path: root/articles/2023-02-13-new-website-using-gnix.md

# New Website and gnix

_fixme: probably contains a lot of errors, shouldn't have written this late_

Last weekend I started a new attempt writing a reverse proxy: This time, with
success! I have been able to finally replace nginx for all services.
Additionally I now have a wildcard TLS certificate for all of
`*.metamuffin.org`.

The cgit instance is no longer available since it used CGI, which gnix does not
support nor I like.

## The reverse-proxy

Nginx was not optimal because I found it was hard to configure, required certbot
automatically chaning the config and was also just _too much_ for my use case.
(Who needs a http server that can also serve SMTP?!)

My new solution ([gnix](https://codeberg.org/metamuffin/gnix)) has very limited
configuration abilities for now but just enough to work. I simplified about 540
lines of `/etc/nginx/nginx.conf` to only 20 lines of `/etc/gnix.toml` (yesss.
TOML. of course it is.). The Proxy now only acts as a "Hostname Demultiplexer".
A configuration could look like this:

```toml
[http]
bind = "0.0.0.0:80"

[https]
bind = "0.0.0.0:443"
tls_cert = "/path/to/cert.pem"
tls_key = "/path/to/key.pem"

[hosts]
"domain.tld" = { backend = "127.0.0.1:18000" }
"www.domain.tld" = { backend = "127.0.0.1:18000" }
"keksmeet.domain.tld" = { backend = "127.0.0.1:18001" }
"otherdomain.tld" = { backend = "example.org:80" }
```

I am running two gnix instances now, one for `:80`+`:443` and another for matrix
federation on `:8448`. Additionally this required me to move my matrix
homeserver from `https://metamuffin.org/_matrix` to
`https://matrix.metamuffin.org/_matrix` via the `.well-known/matrix/server`
file. And that intern required me to host a file there, which was nginx' job
previously. At this point I started rewriting my main website.

## Wildcard Certificates

Another inconvinience was that I would need `certbot` to aquire one certificate
for each subdomain. Letsencrypt offers wildcard certificates; These can be
obtained by solving a ACME challenge that requires changing DNS record (to prove
you own the domain). My current registrar (Namecheap) does not offer me an API
for automatically applying these though. They do however (through a very very
confusing, badly designed user interface) allow me to set a custom nameserver.
By setting the nameserver to `144.91.114.82` (IP address of my VPS) the server
can run its own nameserver that has authority over resolving `metamuffin.org`. I
used BIND9's `named` to do that and also dynamically update records.

```conf
# /etc/named.conf (-rw-------; owned by named)
zone "metamuffin.org" IN {
	type master;
    # the zone file is trivial to configure, look it up somewhere else. :)
	file "metamuffin.org.zone";
    update-policy {
        # only allow certbot to change TXT records of _acme-challenge.metamuffin.org
        grant certbot. name _acme-challenge.metamuffin.org. TXT;
    };
};

# generated with `tsig-keygen -a HMAC-SHA512 -n HOST certbot`
key "certbot" {
	algorithm hmac-sha512;
	secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
```

Then certbot can be configured to use these credentials for solving challenges:

```ini
# /etc/certbot/rfc2136.ini (-rw-------; owned by root)
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = certbot
dns_rfc2136_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dns_rfc2136_algorithm = HMAC-SHA512
```

Now you can automatically request new wildcard certificates by running
`doas certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.domain.tld' -d 'domain.tld' --server https://acme-v02.api.letsencrypt.org/directory`

## Rewrite of my website

As mentioned above, I replace my former Deno + pug.js + static file server setup
with a custom rust application (using Rocket and Markup and 253 other
dependencies). I rewrote my blog rendering system too, that why you don't see
syntax highlighting right now.

## End

In case of questions, ask me. Have fun suffering with the modern web!