----------------------------------------
       gophernicus TLS howto
       January 20th, 2019
       ----------------------------------------
       
       A few people on mastodon requested a little guide on how to set up
       stunnel4 with gophernicus to offer TLS. As you might know from my
       earlier posts on gopher.black, I prefer to run this gopher server
       as a tor service instead of using the TLS approach alone since it
       does all the same things plus some extra goodies and doesn't
       require modification to your gopher clients. Regardless, gopher
       over TLS is cool in its own right (and I use it on cosmic.voyage).
       
       Here's how:
       
       1) Make sure you're using gophernicus and it's Kim's Prison
          Edition, not one of the ancient ones that shows up when you
          google gophernicus, like prologic's.
       
       2) Have an SSL cert. I use letsencrypt because why pay for
          something that's free?
       
       3) Have stunnel4. I think it was an apt install for me.
       
       Actually configuring everything is just a matter of tweaking
       2 files:
       
       1) /etc/default/gophernicus
       
       OPTIONS="-o UTF-8 -nt -nh -nf -T 7070"
       
       The important part for TLS is the last bit (-T PORT). The other
       switches hide the /stats page, which is a security issue, and
       get rid of titles and footer and stuff, which makes for a
       cleaner rendered gophermap. They're cool settings, but not
       necessary for TLS.
       
       2) /etc/stunnel/gophernicus.conf
       
       ;
       ; Gophernicus behind Stunnel4 for gopher over TLS
       ;
       
       ; User/group for stunnel daemon
       setuid = stunnel4
       setgid = stunnel4
       
       ; PID file location
       pid = /var/run/stunnel4/gophernicus.pid
       
       ; Log to file, not syslog
       output = /var/log/stunnel4/gophernicus.log
       syslog = no
       
       ; Certificate in pem format is needed for TLS
       cert = /etc/letsencrypt/live/cosmic.voyage/fullchain.pem
       key = /etc/letsencrypt/live/cosmic.voyage/privkey.pem
       
       ; Enable TCP wrappers
       libwrap = yes
       service = in.gophernicus-tls
       
       ; Gopher over TLS service
       [gophernicus]
       accept  = :::7070
       connect = 127.0.0.1:70
       protocol = proxy
       
       
       So I'm pointing at my letsencrypt cert for cosmic in this file,
       and I've chosen to use port 7070 for TLS. Kensanata says there's
       an argument for port 7443 that was given on the gopher mailing
       list, but I never read it. Use what makes sense to you, but make
       sure it matches what you have in /etc/default/gophernicus.
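
       The port-matching requirement above, as an added example that
       is not part of the original post: a shell check that reads the
       -T port from the gophernicus defaults file and the accept port
       from the stunnel service section, and reports a mismatch. The
       function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that the -T port in
# the gophernicus defaults file equals the stunnel accept port.

# Print the port following -T in the OPTIONS= line of file $1.
gophernicus_tls_port() {
    sed -n 's/^OPTIONS=.*[[:space:]"]-T[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print the accept port of section [$2] in stunnel config $1.
stunnel_accept_port() {
    awk -v want="[$2]" '
        /^[ \t]*;/  { next }                          # ";" starts a comment
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec && /^[ \t]*accept[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            n = split($0, part, ":")                  # ":::7070" -> last field
            print part[n]; exit
        }' "$1"
}

# Return 0 if the ports match, 1 on mismatch, 2 if either port is missing.
check_tls_ports() {
    section=${3:-gophernicus}
    g=$(gophernicus_tls_port "$1")
    s=$(stunnel_accept_port "$2" "$section")
    if [ -z "$g" ]; then echo "no -T port found in $1" >&2; return 2; fi
    if [ -z "$s" ]; then echo "no accept port in [$section] of $2" >&2; return 2; fi
    if [ "$g" != "$s" ]; then
        echo "mismatch: gophernicus -T $g, stunnel accept $s" >&2; return 1
    fi
    echo "ok: both files use TLS port $g"
}

# Constructed sample files mirroring the two snippets in the post.
demo=$(mktemp -d)
printf '%s\n' 'OPTIONS="-o UTF-8 -nt -nh -nf -T 7070"' > "$demo/gophernicus"
printf '%s\n' '; Gopher over TLS service' '[gophernicus]' \
    'accept  = :::7070' 'connect = 127.0.0.1:70' 'protocol = proxy' > "$demo/stunnel.conf"
check_tls_ports "$demo/gophernicus" "$demo/stunnel.conf"
rm -rf "$demo"
```

       On a real host, point it at the two files from this post:
       check_tls_ports /etc/default/gophernicus /etc/stunnel/gophernicus.conf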
       
       And that's it. Oh, I guess you'll need to open up your port with
       your firewall, but everything else should just work(TM).
       
       Good luck!