oragono/templates/oragono.yaml.j2
changeset 170 a20a6d03747f
parent 169 f4f9b52ede46
child 171 534b247bed1c
169:f4f9b52ede46 170:a20a6d03747f
     1 # This is the default config file for Oragono.
       
     2 # It contains recommended defaults for all settings, including some behaviors
       
     3 # that differ from conventional ircds. See conventional.yaml for a config
       
     4 # with more "mainstream" behavior.
       
     5 #
       
     6 # If you are setting up a new oragono server, you should copy this file
       
     7 # to a new one named 'ircd.yaml', then read the whole file to see which
       
     8 # settings you want to customize. If you don't understand a setting, or
       
     9 # aren't sure what behavior you want, most of the defaults are fine
       
    10 # to start with (you can change them later, even on a running server).
       
    11 # However, there are a few that you should probably change up front:
       
    12 # 1. network.name (a human-readable name that identifies your network,
       
    13 #    no spaces or special characters) and server.name (consider using the
       
    14 #    domain name of your server)
       
    15 # 2. if you have valid TLS certificates (for example, from letsencrypt.org),
       
    16 #    you should enable them in server.listeners in place of the default
       
    17 #    self-signed certificates
       
    18 # 3. the operator password in the 'opers' section
       
    19 # 4. by default, message history is enabled, using in-memory history storage
       
    20 #    and with messages expiring after 7 days. depending on your needs, you may
       
    21 #    want to disable history entirely, remove the expiration time, switch to
       
    22 #    persistent history stored in MySQL, or do something else entirely. See
       
    23 #    the 'history' section of the config.
       
    24 
       
    25 # network configuration
       
    26 network:
       
    27     # name of the network
       
    28     name: {{oragono_network_name}}
       
    29 
       
    30 # server configuration
       
    31 server:
       
    32     # server name
       
    33     name: {{oragono_server_name}}
       
    34 
       
    35     # addresses to listen on
       
    36     listeners:
       
    37         # The standard plaintext port for IRC is 6667. Allowing plaintext over the
       
    38         # public Internet poses serious security and privacy issues. Accordingly,
       
    39         # we recommend using plaintext only on local (loopback) interfaces:
       
    40         # "127.0.0.1:6667": # (loopback ipv4, localhost-only)
       
    41         # "[::1]:6667":     # (loopback ipv6, localhost-only)
       
    42         # If you need to serve plaintext on public interfaces, comment out the above
       
    43         # two lines and uncomment the line below (which listens on all interfaces):
       
    44         # ":6667":
       
    45         # Alternately, if you have a TLS certificate issued by a recognized CA,
       
    46         # you can configure port 6667 as an STS-only listener that only serves
       
    47         # "redirects" to the TLS port, but doesn't allow chat. See the manual
       
    48         # for details.
       
    49 
       
    50         # The standard SSL/TLS port for IRC is 6697. This will listen on all interfaces:
       
    51         # ":6697":
       
    52         #     tls:
       
    53         #         cert: fullchain.pem
       
    54         #         key: privkey.pem
       
    55         #         # 'proxy' should typically be false. It's only for Kubernetes-style load
       
    56         #         # balancing that does not terminate TLS, but sends an initial PROXY line
       
    57         #         # in plaintext.
       
    58         #         proxy: false
       
    59 
       
    60         # Example of a Unix domain socket for proxying:
       
    61         "/var/oragono/oragono.socket":
       
    62 
       
    63         # Example of a Tor listener: any connection that comes in on this listener will
       
    64         # be considered a Tor connection. It is strongly recommended that this listener
       
    65         # *not* be on a public interface --- it should be on 127.0.0.0/8 or unix domain:
       
    66         # "/hidden_service_sockets/oragono_tor_sock":
       
    67         #     tor: true
       
    68 
       
    69         # Example of a WebSocket listener:
       
    70         # ":8097":
       
    71         #     websocket: true
       
    72         #     tls:
       
    73         #         cert: fullchain.pem
       
    74         #         key: privkey.pem
       
    75 
       
    76     # sets the permissions for Unix listen sockets. on a typical Linux system,
       
    77     # the default is 0775 or 0755, which prevents other users/groups from connecting
       
    78     # to the socket. With 0777, it behaves like a normal TCP socket
       
    79     # where anyone can connect.
       
    80     unix-bind-mode: 0777
       
    81 
       
    82     # configure the behavior of Tor listeners (ignored if you didn't enable any):
       
    83     tor-listeners:
       
    84         # if this is true, connections from Tor must authenticate with SASL
       
    85         require-sasl: false
       
    86 
       
    87         # what hostname should be displayed for Tor connections?
       
    88         vhost: "tor-network.onion"
       
    89 
       
    90         # allow at most this many connections at once (0 for no limit):
       
    91         max-connections: 64
       
    92 
       
    93         # connection throttling (limit how many connection attempts are allowed at once):
       
    94         throttle-duration: 10m
       
    95         # set to 0 to disable throttling:
       
    96         max-connections-per-duration: 64
       
    97 
       
    98     # strict transport security, to get clients to automagically use TLS
       
    99     sts:
       
   100         # whether to advertise STS
       
   101         #
       
   102         # to stop advertising STS, leave this enabled and set 'duration' below to "0". this will
       
   103         # advertise to connecting users that the STS policy they have saved is no longer valid
       
   104         enabled: false
       
   105 
       
   106         # how long clients should be forced to use TLS for.
       
   107         # setting this to a too-long time will mean bad things if you later remove your TLS.
       
   108         # the default duration below is 1 month, 2 days and 5 minutes.
       
   109         duration: 1mo2d5m
       
   110 
       
   111         # tls port - you should be listening on this port above
       
   112         port: 6697
       
   113 
       
   114         # should clients include this STS policy when they ship their inbuilt preload lists?
       
   115         preload: false
       
   116 
       
   117     websockets:
       
   118         # Restrict the origin of WebSocket connections by matching the "Origin" HTTP
       
   119         # header. This settings makes oragono reject every WebSocket connection,
       
   120         # except when it originates from one of the hosts in this list. Use this to
       
   121         # prevent malicious websites from making their visitors connect to oragono
       
   122         # without their knowledge. An empty list means that there are no restrictions.
       
   123         allowed-origins:
       
   124             # - "https://oragono.io"
       
   125             # - "https://*.oragono.io"
       
   126 
       
   127     # casemapping controls what kinds of strings are permitted as identifiers (nicknames,
       
   128     # channel names, account names, etc.), and how they are normalized for case.
       
   129     # with the recommended default of 'precis', utf-8 identifiers that are "sane"
       
   130     # (according to RFC 8265) are allowed, and the server additionally tries to protect
       
   131     # against confusable characters ("homoglyph attacks").
       
   132     # the other options are 'ascii' (traditional ASCII-only identifiers), and 'permissive',
       
   133     # which allows identifiers to contain unusual characters like emoji, but makes users
       
   134     # vulnerable to homoglyph attacks. unless you're really confident in your decision,
       
   135     # we recommend leaving this value at its default (changing it once the network is
       
   136     # already up and running is problematic).
       
   137     casemapping: "precis"
       
   138 
       
   139     # whether to look up user hostnames with reverse DNS.
       
   140     # (disabling this will expose user IPs instead of hostnames;
       
   141     # to make IP/hostname information private, see the ip-cloaking section)
       
   142     lookup-hostnames: true
       
   143     # whether to confirm hostname lookups using "forward-confirmed reverse DNS", i.e., for
       
   144     # any hostname returned from reverse DNS, resolve it back to an IP address and reject it
       
   145     # unless it matches the connecting IP
       
   146     forward-confirm-hostnames: true
       
   147 
       
   148     # use ident protocol to get usernames
       
   149     check-ident: false
       
   150 
       
   151     # password to login to the server
       
   152     # generated using  "oragono genpasswd"
       
   153     #password: ""
       
   154 
       
   155     # motd filename
       
   156     # if you change the motd, you should move it to ircd.motd
       
   157     motd: "/etc/oragono/oragono.motd"
       
   158 
       
   159     # motd formatting codes
       
   160     # if this is true, the motd is escaped using formatting codes like $c, $b, and $i
       
   161     motd-formatting: true
       
   162 
       
   163     # addresses/CIDRs the PROXY command can be used from
       
   164     # this should be restricted to localhost (127.0.0.1/8, ::1/128, and unix sockets),
       
   165     # unless you have a good reason. you should also add these addresses to the
       
   166     # connection limits and throttling exemption lists.
       
   167     proxy-allowed-from:
       
   168         - localhost
       
   169         # - "192.168.1.1"
       
   170         # - "192.168.10.1/24"
       
   171 
       
   172     # controls the use of the WEBIRC command (by IRC<->web interfaces, bouncers and similar)
       
   173     webirc:
       
   174         # one webirc block -- should correspond to one set of gateways
       
   175         -
       
   176             # SHA-256 fingerprint of the TLS certificate the gateway must use to connect
       
   177             # (comment this out to use passwords only)
       
   178             fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
       
   179 
       
   180             # password the gateway uses to connect, made with oragono genpasswd
       
   181             password: "$2a$04$abcdef0123456789abcdef0123456789abcdef0123456789abcde"
       
   182 
       
   183             # addresses/CIDRs that can use this webirc command
       
   184             # you should also add these addresses to the connection limits and throttling exemption lists
       
   185             hosts:
       
   186                 - localhost
       
   187                 # - "192.168.1.1"
       
   188                 # - "192.168.10.1/24"
       
   189 
       
   190     # allow use of the RESUME extension over plaintext connections:
       
   191     # do not enable this unless the ircd is only accessible over internal networks
       
   192     allow-plaintext-resume: false
       
   193 
       
   194     # maximum length of clients' sendQ in bytes
       
   195     # this should be big enough to hold bursts of channel/direct messages
       
   196     max-sendq: 96k
       
   197 
       
   198     # compatibility with legacy clients
       
   199     compatibility:
       
   200         # many clients require that the final parameter of certain messages be an
       
   201         # RFC1459 trailing parameter, i.e., prefixed with :, whether or not this is
       
   202         # actually required. this forces Oragono to send those parameters
       
   203         # as trailings. this is recommended unless you're testing clients for conformance;
       
   204         # defaults to true when unset for that reason.
       
   205         force-trailing: true
       
   206 
       
   207         # some clients (ZNC 1.6.x and lower, Pidgin 2.12 and lower) do not
       
   208         # respond correctly to SASL messages with the server name as a prefix:
       
   209         # https://github.com/znc/znc/issues/1212
       
   210         # this works around that bug, allowing them to use SASL.
       
   211         send-unprefixed-sasl: true
       
   212 
       
   213     # IP-based DoS protection
       
   214     ip-limits:
       
   215         # whether to limit the total number of concurrent connections per IP/CIDR
       
   216         count: true
       
   217         # maximum concurrent connections per IP/CIDR
       
   218         max-concurrent-connections: 16
       
   219 
       
   220         # whether to restrict the rate of new connections per IP/CIDR
       
   221         throttle: true
       
   222         # how long to keep track of connections for
       
   223         window: 10m
       
   224         # maximum number of new connections per IP/CIDR within the given duration
       
   225         max-connections-per-window: 32
       
   226         # how long to ban offenders for. after banning them, the number of connections is
       
   227         # reset, which lets you use /UNDLINE to unban people
       
   228         throttle-ban-duration: 10m
       
   229 
       
   230         # how wide the CIDR should be for IPv4 (a /32 is a fully specified IPv4 address)
       
   231         cidr-len-ipv4: 32
       
   232         # how wide the CIDR should be for IPv6 (a /64 is the typical prefix assigned
       
   233         # by an ISP to an individual customer for their LAN)
       
   234         cidr-len-ipv6: 64
       
   235 
       
   236         # IPs/networks which are exempted from connection limits
       
   237         exempted:
       
   238             - "localhost"
       
   239             # - "192.168.1.1"
       
   240             # - "2001:0db8::/32"
       
   241 
       
   242         # custom connection limits for certain IPs/networks. note that CIDR
       
   243         # widths defined here override the default CIDR width --- the limit
       
   244         # will apply to the entire CIDR no matter how large or small it is
       
   245         custom-limits:
       
   246             # "8.8.0.0/16":
       
   247             #     max-concurrent-connections: 128
       
   248             #     max-connections-per-window: 1024
       
   249 
       
   250     # IP cloaking hides users' IP addresses from other users and from channel admins
       
   251     # (but not from server admins), while still allowing channel admins to ban
       
   252     # offending IP addresses or networks. In place of hostnames derived from reverse
       
   253     # DNS, users see fake domain names like pwbs2ui4377257x8.oragono. These names are
       
   254     # generated deterministically from the underlying IP address, but if the underlying
       
   255     # IP is not already known, it is infeasible to recover it from the cloaked name.
       
   256     ip-cloaking:
       
   257         # whether to enable IP cloaking
       
   258         enabled: true
       
   259 
       
   260         # fake TLD at the end of the hostname, e.g., pwbs2ui4377257x8.irc
       
   261         # you may want to use your network name here
       
   262         netname: "usr.{{oragono_network_name}}"
       
   263 
       
   264         # the cloaked hostname is derived only from the CIDR (most significant bits
       
   265         # of the IP address), up to a configurable number of bits. this is the
       
   266         # granularity at which bans will take effect for IPv4. Note that changing
       
   267         # this value will invalidate any stored bans.
       
   268         cidr-len-ipv4: 32
       
   269 
       
   270         # analogous granularity for IPv6
       
   271         cidr-len-ipv6: 64
       
   272 
       
   273         # number of bits of hash output to include in the cloaked hostname.
       
   274         # more bits means less likelihood of distinct IPs colliding,
       
   275         # at the cost of a longer cloaked hostname. if this value is set to 0,
       
   276         # all users will receive simply `netname` as their cloaked hostname.
       
   277         num-bits: 64
       
   278 
       
   279     # secure-nets identifies IPs and CIDRs which are secure at layer 3,
       
   280     # for example, because they are on a trusted internal LAN or a VPN.
       
   281     # plaintext connections from these IPs and CIDRs will be considered
       
   282     # secure (clients will receive the +Z mode and be allowed to resume
       
   283     # or reattach to secure connections). note that loopback IPs are always
       
   284     # considered secure:
       
   285     secure-nets:
       
   286         # - "10.0.0.0/8"
       
   287 
       
   288     # oragono will write files to disk under certain circumstances, e.g.,
       
   289     # CPU profiling or data export. by default, these files will be written
       
   290     # to the working directory. set this to customize:
       
   291     output-path: "/var/oragono"
       
   292 
       
   293 # account options
       
   294 accounts:
       
   295     # is account authentication enabled, i.e., can users log into existing accounts?
       
   296     authentication-enabled: true
       
   297 
       
   298     # account registration
       
   299     registration:
       
   300         # can users register new accounts for themselves? if this is false, operators with
       
   301         # the `accreg` capability can still create accounts with `/NICKSERV SAREGISTER`
       
   302         enabled: true
       
   303 
       
   304         # global throttle on new account creation
       
   305         throttling:
       
   306             enabled: true
       
   307             # window
       
   308             duration: 10m
       
   309             # number of attempts allowed within the window
       
   310             max-attempts: 30
       
   311 
       
   312         # this is the bcrypt cost we'll use for account passwords
       
   313         bcrypt-cost: 9
       
   314 
       
   315         # length of time a user has to verify their account before it can be re-registered
       
   316         verify-timeout: "32h"
       
   317 
       
   318         # callbacks to allow
       
   319         enabled-callbacks:
       
   320             - none # no verification needed, will instantly register successfully
       
   321 
       
   322         # example configuration for sending verification emails
       
   323         # callbacks:
       
   324         #     mailto:
       
   325         #         sender: "[email protected]"
       
   326         #         require-tls: true
       
   327         #         helo-domain: "my.network" # defaults to server name if unset
       
   328         #         dkim:
       
   329         #             domain: "my.network"
       
   330         #             selector: "20200229"
       
   331         #             key-file: "dkim.pem"
       
   332         #         # to use an MTA/smarthost instead of sending email directly:
       
   333         #         # mta:
       
   334         #         #     server: localhost
       
   335         #         #     port: 25
       
   336         #         #     username: "admin"
       
   337         #         #     password: "hunter2"
       
   338         #         blacklist-regexes:
       
   339         #         #    - ".*@mailinator.com"
       
   340 
       
   341     # throttle account login attempts (to prevent either password guessing, or DoS
       
   342     # attacks on the server aimed at forcing repeated expensive bcrypt computations)
       
   343     login-throttling:
       
   344         enabled: true
       
   345 
       
   346         # window
       
   347         duration:  1m
       
   348 
       
   349         # number of attempts allowed within the window
       
   350         max-attempts: 3
       
   351 
       
   352     # some clients (notably Pidgin and Hexchat) offer only a single password field,
       
   353     # which makes it impossible to specify a separate server password (for the PASS
       
   354     # command) and SASL password. if this option is set to true, a client that
       
   355     # successfully authenticates with SASL will not be required to send
       
   356     # PASS as well, so it can be configured to authenticate with SASL only.
       
   357     skip-server-password: false
       
   358 
       
   359     # enable login to accounts via the PASS command, e.g., PASS account:password
       
   360     # this is sometimes useful for compatibility with old clients that don't support SASL
       
   361     login-via-pass-command: false
       
   362 
       
   363     # require-sasl controls whether clients are required to have accounts
       
   364     # (and sign into them using SASL) to connect to the server
       
   365     require-sasl:
       
   366         # if this is enabled, all clients must authenticate with SASL while connecting
       
   367         enabled: true
       
   368 
       
   369         # IPs/CIDRs which are exempted from the account requirement
       
   370         exempted:
       
   371             - "localhost"
       
   372             # - '10.10.0.0/16'
       
   373 
       
   374     # nick-reservation controls how, and whether, nicknames are linked to accounts
       
   375     nick-reservation:
       
   376         # is there any enforcement of reserved nicknames?
       
   377         enabled: true
       
   378 
       
   379         # how many nicknames, in addition to the account name, can be reserved?
       
   380         additional-nick-limit: 2
       
   381 
       
   382         # method describes how nickname reservation is handled
       
   383         #   timeout:  let the user change to the registered nickname, give them X seconds
       
   384         #             to login and then rename them if they haven't done so
       
   385         #   strict:   don't let the user change to the registered nickname unless they're
       
   386         #             already logged-in using SASL or NickServ
       
   387         #   optional: no enforcement by default, but allow users to opt in to
       
   388         #             the enforcement level of their choice
       
   389         #
       
   390         # 'optional' matches the behavior of other NickServs, but 'strict' is
       
   391         # preferable if all your users can enable SASL.
       
   392         method: strict
       
   393 
       
   394         # allow users to set their own nickname enforcement status, e.g.,
       
   395         # to opt out of strict enforcement
       
   396         allow-custom-enforcement: false
       
   397 
       
   398         # rename-timeout - this is how long users have 'til they're renamed
       
   399         rename-timeout: 30s
       
   400 
       
   401         # format for guest nicknames:
       
   402         # 1. these nicknames cannot be registered or reserved
       
   403         # 2. if a client is automatically renamed by the server,
       
   404         #    this is the template that will be used (e.g., Guest-nccj6rgmt97cg)
       
   405         # 3. if enforce-guest-format (see below) is enabled, clients without
       
   406         #    a registered account will have this template applied to their
       
   407         #    nicknames (e.g., 'katie' will become 'Guest-katie')
       
   408         guest-nickname-format: "Guest-*"
       
   409 
       
   410         # when enabled, forces users not logged into an account to use
       
   411         # a nickname matching the guest template. a caveat: this may prevent
       
   412         # users from choosing nicknames in scripts different from the guest
       
   413         # nickname format.
       
   414         force-guest-format: false
       
   415 
       
   416         # when enabled, forces users logged into an account to use the
       
   417         # account name as their nickname. when combined with strict nickname
       
   418         # enforcement, this lets users treat nicknames and account names
       
   419         # as equivalent for the purpose of ban/invite/exception lists.
       
   420         force-nick-equals-account: {{oragono_force_nick_equals_account}}
       
   421 
       
   422     # multiclient controls whether oragono allows multiple connections to
       
   423     # attach to the same client/nickname identity; this is part of the
       
   424     # functionality traditionally provided by a bouncer like ZNC
       
   425     multiclient:
       
   426         # when disabled, each connection must use a separate nickname (as is the
       
   427         # typical behavior of IRC servers). when enabled, a new connection that
       
   428         # has authenticated with SASL can associate itself with an existing
       
   429         # client
       
   430         enabled: true
       
   431 
       
   432         # if this is disabled, clients have to opt in to bouncer functionality
       
   433         # using nickserv or the cap system. if it's enabled, they can opt out
       
   434         # via nickserv
       
   435         allowed-by-default: true
       
   436 
       
   437         # whether to allow clients that remain on the server even
       
   438         # when they have no active connections. The possible values are:
       
   439         # "disabled", "opt-in", "opt-out", or "mandatory".
       
   440         always-on: "opt-in"
       
   441 
       
   442         # whether to mark always-on clients away when they have no active connections:
       
   443         auto-away: "opt-in"
       
   444 
       
   445     # vhosts controls the assignment of vhosts (strings displayed in place of the user's
       
   446     # hostname/IP) by the HostServ service
       
   447     vhosts:
       
   448         # are vhosts enabled at all?
       
   449         enabled: true
       
   450 
       
   451         # maximum length of a vhost
       
   452         max-length: 64
       
   453 
       
   454         # regexp for testing the validity of a vhost
       
   455         # (make sure any changes you make here are RFC-compliant)
       
   456         valid-regexp: '^[0-9A-Za-z.\-_/]+$'
       
   457 
       
   458         # options controlling users requesting vhosts:
       
   459         user-requests:
       
   460             # can users request vhosts at all? if this is false, operators with the
       
   461             # 'vhosts' capability can still assign vhosts manually
       
   462             enabled: true
       
   463 
       
   464             # if uncommented, all new vhost requests will be dumped into the given
       
   465             # channel, so opers can review them as they are sent in. ensure that you
       
   466             # have registered and restricted the channel appropriately before you
       
   467             # uncomment this.
       
   468             #channel: "#vhosts"
       
   469 
       
   470             # after a user's vhost has been approved or rejected, they need to wait
       
   471             # this long (starting from the time of their original request)
       
   472             # before they can request a new one.
       
   473             cooldown: 168h
       
   474 
       
   475         # vhosts that users can take without approval, using `/HS TAKE`
       
   476         offer-list:
       
   477             #- "oragono.test"
       
   478 
       
   479     # modes that are set by default when a user connects
       
   480     # if unset, no user modes will be set by default
       
   481     # +i is invisible (a user's channels are hidden from whois replies)
       
   482     # see  /QUOTE HELP umodes  for more user modes
       
   483     default-user-modes: +i
       
   484 
       
   485     # support for deferring password checking to an external LDAP server
       
   486     # you should probably ignore this section! consult the grafana docs for details:
       
   487     # https://grafana.com/docs/grafana/latest/auth/ldap/
       
   488     # you will probably want to set require-sasl and disable accounts.registration.enabled
       
   489     # ldap:
       
   490     #     enabled: true
       
   491     #     # should we automatically create users if their LDAP login succeeds?
       
   492     #     autocreate: true
       
   493     #     # example configuration that works with Forum Systems's testing server:
       
   494     #     # https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
       
   495     #     host: "ldap.forumsys.com"
       
   496     #     port: 389
       
   497     #     timeout: 30s
       
   498     #     # example "single-bind" configuration, where we bind directly to the user's entry:
       
   499     #     bind-dn: "uid=%s,dc=example,dc=com"
       
   500     #     # example "admin bind" configuration, where we bind to an initial admin user,
       
   501     #     # then search for the user's entry with a search filter:
       
   502     #     #search-base-dns:
       
   503     #     #    - "dc=example,dc=com"
       
   504     #     #bind-dn: "cn=read-only-admin,dc=example,dc=com"
       
   505     #     #bind-password: "password"
       
   506     #     #search-filter: "(uid=%s)"
       
   507     #     # example of requiring that users be in a particular group
       
   508     #     # (note that this is an OR over the listed groups, not an AND):
       
   509     #     #require-groups:
       
   510     #     #    - "ou=mathematicians,dc=example,dc=com"
       
   511     #     #group-search-filter-user-attribute: "dn"
       
   512     #     #group-search-filter: "(uniqueMember=%s)"
       
   513     #     #group-search-base-dns:
       
   514     #     #    - "dc=example,dc=com"
       
   515     #     # example of group membership testing via user attributes, as in AD
       
   516     #     # or with OpenLDAP's "memberOf overlay" (overrides group-search-filter):
       
   517     #     attributes:
       
   518     #         member-of: "memberOf"
       
   519 
       
   520 # channel options
       
   521 channels:
       
   522     # modes that are set when new channels are created
       
   523     # +n is no-external-messages and +t is op-only-topic
       
   524     # see  /QUOTE HELP cmodes  for more channel modes
       
   525     default-modes: +nt
       
   526 
       
   527     # how many channels can a client be in at once?
       
   528     max-channels-per-client: 100
       
   529 
       
   530     # if this is true, new channels can only be created by operators with the
       
   531     # `chanreg` operator capability
       
   532     operator-only-creation: false
       
   533 
       
   534     # channel registration - requires an account
       
   535     registration:
       
   536         # can users register new channels?
       
   537         enabled: true
       
   538 
       
   539         # restrict new channel registrations to operators only?
       
   540         # (operators can then transfer channels to regular users using /CS TRANSFER)
       
   541         operator-only: false
       
   542 
       
   543         # how many channels can each account register?
       
   544         max-channels-per-account: 15
       
   545 
       
   546     # as a crude countermeasure against spambots, anonymous connections younger
       
   547     # than this value will get an empty response to /LIST (a time period of 0 disables)
       
   548     list-delay: 0s
       
   549 
       
   550 # operator classes
       
   551 oper-classes:
       
   552     # local operator
       
   553     "local-oper":
       
   554         # title shown in WHOIS
       
   555         title: Local Operator
       
   556 
       
   557         # capability names
       
   558         capabilities:
       
   559             - "local_kill"
       
   560             - "local_ban"
       
   561             - "local_unban"
       
   562             - "nofakelag"
       
   563             - "roleplay"
       
   564 
       
   565     # network operator
       
   566     "network-oper":
       
   567         # title shown in WHOIS
       
   568         title: Network Operator
       
   569 
       
   570         # oper class this extends from
       
   571         extends: "local-oper"
       
   572 
       
   573         # capability names
       
   574         capabilities:
       
   575             - "remote_kill"
       
   576             - "remote_ban"
       
   577             - "remote_unban"
       
   578 
       
   579     # server admin
       
   580     "server-admin":
       
   581         # title shown in WHOIS
       
   582         title: Server Admin
       
   583 
       
   584         # oper class this extends from
       
   585         extends: "local-oper"
       
   586 
       
   587         # capability names
       
   588         capabilities:
       
   589             - "rehash"
       
   590             - "die"
       
   591             - "accreg"
       
   592             - "sajoin"
       
   593             - "samode"
       
   594             - "vhosts"
       
   595             - "chanreg"
       
   596             - "history"
       
   597 
       
   598 # ircd operators
       
   599 opers:
       
   600     # operator named 'admin'; log in with /OPER admin [password]
       
   601     admin:
       
   602         # which capabilities this oper has access to
       
   603         class: "server-admin"
       
   604 
       
   605         # custom whois line
       
   606         whois-line: "server admin"
       
   607 
       
   608         # custom hostname
       
   609         vhost: "opr.{{oragono_network_name}}"
       
   610 
       
   611         # modes are the modes to auto-set upon opering-up
       
   612         modes: +is acjknoqtuxv
       
   613 
       
   614         # operators can be authenticated either by password (with the /OPER command),
       
   615         # or by certificate fingerprint, or both. if a password hash is set, then a
       
   616         # password is required to oper up (e.g., /OPER dan mypassword). to generate
       
   617         # the hash, use `oragono genpasswd`.
       
   618         password: "{{oragono_oper_pass_hash}}"
       
   619 
       
   620         # if a SHA-256 certificate fingerprint is configured here, then it will be
       
   621         # required to /OPER. if you comment out the password hash above, then you can
       
   622         # /OPER without a password.
       
   623         #fingerprint: "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
       
   624         # if 'auto' is set (and no password hash is set), operator permissions will be
       
   625         # granted automatically as soon as you connect with the right fingerprint.
       
   626         #auto: true
       
   627 
       
   628 # logging, takes inspiration from Insp
       
   629 logging:
       
   630     -
       
   631         # how to log these messages
       
   632         #
       
   633         #   file    log to a file
       
   634         #   stdout  log to stdout
       
   635         #   stderr  log to stderr
       
   636         #   (you can specify multiple methods, e.g., to log to both stderr and a file)
       
   637         method: stdout
       
   638 
       
   639         # filename to log to, if file method is selected
       
   640         # filename: ircd.log
       
   641 
       
   642         # type(s) of logs to keep here. you can use - to exclude those types
       
   643         #
       
   644         # exclusions take precedent over inclusions, so if you exclude a type it will NEVER
       
   645         # be logged, even if you explicitly include it
       
   646         #
       
   647         # useful types include:
       
   648         #   *               everything (usually used with exclusing some types below)
       
   649         #   server          server startup, rehash, and shutdown events
       
   650         #   accounts        account registration and authentication
       
   651         #   channels        channel creation and operations
       
   652         #   commands        command calling and operations
       
   653         #   opers           oper actions, authentication, etc
       
   654         #   services        actions related to NickServ, ChanServ, etc.
       
   655         #   internal        unexpected runtime behavior, including potential bugs
       
   656         #   userinput       raw lines sent by users
       
   657         #   useroutput      raw lines sent to users
       
   658         type: "* -userinput -useroutput"
       
   659 
       
   660         # one of: debug info warn error
       
   661         level: info
       
   662     #-
       
   663     #   # example of a file log that avoids logging IP addresses
       
   664     #   method: file
       
   665     #   filename: ircd.log
       
   666     #   type: "* -userinput -useroutput -connect-ip"
       
   667     #   level: debug
       
   668 
       
   669 # debug options
       
   670 debug:
       
   671     # when enabled, oragono will attempt to recover from certain kinds of
       
   672     # client-triggered runtime errors that would normally crash the server.
       
   673     # this makes the server more resilient to DoS, but could result in incorrect
       
   674     # behavior. deployments that would prefer to "start from scratch", e.g., by
       
   675     # letting the process crash and auto-restarting it with systemd, can set
       
   676     # this to false.
       
   677     recover-from-errors: true
       
   678 
       
   679     # optionally expose a pprof http endpoint: https://golang.org/pkg/net/http/pprof/
       
   680     # it is strongly recommended that you don't expose this on a public interface;
       
   681     # if you need to access it remotely, you can use an SSH tunnel.
       
   682     # set to `null`, "", leave blank, or omit to disable
       
   683     # pprof-listener: "localhost:6060"
       
   684 
       
   685 # datastore configuration
       
   686 datastore:
       
   687     # path to the datastore
       
   688     path: "/var/oragono/oragono.db"
       
   689 
       
   690     # if the database schema requires an upgrade, `autoupgrade` will attempt to
       
   691     # perform it automatically on startup. the database will be backed
       
   692     # up, and if the upgrade fails, the original database will be restored.
       
   693     autoupgrade: true
       
   694 
       
   695     # connection information for MySQL (currently only used for persistent history):
       
   696     mysql:
       
   697         enabled: false
       
   698         host: "localhost"
       
   699         port: 3306
       
   700         # if socket-path is set, it will be used instead of host:port
       
   701         #socket-path: "/var/run/mysqld/mysqld.sock"
       
   702         user: "oragono"
       
   703         password: "hunter2"
       
   704         history-database: "oragono_history"
       
   705         timeout: 3s
       
   706 
       
   707 # languages config
       
   708 languages:
       
   709     # whether to load languages
       
   710     enabled: false
       
   711 
       
   712     # default language to use for new clients
       
   713     # 'en' is the default English language in the code
       
   714     default: en
       
   715 
       
   716     # which directory contains our language files
       
   717     path: languages
       
   718 
       
   719 # limits - these need to be the same across the network
       
   720 limits:
       
   721     # nicklen is the max nick length allowed
       
   722     nicklen: 32
       
   723 
       
   724     # identlen is the max ident length allowed
       
   725     identlen: 20
       
   726 
       
   727     # channellen is the max channel length allowed
       
   728     channellen: 64
       
   729 
       
   730     # awaylen is the maximum length of an away message
       
   731     awaylen: 500
       
   732 
       
   733     # kicklen is the maximum length of a kick message
       
   734     kicklen: 1000
       
   735 
       
   736     # topiclen is the maximum length of a channel topic
       
   737     topiclen: 1000
       
   738 
       
   739     # maximum number of monitor entries a client can have
       
   740     monitor-entries: 100
       
   741 
       
   742     # whowas entries to store
       
   743     whowas-entries: 100
       
   744 
       
   745     # maximum length of channel lists (beI modes)
       
   746     chan-list-modes: 60
       
   747 
       
   748     # maximum number of messages to accept during registration (prevents
       
   749     # DoS / resource exhaustion attacks):
       
   750     registration-messages: 1024
       
   751 
       
   752     # message length limits for the new multiline cap
       
   753     multiline:
       
   754         max-bytes: 4096 # 0 means disabled
       
   755         max-lines: 100  # 0 means no limit
       
   756 
       
   757 # fakelag: prevents clients from spamming commands too rapidly
       
   758 fakelag:
       
   759     # whether to enforce fakelag
       
   760     enabled: true
       
   761 
       
   762     # time unit for counting command rates
       
   763     window: 1s
       
   764 
       
   765     # clients can send this many commands without fakelag being imposed
       
   766     burst-limit: 5
       
   767 
       
   768     # once clients have exceeded their burst allowance, they can send only
       
   769     # this many commands per `window`:
       
   770     messages-per-window: 2
       
   771 
       
   772     # client status resets to the default state if they go this long without
       
   773     # sending any commands:
       
   774     cooldown: 2s
       
   775 
       
   776 # the roleplay commands are semi-standardized extensions to IRC that allow
       
   777 # sending and receiving messages from pseudo-nicknames. this can be used either
       
   778 # for actual roleplaying, or for bridging IRC with other protocols.
       
   779 roleplay:
       
   780     # are roleplay commands enabled at all? (channels and clients still have to
       
   781     # opt in individually with the +E mode)
       
   782     enabled: true
       
   783 
       
   784     # require the "roleplay" oper capability to send roleplay messages?
       
   785     require-oper: false
       
   786 
       
   787     # require channel operator permissions to send roleplay messages?
       
   788     require-chanops: false
       
   789 
       
   790     # add the real nickname, in parentheses, to the end of every roleplay message?
       
   791     add-suffix: true
       
   792 
       
   793 # history message storage: this is used by CHATHISTORY, HISTORY, znc.in/playback,
       
   794 # various autoreplay features, and the resume extension
       
   795 history:
       
   796     # should we store messages for later playback?
       
   797     # by default, messages are stored in RAM only; they do not persist
       
   798     # across server restarts. however, you may want to understand how message
       
   799     # history interacts with the GDPR and/or any data privacy laws that apply
       
   800     # in your country and the countries of your users.
       
   801     enabled: true
       
   802 
       
   803     # how many channel-specific events (messages, joins, parts) should be tracked per channel?
       
   804     channel-length: 2048
       
   805 
       
   806     # how many direct messages and notices should be tracked per user?
       
   807     client-length: 256
       
   808 
       
   809     # how long should we try to preserve messages?
       
   810     # if `autoresize-window` is 0, the in-memory message buffers are preallocated to
       
   811     # their maximum length. if it is nonzero, the buffers are initially small and
       
   812     # are dynamically expanded up to the maximum length. if the buffer is full
       
   813     # and the oldest message is older than `autoresize-window`, then it will overwrite
       
   814     # the oldest message rather than resize; otherwise, it will expand if possible.
       
   815     autoresize-window: 3d
       
   816 
       
   817     # number of messages to automatically play back on channel join (0 to disable):
       
   818     autoreplay-on-join: 0
       
   819 
       
   820     # maximum number of CHATHISTORY messages that can be
       
   821     # requested at once (0 disables support for CHATHISTORY)
       
   822     chathistory-maxmessages: 100
       
   823 
       
   824     # maximum number of messages that can be replayed at once during znc emulation
       
   825     # (znc.in/playback, or automatic replay on initial reattach to a persistent client):
       
   826     znc-maxmessages: 2048
       
   827 
       
   828     # options to delete old messages, or prevent them from being retrieved
       
   829     restrictions:
       
   830         # if this is set, messages older than this cannot be retrieved by anyone
       
   831         # (and will eventually be deleted from persistent storage, if that's enabled)
       
   832         expire-time: 1w
       
   833 
       
   834         # if this is set, logged-in users cannot retrieve messages older than their
       
   835         # account registration date, and logged-out users cannot retrieve messages
       
   836         # older than their sign-on time (modulo grace-period, see below):
       
   837         enforce-registration-date: false
       
   838 
       
   839         # but if this is set, you can retrieve messages that are up to `grace-period`
       
   840         # older than the above cutoff time. this is recommended to allow logged-out
       
   841         # users to do session resumption / query history after disconnections.
       
   842         grace-period: 1h
       
   843 
       
   844     # options to store history messages in a persistent database (currently only MySQL):
       
   845     persistent:
       
   846         enabled: false
       
   847 
       
   848         # store unregistered channel messages in the persistent database?
       
   849         unregistered-channels: false
       
   850 
       
   851         # for a registered channel, the channel owner can potentially customize
       
   852         # the history storage setting. as the server operator, your options are
       
   853         # 'disabled' (no persistent storage, regardless of per-channel setting),
       
   854         # 'opt-in', 'opt-out', and 'mandatory' (force persistent storage, ignoring
       
   855         # per-channel setting):
       
   856         registered-channels: "opt-out"
       
   857 
       
   858         # direct messages are only stored in the database for logged-in clients;
       
   859         # you can control how they are stored here (same options as above).
       
   860         # if you enable this, strict nickname reservation is strongly recommended
       
   861         # as well.
       
   862         direct-messages: "opt-out"
       
   863 
       
   864     # options to control how messages are stored and deleted:
       
   865     retention:
       
   866         # allow users to delete their own messages from history?
       
   867         allow-individual-delete: false
       
   868 
       
   869         # if persistent history is enabled, create additional index tables,
       
   870         # allowing deletion of JSON export of an account's messages. this
       
   871         # may be needed for compliance with data privacy regulations.
       
   872         enable-account-indexing: false