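#!/bin/sh
# The Girocco installation script
# We will OVERWRITE basedir!

# Abort on the first command that fails.
set -e

# What Config should we use?
# GIROCCO_CONF may be preset in the environment; it defaults to Girocco::Config.
[ -n "$GIROCCO_CONF" ] || GIROCCO_CONF=Girocco::Config
echo "*** Initializing using $GIROCCO_CONF..."

# First run Girocco::Config consistency checks.
# perl turns the -M argument into a `use` statement, so GIROCCO_CONF has to be
# a trusted module name. It is quoted so it always reaches perl as one word.
perl -I. "-M$GIROCCO_CONF" -e ''

# Load the shell library shipped next to this script.
# NOTE(review): the cfg_* variables used below are not assigned in this
# script; presumably shlib.sh provides them - confirm.
. ./shlib.sh

# ":group" suffix appended to chown owner arguments when an owning group is set.
owngroup=""
[ -z "$cfg_owning_group" ] || owngroup=":$cfg_owning_group"

# HTTPS push needs a certificate directory; refuse to continue without one.
# Two separate tests replace the obsolescent `-a` operator of test(1).
if [ -n "$cfg_httpspushurl" ] && [ -z "$cfg_certsdir" ]; then
	echo "ERROR: \$httpspushurl is set but \$certsdir is not!" >&2
	echo "ERROR: perhaps you have an incorrect Config.pm?" >&2
	exit 1
fi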
# Pre-flight check: the helper binary must have been built before installing.
echo "*** Checking for compiled utilities..."
[ -f src/can_user_push ] || {
	echo "ERROR: src/can_user_push is not built! Did you _REALLY_ read INSTALL?" >&2
	echo "ERROR: perhaps you forgot to run make?" >&2
	exit 1
}

# Pre-flight check: the ezcert checkout must provide CACreateCert.
echo "*** Checking for ezcert..."
[ -f ezcert.git/CACreateCert ] || {
	echo "ERROR: ezcert.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
}
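echo "*** Setting up basedir..."
# basedir is wiped and rebuilt from scratch. ${var:?} aborts the script when
# cfg_basedir is unset or empty, so rm is never handed an empty path.
rm -fr -- "${cfg_basedir:?cfg_basedir is not set}"
mkdir -p -- "$cfg_basedir"
cp -pR Girocco jobd taskd gitweb html jobs toolbox hooks apache.conf shlib.sh bin screen "$cfg_basedir"
cp -p src/can_user_push ezcert.git/CACreateCert "$cfg_basedir/bin"

# Drop the pages that only apply when HTTPS push / mob support is configured.
[ -n "$cfg_httpspushurl" ] || rm -f "$cfg_basedir"/html/rootcert.html "$cfg_basedir"/html/httpspush.html
[ -n "$cfg_mob" ] || rm -f "$cfg_basedir"/html/mob.html

# Put the correct Config in place
# A non-default module name is mapped to its file path (Foo::Bar -> Foo/Bar.pm)
# and installed as Girocco/Config.pm. printf is used instead of echo so the
# value is passed to sed unmodified.
if [ "$GIROCCO_CONF" != "Girocco::Config" ]; then
	conf_path=$(printf '%s\n' "$GIROCCO_CONF" | sed 's#::#/#g; s/$/.pm/')
	cp "$conf_path" "$cfg_basedir/Girocco/Config.pm"
fi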
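echo "*** Preprocessing scripts..."
# Rewrite the installed scripts in place (-i -p), replacing each @name@
# placeholder with the matching $Girocco::Config::name value. Most values are
# inserted wrapped in double quotes; @basedir@ that already follows a double
# quote is inserted bare. The values end up inside executable scripts without
# any escaping, so the configuration has to be trusted input.
# GIROCCO_CONF is quoted so it always reaches perl as a single word.
# NOTE(review): the replacements always read the Girocco::Config namespace,
# even when GIROCCO_CONF names another module - presumably that module
# populates it; confirm.
perl -I. "-M$GIROCCO_CONF" -i -p \
	-e 's/(?<!")\@basedir\@/"$Girocco::Config::basedir"/g;' \
	-e 's/(?<=")\@basedir\@/$Girocco::Config::basedir/g;' \
	-e 's/\@reporoot\@/"$Girocco::Config::reporoot"/g;' \
	-e 's/\@jailreporoot\@/"$Girocco::Config::jailreporoot"/g;' \
	-e 's/\@webadmurl\@/"$Girocco::Config::webadmurl"/g;' \
	-e 's/\@screen_acl_file\@/"$Girocco::Config::screen_acl_file"/g;' \
	-e 's/\@mob\@/"$Girocco::Config::mob"/g;' \
	"$cfg_basedir"/jobs/*.sh \
	"$cfg_basedir"/jobd/*.sh \
	"$cfg_basedir"/taskd/*.sh \
	"$cfg_basedir"/gitweb/*.sh \
	"$cfg_basedir"/shlib.sh \
	"$cfg_basedir"/hooks/* \
	"$cfg_basedir"/toolbox/* \
	"$cfg_basedir"/bin/git-* \
	"$cfg_basedir"/screen/*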
# Operator reminders only: nothing is started or scheduled by this script.
[ -z "$cfg_mirror" ] || echo "--- Remember to start $cfg_basedir/taskd/taskd.pl"

# jobd must either be started by hand or run from the mirror user's crontab.
echo "--- Also remember to either start $cfg_basedir/jobd/jobd.sh, or add this"
echo "--- to the crontab of $cfg_mirror_user (adjust frequency on number of repos):"
echo "*/30 * * * * /usr/bin/nice -n 18 $cfg_basedir/jobd/jobd.sh -q --all-once"
echo "*** Setting up repository root..."
mkdir -p "$cfg_reporoot" "$cfg_reporoot-recyclebin"

# Hand both trees to the owning group when one is configured.
# A failure here only produces a warning; the installation carries on.
if [ -n "$cfg_owning_group" ]; then
	for repodir in "$cfg_reporoot" "$cfg_reporoot-recyclebin"; do
		chown :"$cfg_owning_group" "$repodir" ||
			echo "WARNING: Cannot chgrp $cfg_owning_group $repodir"
	done
fi

# 02775 = setgid directory, writable by owner and group, readable by others.
for repodir in "$cfg_reporoot" "$cfg_reporoot-recyclebin"; do
	chmod 02775 "$repodir" || echo "WARNING: Cannot chmod $repodir properly"
done
# The full jail can only be built by root; other users get a warning.
current_uid=$(id -u)
if [ -n "$cfg_chrooted" ]; then
	echo "*** Setting up chroot jail for pushing..."
	if [ "$current_uid" -ne 0 ]; then
		echo "WARNING: Skipping jail setup, not root"
	else
		./jailsetup.sh
	fi
fi

echo "*** Setting up jail configuration (project database)..."
# Non-root runs call jailsetup.sh in its "dbonly" mode.
if [ "$current_uid" -ne 0 ]; then
	./jailsetup.sh dbonly
fi

jail_etc="$cfg_chroot/etc"
mkdir -p "$cfg_chroot" "$jail_etc"
touch "$jail_etc/passwd" "$jail_etc/group"

# Ownership and mode changes below are best effort: each failure only warns.
# etc/ goes to the mirror user; passwd and group go to the CGI user and are
# made group-writable, so review who is a member of the owning group.
chown "$cfg_mirror_user$owngroup" "$jail_etc" ||
	echo "WARNING: Cannot chown $cfg_mirror_user$owngroup $jail_etc"
chown "$cfg_cgi_user$owngroup" "$jail_etc/passwd" "$jail_etc/group" ||
	echo "WARNING: Cannot chown $cfg_cgi_user$owngroup the files"
chmod g+w "$jail_etc/passwd" "$jail_etc/group" ||
	echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
chmod 02775 "$jail_etc" || echo "WARNING: Cannot chmod 02775 $jail_etc"
echo "*** Setting up gitweb from git.git..."
# The git.git checkout must be present; gitweb.cgi is built from it.
if ! [ -f git.git/Makefile ]; then
	echo "ERROR: git.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi

mkdir -p "$cfg_webroot" "$cfg_cgiroot"

# Build and copy inside a subshell so the directory change stays local.
# set -e is still in force there, so the first failing step aborts the install.
(
	cd git.git
	make --quiet gitweb/gitweb.cgi
	cp gitweb/gitweb.cgi "$cfg_cgiroot"
	cp gitweb/*.png gitweb/*.css gitweb/*.js "$cfg_webroot"
)
echo "*** Setting up git-browser from git-browser.git..."
# The git-browser checkout must be present before anything is copied.
if ! [ -f git-browser.git/git-browser.cgi ]; then
	echo "ERROR: git-browser.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
fi

browser_webdir="$cfg_webroot"/git-browser
mkdir -p "$browser_webdir" "$cfg_cgiroot"

# Copy inside a subshell so the directory change stays local.
# set -e is still in force there, so a failed copy aborts the install.
(
	cd git-browser.git
	cp git-browser.cgi "$cfg_cgiroot"
	cp -r *.html *.js *.css js.lib/ JSON/ "$browser_webdir"
)
ln -sf "$cfg_webroot/git-browser/JSON" "$cfg_cgiroot"

# Configuration read by git-browser.cgi: git binary and repository root.
cat >"$cfg_cgiroot"/git-browser.conf <<EOT
gitbin: $cfg_git_bin
warehouse: $cfg_reporoot
EOT

# Client-side configuration. The URLs are placed inside JavaScript string
# literals without escaping, so they must not contain a double quote.
cat >"$browser_webdir"/GitConfig.js <<EOT
cfg_gitweb_url="$cfg_gitweburl/"
cfg_browsercgi_url="$cfg_webadmurl/git-browser.cgi"
EOT
echo "*** Setting up darcs-fast-export from bzr-fastimport.git..."
# The exporter is taken from the bzr-fastimport checkout; it must be present.
[ -d bzr-fastimport.git/exporters/darcs/ ] || {
	echo "ERROR: bzr-fastimport.git is not checked out! Did you _REALLY_ read INSTALL?" >&2
	exit 1
}

# Install the exporter next to the other helper binaries.
bindir="$cfg_basedir"/bin
mkdir -p "$bindir"
cp bzr-fastimport.git/exporters/darcs/darcs-fast-export "$bindir"
echo "*** Setting up our part of the website..."
mkdir -p "$cfg_webroot" "$cfg_cgiroot"
cp cgi/*.cgi gitweb/gitweb_config.perl "$cfg_cgiroot"

# usercert.cgi is only kept when HTTPS push is configured.
if [ -z "$cfg_httpspushurl" ]; then
	rm -f "$cfg_cgiroot/usercert.cgi"
fi

# The CGI scripts reach the Girocco directory through this symlink.
ln -fs "$cfg_basedir"/Girocco "$cfg_cgiroot"

# Optionally expose the repository root under the web tree via a symlink.
if [ -n "$cfg_webreporoot" ]; then
	rm -f "$cfg_webreporoot"
	ln -s "$cfg_reporoot" "$cfg_webreporoot"
fi

# Without HTTPS push, lines mentioning rootcert.html are filtered out of the
# index text; otherwise the file is copied unchanged.
if [ -n "$cfg_httpspushurl" ]; then
	cp gitweb/indextext.html "$cfg_webroot"
else
	grep -v 'rootcert[.]html' gitweb/indextext.html > "$cfg_webroot/indextext.html"
fi

# Static assets.
mv "$cfg_basedir"/html/*.css "$cfg_basedir"/html/*.js "$cfg_webroot"
cp mootools.js "$cfg_webroot"
cp htaccess "$cfg_webroot/.htaccess"
cp git-favicon.ico "$cfg_webroot/favicon.ico"
cp robots.txt "$cfg_webroot"

# Appended (>>), not overwritten: the site rules follow whatever gitweb.css
# is already in the web root.
cat gitweb/gitweb.css >>"$cfg_webroot"/gitweb.css
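# gen_rsa_key FILE MODE
# Create a 2048-bit RSA private key in FILE, then set its final MODE.
# The key is written under umask 077 in a subshell, so the file is never
# readable by group or others between its creation and the chmod.
gen_rsa_key() {
	(umask 077 && openssl genrsa -f4 -out "$1" 2048)
	chmod "$2" "$1"
}

if [ -n "$cfg_httpspushurl" ]; then
	echo "*** Setting up SSL certificates..."
	mkdir -p "$cfg_certsdir"
	# Bare test: under set -e the script stops here if this is not a directory.
	[ -d "$cfg_certsdir" ]

	# Subject of the existing www certificate with everything before the first
	# "/" removed; it is compared with "/CN=<dns name>" below.
	wwwcertcn=
	if [ -e "$cfg_certsdir/girocco_www_crt.pem" ]; then
		wwwcertcn="$(openssl x509 -in "$cfg_certsdir/girocco_www_crt.pem" -noout -subject |
			sed -e 's,[^/]*,,')"
	fi

	# needroot stays set unless every key and certificate is present and the
	# www certificate matches the configured DNS name. Chained tests replace
	# the obsolescent -a operator of test(1).
	needroot=1
	if [ -e "$cfg_certsdir/girocco_client_crt.pem" ] &&
		[ -e "$cfg_certsdir/girocco_client_key.pem" ] &&
		[ -e "$cfg_certsdir/girocco_www_key.pem" ] &&
		[ -e "$cfg_certsdir/girocco_www_crt.pem" ] &&
		[ "$wwwcertcn" = "/CN=$cfg_httpsdnsname" ] &&
		[ -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
		needroot=
	fi

	# Root key: generated only when something is missing and no root key exists.
	if [ -n "$needroot" ] && [ ! -e "$cfg_certsdir/girocco_root_key.pem" ]; then
		rm -f "$cfg_certsdir/girocco_root_crt.pem" "$cfg_certsdir/girocco_root_key.pem"
		gen_rsa_key "$cfg_certsdir/girocco_root_key.pem" 0600
		rm -f "$cfg_certsdir/girocco_root_crt.pem"
		echo "Created new root key"
	fi

	# Root certificate: a new one removes every certificate issued below it.
	if [ ! -e "$cfg_certsdir/girocco_root_crt.pem" ]; then
		ezcert.git/CACreateCert --root --key "$cfg_certsdir/girocco_root_key.pem" \
			--out "$cfg_certsdir/girocco_root_crt.pem" "girocco $cfg_nickname root certificate"
		rm -f "$cfg_certsdir/girocco_www_crt.pem" "$cfg_certsdir/girocco_www_chain.pem"
		rm -f "$cfg_certsdir/girocco_client_crt.pem" "$cfg_certsdir/girocco_client_suffix.pem"
		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
		echo "Created new root certificate"
	fi

	# Web server key and certificate.
	if [ ! -e "$cfg_certsdir/girocco_www_key.pem" ]; then
		gen_rsa_key "$cfg_certsdir/girocco_www_key.pem" 0600
		rm -f "$cfg_certsdir/girocco_www_crt.pem"
		echo "Created new www key"
	fi
	# Re-issued when missing or when the old subject does not match the DNS name.
	if [ ! -e "$cfg_certsdir/girocco_www_crt.pem" ] ||
		[ "$wwwcertcn" != "/CN=$cfg_httpsdnsname" ]; then
		openssl rsa -in "$cfg_certsdir/girocco_www_key.pem" -pubout |
			ezcert.git/CACreateCert --server --key "$cfg_certsdir/girocco_root_key.pem" \
				--cert "$cfg_certsdir/girocco_root_crt.pem" \
				--out "$cfg_certsdir/girocco_www_crt.pem" "$cfg_httpsdnsname"
		echo "Created www certificate"
	fi
	if [ ! -e "$cfg_certsdir/girocco_www_chain.pem" ]; then
		cat "$cfg_certsdir/girocco_root_crt.pem" > "$cfg_certsdir/girocco_www_chain.pem"
		echo "Created www certificate chain file"
	fi

	# Client sub-CA key and certificate. The key ends up group-readable (0640).
	if [ ! -e "$cfg_certsdir/girocco_client_key.pem" ]; then
		gen_rsa_key "$cfg_certsdir/girocco_client_key.pem" 0640
		rm -f "$cfg_certsdir/girocco_client_crt.pem"
		echo "Created new client key"
	fi
	# A new client CA certificate removes the certificates issued under it.
	if [ ! -e "$cfg_certsdir/girocco_client_crt.pem" ]; then
		openssl rsa -in "$cfg_certsdir/girocco_client_key.pem" -pubout |
			ezcert.git/CACreateCert --subca --key "$cfg_certsdir/girocco_root_key.pem" \
				--cert "$cfg_certsdir/girocco_root_crt.pem" \
				--out "$cfg_certsdir/girocco_client_crt.pem" "girocco $cfg_nickname client authority"
		rm -f "$cfg_certsdir/girocco_client_suffix.pem"
		rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
		rm -f "$cfg_chroot/etc/sshcerts"/*.pem
		echo "Created client certificate"
	fi
	if [ ! -e "$cfg_certsdir/girocco_client_suffix.pem" ]; then
		cat "$cfg_certsdir/girocco_client_crt.pem" > "$cfg_certsdir/girocco_client_suffix.pem"
		echo "Created client certificate suffix file"
	fi

	# Publish the root certificate in the web root.
	cat "$cfg_rootcert" > "$cfg_webroot/${cfg_nickname}_root_cert.pem"

	if [ -n "$cfg_mob" ]; then
		if [ ! -e "$cfg_certsdir/girocco_mob_user_key.pem" ]; then
			# The mode is set on the mob key that was just generated; the
			# previous chmod here named girocco_client_key.pem instead.
			gen_rsa_key "$cfg_certsdir/girocco_mob_user_key.pem" 0640
			rm -f "$cfg_certsdir/girocco_mob_user_crt.pem"
			echo "Created new mob user key"
		fi
		# NOTE(review): cfg_mobuserkey, cfg_clientkey and cfg_clientcert are
		# presumably the same files as the $cfg_certsdir paths used above -
		# confirm against the configuration.
		if [ ! -e "$cfg_certsdir/girocco_mob_user_crt.pem" ]; then
			openssl rsa -in "$cfg_mobuserkey" -pubout |
				ezcert.git/CACreateCert --client --key "$cfg_clientkey" \
					--cert "$cfg_clientcert" \
					--out "$cfg_certsdir/girocco_mob_user_crt.pem" 'mob'
			echo "Created mob user client certificate"
		fi
		# The mob user's private key and certificate chain are copied into the
		# web root, so this key must never be reused for anything else.
		cat "$cfg_mobuserkey" > "$cfg_webroot/${cfg_nickname}_mob_key.pem"
		cat "$cfg_mobusercert" "$cfg_clientcertsuffix" > "$cfg_webroot/${cfg_nickname}_mob_user.pem"
	else
		rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
	fi
else
	# HTTPS push disabled: remove certificates published by an earlier install.
	rm -f "$cfg_webroot/${cfg_nickname}_root_cert.pem"
	rm -f "$cfg_webroot/${cfg_nickname}_mob_key.pem" "$cfg_webroot/${cfg_nickname}_mob_user.pem"
fi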
echo "*** Finalizing permissions..."
# Everything installed is handed to the mirror user (plus the owning group,
# when one is set). -h changes symlinks themselves, not their targets.
install_owner="$cfg_mirror_user$owngroup"
chown -R -h "$install_owner" "$cfg_basedir" "$cfg_webroot" "$cfg_cgiroot"

# The certificate directory, private keys included, gets the same owner.
if [ -n "$cfg_httpspushurl" ]; then
	chown -R -h "$install_owner" "$cfg_certsdir"
fi