--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/atheme/templates/atheme.conf.j2 Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,2850 @@
+/* This is an example configuration for Services.
+ *
+ * All statements end in semi-colons (';').
+ * Shell style, C style, and C++ style comments may be used.
+ *
+ * Items marked with "(*)" are reconfigurable at runtime via REHASH.
+ */
+
+/******************************************************************************
+ * MODULES SECTION. *
+ ******************************************************************************/
+
+/*
+ * These are the modules included with the core distribution of Services.
+ *
+ * You may be interested in the atheme community modules distribution as
+ * well, which adds additional features that may or may not be compatible
+ * with the project paradigms intended for maintainance of the core of
+ * atheme-services.
+ *
+ * Visit the atheme-services website for more information and to download them.
+ *
+ * Modules marked [experimental] will taint your atheme-services instance. Do
+ * not file any bug reports with us about using Services with those modules;
+ * they will be ignored.
+ */
+
+/* Dynamic security modules.
+ *
+ * WARNING: If you select one of these modules, the default security policy included
+ * with Atheme may break. These modules are intended for people who know what they
+ * are doing and understand the implications of what they do. Security modules which
+ * are likely to break the default policy are prefixed with [!], if you are new to
+ * Atheme, you should avoid enabling them.
+ *
+ * If you find your security policy is broken, you may debug it while allowing normal
+ * operation of your IRC network by putting Atheme into "permissive mode". To do this,
+ * enable general::permissive_mode.
+ *
+ * [!] Infer "command:" namespace permissions modules/security/cmdperm
+ */
+#loadmodule "modules/security/cmdperm";
+
+/* Protocol module.
+ *
+ * Please select a protocol module. Different servers use different protocols.
+ * Below is a listing of ircd's known to work with the various protocol modules
+ * available.
+ *
+ * Asuka 1.2.1 or later modules/protocol/asuka
+ * Bahamut 2.1.x modules/protocol/bahamut
+ * Charybdis IRCd modules/protocol/charybdis
+ * ChatIRCd modules/protocol/chatircd1.1
+ * DreamForge 4.6.7 or later modules/protocol/dreamforge
+ * InspIRCd 2.0 modules/protocol/inspircd
+ * ircd-ratbox 2.0 and later modules/protocol/ratbox
+ * IRCNet ircd (ircd 2.11) modules/protocol/ircnet
+ * ircd-seven modules/protocol/ircd-seven
+ * Nefarious IRCu 0.4.0 or later modules/protocol/nefarious
+ * ngIRCd 19 or later [experimental] modules/protocol/ngircd
+ * UnrealIRCd 3.2.* modules/protocol/unreal
+ * UnrealIRCd 4 or later modules/protocol/unreal4
+ *
+ * If your IRCd vendor has supplied a module file, build it and load it here
+ * instead of one above.
+ */
+loadmodule "modules/protocol/ngircd";
+
+/* Protocol mixins.
+ *
+ * These should be used if you do not have/want certain features on your
+ * network that your ircd normally has. If you do not know what this means,
+ * you do not need any of them.
+ *
+ * Disable halfops modules/protocol/mixin_nohalfops
+ * Disable holdnick (use enforcer clients) modules/protocol/mixin_noholdnick
+ * Disable "protect" mode on channels modules/protocol/mixin_noprotect
+ * Disable "owner" mode on channels modules/protocol/mixin_noowner
+ */
+#loadmodule "modules/protocol/mixin_nohalfops";
+#loadmodule "modules/protocol/mixin_noholdnick";
+#loadmodule "modules/protocol/mixin_noprotect";
+#loadmodule "modules/protocol/mixin_noowner";
+
+/* Database backend module.
+ *
+ * Please select a database backend module. Different backends allow for
+ * different ways in which the services data can be manipulated. YOU MAY
+ * ONLY HAVE ONE OF THESE BACKENDS LOADED.
+ *
+ * The following backends are available:
+ *
+ * Atheme 0.1 flatfile database format modules/backend/flatfile
+ * Open Services Exchange database format modules/backend/opensex
+ *
+ * Most networks will want opensex.
+ */
+loadmodule "modules/backend/opensex";
+
+/* Password hashing modules.
+ *
+ * If you would like encryption for your services passwords, or to migrate
+ * from another IRC services package which used encryption for its passwords,
+ * please select a module here.
+ *
+ * The following encryption-capable crypto modules are available:
+ *
+ * Argon2 (Password Hashing Competition 2015) modules/crypto/argon2
+ * scrypt (Tarsnap Online Backup Service) modules/crypto/scrypt
+ * PBKDF2 (Including support for SASL SCRAM-SHA) modules/crypto/pbkdf2v2
+ * bcrypt (EksBlowfish; from Niels Provos etc.) modules/crypto/bcrypt
+ * SHA2-512 crypt(3) a la '$6$...' modules/crypto/crypt3-sha2-512
+ * SHA2-256 crypt(3) a la '$5$...' modules/crypto/crypt3-sha2-256
+ *
+ * If you do not load an encryption-capable crypto module, some features will
+ * not work correctly, and errors will be logged on e.g. user registration
+ * that it was not possible to encrypt their password. Support for running
+ * without an encryption-capable crypto module will be removed in a later
+ * version of this software; for now it is just *HIGHLY* discouraged.
+ *
+ * Note, that upon starting with an encryption-capable crypto module, YOUR
+ * UNENCRYPTED PASSWORDS ARE IMMEDIATELY AND *IRREVERSIBLY* CONVERTED. Make
+ * at least TWO backups of your database before experimenting with this. If
+ * you have several thousand accounts, this conversion may take a long time.
+ *
+ * The following modules can only be used to /verify/ existing encrypted
+ * passwords, for example when upgrading from an older version of this
+ * software, or migrating from something else:
+ *
+ * PBKDF2 v1 (Atheme <= 7.2 compatibility) modules/crypto/pbkdf2
+ * Raw SHA2-512 modules/crypto/rawsha2-512
+ * Raw SHA2-256 modules/crypto/rawsha2-256
+ * Anope SHA2-256 (Anope 2.0 compatibility) modules/crypto/anope-enc-sha256
+ * Raw SHA1 (Anope ~1.8 compatibility) modules/crypto/rawsha1
+ * Raw MD5 (Anope ~1.8 compatibility) modules/crypto/rawmd5
+ * IRCServices (+ Anope) compatibility modules/crypto/ircservices
+ * MD5 crypt(3) (Atheme Linux compatibility) modules/crypto/crypt3-md5
+ * DES crypt(3) (Atheme OS X compatibility) modules/crypto/crypt3-des
+ * Base64 (Anope ~1.8 compatibility) modules/crypto/base64
+ *
+ * To transition between crypto schemes, load the preferred scheme first,
+ * and as users login or set new passwords, they will be migrated to the new
+ * preferred scheme. Like so:
+ *
+ * loadmodule "modules/crypto/argon2";
+ * loadmodule "modules/crypto/scrypt";
+ * loadmodule "modules/crypto/pbkdf2v2";
+ * loadmodule "modules/crypto/pbkdf2";
+ * loadmodule "modules/crypto/crypt3-md5";
+ *
+ * The Argon2 module requires the argon2 reference library (./configure
+ * --with-argon2) and is *NOT* available in Atheme v7.2 or earlier. If you
+ * wish to use this module while retaining the possibility to downgrade to
+ * v7.2, please see the crypto {} documentation below.
+ *
+ * The Scrypt module requires libsodium (./configure --with-libsodium) and is
+ * *NOT* available in Atheme v7.2 or earlier. This module may also require a
+ * 64-bit Operating System to function correctly.
+ *
+ * The PBKDF2v2 module has no dependencies and is recommended. If you were
+ * previously using the PBKDF2 v1 module on v7.2, you must still keep it in
+ * the configuration here; the PBKDF2 v2 module cannot verify its password
+ * hashes. However, you should also load PBKDF2 v2 (if you don't decide to use
+ * anything else), because the PBKDF2 v1 module is now verify-only.
+ *
+ * The bcrypt module will truncate passwords greater than 72 characters. It is
+ * also capable of verifying the older $2a$ digests that contain an integer
+ * wrap-around bug, as used on e.g. Anope. It is not capable of verifying the
+ * PHP-bcrypt $2x$ and $2y$ digests; but $2y$ can simply be changed to $2b$.
+ * All successfully-verified passwords not using $2b$ will be converted to it.
+ * This is an encryption-capable module, but its use is discouraged unless you
+ * need to use it for interoperability with some other piece of software.
+ *
+ * The crypt3-* modules depend on your platform crypt(3) supporting the
+ * respective algorithms. This is not guaranteed to be the case. If you used
+ * modules/crypto/posix on Linux, you need crypt3-md5. If you used
+ * modules/crypto/posix on OS X, you need crypt3-des. These modules issue
+ * informational messages when loaded to the effect that they might break in
+ * the future. They also run selftests on load to verify that they will work.
+ *
+ * All available modules are listed below, in the preferred load order. The
+ * modules that are commented out are not available by default (please see
+ * the v7.3 release notes in NEWS.md) or may require a third-party library to
+ * use. If you know that you do not need a specific module, it is better to
+ * not load it, so comment it out. Do not change the order of the modules
+ * below unless you need to migrate from one to the other (as described
+ * above); in particular, putting verify-only modules above encryption-
+ * capable modules would be a waste of CPU time every time password
+ * verification for a user whose password was not encrypted by them is
+ * attempted.
+ *
+ * Comments that start with -- describe the ./configure option necessary to
+ * have this module built.
+ */
+#loadmodule "modules/crypto/argon2"; /* --with-argon2 */
+#loadmodule "modules/crypto/scrypt"; /* --with-sodium */
+loadmodule "modules/crypto/pbkdf2v2";
+#loadmodule "modules/crypto/bcrypt"; /* See notes above */
+loadmodule "modules/crypto/pbkdf2"; /* Verify-only, see prev. */
+#loadmodule "modules/crypto/crypt3-sha2-512"; /* Needs crypt(3) support */
+#loadmodule "modules/crypto/crypt3-sha2-256"; /* Needs crypt(3) support */
+#loadmodule "modules/crypto/crypt3-md5"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawsha2-512"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawsha2-256"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/anope-enc-sha256"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawsha1"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawmd5"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/ircservices"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/crypt3-des"; /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/base64"; /* --enable-legacy-pwcrypto */
+
+/* Authentication module.
+ *
+ * These allow using passwords from an external system. The password given
+ * when registering a new account is also checked against the external
+ * system.
+ *
+ * The following authentication modules are available:
+ *
+ * LDAP modules/auth/ldap
+ *
+ * The LDAP module requires OpenLDAP client libraries. It uses them in a
+ * synchronous manner, which means that an unresponsive LDAP server can
+ * freeze services.
+ */
+#loadmodule "modules/auth/ldap";
+
+/* NickServ modules.
+ *
+ * Here you can disable or enable certain features of NickServ, by
+ * defining which modules are loaded. You can even disable NickServ
+ * entirely. Please note however, that an authentication service
+ * (either NickServ, or UserServ) is required for proper functionality.
+ *
+ * Core components modules/nickserv/main
+ * Nickname access lists modules/nickserv/access
+ * Bad email address blocking modules/nickserv/badmail
+ * CertFP fingerprint managment modules/nickserv/cert
+ * DROP command modules/nickserv/drop
+ * Nickname enforcement modules/nickserv/enforce
+ * GHOST command modules/nickserv/ghost
+ * GROUP and UNGROUP commands modules/nickserv/group
+ * HELP command modules/nickserv/help
+ * Nickname expiry override (HOLD command) modules/nickserv/hold
+ * IDENTIFY command modules/nickserv/identify
+ * INFO command modules/nickserv/info
+ * Last quit message in INFO modules/nickserv/info_lastquit
+ * LIST command modules/nickserv/list
+ * LISTLOGINS command modules/nickserv/listlogins
+ * LISTMAIL command modules/nickserv/listmail
+ * LISTOWNMAIL command modules/nickserv/listownmail
+ * LOGIN command (for no_nick_ownership) modules/nickserv/login
+ * LOGOUT command modules/nickserv/logout
+ * MARK command modules/nickserv/mark
+ * Password quality validation modules/nickserv/pwquality
+ * FREEZE command modules/nickserv/freeze
+ * LISTCHANS command modules/nickserv/listchans
+ * LISTGROUPS command modules/nickserv/listgroups
+ * REGISTER command modules/nickserv/register
+ * Bypass registration limits (REGNOLIMIT) modules/nickserv/regnolimit
+ * Password reset (RESETPASS command) modules/nickserv/resetpass
+ * RESTRICT command modules/nickserv/restrict
+ * Password return (RETURN command) modules/nickserv/return
+ * Password retrieval (SENDPASS command) modules/nickserv/sendpass
+ * Password retrieval allowed to normal users modules/nickserv/sendpass_user
+ * Change primary nickname (SET ACCOUNTNAME) modules/nickserv/set_accountname
+ * SET EMAIL command modules/nickserv/set_email
+ * SET EMAILMEMOS command modules/nickserv/set_emailmemos
+ * SET ENFORCETIME command modules/nickserv/set_enforcetime
+ * SET HIDEMAIL command modules/nickserv/set_hidemail
+ * SET LANGUAGE command modules/nickserv/set_language
+ * SET NEVERGROUP command modules/nickserv/set_nevergroup
+ * SET NEVEROP command modules/nickserv/set_neverop
+ * SET NOGREET command modules/nickserv/set_nogreet
+ * SET NOMEMO command modules/nickserv/set_nomemo
+ * SET NOOP command modules/nickserv/set_noop
+ * SET NOPASSWORD command modules/nickserv/set_nopassword
+ * SET PASSWORD command modules/nickserv/set_password
+ * PRIVMSG instead of NOTICE (SET PRIVMSG cmd) modules/nickserv/set_privmsg
+ * Account info hiding (SET PRIVATE command) modules/nickserv/set_private
+ * SET PROPERTY command modules/nickserv/set_property
+ * SET PUBKEY command modules/nickserv/set_pubkey
+ * SET QUIETCHG command modules/nickserv/set_quietchg
+ * Password retrieval uses code (SETPASS cmd) modules/nickserv/setpass
+ * STATUS command modules/nickserv/status
+ * Nickname metadata viewer (TAXONOMY command) modules/nickserv/taxonomy
+ * VACATION command modules/nickserv/vacation
+ * VERIFY command modules/nickserv/verify
+ * VHOST command modules/nickserv/vhost
+ * Delay services account registrations modules/nickserv/waitreg
+ */
+loadmodule "modules/nickserv/main";
+#loadmodule "modules/nickserv/access";
+loadmodule "modules/nickserv/badmail";
+#loadmodule "modules/nickserv/cert";
+loadmodule "modules/nickserv/drop";
+#loadmodule "modules/nickserv/enforce";
+loadmodule "modules/nickserv/ghost";
+loadmodule "modules/nickserv/group";
+loadmodule "modules/nickserv/help";
+loadmodule "modules/nickserv/hold";
+loadmodule "modules/nickserv/identify";
+loadmodule "modules/nickserv/info";
+#loadmodule "modules/nickserv/info_lastquit";
+loadmodule "modules/nickserv/list";
+#loadmodule "modules/nickserv/listlogins";
+loadmodule "modules/nickserv/listmail";
+#loadmodule "modules/nickserv/listownmail";
+#loadmodule "modules/nickserv/login";
+loadmodule "modules/nickserv/logout";
+loadmodule "modules/nickserv/mark";
+#loadmodule "modules/nickserv/pwquality";
+loadmodule "modules/nickserv/freeze";
+loadmodule "modules/nickserv/listchans";
+loadmodule "modules/nickserv/listgroups";
+loadmodule "modules/nickserv/register";
+loadmodule "modules/nickserv/regnolimit";
+loadmodule "modules/nickserv/resetpass";
+loadmodule "modules/nickserv/restrict";
+loadmodule "modules/nickserv/return";
+loadmodule "modules/nickserv/setpass";
+#loadmodule "modules/nickserv/sendpass";
+loadmodule "modules/nickserv/sendpass_user";
+loadmodule "modules/nickserv/set_accountname";
+loadmodule "modules/nickserv/set_email";
+loadmodule "modules/nickserv/set_emailmemos";
+#loadmodule "modules/nickserv/set_enforcetime";
+loadmodule "modules/nickserv/set_hidemail";
+loadmodule "modules/nickserv/set_language";
+loadmodule "modules/nickserv/set_nevergroup";
+loadmodule "modules/nickserv/set_neverop";
+loadmodule "modules/nickserv/set_nogreet";
+loadmodule "modules/nickserv/set_nomemo";
+loadmodule "modules/nickserv/set_noop";
+#loadmodule "modules/nickserv/set_nopassword";
+loadmodule "modules/nickserv/set_password";
+#loadmodule "modules/nickserv/set_privmsg";
+#loadmodule "modules/nickserv/set_private";
+loadmodule "modules/nickserv/set_property";
+loadmodule "modules/nickserv/set_pubkey";
+loadmodule "modules/nickserv/set_quietchg";
+loadmodule "modules/nickserv/status";
+loadmodule "modules/nickserv/taxonomy";
+loadmodule "modules/nickserv/vacation";
+loadmodule "modules/nickserv/verify";
+loadmodule "modules/nickserv/vhost";
+#loadmodule "modules/nickserv/waitreg";
+
+/* ChanServ modules.
+ *
+ * Here you can disable or enable certain features of ChanServ, by
+ * defining which modules are loaded. You can even disable ChanServ
+ * entirely. Please note that ChanServ requires an authentication
+ * service, either NickServ or UserServ will do.
+ *
+ * Core components modules/chanserv/main
+ * ACCESS command (simplified ACL editing) modules/chanserv/access
+ * AKICK command modules/chanserv/akick
+ * BAN/UNBAN commands modules/chanserv/ban
+ * UNBAN self only (load ban or this not both) modules/chanserv/unban_self
+ * BANSEARCH command modules/chanserv/bansearch
+ * CLOSE command modules/chanserv/close
+ * CLONE command modules/chanserv/clone
+ * CLEAR command modules/chanserv/clear
+ * CLEAR AKICKS command modules/chanserv/clear_akicks
+ * CLEAR BANS command modules/chanserv/clear_bans
+ * CLEAR FLAGS command modules/chanserv/clear_flags
+ * CLEAR USERS command modules/chanserv/clear_users
+ * COUNT command modules/chanserv/count
+ * DROP command modules/chanserv/drop
+ * Forced flags changes modules/chanserv/fflags
+ * FLAGS command modules/chanserv/flags
+ * Forced foundership transfers modules/chanserv/ftransfer
+ * GETKEY command modules/chanserv/getkey
+ * HALFOP/DEHALFOP commands modules/chanserv/halfop
+ * HELP command modules/chanserv/help
+ * Channel expiry override (HOLD command) modules/chanserv/hold
+ * INFO command modules/chanserv/info
+ * INVITE command modules/chanserv/invite
+ * KICK/KICKBAN commands modules/chanserv/kick
+ * LIST command modules/chanserv/list
+ * MARK command modules/chanserv/mark
+ * Moderated channel registrations modules/chanserv/moderate
+ * OP/DEOP commands modules/chanserv/op
+ * OWNER/DEOWNER commands modules/chanserv/owner
+ * PROTECT/DEPROTECT commands modules/chanserv/protect
+ * QUIET command (+q support) modules/chanserv/quiet
+ * Channel takeover recovery (RECOVER command) modules/chanserv/recover
+ * REGISTER command modules/chanserv/register
+ * SET EMAIL command modules/chanserv/set_email
+ * SET ENTRYMSG command modules/chanserv/set_entrymsg
+ * SET FANTASY command modules/chanserv/set_fantasy
+ * SET GAMESERV command modules/chanserv/set_gameserv
+ * SET GUARD command modules/chanserv/set_guard
+ * SET KEEPTOPIC command modules/chanserv/set_keeptopic
+ * SET LIMITFLAGS command modules/chanserv/set_limitflags
+ * SET MLOCK command modules/chanserv/set_mlock
+ * SET PREFIX command modules/chanserv/set_prefix
+ * Channel info hiding (SET PRIVATE command) modules/chanserv/set_private
+ * SET PROPERTY command modules/chanserv/set_property
+ * SET PUBACL command modules/chanserv/set_pubacl
+ * SET RESTRICTED command modules/chanserv/set_restricted
+ * SET SECURE command modules/chanserv/set_secure
+ * SET TOPICLOCK command modules/chanserv/set_topiclock
+ * SET URL command modules/chanserv/set_url
+ * SET VERBOSE command modules/chanserv/set_verbose
+ * STATUS command modules/chanserv/status
+ * SYNC command (and automatic ACL syncing) modules/chanserv/sync
+ * Named Successor ACL flag modules/chanserv/successor_acl
+ * Channel metadata viewer (TAXONOMY command) modules/chanserv/taxonomy
+ * TEMPLATE command modules/chanserv/template
+ * TOPIC/TOPICAPPEND commands modules/chanserv/topic
+ * VOICE/DEVOICE commands modules/chanserv/voice
+ * WHY command modules/chanserv/why
+ * VOP/HOP/AOP/SOP commands modules/chanserv/xop
+ * This module provides emulation of the ircservices XOP scheme ONLY.
+ * Do not report discrepencies when using native commands to edit channel
+ * ACLs. This is intentional.
+ * Flood protection modules/chanserv/antiflood
+ * This module should be loaded after at least chanserv/quiet if you want
+ * the autoquiet feature to work.
+ */
+loadmodule "modules/chanserv/main";
+loadmodule "modules/chanserv/access";
+loadmodule "modules/chanserv/akick";
+loadmodule "modules/chanserv/ban";
+#loadmodule "modules/chanserv/unban_self";
+loadmodule "modules/chanserv/bansearch";
+loadmodule "modules/chanserv/clone";
+loadmodule "modules/chanserv/close";
+loadmodule "modules/chanserv/clear";
+loadmodule "modules/chanserv/clear_akicks";
+loadmodule "modules/chanserv/clear_bans";
+loadmodule "modules/chanserv/clear_flags";
+loadmodule "modules/chanserv/clear_users";
+loadmodule "modules/chanserv/count";
+loadmodule "modules/chanserv/drop";
+#loadmodule "modules/chanserv/fflags";
+loadmodule "modules/chanserv/flags";
+loadmodule "modules/chanserv/ftransfer";
+loadmodule "modules/chanserv/getkey";
+#loadmodule "modules/chanserv/halfop";
+loadmodule "modules/chanserv/help";
+loadmodule "modules/chanserv/hold";
+loadmodule "modules/chanserv/info";
+loadmodule "modules/chanserv/invite";
+loadmodule "modules/chanserv/kick";
+loadmodule "modules/chanserv/list";
+loadmodule "modules/chanserv/mark";
+#loadmodule "modules/chanserv/moderate";
+loadmodule "modules/chanserv/op";
+#loadmodule "modules/chanserv/owner";
+#loadmodule "modules/chanserv/protect";
+#loadmodule "modules/chanserv/quiet";
+loadmodule "modules/chanserv/recover";
+loadmodule "modules/chanserv/register";
+loadmodule "modules/chanserv/set_email";
+loadmodule "modules/chanserv/set_entrymsg";
+loadmodule "modules/chanserv/set_fantasy";
+#loadmodule "modules/chanserv/set_gameserv";
+loadmodule "modules/chanserv/set_guard";
+loadmodule "modules/chanserv/set_keeptopic";
+#loadmodule "modules/chanserv/set_limitflags";
+loadmodule "modules/chanserv/set_mlock";
+loadmodule "modules/chanserv/set_prefix";
+#loadmodule "modules/chanserv/set_private";
+loadmodule "modules/chanserv/set_property";
+#loadmodule "modules/chanserv/set_pubacl";
+loadmodule "modules/chanserv/set_restricted";
+loadmodule "modules/chanserv/set_secure";
+loadmodule "modules/chanserv/set_topiclock";
+loadmodule "modules/chanserv/set_url";
+loadmodule "modules/chanserv/set_verbose";
+loadmodule "modules/chanserv/status";
+loadmodule "modules/chanserv/sync";
+#loadmodule "modules/chanserv/successor_acl";
+loadmodule "modules/chanserv/taxonomy";
+loadmodule "modules/chanserv/template";
+loadmodule "modules/chanserv/topic";
+loadmodule "modules/chanserv/voice";
+loadmodule "modules/chanserv/why";
+#loadmodule "modules/chanserv/xop";
+loadmodule "modules/chanserv/antiflood";
+
+/* CHANFIX module.
+ *
+ * Here you can disable or enable certain features of CHANFIX, by
+ * defining which modules are loaded.
+ *
+ * Core components modules/chanfix/main
+ */
+#loadmodule "modules/chanfix/main";
+
+/* OperServ modules.
+ *
+ * Here you can disable or enable certain features of OperServ, by
+ * defining which modules are loaded.
+ *
+ * Core components modules/operserv/main
+ * AKILL system modules/operserv/akill
+ * CLEARCHAN command modules/operserv/clearchan
+ * CLONES system modules/operserv/clones
+ * COMPARE command modules/operserv/compare
+ * GENHASH command modules/operserv/genhash
+ * GREPLOG command modules/operserv/greplog
+ * HELP command modules/operserv/help
+ * IGNORE system modules/operserv/ignore
+ * IDENTIFY command modules/operserv/identify
+ * INFO command modules/operserv/info
+ * INJECT command modules/operserv/inject
+ * JUPE command modules/operserv/jupe
+ * MODE command modules/operserv/mode
+ * MODINSPECT command modules/operserv/modinspect
+ * MODLIST command modules/operserv/modlist
+ * MODLOAD command modules/operserv/modload
+ * MODRELOAD command modules/operserv/modreload
+ * MODUNLOAD command modules/operserv/modunload
+ * NOOP system modules/operserv/noop
+ * Regex mass akill (RAKILL command) modules/operserv/rakill
+ * RAW command modules/operserv/raw
+ * READONLY command modules/operserv/readonly
+ * REHASH command modules/operserv/rehash
+ * RESTART command modules/operserv/restart
+ * Display regex matching (RMATCH command) modules/operserv/rmatch
+ * Most common realnames (RNC command) modules/operserv/rnc
+ * RWATCH system modules/operserv/rwatch
+ *
+ * Note that ALL of these SET commands only apply until the next rehash!
+ *
+ * ALL of the below SET commands (deprecated) modules/operserv/set
+ * SET AKICKTIME subcommand (temporarily) modules/operserv/set_akicktime
+ * SET CHANEXPIRE subcommand (temporarily) modules/operserv/set_chanexpire
+ * SET COMMITINTERVAL subcommand (temporarily) modules/operserv/set_commitinterval
+ * SET ENFORCEPREFIX subcommand (temporarily) modules/operserv/set_enforceprefix
+ * SET KLINETIME subcommand (temporarily) modules/operserv/set_klinetime
+ * SET MAXCHANACS subcommand (temporarily) modules/operserv/set_maxchanacs
+ * SET MAXCHANS subcommand (temporarily) modules/operserv/set_maxchans
+ * SET MAXFOUNDERS subcommand (temporarily) modules/operserv/set_maxfounders
+ * SET MAXLOGINS subcommand (temporarily) modules/operserv/set_maxlogins
+ * SET MAXNICKS subcommand (temporarily) modules/operserv/set_maxnicks
+ * SET MAXUSERS subcommand (temporarily) modules/operserv/set_maxusers
+ * SET MDLIMIT subcommand (temporarily) modules/operserv/set_mdlimit
+ * SET NICKEXPIRE subcommand (temporarily) modules/operserv/set_nickexpire
+ * SET RECONTIME subcommand (temporarily) modules/operserv/set_recontime
+ * SET SPAM subcommand (temporarily) modules/operserv/set_spam
+ *
+ * SGLINE system modules/operserv/sgline
+ * SHUTDOWN command modules/operserv/shutdown
+ * Non-config oper privileges (SOPER command) modules/operserv/soper
+ * Oper privilege display (SPECS command) modules/operserv/specs
+ * SQLINE system modules/operserv/sqline
+ * UPDATE command modules/operserv/update
+ * UPTIME command modules/operserv/uptime
+ */
+loadmodule "modules/operserv/main";
+loadmodule "modules/operserv/akill";
+#loadmodule "modules/operserv/clearchan";
+#loadmodule "modules/operserv/clones";
+loadmodule "modules/operserv/compare";
+#loadmodule "modules/operserv/genhash";
+#loadmodule "modules/operserv/greplog";
+loadmodule "modules/operserv/help";
+loadmodule "modules/operserv/identify";
+loadmodule "modules/operserv/ignore";
+loadmodule "modules/operserv/info";
+loadmodule "modules/operserv/jupe";
+loadmodule "modules/operserv/mode";
+loadmodule "modules/operserv/modinspect";
+loadmodule "modules/operserv/modlist";
+loadmodule "modules/operserv/modload";
+loadmodule "modules/operserv/modunload";
+loadmodule "modules/operserv/modreload";
+loadmodule "modules/operserv/noop";
+#loadmodule "modules/operserv/rakill";
+loadmodule "modules/operserv/readonly";
+loadmodule "modules/operserv/rehash";
+loadmodule "modules/operserv/restart";
+loadmodule "modules/operserv/rmatch";
+loadmodule "modules/operserv/rnc";
+loadmodule "modules/operserv/rwatch";
+loadmodule "modules/operserv/set";
+loadmodule "modules/operserv/sgline";
+loadmodule "modules/operserv/shutdown";
+#loadmodule "modules/operserv/soper";
+loadmodule "modules/operserv/specs";
+#loadmodule "modules/operserv/sqline";
+loadmodule "modules/operserv/update";
+loadmodule "modules/operserv/uptime";
+
+/* MemoServ modules.
+ *
+ * Here you can disable or enable certain features of MemoServ, by
+ * defining which modules are loaded. You can even disable MemoServ
+ * entirely.
+ *
+ * Core components modules/memoserv/main
+ * HELP command modules/memoserv/help
+ * SEND command modules/memoserv/send
+ * Channel memos (SENDOPS command) modules/memoserv/sendops
+ * Group memos (SENDGROUP command) modules/memoserv/sendgroup
+ * LIST command modules/memoserv/list
+ * READ command modules/memoserv/read
+ * FORWARD command modules/memoserv/forward
+ * DELETE command modules/memoserv/delete
+ * IGNORE command modules/memoserv/ignore
+ */
+loadmodule "modules/memoserv/main";
+loadmodule "modules/memoserv/help";
+loadmodule "modules/memoserv/send";
+loadmodule "modules/memoserv/sendops";
+loadmodule "modules/memoserv/sendgroup";
+loadmodule "modules/memoserv/list";
+loadmodule "modules/memoserv/read";
+loadmodule "modules/memoserv/forward";
+loadmodule "modules/memoserv/delete";
+loadmodule "modules/memoserv/ignore";
+
+/* Global module.
+ *
+ * Like the other services, the Global noticer is a module. You can
+ * disable or enable it to your liking below. Please note that the
+ * Global noticer is dependent on OperServ for full functionality.
+ */
+loadmodule "modules/global/main";
+
+/* InfoServ module.
+ *
+ * Like the other services, InfoServ is a module. You can disable or
+ * enable it to your liking below.
+ */
+loadmodule "modules/infoserv/main";
+
+/* SASL agent module.
+ *
+ * Allows clients to authenticate to services via SASL with an appropriate
+ * ircd. You need the core components and at least one mechanism.
+ *
+ * Core components modules/saslserv/main
+ * AUTHCOOKIE mechanism (for IRIS) modules/saslserv/authcookie
+ * ECDH-X25519-CHALLENGE mechanism modules/saslserv/ecdh-x25519-challenge
+ * ECDSA-NIST256P-CHALLENGE mechanism modules/saslserv/ecdsa-nist256p-challenge
+ * EXTERNAL mechanism (IRCv3.1+) modules/saslserv/external
+ * PLAIN mechanism modules/saslserv/plain
+ * SCRAM-SHA-* mechanisms modules/saslserv/scram
+ *
+ * ECDH-X25519-CHALLENGE support requires that Atheme be compiled against a
+ * cryptographic library that provides X25519 ECDH support (BoringSSL,
+ * LibreSSL, ARM mbedTLS, Nettle, Sodium). This will be checked while running
+ * ./configure.
+ *
+ * ECDSA-NIST256P-CHALLENGE support requires that Atheme be compiled against
+ * an OpenSSL with ECDSA support (not RHEL etc. unless you compile your own).
+ * This will be checked while running ./configure.
+ *
+ * You MUST read doc/SASL-SCRAM before loading modules/saslserv/scram!
+ */
+loadmodule "modules/saslserv/main";
+loadmodule "modules/saslserv/authcookie";
+#loadmodule "modules/saslserv/ecdh-x25519-challenge";
+#loadmodule "modules/saslserv/ecdsa-nist256p-challenge";
+#loadmodule "modules/saslserv/external";
+loadmodule "modules/saslserv/plain";
+#loadmodule "modules/saslserv/scram"; /* READ doc/SASL-SCRAM FIRST! */
+
+/* GameServ modules.
+ *
+ * Here you can disable or enable certain features of GameServ, by
+ * defining which modules are loaded. You can even disable GameServ
+ * entirely.
+ *
+ * Core components modules/gameserv/main
+ * DICE/WOD commands modules/gameserv/dice
+ * EIGHTBALL command modules/gameserv/eightball
+ * Game-specific dice calculators modules/gameserv/gamecalc
+ * HELP commands modules/gameserv/help
+ * LOTTERY command modules/gameserv/lottery
+ * NAMEGEN command modules/gameserv/namegen
+ * RPS command modules/gameserv/rps
+ */
+#loadmodule "modules/gameserv/main";
+#loadmodule "modules/gameserv/dice";
+#loadmodule "modules/gameserv/eightball";
+#loadmodule "modules/gameserv/gamecalc";
+#loadmodule "modules/gameserv/help";
+#loadmodule "modules/gameserv/lottery";
+#loadmodule "modules/gameserv/namegen";
+#loadmodule "modules/gameserv/rps";
+
+/* RPGServ modules.
+ *
+ * Here you can disable or enable certain features of RPGServ, by
+ * defining which modules are loaded. You can even disable RPGServ
+ * entirely.
+ *
+ * Core components modules/rpgserv/main
+ * ENABLE/DISABLE commands modules/rpgserv/enable
+ * HELP command modules/rpgserv/help
+ * INFO command modules/rpgserv/info
+ * LIST command modules/rpgserv/list
+ * SEARCH command modules/rpgserv/search
+ * SET commands modules/rpgserv/set
+ */
+#loadmodule "modules/rpgserv/main";
+#loadmodule "modules/rpgserv/enable";
+#loadmodule "modules/rpgserv/help";
+#loadmodule "modules/rpgserv/info";
+#loadmodule "modules/rpgserv/list";
+#loadmodule "modules/rpgserv/search";
+#loadmodule "modules/rpgserv/set";
+
+/* BotServ modules.
+ *
+ * Here you can disable or enable certain features of BotServ, by
+ * defining which modules are loaded. You can even disable BotServ
+ * entirely.
+ *
+ * Core components modules/botserv/main
+ * HELP command modules/botserv/help
+ * INFO command modules/botserv/info
+ * NPC commands (SAY, ACT) modules/botserv/bottalk
+ * SET FANTASY command modules/botserv/set_fantasy
+ * SET NOBOT command modules/botserv/set_nobot
+ * SET PRIVATE command modules/botserv/set_private
+ * SET SAYCALLER command modules/botserv/set_saycaller
+ */
+#loadmodule "modules/botserv/main";
+#loadmodule "modules/botserv/help";
+#loadmodule "modules/botserv/info";
+#loadmodule "modules/botserv/bottalk";
+#loadmodule "modules/botserv/set_fantasy";
+#loadmodule "modules/botserv/set_nobot";
+#loadmodule "modules/botserv/set_private";
+#loadmodule "modules/botserv/set_saycaller";
+
+/* HostServ modules.
+ *
+ * Here you can disable or enable certain features of HostServ, by
+ * defining which modules are loaded. You can even disable HostServ
+ * entirely.
+ *
+ * HostServ is a more complex, and optional virtual host management service.
+ * Users wishing only to set vhosts need not use it (they can use the builtin
+ * vhost management of NickServ instead).
+ *
+ * Core components modules/hostserv/main
+ * HELP command modules/hostserv/help
+ * OFFER system modules/hostserv/offer
+ * ON and OFF commands modules/hostserv/onoff
+ * REQUEST system modules/hostserv/request
+ * VHOST and LISTVHOST commands modules/hostserv/vhost
+ * VHOSTNICK command modules/hostserv/vhostnick
+ * GROUP command modules/hostserv/group
+ * DROP command modules/hostserv/drop
+ */
+#loadmodule "modules/hostserv/main";
+#loadmodule "modules/hostserv/help";
+#loadmodule "modules/hostserv/onoff";
+#loadmodule "modules/hostserv/offer";
+#loadmodule "modules/hostserv/request";
+#loadmodule "modules/hostserv/vhost";
+#loadmodule "modules/hostserv/vhostnick";
+#loadmodule "modules/hostserv/group";
+#loadmodule "modules/hostserv/drop";
+
+/* HelpServ modules.
+ * HelpServ allows users to request help from network staff in a few different ways.
+ *
+ * Core components modules/helpserv/main
+ * HELPME command modules/helpserv/helpme
+ * Help Ticket system modules/helpserv/ticket
+ * Service List modules/helpserv/services
+ *
+ * The ticket system works like a bugtracker ot helpdesk ticket system, HELPME
+ * works like a one-time alert. You should probably only load one of the two systems.
+ */
+#loadmodule "modules/helpserv/main";
+#loadmodule "modules/helpserv/helpme";
+#loadmodule "modules/helpserv/ticket";
+#loadmodule "modules/helpserv/services";
+
+/* Channel listing service.
+ *
+ * Allows users to list channels with more flexibility than the /list
+ * command.
+ *
+ * Core components modules/alis/main
+ */
+#loadmodule "modules/alis/main";
+
+/* StatServ module.
+ * StatServ provides basic statistics and split tracking.
+ *
+ * Core components modules/statserv/main
+ * CHANNEL command modules/statserv/channel
+ * NETSPLIT command modules/statserv/netsplit
+ * SERVER command modules/statserv/server
+ */
+loadmodule "modules/statserv/main";
+#loadmodule "modules/statserv/channel";
+loadmodule "modules/statserv/netsplit";
+loadmodule "modules/statserv/server";
+
+/* GroupServ module.
+ * GroupServ allows users to create groups to easily mass-manage channel
+ * access and more.
+ *
+ * Core components modules/groupserv/main
+ * ACSNOLIMIT command modules/groupserv/acsnolimit
+ * DROP command modules/groupserv/drop
+ * FFLAGS command modules/groupserv/fflags
+ * FLAGS command modules/groupserv/flags
+ * HELP command modules/groupserv/help
+ * INFO command modules/groupserv/info
+ * JOIN command modules/groupserv/join
+ * LIST command modules/groupserv/list
+ * LISTCHANS command modules/groupserv/listchans
+ * REGISTER command modules/groupserv/register
+ * REGNOLIMIT command modules/groupserv/regnolimit
+ * INVITE command modules/groupserv/invite
+ * SET command modules/groupserv/set
+ * SET CHANNEL command modules/groupserv/set_channel
+ * SET DESCRIPTION command modules/groupserv/set_description
+ * SET EMAIL command modules/groupserv/set_email
+ * SET GROUPNAME command modules/groupserv/set_groupname
+ * SET JOINFLAGS command modules/groupserv/set_joinflags
+ * SET OPEN command modules/groupserv/set_open
+ * SET PUBLIC command modules/groupserv/set_public
+ * SET URL command modules/groupserv/set_url
+ *
+ */
+loadmodule "modules/groupserv/main";
+loadmodule "modules/groupserv/acsnolimit";
+loadmodule "modules/groupserv/drop";
+loadmodule "modules/groupserv/fflags";
+loadmodule "modules/groupserv/flags";
+loadmodule "modules/groupserv/help";
+loadmodule "modules/groupserv/info";
+loadmodule "modules/groupserv/join";
+loadmodule "modules/groupserv/list";
+loadmodule "modules/groupserv/listchans";
+loadmodule "modules/groupserv/register";
+loadmodule "modules/groupserv/regnolimit";
+#loadmodule "modules/groupserv/invite";
+loadmodule "modules/groupserv/set";
+loadmodule "modules/groupserv/set_channel";
+loadmodule "modules/groupserv/set_description";
+loadmodule "modules/groupserv/set_email";
+loadmodule "modules/groupserv/set_groupname";
+loadmodule "modules/groupserv/set_joinflags";
+loadmodule "modules/groupserv/set_open";
+loadmodule "modules/groupserv/set_public";
+loadmodule "modules/groupserv/set_url";
+
+/*
+ * Various modules.
+ *
+ * Atheme includes an optional HTTP server that can be used for integration
+ * with portal software and other useful things. To enable it, load this
+ * module, and uncomment the httpd { } block towards the bottom of the config.
+ *
+ * HTTP Server modules/misc/httpd
+ */
+#loadmodule "modules/misc/httpd";
+
+/* XMLRPC server module.
+ *
+ * The XML-RPC handler requires modules/misc/httpd to be loaded as it merely
+ * registers a path handler for XML-RPC. The path used for XML-RPC is /xmlrpc.
+ *
+ * XMLRPC handler for the httpd modules/transport/xmlrpc
+ */
+#loadmodule "modules/transport/xmlrpc";
+
+/* Extended target entity types. [EXPERIMENTAL]
+ *
+ * Atheme can set up special target mapping entities which match multiple
+ * users in channel access entries. These target mapping entity types are
+ * defined through the 'exttarget' modules listed below.
+ *
+ * Exttarget handling core modules/exttarget/main
+ * $oper exttarget match type modules/exttarget/oper
+ * $registered exttarget match type modules/exttarget/registered
+ * $channel exttarget match type modules/exttarget/channel
+ * $chanacs exttarget match type modules/exttarget/chanacs
+ * $server exttarget match type modules/exttarget/server
+ */
+#loadmodule "modules/exttarget/main";
+#loadmodule "modules/exttarget/oper";
+#loadmodule "modules/exttarget/registered";
+#loadmodule "modules/exttarget/channel";
+#loadmodule "modules/exttarget/chanacs";
+#loadmodule "modules/exttarget/server";
+
+/* Proxyscan (DNSBL) modules.
+ *
+ * Atheme can also check set DNS Blacklists for matches and respond
+ * as set. Activate modules here and customize further down under Proxyscan
+ * section.
+ */
+#loadmodule "modules/proxyscan/main";
+#loadmodule "modules/proxyscan/dnsbl";
+
+/* Other modules.
+ *
+ * Put any other modules you want to load on startup here. The path
+ * is relative to PREFIX or PREFIX/lib/atheme, depending on how Atheme
+ * was compiled.
+ */
+#loadmodule "modules/contrib/backtrace";
+
+/******************************************************************************
+ * SERVICES RUNTIME CONFIGURATION SECTION. *
+ ******************************************************************************/
+
+/*
+ * This block controls the configuration options for crypto modules.
+ *
+ * It is recommended to either leave the values at their defaults, or
+ * experiment with them so that it takes approximately 0.2-0.4 seconds
+ * for users to identify. Services blocks while the password is being
+ * encrypted or verified, so don't set these too large, or people can
+ * hang services by trying many password attempts at once.
+ *
+ * A benchmark program for the Argon2, scrypt & PBKDF2 crypto code is
+ * available to assist with tuning these parameters:
+ *
+ * - ./configure --prefix=foo ...
+ * - make
+ * - make install
+ * - ${foo}/bin/atheme-crypto-benchmark -o
+ *
+ * If you wish to deploy SASL SCRAM support, please read 'doc/SASL-SCRAM' and
+ * pass the '-i' flag to the included cryptographic benchmarking utility too.
+ *
+ * If you are using the PBKDF2 module, its performance will be significantly
+ * affected by your choice of cryptographic digest library. This software can
+ * currently interface with 3 libraries; in decreasing order of performance:
+ *
+ * - OpenSSL (libcrypto)
+ * - GnuPG (libgcrypt)
+ * - ARM mbedTLS (libmbedcrypto)
+ *
+ * If you have one of these libraries available at configure-time, the PBKDF2
+ * module will perform significantly better, allowing you to raise its
+ * iteration count without affecting the computation time. This is indicated
+ * by the output of the configure script; "Digest Frontend". The benchmark
+ * program will also inform you what cryptographic digest library it is using,
+ * if any.
+ *
+ *
+ *
+ * If you are migrating from crypto/argon2d (v7.2) to crypto/argon2, and you
+ * wish to use the same parameters as the older module's defaults, configure
+ * it like so:
+ *
+ * crypto {
+ * argon2_type = "argon2d";
+ * argon2_memcost = 14;
+ * argon2_timecost = 32;
+ * argon2_threads = 1;
+ * argon2_saltlen = 32;
+ * argon2_hashlen = 64;
+ * };
+ *
+ *
+ *
+ * If you are migrating from crypto/pbkdf2 (v7.2) to crypto/pbkdf2v2, and you
+ * wish to use the same parameters as the older module, configure it like so:
+ *
+ * crypto {
+ * pbkdf2v2_digest = "SHA512";
+ * pbkdf2v2_rounds = 128000;
+ * };
+ *
+ * Note that this will still result in passwords being re-encrypted with the
+ * newer module (as the older module successfully verifies them); another new
+ * PBKDF2 computation with a new salt will occur, but this is still no worse
+ * than an invocation of NickServ's "SET PASSWORD" command. You will still
+ * need to keep the old module in your loadmodule configuration above, as the
+ * new module cannot verify digests produced by the old one.
+ *
+ * If you wish to deploy SASL SCRAM support, please read 'doc/SASL-SCRAM'.
+ * Its advice regarding parameter choice takes precedence over this!
+ */
+crypto {
+
+ /* (*) argon2_type
+ *
+ * The algorithm type to use for new passwords.
+ *
+ * Argon2d is suitable for use on a dedicated machine that has
+ * limited access. It provides the most resistance to GPU and ASIC
+ * cracking attacks, but its operation is data-dependent; that is,
+ * during its operation, keying material derived from the password
+ * itself is indirectly affecting the execution choices made by the
+ * algorithm. This creates a side-channel that can leak information
+ * about the password to other software running on the same physical
+ * machine.
+ *
+ * Argon2i avoids this by being data-independent. The order of memory
+ * accesses, conditional execution, etc. does not depend on the
+ * password, or any material derived from the password, so no side-
+ * channel that can reveal any information about the password is
+ * created. However, this means that it is easier to bruteforce by a
+ * password cracker, which does not have to account for execution
+ * differences in its implementation. This is the most suitable
+ * choice for running on a virtual machine that is co-located with
+ * other, untrusted, virtual machines, or on a dedicated machine that
+ * runs other, untrusted, software, or has untrusted user access.
+ *
+ * Argon2id is a blend of both, limiting the exploitability of any
+ * side-channels while retaining excellent resistance to GPU and ASIC
+ * cracking. This is suitable for all but the most sensitive of
+ * deployments.
+ *
+ * All algorithm types perform about equally as well as each other;
+ * changing this will not significantly affect the computation time.
+ *
+ * The "argon2id" type requires a more recent libargon2 library. This
+ * is indicated in your ./configure output ("checking if libargon2
+ * algorithm type Argon2id appears to be usable...").
+ *
+ * Valid values are "argon2d", "argon2i", and "argon2id"
+ * The default is "argon2id"; unless unsupported, then "argon2d".
+ */
+ #argon2_type = "argon2id";
+
+ /* (*) argon2_memcost
+ *
+ * Memory cost (as a power of 2, in KiB) to use for new passwords.
+ *
+ * You should set this as high as is reasonable for the machine you
+ * will be running this software on. If this results in too slow a
+ * computation time, reset the time cost below to its minimum value.
+ * If it is still too slow, decrement this value (halving the memory
+ * usage) until it is fast enough. Alternatively, if it is still too
+ * fast after setting this to its highest reasonable value, raise the
+ * time cost below until it is not. A benchmark program is available
+ * alongside this software to aid in this process.
+ *
+ * WARNING: Do *NOT* set this to more than 20 (1 GiB RAM) on a 32-bit
+ * machine or a 32-bit Operating System!
+ *
+ * Valid values are 3 (8 KiB RAM) to 30 (1 TiB RAM) (inclusive)
+ * The default is 16 (64 MiB RAM)
+ */
+ #argon2_memcost = 16;
+
+ /* (*) argon2_timecost
+ *
+ * Time cost (iterations over the memory pool).
+ *
+ * Valid values are 3 to 1,048,576 (inclusive)
+ * The default is 3
+ */
+ #argon2_timecost = 3;
+
+ /* (*) argon2_threads
+ *
+ * Number of processor threads to use for new passwords.
+ *
+ * If you want to increase the amount of computation effort required,
+ * while not increasing the real ("wall clock") time required, raise
+ * this setting to its maximum reasonable value for the machine you
+ * will be running this software on.
+ *
+ * This software is not multi-threaded, so only one password will be
+ * verified at a time. Therefore, you do NOT need to divide this by
+ * the expected maximum number of simultaneous logins.
+ *
+ * It is pointless to set this higher than the number of hardware
+ * processing threads you have; increase the time cost above instead
+ * if you want to make it arbitrarily slower. Diminishing returns are
+ * to be expected once you exceed the number of hardware processing
+ * /cores/ you have; hyperthreading does NOT provide much (if any) of
+ * a boost for this workload.
+ *
+ * Increasing this value will *decrease* the real time required, so
+ * you may have to subsequently increase the time cost above again to
+ * make it "just slow enough" once more. A benchmark program is
+ * available alongside this software to aid in this process.
+ *
+ * WARNING: The (size of the) memory pool configured above is split
+ * between the threads, which can result in too small a memory area
+ * per-thread if many threads are used. If you set this value, it is
+ * HIGHLY RECOMMENDED that you run the included benchmarking program
+ * with the same configuration options, to confirm that it works!
+ *
+ * WARNING: This feature is experimental. Some of the code in this
+ * software is not thread-safe, and although every effort has been
+ * made to ensure that this feature will not interfere with the
+ * operation of this software, this cannot be guaranteed.
+ *
+ * Valid values are 1 to 255 (inclusive)
+ * The default is 1 (do not use any computation parallelism)
+ */
+ #argon2_threads = 1;
+
+ /* (*) argon2_saltlen
+ *
+ * Salt length (in bytes) to use for new passwords. You should only
+ * change this if absolutely necessary; for example, to interoperate
+ * with other software. Its value doesn't significantly affect the
+ * computation time.
+ *
+ * Valid values are 4 to 48 (inclusive)
+ * The default is 16
+ */
+ #argon2_saltlen = 16;
+
+ /* (*) argon2_hashlen
+ *
+ * Digest length (in bytes) to use for new passwords. You should only
+ * change this if absolutely necessary; for example, to interoperate
+ * with other software. Its value doesn't significantly affect the
+ * computation time.
+ *
+ * Valid values are 16 to 128 (inclusive)
+ * The default is 64
+ */
+ #argon2_hashlen = 64;
+
+ /* (*) scrypt_memlimit
+ *
+ * Memory limit (as a power of 2, in KiB) to use for new passwords.
+ *
+ * You should set this as high as is reasonable for the machine you
+ * will be running this software on. If this results in too slow a
+ * computation time, reset the opslimit below to its default value.
+ * If it is still too slow, decrement this value (halving the memory
+ * usage) until it is fast enough. Alternatively, if it is still too
+ * fast after setting this to its highest reasonable value, raise the
+ * opslimit below until it is not. A benchmark program is available
+ * alongside this software to aid in this process.
+ *
+ * WARNING: Do *NOT* set this to more than 20 (1 GiB RAM) on a 32-bit
+ * machine or a 32-bit Operating System!
+ *
+ * Valid values are 14 (16 MiB RAM) to 26 (64 GiB RAM) (inclusive)
+ * The default is 14 (16 MiB RAM)
+ */
+ #scrypt_memlimit = 14;
+
+ /* (*) scrypt_opslimit
+ *
+ * Amount of computation to perform for new passwords.
+ *
+ * The default value for this option is based on the default value of
+ * the above option. The recommended value is (memlimit_bytes / 32).
+ *
+ * Valid values are 32,768 to 4,294,967,295 (inclusive)
+ * The default is 524,288
+ */
+ #scrypt_opslimit = 524288;
+
+ /* (*) pbkdf2v2_digest
+ *
+ * Cryptographic digest algorithm to use (in HMAC mode).
+ *
+ * Valid values are "SHA1", "SHA2-256", and "SHA2-512".
+ * Additionally, the following aliases exist, for compatibility:
+ *
+ * "SHA-1" -> SHA1
+ * "SHA256" -> SHA2-256
+ * "SHA512" -> SHA2-512
+ * "SHA-256" -> SHA2-256
+ * "SHA-512" -> SHA2-512
+ *
+ * Finally, you can prefix this value with "SCRAM-" to enable the
+ * computation and storage of an RFC5802/SCRAM ServerKey & StoredKey,
+ * instead of a raw PBKDF2 digest (SaltedPassword). Verification of
+ * plaintext passwords against these digests can still be performed
+ * (for e.g. NickServ IDENTIFY or SASL PLAIN), by computing a new
+ * SCRAM ServerKey from the provided password and comparing it to the
+ * stored ServerKey, so setting this to a SCRAM mode does NOT prevent
+ * non-SCRAM logins. For these variants, please read doc/SASL-SCRAM.
+ *
+ * The default is "SHA2-512"
+ */
+ #pbkdf2v2_digest = "SHA2-512";
+
+ /* (*) pbkdf2v2_rounds
+ *
+ * This is the PBKDF2 "iteration count". You should raise this as high
+ * as is reasonable for the machine you will be running services on.
+ * However, note that if you are going to deploy SASL SCRAM support,
+ * the *client*, NOT services, performs the PBKDF2 calculation during
+ * login, so keep in mind that many mobile clients will not perform as
+ * well as a server, and reduce the iteration count accordingly. Also,
+ * some clients will refuse to perform a login at all if this is set
+ * too high. A benchmark program is included alongside this software to
+ * aid in tuning this parameter.
+ *
+ * Valid values are 10,000 to 5,000,000 (inclusive)
+ * The default is 64,000
+ */
+ #pbkdf2v2_rounds = 64000;
+
+ /* (*) pbkdf2v2_saltlen
+ * You should only change this if you *really* know what you're doing
+ * Valid values are 8 to 64 (inclusive)
+ * The default is 32
+ */
+ #pbkdf2v2_saltlen = 32;
+
+ /* (*) bcrypt_cost
+ *
+ * Amount of rounds to perform for new passwords (as a power of 2).
+ * You should raise this as high as is reasonable. A benchmark
+ * program is available alongside this software to aid in this
+ * process.
+ *
+ * Valid values are 4 to 31 (inclusive)
+ * The default is 7
+ */
+ #bcrypt_cost = 7;
+
+ /* (*) crypt3_sha2_256_rounds
+ * (*) crypt3_sha2_512_rounds
+ *
+ * Use of this option is restricted to certain C libraries!
+ * At present, only GNU libc6 ("glibc") v2.7+ is known to work.
+ *
+ * Valid values are 5,000 to 1,000,000 (inclusive)
+ * The default is 5,000
+ */
+ #crypt3_sha2_256_rounds = 5000;
+ #crypt3_sha2_512_rounds = 5000;
+};
+
+/* The serverinfo{} block defines how we appear on the IRC network. */
+serverinfo {
+ /* name
+ * The server name that this program uses on the IRC network.
+ * This is the name you'll have to use in C:/N:Lines. It must be
+ * unique on the IRC network and contain at least one dot, but does
+ * not have to be equal to any DNS name.
+ */
+ name = "{{atheme_server_host}}";
+
+ /* desc
+ * The ``server comment'' we send to the IRC network.
+ */
+ desc = "Atheme IRC Services";
+
+ /* numeric
+ * Some protocol drivers (Charybdis, Ratbox2, P10, IRCNet)
+ * require a server id, also known as a numeric. Please consult your
+ * ircd's documentation when providing this value.
+ */
+ numeric = "00A";
+
+ /* (*)recontime
+ * The number of seconds before we reconnect to the uplink.
+ */
+ recontime = 10;
+
+ /* (*)netname
+ * The name of your network.
+ */
+ netname = "{{atheme_server_host}}";
+
+ /* (*)hidehostsuffix
+ * P10 +x host hiding gives <account>.<hidehostsuffix>.
+ * If using +x on asuka, this must agree
+ * with F:HIDDEN_HOST.
+ */
+ hidehostsuffix = "users.misconfigured";
+
+ /* (*)adminname
+ * The name of the person running this service.
+ */
+ adminname = "{{atheme_admin_name}}";
+
+ /* (*)adminemail
+ * The email address of the person running this service.
+ */
+ adminemail = "{{atheme_admin_email}}";
+
+ /* (*)registeremail
+ * The email address that messages should be originated from.
+ * If this is not set, then "noreply.$adminemail" will be used.
+ */
+ registeremail = "{{atheme_admin_email}}";
+
+ /* (*)hidden
+ * If this is enabled, Atheme will indicate to the uplink IRCd
+ * that it should not be included in /links output. This only works
+ * on the following IRCds at present: charybdis, ircd-seven, ratbox.
+ */
+ #hidden;
+
+ /* (*)mta
+ * The full path to your mail transfer agent.
+ * This is used for email authorization and password retrieval.
+ * Comment this out to disable sending email.
+ * Warning: sending email can disclose the IP of your services
+ * unless you take precautions (not discussed here further).
+ */
+ mta = "/usr/sbin/sendmail";
+
+ /* (*)loglevel
+ * Specify the default categories of logging information to record
+ * in the master Atheme logfile, usually var/atheme.log.
+ *
+ * Options include:
+ * debug, all - meta-keyword for all possible categories
+ * trace - meta-keyword for a little bit of info
+ * misc - like trace, but with some more miscellaneous info
+ * notice - meta-keyword for notice-like information
+ * ------------------------------------------------------------------------------
+ * error - critical errors
+ * info - miscillaneous log notices
+ * verbose - A bit more verbose than info, not quite as spammy as debug
+ * commands - all command use
+ * admin - administrative command use
+ * register - account and channel registrations
+ * set - changes of account or channel settings
+ * request - user requests (currently only vhosts)
+ * network - log notices related to network status
+ * rawdata - log raw data sent and received by services
+ * wallops - <not yet used>
+ */
+ loglevel = { error; info; admin; network; wallops; };
+
+ /* (*)maxlogins
+ * What is the maximum number of sessions allowed to login to one
+ * username? This reduces potential abuse. It is only checked on login.
+ */
+ maxlogins = 5;
+
+ /* (*)maxusers
+ * What are the maximum usernames that one email address can register?
+ * Set to 0 to disable this check (it can be slow currently).
+ */
+ maxusers = 5;
+
+ /* (*)mdlimit
+ * How many metadata entries can be added to an object?
+ */
+ mdlimit = 30;
+
+ /* (*)emaillimit, emailtime
+ * The maximum number of emails allowed to be sent in
+ * that amount of time (seconds). If this is exceeded,
+ * wallops will be sent, at most one per minute.
+ */
+ emaillimit = 10;
+ emailtime = 300;
+
+ /* (*)auth
+ * What type of username registration authorization do you want?
+ * If "email", Atheme will send a confirmation email to the address to
+ * ensure it's valid. If registration is not completed within one day,
+ * the username will expire. If "none", no message will be sent and
+ * the username will be fully registered.
+ * Valid values are: email, none.
+ */
+ auth = none;
+
+ /* casemapping
+ * Specify the casemapping to use. Almost all TSora (and any that follow
+ * the RFC correctly) ircds will use rfc1459 casemapping. Bahamut, Unreal,
+ * and other ``Dalnet'' ircds will use ascii casemapping.
+ * Valid values are: rfc1459, ascii.
+ */
+ casemapping = rfc1459;
+};
+
+/* uplink{} blocks define connections to IRC servers.
+ * Multiple may be defined but only one will be used at a time (IRC
+ * being a tree shaped network). Atheme does not currently link over SSL.
+ * To link Atheme over ssl, please connect Atheme to a local ircd and have that
+ * connect to your network over SSL.
+ */
+uplink "{{atheme_upstream_server}}" {
+ // The server name of the ircd you're linking to goes above.
+
+ // host
+ // The hostname to connect to.
+ host = "127.0.0.1";
+
+ // vhost
+ // The source IP to connect from, used on machines with multiple interfaces.
+ #vhost = "192.0.2.5";
+
+ // send_password
+ // The password sent for linking.
+ send_password = "{{atheme_server_pass}}";
+
+ // receive_password
+ // The password received for linking.
+ receive_password = "{{atheme_server_pass}}";
+
+ // port
+ // The port to connect to.
+ port = 6667;
+};
+
+/* this is an example for using an IPv6 address as an uplink */
+/* uplink "irc6.example.net" {
+ host = "::1";
+
+ // password
+ // If you want to have same send_password and accept_password, you
+ // can specify both using 'password' instead of individually.
+ password = "linkage";
+
+ port = 6667;
+};
+*/
+
+/* Services configuration.
+ *
+ * Each of these blocks can contain a nick, user, host, real and aliases.
+ * Several of them also have options specific to the service.
+ */
+
+/* NickServ configuration.
+ *
+ * The nickserv {} block contains settings specific to the NickServ modules.
+ *
+ * NickServ provides nickname or username registration and authentication
+ * services. It provides necessary authentication features required for
+ * Services to operate correctly. You should make sure these settings
+ * are properly configured for your network.
+ */
+nickserv {
+ /* (*)spam
+ * Have NickServ tell people about how great it and ChanServ are.
+ */
+ spam;
+
+ /* no_nick_ownership
+ * Enable this to disable nickname ownership (old userserv{}).
+ * This changes changes "nickname" to "account" in most messages,
+ * disables GHOST on users not logged in to the same account and
+ * makes the spam directive ineffective.
+ * It is suggested that the nick be set to UserServ, login.so
+ * be loaded instead of identify.so and ghost.so not be loaded.
+ */
+ #no_nick_ownership;
+
+ /* (*)nick
+ * The nickname we want NickServ to have.
+ */
+ nick = "NickServ";
+
+ /* (*)user
+ * The username we want NickServ to have.
+ */
+ user = "NickServ";
+
+ /* (*)host
+ * The hostname we want NickServ to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want NickServ to have.
+ */
+ real = "Nickname Services";
+
+ /* (*)aliases
+ * Command aliases for NickServ.
+ */
+ aliases {
+ "ID" = "IDENTIFY";
+ "MYACCESS" = "LISTCHANS";
+ };
+
+ /* (*)access
+ * This block allows you to modify the access level required to run
+ * commands. The list of possible accesses are listed in the operclass
+ * section later in this .conf . Note that you can only set the access
+ * on an actual command, not an alias.
+ */
+ access {
+ };
+
+ /* (*)maxnicks
+ * If GROUP is loaded, what are the maximum nicknames that one
+ * username can register?
+ */
+ maxnicks = 5;
+
+ /* (*)expire
+ * The number of days before inactive registrations are expired.
+ */
+ expire = 30;
+
+ /* (*)enforce_expire
+ * The number of days of no use after which to ignore enforcement
+ * settings on nicks.
+ */
+ #enforce_expire = 14;
+
+ /* (*)enforce_delay
+ * The number of seconds to delay nickchange enforcement settings
+ * on nicks.
+ */
+ #enforce_delay = 30;
+
+ /* (*)enforce_prefix
+ * The prefix to use when changing the user's nick on enforcement
+ */
+ #enforce_prefix = "Guest";
+
+ /* (*)waitreg_time
+ * The amount of time (in seconds) users have to wait between
+ * connecting to the network, and being able to register a services
+ * account. Minimum value 0 (disables the enforced delay), default
+ * value 0, maximum value 43200 (12 hours). Requires the
+ * "modules/nickserv/waitreg" module to be loaded to do anything.
+ */
+ #waitreg_time = 0;
+
+ /* (*)cracklib_dict
+ * The location and filename prefix of the cracklib dictionaries
+ * for use with nickserv/pwquality. This must be provided if you are
+ * going to be using nickserv/pwquality with cracklib support enabled.
+ */
+ #cracklib_dict = "/var/cache/cracklib/cracklib_dict";
+
+ /* (*)passwdqc_*
+ * Please see the passwdqc.conf(5) documentation for an explanation
+ * of these values. Affects modules/nickserv/pwquality if passwdqc
+ * support is enabled. Default values given below.
+ */
+ #passwdqc_max = 288; /* (8 <= value <= 288) */
+ #passwdqc_min_n0 = 20; /* (0 <= value <= passwdqc_max) */
+ #passwdqc_min_n1 = 16; /* (0 <= value <= passwdqc_min_n0) */
+ #passwdqc_min_n2 = 16; /* (0 <= value <= passwdqc_min_n1) */
+ #passwdqc_min_n3 = 12; /* (0 <= value <= passwdqc_min_n2) */
+ #passwdqc_min_n4 = 8; /* (0 <= value <= passwdqc_min_n3) */
+ #passwdqc_words = 4; /* (2 <= value <= 8) */
+
+ /* (*)pwquality_warn_only
+ * If this option is set and nickserv/pwquality is loaded, nickserv will just
+ * warn users that their password is insecure, recommend they change it and
+ * still register the nick. If this option is unset, it will refuse to
+ * register the nick at all until the user chooses a better password.
+ */
+ #pwquality_warn_only;
+
+ /* (*)show_custom_metadata
+ * Setting this option to false will prevent user-set metadata (via SET PROPERTY)
+ * from showing up in the INFO output. The TAXONOMY command will still function
+ * as usual, and INFO will point this out if users have metadata set.
+ */
+ show_custom_metadata;
+
+ /* (*)emailexempts
+ * A list of email addresses that will be exempt from the check of how many
+ * accounts one user may have. Any email address in this block may register
+ * an unlimited number of accounts/usernames.
+ */
+ emailexempts {
+ };
+
+ /*
+ * (*)shorthelp
+ *
+ * A list of commands that are displayed (with their full description) in the
+ * output of `/msg NickServ HELP'. Commands not in this list will be listed, but
+ * not with their descriptions. All commands with descriptions are still listed
+ * in `/msg NickServ HELP COMMANDS' regardless of the value set here.
+ *
+ * Optional; defaults to "ACCESS CERT DROP GHOST GROUP IDENTIFY INFO LISTCHANS
+ * LISTGROUPS LISTLOGINS LISTOWNMAIL LOGOUT REGAIN REGISTER RELEASE SENDPASS SET
+ * UNGROUP".
+ *
+ * A command in this list will only be printed if the corresponding module is
+ * loaded and the user has permission to use it. Set to an empty string to
+ * disable listing command descriptions in `/msg NickServ HELP'.
+ */
+ #shorthelp = "";
+};
+
+/* ChanServ configuration.
+ *
+ * The chanserv {} block contains settings specific to the ChanServ modules.
+ *
+ * ChanServ provides channel registration services, which allows users to own
+ * channels. It is not required, but is strongly recommended.
+ */
+chanserv {
+ /* (*)nick
+ * The nickname we want the client to have.
+ */
+ nick = "ChanServ";
+
+ /* (*)user
+ * The username we want the client to have.
+ */
+ user = "ChanServ";
+
+ /* (*)host
+ * The hostname we want the client to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS of the client.
+ */
+ real = "Channel Services";
+
+ /* reggroup
+ * The group that will receive Memos about
+ * channel Registration requests when
+ * chanserv/moderate is loaded.
+ */
+ #reggroup = "!Services-Team";
+
+ /* (*)aliases
+ * Command aliases for ChanServ.
+ */
+ aliases {
+ };
+
+ /* (*)access
+ * Command access changes for ChanServ.
+ */
+ access {
+ };
+
+ /* (*)maxchans
+ * What are the maximum channels that one username can register?
+ */
+ maxchans = 5;
+
+ /* fantasy
+ * Do you want to enable fantasy commands? This can
+ * use a lot of CPU up, and will only work if you have
+ * join_chans (in general) enabled as well.
+ */
+ fantasy;
+
+ /* (*) hide_xop
+ * Hide the XOP templates from sight. This is useful if you
+ * want to use templates and not have the XOP templates displayed.
+ */
+ #hide_xop;
+
+ /* (*) templates
+ * Defines what flags the global templates comprise.
+ *
+ * For the special XOP templates:
+ * These should all be different and not equal to the empty set,
+ * except that hop may be equal to vop to disable hop.
+ * Each subsequent level should have more flags (except +VHO).
+ * For optimal functioning of /cs forcexop, aop should not have
+ * any of +sRf, hop should not have any of +sRfoOr and vop should
+ * not have any of +sRfoOrhHt.
+ * If this is not specified, the values of Atheme 0.3 are used,
+ * which are generally less intuitive than these.
+ * Note: changing these leaves the flags of existing channel access
+ * entries unchanged, thus removing them of the view of /cs xop list.
+ * Usually the channel founder can use /cs forcexop to update the
+ * entries to the new levels.
+ *
+ * Advice:
+ * If you want to add a co-founder role, remove the flags permission
+ * from the SOP role, and define a co-founder role with flags
+ * permissions.
+ */
+ templates {
+ vop = "+AV";
+ hop = "+AHehitrv";
+ aop = "+AOehiortv";
+ sop = "+AOaefhiorstv";
+
+ founder = "+AFORaefhioqrstv";
+
+ /* some examples (which are commented out...) */
+ #member = "+Ai";
+ #op = "+AOiortv";
+ };
+
+ /* (*) deftemplates
+ * Defines default templates to set on new channels, as a
+ * space-separated list of name=+flags pairs.
+ * Note: at this time no syntax checking is done on this; it
+ * is your own responsibility to make sure it is correct.
+ */
+ #deftemplates = "MEMBER=+Ai OP=+AOiortv";
+
+ /* (*) changets
+ * Change the channel TS to the registration time when someone
+ * recreates a registered channel, ensuring that they are deopped
+ * and all their modes are undone. Note that this involves ChanServ
+ * joining. When the channel was not recreated no deops will be done
+ * (apart from the SECURE option).
+ * This also solves the "join-mode" problem where someone recreates
+ * a registered channel and then sets some modes before they are
+ * deopped.
+ * This is currently supported for charybdis, ratbox, bahamut,
+ * and inspircd 1.1+. For charybdis and ratbox it only fully
+ * works with TS6, with TS5 bans and last-moment modes will
+ * still apply.
+ * (That can also be used to advantage, when first enabling this.)
+ */
+ #changets;
+
+ /* (*) trigger
+ * This setting allows you to change the trigger prefix for
+ * ChanServ's in-channel command feature (disableable via chanserv::fantasy).
+ * If no setting is provided, the default is used, which is "!".
+ *
+ * Other settings you could consider trying: ".", "~", "?", "`", "'".
+ */
+ trigger = "!";
+
+ /* (*)expire
+ * The number of days before inactive registrations are expired.
+ */
+ expire = 30;
+
+ /* (*)maxchanacs
+ * The maximum number of entries allowed in a channel's access list
+ * (both channel ops and akicks), 0 for unlimited.
+ */
+ maxchanacs = 0;
+
+ /* (*)maxfounders
+ * The maximum number of founders allowed in a channel.
+ * Note that all founders have the exact same privileges and
+ * the list of founders is shown in various places.
+ */
+ maxfounders = 4;
+
+ /* (*)founder_flags
+ * The flags a user will get when they register a new channel.
+ * This MUST include at least 'F' or it will be ignored.
+ * If it is not set, Atheme will give the user all channel flags.
+ */
+ #founder_flags = "AFORefiorstv";
+
+ /* (*)akick_time
+ * The default expiration time (in minutes) for AKICKs.
+ * Comment this option out or set to zero for permanent AKICKs
+ * by default (the old behaviour).
+ */
+ #akick_time = 10;
+
+ /* (*)antiflood_enforce_method
+ * The enforcement method to use for flood protection by default.
+ * This may be overridden by channel staff.
+ * Available options are: quiet, kickban and akill.
+ */
+ antiflood_enforce_method = quiet;
+
+ /* (*)show_custom_metadata
+ * Setting this option to false will prevent user-set metadata (via SET PROPERTY)
+ * from showing up in the INFO output. The TAXONOMY command will still function
+ * as usual, and INFO will point this out if channels have metadata set.
+ */
+ show_custom_metadata;
+
+ /*
+ * (*)shorthelp
+ *
+ * A list of commands that are displayed (with their full description) in the
+ * output of `/msg ChanServ HELP'. Commands not in this list will be listed, but
+ * not with their descriptions. All commands with descriptions are still listed
+ * in `/msg ChanServ HELP COMMANDS' regardless of the value set here.
+ *
+ * Optional; defaults to "AKICK BAN CLEAR DEOP DEVOICE DROP FLAGS GETKEY INFO
+ * INVITE KICK KICKBAN OP QUIET REGISTER SET TOPIC UNBAN UNQUIET VOICE WHY".
+ *
+ * A command in this list will only be printed if the corresponding module is
+ * loaded and the user has permission to use it. Set to an empty string to
+ * disable listing command descriptions in `/msg ChanServ HELP'.
+ */
+ #shorthelp = "";
+};
+
+/* CHANFIX configuration.
+ *
+ * The chanfix {} block contains settings specific to the CHANFIX modules.
+ *
+ * CHANFIX provides channel recovery services without registration, which
+ * allows users to maintain control of channels even if ChanServ is not used
+ * to register them.
+ */
+chanfix {
+ /* (*)nick
+ * The nickname we want the client to have.
+ */
+ nick = "ChanFix";
+
+ /* (*)user
+ * The username we want the client to have.
+ */
+ user = "ChanFix";
+
+ /* (*)host
+ * The hostname we want the client to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS of the client.
+ */
+ real = "Channel Fixing Service";
+
+ /* (*)autofix
+ * Automatically fix channels if they become opless and meet fixing
+ * criteria.
+ */
+ autofix;
+};
+
+/* Global noticing configuration.
+ *
+ * The global {} block contains settings specific to the Global notice module.
+ *
+ * The Global notice module provides the ability to mass-notify a network.
+ */
+global {
+ /* (*)nick
+ * Sets the nick used for sending out a global notice.
+ */
+ nick = "Global";
+
+ /* (*)user
+ * Sets the username used for this client.
+ */
+ user = "Global";
+
+ /* (*)host
+ * The hostname used for this client.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS (real name) of the client.
+ */
+ real = "Network Announcements";
+};
+
+/* InfoServ configuration
+ *
+ * The infoserv {} block contains settings specific to the InfoServ module.
+ *
+ * The InfoServ modules provides the ability to mass-notify a network and send
+ * news to users when they connect to the network.
+ */
+infoserv {
+ /* (*)nick
+ * Sets the nick used for InfoServ and sending out informational messages.
+ */
+ nick = "InfoServ";
+
+ /* (*)user
+ * Sets the username used for this client.
+ */
+ user = "InfoServ";
+
+ /* (*)host
+ * The hostname used for this client,
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS (real name) of the client.
+ */
+ real = "Information Service";
+
+ /* (*)logoninfo_count
+ * The number of InfoServ messages a user will see upon connect.
+ * If there are more than this number, the user will be able to
+ * see the rest with /msg infoserv list .
+ */
+ logoninfo_count = 3;
+};
+
+/* OperServ configuration.
+ *
+ * The operserv {} block contains settings specific to the OperServ modules.
+ *
+ * OperServ provides essential network management tools for IRC operators
+ * on the IRC network.
+ */
+operserv {
+ /* (*)nick
+ * The nickname we want the Operator Service to have.
+ */
+ nick = "OperServ";
+
+ /* (*)user
+ * Sets the username used for this client.
+ */
+ user = "OperServ";
+
+ /* (*)host
+ * The hostname used for this client.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS (real name) of the client.
+ */
+ real = "Operator Services";
+
+ /* (*)aliases
+ * Command aliases for OperServ.
+ */
+ aliases {
+ };
+
+ /* (*)access
+ * Command access changes for OperServ.
+ */
+ access {
+ };
+};
+
+/* SaslServ configuration.
+ *
+ * The saslserv {} block contains settings specific to the SaslServ modules.
+ *
+ * SaslServ provides an authentication agent which is compatible with the
+ * SASL over IRC (SASL/IRC) protocol extension.
+ */
+saslserv {
+ /* (*)nick
+ * The nickname we want SaslServ to have.
+ */
+ nick = "SaslServ";
+
+ /* (*)user
+ * The username we want SaslServ to have.
+ */
+ user = "SaslServ";
+
+ /* (*)host
+ * The hostname we want SaslServ to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want SaslServ to have.
+ */
+ real = "SASL Authentication Agent";
+
+ /* (*)hide_server_names
+ * Hide server names in the bad_password message.
+ */
+ #hide_server_names;
+};
+
+/* MemoServ configuration.
+ *
+ * The memoserv {} block contains settings specific to the MemoServ modules.
+ *
+ * MemoServ provides a note-taking service that you can use to send notes
+ * to offline users (provided they are registered with Services).
+ */
+memoserv {
+ /* (*)nick
+ * The nickname we want MemoServ to have.
+ */
+ nick = "MemoServ";
+
+ /* (*)user
+ * The username we want MemoServ to have.
+ */
+ user = "MemoServ";
+
+ /* (*)host
+ * The hostname we want MemoServ to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want MemoServ to have.
+ */
+ real = "Memo Services";
+
+ /* (*)aliases
+ * Command aliases for MemoServ.
+ */
+ aliases {
+ };
+
+ /* (*)access
+ * Command access changes for MemoServ.
+ */
+ access {
+ };
+
+ /* (*)maxmemos
+ * What is the maximum amount of memos a user can have in their inbox?
+ */
+ maxmemos = 30;
+};
+
+/* GameServ configuration.
+ *
+ * The gameserv {} block contains settings specific to the GameServ modules.
+ *
+ * GameServ provides various in-channel commands for games.
+ */
+gameserv {
+ /* (*)nick
+ * The nickname we want GameServ to have.
+ */
+ nick = "GameServ";
+
+ /* (*)user
+ * Sets the username used for this client.
+ */
+ user = "GameServ";
+
+ /* (*)host
+ * The hostname used for this client.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS (real name) of the client.
+ */
+ real = "Game Services";
+
+ /* (*)aliases
+ * Command aliases for GameServ.
+ */
+ aliases {
+ };
+
+ /* (*)access
+ * Command access changes for GameServ.
+ */
+ access {
+ };
+};
+
+/* RPGServ configuration.
+ *
+ * The rpgserv {} block contains settings specific to the RPGServ modules.
+ *
+ * RPGServ provides a facility for finding roleplaying channels.
+ */
+rpgserv {
+ /* (*)nick
+ * The nickname we want RPGServ to have.
+ */
+ nick = "RPGServ";
+
+ /* (*)user
+ * Sets the username used for this client.
+ */
+ user = "RPGServ";
+
+ /* (*)host
+ * The hostname used for this client.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS (real name) of the client.
+ */
+ real = "RPG Finding Services";
+
+ /* (*)aliases
+ * Command aliases for RPGServ.
+ */
+ aliases {
+ };
+
+ /* (*)access
+ * Command access changes for RPGServ.
+ */
+ access {
+ };
+};
+
+/* BotServ configuration.
+ *
+ * The botserv {} block contains settings specific to the BotServ modules.
+ *
+ * BotServ provides virtual channel bots.
+ */
+botserv {
+ /* (*)nick
+ * The nickname we want BotServ to have.
+ */
+ nick = "BotServ";
+
+ /* (*)user
+ * Sets the username used for this client.
+ */
+ user = "BotServ";
+
+ /* (*)host
+ * The hostname used for this client.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS (real name) of the client.
+ */
+ real = "Bot Services";
+
+ /* (*)min_users
+ * Minimum number of users a channel must have before a Bot is allowed
+ * to be assigned to that channel.
+ */
+ min_users = 0;
+};
+
+/* GroupServ configuration.
+ *
+ * The groupserv {} block contains settings specific to the GroupServ modules.
+ *
+ * GroupServ provides features for managing a collection of channels at once.
+ *
+ */
+groupserv {
+ /* (*)nick
+ * The nickname we want GroupServ to have.
+ */
+ nick = "GroupServ";
+
+ /* (*)user
+ * The username we want GroupServ to have.
+ */
+ user = "GroupServ";
+
+ /* (*)host
+ * The hostname we want GroupServ to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want GroupServ to have.
+ */
+ real = "Group Management Services";
+
+ /* (*)aliases
+ * Command aliases for GroupServ.
+ */
+ aliases {
+ };
+
+ /* (*)access
+ * Command access changes for GroupServ.
+ */
+ access {
+ };
+
+ /* (*)maxgroups
+ * Maximum number of groups one username can be founder of.
+ */
+ maxgroups = 5;
+
+ /* (*)maxgroupacs
+ * Maximum number of access entries you may have in a group.
+ */
+ maxgroupacs = 100;
+
+ /* (*)enable_open_groups
+ * Setting this option will allow any group founder to mark
+ * their group as "anyone can join".
+ */
+ enable_open_groups;
+
+ /* (*)join_flags
+ * This is the GroupServ flagset that users who JOIN a open
+ * group will get upon join. Please check the groupserv/flags
+ * helpfile before changing this option. Valid flagsets (for
+ * example) would be: "+v" or "+cv". It is not valid to use
+ * minus flags (such as "-v") here.
+ */
+ join_flags = "+";
+};
+
+/* HostServ configuration.
+ *
+ * The hostserv {} block contains settings specific to the HostServ modules.
+ *
+ * HostServ provides advanced virtual host management.
+ */
+hostserv {
+ /* (*)nick
+ * The nickname we want HostServ to have.
+ */
+ nick = "HostServ";
+
+ /* (*)user
+ * Sets the username used for this client.
+ */
+ user = "HostServ";
+
+ /* (*)host
+ * The hostname used for this client.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The GECOS (real name) of the client.
+ */
+ real = "Host Management Services";
+
+ /* reggroup
+ * The group that will receive Memos about
+ * vHost requests.
+ */
+ #reggroup = "!Services-Team";
+
+ /* (*)request_per_nick
+ * Whether the request system should work per nick or per account.
+ * The recommended setting is to leave this disabled, so that
+ * vhosts work as consistently as possible.
+ */
+ #request_per_nick;
+
+ /* (*)aliases
+ * Command aliases for HostServ.
+ */
+ aliases {
+ "APPROVE" = "ACTIVATE";
+ "DENY" = "REJECT";
+ };
+
+ /* (*)access
+ * Command access changes for HostServ.
+ */
+ access {
+ };
+};
+
+/* HelpServ configuration
+ *
+ * The helpserv {} block contains settings specific to the HelpServ modules.
+ *
+ * HelpServ adds a few different ways for users to request help from network staff.
+ */
+helpserv {
+ /* (*)nick
+ * The nickname we want HelpServ to have.
+ */
+ nick = "HelpServ";
+
+ /* (*)user
+ * The username we want HelpServ to have.
+ */
+ user = "HelpServ";
+
+ /* (*)host
+ * The hostname we want HelpServ to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want HelpServ to have.
+ */
+ real = "Help Services";
+};
+
+/* StatServ configuration
+ *
+ * The statserv {} block contains settings specific to the StatServ modules.
+ *
+ * StatServ adds basic stats and split tracking.
+ */
+statserv {
+ /* (*)nick
+ * The nickname we want StatServ to have.
+ */
+ nick = "StatServ";
+
+ /* (*)user
+ * The username we want StatServ to have.
+ */
+ user = "StatServ";
+
+ /* (*)host
+ * The hostname we want StatServ to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want StatServ to have.
+ */
+ real = "Statistics Services";
+};
+
+/* ALIS configuration.
+ *
+ * The alis {} block contains settings specific to the ALIS modules.
+ */
+alis {
+ /* (*)nick
+ * The nickname we want ALIS to have.
+ */
+ nick = "ALIS";
+
+ /* (*)user
+ * The username we want ALIS to have.
+ */
+ user = "alis";
+
+ /* (*)host
+ * The hostname we want ALIS to have.
+ */
+ host = "{{atheme_server_host}}";
+
+ /* (*)real
+ * The realname (gecos) information we want ALIS to have.
+ */
+ real = "Channel Directory";
+
+ /* (*)maxmatches
+ * The default maximum number of channels returned in a query.
+ * Privilege (chan:auspex) is required to ask for more.
+ * Minimum 8, default 64, maximum 128.
+ */
+ #maxmatches = 64;
+};
+
+/* HTTP server configuration.
+ *
+ * The httpd {} block contains settings specific to the HTTP server module.
+ *
+ * The HTTP server in Services is used for serving XMLRPC requests. It can
+ * also serve static documents and statistics pages.
+ */
+httpd {
+ /* host
+ * The host that the HTTP server will listen on.
+ * Use 0.0.0.0 if you want to listen on all available hosts.
+ */
+ host = "0.0.0.0";
+
+ /* host (ipv6)
+ * If you want, you can have Atheme listen on an IPv6 host too.
+ * Use :: if you want to listen on all available IPv6 hosts.
+ */
+ #host = "::";
+
+ /* www_root
+ * The directory that contains the files that should be served by the httpd.
+ */
+ www_root = "/var/www";
+
+ /* port
+ * The port that the HTTP server will listen on.
+ */
+ port = 8080;
+};
+
+/* LDAP configuration.
+ *
+ * The ldap {} block contains settings specific to the LDAP authentication
+ * module.
+ */
+ldap {
+ /* (*)url
+ * LDAP URL of the server to use.
+ */
+ url = "ldap://127.0.0.1";
+
+ /* (*)dnformat
+ * Format string to convert an account name to an LDAP DN.
+ * Must contain exactly one %s which will be replaced by the account
+ * name.
+ * Services will attempt a simple bind with this DN and the given
+ * password; if this is successful the password is considered correct.
+ */
+ dnformat = "cn=%s,dc=jillestest,dc=com";
+};
+
+/******************************************************************************
+ * LOGGING SECTION. *
+ ******************************************************************************/
+
+/*
+ * logfile{} blocks can be used to set up log files other than the master
+ * logfile used by services, which is controlled by serverinfo::loglevel.
+ *
+ * The various logging categories are:
+ * debug, all - meta-keyword for all possible categories
+ * trace - meta-keyword for a little bit of info
+ * misc - like trace, but with some more miscillaneous info
+ * notice - meta-keyword for notice-like information
+ * ------------------------------------------------------------------------------
+ * error - critical errors
+ * info - miscillaneous log notices
+ * verbose - A bit more verbose than info, not quite as spammy as debug
+ * commands - all command use
+ * admin - administrative command use
+ * register - account and channel registrations
+ * set - changes of account or channel settings
+ * request - user requests (currently only vhosts)
+ * network - log notices related to network status
+ * rawdata - log raw data sent and received by services
+ * wallops - <not yet used>
+ * denycmd - security model denials (commands, permissions)
+ */
+
+/*
+ * This block logs all account and channel registrations and drops,
+ * and account and channel setting changes to var/account.log.
+ */
+logfile "var/account.log" { register; set; };
+
+/*
+ * This block logs all command use to var/commands.log.
+ */
+logfile "var/commands.log" { commands; };
+
+/*
+ * This block logs all security auditing information.
+ */
+logfile "var/audit.log" { denycmd; };
+
+/*
+ * You can log to IRC channels, and even split it by category, too.
+ * This entry provides roughly the same functionality as the old snoop
+ * feature.
+ */
+logfile "#services" { error; info; admin; request; register; denycmd; };
+
+/*
+ * This block logs to server notices.
+ */
+logfile "!snotices" { error; info; request; denycmd; };
+
+/******************************************************************************
+ * GENERAL PARAMETERS CONFIGURATION SECTION. *
+ ******************************************************************************/
+
+/* The general {} block defines general configuration options. */
+general {
+ /* (*)permissive_mode
+ * Whether or not security denials should be soft denials instead of
+ * hard denials. If security denials are soft denials, then they will
+ * only be logged to the denial log.
+ */
+ #permissive_mode;
+
+ /* (*)helpchan
+ * Network help channel. Shown to users when they request
+ * help for a command that doesn't exist.
+ */
+ #helpchan = "#help";
+
+ /* (*)helpurl
+ * Network webpage for services help. Shown to users when they
+ * request help for a command that doesn't exist.
+ */
+ #helpurl = "http://www.stack.nl/~jilles/irc/atheme-help/";
+
+ /* (*)silent
+ * If you want to prevent services from sending
+ * WALLOPS/GLOBOPS about things uncomment this.
+ * Not recommended.
+ */
+ #silent;
+
+ /* (*)verbose_wallops
+ * If you want services to send you more information about
+ * events that are occuring (in particular AKILLs), uncomment the
+ * directive below.
+ *
+ * WARNING! This may result in large amounts of wallops/globops
+ * floods.
+ */
+ #verbose_wallops;
+
+ /* (*)join_chans
+ * Should ChanServ be allowed to join registered channels?
+ * This option is useful for the fantasy command set.
+ *
+ * If enabled, you can tell ChanServ to join via SET GUARD ON.
+ *
+ * If you use ircu-like ircd (asuka), you must
+ * leave this enabled, and put guard in default cflags.
+ *
+ * For ratbox it is recommended to leave it on and put guard in
+ * default cflags, in order that ChanServ does not have to join/part
+ * to do certain things. On the other hand, enabling this increases
+ * potential for bots fighting with ChanServ.
+ *
+ * Regardless of this option, ChanServ will temporarily join
+ * channels which would otherwise be empty if necessary to enforce
+ * akick/restricted/close, and to change the TS if changets is
+ * enabled.
+ */
+ join_chans;
+
+ /* (*)leave_chans
+ * Do we leave registered channels after everyone else has left?
+ * Turning this off serves little purpose, except to mark "official"
+ * network channels by keeping them open, and to preserve the
+ * topic and +beI lists.
+ */
+ leave_chans;
+
+ /* secure
+ * Do you want to require the use of /msg <service>@<services host>?
+ * Turning this on helps protect against spoofers, but is disabled
+ * as most networks do not presently use it.
+ */
+ #secure;
+
+ /* (*)uflags
+ * The default flags to set for usernames upon registration.
+ * Valid values are: hold, neverop, noop, hidemail, nomemo, emailmemos,
+ * enforce, privmsg, private, quietchg and none.
+ */
+ uflags = { hidemail; };
+
+ /* (*)cflags
+ * The default flags to set for channels upon registration.
+ * Valid values are: hold, secure, verbose, verbose_ops, keeptopic,
+ * topiclock, guard, private, nosync, limitflags, pubacl and none.
+ */
+ cflags = { verbose; guard; };
+
+ /* (*)raw
+ * Do you want to allow SRAs to use the RAW and INJECT commands?
+ * These commands are for debugging. If you don't know how to use them
+ * then don't enable them. They are not supported.
+ */
+ #raw;
+
+ /* (*)flood_msgs
+ * Do you want services to detect floods?
+ * Set to how many messages before a flood is triggered.
+ * Note that some messages that need a lot of processing count
+ * as two or four messages.
+ * If services receives `flood_msgs' within `flood_time' the user will
+ * trigger the flood protection.
+ * Setting this to zero disables flood protection.
+ */
+ flood_msgs = 7;
+
+ /* (*)flood_time
+ * Do you want services to detect floods?
+ * Set to how long before the counter resets.
+ * If services receives `flood_msgs' within `flood_time' the user will
+ * trigger the flood protection.
+ */
+ flood_time = 10;
+
+ /* (*)ratelimit_uses
+ * After how many uses of a command will users be throttled.
+ * After `ratelimit_uses' of a command within `ratelimit_period', users
+ * will not be able to run that ratelimited command until the period is up.
+ * Comment this, ratelimit_period below or both options out to disable rate limiting.
+ * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request,
+ * nickserv/register and chanserv/register.
+ */
+ ratelimit_uses = 5;
+
+ /* (*)ratelimit_period
+ * After how much time (in seconds) will the ratelimit_uses counter reset.
+ * After `ratelimit_uses' of a command within `ratelimit_period', users
+ * will not be able to run that ratelimited command until the period is up.
+ * Comment this, ratelimit_uses above or both options out to disable rate limiting.
+ * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request,
+ * nickserv/register and chanserv/register.
+ */
+ ratelimit_period = 60;
+
+ /* (*)vhost_change
+ * The default number of days between vHost changes once a user has used HostServ
+ * TAKE or REQUEST. (Helps to deter rabid host-swappers and ban evaders.)
+ */
+ #vhost_change = 30;
+
+ /* (*)kline_time
+ * The default expire time for KLINE's in days.
+ * Setting this to 0 makes all KLINE's permanent.
+ */
+ kline_time = 7;
+
+ /* (*)kline_with_ident
+ * KLINE user@host instead of *@host.
+ * Applies to all automatic KLINE's set by services.
+ */
+ #kline_with_ident;
+
+ /* (*)kline_verified_ident
+ * KLINE *@host if the first character of the ident is ~,
+ * irrespective of the value of kline_with_ident.
+ */
+ #kline_verified_ident;
+
+ /* (*)clone_time
+ * This is the default expiry time for CLONE exemptions in minutes.
+ * Setting this to 0 makes all CLONE exemptions permanent.
+ */
+ clone_time = 0;
+
+ /* commit_interval
+ * The time between database writes in minutes.
+ */
+ commit_interval = 5;
+
+ /* (*)operstring
+ * The string returned in WHOIS (against services) for IRC operators.
+ */
+ #operstring = "is an IRC Operator";
+
+ /* (*)servicestring
+ * The string returned in WHOIS (against services) for services.
+ */
+ #servicestring = "is a Network Service";
+
+ /* (*)default_clone_allowed
+ * The limit after which clones will be KILLed or TKLINEd.
+ * Used by operserv/clones.
+ */
+ default_clone_allowed = 5;
+
+ /* (*)default_clone_warn
+ * The limit after which clones will be warned that they may not
+ * have any more concurrent connections. Should be lower than
+ * default_clone_allowed . Used by operserv/clones.
+ */
+ default_clone_warn = 4;
+
+ /* (*)clone_identified_increase_limit
+ * If this option is enabled, the clone limit for a IP/host will
+ * be increased by 1 per clone that's identified to services.
+ * This has a limit of double the clone limits above.
+ */
+ clone_identified_increase_limit;
+
+ /* (*)uplink_sendq_limit
+ * The maximum amount of data that may be queued to be sent
+ * to the uplink, in bytes. This should be enough to contain
+ * Atheme's response to the netburst, but smaller than the
+ * IRCd's sendq limit for servers.
+ */
+ uplink_sendq_limit = 1048576;
+
+ /* (*)language
+ * Language to use for channel and oper messages and as default
+ * for users.
+ */
+ language = "en";
+
+ /* exempts
+ * This block contains a list of user@host masks. Users matching any
+ * of these will not be automatically K:lined by services.
+ */
+ exempts {
+ };
+
+ /* allow_taint
+ * By enabling this option, Atheme will run in configurations where
+ * the upstream will not provide support. By enabling this feature,
+ * you void any perceived rights to support.
+ */
+ #allow_taint;
+
+ /* (*)immune_level
+ * This option allows you to customize the operlevel which gets kick
+ * immunity privileges.
+ *
+ * The following flags are available:
+ * immune - require whatever ircd usermode is needed for kick
+ * immunity (this is the default);
+ * admin - require admin privileges for kick immunity
+ * ircop - require any ircop privileges for kick immunity (umode +o)
+ */
+ immune_level = immune;
+
+ /* show_entity_id
+ * This makes nick/user & group entity IDs visible to everyone, rather
+ * than just opers with user:auspex or group:auspex privileges.
+ */
+ show_entity_id;
+
+ /* load_database_mdeps
+ *
+ * For module dependencies listed in the services database (if any),
+ * whether to load those modules on startup (if they are not already
+ * loaded) or abort startup with a more helpful error message than
+ * e.g. "db services.db:123: unknown directive 'BE'" --> "corestorage:
+ * exiting to avoid data loss".
+ *
+ * Comment this out to abort startup instead of silently loading the
+ * modules you need to process the database successfully. The abort
+ * reason will tell you what module the database requires so that you
+ * can fix your configuration file.
+ */
+ load_database_mdeps;
+};
+
+proxyscan {
+ /* Here you can configure the details of your Proxyscan (DNS Blacklist)
+ * scanner service.
+ */
+
+ nick = "Proxyscan";
+ user = "dnsbl";
+ host = "{{atheme_server_host}}";
+ real = "Proxyscan Service";
+
+ blacklists {
+ "dnsbl.dronebl.org";
+ "rbl.efnetrbl.org";
+ "tor.efnet.org";
+ };
+
+ /* Available dnsbl_action's:
+ * NONE - Do nothing
+ * NOTIFY - Notify user that they are listed in a DNSBL and which one
+ * SNOOP - Report the user to the logchannel or services channel
+ * KLINE - AKILL the user from the network (default AKILL is 24 hours)
+ */
+
+ dnsbl_action = kline;
+};
+
+/******************************************************************************
+ * OPERATOR AND PRIVILEGES CONFIGURATION SECTION. *
+ ******************************************************************************/
+
+/* Operator configuration
+ * See the PRIVILEGES document for more information.
+ * NOTE: All changes apply immediately upon rehash. You may need
+ * to send a signal (killall -HUP atheme-services) to regain control.
+ */
+/* (*) Operclasses specify groups of services operator privileges */
+/* The "user" operclass specifies privileges all users get.
+ * This may be empty (default) in which case users get no special privileges.
+ * If you use the security/cmdperm module, you will need to grant command: privileges
+ * to every command that you want users to be able to use.
+ */
+operclass "user" { };
+
+/* The "ircop" operclass specifies privileges all IRCops get.
+ * This may be empty in which case IRCops get no privs.
+ * At least chan:cmodes, chan:joinstaffonly and general:auspex are suggested.
+ */
+operclass "ircop" {
+ privs {
+ special:ircop;
+ };
+
+ privs {
+ user:auspex;
+ user:admin;
+ user:sendpass;
+ user:vhost;
+ user:mark;
+ };
+
+ privs {
+ chan:auspex;
+ chan:admin;
+ chan:cmodes;
+ chan:joinstaffonly;
+ };
+
+ privs {
+ general:auspex;
+ general:helper;
+ general:viewprivs;
+ general:flood;
+ };
+
+ privs {
+ operserv:omode;
+ operserv:akill;
+ operserv:jupe;
+ operserv:global;
+ };
+
+ privs {
+ group:auspex;
+ group:admin;
+ };
+};
+
+operclass "sra" {
+ /* You can inherit privileges from a lower operclass. */
+ extends "ircop";
+
+ privs {
+ user:hold;
+ user:regnolimit;
+ };
+
+ privs {
+ general:metadata;
+ general:admin;
+ };
+
+ privs {
+ #operserv:massakill;
+ #operserv:akill-anymask;
+ operserv:noop;
+ operserv:grant;
+ };
+
+ /* needoper
+ * Only grant privileges to IRC users in this oper class if they
+ * are opered; other use of privilege (channel succession, XMLRPC,
+ * etc.) is unaffected by this.
+ *
+ * This flag is *not* inherited by operclasses that extend this one;
+ * you will have to set it explicitly for each operclass.
+ */
+ needoper;
+};
+
+
+/* (*) Operator blocks specify accounts with certain privileges
+ * Oper classes must be defined before they are used in operator blocks.
+ */
+operator "jilles" {
+ /* operclass */
+ operclass = "sra";
+
+ /* password
+ *
+ * Normally, the user needs to identify/log in using the account's
+ * password, and may need to be an IRCop (see operclass::needoper
+ * above). If you consider this not secure enough, you can
+ * specify an additional password here, which the user must enter
+ * using the OperServ IDENTIFY command, before the privileges can
+ * be used.
+ *
+ * The password must be encrypted if a crypto module is in use.
+ *
+ * If you are using modules/crypto/crypt3-*, you can probably use
+ * the "mkpasswd" program included with most Linux distributions.
+ * Otherwise you can use modules/operserv/genhash to encrypt a
+ * password for use here.
+ */
+ #password = "$1$3gJMO9by$0G60YE6GqmuHVH3AnFPor1";
+};
+
+/******************************************************************************
+ * INCLUDE CONFIGURATION SECTION. *
+ ******************************************************************************/
+
+/* You may also specify other files for inclusion.
+ * For example:
+ *
+ * include "etc/sras.conf";
+ */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ngircd/templates/ngircd.conf.j2 Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,422 @@
+#
+# This is a sample configuration file for the ngIRCd IRC daemon, which must
+# be customized to the local preferences and needs.
+#
+# Comments are started with "#" or ";".
+#
+# A lot of configuration options in this file start with a ";". You have
+# to remove the ";" in front of each variable to actually set a value!
+# The disabled variables are shown with example values for completeness only
+# and the daemon is using compiled-in default settings.
+#
+# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
+# server interprets the configuration file as expected!
+#
+# Please see ngircd.conf(5) for a complete list of configuration options
+# and their descriptions.
+#
+# The original can be found at:
+# /usr/share/doc/ngircd/sample-ngircd.conf.gz
+
+[Global]
+ # The [Global] section of this file is used to define the main
+ # configuration of the server, like the server name and the ports
+ # on which the server should be listening.
+ # These settings depend on your personal preferences, so you should
+ # make sure that they correspond to your installation and setup!
+
+ # Server name in the IRC network, must contain at least one dot
+ # (".") and be unique in the IRC network. Required!
+ Name = {{ngircd_name}}
+
+ # Information about the server and the administrator, used by the
+ # ADMIN command. Not required by server but by RFC!
+ AdminInfo1 = {{ngircd_admin_name}}
+ ;AdminInfo2 = Debian City
+ AdminEMail = {{ngircd_admin_email}}
+
+ # Text file which contains the ngIRCd help text. This file is required
+ # to display help texts when using the "HELP <cmd>" command.
+ ;HelpFile = /usr/share/doc/ngircd/Commands.txt
+
+ # Info text of the server. This will be shown by WHOIS and
+ # LINKS requests for example.
+ Info = {{ngircd_name}}
+
+ # Comma separated list of IP addresses on which the server should
+ # listen. Default values are:
+ # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
+ # so the server listens on all IP addresses of the system by default.
+ Listen = 127.0.0.1
+
+ # Text file with the "message of the day" (MOTD). This message will
+ # be shown to all users connecting to the server:
+ MotdFile = /etc/ngircd/ngircd.motd
+
+ # A simple Phrase (<127 chars) if you don't want to use a motd file.
+ ;MotdPhrase = "Hello. This is the Debian default MOTD sentence"
+
+ # The name of the IRC network to which this server belongs. This name
+ # is optional, should only contain ASCII characters, and can't contain
+ # spaces. It is only used to inform clients. The default is empty,
+ # so no network name is announced to clients.
+ ;Network = aIRCnetwork
+
+ # Global password for all users needed to connect to the server.
+ # (Default: not set)
+ ;Password = wealllikedebian
+
+ # This tells ngIRCd to write its current process ID to a file.
+ # Note that the pidfile is written AFTER chroot and switching the
+ # user ID, e.g. the directory the pidfile resides in must be
+ # writable by the ngIRCd user and exist in the chroot directory.
+ # Keep this setting in sync with PIDFILE in /etc/init.d/ngircd
+ PidFile = /var/run/ngircd/ngircd.pid
+
+ # Ports on which the server should listen. There may be more than
+ # one port, separated with ",". (Default: 6667)
+ ;Ports = 6667, 6668, 6669
+
+ # Group ID under which the ngIRCd should run; you can use the name
+ # of the group or the numerical ID. ATTENTION: For this to work the
+ # server must have been started with root privileges!
+ # Keep this setting in sync with DAEMONUSER in the init script and/or
+ # the Group= setting in service file.
+ ServerGID = irc
+
+ # User ID under which the server should run; you can use the name
+ # of the user or the numerical ID. ATTENTION: For this to work the
+ # server must have been started with root privileges! In addition,
+ # the configuration and MOTD files must be readable by this user,
+ # otherwise RESTART and REHASH won't work!
+ # Keep this setting in sync with DAEMONUSER in the init script and/or
+ # the User= setting in service file.
+ ServerUID = irc
+
+[Limits]
+ # Define some limits and timeouts for this ngIRCd instance. Default
+ # values should be safe, but it is wise to double-check :-)
+
+ # The server tries every <ConnectRetry> seconds to establish a link
+ # to not yet (or no longer) connected servers.
+ ConnectRetry = 60
+
+ # Number of seconds after which the whole daemon should shutdown when
+ # no connections are left active after handling at least one client
+ # (0: never, which is the default).
+ # This can be useful for testing or when ngIRCd is started using
+ # "socket activation" with systemd(8), for example.
+ ;IdleTimeout = 0
+
+ # Maximum number of simultaneous in- and outbound connections the
+ # server is allowed to accept (0: unlimited):
+ MaxConnections = 500
+
+ # Maximum number of simultaneous connections from a single IP address
+ # the server will accept (0: unlimited):
+ MaxConnectionsIP = 10
+
+ # Maximum number of channels a user can be member of (0: no limit):
+ MaxJoins = 10
+
+ # Maximum length of an user nickname (Default: 9, as in RFC 2812).
+ # Please note that all servers in an IRC network MUST use the same
+ # maximum nickname length!
+ ;MaxNickLength = 9
+
+ # Maximum penalty time increase in seconds, per penalty event. Set to -1
+ # for no limit (the default), 0 to disable penalties altogether. The
+ # daemon doesn't use penalty increases higher than 2 seconds during
+ # normal operation, so values greater than 1 rarely make sense.
+ ;MaxPenaltyTime = -1
+
+ # Maximum number of channels returned in response to a /list
+ # command (0: unlimited):
+ ;MaxListSize = 100
+
+ # After <PingTimeout> seconds of inactivity the server will send a
+ # PING to the peer to test whether it is alive or not.
+ PingTimeout = 120
+
+ # If a client fails to answer a PING with a PONG within <PongTimeout>
+ # seconds, it will be disconnected by the server.
+ PongTimeout = 20
+
+[Options]
+ # Optional features and configuration options to further tweak the
+ # behavior of ngIRCd. If you want to get started quickly, you most
+ # probably don't have to make changes here -- they are all optional.
+
+ # List of allowed channel types (channel prefixes) for newly created
+ # channels on the local server. By default, all supported channel
+ # types are allowed. Set this variable to the empty string to disallow
+ # creation of new channels by local clients at all.
+ ;AllowedChannelTypes = #&+
+
+ # Are remote IRC operators allowed to control this server, e.g.
+ # use commands like CONNECT, SQUIT, DIE, ...?
+ ;AllowRemoteOper = no
+
+ # A directory to chroot in when everything is initialized. It
+ # doesn't need to be populated if ngIRCd is compiled as a static
+ # binary. By default ngIRCd won't use the chroot() feature.
+ # ATTENTION: For this to work the server must have been started
+ # with root privileges!
+ ;ChrootDir = /var/empty
+
+ # Set this hostname for every client instead of the real one.
+ # Use %x to add the hashed value of the original hostname.
+ {% if ngircd_cloak is defined %}
+ CloakHost = {{ngircd_cloak}}
+ {% endif %}
+
+ # Use this hostname for hostname cloaking on clients that have the
+ # user mode "+x" set, instead of the name of the server.
+ # Use %x to add the hashed value of the original hostname.
+ ;CloakHostModeX = cloaked.user
+
+ # The Salt for cloaked hostname hashing. When undefined a random
+ # hash is generated after each server start.
+ ;CloakHostSalt = abcdefghijklmnopqrstuvwxyz
+
+ # Set every clients' user name to their nickname
+ ;CloakUserToNick = yes
+
+ # Try to connect to other IRC servers using IPv4 and IPv6, if possible.
+ ;ConnectIPv6 = yes
+ ;ConnectIPv4 = yes
+
+ # Default user mode(s) to set on new local clients. Please note that
+ # only modes can be set that the client could set using regular MODE
+ # commands, you can't set "a" (away) for example! Default: none.
+ ;DefaultUserModes = i
+
+ # Do DNS lookups when a client connects to the server.
+ ;DNS = yes
+
+ # Do IDENT lookups if ngIRCd has been compiled with support for it.
+ # Users identified using IDENT are registered without the "~" character
+ # prepended to their user name.
+ ;Ident = yes
+
+ # Directory containing configuration snippets (*.conf), that should
+ # be read in after parsing this configuration file.
+ ;IncludeDir = /etc/ngircd/conf.d
+
+ # Enhance user privacy slightly (useful for IRC server on TOR or I2P)
+ # by censoring some information like idle time, logon time, etc.
+ ;MorePrivacy = no
+
+ # Normally ngIRCd doesn't send any messages to a client until it is
+ # registered. Enable this option to let the daemon send "NOTICE *"
+ # messages to clients while connecting.
+ ;NoticeBeforeRegistration = no
+
+ # Should IRC Operators be allowed to use the MODE command even if
+ # they are not(!) channel-operators?
+ OperCanUseMode = yes
+
+ # Should IRC Operators get AutoOp (+o) in persistent (+P) channels?
+ ;OperChanPAutoOp = yes
+
+ # Mask IRC Operator mode requests as if they were coming from the
+ # server? (This is a compatibility hack for ircd-irc2 servers)
+ ;OperServerMode = no
+
+ # Use PAM if ngIRCd has been compiled with support for it.
+ # Users identified using PAM are registered without the "~" character
+ # prepended to their user name.
+ PAM = no
+
+ # When PAM is enabled, all clients are required to be authenticated
+ # using PAM; connecting to the server without successful PAM
+ # authentication isn't possible.
+ # If this option is set, clients not sending a password are still
+ # allowed to connect: they won't become "identified" and keep the "~"
+ # character prepended to their supplied user name.
+ # Please note: To make some use of this behavior, it most probably
+ # isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
+ # same time, because you wouldn't be able to distinguish between
+ # Ident'ified and PAM-authenticated users: both don't have a "~"
+ # character prepended to their respective user names!
+ ;PAMIsOptional = no
+
+ # When PAM is enabled, this value determines the used PAM
+ # configuration.
+ # This setting allows to run multiple ngIRCd instances with
+ # different PAM configurations on each instance.
+ # If you set it to "ngircd-foo", PAM will use
+ # /etc/pam.d/ngircd-foo instead of the default
+ # /etc/pam.d/ngircd.
+ ;PAMServiceName = ngircd
+
+ # Let ngIRCd send an "authentication PING" when a new client connects,
+ # and register this client only after receiving the corresponding
+ # "PONG" reply.
+ ;RequireAuthPing = no
+
+ # Silently drop all incoming CTCP requests.
+ ;ScrubCTCP = no
+
+ # Syslog "facility" to which ngIRCd should send log messages.
+ # Possible values are system dependent, but most probably auth, daemon,
+ # user and local1 through local7 are possible values; see syslog(3).
+ # Default is "local5" for historical reasons, you probably want to
+ # change this to "daemon", for example.
+ SyslogFacility = local1
+
+ # Password required for using the WEBIRC command used by some
+ # Web-to-IRC gateways. If not set/empty, the WEBIRC command can't
+ # be used. (Default: not set)
+ ;WebircPassword = xyz
+
+[SSL]
+ # SSL-related configuration options. Please note that this section
+ # is only available when ngIRCd is compiled with support for SSL!
+ # So don't forget to remove the ";" above if this is the case ...
+
+ # SSL Server Key Certificate
+ ;CertFile = /etc/ssl/certs/server.crt
+
+ # Select cipher suites allowed for SSL/TLS connections. This defaults
+ # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
+ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
+ # (GnuTLS) for details.
+ # For OpenSSL:
+ ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
+ # For GnuTLS (this Debian package was linked against GnuTLS):
+ CipherList = SECURE128:-VERS-SSL3.0
+
+ # Diffie-Hellman parameters
+ ;DHFile = /etc/ngircd/dhparams.pem
+
+ # SSL Server Key
+ ;KeyFile = /etc/ssl/private/server.key
+
+ # password to decrypt SSLKeyFile (OpenSSL only)
+ # Note that this Debian package is linked against GnuTLS so this
+ # option has no effect.
+ ;KeyFilePassword = secret
+
+ # Additional Listen Ports that expect SSL/TLS encrypted connections
+ ;Ports = 6697, 9999
+
+{% for op in ngircd_ops %}
+[Operator]
+ # [Operator] sections are used to define IRC Operators. There may be
+ # more than one [Operator] block, one for each local operator.
+
+ # ID of the operator (may be different of the nickname)
+ Name = {{op.name}}
+
+ # Password of the IRC operator
+ Password = {{op.pass}}
+
+ # Optional Mask from which /OPER will be accepted
+ # Mask = *[email protected]
+ {% if op.mask is defined %}
+ Mask = {{op.mask}}
+ {% endif %}
+
+{% endfor %}
+[Server]
+{% for server in ngircd_servers %}
+ # Other servers are configured in [Server] sections. If you
+ # configure a port for the connection, then this ngircd tries to
+ # connect to the other server on the given port; if not it waits
+ # for the other server to connect.
+ # There may be more than one server block, one for each server.
+ #
+ # Server Groups:
+ # The ngIRCd allows "server groups": You can assign an "ID" to every
+ # server with which you want this ngIRCd to link. If a server of a
+ # group won't answer, the ngIRCd tries to connect to the next server
+ # in the given group. But the ngircd never tries to connect to two
+ # servers with the same group ID.
+
+ # IRC name of the remote server, must match the "Name" variable in
+ # the [Global] section of the other server (when using ngIRCd).
+ Name = {{server.name}}
+
+ # Internet host name or IP address of the peer (only required when
+ # this server should establish the connection).
+ # Host = connect-to-host.example.net
+ {% if server.host is defined %}
+ Host = {{server.host}}
+ {% endif %}
+
+ # IP address to use as _source_ address for the connection. if
+ # unspecified, ngircd will let the operating system pick an address.
+ ;Bind = 10.0.0.1
+
+ # Port of the server to which the ngIRCd should connect. If you
+ # assign no port the ngIRCd waits for incoming connections.
+ ;Port = 6667
+
+ # Own password for the connection. This password has to be configured
+ # as "PeerPassword" on the other server.
+ MyPassword = {{server.pass}}
+
+ # Foreign password for this connection. This password has to be
+ # configured as "MyPassword" on the other server.
+ PeerPassword = {{server.pass}}
+
+ # Group of this server (optional)
+ ;Group = 123
+
+ # Set the "Passive" option to "yes" if you don't want this ngIRCd to
+ # connect to the configured peer (same as leaving the "Port" variable
+ # empty). The advantage of this option is that you can actually
+ # configure a port an use the IRC command CONNECT more easily to
+ # manually connect this specific server later.
+ ;Passive = no
+
+ # Connect to the remote server using TLS/SSL (Default: false)
+ ;SSLConnect = yes
+
+ # Define a (case insensitive) list of masks matching nicknames that
+ # should be treated as IRC services when introduced via this remote
+ # server, separated by commas (",").
+ # REGULAR SERVERS DON'T NEED this parameter, so leave it empty
+ # (which is the default).
+ # When you are connecting IRC services which mask as a IRC server
+ # and which use "virtual users" to communicate with, for example
+ # "NickServ" and "ChanServ", you should set this parameter to
+ # something like "*Serv" or "NickServ,ChanServ,XyzServ".
+ {% if server.service_mask is defined %}
+ ServiceMask = {{server.service_mask}}
+ {% endif %}
+
+{% endfor %}
+
+[Channel]
+ # Pre-defined channels can be configured in [Channel] sections.
+ # Such channels are created by the server when starting up and even
+ # persist when there are no more members left.
+ # Persistent channels are marked with the mode 'P', which can be set
+ # and unset by IRC operators like other modes on the fly.
+ # There may be more than one [Channel] block, one for each channel.
+
+ # Name of the channel
+ ;Name = #ngircd
+
+ # Topic for this channel
+ ;Topic = Our ngircd testing channel
+
+ # Initial channel modes
+ ;Modes = tnk
+
+ # initial channel password (mode k)
+ ;Key = Secret
+
+ # Key file, syntax for each line: "<user>:<nick>:<key>".
+ # Default: none.
+ ;KeyFile = /etc/ngircd/#chan.key
+
+ # maximum users per channel (mode l)
+ ;MaxUsers = 23
+
+[Channel]
+ # More [Channel] sections, if you like ...
+
+# -eof-
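Review bot: The `[Server]` header is emitted before `{% for server in ngircd_servers %}` rather than inside the loop, unlike `[Operator]`, which sits inside its own loop. With more than one entry, every `Name`/`Host`/`MyPassword`/`PeerPassword` lands in a single section, although the sample text says there is one block per server; with an empty list a bare `[Server]` is rendered. Swapping the two lines, so that `{% for server in ngircd_servers %}` comes first and `[Server]` second, gives each peer its own section. In the same block `MyPassword` and `PeerPassword` both render `{{server.pass}}`, so the link cannot use a distinct secret per direction; separate variables (suggested names: `{{server.my_pass}}`, `{{server.peer_pass}}`) would allow that. The rendered file holds these and the `[Operator]` passwords in clear text, so the task that installs it (not visible here) should restrict read access to the `irc` user and group.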