New Website and gnix
fixme: probably contains a lot of errors, shouldn't have written this late
Last weekend I started a new attempt at writing a reverse proxy: this time with success! I have finally been able to replace nginx for all services. Additionally, I now have a wildcard TLS certificate for all of *.metamuffin.org.
The cgit instance is no longer available since it used CGI, which gnix does not support and which I do not like anyway.
The reverse-proxy
Nginx was not optimal because I found it hard to configure, it required certbot to automatically change the config, and it was also just too much for my use case. (Who needs an HTTP server that can also serve SMTP?!)
My new solution (gnix) has very limited configuration abilities for now, but just enough to work. I simplified about 540 lines of /etc/nginx/nginx.conf to only 20 lines of /etc/gnix.toml (yesss. TOML. of course it is.). The proxy now only acts as a "hostname demultiplexer": it looks at the requested hostname and forwards the connection to the backend configured for that name. A configuration could look like this:
```toml
[http]
bind = "0.0.0.0:80"

[https]
bind = "0.0.0.0:443"
tls_cert = "/path/to/cert.pem"
tls_key = "/path/to/key.pem"

[hosts]
"domain.tld" = { backend = "127.0.0.1:18000" }
"www.domain.tld" = { backend = "127.0.0.1:18000" }
"keksmeet.domain.tld" = { backend = "127.0.0.1:18001" }
"otherdomain.tld" = { backend = "example.org:80" }
```
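To make the "hostname demultiplexer" idea concrete, here is an added example in Rust (not gnix's own code) of the one decision such a proxy has to make per request: read the Host header, normalise it, and look it up in a table like the [hosts] section above. The host table is constructed inline from the config shown; the `Route` enum, the 400/421 distinction and the strictness rules (exactly one Host header, only plain hostnames, no fallback backend for unknown names) are my choices, not gnix's.

```rust
// Added example, not part of gnix: map an HTTP/1.1 request head to a backend.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Route {
    /// Forward to this backend address.
    Backend(String),
    /// No Host header, several Host headers, or an unparsable value: 400.
    BadRequest,
    /// Well-formed hostname that is not configured: answer 421/404 locally,
    /// never fall through to a default backend.
    UnknownHost(String),
}

/// Host table constructed to mirror the [hosts] section of the TOML above.
pub fn example_hosts() -> HashMap<String, String> {
    let mut m = HashMap::new();
    for (host, backend) in [
        ("domain.tld", "127.0.0.1:18000"),
        ("www.domain.tld", "127.0.0.1:18000"),
        ("keksmeet.domain.tld", "127.0.0.1:18001"),
        ("otherdomain.tld", "example.org:80"),
    ] {
        m.insert(host.to_string(), backend.to_string());
    }
    m
}

/// Normalise a Host value: trim, strip an optional numeric :port, drop a
/// trailing dot, lower-case. Anything that is not a plain hostname (IPv6
/// literals, path characters, empty names) is rejected so that odd spellings
/// cannot dodge the table lookup.
pub fn normalize_host(raw: &str) -> Option<String> {
    let h = raw.trim();
    let h = match h.rsplit_once(':') {
        Some((name, port)) if !port.is_empty() && port.chars().all(|c| c.is_ascii_digit()) => name,
        Some(_) => return None, // "[::1]:443", "a:b", "host:" ...
        None => h,
    };
    let h = h.trim_end_matches('.').to_ascii_lowercase();
    if h.is_empty() || !h.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.') {
        return None;
    }
    Some(h)
}

/// Parse only the request head (request line plus headers) and pick a route.
pub fn route(request_head: &str, hosts: &HashMap<String, String>) -> Route {
    let mut host_values = Vec::new();
    for line in request_head.lines().skip(1) {
        if line.is_empty() {
            break; // end of headers
        }
        if let Some((name, value)) = line.split_once(':') {
            // Header names are case-insensitive; no whitespace before ':' is allowed.
            if name.eq_ignore_ascii_case("host") {
                host_values.push(value);
            }
        }
    }
    // HTTP/1.1 requires exactly one Host header.
    if host_values.len() != 1 {
        return Route::BadRequest;
    }
    match normalize_host(host_values[0]) {
        None => Route::BadRequest,
        Some(h) => match hosts.get(&h) {
            Some(backend) => Route::Backend(backend.clone()),
            None => Route::UnknownHost(h),
        },
    }
}

fn main() {
    let hosts = example_hosts();
    let req = "GET / HTTP/1.1\r\nHost: WWW.Domain.TLD:443\r\n\r\n";
    println!("{:?}", route(req, &hosts));
}
```

The point of the strict normalisation is that the table lookup is the only thing standing between an attacker-controlled header and your backends: a proxy that falls back to "the first configured backend" for unknown or odd hostnames quietly turns into an open relay to that service.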
I am running two gnix instances now, one for :80 + :443 and another for Matrix federation on :8448. Additionally, this required me to move my Matrix homeserver from https://metamuffin.org/_matrix to https://matrix.metamuffin.org/_matrix via the .well-known/matrix/server file. And that in turn required me to host a file there, which was nginx's job previously. At this point I started rewriting my main website.
Wildcard Certificates
Another inconvenience was that I would need certbot to acquire one certificate for each subdomain. Let's Encrypt offers wildcard certificates; these can be obtained by solving an ACME challenge that requires changing a DNS record (to prove you own the domain). My current registrar (Namecheap) does not offer me an API for automatically applying these, though. They do however (through a very, very confusing, badly designed user interface) allow me to set a custom nameserver. By setting the nameserver to 144.91.114.82 (the IP address of my VPS), the server can run its own nameserver that is authoritative for metamuffin.org. I used BIND9's named to do that and also to dynamically update records.
```conf
# /etc/named.conf (-rw-------; owned by named)
zone "metamuffin.org" IN {
    type master;
    # the zone file is trivial to configure, look it up somewhere else. :)
    file "metamuffin.org.zone";
    update-policy {
        # only allow certbot to change TXT records of _acme-challenge.metamuffin.org
        grant certbot. name _acme-challenge.metamuffin.org. TXT;
    };
};

# generated with: tsig-keygen -a HMAC-SHA512 -n HOST certbot
key "certbot" {
    algorithm hmac-sha512;
    secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
```
Then certbot can be configured to use these credentials for solving challenges:
```ini
# /etc/certbot/rfc2136.ini (-rw-------; owned by root)
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = certbot
dns_rfc2136_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dns_rfc2136_algorithm = HMAC-SHA512
```
Now you can automatically request new wildcard certificates by running:
```sh
doas certbot certonly --dns-rfc2136 \
    --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini \
    -d '*.domain.tld' -d 'domain.tld' \
    --server https://acme-v02.api.letsencrypt.org/directory
```
Rewrite of my website
As mentioned above, I replaced my former Deno + pug.js + static file server setup with a custom Rust application (using Rocket and Markup and 253 other dependencies). I rewrote my blog rendering system too, which is why you don't see syntax highlighting right now.
End
In case of questions, ask me. Have fun suffering with the modern web!