#!/bin/sh

# Tunables. Each is only defaulted here (":=" assigns when unset or empty),
# so the caller may preset any of them before this file runs.
: "${davical_username:=s-davical}"
: "${davical_dbname:=davical}"
: "${davical_dbhost:=$postgres_host}"
: "${davical_admin_email:=$root_mail_alias}"
: "${davical_access_role:=dav-access}"
: "${davical_repo:=https://gitlab.com/davical-project/davical.git}"
: "${davical_branch:=master}"
: "${davical_awl_repo:=https://gitlab.com/davical-project/awl.git}"
: "${davical_awl_branch:=master}"
: "${davical_admins:=}"

# Derived values; fixed by the script rather than tunable.
davical_dn="uid=${davical_username},${robots_basedn}"
davical_repo_dir=/usr/local/www/davical
davical_awl_repo_dir=/usr/local/share/awl
davical_webroot="${davical_repo_dir}/htdocs"
davical_fpm_socket=/var/run/fpm-davical.sock
# Kerberos keytabs: the HTTP service key, and the client key that is linked
# into the nginx user's per-uid keytab directory further down.
davical_keytab="${keytab_dir}/davical.keytab"
davical_client_keytab="${keytab_dir}/davical.client.keytab"
# TLS material for the nginx vhost.
davical_https_cert="${nginx_conf_dir}/davical.crt"
davical_https_key="${nginx_conf_dir}/davical.key"
davical_https_cacert="${nginx_conf_dir}/davical.ca.crt"

# Run a SQL client command against the davical database.
# Globals:   davical_dbhost, davical_dbname (read)
# Arguments: forwarded to postgres_run after the connection options
davical_psql(){
  set -- --host="$davical_dbhost" --dbname="$davical_dbname" "$@"
  postgres_run "$@"
}

# Install required packages.
# git-lite: used by the clone/pull steps below.
# nginx and the php${php_version}-* extensions: the web front end and the PHP
#   modules davical is run with here (ldap and pgsql/pdo_pgsql match the LDAP
#   sync and database steps further down).
# p5-DBI/p5-DBD-Pg/p5-YAML: Perl database/YAML modules — presumably needed by
#   dba/update-davical-database, which is run below; confirm against that script.
pkg install -y \
  git-lite \
  nginx \
  php${php_version} \
  php${php_version}-calendar \
  php${php_version}-curl \
  php${php_version}-gettext \
  php${php_version}-iconv \
  php${php_version}-ldap \
  php${php_version}-opcache \
  php${php_version}-pdo_pgsql \
  php${php_version}-pgsql \
  php${php_version}-session \
  php${php_version}-xml \
  p5-DBD-Pg \
  p5-DBI \
  p5-YAML

# Install davical from git.
# First run only: clone both repositories. On later runs the directories
# already exist and only the update step below runs.
[ -d "$davical_repo_dir" ]     || git clone "$davical_repo"     "$davical_repo_dir"
[ -d "$davical_awl_repo_dir" ] || git clone "$davical_awl_repo" "$davical_awl_repo_dir"

# Update git repos.
# --ff-only refuses to merge a diverged checkout. Nothing in this file aborts
# on a failed git command (no set -e is visible here), so a failed pull leaves
# the previous checkout in place and configuration continues with it.
# Both branches default to 'master', i.e. a moving upstream ref rather than a
# pinned tag or commit: every run may deploy newer upstream code. Set
# davical_branch/davical_awl_branch to a release branch if that is not wanted.
git -C "$davical_repo_dir"     pull --ff-only
git -C "$davical_repo_dir"     switch "$davical_branch"
git -C "$davical_awl_repo_dir" pull --ff-only
git -C "$davical_awl_repo_dir" switch "$davical_awl_branch"

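# Create davical principal and keytab.
# The LDAP entry is created first; add_principal then creates the Kerberos
# principal attached to that entry (-x "dn=...", presumably an LDAP-backed
# KDC) without key material (-nokey) — the key is produced by ktadd below.
ldap_add "$davical_dn" <<EOF
objectClass: account
uid: ${davical_username}
EOF
add_principal -nokey -x "dn=${davical_dn}" "$davical_username"

# Client keytab: owned by root, readable only by root and the nginx group.
ktadd -k "$davical_client_keytab" "$davical_username"
chgrp "$nginx_user" "$davical_client_keytab"
chmod 640 "$davical_client_keytab"

# Link the keytabs into the nginx user's per-uid directory
# (/var/krb5/user/<uid>/, where the Kerberos library looks up per-user
# keytabs — confirm against the krb5 defaults on this host).
# Abort if the uid cannot be resolved: with an empty uid the directory step
# would act on /var/krb5/user itself and both links would land in that shared
# directory instead of the nginx user's private one.
nginx_uid=$(id -u "$nginx_user")
: "${nginx_uid:?cannot resolve uid of ${nginx_user}}"
install_directory -o "$nginx_user" -m 0700 "/var/krb5/user/${nginx_uid}"
ln -snfv "$davical_client_keytab" "/var/krb5/user/${nginx_uid}/client.keytab"

# Create HTTP principal and keytab.
# Service principal for this host, created under the services container.
# Its keytab gets the same root:nginx 0640 treatment as the client keytab.
add_principal -nokey -x "containerdn=${services_basedn}" "HTTP/${fqdn}"

ktadd -k "$davical_keytab" "HTTP/${fqdn}"
chgrp "$nginx_user" "$davical_keytab"
chmod 640 "$davical_keytab"

ln -snfv "$davical_keytab" "/var/krb5/user/${nginx_uid}/keytab"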

# Generate davical configuration.
# Both files are installed world-readable (0644). config.php presumably
# carries the database connection settings; if a password is templated into
# it, 0644 makes it readable by every local account — verify the template and
# tighten the mode if so.
install_template -m 0644 \
  "${davical_repo_dir}/config/config.php" \
  "${davical_repo_dir}/config/administration.yml"

# Create postgres user and database.
# The database role is named after the Kerberos/LDAP principal
# (davical_username), so one identity is used for directory and database.
postgres_create_role "$davical_dbhost" "$davical_username"
postgres_create_database "$davical_dbhost" "$davical_dbname"

# Initialize davical database.
# A successful SELECT on awl_db_revision (presumably created by awl-tables.sql)
# is taken as "schema already present" and the whole block is skipped; the
# steps inside are only meant to run once against an empty database.
if ! davical_psql -c 'SELECT 1 FROM awl_db_revision'; then
  # Schema: awl tables and schema management first, then davical's own tables.
  davical_psql \
    -f "${davical_awl_repo_dir}/dba/awl-tables.sql" \
    -f "${davical_awl_repo_dir}/dba/schema-management.sql" \
    -f "${davical_repo_dir}/dba/davical.sql"

  # Upstream updater, run before base data with --nopatch (presumably records
  # the schema revision without applying patches — confirm against its usage).
  # The password is handed over via the environment rather than argv, and
  # PGSSLMODE=require forces TLS to the database host.
  PGPASSWORD="$boxconf_password" PGSSLMODE=require \
    "${davical_repo_dir}/dba/update-davical-database" --debug --nopatch

  davical_psql -f "${davical_repo_dir}/dba/base-data.sql"

  # Second updater pass, now with patches enabled, after base data is in.
  PGPASSWORD="$boxconf_password" PGSSLMODE=require \
    "${davical_repo_dir}/dba/update-davical-database" --debug

  # base-data.sql presumably seeds a stock 'admin' account; drop it so no
  # well-known local login remains. Admin access is instead granted to the
  # accounts listed in davical_admins (next block).
  davical_psql -c "delete from usr where username = 'admin'"
fi

# Grant the davical 'Admin' role to the configured admin accounts.
if [ -n "$davical_admins" ]; then
  # Note: This won't work until each admin in $davical_admins has logged in
  #       at least once.
  # $davical_admins is a whitespace-separated list and is deliberately left
  # unquoted so join receives one argument per name. The names are spliced
  # into the SQL string literal as-is: a name containing a single quote breaks
  # the statement (or changes its meaning), so davical_admins must remain an
  # operator-controlled setting holding plain usernames, never data taken from
  # an untrusted source.
  davical_psql -c \
    "INSERT INTO role_member (user_no, role_no)
     SELECT user_no, (SELECT role_no FROM roles WHERE role_name  = 'Admin')
     FROM usr
     WHERE username in ('$(join "','" $davical_admins)')
     ON CONFLICT DO NOTHING"
fi

# Copy TLS certificate for nginx.
# The certificate and its key go through separate helpers; the key helper is
# expected to apply stricter ownership/permissions than the public cert
# (not visible here — confirm in install_certificate_key).
install_certificate     nginx "$davical_https_cert"
install_certificate_key nginx "$davical_https_key"

# Generate nginx configuration.
# fastcgi_params is copied verbatim; nginx.conf and vhosts.conf are templates
# (they are where davical_webroot, davical_fpm_socket and the TLS paths
# defined at the top are presumably consumed).
install_file -m 0644 "${nginx_conf_dir}/fastcgi_params"
install_template -m 0644 \
  "${nginx_conf_dir}/nginx.conf" \
  "${nginx_conf_dir}/vhosts.conf"

# Generate php-fpm configuration.
install_file -m 0644 \
  /usr/local/etc/php.ini \
  /usr/local/etc/php-fpm.conf
install_template -m 0644 \
  /usr/local/etc/php-fpm.d/davical.conf
# Truncate the stock 'www' pool definition so php-fpm only runs the davical
# pool installed above (an empty file defines no pool).
> /usr/local/etc/php-fpm.d/www.conf

# Enable and start daemons.
# sysrc persists the rc.conf flags so both services come up after a reboot;
# restart (not start) so an already running instance picks up the
# regenerated configuration.
sysrc -v \
  nginx_enable=YES \
  php_fpm_enable=YES
service nginx restart
service php_fpm restart

# Sync groups from LDAP.
# Run once now, as the nginx user, so the first request already sees the LDAP
# groups. The user matters: the client keytab above is root:nginx 0640 and is
# linked into the nginx user's per-uid keytab directory. -m keeps the current
# environment. Everything after the user name is passed to that user's shell,
# so fqdn and the repo dir end up in a shell-parsed string; both are
# configuration values, not user input.
su -m "$nginx_user" -c "${davical_repo_dir}/scripts/cron-sync-ldap.php ${fqdn}"

# Create cron job for keeping LDAP groups up-to-date.
# Templated crontab; presumably runs the same sync script periodically.
install_template -m 0644 /etc/cron.d/davical

# Create access role.
# LDAP group (groupOfMembers) named by davical_access_role. Only the group
# itself is created here, with no members; membership is managed outside
# this script.
ldap_add "cn=${davical_access_role},${roles_basedn}" <<EOF
objectClass: groupOfMembers
cn: ${davical_access_role}
EOF