X-Git-Url: https://jfr.im/git/irc/rqf/shadowircd.git/blobdiff_plain/286f7449d82c08627760463281fe5dc0f3c6a21c..b626b0171bf4db506d167f79063ba60fedfeb9cb:/doc/sgml/oper-guide/config.sgml
diff --git a/doc/sgml/oper-guide/config.sgml b/doc/sgml/oper-guide/config.sgml
index 987a29a..4c6207f 100644
--- a/doc/sgml/oper-guide/config.sgml
+++ b/doc/sgml/oper-guide/config.sgml
@@ -359,7 +359,7 @@ auth { kline_exempt (^) - Users in this auth{} block are exempted from DNS blacklists, k:lines, g:lines and x:lines. + Users in this auth{} block are exempted from DNS blacklists, k:lines and x:lines.
@@ -410,6 +410,12 @@ auth { Users in this auth{} block must have identd, otherwise they will be rejected. + + need_ssl + + Users in this auth{} block must be connected via SSL/TLS, otherwise they will be rejected. + + need_sasl
@@ -442,6 +448,33 @@ exempt { + + privset {} block + +privset { + extends = "name"; + privs = list; +}; + + A privset (privilege set) block specifies a set of + operator privileges. + + + privset {} variables + + extends + + An optional privset to inherit. The new privset will have all privileges that the given privset has. + + + + privs + + Privileges to grant to this privset. These are described in the operator privileges section. + + + + operator {} block 
@@ -510,19 +543,35 @@ operator "name" { - flags + privset - A listing of privileges granted to operators using this block. - By default, the mass_notice, operwall, remoteban and resv privileges are granted; - use ~mass_notice, ~operwall, ~remoteban and ~resv to disable them if necessary. - - - In addition, a flag designating if the password is encrypted is here. - Privileges are documented elsewhere in this guide. + The privilege set granted to successfully opered clients. + This must be defined before this operator{} block. + + flags + + A list of flags to apply to this operator{} block. They are listed below. + + + + + operator {} flags + + encrypted + + The password used has been encrypted. This is enabled by default, use ~encrypted to disable it. + + + + need_ssl + + Restricts use of this operator{} block to SSL/TLS connections only. + +
@@ -549,8 +598,6 @@ connect "name" { The hostname or IP to connect to. - Charybdis uses solely DNS for all hostname/address lookups - (no /etc/hosts or anything else). Furthermore, if a hostname is used, it must have an A or AAAA record (no CNAME) and it must be the primary hostname for inbound connections to work.
@@ -1018,7 +1065,7 @@ shared { all - All of the above; this does not include locops or rehash + All of the above; this does not include locops, rehash, dline, tdline or undline.
@@ -1036,6 +1083,24 @@ shared { REHASH commands; all options can be used + + dline (D) + + Permanent and temporary D:lines + + + + tdline (d) + + Temporary D:lines + + + + undline (E) + + D:line removals + + none 
@@ -1076,6 +1141,28 @@ service { + + Hostname resolution (DNS) + + Charybdis uses solely DNS for all hostname/address lookups + (no /etc/hosts or anything else). + The DNS servers are taken from /etc/resolv.conf. + If this file does not exist or no valid IP addresses are listed in it, + the local host (127.0.0.1) is used. (Note that the latter part + did not work in older versions of Charybdis.) + + + IPv4 as well as IPv6 DNS servers are supported, but it is not + possible to use both IPv4 and IPv6 in + /etc/resolv.conf. + + + For both security and performance reasons, it is recommended + that a caching nameserver such as BIND be run on the same machine + as Charybdis and that /etc/resolv.conf only + list 127.0.0.1. + +