Archived view of dissolved.space › notes › 2020-11-30-agate-setup.gmi, captured on 2022-01-08 at 13:38:35.
I've resurrected a dog-slow dusty Raspberry Pi 1 B to run this capsule. After a lot of stuffing about trying to get my router + dynDNS + domain name register to play together, we are up and running!
I settled on using Agate [1] as the server, swayed by its "rustiness", which will make it easy for me to hack on if necessary at some point in the future. It is super simple, currently under 200 lines of code ignoring the dependencies, so it's possible to read through it quickly and get an idea of the quality. I wanted to leave a few notes about how I set it up to run as a systemd service. Plz don't hack me if I've done something stupid.
Rather than run the server as root, I created a new user `agate` which will have more limited permissions. A new group `gemini` will allow both my regular user and `agate` to access the files to be served:
```
useradd -r -s /sbin/nologin agate
addgroup gemini
adduser agate gemini
```
I settled on two separate directories, following the conventions used by gmnisrv [1], one for the certificates and one to host my static files:
```
mkdir -p /var/lib/gemini/certs
mkdir -p /srv/gemini/
```
Setting up these directories with the right permissions (including setgid and sticky bits) and group:
```
chmod g+w /var/lib/gemini/certs
chmod g+wst /srv/gemini
chown :gemini /var/lib/gemini/certs /srv/gemini
```
I generated two sets of certificates (following the directions in the Agate documentation for using openssl), one for localhost to enable local testing and one for the public-facing domain.
I created the following systemd unit file `/etc/systemd/system/agate.service`:
```
[Unit]
Description=Agate Gemini Server

[Service]
ExecStart=/usr/bin/env AGATE_LOG=info /usr/bin/agate 0.0.0.0:1965 /srv/gemini/ /var/lib/gemini/certs/<your-cert> /var/lib/gemini/certs/<your-key> <your-domain>
Restart=on-failure
Type=simple
User=agate
Group=agate

[Install]
WantedBy=multi-user.target
```
Enable on boot and start it up:
```
systemctl enable agate.service
systemctl start agate.service
```
The Agate log output can be seen by running:
```
journalctl --follow
```
All done! See [1] for further ideas about how to strengthen your system against server implementation bugs. In order to follow the suggestion to restrict the server user to a `RootDirectory`, I'd need to tweak the above directions so that the certs and server content live under a parent directory that isn't `/`. A pretty simple change, but one for another day; I'll put my trust in the Agate authors for now.