
      1 #!/bin/bash
      2 # SuperNETs UnrealIRCd source update script - Developed by acidvegas (https://github.com/supernets/unrealircd)
      3 # unrealircd/update-source.sh
      4 
      5 set -xev
      6 
      7 # Load environment variables
      8 source .env
      9 
     10 # Commonly used UnrealIRCd paths
     11 UNREAL=/opt/ircd
     12 SOURCE=/home/agent/unrealircd.source
     13 BACKUP=/home/agent/unrealircd.backup
     14 
     15 
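#######################################
# Create the incus container, build UnrealIRCd inside it as the unprivileged
# 'agent' user and forward the public IRC ports to it.
# Globals:   SOURCE, UNREAL, S2S_PORT (read); CONTAINER_IPV4/6, PUBLIC_IPV4/6 (written)
# Returns:   non-zero when the container has no address to forward to
#######################################
container_create() {
    : "${S2S_PORT:?S2S_PORT must be set in .env}"

    # Create the container (autostarts with the host)
    incus storage create unrealircd-pool dir
    incus launch images:debian/12 unrealircd-container -s unrealircd-pool
    incus config set unrealircd-container boot.autostart true

    sleep 10 # Sleep for 10 seconds to ensure DHCP has assigned an IP address

    # Basic provisioning
    incus exec unrealircd-container -- sh -c 'printf "[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K\n" > /etc/systemd/journald.conf'
    incus exec unrealircd-container -- systemctl restart systemd-journald
    incus exec unrealircd-container -- bash -c "apt update  -y && apt upgrade -y && apt install -y curl cron git nano unattended-upgrades wget"
    incus exec unrealircd-container -- apt install -y build-essential pkg-config gdb libssl-dev libpcre2-dev libargon2-dev libsodium-dev libc-ares-dev libcurl4-openssl-dev
    incus exec unrealircd-container -- useradd -m -s /bin/bash agent

    # Download & compile the source code as the unprivileged 'agent' user.
    # A single newline on stdin accepts ./Config's prompts. It is produced with
    # printf: the nested double quotes of echo -e "\n" terminated the string
    # handed to bash -c, so the guest received 'echo -e n' instead.
    incus exec unrealircd-container -- chown agent:agent /opt
    incus exec unrealircd-container -- sudo -u agent git clone --depth 1 https://github.com/supernets/unrealircd.git "$SOURCE"
    incus exec unrealircd-container -- sudo -u agent bash -c "cd '$SOURCE/unrealircd' && printf '\n' | ./Config -nointro && make && make install && rm -rf '$SOURCE'"

    # Add cronjobs. 'crontab -' replaces the whole crontab, so both entries are
    # installed with one call (two calls kept only the @reboot line). $UNREAL is
    # expanded here on the host; inside single quotes it would reach the
    # container unexpanded, where the variable does not exist.
    incus exec unrealircd-container -- sudo -u agent bash -c "printf '%s\n' '*/5 * * * * $UNREAL/unrealircd croncheck' '@reboot     $UNREAL/unrealircd croncheck' | crontab -"

    # IPv4 Port Forwarding
    # Column 6 of the default 'incus list' table is the IPv4 address; this
    # parsing breaks if the column layout changes.
    CONTAINER_IPV4=$(incus list | grep unrealircd-container | awk '{print $6}')
    [[ -n "$CONTAINER_IPV4" ]] || { printf 'container has no IPv4 address yet\n' >&2; return 1; }
    PUBLIC_IPV4=$(curl -fsS 4.icanhazip.com)
    #PRIVATE_IPV4=$(ip route get 8.8.8.8 | awk '{print $7}' | head -1) # Replace PUBLIC_IPV4 below with this if running on AWS
    incus config device override unrealircd-container eth0
    incus config device set unrealircd-container eth0 ipv4.address="${CONTAINER_IPV4}"
    incus config device add unrealircd-container unrealircd-plaintext-ipv4-port proxy listen="tcp:${PUBLIC_IPV4}:6660-6669,7000" connect="tcp:${CONTAINER_IPV4}:6667"        nat=true
    incus config device add unrealircd-container unrealircd-tls-ipv4-port       proxy listen="tcp:${PUBLIC_IPV4}:6697,9000"      connect="tcp:${CONTAINER_IPV4}:6697"        nat=true
    incus config device add unrealircd-container unrealircd-servers-ipv4-port   proxy listen="tcp:${PUBLIC_IPV4}:${S2S_PORT}"    connect="tcp:${CONTAINER_IPV4}:${S2S_PORT}" nat=true

    # IPv6 Port Forwarding (column 9 of the same table is the IPv6 address)
    CONTAINER_IPV6=$(incus list | grep unrealircd-container | awk '{print $9}')
    [[ -n "$CONTAINER_IPV6" ]] || { printf 'container has no IPv6 address yet\n' >&2; return 1; }
    PUBLIC_IPV6=$(curl -fsS 6.icanhazip.com)
    incus config device set unrealircd-container eth0 ipv6.address="${CONTAINER_IPV6}"
    incus network set incusbr0 ipv6.dhcp.stateful=true
    incus config device add unrealircd-container unrealircd-plaintext-ipv6-port proxy listen="tcp:[${PUBLIC_IPV6}]:6660-6669,7000" connect="tcp:[${CONTAINER_IPV6}]:6667" nat=true
    incus config device add unrealircd-container unrealircd-tls-ipv6-port       proxy listen="tcp:[${PUBLIC_IPV6}]:6697,9000"      connect="tcp:[${CONTAINER_IPV6}]:6697" nat=true
}

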
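#######################################
# Rebuild UnrealIRCd inside the container from a fresh checkout, carrying the
# existing config, TLS material and databases across.
# Globals:   SOURCE, UNREAL, BACKUP (read)
#######################################
container_update() {
    # Every glob below is expanded by bash INSIDE the container. Passing
    # '$UNREAL/conf/*.conf' straight through 'incus exec' lets the host shell
    # try to expand it against the host filesystem, so the guest is likely to
    # receive the literal pattern and cp/mv fail.

    # Backup the existing configuration before nuking the old instance
    incus exec unrealircd-container -- sudo -u agent bash -c "mkdir -p '$BACKUP' && cp '$UNREAL'/conf/*.conf '$BACKUP'"
    incus exec unrealircd-container -- sudo -u agent bash -c "cp '$UNREAL'/conf/tls/*.pem '$BACKUP'"
    incus exec unrealircd-container -- sudo -u agent bash -c "cp '$UNREAL'/data/*.db '$BACKUP'"
    incus exec unrealircd-container -- sudo -u agent bash -c "'$UNREAL'/unrealircd stop && rm -rf '$UNREAL'"

    # Download & compile the new source code. A checkout left behind by an
    # earlier run is removed first: git clone refuses a non-empty directory.
    incus exec unrealircd-container -- sudo -u agent rm -rf "$SOURCE"
    incus exec unrealircd-container -- sudo -u agent git clone --depth 1 https://github.com/supernets/unrealircd.git "$SOURCE"
    # NOTE(review): container_create builds in $SOURCE/unrealircd while this
    # builds in $SOURCE — confirm which directory holds ./Config in the checkout.
    incus exec unrealircd-container -- sudo -u agent bash -c "cd '$SOURCE' && printf '\n' | ./Config -nointro && make && make install"

    # Restore the configuration & start the new instance
    incus exec unrealircd-container -- sudo -u agent bash -c "rm -rf '$UNREAL'/conf/*.conf && mv '$BACKUP'/*.conf '$UNREAL'/conf"
    incus exec unrealircd-container -- sudo -u agent bash -c "mv '$BACKUP'/*.pem '$UNREAL'/conf/tls && mv '$BACKUP'/*.db '$UNREAL'/data"
    incus exec unrealircd-container -- sudo -u agent rm -rf "$BACKUP"
    incus exec unrealircd-container -- sudo -u agent "$UNREAL/unrealircd" start
}

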
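#######################################
# Interactively turn this host into a leaf server: append the remote includes
# and the 'me' block to unrealircd.conf, start the ircd and print the values
# the hub needs for its links.conf.
# Globals:   UNREAL (read); NAME, REMOTE, SID, SPKIFP, IP4 (written)
# Outputs:   SPKIFP and public IPv4 on stdout
#######################################
deploy_leaf() {
    local item

    read -r -p "Link Name: " NAME
    # Server ID: one digit followed by two [A-Z0-9] characters from /dev/urandom
    SID=$(tr -dc '0-9' </dev/urandom | head -c 1)$(tr -dc 'A-Z0-9' </dev/urandom | head -c 2)
    read -r -p "Remote Include: " REMOTE

    # NAME and REMOTE are written into the config verbatim; a '"' or ';' in
    # the answer yields a broken or unintended unrealircd.conf.
    for item in badwords except ircd modules opers snomasks spamfilter; do
        printf 'include "%s/%s.conf";\n' "$REMOTE" "$item" >> "$UNREAL/conf/unrealircd.conf"
    done
    printf 'me { name "%s.supernets.org"; info "SuperNETs IRC Network"; sid %s; }\n' "$NAME" "$SID" >> "$UNREAL/conf/unrealircd.conf"
    "$UNREAL/unrealircd" start &

    # Get the SPKIFP & IP addresses for adding to the hub links.conf
    SPKIFP=$("$UNREAL/unrealircd" spkifp | tail -n2 | head -1)
    IP4=$(curl -4 -fsS icanhazip.com)
    printf 'SPKIFP: %s\nIPv4: %s\n' "$SPKIFP" "$IP4"
}

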
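#######################################
# Print the version field of every release in UnrealIRCd's downloads feed.
# Outputs:   one JSON string per release on stdout
#######################################
get_latest_release() {
    # -f makes curl fail on an HTTP error instead of handing jq an error page.
    # '.[][]' is the jq 1.6-compatible spelling of '.[].[]': the dotted chained
    # iterator is only accepted by jq >= 1.7.
    curl -fsS https://www.unrealircd.org/downloads/list.json | jq '.[][].version'
}

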
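#######################################
# One-time host provisioning: sshd hardening on a random port, journal limits,
# swap, packages, the 'supernets' admin user and incus initialisation.
# Globals:   SSH_KEY, SERVER_NAME (read); SSH_PORT (written, used by setup_firewall)
# Returns:   1 when the generated sshd_config does not validate
#######################################
provision() {
    : "${SSH_KEY:?SSH_KEY must be set in .env}"
    : "${SERVER_NAME:?SERVER_NAME must be set in .env}"

    # Define a random SSH port (49000-65500). setup_firewall opens this same
    # variable, so run both functions from one shell session.
    SSH_PORT=$((RANDOM % 16501 + 49000))

    # Set root password (interactive)
    passwd

    # Set SSH config: public-key only, no root login, random port.
    printf '%s\n' \
        "AuthenticationMethods publickey" \
        "Banner /etc/issue" \
        "ClientAliveInterval 0" \
        "DisableForwarding yes" \
        "PermitRootLogin no" \
        "Port $SSH_PORT" \
        "PrintLastLog no" > /etc/ssh/sshd_config
    # Validate before restarting so a bad file never takes sshd down.
    if ! sshd -t; then
        printf 'sshd_config failed validation, ssh not restarted\n' >&2
        return 1
    fi
    systemctl restart ssh
    printf 'sshd now listens on port %s\n' "$SSH_PORT" >&2

    # Limit journal size
    printf '[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K\n' > /etc/systemd/journald.conf
    systemctl restart systemd-journald

    # Set hostname (only /etc/hostname is written; the running hostname is untouched)
    printf '%s\n' "$SERVER_NAME" > /etc/hostname

    # Create a 1GB swap file (one command per line so set -e catches each step)
    fallocate -l 1G /swapfile
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
    printf '/swapfile none swap sw 0 0\n' >> /etc/fstab

    # Update & install packages
    apt update -y
    apt upgrade -y
    apt install -y curl git htop incus incus-tools net-tools unattended-upgrades wget

    # Create the admin user. incus-admin membership gives full control of the
    # incus daemon, which is equivalent to root on the host.
    useradd -m -s /bin/bash supernets
    passwd supernets
    gpasswd -a supernets incus
    gpasswd -a supernets incus-admin

    # Set SSH keys. sshd_config above has PermitRootLogin no and accepts public
    # keys only, so a key in /root/.ssh alone leaves no account able to log in:
    # install it for 'supernets' as well, the account that can authenticate.
    _install_authorized_key root      /root           "$SSH_KEY"
    _install_authorized_key supernets /home/supernets "$SSH_KEY"

    # Set bash configs (written literally; bash expands \e \T \u \h \w in PS1 at runtime)
    printf '%s\n' 'export PS1="\e[38;5;237m\T\e[0m \e[38;5;196m\u@\h\e[0m \e[38;5;226m\w\e[0m : "' > /root/.bashrc
    printf '%s\n' 'export PS1="\e[38;5;237m\T\e[0m \e[38;5;51m\u@\h\e[0m \e[38;5;129m\w\e[0m : "'  > /home/supernets/.bashrc

    # Wipe issue (served as the SSH banner)
    : > /etc/issue

    # Prevent logging: point both history files at /dev/null. -f replaces an
    # existing file and -n an existing link, so this is safe to re-run.
    ln -sfn /dev/null /root/.bash_history
    ln -sfn /dev/null /home/supernets/.bash_history
    : > /var/lastlog
    chattr +i /var/lastlog

    # Initialize incus (interactive)
    incus admin init
}

#######################################
# Install one public key as the sole authorized key of a user.
# Arguments: $1 - user name, $2 - home directory, $3 - public key line
#######################################
_install_authorized_key() {
    local user=$1 home=$2 key=$3
    mkdir -p "$home/.ssh"
    printf '%s\n' "$key" > "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 400 "$home/.ssh/authorized_keys"
    chown -R "$user:" "$home/.ssh"
}
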
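#######################################
# Install tor and publish the IRC listeners as an onion service over unix sockets.
# Globals:   ONION_HOST (written)
#######################################
setup_tor() {
    local i

    apt install -y tor

    # NOTE(review): 'unrealircd' is not a user this script creates (the ircd
    # runs as 'agent' inside the container) and the socket directory lives on
    # the host — confirm the user exists and that the directory is shared into
    # the container; otherwise chown fails and the ircd never sees the sockets.
    {
        echo "HiddenServiceDir /var/lib/tor/ircd"
        echo "HiddenServicePort 6667 unix:/etc/tor/unrealircd/tor_ircd.socket"
        echo "HiddenServicePort 6697 unix:/etc/tor/unrealircd/tor_tls_ircd.socket"
    } > /etc/tor/torrc

    mkdir -p /etc/tor/unrealircd
    chown unrealircd:debian-tor /etc/tor/unrealircd
    chmod 750 /etc/tor/unrealircd

    systemctl restart tor.service
    systemctl enable tor.service

    # tor generates the service keys and the hostname file on its first start
    # with this config; wait (up to 30s) rather than reading the file before
    # it exists. $(<...) still fails, and so aborts, if it never appears.
    for ((i = 0; i < 30; i++)); do
        [[ -s /var/lib/tor/ircd/hostname ]] && break
        sleep 1
    done
    ONION_HOST=$(< /var/lib/tor/ircd/hostname)
    printf 'MapAddress irc.supernets.org %s\n' "$ONION_HOST" >> /etc/tor/torrc
    # Restart once more so the MapAddress line is read.
    systemctl restart tor.service
}

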
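#######################################
# Apply kernel hardening sysctls and the IPv4/IPv6 host firewall, then persist
# the rules.
# Globals:   SSH_PORT (read; set by provision in the same session)
#######################################
setup_firewall() {
    # SSH_PORT is chosen by provision(). With it empty the SSH rule would be a
    # malformed '--dport' that aborts the run half-way, so fail early instead.
    : "${SSH_PORT:?SSH_PORT is not set - run provision in this shell session first}"

    # Install iptables-persistent & netfilter-persistent
    apt install -y iptables-persistent netfilter-persistent wireguard wireguard-tools

    _sysctl_hardening
    _firewall_ipv4
    _firewall_ipv6

    # Save rules
    netfilter-persistent save
}

#######################################
# Write and apply the kernel hardening settings.
#######################################
_sysctl_hardening() {
    mkdir -p /etc/sysctl.d
    printf '%s\n' \
        "net.ipv4.conf.all.accept_source_route = 0" \
        "net.ipv6.conf.all.accept_source_route = 0" \
        "net.ipv4.conf.all.rp_filter = 1" \
        "net.ipv4.conf.default.rp_filter = 1" \
        "net.ipv4.conf.all.accept_redirects = 0" \
        "net.ipv6.conf.all.accept_redirects = 0" \
        "net.ipv4.conf.default.accept_redirects = 0" \
        "net.ipv6.conf.default.accept_redirects = 0" \
        "net.ipv4.conf.all.log_martians = 1" \
        "kernel.randomize_va_space = 2" \
        "fs.suid_dumpable = 0" > /etc/sysctl.d/99-custom-hardening.conf

    # Apply hardening settings
    sysctl -p /etc/sysctl.d/99-custom-hardening.conf
}

#######################################
# IPv4 rules. ACCEPT rules are added first and the DROP policies last, so an
# SSH session running this is never cut off between policy and allow rule.
# Globals:   SSH_PORT (read)
#######################################
_firewall_ipv4() {
    # Common Firewall rules
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    # Allow container NAT (conntrack is the current spelling of the deprecated 'state' match)
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i incusbr0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o incusbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Allow container DHCP (inserted at the head of the chains)
    iptables -I INPUT   -i incusbr0 -p udp --dport 67:68 -j ACCEPT
    iptables -I FORWARD -i incusbr0 -p udp --dport 67:68 -j ACCEPT

    # Allow container DNS
    iptables -A INPUT   -i incusbr0         -p udp --dport 53 -j ACCEPT
    iptables -A INPUT   -i incusbr0         -p tcp --dport 53 -j ACCEPT
    iptables -A FORWARD -i incusbr0 -o eth0 -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -i incusbr0 -o eth0 -p tcp --dport 53 -j ACCEPT

    # Allow SSH access
    iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT

    # Allow plaintext IRC access
    iptables -A INPUT -p tcp --dport 6660:6669 -j ACCEPT
    iptables -A INPUT -p tcp --dport 7000      -j ACCEPT

    # Allow TLS IRC access. A comma-separated list is only valid with the
    # multiport match; plain --dport rejects '6697,9000' and aborted the script.
    iptables -A INPUT -p tcp -m multiport --dports 6697,9000 -j ACCEPT

    # Allow IRC S2S access
    #iptables -A INPUT -p tcp --dport $S2S_PORT -j ACCEPT

    # Default chain policies
    iptables -P INPUT   DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT  ACCEPT
}

#######################################
# IPv6 rules, same ordering as _firewall_ipv4.
#######################################
_firewall_ipv6() {
    # IPv6 Common Firewall rules
    ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A INPUT -i lo -j ACCEPT

    # ICMPv6 carries neighbour discovery and router advertisements, which the
    # conntrack rule does not cover; dropping it leaves the host without IPv6.
    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

    # IPv6 Allow container forwarding (no NAT needed for IPv6)
    ip6tables -A FORWARD -i incusbr0 -o eth0 -j ACCEPT
    ip6tables -A FORWARD -i eth0     -o incusbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # IPv6 Allow container DHCPv6
    ip6tables -I INPUT   -i incusbr0 -p udp --dport 546:547 -j ACCEPT
    ip6tables -I FORWARD -i incusbr0 -p udp --dport 546:547 -j ACCEPT

    # IPv6 Allow container DNS
    ip6tables -A INPUT   -i incusbr0         -p udp --dport 53 -j ACCEPT
    ip6tables -A INPUT   -i incusbr0         -p tcp --dport 53 -j ACCEPT
    ip6tables -A FORWARD -i incusbr0 -o eth0 -p udp --dport 53 -j ACCEPT
    ip6tables -A FORWARD -i incusbr0 -o eth0 -p tcp --dport 53 -j ACCEPT

    # IPv6 Allow plaintext IRC access
    ip6tables -A INPUT -p tcp --dport 6660:6669 -j ACCEPT
    ip6tables -A INPUT -p tcp --dport 7000      -j ACCEPT

    # IPv6 Allow TLS IRC access (multiport, see _firewall_ipv4)
    ip6tables -A INPUT -p tcp -m multiport --dports 6697,9000 -j ACCEPT

    # IPv6 Default chain policies
    ip6tables -P INPUT   DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT  ACCEPT
}

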
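#######################################
# Fetch the latest upstream tarball into $SOURCE, apply the SuperNETs patches
# and replace the bundled example configs with the SuperNETs ones.
# Globals:   SOURCE (read)
#######################################
update_source() {
    local item

    # Download and extract the source code
    # NOTE(review): the tarball is used without any integrity check; compare it
    # against the checksum or signature published for the release before building.
    wget -O "$SOURCE.tar.gz" https://www.unrealircd.org/downloads/unrealircd-latest.tar.gz
    # Extract straight into $SOURCE. A bare --one-top-level creates a directory
    # named after the archive beneath the *current* directory, so the tree only
    # ended up in $SOURCE when the script happened to run from /home/agent.
    mkdir -p "$SOURCE"
    tar -xvf "$SOURCE.tar.gz" -C "$SOURCE" --strip-components=1
    rm -- "$SOURCE.tar.gz"

    # Tweak the source code. These edits are silent: when upstream renames a
    # pattern the substitution is skipped without error, so re-check them on
    # each release.
    sed -i 's/NICKNAMEHISTORYLENGTH="2000"/NICKNAMEHISTORYLENGTH="100"/g' "$SOURCE/Config"
    sed -i 's/REMOTEINC=""/REMOTEINC="1"/g' "$SOURCE/Config"
    sed -i 's/if \[ "\$QUICK" != "0" \] ; then/if [ "$QUICK" != "fuckoff" ] ; then/' "$SOURCE/Config"
    sed -i 's|BASEPATH="$HOME/unrealircd"|BASEPATH="/opt/ircd"|' "$SOURCE/Config"
    sed -i 's/*.default.conf/*.conf/g'  "$SOURCE/Makefile.in"
    sed -i 's/*.optional.conf/*.motd/g' "$SOURCE/Makefile.in"
    sed -i '/modules.sources.list/,/doc\/conf\/example/d' "$SOURCE/Makefile.in"
    sed -i 's/sendnotice(target, "\*\*\* You were forced to join %s", jbuf);//g' "$SOURCE/src/modules/sajoin.c"
    sed -i 's/0.organizationName_default      = IRC geeks/0.organizationName_default      = SuperNETs/g'         "$SOURCE/extras/tls.cnf"
    sed -i 's/1.commonName_value              = localhost/1.commonName_value              = irc.supernets.org/g' "$SOURCE/extras/tls.cnf"
    sed -i 's;//#undef FAKELAG_CONFIGURABLE;#define FAKELAG_CONFIGURABLE;g' "$SOURCE/include/config.h"

    # Cleanup unnecessary files & directories
    # "doc/conf/*.*" relies on globbing, so $item is deliberately left unquoted.
    for item in ".github" ".gitignore" "BSD" "CONTRIBUTING.md" "LICENSE" "Makefile.windows" "README.md" "SECURITY.md" "doc/conf/*.*" "doc/conf/aliases" "doc/conf/examples" "doc/conf/help"; do
        # shellcheck disable=SC2086
        rm -rf -- "$SOURCE"/$item
    done

    # Download the SuperNETs configuration files
    for item in "badwords.conf" "except.conf" "ircd.motd" "ircd.rules" "modules.conf" "opers.conf" "remote.motd" "snomasks.conf" "spamfilter.conf" "unrealircd.hub.conf" "unrealircd.link.conf" "unrealircd.remote.conf"; do
        wget -O "$SOURCE/doc/conf/$item" "https://raw.githubusercontent.com/supernets/unrealircd/master/doc/conf/$item"
    done
}
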