Merge atheme and charybdis modules from parameterize

2015-05-06 13:48:16 +03:00 · 2015-05-06 13:48:16 +03:00 · f04fc7f5d1
commit f04fc7f5d1
parent e8c6de331c
4 changed files with 2446 additions and 0 deletions
--- a/atheme/manifests/init.pp
+++ b/atheme/manifests/init.pp
@ -0,0 +1,121 @@
+# Use default values from charybdis if defined.
+#
+class atheme::params {
+
+  if $::charybdis::services_name {
+    $services_name = $::charybdis::services_name
+  } else {
+    $services_name = 'ircservices.localdomain'
+  }
+
+  if $::charybdis::network_name {
+    $network_name = $::charybdis::network_name
+  } else {
+    $network_name = 'IRC Network'
+  }
+
+  if $::charybdis::admin_name {
+    $admin_name = $::charybdis::admin_name
+  } else {
+    $admin_name = 'Administrator'
+  }
+
+  if $::charybdis::admin_email {
+    $admin_email = $::charybdis::admin_email
+  } else {
+    $admin_email = 'root@localhost'
+  }
+
+  if $::charybdis::server_name {
+    $uplink_name = $::charybdis::server_name
+  } else {
+    $uplink_name = undef
+  }
+
+  if $::charybdis::port {
+    $uplink_port = $::charybdis::port
+  } else {
+    $uplink_port = '6667'
+  }
+
+  if $::charybdis::services_password {
+    $uplink_password = $::charybdis::services_password
+  } else {
+    $uplink_password = undef
+  }
+
+}
+
+# Install Atheme IRC services.
+#
+class atheme(
+  $sid='00B',
+  $services_name=$atheme::params::services_name,
+  $services_description='Atheme IRC Services',
+  $network_name=$atheme::params::network_name,
+  $admin_name=$atheme::params::admin_name,
+  $admin_email=$atheme::params::admin_email,
+  $hidehostsuffix='hiddendomain',
+  $uplink_name=$atheme::params::uplink_name,
+  $uplink_port=$atheme::params::uplink_port,
+  $uplink_password=$atheme::params::uplink_password,
+  $operators=[],
+) inherits atheme::params {
+
+  case $::operatingsystem {
+    'ubuntu': { }
+    default: {
+      fail("atheme not supported on ${::operatingsystem}")
+    }
+  }
+
+  if ! $uplink_name {
+    fail('Must define $uplink_name')
+  }
+
+  if ! $uplink_password {
+    fail('Must define $uplink_password')
+  }
+
+  package { 'atheme-services':
+    ensure => installed,
+  }
+
+  file { '/etc/atheme/atheme.conf':
+    ensure  => present,
+    mode    => '0644',
+    owner   => 'root',
+    group   => 'root',
+    content => template('atheme/atheme.conf.erb'),
+    require => Package['atheme-services'],
+    notify  => Service['atheme-services'],
+  }
+
+  augeas { 'atheme-enable':
+    context => '/files/etc/default/atheme-services',
+    changes => 'set ENABLED 1',
+    notify  => Service['atheme-services'],
+  }
+
+  service { 'atheme-services':
+    ensure    => running,
+    enable    => true,
+    hasstatus => false,
+  }
+
+  file { '/var/log/atheme':
+    ensure  => directory,
+    mode    => '0640',
+    owner   => 'irc',
+    group   => 'irc',
+    recurse => true,
+    require => Service['atheme-services'],
+  }
+
+  if defined(Service['charybdis']) {
+    Service['atheme-services'] {
+      require => Service['charybdis'],
+    }
+  }
+
+}
--- a/atheme/templates/atheme.conf.erb
+++ b/atheme/templates/atheme.conf.erb
--- a/charybdis/manifests/init.pp
+++ b/charybdis/manifests/init.pp
@ -0,0 +1,134 @@
+# Install Charybdis IRC server.
+#
+class charybdis(
+  $sid='00A',
+  $server_name='irc.localdomain',
+  $server_description='IRC Server',
+  $network_name='IRC',
+  $network_description='IRC Network',
+  $admin_name='Administrator',
+  $admin_description='IRC Administrator',
+  $admin_email='root@localhost',
+  $motd=undef,
+  $motd_source=undef,
+  $port='6667',
+  $sslport='6668',
+  $ssl_dh=undef,
+  $ssl_key=undef,
+  $ssl_cert=undef,
+  $users=['*@*'],
+  $operators=[],
+  $umodes=undef,
+  $cloaking=true,
+  $hub=false,
+  $ident=false,
+  $throttle_count='4',
+  $throttle_duration='60',
+  $services=false,
+  $services_name='ircservices.localdomain',
+  $services_password=undef,
+) {
+
+  case $::operatingsystem {
+    'ubuntu': { }
+    default: {
+      fail("charybdis not supported on ${::operatingsystem}")
+    }
+  }
+
+  if $services == true and ! $services_password {
+    fail('Must define $services_password')
+  }
+
+  if $umodes {
+    $umodes_real = $umodes
+  } else {
+    if $cloaking == true {
+      $umodes_real = '+ix'
+    } else {
+      $umodes_real = '+i'
+    }
+  }
+
+  package { 'charybdis':
+    ensure => installed,
+  }
+
+  file { '/etc/charybdis/ircd.conf':
+    ensure  => present,
+    mode    => '0640',
+    owner   => 'root',
+    group   => 'charybdis',
+    content => template('charybdis/ircd.conf.erb'),
+    require => Package['charybdis'],
+    notify  => Service['charybdis'],
+  }
+
+  file { '/etc/charybdis/ircd.motd':
+    ensure  => present,
+    mode    => '0640',
+    owner   => 'root',
+    group   => 'charybdis',
+    content => $motd,
+    source  => $motd_source,
+    require => Package['charybdis'],
+    notify  => Service['charybdis'],
+  }
+
+  if $ssl_key and $ssl_cert {
+    file { '/etc/charybdis/ircd.key':
+      ensure  => present,
+      mode    => '0640',
+      owner   => 'root',
+      group   => 'charybdis',
+      source  => $ssl_key,
+      require => Package['charybdis'],
+      notify  => Service['charybdis'],
+    }
+
+    file { '/etc/charybdis/ircd.crt':
+      ensure  => present,
+      mode    => '0640',
+      owner   => 'root',
+      group   => 'charybdis',
+      source  => $ssl_cert,
+      require => Package['charybdis'],
+      notify  => Service['charybdis'],
+    }
+
+    if $ssl_dh {
+      file { '/etc/charybdis/dh.pem':
+        ensure  => present,
+        mode    => '0640',
+        owner   => 'root',
+        group   => 'charybdis',
+        source  => $ssl_dh,
+        require => Package['charybdis'],
+        notify  => Service['charybdis'],
+      }
+    } else {
+      ssl::dhparam { '/etc/charybdis/dh.pem':
+        mode    => '0640',
+        owner   => 'root',
+        group   => 'charybdis',
+        require => Package['charybdis'],
+        notify  => Service['charybdis'],
+      }
+    }
+  }
+
+  service { 'charybdis':
+    ensure => running,
+    enable => true,
+  }
+
+  file { '/var/log/charybdis':
+    ensure  => directory,
+    mode    => '0640',
+    owner   => 'charybdis',
+    group   => 'charybdis',
+    recurse => true,
+    require => Service['charybdis'],
+  }
+
+}
--- a/charybdis/templates/ircd.conf.erb
+++ b/charybdis/templates/ircd.conf.erb
@ -0,0 +1,435 @@
+/* doc/example.conf - brief example configuration file
+ *
+ * Copyright (C) 2000-2002 Hybrid Development Team
+ * Copyright (C) 2002-2005 ircd-ratbox development team
+ * Copyright (C) 2005-2006 charybdis development team
+ *
+ * $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $
+ *
+ * See reference.conf for more information.
+ */
+
+/* Extensions */
+#loadmodule "extensions/chm_operonly_compat.so";
+#loadmodule "extensions/chm_quietunreg_compat.so";
+#loadmodule "extensions/chm_sslonly_compat.so";
+#loadmodule "extensions/createauthonly.so";
+#loadmodule "extensions/extb_account.so";
+#loadmodule "extensions/extb_canjoin.so";
+#loadmodule "extensions/extb_channel.so";
+#loadmodule "extensions/extb_extgecos.so";
+#loadmodule "extensions/extb_oper.so";
+#loadmodule "extensions/extb_realname.so";
+#loadmodule "extensions/extb_server.so";
+#loadmodule "extensions/extb_ssl.so";
+#loadmodule "extensions/hurt.so";
+#loadmodule "extensions/m_findforwards.so";
+#loadmodule "extensions/m_identify.so";
+#loadmodule "extensions/no_oper_invis.so";
+#loadmodule "extensions/sno_farconnect.so";
+#loadmodule "extensions/sno_globalkline.so";
+#loadmodule "extensions/sno_globaloper.so";
+#loadmodule "extensions/sno_whois.so";
+#loadmodule "extensions/override.so";
+
+/*
+ * IP cloaking extensions: use ip_cloaking_4.0
+ * if you're linking 3.2 and later, otherwise use
+ * ip_cloaking.so, for compatibility with older 3.x
+ * releases.
+ */
+
+<% if @cloaking == true -%>
+loadmodule "extensions/ip_cloaking_4.0.so";
+<% end -%>
+#loadmodule "extensions/ip_cloaking.so";
+
+serverinfo {
+	sid = "<%= @sid %>";
+	name = "<%= @server_name %>";
+	description = "<%= @server_description %>";
+	network_name = "<%= @network_name %>";
+	network_desc = "<%= @network_description %>";
+<% if @hub == true -%>
+	hub = yes;
+<% else -%>
+	hub = no;
+<% end -%>
+
+	/* On multi-homed hosts you may need the following. These define
+	 * the addresses we connect from to other servers. */
+	/* for IPv4 */
+	#vhost = "192.169.0.1";
+	/* for IPv6 */
+	#vhost6 = "3ffe:80e8:546::2";
+	
+<% if @ssl_key and @ssl_cert -%>
+	/* ssl_private_key: our ssl private key */
+	ssl_private_key = "/etc/charybdis/ircd.key";
+
+	/* ssl_cert: certificate for our ssl server */
+	ssl_cert = "/etc/charybdis/ircd.crt";
+
+	/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
+	ssl_dh_params = "/etc/charybdis/dh.pem";
+
+	/* ssld_count: number of ssld processes you want to start, if you
+	 * have a really busy server, using N-1 where N is the number of
+	 * cpu/cpu cores you have might be useful. A number greater than one
+	 * can also be useful in case of bugs in ssld and because ssld needs
+	 * two file descriptors per SSL connection.
+	 */
+	ssld_count = 10;
+
+<% end -%>
+	/* default max clients: the default maximum number of clients
+	 * allowed to connect.  This can be changed once ircd has started by
+	 * issuing:
+	 *   /quote set maxclients <limit>
+	 */
+	default_max_clients = 1024;
+};
+
+admin {
+	name = "<%= @admin_name %>";
+	description = "<%= @admin_description %>";
+	email = "<%= @admin_email %>";
+};
+
+log {
+	fname_userlog = "/var/log/charybdis/userlog";
+	fname_fuserlog = "/var/log/charybdis/fuserlog";
+	fname_operlog = "/var/log/charybdis/operlog";
+	fname_foperlog = "/var/log/charybdis/foperlog";
+	fname_serverlog = "/var/log/charybdis/serverlog";
+	fname_klinelog = "/var/log/charybdis/klinelog";
+	fname_killlog = "/var/log/charybdis/killlog";
+	fname_operspylog = "/var/log/charybdis/operspylog";
+	fname_ioerrorlog = "/var/log/charybdis/ioerror";
+};
+
+/* class {} blocks MUST be specified before anything that uses them.  That
+ * means they must be defined before auth {} and before connect {}.
+ */
+class "users" {
+	ping_time = 2 minutes;
+	number_per_ident = 100;
+	number_per_ip = 100;
+	number_per_ip_global = 100;
+	cidr_ipv4_bitlen = 24;
+	cidr_ipv6_bitlen = 64;
+	number_per_cidr = 200;
+	max_number = 3000;
+	sendq = 400 kbytes;
+};
+
+class "opers" {
+	ping_time = 5 minutes;
+	number_per_ip = 100;
+	max_number = 1000;
+	sendq = 1 megabyte;
+};
+
+class "server" {
+	ping_time = 5 minutes;
+	connectfreq = 5 minutes;
+	max_number = 1;
+	sendq = 4 megabytes;
+};
+
+listen {
+	/* If you want to listen on a specific IP only, specify host.
+	 * host definitions apply only to the following port line.
+	 */
+	host = "127.0.0.1";
+	port = <%= @port %>;
+};
+
+<% if @ssl_key and @ssl_cert -%>
+listen {
+	sslport = <%= @sslport %>;
+};
+
+<% end -%>
+/* auth {}: allow users to connect to the ircd (OLD I:)
+ * auth {} blocks MUST be specified in order of precedence.  The first one
+ * that matches a user will be used.  So place spoofs first, then specials,
+ * then general access, then restricted.
+ */
+<% @users.map! { |user| user.split } -%>
+<% @users.each do |user| -%>
+auth {
+	user = "<%= user[0] %>";
+<%   if user[1] -%>
+	password = "<%= user[1] %>";
+	flags = encrypted;
+<%   end -%>
+	class = "users";
+};
+
+<% end -%>
+/* privset {} blocks MUST be specified before anything that uses them.  That
+ * means they must be defined before operator {}.
+ */
+privset "local_op" {
+	privs = oper:local_kill, oper:operwall;
+};
+
+privset "server_bot" {
+	extends = "local_op";
+	privs = oper:kline, oper:remoteban, snomask:nick_changes;
+};
+
+privset "global_op" {
+	extends = "local_op";
+	privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
+		oper:resv, oper:mass_notice, oper:remoteban;
+};
+
+privset "admin" {
+	extends = "global_op";
+	privs = oper:admin, oper:die, oper:rehash, oper:spy;
+};
+
+<% @operators.map! { |oper| oper.split }
+   @operators.each do |oper|
+     scope.function_fail(["Invalid operator '%s'" % oper[0]]) if oper.length != 3 -%>
+operator "<%= oper[0] %>" {
+	user = "<%= oper[1] %>";
+	password = "<%= oper[2] %>";
+	flags = encrypted;
+	privset = "admin";
+};
+
+<% end -%>
+<% if @services == true -%>
+connect "<%= @services_name %>" {
+	host = "127.0.0.1";
+	port = <%= @port %>;
+	send_password = "<%= @services_password %>";
+	accept_password = "<%= @services_password %>";
+	hub_mask = "*";
+	class = "server";
+	flags = compressed, topicburst;
+};
+
+service {
+	name = "<%= @services_name %>";
+};
+
+<% end -%>
+cluster {
+	name = "*";
+	flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
+};
+
+shared {
+	oper = "*@*", "*";
+	flags = all, rehash;
+};
+
+/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
+exempt {
+	ip = "127.0.0.1";
+};
+
+channel {
+	use_invex = yes;
+	use_except = yes;
+	use_forward = yes;
+	use_knock = yes;
+	knock_delay = 5 minutes;
+	knock_delay_channel = 1 minute;
+	max_chans_per_user = 15;
+	max_bans = 100;
+	max_bans_large = 500;
+	default_split_user_count = 0;
+	default_split_server_count = 0;
+	no_create_on_split = no;
+	no_join_on_split = no;
+	burst_topicwho = yes;
+	kick_on_split_riding = no;
+	only_ascii_channels = no;
+	resv_forcepart = yes;
+	channel_target_change = yes;
+	disable_local_channels = no;
+};
+
+serverhide {
+	flatten_links = yes;
+	links_delay = 5 minutes;
+	hidden = no;
+	disable_hidden = no;
+};
+
+/* These are the blacklist settings.
+ * You can have multiple combinations of host and rejection reasons.
+ * They are used in pairs of one host/rejection reason.
+ *
+ * These settings should be adequate for most networks, and are (presently)
+ * required for use on StaticBox.
+ *
+ * Word to the wise: Do not use blacklists like SPEWS for blocking IRC
+ * connections.
+ *
+ * As of charybdis 2.2, you can do some keyword substitution on the rejection
+ * reason. The available keyword substitutions are:
+ *
+ *   ${ip}           - the user's IP
+ *   ${host}         - the user's canonical hostname
+ *   ${dnsbl-host}   - the dnsbl hostname the lookup was done against
+ *   ${nick}         - the user's nickname
+ *   ${network-name} - the name of the network
+ *
+ * As of charybdis 3.4, a type parameter is supported, which specifies the
+ * address families the blacklist supports. IPv4 and IPv6 are supported.
+ * IPv4 is currently the default as few blacklists support IPv6 operation
+ * as of this writing.
+ *
+ * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
+ * contacted, via email, at admins@2mbit.com before using these BLs.
+ * See <http://www.ahbl.org/services.php> for more information.
+ */
+blacklist {
+	host = "rbl.efnetrbl.org";
+	type = ipv4;
+	reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
+
+#	host = "ircbl.ahbl.org";
+#	type = ipv4;
+#	reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect.";
+#
+#	host = "tor.ahbl.org";
+#	type = ipv4;
+#	reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
+#
+	/* Example of a blacklist that supports both IPv4 and IPv6 */
+#	host = "foobl.blacklist.invalid";
+#	type = ipv4, ipv6;
+#	reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
+};
+
+alias "NickServ" {
+	target = "NickServ";
+};
+
+alias "ChanServ" {
+	target = "ChanServ";
+};
+
+alias "OperServ" {
+	target = "OperServ";
+};
+
+alias "MemoServ" {
+	target = "MemoServ";
+};
+
+alias "NS" {
+	target = "NickServ";
+};
+
+alias "CS" {
+	target = "ChanServ";
+};
+
+alias "OS" {
+	target = "OperServ";
+};
+
+alias "MS" {
+	target = "MemoServ";
+};
+
+general {
+	hide_error_messages = opers;
+	hide_spoof_ips = yes;
+
+	/*
+	 * default_umodes: umodes to enable on connect.
+	 * If you have enabled the new ip_cloaking_4.0 module, and you want
+	 * to make use of it, add +x to this option, i.e.:
+	 *      default_umodes = "+ix";
+	 *
+	 * If you have enabled the old ip_cloaking module, and you want
+	 * to make use of it, add +h to this option, i.e.:
+	 *	default_umodes = "+ih";
+	 */
+	default_umodes = "<%= @umodes_real %>";
+
+	default_operstring = "is an IRC Operator";
+	default_adminstring = "is a Server Administrator";
+	servicestring = "is a Network Service";
+	disable_fake_channels = no;
+	tkline_expire_notices = no;
+	default_floodcount = 10;
+	failed_oper_notice = yes;
+	dots_in_ident=2;
+	min_nonwildcard = 4;
+	min_nonwildcard_simple = 3;
+	max_accept = 100;
+	max_monitor = 100;
+	anti_nick_flood = yes;
+	max_nick_time = 20 seconds;
+	max_nick_changes = 5;
+	anti_spam_exit_message_time = 5 minutes;
+	ts_warn_delta = 30 seconds;
+	ts_max_delta = 5 minutes;
+	client_exit = yes;
+	collision_fnc = yes;
+	resv_fnc = yes;
+	global_snotices = yes;
+	dline_with_reason = yes;
+	kline_delay = 0 seconds;
+	kline_with_reason = yes;
+	kline_reason = "K-Lined";
+	identify_service = "NickServ@services.int";
+	identify_command = "IDENTIFY";
+	non_redundant_klines = yes;
+	warn_no_nline = yes;
+	use_propagated_bans = yes;
+	stats_e_disabled = no;
+	stats_c_oper_only=no;
+	stats_h_oper_only=no;
+	stats_y_oper_only=no;
+	stats_o_oper_only=yes;
+	stats_P_oper_only=no;
+	stats_i_oper_only=masked;
+	stats_k_oper_only=masked;
+	map_oper_only = no;
+	operspy_admin_only = no;
+	operspy_dont_care_user_info = no;
+	caller_id_wait = 1 minute;
+	pace_wait_simple = 1 second;
+	pace_wait = 10 seconds;
+	short_motd = no;
+	ping_cookie = no;
+	connect_timeout = 30 seconds;
+	default_ident_timeout = 5;
+<% if @ident == true -%>
+	disable_auth = no;
+<% else -%>
+	disable_auth = yes;
+<% end -%>
+	no_oper_flood = yes;
+	max_targets = 4;
+	client_flood_max_lines = 20;
+	use_whois_actually = no;
+	oper_only_umodes = operwall, locops, servnotice;
+	oper_umodes = locops, servnotice, operwall, wallop;
+	oper_snomask = "+s";
+	burst_away = yes;
+	nick_delay = 0 seconds; # 15 minutes if you want to enable this
+	reject_ban_time = 1 minute;
+	reject_after_count = 3;
+	reject_duration = 5 minutes;
+	throttle_duration = <%= @throttle_duration %>;
+	throttle_count = <%= @throttle_count %>;
+	max_ratelimit_tokens = 30;
+	away_interval = 30;
+};
+
+modules {
+	path = "modules";
+	path = "modules/autoload";
+};