diff options
Diffstat (limited to 'krebs/2configs')
-rw-r--r-- | krebs/2configs/default.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/ergo.nix | 13 | ||||
-rw-r--r-- | krebs/2configs/ircd.nix | 149 | ||||
-rw-r--r-- | krebs/2configs/mud.nix | 3 | ||||
-rw-r--r-- | krebs/2configs/news.nix | 8 | ||||
-rw-r--r-- | krebs/2configs/reaktor2.nix | 2 | ||||
-rw-r--r-- | krebs/2configs/security-workarounds.nix | 6 |
7 files changed, 53 insertions, 129 deletions
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 9200d41fe..38d770316 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -4,6 +4,7 @@ with import <stockholm/lib>; { imports = [ ./backup.nix + ./security-workarounds.nix ]; krebs.announce-activation.enable = true; krebs.enable = true; diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix deleted file mode 100644 index db0bc5748..000000000 --- a/krebs/2configs/ergo.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.firewall.allowedTCPPorts = [ - 6667 - ]; - - krebs.ergo = { - enable = true; - }; -} - - diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 904878731..c6c91e074 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -1,121 +1,44 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, ... }: { networking.firewall.allowedTCPPorts = [ - 6667 6669 + 6667 ]; - systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384; - - services.solanum = { + krebs.ergo = { enable = true; - motd = '' - hello - ''; - config = '' - loadmodule "extensions/m_omode"; - serverinfo { - name = "${config.krebs.build.host.name}.irc.r"; - sid = "1as"; - description = "irc!"; - network_name = "irc.r"; - - vhost = "0.0.0.0"; - vhost6 = "::"; - - #ssl_private_key = "etc/ssl.key"; - #ssl_cert = "etc/ssl.cert"; - #ssl_dh_params = "etc/dh.pem"; - #ssld_count = 1; - - default_max_clients = 2048; - #nicklen = 30; - }; - - listen { - defer_accept = yes; - - /* If you want to listen on a specific IP only, specify host. - * host definitions apply only to the following port line. - */ - host = "0.0.0.0"; - port = 6667; - #sslport = 6697; - - /* Listen on IPv6 (if you used host= above). */ - host = "::"; - port = 6667; - #sslport = 6697; - }; - - class "users" { - ping_time = 2 minutes; - number_per_ident = 10; - number_per_ip = 4096; - number_per_ip_global = 4096; - cidr_ipv4_bitlen = 24; - cidr_ipv6_bitlen = 64; - number_per_cidr = 65535; - max_number = 65535; - sendq = 1000 megabyte; - }; - - privset "op" { - privs = oper:admin, oper:general; - }; - - operator "aids" { - user = "*@*"; - password = "balls"; - flags = ~encrypted; - snomask = "+s"; - privset = "op"; - }; - - exempt { - ip = "127.0.0.1"; - }; - - exempt { - ip = "10.243.0.0/16"; - }; - - auth { - user = "*@*"; - class = "users"; - flags = kline_exempt, exceed_limit, flood_exempt; - }; - - channel { - autochanmodes = "+t"; - use_invex = yes; - use_except = yes; - use_forward = yes; - use_knock = yes; - knock_delay = 5 minutes; - knock_delay_channel = 1 minute; - max_chans_per_user = 150; - max_bans = 100; - max_bans_large = 500; - default_split_user_count = 0; - default_split_server_count = 0; - no_create_on_split = no; - no_join_on_split = no; - burst_topicwho = yes; - kick_on_split_riding = no; - only_ascii_channels = no; - resv_forcepart = yes; - channel_target_change = yes; - disable_local_channels = no; - }; - - general { - #maybe we want ident someday? - default_floodcount = 10000; - disable_auth = yes; - throttle_duration = 1; - throttle_count = 10000; - }; - ''; + config = { + server.secure-nets = [ + "42::0/16" + "10.240.0.0/12" + ]; + oper-classes.server-admin = { + title = "admin"; + capabilities = [ + "kill" # disconnect user sessions + "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line") + "nofakelag" # remove "fakelag" restrictions on rate of message sending + "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block) + "vhosts" # add and remove vhosts from users + "sajoin" # join arbitrary channels, including private channels + "samode" # modify arbitrary channel and user modes + "snomasks" # subscribe to arbitrary server notice masks + "roleplay" # use the (deprecated) roleplay commands in any channel + "rehash" # rehash the server, i.e. reload the config at runtime + "accreg" # modify arbitrary account registrations + "chanreg" # modify arbitrary channel registrations + "history" # modify or delete history messages + "defcon" # use the DEFCON command (restrict server capabilities) + "massmessage" # message all users on the server + ]; + }; + opers.aids = { + class = "server-admin"; + hidden = false; + password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO"; + }; + }; }; } + + diff --git a/krebs/2configs/mud.nix b/krebs/2configs/mud.nix index d5e4c89c1..30f232b64 100644 --- a/krebs/2configs/mud.nix +++ b/krebs/2configs/mud.nix @@ -156,7 +156,8 @@ in { openssh.authorizedKeys.keys = with config.krebs.users; [ lass.pubkey makefu.pubkey - kmein.pubkey + kmein-kabsa.pubkey + kmein-manakish.pubkey tv.pubkey ]; packages = with pkgs; [ diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 84a39f95b..9ea4cbf8d 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -68,7 +68,13 @@ wantedBy = [ "multi-user.target" ]; }; - systemd.services.brockman.bindsTo = [ "solanum.service" ]; + krebs.ergo.openFilesLimit = 16384; + krebs.ergo.config = { + limits.nicklen = 100; + limits.identlen = 100; + history.enabled = false; + }; + systemd.services.brockman.bindsTo = [ "ergo.service" ]; systemd.services.brockman.serviceConfig.LimitNOFILE = 16384; systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; krebs.brockman = { diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index df66fd798..305d31405 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -95,7 +95,7 @@ let } hooks.sed (generators.command_hook { - inherit (commands) random-emoji nixos-version; + inherit (commands) dance random-emoji nixos-version; tell = { filename = <stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>; diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix new file mode 100644 index 000000000..27d1f8485 --- /dev/null +++ b/krebs/2configs/security-workarounds.nix @@ -0,0 +1,6 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; +{ + # https://github.com/berdav/CVE-2021-4034 + security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" ""); +} |