31 changed files with 434 additions and 6894 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
 config.env
--- a/99
+++ b/99
@ -1,8 +1,10 @@
 ARG BUILD_SERVER_NAME="irc.lame-network.local"
 ARG UBUNTU_VERSION="noble"
 FROM ubuntu:${UBUNTU_VERSION}
-ENV ADMIN_EMAIL="no-reply@lame-network.local"
+ENV ADMIN_EMAIL="no-reply@lame-netwoork.local"
 ENV SID="01A"
@ -12,31 +14,29 @@ ENV NETWORK_NAME="LameNet"
 ENV STS_HOST="irc.lame-network.local"
 ENV SASL_REQUIRE_SSL="yes"
 ENV SASL_TARGET="service.lame-network.local"
 ENV ADMIN_PASSWORD="changeme"
-ENV COMMAND_RATE="1000"
+ENV COMMAND_RATE="128000"
-ENV FAKE_LAG="off"
+ENV FAKE_LAG="on"
-ENV HARD_SENDQ="1048576"
+ENV HARD_SENDQ="1M"
 ENV MAX_CHANS="256"
 ENV PING_FREQ="64"
-ENV RECVQ="4096"
+ENV RECVQ="8K"
-ENV SOFT_SENDQ="4096"
+ENV SOFT_SENDQ="8192"
-ENV COMMAND_RATE_THRESHOLD="10"
+ENV COMMAND_RATE_THRESHOLD="128"
-ENV PARTIAL_CONNECT_TIMEOUT="16s"
+ENV COMMAND_RATE_THRESHOLD_TIMEOUT="16"
-ENV USE_CONN_FLOOD="no"
+ENV USE_CONN_FLOOD="yes"
 ENV USE_DNSBL="yes"
@ -48,19 +48,19 @@ ENV LOCAL_MAX="16"
 ENV MAX_CONN_WARN="yes"
-ENV DEFAULT_USER_MODES="+x"
+ENV DEFAULT_USER_MODES="+xWz"
 ENV PORT="6667"
 ENV RESOLVE_HOST_NAMES="yes"
-ENV USE_CONNECT_BAN="no"
+ENV USE_CONNECT_BAN="yes"
-ENV SSL_USER_MODES="+xz"
+ENV SSL_USER_MODES="+xWz"
 ENV SSL_PORT="6697"
-ENV AUTHENTICATED_USER_MODES="+xz"
+ENV AUTHENTICATED_USER_MODES="+xwWz"
 ENV SERVER_SSL_PORT="7000"
@ -168,6 +168,8 @@ ENV NET_ADMIN_VHOST="oper/admin.lame-network.local"
 ENV GLOBAL_OP_VHOST="oper/op.lame-network.local"
 ENV HOPM_VHOST="oper/hopm.lame-network.local"
 ENV HELPER_VHOST="oper/helper.lame-network.local"
 ENV SERVICES_ULINE="services.lame-network.local"
@ -182,7 +184,13 @@ ENV LINK_TIMEOUT=3600
 ENV CLOAK_KEY="changemechangemechangemechangeme"
-ENV CLOAK_SUFFIX="hidden"
+ENV CLOAK_IGNORE_CASE="no"
 ENV CLOAK_MODE="full"
 ENV CLOAK_PREFIX="cloak/"
 ENV CLOAK_SUFFIX=".hidden"
 ENV BLOCK_AMSG_ACTION="killopers"
@ -200,7 +208,7 @@ ENV BOT_MODE_FORCE_NOTICE="no"
 ENV CHAN_FILTER_HIDE_MASK="yes"
-ENV CHAN_FILTER_MAX_LEN="250"
+ENV CHAN_FILTER_MAX_LEN="512"
 ENV CHAN_FILTER_NOTIFY_USER="yes"
@ -230,6 +238,8 @@ ENV CHANNELS_OPERS="4294967295"
 ENV CHANNELS_USERS="4294967295"
 ENV CODE_PAGE="ascii"
 ENV CONNECT_BAN_BOOT_WAIT="128"
 ENV CONNECT_BAN_DURATION="64"
@ -290,13 +300,13 @@ ENV IRCV3_EXTENDED_JOIN="yes"
 ENV JOIN_FLOOD_BOOT_WAIT="32s"
-ENV JOIN_FLOOD_DURATION="32s"
+ENV JOIN_FLOOD_DURATION="2m"
 ENV JOIN_FLOOD_SPLIT_WAIT="32s"
 ENV KNOCK_NOTIFY="both"
-ENV LIST_MAX_SIZE="256"
+ENV LIST_MAX_SIZE="100"
 ENV MESSAGE_FLOOD_NOTICE="1.0"
@ -412,24 +422,6 @@ ENV AUDITORIUM_OPER_CAN_SEE="yes"
 ENV AUDITORIUM_OP_VISIBLE="no"
 ENV IPV4_CLONE="32"
 ENV IPV6_CLONE="64"
 ENV ROTATE_LOG_PERIOD="86400"
 ENV REGEX_TYPE="ecmascript"
 ENV ALLOW_CORE_UNLOAD="no"
 ENV ANNOUNCE_INVITES="dynamic"
 ENV XLINEDB_SAVE_PERIOD="128s"
 ENV PERMCHAN_LIST_MODES="yes"
 ENV PERMCHANDB_SAVE_PERIOD="128s"
 RUN apt -y update
 RUN apt -y install coreutils perl git automake autoconf build-essential libpcre2-dev rapidjson-dev libcurl4-gnutls-dev libargon2-dev libmaxminddb-dev libldap2-dev rapidjson-dev libmysqlclient-dev libmysqlclient-dev default-libmysqlclient-dev libpq-dev libre2-dev gnutls-dev libsqlite3-dev libmbedtls-dev libqrencode-dev libpcre3-dev libtre-dev pkg-config libwww-perl
@ -452,19 +444,7 @@ RUN ./modulemanager list | awk '{print $1}' | xargs -i ./modulemanager install {
 RUN make -j$(nproc) install
-RUN mkdir -p /etc/inspircd/custom /var/lib/inspircd /etc/ssl/inspircd /var/log/inspircd /etc/inspircd/codepages
+RUN mkdir -p /etc/inspircd /var/lib/inspircd /etc/ssl/inspircd /var/log/inspircd
 WORKDIR docs/conf/codepages
 RUN cp ascii.example.conf /etc/inspircd/codepages/ascii.conf
 RUN cat iso-8859-1.example.conf | grep -v "include" > /etc/inspircd/codepages/iso-8859-1.conf
 RUN cat iso-8859-2.example.conf | grep -v "include" > /etc/inspircd/codepages/iso-8859-2.conf
 RUN cat rfc1459.example.conf | grep -v "include" > /etc/inspircd/codepages/rfc1459.conf
 RUN cat strict-rfc1459.example.conf | grep -v "include" > /etc/inspircd/codepages/strict-rfc1459.conf
 ADD inspircd.conf /etc/inspircd
@ -472,17 +452,20 @@ ADD modules.conf /etc/inspircd
 ADD help.conf /etc/inspircd
-ADD include.conf.example /etc/inspircd/custom/include.conf
+ADD custom/ /etc/inspircd/custom
 RUN touch /etc/inspircd/motd.txt
 RUN touch /etc/inspircd/oper.motd.txt
 ADD GeoLite2-Country.mmdb /etc/inspircd
-RUN chown -R inspircd:inspircd /etc/inspircd /var/lib/inspircd /var/log/inspircd
+RUN openssl genrsa -out /etc/ssl/inspircd/server.key
-VOLUME /etc/inspircd/custom
+RUN openssl req -new -key /etc/ssl/inspircd/server.key -out /etc/ssl/inspircd/server.csr \
    -subj "/C=US/ST=Washington/L=Seattle/O=LameNetwork/OU=IT Department/CN=$BUILD_SERVER_NAME"
 RUN openssl x509 -req -days 365 -in /etc/ssl/inspircd/server.csr -signkey /etc/ssl/inspircd/server.key -out /etc/ssl/inspircd/server.crt
 RUN chown -R inspircd:inspircd /etc/inspircd /etc/ssl/inspircd /var/lib/inspircd /var/log/inspircd
 VOLUME /etc/ssl/inspircd
 VOLUME /var/lib/inspircd
@ -492,4 +475,4 @@ USER inspircd
 WORKDIR /
-ENTRYPOINT ["/usr/local/bin/inspircd", "-c", "/etc/inspircd/inspircd.conf", "-F"]
+CMD /usr/local/bin/inspircd -c /etc/inspircd/inspircd.conf -F
--- a/README.md
+++ b/README.md
@ -1,24 +1,72 @@
 # Instructions 
 ## docker-compose 
-1. copy `config.env.exmaple` to `config.env` and edit 
+- if you are not starting from scratch. delete stale containers and: `docker rmi inspi4` and `docker volume rm inspi4_ssl` 
-2. copy `include.conf.example` to `custom/include.conf`
+- copy `config.env.exmaple` to `config.env` and edit 
-3. follow steps from [#easyrsa] section
+- optional: if you intend to link, copy `include.default.conf` to `include.conf` and edit (see linking section below.)
-4. `docker-compose build`
+- start: `docker-compose -f docker-compose.standalone.yml up -d` also use the linked variant if you intend to link.
 5. `docker-compose up -d`
-# easyrsa
+- ~~`docker build -t inspi4 -t inspi4:latest .`~~
-On the hub:
+- ~~`docker run -it --rm -e 'DEFAULT_BLOCK_HOST_MASK="nothing"' -net host inspi4`~~
 - cd to `easyrsa3` directory
 - `./easyrsa init-pki` 
 - `./easyrsa build-ca`
 - `./easyrsa build-server-full hub.stuff.ts.net`
 - `./easyrsa gen-crl`
 - `./easyrsa gen-dh`
-The `.gitignore` takes care of keeping secrets out of the git repo:
+# Optional 
 - ~~create a custom `links.conf`~~
 - ~~`docker run -it --rm -e 'DEFAULT_BLOCK_HOST_MASK="nothing"' -net host -v $(pwd)/links.conf:/etc/inspircd/links.conf:ro inspi4`~~
- copy `ca.crt`, `crl.pem`, and `dh.pem` to `custom/`
+# Linking 
- `chown -R 999 custom/`
+- Run `docker exec -it ircd_ircd_linked_1 openssl x509 -sha256 -fingerprint -in /etc/ssl/inspircd/server.crt  | tr -d ":" | tr '[:upper:]' '[:lower:]'` 
- copy hub cert and key to `custom/server.crt` and `custom/server.key`
+to get the SSL fingerprints, the `fingerprint` refers to the remote SSL certificate fingerprint for each linking section.
- manually copy certs and keys as well as `dh.pem` to each leaf. 
+
 - On `hub.netcrave.network` add something like this to the `include.conf`:
 ```
 <autoconnect period="8s"
             server="leaf.netcrave.network">
 <link allowmask="*"
      bind="1.2.3.4"
      hidden="no"
      sslprofile="defaultssl"
      fingerprint="c543d8a4a6c825d917d20520e4962e4bcdc3c3c5d856815f7fd626b708842baf"
      ipaddr="4.2.3.1"
      name="leaf.netcrave.network"
      port="&env.SERVER_SSL_PORT;"
      recvpass="&env.LINK_RECV_PASSWORD;"
      sendpass="&env.LINK_SEND_PASSWORD;"
      statshidden="no"
      timeout="&env.LINK_TIMEOUT;">
 ```
 - On `leaf.netcrave.network` add something like this to the `include.conf`:
 ```
 <autoconnect period="8s"
             server="hub.netcrave.network">
 <link allowmask="*"
      bind="4.2.3.1"
      hidden="no"
      sslprofile="defaultssl"
      fingerprint="09afef0d8561b8d13e3e7a480ed006caed11d3f5b36c5f4569c60060baa936cd"
      ipaddr="1.2.3.4"
      name="hub.netcrave.network"
      port="&env.SERVER_SSL_PORT;"
      recvpass="&env.LINK_RECV_PASSWORD;"
      sendpass="&env.LINK_SEND_PASSWORD;"
      statshidden="no"
      timeout="&env.LINK_TIMEOUT;">
 ```
 # Linking with services
 - Doesn't work yet: https://github.com/atheme/atheme/issues/904
 ```
 <link allowmask="*"
      bind="127.0.0.1"
      hidden="no"
      ipaddr="127.0.0.1"
      name="services.netcrave.network"
      port="7001"
      recvpass="&env.LINK_RECV_PASSWORD;"
      sendpass="&env.LINK_SEND_PASSWORD;"
      statshidden="no"
      timeout="&env.LINK_TIMEOUT;">
 ```
--- a/config.env.example
+++ b/config.env.example
@ -1,37 +1,29 @@
-ADMIN_EMAIL="no-reply@supernets.org"
+ADMIN_EMAIL="no-reply@lame-network.local"
-SID="01B"
+SID="01A"
-SERVER_NAME="lux.supernets.org"
+SERVER_NAME="irc.lame-network.local"
-NETWORK_NAME="SuperNETs"
+NETWORK_NAME="NetcraveIRC"
-STS_HOST="irc.supernets.org"
+STS_HOST="irc.lame-network.local"
-STS_DURATION="32d"
+SASL_TARGET="services.lame-network.local"
 SASL_TARGET="services.supernets.org"
 ADMIN_PASSWORD="changeme"
 PORT="6667"
 SSL_PORT="6697"
 SERVER_SSL_PORT="7000"
 HTTP_ACL_PASSWORD="changeme"
-HTTP_ACL_USERNAME="supernets"
+HTTP_ACL_USERNAME="netcrave"
-ROLE_PLAY_VHOST="roleplay/SuperNETs"
+ROLE_PLAY_VHOST="roleplay/lame-network.local"
-CUSTOM_VERSION="c l a n d e s t i n  e"
+CUSTOM_VERSION="NetcraveIRC"
-NET_ADMIN_VHOST="admin/SuperNETs"
+NET_ADMIN_VHOST="admin/lame-network.local"
-GLOBAL_OP_VHOST="oper/SuperNETs"
+GLOBAL_OP_VHOST="oper/lame-network.local"
-HELPER_VHOST="helper/SuperNETs"
+HOPM_VHOST="hopm/lame-network.local"
-SERVICES_ULINE="services.supernets.org"
+HELPER_VHOST="helper/lame-network.local"
-WS_ORIGIN_ALLOW="lux.supernets.org"
+SERVICES_ULINE="services.lame-network.local"
 WS_ORIGIN_ALLOW="irc.lame-network.local"
 LINK_RECV_PASSWORD="changeme"
 LINK_SEND_PASSWORD="changeme"
 LINK_TIMEOUT="32"
 CLOAK_KEY="changeme"
-CLOAK_SUFFIX="hidden"
+CLOAK_PREFIX="cloak/"
-DEFAULT_USER_MODES="x"
+CLOAK_SUFFIX=".hidden"
-SSL_USER_MODES="x"
+DEFAULT_USER_MODES="xW"
-LINK_TIMEOUT="512s"
+SSL_USER_MODES="xW"
-COMMAND_RATE="1000"
+USE_DNSBL="no"
 FAKE_LAG="off"
 HARD_SENDQ="1M"
 RECVQ="512K"
 COMMAND_RATE_THRESHOLD="4096"
 PING_FREQ="256"
 DISABLE_USERMODES="dDz"
 DISABLE_CHMODES="z"
 DISABLE_COMMANDS="help info restart reloadmodule loadmodule gloadmodule unloadmodule gunloadmodule greloadmodule monitor watch dccallow map mkpasswd filter"
 OPER_CHANNEL_SNOMASK="aAcCkKoOqQtxXdDfFgGjJlLnNrRvVwW"
--- a/custom/.gitignore
+++ b/custom/.gitignore
@ -1,10 +0,0 @@
 motd.txt
 oper.motd.txt
 include.conf
 *.crt
 *.key
 *.pem
 !ca.crt
 !crl.pem
 links.conf
 oper.conf
--- a/custom/ca.crt
+++ b/custom/ca.crt
@ -1,40 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIG+TCCBOGgAwIBAgIUTnY+1MZsN286sT+G2i8UWe3VjZwwDQYJKoZIhvcNAQEL
 BQAwgaIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH
 DA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlTdXBlck5FVHMxDDAKBgNVBAsMA0lS
 QzEdMBsGA1UEAwwUY2EudGFpbDkxMjJjOC50cy5uZXQxJTAjBgkqhkiG9w0BCQEW
 Fm5vLXJlcGx5QHN1cGVybmV0cy5vcmcwHhcNMjQxMTA2MTkzMDM3WhcNMzQxMTA0
 MTkzMDM3WjCBojELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAU
 BgNVBAcMDVNhbiBGcmFuY2lzY28xEjAQBgNVBAoMCVN1cGVyTkVUczEMMAoGA1UE
 CwwDSVJDMR0wGwYDVQQDDBRjYS50YWlsOTEyMmM4LnRzLm5ldDElMCMGCSqGSIb3
 DQEJARYWbm8tcmVwbHlAc3VwZXJuZXRzLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQAD
 ggIPADCCAgoCggIBAKSUdSIh1QLRB+rP0CrLd9T3zMSnA6o0ToIiSwJFjDqZ6F3v
 ZtYnZMD0OiNCJe89KNngaLbTY9CY5Yds2b9g3PemdAM1Kle9hMom+W6Q17T4oA2q
 0hrJkvf4sFQo1P0P6KEQSWRPqSwQ7h10DQYNEvZ7Q9LCAsgHoCmVXZIdAm6fRZmM
 ihTkXm0K24aTS8k/Tjgq+NsMulw0Z5SA19INvq+jk4AnYcqwuFPbPHdcKdfXryLh
 M8dXbUQbv0z8tLGptLqr56ESnf3QuP9ad86hx22WxesJxnR7JwHBjWdlwO1hAdOa
 QZjlcJxejIyYwHAU1FSpYdbH++HuQ6kd+DvREEF6FOVMlIyYqwHzo4fm9mzrne7s
 NLTQWp2wnzv3RB2/Q2sMwd3ccG7SWfo7iCOXIYaEwGbjduk2/4y388uBAfbofT+T
 8hAWgPVVEJiCpQ2cMzscQxA1mAk3WDB1fz9lHwMrlgBRa/Tftj3jVogdVPl5fDsD
 /2sCQgVQ68ABT6hlzMp56iayhZu1jjnBc/fTKK40NHCh7WNvZgJ9pR4Lpqzmt6JA
 Z4iY5WtHehg+xwhFoAfjjZdCiWvLNmfzet+PmW+D9c8V17faMMNfLsHTxHjzABoc
 2jFSdGNOyoI1DPKDEw6f/ZlNY67YOesiozbvH+XBurFhzh04hkyPkKWSZnqhAgMB
 AAGjggEjMIIBHzAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRI9BMsv2VBGfUEfJjN
 s1Fb2B68zDCB4gYDVR0jBIHaMIHXgBRI9BMsv2VBGfUEfJjNs1Fb2B68zKGBqKSB
 pTCBojELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DVNhbiBGcmFuY2lzY28xEjAQBgNVBAoMCVN1cGVyTkVUczEMMAoGA1UECwwDSVJD
 MR0wGwYDVQQDDBRjYS50YWlsOTEyMmM4LnRzLm5ldDElMCMGCSqGSIb3DQEJARYW
 bm8tcmVwbHlAc3VwZXJuZXRzLm9yZ4IUTnY+1MZsN286sT+G2i8UWe3VjZwwCwYD
 VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAUfhnquPlKvCB/l47JZaC0V+wR
 aAJlbCjqwCsfOJqE381i1yKBc7Dbk0rYmS68fjDDyeGs6Av/9wj6RZ4+WoY47WYL
 fYCGF/HAFqyKllAfzKF+nvvBP8mKVOZX/QTlZKBD7biTjHTJSUou6y9LkRAwm7yw
 cRHkJkPwPCHihLcn0MLdlf8vRrTCZqZ1wEiRd0jIPkrBdpYoc3ENg+3zQGkPnCsD
 L1LwbiL7d1WASZ5cAxKKMl7rqA8oHCH8Ffou4DyK+igeEhcOxTu1A2jSpIAHjLZv
 aoWy/aEl4QO1QmY4CTftb2qgX5rr7EDLRK4paqFMsPfv8nCK3w8KmwZ/s1rlYt10
 oVoO3SJF+PRl78bMiuv55k+4UHh1S17fHuYKz31eGVkj9AfIec4FPewq4hHnLYO6
 F5tX96OlTubweeNioZauKv4pynwleIhjnzW0af50beaGulJmY83gCenyQcxxdTxu
 B7bmdj11/knCdFy0CKjZmvFNc99ujkH8Bac/qViHwjctWJ87mNLxHvlHQSMe9e7f
 Z2FmtlL0tlFl4KSX3RLXBt5MzRq2zbGY6eAjm2Ld3F+/bPYoyi4t1dUZh9BglTUb
 fW0A6bn325JCOPAMvyyBs4M4yeaUm5wep+KB1VyLhbm39OFotNz5oXZ/2WhQQK1E
 WOpWX6M4m8GQTXG1IA==
 -----END CERTIFICATE-----
--- a/custom/crl.pem
+++ b/custom/crl.pem
@ -1,23 +0,0 @@
 -----BEGIN X509 CRL-----
 MIID2DCCAcACAQEwDQYJKoZIhvcNAQELBQAwgaIxCzAJBgNVBAYTAlVTMRMwEQYD
 VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQK
 DAlTdXBlck5FVHMxDDAKBgNVBAsMA0lSQzEdMBsGA1UEAwwUY2EudGFpbDkxMjJj
 OC50cy5uZXQxJTAjBgkqhkiG9w0BCQEWFm5vLXJlcGx5QHN1cGVybmV0cy5vcmcX
 DTI0MTEwNjE5MzUwN1oXDTI1MDUwNTE5MzUwN1qggegwgeUwgeIGA1UdIwSB2jCB
 14AUSPQTLL9lQRn1BHyYzbNRW9gevMyhgaikgaUwgaIxCzAJBgNVBAYTAlVTMRMw
 EQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRIwEAYD
 VQQKDAlTdXBlck5FVHMxDDAKBgNVBAsMA0lSQzEdMBsGA1UEAwwUY2EudGFpbDkx
 MjJjOC50cy5uZXQxJTAjBgkqhkiG9w0BCQEWFm5vLXJlcGx5QHN1cGVybmV0cy5v
 cmeCFE52PtTGbDdvOrE/htovFFnt1Y2cMA0GCSqGSIb3DQEBCwUAA4ICAQBp7z2s
 2N2/cHnJaWEaQibnp89J8Co8w9+9c+VgMDtneoA5pqejV8a5gWF1U9O3txjceR1T
 HcymU5KyWxx3FTehOS0vxMib7CWWhVrciBe5R628gaZzPAnlPLVXBLwzUwloJ4Rn
 xR4+8SkKXE0aOW52Gbv3SyJId9BRkEFlxDuQeWOPgh3fIe9VqlA4T6DV5MslxH6Q
 ul/Cg8DvBI6CsXnIvxz7MU/mPjuL/mvAi1SzjL1OrQAVNSVGaIE8EasQ9dC+Y1YF
 /JsQJfDROQA8Cej2ku+R8oDp+gRuQCvEX/gu0vt72rdr8oTLjnBrHz6LjFdq9Kdw
 0M0Dnj6x2KTDdhGZMLm7HEbsFcZVlUQMUcIlcqXDpi+Irdlz8QjKp0Zca8TsUN6s
 8LGpzT5CxDlXmwli+cINZ/cMDhGNjIXSvZZOk0kfXN5pUbGFqGjPOqlyyL3NK9iG
 /AQqJxl71PFUHWYKkOo3P/+WffpQfL200xkAUgf4lcYvC9Y7/0zmkL9MWaXqSbdL
 dGdx8yCUR/TbgHSPYgoyIT65eYSb0X4vlWZnYprU1yz9SNyypO6ceg/pYKVG5ew+
 IKzXi9pkRn0jhGHKN0V3uRY1IqJStAC09m7MMkuYrhBjWkFJXivcSuDndWNoYW0V
 tRaYZVLFhkQ+CTDtovPMFoLnQyZp7dV3jiELBw==
 -----END X509 CRL-----
--- a/include.conf.example
+++ b/include.conf.example
@ -1,41 +1,28 @@
-<include file="/etc/inspircd/codepages/rfc1459.conf">
+<sslprofile certfile="/etc/ssl/inspircd/server.crt"
-
+            compression="no"
-<sslprofile certfile="/etc/inspircd/custom/server.crt"
+            keyfile="/etc/ssl/inspircd/server.key"
            keyfile="/etc/inspircd/custom/server.key"
            cafile="/etc/inspircd/custom/ca.crt"
            crlfile="/etc/inspircd/custom/crl.pem"
            dhfile="/etc/inspircd/custom/dh.pem"
            name="defaultssl"
            tlsv11="no"
            tlsv12="yes"
            tlsv13="yes"
-            renegotiation="yes"
+            renegotiation="no"
-            requestclientcert="yes"
+            requestclientcert="no"
            provider="gnutls">
-<sslprofile certfile="/etc/inspircd/custom/irc.crt"
+<badhost host="*@*"
-            keyfile="/etc/inspircd/custom/irc.key"
+         reason="default hostmask block">
            cafile="/etc/inspircd/custom/irc.ca.crt"
            name="supernets_ssl"
            tlsv11="no"
            tlsv12="yes"
            tlsv13="yes"
            renegotiation="yes"
            requestclientcert="yes"
            provider="gnutls">
 <exception host="*@100.64.0.0/10"
           reason="tailscale network">
 <exception host="*@127.0.0.1/32"
-           reason="localhost">
+           reason="Local IRC client">
 <exception host="*@fc00:dead:beef:4dad::/64"
           reason="Tor ULA addresses (represents circuit ID)">
 <eventexec command="/bin/true"
           event="rehash">
 <oper host="*@*"
      name="admin"
      password="&env.ADMIN_PASSWORD;"
      type="NetAdmin">
 <showfile endtext="End of uptime"
          file="/proc/uptime"
          introtext="server uptime:"
@ -46,70 +33,23 @@
          introtext="server loadavg:"
          name="LOADAVG">
-<bind address="127.0.0.1"
+<bind address="*"
      port="7001"
      hook="haproxy">
 <connect commandrate="&env.COMMAND_RATE;"
         fakelag="&env.FAKE_LAG;"
         allow="127.0.0.1/32"
         hardsendq="&env.HARD_SENDQ;"
         maxchans="&env.MAX_CHANS;"
         pingfreq="&env.PING_FREQ;"
         recvq="&env.RECVQ;"
         softsendq="&env.SOFT_SENDQ;"
         threshold="&env.COMMAND_RATE_THRESHOLD;"
         timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
         usecloak="yes"
         useconnflood="&env.USE_CONN_FLOOD;"
         usednsbl="no"
         useident="no"
         resolvehostnames="no"
         useconnectban="no"
         globalmax="&env.GLOBAL_MAX;"
         localmax="&env.LOCAL_MAX;"
         maxconnwarn="&env.MAX_CONN_WARN;"
         modes="&env.DEFAULT_USER_MODES;"
         name="tor_haproxy_shim"
         port="7001">
 <connect commandrate="&env.COMMAND_RATE;"
         fakelag="&env.FAKE_LAG;"
         allow="fc00:dead:beef:4dad::/64"
         hardsendq="&env.HARD_SENDQ;"
         maxchans="&env.MAX_CHANS;"
         pingfreq="&env.PING_FREQ;"
         recvq="&env.RECVQ;"
         softsendq="&env.SOFT_SENDQ;"
         threshold="&env.COMMAND_RATE_THRESHOLD;"
         timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
         usecloak="yes"
         useconnflood="&env.USE_CONN_FLOOD;"
         usednsbl="no"
         useident="no"
         resolvehostnames="no"
         useconnectban="no"
         autojoin="#tor"
         globalmax="&env.GLOBAL_MAX;"
         localmax="&env.LOCAL_MAX;"
         maxconnwarn="&env.MAX_CONN_WARN;"
         modes="&env.DEFAULT_USER_MODES;"
         name="tor"
         port="6668">
 <bind address="127.0.0.1"
      port="8000"
      type="httpd">
- <bind address="*"
+<bind address="*"
      port="&env.SSL_PORT;"
-      sslprofile="supernets_ssl"
+      sslprofile="defaultssl"
      type="clients">
 <bind address="*"
      port="&env.PORT;"
      type="clients">
 <bind address="*"
      port="7001"
      type="servers">
 <bind address="*"
      port="&env.SERVER_SSL_PORT;"
      sslprofile="defaultssl"
@ -128,12 +68,13 @@
         fakelag="&env.FAKE_LAG;"
         hardsendq="&env.HARD_SENDQ;"
         maxchans="&env.MAX_CHANS;"
         motd="defaultmotd"
         name="all"
         pingfreq="&env.PING_FREQ;"
         recvq="&env.RECVQ;"
         softsendq="&env.SOFT_SENDQ;"
         threshold="&env.COMMAND_RATE_THRESHOLD;"
-         timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
+         timeout="&env.COMMAND_RATE_THRESHOLD_TIMEOUT;"
         useconnflood="&env.USE_CONN_FLOOD;"
         usednsbl="&env.USE_DNSBL;"
         useident="&env.USE_IDENT;"
@ -178,6 +119,21 @@
          types="password"
          username="&env.HTTP_ACL_USERNAME;">
 <autoconnect period="8s"
             server="vps-1.lame-network.local">
 <link allowmask="*"
      bind="1.2.3.4"
      hidden="no"
      sslprofile="defaultssl"
      ipaddr="4.2.3.1"
      name="vps-1.lame-network.local"
      port="&env.SERVER_SSL_PORT;"
      recvpass="&env.LINK_RECV_PASSWORD;"
      sendpass="&env.LINK_SEND_PASSWORD;"
      statshidden="no"
      timeout="&env.LINK_TIMEOUT;">
 <ident prefixunqueried="&env.IDENT_PREFIX_UNQUERIED;"
       timeout="&env.IDENT_TIMEOUT;">
--- a/custom/motd.txt
+++ b/custom/motd.txt
@ -1,57 +1,57 @@
-   0,0     0╗  0,0  0╗  0,0  0╗ 0,0      0╗  0,0       0╗ 0,0      0╗
+   0,0     0╗  0,0  0╗  0,0  0╗ 0,0      0╗  0,0       0╗ 0,0      0╗
-  0,0  0╔══0,0  0╗ 0,0  0║  0,0  0║ 0,0  0╔══0,0  0╗ 0,0  0╔════╝ 0,0  0╔══0,0  0╗
+  0,0  0╔══0,0  0╗ 0,0  0║  0,0  0║ 0,0  0╔══0,0  0╗ 0,0  0╔════╝ 0,0  0╔══0,0  0╗
-  0,0  0║  ╚═╝ 0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║  0,0  0║
+  0,0  0║  ╚═╝ 0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║  0,0  0║
-  0╚0,0     0╗  0,0  0║  0,0  0║ 0,0      0╔╝ 0,0       0╗ 0,0      0╔╝
+  0╚0,0     0╗  0,0  0║  0,0  0║ 0,0      0╔╝ 0,0       0╗ 0,0      0╔╝
-   0╚═══0,0  0╗ 0,0  0║  0,0  0║ 0,0  0╔═══╝  0,0  0╔════╝ 0,0  0╔══0,0  0╗
+   0╚═══0,0  0╗ 0,0  0║  0,0  0║ 0,0  0╔═══╝  0,0  0╔════╝ 0,0  0╔══0,0  0╗
-  0,0  0╗  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
+  0,0  0╗  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
-  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
+  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
-  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
+  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
-  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
+  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
-  0╚0,0     0╔╝ ╚0,0     0╔╝ 0,0  0║      0,0       0╗ 0,0  0║  0,0  0║
+  0╚0,0     0╔╝ ╚0,0     0╔╝ 0,0  0║      0,0       0╗ 0,0  0║  0,0  0║
-0   ╚════╝   ╚════╝  ╚═╝      ╚══════╝ ╚═╝  ╚═╝
+0   ╚════╝   ╚════╝  ╚═╝      ╚══════╝ ╚═╝  ╚═╝
-
+
-      0,12                                          
+      0,12                                          
-    0,12    0,4                              0,12          
+    0,12    0,4                              0,12          
-  0,12    0,4      0,8  0,4    0,8        0,4    0,8  0,4        0,12        
+  0,12    0,4      0,8  0,4    0,8        0,4    0,8  0,4        0,12        
-0,12    0,4      0,8  0,4    0,8            0,4      0,8  0,4      0,12      
+0,12    0,4      0,8  0,4    0,8            0,4      0,8  0,4      0,12      
-0,12    0,4    0,8    0,4    0,8                      0,4    0,12      
+0,12    0,4    0,8    0,4    0,8                      0,4    0,12      
-  0,12    0,4    0,8  0,4                      0,8    0,4  0,12        
+  0,12    0,4    0,8  0,4                      0,8    0,4  0,12        
-    0,12    0,4                              0,12          
+    0,12    0,4                              0,12          
-      0,12    0,4    0,8              0,4        0,12            
+      0,12    0,4    0,8              0,4        0,12            
-        0,12    0,4      0,8  0,4  0,8      0,4      0,12              
+        0,12    0,4      0,8  0,4  0,8      0,4      0,12              
-          0,12    0,4                  0,12                
+          0,12    0,4                  0,12                
-            0,12    0,4    0,8      0,4    0,12                  
+            0,12    0,4    0,8      0,4    0,12                  
-              0,12    0,4    0,8  0,4    0,12                    
+              0,12    0,4    0,8  0,4    0,12                    
-                0,12    0,4      0,12                      
+                0,12    0,4      0,12                      
-                  0,12    0,4  0,12                        
+                  0,12    0,4  0,12                        
-                    0,12                            
+                    0,12                            
-                      0,12  
+                      0,12  
-
+
-     0,0     0╗  0,0  0╗ 0,0       0╗ 0,0      0╗  0,0     0╗
+     0,0     0╗  0,0  0╗ 0,0       0╗ 0,0      0╗  0,0     0╗
-     0,0  0╔═0,0  0╗ 0,0  0║ 0,0  0╔════╝   0,0  0╔═╝ 0,0  0╔══0,0  0╗
+     0,0  0╔═0,0  0╗ 0,0  0║ 0,0  0╔════╝   0,0  0╔═╝ 0,0  0╔══0,0  0╗
-     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0║        0,0  0║   0,0  0║  ╚═╝
+     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0║        0,0  0║   0,0  0║  ╚═╝
-     0,0  0║ 0,0  0║ 0,0  0║ 0,0       0╗   0,0  0║   ╚0,0     0╗
+     0,0  0║ 0,0  0║ 0,0  0║ 0,0       0╗   0,0  0║   ╚0,0     0╗
-     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0╔════╝   0,0  0║    ╚═══0,0  0╗
+     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0╔════╝   0,0  0║    ╚═══0,0  0╗
-     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0║        0,0  0║   0,0     0,0  0║
+     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0║        0,0  0║   0,0     0,0  0║
-     0,0  0║ ╚0,0     0║ 0,0       0╗   0,0  0║   ╚0,0     0╔╝
+     0,0  0║ ╚0,0     0║ 0,0       0╗   0,0  0║   ╚0,0     0╔╝
-     0╚═╝  ╚════╝ ╚══════╝   ╚═╝    ╚════╝
+     0╚═╝  ╚════╝ ╚══════╝   ╚═╝    ╚════╝
-
+
-4─────────┤ 0THE WILD WILD WEST OF IRC 4├─────────
+4─────────┤ 0THE WILD WILD WEST OF IRC 4├─────────
-
+
-14• 7  Round-robin   irc.supernets.org 14(IPv4/IPv6)
+14• 7  Round-robin   irc.supernets.org 14(IPv4/IPv6)
-14• 7        Onion   14removed until further notice
+14• 7        Onion   14removed until further notice
-
+
-14• 7        Ports   6660-6669 & 7000
+14• 7        Ports   6660-6669 & 7000
-14• 7SSL/TLS Ports   6697      & 9000
+14• 7SSL/TLS Ports   6697      & 9000
-
+
-14• 7         Mail   12admin@supernets.org
+14• 7         Mail   12admin@supernets.org
-14• 7          Git   12https://git.supernets.org
+14• 7          Git   12https://git.supernets.org
-14• 7      Twitter   12https://twitter.com/super_nets
+14• 7      Twitter   12https://twitter.com/super_nets
-14• 7      Website   12https://supernets.org/
+14• 7      Website   12https://supernets.org/
-
+
-4─────────┤ 0MOST DANGEROUS IRC NETWORK 4├────────
+4─────────┤ 0MOST DANGEROUS IRC NETWORK 4├────────
-
+
-14• 7This is a hostile chat environment
+14• 7This is a hostile chat environment
-14• 7Do not disrupt the orderly operation of the network
+14• 7Do not disrupt the orderly operation of the network
-14• 7No distribution of child pornography
+14• 7No distribution of child pornography
-14• 7See /RULES for a list of network rules
+14• 7See /RULES for a list of network rules
--- a/custom/oper.motd.txt
+++ b/custom/oper.motd.txt
@ -1,57 +1 @@
-   0,0     0╗  0,0  0╗  0,0  0╗ 0,0      0╗  0,0       0╗ 0,0      0╗
+-
  0,0  0╔══0,0  0╗ 0,0  0║  0,0  0║ 0,0  0╔══0,0  0╗ 0,0  0╔════╝ 0,0  0╔══0,0  0╗
  0,0  0║  ╚═╝ 0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║  0,0  0║
  0╚0,0     0╗  0,0  0║  0,0  0║ 0,0      0╔╝ 0,0       0╗ 0,0      0╔╝
   0╚═══0,0  0╗ 0,0  0║  0,0  0║ 0,0  0╔═══╝  0,0  0╔════╝ 0,0  0╔══0,0  0╗
  0,0  0╗  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
  0,0  0║  0,0  0║ 0,0  0║  0,0  0║ 0,0  0║      0,0  0║      0,0  0║  0,0  0║
  0╚0,0     0╔╝ ╚0,0     0╔╝ 0,0  0║      0,0       0╗ 0,0  0║  0,0  0║
 0   ╚════╝   ╚════╝  ╚═╝      ╚══════╝ ╚═╝  ╚═╝
      0,12                                          
    0,12    0,4                              0,12          
  0,12    0,4      0,8  0,4    0,8        0,4    0,8  0,4        0,12        
 0,12    0,4      0,8  0,4    0,8            0,4      0,8  0,4      0,12      
 0,12    0,4    0,8    0,4    0,8                      0,4    0,12      
  0,12    0,4    0,8  0,4                      0,8    0,4  0,12        
    0,12    0,4                              0,12          
      0,12    0,4    0,8              0,4        0,12            
        0,12    0,4      0,8  0,4  0,8      0,4      0,12              
          0,12    0,4                  0,12                
            0,12    0,4    0,8      0,4    0,12                  
              0,12    0,4    0,8  0,4    0,12                    
                0,12    0,4      0,12                      
                  0,12    0,4  0,12                        
                    0,12                            
                      0,12  
     0,0     0╗  0,0  0╗ 0,0       0╗ 0,0      0╗  0,0     0╗
     0,0  0╔═0,0  0╗ 0,0  0║ 0,0  0╔════╝   0,0  0╔═╝ 0,0  0╔══0,0  0╗
     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0║        0,0  0║   0,0  0║  ╚═╝
     0,0  0║ 0,0  0║ 0,0  0║ 0,0       0╗   0,0  0║   ╚0,0     0╗
     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0╔════╝   0,0  0║    ╚═══0,0  0╗
     0,0  0║ 0,0  0║ 0,0  0║ 0,0  0║        0,0  0║   0,0     0,0  0║
     0,0  0║ ╚0,0     0║ 0,0       0╗   0,0  0║   ╚0,0     0╔╝
     0╚═╝  ╚════╝ ╚══════╝   ╚═╝    ╚════╝
 4─────────┤ 0THE WILD WILD WEST OF IRC 4├─────────
 14• 7  Round-robin   irc.supernets.org 14(IPv4/IPv6)
 14• 7        Onion   14removed until further notice
 14• 7        Ports   6660-6669 & 7000
 14• 7SSL/TLS Ports   6697      & 9000
 14• 7         Mail   12admin@supernets.org
 14• 7          Git   12https://git.supernets.org
 14• 7      Twitter   12https://twitter.com/super_nets
 14• 7      Website   12https://supernets.org/
 4─────────┤ 0MOST DANGEROUS IRC NETWORK 4├────────
 14• 7This is a hostile chat environment
 14• 7Do not disrupt the orderly operation of the network
 14• 7No distribution of child pornography
 14• 7See /RULES for a list of network rules
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,17 +1,22 @@
 services:
-  ircd:
+  leaf:
    restart: on-failure:3
    build:
      context: .
      args:
        BUILD_SERVER_NAME: ${SERVER_NAME}
    image: inspi4
    network_mode: "host"
    env_file: "config.env"
    command: /usr/local/bin/inspircd -c /etc/inspircd/inspircd.conf -F
    volumes:
      - ./custom:/etc/inspircd/custom:ro
      - ssl:/etc/ssl/inspircd
      - data:/var/lib/inspircd
      - log:/var/log/inspircd
 volumes:
  data:
    name: inspi4_data
  ssl:
    name: inspi4_ssl
  log:
    name: inspi4_log
--- a/easyrsa3/.gitignore
+++ b/easyrsa3/.gitignore
@ -1 +0,0 @@
 pki/
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@ -1,149 +0,0 @@
 # For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 dir		= $ENV::EASYRSA_PKI	# Where everything is kept
 certs		= $dir			# Where the issued certs are kept
 crl_dir		= $dir			# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 new_certs_dir	= $dir/certs_by_serial	# default place for new certs.
 certificate	= $dir/ca.crt		# The CA certificate
 serial		= $dir/serial		# The current serial number
 crl		= $dir/crl.pem		# The current CRL
 private_key	= $dir/private/ca.key	# The private key
 RANDFILE	= $dir/.rand		# private random number file
 x509_extensions	= basic_exts		# The extensions to add to the cert
 # A placeholder to handle the --copy-ext feature:
 #%COPY_EXTS%	# Do NOT remove or change this line as --copy-ext support requires it
 # This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
 # is designed for will. In return, we get the Issuer attached to CRLs.
 crl_extensions	= crl_ext
 default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
 default_crl_days	= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
 default_md	= $ENV::EASYRSA_DIGEST		# use public key default MD
 # Note: preserve=no|yes, does nothing for EasyRSA.
 # Use sign-req command option 'preserve' instead.
 preserve	= no			# keep passed DN ordering
 # This allows to renew certificates which have not been revoked
 unique_subject	= no
 # A few different ways of specifying how similar the request should look
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that :-)
 policy		= policy_anything
 # For the 'anything' policy, which defines allowed DN fields
 [ policy_anything ]
 countryName		= optional
 stateOrProvinceName	= optional
 localityName		= optional
 organizationName	= optional
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 serialNumber	= optional
 ####################################################################
 # Easy-RSA request handling
 # We key off $DN_MODE to determine how to format the DN
 [ req ]
 default_bits		= $ENV::EASYRSA_KEY_SIZE
 default_keyfile	= privkey.pem
 default_md		= $ENV::EASYRSA_DIGEST
 distinguished_name	= $ENV::EASYRSA_DN
 x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
 # A placeholder to handle the $EXTRA_EXTS feature:
 #%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
 ####################################################################
 # Easy-RSA DN (Subject) handling
 # Easy-RSA DN for cn_only support:
 [ cn_only ]
 commonName		= Common Name (eg: your user, host, or server name)
 commonName_max		= 64
 commonName_default	= $ENV::EASYRSA_REQ_CN
 # Easy-RSA DN for org support:
 [ org ]
 countryName			= Country Name (2 letter code)
 countryName_default		= $ENV::EASYRSA_REQ_COUNTRY
 countryName_min			= 2
 countryName_max			= 2
 stateOrProvinceName		= State or Province Name (full name)
 stateOrProvinceName_default	= $ENV::EASYRSA_REQ_PROVINCE
 localityName			= Locality Name (eg, city)
 localityName_default		= $ENV::EASYRSA_REQ_CITY
 0.organizationName		= Organization Name (eg, company)
 0.organizationName_default	= $ENV::EASYRSA_REQ_ORG
 organizationalUnitName		= Organizational Unit Name (eg, section)
 organizationalUnitName_default	= $ENV::EASYRSA_REQ_OU
 commonName			= Common Name (eg: your user, host, or server name)
 commonName_max			= 64
 commonName_default		= $ENV::EASYRSA_REQ_CN
 emailAddress			= Email Address
 emailAddress_default		= $ENV::EASYRSA_REQ_EMAIL
 emailAddress_max		= 64
 serialNumber		= Serial-number (eg, device serial-number)
 serialNumber_default	= $ENV::EASYRSA_REQ_SERIAL
 ####################################################################
 # Easy-RSA cert extension handling
 # This section is effectively unused as the main script sets extensions
 # dynamically. This core section is left to support the odd usecase where
 # a user calls openssl directly.
 [ basic_exts ]
 basicConstraints	= CA:FALSE
 subjectKeyIdentifier	= hash
 authorityKeyIdentifier	= keyid,issuer:always
 # The Easy-RSA CA extensions
 [ easyrsa_ca ]
 # PKIX recommendations:
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 # This could be marked critical, but it's nice to support reading by any
 # broken clients who attempt to do so.
 basicConstraints = CA:true
 # Limit key usage to CA tasks. If you really want to use the generated pair as
 # a self-signed cert, comment this out.
 keyUsage = cRLSign, keyCertSign
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA
 # A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
 #%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
 # CRL extensions.
 [ crl_ext ]
 # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
--- a/easyrsa3/vars
+++ b/easyrsa3/vars
@ -1,15 +0,0 @@
 set_var EASYRSA_DN	"org"
 set_var EASYRSA_REQ_COUNTRY	"US"
 set_var EASYRSA_REQ_PROVINCE	"California"
 set_var EASYRSA_REQ_CITY	"San Francisco"
 set_var EASYRSA_REQ_ORG	"SuperNETs"
 set_var EASYRSA_REQ_EMAIL	"no-reply@supernets.org"
 set_var EASYRSA_REQ_OU		"IRC"
 set_var EASYRSA_PRESERVE_DN	1
 set_var EASYRSA_NO_PASS	1
 set_var EASYRSA_KEY_SIZE	4096
 set_var EASYRSA_ALGO		rsa
 set_var EASYRSA_CA_EXPIRE	3650
 set_var EASYRSA_CERT_EXPIRE	3650
 set_var EASYRSA_CRL_DAYS	180
 set_var EASYRSA_RAND_SN	"yes"
--- a/easyrsa3/x509-types/COMMON
+++ b/easyrsa3/x509-types/COMMON
@ -1,12 +0,0 @@
 # X509 extensions added to every signed cert
 # This file is included for every cert signed, and by default does nothing.
 # It could be used to add values every cert should have, such as a CDP as
 # demonstrated in the following example:
 #crlDistributionPoints = URI:http://example.net/pki/my_ca.crl
 # The authority information access extension gives details about how to access
 # certain information relating to the CA.
 #authorityInfoAccess = caIssuers;URI:http://example.net/pki/my_ca.crt
--- a/easyrsa3/x509-types/ca
+++ b/easyrsa3/x509-types/ca
@ -1,12 +0,0 @@
 # X509 extensions for a ca
 # Note that basicConstraints will be overridden by Easy-RSA when defining a
 # CA_PATH_LEN for CA path length limits. You could also do this here
 # manually as in the following example in place of the existing line:
 #
 # basicConstraints = CA:TRUE, pathlen:1
 basicConstraints = CA:TRUE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
 keyUsage = cRLSign, keyCertSign
--- a/easyrsa3/x509-types/client
+++ b/easyrsa3/x509-types/client
@ -1,7 +0,0 @@
 # X509 extensions for a client
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 extendedKeyUsage = clientAuth
 keyUsage = digitalSignature
--- a/easyrsa3/x509-types/code-signing
+++ b/easyrsa3/x509-types/code-signing
@ -1,7 +0,0 @@
 # X509 extensions for a client
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 extendedKeyUsage = codeSigning
 keyUsage = digitalSignature
--- a/easyrsa3/x509-types/email
+++ b/easyrsa3/x509-types/email
@ -1,7 +0,0 @@
 # X509 extensions for email
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 extendedKeyUsage = emailProtection
 keyUsage = digitalSignature,keyEncipherment,nonRepudiation
--- a/easyrsa3/x509-types/kdc
+++ b/easyrsa3/x509-types/kdc
@ -1,21 +0,0 @@
 # X509 extensions for a KDC server certificate
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 extendedKeyUsage = 1.3.6.1.5.2.3.5
 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
 issuerAltName = issuer:copy
 subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
 [kdc_princ_name]
 realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
 principal_name = EXP:1,SEQUENCE:kdc_principal_seq
 [kdc_principal_seq]
 name_type = EXP:0,INTEGER:1
 name_string = EXP:1,SEQUENCE:kdc_principals
 [kdc_principals]
 princ1 = GeneralString:krbtgt
 princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}
--- a/easyrsa3/x509-types/server
+++ b/easyrsa3/x509-types/server
@ -1,7 +0,0 @@
 # X509 extensions for a server
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 extendedKeyUsage = serverAuth
 keyUsage = digitalSignature,keyEncipherment
--- a/easyrsa3/x509-types/serverClient
+++ b/easyrsa3/x509-types/serverClient
@ -1,7 +0,0 @@
 # X509 extensions for a client/server
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 extendedKeyUsage = serverAuth,clientAuth
 keyUsage = digitalSignature,keyEncipherment
--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@ -1,23 +0,0 @@
 ARG UBUNTU_VERSION="noble"
 FROM ubuntu:${UBUNTU_VERSION}
 RUN apt -y update
 RUN apt -y install haproxy
 RUN groupadd docker-haproxy
 RUN useradd --system --shell /bin/bash docker-haproxy -g docker-haproxy
 RUN mkdir -p /var/lib/haproxy/ -p /etc/haproxy
 ADD haproxy.cfg /etc/haproxy
 RUN chown -R docker-haproxy:docker-haproxy /etc/haproxy /var/lib/haproxy
 VOLUME /var/lib/haproxy
 USER docker-haproxy
 CMD haproxy -f /etc/haproxy/haproxy.cfg
--- a/haproxy/docker-compose.yml
+++ b/haproxy/docker-compose.yml
@ -1,7 +0,0 @@
 services:
  haproxy:
    restart: on-failure:3
    build:
      context: .
    image: haproxy
    network_mode: "host"
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@ -1,26 +0,0 @@
 global
 log stdout format raw local0 debug
 defaults
 log     global
 retries 0
 #timeout connect         604800s
 #timeout client          604800s
 #timeout server          604800s
 #timeout tunnel          604800s
 #timeout queue           604800s
 #timeout http-request    604800s
 #timeout http-keep-alive 604800s
 #timeout client-fin      604800s
 #timeout server-fin      604800s
 #timeout check           604800s
 option  tcplog 
 frontend tor-north
  bind                 127.0.0.1:19818 accept-proxy
  mode                 tcp
  default_backend      inspircd-south
 backend inspircd-south
  mode   tcp
  server inspircd 127.0.0.1:7001 send-proxy-v2
--- a/inspircd.conf
+++ b/inspircd.conf
@ -1,5 +1,4 @@
 <include file="/etc/inspircd/modules.conf">
 <include file="/etc/inspircd/help.conf">
 <include directory="/etc/inspircd/custom">
 <badip ipmask="169.254.0.0/16"  reason="APIPA">
@ -52,7 +51,7 @@
 <badnick nick="SASLSERV"  reason="Reserved For Services">
 <badnick nick="STATSERV"  reason="Reserved For Services">
-<cidr ipv4clone="&env.IPV4_CLONE;" ipv6clone="&env.IPV6_CLONE;">
+<cidr ipv4clone="32" ipv6clone="64">
 <class chanmodes="*"
       commands="DIE RESTART REHASH LOADMODULE UNLOADMODULE RELOADMODULE GLOADMODULE GUNLOADMODULE GRELOADMODULE"
@ -93,7 +92,9 @@
 <class name="RolePlay"
       priv="channels/roleplay channels/roleplay-override">
-       
+
 <define name="VOID" value="8,4   E N T E R   T H E   V O I D   ">
 <files motd="/etc/inspircd/custom/motd.txt" opermotd="/etc/inspircd/custom/oper.motd.txt">
 <insane hostmasks="&env.INSANE_HOSTMASKS;" ipmasks="&env.INSANE_IPMASKS;" nickmasks="&env.INSANE_NICKMASKS;" trigger="&env.INSANE_TRIGGER;">
@ -109,15 +110,19 @@
        maxquit="&env.MAX_QUIT;"
        maxtopic="&env.MAX_TOPIC;">
 <log method="ring" type="DEFAULT" level="normal" maxsize="1048576">
 <log method="file" type="ERROR" level="warning critical" target="errors.log" flush="20">
 <log method="file" type="m_dnsbl" level="debug" target="dnsbl.log" flush="20" maxsize="104857600">
 <maxlist chan="*" limit="&env.LIST_MAX_SIZE;">
 <options allowmismatch="&env.ALLOW_MISMATCH;"
         allowzerolimit="&env.ALLOW_ZERO_LIMIT;"
         announcets="&env.ANNOUNCE_TS;"
         casemapping="ascii"
         cyclehosts="&env.CYCLE_HOST_TS;"
         cyclehostsfromuser="&env.CYCLE_HOST_FROM_USER;"
         defaultbind="auto"
         defaultmodes="npst"
         exemptchanops="censor:o filter:o nickflood:o nonick:v regmoderated:o"
         fixedpart=""
         fixedquit=""
@ -150,8 +155,8 @@
 <pid file="/tmp/inspircd.pid">
-<security allowcoreunload="&env.ALLOW_CORE_UNLOAD;"
+<security allowcoreunload="no"
-          announceinvites="&env.ANNOUNCE_INVITES;"
+          announceinvites="dynamic"
          customversion="&env.CUSTOM_VERSION;"
          flatlinks="&env.FLAT_LINKS;"
          genericoper="&env.GENERIC_OPER;"
@ -172,12 +177,17 @@
      name="GlobalOp"
      vhost="&env.GLOBAL_OP_VHOST;">
 <type classes="SACommands OperChat BanControl HostCloak ServerLink"
      name="HOPM"
      vhost="&env.HOPM_VHOST;">
 <type classes="HostCloak"
      name="Helper"
      vhost="&env.HELPER_VHOST;">
 <whowas groupsize="&env.WHOWAS_GROUP_SIZE;" maxgroups="&env.WHOWAS_MAX_GROUPS;" maxkeep="&env.WHOWAS_MAX_KEEP;">
 <maxmind file="/etc/inspircd/GeoLite2-Country.mmdb">
 <sts duration="5m"
@ -185,7 +195,7 @@
     port="&env.SSL_PORT;"
     preload="yes">
-<sasl requiressl="&env.SASL_REQUIRE_SSL;"
+<sasl requiressl="yes"
      target="&env.SASL_TARGET;">
 <alias format="*"
@ -303,12 +313,42 @@
       text="GLOBAL"
       uline="yes">
 <allowchannel name="*">
 <anticaps lowercase="abcdefghijklmnopqrstuvwxyz"
          uppercase="ABCDEFGHIJKLMNOPQRSTUVWXYZ">
 <argon2 iterations="3"
        length="32"
        memory="131074"
        saltlength="16">
 <argon2d memory="131074">
 <argon2i iterations="4">
 <argon2id iterations="5"
          length="64"
          memory="262144"
          saltlength="32">
 <auditorium opcansee="&env.AUDITORIUM_OP_CAN_SEE;"
            opercansee="&env.AUDITORIUM_OPER_CAN_SEE;"
            opvisible="&env.AUDITORIUM_OP_VISIBLE;">
 <autodrop commands="CONNECT DELETE GET HEAD OPTIONS PATCH POST PUT TRACE">
 <autojoinident chan="#blackhole"
               ident="*">
 <bcrypt rounds="16">
 <blockamsg action="&env.BLOCK_AMSG_ACTION;"
           delay="&env.BLOCK_AMSG_DELAY;">
@ -344,10 +384,16 @@
 <channels opers="&env.CHANNELS_OPERS;"
          users="&env.CHANNELS_USERS;">
-<cloak method="hmac-sha256-addr"
+
 <cloak ignorecase="&env.CLOAK_IGNORE_CASE;"
       key="&env.CLOAK_KEY;"
       mode="&env.CLOAK_MODE;"
       prefix="&env.CLOAK_PREFIX;"
       suffix="&env.CLOAK_SUFFIX;">
 <codepage name="&env.CODE_PAGE;">
 <connectban banmessage="filtered for connection hammering; wait 64 seconds to retry"
            bootwait="&env.CONNECT_BAN_BOOT_WAIT;"
            duration="&env.CONNECT_BAN_DURATION;"
@ -356,6 +402,108 @@
            splitwait="&env.CONNECT_BAN_SPLIT_WAIT;"
            threshold="&env.CONNECT_BAN_THRESHOLD;">
 <cpcase lower="97"
        upper="65">
 <cpcase lower="98"
        upper="66">
 <cpcase lower="99"
        upper="67">
 <cpcase lower="100"
        upper="68">
 <cpcase lower="101"
        upper="69">
 <cpcase lower="102"
        upper="70">
 <cpcase lower="103"
        upper="71">
 <cpcase lower="104"
        upper="72">
 <cpcase lower="105"
        upper="73">
 <cpcase lower="106"
        upper="74">
 <cpcase lower="107"
        upper="75">
 <cpcase lower="108"
        upper="76">
 <cpcase lower="109"
        upper="77">
 <cpcase lower="110"
        upper="78">
 <cpcase lower="111"
        upper="79">
 <cpcase lower="112"
        upper="80">
 <cpcase lower="113"
        upper="81">
 <cpcase lower="114"
        upper="82">
 <cpcase lower="115"
        upper="83">
 <cpcase lower="116"
        upper="84">
 <cpcase lower="117"
        upper="85">
 <cpcase lower="118"
        upper="86">
 <cpcase lower="119"
        upper="87">
 <cpcase lower="120"
        upper="88">
 <cpcase lower="121"
        upper="89">
 <cpcase lower="122"
        upper="90">
 <cpchars index="45">
 <cpchars begin="48"
         end="57">
 <cpchars begin="65"
         end="90"
         front="yes">
 <cpchars begin="91"
         end="96"
         front="yes">
 <cpchars begin="97"
         end="122"
         front="yes">
 <cpchars begin="123"
         end="125"
         front="yes">
 <cpchars front="no"
         index="47">
 <ctctags allowclientonlytags="&env.CTC_TAGS_ALLOW_CLIENT_ONLY_TAGS;">
 <customprefix letter="q"
@ -426,6 +574,8 @@
       timeout="5s"
       type="record">
 <exemptfromfilter target="ALIS">
 <exemptfromfilter target="BOTSERV">
@ -475,6 +625,7 @@
 <httpd timeout="&env.HTTPD_TIMEOUT;">
 <inviteexception bypasskey="&env.INVITE_EXCEPTION_BYPASS_KEY;">
 <ircv3 accountnotify="&env.IRCV3_ACCOUNT_NOTIFY;"
@ -487,10 +638,15 @@
 <knock notify="&env.KNOCK_NOTIFY;">
 <maxmind file="/etc/inspircd/geolite2.mmdb">
 <messageflood notice="&env.MESSAGE_FLOOD_NOTICE;"
              privmsg="&env.MESSAGE_FLOOD_PRIVMSG;"
              tagmsg="&env.MESSAGE_FLOOD_TAG_MSG;">
 <monitor maxentries="&env.MONITOR_MAX_ENTRIES;">
 <muteban notifyuser="&env.MUTE_BAN_NOTIFY_USER;">
@ -513,16 +669,32 @@
 <operprefix prefix="&env.OPER_PREFIX;">
 <override enableumode="&env.OVERRIDE_ENABLE_UMODE;"
          noisy="&env.OVERRIDE_NOISY;"
          requirekey="&env.OVERRIDE_REQUIRE_KEY;">
 <pbkdf2 iterations="12288"
        length="32">
 <pbkdf2prov hash="sha256"
            iterations="24576">
 <penalty name="HELPOP"
         value="60">
 <permchanneldb filename="/var/lib/inspircd/permchannels.db"
-               listmodes="&env.PERMCHAN_LIST_MODES;"
+               listmodes="yes"
-               saveperiod="&env.PERMCHANDB_SAVE_PERIOD;">
+               saveperiod="1d">
 <qrcode blockchar=" "
        darkcolour="black"
        lightcolour="white">
 <remove protectedrank="50000"
        supportnokicks="&env.REMOVE_SUPPORT_NO_KICKS;">
@ -533,16 +705,20 @@
        maxtime="&env.REPEAT_MAX_TIME;"
        size="&env.REPEAT_MAX_SIZE;">
 <restrictchans allowregistered="&env.RESTRICT_CHANS_ALLOW_REGISTERED;">
 <rline engine="&env.RLINE_ENGINE;"
       matchonnickchange="&env.RLINE_MATCH_ON_NICK_CHANGE;"
       zlineonmatch="&env.RLINE_ZLINE_ON_MATCH;">
-<rotatelog period="&env.ROTATE_LOG_PERIOD;">
+<rotatelog period="86400">
 <securelist exemptregistered="&env.SECURE_LIST_EXEMPT_REGISTERED;"
            showmsg="&env.SECURE_LIST_SHOW_MSG;"
            waittime="&env.SECURE_LIST_WAIT_TIME;">
 <showwhois opersonly="&env.SHOW_WHOIS_OPER_ONLY;"
           showfromopers="&env.SHOW_WHOIS_FROM_OPERS;">
@ -560,12 +736,15 @@
 <sslmodes enableumode="&env.SSL_ENABLE_UMODE;">
-<stdregex type="&env.REGEX_TYPE;">
+<stdregex type="ecmascript">
 <strictsasl reason="Fix your SASL authentication settings and try again">
 <svshold silent="&env.SVS_HOLD_SILENT;">
 <timedbans sendnotice="&env.TIMED_BANS_SEND_NOTICE;">
 <uline server="&env.SERVICES_ULINE;"
       silent="no">
@ -574,10 +753,12 @@
 <watch maxwatch="&env.WATCH_MAX;">
 <wsorigin allow="&env.WS_ORIGIN_ALLOW;">
 <xlinedb filename="/var/lib/inspircd/xline.db"
-         saveperiod="&env.XLINEDB_SAVE_PERIOD;">
+         saveperiod="128s">
 <zombie cleansplit="&env.ZOMBIE_CLEAN_SPLIT;"
        dirtysplit="&env.ZOMBIE_DIRTY_SPLIT;"
--- a/modules.conf
+++ b/modules.conf
@ -3,6 +3,7 @@
 <module name="allowinvite">
 <module name="alltime">
 <module name="anticaps">
 <module name="antiknocker">
 <module name="antisnoop">
 <module name="argon2">
 <module name="asn">
@ -35,11 +36,7 @@
 <module name="chgname">
 <module name="classban">
 <module name="clearchan">
-<module name="cloak">
+<module name="cloaking">
 <module name="cloak_sha256">
 <module name="cloak_static">
 <module name="cloak_unreal">
 <module name="cloak_user">
 <module name="clones">
 <module name="codepage">
 <module name="commonchans">
@ -112,6 +109,7 @@
 <module name="modenotice">
 <module name="monitor">
 <module name="muteban">
 <module name="mysql">
 <module name="namedmodes">
 <module name="namesx">
 <module name="nickflood">
@ -136,7 +134,9 @@
 <module name="password_hash">
 <module name="pbkdf2">
 <module name="permchannels">
 <module name="pgsql">
 <module name="protoctl">
 <module name="qrcode">
 <module name="redirect">
 <module name="regex_glob">
 <module name="regex_pcre2">
@ -146,6 +146,8 @@
 <module name="regex_tre">
 <module name="remove">
 <module name="repeat">
 <module name="restrictchans">
 <module name="restrictmsg">
 <module name="rline">
 <module name="rmode">
 <module name="sajoin">
@ -172,9 +174,12 @@
 <module name="shun">
 <module name="silence">
 <module name="spanningtree">
 <module name="sqlite3">
 <module name="ssl_gnutls">
 <module name="sslinfo">
 <module name="sslmodes">
 <module name="sslrehashsignal">
 <module name="starttls">
 <module name="stats_unlinked">
 <module name="stripcolor">
 <module name="svshold">
@ -191,12 +196,3 @@
 <module name="watch">
 <module name="websocket">
 <module name="xline_db">
 <module name="regex_pcre">
 <module name="pgsql">
 <module name="mysql">
 <module name="sqlite3">
 <module name="ssl_mbedtls">
 <module name="ssl_openssl">
 <module name="ssl_gnutls">
 <module name="log_sql">
 <module name="log_syslog">
--- a/tor/Dockerfile
+++ b/tor/Dockerfile
@ -1,23 +0,0 @@
 ARG UBUNTU_VERSION="noble"
 FROM ubuntu:${UBUNTU_VERSION}
 RUN apt -y update
 RUN apt -y install tor
 RUN groupadd docker-tor
 RUN useradd --system --shell /bin/bash docker-tor -g docker-tor
 RUN mkdir -p /var/lib/tor/ -p /etc/tor
 ADD torrc /etc/tor
 RUN chown -R docker-tor:docker-tor /etc/tor /var/lib/tor
 VOLUME /var/lib/tor
 USER docker-tor
 CMD tor -f /etc/tor/torrc
--- a/tor/docker-compose.yml
+++ b/tor/docker-compose.yml
@ -1,20 +0,0 @@
 services:
  tor:
    restart: on-failure:3
    build:
      context: .
    image: tor
    network_mode: "host"
    volumes:
      - data:/var/lib/inspircd
    ulimits:
      nofile:
        soft: "102400"
        hard: "102400"
    logging:
      driver: "json-file"
      options:
        max-size: "64k"
 volumes:
  data:
    name: tor_data
--- a/tor/torrc
+++ b/tor/torrc
@ -1,16 +0,0 @@
 DNSPort                             0
 SocksPort                           0
 TransPort                           0
 NATDPort                            0
 RunAsDaemon                         0
 DataDirectory                       /var/lib/tor
 HiddenServiceDir                    /var/lib/tor/ircd
 HiddenServicePort                   6668 127.0.0.1:19818
 HiddenServiceMaxStreams             65535
 HiddenServiceExportCircuitID        haproxy
 CookieAuthentication                0
 ControlPort                         127.0.0.1:9051
 HardwareAccel                       1
 Log                                 info stderr
 HiddenServiceSingleHopMode          1
 HiddenServiceNonAnonymousMode       1