tis-remote-repo-nginx

1.3.2-22
Package for installing nginx for remote repositories agents
6221 downloads
Download
View on luti logo
tis-remote-repo-nginx icon

  Description 

  • package : tis-remote-repo-nginx
  • version : 1.3.2-22
  • architecture : all
  • categories : System and network
  • maintainer : WAPT Team,Tranquil IT,Hubert TOUVET,Evan BLAUDY,Jimmy PELÉ
  • description : Package for installing nginx for remote repositories agents
  • locale :
  • target_os : linux
  • min_wapt_version : 1.8.2
  • sources : https://nginx.org/en/download.html
  • installed_size :
  • impacted_process :
  • description_fr :
  • description_pl :
  • description_de :
  • description_es :
  • description_pt :
  • description_it :
  • description_nl :
  • description_ru :
  • editor :
  • licence :
  • signature_date : 2022-04-11T19:06:07.468627
  • Homepage : https://www.wapt.fr/en/doc/wapt-replication/index.html
  • Depends :

  Setup.py 

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []


def install():

    import re
    import nginxparser
    import jinja2
    import datetime
    import subprocess
    from waptcrypto import SSLCertificate, SSLPrivateKey

    try:
        import grp
    except:
        raise Exception("This package have to be installed on Linux")

    def generate_dhparam(NGINX_GID):
        dh_filename = "/etc/ssl/certs/dhparam.pem"
        if not os.path.exists(dh_filename):
            print(run("openssl dhparam -out %s  2048" % dh_filename))
        os.chown(dh_filename, 0, NGINX_GID)  # pylint: disable=no-member
        os.chmod(dh_filename, 0o640)  # pylint: disable=no-member

    def selinux_rules(local_repo):
        """SELinux httpd security rules"""
        run("setsebool -P httpd_can_network_connect 1")
        run("setsebool -P httpd_setrlimit on")
        for sepath in ("wapt", "wapt-host", "waptwua"):
            path = makepath(local_repo, sepath)
            mkdirs(path)
            try:
                run('semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"' % (path))
            except:
                run('semanage fcontext -m -t httpd_sys_content_t "%s(/.*)?"' % (path))
            run("restorecon -R -v %s" % (path))

    def nginx_set_worker_limit(nginx_conf):
        already_set = False
        for entries in nginx_conf:
            if entries[0] == "worker_rlimit_nofile":
                print("Nginx - worker_rlimit_nofile already set")
                already_set = True
        if not already_set:
            nginx_conf.insert(3, ["worker_rlimit_nofile", "32768"])
        return nginx_conf

    def make_httpd_config(waptservice_dir, fqdn, local_repo):
        ssl_dir = makepath(waptservice_dir, "nginx", "ssl")
        scripts_dir = makepath(waptservice_dir, "scripts")
        wapt_ssl_key_file = makepath(ssl_dir, "key.pem")
        wapt_ssl_cert_file = makepath(ssl_dir, "cert.pem")

        # write the apache configuration fragment
        jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(scripts_dir))
        template = jinja_env.get_template("wapt.nginxconfig.template")

        template_vars = {
            "wapt_repository_path": local_repo,
            "windows": False,
            "debian": type_debian(),
            "redhat": type_redhat(),
            "force_https": False,
            "wapt_ssl_key_file": wapt_ssl_key_file,
            "wapt_ssl_cert_file": wapt_ssl_cert_file,
            "fqdn": fqdn,
            "use_ssl_client_auth": False,
            "clients_signing_certificate": False,
        }

        print("Nginx - creating wapt.conf virtualhost")

        config_string = template.render(template_vars)
        if type_debian():
            dst_file_path = "/etc/nginx/sites-available/wapt.conf"
            if not os.path.exists("/etc/nginx/sites-enabled/wapt.conf"):
                print(run("ln -s /etc/nginx/sites-available/wapt.conf /etc/nginx/sites-enabled/wapt.conf"))
            if os.path.exists("/etc/nginx/sites-enabled/default"):
                os.unlink("/etc/nginx/sites-enabled/default")

        elif type_redhat():
            dst_file_path = "/etc/nginx/conf.d/wapt.conf"
        with open(dst_file_path, "wt") as dst_file:
            dst_file.write(config_string)

        # create keys for https:// access

        if not os.path.exists(wapt_ssl_key_file) or not os.path.exists(wapt_ssl_cert_file):
            print("Nginx - generate self-signed certs")
            key = SSLPrivateKey(wapt_ssl_key_file)
            if not os.path.isfile(wapt_ssl_key_file):
                print("Create SSL RSA Key %s" % wapt_ssl_key_file)
                key.create()
                key.save_as_pem()

            if os.path.isfile(wapt_ssl_cert_file):
                crt = SSLCertificate(wapt_ssl_cert_file)
                if crt.cn != fqdn:
                    os.rename(wapt_ssl_cert_file, "%s-%s.old" % (wapt_ssl_cert_file, "{:%Y%m%d-%Hh%Mm%Ss}".format(datetime.datetime.now())))
                    crt = key.build_sign_certificate(cn=fqdn, dnsname=fqdn, is_code_signing=False)
                    print("Create X509 cert %s" % wapt_ssl_cert_file)
                    crt.save_as_pem(wapt_ssl_cert_file)
            else:
                crt = key.build_sign_certificate(cn=fqdn, dnsname=fqdn, is_code_signing=False)
                print("Create X509 cert %s" % wapt_ssl_cert_file)
                crt.save_as_pem(wapt_ssl_cert_file)

    def nginx_clean_default_vhost(nginx_conf):
        for entry in nginx_conf:
            if entry[0] == ["http"]:
                for subentry in entry[1]:
                    if subentry[0] == ["server"]:
                        print("Nginx - removing default vhost")
                        entry[1].remove(subentry)
        return nginx_conf

    def enable_nginx():
        print(run("systemctl enable nginx"))

    def restart_nginx():
        print(run("systemctl restart nginx"))

    def nginx_cleanup():
        with open("/etc/nginx/nginx.conf", "r") as read_conf:
            nginx_conf = nginxparser.load(read_conf)
            nginx_conf = nginx_set_worker_limit(nginx_conf)
            nginx_conf = nginx_clean_default_vhost(nginx_conf)
        with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
            nginx_conf_file.write(nginxparser.dumps(nginx_conf))

    def setup_firewall():
        """Add permanent rules for firewalld"""
        if type_redhat():
            output = run("firewall-cmd --list-ports")
            if "443/tcp" in output and "80/tcp" in output:
                print("Firewall already configured, skipping firewalld configuration")
            elif subprocess.call(["firewall-cmd", "--state"], stdout=open(os.devnull, "w")) == 0:
                run("firewall-cmd --permanent --add-port=443/tcp")
                run("firewall-cmd --permanent --add-port=80/tcp")
                run("firewall-cmd --reload")
            else:
                run("firewall-offline-cmd --add-port=443/tcp")
                run("firewall-offline-cmd --add-port=80/tcp")

    print("Install nginx to permit WAPTAgent to become a repository")
    if type_debian():
        install_apt("nginx")
        NGINX_GID = grp.getgrnam("www-data").gr_gid
    elif type_redhat():
        install_yum("nginx")
        NGINX_GID = grp.getgrnam("nginx").gr_gid
    else:
        raise Exception("Distribution not supported yet")

    print("Create WAPTService directories for nginx")
    for dirname in ["nginx", "scripts"]:
        mkdirs(makepath(WAPT.wapt_base_dir, "waptservice", dirname))
    for dirname in ["ssl"]:
        mkdirs(makepath(WAPT.wapt_base_dir, "waptservice", "nginx", dirname))

    copytree2("scripts", makepath(WAPT.wapt_base_dir, "waptservice", "scripts"), onreplace=default_overwrite)

    local_repo = inifile_readstring(WAPT.config_filename, "repo-sync", "local_repo_path") or makepath(WAPT.wapt_base_dir, "repository")

    # SELinux rules for CentOS/RedHat
    if type_redhat():
        if re.match("^SELinux status:.*enabled", run("sestatus")):
            print("Redhat/Centos detected, tweaking SELinux rules")
            selinux_rules(local_repo)
            print("Nginx - SELinux correctly configured for Nginx reverse proxy")

    fqdn = get_fqdn()

    # Nginx configuration
    generate_dhparam(NGINX_GID)
    nginx_cleanup()
    make_httpd_config(makepath(WAPT.wapt_base_dir, "waptservice"), fqdn, local_repo)
    print("Testing NGINX configuration")
    run("nginx -t")
    enable_nginx()
    restart_nginx()
    try:
        setup_firewall()
    except:
        pass


def update_package():
    pass

										

  Changelog 



Changelog software url : https://nginx.org/en/CHANGES



No changelog.txt.
									
  manifest.sha256