tis-remote-repo-nginx
1.3.1-21
Package for installing nginx for remote repository agents

- package : tis-remote-repo-nginx
- name : Remote Repository NGINX
- version : 1.3.1-21
- categories : System and network
- maintainer : WAPT Team,Tranquil IT,Hubert TOUVET,Evan BLAUDY,Jimmy PELÉ
- editor :
- licence :
- locale :
- target_os : linux
- impacted_process :
- architecture : all
- signature_date : 2022-03-23 11:50
- size : 10.62 Ko
- homepage : https://www.wapt.fr/en/doc/wapt-replication/index.html
- depends :
package : tis-remote-repo-nginx
version : 1.3.1-21
architecture : all
section : base
priority : optional
name : Remote Repository NGINX
categories : System and network
maintainer : WAPT Team,Tranquil IT,Hubert TOUVET,Evan BLAUDY,Jimmy PELÉ
description : Package for installing nginx for remote repositories agents
depends : tis-remote-repo-conf
conflicts :
maturity : PROD
locale :
target_os : linux
min_wapt_version : 1.8.2
sources : https://nginx.org/en/download.html
installed_size :
impacted_process :
description_fr :
description_pl :
description_de :
description_es :
description_pt :
description_it :
description_nl :
description_ru :
audit_schedule :
editor :
keywords :
licence :
homepage : https://www.wapt.fr/en/doc/wapt-replication/index.html
package_uuid : dacea952-e653-48db-acfd-2c90f2fbcca9
valid_from :
valid_until :
forced_install_on :
changelog : https://nginx.org/en/CHANGES
min_os_version :
max_os_version :
icon_sha256sum : cc84c091e5b69b2c2c902cba5f4e34ff5e71494f3f3d376fb640d5b68d242a56
signer : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature : QnMG0Dr0m/dRNXcm76Q45Q6EsUyvfMWo0OCqiUESVqoKCV1XyxYqk3hDpMAVm1PqK4Q7OadqqwCq0rjjTz2gySxqUJngmjdjDhERI3UD6gFO9/2hyRUMah2wrZM2HbGjyTLjQbRdCYn7CMfDM5SJr7jFUbEzPcmBWin4dRIKEylUtJ8Td1ku4ybHaL9PokKVidYyr183jHtrW6XmXPKJ0iesxj+rKRYD3UlekN9NBJVE9FQDwxUrOOdgdcW5aVycTWZmcSJ14VVS7PqecEX3a3lbgnXnWFfnxhLVqBLb+RX//hkQkHBK8mkYfmmzlylGBySrQwY4gaRbdt1eg8tT4Q==
signature_date : 2022-03-23T11:50:17.206489
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
# -*- coding: utf-8 -*-
from setuphelpers import *
uninstallkey = []  # WAPT package attribute (uninstall keys to track); nothing is ever added to it in this Linux-only package
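def install():
    """Install nginx and configure it so this WAPT agent can serve a remote repository.

    Order of operations: install the distro nginx package, create the
    waptservice/{nginx/ssl,scripts} layout and copy the package's scripts/
    directory there, apply SELinux booleans and file contexts on RedHat-family
    hosts, create a DH parameter file, rewrite nginx.conf (worker fd limit,
    default vhost removed), render the wapt vhost from
    wapt.nginxconfig.template, generate a self-signed key/cert if one is
    missing, validate with ``nginx -t``, enable and restart nginx, and finally
    open 80/443 in firewalld (best effort, RedHat family only).

    Raises:
        Exception: if not running on Linux, or on a distribution that is
            neither Debian- nor RedHat-based.
    """
    import os
    import re
    import shlex
    import datetime
    import subprocess
    import nginxparser
    import jinja2
    from waptcrypto import SSLPrivateKey
    try:
        import grp
    except ImportError:
        # grp is POSIX-only; the control file pins target_os to linux anyway.
        raise Exception("This package have to be installed on Linux") from None

    def generate_dhparam(nginx_gid):
        """Create /etc/ssl/certs/dhparam.pem (2048-bit) when it is missing.

        The new file is chowned root:nginx_gid and chmodded 0640 so only root
        and the nginx group can read it.  A pre-existing file is left untouched,
        permissions included, since another service may own it.
        """
        dh_filename = '/etc/ssl/certs/dhparam.pem'
        if os.path.exists(dh_filename):
            return
        print(run('openssl dhparam -out %s 2048' % dh_filename))
        os.chown(dh_filename, 0, nginx_gid)  # pylint: disable=no-member
        os.chmod(dh_filename, 0o640)  # pylint: disable=no-member

    def selinux_rules(local_repo):
        """SELinux setup so nginx (confined by the httpd policy on RedHat-family
        hosts, hence the httpd_* names) can serve the repository tree.

        Persistently sets the two httpd booleans, then labels wapt/, wapt-host/
        and waptwua/ under local_repo as httpd_sys_content_t and relabels them.
        """
        run('setsebool -P httpd_can_network_connect 1')
        run('setsebool -P httpd_setrlimit on')
        for sepath in ('wapt', 'wapt-host', 'waptwua'):
            path = makepath(local_repo, sepath)
            mkdirs(path)
            # local_repo is read from wapt.ini and run() goes through a shell:
            # quote it instead of trusting it to be free of shell metacharacters.
            spec = shlex.quote('%s(/.*)?' % path)
            try:
                run('semanage fcontext -a -t httpd_sys_content_t %s' % spec)
            except Exception:
                # -a typically fails when a context for this path already
                # exists; -m updates the existing rule instead.
                run('semanage fcontext -m -t httpd_sys_content_t %s' % spec)
            run('restorecon -R -v %s' % shlex.quote(path))

    def nginx_set_worker_limit(nginx_conf):
        """Ensure nginx.conf carries ``worker_rlimit_nofile 32768``.

        nginx_conf is the list-of-[key, value] structure produced by
        nginxparser.load.  An existing directive is kept whatever its value;
        otherwise one is inserted at index 3 (a fixed slot near the top of the
        main context, inherited from the original script; the directive is
        position-independent there).  Returns the same list.
        """
        if any(entry[0] == 'worker_rlimit_nofile' for entry in nginx_conf):
            print("Nginx - worker_rlimit_nofile already set")
        else:
            nginx_conf.insert(3, ['worker_rlimit_nofile', '32768'])
        return nginx_conf

    def make_httpd_config(waptservice_dir, fqdn, local_repo):
        """Render the wapt nginx vhost and make sure a TLS key/cert pair exists.

        waptservice_dir: <wapt base>/waptservice; the template is read from its
            scripts/ subdirectory and the key/cert live in nginx/ssl/.
        fqdn: host name used as CN and SAN of the self-signed certificate.
        local_repo: directory served as the repository root.

        An existing key+cert pair is never touched, even if fqdn changed since
        it was issued; delete the pair to force re-generation.
        """
        ssl_dir = makepath(waptservice_dir, 'nginx', 'ssl')
        scripts_dir = makepath(waptservice_dir, 'scripts')
        wapt_ssl_key_file = makepath(ssl_dir, 'key.pem')
        wapt_ssl_cert_file = makepath(ssl_dir, 'cert.pem')

        # Render the nginx vhost fragment from the template shipped in the package.
        jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(scripts_dir))
        template = jinja_env.get_template('wapt.nginxconfig.template')
        template_vars = {
            'wapt_repository_path': local_repo,
            'windows': False,
            'debian': type_debian(),
            'redhat': type_redhat(),
            'force_https': False,  # plain HTTP stays available next to HTTPS
            'wapt_ssl_key_file': wapt_ssl_key_file,
            'wapt_ssl_cert_file': wapt_ssl_cert_file,
            'fqdn': fqdn,
            'use_ssl_client_auth': False,
            'clients_signing_certificate': False,
        }
        print('Nginx - creating wapt.conf virtualhost')
        config_string = template.render(template_vars)

        if type_debian():
            dst_file_path = '/etc/nginx/sites-available/wapt.conf'
            enabled_link = '/etc/nginx/sites-enabled/wapt.conf'
            # lexists: a dangling link from an earlier run becomes valid once
            # the target is written below, so it must not be re-created.
            if not os.path.lexists(enabled_link):
                os.symlink(dst_file_path, enabled_link)
            # Drop Debian's stock catch-all site so the wapt vhost answers on port 80.
            if os.path.exists('/etc/nginx/sites-enabled/default'):
                os.unlink('/etc/nginx/sites-enabled/default')
        elif type_redhat():
            dst_file_path = '/etc/nginx/conf.d/wapt.conf'
        else:
            # install() already rejected other distributions; keep the name bound.
            raise Exception("Distribution not supported yet")
        with open(dst_file_path, 'wt') as dst_file:
            dst_file.write(config_string)

        # Self-signed key/cert for https:// access, only when one of them is missing.
        if os.path.exists(wapt_ssl_key_file) and os.path.exists(wapt_ssl_cert_file):
            return
        print('Nginx - generate self-signed certs')
        key = SSLPrivateKey(wapt_ssl_key_file)
        if not os.path.isfile(wapt_ssl_key_file):
            print('Create SSL RSA Key %s' % wapt_ssl_key_file)
            key.create()
            key.save_as_pem()
            # The nginx master process (root by default) loads the key;
            # nothing else needs to read it.
            os.chmod(wapt_ssl_key_file, 0o600)
        if os.path.isfile(wapt_ssl_cert_file):
            # Only reachable when the key was just created above, so the
            # existing certificate cannot match it any more: keep a
            # timestamped copy and reissue.
            stamp = '{:%Y%m%d-%Hh%Mm%Ss}'.format(datetime.datetime.now())
            os.rename(wapt_ssl_cert_file, "%s-%s.old" % (wapt_ssl_cert_file, stamp))
        crt = key.build_sign_certificate(cn=fqdn, dnsname=fqdn, is_code_signing=False)
        print('Create X509 cert %s' % wapt_ssl_cert_file)
        crt.save_as_pem(wapt_ssl_cert_file)

    def nginx_clean_default_vhost(nginx_conf):
        """Remove every ``server { ... }`` block from the ``http`` context.

        RedHat's stock nginx.conf typically ships its default vhost inline
        (Debian's lives in sites-enabled/default and is unlinked in
        make_httpd_config).  The http body is rebuilt rather than edited with
        list.remove() while iterating, which would skip the block following
        each removed one.  Returns the same top-level list.
        """
        for entry in nginx_conf:
            if entry[0] != ['http']:
                continue
            kept = []
            for subentry in entry[1]:
                if subentry[0] == ['server']:
                    print('Nginx - removing default vhost')
                else:
                    kept.append(subentry)
            entry[1][:] = kept
        return nginx_conf

    def enable_nginx():
        """Enable the nginx systemd unit at boot."""
        print(run('systemctl enable nginx'))

    def restart_nginx():
        """Restart nginx so the new vhost and nginx.conf are picked up."""
        print(run('systemctl restart nginx'))

    def nginx_cleanup():
        """Rewrite /etc/nginx/nginx.conf: add the worker fd limit, drop the default vhost."""
        conf_path = '/etc/nginx/nginx.conf'
        with open(conf_path, 'r') as read_conf:
            nginx_conf = nginxparser.load(read_conf)
        nginx_conf = nginx_set_worker_limit(nginx_conf)
        nginx_conf = nginx_clean_default_vhost(nginx_conf)
        with open(conf_path, 'w') as nginx_conf_file:
            nginx_conf_file.write(nginxparser.dumps(nginx_conf))

    def setup_firewall():
        """Open 80/tcp and 443/tcp permanently in firewalld (RedHat family only).

        The daemon state is checked first: when firewalld is not running,
        ``firewall-cmd`` itself fails, so the offline tool is used instead.
        Port membership is tested on the split output of --list-ports rather
        than by substring so that e.g. 8080/tcp does not count as 80/tcp.
        """
        if not type_redhat():
            return
        running = subprocess.call(['firewall-cmd', '--state'],
                                  stdout=subprocess.DEVNULL) == 0
        if not running:
            run('firewall-offline-cmd --add-port=443/tcp')
            run('firewall-offline-cmd --add-port=80/tcp')
            return
        open_ports = set(run('firewall-cmd --list-ports').split())
        if '443/tcp' in open_ports and '80/tcp' in open_ports:
            print("Firewall already configured, skipping firewalld configuration")
            return
        run('firewall-cmd --permanent --add-port=443/tcp')
        run('firewall-cmd --permanent --add-port=80/tcp')
        run('firewall-cmd --reload')

    print("Install nginx to permit WAPTAgent to become a repository")
    if type_debian():
        install_apt('nginx')
        nginx_gid = grp.getgrnam('www-data').gr_gid
    elif type_redhat():
        install_yum('nginx')
        nginx_gid = grp.getgrnam('nginx').gr_gid
    else:
        raise Exception("Distribution not supported yet")

    print("Create WAPTService directories for nginx")
    waptservice_dir = makepath(WAPT.wapt_base_dir, 'waptservice')
    for dirname in ['nginx', 'scripts']:
        mkdirs(makepath(waptservice_dir, dirname))
    mkdirs(makepath(waptservice_dir, 'nginx', 'ssl'))
    # scripts/ in the package holds wapt.nginxconfig.template used by make_httpd_config.
    copytree2('scripts', makepath(waptservice_dir, 'scripts'))

    local_repo = (inifile_readstring(WAPT.config_filename, 'repo-sync', 'local_repo_path')
                  or makepath(WAPT.wapt_base_dir, 'repository'))

    # SELinux rules for CentOS/RedHat.  run() raises on a non-zero exit, so a
    # missing sestatus binary aborts the install here.
    if type_redhat():
        if re.match('^SELinux status:.*enabled', run('sestatus')):
            print('Redhat/Centos detected, tweaking SELinux rules')
            selinux_rules(local_repo)
            print('Nginx - SELinux correctly configured for Nginx reverse proxy')

    fqdn = get_fqdn()
    generate_dhparam(nginx_gid)
    nginx_cleanup()
    make_httpd_config(waptservice_dir, fqdn, local_repo)

    print("Testing NGINX configuration")
    # Fail before enable/restart if the rendered configuration is invalid.
    run('nginx -t')
    enable_nginx()
    restart_nginx()

    # Best effort: an absent or unusable firewalld must not fail the install,
    # but the reason is logged instead of being swallowed.
    try:
        setup_firewall()
    except Exception as exc:
        print('Firewall - skipping firewalld configuration: %s' % exc)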
def update_package():
    """Bump the build number of the package version (x.y.z-N becomes x.y.z-N+1)
    and write it back to WAPT/control.

    ``control`` is the package control object supplied by the WAPT build
    environment; only the part before the first '-' and the number after the
    last '-' are kept.
    """
    parts = control.version.split('-')
    upstream_version = parts[0]
    next_build = int(parts[-1]) + 1
    control.version = '%s-%s' % (upstream_version, next_build)
    control.save_control_to_wapt()
    print('Changing package version to: %s in WAPT\\control' % control.version)
96d4a60bd9b13f8db52dcb92ec6703061f826abf2eb4dd18a623a7659904fe6d : setup.py
201fb8f3d2d6f21d7ed177afe64e7919b93c2ff0eb0e9b6f9fc1f44efc0860ae : scripts/wapt.nginxconfig.template
cc84c091e5b69b2c2c902cba5f4e34ff5e71494f3f3d376fb640d5b68d242a56 : WAPT/icon.png
a5a97261381e1d0ad46ee15916abec9c2631d0201f5cc50ceb0197a165a0bbbf : WAPT/certificate.crt
413da59f57731e6dd7368c81f5cd757e037d4b935e742d9e9e16f5a23ebd394e : luti.json
bb914c28bfd31cae21579e192cef4a40c2eb53fcd040d4c4582f58bf8025a431 : nginxparser.py
02fdb52143fd3a73024582d12be24bcf145565e6572914cbe09797e0f75e81de : WAPT/control