💾 Archived View for mercadal.rustytel.net › posts › setup.gmi captured on 2023-01-29 at 02:33:18. Gemini links have been rewritten to link to archived content
I did it! I put on my big boy pants and decided to set up a Gemini server.
"So," he thought to himself, "which server to choose."
If you want to get right to it: install vger and stunnel via pkg, and scroll down to where I say "let's start again with stunnel".
I would skip relayd unless you have experience with it.
I chose vger for the fact that it appeared rather simple. It's not built for FreeBSD per se, but something built for OpenBSD seems to have a pretty good pedigree as far as I'm concerned. And I like compiled daemons; I find I have lots of issues with interpreted stuff.
I started off by doing what, you know, lots of people probably do, and followed the instructions. I thought I'd give things a go with vger and relayd.
They're right in the FreeBSD ports tree, easy enough, right?
```
[mercadal:ports/ports-mgmt/pkg] 10:30pm% sudo pkg install relayd vger
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        relayd: 5.5.20140810_8
        vger: 1.10

Number of packages to be installed: 2

The process will require 2 MiB more space.
751 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/2] Fetching vger-1.10.pkg: 100%   14 KiB  13.9kB/s    00:01
[2/2] Fetching relayd-5.5.20140810_8.pkg: 100%  738 KiB 755.4kB/s    00:01
Checking integrity... done (0 conflicting)
[1/2] Installing vger-1.10...
[1/2] Extracting vger-1.10: 100%
[2/2] Installing relayd-5.5.20140810_8...
===> Creating groups.
Creating group '_relayd' with gid '913'.
===> Creating users
Creating user '_relayd' with uid '913'.
```
Seems easy!
I started off by enabling inetd in /etc/rc.conf:
```
inetd_enable="YES"
```
Then, of course, I started inetd with: service inetd start
Realized then I'd need to edit inetd.conf to add some services. I followed the steps provided by vger:
```
# vger for Gemini
# see gemini://gemini.omarpolo.com/cgi/gempkg/net/vger/
127.0.0.1:11965 stream tcp nowait _vger /usr/local/bin/vger vger
```
We'll come back to this in a bit, but (spoiler alert), I don't think FreeBSD loved the syntax. So don't bother doing the step above.
I tried editing /usr/local/etc/relayd.conf to get it to listen on port 1965 and forward stuff in. Things got weird here. Apparently, relayd can do a whole lot of stuff, more than just encapsulating vger in TLS for Gemini. Too bad — everything I tried ended up resulting in errors. I probably should have read up more on relayd to have realized this wasn't the best option for me.
```
[mercadal:/usr/local/etc] 10:38pm% sudo service relayd start
Performing sanity check on relayd configuration:
/usr/local/etc/relayd.conf:2: syntax error
/usr/local/etc/relayd.conf:6: syntax error
/usr/local/etc/relayd.conf:8: syntax error
no actions, nothing to do
unused protocol: gemini
/usr/local/etc/rc.d/relayd: WARNING: failed precmd routine for relayd
```
Womp womp.
As Strong Bad once said, "Next, we'll draw a more different S." Or, in this case, a more different Stunnel.
First I said goodbye to relayd:
```
[mercadal:/usr/local/etc] 10:50pm% sudo pkg delete relayd
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        relayd: 5.5.20140810_8

Number of packages to be removed: 1

The operation will free 2 MiB.

Proceed with deinstalling packages? [y/N]: y
[1/1] Deinstalling relayd-5.5.20140810_8...
[1/1] Deleting files for relayd-5.5.20140810_8: 100%
==> You should manually remove the "_relayd" user.
==> You should manually remove the "_relayd" group
You may need to manually remove /usr/local/etc/relayd.conf if it is no longer needed.
```
Then, you know, let's let the package manager do the heavy lifting:
```
[mercadal:/usr/local/etc] 10:52pm% sudo pkg install stunnel
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        stunnel: 5.63,1

Number of packages to be installed: 1

188 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching stunnel-5.63,1.pkg: 100%  188 KiB 192.1kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing stunnel-5.63,1...
===> Creating groups.
Creating group 'stunnel' with gid '341'.
===> Creating users
Creating user 'stunnel' with uid '341'.
[1/1] Extracting stunnel-5.63,1: 100%
=====
Message from stunnel-5.63,1:

--
Don't forget to check out the FAQ at http://www.stunnel.org/
```
(I forgot to check out the FAQ.)
Now, rather than complain about my many issues, here are the working steps I took:
OK, back to something I mentioned earlier: I don't think inetd liked the syntax I used from the vger documentation. I had to make a couple of changes for that.
First, make a new service in /etc/services:
```
gemini 1965/tcp
```
Then, edit inetd.conf referencing the services by name:
```
gemini stream tcp nowait root /usr/local/bin/stunnel stunnel
```
At some point I created a pseudo-user account for vger (named vger). Now seems like a good time to make it if you haven't already.
If you skipped my steps of sadness above, make sure you start inetd. Add the following to /etc/rc.conf and then run: sudo service inetd start
```
inetd_enable="YES"
```
Doing the self-signed cert thing for now. While in the stunnel configuration directory (/usr/local/etc/stunnel/):
```
sudo openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650
```
Here's the thing: I'm running stunnel from inetd. So unlike the many examples, you don't want to have a section for the service, you just want it at the root of the file. So comment out any other services and put this in at the end:
```
exec = /usr/local/bin/vger
cert = /usr/local/etc/stunnel/stunnel.pem
verifyChain = no
verifyPeer = no
```
Two things to keep in mind about that cert line: when no separate key option is given, stunnel reads the private key from the same file, so stunnel.pem has to hold both the key and the certificate from the openssl step (or point cert and key at cert.pem and key.pem directly). And because inetd spawns stunnel without a terminal, there is nobody to type a passphrase, so the key in that file cannot be passphrase-protected.
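The /etc/services, inetd.conf and stunnel.conf pieces above have to agree with each other for the inetd -> stunnel -> vger chain to work, and most of the failures in this post were exactly that kind of mismatch. The following added example (my own code, not vger's or stunnel's) parses the three files and reports the inconsistencies a reviewer would look for: a service name missing from /etc/services or mapped to the wrong port, an exec line hidden inside a [service] section instead of at global scope, an accept directive that makes no sense when inetd already holds the socket, and inetd handing stunnel root with no setuid to drop it. The sample file contents are constructed from the configuration shown in this post; the check rules are mine.

```python
"""Added example: consistency checks for an inetd -> stunnel -> vger Gemini setup.
Not vger's or stunnel's own code; sample inputs are constructed from the post."""
import re

GEMINI_PORT = 1965

# Constructed sample inputs mirroring the configuration shown in the post.
SERVICES_SAMPLE = """\
ssh      22/tcp
gemini   1965/tcp
"""
INETD_SAMPLE = """\
gemini  stream  tcp  nowait  root  /usr/local/bin/stunnel  stunnel
"""
STUNNEL_SAMPLE = """\
; inetd mode: options at global scope, no [service] sections
exec = /usr/local/bin/vger
cert = /usr/local/etc/stunnel/stunnel.pem
verifyChain = no
verifyPeer = no
"""


def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(\w+)", fields[1])
        if m:
            table[(fields[0], m.group(2))] = int(m.group(1))
    return table


def parse_inetd(text):
    """Parse inetd.conf lines into the fields inetd(8) expects."""
    keys = ("service", "socket_type", "proto", "wait", "user", "program", "args")
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            raise ValueError("malformed inetd.conf line: %r" % line)
        fields += [""] * (7 - len(fields))  # args are optional
        entries.append(dict(zip(keys, fields)))
    return entries


def parse_stunnel(text):
    """Split stunnel.conf into global options and [service] sections."""
    cfg = {"global": {}, "sections": {}}
    current = cfg["global"]
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = cfg["sections"].setdefault(m.group(1), {})
            continue
        if "=" not in line:
            raise ValueError("malformed stunnel.conf line: %r" % line)
        key, value = (p.strip() for p in line.split("=", 1))
        current[key] = value
    return cfg


def check_setup(services, inetd_entries, stunnel_cfg, daemon="stunnel"):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    g = stunnel_cfg["global"]
    spawners = [e for e in inetd_entries if e["program"].endswith("/" + daemon)]
    if not spawners:
        findings.append("inetd.conf has no entry that spawns %s" % daemon)
    for e in spawners:
        port = services.get((e["service"], e["proto"]))
        if port is None:
            findings.append("inetd service %r/%s is not defined in /etc/services"
                            % (e["service"], e["proto"]))
        elif port != GEMINI_PORT:
            findings.append("inetd service %r maps to port %d, not %d"
                            % (e["service"], port, GEMINI_PORT))
        if (e["socket_type"], e["proto"]) != ("stream", "tcp"):
            findings.append("Gemini needs a stream/tcp inetd entry")
        if e["user"] == "root" and "setuid" not in g:
            findings.append("inetd runs %s as root and stunnel.conf has no setuid; "
                            "the exec'd vger inherits root" % daemon)
    if "exec" not in g:
        where = ", ".join(s for s, o in stunnel_cfg["sections"].items() if "exec" in o)
        findings.append("stunnel.conf: 'exec' must be at global scope for inetd mode"
                        + (" (found only in section(s): %s)" % where if where else ""))
    if stunnel_cfg["sections"]:
        findings.append("stunnel.conf: [service] sections select daemon mode, "
                        "not inetd mode; comment them out")
    if "accept" in g:
        findings.append("stunnel.conf: 'accept' is meaningless when inetd already "
                        "opened the socket on stdin")
    if "cert" not in g:
        findings.append("stunnel.conf: no 'cert' given; TLS cannot be offered")
    return findings


if __name__ == "__main__":
    for f in check_setup(parse_services(SERVICES_SAMPLE),
                         parse_inetd(INETD_SAMPLE), parse_stunnel(STUNNEL_SAMPLE)):
        print("finding:", f)
```

Run against the post's own configuration it reports exactly one finding, the root-without-setuid one, which is the least-privilege point worth revisiting once the setup works; feeding it a stunnel.conf with a [gemini] section instead of global options reproduces the "wrong scope for inetd mode" mistake the post warns about.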
For some reason, vger sends messages to all terminals when I get a request. It's annoying: it regularly clobbers screen-based editors.
My /etc/syslog.conf has a line, included in the default FreeBSD setup, that excludes the syslog messages generated by devd from the rules that follow it. It looks like this:
```
!-devd
```
I updated it so that the messages vger sends at daemon.emerg no longer get logged everywhere:
```
!-devd,vger
```
This is one way to do it on FreeBSD, I'm sure there are many others.
In short, inetd starts stunnel. Stunnel reaches out to vger and tunnels the connection. All the rest is making sure you have valid certs and permissions and user accounts.
Updated:
Mon Aug 8 09:51:57 EDT 2022