Static Sites

We also want different users to be able to host static sites through our host. Since we don’t want to give ssh access to the host directly, we will instead create a jail in which we set up the users who upload files to the system. Their files are then made accessible to our caddy jail as a read-only mount.

This system can easily be extended to a large number of static sites. We use this documentation site as the example for how the system works.

Directories

Each static site will need a directory that will be the webroot of that site. We create these on the root host under /usr/local/www/.

mkdir -p /usr/local/www/docs

Jail Creation

bastille create staticsites 14.2-RELEASE 10.0.0.100/8 bastille0

We set up a user for each static site to be hosted. Let’s set one up for the docs site:

Caution

Make sure to create the user in the staticsites jail through a bastille command and not on the root system of the host.

bastille cmd staticsites adduser

Name the user docs and use the defaults for all the options. Choose a complex password for the user.

Mount Directory

We can mount a directory from the host into a jail with the bastille mount command.

bastille mount staticsites /usr/local/www/docs /usr/home/docs/www nullfs rw 0 0

Note

We mount the directory into /usr/home/docs and not /home/docs because in the jail, /home is a symlink to /usr/home.

Besides the rw mount option, we also need to give the mounted directory the correct ownership, so that the docs user is able to write into it.

bastille cmd staticsites chown docs:docs /home/docs/www

Now we can mount the same directory into the caddy jail.

bastille mount caddy /usr/local/www/docs /usr/local/www/docs nullfs ro 0 0

Caution

Make sure to use the ro mount option, so that anything from inside the caddy jail only has read access.
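The two mounts above are the whole trust boundary of this setup: the webroot must be writable only from the upload jail and read-only from the caddy jail. The following script is an added example (not part of the original page or of Bastille itself) that checks this from the host by parsing the per-jail fstab files. It assumes, as an unverified assumption, that `bastille mount` records each entry in /usr/local/bastille/jails/<jail>/fstab in the form `<host_path> <jail_root>/<jail_path> nullfs <options> 0 0`; the sample fstab contents are constructed to mirror the two mounts on this page plus a deliberately wrong caddy entry.

```sh
#!/bin/sh
# Added example, not part of the original page: audit the nullfs mounts that
# `bastille mount` recorded, so the webroot is rw only in the upload jail and
# ro in the caddy jail.
#
# Assumption (not stated on the page): Bastille appends each mount to
# /usr/local/bastille/jails/<jail>/fstab as
#   <host_path> <jail_root>/<jail_path> nullfs <options> 0 0

BASTILLE_JAILS=/usr/local/bastille/jails

# check_mount_opts FSTAB_TEXT HOST_PATH EXPECTED_OPT
# Prints "ok" if every fstab line that mounts HOST_PATH carries EXPECTED_OPT
# (ro or rw, possibly among other comma-separated options), "bad" if at least
# one such line lacks it, and "missing" if HOST_PATH is not mounted at all.
check_mount_opts() {
    fstab_text=$1 host_path=$2 expected=$3
    found=0 bad=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        set -- $line               # split the line into fstab fields
        [ "$1" = "$host_path" ] || continue
        found=1
        case ",$4," in
            *",$expected,"*) ;;    # required option is present
            *) bad=1 ;;            # webroot mounted with the wrong mode
        esac
    done <<EOF
$fstab_text
EOF
    if [ "$found" -eq 0 ]; then echo missing
    elif [ "$bad" -eq 1 ]; then echo bad
    else echo ok
    fi
}

# audit_jail JAIL HOST_PATH EXPECTED_OPT
# Runs the same check against a live jail's fstab on the host;
# prints "nofstab" if that file is absent or unreadable.
audit_jail() {
    f=$BASTILLE_JAILS/$1/fstab
    [ -r "$f" ] || { echo nofstab; return; }
    check_mount_opts "$(cat "$f")" "$2" "$3"
}

# Constructed sample fstab contents (not taken from a real host).
STATICSITES_FSTAB='/usr/local/www/docs /usr/local/bastille/jails/staticsites/root/usr/home/docs/www nullfs rw 0 0'
CADDY_FSTAB_GOOD='/usr/local/www/docs /usr/local/bastille/jails/caddy/root/usr/local/www/docs nullfs ro 0 0'
CADDY_FSTAB_BAD='/usr/local/www/docs /usr/local/bastille/jails/caddy/root/usr/local/www/docs nullfs rw 0 0'

echo "staticsites rw:  $(check_mount_opts "$STATICSITES_FSTAB" /usr/local/www/docs rw)"
echo "caddy ro (good): $(check_mount_opts "$CADDY_FSTAB_GOOD" /usr/local/www/docs ro)"
echo "caddy ro (bad):  $(check_mount_opts "$CADDY_FSTAB_BAD" /usr/local/www/docs ro)"
# On the real host, after both mounts from this page:
#   audit_jail staticsites /usr/local/www/docs rw
#   audit_jail caddy /usr/local/www/docs ro
```

Running `audit_jail caddy /usr/local/www/docs ro` should print `ok`; a `bad` result means a webroot was mounted rw into the web-serving jail and the mount should be redone with `ro`.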

Caddyfile

Now let’s add a rule to our Caddyfile to serve files from this directory at the docs.* subdomain:

micro /usr/local/bastille/jails/caddy/root/usr/local/etc/caddy/Caddyfile

Inside the jail this file is /usr/local/etc/caddy/Caddyfile. Add the following site block:
docs.ezdk.org {
     root * /usr/local/www/docs
     file_server
}

and reload the config

bastille service caddy caddy reload

SSH Setup

We still need a way to upload our files to the staticsites jail. For this we will run sshd inside the jail:

bastille sysrc staticsites sshd_enable=YES
bastille service staticsites sshd start

We can work with the default settings for now, but we need some port forwarding to reach it from the internet. Since port 22 is already used by our root host, we will forward port 2222 on the host to port 22 in the jail:

bastille rdr staticsites tcp 2222 22

Let’s log in to test that everything works:

ssh -p 2222 docs@ez1.ezdk.org

Uploading files

We can use any kind of mechanism to put files into ~/www of the docs user, e.g. scp (note the capital -P for the port, since lowercase -p only preserves file times):

scp -P 2222 -r ./public/* docs@ez1.ezdk.org:~/www/