path: root/blog/2023-02-13-new-website-using-gnix.md

# New Website and gnix

_fixme: probably contains a lot of errors, shouldn't have written this late_

Last weekend I started a new attempt writing a reverse proxy: This time, with
success! I have been able to finally replace nginx for all services.
Additionally I now have a wildcard TLS certificate for all of
`*.metamuffin.org`.

The cgit instance is no longer available since it used CGI, which gnix does not
support nor I like.

## The reverse-proxy

Nginx was not optimal because I found it was hard to configure, required certbot
automatically chaning the config and was also just _too much_ for my use case.
(Who needs a http server that can also serve SMTP?!)

My new solution ([gnix](https://codeberg.org/metamuffin/gnix)) has very limited
configuration abilities for now but just enough to work. I simplified about 540
lines of `/etc/nginx/nginx.conf` to only 20 lines of `/etc/gnix.toml` (yesss.
TOML. of course it is.). The Proxy now only acts as a "Hostname Demultiplexer".
A configuration could look like this:

```toml
[http]
bind = "0.0.0.0:80"

[https]
bind = "0.0.0.0:443"
tls_cert = "/path/to/cert.pem"
tls_key = "/path/to/key.pem"

[hosts]
"domain.tld" = { backend = "127.0.0.1:18000" }
"www.domain.tld" = { backend = "127.0.0.1:18000" }
"keksmeet.domain.tld" = { backend = "127.0.0.1:18001" }
"otherdomain.tld" = { backend = "example.org:80" }
```

I am running two gnix instances now, one for `:80`+`:443` and another for matrix
federation on `:8448`. Additionally this required me to move my matrix
homeserver from `https://metamuffin.org/_matrix` to
`https://matrix.metamuffin.org/_matrix` via the `.well-known/matrix/server`
file. And that intern required me to host a file there, which was nginx' job
previously. At this point I started rewriting my main website.

## Wildcard Certificates

Another inconvinience was that I would need `certbot` to aquire one certificate
for each subdomain. Letsencrypt offers wildcard certificates; These can be
obtained by solving an ACME challenge that requires changing a DNS record (to
prove you own the domain). My current registrar (Namecheap) does not offer me an
API for automatically applying these though. They do however (through a very
very confusing, badly designed user interface) allow me to set a custom
nameserver. By setting the nameserver to `144.91.114.82` (IP address of my VPS)
the server can run its own nameserver that has authority over resolving
`metamuffin.org`. I used BIND9's `named` to do that and also dynamically update
records.

```conf
# /etc/named.conf (-rw-------; owned by named)
zone "metamuffin.org" IN {
	type master;
    # the zone file is trivial to configure, look it up somewhere else. :)
	file "metamuffin.org.zone";
    update-policy {
        # only allow certbot to change TXT records of _acme-challenge.metamuffin.org
        grant certbot. name _acme-challenge.metamuffin.org. TXT;
    };
};

# generated with `tsig-keygen -a HMAC-SHA512 -n HOST certbot`
key "certbot" {
	algorithm hmac-sha512;
	secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
```

Then certbot can be configured to use these credentials for solving challenges:

```ini
# /etc/certbot/rfc2136.ini (-rw-------; owned by root)
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = certbot
dns_rfc2136_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dns_rfc2136_algorithm = HMAC-SHA512
```

Now you can automatically request new wildcard certificates by running
`doas certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.domain.tld' -d 'domain.tld' --server https://acme-v02.api.letsencrypt.org/directory`

## Rewrite of my website

As mentioned above, I replace my former Deno + pug.js + static file server setup
with a custom rust application (using Rocket and Markup and 253 other
dependencies). I rewrote my blog rendering system too, that why you don't see
syntax highlighting right now.

## End

In case of questions, ask me. Have fun suffering with the modern web!