# allow to use phinx without composer.json and not remove install file
# COPR Ligenix's spec file for xibo
#
# Copyright (c) 2022-2024 Jean-Marc Liger 
#
# License: CC-BY-SA
# http://creativecommons.org/licenses/by-sa/4.0/
#
# Please, preserve the changelog entries
#

# Build switch: when set to 1 the cms subpackage requires php-selinux and its
# install/erase scriptlets manage SELinux file contexts and httpd booleans.
%global with_selinux 1

# Web server integration is switched on for Fedora and for RHEL 8 or later.
%if 0%{?fedora} || 0%{?rhel} >= 8
# httpd 2.4 with httpd-filesystem
%global with_httpd 1
# nginx 1.6 with nginx-filesystem
%global with_nginx 1
%else
%global with_httpd 0
%global with_nginx 0
%endif

# Upstream version string; the Version tag below replaces any dash with a tilde.
%global version_string 4.1.2
# Text before the last two dots of the version string.
# NOTE(review): not referenced anywhere else in the visible spec - confirm it is still needed.
%global version_major %(ver=%{version_string}; echo ${ver%.*.*})


Name:           xibo
Version:        %{lua:ver = string.gsub(rpm.expand("%{version_string}"), "-", "~"); print(ver)}
Release:        1%{?dist}
Summary:        Xibo Open Source Digital Signage
Summary(fr):    Xibo Signalisateur Numérique Open Source

License:        AGPLv3+
URL:            https://xibosignage.com/
Source0:        https://github.com/xibosignage/%{name}-cms/releases/download/%{version_string}/%{name}-cms-%{version_string}.tar.gz

BuildArch:      noarch
BuildRequires:  gettext
BuildRequires:  systemd

%description
Xibo is a powerful Open Source Digital Signage solution with a multi-platform display player.

This package provides the Xibo content management system and message relay.

%description -l fr

Ce package fournit le système de gestion de contenu et le relai de message Xibo.


%package cms
Summary:        Xibo content management system
Summary(fr):    Système de gestion de contenu Xibo

%if %{with_httpd}
Requires:       httpd-filesystem
Requires:       mod_xsendfile
%endif
%if %{with_nginx}
Requires:       nginx-filesystem
%endif
%if %{with_httpd} || %{with_nginx}
Requires:       webserver
Requires:       php(httpd)
%else
Requires:       httpd
Requires:       mod_php
Requires:       mod_xsendfile
%endif
Requires:       php(language) >= 8.1.0
Requires:       php-fpm
Requires:       php-cli
Requires:       php-common
Requires:       php-ctype
Requires:       php-curl
Requires:       php-dom
Requires:       php-iconv
Requires:       php-fileinfo
Requires:       php-gd
Requires:       php-gettext
Requires:       php-json
Requires:       php-mbstring
Requires:       php-mysqlnd
Requires:       php-pdo
Requires:       php-phar
%if %{with_selinux}
Requires:       php-selinux
%endif
Requires:       php-simplexml
Requires:       php-soap
Requires:       php-xml
Requires:       php-zip
Requires:       php-zlib
Requires:       php-zmq
Requires:       zeromq

%if 0%{?fedora} || 0%{?rhel} >= 8
# optional
Recommends:     %{name}-xmr = %{version}-%{release}
%else
Requires:       %{name}-xmr = %{version}-%{release}
%endif

Requires:       cronie


%description cms
Xibo is a powerful Open Source Digital Signage solution with a multi-platform display player.

This package provides the Xibo content management system.

%description -l fr cms
Xibo est un puissant Signaliseur Numérique Open Source et un lecteur d'affichage multiplateforme.

Ce package fournit le système de gestion de contenu.


%package xmr
Summary:        Xibo message relay
Summary(fr):    Relai de message Xibo

Requires(post):   systemd
Requires(preun):  systemd
Requires(postun): systemd

%description xmr
Xibo is a powerful Open Source Digital Signage solution with a multi-platform display player.

This package provides the Xibo message relay.

%description xmr -l fr
Xibo est un puissant Digital Signage Open Source et un lecteur d'affichage multiplateforme.

Ce package fournit le relai de message Xibo.


%prep
%setup -q -n %{name}-cms-%{version_string}

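# remove unused files
# VCS metadata, build/CI descriptors and stray scripts or binaries in the
# bundled vendor tree are deleted so they are neither packaged nor served.
find vendor -name '.git*' -exec rm -rf {} + -print
find vendor -name '*.xml*' -delete -print
find vendor -name '*.yml*' -delete -print
find vendor -name '*.orig' -delete -print
find vendor -name 'composer.*' -delete -print
find vendor -name 'Dockerfile' -delete -print
find vendor -name '.docker*' -delete -print

find vendor -name '*.bin' -delete -print
find vendor -name '*.py' -delete -print
find vendor -name '*.sh' -delete -print

# directories not in apache space
find vendor -name .htaccess -delete -print

# fix permission files
# Every file becomes 0644 first; only the files under vendor/bin get the
# owner execute bit back.
find . -type f -exec chmod 644 {} +
find vendor/bin -type f -exec chmod u+x {} +

# fix LSB directories
# The files to patch come from "grep -l" as a NUL-separated list that is fed
# to sed through xargs. Cutting "file:match" output on the first colon and
# looping over the unquoted result misreads paths that contain a colon or
# whitespace, and turns a "Binary file ... matches" line into bogus file names.
grep -rlZ -- "PROJECT_ROOT . '/cache'" . \
  | xargs -0 -r sed -i -e "s/PROJECT_ROOT . '\/cache'/'\%{_localstatedir}\/lib\/%{name}\/cache'/g"
sed -i -e "s/\"library_location\",  title, \"\"/\"library_location\",  title, \"\%{_localstatedir}\/lib\/%{name}\/library\"/g" views/install-step6.twig
sed -i -e "s/PROJECT_ROOT . '\/library\/install_log.txt'/'\%{_localstatedir}\/log\/%{name}\/install_log.txt'/g" web/install/index.php
grep -rlZ -- "PROJECT_ROOT . '/web/settings.php'" . \
  | xargs -0 -r sed -i -e "s/PROJECT_ROOT . '\/web\/settings.php'/'\%{_sysconfdir}\/%{name}\/settings.php'/g"
sed -i -e "s/PROJECT_ROOT . '\/web'/'\%{_sysconfdir}\/%{name}'/g" lib/Helper/Environment.php
sed -i -e "s/'web\/settings.php'/'\%{_sysconfdir}\/%{name}\/settings.php'/g" phinx.php
sed -i -e "s/'settings.php'/'\%{_sysconfdir}\/%{name}\/settings.php'/g" web/index.php
sed -i -e "s/'\/var\/www\/cms\/custom\/settings-custom.php'/'\%{_sysconfdir}\/%{name}\/settings-custom.php'/g" lib/Helper/Install.php
# Must stay after the settings-custom.php substitution above, which matches a
# longer form of the same path.
grep -rlZ -- "/var/www/cms" . \
  | xargs -0 -r sed -i -e "s/\/var\/www\/cms/\%{_prefix}\/share\/%{name}/g"

# fix install from localhost
# NOTE(review): the rewritten redirect is assembled from REQUEST_SCHEME,
# SERVER_NAME and CONTEXT_PREFIX as reported by the web server. SERVER_NAME
# can follow the client's Host header depending on the server configuration,
# and CONTEXT_PREFIX is an Apache httpd variable; confirm the redirect target
# with a canonical server name and under nginx/php-fpm.
sed -i -e "s/'Location: install\/1'/'Location: '.\$_SERVER['REQUEST_SCHEME'].':\/\/'.\$_SERVER['SERVER_NAME'].\$_SERVER['CONTEXT_PREFIX'].'\/install\/index.php\/1'/g" web/index.php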

# Cron table entry, installed later in this spec under cron.d: runs
# bin/xtr.php with the PHP CLI every minute as the apache user.
cat >cron <<EOF
# Xibo core
# Run cron to execute task even when no user connected
* * * * * apache %{_bindir}/php %{_datadir}/%{name}/bin/xtr.php
EOF

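# Apache snippet: publishes the web directory under an alias named after the
# package and keeps the installer directory reachable from the local host only.
# Directory autoindexing (the Indexes option) is not enabled, so a directory
# without an index file is not listed to clients. RewriteBase and the installer
# Directory path are derived from the same macros as the Alias line instead of
# being spelled out a second time.
# NOTE(review): AllowOverride All lets .htaccess files below the web directory
# change options again - confirm that is required by the application.
cat >httpd <<EOF
Alias /%{name} %{_datadir}/%{name}/web

<Directory %{_datadir}/%{name}/web>
    Options FollowSymLinks MultiViews
    AllowOverride All
    RewriteBase /%{name}/

    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Allow from all
    </IfModule>
</Directory>

<Directory %{_datadir}/%{name}/web/install>

    # Install is only allowed via local access (from the Xibo server).
    # Add your IP address if you need it for remote installation,
    # but remember to remove it after installation for security.

    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require local
        # Require ip ##.##.##.##
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>

    ErrorDocument 403 "<p><b>Restricted area.</b><br />Only local access allowed.<br />Check your configuration or contact your administrator.</p>"
</Directory>

XSendFile on
XSendFilePath %{_localstatedir}/lib/%{name}/library
EOF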

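# nginx snippet with the front-controller fallback for each entry point.
# The here-document delimiter is quoted on purpose: with an unquoted delimiter
# the shell expands $uri and $args (both unset during the build) to empty
# strings, so the generated file loses the nginx variables.
# The authorize location forwards the query string like every other location;
# it previously carried the literal text "args" instead of the variable.
# NOTE(review): unlike the Apache snippet, nothing here limits the install
# location to local clients - confirm how the installer is protected when the
# package is served by nginx.
cat >nginx <<'EOF'
location / {
    try_files $uri /index.php?$args;
}

location /api/authorize {
    try_files $uri /api/authorize/index.php?$args;
}

location /api {
    try_files $uri /api/index.php?$args;
}

location /install {
    try_files $uri /install/index.php?$args;
}

location /maint {
    try_files $uri /maint/index.php?$args;
}

location /maintenance {
    try_files $uri /index.php?$args;
}
EOF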

# PHP per-directory overrides, installed later in this spec as .user.ini in
# the web/install directory: no execution time limit and no memory limit.
# NOTE(review): the limits are lifted for anything PHP serves from that
# directory; the Apache snippet restricts it to local clients - confirm the
# same restriction exists for other web servers.
cat >fpm <<EOF
max_execution_time=0
memory_limit=-1
EOF

# Message relay (XMR) configuration, installed later as config.json next to
# xmr.phar: the listenOn socket is bound to loopback, the pubOn socket to
# every interface on TCP port 9505, debug output off.
# NOTE(review): the pubOn port is reachable from the network once the host
# firewall allows it (the README opens 9505/tcp); limit the allowed source
# networks at the firewall if only known display networks should connect.
cat >xmr <<EOF
{
"listenOn": "tcp://127.0.0.1:5555",
"pubOn": ["tcp://*:9505"],
"debug": false
}
EOF

# systemd unit for the message relay: runs xmr.phar with the PHP CLI as the
# apache user and group, and restarts it 500 ms after any exit.
# NOTE(review): the unit sets no sandboxing options (for example
# NoNewPrivileges or ProtectSystem); check whether the relay still works with
# them before adding any.
cat >systemd <<EOF
[Unit]
Description=Xibo Message Relay ZeroMQ Service
After=network.target

[Service]
User=apache
Group=apache
ExecStart=%{_bindir}/php %{_datadir}/%{name}/vendor/xibosignage/xibo-xmr/bin/xmr.phar
Restart=always
KillMode=process
RestartSec=500ms

[Install]
WantedBy=multi-user.target
EOF

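# Packaging notes, shipped as README.Fedora by the install section.
# The configuration-directory macro in the php.ini and MariaDB lines was
# misspelled, so the README would have shown the unexpanded macro text instead
# of the directory; it is spelled correctly below. Wording typos are fixed and
# a reminder to replace the sample database password is added.
cat >readme <<EOF
This package has been built with security enhanced by design:

The Xibo CMS %{version} source code has been patched to be LSB compliant, easy to install with full SELinux support.

The settings were moved outside of the DocumentRoot in the %{_sysconfdir}/%{name} directory.

The private data store was automatically predefined as the %{_localstatedir}/lib/%{name}/library directory.

Installation with apache is now configured to be done under localhost/xibo.


Required CLI configuration for Xibo CMS:

timedatectl set-timezone Europe/Paris

edit file %{_sysconfdir}/php.ini:
date.timezone = Europe/Paris

edit file %{_sysconfdir}/my.cnf.d/mariadb-server.cnf in the [Mysqld] section :
innodb_file_per_table=1

systemctl enable [mariadb|mysqld] [httpd|nginx] php-fpm
systemctl start [mariadb|mysqld] [httpd|nginx] php-fpm

mysql_secure_installation

Choose a strong, unique password in place of 'password' in the statements below.

mysql -u root -p
CREATE DATABASE %{name} CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '%{name}'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON %{name}.* TO '%{name}'@'localhost';
FLUSH PRIVILEGES;


Additional CLI configuration for Xibo CMS with SELinux in enforcing mode :

setsebool -P httpd_can_network_connect_db on ; getsebool -a | grep httpd | grep "> on"


Additional CLI configuration for Xibo XMR with Firewalld in active mode :

firewall-cmd --add-port=9505/tcp --permanent ; firewall-cmd --reload
EOF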

# Upgrade instructions, shipped as UPGRADE.Fedora by the install section: run
# the phinx migrations from the application directory, write the output to a
# per-version log file and display it.
cat >upgrade <<EOF
To upgrade this Xibo CMS %{version}, run in a terminal :

cd %{_datadir}/%{name} ; vendor/bin/phinx migrate -c phinx.php > %{_localstatedir}/log/%{name}/upgrade_%{version}.log ; cat %{_localstatedir}/log/%{name}/upgrade_%{version}.log
EOF


%build


%install
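# application
# Top-level PHP files plus the application directories are copied into the
# shared data directory. Loop variables are quoted so that a path containing
# whitespace is passed to cp as a single argument.
mkdir -p %{buildroot}%{_datadir}/%{name}
cp -a *.php %{buildroot}%{_datadir}/%{name}/
for i in bin ca-certs custom db lib locale modules reports tasks vendor views web; do
  cp -ar "$i" "%{buildroot}%{_datadir}/%{name}/$i"
done

# writable state: cache and media library live outside the web tree
mkdir -p %{buildroot}%{_localstatedir}/lib/%{name}/{cache,library}

# apache
install -Dpm 0644 httpd %{buildroot}%{_sysconfdir}/httpd/conf.d/%{name}.conf

# nginx
%if %{with_nginx}
install -Dpm 0644 nginx %{buildroot}%{_sysconfdir}/nginx/default.d/%{name}.conf
%endif

# php-fpm install
# The generated overrides become the .user.ini of the installer directory.
install -Dpm 0644 fpm %{buildroot}%{_datadir}/%{name}/web/install/.user.ini

# config
# Empty placeholders; the files list declares them as ghost config files.
mkdir -p %{buildroot}%{_sysconfdir}/%{name}
touch %{buildroot}%{_sysconfdir}/%{name}/settings.php
touch %{buildroot}%{_sysconfdir}/%{name}/settings-custom.php

# log
mkdir -p %{buildroot}%{_localstatedir}/log/%{name}
touch %{buildroot}%{_localstatedir}/log/%{name}/install_log.txt

# cron
install -Dpm 0644 cron %{buildroot}%{_sysconfdir}/cron.d/%{name}

# xmr
install -Dpm 0644 xmr %{buildroot}%{_datadir}/%{name}/vendor/xibosignage/xibo-xmr/bin/config.json

# systemd
install -Dpm 0644 systemd %{buildroot}%{_unitdir}/%{name}.service

# doc
# Written into the build directory, where the doc directive picks them up.
install -Dpm 0644 readme README.Fedora
install -Dpm 0644 upgrade UPGRADE.Fedora

# lang
# One file-list line per locale directory, tagged with the first two
# characters of the directory name as its language code.
for i in "%{buildroot}%{_datadir}/%{name}/locale"/*; do
  lang=${i##*/}
  echo "%lang(${lang:0:2}) %{_datadir}/%{name}/locale/${lang}"
done > %{name}.lang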


%post cms
# Post-install for the cms subpackage: with SELinux support built in, label
# the package's directories for httpd and switch on two httpd booleans; then
# restart httpd if it is already running.
%if %{with_selinux}
# Everything inside this subshell has stdout and stderr discarded, so a
# missing semanage or a rule that fails to apply leaves no trace in the
# transaction output.
# NOTE(review): no install-time dependency on the package that provides
# semanage is visible in this spec - confirm it is pulled in some other way.
(
# create xibo file context
# The configuration directory gets the httpd read-write content type, the
# application tree the read-only one; cache, library and log directories get
# their own httpd types.
semanage fcontext -a -s system_u -t httpd_sys_rw_content_t -r s0 "%{_sysconfdir}/%{name}(/.*)?"
semanage fcontext -a -s system_u -t httpd_sys_content_t    -r s0 "%{_datadir}/%{name}(/.*)?"
semanage fcontext -a -s system_u -t httpd_cache_t          -r s0 "%{_localstatedir}/lib/%{name}/cache(/.*)?"
semanage fcontext -a -s system_u -t httpd_var_lib_t        -r s0 "%{_localstatedir}/lib/%{name}/library(/.*)?"
semanage fcontext -a -s system_u -t httpd_log_t            -r s0 "%{_localstatedir}/log/%{name}(/.*)?"
# apply to files created by xibo rpm
restorecon -R %{_sysconfdir}/%{name}
restorecon -R %{_datadir}/%{name}
restorecon -R %{_localstatedir}/lib/%{name}/cache
restorecon -R %{_localstatedir}/lib/%{name}/library
restorecon -R %{_localstatedir}/log/%{name}

# set httpd permissions
# Each boolean is only written when it is not already on.
# NOTE(review): both booleans are set persistently (-P) and apply to every
# httpd-confined process on the host, not only to this application; the erase
# scriptlet of this subpackage does not switch them back.
getsebool httpd_can_network_connect | grep "> on"  >/dev/null || setsebool -P httpd_can_network_connect on
getsebool httpd_can_sendmail | grep "> on"  >/dev/null || setsebool -P httpd_can_sendmail on
) &>/dev/null
%endif

# Restart httpd only if it is running; the trailing "|| :" keeps the
# scriptlet's exit status at zero either way.
%{_bindir}/systemctl condrestart httpd > /dev/null 2>&1 || :

%postun cms
# Post-uninstall for the cms subpackage. The first argument is the number of
# instances of the package left after the transaction, so 0 means a full
# erase rather than an upgrade.
%if %{with_selinux}
if [ "$1" -eq "0" ]; then
    # remove xibo file context
    # Deletes the five file-context rules added at install time; output and
    # errors are discarded.
    (
    semanage fcontext -d "%{_sysconfdir}/%{name}(/.*)?"
    semanage fcontext -d "%{_datadir}/%{name}(/.*)?"
    semanage fcontext -d "%{_localstatedir}/lib/%{name}/cache(/.*)?"
    semanage fcontext -d "%{_localstatedir}/lib/%{name}/library(/.*)?"
    semanage fcontext -d "%{_localstatedir}/log/%{name}(/.*)?"
    ) &>/dev/null
fi
%endif

# Runs on both upgrade and erase: restart httpd only if it is running.
%{_bindir}/systemctl condrestart httpd > /dev/null 2>&1 || :


%post xmr
# Standard systemd packaging macro for a freshly installed unit.
%systemd_post %{name}.service

%preun xmr
# Standard systemd packaging macro run before the unit is removed.
# NOTE(review): the xmr subpackage declares a postun-time dependency on
# systemd, but no post-uninstall scriptlet for it is visible in this spec -
# confirm whether a restart of the relay on upgrade is intended.
%systemd_preun %{name}.service


# Payload of the cms subpackage; the per-locale entries come from the
# generated .lang file list.
%files cms -f %{name}.lang
%{!?_licensedir:%global license %%doc}
%doc *.md *.Fedora
%license LICENSE

# Configuration directory: setgid, full access for root and the apache group,
# none for others. The two settings files are ghost entries: owned by the
# package but not shipped in its payload.
# NOTE(review): group write access means processes running with the apache
# group can modify the PHP settings files the application loads - presumably
# needed by the web installer; consider tightening it once installation is done.
%attr(2770,root,apache) %dir %{_sysconfdir}/%{name}
%ghost %config(noreplace,missingok) %{_sysconfdir}/%{name}/settings.php
%ghost %config(noreplace,missingok) %{_sysconfdir}/%{name}/settings-custom.php
%config(noreplace) %{_sysconfdir}/cron.d/%{name}
%config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf
%if %{with_nginx}
%config(noreplace) %{_sysconfdir}/nginx/default.d/%{name}.conf
%endif

# this folder can contain private information (cache, files, ...)
%dir %{_localstatedir}/lib/%{name}
%attr(2770,root,apache) %{_localstatedir}/lib/%{name}/cache
%attr(2770,root,apache) %{_localstatedir}/lib/%{name}/library

# Application code, listed directory by directory with default ownership.
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/*.php
%{_datadir}/%{name}/bin
%{_datadir}/%{name}/ca-certs
%{_datadir}/%{name}/custom
%{_datadir}/%{name}/db
%{_datadir}/%{name}/lib
%{_datadir}/%{name}/modules
%{_datadir}/%{name}/reports
%{_datadir}/%{name}/tasks
%{_datadir}/%{name}/vendor
%{_datadir}/%{name}/views
%{_datadir}/%{name}/web
%dir %{_datadir}/%{name}/locale

# NOTE(review): owner and group are the reverse of the directories above
# (apache,root here, root,apache there) - confirm this is intended.
%attr(2770,apache,root) %dir %{_localstatedir}/log/%{name}
%ghost %config(noreplace,missingok) %{_localstatedir}/log/%{name}/install_log.txt

# we put xmr in a separate package
%exclude %{_datadir}/%{name}/vendor/xibosignage/xibo-xmr/


# Payload of the xmr subpackage: the message relay directory that the cms
# file list excludes, plus the systemd unit.
%files xmr
%{_datadir}/%{name}/vendor/xibosignage/xibo-xmr/

%{_unitdir}/%{name}.service


%changelog
* Mon Nov 18 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.2-1
- Update to 4.1.2
  see https://xibosignage.com/blog/4-1-2-released

* Sat Oct 12 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.1-1
- Update to 4.1.1
  see https://xibosignage.com/blog/4-1-1-released

* Tue Sep 03 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.0-1
- Update to 4.1.0
  see https://xibosignage.com/blog/4-1-0-released

* Tue Aug 27 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.0-rc3-0
- Update to 4.1.0-rc3

* Tue Aug 13 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.0-rc2-0
- Update to 4.1.0-rc2

* Thu Jul 25 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.0-rc1-0
- Update to 4.1.0-rc1

* Thu Jul 25 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.0-beta-0
- Update to 4.1.0-beta

* Thu May 02 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.1.0-alpha-0
- Update to 4.1.0-alpha

* Sun Apr 14 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.10-1
- Update to 4.0.10
  see https://xibosignage.com/blog/4.0.10-released

* Tue Mar 26 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.9-1
- Update to 4.0.9
  see https://xibosignage.com/blog/4.0.9-released

* Fri Mar 15 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.8-1
- Update to 4.0.8
  see https://xibosignage.com/blog/4.0.8-released

* Fri Feb 16 2024 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.7-1
- Update to 4.0.7
  see https://xibosignage.com/blog/4.0.7-released

* Tue Nov 14 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.6-1
- Update to 4.0.6
  see https://xibosignage.com/blog/4.0.6-released

* Tue Nov 14 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.5-1
- Update to 4.0.5
  see https://xibosignage.com/blog/4.0.5-released

* Wed Oct 11 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.4-1
- Update to 4.0.4
  see https://xibosignage.com/blog/4-0-4-released

* Wed Sep 20 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.3-1
- Update to 4.0.3
  see https://xibosignage.com/blog/4-0-3-released

* Tue Sep 12 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.2-1
- Update to 4.0.2
  see https://xibosignage.com/blog/4-0-2-released

* Sun Sep 10 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.1-1
- Update to 4.0.1
  see https://xibosignage.com/blog/4-0-1-released

* Tue Sep 05 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.0-1
- Update to 4.0.0
  see https://xibosignage.com/blog/announcing-xibo-v4

* Mon Aug 21 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.0-rc2-1
- Update to 4.0.0-rc2
  see https://community.xibo.org.uk/t/cms-4-0-0-rc2-released/29854
- Add SELinux post instructions for xibo-cms

* Wed Aug 09 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.0-rc1-1
- Update to 4.0.0-rc1
  see https://community.xibo.org.uk/t/cms-4-0-0-rc1-released/29807

* Thu Jul 27 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.0-beta-1
- Fix vendor/bin permissions

* Thu Jul 27 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.0-beta-0
- Update to 4.0.0-beta
  see https://community.xibo.org.uk/t/cms-4-0-0-beta-released/29714

* Sat Jul 15 2023 Jean-Marc Liger <ligenix@iscp.fr> - 4.0.0-alpha2-0
- Update to 4.0.0-alpha2
  see https://community.xibo.org.uk/t/cms-4-0-0-alpha2-released/29636
- Add long awaited support for PHP >= 8.1

* Sun Nov 13 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.2.2-1
- Update to 3.2.2
  see https://xibosignage.com/blog/3-2-2-released

* Sun Nov 13 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.2.1-3
- Fix xmr config.json

* Fri Nov 11 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.2.1-2
- Fix missing vendor/*/bin directories
- Add upgrade doc #Nicolas Meneceur

* Thu Nov 10 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.2.1-1
- Update to 3.2.1
  see https://xibosignage.com/blog/3-2-1-released
- Fix apache localhost install

* Sun Nov 06 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.1.5-3
- Fix install_log.txt attributes
- Add apache RewriteBase for localhost, workaround is still need for install

* Sun Nov 06 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.1.5-2
- Fix apache install infinity loop with localhost #Nicolas Meneceur
- Add apache XSendFilePath directive #Nicolas Meneceur

* Thu Nov 03 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.1.5-1
- Update to 3.1.5
  see https://xibosignage.com/blog/3-1-5-released

* Wed Nov 02 2022 Jean-Marc Liger <ligenix@iscp.fr> - 3.1.4-1
- Initial RPM 3.1.4
  see https://xibosignage.com/blog/3-1-4-released