Wiki.js is an elegant looking wiki based on Markdown. It supports LDAP and many more authentication mechanisms. In this guide we describe how to install Wiki.js on Ubuntu 16.04.

Prerequisites

  • An Ubuntu 16.04 instance.

Install curl, Node.js v8.x and build-essential:

# apt -y install curl
# curl -sL https://deb.nodesource.com/setup_8.x | bash -
# apt -y install nodejs build-essential

Install MongoDB v3.4

# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
# echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-3.4.list
# apt update
# apt -y install mongodb-org

Start MongoDB:

# systemctl start mongod

Enable MongoDB at startup:

# systemctl enable mongod

Install git

The version that comes with Ubuntu 16.04 meets the minimum requirements, so there is no need to install it from upstream.

# apt -y install git

Install Wiki.js

# mkdir /srv/wiki.js
# cd /srv/wiki.js
# npm install wiki.js@latest

You will get this message:

> Browse to http://your-server:3000/ to configure your wiki! (Replaced your-server with the hostname or IP of your server!)
▐   ⠂    ▌ I'll wait until you're done ;)

Do as the message says. Let the wizard wait until we are done, and open another shell to work with.

Setup nginx

Install Nginx:

# apt -y install nginx

Create this VirtualHost configuration (/etc/nginx/sites-available/wiki.example.com.conf):

server {
    listen      [::]:80 ipv6only=off;
    server_name wiki.example.com;
    return      301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name  wiki.example.com;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;

    ssl_certificate /etc/nginx/ssl/wiki.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wiki.example.com.key;
    ssl_trusted_certificate /etc/nginx/ssl/CA.crt;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_next_upstream error timeout http_502 http_503 http_504;
    }
}

Enable the wiki.example.com VirtualHost:

# cd /etc/nginx/sites-enabled/
# ln -s ../sites-available/wiki.example.com.conf
# unlink default

Restart Nginx:

# systemctl restart nginx

Configure Wiki.js

After the installation you will be asked if you wish to run the configuration wizard. Select this and continue:

Yes, run configuration wizard on port 3000 (recommended)

Now browse to http://wiki.example.com/ and follow the installation wizard:

  • Welcome!: Start
  • System Check (if all good): Continue
  • General:
    • Site title: ExampleWiki
    • Host: https://wiki.example.com
    • Port: 3000
    • Site UI Language: English
    • Public Access: Not selected
    • Press: Continue
  • Important Considerations: Continue
  • Database: mongodb://localhost:27017/wiki
  • Database Check: Continue
  • Paths:
    • Local Data Path: ./data
    • Local Repository Path: ./repo
  • Git Repository: Skip this step
  • Git Repository Check: Continue
  • Administrator Account
    • Administrator Email: admin@example.com
    • Password: MySecretCombination
    • ConfirmPassword: MySecretCombination
  • Finalizing: Start

Enable Wiki.js on startup

# npm install -g pm2
# pm2 startup
# pm2 save

Setup LDAP

This is an optional step for those wishing to integrate Wiki.js in their LDAP infrastructure.

Trust CUT IST ISSUING CA

Connect to the LDAP (AD) server and get all certificates:

openssl s_client -showcerts -connect dcs03ist00.lim.tepak.int:636 | tee ldap.log

Hit ‘Ctrl-C’ to end the command.

The certificate with the ID ‘1’ in ldap.log is the ISSUING CA certificate. Extract the CUT IST ISSUING CA certificate and save it in cut_issuing_ca.crt:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Verify the certificate with:

openssl x509 -text -in cut_issuing_ca.crt

Add the CUT ISSUING CA in the trusted chain of the system:

cp cut_issuing_ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
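
Added example (not part of the original guide): a scripted form of the extraction step above, which pulls the chain entry with a given ID out of the saved `s_client -showcerts` log and checks that its subject is the issuer named by the server certificate (entry 0). The function names and the sample log are constructed for illustration.

```shell
# Added example: pick one certificate out of `openssl s_client -showcerts` output.

# Print the PEM block of chain entry $1 (the number before "s:") from log file $2.
extract_chain_cert() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac      # index must be a number
    awk -v want="$1" '
        BEGIN { idx = -1 }
        /^ *[0-9]+ s:/                  { idx = $1; next }
        /^-----BEGIN CERTIFICATE-----$/ { inpem = (idx == want) }
        inpem                           { print }
        /^-----END CERTIFICATE-----$/   { if (inpem) found = 1; inpem = 0; idx = -1 }
        END { exit !found }
    ' "$2"
}

# Succeed only if entry $1 carries the subject that entry 0 (the server) names as issuer.
is_issuer_of_leaf() {
    awk -v want="$1" '
        /^ *[0-9]+ s:/       { idx = $1; sub(/^ *[0-9]+ s:/, ""); subj[idx] = $0; next }
        /^ +i:/ && idx != "" { sub(/^ +i:/, ""); iss[idx] = $0; idx = "" }
        END { exit !((want in subj) && subj[want] == iss[0]) }
    ' "$2"
}

# Constructed sample log (names and base64 bodies are placeholders, not real certificates).
write_sample_log() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap.example.com
   i:/DC=com/DC=example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:/DC=com/DC=example/CN=Example Issuing CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
SVNTVUlORy1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
subject=/CN=ldap.example.com
EOF
}
```

On the guide's log this is `extract_chain_cert 1 ldap.log > cut_issuing_ca.crt`. Because the chain was fetched over the connection it is meant to authenticate, compare the output of `openssl x509 -noout -fingerprint -sha256 -in cut_issuing_ca.crt` with a fingerprint obtained from the CA administrators before running update-ca-certificates.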

Configure LDAP for Wiki.js

Make these changes in /srv/wiki.js/config.yml:

  ldap:
    enabled: true
    url: 'ldap://ldap.example.com:389'
    bindDn: 'cn=wiki,ou=dsa,dc=example,dc=com'
    bindCredentials: 'MyLDAPCredentials'
    searchBase: 'ou=people,dc=example,dc=com'
    searchFilter: '(uid={{username}})'
    tlsEnabled: true
    tlsCertPath: '/etc/ssl/certs/ca-certificates.crt'

Give Access permissions to authenticated users

Visit the Admin URL:

https://wiki.example.com/admin

Click on ‘Users’. You will get a list of users. You can give ‘Read and Write’ access to them from the ‘Access Rights’ field and you can upgrade them to ‘Global Administrators’ from the ‘Role Override’ field.

NOTE: LDAP users need to log in once before they can be given write access.

Enjoy your newly created Wiki!


These are the instructions for installing an [ORCID](http://orcid.org/)[^orcid] authentication node. We will be using the [simple-orcid-auth-node](https://github.com/ORCID/simple-orcid-auth-node)[^soan] developed by the ORCID organization.

### Assumptions

* An Ubuntu 16.04 server machine (the procedure also works on 14.04.x with some minor changes).
* A FQDN, let’s say *orcid.example.com*.
* Server IP is 10.2.2.2 in our case.
* Create an *orcid* user: `sudo useradd -r -m -d /var/www/html/orcid orcid`.
* For Ubuntu 14.04 it is better to use */var/www/orcid* instead of */var/www/html/orcid*.
* Also use `service restart` on 14.04.x instead of `systemctl restart`.

### Installing *simple-orcid-auth-node*

* Install necessary packages (as a privileged user):

```
$ sudo apt -y install nginx nodejs npm
```

__NOTE: If you are using Ubuntu 14.04.x do not install the [node](http://packages.ubuntu.com/trusty/node) package. This package is completely unrelated to [nodejs](https://nodejs.org/en/).__[^node]

* Download and extract *simple-orcid-auth-node* (as the *orcid* user):

```
sudo su - orcid
wget https://github.com/rcpeters/simple-orcid-auth-node/archive/master.tar.gz
tar xvzf master.tar.gz
```

* Install the application:

```
$ cd simple-orcid-auth-node-master/
$ npm install
```

* Test run the application (as the *orcid* user):

```
$ nodejs client-app.js
server started on 8000
```

Looks OK. Now point your Hit CTRL^C and move on.

__NOTE: If you prefer using the legacy `node client-app.js` invocation, you need to install the [nodejs-legacy](http://packages.ubuntu.com/xenial/nodejs-legacy) package as well.__

### Setting ORCID as an autostart service

* Autostart using *systemd*[^systemd] (Ubuntu 16.04):

* Create the */etc/systemd/system/orcid.service* service definition (as the *root* user):

```
$ cat > /etc/systemd/system/orcid.service << EOF
[Service]
ExecStart=/usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js
WorkingDirectory=/var/www/html/orcid/simple-orcid-auth-node-master
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=orcid
User=orcid
Group=orcid
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target
EOF
```

* Reload *systemd* and start the service:

```
$ sudo systemctl daemon-reload
$ sudo systemctl start orcid.service
```

* Verify that the service is started:

```
$ sudo systemctl status orcid.service
● orcid.service
   Loaded: loaded (/etc/systemd/system/orcid.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-04-27 09:00:16 UTC; 37s ago
 Main PID: 11141 (nodejs)
    Tasks: 5 (limit: 512)
   Memory: 24.1M
      CPU: 268ms
   CGroup: /system.slice/orcid.service
           └─11141 /usr/bin/nodejs /var/www/html/orcid/simple-orcid-auth-node-master/client-app.js

Apr 27 09:00:16 orcid systemd[1]: Started orcid.service.
Apr 27 09:00:16 orcid orcid[11141]: server started on 8000
```

* Autostart using *sysv-init* (Ubuntu 14.04.x):

* Prepare a *sysv-init* startup script or use mine for convenience:

```
$ cd /etc/init.d
$ wget https://raw.githubusercontent.com/theodotos/arena/master/orcid
$ chmod +x orcid
$ update-rc.d orcid enable
$ update-rc.d orcid defaults
```

Now *orcid* should be able to autostart after a reboot.

### Setting up nginx

* Prepare this configuration:

```
$ cat > /etc/nginx/sites-available/orcid << EOF
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name orcid.example.com;
    access_log /var/log/nginx/orcid.access.log;
    error_log /var/log/nginx/orcid.error.log;
    location / {
        proxy_pass http://localhost:8000/;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
```

* Enable the *orcid* site:

```
$ cd /etc/nginx/sites-enabled/
$ sudo ln -s /etc/nginx/sites-available/orcid
```

* Uncomment the following line in */etc/nginx/nginx.conf*[^nginx]:

```
server_names_hash_bucket_size 64;
```

* Restart *nginx*:

```
$ sudo systemctl restart nginx.service
```

* Verify *nginx* with `sudo systemctl status nginx.service`

Now you can visit the http://orcid.example.com site and test your setup.

### Going to production

By default, *simple-orcid-auth-node* uses the sandbox ORCID service, which is ideal for testing. This is what the configuration file (*helpers/config.js*) looks like:

```
module.exports = config = {
  // Config for OAuth2
  CLIENT_ID: 'APP-O9TUKAPVLALU1SOJ',
  CLIENT_SECRET: '0eafb938-020e-45a6-a148-3c222171d9d8',
  AUTHORIZE_URI: 'https://sandbox.orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.sandbox.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '127.0.0.1',
}
```

This setup will not work in production. You have to modify the **CLIENT_ID** and **CLIENT_SECRET** variables with your own credentials and change the **AUTHORIZE_URI** and **TOKEN_EXCHANGE_URI** to point to the production ORCID services:

```
module.exports = config = {
  // Config for OAuth2
  CLIENT_ID: 'APP-HSGSHJS335353GSGSG',
  CLIENT_SECRET: '56d4eb21-6622-8483-3422-f53f3fs53sfs35f',
  AUTHORIZE_URI: 'https://orcid.org/oauth/authorize',
  TOKEN_EXCHANGE_URI: 'https://api.orcid.org/oauth/token',
  CODE_CALLBACK_URI: 'http://localhost:8000/authorization-code-callback',
  // General server config
  PORT: '8000',
  SERVER_IP: '127.0.0.1',
}
...
```

Restart *nginx* and *orcid* when done:

```
$ sudo systemctl restart nginx.service orcid.service
```

References
----------

[^orcid]: https://en.wikipedia.org/wiki/ORCID
[^soan]: https://github.com/ORCID/simple-orcid-auth-node
[^node]: https://github.com/ORCID/simple-orcid-auth-node/issues/3
[^systemd]: https://www.digitalocean.com/community/tutorials/how-to-deploy-node-js-applications-using-systemd-and-nginx
[^nginx]: http://charles.lescampeurs.org/2008/11/14/fix-nginx-increase-server_names_hash_bucket_size