New Website and gnix
fixme: probably contains a lot of errors, shouldn't have written this late
Last weekend I started a new attempt at writing a reverse proxy: this time with success! I have finally been able to replace nginx for all services. Additionally, I now have a wildcard TLS certificate for all of *.metamuffin.org.
The cgit instance is no longer available since it used CGI, which gnix does not support and which I don't like either.
The reverse-proxy
Nginx was not optimal because I found it hard to configure, it required certbot to automatically change the config, and it was also just too much for my use case. (Who needs an HTTP server that can also serve SMTP?!)
My new solution (gnix) has very limited configuration abilities for now, but just enough to work. I simplified about 540 lines of /etc/nginx/nginx.conf to only 20 lines of /etc/gnix.toml (yesss. TOML. Of course it is.). The proxy now only acts as a "hostname demultiplexer".
A configuration could look like this:
[http]
bind = "0.0.0.0:80"

[https]
bind = "0.0.0.0:443"
tls_cert = "/path/to/cert.pem"
tls_key = "/path/to/key.pem"

[hosts]
"domain.tld" = { backend = "127.0.0.1:18000" }
"www.domain.tld" = { backend = "127.0.0.1:18000" }
"keksmeet.domain.tld" = { backend = "127.0.0.1:18001" }
"otherdomain.tld" = { backend = "example.org:80" }
I am running two gnix instances now, one for :80 + :443 and another for Matrix federation on :8448. Additionally, this required me to move my Matrix homeserver from https://metamuffin.org/_matrix to https://matrix.metamuffin.org/_matrix via the .well-known/matrix/server file. And that in turn required me to host a file there, which was nginx's job previously. At this point I started rewriting my main website.
Wildcard Certificates
Another inconvenience was that I would need certbot to acquire one certificate for each subdomain. Let's Encrypt offers wildcard certificates; these can be obtained by solving an ACME DNS challenge that requires changing a DNS record (to prove you control the domain). My current registrar (Namecheap) does not offer me an API for applying these automatically, though. They do however (through a very, very confusing, badly designed user interface) allow me to set a custom nameserver. By setting the nameserver to 144.91.114.82 (the IP address of my VPS), the server can run its own nameserver that is authoritative for metamuffin.org. I used BIND9's named to do that and also to dynamically update records.
# /etc/named.conf (-rw-------; owned by named)
zone "metamuffin.org" IN {
    type master;
    # the zone file is trivial to configure, look it up somewhere else. :)
    file "metamuffin.org.zone";
    update-policy {
        # only allow certbot to change TXT records of _acme-challenge.metamuffin.org
        grant certbot. name _acme-challenge.metamuffin.org. TXT;
    };
};

# generated with `tsig-keygen -a HMAC-SHA512 -n HOST certbot`
key "certbot" {
    algorithm hmac-sha512;
    secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
Then certbot can be configured to use these credentials for solving challenges:
# /etc/certbot/rfc2136.ini (-rw-------; owned by root)
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = certbot
dns_rfc2136_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dns_rfc2136_algorithm = HMAC-SHA512
Now you can automatically request new wildcard certificates by running
doas certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.domain.tld' -d 'domain.tld' --server https://acme-v02.api.letsencrypt.org/directory
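The whole point of the update-policy above is that the certbot TSIG key can touch only the ACME TXT record and nothing else in the zone, so a leaked rfc2136.ini cannot be used to rewrite A or NS records. As an added example (not code from this post or from BIND itself), here is a small Python model of how BIND9 evaluates update-policy grants; it handles the name, subdomain and zonesub rule types with BIND's documented default type set, is an approximation of the real matching code, and reads the policy text verbatim from the named.conf above.

```python
import re
# Types BIND implicitly excludes when a rule lists no types (per the ARM).
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}

def _norm(name):
    return name.lower().rstrip(".")

def parse_policy(text):
    """Parse grant/deny statements of an update-policy block into ordered tuples."""
    rules = []
    for stmt in re.sub(r"#.*", "", text).split(";"):   # strip comments first
        words = stmt.split()
        if not words or words[0] not in ("grant", "deny"):
            continue
        action, ident, rtype = words[0], _norm(words[1]), words[2]
        if rtype == "zonesub":           # zonesub takes no name argument
            name, types = "", {t.upper() for t in words[3:]}
        else:                            # name / subdomain take a name
            name, types = _norm(words[3]), {t.upper() for t in words[4:]}
        rules.append((action, ident, rtype, name, types))
    return rules

def _name_matches(rtype, rule_name, target, zone):
    if rtype == "name":
        return target == rule_name
    if rtype == "subdomain":
        return target == rule_name or target.endswith("." + rule_name)
    if rtype == "zonesub":
        return target == zone or target.endswith("." + zone)
    return False                         # other rule types not modelled here

def _type_matches(types, rrtype):
    if not types:
        return rrtype not in DEFAULT_EXCLUDED
    return "ANY" in types or rrtype in types

def update_allowed(rules, key, target, rrtype, zone):
    """First matching rule decides; no matching rule means the update is REFUSED."""
    key, target, zone, rrtype = _norm(key), _norm(target), _norm(zone), rrtype.upper()
    for action, ident, rtype, name, types in rules:
        if ident == key and _name_matches(rtype, name, target, zone) \
                and _type_matches(types, rrtype):
            return action == "grant"
    return False

# The update-policy body from the named.conf above, used as sample input.
POLICY = """
    # only allow certbot to change TXT records of _acme-challenge.metamuffin.org
    grant certbot. name _acme-challenge.metamuffin.org. TXT;
"""
```

Run update_allowed() with the key name, record name and type you expect certbot to need, then with an A record at the zone apex: only the first should come back True.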
Rewrite of my website
As mentioned above, I replaced my former Deno + pug.js + static file server setup with a custom Rust application (using Rocket and Markup and 253 other dependencies). I rewrote my blog rendering system too, which is why you don't see syntax highlighting right now.
End
In case of questions, ask me. Have fun suffering with the modern web!
Article written by metamuffin, text licenced under CC BY-ND 4.0, non-trivial code blocks under GPL-3.0-only except where indicated otherwise