From a0239f0024e07aca71de35828c3f47df77abf9ff Mon Sep 17 00:00:00 2001 From: alex Date: Sat, 14 Feb 2026 21:46:55 +0100 Subject: Import gemini-from-http --- gemini-from-http/README.md | 54 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 gemini-from-http/README.md (limited to 'gemini-from-http/README.md') diff --git a/gemini-from-http/README.md b/gemini-from-http/README.md new file mode 100644 index 0000000..ec8b5d2 --- /dev/null +++ b/gemini-from-http/README.md 
@@ -0,0 +1,54 @@ +# Gemini from http + +`proxy.py` is a Gemini server that proxies all content to an http or https server. + +`proxy.py` loads certificates following the structure of Apache mod_md. + +## Providing the certificates via systemd credentials + +With `/etc/systemd/system/gemini-from-http.service`: + +``` +[Service] +LoadCredential=certificates:/etc/apache2/md/domains/ +ExecStart=.../proxy.py --certificates-from-credential certificates +DynamicUser=true +CapabilityBoundingSet= +PrivateDevices=true +ProtectClock=true +ProtectKernelLogs=true +ProtectControlGroups=true +ProtectKernelModules=true +SystemCallArchitectures=native +MemoryDenyWriteExecute=true +RestrictNamespaces=true +ProtectHostname=true +LockPersonality=true +ProtectKernelTunables=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictRealtime=true +# If you don't put proxy.py in a home directory... ProtectHome=true +ProtectProc=invisible +ProcSubset=pid +PrivateUsers=self +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +UMask=7777 +``` + +Systemd injects the certificates to a private path than only `proxy.py` can read. +The injection is a one off, so you must restart the service to get updated certificates. + +## Providing the certificates manually + +To run `proxy.py` as a regular user, you can run the `package-mod-md-certs` script as root to copy the certificates to your user: + +``` +su -c ./package-mod-md-certs | tar x +``` + +Then you can run: + +``` +./proxy.py --certificates-from-path domains/ +``` -- cgit v1.2.3
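Review bot: In the `[Service]` example, `ProtectHome=true` sits on the same line as the `# If you don't put proxy.py in a home directory...` comment, so systemd reads the whole line as a comment and the setting is never applied to anyone who copies the unit verbatim. Put the directive on its own line, either active with a comment telling home-directory installs to remove it, or commented out on a separate line so it is clear which text to uncomment. In the paragraph after the unit, "a private path than only `proxy.py` can read" should read "that only". The manual section pipes the output of `package-mod-md-certs` into `tar x` in the current directory without saying what permissions the extracted `domains/` tree ends up with; a sentence on running it in a directory that other users cannot read would help.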