X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/f0bce9d95d1b193ac69c3dd589ed0646d9b39361..e44504ebf154d69972f45f881daaaca282ff2d55:/doc/reference.conf diff --git a/doc/reference.conf b/doc/reference.conf index ae07abfe..b3ff2580 100755 --- a/doc/reference.conf +++ b/doc/reference.conf 
@@ -44,61 +44,73 @@ * Charybdis contains several extensions that are not enabled by default. * To use them, uncomment the lines below. * - * Channel mode +-A (admin only) -- chm_adminonly.so - * Channel mode +-O (oper only) -- chm_operonly.so - * Channel mode +-S (ssl only) -- chm_sslonly.so - * Emulates channel mode +-O (oper only) (+-iI $o) -- chm_operonly_compat.so - * Emulates channel mode +-R (quiet unreg) (+-q $~a) -- chm_quietunreg_compat.so - * Emulates channel mode +-S (ssl only) (+-b $~z) -- chm_sslonly_compat.so - * Restrict channel creation to logged in users -- createauthonly.so - * Account bans (+b $a[:mask]) -- extb_account.so - * Banned from another channel (+b $j:mask) -- extb_canjoin.so - * Other-channel bans (+b $c:mask) -- extb_channel.so - * Extended ban (+b $x:mask) -- extb_extgecos.so - * Oper bans (+b $o) -- extb_oper.so - * Realname (gecos) bans (+b $r:mask) -- extb_realname.so - * Server bans (+b $s:mask) -- extb_server.so - * SSL bans (+b $z) -- extb_ssl.so - * HURT system -- hurt.so - * New host mangling (umode +x) -- ip_cloaking_4.0.so - * Old host mangling (umode +h) -- ip_cloaking.so - * Find channel forwards -- m_findforwards.so - * /identify support -- m_identify.so - * Opers cannot be invisible (umode +i) -- no_oper_invis.so - * Far connection notices (snomask +F) -- sno_farconnect.so - * Remote k/d/x line active notices -- sno_globalkline.so - * Remote oper up notices -- sno_globaloper.so - * /whois notifications (snomask +W) -- sno_whois.so - * Oper-override (modehacking only) -- override.so - * Stop services kills -- m_nokillservices.so + * Channel mode +-A (admin only) -- chm_adminonly.la + * Channel mode +-O (oper only) -- chm_operonly.la + * Channel mode +-S (ssl only) -- chm_sslonly.la + * Emulates channel mode +-O (oper only) (+-iI $o) -- chm_operonly_compat.la + * Emulates channel mode +-R (quiet unreg) (+-q $~a) -- chm_quietunreg_compat.la + * Emulates channel mode +-S (ssl only) (+-b $~z) -- chm_sslonly_compat.la + * 
Channel mode +-M (disallow KICK on IRC ops) -- chm_operpeace.la + * Restrict channel creation to logged in users -- createauthonly.la + * Account bans (+b $a[:mask]) -- extb_account.la + * Banned from another channel (+b $j:mask) -- extb_canjoin.la + * Other-channel bans (+b $c:mask) -- extb_channel.la + * Combination extbans -- extb_combi.la + * Extended ban (+b $x:mask) -- extb_extgecos.la + * Hostmask bans (for combination extbans) -- extb_hostmask.la + * Oper bans (+b $o) -- extb_oper.la + * Realname (gecos) bans (+b $r:mask) -- extb_realname.la + * Server bans (+b $s:mask) -- extb_server.la + * SSL bans (+b $z) -- extb_ssl.la + * Helpops system (umode +H) -- helpops.la + * HURT system -- hurt.la + * New host mangling (umode +x) -- ip_cloaking_4.0.la + * Old host mangling (umode +h) -- ip_cloaking.la + * Dynamically extend channel limits -- m_extendchans.la + * Find channel forwards -- m_findforwards.la + * /identify support -- m_identify.la + * Opers cannot be invisible (umode +i) -- no_oper_invis.la + * Far connection notices (snomask +F) -- sno_farconnect.la + * Remote k/d/x line active notices -- sno_globalkline.la + * Remote oper up notices -- sno_globaloper.la + * Global nick-change notices -- sno_globalnickchange.la + * /whois notifications (snomask +W) -- sno_whois.la + * Oper-override (modehacking only) -- override.la + * Stop services kills -- no_kill_services.la */ -#loadmodule "extensions/chm_adminonly.so"; -#loadmodule "extensions/chm_operonly.so"; -#loadmodule "extensions/chm_sslonly.so"; -#loadmodule "extensions/chm_operonly_compat.so"; -#loadmodule "extensions/chm_quietunreg_compat.so"; -#loadmodule "extensions/chm_sslonly_compat.so"; -#loadmodule "extensions/createauthonly.so"; -#loadmodule "extensions/extb_account.so"; -#loadmodule "extensions/extb_canjoin.so"; -#loadmodule "extensions/extb_channel.so"; -#loadmodule "extensions/extb_extgecos.so"; -#loadmodule "extensions/extb_oper.so"; -#loadmodule "extensions/extb_realname.so"; -#loadmodule 
"extensions/extb_server.so"; -#loadmodule "extensions/extb_ssl.so"; -#loadmodule "extensions/hurt.so"; -#loadmodule "extensions/ip_cloaking_4.0.so"; -#loadmodule "extensions/ip_cloaking.so"; -#loadmodule "extensions/m_findforwards.so"; -#loadmodule "extensions/m_identify.so"; -#loadmodule "extensions/no_oper_invis.so"; -#loadmodule "extensions/sno_farconnect.so"; -#loadmodule "extensions/sno_globalkline.so"; -#loadmodule "extensions/sno_globaloper.so"; -#loadmodule "extensions/sno_whois.so"; -#loadmodule "extensions/override.so"; -#loadmodule "extensions/m_nokillservices.so"; +#loadmodule "extensions/chm_adminonly.la"; +#loadmodule "extensions/chm_operonly.la"; +#loadmodule "extensions/chm_sslonly.la"; +#loadmodule "extensions/chm_operonly_compat.la"; +#loadmodule "extensions/chm_quietunreg_compat.la"; +#loadmodule "extensions/chm_sslonly_compat.la"; +#loadmodule "extensions/chm_operpeace.la"; +#loadmodule "extensions/createauthonly.la"; +#loadmodule "extensions/extb_account.la"; +#loadmodule "extensions/extb_canjoin.la"; +#loadmodule "extensions/extb_channel.la"; +#loadmodule "extensions/extb_combi.la"; +#loadmodule "extensions/extb_extgecos.la"; +#loadmodule "extensions/extb_hostmask.la"; +#loadmodule "extensions/extb_oper.la"; +#loadmodule "extensions/extb_realname.la"; +#loadmodule "extensions/extb_server.la"; +#loadmodule "extensions/extb_ssl.la"; +#loadmodule "extensions/helpops.la"; +#loadmodule "extensions/hurt.la"; +#loadmodule "extensions/ip_cloaking_4.0.la"; +#loadmodule "extensions/ip_cloaking.la"; +#loadmodule "extensions/m_extendchans.la"; +#loadmodule "extensions/m_findforwards.la"; +#loadmodule "extensions/m_identify.la"; +#loadmodule "extensions/no_oper_invis.la"; +#loadmodule "extensions/sno_farconnect.la"; +#loadmodule "extensions/sno_globalkline.la"; +#loadmodule "extensions/sno_globalnickchange.la"; +#loadmodule "extensions/sno_globaloper.la"; +#loadmodule "extensions/sno_whois.la"; +#loadmodule "extensions/override.la"; +#loadmodule 
"extensions/no_kill_services.la"; /* serverinfo {}: Contains information about the server. (OLD M:) */ serverinfo { @@ -122,7 +134,6 @@ serverinfo { * is on. Shown in the 005 reply and used with serverhiding. */ network_name = "MyNet"; - network_desc = "This is My Network"; /* hub: allow this server to act as a hub and have multiple servers * connected to it. @@ -132,22 +143,25 @@ serverinfo { /* vhost: the IP to bind to when we connect outward to ipv4 servers. * This should be an ipv4 IP only. */ - #vhost = "192.169.0.1"; + #vhost = "192.0.2.6"; /* vhost6: the IP to bind to when we connect outward to ipv6 servers. * This should be an ipv6 IP only. */ - #vhost6 = "3ffe:80e8:546::2"; + #vhost6 = "2001:db7:2::6"; /* ssl_private_key: our ssl private key */ ssl_private_key = "etc/ssl.key"; /* ssl_cert: certificate for our ssl server */ - ssl_cert = "etc/ssl.cert"; + ssl_cert = "etc/ssl.pem"; /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ ssl_dh_params = "etc/dh.pem"; + /* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */ + #ssl_cipher_list = "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL"; + /* ssld_count: number of ssld processes you want to start, if you * have a really busy server, using N-1 where N is the number of * cpu/cpu cores you have might be useful. A number greater than one @@ -314,11 +328,11 @@ listen { /* host: set a specific IP/host the ports after the line will listen * on. This may be ipv4 or ipv6. */ - host = "1.2.3.4"; + host = "192.0.2.6"; port = 7000, 7001; sslport = 9000, 9001; - host = "3ffe:1234:a:b:c::d"; + host = "2001:db8:2::6"; port = 7002; sslport = 9002; }; 
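Review bot: The added `#vhost6` example in the serverinfo hunk, `2001:db7:2::6`, lies outside the IPv6 documentation prefix 2001:db8::/32 that the other IPv6 examples in this commit use, so an operator who uncomments it as written is pointed at address space that may belong to a real network. It looks like a typo for `#vhost6 = "2001:db8:2::6";`. In the same hunk the unchanged `ssl_dh_params` comment still recommends `openssl dhparam -out dh.pem 1024`, while the new `ssl_cipher_list` example enables EDH suites that rely on those parameters. 1024-bit groups are no longer considered adequate, so the comment should read `openssl dhparam -out dh.pem 2048`. The serverinfo block starts and ends outside the hunk.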
@@ -331,8 +345,8 @@ auth { * prepending a 0 if it starts with a colon) and can also use CIDR * masks. */ - user = "*@172.16.0.0/12"; - user = "*test@123D:B567:*"; + user = "*@198.51.100.0/24"; + user = "*test@2001:db8:1:*"; /* auth_user: This allows specifying a username:password instead of * just a password in PASS, so that a fixed user@host is not @@ -370,6 +384,7 @@ auth { * need_ident (old + flag) | require ident for user in this class * need_ssl | require SSL/TLS for user in this class * need_sasl | require SASL id for user in this class + * extend_chans | allow this user to join more channels than normal */ flags = kline_exempt, exceed_limit; @@ -382,10 +397,10 @@ auth { * not have to obey the redirection, the ircd just suggests to them * an alternative server. */ - redirserv = "irc.some.domain"; + redirserv = "irc.example.net"; redirport = 6667; - user = "*.some.domain"; + user = "*.example.com"; /* class: a class is required even though it is not used */ class = "users"; @@ -425,6 +440,7 @@ privset "local_op" { * oper:hidden: hides the oper from /stats p * oper:remoteban: allows remote kline etc * oper:mass_notice: allows sending wallops and mass notices + * oper:grant: allows using the GRANT command */ privs = oper:local_kill, oper:operwall; }; @@ -443,7 +459,7 @@ privset "global_op" { privset "admin" { extends = "global_op"; - privs = oper:admin, oper:die, oper:rehash, oper:spy; + privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:grant; }; /* operator {}: defines ircd operators. (OLD O:) */ 
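Review bot: The sample `admin` privset now carries `oper:grant` by default, but the only explanation added is `oper:grant: allows using the GRANT command` in the privset "local_op" hunk. The shared {} hunk later in this commit describes `grant` as allowing operator status to be granted, so anyone who copies this reference config gives every admin the ability to create operators. I would either leave `oper:grant` out of the default `privs` line or extend the comment, e.g. `oper:grant: allows using the GRANT command to grant operator status to other users; assign sparingly`. The new `grant`, `die` and `module` flags in the shared {} hunk deserve the same one-line caution, since they appear to accept those actions from remote opers.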
@@ -509,12 +525,12 @@ connect "irc.uplink.com" { /* host: the host or IP to connect to. If a hostname is used it * must match the reverse dns of the server. */ - host = "192.168.0.1"; + host = "203.0.113.3"; /* vhost: the host or IP to bind to for this connection. If this * is not specified, the default vhost (in serverinfo {}) is used. */ - #vhost = "192.168.0.50"; + #vhost = "192.0.2.131"; /* passwords: the passwords we send (OLD C:) and accept (OLD N:). * The remote server will have these passwords reversed. @@ -554,12 +570,12 @@ connect "irc.uplink.com" { flags = compressed, topicburst; }; -connect "ipv6.some.server" { +connect "ipv6.lame.server" { /* Hosts that are IPv6 addresses must be in :: shortened form * if applicable. Addresses starting with a colon get an extra * zero prepended, for example: 0::1 */ - host = "3ffd:dead:beef::1"; + host = "2001:db8:3::8"; send_password = "password"; accept_password = "password"; port = 6666; @@ -575,7 +591,7 @@ connect "ssl.uplink.com" { /* Example of ssl server-to-server connection, ssl flag doesn't need * compressed flag, 'cause it uses own compression */ - host = "192.168.0.1"; + host = "203.0.113.129"; send_password = "password"; accept_password = "anotherpassword"; port = 9999; @@ -661,6 +677,9 @@ shared { * dline - allow setting perm/temp dlines * tdline - allow setting temp dlines * undline - allow removing dlines + * grant - allow granting operator status + * die - allow remote DIE/RESTART + * module - allow remote module commands * none - disallow everything */ @@ -684,11 +703,10 @@ shared { /* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ exempt { - ip = "192.168.0.0/16"; + ip = "192.0.2.0/24"; /* these may be stacked */ ip = "127.0.0.1"; - ip = "10.0.0.0/8"; }; /* The channel block contains options pertaining to channels */ 
@@ -728,6 +746,9 @@ channel { /* max chans: The maximum number of channels a user can join/be on. */ max_chans_per_user = 15; + /* max chans (large): The extended maximum number of channels a user can join. */ + max_chans_per_user_large = 60; + /* max bans: maximum number of +b/e/I/q modes in a channel */ max_bans = 100; @@ -792,6 +813,20 @@ channel { * supported. */ disable_local_channels = no; + + /* autochanmodes: the channel modes that should be automatically set + * when a channel is created. + */ + autochanmodes = "+nt"; + + /* displayed_usercount: the minimum amount of users on a channel before it + * is displayed in LIST. this parameter can be overridden using ELIST parameters, + * such as LIST >0. + */ + displayed_usercount = 3; + + /* strip_topic_colors: whether or not color codes in TOPIC should be stripped. */ + strip_topic_colors = no; }; 
@@ -852,24 +887,12 @@ serverhide { * * Consult your blacklist provider for the meaning of these parameters; they * are usually used to denote different ban types. - * - * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be - * contacted, via email, at admins@2mbit.com before using these BLs. - * See for more information. */ blacklist { host = "rbl.efnetrbl.org"; type = ipv4; reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}"; -# host = "ircbl.ahbl.org"; -# type = ipv4; -# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect."; -# -# host = "tor.ahbl.org"; -# type = ipv4; -# reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network."; -# /* Example of a blacklist that supports both IPv4 and IPv6 and using matches */ # host = "foobl.blacklist.invalid"; # matches = "4", "6", "127.0.0.10"; @@ -940,8 +963,6 @@ general { * If disabled, local opers can see them. * Dynamic spoofs (e.g. set by services) are unaffected by this; * any oper (local and remote) can see the real ip. - * Warning: for whowas, this is checked when the client exits, - * not when the IP is shown. */ hide_spoof_ips = yes; @@ -970,6 +991,14 @@ general { */ servicestring = "is a Network Service"; + /* + * Nick of the network's SASL agent. Used to check whether services are here, + * SASL credentials are only sent to its server. Needs to be a service. + * + * Defaults to SaslServ if unspecified. + */ + sasl_service = "SaslServ"; + /* disable fake channels: disable local users joining fake versions * of channels, eg #foo^B^B. Disables bold, mirc colour, reverse, * underline and hard space. (ASCII 2, 3, 22, 31, 160 respectively). 
@@ -1232,18 +1261,6 @@ general { * provided they have umode +s set */ oper_snomask = "+s"; - /* use egd: if your system does not have *random devices yet you - * want to use OpenSSL and encrypted links, enable this. Beware - - * EGD is *very* CPU intensive when gathering data for its pool - */ - #use_egd = yes; - - /* egdpool path: path to EGD pool. Not necessary for OpenSSL >= 0.9.7 - * which automatically finds the path. - */ - #egdpool_path = "/var/run/egd-pool"; - - /* compression level: level of compression for compressed links between * servers. * @@ -1314,6 +1331,15 @@ general { * counts. */ away_interval = 30; + + /* certfp_method: the method that should be used for computing certificate fingerprints. + * Acceptable options are sha1, sha256 and sha512. Networks running versions of charybdis + * prior to charybdis 3.5 MUST use sha1 for certfp_method. + */ + certfp_method = sha1; + + /* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */ + hide_opers_in_whois = no; }; modules { @@ -1324,5 +1350,5 @@ modules { path = "/usr/local/ircd/modules/autoload"; /* module: the name of a module to load on startup/rehash */ - #module = "some_module.so"; + #module = "some_module.la"; };
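Review bot: The new `certfp_method` comment explains why networks with pre-3.5 servers must stay on sha1 but gives no guidance to everyone else, and the sample ships `certfp_method = sha1;` as the active value. I would add a sentence such as `Networks where every server runs charybdis 3.5 or later should prefer sha256 or sha512.` The comment could also say that switching methods changes every fingerprint, so fingerprints already stored (presumably in operator blocks or services) would need to be regenerated. The general {} block starts outside the hunk.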