I'm setting up a capsule on a VPS served up with Molly Brown. I'd like to get some feedback on what I should be doing, in case I'm doing something egregiously wrong. The capsule isn't intended to be permanent, at least not yet, so I'm giving it the domain name of beepbeepbeep.example. (It was only after I decided I should post this that I remembered that the best way to get good advice on the Internet is to post bad advice…)

I wasn't sure how to make/get certs, so I stumbled around and found this: https://github.com/michael-lazar/jetforce#tls-certificates

And then there's also sudo certbot certonly --standalone as shown on <https://certbot.eff.org/lets-encrypt/ubuntufocal-other>.

I'm waffling back and forth on whether I should stick everything in some unprivileged user's home directory (much like I do here) or if I should put things in "proper" places like /var/gemini. Opinions welcome. I do not intend for humans other than me to be inside this server ever.

Without further ado, the commands I used just now:

- - - - - - - - - 8< - - - - - - - - -
#!/bin/bash
apt update
apt upgrade --yes
apt install --yes fish bat
ln -s /usr/bin/batcat /usr/local/bin/bat
mkdir /etc/skel/.ssh
cp ~/.ssh/authorized_keys /etc/skel/.ssh/
addgroup certview
# named after Gus Grissom, who named the Gemini 3 capsule "Molly Brown"
adduser --shell /usr/bin/fish --disabled-password --gecos -- griss
usermod -aG certview griss
snap install --classic certbot
certbot certonly --standalone \
    --non-interactive \
    --agree-tos \
    --domains "gemini.beepbeepbeep.example" \
    --register-unsafely-without-email
chmod 0755 /etc/letsencrypt/{live,archive}
chmod g+r /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem
chgrp certview /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem
cat << 'EOF' > /etc/molly.conf
Hostname = "gemini.beepbeepbeep.example"
DefaultLang = "en-US"
DocBase = "/home/griss/public"
AccessLog = "/home/griss/access.log"
ErrorLog = "/home/griss/error.log"
CertPath = "/etc/letsencrypt/live/gemini.beepbeepbeep.example/fullchain.pem"
KeyPath = "/etc/letsencrypt/live/gemini.beepbeepbeep.example/privkey.pem"
[MimeOverrides]
"atom.xml$" = "application/atom+xml"
EOF
cat << 'EOF' > /etc/systemd/system/molly-brown.service
[Unit]
Description=Molly Brown gemini server
After=network.target

[Service]
Type=simple
Restart=on-failure
User=griss
ExecStart=/home/griss/go/bin/molly-brown
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/home/griss/access.log /home/griss/error.log

[Install]
WantedBy=multi-user.target
EOF
systemctl enable molly-brown.service
# Much later…
systemctl start molly-brown.service

#######################################
# As griss…
wget https://golang.org/dl/go1.15.2.linux-amd64.tar.gz
tar xf go*
mv go go-dist
mkdir go
./go-dist/bin/go get tildegit.org/solderpunk/molly-brown
# openssl req -newkey rsa:2048 -nodes -keyout gemini.beepbeepbeep.example.key \
#     -nodes -x509 -out gemini.beepbeepbeep.example.crt -subj "/CN=gemini.beepbeepbeep.example"
mkdir public
printf "# It works!\n\nYour Gemini capsule is up and running.\n" > public/index.gmi
Hello, welcome to Gemini! I can't speak to your Molly Brown setup, as I don't use it, but I can offer some advice for certificates. I've actually written a whole post on how to generate nice Gemini certs here: gemini://makeworld.gq/gemlog/2020-07-06-openssl.gmi The main difference from what you've done is that these certs are valid for 5 years, so you'll change them less often, and that they use EC keys, making the cert size (and therefore request overhead) much smaller. Cheers! makeworld
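Generating the kind of certificate makeworld describes (an EC key, valid for five years) and comparing it with the RSA 2048 certificate that the commented-out openssl command in the first post would produce, as an added example that is not from this thread, from makeworld's gemlog post or from Molly Brown. It assumes openssl 1.1.1 or later (for -addext) and a GNU/Linux userland (stat -c); gemini.beepbeepbeep.example is the thread's own placeholder hostname, and OUTDIR is a scratch directory:

```shell
#!/bin/bash
# Added example (not from the thread): self-signed EC cert for a Gemini capsule,
# side by side with an RSA 2048 one, plus the checks worth running on either.
# Assumes openssl >= 1.1.1 and GNU coreutils. HOST is the thread's example name.
set -eu

HOST="gemini.beepbeepbeep.example"
OUTDIR="${OUTDIR:-$(mktemp -d)}"
DAYS=1825   # five years, the validity makeworld recommends

# Self-signed cert with a P-256 EC key: $1 = output dir, $2 = hostname, $3 = days.
make_ec_cert() {
    local dir="$1" host="$2" days="$3"
    mkdir -p "$dir"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -pkeyopt ec_param_enc:named_curve -out "$dir/$host.key" 2>/dev/null
    chmod 600 "$dir/$host.key"    # private key readable by the server user only
    openssl req -new -x509 -key "$dir/$host.key" -out "$dir/$host.crt" \
        -days "$days" -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Self-signed cert with an RSA 2048 key, for comparison with the first post's command.
make_rsa_cert() {
    local dir="$1" host="$2" days="$3"
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -days "$days" -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Public key algorithm named in the cert: id-ecPublicKey or rsaEncryption.
cert_key_type() {
    openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm/ { print $NF; exit }'
}

# Subject in RFC 2253 form, e.g. CN=gemini.example.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Size of the DER-encoded certificate in bytes: what every TLS handshake carries.
cert_der_size() {
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# Returns 0 if the cert is still valid $2 days from now, 1 if it will have expired.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint: the value a TOFU Gemini client pins after its first visit,
# so publish it out of band and expect clients to notice when it changes.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Octal mode of a file, to confirm the key is neither group- nor world-readable.
file_mode() {
    stat -c %a "$1"
}

make_ec_cert "$OUTDIR/ec" "$HOST" "$DAYS"
make_rsa_cert "$OUTDIR/rsa" "$HOST" "$DAYS"

for kind in ec rsa; do
    crt="$OUTDIR/$kind/$HOST.crt"
    printf '%-4s key=%s subject=%s der_bytes=%s key_mode=%s\n' \
        "$kind" "$(cert_key_type "$crt")" "$(cert_subject "$crt")" \
        "$(cert_der_size "$crt")" "$(file_mode "$OUTDIR/$kind/$HOST.key")"
    printf '     sha256=%s\n' "$(cert_fingerprint "$crt")"
done
```

The DER sizes printed for the two certificates show the request-overhead difference makeworld mentions; the fingerprint is what to record and publish, since a self-signed cert has no CA chain for a client to fall back on, and the checkend test is the same one to put in a cron job a few weeks before the five years are up.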
> ExecStart=/home/griss/go/bin/molly-brown

Do you need to make the execution of molly brown to include -c?
e.g. ExecStart=/home/griss/go/bin/molly-brown -c /etc/molly.conf
> On Sep 12, 2020, at 7:12 PM, Jansen Price <jansen.price at gmail.com> wrote:
>
> > ExecStart=/home/griss/go/bin/molly-brown
>
> Do you need to make the execution of molly brown to include -c?
> e.g. ExecStart=/home/griss/go/bin/molly-brown -c /etc/molly.conf

-c overrides the default of /etc/molly.conf.
---