From 266753cc38d1fbdf3c08fcec79e97d3c00cf6a5e Mon Sep 17 00:00:00 2001
From: acidvegas
Date: Sat, 3 Aug 2024 02:08:55 -0400
Subject: [PATCH] Initial commit
---
README.md | 42 ++++++++++++++++++++
deploy | 51 ++++++++++++++++++++++++
fiya | 101 ++++++++++++++++++++++++++++++++++++++++++++++++
prosody.cfg.lua | 31 +++++++++++++++
4 files changed, 225 insertions(+)
create mode 100644 README.md
create mode 100755 deploy
create mode 100644 fiya
create mode 100644 prosody.cfg.lua
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8ef6c84
--- /dev/null
+++ b/README.md
@@ -0,0 +1,42 @@
+# Prosody
+
+#### Setup Client
+We use the [Profanity](https://profanity-im.github.io/) XMPP client for comunnication.
+
+###### Commands
+```
+/register acidvegas@xmpp.supernets.org
+```
+
+```
+/account add acidvegas
+/account default set acidvegas
+/account set acidvegas clientid ""
+/account set acidvegas jid acidvegas@xmpp.supernets.org
+/account set acidvegas muc muc.supernets.org
+/account set acidvegas nick acidvegas
+/account set acidvegas port 5222
+/account set acidvegas resource ""
+/account set acidvegas server xmpp.supernets.org
+/account set acidvegas session_alarm 2
+/account set acidvegas status online
+/account set acidvegas tls force
+/autoconnect set acidvegas
+```
+```
+/color on
+/color own on
+/connect acidvegas
+/occupants color on
+/omemo char 🔑
+/omemo gen
+/omemo log off
+/omemo policy always
+/omemo trustmode blind
+/omemo trustmode manual
+/outtypee off
+/privacy logging off
+/privacy os off
+/receipts send off
+/states off
+```
diff --git a/deploy b/deploy
new file mode 100755
index 0000000..291d37f
--- /dev/null
+++ b/deploy
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Prosody Container Script - developed by acidvegas (https://git.acid.vegas/prosody)
+
+set -xev
+
+create_container() {
+ NAME=$1
+
+ incus storage create $NAME-pool dir
+ incus launch images:debian/12 $NAME-container -s $NAME-pool
+ incus config set $NAME-container boot.autostart true
+ sleep 10 # Delay to allow the container to start and get an IP address from the DHCP server
+ incus exec $NAME-container -- apt update -y
+ incus exec $NAME-container -- apt upgrade -y
+ incus exec $NAME-container -- apt install -y git nano unattended-upgrades wget
+ incus exec $NAME-container -- useradd -m -s /bin/bash agent
+ incus exec $NAME-container -- journalctl --vacuum-time=1d
+ incus exec $NAME-container -- sh -c 'printf "[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K\n" > /etc/systemd/journald.conf'
+ incus exec $NAME-container -- systemctl restart systemd-journald
+}
+
+setup_prosody() {
+ PORT_C2S=5222 # Default 5222
+ PORT_S2S=5269 # Default 5269
+ CONTAINER_IP=$(incus list | grep gotify-container | awk '{print $6}')
+
+ create_container prosody
+
+ incus config set prosody-container boot.autostart true
+ incus config device add prosody-container prosody-c2s-port proxy listen=tcp:0.0.0.0:$PORT_C2S connect=tcp:$CONTAINER_IP:5222
+ incus config device add prosody-container prosody-s2s-port proxy listen=tcp:0.0.0.0:$PORT_S2S connect=tcp:$CONTAINER_IP:5269
+
+ incus exec prosody-container -- apt-get install certbot libevent-dev prosody -y
+
+ incus exec prosody-container -- certbot certonly --standalone -d xmpp.supernets.org -d muc.supernets.org -m nobody@no.name --agree-tos --non-interactive --no-eff-email
+
+ incus exec prosody-container -- sh -c 'printf "[Unit]\nDescription=cerbot renewal\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/certbot renew -n --quiet --agree-tos --deploy-hook \"prosodyctl --root cert import /etc/letsencrypt/live\"\n" > /etc/systemd/system/certbot.service'
+ incus exec prosody-container -- sh -c 'printf "[Unit]\nDescription=cerbot renewal timer\n\n[Timer]\nOnCalendar=0/12:00:00\nRandomizedDelaySec=1h\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n" > /etc/systemd/system/certbot.timer'
+
+ incus exec prosody-container -- systemctl enable certbot.timer
+ incus exec prosody-container -- systemctl start certbot.timer
+
+ incus file push prosody.cfg.lua prosody-container:/etc/prosody/prosody.cfg.lua
+
+ # Need to set the certifcate permissions to allow prosody to read it
+ #sudo ln -s /etc/letsencrypt/live/xmpp.supernets.org/privkey.pem /etc/prosody/certs/xmpp.supernets.org.key
+ #sudo ln -s /etc/letsencrypt/live/xmpp.supernets.org/privkey.pem /etc/prosody/certs/xmpp.supernets.org.key
+
+ incus exec prosody-container -- systemctl enable prosody
+ incus exec prosody-container -- systemctl start prosody
+}
\ No newline at end of file
diff --git a/fiya b/fiya
new file mode 100644
index 0000000..1880e50
--- /dev/null
+++ b/fiya
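Review bot: `CONTAINER_IP` in setup_prosody is computed from `incus list | grep gotify-container` before `create_container prosody` has run, so on a fresh host it is empty (and on a host that does have a gotify container it is the wrong address), and the two `incus config device add … proxy` lines then get a `connect=tcp::5222`-style target. Move the assignment below the `create_container prosody` call and match the name fiya uses: `CONTAINER_IP=$(incus list | grep prosody-container | awk '{print $6}')`. Separately, nothing in the file calls `setup_prosody`, so running `./deploy` only defines two functions and exits; a final `setup_prosody` line is needed. The certificate step at the end is left as two identical commented-out `ln -s` lines, and nothing runs `prosodyctl --root cert import` before `systemctl start prosody`, so the first start appears to have no certificate at the paths prosody.cfg.lua expects — the header comment should state which step the operator is expected to do by hand.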
@@ -0,0 +1,101 @@
+#!/bin/bash
+# Prosody XMPP Firewall - developed by acidvegas (https://git.acid.vegas/prosody)
+
+set -xev
+
+# Configuration
+IP_SSH="changeme"
+PORT_SSH=22 # Default 22
+PORT_XMPP_C2S=5222 # Default 5222
+PORT_XMPP_S2S=5269 # Default 5269
+
+CONTAINER_IP=$(incus list | grep prosody-container | awk '{print $6}')
+SUBNET=$(echo $CONTAINER_IP | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/\1.0\/24/')
+
+# -------------------------------------------------- #
+
+# Kernel hardening settings
+mkdir -p /etc/sysctl.d
+{
+ echo "net.ipv4.conf.all.accept_source_route = 0"
+ echo "net.ipv6.conf.all.accept_source_route = 0"
+ echo "net.ipv4.conf.all.rp_filter = 1"
+ echo "net.ipv4.conf.default.rp_filter = 1"
+ echo "net.ipv4.conf.all.accept_redirects = 0"
+ echo "net.ipv6.conf.all.accept_redirects = 0"
+ echo "net.ipv4.conf.default.accept_redirects = 0"
+ echo "net.ipv6.conf.default.accept_redirects = 0"
+ echo "net.ipv4.conf.all.log_martians = 1"
+ echo "kernel.randomize_va_space = 2"
+ echo "fs.suid_dumpable = 0"
+ echo "net.ipv4.ip_forward=1"
+} > /etc/sysctl.d/99-custom-hardening.conf
+
+# Apply hardening settings
+sysctl -p /etc/sysctl.d/99-custom-hardening.conf
+
+# -------------------------------------------------- #
+
+# Flush existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+
+# Default chain policies
+iptables -P INPUT ACCEPT
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+
+# Common Firewall rules
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
+iptables -A INPUT -p icmp --icmp-type port-unreachable -j DROP
+iptables -A INPUT -i lo -j ACCEPT
+
+# -------------------------------------------------- #
+
+# Allow container NAT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+iptables -A FORWARD -i incusbr0 -o eth0 -j ACCEPT
+iptables -A FORWARD -i eth0 -o incusbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Allow container DHCP
+iptables -I INPUT -i incusbr0 -p udp --dport 67:68 -j ACCEPT
+iptables -I FORWARD -i incusbr0 -p udp --dport 67:68 -j ACCEPT
+
+# Allow container DNS
+iptables -A INPUT -i incusbr0 -p udp --dport 53 -j ACCEPT
+iptables -A INPUT -i incusbr0 -p tcp --dport 53 -j ACCEPT
+iptables -A FORWARD -i incusbr0 -o eth0 -p udp --dport 53 -j ACCEPT
+iptables -A FORWARD -i incusbr0 -o eth0 -p tcp --dport 53 -j ACCEPT
+
+# -------------------------------------------------- #
+
+# Allow SSH
+iptables -A INPUT -p tcp -s $IP_SSH --dport $PORT_SSH -j ACCEPT
+
+# Allow Certbot
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $CONTAINER_IP:80
+iptables -t nat -A POSTROUTING -s $SUBNET -o eth0 -j MASQUERADE
+iptables -A FORWARD -d ${CONTAINER_IP}/32 -o incusbr0 -p tcp --dport 80 -j ACCEPT
+iptables -A FORWARD -s ${CONTAINER_IP}/32 -i incusbr0 -j ACCEPT
+
+# Allow Prosody
+iptables -A INPUT -p tcp --dport $PORT_XMPP_C2S -j ACCEPT
+iptables -A INPUT -p tcp --dport $PORT_XMPP_S2S -j ACCEPT
+
+# -------------------------------------------------- #
+
+# Save rules (iptables-persistent package)
+iptables-save > /etc/iptables/iptables.rules
+
+# Create and configure the iptables service
+printf '#!/bin/sh\nexec 2>&1\niptables-restore < /etc/iptables/iptables.rules\nexec chpst -b iptables pause\n' > /etc/sv/iptables/run
+chmod +x /etc/sv/iptables/run
+ln -sf /etc/sv/iptables /var/service/ && sv restart iptables
+
+# Show rules
+iptables -L -v -n
\ No newline at end of file
diff --git a/prosody.cfg.lua b/prosody.cfg.lua
new file mode 100644
index 0000000..d92aa9d
--- /dev/null
+++ b/prosody.cfg.lua
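Review bot: `iptables -P INPUT ACCEPT` under "Default chain policies" makes every later INPUT allow rule (SSH from `$IP_SSH`, the two XMPP ports, container DHCP/DNS) redundant, because anything not explicitly dropped is accepted anyway; the only traffic INPUT actually blocks is echo-request and port-unreachable ICMP. If an allow-list is intended the policy has to be DROP, but it should be set as the last step — after the allow rules and after a guard on the placeholder, `: "${IP_SSH:?set IP_SSH before running}"` — because under `set -e` a failure to resolve `changeme` would otherwise abort the script with the chains already flushed: put `iptables -P INPUT DROP` just before the `iptables-save` line. The "Allow container NAT" rules use `-m state --state` while the INPUT rule above uses `-m conntrack --ctstate`; using `-m conntrack --ctstate RELATED,ESTABLISHED` throughout keeps the file consistent. Note also that only IPv4 is filtered — the sysctl block sets net.ipv6 keys, but there is no ip6tables counterpart, so if the host has a public IPv6 address the allow-list does not apply there; the "Save rules (iptables-persistent package)" comment also no longer matches the runit service the script actually installs.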
@@ -0,0 +1,31 @@
+admins = { }
+
+plugin_paths = { "/usr/local/lib/prosody/modules" }
+
+pidfile = "/run/prosody/prosody.pid";
+
+limits = {
+ c2s = { rate = "3kb/s"; burst = "2s"; };
+ s2sin = { rate = "10kb/s"; burst = "5s"; };
+}
+
+log = "*syslog"
+
+VirtualHost "xmpp.supernets.org"
+ modules_enabled = { "carbons"; "dialback"; "disco"; "limits"; "pep"; "ping"; "posix"; "register"; "register_limits", "roster"; "saslauth"; "tls"; }
+
+ allow_registration = true -- register
+ authentication = "internal_hashed" -- register
+ blacklist_on_registration_throttle_overload = true -- register_limits
+ c2s_require_encryption = true
+ min_seconds_between_registrations = 86400 -- register_limits
+ registration_throttle_cache_size = 100 -- register_limits
+ s2s_require_encryption = true
+
+ ssl = {
+ certificate = "/etc/prosody/certs/xmpp.supernets.org/fullchain.pem";
+ key = "/etc/prosody/certs/xmpp.supernets.org/privkey.pem";
+ }
+
+ Component "muc.supernets.org" "muc"
+ name = "SuperNETs XMPP Chatrooms"
\ No newline at end of file
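Review bot: The `ssl` block points at `/etc/prosody/certs/xmpp.supernets.org/fullchain.pem` and `…/privkey.pem`, but the deploy script in this commit obtains the certificate with certbot under /etc/letsencrypt/live and only runs `prosodyctl --root cert import` from the renewal hook, never before the first `systemctl start prosody`; the commented-out symlinks in deploy also use a different layout (`/etc/prosody/certs/xmpp.supernets.org.key`). Either the import should run once at deploy time or a comment above `ssl` should say where these files are expected to come from, e.g. `-- populated by 'prosodyctl --root cert import /etc/letsencrypt/live' (see deploy)`. The `modules_enabled` list mixes `;` and `,` separators (`"register_limits", "roster"`); both are valid Lua, but one separator reads better. The `Component "muc.supernets.org" "muc"` line is indented as if it were inside the VirtualHost, whereas in Prosody's config a Component line starts a new section of its own, so the indentation is misleading — dedent it or mark it with a blank line and a comment as a separate section.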