diff --git a/Dockerfile b/Dockerfile
index 30eda4f..97605b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -208,7 +208,7 @@ ADD inspircd.conf /etc/inspircd
 ADD include.default.conf /etc/inspircd/include.conf
-ADD GeoLite2-ASN.mmdb /etc/inspircd
+ADD GeoLite2-Country.mmdb /etc/inspircd
 RUN touch /etc/inspircd/motd.txt
diff --git a/services/.gitignore b/services/.gitignore
new file mode 100644
index 0000000..0c11540
--- /dev/null
+++ b/services/.gitignore
@@ -0,0 +1,2 @@
+include.conf
+config.env
diff --git a/services/Dockerfile b/services/Dockerfile
new file mode 100644
index 0000000..4e8161a
--- /dev/null
+++ b/services/Dockerfile
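Review bot: In the top-level Dockerfile hunk, the new `ADD GeoLite2-Country.mmdb /etc/inspircd` copies a plain local file, where `COPY GeoLite2-Country.mmdb /etc/inspircd` is the explicit instruction; ADD's archive-extraction and URL behaviour is not wanted here. Because the ASN database is being swapped for the Country one, any inspircd configuration that references the old file by name presumably needs the matching change; that file is not in this diff, so it is worth confirming.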
@@ -0,0 +1,62 @@
+FROM ubuntu:latest
+
+ARG BUILD_SERVER_NAME="services.lame-network.local"
+
+RUN apt -y update
+
+RUN apt -y install coreutils perl git automake autoconf build-essential libpcre2-dev rapidjson-dev libcurl4-gnutls-dev libargon2-dev libmaxminddb-dev libldap2-dev rapidjson-dev libmysqlclient-dev libmysqlclient-dev default-libmysqlclient-dev libpq-dev libre2-dev gnutls-dev libsqlite3-dev libmbedtls-dev libqrencode-dev libpcre3-dev libtre-dev pkg-config libwww-perl libidn-dev libpasswdqc-dev libcrack2-dev libperl-dev libsodium-dev cracklib-runtime libcrypt-cracklib-perl sendmail
+
+RUN groupadd atheme
+
+RUN useradd --system --shell /bin/bash atheme -g atheme
+
+WORKDIR /tmp
+
+RUN apt -y install libperl-dev
+
+RUN git clone https://github.com/atheme/atheme.git
+
+WORKDIR /tmp/atheme
+
+RUN git submodule update --init --recursive
+
+RUN ./configure --prefix=/usr/local --enable-large-net --enable-contrib --enable-legacy-pwcrypto
+
+RUN make -j$(nproc)
+
+RUN make install
+
+RUN mkdir -p /etc/atheme -p /etc/ssl/atheme -p /var/lib/atheme -p /var/log/atheme
+
+RUN mv /usr/local/etc /usr/local/etc_old
+
+RUN ln -sf /etc/atheme /usr/local/etc
+
+ADD atheme.conf /etc/atheme
+
+ADD include.default.conf /etc/atheme/include.conf
+
+RUN openssl genrsa -out /etc/ssl/atheme/server.key
+
+RUN openssl req -new -key /etc/ssl/atheme/server.key -out /etc/ssl/atheme/server.csr \
+ -subj "/C=US/ST=Washington/L=Seattle/O=LameNetwork/OU=IT Department/CN=$BUILD_SERVER_NAME"
+
+RUN openssl x509 -req -days 365 -in /etc/ssl/atheme/server.csr -signkey /etc/ssl/atheme/server.key -out /etc/ssl/atheme/server.crt
+
+RUN chown -R atheme:atheme /etc/atheme /etc/ssl/atheme /var/log/atheme /var/lib/atheme
+
+WORKDIR /
+
+USER atheme
+
+RUN /usr/local/bin/atheme-services -b ; true
+
+VOLUME /etc/atheme
+
+VOLUME /etc/ssl/atheme
+
+VOLUME /var/lib/atheme
+
+VOLUME /var/log/atheme
+
+ENTRYPOINT ["/usr/local/bin/atheme-services", "-p", "/tmp/atheme.pid", "-n"]
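Review bot: The `RUN openssl genrsa`, `openssl req` and `openssl x509` steps write the TLS private key into an image layer, so every container started from this image, and anyone who can pull it, holds the same `/etc/ssl/atheme/server.key`; generate the key pair at first start from an entrypoint script that runs the three commands only when the file is absent and ends with `exec "$@"`, or supply it through the `/etc/ssl/atheme` volume instead. `FROM ubuntu:latest` and the unpinned `git clone https://github.com/atheme/atheme.git` mean the build compiles whatever upstream HEAD and base image exist on the day it runs; pin the base tag and check out a release, e.g. `RUN git clone --branch <ATHEME_RELEASE_TAG> --depth 1 https://github.com/atheme/atheme.git`. `RUN /usr/local/bin/atheme-services -b ; true` discards the exit status of the initial run, so a configuration that atheme rejects still produces a successful build. Smaller points: `libperl-dev`, `libmysqlclient-dev` and `rapidjson-dev` are installed twice, the apt lists are never removed (`apt-get install ... && rm -rf /var/lib/apt/lists/*` in one layer), and the local `ADD atheme.conf` / `ADD include.default.conf` followed by `chown -R` would be one `COPY --chown=atheme:atheme` each.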
diff --git a/services/atheme.conf b/services/atheme.conf
new file mode 100644
index 0000000..de63faa
--- /dev/null
+++ b/services/atheme.conf
@@ -0,0 +1,690 @@
+include "/etc/atheme/include.conf";
+
+loadmodule "security/cmdperm";
+loadmodule "protocol/charybdis";
+loadmodule "protocol/mixin_nohalfops";
+loadmodule "protocol/mixin_noholdnick";
+loadmodule "protocol/mixin_noprotect";
+loadmodule "protocol/mixin_noowner";
+loadmodule "backend/opensex";
+loadmodule "crypto/argon2";
+loadmodule "crypto/scrypt";
+loadmodule "crypto/pbkdf2v2";
+loadmodule "crypto/bcrypt";
+loadmodule "crypto/pbkdf2";
+loadmodule "crypto/crypt3-sha2-512";
+loadmodule "crypto/crypt3-sha2-256";
+loadmodule "crypto/crypt3-md5";
+loadmodule "crypto/rawsha2-512";
+loadmodule "crypto/rawsha2-256";
+loadmodule "crypto/anope-enc-sha256";
+loadmodule "crypto/rawsha1";
+loadmodule "crypto/rawmd5";
+loadmodule "crypto/ircservices";
+loadmodule "crypto/crypt3-des";
+loadmodule "crypto/base64";
+loadmodule "auth/ldap";
+loadmodule "nickserv/main";
+loadmodule "nickserv/access";
+loadmodule "nickserv/badmail";
+loadmodule "nickserv/cert";
+loadmodule "nickserv/drop";
+loadmodule "nickserv/enforce";
+loadmodule "nickserv/ghost";
+loadmodule "nickserv/group";
+loadmodule "nickserv/help";
+loadmodule "nickserv/hold";
+loadmodule "nickserv/identify";
+loadmodule "nickserv/info";
+loadmodule "nickserv/info_lastquit";
+loadmodule "nickserv/list";
+loadmodule "nickserv/listlogins";
+loadmodule "nickserv/listmail";
+loadmodule "nickserv/listownmail";
+loadmodule "nickserv/login";
+loadmodule "nickserv/loginnolimit";
+loadmodule "nickserv/logout";
+loadmodule "nickserv/mark";
+loadmodule "nickserv/pwquality";
+loadmodule "nickserv/freeze";
+loadmodule "nickserv/listchans";
+loadmodule "nickserv/listgroups";
+loadmodule "nickserv/register";
+loadmodule "nickserv/regnolimit";
+loadmodule "nickserv/resetpass";
+loadmodule "nickserv/restrict";
+loadmodule "nickserv/return";
+loadmodule "nickserv/setpass";
+loadmodule "nickserv/sendpass";
+loadmodule "nickserv/sendpass_user";
+loadmodule "nickserv/set_accountname";
+loadmodule "nickserv/set_badpasswdmsg";
+loadmodule "nickserv/set_email";
+loadmodule "nickserv/set_emailmemos";
+loadmodule "nickserv/set_enforcetime";
+loadmodule "nickserv/set_hidemail";
+loadmodule "nickserv/set_language";
+loadmodule "nickserv/set_nevergroup";
+loadmodule "nickserv/set_neverop";
+loadmodule "nickserv/set_nogreet";
+loadmodule "nickserv/set_nomemo";
+loadmodule "nickserv/set_noop";
+loadmodule "nickserv/set_nopassword";
+loadmodule "nickserv/set_password";
+loadmodule "nickserv/set_privmsg";
+loadmodule "nickserv/set_private";
+loadmodule "nickserv/set_property";
+loadmodule "nickserv/set_pubkey";
+loadmodule "nickserv/set_quietchg";
+loadmodule "nickserv/status";
+loadmodule "nickserv/taxonomy";
+loadmodule "nickserv/vacation";
+loadmodule "nickserv/verify";
+loadmodule "nickserv/vhost";
+loadmodule "nickserv/waitreg";
+loadmodule "chanserv/main";
+loadmodule "chanserv/access";
+loadmodule "chanserv/akick";
+loadmodule "chanserv/ban";
+loadmodule "chanserv/unban_self";
+loadmodule "chanserv/bansearch";
+loadmodule "chanserv/clone";
+loadmodule "chanserv/close";
+loadmodule "chanserv/clear";
+loadmodule "chanserv/clear_akicks";
+loadmodule "chanserv/clear_bans";
+loadmodule "chanserv/clear_flags";
+loadmodule "chanserv/clear_users";
+loadmodule "chanserv/count";
+loadmodule "chanserv/drop";
+loadmodule "chanserv/fflags";
+loadmodule "chanserv/flags";
+loadmodule "chanserv/ftransfer";
+loadmodule "chanserv/getkey";
+loadmodule "chanserv/halfop";
+loadmodule "chanserv/help";
+loadmodule "chanserv/hold";
+loadmodule "chanserv/info";
+loadmodule "chanserv/invite";
+loadmodule "chanserv/kick";
+loadmodule "chanserv/list";
+loadmodule "chanserv/mark";
+loadmodule "chanserv/moderate";
+loadmodule "chanserv/op";
+loadmodule "chanserv/owner";
+loadmodule "chanserv/protect";
+loadmodule "chanserv/quiet";
+loadmodule "chanserv/recover";
+loadmodule "chanserv/register";
+loadmodule "chanserv/set_email";
+loadmodule "chanserv/set_entrymsg";
+loadmodule "chanserv/set_fantasy";
+loadmodule "chanserv/set_gameserv";
+loadmodule "chanserv/set_guard";
+loadmodule "chanserv/set_keeptopic";
+loadmodule "chanserv/set_limitflags";
+loadmodule "chanserv/set_mlock";
+loadmodule "chanserv/set_prefix";
+loadmodule "chanserv/set_private";
+loadmodule "chanserv/set_property";
+loadmodule "chanserv/set_pubacl";
+loadmodule "chanserv/set_restricted";
+loadmodule "chanserv/set_secure";
+loadmodule "chanserv/set_topiclock";
+loadmodule "chanserv/set_url";
+loadmodule "chanserv/set_verbose";
+loadmodule "chanserv/status";
+loadmodule "chanserv/sync";
+loadmodule "chanserv/successor_acl";
+loadmodule "chanserv/taxonomy";
+loadmodule "chanserv/template";
+loadmodule "chanserv/topic";
+loadmodule "chanserv/voice";
+loadmodule "chanserv/why";
+loadmodule "chanserv/xop";
+loadmodule "chanserv/antiflood";
+loadmodule "chanfix/main";
+loadmodule "operserv/akill";
+loadmodule "operserv/clearchan";
+loadmodule "operserv/clones";
+loadmodule "operserv/compare";
+loadmodule "operserv/genhash";
+loadmodule "operserv/greplog";
+loadmodule "operserv/help";
+loadmodule "operserv/identify";
+loadmodule "operserv/ignore";
+loadmodule "operserv/info";
+loadmodule "operserv/joinrate";
+loadmodule "operserv/jupe";
+loadmodule "operserv/mode";
+loadmodule "operserv/modlist";
+loadmodule "operserv/modmanager";
+loadmodule "operserv/noop";
+loadmodule "operserv/rakill";
+loadmodule "operserv/readonly";
+loadmodule "operserv/rehash";
+loadmodule "operserv/restart";
+loadmodule "operserv/rmatch";
+loadmodule "operserv/rnc";
+loadmodule "operserv/rwatch";
+loadmodule "operserv/set";
+loadmodule "operserv/sgline";
+loadmodule "operserv/shutdown";
+loadmodule "operserv/soper";
+loadmodule "operserv/specs";
+loadmodule "operserv/sqline";
+loadmodule "operserv/update";
+loadmodule "operserv/uptime";
+loadmodule "memoserv/help";
+loadmodule "memoserv/send";
+loadmodule "memoserv/sendops";
+loadmodule "memoserv/sendgroup";
+loadmodule "memoserv/list";
+loadmodule "memoserv/read";
+loadmodule "memoserv/forward";
+loadmodule "memoserv/delete";
+loadmodule "memoserv/ignore";
+loadmodule "global/main";
+loadmodule "infoserv/main";
+loadmodule "saslserv/authcookie";
+loadmodule "saslserv/ecdh-x25519-challenge";
+loadmodule "saslserv/ecdsa-nist256p-challenge";
+loadmodule "saslserv/external";
+loadmodule "saslserv/plain";
+loadmodule "saslserv/scram";
+loadmodule "gameserv/dice";
+loadmodule "gameserv/eightball";
+loadmodule "gameserv/gamecalc";
+loadmodule "gameserv/help";
+loadmodule "gameserv/lottery";
+loadmodule "gameserv/namegen";
+loadmodule "gameserv/rps";
+loadmodule "rpgserv/enable";
+loadmodule "rpgserv/help";
+loadmodule "rpgserv/info";
+loadmodule "rpgserv/list";
+loadmodule "rpgserv/search";
+loadmodule "rpgserv/set";
+loadmodule "botserv/main";
+loadmodule "botserv/help";
+loadmodule "botserv/info";
+loadmodule "botserv/bottalk";
+loadmodule "botserv/set_fantasy";
+loadmodule "botserv/set_nobot";
+loadmodule "botserv/set_private";
+loadmodule "botserv/set_saycaller";
+loadmodule "hostserv/help";
+loadmodule "hostserv/onoff";
+loadmodule "hostserv/offer";
+loadmodule "hostserv/request";
+loadmodule "hostserv/vhost";
+loadmodule "hostserv/vhostnick";
+loadmodule "hostserv/group";
+loadmodule "hostserv/drop";
+loadmodule "helpserv/helpme";
+loadmodule "helpserv/ticket";
+loadmodule "helpserv/services";
+loadmodule "alis/main";
+loadmodule "statserv/channel";
+loadmodule "statserv/netsplit";
+loadmodule "statserv/server";
+loadmodule "groupserv/main";
+loadmodule "groupserv/acsnolimit";
+loadmodule "groupserv/drop";
+loadmodule "groupserv/fflags";
+loadmodule "groupserv/flags";
+loadmodule "groupserv/help";
+loadmodule "groupserv/info";
+loadmodule "groupserv/join";
+loadmodule "groupserv/list";
+loadmodule "groupserv/listchans";
+loadmodule "groupserv/register";
+loadmodule "groupserv/regnolimit";
+loadmodule "groupserv/invite";
+loadmodule "groupserv/set";
+loadmodule "groupserv/set_channel";
+loadmodule "groupserv/set_description";
+loadmodule "groupserv/set_email";
+loadmodule "groupserv/set_groupname";
+loadmodule "groupserv/set_joinflags";
+loadmodule "groupserv/set_open";
+loadmodule "groupserv/set_public";
+loadmodule "groupserv/set_url";
+loadmodule "misc/httpd";
+loadmodule "misc/login_throttling";
+loadmodule "transport/xmlrpc";
+loadmodule "exttarget/oper";
+loadmodule "exttarget/registered";
+loadmodule "exttarget/channel";
+loadmodule "exttarget/chanacs";
+loadmodule "exttarget/server";
+loadmodule "proxyscan/dnsbl";
+
+crypto {
+ argon2_type = "argon2id";
+ argon2_memcost = 16;
+ argon2_timecost = 3;
+ argon2_threads = 1;
+ argon2_saltlen = 16;
+ argon2_hashlen = 64;
+ scrypt_memlimit = 14;
+ scrypt_opslimit = 524288;
+ pbkdf2v2_digest = "SHA2-512";
+ pbkdf2v2_rounds = 64000;
+ pbkdf2v2_saltlen = 32;
+ scram_mechanisms = "SCRAM-SHA-1,SCRAM-SHA-256,SCRAM-SHA-512";
+ bcrypt_cost = 7;
+ crypt3_sha2_256_rounds = 5000;
+ crypt3_sha2_512_rounds = 5000;
+};
+
+nickserv {
+
+ nick = "NICKSERV";
+ user = "NICKSERV";
+ host = "services/-";
+ real = "Nickname Services";
+
+ aliases {
+ "ID" = "IDENTIFY";
+ "MYACCESS" = "LISTCHANS";
+ };
+
+ access {
+ };
+
+ spam;
+
+ no_nick_ownership;
+ maxnicks = 5;
+ expire = 30;
+ enforce_expire = 14;
+ enforce_delay = 30;
+ enforce_prefix = "G`";
+ waitreg_time = 0;
+ cracklib_dict = "/var/cache/cracklib/cracklib_dict";
+ passwdqc_max = 288;
+ passwdqc_min_n0 = 20;
+ passwdqc_min_n1 = 16;
+ passwdqc_min_n2 = 16;
+ passwdqc_min_n3 = 12;
+ passwdqc_min_n4 = 8;
+ passwdqc_words = 4;
+ pwquality_warn_only;
+ show_custom_metadata;
+
+ emailexempts {
+ };
+
+ shorthelp = "";
+ listownmail_canon;
+ bad_password_message;
+};
+
+chanserv {
+
+ nick = "CHANSERV";
+ user = "CHANSERV";
+ host = "services/-";
+ real = "Channel Services";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ reggroup = "!Services-Team";
+ maxchans = 5;
+ fantasy;
+ hide_xop;
+ hide_flags_akicks;
+ hide_pubacl_akicks;
+
+ templates {
+ vop = "+AV";
+ hop = "+AHehitrv";
+ aop = "+AOehiortv";
+ sop = "+AOaefhiorstv";
+ founder = "+AFORaefhioqrstv";
+ member = "+Ai";
+ op = "+AOiortv";
+ };
+
+ deftemplates = "MEMBER=+Ai OP=+AOeiortv";
+ changets;
+ trigger = "!";
+ expire = 30;
+ maxchanacs = 0;
+ maxfounders = 4;
+ founder_flags = "AFORefiorstv";
+ default_mlock = "+nt";
+ akick_time = 10;
+ antiflood_enforce_method = quiet;
+ show_custom_metadata;
+ shorthelp = "";
+};
+
+chanfix {
+
+ nick = "CHANFIX";
+ user = "CHANFIX";
+ host = "services/-";
+ real = "Channel Fixing Service";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ autofix;
+};
+
+global {
+
+ nick = "GLOBAL";
+ user = "GLOBAL";
+ host = "services/-";
+ real = "Network Announcements";
+
+ aliases {
+ };
+
+ access {
+ };
+};
+
+infoserv {
+
+ nick = "INFOSERV";
+ user = "INFOSERV";
+ host = "services/-";
+ real = "Information Service";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ logoninfo_count = 3;
+ logoninfo_reverse;
+ logoninfo_show_metadata;
+};
+
+operserv {
+
+ nick = "OPERSERV";
+ user = "OPERSERV";
+ host = "services/-";
+ real = "Operator Services";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ modinspect_use_colors;
+};
+
+saslserv {
+
+ nick = "SASLSERV";
+ user = "SASLSERV";
+ host = "services/-";
+ real = "SASL Authentication Agent";
+ hide_server_names;
+};
+
+memoserv {
+
+ nick = "MEMOSERV";
+ user = "MEMOSERV";
+ host = "services/-";
+ real = "Memo Services";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ maxmemos = 30;
+};
+
+gameserv {
+
+ nick = "GAMESERV";
+ user = "GAMESERV";
+ host = "services/-";
+ real = "Game Services";
+
+ aliases {
+ };
+
+ access {
+ };
+};
+
+rpgserv {
+
+ nick = "RPGSERV";
+ user = "RPGSERV";
+ host = "services/-";
+ real = "RPG Finding Services";
+
+ aliases {
+ };
+
+ access {
+ };
+};
+
+botserv {
+
+ nick = "BOTSERV";
+ user = "BOTSERV";
+ host = "services/-";
+ real = "Bot Services";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ min_users = 0;
+};
+
+groupserv {
+
+ nick = "GROYPSERV";
+ user = "GROYPSERV";
+ host = "services/-";
+ real = "Group Management Services";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ maxgroups = 5;
+ maxgroupacs = 100;
+ enable_open_groups;
+ join_flags = "+";
+};
+
+hostserv {
+
+ nick = "HOSTSERV";
+ user = "HOSTSERV";
+ host = "services/-";
+ real = "Host Management Services";
+
+ aliases {
+ "APPROVE" = "ACTIVATE";
+ "DENY" = "REJECT";
+ };
+
+ access {
+ };
+
+ reggroup = "!Services-Team";
+ no_subsequent_requests;
+ request_per_nick;
+};
+
+helpserv {
+
+ nick = "HELPSERV";
+ user = "HELPSERV";
+ host = "services/-";
+ real = "Help Services";
+
+ aliases {
+ };
+
+ access {
+ };
+};
+
+statserv {
+
+ nick = "STATSERV";
+ user = "STATSERV";
+ host = "services/-";
+ real = "Statistics Services";
+
+ aliases {
+ };
+
+ access {
+ };
+};
+
+alis {
+
+ nick = "ALIS";
+ user = "ALIS";
+ host = "services/-";
+ real = "Channel Directory";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ maxmatches = 64;
+};
+
+proxyscan {
+
+ nick = "PROXYSCAN";
+ user = "PROXYSCAN";
+ host = "services/-";
+ real = "Proxyscan Service";
+
+ aliases {
+ };
+
+ access {
+ };
+
+ blacklists {
+ "dnsbl.dronebl.org";
+ "rbl.efnetrbl.org";
+ "tor.efnet.org";
+ };
+
+ dnsbl_action = kline;
+};
+
+httpd {
+ host = "0.0.0.0";
+ host = "::";
+ www_root = "/var/www";
+ port = 8080;
+};
+
+throttle {
+ address_burst = 5;
+ address_replenish = 1;
+ address_account_burst = 2;
+ address_account_replenish = 2;
+};
+
+logfile "/var/log/atheme/account.log" { register; set; };
+logfile "/var/log/atheme/commands.log" { commands; };
+logfile "/var/log/atheme/audit.log" { denycmd; };
+logfile "#services" { admin; denycmd; error; info; register; request; };
+logfile "!snotices" { denycmd; error; info; request; };
+
+operclass "user" { };
+
+operclass "ircop" {
+ privs {
+ special:ircop;
+ };
+
+ privs {
+ user:auspex;
+ user:admin;
+ user:sendpass;
+ user:vhost;
+ user:mark;
+ };
+
+ privs {
+ chan:auspex;
+ chan:admin;
+ chan:cmodes;
+ chan:joinstaffonly;
+ };
+
+ privs {
+ general:auspex;
+ general:helper;
+ general:viewprivs;
+ general:flood;
+ };
+
+ privs {
+ operserv:omode;
+ operserv:akill;
+ operserv:jupe;
+ operserv:global;
+ };
+
+ privs {
+ group:auspex;
+ group:admin;
+ };
+};
+
+operclass "sra" {
+ extends "ircop";
+
+ privs {
+ user:exceedlimits;
+ user:hold;
+ user:regnolimit;
+ };
+
+ privs {
+ general:metadata;
+ general:admin;
+ };
+
+ privs {
+ #operserv:massakill;
+ #operserv:akill-anymask;
+ operserv:noop;
+ operserv:grant;
+ };
+
+ needoper;
+};
diff --git a/services/include.default.conf b/services/include.default.conf
new file mode 100644
index 0000000..8c60447
--- /dev/null
+++ b/services/include.default.conf
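Review bot: In the `groupserv` block, `nick = "GROYPSERV"` and `user = "GROYPSERV"` look like a typo for `GROUPSERV`, the `<NAME>SERV` form every other service block uses; since the nick is what users address, it should probably read `nick = "GROUPSERV";` / `user = "GROUPSERV";` unless the spelling is intentional. The module list loads `crypto/argon2` first, which as I understand atheme's ordering is what new password hashes use, but it also loads `crypto/rawmd5`, `crypto/rawsha1`, `crypto/crypt3-des`, `crypto/ircservices`, `crypto/anope-enc-sha256` and `crypto/base64`; unless an existing database containing such hashes is being imported, those legacy verifiers can be left out so a leaked database only ever holds modern hashes, and `pwquality_warn_only;` should go if weak passwords are meant to be rejected rather than merely warned about. `httpd` binds `0.0.0.0` and `::` on port 8080 with `transport/xmlrpc` loaded and no `EXPOSE` in services/Dockerfile, so a comment such as `# XML-RPC/HTTP listener; keep unpublished unless a bridge needs it` above the `httpd` block would tell the next maintainer whether that port is meant to leave the container.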
@@ -0,0 +1,76 @@
+serverinfo {
+ name = "lame-network.local";
+ desc = "IRC Services";
+ numeric = "00A";
+ recontime = 10;
+ netname = "LameNet";
+ hidehostsuffix = "users.misconfigured";
+ adminname = "admin";
+ adminemail = "no-reply@lame-network.local";
+ registeremail = "no-reply@lame-network.local";
+ hidden;
+ mta = "/usr/sbin/sendmail";
+ loglevel = { admin; error; info; network; wallops; };
+ maxcertfp = 0;
+ maxlogins = 5;
+ maxusers = 5;
+ mdlimit = 30;
+ emaillimit = 10;
+ emailtime = 300;
+ auth = none;
+ casemapping = rfc1459;
+};
+
+uplink "irc.lame-network.local" {
+ host = "127.0.0.1";
+ port = 7001;
+ send_password = "changeme";
+ receive_password = "changeme";
+};
+
+operator "admin" {
+ operclass = "sra";
+ password = "changeme";
+};
+
+general {
+ permissive_mode;
+ helpchan = "#help";
+ helpurl = "https://www.lame-network.local";
+ verbose_wallops;
+ join_chans;
+ leave_chans;
+ secure;
+ uflags = { hidemail; };
+ cflags = { guard; verbose; };
+ raw;
+ flood_msgs = 7;
+ flood_time = 10;
+ ratelimit_uses = 5;
+ ratelimit_period = 60;
+ vhost_change = 30;
+ kline_time = 7;
+ kline_with_ident;
+ kline_verified_ident;
+ clone_time = 0;
+ commit_interval = 5;
+ db_save_blocking;
+ operstring = "is an IRC Operator";
+ servicestring = "is a Network Service";
+ default_clone_allowed = 5;
+ default_clone_warn = 4;
+ clone_identified_increase_limit;
+ uplink_sendq_limit = 1048576;
+ language = "en";
+
+ exempts {
+ };
+
+ allow_taint;
+ immune_level = immune;
+ show_entity_id;
+ load_database_mdeps;
+ hide_opers;
+ match_masks_through_vhost;
+ default_password_length = 16;
+};
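Review bot: This file is what the image installs as `/etc/atheme/include.conf` (`ADD include.default.conf /etc/atheme/include.conf` in services/Dockerfile), so its contents are the live configuration unless the operator replaces that volume; `send_password`/`receive_password = "changeme"` and the `operator "admin"` block's `password = "changeme"` therefore ship as working credentials rather than as placeholders. The shipped default should be the safe one: drop `raw;` (no `operserv/raw` module is loaded in atheme.conf, so it is dead config today but becomes live the moment someone adds that module), and drop `allow_taint;` and `permissive_mode;`, which appear to relax atheme's configuration-safety and command-permission checks, letting a deployment opt into them explicitly. A header comment stating what must change before the first link, e.g. `# Copy to include.conf and replace every "changeme" value and the lame-network.local names before use`, would make the .gitignore'd `include.conf` workflow obvious. `hidehostsuffix = "users.misconfigured"` reads like a placeholder as well and belongs in that same comment.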