krebs: use ergo instead of solanum everywhere

lassulus 2022-01-09 00:43:23 +01:00
parent dbc2387520
commit 545b424ecb
5 changed files with 49 additions and 129 deletions


@ -7,7 +7,7 @@
<stockholm/krebs/2configs/buildbot-stockholm.nix> <stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/ergo.nix> <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor2.nix> <stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix> <stockholm/krebs/2configs/wiki.nix>
<stockholm/krebs/2configs/acme.nix> <stockholm/krebs/2configs/acme.nix>


@ -1,13 +0,0 @@
{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [
6667
];
krebs.ergo = {
enable = true;
};
}


@ -1,121 +1,44 @@
{ config, pkgs, lib, ... }: { config, pkgs, ... }:
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
6667 6669 6667
]; ];
systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384; krebs.ergo = {
services.solanum = {
enable = true; enable = true;
motd = '' config = {
hello server.secure-nets = [
''; "42::0/16"
config = '' "10.240.0.0/12"
loadmodule "extensions/m_omode"; ];
serverinfo { oper-classes.server-admin = {
name = "${config.krebs.build.host.name}.irc.r"; title = "admin";
sid = "1as"; capabilities = [
description = "irc!"; "kill" # disconnect user sessions
network_name = "irc.r"; "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
"nofakelag" # remove "fakelag" restrictions on rate of message sending
vhost = "0.0.0.0"; "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
vhost6 = "::"; "vhosts" # add and remove vhosts from users
"sajoin" # join arbitrary channels, including private channels
#ssl_private_key = "etc/ssl.key"; "samode" # modify arbitrary channel and user modes
#ssl_cert = "etc/ssl.cert"; "snomasks" # subscribe to arbitrary server notice masks
#ssl_dh_params = "etc/dh.pem"; "roleplay" # use the (deprecated) roleplay commands in any channel
#ssld_count = 1; "rehash" # rehash the server, i.e. reload the config at runtime
"accreg" # modify arbitrary account registrations
default_max_clients = 2048; "chanreg" # modify arbitrary channel registrations
#nicklen = 30; "history" # modify or delete history messages
"defcon" # use the DEFCON command (restrict server capabilities)
"massmessage" # message all users on the server
];
}; };
opers.aids = {
listen { class = "server-admin";
defer_accept = yes; hidden = false;
password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
/* If you want to listen on a specific IP only, specify host.
* host definitions apply only to the following port line.
*/
host = "0.0.0.0";
port = 6667;
#sslport = 6697;
/* Listen on IPv6 (if you used host= above). */
host = "::";
port = 6667;
#sslport = 6697;
}; };
class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 4096;
number_per_ip_global = 4096;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 65535;
max_number = 65535;
sendq = 1000 megabyte;
}; };
privset "op" {
privs = oper:admin, oper:general;
};
operator "aids" {
user = "*@*";
password = "balls";
flags = ~encrypted;
snomask = "+s";
privset = "op";
};
exempt {
ip = "127.0.0.1";
};
exempt {
ip = "10.243.0.0/16";
};
auth {
user = "*@*";
class = "users";
flags = kline_exempt, exceed_limit, flood_exempt;
};
channel {
autochanmodes = "+t";
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 150;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};
general {
#maybe we want ident someday?
default_floodcount = 10000;
disable_auth = yes;
throttle_duration = 1;
throttle_count = 10000;
};
'';
}; };
} }
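Review bot: The `password` under `opers.aids` is a bcrypt hash at cost factor 4 (`$2a$04$`), committed to the repository and, because `krebs.ergo.config` is rendered into the daemon's config file, presumably also readable in the Nix store. At that cost offline guessing is cheap, and this operator is bound to the `server-admin` class with `samode`, `sajoin`, `accreg` and `rehash`. I would regenerate the hash from a long random password at a higher bcrypt cost and record that next to the value, for example `# bcrypt hash; visible in repo and store, so the password must be long and random`. If the hash was derived from the password that the removed solanum `operator` block held in plaintext, that password is already in history and should be rotated. Separately, `server.secure-nets` makes plaintext connections from `42::0/16` and `10.240.0.0/12` count as secure, a wider range than the `10.243.0.0/16` exemption on the old side, so a one-line comment naming the overlay networks these prefixes are meant to cover would help.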


@ -68,7 +68,8 @@
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
systemd.services.brockman.bindsTo = [ "solanum.service" ]; krebs.ergo.openFilesLimit = 16384;
systemd.services.brockman.bindsTo = [ "ergo.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384; systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = { krebs.brockman = {


@ -2,6 +2,13 @@
options = { options = {
krebs.ergo = { krebs.ergo = {
enable = lib.mkEnableOption "Ergo IRC daemon"; enable = lib.mkEnableOption "Ergo IRC daemon";
openFilesLimit = lib.mkOption {
type = lib.types.int;
default = 1024;
description = ''
Maximum number of open files. Limits the clients and server connections.
'';
};
config = lib.mkOption { config = lib.mkOption {
type = (pkgs.formats.json {}).type; type = (pkgs.formats.json {}).type;
description = '' description = ''
@ -54,8 +61,8 @@
multiclient = { multiclient = {
enabled = true; enabled = true;
allowed-by-default = true; allowed-by-default = true;
always-on = "opt-in"; always-on = "opt-out";
auto-away = "opt-in"; auto-away = "opt-out";
}; };
}; };
channels = { channels = {
@ -111,13 +118,15 @@
systemd.services.ergo = { systemd.services.ergo = {
description = "Ergo IRC daemon"; description = "Ergo IRC daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
reloadIfChanged = true; # reload currently not working as expected
# reloadIfChanged = true;
restartTriggers = [ configFile ]; restartTriggers = [ configFile ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true; DynamicUser = true;
StateDirectory = "ergo"; StateDirectory = "ergo";
LimitNOFILE = "${toString cfg.openFilesLimit}";
}; };
}; };
}); });
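Review bot: `openFilesLimit` is declared as `lib.types.int`, so zero or a negative number passes option evaluation and the mistake only shows up when the service starts; `type = lib.types.ints.positive;` would reject it at build time. In the last hunk, `LimitNOFILE = "${toString cfg.openFilesLimit}";` can be written `LimitNOFILE = cfg.openFilesLimit;`, since the interpolation around `toString` adds nothing. The option description could also say that this descriptor limit is what bounds concurrent client connections, because the default of 1024 is the cap a connection flood hits on hosts that do not override it.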