L<public-inbox-watch(1)>, L<public-inbox-mda(1)>, or
L<git-fetch(1)>.
+=head1 OPTIONS
+
+See common options in L<public-inbox-daemon(8)/OPTIONS>.
+Additionally, NNTP-specific behavior for certain options
+are supported and documented below.
+
+=over
+
+=item -l, --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key
+
+In addition to the normal C<-l>/C<--listen> switch described in
+L<public-inbox-daemon(8)>, the protocol prefix (e.g. C<nntp://> or
+C<nntps://>) may be specified to force a given protocol.
+
+For STARTTLS and NNTPS support, the C<cert> and C<key> may be specified
+on a per-listener basis after a C<?> character and separated by C<,>.
+These directives are per-directive, and it's possible to use a different
+cert for every listener.
+
+=item --cert /path/to/cert
+
+The default TLS certificate for optional STARTTLS and NNTPS support
+if the C<cert> option is not given with C<--listen>.
+
+If using systemd-compatible socket activation and a TCP listener on port
+563 is inherited, it is automatically NNTPS when this option is given.
+When a listener on port 119 is inherited and this option is given, it
+automatically gets STARTTLS support.
+
+=item --key /path/to/key
+
+The default private TLS certicate key for optional STARTTLS and NNTPS
+support if the C<key> option is not given with C<--listen>. The private
+key may concatenated into the path used by C<--cert>, in which case this
+option is not needed.
+
+=back
+
=head1 CONFIGURATION
These configuration knobs should be used in the
examples/public-inbox-httpd@.service
examples/public-inbox-nntpd.socket
examples/public-inbox-nntpd@.service
+examples/public-inbox-nntps.socket
examples/public-inbox-watch.service
examples/public-inbox.psgi
examples/unsubscribe-milter.socket
[Unit]
Description = public-inbox NNTP server %i
-Wants = public-inbox-nntpd.socket
-After = public-inbox-nntpd.socket
+Wants = public-inbox-nntpd.socket public-inbox-nntps.socket
+After = public-inbox-nntpd.socket public-inbox-nntps.socket
[Service]
Environment = PI_CONFIG=/home/pi/.public-inbox/config \
LimitNOFILE = 30000
ExecStartPre = /bin/mkdir -p -m 1777 /tmp/.pub-inline
ExecStart = /usr/local/bin/public-inbox-nntpd \
--1 /var/log/public-inbox/nntpd.out.log
+-1 /var/log/public-inbox/nntpd.out.log \
+--cert /etc/ssl/certs/news.example.com.pem \
+--key /etc/ssl/private/news.example.com.key
StandardError = syslog
# NonBlocking is REQUIRED to avoid a race condition if running
# simultaneous services
NonBlocking = true
-Sockets = public-inbox-nntpd.socket
+
+Sockets = public-inbox-nntpd.socket public-inbox-nntps.socket
KillSignal = SIGQUIT
User = nobody
-Group = nogroup
+Group = ssl-cert
ExecReload = /bin/kill -HUP $MAINPID
TimeoutStopSec = 86400
KillMode = process
--- /dev/null
+# ==> /etc/systemd/system/public-inbox-nntps.socket <==
+[Unit]
+Description = public-inbox-nntps socket
+
+[Socket]
+ListenStream = 0.0.0.0:563
+BindIPv6Only = ipv6-only
+ListenStream = [::]:563
+Service = public-inbox-nntpd@1.service
+
+[Install]
+WantedBy = sockets.target