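#!/bin/sh
# The Girocco installation script
# We will OVERWRITE basedir!

set -e

# Locate GNU make unless the caller already supplied $MAKE.
# The repository Makefile answers "make -s gnu_make_command_name" with a
# "gnu_make_command_name=<name>" line; everything up to and including the
# '=' is stripped off.  (The pipeline's status is sed's, so a missing make
# only shows up as an empty $MAKE, which the next test catches.)
if [ -z "$MAKE" ]; then
	MAKE="$(make -s gnu_make_command_name | grep '^gnu_make_command_name=' | sed 's/^[^=]*=//')"
fi
if [ -z "$MAKE" ]; then
	echo "ERROR: cannot determine name of the GNU make command" >&2
	echo "Please set MAKE to the name of the GNU make executable" >&2
	exit 1
fi

# Run perl module checker
[ -x toolbox/check-perl-modules.pl ] || {
	echo "ERROR: missing toolbox/check-perl-modules.pl!" >&2
	exit 1
}
toolbox/check-perl-modules.pl

# What Config should we use?  (unset or empty both fall back to the default)
: "${GIROCCO_CONF:=Girocco::Config}"
echo "*** Initializing using $GIROCCO_CONF..."

# First run Girocco::Config consistency checks: merely loading the module
# performs them, so there is nothing for -e to run.  The module name is
# quoted like every other expansion in this script.
perl -I. -M"$GIROCCO_CONF" -e ''

# shlib.sh provides the cfg_* variables and helpers (vcmp, ...) used below
. ./shlib.sh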
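# Owner suffix for chown(1): ":group" when an owning group is configured,
# empty otherwise, so "$user$owngroup" is always a valid owner argument.
owngroup=""
[ -z "$cfg_owning_group" ] || owngroup=":$cfg_owning_group"

# HTTPS push needs somewhere to keep its certificates; stop here rather than
# fail half-way through the certificate setup further down.
# (Separate tests joined with && instead of test's obsolescent -a operator.)
if [ -n "$cfg_httpspushurl" ] && [ -z "$cfg_certsdir" ]; then
	echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
	echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
	exit 1
fi

# Check for extra required tools
# Config's xmllint_readme setting (when set and not "0") needs xmllint on $PATH
if [ -n "$cfg_xmllint_readme" ] && [ "$cfg_xmllint_readme" != "0" ] && ! command -v xmllint >/dev/null; then
	echo "ERROR: \$xmllint_readme set but xmllint not in \$PATH!" >&2
	exit 1
fi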
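echo "*** Checking for compiled utilities..."
# Every helper under src/ must already have been built by "make".  One loop
# instead of seven copies of the same test, so adding a utility is a
# one-word change and the messages cannot drift apart.
for util in can_user_push can_user_push_http getent get_user_uuid peek_packet rangecgi throttle; do
	if [ ! -x "src/$util" ]; then
		echo "ERROR: src/$util is not built! Did you _REALLY_ read INSTALL?" >&2
		echo "ERROR: perhaps you forgot to run make?" >&2
		exit 1
	fi
done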
echo "*** Checking for ezcert..."
# CACreateCert from the ezcert submodule is copied into $cfg_basedir/bin and
# used to issue the HTTPS certificates, so it has to be checked out now.
[ -f ezcert.git/CACreateCert ] || {
	echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
}
echo "*** Checking for git..."
# $Girocco::Config::git_bin must be an absolute path to an executable that
# identifies itself as Git when asked for its version.
case "$cfg_git_bin" in
	/*) ;;
	*)
		echo 'ERROR: $Girocco::Config::git_bin must be set to an absolute path' >&2
		exit 1
		;;
esac
[ -x "$cfg_git_bin" ] || {
	echo "ERROR: $cfg_git_bin does not exist or is not executable" >&2
	exit 1
}
git_version="$("$cfg_git_bin" version)" || {
	echo "ERROR: $cfg_git_bin version failed" >&2
	exit 1
}
case "$git_version" in
	[Gg]"it version "*) ;;
	*)
		echo "ERROR: '$cfg_git_bin version' output does not start with 'git version '" >&2
		exit 1
		;;
esac
echo "Found $cfg_git_bin $git_version"
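# Pull the dotted numeric part (e.g. 2.4.11) out of "git version ..."
git_vernum="$(echo "$git_version" | sed -ne 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')"
echo "*** Checking Git $git_vernum for compatibility..."
# vcmp comes from shlib.sh; its output is compared numerically against 0 the
# way a strcmp-style result would be.  1.6.6 is the hard minimum and the
# 2.2.0 .. 2.3.1 range is refused outright; everything else only warns.
if [ "$(vcmp "$git_vernum" 1.6.6)" -lt 0 ]; then
	# fatal, so it goes to stderr like every other ERROR in this script
	echo 'ERROR: $Girocco::Config::git_bin must be at least Git version 1.6.6' >&2
	exit 1
fi
if [ "$(vcmp "$git_vernum" 1.6.6.3)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.6.6.3, clients will not see useful error messages'
fi
if [ "$(vcmp "$git_vernum" 1.7.3)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.7.3, some Girocco functionality will be disabled'
fi
# separate tests joined with && replace test's obsolescent -a operator below
if [ -n "$cfg_mirror" ] && [ "$(vcmp "$git_vernum" 1.7.5)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.7.5 and mirroring enabled, some sources can cause an infinite fetch loop'
fi
if [ "$(vcmp "$git_vernum" 1.7.6.6)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.7.6.6, performance may be degraded'
fi
if [ "$(uname -m 2>/dev/null)" = "x86_64" ] && [ "$(vcmp "$git_vernum" 1.7.11)" -ge 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 1.7.11 and x86_64, make sure Git built WITHOUT XDL_FAST_HASH'
	echo 'WARNING: See http://thread.gmane.org/gmane.comp.version-control.git/261638 for details'
fi
if [ "$(vcmp "$git_vernum" 1.8.4.2)" -ge 0 ] && [ -n "$cfg_mirror" ] && [ "$(vcmp "$git_vernum" 2)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, git-daemon needs write access for shallow clones'
	echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, shallow clones will leave repository turds'
fi
if [ "$(vcmp "$git_vernum" 1.8.4.3)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.8.4.3, clients will not receive symref=HEAD:refs/heads/...'
fi
if [ "$(vcmp "$git_vernum" 2.1)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 2.1.0, pack bitmaps will not be available'
fi
if [ "$(vcmp "$git_vernum" 2.1)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.1.3)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 2.1.0 and < 2.1.3, pack bitmaps may not be reliable, please upgrade to at least Git version 2.1.3'
fi
if [ "$(vcmp "$git_vernum" 2.2)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.3.2)" -lt 0 ]; then
	cat <<'EOT'


*** ERROR: $Girocco::Config::git_bin is set to an incompatible version of Git


Git versions starting with 2.2.0 and continuing up through 2.3.1 are incompatible
with Girocco due to various unresolved issues. Please either downgrade to 2.1.4
or earlier or, more preferred, upgrade to 2.3.2 (ideally 2.4.11) or later.

In order to bypass this check you will have to modify install.sh in which case
USE THE SELECTED GIT BINARY AT YOUR OWN RISK!

EOT
	exit 1
fi
if [ "$(vcmp "$git_vernum" 2.3.3)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 2.3.3, performance will be sub-optimal'
fi
if [ "$(vcmp "$git_vernum" 2.4.4)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 2.4.4, many refs smart HTTP fetches can deadlock'
fi
if [ "$(vcmp "$git_vernum" 2.4.11)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version < 2.4.11, security issues exist'
	cat <<'EOT'


*** IMPORTANT: $Girocco::Config::git_bin is set to a version of Git prior to 2.4.11


Besides the security fixes included in 2.4.11, versions prior to 2.2.0
may accidentally prune unreachable loose objects earlier than intended.
Since Git version 2.4.11 is the minimum version to include all security
fixes to date, it should be considered the absolute minimum version of
Git to use when running Girocco.

This is not enforced, but Git is easy to build from the git.git submodule
and upgrading to GIT VERSION 2.4.11 OR LATER IS HIGHLY RECOMMENDED.

EOT
fi
if [ "$(vcmp "$git_vernum" 2.5)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.5.5)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 2.5.0 and < 2.5.5, security issues exist'
fi
if [ "$(vcmp "$git_vernum" 2.6)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.6.6)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 2.6.0 and < 2.6.6, security issues exist'
fi
if [ "$(vcmp "$git_vernum" 2.7)" -ge 0 ] && [ "$(vcmp "$git_vernum" 2.7.4)" -lt 0 ]; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 2.7.0 and < 2.7.4, security issues exist'
fi
# Heuristic: a git binary containing the ns_parserr symbol name was built with
# the unofficial DNS patch described in the text below.  Only relevant when
# mirroring is enabled (set and not "0").
if [ -n "$cfg_mirror" ] && [ "$cfg_mirror" != 0 ] && grep -q ns_parserr "$cfg_git_bin"; then
	cat <<'EOT'


*** WARNING: $Girocco::Config::git_bin is set to a questionable Git binary


You appear to have enabled mirroring and the Git binary you have selected
appears to contain an experimental patch that cannot be disabled. This
patch can generate invalid network DNS traffic and/or cause long delays
when fetching using the "git:" protocol when no port number is specified.
It may also end up retrieving repsitory contents from a host other than
the one specified in the "git:" URL when the port is omitted.

You are advised to either build your own version of Git (the problem patch
is not part of the official Git repository) or disable mirroring (via the
$Girocco::Config:mirror setting) to avoid these potential problems.

USE THE SELECTED GIT BINARY AT YOUR OWN RISK!

EOT
fi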
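#######################################
# Hand files created by a root "make" back to the invoking sudo user.
# When install.sh runs via sudo, anything make just built is root-owned;
# give it to $SUDO_USER and that user's primary group.  When it runs as
# plain root (no sudo, or sudo from root) there is nobody to hand it to,
# so only warn.  Anything else is a no-op.
# Globals:   LOGNAME, SUDO_USER (read)
# Arguments: paths to fix up, passed straight to find(1)
# Outputs:   a warning line on stdout in the plain-root case
# Returns:   find/chown status in the sudo case, 0 otherwise
#######################################
chown_make() {
	if [ "$LOGNAME" = root ] && [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != root ]; then
		# -exec ... {} + replaces "| xargs -0 chown": when no root-owned file
		# is left (e.g. a rerun that rebuilt nothing) GNU xargs still runs
		# chown once with no operands, which fails and trips set -e.  With
		# -exec nothing is run for an empty match, and find's own
		# diagnostics are no longer hidden.
		find "$@" -user root -exec chown "$SUDO_USER:$(id -gn "$SUDO_USER")" '{}' +
	elif { [ "$LOGNAME" = root ] && [ -z "$SUDO_USER" ]; } || [ "$SUDO_USER" = root ]; then
		# same grouping as the old "-a ... -o ..." (-a binds tighter than -o)
		echo "*** WARNING: running make as root w/o sudo may leave root-owned: $*"
	fi
}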
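echo "*** Setting up basedir..."
"$MAKE" --no-print-directory --silent apache.conf
chown_make apache.conf
"$MAKE" --no-print-directory --silent -C src
chown_make src
# The basedir is replaced wholesale (see the header comment).  ${var:?...}
# aborts with a message if basedir is unset or empty instead of handing
# "rm -fr" a bogus argument, and "--" keeps an odd value from being parsed
# as an option.
rm -fr -- "${cfg_basedir:?cfg_basedir is not set}"
mkdir -p "$cfg_basedir" "$cfg_basedir/gitweb"
cp -pR Girocco jobd taskd html jobs toolbox hooks apache.conf shlib.sh bin screen "$cfg_basedir"
cp -p src/can_user_push src/can_user_push_http src/get_user_uuid src/peek_packet src/rangecgi \
	src/throttle ezcert.git/CACreateCert cgi/authrequired.cgi cgi/snapshot.cgi "$cfg_basedir/bin"
cp -p gitweb/*.sh gitweb/*.perl "$cfg_basedir/gitweb"
# Pages that only apply to HTTPS push / the mob user are dropped otherwise
[ -n "$cfg_httpspushurl" ] || rm -f "$cfg_basedir"/html/rootcert.html "$cfg_basedir"/html/httpspush.html
[ -n "$cfg_mob" ] || rm -f "$cfg_basedir"/html/mob.html

# Put the correct Config in place
# A non-default GIROCCO_CONF (Girocco::Foo lives in Girocco/Foo.pm) is
# installed under the canonical Girocco/Config.pm name.
[ "$GIROCCO_CONF" = "Girocco::Config" ] || cp "$(echo "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')" "$cfg_basedir/Girocco/Config.pm"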
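echo "*** Preprocessing scripts..."
# Replace the @placeholder@ tokens in the installed copies with values from
# the selected Config module.  @basedir@ gets double quotes added unless it
# already sits inside a double-quoted string (the look-behind checks for a
# preceding '"'); @defined_git_server_ua@ becomes the result of perl's
# defined() for git_server_ua.  All substitutions are kept in one script
# (single-quoted, so nothing is expanded by the shell) instead of ten -e
# options; perl joins multiple -e with newlines, so this is equivalent.
girocco_pp_script='
s/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;
s/(?<=")\@basedir\@/$Girocco::Config::basedir/g;
s/\@reporoot\@/"$Girocco::Config::reporoot"/g;
s/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;
s/\@chroot\@/"$Girocco::Config::chroot"/g;
s/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;
s/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;
s/\@mob\@/"$Girocco::Config::mob"/g;
s/\@git_server_ua\@/"$Girocco::Config::git_server_ua"/g;
s/\@defined_git_server_ua\@/defined($Girocco::Config::git_server_ua)/ge;
'
perl -I. -M"$GIROCCO_CONF" -i -p -e "$girocco_pp_script" \
	"$cfg_basedir"/jobs/*.sh "$cfg_basedir"/jobd/*.sh \
	"$cfg_basedir"/taskd/*.sh "$cfg_basedir"/gitweb/*.sh \
	"$cfg_basedir"/shlib.sh "$cfg_basedir"/hooks/* \
	"$cfg_basedir"/toolbox/*.sh "$cfg_basedir"/toolbox/*.pl \
	"$cfg_basedir"/toolbox/reports/*.sh \
	"$cfg_basedir"/bin/git-* "$cfg_basedir"/bin/*.sh \
	"$cfg_basedir"/bin/create-* "$cfg_basedir"/bin/update-* \
	"$cfg_basedir"/bin/*.cgi "$cfg_basedir"/screen/*

# Dump all the cfg_ and defined_ variables to shlib_vars.sh
# (get_girocco_config_var_list is provided by shlib.sh)
get_girocco_config_var_list > "$cfg_basedir"/shlib_vars.sh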
# Reminders for the admin: taskd only matters when mirroring is enabled,
# the jobd reminder always applies.
[ -z "$cfg_mirror" ] || echo "--- Remember to start $cfg_basedir/taskd/taskd.pl"
echo "--- Also remember to either start $cfg_basedir/jobd/jobd.sh, or add this"
echo "--- to the crontab of $cfg_mirror_user (adjust frequency on number of repos):"
echo "*/30 * * * * /usr/bin/nice -n 18 $cfg_basedir/jobd/jobd.sh -q --all-once"

echo "*** Setting up repository root..."
mkdir -p "$cfg_reporoot" "$cfg_reporoot/_recyclebin"
# Group ownership is best effort: a failed chgrp/chmod only warns.
if [ -n "$cfg_owning_group" ]; then
	for repodir in "$cfg_reporoot" "$cfg_reporoot/_recyclebin"; do
		chgrp "$cfg_owning_group" "$repodir" || echo "WARNING: Cannot chgrp $cfg_owning_group $repodir"
	done
fi
# 02775: group-writable with the setgid bit so new entries inherit the group
chmod 02775 "$cfg_reporoot" || echo "WARNING: Cannot chmod $cfg_reporoot properly"
chmod 02775 "$cfg_reporoot/_recyclebin" || echo "WARNING: Cannot chmod $cfg_reporoot/_recyclebin properly"
if [ -n "$cfg_chrooted" ]; then
	echo "*** Setting up chroot jail for pushing..."
	# Building the jail is jailsetup.sh's job and needs root; otherwise
	# just say that it was skipped.
	if [ "$(id -u)" -ne 0 ]; then
		echo "WARNING: Skipping jail setup, not root"
	else
		./jailsetup.sh
	fi
fi
echo "*** Setting up jail configuration (project database)..."
# Not running as root: have jailsetup.sh build just its "dbonly" part.
if [ "$(id -u)" -ne 0 ]; then
	./jailsetup.sh dbonly
fi
# $cfg_chroot/etc/{passwd,group} are created empty if missing and made
# writable by the cgi user; ownership/mode problems only warn.
mkdir -p "$cfg_chroot" "$cfg_chroot/etc"
touch "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"
if ! chown "$cfg_mirror_user""$owngroup" "$cfg_chroot/etc"; then
	echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_chroot/etc"
fi
if ! chown "$cfg_cgi_user""$owngroup" "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"; then
	echo "WARNING: Cannot chown $cfg_cgi_user$owngroup the files"
fi
if ! chmod g+w "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"; then
	echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
fi
chmod 02775 "$cfg_chroot/etc" || echo "WARNING: Cannot chmod 02775 $cfg_chroot/etc"
echo "*** Setting up gitweb from git.git..."
if [ ! -f git.git/Makefile ]; then
	echo "ERROR: git.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$cfg_webroot" "$cfg_cgiroot"
# Build gitweb inside the git.git submodule and install it as one CGI.
# The subshell keeps the cd local; "set -e" inside it makes the first
# failing step abort the subshell just as the former && chain did, and the
# parent's set -e then aborts the install.
(
	set -e
	cd git.git
	"$MAKE" --no-print-directory --silent NO_SUBDIR=: bindir="$(dirname "$cfg_git_bin")" \
		GITWEB_CONFIG="$cfg_basedir/gitweb/gitweb_config.perl" gitweb
	chown_make gitweb
	# written under a temporary name first so a half-copied gitweb.cgi is
	# never live; the perl expression comments out any "use warnings;" line
	tmpcgi="$cfg_cgiroot"/gitweb.cgi.$$
	perl -pe 's/^(\s*use\s+warnings\s*;.*)$/#$1/' gitweb/gitweb.cgi > "$tmpcgi"
	chmod a+x "$tmpcgi"
	chown_make "$tmpcgi"
	mv -f "$tmpcgi" "$cfg_cgiroot"/gitweb.cgi
	cp gitweb/static/*.png gitweb/static/*.css gitweb/static/*.js "$cfg_webroot"
)
echo "*** Setting up git-browser from git-browser.git..."
if [ ! -f git-browser.git/git-browser.cgi ]; then
	echo "ERROR: git-browser.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$cfg_webroot"/git-browser "$cfg_cgiroot"
# git-browser.cgi refers to its config as the literal "git-browser.conf";
# the perl one-liner rewrites that to our path, handed in via $CFG so the
# path never has to be escaped inside the regex.  Same subshell/temporary
# file pattern as the gitweb install above.
(
	set -e
	cd git-browser.git
	tmpcgi="$cfg_cgiroot"/git-browser.cgi.$$
	CFG="$cfg_basedir/gitweb/git-browser.conf" perl -pe \
		's/"git-browser\.conf"/"$ENV{"CFG"}"/' git-browser.cgi > "$tmpcgi"
	chmod a+x "$tmpcgi"
	chown_make "$tmpcgi"
	mv -f "$tmpcgi" "$cfg_cgiroot"/git-browser.cgi
	cp -r *.html *.js *.css js.lib "$cfg_webroot"/git-browser
	cp -r JSON "$cfg_cgiroot"
)
rm -f "$cfg_webroot"/git-browser/index.html
# Both generated config files are written to a temporary name and renamed
# into place; printf '%s' emits the values verbatim, as the heredocs did.
gb_conf="$cfg_basedir/gitweb"/git-browser.conf
printf 'gitbin: %s\nwarehouse: %s\n' "$cfg_git_bin" "$cfg_reporoot" > "$gb_conf.$$"
chown_make "$gb_conf.$$"
mv -f "$gb_conf.$$" "$gb_conf"
gb_jsconf="$cfg_webroot"/git-browser/GitConfig.js
printf 'cfg_gitweb_url="%s/"\ncfg_browsercgi_url="%s/git-browser.cgi"\n' \
	"$cfg_gitweburl" "$cfg_webadmurl" > "$gb_jsconf.$$"
chown_make "$gb_jsconf.$$"
mv -f "$gb_jsconf.$$" "$gb_jsconf"
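echo "*** Setting up darcs-fast-export from bzr-fastimport.git..."
if [ ! -d bzr-fastimport.git/exporters/darcs/ ]; then
	echo "ERROR: bzr-fastimport.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp bzr-fastimport.git/exporters/darcs/darcs-fast-export "$cfg_basedir"/bin

echo "*** Setting up hg-fast-export from fast-export.git..."
# two separate tests instead of test's obsolescent -o operator
if [ ! -f fast-export.git/hg-fast-export.py ] || [ ! -f fast-export.git/hg2git.py ]; then
	echo "ERROR: fast-export.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp fast-export.git/hg-fast-export.py fast-export.git/hg2git.py "$cfg_basedir"/bin

echo "*** Setting up markdown from markdown.git..."
if [ ! -f markdown.git/Markdown.pl ]; then
	echo "ERROR: markdown.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$cfg_basedir"/bin
cp markdown.git/Markdown.pl "$cfg_basedir"/bin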
echo "*** Setting up our part of the website..."
mkdir -p "$cfg_webroot" "$cfg_cgiroot"
cp cgi/*.cgi "$cfg_cgiroot"
cp "$cfg_basedir"/bin/snapshot.cgi "$cfg_cgiroot"
# authrequired.cgi and usercert.cgi are only installed for HTTPS push setups
rm -f "$cfg_cgiroot"/authrequired.cgi
if [ -n "$cfg_httpspushurl" ]; then
	cp "$cfg_basedir"/bin/authrequired.cgi "$cfg_cgiroot"
else
	rm -f "$cfg_cgiroot"/usercert.cgi
fi
ln -fs "$cfg_basedir"/Girocco "$cfg_cgiroot"
if [ -n "$cfg_webreporoot" ]; then
	rm -f "$cfg_webreporoot" && ln -s "$cfg_reporoot" "$cfg_webreporoot"
fi
# Without HTTPS push the index text must not link to rootcert.html
if [ -n "$cfg_httpspushurl" ]; then
	cp gitweb/indextext.html "$cfg_basedir/gitweb"
else
	grep -v 'rootcert[.]html' gitweb/indextext.html > "$cfg_basedir/gitweb/indextext.html"
fi
mv "$cfg_basedir"/html/*.css "$cfg_basedir"/html/*.js "$cfg_webroot"
cp mootools.js "$cfg_webroot"
cp htaccess "$cfg_webroot/.htaccess"
cp cgi/htaccess "$cfg_cgiroot/.htaccess"
cp git-favicon.ico "$cfg_webroot/favicon.ico"
cp robots.txt "$cfg_webroot"
# appended: gitweb.css was just moved in from html/ above
cat gitweb/gitweb.css >>"$cfg_webroot"/gitweb.css
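if [ -n "$cfg_httpspushurl" ]; then
	echo "*** Setting up SSL certificates..."
	# RSA key size: 2048 unless Config asks for more.  A non-numeric
	# $cfg_rsakeylength makes test complain (silenced) and is ignored.
	bits=2048
	if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
		bits="$cfg_rsakeylength"
	fi
	mkdir -p "$cfg_certsdir"
	[ -d "$cfg_certsdir" ] || {
		echo "ERROR: cannot create certificate directory $cfg_certsdir" >&2
		exit 1
	}

	# Generate an RSA private key at $1 and leave it with mode $2.
	# The umask in the subshell means the key file is never readable by
	# others between its creation and the chmod, whatever the admin's umask.
	install_gen_rsa_key() {
		(umask 077 && openssl genrsa -f4 -out "$1" "$bits") &&
		chmod "$2" "$1"
	}

	# CN of the existing www certificate, as "/CN=name", or empty.
	# -nameopt compat pins the legacy "subject= /CN=..." layout that the sed
	# (strip everything before the first '/') and the "/CN=..." comparisons
	# below rely on; newer OpenSSL releases print a different default layout,
	# which would make the compare fail and regenerate the www certificate
	# on every run.
	wwwcertcn=
	if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
		wwwcertcn="$(
			openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject -nameopt compat |
			sed -e 's,[^/]*,,'
		)"
	fi
	# Subject alternative names: one "--dns NAME" pair per whitespace
	# separated entry of $cfg_wwwcertaltnames.  Word splitting is intended;
	# set -f keeps a wildcard name such as *.example.com from being matched
	# against files in the current directory.
	wwwcertdns=
	set -f
	for dnsopt in $cfg_wwwcertaltnames; do
		wwwcertdns="${wwwcertdns:+$wwwcertdns }--dns $dnsopt"
	done
	set +f
	# The SAN list the current www certificate was issued with, if recorded
	wwwcertdnsfile=
	if [ -r "$cfg_certsdir/girocco_www_crt.dns" ]; then
		wwwcertdnsfile="$(cat "$cfg_certsdir/girocco_www_crt.dns")"
	fi
	# A root key is only generated when part of the chain is missing or the
	# www certificate's CN no longer matches AND no root key exists yet; an
	# existing root key is never replaced.
	needroot=
	[ -e "$cfg_certsdir/girocco_client_crt.pem" ] &&
	[ -e "$cfg_certsdir/girocco_client_key.pem" ] &&
	[ -e "$cfg_certsdir/girocco_www_key.pem" ] &&
	[ -e "$cfg_certsdir/girocco_www_crt.pem" ] &&
	[ "$wwwcertcn" = "/CN=$cfg_httpsdnsname" ] &&
	[ -e "$cfg_certsdir/girocco_root_crt.pem" ] ||
	needroot=1
	if [ -n "$needroot" ] && [ ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
		rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
		install_gen_rsa_key "$cfg_certsdir/girocco_root_key.pem" 0600
		echo "Created new root key"
	fi
	if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
		ezcert.git/CACreateCert --root --key "$cfg_certsdir/girocco_root_key.pem" \
			--out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
		# everything issued under the previous root is now worthless
		rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
		rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
		echo "Created new root certificate"
	fi
	if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
		install_gen_rsa_key "$cfg_certsdir/girocco_www_key.pem" 0600
		rm -f "$cfg_certsdir/girocco_www_crt.pem"
		echo "Created new www key"
	fi
	# Re-issue the www certificate when it is missing, its CN no longer
	# matches $cfg_httpsdnsname, or the SAN list differs from the recorded one
	if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" ] ||
	   [ "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ] || [ "$wwwcertdns" != "$wwwcertdnsfile" ]; then
		# $wwwcertdns is deliberately unquoted: it carries separate
		# "--dns NAME" words that CACreateCert must receive as distinct
		# arguments; set -f again guards wildcard names against globbing
		set -f
		openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
		ezcert.git/CACreateCert --server --key "$cfg_certsdir/girocco_root_key.pem" \
			--cert "$cfg_certsdir/girocco_root_crt.pem" $wwwcertdns \
			--out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
		set +f
		printf '%s\n' "$wwwcertdns" > "$cfg_certsdir/girocco_www_crt.dns"
		echo "Created www certificate"
	fi
	if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
		cat "$cfg_certsdir/girocco_root_crt.pem" > "$cfg_certsdir/girocco_www_chain.pem"
		echo "Created www certificate chain file"
	fi
	if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
		install_gen_rsa_key "$cfg_certsdir/girocco_client_key.pem" 0640
		rm -f "$cfg_certsdir/girocco_client_crt.pem"
		echo "Created new client key"
	fi
	if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
		openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
		ezcert.git/CACreateCert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
			--cert "$cfg_certsdir/girocco_root_crt.pem" \
			--out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
		rm -f "$cfg_certsdir/girocco_client_suffix.pem"
		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
		echo "Created client certificate"
	fi
	if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
		cat "$cfg_certsdir/girocco_client_crt.pem" > "$cfg_certsdir/girocco_client_suffix.pem"
		echo "Created client certificate suffix file"
	fi
	cat "$cfg_rootcert" > "$cfg_webroot/${cfg_nickname}_root_cert.pem"
	if [ -n "$cfg_mob" ]; then
		if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
			# The chmod here used to name girocco_client_key.pem (a copy and
			# paste slip), leaving the freshly generated mob key at the umask
			# default; it now applies to the key that was just created.  The
			# mob key is published from the webroot below anyway, so this is
			# about consistency rather than secrecy.
			install_gen_rsa_key "$cfg_certsdir/girocco_mob_user_key.pem" 0640
			rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
			echo "Created new mob user key"
		fi
		if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
			# $cfg_mobuserkey, $cfg_clientkey, $cfg_clientcert: presumably the
			# shlib.sh names for the files handled above -- verify there
			openssl rsa -in "$cfg_mobuserkey" -pubout |
			ezcert.git/CACreateCert --client --key "$cfg_clientkey" \
				--cert "$cfg_clientcert" \
				--out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
			echo "Created mob user client certificate"
		fi
		cat "$cfg_mobuserkey" > "$cfg_webroot/${cfg_nickname}_mob_key.pem"
		cat "$cfg_mobusercert" "$cfg_clientcertsuffix" > "$cfg_webroot/${cfg_nickname}_mob_user.pem"
	else
		rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
	fi
else
	# No HTTPS push: make sure no stale public copies linger in the webroot
	rm -f "$cfg_webroot/${cfg_nickname}_root_cert.pem"
	rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
fi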
echo "*** Finalizing permissions..."
# Everything installed ends up owned by the mirror user (plus the owning
# group, when configured); -h changes symlinks themselves rather than
# whatever they point at.
final_owner="$cfg_mirror_user$owngroup"
chown -R -h "$final_owner" "$cfg_basedir" "$cfg_webroot" "$cfg_cgiroot"
if [ -n "$cfg_httpspushurl" ]; then
	chown -R -h "$final_owner" "$cfg_certsdir"
fi