diff --git a/.gitignore b/.gitignore index 0c11540..10501ce 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ include.conf config.env +atheme.db diff --git a/Dockerfile b/Dockerfile index 78d3223..8e46b0b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ WORKDIR /tmp/atheme RUN git submodule update --init --recursive -RUN ./configure --prefix=/usr/local --enable-large-net --enable-contrib --enable-legacy-pwcrypto +RUN ./configure --prefix=/usr/local --enable-large-net --enable-contrib --enable-legacy-pwcrypto --enable-contrib RUN make -j$(nproc) @@ -50,4 +50,4 @@ VOLUME /etc/ssl/atheme VOLUME /var/log/atheme -ENTRYPOINT ["/usr/local/bin/atheme-services", "-p", "/tmp/atheme.pid", "-n", "-d"] +ENTRYPOINT ["/usr/local/bin/atheme-services", "-p", "/tmp/atheme.pid", "-n"] diff --git a/atheme.conf b/atheme.conf index 56973d6..f775fbd 100644 --- a/atheme.conf +++ b/atheme.conf 
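Review bot: The first Dockerfile hunk only appends `--enable-contrib` to a `./configure` line that already passes `--enable-contrib`, so the build is unchanged and the flag is now listed twice. If a different option was intended here, it is missing. Otherwise the line should stay as `RUN ./configure --prefix=/usr/local --enable-large-net --enable-contrib --enable-legacy-pwcrypto`. The `--enable-legacy-pwcrypto` switch also deserves a one-line comment, since the atheme.conf changes in this commit rely on it for the legacy crypto modules.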
@@ -1,31 +1,29 @@ +loadmodule "/usr/local/modules/security/cmdperm"; loadmodule "/usr/local/modules/protocol/inspircd"; -include "/usr/local/etc/include.conf"; - -#loadmodule "/usr/local/modules/security/cmdperm"; -#loadmodule "/usr/local/modules/protocol/mixin_nohalfops"; -#loadmodule "/usr/local/modules/protocol/mixin_noholdnick"; -#loadmodule "/usr/local/modules/protocol/mixin_noprotect"; -#loadmodule "/usr/local/modules/protocol/mixin_noowner"; +# loadmodule "/usr/local/modules/protocol/mixin_nohalfops"; +# loadmodule "/usr/local/modules/protocol/mixin_noholdnick"; +# loadmodule "/usr/local/modules/protocol/mixin_noprotect"; +# loadmodule "/usr/local/modules/protocol/mixin_noowner"; loadmodule "/usr/local/modules/backend/opensex"; -#loadmodule "/usr/local/modules/crypto/argon2"; -#loadmodule "/usr/local/modules/crypto/scrypt"; -#loadmodule "/usr/local/modules/crypto/pbkdf2v2"; -#loadmodule "/usr/local/modules/crypto/bcrypt"; -#loadmodule "/usr/local/modules/crypto/pbkdf2"; -#loadmodule "/usr/local/modules/crypto/crypt3-sha2-512"; -#loadmodule "/usr/local/modules/crypto/crypt3-sha2-256"; -#loadmodule "/usr/local/modules/crypto/crypt3-md5"; -#loadmodule "/usr/local/modules/crypto/rawsha2-512"; -#loadmodule "/usr/local/modules/crypto/rawsha2-256"; -#loadmodule "/usr/local/modules/crypto/anope-enc-sha256"; -#loadmodule "/usr/local/modules/crypto/rawsha1"; -#loadmodule "/usr/local/modules/crypto/rawmd5"; -#loadmodule "/usr/local/modules/crypto/ircservices"; -#loadmodule "/usr/local/modules/crypto/crypt3-des"; -#loadmodule "/usr/local/modules/crypto/base64"; +# loadmodule "/usr/local/modules/crypto/argon2"; +loadmodule "/usr/local/modules/crypto/scrypt"; +# loadmodule "/usr/local/modules/crypto/pbkdf2v2"; +loadmodule "/usr/local/modules/crypto/bcrypt"; +# loadmodule "/usr/local/modules/crypto/pbkdf2"; +# loadmodule "/usr/local/modules/crypto/crypt3-sha2-512"; +# loadmodule "/usr/local/modules/crypto/crypt3-sha2-256"; +# loadmodule 
"/usr/local/modules/crypto/crypt3-md5"; +loadmodule "/usr/local/modules/crypto/rawsha2-512"; +loadmodule "/usr/local/modules/crypto/rawsha2-256"; +loadmodule "/usr/local/modules/crypto/anope-enc-sha256"; +loadmodule "/usr/local/modules/crypto/rawsha1"; +loadmodule "/usr/local/modules/crypto/rawmd5"; +loadmodule "/usr/local/modules/crypto/ircservices"; +# loadmodule "/usr/local/modules/crypto/crypt3-des"; +loadmodule "/usr/local/modules/crypto/base64"; #loadmodule "/usr/local/modules/auth/ldap"; loadmodule "/usr/local/modules/nickserv/main"; -#loadmodule "/usr/local/modules/nickserv/access"; +loadmodule "/usr/local/modules/nickserv/access"; loadmodule "/usr/local/modules/nickserv/badmail"; loadmodule "/usr/local/modules/nickserv/cert"; loadmodule "/usr/local/modules/nickserv/drop"; @@ -56,14 +54,14 @@ loadmodule "/usr/local/modules/nickserv/restrict"; loadmodule "/usr/local/modules/nickserv/return"; loadmodule "/usr/local/modules/nickserv/setpass"; loadmodule "/usr/local/modules/nickserv/sendpass"; -loadmodule "/usr/local/modules/nickserv/sendpass_user"; +# loadmodule "/usr/local/modules/nickserv/sendpass_user"; loadmodule "/usr/local/modules/nickserv/set_accountname"; loadmodule "/usr/local/modules/nickserv/set_badpasswdmsg"; loadmodule "/usr/local/modules/nickserv/set_email"; loadmodule "/usr/local/modules/nickserv/set_emailmemos"; loadmodule "/usr/local/modules/nickserv/set_enforcetime"; loadmodule "/usr/local/modules/nickserv/set_hidemail"; -loadmodule "/usr/local/modules/nickserv/set_language"; +# loadmodule "/usr/local/modules/nickserv/set_language"; loadmodule "/usr/local/modules/nickserv/set_nevergroup"; loadmodule "/usr/local/modules/nickserv/set_neverop"; loadmodule "/usr/local/modules/nickserv/set_nogreet"; 
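Review bot: The module list at the top of atheme.conf now loads `crypto/rawmd5`, `crypto/rawsha1`, `crypto/rawsha2-256`, `crypto/rawsha2-512`, `crypto/anope-enc-sha256`, `crypto/ircservices` and `crypto/base64` next to scrypt and bcrypt, and nothing in the file says why. These are fast or reversible legacy formats, so any account still stored in one of them is cheap to recover if atheme.db is ever exposed. If they are loaded only to verify an imported database, record that and the removal condition above the group, e.g. `# legacy verify-only formats for the imported database; remove once no account still uses them`. It is also worth noting in a comment that scrypt is the first crypto module loaded and is presumably the one used for new passwords (confirm against the Atheme documentation).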
@@ -86,7 +84,7 @@ loadmodule "/usr/local/modules/chanserv/main"; loadmodule "/usr/local/modules/chanserv/access"; loadmodule "/usr/local/modules/chanserv/akick"; loadmodule "/usr/local/modules/chanserv/ban"; -loadmodule "/usr/local/modules/chanserv/unban_self"; +# loadmodule "/usr/local/modules/chanserv/unban_self"; loadmodule "/usr/local/modules/chanserv/bansearch"; loadmodule "/usr/local/modules/chanserv/clone"; loadmodule "/usr/local/modules/chanserv/close"; @@ -168,7 +166,7 @@ loadmodule "/usr/local/modules/operserv/rmatch"; loadmodule "/usr/local/modules/operserv/rnc"; loadmodule "/usr/local/modules/operserv/rwatch"; loadmodule "/usr/local/modules/operserv/set"; -loadmodule "/usr/local/modules/operserv/sgline"; +# loadmodule "/usr/local/modules/operserv/sgline"; loadmodule "/usr/local/modules/operserv/shutdown"; loadmodule "/usr/local/modules/operserv/soper"; loadmodule "/usr/local/modules/operserv/specs"; @@ -191,7 +189,7 @@ loadmodule "/usr/local/modules/saslserv/ecdh-x25519-challenge"; loadmodule "/usr/local/modules/saslserv/ecdsa-nist256p-challenge"; loadmodule "/usr/local/modules/saslserv/external"; loadmodule "/usr/local/modules/saslserv/plain"; -loadmodule "/usr/local/modules/saslserv/scram"; +# loadmodule "/usr/local/modules/saslserv/scram"; loadmodule "/usr/local/modules/gameserv/dice"; loadmodule "/usr/local/modules/gameserv/eightball"; loadmodule "/usr/local/modules/gameserv/gamecalc"; 
@@ -250,48 +248,48 @@ loadmodule "/usr/local/modules/groupserv/set_joinflags"; loadmodule "/usr/local/modules/groupserv/set_open"; loadmodule "/usr/local/modules/groupserv/set_public"; loadmodule "/usr/local/modules/groupserv/set_url"; -#loadmodule "/usr/local/modules/misc/httpd"; -#loadmodule "/usr/local/modules/misc/login_throttling"; -#loadmodule "/usr/local/modules/transport/xmlrpc"; -#loadmodule "/usr/local/modules/exttarget/oper"; -#loadmodule "/usr/local/modules/exttarget/registered"; -#loadmodule "/usr/local/modules/exttarget/channel"; -#loadmodule "/usr/local/modules/exttarget/chanacs"; -#loadmodule "/usr/local/modules/exttarget/server"; -#loadmodule "/usr/local/modules/proxyscan/dnsbl"; +loadmodule "/usr/local/modules/misc/httpd"; +loadmodule "/usr/local/modules/misc/login_throttling"; +loadmodule "/usr/local/modules/transport/xmlrpc"; +loadmodule "/usr/local/modules/exttarget/oper"; +loadmodule "/usr/local/modules/exttarget/registered"; +loadmodule "/usr/local/modules/exttarget/channel"; +loadmodule "/usr/local/modules/exttarget/chanacs"; +loadmodule "/usr/local/modules/exttarget/server"; +loadmodule "/usr/local/modules/proxyscan/dnsbl"; +include "/usr/local/etc/include.conf"; crypto { -# argon2_type = "argon2id"; -# argon2_memcost = 16; -# argon2_timecost = 3; -# argon2_threads = 1; -# argon2_saltlen = 16; -# argon2_hashlen = 64; -# scrypt_memlimit = 14; -# scrypt_opslimit = 524288; -# pbkdf2v2_digest = "SHA2-512"; -# pbkdf2v2_rounds = 64000; -# pbkdf2v2_saltlen = 32; -# scram_mechanisms = "SCRAM-SHA-1,SCRAM-SHA-256,SCRAM-SHA-512"; -# bcrypt_cost = 7; -# crypt3_sha2_256_rounds = 5000; -# crypt3_sha2_512_rounds = 5000; + # argon2_type = "argon2id"; + # argon2_memcost = 16; + # argon2_timecost = 3; + # argon2_threads = 1; + # argon2_saltlen = 16; + # argon2_hashlen = 64; + # scrypt_memlimit = 14; + # scrypt_opslimit = 524288; + # pbkdf2v2_digest = "SHA2-512"; + # pbkdf2v2_rounds = 64000; + # pbkdf2v2_saltlen = 32; + # scram_mechanisms = 
"SCRAM-SHA-1,SCRAM-SHA-256,SCRAM-SHA-512"; + # bcrypt_cost = 7; + # crypt3_sha2_256_rounds = 5000; + # crypt3_sha2_512_rounds = 5000; }; nickserv { - nick = "NICKSERV"; user = "_"; host = "services/SuperNETs"; real = "Nickname Services"; - spam; - no_nick_ownership; - maxnicks = 5; - expire = 30; - enforce_expire = 14; - enforce_delay = 30; + # spam; + # no_nick_ownership; + maxnicks = 8; + expire = 0; + # enforce_expire = 14; + enforce_delay = 32; enforce_prefix = "`"; - waitreg_time = 0; + waitreg_time = 4; pwquality_warn_only; show_custom_metadata; shorthelp = ""; @@ -300,25 +298,20 @@ nickserv { }; chanserv { - nick = "CHANSERV"; user = "_"; host = "services/SuperNETs"; real = "Channel Services"; - aliases { }; - access { }; - reggroup = "!Services-Team"; maxchans = 5; fantasy; hide_xop; hide_flags_akicks; hide_pubacl_akicks; - templates { vop = "+AV"; hop = "+AHehitrv"; @@ -328,7 +321,6 @@ chanserv { member = "+Ai"; op = "+AOiortv"; }; - deftemplates = "MEMBER=+Ai OP=+AOeiortv"; changets; trigger = "!"; @@ -344,71 +336,55 @@ chanserv { }; chanfix { - nick = "CHANFIX"; user = "_"; host = "services/SuperNETs"; real = "Channel Fixing Service"; - aliases { }; - access { }; - autofix; }; global { - nick = "GLOBAL"; user = "_"; host = "services/SuperNETs"; real = "Network Announcements"; - aliases { }; - access { }; }; infoserv { - nick = "INFOSERV"; user = "_"; host = "services/SuperNETs"; real = "Information Service"; - aliases { }; - access { }; - logoninfo_count = 3; logoninfo_reverse; logoninfo_show_metadata; }; operserv { - nick = "OPERSERV"; user = "_"; host = "services/SuperNETs"; real = "Operator Services"; - aliases { }; - access { }; - modinspect_use_colors; }; saslserv { - nick = "SASLSERV"; user = "_"; host = "services/SuperNETs"; 
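Review bot: Enabling `misc/httpd` together with `transport/xmlrpc` in the `-250,48` hunk opens an interface where account passwords are submitted over plain HTTP (XML-RPC `atheme.login`), and the module list carries no note about that. The httpd block later in this diff binds it to 127.0.0.1, which is what keeps this acceptable, so tie the two together with a comment next to the loadmodule lines such as `# httpd/xmlrpc speak plain HTTP: keep httpd { host } on loopback or terminate TLS in front`. In the same hunk the crypto block stays fully commented out while scrypt and bcrypt are now loaded, so both run with built-in defaults. Consider setting `scrypt_memlimit` and `scrypt_opslimit` explicitly so the cost is visible in review. The nickserv block continues past the end of the hunk.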
@@ -417,173 +393,136 @@ saslserv { }; memoserv { - nick = "MEMOSERV"; user = "_"; host = "services/SuperNETs"; real = "Memo Services"; - aliases { }; - access { }; - - maxmemos = 30; + maxmemos = 64; }; gameserv { - nick = "GAMESERV"; user = "_"; host = "services/SuperNETs"; real = "Game Services"; - aliases { }; - access { }; }; rpgserv { - nick = "RPGSERV"; user = "_"; host = "services/SuperNETs"; real = "RPG Finding Services"; - aliases { }; - access { }; }; botserv { - nick = "BOTSERV"; user = "_"; host = "services/SuperNETs"; real = "Bot Services"; - aliases { }; - access { }; - min_users = 0; }; groupserv { - nick = "GROUPSERV"; user = "_"; host = "services/SuperNETs"; real = "Group Management Services"; - aliases { }; - access { }; - - maxgroups = 5; - maxgroupacs = 100; + maxgroups = 16; + maxgroupacs = 256; enable_open_groups; join_flags = "+"; }; hostserv { - nick = "HOSTSERV"; user = "_"; host = "services/SuperNETs"; real = "Host Management Services"; - aliases { "APPROVE" = "ACTIVATE"; "DENY" = "REJECT"; }; - access { }; - reggroup = "!Services-Team"; no_subsequent_requests; request_per_nick; }; helpserv { - nick = "HELPSERV"; user = "_"; host = "services/SuperNETs"; real = "Help Services"; - aliases { }; - access { }; }; statserv { - nick = "STATSERV"; user = "_"; host = "services/SuperNETs"; real = "Statistics Services"; - aliases { }; - access { }; }; alis { - nick = "ALIS"; user = "_"; host = "services/SuperNETs"; real = "Channel Directory"; - aliases { }; - access { }; - - maxmatches = 64; + maxmatches = 128; }; proxyscan { - nick = "PROXYSCAN"; user = "_"; host = "services/SuperNETs"; real = "Proxyscan Service"; - aliases { }; - access { }; - blacklists { "dnsbl.dronebl.org"; "rbl.efnetrbl.org"; "tor.efnet.org"; }; - - dnsbl_action = kline; + dnsbl_action = snoop; }; httpd { - host = "0.0.0.0"; - host = "::"; + host = "127.0.0.1"; + # host = "::"; www_root = "/var/www"; port = 8080; }; 
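Review bot: In the proxyscan block, `dnsbl_action` goes from `kline` to `snoop` in the same commit that first loads `proxyscan/dnsbl`, and the reason is not recorded. As far as I understand Atheme's actions, snoop only reports a blacklist hit to staff, so clients listed on the three configured DNSBLs stay connected. If this is a trial period, say so above the setting, e.g. `# snoop = report only; switch back to kline once false positives have been reviewed`. The httpd change to `host = "127.0.0.1";` is the safer direction, and a short comment that it must stay on loopback while xmlrpc is loaded would keep it from being reverted casually.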
@@ -607,7 +546,6 @@ operclass "ircop" { privs { special:ircop; }; - privs { user:auspex; user:admin; @@ -615,28 +553,24 @@ operclass "ircop" { user:vhost; user:mark; }; - privs { chan:auspex; chan:admin; chan:cmodes; chan:joinstaffonly; }; - privs { general:auspex; general:helper; general:viewprivs; general:flood; }; - privs { operserv:omode; operserv:akill; operserv:jupe; operserv:global; }; - privs { group:auspex; group:admin; @@ -645,24 +579,20 @@ operclass "ircop" { operclass "sra" { extends "ircop"; - privs { user:exceedlimits; user:hold; user:regnolimit; }; - privs { general:metadata; general:admin; }; - privs { - #operserv:massakill; - #operserv:akill-anymask; + # operserv:massakill; + # operserv:akill-anymask; operserv:noop; operserv:grant; }; - - needoper; + # needoper; }; diff --git a/docker-compose.yml b/docker-compose.yml index 0f9d5b3..7de918a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,12 +11,9 @@ services: - data:/etc/atheme - ./include.conf:/usr/local/etc/include.conf:ro - ./atheme.conf:/usr/local/etc/atheme.conf:ro - - ssl:/etc/ssl/atheme - log:/var/log/atheme volumes: data: name: atheme_data - ssl: - name: atheme_ssl log: name: atheme_log diff --git a/include.default.conf b/include.default.conf index 8c60447..b9fd044 100644 --- a/include.default.conf +++ b/include.default.conf 
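Review bot: Commenting out `needoper;` at the end of operclass "sra" (the `-645,24` hunk) removes the requirement that a user be an IRC operator before the class's privileges apply. The class grants `general:admin`, `operserv:grant`, `user:hold` and, through `extends "ircop"`, the akill and jupe privileges, so being logged in to a listed services account becomes the only gate. Unless there is a specific reason operators cannot oper up on this network, keep `needoper;` enabled. If the change is deliberate, replace the bare `# needoper;` with a comment stating the reason and what compensating control protects those accounts.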
@@ -1,29 +1,29 @@ serverinfo { - name = "lame-network.local"; + name = "services.supernets.org"; desc = "IRC Services"; - numeric = "00A"; - recontime = 10; - netname = "LameNet"; - hidehostsuffix = "users.misconfigured"; + numeric = "10X"; + recontime = 4; + netname = "SuperNETs"; + hidehostsuffix = "hidden"; adminname = "admin"; - adminemail = "no-reply@lame-network.local"; - registeremail = "no-reply@lame-network.local"; - hidden; - mta = "/usr/sbin/sendmail"; + adminemail = "no-reply@supernets.org"; + registeremail = "no-reply@supernets.org"; + # hidden; + # mta = "/usr/sbin/sendmail"; loglevel = { admin; error; info; network; wallops; }; - maxcertfp = 0; - maxlogins = 5; - maxusers = 5; - mdlimit = 30; - emaillimit = 10; - emailtime = 300; + maxcertfp = 8; + maxlogins = 8; + maxusers = 8; + mdlimit = 64; + emaillimit = 8; + emailtime = 256; auth = none; casemapping = rfc1459; }; -uplink "irc.lame-network.local" { +uplink "temple.supernets.org" { host = "127.0.0.1"; - port = 7001; + port = 6000; send_password = "changeme"; receive_password = "changeme"; }; 
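Review bot: The template now names a real server and uplink (`services.supernets.org`, `uplink "temple.supernets.org"` on port 6000), while `send_password` and `receive_password` in the uplink block are still the placeholder "changeme" with nothing marking them as such. A copy of this file used as include.conf would link with default credentials, so add a comment directly above the two lines, e.g. `# placeholders: replace both before linking; they must match the link block on the uplink`. Separately, `mta` is now commented out while atheme.conf still loads `nickserv/sendpass` and `registeremail` is set, so e-mail based recovery presumably cannot deliver. If mail is intentionally disabled, note that next to `# mta`.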
@@ -34,38 +34,34 @@ operator "admin" { }; general { - permissive_mode; + permissive_mode; # https://github.com/atheme/atheme/issues/937 helpchan = "#help"; - helpurl = "https://www.lame-network.local"; + helpurl = "https://www.supernets.org"; verbose_wallops; join_chans; leave_chans; - secure; uflags = { hidemail; }; - cflags = { guard; verbose; }; - raw; - flood_msgs = 7; + cflags = { verbose; verbose_ops; keeptopic; guard; }; + flood_msgs = 0; flood_time = 10; - ratelimit_uses = 5; - ratelimit_period = 60; - vhost_change = 30; - kline_time = 7; - kline_with_ident; + # ratelimit_uses = 5; + # ratelimit_period = 60; + # vhost_change = 30; + kline_time = 1; + # kline_with_ident; kline_verified_ident; clone_time = 0; - commit_interval = 5; + commit_interval = 16; db_save_blocking; operstring = "is an IRC Operator"; servicestring = "is a Network Service"; - default_clone_allowed = 5; + default_clone_allowed = 8; default_clone_warn = 4; clone_identified_increase_limit; uplink_sendq_limit = 1048576; language = "en"; - exempts { }; - allow_taint; immune_level = immune; show_entity_id; diff --git a/stunnel/stunnel.conf.example b/stunnel/stunnel.conf.example index 6fd35c4..f1dba84 100644 --- a/stunnel/stunnel.conf.example +++ b/stunnel/stunnel.conf.example @@ -3,9 +3,7 @@ foreground = yes [PKI client] client = yes accept = 127.0.0.1:6000 -connect = 1.2.3.4:7777 -verifyChain = yes +connect = 100.79.209.72:7777 CAfile = /ca.crt -cert = /server.crt -key = /server.key -checkHost = hub.lame-network.local +verifyChain = yes +checkHost = super-temple.lame-server.local
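Review bot: In the general block, `flood_msgs` drops from 7 to 0 and `ratelimit_uses` / `ratelimit_period` are commented out in the same hunk. As I read the Atheme documentation, a value of 0 turns services flood protection off entirely. Together with the httpd and xmlrpc modules enabled elsewhere in this commit, that leaves `misc/login_throttling` as the only visible limit on request volume. Keep a non-zero threshold, e.g. `flood_msgs = 7;` with `flood_time = 10;`, or add a comment explaining what replaces it. The general block continues past the end of the hunk.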
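Review bot: Removing `cert = /server.crt` and `key = /server.key` from the `[PKI client]` service means stunnel no longer presents a client certificate, so the hub can authenticate services only by the link password, which is still "changeme" in include.default.conf. If the hub verifies client certificates the link will fail, and if it does not, the section name no longer matches what the tunnel provides. Either keep the two lines or add a comment such as `; no client certificate: the hub authenticates services by link password only`. The example also replaces the placeholder `1.2.3.4` with a concrete address in `connect = 100.79.209.72:7777`, and a placeholder would be safer in a file meant to be copied. Check that the `checkHost` value matches a name in the hub certificate, since it still uses a `.local` name unlike the rest of the commit.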