*/
/* Extensions */
+#loadmodule "extensions/chm_adminonly.so";
+loadmodule "extensions/chm_operonly.so";
+#loadmodule "extensions/chm_sslonly.so";
+#loadmodule "extensions/chm_operonly_compat.so";
+#loadmodule "extensions/chm_quietunreg_compat.so";
+#loadmodule "extensions/chm_sslonly_compat.so";
#loadmodule "extensions/createauthonly.so";
-#loadmodule "extensions/extb_account.so";
-#loadmodule "extensions/extb_canjoin.so";
-#loadmodule "extensions/extb_channel.so";
-#loadmodule "extensions/extb_extgecos.so";
-#loadmodule "extensions/extb_oper.so";
-#loadmodule "extensions/extb_realname.so";
+loadmodule "extensions/extb_account.so";
+loadmodule "extensions/extb_canjoin.so";
+loadmodule "extensions/extb_channel.so";
+loadmodule "extensions/extb_extgecos.so";
+loadmodule "extensions/extb_oper.so";
+loadmodule "extensions/extb_realname.so";
#loadmodule "extensions/extb_server.so";
+#loadmodule "extensions/extb_ssl.so";
#loadmodule "extensions/hurt.so";
-#loadmodule "extensions/ip_cloaking.so";
+loadmodule "extensions/ip_cloaking.so";
#loadmodule "extensions/m_findforwards.so";
-#loadmodule "extensions/m_identify.so";
+loadmodule "extensions/m_identify.so";
+loadmodule "extensions/m_mkpasswd.so";
+loadmodule "extensions/m_webirc.so";
+#loadmodule "extensions/m_adminwall.so";
+#loadmodule "extensions/m_oaccept.so";
+#loadmodule "extensions/m_opme.so";
+#loadmodule "extensions/m_ojoin.so";
+#loadmodule "extensions/m_omode.so";
+#loadmodule "extensions/m_olist.so";
+#loadmodule "extensions/m_force.so";
#loadmodule "extensions/no_oper_invis.so";
-#loadmodule "extensions/sno_farconnect.so";
-#loadmodule "extensions/sno_globalkline.so";
-#loadmodule "extensions/sno_globaloper.so";
+loadmodule "extensions/sno_farconnect.so";
+loadmodule "extensions/sno_globalkline.so";
+loadmodule "extensions/sno_globaloper.so";
#loadmodule "extensions/sno_whois.so";
serverinfo {
name = "hades.arpa";
sid = "42X";
- description = "charybdis test server";
+ description = "shadowircd test server";
network_name = "AthemeNET";
network_desc = "Your IRC network.";
hub = yes;
#vhost = "192.169.0.1";
/* for IPv6 */
#vhost6 = "3ffe:80e8:546::2";
+
+ /* ssl_private_key: our ssl private key */
+ ssl_private_key = "etc/test.key";
+
+ /* ssl_cert: certificate for our ssl server */
+ ssl_cert = "etc/test.cert";
- /* default max clients: the default maximum number of clients\r
- * allowed to connect. This can be changed once ircd has started by\r
- * issuing:\r
- * /quote set maxclients <limit>\r
+ /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
+ ssl_dh_params = "etc/dh.pem";
+
+ /* ssld_count: number of ssld processes you want to start, if you
+ * have a really busy server, using N-1 where N is the number of
+ * cpu/cpu cores you have might be useful. A number greater than one
+ * can also be useful in case of bugs in ssld and because ssld needs
+ * two file descriptors per SSL connection.
+ */
+ ssld_count = 1;
+
+ /* default max clients: the default maximum number of clients
+ * allowed to connect. This can be changed once ircd has started by
+ * issuing:
+ * /quote set maxclients <limit>
*/
default_max_clients = 1024;
};
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
- fname_glinelog = "logs/glinelog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
*/
class "users" {
ping_time = 2 minutes;
- number_per_ident = 10;
+ number_per_ident = 10;
number_per_ip = 10;
- number_per_ip_global = 50;
- cidr_bitlen = 64;
- number_per_cidr = 8;
+ number_per_ip_global = 50;
+ cidr_ipv4_bitlen = 24;
+ cidr_ipv6_bitlen = 64;
+ number_per_cidr = 200;
max_number = 3000;
sendq = 400 kbytes;
};
*/
#host = "192.169.0.1";
port = 5000, 6665 .. 6669;
+ sslport = 9999;
/* Listen on IPv6 (if you used host= above). */
#host = "3ffe:1234:a:b:c::d";
#port = 5000, 6665 .. 6669;
+ #sslport = 9999;
};
/* auth {}: allow users to connect to the ircd (OLD I:)
*/
spoof = "I.still.hate.packets";
+ /* autojoin: Channel (or channels, comma-seperated) to join users
+ * in this auth block to on connect. Note that this won't join
+ * the user through any bans or otherwise restrictive chmodes.
+ */
+ autojoin = "#shadowircd,#test";
+
+ /* autojoin_opers : Channel (or channels, comma-seperated) to join
+ * opers to on oper-up.
+ */
+ autojoin_opers = "#opers,#help";
+
/* Possible flags in auth:
*
* encrypted | password is encrypted with mkpasswd
* exceed_limit (old > flag) | allow user to exceed class user limits
* kline_exempt (old ^ flag) | exempt this user from k/g/xlines&dnsbls
* dnsbl_exempt | exempt this user from dnsbls
- * gline_exempt (old _ flag) | exempt this user from glines
* spambot_exempt | exempt this user from spambot checks
* shide_exempt | exempt this user from serverhiding
* jupe_exempt | exempt this user from generating
* USE WITH CAUTION.
* no_tilde (old - flag) | don't prefix ~ to username if no ident
* need_ident (old + flag) | require ident for user in this class
+ * need_ssl | require SSL/TLS for user in this class
* need_sasl | require SASL id for user in this class
*/
flags = kline_exempt, exceed_limit;
class = "opers";
};
+/* Example WEBIRC authblock */
+auth {
+ /* user: webirc@IP.OF.YOUR.WEBIRC . the webirc@ part is required */
+ user = "webirc@192.168.1.1";
+
+ /* password: password the webirc client sends in the WEBIRC command.
+ * You can use a encrypted password here (see above auth block).
+ */
+ password = "<password>";
+
+ /* spoof: This is required to keep it what it is currently if you
+ * want the webirc client to show the users' real host as their
+ * host on IRC.
+ */
+ spoof = "webirc.";
+ class = "users";
+};
+
auth {
user = "*@*";
class = "users";
};
+/* privset {} blocks MUST be specified before anything that uses them. That
+ * means they must be defined before operator {}.
+ */
+privset "local_op" {
+ privs = oper:local_kill, oper:operwall;
+};
+
+privset "server_bot" {
+ extends = "local_op";
+ privs = oper:kline, oper:remoteban, snomask:nick_changes;
+};
+
+privset "global_op" {
+ extends = "local_op";
+ privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
+ oper:resv, oper:mass_notice, oper:remoteban;
+};
+
+privset "admin" {
+ extends = "global_op";
+ privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override;
+};
+
operator "god" {
/* name: the name of the oper must go above */
*/
#umodes = locops, servnotice, operwall, wallop;
+ /* fingerprint: if specified, the oper's client certificate
+ * fingerprint will be checked against the specified fingerprint
+ * below.
+ */
+ #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
+
/* snomask: specific server notice mask on oper up.
* If this is specified an oper will not be given oper_snomask.
*/
snomask = "+Zbfkrsuy";
- /* privileges: controls the activities and commands an oper is
- * allowed to do on the server. You may prefix an option with ~ to
- * disable it, ie ~operwall
+ /* vhost: defines the vhost that this oper will get on oper up.
+ * this must be a valid hostmask. If this is specified the oper
+ * will not be given default_operhost.
+ */
+ vhost = "is.an.oper";
+
+ /* swhois: defines an additional line that will be displayed
+ * whenever someone does /whois on the oper in question.
+ */
+ swhois = "is wearing pants.";
+
+ /* operstring: defines a custom operstring for this oper,
+ * which will be shown in whois instead of default_operstring
+ * or default_adminstring.
+ */
+ operstring = "is a lazy IRC Operator";
+
+ /* flags: misc options for the operator. You may prefix an option
+ * with ~ to disable it, e.g. ~encrypted.
*
- * Default flags are operwall, remoteban and encrypted.
+ * Default flags are encrypted.
*
* Available options:
*
* encrypted: the password above is encrypted [DEFAULT]
- * local_kill: allows local users to be /KILL'd
- * global_kill: allows local and remote users to be
- * /KILL'd (OLD 'O' flag)
- * remote: allows remote SQUIT and CONNECT (OLD 'R' flag)
- * kline: allows KLINE and DLINE (OLD 'K' flag)
- * unkline: allows UNKLINE and UNDLINE (OLD 'U' flag)
- * gline: allows GLINE (OLD 'G' flag)
- * nick_changes: allows oper to see nickchanges (OLD 'N' flag)
- * via snomask +n
- * rehash: allows oper to REHASH config (OLD 'H' flag)
- * die: allows DIE and RESTART (OLD 'D' flag)
- * admin: gives admin privileges. admins
- * may (un)load modules and see the
- * real IPs of servers.
- * hidden_admin: gives admin privileges except
- * will not have the admin lines in
- * stats p and whois.
- * xline: allows use of /quote xline/unxline
- * resv: allows /quote resv/unresv and cmode +LP [DEFAULT]
- * operwall: allows the oper to send/receive operwalls [DEFAULT]
- * oper_spy: allows 'operspy' features to see through +s
- * channels etc. see /quote help operspy
- * hidden_oper: hides the oper from /stats p (OLD UMODE +p)
- * remoteban: allows remote kline etc [DEFAULT]
- * mass_notice: allows sending wallops and mass notices [DEFAULT]
+ * need_ssl: must be using SSL/TLS to oper up
*/
- flags = global_kill, remote, kline, unkline, gline,
- die, rehash, admin, xline, operwall;
+ flags = encrypted;
+
+ /* privset: privileges set to grant */
+ privset = "admin";
};
connect "irc.uplink.com" {
#aftype = ipv6;
};
+connect "ssl.uplink.com" {
+ host = "192.168.0.1";
+ send_password = "password";
+ accept_password = "anotherpassword";
+ port = 9999;
+ hub_mask = "*";
+ class = "server";
+ flags = ssl, topicburst;
+};
+
service {
name = "services.int";
};
};
channel {
+ autochanmodes = "nt";
+ exemptchanops = "NT";
+ use_halfop = yes;
+ use_owner = yes;
use_invex = yes;
use_except = yes;
use_knock = yes;
use_forward = yes;
+ use_local_channels = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
+ only_ascii_channels = no;
+ cycle_host_change = yes;
+ host_in_topic = yes;
+ resv_forcepart = yes;
+ kick_no_rejoin_time = 30 seconds;
};
serverhide {
/* These are the blacklist settings.
* You can have multiple combinations of host and rejection reasons.
- * They are used in pairs of one host/rejection reason, or multiple hosts/rejection reason.
+ * They are used in pairs of one host/rejection reason.
*
* These settings should be adequate for most networks, and are (presently)
* required for use on AthemeNet.
target = "MemoServ";
};
+alias "HostServ" {
+ target = "HostServ";
+};
+
+alias "BotServ" {
+ target = "BotServ";
+};
+
alias "NS" {
target = "NickServ";
};
target = "MemoServ";
};
+alias "HS" {
+ target = "HostServ";
+};
+
+alias "BS" {
+ target = "BotServ";
+};
+
general {
hide_error_messages = opers;
hide_spoof_ips = yes;
/*
- * default_umodes: umodes to enable on connect.
- * If you have enabled the ip_cloaking module, and you want
- * to make use of it, add +h to this option, i.e.:
- * default_umodes = "+ih";
+ * default umodes: umodes to set upon connection
+ * If you have enabled the ip_cloaking extension, and you wish for
+ * incoming clients to be cloaked upon connection, +x must be in
+ * the umode string below.
*/
- default_umodes = "+i";
+ default_umodes = "+ix";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
+ default_operhost = "staff.testnet.net";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
+ secret_channels_in_whois = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
connect_timeout = 30 seconds;
disable_auth = no;
no_oper_flood = yes;
- glines = no;
- gline_time = 1 day;
- gline_min_cidr = 16;
max_targets = 4;
client_flood = 20;
use_whois_actually = no;
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
- max_unknown_ip = 2;
+ throttle_duration = 60;
+ throttle_count = 4;
+ expire_override_time = 5 minutes;
};
modules {