

7 Commits

Author SHA1 Message Date
root
504021112a dont include twice 2024-11-18 23:26:59 +00:00
root
29c83aec39 update include.conf 2024-11-18 22:14:04 +00:00
root
67f06bcd0c fix file name 2024-11-18 13:41:46 +00:00
root
bcfadfa27d add sasl ssl enable option 2024-11-18 13:38:46 +00:00
root
81f9c05d49 fix tor and update example conf 2024-11-16 13:21:37 +00:00
root
c5a562a08b change some settings for torrc and haproxy config 2024-11-16 11:31:00 +00:00
root
e1be1dd320 add configuration for tor / haproxy compatibility (PROXY protocol V1 to PROXY protocol v2) 2024-11-16 09:29:17 +00:00
11 changed files with 184 additions and 180 deletions


@ -12,6 +12,8 @@ ENV NETWORK_NAME="LameNet"
ENV STS_HOST="irc.lame-network.local" ENV STS_HOST="irc.lame-network.local"
ENV SASL_REQUIRE_SSL="yes"
ENV SASL_TARGET="service.lame-network.local" ENV SASL_TARGET="service.lame-network.local"
ENV ADMIN_PASSWORD="changeme" ENV ADMIN_PASSWORD="changeme"
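Review bot: The new `SASL_REQUIRE_SSL` variable is declared without saying what the non-default value gives up, and that matters because it is substituted network-wide into `<sasl requiressl="&env.SASL_REQUIRE_SSL;">` in the later include.conf hunk of this series. Keeping the default at `"yes"` preserves the previously hard-coded behaviour, so a one-line comment above the declaration would make the trade-off visible to whoever edits the env file: `# SASL_REQUIRE_SSL="no" lets clients send SASL credentials over non-TLS connections; keep "yes" unless that is intended`. Reading the rest of the series, onion-service clients arrive on the plaintext haproxy-hooked bind on 127.0.0.1:7001, which is presumably why the switch was added; if so, naming that in the comment stops someone from turning it back on and breaking Tor logins without knowing why.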

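--- a/custom/.gitignore
+++ b/custom/.gitignore
@@ -6,3 +6,5 @@ include.conf
 *.pem
 !ca.crt
 !crl.pem
+links.conf
+oper.conf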

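--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@@ -0,0 +1,23 @@
+ARG UBUNTU_VERSION="noble"
+FROM ubuntu:${UBUNTU_VERSION}
+RUN apt -y update
+RUN apt -y install haproxy
+RUN groupadd docker-haproxy
+RUN useradd --system --shell /bin/bash docker-haproxy -g docker-haproxy
+RUN mkdir -p /var/lib/haproxy/ -p /etc/haproxy
+ADD haproxy.cfg /etc/haproxy
+RUN chown -R docker-haproxy:docker-haproxy /etc/haproxy /var/lib/haproxy
+VOLUME /var/lib/haproxy
+USER docker-haproxy
+CMD haproxy -f /etc/haproxy/haproxy.cfg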
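Review bot: `CMD haproxy -f /etc/haproxy/haproxy.cfg` on the last line is shell form, so `/bin/sh` is PID 1 and haproxy never receives the SIGTERM from `docker stop`; it is killed after the grace period instead of closing sessions cleanly, and tor/Dockerfile has the same shape with `tor -f /etc/tor/torrc`. The package steps also bypass the usual apt hygiene: `apt` rather than `apt-get`, `update` and `install` in separate layers (a cached `update` layer can be paired with a later `install`), no `--no-install-recommends`, and the package lists left in the image; `ADD` is used for a plain local file where `COPY --chown` would also remove the extra `chown -R` layer. The `noble` tag is floating, so two builds are not guaranteed to contain the same packages; pinning the base by digest is the practical answer on Ubuntu, where per-package version pins churn too fast. A service account does not need `--shell /bin/bash`; `/usr/sbin/nologin` is the least-privilege choice. The same rewrite applies to tor/Dockerfile with `tor` substituted for `haproxy`.
```dockerfile
ARG UBUNTU_VERSION="noble"
FROM ubuntu:${UBUNTU_VERSION}
# update + install in one layer so a stale cached index can never be reused,
# and drop the lists so they do not ship in the image
RUN apt-get update \
    && apt-get install -y --no-install-recommends haproxy \
    && rm -rf /var/lib/apt/lists/*
# … unchanged: groupadd / useradd / mkdir …
# COPY, not ADD, for a plain local file; --chown avoids a second chown layer
COPY --chown=docker-haproxy:docker-haproxy haproxy.cfg /etc/haproxy/haproxy.cfg
RUN chown docker-haproxy:docker-haproxy /var/lib/haproxy
VOLUME /var/lib/haproxy
USER docker-haproxy
# exec form: haproxy is PID 1 and receives SIGTERM from docker stop
CMD ["haproxy", "-f", "/etc/haproxy/haproxy.cfg"]
```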


@ -0,0 +1,7 @@
services:
haproxy:
restart: on-failure:3
build:
context: .
image: haproxy
network_mode: "host"
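Review bot: This service sets no `logging` limits, while the haproxy.cfg in this series logs every TCP connection to stdout at debug level (`log stdout format raw local0 debug` plus `option tcplog`), so under the default json-file driver the container log grows without bound on a busy onion service. tor/docker-compose.yml in the same series already caps its log at 64k, so the two files are inconsistent for no visible reason. Adding the same block here keeps them aligned: `logging: {driver: "json-file", options: {max-size: "64k"}}`.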

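--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -0,0 +1,26 @@
+global
+log stdout format raw local0 debug
+defaults
+log global
+retries 0
+#timeout connect 604800s
+#timeout client 604800s
+#timeout server 604800s
+#timeout tunnel 604800s
+#timeout queue 604800s
+#timeout http-request 604800s
+#timeout http-keep-alive 604800s
+#timeout client-fin 604800s
+#timeout server-fin 604800s
+#timeout check 604800s
+option tcplog
+frontend tor-north
+bind 127.0.0.1:19818 accept-proxy
+mode tcp
+default_backend inspircd-south
+backend inspircd-south
+mode tcp
+server inspircd 127.0.0.1:7001 send-proxy-v2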
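Review bot: Every `timeout` line in `defaults` is commented out, so HAProxy starts with its "missing timeouts" warning and a stalled session is never torn down on the proxy side; dead connections then hold file descriptors until the process restarts. IRC sessions are long-lived, but the ircd's own ping timeout already bounds them, so finite values comfortably above it are safe, for example (constructed values) `timeout connect 10s`, `timeout client 30m`, `timeout server 30m`. Separately, `accept-proxy` on `127.0.0.1:19818` trusts any process that can reach that socket to assert an arbitrary client address, including one inside the fc00:dead:beef:4dad::/64 range the InspIRCd config in this series treats as Tor, and with `network_mode: host` that is every process on the host; that trust assumption deserves a comment on the `bind` line, or, if the deployment allows, a unix socket bound with owner and mode restricted to the tor user.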


@ -1,20 +1,5 @@
<include file="/etc/inspircd/codepages/rfc1459.conf"> <include file="/etc/inspircd/codepages/rfc1459.conf">
#<autoconnect period="8s"
# server="temple.supernets.org">
#<link allowmask="*"
# bind="1.2.3.4"
# hidden="no"
# sslprofile="defaultssl"
# ipaddr="4.2.3.1"
# name="temple.supernets.org"
# port="&env.SERVER_SSL_PORT;"
# recvpass="&env.LINK_RECV_PASSWORD;"
# sendpass="&env.LINK_SEND_PASSWORD;"
# statshidden="no"
# timeout="&env.LINK_TIMEOUT;">
<sslprofile certfile="/etc/inspircd/custom/server.crt" <sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/server.key" keyfile="/etc/inspircd/custom/server.key"
cafile="/etc/inspircd/custom/ca.crt" cafile="/etc/inspircd/custom/ca.crt"
@ -28,34 +13,29 @@
requestclientcert="yes" requestclientcert="yes"
provider="gnutls"> provider="gnutls">
#<sslprofile certfile="/etc/inspircd/custom/server.crt" <sslprofile certfile="/etc/inspircd/custom/irc.crt"
# compression="no" keyfile="/etc/inspircd/custom/irc.key"
# keyfile="/etc/ssl/inspircd/custom/server.key" cafile="/etc/inspircd/custom/irc.ca.crt"
# name="supernets_ssl" name="supernets_ssl"
# tlsv11="no" tlsv11="no"
# tlsv12="yes" tlsv12="yes"
# tlsv13="yes" tlsv13="yes"
# renegotiation="no" renegotiation="yes"
# requestclientcert="no" requestclientcert="yes"
# provider="gnutls"> provider="gnutls">
#<badhost host="*@*"
# reason="default hostmask block">
<exception host="*@100.64.0.0/10" <exception host="*@100.64.0.0/10"
reason="tailscale network"> reason="tailscale network">
<exception host="*@127.0.0.1/32" <exception host="*@127.0.0.1/32"
reason="Local IRC client"> reason="localhost">
<exception host="*@fc00:dead:beef:4dad::/64"
reason="Tor ULA addresses (represents circuit ID)">
<eventexec command="/bin/true" <eventexec command="/bin/true"
event="rehash"> event="rehash">
<oper host="*@*"
name="admin"
password="&env.ADMIN_PASSWORD;"
type="NetAdmin">
<showfile endtext="End of uptime" <showfile endtext="End of uptime"
file="/proc/uptime" file="/proc/uptime"
introtext="server uptime:" introtext="server uptime:"
@ -66,95 +46,64 @@
introtext="server loadavg:" introtext="server loadavg:"
name="LOADAVG"> name="LOADAVG">
# from the torrc man page (latest / newer) <bind address="127.0.0.1"
# HiddenServiceExportCircuitID protocol port="7001"
# The onion service will use the given protocol to expose the global circuit identifier hook="haproxy">
# of each inbound client circuit. The only protocol supported right now 'haproxy'.
# This option is only for v3 services. (Default: none)
#
# Create a hidden service and set HiddenServiceExportCircuitID to 'haproxy' in the
# torrc, then enable this binding:
#
# <bind address="127.0.0.1"
# port="7001"
# hook="haproxy">
# and enable the corresponding connect block: <connect commandrate="&env.COMMAND_RATE;"
# <connect commandrate="&env.COMMAND_RATE;" fakelag="&env.FAKE_LAG;"
# fakelag="&env.FAKE_LAG;" allow="127.0.0.1/32"
# hardsendq="&env.HARD_SENDQ;" hardsendq="&env.HARD_SENDQ;"
# maxchans="&env.MAX_CHANS;" maxchans="&env.MAX_CHANS;"
# pingfreq="&env.PING_FREQ;" pingfreq="&env.PING_FREQ;"
# recvq="&env.RECVQ;" recvq="&env.RECVQ;"
# softsendq="&env.SOFT_SENDQ;" softsendq="&env.SOFT_SENDQ;"
# threshold="&env.COMMAND_RATE_THRESHOLD;" threshold="&env.COMMAND_RATE_THRESHOLD;"
# timeout="&env.PARTIAL_CONNECT_TIMEOUT;" timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
# usecloak="yes" usecloak="yes"
# useconnflood="&env.USE_CONN_FLOOD;" useconnflood="&env.USE_CONN_FLOOD;"
# usednsbl="no" usednsbl="no"
# useident="no" useident="no"
# resolvehostnames="no" resolvehostnames="no"
# useconnectban="no" useconnectban="no"
# autojoin="#blackhole" globalmax="&env.GLOBAL_MAX;"
# globalmax="&env.GLOBAL_MAX;" localmax="&env.LOCAL_MAX;"
# localmax="&env.LOCAL_MAX;" maxconnwarn="&env.MAX_CONN_WARN;"
# maxconnwarn="&env.MAX_CONN_WARN;" modes="&env.DEFAULT_USER_MODES;"
# modes="&env.DEFAULT_USER_MODES;" name="tor_haproxy_shim"
# name="tor" port="7001">
# port="7001">
# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is <connect commandrate="&env.COMMAND_RATE;"
# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY fakelag="&env.FAKE_LAG;"
# protocol) allow="fc00:dead:beef:4dad::/64"
hardsendq="&env.HARD_SENDQ;"
# <cloak method="hmac-sha256" maxchans="&env.MAX_CHANS;"
# suffix="onion" pingfreq="&env.PING_FREQ;"
# class="tor"> recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
# uncomment the following to setup WebIRC threshold="&env.COMMAND_RATE_THRESHOLD;"
# <gateway type="webirc" timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
# mask="localhost"> usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
# and enable the corresponding connect block: usednsbl="no"
# <connect commandrate="&env.COMMAND_RATE;" useident="no"
# fakelag="&env.FAKE_LAG;" resolvehostnames="no"
# hardsendq="&env.HARD_SENDQ;" useconnectban="no"
# maxchans="&env.MAX_CHANS;" autojoin="#tor"
# pingfreq="&env.PING_FREQ;" globalmax="&env.GLOBAL_MAX;"
# recvq="&env.RECVQ;" localmax="&env.LOCAL_MAX;"
# softsendq="&env.SOFT_SENDQ;" maxconnwarn="&env.MAX_CONN_WARN;"
# threshold="&env.COMMAND_RATE_THRESHOLD;" modes="&env.DEFAULT_USER_MODES;"
# timeout="&env.PARTIAL_CONNECT_TIMEOUT;" name="tor"
# usecloak="yes" port="6668">
# useconnflood="&env.USE_CONN_FLOOD;"
# usednsbl="no"
# useident="no"
# resolvehostnames="no"
# useconnectban="no"
# autojoin="#blackhole"
# globalmax="&env.GLOBAL_MAX;"
# localmax="&env.LOCAL_MAX;"
# maxconnwarn="&env.MAX_CONN_WARN;"
# modes="&env.DEFAULT_USER_MODES;"
# name="webirc"
# webirc="localhost"
# port="7001">
# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is
# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY
# protocol)
# <cloak method="hmac-sha256"
# suffix="webirc"
# class="webirc">
<bind address="127.0.0.1" <bind address="127.0.0.1"
port="8000" port="8000"
type="httpd"> type="httpd">
<bind address="*" <bind address="*"
port="&env.SSL_PORT;" port="&env.SSL_PORT;"
sslprofile="defaultssl" sslprofile="supernets_ssl"
type="clients"> type="clients">
<bind address="*" <bind address="*"
@ -253,66 +202,3 @@
<passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass" <passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass"
forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired" forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired"
nick="NICKSERV"> nick="NICKSERV">
#<strictsasl reason="Fix your SASL authentication settings and try again">
#<module name="restrictchans">
#<module name="restrictmsg">
#<allowchannel name="*">
#<restrictchans allowregistered="&env.RESTRICT_CHANS_ALLOW_REGISTERED;">
#<autojoinident chan="#blackhole"
# ident="*">
#<autojoinident chan="#blackhole"
# ident="*">
#<anticaps lowercase="abcdefghijklmnopqrstuvwxyz"
# uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ">
#<module name="account">
#<module name="blockhighlight">
#<module name="connectban">
#<module name="connflood">
#<module name="cve_2024_39844">
#<module name="delayuse">
#<module name="discordnick">
#<module name="eventexec">
#<module name="helpmode">
#<module name="ipinfo_io">
#<module name="ircv3_extjwt">
#<module name="ldapauth">
#<module name="messagelength">
#<module name="multiprefix">
#<module name="opmoderated">
#<module name="randomidxlines">
#<module name="randquote">
#<module name="realnameban">
#<module name="solvemsg">
#<module name="sqlauth">
#<module name="sqloper">
#<module name="qrcode">
#<module name="antiknocker">
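Review bot: The new `<exception host="*@fc00:dead:beef:4dad::/64">` entry in the second hunk covers every Tor circuit, since that range is where the haproxy hook places the circuit ID, so if `<exception>` acts as an E-line here no onion-service client can ever be K-, G- or Z-lined; if that is intended (circuit IDs rotate, so bans on them are short-lived anyway) the reason text should say so explicitly, otherwise the entry should go. In the same hunk `renegotiation` moves from the commented-out `"no"` to `"yes"` on the new `supernets_ssl` profile with no explanation; renegotiation is usually left off on servers unless something needs it, so a why-comment on that line would help the next reader. In the third hunk the `tor` connect class keys on `port="6668"` while the haproxy-hooked bind listens on 7001; presumably the hook substitutes the onion service's virtual port from the PROXY header, but if it does not, that class never matches and Tor users fall through to whichever class admits them, so this is worth verifying with a real connection and recording in a comment which port the class keys on. The enclosing file continues outside these hunks.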


@ -184,7 +184,7 @@
port="&env.SSL_PORT;" port="&env.SSL_PORT;"
preload="yes"> preload="yes">
<sasl requiressl="yes" <sasl requiressl="&env.SASL_REQUIRE_SSL;"
target="&env.SASL_TARGET;"> target="&env.SASL_TARGET;">
<alias format="*" <alias format="*"


@ -175,7 +175,6 @@
<module name="sslinfo"> <module name="sslinfo">
<module name="sslmodes"> <module name="sslmodes">
<module name="sslrehashsignal"> <module name="sslrehashsignal">
<module name="starttls">
<module name="stats_unlinked"> <module name="stats_unlinked">
<module name="stripcolor"> <module name="stripcolor">
<module name="svshold"> <module name="svshold">

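--- a/tor/Dockerfile
+++ b/tor/Dockerfile
@@ -0,0 +1,23 @@
+ARG UBUNTU_VERSION="noble"
+FROM ubuntu:${UBUNTU_VERSION}
+RUN apt -y update
+RUN apt -y install tor
+RUN groupadd docker-tor
+RUN useradd --system --shell /bin/bash docker-tor -g docker-tor
+RUN mkdir -p /var/lib/tor/ -p /etc/tor
+ADD torrc /etc/tor
+RUN chown -R docker-tor:docker-tor /etc/tor /var/lib/tor
+VOLUME /var/lib/tor
+USER docker-tor
+CMD tor -f /etc/tor/torrc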

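--- a/tor/docker-compose.yml
+++ b/tor/docker-compose.yml
@@ -0,0 +1,20 @@
+services:
+tor:
+restart: on-failure:3
+build:
+context: .
+image: tor
+network_mode: "host"
+volumes:
+- data:/var/lib/inspircd
+ulimits:
+nofile:
+soft: "102400"
+hard: "102400"
+logging:
+driver: "json-file"
+options:
+max-size: "64k"
+volumes:
+data:
+name: tor_data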
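Review bot: The named volume is mounted at `/var/lib/inspircd`, but tor's `DataDirectory` and the image's `VOLUME` are `/var/lib/tor` (tor/torrc and tor/Dockerfile in this series), so the onion service keys under `/var/lib/tor/ircd` land in an anonymous volume rather than in `tor_data`. A `docker compose down -v`, or a recreate that renews anonymous volumes, would then silently give the service a new .onion address. This looks like a leftover from an inspircd compose file; the fix is the one mount line, `- data:/var/lib/tor`.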

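--- a/tor/torrc
+++ b/tor/torrc
@@ -0,0 +1,16 @@
+DNSPort 0
+SocksPort 0
+TransPort 0
+NATDPort 0
+RunAsDaemon 0
+DataDirectory /var/lib/tor
+HiddenServiceDir /var/lib/tor/ircd
+HiddenServicePort 6668 127.0.0.1:19818
+HiddenServiceMaxStreams 65535
+HiddenServiceExportCircuitID haproxy
+CookieAuthentication 0
+ControlPort 127.0.0.1:9051
+HardwareAccel 1
+Log info stderr
+HiddenServiceSingleHopMode 1
+HiddenServiceNonAnonymousMode 1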
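Review bot: `ControlPort 127.0.0.1:9051` together with `CookieAuthentication 0` and no `HashedControlPassword` opens the control port to any local process with no authentication at all, and because the container runs with `network_mode: host` that is every process on the host; tor itself logs a startup warning for exactly this combination. If nothing uses the control port, drop the `ControlPort` line; if something does, set `CookieAuthentication 1` (the cookie is written into `DataDirectory`, readable only by the `docker-tor` user) or configure a `HashedControlPassword`. `HiddenServiceSingleHopMode 1` and `HiddenServiceNonAnonymousMode 1` deliberately give up the service's location anonymity, which is a reasonable choice for a server that is public anyway, but a one-line comment stating that intent would stop a future reader from "fixing" it.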