Installing vger on FreeBSD, using inetd and nginx

Get the sources and compile 'em

$ git clone https://tildegit.org/solene/vger.git
$ cd vger
$ make
$ sudo make install

Create a dedicated user

Create a user with no shell and no password

# adduser
Username: gemini
Full name: gemini
Uid (Leave empty for default):
Login group [gemini]:
Login group is gemini. Invite gemini into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash zsh rzsh git-shell nologin) [sh]: nologin
Home directory [/home/gemini]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username   : gemini
Password   : <disabled>
Full Name  : gemini
Uid        : 1015
Class      :
Groups     : gemini
Home       : /home/gemini
Home Mode  :
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gemini) to the user database.
Add another user? (yes/no): no
Goodbye!

Add a service

inetd requires the service to be defined in /etc/services, so let's add it:

# echo "gemini          11965/tcp">>/etc/services

Activate and launch inetd

  • Add the following lines to /etc/inetd.conf. Adjust the -d parameter to the home directory of the user created above; don't forget the trailing slash:
gemini  stream  tcp     nowait          gemini  /usr/local/bin/vger     vger -v -i -d /home/gemini/
gemini  stream  tcp6    nowait          gemini  /usr/local/bin/vger     vger -v -i -d /home/gemini/
  • Activate inetd either by issuing
# sysrc inetd_enable="YES"

or, if you use separate files:

# echo "inetd_enable=\"YES\"">/usr/local/etc/rc.conf.d/inetd
  • Finally, launch inetd:
# service inetd start

Use nginx as a "TLS Proxy"

  • Compile the port with the stream module
  • Activate it in configuration file, and create a stream section at the same level as the http section used for your virtualhosts:
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
 
stream {
        server {
                listen 1965 ssl;
 
                ssl_certificate     /path/to/cert.pem;
                ssl_certificate_key /path/to/privkey.pem;
                ssl_trusted_certificate /path/to/fullchain.pem;
 
                proxy_pass 127.0.0.1:11965;
        }
}

Usage

vger's vhost parameter is set (-v), so we have to create one directory per served hostname inside gemini's home directory. The -i (directory index) option is also set, so creating an index.gmi in each directory is not mandatory.

Basic monitoring

The following minimalist script can be used to check capsule availability from Nagios/Icinga/Shinken/etc., assuming gnutls is installed:

#!/bin/sh
# Check that the capsule given as $1 answers on port 1965.
# The request is sent with printf so that \r\n becomes a real CRLF
# (the sh builtin echo does not process escapes without -e); only
# stderr is captured for the error message, stdout (the page) is dropped.
errorOutput=$(printf 'gemini://%s/\r\n' "$1" | /usr/local/bin/gnutls-cli --port 1965 --tofu "$1" 2>&1 > /dev/null)
errorCode=$?

# Nagios exit codes: 0 = OK, 2 = CRITICAL
if [ "$errorCode" -gt 0 ]
then
  echo "ERROR: ${errorOutput}"
  exit 2
else
  echo "OK: capsule responding"
  exit 0
fi

Here we use "trust on first use" authentication (--tofu), so don't forget to run gnutls-cli manually against the capsule once, so that its certificate gets stored. And if security is not your primary concern, you can use the more permissive --no-ca-verification flag instead.
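The script above only tells you whether the TLS handshake and the request went through. As an added example (not from the original page nor from vger), here is a variant built on the same gnutls-cli invocation that also reads the Gemini status line, so a capsule that completes the handshake but answers with an error (for instance a 5x status) is flagged instead of reported as OK. It assumes gnutls-cli at /usr/local/bin as above and that the capsule's certificate was already accepted with --tofu.

```shell
#!/bin/sh
# Added example: capsule check that inspects the Gemini status line.
# Assumes gnutls-cli from the gnutls package at /usr/local/bin and that
# the capsule's certificate was already accepted interactively (--tofu).

# Map a Gemini response header ("<2-digit status> <meta>") to a Nagios
# exit code. Prints the plugin message and returns 0/1/2/3.
gemini_status_to_nagios() {
  header=$(printf '%s' "$1" | tr -d '\r')
  status=${header%% *}
  meta=${header#* }
  case "$status" in
    2[0-9]) echo "OK: capsule responding ($status $meta)"; return 0 ;;
    1[0-9]) echo "WARNING: capsule asks for input ($status $meta)"; return 1 ;;
    3[0-9]) echo "WARNING: capsule redirects to $meta"; return 1 ;;
    6[0-9]) echo "WARNING: client certificate required ($status)"; return 1 ;;
    4[0-9]|5[0-9]) echo "CRITICAL: capsule error $status $meta"; return 2 ;;
    *) echo "UNKNOWN: malformed header '$header'"; return 3 ;;
  esac
}

# Request gemini://$1/ and hand the first header-looking line to the mapper.
# A failed handshake (certificate mismatch, closed port, ...) yields no
# header at all, which is reported as CRITICAL.
check_capsule() {
  host=$1
  header=$(printf 'gemini://%s/\r\n' "$host" \
    | /usr/local/bin/gnutls-cli --port 1965 --tofu "$host" 2>/dev/null \
    | sed -n '/^[1-6][0-9] /{p;q;}')
  if [ -z "$header" ]; then
    echo "CRITICAL: no Gemini response from $host"
    return 2
  fi
  gemini_status_to_nagios "$header"
}

# Run as a Nagios plugin: check_capsule.sh <hostname>
if [ "$#" -gt 0 ]; then
  check_capsule "$1"
  exit $?
fi
```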

Greetings

Many many thanks to @solene@bsd.network for writing that wonderful little piece of software that is vger, and to @hucste@framapiaf.org for pointing it out to me.