X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/a2b7ef92a1b38ebf96663ff1e0bb4bafac73a714..18ac52f017175f39469db1272f12c0b3ee8cf6a8:/doc/ircd.conf.example diff --git a/doc/ircd.conf.example b/doc/ircd.conf.example index 71d26c71..9cd18fa1 100644 --- a/doc/ircd.conf.example +++ b/doc/ircd.conf.example @@ -8,9 +8,7 @@ */ /* Extensions */ -#loadmodule "extensions/chm_operonly_compat"; -#loadmodule "extensions/chm_quietunreg_compat"; -#loadmodule "extensions/chm_sslonly_compat"; +#loadmodule "extensions/chm_nonotice"; #loadmodule "extensions/chm_operpeace"; #loadmodule "extensions/createauthonly"; #loadmodule "extensions/extb_account"; @@ -31,10 +29,8 @@ #loadmodule "extensions/m_locops"; #loadmodule "extensions/no_oper_invis"; #loadmodule "extensions/sno_farconnect"; -#loadmodule "extensions/sno_globalkline"; #loadmodule "extensions/sno_globalnickchange"; #loadmodule "extensions/sno_globaloper"; -#loadmodule "extensions/sno_whois"; #loadmodule "extensions/override"; #loadmodule "extensions/no_kill_services"; @@ -51,7 +47,7 @@ serverinfo { name = "hades.arpa"; sid = "42X"; - description = "charybdis test server"; + description = "solanum test server"; network_name = "StaticBox"; /* On multi-homed hosts you may need the following. These define @@ -61,18 +57,20 @@ serverinfo { /* for IPv6 */ #vhost6 = "2001:db8:2::6"; - /* ssl_private_key: our ssl private key */ - ssl_private_key = "etc/ssl.key"; - - /* ssl_cert: certificate for our ssl server */ + /* ssl_cert: certificate (and optionally key) for our ssl server */ ssl_cert = "etc/ssl.pem"; + /* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */ + #ssl_private_key = "etc/ssl.key"; + /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 * In general, the DH parameters size should be the same as your key's size. * However it has been reported that some clients have broken TLS implementations which may * choke on keysizes larger than 2048-bit, so we would recommend using 2048-bit DH parameters * for now if your keys are larger than 2048-bit. - */ + * + * If you do not provide parameters, some TLS backends will fail on DHE- ciphers, + * and some will succeed but use weak, common DH groups! */ ssl_dh_params = "etc/dh.pem"; /* ssld_count: number of ssld processes you want to start, if you @@ -161,7 +159,13 @@ listen { /* Listen on IPv6 (if you used host= above). */ #host = "2001:db8:2::6"; #port = 5000, 6665 .. 6669; - #sslport = 9999; + #sslport = 6697; + + /* wsock: listeners defined with this option enabled will be websocket listeners, + * and will not accept normal clients. + */ + wsock = yes; + sslport = 9999; }; /* auth {}: allow users to connect to the ircd (OLD I:) @@ -227,7 +231,8 @@ auth { * means they must be defined before operator {}. */ privset "local_op" { - privs = oper:local_kill, oper:operwall; + privs = oper:general, oper:privs, oper:testline, oper:kill, oper:operwall, oper:message, + usermode:servnotice, auspex:oper, auspex:hostname, auspex:umodes, auspex:cmodes; }; privset "server_bot" { @@ -237,8 +242,9 @@ privset "server_bot" { privset "global_op" { extends = "local_op"; - privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline, - oper:resv, oper:mass_notice, oper:remoteban; + privs = oper:routing, oper:kline, oper:unkline, oper:xline, + oper:resv, oper:cmodes, oper:mass_notice, oper:wallops, + oper:remoteban; }; privset "admin" { @@ -300,20 +306,17 @@ operator "god" { privset = "admin"; }; +// See connecting-servers.rst for an introduction to using these files. + connect "irc.uplink.com" { host = "203.0.113.3"; send_password = "password"; accept_password = "anotherpassword"; port = 6666; - hub_mask = "*"; class = "server"; - flags = compressed, topicburst; + flags = topicburst; #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b"; - - /* If the connection is IPv6, uncomment below. - * Use 0::1, not ::1, for IPv6 localhost. */ - #aftype = ipv6; }; connect "ssl.uplink.com" { @@ -321,7 +324,6 @@ connect "ssl.uplink.com" { send_password = "password"; accept_password = "anotherpassword"; port = 9999; - hub_mask = "*"; class = "server"; flags = ssl, topicburst; }; @@ -335,9 +337,8 @@ cluster { flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; }; -shared { - oper = "*@*", "*"; - flags = all, rehash; +secure { + ip = "127.0.0.1"; }; /* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ @@ -369,6 +370,7 @@ channel { autochanmodes = "+nt"; displayed_usercount = 3; strip_topic_colors = no; + opmod_send_statusmsg = no; }; serverhide { @@ -378,14 +380,14 @@ serverhide { disable_hidden = no; }; -/* These are the blacklist settings. +/* These are the DNSBL settings. * You can have multiple combinations of host and rejection reasons. * They are used in pairs of one host/rejection reason. * - * These settings should be adequate for most networks. + * The default settings should be adequate for most networks. * - * Word to the wise: Do not use blacklists like SPEWS for blocking IRC - * connections. + * It is not recommended to use DNSBL services designed for e-mail spam + * prevention, such as SPEWS for blocking IRC connections. * * As of charybdis 2.2, you can do some keyword substitution on the rejection * reason. The available keyword substitutions are: @@ -405,13 +407,13 @@ serverhide { * is considered a match. If included, a comma-separated list of *quoted* * strings is allowed to match queries. They may be of the format "0" to "255" * to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match - * an A record. The blacklist is only applied if it matches anything in the + * an A record. The DNSBL match is only applied if it matches anything in the * list. You may freely mix full IP's and final octets. * - * Consult your blacklist provider for the meaning of these parameters; they - * are usually used to denote different ban types. + * Consult your DNSBL provider for the meaning of these parameters; they + * are usually used to denote different block reasons. */ -blacklist { +dnsbl { host = "rbl.efnetrbl.org"; type = ipv4; reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}"; @@ -435,10 +437,9 @@ blacklist { * WARNING: * These settings are considered experimental. Only the most common proxy types * are checked for (Charybdis is immune from POST and GET proxies). If you are - * not comfortable with experimental code, remove or comment out the *entire* - * block below to disable the proxy scanner. + * not comfortable with experimental code, do not use this feature. */ -opm { +#opm { /* IPv4 address to listen on. This must be a publicly facing IP address * to be effective. * If omitted, it defaults to serverinfo::vhost. @@ -448,53 +449,53 @@ opm { /* IPv4 port to listen on. * This should not be the same as any existing listeners. */ - #port_ipv4 = 32000; + #port_v4 = 32000; /* IPv6 address to listen on. This must be a publicly facing IP address * to be effective. * If omitted, it defaults to serverinfo::vhost6. */ - #listen_ipv6 = "0::1"; + #listen_ipv6 = "::1"; /* IPv6 port to listen on. * This should not be the same as any existing listeners. */ - #port_ipv6 = 32000; + #port_v6 = 32000; /* You can also set the listen_port directive which will set both the * IPv4 and IPv6 ports at once. */ - listen_port = 32000; + #listen_port = 32000; /* This sets the timeout in seconds before ending open proxy scans. * Values less than 1 or greater than 60 are ignored. * It is advisable to keep it as short as feasible, so clients do not * get held up by excessively long scan times. */ - timeout = 5; + #timeout = 5; /* These are the ports to scan for SOCKS4 proxies on. They may overlap * with other scan types. Sensible defaults are given below. */ - socks4_ports = 1080, 10800, 443, 80, 8080, 8000; + #socks4_ports = 1080, 10800, 443, 80, 8080, 8000; /* These are the ports to scan for SOCKS5 proxies on. They may overlap * with other scan types. Sensible defaults are given below. */ - socks5_ports = 1080, 10800, 443, 80, 8080, 8000; + #socks5_ports = 1080, 10800, 443, 80, 8080, 8000; /* These are the ports to scan for HTTP connect proxies on (plaintext). * They may overlap with other scan types. Sensible defaults are given * below. */ - httpconnect_ports = 80, 8080, 8000; + #httpconnect_ports = 80, 8080, 8000; /* These are the ports to scan for HTTPS CONNECT proxies on (SSL). * They may overlap with other scan types. Sensible defaults are given * below. */ - httpsconnect_ports = 443, 4443; -}; + #httpsconnect_ports = 443, 4443; +#}; alias "NickServ" { target = "NickServ"; @@ -559,7 +560,7 @@ general { tkline_expire_notices = no; default_floodcount = 10; failed_oper_notice = yes; - dots_in_ident=2; + dots_in_ident = 2; min_nonwildcard = 4; min_nonwildcard_simple = 3; max_accept = 100; @@ -575,22 +576,31 @@ general { resv_fnc = yes; global_snotices = yes; dline_with_reason = yes; - kline_delay = 0 seconds; kline_with_reason = yes; + hide_tkdline_duration = no; kline_reason = "K-Lined"; + sasl_only_client_message = "You need to identify via SASL to use this server."; + identd_only_client_message = "You need to install identd to use this server."; + sctp_forbidden_client_message = "You are not allowed to use SCTP on this server."; + ssltls_only_client_message = "You need to use SSL/TLS to use this server."; + not_authorised_client_message = "You are not authorised to access this server."; + illegal_hostname_client_message = "You have an illegal character in your hostname."; + server_full_client_message = "Sorry, server is full - try later"; + illegal_name_long_client_message = "Your username is invalid. Please make sure that your username contains " + "only alphanumeric characters."; + illegal_name_short_client_message = "Invalid username"; identify_service = "NickServ@services.int"; identify_command = "IDENTIFY"; non_redundant_klines = yes; warn_no_nline = yes; use_propagated_bans = yes; stats_e_disabled = no; - stats_c_oper_only=no; - stats_h_oper_only=no; - stats_y_oper_only=no; - stats_o_oper_only=yes; - stats_P_oper_only=no; - stats_i_oper_only=masked; - stats_k_oper_only=masked; + stats_c_oper_only = no; + stats_y_oper_only = no; + stats_o_oper_only = yes; + stats_P_oper_only = no; + stats_i_oper_only = masked; + stats_k_oper_only = masked; map_oper_only = no; operspy_admin_only = no; operspy_dont_care_user_info = no; @@ -605,6 +615,7 @@ general { no_oper_flood = yes; max_targets = 4; client_flood_max_lines = 20; + post_registration_delay = 0 seconds; use_whois_actually = no; oper_only_umodes = operwall, locops, servnotice; oper_umodes = locops, servnotice, operwall, wallop; @@ -618,8 +629,9 @@ general { throttle_count = 4; max_ratelimit_tokens = 30; away_interval = 30; - certfp_method = sha1; + certfp_method = spki_sha256; hide_opers_in_whois = no; + tls_ciphers_oper_only = no; }; modules {