Title: How to deploy Vger gemini server on OpenBSD
Author: Solène
Date: 30 November 2020
Tags: gemini openbsd
Description:
## Introduction
In this article I will explain how to install and configure Vger, a
gemini server.
(HTM) What is the gemini protocol
Short introduction about Gemini: it's a very recent protocol that is
being simplistic and limited. Keys features are: pages are written in
markdown like, mandatory TLS, no header, UTF-8 encoding only.
## Vger program
(HTM) Vger source code
I wrote Vger to discover the protocol and the Gemini space. I had a lot
of fun with it, it was the opportunity for me to rediscover the C
language with a better approach. The sources include a full test suite.
This test suite was unvaluable for the development process.
Vger was really built with security in mind from the first lines of
code, now it offers the following features:
* chroot and privilege dropping, and on OpenBSD it uses unveil/pledge
all the time
* virtualhost support
* language selection
* MIME detection
* handcrafted man page, OpenBSD quality!
The name Vger is a reference to the 1979 first Star Trek movie.
(HTM) Star Trek: The Motion Picture
## Install Vger
Compile vger.c using clang or gcc
```shell command, dollar sign for regular user and pound sign for root
$ make
# install -o root -g bin -m 755 vger /usr/local/bin/vger
```
Vger receives requests on stdin and gives the result on stdout. It
doesn't take account of the hostname given but a request MUST start
with `gemini://`.
(HTM) vger official homepage
## Setup on OpenBSD
Create directory /var/gemini/, files will be served from there.
Create the `_gemini` user:
```shell command as root
useradd -s /sbin/nologin _gemini
```
Configure vger in /etc/inetd.conf
```configuration line for /etc/inetd.conf
11965 stream tcp nowait _gemini /usr/local/bin/vger vger
```
Inetd will run vger` with the _gemini user. You need to take care that
/var/gemini/ is readable by this user.
inetd is a wonderful daemon listening on ports and running commands
upon connections. This mean when someone connects on the port 11965,
inetd will run vger as _gemini and pass the network data to its
standard input, vger will send the result to the standard output
captured by inetd that will transmit it back to the TCP client.
Tell relayd to forward connections in relayd.conf
```configuration sample for /etc/relayd.conf
log connection
relay "gemini" {
listen on 163.172.223.238 port 1965 tls
forward to 127.0.0.1 port 11965
}
```
Make links to the certificates and key files according to relayd.conf
documentation. You can use acme / certbot / dehydrate or any "Let's
Encrypt" client to get certificates. You can also generate your own
certificates but it's beyond the scope of this article.
```shell commands as root
# ln -s /etc/ssl/acme/cert.pem /etc/ssl/163.172.223.238\:1965.crt
# ln -s /etc/ssl/acme/private/privkey.pem /etc/ssl/private/163.172.223.238\:1965.key
```
Enable inetd and relayd at boot and start them
```shell commands as root
# rcctl enable relayd inetd
# rcctl start relayd inetd
```
From here, what's left is populating /var/gemini/ with the files you
want to publish, the `index.md` file is special because it will be the
default file if no file are requests.