Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/hotdog/config.nix2
-rw-r--r--krebs/2configs/ergo.nix13
-rw-r--r--krebs/2configs/ircd.nix149
-rw-r--r--krebs/2configs/news.nix3
-rw-r--r--krebs/3modules/ergo.nix15
5 files changed, 51 insertions, 131 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 6a51bf45f..cf07d3b4d 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -7,7 +7,7 @@
<stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
- <stockholm/krebs/2configs/ergo.nix>
+ <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix>
<stockholm/krebs/2configs/acme.nix>
diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix
deleted file mode 100644
index db0bc5748..000000000
--- a/krebs/2configs/ergo.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.firewall.allowedTCPPorts = [
- 6667
- ];
-
- krebs.ergo = {
- enable = true;
- };
-}
-
-
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 904878731..c6c91e074 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -1,121 +1,44 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [
- 6667 6669
+ 6667
];
- systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384;
-
- services.solanum = {
+ krebs.ergo = {
enable = true;
- motd = ''
- hello
- '';
- config = ''
- loadmodule "extensions/m_omode";
- serverinfo {
- name = "${config.krebs.build.host.name}.irc.r";
- sid = "1as";
- description = "irc!";
- network_name = "irc.r";
-
- vhost = "0.0.0.0";
- vhost6 = "::";
-
- #ssl_private_key = "etc/ssl.key";
- #ssl_cert = "etc/ssl.cert";
- #ssl_dh_params = "etc/dh.pem";
- #ssld_count = 1;
-
- default_max_clients = 2048;
- #nicklen = 30;
- };
-
- listen {
- defer_accept = yes;
-
- /* If you want to listen on a specific IP only, specify host.
- * host definitions apply only to the following port line.
- */
- host = "0.0.0.0";
- port = 6667;
- #sslport = 6697;
-
- /* Listen on IPv6 (if you used host= above). */
- host = "::";
- port = 6667;
- #sslport = 6697;
- };
-
- class "users" {
- ping_time = 2 minutes;
- number_per_ident = 10;
- number_per_ip = 4096;
- number_per_ip_global = 4096;
- cidr_ipv4_bitlen = 24;
- cidr_ipv6_bitlen = 64;
- number_per_cidr = 65535;
- max_number = 65535;
- sendq = 1000 megabyte;
- };
-
- privset "op" {
- privs = oper:admin, oper:general;
- };
-
- operator "aids" {
- user = "*@*";
- password = "balls";
- flags = ~encrypted;
- snomask = "+s";
- privset = "op";
- };
-
- exempt {
- ip = "127.0.0.1";
- };
-
- exempt {
- ip = "10.243.0.0/16";
- };
-
- auth {
- user = "*@*";
- class = "users";
- flags = kline_exempt, exceed_limit, flood_exempt;
- };
-
- channel {
- autochanmodes = "+t";
- use_invex = yes;
- use_except = yes;
- use_forward = yes;
- use_knock = yes;
- knock_delay = 5 minutes;
- knock_delay_channel = 1 minute;
- max_chans_per_user = 150;
- max_bans = 100;
- max_bans_large = 500;
- default_split_user_count = 0;
- default_split_server_count = 0;
- no_create_on_split = no;
- no_join_on_split = no;
- burst_topicwho = yes;
- kick_on_split_riding = no;
- only_ascii_channels = no;
- resv_forcepart = yes;
- channel_target_change = yes;
- disable_local_channels = no;
- };
-
- general {
- #maybe we want ident someday?
- default_floodcount = 10000;
- disable_auth = yes;
- throttle_duration = 1;
- throttle_count = 10000;
- };
- '';
+ config = {
+ server.secure-nets = [
+ "42::0/16"
+ "10.240.0.0/12"
+ ];
+ oper-classes.server-admin = {
+ title = "admin";
+ capabilities = [
+ "kill" # disconnect user sessions
+ "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
+ "nofakelag" # remove "fakelag" restrictions on rate of message sending
+ "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
+ "vhosts" # add and remove vhosts from users
+ "sajoin" # join arbitrary channels, including private channels
+ "samode" # modify arbitrary channel and user modes
+ "snomasks" # subscribe to arbitrary server notice masks
+ "roleplay" # use the (deprecated) roleplay commands in any channel
+ "rehash" # rehash the server, i.e. reload the config at runtime
+ "accreg" # modify arbitrary account registrations
+ "chanreg" # modify arbitrary channel registrations
+ "history" # modify or delete history messages
+ "defcon" # use the DEFCON command (restrict server capabilities)
+ "massmessage" # message all users on the server
+ ];
+ };
+ opers.aids = {
+ class = "server-admin";
+ hidden = false;
+ password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
+ };
+ };
};
}
+
+
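Review bot: The oper password hash at `password = "$2a$04$…"` carries bcrypt cost 4, the lowest cost the algorithm allows, and since it is committed to the repository and rendered into the ergo config on the host, anyone with read access to either can run offline guessing against it at minimal cost per attempt. Replacing the old plaintext `"balls"` with a hash is the right direction; regenerating the hash at a substantially higher cost factor keeps the same config shape and makes that guessing materially more expensive. `server.secure-nets` marks the listed ranges as secure connections, which I read as giving plaintext port-6667 clients from those networks the same standing as TLS clients, so a one-line comment such as `# internal networks: plaintext connections from here are treated as secure` would record that this is deliberate. The two `+` lines at the end of the hunk add trailing blank lines to the file.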
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 84a39f95b..639cadb37 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -68,7 +68,8 @@
wantedBy = [ "multi-user.target" ];
};
- systemd.services.brockman.bindsTo = [ "solanum.service" ];
+ krebs.ergo.openFilesLimit = 16384;
+ systemd.services.brockman.bindsTo = [ "ergo.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = {
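Review bot: The value 16384 now appears twice, once as `krebs.ergo.openFilesLimit = 16384;` and again as brockman's `LimitNOFILE = 16384;`, with nothing tying them together. If the intent is that client and server share one limit, `systemd.services.brockman.serviceConfig.LimitNOFILE = config.krebs.ergo.openFilesLimit;` keeps them in step (assuming `config` is in this file's argument set, which is outside the hunk). If they are meant to be independent, a short comment on each saying so avoids the question. The enclosing attribute set starts before the hunk.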
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 3153e4cfc..50c5ab628 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -2,6 +2,13 @@
options = {
krebs.ergo = {
enable = lib.mkEnableOption "Ergo IRC daemon";
+ openFilesLimit = lib.mkOption {
+ type = lib.types.int;
+ default = 1024;
+ description = ''
+ Maximum number of open files. Limits the clients and server connections.
+ '';
+ };
config = lib.mkOption {
type = (pkgs.formats.json {}).type;
description = ''
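Review bot: `openFilesLimit` is declared as `lib.types.int`, which accepts zero and negative values that would produce a nonsensical LimitNOFILE; `type = lib.types.ints.positive;` rejects them at evaluation time. The description could also say where the value ends up, e.g. `Maximum number of open files for the ergo service (systemd LimitNOFILE). Limits the clients and server connections.` The `config` option declaration that follows continues past the end of the hunk.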
@@ -54,8 +61,8 @@
multiclient = {
enabled = true;
allowed-by-default = true;
- always-on = "opt-in";
- auto-away = "opt-in";
+ always-on = "opt-out";
+ auto-away = "opt-out";
};
};
channels = {
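Review bot: Switching `always-on` and `auto-away` from `"opt-in"` to `"opt-out"` changes the default for every registered account, and nothing in the hunk records why; a line such as `# registered accounts stay connected by default; users can opt out per account` above `always-on` would carry the intent. If I read ergo's multiclient semantics correctly, opt-out means the server keeps sessions and their associated state alive for accounts whose owners never asked for it, so it is worth confirming this is wanted for all accounts rather than only the ones that need it.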
@@ -111,13 +118,15 @@
systemd.services.ergo = {
description = "Ergo IRC daemon";
wantedBy = [ "multi-user.target" ];
- reloadIfChanged = true;
+ # reload currently not working as expected
+ # reloadIfChanged = true;
restartTriggers = [ configFile ];
serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true;
StateDirectory = "ergo";
+ LimitNOFILE = "${toString cfg.openFilesLimit}";
};
};
});
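Review bot: `LimitNOFILE = "${toString cfg.openFilesLimit}";` wraps an already-string value in interpolation; `LimitNOFILE = toString cfg.openFilesLimit;` is the plain form. The comment `# reload currently not working as expected` leaves `ExecReload` in place, so `systemctl reload ergo` still sends SIGHUP while configuration changes now go through `restartTriggers`; stating what actually fails on reload (which settings the HUP does not pick up) would let the next reader decide whether to drop ExecReload or re-enable `reloadIfChanged`. A restart presumably disconnects every IRC client whereas a reload would not, so the trade-off is worth a sentence in that comment.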