fix tor and update example conf

This commit is contained in:
root 2024-11-16 13:21:37 +00:00
parent c5a562a08b
commit 81f9c05d49
4 changed files with 235 additions and 330 deletions


@ -4,16 +4,16 @@ log stdout format raw local0 debug
defaults
log global
retries 0
timeout connect 604800s
timeout client 604800s
timeout server 604800s
timeout tunnel 604800s
timeout queue 604800s
timeout http-request 604800s
timeout http-keep-alive 604800s
timeout client-fin 604800s
timeout server-fin 604800s
timeout check 604800s
#timeout connect 604800s
#timeout client 604800s
#timeout server 604800s
#timeout tunnel 604800s
#timeout queue 604800s
#timeout http-request 604800s
#timeout http-keep-alive 604800s
#timeout client-fin 604800s
#timeout server-fin 604800s
#timeout check 604800s
option tcplog
frontend tor-north
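Review bot: Whichever side of this hunk is the new one, connections through the tor-north frontend (which starts on the hunk's last line and continues outside it) end up with no meaningful inactivity bound at the proxy layer: the active lines set every timeout to 604800s, i.e. seven days, and the commented copy removes them entirely, in which case haproxy applies no client/server/connect timeout at all and warns at startup that they are missing. In practice only inspircd's own registration timeout and pingfreq reap a stalled onion client, so if the backend is unreachable or at maxconn, haproxy itself holds each half-open socket for up to a week. Keep `timeout client`/`timeout server` long if IRC idle sessions need it, but bound the pre-backend phases, e.g. `timeout connect 10s` and `timeout queue 30s`, so an unresponsive backend does not let queued connections accumulate.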


@ -1,319 +0,0 @@
<include file="/etc/inspircd/codepages/rfc1459.conf">
#<autoconnect period="8s"
# server="temple.supernets.org">
#<link allowmask="*"
# bind="1.2.3.4"
# hidden="no"
# sslprofile="defaultssl"
# ipaddr="4.2.3.1"
# name="temple.supernets.org"
# port="&env.SERVER_SSL_PORT;"
# recvpass="&env.LINK_RECV_PASSWORD;"
# sendpass="&env.LINK_SEND_PASSWORD;"
# statshidden="no"
# timeout="&env.LINK_TIMEOUT;">
<sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/server.key"
cafile="/etc/inspircd/custom/ca.crt"
crlfile="/etc/inspircd/custom/crl.pem"
dhfile="/etc/inspircd/custom/dh.pem"
name="defaultssl"
tlsv11="no"
tlsv12="yes"
tlsv13="yes"
renegotiation="yes"
requestclientcert="yes"
provider="gnutls">
#<sslprofile certfile="/etc/inspircd/custom/server.crt"
# compression="no"
# keyfile="/etc/ssl/inspircd/custom/server.key"
# name="supernets_ssl"
# tlsv11="no"
# tlsv12="yes"
# tlsv13="yes"
# renegotiation="no"
# requestclientcert="no"
# provider="gnutls">
#<badhost host="*@*"
# reason="default hostmask block">
<exception host="*@100.64.0.0/10"
reason="tailscale network">
<exception host="*@127.0.0.1/32"
reason="Local IRC client">
<eventexec command="/bin/true"
event="rehash">
<oper host="*@*"
name="admin"
password="&env.ADMIN_PASSWORD;"
type="NetAdmin">
<showfile endtext="End of uptime"
file="/proc/uptime"
introtext="server uptime:"
name="UPTIME">
<showfile endtext="End of loadavg"
file="/proc/loadavg"
introtext="server loadavg:"
name="LOADAVG">
# from the torrc man page (latest / newer)
# HiddenServiceExportCircuitID protocol
# The onion service will use the given protocol to expose the global circuit identifier
# of each inbound client circuit. The only protocol supported right now 'haproxy'.
# This option is only for v3 services. (Default: none)
#
# Create a hidden service and set HiddenServiceExportCircuitID to 'haproxy' in the
# torrc, then enable this binding:
#
# <bind address="127.0.0.1"
# port="7001"
# hook="haproxy">
# and enable the corresponding connect block:
# <connect commandrate="&env.COMMAND_RATE;"
# fakelag="&env.FAKE_LAG;"
# hardsendq="&env.HARD_SENDQ;"
# maxchans="&env.MAX_CHANS;"
# pingfreq="&env.PING_FREQ;"
# recvq="&env.RECVQ;"
# softsendq="&env.SOFT_SENDQ;"
# threshold="&env.COMMAND_RATE_THRESHOLD;"
# timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
# usecloak="yes"
# useconnflood="&env.USE_CONN_FLOOD;"
# usednsbl="no"
# useident="no"
# resolvehostnames="no"
# useconnectban="no"
# autojoin="#blackhole"
# globalmax="&env.GLOBAL_MAX;"
# localmax="&env.LOCAL_MAX;"
# maxconnwarn="&env.MAX_CONN_WARN;"
# modes="&env.DEFAULT_USER_MODES;"
# name="tor"
# port="7001">
# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is
# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY
# protocol)
# <cloak method="hmac-sha256"
# suffix="onion"
# class="tor">
# uncomment the following to setup WebIRC
# <gateway type="webirc"
# mask="localhost">
# and enable the corresponding connect block:
# <connect commandrate="&env.COMMAND_RATE;"
# fakelag="&env.FAKE_LAG;"
# hardsendq="&env.HARD_SENDQ;"
# maxchans="&env.MAX_CHANS;"
# pingfreq="&env.PING_FREQ;"
# recvq="&env.RECVQ;"
# softsendq="&env.SOFT_SENDQ;"
# threshold="&env.COMMAND_RATE_THRESHOLD;"
# timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
# usecloak="yes"
# useconnflood="&env.USE_CONN_FLOOD;"
# usednsbl="no"
# useident="no"
# resolvehostnames="no"
# useconnectban="no"
# autojoin="#blackhole"
# globalmax="&env.GLOBAL_MAX;"
# localmax="&env.LOCAL_MAX;"
# maxconnwarn="&env.MAX_CONN_WARN;"
# modes="&env.DEFAULT_USER_MODES;"
# name="webirc"
# webirc="localhost"
# port="7001">
# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is
# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY
# protocol)
# <cloak method="hmac-sha256"
# suffix="webirc"
# class="webirc">
<bind address="127.0.0.1"
port="8000"
type="httpd">
<bind address="*"
port="&env.SSL_PORT;"
sslprofile="defaultssl"
type="clients">
<bind address="*"
port="&env.PORT;"
type="clients">
<bind address="*"
port="&env.SERVER_SSL_PORT;"
sslprofile="defaultssl"
type="servers">
<admin email="&env.ADMIN_EMAIL;"
name="admin"
nick="admin">
<server description="internet relay chat network"
id="&env.SID;"
name="&env.SERVER_NAME;"
network="&env.NETWORK_NAME;">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
name="all"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="&env.USE_DNSBL;"
useident="&env.USE_IDENT;"
resolvehostnames="&env.RESOLVE_HOST_NAMES;"
useconnectban="&env.USE_CONNECT_BAN;">
<connect allow="*"
autojoin="#blackhole"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="default"
parent="all"
port="&env.PORT;">
<connect allow="*"
autojoin="#blackhole"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.SSL_USER_MODES;"
name="ssl"
parent="all"
port="&env.SSL_PORT;">
<connect allow="*"
name="authenticated"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.SSL_USER_MODES;"
parent="all"
port="&env.SSL_PORT;"
requireaccount="yes">
<operjoin channel="&env.OPER_CHANNEL;"
override="no">
<httpdacl password="&env.HTTP_ACL_PASSWORD;"
path="/*"
types="password"
username="&env.HTTP_ACL_USERNAME;">
<ident prefixunqueried="&env.IDENT_PREFIX_UNQUERIED;"
timeout="&env.IDENT_TIMEOUT;">
<permchannels channel="&env.OPER_CHANNEL;"
modes="npstOP"
topic="party line">
<permchannels channel="&env.SERVICE_CHANNEL;"
modes="npstOP"
topic="Service monitoring">
<permchannels channel="#blackhole"
modes="ntP"
topic="blackhole">
<exemptfromfilter target="&env.OPER_CHANNEL;">
<exemptfromfilter target="&env.SERVICE_CHANNEL;">
<exemptfromfilter target="&env.HELP_CHANNEL;">
<passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass"
forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired"
nick="NICKSERV">
#<strictsasl reason="Fix your SASL authentication settings and try again">
#<module name="restrictchans">
#<module name="restrictmsg">
#<allowchannel name="*">
#<restrictchans allowregistered="&env.RESTRICT_CHANS_ALLOW_REGISTERED;">
#<autojoinident chan="#blackhole"
# ident="*">
#<autojoinident chan="#blackhole"
# ident="*">
#<anticaps lowercase="abcdefghijklmnopqrstuvwxyz"
# uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ">
#<module name="account">
#<module name="blockhighlight">
#<module name="connectban">
#<module name="connflood">
#<module name="cve_2024_39844">
#<module name="delayuse">
#<module name="discordnick">
#<module name="eventexec">
#<module name="helpmode">
#<module name="ipinfo_io">
#<module name="ircv3_extjwt">
#<module name="ldapauth">
#<module name="messagelength">
#<module name="multiprefix">
#<module name="opmoderated">
#<module name="randomidxlines">
#<module name="randquote">
#<module name="realnameban">
#<module name="solvemsg">
#<module name="sqlauth">
#<module name="sqloper">
#<module name="qrcode">
#<module name="antiknocker">
#<module name="starttls">

224
include.leaf.example.conf Normal file

@ -0,0 +1,224 @@
<include file="/etc/inspircd/codepages/rfc1459.conf">
<autoconnect period="8s"
server="temple.supernets.org">
<link allowmask="*"
bind="1.2.3.4"
hidden="no"
sslprofile="defaultssl"
ipaddr="4.2.3.1"
name="temple.supernets.org"
port="&env.SERVER_SSL_PORT;"
recvpass="&env.LINK_RECV_PASSWORD;"
sendpass="&env.LINK_SEND_PASSWORD;"
statshidden="no"
timeout="&env.LINK_TIMEOUT;">
<sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/server.key"
cafile="/etc/inspircd/custom/ca.crt"
crlfile="/etc/inspircd/custom/crl.pem"
dhfile="/etc/inspircd/custom/dh.pem"
name="defaultssl"
tlsv11="no"
tlsv12="yes"
tlsv13="yes"
renegotiation="yes"
requestclientcert="yes"
provider="gnutls">
<sslprofile certfile="/etc/inspircd/custom/irc.crt"
keyfile="/etc/inspircd/custom/irc.key"
cafile="/etc/inspircd/custom/irc.ca.crt"
name="supernets_ssl"
tlsv11="no"
tlsv12="yes"
tlsv13="yes"
renegotiation="yes"
requestclientcert="yes"
provider="gnutls">
<exception host="*@100.64.0.0/10"
reason="tailscale network">
<exception host="*@127.0.0.1/32"
reason="localhost">
<exception host="*@fc00:dead:beef:4dad::/64"
reason="Tor ULA addresses (represents circuit ID)">
<eventexec command="/bin/true"
event="rehash">
<oper host="*@*"
name="admin"
password="&env.ADMIN_PASSWORD;"
type="NetAdmin">
<showfile endtext="End of uptime"
file="/proc/uptime"
introtext="server uptime:"
name="UPTIME">
<showfile endtext="End of loadavg"
file="/proc/loadavg"
introtext="server loadavg:"
name="LOADAVG">
<bind address="127.0.0.1"
port="7001"
hook="haproxy">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="127.0.0.1/32"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor_haproxy_shim"
port="7001">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="fc00:dead:beef:4dad::/64"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
autojoin="#tor"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor"
port="6668">
<bind address="127.0.0.1"
port="8000"
type="httpd">
<bind address="*"
port="&env.SSL_PORT;"
sslprofile="supernets_ssl"
type="clients">
<bind address="*"
port="&env.PORT;"
type="clients">
<bind address="*"
port="&env.SERVER_SSL_PORT;"
sslprofile="defaultssl"
type="servers">
<admin email="&env.ADMIN_EMAIL;"
name="admin"
nick="admin">
<server description="internet relay chat network"
id="&env.SID;"
name="&env.SERVER_NAME;"
network="&env.NETWORK_NAME;">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
name="all"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="&env.USE_DNSBL;"
useident="&env.USE_IDENT;"
resolvehostnames="&env.RESOLVE_HOST_NAMES;"
useconnectban="&env.USE_CONNECT_BAN;">
<connect allow="*"
autojoin="#blackhole"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="default"
parent="all"
port="&env.PORT;">
<connect allow="*"
autojoin="#blackhole"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.SSL_USER_MODES;"
name="ssl"
parent="all"
port="&env.SSL_PORT;">
<connect allow="*"
name="authenticated"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.SSL_USER_MODES;"
parent="all"
port="&env.SSL_PORT;"
requireaccount="yes">
<operjoin channel="&env.OPER_CHANNEL;"
override="no">
<httpdacl password="&env.HTTP_ACL_PASSWORD;"
path="/*"
types="password"
username="&env.HTTP_ACL_USERNAME;">
<ident prefixunqueried="&env.IDENT_PREFIX_UNQUERIED;"
timeout="&env.IDENT_TIMEOUT;">
<permchannels channel="&env.OPER_CHANNEL;"
modes="npstOP"
topic="party line">
<permchannels channel="&env.SERVICE_CHANNEL;"
modes="npstOP"
topic="Service monitoring">
<permchannels channel="#blackhole"
modes="ntP"
topic="blackhole">
<exemptfromfilter target="&env.OPER_CHANNEL;">
<exemptfromfilter target="&env.SERVICE_CHANNEL;">
<exemptfromfilter target="&env.HELP_CHANNEL;">
<passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass"
forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired"
nick="NICKSERV">
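Review bot: The client-facing `supernets_ssl` profile, which the `type="clients"` TLS bind in this file now selects instead of `defaultssl`, is written with `renegotiation="yes"` and `requestclientcert="yes"`, whereas the copy of that profile removed in this commit had both set to `"no"`; client-initiated TLS renegotiation on a public port is mainly a CPU-amplification exposure, so I would set `renegotiation="no"` there and keep `requestclientcert="yes"` only if certificate fingerprints are actually used for authentication. The `<link>` block has `allowmask="*"` and no `fingerprint` attribute, so accepting the peer server rests entirely on the two env-supplied passwords; since the remote is already pinned with `ipaddr="4.2.3.1"`, `allowmask="4.2.3.1"` plus the peer's certificate fingerprint would make the example safer to copy. Similarly `<oper host="*@*" ... password="&env.ADMIN_PASSWORD;">` permits oper-up from any host with a password stored and compared in the clear; the exception blocks already name the tailscale and loopback ranges, so `host="*@100.64.0.0/10"` together with `hash="bcrypt"` and a hashed value would be the conventional hardening for a file meant to be reused. The whole file is new in this commit, so none of these blocks has context outside the hunk.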


@ -5,7 +5,7 @@ NATDPort 0
RunAsDaemon 0
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/ircd
HiddenServicePort 6667 127.0.0.1:19818
HiddenServicePort 6668 127.0.0.1:19818
HiddenServiceMaxStreams 65535
HiddenServiceExportCircuitID haproxy
CookieAuthentication 0
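Review bot: The rendered page does not show which of the two `HiddenServicePort` lines is the new one, so hedging: if the onion's virtual port is moving from 6667 to 6668, clients that already have the onion's 6667 configured lose service, and Tor accepts several `HiddenServicePort` lines for one service, so keeping `HiddenServicePort 6667 127.0.0.1:19818` alongside the 6668 line during the transition costs nothing. The inspircd `tor` connect class added in this commit is keyed on `port="6668"`, so a retained 6667 virtual port would presumably need its own connect class rather than silently matching a different one. `HiddenServiceMaxStreams 65535` on the context line below is effectively no per-circuit stream limit; that is defensible if the per-circuit-ID `localmax` in the inspircd class is meant to be the real cap, but a comment saying so would keep the two from being tuned independently.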