Title: Host your Cryptpad web office suite with OpenBSD | |
Author: Solène | |
Date: 14 December 2020 | |
Tags: web openbsd | |
Description: | |
In this article I will explain how to deploy your own cryptpad instance | |
with OpenBSD. | |
Cryptpad official website | |
Cryptpad is a web office suite featuring easy real time collaboration | |
on documents. Cryptpad is written in JavaScript and the daemon acts as | |
a web server. | |
# Pre-requisites | |
You need to install the packages git, node, automake and autoconfig to | |
be able to fetch the sources and run the program. | |
```shell command | |
# pkg_add node git autoconf--%2.69 automake--%1.16 | |
``` | |
Another web front-end software will be required to allow TLS | |
connections and secure the network access to the Cryptpad instance. | |
This can be relayd, haproxy, nginx or lighttpd. I'll cover the setup | |
using httpd, and relayd. Note that Cryptpad developers will provide | |
support only to Nginx users. | |
# Installation | |
I really recommend using dedicated users daemons. We will create a new | |
user with the command: | |
```shell command | |
# useradd -m _cryptpad | |
``` | |
Then we will continue the software installation as the `_cryptpad` | |
user. | |
```shell command | |
# su -l _cryptpad | |
``` | |
We will mainly follow the official instructions with some exceptions to | |
adapt to OpenBSD: | |
Official installation guide | |
```shell command | |
$ git clone https://github.com/xwiki-labs/cryptpad | |
$ cd cryptpad | |
$ env AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.69 CC=clang CXX=clang++ npm inst… | |
$ env AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.69 CC=clang CXX=clang++ npm inst… | |
$ node_modules/.bin/bower install | |
$ cp config/config.example.js config/config.js | |
``` | |
# Configuration | |
There are a few variables important to customize: | |
* "httpUnsafeOrigin" should be set to the public address on which | |
cryptpad will be available. This will certainly be a HTTPS link with an | |
hostname. I will use https://cryptpad.kongroo.eu | |
* "httpSafeOrigin" should be set to a public address which is different | |
than the previous one. Cryptpad requires two different addresses to | |
work. I will use https://api.cryptpad.kongroo.eu | |
* "adminEmail" must be set to a valid email used by the admin | |
(certainly you) | |
# Make a rc file to start the service | |
We need to automatically start the service properly with the system. | |
Create the file /etc/rc.d/cryptpad | |
```script file to run cryptpad as a service from /etc/rc | |
#!/bin/ksh | |
daemon="/usr/local/bin/node" | |
daemon_flags="server" | |
daemon_user="_cryptpad" | |
location="/home/_cryptpad/cryptpad" | |
. /etc/rc.d/rc.subr | |
rc_start() { | |
${rcexec} "cd ${location}; ${daemon} ${daemon_flags}" | |
} | |
rc_bg=YES | |
rc_cmd $1 | |
``` | |
Enable the service and start it with rcctl | |
```shell commands | |
# rcctl enable cryptpad | |
# rcctl start cryptpad | |
``` | |
# Operating | |
## Make an admin account | |
Register yourself on your Cryptpad instance then visit the *Settings* | |
page of your profile: copy your public signing key. | |
Edit Cryptpad file config.js and search for the pattern "adminKeys", | |
uncomment it by removing the "/* */" around and delete the example key | |
and paste your key as follow: | |
```configuration file sample | |
adminKeys: [ | |
"[[email protected]/YzfbEYwZq6Xhl7ET6AHD01w3QqOE7STYgGglgSTgWfk=]", | |
], | |
``` | |
Restart Cryptpad, the user is now admin and has access to a new | |
administration panel from the web application. | |
## Backups | |
In the cryptpad directory, you need to backup `data` and `datastore` | |
directories. | |
# Extra configuration | |
In this section I will explain how to configure generate your TLS | |
certificate with acme-client and how to configure httpd and relayd to | |
publish cryptpad. I consider it besides the current article because if | |
you have nginx and already a setup to generate certificates, you don't | |
need it. If you start from scratch, it's the easiest way to get the job | |
done. | |
Acme client man page | |
Httpd man page and | |
Relayd man page | |
From here, I consider you use OpenBSD and you have blank configuration | |
files. | |
I'll use the domain **kongroo.eu** as an example. | |
## httpd | |
We will use httpd in a very simple way. It will only listen on port 80 | |
for all domain to allow acme-client to work and also to automatically | |
redirect http requests to https. | |
```shell commands | |
# cp /etc/examples/httpd.conf /etc/httpd.conf | |
# rcctl enable httpd | |
# rcctl start httpd | |
``` | |
## acme-client | |
We will use the example file as a default: | |
```shell commands | |
# cp /etc/examples/acme-client.conf /etc/acme-client.conf | |
``` | |
Edit `/etc/acme-client.conf` and change the last domain block, replace | |
`example.com` and `secure.example.com` with your domains, like | |
`cryptpad.kongroo.eu` and `api.cryptpad.kongroo.eu` as alternative | |
name. | |
For convenience, you will want to replace the path for the full chain | |
certificate to have `hostname.crt` instead of `hostname.fullchain.pem` | |
to match relayd expectations. | |
This looks like this paragraph on my setup: | |
```Configuration file sample | |
domain kongroo.eu { | |
alternative names { api.cryptpad.kongroo.eu cryptpad.kongroo.eu } | |
domain key "/etc/ssl/private/kongroo.eu.key" | |
domain full chain certificate "/etc/ssl/kongroo.eu.crt" | |
sign with buypass | |
} | |
``` | |
Note that with the default acme-client.conf file, you can use | |
*letsencrypt* or *buypass* as a certification authority. | |
acme-client.conf man page | |
You should be able to create your certificates now. | |
```shell command | |
# acme-client kongroo.eu | |
``` | |
Done! | |
You will want the certificate to be renewed automatically and relayd to | |
restart upon certificate change. As stated by acme-client.conf man | |
page, add this to your root crontab using `crontab -e`: | |
```crontab entry | |
~ * * * * acme-client kongroo.eu && rcctl reload relayd | |
``` | |
## relayd | |
This configuration is quite easy, replace `kongroo.eu` with your | |
domain. | |
Create a /etc/relayd.conf file with the following content: | |
relayd.conf man page | |
```Configuration file sample | |
tcp protocol "https" { | |
tls keypair kongroo.eu | |
} | |
relay "https" { | |
listen on egress port 443 tls | |
protocol https | |
forward to 127.0.0.1 port 3000 | |
} | |
``` | |
Enable and start relayd using rcctl: | |
```shell commands | |
# rcctl enable relayd | |
# rcctl start relayd | |
``` | |
## Conclusion | |
You should be able to reach your Cryptpad instance using the public URL | |
now. Congratulations! |