Merge branch 'master' of ssh://git.onelab.eu/git/myslice

diff --git a/apache/APACHE.notes b/apache/APACHE.notes
new file mode 100644 (file)
index 0000000..7c77e4b
--- /dev/null
+++ b/apache/APACHE.notes
@@ -0,0 +1,29 @@
+The apache config as it ships in unfold.conf defines a port
+(currently 443) where SSL client-auth is enforced
+
+The idea being to have the browser prompting our user for a
+certificate - instead of leaving that optional, which we believe is
+something nobody will ever use if it's optional.
+
+A few notes and caveats must be outlined though below; see also unfold-init-ssl.sh about that
+
+* as of this writing quite a lot of what is below would be taken care
+  of by the packaging stuff once/if it works; 
+  the notes below are intended to help in this respect.
+
+* all the local material for this deployment gets into /etc/unfold/
+
+* I could not find a way to have client-auth without server auth;
+  this is totally weird, and stupid, but just so
+  so there is a need to install a (probably self-signed) cert 
+  and related key in 
+/etc/unfold/myslice.cert
+/etc/unfold/myslice.key
+  see init-ssl.sh for how to create these
+
+* Now the trusted roots - that we do need in our case - are expected in 
+/etc/unfold/trusted_roots
+ this of course is a user choice, e.g.:
+/etc/unfold/trusted_roots/plc.gid
+/etc/unfold/trusted_roots/ple.gid
+

diff --git a/apache/unfold.conf b/apache/unfold.conf
index 61bb49f..ff3de7f 100644 (file)
--- a/apache/unfold.conf
+++ b/apache/unfold.conf
@@ -1,6 +1,6 @@
 <VirtualHost *:80>
        WSGIDaemonProcess unfold processes=2 threads=25
-       WSGIProcessGroup unfold
+       WSGIProcessGroup  unfold
        CustomLog ${APACHE_LOG_DIR}/unfold-access.log common
        ErrorLog ${APACHE_LOG_DIR}/unfold-error.log
         WSGIScriptAlias / /usr/share/unfold/apache/unfold.wsgi
@@ -25,8 +25,8 @@
 # this to be optional on that port
 
 <VirtualHost *:443>
-       WSGIDaemonProcess myslice-ssl processes=2 threads=25
-       WSGIProcessGroup myslice-ssl
+       WSGIDaemonProcess unfold-ssl processes=2 threads=25
+       WSGIProcessGroup  unfold-ssl
        CustomLog ${APACHE_LOG_DIR}/myslice-ssl-access.log common
        ErrorLog ${APACHE_LOG_DIR}/myslice-ssl-error.log
         WSGIScriptAlias / /usr/share/unfold/apache/unfold.wsgi

diff --git a/debian/unfold.postinst b/debian/unfold.postinst
index 77a479e..dd5c680 100644 (file)
--- a/debian/unfold.postinst
+++ b/debian/unfold.postinst
@@ -3,9 +3,13 @@
 # update-rc.d unfold defaults
 [ -d /var/unfold ] || mkdir /var/unfold
 chown -R www-data.www-data /var/unfold
+chmod -R 700 /var/unfold
+# upgrading from older packages -- temporary 
+[ -f /usr/share/unfold/myslice.sqlite3 ] && mv -f /usr/share/unfold/myslice.sqlite3 /var/unfold
+rm -f /etc/apache2/sites*/myslice.conf
+# upgrading end
 /usr/share/unfold/manage.py syncdb
 /usr/share/unfold/manage.py migrate
-chmod 700 /var/unfold/unfold.sqlite3
 a2dissite default
 a2ensite unfold.conf
 service apache2 restart

diff --git a/unfold/wsgi.py b/unfold/wsgi.py
new file mode 120000 (symlink)
index 0000000..579c87b
--- /dev/null
+++ b/unfold/wsgi.py
@@ -0,0 +1 @@
+../apache/unfold.wsgi
\ No newline at end of file

diff --git a/unfold/wsgi.readme b/unfold/wsgi.readme
new file mode 100644 (file)
index 0000000..7c287ed
--- /dev/null
+++ b/unfold/wsgi.readme
@@ -0,0 +1,9 @@
+not quite sure where to store the wsgi application file in the codebase
+it used to be in unfold/wsgi.py but that looked a bit awkward
+one of the reasons for that is, the apache/ config (apache/unfold.conf)
+needs to reference the installed wsgi file, so we'd rather not have this
+installed in the python library where names are not known in advance
+--
+So at some point it was decided to have it moved with the apache/ config
+The symlink here is only for the django development server to find it at run time
+see settings.py and the definition of WSGI_APPLICATION