IRCNow

Pre-requisites

  • It is assumed you have doas configured properly. If you do not and are interfacing with your server as root, you are asking for trouble!
  • It is assumed you have run adduser before. If not, you can run it and the majority of the defaults are fine.
  • It is also assumed you have your own favourite text editor. If you do not, I recommend installing nano via doas pkg_add nano. You must know how to use your editor, as I won't cover how to use it.
  • A valid SSL/TLS certificate is required. If you do not have one, you cannot use the TLS function and must leave it disabled.
  • ACOPM requires automake/autoconf, bash and some extra libraries.
  • Bash is required due to some funkiness in the autoconf (ac) scripts. It is not optional.

Installation

Create acopm as its own user.

$ doas adduser
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: acopm
Enter full name []: acopm
Enter shell bash csh jk_chrootsh ksh nologin sh [ksh]: nologin
Uid [1002]: 65531
Login group acopm [acopm]:  
Login group is ``acopm''. Invite acopm into other groups: guest no 
[no]: 
Login class authpf bgpd daemon default pbuild staff unbound znc 
[default]: daemon
Enter password []: 
Disable password logins for the user? (y/n) [n]: y

Name:        acopm
Password:    ****
Fullname:    acopm
Uid:         65531
Gid:         65531 (acopm)
Groups:      acopm 
Login Class: daemon
HOME:        /home/acopm
Shell:       /sbin/nologin
OK? (y/n) [y]: 
Added user ``acopm''
Copy files from /etc/skel to /home/acopm
Add another user? (y/n) [y]: n
Goodbye!

Install the necessary packages.

$ doas pkg_add git bash autoconf-2.69p2 automake-1.16.1 libconfig libevent mbedtls

Navigate into the newly created user's home directory.

$ cd /home/acopm

Fetch the project from the project page.

$ doas -u acopm git clone https://packages.alphachat.net/projects/ACOPM.git

Go into the ACOPM directory.

$ cd ACOPM

Explicitly pass the installed automake and autoconf versions to autogen.sh.

$ doas -u acopm AUTOMAKE_VERSION=1.16 AUTOCONF_VERSION=2.69 bash ./autogen.sh

Explicitly pass configure the include and library paths it needs. The prefix is written out in full because $HOME would be expanded by your own shell, not acopm's.

$ doas -u acopm CPPFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib LIBS="-levent_core -levent_extra" \
bash ./configure --with-mbedtls --prefix=/home/acopm/opt

Clean, build and install acopm.

$ doas -u acopm make clean all install

This will leave you with a ready-to-configure ACOPM install in /home/acopm/opt. Now we navigate into /home/acopm/opt/etc.

$ cd ../opt/etc

Copy acopm.conf.example to acopm.conf and edit it with your favourite text editor. In my case I use vim.

$ doas -u acopm cp acopm.conf.example acopm.conf
$ doas -u acopm vim acopm.conf

Make the necessary adjustments in acopm.conf to suit your server/network configuration. In the config, you will need a conn_fmt string to suit your IRCd; for ngircd it is:

conn_fmt       = "Client connecting: %s %*s [%[0-9A-Fa-f.:]] - %*s"

Save and exit your text editor.

TLS

You should have at minimum a crt file. For acme-client users, your /etc/acme-client.conf should probably look like this at minimum.

#
# $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
#
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain example.com {
#       alternative names { }
        domain key "/etc/ssl/private/example.com.key"
        domain certificate "/etc/ssl/example.com.crt"
        domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
        sign with letsencrypt
}

This will generate three files. You mainly need example.com.crt from the example above, but you can use example.com.fullchain.pem if you wish.

Copy all three files into /home/acopm/opt/bin.

$ doas cp /etc/ssl/example.com.crt /home/acopm/opt/bin
$ doas cp /etc/ssl/example.com.fullchain.pem /home/acopm/opt/bin
$ doas cp /etc/ssl/private/example.com.key /home/acopm/opt/bin

In your /home/acopm/opt/etc/acopm.conf, you should have the following.

         *
         * The SPKI digests are useful if your server certificates change
         * frequently (for example, with Let's Encrypt certificates which
         * are only valid for 3 months at a time). If the public key in your
         * certificate does not change when you renew it, the SPKI finger-
         * prints will not change either, easing configuration management.
         */
        # use_tls       = true;
        # certfp_method = "SPKI-SHA256-B64";
        # certfp_values = (
        #     "cnqredviWVt2Vo4Ww0CgwFog0KWP7gubF7E8IC0LjuQ=",
        #     "pcky/MCUI+Wfm+Pftedhs7yzjaYvpysWO9cst4K/07Q="
        # );

Uncomment the lines use_tls, certfp_method, and certfp_values.

        use_tls       = true;
        certfp_method = "SPKI-SHA256-B64";
        certfp_values = (
            "cnqredviWVt2Vo4Ww0CgwFog0KWP7gubF7E8IC0LjuQ=",
            "pcky/MCUI+Wfm+Pftedhs7yzjaYvpysWO9cst4K/07Q="
        );

Run acopm-mkfingerprint.sh on the certificate you copied.

$ doas -u acopm /home/acopm/opt/bin/acopm-mkfingerprint.sh /home/acopm/opt/bin/example.com.crt SPKI SHA256 B64
czky/MCYI+Wfm+Pftedhs1yzjaYvpasW99cst4K/07Q=$

Copy and paste that value, czky/MCYI+Wfm+Pftedhs1yzjaYvpasW99cst4K/07Q=, into certfp_values in your /home/acopm/opt/etc/acopm.conf, replacing the example values.

        use_tls       = true;
        certfp_method = "SPKI-SHA256-B64";
        certfp_values = ( "czky/MCYI+Wfm+Pftedhs1yzjaYvpasW99cst4K/07Q=" );
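
The pin can be cross-checked with plain openssl. The script below is an added example, not part of ACOPM or of the original guide; it assumes SPKI-SHA256-B64 means the base64 SHA-256 digest of the certificate's DER SubjectPublicKeyInfo (the usual construction), and the function names and throwaway test certificates are made up for the illustration.

```shell
#!/bin/sh
# Added example: SPKI pin = base64(SHA-256(DER SubjectPublicKeyInfo)).

# Pin of a PEM certificate ($1).
spki_pin_from_cert() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Same digest taken from the public half of a PEM private key ($1).
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Constructed test data: self-signed certificate for key $1, written to $2.
make_cert() {
    openssl req -x509 -new -key "$1" -subj "/CN=example.com" \
        -days 90 -out "$2" 2>/dev/null
}

# Succeeds when the pin survives a renewal that reuses the key and
# changes when the renewal comes with a new key.
renewal_check() {
    d=$(mktemp -d) || return 2
    for k in old new; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/$k.key" 2>/dev/null || return 2
    done
    make_cert "$d/old.key" "$d/first.crt"   || return 2
    make_cert "$d/old.key" "$d/renewed.crt" || return 2   # renewal, same key
    make_cert "$d/new.key" "$d/rekeyed.crt" || return 2   # renewal, new key
    first=$(spki_pin_from_cert "$d/first.crt")
    renewed=$(spki_pin_from_cert "$d/renewed.crt")
    rekeyed=$(spki_pin_from_cert "$d/rekeyed.crt")
    rm -rf "$d"
    [ -n "$first" ] && [ "$first" = "$renewed" ] && [ "$first" != "$rekeyed" ]
}

renewal_check && echo "pin unchanged after same-key renewal"
```

To check a deployed pin, run spki_pin_from_cert /home/acopm/opt/bin/example.com.crt and compare the output with the certfp_values entry.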

Troubleshooting

Getting acopm configured right can be tricky, so here are a few hints and tips.

  • If you are getting syntax errors, you might want to follow a hint for hopm.
  • If your acopm is exiting straight back to the prompt even when there are no syntax errors, you might want to set logmask to 32. Also, you might want to ensure that you don't have daemonise set to true, as well as logfile defined.
  • If your IRCd does not have a server password, you do not need to have password defined. The following example is sufficient:
        /*
         * The following 3 values are required and self-explanatory.
         */
        nickname        = "ACOPM";
        username        = "ACOPM";
        // password        = "supersecret";