X-Git-Url: https://jfr.im/git/irc/rqf/shadowircd.git/blobdiff_plain/c3a82957dbb750bea1d83f3e32ffa187a8b5faf3..c3a0fde28f4866bc6df368456de0bb86c663229e:/doc/example.conf?ds=sidebyside

diff --git a/doc/example.conf b/doc/example.conf
index 48df57c..a7417ff 100755
--- a/doc/example.conf
+++ b/doc/example.conf
@@ -23,7 +23,6 @@
 #loadmodule "extensions/extb_server.so";
 #loadmodule "extensions/extb_ssl.so";
 #loadmodule "extensions/hurt.so";
-#loadmodule "extensions/ip_cloaking.so";
 #loadmodule "extensions/m_findforwards.so";
 #loadmodule "extensions/m_identify.so";
 #loadmodule "extensions/no_oper_invis.so";
@@ -32,10 +31,20 @@
 #loadmodule "extensions/sno_globaloper.so";
 #loadmodule "extensions/sno_whois.so";
 
+/*
+ * IP cloaking extensions: use ip_cloaking_4.0
+ * if you're linking 3.2 and later, otherwise use
+ * ip_cloaking.so, for compatibility with older 3.x
+ * releases.
+ */
+
+#loadmodule "extensions/ip_cloaking_4.0.so";
+#loadmodule "extensions/ip_cloaking.so";
+
 serverinfo {
 	name = "hades.arpa";
 	sid = "42X";
-	description = "charybdis test server";
+	description = "shadowircd test server";
 	network_name = "AthemeNET";
 	network_desc = "Your IRC network.";
 	hub = yes;
@@ -56,8 +65,11 @@ serverinfo {
 	/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
 	ssl_dh_params = "etc/dh.pem";
 
-	/* ssld_count: number of ssld processes you want to start, if you have a really busy 
-	 * server, using N-1 where N is the number of cpu/cpu cores you have might be useful
+	/* ssld_count: number of ssld processes you want to start, if you
+	 * have a really busy server, using N-1 where N is the number of
+	 * cpu/cpu cores you have might be useful. A number greater than one
+	 * can also be useful in case of bugs in ssld and because ssld needs
+	 * two file descriptors per SSL connection.
 	 */
 	ssld_count = 1;
 
@@ -92,11 +104,12 @@ log {
  */
 class "users" {
 	ping_time = 2 minutes;
-        number_per_ident = 10;
+	number_per_ident = 10;
 	number_per_ip = 10;
-        number_per_ip_global = 50;
-	cidr_bitlen = 64;
-	number_per_cidr = 8;
+	number_per_ip_global = 50;
+	cidr_ipv4_bitlen = 24;
+	cidr_ipv6_bitlen = 64;
+	number_per_cidr = 200;
 	max_number = 3000;
 	sendq = 400 kbytes;
 };
@@ -156,6 +169,17 @@ auth {
 	 */
         spoof = "I.still.hate.packets";
 
+	/* autojoin: Channel (or channels, comma-seperated) to join users
+	 * in this auth block to on connect. Note that this won't join
+	 * the user through any bans or otherwise restrictive chmodes.
+	 */
+	autojoin = "#shadowircd,#test";
+
+	/* autojoin_opers : Channel (or channels, comma-seperated) to join
+	 * opers to on oper-up.
+	 */
+	autojoin_opers = "#opers,#help";
+
 	/* Possible flags in auth:
 	 * 
 	 * encrypted                  | password is encrypted with mkpasswd
@@ -172,6 +196,7 @@ auth {
          *                                     USE WITH CAUTION.
 	 * no_tilde     (old - flag)  | don't prefix ~ to username if no ident
 	 * need_ident   (old + flag)  | require ident for user in this class
+	 * need_ssl                   | require SSL/TLS for user in this class
 	 * need_sasl                  | require SASL id for user in this class
 	 */
 	flags = kline_exempt, exceed_limit;
@@ -185,6 +210,29 @@ auth {
 	class = "users";
 };
 
+/* privset {} blocks MUST be specified before anything that uses them.  That
+ * means they must be defined before operator {}.
+ */
+privset "local_op" {
+	privs = oper:local_kill, oper:operwall;
+};
+
+privset "server_bot" {
+	extends = "local_op";
+	privs = oper:kline, oper:remoteban, snomask:nick_changes;
+};
+
+privset "global_op" {
+	extends = "local_op";
+	privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
+		oper:resv, oper:mass_notice, oper:remoteban;
+};
+
+privset "admin" {
+	extends = "global_op";
+	privs = oper:admin, oper:die, oper:rehash, oper:spy;
+};
+
 operator "god" {
 	/* name: the name of the oper must go above */
 
@@ -212,47 +260,31 @@ operator "god" {
 	 */
 	#umodes = locops, servnotice, operwall, wallop;
 
+	/* fingerprint: if specified, the oper's client certificate
+	 * fingerprint will be checked against the specified fingerprint
+	 * below.
+	 */
+	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
+
 	/* snomask: specific server notice mask on oper up.
 	 * If this is specified an oper will not be given oper_snomask.
 	 */
 	snomask = "+Zbfkrsuy";
 
-	/* privileges: controls the activities and commands an oper is
-	 * allowed to do on the server.  You may prefix an option with ~ to
-	 * disable it, ie ~operwall
+	/* flags: misc options for the operator.  You may prefix an option
+	 * with ~ to disable it, e.g. ~encrypted.
 	 *
-	 * Default flags are operwall, remoteban and encrypted.
+	 * Default flags are encrypted.
 	 *
 	 * Available options:
 	 *
 	 * encrypted:    the password above is encrypted [DEFAULT]
-	 * local_kill:   allows local users to be /KILL'd
-	 * global_kill:  allows local and remote users to be 
-	 *               /KILL'd                           (OLD 'O' flag)
-	 * remote:       allows remote SQUIT and CONNECT   (OLD 'R' flag)
-	 * kline:        allows KLINE and DLINE            (OLD 'K' flag)
-	 * unkline:      allows UNKLINE and UNDLINE        (OLD 'U' flag)
-	 * nick_changes: allows oper to see nickchanges    (OLD 'N' flag)
-	 *               via snomask +n
-	 * rehash:       allows oper to REHASH config      (OLD 'H' flag)
-	 * die:          allows DIE and RESTART            (OLD 'D' flag)
-	 * admin:        gives admin privileges.  admins
-	 *               may (un)load modules and see the
-	 *               real IPs of servers.
-	 * hidden_admin: gives admin privileges except
-	 *		 will not have the admin lines in
-	 *		 stats p and whois.
-	 * xline:	 allows use of /quote xline/unxline
-	 * resv:	 allows /quote resv/unresv and cmode +LP [DEFAULT]
-	 * operwall:     allows the oper to send/receive operwalls [DEFAULT]
-	 * oper_spy:	 allows 'operspy' features to see through +s
-	 * 		 channels etc. see /quote help operspy
-	 * hidden_oper:  hides the oper from /stats p    (OLD UMODE +p)	
-	 * remoteban:    allows remote kline etc [DEFAULT]
-	 * mass_notice:  allows sending wallops and mass notices [DEFAULT]
+	 * need_ssl:     must be using SSL/TLS to oper up
          */
-	flags = global_kill, remote, kline, unkline,
-		die, rehash, admin, xline, operwall;
+	flags = encrypted;
+
+	/* privset: privileges set to grant */
+	privset = "admin";
 };
 
 connect "irc.uplink.com" {
@@ -314,6 +346,9 @@ channel {
 	no_join_on_split = no;
 	burst_topicwho = yes;
 	kick_on_split_riding = no;
+	only_ascii_channels = no;
+	cycle_host_change = yes;
+	resv_forcepart = yes;
 };
 
 serverhide {
@@ -325,7 +360,7 @@ serverhide {
 
 /* These are the blacklist settings.
  * You can have multiple combinations of host and rejection reasons.
- * They are used in pairs of one host/rejection reason, or multiple hosts/rejection reason.
+ * They are used in pairs of one host/rejection reason.
  *
  * These settings should be adequate for most networks, and are (presently)
  * required for use on AthemeNet.
@@ -395,7 +430,11 @@ general {
 
 	/*
 	 * default_umodes: umodes to enable on connect.
-	 * If you have enabled the ip_cloaking module, and you want
+	 * If you have enabled the new ip_cloaking_4.0 module, and you want
+	 * to make use of it, add +x to this option, i.e.:
+	 *      default_umodes = "+ix";
+	 *
+	 * If you have enabled the old ip_cloaking module, and you want
 	 * to make use of it, add +h to this option, i.e.:
 	 *	default_umodes = "+ih";
 	 */