1 #!/bin/sh
2 # The Girocco installation script
3 # We will OVERWRITE basedir!
set -e

# Work out the name of the GNU make executable unless the caller already
# supplied one in $MAKE; the answer comes from the gnu_make_command_name
# target of the local makefile.
if [ -z "$MAKE" ]; then
	MAKE="$(MAKEFLAGS= make -s gnu_make_command_name |
		grep '^gnu_make_command_name=' |
		sed 's/^[^=]*=//')"
fi
if [ -z "$MAKE" ]; then
	echo "ERROR: cannot determine name of the GNU make command" >&2
	echo "Please set MAKE to the name of the GNU make executable" >&2
	exit 1
fi

# The Perl module checker has to be a regular, executable file before we
# go any further (it is run once shlib.sh has told us which perl to use).
if ! { [ -f toolbox/check-perl-modules.pl ] && [ -x toolbox/check-perl-modules.pl ]; }; then
	echo "ERROR: missing toolbox/check-perl-modules.pl!" >&2
	exit 1
fi
# Select the configuration module; Girocco::Config is used when the caller
# did not export GIROCCO_CONF (or exported it empty).
: "${GIROCCO_CONF:=Girocco::Config}"
echo "*** Initializing using $GIROCCO_CONF..."

# Loading the module runs its consistency checks.  -I. makes perl resolve the
# module relative to the current directory, so the installer must be started
# from the source checkout.
perl -I. -M$GIROCCO_CONF -e ''

# shlib.sh provides the cfg_* / var_* settings and helpers used below.
. ./shlib.sh
umask 0022
"$var_perl_bin" toolbox/check-perl-modules.pl
# Config.pm has already insisted that $cfg_reporoot is an absolute path.
# On top of that it must not contain ':' or ';' because either character
# would be misread as a separator when the path is placed in
# GIT_ALTERNATE_OBJECT_DIRECTORIES.
probch=':;'
case "$cfg_reporoot" in
	*[$probch]*)
		echo "fatal: \$Girocco::Config::reporoot may not contain ':' or ';' characters" >&2
		exit 1
esac
40 # $1 must exist and be a dir
41 # $2 may exist but must be a dir
42 # $3 must not exist
43 # After call $2 will be renamed to $3 (if $2 existed)
44 # And $1 will be renamed to $2
quick_move() {
	# Swap a freshly prepared directory into place.
	#   $1  new directory, must exist
	#   $2  live location, may exist but then must be a directory
	#   $3  parking name for the previous $2, must not exist
	# Any violated precondition or failed rename terminates the script
	# (exit 1), not just the function.
	if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
		echo "fatal: quick_move: bad args: '$1' '$2' '$3'" >&2
		exit 1
	fi
	if [ -e "$3" ]; then
		echo "fatal: quick_move: already exists: $3" >&2
		exit 1
	fi
	if ! [ -d "$1" ]; then
		echo "fatal: quick_move: no such dir: $1" >&2
		exit 1
	fi
	if [ -e "$2" ] && ! [ -d "$2" ]; then
		echo "fatal: quick_move: not a dir: $2" >&2
		exit 1
	fi
	# Both renames are issued from a single perl process calling rename()
	# directly -- presumably to keep the moment where $2 is absent as short
	# as possible.
	if ! perl -e 'rename($ARGV[1], $ARGV[2]) or die "rename failed: $!\n" if -d $ARGV[1];
		rename($ARGV[0], $ARGV[1]) or die "rename failed: $!\n"; exit 0;' "$1" "$2" "$3"
	then
		echo "fatal: quick_move: rename failed" >&2
		exit 1
	fi
	# Re-check the outcome on disk: $1 must be gone and $2 must be a dir.
	if [ -d "$1" ] || ! [ -d "$2" ]; then
		echo "fatal: quick_move: rename failed" >&2
		exit 1
	fi
}
check_sh_builtin() (
	# Ask the configured POSIX shell ($var_sh_bin) how it resolves the
	# name in $1 and print the result of its `command -v`.  A built-in
	# prints its bare name; an external utility prints a path.
	# The function body is a subshell, so nothing done here leaks out.
	# Command names are quoted so that an alias cannot stand in for them,
	# and any shell function called "command" is dropped first.
	"unset" -f command
	_probe='{ "unset" -f unalias command "$1" || :; "unalias" "$1" || :; } >/dev/null 2>&1; "command" -v "$1"'
	"command" "$var_sh_bin" -c "$_probe" "$var_sh_bin" "$1"
) 2>/dev/null
# ":group" suffix for chown arguments; empty when no owning group is set.
owngroup="${cfg_owning_group:+:$cfg_owning_group}"

# HTTPS push needs a certificates directory.
if [ -n "$cfg_httpspushurl" ] && [ -z "$cfg_certsdir" ]; then
	echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
	echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
	exit 1
fi

# Check for extra required tools
if [ "${cfg_xmllint_readme:-0}" != "0" ] && ! command -v xmllint >/dev/null; then
	echo "ERROR: \$xmllint_readme set but xmllint not in \$PATH!" >&2
	exit 1
fi
echo "*** Checking for compiled utilities..."
# Every helper built by `make` must be a regular, executable file.  They are
# checked in a fixed order and the first missing one aborts the install.
for _util in \
	can_user_push can_user_push_http getent get_user_uuid list_packs \
	peek_packet rangecgi readlink strftime throttle ulimit512
do
	if ! { [ -f "src/$_util" ] && [ -x "src/$_util" ]; }; then
		echo "ERROR: src/$_util is not built! Did you _REALLY_ read INSTALL?" >&2
		echo "ERROR: perhaps you forgot to run make?" >&2
		exit 1
	fi
done

echo "*** Checking for ezcert..."
if ! { [ -f ezcert.git/CACreateCert ] && [ -x ezcert.git/CACreateCert ]; }; then
	echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
echo "*** Checking for git..."
# The Git binary is pinned by absolute path so that later use does not
# depend on whatever $PATH happens to be.
case "$cfg_git_bin" in
	/*)
		;;
	*)
		echo 'ERROR: $Girocco::Config::git_bin must be set to an absolute path' >&2
		exit 1
esac
if ! { [ -f "$cfg_git_bin" ] && [ -x "$cfg_git_bin" ]; }; then
	echo "ERROR: $cfg_git_bin does not exist or is not executable" >&2
	exit 1
fi
# The binary must run and must identify itself as Git.
if ! git_version="$("$cfg_git_bin" version)" || [ -z "$git_version" ]; then
	echo "ERROR: $cfg_git_bin version failed" >&2
	exit 1
fi
case "$git_version" in
	[Gg]"it version "*)
		;;
	*)
		echo "ERROR: '$cfg_git_bin version' output does not start with 'git version '" >&2
		exit 1
esac
echo "Found $cfg_git_bin $git_version"
# Reduce the `git version` banner to its dotted numeric part.
git_vernum="$(echo "$git_version" | sed -ne 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p')"
echo "*** Checking Git $git_vernum for compatibility..."

# Small wrappers around vcmp (not defined in this script; presumably from
# shlib.sh): true when the detected Git is older than / at least version $1.
_git_lt() { [ "$(vcmp "$git_vernum" "$1")" -lt 0 ]; }
_git_ge() { [ "$(vcmp "$git_vernum" "$1")" -ge 0 ]; }

# Hard floor.
if _git_lt 1.6.6; then
	echo 'ERROR: $Girocco::Config::git_bin must be at least Git version 1.6.6'
	exit 1
fi
if _git_lt 1.6.6.3; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.6.6.3, clients will not see useful error messages'
fi
if _git_lt 1.7.3; then
	cat <<'EOT'

*** SEVERE WARNING: $Girocco::Config::git_bin is set to a version of Git before 1.7.3

Some Girocco functionality will be gracefully disabled and other things will
just not work at all such as race condition protection against simultaneous
client pushes and server garbage collections.

EOT
fi
if [ -n "$cfg_mirror" ] && _git_lt 1.7.5; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.7.5 and mirroring enabled, some sources can cause an infinite fetch loop'
fi
if _git_lt 1.7.6.6; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.7.6.6, performance may be degraded'
fi
if [ "$(uname -m 2>/dev/null)" = "x86_64" ] && _git_ge 1.7.11 && _git_lt 2.12.0; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 1.7.11 and < 2.12.0 and x86_64, make sure Git built WITHOUT XDL_FAST_HASH'
	echo 'WARNING: See https://mid.mail-archive.com/20141222041944.GA441@peff.net for details'
fi
if _git_ge 1.8.4.2 && [ -n "$cfg_mirror" ] && _git_lt 2; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, git-daemon needs write access for shallow clones'
	echo 'WARNING: $Girocco::Config::git_bin version >= 1.8.4.2 and < 2.0.0, shallow clones will leave repository turds'
fi
if _git_lt 1.8.4.3; then
	echo 'WARNING: $Girocco::Config::git_bin version < 1.8.4.3, clients will not receive symref=HEAD:refs/heads/...'
fi
if _git_lt 2.1; then
	echo 'WARNING: $Girocco::Config::git_bin version < 2.1.0, pack bitmaps will not be available'
fi
if _git_ge 2.1 && _git_lt 2.1.3; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 2.1.0 and < 2.1.3, pack bitmaps may not be reliable, please upgrade to at least Git version 2.1.3'
fi
# The only range that is refused outright.
if _git_ge 2.2 && _git_lt 2.3.2; then
	cat <<'EOT'

*** ERROR: $Girocco::Config::git_bin is set to an incompatible version of Git

Git versions starting with 2.2.0 and continuing up through 2.3.1 are incompatible
with Girocco due to various unresolved issues. Please either downgrade to 2.1.4
or earlier or, more preferred, upgrade to 2.3.2 (ideally 2.4.11) or later.

In order to bypass this check you will have to modify install.sh in which case
USE THE SELECTED GIT BINARY AT YOUR OWN RISK!

EOT
	exit 1
fi
if _git_lt 2.3.3; then
	echo 'WARNING: $Girocco::Config::git_bin version < 2.3.3, performance will be sub-optimal'
fi
if _git_lt 2.4.4; then
	echo 'WARNING: $Girocco::Config::git_bin version < 2.4.4, many refs smart HTTP fetches can deadlock'
fi
if _git_ge 2.10.1 && _git_lt 2.12.3; then
	echo 'WARNING: $Girocco::Config::git_bin version >= 2.10.1 and < 2.12.3, --pickaxe-regex can segfault'
	echo 'WARNING: If gitweb pickaxe regular expression searches are enabled, --pickaxe-regex will be used'
	echo 'WARNING: See the fix at http://repo.or.cz/git.git/f53c5de29cec68e3 for details'
	echo 'WARNING: The fix is trivial and easily cherry-picked into a custom 2.10.1 - 2.12.2 build'
	echo 'WARNING: Leaving the gitweb/gitweb_config.perl "regexp" feature off as recommended avoids the issue'
fi

# Security floor.  secmsg names the release range the detected Git falls in;
# the four ranges do not overlap, so at most one branch applies.  The result
# is a warning followed by a 60 second pause -- the install is NOT aborted,
# so an operator has to act on the message for it to have any effect.
secmsg=
if _git_lt 2.4.11; then
	secmsg='prior to 2.4.11'
elif _git_ge 2.5 && _git_lt 2.5.5; then
	secmsg='2.5.x prior to 2.5.5'
elif _git_ge 2.6 && _git_lt 2.6.6; then
	secmsg='2.6.x prior to 2.6.6'
elif _git_ge 2.7 && _git_lt 2.7.4; then
	secmsg='2.7.x prior to 2.7.4'
fi
if [ -n "$secmsg" ]; then
	cat <<EOT

*** SEVERE WARNING: \$Girocco::Config::git_bin is set to a version of Git $secmsg

Security issues exist in Git versions prior to 2.4.11, 2.5.x prior to 2.5.5,
2.6.x prior to 2.6.6 and 2.7.x prior to 2.7.4.

Besides the security fixes included in later versions, versions prior to
2.2.0 may accidentally prune unreachable loose objects earlier than
intended. Since Git version 2.4.11 is the minimum version to include all
security fixes to date, it should be considered the absolute minimum
version of Git to use when running Girocco.

This is not enforced, but Git is easy to build from the git.git submodule
and upgrading to GIT VERSION 2.4.11 OR LATER IS HIGHLY RECOMMENDED.

We will now pause for a moment so you can reflect on this warning.

EOT
	sleep 60
fi
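# With mirroring enabled, look for the string "ns_parserr" inside the Git
# binary itself.  A match is taken as the sign of a vendor patch that changes
# how "git:" URLs without a port are resolved; the operator is warned (and
# given five seconds to notice) but the install continues.
# Fixed in the message text: "repsitory" -> "repository" and the setting
# name now reads $Girocco::Config::mirror like every other setting named
# by this script.
if [ -n "$cfg_mirror" ] && [ "$cfg_mirror" != 0 ] && grep -q ns_parserr "$cfg_git_bin"; then
	cat <<'EOT'

*** WARNING: $Girocco::Config::git_bin is set to a questionable Git binary

You appear to have enabled mirroring and the Git binary you have selected
appears to contain an experimental patch that cannot be disabled. This
patch can generate invalid network DNS traffic and/or cause long delays
when fetching using the "git:" protocol when no port number is specified.
It may also end up retrieving repository contents from a host other than
the one specified in the "git:" URL when the port is omitted.

You are advised to either build your own version of Git (the problem patch
is not part of the official Git repository) or disable mirroring (via the
$Girocco::Config::mirror setting) to avoid these potential problems.

USE THE SELECTED GIT BINARY AT YOUR OWN RISK!

EOT
	sleep 5
fi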
test_nc_U() {
	# Return 0 only if the netcat named by $1 can carry the word
	# "testing" across a Unix-domain socket (its -U option).  All output
	# of the function is discarded by the redirection on the closing brace.
	if [ -z "$1" ]; then
		return 1
	fi
	_cmdnc="$(command -v "$1" 2>/dev/null)" || :
	if ! { [ -n "$_cmdnc" ] && [ -f "$_cmdnc" ] && [ -x "$_cmdnc" ]; }; then
		return 1
	fi
	# Private scratch directory from mktemp, so the socket path cannot be
	# predicted or pre-created by another local account.
	_tmpdir="$(mktemp -d /tmp/nc-u-XXXXXX)"
	if ! { [ -n "$_tmpdir" ] && [ -d "$_tmpdir" ]; }; then
		return 1
	fi
	: >"$_tmpdir/output"
	# Listener in the background; `sleep 3` on its stdin bounds its life.
	# A failure on either side is recorded by creating the "failed" marker.
	(
		sleep 3 | "$_cmdnc" -l -U "$_tmpdir/socket" 2>/dev/null >"$_tmpdir/output" ||
			: >"$_tmpdir/failed"
	) &
	_bgpid="$!"
	sleep 1
	if ! echo "testing" | "$_cmdnc" -w 1 -U "$_tmpdir/socket" >/dev/null 2>&1; then
		: >"$_tmpdir/failed"
	fi
	sleep 1
	kill "$_bgpid" >/dev/null 2>&1 || :
	read -r _result <"$_tmpdir/output" || :
	_bad=
	if [ -e "$_tmpdir/failed" ]; then
		_bad=1
	fi
	rm -rf "$_tmpdir"
	[ -z "$_bad" ] && [ "$_result" = "testing" ]
} >/dev/null 2>&1
echo "*** Verifying \$Girocco::Config::nc_openbsd_bin supports -U option..."
if ! test_nc_U "$var_nc_openbsd_bin"; then
	echo "ERROR: invalid Girocco::Config::nc_openbsd_bin setting" >&2
	echo "ERROR: \"$var_nc_openbsd_bin\" does not grok the -U option" >&2
	# DragonFly gets an extra pointer to its README.
	if [ "$(uname -s 2>/dev/null)" = "DragonFly" ]; then
		echo "ERROR: see the src/dragonfly/README file for a solution" >&2
	fi
	exit 1
fi
echo "*** Verifying selected POSIX sh is sane..."
shbin="$var_sh_bin"
# The shell must exist, be executable and evaluate $(( )) arithmetic.
if ! { [ -n "$shbin" ] && [ -f "$shbin" ] && [ -x "$shbin" ] &&
	[ "$("$shbin" -c 'echo sh $(( 1 + 1 ))' 2>/dev/null)" = "sh 2" ]; }; then
	echo 'ERROR: invalid $Girocco::Config::posix_sh_bin setting' >&2
	exit 1
fi
if [ "$(check_sh_builtin command)" != "command" ]; then
	echo 'ERROR: invalid $Girocco::Config::posix_sh_bin setting (does not understand command -v)' >&2
	exit 1
fi
sh_not_builtin=
sh_extra_chroot_installs=
badsh=

# These must be built into the shell; report every missing one before exiting.
for sbi in cd pwd read umask unset unalias; do
	if ! [ "$(check_sh_builtin "$sbi")" = "$sbi" ]; then
		echo "ERROR: invalid \$Girocco::Config::posix_sh_bin setting (missing built-in $sbi)" >&2
		badsh=1
	fi
done
if [ -n "$badsh" ]; then
	exit 1
fi

# These may be external utilities, but then `command -v` has to yield an
# absolute path without spaces to a readable, executable file.  Such paths
# are collected in sh_extra_chroot_installs.
for sbi in '[' echo printf test; do
	if ! extra="$(check_sh_builtin "$sbi")"; then
		echo "ERROR: invalid \$Girocco::Config::posix_sh_bin setting (missing command $sbi)" >&2
		badsh=1
		continue
	fi
	# A bare name back means it is a built-in: nothing more to do.
	case "$extra" in "$sbi") continue;; esac
	case "$extra" in
		/*)
			;;
		*)
			echo "ERROR: invalid \$Girocco::Config::posix_sh_bin setting (bad command -v $sbi result: $extra)" >&2
			badsh=1
			continue
	esac
	withspc=
	case "$extra" in *" "*) withspc=1; esac
	if ! { [ -z "$withspc" ] && [ -f "$extra" ] && [ -r "$extra" ] && [ -x "$extra" ]; }; then
		echo "ERROR: invalid \$Girocco::Config::posix_sh_bin setting (unusable command -v $sbi result: $extra)" >&2
		badsh=1
		continue
	fi
	echo "WARNING: slow \$Girocco::Config::posix_sh_bin setting (not built-in $sbi)" >&2
	sh_not_builtin="$sh_not_builtin $sbi"
	sh_extra_chroot_installs="$sh_extra_chroot_installs $extra"
done
if [ -n "$badsh" ]; then
	exit 1
fi
if [ -n "$sh_extra_chroot_installs" ]; then
	echo "WARNING: the selected POSIX sh implements these as non-built-in:$sh_not_builtin" >&2
	echo "WARNING: as a result it will run slower than necessary" >&2
	echo "WARNING: consider building and switching to dash which can be found at:" >&2
	echo "WARNING: http://gondor.apana.org.au/~herbert/dash/" >&2
	echo "WARNING: (download a tarball from the files section or clone the Git repository" >&2
	echo "WARNING: and checkout the latest tag, run autogen.sh, configure and build)" >&2
	echo "WARNING: dash is licensed under the 3-clause BSD license" >&2
fi
echo "*** Verifying xargs is sane..."
# Probe: on empty input an xargs that still runs its command once prints
# "-r" here, which is then passed as an option in the two tests below; an
# xargs that runs nothing leaves _xargsr empty.  $_xargsr is deliberately
# unquoted so that an empty value disappears from the command line.
_xargsr="$(</dev/null command xargs printf %s -r)" || :
xtest1="$(</dev/null command xargs $_xargsr printf 'test %s ' 2>&1)" || :
xtest2="$(printf '%s\n' one two | command xargs $_xargsr printf 'test %s ' 2>&1)" || :
# Required: silence on empty input, and one argument per input line otherwise.
if ! { [ -z "$xtest1" ] && [ "$xtest2" = "test one test two " ]; }; then
	echo 'ERROR: xargs is unusable' >&2
	echo 'ERROR: either `test -z "$(</dev/null xargs echo test 2>&1)"`' >&2
	echo 'ERROR: or `test -z "$(</dev/null xargs -r echo test 2>&1)"`' >&2
	echo 'ERROR: must be true, but neither is' >&2
	exit 1
fi
echo "*** Verifying selected perl is sane..."
perlbin="$var_perl_bin"
# Must be an executable regular file that can run a one-line program.
if ! { [ -n "$perlbin" ] && [ -f "$perlbin" ] && [ -x "$perlbin" ] &&
	[ "$("$perlbin" -wle 'print STDOUT "perl ", + ( 1 + 1 )' 2>/dev/null)" = "perl 2" ]; }; then
	echo 'ERROR: invalid $Girocco::Config::perl_bin setting' >&2
	exit 1
fi

echo "*** Verifying selected gzip is sane..."
gzipbin="$var_gzip_bin"
# Must identify itself as gzip and round-trip a short string.
if ! { [ -n "$gzipbin" ] && [ -f "$gzipbin" ] && [ -x "$gzipbin" ] &&
	"$gzipbin" -V 2>&1 | grep -q gzip &&
	[ "$(echo Girocco | "$gzipbin" -c -n -9 | "$gzipbin" -c -d)" = "Girocco" ]; }; then
	echo 'ERROR: invalid $Girocco::Config::gzip_bin setting' >&2
	exit 1
fi
echo "*** Verifying basedir, webroot and cgiroot paths..."
# $cfg_basedir, $cfg_webroot and $cfg_cgiroot must all be absolute paths.
# $1 is the setting name used in the message, $2 its value; a value that
# does not start with '/' ends the script.
_require_abs_path() {
	case "$2" in /*) return 0;; esac
	echo "ERROR: invalid Girocco::Config::$1 setting" >&2
	echo "ERROR: \"$2\" must be an absolute path (start with '/')" >&2
	exit 1
}
_require_abs_path basedir "$cfg_basedir"
_require_abs_path webroot "$cfg_webroot"
_require_abs_path cgiroot "$cfg_cgiroot"
433 # return the input with trailing slashes stripped but return "/" for all "/"s
striptrsl() {
	# Print $1 without its trailing slashes; a string made only of
	# slashes prints as a single "/".  Empty input prints nothing.
	if [ -z "$1" ]; then
		return 0
	fi
	# _s is what remains after removing everything up to the last
	# non-slash character, i.e. the run of slashes at the end of $1.
	_s="${1##*[!/]}"
	if [ "$_s" = "$1" ]; then
		# $1 is nothing but slashes: strip one fewer so "/" survives.
		_s="${_s#?}"
	fi
	printf "%s\n" "${1%$_s}"
}
441 # a combination of realpath + dirname where the realpath of the deepest existing
442 # directory is returned with the rest of the non-existing components appended
443 # and trailing slashes and multiple slashes are removed
realdir() {
	# Print the physical path (pwd -P) of the deepest existing directory
	# of $1 followed by the components of $1 that do not exist yet.
	# "/" and the empty string are printed unchanged.
	_d="$(striptrsl "$1")"
	case "$_d" in
		""|"/")
			echo "$_d"
			return 0
	esac
	# Walk upwards until an existing directory is found, collecting the
	# components that were peeled off in _c.
	_c=""
	until [ -d "$_d" ]; do
		_c="/$(basename "$_d")$_c"
		_d="$(dirname "$_d")"
		# At the root the resolved prefix is already "/", so drop the
		# leading slash of the suffix to avoid printing "//".
		if [ "$_d" = "/" ]; then
			_c="${_c#/}"
		fi
	done
	printf "%s%s\n" "$(cd "$_d" && pwd -P)" "$_c"
}
459 # Use basedir, webroot and cgiroot for easier control of filesystem locations
460 # Wherever we are writing/copying/installing files we use these, but where we
461 # are editing, adding config settings or printing advice we always stick to the
462 # cfg_xxx Config variable versions. These are like a set of DESTDIR variables.
463 # Only the file system directories that could be asynchronously accessed (by
464 # the web server, jobd.pl, taskd.pl or incoming pushes) get these special vars.
465 # The chroot is handled specially and does not need one of these.
466 # We must be careful to allow cgiroot and/or webroot to be under basedir in which
467 # case the prior contents of cgiroot and/or webroot are discarded.
# Resolve the three configured locations to physical paths so that the
# containment checks below compare like with like.
rbasedir="$(realdir "$cfg_basedir")"
rwebroot="$(realdir "$cfg_webroot")"
rcgiroot="$(realdir "$cfg_cgiroot")"

# basedir may contain webroot and/or cgiroot, never the other way round.
case "$rbasedir" in
	"$rwebroot"/?*)
		echo "ERROR: invalid Girocco::Config::basedir setting; must not be under webroot" >&2
		exit 1
esac
case "$rbasedir" in
	"$rcgiroot"/?*)
		echo "ERROR: invalid Girocco::Config::basedir setting; must not be under cgiroot" >&2
		exit 1
esac
# webroot and cgiroot must be distinct and must not nest in each other.
if [ "$rwebroot" = "$rcgiroot" ]; then
	echo "ERROR: invalid Girocco::Config::webroot and Girocco::Config::cgiroot settings; must not be the same" >&2
	exit 1
fi
case "$rcgiroot" in
	"$rwebroot"/?*)
		echo "ERROR: invalid Girocco::Config::cgiroot setting; must not be under webroot" >&2
		exit 1
esac
case "$rwebroot" in
	"$rcgiroot"/?*)
		echo "ERROR: invalid Girocco::Config::webroot setting; must not be under cgiroot" >&2
		exit 1
esac

# Everything is staged in "-new" siblings.  A webroot/cgiroot that lives
# under basedir is staged inside the new basedir instead and flagged with
# the matching *sub variable.
basedir="$rbasedir-new"
case "$rwebroot" in
	"$rbasedir"/?*)
		webroot="$basedir${rwebroot#$rbasedir}"
		webrootsub=1
		;;
	*)
		webroot="$rwebroot-new"
		webrootsub=
		;;
esac
case "$rcgiroot" in
	"$rbasedir"/?*)
		cgiroot="$basedir${rcgiroot#$rbasedir}"
		cgirootsub=1
		;;
	*)
		cgiroot="$rcgiroot-new"
		cgirootsub=
		;;
esac
echo "*** Setting up basedir..."

chown_make() {
	# Hand files that a root-run make left behind back to the invoking
	# user.  Arguments are the paths to scan.  Does nothing unless
	# $LOGNAME is root.
	[ "$LOGNAME" = root ] || return 0
	if [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != root ]; then
		# Under sudo: re-own every root-owned entry to $SUDO_USER and
		# that user's primary group.  Errors are deliberately ignored.
		# NOTE(review): chown is called without -h here, so a root-owned
		# symlink among the results would have its target re-owned
		# rather than the link itself; the basedir/bin chown later in
		# this script does pass -h -- confirm which is intended.
		find -H "$@" -user root -exec chown "$SUDO_USER:$(id -gn "$SUDO_USER")" '{}' + 2>/dev/null || :
	else
		# Plain root login: nobody to hand the files back to.
		echo "*** WARNING: running make as root w/o sudo may leave root-owned: $*"
	fi
}
# Build what is still missing, fixing up ownership after each make run.
"$MAKE" --no-print-directory --silent apache.conf
chown_make apache.conf
"$MAKE" --no-print-directory --silent -C src
chown_make src

# Start the staging tree from scratch ($basedir is the "-new" sibling of the
# live basedir, not the live tree itself).
rm -fr "$basedir"
mkdir -p "$basedir" "$basedir/gitweb" "$basedir/cgi"
cp cgi/*.cgi "$basedir/cgi"
cp -pR Girocco jobd taskd html jobs toolbox hooks apache.conf shlib.sh bin screen "$basedir"
# No symbolic links are carried over from the source tree; the only links in
# the staged tree are the ones created explicitly further down.
find -H "$basedir" -type l -exec rm -f '{}' +
cp -p \
	src/can_user_push src/can_user_push_http src/get_user_uuid \
	src/list_packs src/peek_packet src/rangecgi src/readlink \
	src/strftime src/throttle src/ulimit512 \
	ezcert.git/CACreateCert cgi/authrequired.cgi cgi/snapshot.cgi \
	"$basedir/bin"
cp -p gitweb/*.sh gitweb/*.perl "$basedir/gitweb"

# Drop the HTML pages for features that are switched off.
if [ -n "$cfg_httpspushurl" ]; then
	if [ -n "$cfg_pretrustedroot" ]; then
		rm -f "$basedir"/html/rootcert.html
	fi
else
	rm -f "$basedir"/html/rootcert.html "$basedir"/html/httpspush.html
fi
if [ -z "$cfg_mob" ]; then
	rm -f "$basedir"/html/mob.html
fi

# Put the correct Config in place: a non-default module is copied over
# Girocco/Config.pm (Foo::Bar -> Foo/Bar.pm, relative to the current directory).
if [ "$GIROCCO_CONF" != "Girocco::Config" ]; then
	cp "$(echo "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')" "$basedir/Girocco/Config.pm"
fi

# Create symbolic links to selected binaries
ln -s "$cfg_git_bin" "$basedir/bin/git"
ln -s "$shbin" "$basedir/bin/sh"
ln -s "$perlbin" "$basedir/bin/perl"
ln -s "$gzipbin" "$basedir/bin/gzip"
553 echo "*** Preprocessing scripts..."
554 SHBIN="$shbin" && export SHBIN
555 PERLBIN="$perlbin" && export PERLBIN
556 perl -I. -M$GIROCCO_CONF -i -p \
557 -e 's/^#!.*perl/#!$ENV{PERLBIN}/ if $. == 1;' \
558 -e 's/^#!.*sh/#!$ENV{SHBIN}/ if $. == 1;' \
559 -e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' \
560 -e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
561 -e 's/__BASE''DIR__/$Girocco::Config::basedir/g;' \
562 -e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' \
563 -e 's/\@shbin\@/"$ENV{SHBIN}"/g;' \
564 -e 's/\@perlbin\@/"$ENV{PERLBIN}"/g;' \
565 -e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
566 -e 's/\@chroot\@/"$Girocco::Config::chroot"/g;' \
567 -e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' \
568 -e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
569 -e 's/\@mob\@/"$Girocco::Config::mob"/g;' \
570 -e 's/\@autogchack\@/"$Girocco::Config::autogchack"/g;' \
571 -e 's/\@git_server_ua\@/"$Girocco::Config::git_server_ua"/g;' \
572 -e 's/\@defined_git_server_ua\@/defined($Girocco::Config::git_server_ua)/ge;' \
573 -e 's/\@git_no_mmap\@/"$Girocco::Config::git_no_mmap"/g;' \
574 -e 's/\@big_file_threshold\@/"'"$var_big_file_threshold"'"/g;' \
575 -e 's/\@upload_pack_window\@/"'"$var_upload_window"'"/g;' \
576 -e 's/\@fetch_stash_refs\@/"$Girocco::Config::fetch_stash_refs"/g;' \
577 -e 'close ARGV if eof;' \
578 "$basedir"/jobs/*.sh "$basedir"/jobd/*.sh \
579 "$basedir"/taskd/*.sh "$basedir"/gitweb/*.sh \
580 "$basedir"/shlib.sh "$basedir"/hooks/* \
581 "$basedir"/toolbox/*.sh "$basedir"/toolbox/*.pl \
582 "$basedir"/toolbox/reports/*.sh \
583 "$basedir"/bin/git-* "$basedir"/bin/*.sh \
584 "$basedir"/bin/create-* "$basedir"/bin/update-* \
585 "$basedir"/bin/*.cgi "$basedir"/screen/*
586 perl -I. -M$GIROCCO_CONF -i -p \
587 -e 's/__BASE''DIR__/$Girocco::Config::basedir/g;' \
588 "$basedir"/cgi/*.cgi "$basedir"/gitweb/*.perl \
589 "$basedir"/jobd/*.pl "$basedir"/taskd/*.pl
590 perl -i -p \
591 -e 's/^#!.*perl/#!$ENV{PERLBIN}/ if $. == 1;' \
592 -e 'close ARGV if eof;' \
593 "$basedir"/jobd/jobd.pl "$basedir"/taskd/taskd.pl \
594 "$basedir"/bin/sendmail.pl "$basedir"/bin/CACreateCert
595 perl -i -p \
596 -e 's/^#!.*perl/#!$ENV{PERLBIN}/ if $. == 1;' \
597 -e 's/^#!.*sh/#!$ENV{SHBIN}/ if $. == 1;' \
598 -e 'close ARGV if eof;' \
599 "$basedir"/bin/format-readme "$basedir/cgi"/*.cgi
600 unset PERLBIN
601 unset SHBIN
603 # Dump all the cfg_ and defined_ variables to shlib_vars.sh
604 get_girocco_config_var_list >"$basedir"/shlib_vars.sh
echo "*** Setting up darcs-fast-export from bzr-fastimport.git..."
if ! { [ -f bzr-fastimport.git/exporters/darcs/darcs-fast-export ] &&
	[ -x bzr-fastimport.git/exporters/darcs/darcs-fast-export ]; }; then
	echo "ERROR: bzr-fastimport.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$basedir"/bin
cp bzr-fastimport.git/exporters/darcs/darcs-fast-export "$basedir"/bin

echo "*** Setting up hg-fast-export from fast-export.git..."
if ! { [ -f fast-export.git/hg-fast-export.py ] && [ -f fast-export.git/hg2git.py ]; }; then
	echo "ERROR: fast-export.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$basedir"/bin
cp fast-export.git/hg-fast-export.py fast-export.git/hg2git.py "$basedir"/bin

echo "*** Setting up markdown from markdown.git..."
if ! [ -f markdown.git/Markdown.pl ]; then
	echo "ERROR: markdown.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$basedir"/bin
# Rewrite the #! line into a temporary copy, then rename it into place.  The
# subshell keeps the PERLBIN export from leaking into the rest of the script.
(
	PERLBIN="$perlbin" && export PERLBIN &&
	perl -p -e 's/^#!.*perl/#!$ENV{PERLBIN}/ if $. == 1;' \
		markdown.git/Markdown.pl >"$basedir"/bin/Markdown.pl.$$ &&
	chmod a+x "$basedir"/bin/Markdown.pl.$$ &&
	mv -f "$basedir"/bin/Markdown.pl.$$ "$basedir"/bin/Markdown.pl
)
test $? -eq 0

# Some permission sanity on basedir/bin just in case: nothing in there may
# be group- or world-writable, and ownership goes to the mirror user.
# chown -h changes a symbolic link itself (the links to git, sh, perl and
# gzip live here) instead of the file it points to.
find -H "$basedir"/bin -type f -exec chmod go-w '{}' +
chown -R -h "$cfg_mirror_user""$owngroup" "$basedir"/bin
# Reminders only; nothing is started or scheduled by the installer.
# NOTE(review): the line closing this `if` is missing from the listing; it
# is placed right after the taskd reminder here -- confirm against the file.
if [ -n "$cfg_mirror" ]; then
	echo "--- Remember to start $cfg_basedir/taskd/taskd.pl"
fi
echo "--- Also remember to either start $cfg_basedir/jobd/jobd.pl, or add this"
echo "--- to the crontab of $cfg_mirror_user (adjust frequency on number of repos):"
echo "*/30 * * * * /usr/bin/nice -n 18 $cfg_basedir/jobd/jobd.pl -q --all-once"
echo "*** Setting up repository root..."
# Ownership and mode problems in this section are reported as warnings and
# do not stop the install, so the output is worth reading afterwards.
if ! [ -d "$cfg_reporoot" ]; then
	mkdir -p "$cfg_reporoot"
	chown "$cfg_mirror_user""$owngroup" "$cfg_reporoot" ||
		echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_reporoot"
fi
if [ -n "$cfg_owning_group" ]; then
	chgrp "$cfg_owning_group" "$cfg_reporoot" ||
		echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot"
fi
# 02775: setgid directory, writable by owner and group.
chmod 02775 "$cfg_reporoot" || echo "WARNING: Cannot chmod $cfg_reporoot properly"

mkdir -p "$cfg_reporoot/_recyclebin" "$cfg_reporoot/_global/hooks"
chown "$cfg_mirror_user""$owngroup" "$cfg_reporoot/_recyclebin" "$cfg_reporoot/_global" "$cfg_reporoot/_global/hooks" ||
	echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_reporoot/{_recyclebin,_global} properly"
if [ "$cfg_owning_group" ]; then
	chgrp "$cfg_owning_group" "$cfg_reporoot/_recyclebin" ||
		echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_reporoot/_recyclebin"
	chgrp -R "$cfg_owning_group" "$cfg_reporoot/_global" ||
		echo "WARNING: Cannot chgrp -R $cfg_owning_group $cfg_reporoot/_global"
fi
chmod 02775 "$cfg_reporoot/_recyclebin" || echo "WARNING: Cannot chmod $cfg_reporoot/_recyclebin properly"
# The global hooks tree is writable by its owner only.
chmod 00755 "$cfg_reporoot/_global" "$cfg_reporoot/_global/hooks" || echo "WARNING: Cannot chmod $cfg_reporoot/_global properly"
if [ "${cfg_disable_jailsetup:-0}" = "0" ] && [ -n "$cfg_chrooted" ]; then
	echo "*** Setting up chroot jail for pushing..."
	if [ "$(id -u)" -eq 0 ]; then
		# jailsetup may install things from $cfg_basedir/bin into the
		# chroot, so just that directory of the LIVE basedir is
		# refreshed from the staged copy before jailsetup.sh runs.
		mkdir -p "$cfg_basedir"
		rm -rf "$cfg_basedir/bin-new"
		cp -pR "$basedir/bin" "$cfg_basedir/bin-new" >/dev/null 2>&1
		rm -rf "$cfg_basedir/bin-old"
		quick_move "$cfg_basedir/bin-new" "$cfg_basedir/bin" "$cfg_basedir/bin-old"
		rm -rf "$cfg_basedir/bin-old"
		# Utilities the selected sh does not have built in are handed
		# to jailsetup.sh through the environment.
		if [ -n "$sh_extra_chroot_installs" ]; then
			GIROCCO_CHROOT_EXTRA_INSTALLS="$sh_extra_chroot_installs"
			export GIROCCO_CHROOT_EXTRA_INSTALLS
		fi
		./jailsetup.sh
		unset GIROCCO_CHROOT_EXTRA_INSTALLS
	else
		echo "WARNING: Skipping jail setup, not root"
	fi
fi

echo "*** Setting up jail configuration (project database)..."
if [ "$(id -u)" -ne 0 ]; then
	./jailsetup.sh dbonly
fi
mkdir -p "$cfg_chroot" "$cfg_chroot/etc"
touch "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group"
# The jail's etc/ goes to the mirror user; its passwd and group files go to
# the CGI user and are made group-writable.  Whoever can write these two
# files controls the jail's account list, so failures here are worth
# following up even though they are only reported as warnings.
chown "$cfg_mirror_user""$owngroup" "$cfg_chroot/etc" ||
	echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $cfg_chroot/etc"
chown "$cfg_cgi_user""$owngroup" "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
	echo "WARNING: Cannot chown $cfg_cgi_user$owngroup the etc/passwd and/or etc/group files"
chmod g+w "$cfg_chroot/etc/passwd" "$cfg_chroot/etc/group" ||
	echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
chmod 02775 "$cfg_chroot/etc" || echo "WARNING: Cannot chmod 02775 $cfg_chroot/etc"
echo "*** Setting up global hook scripts..."
# Hook replacement has to be atomic: a push arriving half-way through must
# find either the old or the new script, never none.  Each hook is therefore
# written to a temporary name beside its destination and moved over it with
# mv, which relies on rename(2).
# NOTE(review): the temporary name is "$hook.$$" (predictable) and is created
# inside a directory that was handed to $cfg_mirror_user earlier in this
# script.  When the installer runs with more privilege than that account,
# consider creating the temporary file so that a pre-existing entry makes
# the write fail (for example with `set -C`) -- confirm with the maintainers.
hookdir="$cfg_reporoot/_global/hooks"
hooks="pre-auto-gc pre-receive post-commit post-receive update"

# First add hook scripts
for hook in $hooks; do
	cat "$basedir/hooks/$hook" >"$hookdir/$hook.$$"
	chown "$cfg_mirror_user""$owngroup" "$hookdir/$hook.$$" ||
		echo "WARNING: Cannot chown $cfg_reporoot/_global/hooks/$hook"
	chmod 0755 "$hookdir/$hook.$$"
	mv -f "$hookdir/$hook.$$" "$hookdir/$hook"
done

# Then remove any hook scripts that do not belong: every regular file in the
# directory whose name is not on the list above.
for hook in "$hookdir"/*; do
	hook="${hook##*/}"
	if ! [ -f "$hookdir/$hook" ]; then
		continue
	fi
	case " $hooks " in
		*" $hook "*)
			;;
		*)
			rm -f "$hookdir/$hook" ||
				echo "WARNING: Cannot remove extraneous $cfg_reporoot/_global/hooks/$hook"
	esac
done
echo "*** Setting up gitweb from git.git..."
if ! [ -f git.git/Makefile ]; then
	echo "ERROR: git.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi

# webroot and cgiroot are only replaced wholesale when they live under
# basedir.  Otherwise, if they already exist, the staging copies start out
# as copies of the live directories.  cp -p can produce harmless warnings
# here, so its output is discarded and its status ignored.
rm -rf "$webroot" "$cgiroot"
if [ -z "$webrootsub" ] && [ -d "$rwebroot" ]; then
	cp -pR "$rwebroot" "$webroot" >/dev/null 2>&1 || :
fi
if [ -z "$cgirootsub" ] && [ -d "$rcgiroot" ]; then
	cp -pR "$rcgiroot" "$cgiroot" >/dev/null 2>&1 || :
fi
mkdir -p "$webroot" "$cgiroot"

# Build gitweb inside git.git.  The subshell confines the cd and the PERLBIN
# export (its opening and closing lines are missing from the listing and are
# restored here).  gitweb.cgi gets the selected perl on its #! line and its
# `use warnings;` line commented out, and is renamed into place when complete.
(
	cd git.git &&
	"$MAKE" --no-print-directory --silent NO_SUBDIR=: bindir="$(dirname "$cfg_git_bin")" \
		GITWEB_CONFIG="$cfg_basedir/gitweb/gitweb_config.perl" SHELL_PATH="$shbin" gitweb &&
	chown_make gitweb &&
	PERLBIN="$perlbin" && export PERLBIN &&
	perl -p -e 's/^#!.*perl/#!$ENV{PERLBIN}/ if $. == 1;' \
		-e 's/^(\s*use\s+warnings\s*;.*)$/#$1/;' gitweb/gitweb.cgi >"$cgiroot"/gitweb.cgi.$$ &&
	chmod a+x "$cgiroot"/gitweb.cgi.$$ &&
	chown_make "$cgiroot"/gitweb.cgi.$$ &&
	mv -f "$cgiroot"/gitweb.cgi.$$ "$cgiroot"/gitweb.cgi &&
	cp gitweb/static/*.png gitweb/static/*.css gitweb/static/*.js "$webroot"
)
test $? -eq 0
echo "*** Setting up git-browser from git-browser.git..."
if [ ! -f git-browser.git/git-browser.cgi ]; then
	echo "ERROR: git-browser.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi
mkdir -p "$webroot"/git-browser "$cgiroot"
(
	cd git-browser.git &&
	CFG="$cfg_basedir/gitweb/git-browser.conf" && export CFG &&
	# Rewrite the #! line to $PERLBIN and replace the relative
	# "git-browser.conf" literal with the absolute path held in $CFG.
	# NOTE(review): the path is pasted between double quotes in the Perl
	# source, so it must not contain '"', '$' or '@' -- confirm the config
	# checks guarantee that for $cfg_basedir.
	PERLBIN="$perlbin" && export PERLBIN && perl -p \
		-e 's/^#!.*perl/#!$ENV{PERLBIN}/ if $. == 1;' \
		-e 's/"git-browser\.conf"/"$ENV{"CFG"}"/' git-browser.cgi >"$cgiroot"/git-browser.cgi.$$ &&
	chmod a+x "$cgiroot"/git-browser.cgi.$$ &&
	chown_make "$cgiroot"/git-browser.cgi.$$ &&
	mv -f "$cgiroot"/git-browser.cgi.$$ "$cgiroot"/git-browser.cgi &&
	cp -r *.html *.js *.css js.lib "$webroot"/git-browser &&
	cp -r JSON "$cgiroot"
)
# Stop here (set -e) if any step of the subshell failed
test $? -eq 0
# The index.html copied by the *.html glob above is not kept
rm -f "$webroot"/git-browser/index.html

# git-browser's own configuration: written to a temporary name, handed to
# chown_make, then renamed into place
cat >"$basedir/gitweb"/git-browser.conf.$$ <<-EOT
gitbin: $cfg_git_bin
warehouse: $cfg_reporoot
doconfig: $cfg_basedir/gitweb/gitbrowser_config.perl
EOT
chown_make "$basedir/gitweb"/git-browser.conf.$$
mv -f "$basedir/gitweb"/git-browser.conf.$$ "$basedir/gitweb"/git-browser.conf

# URLs for the JavaScript side.
# NOTE(review): both values land inside JavaScript string literals without
# escaping, so a '"' or '\' in $cfg_gitweburl or $cfg_webadmurl would change
# the script -- confirm these come only from the administrator's Config.pm.
cat >"$webroot"/git-browser/GitConfig.js.$$ <<-EOT
cfg_gitweb_url="$cfg_gitweburl/"
cfg_browsercgi_url="$cfg_webadmurl/git-browser.cgi"
EOT
chown_make "$webroot"/git-browser/GitConfig.js.$$
mv -f "$webroot"/git-browser/GitConfig.js.$$ "$webroot"/git-browser/GitConfig.js
echo "*** Setting up our part of the website..."
mkdir -p "$webroot" "$cgiroot"

# Collect every CGI in $basedir/cgi, publish the lot to $cgiroot, then drop
# the collection directory
cp "$basedir"/bin/snapshot.cgi "$basedir/cgi"
cp "$basedir"/bin/authrequired.cgi "$basedir/cgi"
# Without an https push URL usercert.cgi is not installed, and a copy carried
# over from an earlier install is deleted rather than left reachable
if [ -z "$cfg_httpspushurl" ]; then
	rm -f "$basedir/cgi"/usercert.cgi "$cgiroot"/usercert.cgi
fi
cp "$basedir/cgi"/*.cgi "$cgiroot"
rm -rf "$basedir/cgi"

# Optional symlink that makes $cfg_reporoot reachable as $cfg_webreporoot.
# NOTE(review): presumably $cfg_webreporoot lies inside the served tree, which
# would expose everything under reporoot that the web server can read -- confirm.
[ -z "$cfg_webreporoot" ] || { rm -f "$cfg_webreporoot" && ln -s "$cfg_reporoot" "$cfg_webreporoot"; }

# Lines mentioning rootcert.html are dropped from the index text when https
# push is off or the root certificate is already trusted
if [ -z "$cfg_httpspushurl" ] || [ -n "$cfg_pretrustedroot" ]; then
	grep -v 'rootcert[.]html' gitweb/indextext.html >"$basedir/gitweb/indextext.html"
else
	cp gitweb/indextext.html "$basedir/gitweb"
fi

# Static assets and the per-directory access rules for both trees
mv "$basedir"/html/*.css "$basedir"/html/*.js "$webroot"
cp mootools.js "$webroot"
cp htaccess "$webroot/.htaccess"
cp cgi/htaccess "$cgiroot/.htaccess"
cp git-favicon.ico "$webroot/favicon.ico"
cp robots.txt "$webroot"
# Appended (>>), not overwritten: our rules are added to whatever gitweb.css
# is already present in $webroot
cat gitweb/gitweb.css >>"$webroot"/gitweb.css
# Private PKI for https push.  Pieces kept in $cfg_certsdir:
#   root key + self-signed root certificate
#   www key  + server certificate issued by the root
#   client key + sub-CA certificate issued by the root
#   mob user key + client certificate issued by the client sub-CA (optional)
# Existing files are reused; deleting a certificate forces everything derived
# from it to be issued again.
# NOTE(review): the root key stays in the same directory as the online keys,
# and install.sh later chowns $cfg_certsdir recursively to $cfg_mirror_user --
# confirm that account is trusted to hold the root signing key.
if [ -n "$cfg_httpspushurl" ]; then
	echo "*** Setting up SSL certificates..."
	# Key size is at least 2048 bits; a larger $cfg_rsakeylength raises it.
	# A non-numeric setting makes the test fail quietly and 2048 is kept.
	bits=2048
	if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
		bits="$cfg_rsakeylength"
	fi
	mkdir -p "$cfg_certsdir"
	# under set -e this aborts the install if the path is not a directory
	[ -d "$cfg_certsdir" ]

	# Subject of the current www certificate, cut down to start at the first
	# '/' so it can be compared with "/CN=<name>".
	# NOTE(review): this relies on openssl printing the subject in the
	# slash-separated form; if the installed openssl prints "CN = name"
	# instead, the result is empty and the certificate is reissued on every
	# run -- verify against the openssl in use.
	wwwcertcn=
	if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
		wwwcertcn="$(
			openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject |
			sed -e 's,[^/]*,,'
		)"
	fi

	# One "--dns <name>" pair per word of $cfg_wwwcertaltnames.  The list is
	# expanded unquoted here, so words are also subject to pathname expansion.
	wwwcertdns=
	if [ -n "$cfg_wwwcertaltnames" ]; then
		for dnsopt in $cfg_wwwcertaltnames; do
			wwwcertdns="${wwwcertdns:+$wwwcertdns }--dns $dnsopt"
		done
	fi
	# The options used for the existing certificate, recorded when it was issued
	wwwcertdnsfile=
	if [ -r "$cfg_certsdir/girocco_www_crt.dns" ]; then
		wwwcertdnsfile="$(cat "$cfg_certsdir/girocco_www_crt.dns")"
	fi

	# The root key is needed unless every derived file is present and the
	# www certificate already names $cfg_httpsdnsname
	needroot=1
	if [ -e "$cfg_certsdir/girocco_client_crt.pem" ] &&
	   [ -e "$cfg_certsdir/girocco_client_key.pem" ] &&
	   [ -e "$cfg_certsdir/girocco_www_key.pem" ] &&
	   [ -e "$cfg_certsdir/girocco_www_crt.pem" ] && [ "$wwwcertcn" = "/CN=$cfg_httpsdnsname" ] &&
	   [ -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
		needroot=
	fi

	if [ -n "$needroot" ] && [ ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
		rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
		# umask first, so the key file never exists with wider permissions
		umask 0077
		openssl genrsa -f4 -out "$cfg_certsdir/girocco_root_key.pem" $bits
		chmod 0600 "$cfg_certsdir/girocco_root_key.pem"
		# a certificate for the previous key is worthless now
		rm -f "$cfg_certsdir/girocco_root_crt.pem"
		umask 0022
		echo "Created new root key"
	fi
	if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
		"$basedir/bin/CACreateCert" --root --key "$cfg_certsdir/girocco_root_key.pem" \
			--out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
		# Everything issued under the old root goes, including the *.pem
		# files under $cfg_chroot/etc/sshcerts
		rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
		rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
		echo "Created new root certificate"
	fi

	if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
		umask 0077
		openssl genrsa -f4 -out "$cfg_certsdir/girocco_www_key.pem" $bits
		chmod 0600 "$cfg_certsdir/girocco_www_key.pem"
		rm -f "$cfg_certsdir/girocco_www_crt.pem"
		umask 0022
		echo "Created new www key"
	fi
	# Reissue when the certificate is missing, names a different host, or was
	# made with a different set of --dns options
	if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" ] ||
	   [ "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ] || [ "$wwwcertdns" != "$wwwcertdnsfile" ]; then
		# $wwwcertdns is unquoted so each word becomes its own argument
		openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
		"$basedir/bin/CACreateCert" --server --key "$cfg_certsdir/girocco_root_key.pem" \
			--cert "$cfg_certsdir/girocco_root_crt.pem" $wwwcertdns \
			--out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
		printf '%s\n' "$wwwcertdns" >"$cfg_certsdir/girocco_www_crt.dns"
		echo "Created www certificate"
	fi
	if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
		cat "$cfg_certsdir/girocco_root_crt.pem" >"$cfg_certsdir/girocco_www_chain.pem"
		echo "Created www certificate chain file"
	fi

	if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
		# 0640, not 0600: this key is also readable by the file's group.
		# NOTE(review): presumably so the CGI that issues user certificates
		# can sign with it -- confirm which group ends up owning the file.
		umask 0037
		openssl genrsa -f4 -out "$cfg_certsdir/girocco_client_key.pem" $bits
		chmod 0640 "$cfg_certsdir/girocco_client_key.pem"
		rm -f "$cfg_certsdir/girocco_client_crt.pem"
		umask 0022
		echo "Created new client key"
	fi
	if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
		openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
		"$basedir/bin/CACreateCert" --subca --key "$cfg_certsdir/girocco_root_key.pem" \
			--cert "$cfg_certsdir/girocco_root_crt.pem" \
			--out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
		# certificates issued by the previous client authority are dropped
		rm -f "$cfg_certsdir/girocco_client_suffix.pem"
		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
		echo "Created client certificate"
	fi
	if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
		cat "$cfg_certsdir/girocco_client_crt.pem" >"$cfg_certsdir/girocco_client_suffix.pem"
		echo "Created client certificate suffix file"
	fi

	# The root certificate is offered in $webroot unless it is pretrusted
	if [ -z "$cfg_pretrustedroot" ]; then
		cat "$cfg_rootcert" >"$webroot/${cfg_nickname}_root_cert.pem"
	else
		rm -f "$webroot/${cfg_nickname}_root_cert.pem"
	fi

	if [ -n "$cfg_mob" ]; then
		# The mob key is public by design: it is created world-readable
		# (0644) and its private half is copied into $webroot below, so a
		# "mob" certificate identifies nobody in particular and whatever
		# it is allowed to do is effectively anonymous.
		if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
			openssl genrsa -f4 -out "$cfg_certsdir/girocco_mob_user_key.pem" $bits
			chmod 0644 "$cfg_certsdir/girocco_mob_user_key.pem"
			rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
			echo "Created new mob user key"
		fi
		if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
			openssl rsa -in "$cfg_mobuserkey" -pubout |
			"$basedir/bin/CACreateCert" --client --key "$cfg_clientkey" \
				--cert "$cfg_clientcert" \
				--out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
			echo "Created mob user client certificate"
		fi
		cat "$cfg_mobuserkey" >"$webroot/${cfg_nickname}_mob_key.pem"
		cat "$cfg_mobusercert" "$cfg_clientcertsuffix" >"$webroot/${cfg_nickname}_mob_user.pem"
	else
		rm -f "$webroot/${cfg_nickname}_mob_key.pem" "$webroot/${cfg_nickname}_mob_user.pem"
	fi
else
	# https push disabled: nothing certificate-related stays published
	rm -f "$webroot/${cfg_nickname}_root_cert.pem"
	rm -f "$webroot/${cfg_nickname}_mob_key.pem" "$webroot/${cfg_nickname}_mob_user.pem"
fi
echo "*** Finalizing permissions and moving into place..."
# -h changes a symbolic link itself instead of the file it points to, so a
# link inside these trees cannot hand ownership of an outside file to
# $cfg_mirror_user during the recursive chown
chown -R -h "$cfg_mirror_user""$owngroup" "$basedir" "$webroot" "$cgiroot"
if [ -n "$cfg_httpspushurl" ]; then
	chown -R -h "$cfg_mirror_user""$owngroup" "$cfg_certsdir"
fi

# This should always be the very last thing install.sh does.
# quick_move swaps each staged tree into its live location and parks the
# previous one under "-old"; leftovers are cleared before and after the swap.
rm -rf "$rbasedir-old" "$rwebroot-old" "$rcgiroot-old"
quick_move "$basedir" "$rbasedir" "$rbasedir-old"
# webroot/cgiroot are swapped separately only when the *sub variable is empty
if [ -z "$webrootsub" ]; then
	quick_move "$webroot" "$rwebroot" "$rwebroot-old"
fi
if [ -z "$cgirootsub" ]; then
	quick_move "$cgiroot" "$rcgiroot" "$rcgiroot-old"
fi
rm -rf "$rbasedir-old" "$rwebroot-old" "$rcgiroot-old"
echo "--- Update hooks and config with $cfg_basedir/toolbox/update-all-projects.sh"
949 ! [ -S "$cfg_chroot/etc/taskd.socket" ] || {
950 echo "*** Requesting graceful restart of running taskd (and, if running, jobd)..."
951 touch "$cfg_chroot/etc/taskd.restart"
952 chown_make "$cfg_chroot/etc/taskd.restart"
953 trap ':' PIPE
954 echo "nop" | nc_openbsd -w 5 -U "$cfg_chroot/etc/taskd.socket" || :
955 trap - PIPE