rdelaage
/
gmid
mirror of https://github.com/omar-polo/gmid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
gmid/site/quickstart.gmi

137 lines
4.7 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# gmid quickstart guide
gmid can be run in two different “modes”:
* configless: a quick way to serve a directory tree from the shell, useful for testing a capsule before uploading it
* daemon mode: gmid reads the configuration file and runs in the background
To run gmid in the “configless” mode, just type:
```serve a directory tree from the shell
$ gmid path/to/dir
```
gmid will then generate a certificate inside ~/.local/share/gmid and serve the given directory locally.
## Setting up a capsule with gmid
To host a Gemini capsule you need to run gmid in “daemon” mode, and so a configuration file is needed. The format of the configuration file is described in the manpage and is quite flexible, but something like the following should be enough to start:
```sample configuration file
# /etc/gmid.conf
server "example.com" {
cert "/etc/ssl/example.com.pem"
key "/etc/ssl/private/example.com.key"
# path to the root directory of your capsule
root "/var/gemini/example.com"
}
```
A certificate is needed for the capsule. Generate one for e.g. using contrib/gencert:
=> https://git.omarpolo.com/gmid/tree/contrib/gencert contrib/gencert
```generate a certificate using contrib/gencert
$ ./contrib/gencert example.com
Generating a 4096 bit RSA private key
.................................................++++
..........++++
writing new private key to './example.com.key'
-----
Generated files:
./example.com.pem : certificate
./example.com.key : private key
```
Move example.com.pem and example.com.key to a safe place and double check that the cert and key options in the configuration points to these files.
For example, save them in /etc/ssl/ (as root)
```how to save the certificate and private key in /etc/ssl
# mkdir -p /etc/ssl/private
# chown 700 /etc/ssl/private
# mv example.com.pem /etc/ssl/
# mv example.com.key /etc/ssl/private/
```
Then running gmid is as easy as
```running gmid
$ gmid -c /etc/gmid.conf
```
Congratulations, your capsule is online!
## Securing your gmid installation
gmid employs various techniques to prevent the damage caused by bugs, but some steps needs to be done manually.
If gmid was installed from your distribution package manager, chance are that it already does all of this and is also providing a service to run gmid automatically (e.g. a rc script, a systemd unit file, …) Otherwise, its heavily suggested to create at least a dedicated user.
### A dedicated user
Ideally, gmid should be started as root and drop privileges to a local user. This way, the certificates can be readable only by root. For example, on GNU/linux systems a gmid user can be created with:
```how to create the gmid user
# useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid
```
Please consult your OS documentation for more information on the matter.
The configuration then needs to be adjusted to include the user directive at the top:
```how to use the user option
# /etc/gmid.conf
user "gmid"
server "example.com" { … }
```
gmid then needs to be started with root privileges, but will then switch to the provided user automatically. If by accident the user option is omitted and gmid is running as root, it will complain loudly in the logs.
### chroot
Its a common practice for system daemons to chroot themselves into a directory. From here on Ill assume /var/gemini, but it can be any directory.
A chroot on UNIX-like OS is an operation that changes the “apparent” root directory (i.e. the “/”) from the current process and its child. Think of it like imprisoning a process into a directory and never letting it escape until it terminates.
Using a chroot may complicate the use of CGI scripts, because then all the dependencies of the scripts (sh, perl, libraries…) need to be installed inside the chroot too. For this very reason gmid supports FastCGI.
The chroot feature requires a dedicate user, see the previous section.
To chroot gmid inside a directory, use the chroot directive in the configuration file:
```how to use the chroot option
# /etc/gmid.conf
user "gmid"
# the given directory, /var/gemini in this case, must exists.
chroot "/var/gemini"
```
Note that once chroot is in place, every root directive is implicitly relative to the chroot, but cert and key arent!
For example, given the following configuration:
```example configuration using chroot
# /etc/gmid.conf
user "gmid"
chroot "/var/gemini"
server "example.com" {
cert "/etc/ssl/example.com.pem"
key "/etc/ssl/example.com.key"
root "/example.com"
}
```
The certificate and the key path are the specified ones, but the root directory of the virtual host is actually “/var/gemini/example.com/”.
Reference in New Issue View Git Blame Copy Permalink