From d5a960f3277b2144f020b99228776b9edc6e135a Mon Sep 17 00:00:00 2001
From: Hugo Herter
Date: Mon, 11 Dec 2023 11:48:21 +0100
Subject: [PATCH] Fix: Kubo IPFS used default config

This disables features that are not expected on aleph.im Compute Resource Nodes and limits the number of CIDs published on the P2P network.
---
 packaging/aleph-vm/etc/ipfs/KUBO.md | 4 ++++
 packaging/aleph-vm/etc/ipfs/kubo.json | 16 ++++++++++++++++
 .../aleph-vm/etc/systemd/system/ipfs.service | 4 ++--
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 packaging/aleph-vm/etc/ipfs/KUBO.md
 create mode 100644 packaging/aleph-vm/etc/ipfs/kubo.json
diff --git a/packaging/aleph-vm/etc/ipfs/KUBO.md b/packaging/aleph-vm/etc/ipfs/KUBO.md
new file mode 100644
index 000000000..a21a9fa4f
--- /dev/null
+++ b/packaging/aleph-vm/etc/ipfs/KUBO.md
@@ -0,0 +1,4 @@
+The IP range `86.84.0.0/16` is managed by `KPN Internet` is filtered out due to
+an abuse letter sent to a node operator by Hetzner regarding "an attack" from the node.
+The content of this "attack" appears as legit IPFS traffic
+(TCP packets from port 4001 to port 4001 and UDP packets from port 4001 to port 46024).
diff --git a/packaging/aleph-vm/etc/ipfs/kubo.json b/packaging/aleph-vm/etc/ipfs/kubo.json
new file mode 100644
index 000000000..56db34c10
--- /dev/null
+++ b/packaging/aleph-vm/etc/ipfs/kubo.json
@@ -0,0 +1,16 @@
+{
+ "AutoNAT": {
+ "ServiceMode": "disabled"
+ },
+ "AddrFilters": [
+ ],
+ "Reprovider": {
+ "Strategy": "roots"
+ },
+ "Swarm": {
+ "EnableHolePunching":false,
+ "RelayService": {
+ "Enabled": false
+ }
+ }
+}
diff --git a/packaging/aleph-vm/etc/systemd/system/ipfs.service b/packaging/aleph-vm/etc/systemd/system/ipfs.service
index 6f4a8c359..66a753036 100644
--- a/packaging/aleph-vm/etc/systemd/system/ipfs.service
+++ b/packaging/aleph-vm/etc/systemd/system/ipfs.service
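Review bot: In kubo.json, `"AddrFilters"` is added as an empty top-level array, while the KUBO.md added in the same commit states that the range `86.84.0.0/16` is filtered out. As far as I know Kubo reads address filters from `Swarm.AddrFilters`, so a top-level key would likely be ignored even once populated, and as committed no peer range is blocked at all. If the filter is intended, move the key under `"Swarm"` and list the range, e.g. `"AddrFilters": ["/ip4/86.84.0.0/ipcidr/16"]`; otherwise drop the key and adjust KUBO.md so the documentation does not describe a control that is not in force.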
@@ -25,7 +25,7 @@ After=network.target
 [Service]
 # hardening
-ReadOnlyPaths="/opt/kubo/"
+ReadOnlyPaths="/opt/kubo/" "/etc/ipfs"
 ReadWritePaths="/var/lib/ipfs/"
 NoNewPrivileges=true
 ProtectSystem=strict
@@ -72,7 +72,7 @@ Type=notify
 User=ipfs
 Group=ipfs
 Environment=IPFS_PATH="/var/lib/ipfs"
-ExecStart=/opt/kubo/ipfs daemon --init --migrate --init-profile=server
+ExecStart=/opt/kubo/ipfs daemon --init --migrate --init-profile=server --config-file /etc/ipfs/kubo.json
 Restart=on-failure
 KillSignal=SIGINT
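Review bot: The new `ExecStart` passes `--config-file /etc/ipfs/kubo.json`, but that file holds only four override keys (no `Identity`, `Addresses` or `Datastore`), and the first hunk makes `/etc/ipfs` read-only for the daemon. It is not visible from this patch whether Kubo merges such a partial file with the repository config written by `--init --init-profile=server` or treats it as the whole configuration; in the second case the server profile's settings would no longer apply, or first-start initialisation could fail on the read-only path. I would confirm this on a fresh `/var/lib/ipfs` and record the outcome in a unit comment such as `# kubo.json only overrides selected keys; check the effective config with "ipfs config show"`. The `[Service]` section continues outside both hunks.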