Compare commits


56 Commits

Author SHA1 Message Date
c0f6699720 Update README.md 2025-01-07 07:59:22 +00:00
33e4584687 Update README.md 2025-01-07 07:59:22 +00:00
b558352eb8 Update README.md 2025-01-07 07:59:22 +00:00
2936e43193 Update README.md 2025-01-07 07:59:22 +00:00
c8f7b59622 Update README.md 2025-01-07 07:59:22 +00:00
f7f1168c48 Update README.md 2025-01-07 07:59:22 +00:00
85c059fee2 Update README.md 2025-01-07 07:59:22 +00:00
1f65e2a4c2 Update README.md 2025-01-07 07:59:22 +00:00
95783e673e Update README.md 2025-01-07 07:59:22 +00:00
99566aaf1a Update README.md 2025-01-07 07:59:22 +00:00
31bbed9c02 Update README.md 2025-01-07 07:59:22 +00:00
632fc05f9c Update README.md 2025-01-07 07:59:22 +00:00
08bca975c6 Update README.md 2025-01-07 07:59:22 +00:00
0c0f72a543 Update README.md 2025-01-07 07:59:22 +00:00
e0d1f3612c Update README.md 2025-01-07 07:59:22 +00:00
9cc3ca4b2f Update README.md 2025-01-07 07:59:22 +00:00
9628d41b8e Update README.md 2025-01-07 07:59:22 +00:00
b76e71906d Update README.md 2025-01-07 07:59:22 +00:00
5bbfb57a29 Update README.md 2025-01-07 07:59:22 +00:00
root
1ef4939a94 add DAEMON_FLAGS to config.env and command to docker-compose (for enabling debugging 2025-01-05 21:32:21 +00:00
bce011d6dc update documentation 2025-01-05 16:16:38 +00:00
root
1afa46fa4d fix volume mount for haproxy 2025-01-05 16:00:37 +00:00
9a211eb3b1 update documentation 2025-01-05 15:58:17 +00:00
4fddb66e44 add stunnel to support tls connection for atheme 2025-01-04 05:36:04 +00:00
root
877a4607a5 update config env example 2024-11-19 08:08:15 +00:00
root
51efc3bf7a remove from include 2024-11-19 02:23:24 +00:00
root
57015df912 add default chanmodes to inspircd.conf for future updates 2024-11-19 02:22:28 +00:00
root
504021112a dont include twice 2024-11-18 23:26:59 +00:00
root
29c83aec39 update include.conf 2024-11-18 22:14:04 +00:00
root
67f06bcd0c fix file name 2024-11-18 13:41:46 +00:00
root
bcfadfa27d add sasl ssl enable option 2024-11-18 13:38:46 +00:00
root
81f9c05d49 fix tor and update example conf 2024-11-16 13:21:37 +00:00
root
c5a562a08b change some settings for torrc and haproxy config 2024-11-16 11:31:00 +00:00
root
e1be1dd320 add configuration for tor / haproxy compatibility (PROXY protocol V1 to PROXY protocol v2) 2024-11-16 09:29:17 +00:00
root
ef1f793a64 restrict chans in example 2024-11-07 01:45:59 +00:00
root
d42ad2767d disable restrict chans 2024-11-07 01:44:56 +00:00
root
1be3d2459b add restart to docker compose 2024-11-06 23:57:14 +00:00
1ac5edbd3d Update README.md 2024-11-06 23:14:44 +00:00
5dd0fbb1b4 clean up documentation 2024-11-06 23:14:10 +00:00
9fff6aba3b update include example 2024-11-06 20:23:33 +00:00
root
86d33f7bd5 update readme 2024-11-06 20:16:51 +00:00
b21a2f2a6d add easyrsa 2024-11-06 20:10:25 +00:00
f203a8a1db ca crt and crl 2024-11-06 20:00:35 +00:00
root
7506dcbe0a more last minute changes 2024-11-06 18:33:31 +00:00
root
464238a25d last minute fixes 2024-11-06 18:08:00 +00:00
root
0633eecb54 add notes on webirc 2024-11-06 16:49:19 +00:00
root
49c07085b6 add notes on tor PROXY port configuration 2024-11-06 16:38:05 +00:00
root
c635d29519 remove antiknocker 2024-11-06 13:31:17 +00:00
root
b170acebb3 gitignore 2024-11-06 13:25:53 +00:00
root
60ee03723a more last minute fixes 2024-11-06 13:25:18 +00:00
root
58e9ea823a some last minute fixes 2024-11-06 11:46:38 +00:00
root
7f99ef3424 fix directory structure and git ignore 2024-11-06 09:13:49 +00:00
root
7dfadf21cd fix directory structure.. 2024-11-06 09:13:09 +00:00
e68e481d6a Update inspircd.conf
fix whitespace
2024-11-04 04:58:36 +00:00
04daaf34ef Update inspircd.conf
clean up and add help.conf
2024-11-04 04:51:55 +00:00
76c4102944 Merge pull request 'Re-ordered and organized a few things' (#2) from acidvegas/inspircd:master into master
Reviewed-on: supernets/inspircd#2
2024-11-04 04:45:29 +00:00
34 changed files with 7170 additions and 412 deletions

1
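--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+config.env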


@ -1,10 +1,8 @@
ARG BUILD_SERVER_NAME="irc.lame-network.local"
ARG UBUNTU_VERSION="noble"
FROM ubuntu:${UBUNTU_VERSION}
ENV ADMIN_EMAIL="no-reply@lame-netwoork.local"
ENV ADMIN_EMAIL="no-reply@lame-network.local"
ENV SID="01A"
@ -14,29 +12,31 @@ ENV NETWORK_NAME="LameNet"
ENV STS_HOST="irc.lame-network.local"
ENV SASL_REQUIRE_SSL="yes"
ENV SASL_TARGET="service.lame-network.local"
ENV ADMIN_PASSWORD="changeme"
ENV COMMAND_RATE="128000"
ENV COMMAND_RATE="1000"
ENV FAKE_LAG="on"
ENV FAKE_LAG="off"
ENV HARD_SENDQ="1M"
ENV HARD_SENDQ="1048576"
ENV MAX_CHANS="256"
ENV PING_FREQ="64"
ENV RECVQ="8K"
ENV RECVQ="4096"
ENV SOFT_SENDQ="8192"
ENV SOFT_SENDQ="4096"
ENV COMMAND_RATE_THRESHOLD="128"
ENV COMMAND_RATE_THRESHOLD="10"
ENV COMMAND_RATE_THRESHOLD_TIMEOUT="16"
ENV PARTIAL_CONNECT_TIMEOUT="16s"
ENV USE_CONN_FLOOD="yes"
ENV USE_CONN_FLOOD="no"
ENV USE_DNSBL="yes"
@ -48,19 +48,19 @@ ENV LOCAL_MAX="16"
ENV MAX_CONN_WARN="yes"
ENV DEFAULT_USER_MODES="+xWz"
ENV DEFAULT_USER_MODES="+x"
ENV PORT="6667"
ENV RESOLVE_HOST_NAMES="yes"
ENV USE_CONNECT_BAN="yes"
ENV USE_CONNECT_BAN="no"
ENV SSL_USER_MODES="+xWz"
ENV SSL_USER_MODES="+xz"
ENV SSL_PORT="6697"
ENV AUTHENTICATED_USER_MODES="+xwWz"
ENV AUTHENTICATED_USER_MODES="+xz"
ENV SERVER_SSL_PORT="7000"
@ -168,8 +168,6 @@ ENV NET_ADMIN_VHOST="oper/admin.lame-network.local"
ENV GLOBAL_OP_VHOST="oper/op.lame-network.local"
ENV HOPM_VHOST="oper/hopm.lame-network.local"
ENV HELPER_VHOST="oper/helper.lame-network.local"
ENV SERVICES_ULINE="services.lame-network.local"
@ -184,13 +182,7 @@ ENV LINK_TIMEOUT=3600
ENV CLOAK_KEY="changemechangemechangemechangeme"
ENV CLOAK_IGNORE_CASE="no"
ENV CLOAK_MODE="full"
ENV CLOAK_PREFIX="cloak/"
ENV CLOAK_SUFFIX=".hidden"
ENV CLOAK_SUFFIX="hidden"
ENV BLOCK_AMSG_ACTION="killopers"
@ -208,7 +200,7 @@ ENV BOT_MODE_FORCE_NOTICE="no"
ENV CHAN_FILTER_HIDE_MASK="yes"
ENV CHAN_FILTER_MAX_LEN="512"
ENV CHAN_FILTER_MAX_LEN="250"
ENV CHAN_FILTER_NOTIFY_USER="yes"
@ -238,8 +230,6 @@ ENV CHANNELS_OPERS="4294967295"
ENV CHANNELS_USERS="4294967295"
ENV CODE_PAGE="ascii"
ENV CONNECT_BAN_BOOT_WAIT="128"
ENV CONNECT_BAN_DURATION="64"
@ -300,13 +290,13 @@ ENV IRCV3_EXTENDED_JOIN="yes"
ENV JOIN_FLOOD_BOOT_WAIT="32s"
ENV JOIN_FLOOD_DURATION="2m"
ENV JOIN_FLOOD_DURATION="32s"
ENV JOIN_FLOOD_SPLIT_WAIT="32s"
ENV KNOCK_NOTIFY="both"
ENV LIST_MAX_SIZE="100"
ENV LIST_MAX_SIZE="256"
ENV MESSAGE_FLOOD_NOTICE="1.0"
@ -422,6 +412,24 @@ ENV AUDITORIUM_OPER_CAN_SEE="yes"
ENV AUDITORIUM_OP_VISIBLE="no"
ENV IPV4_CLONE="32"
ENV IPV6_CLONE="64"
ENV ROTATE_LOG_PERIOD="86400"
ENV REGEX_TYPE="ecmascript"
ENV ALLOW_CORE_UNLOAD="no"
ENV ANNOUNCE_INVITES="dynamic"
ENV XLINEDB_SAVE_PERIOD="128s"
ENV PERMCHAN_LIST_MODES="yes"
ENV PERMCHANDB_SAVE_PERIOD="128s"
RUN apt -y update
RUN apt -y install coreutils perl git automake autoconf build-essential libpcre2-dev rapidjson-dev libcurl4-gnutls-dev libargon2-dev libmaxminddb-dev libldap2-dev rapidjson-dev libmysqlclient-dev libmysqlclient-dev default-libmysqlclient-dev libpq-dev libre2-dev gnutls-dev libsqlite3-dev libmbedtls-dev libqrencode-dev libpcre3-dev libtre-dev pkg-config libwww-perl
@ -444,7 +452,19 @@ RUN ./modulemanager list | awk '{print $1}' | xargs -i ./modulemanager install {
RUN make -j$(nproc) install
RUN mkdir -p /etc/inspircd /var/lib/inspircd /etc/ssl/inspircd /var/log/inspircd
RUN mkdir -p /etc/inspircd/custom /var/lib/inspircd /etc/ssl/inspircd /var/log/inspircd /etc/inspircd/codepages
WORKDIR docs/conf/codepages
RUN cp ascii.example.conf /etc/inspircd/codepages/ascii.conf
RUN cat iso-8859-1.example.conf | grep -v "include" > /etc/inspircd/codepages/iso-8859-1.conf
RUN cat iso-8859-2.example.conf | grep -v "include" > /etc/inspircd/codepages/iso-8859-2.conf
RUN cat rfc1459.example.conf | grep -v "include" > /etc/inspircd/codepages/rfc1459.conf
RUN cat strict-rfc1459.example.conf | grep -v "include" > /etc/inspircd/codepages/strict-rfc1459.conf
ADD inspircd.conf /etc/inspircd
@ -452,20 +472,17 @@ ADD modules.conf /etc/inspircd
ADD help.conf /etc/inspircd
ADD custom/ /etc/inspircd/custom
ADD include.conf.example /etc/inspircd/custom/include.conf
RUN touch /etc/inspircd/motd.txt
RUN touch /etc/inspircd/oper.motd.txt
ADD GeoLite2-Country.mmdb /etc/inspircd
RUN openssl genrsa -out /etc/ssl/inspircd/server.key
RUN chown -R inspircd:inspircd /etc/inspircd /var/lib/inspircd /var/log/inspircd
RUN openssl req -new -key /etc/ssl/inspircd/server.key -out /etc/ssl/inspircd/server.csr \
-subj "/C=US/ST=Washington/L=Seattle/O=LameNetwork/OU=IT Department/CN=$BUILD_SERVER_NAME"
RUN openssl x509 -req -days 365 -in /etc/ssl/inspircd/server.csr -signkey /etc/ssl/inspircd/server.key -out /etc/ssl/inspircd/server.crt
RUN chown -R inspircd:inspircd /etc/inspircd /etc/ssl/inspircd /var/lib/inspircd /var/log/inspircd
VOLUME /etc/ssl/inspircd
VOLUME /etc/inspircd/custom
VOLUME /var/lib/inspircd
@ -475,4 +492,4 @@ USER inspircd
WORKDIR /
CMD /usr/local/bin/inspircd -c /etc/inspircd/inspircd.conf -F
ENTRYPOINT ["/usr/local/bin/inspircd", "-c", "/etc/inspircd/inspircd.conf", "-F"]
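Review bot: `ENV ADMIN_PASSWORD="changeme"` and `ENV CLOAK_KEY="changemechangemechangemechangeme"` are still shipped as image defaults (hunks at -14,29 and -184,13), so a container started without those keys in `config.env` runs with a publicly known oper password and cloak key, and both values are readable from the image's config metadata. Consider dropping the two defaults from the Dockerfile so the values must be supplied at run time. Before doing so, confirm how inspircd handles an undefined `&env.NAME;` reference; a hard configuration error is the outcome you want here. The rendered page does not mark which side each line belongs to, so this assumes both lines are still present on the new side.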

308
README.md

@ -1,72 +1,290 @@
# Instructions
# Getting started
This docker configuration relies on the host network driver meaning it doesn't setup any internal networks or even a separate NetNS. Your
mileage may vary if you change the intended network driver for Docker. There are a few caveats to how this is designed:
## docker-compose
- if you are not starting from scratch. delete stale containers and: `docker rmi inspi4` and `docker volume rm inspi4_ssl`
- copy `config.env.exmaple` to `config.env` and edit
- optional: if you intend to link, copy `include.default.conf` to `include.conf` and edit (see linking section below.)
- start: `docker-compose -f docker-compose.standalone.yml up -d` also use the linked variant if you intend to link.
- Some configuration is managed through `config.env` and exported to the Docker container as environment variables; This can help with convergence of configuration
between hosts but results in a configuration that cannot be changed with a simple `/quote REHASH`.
- inspircd autoloads any `.conf` file from the `custom/` directory (it's mapped into the container from the `docker-compose.yml` file.
- Environment variables are referenced in the configuration files using `&env.ENV_VAR_NAME;` and this usage can be found throughout the configuration.
- Changing the `config.env` means that the container must be re-created: `docker-compose up -d`
- ~~`docker build -t inspi4 -t inspi4:latest .`~~
- ~~`docker run -it --rm -e 'DEFAULT_BLOCK_HOST_MASK="nothing"' -net host inspi4`~~
# Optional
- ~~create a custom `links.conf`~~
- ~~`docker run -it --rm -e 'DEFAULT_BLOCK_HOST_MASK="nothing"' -net host -v $(pwd)/links.conf:/etc/inspircd/links.conf:ro inspi4`~~
# Linking
- Run `docker exec -it ircd_ircd_linked_1 openssl x509 -sha256 -fingerprint -in /etc/ssl/inspircd/server.crt | tr -d ":" | tr '[:upper:]' '[:lower:]'`
to get the SSL fingerprints, the `fingerprint` refers to the remote SSL certificate fingerprint for each linking section.
- On `hub.netcrave.network` add something like this to the `include.conf`:
When editing configuration, use generated passwords everywhere possible:
```
<autoconnect period="8s"
server="leaf.netcrave.network">
echo $(dd if=/dev/urandom bs=1024 count=1 status=none | sha256sum | base64 | head -c 64
```
Some passwords need to be consistent (uplink send/recv passwords for example) across servers. A subject for improvement would be not using the environment
for unencrypted passwords, see [#TODO](#TODO) section for more info on how this can be improved.
## Hub
- copy `config.env.example` to `config.env` and edit
- copy `include.conf.example` to `custom/include.conf` and edit (don't delete) as much as possible for now
### Internal TLS
The following steps describe how to setup `easyrsa3` for internal TLS. This step is necessary regardless of whether you intended to use
issued certificates for leaf servers because it provides TLS encryption between the hub and it's leaf servers and between services. Refer
to the [#external-tls](#external-tls) section under [#leaf-servers](#leaf-servers) for more info. To bootstrap internal TLS with an `easyrsa3`
CA perform the following:
- cd to `easyrsa3` directory
- `./easyrsa init-pki`
- `./easyrsa build-ca`
- `./easyrsa build-server-full hub.stuff.ts.net`
- `./easyrsa build-server-full leaf1.stuff.ts.net`
- `./easyrsa build-server-full services.stuff.ts.net`
- `./easyrsa gen-crl`
- `./easyrsa gen-dh`
The `.gitignore` takes care of keeping secrets out of the git repo:
There are two directories under `easyrsa3/pki/`: `issued/` and `private/`. The former contains certificates and the latter contains keys:
- copy `ca.crt`, `crl.pem`, and `dh.pem` to `custom/`
- copy hub cert and key to `custom/server.crt` and `custom/server.key` (the server cert and key are named `hub.stuff.ts.net.crt` and `hub.stuff.ts.net.key`
depending on the FQDN used to create the certificate.
The default `include.conf` example already refers to `custom/server.crt` and `custom/server.key` for the `defaultssl` profile:
```
<sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/server.key"
cafile="/etc/inspircd/custom/ca.crt"
crlfile="/etc/inspircd/custom/crl.pem"
dhfile="/etc/inspircd/custom/dh.pem"
name="defaultssl"
tlsv11="no"
tlsv12="yes"
tlsv13="yes"
renegotiation="yes"
requestclientcert="yes"
provider="gnutls">
```
## Hub (continued)
create a `custom/links.conf`. The following describes a declaration for a leaf configuration:
```
<link allowmask="*"
bind="1.2.3.4"
bind="100.79.209.72"
hidden="no"
sslprofile="defaultssl"
fingerprint="c543d8a4a6c825d917d20520e4962e4bcdc3c3c5d856815f7fd626b708842baf"
ipaddr="4.2.3.1"
name="leaf.netcrave.network"
ipaddr="100.83.238.47"
name="lux.supernets.org"
port="&env.SERVER_SSL_PORT;"
recvpass="&env.LINK_RECV_PASSWORD;"
sendpass="&env.LINK_SEND_PASSWORD;"
statshidden="no"
timeout="&env.LINK_TIMEOUT;">
```
- On `leaf.netcrave.network` add something like this to the `include.conf`:
- `chown -R 999 custom/`
- `docker-compose build`
- `docker-compose up -d`
## Leaf servers
- copy `config.env.example` to `config.env` and edit
- copy `include.conf.example` to `custom/include.conf` and edit (don't delete) as much as possible for now
### Internal TLS
- Copy certificate and key as well as `ca.crt` and `dh.pem` from the `easyrsa3` CA (probably located on the hub server) to
the leaf server (these files go in `custom/` and should also be named `server.crt` and `server.key`.)
### Uplink (to hub)
Currently, this is setup for the hub to uplink to leaf servers, but the opposite can be provided with a `<link>` block in the
`include.conf`.
### External TLS
- Copy your issued certificate and key to `custom/irc.crt` and `custom/irc.key` respectively
- Add the following to `custom/include.conf`:
```
<autoconnect period="8s"
server="hub.netcrave.network">
<link allowmask="*"
bind="4.2.3.1"
hidden="no"
sslprofile="defaultssl"
fingerprint="09afef0d8561b8d13e3e7a480ed006caed11d3f5b36c5f4569c60060baa936cd"
ipaddr="1.2.3.4"
name="hub.netcrave.network"
port="&env.SERVER_SSL_PORT;"
recvpass="&env.LINK_RECV_PASSWORD;"
sendpass="&env.LINK_SEND_PASSWORD;"
statshidden="no"
timeout="&env.LINK_TIMEOUT;">
<sslprofile certfile="/etc/inspircd/custom/irc.crt"
keyfile="/etc/inspircd/custom/irc.key"
cafile="/etc/inspircd/custom/irc.ca.crt"
name="supernets_ssl"
tlsv11="no"
tlsv12="yes"
tlsv13="yes"
renegotiation="yes"
requestclientcert="yes"
provider="gnutls">
```
# Linking with services
- Doesn't work yet: https://github.com/atheme/atheme/issues/904
and also change the bind for `6697` to use the `supernets_ssl` profile:
```
<bind address="*"
port="&env.SSL_PORT;"
sslprofile="supernets_ssl"
type="clients">
```
### Tor hidden service
If you don't want Tor, skip to [#leaf-servers-continued](#leaf-servers-continued)
Tor can be configured with HAProxy between inspircd and Tor to identify clients based on their circuit ID; therefore a ULA-based IPv6
hostmask can be assigned to help identify each unique client:
- cd to `tor/`
- `docker-compose up -d`
- To get the hidden service hostname:
```
docker exec -it tor-tor-1 cat /var/lib/tor/ircd/hostname
q6ihxyqviqz76xt6dcpvgidbal64ltbvptbjp4yoxyjihgmqpxugcbid.onion
```
HAProxy is necessary in this case because Tor's `HiddenServiceExportCircuitID` uses PROXY protocol v1 and inspircd uses PROXY protocol v2, HAProxy supports both:
```
frontend tor-north
bind 127.0.0.1:19818 accept-proxy
mode tcp
default_backend inspircd-south
backend inspircd-south
mode tcp
server inspircd 127.0.0.1:7001 send-proxy-v2
```
- cd to `haproxy/`
- `docker-compose up -d`
- By default, the inspircd `include.conf` should already provide the necessary configuration:
```
<bind address="127.0.0.1"
port="7001"
hook="haproxy">
<exception host="*@fc00:dead:beef:4dad::/64"
reason="Tor ULA addresses (represents circuit ID)">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="127.0.0.1/32"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor_haproxy_shim"
port="7001">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="fc00:dead:beef:4dad::/64"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
autojoin="#tor"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor"
port="6668">
```
This unfortunately requires two connect blocks due to how HAProxy support works on inspircd4 (this seems to work differently from inspircd3.)
#### Onionbalance v3
- This is not configured, but I will consider adding it to the Tor configuration if its of interest: https://onionservices.torproject.org/apps/base/onionbalance/v3/tutorial/
`HiddenServiceOnionbalanceInstance` would essentially allow multiple leaf servers to provide Tor access using the same `MasterOnionAddress`
but requires a shared secret between leaf server Tor instances.
There is no TLS for Tor connectivity because Tor hidden services are already encrypted end-to-end. To connect to the hidden service:
```
proxychains4 irssi
/connect q6ihxyqviqz76xt6dcpvgidbal64ltbvptbjp4yoxyjihgmqpxugcbid.onion 6668
```
After connecting the user will have an address that is unique to the circuit ID that is in use:
```
1:08 -!- sq_ [~stelleri@4m4l237j:f6jtvjrf:n6du6chj:hidden]
11:08 -!- ircname : User irc
11:08 -!- hostname : ~irc@fc00:dead:beef:4dad::5e fc00:dead:beef:4dad::5e
11:08 -!- channels : #tor
11:08 -!- server : miami.supernets.org [internet relay chat network]
11:08 -!- modes : +ix
11:08 -!- : * is connecting from an unknown autonomous system
11:08 -!- : * is connecting from an unknown country
11:08 -!- idle : 0 days 0 hours 46 mins 44 secs [signon: Sun Jan 5 17:22:28 2025]
11:08 -!- End of WHOIS
```
## Leaf servers (continued)
- chown -R 999 custom/
- docker-compose build
- docker-compose up -d
## Atheme services
To configure Atheme, add the following to `custom/links.conf` on the hub server:
```
<link allowmask="*"
bind="127.0.0.1"
hidden="no"
ipaddr="127.0.0.1"
name="services.netcrave.network"
port="7001"
name="services.supernets.org"
recvpass="&env.LINK_RECV_PASSWORD;"
sendpass="&env.LINK_SEND_PASSWORD;"
statshidden="no"
timeout="&env.LINK_TIMEOUT;">
```
Atheme also requires the following to be added to `custom/include.conf`:
```
<bind address="127.0.0.1"
port="6000"
type="servers">
```
Note that it does not specify TLS in this case, that's provided with `stunnel`:
- cd into the `stunnel/` directory
- edit `stunnel.conf`
- `docker-compose build`
- `docker-compose up -d`
- Refer to https://github.com/supernets/atheme/tree/master for Atheme configuration instructions.
# Administration
- OPER: `/oper admin <password@config.env>`
- OJOIN Override any channel restriction to join: `/quote ojoin #services`
- SNOMASKS are configured to log to `#opers`
## Debugging
- To start inspircd with debugging, add `-d` to `DAEMON_FLAGS` in `config.env`
- `docker-compose up -d`
- `docker logs -f inspircd-ircd-1`
# TODO
- The `password_hash` in conjunction with the `PBKDF` module can be used to produce hashed passwords which can be used in configuration: https://docs.inspircd.org/3/modules/password_hash/ this unfortunately as it is now assumes that you already have a server running and can use `/MKPASSWD` to create passwords.
- Using `docker-compose up --no-start` will create the container but not start it. This is useful if prior to starting the container more configuration needs
needs to be completed, it maps all of the volumes / files needed, etc. This also allows you to use `docker-compose run` on the created container, but won't
start the container; for running one-off commands that are not pertinent to the container's primary purpose. If inspircd provided some functionality like
creating password hashes or generating certificates from the inspircd executable this would be really useful.


@ -1,29 +1,38 @@
ADMIN_EMAIL="no-reply@lame-network.local"
SID="01A"
SERVER_NAME="irc.lame-network.local"
NETWORK_NAME="NetcraveIRC"
STS_HOST="irc.lame-network.local"
SASL_TARGET="services.lame-network.local"
DAEMON_FLAGS=""
ADMIN_EMAIL="no-reply@supernets.org"
SID="01B"
SERVER_NAME="lux.supernets.org"
NETWORK_NAME="SuperNETs"
STS_HOST="irc.supernets.org"
STS_DURATION="32d"
SASL_TARGET="services.supernets.org"
ADMIN_PASSWORD="changeme"
PORT="6667"
SSL_PORT="6697"
SERVER_SSL_PORT="7000"
HTTP_ACL_PASSWORD="changeme"
HTTP_ACL_USERNAME="netcrave"
ROLE_PLAY_VHOST="roleplay/lame-network.local"
CUSTOM_VERSION="NetcraveIRC"
NET_ADMIN_VHOST="admin/lame-network.local"
GLOBAL_OP_VHOST="oper/lame-network.local"
HOPM_VHOST="hopm/lame-network.local"
HELPER_VHOST="helper/lame-network.local"
SERVICES_ULINE="services.lame-network.local"
WS_ORIGIN_ALLOW="irc.lame-network.local"
HTTP_ACL_USERNAME="supernets"
ROLE_PLAY_VHOST="roleplay/SuperNETs"
CUSTOM_VERSION="c l a n d e s t i n e"
NET_ADMIN_VHOST="admin/SuperNETs"
GLOBAL_OP_VHOST="oper/SuperNETs"
HELPER_VHOST="helper/SuperNETs"
SERVICES_ULINE="services.supernets.org"
WS_ORIGIN_ALLOW="lux.supernets.org"
LINK_RECV_PASSWORD="changeme"
LINK_SEND_PASSWORD="changeme"
LINK_TIMEOUT="32"
CLOAK_KEY="changeme"
CLOAK_PREFIX="cloak/"
CLOAK_SUFFIX=".hidden"
DEFAULT_USER_MODES="xW"
SSL_USER_MODES="xW"
USE_DNSBL="no"
CLOAK_SUFFIX="hidden"
DEFAULT_USER_MODES="x"
SSL_USER_MODES="x"
LINK_TIMEOUT="512s"
COMMAND_RATE="1000"
FAKE_LAG="off"
HARD_SENDQ="1M"
RECVQ="512K"
COMMAND_RATE_THRESHOLD="4096"
PING_FREQ="256"
DISABLE_USERMODES="dDz"
DISABLE_CHMODES="z"
DISABLE_COMMANDS="help info restart reloadmodule loadmodule gloadmodule unloadmodule gunloadmodule greloadmodule monitor watch dccallow map mkpasswd filter"
OPER_CHANNEL_SNOMASK="aAcCkKoOqQtxXdDfFgGjJlLnNrRvVwW"

10
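--- /dev/null
+++ b/custom/.gitignore
@@ -0,0 +1,10 @@
+motd.txt
+oper.motd.txt
+include.conf
+*.crt
+*.key
+*.pem
+!ca.crt
+!crl.pem
+links.conf
+oper.conf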

40
custom/ca.crt Normal file

@ -0,0 +1,40 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

23
custom/crl.pem Normal file

@ -0,0 +1,23 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----


@ -1,57 +1,57 @@
0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗
0,0 0╔══0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔══0,0 0╗ 0,0 0╔════╝ 0,0 0╔══0,0 0╗
0,0 0║ ╚═╝ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0╚0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔╝ 0,0 0╗ 0,0 0╔╝
0╚═══0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔═══╝ 0,0 0╔════╝ 0,0 0╔══0,0 0╗
0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0╚0,0 0╔╝ ╚0,0 0╔╝ 0,0 0║ 0,0 0╗ 0,0 0║ 0,0 0║
0 ╚════╝ ╚════╝ ╚═╝ ╚══════╝ ╚═╝ ╚═╝
0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,12 
0,12 
0,12 
0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗
0,0 0╔═0,0 0╗ 0,0 0║ 0,0 0╔════╝ 0,0 0╔═╝ 0,0 0╔══0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ ╚═╝
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0╗ 0,0 0║ ╚0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0╔════╝ 0,0 0║ ╚═══0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0  0,0 0║
0,0 0║ ╚0,0 0║ 0,0 0╗ 0,0 0║ ╚0,0 0╔╝
0╚═╝ ╚════╝ ╚══════╝ ╚═╝ ╚════╝
4─────────┤ 0THE WILD WILD WEST OF IRC 4├─────────
14• 7 Round-robin irc.supernets.org 14(IPv4/IPv6)
14• 7 Onion 14removed until further notice
14• 7 Ports 6660-6669 & 7000
14• 7SSL/TLS Ports 6697 & 9000
14• 7 Mail 12admin@supernets.org
14• 7 Git 12https://git.supernets.org
14• 7 Twitter 12https://twitter.com/super_nets
14• 7 Website 12https://supernets.org/
4─────────┤ 0MOST DANGEROUS IRC NETWORK 4├────────
14• 7This is a hostile chat environment
14• 7Do not disrupt the orderly operation of the network
14• 7No distribution of child pornography
14• 7See /RULES for a list of network rules
0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗
0,0 0╔══0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔══0,0 0╗ 0,0 0╔════╝ 0,0 0╔══0,0 0╗
0,0 0║ ╚═╝ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0╚0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔╝ 0,0 0╗ 0,0 0╔╝
0╚═══0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔═══╝ 0,0 0╔════╝ 0,0 0╔══0,0 0╗
0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0╚0,0 0╔╝ ╚0,0 0╔╝ 0,0 0║ 0,0 0╗ 0,0 0║ 0,0 0║
0 ╚════╝ ╚════╝ ╚═╝ ╚══════╝ ╚═╝ ╚═╝
0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,12 
0,12 
0,12 
0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗
0,0 0╔═0,0 0╗ 0,0 0║ 0,0 0╔════╝ 0,0 0╔═╝ 0,0 0╔══0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ ╚═╝
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0╗ 0,0 0║ ╚0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0╔════╝ 0,0 0║ ╚═══0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0  0,0 0║
0,0 0║ ╚0,0 0║ 0,0 0╗ 0,0 0║ ╚0,0 0╔╝
0╚═╝ ╚════╝ ╚══════╝ ╚═╝ ╚════╝
4─────────┤ 0THE WILD WILD WEST OF IRC 4├─────────
14• 7 Round-robin irc.supernets.org 14(IPv4/IPv6)
14• 7 Onion 14removed until further notice
14• 7 Ports 6660-6669 & 7000
14• 7SSL/TLS Ports 6697 & 9000
14• 7 Mail 12admin@supernets.org
14• 7 Git 12https://git.supernets.org
14• 7 Twitter 12https://twitter.com/super_nets
14• 7 Website 12https://supernets.org/
4─────────┤ 0MOST DANGEROUS IRC NETWORK 4├────────
14• 7This is a hostile chat environment
14• 7Do not disrupt the orderly operation of the network
14• 7No distribution of child pornography
14• 7See /RULES for a list of network rules


@ -1 +1,57 @@
-
0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗
0,0 0╔══0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔══0,0 0╗ 0,0 0╔════╝ 0,0 0╔══0,0 0╗
0,0 0║ ╚═╝ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0╚0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔╝ 0,0 0╗ 0,0 0╔╝
0╚═══0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0╔═══╝ 0,0 0╔════╝ 0,0 0╔══0,0 0╗
0,0 0╗ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║
0╚0,0 0╔╝ ╚0,0 0╔╝ 0,0 0║ 0,0 0╗ 0,0 0║ 0,0 0║
0 ╚════╝ ╚════╝ ╚═╝ ╚══════╝ ╚═╝ ╚═╝
0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,8 0,4 0,12 
0,12 0,4 0,12 
0,12 0,4 0,12 
0,12 
0,12 
0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗ 0,0 0╗
0,0 0╔═0,0 0╗ 0,0 0║ 0,0 0╔════╝ 0,0 0╔═╝ 0,0 0╔══0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ ╚═╝
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0╗ 0,0 0║ ╚0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0╔════╝ 0,0 0║ ╚═══0,0 0╗
0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0 0║ 0,0  0,0 0║
0,0 0║ ╚0,0 0║ 0,0 0╗ 0,0 0║ ╚0,0 0╔╝
0╚═╝ ╚════╝ ╚══════╝ ╚═╝ ╚════╝
4─────────┤ 0THE WILD WILD WEST OF IRC 4├─────────
14• 7 Round-robin irc.supernets.org 14(IPv4/IPv6)
14• 7 Onion 14removed until further notice
14• 7 Ports 6660-6669 & 7000
14• 7SSL/TLS Ports 6697 & 9000
14• 7 Mail 12admin@supernets.org
14• 7 Git 12https://git.supernets.org
14• 7 Twitter 12https://twitter.com/super_nets
14• 7 Website 12https://supernets.org/
4─────────┤ 0MOST DANGEROUS IRC NETWORK 4├────────
14• 7This is a hostile chat environment
14• 7Do not disrupt the orderly operation of the network
14• 7No distribution of child pornography
14• 7See /RULES for a list of network rules


@ -1,22 +1,18 @@
services:
leaf:
ircd:
restart: on-failure:3
build:
context: .
args:
BUILD_SERVER_NAME: ${SERVER_NAME}
image: inspi4
command: ${DAEMON_FLAGS}
network_mode: "host"
env_file: "config.env"
command: /usr/local/bin/inspircd -c /etc/inspircd/inspircd.conf -F
volumes:
- ./custom:/etc/inspircd/custom:ro
- ssl:/etc/ssl/inspircd
- data:/var/lib/inspircd
- log:/var/log/inspircd
volumes:
data:
name: inspi4_data
ssl:
name: inspi4_ssl
log:
name: inspi4_log
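Review bot: `command: ${DAEMON_FLAGS}` is interpolated by Compose when it parses this file, from the shell environment or a project `.env` file, whereas `env_file: "config.env"` only populates the container's environment. A `DAEMON_FLAGS` set only in `config.env` would therefore expand to an empty string, and the `-d` debugging flag described in the README would never reach inspircd. Either document starting the stack with `docker-compose --env-file config.env up -d`, or have the image's entrypoint read the variable inside the container. The same applies to `BUILD_SERVER_NAME: ${SERVER_NAME}` if that build arg is still on the new side, which the rendered page does not make clear.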

1
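--- /dev/null
+++ b/easyrsa3/.gitignore
@@ -0,0 +1 @@
+pki/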

6131
easyrsa3/easyrsa Executable file

File diff suppressed because it is too large Load Diff


@ -0,0 +1,149 @@
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# A placeholder to handle the --copy-ext feature:
#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
# Note: preserve=no|yes, does nothing for EasyRSA.
# Use sign-req command option 'preserve' instead.
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
serialNumber = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64
serialNumber = Serial-number (eg, device serial-number)
serialNumber_default = $ENV::EASYRSA_REQ_SERIAL
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

15
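--- a/easyrsa3/vars
+++ b/easyrsa3/vars
@@ -0,0 +1,15 @@
+set_var EASYRSA_DN "org"
+set_var EASYRSA_REQ_COUNTRY "US"
+set_var EASYRSA_REQ_PROVINCE "California"
+set_var EASYRSA_REQ_CITY "San Francisco"
+set_var EASYRSA_REQ_ORG "SuperNETs"
+set_var EASYRSA_REQ_EMAIL "no-reply@supernets.org"
+set_var EASYRSA_REQ_OU "IRC"
+set_var EASYRSA_PRESERVE_DN 1
+set_var EASYRSA_NO_PASS 1
+set_var EASYRSA_KEY_SIZE 4096
+set_var EASYRSA_ALGO rsa
+set_var EASYRSA_CA_EXPIRE 3650
+set_var EASYRSA_CERT_EXPIRE 3650
+set_var EASYRSA_CRL_DAYS 180
+set_var EASYRSA_RAND_SN "yes"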
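Review bot: `set_var EASYRSA_NO_PASS 1` makes Easy-RSA write private keys without a passphrase, which appears to include the CA key, and `set_var EASYRSA_CERT_EXPIRE 3650` gives every issued certificate a ten-year lifetime. The inspircd profile in this change set sets `cafile`, `crlfile` and `requestclientcert`, so this CA acts as the trust root for peers and its key deserves more protection than file permissions alone. Consider dropping `EASYRSA_NO_PASS` for the CA and passing `nopass` only when generating service keys. A shorter leaf lifetime such as `set_var EASYRSA_CERT_EXPIRE 825` (illustrative) would limit reliance on revocation. With `EASYRSA_CRL_DAYS 180`, a comment reminding operators to regenerate `crl.pem` before it expires would also help.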


@ -0,0 +1,12 @@
# X509 extensions added to every signed cert
# This file is included for every cert signed, and by default does nothing.
# It could be used to add values every cert should have, such as a CDP as
# demonstrated in the following example:
#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl
# The authority information access extension gives details about how to access
# certain information relating to the CA.
#authorityInfoAccess = caIssuers;URI:http://example.net/pki/my_ca.crt

12
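--- a/easyrsa3/x509-types/ca
+++ b/easyrsa3/x509-types/ca
@@ -0,0 +1,12 @@
+# X509 extensions for a ca
+# Note that basicConstraints will be overridden by Easy-RSA when defining a
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:1
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign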


@ -0,0 +1,7 @@
# X509 extensions for a client
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature


@ -0,0 +1,7 @@
# X509 extensions for a client
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = codeSigning
keyUsage = digitalSignature


@ -0,0 +1,7 @@
# X509 extensions for email
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = emailProtection
keyUsage = digitalSignature,keyEncipherment,nonRepudiation

21
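--- a/easyrsa3/x509-types/kdc
+++ b/easyrsa3/x509-types/kdc
@@ -0,0 +1,21 @@
+# X509 extensions for a KDC server certificate
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}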


@ -0,0 +1,7 @@
# X509 extensions for a server
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment


@ -0,0 +1,7 @@
# X509 extensions for a client/server
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = digitalSignature,keyEncipherment

23
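--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@@ -0,0 +1,23 @@
+ARG UBUNTU_VERSION="noble"
+FROM ubuntu:${UBUNTU_VERSION}
+RUN apt -y update
+RUN apt -y install haproxy
+RUN groupadd docker-haproxy
+RUN useradd --system --shell /bin/bash docker-haproxy -g docker-haproxy
+RUN mkdir -p /var/lib/haproxy/ -p /etc/haproxy
+ADD haproxy.cfg /etc/haproxy
+RUN chown -R docker-haproxy:docker-haproxy /etc/haproxy /var/lib/haproxy
+VOLUME /var/lib/haproxy
+USER docker-haproxy
+CMD haproxy -f /etc/haproxy/haproxy.cfg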
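Review bot: `RUN apt -y update` sits in its own layer, so a cached copy of a stale package index can be reused when the install line changes and the image is built with outdated haproxy packages. Combine the two steps as `RUN apt-get update && apt-get install -y --no-install-recommends haproxy && rm -rf /var/lib/apt/lists/*`. The shell-form `CMD haproxy -f /etc/haproxy/haproxy.cfg` runs under `/bin/sh -c`, so stop signals go to the shell rather than to haproxy; `CMD ["haproxy", "-f", "/etc/haproxy/haproxy.cfg"]` avoids that. `ADD haproxy.cfg /etc/haproxy` does nothing that `COPY` would not, and the service account does not need `--shell /bin/bash`. The same patterns recur in stunnel/Dockerfile and tor/Dockerfile.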


@ -0,0 +1,9 @@
services:
haproxy:
restart: on-failure:3
build:
context: .
image: haproxy
network_mode: "host"
volumes:
- ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
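Review bot: The bind mount targets `/usr/local/etc/haproxy/haproxy.cfg`, but the image built from haproxy/Dockerfile starts haproxy with `-f /etc/haproxy/haproxy.cfg`, so the mounted file is never read. The container keeps running the copy baked in at build time, and edits to ./haproxy.cfg, including any tightening of the listener, have no effect until the image is rebuilt. Mount it where the command looks: `- ./haproxy.cfg:/etc/haproxy/haproxy.cfg:ro`. `/usr/local/etc/haproxy` is the location used by the official haproxy image, not by the Ubuntu package installed here.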

26
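--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -0,0 +1,26 @@
+global
+log stdout format raw local0 debug
+defaults
+log global
+retries 0
+#timeout connect 604800s
+#timeout client 604800s
+#timeout server 604800s
+#timeout tunnel 604800s
+#timeout queue 604800s
+#timeout http-request 604800s
+#timeout http-keep-alive 604800s
+#timeout client-fin 604800s
+#timeout server-fin 604800s
+#timeout check 604800s
+option tcplog
+frontend tor-north
+bind 127.0.0.1:19818 accept-proxy
+mode tcp
+default_backend inspircd-south
+backend inspircd-south
+mode tcp
+server inspircd 127.0.0.1:7001 send-proxy-v2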
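Review bot: Every `timeout` directive in `defaults` is commented out, so the `tor-north` frontend and `inspircd-south` backend run with no connect, client or server timeout. haproxy warns about this at start-up, and stalled or half-open connections arriving through the onion service are never reaped by the proxy and keep holding connection slots. Set at least `timeout connect 10s`, plus explicit `timeout client`, `timeout server` and `timeout tunnel` values sized above the IRC ping interval (the figure is illustrative). `log stdout format raw local0 debug` also logs at debug level, which is worth lowering outside troubleshooting.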


@ -1,28 +1,30 @@
<sslprofile certfile="/etc/ssl/inspircd/server.crt"
compression="no"
keyfile="/etc/ssl/inspircd/server.key"
<include file="/etc/inspircd/codepages/rfc1459.conf">
<sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/server.key"
cafile="/etc/inspircd/custom/ca.crt"
crlfile="/etc/inspircd/custom/crl.pem"
dhfile="/etc/inspircd/custom/dh.pem"
name="defaultssl"
tlsv11="no"
tlsv12="yes"
tlsv13="yes"
renegotiation="no"
requestclientcert="no"
renegotiation="yes"
requestclientcert="yes"
provider="gnutls">
<badhost host="*@*"
reason="default hostmask block">
<exception host="*@100.64.0.0/10"
reason="tailscale network">
<exception host="*@127.0.0.1/32"
reason="Local IRC client">
reason="localhost">
<exception host="*@fc00:dead:beef:4dad::/64"
reason="Tor ULA addresses (represents circuit ID)">
<eventexec command="/bin/true"
event="rehash">
<oper host="*@*"
name="admin"
password="&env.ADMIN_PASSWORD;"
type="NetAdmin">
<showfile endtext="End of uptime"
file="/proc/uptime"
introtext="server uptime:"
@ -33,11 +35,62 @@
introtext="server loadavg:"
name="LOADAVG">
<bind address="*"
<bind address="127.0.0.1"
port="7001"
hook="haproxy">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="127.0.0.1/32"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor_haproxy_shim"
port="7001">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="fc00:dead:beef:4dad::/64"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
autojoin="#tor"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor"
port="6668">
<bind address="127.0.0.1"
port="8000"
type="httpd">
<bind address="*"
<bind address="*"
port="&env.SSL_PORT;"
sslprofile="defaultssl"
type="clients">
@ -46,10 +99,6 @@
port="&env.PORT;"
type="clients">
<bind address="*"
port="7001"
type="servers">
<bind address="*"
port="&env.SERVER_SSL_PORT;"
sslprofile="defaultssl"
@ -68,13 +117,12 @@
fakelag="&env.FAKE_LAG;"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
motd="defaultmotd"
name="all"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.COMMAND_RATE_THRESHOLD_TIMEOUT;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="&env.USE_DNSBL;"
useident="&env.USE_IDENT;"
@ -119,21 +167,6 @@
types="password"
username="&env.HTTP_ACL_USERNAME;">
<autoconnect period="8s"
server="vps-1.lame-network.local">
<link allowmask="*"
bind="1.2.3.4"
hidden="no"
sslprofile="defaultssl"
ipaddr="4.2.3.1"
name="vps-1.lame-network.local"
port="&env.SERVER_SSL_PORT;"
recvpass="&env.LINK_RECV_PASSWORD;"
sendpass="&env.LINK_SEND_PASSWORD;"
statshidden="no"
timeout="&env.LINK_TIMEOUT;">
<ident prefixunqueried="&env.IDENT_PREFIX_UNQUERIED;"
timeout="&env.IDENT_TIMEOUT;">
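Review bot: The `defaultssl` profile at the top of this section now lists `renegotiation="yes"` after the earlier `renegotiation="no"`. The rendering has lost the +/- column, but the newly appearing `cafile`, `crlfile` and `dhfile` lines suggest the `yes` values are the new side. Requesting a client certificate happens in the initial handshake and does not need renegotiation, and leaving renegotiation on for a public TLS listener adds a resource-exhaustion risk without benefit. `renegotiation="no"` together with `requestclientcert="yes"` looks like the intended pair. It is also worth confirming in the module documentation that the `gnutls` provider honours this key at all.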


@ -1,4 +1,5 @@
<include file="/etc/inspircd/modules.conf">
<include file="/etc/inspircd/help.conf">
<include directory="/etc/inspircd/custom">
<badip ipmask="169.254.0.0/16" reason="APIPA">
@ -51,7 +52,7 @@
<badnick nick="SASLSERV" reason="Reserved For Services">
<badnick nick="STATSERV" reason="Reserved For Services">
<cidr ipv4clone="32" ipv6clone="64">
<cidr ipv4clone="&env.IPV4_CLONE;" ipv6clone="&env.IPV6_CLONE;">
<class chanmodes="*"
commands="DIE RESTART REHASH LOADMODULE UNLOADMODULE RELOADMODULE GLOADMODULE GUNLOADMODULE GRELOADMODULE"
@ -92,9 +93,7 @@
<class name="RolePlay"
priv="channels/roleplay channels/roleplay-override">
<define name="VOID" value="8,4 E N T E R T H E V O I D ">
<files motd="/etc/inspircd/custom/motd.txt" opermotd="/etc/inspircd/custom/oper.motd.txt">
<insane hostmasks="&env.INSANE_HOSTMASKS;" ipmasks="&env.INSANE_IPMASKS;" nickmasks="&env.INSANE_NICKMASKS;" trigger="&env.INSANE_TRIGGER;">
@ -110,19 +109,15 @@
maxquit="&env.MAX_QUIT;"
maxtopic="&env.MAX_TOPIC;">
<log method="ring" type="DEFAULT" level="normal" maxsize="1048576">
<log method="file" type="ERROR" level="warning critical" target="errors.log" flush="20">
<log method="file" type="m_dnsbl" level="debug" target="dnsbl.log" flush="20" maxsize="104857600">
<maxlist chan="*" limit="&env.LIST_MAX_SIZE;">
<options allowmismatch="&env.ALLOW_MISMATCH;"
allowzerolimit="&env.ALLOW_ZERO_LIMIT;"
announcets="&env.ANNOUNCE_TS;"
casemapping="ascii"
cyclehosts="&env.CYCLE_HOST_TS;"
cyclehostsfromuser="&env.CYCLE_HOST_FROM_USER;"
defaultbind="auto"
defaultmodes="npst"
exemptchanops="censor:o filter:o nickflood:o nonick:v regmoderated:o"
fixedpart=""
fixedquit=""
@ -155,8 +150,8 @@
<pid file="/tmp/inspircd.pid">
<security allowcoreunload="no"
announceinvites="dynamic"
<security allowcoreunload="&env.ALLOW_CORE_UNLOAD;"
announceinvites="&env.ANNOUNCE_INVITES;"
customversion="&env.CUSTOM_VERSION;"
flatlinks="&env.FLAT_LINKS;"
genericoper="&env.GENERIC_OPER;"
@ -177,17 +172,12 @@
name="GlobalOp"
vhost="&env.GLOBAL_OP_VHOST;">
<type classes="SACommands OperChat BanControl HostCloak ServerLink"
name="HOPM"
vhost="&env.HOPM_VHOST;">
<type classes="HostCloak"
name="Helper"
vhost="&env.HELPER_VHOST;">
<whowas groupsize="&env.WHOWAS_GROUP_SIZE;" maxgroups="&env.WHOWAS_MAX_GROUPS;" maxkeep="&env.WHOWAS_MAX_KEEP;">
<maxmind file="/etc/inspircd/GeoLite2-Country.mmdb">
<sts duration="5m"
@ -195,7 +185,7 @@
port="&env.SSL_PORT;"
preload="yes">
<sasl requiressl="yes"
<sasl requiressl="&env.SASL_REQUIRE_SSL;"
target="&env.SASL_TARGET;">
<alias format="*"
@ -313,42 +303,12 @@
text="GLOBAL"
uline="yes">
<allowchannel name="*">
<anticaps lowercase="abcdefghijklmnopqrstuvwxyz"
uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ">
<argon2 iterations="3"
length="32"
memory="131074"
saltlength="16">
<argon2d memory="131074">
<argon2i iterations="4">
<argon2id iterations="5"
length="64"
memory="262144"
saltlength="32">
<auditorium opcansee="&env.AUDITORIUM_OP_CAN_SEE;"
opercansee="&env.AUDITORIUM_OPER_CAN_SEE;"
opvisible="&env.AUDITORIUM_OP_VISIBLE;">
<autodrop commands="CONNECT DELETE GET HEAD OPTIONS PATCH POST PUT TRACE">
<autojoinident chan="#blackhole"
ident="*">
<bcrypt rounds="16">
<blockamsg action="&env.BLOCK_AMSG_ACTION;"
delay="&env.BLOCK_AMSG_DELAY;">
@ -384,16 +344,10 @@
<channels opers="&env.CHANNELS_OPERS;"
users="&env.CHANNELS_USERS;">
<cloak ignorecase="&env.CLOAK_IGNORE_CASE;"
<cloak method="hmac-sha256-addr"
key="&env.CLOAK_KEY;"
mode="&env.CLOAK_MODE;"
prefix="&env.CLOAK_PREFIX;"
suffix="&env.CLOAK_SUFFIX;">
<codepage name="&env.CODE_PAGE;">
<connectban banmessage="filtered for connection hammering; wait 64 seconds to retry"
bootwait="&env.CONNECT_BAN_BOOT_WAIT;"
duration="&env.CONNECT_BAN_DURATION;"
@ -402,108 +356,6 @@
splitwait="&env.CONNECT_BAN_SPLIT_WAIT;"
threshold="&env.CONNECT_BAN_THRESHOLD;">
<cpcase lower="97"
upper="65">
<cpcase lower="98"
upper="66">
<cpcase lower="99"
upper="67">
<cpcase lower="100"
upper="68">
<cpcase lower="101"
upper="69">
<cpcase lower="102"
upper="70">
<cpcase lower="103"
upper="71">
<cpcase lower="104"
upper="72">
<cpcase lower="105"
upper="73">
<cpcase lower="106"
upper="74">
<cpcase lower="107"
upper="75">
<cpcase lower="108"
upper="76">
<cpcase lower="109"
upper="77">
<cpcase lower="110"
upper="78">
<cpcase lower="111"
upper="79">
<cpcase lower="112"
upper="80">
<cpcase lower="113"
upper="81">
<cpcase lower="114"
upper="82">
<cpcase lower="115"
upper="83">
<cpcase lower="116"
upper="84">
<cpcase lower="117"
upper="85">
<cpcase lower="118"
upper="86">
<cpcase lower="119"
upper="87">
<cpcase lower="120"
upper="88">
<cpcase lower="121"
upper="89">
<cpcase lower="122"
upper="90">
<cpchars index="45">
<cpchars begin="48"
end="57">
<cpchars begin="65"
end="90"
front="yes">
<cpchars begin="91"
end="96"
front="yes">
<cpchars begin="97"
end="122"
front="yes">
<cpchars begin="123"
end="125"
front="yes">
<cpchars front="no"
index="47">
<ctctags allowclientonlytags="&env.CTC_TAGS_ALLOW_CLIENT_ONLY_TAGS;">
<customprefix letter="q"
@ -574,8 +426,6 @@
timeout="5s"
type="record">
<exemptfromfilter target="ALIS">
<exemptfromfilter target="BOTSERV">
@ -625,7 +475,6 @@
<httpd timeout="&env.HTTPD_TIMEOUT;">
<inviteexception bypasskey="&env.INVITE_EXCEPTION_BYPASS_KEY;">
<ircv3 accountnotify="&env.IRCV3_ACCOUNT_NOTIFY;"
@ -638,15 +487,10 @@
<knock notify="&env.KNOCK_NOTIFY;">
<maxmind file="/etc/inspircd/geolite2.mmdb">
<messageflood notice="&env.MESSAGE_FLOOD_NOTICE;"
privmsg="&env.MESSAGE_FLOOD_PRIVMSG;"
tagmsg="&env.MESSAGE_FLOOD_TAG_MSG;">
<monitor maxentries="&env.MONITOR_MAX_ENTRIES;">
<muteban notifyuser="&env.MUTE_BAN_NOTIFY_USER;">
@ -669,32 +513,16 @@
<operprefix prefix="&env.OPER_PREFIX;">
<override enableumode="&env.OVERRIDE_ENABLE_UMODE;"
noisy="&env.OVERRIDE_NOISY;"
requirekey="&env.OVERRIDE_REQUIRE_KEY;">
<pbkdf2 iterations="12288"
length="32">
<pbkdf2prov hash="sha256"
iterations="24576">
<penalty name="HELPOP"
value="60">
<permchanneldb filename="/var/lib/inspircd/permchannels.db"
listmodes="yes"
saveperiod="1d">
<qrcode blockchar=" "
darkcolour="black"
lightcolour="white">
listmodes="&env.PERMCHAN_LIST_MODES;"
saveperiod="&env.PERMCHANDB_SAVE_PERIOD;">
<remove protectedrank="50000"
supportnokicks="&env.REMOVE_SUPPORT_NO_KICKS;">
@ -705,20 +533,16 @@
maxtime="&env.REPEAT_MAX_TIME;"
size="&env.REPEAT_MAX_SIZE;">
<restrictchans allowregistered="&env.RESTRICT_CHANS_ALLOW_REGISTERED;">
<rline engine="&env.RLINE_ENGINE;"
matchonnickchange="&env.RLINE_MATCH_ON_NICK_CHANGE;"
zlineonmatch="&env.RLINE_ZLINE_ON_MATCH;">
<rotatelog period="86400">
<rotatelog period="&env.ROTATE_LOG_PERIOD;">
<securelist exemptregistered="&env.SECURE_LIST_EXEMPT_REGISTERED;"
showmsg="&env.SECURE_LIST_SHOW_MSG;"
waittime="&env.SECURE_LIST_WAIT_TIME;">
<showwhois opersonly="&env.SHOW_WHOIS_OPER_ONLY;"
showfromopers="&env.SHOW_WHOIS_FROM_OPERS;">
@ -736,15 +560,12 @@
<sslmodes enableumode="&env.SSL_ENABLE_UMODE;">
<stdregex type="ecmascript">
<strictsasl reason="Fix your SASL authentication settings and try again">
<stdregex type="&env.REGEX_TYPE;">
<svshold silent="&env.SVS_HOLD_SILENT;">
<timedbans sendnotice="&env.TIMED_BANS_SEND_NOTICE;">
<uline server="&env.SERVICES_ULINE;"
silent="no">
@ -753,12 +574,10 @@
<watch maxwatch="&env.WATCH_MAX;">
<wsorigin allow="&env.WS_ORIGIN_ALLOW;">
<xlinedb filename="/var/lib/inspircd/xline.db"
saveperiod="128s">
saveperiod="&env.XLINEDB_SAVE_PERIOD;">
<zombie cleansplit="&env.ZOMBIE_CLEAN_SPLIT;"
dirtysplit="&env.ZOMBIE_DIRTY_SPLIT;"
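Review bot: `<sasl requiressl="yes"` is shown next to `requiressl="&env.SASL_REQUIRE_SSL;"`, so whether SASL credentials may be sent over the plaintext client listeners now depends on a deployment variable. This assumes the env form is the new side, as the "add sasl ssl enable option" commit in the log suggests. No default or validation is visible in this section, so the example config.env should ship `SASL_REQUIRE_SSL=yes` with a comment such as `# keep "yes": "no" lets SASL passwords cross unencrypted ports`. The same concern applies to `allowcoreunload="&env.ALLOW_CORE_UNLOAD;"` in the `<security>` tag, which was previously a fixed `no`. Both tags continue outside the hunks shown.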


@ -3,7 +3,6 @@
<module name="allowinvite">
<module name="alltime">
<module name="anticaps">
<module name="antiknocker">
<module name="antisnoop">
<module name="argon2">
<module name="asn">
@ -36,7 +35,11 @@
<module name="chgname">
<module name="classban">
<module name="clearchan">
<module name="cloaking">
<module name="cloak">
<module name="cloak_sha256">
<module name="cloak_static">
<module name="cloak_unreal">
<module name="cloak_user">
<module name="clones">
<module name="codepage">
<module name="commonchans">
@ -109,7 +112,6 @@
<module name="modenotice">
<module name="monitor">
<module name="muteban">
<module name="mysql">
<module name="namedmodes">
<module name="namesx">
<module name="nickflood">
@ -134,9 +136,7 @@
<module name="password_hash">
<module name="pbkdf2">
<module name="permchannels">
<module name="pgsql">
<module name="protoctl">
<module name="qrcode">
<module name="redirect">
<module name="regex_glob">
<module name="regex_pcre2">
@ -146,8 +146,6 @@
<module name="regex_tre">
<module name="remove">
<module name="repeat">
<module name="restrictchans">
<module name="restrictmsg">
<module name="rline">
<module name="rmode">
<module name="sajoin">
@ -174,12 +172,9 @@
<module name="shun">
<module name="silence">
<module name="spanningtree">
<module name="sqlite3">
<module name="ssl_gnutls">
<module name="sslinfo">
<module name="sslmodes">
<module name="sslrehashsignal">
<module name="starttls">
<module name="stats_unlinked">
<module name="stripcolor">
<module name="svshold">
@ -196,3 +191,12 @@
<module name="watch">
<module name="websocket">
<module name="xline_db">
<module name="regex_pcre">
<module name="pgsql">
<module name="mysql">
<module name="sqlite3">
<module name="ssl_mbedtls">
<module name="ssl_openssl">
<module name="ssl_gnutls">
<module name="log_sql">
<module name="log_syslog">
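Review bot: The nine modules appended in the last hunk load three TLS providers (`ssl_mbedtls`, `ssl_openssl`, `ssl_gnutls`) and three SQL backends (`pgsql`, `mysql`, `sqlite3`), while the only `<sslprofile>` in this change set uses `provider="gnutls"` and no database tag is visible. Each unused module is extra code in an internet-facing daemon, and each needs its library present in the image to load. Keep only the modules that are configured, or head the block with a comment like `# extra modules: each needs its library in the image and a matching config tag`. `ssl_gnutls`, `pgsql`, `mysql` and `sqlite3` also appear in earlier hunks of this file, so part of this may be a move rather than an addition.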

11
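--- a/stunnel/Dockerfile
+++ b/stunnel/Dockerfile
@@ -0,0 +1,11 @@
+ARG UBUNTU_VERSION="noble"
+FROM ubuntu:${UBUNTU_VERSION}
+RUN apt -y update
+RUN apt -y install stunnel
+ADD stunnel.conf /etc/stunnel/stunnel.conf
+CMD stunnel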
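Review bot: The image has no `USER` instruction, so stunnel runs as root while holding the mounted `/server.key`, unlike haproxy/Dockerfile and tor/Dockerfile, which create a dedicated account and switch to it. The listener in stunnel.conf is on port 7777, which needs no privileges. A `groupadd`/`useradd` pair followed by `USER docker-stunnel` would fit (the name is illustrative, following the sibling images), and stunnel's own `setuid`/`setgid` options are an alternative. The key file mounted by the compose file must then be readable by that account, and stunnel may need a writable `pid` path.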


@ -0,0 +1,20 @@
services:
stunnel:
restart: on-failure:3
build:
context: .
image: stunnel
network_mode: "host"
volumes:
- ../custom/ca.crt:/ca.crt:ro
- ../custom/server.crt:/server.crt:ro
- ../custom/server.key:/server.key:ro
- ./stunnel.conf:/etc/stunnel/stunnel.conf:ro
ulimits:
nofile:
soft: "102400"
hard: "102400"
logging:
driver: "json-file"
options:
max-size: "64k"

8
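--- a/stunnel/stunnel.conf
+++ b/stunnel/stunnel.conf
@@ -0,0 +1,8 @@
+foreground = yes
+[certificate-based server]
+accept = 100.79.209.72:7777
+connect = 127.0.0.1:6000
+cert = /server.crt
+key = /server.key
+CAfile = /ca.crt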
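Review bot: The service is named `[certificate-based server]` and sets `CAfile = /ca.crt`, but nothing enables peer verification, so stunnel does not ask for or validate a client certificate. Any TLS client that can reach 100.79.209.72:7777 is therefore forwarded to 127.0.0.1:6000. Add `verifyChain = yes` and `requireCert = yes` to the section (or `verify = 2` on older stunnel releases) so that only peers holding a certificate issued by this CA reach the backend. The `accept` address is host-specific and would benefit from a comment saying so.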

23
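--- a/tor/Dockerfile
+++ b/tor/Dockerfile
@@ -0,0 +1,23 @@
+ARG UBUNTU_VERSION="noble"
+FROM ubuntu:${UBUNTU_VERSION}
+RUN apt -y update
+RUN apt -y install tor
+RUN groupadd docker-tor
+RUN useradd --system --shell /bin/bash docker-tor -g docker-tor
+RUN mkdir -p /var/lib/tor/ -p /etc/tor
+ADD torrc /etc/tor
+RUN chown -R docker-tor:docker-tor /etc/tor /var/lib/tor
+VOLUME /var/lib/tor
+USER docker-tor
+CMD tor -f /etc/tor/torrc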

20
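--- a/tor/docker-compose.yml
+++ b/tor/docker-compose.yml
@@ -0,0 +1,20 @@
+services:
+tor:
+restart: on-failure:3
+build:
+context: .
+image: tor
+network_mode: "host"
+volumes:
+- data:/var/lib/inspircd
+ulimits:
+nofile:
+soft: "102400"
+hard: "102400"
+logging:
+driver: "json-file"
+options:
+max-size: "64k"
+volumes:
+data:
+name: tor_data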
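Review bot: The named volume is mounted at `/var/lib/inspircd`, but torrc sets `DataDirectory /var/lib/tor` and `HiddenServiceDir /var/lib/tor/ircd`. The onion service's private key therefore lands in the anonymous volume created by `VOLUME /var/lib/tor` in tor/Dockerfile rather than in `tor_data`. That anonymous volume can be lost when the container is removed, after which Tor generates a new key and the service gets a new .onion address. Change the mount to `- data:/var/lib/tor`.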

16
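--- a/tor/torrc
+++ b/tor/torrc
@@ -0,0 +1,16 @@
+DNSPort 0
+SocksPort 0
+TransPort 0
+NATDPort 0
+RunAsDaemon 0
+DataDirectory /var/lib/tor
+HiddenServiceDir /var/lib/tor/ircd
+HiddenServicePort 6668 127.0.0.1:19818
+HiddenServiceMaxStreams 65535
+HiddenServiceExportCircuitID haproxy
+CookieAuthentication 0
+ControlPort 127.0.0.1:9051
+HardwareAccel 1
+Log info stderr
+HiddenServiceSingleHopMode 1
+HiddenServiceNonAnonymousMode 1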
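Review bot: `ControlPort 127.0.0.1:9051` is opened with `CookieAuthentication 0` and no `HashedControlPassword`, so the control port accepts unauthenticated connections. Because the compose file uses `network_mode: "host"`, that loopback port is the host's own, reachable by every local process. The control interface can reconfigure the daemon and manage onion services, so either disable it with `ControlPort 0` if nothing uses it, or set `CookieAuthentication 1`. `HiddenServiceSingleHopMode 1` with `HiddenServiceNonAnonymousMode 1` also gives up server-side location anonymity, which deserves a comment such as `# deliberate: server location is public, single-hop for latency`.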