
**This is an old revision of the document!**

Setup dokuwiki using podman (rootless)

The goal of this howto is to

  • set up a dokuwiki container using podman (rootless; slightly different from docker)
  • use an SMB share for storing the data
  • on a server using enforcing SELinux (CentOS 7)

Mount the data on an SMB share

Add something similar to this to your /etc/fstab:

//vmhost/dokumente/dokuwiki     /home/<user>/dokuwiki-data      cifs  credentials=/root/.cifs,vers=3.0,uid=1000,gid=1000,context=system_u:object_r:container_file_t:s0,noexec,nosuid  0 0

Note: on an SELinux-enabled system you need to set the SELinux context correctly (exactly what ls -lZ shows for a directory that works in a container).

The credentials can be stored in a file only root can read. Use the highest number for vers possible; it may be even better to use the smb3 filesystem with posix in newer versions of Linux.

sudo mount $(pwd)/dokuwiki-data
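
A check for the fstab entry and credentials file described above, as an added example that is not part of the original howto. The helper names audit_cifs_entry and cred_file_private are hypothetical, and both sample lines are constructed (the second is a deliberately weak variant).

```sh
#!/bin/sh
# Added example: audit fstab-style cifs entries for the options this howto relies on.
# audit_cifs_entry and cred_file_private are hypothetical helper names.

# Print one finding per line for a single fstab entry; nothing is printed if it passes.
audit_cifs_entry() {
    set -f                       # disable globbing while the line is split into fields
    # shellcheck disable=SC2086
    set -- $1                    # device, mount point, fs type, options, dump, pass
    set +f
    case "$3" in cifs|smb3) ;; *) return 0 ;; esac
    opts=",$4,"
    case "$opts" in *,password=*|*,pass=*) echo "inline-password" ;; esac
    case "$opts" in *,credentials=*|*,cred=*) ;; *) echo "no-credentials-file" ;; esac
    case "$opts" in *,noexec,*) ;; *) echo "missing-noexec" ;; esac
    case "$opts" in *,nosuid,*) ;; *) echo "missing-nosuid" ;; esac
    case "$opts" in *,context=*:container_file_t:*) ;; *) echo "no-container-context" ;; esac
    case "$opts" in *,vers=1.0,*) echo "smb1-dialect" ;; esac
    return 0
}

# Succeed only if the credentials file grants nothing to group or others.
cred_file_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Constructed sample lines: the first mirrors the entry above, the second is a weak variant.
GOOD='//vmhost/dokumente/dokuwiki /home/user/dokuwiki-data cifs credentials=/root/.cifs,vers=3.0,uid=1000,gid=1000,context=system_u:object_r:container_file_t:s0,noexec,nosuid 0 0'
WEAK='//vmhost/dokumente/dokuwiki /home/user/dokuwiki-data cifs username=wiki,password=secret,vers=1.0,uid=1000 0 0'

echo "good entry findings: $(audit_cifs_entry "$GOOD" | tr '\n' ' ')"
echo "weak entry findings: $(audit_cifs_entry "$WEAK" | tr '\n' ' ')"
```

To audit a real system, feed each non-comment line of /etc/fstab to audit_cifs_entry and run cred_file_private as root against the file named in credentials=.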

Create the container and manage its lifecycle via podman

We use an “official” container image. This image assumes that it runs under docker and therefore as root. We run it using podman's pseudo-root technology (root inside the container is mapped to the current user), which is why we only use the root user in the container. php-fpm tries hard to prevent users from running it as root, so we need to change its startup options using this script, $HOME/dokuwiki-svc-php-fpm-run:

#!/usr/bin/with-contenv bash
# shellcheck shell=bash

# -F keeps php-fpm in the foreground, -R allows it to run as root
exec /usr/sbin/php-fpm82 -F -R

quadlet is the podman way of running containers using systemd:

[Unit]
Description=Wiki for documenting various service setups
 
[Container]
Image=lscr.io/linuxserver/dokuwiki:latest
Environment=PUID=0
Environment=PGID=0
Environment=TZ=Europe/Vienna
PublishPort=50080:80
PublishPort=50443:443
Volume=/home/$USER/dokuwiki:/config:z
Volume=/home/$USER/dokuwiki-data/:/config/dokuwiki/data/:z
Volume=/home/$USER/dokuwiki-svc-php-fpm-run:/etc/s6-overlay/s6-rc.d/svc-php-fpm/run:z
AutoUpdate=registry
 
[Install]
# user (rootless) units have no multi-user.target; default.target is the user-session equivalent
WantedBy=default.target

Replace $USER so it points to the correct user directory.

This creates a dokuwiki service with the correct podman call and also enables auto updates using podman auto-update.

systemctl --user daemon-reload
systemctl --user start dokuwiki
systemctl --user status dokuwiki
systemctl --user enable dokuwiki
# by default user processes will be terminated after logout
sudo loginctl enable-linger $USER

Reverse proxy on the host using apache

/etc/httpd/conf.d/sites-enabled/dokuwiki.siam.homeunux.net.conf

<VirtualHost *:80>
  ServerName dokuwiki.machine-deck.jeffries-tube.at
  ServerAlias dokuwiki.machine-deck.jeffries-tube.at
 
  Redirect / https://dokuwiki.machine-deck.jeffries-tube.at/
</VirtualHost>
<VirtualHost *:443>
  ServerName dokuwiki.machine-deck.jeffries-tube.at
  ServerAlias dokuwiki.machine-deck.jeffries-tube.at

  Include /etc/httpd/conf.d/shared/ssl.conf

  AllowEncodedSlashes NoDecode
  SSLProxyEngine On
  ProxyPreserveHost On

  # the backend certificate does not match 127.0.0.1 (we proxy to localhost), so
  # verification of the backend certificate is switched off; this is only acceptable
  # because the proxied connection never leaves the loopback interface
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # everything is passed to the HTTPS port published by the dokuwiki container
  ProxyPass           / https://127.0.0.1:50443/ retry=0
  ProxyPassReverse    / https://127.0.0.1:50443/
</VirtualHost>

Add the new virtual host to Let's Encrypt

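# SELinux is switched to permissive mode for the whole host while certbot runs
setenforce 0
# httpd is stopped so certbot's standalone server can bind ports 80 and 443
systemctl stop httpd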
sudo docker run -it --rm --name certbot \
            -v "/etc/letsencrypt:/etc/letsencrypt" \
            -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -v "/var/log/letsencrypt/:/var/log/letsencrypt/" \
            -p 80:80 -p 443:443 \
            certbot/certbot certonly --standalone -d [... the other letsencrypt domains],dokuwiki.machine-deck.jeffries-tube.at
systemctl start httpd
setenforce 1

Auto update

podman auto-update --dry-run --format "{{.Image}} {{.Updated}}"
# lscr.io/linuxserver/dokuwiki:latest pending
podman auto-update
dokuwiki/docker/setup_using_podman.1728223450.txt.gz · Last modified: by admin