--- /dev/null
+=head1 NAME
+
+public-inbox-netd - read-only network daemon for sharing public-inboxes
+
+=head1 SYNOPSIS
+
+ public-inbox-netd [OPTIONS]
+
+=head1 DESCRIPTION
+
+public-inbox-netd provides a read-only HTTP/IMAP/NNTP/POP3 daemon for
+public-inbox. It uses options and environment variables common
+to all L<public-inbox-daemon(8)> implementations.
+
+The default configuration will never require write access
+to the directory where the public-inbox is stored, so it
+may be run as a different user than the user running
+L<public-inbox-watch(1)>, L<public-inbox-mda(1)>, or
+L<git-fetch(1)>.
+
+=head1 OPTIONS
+
+See common options in L<public-inbox-daemon(8)/OPTIONS>.
+
+=over
+
+=item -l PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key
+
+=item --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key
+
+In addition to the normal C<-l>/C<--listen> switch described in
+L<public-inbox-daemon(8)>, the protocol prefix (e.g. C<nntp://> or
+C<nntps://>) may be specified to force a given protocol.
+
+=item --cert /path/to/cert
+
+The default TLS certificate for optional TLS support
+if the C<cert> option is not given with C<--listen>.
+
+=item --key /path/to/key
+
+The default private TLS certificate key for optional TLS support
+if the C<key> option is not given with C<--listen>. The private
+key may concatenated into the path used by C<--cert>, in which case this
+option is not needed.
+
+=back
+
+=head1 CONFIGURATION
+
+These configuration knobs should be used in the
+L<public-inbox-config(5)>.
+
+=over 8
+
+=item publicinbox.<name>.newsgroup
+
+=item publicinbox.nntpserver
+
+=back
+
+See L<public-inbox-config(5)> for documentation on them.
+
+=head1 CONTACT
+
+Feedback welcome via plain-text mail to L<mailto:meta@public-inbox.org>
+
+The mail archives are hosted at L<https://public-inbox.org/meta/>, and
+L<nntp://news.public-inbox.org/inbox.comp.mail.public-inbox.meta>,
+L<nntp://4uok3hntl7oi7b4uf4rtfwefqeexfzil2w6kgk2jn5z2f764irre7byd.onion/inbox.comp.mail.public-inbox.meta>
+
+=head1 COPYRIGHT
+
+Copyright all contributors L<mailto:meta@public-inbox.org>
+
+License: AGPL-3.0+ L<https://www.gnu.org/licenses/agpl-3.0.txt>
+
+=head1 SEE ALSO
+
+L<git(1)>, L<git-config(1)>, L<public-inbox-daemon(8)>,
+L<public-inbox-config(5)>
Documentation/public-inbox-init.pod
Documentation/public-inbox-learn.pod
Documentation/public-inbox-mda.pod
+Documentation/public-inbox-netd.pod
Documentation/public-inbox-nntpd.pod
Documentation/public-inbox-overview.pod
Documentation/public-inbox-purge.pod
script/public-inbox-init
script/public-inbox-learn
script/public-inbox-mda
+script/public-inbox-netd
script/public-inbox-nntpd
script/public-inbox-purge
script/public-inbox-watch
t/msgtime.t
t/multi-mid.t
t/net_reader-imap.t
+t/netd.t
t/nntp.t
t/nntpd-tls.t
t/nntpd-v2.t
-# Copyright (C) 2015-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
#
# Contains common daemon code for the httpd, imapd, and nntpd servers
{ SSL_server => 1, SSL_startHandshake => 0, SSL_reuse_ctx => $ctx };
}
-sub daemon_prepare ($) {
- my ($default_listen) = @_;
+sub load_mod ($) {
+ my ($scheme) = @_;
+ my $modc = "PublicInbox::\U$1";
+ my $mod = $modc.'D';
+ eval "require $mod"; # IMAPD|HTTPD|NNTPD|POP3D
+ die $@ if $@;
+ my %xn = map { $_ => $mod->can($_) } qw(refresh post_accept);
+ $xn{tlsd} = $mod->new if $mod->can('refresh_groups'); #!HTTPD
+ my $tlsd = $xn{tlsd};
+ $xn{refresh} //= sub { $tlsd->refresh_groups(@_) };
+ $xn{post_accept} //= sub { $modc->new($_[0], $tlsd) };
+ $xn{af_default} = 'httpready' if $modc eq 'PublicInbox::HTTP';
+ \%xn;
+}
+
+sub daemon_prepare ($$) {
+ my ($default_listen, $xnetd) = @_;
my $listener_names = {}; # sockname => IO::Handle
$oldset = PublicInbox::DS::block_signals();
@CMD = ($0, @ARGV);
my ($prog) = ($CMD[0] =~ m!([^/]+)\z!g);
+ my $dh = defined($default_listen) ? " (default: $default_listen)" : '';
my $help = <<EOF;
usage: $prog [-l ADDRESS] [--cert=FILE] [--key=FILE]
options:
- -l ADDRESS address to listen on (default: $default_listen)
+ -l ADDRESS address to listen on$dh
--cert=FILE default SSL/TLS certificate
--key=FILE default SSL/TLS certificate
-W WORKERS number of worker processes to spawn (default: 1)
# ignore daemonize when inheriting
$daemonize = undef if scalar @listeners;
- push @cfg_listen, $default_listen unless (@listeners || @cfg_listen);
+ unless (@listeners || @cfg_listen) {
+ $default_listen // die "no listeners specified\n";
+ push @cfg_listen, $default_listen
+ }
foreach my $l (@cfg_listen) {
my $orig = $l;
} elsif ($scheme =~ /\A(?:https|imaps|imaps)\z/) {
die "$orig specified w/o cert=\n";
}
- # TODO: use scheme to load either NNTP.pm or HTTP.pm
+ $scheme =~ /\A(http|imap|nntp|pop3)/ and
+ $xnetd->{$l} = load_mod($1);
next if $listener_names->{$l}; # already inherited
my (%o, $sock_pkg);
}
}
-sub daemon_loop ($$$$) {
- my ($refresh, $post_accept, $tlsd, $af_default) = @_;
+sub daemon_loop ($) {
+ my ($xnetd) = @_;
+ my $refresh = sub {
+ my ($sig) = @_;
+ for my $xn (values %$xnetd) {
+ eval { $xn->{refresh}->($sig) };
+ warn "refresh $@\n" if $@;
+ }
+ };
my %post_accept;
while (my ($k, $v) = each %tls_opt) {
- if ($k =~ s!\A(?:https|imaps|nntps)://!!) {
- $post_accept{$k} = tls_start_cb($v, $post_accept);
- } elsif ($tlsd) { # STARTTLS, $k eq '' is OK
- $tlsd->{accept_tls} = $v;
+ my $l = $k;
+ $l =~ s!\A([^:]+)://!!;
+ my $scheme = $1;
+ my $xn = $xnetd->{$l} // $xnetd->{''};
+ if ($scheme =~ s!\A(?:https|imaps|nntps)!!) {
+ $post_accept{$l} = tls_start_cb($v, $xn->{post_accept});
+ } elsif ($xn->{tlsd}) { # STARTTLS, $k eq '' is OK
+ $xn->{tlsd}->{accept_tls} = $v;
}
}
my $sig = {
$uid = $gid = undef;
reopen_logs();
@listeners = map {;
- my $tls_cb = $post_accept{sockname($_)};
+ my $l = sockname($_);
+ my $tls_cb = $post_accept{$l};
+ my $xn = $xnetd->{$l} // $xnetd->{''};
# NNTPS, HTTPS, HTTP, IMAPS and POP3S are client-first traffic
# IMAP, NNTP and POP3 are server-first
- defer_accept($_, $tls_cb ? 'dataready' : $af_default);
+ defer_accept($_, $tls_cb ? 'dataready' : $xn->{af_default});
# this calls epoll_create:
- PublicInbox::Listener->new($_, $tls_cb || $post_accept)
+ PublicInbox::Listener->new($_, $tls_cb || $xn->{post_accept})
} @listeners;
PublicInbox::DS::event_loop($sig, $oldset);
}
-sub run ($$$;$) {
- my ($default, $refresh, $post_accept, $tlsd) = @_;
- daemon_prepare($default);
- my $af_default = $default =~ /:8080\z/ ? 'httpready' : undef;
+sub run {
+ my ($default_listen) = @_;
+ my $xnetd = {};
+ if ($default_listen) {
+ $default_listen =~ /\A(http|imap|nntp|pop3)/ or
+ die "BUG: $default_listen";
+ $xnetd->{''} = load_mod($1);
+ }
+ daemon_prepare($default_listen, $xnetd);
my $for_destroy = daemonize();
# localize GCF2C for tests:
local $PublicInbox::Git::async_warn = 1;
local $SIG{__WARN__} = PublicInbox::Eml::warn_ignore_cb();
- daemon_loop($refresh, $post_accept, $tlsd, $af_default);
+ daemon_loop($xnetd);
PublicInbox::DS->Reset;
# ->DESTROY runs when $for_destroy goes out-of-scope
}
-# Copyright (C) 2016-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
# wraps a listen socket for HTTP and links it to the PSGI app in
# public-inbox-httpd
package PublicInbox::HTTPD;
+use v5.10.1;
use strict;
-use warnings;
-use Plack::Util;
+use Plack::Util ();
+use Plack::Builder;
+use PublicInbox::HTTP;
use PublicInbox::HTTPD::Async;
-use PublicInbox::Daemon;
sub pi_httpd_async { PublicInbox::HTTPD::Async->new(@_) }
# detect when to use async paths for slow blobs
'pi-httpd.async' => \&pi_httpd_async
);
- bless {
- app => $app,
- env => \%env
- }, $class;
+ bless { app => $app, env => \%env }, $class;
+}
+
+my %httpds; # per-listen-FD mapping for HTTPD->{env}->{SERVER_<NAME|PORT>}
+my $default_app; # ugh...
+
+sub refresh {
+ if (@main::ARGV) {
+ eval { $default_app = Plack::Util::load_psgi(@ARGV) };
+ if ($@) {
+ die $@,
+"$0 runs in /, command-line paths must be absolute\n";
+ }
+ } else {
+ require PublicInbox::WWW;
+ my $www = PublicInbox::WWW->new;
+ $www->preload;
+ $default_app = builder {
+ eval { enable 'ReverseProxy' };
+ $@ and warn <<EOM;
+Plack::Middleware::ReverseProxy missing,
+URL generation for redirects may be wrong if behind a reverse proxy
+EOM
+ enable 'Head';
+ sub { $www->call(@_) };
+ };
+ }
+ %httpds = (); # invalidate cache
+}
+
+sub post_accept { # Listener->{post_accept}
+ my ($client, $addr, $srv) = @_; # $_[3] - tls_wrap (unused)
+ my $httpd = $httpds{fileno($srv)} //=
+ __PACKAGE__->new($srv, $default_app, $client);
+ PublicInbox::HTTP->new($client, $addr, $httpd),
}
1;
-# Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
# represents an IMAPD (currently a singleton),
# see script/public-inbox-imapd for how it is used
package PublicInbox::IMAPD;
use strict;
+use v5.10.1;
use PublicInbox::Config;
use PublicInbox::ConfigIter;
use PublicInbox::InboxIdle;
-use PublicInbox::IMAP;
+use PublicInbox::IMAPdeflate; # loads PublicInbox::IMAP
use PublicInbox::DummyInbox;
my $dummy = bless { uidvalidity => 0 }, 'PublicInbox::DummyInbox';
-# Copyright (C) 2016-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
# represents an NNTPD (currently a singleton),
# see script/public-inbox-nntpd for how it is used
package PublicInbox::NNTPD;
use strict;
-use warnings;
+use v5.10.1;
use Sys::Hostname;
use PublicInbox::Config;
use PublicInbox::InboxIdle;
+use PublicInbox::NNTPdeflate; # loads PublicInbox::NNTP
sub new {
my ($class) = @_;
-#!/usr/bin/perl -w
-# Copyright (C) 2016-2021 all contributors <meta@public-inbox.org>
+#!perl -w
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
#
# Standalone HTTP server for public-inbox.
-use strict;
-use v5.10.1;
+use v5.12;
use PublicInbox::Daemon;
-BEGIN {
- for (qw(Plack::Builder Plack::Util)) {
- eval("require $_") or die "E: Plack is required for $0\n";
- }
- Plack::Builder->import;
- require PublicInbox::HTTP;
- require PublicInbox::HTTPD;
-}
-
-my %httpds; # per-listen-FD mapping for HTTPD->{env}->{SERVER_<NAME|PORT>}
-my $app;
-my $refresh = sub {
- if (@ARGV) {
- eval { $app = Plack::Util::load_psgi(@ARGV) };
- if ($@) {
- die $@,
-"$0 runs in /, command-line paths must be absolute\n";
- }
- } else {
- require PublicInbox::WWW;
- my $www = PublicInbox::WWW->new;
- $www->preload;
- $app = builder {
- eval { enable 'ReverseProxy' };
- $@ and warn
-"Plack::Middleware::ReverseProxy missing,\n",
-"URL generation for redirects may be wrong if behind a reverse proxy\n";
-
- enable 'Head';
- sub { $www->call(@_) };
- };
- }
- %httpds = (); # invalidate cache
-};
-
-PublicInbox::Daemon::run('0.0.0.0:8080', $refresh,
- sub ($$$) { # Listener->{post_accept}
- my ($client, $addr, $srv, $tls_wrap) = @_;
- my $fd = fileno($srv);
- my $h = $httpds{$fd} //=
- PublicInbox::HTTPD->new($srv, $app, $client);
- PublicInbox::HTTP->new($client, $addr, $h),
- });
+PublicInbox::Daemon::run('http://0.0.0.0:8080');
#!perl -w
-# Copyright (C) 2020-2021 all contributors <meta@public-inbox.org>
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
#
# Standalone read-only IMAP server for public-inbox.
-use strict;
+use v5.12;
use PublicInbox::Daemon;
-use PublicInbox::IMAPdeflate; # loads PublicInbox::IMAP
-use PublicInbox::IMAPD;
-my $imapd = PublicInbox::IMAPD->new;
-PublicInbox::Daemon::run('0.0.0.0:143',
- sub { $imapd->refresh_groups(@_) }, # refresh
- sub ($$$) { PublicInbox::IMAP->new($_[0], $imapd) }, # post_accept
- $imapd);
+PublicInbox::Daemon::run('imap://0.0.0.0:143');
--- /dev/null
+#!/usr/bin/perl -w
+# Copyright (C) all contributors <meta@public-inbox.org>
+# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
+use v5.12;
+use PublicInbox::Daemon;
+PublicInbox::Daemon::run();
-#!/usr/bin/perl -w
-# Copyright (C) 2015-2021 all contributors <meta@public-inbox.org>
+#!perl -w
+# Copyright (C) all contributors <meta@public-inbox.org>
# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
#
# Standalone NNTP server for public-inbox.
-use strict;
-use warnings;
+use v5.12;
use PublicInbox::Daemon;
-use PublicInbox::NNTPdeflate; # loads PublicInbox::NNTP
-use PublicInbox::NNTPD;
-my $nntpd = PublicInbox::NNTPD->new;
-PublicInbox::Daemon::run('0.0.0.0:119',
- sub { $nntpd->refresh_groups }, # refresh
- sub ($$$) { PublicInbox::NNTP->new($_[0], $nntpd) }, # post_accept
- $nntpd);
+PublicInbox::Daemon::run('nntp://0.0.0.0:119');
--- /dev/null
+#!perl -w
+# Copyright (C) all contributors <meta@public-inbox.org>
+# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
+use v5.12;
+use Socket qw(IPPROTO_TCP SOL_SOCKET);
+use PublicInbox::TestCommon;
+# IO::Poll and Net::NNTP are part of the standard library, but
+# distros may split them off...
+require_mods(qw(-imapd IO::Socket::SSL Mail::IMAPClient IO::Poll Net::NNTP));
+my $imap_client = 'Mail::IMAPClient';
+$imap_client->can('starttls') or
+ plan skip_all => 'Mail::IMAPClient does not support TLS';
+Net::NNTP->can('starttls') or
+ plan skip_all => 'Net::NNTP does not support TLS';
+my $cert = 'certs/server-cert.pem';
+my $key = 'certs/server-key.pem';
+unless (-r $key && -r $cert) {
+ plan skip_all =>
+ "certs/ missing for $0, run $^X ./create-certs.perl in certs/";
+}
+use_ok 'PublicInbox::TLS';
+use_ok 'IO::Socket::SSL';
+require_git('2.6');
+
+my ($tmpdir, $for_destroy) = tmpdir();
+my $err = "$tmpdir/stderr.log";
+my $out = "$tmpdir/stdout.log";
+my $pi_config;
+my $group = 'test-netd';
+my $addr = $group . '@example.com';
+
+# ensure we have free, low-numbered contiguous FDs from 3.. FD inheritance
+my @pad_pipes;
+for (1..3) {
+ pipe(my ($r, $w)) or xbail "pipe: $!";
+ push @pad_pipes, $r, $w;
+};
+my %srv = map { $_ => tcp_server() } qw(imap nntp imaps nntps);
+my $ibx = create_inbox 'netd', version => 2,
+ -primary_address => $addr, indexlevel => 'basic', sub {
+ my ($im, $ibx) = @_;
+ $im->add(eml_load('t/data/0001.patch')) or BAIL_OUT '->add';
+ $pi_config = "$ibx->{inboxdir}/pi_config";
+ open my $fh, '>', $pi_config or BAIL_OUT "open: $!";
+ print $fh <<EOF or BAIL_OUT "print: $!";
+[publicinbox "netd"]
+ inboxdir = $ibx->{inboxdir}
+ address = $addr
+ indexlevel = basic
+ newsgroup = $group
+EOF
+ close $fh or BAIL_OUT "close: $!\n";
+};
+$pi_config //= "$ibx->{inboxdir}/pi_config";
+my @args = ("--cert=$cert", "--key=$key");
+my $rdr = {};
+my $fd = 3;
+while (my ($k, $v) = each %srv) {
+ push @args, "-l$k://".tcp_host_port($v);
+ $rdr->{$fd++} = $v;
+}
+my $cmd = [ '-netd', '-W0', @args, "--stdout=$out", "--stderr=$err" ];
+my $env = { PI_CONFIG => $pi_config };
+my $td = start_script($cmd, $env, $rdr);
+@pad_pipes = ();
+undef $rdr;
+my %o = (
+ SSL_hostname => 'server.local',
+ SSL_verifycn_name => 'server.local',
+ SSL_verify_mode => SSL_VERIFY_PEER(),
+ SSL_ca_file => 'certs/test-ca.pem',
+);
+{
+ my $c = tcp_connect($srv{imap});
+ my $msg = <$c>;
+ like($msg, qr/IMAP4rev1/, 'connected to IMAP');
+}
+{
+ my $c = tcp_connect($srv{nntp});
+ my $msg = <$c>;
+ like($msg, qr/^201 .*? ready - post via email/, 'connected to NNTP');
+}
+
+# TODO: more tests
+done_testing;