💾 Archived View for snowcode.ovh › tech › ngircd.gmi captured on 2023-06-14 at 14:02:40. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-01-08)

-=-=-=-=-=-=-

How to setup ngircd on Debian with SSL (TOR in bonus)

So let's start.

Note: This guide has been updated to include services like ChanServ and NickServ on December 30, 2021

This tutorial applied on Arch (without SSL) in video format [19MB]

Step 1: Building ngircd

Here we're also going to build the thing from source, because why not? So let's install the dependencies we're going to need both for the build and SSL.

$ sudo apt install letsencrypt gnutls-build autoconf automake build-essential git

Now let's download the source code:

$ git clone https://github.com/ngircd/ngircd
$ cd ngircd/

And now let's build it:

$ ./autogen.sh
$ ./configure --with-gnutls
$ sudo make install

Step 2: Generating and copying the SSL files

Let's first generate the trusteed Letsencrypt certificate using `certbot` (included in the `letsencrypt` package installed earlier. Of course, don't forget to change YOUR.DOMAIN.TLD into your real domain. Also make sure the DNS of the domain is linked to your server and that the the ports 80, 443, 6667 and 6697 are open.

$ sudo systemctl stop nginx
$ sudo certbot certonly --standalone -d YOUR.DOMAIN.TLD
$ sudo systemctl start nginx

Now let's move those files to the current directory (ngircd), as well as generating the dhparams.pem file.

$ sudo cp /etc/letsencrypt/live/YOUR.DOMAIN.TLD/fullchain.pem cert.pem
$ sudo cp /etc/letsencrypt/live/YOUR.DOMAIN.TLD/privkey.pem key.pem
$ certtool  --generate-dh-params --bits 4096 --outfile dhparams.pem

Because the Let's Encrypt certificates have been generated by root, you have to make them readable by the current user:

$ sudo chown $USER:$USER *.pem

Step 3: Configuring

Now let's copy and edit the configuration file

$ cp doc/sample-ngircd.conf.tmpl ngircd.conf
$ nano ngircd.conf

In that file uncomment the line about the ports 6667 (to enable plaintext and tor connections) as well as the SSL part, which you can replace by the following snippet:

[SSL]
    CertFile = cert.pem
    CipherList = SECURE128:-VERS-SSL3.0
    DHFile = dhparams.pem
    KeyFile = key.pem
    Ports = 6697, 9999

You should probably read that file and update the values you find. I found myself blocked with my webclient once because it limited the number of connections per IP

Step 4: Running ngircd

Now that the basic configuration is setup, you can launch ngircd. Let's just make a test run first to see if it launches:

$ ngircd -f ngircd.conf -n

If everything is working and you can connect to your server, press CTRL+C and launch the following command to launch the daemon for good:

$ ngircd -f ngircd.conf

Step 5: Installing atheme

Atheme is the name of the software we'll use for getting services on IRC. We'll start by download and extracting the tarball:

$ wget https://github.com/atheme/atheme/releases/download/v7.2.11/atheme-services-v7.2.11.tar.xz
$ tar xvf atheme-services*.tar.xz
$ cd atheme-services*/

Let's install the dependencies of atheme:

$ sudo apt install libmowgli-dev

Now let's build and install it

$ ./autogen.sh
$ ./configure
$ make
$ make install
$ cd ~/atheme

Step 6: Configure atheme and ngircd

Enable the atheme config file and start editing it.

$ cd ~/atheme/etc
$ cp atheme.conf.example atheme.conf
$ nano atheme.conf

In the config file go into the "serverinfo" configuration and change the variable "name" to the service name i.e "services.irc.net"

Then go to the "uplink" section and change the passwords to your secure password. And change the name of the uplink(s) to the [Global] Name of ngircd. i.e "server.irc.net".

Finally add the following line:

loadmodule "modules/protocol/ngircd";

Now start editing the ngircd config file.

$ nano ~/ngircd/ngircd.conf

Add the following server section there, replace the two passwords and replace the name by your service name (i.e "services.irc.net")

[SERVER]
     Name = services.int
     MyPassword = 123abc
     PeerPassword = 123abc
     ServiceMask = *Serv

Step 7: Run ngircd and atheme

Now we can run the two:

$ pkill ngircd
$ ngircd -f ~/ngircd/ngircd.conf
$ ~/atheme/bin/atheme-services

You might want to add the "-n" flags to the start commands if you want to debug an issue with the logs.

Step 8: Routing the traffic through TOR (optional)

If you want an extra layer of anonymity you can also use TOR to root the traffic. This is also something you can do with any IRCd, but it's really easy to do:

Just install tor, add a new hidden service in the config file, reload and get the onion link:

$ sudo apt install tor
$ sudo echo "HiddenServiceDir /var/lib/tor/hidden_service/" >> /etc/tor/torrc
$ sudo echo "HiddenServicePort 6667 127.0.0.1:6667" >> /etc/tor/torrc
$ sudo systemctl restart tor
$ sudo cat /var/lib/tor/hidden_service/hostname

Connecting to the server using weechat for plaintext, SSL and TOR

Not all clients can use TOR out of the box in their config file. So I am only going to leave the commands for Weechat:

$ sudo apt install tor weechat
$ weechat 
/proxy add tor socks5 127.0.0.1 9050
/server add SERVER-NAME ONION-LINK 6667
/set irc.server.SERVER-NAME.proxy "tor"
/connect SERVER-NAME

To connect via SSL (for most users) through weechat:

/server add SERVER-NAME HOSTNAME 6697 -ssl
/connect SERVER-NAME

To connect via unencrypted plaintext (NOT RECOMMENDED) through weechat:

/server add SERVER-NAME HOSTNAME 6667
/connect SERVER-NAME

Conclusion

I'll soon make a post about how to setup kiwiirc because I know Weechat is not all user's cup of tea and kiwiirc is really really easy to use (just click on the button).

Please tell me if you have any problem following this guide by asking me the questions on

#SnowCodeBlog on Libera