dont include twice

Dockerfile

@@ -12,6 +12,8 @@ ENV NETWORK_NAME="LameNet"
 
 ENV STS_HOST="irc.lame-network.local"
 
+ENV SASL_REQUIRE_SSL="yes"
+
 ENV SASL_TARGET="service.lame-network.local"
 
 ENV ADMIN_PASSWORD="changeme"

custom/.gitignore

@@ -6,3 +6,5 @@ include.conf
 *.pem
 !ca.crt
 !crl.pem
+links.conf
+oper.conf

haproxy/Dockerfile

@@ -0,0 +1,23 @@
+ARG UBUNTU_VERSION="noble"
+
+FROM ubuntu:${UBUNTU_VERSION}
+
+RUN apt -y update
+
+RUN apt -y install haproxy
+
+RUN groupadd docker-haproxy
+
+RUN useradd --system --shell /bin/bash docker-haproxy -g docker-haproxy
+
+RUN mkdir -p /var/lib/haproxy/ -p /etc/haproxy
+
+ADD haproxy.cfg /etc/haproxy
+
+RUN chown -R docker-haproxy:docker-haproxy /etc/haproxy /var/lib/haproxy
+
+VOLUME /var/lib/haproxy
+
+USER docker-haproxy
+
+CMD haproxy -f /etc/haproxy/haproxy.cfg

haproxy/docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+  haproxy:
+    restart: on-failure:3
+    build:
+      context: .
+    image: haproxy
+    network_mode: "host"

haproxy/haproxy.cfg

@@ -0,0 +1,26 @@
+global
+log stdout format raw local0 debug
+
+defaults
+log     global
+retries 0
+#timeout connect         604800s
+#timeout client          604800s
+#timeout server          604800s
+#timeout tunnel          604800s
+#timeout queue           604800s
+#timeout http-request    604800s
+#timeout http-keep-alive 604800s
+#timeout client-fin      604800s
+#timeout server-fin      604800s
+#timeout check           604800s
+option  tcplog 
+
+frontend tor-north
+  bind                 127.0.0.1:19818 accept-proxy
+  mode                 tcp
+  default_backend      inspircd-south
+
+backend inspircd-south
+  mode   tcp
+  server inspircd 127.0.0.1:7001 send-proxy-v2

include.conf.example

@@ -1,20 +1,5 @@
 <include file="/etc/inspircd/codepages/rfc1459.conf">
 
-#<autoconnect period="8s"
-#             server="temple.supernets.org">
-
-#<link allowmask="*"
-#      bind="1.2.3.4"
-#      hidden="no"
-#      sslprofile="defaultssl"
-#      ipaddr="4.2.3.1"
-#      name="temple.supernets.org"
-#      port="&env.SERVER_SSL_PORT;"
-#      recvpass="&env.LINK_RECV_PASSWORD;"
-#      sendpass="&env.LINK_SEND_PASSWORD;"
-#      statshidden="no"
-#      timeout="&env.LINK_TIMEOUT;">
-
 <sslprofile certfile="/etc/inspircd/custom/server.crt"
             keyfile="/etc/inspircd/custom/server.key"
             cafile="/etc/inspircd/custom/ca.crt"
@@ -28,34 +13,29 @@
             requestclientcert="yes"
             provider="gnutls">
 
-#<sslprofile certfile="/etc/inspircd/custom/server.crt"
-#            compression="no"
-#            keyfile="/etc/ssl/inspircd/custom/server.key"
-#            name="supernets_ssl"
-#            tlsv11="no"
-#            tlsv12="yes"
-#            tlsv13="yes"
-#            renegotiation="no"
-#            requestclientcert="no"
-#            provider="gnutls">
-
-#<badhost host="*@*"
-#         reason="default hostmask block">
+<sslprofile certfile="/etc/inspircd/custom/irc.crt"
+            keyfile="/etc/inspircd/custom/irc.key"
+            cafile="/etc/inspircd/custom/irc.ca.crt"
+            name="supernets_ssl"
+            tlsv11="no"
+            tlsv12="yes"
+            tlsv13="yes"
+            renegotiation="yes"
+            requestclientcert="yes"
+            provider="gnutls">
 
 <exception host="*@100.64.0.0/10"
            reason="tailscale network">
 
 <exception host="*@127.0.0.1/32"
-           reason="Local IRC client">
+           reason="localhost">
+
+<exception host="*@fc00:dead:beef:4dad::/64"
+           reason="Tor ULA addresses (represents circuit ID)">
 
 <eventexec command="/bin/true"
            event="rehash">
 
-<oper host="*@*"
-      name="admin"
-      password="&env.ADMIN_PASSWORD;"
-      type="NetAdmin">
-
 <showfile endtext="End of uptime"
           file="/proc/uptime"
           introtext="server uptime:"
@@ -66,95 +46,64 @@
           introtext="server loadavg:"
           name="LOADAVG">
 
-# from the torrc man page (latest / newer) 
-# HiddenServiceExportCircuitID protocol
-# The onion service will use the given protocol to expose the global circuit identifier 
-# of each inbound client circuit. The only protocol supported right now 'haproxy'. 
-# This option is only for v3 services. (Default: none)
-#
-# Create a hidden service and set HiddenServiceExportCircuitID to 'haproxy' in the
-# torrc, then enable this binding:
-#
-# <bind address="127.0.0.1"
-#      port="7001"
-#      hook="haproxy">
+<bind address="127.0.0.1"
+      port="7001"
+      hook="haproxy">
 
-# and enable the corresponding connect block: 
-# <connect commandrate="&env.COMMAND_RATE;"
-#          fakelag="&env.FAKE_LAG;"
-#          hardsendq="&env.HARD_SENDQ;"
-#          maxchans="&env.MAX_CHANS;"
-#          pingfreq="&env.PING_FREQ;"
-#          recvq="&env.RECVQ;"
-#          softsendq="&env.SOFT_SENDQ;"
-#          threshold="&env.COMMAND_RATE_THRESHOLD;"
-#          timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
-#          usecloak="yes"
-#          useconnflood="&env.USE_CONN_FLOOD;"
-#          usednsbl="no"
-#          useident="no"
-#          resolvehostnames="no"
-#          useconnectban="no"
-#          autojoin="#blackhole"
-#          globalmax="&env.GLOBAL_MAX;"
-#          localmax="&env.LOCAL_MAX;"
-#          maxconnwarn="&env.MAX_CONN_WARN;"
-#          modes="&env.DEFAULT_USER_MODES;"
-#          name="tor"
-#          port="7001">
+<connect commandrate="&env.COMMAND_RATE;"
+         fakelag="&env.FAKE_LAG;"
+         allow="127.0.0.1/32"
+         hardsendq="&env.HARD_SENDQ;"
+         maxchans="&env.MAX_CHANS;"
+         pingfreq="&env.PING_FREQ;"
+         recvq="&env.RECVQ;"
+         softsendq="&env.SOFT_SENDQ;"
+         threshold="&env.COMMAND_RATE_THRESHOLD;"
+         timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
+         usecloak="yes"
+         useconnflood="&env.USE_CONN_FLOOD;"
+         usednsbl="no"
+         useident="no"
+         resolvehostnames="no"
+         useconnectban="no"
+         globalmax="&env.GLOBAL_MAX;"
+         localmax="&env.LOCAL_MAX;"
+         maxconnwarn="&env.MAX_CONN_WARN;"
+         modes="&env.DEFAULT_USER_MODES;"
+         name="tor_haproxy_shim"
+         port="7001">
 
-# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is 
-# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY 
-# protocol)
-
-# <cloak method="hmac-sha256"
-#        suffix="onion"
-#        class="tor">
-
-# uncomment the following to setup WebIRC
-# <gateway type="webirc"
-#          mask="localhost">
-
-# and enable the corresponding connect block: 
-# <connect commandrate="&env.COMMAND_RATE;"
-#          fakelag="&env.FAKE_LAG;"
-#          hardsendq="&env.HARD_SENDQ;"
-#          maxchans="&env.MAX_CHANS;"
-#          pingfreq="&env.PING_FREQ;"
-#          recvq="&env.RECVQ;"
-#          softsendq="&env.SOFT_SENDQ;"
-#          threshold="&env.COMMAND_RATE_THRESHOLD;"
-#          timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
-#          usecloak="yes"
-#          useconnflood="&env.USE_CONN_FLOOD;"
-#          usednsbl="no"
-#          useident="no"
-#          resolvehostnames="no"
-#          useconnectban="no"
-#          autojoin="#blackhole"
-#          globalmax="&env.GLOBAL_MAX;"
-#          localmax="&env.LOCAL_MAX;"
-#          maxconnwarn="&env.MAX_CONN_WARN;"
-#          modes="&env.DEFAULT_USER_MODES;"
-#          name="webirc"
-#          webirc="localhost"
-#          port="7001">
-
-# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is 
-# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY 
-# protocol)
-
-# <cloak method="hmac-sha256"
-#        suffix="webirc"
-#        class="webirc">
+<connect commandrate="&env.COMMAND_RATE;"
+         fakelag="&env.FAKE_LAG;"
+         allow="fc00:dead:beef:4dad::/64"
+         hardsendq="&env.HARD_SENDQ;"
+         maxchans="&env.MAX_CHANS;"
+         pingfreq="&env.PING_FREQ;"
+         recvq="&env.RECVQ;"
+         softsendq="&env.SOFT_SENDQ;"
+         threshold="&env.COMMAND_RATE_THRESHOLD;"
+         timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
+         usecloak="yes"
+         useconnflood="&env.USE_CONN_FLOOD;"
+         usednsbl="no"
+         useident="no"
+         resolvehostnames="no"
+         useconnectban="no"
+         autojoin="#tor"
+         globalmax="&env.GLOBAL_MAX;"
+         localmax="&env.LOCAL_MAX;"
+         maxconnwarn="&env.MAX_CONN_WARN;"
+         modes="&env.DEFAULT_USER_MODES;"
+         name="tor"
+         port="6668">
 
 <bind address="127.0.0.1"
       port="8000"
       type="httpd">
 
-<bind address="*"
+ <bind address="*"
       port="&env.SSL_PORT;"
-      sslprofile="defaultssl"
+      sslprofile="supernets_ssl"
       type="clients">
 
 <bind address="*"
@@ -253,66 +202,3 @@
 <passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass"
              forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired"
              nick="NICKSERV">
-
-#<strictsasl reason="Fix your SASL authentication settings and try again">
-
-#<module name="restrictchans">
-#<module name="restrictmsg">
-#<allowchannel name="*">
-#<restrictchans allowregistered="&env.RESTRICT_CHANS_ALLOW_REGISTERED;">
-
-#<autojoinident chan="#blackhole"
-#              ident="*">
-
-#<autojoinident chan="#blackhole"
-#              ident="*">
-
-#<anticaps lowercase="abcdefghijklmnopqrstuvwxyz"
-#          uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ">
-
-#<module name="account">
-
-#<module name="blockhighlight">
-
-#<module name="connectban">
-
-#<module name="connflood">
-
-#<module name="cve_2024_39844">
-
-#<module name="delayuse">
-
-#<module name="discordnick">
-
-#<module name="eventexec">
-
-#<module name="helpmode">
-
-#<module name="ipinfo_io">
-
-#<module name="ircv3_extjwt">
-
-#<module name="ldapauth">
-
-#<module name="messagelength">
-
-#<module name="multiprefix">
-
-#<module name="opmoderated">
-
-#<module name="randomidxlines">
-
-#<module name="randquote">
-
-#<module name="realnameban">
-
-#<module name="solvemsg">
-
-#<module name="sqlauth">
-
-#<module name="sqloper">
-
-#<module name="qrcode">
-
-#<module name="antiknocker">
-

inspircd.conf

@@ -184,7 +184,7 @@
      port="&env.SSL_PORT;"
      preload="yes">
 
-<sasl requiressl="yes"
+<sasl requiressl="&env.SASL_REQUIRE_SSL;"
       target="&env.SASL_TARGET;">
 
 <alias format="*"

modules.conf

@@ -175,7 +175,6 @@
 <module name="sslinfo">
 <module name="sslmodes">
 <module name="sslrehashsignal">
-<module name="starttls">
 <module name="stats_unlinked">
 <module name="stripcolor">
 <module name="svshold">

tor/Dockerfile

@@ -0,0 +1,23 @@
+ARG UBUNTU_VERSION="noble"
+
+FROM ubuntu:${UBUNTU_VERSION}
+
+RUN apt -y update
+
+RUN apt -y install tor
+
+RUN groupadd docker-tor
+
+RUN useradd --system --shell /bin/bash docker-tor -g docker-tor
+
+RUN mkdir -p /var/lib/tor/ -p /etc/tor
+
+ADD torrc /etc/tor
+
+RUN chown -R docker-tor:docker-tor /etc/tor /var/lib/tor
+
+VOLUME /var/lib/tor
+
+USER docker-tor
+
+CMD tor -f /etc/tor/torrc

tor/docker-compose.yml

@@ -0,0 +1,20 @@
+services:
+  tor:
+    restart: on-failure:3
+    build:
+      context: .
+    image: tor
+    network_mode: "host"
+    volumes:
+      - data:/var/lib/inspircd
+    ulimits:
+      nofile:
+        soft: "102400"
+        hard: "102400"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "64k"
+volumes:
+  data:
+    name: tor_data

tor/torrc

@@ -0,0 +1,16 @@
+DNSPort                             0
+SocksPort                           0
+TransPort                           0
+NATDPort                            0
+RunAsDaemon                         0
+DataDirectory                       /var/lib/tor
+HiddenServiceDir                    /var/lib/tor/ircd
+HiddenServicePort                   6668 127.0.0.1:19818
+HiddenServiceMaxStreams             65535
+HiddenServiceExportCircuitID        haproxy
+CookieAuthentication                0
+ControlPort                         127.0.0.1:9051
+HardwareAccel                       1
+Log                                 info stderr
+HiddenServiceSingleHopMode          1
+HiddenServiceNonAnonymousMode       1