# Ngircd Install Guide In this guide, we'll setup [ngircd](https://ngircd.barton.de/documentation.php.en), a free, portable, lightweight IRC server. ## Overview ngircd is an [IRC](/irc/guide) server. It helps IRC clients send messages to one another. Advantages: 1. The source code is written in modern, portable C. 2. The code compiles easily on all BSDs, Linux, and other platforms. 3. The code is easy to fork to add new features such as spam filters 4. The server has a very simple, easy-to-understand configuration 5. Documentation is short and easy to understand 6. The server is a clean implementation which was written from scratch 7. The lead developer po||ux actively hangs out on the IRC server barton.ngircd.de on #ngircd ## Docs and references Before installation, please consult: 1. The [Official ngIRCd documentation](https://ngircd.barton.de/documentation.php.en) 2. After installation, see also /usr/local/share/doc/ngircd/ for local documentation 3. Consult the man pages: 1. `$ man 5 ngircd.conf` 2. `$ man 8 ngircd` ## Installation ### Installing from OpenBSD packages $ doas pkg_add ngircd Copy the sample configuration file: $ doas cp /usr/local/share/examples/ngircd/sample-ngircd.conf /etc/ngircd/ngircd.conf ngIRCd v26.1 provided by OpenBSD 7.1 ports does not have ident support. On a production server, ident support is essential, so we will need to compile from source (described below). You will want to do this after installing from packages, so that rc.d scripts are created automatically. ### Building from source **Note**: Before building from source, make sure you have ngircd package installed using the instructions from above. Download the IRC server, extract the code, and build it: $ ftp https://ircnow.org/software/ircnowd.tgz $ tar xvzf ircnowd.tgz $ cd ircnowd/ $ sh build.sh ## Configuring ngircd Edit `/etc/ngircd/ngircd.conf` as root: **Note**: Lines that begin with # or ; are comments and will be ignored. You will need to remove # or ; to uncomment. Typically, ";" precedes a line of code that has been commented, while a "#" precedes an actual note that should not be uncommented. ### Global Block [Global] Name = irc.example.com AdminInfo1 = Example Network AdminInfo2 = Planet Earth AdminEMail = admin@example.com HelpFile = /usr/local/share/doc/ngircd/Commands.txt Info = irc.example.com * Name: Use your server's domain name. * Info: Use your server's domain name. Listen = 127.0.0.1,::1,192.168.1.1,2001:db8:: Provide every single IP address you want ngircd to listen on. This includes localhost (127.0.0.1 and ::1), and [our public IPv4 and IPv6 addresses](/ip/myaddress). Keep 127.0.0.1 and ::1 untouched, but replace 192.168.1.1 and 2001:db8:: with your real public IPs. If you are hosting a public service, avoid listing IPs that are not DDoS-filtered. IRC servers are heavily [DDoSed](/ddos/intro) and using an unfiltered IP may get you nullrouted. **Note**: if you do not uncomment this line, you will listen to all IPs by default, which is probably a mistake. MotdFile = /etc/ngircd/ngircd.motd ;MotdPhrase = "Hello world!" Network = ExampleNet ;Password = abc * Network: Your network name; this usually contains no periods. Keep the MotdPhrase and Password commented out. First, we will be using a MotdFile instead. Secondly, we do not want a global password for a public server. PidFile = /var/run/ngircd/ngircd.pid The Pid file is where ngircd writes its process ID. Ports = 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000, 16667 ServerGID = _ngircd ServerUID = _ngircd It's recommended to provide ports besides the standard 6667 to allow users to bypass network firewalls. **NOTE**: Make sure to set the ServerUID and ServerGID to _ngircd. Otherwise, it runs as the user nobody by default. ### Limits Block [Limits] MaxConnectionsIP = 0 MaxJoins = 300 MaxNickLength = 16 MaxListSize = 3000 PingTimeout = 300 PongTimeout = 300 We allow unlimited connections per IP and handle abuse with other techniques. MaxNickLength: **must** be identical for all servers on the network. On IRCNow, MaxNickLength is 16. ### Options Block [Options] AllowRemoteOper = yes ChrootDir = /var/ngircd ;CloakHost = %25x CloakHostModeX = %25x CloakHostSalt = abcdefghijklmnopqrstuvwxyz DefaultUserModes = ix DNS = yes Ident = yes We will turn on AllowRemoteOpers so that GLINEs function properly. We want to [chroot](/chroot/intro) to /var/ngircd to prevent a security compromise. We will cloak the host using a unique salt; contact another sysadmin for the exact salt. If not linking to another network, you can leave it commented to use a random salt each time it runs, or you can generate your own random salt. We use CloakHostModeX so that users are cloaked when mode +x is set. Users can then turn off mode x in order to remove the cloak (to show a custom hostmask). If we had used CloakHost instead, uncloaking a user would not be possible. User mode +i keeps the user invisible so that /whois does not show all channels a user has joined. This helps reduce stalking and harassment. We want to perform DNS lookups when a client connects so that we can validate a user's hostmask. We also want to perform IDENT lookups. NoticeBeforeRegistration = yes OperCanUseMode = yes OperChanPAutoOp = no PAM = no RequireAuthPing = yes SyslogFacility = daemon Receiving a notice before registration can help with debugging with [netcat](/netcat/irc). It is also necessary for [hopm](/hopm/install). OperCanUseMode will allow opers the ability to use mode commands when needed. **Opers should use this power sparingly**, generally only if the channel owner is unable to moderate his channel. OperChanPAutoOp should be set to no so that opers are not automatically op'd in every channel they join. Opers should not interfere with normal channel operation. Set PAM to no because enabling PAM on OpenBSD causes issues. We set RequireAuthPing to yes because it may help reduce spam. We're going to log using syslog (see below) to log events. ### SSL block ;[SSL] **This entire block should be commented**. When you are ready to set up [SSL/TLS encryption](/ngircd/ssl), un-comment the entire block. **WARNING**: Do not send passwords or sensitive data over this server until SSL is set up. ### Operator Block Create one Operator block for each operator on the server: [Operator] Name = username Password = password ;Mask = *!ident@somewhere.example.com Please use a [long, random string](/password/management) for your password. If you uncomment Mask, your hostmask must match the operator hostmask in order for the /OPER command to work. If the hostmask differs by even a single character, then your /OPER command will be rejected. It's best to leave Mask commented out until you are familiar with ngircd. Once your configuration is tested and stable, you can uncomment Mask and have it match your [vhost](/dns/vhost). However, please be aware that this will make it impossible to become IRC Operator if you connect from a different IP address. ### Server Block ;[Server] The server block is used to connect to other servers to form a network. You can have multiple server blocks. For now, leave it commented out until you are ready to [link ngircd](/ngircd/link). You are now finished editing ngircd.conf, so we turn to edit other files. ## MOTD file Create the Message of the Day in /etc/ngircd/ngircd.motd. Here is a suggested template: IRCNow - The Users' Network IRCNow is the network of the user, by the user, for the user. * No porn / illegal drugs / threats of violence * No slander / libel / gambling * No spam, illegal cracking, or DDoS * No copyright infrigement You must agree to our terms of service and our privacy policy to use this network: https://wiki.ircnow.org/index.php?n=Terms.Terms Only 5 connections per IP address. If you need help, please speak with staff on #help. ## Configuring [syslog](/syslogd/configure) All log messages from ngircd should go to ##STARTCODEBLOCK## /var/log/ngircd.log ##ENDCODEBLOCK## . Insert these three lines starting at line 3 (at the top) in ##STARTCODEBLOCK## /etc/syslog.conf##ENDCODEBLOCK## : !!ngircd *.* /var/log/ngircd.log !* This directs all logs from ngircd to go straight to /var/log/ngircd.log. Syslogd expects all logfiles to already exist with the correct permissions. So, we will create the file /var/log/ngircd.log and restart syslogd: $ doas touch /var/log/ngircd.log $ doas rcctl restart syslogd ## Chroot We need to set up the [chroot](/chroot/intro) for ngircd. Let's copy the files into the chroot: $ doas mkdir /var/ngircd/etc/ $ doas cp /etc/resolv.conf /var/ngircd/etc/ $ doas cp -R /etc/ngircd /var/ngircd/etc/ $ doas chown -R _ngircd:_ngircd /var/ngircd/ $ doas rm -r /etc/ngircd $ doas ln -s /var/ngircd/etc/ngircd /etc/ngircd $ doas mkdir -p /var/ngircd/usr/local/share/doc/ $ doas cp -R /usr/local/share/doc/ngircd/ /var/ngircd/usr/local/share/doc/ $ doas chown -R _ngircd:_ngircd /var/ngircd/usr/local/share/doc/ngircd/ This will create a symlink so that only one set of configuration files needs to be maintained inside and outside of the chroot. Otherwise, ngircd will require two sets of configuration files, one inside and the other outside of the chroot. ## Automation To automatically restart ngIRCd if it was terminated unexpectedly, create a script in /usr/local/libexec/ngircd/restart.sh: $ doas mkdir -p /usr/local/libexec/ngircd/ $ doas touch /usr/local/libexec/ngircd/restart.sh $ doas chmod +x /usr/local/libexec/ngircd/restart.sh Edit `/usr/local/libexec/ngircd/restart.sh`: #!/bin/sh SERVICE_NAME="ngircd" SERVICE_USER="_ngircd" SERVICE_PID="/var/ngircd/var/run/ngircd/ngircd.pid" if # pgrep -u $SERVICE_USER -x "$SERVICE_NAME" > /dev/null then if [ -f $SERVICE_PID ]; then rm -f $SERVICE_PID rcctl -d restart $SERVICE_NAME fi fi Add this as a cronjob: $ doas crontab -e */5 * * * * /usr/local/libexec/ngircd/restart.sh > /dev/null 2>&1 For the solution to work, make sure you have enabled the use of pid files in /etc/ngircd/ngircd.conf: PidFile = /var/run/ngircd/ngircd.pid ## Starting ngircd To start ngircd via [rcctl](/openbsd/rcctl): $ doas rcctl enable ngircd $ doas rcctl start ngircd Next, use your IRC client to connect to the server. Join a few channels and chat inside. You will need to invite your friends, since a new IRC server will have no other users on it. ## Troubleshooting If you run into any errors, you can test to see if your configuration file has errors: $ doas ngircd -t To run ngircd in debug mode: $ doas ngircd -n Check ##STARTCODEBLOCK## /var/log/ngircd.log ##ENDCODEBLOCK## to see if ngircd is listening on the correct IP addresses and ports. Connect to those ports using your IRC client to verify that the server is working as intended. Remember, if you are connecting using port 6667 without SSL, any eavesdropper can read all your text, including your passwords. **Don't send any sensitive information until you have upgraded to [SSL](/ngircd/ssl).** ## Reloading and Restarting ngIRCd After you edit ##STARTCODEBLOCK## /etc/ngircd/ngircd.conf ##ENDCODEBLOCK## for a running ngircd server, you will need to reload the configuration file: $ doas rcctl reload ngircd Alternatively, you can run: $ doas pkill -HUP ngircd **Reloading** a configuration file will **not** disconnect any active connections. So, try to reload the configuration where possible **instead of restarting the service**. To restart the ircd: $ doas rcctl restart ngircd **WARNING**: **Restarting** the ircd **will** disconnect all existing connections. So, try to restart ngircd only when absolutely necessary. **WARNING**: ngircd appears to have a bug where the ircd will crash if you reload the configuration file while a message is being sent. Be careful to avoid reloading configuration files when many users are chatting. ## See Also 1. Configure [SSL](/ngircd/ssl) for ngircd to ensure secure connections 2. [Link your ngircd](/ngircd/link) with another server to create a network 3. Install Anope [anope](/anope/install) to provide your network with anope irc services. 4. Install Atheme [atheme](/atheme/install) to provide your network with atheme irc services. 5. Configure [hopm](/hopm/install), an open proxy monitor to stop spammers. 6. Configure [acopm](/acopm/install), a minimalist open proxy monitor to stop spammers.