author | Luke Hoersten <luke@hoersten.org> |
Sat, 10 Jul 2021 20:12:21 -0500 | |
changeset 162 | a7a64ed07204 |
parent 142 | 3f0f6964a903 |
permissions | -rw-r--r-- |
114 | 1 |
# This is the default config file for Oragono. |
2 |
# It contains recommended defaults for all settings, including some behaviors |
|
3 |
# that differ from conventional ircds. See conventional.yaml for a config |
|
4 |
# with more "mainstream" behavior. |
|
5 |
# |
|
6 |
# If you are setting up a new oragono server, you should copy this file |
|
7 |
# to a new one named 'ircd.yaml', then read the whole file to see which |
|
8 |
# settings you want to customize. If you don't understand a setting, or |
|
9 |
# aren't sure what behavior you want, most of the defaults are fine |
|
10 |
# to start with (you can change them later, even on a running server). |
|
11 |
# However, there are a few that you should probably change up front: |
|
12 |
# 1. network.name (a human-readable name that identifies your network, |
|
13 |
# no spaces or special characters) and server.name (consider using the |
|
14 |
# domain name of your server) |
|
15 |
# 2. if you have valid TLS certificates (for example, from letsencrypt.org), |
|
16 |
# you should enable them in server.listeners in place of the default |
|
17 |
# self-signed certificates |
|
18 |
# 3. the operator password in the 'opers' section |
|
19 |
# 4. by default, message history is enabled, using in-memory history storage |
|
20 |
# and with messages expiring after 7 days. depending on your needs, you may |
|
21 |
# want to disable history entirely, remove the expiration time, switch to |
|
22 |
# persistent history stored in MySQL, or do something else entirely. See |
|
23 |
# the 'history' section of the config. |
|
24 |
||
25 |
# network configuration |
|
26 |
network: |
|
27 |
# name of the network |
|
28 |
name: {{oragono_network_name}} |
|
29 |
||
30 |
# server configuration |
|
31 |
server: |
|
32 |
# server name |
|
33 |
name: {{oragono_server_name}} |
|
34 |
||
35 |
# addresses to listen on |
|
36 |
listeners: |
|
37 |
# The standard plaintext port for IRC is 6667. Allowing plaintext over the |
|
38 |
# public Internet poses serious security and privacy issues. Accordingly, |
|
39 |
# we recommend using plaintext only on local (loopback) interfaces: |
|
40 |
# "127.0.0.1:6667": # (loopback ipv4, localhost-only) |
|
41 |
# "[::1]:6667": # (loopback ipv6, localhost-only) |
|
42 |
# If you need to serve plaintext on public interfaces, comment out the above |
|
43 |
# two lines and uncomment the line below (which listens on all interfaces): |
|
44 |
# ":6667": |
|
45 |
# Alternately, if you have a TLS certificate issued by a recognized CA, |
|
46 |
# you can configure port 6667 as an STS-only listener that only serves |
|
47 |
# "redirects" to the TLS port, but doesn't allow chat. See the manual |
|
48 |
# for details. |
|
49 |
||
50 |
# The standard SSL/TLS port for IRC is 6697. This will listen on all interfaces: |
|
51 |
# ":6697": |
|
52 |
# tls: |
|
53 |
# cert: fullchain.pem |
|
54 |
# key: privkey.pem |
|
55 |
# # 'proxy' should typically be false. It's only for Kubernetes-style load |
|
56 |
# # balancing that does not terminate TLS, but sends an initial PROXY line |
|
57 |
# # in plaintext. |
|
58 |
# proxy: false |
|
59 |
||
60 |
# Example of a Unix domain socket for proxying: |
|
137
645c1e109921
Moved oragono socket to more persistent location.
Luke Hoersten <luke@hoersten.org>
parents:
118
diff
changeset
|
61 |
"/var/oragono/oragono.socket": |
114 | 62 |
|
63 |
# Example of a Tor listener: any connection that comes in on this listener will |
|
64 |
# be considered a Tor connection. It is strongly recommended that this listener |
|
65 |
# *not* be on a public interface --- it should be on 127.0.0.0/8 or unix domain: |
|
66 |
# "/hidden_service_sockets/oragono_tor_sock": |
|
67 |
# tor: true |
|
68 |
||
69 |
# Example of a WebSocket listener: |
|
70 |
# ":8097": |
|
71 |
# websocket: true |
|
72 |
# tls: |
|
73 |
# cert: fullchain.pem |
|
74 |
# key: privkey.pem |
|
75 |
||
76 |
# sets the permissions for Unix listen sockets. on a typical Linux system, |
|
77 |
# the default is 0775 or 0755, which prevents other users/groups from connecting |
|
78 |
# to the socket. With 0777, it behaves like a normal TCP socket |
|
79 |
# where anyone can connect. |
|
80 |
unix-bind-mode: 0777 |
|
81 |
||
82 |
# configure the behavior of Tor listeners (ignored if you didn't enable any): |
|
83 |
tor-listeners: |
|
84 |
# if this is true, connections from Tor must authenticate with SASL |
|
85 |
require-sasl: false |
|
86 |
||
87 |
# what hostname should be displayed for Tor connections? |
|
88 |
vhost: "tor-network.onion" |
|
89 |
||
90 |
# allow at most this many connections at once (0 for no limit): |
|
91 |
max-connections: 64 |
|
92 |
||
93 |
# connection throttling (limit how many connection attempts are allowed at once): |
|
94 |
throttle-duration: 10m |
|
95 |
# set to 0 to disable throttling: |
|
96 |
max-connections-per-duration: 64 |
|
97 |
||
98 |
# strict transport security, to get clients to automagically use TLS |
|
99 |
sts: |
|
100 |
# whether to advertise STS |
|
101 |
# |
|
102 |
# to stop advertising STS, leave this enabled and set 'duration' below to "0". this will |
|
103 |
# advertise to connecting users that the STS policy they have saved is no longer valid |
|
104 |
enabled: false |
|
105 |
||
106 |
# how long clients should be forced to use TLS for. |
|
107 |
# setting this to a too-long time will mean bad things if you later remove your TLS. |
|
108 |
# the default duration below is 1 month, 2 days and 5 minutes. |
|
109 |
duration: 1mo2d5m |
|
110 |
||
111 |
# tls port - you should be listening on this port above |
|
112 |
port: 6697 |
|
113 |
||
114 |
# should clients include this STS policy when they ship their inbuilt preload lists? |
|
115 |
preload: false |
|
116 |
||
117 |
websockets: |
|
118 |
# Restrict the origin of WebSocket connections by matching the "Origin" HTTP |
|
119 |
# header. This settings makes oragono reject every WebSocket connection, |
|
120 |
# except when it originates from one of the hosts in this list. Use this to |
|
121 |
# prevent malicious websites from making their visitors connect to oragono |
|
122 |
# without their knowledge. An empty list means that there are no restrictions. |
|
123 |
allowed-origins: |
|
124 |
# - "https://oragono.io" |
|
125 |
# - "https://*.oragono.io" |
|
126 |
||
127 |
# casemapping controls what kinds of strings are permitted as identifiers (nicknames, |
|
128 |
# channel names, account names, etc.), and how they are normalized for case. |
|
129 |
# with the recommended default of 'precis', utf-8 identifiers that are "sane" |
|
130 |
# (according to RFC 8265) are allowed, and the server additionally tries to protect |
|
131 |
# against confusable characters ("homoglyph attacks"). |
|
132 |
# the other options are 'ascii' (traditional ASCII-only identifiers), and 'permissive', |
|
133 |
# which allows identifiers to contain unusual characters like emoji, but makes users |
|
134 |
# vulnerable to homoglyph attacks. unless you're really confident in your decision, |
|
135 |
# we recommend leaving this value at its default (changing it once the network is |
|
136 |
# already up and running is problematic). |
|
137 |
casemapping: "precis" |
|
138 |
||
139 |
# whether to look up user hostnames with reverse DNS. |
|
140 |
# (disabling this will expose user IPs instead of hostnames; |
|
141 |
# to make IP/hostname information private, see the ip-cloaking section) |
|
142 |
lookup-hostnames: true |
|
143 |
# whether to confirm hostname lookups using "forward-confirmed reverse DNS", i.e., for |
|
144 |
# any hostname returned from reverse DNS, resolve it back to an IP address and reject it |
|
145 |
# unless it matches the connecting IP |
|
146 |
forward-confirm-hostnames: true |
|
147 |
||
148 |
# use ident protocol to get usernames |
|
149 |
check-ident: false |
|
150 |
||
151 |
# password to login to the server |
|
152 |
# generated using "oragono genpasswd" |
|
153 |
#password: "" |
|
154 |
||
155 |
# motd filename |
|
156 |
# if you change the motd, you should move it to ircd.motd |
|
157 |
motd: "/etc/oragono/oragono.motd" |
|
158 |
||
159 |
# motd formatting codes |
|
160 |
# if this is true, the motd is escaped using formatting codes like $c, $b, and $i |
|
161 |
motd-formatting: true |
|
162 |
||
163 |
# addresses/CIDRs the PROXY command can be used from |
|
164 |
# this should be restricted to localhost (127.0.0.1/8, ::1/128, and unix sockets), |
|
165 |
# unless you have a good reason. you should also add these addresses to the |
|
166 |
# connection limits and throttling exemption lists. |
|
167 |
proxy-allowed-from: |
|
168 |
- localhost |
|
169 |
# - "192.168.1.1" |
|
170 |
# - "192.168.10.1/24" |
|
171 |
||
172 |
# controls the use of the WEBIRC command (by IRC<->web interfaces, bouncers and similar) |
|
173 |
webirc: |
|
174 |
# one webirc block -- should correspond to one set of gateways |
|
175 |
- |
|
176 |
# SHA-256 fingerprint of the TLS certificate the gateway must use to connect |
|
177 |
# (comment this out to use passwords only) |
|
178 |
fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789" |
|
179 |
||
180 |
# password the gateway uses to connect, made with oragono genpasswd |
|
181 |
password: "$2a$04$abcdef0123456789abcdef0123456789abcdef0123456789abcde" |
|
182 |
||
183 |
# addresses/CIDRs that can use this webirc command |
|
184 |
# you should also add these addresses to the connection limits and throttling exemption lists |
|
185 |
hosts: |
|
186 |
- localhost |
|
187 |
# - "192.168.1.1" |
|
188 |
# - "192.168.10.1/24" |
|
189 |
||
190 |
# allow use of the RESUME extension over plaintext connections: |
|
191 |
# do not enable this unless the ircd is only accessible over internal networks |
|
192 |
allow-plaintext-resume: false |
|
193 |
||
194 |
# maximum length of clients' sendQ in bytes |
|
195 |
# this should be big enough to hold bursts of channel/direct messages |
|
196 |
max-sendq: 96k |
|
197 |
||
198 |
# compatibility with legacy clients |
|
199 |
compatibility: |
|
200 |
# many clients require that the final parameter of certain messages be an |
|
201 |
# RFC1459 trailing parameter, i.e., prefixed with :, whether or not this is |
|
202 |
# actually required. this forces Oragono to send those parameters |
|
203 |
# as trailings. this is recommended unless you're testing clients for conformance; |
|
204 |
# defaults to true when unset for that reason. |
|
205 |
force-trailing: true |
|
206 |
||
207 |
# some clients (ZNC 1.6.x and lower, Pidgin 2.12 and lower) do not |
|
208 |
# respond correctly to SASL messages with the server name as a prefix: |
|
209 |
# https://github.com/znc/znc/issues/1212 |
|
210 |
# this works around that bug, allowing them to use SASL. |
|
211 |
send-unprefixed-sasl: true |
|
212 |
||
213 |
# IP-based DoS protection |
|
214 |
ip-limits: |
|
215 |
# whether to limit the total number of concurrent connections per IP/CIDR |
|
216 |
count: true |
|
217 |
# maximum concurrent connections per IP/CIDR |
|
218 |
max-concurrent-connections: 16 |
|
219 |
||
220 |
# whether to restrict the rate of new connections per IP/CIDR |
|
221 |
throttle: true |
|
222 |
# how long to keep track of connections for |
|
223 |
window: 10m |
|
224 |
# maximum number of new connections per IP/CIDR within the given duration |
|
225 |
max-connections-per-window: 32 |
|
226 |
# how long to ban offenders for. after banning them, the number of connections is |
|
227 |
# reset, which lets you use /UNDLINE to unban people |
|
228 |
throttle-ban-duration: 10m |
|
229 |
||
230 |
# how wide the CIDR should be for IPv4 (a /32 is a fully specified IPv4 address) |
|
231 |
cidr-len-ipv4: 32 |
|
232 |
# how wide the CIDR should be for IPv6 (a /64 is the typical prefix assigned |
|
233 |
# by an ISP to an individual customer for their LAN) |
|
234 |
cidr-len-ipv6: 64 |
|
235 |
||
236 |
# IPs/networks which are exempted from connection limits |
|
237 |
exempted: |
|
238 |
- "localhost" |
|
239 |
# - "192.168.1.1" |
|
240 |
# - "2001:0db8::/32" |
|
241 |
||
242 |
# custom connection limits for certain IPs/networks. note that CIDR |
|
243 |
# widths defined here override the default CIDR width --- the limit |
|
244 |
# will apply to the entire CIDR no matter how large or small it is |
|
245 |
custom-limits: |
|
246 |
# "8.8.0.0/16": |
|
247 |
# max-concurrent-connections: 128 |
|
248 |
# max-connections-per-window: 1024 |
|
249 |
||
250 |
# IP cloaking hides users' IP addresses from other users and from channel admins |
|
251 |
# (but not from server admins), while still allowing channel admins to ban |
|
252 |
# offending IP addresses or networks. In place of hostnames derived from reverse |
|
253 |
# DNS, users see fake domain names like pwbs2ui4377257x8.oragono. These names are |
|
254 |
# generated deterministically from the underlying IP address, but if the underlying |
|
255 |
# IP is not already known, it is infeasible to recover it from the cloaked name. |
|
256 |
ip-cloaking: |
|
257 |
# whether to enable IP cloaking |
|
258 |
enabled: true |
|
259 |
||
260 |
# fake TLD at the end of the hostname, e.g., pwbs2ui4377257x8.irc |
|
261 |
# you may want to use your network name here |
|
115 | 262 |
netname: "usr.{{oragono_network_name}}" |
114 | 263 |
|
264 |
# the cloaked hostname is derived only from the CIDR (most significant bits |
|
265 |
# of the IP address), up to a configurable number of bits. this is the |
|
266 |
# granularity at which bans will take effect for IPv4. Note that changing |
|
267 |
# this value will invalidate any stored bans. |
|
268 |
cidr-len-ipv4: 32 |
|
269 |
||
270 |
# analogous granularity for IPv6 |
|
271 |
cidr-len-ipv6: 64 |
|
272 |
||
273 |
# number of bits of hash output to include in the cloaked hostname. |
|
274 |
# more bits means less likelihood of distinct IPs colliding, |
|
275 |
# at the cost of a longer cloaked hostname. if this value is set to 0, |
|
276 |
# all users will receive simply `netname` as their cloaked hostname. |
|
277 |
num-bits: 64 |
|
278 |
||
279 |
# secure-nets identifies IPs and CIDRs which are secure at layer 3, |
|
280 |
# for example, because they are on a trusted internal LAN or a VPN. |
|
281 |
# plaintext connections from these IPs and CIDRs will be considered |
|
282 |
# secure (clients will receive the +Z mode and be allowed to resume |
|
283 |
# or reattach to secure connections). note that loopback IPs are always |
|
284 |
# considered secure: |
|
285 |
secure-nets: |
|
286 |
# - "10.0.0.0/8" |
|
287 |
||
288 |
# oragono will write files to disk under certain circumstances, e.g., |
|
289 |
# CPU profiling or data export. by default, these files will be written |
|
290 |
# to the working directory. set this to customize: |
|
118
56bffa9ef826
Added nginx and oragono HUP reloading to systemd handlers. Added nginx config.
Luke Hoersten <luke@hoersten.org>
parents:
116
diff
changeset
|
291 |
output-path: "/var/oragono" |
114 | 292 |
|
293 |
# account options |
|
294 |
accounts: |
|
295 |
# is account authentication enabled, i.e., can users log into existing accounts? |
|
296 |
authentication-enabled: true |
|
297 |
||
298 |
# account registration |
|
299 |
registration: |
|
300 |
# can users register new accounts for themselves? if this is false, operators with |
|
301 |
# the `accreg` capability can still create accounts with `/NICKSERV SAREGISTER` |
|
302 |
enabled: true |
|
303 |
||
304 |
# global throttle on new account creation |
|
305 |
throttling: |
|
306 |
enabled: true |
|
307 |
# window |
|
308 |
duration: 10m |
|
309 |
# number of attempts allowed within the window |
|
310 |
max-attempts: 30 |
|
311 |
||
312 |
# this is the bcrypt cost we'll use for account passwords |
|
313 |
bcrypt-cost: 9 |
|
314 |
||
315 |
# length of time a user has to verify their account before it can be re-registered |
|
316 |
verify-timeout: "32h" |
|
317 |
||
318 |
# callbacks to allow |
|
319 |
enabled-callbacks: |
|
320 |
- none # no verification needed, will instantly register successfully |
|
321 |
||
322 |
# example configuration for sending verification emails |
|
323 |
# callbacks: |
|
324 |
# mailto: |
|
325 |
# sender: "[email protected]" |
|
326 |
# require-tls: true |
|
327 |
# helo-domain: "my.network" # defaults to server name if unset |
|
328 |
# dkim: |
|
329 |
# domain: "my.network" |
|
330 |
# selector: "20200229" |
|
331 |
# key-file: "dkim.pem" |
|
332 |
# # to use an MTA/smarthost instead of sending email directly: |
|
333 |
# # mta: |
|
334 |
# # server: localhost |
|
335 |
# # port: 25 |
|
336 |
# # username: "admin" |
|
337 |
# # password: "hunter2" |
|
338 |
# blacklist-regexes: |
|
339 |
# # - ".*@mailinator.com" |
|
340 |
||
341 |
# throttle account login attempts (to prevent either password guessing, or DoS |
|
342 |
# attacks on the server aimed at forcing repeated expensive bcrypt computations) |
|
343 |
login-throttling: |
|
344 |
enabled: true |
|
345 |
||
346 |
# window |
|
347 |
duration: 1m |
|
348 |
||
349 |
# number of attempts allowed within the window |
|
350 |
max-attempts: 3 |
|
351 |
||
352 |
# some clients (notably Pidgin and Hexchat) offer only a single password field, |
|
353 |
# which makes it impossible to specify a separate server password (for the PASS |
|
354 |
# command) and SASL password. if this option is set to true, a client that |
|
355 |
# successfully authenticates with SASL will not be required to send |
|
356 |
# PASS as well, so it can be configured to authenticate with SASL only. |
|
357 |
skip-server-password: false |
|
358 |
||
359 |
# enable login to accounts via the PASS command, e.g., PASS account:password |
|
360 |
# this is sometimes useful for compatibility with old clients that don't support SASL |
|
361 |
login-via-pass-command: false |
|
362 |
||
363 |
# require-sasl controls whether clients are required to have accounts |
|
364 |
# (and sign into them using SASL) to connect to the server |
|
365 |
require-sasl: |
|
366 |
# if this is enabled, all clients must authenticate with SASL while connecting |
|
116 | 367 |
enabled: true |
114 | 368 |
|
369 |
# IPs/CIDRs which are exempted from the account requirement |
|
370 |
exempted: |
|
371 |
- "localhost" |
|
372 |
# - '10.10.0.0/16' |
|
373 |
||
374 |
# nick-reservation controls how, and whether, nicknames are linked to accounts |
|
375 |
nick-reservation: |
|
376 |
# is there any enforcement of reserved nicknames? |
|
377 |
enabled: true |
|
378 |
||
379 |
# how many nicknames, in addition to the account name, can be reserved? |
|
380 |
additional-nick-limit: 2 |
|
381 |
||
382 |
# method describes how nickname reservation is handled |
|
383 |
# timeout: let the user change to the registered nickname, give them X seconds |
|
384 |
# to login and then rename them if they haven't done so |
|
385 |
# strict: don't let the user change to the registered nickname unless they're |
|
386 |
# already logged-in using SASL or NickServ |
|
387 |
# optional: no enforcement by default, but allow users to opt in to |
|
388 |
# the enforcement level of their choice |
|
389 |
# |
|
390 |
# 'optional' matches the behavior of other NickServs, but 'strict' is |
|
391 |
# preferable if all your users can enable SASL. |
|
392 |
method: strict |
|
393 |
||
394 |
# allow users to set their own nickname enforcement status, e.g., |
|
395 |
# to opt out of strict enforcement |
|
396 |
allow-custom-enforcement: false |
|
397 |
||
398 |
# rename-timeout - this is how long users have 'til they're renamed |
|
399 |
rename-timeout: 30s |
|
400 |
||
401 |
# format for guest nicknames: |
|
402 |
# 1. these nicknames cannot be registered or reserved |
|
403 |
# 2. if a client is automatically renamed by the server, |
|
404 |
# this is the template that will be used (e.g., Guest-nccj6rgmt97cg) |
|
405 |
# 3. if enforce-guest-format (see below) is enabled, clients without |
|
406 |
# a registered account will have this template applied to their |
|
407 |
# nicknames (e.g., 'katie' will become 'Guest-katie') |
|
408 |
guest-nickname-format: "Guest-*" |
|
409 |
||
410 |
# when enabled, forces users not logged into an account to use |
|
411 |
# a nickname matching the guest template. a caveat: this may prevent |
|
412 |
# users from choosing nicknames in scripts different from the guest |
|
413 |
# nickname format. |
|
414 |
force-guest-format: false |
|
415 |
||
416 |
# when enabled, forces users logged into an account to use the |
|
417 |
# account name as their nickname. when combined with strict nickname |
|
418 |
# enforcement, this lets users treat nicknames and account names |
|
419 |
# as equivalent for the purpose of ban/invite/exception lists. |
|
142
3f0f6964a903
Disabled irc force nick equals account by default.
Luke Hoersten <luke@hoersten.org>
parents:
137
diff
changeset
|
420 |
force-nick-equals-account: {{oragono_force_nick_equals_account}} |
114 | 421 |
|
422 |
# multiclient controls whether oragono allows multiple connections to |
|
423 |
# attach to the same client/nickname identity; this is part of the |
|
424 |
# functionality traditionally provided by a bouncer like ZNC |
|
425 |
multiclient: |
|
426 |
# when disabled, each connection must use a separate nickname (as is the |
|
427 |
# typical behavior of IRC servers). when enabled, a new connection that |
|
428 |
# has authenticated with SASL can associate itself with an existing |
|
429 |
# client |
|
430 |
enabled: true |
|
431 |
||
432 |
# if this is disabled, clients have to opt in to bouncer functionality |
|
433 |
# using nickserv or the cap system. if it's enabled, they can opt out |
|
434 |
# via nickserv |
|
435 |
allowed-by-default: true |
|
436 |
||
437 |
# whether to allow clients that remain on the server even |
|
438 |
# when they have no active connections. The possible values are: |
|
439 |
# "disabled", "opt-in", "opt-out", or "mandatory". |
|
440 |
always-on: "opt-in" |
|
441 |
||
442 |
# whether to mark always-on clients away when they have no active connections: |
|
443 |
auto-away: "opt-in" |
|
444 |
||
445 |
# vhosts controls the assignment of vhosts (strings displayed in place of the user's |
|
446 |
# hostname/IP) by the HostServ service |
|
447 |
vhosts: |
|
448 |
# are vhosts enabled at all? |
|
449 |
enabled: true |
|
450 |
||
451 |
# maximum length of a vhost |
|
452 |
max-length: 64 |
|
453 |
||
454 |
# regexp for testing the validity of a vhost |
|
455 |
# (make sure any changes you make here are RFC-compliant) |
|
456 |
valid-regexp: '^[0-9A-Za-z.\-_/]+$' |
|
457 |
||
458 |
# options controlling users requesting vhosts: |
|
459 |
user-requests: |
|
460 |
# can users request vhosts at all? if this is false, operators with the |
|
461 |
# 'vhosts' capability can still assign vhosts manually |
|
116 | 462 |
enabled: true |
114 | 463 |
|
464 |
# if uncommented, all new vhost requests will be dumped into the given |
|
465 |
# channel, so opers can review them as they are sent in. ensure that you |
|
466 |
# have registered and restricted the channel appropriately before you |
|
467 |
# uncomment this. |
|
468 |
#channel: "#vhosts" |
|
469 |
||
470 |
# after a user's vhost has been approved or rejected, they need to wait |
|
471 |
# this long (starting from the time of their original request) |
|
472 |
# before they can request a new one. |
|
473 |
cooldown: 168h |
|
474 |
||
475 |
# vhosts that users can take without approval, using `/HS TAKE` |
|
476 |
offer-list: |
|
477 |
#- "oragono.test" |
|
478 |
||
479 |
# modes that are set by default when a user connects |
|
480 |
# if unset, no user modes will be set by default |
|
481 |
# +i is invisible (a user's channels are hidden from whois replies) |
|
482 |
# see /QUOTE HELP umodes for more user modes |
|
483 |
default-user-modes: +i |
|
484 |
||
485 |
# support for deferring password checking to an external LDAP server |
|
486 |
# you should probably ignore this section! consult the grafana docs for details: |
|
487 |
# https://grafana.com/docs/grafana/latest/auth/ldap/ |
|
488 |
# you will probably want to set require-sasl and disable accounts.registration.enabled |
|
489 |
# ldap: |
|
490 |
# enabled: true |
|
491 |
# # should we automatically create users if their LDAP login succeeds? |
|
492 |
# autocreate: true |
|
493 |
# # example configuration that works with Forum Systems's testing server: |
|
494 |
# # https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ |
|
495 |
# host: "ldap.forumsys.com" |
|
496 |
# port: 389 |
|
497 |
# timeout: 30s |
|
498 |
# # example "single-bind" configuration, where we bind directly to the user's entry: |
|
499 |
# bind-dn: "uid=%s,dc=example,dc=com" |
|
500 |
# # example "admin bind" configuration, where we bind to an initial admin user, |
|
501 |
# # then search for the user's entry with a search filter: |
|
502 |
# #search-base-dns: |
|
503 |
# # - "dc=example,dc=com" |
|
504 |
# #bind-dn: "cn=read-only-admin,dc=example,dc=com" |
|
505 |
# #bind-password: "password" |
|
506 |
# #search-filter: "(uid=%s)" |
|
507 |
# # example of requiring that users be in a particular group |
|
508 |
# # (note that this is an OR over the listed groups, not an AND): |
|
509 |
# #require-groups: |
|
510 |
# # - "ou=mathematicians,dc=example,dc=com" |
|
511 |
# #group-search-filter-user-attribute: "dn" |
|
512 |
# #group-search-filter: "(uniqueMember=%s)" |
|
513 |
# #group-search-base-dns: |
|
514 |
# # - "dc=example,dc=com" |
|
515 |
# # example of group membership testing via user attributes, as in AD |
|
516 |
# # or with OpenLDAP's "memberOf overlay" (overrides group-search-filter): |
|
517 |
# attributes: |
|
518 |
# member-of: "memberOf" |
|
519 |
||
520 |
# channel options |
|
521 |
channels: |
|
522 |
# modes that are set when new channels are created |
|
523 |
# +n is no-external-messages and +t is op-only-topic |
|
524 |
# see /QUOTE HELP cmodes for more channel modes |
|
525 |
default-modes: +nt |
|
526 |
||
527 |
# how many channels can a client be in at once? |
|
528 |
max-channels-per-client: 100 |
|
529 |
||
530 |
# if this is true, new channels can only be created by operators with the |
|
531 |
# `chanreg` operator capability |
|
532 |
operator-only-creation: false |
|
533 |
||
534 |
# channel registration - requires an account |
|
535 |
registration: |
|
536 |
# can users register new channels? |
|
537 |
enabled: true |
|
538 |
||
539 |
# restrict new channel registrations to operators only? |
|
540 |
# (operators can then transfer channels to regular users using /CS TRANSFER) |
|
541 |
operator-only: false |
|
542 |
||
543 |
# how many channels can each account register? |
|
544 |
max-channels-per-account: 15 |
|
545 |
||
546 |
# as a crude countermeasure against spambots, anonymous connections younger |
|
547 |
# than this value will get an empty response to /LIST (a time period of 0 disables) |
|
548 |
list-delay: 0s |
|
549 |
||
550 |
# operator classes |
|
551 |
oper-classes: |
|
552 |
# local operator |
|
553 |
"local-oper": |
|
554 |
# title shown in WHOIS |
|
555 |
title: Local Operator |
|
556 |
||
557 |
# capability names |
|
558 |
capabilities: |
|
559 |
- "local_kill" |
|
560 |
- "local_ban" |
|
561 |
- "local_unban" |
|
562 |
- "nofakelag" |
|
563 |
- "roleplay" |
|
564 |
||
565 |
# network operator |
|
566 |
"network-oper": |
|
567 |
# title shown in WHOIS |
|
568 |
title: Network Operator |
|
569 |
||
570 |
# oper class this extends from |
|
571 |
extends: "local-oper" |
|
572 |
||
573 |
# capability names |
|
574 |
capabilities: |
|
575 |
- "remote_kill" |
|
576 |
- "remote_ban" |
|
577 |
- "remote_unban" |
|
578 |
||
579 |
# server admin |
|
580 |
"server-admin": |
|
581 |
# title shown in WHOIS |
|
582 |
title: Server Admin |
|
583 |
||
584 |
# oper class this extends from |
|
585 |
extends: "local-oper" |
|
586 |
||
587 |
# capability names |
|
588 |
capabilities: |
|
589 |
- "rehash" |
|
590 |
- "die" |
|
591 |
- "accreg" |
|
592 |
- "sajoin" |
|
593 |
- "samode" |
|
594 |
- "vhosts" |
|
595 |
- "chanreg" |
|
596 |
- "history" |
|
597 |
||
598 |
# ircd operators |
|
599 |
opers: |
|
600 |
# operator named 'admin'; log in with /OPER admin [password] |
|
601 |
admin: |
|
602 |
# which capabilities this oper has access to |
|
603 |
class: "server-admin" |
|
604 |
||
605 |
# custom whois line |
|
606 |
whois-line: "server admin" |
|
607 |
||
608 |
# custom hostname |
|
118
56bffa9ef826
Added nginx and oragono HUP reloading to systemd handlers. Added nginx config.
Luke Hoersten <luke@hoersten.org>
parents:
116
diff
changeset
|
609 |
vhost: "opr.{{oragono_network_name}}" |
114 | 610 |
|
611 |
# modes are the modes to auto-set upon opering-up |
|
612 |
modes: +is acjknoqtuxv |
|
613 |
||
614 |
# operators can be authenticated either by password (with the /OPER command), |
|
615 |
# or by certificate fingerprint, or both. if a password hash is set, then a |
|
616 |
# password is required to oper up (e.g., /OPER dan mypassword). to generate |
|
617 |
# the hash, use `oragono genpasswd`. |
|
618 |
password: "{{oragono_oper_pass_hash}}" |
|
619 |
||
620 |
# if a SHA-256 certificate fingerprint is configured here, then it will be |
|
621 |
# required to /OPER. if you comment out the password hash above, then you can |
|
622 |
# /OPER without a password. |
|
623 |
#fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789" |
|
624 |
# if 'auto' is set (and no password hash is set), operator permissions will be |
|
625 |
# granted automatically as soon as you connect with the right fingerprint. |
|
626 |
#auto: true |
|
627 |
||
628 |
# logging, takes inspiration from Insp |
|
629 |
logging: |
|
630 |
- |
|
631 |
# how to log these messages |
|
632 |
# |
|
633 |
# file log to a file |
|
634 |
# stdout log to stdout |
|
635 |
# stderr log to stderr |
|
636 |
# (you can specify multiple methods, e.g., to log to both stderr and a file) |
|
637 |
method: stdout |
|
638 |
||
639 |
# filename to log to, if file method is selected |
|
640 |
# filename: ircd.log |
|
641 |
||
642 |
# type(s) of logs to keep here. you can use - to exclude those types |
|
643 |
# |
|
644 |
# exclusions take precedent over inclusions, so if you exclude a type it will NEVER |
|
645 |
# be logged, even if you explicitly include it |
|
646 |
# |
|
647 |
# useful types include: |
|
648 |
# * everything (usually used with exclusing some types below) |
|
649 |
# server server startup, rehash, and shutdown events |
|
650 |
# accounts account registration and authentication |
|
651 |
# channels channel creation and operations |
|
652 |
# commands command calling and operations |
|
653 |
# opers oper actions, authentication, etc |
|
654 |
# services actions related to NickServ, ChanServ, etc. |
|
655 |
# internal unexpected runtime behavior, including potential bugs |
|
656 |
# userinput raw lines sent by users |
|
657 |
# useroutput raw lines sent to users |
|
658 |
type: "* -userinput -useroutput" |
|
659 |
||
660 |
# one of: debug info warn error |
|
661 |
level: info |
|
662 |
#- |
|
663 |
# # example of a file log that avoids logging IP addresses |
|
664 |
# method: file |
|
665 |
# filename: ircd.log |
|
666 |
# type: "* -userinput -useroutput -connect-ip" |
|
667 |
# level: debug |
|
668 |
||
669 |
# debug options |
|
670 |
debug: |
|
671 |
# when enabled, oragono will attempt to recover from certain kinds of |
|
672 |
# client-triggered runtime errors that would normally crash the server. |
|
673 |
# this makes the server more resilient to DoS, but could result in incorrect |
|
674 |
# behavior. deployments that would prefer to "start from scratch", e.g., by |
|
675 |
# letting the process crash and auto-restarting it with systemd, can set |
|
676 |
# this to false. |
|
677 |
recover-from-errors: true |
|
678 |
||
679 |
# optionally expose a pprof http endpoint: https://golang.org/pkg/net/http/pprof/ |
|
680 |
# it is strongly recommended that you don't expose this on a public interface; |
|
681 |
# if you need to access it remotely, you can use an SSH tunnel. |
|
682 |
# set to `null`, "", leave blank, or omit to disable |
|
683 |
# pprof-listener: "localhost:6060" |
|
684 |
||
685 |
# datastore configuration |
|
686 |
datastore: |
|
687 |
# path to the datastore |
|
688 |
path: "/var/oragono/oragono.db" |
|
689 |
||
690 |
# if the database schema requires an upgrade, `autoupgrade` will attempt to |
|
691 |
# perform it automatically on startup. the database will be backed |
|
692 |
# up, and if the upgrade fails, the original database will be restored. |
|
693 |
autoupgrade: true |
|
694 |
||
695 |
# connection information for MySQL (currently only used for persistent history): |
|
696 |
mysql: |
|
697 |
enabled: false |
|
698 |
host: "localhost" |
|
699 |
port: 3306 |
|
700 |
# if socket-path is set, it will be used instead of host:port |
|
701 |
#socket-path: "/var/run/mysqld/mysqld.sock" |
|
702 |
user: "oragono" |
|
703 |
password: "hunter2" |
|
704 |
history-database: "oragono_history" |
|
705 |
timeout: 3s |
|
706 |
||
707 |
# languages config |
|
708 |
languages: |
|
709 |
# whether to load languages |
|
710 |
enabled: false |
|
711 |
||
712 |
# default language to use for new clients |
|
713 |
# 'en' is the default English language in the code |
|
714 |
default: en |
|
715 |
||
716 |
# which directory contains our language files |
|
717 |
path: languages |
|
718 |
||
719 |
# limits - these need to be the same across the network |
|
720 |
limits: |
|
721 |
# nicklen is the max nick length allowed |
|
722 |
nicklen: 32 |
|
723 |
||
724 |
# identlen is the max ident length allowed |
|
725 |
identlen: 20 |
|
726 |
||
727 |
# channellen is the max channel length allowed |
|
728 |
channellen: 64 |
|
729 |
||
730 |
# awaylen is the maximum length of an away message |
|
731 |
awaylen: 500 |
|
732 |
||
733 |
# kicklen is the maximum length of a kick message |
|
734 |
kicklen: 1000 |
|
735 |
||
736 |
# topiclen is the maximum length of a channel topic |
|
737 |
topiclen: 1000 |
|
738 |
||
739 |
# maximum number of monitor entries a client can have |
|
740 |
monitor-entries: 100 |
|
741 |
||
742 |
# whowas entries to store |
|
743 |
whowas-entries: 100 |
|
744 |
||
745 |
# maximum length of channel lists (beI modes) |
|
746 |
chan-list-modes: 60 |
|
747 |
||
748 |
# maximum number of messages to accept during registration (prevents |
|
749 |
# DoS / resource exhaustion attacks): |
|
750 |
registration-messages: 1024 |
|
751 |
||
752 |
# message length limits for the new multiline cap |
|
753 |
multiline: |
|
754 |
max-bytes: 4096 # 0 means disabled |
|
755 |
max-lines: 100 # 0 means no limit |
|
756 |
||
757 |
# fakelag: prevents clients from spamming commands too rapidly |
|
758 |
fakelag: |
|
759 |
# whether to enforce fakelag |
|
760 |
enabled: true |
|
761 |
||
762 |
# time unit for counting command rates |
|
763 |
window: 1s |
|
764 |
||
765 |
# clients can send this many commands without fakelag being imposed |
|
766 |
burst-limit: 5 |
|
767 |
||
768 |
# once clients have exceeded their burst allowance, they can send only |
|
769 |
# this many commands per `window`: |
|
770 |
messages-per-window: 2 |
|
771 |
||
772 |
# client status resets to the default state if they go this long without |
|
773 |
# sending any commands: |
|
774 |
cooldown: 2s |
|
775 |
||
776 |
# the roleplay commands are semi-standardized extensions to IRC that allow |
|
777 |
# sending and receiving messages from pseudo-nicknames. this can be used either |
|
778 |
# for actual roleplaying, or for bridging IRC with other protocols. |
|
779 |
roleplay: |
|
780 |
# are roleplay commands enabled at all? (channels and clients still have to |
|
781 |
# opt in individually with the +E mode) |
|
782 |
enabled: true |
|
783 |
||
784 |
# require the "roleplay" oper capability to send roleplay messages? |
|
785 |
require-oper: false |
|
786 |
||
787 |
# require channel operator permissions to send roleplay messages? |
|
788 |
require-chanops: false |
|
789 |
||
790 |
# add the real nickname, in parentheses, to the end of every roleplay message? |
|
791 |
add-suffix: true |
|
792 |
||
793 |
# history message storage: this is used by CHATHISTORY, HISTORY, znc.in/playback, |
|
794 |
# various autoreplay features, and the resume extension |
|
795 |
history: |
|
796 |
# should we store messages for later playback? |
|
797 |
# by default, messages are stored in RAM only; they do not persist |
|
798 |
# across server restarts. however, you may want to understand how message |
|
799 |
# history interacts with the GDPR and/or any data privacy laws that apply |
|
800 |
# in your country and the countries of your users. |
|
801 |
enabled: true |
|
802 |
||
803 |
# how many channel-specific events (messages, joins, parts) should be tracked per channel? |
|
804 |
channel-length: 2048 |
|
805 |
||
806 |
# how many direct messages and notices should be tracked per user? |
|
807 |
client-length: 256 |
|
808 |
||
809 |
# how long should we try to preserve messages? |
|
810 |
# if `autoresize-window` is 0, the in-memory message buffers are preallocated to |
|
811 |
# their maximum length. if it is nonzero, the buffers are initially small and |
|
812 |
# are dynamically expanded up to the maximum length. if the buffer is full |
|
813 |
# and the oldest message is older than `autoresize-window`, then it will overwrite |
|
814 |
# the oldest message rather than resize; otherwise, it will expand if possible. |
|
815 |
autoresize-window: 3d |
|
816 |
||
817 |
# number of messages to automatically play back on channel join (0 to disable): |
|
818 |
autoreplay-on-join: 0 |
|
819 |
||
820 |
# maximum number of CHATHISTORY messages that can be |
|
821 |
# requested at once (0 disables support for CHATHISTORY) |
|
822 |
chathistory-maxmessages: 100 |
|
823 |
||
824 |
# maximum number of messages that can be replayed at once during znc emulation |
|
825 |
# (znc.in/playback, or automatic replay on initial reattach to a persistent client): |
|
826 |
znc-maxmessages: 2048 |
|
827 |
||
828 |
# options to delete old messages, or prevent them from being retrieved |
|
829 |
restrictions: |
|
830 |
# if this is set, messages older than this cannot be retrieved by anyone |
|
831 |
# (and will eventually be deleted from persistent storage, if that's enabled) |
|
832 |
expire-time: 1w |
|
833 |
||
834 |
# if this is set, logged-in users cannot retrieve messages older than their |
|
835 |
# account registration date, and logged-out users cannot retrieve messages |
|
836 |
# older than their sign-on time (modulo grace-period, see below): |
|
837 |
enforce-registration-date: false |
|
838 |
||
839 |
# but if this is set, you can retrieve messages that are up to `grace-period` |
|
840 |
# older than the above cutoff time. this is recommended to allow logged-out |
|
841 |
# users to do session resumption / query history after disconnections. |
|
842 |
grace-period: 1h |
|
843 |
||
844 |
# options to store history messages in a persistent database (currently only MySQL): |
|
845 |
persistent: |
|
846 |
enabled: false |
|
847 |
||
848 |
# store unregistered channel messages in the persistent database? |
|
849 |
unregistered-channels: false |
|
850 |
||
851 |
# for a registered channel, the channel owner can potentially customize |
|
852 |
# the history storage setting. as the server operator, your options are |
|
853 |
# 'disabled' (no persistent storage, regardless of per-channel setting), |
|
854 |
# 'opt-in', 'opt-out', and 'mandatory' (force persistent storage, ignoring |
|
855 |
# per-channel setting): |
|
856 |
registered-channels: "opt-out" |
|
857 |
||
858 |
# direct messages are only stored in the database for logged-in clients; |
|
859 |
# you can control how they are stored here (same options as above). |
|
860 |
# if you enable this, strict nickname reservation is strongly recommended |
|
861 |
# as well. |
|
862 |
direct-messages: "opt-out" |
|
863 |
||
864 |
# options to control how messages are stored and deleted: |
|
865 |
retention: |
|
866 |
# allow users to delete their own messages from history? |
|
867 |
allow-individual-delete: false |
|
868 |
||
869 |
# if persistent history is enabled, create additional index tables, |
|
870 |
# allowing deletion of JSON export of an account's messages. this |
|
871 |
# may be needed for compliance with data privacy regulations. |
|
872 |
enable-account-indexing: false |