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi


echo "*** Checking for git..."
if [ ! -x "$cfg_git_bin" ]; then
        echo "ERROR: $cfg_git_bin does not exist or is not executable" >&2
        exit 1
fi
if ! git_version="$("$cfg_git_bin" --version)"; then
        echo "ERROR: $cfg_git_bin --version failed" >&2
        exit 1
fi
case "$git_version" in
        "git version "*) :;;
        *)
                echo "ERROR: '$cfg_git_bin --version' output does not start with 'git version '" >&2
                exit 1
esac
case "$cfg_git_bin" in /*) :;; *)
        echo 'ERROR: $Girocco::Config::git_bin must be set to an absolute path' >&2
        exit 1
esac
if [ -n "$cfg_mirror" -a "$cfg_mirror" != 0 ] && grep -q ns_parserr "$cfg_git_bin"; then
        cat <<'EOT'

***
*** WARNING: $Girocco::Config:git_bin is set to a questionable Git binary
***

You appear to have enabled mirroring and the Git binary you have selected
appears to contain an experimental patch that cannot be disabled.  This
patch can generate invalid network DNS traffic and/or cause long delays
when fetching using the "git:" protocol when no port number is specified.
It may also end up retrieving repsitory contents from a host other than
the one specified in the "git:" URL when the port is omitted.

You are advised to either build your own version of Git (the problem patch
is not part of the official Git repository) or disable mirroring (via the
$Girocco::Config:mirror setting) to avoid these potential problems.

USE THE SELECTED GIT BINARY AT YOUR OWN RISK!

EOT
fi


chown_make() {
        if [ "$LOGNAME" = root -a -n "$SUDO_USER" -a "$SUDO_USER" != root ]; then
                find "$@" -user root -print0 2>/dev/null | \
                xargs $(: | xargs echo -r) -0 chown "$SUDO_USER:$(id -gn "$SUDO_USER")"
        elif [ "$LOGNAME" = root -a -z "$SUDO_USER" -o "$SUDO_USER" = root ]; then
                echo "*** WARNING: running make as root w/o sudo may leave root-owned: $*"
        fi
}

echo "*** Setting up basedir..."
"$MAKE" --no-print-directory --quiet apache.conf
chown_make apache.conf
"$MAKE" --no-print-directory --quiet -C src
chown_make src
rm -fr "$cfg_basedir"
mkdir -p "$cfg_basedir"
cp -pR Girocco jobd taskd gitweb html jobs toolbox hooks apache.conf shlib.sh bin screen "$cfg_basedir"
cp -p src/can_user_push src/can_user_push_http src/get_user_uuid src/peek_packet \
        ezcert.git/CACreateCert cgi/authrequired.cgi "$cfg_basedir/bin"
[ -n "$cfg_httpspushurl" ] || rm -f "$cfg_basedir"/html/rootcert.html "$cfg_basedir"/html/httpspush.html
[ -n "$cfg_mob" ] || rm -f "$cfg_basedir"/html/mob.html

# Put the correct Config in place
[ "$GIROCCO_CONF" = "Girocco::Config" ] || cp "$(echo "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')" "$cfg_basedir/Girocco/Config.pm"


echo "*** Preprocessing scripts..."
perl -I. -M$GIROCCO_CONF -i -p \
        -e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' \
        -e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
        -e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' \
        -e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
        -e 's/\@chroot\@/"$Girocco::Config::chroot"/g;' \
        -e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' \
        -e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
        -e 's/\@mob\@/"$Girocco::Config::mob"/g;' \
        -e 's/\@git_server_ua\@/"$Girocco::Config::git_server_ua"/g;' \
        -e 's/\@defined_git_server_ua\@/defined($Girocco::Config::git_server_ua)/ge;' \
        "$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
        "$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh \
        "$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
        "$cfg_basedir"/toolbox/*.sh "$cfg_basedir"/toolbox/*.pl \
        "$cfg_basedir"/toolbox/reports/*.sh \
        "$cfg_basedir"/bin/git-* \
        "$cfg_basedir"/bin/create-* "$cfg_basedir"/bin/update-* \
        "$cfg_basedir"/bin/authrequired.cgi "$cfg_basedir"/screen/*

# Dump all the cfg_ and defined_ variables to shlib_vars.sh
get_girocco_config_var_list > "$cfg_basedir"/shlib_vars.sh

if [ -n "$cfg_mirror" ]; then
        echo "--- Remember to start $cfg_basedir/taskd/taskd.pl"
fi
echo "--- Also remember to either start $cfg_basedir/jobd/jobd.sh, or add this"
echo "--- to the crontab of $cfg_mirror_user (adjust frequency on number of repos):"
echo "*/30 * * * * /usr/bin/nice -n 18 $cfg_basedir/jobd/jobd.sh -q --all-once"


echo "*** Setting up repository root..."
mkdir -p "$cfg_reporoot" "$cfg_reporoot-recyclebin"
if [ "$cfg_owning_group" ]; then
        chgrp "$cfg_owning_group" "$cfg_reporoot" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot"
        chgrp "$cfg_owning_group" "$cfg_reporoot-recyclebin" || echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot-recyclebin"
fi
chmod 02775 "$cfg_reporoot" || echo "WARNING: Cannot chmod $cfg_reporoot properly"
chmod 02775 "$cfg_reporoot-recyclebin" || echo "WARNING: Cannot chmod $cfg_reporoot-recyclebin properly"


if [ -n "$cfg_chrooted" ]; then
        echo "*** Setting up chroot jail for pushing..."
        if [ "$(id -u)" -eq 0 ]; then
                ./jailsetup.sh
        else
                echo "WARNING: Skipping jail setup, not root"
        fi
fi


echo "*** Setting up jail configuration (project database)..."
[ "$(id -u)" -eq 0 ] || ./jailsetup.sh dbonly
mkdir -p "$cfg_chroot" "$cfg_chroot/etc"
touch "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"
chown "$cfg_mirror_user""$owngroup" "$cfg_chroot/etc" ||
        echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_chroot/etc"
chown "$cfg_cgi_user""$owngroup" "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
        echo "WARNING: Cannot chown $cfg_cgi_user$owngroup the files"
chmod g+w "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
        echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
chmod 02775 "$cfg_chroot/etc" || echo "WARNING: Cannot chmod 02775 $cfg_chroot/etc"

echo "*** Setting up gitweb from git.git..."
if [ ! -f git.git/Makefile ]; then
        echo "ERROR: git.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_webroot" "$cfg_cgiroot"
(cd git.git && "$MAKE" --no-print-directory --quiet NO_SUBDIR=: bindir="$(dirname "$cfg_git_bin")" gitweb && \
        chown_make gitweb && \
        cp gitweb/gitweb.cgi "$cfg_cgiroot" && \
        cp gitweb/static/*.png gitweb/static/*.css gitweb/static/*.js "$cfg_webroot")


echo "*** Setting up git-browser from git-browser.git..."
if [ ! -f git-browser.git/git-browser.cgi ]; then
        echo "ERROR: git-browser.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_webroot"/git-browser "$cfg_cgiroot"
(cd git-browser.git && cp git-browser.cgi "$cfg_cgiroot" \
        && cp -r *.html *.js *.css js.lib JSON "$cfg_webroot"/git-browser)
rm -f "$cfg_webroot"/git-browser/index.html
ln -sf "$cfg_webroot/git-browser/JSON" "$cfg_cgiroot"
cat >"$cfg_cgiroot"/git-browser.conf <<EOT
gitbin: $cfg_git_bin
warehouse: $cfg_reporoot
EOT
cat >"$cfg_webroot"/git-browser/GitConfig.js <<EOT
cfg_gitweb_url="$cfg_gitweburl/"
cfg_browsercgi_url="$cfg_webadmurl/git-browser.cgi"
EOT


echo "*** Setting up darcs-fast-export from bzr-fastimport.git..."
if [ ! -d bzr-fastimport.git/exporters/darcs/ ]; then
        echo "ERROR: bzr-fastimport.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp bzr-fastimport.git/exporters/darcs/darcs-fast-export "$cfg_basedir"/bin


echo "*** Setting up hg-fast-export from fast-export.git..."
if [ ! -f fast-export.git/hg-fast-export.py -o ! -f fast-export.git/hg2git.py ]; then
        echo "ERROR: fast-export.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
        exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp fast-export.git/hg-fast-export.py fast-export.git/hg2git.py "$cfg_basedir"/bin


echo "*** Setting up our part of the website..."
mkdir -p "$cfg_webroot" "$cfg_cgiroot"
cp cgi/*.cgi gitweb/gitweb_config.perl "$cfg_cgiroot"
rm -f "$cfg_cgiroot"/authrequired.cgi
[ -z "$cfg_httpspushurl" ] || cp "$cfg_basedir"/bin/authrequired.cgi "$cfg_cgiroot"
[ -n "$cfg_httpspushurl" ] || rm -f "$cfg_cgiroot"/usercert.cgi
ln -fs "$cfg_basedir"/Girocco "$cfg_cgiroot"
[ -z "$cfg_webreporoot" ] || { rm -f "$cfg_webreporoot" && ln -s "$cfg_reporoot" "$cfg_webreporoot"; }
if [ -z "$cfg_httpspushurl" ]; then
        grep -v 'rootcert[.]html' gitweb/indextext.html > "$cfg_webroot/indextext.html"
else
        cp gitweb/indextext.html "$cfg_webroot"
fi
mv "$cfg_basedir"/html/*.css "$cfg_basedir"/html/*.js "$cfg_webroot"
cp mootools.js "$cfg_webroot"
cp htaccess "$cfg_webroot/.htaccess"
cp git-favicon.ico "$cfg_webroot/favicon.ico"
cp robots.txt "$cfg_webroot"
cat gitweb/gitweb.css >>"$cfg_webroot"/gitweb.css


if [ -n "$cfg_httpspushurl" ]; then
        echo "*** Setting up SSL certificates..."
        bits=2048
        if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
            bits="$cfg_rsakeylength"
        fi
        mkdir -p "$cfg_certsdir"
        [ -d "$cfg_certsdir" ]
        wwwcertcn=
        if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
                wwwcertcn="$( \
                        openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject | \
                        sed -e 's,[^/]*,,' \
                )"
        fi
        needroot=
        [ -e "$cfg_certsdir/girocco_client_crt.pem" -a \
        -e "$cfg_certsdir/girocco_client_key.pem" -a \
        -e "$cfg_certsdir/girocco_www_key.pem" -a \
        -e "$cfg_certsdir/girocco_www_crt.pem" -a "$wwwcertcn" = "/CN=$cfg_httpsdnsname" -a \
        -e "$cfg_certsdir/girocco_root_crt.pem" ] || needroot=1
        if [ -n "$needroot" -a ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
                rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
                openssl genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" $bits
                chmod 0600 "$cfg_certsdir/girocco_root_key.pem"
                rm -f "$cfg_certsdir/girocco_root_crt.pem"
                echo "Created new root key"
        fi
        if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
                ezcert.git/CACreateCert --root --key "$cfg_certsdir/girocco_root_key.pem" \
                        --out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
                rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
                rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
                rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
                rm -f "$cfg_chroot/etc/sshcerts"/*.pem
                echo "Created new root certificate"
        fi
        if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
                openssl genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" $bits
                chmod 0600 "$cfg_certsdir/girocco_www_key.pem"
                rm -f "$cfg_certsdir/girocco_www_crt.pem"
                echo "Created new www key"
        fi
        if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" -o "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ]; then
                openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
                ezcert.git/CACreateCert --server --key "$cfg_certsdir/girocco_root_key.pem" \
                        --cert "$cfg_certsdir/girocco_root_crt.pem" \
                        --out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
                echo "Created www certificate"
        fi
        if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
                cat "$cfg_certsdir/girocco_root_crt.pem" > "$cfg_certsdir/girocco_www_chain.pem"
                echo "Created www certificate chain file"
        fi
        if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
                openssl genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" $bits
                chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
                rm -f "$cfg_certsdir/girocco_client_crt.pem"
                echo "Created new client key"
        fi
        if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
                openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
                ezcert.git/CACreateCert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
                        --cert "$cfg_certsdir/girocco_root_crt.pem" \
                        --out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
                rm -f "$cfg_certsdir/girocco_client_suffix.pem"
                rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
                rm -f "$cfg_chroot/etc/sshcerts"/*.pem
                echo "Created client certificate"
        fi
        if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
                cat "$cfg_certsdir/girocco_client_crt.pem" > "$cfg_certsdir/girocco_client_suffix.pem"
                echo "Created client certificate suffix file"
        fi
        cat "$cfg_rootcert" > "$cfg_webroot/${cfg_nickname}_root_cert.pem"
        if [ -n "$cfg_mob" ]; then
                if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
                        openssl genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" $bits
                        chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
                        rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
                        echo "Created new mob user key"
                fi
                if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
                        openssl rsa -in "$cfg_mobuserkey" -pubout |
                        ezcert.git/CACreateCert --client --key "$cfg_clientkey" \
                                --cert "$cfg_clientcert" \
                                --out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
                        echo "Created mob user client certificate"
                fi
                cat "$cfg_mobuserkey" > "$cfg_webroot/${cfg_nickname}_mob_key.pem"
                cat "$cfg_mobusercert" "$cfg_clientcertsuffix" > "$cfg_webroot/${cfg_nickname}_mob_user.pem"
        else
                rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
        fi
else
        rm -f "$cfg_webroot/${cfg_nickname}_root_cert.pem"
        rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
fi


echo "*** Finalizing permissions..."
chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_basedir" "$cfg_webroot" "$cfg_cgiroot"
[ -z "$cfg_httpspushurl" ] || chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_certsdir"