One may want to provide ikiwiki hosting with git+ssh access and web server located at different hosts. Here's a description for such a setup, using password-less SSH as a way of communication between these two hosts.
Git server
Let's create a user called ikiwiki_example
. This user gets SSH
access restricted to GIT pull/push, using git-shell
as a shell.
The root (bare) repository:
- is stored in
~ikiwki_example/ikiwiki_example.git
- is owned by
ikiwiki_example:ikiwiki_example
- has permissions 0700
The master repository's post-update hook connects via SSH to
webserver
as user ikiwiki_example
, in order to run
~/bin/ikiwiki.update
on webserver
; this post-update hook, located
in ~ikiwki_example/ikiwiki_example.git/hooks/post-update
, is
executable and contains:
#!/bin/sh
/usr/bin/ssh ikiwiki_example@webserver bin/ikiwiki.update
Password-less SSH must be setup to make this possible; one can
restrict gitserver:ikiwiki_example
to be able to run only the needed
command on the web server, using such a line in
webserver:~ikiwiki_example/.ssh/authorized_keys
:
command="bin/ikiwiki.update",from="gitserver.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...
Web server
Let's create a user called ikiwiki_example
on webserver
. She needs
to have write permission to the destination directory.
The working tree repository (srcdir
):
- is stored in
~ikiwki_example/src
- is owned by
ikiwiki_example:ikiwiki_example
- has permissions 0700
- has the following origin:
ikiwiki_example@gitserver:ikiwiki_example.git
The CGI wrapper is generated with ownership set to
ikiwiki_example:ikiwiki_example
and permissions 06755
.
Password-less SSH must be setup so that ikiwiki_example@webserver
is
allowed to push to the master repository. As told earlier, SSH access
to ikiwiki_example@gitserver
is restricted to GIT pull/push, which
is just what we need.
The Git wrapper is generated in ~ikiwiki_example/bin/ikiwiki.update
:
git_wrapper => '/home/ikiwiki_example/bin/ikiwiki.update'
As previously explained, this wrapper is run over SSH by the master repository's post-update hook; it pulls updates from the master repository and triggers a wiki refresh.