--- title: How to setup vger, a gemini server date: Sun, 11 Sep 2022 author: ~aryak --- Hi, I recently setup vger, a gemini server to replace agate on ~vern. The main reason was the great virtual-hosts support (You just put a directory with the domain name in the dir and its rendered on it, no reload or anything!) Heres some instructions on how I did that, on GNU/Linux. Firstly, one of the hurdles i came across was that the instructions at the [git repo](https://tildegit.org/solene/vger) were very BSD-focused. In our setup, vger runs on the PubNixVM and the TLS Termination Proxy runs on the tilserv. To install vger, I git clon'd the repo, then ran `nix-shell` to get a shell with all the deps I need. After that I just ran `./configure` and `make`, like any old unix program. To start vger though, is a lot more weird. It cannot be started standalone, instead you have to start it through inetd (or an equivalent like xinetd). I went with Xinetd, and used its nix service to set it up. ``` services.xinetd.enable = true; #services.xinetd.services = [ vger services.xinetd.services = [ { name = "vger"; user = "gemini"; server = "/var/gemini/vger/vger"; serverArgs = "-v -i -c cgi-bin"; protocol = "tcp"; port = 11965; unlisted = true; } ]; ``` This translated to a Xinetd.conf that looks like this :- ``` defaults { log_type = SYSLOG daemon info log_on_failure = HOST log_on_success = PID HOST DURATION EXIT } service vger { protocol = tcp type = UNLISTED socket_type = stream port = 11965 wait = no user = gemini server = /var/gemini/vger/vger server_args = -v -i } ``` Additionally, I enabled syslog with `services.syslogd.enable = true;` and set `ForwardToWall=no` in journald.conf (`services.journald.extraConfig = "ForwardToWall=no";`) so that it won't spam my terminal every time someone visits the capsule. With a quick nixos-rebuild switch, vger is running on port 11965. `-v` flag enabled virtual hosts. This means when you visit aryak.vern.cc, vger will look for the directory /var/gemini/aryak.vern.cc. But if you try to visit localhost:11965 with any gemini client, it will just give you a TLS error. This is because vger does not handle TLS, instead out-sourcing that to relayd, which hasn't been ported to GNU/Linux. So, instead of that, I used this simple (100 LOC) Go project called [TLSify](https://github.com/tlsify/tlsify) Its really simple, just run `tlsify tcp4 :11965 tcp4 :1965 /path/to/cert.pem /path/to/privkey.pem` I also made a systemd service for it :- ``` [Unit] Description=TLS Termination Proxy for vger After=libvirt.service [Service] User=gemini Type=simple ExecStart=/usr/local/bin/tlsify tcp4 192.168.122.30:11965 tcp4 :1965 /etc/letsencrypt/live/vern.cc/cert.pem /etc/letsencrypt/live/vern.cc/privkey.pem [Install] WantedBy=default.target ``` Now, just open 1965 through your firewall and you can access your gemini server! While vger does support CGI, it does not support `TLS_CLIENT_HASH` since TLS is not handled by it. Hence some gemini cgi progs will not work (mainly ones that need authentication) If you have any doubts/questions/recommendations, feel free to ask in #vern-chat ~aryak