2 <title>Server config file format</title>
4 <title>General format</title>
6 The config file consists of a series of BIND-style blocks. Each block consists of a series
7 of values inside it which pertain to configuration settings that apply to the given block.
10 Several values take lists of values and have defaults preset inside
11 them. Prefix a keyword with a tilde (~) to override the default and
15 A line may also be a .include directive, which is of the form <synopsis>.include "<replaceable>file</replaceable>"</synopsis>
16 and causes <replaceable>file</replaceable> to be read in at that point, before the rest of the current file is
18 Relative paths are first tried relative to PREFIX and then relative
19 to ETCPATH (normally PREFIX/etc).
22 Anything from a # to the end of a line is a comment. Blank lines are ignored. C-style comments are also supported.
25 <sect1 id="configlines">
26 <title>Specific blocks and directives</title>
28 Not all configuration blocks and directives are listed here, only the most common ones. More blocks and directives will
29 be documented in later revisions of this manual.
32 <title>loadmodule directive</title>
34 loadmodule "<replaceable>text</replaceable>";</synopsis>
36 Loads a module into the IRCd. In charybdis 1.1, most modules are automatically loaded in. In future versions, it is
37 intended to remove this behaviour as to allow for easy customization of the IRCd's featureset.
41 <title>serverinfo {} block</title>
44 name = "<replaceable>text</replaceable>";
45 sid = "<replaceable>text</replaceable>";
46 description = "<replaceable>text</replaceable>";
47 network_name = "<replaceable>text</replaceable>";
48 network_desc = "<replaceable>text</replaceable>";
49 hub = <replaceable>boolean</replaceable>;
50 vhost = "<replaceable>text</replaceable>";
51 vhost6 = "<replaceable>text</replaceable>";
54 The serverinfo {} block defines the core operational parameters of the IRC server.
57 <title>serverinfo {} variables</title>
62 The name of the IRC server that you are configuring. This
63 must contain at least one dot. It is not necessarily equal
64 to any DNS name. This must be unique on the IRC network.
72 A unique ID which describes the server.
73 This consists of one digit and two characters which can be
79 <term>description</term>
82 A user-defined field of text which describes the IRC server. This information is used in
83 /links and /whois requests. Geographical location information could be a useful use of
84 this field, but most administrators put a witty saying inside it instead.
89 <term>network_name</term>
92 The name of the IRC network that this server will be a member of.
93 This is used in the welcome message and NETWORK= in 005.
98 <term>network_desc</term>
101 A description of the IRC network that this server will be a member of.
102 This is currently unused.
110 A boolean which defines whether or not this IRC server will be serving as a hub, i.e. have multiple servers connected to it.
118 An optional text field which defines an IP from which to connect outward to other IRC servers.
126 An optional text field which defines an IPv6 IP from which to connect outward to other IRC servers.
133 <title>admin {} block</title>
136 name = "<replaceable>text</replaceable>";
137 description = "<replaceable>text</replaceable>";
138 email = "<replaceable>text</replaceable>";
141 This block provides the information which is returned by the ADMIN command.
144 <title>admin {} variables</title>
148 <para>The name of the administrator running this service.</para>
152 <term>description</term>
154 <para>The description of the administrator's position in the network.</para>
160 <para>A point of contact for the administrator, usually an e-mail address.</para>
166 <title>class {} block</title>
168 class "<replaceable>name</replaceable>" {
169 ping_time = <replaceable>duration</replaceable>;
170 number_per_ident = <replaceable>number</replaceable>;
171 number_per_ip = <replaceable>number</replaceable>;
172 number_per_ip_global = <replaceable>number</replaceable>;
173 cidr_ipv4_bitlen = <replaceable>number</replaceable>;
174 cidr_ipv6_bitlen = <replaceable>number</replaceable>;
175 number_per_cidr = <replaceable>number</replaceable>;
176 max_number = <replaceable>number</replaceable>;
177 sendq = <replaceable>size</replaceable>;
180 class "<replaceable>name</replaceable>" {
181 ping_time = <replaceable>duration</replaceable>;
182 connectfreq = <replaceable>duration</replaceable>;
183 max_number = <replaceable>number</replaceable>;
184 sendq = <replaceable>size</replaceable>;
187 Class blocks define classes of connections for later use.
188 The class name is used to connect them to
189 other blocks in the config file (auth{} and connect{}).
190 They must be defined before they are used.
193 Classes are used both for client and server connections,
194 but most variables are different.
197 <title>class {} variables: client classes</title>
199 <term>ping_time</term>
201 <para>The amount of time between checking pings for clients, e.g.: 2 minutes</para>
205 <term>number_per_ident</term>
207 <para>The amount of clients which may be connected from a single identd username on a per-IP basis, globally. Unidented clients all count as the same username.</para>
211 <term>number_per_ip</term>
213 <para>The amount of clients which may be connected from a single IP address.</para>
217 <term>number_per_ip_global</term>
219 <para>The amount of clients which may be connected globally from a single IP address.</para>
223 <term>cidr_ipv4_bitlen</term>
225 <para>The netblock length to use with CIDR-based client limiting for IPv4 users in this class (between 0 and 32).</para>
229 <term>cidr_ipv6_bitlen</term>
231 <para>The netblock length to use with CIDR-based client limiting for IPv6 users in this class (between 0 and 128).</para>
235 <term>number_per_cidr</term>
237 <para>The amount of clients which may be connected from a single netblock.</para>
238 <para>If this needs to differ between IPv4 and IPv6, make different classes for IPv4 and IPv6 users.</para>
242 <term>max_number</term>
244 <para>The maximum amount of clients which may use this class at any given time.</para>
250 <para>The maximum size of the queue of data to be sent to a client before it is dropped.</para>
255 <title>class {} variables: server classes</title>
257 <term>ping_time</term>
259 <para>The amount of time between checking pings for servers, e.g.: 2 minutes</para>
263 <term>connectfreq</term>
265 <para>The amount of time between autoconnects. This must at least be one minute, as autoconnects are evaluated with that granularity.</para>
269 <term>max_number</term>
271 <para>The amount of servers to autoconnect to in this class. More precisely, no autoconnects are done if the number of servers in this class is greater than or equal max_number</para>
277 <para>The maximum size of the queue of data to be sent to a server before it is dropped.</para>
283 <title>auth {} block</title>
286 user = "<replaceable>hostmask</replaceable>";
287 password = "<replaceable>text</replaceable>";
288 spoof = "<replaceable>text</replaceable>";
289 flags = <replaceable>list</replaceable>;
290 class = "<replaceable>text</replaceable>";
293 auth {} blocks allow client connections to the server, and set various properties concerning those connections.
296 Auth blocks are evaluated from top to bottom in priority, so put special blocks first.
299 <title>auth {} variables</title>
304 A hostmask (user@host) that the auth {} block applies to.
305 It is matched against the hostname and IP address (using ::
306 shortening for IPv6 and prepending a 0 if it starts with
307 a colon) and can also use CIDR masks.
308 You can have multiple user entries.
313 <term>password</term>
316 An optional password to use for authenticating into this auth{}
317 block. If the password is wrong the user will not be able to
318 connect (will not fall back on another auth{} block).
325 <para>An optional fake hostname (or user@host) to apply to users authenticated to this auth{} block. In STATS i and TESTLINE, an equals sign (=) appears before the user@host and the spoof is shown.</para>
331 <para>A list of flags to apply to this auth{} block. They are listed below. Some of the flags appear as a special character, parenthesized in the list, before the user@host in STATS i and TESTLINE.</para>
337 <para>A name of a class to put users matching this auth{} block into.</para>
342 <title>auth {} flags</title>
344 <term>encrypted</term>
346 <para>The password used has been encrypted.</para>
350 <term>spoof_notice</term>
352 <para>Causes the IRCd to send out a server notice when activating a spoof provided by this auth{} block.</para>
356 <term>exceed_limit (>)</term>
358 <para>Users in this auth{} block can exceed class-wide limitations.</para>
362 <term>dnsbl_exempt ($)</term>
364 <para>Users in this auth{} block are exempted from DNS blacklist checks. However, they will still be warned if they are listed.</para>
368 <term>kline_exempt (^)</term>
370 <para>Users in this auth{} block are exempted from DNS blacklists, k:lines and x:lines.</para>
374 <term>spambot_exempt</term>
376 <para>Users in this auth{} block are exempted from spambot checks.</para>
380 <term>shide_exempt</term>
382 <para>Users in this auth{} block are exempted from some serverhiding effects.</para>
386 <term>jupe_exempt</term>
388 <para>Users in this auth{} block do not trigger an alarm when joining juped channels.</para>
392 <term>resv_exempt</term>
394 <para>Users in this auth{} block may use reserved nicknames and channels.</para>
395 <note><para>The initial nickname may still not be reserved.</para></note>
399 <term>flood_exempt (|)</term>
402 Users in this auth{} block may send arbitrary amounts of
403 commands per time unit to the server. This does not exempt
404 them from any other flood limits.
405 You should use this setting with caution.
410 <term>no_tilde (-)</term>
412 <para>Users in this auth{} block will not have a tilde added to their username if they do not run identd.</para>
416 <term>need_ident (+)</term>
418 <para>Users in this auth{} block must have identd, otherwise they will be rejected.</para>
422 <term>need_ssl</term>
424 <para>Users in this auth{} block must be connected via SSL/TLS, otherwise they will be rejected.</para>
428 <term>need_sasl</term>
430 <para>Users in this auth{} block must identify via SASL, otherwise they will be rejected.</para>
436 <title>exempt {} block</title>
439 ip = "<replaceable>ip</replaceable>";
442 An exempt block specifies IP addresses which are exempt from D:lines
444 Multiple addresses can be specified in one block.
445 Clients coming from these addresses can still be K/G/X:lined or
446 banned by a DNS blacklist unless
447 they also have appropriate flags in their auth{} block.
450 <title>exempt {} variables</title>
454 <para>The IP address or CIDR range to exempt.</para>
460 <title>privset {} block</title>
463 extends = "<replaceable>name</replaceable>";
464 privs = <replaceable>list</replaceable>;
467 A privset (privilege set) block specifies a set of
471 <title>privset {} variables</title>
475 <para>An optional privset to inherit. The new privset will have all privileges that the given privset has.</para>
481 <para>Privileges to grant to this privset. These are described in the operator privileges section.</para>
487 <title>operator {} block</title>
489 operator "<replaceable>name</replaceable>" {
490 user = "<replaceable>hostmask</replaceable>";
491 password = "<replaceable>text</replaceable>";
492 rsa_public_key_file = "<replaceable>text</replaceable>";
493 umodes = <replaceable>list</replaceable>;
494 snomask = "<replaceable>text</replaceable>";
495 flags = <replaceable>list</replaceable>;
498 Operator blocks define who may use the OPER command to gain extended privileges.
501 <title>operator {} variables</title>
506 A hostmask that users trying to use this operator {} block
507 must match. This is checked against the original host and IP
508 address; CIDR is also supported. So auth {} spoofs work in
509 operator {} blocks; the real host behind them is not checked.
510 Other kind of spoofs do not work in operator {} blocks; the
511 real host behind them is checked.
514 Note that this is different from charybdis 1.x where all
515 kinds of spoofs worked in operator {} blocks.
520 <term>password</term>
523 A password used with the OPER command to use this operator {} block.
524 Passwords are encrypted by default, but may be unencrypted if ~encrypted is present
530 <term>rsa_public_key_file</term>
533 An optional path to a RSA public key file associated with the operator {} block.
534 This information is used by the CHALLENGE command, which is an alternative authentication
535 scheme to the traditional OPER command.
542 <para>A list of usermodes to apply to successfully opered clients.</para>
549 An snomask to apply to successfully opered clients.
557 The privilege set granted to successfully opered clients.
558 This must be defined before this operator{} block.
565 <para>A list of flags to apply to this operator{} block. They are listed below.</para>
570 <title>operator {} flags</title>
572 <term>encrypted</term>
574 <para>The password used has been encrypted. This is enabled by default, use ~encrypted to disable it.</para>
578 <term>need_ssl</term>
580 <para>Restricts use of this operator{} block to SSL/TLS connections only.</para>
586 <title>connect {} block</title>
588 connect "<replaceable>name</replaceable>" {
589 host = "<replaceable>text</replaceable>";
590 send_password = "<replaceable>text</replaceable>";
591 accept_password = "<replaceable>text</replaceable>";
592 port = <replaceable>number</replaceable>;
593 hub_mask = "<replaceable>mask</replaceable>";
594 leaf_mask = "<replaceable>mask</replaceable>";
595 class = "<replaceable>text</replaceable>";
596 flags = <replaceable>list</replaceable>;
597 aftype = <replaceable>protocol</replaceable>;
600 Connect blocks define what servers may connect or be connected to.
603 <title>connect {} variables</title>
607 <para>The hostname or IP to connect to.</para>
609 Furthermore, if a hostname is used, it must have an A or AAAA
610 record (no CNAME) and it must be the primary
611 hostname for inbound connections to work.
613 IPv6 addresses must be in :: shortened form; addresses which
614 then start with a colon must be prepended with a zero,
620 <term>send_password</term>
622 <para>The password to send to the other server.</para>
626 <term>accept_password</term>
628 <para>The password that should be accepted from the other server.</para>
634 <para>The port on the other server to connect to.</para>
638 <term>hub_mask</term>
641 An optional domain mask of servers allowed to be introduced
642 by this link. Usually, "*" is fine. Multiple hub_masks may be
643 specified, and any of them may be introduced.
644 Violation of hub_mask and leaf_mask restrictions will
645 cause the local link to be closed.
650 <term>leaf_mask</term>
653 An optional domain mask of servers not allowed to be
654 introduced by this link. Multiple leaf_masks may be specified,
655 and none of them may be introduced. leaf_mask has priority
663 <para>The name of the class this server should be placed into.</para>
669 <para>A list of flags concerning the connect block. They are listed below.</para>
675 <para>The protocol that should be used to connect with, either ipv4 or ipv6. This defaults to ipv4 unless host is a numeric IPv6 address.</para>
680 <title>connect {} flags</title>
682 <term>encrypted</term>
684 <para>The value for accept_password has been encrypted.</para>
688 <term>autoconn</term>
691 The server should automatically try to connect to the server defined in this
692 connect {} block if it's not connected already and max_number
693 in the class is not reached yet.
698 <term>compressed</term>
700 <para>Ziplinks should be used with this server connection.
701 This compresses traffic using zlib, saving some bandwidth
702 and speeding up netbursts.</para>
703 <para>If you have trouble setting up a link, you should
704 turn this off as it often hides error messages.</para>
708 <term>topicburst</term>
710 <para>Topics should be bursted to this server.</para>
711 <para>This is enabled by default.</para>
717 <title>listen {} block</title>
720 host = "<replaceable>text</replaceable>";
721 port = <replaceable>number</replaceable>;
724 A listen block specifies what ports a server should listen on.
727 <title>listen {} variables</title>
731 <para>An optional host to bind to. Otherwise, the ircd will listen on all available hosts.</para>
738 A port to listen on. You can specify multiple ports via commas, and define a range by seperating
739 the start and end ports with two dots (..).
746 <title>modules {} block</title>
749 path = "<replaceable>text</replaceable>";
750 module = <replaceable>text</replaceable>;
753 The modules block specifies information for loadable modules.
756 <title>modules {} variables</title>
760 <para>Specifies a path to search for loadable modules.</para>
767 Specifies a module to load, similar to loadmodule.
774 <title>general {} block</title>
777 <replaceable>values</replaceable>
780 The general block specifies a variety of options, many of which
781 were in <filename>config.h</filename> in older daemons.
782 The options are documented in <filename>reference.conf</filename>.
786 <title>channel {} block</title>
789 <replaceable>values</replaceable>
792 The channel block specifies a variety of channel-related options,
793 many of which were in <filename>config.h</filename> in older daemons.
794 The options are documented in <filename>reference.conf</filename>.
798 <title>serverhide {} block</title>
801 <replaceable>values</replaceable>
804 The serverhide block specifies options related to server hiding.
805 The options are documented in <filename>reference.conf</filename>.
809 <title>blacklist {} block</title>
812 host = "<replaceable>text</replaceable>";
813 reject_reason = "<replaceable>text</replaceable>";
816 The blacklist block specifies DNS blacklists to check.
817 Listed clients will not be allowed to connect.
818 IPv6 clients are not checked against these.
821 Multiple blacklists can be specified, in pairs with first host
825 <title>blacklist {} variables</title>
829 <para>The DNSBL to use.</para>
833 <term>reject_reason</term>
835 <para>The reason to send to listed clients when disconnecting them.</para>
841 <title>alias {} block</title>
843 alias "<replaceable>name</replaceable>" {
844 target = "<replaceable>text</replaceable>";
847 Alias blocks allow the definition of custom commands.
848 These commands send PRIVMSG to the given target. A real
849 command takes precedence above an alias.
852 <title>alias {} variables</title>
857 The target nick (must be a network service (umode +S)) or
859 In the latter case, the server cannot be this server,
860 only opers can use user starting with "opers" reliably and
861 the user is interpreted on the target server only
862 so you may need to use nick@server instead).
869 <title>cluster {} block</title>
872 name = "<replaceable>text</replaceable>";
873 flags = <replaceable>list</replaceable>;
876 The cluster block specifies servers we propagate things to
878 This does not allow them to set bans, you need a separate shared{}
882 Having overlapping cluster{} items will cause the command to
883 be executed twice on the target servers. This is particularly
884 undesirable for ban removals.
887 The letters in parentheses denote the flags in /stats U.
890 <title>cluster {} variables</title>
894 <para>The server name to share with, this may contain wildcards
895 and may be stacked.</para>
901 <para>The list of what to share, all the name lines above this
902 (up to another flags entry) will receive these flags.
903 They are listed below.</para>
908 <title>cluster {} flags</title>
910 <term>kline (K)</term>
912 <para>Permanent K:lines</para>
916 <term>tkline (k)</term>
918 <para>Temporary K:lines</para>
922 <term>unkline (U)</term>
924 <para>K:line removals</para>
928 <term>xline (X)</term>
930 <para>Permanent X:lines</para>
934 <term>txline (x)</term>
936 <para>Temporary X:lines</para>
940 <term>unxline (Y)</term>
942 <para>X:line removals</para>
946 <term>resv (Q)</term>
948 <para>Permanently reserved nicks/channels</para>
952 <term>tresv (q)</term>
954 <para>Temporarily reserved nicks/channels</para>
958 <term>unresv (R)</term>
960 <para>RESV removals</para>
964 <term>locops (L)</term>
966 <para>LOCOPS messages (sharing this with * makes LOCOPS rather
967 similar to OPERWALL which is not useful)</para>
973 <para>All of the above</para>
979 <title>shared {} block</title>
982 oper = "<replaceable>user@host</replaceable>", "<replaceable>server</replaceable>";
983 flags = <replaceable>list</replaceable>;
986 The shared block specifies opers allowed to perform certain actions
987 on our server remotely.
988 These are ordered top down. The first one matching will determine
990 If access is denied, the command will be silently ignored.
993 The letters in parentheses denote the flags in /stats U.
996 <title>shared {} variables</title>
1000 <para>The user@host the oper must have, and the server they must
1001 be on. This may contain wildcards.</para>
1007 <para>The list of what to allow, all the oper lines above this
1008 (up to another flags entry) will receive these flags.
1009 They are listed below.</para>
1014 While they have the same names, the flags have subtly different
1015 meanings from those in the cluster{} block.
1018 <title>shared {} flags</title>
1020 <term>kline (K)</term>
1022 <para>Permanent and temporary K:lines</para>
1026 <term>tkline (k)</term>
1028 <para>Temporary K:lines</para>
1032 <term>unkline (U)</term>
1034 <para>K:line removals</para>
1038 <term>xline (X)</term>
1040 <para>Permanent and temporary X:lines</para>
1044 <term>txline (x)</term>
1046 <para>Temporary X:lines</para>
1050 <term>unxline (Y)</term>
1052 <para>X:line removals</para>
1056 <term>resv (Q)</term>
1058 <para>Permanently and temporarily reserved nicks/channels</para>
1062 <term>tresv (q)</term>
1064 <para>Temporarily reserved nicks/channels</para>
1068 <term>unresv (R)</term>
1070 <para>RESV removals</para>
1076 <para>All of the above; this does not include locops, rehash, dline, tdline or undline.</para>
1080 <term>locops (L)</term>
1082 <para>LOCOPS messages (accepting this from * makes LOCOPS rather
1083 similar to OPERWALL which is not useful); unlike the other flags,
1084 this can only be accepted from *@* although it can be
1085 restricted based on source server.</para>
1089 <term>rehash (H)</term>
1091 <para>REHASH commands; all options can be used</para>
1095 <term>dline (D)</term>
1097 <para>Permanent and temporary D:lines</para>
1101 <term>tdline (d)</term>
1103 <para>Temporary D:lines</para>
1107 <term>undline (E)</term>
1109 <para>D:line removals</para>
1115 <para>Allow nothing to be done</para>
1121 <title>service {} block</title>
1124 name = "<replaceable>text</replaceable>";
1127 The service block specifies privileged servers (services). These
1128 servers have extra privileges such as setting login names on users
1129 and introducing clients with umode +S (unkickable, hide channels, etc).
1130 This does not allow them to set bans, you need a separate shared{}
1134 Do not place normal servers here.
1137 Multiple names may be specified but there may be only one service{}
1141 <title>service {} variables</title>
1145 <para>The server name to grant special privileges. This may not
1146 contain wildcards.</para>
1153 <title>Hostname resolution (DNS)</title>
1155 Charybdis uses solely DNS for all hostname/address lookups
1156 (no <filename>/etc/hosts</filename> or anything else).
1157 The DNS servers are taken from <filename>/etc/resolv.conf</filename>.
1158 If this file does not exist or no valid IP addresses are listed in it,
1159 the local host (127.0.0.1) is used. (Note that the latter part
1160 did not work in older versions of Charybdis.)
1163 IPv4 as well as IPv6 DNS servers are supported, but it is not
1164 possible to use both IPv4 and IPv6 in
1165 <filename>/etc/resolv.conf</filename>.
1168 For both security and performance reasons, it is recommended
1169 that a caching nameserver such as BIND be run on the same machine
1170 as Charybdis and that <filename>/etc/resolv.conf</filename> only
1175 <!-- Keep this comment at the end of the file
1180 sgml-namecase-general:t
1181 sgml-general-insert-case:lower
1182 sgml-minimize-attributes:nil
1183 sgml-always-quote-attributes:t
1186 sgml-parent-document: ("dancer-oper-guide.sgml" "book")
1187 sgml-exposed-tags:nil
1189 sgml-validate-command: "nsgmls -e -g -s -u dancer-oper-guide.sgml"
projects / irc / rqf / shadowircd.git / blob