How to set up ngircd on Debian with SSL (with TOR as a bonus)

So let's start.

Note: This guide was updated on December 30, 2021 to include services like ChanServ and NickServ.

This tutorial applied on Arch (without SSL) in video format [19MB]

Step 1: Building ngircd

Here we're also going to build the thing from source, because why not? So let's install the dependencies we're going to need both for the build and SSL.

$ sudo apt install letsencrypt libgnutls28-dev gnutls-bin autoconf automake build-essential git

Now let's download the source code:

$ git clone https://github.com/ngircd/ngircd
$ cd ngircd/

And now let's build it:

$ ./autogen.sh
$ ./configure --with-gnutls
$ sudo make install

Step 2: Generating and copying the SSL files

Let's first generate the trusted Let's Encrypt certificate using `certbot` (included in the `letsencrypt` package installed earlier). Of course, don't forget to change YOUR.DOMAIN.TLD to your real domain. Also make sure the domain's DNS points to your server and that ports 80, 443, 6667 and 6697 are open.

$ sudo systemctl stop nginx
$ sudo certbot certonly --standalone -d YOUR.DOMAIN.TLD
$ sudo systemctl start nginx

Now let's copy those files to the current directory (ngircd) and generate the dhparams.pem file. These are copies, so Let's Encrypt renewals will not update them; repeat this step after each renewal.

$ sudo cp /etc/letsencrypt/live/YOUR.DOMAIN.TLD/fullchain.pem cert.pem
$ sudo cp /etc/letsencrypt/live/YOUR.DOMAIN.TLD/privkey.pem key.pem
$ certtool --generate-dh-params --bits 4096 --outfile dhparams.pem

Because the files were copied as root, they belong to root. Change their owner to the current user so that ngircd, which runs as that user, can read them:

$ sudo chown $USER:$USER *.pem

Step 3: Configuring

Now let's copy and edit the configuration file:

$ cp doc/sample-ngircd.conf.tmpl ngircd.conf
$ nano ngircd.conf

In that file, uncomment the line about port 6667 (to enable plaintext and TOR connections) as well as the SSL section, which you can replace with the following snippet:

[SSL]
    CertFile = cert.pem
    CipherList = SECURE128:-VERS-SSL3.0
    DHFile = dhparams.pem
    KeyFile = key.pem
    Ports = 6697, 9999

You should probably read that file and update the values you find. I found myself blocked with my webclient once because it limited the number of connections per IP.

Step 4: Running ngircd

Now that the basic configuration is set up, you can launch ngircd. Let's do a test run first to see if it launches:

$ ngircd -f ngircd.conf -n

If everything is working and you can connect to your server, press CTRL+C and run the following command to start the daemon for good:

$ ngircd -f ngircd.conf

Step 5: Installing atheme

Atheme is the name of the software we'll use for getting services on IRC. We'll start by downloading and extracting the tarball:

$ wget https://github.com/atheme/atheme/releases/download/v7.2.11/atheme-services-v7.2.11.tar.xz
$ tar xvf atheme-services*.tar.xz
$ cd atheme-services*/

Let's install the dependencies of atheme:

$ sudo apt install libmowgli-dev

Now let's build and install it:

$ ./autogen.sh
$ ./configure
$ make
$ make install
$ cd ~/atheme

Step 6: Configure atheme and ngircd

Enable the atheme config file and start editing it.

$ cd ~/atheme/etc
$ cp atheme.conf.example atheme.conf
$ nano atheme.conf

In the config file, go to the "serverinfo" block and change the variable "name" to the service name, e.g. "services.irc.net".

Then go to the "uplink" section and change the passwords to your own secure password. Also change the name of the uplink(s) to the [Global] Name of ngircd, e.g. "server.irc.net".

Finally add the following line:

loadmodule "modules/protocol/ngircd";

Now start editing the ngircd config file.

$ nano ~/ngircd/ngircd.conf

Add the following server section there. Replace the two passwords with your own, and replace the name with your service name (e.g. "services.irc.net"):

[SERVER]
     Name = services.int
     MyPassword = 123abc
     PeerPassword = 123abc
     ServiceMask = *Serv
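
A quick audit of the finished ngircd.conf, as an added example that is not part of the original guide: it flags an incomplete [SSL] block and [Server] link passwords that are missing, still set to the 123abc sample above, or short, and it checks that key.pem is not accessible to group or others. The function names, the finding texts and the 16-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Finding texts and the
# 16-character minimum are choices of this example, not ngircd behaviour.

# audit_ngircd_conf FILE: print one finding per line, nothing if clean.
audit_ngircd_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Report on the section that just ended, then reset its key/value map.
    function end_section() {
        if (sect == "[server]") {
            if (v["mypassword"] == "" || v["peerpassword"] == "")
                print "server " v["name"] ": link password missing"
            else if (v["mypassword"] == "123abc" || v["peerpassword"] == "123abc")
                print "server " v["name"] ": sample password from the guide"
            else if (length(v["mypassword"]) < 16 || length(v["peerpassword"]) < 16)
                print "server " v["name"] ": link password under 16 chars"
        }
        if (sect == "[ssl]") {
            seen_ssl = 1
            if (v["certfile"] == "" || v["keyfile"] == "" || v["ports"] == "")
                print "ssl: CertFile, KeyFile and Ports must all be set"
        }
        split("", v)
    }
    /^[ \t]*[#;]/ { next }   # commented-out option or comment
    /^[ \t]*$/ { next }      # blank line
    /^[ \t]*\[/ { end_section(); sect = tolower(trim($0)); next }
    {
        i = index($0, "=")
        if (i) v[tolower(trim(substr($0, 1, i - 1)))] = trim(substr($0, i + 1))
    }
    END { end_section(); if (!seen_ssl) print "ssl: no [SSL] section found" }
    ' "$1"
}

# key_is_private FILE: succeed only if group and others have no access.
key_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh audit.sh ngircd.conf key.pem
if [ "$#" -ge 2 ]; then
    audit_ngircd_conf "$1"
    key_is_private "$2" || echo "key: $2 is readable by group or others"
fi
```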

Step 7: Run ngircd and atheme

Now we can run the two:

$ pkill ngircd
$ ngircd -f ~/ngircd/ngircd.conf
$ ~/atheme/bin/atheme-services

You might want to add the "-n" flag to the start commands if you want to debug an issue with the logs.

Step 8: Routing the traffic through TOR (optional)

If you want an extra layer of anonymity, you can also use TOR to route the traffic. This is also something you can do with any IRCd, and it's really easy to do:

Just install tor, add a new hidden service in the config file, reload and get the onion link:

$ sudo apt install tor
$ echo "HiddenServiceDir /var/lib/tor/hidden_service/" | sudo tee -a /etc/tor/torrc
$ echo "HiddenServicePort 6667 127.0.0.1:6667" | sudo tee -a /etc/tor/torrc
$ sudo systemctl restart tor
$ sudo cat /var/lib/tor/hidden_service/hostname

Connecting to the server using weechat for plaintext, SSL and TOR

Not all clients can use TOR out of the box in their config file. So I am only going to leave the commands for Weechat:

$ sudo apt install tor weechat
$ weechat 
/proxy add tor socks5 127.0.0.1 9050
/server add SERVER-NAME ONION-LINK 6667
/set irc.server.SERVER-NAME.proxy "tor"
/connect SERVER-NAME

To connect via SSL (for most users) through weechat:

/server add SERVER-NAME HOSTNAME 6697 -ssl
/connect SERVER-NAME

To connect via unencrypted plaintext (NOT RECOMMENDED) through weechat:

/server add SERVER-NAME HOSTNAME 6667
/connect SERVER-NAME

Conclusion

I'll soon make a post about how to set up kiwiirc because I know Weechat is not every user's cup of tea and kiwiirc is really really easy to use (just click on the button).

Please tell me if you have any problem following this guide by asking me the questions on

#SnowCodeBlog on Libera