|
@@ -29,6 +29,7 @@ _Copyright © Daniel Oaks <daniel@danieloaks.net>, Shivaram Lingamneni <slingamn
|
29
|
29
|
- Features
|
30
|
30
|
- User Accounts
|
31
|
31
|
- Nickname reservation
|
|
32
|
+ - Email verification
|
32
|
33
|
- Channel Registration
|
33
|
34
|
- Language
|
34
|
35
|
- Multiclient ("Bouncer")
|
|
@@ -140,7 +141,7 @@ The recommended way to operate oragono as a service on Linux is via systemd. Thi
|
140
|
141
|
The only major distribution that currently packages Oragono is Arch Linux; the aforementioned AUR package includes a systemd unit file. However, it should be fairly straightforward to set up a productionized Oragono on any Linux distribution. Here's a quickstart guide for Debian/Ubuntu:
|
141
|
142
|
|
142
|
143
|
1. Create a dedicated, unprivileged role user who will own the oragono process and all its associated files: `adduser --system --group oragono`. This user now has a home directory at `/home/oragono`.
|
143
|
|
-1. Copy the executable binary `oragono`, the config file `ircd.yaml`, the database `ircd.db`, and the self-signed TLS certificate (`tls.crt` and `tls.key`) to `/home/oragono`. Ensure that they are all owned by the new oragono role user: `sudo chown oragono:oragono /home/oragono/*`. Ensure that the configuration file logs to stderr.
|
|
144
|
+1. Copy the executable binary `oragono`, the config file `ircd.yaml`, the database `ircd.db`, and the self-signed TLS certificate (`fullchain.pem` and `privkey.pem`) to `/home/oragono`. Ensure that they are all owned by the new oragono role user: `sudo chown oragono:oragono /home/oragono/*`. Ensure that the configuration file logs to stderr.
|
144
|
145
|
1. Install our example [oragono.service](https://github.com/oragono/oragono/blob/master/distrib/systemd/oragono.service) file to `/etc/systemd/system/oragono.service`.
|
145
|
146
|
1. Enable and start the new service with the following commands:
|
146
|
147
|
1. `systemctl daemon-reload`
|
|
@@ -159,9 +160,9 @@ The other major hurdle for productionizing (but one well worth the effort) is ob
|
159
|
160
|
set -eu
|
160
|
161
|
|
161
|
162
|
umask 077
|
162
|
|
-cp /etc/letsencrypt/live/example.com/fullchain.pem /home/oragono/tls.crt
|
163
|
|
-cp /etc/letsencrypt/live/example.com/privkey.pem /home/oragono/tls.key
|
164
|
|
-chown oragono:oragono /home/oragono/tls.*
|
|
163
|
+cp /etc/letsencrypt/live/example.com/fullchain.pem /home/oragono/
|
|
164
|
+cp /etc/letsencrypt/live/example.com/privkey.pem /home/oragono/
|
|
165
|
+chown oragono:oragono /home/oragono/*.pem
|
165
|
166
|
# rehash oragono, which will reload the certificates:
|
166
|
167
|
systemctl reload oragono.service
|
167
|
168
|
````
|
|
@@ -219,9 +220,9 @@ Oragono supports several different modes of operation with respect to accounts a
|
219
|
220
|
|
220
|
221
|
### Traditional / lenient mode
|
221
|
222
|
|
222
|
|
-This is the default mode, and makes Oragono's services act similar to Quakenet's Q bot. In this mode, users cannot own or reserve nicknames. In other words, there is no connection between account names and nicknames. Anyone can use any nickname (as long as it's not already in use by another running client). However, accounts are still useful: they can be used to register channels (see below), and some IRCv3-capable clients (with the `account-tag` or `extended-join` capabilities) may be able to take advantage of them.
|
|
223
|
+This makes Oragono's services act similar to Quakenet's Q bot. In this mode, users cannot own or reserve nicknames. In other words, there is no connection between account names and nicknames. Anyone can use any nickname (as long as it's not already in use by another running client). However, accounts are still useful: they can be used to register channels (see below), and some IRCv3-capable clients (with the `account-tag` or `extended-join` capabilities) may be able to take advantage of them.
|
223
|
224
|
|
224
|
|
-To enable this mode, set the following configs (this is the default mode):
|
|
225
|
+To enable this mode, set the following configs:
|
225
|
226
|
|
226
|
227
|
* `accounts.registration.enabled = true`
|
227
|
228
|
* `accounts.authentication-enabled = true`
|
|
@@ -229,22 +230,17 @@ To enable this mode, set the following configs (this is the default mode):
|
229
|
230
|
|
230
|
231
|
### Nick ownership
|
231
|
232
|
|
232
|
|
-This mode makes Oragono's services act like those of a typical IRC network (like Freenode). In this mode, registering an account gives you privileges over the use of that account as a nickname. The server will then help you to enforce control over your nickname(s):
|
233
|
|
-
|
234
|
|
-* You can proactively prevent anyone from using your nickname, unless they're already logged into your account
|
235
|
|
-* Alternately, you can give clients a grace period to log into your account, but if they don't and the grace period expires, the server will change their nickname to something else
|
236
|
|
-* Alternately, you can forego any proactive enforcement – but if you decide you want to reclaim your nickname from a squatter, you can `/msg Nickserv ghost stolen_nickname` and they'll be disconnected
|
237
|
|
-* You can associate additional nicknames with your account by changing to it and then issuing `/msg NickServ group`
|
|
233
|
+In this mode (the default), registering an account gives you privileges over the use of that account as a nickname. The server will then help you to enforce control over your nickname(s). No one will be able to use your nickname unless they are logged into your account.
|
238
|
234
|
|
239
|
235
|
To enable this mode, set the following configs:
|
240
|
236
|
|
241
|
237
|
* `accounts.registration.enabled = true`
|
242
|
238
|
* `accounts.authentication-enabled = true`
|
243
|
239
|
* `accounts.nick-reservation.enabled = true`
|
|
240
|
+* `accounts.nick-reservation.method = strict`
|
244
|
241
|
|
245
|
242
|
The following additional configs may be of interest:
|
246
|
243
|
|
247
|
|
-* `accounts.nick-reservation.method = strict` ; we currently recommend strict nickname enforcement as the default, since we've found that users find it less confusing.
|
248
|
244
|
* `accounts.nick-reservation.force-nick-equals-account = true` ; this allows nicknames to be treated as account names for most purposes, including for controlling access to channels (see the discussion of private channels below)
|
249
|
245
|
|
250
|
246
|
### SASL-only mode
|
|
@@ -259,12 +255,29 @@ To enable this mode, set the following configs:
|
259
|
255
|
* `accounts.authentication-enabled = true`
|
260
|
256
|
* `accounts.require-sasl.enabled = true`
|
261
|
257
|
* `accounts.nick-reservation.enabled = true`
|
262
|
|
-
|
263
|
|
-Additionally, the following configs are recommended:
|
264
|
|
-
|
265
|
258
|
* `accounts.nick-reservation.method = strict`
|
266
|
259
|
* `accounts.nick-reservation.force-nick-equals-account = true`
|
267
|
260
|
|
|
261
|
+### Email verification
|
|
262
|
+
|
|
263
|
+By default, account registrations complete immediately and do not require a verification step. However, like other service frameworks, Oragono's NickServ can be configured to require email verification of registrations. The main challenge here is to prevent your emails from being marked as spam, which you can do by configuring [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail), and [DMARC](https://en.wikipedia.org/wiki/DMARC). For example, this configuration (when added to the `accounts.registration` section) enables email verification, with the emails being signed with a DKIM key and sent directly from Oragono:
|
|
264
|
+
|
|
265
|
+```yaml
|
|
266
|
+ enabled-callbacks:
|
|
267
|
+ - mailto
|
|
268
|
+
|
|
269
|
+ callbacks:
|
|
270
|
+ mailto:
|
|
271
|
+ sender: "admin@my.network"
|
|
272
|
+ require-tls: true
|
|
273
|
+ dkim:
|
|
274
|
+ domain: "my.network"
|
|
275
|
+ selector: "20200525"
|
|
276
|
+ key-file: "dkim-private-20200525.pem"
|
|
277
|
+```
|
|
278
|
+
|
|
279
|
+You must create the corresponding TXT record `20200525._domainkey.my.network` to hold your public key. You can also use an MTA ("relay" or "smarthost") to send the email, in which case DKIM signing can be deferred to the MTA; see the example config for details.
|
|
280
|
+
|
268
|
281
|
|
269
|
282
|
## Channel Registration
|
270
|
283
|
|
|
@@ -318,7 +331,7 @@ Our language and translation functionality is very early, so feel free to let us
|
318
|
331
|
|
319
|
332
|
Traditionally, every connection to an IRC server is separate must use a different nickname. [Bouncers](https://en.wikipedia.org/wiki/BNC_%28software%29#IRC) are used to work around this, by letting multiple clients connect to a single nickname. With Oragono, if the server is configured to allow it, multiple clients can share a single nickname without needing a bouncer. To use this feature, both connections must authenticate with SASL to the same user account and then use the same nickname during connection registration (while connecting to the server) – once you've logged-in, you can't share another nickname.
|
320
|
333
|
|
321
|
|
-To enable this functionality, set `accounts.multiclient.enabled` to `true`. Setting `accounts.multiclient.allowed-by-default` to `true` will allow this for everyone. If `allowed-by-default` is `false` (but `enabled` is still `true`), users can opt in to shared connections using `/msg NickServ SET multiclient on`.
|
|
334
|
+To enable this functionality, set `accounts.multiclient.enabled` to `true`. Setting `accounts.multiclient.allowed-by-default` to `true` will allow this for everyone. If `allowed-by-default` is `false` (but `enabled` is still `true`), users can opt in to shared connections using `/msg NickServ SET multiclient true`.
|
322
|
335
|
|
323
|
336
|
You can see a list of your active sessions and their idle times with `/msg NickServ sessions` (network operators can use `/msg NickServ sessions nickname` to see another user's sessions).
|
324
|
337
|
|
|
@@ -428,8 +441,8 @@ Many clients do not have this support. However, you can designate port 6667 as a
|
428
|
441
|
|
429
|
442
|
":6697":
|
430
|
443
|
tls:
|
431
|
|
- key: tls.key
|
432
|
|
- cert: tls.crt
|
|
444
|
+ cert: fullchain.pem
|
|
445
|
+ key: privkey.pem
|
433
|
446
|
|
434
|
447
|
sts:
|
435
|
448
|
enabled: true
|
|
@@ -490,9 +503,9 @@ To unset this mode and let anyone speak to you:
|
490
|
503
|
|
491
|
504
|
/mode dan -R
|
492
|
505
|
|
493
|
|
-### +s - Server Notice Masks
|
|
506
|
+### +s - Server Notice Masks ("snomasks")
|
494
|
507
|
|
495
|
|
-This is a special 'list mode'. If you're an IRC operator, this mode lets you see special server notices that get sent out. See the Server Notice Masks section for more information on this mode.
|
|
508
|
+This is a special 'list mode'. If you're an IRC operator, this mode lets you see special server notices that get sent out. See `/helpop snomasks` (as an operator) for more information on this mode.
|
496
|
509
|
|
497
|
510
|
### +Z - TLS
|
498
|
511
|
|