about summary refs log tree commit
diff options
authorEric Wong <e@80x24.org>2019-09-14 18:28:54 +0000
committerEric Wong <e@80x24.org>2019-09-14 18:31:13 +0000
commit46c79526fd34996605a97ce52437069aa6462cef (patch)
parent6c89cf6208dd4f5251faeec18dc76ac123335fed (diff)
NNTPS and STARTTLS seems to be working for several months
without incident on news.public-inbox.org, so consider it a
success and maybe others can try using it.

HTTPS technically works, too, but isn't documented at
the moment since I can't recommend production deployments
without varnish protecting it.
5 files changed, 59 insertions, 7 deletions
diff --git a/Documentation/public-inbox-daemon.pod b/Documentation/public-inbox-daemon.pod
index abb84dd7..e8d1ff29 100644
--- a/Documentation/public-inbox-daemon.pod
+++ b/Documentation/public-inbox-daemon.pod
@@ -25,8 +25,6 @@ breaking existing connections during software upgrades.
 These daemons may also utilize multiple pre-forked worker
 processes to take advantage of multiple CPUs.
-Native TLS (Transport Layer Security) support is planned.
 =head1 OPTIONS
diff --git a/Documentation/public-inbox-nntpd.pod b/Documentation/public-inbox-nntpd.pod
index b56580bf..4214fd75 100644
--- a/Documentation/public-inbox-nntpd.pod
+++ b/Documentation/public-inbox-nntpd.pod
@@ -18,6 +18,44 @@ may be run as a different user than the user running
 L<public-inbox-watch(1)>, L<public-inbox-mda(1)>, or
+=head1 OPTIONS
+See common options in L<public-inbox-daemon(8)/OPTIONS>.
+Additionally, NNTP-specific behavior for certain options
+are supported and documented below.
+=item -l, --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key
+In addition to the normal C<-l>/C<--listen> switch described in
+L<public-inbox-daemon(8)>, the protocol prefix (e.g. C<nntp://> or
+C<nntps://>) may be specified to force a given protocol.
+For STARTTLS and NNTPS support, the C<cert> and C<key> may be specified
+on a per-listener basis after a C<?> character and separated by C<,>.
+These directives are per-directive, and it's possible to use a different
+cert for every listener.
+=item --cert /path/to/cert
+The default TLS certificate for optional STARTTLS and NNTPS support
+if the C<cert> option is not given with C<--listen>.
+If using systemd-compatible socket activation and a TCP listener on port
+563 is inherited, it is automatically NNTPS when this option is given.
+When a listener on port 119 is inherited and this option is given, it
+automatically gets STARTTLS support.
+=item --key /path/to/key
+The default private TLS certicate key for optional STARTTLS and NNTPS
+support if the C<key> option is not given with C<--listen>.  The private
+key may concatenated into the path used by C<--cert>, in which case this
+option is not needed.
 These configuration knobs should be used in the
diff --git a/MANIFEST b/MANIFEST
index 777367d0..f5290b40 100644
@@ -60,6 +60,7 @@ examples/public-inbox-httpd.socket
diff --git a/examples/public-inbox-nntpd@.service b/examples/public-inbox-nntpd@.service
index a879841e..4dd2f5d7 100644
--- a/examples/public-inbox-nntpd@.service
+++ b/examples/public-inbox-nntpd@.service
@@ -7,8 +7,8 @@
 Description = public-inbox NNTP server %i
-Wants = public-inbox-nntpd.socket
-After = public-inbox-nntpd.socket
+Wants = public-inbox-nntpd.socket public-inbox-nntps.socket
+After = public-inbox-nntpd.socket public-inbox-nntps.socket
 Environment = PI_CONFIG=/home/pi/.public-inbox/config \
@@ -18,17 +18,20 @@ PERL_INLINE_DIRECTORY=/tmp/.pub-inline
 LimitNOFILE = 30000
 ExecStartPre = /bin/mkdir -p -m 1777 /tmp/.pub-inline
 ExecStart = /usr/local/bin/public-inbox-nntpd \
--1 /var/log/public-inbox/nntpd.out.log
+-1 /var/log/public-inbox/nntpd.out.log \
+--cert /etc/ssl/certs/news.example.com.pem \
+--key /etc/ssl/private/news.example.com.key
 StandardError = syslog
 # NonBlocking is REQUIRED to avoid a race condition if running
 # simultaneous services
 NonBlocking = true
-Sockets = public-inbox-nntpd.socket
+Sockets = public-inbox-nntpd.socket public-inbox-nntps.socket
 KillSignal = SIGQUIT
 User = nobody
-Group = nogroup
+Group = ssl-cert
 ExecReload = /bin/kill -HUP $MAINPID
 TimeoutStopSec = 86400
 KillMode = process
diff --git a/examples/public-inbox-nntps.socket b/examples/public-inbox-nntps.socket
new file mode 100644
index 00000000..fa678196
--- /dev/null
+++ b/examples/public-inbox-nntps.socket
@@ -0,0 +1,12 @@
+# ==> /etc/systemd/system/public-inbox-nntps.socket <==
+Description = public-inbox-nntps socket
+ListenStream =
+BindIPv6Only = ipv6-only
+ListenStream = [::]:563
+Service = public-inbox-nntpd@1.service
+WantedBy = sockets.target