💾 Archived View for altesq.net › ~masqq › gemlog › 2022-05-18.gmi captured on 2022-06-03 at 23:02:38. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
stacksmith recently wanted a simple gemini self hosting tutorial, so here i go.
the guide contains everything from installing, to hardening with a systemd service.
there are many choices here, because of the simplicity of the protocol, but personal favourites of mine are gemserv and agate, both which are written in rust. in this tutorial, i'll focus on agate due to it's simplicity.
download the latest binary for your coresponding architecture.
you can find your cpu architecture doing `$ uname -r` and looking at the kernel version. for example if you're on raspberrypi os 64-bit, you're running arm64/aarch64.
agate doesn't support cgi, so you cannot run any fancy scripts, but this comes with much improved security. if you wish to run only static pages, choose agate. gemserv supports cgi, but it can be easily disabled in the configuration file. the procedure with gemserv is basically the same, you just use the gemserv binary and create the gemserv configuration file and edit a few different settings. you can use the same systemd service with the respective variables changed.
once you have your binary downloaded to the server (you can simply use `wget` or `curl`), you have to make it executable. `$ chmod +x <filename>` will add the executable flag to the file. to make it be in your path (so you don't need to type the full path, e.g. /some/place/agate you just type `agate`), you have to move it to /usr/local/bin. `# mv agate /usr/local/bin/`. you now have agate installed, ready to be configured. it's configured only through environment variables, no configuration files for the sake of simplicity.
if you have a firewall up and running, (which i hope you do!), you must allow port `1965` on tcp. for example with ufw: `# ufw allow 1965/tcp`.
to make agate run in a separate non-root user, which is good practice, we have to make one. `# useradd -r agate`
we have to let systemd manage agate, so it can harden the process and manage its bootup behaviour. i've included a hardened systemd file below, which is tested by me, it also runs on my server. it denies access to most exploitable places in an os by a process. place it in `/etc/systemd/system/`.
make sure to edit the domain name to your corresponding domain name, and the working directory & the command argument to the directory where your index.gmi is. i use /srv/gemini, but you can use whatever directory you please. also, double check the user you created has access to the mentioned directory. if you want to support tls 1.2, you can also remove the `--only-tls13` flag.
after you've got the service file configured, execute `# systemctl daemon-reload` in order for systemd to pick up the new service file.
as mentioned above, the `agate` user must have access to the gemini capsule files. in this example i'll use `/srv/gemini`. first create it, `# mkdir /srv/gemini/` then copy your capsule files over there. then to change permissions, `# chmod -r agate:agate /srv/gemini/`.
on first run, agate will generate a self-signed certificate with an expiration time of 4096-01-01, so you don't have to worry about that, although they can be changed manually. they reside in your working directory that's specified in the systemd service file, in the `.certificates` directory.
all there is left to do is to enable and start the service at bootup. `# systemctl enable --now agate`, and check if it serves your gemini capsule!
if something goes wrong, browse the journal log of the agate service: `# journalctl -u agate.service` in order to see what errors it displays.
double check your firewall configuration and that the user has been created and everything works.
---