stryan 9389c5b224 Update README 2 years ago
src support lang tag on a vhost basis 2 years ago
.gitignore Makefile, readme in markdown 2 years ago
COPYING add licensing 2 years ago
Makefile Update readme, makefile, standardize logging 2 years ago Update README 2 years ago
config.yaml.sample support lang tag on a vhost basis 2 years ago
go.mod cleanup 2 years ago
go.sum Makefile, readme in markdown 2 years ago
secretshop.service have everything use /usr by default 2 years ago

SecretShop: a small Gemini server.


  • Multi-site hosting
  • Also supports simple Gopher hosting
  • Fully compliant with Jetforce diagnostics
  • Client Certificates
  • Probably won't kill your computer

Where to get it

git clone

I also release binaries at

The release tab also has pre-generated archives if you don't want to run master.


SecretShop looks in its current running directory and /etc/secretshop for its config file. Configuration is in a file labeled "config.yaml" in one of the above directories. See the sample config for more details.

A standard file looks like this:

port: 1965
        - localhost
        Hostname: "localhost"
        Port: "1965"
        RootDir: "/var/gemini"
        CGIDir: "/var/gemini/cgi"
        KeyFile: "localhost.key"
        CertFile: "localhost.crt"
            - /id
                    - /known
            - /private
                Whitelist: "whitelist"
        Lang: "en"

Where each "active_capsule" is a virtual Gemini capsule. SecretShop supports virtual Gemini capsules all listening on port 1965.

By default, a capsule requires the Hostname, Root Directory, Keyfile, and CertFile to start properly. The capsule also needs to be listed in the "active_capsules" list. Each capsule can optionally have an "AccessControl" section for use with client certificates. AccessControl is broken up into three zones:

  • Identified: Requires a client to present a certificate of some kind to access. Currently does not validate the certificate. Response code 60.
  • Known: Reserved for transient certificates; currently not fully implemented. Response code 61.
  • Trusted: Requires a client to present a certificate whose fingerprint matches an entry in the Whitelist file. Currently checks validity dates and the fingerprint. Response codes 62-65.

For the Trusted zone, a Whitelist section must exist, with a path leading to the whitelist file. The whitelist file is a text file containing certificate fingerprints, one per line. This is used to authenticate client certificates.
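The Trusted-zone check described above (validity dates plus a fingerprint lookup in a one-per-line whitelist), sketched in Go as an added example; it is not SecretShop's own code. The function names, the SHA-256 hex fingerprint format and the meaning given to each individual code within 62-65 are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Fingerprint: lowercase hex SHA-256 of the DER bytes (assumed format).
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ParseWhitelist reads whitelist file contents: one fingerprint per line.
func ParseWhitelist(data string) map[string]bool {
	allowed := map[string]bool{}
	for _, line := range strings.Split(data, "\n") {
		// Normalise case and ':' separators; TrimSpace also drops a trailing '\r'.
		fp := strings.ToLower(strings.ReplaceAll(strings.TrimSpace(line), ":", ""))
		if fp != "" { // skip blank lines so "" can never match
			allowed[fp] = true
		}
	}
	return allowed
}

// CheckTrusted returns 20 or a status in 62-65. The meaning given to each
// code follows older Gemini spec drafts and is an assumption, not SecretShop's.
func CheckTrusted(c *x509.Certificate, allowed map[string]bool, now time.Time) int {
	switch {
	case c == nil:
		return 62 // no certificate presented
	case now.Before(c.NotBefore):
		return 64 // not yet valid
	case now.After(c.NotAfter):
		return 65 // expired
	case !allowed[Fingerprint(c)]:
		return 63 // fingerprint not in whitelist
	}
	return 20
}

func main() {
	now := time.Now() // the certificate below is a constructed stand-in, not real DER
	c := &x509.Certificate{Raw: []byte("constructed"), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	fmt.Println(CheckTrusted(c, ParseWhitelist(Fingerprint(c)+"\n"), now), CheckTrusted(c, ParseWhitelist(""), now))
}
```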

If you want full logging (i.e. you're not using systemd, rsyslog, something that auto adds timestamps and program names etc) you can add the "full_logging: true" option.

SecretShop supports specifying what language a Gemini capsule uses for content. See section 5.2 of the Gemini spec for more details. This is set per vhost.


Build Dependencies: go1.14

Running "make" should work for any given x86 machine.

If you're planning on running this on a Raspberry Pi or other ARM machine try env GOOS=linux GOARCH=arm GOARM=5 make


Running "make install" will install to /usr//bin by default and will attempt to install the systemd service file


Run "make uninstall".


Either run the executable directly or use the Systemd unit file.


  • Currently does not support transient certificates
  • Only handles whitelisting for certificate authorization


This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see