supernets/inspircd
supernets/inspircd
4
Fork 1
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: supernets:504021112a63b7fa8b421e6e6e8be19f5270efea
Branches Tags
supernets:master
..
compare: supernets:ef1f793a64ad61b5ba9e3733fe8efe07900b46da
Branches Tags
supernets:master

No commits in common. "504021112a63b7fa8b421e6e6e8be19f5270efea" and "ef1f793a64ad61b5ba9e3733fe8efe07900b46da" have entirely different histories.
504021112a ... ef1f793a64

11 changed files with 180 additions and 184 deletions
Show Stats Expand all files Collapse all files

2
Dockerfile
View File

@ -12,8 +12,6 @@ ENV NETWORK_NAME="LameNet"
ENV STS_HOST="irc.lame-network.local" ENV STS_HOST="irc.lame-network.local"
ENV SASL_REQUIRE_SSL="yes"
ENV SASL_TARGET="service.lame-network.local" ENV SASL_TARGET="service.lame-network.local"
ENV ADMIN_PASSWORD="changeme" ENV ADMIN_PASSWORD="changeme"

2
custom/.gitignore vendored
View File

@ -6,5 +6,3 @@ include.conf
*.pem *.pem
!ca.crt !ca.crt
!crl.pem !crl.pem
links.conf
oper.conf

23
haproxy/Dockerfile
View File

@ -1,23 +0,0 @@
ARG UBUNTU_VERSION="noble"
FROM ubuntu:${UBUNTU_VERSION}
RUN apt -y update
RUN apt -y install haproxy
RUN groupadd docker-haproxy
RUN useradd --system --shell /bin/bash docker-haproxy -g docker-haproxy
RUN mkdir -p /var/lib/haproxy/ -p /etc/haproxy
ADD haproxy.cfg /etc/haproxy
RUN chown -R docker-haproxy:docker-haproxy /etc/haproxy /var/lib/haproxy
VOLUME /var/lib/haproxy
USER docker-haproxy
CMD haproxy -f /etc/haproxy/haproxy.cfg

7
haproxy/docker-compose.yml
View File

@ -1,7 +0,0 @@
services:
haproxy:
restart: on-failure:3
build:
context: .
image: haproxy
network_mode: "host"

26
haproxy/haproxy.cfg
View File

@ -1,26 +0,0 @@
global
log stdout format raw local0 debug
defaults
log global
retries 0
#timeout connect 604800s
#timeout client 604800s
#timeout server 604800s
#timeout tunnel 604800s
#timeout queue 604800s
#timeout http-request 604800s
#timeout http-keep-alive 604800s
#timeout client-fin 604800s
#timeout server-fin 604800s
#timeout check 604800s
option tcplog
frontend tor-north
bind 127.0.0.1:19818 accept-proxy
mode tcp
default_backend inspircd-south
backend inspircd-south
mode tcp
server inspircd 127.0.0.1:7001 send-proxy-v2

240
include.conf.example
View File

@ -1,5 +1,20 @@
<include file="/etc/inspircd/codepages/rfc1459.conf"> <include file="/etc/inspircd/codepages/rfc1459.conf">
#<autoconnect period="8s"
# server="temple.supernets.org">
#<link allowmask="*"
# bind="1.2.3.4"
# hidden="no"
# sslprofile="defaultssl"
# ipaddr="4.2.3.1"
# name="temple.supernets.org"
# port="&env.SERVER_SSL_PORT;"
# recvpass="&env.LINK_RECV_PASSWORD;"
# sendpass="&env.LINK_SEND_PASSWORD;"
# statshidden="no"
# timeout="&env.LINK_TIMEOUT;">
<sslprofile certfile="/etc/inspircd/custom/server.crt" <sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/server.key" keyfile="/etc/inspircd/custom/server.key"
cafile="/etc/inspircd/custom/ca.crt" cafile="/etc/inspircd/custom/ca.crt"
@ -13,29 +28,34 @@
requestclientcert="yes" requestclientcert="yes"
provider="gnutls"> provider="gnutls">
<sslprofile certfile="/etc/inspircd/custom/irc.crt" #<sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/irc.key" # compression="no"
cafile="/etc/inspircd/custom/irc.ca.crt" # keyfile="/etc/ssl/inspircd/custom/server.key"
name="supernets_ssl" # name="supernets_ssl"
tlsv11="no" # tlsv11="no"
tlsv12="yes" # tlsv12="yes"
tlsv13="yes" # tlsv13="yes"
renegotiation="yes" # renegotiation="no"
requestclientcert="yes" # requestclientcert="no"
provider="gnutls"> # provider="gnutls">
#<badhost host="*@*"
# reason="default hostmask block">
<exception host="*@100.64.0.0/10" <exception host="*@100.64.0.0/10"
reason="tailscale network"> reason="tailscale network">
<exception host="*@127.0.0.1/32" <exception host="*@127.0.0.1/32"
reason="localhost"> reason="Local IRC client">
<exception host="*@fc00:dead:beef:4dad::/64"
reason="Tor ULA addresses (represents circuit ID)">
<eventexec command="/bin/true" <eventexec command="/bin/true"
event="rehash"> event="rehash">
<oper host="*@*"
name="admin"
password="&env.ADMIN_PASSWORD;"
type="NetAdmin">
<showfile endtext="End of uptime" <showfile endtext="End of uptime"
file="/proc/uptime" file="/proc/uptime"
introtext="server uptime:" introtext="server uptime:"
@ -46,56 +66,87 @@
introtext="server loadavg:" introtext="server loadavg:"
name="LOADAVG"> name="LOADAVG">
<bind address="127.0.0.1" # from the torrc man page (latest / newer)
port="7001" # HiddenServiceExportCircuitID protocol
hook="haproxy"> # The onion service will use the given protocol to expose the global circuit identifier
# of each inbound client circuit. The only protocol supported right now 'haproxy'.
# This option is only for v3 services. (Default: none)
#
# Create a hidden service and set HiddenServiceExportCircuitID to 'haproxy' in the
# torrc, then enable this binding:
#
# <bind address="127.0.0.1"
# port="7001"
# hook="haproxy">
<connect commandrate="&env.COMMAND_RATE;" # and enable the corresponding connect block:
fakelag="&env.FAKE_LAG;" # <connect commandrate="&env.COMMAND_RATE;"
allow="127.0.0.1/32" # fakelag="&env.FAKE_LAG;"
hardsendq="&env.HARD_SENDQ;" # hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;" # maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;" # pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;" # recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;" # softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;" # threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;" # timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes" # usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;" # useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no" # usednsbl="no"
useident="no" # useident="no"
resolvehostnames="no" # resolvehostnames="no"
useconnectban="no" # useconnectban="no"
globalmax="&env.GLOBAL_MAX;" # autojoin="#blackhole"
localmax="&env.LOCAL_MAX;" # globalmax="&env.GLOBAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;" # localmax="&env.LOCAL_MAX;"
modes="&env.DEFAULT_USER_MODES;" # maxconnwarn="&env.MAX_CONN_WARN;"
name="tor_haproxy_shim" # modes="&env.DEFAULT_USER_MODES;"
port="7001"> # name="tor"
# port="7001">
<connect commandrate="&env.COMMAND_RATE;" # uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is
fakelag="&env.FAKE_LAG;" # an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY
allow="fc00:dead:beef:4dad::/64" # protocol)
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;" # <cloak method="hmac-sha256"
pingfreq="&env.PING_FREQ;" # suffix="onion"
recvq="&env.RECVQ;" # class="tor">
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;" # uncomment the following to setup WebIRC
timeout="&env.PARTIAL_CONNECT_TIMEOUT;" # <gateway type="webirc"
usecloak="yes" # mask="localhost">
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no" # and enable the corresponding connect block:
useident="no" # <connect commandrate="&env.COMMAND_RATE;"
resolvehostnames="no" # fakelag="&env.FAKE_LAG;"
useconnectban="no" # hardsendq="&env.HARD_SENDQ;"
autojoin="#tor" # maxchans="&env.MAX_CHANS;"
globalmax="&env.GLOBAL_MAX;" # pingfreq="&env.PING_FREQ;"
localmax="&env.LOCAL_MAX;" # recvq="&env.RECVQ;"
maxconnwarn="&env.MAX_CONN_WARN;" # softsendq="&env.SOFT_SENDQ;"
modes="&env.DEFAULT_USER_MODES;" # threshold="&env.COMMAND_RATE_THRESHOLD;"
name="tor" # timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
port="6668"> # usecloak="yes"
# useconnflood="&env.USE_CONN_FLOOD;"
# usednsbl="no"
# useident="no"
# resolvehostnames="no"
# useconnectban="no"
# autojoin="#blackhole"
# globalmax="&env.GLOBAL_MAX;"
# localmax="&env.LOCAL_MAX;"
# maxconnwarn="&env.MAX_CONN_WARN;"
# modes="&env.DEFAULT_USER_MODES;"
# name="webirc"
# webirc="localhost"
# port="7001">
# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is
# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY
# protocol)
# <cloak method="hmac-sha256"
# suffix="webirc"
# class="webirc">
<bind address="127.0.0.1" <bind address="127.0.0.1"
port="8000" port="8000"
@ -103,7 +154,7 @@
<bind address="*" <bind address="*"
port="&env.SSL_PORT;" port="&env.SSL_PORT;"
sslprofile="supernets_ssl" sslprofile="defaultssl"
type="clients"> type="clients">
<bind address="*" <bind address="*"
@ -202,3 +253,66 @@
<passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass" <passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass"
forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired" forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired"
nick="NICKSERV"> nick="NICKSERV">
#<strictsasl reason="Fix your SASL authentication settings and try again">
#<module name="restrictchans">
#<module name="restrictmsg">
#<allowchannel name="*">
#<restrictchans allowregistered="&env.RESTRICT_CHANS_ALLOW_REGISTERED;">
#<autojoinident chan="#blackhole"
# ident="*">
#<autojoinident chan="#blackhole"
# ident="*">
#<anticaps lowercase="abcdefghijklmnopqrstuvwxyz"
# uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ">
#<module name="account">
#<module name="blockhighlight">
#<module name="connectban">
#<module name="connflood">
#<module name="cve_2024_39844">
#<module name="delayuse">
#<module name="discordnick">
#<module name="eventexec">
#<module name="helpmode">
#<module name="ipinfo_io">
#<module name="ircv3_extjwt">
#<module name="ldapauth">
#<module name="messagelength">
#<module name="multiprefix">
#<module name="opmoderated">
#<module name="randomidxlines">
#<module name="randquote">
#<module name="realnameban">
#<module name="solvemsg">
#<module name="sqlauth">
#<module name="sqloper">
#<module name="qrcode">
#<module name="antiknocker">

2
inspircd.conf
View File

@ -184,7 +184,7 @@
port="&env.SSL_PORT;" port="&env.SSL_PORT;"
preload="yes"> preload="yes">
<sasl requiressl="&env.SASL_REQUIRE_SSL;" <sasl requiressl="yes"
target="&env.SASL_TARGET;"> target="&env.SASL_TARGET;">
<alias format="*" <alias format="*"

1
modules.conf
View File

@ -175,6 +175,7 @@
<module name="sslinfo"> <module name="sslinfo">
<module name="sslmodes"> <module name="sslmodes">
<module name="sslrehashsignal"> <module name="sslrehashsignal">
<module name="starttls">
<module name="stats_unlinked"> <module name="stats_unlinked">
<module name="stripcolor"> <module name="stripcolor">
<module name="svshold"> <module name="svshold">

23
tor/Dockerfile
View File

@ -1,23 +0,0 @@
ARG UBUNTU_VERSION="noble"
FROM ubuntu:${UBUNTU_VERSION}
RUN apt -y update
RUN apt -y install tor
RUN groupadd docker-tor
RUN useradd --system --shell /bin/bash docker-tor -g docker-tor
RUN mkdir -p /var/lib/tor/ -p /etc/tor
ADD torrc /etc/tor
RUN chown -R docker-tor:docker-tor /etc/tor /var/lib/tor
VOLUME /var/lib/tor
USER docker-tor
CMD tor -f /etc/tor/torrc

20
tor/docker-compose.yml
View File

@ -1,20 +0,0 @@
services:
tor:
restart: on-failure:3
build:
context: .
image: tor
network_mode: "host"
volumes:
- data:/var/lib/inspircd
ulimits:
nofile:
soft: "102400"
hard: "102400"
logging:
driver: "json-file"
options:
max-size: "64k"
volumes:
data:
name: tor_data

16
tor/torrc
View File

@ -1,16 +0,0 @@
DNSPort 0
SocksPort 0
TransPort 0
NATDPort 0
RunAsDaemon 0
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/ircd
HiddenServicePort 6668 127.0.0.1:19818
HiddenServiceMaxStreams 65535
HiddenServiceExportCircuitID haproxy
CookieAuthentication 0
ControlPort 127.0.0.1:9051
HardwareAccel 1
Log info stderr
HiddenServiceSingleHopMode 1
HiddenServiceNonAnonymousMode 1