X-Git-Url: https://jfr.im/git/irc/rqf/shadowircd.git/blobdiff_plain/57b7610916d2cee677e065bec5c39f80291e9f51..c8d858891539e6d5f56d56a2c9c3bfae9698282b:/doc/example.conf

diff --git a/doc/example.conf b/doc/example.conf
index 3346ce7..932846e 100755
--- a/doc/example.conf
+++ b/doc/example.conf
@@ -10,6 +10,9 @@
  */
 
 /* Extensions */
+#loadmodule "extensions/chm_operonly_compat.so";
+#loadmodule "extensions/chm_quietunreg_compat.so";
+#loadmodule "extensions/chm_sslonly_compat.so";
 #loadmodule "extensions/createauthonly.so";
 #loadmodule "extensions/extb_account.so";
 #loadmodule "extensions/extb_canjoin.so";
@@ -18,6 +21,7 @@
 #loadmodule "extensions/extb_oper.so";
 #loadmodule "extensions/extb_realname.so";
 #loadmodule "extensions/extb_server.so";
+#loadmodule "extensions/extb_ssl.so";
 #loadmodule "extensions/hurt.so";
 #loadmodule "extensions/ip_cloaking.so";
 #loadmodule "extensions/m_findforwards.so";
@@ -42,11 +46,25 @@ serverinfo {
 	#vhost = "192.169.0.1";
 	/* for IPv6 */
 	#vhost6 = "3ffe:80e8:546::2";
+	
+	/* ssl_private_key: our ssl private key */
+	ssl_private_key = "etc/test.key";
+
+	/* ssl_cert: certificate for our ssl server */
+	ssl_cert = "etc/test.cert";
+
+	/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
+	ssl_dh_params = "etc/dh.pem";
 
-	/* default max clients: the default maximum number of clients
-	 * allowed to connect.  This can be changed once ircd has started by
-	 * issuing:
-	 *   /quote set maxclients <limit>
+	/* ssld_count: number of ssld processes you want to start, if you have a really busy 
+	 * server, using N-1 where N is the number of cpu/cpu cores you have might be useful
+	 */
+	ssld_count = 1;
+
+	/* default max clients: the default maximum number of clients
+	 * allowed to connect.  This can be changed once ircd has started by
+	 * issuing:
+	 *   /quote set maxclients <limit>
 	 */
 	default_max_clients = 1024;
 };
@@ -63,7 +81,6 @@ log {
 	fname_operlog = "logs/operlog";
 	#fname_foperlog = "logs/foperlog";
 	fname_serverlog = "logs/serverlog";
-	fname_glinelog = "logs/glinelog";
 	#fname_klinelog = "logs/klinelog";
 	fname_killlog = "logs/killlog";
 	fname_operspylog = "logs/operspylog";
@@ -75,11 +92,12 @@ log {
  */
 class "users" {
 	ping_time = 2 minutes;
-        number_per_ident = 10;
-	number_per_ip = 10;
-        number_per_ip_global = 50;
-	cidr_bitlen = 64;
-	number_per_cidr = 8;
+	number_per_ident = 2;
+	number_per_ip = 3;
+	number_per_ip_global = 5;
+	cidr_ipv4_bitlen = 24;
+	cidr_ipv6_bitlen = 64;
+	number_per_cidr = 4;
 	max_number = 3000;
 	sendq = 400 kbytes;
 };
@@ -104,10 +122,12 @@ listen {
 	 */
 	#host = "192.169.0.1";
 	port = 5000, 6665 .. 6669;
+	sslport = 9999;
 
 	/* Listen on IPv6 (if you used host= above). */
 	#host = "3ffe:1234:a:b:c::d";
         #port = 5000, 6665 .. 6669;
+        #sslport = 9999;
 };
 
 /* auth {}: allow users to connect to the ircd (OLD I:)
@@ -144,7 +164,6 @@ auth {
 	 * exceed_limit (old > flag)  | allow user to exceed class user limits
 	 * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines&dnsbls
 	 * dnsbl_exempt		      | exempt this user from dnsbls
-	 * gline_exempt (old _ flag)  | exempt this user from glines
 	 * spambot_exempt	      | exempt this user from spambot checks
 	 * shide_exempt		      | exempt this user from serverhiding
 	 * jupe_exempt                | exempt this user from generating
@@ -154,6 +173,7 @@ auth {
          *                                     USE WITH CAUTION.
 	 * no_tilde     (old - flag)  | don't prefix ~ to username if no ident
 	 * need_ident   (old + flag)  | require ident for user in this class
+	 * need_ssl                   | require SSL/TLS for user in this class
 	 * need_sasl                  | require SASL id for user in this class
 	 */
 	flags = kline_exempt, exceed_limit;
@@ -167,6 +187,29 @@ auth {
 	class = "users";
 };
 
+/* privset {} blocks MUST be specified before anything that uses them.  That
+ * means they must be defined before operator {}.
+ */
+privset "local_op" {
+	privs = oper:local_kill, oper:operwall;
+};
+
+privset "server_bot" {
+	extends = "local_op";
+	privs = oper:global_kill, oper:kline, oper:remoteban, snomask:nick_changes;
+};
+
+privset "global_op" {
+	extends = "local_op";
+	privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
+		oper:resv, oper:mass_notice, oper:remoteban;
+};
+
+privset "admin" {
+	extends = "global_op";
+	privs = oper:admin, oper:die, oper:rehash, oper:spy;
+};
+
 operator "god" {
 	/* name: the name of the oper must go above */
 
@@ -199,43 +242,20 @@ operator "god" {
 	 */
 	snomask = "+Zbfkrsuy";
 
-	/* privileges: controls the activities and commands an oper is
-	 * allowed to do on the server.  You may prefix an option with ~ to
-	 * disable it, ie ~operwall
+	/* flags: misc options for the operator.  You may prefix an option
+	 * with ~ to disable it, e.g. ~encrypted.
 	 *
-	 * Default flags are operwall, remoteban and encrypted.
+	 * Default flags are encrypted.
 	 *
 	 * Available options:
 	 *
 	 * encrypted:    the password above is encrypted [DEFAULT]
-	 * local_kill:   allows local users to be /KILL'd
-	 * global_kill:  allows local and remote users to be 
-	 *               /KILL'd                           (OLD 'O' flag)
-	 * remote:       allows remote SQUIT and CONNECT   (OLD 'R' flag)
-	 * kline:        allows KLINE and DLINE            (OLD 'K' flag)
-	 * unkline:      allows UNKLINE and UNDLINE        (OLD 'U' flag)
-	 * gline:        allows GLINE                      (OLD 'G' flag)
-	 * nick_changes: allows oper to see nickchanges    (OLD 'N' flag)
-	 *               via snomask +n
-	 * rehash:       allows oper to REHASH config      (OLD 'H' flag)
-	 * die:          allows DIE and RESTART            (OLD 'D' flag)
-	 * admin:        gives admin privileges.  admins
-	 *               may (un)load modules and see the
-	 *               real IPs of servers.
-	 * hidden_admin: gives admin privileges except
-	 *		 will not have the admin lines in
-	 *		 stats p and whois.
-	 * xline:	 allows use of /quote xline/unxline
-	 * resv:	 allows /quote resv/unresv and cmode +LP [DEFAULT]
-	 * operwall:     allows the oper to send/receive operwalls [DEFAULT]
-	 * oper_spy:	 allows 'operspy' features to see through +s
-	 * 		 channels etc. see /quote help operspy
-	 * hidden_oper:  hides the oper from /stats p    (OLD UMODE +p)	
-	 * remoteban:    allows remote kline etc [DEFAULT]
-	 * mass_notice:  allows sending wallops and mass notices [DEFAULT]
+	 * need_ssl:     must be using SSL/TLS to oper up
          */
-	flags = global_kill, remote, kline, unkline, gline,
-		die, rehash, admin, xline, operwall;
+	flags = encrypted;
+
+	/* privset: privileges set to grant */
+	privset = "admin";
 };
 
 connect "irc.uplink.com" {
@@ -252,6 +272,16 @@ connect "irc.uplink.com" {
 	#aftype = ipv6;
 };
 
+connect "ssl.uplink.com" {
+	host = "192.168.0.1";
+	send_password = "password";
+	accept_password = "anotherpassword";
+	port = 9999;
+	hub_mask = "*";
+	class = "server";
+	flags = ssl, topicburst;
+};
+
 service {
 	name = "services.int";
 };
@@ -422,9 +452,6 @@ general {
 	connect_timeout = 30 seconds;
 	disable_auth = no;
 	no_oper_flood = yes;
-	glines = no;
-	gline_time = 1 day;
-	gline_min_cidr = 16;
 	max_targets = 4;
 	client_flood = 20;
         use_whois_actually = no;
@@ -436,7 +463,8 @@ general {
 	reject_ban_time = 1 minute;
 	reject_after_count = 3;
 	reject_duration = 5 minutes;
-	max_unknown_ip = 2;
+	throttle_duration = 60;
+	throttle_count = 4;
 };
 
 modules {