 |
Title: How to deploy Vger gemini server on OpenBSD |
|
Author: Solène |
|
Date: 30 November 2020 |
|
Tags: gemini openbsd |
|
Description: |
|
|
|
# Introduction |
|
|
|
In this article I will explain how to install and configure Vger, a |
|
gemini server. |
|
|
 |
What is the gemini protocol |
|
|
|
Short introduction about Gemini: it's a very recent protocol that is |
|
being simplistic and limited. Keys features are: pages are written in |
|
markdown like, mandatory TLS, no header, UTF-8 encoding only. |
|
|
|
# Vger program |
|
|
|
Vger source code |
|
|
|
I wrote Vger to discover the protocol and the Gemini space. I had a lot |
|
of fun with it, it was the opportunity for me to rediscover the C |
|
language with a better approach. The sources include a full test suite. |
|
This test suite was unvaluable for the development process. |
|
|
|
Vger was really built with security in mind from the first lines of |
|
code, now it offers the following features: |
|
|
|
* chroot and privilege dropping, and on OpenBSD it uses unveil/pledge |
|
all the time |
|
* virtualhost support |
|
* language selection |
|
* MIME detection |
|
* handcrafted man page, OpenBSD quality! |
|
|
|
The name Vger is a reference to the 1979 first Star Trek movie. |
|
Star Trek: The Motion Picture |
|
|
|
|
|
# Install Vger |
|
|
|
Compile vger.c using clang or gcc |
|
|
|
```shell command, dollar sign for regular user and pound sign for root |
|
$ make |
|
# install -o root -g bin -m 755 vger /usr/local/bin/vger |
|
``` |
|
|
|
Vger receives requests on stdin and gives the result on stdout. It |
|
doesn't take account of the hostname given but a request MUST start |
|
with `gemini://`. |
|
|
|
vger official homepage |
|
|
|
|
|
# Setup on OpenBSD |
|
|
|
Create directory /var/gemini/, files will be served from there. |
|
|
|
Create the `_gemini` user: |
|
|
|
```shell command as root |
|
useradd -s /sbin/nologin _gemini |
|
``` |
|
|
|
Configure vger in /etc/inetd.conf |
|
|
|
```configuration line for /etc/inetd.conf |
|
11965 stream tcp nowait _gemini /usr/local/bin/vger vger |
|
``` |
|
|
|
Inetd will run vger` with the _gemini user. You need to take care that |
|
/var/gemini/ is readable by this user. |
|
inetd is a wonderful daemon listening on ports and running commands |
|
upon connections. This mean when someone connects on the port 11965, |
|
inetd will run vger as _gemini and pass the network data to its |
|
standard input, vger will send the result to the standard output |
|
captured by inetd that will transmit it back to the TCP client. |
|
|
|
Tell relayd to forward connections in relayd.conf |
|
|
|
```configuration sample for /etc/relayd.conf |
|
log connection |
|
relay "gemini" { |
|
listen on 163.172.223.238 port 1965 tls |
|
forward to 127.0.0.1 port 11965 |
|
} |
|
``` |
|
|
|
Make links to the certificates and key files according to relayd.conf |
|
documentation. You can use acme / certbot / dehydrate or any "Let's |
|
Encrypt" client to get certificates. You can also generate your own |
|
certificates but it's beyond the scope of this article. |
|
|
|
```shell commands as root |
|
# ln -s /etc/ssl/acme/cert.pem /etc/ssl/163.172.223.238\:1965.crt |
|
# ln -s /etc/ssl/acme/private/privkey.pem /etc/ssl/private/163.172.223.238\:196… |
|
``` |
|
|
|
Enable inetd and relayd at boot and start them |
|
|
|
```shell commands as root |
|
# rcctl enable relayd inetd |
|
# rcctl start relayd inetd |
|
``` |
|
|
|
From here, what's left is populating /var/gemini/ with the files you |
|
want to publish, the `index.md` file is special because it will be the |
|
default file if no file are requests. |
