💾 Archived View for dissolved.space › notes › 2020-11-30-agate-setup.gmi captured on 2022-01-08 at 13:38:35. Gemini links have been rewritten to link to archived content


Capsule launch on Agate

I've resurrected a dog-slow dusty Raspberry Pi 1 B to run this capsule. After a lot of stuffing about trying to get my router + dynDNS + domain name register to play together, we are up and running!

I settled on using Agate [1] as the server, swayed by its "rustiness", which will make it easy for me to hack on if necessary at some point in the future. It is super simple, currently under 200 lines of code ignoring the dependencies, so it's possible to read through it quickly to get an idea of the quality. I wanted to leave a few notes about how I set it up to run as a systemd service. Plz don't hack me if I've done something stupid.

1: Agate

Users and directories

Rather than run the server as root, I created a new user `agate` which will have more limited permissions. A new group `gemini` will allow both my regular user and `agate` to access the files to be served:

useradd -r -s /sbin/nologin agate
addgroup gemini
adduser agate gemini

I settled on two separate directories, following the conventions used by gmnisrv [1], one for the certificates and one to host my static files:

mkdir -p /var/lib/gemini/certs
mkdir -p /srv/gemini/

1: gmnisrv

Setting up these directories with the right permissions (including setgid and sticky bits) and group:

chmod g+w /var/lib/gemini/certs
chmod g+wst /srv/gemini
chown :gemini /var/lib/gemini/certs /srv/gemini

I generated two sets of certificates (following the directions in the Agate documentation for using openssl), one for localhost to enable local testing and one for the public-facing domain.

Systemd unit file

I created the following systemd unit file `/etc/systemd/system/agate.service`:

[Unit]
Description=Agate Gemini Server

[Service]
ExecStart=/usr/bin/env AGATE_LOG=info /usr/bin/agate 0.0.0.0:1965 /srv/gemini/ /var/lib/gemini/certs/<your-cert> /var/lib/gemini/certs/<your-key> <your-domain>
Restart=on-failure
Type=simple
User=agate
Group=agate

[Install]
WantedBy=multi-user.target

Enable on boot and start it up:

systemctl enable agate.service
systemctl start agate.service

The Agate log output can be seen by running:

journalctl --follow

All done! See [1] for further ideas about how to strengthen your system against server implementation bugs. In order to follow the suggestion to restrict the server user to a `RootDirectory` I'd need to tweak the above directions so that the certs and server content live under a parent directory that isn't `/`. A pretty simple change, but one for another day; I'll put my trust in the Agate authors for now.

1: Sandboxing with systemd
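A hardened variant of the unit above, added here as an example (it is neither the unit from these notes nor anything shipped by the Agate project): it keeps the certs and content where the directions above put them, so it skips `RootDirectory=` and instead applies the read-only and privilege-dropping directives from the linked systemd article. The `<your-...>` placeholders are the same as above; the set of restrictions is an assumption about what Agate needs and should be checked against the running service.

```ini
[Unit]
Description=Agate Gemini Server
After=network.target

[Service]
Type=simple
User=agate
Group=agate
# Make the gemini group membership explicit rather than relying on the
# user's supplementary groups being picked up.
SupplementaryGroups=gemini
# Set the log level as a unit environment variable instead of via /usr/bin/env.
Environment=AGATE_LOG=info
ExecStart=/usr/bin/agate 0.0.0.0:1965 /srv/gemini/ /var/lib/gemini/certs/<your-cert> /var/lib/gemini/certs/<your-key> <your-domain>
Restart=on-failure

# Filesystem: everything read-only (strict also covers /srv and /var),
# no view of home directories, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
ReadOnlyPaths=/srv/gemini /var/lib/gemini/certs
PrivateTmp=yes
PrivateDevices=yes

# Privileges: port 1965 is unprivileged, so no capabilities are needed at all.
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes

# Network and syscalls: only IP sockets (AF_UNIX kept conservatively for
# the runtime), and the generic system-service syscall allow-list.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security agate.service` scores the unit and lists any directive still left open.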
