Building Chargen.One

I've written this in case anyone else wants to try and build their own instance of #Chargen.One on OpenBSD. If you're looking for the easy route to getting Writefreely working, then docker is the way. This is the hard way, but as a federated blogging site with the *BSD community in mind, I felt it important that it runs on a BSD of some sort.

There are two systems involved in Chargen.One, a build system and a deployment system. There is actually a test environment but that's the same as the deployment environment. The build environment is called c0, the deployment is c1. Both run OpenBSD 6.4 at the time of writing.

This post covers setting up the initial webserver with nginx and Let's Encrypt. Part two will cover the MySQL config, part three the build and part four my deployment process.

Initial housekeeping

On the build system, start by following the process detailed in man afterboot.

I used an OpenBSD.Amsterdam VM for the deployment system, so there are some tweaks to implement before you start.

Installing Nginx and Lets Encrypt

The steps are the same on both c0 and c1. As root, run pkg_add nginx. Then update /etc/newsyslog.conf as described in /usr/local/share/doc/pkg-readmes/nginx so the nginx logs get rotated.

Preparing Nginx for LetsEncrypt

Add the line "include acme.conf;" to c1's port 80 server block, directly below the "root /var/www/htdocs;" line.

Now create a /etc/nginx/acme.conf file with the following (the alias points at acme-client's default challenge directory, and anything under the challenge path that does not exist returns 404 rather than falling through to the site):

    location ^~ /.well-known/acme-challenge {
        alias /var/www/acme;
        try_files $uri =404;
    }

Preparing LetsEncrypt

We'll configure c1 to use Let's Encrypt. All content will be served over HTTPS, with only the reader accessible over HTTP for older systems.

Create a domain entry at the bottom of the /etc/acme-client.conf file like the following:

    domain {
            domain key "/etc/ssl/private/"
            domain certificate "/etc/ssl/"
            domain full chain certificate "/etc/ssl/"
            sign with letsencrypt
    }

Getting certs and a working HTTPS setup

Restart nginx, run acme-client -vAD and you should have working certs. Now it's time to configure HTTPS. The commented out defaults are reasonably sane at the time of writing, just change things to point to your certs. Here's what I had set up. We'll change this later.

    server {
        listen       443;
        root         /var/www/htdocs;

        # "ssl on;" still works on the nginx shipped with 6.4, but it is
        # deprecated upstream; "listen 443 ssl;" is the current form.
        ssl                  on;
        ssl_certificate      /etc/ssl/;
        ssl_certificate_key  /etc/ssl/private/;

        ssl_session_timeout  5m;
        ssl_session_cache    shared:SSL:1m;

        ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;
    }
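As an added example, not taken from the post, here is how the port 80 and port 443 server blocks fit together once acme-client has written the certs. The domain example.org and the certificate file names are placeholders that follow the acme-client.conf(5) naming; substitute your own.

```nginx
# Added example, not the post's own config. example.org and the
# certificate file names are placeholders for your own domain.
server {
    listen       80;
    server_name  example.org;
    root         /var/www/htdocs;

    # Let acme-client answer HTTP-01 challenges from /var/www/acme
    # (the /etc/nginx/acme.conf file created above).
    include acme.conf;

    # The post keeps the reader reachable over plain HTTP for older
    # clients; that exception is a later step, so for now everything
    # else on port 80 is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen       443 ssl;        # current form of the deprecated "ssl on;"
    server_name  example.org;
    root         /var/www/htdocs;

    # Serve the full chain so clients that lack the intermediate can
    # still build a path to the root.
    ssl_certificate      /etc/ssl/example.org.fullchain.pem;
    ssl_certificate_key  /etc/ssl/private/example.org.key;

    # TLS 1.2 only: LibreSSL on OpenBSD 6.4 has no TLS 1.3 server
    # support, and older protocol versions are not worth enabling.
    ssl_protocols        TLSv1.2;
    ssl_ciphers          HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout  5m;
    ssl_session_cache    shared:SSL:1m;

    # Tell browsers to stay on HTTPS for six months, on every response.
    add_header Strict-Transport-Security "max-age=15768000" always;
}
```

Run "nginx -t" after editing to catch syntax errors before reloading.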