path: root/doc/tips/Git_repository_and_web_server_on_different_hosts.mdwn
[[!meta date="2008-10-19 18:33:59 -0400"]]

One may want to provide ikiwiki hosting with [[rcs/git]]+ssh access and the
web server located on different hosts. Here's a description of such
a setup, using password-less SSH as the means of communication between
these two hosts.

[[!img separate-webserver.svg size=490x align=right]]

Git server
==========

Let's create a user called `ikiwiki_example`. This user gets SSH
access restricted to Git pull/push, using `git-shell` as a shell.

The root (bare) repository:

- is stored in `~ikiwiki_example/ikiwiki_example.git`
- is owned by `ikiwiki_example:ikiwiki_example`
- has permissions 0700

The master repository's post-update hook connects via SSH to
`webserver` as user `ikiwiki_example`, in order to run
`~/bin/ikiwiki.update` on `webserver`; this post-update hook, located
in `~ikiwiki_example/ikiwiki_example.git/hooks/post-update`, is
executable and contains:

	#!/bin/sh
	/usr/bin/ssh ikiwiki_example@webserver bin/ikiwiki.update

Password-less SSH must be set up to make this possible; one can
restrict `gitserver:ikiwiki_example` to be able to run only the needed
command on the web server, using a line like this in
`webserver:~ikiwiki_example/.ssh/authorized_keys`:

	command="bin/ikiwiki.update",from="gitserver.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...
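
An added example, not part of the original tip or of ikiwiki: a small Python check that parses the options field of an `authorized_keys` line and reports which of the restrictions shown above are missing. The sample lines and key material are constructed, and the check also accepts OpenSSH's `restrict` option in place of the four `no-*` flags.

```python
import re

# Restrictions taken from the authorized_keys line shown above.
REQUIRED_FLAGS = {"no-port-forwarding", "no-x11-forwarding",
                  "no-agent-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"(ssh|ecdsa|sk)-")

def split_options(line):
    """Return (options dict, remainder); quoted commas/spaces stay in values."""
    if KEY_TYPE.match(line):
        return {}, line                      # line has no options field
    opts, buf, quoted, i = {}, "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':
            buf, i = buf + '"', i + 1        # \" is a literal quote in a value
        elif c == '"':
            quoted = not quoted
        elif c in ", \t" and not quoted:
            name, _, value = buf.partition("=")
            opts[name.lower()] = value       # option names are case-insensitive
            buf = ""
            if c != ",":
                return opts, line[i:].strip()
        else:
            buf += c
        i += 1
    raise ValueError("options field is not followed by a key")

def audit(line, hook="bin/ikiwiki.update"):
    """List what is missing; an empty list means the key is confined."""
    opts, _ = split_options(line.strip())
    findings = []
    if opts.get("command") != hook:
        findings.append("command= does not force " + hook)
    if not opts.get("from"):
        findings.append("no from= source restriction")
    if "restrict" not in opts:               # restrict turns all of these off
        findings += ["missing " + f for f in sorted(REQUIRED_FLAGS - set(opts))]
    return findings

# Constructed sample lines; the key material is a placeholder.
CONFINED = ('command="bin/ikiwiki.update",from="gitserver.example.com",'
            'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
            'ssh-rsa AAAAexample hook@gitserver')
UNCONFINED = 'ssh-rsa AAAAexample hook@gitserver'

if __name__ == "__main__":
    for sample in (CONFINED, UNCONFINED):
        print(audit(sample) or "confined")
```

The check does not look for a later `pty` or `port-forwarding` option re-enabling something after `restrict`.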

Web server
==========

Let's create a user called `ikiwiki_example` on `webserver`. She needs
to have write permission to the destination directory.

The working tree repository (`srcdir`):

- is stored in `~ikiwiki_example/src`
- is owned by `ikiwiki_example:ikiwiki_example`
- has permissions 0700
- has the following origin: `ikiwiki_example@gitserver:ikiwiki_example.git`

The CGI wrapper is generated with ownership set to
`ikiwiki_example:ikiwiki_example` and permissions `06755`.

Password-less SSH must be set up so that `ikiwiki_example@webserver` is
allowed to push to the master repository. As mentioned earlier, SSH access
to `ikiwiki_example@gitserver` is restricted to Git pull/push, which
is just what we need.

The Git wrapper is generated in `~ikiwiki_example/bin/ikiwiki.update`:

	git_wrapper => '/home/ikiwiki_example/bin/ikiwiki.update'

As previously explained, this wrapper is run over SSH by the master
repository's post-update hook; it pulls updates from the master
repository and triggers a wiki refresh.