diff --git a/container/hub/Dockerfile b/container/hub/Dockerfile
index ffac99e..ef3b86b 100644
--- a/container/hub/Dockerfile
+++ b/container/hub/Dockerfile
@@ -1,8 +1,19 @@
FROM quay.io/osbuild/koji:v1
+RUN dnf -y upgrade \
+ && dnf -y \
+ --setopt=fastestmirror=True \
+ --setopt=install_weak_deps=False \
+ install \
+ koji-web \
+ && dnf clean all
+
COPY container/hub/hub.conf /etc/koji-hub/hub.conf
COPY container/hub/ssl.conf /etc/httpd/conf.d/ssl.conf
COPY plugins/hub/osbuild.py /usr/lib/koji-hub-plugins/
COPY container/hub/run-hub.sh /app/run-hub.sh
+COPY container/hub/web.conf /etc/kojiweb/web.conf
+COPY container/hub/kojiweb.conf /etc/httpd/conf.d/kojiweb.conf
+
ENTRYPOINT /app/run-hub.sh
diff --git a/container/hub/kojiweb.conf b/container/hub/kojiweb.conf
new file mode 100644
index 0000000..c0be93c
--- /dev/null
+++ b/container/hub/kojiweb.conf
@@ -0,0 +1,45 @@
+#We use wsgi by default
+Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py"
+#(configuration goes in /etc/kojiweb/web.conf)
+
+# Python 3 Cheetah expectes unicode everywhere, apache's default lang is C
+# which is not sufficient to open our templates
+WSGIDaemonProcess koji lang=C.UTF-8
+WSGIProcessGroup koji
+
+
+ Options ExecCGI
+ SetHandler wsgi-script
+ WSGIApplicationGroup %{GLOBAL}
+ # ^ works around an OpenSSL issue
+ # see: https://cryptography.io/en/latest/faq/#starting-cryptography-using-mod-wsgi-produces-an-internalerror-during-a-call-in-register-osrandom-engine
+
+ Order allow,deny
+ Allow from all
+
+ = 2.4>
+ Require all granted
+
+
+
+
+ AuthType GSSAPI
+ AuthName "Koji Web UI"
+ GssapiCredStore keytab:/share/kojiweb.keytab
+ Require valid-user
+ ErrorDocument 401 /koji-static/errors/unauthorized.html
+
+
+Alias /koji-static/ "/usr/share/koji-web/static/"
+
+
+ Options None
+ AllowOverride None
+
+ Order allow,deny
+ Allow from all
+
+ = 2.4>
+ Require all granted
+
+
diff --git a/container/hub/web.conf b/container/hub/web.conf
new file mode 100644
index 0000000..bfbc724
--- /dev/null
+++ b/container/hub/web.conf
@@ -0,0 +1,16 @@
+
+[web]
+SiteName = koji
+KojiHubURL = http://org.osbuild.koji.koji/kojihub
+KojiFilesURL = http://org.osbuild.koji.koji/kojifiles
+
+KrbRDNS = False
+WebPrincipal = HTTP/org.osbuild.koji.web@LOCAL
+WebKeytab = /share/kojiweb.keytab
+WebCCache = /var/tmp/kojiweb.ccache
+
+KojiHubCA = /share/ca-crt.pem
+LoginTimeout = 72
+# Secret = CHANGE_ME
+LibPath = /usr/share/koji-web/lib
+LiteralFooter = True
diff --git a/run-koji-container.sh b/run-koji-container.sh
index 746540a..97d77ca 100755
--- a/run-koji-container.sh
+++ b/run-koji-container.sh
@@ -85,6 +85,11 @@ koji_start() {
kdc_exec kadmin.local -r LOCAL add_principal -randkey HTTP/localhost@LOCAL
kdc_exec kadmin.local -r LOCAL ktadd -k /share/koji.keytab HTTP/localhost@LOCAL
+ # for koji web
+ kdc_exec kadmin.local -r LOCAL add_principal -randkey HTTP/org.osbuild.koji.web@LOCAL
+ kdc_exec kadmin.local -r LOCAL ktadd -k /share/kojiweb.keytab HTTP/org.osbuild.koji.web@LOCAL
+ kdc_exec chmod 644 /share/kojiweb.keytab
+
# compile/org.osbuild.koji.kojid@LOCAL for koji builder
kdc_exec kadmin.local -r LOCAL add_principal -randkey compile/org.osbuild.koji.kojid@LOCAL
kdc_exec kadmin.local -r LOCAL ktadd -k /share/kojid.keytab compile/org.osbuild.koji.kojid@LOCAL