One may want to provide ikiwiki hosting with git+ssh access and the web server located on different hosts. Here's a description of such a setup, using password-less SSH for communication between the two hosts.

Git server

Let's create a user called ikiwiki_example. This user gets SSH access restricted to Git pull/push, using git-shell as its shell.

The root (bare) repository:

  • is stored in ~ikiwiki_example/ikiwiki_example.git
  • is owned by ikiwiki_example:ikiwiki_example
  • has permissions 0700

The master repository's post-update hook connects via SSH to webserver as user ikiwiki_example, in order to run ~/bin/ikiwiki.update on webserver. This hook, located in ~ikiwiki_example/ikiwiki_example.git/hooks/post-update, is executable and contains:

#!/bin/sh
/usr/bin/ssh ikiwiki_example@webserver bin/ikiwiki.update

Password-less SSH must be set up to make this possible. One can restrict gitserver:ikiwiki_example so that it can run only the needed command on the web server, using a line like this in webserver:~ikiwiki_example/.ssh/authorized_keys:

command="bin/ikiwiki.update",from="gitserver.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...
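
The options on this authorized_keys entry are what limit the git server's key to a single command from a single host. The script below is an added example, not part of the original page, that audits an authorized_keys file for entries missing them; the function names, key material and key comments are constructed placeholders, and it assumes OpenSSH's `restrict` option as an accepted substitute for the individual no-* options.

```shell
#!/bin/sh
# Added example (not from the original page): audit authorized_keys entries
# for the restrictions used above. Key material is a constructed placeholder.

# Print the restrictions missing from one authorized_keys line (empty = OK).
audit_line() {
    # Drop quoted values so commas/spaces inside them cannot confuse the split.
    # Limitation: escaped quotes (\") inside a value are not handled.
    opts=$(printf '%s\n' "$1" | sed 's/"[^"]*"//g' | awk '{print $1}')
    case $opts in
        ssh-*|ecdsa-*|sk-*) opts="" ;;   # first field is the key type: no options
    esac
    missing=""
    for want in command= from=; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    for want in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
        case ",$opts," in
            *",restrict,"*|*",$want,"*) ;;   # "restrict" implies all no-* options
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Read an authorized_keys file on stdin; report each non-compliant key line.
audit_keys() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        result=$(audit_line "$line")
        if [ -n "$result" ]; then
            echo "line $n: missing $result"
        fi
    done
}

# Constructed sample: line 2 matches the page's entry, line 3 is unrestricted,
# line 4 forces the command but leaves the source host and forwarding open.
audit_keys <<'EOF'
# webserver:~ikiwiki_example/.ssh/authorized_keys
command="bin/ikiwiki.update",from="gitserver.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER hook@gitserver
ssh-rsa AAAAPLACEHOLDER hook@gitserver
command="bin/ikiwiki.update",no-pty ssh-rsa AAAAPLACEHOLDER hook@gitserver
EOF
```

To check a real file, feed it on standard input: audit_keys < ~ikiwiki_example/.ssh/authorized_keys.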

Web server

Let's create a user called ikiwiki_example on webserver. She needs to have write permission to the destination directory.

The working tree repository (srcdir):

  • is stored in ~ikiwiki_example/src
  • is owned by ikiwiki_example:ikiwiki_example
  • has permissions 0700
  • has the following origin: ikiwiki_example@gitserver:ikiwiki_example.git

The CGI wrapper is generated with ownership set to ikiwiki_example:ikiwiki_example and permissions 06755.

Password-less SSH must be set up so that ikiwiki_example@webserver is allowed to push to the master repository. As noted earlier, SSH access to ikiwiki_example@gitserver is restricted to Git pull/push, which is just what we need.

The Git wrapper is generated in ~ikiwiki_example/bin/ikiwiki.update:

git_wrapper => '/home/ikiwiki_example/bin/ikiwiki.update'

As previously explained, this wrapper is run over SSH by the master repository's post-update hook; it pulls updates from the master repository and triggers a wiki refresh.