[inspircd] PEPCRANS + prevent diffs

2021-06-25 14:52:06 +02:00 · 2021-06-25 14:52:06 +02:00 · fa8c430a53
parent f0c6a62853
commit fa8c430a53
5 changed files with 116 additions and 130 deletions
--- a/host_vars/irc.adm.crans.org.yml
+++ b/host_vars/irc.adm.crans.org.yml
@ -27,10 +27,67 @@ loc_thelounge:
  public: "true"

 loc_inspircd:
-  cloak_key: "{{ vault.irc_inspircd_cloak_key }}"
+  cloak:
+    name: crans
+    key: "{{ vault.irc_inspircd_cloak_key }}"
  diepass: "{{ vault.irc_inspircd_diepass }}"
  restartpass: "{{ vault.irc_inspircd_restartpass }}"
  opers: "{{ vault.irc_inspircd_opers }}"
+  server:
+    name: irc.crans.org
+    description: Crans IRC server
+    network: Crans
+  admin:
+    name: Pierre-Elliott Bécue
+    nick: PEB
+    email: root@crans.org
+  bind:
+     - address: 185.230.79.11
+       type: clients
+       clair: 6667
+       ssl: 6697
+     - address: 2a0c:700:2::ff:fe01:2902
+       type: clients
+       clair: 6667
+       ssl: 6697
+     - address : 172.16.10.129
+       type: clients
+       clair: 6667
+     - address: 127.0.0.1
+       type: servers
+       clair: 6668
+  connect:
+    - name: zamok
+      allows:
+        ipv4: 185.230.79.1/32
+        ipv6: 2a0c:700:2:0:ec4:7aff:fe59:a1ad/128
+      threshold: 1
+    - name: irc
+      allows:
+        ipv4: 185.230.79.11/32
+        ipv6: 2a0c:700:2::ff:fe01:2902/128
+      threshold: 1
+    - name: gitlab
+      allows:
+        ipv4: 185.230.79.14/32
+        ipv6: 2a0c:700:2::ff:fe01:502/128
+      threshold: 10
+      commandrate: 10000
+    - name: monitoring
+      allows:
+        ipv4: 172.16.10.121/32
+        ipv6: fd00::10:ff:fe01:2110/128
+      threshold: 10
+      commandrate: 10000
+      modes: yes
+  dns: 185.230.79.62
+  services:
+    name: services.irc.crans.org
+    port: 6668
+    recvpass: "{{ vault.irc_anope_recvpass }}"
+    sendpass: "{{ vault.irc_anope_sendpass }}"
+
+

 loc_anope:
  recvpass: "{{ vault.irc_anope_recvpass }}"
--- a/roles/anope/templates/anope/services.conf.j2
+++ b/roles/anope/templates/anope/services.conf.j2
@ -891,33 +891,35 @@ opertype
 * As with all permissions, make sure to only give trustworthy people access to Services.
 */

-oper
-{
-	/* The nickname of this services oper */
-	name = "Fardale"
+/*
+	* oper
+	* {
+	*	/* The nickname of this services oper */
+	*	name = "nick"

-	/* The opertype this person will have */
-	type = "Services Root"
+	*	/* The opertype this person will have */
+	*	type = "Services Root"

-	/* If set, the user must be an oper on the IRCd to gain their Services
-	 * oper privileges.
-	 */
-	require_oper = yes
+	*	/* If set, the user must be an oper on the IRCd to gain their Services
+	*	 * oper privileges.
+	*	 */
+	*	require_oper = yes

-	/* An optional password. If defined the user must login using "/msg OperServ LOGIN" first */
-	#password = "secret"
+	*	/* An optional password. If defined the user must login using "/msg OperServ LOGIN" first */
+	*	#password = "secret"

-	/* An optional SSL fingerprint. If defined, it's required to be able to use this opertype. */
-	#certfp = "ed3383b3f7d74e89433ddaa4a6e5b2d7"
+	*	/* An optional SSL fingerprint. If defined, it's required to be able to use this opertype. */
+	*	#certfp = "ed3383b3f7d74e89433ddaa4a6e5b2d7"

-	/* An optional list of user@host masks. If defined the user must be connected from one of them */
-	#host = "*@*.anope.org ident@*"
+	*	/* An optional list of user@host masks. If defined the user must be connected from one of them */
+	*	#host = "*@*.anope.org ident@*"

-	/* An optional vHost to set on users who identify for this oper block.
-	 * This will override HostServ vHosts, and may not be available on all IRCds
-	 */
-	#vhost = "oper.mynet"
-}
+	*	/* An optional vHost to set on users who identify for this oper block.
+	*	 * This will override HostServ vHosts, and may not be available on all IRCds
+	*	 */
+	*	#vhost = "oper.mynet"
+	* }
+	*/

 {% for oper in anope.services_roots %}
 oper
--- a/roles/inspircd/templates/inspircd/inspircd.conf.j2
+++ b/roles/inspircd/templates/inspircd/inspircd.conf.j2
@ -9,21 +9,21 @@
 	target="/var/log/inspircd.log"
 >

-<server name="irc.crans.org"
-        description="Crans IRC server"
-        network="Crans"
+<server name="{{ inspircd.server.name }}"
+        description="{{ inspircd.server.description }}"
+        network="{{ inspircd.server.network }}"
        sid="3AX">

-<admin name="Pierre-Elliott Bécue"
-       nick="PEB"
-       email="root@crans.org">
+<admin name="{{ inspircd.admin.name }}"
+       nick="{{ inspircd.admin.nick }}"
+       email="{{ inspircd.admin.email }}">

-<bind address="185.230.79.11" port="6667" type="clients">
-<bind address="185.230.79.11" port="6697" type="clients" ssl="openssl">
-<bind address="2a0c:700:2::ff:fe01:2902" port="6667" type="clients">
-<bind address="2a0c:700:2::ff:fe01:2902" port="6697" type="clients" ssl="openssl">
-<bind address="172.16.10.129" port="6667" type="clients">
-<bind address="127.0.0.1" port="6668" type="servers">
+{% for bind in inspircd.bind %}
+<bind address="{{ bind.address }}" port="{{ bind.clair }}" type="{{ bind.type }}">
+{% if bind.ssl is defined %}
+<bind address="{{ bind.address }}" port="{{ bind.ssl }}" type="{{ bind.type }}" ssl="openssl">
+{% endif %}
+{% endfor %}

 <sslprofile
 	name="openssl"
@ -37,102 +37,29 @@

 <include file="/etc/inspircd/links.conf">

-<connect name="zamok-ipv4"
-         allow="185.230.79.1/32"
+{% for connect in inspircd.connect %}
+{% for name,allow in connect.allows.items() %}
+<connect name="{{ connect.name }}-{{ name }}"
+         allow="{{ allow }}"
         timeout="60"
-         threshold="1"
+         threshold="{{ connect.threshold }}"
+{% if connect.commandrate is defined %}
+         commandrate="{{ connect.commandrate }}"
+{% endif %}
         pingfreq="120"
         sendq="262144"
         recvq="8192"
         maxchans="70"
         localmax="1000"
-         globalmax="1000">
+         globalmax="1000"{% if connect.modes is not defined %}>
+{% else %}

-<connect name="zamok-ipv6"
-         allow="2a0c:700:2:0:ec4:7aff:fe59:a1ad/128"
-         timeout="60"
-         threshold="1"
-         pingfreq="120"
-         sendq="262144"
-         recvq="8192"
-         maxchans="70"
-         localmax="1000"
-         globalmax="1000">
-
-<connect name="irc-ipv4"
-         allow="185.230.79.11/32"
-         timeout="60"
-         threshold="1"
-         pingfreq="120"
-         sendq="262144"
-         recvq="8192"
-         maxchans="70"
-         localmax="1000"
-         globalmax="1000">
-
-<connect name="irc-ipv6"
-         allow="2a0c:700:2::ff:fe01:2902/128"
-         timeout="60"
-         threshold="10"
-         pingfreq="120"
-         sendq="262144"
-         recvq="8192"
-         maxchans="70"
-         localmax="1000"
-         globalmax="1000">
-
-<connect name="gitlab-ipv4"
-         allow="185.230.79.14/32"
-         timeout="60"
-         threshold="10"
-         commandrate="10000"
-         pingfreq="120"
-         sendq="262144"
-         recvq="8192"
-         maxchans="70"
-         localmax="1000"
-         globalmax="1000">
-
-<connect name="gitlab-ipv6"
-         allow="2a0c:700:2::ff:fe01:502/128"
-         timeout="60"
-         threshold="10"
-         commandrate="10000"
-         pingfreq="120"
-         sendq="262144"
-         recvq="8192"
-         maxchans="70"
-         localmax="1000"
-         globalmax="1000">
-
-<connect name="monitoring-ipv4"
-         allow="172.16.10.121/32"
-         timeout="60"
-         threshold="10"
-         commandrate="10000"
-         pingfreq="120"
-         sendq="262144"
-         recvq="8192"
-         maxchans="70"
-         localmax="1000"
-         globalmax="1000"
-         modes="+x"
-         useident="no">
-
-<connect name="monitoring-ipv6"
-         allow="fd00::10:ff:fe01:2110/128"
-         timeout="60"
-         threshold="10"
-         commandrate="10000"
-         pingfreq="120"
-         sendq="262144"
-         recvq="8192"
-         maxchans="70"
-         localmax="1000"
-         globalmax="1000"
         modes="+x"
         useident="no">
+{% endif %}

+{% endfor %}
+{% endfor %}
 <connect name="default"
         allow="*"
         timeout="60"
@ -156,7 +83,7 @@
 <channels users="30"
          opers="1000">

-<dns server="172.16.10.101" timeout="5">
+<dns server="{{ inspircd.dns }}" timeout="5">

 <options prefixquit="Quit: "
         noservices="no"
--- a/roles/inspircd/templates/inspircd/links.conf.j2
+++ b/roles/inspircd/templates/inspircd/links.conf.j2
@ -1,13 +1,13 @@
 {{ ansible_header | comment }}

 <link
-	name="services.irc.crans.org"
+	name="{{ inspircd.services.name }}"
 	ipaddr="127.0.0.1"
-	port="6668"
+	port="{{ inspircd.services.port }}"
 	sid="3AX"
 	allowmask="127.0.0.0/8"
-	sendpass="{{ anope.recvpass }}"
-	recvpass="{{ anope.sendpass }}"
+	sendpass="{{ inspircd.services.recvpass }}"
+	recvpass="{{ inspircd.services.sendpass }}"
 >

-<uline server="services.irc.crans.org">
+<uline server="{{ inspircd.services.name }}">
--- a/roles/inspircd/templates/inspircd/modules.conf.j2
+++ b/roles/inspircd/templates/inspircd/modules.conf.j2
@ -24,8 +24,8 @@
 <auditorium  opvisible="yes" opcansee="no" opercansee="yes">
 <module name="m_banexception.so">
 <module name="m_banredirect.so">
-#<module name="m_blockamsg.so">
-#   <blockamsg delay="3" action="noticeopers">
+<module name="m_blockamsg.so">
+   <blockamsg delay="3" action="noticeopers">

 <module name="m_blockcaps.so">
 <blockcaps percent="50"
@ -84,8 +84,8 @@
 <module name="m_cloaking.so">
 <cloak
 	mode="full"
-	key="{{ inspircd.cloak_key }}"
-	prefix="crans"
+	key="{{ inspircd.cloak.key }}"
+	prefix="{{ inspircd.cloak.name }}"
 >

 #<module name="m_conn_join.so">