diff --git a/docs/source/server_howto.rst b/docs/source/server_howto.rst
index 26d9e7eb..da80affb 100644
--- a/docs/source/server_howto.rst
+++ b/docs/source/server_howto.rst
@@ -648,6 +648,7 @@ Configuration Files
 -------------------
 * ``/etc/koji-hub/hub.conf``
+* ``/etc/koji-hub/hub.conf.d/*``
 * ``/etc/httpd/conf/httpd.conf``
 * ``/etc/httpd/conf.d/kojihub.conf``
 * ``/etc/httpd/conf.d/ssl.conf`` (when using ssl auth)
 
@@ -766,6 +767,16 @@ Apache to connect to the remote PostgreSQL server::
 
     root@localhost$ setsebool -P httpd_can_network_connect_db=1
 
+Note, that database connection parameters (password) are sensitive values.
+Config is installed by default with 0640 root/apache file permissions. If you're
+not installing hub from rpm double-check these permissions.
+
+Furthermore, you can install any config file in ``/etc/koji-hub/hub.conf.d``
+directory. These files are read *at first* and main config is allowed to
+override all these values. So, you can use e.g.
+``/etc/koji-hub/hub.conf.d/secret.conf`` for sensitive values. Typical usecase
+for separate config is :doc:`policy ` configuration file.
+
 Authentication Configuration
 ----------------------------
 
@@ -914,6 +925,7 @@ Configuration Files
 * ``/etc/httpd/conf.d/kojiweb.conf``
 * ``/etc/httpd/conf.d/ssl.conf``
 * ``/etc/kojiweb/web.conf``
+* ``/etc/kojiweb/web.conf.d/*``
 
 Install Koji-Web
 ----------------
@@ -973,7 +985,14 @@ it should use to access the hub, the koji packages and its own web interface.
 You will also need to tell kojiweb where it can find the SSL certificates for
 each of these components. If you are using SSL authentication, the "WebCert"
 line below must contain both the public **and** private key. You will also want
-to change the last line in the example below to a unique password.
+to change the last line in the example below to a unique password. Also check
+the file permissions (due to Secret value) if you're not installing koji web
+from rpm (0640, root/apache by default).
+
+Furthermore, you can install any config file in ``/etc/kojiweb/web.conf.d``
+directory. These files are read *at first* and main config is allowed to
+override all these values. So, you can use e.g.
+``/etc/kojiweb/web.conf.d/secret.conf`` for sensitive values.
 
 ::
 
diff --git a/hub/hub.conf b/hub/hub.conf
index 8b14bc27..dae14da4 100644
--- a/hub/hub.conf
+++ b/hub/hub.conf
@@ -11,6 +11,7 @@ DBName = koji
 DBUser = koji
 #DBHost = db.example.com
 #DBPort = 5432
+#Note, that db password is sensitive and this file shouldn't be publicly readable.
 #DBPass = example_password
 
 KojiDir = /mnt/koji
diff --git a/koji.spec b/koji.spec
index 6d3b2aee..8ba39e97 100644
--- a/koji.spec
+++ b/koji.spec
@@ -500,9 +500,9 @@ rm -rf $RPM_BUILD_ROOT
 
 %if 0%{py3_support} > 1
 %files hub
-%config(noreplace) /etc/httpd/conf.d/kojihub.conf
+%config(noreplace) %attr(0640, root, apache) /etc/httpd/conf.d/kojihub.conf
 %dir /etc/koji-hub
-%config(noreplace) /etc/koji-hub/hub.conf
+%config(noreplace) %attr(0640, root, apache) /etc/koji-hub/hub.conf
 %dir /etc/koji-hub/hub.conf.d
 %{_sbindir}/koji-sweep-db
 %if %{use_systemd}
diff --git a/www/conf/web.conf b/www/conf/web.conf
index cd176b00..2be8578e 100644
--- a/www/conf/web.conf
+++ b/www/conf/web.conf
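Review bot: The comment added above `#DBPass` in hub.conf names the hazard but not the expected state, so an operator installing from source has nothing concrete to verify; the spec in this same commit installs the file as 0640 root:apache, and the comment should say so, e.g. `# Note that DBPass is sensitive: keep this file non-world-readable (the rpm installs it as 0640 root:apache).` That wording also drops the stray comma in "Note, that". The enclosing section of hub.conf starts and ends outside the hunk.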
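Review bot: The `%attr(0640, root, apache)` tightening on `kojihub.conf` and `hub.conf` is applied only inside the `%if 0%{py3_support} > 1` branch visible here; if the spec carries a parallel `%files hub` list for the other Python support level (not shown in this hunk), those entries would still install world-readable and need the same `%attr`. The docs in this commit also steer sensitive values into `/etc/koji-hub/hub.conf.d/secret.conf`, yet `%dir /etc/koji-hub/hub.conf.d` keeps the default directory mode, so a file an admin drops there is only as protected as the admin makes it; `%dir %attr(0750, root, apache) /etc/koji-hub/hub.conf.d` would at least stop other users from listing the directory, and the howto should state the mode expected for files placed there. The server_howto text further claims `web.conf` is installed as 0640 root/apache by default, which nothing in this hunk establishes — if the kojiweb `%files` entries are not changed elsewhere in the commit, that sentence does not hold.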
@@ -21,7 +21,7 @@ KojiFilesURL = http://server.example.com/kojifiles
 
 LoginTimeout = 72
 
-# This must be changed and uncommented before deployment
+# This must be CHANGED to random value and uncommented before deployment
 # Secret = CHANGE_ME
 
 LibPath = /usr/share/koji-web/lib
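Review bot: The reworded comment above `# Secret = CHANGE_ME` still leaves the operator guessing what "random value" means and how to produce one, which is the point where a weak secret gets pasted in; spell it out, e.g. `# This must be CHANGED to a long random value (e.g. the output of "openssl rand -hex 32")` followed by `# and uncommented before deployment`. How kojiweb consumes `Secret` is not visible here, so the length hint is a recommended floor rather than a requirement derived from the code.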