🍄Notes On Setting Up Mycorrhiza

Installing Mycorrhiza on OpenBSD

Mycorrhiza is an excellent wiki, and it's the same software that runs this very website! First, install it on OpenBSD by running # pkg_add mycorrhiza. You can find more details on mycorrhiza.wiki, but instead of using httpd and relayd, I'm using Nginx.

(Thank you to Solene for writing a tutorial on Nginx on OpenBSD.)

Installing Betula on OpenBSD

Betula is a bookmarking service just like Pinboard, but it's built for a single person. Just like Mycorrhiza, it's designed to be easy to deploy. It can also talk to the fediverse!

  • First, follow Betula's installation instructions to build the binary. Copy the binary from go/bin/betula to /usr/local/bin/betula.

  • Create a directory called /var/betula which will hold the SQLite file.

  • Run Betula when the computer starts using cron:

@reboot /usr/local/bin/betula /var/betula/links.betula

Note: Perhaps I can turn this into a package by taking inspiration from Mycorrhiza's Makefile?

Nginx configuration

http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;

    ...
    
    keepalive_timeout  65;
    gzip  on;
    server_tokens off;

    # Mycorrhiza
    server {
        listen 443 ssl;
        http2 on;
        server_name jagtalon.net;

        ssl_certificate /etc/ssl/jagtalon.net.crt;
        ssl_certificate_key /etc/ssl/private/jagtalon.net.key;

        location / {        
            proxy_pass http://127.0.0.1:1737;
            add_header Onion-Location http://q4yjadza5ad62fie7jx36vcrpyqzjjafo2bbrxkbcaufevrhhkhey6ad.onion$request_uri;
        }
        
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    }

    # Betula    
    server {
        listen 443 ssl;
        http2 on;
        server_name links.jagtalon.net;

        ssl_certificate /etc/ssl/jagtalon.net.crt;
        ssl_certificate_key /etc/ssl/private/jagtalon.net.key;

        location / {        
            proxy_pass http://127.0.0.1:1738;
            proxy_set_header Host $host;
            add_header Onion-Location http://ciyhhtxwyouczbqlganda6ndppahz5uspzha6wr5s3wa4sgvrn3i72id.onion$request_uri;
        }
        
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    }

    # Durian
    server {
        listen 443 ssl;
        http2 on;
        server_name durian-distro.org;
        root /var/www/htdocs/durian-distro.org;
        add_header Onion-Location http://j3rcq2et2mbop4ftzgvcu4pt2wjoij7nyhvnhehe36ge4hebxkhvunyd.onion$request_uri;

        ssl_certificate /etc/ssl/jagtalon.net.crt;
        ssl_certificate_key /etc/ssl/private/jagtalon.net.key;

        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    }

    server {
        listen 80;
        server_name localhost;
        root /var/www/htdocs/durian-distro.org;
    }

    # SSL for Mycorrhiza
    server {
        listen 80;
        server_name jagtalon.net;

        location /.well-known/acme-challenge/ {
            rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
            root /acme;
        } 

        location / {
            return 301 https://$server_name$request_uri;
        }
    }

    # SSL for Betula
    server {
        listen 80;
        server_name links.jagtalon.net;

        location /.well-known/acme-challenge/ {
            rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
            root /acme;
        } 

        location / {
            return 301 https://$server_name$request_uri;
        }
    }

    # SSL for Durian
    server {
        listen 80;
        server_name durian-distro.org;

        location /.well-known/acme-challenge/ {
            rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
            root /acme;
        } 

        location / {
            return 301 https://$server_name$request_uri;
        }
    }
}
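All three HTTPS blocks above still list TLSv1.1, which RFC 8996 deprecated along with TLSv1.0. The script below is an added example (not code from the page or from Nginx) that audits a config of this shape for that, and, going one step beyond the page, for HTTPS blocks that send no Strict-Transport-Security header; the sample config inside it is constructed for the demo.

```shell
# Added example, not part of the original page: audits an nginx config shaped
# like the one above. For every server block it reports ssl_protocols lines
# that still allow TLSv1 or TLSv1.1 (deprecated by RFC 8996) and, going one
# step beyond the page, HTTPS blocks that send no Strict-Transport-Security
# header. The sample config is constructed for the demo, not a live file.

# audit_nginx_tls FILE : print one line per finding; the exit status is the
# number of findings, so 0 means nothing to fix.
audit_nginx_tls() {
    awk '
        /^[[:space:]]*server[[:space:]]*[{]/ {   # new server block
            depth = 1; name = "?"; ssl = 0; hsts = 0; weak = ""; next
        }
        depth == 0 { next }                      # outside any server block
        /[{]/ { depth++ }
        /server_name/ { sub(/;.*/, ""); name = $2 }
        /listen .*ssl/ { ssl = 1 }
        /ssl_protocols/ && /TLSv1(\.1)?([[:space:]]|;)/ {
            weak = $0; sub(/^[[:space:]]+/, "", weak); sub(/;.*/, "", weak)
        }
        /Strict-Transport-Security/ { hsts = 1 }
        /[}]/ {
            if (--depth > 0) next                # still inside the block
            if (weak != "") { print name ": deprecated protocol enabled: " weak; n++ }
            if (ssl && !hsts) { print name ": no Strict-Transport-Security header"; n++ }
        }
        END { exit n }
    ' "$1"
}

# sample_config : the first vhost copies the weak settings from the page, the
# second is the hardened equivalent (TLS 1.2/1.3 only, HSTS set).
sample_config() {
    cat <<'EOF'
    server {
        listen 443 ssl;
        server_name jagtalon.net;
        location / { proxy_pass http://127.0.0.1:1737; }
        ssl_protocols TLSv1.1 TLSv1.2;
    }
    server {
        listen 443 ssl;
        server_name links.jagtalon.net;
        add_header Strict-Transport-Security "max-age=63072000" always;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
EOF
}
```

Run it as `sample_config > /tmp/nginx.conf; audit_nginx_tls /tmp/nginx.conf` to see the two findings for the first vhost and none for the second.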

Cron for renewing SSL certificates

@daily acme-client -v jagtalon.net && ln -fs /etc/ssl/jagtalon.net.fullchain.pem /etc/ssl/jagtalon.net.crt && rcctl restart nginx
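The cron line above works because acme-client exits 0 only when it actually renewed the certificate, 1 on error and 2 when the certificate was still valid, so the `&&` chain restarts nginx only on a real renewal. The wrapper below is an added example (not from the page or from OpenBSD) that makes the three outcomes explicit so a failure is not silent; it assumes the page's paths and, as an assumption, that it is saved as /usr/local/sbin/renew-cert.

```shell
# Added example, not from the original page: a wrapper for the renewal cron
# line above. acme-client(1) exits 0 when it issued or renewed a certificate,
# 1 on error, and 2 when the certificate was still valid and nothing changed.
# The "&&" chain on the page restarts nginx only on 0, which is right, but an
# error (1) looks the same as "nothing to do" unless cron mail is read.
# The command to run is passed as arguments so the logic can be exercised
# with a stand-in; the paths default to the page's and can be overridden.

DOMAIN="${DOMAIN:-jagtalon.net}"
FULLCHAIN="${FULLCHAIN:-/etc/ssl/${DOMAIN}.fullchain.pem}"
CERT="${CERT:-/etc/ssl/${DOMAIN}.crt}"
RESTART_CMD="${RESTART_CMD:-rcctl restart nginx}"

# renew_cert CMD [ARGS...] : run the acme client command and react to its
# exit status. Returns 0 if nginx was restarted on a new certificate, 2 if
# the certificate was unchanged, 1 if renewal failed (old certificate stays).
renew_cert() {
    "$@"
    status=$?
    case $status in
        0)
            # New certificate: repoint the .crt symlink at the full chain so
            # nginx serves the intermediate too, then restart it.
            if ln -fs "$FULLCHAIN" "$CERT" && $RESTART_CMD; then
                echo "renewed ${DOMAIN}, nginx restarted"
                return 0
            fi
            echo "renewed ${DOMAIN} but installing it failed" >&2
            return 1 ;;
        2)
            echo "${DOMAIN} still valid, nothing to do"
            return 2 ;;
        *)
            # stderr is mailed by cron, so the failure becomes visible.
            echo "acme-client failed for ${DOMAIN} (exit ${status})" >&2
            return 1 ;;
    esac
}

# Assumed crontab entry when this file is saved as /usr/local/sbin/renew-cert:
# @daily /usr/local/sbin/renew-cert acme-client -v jagtalon.net
[ $# -gt 0 ] && renew_cert "$@"
```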

This is the configuration that I have for /etc/acme-client.conf:

authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        # ACMEv1 staging endpoint replaced with the current ACMEv2 one
        api url "https://acme-staging-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain jagtalon.net {
       alternative names { www.jagtalon.net,jagtalon.com,www.jagtalon.com,links.jagtalon.net,durian-distro.org }
       domain key "/etc/ssl/private/jagtalon.net.key"
       domain certificate "/etc/ssl/jagtalon.net.crt"
       domain full chain certificate "/etc/ssl/jagtalon.net.fullchain.pem"
       sign with letsencrypt
}

No copyright. This website is marked with CC0 1.0. Do whatever you want with anything in here. Steal, copy, distribute, modify, even sell. Fuck private property.