1 <!doctype html>
2 <html lang="en">
3   <head>
4     <title>gmid quickstart</title>
5     <meta charset="utf8" />
6     <meta name="viewport" content="width=device-width, initial-scale=1" />
7     <style>
8     body {
9       font-family: monospace;
10       font-size: 14px;
11       max-width: 780px;
12       margin: 0 auto;
13       padding: 20px;
14       padding-bottom: 80px;
15     }
16 
17     h1::before {
18       content: "# ";
19     }
20 
21     h2 {
22       margin-top: 40px;
23     }
24 
25     h2::before {
26       content: "## ";
27     }
28 
29     h3::before {
30       content: "### ";
31     }
32 
33     blockquote {
34       margin: 0;
35       padding: 0;
36     }
37 
38     blockquote::before {
39       content: "> ";
40     }
41 
42     blockquote p {
43       font-style: italic;
44       display: inline;
45     }
46 
47     p.link::before {
48       content: "→ ";
49     }
50 
51     strong::before { content: "*" }
52     strong::after  { content: "*" }
53 
54     hr {
55       border: 0;
56       height: 1px;
57       background-color: #222;
58       width: 100%;
59       display: block;
60       margin: 2em auto;
61     }
62 
63     img {
64       border-radius: 5px;
65     }
66 
67     pre {
68       overflow: auto;
69       padding: 1rem;
70       background-color: #f0f0f0;
71       border-radius: 3px;
72     }
73 
74     pre.banner {
75       display: flex;
76       flex-direction: row;
77       justify-content: center;
78     }
79 
80     code, kbd {
81       color: #9d109d;
82     }
83 
84     img {
85       display: block;
86       margin: 0 auto;
87       max-width: 100%;
88     }
89 
90     @media (prefers-color-scheme: dark) {
91       body {
92         background-color: #222;
93         color: white;
94       }
95 
96       a {
97         color: aqua;
98       }
99 
100       hr {
101         background-color: #ddd;
102       }
103 
104       pre {
105         background-color: #353535;
106       }
107 
108       code, kbd {
109         color: #ff4cff;
110       }
111     }
112 
113     @media (max-width: 400px) {
114       pre.banner { font-size: 9px; }
115     }
116 
117     @media (max-width: 500px) {
118       pre.banner { font-size: 10px; }
119     }
120     </style>
121   </head>
122   <body>
123     <header>
124       <nav>
125         <a href="/">Home</a> |
126         <a href="contrib.html">contrib</a> |
127         Quickstart |
128         <a href="gmid.1.html">docs</a>
129       </nav>
130     </header>
131     <h1>gmid quickstart</h1>
132     <p>gmid can be run in two different “modes”:</p>
133     <dl>
134       <dt>configless:</dt>
135       <dd>
136         a quick way to serve a directory tree from the shell, useful
137         for testing a capsule before uploading it
138       </dd>
139       <dt>daemon mode:</dt>
140       <dd>
141         gmid reads the configuration file and runs in the background
142       </dd>
143     </dl>
144     <p>To run gmid in the “configless” mode, just type:</p>
145     <pre>$ gmid path/to/dir</pre>
146     <p>
147       gmid will then generate a certificate inside ~/.local/share/gmid
148       and serve the given directory locally.
149     </p>
150     <h2>Setting up a capsule with gmid</h2>
151     <p>To host a Gemini capsule you need to run gmid in “daemon” mode.</p>
152     <p>
153       To run gmid in daemon mode a configuration file is needed.  The
154       format of the configuration file is described in the manpage and
155       is quite flexible, but something like the following should be
156       enough to start:
157     </p>
158     <pre># /etc/gmid.conf
159 
160 server "example.com" {
161 	cert "/path/to/certificate"
162 	key  "/path/to/private-key"
163 	root "/var/gemini/example.com"
164 }</pre>
165     <p>
166       You also need to generate a certificate for the capsule.  A
167       X.509 (TLS) certificate can be generated for e.g. with
168       <a href="https://git.omarpolo.com/gmid/tree/contrib/gencert">contrib/gencert</a>:
169     </p>
170     <pre>$ ./contrib/gencert example.com
171 Generating a 4096 bit RSA private key
172 .................................................++++
173 ..........++++
174 writing new private key to './example.com.key'
175 -----
176 
177 Generated files:
178         ./example.com.pem : certificate
179         ./example.com.key : private key</pre>
180     <p>
181       Optionally, move ‘example.com.pem’ and ‘example.com.key’ to
182       another location.
183     </p>
184     <p>
185       Make sure that the ‘cert’ and ‘key’ options in the configuration
186       file points to these files.
187     </p>
188     <p>Then running gmid is as easy as</p>
189     <pre>$ gmid -c /etc/gmid.conf</pre>
190     <p>Congratulations, your capsule is online!</p>
191     <h2>Securing your gmid installation</h2>
192     <p>
193       gmid employs various techniques to prevent the damage caused by
194       bugs, but some steps needs to be done manually.
195     </p>
196     <p>
197       If gmid was installed from your distribution package manager,
198       chance are that it already does all of this and is also
199       providing a service to run gmid automatically (e.g. a systemd
200       unit file, a rc script, …)  Otherwise, it’s heavily suggested to
201       create at least a dedicated user.
202     </p>
203     <h3>A dedicated user</h3>
204     <p>
205       Ideally, gmid should be started as root and drop privileges to a
206       local user.  This way, the certificates can be readable only by
207       root.  For example, on GNU/linux systems a ‘gmid’ user can be
208       created with:
209     </p>
210     <pre># useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid</pre>
211     <p>
212       Please consult your OS documentation for more information on the
213       matter.
214     </p>
215     <p>
216       The configuration then needs to be adjusted to include the
217       ‘user’ directive at the top:
218     </p>
219     <pre># /etc/gmid.conf
220 user "gmid"
221 
222 server "example.com" { … }</pre>
223     <p>
224       gmid then needs to be started with root privileges, but will
225       then switch to the provided user automatically.  If by accident
226       the ‘user’ option is omitted and gmid is running as root, it
227       will complain loudly in the logs.
228     </p>
229     <h3>chroot</h3>
230     <p>
231       It’s a common practice for system daemons to chroot themselves
232       into a directory.  From here on I’ll assume /var/gemini, but it
233       can be any directory.
234     </p>
235     <p>
236       A chroot on UNIX-like OS is an operation that changes the
237       “apparent” root directory (i.e. the “/”) from the current
238       process and its child.  Think of it like imprisoning a process
239       into a directory and never letting it escape until it
240       terminates.
241     </p>
242     <p>
243       Using a chroot may complicate the use of CGI scripts, because
244       then all the dependencies of the scripts (sh, perl, libraries…)
245       need to be installed inside the chroot too.  For this very
246       reason gmid supports FastCGI.
247     </p>
248     <p>
249       The chroot feature requires a dedicate user, see the previous
250       section.
251     </p>
252     <p>
253       To chroot gmid inside a directory, use the ‘chroot’ directive in
254       the configuration file:
255     </p>
256     <pre># /etc/gmid.conf
257 
258 user "gmid"
259 
260 # the given directory, /var/gemini in this case, must exists.
261 chroot "/var/gemini"</pre>
262     <p>
263       Note that once ‘chroot’ is in place, every ‘root’ directive is
264       implicitly relative to the chroot, but ‘cert’ and ‘key’ aren’t!
265     </p>
266     <p>For example, given the following configuration:</p>
267     <pre># /etc/gmid.conf
268 
269 user "gmid"
270 chroot "/var/gemini"
271 
272 server "example.com" {
273 	cert "/etc/ssl/example.com.pem"
274 	key  "/etc/ssl/example.com.key"
275 	root "/example.com"
276 }</pre>
277     <p>
278       The certificate and the key path are the specified ones, but the
279       root directory of the virtual host is actually
280       “/var/gemini/example.com/”.
281     </p>
282   </body>
283 </html>