Install
First, download and verify the software:
$ ftp http://deb.debian.org/debian/pool/main/i/ikiwiki/ikiwiki_3.20200202.3.orig.tar.xz
$ ftp http://deb.debian.org/debian/pool/main/i/ikiwiki/ikiwiki_3.20200202.3-1.dsc
$ ftp https://keys.openpgp.org/vks/v1/by-fingerprint/DA98F25C0871C49A59EAFF2C4DE8FF2A63C7CC90
You may need to install GPG:
$ doas pkg_add gnupg
$ gpg --import DA98F25C0871C49A59EAFF2C4DE8FF2A63C7CC90
$ gpg --verify ikiwiki_3.20200202.3-1.dsc
gpg: Signature made Thu Feb 13 05:12:05 2020 EST
gpg:                using RSA key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F
gpg:                issuer "smcv@debian.org"
gpg: Good signature from "Simon McVittie <smcv@pseudorandom.co.uk>" [unknown]
gpg:                 aka "Simon McVittie <smcv@debian.org>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: DA98 F25C 0871 C49A 59EA  FF2C 4DE8 FF2A 63C7 CC90
     Subkey fingerprint: 36EC 5A64 48A4 F5EF 79BE  FE98 E05A E147 8F81 4C4F
$ sha256 ikiwiki_3.20200202.3.orig.tar.xz                                
SHA256 (ikiwiki_3.20200202.3.orig.tar.xz) = 594f13bcee8959356376a42eed6c5a8e295d325724b1c09f9395404e3262796a
$ rm DA98F25C0871C49A59EAFF2C4DE8FF2A63C7CC90
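The steps above print the tarball's SHA-256 but leave the comparison with the signed .dsc to the reader. The following shell functions are an added example, not part of the original instructions: they read the Checksums-Sha256 entry from the .dsc and compare it with the hash of the downloaded file. The function names are hypothetical, and the .dsc is assumed to have already passed gpg --verify.

```sh
# Added example: function names are hypothetical, not from ikiwiki or Debian.
# Assumes the .dsc already passed "gpg --verify" as shown above.

# Print the hex SHA-256 of a file with whichever tool is installed.
file_sha256() {
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | awk '{ print $1 }'
	else
		sha256 -q "$1"	# OpenBSD base system
	fi
}

# Print the SHA-256 the .dsc lists for file name $2.
# Entries are indented lines "<hash> <size> <name>" under "Checksums-Sha256:".
# Parsing stops at the PGP signature block.
dsc_sha256() {
	awk -v want="$2" '
		/^-----BEGIN PGP SIGNATURE-----/ { exit }
		/^Checksums-Sha256:/ { in_block = 1; next }
		in_block && /^[^ ]/ { in_block = 0 }
		in_block && $3 == want { print $1; exit }
	' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the .dsc has no entry for the file.
check_against_dsc() {
	dsc=$1
	file=$2
	expected=$(dsc_sha256 "$dsc" "$(basename "$file")")
	if [ -z "$expected" ]; then
		echo "no SHA-256 entry for $file in $dsc" >&2
		return 2
	fi
	actual=$(file_sha256 "$file")
	if [ "$expected" = "$actual" ]; then
		echo "OK: $file"
		return 0
	fi
	echo "MISMATCH: $file (expected $expected, got $actual)" >&2
	return 1
}

# Usage with the files downloaded above:
# check_against_dsc ikiwiki_3.20200202.3-1.dsc ikiwiki_3.20200202.3.orig.tar.xz
```

A clearsigned file can carry text outside the signed region, so for a stricter check run the functions on the output of gpg --decrypt, which prints only the signed content.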
Once the signature and hash have been confirmed, you can extract the software:
$ doas pkg_add xz
$ unxz ikiwiki_3.20200202.3.orig.tar.xz
$ tar xvf ikiwiki_3.20200202.3.orig.tar
Install the required dependencies:
$ doas pkg_add p5-CGI-FormBuilder p5-CGI-Session p5-Class-Date \
	p5-HTML-Parser p5-HTML-Scrubber p5-HTML-Template p5-Text-Markdown \
	p5-URI p5-XML-Simple p5-YAML-XS p5-CGI gmake git
$ cpan Mail::Sendmail
If you did not configure CPAN to use sudo, you may need to run make with doas:
$ cd ~/.cpan/build/Mail-Sendmail*
$ doas make install
Next, build ikiwiki:
$ cd ~/ikiwiki-3.20200202.3
$ ./Makefile.PL
$ gmake
$ doas gmake install
Copy to chroot:
$ doas mkdir -p /var/www/usr/local/libdata/perl5/
$ doas cp -R /usr/local/libdata/perl5/site_perl /var/www/usr/local/libdata/perl5/
$ doas mkdir -p /var/www/usr/local/share/ikiwiki
$ doas cp -R /usr/local/share/ikiwiki /var/www/usr/local/share/
$ doas mkdir -p /var/www/usr/local/sbin
$ doas cp -R /usr/local/sbin/ikiwiki-mass-rebuild /var/www/usr/local/sbin/
$ doas mkdir -p /var/www/usr/local/lib/w3m/cgi-bin/
$ doas cp -R /usr/local/lib/w3m/cgi-bin/ikiwiki-w3m.cgi /var/www/usr/local/lib/w3m/cgi-bin/
$ doas mkdir -p /var/www/usr/local/bin
$ doas cp /usr/local/bin/ikiwiki* /var/www/usr/local/bin/
$ doas mkdir -p /var/www/etc/
$ doas cp -R /etc/ikiwiki /var/www/etc/
$ doas mkdir -p /var/www/usr/libdata/
$ doas cp -R /usr/libdata/perl5 /var/www/usr/libdata/
We will need to copy the Mail::Sendmail module into the chroot. Assuming cpan installed it locally (not using sudo), we run:
$ doas cp -R ~/perl5/lib/perl5/Mail/Sendmail.pm /var/www/usr/local/libdata/perl5/site_perl/Mail/
Set up unbound and place this inside /var/www/etc/resolv.conf:
lookup file bind
nameserver 127.0.0.1
We will need to set up a chroot for perl:
$ doas mkdir -p /var/www/usr/{bin,lib,libexec}
$ doas cp /usr/bin/perl /var/www/usr/bin/
$ doas cp -p /usr/lib/lib{c,m,perl}.so* /var/www/usr/lib/
$ doas cp /usr/libexec/ld.so /var/www/usr/libexec/
Next, set up a chroot for git:
$ doas cp /usr/local/bin/git{,-upload-pack,-shell,-upload-archive,-receive-pack} /var/www/usr/local/bin/
$ doas cp /usr/lib/libz.so.7.0 /var/www/usr/lib/
$ doas cp /usr/local/lib/{libiconv.so.7.1,libintl.so.7.0} /var/www/usr/local/lib/
$ doas cp /usr/lib/{libpthread.so.27.0,libc.so.97.0} /var/www/usr/lib/
$ doas cp /usr/libexec/ld.so /var/www/usr/libexec/
In order to run ikiwiki inside a chroot, git must also be inside the chroot. However, git requires certain device files, which would sit inside the /var partition. By default, OpenBSD mounts /var with the nodev flag for security.
To resolve this, we have two options:
- Mount a separate partition as /var/www/dev which allows devices (more complex)
- Remount /var to allow device files (less secure)
WARNING: Do not copy the instructions below blindly. You may wipe out data irreversibly if you format the wrong partition.
To mount a separate partition, you will need to create a new partition, add it to /etc/fstab, and mount it.
$ doas disklabel -E sd0
Label editor (enter '?' for help at any prompt)
sd0> a a
...
Then write the changes to disk and quit:
sd0*> w
sd0> q
No label changes.
Next, you'll want to format the partition:
$ doas newfs sd0a
Next, edit /etc/fstab and mount /var/www/dev.
WARNING: Mounting /var to allow device files will compromise OpenBSD security.
Another option is to remount /var to allow device files.
$ doas mount -u -o dev /var
Make sure to also update /etc/fstab.
Create device files:
$ doas mkdir -p /var/www/dev
$ doas mknod -m 644 /var/www/dev/random c 45 0
$ doas mknod -m 644 /var/www/dev/urandom c 45 2
$ doas mknod -m 666 /var/www/dev/null c 2 2
$ export SRCDIR=/var/www/wiki/markdown/
$ export DESTDIR=/var/www/htdocs/wiki/
$ doas mkdir -p $SRCDIR $DESTDIR
$ doas chown $USER:daemon $SRCDIR $DESTDIR
$ vim $SRCDIR/index.mdwn
Put this inside the sample index page:
Welcome to your new wiki.

All wikis are supposed to have a [[SandBox]], so this one does too.

----

This wiki is powered by [ikiwiki](http://ikiwiki.info).
Then set up the wiki:
$ ikiwiki --verbose $SRCDIR $DESTDIR --url=https://example.com/
To dump the setup file:
$ doas chown -R $USER:daemon /var/www/wiki/
$ ikiwiki $SRCDIR $DESTDIR --url=http://example.com/ --dumpsetup /var/www/wiki/ikiwiki.setup
Edit ikiwiki.setup with correct values. Then, rebuild:
# where the source of the wiki is located
srcdir: /var/www/wiki/markdown/
# where to build the wiki
destdir: /var/www/htdocs/wiki/
# base url to the wiki
url: https://example.com/
# url to the ikiwiki.cgi
cgiurl: 'https://example.com/ikiwiki.cgi'
# do not adjust cgiurl if CGI is accessed via different URL
reverse_proxy: 0
# filename of cgi wrapper to generate
cgi_wrapper: '/var/www/htdocs/wiki/ikiwiki.cgi'
# mode for cgi_wrapper (can safely be made suid)
cgi_wrappermode: 00755
# number of seconds to delay CGI requests when overloaded
cgi_overload_delay: ''
# message to display when overloaded (may contain html)
cgi_overload_message: ''
# enable optimization of only refreshing committed changes?
only_committed_changes: 0
# rcs backend to use
rcs: 'git'
# plugins to add to the default configuration
add_plugins:
- goodstuff
- websetup
...
allow_symlinks_before_srcdir: 1
We create the wiki itself and initialize the git repo:
$ export REPOSITORY=/var/git/wiki/
$ doas mkdir -p /var/git/
Make sure you have write access:
$ doas chmod g+w /var/git/
$ ikiwiki-makerepo git $SRCDIR $REPOSITORY
Next, we move the git repo and create a symbolic link:
$ doas mkdir -p /var/www/var/git/
$ doas mv /var/git/wiki /var/www/var/git/
$ doas ln -s /var/www/var/git/wiki /var/git/wiki
By default, cgi_wrapper is configured to use SUIDs, but on OpenBSD, /var is usually mounted nosuid. For this reason, we edit cgi_wrappermode to be 00755 instead of 06755.
$ ikiwiki --setup /var/www/wiki/ikiwiki.setup
Next we make sure that ikiwiki can write to /var/www/wiki. It is necessary to create a symlink because when the CGI script attempts to open this directory, it actually visits /var/www/var/www/wiki:
$ doas mkdir -p /var/www/var/www/wiki
$ doas ln -s /wiki/markdown /var/www/var/www/wiki/markdown
$ doas chown -R www:daemon $SRCDIR
Create the htdocs folder:
$ doas mkdir -p /var/www/var/www/htdocs
$ doas mv /var/www/htdocs/wiki /var/www/var/www/htdocs/
And set up a necessary symlink:
$ doas ln -s /var/www/htdocs/wiki/ /var/www/htdocs/wiki
Edit /etc/httpd.conf to handle the CGI script. Replace example.com with your server:
server "example.com" {
	listen on * port 80
	root "/htdocs/wiki"
	location "*.cgi" {
		fastcgi
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
server "example.com" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/example.com.fullchain.pem"
		key "/etc/ssl/private/example.com.key"
	}
	root "/htdocs/wiki"
	location "*.cgi" {
		fastcgi
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}
Enable Fast CGI:
$ doas rcctl enable slowcgi
$ doas rcctl start slowcgi
You will want to download the markdown files:
$ ftp https://ircnow.org/software/ikiwiki-markdown.tgz
$ tar xvzf ikiwiki-markdown.tgz
$ doas mv ircnow/* /var/www/wiki/markdown/
$ rmdir ircnow/
Then rebuild ikiwiki:
$ ikiwiki --rebuild --setup /var/www/wiki/ikiwiki.setup
Set the correct file ownership:
$ doas chown -R www:daemon /var/www/wiki/
$ doas chown -R www:daemon /var/www/var/www/htdocs/wiki/
