irkerd [-c ca-file] [-d debuglevel] [-e cert-file] [-l logfile] [-H host] [-n nick] [-p password] [-P password-file] [--sasl-mechanism PLAIN|EXTERNAL] [--sasl-username username] [--sasl-password password] [--sasl-password-file password-file] [-i IRC-URL] [-t timeout] [-V] [-h] [message text]
irkerd is a specialized write-only IRC client intended to be used for shipping notification messages to IRC channels. The use case in mind when it was designed was broadcasting notifications from commit hooks in version-control systems.
The main advantage of relaying through this daemon over individual scripted sends from applications is that it can maintain connection state for multiple channels, rather than producing obnoxious join/leave channel spam on every message.
irkerd is a socket server that listens on port 6659 for UDP or TCP packets carrying textual request lines, each containing a JSON object and terminated by a newline. Each JSON object must have two members: "to" specifying a destination or destination list, and "privmsg" specifying the message text. Examples:
{"to":"irc://chat.freenode.net/git-ciabot", "privmsg":"Hello, world!"}
{"to":["irc://chat.freenode.net/#git-ciabot","irc://chat.freenode.net/#gpsd"],"privmsg":"Multichannel test"}
{"to":"irc://chat.hypothetical.net:6668/git-ciabot", "privmsg":"Hello, world!"}
{"to":"ircs://chat.hypothetical.net/git-private?key=topsecret", "privmsg":"Keyed channel test"}
{"to":"ircs://:topsecret@chat.example.net/git-private", "privmsg":"Password-protected server test"}
If the channel part of the URL does not have one of the prefix characters “#”, “&”, or “+”, a “#” will be prepended to it before shipping - unless the channel part has the suffix ",isnick" (which is unconditionally removed).
The host part of the URL may have a port-number suffix separated by a colon, as shown in the third example; otherwise irkerd sends plaintext messages to the default 6667 IRC port of each server, and SSL/TLS messages to 6697.
The password for password-protected servers can be set using the usual “[{username}:{password}@]{host}:{port}” defined in RFC 3986, as shown in the fifth example. Non-empty URL usernames override the default “irker” username.
When the “to” URL uses the “ircs” scheme (as shown in the fourth and fifth examples), the connection to the IRC server is made via SSL/TLS (vs. a plaintext connection with the “irc” scheme). You can pass “-c /etc/ssl/certs/ca-certificates.crt” to declare a custom CA file; if you don't, irkerd will use OpenSSL's default file (using Python's “ssl.SSLContext.set_default_verify_paths”). “ssl.match_hostname” is used to ensure that the server certificate belongs to the intended host, in addition to being signed by a trusted CA.
To join password-protected (mode +k) channels, the channel part of the URL may be followed with a query-string indicating the channel key, of the form “?secret” or “?key=secret”, where “secret” is the channel key.
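The URL rules above, applied in a pre-submission check that a commit hook could run on each destination. This is an added example, not irkerd's own parser; the function name parse_target and the result keys are hypothetical, and the two boolean flags are checks added here.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"irc": 6667, "ircs": 6697}  # plaintext and SSL/TLS defaults from the text

def parse_target(url):
    """Decompose one "to" URL by the rules in the text (hypothetical helper)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be irc or ircs: %r" % url)
    authority, _, target = rest.partition("/")
    # Only the authority goes through urlsplit; the channel is split by hand so
    # that a leading "#" is never mistaken for a URL fragment delimiter.
    auth = urlsplit("//" + authority)
    if not auth.hostname:
        raise ValueError("missing host: %r" % url)
    channel, _, query = target.partition("?")
    key = (query[4:] if query.startswith("key=") else query) or None
    is_nick = channel.endswith(",isnick")
    if is_nick:
        channel = channel[:-len(",isnick")]   # suffix is always removed
    if not channel:
        raise ValueError("missing channel: %r" % url)
    hash_with_key = channel.startswith("#") and key is not None
    if not is_nick and channel[0] not in "#&+":
        channel = "#" + channel
    tls = scheme == "ircs"
    return {
        "tls": tls,
        "host": auth.hostname,
        "port": auth.port or DEFAULT_PORTS[scheme],
        "username": auth.username or "irker",   # non-empty URL username overrides
        "password": auth.password,
        "channel": channel,
        "is_nick": is_nick,
        "key": key,
        # A server password or channel key on an "irc" URL travels unencrypted.
        "secret_in_plaintext": not tls and bool(auth.password or key),
        # "#" together with a key: the form this page says may fail in irkerd.
        "hash_with_key": hash_with_key,
    }
```

A hook can refuse to submit when secret_in_plaintext is set, and drop the leading "#" from the URL when hash_with_key is set.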
An empty message is legal and will cause irkerd to join or maintain a connection to the target channels without actually emitting a message. This may be useful for advertising that an instance is up and running, or for joining a channel to log its traffic.
irkerd takes the following options:
-d
Takes a following value, setting the debugging level from it; possible values are 'critical', 'error', 'warning', 'info', 'debug'. This option will generally only be of interest to developers, as the logs are designed to help trace irkerd's internal state. These tracing logs are independent of the traffic logs controlled by “-l”.
Logging will be to standard error (if irkerd is running in the foreground) or to “/dev/syslog” with facility "daemon" (if irkerd is running in the background). The background-ness of irkerd is determined by comparing the process group id with the process group associated with the terminal attached to stdout (with non-matches for background processes). We assume you aren't running irkerd in Windows or another OS that doesn't support “os.getpgrp” or “tcgetpgrp”. We assume that if stdout is attached to a TTY associated with the same process group as irkerd, you do intend to log to stderr and not syslog.
-e
Takes a following filename in PEM format and uses it to authenticate to the IRC server. You must be connecting to the IRC server over SSL for this to function properly. This is commonly known as “CertFP.”
-l
Takes a following filename, logs traffic to that file. Each log line consists of three |-separated fields: a numeric timestamp in Unix time, the FQDN of the sending server, and the message data.
-H
Takes a following hostname, and binds to that address when listening for messages. irkerd binds to localhost by default, but you may want to use your host's public address to listen on a local network. Listening on a public interface is not recommended, as it makes spamming IRC channels very easy.
-n
Takes a following value, setting the nick to be used. If the nick contains a numeric format element (such as %03d) it is used to generate suffixed fallback names in the event of a nick collision.
-p
Takes a following value, setting a nickserv password to be used. If given, this password is shipped to authenticate the nick on receipt of a welcome message.
-P
Like -p, but the argument is interpreted as a filename from which to read the password.
--sasl-mechanism
Enables SASL authentication and selects the mechanism to use. Supported values are “PLAIN” and “EXTERNAL”.
When this option is specified, irkerd performs IRCv3 capability negotiation and attempts SASL authentication during connection setup, before completing registration. If SASL is enabled, the traditional NickServ “identify” message is not sent.
--sasl-username
Specifies the username used for SASL authentication. This is typically the account name registered with the IRC network.
This option is required when using the “PLAIN” mechanism. It is ignored for “EXTERNAL”, which uses client TLS certificate authentication instead.
--sasl-password
Specifies the password used for SASL authentication.
This option is required when using the “PLAIN” mechanism unless --sasl-password-file is used. The password is transmitted as part of the SASL exchange and is not sent via NickServ.
--sasl-password-file
Like --sasl-password, but the password is read from the specified file instead of the command line. This is preferred for security reasons to avoid exposing credentials via process listings or shell history.
-t
Takes a following value, setting the connection timeout for server-socket opens.
-i
Immediate mode, to be run in foreground. Takes a following value interpreted as a channel URL. May take a second argument giving a message string; if the second argument is absent the message is read from standard input (and may contain newlines). Sends the message, then quits.
-V
Write the program version to stdout and terminate.
-h
Print usage instructions and terminate.
Requests via UDP optimize for lowest latency and network load by avoiding TCP connection setup time; the cost is that delivery is not reliable in the face of packet loss.
An irkerd instance with a publicly-accessible request socket could complicate blocking of IRC spam by making it easy for spammers to submit while hiding their IP addresses; the better way to deploy, then, is on places like project-hosting sites where the irkerd socket can be visible from commit-hook code but not exposed to the outside world. Priming your firewall with blocklists of IP addresses known to spew spam is always a good idea.
The absence of any option to set the service port is deliberate. If you think you need to do that, you have a problem better solved at your firewall.
IRC has a message length limit of 510 bytes; generate your privmsg attribute values with appropriate care.
IRC ignores any text after an embedded newline. Be aware that irkerd will turn payload strings with embedded newlines into multiple IRC sends to avoid having message data discarded.
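A client-side request builder that respects the two limits above, given as an added example rather than code from the irker distribution. The function names and the 400-byte budget are assumptions: the budget leaves headroom under 510 bytes for the IRC command and channel name that accompany the message text.

```python
import json
import socket

IRKER_PORT = 6659        # the fixed request port from the text
MAX_PRIVMSG_BYTES = 400  # assumption: headroom under 510 for "PRIVMSG <channel> :"

def split_message(text, limit=MAX_PRIVMSG_BYTES):
    """One chunk per IRC line: split on line breaks, then on the byte budget."""
    chunks = []
    for line in text.splitlines():
        data = line.encode("utf-8")
        while len(data) > limit:
            cut = limit
            while (data[cut] & 0xC0) == 0x80:   # never cut inside a UTF-8 character
                cut -= 1
            chunks.append(data[:cut].decode("utf-8"))
            data = data[cut:]
        if data:
            chunks.append(data.decode("utf-8"))
    return chunks or [""]   # an empty message is legal: join without sending

def build_requests(targets, text):
    """Return newline-terminated JSON request lines, one per IRC line."""
    to = targets if isinstance(targets, str) else list(targets)
    # json.dumps escapes control characters, so each request stays on one line.
    return [json.dumps({"to": to, "privmsg": chunk}).encode("ascii") + b"\n"
            for chunk in split_message(text)]

def send_udp(requests, host="localhost", port=IRKER_PORT):
    """Fire-and-forget delivery; UDP gives no confirmation that irkerd got it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in requests:
            sock.sendto(line, (host, port))
```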
Due to a bug in Python URL parsing, IRC URLs with both a # and a key part may fail unexpectedly. The workaround is to remove the #.
Eric S. Raymond <esr@snark.thyrsus.com>. See the project page at http://www.catb.org/~esr/irker for updates and other resources, including an installable repository hook script.