Title: Host your Cryptpad web office suite with OpenBSD
Author: Solène
Date: 14 December 2020
Tags: web openbsd
Description:
In this article I will explain how to deploy your own cryptpad instance
with OpenBSD.
(HTM) Cryptpad official website
Cryptpad is a web office suite featuring easy real time collaboration
on documents. Cryptpad is written in JavaScript and the daemon acts as
a web server.
# Pre-requisites
You need to install the packages git, node, automake and autoconfig to
be able to fetch the sources and run the program.
```shell command
# pkg_add node git autoconf--%2.69 automake--%1.16
```
Another web front-end software will be required to allow TLS
connections and secure the network access to the Cryptpad instance.
This can be relayd, haproxy, nginx or lighttpd. I'll cover the setup
using httpd, and relayd. Note that Cryptpad developers will provide
support only to Nginx users.
# Installation
I really recommend using dedicated users daemons. We will create a new
user with the command:
```shell command
# useradd -m _cryptpad
```
Then we will continue the software installation as the `_cryptpad`
user.
```shell command
# su -l _cryptpad
```
We will mainly follow the official instructions with some exceptions to
adapt to OpenBSD:
(HTM) Official installation guide
```shell command
$ git clone https://github.com/xwiki-labs/cryptpad
$ cd cryptpad
$ env AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.69 CC=clang CXX=clang++ npm install
$ env AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.69 CC=clang CXX=clang++ npm install bower
$ node_modules/.bin/bower install
$ cp config/config.example.js config/config.js
```
# Configuration
There are a few variables important to customize:
* "httpUnsafeOrigin" should be set to the public address on which
cryptpad will be available. This will certainly be a HTTPS link with an
hostname. I will use https://cryptpad.kongroo.eu
* "httpSafeOrigin" should be set to a public address which is different
than the previous one. Cryptpad requires two different addresses to
work. I will use https://api.cryptpad.kongroo.eu
* "adminEmail" must be set to a valid email used by the admin
(certainly you)
# Make a rc file to start the service
We need to automatically start the service properly with the system.
Create the file /etc/rc.d/cryptpad
```script file to run cryptpad as a service from /etc/rc
#!/bin/ksh
daemon="/usr/local/bin/node"
daemon_flags="server"
daemon_user="_cryptpad"
location="/home/_cryptpad/cryptpad"
. /etc/rc.d/rc.subr
rc_start() {
${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
}
rc_bg=YES
rc_cmd $1
```
Enable the service and start it with rcctl
```shell commands
# rcctl enable cryptpad
# rcctl start cryptpad
```
# Operating
## Make an admin account
Register yourself on your Cryptpad instance then visit the *Settings*
page of your profile: copy your public signing key.
Edit Cryptpad file config.js and search for the pattern "adminKeys",
uncomment it by removing the "/* */" around and delete the example key
and paste your key as follow:
```configuration file sample
adminKeys: [
"[solene@cryptpad.kongroo.eu/YzfbEYwZq6Xhl7ET6AHD01w3QqOE7STYgGglgSTgWfk=]",
],
```
Restart Cryptpad, the user is now admin and has access to a new
administration panel from the web application.
## Backups
In the cryptpad directory, you need to backup `data` and `datastore`
directories.
# Extra configuration
In this section I will explain how to configure generate your TLS
certificate with acme-client and how to configure httpd and relayd to
publish cryptpad. I consider it besides the current article because if
you have nginx and already a setup to generate certificates, you don't
need it. If you start from scratch, it's the easiest way to get the job
done.
(HTM) Acme client man page
(HTM) Httpd man page and
(HTM) Relayd man page
From here, I consider you use OpenBSD and you have blank configuration
files.
I'll use the domain **kongroo.eu** as an example.
## httpd
We will use httpd in a very simple way. It will only listen on port 80
for all domain to allow acme-client to work and also to automatically
redirect http requests to https.
```shell commands
# cp /etc/examples/httpd.conf /etc/httpd.conf
# rcctl enable httpd
# rcctl start httpd
```
## acme-client
We will use the example file as a default:
```shell commands
# cp /etc/examples/acme-client.conf /etc/acme-client.conf
```
Edit `/etc/acme-client.conf` and change the last domain block, replace
`example.com` and `secure.example.com` with your domains, like
`cryptpad.kongroo.eu` and `api.cryptpad.kongroo.eu` as alternative
name.
For convenience, you will want to replace the path for the full chain
certificate to have `hostname.crt` instead of `hostname.fullchain.pem`
to match relayd expectations.
This looks like this paragraph on my setup:
```Configuration file sample
domain kongroo.eu {
alternative names { api.cryptpad.kongroo.eu cryptpad.kongroo.eu }
domain key "/etc/ssl/private/kongroo.eu.key"
domain full chain certificate "/etc/ssl/kongroo.eu.crt"
sign with buypass
}
```
Note that with the default acme-client.conf file, you can use
*letsencrypt* or *buypass* as a certification authority.
(HTM) acme-client.conf man page
You should be able to create your certificates now.
```shell command
# acme-client kongroo.eu
```
Done!
You will want the certificate to be renewed automatically and relayd to
restart upon certificate change. As stated by acme-client.conf man
page, add this to your root crontab using `crontab -e`:
```crontab entry
~ * * * * acme-client kongroo.eu && rcctl reload relayd
```
## relayd
This configuration is quite easy, replace `kongroo.eu` with your
domain.
Create a /etc/relayd.conf file with the following content:
(HTM) relayd.conf man page
```Configuration file sample
tcp protocol "https" {
tls keypair kongroo.eu
}
relay "https" {
listen on egress port 443 tls
protocol https
forward to 127.0.0.1 port 3000
}
```
Enable and start relayd using rcctl:
```shell commands
# rcctl enable relayd
# rcctl start relayd
```
## Conclusion
You should be able to reach your Cryptpad instance using the public URL
now. Congratulations!