Mon 8th February 2021 By David T. Sadler.
So I have a Gemini site over at gemini://davidtsadler.co.uk and I thought I'd write up how I achieved this in case anyone was interested in doing the same.
I would say that from purchasing the domain name to having a complete server hosting the site took about 30 minutes in total.
I decided that for the moment I would keep my traditional "Big Web" content hosted at davidtsadler.com and use a different domain name for my new Gemini site. Since this meant purchasing a new one I popped over to Gandi.net to acquire davidtsadler.co.uk. Side note: I used to own this but decided not to renew it for some crazy reason.
My cloud provider of choice is Hetzner and creating a new server is done in eight steps.
Hetzner provide a few locations in Europe as to where the server is hosted. For this server I chose Helsinki.
I chose Ubuntu 20.04 as the operating system as this is the one I'm most familiar with.
As this server is only going to a host a Gemini site I don't need a overly powerful system so I chose their most basic CX11 configuration. For €2.99 a month this gives me:
You have the option of attaching additional storage to the server. I skipped this step as for the time been the 20GB SSD that comes with the server should be enough for my needs.
I skipped this step as its not needed.
Again I skipped this step but select any if you believe that you will need them.
When a server is created a root user is added and a password is emailed to you so that you can login. However if you provide a SSH key it will be installed on the server instead of creating a password.
I like to use separate keys for each server that I manage so I tend store the them in a directory named after the hostname.
$ mkdir ~/.ssh/davidtsadler.co.uk
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/davidtsadler.co.uk/id_rsaThe SSH key is added by clicking + ADD SSH KEY and then copying and pasting the contents of the id_rsa.pub file.
I name my servers after the hostname so for this I called it davidtsadler.co.uk. I then created the server by clicking CREATE & BUY NOW.
Once the server was created I took the allocated IP address and ensured that I could access it via SSH using the key that I had provided.
$ ssh root@135.181.201.71 -i ~/.ssh/davidtsadler.co.uk/id_rsaIn my Gandi.net account I went to the DNS Records section for the domain name I had purchased. There I deleted everything except for the @ (A) and www (CNAME) records which was configured as follows:
The A record is configured with the IPv4 address of my new server and the CNAME with the domain name. Note that the CNAME must end with a period!
After saving the changes it was just a matter of waiting for it to propagate through the DNS system. At which point I could use the domain name when logging in via SSH.
$ ssh root@davidtsadler.co.uk -i ~/.ssh/davidtsadler.co.uk/id_rsaAt a bare minimum I setup a firewall and harden SSH. I may at a later date go further, such as installing fail2ban.
This setup will deny any incoming requests unless they were first initiated by a request from the server. Since I need to be able to access the server I allow SSH. The Gemini protocol uses port 1965 so that is also allowed.
$ ufw default allow outgoing
$ ufw default deny incoming
$ ufw allow OpenSSH
$ ufw allow 1965
$ ufw enableI edited the /etc/ssh/sshd_config file.
$ vim /etc/ssh/sshd_configI added the two below options so that the root user is not allowed to access the sever via SSH and other users may only access using keys.
PermitRootLogin no PasswordAuthentication no
Since I'd made changes to the configuration I needed to restart the SSH service.
$ service sshd restartWhenever I access a server I like to login as a non-root user that is able to run sudo on the system.
$ adduser gemini
$ usermod -aG sudo geminiAs the SSH key is already on the server I can copy it to the non-root user account.
$ rsync --archive --chown=gemini:gemini ~/.ssh /home/geminiOn my local system I confirm that I can log in as the new user without a password.
$ ssh gemini@davidtsadler.co.uk -i ~/.ssh/davidtsadler.co.uk/id_rsaI also confirm that I have sudo access.
$ sudo lsI decided to go with a very simple directory structure. Each site will be a sub-directory in ~/sites that will be named after the domain name. Then each site will have the following sub-directories. The idea is that I may want to host more than one site in the future.
I created the directory structure with the below command.
$ mkdir -p ~/sites/davidtsadler.co.uk/{bin,certs,public,scripts}Sine the Gemini protocol encourages using a self-signed certificate I installed one with the openssl command.
$ openssl req -x509 \
-newkey rsa:4096 \
-keyout ~/sites/davidtsadler.co.uk/certs/key.rsa \
-out ~/sites/davidtsadler.co.uk/certs/cert.pem \
-days 3650 \
-nodes \
-subj "/CN=davidtsadler.co.uk"I created a very simple index.gmi file purely for testing.
$ cat << EOF > ~/sites/davidtsadler.co.uk/public/index.gmi
# Welcome
Hello world!
EOFI decided to go with agate as the Gemini server as its very simple to install and configure. Installing it was a matter of downloading the binary archive into the bin directory and setting the executable permission on it.
$ cd ~/sites/davidtsadler.co.uk/bin
$ wget https://github.com/mbrubeck/agate/releases/download/v2.3.0/agate.x86_64-unknown-linux-gnu.gz
$ gunzip agate.x86_64-unknown-linux-gnu.gz
$ mv agate.x86_64-unknown-linux-gnu agate
$ chmod u+x agateI wrote a very simple bash script to run agate and have it serve the site.
$ cat << EOF > ~/sites/davidtsadler.co.uk/scripts/start
#!/bin/bash
/home/gemini/sites/davidtsadler.co.uk/bin/agate \
--content /home/gemini/sites/davidtsadler.co.uk/public/ \
--key /home/gemini/sites/davidtsadler.co.uk/certs/key.rsa \
--cert /home/gemini/sites/davidtsadler.co.uk/certs/cert.pem \
--addr [::]:1965 \
--addr 0.0.0.0:1965 \
--hostname davidtsadler.co.uk \
--lang en-GB
EOF
$ chmod u+x ~/sites/davidtsadler.co.uk/scripts/startAt this point I have the Gemini server installed and a site available for testing.
I first started agate with the bash script.
$ ~/sites/davidtsadler.co.uk/scripts/start
[2021-02-05T17:26:56Z INFO agate] Listening on [[::]:1965, 0.0.0.0:1965]...With agate up and running I pointed my Gemini client to gemini://davidtsadler.co.uk and confirmed I was able to access the site before entering Ctrl-C to halt agate.
Since I was happy that agate was able to serve my new site I created a systemd unit to ensure that agate was started whenever the system was rebooted.
$ sudo vim /etc/systemd/system/agate.serviceThe unit is very simple and just runs the bash script to start agate once the network is available.
[Unit] Description=Agate Gemini Server After=network.target [Service] Type=simple User=gemini Group=gemini ExecStart=/home/gemini/sites/davidtsadler.co.uk/scripts/start [Install] WantedBy=default.target
I then started this service and confirmed it was working.
$ sudo systemctl start agate.service $ sudo systemctl status agate.service Active: active (running)
The final step was to have this service start when the system is rebooted.
$ sudo systemctl enable agate.service
Setting up a Gemini site was easy to do and I hope this guide shows it. I have several ideas about how I'm going to use this new site and I'm excited to see where this leads to.
I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.
Email david@davidtsadler.comCopyright © 2021 David T. Sadler.
Return to Homepage.