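#!/bin/bash
# SuperNETs UnrealIRCd source update script - Developed by acidvegas (https://github.com/supernets/unrealircd)
# unrealircd/update-source.sh
#
# This file only defines functions; nothing runs until one of them is called
# (source the script, or append a call such as `provision` at the bottom).
# Variables that are not defined here are expected from .env next to this
# script: SERVER_NAME, SSH_KEY and S2S_PORT are the ones referenced below.

set -e

# Tracing (-x/-v) echoes every expansion — including the contents of .env and
# $SSH_KEY — to the terminal and to anything capturing it. Opt in with DEBUG=1.
if [ -n "${DEBUG:-}" ]; then
  set -xv
fi

# Load environment variables (resolved relative to this script so it works from
# any working directory; when sourced from an interactive shell this is ./.env)
source "$(dirname "${BASH_SOURCE[0]}")/.env"

# Commonly used UnrealIRCd paths
UNREAL=/opt/ircd
SOURCE=/home/agent/unrealircd.source
BACKUP=/home/agent/unrealircd.backup

# Name of the single Incus container this script manages
CONTAINER=unrealircd-container


#######################################
# Run a command inside the container as root.
# Arguments: the command and its arguments
#######################################
ctr_exec() {
  incus exec "$CONTAINER" -- "$@"
}

#######################################
# Run a shell snippet inside the container as the unprivileged 'agent' user.
# Globs, pipes and redirections in the snippet are evaluated inside the
# container; handed straight to `incus exec` they would be expanded on the
# host, where $UNREAL and $BACKUP do not exist.
# Arguments: $1 - shell snippet
#######################################
agent_sh() {
  incus exec "$CONTAINER" -- sudo -u agent bash -c "$1"
}


#######################################
# Create the Incus container, provision it, build UnrealIRCd inside it and
# forward the public IRC ports to it.
# Globals:   CONTAINER, SOURCE, UNREAL, S2S_PORT (read)
#            CONTAINER_IPV4/6, PUBLIC_IPV4/6 (written)
# Arguments: none
#######################################
container_create() {
  : "${S2S_PORT:?container_create: S2S_PORT must be set in .env}"

  # Create the container
  incus storage create unrealircd-pool dir
  incus launch images:debian/12 "$CONTAINER" -s unrealircd-pool
  incus config set "$CONTAINER" boot.autostart true

  sleep 10 # Sleep for 10 seconds to ensure DHCP has assigned an IP address

  # Basic provisioning
  ctr_exec sh -c 'printf "[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K\n" > /etc/systemd/journald.conf'
  ctr_exec systemctl restart systemd-journald
  ctr_exec bash -c "apt update -y && apt upgrade -y && apt install -y curl cron git nano unattended-upgrades wget"
  ctr_exec apt install -y build-essential pkg-config gdb libssl-dev libpcre2-dev libargon2-dev libsodium-dev libc-ares-dev libcurl4-openssl-dev
  # NOTE(review): agent_sh relies on sudo being present in the image — confirm.
  ctr_exec useradd -m -s /bin/bash agent

  # Download & compile the source code
  ctr_exec chown agent:agent /opt
  agent_sh "git clone --depth 1 https://github.com/supernets/unrealircd.git $SOURCE"
  # printf replaces the original `echo -e "\n"`: its nested double quotes ended
  # the bash -c string early, so Config was fed a literal "n". Two newlines
  # accept the Config defaults. (container_update cds into $SOURCE itself
  # rather than $SOURCE/unrealircd — confirm which layout the clone has.)
  agent_sh "cd $SOURCE/unrealircd && printf '\n\n' | ./Config -nointro && make && make install && rm -rf $SOURCE"

  # Add cronjobs. Both entries are installed with a single `crontab -` (each
  # call replaces the whole crontab, so two calls kept only the second one),
  # and $UNREAL is expanded here on the host — inside the container it is unset.
  agent_sh "printf '%s\n' '*/5 * * * * $UNREAL/unrealircd croncheck' '@reboot $UNREAL/unrealircd croncheck' | crontab -"

  # IPv4 Port Forwarding
  # NOTE(review): columns 6 and 9 of `incus list` are assumed to be the IPv4 and
  # IPv6 address in the default table layout — confirm for the installed version.
  CONTAINER_IPV4=$(incus list | grep "$CONTAINER" | awk '{print $6}')
  PUBLIC_IPV4=$(curl -fsS 4.icanhazip.com) # -f: an HTTP error page must not become the "address"
  #PRIVATE_IPV4=$(ip route get 8.8.8.8 | awk '{print $7}' | head -1) # Replace PUBLIC_IPV4 below with this if running on AWS
  if [ -z "$CONTAINER_IPV4" ] || [ -z "$PUBLIC_IPV4" ]; then
    echo "container_create: could not determine container/public IPv4 address" >&2
    return 1
  fi
  incus config device override "$CONTAINER" eth0
  incus config device set "$CONTAINER" eth0 ipv4.address="${CONTAINER_IPV4}"
  incus config device add "$CONTAINER" unrealircd-plaintext-ipv4-port proxy listen="tcp:${PUBLIC_IPV4}:6660-6669,7000" connect="tcp:${CONTAINER_IPV4}:6667" nat=true
  incus config device add "$CONTAINER" unrealircd-tls-ipv4-port proxy listen="tcp:${PUBLIC_IPV4}:6697,9000" connect="tcp:${CONTAINER_IPV4}:6697" nat=true
  incus config device add "$CONTAINER" unrealircd-servers-ipv4-port proxy listen="tcp:${PUBLIC_IPV4}:${S2S_PORT}" connect="tcp:${CONTAINER_IPV4}:${S2S_PORT}" nat=true

  # IPv6 Port Forwarding
  CONTAINER_IPV6=$(incus list | grep "$CONTAINER" | awk '{print $9}')
  PUBLIC_IPV6=$(curl -fsS 6.icanhazip.com)
  if [ -z "$CONTAINER_IPV6" ] || [ -z "$PUBLIC_IPV6" ]; then
    echo "container_create: could not determine container/public IPv6 address" >&2
    return 1
  fi
  incus config device set "$CONTAINER" eth0 ipv6.address="${CONTAINER_IPV6}"
  incus network set incusbr0 ipv6.dhcp.stateful=true
  incus config device add "$CONTAINER" unrealircd-plaintext-ipv6-port proxy listen="tcp:[${PUBLIC_IPV6}]:6660-6669,7000" connect="tcp:[${CONTAINER_IPV6}]:6667" nat=true
  incus config device add "$CONTAINER" unrealircd-tls-ipv6-port proxy listen="tcp:[${PUBLIC_IPV6}]:6697,9000" connect="tcp:[${CONTAINER_IPV6}]:6697" nat=true
}


#######################################
# Rebuild UnrealIRCd inside the container from the latest source, preserving
# the existing *.conf, *.pem and *.db files across the rebuild.
# Globals:   SOURCE, UNREAL, BACKUP (read)
# Arguments: none
#######################################
container_update() {
  # Backup the existing configuration before nuking the old instance.
  # Every step goes through agent_sh so the globs expand inside the container.
  agent_sh "mkdir -p $BACKUP"
  agent_sh "cp $UNREAL/conf/*.conf $BACKUP"
  agent_sh "cp $UNREAL/conf/tls/*.pem $BACKUP"
  agent_sh "cp $UNREAL/data/*.db $BACKUP"
  agent_sh "$UNREAL/unrealircd stop && rm -rf $UNREAL"

  # Download & compile the new source code. $SOURCE is removed afterwards so a
  # later run's `git clone` does not fail on an existing, non-empty directory.
  agent_sh "git clone --depth 1 https://github.com/supernets/unrealircd.git $SOURCE"
  agent_sh "cd $SOURCE && printf '\n\n' | ./Config -nointro && make && make install && rm -rf $SOURCE"

  # Restore the configuration & start the new instance
  agent_sh "rm -rf $UNREAL/conf/*.conf"
  agent_sh "mv $BACKUP/*.conf $UNREAL/conf"
  agent_sh "mv $BACKUP/*.pem $UNREAL/conf/tls"
  agent_sh "mv $BACKUP/*.db $UNREAL/data"
  agent_sh "rm -rf $BACKUP"
  agent_sh "$UNREAL/unrealircd start"
}


#######################################
# Turn this host's UnrealIRCd into a leaf: append the remote includes and the
# me {} block to unrealircd.conf, start the daemon and print the values the
# hub's links.conf needs.
# Globals:   UNREAL (read); NAME, SID, REMOTE, SPKIFP, IP4 (written)
# Arguments: none (prompts for the link name and the remote include base URL)
# Outputs:   SPKIFP and public IPv4 on stdout
#######################################
deploy_leaf() {
  local item

  read -rp "Link Name: " NAME
  # SID = one digit followed by two characters from [A-Z0-9]
  SID=$(tr -dc '0-9' </dev/urandom | head -c 1)$(tr -dc 'A-Z0-9' </dev/urandom | head -c 2)
  read -rp "Remote Include: " REMOTE
  for item in badwords except ircd modules opers snomasks spamfilter; do
    echo "include \"$REMOTE/$item.conf\";" >> "$UNREAL/conf/unrealircd.conf"
  done
  echo "me { name \"$NAME.supernets.org\"; info \"SuperNETs IRC Network\"; sid $SID; }" >> "$UNREAL/conf/unrealircd.conf"
  "$UNREAL/unrealircd" start &

  # Get the SPKIFP & IP addresses for adding to the hub links.conf
  SPKIFP=$("$UNREAL/unrealircd" spkifp | tail -n2 | head -1)
  IP4=$(curl -4 icanhazip.com)
  echo "SPKIFP: $SPKIFP" && echo "IPv4: $IP4"
}


#######################################
# Print the version strings from the upstream UnrealIRCd download list.
# Outputs:   one JSON string per release on stdout
#######################################
get_latest_release() {
  # .[][] is the portable spelling of the original .[].[] (the dotted form is
  # rejected by older jq releases); -f makes curl fail on an HTTP error instead
  # of handing an error page to jq.
  curl -fsS https://www.unrealircd.org/downloads/list.json | jq '.[][].version'
}


#######################################
# One-time host provisioning: random SSH port, key-only sshd, journal limits,
# hostname, swap, packages, the 'supernets' user and Incus.
# Globals:   SERVER_NAME, SSH_KEY (read); SSH_PORT (written, used by setup_firewall)
# Arguments: none (passwd and incus admin init are interactive)
#######################################
provision() {
  # Define a random SSH port
  SSH_PORT=$((RANDOM % 16501 + 49000))

  # Set password
  passwd

  # Limit journal size
  printf '[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K\n' > /etc/systemd/journald.conf && systemctl restart systemd-journald

  # Set hostname
  echo "$SERVER_NAME" > /etc/hostname

  # Create a 1GB swap file
  fallocate -l 1G /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile && echo "/swapfile none swap sw 0 0" >> /etc/fstab

  # Update & install packages
  apt update -y && apt upgrade -y
  apt install -y curl git htop incus incus-tools net-tools unattended-upgrades wget

  # Create user
  useradd -m -s /bin/bash supernets && passwd supernets && gpasswd -a supernets incus && gpasswd -a supernets incus-admin

  # Set SSH keys — before sshd is switched to publickey-only, so a session that
  # drops mid-run cannot leave the host without a working login. The sshd_config
  # below sets PermitRootLogin no, which makes the root key alone unusable; the
  # same key is therefore installed for 'supernets' as well. (If root key-only
  # access was the intent, use PermitRootLogin prohibit-password instead.)
  mkdir -p /root/.ssh && printf '%s\n' "$SSH_KEY" > /root/.ssh/authorized_keys && chmod 700 /root/.ssh && chown -R root /root/.ssh && chmod 400 /root/.ssh/authorized_keys
  mkdir -p /home/supernets/.ssh && printf '%s\n' "$SSH_KEY" > /home/supernets/.ssh/authorized_keys && chmod 700 /home/supernets/.ssh && chmod 400 /home/supernets/.ssh/authorized_keys && chown -R supernets:supernets /home/supernets/.ssh

  # Set SSH config. The whole file is replaced (distro defaults such as the
  # sshd_config.d Include and the sftp Subsystem are dropped, as in the
  # original); sshd -t validates it before the restart so a typo cannot take
  # sshd down. The port is printed because tracing is off by default.
  printf 'AuthenticationMethods publickey\nBanner /etc/issue\nClientAliveInterval 0\nDisableForwarding yes\nPermitRootLogin no\nPort %s\nPrintLastLog no\n' "$SSH_PORT" > /etc/ssh/sshd_config
  sshd -t && systemctl restart ssh
  echo "SSH port: $SSH_PORT" >&2

  # Set bash configs (kept as echo: the \e sequences must land in the file verbatim)
  echo "export PS1=\"\e[38;5;237m\T\e[0m \e[38;5;196m\u@\h\e[0m \e[38;5;226m\w\e[0m : \"" > /root/.bashrc
  echo "export PS1=\"\e[38;5;237m\T\e[0m \e[38;5;51m\u@\h\e[0m \e[38;5;129m\w\e[0m : \"" > /home/supernets/.bashrc

  # Wipe issue
  >/etc/issue

  # Prevent logging (-sfn so a re-run does not die on the existing symlink)
  [ -f /root/.bash_history ] && rm /root/.bash_history
  [ -f /home/supernets/.bash_history ] && rm /home/supernets/.bash_history
  ln -sfn /dev/null /root/.bash_history && ln -sfn /dev/null /home/supernets/.bash_history
  >/var/lastlog && chattr +i /var/lastlog

  # Initialize incus
  incus admin init
}


#######################################
# Install tor and expose the IRCd's unix sockets as a hidden service.
# Globals:   ONION_HOST (written)
# Arguments: none
#######################################
setup_tor() {
  apt install -y tor
  {
    echo "HiddenServiceDir /var/lib/tor/ircd"
    echo "HiddenServicePort 6667 unix:/etc/tor/unrealircd/tor_ircd.socket"
    echo "HiddenServicePort 6697 unix:/etc/tor/unrealircd/tor_tls_ircd.socket"
  } > /etc/tor/torrc

  # Socket directory shared between tor and the IRCd. NOTE(review): nothing in
  # this script creates an 'unrealircd' user on the host (provision creates
  # 'supernets'; the container uses 'agent') — confirm the owner exists.
  mkdir -p /etc/tor/unrealircd
  chown unrealircd:debian-tor /etc/tor/unrealircd
  chmod 750 /etc/tor/unrealircd

  systemctl restart tor.service && systemctl enable tor.service

  # The onion hostname is written some time after tor starts; wait for it
  # (bounded) instead of reading a file that may not exist yet.
  local i
  for ((i = 0; i < 30; i++)); do
    [ -s /var/lib/tor/ircd/hostname ] && break
    sleep 1
  done
  ONION_HOST=$(cat /var/lib/tor/ircd/hostname)
  echo "MapAddress irc.supernets.org $ONION_HOST" >> /etc/tor/torrc
  systemctl reload tor.service # pick up the MapAddress line just appended
}


#######################################
# Sysctl hardening plus the IPv4/IPv6 netfilter ruleset for the host and the
# container bridge, persisted with netfilter-persistent.
# Globals:   SSH_PORT (read; set by provision)
# Arguments: none
#######################################
setup_firewall() {
  # Without SSH_PORT the SSH rule would be `--dport ` and iptables would abort
  # the function part-way through, leaving a half-applied ruleset.
  : "${SSH_PORT:?setup_firewall: SSH_PORT is not set (run provision first or export it)}"

  # Install iptables-persistent & netfilter-persistent
  apt install -y iptables-persistent netfilter-persistent wireguard wireguard-tools

  # Kernel hardening settings
  mkdir -p /etc/sysctl.d
  {
    echo "net.ipv4.conf.all.accept_source_route = 0"
    echo "net.ipv6.conf.all.accept_source_route = 0"
    echo "net.ipv4.conf.all.rp_filter = 1"
    echo "net.ipv4.conf.default.rp_filter = 1"
    echo "net.ipv4.conf.all.accept_redirects = 0"
    echo "net.ipv6.conf.all.accept_redirects = 0"
    echo "net.ipv4.conf.default.accept_redirects = 0"
    echo "net.ipv6.conf.default.accept_redirects = 0"
    echo "net.ipv4.conf.all.log_martians = 1"
    echo "kernel.randomize_va_space = 2"
    echo "fs.suid_dumpable = 0"
  } > /etc/sysctl.d/99-custom-hardening.conf

  # Apply hardening settings
  sysctl -p /etc/sysctl.d/99-custom-hardening.conf

  # Accept rules are appended first and the default policies flipped to DROP
  # last, so the session running this script is never caught in a window where
  # INPUT is DROP and the ESTABLISHED rule is not yet present. Rule order is
  # unchanged from the original.

  # Common Firewall rules
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT

  # Allow container NAT (eth0 is assumed to be the uplink interface)
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  iptables -A FORWARD -i incusbr0 -o eth0 -j ACCEPT
  iptables -A FORWARD -i eth0 -o incusbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # Allow container DHCP
  iptables -I INPUT -i incusbr0 -p udp --dport 67:68 -j ACCEPT
  iptables -I FORWARD -i incusbr0 -p udp --dport 67:68 -j ACCEPT

  # Allow container DNS
  iptables -A INPUT -i incusbr0 -p udp --dport 53 -j ACCEPT
  iptables -A INPUT -i incusbr0 -p tcp --dport 53 -j ACCEPT
  iptables -A FORWARD -i incusbr0 -o eth0 -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -i incusbr0 -o eth0 -p tcp --dport 53 -j ACCEPT

  # Allow SSH access
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

  # Allow plaintext IRC access
  iptables -A INPUT -p tcp --dport 6660:6669 -j ACCEPT
  iptables -A INPUT -p tcp --dport 7000 -j ACCEPT

  # Allow TLS IRC access (two discrete ports need the multiport match; a plain
  # --dport takes a single port or a range, not a comma-separated list)
  iptables -A INPUT -p tcp -m multiport --dports 6697,9000 -j ACCEPT

  # Allow IRC S2S access
  #iptables -A INPUT -p tcp --dport $S2S_PORT -j ACCEPT

  # IPv6 Common Firewall rules
  ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -i lo -j ACCEPT

  # IPv6 Allow container forwarding (no NAT needed for IPv6)
  ip6tables -A FORWARD -i incusbr0 -o eth0 -j ACCEPT
  ip6tables -A FORWARD -i eth0 -o incusbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # IPv6 Allow container DHCPv6
  ip6tables -I INPUT -i incusbr0 -p udp --dport 546:547 -j ACCEPT
  ip6tables -I FORWARD -i incusbr0 -p udp --dport 546:547 -j ACCEPT

  # IPv6 Allow container DNS
  ip6tables -A INPUT -i incusbr0 -p udp --dport 53 -j ACCEPT
  ip6tables -A INPUT -i incusbr0 -p tcp --dport 53 -j ACCEPT
  ip6tables -A FORWARD -i incusbr0 -o eth0 -p udp --dport 53 -j ACCEPT
  ip6tables -A FORWARD -i incusbr0 -o eth0 -p tcp --dport 53 -j ACCEPT

  # NOTE(review): there is no SSH rule on the IPv6 side, so with INPUT DROP
  # SSH is reachable over IPv4 only — confirm that is intended.

  # IPv6 Allow plaintext IRC access
  ip6tables -A INPUT -p tcp --dport 6660:6669 -j ACCEPT
  ip6tables -A INPUT -p tcp --dport 7000 -j ACCEPT

  # IPv6 Allow TLS IRC access
  ip6tables -A INPUT -p tcp -m multiport --dports 6697,9000 -j ACCEPT

  # Default chain policies (set last, see above)
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # IPv6 Default chain policies
  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables -P OUTPUT ACCEPT

  # Save rules
  netfilter-persistent save
}


#######################################
# Fetch the latest upstream UnrealIRCd tarball into $SOURCE, apply the
# SuperNETs source tweaks and drop in the SuperNETs configuration files.
# Globals:   SOURCE (read)
# Arguments: none
#######################################
update_source() {
  # Download and extract the source code. --one-top-level without an argument
  # extracts into ./<archive basename> relative to the current directory, not
  # into $SOURCE; naming the directory explicitly makes the sed/rm/wget below
  # operate on the tree that was just extracted regardless of the cwd.
  wget -O "$SOURCE.tar.gz" https://www.unrealircd.org/downloads/unrealircd-latest.tar.gz
  tar -xvf "$SOURCE.tar.gz" --one-top-level="$SOURCE" --strip-components=1 && rm "$SOURCE.tar.gz"

  # Tweak the source code
  sed -i 's/NICKNAMEHISTORYLENGTH="2000"/NICKNAMEHISTORYLENGTH="100"/g' "$SOURCE/Config"
  sed -i 's/REMOTEINC=""/REMOTEINC="1"/g' "$SOURCE/Config"
  sed -i 's/if \[ "\$QUICK" != "0" \] ; then/if [ "$QUICK" != "fuckoff" ] ; then/' "$SOURCE/Config"
  sed -i 's|BASEPATH="$HOME/unrealircd"|BASEPATH="/opt/ircd"|' "$SOURCE/Config"
  sed -i 's/*.default.conf/*.conf/g' "$SOURCE/Makefile.in"
  sed -i 's/*.optional.conf/*.motd/g' "$SOURCE/Makefile.in"
  sed -i '/modules.sources.list/,/doc\/conf\/example/d' "$SOURCE/Makefile.in"
  sed -i 's/sendnotice(target, "\*\*\* You were forced to join %s", jbuf);//g' "$SOURCE/src/modules/sajoin.c"
  sed -i 's/0.organizationName_default = IRC geeks/0.organizationName_default = SuperNETs/g' "$SOURCE/extras/tls.cnf"
  sed -i 's/1.commonName_value = localhost/1.commonName_value = irc.supernets.org/g' "$SOURCE/extras/tls.cnf"
  sed -i 's;//#undef FAKELAG_CONFIGURABLE;#define FAKELAG_CONFIGURABLE;g' "$SOURCE/include/config.h"

  # Cleanup unnecessary files & directories
  local item
  for item in ".github" ".gitignore" "BSD" "CONTRIBUTING.md" "LICENSE" "Makefile.windows" "README.md" "SECURITY.md" "doc/conf/*.*" "doc/conf/aliases" "doc/conf/examples" "doc/conf/help"; do
    # shellcheck disable=SC2086 — left unquoted on purpose: "doc/conf/*.*" is a glob
    rm -rf $SOURCE/$item
  done

  # Download the SuperNETs configuration files
  for item in "badwords.conf" "except.conf" "ircd.motd" "ircd.rules" "modules.conf" "opers.conf" "remote.motd" "snomasks.conf" "spamfilter.conf" "unrealircd.hub.conf" "unrealircd.link.conf" "unrealircd.remote.conf"; do
    wget -O "$SOURCE/doc/conf/$item" "https://raw.githubusercontent.com/supernets/unrealircd/master/doc/conf/$item"
  done
}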