This guide works fairly well on all recent Debian-based OSes (tested on Debian and Ubuntu).
It may not follow best practices everywhere, but it does for the most part. This guide will:
- Install NodeJS and a NodeJS version manager (n here)
- Install MongoDB
- Install the latest Wekan release
- Add a service script so that a wekan user can run it
- Configure a Nginx reverse proxy for Wekan
This guide takes the main steps of the Wekan wiki section.
To install NodeJS, please do it via your package manager using the NodeJS Repository. Choose your platform and the current LTS version (currently v4.x).
A good thing is that npm comes with your NodeJS install. We are going to install n, a version manager for NodeJS (basically, n installs the binaries of the desired version locally in /usr/local/n/versions/ and you can use the one you need for each application).
So in order to install n globally, run:
sudo npm install -g n
Since Wekan runs on Node 0.10.40, install it by running:
sudo n 0.10.40
We will use this later when we install the actual application.
To install MongoDB, please refer to the MongoDB installation doc. For Ubuntu 15 and Ubuntu 16, I would recommend using Debian 8 (or Debian 7) packages for now (I had problems with the Ubuntu 14 packages that were solved by using the Debian ones).
As you are probably going to be running this in a production environment (even if it is only on 1 server), we are going to set up a Replica Set.
To do so, add this at the end of your MongoDB config file (probably /etc/mongod.conf):
replication:
  replSetName: "001-rs"
Restart your MongoDB server. Then open a MongoDB console and initialize the set:
mongo
rs.initiate()
exit
After a few seconds the prompt should change to something like 001-rs:PRIMARY>, you can now type exit and continue with the rest of the guide.
We are going to install Wekan in /var/lib/wekan/, so create this directory and go into it. You should probably continue this section as root or just type sudo in front of your commands a lot.
So we are creating the directory, getting the latest release from GitHub (0.10.1 at the time I am writing) and extracting it:
mkdir -p /var/lib/wekan/
cd /var/lib/wekan/
wget https://github.com/wekan/wekan/releases/download/v0.10.1/wekan-0.10.1.tar.gz
tar xzvf wekan-0.10.1.tar.gz
You should now have a bundle/ folder that appeared in your install directory. We are going to install the Wekan dependencies with NPM, run:
cd bundle/programs/server
npm install
We are all set, everything is installed. Now, off to the part where we add all the nice things so that it runs nicely without breaking a sweat.
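The download above is extracted as root without any integrity check. As an added example (not part of the original guide or of the Wekan project), this function checks a tarball against a SHA-256 value and rejects unsafe member paths before extracting; the expected hash must come from a source you trust, since this page does not provide one, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: verify a release tarball before extracting it as root.
# The expected SHA-256 is an input you must obtain from a trusted source;
# the guide itself does not list one.

# verify_and_extract TARBALL EXPECTED_SHA256 DESTDIR
# Returns 0 on success, 1 on checksum mismatch, 2 on unsafe member paths.
verify_and_extract() {
    tarball=$1; expected=$2; dest=$3

    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi

    # Refuse absolute paths and ".." components before anything is written.
    if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2
        return 2
    fi

    mkdir -p "$dest"
    # --no-same-owner: do not restore the archive's uid/gid when run as root.
    tar -xzf "$tarball" -C "$dest" --no-same-owner
}

# Usage on the host (hash shown as a placeholder):
#   verify_and_extract wekan-0.10.1.tar.gz "<sha256-from-trusted-source>" /var/lib/wekan
```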
So that we don't have to make Wekan run in a screen and so that it can be launched when your server boots, we are going to create a systemd service.
First, let's create a wekan user so that root does not run your Wekan application.
adduser wekan --disabled-login --no-create-home
You can still su wekan if needed, but it has no password and you can't log in as wekan from the outside.
We also make our new user own all the Wekan install directory so that it can run it without any problem:
chown -R wekan:wekan /var/lib/wekan
Now create a file named wekan.service in /etc/systemd/system/ with your favorite text editor, with the following content:
[Unit]
Description=Wekan Server
After=syslog.target
After=network.target
[Service]
Type=simple
Restart=always
StandardOutput=syslog
SyslogIdentifier=Wekan
User=wekan
Group=wekan
Environment=MONGO_URL=mongodb://127.0.0.1:27017/wekan
Environment=ROOT_URL=https://example.com
Environment=PORT=4000
Environment=MAIL_URL=smtp://user:pass@mailserver.example.com:25/
WorkingDirectory=/var/lib/wekan
ExecStart=/usr/local/n/versions/node/0.10.40/bin/node /var/lib/wekan/bundle/main.js
[Install]
WantedBy=multi-user.target
You are of course invited to change the ROOT_URL, PORT and MAIL_URL to your own configuration.
To enable the service so that it starts with your host and to start it now, run:
systemctl enable wekan.service
systemctl start wekan.service
If you do not seem to be able to find wekan.service with the auto completion, run systemctl daemon-reload and try again.
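The unit above keeps MAIL_URL, including the SMTP password, in a file under /etc/systemd/system/ that is normally world-readable. This added example (not part of the original guide or of Wekan) writes it to a root-only environment file instead and adds a hardening drop-in; remove the Environment=MAIL_URL line from wekan.service when using it. The /etc/wekan/ path, the ROOT staging parameter and the assumption that Wekan needs no access to /home are choices made for this example.

```shell
#!/bin/sh
# Added example: keep MAIL_URL out of the world-readable unit file.
# ROOT is a staging prefix (hypothetical parameter); pass / on a real host.

# install_wekan_env ROOT MAIL_URL
install_wekan_env() {
    root=${1%/}; mail_url=$2
    envdir="$root/etc/wekan"
    dropin="$root/etc/systemd/system/wekan.service.d"

    mkdir -p "$envdir" "$dropin"

    # Create the file with restrictive permissions before writing the secret.
    ( umask 077 && printf 'MAIL_URL=%s\n' "$mail_url" > "$envdir/wekan.env" )
    chmod 600 "$envdir/wekan.env"

    # Drop-in: systemd (as root) reads the secret from the file, then starts
    # the service as the wekan user inside a tighter sandbox.
    cat > "$dropin/override.conf" <<'EOF'
[Service]
EnvironmentFile=/etc/wekan/wekan.env
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
EOF
    chmod 644 "$dropin/override.conf"
}

# Usage on the host, followed by a reload and restart:
#   install_wekan_env / 'smtp://user:pass@mailserver.example.com:25/'
#   systemctl daemon-reload && systemctl restart wekan.service
```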
Now we are going to set this up behind a nginx reverse proxy. So if it's not already done, install nginx with your current package manager.
If you already have a certificate for your domain you can use it here. If you don't, you can generate a self-signed certificate or even better, use Let's Encrypt to have a trusted (and 100% free) certificate (I may post a Let's Encrypt guide another day, but I'll link it here).
Create a wekan conf file in /etc/nginx/sites-available/ with the following conf:
upstream wekan {
    server 127.0.0.1:4000;
}
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    location / {
        # tell users to go to SSL version this time
        if ($ssl_protocol = "") {
            rewrite ^ https://$server_name$request_uri? permanent;
        }
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    add_header Strict-Transport-Security "max-age=15768000";
    ssl_certificate /path/to/your/certificat.pem;
    ssl_certificate_key /path/to/your/key.pem;
    ssl_dhparam /path/to/your/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_page 497 https://$host:$server_port$request_uri;
    location / {
        proxy_pass http://wekan;
        proxy_http_version 1.1;
        proxy_set_header Host $host:$server_port;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Nginx-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        proxy_send_timeout 86400;
        proxy_read_timeout 86400;
    }
}
Things to change here:
- example.com in both the 80 and 443 vhosts
- The paths to your certificate, its key and your dhparam file
The HTTPS configuration was created with the Mozilla SSL Configuration Generator on Intermediate to allow most clients to access (if you want a stricter HTTPS conf, use the Modern option in the generator).
You can now activate this conf file:
ln -s /etc/nginx/sites-available/wekan /etc/nginx/sites-enabled/wekan
systemctl reload nginx.service
Your Wekan instance should now be available where you wanted to put it! I may do a script to automate all of this and an update script soon, so stay tuned!
The service script is adapted from Rocket.Chat Ansible Role.
Good tutorial!!!