X-Git-Url: https://jfr.im/git/irc/rqf/shadowircd.git/blobdiff_plain/212380e3f42f585dc1ea927402252eb943f91f7b..637b590f9ea45a66dfb056dd3bdea18a302f8a84:/doc/sgml/oper-guide/config.sgml
diff --git a/doc/sgml/oper-guide/config.sgml b/doc/sgml/oper-guide/config.sgml
index e3c0950..4c6207f 100644
--- a/doc/sgml/oper-guide/config.sgml
+++ b/doc/sgml/oper-guide/config.sgml
@@ -25,8 +25,8 @@ Specific blocks and directives - Not all configuration blocks and directives are listed here, only the most common ones. More blocks and directives will - be documented in later revisions of this manual. + Not all configuration blocks and directives are listed here, only the most common ones. More blocks and directives will + be documented in later revisions of this manual. loadmodule directive
@@ -42,7 +42,6 @@ loadmodule "text"; serverinfo { name = "text"; - use_ts6 = boolean; sid = "text"; description = "text"; network_name = "text";
@@ -66,21 +65,11 @@ serverinfo { - - use_ts6 - - - A boolean which defines whether or not you want to use the new TS6 protocol, which provides - many improvements over the old protocol, TS5, which is used in Hyperion. - - - sid - A unique ID which describes the server. This is required regardless of whether you are using - TS6 or not. + A unique ID which describes the server. This consists of one digit and two characters which can be digits or letters.
@@ -303,7 +292,13 @@ auth { user - A hostmask (user@host) that the auth{} block is matched against. You can have multiple user entries. + + A hostmask (user@host) that the auth {} block applies to. + It is matched against the hostname and IP address (using :: + shortening for IPv6 and prepending a 0 if it starts with + a colon) and can also use CIDR masks. + You can have multiple user entries. + 
@@ -319,13 +314,13 @@ auth { spoof - An optional fake hostname (or user@host) to apply to users authenticated to this auth{} block. + An optional fake hostname (or user@host) to apply to users authenticated to this auth{} block. In STATS i and TESTLINE, an equals sign (=) appears before the user@host and the spoof is shown. flags - A list of flags to apply to this auth{} block. They are listed below. + A list of flags to apply to this auth{} block. They are listed below. Some of the flags appear as a special character, parenthesized in the list, before the user@host in STATS i and TESTLINE.
@@ -350,27 +345,21 @@ auth { - exceed_limit + exceed_limit (>) Users in this auth{} block can exceed class-wide limitations. - dnsbl_exempt + dnsbl_exempt ($) Users in this auth{} block are exempted from DNS blacklist checks. However, they will still be warned if they are listed. - kline_exempt - - Users in this auth{} block are exempted from DNS blacklists, k:lines, g:lines and x:lines, and will not be disconnected because of d:lines. - - - - gline_exempt + kline_exempt (^) - Users in this auth{} block are exempted from g:lines. + Users in this auth{} block are exempted from DNS blacklists, k:lines and x:lines.
@@ -399,7 +388,7 @@ auth { - flood_exempt + flood_exempt (|) Users in this auth{} block may send arbitrary amounts of
@@ -410,17 +399,23 @@ auth { - no_tilde + no_tilde (-) Users in this auth{} block will not have a tilde added to their username if they do not run identd. - need_ident + need_ident (+) Users in this auth{} block must have identd, otherwise they will be rejected. + + need_ssl + + Users in this auth{} block must be connected via SSL/TLS, otherwise they will be rejected. + + need_sasl 
@@ -436,7 +431,8 @@ exempt { ip = "ip"; }; - An exempt block specifies IP addresses which are exempt from D:lines. + An exempt block specifies IP addresses which are exempt from D:lines + and throttling. Multiple addresses can be specified in one block. Clients coming from these addresses can still be K/G/X:lined or banned by a DNS blacklist unless
@@ -452,6 +448,33 @@ exempt { + + privset {} block + +privset { + extends = "name"; + privs = list; +}; + + A privset (privilege set) block specifies a set of + operator privileges. + + + privset {} variables + + extends + + An optional privset to inherit. The new privset will have all privileges that the given privset has. + + + + privs + + Privileges to grant to this privset. These are described in the operator privileges section. + + + + operator {} block
@@ -520,19 +543,35 @@ operator "name" { - flags + privset - A listing of privileges granted to operators using this block. - By default, the operwall and remoteban privileges are granted; - use ~operwall and ~remoteban to disable them if necessary. - - - In addition, a flag designating if the password is encrypted is here. - Privileges are documented elsewhere in this guide. + The privilege set granted to successfully opered clients. + This must be defined before this operator{} block. + + flags + + A list of flags to apply to this operator{} block. They are listed below. + + + + + operator {} flags + + encrypted + + The password used has been encrypted. This is enabled by default, use ~encrypted to disable it. + + + + need_ssl + + Restricts use of this operator{} block to SSL/TLS connections only. + + 
@@ -559,11 +598,13 @@ connect "name" { The hostname or IP to connect to. - Charybdis uses solely DNS for all hostname/address lookups - (no /etc/hosts or anything else). Furthermore, if a hostname is used, it must have an A or AAAA record (no CNAME) and it must be the primary hostname for inbound connections to work. + + IPv6 addresses must be in :: shortened form; addresses which + then start with a colon must be prepended with a zero, + for example 0::1.
@@ -659,6 +700,7 @@ connect "name" { topicburst Topics should be bursted to this server. + This is enabled by default.
@@ -1023,7 +1065,7 @@ shared { all - All of the above; this does not include locops or rehash + All of the above; this does not include locops, rehash, dline, tdline or undline.
@@ -1041,6 +1083,24 @@ shared { REHASH commands; all options can be used + + dline (D) + + Permanent and temporary D:lines + + + + tdline (d) + + Temporary D:lines + + + + undline (E) + + D:line removals + + none
@@ -1081,6 +1141,28 @@ service { + + Hostname resolution (DNS) + + Charybdis uses solely DNS for all hostname/address lookups + (no /etc/hosts or anything else). + The DNS servers are taken from /etc/resolv.conf. + If this file does not exist or no valid IP addresses are listed in it, + the local host (127.0.0.1) is used. (Note that the latter part + did not work in older versions of Charybdis.) + + + IPv4 as well as IPv6 DNS servers are supported, but it is not + possible to use both IPv4 and IPv6 in + /etc/resolv.conf. + + + For both security and performance reasons, it is recommended + that a caching nameserver such as BIND be run on the same machine + as Charybdis and that /etc/resolv.conf only + list 127.0.0.1. + +