refactoring

README.md

@@ -0,0 +1,155 @@
+# Quickstart
+
+## Host configuration (debian)
+### sysctl.conf
+```
+net.core.default_qdisc                             = fq
+net.core.rmem_max                                  = 134217728
+net.core.wmem_max                                  = 134217728
+net.ipv4.conf.all.log_martians                     = 1
+net.ipv4.tcp_rmem                                  = 4096 87380 67108864
+net.ipv4.tcp_wmem                                  = 4096 65536 67108864
+net.ipv4.tcp_congestion_control                    = htcp
+net.ipv4.tcp_mtu_probing                           = 0
+net.ipv4.tcp_timestamps                            = 1
+net.ipv4.conf.default.accept_redirects             = 0
+net.ipv4.conf.default.secure_redirects             = 0
+net.ipv4.conf.default.send_redirects               = 0
+net.ipv4.conf.all.rp_filter                        = 2
+net.ipv4.conf.all.accept_source_route              = 0
+net.ipv4.tcp_syncookies                            = 1
+net.ipv6.conf.default.autoconf                     = 0
+net.ipv6.conf.default.accept_ra                    = 0
+net.ipv6.conf.default.accept_dad                   = 0
+net.ipv6.conf.default.accept_redirects             = 0
+net.netfilter.nf_conntrack_checksum                = 1
+net.netfilter.nf_conntrack_tcp_timeout_established = 120
+net.netfilter.nf_conntrack_log_invalid             = 255
+net.netfilter.nf_conntrack_tcp_timeout_close_wait  = 60
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait    = 60
+net.netfilter.nf_conntrack_tcp_timeout_time_wait   = 60
+net.netfilter.nf_conntrack_max                     = 524288
+net.netfilter.nf_conntrack_timestamp               = 1
+net.netfilter.nf_conntrack_acct                    = 1
+```
+#### documentation
+- netfilter https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
+
+### Packages
+`apt install iptables-persistent docker tor`
+
+### /etc/systemd/network/25-wan_interface.link
+- replace `aa:bb:cc:dd:ee:ff` with the MAC address of your VPS or server WAN interface
+```
+[Match]
+MACAddress=aa:bb:cc:dd:ee:ff 
+
+[Link]
+Description=WAN
+MACAddressPolicy=persistent 
+Name=WAN
+```
+- `systemctl enable systemd-networkd`
+- `systemctl start systemd-networkd`
+- verify that your WAN interface is renamed to `WAN`
+
+### IPTables
+```
+*nat
+:PREROUTING ACCEPT  [0:0]
+:INPUT ACCEPT       [0:0]
+:OUTPUT ACCEPT      [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING  -o WAN   -s 198.18.48.0/20                                                              -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP         [0:0]
+:FORWARD DROP       [0:0]
+:OUTPUT DROP        [0:0]
+:DOCKER-USER      - [0:0]
+:INVALID_FORWARD  - [0:0]
+:INVALID_IN       - [0:0]
+:INVALID_OUT      - [0:0]
+:LOG_FORWARD      - [0:0]
+:LOG_INPUT        - [0:0]
+:LOG_OUTPUT       - [0:0]
+-A INPUT                                                       -m state --state INVALID                 -j INVALID_IN
+-A INPUT        -i lo    -s 127.0.0.0/8      -d 127.0.0.0/8                                             -j ACCEPT
+-A INPUT        -i WAN                                         -m state --state RELATED,ESTABLISHED     -j ACCEPT
+-A INPUT                 -s 198.18.48.0/20   -d 198.18.48.1/32 -m udp -p udp --dport 53                 -j ACCEPT
+-A INPUT                                                       -m tcp -p tcp --dport 22                 -j ACCEPT
+-A INPUT                                                       -m tcp -p tcp --dport 6667               -j ACCEPT
+-A INPUT                                                       -m tcp -p tcp --dport 6697               -j ACCEPT
+-A INPUT                                                                                                -j LOG_INPUT
+-A FORWARD                                                     -m state --state INVALID                 -j INVALID_FORWARD
+-A FORWARD               -s 198.18.0.0/20    -d 198.18.16.0/20                                          -j ACCEPT
+-A FORWARD               -s 198.18.48.0/20   -d 198.18.16.0/20                                          -j ACCEPT
+-A FORWARD               -s 198.18.16.0/20   -d 198.18.0.0/20  -m state --state RELATED,ESTABLISHED     -j ACCEPT
+-A FORWARD               -s 198.18.16.0/20   -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED     -j ACCEPT
+-A FORWARD               -s 198.18.48.0/20 ! -d 198.18.0.0/17                                           -j ACCEPT
+-A FORWARD !             -s 198.18.0.0/17    -d 198.18.48.0/20 -m state --state RELATED,ESTABLISHED     -j ACCEPT
+-A FORWARD                                                                                              -j LOG_FORWARD
+-A OUTPUT                                                      -m state --state INVALID                 -j INVALID_OUT
+-A OUTPUT       -o lo    -s 127.0.0.0/8      -d 127.0.0.0/8                                             -j ACCEPT
+-A OUTPUT       -o WAN                                                                                  -j ACCEPT
+-A OUTPUT                -s 198.18.48.1/32   -d 198.18.48.0/20 -m udp -p udp                            -j ACCEPT
+-A OUTPUT                                                                                               -j LOG_OUTPUT
+-A DOCKER-USER                                                                                          -j RETURN
+-A INVALID_FORWARD                                             -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_FWD: "
+-A INVALID_FORWARD                                                                                      -j DROP
+-A INVALID_IN                                                  -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_IN: "
+-A INVALID_IN                                                                                           -j DROP
+-A INVALID_OUT                                                 -m limit --limit 2/min                   -j LOG               --log-prefix "4INVALID_OUT: "
+-A INVALID_OUT                                                                                          -j DROP
+-A LOG_FORWARD                                                 -m limit --limit 2/min                   -j LOG               --log-prefix "4FWD dropped: "
+-A LOG_FORWARD                                                                                          -j DROP
+-A LOG_INPUT                                                   -m limit --limit 2/min                   -j LOG               --log-prefix "4IN dropped: "
+-A LOG_INPUT                                                                                            -j DROP
+-A LOG_OUTPUT                                                  -m limit --limit 2/min                   -j LOG               --log-prefix "4OUT dropped: "
+-A LOG_OUTPUT                                                                                           -j DROP
+COMMIT
+```
+### /etc/tor/torrc
+```
+DNSPort                     0.0.0.0:53
+Log                         notice syslog
+```
+- `systemctl enable tor` 
+- `systemctl start tor`
+
+### /etc/default/docker
+```
+DOCKER_OPTS="--dns='198.18.48.1' --userns-remap=default --iptables=false --ip-masq=false --bip=198.18.48.1/25 --fixed-cidr=198.18.48.0/25"
+```
+- `ip link del docker0`
+- `ip link add docker0 type bridge`
+- `ip addr add 198.18.48.1/25 dev docker0`
+
+## Starting ircd 
+### Console
+- `cd rb_console ; docker-compose up -d ; cd ..`
+
+### Hub 
+- `cd rb_hub ; docker-compose up -d ; cd ..`
+
+### General leaf 
+- `cd rb_general ; docker-compose up -d ; cd ..`
+
+### Edge leaf 
+- `cd rb_edge ; docker-compose up -d ; cd ..`
+
+### Tor daemon
+- `cd rb_tor ; docker-compose up -d ; cd ..`
+
+### Tor DMZ leaf 
+- `cd rb_tor_dmz ; docker-compose up -d ; cd ..`
+
+### Proxy DMZ leaf 
+- `cd rb_proxy_dmz ; docker-compose up -d ; cd ..`
+
+### Services 
+- `cd rb_services ; docker-compose up -d ; cd ..`
+
+## Uplinking
+
+

docker-compose.console.yml

@@ -1,43 +0,0 @@
-version: "3.8"
-
-networks:
-  console_default:
-    ipam:
-      driver: default
-      config:
-        - subnet: 198.18.3.8/30   # 198.18.0.0/20
-  console:
-    external:
-      name: docker-ratbox_console
-services:
-  console:
-    restart: unless-stopped
-    hostname: console
-    domainname: netwerk.insecurity.corp
-    userns_mode: "host"
-    build:
-      context: ./irssi
-      dockerfile: Dockerfile
-    command: "/usr/bin/irssi"
-    environment:
-      LANG: en_US.utf8
-      TZ: UTC
-      TERM: xterm-256color
-      IRCNICK: commodus
-      IRCSERVER: 198.18.70.35
-      IRCUSER: commodus
-      IRCNAME: commodus
-    ulimits:
-      nproc: 65535
-      nofile:
-        soft: 1024000
-        hard: 1024000
-    tty: true
-    stdin_open: true
-    networks:
-      console_default:
-        ipv4_address: 198.18.3.10
-      console:
-        ipv4_address: 198.18.70.34
-    volumes:
-      - ./irssi/volumes/.irssi:/home/console/.irssi

ratbox/Dockerfile

@@ -1,12 +1,18 @@
 FROM debian:latest
 ENV DEBIAN_FRONTEND noninteractive
-RUN apt-get update && apt-get -y install subversion libssl-dev build-essential autoconf automake
-WORKDIR /tmp
+ENV NICK_LEN 9
+RUN apt-get update && apt-get -y install git subversion libssl-dev build-essential autoconf automake1.11 clang zlib1g-dev libsqlite3-dev
+RUN mkdir -p /tmp/ratbox
+WORKDIR /tmp/ratbox
 RUN svn co http://svn.ratbox.org/svnroot/ircd-ratbox/branches/RATBOX_3_0
-WORKDIR /tmp/RATBOX_3_0
-RUN ./configure && make && make install
+WORKDIR /tmp/ratbox/RATBOX_3_0
+RUN ./configure --enable-services --with-nicklen=${NICK_LEN}
+RUN make
+RUN make install
+RUN rm -rf /tmp/ratbox
+RUN apt -y remove git subversion libssl-dev build-essential autoconf automake1.11 clang zlib1g-dev libsqlite3-dev
 RUN groupadd -g 2000 ircd
-RUN useradd  -m -u 2001 -g ircd ircd
+RUN useradd -m -u 2001 -g ircd ircd
 RUN mkdir -p /usr/local/ircd/logs
 RUN chown -R 2001:2000 /usr/local/ircd
 USER ircd

rb_console/.irssi/config

@@ -71,6 +71,15 @@ servers = (
     use_tls = "no";
     tls_verify = "no";
     autoconnect = "yes";
+  },
+  {
+    address = "edge";
+    chatnet = "edge";
+    port = "6667";
+    password = "password";
+    use_tls = "no";
+    tls_verify = "no";
+    autoconnect = "yes";
   }
 );
 
@@ -144,6 +153,7 @@ chatnets = {
     max_whois = "1";
   };
   hub = { type = "IRC"; autosendcmd = "/quote oper commodus password"; };
+  edge = { type = "IRC"; autosendcmd = "/oper odysseus password"; };
 };
 
 channels = (

rb_console/docker-compose.yml

@@ -0,0 +1,75 @@
+version: "3.8"
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.3.8/30   # 198.18.0.0/20
+  hub:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.70.32/29 # 198.18.64.0/20
+  edge:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.70.40/29 # 198.18.64.0/20
+  general:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.70.48/29 # 198.18.64.0/20
+  tor_dmz:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.70.56/29 # 198.18.64.0/20
+  proxy_dmz:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.70.64/29 # 198.18.64.0/20
+
+services:
+  console:
+    restart: unless-stopped
+    hostname: console
+    domainname: netwerk.insecurity.corp
+    userns_mode: "host"
+    build:
+      context: ../irssi
+      dockerfile: Dockerfile
+    image: irssi:latest
+    command: "/usr/bin/irssi"
+    environment:
+      LANG: en_US.utf8
+      TZ: UTC
+      TERM: xterm-256color
+      IRCNICK: commodus
+      IRCSERVER: 198.18.70.35
+      IRCUSER: commodus
+      IRCNAME: commodus
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 1024000
+        hard: 1024000
+    tty: true
+    stdin_open: true
+    networks:
+      default:
+        ipv4_address: 198.18.3.10
+      hub:
+        ipv4_address: 198.18.70.34
+      edge:
+        ipv4_address: 198.18.70.43
+      general:
+        ipv4_address: 198.18.70.51
+      tor_dmz:
+        ipv4_address: 198.18.70.59
+      proxy_dmz:
+        ipv4_address: 198.18.70.67
+    volumes:
+      - ./.irssi/:/home/console/.irssi

rb_edge/docker-compose.yml

@@ -8,10 +8,10 @@ networks:
         - subnet: 198.18.3.12/30   # 198.18.0.0/20
   edge:
     external:
-      name: docker-ratbox_edge_leaf
+      name: rb_hub_edge_leaf
   console:
     external:
-      name: docker-ratbox_console
+      name: rb_console_edge
 
 services:
   edge:
@@ -19,7 +19,10 @@ services:
     hostname: edge
     domainname: netwerk.insecurity.corp
     userns_mode: "host"
-    image: "docker-ratbox_hub"
+    build:
+      context: ../ratbox
+      dockerfile: Dockerfile
+    image: ratbox:latest
     command: "/usr/local/ircd/bin/ircd -pidfile /run/ircd.pid -foreground || /usr/local/ircd/bin/ircd -conftest"
     environment:
       LANG: en_US.utf8

rb_edge/edge.conf

@@ -0,0 +1,75 @@
+.include <admin.conf>
+.include <modules.conf>
+.include <general.internal.conf>
+.include <classes.conf>
+.include <server.classes.conf>
+.include <channel.conf>
+
+serverinfo {
+	name                = "edge.netwerk.insecurity.corp";
+	sid                 = "32K";
+	description         = "Ｎ３ｔｗ３ｒｋ";
+	network_name        = "𝓷3𝓽𝔀3𝓻𝓴";
+	network_desc        = "Powered by Eris-free Technology";
+	hub                 = yes;
+	default_max_clients = 102400;
+  bandb               = "ephemeral/db/edge.ban.db";
+};
+
+serverhide {
+	flatten_links  = no;
+	links_delay    = 16 seconds;
+	hidden         = yes;
+	disable_hidden = no;
+};
+
+cluster {
+        name  = "*.netwerk.insecurity.corp";
+        flags = kline, unkline, xline;
+        name = "irc.netwerk.insecurity.corp";
+        name = "ircd.netwerk.insecurity.corp";
+        flags = locops;
+};
+
+auth {
+  spoof = "console.netwerk.insecurity.corp";
+	user  = "*@198.18.70.34";
+	class = "admins";
+  flags = spambot_exempt, shide_exempt, jupe_exempt, no_tilde,
+          gline_exempt, kline_exempt,   exceed_limit;
+};
+
+operator "odysseus" {
+	user     = "*@198.18.70.34";
+	password = "password";
+
+	umodes   = cconn, cconnext, debug,    full,     skill,  nchange,
+             rej,   external, operwall, locops, unauth;
+
+	flags    = ~encrypted, global_kill, remote, kline, unkline, gline,
+	           rehash,     admin,       xline,  resv,  operwall;
+};
+
+connect "hub.netwerk.insecurity.corp" {
+        host            = "198.18.70.26";
+        send_password   = "password";
+        accept_password = "password";
+        port            = 7003;
+        aftype          = ipv4;
+        class           = "hub_server";
+        flags           = autoconn;
+};
+
+listen {
+       host             = "198.18.70.36";
+       port             = 6667;
+       sslport          = 6697;
+       host             = "198.18.70.27";
+       port             = 7003;
+       sslport          = 7103;
+};
+
+exempt {
+        ip = "198.18.64.0/20";
+        ip = "127.0.0.0/8";
+};

rb_general/docker-compose.yml

@@ -0,0 +1,43 @@
+version: "3.8"
+
+networks:
+  general_default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.55.0/30   # 198.18.48.0/20
+  general:
+    external:
+      name: docker-ratbox_general_leaf
+  console:
+    external:
+      name: docker-ratbox_console
+
+services:
+  general:
+    restart: unless-stopped
+    hostname: general
+    domainname: netwerk.insecurity.corp
+    userns_mode: "host"
+    image: "docker-ratbox_hub"
+    command: "/usr/local/ircd/bin/ircd -pidfile /run/ircd.pid -foreground || /usr/local/ircd/bin/ircd -conftest"
+    environment:
+      LANG: en_US.utf8
+      TZ: UTC
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 1024000
+        hard: 1024000
+    networks:
+      general_default:
+        ipv4_address: 198.18.55.2
+      general:
+        ipv4_address: 198.18.70.3
+      console:
+        ipv4_address: 198.18.70.37
+    volumes:
+      - ./etc/:/usr/local/ircd/etc:rw
+      - ./configs/general.conf:/usr/local/ircd/etc/ircd.conf:ro
+      - ./ephemeral/logs:/usr/local/ircd/logs:rw
+      - ./ephemeral/db:/usr/local/ircd/ephemeral/db:rw

rb_general/general.conf

@@ -0,0 +1,78 @@
+.include <admin.conf>
+.include <modules.conf>
+.include <general.internal.conf>
+.include <classes.conf>
+.include <server.classes.conf>
+.include <channel.conf>
+
+serverinfo {
+	name                = "general.netwerk.insecurity.corp";
+	sid                 = "32K";
+	description         = "Ｎ３ｔｗ３ｒｋ";
+	network_name        = "𝓷3𝓽𝔀3𝓻𝓴";
+	network_desc        = "Ｎ３ｔｗ３ｒｋ";
+	hub                 = yes;
+	default_max_clients = 102400;
+  bandb               = "ephemeral/db/general.ban.db";
+};
+
+serverhide {
+	flatten_links  = no;
+	links_delay    = 16 seconds;
+	hidden         = yes;
+	disable_hidden = no;
+};
+
+cluster {
+        name  = "*.netwerk.insecurity.corp";
+        flags = kline, unkline, xline;
+        name = "irc.netwerk.insecurity.corp";
+        name = "ircd.netwerk.insecurity.corp";
+        flags = locops;
+};
+
+auth {
+  spoof = "console.netwerk.insecurity.corp";
+	user  = "*@198.18.70.34";
+	class = "admins";
+  flags = spambot_exempt, shide_exempt, jupe_exempt, no_tilde,
+          gline_exempt, kline_exempt,   exceed_limit;
+};
+
+operator "odysseus" {
+	user     = "*@198.18.70.34";
+	password = "password";
+
+	umodes   = cconn, cconnext, debug,    full,     skill,  nchange,
+             rej,   external, operwall, locops, unauth;
+
+	flags    = ~encrypted, global_kill, remote, kline, unkline, gline,
+	           rehash,     admin,       xline,  resv,  operwall;
+};
+
+connect "hub.netwerk.insecurity.corp" {
+        host            = "198.18.70.2";
+        send_password   = "password";
+        accept_password = "password";
+        port            = 7000;
+        aftype          = ipv4;
+        class           = "hub_server";
+        flags           = autoconn;
+};
+
+listen {
+       host             = "198.18.55.2";
+       port             = 6667;
+       sslport          = 6697;
+       host             = "198.18.70.37";
+       port             = 6667;
+       sslport          = 6697;
+       host             = "198.18.70.3";
+       port             = 7000;
+       sslport          = 7100;
+};
+
+exempt {
+        ip = "198.18.64.0/20";
+        ip = "127.0.0.0/8";
+};

rb_hub/docker-compose.yml

@@ -31,11 +31,9 @@ networks:
         - subnet: 198.18.70.24/29  # 198.18.64.0/20
     internal: true
   console:
-    ipam:
-      driver: default
-      config:
-        - subnet: 198.18.70.32/27 # 198.18.64.0/20
-
+    external:
+      name: rb_console_hub
+  
 services:
   hub:
     restart: unless-stopped
@@ -43,9 +41,10 @@ services:
     domainname: netwerk.insecurity.corp
     userns_mode: "host"
     build:
-      context: ./ratbox
+      context: ../ratbox
       dockerfile: Dockerfile
-    command: "/usr/local/ircd/bin/ircd -foreground -pidfile /usr/local/ircd/ephemeral/pid/hub.pid || /usr/local/ircd/bin/ircd -conftest"
+    image: ratbox:latest
+    command: "/usr/local/ircd/bin/ircd -foreground -pidfile /run/hub.pid || /usr/local/ircd/bin/ircd -conftest"
     environment:
       LANG: en_US.utf8
       TZ: UTC
@@ -68,8 +67,8 @@ services:
       console:
         ipv4_address: 198.18.70.35
     volumes:
-      - ./etc/:/usr/local/ircd/etc:rw
-      - ./configs/hub.conf:/usr/local/ircd/etc/ircd.conf:ro
-      - ./ephemeral/logs:/usr/local/ircd/logs:rw
-      - ./ephemeral/db:/usr/local/ircd/ephemeral/db:rw
-      - ./ephemeral/pid:/usr/local/ircd/ephemeral/pid:rw
+      - ../etc/:/usr/local/ircd/etc:rw
+      - ./hub.conf:/usr/local/ircd/etc/ircd.conf:ro
+      - ../ephemeral/logs:/usr/local/ircd/logs:rw
+      - ../ephemeral/db:/usr/local/ircd/ephemeral/db:rw
+      - ../ephemeral/pid:/usr/local/ircd/ephemeral/pid:rw

rb_hub/hub.conf

@@ -59,7 +59,7 @@ connect "general.netwerk.insecurity.corp" {
         class           = "general_server";
 };
 
-connect "tor.netwerk.insecurity.corp" {
+connect "tor-dmz.netwerk.insecurity.corp" {
         host            = "198.18.70.12";
         send_password   = "password";
         accept_password = "password";
@@ -68,7 +68,7 @@ connect "tor.netwerk.insecurity.corp" {
         class           = "tor_dmz_server";
 };
 
-connect "dmz.netwerk.insecurity.corp" {
+connect "proxy-dmz.netwerk.insecurity.corp" {
         host            = "198.18.70.19";
         send_password   = "password";
         accept_password = "password";

rb_proxy_dmz/docker-compose.yml

@@ -0,0 +1,43 @@
+version: "3.8"
+
+networks:
+  proxy-dmz_default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.3.20/30   # 198.18.0.0/20
+  proxy-dmz:
+    external:
+      name: docker-ratbox_proxy_leaf
+  console:
+    external:
+      name: docker-ratbox_console
+
+services:
+  proxy-dmz:
+    restart: unless-stopped
+    hostname: proxy-dmz
+    domainname: netwerk.insecurity.corp
+    userns_mode: "host"
+    image: "docker-ratbox_hub"
+    command: "/usr/local/ircd/bin/ircd -pidfile /run/ircd.pid -foreground || /usr/local/ircd/bin/ircd -conftest"
+    environment:
+      LANG: en_US.utf8
+      TZ: UTC
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 1024000
+        hard: 1024000
+    networks:
+      proxy-dmz_default:
+        ipv4_address: 198.18.3.22
+      proxy-dmz:
+        ipv4_address: 198.18.70.19
+      console:
+        ipv4_address: 198.18.70.37
+    volumes:
+      - ./etc/:/usr/local/ircd/etc:rw
+      - ./configs/proxy-dmz.conf:/usr/local/ircd/etc/ircd.conf:ro
+      - ./ephemeral/logs:/usr/local/ircd/logs:rw
+      - ./ephemeral/db:/usr/local/ircd/ephemeral/db:rw

rb_proxy_dmz/proxy-dmz.conf

@@ -57,6 +57,7 @@ connect "hub.netwerk.insecurity.corp" {
         port            = 7003;
         aftype          = ipv4;
         class           = "hub_server";
+        flags           = autoconn;
 };
 
 listen {

rb_tor/docker-compose.yml

@@ -0,0 +1,40 @@
+version: "3.8"
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.55.4/30
+  tor:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.70.64/29
+
+services:
+  tor:
+    restart: unless-stopped
+    hostname: tor
+    domainname: tor-hidden-services.local
+    userns_mode: "host"
+    build:
+      context: ../tor
+      dockerfile: Dockerfile
+    image: tor:latest
+    command: "tor -f /tor/configs/torrc"
+    environment:
+      LANG: en_US.utf8
+      TZ: UTC
+    networks:
+      default:
+        ipv4_address: 198.18.55.6
+      tor:
+        ipv4_address: 198.18.70.66
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 1024000
+        hard: 1024000
+    volumes:
+      - ./torrc:/tor/configs/torrc:ro

rb_tor/torrc

@@ -0,0 +1,11 @@
+RunAsDaemon                   0
+
+SocksPort                     0
+
+DNSPort                       0
+
+TransPort                     0
+
+HiddenServiceDir              /var/lib/tor/irc_6667/
+
+HiddenServicePort             6667 198.18.70.67:6667

rb_tor_dmz/docker-compose.yml

@@ -0,0 +1,48 @@
+version: "3.8"
+
+networks:
+  tor-dmz_default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 198.18.3.24/30   # 198.18.0.0/20
+  hub:
+    external:
+      name: docker-ratbox_tor_leaf
+  console:
+    external:
+      name: docker-ratbox_console
+  tor:
+    external:
+      name: docker-ratbox_tor
+
+services:
+  tor-dmz:
+    restart: unless-stopped
+    hostname: tor-dmz
+    domainname: netwerk.insecurity.corp
+    userns_mode: "host"
+    image: "docker-ratbox_hub"
+    command: "/usr/local/ircd/bin/ircd -pidfile /run/ircd.pid -foreground || /usr/local/ircd/bin/ircd -conftest"
+    environment:
+      LANG: en_US.utf8
+      TZ: UTC
+    ulimits:
+      nproc: 65535
+      nofile:
+        soft: 1024000
+        hard: 1024000
+    networks:
+      tor-dmz_default:
+        ipv4_address: 198.18.3.26
+      hub:
+        ipv4_address: 198.18.70.12
+      console:
+        ipv4_address: 198.18.70.38
+      tor:
+        ipv4_address: 198.18.70.67
+    volumes:
+      - ./etc/:/usr/local/ircd/etc:rw
+      - ./configs/tor-dmz.conf:/usr/local/ircd/etc/ircd.conf:ro
+      - ./ephemeral/logs:/usr/local/ircd/logs:rw
+      - ./ephemeral/db:/usr/local/ircd/ephemeral/db:rw

rb_tor_dmz/tor-dmz.conf

@@ -0,0 +1,75 @@
+.include <admin.conf>
+.include <modules.conf>
+.include <general.internal.conf>
+.include <classes.conf>
+.include <server.classes.conf>
+.include <channel.conf>
+
+serverinfo {
+	name                = "edge.netwerk.insecurity.corp";
+	sid                 = "32K";
+	description         = "Ｎ３ｔｗ３ｒｋ";
+	network_name        = "𝓷3𝓽𝔀3𝓻𝓴";
+	network_desc        = "Ｎ３ｔｗ３ｒｋ";
+	hub                 = yes;
+	default_max_clients = 102400;
+  bandb               = "ephemeral/db/tor.ban.db";
+};
+
+serverhide {
+	flatten_links  = no;
+	links_delay    = 16 seconds;
+	hidden         = yes;
+	disable_hidden = no;
+};
+
+cluster {
+        name  = "*.netwerk.insecurity.corp";
+        flags = kline, unkline, xline;
+        name = "irc.netwerk.insecurity.corp";
+        name = "ircd.netwerk.insecurity.corp";
+        flags = locops;
+};
+
+auth {
+  spoof = "console.netwerk.insecurity.corp";
+	user  = "*@198.18.70.34";
+	class = "admins";
+  flags = spambot_exempt, shide_exempt, jupe_exempt, no_tilde,
+          gline_exempt, kline_exempt,   exceed_limit;
+};
+
+operator "tordmz" {
+	user     = "*@198.18.70.34";
+	password = "password";
+
+	umodes   = cconn, cconnext, debug,    full,     skill,  nchange,
+             rej,   external, operwall, locops, unauth;
+
+	flags    = ~encrypted, global_kill, remote, kline, unkline, gline,
+	           rehash,     admin,       xline,  resv,  operwall;
+};
+
+connect "hub.netwerk.insecurity.corp" {
+        host            = "198.18.70.11";
+        send_password   = "password";
+        accept_password = "password";
+        port            = 7001;
+        aftype          = ipv4;
+        class           = "hub_server";
+        flags           = autoconn;
+};
+
+listen {
+       host             = "198.18.70.38";
+       port             = 6667;
+       sslport          = 6697;
+       host             = "198.18.70.27";
+       port             = 7003;
+       sslport          = 7103;
+};
+
+exempt {
+        ip = "198.18.64.0/20";
+        ip = "127.0.0.0/8";
+};

tor/Dockerfile

@@ -0,0 +1,4 @@
+FROM debian:latest
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update && apt-get -y install tor iputils-ping net-tools iproute2 iftop tcpdump mtr
+