1 0111ad5d 2021-10-09 op <!doctype html>
2 0111ad5d 2021-10-09 op <html lang="en">
4 35340c9f 2021-10-09 op <title>gmid quickstart</title>
5 0111ad5d 2021-10-09 op <meta charset="utf8" />
6 0111ad5d 2021-10-09 op <meta name="viewport" content="width=device-width, initial-scale=1" />
9 0111ad5d 2021-10-09 op font-family: monospace;
10 0111ad5d 2021-10-09 op font-size: 14px;
11 0111ad5d 2021-10-09 op max-width: 780px;
12 0111ad5d 2021-10-09 op margin: 0 auto;
13 0111ad5d 2021-10-09 op padding: 20px;
14 0111ad5d 2021-10-09 op padding-bottom: 80px;
18 0111ad5d 2021-10-09 op content: "# ";
22 0111ad5d 2021-10-09 op margin-top: 40px;
26 0111ad5d 2021-10-09 op content: "## ";
30 0111ad5d 2021-10-09 op content: "### ";
38 0111ad5d 2021-10-09 op blockquote::before {
39 0111ad5d 2021-10-09 op content: "> ";
42 0111ad5d 2021-10-09 op blockquote p {
43 0111ad5d 2021-10-09 op font-style: italic;
44 0111ad5d 2021-10-09 op display: inline;
47 0111ad5d 2021-10-09 op p.link::before {
48 0111ad5d 2021-10-09 op content: "→ ";
51 0111ad5d 2021-10-09 op strong::before { content: "*" }
52 0111ad5d 2021-10-09 op strong::after { content: "*" }
57 0111ad5d 2021-10-09 op background-color: #222;
59 0111ad5d 2021-10-09 op display: block;
60 0111ad5d 2021-10-09 op margin: 2em auto;
64 0111ad5d 2021-10-09 op border-radius: 5px;
68 0111ad5d 2021-10-09 op overflow: auto;
69 0111ad5d 2021-10-09 op padding: 1rem;
70 0111ad5d 2021-10-09 op background-color: #f0f0f0;
71 0111ad5d 2021-10-09 op border-radius: 3px;
75 0111ad5d 2021-10-09 op display: flex;
76 0111ad5d 2021-10-09 op flex-direction: row;
77 0111ad5d 2021-10-09 op justify-content: center;
81 0111ad5d 2021-10-09 op color: #9d109d;
85 0111ad5d 2021-10-09 op display: block;
86 0111ad5d 2021-10-09 op margin: 0 auto;
87 0111ad5d 2021-10-09 op max-width: 100%;
90 0111ad5d 2021-10-09 op @media (prefers-color-scheme: dark) {
92 0111ad5d 2021-10-09 op background-color: #222;
101 0111ad5d 2021-10-09 op background-color: #ddd;
105 0111ad5d 2021-10-09 op background-color: #353535;
109 0111ad5d 2021-10-09 op color: #ff4cff;
113 0111ad5d 2021-10-09 op @media (max-width: 400px) {
114 0111ad5d 2021-10-09 op pre.banner { font-size: 9px; }
117 0111ad5d 2021-10-09 op @media (max-width: 500px) {
118 0111ad5d 2021-10-09 op pre.banner { font-size: 10px; }
125 0111ad5d 2021-10-09 op <a href="/">Home</a> |
126 0111ad5d 2021-10-09 op <a href="contrib.html">contrib</a> |
128 0111ad5d 2021-10-09 op <a href="gmid.1.html">docs</a>
131 0111ad5d 2021-10-09 op <h1>gmid quickstart</h1>
132 0111ad5d 2021-10-09 op <p>gmid can be run in two different “modes”:</p>
134 0111ad5d 2021-10-09 op <dt>configless:</dt>
136 0111ad5d 2021-10-09 op a quick way to serve a directory tree from the shell, useful
137 0111ad5d 2021-10-09 op for testing a capsule before uploading it
139 0111ad5d 2021-10-09 op <dt>daemon mode:</dt>
141 0111ad5d 2021-10-09 op gmid reads the configuration file and runs in the background
144 0111ad5d 2021-10-09 op <p>To run gmid in the “configless” mode, just type:</p>
145 0111ad5d 2021-10-09 op <pre>$ gmid path/to/dir</pre>
147 0111ad5d 2021-10-09 op gmid will then generate a certificate inside ~/.local/share/gmid
148 540d05de 2021-10-09 op and serve the given directory locally.
151 0111ad5d 2021-10-09 op To run gmid in daemon mode a configuration file is needed. The
152 0111ad5d 2021-10-09 op format of the configuration file is described in the manpage and
153 0111ad5d 2021-10-09 op is quite flexible, but for simple setup something like the
154 0111ad5d 2021-10-09 op following should be enough:
156 0111ad5d 2021-10-09 op <pre># /etc/gmid.conf
158 0111ad5d 2021-10-09 op server "example.com" {
159 0111ad5d 2021-10-09 op cert "/path/to/certificate"
160 0111ad5d 2021-10-09 op key "/path/to/private-key"
161 0111ad5d 2021-10-09 op root "/var/gemini/example.com"
164 0111ad5d 2021-10-09 op A X.509 (TLS) certificate can be generated using
165 0111ad5d 2021-10-09 op <a href="https://git.omarpolo.com/gmid/tree/contrib/gencert">contrib/gencert</a>:
167 0111ad5d 2021-10-09 op <pre>$ ./contrib/gencert example.com
168 0111ad5d 2021-10-09 op Generating a 4096 bit RSA private key
169 0111ad5d 2021-10-09 op .................................................++++
170 0111ad5d 2021-10-09 op ..........++++
171 0111ad5d 2021-10-09 op writing new private key to './example.com.key'
174 0111ad5d 2021-10-09 op Generated files:
175 0111ad5d 2021-10-09 op ./example.com.pem : certificate
176 0111ad5d 2021-10-09 op ./example.com.key : private key</pre>
178 35340c9f 2021-10-09 op Optionally, move ‘example.com.pem’ and ‘example.com.key’ to
179 0111ad5d 2021-10-09 op another location.
182 0111ad5d 2021-10-09 op Make sure that the ‘cert’ and ‘key’ options in the configuration
183 0111ad5d 2021-10-09 op file points to these files.
185 0111ad5d 2021-10-09 op <p>Then running gmid is as easy as</p>
186 0111ad5d 2021-10-09 op <pre>$ gmid -c /etc/gmid.conf</pre>
187 0111ad5d 2021-10-09 op <h2>Securing your gmid installation</h2>
189 0111ad5d 2021-10-09 op gmid employs various techniques to prevent the damage caused by
190 0111ad5d 2021-10-09 op bugs, but some steps needs to be done manually.
193 0111ad5d 2021-10-09 op If gmid was installed from your distribution package manager,
194 0111ad5d 2021-10-09 op chance are that it already does all of this and is also
195 0111ad5d 2021-10-09 op providing a service to run gmid automatically (e.g. a systemd
196 0111ad5d 2021-10-09 op unit file, a rc script, …) Otherwise, it’s heavily suggested to
197 0111ad5d 2021-10-09 op create at least a dedicated user.
199 0111ad5d 2021-10-09 op <h3>A dedicated user</h3>
201 35340c9f 2021-10-09 op Ideally, gmid should be started with root privileges and drop
202 0111ad5d 2021-10-09 op privileges to a local user. This way, the created certificates
203 0111ad5d 2021-10-09 op can be readable only by root. For example, on GNU/linux systems
204 0111ad5d 2021-10-09 op a ‘gmid’ user can be created with:
206 35340c9f 2021-10-09 op <pre># useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid</pre>
208 0111ad5d 2021-10-09 op Please consult your OS documentation for more information on the
212 0111ad5d 2021-10-09 op The configuration then needs to be adjusted to include the
213 0111ad5d 2021-10-09 op ‘user’ directive at the top:
215 0111ad5d 2021-10-09 op <pre># /etc/gmid.conf
218 0111ad5d 2021-10-09 op server "example.com" { … }</pre>
220 0111ad5d 2021-10-09 op gmid then needs to be started with root privileges, but will
221 0111ad5d 2021-10-09 op then switch to the provided user automatically. If by accident
222 0111ad5d 2021-10-09 op the ‘user’ is forgotten and gmid is running as root, it will
223 0111ad5d 2021-10-09 op complain loudly in the logs.
225 0111ad5d 2021-10-09 op <h3>chroot</h3>
227 0111ad5d 2021-10-09 op It’s a common practice for system daemons to chroot themselves
228 0111ad5d 2021-10-09 op into a directory. From here on I’ll assume /var/gemini, but it
229 0111ad5d 2021-10-09 op can be any directory.
232 0111ad5d 2021-10-09 op A chroot on UNIX-like OS is an operation that changes the
233 0111ad5d 2021-10-09 op “apparent” root directory (i.e. “/”) from the current process
234 0111ad5d 2021-10-09 op and its child. Think of it like imprisoning a process into a
235 0111ad5d 2021-10-09 op directory and never letting it escape until it terminates.
238 0111ad5d 2021-10-09 op Using a chroot may complicate the use of CGI scripts, because
239 35340c9f 2021-10-09 op then all the dependencies of the scripts (like sh, perl,
240 35340c9f 2021-10-09 op libraries…) need to be installed inside the chroot too. For
241 35340c9f 2021-10-09 op this very reason gmid supports FastCGI.
244 0111ad5d 2021-10-09 op The chroot feature requires a dedicate user, see the previous
248 0111ad5d 2021-10-09 op To chroot gmid inside a directory, use the ‘chroot’ directive in
249 0111ad5d 2021-10-09 op the configuration file:
251 0111ad5d 2021-10-09 op <pre># /etc/gmid.conf
255 0111ad5d 2021-10-09 op # the given directory, /var/gemini in this case, must exists.
256 0111ad5d 2021-10-09 op chroot "/var/gemini"</pre>
258 0111ad5d 2021-10-09 op Note that once ‘chroot’ is in place, every ‘root’ directive is
259 0111ad5d 2021-10-09 op implicitly relative to the chroot, but ‘cert’ and ‘key’ aren’t!
261 0111ad5d 2021-10-09 op <p>For example, given the following configuration:</p>
262 0111ad5d 2021-10-09 op <pre># /etc/gmid.conf
265 0111ad5d 2021-10-09 op chroot "/var/gemini"
267 0111ad5d 2021-10-09 op server "example.com" {
268 0111ad5d 2021-10-09 op cert "/etc/ssl/example.com.pem"
269 0111ad5d 2021-10-09 op key "/etc/ssl/example.com.key"
270 0111ad5d 2021-10-09 op root "/example.com"
273 0111ad5d 2021-10-09 op The certificate and the key path are the specified ones, but the
274 0111ad5d 2021-10-09 op root directory of the virtual host is actually
275 0111ad5d 2021-10-09 op “/var/gemini/example.com/”.