Critique my setup, please

Nathan Galt mailinglists at ngalt.com
Sat Sep 12 21:01:48 BST 2020

Previous message (by thread): HTML as an escape hatch
Next message (by thread): Critique my setup, please
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I’m setting up a capsule on a VPS served up with Molly Brown. I’d like to get some feedback on what I should be doing, in case I’m doing something egregiously wrong. The capsule isn’t intended to be permanent, at least not yet, so I’m giving it the domain name of beepbeepbeep.example.

(It was only after I decided I should post this that I remembered that the best way to get good advice on the Internet is to post bad advice…)

I wasn’t sure how to make/get certs, so I stumbled around and found this:

https://github.com/michael-lazar/jetforce#tls-certificates

And then there’s also

sudo certbot certonly --standalone

as shown on <https://certbot.eff.org/lets-encrypt/ubuntufocal-other>.

I’m waffling back and forth on whether I should stick everything in some unprivileged user’s home directory (much like I do here) or if I should put things in “proper” places like /var/gemini. Opinions welcome. I do not intend for humans other than me to be inside this server ever.

Without further ado, the commands I used just now:

- - - - - - - - - 8< - - - - - - - - - 

#!/bin/bash
apt update
apt upgrade --yes

apt install --yes fish bat
ln -s /usr/bin/batcat /usr/local/bin/bat

mkdir /etc/skel/.ssh
cp ~/.ssh/authorized_keys /etc/skel/.ssh/

addgroup certview

# named after Gus Grissom, who named the Gemini 3 capsule “Molly Brown”
adduser --shell /usr/bin/fish --disabled-password --gecos -- griss
usermod -aG certview griss

snap install --classic certbot
certbot certonly --standalone \
    --non-interactive \
    --agree-tos \
    --domains "gemini.beepbeepbeep.example" \
    --register-unsafely-without-email

chmod 0755     /etc/letsencrypt/{live,archive}
chmod g+r      /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem
chgrp certview /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem

cat << 'EOF' > /etc/molly.conf
Hostname = "gemini.beepbeepbeep.example"
DefaultLang = "en-US"

DocBase =   "/home/griss/public"
AccessLog = "/home/griss/access.log"
ErrorLog =  "/home/griss/error.log"

CertPath = "/etc/letsencrypt/live/gemini.beepbeepbeep.example/fullchain.pem"
KeyPath =  "/etc/letsencrypt/live/gemini.beepbeepbeep.example/privkey.pem"

[MimeOverrides]
"atom.xml$" = "application/atom+xml"
EOF

cat << 'EOF' > /etc/systemd/system/molly-brown.service
[Unit]
Description=Molly Brown gemini server
After=network.target

[Service]
Type=simple
Restart=on-failure
User=griss
ExecStart=/home/griss/go/bin/molly-brown

NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/home/griss/access.log /home/griss/error.log

[Install]
WantedBy=multi-user.target
EOF

systemctl enable molly-brown.service 

# Much later…
systemctl start molly-brown.service 

#######################################
# As griss…

wget https://golang.org/dl/go1.15.2.linux-amd64.tar.gz
tar xf go*
mv go go-dist
mkdir go

./go-dist/bin/go get tildegit.org/solderpunk/molly-brown

# openssl req -newkey rsa:2048 -nodes -keyout gemini.beepbeepbeep.example.key \
#    -nodes -x509 -out gemini.beepbeepbeep.example.crt -subj "/CN=gemini.beepbeepbeep.example"

mkdir public

printf "# It works!\n\nYour Gemini capsule is up and running.\n" > public/index.gmi

Previous message (by thread): HTML as an escape hatch
Next message (by thread): Critique my setup, please
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Gemini mailing list