đž Archived View for gmid.omarpolo.com âş quickstart.gmi captured on 2023-12-28 at 15:03:04. Gemini links have been rewritten to link to archived content
âŹ ď¸ Previous capture (2022-07-16)
âĄď¸ Next capture (2024-02-05)
-=-=-=-=-=-=-
gmid can be run in two different modes:
To run gmid in the âconfiglessâ mode, just type:
$ gmid path/to/dir
gmid will then generate a certificate inside ~/.local/share/gmid and serve the given directory locally.
To host a Gemini capsule you need to run gmid in âdaemonâ mode, and so a configuration file is needed. The format of the configuration file is described in the manpage and is quite flexible, but something like the following should be enough to start:
# /etc/gmid.conf server "example.com" { cert "/etc/ssl/example.com.pem" key "/etc/ssl/private/example.com.key" # path to the root directory of your capsule root "/var/gemini/example.com" }
A TLS certificate is also needed. There are many way to obtain one (acme-client, certbot, ...) but within the Geminispace is common to use self-signed ones.
One way to generate self-signed certificates is to use openssl(1), but contrib/gencert is easier to use:
$ ./contrib/gencert example.com Generating a 4096 bit RSA private key .................................................++++ ..........++++ writing new private key to './example.com.key' ----- Generated files: ./example.com.pem : certificate ./example.com.key : private key
Move âexample.com.pemâ and âexample.com.keyâ to a safe place and double check that the âcertâ and âkeyâ options in the configuration points to these files.
One place could be â/etc/ssl/â
# mkdir -p /etc/ssl/private # chown 700 /etc/ssl/private # mv example.com.pem /etc/ssl/ # mv example.com.key /etc/ssl/private/
Then running gmid is as easy as
# gmid -c /etc/gmid.conf
Congratulations, your capsule is online!
gmid employs various techniques to prevent the damage caused by bugs but some steps needs to be done manually.
If gmid was installed from your distribution package manager chance are that it already does all of this and is also providing a service to easily run gmid (e.g. a rc script, a systemd unit file, âŚ) Otherwise, itâs heavily suggested to create at least a dedicated user.
Ideally, gmid should be started as root and then drop privileges. This allows to save the certificates in a directory that's readable only by root
For example, on OpenBSD a â_gmidâ user can be created with:
# useradd -c gmid -d /var/empty -s /sbin/nologin _gmid
while on most GNU/linux systems it's:
# useradd --system --no-create-home -s /bin/nologin -c "gmid Gemini server" gmid
or if you use systemd-sysusers:
# systemd-sysusers contrib/gmid.sysusers
Please consult your OS documentation for more information on the matter.
The configuration then needs to be adjusted to include the âuserâ directive at the top:
# /etc/gmid.conf user "gmid" server "example.com" { ⌠}
Now gmid needs to be started with root privileges but will switch to the provided user automatically. If by accident the âuserâ option is omitted and gmid is running as root, it will complain loudly in the logs.
Itâs a common practice for system daemons to chroot themselves into a directory. From here on Iâll assume /var/gemini, but it can be any directory.
A chroot on UNIX-like OS is an operation that changes the âapparentâ root directory (i.e. the â/â) from the current process and its child. Think of it like imprisoning a process into a directory and never letting it escape until it terminates.
Using a chroot may complicate the use of CGI scripts, because then all the dependencies of the scripts (sh, perl, librariesâŚ) need to be installed inside the chroot too. For this very reason gmid supports FastCGI.
The chroot feature requires a dedicate user, see the previous section.
To chroot gmid inside a directory, use the âchrootâ directive in the configuration file:
# /etc/gmid.conf user "gmid" # the given directory, /var/gemini in this case, must exists. chroot "/var/gemini"
Note that once âchrootâ is in place, every ârootâ directive is implicitly relative to the chroot, but âcertâ and âkeyâ arenât!
For example, given the following configuration:
# /etc/gmid.conf user "gmid" chroot "/var/gemini" server "example.com" { cert "/etc/ssl/example.com.pem" key "/etc/ssl/example.com.key" root "/example.com" }
The certificate and the key path are the specified ones, but the root directory of the virtual host is actually â/var/gemini/example.com/â.