X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/d1239f613f72f46aa378bc94d14db52b55b0a5f1..22ebfd257e7f6959dda7253f8f39d27e8c118924:/doc/reference.conf diff --git a/doc/reference.conf b/doc/reference.conf index a1d62fbd..368c5a70 100644 --- a/doc/reference.conf +++ b/doc/reference.conf @@ -26,6 +26,10 @@ * .include "filename" * .include * + * Flags variables are comma-separated sets of predefined values, + * specific to each block. For example in operator {} blocks: + * flags = encrypted, encrypted; + * * Times/durations are written as: * 12 hours 30 minutes 1 second * @@ -47,9 +51,6 @@ * Channel mode +-T (blocks notices) -- chm_nonotice * Channel mode +-O (oper only) -- chm_operonly * Channel mode +-S (ssl only) -- chm_sslonly - * Emulates channel mode +-O (oper only) (+-iI $o) -- chm_operonly_compat - * Emulates channel mode +-R (quiet unreg) (+-q $~a) -- chm_quietunreg_compat - * Emulates channel mode +-S (ssl only) (+-b $~z) -- chm_sslonly_compat * Channel mode +-M (disallow KICK on IRC ops) -- chm_operpeace * Restrict channel creation to logged in users -- createauthonly * Account bans (+b $a[:mask]) -- extb_account @@ -73,10 +74,8 @@ * /locops support -- m_locops * Opers cannot be invisible (umode +i) -- no_oper_invis * Far connection notices (snomask +F) -- sno_farconnect - * Remote k/d/x line active notices -- sno_globalkline * Remote oper up notices -- sno_globaloper * Global nick-change notices -- sno_globalnickchange - * /whois notifications (snomask +W) -- sno_whois * Oper-override (modehacking only) -- override * Stop services kills -- no_kill_services */ @@ -84,9 +83,6 @@ #loadmodule "extensions/chm_nonotice"; #loadmodule "extensions/chm_operonly"; #loadmodule "extensions/chm_sslonly"; -#loadmodule "extensions/chm_operonly_compat"; -#loadmodule "extensions/chm_quietunreg_compat"; -#loadmodule "extensions/chm_sslonly_compat"; #loadmodule "extensions/chm_operpeace"; #loadmodule "extensions/createauthonly"; #loadmodule "extensions/extb_account"; 
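Review bot: The example added to the header comment in the `@@ -26,6 +26,10 @@` hunk reads `flags = encrypted, encrypted;`, which lists the same value twice and so does not show what a set of distinct flags looks like. If the file really contains this (rather than it being an artefact of how this page was rendered), use two different operator flags, e.g. `flags = encrypted, need_ssl;`, after confirming both are valid in operator {} blocks of this version.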
@@ -110,10 +106,8 @@ #loadmodule "extensions/m_locops"; #loadmodule "extensions/no_oper_invis"; #loadmodule "extensions/sno_farconnect"; -#loadmodule "extensions/sno_globalkline"; #loadmodule "extensions/sno_globalnickchange"; #loadmodule "extensions/sno_globaloper"; -#loadmodule "extensions/sno_whois"; #loadmodule "extensions/override"; #loadmodule "extensions/no_kill_services"; @@ -162,7 +156,7 @@ serverinfo { ssl_dh_params = "etc/dh.pem"; /* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */ - #ssl_cipher_list = "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL"; + #ssl_cipher_list = "TLS_CHACHA20_POLY1305_SHA256:EECDH+HIGH:EDH+HIGH:HIGH:!aNULL"; /* ssld_count: number of ssld processes you want to start, if you * have a really busy server, using N-1 where N is the number of @@ -384,13 +378,13 @@ auth { * exceed_limit (old > flag) | allow user to exceed class user limits * kline_exempt (old ^ flag) | exempt this user from k/g/xlines, * | dnsbls, and proxies - * dnsbl_exempt | exempt this user from dnsbls + * dnsbl_exempt | exempt this user from dnsbls * proxy_exempt | exempt this user from proxies - * spambot_exempt | exempt this user from spambot checks - * shide_exempt | exempt this user from serverhiding + * spambot_exempt | exempt this user from spambot checks + * shide_exempt | exempt this user from serverhiding * jupe_exempt | exempt this user from generating * warnings joining juped channels - * resv_exempt | exempt this user from resvs + * resv_exempt | exempt this user from resvs * flood_exempt | exempt this user from flood limits * USE WITH CAUTION. * no_tilde (old - flag) | don't prefix ~ to username if no ident 
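Review bot: In the `@@ -162,7 +156,7 @@` hunk the sample `ssl_cipher_list` now mixes a TLS 1.3 suite name (`TLS_CHACHA20_POLY1305_SHA256`) with OpenSSL-style selectors, while the comment above it still says only that the list is dependent on the TLS backend. Some TLS libraries configure TLS 1.3 suites separately from the pre-1.3 cipher string, so an operator cannot tell from this file whether the new entry is honoured, ignored or rejected by a given backend; the comment should say which syntax each supported backend accepts. Under OpenSSL semantics the trailing bare `HIGH` also admits suites without forward secrecy, which could be noted as `/* entries after EDH+HIGH also allow non-(EC)DHE key exchange; drop them if every client supports (EC)DHE */`. The serverinfo {} block starts and ends outside the hunk.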
@@ -462,9 +456,11 @@ privset "local_op" { * channels etc. see /quote help operspy * oper:hidden: hides the oper from /stats p * oper:remoteban: allows remote kline etc - * oper:mass_notice: allows sending wallops and mass notices + * oper:mass_notice: allows sending mass notices + * oper:wallops: allows sending wallops messages * oper:grant: allows using the GRANT command * usermode:servnotice: allows setting +s + * oper:message: allows opers to bypass CALLERID (usermode +g) * * Privileges provided by extensions include: * @@ -474,8 +470,8 @@ privset "local_op" { * confers the benefits of chmode +M (operpeace) (from extensions/chm_operpeace) * usermode:helpops allows setting +h (from extensions/helpops) */ - privs = oper:general, oper:privs, oper:testline, oper:kill, oper:operwall, usermode:servnotice, - auspex:oper, auspex:hostname, auspex:umodes, auspex:cmodes; + privs = oper:general, oper:privs, oper:testline, oper:kill, oper:operwall, oper:message, + usermode:servnotice, auspex:oper, auspex:hostname, auspex:umodes, auspex:cmodes; }; privset "server_bot" { @@ -487,7 +483,8 @@ privset "server_bot" { privset "global_op" { extends = "local_op"; privs = oper:routing, oper:kline, oper:unkline, oper:xline, - oper:resv, oper:cmodes, oper:mass_notice, oper:remoteban; + oper:resv, oper:cmodes, oper:mass_notice, oper:wallops, + oper:remoteban; }; privset "admin" { 
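Review bot: The privilege list in the `@@ -462,9 +456,11 @@` hunk moves wallops out of `oper:mass_notice` into a new `oper:wallops`, but nothing tells an administrator with an existing custom privset that the meaning of `oper:mass_notice` has narrowed. Presumably such a privset silently loses wallops after an upgrade. A short remark on the new line, such as `oper:wallops: allows sending wallops messages (previously part of oper:mass_notice)`, would make the change visible. The comment block continues outside the hunk.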
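Review bot: The `@@ -474,8 +470,8 @@` hunk adds `oper:message` to `local_op`, the base privset that `global_op` extends in the following hunk, so in the sample configuration every operator can message users who have set +g. That is a privacy-relevant default for the least-privileged oper role. If it is intended, say so next to the `privs` line, e.g. `/* oper:message lets these opers bypass users' CALLERID (+g); remove it if that is not wanted */`; otherwise grant it only in a higher privset.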
@@ -551,12 +548,21 @@ operator "god" { privset = "admin"; }; -/* connect {}: controls servers we connect to (OLD C:, N:, H:, L:) */ +/* connect {}: controls servers we connect with (OLD C:, N:, H:, L:). + * + * This configuration is used whether connections are incoming or + * outgoing. + */ connect "irc.uplink.com" { - /* the name must go above */ + /* the name of the other server must go above. It should match the + * other server's name in its serverinfo {} block, and does not + * need to be an actual hostname. + */ - /* host: the host or IP to connect to. If a hostname is used it - * must match the reverse dns of the server. + /* host: the host or IP to connect to. + * + * It is also used to validate incoming connections. If a hostname + * is used, it must match the reverse dns of the server. */ host = "203.0.113.3"; @@ -580,28 +586,17 @@ connect "irc.uplink.com" { /* port: the port to connect to this server on */ port = 6666; - /* hub mask: the mask of servers that this server may hub. Multiple - * entries are permitted - */ - hub_mask = "*"; - - /* leaf mask: the mask of servers this server may not hub. Multiple - * entries are permitted. Useful for forbidding EU -> US -> EU routes. - */ - #leaf_mask = "*.uk"; - /* class: the class this server is in */ class = "server"; /* flags: controls special options for this server - * encrypted - marks the accept_password as being crypt()'d - * autoconn - automatically connect to this server - * compressed - compress traffic via ziplinks - * topicburst - burst topics between servers - * ssl - ssl/tls encrypted server connections + * encrypted - marks the accept_password as being crypt()'d + * autoconn - automatically connect to this server + * topicburst - burst topics between servers + * ssl - ssl/tls encrypted server connections * no-export - marks the link as a no-export link (not exported to other links) */ - flags = compressed, topicburst; + flags = topicburst; }; connect "ipv6.lame.server" { 
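Review bot: The rewritten `host` comment in the `@@ -551,12 +548,21 @@` hunk says the value also validates incoming connections and that a hostname must match the server's reverse DNS, but it does not say that this makes link authentication depend on PTR records the local administrator does not control. Recommend an address literal for that reason, as the example value already does, by appending something like `Prefer an IP address: a hostname is checked against reverse DNS, which is only as trustworthy as the resolver path and the owner of the PTR zone.` The connect {} block continues outside the hunk.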
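Review bot: After the `@@ -580,28 +586,17 @@` hunk the first example link is left with `flags = topicburst;`, without `ssl`, so anyone copying this block gets a server-to-server link that is not encrypted. The link password settings sit outside this hunk, but on such a link they would presumably cross the network in the clear. Since the port in this example may be a plaintext listener, a comment is safer than changing the flag: `/* without the ssl flag this link is unencrypted; see the ssl.uplink.com example below */`.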
@@ -619,24 +614,15 @@ connect "ipv6.lame.server" { }; connect "ssl.uplink.com" { - /* Example of ssl server-to-server connection, ssl flag doesn't need - * compressed flag, 'cause it uses own compression - */ host = "203.0.113.129"; send_password = "password"; accept_password = "anotherpassword"; port = 9999; - hub_mask = "*"; class = "server"; flags = ssl, topicburst; }; -/* cluster {}; servers that we propagate things to automatically. - * NOTE: This does NOT grant them privileges to apply anything locally, - * you must add a seperate shared block for that. Clustering will - * only be done for actions by LOCAL opers, that arent directed - * remotely. - */ +/* cluster {}; servers that we propagate things to automatically. */ cluster { /* name: the server to share with, this can be a wildcard and may be * stacked. @@ -669,8 +655,7 @@ cluster { /* service{}: privileged servers (services). These servers have extra * privileges such as setting login names on users and introducing clients - * with umode +S (unkickable, hide channels, etc). This does not allow them - * to set bans, you need a separate shared{} for that. + * with umode +S (unkickable, hide channels, etc). * Do not place normal servers here. * There may be only one service{} block. */ 
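Review bot: The `cluster {}` comment in the `@@ -619,24 +614,15 @@` hunk is cut to one sentence, and together with the shortened `service {}` comment in `@@ -669,8 +655,7 @@` and the removal of the whole `shared {}` section in `@@ -679,59 +664,6 @@`, the file no longer says what authorises a remote server or oper to place bans on this server. If authorisation now comes from something else (the `oper:remoteban` privilege listed earlier is a candidate, but the patch does not show it), the cluster comment should name that mechanism and state that shared {} blocks are gone. Without it an administrator cannot tell from the reference file which linked servers are trusted to change local ban state.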
@@ -679,59 +664,6 @@ service { name = "services.int"; }; -/* shared {}: users that are allowed to place remote bans on our server. - * NOTE: These are ordered top down. The first one the user@host and server - * matches will be used. Their access will then be decided on that - * block and will not fall back to another block that matches. - */ -shared { - /* oper: the user@host and server the user must be on to set klines. - * The first field must be a user@host, the second field is an - * optional server. These may be stacked. - */ - /* flags: list of what to allow them to place, all the oper lines - * above this (up until another flags entry) will receive these - * flags. This *must* be present. - * - * kline - allow setting perm/temp klines - * tkline - allow setting temp klines - * unkline - allow removing klines - * xline - allow setting perm/temp xlines - * txline - allow setting temp xlines - * unxline - allow removing xlines - * resv - allow setting perm/temp resvs - * tresv - allow setting temp resvs - * unresv - allow removing xlines - * all - allow oper/server to do all of above. 
- * locops - allow locops - only used for servers who cluster - * rehash - allow rehashing - * dline - allow setting perm/temp dlines - * tdline - allow setting temp dlines - * undline - allow removing dlines - * grant - allow granting operator status - * die - allow remote DIE/RESTART - * module - allow remote module commands - * none - disallow everything - */ - - /* allow flame@*.leeh.co.uk on server irc.ircd-ratbox.org and - * allow leeh@*.leeh.co.uk on server ircd.ircd-ratbox.org to kline - */ - oper = "flame@*.leeh.co.uk", "irc.ircd-ratbox.org"; - oper = "leeh@*.leeh.co.uk", "ircd.ircd-ratbox.org"; - flags = kline; - - /* you may forbid certain opers/servers from doing anything */ - oper = "irc@vanity.oper", "*"; - oper = "*@*", "irc.vanity.server"; - oper = "irc@another.vanity.oper", "bigger.vanity.server"; - flags = none; - - /* or allow everyone to place temp klines */ - oper = "*@*"; - flags = tkline; -}; - /* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ exempt { ip = "192.0.2.0/24"; @@ -869,6 +801,9 @@ channel { * as PRIVMSG @#channel when sent to clients. */ opmod_send_statusmsg = no; + + /* ip_bans_through_vhost: should channel IP bans see through dynamic spoofed hosts? */ + ip_bans_through_vhost = yes; }; 
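Review bot: The new `ip_bans_through_vhost = yes;` in the `@@ -869,6 +801,9 @@` hunk is documented only as a question, and the sample enables it without stating the trade-off. With `yes`, channel IP bans presumably keep matching users behind a dynamic spoofed host, which means the outcome of such a ban depends on the address the spoof is meant to hide. State both sides in the comment, e.g. `yes: IP bans still match the real address of users with a dynamic spoofed host; no: such users are matched only by their visible host`, so networks that rely on spoofs for privacy can choose deliberately. The channel {} block starts outside the hunk.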
@@ -1222,6 +1157,52 @@ general { */ kline_reason = "Connection closed"; + /* SASL access only client message: give users a message that + * informs them + */ + sasl_only_client_message = "You need to identify via SASL to use this server."; + + /* Identd access only client message: give users a message that + * informs them + */ + identd_only_client_message = "You need to install identd to use this server."; + + /* SCTP forbidden client message: give users a message that + * informs them + */ + sctp_forbidden_client_message = "You are not allowed to use SCTP on this server."; + + /* SSL/TLS access only client message: give users a message that + * informs them + */ + ssltls_only_client_message = "You need to use SSL/TLS to use this server."; + + /* Not authorised client message: tell users that they are not + * authorised + */ + not_authorised_client_message = "You are not authorised to access this server."; + + /* Illegal hostname client message: tell users that they have illegal + * chars in their hostname + */ + illegal_hostname_client_message = "You have an illegal character in your hostname."; + + /* Server full client message: tell users that the server they're connecting + * to is full + */ + server_full_client_message = "Sorry, server is full - try later"; + + /* illegal name long client message: long-form explanation that their username + * contains illegal characters + */ + illegal_name_long_client_message = "Your username is invalid. Please make sure that your username contains " + "only alphanumeric characters."; + + /* illegal name short client message: short-form notification that their username + * contains illegal characters; will be followed by ": their_username" + */ + illegal_name_short_client_message = "Invalid username"; + /* identify to services via server password * if auth{} block had no password but the user specified a * server password anyway, send a PRIVMSG to 
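Review bot: Several comments added in the `@@ -1222,6 +1157,52 @@` hunk stop mid-sentence (`give users a message that informs them`), and none says under which condition the message is sent. These strings appear to go to clients that are being refused, so each comment should name the rejection condition and remind the administrator to keep internal detail out of the text, along the lines of `/* sasl_only_client_message: sent when a connection is refused because SASL is required (confirm exact condition) */`. The same applies to the identd, SCTP and SSL/TLS entries. The general {} block starts and ends outside the hunk.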
@@ -1254,9 +1235,6 @@ general { /* stats c oper only: make stats c (connect {}) oper only */ stats_c_oper_only = no; - /* stats h oper only: make stats h (hub_mask/leaf_mask) oper only */ - stats_h_oper_only = no; - /* stats y oper only: make stats y (class {}) oper only */ stats_y_oper_only = no; @@ -1283,6 +1261,13 @@ general { */ stats_k_oper_only = masked; + /* stats l/L oper only: + * yes: non-opers can't use this at all + * self: non-opers see only themselves + * no: show targeted users or non-hidden opers to everyone + */ + stats_l_oper_only = self; + /* map oper only: make /map oper only */ map_oper_only = no; @@ -1379,14 +1364,6 @@ general { * provided they have umode +s set */ oper_snomask = "+s"; - /* compression level: level of compression for compressed links between - * servers. - * - * values are between: 1 (least compression, fastest) - * and: 9 (most compression, slowest). - */ - #compression_level = 6; - /* burst_away: This enables bursting away messages to servers. * With this disabled, we will only propogate AWAY messages * as users send them, but never burst them. Be warned though @@ -1471,6 +1448,17 @@ general { /* tls_ciphers_oper_only: show the TLS cipher string in /WHOIS only to opers and self */ tls_ciphers_oper_only = no; + + /* hidden_caps: client capabilities we'll pretend we don't support until they're requested */ + #hidden_caps = "userhost-in-names"; + + /* oper_secure_only: require TLS on any connection trying to oper up */ + oper_secure_only = no; + + /* drain_reason: Message shown to users when they are rejected from a draining server. + * requires extensions/drain to be loaded. + */ + drain_reason = "This server is not accepting connections."; }; modules {
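Review bot: The `@@ -1471,6 +1448,17 @@` hunk introduces `oper_secure_only = no;`, so the reference configuration still allows oper-up over connections without TLS, where the operator password would be sent in the clear. For a hardening option like this the sample should either ship enabled or say why it does not, e.g. `oper_secure_only = yes;` with the comment `/* set to no only if some operators cannot connect with TLS */`. The general {} block starts outside the hunk.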