Cleanup, incus container added, fuck docker for now

.gitattributes

@@ -1 +0,0 @@
-*.conf diff merge text

Dockerfile

@@ -1,31 +0,0 @@
-FROM alpine:latest
-
-# Install required packages
-RUN apk add --no-cache curl nano openssl python3-pip weechat weechat-perl weechat-python
-
-# Create weechat user
-RUN adduser -D -h /home/weechat weechat
-
-# Switch to weechat user
-USER weechat
-WORKDIR /home/weechat
-
-# Create weechat directory structure
-RUN mkdir -p .weechat/{python/autoload,perl/autoload,logs,tls} && chmod 700 .weechat
-
-# Copy our local files into the container
-COPY scripts/python/*.py .weechat/python/autoload/
-COPY scripts/perl/*.pl   .weechat/perl/autoload/
-COPY alias.conf          .weechat/
-
-# Install Python dependencies for scripts
-RUN pip3 install --user requests
-
-# Create fifo for external commands
-RUN mkfifo .weechat/weechat_fifo
-
-# Generate SSL certificate
-RUN openssl req -x509 -new -newkey rsa:4096 -sha256 -days 3650 -nodes -out .weechat/tls/cert.pem -keyout .weechat/tls/cert.pem -subj "/CN=HARDCHATS" && chmod 400 .weechat/tls/cert.pem
-
-# Start actual weechat client
-ENTRYPOINT ["weechat"] 

README.md

@@ -1,13 +1,8 @@
 # WeeChat
-> backup of me weechat setup
 
 ![](preview.png)
 
 ## Table of Contents
-- [Setup](#setup)
-  - [WeeChat](#weechat)
-  - [Relay](#relay)
-  - [Docker](#docker)
 - [Settings](#settings)
   - [Appearance](#appearance)
   - [Settings](#appearance)
@@ -26,51 +21,6 @@
 
 ---
 
-### Setup
-###### Repository for Debian (because Debian is always 7 versions behind to deem themself "stable")
-```shell
-sudo mkdir /root/.gnupg
-sudo chmod 700 /root/.gnupg
-sudo mkdir -p /usr/share/keyrings
-sudo gpg --no-default-keyring --keyring /usr/share/keyrings/weechat-archive-keyring.gpg --keyserver hkps://keys.openpgp.org --recv-keys 11E9DE8848F2B65222AA75B8D1820DB22A11534E
-echo "deb [signed-by=/usr/share/keyrings/weechat-archive-keyring.gpg] https://weechat.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/weechat.list
-sudo apt-get update
-sudo apt-get install weechat-curses weechat-plugins weechat-python weechat-perl
-```
-
-###### WeeChat
-```shell
-git clone https://github.com/tat3r/tdfiglet.git && cd tdfiglet && make && sudo make install && cd
-weechat -P "alias,buflist,charset,exec,fifo,fset,irc,logger,perl,python,relay,script,trigger,typing" -r "/set weechat.plugin.autoload alias,buflist,charset,exec,fifo,fset,irc,logger,perl,python,relay,script,trigger,typing;/save;/quit"
-rm $HOME/.weechat/weechat.log && chmod 700 $HOME/.weechat && mkdir $HOME/.weechat/tls
-git clone --depth 1 https://github.com/acidvegas/weechat.git $HOME/weechat
-mv $HOME/weechat/alias.conf $HOME/.weechat/alias.conf && mv $HOME/weechat/scripts/perl/*.pl $HOME/.weechat/perl/autoload/ && mv $HOME/weechat/scripts/python/*.py $HOME/.weechat/python/autoload/
-mkdir $HOME/.weechat/logs
-mkfifo $HOME/.weechat/weechat_fifo
-openssl req -x509 -new -newkey rsa:4096 -sha256 -days 3650 -out $HOME/.weechat/tls/cert.pem -keyout $HOME/.weechat/tls/cert.pem
-chmod 400 $HOME/.weechat/tls/cert.pem
-```
-
-###### Relay
-```shell
-certbot certonly --standalone -d chat.acid.vegas -m acid.vegas@acid.vegas
-echo -e "[Unit]\nDescription=cerbot renewal\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/certbot renew -n --quiet --agree-tos --deploy-hook /home/acidvegas/.local/share/weechat/renew" > /etc/systemd/system/certbot.service
-echo -e "[Unit]\nDescription=cerbot renewal timer\n\n[Timer]\nOnCalendar=0/12:00:00\nRandomizedDelaySec=1h\nPersistent=true\n\n[Install]\nWantedBy=timers.target" > /etc/systemd/system/certbot.timer
-systemctl enable certbot.timer && systemctl start certbot.timer
-
-echo "#!/bin/bash" > $HOME/.local/share/weechat/renew
-echo "cat /etc/letsencrypt/live/chat.acid.vegas/fullchain.pem /etc/letsencrypt/live/chat.acid.vegas/privkey.pem > $HOME/.config/weechat/tls/relay.pem" >> $HOME/.local/share/weechat/renew
-echo "chown -R acidvegas:acidvegas $HOME/.weechat/tls/relay.pem && chmod 400 $HOME/.confg/weechat/tls/relay.pem" >> $HOME/.local/share/weechat/renew
-echo "printf \'%b\' \'*/relay tlscertkey\n\' > /run/user/1000/weechat/weechat_fifo" >> $HOME/.local/share/weechat/renew
-chmod +x $HOME/.local/share/weechat/renew
-
-mkdir -p $HOME/.config/systemd/user
-echo -e "[Unit]\nDescription=headless weechat relay service\nAfter=network.target\n\n[Service]\nType=forking\nExecStart=/usr/bin/weechat-headless --daemon\n\n[Install]\nWantedBy=default.target" > $HOME/.config/systemd/user/weechat-headless.service
-systemctl --user enable weechat-headless
-```
-
----
-
 ### Settings
 ###### Appearance
 ```
@@ -277,15 +227,13 @@ See [alias.conf](https://github.com/acidvegas/weechat/blob/master/alias.conf) fi
 /set weechat.notify.irc.22f30        highlight
 /set irc.server.anope.autojoin       #anope
 /set irc.serber.blackcatz            #blackcatz
-/set irc.server.blcknd.autojoin      #blcknd,#chat
+/set irc.server.blcknd.autojoin      #blcknd
 /set irc.server.buttes.autojoin      #gamme
 /set irc.server.efnet.autojoin       #2600,#efnetnews,#exchange,#irc30,#lrh
-/set irc.server.gamesurge.autojoin   #nfo-support,#worms
+/set irc.server.gamesurge.autojoin   #worms
 /set weechat.notify.irc.gamesurge    highlight
 /set irc.server.irc.autojoin         #h4x
 /set irc.server.ircstorm.autojoin    #schizophrenia
-/set irc.server.libera.autojoin      #archlinux,#ircv3,#matrix,#music-theory,#python,#raspberrypi,#weechat
-/set weechat.notify.irc.libera       message
 /set irc.server.malvager.autojoin    #malvager
 /set irc.server.sandnet.autojoin     #arab
 /set irc.server.sandnet.away_check   60
@@ -301,7 +249,6 @@ See [alias.conf](https://github.com/acidvegas/weechat/blob/master/alias.conf) fi
 /set irc.server.wormnet.realname     "48 0 US 3.7.2.1"
 /set weechat.notify.irc.wormnet      highlight
 /set irc.server.wtfux.autojoin       #ED,#wtfux
-
 ```
 
 ---
@@ -337,6 +284,11 @@ See [alias.conf](https://github.com/acidvegas/weechat/blob/master/alias.conf) fi
 ```
 /proxy add tor socks5 127.0.0.1 9050
 /set irc.server.CHANGEME.proxy tor
+
+/proxy add dirtysocks socks5 example.dirtysocks.com 8080 myuser mypass
+/set irc.server.CHANGEME.proxy dirtysocks
+
+/set irc.server_default.proxy tor
 ```
 
 ---

assets/certbot.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=cerbot renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew -n --quiet --agree-tos --deploy-hook /home/agent/.local/share/weechat/renew

assets/certbot.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=cerbot renewal timer
+
+[Timer]
+OnCalendar=0/12:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

assets/pmf

@@ -0,0 +1,54 @@
+#!/bin/sh
+# poor mans firewall (weechat edition) - developed by acidvegas (https://git.acid.vegas/weechat)
+
+set -xev
+
+# Configuration
+PORT_SSH='22'
+PORT_RELAY='2222'
+
+# Kernel hardening settings
+mkdir -p /etc/sysctl.d
+{
+  printf "net.ipv4.conf.all.accept_source_route = 0\n"
+  printf "net.ipv6.conf.all.accept_source_route = 0\n"
+  printf "net.ipv4.conf.all.rp_filter = 1\n"
+  printf "net.ipv4.conf.default.rp_filter = 1\n"
+  printf "net.ipv4.conf.all.accept_redirects = 0\n"
+  printf "net.ipv6.conf.all.accept_redirects = 0\n"
+  printf "net.ipv4.conf.default.accept_redirects = 0\n"
+  printf "net.ipv6.conf.default.accept_redirects = 0\n"
+  printf "net.ipv4.conf.all.log_martians = 1\n"
+  printf "kernel.randomize_va_space = 2\n"
+  printf "fs.suid_dumpable = 0\n"
+} > /etc/sysctl.d/99-custom-hardening.conf
+
+# Apply hardening settings
+sysctl -p /etc/sysctl.d/99-custom-hardening.conf
+
+# Flush existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+
+# Default chain policies
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+
+# Common Firewall rules
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-request     -j DROP # Disable response to ping requests
+iptables -A INPUT -p icmp --icmp-type port-unreachable -j DROP
+iptables -A INPUT -i lo -j ACCEPT
+
+# Allow access
+iptables -A INPUT -p tcp --dport $PORT_SSH -j ACCEPT
+iptables -A INPUT -p tcp --dport $PORT_RELAY -j ACCEPT
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+
+# Save rules
+iptables-save > /etc/iptables/iptables.rules

assets/renew

@@ -0,0 +1,6 @@
+#!/bin/bash
+# WeeChat Relay Certificate Renewal Script - Developed by acidvegas (https://git.acid.vegas/weechat)
+RELAY_DOMAIN=$1
+cat /etc/letsencrypt/live/$RELAY_DOMAIN/fullchain.pem /etc/letsencrypt/live/$RELAY_DOMAIN/privkey.pem > /home/agent/.config/weechat/tls/relay.pem
+chown -R agent:agent /home/agent/.weechat/tls/relay.pem && chmod 400 /home/agent/.confg/weechat/tls/relay.pem
+printf '%b' '*/relay tlscertkey\n' > /home/agent/.local/share/weechat/FIFO

setup.sh

@@ -1,6 +1,64 @@
 #!/bin/bash
-docker build -t weechat .
-docker run --restart=always -d --name weechat weechat
+# Weechat Incus Container Setup Script - Developed by acidvegas (https://git.acid.vegas/weechat)
 
-echo "Attach to   WeeChat: docker attach weechat"
-echo "Detach from WeeChat: Ctrl+p Ctrl+q"
+set -xev
+
+create_container() {
+    incus storage create weechat-pool dir
+    incus launch images:debian/12 weechat-container -s weechat-pool
+    incus config set weechat-container boot.autostart true
+    sleep 10
+    incus exec weechat-container -- apt update  -y
+    incus exec weechat-container -- apt upgrade -y
+    incus exec weechat-container -- apt install -y git nano nattended-upgrades wget
+    incus exec weechat-container -- useradd -m -s /bin/bash agent
+    incus exec weechat-container -- journalctl --vacuum-time=1d
+    incus exec weechat-container -- sh -c 'printf "[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K\n" > /etc/systemd/journald.conf'
+    incus exec weechat-container -- systemctl restart systemd-journald
+    incus exec weechat-container -- bash -c "echo 'TERM=xterm-256color' >> /etc/environment"
+    incus config set weechat-container boot.autostart true
+}
+
+
+install_weechat() {
+    incus exec weechat-container -- apt install -y ca-certificates
+    incus exec weechat-container -- mkdir -p /etc/apt/keyrings
+    incus exec weechat-container -- bash -c "curl --silent https://weechat.org/dev/info/debian_repository_signing_key_asc/ > /etc/apt/keyrings/weechat.asc"
+    incus exec weechat-container -- bash -c "echo 'deb     [arch=amd64,i386,arm64,armhf signed-by=/etc/apt/keyrings/weechat.asc] https://weechat.org/debian bookworm main'  > /etc/apt/sources.list.d/weechat.list"
+    incus exec weechat-container -- bash -c "echo 'deb-src [arch=amd64,i386,arm64,armhf signed-by=/etc/apt/keyrings/weechat.asc] https://weechat.org/debian bookworm main' >> /etc/apt/sources.list.d/weechat.list"
+    incus exec weechat-container -- apt update
+    incus exec weechat-container -- apt install -y screen weechat-curses weechat-plugins weechat-python weechat-perl
+}
+
+
+configure_weechat() {
+    incus exec weechat-container -- su - agent -c "weechat -P 'alias,buflist,charset,exec,fifo,fset,irc,logger,perl,python,relay,script,trigger,typing' -r '/set weechat.plugin.autoload alias,buflist,charset,exec,fifo,fset,irc,logger,perl,python,relay,script,trigger,typing;/save;/quit'"
+    incus exec weechat-container -- su - agent -c "mkdir /home/agent/.config/weechat/tls"
+    incus exec weechat-container -- su - agent -c "git clone --depth 1 https://github.com/acidvegas/weechat.git /home/agent/weechat"
+    incus exec weechat-container -- su - agent -c "mv /home/agent/weechat/assets/alias.conf /home/agent/.config/weechat/alias.conf && mv /home/agent/weechat/assets/scripts/perl/*.pl /home/agent/.local/share/weechat/perl/autoload/ && mv /home/agent/weechat/assets/scripts/python/*.py /home/agent/.local/share/weechat/python/autoload/ && rm -rf /home/agent/weechat"
+    incus exec weechat-container -- su - agent -c "mkdir /home/agent/.local/share/weechat/logs"
+    incus exec weechat-container -- su - agent -c "mkfifo /home/agent/.local/share/weechat/FIFO"
+    incus exec weechat-container -- bash -c "git clone https://github.com/tat3r/tdfiglet.git && cd tdfiglet && make && sudo make install && cd && rm -rf tdfiglet"
+}
+
+
+configure_relay() {
+    RELAY_PORT=2222
+    RELAY_DOMAIN=big.dick.acid.vegas
+    CONTAINER_IP=$(incus list | grep weechat-container | awk '{print $6}')
+    
+    incus config device add weechat-container weechat-certbot-port proxy listen=tcp:0.0.0.0:$RELAY_PORT connect=tcp:$CONTAINER_IP:$RELAY_PORT
+    incus config device add weechat-container weechat-relay-port proxy   listen=tcp:0.0.0.0:80          connect=tcp:$CONTAINER_IP:80
+
+    incus file push assets/renew weechat-container/home/agent/.local/share/weechat/renew
+    incus exec weechat-container -- chown agent:agent /home/agent/.local/share/weechat/renew
+    incus exec weechat-container -- chmod +x /home/agent/.local/share/weechat/renew
+ 
+    incus exec weechat-container -- apt install -y certbot
+    incus exec weechat-container -- certbot certonly --standalone -d $RELAY_DOMAIN -m nobody@noname.gov
+    incus file push assets/certbot.service weechat-container/etc/systemd/system/certbot.service
+    incus file push assets/certbot.timer weechat-container/etc/systemd/system/certbot.timer
+    incus exec weechat-container -- systemctl enable certbot.timer && incus exec weechat-container -- systemctl start certbot.timer
+}
+
+create_container && install_weechat && configure_weechat && configure_relay