user/dev discussion of public-inbox itself
 help / color / mirror / code / Atom feed
* [PATCH] doc: update nntpd with NNTPS and STARTTLS examples
@ 2019-09-14 18:28 Eric Wong
  0 siblings, 0 replies; only message in thread
From: Eric Wong @ 2019-09-14 18:28 UTC (permalink / raw)
  To: meta

NNTPS and STARTTLS seems to be working for several months
without incident on, so consider it a
success and maybe others can try using it.

HTTPS technically works, too, but isn't documented at
the moment since I can't recommend production deployments
without varnish protecting it.
 Documentation/public-inbox-daemon.pod |  2 --
 Documentation/public-inbox-nntpd.pod  | 38 +++++++++++++++++++++++++++
 MANIFEST                              |  1 +
 examples/public-inbox-nntpd@.service  | 13 +++++----
 examples/public-inbox-nntps.socket    | 12 +++++++++
 5 files changed, 59 insertions(+), 7 deletions(-)
 create mode 100644 examples/public-inbox-nntps.socket

diff --git a/Documentation/public-inbox-daemon.pod b/Documentation/public-inbox-daemon.pod
index abb84dd7..e8d1ff29 100644
--- a/Documentation/public-inbox-daemon.pod
+++ b/Documentation/public-inbox-daemon.pod
@@ -25,8 +25,6 @@ breaking existing connections during software upgrades.
 These daemons may also utilize multiple pre-forked worker
 processes to take advantage of multiple CPUs.
-Native TLS (Transport Layer Security) support is planned.
 =head1 OPTIONS
diff --git a/Documentation/public-inbox-nntpd.pod b/Documentation/public-inbox-nntpd.pod
index b56580bf..4214fd75 100644
--- a/Documentation/public-inbox-nntpd.pod
+++ b/Documentation/public-inbox-nntpd.pod
@@ -18,6 +18,44 @@ may be run as a different user than the user running
 L<public-inbox-watch(1)>, L<public-inbox-mda(1)>, or
+=head1 OPTIONS
+See common options in L<public-inbox-daemon(8)/OPTIONS>.
+Additionally, NNTP-specific behavior for certain options
+are supported and documented below.
+=item -l, --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key
+In addition to the normal C<-l>/C<--listen> switch described in
+L<public-inbox-daemon(8)>, the protocol prefix (e.g. C<nntp://> or
+C<nntps://>) may be specified to force a given protocol.
+For STARTTLS and NNTPS support, the C<cert> and C<key> may be specified
+on a per-listener basis after a C<?> character and separated by C<,>.
+These directives are per-directive, and it's possible to use a different
+cert for every listener.
+=item --cert /path/to/cert
+The default TLS certificate for optional STARTTLS and NNTPS support
+if the C<cert> option is not given with C<--listen>.
+If using systemd-compatible socket activation and a TCP listener on port
+563 is inherited, it is automatically NNTPS when this option is given.
+When a listener on port 119 is inherited and this option is given, it
+automatically gets STARTTLS support.
+=item --key /path/to/key
+The default private TLS certicate key for optional STARTTLS and NNTPS
+support if the C<key> option is not given with C<--listen>.  The private
+key may concatenated into the path used by C<--cert>, in which case this
+option is not needed.
 These configuration knobs should be used in the
diff --git a/MANIFEST b/MANIFEST
index 777367d0..f5290b40 100644
@@ -60,6 +60,7 @@ examples/public-inbox-httpd.socket
diff --git a/examples/public-inbox-nntpd@.service b/examples/public-inbox-nntpd@.service
index a879841e..4dd2f5d7 100644
--- a/examples/public-inbox-nntpd@.service
+++ b/examples/public-inbox-nntpd@.service
@@ -7,8 +7,8 @@
 Description = public-inbox NNTP server %i
-Wants = public-inbox-nntpd.socket
-After = public-inbox-nntpd.socket
+Wants = public-inbox-nntpd.socket public-inbox-nntps.socket
+After = public-inbox-nntpd.socket public-inbox-nntps.socket
 Environment = PI_CONFIG=/home/pi/.public-inbox/config \
@@ -18,17 +18,20 @@ PERL_INLINE_DIRECTORY=/tmp/.pub-inline
 LimitNOFILE = 30000
 ExecStartPre = /bin/mkdir -p -m 1777 /tmp/.pub-inline
 ExecStart = /usr/local/bin/public-inbox-nntpd \
--1 /var/log/public-inbox/nntpd.out.log
+-1 /var/log/public-inbox/nntpd.out.log \
+--cert /etc/ssl/certs/ \
+--key /etc/ssl/private/
 StandardError = syslog
 # NonBlocking is REQUIRED to avoid a race condition if running
 # simultaneous services
 NonBlocking = true
-Sockets = public-inbox-nntpd.socket
+Sockets = public-inbox-nntpd.socket public-inbox-nntps.socket
 KillSignal = SIGQUIT
 User = nobody
-Group = nogroup
+Group = ssl-cert
 ExecReload = /bin/kill -HUP $MAINPID
 TimeoutStopSec = 86400
 KillMode = process
diff --git a/examples/public-inbox-nntps.socket b/examples/public-inbox-nntps.socket
new file mode 100644
index 00000000..fa678196
--- /dev/null
+++ b/examples/public-inbox-nntps.socket
@@ -0,0 +1,12 @@
+# ==> /etc/systemd/system/public-inbox-nntps.socket <==
+Description = public-inbox-nntps socket
+ListenStream =
+BindIPv6Only = ipv6-only
+ListenStream = [::]:563
+Service = public-inbox-nntpd@1.service
+WantedBy =

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2019-09-14 18:28 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-14 18:28 [PATCH] doc: update nntpd with NNTPS and STARTTLS examples Eric Wong

Code repositories for project(s) associated with this public inbox

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).