Diffstat (limited to 'krebs/2configs')
-rw-r--r--krebs/2configs/default.nix1
-rw-r--r--krebs/2configs/ergo.nix13
-rw-r--r--krebs/2configs/ircd.nix149
-rw-r--r--krebs/2configs/mud.nix3
-rw-r--r--krebs/2configs/news.nix8
-rw-r--r--krebs/2configs/reaktor2.nix2
-rw-r--r--krebs/2configs/security-workarounds.nix6
7 files changed, 53 insertions, 129 deletions
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 9200d41fe..38d770316 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -4,6 +4,7 @@ with import <stockholm/lib>;
{
imports = [
./backup.nix
+ ./security-workarounds.nix
];
krebs.announce-activation.enable = true;
krebs.enable = true;
diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix
deleted file mode 100644
index db0bc5748..000000000
--- a/krebs/2configs/ergo.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.firewall.allowedTCPPorts = [
- 6667
- ];
-
- krebs.ergo = {
- enable = true;
- };
-}
-
-
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 904878731..c6c91e074 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -1,121 +1,44 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [
- 6667 6669
+ 6667
];
- systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384;
-
- services.solanum = {
+ krebs.ergo = {
enable = true;
- motd = ''
- hello
- '';
- config = ''
- loadmodule "extensions/m_omode";
- serverinfo {
- name = "${config.krebs.build.host.name}.irc.r";
- sid = "1as";
- description = "irc!";
- network_name = "irc.r";
-
- vhost = "0.0.0.0";
- vhost6 = "::";
-
- #ssl_private_key = "etc/ssl.key";
- #ssl_cert = "etc/ssl.cert";
- #ssl_dh_params = "etc/dh.pem";
- #ssld_count = 1;
-
- default_max_clients = 2048;
- #nicklen = 30;
- };
-
- listen {
- defer_accept = yes;
-
- /* If you want to listen on a specific IP only, specify host.
- * host definitions apply only to the following port line.
- */
- host = "0.0.0.0";
- port = 6667;
- #sslport = 6697;
-
- /* Listen on IPv6 (if you used host= above). */
- host = "::";
- port = 6667;
- #sslport = 6697;
- };
-
- class "users" {
- ping_time = 2 minutes;
- number_per_ident = 10;
- number_per_ip = 4096;
- number_per_ip_global = 4096;
- cidr_ipv4_bitlen = 24;
- cidr_ipv6_bitlen = 64;
- number_per_cidr = 65535;
- max_number = 65535;
- sendq = 1000 megabyte;
- };
-
- privset "op" {
- privs = oper:admin, oper:general;
- };
-
- operator "aids" {
- user = "*@*";
- password = "balls";
- flags = ~encrypted;
- snomask = "+s";
- privset = "op";
- };
-
- exempt {
- ip = "127.0.0.1";
- };
-
- exempt {
- ip = "10.243.0.0/16";
- };
-
- auth {
- user = "*@*";
- class = "users";
- flags = kline_exempt, exceed_limit, flood_exempt;
- };
-
- channel {
- autochanmodes = "+t";
- use_invex = yes;
- use_except = yes;
- use_forward = yes;
- use_knock = yes;
- knock_delay = 5 minutes;
- knock_delay_channel = 1 minute;
- max_chans_per_user = 150;
- max_bans = 100;
- max_bans_large = 500;
- default_split_user_count = 0;
- default_split_server_count = 0;
- no_create_on_split = no;
- no_join_on_split = no;
- burst_topicwho = yes;
- kick_on_split_riding = no;
- only_ascii_channels = no;
- resv_forcepart = yes;
- channel_target_change = yes;
- disable_local_channels = no;
- };
-
- general {
- #maybe we want ident someday?
- default_floodcount = 10000;
- disable_auth = yes;
- throttle_duration = 1;
- throttle_count = 10000;
- };
- '';
+ config = {
+ server.secure-nets = [
+ "42::0/16"
+ "10.240.0.0/12"
+ ];
+ oper-classes.server-admin = {
+ title = "admin";
+ capabilities = [
+ "kill" # disconnect user sessions
+ "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
+ "nofakelag" # remove "fakelag" restrictions on rate of message sending
+ "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
+ "vhosts" # add and remove vhosts from users
+ "sajoin" # join arbitrary channels, including private channels
+ "samode" # modify arbitrary channel and user modes
+ "snomasks" # subscribe to arbitrary server notice masks
+ "roleplay" # use the (deprecated) roleplay commands in any channel
+ "rehash" # rehash the server, i.e. reload the config at runtime
+ "accreg" # modify arbitrary account registrations
+ "chanreg" # modify arbitrary channel registrations
+ "history" # modify or delete history messages
+ "defcon" # use the DEFCON command (restrict server capabilities)
+ "massmessage" # message all users on the server
+ ];
+ };
+ opers.aids = {
+ class = "server-admin";
+ hidden = false;
+ password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
+ };
+ };
};
}
+
+
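Review bot: The oper credential at `password = "$2a$04$…"` is a bcrypt hash with work factor 4, the lowest bcrypt accepts, and because this file is committed to the repository the hash is effectively public, so an offline guess costs only 2^4 rounds per attempt; regenerate it with a higher cost (the `ergo genpasswd` tool picks a considerably stronger default) or, better, keep the hash out of the tree via a secrets mechanism. The `server-admin` class also hands this one account every capability in the list, including `rehash`, `accreg`, `chanreg`, `history` and `massmessage`, so a smaller class for routine moderation (`kill`, `ban`, `samode`) would limit what a cracked hash buys. Only 6667 is opened in `allowedTCPPorts`, so unless the `krebs.ergo` module adds a TLS listener elsewhere, the `OPER` command that presents this password travels in the clear. The removed solanum config exempted 127.0.0.1 and 10.243.0.0/16 from klines, whereas `server.secure-nets` in ergo means something different (connections from those ranges are treated as TLS-equivalent); a short comment such as `# secure-nets: treated as TLS-equivalent by ergo, not a ban exemption` would keep the two from being confused.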
diff --git a/krebs/2configs/mud.nix b/krebs/2configs/mud.nix
index d5e4c89c1..30f232b64 100644
--- a/krebs/2configs/mud.nix
+++ b/krebs/2configs/mud.nix
@@ -156,7 +156,8 @@ in {
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
makefu.pubkey
- kmein.pubkey
+ kmein-kabsa.pubkey
+ kmein-manakish.pubkey
tv.pubkey
];
packages = with pkgs; [
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 84a39f95b..9ea4cbf8d 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -68,7 +68,13 @@
wantedBy = [ "multi-user.target" ];
};
- systemd.services.brockman.bindsTo = [ "solanum.service" ];
+ krebs.ergo.openFilesLimit = 16384;
+ krebs.ergo.config = {
+ limits.nicklen = 100;
+ limits.identlen = 100;
+ history.enabled = false;
+ };
+ systemd.services.brockman.bindsTo = [ "ergo.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = {
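Review bot: `systemd.services.brockman.bindsTo = [ "ergo.service" ]` and the `krebs.ergo.config` settings assume ergo is enabled by some other imported file (ircd.nix in this diff sets `krebs.ergo.enable = true`), but nothing in this file enables it, so a host importing news.nix without ircd.nix would bind brockman to a unit that does not exist and never start it. Either add `krebs.ergo.enable = true;` here next to the other ergo settings, or add an assertion on `config.krebs.ergo.enable` so the mismatch fails at evaluation time instead of at boot. A one-line comment on `history.enabled = false` saying why would also help, since as far as I can tell it disables message replay for every channel on the server, not just the news ones.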
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index df66fd798..305d31405 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -95,7 +95,7 @@ let
}
hooks.sed
(generators.command_hook {
- inherit (commands) random-emoji nixos-version;
+ inherit (commands) dance random-emoji nixos-version;
tell = {
filename =
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>;
diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix
new file mode 100644
index 000000000..27d1f8485
--- /dev/null
+++ b/krebs/2configs/security-workarounds.nix
@@ -0,0 +1,6 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+{
+ # https://github.com/berdav/CVE-2021-4034
+ security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
+}
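Review bot: The `lib.mkForce` on `security.wrappers.pkexec.source` leaves a setuid-root wrapper installed that now execs an empty, non-executable file, which neutralises the exploit but carries no condition for when to take the workaround out again, so it will keep pkexec broken indefinitely once nixpkgs ships a patched polkit. Add a removal marker to the comment, e.g. `# TODO: drop once pkgs.polkit carries the CVE-2021-4034 fix`, and consider also clearing the privilege with `security.wrappers.pkexec.setuid = lib.mkForce false;` (if this nixpkgs version exposes that attribute) so the wrapper holds no capability at all rather than relying on the exec failing. The `with import <stockholm/lib>;` line is unused here since only `lib` and `pkgs` from the arguments are referenced, so it can go.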