💾 Archived View for rawtext.club › ~sloum › geminilist › 002691.gmi captured on 2020-09-24 at 01:01:40. Gemini links have been rewritten to link to archived content

Critique my setup, please

Nathan Galt mailinglists at ngalt.com

Sat Sep 12 21:01:48 BST 2020

- - - - - - - - - - - - - - - - - - - 

I’m setting up a capsule on a VPS served up with Molly Brown. I’d like to get some feedback on what I should be doing, in case I’m doing something egregiously wrong. The capsule isn’t intended to be permanent, at least not yet, so I’m giving it the domain name of beepbeepbeep.example.

(It was only after I decided I should post this that I remembered that the best way to get good advice on the Internet is to post bad advice…)

I wasn’t sure how to make/get certs, so I stumbled around and found this:

https://github.com/michael-lazar/jetforce#tls-certificates

And then there’s also

sudo certbot certonly --standalone

as shown on <https://certbot.eff.org/lets-encrypt/ubuntufocal-other>.

I’m waffling back and forth on whether I should stick everything in some unprivileged user’s home directory (much like I do here) or if I should put things in “proper” places like /var/gemini. Opinions welcome. I do not intend for humans other than me to be inside this server ever.

Without further ado, the commands I used just now:

- - - - - - - - - 8< - - - - - - - - -

#!/bin/bash
apt update
apt upgrade --yes

apt install --yes fish bat
ln -s /usr/bin/batcat /usr/local/bin/bat

mkdir /etc/skel/.ssh
cp ~/.ssh/authorized_keys /etc/skel/.ssh/

addgroup certview

# named after Gus Grissom, who named the Gemini 3 capsule “Molly Brown”
adduser --shell /usr/bin/fish --disabled-password --gecos -- griss
usermod -aG certview griss

snap install --classic certbot
certbot certonly --standalone \
  --non-interactive \
  --agree-tos \
  --domains "gemini.beepbeepbeep.example" \
  --register-unsafely-without-email

chmod 0755 /etc/letsencrypt/{live,archive}
chmod g+r /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem
chgrp certview /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem

cat << 'EOF' > /etc/molly.conf
Hostname = "gemini.beepbeepbeep.example"
DefaultLang = "en-US"

DocBase = "/home/griss/public"
AccessLog = "/home/griss/access.log"
ErrorLog = "/home/griss/error.log"

CertPath = "/etc/letsencrypt/live/gemini.beepbeepbeep.example/fullchain.pem"
KeyPath = "/etc/letsencrypt/live/gemini.beepbeepbeep.example/privkey.pem"

[MimeOverrides]
"atom.xml$" = "application/atom+xml"
EOF

cat << 'EOF' > /etc/systemd/system/molly-brown.service
[Unit]
Description=Molly Brown gemini server
After=network.target

[Service]
Type=simple
Restart=on-failure
User=griss
ExecStart=/home/griss/go/bin/molly-brown

NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/home/griss/access.log /home/griss/error.log

[Install]
WantedBy=multi-user.target
EOF

systemctl enable molly-brown.service

# Much later…
systemctl start molly-brown.service

As griss…

wget https://golang.org/dl/go1.15.2.linux-amd64.tar.gz
tar xf go*
mv go go-dist
mkdir go

./go-dist/bin/go get tildegit.org/solderpunk/molly-brown

# openssl req -newkey rsa:2048 -nodes -keyout gemini.beepbeepbeep.example.key \
#   -nodes -x509 -out gemini.beepbeepbeep.example.crt -subj "/CN=gemini.beepbeepbeep.example"

mkdir public

printf "# It works!\n\nYour Gemini capsule is up and running.\n" > public/index.gmi
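A check for the key-permission part of the setup above, added here as an editor's example; it is not from the post, from Molly Brown or from certbot. Given a letsencrypt root, a domain and a group, it verifies that live/DOMAIN/privkey.pem resolves, through directories searchable by others, to a key file that belongs to the group, is group-readable and carries no permission bits for other, which is what the chmod/chgrp lines on privkey1.pem set up. The domain, the group (the caller's own gid in the demo, certview on the real host) and the directory trees built by make_fixture are assumptions for running it offline; on the host it would be pointed at /etc/letsencrypt. The second constructed tree models a later privkey2.pem left at 0600 and never relaxed, the state a check like this is meant to report after a renewal.

```shell
#!/bin/sh
# Editor's added example, not from the post, Molly Brown or certbot.
# check_privkey ROOT DOMAIN GROUP verifies that a service user in GROUP can
# read ROOT/live/DOMAIN/privkey.pem the way the post intends, and that the
# key is not world-readable. ROOT is /etc/letsencrypt on a real host; the
# demo below uses constructed trees instead so it runs offline.

check_privkey() {
    root=$1 domain=$2 grp=$3
    link="$root/live/$domain/privkey.pem"

    # 1. live/ holds a symlink into archive/; it must resolve to a file
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 1; }
    target=$(readlink -f "$link") || return 1
    [ -f "$target" ] || { echo "FAIL: $link dangles"; return 1; }

    # 2. every directory on the path needs o+x (what chmod 0755 gives),
    #    otherwise a non-root user cannot follow the symlink at all
    for d in "$root/live" "$root/live/$domain" \
             "$root/archive" "$root/archive/$domain"; do
        case $(stat -c '%a' "$d") in
            *[1357]) ;;
            *) echo "FAIL: $d is not searchable by others"; return 1 ;;
        esac
    done

    # 3. the key file: group GROUP (name or numeric gid), group-readable,
    #    and no permission bits at all for "other"
    mode=$(stat -c '%a' "$target")
    if [ "$(stat -c '%G' "$target")" != "$grp" ] &&
       [ "$(stat -c '%g' "$target")" != "$grp" ]; then
        echo "FAIL: $target is not owned by group $grp"; return 1
    fi
    case $mode in
        *0) ;;
        *) echo "FAIL: $target mode $mode is accessible by others"; return 1 ;;
    esac
    case $mode in
        *[4567]0) ;;
        *) echo "FAIL: $target mode $mode is not group-readable"; return 1 ;;
    esac
    echo "OK: $target mode $mode"
}

# Constructed fixture (assumption for the offline demo): a miniature
# letsencrypt tree laid out like certbot's live/ and archive/, where
# live/DOMAIN/privkey.pem is a relative symlink to archive/DOMAIN/privkeyN.pem.
make_fixture() {
    root=$1 domain=$2 keyno=$3 keymode=$4
    mkdir -p "$root/live/$domain" "$root/archive/$domain"
    chmod 0755 "$root/live" "$root/archive" "$root/live/$domain" "$root/archive/$domain"
    printf 'not a real key\n' > "$root/archive/$domain/privkey$keyno.pem"
    chmod "$keymode" "$root/archive/$domain/privkey$keyno.pem"
    ln -sfn "../../archive/$domain/privkey$keyno.pem" "$root/live/$domain/privkey.pem"
}

# Offline demo: the first tree is the post's state after chmod g+r / chgrp on
# privkey1.pem; the second has a later privkey2.pem left at 0600, which the
# check must reject. Returns 0 when both trees are judged as expected.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/good"    gemini.beepbeepbeep.example 1 0640
    make_fixture "$tmp/renewed" gemini.beepbeepbeep.example 2 0600
    ok=1
    check_privkey "$tmp/good"    gemini.beepbeepbeep.example "$(id -g)" || ok=0
    check_privkey "$tmp/renewed" gemini.beepbeepbeep.example "$(id -g)" && ok=0
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

# On the real host: check_privkey /etc/letsencrypt gemini.beepbeepbeep.example certview
demo && echo "demo: good tree passes, 0600 renewed key is rejected"
```

Run as the service user rather than root if you want the symlink traversal itself exercised by the kernel; run as root it still reports the mode and ownership facts, which is enough to catch a key that was never handed to the group.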