Compare commits

..

7 Commits

Author SHA1 Message Date
root
504021112a dont include twice 2024-11-18 23:26:59 +00:00
root
29c83aec39 update include.conf 2024-11-18 22:14:04 +00:00
root
67f06bcd0c fix file name 2024-11-18 13:41:46 +00:00
root
bcfadfa27d add sasl ssl enable option 2024-11-18 13:38:46 +00:00
root
81f9c05d49 fix tor and update example conf 2024-11-16 13:21:37 +00:00
root
c5a562a08b change some settings for torrc and haproxy config 2024-11-16 11:31:00 +00:00
root
e1be1dd320 add configuration for tor / haproxy compatibility (PROXY protocol V1 to PROXY protocol v2) 2024-11-16 09:29:17 +00:00
11 changed files with 184 additions and 180 deletions

View File

@ -12,6 +12,8 @@ ENV NETWORK_NAME="LameNet"
ENV STS_HOST="irc.lame-network.local"
ENV SASL_REQUIRE_SSL="yes"
ENV SASL_TARGET="service.lame-network.local"
ENV ADMIN_PASSWORD="changeme"

2
custom/.gitignore vendored
View File

@ -6,3 +6,5 @@ include.conf
*.pem
!ca.crt
!crl.pem
links.conf
oper.conf

23
haproxy/Dockerfile Normal file
View File

@ -0,0 +1,23 @@
ARG UBUNTU_VERSION="noble"
FROM ubuntu:${UBUNTU_VERSION}
RUN apt -y update
RUN apt -y install haproxy
RUN groupadd docker-haproxy
RUN useradd --system --shell /bin/bash docker-haproxy -g docker-haproxy
RUN mkdir -p /var/lib/haproxy/ -p /etc/haproxy
ADD haproxy.cfg /etc/haproxy
RUN chown -R docker-haproxy:docker-haproxy /etc/haproxy /var/lib/haproxy
VOLUME /var/lib/haproxy
USER docker-haproxy
CMD haproxy -f /etc/haproxy/haproxy.cfg

View File

@ -0,0 +1,7 @@
services:
haproxy:
restart: on-failure:3
build:
context: .
image: haproxy
network_mode: "host"

26
haproxy/haproxy.cfg Normal file
View File

@ -0,0 +1,26 @@
global
log stdout format raw local0 debug
defaults
log global
retries 0
#timeout connect 604800s
#timeout client 604800s
#timeout server 604800s
#timeout tunnel 604800s
#timeout queue 604800s
#timeout http-request 604800s
#timeout http-keep-alive 604800s
#timeout client-fin 604800s
#timeout server-fin 604800s
#timeout check 604800s
option tcplog
frontend tor-north
bind 127.0.0.1:19818 accept-proxy
mode tcp
default_backend inspircd-south
backend inspircd-south
mode tcp
server inspircd 127.0.0.1:7001 send-proxy-v2

View File

@ -1,20 +1,5 @@
<include file="/etc/inspircd/codepages/rfc1459.conf">
#<autoconnect period="8s"
# server="temple.supernets.org">
#<link allowmask="*"
# bind="1.2.3.4"
# hidden="no"
# sslprofile="defaultssl"
# ipaddr="4.2.3.1"
# name="temple.supernets.org"
# port="&env.SERVER_SSL_PORT;"
# recvpass="&env.LINK_RECV_PASSWORD;"
# sendpass="&env.LINK_SEND_PASSWORD;"
# statshidden="no"
# timeout="&env.LINK_TIMEOUT;">
<sslprofile certfile="/etc/inspircd/custom/server.crt"
keyfile="/etc/inspircd/custom/server.key"
cafile="/etc/inspircd/custom/ca.crt"
@ -28,34 +13,29 @@
requestclientcert="yes"
provider="gnutls">
#<sslprofile certfile="/etc/inspircd/custom/server.crt"
# compression="no"
# keyfile="/etc/ssl/inspircd/custom/server.key"
# name="supernets_ssl"
# tlsv11="no"
# tlsv12="yes"
# tlsv13="yes"
# renegotiation="no"
# requestclientcert="no"
# provider="gnutls">
#<badhost host="*@*"
# reason="default hostmask block">
<sslprofile certfile="/etc/inspircd/custom/irc.crt"
keyfile="/etc/inspircd/custom/irc.key"
cafile="/etc/inspircd/custom/irc.ca.crt"
name="supernets_ssl"
tlsv11="no"
tlsv12="yes"
tlsv13="yes"
renegotiation="yes"
requestclientcert="yes"
provider="gnutls">
<exception host="*@100.64.0.0/10"
reason="tailscale network">
<exception host="*@127.0.0.1/32"
reason="Local IRC client">
reason="localhost">
<exception host="*@fc00:dead:beef:4dad::/64"
reason="Tor ULA addresses (represents circuit ID)">
<eventexec command="/bin/true"
event="rehash">
<oper host="*@*"
name="admin"
password="&env.ADMIN_PASSWORD;"
type="NetAdmin">
<showfile endtext="End of uptime"
file="/proc/uptime"
introtext="server uptime:"
@ -66,87 +46,56 @@
introtext="server loadavg:"
name="LOADAVG">
# from the torrc man page (latest / newer)
# HiddenServiceExportCircuitID protocol
# The onion service will use the given protocol to expose the global circuit identifier
# of each inbound client circuit. The only protocol supported right now 'haproxy'.
# This option is only for v3 services. (Default: none)
#
# Create a hidden service and set HiddenServiceExportCircuitID to 'haproxy' in the
# torrc, then enable this binding:
#
# <bind address="127.0.0.1"
# port="7001"
# hook="haproxy">
<bind address="127.0.0.1"
port="7001"
hook="haproxy">
# and enable the corresponding connect block:
# <connect commandrate="&env.COMMAND_RATE;"
# fakelag="&env.FAKE_LAG;"
# hardsendq="&env.HARD_SENDQ;"
# maxchans="&env.MAX_CHANS;"
# pingfreq="&env.PING_FREQ;"
# recvq="&env.RECVQ;"
# softsendq="&env.SOFT_SENDQ;"
# threshold="&env.COMMAND_RATE_THRESHOLD;"
# timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
# usecloak="yes"
# useconnflood="&env.USE_CONN_FLOOD;"
# usednsbl="no"
# useident="no"
# resolvehostnames="no"
# useconnectban="no"
# autojoin="#blackhole"
# globalmax="&env.GLOBAL_MAX;"
# localmax="&env.LOCAL_MAX;"
# maxconnwarn="&env.MAX_CONN_WARN;"
# modes="&env.DEFAULT_USER_MODES;"
# name="tor"
# port="7001">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="127.0.0.1/32"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor_haproxy_shim"
port="7001">
# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is
# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY
# protocol)
# <cloak method="hmac-sha256"
# suffix="onion"
# class="tor">
# uncomment the following to setup WebIRC
# <gateway type="webirc"
# mask="localhost">
# and enable the corresponding connect block:
# <connect commandrate="&env.COMMAND_RATE;"
# fakelag="&env.FAKE_LAG;"
# hardsendq="&env.HARD_SENDQ;"
# maxchans="&env.MAX_CHANS;"
# pingfreq="&env.PING_FREQ;"
# recvq="&env.RECVQ;"
# softsendq="&env.SOFT_SENDQ;"
# threshold="&env.COMMAND_RATE_THRESHOLD;"
# timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
# usecloak="yes"
# useconnflood="&env.USE_CONN_FLOOD;"
# usednsbl="no"
# useident="no"
# resolvehostnames="no"
# useconnectban="no"
# autojoin="#blackhole"
# globalmax="&env.GLOBAL_MAX;"
# localmax="&env.LOCAL_MAX;"
# maxconnwarn="&env.MAX_CONN_WARN;"
# modes="&env.DEFAULT_USER_MODES;"
# name="webirc"
# webirc="localhost"
# port="7001">
# uncomment this line to masquerade tor users with a cloaked hostmask (uncloaked is
# an fc00::/7 address that corresponds to a Tor circuit ID provided via PROXY
# protocol)
# <cloak method="hmac-sha256"
# suffix="webirc"
# class="webirc">
<connect commandrate="&env.COMMAND_RATE;"
fakelag="&env.FAKE_LAG;"
allow="fc00:dead:beef:4dad::/64"
hardsendq="&env.HARD_SENDQ;"
maxchans="&env.MAX_CHANS;"
pingfreq="&env.PING_FREQ;"
recvq="&env.RECVQ;"
softsendq="&env.SOFT_SENDQ;"
threshold="&env.COMMAND_RATE_THRESHOLD;"
timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
usecloak="yes"
useconnflood="&env.USE_CONN_FLOOD;"
usednsbl="no"
useident="no"
resolvehostnames="no"
useconnectban="no"
autojoin="#tor"
globalmax="&env.GLOBAL_MAX;"
localmax="&env.LOCAL_MAX;"
maxconnwarn="&env.MAX_CONN_WARN;"
modes="&env.DEFAULT_USER_MODES;"
name="tor"
port="6668">
<bind address="127.0.0.1"
port="8000"
@ -154,7 +103,7 @@
<bind address="*"
port="&env.SSL_PORT;"
sslprofile="defaultssl"
sslprofile="supernets_ssl"
type="clients">
<bind address="*"
@ -253,66 +202,3 @@
<passforward cmd="SQUERY $nickrequired :IDENTIFY $nick $pass"
forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired"
nick="NICKSERV">
#<strictsasl reason="Fix your SASL authentication settings and try again">
#<module name="restrictchans">
#<module name="restrictmsg">
#<allowchannel name="*">
#<restrictchans allowregistered="&env.RESTRICT_CHANS_ALLOW_REGISTERED;">
#<autojoinident chan="#blackhole"
# ident="*">
#<autojoinident chan="#blackhole"
# ident="*">
#<anticaps lowercase="abcdefghijklmnopqrstuvwxyz"
# uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ">
#<module name="account">
#<module name="blockhighlight">
#<module name="connectban">
#<module name="connflood">
#<module name="cve_2024_39844">
#<module name="delayuse">
#<module name="discordnick">
#<module name="eventexec">
#<module name="helpmode">
#<module name="ipinfo_io">
#<module name="ircv3_extjwt">
#<module name="ldapauth">
#<module name="messagelength">
#<module name="multiprefix">
#<module name="opmoderated">
#<module name="randomidxlines">
#<module name="randquote">
#<module name="realnameban">
#<module name="solvemsg">
#<module name="sqlauth">
#<module name="sqloper">
#<module name="qrcode">
#<module name="antiknocker">

View File

@ -184,7 +184,7 @@
port="&env.SSL_PORT;"
preload="yes">
<sasl requiressl="yes"
<sasl requiressl="&env.SASL_REQUIRE_SSL;"
target="&env.SASL_TARGET;">
<alias format="*"

View File

@ -175,7 +175,6 @@
<module name="sslinfo">
<module name="sslmodes">
<module name="sslrehashsignal">
<module name="starttls">
<module name="stats_unlinked">
<module name="stripcolor">
<module name="svshold">

23
tor/Dockerfile Normal file
View File

@ -0,0 +1,23 @@
ARG UBUNTU_VERSION="noble"
FROM ubuntu:${UBUNTU_VERSION}
RUN apt -y update
RUN apt -y install tor
RUN groupadd docker-tor
RUN useradd --system --shell /bin/bash docker-tor -g docker-tor
RUN mkdir -p /var/lib/tor/ -p /etc/tor
ADD torrc /etc/tor
RUN chown -R docker-tor:docker-tor /etc/tor /var/lib/tor
VOLUME /var/lib/tor
USER docker-tor
CMD tor -f /etc/tor/torrc

20
tor/docker-compose.yml Normal file
View File

@ -0,0 +1,20 @@
services:
tor:
restart: on-failure:3
build:
context: .
image: tor
network_mode: "host"
volumes:
- data:/var/lib/inspircd
ulimits:
nofile:
soft: "102400"
hard: "102400"
logging:
driver: "json-file"
options:
max-size: "64k"
volumes:
data:
name: tor_data

16
tor/torrc Normal file
View File

@ -0,0 +1,16 @@
DNSPort 0
SocksPort 0
TransPort 0
NATDPort 0
RunAsDaemon 0
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/ircd
HiddenServicePort 6668 127.0.0.1:19818
HiddenServiceMaxStreams 65535
HiddenServiceExportCircuitID haproxy
CookieAuthentication 0
ControlPort 127.0.0.1:9051
HardwareAccel 1
Log info stderr
HiddenServiceSingleHopMode 1
HiddenServiceNonAnonymousMode 1