===== Pre-requisites =====
* It is assumed you have ''[[openbsd:doas|doas]]'' configured properly. If you do not have this configured properly and are interfacing with your server as root, you are asking for trouble!
* It is assumed you have run ''adduser'' before. If not, you can run it and the majority of the defaults are fine.
* It is **also** assumed you have your own favourite text editor. If you **do not have** a favourite text editor, I recommend installing ''nano'' via ''doas pkg_add nano''. You must know how to use your favourite text editor, as I won't cover how to use it.
* A valid SSL/TLS certificate is required. If you do not have one, you cannot use the TLS function and must leave it disabled.
* ACOPM requires automake/autoconf, bash and some extra libraries.
* **''BASH'' is required due to some funkiness in autoconf (ac) scripts. It is not optional.**
===== Installation =====
Create acopm as its own user.
  $ doas adduser
  Use option ``-silent'' if you don't want to see all warnings and questions.
  Reading /etc/shells
  Check /etc/master.passwd
  Check /etc/group
  Ok, let's go.
  Don't worry about mistakes. There will be a chance later to correct any input.
  Enter username []: acopm
  Enter full name []: acopm
  Enter shell bash csh jk_chrootsh ksh nologin sh [ksh]: nologin
  Uid [1002]: 65531
  Login group acopm [acopm]:
  Login group is ``acopm''. Invite acopm into other groups: guest no
  [no]:
  Login class authpf bgpd daemon default pbuild staff unbound znc
  [default]: daemon
  Enter password []:
  Disable password logins for the user? (y/n) [n]: y
  Name: acopm
  Password: ****
  Fullname: acopm
  Uid: 65531
  Gid: 65531 (acopm)
  Groups: acopm
  Login Class: daemon
  HOME: /home/acopm
  Shell: /sbin/nologin
  OK? (y/n) [y]:
  Added user ``acopm''
  Copy files from /etc/skel to /home/acopm
  Add another user? (y/n) [y]: n
  Goodbye!
Install the necessary packages.
  $ doas pkg_add git bash autoconf-2.69p2 automake-1.16.1 libconfig libevent mbedtls
Navigate into the newly created user's home directory.
  $ cd /home/acopm
Fetch the project from the project page.
  $ doas -u acopm git clone https://packages.alphachat.net/projects/ACOPM.git
Go into the ''ACOPM'' directory.
  $ cd ACOPM
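Explicitly pass the installed versions of ''automake'' and ''autoconf'' to ''autogen.sh''. ''doas'' runs its first argument as the command, so the variables are set through ''env''.
  $ doas -u acopm env AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.69 bash ./autogen.sh
Explicitly tell ''configure'' where to find the headers and libraries it needs. The prefix is written out in full because ''$HOME'' would be expanded by your own shell before ''doas'' switches user.
  $ doas -u acopm env CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib LIBS="-levent_core -levent_extra" \
      bash ./configure --with-mbedtls --prefix=/home/acopm/opt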
Clean, build and install ''acopm''.
  $ doas -u acopm make clean all install
This will leave you with a ready-to-configure ACOPM install in ''/home/acopm/opt'', which the rest of this page calls ''$HOME/opt''. Now navigate into ''$HOME/opt/etc''.
  $ cd ../opt/etc
Copy ''acopm.conf.example'' to ''acopm.conf'' and edit it with **your own favourite text editor**. In my case I use ''vim''.
  $ doas -u acopm cp acopm.conf.example acopm.conf
  $ doas -u acopm vim acopm.conf
Make the necessary adjustments within ''acopm.conf'' to suit your server/network configuration. In the config, you will need a ''conn_fmt'' string to suit your IRCd; for ''ngircd'' it is:
  conn_fmt = "Client connecting: %s %*s [%[0-9A-Fa-f.:]] - %*s"
Save and exit out of **your own favourite text editor**.
===== TLS =====
You should have at minimum a crt file. For ''acme-client'' users your ''/etc/acme-client.conf'' should probably look like this at minimum.
  #
  # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
  #
  authority letsencrypt {
      api url "https://acme-v02.api.letsencrypt.org/directory"
      account key "/etc/acme/letsencrypt-privkey.pem"
  }
  authority letsencrypt-staging {
      api url "https://acme-staging-v02.api.letsencrypt.org/directory"
      account key "/etc/acme/letsencrypt-staging-privkey.pem"
  }
  domain example.com {
      # alternative names { }
      domain key "/etc/ssl/private/example.com.key"
      domain certificate "/etc/ssl/example.com.crt"
      domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
      sign with letsencrypt
  }
This will generate three files. You mainly need the ''example.com.crt'' in the prior example, but you can use ''example.com.fullchain.pem'' if you wish.
Copy all three of these files into ''$HOME/opt/bin''.
  $ doas cp /etc/ssl/example.com.crt /home/acopm/opt/bin
  $ doas cp /etc/ssl/example.com.fullchain.pem /home/acopm/opt/bin
  $ doas cp /etc/ssl/private/example.com.key /home/acopm/opt/bin
In your ''$HOME/opt/etc/acopm.conf'', you should have the following.
   *
   * The SPKI digests are useful if your server certificates change
   * frequently (for example, with Let's Encrypt certificates which
   * are only valid for 3 months at a time). If the public key in your
   * certificate does not change when you renew it, the SPKI finger-
   * prints will not change either, easing configuration management.
   */
  # use_tls = true;
  # certfp_method = "SPKI-SHA256-B64";
  # certfp_values = (
  #     "cnqredviWVt2Vo4Ww0CgwFog0KWP7gubF7E8IC0LjuQ=",
  #     "pcky/MCUI+Wfm+Pftedhs7yzjaYvpysWO9cst4K/07Q="
  # );
Uncomment the lines ''use_tls'', ''certfp_method'', and ''certfp_values''.
  use_tls = true;
  certfp_method = "SPKI-SHA256-B64";
  certfp_values = (
      "cnqredviWVt2Vo4Ww0CgwFog0KWP7gubF7E8IC0LjuQ=",
      "pcky/MCUI+Wfm+Pftedhs7yzjaYvpysWO9cst4K/07Q="
  );
Run ''acopm-mkfingerprint.sh'' on the certificate you copied into ''$HOME/opt/bin''.
  $ doas -u acopm /home/acopm/opt/bin/acopm-mkfingerprint.sh /home/acopm/opt/bin/example.com.crt SPKI SHA256 B64
  czky/MCYI+Wfm+Pftedhs1yzjaYvpasW99cst4K/07Q=$
Copy and paste that ''czky/MCYI+Wfm+Pftedhs1yzjaYvpasW99cst4K/07Q='' into your ''/home/acopm/opt/etc/acopm.conf''.
  use_tls = true;
  certfp_method = "SPKI-SHA256-B64";
  certfp_values = ( "czky/MCYI+Wfm+Pftedhs1yzjaYvpasW99cst4K/07Q=" );
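What an SPKI fingerprint covers, as an added example that is not part of the original page and does not reproduce ''acopm-mkfingerprint.sh'': a renewal that keeps the key keeps the fingerprint, while a renewal with a new key needs a new ''certfp_values'' entry. It assumes ''openssl'' is on the path and that ''SPKI-SHA256-B64'' denotes the usual construction (SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded); the keys and self-signed certificates are throwaway, constructed stand-ins.

```shell
#!/bin/sh
# Added example: every key and certificate here is a constructed fixture.
set -e

# SPKI fingerprint: SHA-256 of the DER SubjectPublicKeyInfo, base64-encoded.
spki_sha256_b64() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# SHA-256 of the whole DER certificate, base64-encoded, for contrast.
cert_sha256_b64() {
    openssl x509 -in "$1" -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Self-signed stand-in for a CA-issued certificate: $1 key, $2 serial, $3 output.
issue() {
    openssl req -new -x509 -key "$1" -subj "/CN=example.com" \
        -days 90 -set_serial "$2" -out "$3"
}

# Build three certificates in directory $1:
#   first.crt    the original certificate
#   renewed.crt  a renewal that keeps the same key
#   rekeyed.crt  a renewal with a freshly generated key
make_fixture() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/a.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/b.key"
    issue "$1/a.key" 1 "$1/first.crt"
    issue "$1/a.key" 2 "$1/renewed.crt"
    issue "$1/b.key" 3 "$1/rekeyed.crt"
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_fixture "$dir"
for c in first renewed rekeyed; do
    printf '%-8s spki=%s cert=%s\n' "$c" \
        "$(spki_sha256_b64 "$dir/$c.crt")" "$(cert_sha256_b64 "$dir/$c.crt")"
done
```

In the output, ''first'' and ''renewed'' share the ''spki'' value but not the ''cert'' value, and ''rekeyed'' differs in both.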
===== Troubleshooting =====
Getting acopm configured right can be tricky, so here are a few hints and tips.
* If you are getting syntax errors, you might want to follow a hint for ''[[ngircd:hopm#troubleshooting|hopm]]''.
* If your acopm is exiting straight back to the prompt even when there are no syntax errors, you might want to set ''logmask'' to ''32''. Also, you might want to ensure that you don't have ''daemonise'' set to true, as well as ''logfile'' defined.
* If your IRCd does not have a server password, you do not need to have ''password'' defined. The following example is sufficient:
  /*
   * The following 3 values are required and self-explanatory.
   */
  nickname = "ACOPM";
  username = "ACOPM";
  // password = "supersecret";