readme: install and systemd instructions

Cargo.lock

@@ -13,9 +13,9 @@ dependencies = [
 
 [[package]]
 name = "ansi_term"
-version = "0.11.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
 dependencies = [
  "winapi",
 ]
@@ -70,9 +70,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "2.33.3"
+version = "2.34.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
+checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
 dependencies = [
  "ansi_term",
  "atty",
@@ -149,9 +149,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.108"
+version = "0.2.112"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8521a1b57e76b1ec69af7599e75e38e7b7fad6610f037db8c79b127201b5d119"
+checksum = "1b03d17f364a3a042d5e5d46b053bbbf82c92c9430c592dd4c064dc6ee997125"
 
 [[package]]
 name = "log"
@@ -195,13 +195,13 @@ dependencies = [
 
 [[package]]
 name = "once_cell"
-version = "1.8.0"
+version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "692fcb63b64b1758029e0a96ee63e049ce8c5948587f2f7208df04625e5f6b56"
+checksum = "da32515d9f6e6e489d7bc9d84c71b060db7247dc035bbe44eac88cf87486d8d5"
 
 [[package]]
 name = "opal"
-version = "0.1.0"
+version = "0.2.0"
 dependencies = [
  "chrono",
  "clap",
@@ -228,9 +228,9 @@ dependencies = [
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.71"
+version = "0.9.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7df13d165e607909b363a4757a6f133f8a818a74e9d3a98d09c6128e15fa4c73"
+checksum = "7e46109c383602735fa0a2e48dd2b7c892b048e1bf69e5c3b1d804b7d9c203cb"
 dependencies = [
  "autocfg",
  "cc",
@@ -247,9 +247,9 @@ checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"
 
 [[package]]
 name = "pkg-config"
-version = "0.3.22"
+version = "0.3.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "12295df4f294471248581bc09bef3c38a5e46f1e36d6a37353621a0c6c357e1f"
+checksum = "58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"
 
 [[package]]
 name = "regex"

README.md

@@ -8,7 +8,7 @@ project's goals are:
 
 - Focus on a small set of features (around CGI) but do them correctly.
 - Be nice with old/stupid hardware (TLS 1.2 is OK, be efficient, etc).
-- Don't add features unless someone actively wants them in.
+- Don't add features (see the roadmap at the end of this file).
 - Try to keep resources (binary size, memory, etc) under tight control.
 
 Opal uses the `openssl` Rust bindings, which work with OpenSSL and LibreSSL, so
@@ -21,6 +21,23 @@ Opal is licensed as GPLv3.
 
 
 
+Installation
+------------
+
+### Pre-compiled releases
+
+Binary releases for 64-bit Linux systems are available on [my Gitea][gitea-rel]
+and on [Github][gh-rel].
+
+[gitea-rel]: https://git.dece.space/Dece/Opal/releases
+[gh-rel]: https://github.com/Dece/Opal/releases
+
+### Compiling from sources
+
+Compiling Opal requires Cargo installed with the stable Rust toolchain.
+
+
+
 Usage
 -----
 
@@ -39,6 +56,43 @@ Note that if you just want to listen to both IPv4 and IPv6 on any interface,
 listening only on `[::]:1965` should suffice for systems with dual-stack
 enabled (default on many Linux systems, maybe not BSD).
 
+### Systemd
+
+I personally run Opal as a Systemd service. Here is an example unit file:
+
+``` ini
+[Unit]
+Description=Opal Gemini server
+
+[Service]
+WorkingDirectory=/home/gemini/opal
+User=gemini
+Group=gemini
+ExecStart=/usr/local/bin/opal -a "[::]:1966" -c certs/cert.pem -k certs/key.pem -r cgi -e STORAGE_ROOT=storage
+Restart=always
+RestartSec=1
+SyslogIdentifier=opal
+# Security options:
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=tmpfs
+BindReadOnlyPaths="/home/gemini/opal"
+BindPaths="/home/gemini/opal/storage"
+
+[Install]
+WantedBy=multi-user.target
+```
+
+- Opal has been installed in `/usr/local/bin`
+- The directory `/home/gemini/opal` contains the directories `certs`, `cgi` and
+    `storage`, for certificates, the CGI scripts and a storage path.
+- The `/home` directory is not readable, except for `/home/gemini/opal` which is
+    read-only, except for the `storage` directory which is writeable.
+
+This is just an example, please do not mindlessly copy and paste it without
+understanding what the options stand for. It is also possible to use a chrooted
+environment or the Systemd equivalent option RootDirectory. Your choice!
+
 
 
 CGI support
@@ -82,9 +136,9 @@ Opal does not provide `CONTENT_LENGTH`, `CONTENT_TYPE`, `REMOTE_IDENT` because
 they do not make much sense in Gemini. `PATH_TRANSLATED` is also not implemented
 by pure laziness.
 
-The `TLS_CLIENT_HASH` is a string that starts with "SHA256:" followed by the
-SHA256 digest of the DER representation of the client certificate, as an
-uppercase hex-string.
+The `TLS_CLIENT_HASH` is a string that starts with the 7 bytes `SHA256:`
+followed by the SHA256 digest of the DER representation of the client
+certificate, as an uppercase hex-string.
 
 It can be a bit confusing which variable represent what data, especially those
 related to the URL and the path. Take the following request as example:
@@ -106,13 +160,12 @@ QUERY_STRING=search=%C3%A9l%C3%A9ment
 Roadmap
 -------
 
-Things to consider:
+Things that might end up in Opal one day:
 
 - Support SCGI; a bit more complex but should save resources on smol hardware.
-- Chroot; quite cheap and can bring a bit of peace of mind.
 
 Things that probably won't be considered:
 
-- Serve static files; so many other servers to that correctly already!
+- Serve static files; so many other servers do that correctly already!
 - Any kind of security mechanism that is not properly motivated.
-- FastCGI; come on…
+- FastCGI; un-smol…