Title: How to deploy Vger gemini server on OpenBSD | |
Author: Solène | |
Date: 30 November 2020 | |
Tags: gemini openbsd | |
Description: | |
## Introduction | |
In this article I will explain how to install and configure Vger, a | |
gemini server. | |
What is the gemini protocol | |
Short introduction about Gemini: it's a very recent protocol that is | |
being simplistic and limited. Keys features are: pages are written in | |
markdown like, mandatory TLS, no header, UTF-8 encoding only. | |
## Vger program | |
Vger source code | |
I wrote Vger to discover the protocol and the Gemini space. I had a lot | |
of fun with it, it was the opportunity for me to rediscover the C | |
language with a better approach. The sources include a full test suite. | |
This test suite was unvaluable for the development process. | |
Vger was really built with security in mind from the first lines of | |
code, now it offers the following features: | |
* chroot and privilege dropping, and on OpenBSD it uses unveil/pledge | |
all the time | |
* virtualhost support | |
* language selection | |
* MIME detection | |
* handcrafted man page, OpenBSD quality! | |
The name Vger is a reference to the 1979 first Star Trek movie. | |
Star Trek: The Motion Picture | |
## Install Vger | |
Compile vger.c using clang or gcc | |
```shell command, dollar sign for regular user and pound sign for root | |
$ make | |
# install -o root -g bin -m 755 vger /usr/local/bin/vger | |
``` | |
Vger receives requests on stdin and gives the result on stdout. It | |
doesn't take account of the hostname given but a request MUST start | |
with `gemini://`. | |
vger official homepage | |
## Setup on OpenBSD | |
Create directory /var/gemini/, files will be served from there. | |
Create the `_gemini` user: | |
```shell command as root | |
useradd -s /sbin/nologin _gemini | |
``` | |
Configure vger in /etc/inetd.conf | |
```configuration line for /etc/inetd.conf | |
11965 stream tcp nowait _gemini /usr/local/bin/vger vger | |
``` | |
Inetd will run vger` with the _gemini user. You need to take care that | |
/var/gemini/ is readable by this user. | |
inetd is a wonderful daemon listening on ports and running commands | |
upon connections. This mean when someone connects on the port 11965, | |
inetd will run vger as _gemini and pass the network data to its | |
standard input, vger will send the result to the standard output | |
captured by inetd that will transmit it back to the TCP client. | |
Tell relayd to forward connections in relayd.conf | |
```configuration sample for /etc/relayd.conf | |
log connection | |
relay "gemini" { | |
listen on 163.172.223.238 port 1965 tls | |
forward to 127.0.0.1 port 11965 | |
} | |
``` | |
Make links to the certificates and key files according to relayd.conf | |
documentation. You can use acme / certbot / dehydrate or any "Let's | |
Encrypt" client to get certificates. You can also generate your own | |
certificates but it's beyond the scope of this article. | |
```shell commands as root | |
# ln -s /etc/ssl/acme/cert.pem /etc/ssl/163.172.223.238\:1965.crt | |
# ln -s /etc/ssl/acme/private/privkey.pem /etc/ssl/private/163.172.223.238\:196… | |
``` | |
Enable inetd and relayd at boot and start them | |
```shell commands as root | |
# rcctl enable relayd inetd | |
# rcctl start relayd inetd | |
``` | |
From here, what's left is populating /var/gemini/ with the files you | |
want to publish, the `index.md` file is special because it will be the | |
default file if no file are requests. |