snit/gemini
2
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gemini/site/comp/gemini-yggdrasil.scm

54 lines
3.4 KiB
Scheme
Raw Permalink Blame History

;;; site/comp/gemini-yggdrasil.scm
(import "util.scm")
(define title "Hosting Gemini Capsules via Yggdrasil")
`(,@(import "header.scm")
(p "Getting a Gemini capsule running on Yggdrasil was harder than I would have thought. The main complexity came from the fact that Gemini has mandatory TLS, combined with Yggdrasil predominantly being bare IPv6 addresses.")
(p)
(p "I suspect that this would have been no different than hosting a clearnet capsule had I been using Alfis to get an actual domain name, but I haven't set that up.")
(p)
(q "NOTE: This guide assumes the use of gmid as the server. I have no clue how this works (or doesn't) on any other server.")
(p)
(h2 "Prerequisites")
(p "This is NOT a guide to setting up Yggdrasil, nor for setting up gmid. I assume you already have a working Yggdrasil setup, as well as know how to run gmid for clearnet capsules.")
(p)
(h2 "Self-signed Certificates")
(p "First, we need to generate a certificate, as Gemini mandates the use of TLS. As Gemini prefers the use of self-signed certificates, that's what we'll be doing here. If you'd rather use a CA, be aware that many of them don't issue certificates for raw IP addresses.")
(p)
(q "Note: Apparently, LetsEncrypt has recently started rolling out support for issuing raw IP certificates, though it seems they're only allowed to live for less than a week. Not ideal.")
(a ,(build-uri 'https #:host "letsencrypt.org" #:path "/2025/07/01/issuing-our-first-ip-address-certificate.html")
"Issuing our first IP Address Certificate")
(p)
(p "The gencert program provided with gmid doesn't seem to work with raw IP addresses; it just resuls in a SANS error. Thus, OpenSSL will be used directly. Replace $YGG_IPADDR below with your Yggdrasil address, and $CERTNAME with the filename for the certificate files:")
(pre "YGGADDR=\"200::\""
"CERTNAME=\"yggdrasil\""
"openssl req -x509 -nodes -days 365 \\"
" -keyout \"${CERTNAME}.key\" -out \"${CERTNAME}.crt\" \\"
" -subj \"/CN=${YGGADDR}\" -addext \"subjectAltName = IP:${YGGADDR}\"")
(p)
(p "Finally, move the resulting yggdrasil.key and yggdrasil.crt files to your preferred location. I put my gmid keys in /etc/ssl/gmid/.")
(p)
(h2 "Configuring gmid")
(p "On my clearnet capsule, I'd used a wildcard statement for the listen declaration, but apparently that doesn't fly here. Replace the wildcard with the same IP address as used in the server declaration part. Also, do not surround them with brackets.")
(p)
(p "Here's an example:")
(pre "server \"200::\" {"
" listen on 200:: port 1965"
""
" root \"/srv/gmi/yggsite\""
""
" cert \"/etc/ssl/gmid/yggdrasil.crt\""
" key \"/etc/ssl/gmid/yggdrasil.key\""
"}")
(p)
(a ,(build-uri 'https #:host "github.com"
#:path "/omar-polo/gmid/issues/25")
"Relevant GitHub discussion")
(p)
(p "Start up gmid and you should be able to connect!")
(p)
(p "As an aside, even though you can't put brackets in gmid's configuration, amfora won't work unless you DO put brackets into the URL:")
(pre "amfora gemini://[200::]")
(p "I'm not sure if this is a problem with gmid or amfora, or how it works on other clients, but I figured I'd note it down here, because I spent an extra twenty minutes thinking this wasn't working just because I stopped using brackets on amfora after gmid told me to."))
Reference in a new issue View git blame Copy permalink