Next Generation IRC Daemon setup guide
Date: 2021-01-16
In this guide you're going to set up an IRC daemon (server) on Debian 10.7 systems. You are expected to be familiar to some degree with how IRC functions and proficient in obtaining a domain name, a TLS certificate, and server hosting. You will be using The Next Generation IRC Daemon, "a free, portable and lightweight Internet Relay Chat server for small or private networks, developed under the GNU General Public License (GPL)." --Alexander Barton
You will also utilize Atheme for additional IRC services such as NickServ and ChanServ.
- Installing ngIRCd
- Building Atheme
- Configuring ngIRCd
- Configuring Atheme
- Setup Atheme service account and Systemd startup script.
- Enable Services
- Notes
Installing ngIRCd
Before you begin installing any additional packages, make sure that the system is up to date. I recommend rebooting the server afterwards to apply any kernel updates.
apt update
apt upgrade
With the updates out of the way, install ngIRCd.
apt install ngircd
You can locate the ngIRCd files in the following directories:
- /usr/sbin/ngircd: executable server.
- /etc/ngircd/ngircd.conf: configuration file.
Building Atheme
Before you begin building Atheme, install some prerequisite dependencies.
apt install pkg-config build-essential gettext git wget xz-utils
Download Atheme to the server you will be hosting from. As of the writing of this guide, Atheme release version v7.2.10-r2 will be used in the following examples; however, you should be fine with any newer release. You can locate the latest release from the Atheme GitHub repository.[1]
Make sure to download the archive file ending in ".tar.xz". Once downloaded, extract the contents and move into the extracted atheme directory.
wget https://github.com/atheme/atheme/releases/download/v7.2.10-r2/atheme-v7.2.10-r2.tar.xz
tar -xf atheme-v7.2.10-r2.tar.xz
cd atheme-v7.2.10-r2/
You can now begin with building Atheme. Run the ./configure script first. It will run through a check to detect local system dependencies. If it comes back with an error for missing dependencies, you will have to search for a package containing the requisite dependency to install.
Note: You should specify an installation location for Atheme. By default running “make install” will install Atheme in “/present/working/directory/atheme/”. I recommend installing in “/usr/local/atheme/”. This can be specified when running the configure script. It's also easier to remove in the future since everything would be installed in that directory.
Note: When building Atheme, the location it was configured and installed for at build time cannot be changed. Moving the Atheme files to a different directory on the file-system will result in library file path location errors. If you need to move Atheme to a different directory, then you should re-build with the installation location specified in advance.
./configure --prefix=/usr/local/atheme/
make
make install
If you followed the previous step for specifying an installation location for Atheme, then you can locate the Atheme files in the following directories:
- /usr/local/atheme/bin/atheme-services: executable server
- /usr/local/atheme/etc/atheme.conf.example: sample configuration
- /usr/local/atheme/etc/services.db: Atheme database file (generated on first launch)
Configuring ngIRCd
You will be configuring ngIRCd to utilize TLS encryption. It is important that some form of encryption is used since the Atheme IRC Service for NickServ user authentication would otherwise be handled in clear-text. This could present an opportunity for an attacker to MITM user credentials.
The following ports listed will either be used or disabled for this guide.
6667 = enabled (localhost access only)
6668 = disabled
6669 = enabled (localhost access only)
6697 = enabled
7000 = disabled
9999 = enabled
Start by allowing an exception in your firewall for ports 6697 and 9999. You can do this with either UFW or iptables.
- UFW (Uncomplicated Firewall) method.
ufw allow in 6697,9999/tcp
- The iptables method.
iptables -A INPUT -p tcp -m tcp --dport 6697 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
netfilter-persistent save
netfilter-persistent reload
Note: Make sure that you are permitting all inbound and outbound traffic on the loopback interface. The loopback interface will be used later by Atheme.
Now you can begin with configuring ngIRCd.
vi /etc/ngircd/ngircd.conf
Note: If you are unable to locate a configuration file for ngIRCd, then you can obtain an example config file from the ngIRCd GitHub repository.[3]
For the [Global] section of the config file, locate each of the following lines and modify them as seen below. You can replace the server name with your own.
[Global]
Name = irc.emhmki.org
AdminInfo1 = IRC user
AdminInfo2 = Dallas, TX
AdminEMail = admin@irc.server
Listen = 0.0.0.0
MotdFile = /etc/ngircd/ngircd.motd
Network = irc.emhmki.org
Password = <You can set a global password if you want.>
Ports = 6667, 6669
ServerGID = irc
ServerUID = irc
For the [Limits] section of the config file, locate each of the following lines and modify them as seen below.
[Limits]
MaxNickLength = 15
For the [Options] section of the config file, locate each of the following lines and modify them as seen below.
[Options]
AllowedChannelTypes = #&+
AllowRemoteOper = no
PAM = no
For the [SSL] section of the config file, locate each of the following lines and modify them as seen below.
Note: The following example will use an X.509 certificate generated by Let's Encrypt. This guide will assume that you already have such a certificate. If you fail to configure a certificate here, then the ngIRCd daemon will refuse all connections. The certificate file and path must be accessible for the ngircd service account. (Verify file permissions.)
[SSL]
CertFile = /etc/letsencrypt/live/irc.emhmki.org/fullchain.pem
DHFile = /etc/ngircd/dhparams.pem
KeyFile = /etc/letsencrypt/live/irc.emhmki.org/privkey.pem
Ports = 6697, 9999
For the [Operator] section of the config file, locate each of the following lines and modify them as seen below.
[Operator]
Name = TheOper
Password = <insert a password here>
For the [Server] section of the config file, locate each of the following lines and modify them as seen below.
Note: The "Name" field here will be the name of your IRC Service daemon, Atheme. Avoid using the same name here as you applied previously for the [Global] section. You can use any name that you want, just keep note of it for later when setting up Atheme. In the password fields, come up with any password you want. "MyPassword" is for ngIRCd which will be used by Atheme. "PeerPassword" is for Atheme, which will be used by ngIRCd. Both ngIRCd and Atheme will authenticate with one another and should be aware of each other's passwords. Keep note of these passwords for later when setting up Atheme.
[Server]
Name = service.emhmki.org
MyPassword = <insert a password here for ngIRCd server>
PeerPassword = <insert a password here for Atheme>
ServiceMask = *Serv
Save your configuration and close the file.
Create the motd (Message Of The Day) file. You can add anything to it that you would like ngIRCd to announce when users connect.
touch /etc/ngircd/ngircd.motd
Create Diffie-Hellman parameters.
openssl dhparam -out /etc/ngircd/dhparams.pem 2048
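The port table marks 6667 and 6669 as localhost-only, but Listen = 0.0.0.0 binds them on every IPv4 interface, so that restriction rests on the firewall alone. The following check is an added example (not part of the original guide) that classifies `ss -Htln` output against the guide's port plan; the function names and the sample socket list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Port lists mirror the guide's plan.
PLAINTEXT_PORTS="6667 6669"   # intended for localhost only (Atheme uplink)
TLS_PORTS="6697 9999"         # intended to be public

# Constructed sample of `ss -Htln` output, used for the demo run below.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128   0.0.0.0:6667  0.0.0.0:*
LISTEN 0 128 127.0.0.1:6669  0.0.0.0:*
LISTEN 0 128   0.0.0.0:6697  0.0.0.0:*
LISTEN 0 128      [::]:9999     [::]:*
LISTEN 0 128   0.0.0.0:22    0.0.0.0:*
EOF
}

# Reads `ss -Htln` lines on stdin and prints one finding per ngIRCd port:
#   WARN plaintext ADDR PORT -> bound beyond loopback; only the firewall blocks it
#   OK plaintext|tls ADDR PORT
audit_listeners() {
    awk -v plain="$PLAINTEXT_PORTS" -v tls="$TLS_PORTS" '
    BEGIN {
        n = split(plain, p, " "); for (i = 1; i <= n; i++) is_plain[p[i]] = 1
        n = split(tls, t, " ");   for (i = 1; i <= n; i++) is_tls[t[i]] = 1
    }
    $1 == "LISTEN" {
        # Column 4 is local ADDR:PORT; the last colon separates them,
        # which also handles bracketed IPv6 such as [::]:6697.
        if (!match($4, /:[0-9]+$/)) next
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (port in is_plain) {
            status = loopback ? "OK" : "WARN"
            print status, "plaintext", addr, port
        } else if (port in is_tls) {
            print "OK", "tls", addr, port
        }
    }'
}

# Demo on the constructed sample; on a live host run: ss -Htln | audit_listeners
sample_ss_output | audit_listeners
```

With the configuration shown in this guide a WARN line for 6667 and 6669 is expected, so confirm from another host that the firewall drops connections to those two ports.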
Configuring Atheme
By default Atheme does not include a configuration file, which means you will have to create one by copying from the example configuration file.
cp /usr/local/atheme/etc/atheme.conf.example /usr/local/atheme/etc/atheme.conf
vi /usr/local/atheme/etc/atheme.conf
Locate the MODULES section and scroll down to the list of IRC daemon protocol modules. You can add the ngIRCd module on a new line.
loadmodule "modules/protocol/ngircd";
The nickserv enforce module forces users to identify themselves if they attempt to use a registered nickname. Locate the line for the nickserv enforce module and uncomment it (remove the pound character "#"). Don't modify the other defaults in this section unless it's necessary or you already know what you're doing.
loadmodule "modules/nickserv/enforce";
Scroll down in the config file until you reach the "serverinfo" block. This block will define how the Atheme service will appear to ngIRCd. Use the 'name' that you configured previously in the [Server] block of the ngircd.conf file.
For the netname, use the name that you configured in the [Global] block of the ngircd.conf file. Don't modify the other defaults in this section unless it's necessary.
serverinfo {
name = "service.emhmki.org";
netname = "irc.emhmki.org";
adminname = "<insert any name here>";
adminemail = "<insert any mail address here>";
};
Scroll down in the config file until you reach the "uplink" block. This block will define how the Atheme service will connect to ngIRCd. For the send_password, use the password configured previously in the [Server] block of the ngircd.conf file for "MyPassword." For the receive_password, use the password configured previously in the [Server] block of the ngircd.conf file for "PeerPassword." Don't modify the other defaults in this section unless it's necessary.
uplink "irc.emhmki.org" {
send_password = "<insert the password here>";
receive_password = "<insert the password here>";
};
Scroll down in the config file until you reach the "nickserv" block. Don't modify the other defaults in this section unless it's necessary.
nickserv {
host = "irc.emhmki.org";
};
Scroll down in the config file until you reach the "chanserv" block. Don't modify the other defaults in this section unless it's necessary.
chanserv {
host = "irc.emhmki.org";
};
Setup Atheme service account and Systemd startup script.
It would be best practice to run the Atheme daemon from a non-root service account.
useradd --system --comment "Athemed IRC Service Daemon" --shell /sbin/nologin --home-dir /usr/local/atheme/bin/ athemed
Our athemed user will also need permission to read and write in the /usr/local/atheme directory.
chown -R athemed:athemed /usr/local/atheme/
Next you will need a Systemd unit service file for running Atheme.
vi /usr/lib/systemd/system/athemed.service
Add the following configuration to the file.
[Unit]
Description=Atheme IRC Service Daemon
After=network.target
[Service]
PrivateTmp=yes
NoNewPrivileges=true
User=athemed
ExecStart=/usr/local/atheme/bin/atheme-services
RemainAfterExit=true
[Install]
WantedBy=multi-user.target
Enable Services
Now that ngIRCd and Atheme are installed and configured, enable their services.
systemctl enable ngircd athemed
systemctl start ngircd athemed
You can view the status of both services with the following command.
systemctl status ngircd athemed
You should see similar output.
● ngircd.service - Next Generation IRC Daemon
Loaded: loaded (/usr/lib/systemd/system/ngircd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-11-23 01:23:04 UTC; 2 weeks 0 days ago
● athemed.service - Atheme IRC Services Daemon
Loaded: loaded (/usr/lib/systemd/system/athemed.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2020-11-23 01:23:04 UTC; 2 weeks 0 days ago
Notes
• Troubleshoot
If you're having trouble with either the ngircd or athemed daemon starting up, you can narrow down the cause with journalctl.
journalctl -u ngircd
• Let's Encrypt certbot
If you use Let's Encrypt's certbot utility for renewing certificates, then use the following as a post hook command. ngIRCd won't pick up the renewed certificate unless the process is completely restarted. This can cause some momentary downtime for users on the server, so you should consider informing them that the server might bounce every two months.
post-hook = systemctl restart ngircd athemed
References
1. https://github.com/atheme/atheme/releases/
2. https://github.com/atheme/atheme#obtaining-atheme
3. https://github.com/ngircd/ngircd/blob/master/doc/sample-ngircd.conf.tmpl