Streamlining file management

Justification

Pre-requisites

Procedure

Move /etc/ngircd/ngircd.conf into /var/ngircd/etc/ngircd, assuming that the changes you made in /etc/ngircd/ngircd.conf pass the doas ngircd -t test and that you are content with the new changes,

$ doas mv /etc/ngircd/ngircd.conf /var/ngircd/etc/ngircd

Create a symbolic link at /etc/ngircd/ngircd.conf that points to /var/ngircd/etc/ngircd/ngircd.conf,

$ doas ln -s /var/ngircd/etc/ngircd/ngircd.conf /etc/ngircd/ngircd.conf

Do the same for every file within /var/ngircd that already has an exact copy outside of the chrooted ngircd directory. The following is for Let's Encrypt certificates,

$ doas mv /etc/ngircd/example.com.fullchain.pem /var/ngircd/etc/ngircd
$ doas ln -s /var/ngircd/etc/ngircd/example.com.fullchain.pem /etc/ngircd/example.com.fullchain.pem
$ doas mv /etc/ngircd/example.com.key /var/ngircd/etc/ngircd
$ doas ln -s /var/ngircd/etc/ngircd/example.com.key /etc/ngircd/example.com.key

See man ln if in doubt.

Log redirection and rotation

Justification

Pre-requisites

In general

Condition specifics

These only apply when you want to retain existing logged ngircd output in its own file. If you do not care about historical data, you can simply skip this.

Configuration

/etc/syslog.conf

This more or less follows a mailing list response about relayd. In your /etc/syslog.conf, you will need to have these lines at the top of the file,

#       $OpenBSD: syslog.conf,v 1.20 2016/12/27 13:38:14 jca Exp $
#

!!ngircd
local1.*                                                /var/log/ngircd
!*
...

If these lines were not at the top of /etc/syslog.conf, messages coming from ngircd would be caught and processed by any rules preceding them. They must therefore be at the top, so that they take precedence over all subsequent rules.

Create an empty file named ngircd inside /var/log,

$ doas touch /var/log/ngircd

Change ownership of the file so that even a chrooted ngircd can still access it. Assuming defaults within /etc/ngircd/ngircd.conf,

$ doas chown _ngircd:_ngircd /var/log/ngircd

Change the file permissions so that it is not readable, writable or executable by others (world),

$ doas chmod 660 /var/log/ngircd

Historical log segregation

You can skip this section if you do not wish to segregate historical ngircd logs from /var/log/messages. The following methods are experimental and are considered risky!

Extract all traces of ngircd from all of /var/log/messages*, including those that have been compressed due to /etc/newsyslog.conf. The -h flag keeps grep from prefixing each copied line with the name of the file it came from,

$ zgrep -h ngircd /var/log/messages* | doas tee -a /var/log/ngircd

Manually and optionally, remove traces of ngircd messages from within /var/log/messages,

$ doas mv /var/log/messages /var/log/messages.orig && doas sed '/ngircd/d' /var/log/messages.orig | doas tee /var/log/messages > /dev/null && doas rm /var/log/messages.orig

This does not work on already archived /var/log/messages files, which are gzipped in the form of /var/log/messages.0.gz, for example. Deleting traces from those requires some ingenuity.

Here is a possible example of how to proceed with archived /var/log/messages*,

$ doas gzip -d /var/log/messages.0.gz && doas mv /var/log/messages.0 /var/log/messages.0.orig && doas sed '/ngircd/d' /var/log/messages.0.orig | doas tee /var/log/messages.0 > /dev/null && doas rm /var/log/messages.0.orig && doas gzip -9 /var/log/messages.0

This might be shortened to something like the following,

$ doas gzcat /var/log/messages.0.gz | sed '/ngircd/d' | doas tee /var/log/messages.0 > /dev/null && doas rm /var/log/messages.0.gz && doas gzip -9 /var/log/messages.0

If you have more than one of these archived /var/log/messages.0.gz, such as /var/log/messages.1.gz, /var/log/messages.2.gz, and so on, you may want to try repeating the procedure as outlined above, but with caution. Alternatively, and again, with some intuition, it might be possible to semi-automate this without needing to repeat the same command, just with different filenames, over and over again. I will not cover this part of the topic, as I have not personally experienced dealing with it.

/etc/newsyslog.conf

If you want your ngircd logs to be rotated and compressed to save space, append the following to your /etc/newsyslog.conf,

/var/log/ngircd         _ngircd:_ngircd 660  7     *    $W0   Z

Where,

# logfile_name          owner:group     mode count size when  flags

Means the following:

See the man page for more information.

Compiling ngIRCd with ident and/or other options

Justification

Pre-requisites

Procedure

Create a new directory named myports under /usr/ports,

$ mkdir /usr/ports/myports

Copy the contents of net/ngircd into myports,

$ cp -R /usr/ports/net/ngircd /usr/ports/myports

Edit the Makefile under /usr/ports/myports/ngircd so that it contains the following,

# $OpenBSD: Makefile,v 1.19 2020/02/24 10:30:16 solene Exp $

COMMENT =       lightweight irc server

DISTNAME =      ngircd-25

REVISION =      2-alpha

CATEGORIES =    myports

HOMEPAGE =      https://ngircd.barton.de/

MAINTAINER =    Giannis Tsaraias <tsg@openbsd.org>

# GPLv2
PERMIT_PACKAGE =        Yes

# use pledge()
WANTLIB =       c crypto iconv ssl z

MASTER_SITES =  http://ngircd.barton.de/pub/ngircd/ \
                http://ngircd.mirror.3rz.org/pub/ngircd/

LIB_DEPENDS =   converters/libiconv security/libident

BUILD_DEPENDS = security/libident

TEST_DEPENDS =  lang/expect \
                ${BASE_PKGPATH}

SYSCONFDIR =    ${BASESYSCONFDIR}/ngircd

CONFIGURE_STYLE = gnu
CONFIGURE_ARGS += --with-iconv=${LOCALBASE} \
                  --with-openssl \
                  --enable-ipv6 \
                  --with-ident=${LOCALBASE} \
                  --sysconfdir=/etc/ngircd \
                  --mandir=/usr/local/man

.include <bsd.port.mk>

Follow the rest of the OpenBSD FAQ ports page on how to compile and install your custom ngIRCd package.

SSL migration

Justification

Background

Let's assume there are two ngircd servers peered with each other right now. Server A is named irc.foo.org and Server B is named irc.bar.org. When connected to, say, irc.foo.org, and one executes the following command as an IRC user,

/trace

They will see something like the following,

Link ngIRCd-25 irc.foo.org irc.foo.org VFz 100101 0 0
[irc.foo.org] Serv 1 0S 0C irc.bar.org[unknown@127.0.0.2] *!*irc.foo.org VFz
[irc.foo.org] irc.foo.org ngIRCd-25. End of TRACE

The letters VFz mean several things. For now, we will skip over the letters V and F, as there's not enough documentation on what they are. That leaves z, which the ngIRCd ChangeLog describes as follows,

Server-Server-Links koennen nun komprimiert werden, dazu wird die zlib (www.zlib.org) benoetigt. Unterstuetzt die Gegenseite die Komprimierung nicht, wird automatisch unkomprimiert kommuniziert. Das Verfahren ist kompatibel mit dem Original-ircd 2.10.3, d.h. beide Server koennen miteinander ueber komprimiert Links kommunizieren.

https://gitlab.com/ngircd/ngircd/blob/master/ChangeLog#L1849

In English, this roughly translates as,

Server-server links can now be compressed, which requires the zlib (www.zlib.org). If the other side does not support compression, communication is automatically uncompressed. The process is compatible with the original ircd 2.10.3, i.e. both servers can communicate with each other via compressed links.

If it were VFsz instead, we would know that the link between irc.foo.org and irc.bar.org uses SSL,

Show connection flag “s” (SSL) in RPL_TRACE{LINK|SERVER} messages: now you can check if a server-to-server link is SSL-encrypted or not using the IRC “TRACE” command.

https://gitlab.com/ngircd/ngircd/blob/master/ChangeLog#L544

Repeating the /trace command above would then show something like the following, assuming irc.bar.org has an SSL connection to irc.foo.org,

Link ngIRCd-25 irc.foo.org irc.foo.org VFz 100101 0 0
[irc.foo.org] Serv 1 0S 0C irc.bar.org[unknown@127.0.0.2] *!*irc.foo.org VFsz
[irc.foo.org] irc.foo.org ngIRCd-25. End of TRACE

In an IRC network with multiple servers linked to each other, where some of them have SSL S2S connections and others don't, you will see a very mixed overview with the /trace command.
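The flag check described above can be scripted to list every link that lacks the "s" flag. This is an added example, not part of the original page or of ngIRCd; it assumes the Serv line layout shown in the sample /trace output, and the function names and sample addresses are constructed.

```python
import re

# Layout inferred from the sample TRACE reply on this page (an assumption):
# [local] Serv <counters> peer[user@host] <mask> <flags>
SERV_RE = re.compile(
    r"^\[(?P<local>[^\]]+)\]\s+Serv\s+(?:\S+\s+)*?(?P<peer>[^\s\[]+)\[[^\]]*\]"
    r"\s+\S+\s+(?P<flags>\S+)$"
)

def parse_trace(text):
    """Return one dict per server link found in TRACE output."""
    links = []
    for line in text.splitlines():
        m = SERV_RE.match(line.strip())
        if m:
            links.append({"local": m["local"], "peer": m["peer"],
                          "ssl": "s" in m["flags"], "zlib": "z" in m["flags"]})
    return links

def plaintext_links(text):
    """(local, peer) pairs whose flags lack 's', i.e. links without SSL."""
    return sorted({(l["local"], l["peer"])
                   for l in parse_trace(text) if not l["ssl"]})

# Constructed sample in the page's format, using documentation addresses.
SAMPLE = """\
Link ngIRCd-25 irc.foo.org irc.foo.org VFz 100101 0 0
[irc.foo.org] Serv 1 0S 0C irc.bar.org[unknown@192.0.2.2] *!*irc.foo.org VFsz
[irc.foo.org] Serv 1 0S 0C irc.baz.org[unknown@192.0.2.3] *!*irc.foo.org VFz
[irc.foo.org] Serv 1 0S 0C irc.blah.org[unknown@192.0.2.4] *!*irc.foo.org VF
[irc.foo.org] irc.foo.org ngIRCd-25. End of TRACE
"""

if __name__ == "__main__":
    for local, peer in plaintext_links(SAMPLE):
        print(f"{local} <-> {peer}: no 's' flag, link is not SSL-encrypted")
```

Feeding it the /trace output collected from each server in turn gives the full list of links that still need migrating.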

Pre-requisites

Procedure

Assume you have five (5) servers in your network; some have SSL enabled on ngircd, the rest don't. Assume the following server names:

Now, assume each of these servers has server links to every other. irc.foo.org has the following,

[Server]
        Name = irc.bar.org
        Port = 6697
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        SSLConnect = yes

[Server]
        Name = irc.baz.org
        Port = 6667
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY

[Server]
        Name = irc.blah.org
        Port = 6667
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = 52pQawGcNOiGK1zJn46zTWSf4eTBe

[Server]
        Name = irc.example.org
        Port = 6667
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = CWomEefu3bHDNdfdbEbdAdPPzF7q1

Server irc.bar.org has the following,

[Server]
        Name = irc.foo.org
        Port = 6697
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        SSLConnect = yes

[Server]
        Name = irc.baz.org
        Port = 6667
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY

[Server]
        Name = irc.blah.org
        Port = 6667
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = 52pQawGcNOiGK1zJn46zTWSf4eTBe

[Server]
        Name = irc.example.org
        Port = 6667
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = CWomEefu3bHDNdfdbEbdAdPPzF7q1

Server irc.baz.org has the following,

[Server]
        Name = irc.foo.org
        Port = 6697
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        SSLConnect = yes

[Server]
        Name = irc.bar.org
        Port = 6697
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        SSLConnect = yes

[Server]
        Name = irc.blah.org
        Port = 6667
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = 52pQawGcNOiGK1zJn46zTWSf4eTBe

[Server]
        Name = irc.example.org
        Port = 6667
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = CWomEefu3bHDNdfdbEbdAdPPzF7q1

And so on, and so forth. Hopefully by now you should see the pattern. For those that don't,

Both Group and Passive are optional keys within ngircd.conf. Without either of these set,

Group takes an ID, which is an integer; it does not accept alphabetical characters or any characters other than digits. We want to make use of Group because ngircd will try to connect to at least two of the grouped servers that share the same number. Servers that are grouped under different numbers will be dealt with separately, or at least that is the hypothesis.

Meanwhile, Passive is used temporarily to give precedence to those that have SSL-enabled ports. It has other uses, but for this scenario, we are going to use it to force SSL servers to be connected before non-SSL servers.

Putting all of this into perspective, here is how the prior example would be laid out with both Group and Passive explicitly set. Server irc.foo.org has the following,

[Server]
        Name = irc.bar.org
        Port = 6697
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        SSLConnect = yes
        Group = 0
        Passive = no

[Server]
        Name = irc.baz.org
        Port = 6667
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        Group = 9
        Passive = yes

[Server]
        Name = irc.blah.org
        Port = 6667
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = 52pQawGcNOiGK1zJn46zTWSf4eTBe
        Group = 9
        Passive = yes

[Server]
        Name = irc.example.org
        Port = 6667
        MyPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        PeerPassword = CWomEefu3bHDNdfdbEbdAdPPzF7q1
        Group = 9
        Passive = yes

Server irc.bar.org has the following,

[Server]
        Name = irc.foo.org
        Port = 6697
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        SSLConnect = yes
        Group = 0
        Passive = no

[Server]
        Name = irc.baz.org
        Port = 6667
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        Group = 9
        Passive = yes

[Server]
        Name = irc.blah.org
        Port = 6667
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = 52pQawGcNOiGK1zJn46zTWSf4eTBe
        Group = 9
        Passive = yes

[Server]
        Name = irc.example.org
        Port = 6667
        MyPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        PeerPassword = CWomEefu3bHDNdfdbEbdAdPPzF7q1
        Group = 9
        Passive = yes

Server irc.baz.org has the following,

[Server]
        Name = irc.foo.org
        Port = 6697
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = OQGpksaFt4MJFVCyPAxj5xtHwSiZa
        SSLConnect = yes
        Group = 0
        Passive = no

[Server]
        Name = irc.bar.org
        Port = 6697
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = DSXv29Fpz4BuD3A7uzu8MAtKpJnBz
        SSLConnect = yes
        Group = 0
        Passive = no

[Server]
        Name = irc.blah.org
        Port = 6667
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = 52pQawGcNOiGK1zJn46zTWSf4eTBe
        Group = 9
        Passive = yes

[Server]
        Name = irc.example.org
        Port = 6667
        MyPassword = de290kQTlzMGwqAvH9l7Aqf6TzrsY
        PeerPassword = CWomEefu3bHDNdfdbEbdAdPPzF7q1
        Group = 9
        Passive = yes

Once set, all of these servers need to be either rehashed or restarted, depending on whether or not your ngircd has been properly configured for chroot.
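One way to check a set of configurations against the pattern above before rehashing (an added example, not from the original page or the ngIRCd project): it parses the [Server] blocks of each server's ngircd.conf and reports links without SSLConnect, Group/Passive values that deviate from the 0/no and 9/yes convention used here, and passwords that are not mirrored on the peer. The function names and sample secrets are constructed.

```python
def parse_servers(conf_text):
    """Return {peer name: {key: value}} for every [Server] block."""
    blocks, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # any section header ends the previous block
            cur = {} if line.lower() == "[server]" else None
            blocks.append(cur)
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            cur[key.strip().lower()] = value.strip()
    return {b["name"]: b for b in blocks if b and "name" in b}

def audit(network):
    """network maps each server's own name to its ngircd.conf text."""
    parsed = {name: parse_servers(text) for name, text in network.items()}
    found = set()
    for local, peers in parsed.items():
        for peer, blk in peers.items():
            ssl = blk.get("sslconnect", "no").lower() == "yes"
            got = (blk.get("group"), blk.get("passive", "no").lower())
            want = ("0", "no") if ssl else ("9", "yes")  # this page's convention
            if not ssl:
                found.add(f"{local} -> {peer}: plaintext link")
            if got != want:
                found.add(f"{local} -> {peer}: Group/Passive {got}, want {want}")
            back = parsed.get(peer, {}).get(local)  # the peer's block for us
            if back and (blk.get("mypassword"), blk.get("peerpassword")) != (
                    back.get("peerpassword"), back.get("mypassword")):
                found.add("passwords not mirrored: " + " / ".join(sorted((local, peer))))
    return sorted(found)

# Constructed sample with placeholder secrets; BAR contains two mistakes.
FOO = """[Server]
Name = irc.bar.org
MyPassword = foo-pw
PeerPassword = bar-pw
SSLConnect = yes
Group = 0
"""
BAR = """[Server]
Name = irc.foo.org
MyPassword = bar-pw
PeerPassword = foo-typo
SSLConnect = yes
Group = 9
"""
if __name__ == "__main__":
    print(*audit({"irc.foo.org": FOO, "irc.bar.org": BAR}), sep="\n")
```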