{"id":5129,"date":"2020-11-02T19:05:38","date_gmt":"2020-11-02T18:05:38","guid":{"rendered":"https:\/\/rakhesh.com\/?p=5129"},"modified":"2020-11-02T19:23:55","modified_gmt":"2020-11-02T18:23:55","slug":"gitea-on-openbsd-6-8","status":"publish","type":"post","link":"https:\/\/rakhesh.com\/linux-bsd\/gitea-on-openbsd-6-8\/","title":{"rendered":"Gitea on OpenBSD 6.8"},"content":{"rendered":"
<p>I signed up for OpenBSD.amsterdam this weekend. They give you OpenBSD VMs hosted on OpenBSD (how cool is that! I never see the point of having FreeBSD or OpenBSD hosted on KVM running on Linux… might as well just use Linux then!).<\/p>\n<p>I had tried it last year but gave up as the latency was bad (I was in Dubai, and OpenBSD virtualization had packet drops etc.). Fast-forward a year and I am in a different country and 2 OpenBSD releases have happened since then… so I figured why not give it a shot again.<\/p>\n<p>I am an OpenBSD fan boy even though I am no expert in it. Back during my Uni days I spent a lot of time on the BSDs and OpenBSD was the one I liked working with a lot. Maybe I am feeding into the hype of it being secure and preferring security over performance etc., but something about the fact that here is an OS that stands for something and is not afraid to compromise other aspects for it appeals to me. There’s a reason why I started with Linux as opposed to Windows years ago – I liked the philosophy of GNU, open source, and the decentralization that Linux stands for – and from there it was a short step to discovering the BSDs and liking what they stand for. Even on Linux I actively dislike Ubuntu; I can’t put a finger on why, but I just find it not to represent why I started using Linux. I like Debian and Arch Linux (and Manjaro) because I feel like they stand for something and I have a similar feeling towards OpenBSD. There’s a simplicity and philosophy about it that appeals to me, and even though something like <code>vmd<\/code> might not be as performant as KVM or bhyve nor have similar features, I’d still want to use it. You can see it when playing with OpenBSD software like <code>PF<\/code> or <code>httpd<\/code> or <code>relayd<\/code> etc. Even the <code>rc.d<\/code> system is opinionated.<\/p>\n<p>Anyways, enough digressing!<\/p>\n<p>I signed up for OpenBSD.amsterdam this weekend, set up FDE on it, and next I wanted to set up Gitea. You’ll recall my mentioning Gitea in a recent post on Gogs and there is a Gitea package on OpenBSD so I went with that.<\/p>\n
<h3>Install & Configure Gitea<\/h3>\n<p>Installing Gitea is straightforward:<\/p>\n<pre>doas pkg_add gitea<\/pre>\n<p>As part of installing it tells you the following:<\/p>\n<pre>Install notice:\r\nIf you are upgrading from gitea-<1.7.1, please note the following changes:\r\n\r\n* Configuration file location has changed from \/etc\/gitea\/conf\/app.ini\r\n to \/etc\/gitea\/app.ini\r\n\r\n* GITEA_CUSTOM directory location has changed from \/etc\/gitea\r\n to \/var\/gitea\/custom\r\n\r\n* Default ROOT_PATH for logs has changed from \/var\/gitea\/log\r\n to \/var\/log\/gitea<\/pre>\n<p>To configure Gitea edit <code>\/etc\/gitea\/app.ini<\/code> (as root or via <code>doas<\/code>). The config cheat sheet has info on what the options mean. I made the following changes in the <code>[server]<\/code> section:<\/p>\n<pre>[server]\r\n; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.\r\nPROTOCOL = fcgi\r\nDOMAIN = git.example.com\r\nROOT_URL = https:\/\/git.example.com\/\r\n; when STATIC_URL_PREFIX is empty it will follow ROOT_URL\r\nSTATIC_URL_PREFIX =\r\n; The address to listen on. Either a IPv4\/IPv6 address or the path to a unix socket.\r\nHTTP_ADDR = 127.0.0.1\r\n; The port to listen on. Leave empty when using a unix socket.\r\nHTTP_PORT = 3000<\/pre>\n<p>This defines your Gitea URLs, what protocol it should listen on, what port & IP address etc. <strong>NOTE<\/strong>: Change the URLs to match your configuration.<\/p>\n<p>Gitea has its own web server and you can use that if you want (either directly or put it behind <code>relayd<\/code>). I don’t want to, so I set the protocol to be <code>fcgi<\/code> to have it listening via the FastCGI protocol on 127.0.0.1:3000, and I will have the web server pass on requests to this <code>IP:port<\/code>.<\/p>\n
<h4>Aside<\/h4>\n<p>Actually, when I set up Gitea the first time I didn’t take the route above. I was impatient and just wanted it up and running so I could quickly do the initial config. So what I did is set the protocol to <code>http<\/code> instead of <code>fcgi<\/code>:<\/p>\n<pre>[server]\r\n; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.\r\nPROTOCOL = http\r\nDOMAIN = git.example.com\r\nROOT_URL = https:\/\/git.example.com\/\r\n; when STATIC_URL_PREFIX is empty it will follow ROOT_URL\r\nSTATIC_URL_PREFIX =\r\n; The address to listen on. Either a IPv4\/IPv6 address or the path to a unix socket.\r\nHTTP_ADDR = 127.0.0.1\r\n; The port to listen on. Leave empty when using a unix socket.\r\nHTTP_PORT = 3000<\/pre>\n<p>Then I did the following from my home machine:<\/p>\n<pre>ssh -L 127.0.0.1:3000:127.0.0.1:3000 -N <my openbsd vm><\/pre>\n<p>This opens an SSH session to the OpenBSD VM, does not open a console (<code>-N<\/code>), and forwards <code>127.0.0.1:3000<\/code> on the local machine to <code>127.0.0.1:3000<\/code> on the OpenBSD VM. Thus I could then go to <code>http:\/\/127.0.0.1:3000<\/code> on my home machine and quickly configure Gitea and play around with it (e.g. create my initial user, disable new registrations etc.).<\/p>\n<p>After this I set up <code>httpd<\/code> as I detail below and changed the Gitea config to use <code>fcgi<\/code> instead.<\/p>\n
<h3>Setting up the web server and SSL<\/h3>\n<p>Now that Gitea is installed and configured and listening on <code>127.0.0.1:3000<\/code> over the FastCGI protocol, I want to set up OpenBSD’s web server <code>httpd<\/code> to forward requests to it. I also want to set up SSL certs from Let’s Encrypt.<\/p>\n<p>OpenBSD comes with its own ACME client so one doesn’t need something like <code>certbot<\/code> (although it too is packaged if the default ACME client isn’t enough; the package name is <code>certbot<\/code>). I created <code>\/etc\/acme-client.conf<\/code> with the following:<\/p>\n<pre>#\r\n# $OpenBSD: acme-client.conf,v 1.4 2020\/09\/17 09:13:06 florian Exp $\r\n#\r\nauthority letsencrypt {\r\n api url \"https:\/\/acme-v02.api.letsencrypt.org\/directory\"\r\n account key \"\/etc\/acme\/letsencrypt-privkey.pem\"\r\n}\r\n\r\nauthority letsencrypt-staging {\r\n api url \"https:\/\/acme-staging-v02.api.letsencrypt.org\/directory\"\r\n account key \"\/etc\/acme\/letsencrypt-staging-privkey.pem\"\r\n}\r\n\r\nauthority buypass {\r\n api url \"https:\/\/api.buypass.com\/acme\/directory\"\r\n account key \"\/etc\/acme\/buypass-privkey.pem\"\r\n contact \"mailto:me@example.com\"\r\n}\r\n\r\nauthority buypass-test {\r\n api url \"https:\/\/api.test4.buypass.no\/acme\/directory\"\r\n account key \"\/etc\/acme\/buypass-test-privkey.pem\"\r\n contact \"mailto:me@example.com\"\r\n}\r\n\r\ndomain git.example.com {\r\n alternative names { gitea.example.com }\r\n domain key \"\/etc\/ssl\/private\/git.example.com.key\"\r\n domain full chain certificate \"\/etc\/ssl\/git.example.com.fullchain.pem\"\r\n sign with letsencrypt\r\n}<\/pre>\n<p>This is a copy of the example configuration at <code>\/etc\/examples\/acme-client.conf<\/code> with the <code>domain<\/code> block being what I modified from the default to suit my needs. This file defines the letsencrypt URLs etc., and what the <code>domain<\/code> bit defines is how my domain (git.example.com in this case, with an alternate name of gitea.example.com) is to be configured. This section defines which letsencrypt service to use (the production one or the staging one) and where to store the keys etc. We’ll refer to these key locations later.<\/p>\n<p>If you already have <code>httpd<\/code> configured you can request a certificate now. Since I was doing a fresh install I had to configure <code>httpd<\/code> first.<\/p>\n<p>To do that I created <code>\/etc\/httpd.conf<\/code>:<\/p>\n<pre># $OpenBSD: httpd.conf,v 1.20 2018\/06\/13 15:08:24 reyk Exp $\r\n\r\n# default http server to redirect the request scheme \"http\" to \"https\"\r\nserver \"git.example.com\" {\r\n listen on * port 80\r\n\r\n # Enable the TCP NODELAY option for this connection. This is recommended to avoid delays in the data stream.\r\n tcp nodelay\r\n log style forwarded\r\n\r\n # ACME challenge\r\n location \"\/.well-known\/acme-challenge\/*\" {\r\n root \"\/acme\"\r\n request strip 2\r\n }\r\n\r\n location * {\r\n block return 302 \"https:\/\/$HTTP_HOST$REQUEST_URI\"\r\n }\r\n}\r\n\r\n# default https server\r\nserver \"git.example.com\" {\r\n listen on * tls port 443\r\n\r\n # Signal to the receiving user agent that this host and all sub domains of the host's domain should be considered HSTS hosts.\r\n hsts subdomains\r\n\r\n # Enable the TCP NODELAY option for this connection. This is recommended to avoid delays in the data stream.\r\n tcp nodelay\r\n log style forwarded\r\n\r\n # ACME challenge over TLS\r\n location \"\/.well-known\/acme-challenge\/*\" {\r\n root \"\/acme\"\r\n request strip 2\r\n }\r\n\r\n tls {\r\n certificate \"\/etc\/ssl\/git.example.com.fullchain.pem\"\r\n key \"\/etc\/ssl\/private\/git.example.com.key\"\r\n }\r\n\r\n location \"\/*\" {\r\n fastcgi socket tcp 127.0.0.1 3000\r\n }\r\n}<\/pre>\n<p>If you are not starting fresh like me you probably don’t need all of this as you’d have an <code>httpd.conf<\/code> file already with existing config. I didn’t, so I copied from <code>\/etc\/examples\/httpd.conf<\/code> and modified it a bit.<\/p>\n<p>The config file defines a web server listening on port 80 that redirects to port 443. It defines a URL <code>\/.well-known\/acme-challenge\/<\/code> which is a well-known URL used for ACME challenges. It also sets up some logging options.<\/p>\n<p>The config file also defines a web server listening on port 443 with TLS. This one is similar to the port 80 config but the bits of interest (or the addition to your existing config) are these:<\/p>\n<pre>tls {\r\n certificate \"\/etc\/ssl\/git.example.com.fullchain.pem\"\r\n key \"\/etc\/ssl\/private\/git.example.com.key\"\r\n }\r\n\r\n location \"\/*\" {\r\n fastcgi socket tcp 127.0.0.1 3000\r\n }<\/pre>\n<p>The first block defines the TLS key and certificate chain – notice the paths match what we defined in <code>acme-client.conf<\/code> earlier. And the second block sends all requests to the root path to <code>127.0.0.1:3000<\/code> over FastCGI.<\/p>\n<p>After this restart <code>httpd<\/code> if it is already running (or else do <code>doas rcctl -f start httpd<\/code> if you are starting it for the first time; the <code>-f<\/code> is to force a start as by default <code>\/etc\/rc.conf<\/code> has <code>httpd<\/code> disabled) and assuming all went well you now have OpenBSD’s web server up and running.<\/p>\n<p>Don’t go to <code>git.example.com<\/code> yet though as it won’t work. The port 80 website will redirect you to the TLS version but we don’t have certs yet.<\/p>\n<p>So request a certificate (line 1 is the command):<\/p>\n<pre>$ doas acme-client -v git.example.com\r\nacme-client: https:\/\/acme-v02.api.letsencrypt.org\/directory: directories\r\nacme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248\r\nacme-client: dochngreq: https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/8311450110\r\nacme-client: challenge, token: 3FNcXFGJA9o8Abhz7oG-dbxJqn9fFlXBju9uEzgpTMI, uri: https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/8311450110\/EHMT3A, status: 2\r\nacme-client: dochngreq: https:\/\/acme-v02.api.letsencrypt.org\/acme\/authz-v3\/8311552003\r\nacme-client: challenge, token: RAK5HCRkjN6_L5xmt_a9sEdTkZOLB04ZMuoL3vRgJiE, uri: https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/8311552003\/09IovQ, status: 0\r\nacme-client: \/var\/www\/acme\/RAK5HCRkjN6_L5xmt_a9sEdTkZOLB04ZMuoL3vRgJiE: created\r\nacme-client: https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/8311552003\/09IovQ: challenge\r\nacme-client: order.status 1\r\nacme-client: https:\/\/acme-v02.api.letsencrypt.org\/acme\/finalize\/101093471\/6000021232: certificate\r\nacme-client: order.status 3\r\nacme-client: https:\/\/acme-v02.api.letsencrypt.org\/acme\/cert\/03612fca44640b5b4429c5710a8b9b274cc8: certificate\r\nacme-client: \/etc\/ssl\/git.example.com.fullchain.pem: created<\/pre>\n<p>Assuming you had no errors and the certs were created like above, we are good to go.<\/p>\n<p>Now <code>doas rcctl reload httpd<\/code> and browsing to <code>https:\/\/git.example.com<\/code> should show you the Gitea page.<\/p>\n
<h3>Final Touches<\/h3>\n<p>Assuming all went fine so far, enable httpd so it launches automatically going forward:<\/p>\n<pre>doas rcctl enable httpd<\/pre>\n<p>Also do <code>crontab -e<\/code> as root and add the following line:<\/p>\n<pre>~ * * * * acme-client git.example.com && rcctl reload httpd<\/pre>\n<p>This will renew the certificate whenever it is about to expire and reload <code>httpd<\/code>.<\/p>\n<p>That’s all, now you can start playing with Gitea.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I signed up for OpenBSD.amsterdam this weekend. They give you OpenBSD VMs hosted on OpenBSD (how cool is that! I never see the point of having FreeBSD or OpenBSD hosted on KVM running on Linux… might as well just use Linux then!). I had tried it last year but gave up as the latency was … Continue reading Gitea on OpenBSD 6.8<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[76],"tags":[947,103,948,946,268,377,949],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/5129"}],"collection":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/comments?post=5129"}],"version-history":[{"count":0,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/5129\/revisions"}],"wp:attachment":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/media?parent=5129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/categories?post=5129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/tags?post=5129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}