====== Installing vger on FreeBSD, using inetd and nginx ======

===== Get the sources and compile 'em =====

<code>
$ git clone https://tildegit.org/solene/vger.git
$ cd vger
$ make
$ sudo make install
</code>

===== Create a dedicated user =====

Create a user with no shell and no password. vger will run under this account, so it only needs read access to the capsule's files:

<code>
# adduser
Username: gemini
Full name: gemini
Uid (Leave empty for default):
Login group [gemini]:
Login group is gemini. Invite gemini into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash zsh rzsh git-shell nologin) [sh]: nologin
Home directory [/home/gemini]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username   : gemini
Password   :
Full Name  : gemini
Uid        : 1015
Class      :
Groups     : gemini
Home       : /home/gemini
Home Mode  :
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gemini) to the user database.
Add another user? (yes/no): no
Goodbye!
</code>

===== Add a service =====

inetd requires a defined service in /etc/services, so let's add it (as root). 11965 is the plaintext port vger will listen on behind the TLS proxy; 1965, the Gemini port, stays reserved for nginx:

<code>
# echo "gemini 11965/tcp" >> /etc/services
</code>

===== Activate and launch inetd =====

  * Add the following lines to /etc/inetd.conf.
Adjust the -d parameter to the previously created user's home directory, and don't forget the trailing slash:

<code>
gemini stream tcp  nowait gemini /usr/local/bin/vger vger -v -i -d /home/gemini/
gemini stream tcp6 nowait gemini /usr/local/bin/vger vger -v -i -d /home/gemini/
</code>

Written like this, inetd accepts plaintext Gemini connections on port 11965 from every interface, although only nginx on the same host will ever use it. Either filter the port with pf, or bind it to the loopback addresses by prefixing the service name with an address, as documented in inetd.conf(5):

<code>
127.0.0.1:gemini stream tcp  nowait gemini /usr/local/bin/vger vger -v -i -d /home/gemini/
[::1]:gemini     stream tcp6 nowait gemini /usr/local/bin/vger vger -v -i -d /home/gemini/
</code>

After starting inetd, ''sockstat -l | grep 11965'' shows which addresses it actually listens on.

  * Activate inetd, either by issuing

<code>
# sysrc inetd_enable="YES"
</code>

or, if you use separate files:

<code>
# echo 'inetd_enable="YES"' > /usr/local/etc/rc.conf.d/inetd
</code>

  * Finally, launch inetd:

<code>
# service inetd start
</code>

===== Use nginx as a "TLS Proxy" =====

  * Make sure the www/nginx port was built with the STREAM and STREAM_SSL options.
  * Load the module in the configuration file and create a stream section at the same level as the http section used for your virtual hosts:

<code>
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

stream {
    server {
        listen 1965 ssl;
        # Gemini clients require TLS 1.2 or newer
        ssl_protocols TLSv1.2 TLSv1.3;
        # the leaf certificate followed by its chain, so clients that do
        # validate against a CA can build the path
        ssl_certificate     /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        # plaintext vger behind inetd, on the loopback interface
        proxy_pass 127.0.0.1:11965;
    }
}
</code>

Two remarks on this block. ''ssl_trusted_certificate'' is not the place for your chain: in the stream module that directive names CA certificates used to verify //client// certificates and OCSP responses, so the full chain goes into ''ssl_certificate'' as shown. And since nginx opens a fresh TCP connection to vger for every client, vger sees every request as coming from 127.0.0.1; client addresses are only visible in nginx's own stream access log, should you enable one.

===== Usage =====

vger's vhost parameter is set (-v), so the hostname of each request selects a directory of the same name within gemini's home directory: create one per capsule (for instance /home/gemini/capsule.example.org for a capsule served as gemini://capsule.example.org/), readable by the gemini user. -i (directory index) is also set, so creating an index.gmi is not mandatory; vger generates a listing when a directory has none.

===== Basic monitoring =====

The following minimalist script can be used to check for capsule availability in Nagios/Icinga/Shinken/Etc., assuming gnutls (security/gnutls) is installed:

<code bash>
#!/bin/sh
# Usage: check_gemini.sh capsule.example.org
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL.
host="$1"
# printf rather than echo -n: FreeBSD's echo does not expand \r\n,
# and Gemini requests must end in CRLF.
# 2>&1 >/dev/null keeps only gnutls-cli's diagnostics (stderr); the
# capsule's content (stdout) is discarded.
errorOutput=$(printf 'gemini://%s/\r\n' "$host" | /usr/local/bin/gnutls-cli --port 1965 --tofu "$host" 2>&1 > /dev/null)
errorCode=$?
if [ "$errorCode" -gt 0 ]
then
    echo "ERROR: ${errorOutput}"
    exit 2
else
    echo "OK: capsule responding"
    exit 0
fi
</code>

Note that ''return'' is only valid inside a shell function; a plugin has to ''exit'' with its status code, otherwise the monitoring system sees whatever the shell's error produced rather than the intended CRITICAL.

Here we use "trust on first use" authentication (--tofu), so don't forget to manually launch gnutls-cli first: on an unknown host it asks interactively whether to trust the certificate, and it records the decision in the known_hosts file of the user running it, so do that first run as the monitoring user, not as root. The check will then fail, rightly, whenever the certificate changes, including after a renewal, at which point the stored entry has to be refreshed by hand. If security is not your primary concern, you can use the more permissive --no-ca-verification flag instead.
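The gnutls-cli script only reports whether the TLS handshake succeeded; it neither inspects what the capsule answered nor lets you see which certificate was pinned. The check below, an added example for this page and not part of vger or of the original script, does the trust-on-first-use decision explicitly: it pins the SHA-256 fingerprint of the server's leaf certificate in a small JSON file, refuses to talk if the fingerprint changes, sends the Gemini request and parses the status line, mapping 2x to OK and anything else to WARNING. The pin store location (~/.gemini_pins.json) and the port default (1965, the nginx listener described above) are assumptions of this example, not something vger or nginx defines.

```python
#!/usr/bin/env python3
"""Gemini capsule check with trust-on-first-use (TOFU) certificate pinning.

Added example, not part of vger or of the gnutls-cli script on this page.
Assumptions: the capsule answers on HOST:1965 (the nginx listener described
on the page) and PIN_STORE is our own convention for where pins live.
Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
"""
import hashlib
import json
import os
import socket
import ssl
import sys

GEMINI_PORT = 1965
# JSON file mapping hostname -> SHA-256 hex digest of the DER leaf certificate (assumed path)
PIN_STORE = os.path.expanduser("~/.gemini_pins.json")
# A Gemini header is "<2-digit status><space><meta, at most 1024 bytes>\r\n"
MAX_HEADER = 2 + 1 + 1024 + 2


def parse_header(data: bytes):
    """Parse a Gemini response header; returns (status, meta) or raises ValueError."""
    line = data.split(b"\r\n", 1)[0]
    if len(line) < 2 or not line[:2].isdigit():
        raise ValueError("malformed Gemini header: %r" % line[:40])
    if len(line) > 2 and line[2:3] != b" ":
        raise ValueError("missing space after status: %r" % line[:40])
    return int(line[:2]), line[3:].decode("utf-8", "replace")


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(store: dict, host: str, fp: str) -> str:
    """TOFU decision: 'new' (first sight, pin recorded), 'ok' (matches) or 'mismatch'.

    On mismatch the store is left untouched, so the old pin survives for inspection.
    """
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "new"
    return "ok" if known == fp else "mismatch"


def load_store(path: str) -> dict:
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_store(path: str, store: dict) -> None:
    with open(path, "w") as fh:
        json.dump(store, fh, indent=2)


def probe(host: str, port: int = GEMINI_PORT, store_path: str = PIN_STORE,
          timeout: float = 10.0):
    """Connect over TLS, pin the certificate, request gemini://host/ and
    return (status, meta, pin_state). Raises on TLS failure or pin mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # Gemini requires TLS 1.2 or newer
    # No CA validation: Gemini capsules commonly use self-signed certificates,
    # so the trust decision is the pin comparison below, not the CA chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    store = load_store(store_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # send SNI so a server hosting several names can pick its certificate
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            state = check_pin(store, host, fingerprint(tls.getpeercert(binary_form=True)))
            if state == "mismatch":
                raise RuntimeError("certificate for %s changed; refusing to talk" % host)
            tls.sendall(("gemini://%s/\r\n" % host).encode("utf-8"))
            header = b""
            while b"\r\n" not in header and len(header) < MAX_HEADER:
                chunk = tls.recv(1024)
                if not chunk:
                    break
                header += chunk
    if state == "new":
        save_store(store_path, store)
    status, meta = parse_header(header)
    return status, meta, state


def nagios_main(argv) -> int:
    if len(argv) != 2:
        print("usage: %s HOST" % argv[0])
        return 3
    host = argv[1]
    try:
        status, meta, state = probe(host)
    except (OSError, RuntimeError, ValueError) as exc:  # ssl.SSLError is an OSError
        print("CRITICAL: %s: %s" % (host, exc))
        return 2
    if 20 <= status < 30:
        print("OK: %s answered %d %s (pin %s)" % (host, status, meta, state))
        return 0
    print("WARNING: %s answered %d %s" % (host, status, meta))
    return 1


if __name__ == "__main__":
    sys.exit(nagios_main(sys.argv))
```

Run it once by hand as the monitoring user (''check_gemini.py capsule.example.org'') so that the first pin is recorded under that user's home; from then on a changed certificate, including a routine renewal, turns the check CRITICAL until the stale entry is deleted from the pin file, which is exactly the behaviour you want from TOFU.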
===== Greetings =====

Many many thanks to [[https://bsd.network/@solene|@solene@bsd.network]] for writing that wonderful little piece of software that is vger, and to [[https://framapiaf.org/@hucste|@hucste@framapiaf.org]] for pointing it out to me.