1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
|
---
title: How I set up an IRC daemon on Kubernetes
date: 2019-12-21
series: howto
tags:
- irc
- kubernetes
---
[IRC][rfc1459]. It's one of the last bastions of the old internet, and still an actively developed and researched protocol. Historically, IRC daemons have been notoriously annoying to set up and maintain. I have created an IRC daemon running on top of Kubernetes, which will hopefully help remove a lot of the pain points for my personal usage. Here's how I did it.
[rfc1459]: https://tools.ietf.org/html/rfc1459
IRC is a simple protocol and only has a few major moving parts. IRC is made up of networks of servers that federate together as one logical unit. IRC is scalable from networks spanning one server to hundreds (though realistically you're not likely to find more than about 10 servers in a network).
At its core, IRC daemons are a pub-sub protocol that also has a distributed state layer on top of it. TCP connections can either represent individual users or server trunking. Each user has their own state (nickname, ident and "real name"). Users can join channels which can have their own state (modes, topic, timestamp and ban lists). Some servers have a limit of the number of channels you can join.
So, with this in mind, let's start with a simple IRC daemon in a docker container. I chose [ngircd][ngircd] for this because it's packaged in Alpine Linux. Let's create the configuration file ngircd.conf:
[ngircd]: https://ngircd.barton.de/index.php.en
```ini
[Global]
Name = seaworld.yolo-swag.com
AdminInfo1 = ShadowNET Main Server
AdminInfo2 = New York, New York, USA
AdminInfo3 = Cadey Ratio <me@christine.website>
Info = Hosted on Kubernetes!
Listen = 0.0.0.0
MotdFile = /shadownet/motd
Network = ShadowNET
Ports = 6667
ServerGID = 65534
ServerUID = 65534
[Limits]
MaxJoins = 50
MaxNickLength = 31
MaxListSize = 100
PingTimeout = 120
PongTimeout = 20
[Options]
AllowedChannelTypes = #&+
AllowRemoteOper = yes
CloakUserToNick = yes
DNS = no
Ident = no
IncludeDir = /shadownet/secret
MorePrivacy = yes
NoticeBeforeRegistration = yes
OperCanUseMode = yes
OperChanPAutoOp = yes
PAM = no
PAMIsOptional = yes
RequireAuthPing = yes
# WebircPassword is set in secrets
[Channel]
Name = #lobby
Topic = Welcome to the new ShadowNET!
Modes = tn
[Channel]
Name = #help
Topic = Get help with ShadowNET | Ping an oper for help
Modes = tn
[Channel]
Name = #opers
Topic = Oper hideout
Modes = tnO
```
This is mostly based on the default settings in the example configuration file with a few glaring exceptions:
* The server name is `seaworld.yolo-swag.com`, which will show up when users are connecting
* My information is filled out for the admin information (which is shown when a user does /ADMIN in their client)
* It has a lot of privacy-enhancing features set up
* It disables the need to authenticate with PAM before being allowed to connect to the IRC server
* Some default channel names are reserved
So, let's create a dockerfile for this:
```dockerfile
FROM xena/alpine
COPY motd /shadownet/motd
COPY ngircd.conf /shadownet/ngircd.conf
RUN apk --no-cache add ngircd
COPY run.sh /
CMD ["/run.sh"]
```
`motd` is a plain text file that is used as the "message of the day" when users connect. Servers usually list their rules here. My motd has some ascii art and has this extra info:
```
The *new* irc.yolo-swag.com!
Connect on irc.within.website port 6667 or r4qrvdln2nvqyfbq.onion:6667
Rules:
- Don't do things that make me have to write more rules here
- This rule makes you breathe manually
```
Now you can build and push this image to the [docker hub][shadownetircd].
[shadownetircd]: https://hub.docker.com/repository/docker/shadownet/ircd
You may have noticed earlier that a comment in the config file mentioned [webirc][webirc]. This is important for us because IRC server normally assume that the remote host information in socket calls is accurate. My Kubernetes setup has at least one level of TCP proxying at work, so this cannot pan out. Webirc offers an authenticated mechanism to let a proxy server lie about user IP addresses. My nginx-ingress setup uses the [haproxy PROXY protocol][haproxyproxy] to let underlying services know client IP addresses. So what we need is an adaptor from haproxy PROXY protocol to webirc. I hacked one up:
[haproxyproxy]: https://www.haproxy.com/blog/haproxy/proxy-protocol/
```go
package main
import (
"crypto/md5"
"flag"
"fmt"
"io"
"log"
"net"
"strings"
"github.com/armon/go-proxyproto"
"github.com/facebookgo/flagenv"
_ "github.com/joho/godotenv/autoload"
irc "gopkg.in/irc.v3"
)
var (
webircPassword = flag.String("webirc-password", "", "the password for WEBIRC")
webircIdent = flag.String("webirc-ident", "snet", "the ident for WEBIRC")
webircHost = flag.String("webirc-host", "", "the host to connect to for WEBIRC")
port = flag.String("port", "5667", "port to listen on for PROXY traffic")
)
func main() {
flagenv.Parse()
flag.Parse()
list, err := net.Listen("tcp", ":"+*port)
if err != nil {
panic(err)
}
log.Printf("now listening on port %s, forwarding traffic to %s", *port, *webircHost)
proxyList := &proxyproto.Listener{Listener: list}
for {
conn, err := proxyList.Accept()
if err != nil {
log.Println(err)
continue
}
go dataTo(conn)
}
}
func dataTo(conn net.Conn) {
defer conn.Close()
ip, _, err := net.SplitHostPort(conn.RemoteAddr().String())
if err != nil {
log.Printf("what, can't split remote address: %v", err)
ev := irc.Message{
Command: "QUIT",
Params: []string{
"***",
err.Error(),
},
}
fmt.Fprintln(conn, ev.String())
return
}
peer, err := net.Dial("tcp", *webircHost)
if err != nil {
log.Println(*webircHost, err)
}
defer peer.Close()
spip := strings.Split(ip, ".")
hostname := strings.Join([]string{
"snet",
Hash("snet", spip[0])[:8],
Hash("snet", spip[0] + spip[1])[:8],
Hash("snet", spip[0] + spip[1] + spip[2] + spip[3])[:8],
}, ".")
ev := irc.Message{
Command: "WEBIRC",
Params: []string{
*webircPassword,
*webircIdent,
ip,
hostname,
},
}
log.Println(ev.String())
fmt.Fprintf(peer, "%s\r\n", ev.String())
go io.Copy(conn, peer)
io.Copy(peer, conn)
}
// Hash is a simple wrapper around the MD5 algorithm implementation in the
// Go standard library. It takes in data and a salt and returns the hashed
// representation.
func Hash(data string, salt string) string {
output := md5.Sum([]byte(data + salt))
return fmt.Sprintf("%x", output)
}
```
This proxies connections from incoming TCP sockets to the IRC server. It also creates a fancy hostname for ngircd to use when people do a /whois on users. ngircd does have its own cloaking mechanism (which I am not using here), but I figure doing the splitting on IP address classes will make a more easy way to reliably ban users from channels.
Now, let's build this as a docker image and push it to the [docker hub][proxy2webirc]:
[proxy2webirc]: https://hub.docker.com/repository/docker/shadownet/proxy2webirc
```dockerfile
FROM xena/go:1.13.5 AS build
WORKDIR /shadownet
COPY go.mod .
COPY go.sum .
ENV GOPROXY https://cache.greedo.xeserv.us
RUN go mod download
COPY cmd ./cmd
RUN GOBIN=/shadownet/bin go install ./cmd/proxy2webirc
FROM xena/alpine
COPY --from=build /shadownet/bin/proxy2webirc /usr/local/bin/proxy2webirc
CMD ["/usr/local/bin/proxy2webirc"]
```
And now we get to wire this all up in a kubernetes manifest. Let's create a namespace:
```yaml
# 00_namespace.yml
apiVersion: v1
kind: Namespace
metadata:
name: ircd
```
And now we need to create the secrets that the IRC daemon will use when operating. We need the webirc password and a few operator blocks. Let's make a script to create operator blocks:
```sh
#!/bin/sh
# scripts/makeoper.sh
echo "[Operator]
Name = $1
Password = $(uuidgen)"
```
Then let's use it to create a few operator configs:
```console
$ scripts/makeoper.sh Cadey >> opers.conf
$ scripts/makeoper.sh h >> opers.conf
```
And then create the webirc password:
```console
$ echo "[Options]
WebircPassword = $(uuidgen)" >> webirc.conf
```
And then let's load these into a yaml file:
```yaml
# 01_secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: config
namespace: ircd
type: Opaque
stringData:
opers.conf: |
<contents of opers.conf>
webirc.conf: |
<contents of webirc.conf>
```
Now all we need is the irc daemon deployment itself that ties this all together:
```yaml
# 02_ircd.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ircd
namespace: ircd
labels:
app: ircd
spec:
replicas: 1
template:
metadata:
name: ircd
labels:
app: ircd
spec:
containers:
- name: proxystrip
image: shadownet/proxy2webirc:latest
imagePullPolicy: Always
ports:
- containerPort: 5667
name: proxiedirc
protocol: TCP
env:
- name: WEBIRC_HOST
value: 127.0.0.1:6667
- name: WEBIRC_PASSWORD
value: <password from webirc.conf>
- name: ircd
image: shadownet/ircd:latest
imagePullPolicy: Always
volumeMounts:
- name: secretconfig
mountPath: "/shadownet/secret"
restartPolicy: Always
volumes:
- name: secretconfig
secret:
secretName: config
selector:
matchLabels:
app: ircd
---
apiVersion: v1
kind: Service
metadata:
name: ircd
namespace: ircd
labels:
app: ircd
spec:
ports:
- port: 6667
targetPort: 5667
protocol: TCP
selector:
app: ircd
type: NodePort
```
This will set up our IRC daemon to read the secrets from the filesystem at `/shadownet/secret`, which was configured as the `IncludeDir` in the ngircd config above.
At this point, your IRC daemon is ready to go and can be applied to your cluster whenever you want, however it may be interesting to set up a tor onion address for the IRC server. Using the [tor operator][toroperator], we can create a private key locally, load it as a kubernetes secret and then activate the tor hidden service:
[toroperator]: https://github.com/kragniz/tor-controller
```console
$ openssl genrsa -out private_key 1024
$ kubectl create secret -n ircd generic ircd-tor-key --from-file=private_key
```
Now apply this manifest:
```yaml
# 03_onion.yml
apiVersion: tor.k8s.io/v1alpha1
|
