roles/koji-web: Deploy the Koji Web UI

The *koji-web* role installs and configures the Koji Web GUI front-end for Koji. It requires Apache and mod_wsgi. A client certificate is required for authentication to the hub, and must be placed in the host-specific subdirectory of `certs/koji`.
2018-08-12 10:08:01 -05:00
parent 6341d972f6
commit da4ec1612c
6 changed files with 188 additions and 0 deletions
--- a/roles/koji-web/templates/kojiweb.httpd.conf.j2
+++ b/roles/koji-web/templates/kojiweb.httpd.conf.j2
@@ -0,0 +1,72 @@
+<VirtualHost _default_:443>
+	Include conf.d/ssl.include
+
+	SSLCertificateFile {{ apache_ssl_certificate }}
+	SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+	SSLCertificateChainFile {{ apache_ssl_certificate }}
+	SSLCACertificateFile {{ apache_ssl_ca_certificate }}
+
+	RewriteEngine On
+	RewriteRule ^/?$ /koji/ [R=301,L]
+</VirtualHost>
+
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /koji/.* https://{{ kojiweb_hostname }}$0 [R=301,L]
+
+#We use wsgi by default
+#Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
+#(configuration goes in /etc/kojiweb/web.conf)
+
+WSGIDaemonProcess kojiweb \
+	user=koji \
+	group=koji \
+	display-name=%{GROUP}
+WSGIScriptAlias /koji /usr/share/koji-web/scripts/wsgi_publisher.py \
+	process-group=koji
+
+<Directory "/usr/share/koji-web/scripts/">
+    <IfVersion < 2.4>
+        Order allow,deny
+        Allow from all
+    </IfVersion>
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+</Directory>
+
+# uncomment this to enable authentication via Kerberos
+# <Location /koji/login>
+#     AuthType Kerberos
+#     AuthName "Koji Web UI"
+#     KrbMethodNegotiate on
+#     KrbMethodK5Passwd off
+#     KrbServiceName HTTP
+#     KrbAuthRealm EXAMPLE.COM
+#     Krb5Keytab /etc/httpd.keytab
+#     KrbSaveCredentials off
+#     Require valid-user
+#     ErrorDocument 401 /koji-static/errors/unauthorized.html
+# </Location>
+
+# uncomment this to enable authentication via SSL client certificates
+<Location /koji/login>
+    SSLVerifyClient optional
+    SSLVerifyDepth  10
+    SSLOptions +StdEnvVars
+    ErrorDocument 401 /koji-static/errors/unauthorized.html
+</Location>
+
+Alias /koji-static/ "/usr/share/koji-web/static/"
+
+<Directory "/usr/share/koji-web/static/">
+    Options None
+    AllowOverride None
+    <IfVersion < 2.4>
+        Order allow,deny
+        Allow from all
+    </IfVersion>
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+</Directory>