5 Server config file format
6 =========================
11 The config file consists of a series of BIND-style blocks. Each block
12 consists of a series of values inside it which pertain to configuration
13 settings that apply to the given block.
15 Several values take lists of values and have defaults preset inside
16 them. Prefix a keyword with a tilde (~) to override the default and
19 A line may also be a .include directive, which is of the form .include
20 "file" and causes file to be read in at that point, before the rest of
21 the current file is processed. Relative paths are first tried relative
22 to PREFIX and then relative to ETCPATH (normally PREFIX/etc).
24 Anything from a # to the end of a line is a comment. Blank lines are
25 ignored. C-style comments are also supported.
27 Specific blocks and directives
28 ==============================
30 Not all configuration blocks and directives are listed here, only the
31 most common ones. More blocks and directives will be documented in later
32 revisions of this manual.
40 Loads a module into the IRCd. In charybdis 1.1, most modules are
41 automatically loaded in. In future versions, it is intended to remove
42 this behaviour as to allow for easy customization of the IRCd's
63 The serverinfo {} block defines the core operational parameters of the
67 The name of the IRC server that you are configuring. This must
68 contain at least one dot. It is not necessarily equal to any DNS
69 name. This must be unique on the IRC network.
72 A unique ID which describes the server. This consists of one digit
73 and two characters which can be digits or letters.
76 A user-defined field of text which describes the IRC server. This
77 information is used in /links and /whois requests. Geographical
78 location information could be a useful use of this field, but most
79 administrators put a witty saying inside it instead.
82 The name of the IRC network that this server will be a member of.
83 This is used in the welcome message and NETWORK= in 005.
86 A boolean which defines whether or not this IRC server will be
87 serving as a hub, i.e. have multiple servers connected to it.
90 An optional text field which defines an IPv4 address from which
91 to connect outward to other IRC servers.
94 An optional text field which defines an IPv6 address from which
95 to connect outward to other IRC servers.
107 This block provides the information which is returned by the ADMIN
111 The name of the administrator running this service.
114 The description of the administrator's position in the network.
117 A point of contact for the administrator, usually an e-mail address.
126 ; number\_per\_ident =
130 ; number\_per\_ip\_global =
132 ; cidr\_ipv4\_bitlen =
134 ; cidr\_ipv6\_bitlen =
136 ; number\_per\_cidr =
154 Class blocks define classes of connections for later use. The class name
155 is used to connect them to other blocks in the config file (auth{} and
156 connect{}). They must be defined before they are used.
158 Classes are used both for client and server connections, but most
159 variables are different.
162 The amount of time between checking pings for clients, e.g.: 2
166 The amount of clients which may be connected from a single identd
167 username on a per-IP basis, globally. Unidented clients all count as
171 The amount of clients which may be connected from a single IP
174 number\_per\_ip\_global
175 The amount of clients which may be connected globally from a single
179 The netblock length to use with CIDR-based client limiting for IPv4
180 users in this class (between 0 and 32).
183 The netblock length to use with CIDR-based client limiting for IPv6
184 users in this class (between 0 and 128).
187 The amount of clients which may be connected from a single netblock.
189 If this needs to differ between IPv4 and IPv6, make different
190 classes for IPv4 and IPv6 users.
193 The maximum amount of clients which may use this class at any given
197 The maximum size of the queue of data to be sent to a client before
201 The amount of time between checking pings for servers, e.g.: 2
205 The amount of time between autoconnects. This must at least be one
206 minute, as autoconnects are evaluated with that granularity.
209 The amount of servers to autoconnect to in this class. More
210 precisely, no autoconnects are done if the number of servers in this
211 class is greater than or equal max\_number
214 The maximum size of the queue of data to be sent to a server before
231 auth {} blocks allow client connections to the server, and set various
232 properties concerning those connections.
234 Auth blocks are evaluated from top to bottom in priority, so put special
238 A hostmask (user@host) that the auth {} block applies to. It is
239 matched against the hostname and IP address (using :: shortening for
240 IPv6 and prepending a 0 if it starts with a colon) and can also use
241 CIDR masks. You can have multiple user entries.
244 An optional password to use for authenticating into this auth{}
245 block. If the password is wrong the user will not be able to connect
246 (will not fall back on another auth{} block).
249 An optional fake hostname (or user@host) to apply to users
250 authenticated to this auth{} block. In STATS i and TESTLINE, an
251 equals sign (=) appears before the user@host and the spoof is shown.
254 A list of flags to apply to this auth{} block. They are listed
255 below. Some of the flags appear as a special character,
256 parenthesized in the list, before the user@host in STATS i and
260 A name of a class to put users matching this auth{} block into.
263 The password used has been encrypted.
266 Causes the IRCd to send out a server notice when activating a spoof
267 provided by this auth{} block.
270 Users in this auth{} block can exceed class-wide limitations.
273 Users in this auth{} block are exempted from DNS blacklist checks.
274 However, they will still be warned if they are listed.
277 Users in this auth{} block are exempted from DNS blacklists, k:lines
281 Users in this auth{} block are exempted from spambot checks.
284 Users in this auth{} block are exempted from some serverhiding
288 Users in this auth{} block do not trigger an alarm when joining
292 Users in this auth{} block may use reserved nicknames and channels.
296 The initial nickname may still not be reserved.
299 Users in this auth{} block may send arbitrary amounts of commands
300 per time unit to the server. This does not exempt them from any
301 other flood limits. You should use this setting with caution.
304 Users in this auth{} block will not have a tilde added to their
305 username if they do not run identd.
308 Users in this auth{} block must have identd, otherwise they will be
312 Users in this auth{} block must be connected via SSL/TLS, otherwise
313 they will be rejected.
316 Users in this auth{} block must identify via SASL, otherwise they
325 An exempt block specifies IP addresses which are exempt from D:lines and
326 throttling. Multiple addresses can be specified in one block. Clients
327 coming from these addresses can still be K/G/X:lined or banned by a DNS
328 blacklist unless they also have appropriate flags in their auth{} block.
331 The IP address or CIDR range to exempt.
336 privset { extends = "
341 A privset (privilege set) block specifies a set of operator privileges.
344 An optional privset to inherit. The new privset will have all
345 privileges that the given privset has.
348 Privileges to grant to this privset. These are described in the
349 operator privileges section.
360 "; rsa\_public\_key\_file = "
369 Operator blocks define who may use the OPER command to gain extended
373 A hostmask that users trying to use this operator {} block must
374 match. This is checked against the original host and IP address;
375 CIDR is also supported. So auth {} spoofs work in operator {}
376 blocks; the real host behind them is not checked. Other kind of
377 spoofs do not work in operator {} blocks; the real host behind them
380 Note that this is different from charybdis 1.x where all kinds of
381 spoofs worked in operator {} blocks.
384 A password used with the OPER command to use this operator {} block.
385 Passwords are encrypted by default, but may be unencrypted if
386 ~encrypted is present in the flags list.
388 rsa\_public\_key\_file
389 An optional path to a RSA public key file associated with the
390 operator {} block. This information is used by the CHALLENGE
391 command, which is an alternative authentication scheme to the
392 traditional OPER command.
395 A list of usermodes to apply to successfully opered clients.
398 An snomask to apply to successfully opered clients.
401 The privilege set granted to successfully opered clients. This must
402 be defined before this operator{} block.
405 A list of flags to apply to this operator{} block. They are listed
409 The password used has been encrypted. This is enabled by default,
410 use ~encrypted to disable it.
413 Restricts use of this operator{} block to SSL/TLS connections only.
422 "; send\_password = "
424 "; accept\_password = "
439 Connect blocks define what servers may connect or be connected to.
442 The hostname or IP to connect to.
446 Furthermore, if a hostname is used, it must have an A or AAAA
447 record (no CNAME) and it must be the primary hostname for
448 inbound connections to work.
451 The password to send to the other server.
454 The password that should be accepted from the other server.
457 The port on the other server to connect to.
460 An optional domain mask of servers allowed to be introduced by this
461 link. Usually, "\*" is fine. Multiple hub\_masks may be specified,
462 and any of them may be introduced. Violation of hub\_mask and
463 leaf\_mask restrictions will cause the local link to be closed.
466 An optional domain mask of servers not allowed to be introduced by
467 this link. Multiple leaf\_masks may be specified, and none of them
468 may be introduced. leaf\_mask has priority over hub\_mask.
471 The name of the class this server should be placed into.
474 A list of flags concerning the connect block. They are listed below.
477 The protocol that should be used to connect with, either ipv4 or
478 ipv6. This defaults to neither, allowing connection using either
482 The value for accept\_password has been encrypted.
485 The server should automatically try to connect to the server defined
486 in this connect {} block if it's not connected already and
487 max\_number in the class is not reached yet.
490 Ziplinks should be used with this server connection. This compresses
491 traffic using zlib, saving some bandwidth and speeding up netbursts.
493 If you have trouble setting up a link, you should turn this off as
494 it often hides error messages.
497 Topics should be bursted to this server.
499 This is enabled by default.
509 A listen block specifies what ports a server should listen on.
512 An optional host to bind to. Otherwise, the ircd will listen on all
516 A port to listen on. You can specify multiple ports via commas, and
517 define a range by seperating the start and end ports with two dots
528 The modules block specifies information for loadable modules.
531 Specifies a path to search for loadable modules.
534 Specifies a module to load, similar to loadmodule.
542 The general block specifies a variety of options, many of which were in
543 ``config.h`` in older daemons. The options are documented in
552 The channel block specifies a variety of channel-related options, many
553 of which were in ``config.h`` in older daemons. The options are
554 documented in ``reference.conf``.
562 The serverhide block specifies options related to server hiding. The
563 options are documented in ``reference.conf``.
570 "; reject\_reason = "
573 The blacklist block specifies DNS blacklists to check. Listed clients
574 will not be allowed to connect. IPv6 clients are not checked against
577 Multiple blacklists can be specified, in pairs with first host then
584 The reason to send to listed clients when disconnecting them.
594 Alias blocks allow the definition of custom commands. These commands
595 send PRIVMSG to the given target. A real command takes precedence above
599 The target nick (must be a network service (umode +S)) or
600 user@server. In the latter case, the server cannot be this server,
601 only opers can use user starting with "opers" reliably and the user
602 is interpreted on the target server only so you may need to use
603 nick@server instead).
613 The cluster block specifies servers we propagate things to
614 automatically. This does not allow them to set bans, you need a separate
615 shared{} block for that.
617 Having overlapping cluster{} items will cause the command to be executed
618 twice on the target servers. This is particularly undesirable for ban
621 The letters in parentheses denote the flags in /stats U.
624 The server name to share with, this may contain wildcards and may be
628 The list of what to share, all the name lines above this (up to
629 another flags entry) will receive these flags. They are listed
651 Permanently reserved nicks/channels
654 Temporarily reserved nicks/channels
660 LOCOPS messages (sharing this with \* makes LOCOPS rather similar to
661 OPERWALL which is not useful)
676 The shared block specifies opers allowed to perform certain actions on
677 our server remotely. These are ordered top down. The first one matching
678 will determine the oper's access. If access is denied, the command will
681 The letters in parentheses denote the flags in /stats U.
684 The user@host the oper must have, and the server they must be on.
685 This may contain wildcards.
688 The list of what to allow, all the oper lines above this (up to
689 another flags entry) will receive these flags. They are listed
694 While they have the same names, the flags have subtly different
695 meanings from those in the cluster{} block.
698 Permanent and temporary K:lines
707 Permanent and temporary X:lines
716 Permanently and temporarily reserved nicks/channels
719 Temporarily reserved nicks/channels
725 All of the above; this does not include locops, rehash, dline,
729 LOCOPS messages (accepting this from \* makes LOCOPS rather similar
730 to OPERWALL which is not useful); unlike the other flags, this can
731 only be accepted from \*@\* although it can be restricted based on
735 REHASH commands; all options can be used
738 Permanent and temporary D:lines
747 Allow nothing to be done
755 The service block specifies privileged servers (services). These servers
756 have extra privileges such as setting login names on users and
757 introducing clients with umode +S (unkickable, hide channels, etc). This
758 does not allow them to set bans, you need a separate shared{} block for
761 Do not place normal servers here.
763 Multiple names may be specified but there may be only one service{}
767 The server name to grant special privileges. This may not contain
770 Hostname resolution (DNS)
771 =========================
773 Charybdis uses solely DNS for all hostname/address lookups (no
774 ``/etc/hosts`` or anything else). The DNS servers are taken from
775 ``/etc/resolv.conf``. If this file does not exist or no valid IP
776 addresses are listed in it, the local host (127.0.0.1) is used. (Note
777 that the latter part did not work in older versions of Charybdis.)
779 IPv4 as well as IPv6 DNS servers are supported, but it is not possible
780 to use both IPv4 and IPv6 in ``/etc/resolv.conf``.
782 For both security and performance reasons, it is recommended that a
783 caching nameserver such as BIND be run on the same machine as Charybdis
784 and that ``/etc/resolv.conf`` only list 127.0.0.1.