# HG changeset patch
# User Luke Hoersten
# Date 1593878420 18000
# Node ID d843011c249d25fb0d4e6afc55547613ac69b002
# Parent 22c06d6916bf89326bb372e05d8f5613f024e4dc
Got ngircd + atheme services roles working.
diff -r 22c06d6916bf -r d843011c249d atheme/handlers/main.yaml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/atheme/handlers/main.yaml Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,5 @@
+---
+
+- name: restart atheme
+ become: yes
+ systemd: name="atheme-services.service" enabled="yes" daemon_reload="yes" state="restarted"
diff -r 22c06d6916bf -r d843011c249d atheme/tasks/main.yaml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/atheme/tasks/main.yaml Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,17 @@
+---
+
+- name: apt install atheme
+ become: yes
+ apt: name="atheme-services"
+ notify: restart atheme
+
+- name: configure atheme
+ become: yes
+ template:
+ src: "atheme.conf.j2"
+ dest: "/etc/atheme/atheme.conf"
+ notify: restart atheme
+
+- name: start atheme service
+ become: yes
+ systemd: name="atheme-services.service" state="started" enabled="yes" daemon_reload="yes"
diff -r 22c06d6916bf -r d843011c249d atheme/templates/atheme.conf.j2
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/atheme/templates/atheme.conf.j2 Sat Jul 04 11:00:20 2020 -0500
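Review bot: In atheme/handlers/main.yaml the `restart atheme` handler repeats `enabled="yes"` and `daemon_reload="yes"`, which the `start atheme service` task in atheme/tasks/main.yaml already sets, so the handler carries state it does not need to own. A handler that only restarts is easier to reason about: `systemd: name="atheme-services.service" state="restarted"`. A one-line comment above it, such as `# Restart interrupts NickServ/ChanServ/SASL while services relink; fires on package or config change`, would tell an operator what a notify costs.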
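Review bot: The `configure atheme` task in atheme/tasks/main.yaml writes /etc/atheme/atheme.conf without `owner`, `group` or `mode`, so its permissions are left to the umask or to whatever file was already there. An atheme.conf normally carries the uplink link passwords and the operator definitions (the rest of the template is outside this view, so that is inferred), and the file should not be world-readable. Under `template:` add `owner: root`, `group: <atheme-service-group>` and `mode: "0640"`, where the group is a placeholder for the account the packaged unit runs as. Separately, `notify: restart atheme` on the `apt install atheme` task means a first run starts the service and then restarts it when handlers fire; dropping that notify would leave only the config change to trigger a restart.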
@@ -0,0 +1,2850 @@ +/* This is an example configuration for Services. + * + * All statements end in semi-colons (';'). + * Shell style, C style, and C++ style comments may be used. + * + * Items marked with "(*)" are reconfigurable at runtime via REHASH. + */ + +/****************************************************************************** + * MODULES SECTION. * + ******************************************************************************/ + +/* + * These are the modules included with the core distribution of Services. + * + * You may be interested in the atheme community modules distribution as + * well, which adds additional features that may or may not be compatible + * with the project paradigms intended for maintainance of the core of + * atheme-services. + * + * Visit the atheme-services website for more information and to download them. + * + * Modules marked [experimental] will taint your atheme-services instance. Do + * not file any bug reports with us about using Services with those modules; + * they will be ignored. + */ + +/* Dynamic security modules. + * + * WARNING: If you select one of these modules, the default security policy included + * with Atheme may break. These modules are intended for people who know what they + * are doing and understand the implications of what they do. Security modules which + * are likely to break the default policy are prefixed with [!], if you are new to + * Atheme, you should avoid enabling them. + * + * If you find your security policy is broken, you may debug it while allowing normal + * operation of your IRC network by putting Atheme into "permissive mode". To do this, + * enable general::permissive_mode. + * + * [!] Infer "command:" namespace permissions modules/security/cmdperm + */ +#loadmodule "modules/security/cmdperm"; + +/* Protocol module. + * + * Please select a protocol module. Different servers use different protocols. 
+ * Below is a listing of ircd's known to work with the various protocol modules + * available. + * + * Asuka 1.2.1 or later modules/protocol/asuka + * Bahamut 2.1.x modules/protocol/bahamut + * Charybdis IRCd modules/protocol/charybdis + * ChatIRCd modules/protocol/chatircd1.1 + * DreamForge 4.6.7 or later modules/protocol/dreamforge + * InspIRCd 2.0 modules/protocol/inspircd + * ircd-ratbox 2.0 and later modules/protocol/ratbox + * IRCNet ircd (ircd 2.11) modules/protocol/ircnet + * ircd-seven modules/protocol/ircd-seven + * Nefarious IRCu 0.4.0 or later modules/protocol/nefarious + * ngIRCd 19 or later [experimental] modules/protocol/ngircd + * UnrealIRCd 3.2.* modules/protocol/unreal + * UnrealIRCd 4 or later modules/protocol/unreal4 + * + * If your IRCd vendor has supplied a module file, build it and load it here + * instead of one above. + */ +loadmodule "modules/protocol/ngircd"; + +/* Protocol mixins. + * + * These should be used if you do not have/want certain features on your + * network that your ircd normally has. If you do not know what this means, + * you do not need any of them. + * + * Disable halfops modules/protocol/mixin_nohalfops + * Disable holdnick (use enforcer clients) modules/protocol/mixin_noholdnick + * Disable "protect" mode on channels modules/protocol/mixin_noprotect + * Disable "owner" mode on channels modules/protocol/mixin_noowner + */ +#loadmodule "modules/protocol/mixin_nohalfops"; +#loadmodule "modules/protocol/mixin_noholdnick"; +#loadmodule "modules/protocol/mixin_noprotect"; +#loadmodule "modules/protocol/mixin_noowner"; + +/* Database backend module. + * + * Please select a database backend module. Different backends allow for + * different ways in which the services data can be manipulated. YOU MAY + * ONLY HAVE ONE OF THESE BACKENDS LOADED. 
+ * + * The following backends are available: + * + * Atheme 0.1 flatfile database format modules/backend/flatfile + * Open Services Exchange database format modules/backend/opensex + * + * Most networks will want opensex. + */ +loadmodule "modules/backend/opensex"; + +/* Password hashing modules. + * + * If you would like encryption for your services passwords, or to migrate + * from another IRC services package which used encryption for its passwords, + * please select a module here. + * + * The following encryption-capable crypto modules are available: + * + * Argon2 (Password Hashing Competition 2015) modules/crypto/argon2 + * scrypt (Tarsnap Online Backup Service) modules/crypto/scrypt + * PBKDF2 (Including support for SASL SCRAM-SHA) modules/crypto/pbkdf2v2 + * bcrypt (EksBlowfish; from Niels Provos etc.) modules/crypto/bcrypt + * SHA2-512 crypt(3) a la '$6$...' modules/crypto/crypt3-sha2-512 + * SHA2-256 crypt(3) a la '$5$...' modules/crypto/crypt3-sha2-256 + * + * If you do not load an encryption-capable crypto module, some features will + * not work correctly, and errors will be logged on e.g. user registration + * that it was not possible to encrypt their password. Support for running + * without an encryption-capable crypto module will be removed in a later + * version of this software; for now it is just *HIGHLY* discouraged. + * + * Note, that upon starting with an encryption-capable crypto module, YOUR + * UNENCRYPTED PASSWORDS ARE IMMEDIATELY AND *IRREVERSIBLY* CONVERTED. Make + * at least TWO backups of your database before experimenting with this. If + * you have several thousand accounts, this conversion may take a long time. 
+ * + * The following modules can only be used to /verify/ existing encrypted + * passwords, for example when upgrading from an older version of this + * software, or migrating from something else: + * + * PBKDF2 v1 (Atheme <= 7.2 compatibility) modules/crypto/pbkdf2 + * Raw SHA2-512 modules/crypto/rawsha2-512 + * Raw SHA2-256 modules/crypto/rawsha2-256 + * Anope SHA2-256 (Anope 2.0 compatibility) modules/crypto/anope-enc-sha256 + * Raw SHA1 (Anope ~1.8 compatibility) modules/crypto/rawsha1 + * Raw MD5 (Anope ~1.8 compatibility) modules/crypto/rawmd5 + * IRCServices (+ Anope) compatibility modules/crypto/ircservices + * MD5 crypt(3) (Atheme Linux compatibility) modules/crypto/crypt3-md5 + * DES crypt(3) (Atheme OS X compatibility) modules/crypto/crypt3-des + * Base64 (Anope ~1.8 compatibility) modules/crypto/base64 + * + * To transition between crypto schemes, load the preferred scheme first, + * and as users login or set new passwords, they will be migrated to the new + * preferred scheme. Like so: + * + * loadmodule "modules/crypto/argon2"; + * loadmodule "modules/crypto/scrypt"; + * loadmodule "modules/crypto/pbkdf2v2"; + * loadmodule "modules/crypto/pbkdf2"; + * loadmodule "modules/crypto/crypt3-md5"; + * + * The Argon2 module requires the argon2 reference library (./configure + * --with-argon2) and is *NOT* available in Atheme v7.2 or earlier. If you + * wish to use this module while retaining the possibility to downgrade to + * v7.2, please see the crypto {} documentation below. + * + * The Scrypt module requires libsodium (./configure --with-libsodium) and is + * *NOT* available in Atheme v7.2 or earlier. This module may also require a + * 64-bit Operating System to function correctly. + * + * The PBKDF2v2 module has no dependencies and is recommended. If you were + * previously using the PBKDF2 v1 module on v7.2, you must still keep it in + * the configuration here; the PBKDF2 v2 module cannot verify its password + * hashes. 
However, you should also load PBKDF2 v2 (if you don't decide to use + * anything else), because the PBKDF2 v1 module is now verify-only. + * + * The bcrypt module will truncate passwords greater than 72 characters. It is + * also capable of verifying the older $2a$ digests that contain an integer + * wrap-around bug, as used on e.g. Anope. It is not capable of verifying the + * PHP-bcrypt $2x$ and $2y$ digests; but $2y$ can simply be changed to $2b$. + * All successfully-verified passwords not using $2b$ will be converted to it. + * This is an encryption-capable module, but its use is discouraged unless you + * need to use it for interoperability with some other piece of software. + * + * The crypt3-* modules depend on your platform crypt(3) supporting the + * respective algorithms. This is not guaranteed to be the case. If you used + * modules/crypto/posix on Linux, you need crypt3-md5. If you used + * modules/crypto/posix on OS X, you need crypt3-des. These modules issue + * informational messages when loaded to the effect that they might break in + * the future. They also run selftests on load to verify that they will work. + * + * All available modules are listed below, in the preferred load order. The + * modules that are commented out are not available by default (please see + * the v7.3 release notes in NEWS.md) or may require a third-party library to + * use. If you know that you do not need a specific module, it is better to + * not load it, so comment it out. Do not change the order of the modules + * below unless you need to migrate from one to the other (as described + * above); in particular, putting verify-only modules above encryption- + * capable modules would be a waste of CPU time every time password + * verification for a user whose password was not encrypted by them is + * attempted. + * + * Comments that start with -- describe the ./configure option necessary to + * have this module built. 
+ */ +#loadmodule "modules/crypto/argon2"; /* --with-argon2 */ +#loadmodule "modules/crypto/scrypt"; /* --with-sodium */ +loadmodule "modules/crypto/pbkdf2v2"; +#loadmodule "modules/crypto/bcrypt"; /* See notes above */ +loadmodule "modules/crypto/pbkdf2"; /* Verify-only, see prev. */ +#loadmodule "modules/crypto/crypt3-sha2-512"; /* Needs crypt(3) support */ +#loadmodule "modules/crypto/crypt3-sha2-256"; /* Needs crypt(3) support */ +#loadmodule "modules/crypto/crypt3-md5"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/rawsha2-512"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/rawsha2-256"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/anope-enc-sha256"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/rawsha1"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/rawmd5"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/ircservices"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/crypt3-des"; /* --enable-legacy-pwcrypto */ +#loadmodule "modules/crypto/base64"; /* --enable-legacy-pwcrypto */ + +/* Authentication module. + * + * These allow using passwords from an external system. The password given + * when registering a new account is also checked against the external + * system. + * + * The following authentication modules are available: + * + * LDAP modules/auth/ldap + * + * The LDAP module requires OpenLDAP client libraries. It uses them in a + * synchronous manner, which means that an unresponsive LDAP server can + * freeze services. + */ +#loadmodule "modules/auth/ldap"; + +/* NickServ modules. + * + * Here you can disable or enable certain features of NickServ, by + * defining which modules are loaded. You can even disable NickServ + * entirely. Please note however, that an authentication service + * (either NickServ, or UserServ) is required for proper functionality. 
+ * + * Core components modules/nickserv/main + * Nickname access lists modules/nickserv/access + * Bad email address blocking modules/nickserv/badmail + * CertFP fingerprint managment modules/nickserv/cert + * DROP command modules/nickserv/drop + * Nickname enforcement modules/nickserv/enforce + * GHOST command modules/nickserv/ghost + * GROUP and UNGROUP commands modules/nickserv/group + * HELP command modules/nickserv/help + * Nickname expiry override (HOLD command) modules/nickserv/hold + * IDENTIFY command modules/nickserv/identify + * INFO command modules/nickserv/info + * Last quit message in INFO modules/nickserv/info_lastquit + * LIST command modules/nickserv/list + * LISTLOGINS command modules/nickserv/listlogins + * LISTMAIL command modules/nickserv/listmail + * LISTOWNMAIL command modules/nickserv/listownmail + * LOGIN command (for no_nick_ownership) modules/nickserv/login + * LOGOUT command modules/nickserv/logout + * MARK command modules/nickserv/mark + * Password quality validation modules/nickserv/pwquality + * FREEZE command modules/nickserv/freeze + * LISTCHANS command modules/nickserv/listchans + * LISTGROUPS command modules/nickserv/listgroups + * REGISTER command modules/nickserv/register + * Bypass registration limits (REGNOLIMIT) modules/nickserv/regnolimit + * Password reset (RESETPASS command) modules/nickserv/resetpass + * RESTRICT command modules/nickserv/restrict + * Password return (RETURN command) modules/nickserv/return + * Password retrieval (SENDPASS command) modules/nickserv/sendpass + * Password retrieval allowed to normal users modules/nickserv/sendpass_user + * Change primary nickname (SET ACCOUNTNAME) modules/nickserv/set_accountname + * SET EMAIL command modules/nickserv/set_email + * SET EMAILMEMOS command modules/nickserv/set_emailmemos + * SET ENFORCETIME command modules/nickserv/set_enforcetime + * SET HIDEMAIL command modules/nickserv/set_hidemail + * SET LANGUAGE command modules/nickserv/set_language + * SET NEVERGROUP 
command modules/nickserv/set_nevergroup + * SET NEVEROP command modules/nickserv/set_neverop + * SET NOGREET command modules/nickserv/set_nogreet + * SET NOMEMO command modules/nickserv/set_nomemo + * SET NOOP command modules/nickserv/set_noop + * SET NOPASSWORD command modules/nickserv/set_nopassword + * SET PASSWORD command modules/nickserv/set_password + * PRIVMSG instead of NOTICE (SET PRIVMSG cmd) modules/nickserv/set_privmsg + * Account info hiding (SET PRIVATE command) modules/nickserv/set_private + * SET PROPERTY command modules/nickserv/set_property + * SET PUBKEY command modules/nickserv/set_pubkey + * SET QUIETCHG command modules/nickserv/set_quietchg + * Password retrieval uses code (SETPASS cmd) modules/nickserv/setpass + * STATUS command modules/nickserv/status + * Nickname metadata viewer (TAXONOMY command) modules/nickserv/taxonomy + * VACATION command modules/nickserv/vacation + * VERIFY command modules/nickserv/verify + * VHOST command modules/nickserv/vhost + * Delay services account registrations modules/nickserv/waitreg + */ +loadmodule "modules/nickserv/main"; +#loadmodule "modules/nickserv/access"; +loadmodule "modules/nickserv/badmail"; +#loadmodule "modules/nickserv/cert"; +loadmodule "modules/nickserv/drop"; +#loadmodule "modules/nickserv/enforce"; +loadmodule "modules/nickserv/ghost"; +loadmodule "modules/nickserv/group"; +loadmodule "modules/nickserv/help"; +loadmodule "modules/nickserv/hold"; +loadmodule "modules/nickserv/identify"; +loadmodule "modules/nickserv/info"; +#loadmodule "modules/nickserv/info_lastquit"; +loadmodule "modules/nickserv/list"; +#loadmodule "modules/nickserv/listlogins"; +loadmodule "modules/nickserv/listmail"; +#loadmodule "modules/nickserv/listownmail"; +#loadmodule "modules/nickserv/login"; +loadmodule "modules/nickserv/logout"; +loadmodule "modules/nickserv/mark"; +#loadmodule "modules/nickserv/pwquality"; +loadmodule "modules/nickserv/freeze"; +loadmodule "modules/nickserv/listchans"; +loadmodule 
"modules/nickserv/listgroups"; +loadmodule "modules/nickserv/register"; +loadmodule "modules/nickserv/regnolimit"; +loadmodule "modules/nickserv/resetpass"; +loadmodule "modules/nickserv/restrict"; +loadmodule "modules/nickserv/return"; +loadmodule "modules/nickserv/setpass"; +#loadmodule "modules/nickserv/sendpass"; +loadmodule "modules/nickserv/sendpass_user"; +loadmodule "modules/nickserv/set_accountname"; +loadmodule "modules/nickserv/set_email"; +loadmodule "modules/nickserv/set_emailmemos"; +#loadmodule "modules/nickserv/set_enforcetime"; +loadmodule "modules/nickserv/set_hidemail"; +loadmodule "modules/nickserv/set_language"; +loadmodule "modules/nickserv/set_nevergroup"; +loadmodule "modules/nickserv/set_neverop"; +loadmodule "modules/nickserv/set_nogreet"; +loadmodule "modules/nickserv/set_nomemo"; +loadmodule "modules/nickserv/set_noop"; +#loadmodule "modules/nickserv/set_nopassword"; +loadmodule "modules/nickserv/set_password"; +#loadmodule "modules/nickserv/set_privmsg"; +#loadmodule "modules/nickserv/set_private"; +loadmodule "modules/nickserv/set_property"; +loadmodule "modules/nickserv/set_pubkey"; +loadmodule "modules/nickserv/set_quietchg"; +loadmodule "modules/nickserv/status"; +loadmodule "modules/nickserv/taxonomy"; +loadmodule "modules/nickserv/vacation"; +loadmodule "modules/nickserv/verify"; +loadmodule "modules/nickserv/vhost"; +#loadmodule "modules/nickserv/waitreg"; + +/* ChanServ modules. + * + * Here you can disable or enable certain features of ChanServ, by + * defining which modules are loaded. You can even disable ChanServ + * entirely. Please note that ChanServ requires an authentication + * service, either NickServ or UserServ will do. 
+ * + * Core components modules/chanserv/main + * ACCESS command (simplified ACL editing) modules/chanserv/access + * AKICK command modules/chanserv/akick + * BAN/UNBAN commands modules/chanserv/ban + * UNBAN self only (load ban or this not both) modules/chanserv/unban_self + * BANSEARCH command modules/chanserv/bansearch + * CLOSE command modules/chanserv/close + * CLONE command modules/chanserv/clone + * CLEAR command modules/chanserv/clear + * CLEAR AKICKS command modules/chanserv/clear_akicks + * CLEAR BANS command modules/chanserv/clear_bans + * CLEAR FLAGS command modules/chanserv/clear_flags + * CLEAR USERS command modules/chanserv/clear_users + * COUNT command modules/chanserv/count + * DROP command modules/chanserv/drop + * Forced flags changes modules/chanserv/fflags + * FLAGS command modules/chanserv/flags + * Forced foundership transfers modules/chanserv/ftransfer + * GETKEY command modules/chanserv/getkey + * HALFOP/DEHALFOP commands modules/chanserv/halfop + * HELP command modules/chanserv/help + * Channel expiry override (HOLD command) modules/chanserv/hold + * INFO command modules/chanserv/info + * INVITE command modules/chanserv/invite + * KICK/KICKBAN commands modules/chanserv/kick + * LIST command modules/chanserv/list + * MARK command modules/chanserv/mark + * Moderated channel registrations modules/chanserv/moderate + * OP/DEOP commands modules/chanserv/op + * OWNER/DEOWNER commands modules/chanserv/owner + * PROTECT/DEPROTECT commands modules/chanserv/protect + * QUIET command (+q support) modules/chanserv/quiet + * Channel takeover recovery (RECOVER command) modules/chanserv/recover + * REGISTER command modules/chanserv/register + * SET EMAIL command modules/chanserv/set_email + * SET ENTRYMSG command modules/chanserv/set_entrymsg + * SET FANTASY command modules/chanserv/set_fantasy + * SET GAMESERV command modules/chanserv/set_gameserv + * SET GUARD command modules/chanserv/set_guard + * SET KEEPTOPIC command modules/chanserv/set_keeptopic + 
* SET LIMITFLAGS command modules/chanserv/set_limitflags + * SET MLOCK command modules/chanserv/set_mlock + * SET PREFIX command modules/chanserv/set_prefix + * Channel info hiding (SET PRIVATE command) modules/chanserv/set_private + * SET PROPERTY command modules/chanserv/set_property + * SET PUBACL command modules/chanserv/set_pubacl + * SET RESTRICTED command modules/chanserv/set_restricted + * SET SECURE command modules/chanserv/set_secure + * SET TOPICLOCK command modules/chanserv/set_topiclock + * SET URL command modules/chanserv/set_url + * SET VERBOSE command modules/chanserv/set_verbose + * STATUS command modules/chanserv/status + * SYNC command (and automatic ACL syncing) modules/chanserv/sync + * Named Successor ACL flag modules/chanserv/successor_acl + * Channel metadata viewer (TAXONOMY command) modules/chanserv/taxonomy + * TEMPLATE command modules/chanserv/template + * TOPIC/TOPICAPPEND commands modules/chanserv/topic + * VOICE/DEVOICE commands modules/chanserv/voice + * WHY command modules/chanserv/why + * VOP/HOP/AOP/SOP commands modules/chanserv/xop + * This module provides emulation of the ircservices XOP scheme ONLY. + * Do not report discrepencies when using native commands to edit channel + * ACLs. This is intentional. + * Flood protection modules/chanserv/antiflood + * This module should be loaded after at least chanserv/quiet if you want + * the autoquiet feature to work. 
+ */ +loadmodule "modules/chanserv/main"; +loadmodule "modules/chanserv/access"; +loadmodule "modules/chanserv/akick"; +loadmodule "modules/chanserv/ban"; +#loadmodule "modules/chanserv/unban_self"; +loadmodule "modules/chanserv/bansearch"; +loadmodule "modules/chanserv/clone"; +loadmodule "modules/chanserv/close"; +loadmodule "modules/chanserv/clear"; +loadmodule "modules/chanserv/clear_akicks"; +loadmodule "modules/chanserv/clear_bans"; +loadmodule "modules/chanserv/clear_flags"; +loadmodule "modules/chanserv/clear_users"; +loadmodule "modules/chanserv/count"; +loadmodule "modules/chanserv/drop"; +#loadmodule "modules/chanserv/fflags"; +loadmodule "modules/chanserv/flags"; +loadmodule "modules/chanserv/ftransfer"; +loadmodule "modules/chanserv/getkey"; +#loadmodule "modules/chanserv/halfop"; +loadmodule "modules/chanserv/help"; +loadmodule "modules/chanserv/hold"; +loadmodule "modules/chanserv/info"; +loadmodule "modules/chanserv/invite"; +loadmodule "modules/chanserv/kick"; +loadmodule "modules/chanserv/list"; +loadmodule "modules/chanserv/mark"; +#loadmodule "modules/chanserv/moderate"; +loadmodule "modules/chanserv/op"; +#loadmodule "modules/chanserv/owner"; +#loadmodule "modules/chanserv/protect"; +#loadmodule "modules/chanserv/quiet"; +loadmodule "modules/chanserv/recover"; +loadmodule "modules/chanserv/register"; +loadmodule "modules/chanserv/set_email"; +loadmodule "modules/chanserv/set_entrymsg"; +loadmodule "modules/chanserv/set_fantasy"; +#loadmodule "modules/chanserv/set_gameserv"; +loadmodule "modules/chanserv/set_guard"; +loadmodule "modules/chanserv/set_keeptopic"; +#loadmodule "modules/chanserv/set_limitflags"; +loadmodule "modules/chanserv/set_mlock"; +loadmodule "modules/chanserv/set_prefix"; +#loadmodule "modules/chanserv/set_private"; +loadmodule "modules/chanserv/set_property"; +#loadmodule "modules/chanserv/set_pubacl"; +loadmodule "modules/chanserv/set_restricted"; +loadmodule "modules/chanserv/set_secure"; +loadmodule 
"modules/chanserv/set_topiclock"; +loadmodule "modules/chanserv/set_url"; +loadmodule "modules/chanserv/set_verbose"; +loadmodule "modules/chanserv/status"; +loadmodule "modules/chanserv/sync"; +#loadmodule "modules/chanserv/successor_acl"; +loadmodule "modules/chanserv/taxonomy"; +loadmodule "modules/chanserv/template"; +loadmodule "modules/chanserv/topic"; +loadmodule "modules/chanserv/voice"; +loadmodule "modules/chanserv/why"; +#loadmodule "modules/chanserv/xop"; +loadmodule "modules/chanserv/antiflood"; + +/* CHANFIX module. + * + * Here you can disable or enable certain features of CHANFIX, by + * defining which modules are loaded. + * + * Core components modules/chanfix/main + */ +#loadmodule "modules/chanfix/main"; + +/* OperServ modules. + * + * Here you can disable or enable certain features of OperServ, by + * defining which modules are loaded. + * + * Core components modules/operserv/main + * AKILL system modules/operserv/akill + * CLEARCHAN command modules/operserv/clearchan + * CLONES system modules/operserv/clones + * COMPARE command modules/operserv/compare + * GENHASH command modules/operserv/genhash + * GREPLOG command modules/operserv/greplog + * HELP command modules/operserv/help + * IGNORE system modules/operserv/ignore + * IDENTIFY command modules/operserv/identify + * INFO command modules/operserv/info + * INJECT command modules/operserv/inject + * JUPE command modules/operserv/jupe + * MODE command modules/operserv/mode + * MODINSPECT command modules/operserv/modinspect + * MODLIST command modules/operserv/modlist + * MODLOAD command modules/operserv/modload + * MODRELOAD command modules/operserv/modreload + * MODUNLOAD command modules/operserv/modunload + * NOOP system modules/operserv/noop + * Regex mass akill (RAKILL command) modules/operserv/rakill + * RAW command modules/operserv/raw + * READONLY command modules/operserv/readonly + * REHASH command modules/operserv/rehash + * RESTART command modules/operserv/restart + * Display regex 
matching (RMATCH command) modules/operserv/rmatch + * Most common realnames (RNC command) modules/operserv/rnc + * RWATCH system modules/operserv/rwatch + * + * Note that ALL of these SET commands only apply until the next rehash! + * + * ALL of the below SET commands (deprecated) modules/operserv/set + * SET AKICKTIME subcommand (temporarily) modules/operserv/set_akicktime + * SET CHANEXPIRE subcommand (temporarily) modules/operserv/set_chanexpire + * SET COMMITINTERVAL subcommand (temporarily) modules/operserv/set_commitinterval + * SET ENFORCEPREFIX subcommand (temporarily) modules/operserv/set_enforceprefix + * SET KLINETIME subcommand (temporarily) modules/operserv/set_klinetime + * SET MAXCHANACS subcommand (temporarily) modules/operserv/set_maxchanacs + * SET MAXCHANS subcommand (temporarily) modules/operserv/set_maxchans + * SET MAXFOUNDERS subcommand (temporarily) modules/operserv/set_maxfounders + * SET MAXLOGINS subcommand (temporarily) modules/operserv/set_maxlogins + * SET MAXNICKS subcommand (temporarily) modules/operserv/set_maxnicks + * SET MAXUSERS subcommand (temporarily) modules/operserv/set_maxusers + * SET MDLIMIT subcommand (temporarily) modules/operserv/set_mdlimit + * SET NICKEXPIRE subcommand (temporarily) modules/operserv/set_nickexpire + * SET RECONTIME subcommand (temporarily) modules/operserv/set_recontime + * SET SPAM subcommand (temporarily) modules/operserv/set_spam + * + * SGLINE system modules/operserv/sgline + * SHUTDOWN command modules/operserv/shutdown + * Non-config oper privileges (SOPER command) modules/operserv/soper + * Oper privilege display (SPECS command) modules/operserv/specs + * SQLINE system modules/operserv/sqline + * UPDATE command modules/operserv/update + * UPTIME command modules/operserv/uptime + */ +loadmodule "modules/operserv/main"; +loadmodule "modules/operserv/akill"; +#loadmodule "modules/operserv/clearchan"; +#loadmodule "modules/operserv/clones"; +loadmodule "modules/operserv/compare"; +#loadmodule 
"modules/operserv/genhash"; +#loadmodule "modules/operserv/greplog"; +loadmodule "modules/operserv/help"; +loadmodule "modules/operserv/identify"; +loadmodule "modules/operserv/ignore"; +loadmodule "modules/operserv/info"; +loadmodule "modules/operserv/jupe"; +loadmodule "modules/operserv/mode"; +loadmodule "modules/operserv/modinspect"; +loadmodule "modules/operserv/modlist"; +loadmodule "modules/operserv/modload"; +loadmodule "modules/operserv/modunload"; +loadmodule "modules/operserv/modreload"; +loadmodule "modules/operserv/noop"; +#loadmodule "modules/operserv/rakill"; +loadmodule "modules/operserv/readonly"; +loadmodule "modules/operserv/rehash"; +loadmodule "modules/operserv/restart"; +loadmodule "modules/operserv/rmatch"; +loadmodule "modules/operserv/rnc"; +loadmodule "modules/operserv/rwatch"; +loadmodule "modules/operserv/set"; +loadmodule "modules/operserv/sgline"; +loadmodule "modules/operserv/shutdown"; +#loadmodule "modules/operserv/soper"; +loadmodule "modules/operserv/specs"; +#loadmodule "modules/operserv/sqline"; +loadmodule "modules/operserv/update"; +loadmodule "modules/operserv/uptime"; + +/* MemoServ modules. + * + * Here you can disable or enable certain features of MemoServ, by + * defining which modules are loaded. You can even disable MemoServ + * entirely. 
+ * + * Core components modules/memoserv/main + * HELP command modules/memoserv/help + * SEND command modules/memoserv/send + * Channel memos (SENDOPS command) modules/memoserv/sendops + * Group memos (SENDGROUP command) modules/memoserv/sendgroup + * LIST command modules/memoserv/list + * READ command modules/memoserv/read + * FORWARD command modules/memoserv/forward + * DELETE command modules/memoserv/delete + * IGNORE command modules/memoserv/ignore + */ +loadmodule "modules/memoserv/main"; +loadmodule "modules/memoserv/help"; +loadmodule "modules/memoserv/send"; +loadmodule "modules/memoserv/sendops"; +loadmodule "modules/memoserv/sendgroup"; +loadmodule "modules/memoserv/list"; +loadmodule "modules/memoserv/read"; +loadmodule "modules/memoserv/forward"; +loadmodule "modules/memoserv/delete"; +loadmodule "modules/memoserv/ignore"; + +/* Global module. + * + * Like the other services, the Global noticer is a module. You can + * disable or enable it to your liking below. Please note that the + * Global noticer is dependent on OperServ for full functionality. + */ +loadmodule "modules/global/main"; + +/* InfoServ module. + * + * Like the other services, InfoServ is a module. You can disable or + * enable it to your liking below. + */ +loadmodule "modules/infoserv/main"; + +/* SASL agent module. + * + * Allows clients to authenticate to services via SASL with an appropriate + * ircd. You need the core components and at least one mechanism. 
+ * + * Core components modules/saslserv/main + * AUTHCOOKIE mechanism (for IRIS) modules/saslserv/authcookie + * ECDH-X25519-CHALLENGE mechanism modules/saslserv/ecdh-x25519-challenge + * ECDSA-NIST256P-CHALLENGE mechanism modules/saslserv/ecdsa-nist256p-challenge + * EXTERNAL mechanism (IRCv3.1+) modules/saslserv/external + * PLAIN mechanism modules/saslserv/plain + * SCRAM-SHA-* mechanisms modules/saslserv/scram + * + * ECDH-X25519-CHALLENGE support requires that Atheme be compiled against a + * cryptographic library that provides X25519 ECDH support (BoringSSL, + * LibreSSL, ARM mbedTLS, Nettle, Sodium). This will be checked while running + * ./configure. + * + * ECDSA-NIST256P-CHALLENGE support requires that Atheme be compiled against + * an OpenSSL with ECDSA support (not RHEL etc. unless you compile your own). + * This will be checked while running ./configure. + * + * You MUST read doc/SASL-SCRAM before loading modules/saslserv/scram! + */ +loadmodule "modules/saslserv/main"; +loadmodule "modules/saslserv/authcookie"; +#loadmodule "modules/saslserv/ecdh-x25519-challenge"; +#loadmodule "modules/saslserv/ecdsa-nist256p-challenge"; +#loadmodule "modules/saslserv/external"; +loadmodule "modules/saslserv/plain"; +#loadmodule "modules/saslserv/scram"; /* READ doc/SASL-SCRAM FIRST! */ + +/* GameServ modules. + * + * Here you can disable or enable certain features of GameServ, by + * defining which modules are loaded. You can even disable GameServ + * entirely. 
+ * + * Core components modules/gameserv/main + * DICE/WOD commands modules/gameserv/dice + * EIGHTBALL command modules/gameserv/eightball + * Game-specific dice calculators modules/gameserv/gamecalc + * HELP commands modules/gameserv/help + * LOTTERY command modules/gameserv/lottery + * NAMEGEN command modules/gameserv/namegen + * RPS command modules/gameserv/rps + */ +#loadmodule "modules/gameserv/main"; +#loadmodule "modules/gameserv/dice"; +#loadmodule "modules/gameserv/eightball"; +#loadmodule "modules/gameserv/gamecalc"; +#loadmodule "modules/gameserv/help"; +#loadmodule "modules/gameserv/lottery"; +#loadmodule "modules/gameserv/namegen"; +#loadmodule "modules/gameserv/rps"; + +/* RPGServ modules. + * + * Here you can disable or enable certain features of RPGServ, by + * defining which modules are loaded. You can even disable RPGServ + * entirely. + * + * Core components modules/rpgserv/main + * ENABLE/DISABLE commands modules/rpgserv/enable + * HELP command modules/rpgserv/help + * INFO command modules/rpgserv/info + * LIST command modules/rpgserv/list + * SEARCH command modules/rpgserv/search + * SET commands modules/rpgserv/set + */ +#loadmodule "modules/rpgserv/main"; +#loadmodule "modules/rpgserv/enable"; +#loadmodule "modules/rpgserv/help"; +#loadmodule "modules/rpgserv/info"; +#loadmodule "modules/rpgserv/list"; +#loadmodule "modules/rpgserv/search"; +#loadmodule "modules/rpgserv/set"; + +/* BotServ modules. + * + * Here you can disable or enable certain features of BotServ, by + * defining which modules are loaded. You can even disable BotServ + * entirely. 
+ *
+ * Core components modules/botserv/main
+ * HELP command modules/botserv/help
+ * INFO command modules/botserv/info
+ * NPC commands (SAY, ACT) modules/botserv/bottalk
+ * SET FANTASY command modules/botserv/set_fantasy
+ * SET NOBOT command modules/botserv/set_nobot
+ * SET PRIVATE command modules/botserv/set_private
+ * SET SAYCALLER command modules/botserv/set_saycaller
+ */
+#loadmodule "modules/botserv/main";
+#loadmodule "modules/botserv/help";
+#loadmodule "modules/botserv/info";
+#loadmodule "modules/botserv/bottalk";
+#loadmodule "modules/botserv/set_fantasy";
+#loadmodule "modules/botserv/set_nobot";
+#loadmodule "modules/botserv/set_private";
+#loadmodule "modules/botserv/set_saycaller";
+
+/* HostServ modules.
+ *
+ * Here you can disable or enable certain features of HostServ, by
+ * defining which modules are loaded. You can even disable HostServ
+ * entirely.
+ *
+ * HostServ is a more complex, and optional virtual host management service.
+ * Users wishing only to set vhosts need not use it (they can use the builtin
+ * vhost management of NickServ instead).
+ *
+ * Core components modules/hostserv/main
+ * HELP command modules/hostserv/help
+ * OFFER system modules/hostserv/offer
+ * ON and OFF commands modules/hostserv/onoff
+ * REQUEST system modules/hostserv/request
+ * VHOST and LISTVHOST commands modules/hostserv/vhost
+ * VHOSTNICK command modules/hostserv/vhostnick
+ * GROUP command modules/hostserv/group
+ * DROP command modules/hostserv/drop
+ */
+#loadmodule "modules/hostserv/main";
+#loadmodule "modules/hostserv/help";
+#loadmodule "modules/hostserv/onoff";
+#loadmodule "modules/hostserv/offer";
+#loadmodule "modules/hostserv/request";
+#loadmodule "modules/hostserv/vhost";
+#loadmodule "modules/hostserv/vhostnick";
+#loadmodule "modules/hostserv/group";
+#loadmodule "modules/hostserv/drop";
+
+/* HelpServ modules.
+ * HelpServ allows users to request help from network staff in a few different ways.
+ *
+ * Core components modules/helpserv/main
+ * HELPME command modules/helpserv/helpme
+ * Help Ticket system modules/helpserv/ticket
+ * Service List modules/helpserv/services
+ *
+ * The ticket system works like a bugtracker ot helpdesk ticket system, HELPME
+ * works like a one-time alert. You should probably only load one of the two systems.
+ */
+#loadmodule "modules/helpserv/main";
+#loadmodule "modules/helpserv/helpme";
+#loadmodule "modules/helpserv/ticket";
+#loadmodule "modules/helpserv/services";
+
+/* Channel listing service.
+ *
+ * Allows users to list channels with more flexibility than the /list
+ * command.
+ *
+ * Core components modules/alis/main
+ */
+#loadmodule "modules/alis/main";
+
+/* StatServ module.
+ * StatServ provides basic statistics and split tracking.
+ *
+ * Core components modules/statserv/main
+ * CHANNEL command modules/statserv/channel
+ * NETSPLIT command modules/statserv/netsplit
+ * SERVER command modules/statserv/server
+ */
+loadmodule "modules/statserv/main";
+#loadmodule "modules/statserv/channel";
+loadmodule "modules/statserv/netsplit";
+loadmodule "modules/statserv/server";
+
+/* GroupServ module.
+ * GroupServ allows users to create groups to easily mass-manage channel
+ * access and more.
+ *
+ * Core components modules/groupserv/main
+ * ACSNOLIMIT command modules/groupserv/acsnolimit
+ * DROP command modules/groupserv/drop
+ * FFLAGS command modules/groupserv/fflags
+ * FLAGS command modules/groupserv/flags
+ * HELP command modules/groupserv/help
+ * INFO command modules/groupserv/info
+ * JOIN command modules/groupserv/join
+ * LIST command modules/groupserv/list
+ * LISTCHANS command modules/groupserv/listchans
+ * REGISTER command modules/groupserv/register
+ * REGNOLIMIT command modules/groupserv/regnolimit
+ * INVITE command modules/groupserv/invite
+ * SET command modules/groupserv/set
+ * SET CHANNEL command modules/groupserv/set_channel
+ * SET DESCRIPTION command modules/groupserv/set_description
+ * SET EMAIL command modules/groupserv/set_email
+ * SET GROUPNAME command modules/groupserv/set_groupname
+ * SET JOINFLAGS command modules/groupserv/set_joinflags
+ * SET OPEN command modules/groupserv/set_open
+ * SET PUBLIC command modules/groupserv/set_public
+ * SET URL command modules/groupserv/set_url
+ *
+ */
+loadmodule "modules/groupserv/main";
+loadmodule "modules/groupserv/acsnolimit";
+loadmodule "modules/groupserv/drop";
+loadmodule "modules/groupserv/fflags";
+loadmodule "modules/groupserv/flags";
+loadmodule "modules/groupserv/help";
+loadmodule "modules/groupserv/info";
+loadmodule "modules/groupserv/join";
+loadmodule "modules/groupserv/list";
+loadmodule "modules/groupserv/listchans";
+loadmodule "modules/groupserv/register";
+loadmodule "modules/groupserv/regnolimit";
+#loadmodule "modules/groupserv/invite";
+loadmodule "modules/groupserv/set";
+loadmodule "modules/groupserv/set_channel";
+loadmodule "modules/groupserv/set_description";
+loadmodule "modules/groupserv/set_email";
+loadmodule "modules/groupserv/set_groupname";
+loadmodule "modules/groupserv/set_joinflags";
+loadmodule "modules/groupserv/set_open";
+loadmodule "modules/groupserv/set_public";
+loadmodule "modules/groupserv/set_url";
+
+/*
+ * Various modules.
+ *
+ * Atheme includes an optional HTTP server that can be used for integration
+ * with portal software and other useful things. To enable it, load this
+ * module, and uncomment the httpd { } block towards the bottom of the config.
+ *
+ * HTTP Server modules/misc/httpd
+ */
+#loadmodule "modules/misc/httpd";
+
+/* XMLRPC server module.
+ *
+ * The XML-RPC handler requires modules/misc/httpd to be loaded as it merely
+ * registers a path handler for XML-RPC. The path used for XML-RPC is /xmlrpc.
+ *
+ * XMLRPC handler for the httpd modules/transport/xmlrpc
+ */
+#loadmodule "modules/transport/xmlrpc";
+
+/* Extended target entity types. [EXPERIMENTAL]
+ *
+ * Atheme can set up special target mapping entities which match multiple
+ * users in channel access entries. These target mapping entity types are
+ * defined through the 'exttarget' modules listed below.
+ *
+ * Exttarget handling core modules/exttarget/main
+ * $oper exttarget match type modules/exttarget/oper
+ * $registered exttarget match type modules/exttarget/registered
+ * $channel exttarget match type modules/exttarget/channel
+ * $chanacs exttarget match type modules/exttarget/chanacs
+ * $server exttarget match type modules/exttarget/server
+ */
+#loadmodule "modules/exttarget/main";
+#loadmodule "modules/exttarget/oper";
+#loadmodule "modules/exttarget/registered";
+#loadmodule "modules/exttarget/channel";
+#loadmodule "modules/exttarget/chanacs";
+#loadmodule "modules/exttarget/server";
+
+/* Proxyscan (DNSBL) modules.
+ *
+ * Atheme can also check set DNS Blacklists for matches and respond
+ * as set. Activate modules here and customize further down under Proxyscan
+ * section.
+ */
+#loadmodule "modules/proxyscan/main";
+#loadmodule "modules/proxyscan/dnsbl";
+
+/* Other modules.
+ *
+ * Put any other modules you want to load on startup here. The path
+ * is relative to PREFIX or PREFIX/lib/atheme, depending on how Atheme
+ * was compiled.
+ */
+#loadmodule "modules/contrib/backtrace";
+
+/******************************************************************************
+ * SERVICES RUNTIME CONFIGURATION SECTION. *
+ ******************************************************************************/
+
+/*
+ * This block controls the configuration options for crypto modules.
+ *
+ * It is recommended to either leave the values at their defaults, or
+ * experiment with them so that it takes approximately 0.2-0.4 seconds
+ * for users to identify. Services blocks while the password is being
+ * encrypted or verified, so don't set these too large, or people can
+ * hang services by trying many password attempts at once.
+ *
+ * A benchmark program for the Argon2, scrypt & PBKDF2 crypto code is
+ * available to assist with tuning these parameters:
+ *
+ * - ./configure --prefix=foo ...
+ * - make
+ * - make install
+ * - ${foo}/bin/atheme-crypto-benchmark -o
+ *
+ * If you wish to deploy SASL SCRAM support, please read 'doc/SASL-SCRAM' and
+ * pass the '-i' flag to the included cryptographic benchmarking utility too.
+ *
+ * If you are using the PBKDF2 module, its performance will be significantly
+ * affected by your choice of cryptographic digest library. This software can
+ * currently interface with 3 libraries; in decreasing order of performance:
+ *
+ * - OpenSSL (libcrypto)
+ * - GnuPG (libgcrypt)
+ * - ARM mbedTLS (libmbedcrypto)
+ *
+ * If you have one of these libraries available at configure-time, the PBKDF2
+ * module will perform significantly better, allowing you to raise its
+ * iteration count without affecting the computation time. This is indicated
+ * by the output of the configure script; "Digest Frontend". The benchmark
+ * program will also inform you what cryptographic digest library it is using,
+ * if any.
+ *
+ *
+ *
+ * If you are migrating from crypto/argon2d (v7.2) to crypto/argon2, and you
+ * wish to use the same parameters as the older module's defaults, configure
+ * it like so:
+ *
+ * crypto {
+ * argon2_type = "argon2d";
+ * argon2_memcost = 14;
+ * argon2_timecost = 32;
+ * argon2_threads = 1;
+ * argon2_saltlen = 32;
+ * argon2_hashlen = 64;
+ * };
+ *
+ *
+ *
+ * If you are migrating from crypto/pbkdf2 (v7.2) to crypto/pbkdf2v2, and you
+ * wish to use the same parameters as the older module, configure it like so:
+ *
+ * crypto {
+ * pbkdf2v2_digest = "SHA512";
+ * pbkdf2v2_rounds = 128000;
+ * };
+ *
+ * Note that this will still result in passwords being re-encrypted with the
+ * newer module (as the older module successfully verifies them); another new
+ * PBKDF2 computation with a new salt will occur, but this is still no worse
+ * than an invocation of NickServ's "SET PASSWORD" command. You will still
+ * need to keep the old module in your loadmodule configuration above, as the
+ * new module cannot verify digests produced by the old one.
+ *
+ * If you wish to deploy SASL SCRAM support, please read 'doc/SASL-SCRAM'.
+ * Its advice regarding parameter choice takes precedence over this!
+ */
+crypto {
+
+ /* (*) argon2_type
+ *
+ * The algorithm type to use for new passwords.
+ *
+ * Argon2d is suitable for use on a dedicated machine that has
+ * limited access. It provides the most resistance to GPU and ASIC
+ * cracking attacks, but its operation is data-dependent; that is,
+ * during its operation, keying material derived from the password
+ * itself is indirectly affecting the execution choices made by the
+ * algorithm. This creates a side-channel that can leak information
+ * about the password to other software running on the same physical
+ * machine.
+ *
+ * Argon2i avoids this by being data-independent. The order of memory
+ * accesses, conditional execution, etc. does not depend on the
+ * password, or any material derived from the password, so no side-
+ * channel that can reveal any information about the password is
+ * created. However, this means that it is easier to bruteforce by a
+ * password cracker, which does not have to account for execution
+ * differences in its implementation. This is the most suitable
+ * choice for running on a virtual machine that is co-located with
+ * other, untrusted, virtual machines, or on a dedicated machine that
+ * runs other, untrusted, software, or has untrusted user access.
+ *
+ * Argon2id is a blend of both, limiting the exploitability of any
+ * side-channels while retaining excellent resistance to GPU and ASIC
+ * cracking. This is suitable for all but the most sensitive of
+ * deployments.
+ *
+ * All algorithm types perform about equally as well as each other;
+ * changing this will not significantly affect the computation time.
+ *
+ * The "argon2id" type requires a more recent libargon2 library. This
+ * is indicated in your ./configure output ("checking if libargon2
+ * algorithm type Argon2id appears to be usable...").
+ *
+ * Valid values are "argon2d", "argon2i", and "argon2id"
+ * The default is "argon2id"; unless unsupported, then "argon2d".
+ */
+ #argon2_type = "argon2id";
+
+ /* (*) argon2_memcost
+ *
+ * Memory cost (as a power of 2, in KiB) to use for new passwords.
+ *
+ * You should set this as high as is reasonable for the machine you
+ * will be running this software on. If this results in too slow a
+ * computation time, reset the time cost below to its minimum value.
+ * If it is still too slow, decrement this value (halving the memory
+ * usage) until it is fast enough. Alternatively, if it is still too
+ * fast after setting this to its highest reasonable value, raise the
+ * time cost below until it is not. A benchmark program is available
+ * alongside this software to aid in this process.
+ *
+ * WARNING: Do *NOT* set this to more than 20 (1 GiB RAM) on a 32-bit
+ * machine or a 32-bit Operating System!
+ *
+ * Valid values are 3 (8 KiB RAM) to 30 (1 TiB RAM) (inclusive)
+ * The default is 16 (64 MiB RAM)
+ */
+ #argon2_memcost = 16;
+
+ /* (*) argon2_timecost
+ *
+ * Time cost (iterations over the memory pool).
+ *
+ * Valid values are 3 to 1,048,576 (inclusive)
+ * The default is 3
+ */
+ #argon2_timecost = 3;
+
+ /* (*) argon2_threads
+ *
+ * Number of processor threads to use for new passwords.
+ *
+ * If you want to increase the amount of computation effort required,
+ * while not increasing the real ("wall clock") time required, raise
+ * this setting to its maximum reasonable value for the machine you
+ * will be running this software on.
+ *
+ * This software is not multi-threaded, so only one password will be
+ * verified at a time. Therefore, you do NOT need to divide this by
+ * the expected maximum number of simultaneous logins.
+ *
+ * It is pointless to set this higher than the number of hardware
+ * processing threads you have; increase the time cost above instead
+ * if you want to make it arbitrarily slower. Diminishing returns are
+ * to be expected once you exceed the number of hardware processing
+ * /cores/ you have; hyperthreading does NOT provide much (if any) of
+ * a boost for this workload.
+ *
+ * Increasing this value will *decrease* the real time required, so
+ * you may have to subsequently increase the time cost above again to
+ * make it "just slow enough" once more. A benchmark program is
+ * available alongside this software to aid in this process.
+ *
+ * WARNING: The (size of the) memory pool configured above is split
+ * between the threads, which can result in too small a memory area
+ * per-thread if many threads are used. If you set this value, it is
+ * HIGHLY RECOMMENDED that you run the included benchmarking program
+ * with the same configuration options, to confirm that it works!
+ *
+ * WARNING: This feature is experimental. Some of the code in this
+ * software is not thread-safe, and although every effort has been
+ * made to ensure that this feature will not interfere with the
+ * operation of this software, this cannot be guaranteed.
+ *
+ * Valid values are 1 to 255 (inclusive)
+ * The default is 1 (do not use any computation parallelism)
+ */
+ #argon2_threads = 1;
+
+ /* (*) argon2_saltlen
+ *
+ * Salt length (in bytes) to use for new passwords. You should only
+ * change this if absolutely necessary; for example, to interoperate
+ * with other software. Its value doesn't significantly affect the
+ * computation time.
+ *
+ * Valid values are 4 to 48 (inclusive)
+ * The default is 16
+ */
+ #argon2_saltlen = 16;
+
+ /* (*) argon2_hashlen
+ *
+ * Digest length (in bytes) to use for new passwords. You should only
+ * change this if absolutely necessary; for example, to interoperate
+ * with other software. Its value doesn't significantly affect the
+ * computation time.
+ *
+ * Valid values are 16 to 128 (inclusive)
+ * The default is 64
+ */
+ #argon2_hashlen = 64;
+
+ /* (*) scrypt_memlimit
+ *
+ * Memory limit (as a power of 2, in KiB) to use for new passwords.
+ *
+ * You should set this as high as is reasonable for the machine you
+ * will be running this software on. If this results in too slow a
+ * computation time, reset the opslimit below to its default value.
+ * If it is still too slow, decrement this value (halving the memory
+ * usage) until it is fast enough. Alternatively, if it is still too
+ * fast after setting this to its highest reasonable value, raise the
+ * opslimit below until it is not. A benchmark program is available
+ * alongside this software to aid in this process.
+ *
+ * WARNING: Do *NOT* set this to more than 20 (1 GiB RAM) on a 32-bit
+ * machine or a 32-bit Operating System!
+ *
+ * Valid values are 14 (16 MiB RAM) to 26 (64 GiB RAM) (inclusive)
+ * The default is 14 (16 MiB RAM)
+ */
+ #scrypt_memlimit = 14;
+
+ /* (*) scrypt_opslimit
+ *
+ * Amount of computation to perform for new passwords.
+ *
+ * The default value for this option is based on the default value of
+ * the above option. The recommended value is (memlimit_bytes / 32).
+ *
+ * Valid values are 32,768 to 4,294,967,295 (inclusive)
+ * The default is 524,288
+ */
+ #scrypt_opslimit = 524288;
+
+ /* (*) pbkdf2v2_digest
+ *
+ * Cryptographic digest algorithm to use (in HMAC mode).
+ *
+ * Valid values are "SHA1", "SHA2-256", and "SHA2-512".
+ * Additionally, the following aliases exist, for compatibility:
+ *
+ * "SHA-1" -> SHA1
+ * "SHA256" -> SHA2-256
+ * "SHA512" -> SHA2-512
+ * "SHA-256" -> SHA2-256
+ * "SHA-512" -> SHA2-512
+ *
+ * Finally, you can prefix this value with "SCRAM-" to enable the
+ * computation and storage of an RFC5802/SCRAM ServerKey & StoredKey,
+ * instead of a raw PBKDF2 digest (SaltedPassword). Verification of
+ * plaintext passwords against these digests can still be performed
+ * (for e.g. NickServ IDENTIFY or SASL PLAIN), by computing a new
+ * SCRAM ServerKey from the provided password and comparing it to the
+ * stored ServerKey, so setting this to a SCRAM mode does NOT prevent
+ * non-SCRAM logins. For these variants, please read doc/SASL-SCRAM.
+ *
+ * The default is "SHA2-512"
+ */
+ #pbkdf2v2_digest = "SHA2-512";
+
+ /* (*) pbkdf2v2_rounds
+ *
+ * This is the PBKDF2 "iteration count". You should raise this as high
+ * as is reasonable for the machine you will be running services on.
+ * However, note that if you are going to deploy SASL SCRAM support,
+ * the *client*, NOT services, performs the PBKDF2 calculation during
+ * login, so keep in mind that many mobile clients will not perform as
+ * well as a server, and reduce the iteration count accordingly. Also,
+ * some clients will refuse to perform a login at all if this is set
+ * too high. A benchmark program is included alongside this software to
+ * aid in tuning this parameter.
+ *
+ * Valid values are 10,000 to 5,000,000 (inclusive)
+ * The default is 64,000
+ */
+ #pbkdf2v2_rounds = 64000;
+
+ /* (*) pbkdf2v2_saltlen
+ * You should only change this if you *really* know what you're doing
+ * Valid values are 8 to 64 (inclusive)
+ * The default is 32
+ */
+ #pbkdf2v2_saltlen = 32;
+
+ /* (*) bcrypt_cost
+ *
+ * Amount of rounds to perform for new passwords (as a power of 2).
+ * You should raise this as high as is reasonable. A benchmark
+ * program is available alongside this software to aid in this
+ * process.
+ *
+ * Valid values are 4 to 31 (inclusive)
+ * The default is 7
+ */
+ #bcrypt_cost = 7;
+
+ /* (*) crypt3_sha2_256_rounds
+ * (*) crypt3_sha2_512_rounds
+ *
+ * Use of this option is restricted to certain C libraries!
+ * At present, only GNU libc6 ("glibc") v2.7+ is known to work.
+ *
+ * Valid values are 5,000 to 1,000,000 (inclusive)
+ * The default is 5,000
+ */
+ #crypt3_sha2_256_rounds = 5000;
+ #crypt3_sha2_512_rounds = 5000;
+};
+
+/* The serverinfo{} block defines how we appear on the IRC network. */
+serverinfo {
+ /* name
+ * The server name that this program uses on the IRC network.
+ * This is the name you'll have to use in C:/N:Lines. It must be
+ * unique on the IRC network and contain at least one dot, but does
+ * not have to be equal to any DNS name.
+ */
+ name = "{{atheme_server_host}}";
+
+ /* desc
+ * The ``server comment'' we send to the IRC network.
+ */
+ desc = "Atheme IRC Services";
+
+ /* numeric
+ * Some protocol drivers (Charybdis, Ratbox2, P10, IRCNet)
+ * require a server id, also known as a numeric. Please consult your
+ * ircd's documentation when providing this value.
+ */
+ numeric = "00A";
+
+ /* (*)recontime
+ * The number of seconds before we reconnect to the uplink.
+ */
+ recontime = 10;
+
+ /* (*)netname
+ * The name of your network.
+ */
+ netname = "{{atheme_server_host}}";
+
+ /* (*)hidehostsuffix
+ * P10 +x host hiding gives ..
+ * If using +x on asuka, this must agree
+ * with F:HIDDEN_HOST.
+ */
+ hidehostsuffix = "users.misconfigured";
+
+ /* (*)adminname
+ * The name of the person running this service.
+ */
+ adminname = "{{atheme_admin_name}}";
+
+ /* (*)adminemail
+ * The email address of the person running this service.
+ */
+ adminemail = "{{atheme_admin_email}}";
+
+ /* (*)registeremail
+ * The email address that messages should be originated from.
+ * If this is not set, then "noreply.$adminemail" will be used.
+ */
+ registeremail = "{{atheme_admin_email}}";
+
+ /* (*)hidden
+ * If this is enabled, Atheme will indicate to the uplink IRCd
+ * that it should not be included in /links output. This only works
+ * on the following IRCds at present: charybdis, ircd-seven, ratbox.
+ */
+ #hidden;
+
+ /* (*)mta
+ * The full path to your mail transfer agent.
+ * This is used for email authorization and password retrieval.
+ * Comment this out to disable sending email.
+ * Warning: sending email can disclose the IP of your services
+ * unless you take precautions (not discussed here further).
+ */
+ mta = "/usr/sbin/sendmail";
+
+ /* (*)loglevel
+ * Specify the default categories of logging information to record
+ * in the master Atheme logfile, usually var/atheme.log.
+ *
+ * Options include:
+ * debug, all - meta-keyword for all possible categories
+ * trace - meta-keyword for a little bit of info
+ * misc - like trace, but with some more miscellaneous info
+ * notice - meta-keyword for notice-like information
+ * ------------------------------------------------------------------------------
+ * error - critical errors
+ * info - miscillaneous log notices
+ * verbose - A bit more verbose than info, not quite as spammy as debug
+ * commands - all command use
+ * admin - administrative command use
+ * register - account and channel registrations
+ * set - changes of account or channel settings
+ * request - user requests (currently only vhosts)
+ * network - log notices related to network status
+ * rawdata - log raw data sent and received by services
+ * wallops -
+ */
+ loglevel = { error; info; admin; network; wallops; };
+
+ /* (*)maxlogins
+ * What is the maximum number of sessions allowed to login to one
+ * username? This reduces potential abuse. It is only checked on login.
+ */
+ maxlogins = 5;
+
+ /* (*)maxusers
+ * What are the maximum usernames that one email address can register?
+ * Set to 0 to disable this check (it can be slow currently).
+ */
+ maxusers = 5;
+
+ /* (*)mdlimit
+ * How many metadata entries can be added to an object?
+ */
+ mdlimit = 30;
+
+ /* (*)emaillimit, emailtime
+ * The maximum number of emails allowed to be sent in
+ * that amount of time (seconds). If this is exceeded,
+ * wallops will be sent, at most one per minute.
+ */
+ emaillimit = 10;
+ emailtime = 300;
+
+ /* (*)auth
+ * What type of username registration authorization do you want?
+ * If "email", Atheme will send a confirmation email to the address to
+ * ensure it's valid. If registration is not completed within one day,
+ * the username will expire. If "none", no message will be sent and
+ * the username will be fully registered.
+ * Valid values are: email, none.
+ */
+ auth = none;
+
+ /* casemapping
+ * Specify the casemapping to use. Almost all TSora (and any that follow
+ * the RFC correctly) ircds will use rfc1459 casemapping. Bahamut, Unreal,
+ * and other ``Dalnet'' ircds will use ascii casemapping.
+ * Valid values are: rfc1459, ascii.
+ */
+ casemapping = rfc1459;
+};
+
+/* uplink{} blocks define connections to IRC servers.
+ * Multiple may be defined but only one will be used at a time (IRC
+ * being a tree shaped network). Atheme does not currently link over SSL.
+ * To link Atheme over ssl, please connect Atheme to a local ircd and have that
+ * connect to your network over SSL.
+ */
+uplink "{{atheme_upstream_server}}" {
+ // The server name of the ircd you're linking to goes above.
+
+ // host
+ // The hostname to connect to.
+ host = "127.0.0.1";
+
+ // vhost
+ // The source IP to connect from, used on machines with multiple interfaces.
+ #vhost = "192.0.2.5";
+
+ // send_password
+ // The password sent for linking.
+ send_password = "{{atheme_server_pass}}";
+
+ // receive_password
+ // The password received for linking.
+ receive_password = "{{atheme_server_pass}}";
+
+ // port
+ // The port to connect to.
+ port = 6667;
+};
+
+/* this is an example for using an IPv6 address as an uplink */
+/* uplink "irc6.example.net" {
+ host = "::1";
+
+ // password
+ // If you want to have same send_password and accept_password, you
+ // can specify both using 'password' instead of individually.
+ password = "linkage";
+
+ port = 6667;
+};
+*/
+
+/* Services configuration.
+ *
+ * Each of these blocks can contain a nick, user, host, real and aliases.
+ * Several of them also have options specific to the service.
+ */
+
+/* NickServ configuration.
+ *
+ * The nickserv {} block contains settings specific to the NickServ modules.
+ *
+ * NickServ provides nickname or username registration and authentication
+ * services. It provides necessary authentication features required for
+ * Services to operate correctly. You should make sure these settings
+ * are properly configured for your network.
+ */
+nickserv {
+ /* (*)spam
+ * Have NickServ tell people about how great it and ChanServ are.
+ */
+ spam;
+
+ /* no_nick_ownership
+ * Enable this to disable nickname ownership (old userserv{}).
+ * This changes changes "nickname" to "account" in most messages,
+ * disables GHOST on users not logged in to the same account and
+ * makes the spam directive ineffective.
+ * It is suggested that the nick be set to UserServ, login.so
+ * be loaded instead of identify.so and ghost.so not be loaded.
+ */
+ #no_nick_ownership;
+
+ /* (*)nick
+ * The nickname we want NickServ to have.
+ */
+ nick = "NickServ";
+
+ /* (*)user
+ * The username we want NickServ to have.
+ */
+ user = "NickServ";
+
+ /* (*)host
+ * The hostname we want NickServ to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want NickServ to have.
+ */
+ real = "Nickname Services";
+
+ /* (*)aliases
+ * Command aliases for NickServ.
+ */
+ aliases {
+ "ID" = "IDENTIFY";
+ "MYACCESS" = "LISTCHANS";
+ };
+
+ /* (*)access
+ * This block allows you to modify the access level required to run
+ * commands. The list of possible accesses are listed in the operclass
+ * section later in this .conf . Note that you can only set the access
+ * on an actual command, not an alias.
+ */
+ access {
+ };
+
+ /* (*)maxnicks
+ * If GROUP is loaded, what are the maximum nicknames that one
+ * username can register?
+ */
+ maxnicks = 5;
+
+ /* (*)expire
+ * The number of days before inactive registrations are expired.
+ */
+ expire = 30;
+
+ /* (*)enforce_expire
+ * The number of days of no use after which to ignore enforcement
+ * settings on nicks.
+ */
+ #enforce_expire = 14;
+
+ /* (*)enforce_delay
+ * The number of seconds to delay nickchange enforcement settings
+ * on nicks.
+ */
+ #enforce_delay = 30;
+
+ /* (*)enforce_prefix
+ * The prefix to use when changing the user's nick on enforcement
+ */
+ #enforce_prefix = "Guest";
+
+ /* (*)waitreg_time
+ * The amount of time (in seconds) users have to wait between
+ * connecting to the network, and being able to register a services
+ * account. Minimum value 0 (disables the enforced delay), default
+ * value 0, maximum value 43200 (12 hours). Requires the
+ * "modules/nickserv/waitreg" module to be loaded to do anything.
+ */
+ #waitreg_time = 0;
+
+ /* (*)cracklib_dict
+ * The location and filename prefix of the cracklib dictionaries
+ * for use with nickserv/pwquality. This must be provided if you are
+ * going to be using nickserv/pwquality with cracklib support enabled.
+ */
+ #cracklib_dict = "/var/cache/cracklib/cracklib_dict";
+
+ /* (*)passwdqc_*
+ * Please see the passwdqc.conf(5) documentation for an explanation
+ * of these values. Affects modules/nickserv/pwquality if passwdqc
+ * support is enabled. Default values given below.
+ */
+ #passwdqc_max = 288; /* (8 <= value <= 288) */
+ #passwdqc_min_n0 = 20; /* (0 <= value <= passwdqc_max) */
+ #passwdqc_min_n1 = 16; /* (0 <= value <= passwdqc_min_n0) */
+ #passwdqc_min_n2 = 16; /* (0 <= value <= passwdqc_min_n1) */
+ #passwdqc_min_n3 = 12; /* (0 <= value <= passwdqc_min_n2) */
+ #passwdqc_min_n4 = 8; /* (0 <= value <= passwdqc_min_n3) */
+ #passwdqc_words = 4; /* (2 <= value <= 8) */
+
+ /* (*)pwquality_warn_only
+ * If this option is set and nickserv/pwquality is loaded, nickserv will just
+ * warn users that their password is insecure, recommend they change it and
+ * still register the nick. If this option is unset, it will refuse to
+ * register the nick at all until the user chooses a better password.
+ */
+ #pwquality_warn_only;
+
+ /* (*)show_custom_metadata
+ * Setting this option to false will prevent user-set metadata (via SET PROPERTY)
+ * from showing up in the INFO output. The TAXONOMY command will still function
+ * as usual, and INFO will point this out if users have metadata set.
+ */
+ show_custom_metadata;
+
+ /* (*)emailexempts
+ * A list of email addresses that will be exempt from the check of how many
+ * accounts one user may have. Any email address in this block may register
+ * an unlimited number of accounts/usernames.
+ */
+ emailexempts {
+ };
+
+ /*
+ * (*)shorthelp
+ *
+ * A list of commands that are displayed (with their full description) in the
+ * output of `/msg NickServ HELP'. Commands not in this list will be listed, but
+ * not with their descriptions. All commands with descriptions are still listed
+ * in `/msg NickServ HELP COMMANDS' regardless of the value set here.
+ *
+ * Optional; defaults to "ACCESS CERT DROP GHOST GROUP IDENTIFY INFO LISTCHANS
+ * LISTGROUPS LISTLOGINS LISTOWNMAIL LOGOUT REGAIN REGISTER RELEASE SENDPASS SET
+ * UNGROUP".
+ *
+ * A command in this list will only be printed if the corresponding module is
+ * loaded and the user has permission to use it. Set to an empty string to
+ * disable listing command descriptions in `/msg NickServ HELP'.
+ */
+ #shorthelp = "";
+};
+
+/* ChanServ configuration.
+ *
+ * The chanserv {} block contains settings specific to the ChanServ modules.
+ *
+ * ChanServ provides channel registration services, which allows users to own
+ * channels. It is not required, but is strongly recommended.
+ */
+chanserv {
+ /* (*)nick
+ * The nickname we want the client to have.
+ */
+ nick = "ChanServ";
+
+ /* (*)user
+ * The username we want the client to have.
+ */
+ user = "ChanServ";
+
+ /* (*)host
+ * The hostname we want the client to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS of the client.
+ */
+ real = "Channel Services";
+
+ /* reggroup
+ * The group that will receive Memos about
+ * channel Registration requests when
+ * chanserv/moderate is loaded.
+ */
+ #reggroup = "!Services-Team";
+
+ /* (*)aliases
+ * Command aliases for ChanServ.
+ */
+ aliases {
+ };
+
+ /* (*)access
+ * Command access changes for ChanServ.
+ */
+ access {
+ };
+
+ /* (*)maxchans
+ * What are the maximum channels that one username can register?
+ */
+ maxchans = 5;
+
+ /* fantasy
+ * Do you want to enable fantasy commands? This can
+ * use a lot of CPU up, and will only work if you have
+ * join_chans (in general) enabled as well.
+ */
+ fantasy;
+
+ /* (*) hide_xop
+ * Hide the XOP templates from sight. This is useful if you
+ * want to use templates and not have the XOP templates displayed.
+ */
+ #hide_xop;
+
+ /* (*) templates
+ * Defines what flags the global templates comprise.
+ *
+ * For the special XOP templates:
+ * These should all be different and not equal to the empty set,
+ * except that hop may be equal to vop to disable hop.
+ * Each subsequent level should have more flags (except +VHO).
+ * For optimal functioning of /cs forcexop, aop should not have
+ * any of +sRf, hop should not have any of +sRfoOr and vop should
+ * not have any of +sRfoOrhHt.
+ * If this is not specified, the values of Atheme 0.3 are used,
+ * which are generally less intuitive than these.
+ * Note: changing these leaves the flags of existing channel access
+ * entries unchanged, thus removing them of the view of /cs xop list.
+ * Usually the channel founder can use /cs forcexop to update the
+ * entries to the new levels.
+ *
+ * Advice:
+ * If you want to add a co-founder role, remove the flags permission
+ * from the SOP role, and define a co-founder role with flags
+ * permissions.
+ */
+ templates {
+ vop = "+AV";
+ hop = "+AHehitrv";
+ aop = "+AOehiortv";
+ sop = "+AOaefhiorstv";
+
+ founder = "+AFORaefhioqrstv";
+
+ /* some examples (which are commented out...) */
+ #member = "+Ai";
+ #op = "+AOiortv";
+ };
+
+ /* (*) deftemplates
+ * Defines default templates to set on new channels, as a
+ * space-separated list of name=+flags pairs.
+ * Note: at this time no syntax checking is done on this; it + * is your own responsibility to make sure it is correct. + */ + #deftemplates = "MEMBER=+Ai OP=+AOiortv"; + + /* (*) changets + * Change the channel TS to the registration time when someone + * recreates a registered channel, ensuring that they are deopped + * and all their modes are undone. Note that this involves ChanServ + * joining. When the channel was not recreated no deops will be done + * (apart from the SECURE option). + * This also solves the "join-mode" problem where someone recreates + * a registered channel and then sets some modes before they are + * deopped. + * This is currently supported for charybdis, ratbox, bahamut, + * and inspircd 1.1+. For charybdis and ratbox it only fully + * works with TS6, with TS5 bans and last-moment modes will + * still apply. + * (That can also be used to advantage, when first enabling this.) + */ + #changets; + + /* (*) trigger + * This setting allows you to change the trigger prefix for + * ChanServ's in-channel command feature (disableable via chanserv::fantasy). + * If no setting is provided, the default is used, which is "!". + * + * Other settings you could consider trying: ".", "~", "?", "`", "'". + */ + trigger = "!"; + + /* (*)expire + * The number of days before inactive registrations are expired. + */ + expire = 30; + + /* (*)maxchanacs + * The maximum number of entries allowed in a channel's access list + * (both channel ops and akicks), 0 for unlimited. + */ + maxchanacs = 0; + + /* (*)maxfounders + * The maximum number of founders allowed in a channel. + * Note that all founders have the exact same privileges and + * the list of founders is shown in various places. + */ + maxfounders = 4; + + /* (*)founder_flags + * The flags a user will get when they register a new channel. + * This MUST include at least 'F' or it will be ignored. + * If it is not set, Atheme will give the user all channel flags. 
+ */ + #founder_flags = "AFORefiorstv"; + + /* (*)akick_time + * The default expiration time (in minutes) for AKICKs. + * Comment this option out or set to zero for permanent AKICKs + * by default (the old behaviour). + */ + #akick_time = 10; + + /* (*)antiflood_enforce_method + * The enforcement method to use for flood protection by default. + * This may be overridden by channel staff. + * Available options are: quiet, kickban and akill. + */ + antiflood_enforce_method = quiet; + + /* (*)show_custom_metadata + * Setting this option to false will prevent user-set metadata (via SET PROPERTY) + * from showing up in the INFO output. The TAXONOMY command will still function + * as usual, and INFO will point this out if channels have metadata set. + */ + show_custom_metadata; + + /* + * (*)shorthelp + * + * A list of commands that are displayed (with their full description) in the + * output of `/msg ChanServ HELP'. Commands not in this list will be listed, but + * not with their descriptions. All commands with descriptions are still listed + * in `/msg ChanServ HELP COMMANDS' regardless of the value set here. + * + * Optional; defaults to "AKICK BAN CLEAR DEOP DEVOICE DROP FLAGS GETKEY INFO + * INVITE KICK KICKBAN OP QUIET REGISTER SET TOPIC UNBAN UNQUIET VOICE WHY". + * + * A command in this list will only be printed if the corresponding module is + * loaded and the user has permission to use it. Set to an empty string to + * disable listing command descriptions in `/msg ChanServ HELP'. + */ + #shorthelp = ""; +}; + +/* CHANFIX configuration. + * + * The chanfix {} block contains settings specific to the CHANFIX modules. + * + * CHANFIX provides channel recovery services without registration, which + * allows users to maintain control of channels even if ChanServ is not used + * to register them. + */ +chanfix { + /* (*)nick + * The nickname we want the client to have. + */ + nick = "ChanFix"; + + /* (*)user + * The username we want the client to have. 
+ */ + user = "ChanFix"; + + /* (*)host + * The hostname we want the client to have. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS of the client. + */ + real = "Channel Fixing Service"; + + /* (*)autofix + * Automatically fix channels if they become opless and meet fixing + * criteria. + */ + autofix; +}; + +/* Global noticing configuration. + * + * The global {} block contains settings specific to the Global notice module. + * + * The Global notice module provides the ability to mass-notify a network. + */ +global { + /* (*)nick + * Sets the nick used for sending out a global notice. + */ + nick = "Global"; + + /* (*)user + * Sets the username used for this client. + */ + user = "Global"; + + /* (*)host + * The hostname used for this client. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Network Announcements"; +}; + +/* InfoServ configuration + * + * The infoserv {} block contains settings specific to the InfoServ module. + * + * The InfoServ modules provides the ability to mass-notify a network and send + * news to users when they connect to the network. + */ +infoserv { + /* (*)nick + * Sets the nick used for InfoServ and sending out informational messages. + */ + nick = "InfoServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "InfoServ"; + + /* (*)host + * The hostname used for this client, + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Information Service"; + + /* (*)logoninfo_count + * The number of InfoServ messages a user will see upon connect. + * If there are more than this number, the user will be able to + * see the rest with /msg infoserv list . + */ + logoninfo_count = 3; +}; + +/* OperServ configuration. + * + * The operserv {} block contains settings specific to the OperServ modules. 
+ * + * OperServ provides essential network management tools for IRC operators + * on the IRC network. + */ +operserv { + /* (*)nick + * The nickname we want the Operator Service to have. + */ + nick = "OperServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "OperServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Operator Services"; + + /* (*)aliases + * Command aliases for OperServ. + */ + aliases { + }; + + /* (*)access + * Command access changes for OperServ. + */ + access { + }; +}; + +/* SaslServ configuration. + * + * The saslserv {} block contains settings specific to the SaslServ modules. + * + * SaslServ provides an authentication agent which is compatible with the + * SASL over IRC (SASL/IRC) protocol extension. + */ +saslserv { + /* (*)nick + * The nickname we want SaslServ to have. + */ + nick = "SaslServ"; + + /* (*)user + * The username we want SaslServ to have. + */ + user = "SaslServ"; + + /* (*)host + * The hostname we want SaslServ to have. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The realname (gecos) information we want SaslServ to have. + */ + real = "SASL Authentication Agent"; + + /* (*)hide_server_names + * Hide server names in the bad_password message. + */ + #hide_server_names; +}; + +/* MemoServ configuration. + * + * The memoserv {} block contains settings specific to the MemoServ modules. + * + * MemoServ provides a note-taking service that you can use to send notes + * to offline users (provided they are registered with Services). + */ +memoserv { + /* (*)nick + * The nickname we want MemoServ to have. + */ + nick = "MemoServ"; + + /* (*)user + * The username we want MemoServ to have. + */ + user = "MemoServ"; + + /* (*)host + * The hostname we want MemoServ to have. 
+ */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The realname (gecos) information we want MemoServ to have. + */ + real = "Memo Services"; + + /* (*)aliases + * Command aliases for MemoServ. + */ + aliases { + }; + + /* (*)access + * Command access changes for MemoServ. + */ + access { + }; + + /* (*)maxmemos + * What is the maximum amount of memos a user can have in their inbox? + */ + maxmemos = 30; +}; + +/* GameServ configuration. + * + * The gameserv {} block contains settings specific to the GameServ modules. + * + * GameServ provides various in-channel commands for games. + */ +gameserv { + /* (*)nick + * The nickname we want GameServ to have. + */ + nick = "GameServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "GameServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Game Services"; + + /* (*)aliases + * Command aliases for GameServ. + */ + aliases { + }; + + /* (*)access + * Command access changes for GameServ. + */ + access { + }; +}; + +/* RPGServ configuration. + * + * The rpgserv {} block contains settings specific to the RPGServ modules. + * + * RPGServ provides a facility for finding roleplaying channels. + */ +rpgserv { + /* (*)nick + * The nickname we want RPGServ to have. + */ + nick = "RPGServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "RPGServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "RPG Finding Services"; + + /* (*)aliases + * Command aliases for RPGServ. + */ + aliases { + }; + + /* (*)access + * Command access changes for RPGServ. + */ + access { + }; +}; + +/* BotServ configuration. + * + * The botserv {} block contains settings specific to the BotServ modules. + * + * BotServ provides virtual channel bots. 
+ */ +botserv { + /* (*)nick + * The nickname we want BotServ to have. + */ + nick = "BotServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "BotServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Bot Services"; + + /* (*)min_users + * Minimum number of users a channel must have before a Bot is allowed + * to be assigned to that channel. + */ + min_users = 0; +}; + +/* GroupServ configuration. + * + * The groupserv {} block contains settings specific to the GroupServ modules. + * + * GroupServ provides features for managing a collection of channels at once. + * + */ +groupserv { + /* (*)nick + * The nickname we want GroupServ to have. + */ + nick = "GroupServ"; + + /* (*)user + * The username we want GroupServ to have. + */ + user = "GroupServ"; + + /* (*)host + * The hostname we want GroupServ to have. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The realname (gecos) information we want GroupServ to have. + */ + real = "Group Management Services"; + + /* (*)aliases + * Command aliases for GroupServ. + */ + aliases { + }; + + /* (*)access + * Command access changes for GroupServ. + */ + access { + }; + + /* (*)maxgroups + * Maximum number of groups one username can be founder of. + */ + maxgroups = 5; + + /* (*)maxgroupacs + * Maximum number of access entries you may have in a group. + */ + maxgroupacs = 100; + + /* (*)enable_open_groups + * Setting this option will allow any group founder to mark + * their group as "anyone can join". + */ + enable_open_groups; + + /* (*)join_flags + * This is the GroupServ flagset that users who JOIN a open + * group will get upon join. Please check the groupserv/flags + * helpfile before changing this option. Valid flagsets (for + * example) would be: "+v" or "+cv". It is not valid to use + * minus flags (such as "-v") here. 
+ */ + join_flags = "+"; +}; + +/* HostServ configuration. + * + * The hostserv {} block contains settings specific to the HostServ modules. + * + * HostServ provides advanced virtual host management. + */ +hostserv { + /* (*)nick + * The nickname we want HostServ to have. + */ + nick = "HostServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "HostServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Host Management Services"; + + /* reggroup + * The group that will receive Memos about + * vHost requests. + */ + #reggroup = "!Services-Team"; + + /* (*)request_per_nick + * Whether the request system should work per nick or per account. + * The recommended setting is to leave this disabled, so that + * vhosts work as consistently as possible. + */ + #request_per_nick; + + /* (*)aliases + * Command aliases for HostServ. + */ + aliases { + "APPROVE" = "ACTIVATE"; + "DENY" = "REJECT"; + }; + + /* (*)access + * Command access changes for HostServ. + */ + access { + }; +}; + +/* HelpServ configuration + * + * The helpserv {} block contains settings specific to the HelpServ modules. + * + * HelpServ adds a few different ways for users to request help from network staff. + */ +helpserv { + /* (*)nick + * The nickname we want HelpServ to have. + */ + nick = "HelpServ"; + + /* (*)user + * The username we want HelpServ to have. + */ + user = "HelpServ"; + + /* (*)host + * The hostname we want HelpServ to have. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The realname (gecos) information we want HelpServ to have. + */ + real = "Help Services"; +}; + +/* StatServ configuration + * + * The statserv {} block contains settings specific to the StatServ modules. + * + * StatServ adds basic stats and split tracking. + */ +statserv { + /* (*)nick + * The nickname we want StatServ to have. 
+ */ + nick = "StatServ"; + + /* (*)user + * The username we want StatServ to have. + */ + user = "StatServ"; + + /* (*)host + * The hostname we want StatServ to have. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The realname (gecos) information we want StatServ to have. + */ + real = "Statistics Services"; +}; + +/* ALIS configuration. + * + * The alis {} block contains settings specific to the ALIS modules. + */ +alis { + /* (*)nick + * The nickname we want ALIS to have. + */ + nick = "ALIS"; + + /* (*)user + * The username we want ALIS to have. + */ + user = "alis"; + + /* (*)host + * The hostname we want ALIS to have. + */ + host = "{{atheme_server_host}}"; + + /* (*)real + * The realname (gecos) information we want ALIS to have. + */ + real = "Channel Directory"; + + /* (*)maxmatches + * The default maximum number of channels returned in a query. + * Privilege (chan:auspex) is required to ask for more. + * Minimum 8, default 64, maximum 128. + */ + #maxmatches = 64; +}; + +/* HTTP server configuration. + * + * The httpd {} block contains settings specific to the HTTP server module. + * + * The HTTP server in Services is used for serving XMLRPC requests. It can + * also serve static documents and statistics pages. + */ +httpd { + /* host + * The host that the HTTP server will listen on. + * Use 0.0.0.0 if you want to listen on all available hosts. + */ + host = "0.0.0.0"; + + /* host (ipv6) + * If you want, you can have Atheme listen on an IPv6 host too. + * Use :: if you want to listen on all available IPv6 hosts. + */ + #host = "::"; + + /* www_root + * The directory that contains the files that should be served by the httpd. + */ + www_root = "/var/www"; + + /* port + * The port that the HTTP server will listen on. + */ + port = 8080; +}; + +/* LDAP configuration. + * + * The ldap {} block contains settings specific to the LDAP authentication + * module. + */ +ldap { + /* (*)url + * LDAP URL of the server to use. 
+ */ + url = "ldap://127.0.0.1"; + + /* (*)dnformat + * Format string to convert an account name to an LDAP DN. + * Must contain exactly one %s which will be replaced by the account + * name. + * Services will attempt a simple bind with this DN and the given + * password; if this is successful the password is considered correct. + */ + dnformat = "cn=%s,dc=jillestest,dc=com"; +}; + +/****************************************************************************** + * LOGGING SECTION. * + ******************************************************************************/ + +/* + * logfile{} blocks can be used to set up log files other than the master + * logfile used by services, which is controlled by serverinfo::loglevel. + * + * The various logging categories are: + * debug, all - meta-keyword for all possible categories + * trace - meta-keyword for a little bit of info + * misc - like trace, but with some more miscillaneous info + * notice - meta-keyword for notice-like information + * ------------------------------------------------------------------------------ + * error - critical errors + * info - miscillaneous log notices + * verbose - A bit more verbose than info, not quite as spammy as debug + * commands - all command use + * admin - administrative command use + * register - account and channel registrations + * set - changes of account or channel settings + * request - user requests (currently only vhosts) + * network - log notices related to network status + * rawdata - log raw data sent and received by services + * wallops - + * denycmd - security model denials (commands, permissions) + */ + +/* + * This block logs all account and channel registrations and drops, + * and account and channel setting changes to var/account.log. + */ +logfile "var/account.log" { register; set; }; + +/* + * This block logs all command use to var/commands.log. + */ +logfile "var/commands.log" { commands; }; + +/* + * This block logs all security auditing information. 
+ */ +logfile "var/audit.log" { denycmd; }; + +/* + * You can log to IRC channels, and even split it by category, too. + * This entry provides roughly the same functionality as the old snoop + * feature. + */ +logfile "#services" { error; info; admin; request; register; denycmd; }; + +/* + * This block logs to server notices. + */ +logfile "!snotices" { error; info; request; denycmd; }; + +/****************************************************************************** + * GENERAL PARAMETERS CONFIGURATION SECTION. * + ******************************************************************************/ + +/* The general {} block defines general configuration options. */ +general { + /* (*)permissive_mode + * Whether or not security denials should be soft denials instead of + * hard denials. If security denials are soft denials, then they will + * only be logged to the denial log. + */ + #permissive_mode; + + /* (*)helpchan + * Network help channel. Shown to users when they request + * help for a command that doesn't exist. + */ + #helpchan = "#help"; + + /* (*)helpurl + * Network webpage for services help. Shown to users when they + * request help for a command that doesn't exist. + */ + #helpurl = "http://www.stack.nl/~jilles/irc/atheme-help/"; + + /* (*)silent + * If you want to prevent services from sending + * WALLOPS/GLOBOPS about things uncomment this. + * Not recommended. + */ + #silent; + + /* (*)verbose_wallops + * If you want services to send you more information about + * events that are occuring (in particular AKILLs), uncomment the + * directive below. + * + * WARNING! This may result in large amounts of wallops/globops + * floods. + */ + #verbose_wallops; + + /* (*)join_chans + * Should ChanServ be allowed to join registered channels? + * This option is useful for the fantasy command set. + * + * If enabled, you can tell ChanServ to join via SET GUARD ON. 
+ * + * If you use ircu-like ircd (asuka), you must + * leave this enabled, and put guard in default cflags. + * + * For ratbox it is recommended to leave it on and put guard in + * default cflags, in order that ChanServ does not have to join/part + * to do certain things. On the other hand, enabling this increases + * potential for bots fighting with ChanServ. + * + * Regardless of this option, ChanServ will temporarily join + * channels which would otherwise be empty if necessary to enforce + * akick/restricted/close, and to change the TS if changets is + * enabled. + */ + join_chans; + + /* (*)leave_chans + * Do we leave registered channels after everyone else has left? + * Turning this off serves little purpose, except to mark "official" + * network channels by keeping them open, and to preserve the + * topic and +beI lists. + */ + leave_chans; + + /* secure + * Do you want to require the use of /msg @? + * Turning this on helps protect against spoofers, but is disabled + * as most networks do not presently use it. + */ + #secure; + + /* (*)uflags + * The default flags to set for usernames upon registration. + * Valid values are: hold, neverop, noop, hidemail, nomemo, emailmemos, + * enforce, privmsg, private, quietchg and none. + */ + uflags = { hidemail; }; + + /* (*)cflags + * The default flags to set for channels upon registration. + * Valid values are: hold, secure, verbose, verbose_ops, keeptopic, + * topiclock, guard, private, nosync, limitflags, pubacl and none. + */ + cflags = { verbose; guard; }; + + /* (*)raw + * Do you want to allow SRAs to use the RAW and INJECT commands? + * These commands are for debugging. If you don't know how to use them + * then don't enable them. They are not supported. + */ + #raw; + + /* (*)flood_msgs + * Do you want services to detect floods? + * Set to how many messages before a flood is triggered. + * Note that some messages that need a lot of processing count + * as two or four messages. 
+ * If services receives `flood_msgs' within `flood_time' the user will + * trigger the flood protection. + * Setting this to zero disables flood protection. + */ + flood_msgs = 7; + + /* (*)flood_time + * Do you want services to detect floods? + * Set to how long before the counter resets. + * If services receives `flood_msgs' within `flood_time' the user will + * trigger the flood protection. + */ + flood_time = 10; + + /* (*)ratelimit_uses + * After how many uses of a command will users be throttled. + * After `ratelimit_uses' of a command within `ratelimit_period', users + * will not be able to run that ratelimited command until the period is up. + * Comment this, ratelimit_period below or both options out to disable rate limiting. + * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request, + * nickserv/register and chanserv/register. + */ + ratelimit_uses = 5; + + /* (*)ratelimit_period + * After how much time (in seconds) will the ratelimit_uses counter reset. + * After `ratelimit_uses' of a command within `ratelimit_period', users + * will not be able to run that ratelimited command until the period is up. + * Comment this, ratelimit_uses above or both options out to disable rate limiting. + * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request, + * nickserv/register and chanserv/register. + */ + ratelimit_period = 60; + + /* (*)vhost_change + * The default number of days between vHost changes once a user has used HostServ + * TAKE or REQUEST. (Helps to deter rabid host-swappers and ban evaders.) + */ + #vhost_change = 30; + + /* (*)kline_time + * The default expire time for KLINE's in days. + * Setting this to 0 makes all KLINE's permanent. + */ + kline_time = 7; + + /* (*)kline_with_ident + * KLINE user@host instead of *@host. + * Applies to all automatic KLINE's set by services. 
+ */ + #kline_with_ident; + + /* (*)kline_verified_ident + * KLINE *@host if the first character of the ident is ~, + * irrespective of the value of kline_with_ident. + */ + #kline_verified_ident; + + /* (*)clone_time + * This is the default expiry time for CLONE exemptions in minutes. + * Setting this to 0 makes all CLONE exemptions permanent. + */ + clone_time = 0; + + /* commit_interval + * The time between database writes in minutes. + */ + commit_interval = 5; + + /* (*)operstring + * The string returned in WHOIS (against services) for IRC operators. + */ + #operstring = "is an IRC Operator"; + + /* (*)servicestring + * The string returned in WHOIS (against services) for services. + */ + #servicestring = "is a Network Service"; + + /* (*)default_clone_allowed + * The limit after which clones will be KILLed or TKLINEd. + * Used by operserv/clones. + */ + default_clone_allowed = 5; + + /* (*)default_clone_warn + * The limit after which clones will be warned that they may not + * have any more concurrent connections. Should be lower than + * default_clone_allowed . Used by operserv/clones. + */ + default_clone_warn = 4; + + /* (*)clone_identified_increase_limit + * If this option is enabled, the clone limit for a IP/host will + * be increased by 1 per clone that's identified to services. + * This has a limit of double the clone limits above. + */ + clone_identified_increase_limit; + + /* (*)uplink_sendq_limit + * The maximum amount of data that may be queued to be sent + * to the uplink, in bytes. This should be enough to contain + * Atheme's response to the netburst, but smaller than the + * IRCd's sendq limit for servers. + */ + uplink_sendq_limit = 1048576; + + /* (*)language + * Language to use for channel and oper messages and as default + * for users. + */ + language = "en"; + + /* exempts + * This block contains a list of user@host masks. Users matching any + * of these will not be automatically K:lined by services. 
+ */ + exempts { + }; + + /* allow_taint + * By enabling this option, Atheme will run in configurations where + * the upstream will not provide support. By enabling this feature, + * you void any perceived rights to support. + */ + #allow_taint; + + /* (*)immune_level + * This option allows you to customize the operlevel which gets kick + * immunity privileges. + * + * The following flags are available: + * immune - require whatever ircd usermode is needed for kick + * immunity (this is the default); + * admin - require admin privileges for kick immunity + * ircop - require any ircop privileges for kick immunity (umode +o) + */ + immune_level = immune; + + /* show_entity_id + * This makes nick/user & group entity IDs visible to everyone, rather + * than just opers with user:auspex or group:auspex privileges. + */ + show_entity_id; + + /* load_database_mdeps + * + * For module dependencies listed in the services database (if any), + * whether to load those modules on startup (if they are not already + * loaded) or abort startup with a more helpful error message than + * e.g. "db services.db:123: unknown directive 'BE'" --> "corestorage: + * exiting to avoid data loss". + * + * Comment this out to abort startup instead of silently loading the + * modules you need to process the database successfully. The abort + * reason will tell you what module the database requires so that you + * can fix your configuration file. + */ + load_database_mdeps; +}; + +proxyscan { + /* Here you can configure the details of your Proxyscan (DNS Blacklist) + * scanner service. 
+ */ + + nick = "Proxyscan"; + user = "dnsbl"; + host = "{{atheme_server_host}}"; + real = "Proxyscan Service"; + + blacklists { + "dnsbl.dronebl.org"; + "rbl.efnetrbl.org"; + "tor.efnet.org"; + }; + + /* Available dnsbl_action's: + * NONE - Do nothing + * NOTIFY - Notify user that they are listed in a DNSBL and which one + * SNOOP - Report the user to the logchannel or services channel + * KLINE - AKILL the user from the network (default AKILL is 24 hours) + */ + + dnsbl_action = kline; +}; + +/****************************************************************************** + * OPERATOR AND PRIVILEGES CONFIGURATION SECTION. * + ******************************************************************************/ + +/* Operator configuration + * See the PRIVILEGES document for more information. + * NOTE: All changes apply immediately upon rehash. You may need + * to send a signal (killall -HUP atheme-services) to regain control. + */ +/* (*) Operclasses specify groups of services operator privileges */ +/* The "user" operclass specifies privileges all users get. + * This may be empty (default) in which case users get no special privileges. + * If you use the security/cmdperm module, you will need to grant command: privileges + * to every command that you want users to be able to use. + */ +operclass "user" { }; + +/* The "ircop" operclass specifies privileges all IRCops get. + * This may be empty in which case IRCops get no privs. + * At least chan:cmodes, chan:joinstaffonly and general:auspex are suggested. 
+ */ +operclass "ircop" { + privs { + special:ircop; + }; + + privs { + user:auspex; + user:admin; + user:sendpass; + user:vhost; + user:mark; + }; + + privs { + chan:auspex; + chan:admin; + chan:cmodes; + chan:joinstaffonly; + }; + + privs { + general:auspex; + general:helper; + general:viewprivs; + general:flood; + }; + + privs { + operserv:omode; + operserv:akill; + operserv:jupe; + operserv:global; + }; + + privs { + group:auspex; + group:admin; + }; +}; + +operclass "sra" { + /* You can inherit privileges from a lower operclass. */ + extends "ircop"; + + privs { + user:hold; + user:regnolimit; + }; + + privs { + general:metadata; + general:admin; + }; + + privs { + #operserv:massakill; + #operserv:akill-anymask; + operserv:noop; + operserv:grant; + }; + + /* needoper + * Only grant privileges to IRC users in this oper class if they + * are opered; other use of privilege (channel succession, XMLRPC, + * etc.) is unaffected by this. + * + * This flag is *not* inherited by operclasses that extend this one; + * you will have to set it explicitly for each operclass. + */ + needoper; +}; + + +/* (*) Operator blocks specify accounts with certain privileges + * Oper classes must be defined before they are used in operator blocks. + */ +operator "jilles" { + /* operclass */ + operclass = "sra"; + + /* password + * + * Normally, the user needs to identify/log in using the account's + * password, and may need to be an IRCop (see operclass::needoper + * above). If you consider this not secure enough, you can + * specify an additional password here, which the user must enter + * using the OperServ IDENTIFY command, before the privileges can + * be used. + * + * The password must be encrypted if a crypto module is in use. + * + * If you are using modules/crypto/crypt3-*, you can probably use + * the "mkpasswd" program included with most Linux distributions. + * Otherwise you can use modules/operserv/genhash to encrypt a + * password for use here. 
+ */ + #password = "$1$3gJMO9by$0G60YE6GqmuHVH3AnFPor1"; +}; + +/****************************************************************************** + * INCLUDE CONFIGURATION SECTION. * + ******************************************************************************/ + +/* You may also specify other files for inclusion. + * For example: + * + * include "etc/sras.conf"; + */ diff -r 22c06d6916bf -r d843011c249d ngircd/handlers/main.yaml --- a/ngircd/handlers/main.yaml Fri Jul 03 12:01:00 2020 -0500 +++ b/ngircd/handlers/main.yaml Sat Jul 04 11:00:20 2020 -0500 @@ -2,4 +2,4 @@ - name: restart ngircd become: yes - systemd: name="ngircd" state="restarted" daemon_reload="yes" + systemd: name="ngircd.service" state="restarted" daemon_reload="yes" diff -r 22c06d6916bf -r d843011c249d ngircd/tasks/main.yaml --- a/ngircd/tasks/main.yaml Fri Jul 03 12:01:00 2020 -0500 +++ b/ngircd/tasks/main.yaml Sat Jul 04 11:00:20 2020 -0500 @@ -5,29 +5,11 @@ apt: name="ngircd" notify: restart ngircd -- name: config server name - become: yes - lineinfile: - path: "/etc/ngircd/ngircd.conf" - regexp: '^ Name =' - line: " Name = {{ngircd_name}}" - notify: restart ngircd - -- name: config server local listen +- name: configure ngircd become: yes - lineinfile: - path: "/etc/ngircd/ngircd.conf" - regexp: '^ Listen =' - line: " Listen = 127.0.0.1" - insertafter: "^ ;Listen =" - notify: restart ngircd - -- name: config motd - become: yes - lineinfile: - path: "/etc/ngircd/ngircd.conf" - regexp: '^ Info =' - line: " Info = {{ngircd_motd}}" + template: + src: "ngircd.conf.j2" + dest: "/etc/ngircd/ngircd.conf" notify: restart ngircd - name: copy motd file 
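Review bot: The new `configure ngircd` task in ngircd/tasks/main.yaml (hunk `@@ -5,29 +5,11 @@`) renders all of `/etc/ngircd/ngircd.conf` without `owner`, `group` or `mode`, so the file keeps whatever permissions are already on disk, or gets umask defaults when it is created fresh. This file is where ngIRCd passwords live (the template's `;Password =` option is visible further down; operator and link passwords normally sit here too), so it should not be left world-readable by accident. I would pin it on the task with `owner: root`, `group: irc` and `mode: "0640"`. The group is taken from the template's `ServerGID = irc`, so confirm it matches what the package installs and that the daemon can still read the file on a rehash.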
@@ -35,9 +17,8 @@ copy: src: "{{ngircd_motd_src}}" dest: "/etc/ngircd/ngircd.motd" - mode: "0644" notify: restart ngircd - name: start ngircd service become: yes - systemd: name="ngircd" state="started" daemon_reload="yes" + systemd: name="ngircd" state="started" enabled="yes" daemon_reload="yes" diff -r 22c06d6916bf -r d843011c249d ngircd/templates/ngircd.conf.j2 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ngircd/templates/ngircd.conf.j2 Sat Jul 04 11:00:20 2020 -0500 
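Review bot: Dropping `mode: "0644"` from the `copy motd file` task (hunk `@@ -35,9 +17,8 @@`) leaves the mode of `/etc/ngircd/ngircd.motd` to the umask of the run, or to whatever is already on disk, so the outcome is no longer reproducible. Under a restrictive umask the file could end up unreadable once ngircd has dropped privileges. I would keep `mode: "0644"` and add `owner: root` and `group: root` so the daemon account cannot rewrite it. Separately, the start task still uses `name="ngircd"` while the handler in this commit moved to `ngircd.service`; one spelling in both places would be tidier. The `copy` task begins above the hunk, so its `become` and name lines are not visible here.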
@@ -0,0 +1,422 @@ +# +# This is a sample configuration file for the ngIRCd IRC daemon, which must +# be customized to the local preferences and needs. +# +# Comments are started with "#" or ";". +# +# A lot of configuration options in this file start with a ";". You have +# to remove the ";" in front of each variable to actually set a value! +# The disabled variables are shown with example values for completeness only +# and the daemon is using compiled-in default settings. +# +# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the +# server interprets the configuration file as expected! +# +# Please see ngircd.conf(5) for a complete list of configuration options +# and their descriptions. +# +# The original can be found at: +# /usr/share/doc/ngircd/sample-ngircd.conf.gz + +[Global] + # The [Global] section of this file is used to define the main + # configuration of the server, like the server name and the ports + # on which the server should be listening. + # These settings depend on your personal preferences, so you should + # make sure that they correspond to your installation and setup! + + # Server name in the IRC network, must contain at least one dot + # (".") and be unique in the IRC network. Required! + Name = {{ngircd_name}} + + # Information about the server and the administrator, used by the + # ADMIN command. Not required by server but by RFC! + AdminInfo1 = {{ngircd_admin_name}} + ;AdminInfo2 = Debian City + AdminEMail = {{ngircd_admin_email}} + + # Text file which contains the ngIRCd help text. This file is required + # to display help texts when using the "HELP " command. + ;HelpFile = /usr/share/doc/ngircd/Commands.txt + + # Info text of the server. This will be shown by WHOIS and + # LINKS requests for example. + Info = {{ngircd_name}} + + # Comma separated list of IP addresses on which the server should + # listen. 
Default values are: + # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0" + # so the server listens on all IP addresses of the system by default. + Listen = 127.0.0.1 + + # Text file with the "message of the day" (MOTD). This message will + # be shown to all users connecting to the server: + MotdFile = /etc/ngircd/ngircd.motd + + # A simple Phrase (<127 chars) if you don't want to use a motd file. + ;MotdPhrase = "Hello. This is the Debian default MOTD sentence" + + # The name of the IRC network to which this server belongs. This name + # is optional, should only contain ASCII characters, and can't contain + # spaces. It is only used to inform clients. The default is empty, + # so no network name is announced to clients. + ;Network = aIRCnetwork + + # Global password for all users needed to connect to the server. + # (Default: not set) + ;Password = wealllikedebian + + # This tells ngIRCd to write its current process ID to a file. + # Note that the pidfile is written AFTER chroot and switching the + # user ID, e.g. the directory the pidfile resides in must be + # writable by the ngIRCd user and exist in the chroot directory. + # Keep this setting in sync with PIDFILE in /etc/init.d/ngircd + PidFile = /var/run/ngircd/ngircd.pid + + # Ports on which the server should listen. There may be more than + # one port, separated with ",". (Default: 6667) + ;Ports = 6667, 6668, 6669 + + # Group ID under which the ngIRCd should run; you can use the name + # of the group or the numerical ID. ATTENTION: For this to work the + # server must have been started with root privileges! + # Keep this setting in sync with DAEMONUSER in the init script and/or + # the Group= setting in service file. + ServerGID = irc + + # User ID under which the server should run; you can use the name + # of the user or the numerical ID. ATTENTION: For this to work the + # server must have been started with root privileges! 
In addition, + # the configuration and MOTD files must be readable by this user, + # otherwise RESTART and REHASH won't work! + # Keep this setting in sync with DAEMONUSER in the init script and/or + # the User= setting in service file. + ServerUID = irc + +[Limits] + # Define some limits and timeouts for this ngIRCd instance. Default + # values should be safe, but it is wise to double-check :-) + + # The server tries every seconds to establish a link + # to not yet (or no longer) connected servers. + ConnectRetry = 60 + + # Number of seconds after which the whole daemon should shutdown when + # no connections are left active after handling at least one client + # (0: never, which is the default). + # This can be useful for testing or when ngIRCd is started using + # "socket activation" with systemd(8), for example. + ;IdleTimeout = 0 + + # Maximum number of simultaneous in- and outbound connections the + # server is allowed to accept (0: unlimited): + MaxConnections = 500 + + # Maximum number of simultaneous connections from a single IP address + # the server will accept (0: unlimited): + MaxConnectionsIP = 10 + + # Maximum number of channels a user can be member of (0: no limit): + MaxJoins = 10 + + # Maximum length of an user nickname (Default: 9, as in RFC 2812). + # Please note that all servers in an IRC network MUST use the same + # maximum nickname length! + ;MaxNickLength = 9 + + # Maximum penalty time increase in seconds, per penalty event. Set to -1 + # for no limit (the default), 0 to disable penalties altogether. The + # daemon doesn't use penalty increases higher than 2 seconds during + # normal operation, so values greater than 1 rarely make sense. + ;MaxPenaltyTime = -1 + + # Maximum number of channels returned in response to a /list + # command (0: unlimited): + ;MaxListSize = 100 + + # After seconds of inactivity the server will send a + # PING to the peer to test whether it is alive or not. 
+ PingTimeout = 120 + + # If a client fails to answer a PING with a PONG within + # seconds, it will be disconnected by the server. + PongTimeout = 20 + +[Options] + # Optional features and configuration options to further tweak the + # behavior of ngIRCd. If you want to get started quickly, you most + # probably don't have to make changes here -- they are all optional. + + # List of allowed channel types (channel prefixes) for newly created + # channels on the local server. By default, all supported channel + # types are allowed. Set this variable to the empty string to disallow + # creation of new channels by local clients at all. + ;AllowedChannelTypes = #&+ + + # Are remote IRC operators allowed to control this server, e.g. + # use commands like CONNECT, SQUIT, DIE, ...? + ;AllowRemoteOper = no + + # A directory to chroot in when everything is initialized. It + # doesn't need to be populated if ngIRCd is compiled as a static + # binary. By default ngIRCd won't use the chroot() feature. + # ATTENTION: For this to work the server must have been started + # with root privileges! + ;ChrootDir = /var/empty + + # Set this hostname for every client instead of the real one. + # Use %x to add the hashed value of the original hostname. + {% if ngircd_cloak is defined %} + CloakHost = {{ngircd_cloak}} + {% endif %} + + # Use this hostname for hostname cloaking on clients that have the + # user mode "+x" set, instead of the name of the server. + # Use %x to add the hashed value of the original hostname. + ;CloakHostModeX = cloaked.user + + # The Salt for cloaked hostname hashing. When undefined a random + # hash is generated after each server start. + ;CloakHostSalt = abcdefghijklmnopqrstuvwxyz + + # Set every clients' user name to their nickname + ;CloakUserToNick = yes + + # Try to connect to other IRC servers using IPv4 and IPv6, if possible. + ;ConnectIPv6 = yes + ;ConnectIPv4 = yes + + # Default user mode(s) to set on new local clients. 
Please note that + # only modes can be set that the client could set using regular MODE + # commands, you can't set "a" (away) for example! Default: none. + ;DefaultUserModes = i + + # Do DNS lookups when a client connects to the server. + ;DNS = yes + + # Do IDENT lookups if ngIRCd has been compiled with support for it. + # Users identified using IDENT are registered without the "~" character + # prepended to their user name. + ;Ident = yes + + # Directory containing configuration snippets (*.conf), that should + # be read in after parsing this configuration file. + ;IncludeDir = /etc/ngircd/conf.d + + # Enhance user privacy slightly (useful for IRC server on TOR or I2P) + # by censoring some information like idle time, logon time, etc. + ;MorePrivacy = no + + # Normally ngIRCd doesn't send any messages to a client until it is + # registered. Enable this option to let the daemon send "NOTICE *" + # messages to clients while connecting. + ;NoticeBeforeRegistration = no + + # Should IRC Operators be allowed to use the MODE command even if + # they are not(!) channel-operators? + OperCanUseMode = yes + + # Should IRC Operators get AutoOp (+o) in persistent (+P) channels? + ;OperChanPAutoOp = yes + + # Mask IRC Operator mode requests as if they were coming from the + # server? (This is a compatibility hack for ircd-irc2 servers) + ;OperServerMode = no + + # Use PAM if ngIRCd has been compiled with support for it. + # Users identified using PAM are registered without the "~" character + # prepended to their user name. + PAM = no + + # When PAM is enabled, all clients are required to be authenticated + # using PAM; connecting to the server without successful PAM + # authentication isn't possible. + # If this option is set, clients not sending a password are still + # allowed to connect: they won't become "identified" and keep the "~" + # character prepended to their supplied user name. 
+ # Please note: To make some use of this behavior, it most probably + # isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the + # same time, because you wouldn't be able to distinguish between + # Ident'ified and PAM-authenticated users: both don't have a "~" + # character prepended to their respective user names! + ;PAMIsOptional = no + + # When PAM is enabled, this value determines the used PAM + # configuration. + # This setting allows to run multiple ngIRCd instances with + # different PAM configurations on each instance. + # If you set it to "ngircd-foo", PAM will use + # /etc/pam.d/ngircd-foo instead of the default + # /etc/pam.d/ngircd. + ;PAMServiceName = ngircd + + # Let ngIRCd send an "authentication PING" when a new client connects, + # and register this client only after receiving the corresponding + # "PONG" reply. + ;RequireAuthPing = no + + # Silently drop all incoming CTCP requests. + ;ScrubCTCP = no + + # Syslog "facility" to which ngIRCd should send log messages. + # Possible values are system dependent, but most probably auth, daemon, + # user and local1 through local7 are possible values; see syslog(3). + # Default is "local5" for historical reasons, you probably want to + # change this to "daemon", for example. + SyslogFacility = local1 + + # Password required for using the WEBIRC command used by some + # Web-to-IRC gateways. If not set/empty, the WEBIRC command can't + # be used. (Default: not set) + ;WebircPassword = xyz + +[SSL] + # SSL-related configuration options. Please note that this section + # is only available when ngIRCd is compiled with support for SSL! + # So don't forget to remove the ";" above if this is the case ... + + # SSL Server Key Certificate + ;CertFile = /etc/ssl/certs/server.crt + + # Select cipher suites allowed for SSL/TLS connections. This defaults + # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS). + # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init' + # (GnuTLS) for details. 
+ # For OpenSSL: + ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3 + # For GnuTLS (this Debian package was linked against GnuTLS): + CipherList = SECURE128:-VERS-SSL3.0 + + # Diffie-Hellman parameters + ;DHFile = /etc/ngircd/dhparams.pem + + # SSL Server Key + ;KeyFile = /etc/ssl/private/server.key + + # password to decrypt SSLKeyFile (OpenSSL only) + # Note that this Debian package is linked against GnuTLS so this + # option has no effect. + ;KeyFilePassword = secret + + # Additional Listen Ports that expect SSL/TLS encrypted connections + ;Ports = 6697, 9999 + +{% for op in ngircd_ops %} +[Operator] + # [Operator] sections are used to define IRC Operators. There may be + # more than one [Operator] block, one for each local operator. + + # ID of the operator (may be different of the nickname) + Name = {{op.name}} + + # Password of the IRC operator + Password = {{op.pass}} + + # Optional Mask from which /OPER will be accepted + # Mask = *!ident@somewhere.example.com + {% if op.mask is defined %} + Mask = {{op.mask}} + {% endif %} + +{% endfor %} +[Server] +{% for server in ngircd_servers %} + # Other servers are configured in [Server] sections. If you + # configure a port for the connection, then this ngircd tries to + # connect to the other server on the given port; if not it waits + # for the other server to connect. + # There may be more than one server block, one for each server. + # + # Server Groups: + # The ngIRCd allows "server groups": You can assign an "ID" to every + # server with which you want this ngIRCd to link. If a server of a + # group won't answer, the ngIRCd tries to connect to the next server + # in the given group. But the ngircd never tries to connect to two + # servers with the same group ID. + + # IRC name of the remote server, must match the "Name" variable in + # the [Global] section of the other server (when using ngIRCd). 
+ Name = {{server.name}} + + # Internet host name or IP address of the peer (only required when + # this server should establish the connection). + # Host = connect-to-host.example.net + {% if server.host is defined %} + Host = {{server.host}} + {% endif %} + + # IP address to use as _source_ address for the connection. if + # unspecified, ngircd will let the operating system pick an address. + ;Bind = 10.0.0.1 + + # Port of the server to which the ngIRCd should connect. If you + # assign no port the ngIRCd waits for incoming connections. + ;Port = 6667 + + # Own password for the connection. This password has to be configured + # as "PeerPassword" on the other server. + MyPassword = {{server.pass}} + + # Foreign password for this connection. This password has to be + # configured as "MyPassword" on the other server. + PeerPassword = {{server.pass}} + + # Group of this server (optional) + ;Group = 123 + + # Set the "Passive" option to "yes" if you don't want this ngIRCd to + # connect to the configured peer (same as leaving the "Port" variable + # empty). The advantage of this option is that you can actually + # configure a port an use the IRC command CONNECT more easily to + # manually connect this specific server later. + ;Passive = no + + # Connect to the remote server using TLS/SSL (Default: false) + ;SSLConnect = yes + + # Define a (case insensitive) list of masks matching nicknames that + # should be treated as IRC services when introduced via this remote + # server, separated by commas (","). + # REGULAR SERVERS DON'T NEED this parameter, so leave it empty + # (which is the default). + # When you are connecting IRC services which mask as a IRC server + # and which use "virtual users" to communicate with, for example + # "NickServ" and "ChanServ", you should set this parameter to + # something like "*Serv" or "NickServ,ChanServ,XyzServ". 
+ {% if server.service_mask is defined %} + ServiceMask = {{server.service_mask}} + {% endif %} + +{% endfor %} + +[Channel] + # Pre-defined channels can be configured in [Channel] sections. + # Such channels are created by the server when starting up and even + # persist when there are no more members left. + # Persistent channels are marked with the mode 'P', which can be set + # and unset by IRC operators like other modes on the fly. + # There may be more than one [Channel] block, one for each channel. + + # Name of the channel + ;Name = #ngircd + + # Topic for this channel + ;Topic = Our ngircd testing channel + + # Initial channel modes + ;Modes = tnk + + # initial channel password (mode k) + ;Key = Secret + + # Key file, syntax for each line: "::". + # Default: none. + ;KeyFile = /etc/ngircd/#chan.key + + # maximum users per channel (mode l) + ;MaxUsers = 23 + +[Channel] + # More [Channel] sections, if you like ... + +# -eof- diff -r 22c06d6916bf -r d843011c249d prosody/handlers/main.yaml --- a/prosody/handlers/main.yaml Fri Jul 03 12:01:00 2020 -0500 +++ b/prosody/handlers/main.yaml Sat Jul 04 11:00:20 2020 -0500 @@ -2,4 +2,4 @@ - name: restart prosody become: yes - systemd: name="prosody.service" enabled="yes" daemon_reload="yes" + systemd: name="prosody.service" state="restarted" daemon_reload="yes"
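Review bot: In ngircd/templates/ngircd.conf.j2 the `[Server]` header sits before `{% for server in ngircd_servers %}`, so a second entry in `ngircd_servers` would be rendered into the same section instead of getting its own block, unlike `[Operator]`, which is emitted inside its loop; an empty list also leaves a bare `[Server]` section. Moving the header to the first line of the loop body, `{% for server in ngircd_servers %}` followed by `[Server]`, gives one block per peer as the section's own comment describes. Separately, `MyPassword` and `PeerPassword` are both filled from `{{server.pass}}`, so each link uses one shared secret in both directions; separate variables (for example `server.my_pass` and `server.peer_pass`, names constructed here) would let the two differ and be rotated independently.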