supernets inspircd source & configuration https://www.inspircd.org/

Getting started

This Docker configuration relies on the host network driver, meaning it does not set up any internal networks or even a separate network namespace (NetNS). Because the container shares the host's network stack, a bind to address="*" listens on every host interface, while the 127.0.0.1 binds used later for HAProxy and Atheme stay reachable from the host only. Your mileage may vary if you change the network driver.

Hub

  • copy config.env.example to config.env and edit it
  • copy include.conf.example to custom/include.conf and edit it (change values rather than deleting blocks for now)

Internal TLS

The following steps describe how to set up an easyrsa3 CA for internal TLS. This step is necessary regardless of whether you intend to use publicly issued certificates for leaf servers, because it provides TLS encryption between the hub and its leaf servers and between the hub and services. Refer to the External TLS section under Leaf servers for client-facing certificates. To bootstrap internal TLS with an easyrsa3 CA perform the following:

  • cd to easyrsa3 directory
  • ./easyrsa init-pki
  • ./easyrsa build-ca
  • ./easyrsa build-server-full hub.stuff.ts.net nopass (without nopass, easyrsa3 encrypts the private key with a passphrase, which inspircd cannot load unattended)
  • ./easyrsa build-server-full leaf1.stuff.ts.net nopass
  • ./easyrsa build-server-full services.stuff.ts.net nopass
  • ./easyrsa gen-crl
  • ./easyrsa gen-dh

The .gitignore keeps these secrets out of the git repo; check `git status` before committing to confirm nothing under easyrsa3/pki/ or custom/ is staged.

Two directories under easyrsa3/pki/ matter here: issued/ contains certificates and private/ contains keys:

  • copy ca.crt, crl.pem, and dh.pem to custom/
  • copy the hub certificate and key to custom/server.crt and custom/server.key (they are named after the FQDN used to create them, here hub.stuff.ts.net.crt and hub.stuff.ts.net.key)

The include.conf example already points the defaultssl profile at custom/server.crt and custom/server.key:

<sslprofile certfile="/etc/inspircd/custom/server.crt"
            keyfile="/etc/inspircd/custom/server.key"
            cafile="/etc/inspircd/custom/ca.crt"
            crlfile="/etc/inspircd/custom/crl.pem"
            dhfile="/etc/inspircd/custom/dh.pem"
            name="defaultssl"
            tlsv11="no"
            tlsv12="yes"
            tlsv13="yes"
            renegotiation="yes"
            requestclientcert="yes"
            provider="gnutls">
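The CA bootstrap and copy steps above as one script. This is an added example, not code from the supernets repository: it assumes the easyrsa3/ checkout sits beside custom/, that the script is saved as tls.sh (a made-up name), that the ircd runs as uid 999 inside the container (the reason for the chown -R 999 custom/ step below), and that openssl is available for the optional consistency check. Run `./tls.sh bootstrap easyrsa3 hub.stuff.ts.net leaf1.stuff.ts.net services.stuff.ts.net` once, then `./tls.sh stage easyrsa3/pki hub.stuff.ts.net custom`.

```shell
#!/bin/sh
# Added example, not part of the supernets repository. Wraps the easyrsa3 steps from the
# README and stages the output under custom/ with the file names the defaultssl
# sslprofile expects (server.crt, server.key, ca.crt, crl.pem, dh.pem).
# Assumed layout: easyrsa3/ checkout beside custom/; ircd runs as uid 999 in the container.
set -eu

# Bootstrap the CA once and issue one server certificate per FQDN given.
# build-ca prompts for a CA passphrase; keep it, it signs every link certificate.
# nopass is an assumption: the default (encrypted key) cannot be loaded by inspircd unattended.
# Re-running init-pki destroys the existing PKI, so never call this twice.
bootstrap_ca() {
    easyrsa_dir=$1; shift
    (
        cd "$easyrsa_dir"
        ./easyrsa init-pki
        ./easyrsa build-ca
        for fqdn in "$@"; do
            ./easyrsa build-server-full "$fqdn" nopass
        done
        ./easyrsa gen-crl
        ./easyrsa gen-dh
    )
}

# Copy the CA material plus one server's certificate/key from an easyrsa3 pki/ directory
# into DEST under the fixed names referenced by include.conf. Fails before copying anything
# if a file is missing, rather than leaving a half-populated custom/.
stage_tls_material() {
    pki=$1 fqdn=$2 dest=$3
    for f in ca.crt crl.pem dh.pem "issued/$fqdn.crt" "private/$fqdn.key"; do
        if [ ! -f "$pki/$f" ]; then
            echo "missing $pki/$f: run the easyrsa steps first" >&2
            return 1
        fi
    done
    mkdir -p "$dest"
    cp "$pki/ca.crt" "$pki/crl.pem" "$pki/dh.pem" "$dest/"
    cp "$pki/issued/$fqdn.crt" "$dest/server.crt"
    cp "$pki/private/$fqdn.key" "$dest/server.key"
    chmod 644 "$dest/ca.crt" "$dest/crl.pem" "$dest/dh.pem" "$dest/server.crt"
    chmod 600 "$dest/server.key"   # private key readable by the owning (ircd) uid only
}

# Consistency checks before `docker-compose up`: the key matches the certificate and the
# certificate chains to ca.crt. Skipped (returns 0) when openssl is not installed.
verify_tls_material() {
    dest=$1
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$dest/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dest/server.key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$dest/server.key does not match $dest/server.crt" >&2
        return 1
    fi
    openssl verify -CAfile "$dest/ca.crt" "$dest/server.crt" >/dev/null
}

case "${1:-}" in
    bootstrap) shift; bootstrap_ca "$@" ;;      # tls.sh bootstrap easyrsa3 hub.stuff.ts.net ...
    stage)     shift; stage_tls_material "$@"; verify_tls_material "$3"
               echo "staged into $3; now run: chown -R 999 $3" ;;
    *)         ;;                               # no command: only define the functions
esac
```

The staging step is the one to automate: the profile hard-codes the server.crt/server.key names, so a leaf that copies hub.stuff.ts.net.crt without renaming it fails at startup, and a mismatched key/certificate pair only shows up when the first link attempt fails the handshake.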

Hub (continued)

Create custom/links.conf. The following declares a link to one leaf server (the bind and ipaddr values are the author's; replace them with your own):

<link allowmask="*"
      bind="100.79.209.72"
      hidden="no"
      sslprofile="defaultssl"
      ipaddr="100.83.238.47"
      name="lux.supernets.org"
      port="&env.SERVER_SSL_PORT;"
      recvpass="&env.LINK_RECV_PASSWORD;"
      sendpass="&env.LINK_SEND_PASSWORD;"
      statshidden="no"
      timeout="&env.LINK_TIMEOUT;">

  • chown -R 999 custom/ (the uid the ircd runs as inside the container, so it can read server.key)
  • docker-compose build
  • docker-compose up -d

Leaf servers

  • copy config.env.example to config.env and edit it
  • copy include.conf.example to custom/include.conf and edit it (change values rather than deleting blocks for now)

Internal TLS

  • Copy the certificate and key issued for the leaf, plus ca.crt, crl.pem and dh.pem (the defaultssl profile references all three), from the easyrsa3 CA (probably located on the hub server) to the leaf server's custom/ directory; rename the certificate and key to server.crt and server.key. Move the private key over an authenticated channel such as scp.

External TLS

  • Copy your issued certificate and key to custom/irc.crt and custom/irc.key respectively, and the issuer's CA chain to custom/irc.ca.crt (the profile below references it)
  • Add the following to custom/include.conf:
<sslprofile certfile="/etc/inspircd/custom/irc.crt"
            keyfile="/etc/inspircd/custom/irc.key"
            cafile="/etc/inspircd/custom/irc.ca.crt"
            name="supernets_ssl"
            tlsv11="no"
            tlsv12="yes"
            tlsv13="yes"
            renegotiation="yes"
            requestclientcert="yes"
            provider="gnutls">

and change the client bind on the TLS port (6697, &env.SSL_PORT;) to use the supernets_ssl profile:

<bind address="*"
      port="&env.SSL_PORT;"
      sslprofile="supernets_ssl"
      type="clients">

Tor hidden service

Tor can be configured with HAProxy between inspircd and Tor so that clients are identified by their Tor circuit ID: Tor's HiddenServiceExportCircuitID haproxy option writes a PROXY protocol header whose source address lies in fc00:dead:beef:4dad::/64 and encodes the circuit ID, and HAProxy relays it to inspircd's haproxy hook. Each unique client therefore gets a ULA-based IPv6 hostmask that is stable for its circuit, which is what the exception and connect blocks below match on:

  • cd to tor/
  • docker-compose up -d
  • To get the hidden service hostname:
docker exec -it tor-tor-1 cat /var/lib/tor/ircd/hostname
q6ihxyqviqz76xt6dcpvgidbal64ltbvptbjp4yoxyjihgmqpxugcbid.onion
  • cd to haproxy/
  • docker-compose up -d
  • By default, the include.conf example already provides the necessary configuration. Anything that can connect to the haproxy hook port can assert an arbitrary client address through the PROXY header, so keep it bound to 127.0.0.1 and never expose it:
<bind address="127.0.0.1"
      port="7001"
      hook="haproxy">

<exception host="*@fc00:dead:beef:4dad::/64"
           reason="Tor ULA addresses (represents circuit ID)">

<connect commandrate="&env.COMMAND_RATE;"
         fakelag="&env.FAKE_LAG;"
         allow="127.0.0.1/32"
         hardsendq="&env.HARD_SENDQ;"
         maxchans="&env.MAX_CHANS;"
         pingfreq="&env.PING_FREQ;"
         recvq="&env.RECVQ;"
         softsendq="&env.SOFT_SENDQ;"
         threshold="&env.COMMAND_RATE_THRESHOLD;"
         timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
         usecloak="yes"
         useconnflood="&env.USE_CONN_FLOOD;"
         usednsbl="no"
         useident="no"
         resolvehostnames="no"
         useconnectban="no"
         globalmax="&env.GLOBAL_MAX;"
         localmax="&env.LOCAL_MAX;"
         maxconnwarn="&env.MAX_CONN_WARN;"
         modes="&env.DEFAULT_USER_MODES;"
         name="tor_haproxy_shim"
         port="7001">

<connect commandrate="&env.COMMAND_RATE;"
         fakelag="&env.FAKE_LAG;"
         allow="fc00:dead:beef:4dad::/64"
         hardsendq="&env.HARD_SENDQ;"
         maxchans="&env.MAX_CHANS;"
         pingfreq="&env.PING_FREQ;"
         recvq="&env.RECVQ;"
         softsendq="&env.SOFT_SENDQ;"
         threshold="&env.COMMAND_RATE_THRESHOLD;"
         timeout="&env.PARTIAL_CONNECT_TIMEOUT;"
         usecloak="yes"
         useconnflood="&env.USE_CONN_FLOOD;"
         usednsbl="no"
         useident="no"
         resolvehostnames="no"
         useconnectban="no"
         autojoin="#tor"
         globalmax="&env.GLOBAL_MAX;"
         localmax="&env.LOCAL_MAX;"
         maxconnwarn="&env.MAX_CONN_WARN;"
         modes="&env.DEFAULT_USER_MODES;"
         name="tor"
         port="6668">
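Decoding the hostmask back to a circuit, as an added example that is not part of the repository. With HiddenServiceExportCircuitID haproxy, Tor puts the client's global circuit ID in the low 32 bits of the fc00:dead:beef:4dad::/64 source address in the PROXY header, so the address inspircd shows for a Tor user (and that the exception and connect blocks above match) is that encoding. The helpers below convert such an address to the circuit ID (for example to close that circuit on Tor's control port) and build the address for a single circuit (to ban one circuit instead of the whole /64). They accept both compressed and uncompressed IPv6 forms; the file name tor-circuit.sh is made up.

```shell
#!/bin/sh
# Added example, not part of the supernets repository. Converts between the ULA address
# inspircd shows for a Tor client (fc00:dead:beef:4dad::/64, circuit ID in the low 32
# bits, as written by Tor's HiddenServiceExportCircuitID haproxy) and the circuit ID.
set -eu

TOR_ULA_PREFIX=fc00:dead:beef:4dad

# Print the global circuit ID encoded in ADDR, or fail if ADDR is outside the Tor ULA range.
# Handles compressed ("::aabb:ccdd", "::1", "::") and uncompressed ("0:0:aabb:ccdd") forms.
tor_circuit_id() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$addr" in
        "$TOR_ULA_PREFIX":*) ;;
        *) echo "not a Tor circuit address: $1" >&2; return 1 ;;
    esac
    rest=${addr#"$TOR_ULA_PREFIX"}          # e.g. "::aabb:ccdd", "::", ":0:0:aabb:ccdd"
    # Split at "::" (if present) and pad the gap with zero groups to get four host groups.
    case "$rest" in
        *::*) left=${rest%%::*}; right=${rest#*::} ;;
        *)    left=$rest; right= ;;
    esac
    left=${left#:}
    nl=$(IFS=:; set -- $left; echo $#)
    nr=$(IFS=:; set -- $right; echo $#)
    zeros=$((4 - nl - nr))
    full=$left
    while [ "$zeros" -gt 0 ]; do full="$full:0"; zeros=$((zeros - 1)); done
    full="$full:$right"
    full=${full#:}; full=${full%:}
    IFS=:; set -- $full; unset IFS           # $1..$4 are now the four host groups
    if [ $# -ne 4 ]; then
        echo "malformed address: $addr" >&2; return 1
    fi
    for g in "$3" "$4"; do                   # only the last 32 bits carry the circuit ID
        case "$g" in
            ''|*[!0-9a-f]*|?????*) echo "malformed address: $addr" >&2; return 1 ;;
        esac
    done
    echo $(( (0x$3 << 16) | 0x$4 ))
}

# Print the address Tor assigns to circuit ID (0..2^32-1) in canonical compressed form,
# e.g. for a Z-line on one misbehaving circuit rather than the whole /64.
tor_circuit_address() {
    id=$1
    case "$id" in ''|*[!0-9]*) echo "circuit id must be decimal: $id" >&2; return 1 ;; esac
    if [ "$((id > 4294967295))" -eq 1 ]; then
        echo "circuit id out of range: $id" >&2; return 1
    fi
    hi=$((id >> 16)); lo=$((id & 0xffff))
    if [ "$hi" -eq 0 ]; then
        if [ "$lo" -eq 0 ]; then printf '%s::\n' "$TOR_ULA_PREFIX"
        else printf '%s::%x\n' "$TOR_ULA_PREFIX" "$lo"; fi
    else
        printf '%s::%x:%x\n' "$TOR_ULA_PREFIX" "$hi" "$lo"
    fi
}

case "${1:-}" in
    id)   shift; tor_circuit_id "$1" ;;        # tor-circuit.sh id fc00:dead:beef:4dad::aabb:ccdd
    addr) shift; tor_circuit_address "$1" ;;   # tor-circuit.sh addr 2864434397
    *)    ;;                                   # no command: only define the functions
esac
```

Because the address is a per-circuit pseudonym rather than a real IP, DNSBL and reverse-DNS lookups are pointless for it, which is why the tor and tor_haproxy_shim classes above set usednsbl="no" and resolvehostnames="no"; a ban on one of these addresses lasts only as long as that Tor circuit.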

Atheme services

To configure Atheme, add the following to custom/links.conf on the hub server:

<link allowmask="*"
      bind="127.0.0.1"
      hidden="no"
      name="services.supernets.org"
      recvpass="&env.LINK_RECV_PASSWORD;"
      sendpass="&env.LINK_SEND_PASSWORD;"
      statshidden="no"
      timeout="&env.LINK_TIMEOUT;">

Atheme also requires the following to be added to custom/include.conf:

<bind address="127.0.0.1"
      port="6000"
      type="servers">

Note that this bind does not use TLS; stunnel provides that for the services link: