Critique my setup, please
- 📧 Messages: 4
- 🗣️ Authors: 3
- 📅 First Message: 2020-09-12 20:01
- 📅 Last Message: 2020-09-13 02:18
1. Nathan Galt (mailinglists (a) ngalt.com)
- 📅 Sent: 2020-09-12 20:01
- 📧 Message 1 of 4
I'm setting up a capsule on a VPS served up with Molly Brown. I'd like to
get some feedback on what I should be doing, in case I'm doing something
egregiously wrong. The capsule isn't intended to be permanent, at least
not yet, so I'm giving it the domain name of beepbeepbeep.example.
(It was only after I decided I should post this that I remembered that the
best way to get good advice on the Internet is to post bad advice...)
I wasn?t sure how to make/get certs, so I stumbled around and found this:
https://github.com/michael-lazar/jetforce#tls-certificates
And then there?s also
sudo certbot certonly --standalone
as shown on <https://certbot.eff.org/lets-encrypt/ubuntufocal-other>.
I'm waffling back and forth on whether I should stick everything in some
unprivileged user's home directory (much like I do here) or if I should
put things in "proper" places like /var/gemini. Opinions welcome. I do not
intend for humans other than me to be inside this server ever.
Without further ado, the commands I used just now:
- - - - - - - - - 8< - - - - - - - - -
#!/bin/bash
apt update
apt upgrade --yes
apt install --yes fish bat
ln -s /usr/bin/batcat /usr/local/bin/bat
mkdir /etc/skel/.ssh
cp ~/.ssh/authorized_keys /etc/skel/.ssh/
addgroup certview
# named after Gus Grissom, who named the Gemini 3 capsule "Molly Brown"
# empty GECOS field, no password (login only via the SSH key copied from /etc/skel)
adduser --shell /usr/bin/fish --disabled-password --gecos "" griss
usermod -aG certview griss
snap install --classic certbot
certbot certonly --standalone \
--non-interactive \
--agree-tos \
--domains "gemini.beepbeepbeep.example" \
--register-unsafely-without-email
chmod 0755 /etc/letsencrypt/{live,archive}
chmod g+r /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem
chgrp certview /etc/letsencrypt/archive/gemini.beepbeepbeep.example/privkey1.pem
cat << 'EOF' > /etc/molly.conf
Hostname = "gemini.beepbeepbeep.example"
DefaultLang = "en-US"
DocBase = "/home/griss/public"
AccessLog = "/home/griss/access.log"
ErrorLog = "/home/griss/error.log"
CertPath = "/etc/letsencrypt/live/gemini.beepbeepbeep.example/fullchain.pem"
KeyPath = "/etc/letsencrypt/live/gemini.beepbeepbeep.example/privkey.pem"
[MimeOverrides]
"atom.xml$" = "application/atom+xml"
EOF
cat << 'EOF' > /etc/systemd/system/molly-brown.service
[Unit]
Description=Molly Brown gemini server
After=network.target
[Service]
Type=simple
Restart=on-failure
User=griss
ExecStart=/home/griss/go/bin/molly-brown
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/home/griss/access.log /home/griss/error.log
[Install]
WantedBy=multi-user.target
EOF
systemctl enable molly-brown.service
# Much later...
systemctl start molly-brown.service
#######################################
# As griss...
wget https://golang.org/dl/go1.15.2.linux-amd64.tar.gz
tar xf go*
mv go go-dist
mkdir go
./go-dist/bin/go get tildegit.org/solderpunk/molly-brown
# Self-signed alternative to certbot (kept commented out):
# openssl req -newkey rsa:2048 -nodes -keyout gemini.beepbeepbeep.example.key \
#     -x509 -out gemini.beepbeepbeep.example.crt \
#     -subj "/CN=gemini.beepbeepbeep.example"
mkdir public
printf "# It works!\n\nYour Gemini capsule is up and running.\n" > public/index.gmi
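One gap in the script above that a reviewer would flag: the chgrp/chmod are applied to privkey1.pem, but by default each certbot renewal writes a fresh privkeyN.pem into the archive directory (mode 0600, owned by root) and repoints live/<domain>/privkey.pem at it, so the group-read grant for certview silently stops applying at the first renewal and the server fails to start with the new key. The following is an added example of a certbot deploy hook that re-applies the grant and restarts the service. It is not code from the thread, from certbot or from Molly Brown; the certview group and the molly-brown.service unit name come from the post, while the hook location, the 0640 mode and the restart are assumptions. Certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ after every successful renewal with RENEWED_LINEAGE set to the lineage's live/ directory.

```shell
#!/bin/sh
# Added example (not from the thread, certbot or Molly Brown): certbot deploy
# hook that makes the *current* private key readable by the certview group
# after a renewal, then restarts the Gemini server so it loads the new pair.
# Install as /etc/letsencrypt/renewal-hooks/deploy/molly-brown, mode 0755.
# Group "certview" and unit "molly-brown.service" are taken from the original
# post; the hook path, the 0640 mode and the restart are assumptions.
set -eu

# fix_privkey_perms LINEAGE_DIR GROUP
# LINEAGE_DIR is a live/<domain> directory. Follows the privkey.pem symlink to
# the real archive file (privkeyN.pem), hands it to GROUP and sets mode 0640
# (owner rw, group r, nothing for others). Prints the resolved archive path.
fix_privkey_perms() {
    lineage=$1
    group=$2
    key=$(readlink -f "$lineage/privkey.pem")
    [ -f "$key" ] || { echo "no private key under $lineage" >&2; return 1; }
    chgrp "$group" "$key"
    chmod 0640 "$key"
    printf '%s\n' "$key"
}

# file_mode FILE: permission bits in octal (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/gemini.beepbeepbeep.example)
# only when it invokes a deploy hook after a successful renewal, so nothing
# below runs when the file is sourced or executed by hand without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    fix_privkey_perms "$RENEWED_LINEAGE" certview
    systemctl restart molly-brown.service
fi
```

The restart assumes the server reads CertPath and KeyPath once at startup; if it re-reads them on its own the restart is merely redundant. Note that the hook only touches the key file: the live/ and archive/ directories still need the 0755 from the script so that griss can traverse them.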
2. makeworld
- 📅 Sent: 2020-09-12 23:54
- 📧 Message 2 of 4
Hello, welcome to Gemini!
I can't speak to your Molly Brown setup, as I don't use it,
but I can offer some advice for certificates. I've actually
written a whole post on how to generate nice Gemini certs
here:
gemini://makeworld.gq/gemlog/2020-07-06-openssl.gmi
The main difference from what you've done is that these certs
are valid for 5 years, so you'll change them less often, and
that they use EC keys, making the cert size (and therefore
request overhead) much smaller.
Cheers!
makeworld
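As an added illustration of the advice above (this is not makeworld's script, and the linked gemlog is not reproduced on this page): generating a self-signed certificate on a P-256 EC key with a five-year lifetime, plus checks that the result is what was asked for. The hostname is the one from the original post; the output file names, the 1825-day lifetime and the subjectAltName extension are assumptions. The resulting .crt and .key would replace the Let's Encrypt paths in CertPath and KeyPath.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked gemlog: make a
# self-signed Gemini server certificate on a P-256 EC key with a long lifetime
# and verify the result. Hostname from the original post; file names, the
# 1825-day (five-year) lifetime and the SAN extension are assumptions.
set -eu

# gen_gemini_cert HOST DAYS OUTDIR
# Writes OUTDIR/HOST.key (unencrypted P-256 key, created 0600 via the umask in
# the subshell) and OUTDIR/HOST.crt (self-signed, CN and subjectAltName both
# HOST, world-readable). subjectAltName is what clients match the hostname
# against; CN alone is legacy.
gen_gemini_cert() {
    host=$1; days=$2; outdir=$3
    ( umask 077
      openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
          -nodes -days "$days" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null )
    chmod 0644 "$outdir/$host.crt"
}

# cert_key_type CERTFILE: public key algorithm named in the certificate
# (id-ecPublicKey for an EC key, rsaEncryption for RSA).
cert_key_type() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

# cert_san_dns CERTFILE: DNS names listed in the subjectAltName extension.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS://p'
}

# cert_valid_for_days CERTFILE DAYS: succeeds if the certificate is still valid
# DAYS from now. Handy as a periodic check so a TOFU-pinned certificate gets
# replaced before clients start rejecting it.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# file_mode FILE: permission bits in octal (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}
```

With a self-signed certificate there is no renewal to automate, but the flip side of a long-lived, TOFU-pinned key is that rotating it means every client that pinned the old one sees a mismatch, so the lifetime check above is worth running from cron to plan that change rather than discover it.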
3. Jansen Price (jansen.price (a) gmail.com)
- 📅 Sent: 2020-09-13 02:12
- 📧 Message 3 of 4
> ExecStart=/home/griss/go/bin/molly-brown
Do you need to make the execution of molly brown to include -c?
e.g. ExecStart=/home/griss/go/bin/molly-brown -c /etc/molly.conf
4. Nathan Galt (mailinglists (a) ngalt.com)
- 📅 Sent: 2020-09-13 02:18
- 📧 Message 4 of 4
> On Sep 12, 2020, at 7:12 PM, Jansen Price <jansen.price at gmail.com> wrote:
>
> > ExecStart=/home/griss/go/bin/molly-brown
>
> Do you need to make the execution of molly brown to include -c?
> e.g. ExecStart=/home/griss/go/bin/molly-brown -c /etc/molly.conf
-c overrides the default of /etc/molly.conf.