1 0111ad5d 2021-10-09 op # gmid quickstart
3 0111ad5d 2021-10-09 op gmid can be run in two different “modes”:
5 0111ad5d 2021-10-09 op * configless: a quick way to serve a directory tree from the shell, useful for testing a capsule before uploading it
6 0111ad5d 2021-10-09 op * daemon mode: gmid reads the configuration file and runs in the background
8 0111ad5d 2021-10-09 op To run gmid in the “configless” mode, just type:
10 0111ad5d 2021-10-09 op ```serve a directory tree from the shell
11 0111ad5d 2021-10-09 op $ gmid path/to/dir
14 540d05de 2021-10-09 op gmid will then generate a certificate inside ~/.local/share/gmid and serve the given directory locally.
16 0111ad5d 2021-10-09 op To run gmid in daemon mode a configuration file is needed. The format of the configuration file is described in the manpage and is quite flexible, but for simple setup something like the following should be enough:
18 0111ad5d 2021-10-09 op ```sample configuration file
19 0111ad5d 2021-10-09 op # /etc/gmid.conf
21 0111ad5d 2021-10-09 op server "example.com" {
22 0111ad5d 2021-10-09 op cert "/path/to/certificate"
23 0111ad5d 2021-10-09 op key "/path/to/private-key"
24 0111ad5d 2021-10-09 op root "/var/gemini/example.com"
28 0111ad5d 2021-10-09 op A X.509 (TLS) certificate can be generated using contrib/gencert
30 0111ad5d 2021-10-09 op => https://git.omarpolo.com/gmid/tree/contrib/gencert contrib/gencert
32 0111ad5d 2021-10-09 op ```generate a certificate using contrib/gencert
33 0111ad5d 2021-10-09 op $ ./contrib/gencert example.com
34 0111ad5d 2021-10-09 op Generating a 4096 bit RSA private key
35 0111ad5d 2021-10-09 op .................................................++++
36 0111ad5d 2021-10-09 op ..........++++
37 0111ad5d 2021-10-09 op writing new private key to './example.com.key'
40 0111ad5d 2021-10-09 op Generated files:
41 0111ad5d 2021-10-09 op ./example.com.pem : certificate
42 0111ad5d 2021-10-09 op ./example.com.key : private key
45 35340c9f 2021-10-09 op Optionally, move ‘example.com.pem’ and ‘example.com.key’ to another location.
47 0111ad5d 2021-10-09 op Make sure that the ‘cert’ and ‘key’ options in the configuration file points to these files.
49 0111ad5d 2021-10-09 op Then running gmid is as easy as
51 0111ad5d 2021-10-09 op ```running gmid
52 0111ad5d 2021-10-09 op $ gmid -c /etc/gmid.conf
56 0111ad5d 2021-10-09 op ## Securing your gmid installation
58 0111ad5d 2021-10-09 op gmid employs various techniques to prevent the damage caused by bugs, but some steps needs to be done manually.
60 0111ad5d 2021-10-09 op If gmid was installed from your distribution package manager, chance are that it already does all of this and is also providing a service to run gmid automatically (e.g. a systemd unit file, a rc script, …) Otherwise, it’s heavily suggested to create at least a dedicated user.
63 0111ad5d 2021-10-09 op ### A dedicated user
65 35340c9f 2021-10-09 op Ideally, gmid should be started with root privileges and drop privileges to a local user. This way, the created certificates can be readable only by root. For example, on GNU/linux systems a ‘gmid’ user can be created with:
67 0111ad5d 2021-10-09 op ```how to create the gmid user
68 35340c9f 2021-10-09 op # useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid
71 0111ad5d 2021-10-09 op Please consult your OS documentation for more information on the matter.
73 0111ad5d 2021-10-09 op The configuration then needs to be adjusted to include the ‘user’ directive at the top:
75 0111ad5d 2021-10-09 op ```how to use the ‘user’ option
76 0111ad5d 2021-10-09 op # /etc/gmid.conf
79 0111ad5d 2021-10-09 op server "example.com" { … }
82 0111ad5d 2021-10-09 op gmid then needs to be started with root privileges, but will then switch to the provided user automatically. If by accident the ‘user’ is forgotten and gmid is running as root, it will complain loudly in the logs.
87 0111ad5d 2021-10-09 op It’s a common practice for system daemons to chroot themselves into a directory. From here on I’ll assume /var/gemini, but it can be any directory.
89 0111ad5d 2021-10-09 op A chroot on UNIX-like OS is an operation that changes the “apparent” root directory (i.e. “/”) from the current process and its child. Think of it like imprisoning a process into a directory and never letting it escape until it terminates.
91 35340c9f 2021-10-09 op Using a chroot may complicate the use of CGI scripts, because then all the dependencies of the scripts (like sh, perl, libraries…) need to be installed inside the chroot too. For this very reason gmid supports FastCGI.
93 0111ad5d 2021-10-09 op The chroot feature requires a dedicate user, see the previous section.
95 0111ad5d 2021-10-09 op To chroot gmid inside a directory, use the ‘chroot’ directive in the configuration file:
97 0111ad5d 2021-10-09 op ```how to use the ‘chroot’ option
98 0111ad5d 2021-10-09 op # /etc/gmid.conf
102 0111ad5d 2021-10-09 op # the given directory, /var/gemini in this case, must exists.
103 0111ad5d 2021-10-09 op chroot "/var/gemini"
106 0111ad5d 2021-10-09 op Note that once ‘chroot’ is in place, every ‘root’ directive is implicitly relative to the chroot, but ‘cert’ and ‘key’ aren’t!
108 0111ad5d 2021-10-09 op For example, given the following configuration:
110 0111ad5d 2021-10-09 op ```example configuration using chroot
111 0111ad5d 2021-10-09 op # /etc/gmid.conf
114 0111ad5d 2021-10-09 op chroot "/var/gemini"
116 0111ad5d 2021-10-09 op server "example.com" {
117 0111ad5d 2021-10-09 op cert "/etc/ssl/example.com.pem"
118 0111ad5d 2021-10-09 op key "/etc/ssl/example.com.key"
119 0111ad5d 2021-10-09 op root "/example.com"
123 0111ad5d 2021-10-09 op The certificate and the key path are the specified ones, but the root directory of the virtual host is actually “/var/gemini/example.com/”.
