Skip to content

Latest commit

 

History

History
223 lines (149 loc) · 5 KB

README.md

File metadata and controls

223 lines (149 loc) · 5 KB

About

This repository contains Terraform, Packer, and Ansible configuration to deploy an Arch Linux Linode instance that hosts a ZNC IRC bouncer that uses Tor, an Onion service to access the bouncer webadmin and a Tor middle relay.

Pre requisites

Deploying the bouncer

Build image

  1. To export Packer variables:
set +o history # unset bash history
unset HISTFILE # unset zsh history

export PKR_VAR_linode_token=<linode token>
export PKR_VAR_user=<instance user>
export PKR_VAR_ssh_keys=<url with public keys>
export PKR_VAR_control_pass=<tor's control password>
  1. To install packer plugins:
packer init packer
  1. To build an image:
packer build packer

The following variables are shown in STDOUT and are required for the next steps:

  1. znc_cert_fingerprint
  2. liberachat_fingerprint
  3. oftc_fingerprint
  4. hidden_service
  5. linode_image

Screenshot of Ansible's output showing three certificate variables

Deploy image

  1. To export Terraform variables:
set +o history # unset bash history
unset HISTFILE # unset zsh history

export TF_VAR_linode_token=<your linode token>
export TF_VAR_image=<linode image id>
  1. To deploy an instance
terraform -chdir=terraform init
terraform -chdir=terraform apply
  1. To connect to the instance:
ssh <user>@<ip> -p <port>

You're required to set-up your password upon first login:

Terminal showing how to set password of the instance user

First login:

Terminal showing the first SSH login

Access ZNC's webadmin

  • To get the Onion Service URL:
cat /var/lib/tor/hidden_service/hostname
  • To get ZNC's port
sed --quiet --expression '/Port/p' /var/lib/znc/.znc/configs/znc.conf

Access ZNC's webadmin using the onion service and the port, (ex. http://owgtuxw3dd2m2cyii5nzxk6bohzggragerdvzdsev6uhjyb3cfn2u5yd.onion:15763/):

Screenshot showing ZNC's user interface via an Onion Service

Connecting to the bouncer

The following stpes are done in an IRC client like WeeChat.

Add SSL certificates for SASL External authentication

Adding the LiberaChat network:

  1. To connect to LiberaChat directly:
/server add liberachat-direct irc.libera.chat/6697 -ssl
/set irc.server.liberachat-direct.nicks <liberachat_nick>
/save
/connect liberachat-direct
  1. To add the SSL certificate to LiberaChat:
/msg NickServ cert add <liberachat_fingerprint>
  1. To connect to LiberaChat using ZNC:
/server add liberachat-znc <ip_address>/6697 -ssl -username=<znc_user>/liberachat -password=<znc_pass>
/set irc.server.liberachat-znc.ssl_fingerprint <znc_cert_fingerprint>
/save
/connect liberachat-znc
  1. To use SASL External:
/query *sasl Mechanism EXTERNAL
  1. To accept LiberaChat's SSL fingerprint:

Move to the *status buffer, then add the certificate:

/znc AddTrustedServerFingerprint <ssl_fingerprint>
  1. To use clientbuffer:
/query *clientbuffer AddClient <client_name>
/disconnect -all
/set irc.server.liberachat-znc.username "<irc_user>@<client_name>/liberachat"

Adding the OFTC network:

  1. To connect to OFTC:
/server add oftc-direct irc.oftc.net/6697 -ssl
/set irc.server.oftc.nicks <liberachat_nick>
/save
/connect oftc-direct
  1. To add the SSL certificate to OFTC:
/msg NickServ cert add <oftc_fingerprint>
  1. To use SASL External:
/server add oftc-znc <ip_address> -ssl -username=<znc_user>/oftc -password=<znc_pass>
/set irc.server.oftc-znc.ssl_fingerprint <znc_cert_fingerprint>
/save
/connect oftc-znc
/query *sasl Mechanism EXTERNAL
  1. To accept LiberaChat's SSL fingerprint:

Move to the *status buffer, then add the certificate:

/znc AddTrustedServerFingerprint <ssl_fingerprint>
  1. To use clientbuffer:
/query *clientbuffer AddClient <client_name>
/disconnect -all
/set irc.server.oftc-znc.username "<irc_user>@<client_name>/oftc"

Monitoring

The following services are accessible from the Tor network:

Service Port
grafana 3000
prometheus 9090
prometheus-node-exporter 9100

Access a service (ex. Grafana) using the Onion Adress and the port, ex (owgtuxw3dd2m2cyii5nzxk6bohzggragerdvzdsev6uhjyb3cfn2u5yd.onion:3000/):

ZNC dashboard