X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/0ed0a9fe0abee10181a92c10d9fe74d60f4607ac..f590bc6cece0cf3961f1a115fafec706f17a98f4:/doc/ircd.conf.example

diff --git a/doc/ircd.conf.example b/doc/ircd.conf.example
index 63b6fc65..8771f232 100644
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@@ -8,6 +8,7 @@
  */
 
 /* Extensions */
+#loadmodule "extensions/chm_nonotice";
 #loadmodule "extensions/chm_operonly_compat";
 #loadmodule "extensions/chm_quietunreg_compat";
 #loadmodule "extensions/chm_sslonly_compat";
@@ -61,18 +62,20 @@ serverinfo {
 	/* for IPv6 */
 	#vhost6 = "2001:db8:2::6";
 
-	/* ssl_private_key: our ssl private key */
-	ssl_private_key = "etc/ssl.key";
-
-	/* ssl_cert: certificate for our ssl server */
+	/* ssl_cert: certificate (and optionally key) for our ssl server */
 	ssl_cert = "etc/ssl.pem";
 
+	/* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
+	#ssl_private_key = "etc/ssl.key";
+
 	/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048
 	 * In general, the DH parameters size should be the same as your key's size.
 	 * However it has been reported that some clients have broken TLS implementations which may
 	 * choke on keysizes larger than 2048-bit, so we would recommend using 2048-bit DH parameters
 	 * for now if your keys are larger than 2048-bit.
-	 */
+	 *
+	 * If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
+	 * and some will succeed but use weak, common DH groups! */
 	ssl_dh_params = "etc/dh.pem";
 
 	/* ssld_count: number of ssld processes you want to start, if you
@@ -161,7 +164,13 @@ listen {
 	/* Listen on IPv6 (if you used host= above). */
 	#host = "2001:db8:2::6";
 	#port = 5000, 6665 .. 6669;
-	#sslport = 9999;
+	#sslport = 6697;
+
+	/* wsock: listeners defined with this option enabled will be websocket listeners,
+	 * and will not accept normal clients.
+	 */
+	wsock = yes;
+	sslport = 9999;
 };
 
 /* auth {}: allow users to connect to the ircd (OLD I:)
@@ -227,7 +236,8 @@ auth {
  * means they must be defined before operator {}.
  */
 privset "local_op" {
-	privs = oper:local_kill, oper:operwall;
+	privs = oper:general, oper:privs, oper:testline, oper:local_kill, oper:operwall, usermode:servnotice,
+		auspex:oper, auspex:hostname, auspex:umodes, auspex:cmodes;
 };
 
 privset "server_bot" {
@@ -238,7 +248,7 @@ privset "server_bot" {
 privset "global_op" {
 	extends = "local_op";
 	privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
-		oper:resv, oper:mass_notice, oper:remoteban;
+		oper:resv, oper:cmodes, oper:mass_notice, oper:remoteban;
 };
 
 privset "admin" {
@@ -310,10 +320,6 @@ connect "irc.uplink.com" {
 	flags = compressed, topicburst;
 
 	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
-
-	/* If the connection is IPv6, uncomment below.
-	 * Use 0::1, not ::1, for IPv6 localhost. */
-	#aftype = ipv6;
 };
 
 connect "ssl.uplink.com" {
@@ -369,6 +375,7 @@ channel {
 	autochanmodes = "+nt";
 	displayed_usercount = 3;
 	strip_topic_colors = no;
+	opmod_send_statusmsg = no;
 };
 
 serverhide {
@@ -378,14 +385,14 @@ serverhide {
 	disable_hidden = no;
 };
 
-/* These are the blacklist settings.
+/* These are the DNSBL settings.
  * You can have multiple combinations of host and rejection reasons.
  * They are used in pairs of one host/rejection reason.
  *
- * These settings should be adequate for most networks.
+ * The default settings should be adequate for most networks.
  *
- * Word to the wise: Do not use blacklists like SPEWS for blocking IRC
- * connections.
+ * It is not recommended to use DNSBL services designed for e-mail spam
+ * prevention, such as SPEWS for blocking IRC connections.
  *
  * As of charybdis 2.2, you can do some keyword substitution on the rejection
  * reason. The available keyword substitutions are:
@@ -405,13 +412,13 @@ serverhide {
  * is considered a match. If included, a comma-separated list of *quoted*
  * strings is allowed to match queries. They may be of the format "0" to "255"
  * to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match
- * an A record. The blacklist is only applied if it matches anything in the
+ * an A record. The DNSBL match is only applied if it matches anything in the
  * list. You may freely mix full IP's and final octets.
  *
- * Consult your blacklist provider for the meaning of these parameters; they
- * are usually used to denote different ban types.
+ * Consult your DNSBL provider for the meaning of these parameters; they
+ * are usually used to denote different block reasons.
  */
-blacklist {
+dnsbl {
 	host = "rbl.efnetrbl.org";
 	type = ipv4;
 	reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
@@ -433,13 +440,11 @@ blacklist {
  * notified upon connect if they are being scanned.
  *
  * WARNING:
- * These settings are considered experimental, and as of this writing, the
- * Charybdis scanner is not as comprehensive as the one available in HOPM. Only
- * basic SOCKS4 and SOCKS5 scanning is performed on a few well-known ports. You
- * may disable the open proxy scanning feature by deleting this block if you are
- * uncomfortable with this.
+ * These settings are considered experimental. Only the most common proxy types
+ * are checked for (Charybdis is immune from POST and GET proxies). If you are
+ * not comfortable with experimental code, do not use this feature.
  */
-opm {
+#opm {
 	/* IPv4 address to listen on. This must be a publicly facing IP address
 	 * to be effective.
 	 * If omitted, it defaults to serverinfo::vhost.
@@ -449,47 +454,53 @@ opm {
 	/* IPv4 port to listen on.
 	 * This should not be the same as any existing listeners.
 	 */
-	#port_ipv4 = 32000;
+	#port_v4 = 32000;
 
 	/* IPv6 address to listen on. This must be a publicly facing IP address
 	 * to be effective.
 	 * If omitted, it defaults to serverinfo::vhost6.
 	 */
-	#listen_ipv6 = "0::1";
+	#listen_ipv6 = "::1";
 
 	/* IPv6 port to listen on.
 	 * This should not be the same as any existing listeners.
 	 */
-	#port_ipv6 = 32000;
+	#port_v6 = 32000;
 
-	/* You can also set a port directive which will set both the IPv4 and
-	 * IPv6 ports at once.
+	/* You can also set the listen_port directive which will set both the
+	 * IPv4 and IPv6 ports at once.
 	 */
-	port = 32000;
+	#listen_port = 32000;
 
 	/* This sets the timeout in seconds before ending open proxy scans.
 	 * Values less than 1 or greater than 60 are ignored.
 	 * It is advisable to keep it as short as feasible, so clients do not
 	 * get held up by excessively long scan times.
 	 */
-	timeout = 5;
+	#timeout = 5;
 
 	/* These are the ports to scan for SOCKS4 proxies on. They may overlap
 	 * with other scan types. Sensible defaults are given below.
 	 */
-	socks4_ports = 1080, 10800, 443, 80, 8080, 8000;
+	#socks4_ports = 1080, 10800, 443, 80, 8080, 8000;
 
 	/* These are the ports to scan for SOCKS5 proxies on. They may overlap
 	 * with other scan types. Sensible defaults are given below.
 	 */
-	socks5_ports = 1080, 10800, 443, 80, 8080, 8000;
+	#socks5_ports = 1080, 10800, 443, 80, 8080, 8000;
 
 	/* These are the ports to scan for HTTP connect proxies on (plaintext).
 	 * They may overlap with other scan types. Sensible defaults are given
 	 * below.
 	 */
-	httpconnect_ports = 80, 8080, 8000;
-};
+	#httpconnect_ports = 80, 8080, 8000;
+
+	/* These are the ports to scan for HTTPS CONNECT proxies on (SSL).
+	 * They may overlap with other scan types. Sensible defaults are given
+	 * below.
+	 */
+	#httpsconnect_ports = 443, 4443;
+#};
 
 alias "NickServ" {
 	target = "NickServ";
@@ -554,7 +565,7 @@ general {
 	tkline_expire_notices = no;
 	default_floodcount = 10;
 	failed_oper_notice = yes;
-	dots_in_ident=2;
+	dots_in_ident = 2;
 	min_nonwildcard = 4;
 	min_nonwildcard_simple = 3;
 	max_accept = 100;
@@ -570,8 +581,8 @@ general {
 	resv_fnc = yes;
 	global_snotices = yes;
 	dline_with_reason = yes;
-	kline_delay = 0 seconds;
 	kline_with_reason = yes;
+	hide_tkdline_duration = no;
 	kline_reason = "K-Lined";
 	identify_service = "NickServ@services.int";
 	identify_command = "IDENTIFY";
@@ -579,13 +590,13 @@ general {
 	warn_no_nline = yes;
 	use_propagated_bans = yes;
 	stats_e_disabled = no;
-	stats_c_oper_only=no;
-	stats_h_oper_only=no;
-	stats_y_oper_only=no;
-	stats_o_oper_only=yes;
-	stats_P_oper_only=no;
-	stats_i_oper_only=masked;
-	stats_k_oper_only=masked;
+	stats_c_oper_only = no;
+	stats_h_oper_only = no;
+	stats_y_oper_only = no;
+	stats_o_oper_only = yes;
+	stats_P_oper_only = no;
+	stats_i_oper_only = masked;
+	stats_k_oper_only = masked;
 	map_oper_only = no;
 	operspy_admin_only = no;
 	operspy_dont_care_user_info = no;
@@ -600,6 +611,7 @@ general {
 	no_oper_flood = yes;
 	max_targets = 4;
 	client_flood_max_lines = 20;
+	post_registration_delay = 0 seconds;
 	use_whois_actually = no;
 	oper_only_umodes = operwall, locops, servnotice;
 	oper_umodes = locops, servnotice, operwall, wallop;
@@ -613,8 +625,9 @@ general {
 	throttle_count = 4;
 	max_ratelimit_tokens = 30;
 	away_interval = 30;
-	certfp_method = sha1;
+	certfp_method = spki_sha256;
 	hide_opers_in_whois = no;
+	tls_ciphers_oper_only = no;
 };
 
 modules {