1Introduction 2 3 This is an installation checklist written by Rebecca Ore, intended to be 4 the beginning of a different presentation of the information in INSTALL, 5 since getting started with installing INN can be complex. Further 6 clarifications, updates, and expansion are welcome. 7 8Setup 9 10 * Make sure there is a "news" user (and a "news" group to which the 11 "news" user belongs). If necessary, you can use: 12 13 adduser --group --home /usr/local/news news 14 15 where /usr/local/news is the home directory for the "news" user. 16 This directory will be passed to configure via the --prefix option. 17 It will also be set as *pathnews* in inn.conf. 18 19 * Create a local mail alias for "usenet" (editing your aliases file 20 for instance). 21 22 * Make sure the directory /usr/local/news and its subdirectories are 23 owned by "news", group "news". 24 25 You want to be careful that things in that directory stay owned by 26 "news" -- but you can't just "chown -R news:news" after the install, 27 because you may have binaries that are SUID root. You can do the 28 build as any user, but you need to be root when doing "make install" 29 so as to set the permissions correctly. After that point, though, 30 you may want to "su news -s /bin/sh" to avoid creating any files as 31 root. (For routine maintenance once INN is working, you can 32 generally be root. However, it is always better to be accustomed to 33 doing that as the news user.) 34 35 * If necessary, add ~news/bin (that is to say *pathbin*) to the news 36 user's path and ~news/share/man (that is to say 37 *pathnews*/share/man) to the news user's MANPATH in your shell 38 config files. (You may want to do this, especially the second part, 39 on your regular account; the man pages are very useful.) 40 41 You can do this now or later, but you will certainly want the man 42 pages to help with configuring INN. 43 44 For bash, try: 45 46 PATH=<pathbin in inn.conf>:$PATH 47 export PATH 48 MANPATH=<pathnews in inn.conf>/share/man:$MANPATH 49 export MANPATH 50 51 or csh: 52 53 setenv PATH <pathbin in inn.conf>:$PATH 54 setenv MANPATH <pathnews in inn.conf>/share/man:$MANPATH 55 56 although if you don't already have MANPATH set, the above may give 57 an error or override your defaults (making it so you can only read 58 the news man pages); if "echo $MANPATH" does not give some 59 reasonable path, you'll need to look up what the default is for your 60 system (such as /usr/man or /usr/share/man). 61 62Compile 63 64 * Download the INN tarball and unpack. Make sure that you download 65 the last release from <https://ftp.isc.org/isc/inn/> or a snapshot 66 from <https://ftp.isc.org/isc/inn/snapshots/>. 67 68 * Work out configure options ("./configure --help" for a list). If 69 you aren't working out of /usr/local/news, or want to put some files 70 on a different partition, you can set the directories now (or later 71 in *pathnews* in inn.conf if you change your mind). By default, 72 --prefix=/usr/local/news is used. 73 74 You probably want --with-perl. If you're not using NetBSD with 75 cycbuffs or OpenBSD, perhaps --with-tagged-hash. You might want to 76 compile in TLS/SSL and SQLite, if your system supports them. You 77 will need to have the relevant external libraries to compile 78 (depending on whether you use OpenSSL for TLS/SSL access to your 79 news server, GnuPG to verify the authenticity of Usenet control 80 messages, Perl, Python, etc.). 81 82 ./configure --with-perl ... 83 make 84 85 su 86 make install 87 88 (If you do the last step as root, all of the ownerships and 89 permissions will be correct.) 90 91 Note that if you update a previous installation of INN, you should 92 use "make update" instead of "make install" to keep your 93 configuration files. 94 95 If you wish to use TLS/SSL, you can use "make cert" to generate a 96 certificate and a private key. 97 98Configure 99 100 * Find INSTALL and open a separate window for it. A printout is 101 probably a good idea -- it's long but very helpful. Any time the 102 instructions below ask you to make a decision, you can probably find 103 help in INSTALL. 104 105 * Now it's time to work on the files in ~news/etc (the default 106 *pathetc* location set in inn.conf). Start with inn.conf; you must 107 fill in the default moderators address, your fully qualified domain 108 names and path. Fill in all the blanks. Change the file descriptor 109 limits to something like 500. 110 111 * If using cycbuffs (the CNFS storage method), open cycbuff.conf in 112 one window and a shell in another to create the cycbuff as described 113 in INSTALL. As you create them, record in cycbuff.conf the paths 114 and sizes. Save paths and sizes in a separate text file on another 115 machine in case you ever blow away the wrong file. 116 117 Name the metacycbuff, then configure storage.conf. 118 119 * In storage.conf, be sure that all sizes of articles can be 120 accommodated. If you want to throw away large articles, do it 121 explicitly by using the "trash" storage method (you can also set a 122 lower *maxartsize* in inn.conf). 123 124 * The default options in expire.ctl work fine if you have cycbuffs; if 125 not, configure to suit (depending on your disk space and your 126 interest in some hierarchies, you can define how long you keep 127 articles in your news spool). 128 129 * Check over moderators and control.ctl. You may want to also 130 configure the process of newsgroup control messages (see the 131 corresponding section in INSTALL). 132 133 * Run "<pathbin in inn.conf>/inncheck -a -v -f --pedantic --perm" and 134 fix anything noted: inncheck gives a rough check on the 135 appropriateness of the configuration files as you go. (It's the 136 equivalent of "perl -cw yourfile.pl" for Perl scripts.) 137 138 Note that inncheck is very conservative about permissions; there's 139 no reason most of the config files can't be world-readable if you 140 prefer that. 141 142 * You can now import an active file (*pathdb in inn.conf*/active) and 143 run inncheck again. You may want to look at 144 <https://ftp.isc.org/pub/usenet/CONFIG/active> and only keep the 145 lines corresponding to the newsgroups you are interested in. Also 146 import a newsgroups file which contains the descriptions of these 147 newsgroups (see for instance 148 <https://ftp.isc.org/pub/usenet/CONFIG/newsgroups>). 149 150 Note that it is not necessary to do that now. INN is shipped with 151 minimal active and newsgroups files and you can add newsgroups later 152 with "ctlinnd newgroup" or actsync. 153 154 In case you need to create empty initial database files, import an 155 active file (owned by "news") and execute as the news user: 156 157 cd <pathdb in inn.conf> 158 159 touch newsgroups 160 touch active.times 161 162 touch history 163 <pathbin in inn.conf>/makedbz -i 164 mv history.n.hash history.hash 165 mv history.n.index history.index 166 mv history.n.dir history.dir 167 168 chmod 644 * 169 170 (However, it is not necessary to do that since INN takes care of 171 these files during the setup.) 172 173 * Create the cron jobs (especially news.daily), the log files, and 174 make the changes to your system's syslog.conf as noted in INSTALL. 175 Also create the cron job for nntpsend if you've chosen that over 176 innfeed. 177 178 * For the time being, we can see if everything initially works without 179 worrying about feeds or reader access. 180 181Run 182 183 * Start innd by running *pathbin*/rc.news as the news user. It is 184 also what you should launch in your init scripts: 185 186 su news -s /bin/sh -c <pathbin in inn.conf>/rc.news 187 188 Check *pathlog*/news.notice to see if everything went well; also use 189 "ps" to see if innd is running. 190 191 "telnet localhost 119" and you should see either a welcome banner or 192 a "no permission to talk" message. If not, investigate. 193 194 * "man ctlinnd" now; you'll use "ctlinnd reload" as you complete your 195 configuration. You can also see whether "ctlinnd checkfile" reports 196 any problems. 197 198Feeds 199 200 All of this can be done while INN is running. 201 202 * To get your incoming feeds working, edit incoming.conf. When done, 203 "ctlinnd reload incoming.conf 'reason'" (where "reason" is some text 204 that will show up in the logs -- anything will do). 205 206 * To get your outgoing feeds working, decide whether to use innfeed or 207 nntpsend. Edit newsfeeds and either innfeed.conf or nntpsend.ctl. 208 209 In newsfeeds, if using innfeed, use the option which doesn't require 210 you to do a separate innfeed configuration unless you know more than 211 I do. 212 213 Then "ctlinnd reload newsfeeds 'reason'". 214 215Readers 216 217 * In readers.conf, remember that auth and access blocks can be 218 separated. 219 220 Begin with auth. Your auth for password users could look like this: 221 222 auth "foreignokay" { 223 auth: "ckpasswd -d <pathdb in inn.conf>/newsusers" 224 default: "<unauthenticated>" 225 } 226 227 There is a Perl script in the ckpasswd(8) man page if you want to do 228 authentications by password and have the appropriate libraries. 229 Copy it to *pathbin*, name the file something like makepasswd.pl and 230 change the internal paths to whatever you're using and wherever 231 you're putting the newsusers database. The standard Apache htpasswd 232 tool also works just fine to create INN password files. For 233 instance, a line for the newsusers database corresponding to the 234 user "user" with the password "pass" would be "user:LIfOpbjNaEQYE" 235 as obtained by the following command: 236 237 % htpasswd -nbd user pass 238 user:LIfOpbjNaEQYE 239 240 In case htpasswd is not installed or if you do not want to depend on 241 it, another command involving Perl does a similar job: 242 243 % perl -e 'print "user:".crypt("pass", "LI")."\n";' 244 user:LIfOpbjNaEQYE 245 246 Follow with the access stanzas. Something for people with 247 passwords: 248 249 access "generalpeople" { 250 users: "*" 251 newsgroups: "*,!junk,!control,!control.*" 252 } 253 254 And then something like one of the following two, depending on 255 whether unauthenticated users get any access: 256 257 access "restrictive" { 258 users: "<unauthenticated>" 259 newsgroups: "!*" 260 } 261 262 access "readonly" { 263 users: "<unauthenticated>" 264 read: "local.*" 265 post: "!*" 266 } 267 268 You don't need to reload anything after modifying readers.conf; 269 every time an nnrpd launches, it reads its configuration from disk. 270 271 * If you wish to use TLS/SSL for your readers, you can either use the 272 same readers.conf file or use two different files (for instance 273 readers.conf and readers-ssl.conf). The syntax is similar for both 274 these files. You then need to start a second nnrpd to listen to 275 these connections to NNTPS port 563 and put something like that in 276 your init scripts: 277 278 su news -s /bin/sh -c '<pathbin>/nnrpd -D -c <pathetc>/readers-ssl.conf -p 563 -S' 279 280 Note that a news client which supports the STARTTLS command can also 281 use the conventional NNTP port 119 to dynamically upgrade from 282 unencrypted to TLS-protected traffic during an NNTP session. 283 However, this practice is discouraged in favour of using the 284 separate port 563. See nnrpd(8) for more information about TLS 285 support. 286 287