1 21dc3794 2022-01-28 op # gmid quickstart guide
3 acc86215 2024-01-07 op The aim of this “quickstart” guide is to get your capsule up and running.
5 acc86215 2024-01-07 op gmid needs a configuration file to operate. The format is quite flexible and carefully described in the gmid.conf(5) manpage, but to start this should be enough:
7 0111ad5d 2021-10-09 op ```sample configuration file
8 0111ad5d 2021-10-09 op # /etc/gmid.conf
10 0111ad5d 2021-10-09 op server "example.com" {
11 acc86215 2024-01-07 op listen on * port 1965
12 33c4c3a5 2021-10-13 op cert "/etc/ssl/example.com.pem"
13 33c4c3a5 2021-10-13 op key "/etc/ssl/private/example.com.key"
15 33c4c3a5 2021-10-13 op # path to the root directory of your capsule
16 0111ad5d 2021-10-09 op root "/var/gemini/example.com"
20 acc86215 2024-01-07 op This will have gmid listening on any address on port 1965 and serving the directory /var/gemini/example.com.
22 ffd92e63 2022-04-07 op A TLS certificate is also needed. There are many way to obtain one (acme-client, certbot, ...) but within the Geminispace is common to use self-signed ones.
24 ffd92e63 2022-04-07 op One way to generate self-signed certificates is to use openssl(1), but contrib/gencert is easier to use:
26 2573332d 2022-07-07 op => TREE/contrib/gencert contrib/gencert
28 0111ad5d 2021-10-09 op ```generate a certificate using contrib/gencert
29 0111ad5d 2021-10-09 op $ ./contrib/gencert example.com
30 0111ad5d 2021-10-09 op Generating a 4096 bit RSA private key
31 0111ad5d 2021-10-09 op .................................................++++
32 0111ad5d 2021-10-09 op ..........++++
33 0111ad5d 2021-10-09 op writing new private key to './example.com.key'
36 0111ad5d 2021-10-09 op Generated files:
37 0111ad5d 2021-10-09 op ./example.com.pem : certificate
38 0111ad5d 2021-10-09 op ./example.com.key : private key
41 33c4c3a5 2021-10-13 op Move ‘example.com.pem’ and ‘example.com.key’ to a safe place and double check that the ‘cert’ and ‘key’ options in the configuration points to these files.
43 ffd92e63 2022-04-07 op One place could be ‘/etc/ssl/’
45 33c4c3a5 2021-10-13 op ```how to save the certificate and private key in /etc/ssl
46 33c4c3a5 2021-10-13 op # mkdir -p /etc/ssl/private
47 33c4c3a5 2021-10-13 op # chown 700 /etc/ssl/private
48 33c4c3a5 2021-10-13 op # mv example.com.pem /etc/ssl/
49 33c4c3a5 2021-10-13 op # mv example.com.key /etc/ssl/private/
52 0111ad5d 2021-10-09 op Then running gmid is as easy as
54 0111ad5d 2021-10-09 op ```running gmid
55 ffd92e63 2022-04-07 op # gmid -c /etc/gmid.conf
58 fc4b58d4 2021-10-11 op Congratulations, your capsule is online!
61 0111ad5d 2021-10-09 op ## Securing your gmid installation
63 ffd92e63 2022-04-07 op gmid employs various techniques to prevent the damage caused by bugs but some steps needs to be done manually.
65 ffd92e63 2022-04-07 op If gmid was installed from your distribution package manager chance are that it already does all of this and is also providing a service to easily run gmid (e.g. a rc script, a systemd unit file, …) Otherwise, it’s heavily suggested to create at least a dedicated user.
68 0111ad5d 2021-10-09 op ### A dedicated user
70 ffd92e63 2022-04-07 op Ideally, gmid should be started as root and then drop privileges. This allows to save the certificates in a directory that's readable only by root
72 db48d276 2022-05-02 op For example, on OpenBSD a ‘_gmid’ user can be created with:
75 db48d276 2022-05-02 op # useradd -c gmid -d /var/empty -s /sbin/nologin _gmid
78 db48d276 2022-05-02 op while on most GNU/linux systems it's:
80 0111ad5d 2021-10-09 op ```how to create the gmid user
81 35340c9f 2021-10-09 op # useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid
84 db48d276 2022-05-02 op or if you use systemd-sysusers:
86 3c04ffc0 2022-03-09 op ```how to create the gmid user, using systemd-sysusers
87 3c04ffc0 2022-03-09 op # systemd-sysusers contrib/gmid.sysusers
90 0111ad5d 2021-10-09 op Please consult your OS documentation for more information on the matter.
92 0111ad5d 2021-10-09 op The configuration then needs to be adjusted to include the ‘user’ directive at the top:
94 0111ad5d 2021-10-09 op ```how to use the ‘user’ option
95 0111ad5d 2021-10-09 op # /etc/gmid.conf
98 0111ad5d 2021-10-09 op server "example.com" { … }
101 db48d276 2022-05-02 op Now gmid needs to be started with root privileges but will switch to the provided user automatically. If by accident the ‘user’ option is omitted and gmid is running as root, it will complain loudly in the logs.
106 0111ad5d 2021-10-09 op It’s a common practice for system daemons to chroot themselves into a directory. From here on I’ll assume /var/gemini, but it can be any directory.
108 fc4b58d4 2021-10-11 op A chroot on UNIX-like OS is an operation that changes the “apparent” root directory (i.e. the “/”) from the current process and its child. Think of it like imprisoning a process into a directory and never letting it escape until it terminates.
110 acc86215 2024-01-07 op Using a chroot may complicate the setup since eventual FastCGI socket or files needed for DNS resolution need to be installed or copied inside the chroot too.
112 0111ad5d 2021-10-09 op The chroot feature requires a dedicate user, see the previous section.
114 0111ad5d 2021-10-09 op To chroot gmid inside a directory, use the ‘chroot’ directive in the configuration file:
116 0111ad5d 2021-10-09 op ```how to use the ‘chroot’ option
117 0111ad5d 2021-10-09 op # /etc/gmid.conf
121 0111ad5d 2021-10-09 op # the given directory, /var/gemini in this case, must exists.
122 0111ad5d 2021-10-09 op chroot "/var/gemini"
125 0111ad5d 2021-10-09 op Note that once ‘chroot’ is in place, every ‘root’ directive is implicitly relative to the chroot, but ‘cert’ and ‘key’ aren’t!
127 0111ad5d 2021-10-09 op For example, given the following configuration:
129 0111ad5d 2021-10-09 op ```example configuration using chroot
130 0111ad5d 2021-10-09 op # /etc/gmid.conf
133 0111ad5d 2021-10-09 op chroot "/var/gemini"
135 0111ad5d 2021-10-09 op server "example.com" {
137 0111ad5d 2021-10-09 op cert "/etc/ssl/example.com.pem"
138 0111ad5d 2021-10-09 op key "/etc/ssl/example.com.key"
139 0111ad5d 2021-10-09 op root "/example.com"
143 0111ad5d 2021-10-09 op The certificate and the key path are the specified ones, but the root directory of the virtual host is actually “/var/gemini/example.com/”.
