Added documentation for vimwiki and LetsEncrypt

This commit is contained in:
David Thurstenson 2017-01-04 21:52:56 -06:00
parent 4950c9cfcc
commit 6d763de6b4
3 changed files with 127 additions and 11 deletions

View File

@ -4,7 +4,7 @@
Create a cert using the interactive menu: Create a cert using the interactive menu:
{{{ {{{class="prettyprint"
# certbot certonly # certbot certonly
}}} }}}
@ -14,12 +14,73 @@ LetsEncrypt Certs are good for a max of 90 days, so automating renewal is a must
Do a dry-run renewal with certbot: Do a dry-run renewal with certbot:
{{{ {{{class="prettyprint"
# certbot renew --dry-run # certbot renew --dry-run
}}} }}}
This will test, and possibly renew all certs that certbot knows about This will test, and possibly renew all certs that certbot knows about
%%Now you can use `certbot renew --quiet` for scripting this renewal. I do mine with a simple systemd script: Now you can use `certbot renew --quiet` for scripting this renewal. I do mine with a simple systemd script:
{{{class="prettyprint"
# /etc/systemd/system/certbot.service
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
ExecStartPost=/bin/systemctl reload httpd.service
}}}
== Apache Configuration ==
There's a couple of considerations when using ssl certs with Apache. The first is to enable the appropriate modules in httpd.conf:
{{{class="prettyprint"
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
}}}
Also, make sure to configure apache to listen on port 443:
{{{class="prettyprint"
Listen 443
}}}
That will get the basic framework ready for your virtualhost definition. Here is a very simple virtualhost configuration:
{{{class="prettyprint linenums"
<VirtualHost wiki.thurstylark.com:80>
ServerName wiki.thurstylark.com
# Redirect all except the '.wellk-known' path to https.
# This allows automated renewal of ssl certs by certbot
RedirectMatch permanent ^/(?!\.well-known)(.*) https://wiki.thurstylark.com/$1
</VirtualHost>
<VirtualHost wiki.thurstylark.com:443>
ServerName wiki.thurstylark.com
ServerAdmin thurstylark@gmail.com
DocumentRoot "/srv/wiki/"
<Directory "/srv/wiki/">
AllowOverride None
Options None
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/wiki.thurstylark.com/cert.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/wiki.thurstylark.com/chain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/wiki.thurstylark.com/privkey.pem"
</VirtualHost>
}}}
A couple things to note here: First, this defines two virtualhosts, one for port 80 and one for port 443. This is in order to redirect _all_ traffic to HTTPS except for a very small exception.
This exception is what you see on line 5 in the code above. Only `*/.well-known/*` is not redirected because this is the dir that certbot uses for domain validation. Certbot will only validate over http, and will fail if given a 301 redirect. This allows validation to complete successfuly without a configuration change, thus aiding our automation efforts. Everything else gets a 301 redirect to HTTPS.
Lines 20-23 configure Apache to look for the necessary files in the right places. The locations listed here are actually symlinks to the real files, which are kept in an archive. These links are maintained by certbot automagically.
To obtain new certs for a subdomain, copy this config to `/etc/httpd/conf/extra/`, update the config with the appropriate subdomain name, comment out lines 5, 6, 9, 10, and 20-23 to disable the redirect and ssl configuration, and add an include in the main httpd.conf. Once that is all set up, you can run certbot to obtain new certs. Once certbot is finished, you can remove the comments, restart httpd, and begin testing.
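Review bot: the line references in the prose after the VirtualHost block do not match the block as shown. The block has 20 lines, so "lines 20-23" cannot be the `SSLCertificate*` directives (those are lines 17-19, and line 20 is `</VirtualHost>`), and "comment out lines 5, 6, 9, 10" would also hit `ServerAdmin` and `DocumentRoot` rather than the second `<VirtualHost>`/`ServerName` pair. Refer to the directives by name (`RedirectMatch`, the closing and opening `VirtualHost` tags, `SSLEngine` and the three `SSLCertificate*` lines) so the instructions survive edits to the block. The `certbot.service` unit is `Type=oneshot` with no `[Install]` section and no timer shown; since the text presents this as the automation of renewal, the `certbot.timer` (or cron entry) that fires it belongs in the doc too, otherwise the unit never runs on its own. Smaller points: the comment `# Redirect all except the '.wellk-known' path` has a typo for `.well-known`, "successfuly" should be "successfully", and `SSLCertificateChainFile` is deprecated since Apache 2.4.8 in favour of pointing `SSLCertificateFile` at `fullchain.pem`.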

View File

@ -2,19 +2,23 @@
== TODO == == TODO ==
* [X] Commit to a repository * [X] Commit to a repository
* [ ] Setup remote to host * [X] Setup remote to host
* [ ] Setup remote to automatically `:VimwikiAll2HTML` after it's been pushed to * [X] Setup remote to automatically `:VimwikiAll2HTML` after it's been pushed to
== Table tweaks == == Table tweaks ==
Tables without any styles are gross, so let's use the styles from Bootstrap. Problem is that Vimwiki doesn't provide a way to add a class to a table element, so we'll do it with JQuery: Tables without any styles are gross, so let's use the styles from Bootstrap. Problem is that Vimwiki doesn't provide a way to add a class to a table element, so we'll do it with JQuery:
{{{class="prettyprint" {{{class="prettyprint"
<script> <head>
$(document).ready(function(){ ...
<script>
$(document).ready(function(){
$("table").addClass("table table-condensed table-hover"); $("table").addClass("table table-condensed table-hover");
}); });
</script> </script>
...
</head>
}}} }}}
This adds `.table`, `.table-condensed`, and `.table-hover` classes to every table element in the whole document. Don't see why it should be any other way for the moment. This adds `.table`, `.table-condensed`, and `.table-hover` classes to every table element in the whole document. Don't see why it should be any other way for the moment.
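Review bot: the `<script>` block moved into `<head>` assumes jQuery has already been loaded above it, but the `...` elision hides whether that is so; if the jQuery include comes later in `<head>` or in `<body>`, `$(document).ready` fails with `$ is not defined` and no table gets its classes. Show the jQuery `<script src=...>` line immediately before this block in the snippet so readers copying it get the ordering right. Also, the three TODO items ticked here are added again as a second `== TODO ==` list at the end of the same file in this commit, so one of the two lists should go.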
@ -82,3 +86,54 @@ Now here's a few test lists:
* [ ] Child item 2 * [ ] Child item 2
* [ ] Child item 3 * [ ] Child item 3
* [ ] Child item 4 * [ ] Child item 4
== Push to Deploy ==
The easiest way to manage this wiki, and also allow it to be hosted, is to commit all the wiki documents to a repo, and script the deployment to the wiki's webroot using git's post-receive hook. The origin remote repo also hosts the http server, so it makes things simple. Less simple because it requires a vim plugin to compile the HTML files, but it's still doable.
First part of this solution is the vimrc for the remote machine. This sets the destination for the final html files, the origin wiki files, and the html template page.
{{{class="prettyprint linenums"
set nocompatible
filetype plugin on
syntax on
let g:vimwiki_list = [{
\ 'path': '/tmp/vimwiki/',
\ 'path_html': '/srv/wiki/',
\ 'template_path': '/tmp/vimwiki/html-template',
\ 'template_default': 'index',
\ 'template_ext': '.html'}]
}}}
Note: lines 1-3 are required for vimwiki to work correctly with the post-receive hook. The rest of the config are options for vimwiki directly.
The post-receive hook is a fairly simple bash script. This script is located at `~/git/vimwiki.git/hooks/post-receive`, and is run every time the repo receives a push from downstream.
{{{class="prettyprint linenums"
#!/bin/bash
mkdir /tmp/vimwiki
export GIT_WORK_TREE=/tmp/vimwiki
export GIT_DIR=/home/thurstylark/git/vimwiki.git
git checkout -f
vim -u /tmp/vimwiki/html-template/srv-vimrc -c VimwikiAll2HTML -c q /tmp/vimwiki/index.wiki
cp /tmp/vimwiki/html-template/slate.bootstrap.min.css /srv/wiki/
rm -rf /tmp/vimwiki
}}}
It first makes a directory under /tmp for the contents of the repo, sets `$GIT_WORK_TREE` and `$GIT_DIR`, and does a `git checkout` for all the files in the repo.
Line 9 is where the magic happens. This line runs vim with the vimrc from above, and runs the `:VimwikiAll2HTML` command.
Next, the script copies over the one CSS file that I need to host myself, and lastly, it cleans up the temp dir.
== TODO ==
* [X] Commit to a repository
* [X] Setup remote to host
* [X] Setup remote to automatically `:VimwikiAll2HTML` after it's been pushed to
* [ ] Document push to deploy
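Review bot: the post-receive hook works in a fixed, predictable path `/tmp/vimwiki` that it `mkdir`s, checks out into, and finally `rm -rf`s, with no `set -e` and no check that `mkdir` succeeded. On a shared host another local user can pre-create `/tmp/vimwiki` (or a symlink there), so the checkout, the `vim` run and the `rm -rf` then operate on a directory the hook does not own, and if `mkdir` fails the script carries on regardless. Prefer `set -euo pipefail`, `WORK=$(mktemp -d)` and `trap 'rm -rf "$WORK"' EXIT`, then point `GIT_WORK_TREE`, the `vim -u` path and the `cp` source at `$WORK`; the vimrc's `path` and `template_path` would need the same treatment, for example by passing them in from the hook. Two documentation points: the prose says "Line 9 is where the magic happens" but the `vim` invocation is line 6 of the eight-line script shown, so the reference is stale; and the hunk appends a second `== TODO ==` section to a file that already has one at the top, so the two lists should be merged.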

View File

@ -18,7 +18,7 @@
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<!-- Slate theme --> <!-- Slate theme -->
<link rel="stylesheet" href="slate.bootstrap.min.css"> <link rel="stylesheet" href="https://wiki.thurstylark.com/slate.bootstrap.min.css">
<!-- Latest compiled and minified JavaScript --> <!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
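Review bot: the Slate stylesheet link changes from the relative `slate.bootstrap.min.css` to the absolute `https://wiki.thurstylark.com/slate.bootstrap.min.css`, which hardcodes the hostname into the template and breaks local previews or a move to another host. Since the deploy hook copies that file into the webroot next to the generated pages, a root-relative `/slate.bootstrap.min.css` gives the same result on every page without the dependency. Unlike the two CDN assets on the surrounding lines, the self-hosted stylesheet carries no `integrity` attribute; that is fine for a same-origin file, but worth a sentence in the doc so the asymmetry reads as deliberate. The Bootstrap JS shown also depends on jQuery, which is not among the visible includes; confirm it is loaded earlier in the template.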