From: David Uhden Collado Subject: Re: Fixes and improvements for the net/i2pd port To: ports@openbsd.org Date: Fri, 6 Feb 2026 16:32:00 +0000 > Here's the patch I came up with, taking into account your remarks and David's proposals: > > - /var/i2pd is set as working directory instead of /var/lib/i2pd > - logs are sent to syslogd by default > - HTTP interface is disabled by default > - /etc/i2pd is mode 750, and the config files within this directory are mode 640 > > Lightly tested on amd64 for now. The port builds fine, all tests are still passing, and it seems to run just fine, as far as I tested. > > I hope it will be OK like that. Could someone commit it? I think the maintainer doesn't have commit access to the repository. Index: Makefile =================================================================== RCS file: /cvs/ports/net/i2pd/Makefile,v diff -u -p -r1.31 Makefile --- Makefile 12 Nov 2025 02:13:09 -0000 1.31 +++ Makefile 15 Jan 2026 02:05:35 -0000 @@ -3,6 +3,7 @@ COMMENT = client for the I2P anonymous n GH_ACCOUNT = PurpleI2P GH_PROJECT = i2pd GH_TAGNAME = 2.58.0 +REVISION = 0 CATEGORIES = net HOMEPAGE = https://i2pd.website Index: patches/patch-contrib_i2pd_conf =================================================================== RCS file: patches/patch-contrib_i2pd_conf diff -N patches/patch-contrib_i2pd_conf --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-contrib_i2pd_conf 15 Jan 2026 02:05:35 -0000 
@@ -0,0 +1,41 @@ +Index: contrib/i2pd.conf +--- contrib/i2pd.conf.orig ++++ contrib/i2pd.conf +@@ -8,16 +8,16 @@ + + ## Tunnels config file + ## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf +-# tunconf = /var/lib/i2pd/tunnels.conf ++tunconf = /etc/i2pd/tunnels.conf + + ## Tunnels config files path + ## Use that path to store separated tunnels in different config files. + ## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d +-# tunnelsdir = /var/lib/i2pd/tunnels.d ++tunnelsdir = /etc/i2pd/tunnels.d + + ## Path to certificates used for verifying .su3, families + ## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates +-# certsdir = /var/lib/i2pd/certificates ++certsdir = /etc/i2pd/certificates + + ## Where to write pidfile (default: /run/i2pd.pid, not used in Windows) + # pidfile = /run/i2pd.pid +@@ -30,7 +30,7 @@ + ## * stdout - print log entries to stdout + ## * file - log entries to a file + ## * syslog - use syslog, see man 3 syslog +-# log = file ++log = syslog + ## Path to logfile (default: autodetect) + # logfile = /var/log/i2pd/i2pd.log + ## Log messages above this level (debug, info, *warn, error, critical, none) +@@ -118,7 +118,7 @@ + [http] + ## Web Console settings + ## Enable the Web Console (default: true) +-# enabled = true ++enabled = false + ## Address and port service will listen on (default: 127.0.0.1:7070) + # address = 127.0.0.1 + # port = 7070 Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/net/i2pd/pkg/PLIST,v diff -u -p -r1.17 PLIST --- pkg/PLIST 12 Nov 2025 02:13:09 -0000 1.17 +++ pkg/PLIST 15 Jan 2026 02:05:35 -0000 @@ -1,5 +1,5 @@ @newgroup _i2pd:838 -@newuser _i2pd:838:838::i2pd account:${LOCALSTATEDIR}/lib/i2pd:/sbin/nologin +@newuser _i2pd:838:838::i2pd account:${LOCALSTATEDIR}/i2pd:/sbin/nologin @rcscript ${RCDIR}/i2pd @bin bin/i2pd include/i2pd/ 
@@ -69,14 +69,16 @@ include/i2pd/util.h include/i2pd/version.h @static-lib lib/libi2pd.a @static-lib lib/libi2pdclient.a +@mode 0750 @owner _i2pd @group _i2pd @sample ${SYSCONFDIR}/i2pd/ -@sample ${LOCALSTATEDIR}/lib/i2pd/ -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/ -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/ -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/ -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/router/ +@mode +@sample ${LOCALSTATEDIR}/i2pd/ +@sample ${LOCALSTATEDIR}/i2pd/certificates/ +@sample ${LOCALSTATEDIR}/i2pd/certificates/family/ +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/ +@sample ${LOCALSTATEDIR}/i2pd/certificates/router/ @owner @group @static-lib lib/libi2pdlang.a 
@@ -87,127 +89,131 @@ share/examples/i2pd/certificates/family/ share/examples/i2pd/certificates/family/gostcoin.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/gostcoin.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/family/gostcoin.crt @owner @group share/examples/i2pd/certificates/family/i2p-dev.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/i2p-dev.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/family/i2p-dev.crt @owner @group share/examples/i2pd/certificates/family/i2pd-dev.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/i2pd-dev.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/family/i2pd-dev.crt @owner @group share/examples/i2pd/certificates/family/mca2-i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/mca2-i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/family/mca2-i2p.crt @owner @group share/examples/i2pd/certificates/family/stormycloud.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/stormycloud.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/family/stormycloud.crt @owner @group share/examples/i2pd/certificates/family/volatile.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/family/volatile.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/family/volatile.crt @owner @group share/examples/i2pd/certificates/reseed/ @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/ +@sample ${LOCALSTATEDIR}/ @owner @group share/examples/i2pd/certificates/reseed/acetone_at_mail.i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/acetone_at_mail.i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/acetone_at_mail.i2p.crt @owner @group share/examples/i2pd/certificates/reseed/admin_at_stormycloud.org.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/admin_at_stormycloud.org.crt 
+@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/admin_at_stormycloud.org.crt @owner @group share/examples/i2pd/certificates/reseed/creativecowpat_at_mail.i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/creativecowpat_at_mail.i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/creativecowpat_at_mail.i2p.crt @owner @group share/examples/i2pd/certificates/reseed/echelon3_at_mail.i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/echelon3_at_mail.i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/echelon3_at_mail.i2p.crt @owner @group share/examples/i2pd/certificates/reseed/hankhill19580_at_gmail.com.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/hankhill19580_at_gmail.com.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/hankhill19580_at_gmail.com.crt @owner @group share/examples/i2pd/certificates/reseed/i2p-reseed_at_mk16.de.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/i2p-reseed_at_mk16.de.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/i2p-reseed_at_mk16.de.crt @owner @group share/examples/i2pd/certificates/reseed/igor_at_novg.net.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/igor_at_novg.net.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/igor_at_novg.net.crt @owner @group share/examples/i2pd/certificates/reseed/lazygravy_at_mail.i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/lazygravy_at_mail.i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/lazygravy_at_mail.i2p.crt @owner @group share/examples/i2pd/certificates/reseed/orignal_at_mail.i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/orignal_at_mail.i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/orignal_at_mail.i2p.crt @owner @group 
share/examples/i2pd/certificates/reseed/r4sas-reseed_at_mail.i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/r4sas-reseed_at_mail.i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/r4sas-reseed_at_mail.i2p.crt @owner @group share/examples/i2pd/certificates/reseed/rambler_at_mail.i2p.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/rambler_at_mail.i2p.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/rambler_at_mail.i2p.crt @owner @group share/examples/i2pd/certificates/reseed/reseed_at_diva.exchange.crt @owner _i2pd @group _i2pd -@sample ${LOCALSTATEDIR}/lib/i2pd/certificates/reseed/reseed_at_diva.exchange.crt +@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/reseed_at_diva.exchange.crt @owner @group share/examples/i2pd/i2pd.conf +@mode 0640 @owner _i2pd @group _i2pd @sample ${SYSCONFDIR}/i2pd/i2pd.conf +@mode @owner @group share/examples/i2pd/tunnels.conf +@mode 0640 @owner _i2pd @group _i2pd @sample ${SYSCONFDIR}/i2pd/tunnels.conf +@mode @owner @group share/examples/login.conf.d/i2pd Index: pkg/README =================================================================== RCS file: /cvs/ports/net/i2pd/pkg/README,v diff -u -p -r1.4 README --- pkg/README 16 Apr 2024 15:22:32 -0000 1.4 +++ pkg/README 15 Jan 2026 02:05:35 -0000 
@@ -24,3 +24,48 @@ and also edit /etc/login.conf.d/i2pd: :openfiles-cur=8192:\ :openfiles-max=8192:\ :tc=daemon: + + +The HTTP interface +================== + +On OpenBSD, i2pd's HTTP interface is disabled by default, because it +allows any user on the system to perform actions on the daemon, such +as shutting it down, or access private data, such as the router +identity and the tunnels' B32 addresses. + +If you want to use this interface anyway, you can reenable it in +/etc/i2pd/i2pd.conf under the [http] section. + + +Graceful shutdown +================= + +It is good practice to shutdown the i2pd daemon gracefully, to avoid +immediatly severing all connections, which would disconnect all +your peers and affect the overall operation of the I2P network. + +You can initiate a graceful shutdown without the HTTP interface by +sending a signal to the i2pd daemon like this: + + kill -INT $(cat /var/i2pd/i2pd.pid) + +When it shuts down gracefully, the i2pd daemon waits for all transit +tunnels to expire, which usually takes 10 minutes. + + +Logging +======= + +By default, the OpenBSD port of ${PKGSTEM} sends its log messages to +syslogd(8), which writes them to the /var/log/daemon file. + +The default log level of ${PKGSTEM} ("warn") can be very verbose. You +may want to reduce this log verbosity by changing the "loglevel" +parameter in /etc/i2pd/i2pd.conf. + +If you want log messages to be written to another file, e.g. +/var/i2pd/i2pd.log, you can change the "log" and "logfile" parameters +in /etc/i2pd/i2pd.conf. To have this log file rotated automatically, +see `man 8 newsyslog.conf`, and please take into account that the i2pd +daemon should be restarted gracefully at each rotation. Index: pkg/i2pd.rc =================================================================== RCS file: /cvs/ports/net/i2pd/pkg/i2pd.rc,v diff -u -p -r1.4 i2pd.rc --- pkg/i2pd.rc 11 Mar 2022 19:46:04 -0000 1.4 +++ pkg/i2pd.rc 15 Jan 2026 02:05:35 -0000 
@@ -2,7 +2,7 @@ daemon="${TRUEPREFIX}/bin/i2pd --daemon" daemon_user="_i2pd" -daemon_flags="--service --datadir=${LOCALSTATEDIR}/lib/i2pd --conf=${SYSCONFDIR}/i2pd/i2pd.conf --tunconf=${SYSCONFDIR}/i2pd/tunnels.conf --tunnelsdir=${SYSCONFDIR}/i2pd/tunnels.d" +daemon_flags="--service --datadir=${LOCALSTATEDIR}/i2pd --conf=${SYSCONFDIR}/i2pd/i2pd.conf --tunconf=${SYSCONFDIR}/i2pd/tunnels.conf --tunnelsdir=${SYSCONFDIR}/i2pd/tunnels.d --certsdir=${LOCALSTATEDIR}/i2pd/certificates" . /etc/rc.d/rc.subr
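Review bot: In patches/patch-contrib_i2pd_conf, the first inner hunk sets `certsdir = /etc/i2pd/certificates`, but pkg/PLIST installs the certificates under `${LOCALSTATEDIR}/i2pd/certificates/` and pkg/i2pd.rc passes `--certsdir=${LOCALSTATEDIR}/i2pd/certificates`, so the shipped config names a directory the package does not populate. It only works because the rc flag overrides it; anyone starting i2pd with just `--conf` gets the /etc path. Either set `certsdir = /var/i2pd/certificates` here or leave the line commented out and rely on the rc flag. The "Default:" comments above the three changed lines also still refer to /var/lib/i2pd.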
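Review bot: In the pkg/PLIST hunk at @@ -1,5 +1,5 @@, the `@newuser` home moves from `${LOCALSTATEDIR}/lib/i2pd` to `${LOCALSTATEDIR}/i2pd`, and pkg/i2pd.rc switches `--datadir` to match, but nothing in the patch tells existing installs what to do with the data already under the old directory. After an update the daemon would start against an empty data directory. Please add an upgrade paragraph to pkg/README saying that the contents of /var/lib/i2pd need to be moved to /var/i2pd before restarting.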
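Review bot: In the pkg/PLIST hunk at @@ -69,14 +69,16 @@, `@mode 0750` covers only `@sample ${SYSCONFDIR}/i2pd/` and is reset by the bare `@mode` before `@sample ${LOCALSTATEDIR}/i2pd/`, so the data directory is created with the default mode. The README added in this same patch treats the router identity as private data; if that identity is stored under the directory given to `--datadir`, it deserves the same 0750 as /etc/i2pd. Consider moving the `@mode` reset below the `${LOCALSTATEDIR}/i2pd/` line, or state why the default mode is enough there.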
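Review bot: In the pkg/PLIST hunk at @@ -87,127 +89,131 @@, the line after `share/examples/i2pd/certificates/reseed/` becomes `@sample ${LOCALSTATEDIR}/`, which sits under `@owner _i2pd` / `@group _i2pd` and so registers /var/ itself as a sample directory for that user. This looks like the result of a mechanical removal of "lib/" from `@sample ${LOCALSTATEDIR}/lib/`. The reseed directory is already created by `@sample ${LOCALSTATEDIR}/i2pd/certificates/reseed/` in the previous hunk, so this entry should either be dropped or spelled out as that full path.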
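Review bot: In the pkg/README hunk, the "Graceful shutdown" section reads the pid from /var/i2pd/i2pd.pid, while the i2pd.conf shipped by this patch still documents `/run/i2pd.pid` as the pidfile default and pkg/i2pd.rc passes no `--pidfile`. A reader comparing the two files cannot tell which path is right. Either set `pidfile` explicitly in the patched i2pd.conf or add a sentence to the README saying where the path comes from. Smaller points in the same hunk: "immediatly" should be "immediately", "to shutdown" as a verb should be "to shut down", and the "Logging" section uses `${PKGSTEM}` where the two sections above it write "i2pd".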