4 <title>gmid quickstart</title>
5 <meta charset="utf8" />
6 <meta name="viewport" content="width=device-width, initial-scale=1" />
9 font-family: monospace;
51 strong::before { content: "*" }
52 strong::after { content: "*" }
57 background-color: #222;
70 background-color: #f0f0f0;
77 justify-content: center;
90 @media (prefers-color-scheme: dark) {
92 background-color: #222;
101 background-color: #ddd;
105 background-color: #353535;
113 @media (max-width: 400px) {
114 pre.banner { font-size: 9px; }
117 @media (max-width: 500px) {
118 pre.banner { font-size: 10px; }
125 <a href="/">Home</a> |
126 <a href="contrib.html">contrib</a> |
128 <a href="gmid.1.html">docs</a>
131 <h1>gmid quickstart</h1>
132 <p>gmid can be run in two different “modes”:</p>
136 a quick way to serve a directory tree from the shell, useful
137 for testing a capsule before uploading it
139 <dt>daemon mode:</dt>
141 gmid reads the configuration file and runs in the background
144 <p>To run gmid in the “configless” mode, just type:</p>
145 <pre>$ gmid path/to/dir</pre>
147 gmid will then generate a certificate inside ~/.local/share/gmid
148 and serve the given directory locally.
150 <h2>Setting up a capsule with gmid</h2>
151 <p>To host a Gemini capsule you need to run gmid in “daemon” mode.</p>
153 To run gmid in daemon mode a configuration file is needed. The
154 format of the configuration file is described in the manpage and
155 is quite flexible, but something like the following should be
158 <pre># /etc/gmid.conf
160 server "example.com" {
161 cert "/etc/ssl/example.com.pem"
162 key "/etc/ssl/private/example.com/key"
164 # path to the root directory of your capsule
165 root "/var/gemini/example.com"
168 A certificate is needed for the capsule. Generate one for
170 <a href="https://git.omarpolo.com/gmid/tree/contrib/gencert">contrib/gencert</a>:
172 <pre>$ ./contrib/gencert example.com
173 Generating a 4096 bit RSA private key
174 .................................................++++
176 writing new private key to './example.com.key'
180 ./example.com.pem : certificate
181 ./example.com.key : private key</pre>
183 Move ‘example.com.pem’ and ‘example.com.key’ to a safe place and
184 double check that the ‘cert’ and ‘key’ options in the
185 configuration points to these files.
187 <p>For example, save them in ‘/etc/ssl/’ (as root)</p>
188 <pre># mkdir -p /etc/ssl/private
189 # chown 700 /etc/ssl/private
190 # mv example.com.pem /etc/ssl/
191 # mv example.com.key /etc/ssl/private/</pre>
193 Make sure that the ‘cert’ and ‘key’ options in the configuration
194 file points to these files.
196 <p>Then running gmid is as easy as</p>
197 <pre>$ gmid -c /etc/gmid.conf</pre>
198 <p>Congratulations, your capsule is online!</p>
199 <h2>Securing your gmid installation</h2>
201 gmid employs various techniques to prevent the damage caused by
202 bugs, but some steps needs to be done manually.
205 If gmid was installed from your distribution package manager,
206 chance are that it already does all of this and is also
207 providing a service to run gmid automatically (e.g. a rc script,
208 a systemd unit file …) Otherwise, it’s heavily suggested to
209 create at least a dedicated user.
211 <h3>A dedicated user</h3>
213 Ideally, gmid should be started as root and drop privileges to a
214 local user. This way, the certificates can be readable only by
215 root. For example, on GNU/linux systems a ‘gmid’ user can be
218 <pre># useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid</pre>
220 Please consult your OS documentation for more information on the
224 The configuration then needs to be adjusted to include the
225 ‘user’ directive at the top:
227 <pre># /etc/gmid.conf
230 server "example.com" { … }</pre>
232 gmid then needs to be started with root privileges, but will
233 then switch to the provided user automatically. If by accident
234 the ‘user’ option is omitted and gmid is running as root, it
235 will complain loudly in the logs.
239 It’s a common practice for system daemons to chroot themselves
240 into a directory. From here on I’ll assume /var/gemini, but it
241 can be any directory.
244 A chroot on UNIX-like OS is an operation that changes the
245 “apparent” root directory (i.e. the “/”) from the current
246 process and its child. Think of it like imprisoning a process
247 into a directory and never letting it escape until it
251 Using a chroot may complicate the use of CGI scripts, because
252 then all the dependencies of the scripts (sh, perl, libraries…)
253 need to be installed inside the chroot too. For this very
254 reason gmid supports FastCGI.
257 The chroot feature requires a dedicate user, see the previous
261 To chroot gmid inside a directory, use the ‘chroot’ directive in
262 the configuration file:
264 <pre># /etc/gmid.conf
268 # the given directory, /var/gemini in this case, must exists.
269 chroot "/var/gemini"</pre>
271 Note that once ‘chroot’ is in place, every ‘root’ directive is
272 implicitly relative to the chroot, but ‘cert’ and ‘key’ aren’t!
274 <p>For example, given the following configuration:</p>
275 <pre># /etc/gmid.conf
280 server "example.com" {
281 cert "/etc/ssl/example.com.pem"
282 key "/etc/ssl/example.com.key"
286 The certificate and the key path are the specified ones, but the
287 root directory of the virtual host is actually
288 “/var/gemini/example.com/”.
