version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=w3m/0.5.3+git20190105 author=jrmu charset=UTF-8 csum= ctime=1597288187 host=125.224.16.135 name=Openbsd.Ngircd rev=61 targets=Openbsd.Netcat,Password.Management,Openbsd.Chroot,Rcctl.Rcctl,Ngircd.Ssl,Ngircd.Link,Anope.Install,Achurch.Install,Hopm.Install,Acopm.Install text=(:redirect ngircd.install:)%0a(:title Ngircd -- The Next Generation IRCd:)%0a%0aIn this guide, we'll set up ngircd, a free, portable, lightweight IRC server.%0a%0aAdvantages:%0a%0a# The source code runs well on OpenBSD%0a# The server has a very simple, easy-to-understand configuration%0a# Fewer features means the manual pages are short%0a# The server is a clean implementation which was written from scratch%0a# The source code is written in modern, portable C. It will be easy to fork to add new features such as:%0a # Customized censorship to block NSFW content%0a # Spam filters%0a# The lead developer po||ux actively hangs out on the IRC server barton.ngircd.de on #ngircd%0a%0aBefore you begin, please read the official [[https://ngircd.barton.de/documentation.php.en|ngIRCd documentation]].%0a%0a!! Installation%0a%0a!!! From packages%0a%0a[@%0a$ doas pkg_add ngircd%0a$ doas cp /usr/local/share/examples/ngircd/sample-ngircd.conf /etc/ngircd/ngircd.conf%0a@]%0a%0angIRCd v26 provided by OpenBSD 6.8 ports does not have ident support. You must eventually compile from source to get ident support, which is necessary on a production server.%0a%0a!!! From source%0a%0a[@%0a$ ftp https://ircnow.org/software/ngircd.tgz%0a$ tar xvzf ngircd.tgz%0a$ cd ngircd-26.1/%0a$ sh build.sh%0a@]%0a%0a!! Configuration%0a%0aEdit /etc/ngircd/ngircd.conf:%0a%0a'''Note''': Lines that begin with # or ; are comments and will be ignored. Remove # or ; to uncomment the line.%0a%0a!!! 
Global Block%0a%0a[@%0a[Global]%0a Name = username.fruit.ircnow.org%0a AdminInfo1 = Fruit Server on IRCNow%0a AdminInfo2 = Planet Earth%0a AdminEMail = admin@username.fruit.ircnow.org%0a Info = username.fruit.ircnow.org%0a@]%0a%0aFor Name, use your hostname (like username.fruit.ircnow.org). If you are on a team, use irc.example.com, replacing example.com with your team's custom domain. For AdminInfo1, provide a description; for AdminInfo2, provide the location.%0a%0a[@%0a Listen = 127.0.0.1,192.168.1.1,2001:db8::%0a@]%0a%0aUncomment this line and provide every single IP address we want ngircd to listen on. This includes localhost (127.0.0.1), and our public IPv4 and IPv6 addresses. If you are hosting a public service and not on training, avoid listing IPs that are not DDoS-filtered. IRC servers are heavily DDoSed and using an unfiltered IP will get you nullrouted.%0a%0a'''Note''': if you do not uncomment this line, ngircd will listen on all IPs by default, which is probably a mistake.%0a%0a[@%0a MotdFile = /etc/ngircd/ngircd.motd%0a Network = IRCNow%0a@]%0a%0aPaste your Message of the Day in /etc/ngircd/ngircd.motd. Here's a suggested template:%0a%0a[@%0aIRCNow - The Users' Network%0a%0aIRCNow is the network of the user, by the user, for the user.%0a%0a * No porn / illegal drugs / promotion of violence%0a * No slander / libel / gambling%0a * No spam, illegal cracking, or DDoS%0a * No copyright infringement%0a%0aYou must agree to our terms of service and our privacy policy %0ato use this network:%0a%0ahttps://wiki.ircnow.org/index.php?n=Terms.Terms%0a%0aOnly 5 connections per IP address. 
If you need help, please speak with staff on #help.%0a@]%0a%0a[@%0a Ports = 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 16667%0a MaxConnectionsIP = 0%0a MaxJoins = 300%0a MaxNickLength = 16%0a MaxListSize = 1000%0a PingTimeout = 300%0a PongTimeout = 300%0a@]%0a%0aThe above are default plaintext ports we listen on; we provide ports besides the standard 6667 to allow users to evade their network firewalls. Note that MaxNickLength must be identical on all servers on the network. On IRCNow, MaxNickLength is 16.%0a%0a!!! Options Block%0a%0a[@%0a[Options]%0a AllowRemoteOper = no%0a ChrootDir = /var/ngircd%0a CloakHost = %25x%0a CloakHostModeX = jrmu.coconut.ircnow.org%0a CloakHostSalt = abcdefghijklmnopqrstuvwxyz%0a DefaultUserModes = iC%0a NoticeBeforeRegistration = yes%0a OperChanPAutoOp = no %0a RequireAuthPing = yes%0a SyslogFacility = daemon%0a@]%0a%0aFor security reasons, we do not want to allow remote opers. Each team appoints their own opers, so you may not necessarily trust an oper on another server. We chroot ngircd to /var/ngircd to limit the damage from a security compromise. We will cloak the host using a unique salt; contact another sysadmin for the exact salt.%0a%0aUserMode i keeps the user invisible, and C means that only users that share channels can send a message. Both settings help reduce spam, stalking, and harassment. Receiving a notice before registration helps when debugging with [[openbsd/netcat|netcat]]. We're going to log using syslog (see section below).%0a%0a!!! 
Configuring syslog%0a%0aYou want all the messages from ngircd to go to /var/log/ngircd.log and not anywhere else, so we insert these three lines starting at line 3 (at the top) in /etc/syslog.conf:%0a%0a[@%0a!!ngircd%0a*.* /var/log/ngircd.log%0a!*%0a@]%0a%0aThis directs all logs from ngircd to go straight to /var/log/ngircd.log and nowhere else.%0a%0aNext, create the file /var/log/ngircd.log and restart syslogd:%0a%0a[@%0a$ doas touch /var/log/ngircd.log%0a$ doas rcctl restart syslogd%0a@]%0a%0a!!! Operator Block%0a%0a[@%0a[Operator]%0a Name = username%0a Password = password%0a@]%0a%0aPlease use a [[password/management|long, random string]] for your password.%0a%0aIf you uncomment Mask, your hostmask must match the operator hostmask in order for the /OPER command to be accepted. If it differs at all, then your /OPER command will be rejected. If you don't want to check the hostmask, leave Mask commented out.%0a%0aFor more security, you can uncomment Mask and have it match your vhost. However, please be aware that this will make it impossible to authenticate if you ever have to connect from a different IP address.%0a%0a!! Chroot%0a%0aWe need to set up the [[openbsd/chroot|chroot]] for ngircd. Let's copy the files into the chroot:%0a%0a[@%0a$ doas mkdir /var/ngircd/etc/%0a$ doas cp -R /etc/ngircd /var/ngircd/etc/%0a$ doas chown -R _ngircd:_ngircd /var/ngircd/%0a$ doas rm -r /etc/ngircd%0a$ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd%0a@]%0a%0aThis will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot.%0a%0a!! Starting ngircd%0a%0aTo start ngircd:%0a%0a[@%0adoas rcctl enable ngircd%0adoas rcctl start ngircd%0a@]%0a%0a[[rcctl/rcctl|rcctl]] controls how system daemons are run.%0a%0aNext, use your IRC client to connect to the server, which may have the hostname user.fruit.ircnow.org. 
Join a few channels and chat inside.%0a%0a!! Troubleshooting%0a%0aIf you run into any errors, you can test to see if your configuration file has errors:%0a%0a[@%0a$ doas ngircd -t%0a@]%0a%0aTo run ngircd in debug mode:%0a%0a[@%0a$ doas ngircd -n%0a@]%0a%0aCheck /var/log/ngircd.log to see if ngircd is listening on the correct IP addresses and ports. Connect to those ports using your IRC client to verify that the server is working as intended.%0a%0aRemember, if you are connecting using port 6667 without SSL, any eavesdropper can read all your text, including your passwords. Don't send any sensitive information until you have upgraded to [[ngircd/ssl|SSL]].%0a%0a!! Reloading and Restarting ngIRCd%0a%0aAfter you edit /etc/ngircd/ngircd.conf for a running ngircd server, you will need to reload the configuration file:%0a%0a[@%0a$ doas rcctl reload ngircd%0a@]%0a%0aAlternatively, you can run:%0a%0a[@%0a$ doas pkill -HUP ngircd%0a@]%0a%0a'''Reloading''' a configuration file will '''not''' disconnect any active connections. So, try to reload the configuration where possible.%0a%0aTo restart the ircd:%0a%0a[@%0a$ doas rcctl restart ngircd%0a@]%0a%0a'''WARNING''': '''Restarting''' the ircd '''will''' disconnect all existing connections. So, try to restart ngircd only when absolutely necessary.%0a%0a'''Warning''': ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting.%0a%0a!! 
See Also%0a%0a# Configure [[ngircd/ssl|SSL]] for ngircd to ensure secure connections%0a# [[ngircd/link|Link your ngircd]] with another server to create a network%0a# Install [[anope/install|anope]] to provide services%0a# Install [[achurch/install|achurch]] to test achurch services%0a# Configure [[hopm/install|hopm]], an open proxy monitor to stop spammers.%0a# Configure [[acopm/install|acopm]], a minimalist open proxy monitor to stop spammers.%0a time=1624414865 title=Ngircd -- The Next Generation IRCd author:1624414865=jrmu diff:1624414865:1612974527:=1d0%0a%3c (:redirect ngircd.install:)%0a234c233%0a%3c # Configure [[acopm/install|acopm]], a minimalist open proxy monitor to stop spammers.%0a---%0a> # Configure [[acopm/install|acopm]], a minimalist open proxy monitor to stop spammers.%0a\ No newline at end of file%0a host:1624414865=125.224.16.135 author:1612974527=jrmu diff:1612974527:1612974496:=232a233%0a> # Configure [[acopm/install|acopm]], a minimalist open proxy monitor to stop spammers.%0a host:1612974527=198.251.81.119 author:1612974496=jrmu diff:1612974496:1612974269:=226,234c226,232%0a%3c !! See Also%0a%3c %0a%3c # Configure [[ngircd/ssl|SSL]] for ngircd to ensure secure connections%0a%3c # [[ngircd/link|Link your ngircd]] with another server to create a network%0a%3c # Install [[anope/install|anope]] to provide services%0a%3c # Install [[achurch/install|achurch]] to test achurch services%0a%3c # Configure [[hopm/install|hopm]], an open proxy monitor to stop spammers.%0a%3c # Configure [[acopm/install|acopm]], a minimalist open proxy monitor to stop spammers.%0a%3c # Configure [[acopm/install|acopm]], a minimalist open proxy monitor to stop spammers.%0a\ No newline at end of file%0a---%0a> Make sure to configure [[openbsd/hopm|hopm]].%0a> %0a> !! Related Software%0a> %0a> You will want to install, configure, and run [[openbsd/hopm|HOPM]] to block spammers. 
Eventually, IRCNow plans to use a fork of [[openbsd/acopm|ACOPM]].%0a> %0a> ngIRCd can be linked with [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|services]]. The services currently used is anope but IRCNow plans to switch over to [[openbsd/achurch|achurch]].%0a\ No newline at end of file%0a host:1612974496=198.251.81.119 author:1612974269=jrmu diff:1612974269:1612973813:=155,158c155,158%0a%3c !! Chroot%0a%3c %0a%3c We need to set up the [[openbsd/chroot|chroot]] for ngircd. Let's copy the files into the chroot:%0a%3c %0a---%0a> !! Starting ngircd%0a> %0a> To start ngircd:%0a> %0a160,164c160,161%0a%3c $ doas mkdir /var/ngircd/etc/%0a%3c $ doas cp -R /etc/ngircd /var/ngircd/etc/%0a%3c $ doas chown -R _ngircd:_ngircd /var/ngircd/%0a%3c $ doas rm -r /etc/ngircd%0a%3c $ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd%0a---%0a> doas rcctl enable ngircd%0a> doas rcctl start ngircd%0a167,177d163%0a%3c This will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot.%0a%3c %0a%3c !! Starting ngircd%0a%3c %0a%3c To start ngircd:%0a%3c %0a%3c [@%0a%3c doas rcctl enable ngircd%0a%3c doas rcctl start ngircd%0a%3c @]%0a%3c %0a196,199c182,185%0a%3c Check /var/log/ngircd.log to see if ngircd is listening on the correct IP addresses and ports. Connect to those ports using your IRC client to verify that the server is working as intended.%0a%3c %0a%3c Remember, if you are connecting using port 6667 without SSL, any eavesdropper can read all your text, including your passwords. Don't send any sensitive information until you have upgraded to [[ngircd/ssl|SSL]].%0a%3c %0a---%0a> Check ''/var/log/messages'' to see if it is also listening on ports ''6697'' and ''9999''. 
Then connect to those ports via your IRC client to verify that SSL does work as intended.%0a> %0a> Now, connect to ngircd using your IRC client. Use the OPER command to log in as operator.%0a> %0a202,203c188,189%0a%3c After you edit /etc/ngircd/ngircd.conf for a running ngircd server, you will need to reload the configuration file:%0a%3c %0a---%0a> To reload the configuration file, you can:%0a> %0a208,209c194,195%0a%3c Alternatively, you can run:%0a%3c %0a---%0a> or:%0a> %0a214,215d199%0a%3c '''Reloading''' a configuration file will '''not''' disconnect any active connections. So, try to reload the configuration where possible.%0a%3c %0a222,224c206,239%0a%3c '''WARNING''': '''Restarting''' the ircd '''will''' disconnect all existing connections. So, try to restart ngircd only when absolutely necessary.%0a%3c %0a%3c '''Warning''': ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting.%0a---%0a> '''WARNING''': '''Reloading''' a configuration file will '''not''' disconnect any active connections. However, '''restarting''' the ircd '''will''' disconnect all existing connections. So make sure to restart ngircd only when absolutely necessary.%0a> %0a> ''Note'': ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting.%0a> %0a> MaxNickLength must be the same on all servers on a network. 
On IRCNow, MaxNickLength = 16.%0a> %0a> In the server block, for Host, it is better to use a [[openbsd/dns|symbolic hostname]] (don't use an IP address).%0a> %0a> [@%0a> [Server]%0a> Name = irc.example.ircnow.org%0a> Host = irc.example.ircnow.org%0a> Port = 6667%0a> MyPassword = password12345%0a> PeerPassword = password12345%0a> @]%0a> %0a> Notice that Host = irc.example.ircnow.org and not an IP address like 1.2.3.4. This makes it less work to configure when the other server changes its IP address.%0a> %0a> !! Chroot%0a> %0a> Make sure to [[openbsd/chroot|chroot]] ngircd.%0a> %0a> Once you have finished configuring /etc/ngircd/ngircd.conf, you can copy the files into the chroot:%0a> %0a> [@%0a> $ doas mkdir /var/ngircd/etc/%0a> $ doas cp -R /etc/ngircd /var/ngircd/etc/%0a> $ doas chown -R _ngircd:_ngircd /var/ngircd/%0a> $ doas rm -r /etc/ngircd%0a> $ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd%0a> @]%0a> %0a> This will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot.%0a host:1612974269=198.251.81.119 author:1612973813=jrmu diff:1612973813:1612973386:=240a241,311%0a> !! 
SSL%0a> %0a> Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a> %0a> [@%0a> $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ngircd/%0a> $ doas cp /etc/ssl/private/example.com.key /etc/ngircd/%0a> @]%0a> %0a> In /etc/ngircd/ngircd.conf, change the following lines in the [SSL] block:%0a> %0a> [@%0a> # SSL Server Key Certificate%0a> CertFile = /etc/ngircd/example.com.fullchain.pem%0a> ...%0a> # SSL Server Key%0a> KeyFile = /etc/ngircd/example.com.key%0a> ...%0a> # Additional Listen Ports that expect SSL/TLS encrypted connections%0a> Ports = 6697, 9999, 16697%0a> @]%0a> %0a> ''Optional'': If you want to have a DHFile,%0a> %0a> [@%0a> $ doas openssl dhparam -out /etc/ngircd/dhparams.pem 2048%0a> $ doas chown _ngircd:_ngircd /etc/ngircd/dhparams.pem%0a> @]%0a> %0a> Then, uncomment @@DHFile = /etc/ngircd/dhparams.pem@@ in /etc/ngircd/ngircd.conf.%0a> %0a> !! Autostart%0a> %0a> To automatically restart ngIRCd if it was terminated unexpectedly, create a script in /usr/local/libexec/project/ngircd.sh:%0a> %0a> [@%0a> doas touch /usr/local/libexec/project/ngircd.sh%0a> doas chmod +x /usr/local/libexec/project/ngircd.sh%0a> @]%0a> %0a> Inside /usr/local/libexec/project/ngircd.sh:%0a> %0a> [@%0a> #!/bin/sh%0a> %0a> SERVICE_NAME="ngircd"%0a> SERVICE_USER="_ngircd"%0a> SERVICE_PID="/var/ngircd/var/run/ngircd/ngircd.pid"%0a> %0a> if ! pgrep -u $SERVICE_USER -x "$SERVICE_NAME" > /dev/null%0a> then%0a> if [ -f $SERVICE_PID ]; then%0a> rm -f $SERVICE_PID%0a> rcctl -d start $SERVICE_NAME%0a> fi%0a> fi%0a> @]%0a> %0a> Add this as a cronjob:%0a> %0a> [@%0a> $ doas crontab -e%0a> %0a> * * * * * /usr/local/libexec/project/checker_ngircd.sh > /dev/null 2>&1%0a> @]%0a> %0a> For the solution to work, you need to enable the use of pid files in /etc/ngircd/ngircd.conf:%0a> [@%0a> PidFile = /var/run/ngircd/ngircd.pid%0a> @]%0a> %0a247c318,389%0a%3c ngIRCd can be linked with [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|services]]. 
The services currently used is anope but IRCNow plans to switch over to [[openbsd/achurch|achurch]].%0a\ No newline at end of file%0a---%0a> ngIRCd can be linked with [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|services]]. The services currently used is anope but IRCNow plans to switch over to [[openbsd/achurch|achurch]].%0a> %0a> %0a> %0a> %0a> %0a> === Example ngIRCd server configurations ===%0a> To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a> [@%0a> [Global]%0a> Name = irc.foo.org%0a> Ports = 6667%0a> ...%0a> [Server]%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> @]%0a> %0a> Server "bar" has the following configuration,%0a> [@%0a> [Global]%0a> Name = irc.bar.org%0a> Ports = 6667%0a> ...%0a> [Server]%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a> @]%0a> %0a> [@%0a> [Server]%0a> Name = irc.bar.org%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a> @]%0a> %0a> Likewise under server "bar",%0a> [@%0a> [Server]%0a> Name = irc.foo.org%0a> Host = irc.foo.org%0a> Port = 6667%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a> PeerPassword = Jp5meaikMiRAKsbBy6G6%0a> @]%0a> %0a> Sysadmins should have proper [[openbsd/passwords|password management]].%0a> %0a> Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. 
The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a> %0a> See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a> %0a> === Summing it up ===%0a> To sum it up in the prior example,%0a> Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a> [@%0a> [Server]%0a> Name = irc.bar.org%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a> @]%0a> and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a> [@%0a> [Server]%0a> Name = irc.foo.org%0a> Host = irc.foo.org%0a> Port = 6667%0a> MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a> @]%0a host:1612973813=198.251.81.119 author:1612973386=jrmu diff:1612973386:1612972811:=155,158c155,158%0a%3c !! Starting ngircd%0a%3c %0a%3c To start ngircd:%0a%3c %0a---%0a> !! Debug%0a> %0a> To test your configuration:%0a> %0a160,161c160%0a%3c doas rcctl enable ngircd%0a%3c doas rcctl start ngircd%0a---%0a> $ doas ngircd -t%0a164,171c163,164%0a%3c [[rcctl/rcctl|rcctl]] controls how system daemons are run.%0a%3c %0a%3c Next, use your IRC client to connect to the server, which may have the hostname user.fruit.ircnow.org. Join a few channels and chat inside.%0a%3c %0a%3c !! 
Troubleshooting%0a%3c %0a%3c If you run into any errors, you can test to see if your configuration file has errors:%0a%3c %0a---%0a> To run ngircd in debug mode:%0a> %0a173c166%0a%3c $ doas ngircd -t%0a---%0a> $ doas ngircd -n%0a176,177c169,170%0a%3c To run ngircd in debug mode:%0a%3c %0a---%0a> To start ngircd:%0a> %0a179c172,173%0a%3c $ doas ngircd -n%0a---%0a> doas rcctl enable ngircd%0a> doas rcctl start ngircd%0a180a175,176%0a> %0a> OpenBSD uses [[https://www.openbsd.org/faq/faq10.html#rc|rcctl]] to control how system daemons are run.%0a host:1612973386=198.251.81.119 author:1612972811=jrmu diff:1612972811:1612972391:=149,153d148%0a%3c Please use a [[password/management|long, random string]] for your password.%0a%3c %0a%3c If you uncomment Mask, your hostmask must match the operator hostmask in order for the /OPER command to be accepted. If it differs at all, then your /OPER command will be rejected. If you don't want to check the hostmask, leave Mask commented out.%0a%3c %0a%3c For more security, you can uncomment Mask and have it match your vhost. However, please be aware that this will make it impossible to authenticate if you ever have to connect from a different IP address.%0a host:1612972811=198.251.81.119 author:1612972391=jrmu diff:1612972391:1612972215:=44,45d43%0a%3c !!! Global Block%0a%3c %0a102,103d99%0a%3c !!! Options Block%0a%3c %0a122,123c118,119%0a%3c !!! Configuring syslog%0a%3c %0a---%0a> !! Configuring syslog%0a> %0a140,148d135%0a%3c %0a%3c !!! Operator Block%0a%3c %0a%3c [@%0a%3c [Operator]%0a%3c Name = username%0a%3c Password = password%0a%3c @]%0a%3c %0a host:1612972391=198.251.81.119 author:1612972215=jrmu diff:1612972215:1612971710:=111d110%0a%3c SyslogFacility = daemon%0a116,117c115,116%0a%3c UserMode i keeps the user invisible, and C means that only users that share channels can send a message. Both settings help reduce spam, stalking, and harassment. 
Receiving a notice before registration can help with debugging with [[openbsd/netcat|netcat]]. We're going to log using syslog (see section below).%0a%3c %0a---%0a> UserMode i keeps the user invisible, and C means that only users that share channels can send a message. Both settings help reduce spam, stalking, and harassment. Receiving a notice before registration can help with debugging with [[openbsd/netcat|netcat]].%0a> %0a120,121c119,120%0a%3c You want all the messages from ngircd to go to /var/log/ngircd.log and not anywhere else, so we insert these three lines starting at line 3 (at the top) in /etc/syslog.conf:%0a%3c %0a---%0a> You want all the messages from ngircd to go to /var/log/ngircd.log and not /var/log/messages, so we insert these three lines starting at line 3 (at the top) in /etc/syslog.conf:%0a> %0a130c129%0a%3c Next, create the file /var/log/ngircd.log and restart syslogd:%0a---%0a> Next, restart syslogd:%0a host:1612972215=198.251.81.119 author:1612971710=jrmu diff:1612971710:1612971598:=132d131%0a%3c $ doas touch /var/log/ngircd.log%0a host:1612971710=198.251.81.119 author:1612971598=jrmu diff:1612971598:1612949587:=116,133d115%0a%3c %0a%3c !! Configuring syslog%0a%3c %0a%3c You want all the messages from ngircd to go to /var/log/ngircd.log and not /var/log/messages, so we insert these three lines starting at line 3 (at the top) in /etc/syslog.conf:%0a%3c %0a%3c [@%0a%3c !!ngircd%0a%3c *.* /var/log/ngircd.log%0a%3c !*%0a%3c @]%0a%3c %0a%3c This directs all logs from ngircd to go straight to /var/log/ngircd.log and nowhere else.%0a%3c %0a%3c Next, restart syslogd:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart syslogd%0a%3c @]%0a host:1612971598=198.251.81.119 author:1612949587=jrmu diff:1612949587:1612947944:= host:1612949587=198.251.81.119 author:1612947944=jrmu diff:1612947944:1612947223:=115c115,117%0a%3c UserMode i keeps the user invisible, and C means that only users that share channels can send a message. 
Both settings help reduce spam, stalking, and harassment. Receiving a notice before registration can help with debugging with [[openbsd/netcat|netcat]].%0a---%0a> DefaultUserModes%0a> %0a> NoticeBeforeRegistration%0a host:1612947944=198.251.81.119 author:1612947223=jrmu diff:1612947223:1612947072:=16c16%0a%3c Before you begin, please read the official [[https://ngircd.barton.de/documentation.php.en|ngIRCd documentation]].%0a---%0a> Before you begin, read the official [[https://ngircd.barton.de/documentation.php.en|ngIRCd documentation]].%0a host:1612947223=198.251.81.119 author:1612947072=jrmu diff:1612947072:1612946671:=1,15d0%0a%3c (:title Ngircd -- The Next Generation IRCd:)%0a%3c %0a%3c In this guide, we'll setup ngircd, a free, portable, lightweight IRC server.%0a%3c %0a%3c Advantages:%0a%3c %0a%3c # The source code runs well on OpenBSD%0a%3c # The server has a very simple, easy-to-understand configuration%0a%3c # Fewer features means the manual pages are short%0a%3c # The server is a clean implementation which was written from scratch%0a%3c # The source code is written in modern, portable C. It will be easy to fork to new features such as:%0a%3c # Customized censorship to block NSFW content%0a%3c # Spam filters%0a%3c # The lead developer po||ux actively hangs out on the IRC server barton.ngircd.de on #ngircd%0a%3c %0a host:1612947072=198.251.81.119 author:1612946671=jrmu diff:1612946671:1612946480:=99,102d98%0a%3c %0a%3c DefaultUserModes%0a%3c %0a%3c NoticeBeforeRegistration%0a host:1612946671=198.251.81.119 author:1612946480=jrmu diff:1612946480:1612946274:=95a96%0a> %0a97,98d97%0a%3c %0a%3c For security reasons, we do not want to allow remote opers. Each team appoints their own opers, so you may not necessarily trust an oper on another server. We want to chroot to /var/ngircd to prevent a security compromise. 
We will cloak the host using a unique salt; contact another sysadmin for the exact salt.%0a host:1612946480=198.251.81.119 author:1612946274=jrmu diff:1612946274:1612945592:=88,95d87%0a%3c ChrootDir = /var/ngircd%0a%3c CloakHost = %25x%0a%3c CloakHostModeX = jrmu.coconut.ircnow.org%0a%3c CloakHostSalt = abcdefghijklmnopqrstuvwxyz%0a%3c DefaultUserModes = iC%0a%3c NoticeBeforeRegistration = yes%0a%3c OperChanPAutoOp = no %0a%3c RequireAuthPing = yes%0a host:1612946274=198.251.81.119 author:1612945592=jrmu diff:1612945592:1612945145:=80a81%0a> %0a83,89c84%0a%3c The above are default plaintext ports we listen on; we provide ports besides the standard 6667 to allow users to evade their network firewalls. Note that the MaxNickLength must be identical to all servers on the network. On IRCNow, MaxNickLength is 16.%0a%3c %0a%3c [@%0a%3c [Options]%0a%3c AllowRemoteOper = no%0a%3c %0a%3c @]%0a---%0a> The above are default plaintext ports we listen on; we provide ports besides the standard 6667 to allow users to evade their network firewalls.%0a host:1612945592=198.251.81.119 author:1612945145=jrmu diff:1612945145:1612945079:= host:1612945145=198.251.81.119 author:1612945079=jrmu diff:1612945079:1612944533:=78,81d77%0a%3c MaxListSize = 1000%0a%3c PingTimeout = 300%0a%3c PongTimeout = 300%0a%3c %0a host:1612945079=198.251.81.119 author:1612944533=jrmu diff:1612944533:1612944382:=77d76%0a%3c MaxNickLength = 16%0a host:1612944533=198.251.81.119 author:1612944382=jrmu diff:1612944382:1612943875:=74,76c74,75%0a%3c Ports = 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 16667%0a%3c MaxConnectionsIP = 0%0a%3c MaxJoins = 300%0a---%0a> Ports = 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 16667%0a> MaxConnectionsIP = 0%0a host:1612944382=198.251.81.119 author:1612943875=jrmu diff:1612943875:1612942979:=50d49%0a%3c Network = IRCNow%0a53,54c52,53%0a%3c Paste your Message of the Day in /etc/ngircd/ngircd.motd. 
Here's a suggested template:%0a%3c %0a---%0a> Paste your Message of the Dat in /etc/ngircd/ngircd.motd. Here's a suggested template:%0a> %0a72,78d70%0a%3c %0a%3c [@%0a%3c Ports = 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 16667%0a%3c MaxConnectionsIP = 0%0a%3c @]%0a%3c %0a%3c The above are default plaintext ports we listen on; we provide ports besides the standard 6667 to allow users to evade their network firewalls.%0a host:1612943875=198.251.81.119 author:1612942979=jrmu diff:1612942979:1612942732:=44,70c44,49%0a%3c Uncomment this line and provide every single IP address we want ngircd to listen on. This includes localhost (127.0.0.1), and our public IPv4 and IPv6 addresses. If you are hosting a public service and not on training, avoid listing IPs that are not DDoS-filtered. IRC servers are heavily DDoSed and using an unfiltered IP will get you nullrouted.%0a%3c %0a%3c '''Note''': if you do not uncomment on this line, you will listen to all IPs by default, which is probably a mistake.%0a%3c %0a%3c [@%0a%3c MotdFile = /etc/ngircd/ngircd.motd%0a%3c @]%0a%3c %0a%3c Paste your Message of the Dat in /etc/ngircd/ngircd.motd. Here's a suggested template:%0a%3c %0a%3c [@%0a%3c IRCNow - The Users' Network%0a%3c %0a%3c IRCNow is the network of the user, by the user, for the user.%0a%3c %0a%3c * No porn / illegal drugs / promotion of violence%0a%3c * No slander / libel / gambling%0a%3c * No spam, illegal cracking, or DDoS%0a%3c * No copyright infrigement%0a%3c %0a%3c You must agree to our terms of service and our privacy policy %0a%3c to use this network:%0a%3c %0a%3c https://wiki.ircnow.org/index.php?n=Terms.Terms%0a%3c %0a%3c Only 5 connections per IP address. If you need help, please speak with staff on #help.%0a%3c @]%0a---%0a> We must provide every single IP address we want ngircd to listen on. This includes localhost (127.0.0.1), and our public IPv4 and IPv6 addresses. 
If you are hosting a public service and not on training, avoid using IPs that are not DDoS-filtered. IRC servers are heavily DDoSed and using an unfiltered IP will get you nullrouted.%0a> %0a> !! Debug%0a> %0a> To test your configuration:%0a> %0a host:1612942979=198.251.81.119 author:1612942732=jrmu diff:1612942732:1612942212:=39,44d38%0a%3c %0a%3c [@%0a%3c Listen = 127.0.0.1,192.168.1.1,2001:db8::%0a%3c @]%0a%3c %0a%3c We must provide every single IP address we want ngircd to listen on. This includes localhost (127.0.0.1), and our public IPv4 and IPv6 addresses. If you are hosting a public service and not on training, avoid using IPs that are not DDoS-filtered. IRC servers are heavily DDoSed and using an unfiltered IP will get you nullrouted.%0a host:1612942732=198.251.81.119 author:1612942212=jrmu diff:1612942212:1612941602:=35c35%0a%3c Info = username.fruit.ircnow.org%0a---%0a> Info = Server Info Text%0a host:1612942212=198.251.81.119 author:1612941602=jrmu diff:1612941602:1612941572:=35d34%0a%3c Info = Server Info Text%0a host:1612941602=198.251.81.119 author:1612941572=jrmu diff:1612941572:1612941501:=27,28d26%0a%3c '''Note''': Lines that begin with # or ; are comments and will be ignored. Remove # or ; to uncomment the line.%0a%3c %0a37a36,37%0a> %0a> **Lines that begin with # or ; are comments and will be ignored. Remove # or ; to uncomment the line%0a host:1612941572=198.251.81.119 author:1612941501=jrmu diff:1612941501:1612941400:=35c35%0a%3c For Name, use your hostname (like username.fruit.ircnow.org). If you are on a team, use irc.example.com, replacing example.com with your team's custom domain. For AdminInfo1, provide a description; for AdminInfo2, provide the location.%0a---%0a> For Name, use your hostname (like username.fruit.ircnow.org).. 
For AdminInfo1, provide a description; for AdminInfo2, provide the location.%0a host:1612941501=198.251.81.119 author:1612941400=jrmu diff:1612941400:1612941192:=29,32c29,34%0a%3c Name = username.fruit.ircnow.org%0a%3c AdminInfo1 = Fruit Server on IRCNow%0a%3c AdminInfo2 = Planet Earth%0a%3c AdminEMail = admin@username.fruit.ircnow.org%0a---%0a> Name = irc.example.net%0a> # Information about the server and the administrator, used by the%0a> # ADMIN command. Not required by server but by RFC!%0a> ;AdminInfo1 = Description%0a> ;AdminInfo2 = Location%0a> ;AdminEMail = admin@irc.server%0a35c37%0a%3c For Name, use your hostname (like username.fruit.ircnow.org).. For AdminInfo1, provide a description; for AdminInfo2, provide the location.%0a---%0a> For Name, use your hostname (like username.fruit.ircnow.org).%0a host:1612941400=198.251.81.119 author:1612941192=jrmu diff:1612941192:1612940983:=26a27,32%0a> **Lines that begin with # or ; are comments and will be ignored. Remove # or ; to uncomment the line%0a> %0a> !! Debug%0a> %0a> To test your configuration:%0a> %0a28,34c34%0a%3c [Global]%0a%3c Name = irc.example.net%0a%3c # Information about the server and the administrator, used by the%0a%3c # ADMIN command. Not required by server but by RFC!%0a%3c ;AdminInfo1 = Description%0a%3c ;AdminInfo2 = Location%0a%3c ;AdminEMail = admin@irc.server%0a---%0a> $ doas ngircd -t%0a37,44c37,38%0a%3c For Name, use your hostname (like username.fruit.ircnow.org).%0a%3c %0a%3c **Lines that begin with # or ; are comments and will be ignored. Remove # or ; to uncomment the line%0a%3c %0a%3c !! 
Debug%0a%3c %0a%3c To test your configuration:%0a%3c %0a---%0a> To run ngircd in debug mode:%0a> %0a46c40%0a%3c $ doas ngircd -t%0a---%0a> $ doas ngircd -n%0a49,50c43,44%0a%3c To run ngircd in debug mode:%0a%3c %0a---%0a> To start ngircd:%0a> %0a52c46,47%0a%3c $ doas ngircd -n%0a---%0a> doas rcctl enable ngircd%0a> doas rcctl start ngircd%0a55,61d49%0a%3c To start ngircd:%0a%3c %0a%3c [@%0a%3c doas rcctl enable ngircd%0a%3c doas rcctl start ngircd%0a%3c @]%0a%3c %0a204a193,197%0a> %0a> %0a> %0a> ==== MyPassword and PeerPassword dilemma ====%0a> Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a host:1612941192=198.251.81.119 author:1612940983=jrmu diff:1612940983:1612940885:=25c25,27%0a%3c Edit /etc/ngircd/ngircd.conf:%0a---%0a> [@%0a> $ doas vi /etc/ngircd/ngircd.conf%0a> @]%0a host:1612940983=198.251.81.119 author:1612940885=jrmu diff:1612940885:1612940824:= host:1612940885=198.251.81.119 author:1612940824=jrmu diff:1612940824:1609606061:=2a3,4%0a> If you are unfamiliar with [[https://www.openbsd.org/faq/faq15.html|OpenBSD's package system]], please read the FAQ first.%0a> %0a5,6c7,8%0a%3c !!! From packages%0a%3c %0a---%0a> To install from packages:%0a> %0a11a14,15%0a> !! Warnings%0a> %0a14,15c18,19%0a%3c !!! 
From source%0a%3c %0a---%0a> To build from source:%0a> %0a17,20c21,31%0a%3c $ ftp https://ircnow.org/software/ngircd.tgz%0a%3c $ tar xvzf ngircd.tgz%0a%3c $ cd ngircd-26.1/%0a%3c $ sh build.sh%0a---%0a> $ doas pkg_add ngircd # this will provide files /etc/rc.d/ startup scripts%0a> $ export CFLAGS=-static%0a> $ doas pkg_add libiconv-1.16p0%0a> $ doas pkg_add libident-0.32p1%0a> $ doas pkg_add autoconf-2.69p3%0a> $ doas pkg_add automake-1.11.6p3%0a> $ ./autogen.sh%0a> $ ./configure --enable-ipv6 --with-openssl --with-ident=/usr/local/ --with-iconv=/usr/local/ --with-syslog --sysconfdir=/etc/ngircd/ --mandir=/usr/local/man/%0a> $ export AUTOCONF_VERSION="2.69"%0a> $ make%0a> $ doas make install%0a host:1612940824=198.251.81.119 author:1609606061=jrmu diff:1609606061:1604504975:=29d28%0a%3c $ export AUTOCONF_VERSION="2.69"%0a host:1609606061=125.231.63.134 author:1604504975=jrmu diff:1604504975:1604504607:=154,157c154,159%0a%3c !! Autostart%0a%3c %0a%3c To automatically restart ngIRCd if it was terminated unexpectedly, create a script in /usr/local/libexec/project/ngircd.sh:%0a%3c %0a---%0a> '''Autostart'''%0a> %0a> This solution automatically restarts the service if its work was terminated unexpectedly.%0a> %0a> Create an executable worker script%0a> %0a159,160c161,162%0a%3c doas touch /usr/local/libexec/project/ngircd.sh%0a%3c doas chmod +x /usr/local/libexec/project/ngircd.sh%0a---%0a> doas touch /usr/local/libexec/project/checker_ngircd.sh%0a> doas chmod +x /usr/local/libexec/project/checker_ngircd.sh%0a163,164c165,166%0a%3c Inside /usr/local/libexec/project/ngircd.sh:%0a%3c %0a---%0a> /usr/local/libexec/project/checker_ngircd.sh:%0a> %0a181,182c183%0a%3c Add this as a cronjob:%0a%3c %0a---%0a> Add it to the operating system planner%0a184,185c185%0a%3c $ doas crontab -e%0a%3c %0a---%0a> doas crontab -e%0a189c189%0a%3c For the solution to work, you need to enable the use of pid files in /etc/ngircd/ngircd.conf:%0a---%0a> For the solution to work, you need to enable 
the use of pid files. Like this:%0a host:1604504975=38.81.163.7 author:1604504607=jrmu diff:1604504607:1604503920:=94,95c94,98%0a%3c In the server block, for Host, it is better to use a [[openbsd/dns|symbolic hostname]] (don't use an IP address).%0a%3c %0a---%0a> ==== MyPassword and PeerPassword dilemma ====%0a> Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a> %0a> === Example ngIRCd server configurations ===%0a> To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a96a100,103%0a> [Global]%0a> Name = irc.foo.org%0a> Ports = 6667%0a> ...%0a98,102c105%0a%3c Name = irc.example.ircnow.org%0a%3c Host = irc.example.ircnow.org%0a%3c Port = 6667%0a%3c MyPassword = password12345%0a%3c PeerPassword = password12345%0a---%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a105,112c108%0a%3c Notice that Host = irc.example.ircnow.org and not an IP address like 1.2.3.4. This makes it less work to configure when the other server changes its IP address.%0a%3c %0a%3c !! 
Chroot%0a%3c %0a%3c Make sure to [[openbsd/chroot|chroot]] ngircd.%0a%3c %0a%3c Once you have finished configuring /etc/ngircd/ngircd.conf, you can copy the files into the chroot:%0a%3c %0a---%0a> Server "bar" has the following configuration,%0a114,118c110,115%0a%3c $ doas mkdir /var/ngircd/etc/%0a%3c $ doas cp -R /etc/ngircd /var/ngircd/etc/%0a%3c $ doas chown -R _ngircd:_ngircd /var/ngircd/%0a%3c $ doas rm -r /etc/ngircd%0a%3c $ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd%0a---%0a> [Global]%0a> Name = irc.bar.org%0a> Ports = 6667%0a> ...%0a> [Server]%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a121,126c118%0a%3c This will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot.%0a%3c %0a%3c !! SSL%0a%3c %0a%3c Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a%3c %0a---%0a> Under "[Server]" section (**not global section**), it should be added as the following for server "foo". 
Ideally, I would put it in a separate ''[Server]'' section, which would have the following,%0a128,129c120,134%0a%3c $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ngircd/%0a%3c $ doas cp /etc/ssl/private/example.com.key /etc/ngircd/%0a---%0a> # Define a (case insensitive) list of masks matching nicknames that%0a> # should be treated as IRC services when introduced via this remote%0a> # server, separated by commas (",").%0a> # REGULAR SERVERS DON'T NEED this parameter, so leave it empty%0a> # (which is the default).%0a> # When you are connecting IRC services which mask as a IRC server%0a> # and which use "virtual users" to communicate with, for example%0a> # "NickServ" and "ChanServ", you should set this parameter to%0a> # something like "*Serv" or "NickServ,ChanServ,XyzServ".%0a> ;ServiceMask = *Serv,Global%0a> %0a> [Server]%0a> # More [Server] sections, if you like ...%0a> %0a> [Channel]%0a132,133c137%0a%3c In /etc/ngircd/ngircd.conf, change the following lines in the [SSL] block:%0a%3c %0a---%0a> See ''# More [Server] sections, if you like ...''? 
I would replace that line with the following below,%0a135,142c139,144%0a%3c # SSL Server Key Certificate%0a%3c CertFile = /etc/ngircd/example.com.fullchain.pem%0a%3c ...%0a%3c # SSL Server Key%0a%3c KeyFile = /etc/ngircd/example.com.key%0a%3c ...%0a%3c # Additional Listen Ports that expect SSL/TLS encrypted connections%0a%3c Ports = 6697, 9999, 16697%0a---%0a> [Server]%0a> Name = irc.bar.org%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a145,146c147%0a%3c ''Optional'': If you want to have a DHFile,%0a%3c %0a---%0a> Likewise under server "bar",%0a148,149c149,154%0a%3c $ doas openssl dhparam -out /etc/ngircd/dhparams.pem 2048%0a%3c $ doas chown _ngircd:_ngircd /etc/ngircd/dhparams.pem%0a---%0a> [Server]%0a> Name = irc.foo.org%0a> Host = irc.foo.org%0a> Port = 6667%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a> PeerPassword = Jp5meaikMiRAKsbBy6G6%0a152,159c157,165%0a%3c Then, uncomment @@DHFile = /etc/ngircd/dhparams.pem@@ in /etc/ngircd/ngircd.conf.%0a%3c %0a%3c '''Autostart'''%0a%3c %0a%3c This solution automatically restarts the service if its work was terminated unexpectedly.%0a%3c %0a%3c Create an executable worker script%0a%3c %0a---%0a> Sysadmins should have proper [[openbsd/passwords|password management]].%0a> %0a> Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. 
The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a> %0a> See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a> %0a> === Summing it up ===%0a> To sum it up in the prior example,%0a> Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a161,162c167,172%0a%3c doas touch /usr/local/libexec/project/checker_ngircd.sh%0a%3c doas chmod +x /usr/local/libexec/project/checker_ngircd.sh%0a---%0a> [Server]%0a> Name = irc.bar.org%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a164,166c174%0a%3c %0a%3c /usr/local/libexec/project/checker_ngircd.sh:%0a%3c %0a---%0a> and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a168,180c176,181%0a%3c #!/bin/sh%0a%3c %0a%3c SERVICE_NAME="ngircd"%0a%3c SERVICE_USER="_ngircd"%0a%3c SERVICE_PID="/var/ngircd/var/run/ngircd/ngircd.pid"%0a%3c %0a%3c if ! 
pgrep -u $SERVICE_USER -x "$SERVICE_NAME" > /dev/null%0a%3c then%0a%3c if [ -f $SERVICE_PID ]; then%0a%3c rm -f $SERVICE_PID%0a%3c rcctl -d start $SERVICE_NAME%0a%3c fi%0a%3c fi%0a---%0a> [Server]%0a> Name = irc.foo.org%0a> Host = irc.foo.org%0a> Port = 6667%0a> MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a183c184,194%0a%3c Add it to the operating system planner%0a---%0a> You replace the contents of,%0a> * ''Name'', ''Host'' and ''Port'', keeping in mind that ''[Server]'' needs to be explicitly implied in the ''/etc/ngircd/ngircd.conf'' or ''ngircd'' will not understand what to do with the following contents.%0a> %0a> The following should be very self explanatory, on the string that is to be replaced,%0a> * ''Password_To_Be_Set_On_IRCBARORG's_PeerPassword'',%0a> * ''Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword'',%0a> * ''Password_To_Be_Set_On_IRCFOOORG's_PeerPassword'', and%0a> * ''Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword''%0a> %0a> In the server block, for Host, it is better to use a [[openbsd/dns|symbolic hostname]] (don't use an IP address).%0a> %0a185,186c196,201%0a%3c doas crontab -e%0a%3c * * * * * /usr/local/libexec/project/checker_ngircd.sh > /dev/null 2>&1%0a---%0a> [Server]%0a> Name = irc.example.ircnow.org%0a> Host = irc.example.ircnow.org%0a> Port = 6667%0a> MyPassword = password12345%0a> PeerPassword = password12345%0a189c204,211%0a%3c For the solution to work, you need to enable the use of pid files. Like this:%0a---%0a> Notice that Host = irc.example.ircnow.org and not an IP address like 1.2.3.4. This makes it less work to configure when the other server changes its IP address.%0a> %0a> !! 
Chroot%0a> %0a> Make sure to [[openbsd/chroot|chroot]] ngircd.%0a> %0a> Once you have finished configuring /etc/ngircd/ngircd.conf, you can copy the files into the chroot:%0a> %0a191c213,217%0a%3c PidFile = /var/run/ngircd/ngircd.pid%0a---%0a> $ doas mkdir /var/ngircd/etc/%0a> $ doas cp -R /etc/ngircd /var/ngircd/etc/%0a> $ doas chown -R _ngircd:_ngircd /var/ngircd/%0a> $ doas rm -r /etc/ngircd%0a> $ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd%0a194,212c220,225%0a%3c Make sure to configure [[openbsd/hopm|hopm]].%0a%3c %0a%3c !! Related Software%0a%3c %0a%3c You will want to install, configure, and run [[openbsd/hopm|HOPM]] to block spammers. Eventually, IRCNow plans to use a fork of [[openbsd/acopm|ACOPM]].%0a%3c %0a%3c ngIRCd can be linked with [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|services]]. The services currently used is anope but IRCNow plans to switch over to [[openbsd/achurch|achurch]].%0a%3c %0a%3c %0a%3c %0a%3c %0a%3c %0a%3c %0a%3c %0a%3c ==== MyPassword and PeerPassword dilemma ====%0a%3c Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a%3c %0a%3c === Example ngIRCd server configurations ===%0a%3c To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a---%0a> This will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot.%0a> %0a> !! 
SSL%0a> %0a> Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a> %0a214,219c227,228%0a%3c [Global]%0a%3c Name = irc.foo.org%0a%3c Ports = 6667%0a%3c ...%0a%3c [Server]%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a---%0a> $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ngircd/%0a> $ doas cp /etc/ssl/private/example.com.key /etc/ngircd/%0a222c231,232%0a%3c Server "bar" has the following configuration,%0a---%0a> In /etc/ngircd/ngircd.conf, change the following lines in the [SSL] block:%0a> %0a224,226c234,235%0a%3c [Global]%0a%3c Name = irc.bar.org%0a%3c Ports = 6667%0a---%0a> # SSL Server Key Certificate%0a> CertFile = /etc/ngircd/example.com.fullchain.pem%0a228,229c237,241%0a%3c [Server]%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> # SSL Server Key%0a> KeyFile = /etc/ngircd/example.com.key%0a> ...%0a> # Additional Listen Ports that expect SSL/TLS encrypted connections%0a> Ports = 6697, 9999, 16697%0a231a244,245%0a> ''Optional'': If you want to have a DHFile,%0a> %0a233,238c247,248%0a%3c [Server]%0a%3c Name = irc.bar.org%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> $ doas openssl dhparam -out /etc/ngircd/dhparams.pem 2048%0a> $ doas chown _ngircd:_ngircd /etc/ngircd/dhparams.pem%0a241c251,258%0a%3c Likewise under server "bar",%0a---%0a> Then, uncomment @@DHFile = /etc/ngircd/dhparams.pem@@ in /etc/ngircd/ngircd.conf.%0a> %0a> '''Autostart'''%0a> %0a> This solution automatically restarts the service if its work was terminated unexpectedly.%0a> %0a> Create an executable worker script%0a> %0a243,248c260,261%0a%3c [Server]%0a%3c Name = irc.foo.org%0a%3c Host = irc.foo.org%0a%3c Port = 6667%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c PeerPassword = Jp5meaikMiRAKsbBy6G6%0a---%0a> doas touch /usr/local/libexec/project/checker_ngircd.sh%0a> doas chmod +x /usr/local/libexec/project/checker_ngircd.sh%0a251,259c264,265%0a%3c Sysadmins should 
have proper [[openbsd/passwords|password management]].%0a%3c %0a%3c Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a%3c %0a%3c See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a%3c %0a%3c === Summing it up ===%0a%3c To sum it up in the prior example,%0a%3c Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a---%0a> /usr/local/libexec/project/checker_ngircd.sh:%0a> %0a261,266c267,279%0a%3c [Server]%0a%3c Name = irc.bar.org%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a---%0a> #!/bin/sh%0a> %0a> SERVICE_NAME="ngircd"%0a> SERVICE_USER="_ngircd"%0a> SERVICE_PID="/var/ngircd/var/run/ngircd/ngircd.pid"%0a> %0a> if ! 
pgrep -u $SERVICE_USER -x "$SERVICE_NAME" > /dev/null%0a> then%0a> if [ -f $SERVICE_PID ]; then%0a> rm -f $SERVICE_PID%0a> rcctl -d start $SERVICE_NAME%0a> fi%0a> fi%0a268c281,282%0a%3c and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a---%0a> %0a> Add it to the operating system planner%0a270,275c284,285%0a%3c [Server]%0a%3c Name = irc.foo.org%0a%3c Host = irc.foo.org%0a%3c Port = 6667%0a%3c MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a---%0a> doas crontab -e%0a> * * * * * /usr/local/libexec/project/checker_ngircd.sh > /dev/null 2>&1%0a276a287,299%0a> %0a> For the solution to work, you need to enable the use of pid files. Like this:%0a> [@%0a> PidFile = /var/run/ngircd/ngircd.pid%0a> @]%0a> %0a> Make sure to configure [[openbsd/hopm|hopm]].%0a> %0a> !! Related Software%0a> %0a> You will want to install, configure, and run [[openbsd/hopm|HOPM]] to block spammers. Eventually, IRCNow plans to use a fork of [[openbsd/acopm|ACOPM]].%0a> %0a> ngIRCd can be linked with [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|services]]. The services currently used is anope but IRCNow plans to switch over to [[openbsd/achurch|achurch]].%0a\ No newline at end of file%0a host:1604504607=38.81.163.7 author:1604503920=jrmu diff:1604503920:1604503822:=297c297%0a%3c You will want to install, configure, and run [[openbsd/hopm|HOPM]] to block spammers. Eventually, IRCNow plans to use a fork of [[openbsd/acopm|ACOPM]].%0a---%0a> [[https://packages.alphachat.net/projects/ACOPM.git/plain/README.md|AlphaChat Open Proxy Monitor (ACOPM)]] can be configured for ''ngircd''. [[openbsd:irc:acopm|Click here to read more about it]].%0a host:1604503920=38.81.163.7 author:1604503822=jrmu diff:1604503822:1604503580:=64,65d63%0a%3c Check ''/var/log/messages'' to see if it is also listening on ports ''6697'' and ''9999''. 
Then connect to those ports via your IRC client to verify that SSL does work as intended.%0a%3c %0a160a159,161%0a> %0a> You can also choose to have this ''pw'' command whenever you login, by putting it inside your ''.%3cshell>rc'', where ''%3cshell>'' implies the shell you are currently using, by default on OpenBSD, it is ''ksh'' and therefore it would be ''.kshrc''.%0a> %0a244,245c245,246%0a%3c ''Optional'': If you want to have a DHFile,%0a%3c %0a---%0a> ''Optional'': If you want have a DHFile,%0a> %0a248c249%0a%3c $ doas chown _ngircd:_ngircd /etc/ngircd/dhparams.pem%0a---%0a> $ doas cp /etc/ngircd/dhparams.pem /var/ngircd/etc/ngircd%0a250,251c251,253%0a%3c %0a%3c Then, uncomment @@DHFile = /etc/ngircd/dhparams.pem@@ in /etc/ngircd/ngircd.conf.%0a---%0a> Then once you have generated that file. Make sure you uncomment it in your ''ngircd.conf''%0a> %0a> Save, and reload/restart your ''ngircd''. Check ''/var/log/messages'' to see if it is also listening on ports ''6697'' and ''9999''. Then connect to those ports via your IRC client to verify that SSL does work as intended.%0a host:1604503822=38.81.163.7 author:1604503580=jrmu diff:1604503580:1604503263:=90c90,99%0a%3c MaxNickLength must be the same on all servers on a network. On IRCNow, MaxNickLength = 16.%0a---%0a> ===== Linking (Peering) =====%0a> ==== MaxNickLength ====%0a> There's a few gotchas with linking multiple ''ngircd'' servers. 
First and foremost, ensure that all your ''ngircd.conf'' has ''MaxNickLength'' set to a specific value.%0a> [@%0a> # Maximum length of an user nickname (Default: 9, as in RFC 2812).%0a> # Please note that all servers in an IRC network MUST use the same%0a> # maximum nickname length!%0a> ;MaxNickLength = 9%0a> @]%0a> **If one or more servers has a value that isn't 9 and/or that field is commented out, you will not be able to link up with that server.** So please ascertain what value to set **prior** to linking.%0a host:1604503580=38.81.163.7 author:1604503263=jrmu diff:1604503263:1604503059:=41,44c41%0a%3c !! Debug%0a%3c %0a%3c To test your configuration:%0a%3c %0a---%0a> You will then need to create missing directories within your ''ChrootDir''. Assuming you are using the defaults, for which ''ChrootDir'' is ''/var/ngircd'', you will need to create the following base layout,%0a46c43,47%0a%3c $ doas ngircd -t%0a---%0a> /var%0a> /var/ngircd%0a> /var/ngircd/etc%0a> /var/ngircd/etc/ngircd%0a> /var/ngircd/etc/ngircd.conf%0a48,50c49,51%0a%3c %0a%3c To run ngircd in debug mode:%0a%3c %0a---%0a> ''man 7 hier'' to get an understanding of how the filesystem is laid out.%0a> %0a> This means you will need to create parent directories leading up to ''/var/ngircd/etc/ngircd/ngircd.conf'',%0a52c53%0a%3c $ doas ngircd -n%0a---%0a> $ doas mkdir -p /var/ngircd/etc/ngircd%0a55,56c56%0a%3c To start ngircd:%0a%3c %0a---%0a> Copy the ''ngircd.conf'' from ''/etc/ngircd'' into ''/var/ngircd/etc/ngircd'',%0a58,59c58%0a%3c doas rcctl enable ngircd%0a%3c doas rcctl start ngircd%0a---%0a> $ doas cp /etc/ngircd/ngircd.conf /var/ngircd/etc/ngircd%0a62,69c61%0a%3c OpenBSD uses [[https://www.openbsd.org/faq/faq10.html#rc|rcctl]] to control how system daemons are run.%0a%3c %0a%3c Now, connect to ngircd using your IRC client. Use the OPER command to log in as operator.%0a%3c %0a%3c !! 
Reloading and Restarting ngIRCd%0a%3c %0a%3c To reload the configuration file, you can:%0a%3c %0a---%0a> Make sure the path to ''/var/ngircd/etc/ngircd'' has the correct permissions. The following sets permissions as ''drwxrw-rw'', ''man chmod'' if in doubt,%0a71c63%0a%3c $ doas rcctl reload ngircd%0a---%0a> $ find /var/ngircd -type d -exec doas chmod 755 '{}' \;%0a74,75c66,100%0a%3c or:%0a%3c %0a---%0a> Make sure any of the files within ''/var/ngircd'' does not have others/world read/write/execute capability. You currently only have one file within it anyway,%0a> [@%0a> $ find /var/ngircd -type f -exec doas chmod 640 '{}' \;%0a> @]%0a> %0a> You should now be able to execute either ''doas rcctl reload ngircd'' or ''/quote rehash'' from either the console or your IRC client respectively.%0a> %0a> !! Debug%0a> %0a> To test your configuration:%0a> %0a> [@%0a> $ doas ngircd -t%0a> @]%0a> %0a> To run ngircd in debug mode:%0a> %0a> [@%0a> $ doas ngircd -n%0a> @]%0a> %0a> To start ngircd:%0a> %0a> [@%0a> doas rcctl enable ngircd%0a> doas rcctl start ngircd%0a> @]%0a> %0a> OpenBSD uses [[https://www.openbsd.org/faq/faq10.html#rc|rcctl]] to control how system daemons are run.%0a> %0a> Now, connect to ngircd using your IRC client. Use the OPER command to log in as operator.%0a> %0a> !! Reloading and Restarting ngIRCd%0a> %0a> To reload the configuration file, run:%0a host:1604503263=38.81.163.7 author:1604503059=jrmu diff:1604503059:1604502251:=267,268c267,268%0a%3c In /etc/ngircd/ngircd.conf, change the following lines in the [SSL] block:%0a%3c %0a---%0a> ==== Configuration ====%0a> In your ''ngircd.conf'', you will need to have the following,%0a269a270,274%0a> [SSL]%0a> # SSL-related configuration options. Please note that this section%0a> # is only available when ngIRCd is compiled with support for SSL!%0a> # So don't forget to remove the ";" above if this is the case ...%0a> %0a272c277,289%0a%3c ...%0a---%0a> %0a> # Select cipher suites allowed for SSL/TLS connections. 
This defaults%0a> # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).%0a> # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'%0a> # (GnuTLS) for details.%0a> # For OpenSSL:%0a> CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3%0a> # For GnuTLS:%0a> ;CipherList = SECURE128:-VERS-SSL3.0%0a> %0a> # Diffie-Hellman parameters%0a> ;DHFile = /etc/ngircd/dhparams.pem%0a> %0a275c292,295%0a%3c ...%0a---%0a> %0a> # password to decrypt SSLKeyFile (OpenSSL only)%0a> ;KeyFilePassword = secret%0a> %0a277c297%0a%3c Ports = 6697, 9999, 16697%0a---%0a> Ports = 6697, 9999%0a280,281c300,302%0a%3c ''Optional'': If you want have a DHFile,%0a%3c %0a---%0a> Notice how I,%0a> * Left the ''CipherList'' under the words ''For GnuTLS'' as-is, without uncommenting it? We're not using GnuTLS as OpenBSD does not include that by default.%0a> * Left ''DHFile'' commented out? This is **unnecessary**, however, if you feel you must have a DHFile set, you can do,%0a host:1604503059=38.81.163.7 author:1604502251=jrmu diff:1604502251:1604502186:= host:1604502251=38.81.163.7 author:1604502186=jrmu diff:1604502186:1604501312:=246,247c246,247%0a%3c Once you have finished configuring /etc/ngircd/ngircd.conf, you can copy the files into the chroot:%0a%3c %0a---%0a> Once you have %0a> %0a249,253c249%0a%3c $ doas mkdir /var/ngircd/etc/%0a%3c $ doas cp -R /etc/ngircd /var/ngircd/etc/%0a%3c $ doas chown -R _ngircd:_ngircd /var/ngircd/%0a%3c $ doas rm -r /etc/ngircd%0a%3c $ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd%0a---%0a> $ doas cp -R /etc/ngircd /var/ngircd/%0a255,256d250%0a%3c %0a%3c This will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot.%0a host:1604502186=38.81.163.7 author:1604501312=jrmu diff:1604501312:1604500973:=115a116,119%0a> !! 
Enable SSL%0a> %0a> Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a> %0a246,247c250,253%0a%3c Once you have %0a%3c %0a---%0a> ==== Pre-configuration ====%0a> Copy the necessary certificates into both your ''/etc/ngircd'' directory and your chrooted ''ngircd'' directory. Chrooted ''ngircd'' directory by default is ''/var/ngircd'' but can be altered. If you have a custom chroot directory, you will need to copy the certificates there.%0a> %0a> Assuming you got your certificates from Let's Encrypt via following the aforementioned [[https://ircnow.org/kb/doku.php?id=openbsd:acme-client|acme-client]] guide,%0a249c255,256%0a%3c $ doas cp -R /etc/ngircd /var/ngircd/%0a---%0a> $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ngircd%0a> $ doas cp /etc/ssl/private/example.com.key /etc/ngircd%0a252,255c259%0a%3c !! SSL%0a%3c %0a%3c Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a%3c %0a---%0a> The same with your chrooted ''ngircd''. 
Again assuming defaults,%0a257,258c261,262%0a%3c $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ngircd/%0a%3c $ doas cp /etc/ssl/private/example.com.key /etc/ngircd/%0a---%0a> $ doas cp /etc/ssl/example.com.fullchain.pem /var/ngircd/etc/ngircd%0a> $ doas cp /etc/ssl/private/example.com.key /var/ngircd/etc/ngircd%0a259a264,265%0a> %0a> Note: if /var/ngircd/etc/ doesn't exist, you can create it.%0a host:1604501312=38.81.163.7 author:1604500973=jrmu diff:1604500973:1604500528:=233,234c233,241%0a%3c In the server block, for Host, it is better to use a [[openbsd/dns|symbolic hostname]] (don't use an IP address).%0a%3c %0a---%0a> ==== Fancy IRC domain names ====%0a> If you or other ''ngircd'' owners chooses to use a domain name that resolves to a different IP, say ''irc.freenode.net'', you **must** set ''Host'' parameter, which points to their actual ''ngircd'''s [[https://en.wikipedia.org/wiki/Fully_qualified_domain_name|Fully Qualified Domain Name (FQDN)]] ''or'' their ''ngircd'''s IP address. I personally **do not** condone the notion of using FQDN that does not belong to you, as the consequences of going public with the named servers //can// potentially end up in lawsuits, for falsely misrepresenting a domain name.%0a> %0a> Let's use the prior example with the ''[Server]'' block. This time we assume,%0a> * ''irc.bar.org'' is owned by another operator, and%0a> * the owner of ''irc.bar.org'' wants to use ''irc.freenode.net'',%0a> * the owner has indicated under their ''Name'' key, under ''[Global]'' section is ''irc.freenode.net''%0a> %0a> You **should** try to check if it resolves,%0a236,241c243%0a%3c [Server]%0a%3c Name = irc.example.ircnow.org%0a%3c Host = irc.example.ircnow.org%0a%3c Port = 6667%0a%3c MyPassword = password12345%0a%3c PeerPassword = password12345%0a---%0a> $ host irc.freenode.net%0a244,256c246,275%0a%3c Notice that Host = irc.example.ircnow.org and not an IP address like 1.2.3.4. 
This makes it less work to configure when the other server changes its IP address.%0a%3c %0a%3c !! Chroot%0a%3c %0a%3c Make sure to [[openbsd/chroot|chroot]] ngircd.%0a%3c %0a%3c ==== Pre-configuration ====%0a%3c Copy the necessary certificates into both your ''/etc/ngircd'' directory and your chrooted ''ngircd'' directory. Chrooted ''ngircd'' directory by default is ''/var/ngircd'' but can be altered. If you have a custom chroot directory, you will need to copy the certificates there.%0a%3c %0a%3c Assuming you got your certificates from Let's Encrypt via following the aforementioned [[https://ircnow.org/kb/doku.php?id=openbsd:acme-client|acme-client]] guide,%0a%3c [@%0a%3c $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ngircd%0a%3c $ doas cp /etc/ssl/private/example.com.key /etc/ngircd%0a---%0a> Regardless if it resolves or not, you need to confirm whether or not it points to their server's FQDN or their IP address. The owner of ''irc.foo.org'' needs to confirm the FQDN/IP address(es) for the owner of ''irc.freenode.net'' who is formerly the owner of ''irc.bar.org'', by asking the operator to perform the following,%0a> [@%0a> $ ifconfig | grep broadcast%0a> @]%0a> %0a> Note that it is the literal pipe character ''|'' , not the letter ''l'' in between ''ifconfig'' and ''grep''.%0a> %0a> If the IP address(es) irc.bar.org states does not match the output of ''irc.freenode.net'', or say for example ''host irc.freenode.net'' returns not found, you should then, decide to ask for their FQDN or the IP address to connect to. Now, there's two ways to go about on this, in terms of filling in the information. 
You can either choose to fill in (as owner of ''irc.foo.org''),%0a> %0a> [@%0a> [Server]%0a> Name = irc.freenode.net%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a> @]%0a> %0a> See how ''Host = irc.bar.org'' is specified when the name they provided from within their config mentions ''irc.freenode.net''? This is one way. Assume that they give you the IP address to connect to on their server, and assume that the IP address is ''127.0.0.2'',%0a> %0a> [@%0a> [Server]%0a> Name = irc.freenode.net%0a> Host = 127.0.0.2%0a> Port = 6667%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a> @]%0a> %0a> ''Host = 127.0.0.2'' is implied, instead of ''Host = irc.bar.org''. Specifying the IP address in the ''Host'' key is more //ideal// as it does not require ''ngircd'' to query the [[https://en.wikipedia.org/wiki/Domain_Name_System#Address_resolution_mechanism|Domain Name System (DNS)]] for the IP address of a given FQDN. As an added bonus, connections to the said server via IP address //persists// even when the domain name has expired or changed hands (and therefore resolves to different IP address).%0a host:1604500973=38.81.163.7 author:1604500528=jrmu diff:1604500528:1604500249:=98,101c98,100%0a%3c !! Reloading and Restarting ngIRCd%0a%3c %0a%3c To reload the configuration file, run:%0a%3c %0a---%0a> ===== Linking (Peering) =====%0a> ==== MaxNickLength ====%0a> There's a few gotchas with linking multiple ''ngircd'' servers. 
First and foremost, ensure that all your ''ngircd.conf'' has ''MaxNickLength'' set to a specific value.%0a103c102,105%0a%3c $ doas pkill -HUP ngircd%0a---%0a> # Maximum length of an user nickname (Default: 9, as in RFC 2812).%0a> # Please note that all servers in an IRC network MUST use the same%0a> # maximum nickname length!%0a> ;MaxNickLength = 9%0a105,107c107,113%0a%3c %0a%3c To restart the ircd:%0a%3c %0a---%0a> **If one or more servers has a value that isn't 9 and/or that field is commented out, you will not be able to link up with that server.** So please ascertain what value to set **prior** to linking.%0a> %0a> ==== MyPassword and PeerPassword dilemma ====%0a> Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a> %0a> === Example ngIRCd server configurations ===%0a> To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a109c115,120%0a%3c $ doas rcctl restart ngircd%0a---%0a> [Global]%0a> Name = irc.foo.org%0a> Ports = 6667%0a> ...%0a> [Server]%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a112,122c123%0a%3c '''WARNING''': '''Reloading''' a configuration file will '''not''' disconnect any active connections. However, '''restarting''' the ircd '''will''' disconnect all existing connections. So make sure to restart ngircd only when absolutely necessary.%0a%3c %0a%3c ''Note'': ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting.%0a%3c %0a%3c !! 
Enable SSL%0a%3c %0a%3c Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a%3c %0a%3c ===== Linking (Peering) =====%0a%3c ==== MaxNickLength ====%0a%3c There's a few gotchas with linking multiple ''ngircd'' servers. First and foremost, ensure that all your ''ngircd.conf'' has ''MaxNickLength'' set to a specific value.%0a---%0a> Server "bar" has the following configuration,%0a124,127c125,130%0a%3c # Maximum length of an user nickname (Default: 9, as in RFC 2812).%0a%3c # Please note that all servers in an IRC network MUST use the same%0a%3c # maximum nickname length!%0a%3c ;MaxNickLength = 9%0a---%0a> [Global]%0a> Name = irc.bar.org%0a> Ports = 6667%0a> ...%0a> [Server]%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a129,135c132,133%0a%3c **If one or more servers has a value that isn't 9 and/or that field is commented out, you will not be able to link up with that server.** So please ascertain what value to set **prior** to linking.%0a%3c %0a%3c ==== MyPassword and PeerPassword dilemma ====%0a%3c Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a%3c %0a%3c === Example ngIRCd server configurations ===%0a%3c To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a---%0a> %0a> Under "[Server]" section (**not global section**), it should be added as the following for server "foo". 
Ideally, I would put it in a separate ''[Server]'' section, which would have the following,%0a137,140c135,145%0a%3c [Global]%0a%3c Name = irc.foo.org%0a%3c Ports = 6667%0a%3c ...%0a---%0a> # Define a (case insensitive) list of masks matching nicknames that%0a> # should be treated as IRC services when introduced via this remote%0a> # server, separated by commas (",").%0a> # REGULAR SERVERS DON'T NEED this parameter, so leave it empty%0a> # (which is the default).%0a> # When you are connecting IRC services which mask as a IRC server%0a> # and which use "virtual users" to communicate with, for example%0a> # "NickServ" and "ChanServ", you should set this parameter to%0a> # something like "*Serv" or "NickServ,ChanServ,XyzServ".%0a> ;ServiceMask = *Serv,Global%0a> %0a142c147,149%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a---%0a> # More [Server] sections, if you like ...%0a> %0a> [Channel]%0a145c152%0a%3c Server "bar" has the following configuration,%0a---%0a> See ''# More [Server] sections, if you like ...''? I would replace that line with the following below,%0a147c154%0a%3c [Global]%0a---%0a> [Server]%0a149,152c156,159%0a%3c Ports = 6667%0a%3c ...%0a%3c [Server]%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a155c162%0a%3c Under "[Server]" section (**not global section**), it should be added as the following for server "foo". 
Ideally, I would put it in a separate ''[Server]'' section, which would have the following,%0a---%0a> Likewise under server "bar",%0a157,167d163%0a%3c # Define a (case insensitive) list of masks matching nicknames that%0a%3c # should be treated as IRC services when introduced via this remote%0a%3c # server, separated by commas (",").%0a%3c # REGULAR SERVERS DON'T NEED this parameter, so leave it empty%0a%3c # (which is the default).%0a%3c # When you are connecting IRC services which mask as a IRC server%0a%3c # and which use "virtual users" to communicate with, for example%0a%3c # "NickServ" and "ChanServ", you should set this parameter to%0a%3c # something like "*Serv" or "NickServ,ChanServ,XyzServ".%0a%3c ;ServiceMask = *Serv,Global%0a%3c %0a169,171c165,169%0a%3c # More [Server] sections, if you like ...%0a%3c %0a%3c [Channel]%0a---%0a> Name = irc.foo.org%0a> Host = irc.foo.org%0a> Port = 6667%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a> PeerPassword = Jp5meaikMiRAKsbBy6G6%0a174c172,185%0a%3c See ''# More [Server] sections, if you like ...''? I would replace that line with the following below,%0a---%0a> === Password considerations ===%0a> %0a> [[openbsd/passwords|Password Management]]%0a> %0a> Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. 
The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a> %0a> %0a> You can also choose to have this ''pw'' command whenever you login, by putting it inside your ''.%3cshell>rc'', where ''%3cshell>'' implies the shell you are currently using, by default on OpenBSD, it is ''ksh'' and therefore it would be ''.kshrc''.%0a> %0a> See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a> %0a> === Summing it up ===%0a> To sum it up in the prior example,%0a> Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a180,181c191,192%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a183,184c194%0a%3c %0a%3c Likewise under server "bar",%0a---%0a> and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a190,191c200,201%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c PeerPassword = Jp5meaikMiRAKsbBy6G6%0a---%0a> MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a194,223d203%0a%3c Sysadmins should have proper [[openbsd/passwords|password management]].%0a%3c %0a%3c Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. 
When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a%3c %0a%3c %0a%3c You can also choose to have this ''pw'' command whenever you login, by putting it inside your ''.%3cshell>rc'', where ''%3cshell>'' implies the shell you are currently using, by default on OpenBSD, it is ''ksh'' and therefore it would be ''.kshrc''.%0a%3c %0a%3c See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a%3c %0a%3c === Summing it up ===%0a%3c To sum it up in the prior example,%0a%3c Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a%3c [@%0a%3c [Server]%0a%3c Name = irc.bar.org%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a%3c @]%0a%3c and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a%3c [@%0a%3c [Server]%0a%3c Name = irc.foo.org%0a%3c Host = irc.foo.org%0a%3c Port = 6667%0a%3c MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a%3c @]%0a%3c %0a279a260,279%0a> %0a> To reload the configuration file, run:%0a> %0a> [@%0a> $ doas pkill -HUP ngircd%0a> @]%0a> %0a> To restart the ircd:%0a> %0a> [@%0a> $ doas rcctl restart ngircd%0a> @]%0a> %0a> '''WARNING''': '''Reloading''' a configuration file will 
'''not''' disconnect any active connections. However, '''restarting''' the ircd '''will''' disconnect all existing connections. So make sure to restart ngircd only when absolutely necessary.%0a> %0a> ''Note'': ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting.%0a> %0a> !! Enable SSL%0a> %0a> Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a host:1604500528=38.81.163.7 author:1604500249=jrmu diff:1604500249:1604496192:=14,17d13%0a%3c !! Warnings%0a%3c %0a%3c ngIRCd v26 provided by OpenBSD 6.8 ports does not have ident support. You must eventually compile from source to get ident support, which is necessary on a production server.%0a%3c %0a384,385c380%0a%3c !! Related Software%0a%3c %0a---%0a> ===== ACOPM =====%0a388c383,388%0a%3c ngIRCd can be linked with [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|services]]. The services currently used is anope but IRCNow plans to switch over to [[openbsd/achurch|achurch]].%0a\ No newline at end of file%0a---%0a> ===== IRC services =====%0a> You may wish to refer to [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|this link]] for more information on hints with setting up IRC services for ''ngircd''.%0a> %0a> !! Warnings%0a> %0a> ngIRCd v26 provided by OpenBSD 6.8 ports does not have ident support. You must eventually compile from source to get ident support, which is necessary on a production server.%0a\ No newline at end of file%0a host:1604500249=38.81.163.7 author:1604496192=jrmu diff:1604496192:1604496033:=386,388c386,395%0a%3c !! Warnings%0a%3c %0a%3c ngIRCd v26 provided by OpenBSD 6.8 ports does not have ident support. 
You must eventually compile from source to get ident support, which is necessary on a production server.%0a\ No newline at end of file%0a---%0a> ===== Caveats =====%0a> ngIRCd v25 provided by OpenBSD 6.6 via ports does not have the following compiled:%0a> * IDENT support,%0a> * PAM support%0a> ngIRCd without these compiled **can not** be enabled in ''/etc/ngircd/ngircd.conf''! %0a> %0a> IDENT support will be covered in [[openbsd:irc:ngircd:adv_topics|advanced topics]].%0a> %0a> ===== See also =====%0a> * [[openbsd:irc:ngircd:adv_topics|Advanced topics on ngIRCd]].%0a\ No newline at end of file%0a host:1604496192=38.81.163.7 author:1604496033=jrmu diff:1604496033:1604495476:=169,171d168%0a%3c %0a%3c [[openbsd/passwords|Password Management]]%0a%3c %0a173a171,191%0a> Considering how the passwords for linking are revealed when linking, you //do not// need to generate by hand a password that is to either be shared amongst your peering server(s), or for every new peer server(s), that you need to arbitrarily give it a different password. According to [[https://www.reddit.com/r/openbsd/comments/a1fyd5/generating_a_pseudorandom_password_from_the/|this link (reddit)]], you can simply make the system generate a pseudo random password, which isn't dictionary based, and can be arbitrarily lengthened (or shortened) to however long you wish,%0a> [@%0a> $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 20 | head -1"%0a> @]%0a> %0a> This will generate a pseudo password of up to 21 characters long, whenever you type the command ''pw'',%0a> [@%0a> $ pw%0a> LwF33FVlnBbHLFlgA6pc%0a> @]%0a> %0a> If you want to lengthen or shorten the length of the password, in the ''fold -w 20'', replace ''20'' with whatever number you wish. Keep in mind that the number you specify, doesn't include the very first character. 
In other words, specifying ''fold -w 29'' instead of ''fold -w 20'',%0a> [@%0a> $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 29 | head -1"%0a> @]%0a> %0a> This will generate a pseudo password of up to 30 characters long,%0a> [@%0a> $ pw%0a> dtkqvMhZDxBs5OJYewWBlK1Gnqbpa%0a> @]%0a host:1604496033=38.81.163.7 author:1604495476=jrmu diff:1604495476:1604495420:= host:1604495476=38.81.163.7 author:1604495420=jrmu diff:1604495420:1604494868:=4a5%0a> %0a37c38,41%0a%3c You will then need to create missing directories within your ''ChrootDir''. Assuming you are using the defaults, for which ''ChrootDir'' is ''/var/ngircd'', you will need to create the following base layout,%0a---%0a> !! Debug%0a> %0a> To test your configuration:%0a> %0a39,43c43%0a%3c /var%0a%3c /var/ngircd%0a%3c /var/ngircd/etc%0a%3c /var/ngircd/etc/ngircd%0a%3c /var/ngircd/etc/ngircd.conf%0a---%0a> $ doas ngircd -t%0a45,47c45,47%0a%3c ''man 7 hier'' to get an understanding of how the filesystem is laid out.%0a%3c %0a%3c This means you will need to create parent directories leading up to ''/var/ngircd/etc/ngircd/ngircd.conf'',%0a---%0a> %0a> To run ngircd in debug mode:%0a> %0a49c49%0a%3c $ doas mkdir -p /var/ngircd/etc/ngircd%0a---%0a> $ doas ngircd -n%0a52c52,53%0a%3c Copy the ''ngircd.conf'' from ''/etc/ngircd'' into ''/var/ngircd/etc/ngircd'',%0a---%0a> To start ngircd:%0a> %0a54c55,56%0a%3c $ doas cp /etc/ngircd/ngircd.conf /var/ngircd/etc/ngircd%0a---%0a> doas rcctl enable ngircd%0a> doas rcctl start ngircd%0a57c59,65%0a%3c Make sure the path to ''/var/ngircd/etc/ngircd'' has the correct permissions. The following sets permissions as ''drwxrw-rw'', ''man chmod'' if in doubt,%0a---%0a> OpenBSD uses [[https://www.openbsd.org/faq/faq10.html#rc|rcctl]] to control how system daemons are run.%0a> %0a> Now, connect to ngircd using your IRC client. 
Use the OPER command to log in as operator.%0a> %0a> ===== Linking (Peering) =====%0a> ==== MaxNickLength ====%0a> There's a few gotchas with linking multiple ''ngircd'' servers. First and foremost, ensure that all your ''ngircd.conf'' has ''MaxNickLength'' set to a specific value.%0a59c67,70%0a%3c $ find /var/ngircd -type d -exec doas chmod 755 '{}' \;%0a---%0a> # Maximum length of an user nickname (Default: 9, as in RFC 2812).%0a> # Please note that all servers in an IRC network MUST use the same%0a> # maximum nickname length!%0a> ;MaxNickLength = 9%0a61,62c72,78%0a%3c %0a%3c Make sure any of the files within ''/var/ngircd'' does not have others/world read/write/execute capability. You currently only have one file within it anyway,%0a---%0a> **If one or more servers has a value that isn't 9 and/or that field is commented out, you will not be able to link up with that server.** So please ascertain what value to set **prior** to linking.%0a> %0a> ==== MyPassword and PeerPassword dilemma ====%0a> Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a> %0a> === Example ngIRCd server configurations ===%0a> To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a64c80,85%0a%3c $ find /var/ngircd -type f -exec doas chmod 640 '{}' \;%0a---%0a> [Global]%0a> Name = irc.foo.org%0a> Ports = 6667%0a> ...%0a> [Server]%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a67,72c88%0a%3c You should now be able to execute either ''doas rcctl reload ngircd'' or ''/quote rehash'' from either the console or your IRC client respectively.%0a%3c %0a%3c !! 
Debug%0a%3c %0a%3c To test your configuration:%0a%3c %0a---%0a> Server "bar" has the following configuration,%0a74c90,95%0a%3c $ doas ngircd -t%0a---%0a> [Global]%0a> Name = irc.bar.org%0a> Ports = 6667%0a> ...%0a> [Server]%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a77,78c98%0a%3c To run ngircd in debug mode:%0a%3c %0a---%0a> Under "[Server]" section (**not global section**), it should be added as the following for server "foo". Ideally, I would put it in a separate ''[Server]'' section, which would have the following,%0a80c100,114%0a%3c $ doas ngircd -n%0a---%0a> # Define a (case insensitive) list of masks matching nicknames that%0a> # should be treated as IRC services when introduced via this remote%0a> # server, separated by commas (",").%0a> # REGULAR SERVERS DON'T NEED this parameter, so leave it empty%0a> # (which is the default).%0a> # When you are connecting IRC services which mask as a IRC server%0a> # and which use "virtual users" to communicate with, for example%0a> # "NickServ" and "ChanServ", you should set this parameter to%0a> # something like "*Serv" or "NickServ,ChanServ,XyzServ".%0a> ;ServiceMask = *Serv,Global%0a> %0a> [Server]%0a> # More [Server] sections, if you like ...%0a> %0a> [Channel]%0a83,84c117%0a%3c To start ngircd:%0a%3c %0a---%0a> See ''# More [Server] sections, if you like ...''? I would replace that line with the following below,%0a86,87c119,124%0a%3c doas rcctl enable ngircd%0a%3c doas rcctl start ngircd%0a---%0a> [Server]%0a> Name = irc.bar.org%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a90,96c127%0a%3c OpenBSD uses [[https://www.openbsd.org/faq/faq10.html#rc|rcctl]] to control how system daemons are run.%0a%3c %0a%3c Now, connect to ngircd using your IRC client. Use the OPER command to log in as operator.%0a%3c %0a%3c ===== Linking (Peering) =====%0a%3c ==== MaxNickLength ====%0a%3c There's a few gotchas with linking multiple ''ngircd'' servers. 
First and foremost, ensure that all your ''ngircd.conf'' has ''MaxNickLength'' set to a specific value.%0a---%0a> Likewise under server "bar",%0a98,101c129,134%0a%3c # Maximum length of an user nickname (Default: 9, as in RFC 2812).%0a%3c # Please note that all servers in an IRC network MUST use the same%0a%3c # maximum nickname length!%0a%3c ;MaxNickLength = 9%0a---%0a> [Server]%0a> Name = irc.foo.org%0a> Host = irc.foo.org%0a> Port = 6667%0a> MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a> PeerPassword = Jp5meaikMiRAKsbBy6G6%0a103,109c136,140%0a%3c **If one or more servers has a value that isn't 9 and/or that field is commented out, you will not be able to link up with that server.** So please ascertain what value to set **prior** to linking.%0a%3c %0a%3c ==== MyPassword and PeerPassword dilemma ====%0a%3c Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a%3c %0a%3c === Example ngIRCd server configurations ===%0a%3c To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a---%0a> %0a> === Password considerations ===%0a> Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. 
The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a> %0a> Considering how the passwords for linking are revealed when linking, you //do not// need to generate by hand a password that is to either be shared amongst your peering server(s), or for every new peer server(s), that you need to arbitrarily give it a different password. According to [[https://www.reddit.com/r/openbsd/comments/a1fyd5/generating_a_pseudorandom_password_from_the/|this link (reddit)]], you can simply make the system generate a pseudo random password, which isn't dictionary based, and can be arbitrarily lengthened (or shortened) to however long you wish,%0a111,116c142%0a%3c [Global]%0a%3c Name = irc.foo.org%0a%3c Ports = 6667%0a%3c ...%0a%3c [Server]%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a---%0a> $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 20 | head -1"%0a119c145%0a%3c Server "bar" has the following configuration,%0a---%0a> This will generate a pseudo password of up to 21 characters long, whenever you type the command ''pw'',%0a121,126c147,148%0a%3c [Global]%0a%3c Name = irc.bar.org%0a%3c Ports = 6667%0a%3c ...%0a%3c [Server]%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> $ pw%0a> LwF33FVlnBbHLFlgA6pc%0a129c151%0a%3c Under "[Server]" section (**not global section**), it should be added as the following for server "foo". Ideally, I would put it in a separate ''[Server]'' section, which would have the following,%0a---%0a> If you want to lengthen or shorten the length of the password, in the ''fold -w 20'', replace ''20'' with whatever number you wish. Keep in mind that the number you specify, doesn't include the very first character. 
In other words, specifying ''fold -w 29'' instead of ''fold -w 20'',%0a131,145c153%0a%3c # Define a (case insensitive) list of masks matching nicknames that%0a%3c # should be treated as IRC services when introduced via this remote%0a%3c # server, separated by commas (",").%0a%3c # REGULAR SERVERS DON'T NEED this parameter, so leave it empty%0a%3c # (which is the default).%0a%3c # When you are connecting IRC services which mask as a IRC server%0a%3c # and which use "virtual users" to communicate with, for example%0a%3c # "NickServ" and "ChanServ", you should set this parameter to%0a%3c # something like "*Serv" or "NickServ,ChanServ,XyzServ".%0a%3c ;ServiceMask = *Serv,Global%0a%3c %0a%3c [Server]%0a%3c # More [Server] sections, if you like ...%0a%3c %0a%3c [Channel]%0a---%0a> $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 29 | head -1"%0a148c156%0a%3c See ''# More [Server] sections, if you like ...''? I would replace that line with the following below,%0a---%0a> This will generate a pseudo password of up to 30 characters long,%0a150,155c158,159%0a%3c [Server]%0a%3c Name = irc.bar.org%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> $ pw%0a> dtkqvMhZDxBs5OJYewWBlK1Gnqbpa%0a158c162,168%0a%3c Likewise under server "bar",%0a---%0a> You can also choose to have this ''pw'' command whenever you login, by putting it inside your ''.%3cshell>rc'', where ''%3cshell>'' implies the shell you are currently using, by default on OpenBSD, it is ''ksh'' and therefore it would be ''.kshrc''.%0a> %0a> See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? 
The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a> %0a> === Summing it up ===%0a> To sum it up in the prior example,%0a> Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a161,162c171,172%0a%3c Name = irc.foo.org%0a%3c Host = irc.foo.org%0a---%0a> Name = irc.bar.org%0a> Host = irc.bar.org%0a164,165c174,175%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c PeerPassword = Jp5meaikMiRAKsbBy6G6%0a---%0a> MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a167,171c177%0a%3c %0a%3c === Password considerations ===%0a%3c Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a%3c %0a%3c Considering how the passwords for linking are revealed when linking, you //do not// need to generate by hand a password that is to either be shared amongst your peering server(s), or for every new peer server(s), that you need to arbitrarily give it a different password. 
According to [[https://www.reddit.com/r/openbsd/comments/a1fyd5/generating_a_pseudorandom_password_from_the/|this link (reddit)]], you can simply make the system generate a pseudo random password, which isn't dictionary based, and can be arbitrarily lengthened (or shortened) to however long you wish,%0a---%0a> and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a173c179,184%0a%3c $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 20 | head -1"%0a---%0a> [Server]%0a> Name = irc.foo.org%0a> Host = irc.foo.org%0a> Port = 6667%0a> MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a> PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a176c187,204%0a%3c This will generate a pseudo password of up to 21 characters long, whenever you type the command ''pw'',%0a---%0a> You replace the contents of,%0a> * ''Name'', ''Host'' and ''Port'', keeping in mind that ''[Server]'' needs to be explicitly implied in the ''/etc/ngircd/ngircd.conf'' or ''ngircd'' will not understand what to do with the following contents.%0a> %0a> The following should be very self explanatory, on the string that is to be replaced,%0a> * ''Password_To_Be_Set_On_IRCBARORG's_PeerPassword'',%0a> * ''Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword'',%0a> * ''Password_To_Be_Set_On_IRCFOOORG's_PeerPassword'', and%0a> * ''Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword''%0a> %0a> ==== Fancy IRC domain names ====%0a> If you or other ''ngircd'' owners chooses to use a domain name that resolves to a different IP, say ''irc.freenode.net'', you **must** set ''Host'' parameter, which points to their actual ''ngircd'''s [[https://en.wikipedia.org/wiki/Fully_qualified_domain_name|Fully Qualified Domain Name (FQDN)]] ''or'' their ''ngircd'''s IP address. 
I personally **do not** condone the notion of using FQDN that does not belong to you, as the consequences of going public with the named servers //can// potentially end up in lawsuits, for falsely misrepresenting a domain name.%0a> %0a> Let's use the prior example with the ''[Server]'' block. This time we assume,%0a> * ''irc.bar.org'' is owned by another operator, and%0a> * the owner of ''irc.bar.org'' wants to use ''irc.freenode.net'',%0a> * the owner has indicated under their ''Name'' key, under ''[Global]'' section is ''irc.freenode.net''%0a> %0a> You **should** try to check if it resolves,%0a178,179c206%0a%3c $ pw%0a%3c LwF33FVlnBbHLFlgA6pc%0a---%0a> $ host irc.freenode.net%0a182c209%0a%3c If you want to lengthen or shorten the length of the password, in the ''fold -w 20'', replace ''20'' with whatever number you wish. Keep in mind that the number you specify, doesn't include the very first character. In other words, specifying ''fold -w 29'' instead of ''fold -w 20'',%0a---%0a> Regardless if it resolves or not, you need to confirm whether or not it points to their server's FQDN or their IP address. The owner of ''irc.foo.org'' needs to confirm the FQDN/IP address(es) for the owner of ''irc.freenode.net'' who is formerly the owner of ''irc.bar.org'', by asking the operator to perform the following,%0a184c211%0a%3c $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 29 | head -1"%0a---%0a> $ ifconfig | grep broadcast%0a187c214,217%0a%3c This will generate a pseudo password of up to 30 characters long,%0a---%0a> Note that it is the literal pipe character ''|'' , not the letter ''l'' in between ''ifconfig'' and ''grep''.%0a> %0a> If the IP address(es) irc.bar.org states does not match the output of ''irc.freenode.net'', or say for example ''host irc.freenode.net'' returns not found, you should then, decide to ask for their FQDN or the IP address to connect to. Now, there's two ways to go about on this, in terms of filling in the information. 
You can either choose to fill in (as owner of ''irc.foo.org''),%0a> %0a189,190c219,224%0a%3c $ pw%0a%3c dtkqvMhZDxBs5OJYewWBlK1Gnqbpa%0a---%0a> [Server]%0a> Name = irc.freenode.net%0a> Host = irc.bar.org%0a> Port = 6667%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a193,199c227,228%0a%3c You can also choose to have this ''pw'' command whenever you login, by putting it inside your ''.%3cshell>rc'', where ''%3cshell>'' implies the shell you are currently using, by default on OpenBSD, it is ''ksh'' and therefore it would be ''.kshrc''.%0a%3c %0a%3c See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a%3c %0a%3c === Summing it up ===%0a%3c To sum it up in the prior example,%0a%3c Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a---%0a> See how ''Host = irc.bar.org'' is specified when the name they provided from within their config mentions ''irc.freenode.net''? This is one way. Assume that they give you the IP address to connect to on their server, and assume that the IP address is ''127.0.0.2'',%0a> %0a202,203c231,232%0a%3c Name = irc.bar.org%0a%3c Host = irc.bar.org%0a---%0a> Name = irc.freenode.net%0a> Host = 127.0.0.2%0a205,206c234,235%0a%3c MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a---%0a> MyPassword = Jp5meaikMiRAKsbBy6G6%0a> PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a208c237,249%0a%3c and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a---%0a> %0a> ''Host = 127.0.0.2'' is implied, instead of ''Host = irc.bar.org''. 
Specifying the IP address in the ''Host'' key is more //ideal// as it does not require ''ngircd'' to query the [[https://en.wikipedia.org/wiki/Domain_Name_System#Address_resolution_mechanism|Domain Name System (DNS)]] for the IP address of a given FQDN. As an added bonus, connections to the said server via IP address //persists// even when the domain name has expired or changed hands (and therefore resolves to different IP address).%0a> %0a> ===== Chrooting =====%0a> ==== Why chroot ====%0a> You can simply reload your daemon without needing to restart it.%0a> %0a> Reloading your daemon makes it re-read any of the associated configuration files without restarting. In the case of ''ngircd'' the existing IRC connections/sessions you have active will be kept active.%0a> %0a> Restarting your daemon will also make it re-read any of the associated configuration files. **However**, it will also terminate any of your existing IRC connection/sessions.%0a> %0a> ==== Configuration ====%0a> There are three values that you will need to unset it as a key. These are (in ''ngircd.conf''),%0a210,215c251,273%0a%3c [Server]%0a%3c Name = irc.foo.org%0a%3c Host = irc.foo.org%0a%3c Port = 6667%0a%3c MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a---%0a> [Global]%0a> ...%0a> # Group ID under which the ngIRCd should run; you can use the name%0a> # of the group or the numerical ID. ATTENTION: For this to work the%0a> # server must have been started with root privileges!%0a> ServerGID = _ngircd%0a> %0a> # User ID under which the server should run; you can use the name%0a> # of the user or the numerical ID. ATTENTION: For this to work the%0a> # server must have been started with root privileges! 
In addition,%0a> # the configuration and MOTD files must be readable by this user,%0a> # otherwise RESTART and REHASH won't work!%0a> ServerUID = _ngircd%0a> ...%0a> [Options]%0a> ...%0a> # A directory to chroot in when everything is initialized. It%0a> # doesn't need to be populated if ngIRCd is compiled as a static%0a> # binary. By default ngIRCd won't use the chroot() feature.%0a> # ATTENTION: For this to work the server must have been started%0a> # with root privileges!%0a> ChrootDir = /var/ngircd%0a> ...%0a218,235c276%0a%3c You replace the contents of,%0a%3c * ''Name'', ''Host'' and ''Port'', keeping in mind that ''[Server]'' needs to be explicitly implied in the ''/etc/ngircd/ngircd.conf'' or ''ngircd'' will not understand what to do with the following contents.%0a%3c %0a%3c The following should be very self explanatory, on the string that is to be replaced,%0a%3c * ''Password_To_Be_Set_On_IRCBARORG's_PeerPassword'',%0a%3c * ''Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword'',%0a%3c * ''Password_To_Be_Set_On_IRCFOOORG's_PeerPassword'', and%0a%3c * ''Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword''%0a%3c %0a%3c ==== Fancy IRC domain names ====%0a%3c If you or other ''ngircd'' owners chooses to use a domain name that resolves to a different IP, say ''irc.freenode.net'', you **must** set ''Host'' parameter, which points to their actual ''ngircd'''s [[https://en.wikipedia.org/wiki/Fully_qualified_domain_name|Fully Qualified Domain Name (FQDN)]] ''or'' their ''ngircd'''s IP address. I personally **do not** condone the notion of using FQDN that does not belong to you, as the consequences of going public with the named servers //can// potentially end up in lawsuits, for falsely misrepresenting a domain name.%0a%3c %0a%3c Let's use the prior example with the ''[Server]'' block. 
This time we assume,%0a%3c * ''irc.bar.org'' is owned by another operator, and%0a%3c * the owner of ''irc.bar.org'' wants to use ''irc.freenode.net'',%0a%3c * the owner has indicated under their ''Name'' key, under ''[Global]'' section is ''irc.freenode.net''%0a%3c %0a%3c You **should** try to check if it resolves,%0a---%0a> You will then need to create missing directories within your ''ChrootDir''. Assuming you are using the defaults, for which ''ChrootDir'' is ''/var/ngircd'', you will need to create the following base layout,%0a237c278,282%0a%3c $ host irc.freenode.net%0a---%0a> /var%0a> /var/ngircd%0a> /var/ngircd/etc%0a> /var/ngircd/etc/ngircd%0a> /var/ngircd/etc/ngircd.conf%0a239,240c284,286%0a%3c %0a%3c Regardless if it resolves or not, you need to confirm whether or not it points to their server's FQDN or their IP address. The owner of ''irc.foo.org'' needs to confirm the FQDN/IP address(es) for the owner of ''irc.freenode.net'' who is formerly the owner of ''irc.bar.org'', by asking the operator to perform the following,%0a---%0a> ''man 7 hier'' to get an understanding of how the filesystem is laid out.%0a> %0a> This means you will need to create parent directories leading up to ''/var/ngircd/etc/ngircd/ngircd.conf'',%0a242c288%0a%3c $ ifconfig | grep broadcast%0a---%0a> $ doas mkdir -p /var/ngircd/etc/ngircd%0a245,248c291%0a%3c Note that it is the literal pipe character ''|'' , not the letter ''l'' in between ''ifconfig'' and ''grep''.%0a%3c %0a%3c If the IP address(es) irc.bar.org states does not match the output of ''irc.freenode.net'', or say for example ''host irc.freenode.net'' returns not found, you should then, decide to ask for their FQDN or the IP address to connect to. Now, there's two ways to go about on this, in terms of filling in the information. 
You can either choose to fill in (as owner of ''irc.foo.org''),%0a%3c %0a---%0a> Copy the ''ngircd.conf'' from ''/etc/ngircd'' into ''/var/ngircd/etc/ngircd'',%0a250,255c293%0a%3c [Server]%0a%3c Name = irc.freenode.net%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> $ doas cp /etc/ngircd/ngircd.conf /var/ngircd/etc/ngircd%0a258,259c296%0a%3c See how ''Host = irc.bar.org'' is specified when the name they provided from within their config mentions ''irc.freenode.net''? This is one way. Assume that they give you the IP address to connect to on their server, and assume that the IP address is ''127.0.0.2'',%0a%3c %0a---%0a> Make sure the path to ''/var/ngircd/etc/ngircd'' has the correct permissions. The following sets permissions as ''drwxrw-rw'', ''man chmod'' if in doubt,%0a261,266c298%0a%3c [Server]%0a%3c Name = irc.freenode.net%0a%3c Host = 127.0.0.2%0a%3c Port = 6667%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a---%0a> $ find /var/ngircd -type d -exec doas chmod 755 '{}' \;%0a269,276c301%0a%3c ''Host = 127.0.0.2'' is implied, instead of ''Host = irc.bar.org''. Specifying the IP address in the ''Host'' key is more //ideal// as it does not require ''ngircd'' to query the [[https://en.wikipedia.org/wiki/Domain_Name_System#Address_resolution_mechanism|Domain Name System (DNS)]] for the IP address of a given FQDN. As an added bonus, connections to the said server via IP address //persists// even when the domain name has expired or changed hands (and therefore resolves to different IP address).%0a%3c %0a%3c !! Chroot%0a%3c %0a%3c Make sure to [[openbsd/chroot|chroot]] ngircd.%0a%3c %0a%3c To reload the configuration file, run:%0a%3c %0a---%0a> Make sure any of the files within ''/var/ngircd'' does not have others/world read/write/execute capability. 
You currently only have one file within it anyway,%0a278c303%0a%3c $ doas pkill -HUP ngircd%0a---%0a> $ find /var/ngircd -type f -exec doas chmod 640 '{}' \;%0a281,289c306%0a%3c To restart the ircd:%0a%3c %0a%3c [@%0a%3c $ doas rcctl restart ngircd%0a%3c @]%0a%3c %0a%3c '''WARNING''': '''Reloading''' a configuration file will '''not''' disconnect any active connections. However, '''restarting''' the ircd '''will''' disconnect all existing connections. So make sure to restart ngircd only when absolutely necessary.%0a%3c %0a%3c ''Note'': ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting.%0a---%0a> You should now be able to execute either ''doas rcctl reload ngircd'' or ''/quote rehash'' from either the console or your IRC client respectively.%0a host:1604495420=38.81.163.7 author:1604494868=jrmu diff:1604494868:1604494583:=33c33%0a%3c $ doas vi /etc/ngircd/ngircd.conf%0a---%0a> doas vi /etc/ngircd/ngircd.conf%0a43c43%0a%3c $ doas ngircd -t%0a---%0a> doas ngircd -t%0a46,47c46,47%0a%3c To run ngircd in debug mode:%0a%3c %0a---%0a> To start ngircd:%0a> %0a49c49,50%0a%3c $ doas ngircd -n%0a---%0a> doas rcctl enable ngircd%0a> doas rcctl start ngircd%0a52,58d52%0a%3c To start ngircd:%0a%3c %0a%3c [@%0a%3c doas rcctl enable ngircd%0a%3c doas rcctl start ngircd%0a%3c @]%0a%3c %0a61,62c55,56%0a%3c Now, connect to ngircd using your IRC client. Use the OPER command to log in as operator.%0a%3c %0a---%0a> Once all that is set, connect to your IRCd via your IRC client. Test to see if you can connect and can login as an IRC Operator.%0a> %0a308,310c302,304%0a%3c !! Enable SSL%0a%3c %0a%3c Use [[openbsd/acme-client|acme-client]] to get an SSL certificate signed by Let's Encrypt.%0a---%0a> ===== SSL via TLS =====%0a> ==== Pre-requisites ====%0a> * You have a certificate that you can use with ''ngircd''. 
If you do not have one, I **recommend** that you obtain a free certificate from Let's Encrypt, following [[https://ircnow.org/kb/doku.php?id=openbsd:acme-client|this guide]].%0a host:1604494868=38.81.163.7 author:1604494583=jrmu diff:1604494583:1604494496:=407c407,408%0a%3c Make sure to configure [[openbsd/hopm|hopm]].%0a---%0a> ===== HOPM =====%0a> [[https://github.com/ircd-hybrid/hopm/blob/master/README|Hybrid Open Proxy Monitor (HOPM)]] can be configured for ''ngircd''. [[openbsd:irc:hopm|Click here to read more about it]].%0a host:1604494583=38.81.163.7 author:1604494496=jrmu diff:1604494496:1604494333:=36,41c36,39%0a%3c **Lines that begin with # or ; are comments and will be ignored. Remove # or ; to uncomment the line%0a%3c %0a%3c !! Debug%0a%3c %0a%3c To test your configuration:%0a%3c %0a---%0a> ==== Configuration file ====%0a> **Any lines begins with either "#" or ";" in ''ngircd.conf'' are comments. The example configuration file has lots of these lines, make sure you un-comment it where needed**%0a> %0a> **Example**%0a43c41,42%0a%3c doas ngircd -t%0a---%0a> # This is a comment in ngircd.conf. ngircd will ignore this line.%0a> ;This is a also a comment in ngircd.conf. ngircd will ignore this line as well.%0a46,47c45,46%0a%3c To start ngircd:%0a%3c %0a---%0a> Example within ''ngircd.conf'',%0a> %0a49,50c48,57%0a%3c doas rcctl enable ngircd%0a%3c doas rcctl start ngircd%0a---%0a> [Global]%0a> # The [Global] section of this file is used to define the main%0a> # configuration of the server, like the server name and the ports%0a> # on which the server should be listening.%0a> # These settings depend on your personal preferences, so you should%0a> # make sure that they correspond to your installation and setup!%0a> %0a> # Server name in the IRC network, must contain at least one dot%0a> # (".") and be unique in the IRC network. 
Required!%0a> ;Name = irc.example.com%0a52,59c59,105%0a%3c %0a%3c OpenBSD uses [[https://www.openbsd.org/faq/faq10.html#rc|rcctl]] to control how system daemons are run.%0a%3c %0a%3c Once all that is set, connect to your IRCd via your IRC client. Test to see if you can connect and can login as an IRC Operator.%0a%3c %0a%3c ===== Linking (Peering) =====%0a%3c ==== MaxNickLength ====%0a%3c There's a few gotchas with linking multiple ''ngircd'' servers. First and foremost, ensure that all your ''ngircd.conf'' has ''MaxNickLength'' set to a specific value.%0a---%0a> This should really be,%0a> [@%0a> [Global]%0a> # The [Global] section of this file is used to define the main%0a> # configuration of the server, like the server name and the ports%0a> # on which the server should be listening.%0a> # These settings depend on your personal preferences, so you should%0a> # make sure that they correspond to your installation and setup!%0a> %0a> # Server name in the IRC network, must contain at least one dot%0a> # (".") and be unique in the IRC network. Required!%0a> Name = irc.acme.ircnow.org%0a> @]%0a> %0a> Note how:%0a> %0a> [@%0a> ;Name = irc.acme.ircnow.org%0a> @]%0a> %0a> Became:%0a> %0a> [@%0a> Name = irc.acme.ircnow.org%0a> @]%0a> %0a> You have now successfully turned from what was a comment into an actual parameter.%0a> %0a> You will need to uncomment and set any line that begins with semi-colon (;) character at the beginning of the line for any feature that you want. **Without removing that semi-colon that feature is either disabled or the defaults are used!**%0a> %0a> ===== Testing and running =====%0a> To save yourself the hassles of finding out why ''ngircd'' fails to start, it is advised that you make ''ngircd'' test your configuration,%0a> [@%0a> doas ngircd -t%0a> @]%0a> Any errors and such will be shown along with waiting for you to press enter to show the configuration, without the comments. 
Remember how I emphasised that both "#" and ";" are at the beginning of the line, indicates a comment? those will not be visible by ''ngircd''! instead they are ignored.%0a> %0a> Once you are happy with your configuration and that ''ngircd'' no longer is reporting errors and such, simply,%0a> [@%0a> doas rcctl start ngircd%0a> @]%0a> To start ''ngircd'', if you want to have it started whenever you reboot the machine, replace the words "start" with "enable", e.g.,%0a> [@%0a> doas rcctl enable ngircd%0a> @]%0a> %0a> Read [[https://www.openbsd.org/faq/faq10.html#rc|here]] on how to control system daemons such as using ''rcctl'' command above. %0a host:1604494496=38.81.163.7 author:1604494333=jrmu diff:1604494333:1604494049:=33c33%0a%3c doas vi /etc/ngircd/ngircd.conf%0a---%0a> doas vim /etc/ngircd/ngircd.conf%0a34a35,42%0a> %0a> ''vim'' is not installed by default on OpenBSD! so you will need to install it before you can use it. In the previous example with installing ngircd, you just replace it with ''vim'', e.g.%0a> %0a> [@%0a> doas pkg_add vim%0a> @]%0a> %0a> **If your favourite text editor is not ''vim'', please do not simply just install ''vim''! Instead, replace ''vim'' with whatever text editor you are familiar with. If you are a novice to command line text editors, I suggest you to install/use ''nano'' or ''pico'' instead. Please also do ensure that you read up the relevant text editor documentation of your choice.**%0a host:1604494333=38.81.163.7 author:1604494049=jrmu diff:1604494049:1602321545:=1,9c1,10%0a%3c Before you begin, read the official [[https://ngircd.barton.de/documentation.php.en|ngIRCd documentation]].%0a%3c %0a%3c If you are unfamiliar with [[https://www.openbsd.org/faq/faq15.html|OpenBSD's package system]], please read the FAQ first.%0a%3c %0a%3c %0a%3c !! 
Installation%0a%3c %0a%3c To install from packages:%0a%3c %0a---%0a> ===== Pre-requisites ======%0a> It is assumed the following:%0a> * You have already read the official [[https://ngircd.barton.de/documentation.php.en|ngIRCd documentation]]. This wiki page is **just a supplementary guide**%0a> * You already have configured ''[[openbsd:doas|doas]]''. If you have not configured ''doas'' and are running everything as root (user), you are asking for trouble!%0a> * You already have a text editor you prefer using. If you **do not** have a preference or have no idea about text editors. I personally suggest ''nano''%0a> * This guide will not help you understand how to use ''nano'' or ''vim'' or whatever other editors that you may fancy%0a> * You already know how to install packages on OpenBSD, if not [[https://www.openbsd.org/faq/faq15.html#PkgInstall|read here]].%0a> %0a> ===== Installation =====%0a> %0a15,16c16,17%0a%3c To build from source:%0a%3c %0a---%0a> If you want to build from source: %0a> %0a20,22c21%0a%3c $ doas pkg_add libiconv-1.16p0%0a%3c $ doas pkg_add libident-0.32p1%0a%3c $ doas pkg_add autoconf-2.69p3%0a---%0a> $ doas pkg_add autoconf-2.69p2%0a24c23,24%0a%3c $ ./autogen.sh%0a---%0a> $ doas pkg_add libident%0a> $ doas pkg_add libiconv%0a30c30,32%0a%3c !! Configuration%0a---%0a> ===== Configuration =====%0a> ==== Text editors ====%0a> Edit ''/etc/ngircd/ngircd.conf'' **with your favourite editor**, making sure to prefix doas at the beginning. 
For example, if your favourite editor is ''vim'', you would do,%0a host:1604494049=38.81.163.7 author:1602321545=jrmu diff:1602321545:1597827205:=10,11c10%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a14,15c13,14%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a18c17%0a%3c [@%0a---%0a> %3ccode>%0a25c24,25%0a%3c $ ./configure --enable-ipv6 --with-openssl --with-ident=/usr/local/ --with-iconv=/usr/local/ --with-syslog --sysconfdir=/etc/ngircd/ --mandir=/usr/local/man/%0a---%0a> $ ./configure --enable-ipv6 --with-openssl --with-ident=/usr/local/ --with-iconv=/usr/loca%0a> l/ --with-syslog --sysconfdir=/etc/ngircd/ --mandir=/usr/local/man/%0a28,29c28,29%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a34c34%0a%3c [@%0a---%0a> %3ccode>%0a36,37c36,37%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a40c40%0a%3c [@%0a---%0a> %3ccode>%0a42,43c42,43%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a50c50%0a%3c [@%0a---%0a> %3ccode>%0a51a52,54%0a> %3c/code>%0a> %0a> %3ccode>%0a53,54c56,57%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a56,57c59%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a68c70%0a%3c @]%0a---%0a> %3c/code>%0a70c72%0a%3c [@%0a---%0a> %3ccode>%0a81,82c83,84%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a85c87%0a%3c [@%0a---%0a> %3ccode>%0a87,88c89,90%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a91c93%0a%3c [@%0a---%0a> %3ccode>%0a93,94c95,96%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a101c103%0a%3c [@%0a---%0a> %3ccode>%0a103c105%0a%3c @]%0a---%0a> %3c/code>%0a107c109%0a%3c [@%0a---%0a> %3ccode>%0a109c111%0a%3c @]%0a---%0a> %3c/code>%0a111c113%0a%3c [@%0a---%0a> %3ccode>%0a113,114c115,116%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a122c124%0a%3c [@%0a---%0a> %3ccode>%0a127c129%0a%3c @]%0a---%0a> %3c/code>%0a135c137%0a%3c [@%0a---%0a> %3ccode>%0a142,143c144,145%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a145c147%0a%3c [@%0a---%0a> %3ccode>%0a152,153c154,155%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a155c157%0a%3c [@%0a---%0a> %3ccode>%0a171,172c173,174%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a174c176%0a%3c 
[@%0a---%0a> %3ccode>%0a181,182c183,184%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a184c186%0a%3c [@%0a---%0a> %3ccode>%0a191,192c193,194%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a197c199%0a%3c [@%0a---%0a> %3ccode>%0a199,200c201,202%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a202c204%0a%3c [@%0a---%0a> %3ccode>%0a205,206c207,208%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a208c210%0a%3c [@%0a---%0a> %3ccode>%0a210,211c212,213%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a213c215%0a%3c [@%0a---%0a> %3ccode>%0a216,217c218,219%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a225c227%0a%3c [@%0a---%0a> %3ccode>%0a232c234%0a%3c @]%0a---%0a> %3c/code>%0a234c236%0a%3c [@%0a---%0a> %3ccode>%0a241,242c243,244%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a261c263%0a%3c [@%0a---%0a> %3ccode>%0a263,264c265,266%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a266c268%0a%3c [@%0a---%0a> %3ccode>%0a268,269c270,271%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a274c276%0a%3c [@%0a---%0a> %3ccode>%0a281,282c283,284%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a285c287%0a%3c [@%0a---%0a> %3ccode>%0a292,293c294,295%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a306c308%0a%3c [@%0a---%0a> %3ccode>%0a330,331c332,333%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a333c335%0a%3c [@%0a---%0a> %3ccode>%0a339c341%0a%3c @]%0a---%0a> %3c/code>%0a343c345%0a%3c [@%0a---%0a> %3ccode>%0a345,346c347,348%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a348c350%0a%3c [@%0a---%0a> %3ccode>%0a350,351c352,353%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a353c355%0a%3c [@%0a---%0a> %3ccode>%0a355,356c357,358%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a358c360%0a%3c [@%0a---%0a> %3ccode>%0a360,361c362,363%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a372c374%0a%3c [@%0a---%0a> %3ccode>%0a375,376c377,378%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a378c380%0a%3c [@%0a---%0a> %3ccode>%0a381,382c383,384%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a387c389%0a%3c [@%0a---%0a> %3ccode>%0a416,417c418,419%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a421c423%0a%3c 
[@%0a---%0a> %3ccode>%0a424c426%0a%3c @]%0a---%0a> %3c/code>%0a434,435c436%0a%3c %0a%3c [@%0a---%0a> [=%0a438,439c439,440%0a%3c @]%0a%3c %0a---%0a> =]%0a> %0a441,442c442%0a%3c %0a%3c [@%0a---%0a> [=%0a456,457c456,457%0a%3c @]%0a%3c %0a---%0a> =]%0a> %0a459c459%0a%3c [@%0a---%0a> [=%0a462,463c462,463%0a%3c @]%0a%3c %0a---%0a> =]%0a> %0a465c465%0a%3c [@%0a---%0a> [=%0a467c467%0a%3c @]%0a---%0a> =]%0a host:1602321545=125.231.67.217 author:1597827205=baytuch diff:1597827205:1597288187:=430,467d429%0a%3c %0a%3c '''Autostart'''%0a%3c %0a%3c This solution automatically restarts the service if its work was terminated unexpectedly.%0a%3c %0a%3c Create an executable worker script%0a%3c [=%0a%3c doas touch /usr/local/libexec/project/checker_ngircd.sh%0a%3c doas chmod +x /usr/local/libexec/project/checker_ngircd.sh%0a%3c =]%0a%3c %0a%3c /usr/local/libexec/project/checker_ngircd.sh:%0a%3c [=%0a%3c #!/bin/sh%0a%3c %0a%3c SERVICE_NAME="ngircd"%0a%3c SERVICE_USER="_ngircd"%0a%3c SERVICE_PID="/var/ngircd/var/run/ngircd/ngircd.pid"%0a%3c %0a%3c if ! pgrep -u $SERVICE_USER -x "$SERVICE_NAME" > /dev/null%0a%3c then%0a%3c if [ -f $SERVICE_PID ]; then%0a%3c rm -f $SERVICE_PID%0a%3c rcctl -d start $SERVICE_NAME%0a%3c fi%0a%3c fi%0a%3c =]%0a%3c %0a%3c Add it to the operating system planner%0a%3c [=%0a%3c doas crontab -e%0a%3c * * * * * /usr/local/libexec/project/checker_ngircd.sh > /dev/null 2>&1%0a%3c =]%0a%3c %0a%3c For the solution to work, you need to enable the use of pid files. Like this:%0a%3c [=%0a%3c PidFile = /var/run/ngircd/ngircd.pid%0a%3c =]%0a host:1597827205=91.228.147.58 author:1597288187=searchsocial diff:1597288187:1597288187:=1,449d0%0a%3c ===== Pre-requisites ======%0a%3c It is assumed the following:%0a%3c * You have already read the official [[https://ngircd.barton.de/documentation.php.en|ngIRCd documentation]]. This wiki page is **just a supplementary guide**%0a%3c * You already have configured ''[[openbsd:doas|doas]]''. 
If you have not configured ''doas'' and are running everything as root (user), you are asking for trouble!%0a%3c * You already have a text editor you prefer using. If you **do not** have a preference or have no idea about text editors. I personally suggest ''nano''%0a%3c * This guide will not help you understand how to use ''nano'' or ''vim'' or whatever other editors that you may fancy%0a%3c * You already know how to install packages on OpenBSD, if not [[https://www.openbsd.org/faq/faq15.html#PkgInstall|read here]].%0a%3c %0a%3c ===== Installation =====%0a%3c %3ccode>%0a%3c $ doas pkg_add ngircd%0a%3c $ doas cp /usr/local/share/examples/ngircd/sample-ngircd.conf /etc/ngircd/ngircd.conf%0a%3c %3c/code>%0a%3c %0a%3c If you want to build from source: %0a%3c %0a%3c %3ccode>%0a%3c $ doas pkg_add ngircd # this will provide files /etc/rc.d/ startup scripts%0a%3c $ export CFLAGS=-static%0a%3c $ doas pkg_add autoconf-2.69p2%0a%3c $ doas pkg_add automake-1.11.6p3%0a%3c $ doas pkg_add libident%0a%3c $ doas pkg_add libiconv%0a%3c $ ./configure --enable-ipv6 --with-openssl --with-ident=/usr/local/ --with-iconv=/usr/loca%0a%3c l/ --with-syslog --sysconfdir=/etc/ngircd/ --mandir=/usr/local/man/%0a%3c $ make%0a%3c $ doas make install%0a%3c %3c/code>%0a%3c %0a%3c ===== Configuration =====%0a%3c ==== Text editors ====%0a%3c Edit ''/etc/ngircd/ngircd.conf'' **with your favourite editor**, making sure to prefix doas at the beginning. For example, if your favourite editor is ''vim'', you would do,%0a%3c %0a%3c %3ccode>%0a%3c doas vim /etc/ngircd/ngircd.conf%0a%3c %3c/code>%0a%3c %0a%3c ''vim'' is not installed by default on OpenBSD! so you will need to install it before you can use it. In the previous example with installing ngircd, you just replace it with ''vim'', e.g.%0a%3c %0a%3c %3ccode>%0a%3c doas pkg_add vim%0a%3c %3c/code>%0a%3c %0a%3c **If your favourite text editor is not ''vim'', please do not simply just install ''vim''! 
Instead, replace ''vim'' with whatever text editor you are familiar with. If you are a novice to command line text editors, I suggest you to install/use ''nano'' or ''pico'' instead. Please also do ensure that you read up the relevant text editor documentation of your choice.**%0a%3c %0a%3c ==== Configuration file ====%0a%3c **Any lines begins with either "#" or ";" in ''ngircd.conf'' are comments. The example configuration file has lots of these lines, make sure you un-comment it where needed**%0a%3c %0a%3c **Example**%0a%3c %3ccode>%0a%3c # This is a comment in ngircd.conf. ngircd will ignore this line.%0a%3c %3c/code>%0a%3c %0a%3c %3ccode>%0a%3c ;This is a also a comment in ngircd.conf. ngircd will ignore this line as well.%0a%3c %3c/code>%0a%3c %0a%3c Example within ''ngircd.conf'',%0a%3c %3ccode>%0a%3c [Global]%0a%3c # The [Global] section of this file is used to define the main%0a%3c # configuration of the server, like the server name and the ports%0a%3c # on which the server should be listening.%0a%3c # These settings depend on your personal preferences, so you should%0a%3c # make sure that they correspond to your installation and setup!%0a%3c %0a%3c # Server name in the IRC network, must contain at least one dot%0a%3c # (".") and be unique in the IRC network. Required!%0a%3c ;Name = irc.example.com%0a%3c %3c/code>%0a%3c This should really be,%0a%3c %3ccode>%0a%3c [Global]%0a%3c # The [Global] section of this file is used to define the main%0a%3c # configuration of the server, like the server name and the ports%0a%3c # on which the server should be listening.%0a%3c # These settings depend on your personal preferences, so you should%0a%3c # make sure that they correspond to your installation and setup!%0a%3c %0a%3c # Server name in the IRC network, must contain at least one dot%0a%3c # (".") and be unique in the IRC network. 
Required!%0a%3c Name = irc.acme.ircnow.org%0a%3c %3c/code>%0a%3c %0a%3c Note how:%0a%3c %0a%3c %3ccode>%0a%3c ;Name = irc.acme.ircnow.org%0a%3c %3c/code>%0a%3c %0a%3c Became:%0a%3c %0a%3c %3ccode>%0a%3c Name = irc.acme.ircnow.org%0a%3c %3c/code>%0a%3c %0a%3c You have now successfully turned from what was a comment into an actual parameter.%0a%3c %0a%3c You will need to uncomment and set any line that begins with semi-colon (;) character at the beginning of the line for any feature that you want. **Without removing that semi-colon that feature is either disabled or the defaults are used!**%0a%3c %0a%3c ===== Testing and running =====%0a%3c To save yourself the hassles of finding out why ''ngircd'' fails to start, it is advised that you make ''ngircd'' test your configuration,%0a%3c %3ccode>%0a%3c doas ngircd -t%0a%3c %3c/code>%0a%3c Any errors and such will be shown along with waiting for you to press enter to show the configuration, without the comments. Remember how I emphasised that both "#" and ";" are at the beginning of the line, indicates a comment? those will not be visible by ''ngircd''! instead they are ignored.%0a%3c %0a%3c Once you are happy with your configuration and that ''ngircd'' no longer is reporting errors and such, simply,%0a%3c %3ccode>%0a%3c doas rcctl start ngircd%0a%3c %3c/code>%0a%3c To start ''ngircd'', if you want to have it started whenever you reboot the machine, replace the words "start" with "enable", e.g.,%0a%3c %3ccode>%0a%3c doas rcctl enable ngircd%0a%3c %3c/code>%0a%3c %0a%3c Read [[https://www.openbsd.org/faq/faq10.html#rc|here]] on how to control system daemons such as using ''rcctl'' command above. %0a%3c %0a%3c Once all that is set, connect to your IRCd via your IRC client. Test to see if you can connect and can login as an IRC Operator.%0a%3c %0a%3c ===== Linking (Peering) =====%0a%3c ==== MaxNickLength ====%0a%3c There's a few gotchas with linking multiple ''ngircd'' servers. 
First and foremost, ensure that all your ''ngircd.conf'' has ''MaxNickLength'' set to a specific value.%0a%3c %3ccode>%0a%3c # Maximum length of an user nickname (Default: 9, as in RFC 2812).%0a%3c # Please note that all servers in an IRC network MUST use the same%0a%3c # maximum nickname length!%0a%3c ;MaxNickLength = 9%0a%3c %3c/code>%0a%3c **If one or more servers has a value that isn't 9 and/or that field is commented out, you will not be able to link up with that server.** So please ascertain what value to set **prior** to linking.%0a%3c %0a%3c ==== MyPassword and PeerPassword dilemma ====%0a%3c Another simpler catch involves the MyPassword and PeerPassword keys. Your MyPassword should be the password that you set for other servers/peers to connect to your server. On their (these other server/peer end), should be set as PeerPassword when connecting to you. However, when you are connecting to them you need to know their PeerPassword.%0a%3c %0a%3c === Example ngIRCd server configurations ===%0a%3c To illustrate what I mean is, say for example, you have two ''ngircd'' servers that you want to connect to each other. Let's say that the server "foo" has this configuration,%0a%3c %3ccode>%0a%3c [Global]%0a%3c Name = irc.foo.org%0a%3c Ports = 6667%0a%3c ...%0a%3c [Server]%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c %3c/code>%0a%3c %0a%3c Server "bar" has the following configuration,%0a%3c %3ccode>%0a%3c [Global]%0a%3c Name = irc.bar.org%0a%3c Ports = 6667%0a%3c ...%0a%3c [Server]%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c %3c/code>%0a%3c %0a%3c Under "[Server]" section (**not global section**), it should be added as the following for server "foo". 
Ideally, I would put it in a separate ''[Server]'' section, which would have the following,%0a%3c %3ccode>%0a%3c # Define a (case insensitive) list of masks matching nicknames that%0a%3c # should be treated as IRC services when introduced via this remote%0a%3c # server, separated by commas (",").%0a%3c # REGULAR SERVERS DON'T NEED this parameter, so leave it empty%0a%3c # (which is the default).%0a%3c # When you are connecting IRC services which mask as a IRC server%0a%3c # and which use "virtual users" to communicate with, for example%0a%3c # "NickServ" and "ChanServ", you should set this parameter to%0a%3c # something like "*Serv" or "NickServ,ChanServ,XyzServ".%0a%3c ;ServiceMask = *Serv,Global%0a%3c %0a%3c [Server]%0a%3c # More [Server] sections, if you like ...%0a%3c %0a%3c [Channel]%0a%3c %3c/code>%0a%3c %0a%3c See ''# More [Server] sections, if you like ...''? I would replace that line with the following below,%0a%3c %3ccode>%0a%3c [Server]%0a%3c Name = irc.bar.org%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c %3c/code>%0a%3c %0a%3c Likewise under server "bar",%0a%3c %3ccode>%0a%3c [Server]%0a%3c Name = irc.foo.org%0a%3c Host = irc.foo.org%0a%3c Port = 6667%0a%3c MyPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c PeerPassword = Jp5meaikMiRAKsbBy6G6%0a%3c %3c/code>%0a%3c %0a%3c === Password considerations ===%0a%3c Keep in mind that ''MyPassword'' is used for linking with other servers. **It is stored in plaintext and has nothing to do with the server password specified under [Global] section, nor is it related to your [Operator] password!**. When other servers connects to you, they **need** to know **your** ''MyPassword'', in which they will then set it as their ''PeerPassword'' on their end. 
The same thing likewise when you need to peer with them, you **need** to know their ''MyPassword'' so that you can set it as **your** ''PeerPassword''.%0a%3c %0a%3c Considering how the passwords for linking are revealed when linking, you //do not// need to generate by hand a password that is to either be shared amongst your peering server(s), or for every new peer server(s), that you need to arbitrarily give it a different password. According to [[https://www.reddit.com/r/openbsd/comments/a1fyd5/generating_a_pseudorandom_password_from_the/|this link (reddit)]], you can simply make the system generate a pseudo random password, which isn't dictionary based, and can be arbitrarily lengthened (or shortened) to however long you wish,%0a%3c %3ccode>%0a%3c $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 20 | head -1"%0a%3c %3c/code>%0a%3c %0a%3c This will generate a pseudo password of up to 21 characters long, whenever you type the command ''pw'',%0a%3c %3ccode>%0a%3c $ pw%0a%3c LwF33FVlnBbHLFlgA6pc%0a%3c %3c/code>%0a%3c %0a%3c If you want to lengthen or shorten the length of the password, in the ''fold -w 20'', replace ''20'' with whatever number you wish. Keep in mind that the number you specify, doesn't include the very first character. 
In other words, specifying ''fold -w 29'' instead of ''fold -w 20'',%0a%3c %3ccode>%0a%3c $ alias pw="%3c/dev/random tr -cd [:alnum:] | fold -w 29 | head -1"%0a%3c %3c/code>%0a%3c %0a%3c This will generate a pseudo password of up to 30 characters long,%0a%3c %3ccode>%0a%3c $ pw%0a%3c dtkqvMhZDxBs5OJYewWBlK1Gnqbpa%0a%3c %3c/code>%0a%3c %0a%3c You can also choose to have this ''pw'' command whenever you login, by putting it inside your ''.%3cshell>rc'', where ''%3cshell>'' implies the shell you are currently using, by default on OpenBSD, it is ''ksh'' and therefore it would be ''.kshrc''.%0a%3c %0a%3c See how in the example above how ''irc.foo.org'' ''MyPassword'' is set as ''Jp5meaikMiRAKsbBy6G6'' but when linking with ''irc.bar.org'', whose ''MyPassword'' is set as ''HpNSbcDbrTVQ3lkkqSfq'', that ''irc.foo.org'' ''PeerPassword'' is therefore ''HpNSbcDbrTVQ3lkkqSfq'' for linking to ''irc.bar.org''? The same logic also applies in reverse for when ''irc.bar.org'' is to link up with ''irc.foo.org''.%0a%3c %0a%3c === Summing it up ===%0a%3c To sum it up in the prior example,%0a%3c Server ''irc.foo.org'' has the following for ''irc.bar.org'',%0a%3c %3ccode>%0a%3c [Server]%0a%3c Name = irc.bar.org%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Password_To_Be_Set_On_IRCBARORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword%0a%3c %3c/code>%0a%3c and the same likewise, for ''irc.bar.org'' when linking to ''irc.foo.org'',%0a%3c %3ccode>%0a%3c [Server]%0a%3c Name = irc.foo.org%0a%3c Host = irc.foo.org%0a%3c Port = 6667%0a%3c MyPassword = Password_To_Be_Set_On_IRCFOOORG's_PeerPassword%0a%3c PeerPassword = Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword%0a%3c %3c/code>%0a%3c %0a%3c You replace the contents of,%0a%3c * ''Name'', ''Host'' and ''Port'', keeping in mind that ''[Server]'' needs to be explicitly implied in the ''/etc/ngircd/ngircd.conf'' or ''ngircd'' will not understand what 
to do with the following contents.%0a%3c %0a%3c The following should be very self explanatory, on the string that is to be replaced,%0a%3c * ''Password_To_Be_Set_On_IRCBARORG's_PeerPassword'',%0a%3c * ''Password_That_Is_To_Be_received_from_owner_of_IRCBARORG's_MyPassword'',%0a%3c * ''Password_To_Be_Set_On_IRCFOOORG's_PeerPassword'', and%0a%3c * ''Password_That_Is_To_Be_received_from_owner_of_IRCFOOORG's_MyPassword''%0a%3c %0a%3c ==== Fancy IRC domain names ====%0a%3c If you or other ''ngircd'' owners chooses to use a domain name that resolves to a different IP, say ''irc.freenode.net'', you **must** set ''Host'' parameter, which points to their actual ''ngircd'''s [[https://en.wikipedia.org/wiki/Fully_qualified_domain_name|Fully Qualified Domain Name (FQDN)]] ''or'' their ''ngircd'''s IP address. I personally **do not** condone the notion of using FQDN that does not belong to you, as the consequences of going public with the named servers //can// potentially end up in lawsuits, for falsely misrepresenting a domain name.%0a%3c %0a%3c Let's use the prior example with the ''[Server]'' block. This time we assume,%0a%3c * ''irc.bar.org'' is owned by another operator, and%0a%3c * the owner of ''irc.bar.org'' wants to use ''irc.freenode.net'',%0a%3c * the owner has indicated under their ''Name'' key, under ''[Global]'' section is ''irc.freenode.net''%0a%3c %0a%3c You **should** try to check if it resolves,%0a%3c %3ccode>%0a%3c $ host irc.freenode.net%0a%3c %3c/code>%0a%3c %0a%3c Regardless if it resolves or not, you need to confirm whether or not it points to their server's FQDN or their IP address. 
The owner of ''irc.foo.org'' needs to confirm the FQDN/IP address(es) for the owner of ''irc.freenode.net'' who is formerly the owner of ''irc.bar.org'', by asking the operator to perform the following,%0a%3c %3ccode>%0a%3c $ ifconfig | grep broadcast%0a%3c %3c/code>%0a%3c %0a%3c Note that it is the literal pipe character ''|'' , not the letter ''l'' in between ''ifconfig'' and ''grep''.%0a%3c %0a%3c If the IP address(es) irc.bar.org states does not match the output of ''irc.freenode.net'', or say for example ''host irc.freenode.net'' returns not found, you should then, decide to ask for their FQDN or the IP address to connect to. Now, there's two ways to go about on this, in terms of filling in the information. You can either choose to fill in (as owner of ''irc.foo.org''),%0a%3c %0a%3c %3ccode>%0a%3c [Server]%0a%3c Name = irc.freenode.net%0a%3c Host = irc.bar.org%0a%3c Port = 6667%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c %3c/code>%0a%3c %0a%3c See how ''Host = irc.bar.org'' is specified when the name they provided from within their config mentions ''irc.freenode.net''? This is one way. Assume that they give you the IP address to connect to on their server, and assume that the IP address is ''127.0.0.2'',%0a%3c %0a%3c %3ccode>%0a%3c [Server]%0a%3c Name = irc.freenode.net%0a%3c Host = 127.0.0.2%0a%3c Port = 6667%0a%3c MyPassword = Jp5meaikMiRAKsbBy6G6%0a%3c PeerPassword = HpNSbcDbrTVQ3lkkqSfq%0a%3c %3c/code>%0a%3c %0a%3c ''Host = 127.0.0.2'' is implied, instead of ''Host = irc.bar.org''. Specifying the IP address in the ''Host'' key is more //ideal// as it does not require ''ngircd'' to query the [[https://en.wikipedia.org/wiki/Domain_Name_System#Address_resolution_mechanism|Domain Name System (DNS)]] for the IP address of a given FQDN. 
As an added bonus, connections to the said server via IP address //persists// even when the domain name has expired or changed hands (and therefore resolves to different IP address).%0a%3c %0a%3c ===== Chrooting =====%0a%3c ==== Why chroot ====%0a%3c You can simply reload your daemon without needing to restart it.%0a%3c %0a%3c Reloading your daemon makes it re-read any of the associated configuration files without restarting. In the case of ''ngircd'' the existing IRC connections/sessions you have active will be kept active.%0a%3c %0a%3c Restarting your daemon will also make it re-read any of the associated configuration files. **However**, it will also terminate any of your existing IRC connection/sessions.%0a%3c %0a%3c ==== Configuration ====%0a%3c There are three values that you will need to unset it as a key. These are (in ''ngircd.conf''),%0a%3c %3ccode>%0a%3c [Global]%0a%3c ...%0a%3c # Group ID under which the ngIRCd should run; you can use the name%0a%3c # of the group or the numerical ID. ATTENTION: For this to work the%0a%3c # server must have been started with root privileges!%0a%3c ServerGID = _ngircd%0a%3c %0a%3c # User ID under which the server should run; you can use the name%0a%3c # of the user or the numerical ID. ATTENTION: For this to work the%0a%3c # server must have been started with root privileges! In addition,%0a%3c # the configuration and MOTD files must be readable by this user,%0a%3c # otherwise RESTART and REHASH won't work!%0a%3c ServerUID = _ngircd%0a%3c ...%0a%3c [Options]%0a%3c ...%0a%3c # A directory to chroot in when everything is initialized. It%0a%3c # doesn't need to be populated if ngIRCd is compiled as a static%0a%3c # binary. By default ngIRCd won't use the chroot() feature.%0a%3c # ATTENTION: For this to work the server must have been started%0a%3c # with root privileges!%0a%3c ChrootDir = /var/ngircd%0a%3c ...%0a%3c %3c/code>%0a%3c %0a%3c You will then need to create missing directories within your ''ChrootDir''. 
Assuming you are using the defaults, for which ''ChrootDir'' is ''/var/ngircd'', you will need to create the following base layout,%0a%3c %3ccode>%0a%3c /var%0a%3c /var/ngircd%0a%3c /var/ngircd/etc%0a%3c /var/ngircd/etc/ngircd%0a%3c /var/ngircd/etc/ngircd.conf%0a%3c %3c/code>%0a%3c ''man 7 hier'' to get an understanding of how the filesystem is laid out.%0a%3c %0a%3c This means you will need to create parent directories leading up to ''/var/ngircd/etc/ngircd/ngircd.conf'',%0a%3c %3ccode>%0a%3c $ doas mkdir -p /var/ngircd/etc/ngircd%0a%3c %3c/code>%0a%3c %0a%3c Copy the ''ngircd.conf'' from ''/etc/ngircd'' into ''/var/ngircd/etc/ngircd'',%0a%3c %3ccode>%0a%3c $ doas cp /etc/ngircd/ngircd.conf /var/ngircd/etc/ngircd%0a%3c %3c/code>%0a%3c %0a%3c Make sure the path to ''/var/ngircd/etc/ngircd'' has the correct permissions. The following sets permissions as ''drwxrw-rw'', ''man chmod'' if in doubt,%0a%3c %3ccode>%0a%3c $ find /var/ngircd -type d -exec doas chmod 755 '{}' \;%0a%3c %3c/code>%0a%3c %0a%3c Make sure any of the files within ''/var/ngircd'' does not have others/world read/write/execute capability. You currently only have one file within it anyway,%0a%3c %3ccode>%0a%3c $ find /var/ngircd -type f -exec doas chmod 640 '{}' \;%0a%3c %3c/code>%0a%3c %0a%3c You should now be able to execute either ''doas rcctl reload ngircd'' or ''/quote rehash'' from either the console or your IRC client respectively.%0a%3c %0a%3c ===== SSL via TLS =====%0a%3c ==== Pre-requisites ====%0a%3c * You have a certificate that you can use with ''ngircd''. If you do not have one, I **recommend** that you obtain a free certificate from Let's Encrypt, following [[https://ircnow.org/kb/doku.php?id=openbsd:acme-client|this guide]].%0a%3c %0a%3c ==== Pre-configuration ====%0a%3c Copy the necessary certificates into both your ''/etc/ngircd'' directory and your chrooted ''ngircd'' directory. Chrooted ''ngircd'' directory by default is ''/var/ngircd'' but can be altered. 
If you have a custom chroot directory, you will need to copy the certificates there.%0a%3c %0a%3c Assuming you got your certificates from Let's Encrypt via following the aforementioned [[https://ircnow.org/kb/doku.php?id=openbsd:acme-client|acme-client]] guide,%0a%3c %3ccode>%0a%3c $ doas cp /etc/ssl/example.com.fullchain.pem /etc/ngircd%0a%3c $ doas cp /etc/ssl/private/example.com.key /etc/ngircd%0a%3c %3c/code>%0a%3c %0a%3c The same with your chrooted ''ngircd''. Again assuming defaults,%0a%3c %3ccode>%0a%3c $ doas cp /etc/ssl/example.com.fullchain.pem /var/ngircd/etc/ngircd%0a%3c $ doas cp /etc/ssl/private/example.com.key /var/ngircd/etc/ngircd%0a%3c %3c/code>%0a%3c %0a%3c Note: if /var/ngircd/etc/ doesn't exist, you can create it.%0a%3c %0a%3c ==== Configuration ====%0a%3c In your ''ngircd.conf'', you will need to have the following,%0a%3c %3ccode>%0a%3c [SSL]%0a%3c # SSL-related configuration options. Please note that this section%0a%3c # is only available when ngIRCd is compiled with support for SSL!%0a%3c # So don't forget to remove the ";" above if this is the case ...%0a%3c %0a%3c # SSL Server Key Certificate%0a%3c CertFile = /etc/ngircd/example.com.fullchain.pem%0a%3c %0a%3c # Select cipher suites allowed for SSL/TLS connections. 
This defaults%0a%3c # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).%0a%3c # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'%0a%3c # (GnuTLS) for details.%0a%3c # For OpenSSL:%0a%3c CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3%0a%3c # For GnuTLS:%0a%3c ;CipherList = SECURE128:-VERS-SSL3.0%0a%3c %0a%3c # Diffie-Hellman parameters%0a%3c ;DHFile = /etc/ngircd/dhparams.pem%0a%3c %0a%3c # SSL Server Key%0a%3c KeyFile = /etc/ngircd/example.com.key%0a%3c %0a%3c # password to decrypt SSLKeyFile (OpenSSL only)%0a%3c ;KeyFilePassword = secret%0a%3c %0a%3c # Additional Listen Ports that expect SSL/TLS encrypted connections%0a%3c Ports = 6697, 9999%0a%3c %3c/code>%0a%3c %0a%3c Notice how I,%0a%3c * Left the ''CipherList'' under the words ''For GnuTLS'' as-is, without uncommenting it? We're not using GnuTLS as OpenBSD does not include that by default.%0a%3c * Left ''DHFile'' commented out? This is **unnecessary**, however, if you feel you must have a DHFile set, you can do,%0a%3c %3ccode>%0a%3c $ doas openssl dhparam -out /etc/ngircd/dhparams.pem 2048%0a%3c $ doas cp /etc/ngircd/dhparams.pem /var/ngircd/etc/ngircd%0a%3c %3c/code>%0a%3c Then once you have generated that file. Make sure you uncomment it in your ''ngircd.conf''%0a%3c %0a%3c Save, and reload/restart your ''ngircd''. Check ''/var/log/messages'' to see if it is also listening on ports ''6697'' and ''9999''. Then connect to those ports via your IRC client to verify that SSL does work as intended.%0a%3c %0a%3c ===== HOPM =====%0a%3c [[https://github.com/ircd-hybrid/hopm/blob/master/README|Hybrid Open Proxy Monitor (HOPM)]] can be configured for ''ngircd''. [[openbsd:irc:hopm|Click here to read more about it]].%0a%3c %0a%3c ===== ACOPM =====%0a%3c [[https://packages.alphachat.net/projects/ACOPM.git/plain/README.md|AlphaChat Open Proxy Monitor (ACOPM)]] can be configured for ''ngircd''. 
[[openbsd:irc:acopm|Click here to read more about it]].%0a%3c %0a%3c ===== IRC services =====%0a%3c You may wish to refer to [[https://github.com/ngircd/ngircd/blob/master/doc/Services.txt|this link]] for more information on hints with setting up IRC services for ''ngircd''.%0a%3c %0a%3c ===== Caveats =====%0a%3c ngIRCd v25 provided by OpenBSD 6.6 via ports does not have the following compiled:%0a%3c * IDENT support,%0a%3c * PAM support%0a%3c ngIRCd without these compiled **can not** be enabled in ''/etc/ngircd/ngircd.conf''! %0a%3c %0a%3c IDENT support will be covered in [[openbsd:irc:ngircd:adv_topics|advanced topics]].%0a%3c %0a%3c ===== See also =====%0a%3c * [[openbsd:irc:ngircd:adv_topics|Advanced topics on ngIRCd]].%0a\ No newline at end of file%0a host:1597288187=2600:1700:71b0:2420:aed5:64ff:fedd:25f
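Review bot: Every [Server] link example in the removed text uses "Port = 6667", while the same text says the link passwords "are revealed when linking" and the SSL section only sets up TLS listeners on "Ports = 6697, 9999"; as written, MyPassword and PeerPassword would cross the network on the non-TLS port. If this material is carried over to another page, point the [Server] examples at a TLS port and add ngIRCd's "SSLConnect = yes" to each block, so the link password is not sent in clear text. Two smaller points in the same hunk: the chroot step describes "chmod 755" as ''drwxrw-rw'', but 755 is drwxr-xr-x, and the private key is copied into /etc/ngircd and /var/ngircd/etc/ngircd after the "chmod 640" step with no owner or mode given for the copies, so the text should state both. The "pw" alias text also says "fold -w 20" yields up to 21 characters and "fold -w 29" up to 30, yet the sample outputs shown are 20 and 29 characters long.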