ngircd: Add optional SSL / TLS support
author W. Trevor King <wking@tremily.us>
Sat, 1 Mar 2014 00:45:19 +0000 (16:45 -0800)
committer W. Trevor King <wking@tremily.us>
Sat, 1 Mar 2014 00:45:19 +0000 (16:45 -0800)
Unfortunately, irssi doesn't have a command-line flag to select
encrypted connections [1].  I'd like something like:

  $ irssi -c irc.example.net -p 6697 --ssl

Until something like that is added, you'll need to add the server to
your irssi config:

  $ cat ~/.irssi/config
  ...
  servers = (
    {
      address = "irc.example.net";
      chatnet = "example";
      port = "6697";
      use_ssl = "yes";
      ssl_verify = "yes";
      autoconnect = "yes";
    },
    ...
  );
  chatnets = {
    example = {
      type = "IRC";
      nick = "your-nick";
    };
    ...
  };
  ...

Or connect manually after firing up irssi:

  $ irssi --noconnect
  [(status)] /connect -ssl -ssl_verify nott 6697

Run `/help connect` for more information.

[1]: http://www.irssi.org/documentation/manual

ngircd/README.md
ngircd/setup-ngircd-config-from-environment.sh

index 054159edda119a47b9ce3c09fcd4c77be016fcad..749728870b49c6aa9d6c921dc611cb006577c073 100644 (file)
@@ -7,4 +7,32 @@ Run this [ngIRCd][] image with:
     >   -e INFO="testing, testing" \
     >   -p 6667:6667 wking/ngircd
 
+For [SSL / TLS][TLS], set the `SSL` environment variable to `yes` and
+[volume-mount][volume-mount] your keys under the container's
+`/etc/ngircd/ssl/`:
+
+    $ docker run -d --name ngircd-0 --hostname irc.example.net \
+    >   …
+    >   -e SSL=yes \
+    >   -v /etc/ssl/ngircd-0:/etc/ngircd/ssl \
+    >   -p 6697:6697 wking/ngircd
+
+You'll [need][SSL-docs] at least `server-cert.pem` and
+`server-key.pem` in that directory.  If you're using DH or DSA keys,
+you'll also want `dhparams.pem` with [Diffie–Hellman][DH] parameters;
+you can manage the file with OpenSSH's [dhparam][]).  If you don't
+want to require SSL, you can expose both the [encrypted port][6697]
+and the [unencrypted port][6667]:
+
+    $ docker run -d --name ngircd-0 --hostname irc.example.net \
+    >   …
+    >   -p 6667:6667 -p 6697:6697 wking/ngircd
+
 [ngIRCd]: http://ngircd.barton.de/
+[TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security
+[volume-mount]: http://docs.docker.io/en/latest/use/working_with_volumes/
+[SSL-docs]: http://ngircd.barton.de/doc/SSL.txt
+[DH]: http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
+[dhparam]: http://www.openssl.org/docs/apps/dhparam.html
+[6697]: http://tools.ietf.org/html/draft-hartmann-default-port-for-irc-via-tls-ssl-09
+[6667]: http://tools.ietf.org/html/draft-hartmann-default-port-for-irc-via-tls-ssl-09#section-1
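Review bot: The `dhparams.pem` sentence in the added README text credits "OpenSSH's [dhparam][]", but the `[dhparam]` reference defined in this hunk points at openssl.org, so it should read "OpenSSL's". The same sentence also has an unmatched closing parenthesis right after `[dhparam][]`. Separately, the example mounts the key directory read-write (`-v /etc/ssl/ngircd-0:/etc/ngircd/ssl`); the setup script in this commit only tests for files there with `-f`, so the example could append `:ro` to the volume to keep the container from modifying `server-key.pem`.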
index 6c23f3d98614b662bfb629e687b7ac6904fdfec2..c957f40ed4a1c40f37d576845239f681e1f9e578 100755 (executable)
@@ -24,8 +24,8 @@
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 
-# usage: C1_PORT=tcp://192.168.0.1:12345/ C1_NAME=a.com \
-#        C2_PORT=tcp://192.168.0.2:54321/ C2_NAME=b.net \
+# usage: DESCRIPTION="My IRC server" LOCATION="My attic" \
+#        EMAIL="admin@example.net" INFO="testing, testing" \
 #        setup-ngircd-config-from-environment
 
 HOSTNAME=$(hostname -f) \
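Review bot: The rewritten usage comment lists DESCRIPTION, LOCATION, EMAIL and INFO but leaves out the `SSL` variable that this same commit makes the script read. Add `SSL=yes` (marked optional) to the usage lines so the header documents every input the script acts on.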
@@ -38,3 +38,23 @@ HOSTNAME=$(hostname -f) \
                ' \
                < /etc/ngircd/ngircd.conf > /tmp/ngircd.conf &&
 mv /tmp/ngircd.conf /etc/ngircd/ngircd.conf
+
+if [ "${SSL}" = 'yes' ]
+then
+       sed -i \
+               -e 's/;\[SSL\]/[SSL]/' \
+               -e 's/;Ports = 6697, 9999/Ports = 6697/' \
+               /etc/ngircd/ngircd.conf
+       if [ -f '/etc/ngircd/ssl/server-cert.pem' ]
+       then
+               sed -i 's/;CertFile/CertFile/' /etc/ngircd/ngircd.conf
+       fi
+       if [ -f '/etc/ngircd/ssl/server-key.pem' ]
+       then
+               sed -i 's/;KeyFile/KeyFile/' /etc/ngircd/ngircd.conf
+       fi
+       if [ -f '/etc/ngircd/ssl/dhparams.pem' ]
+       then
+               sed -i 's/;DHFile/DHFile/' /etc/ngircd/ngircd.conf
+       fi
+fi
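Review bot: When `SSL=yes` but `server-cert.pem` or `server-key.pem` is absent, the `-f` tests simply skip the `CertFile` / `KeyFile` edits, while `[SSL]` and `Ports = 6697` have already been enabled, so the config ends up with a half-configured TLS section and nothing is printed to explain why. The README in this commit says both files are needed, so print an error to stderr and exit non-zero in that case instead of continuing. The sed expressions are also unanchored and tied to the exact commented defaults (`s/;Ports = 6697, 9999/Ports = 6697/`), so any change to the shipped ngircd.conf turns them into silent no-ops; anchor them with `^` and verify the result after the edit (for example with grep for the uncommented keys).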