Got ngircd + atheme services roles working.
authorLuke Hoersten <luke@hoersten.org>
Sat, 04 Jul 2020 11:00:20 -0500
changeset 113 d843011c249d
parent 112 22c06d6916bf
child 114 34c8632d763d
Got ngircd + atheme services roles working.
atheme/handlers/main.yaml
atheme/tasks/main.yaml
atheme/templates/atheme.conf.j2
ngircd/handlers/main.yaml
ngircd/tasks/main.yaml
ngircd/templates/ngircd.conf.j2
prosody/handlers/main.yaml
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/atheme/handlers/main.yaml	Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,5 @@
+---
+
+- name: restart atheme
+  become: yes
+  systemd: name="atheme-services.service" enabled="yes" daemon_reload="yes" state="restarted"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/atheme/tasks/main.yaml	Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,17 @@
+---
+
+- name: apt install atheme
+  become: yes
+  apt: name="atheme-services"
+  notify: restart atheme
+
+- name: configure atheme
+  become: yes
+  template:
+    src: "atheme.conf.j2"
+    dest: "/etc/atheme/atheme.conf"
+  notify: restart atheme
+
+- name: start atheme service
+  become: yes
+  systemd: name="atheme-services.service" state="started" enabled="yes" daemon_reload="yes"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/atheme/templates/atheme.conf.j2	Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,2850 @@
+/* This is an example configuration for Services.
+ *
+ * All statements end in semi-colons (';').
+ * Shell style, C style, and C++ style comments may be used.
+ *
+ * Items marked with "(*)" are reconfigurable at runtime via REHASH.
+ */
+
+/******************************************************************************
+ * MODULES SECTION.                                                           *
+ ******************************************************************************/
+
+/*
+ * These are the modules included with the core distribution of Services.
+ *
+ * You may be interested in the atheme community modules distribution as
+ * well, which adds additional features that may or may not be compatible
+ * with the project paradigms intended for maintainance of the core of
+ * atheme-services.
+ *
+ * Visit the atheme-services website for more information and to download them.
+ *
+ * Modules marked [experimental] will taint your atheme-services instance. Do
+ * not file any bug reports with us about using Services with those modules;
+ * they will be ignored.
+ */
+
+/* Dynamic security modules.
+ *
+ * WARNING: If you select one of these modules, the default security policy included
+ * with Atheme may break.  These modules are intended for people who know what they
+ * are doing and understand the implications of what they do.  Security modules which
+ * are likely to break the default policy are prefixed with [!], if you are new to
+ * Atheme, you should avoid enabling them.
+ *
+ * If you find your security policy is broken, you may debug it while allowing normal
+ * operation of your IRC network by putting Atheme into "permissive mode".  To do this,
+ * enable general::permissive_mode.
+ *
+ * [!] Infer "command:" namespace permissions   modules/security/cmdperm
+ */
+#loadmodule "modules/security/cmdperm";
+
+/* Protocol module.
+ *
+ * Please select a protocol module. Different servers use different protocols.
+ * Below is a listing of ircd's known to work with the various protocol modules
+ * available.
+ *
+ * Asuka 1.2.1 or later                         modules/protocol/asuka
+ * Bahamut 2.1.x                                modules/protocol/bahamut
+ * Charybdis IRCd                               modules/protocol/charybdis
+ * ChatIRCd                                     modules/protocol/chatircd1.1
+ * DreamForge 4.6.7 or later                    modules/protocol/dreamforge
+ * InspIRCd 2.0                                 modules/protocol/inspircd
+ * ircd-ratbox 2.0 and later                    modules/protocol/ratbox
+ * IRCNet ircd (ircd 2.11)                      modules/protocol/ircnet
+ * ircd-seven                                   modules/protocol/ircd-seven
+ * Nefarious IRCu 0.4.0 or later                modules/protocol/nefarious
+ * ngIRCd 19 or later [experimental]            modules/protocol/ngircd
+ * UnrealIRCd 3.2.*                             modules/protocol/unreal
+ * UnrealIRCd 4 or later                        modules/protocol/unreal4
+ *
+ * If your IRCd vendor has supplied a module file, build it and load it here
+ * instead of one above.
+ */
+loadmodule "modules/protocol/ngircd";
+
+/* Protocol mixins.
+ *
+ * These should be used if you do not have/want certain features on your
+ * network that your ircd normally has. If you do not know what this means,
+ * you do not need any of them.
+ *
+ * Disable halfops                              modules/protocol/mixin_nohalfops
+ * Disable holdnick (use enforcer clients)      modules/protocol/mixin_noholdnick
+ * Disable "protect" mode on channels           modules/protocol/mixin_noprotect
+ * Disable "owner" mode on channels             modules/protocol/mixin_noowner
+ */
+#loadmodule "modules/protocol/mixin_nohalfops";
+#loadmodule "modules/protocol/mixin_noholdnick";
+#loadmodule "modules/protocol/mixin_noprotect";
+#loadmodule "modules/protocol/mixin_noowner";
+
+/* Database backend module.
+ *
+ * Please select a database backend module. Different backends allow for
+ * different ways in which the services data can be manipulated. YOU MAY
+ * ONLY HAVE ONE OF THESE BACKENDS LOADED.
+ *
+ * The following backends are available:
+ *
+ * Atheme 0.1 flatfile database format          modules/backend/flatfile
+ * Open Services Exchange database format       modules/backend/opensex
+ *
+ * Most networks will want opensex.
+ */
+loadmodule "modules/backend/opensex";
+
+/* Password hashing modules.
+ *
+ * If you would like encryption for your services passwords, or to migrate
+ * from another IRC services package which used encryption for its passwords,
+ * please select a module here.
+ *
+ * The following encryption-capable crypto modules are available:
+ *
+ *   Argon2 (Password Hashing Competition 2015)    modules/crypto/argon2
+ *   scrypt (Tarsnap Online Backup Service)        modules/crypto/scrypt
+ *   PBKDF2 (Including support for SASL SCRAM-SHA) modules/crypto/pbkdf2v2
+ *   bcrypt (EksBlowfish; from Niels Provos etc.)  modules/crypto/bcrypt
+ *   SHA2-512 crypt(3) a la '$6$...'               modules/crypto/crypt3-sha2-512
+ *   SHA2-256 crypt(3) a la '$5$...'               modules/crypto/crypt3-sha2-256
+ *
+ * If you do not load an encryption-capable crypto module, some features will
+ * not work correctly, and errors will be logged on e.g. user registration
+ * that it was not possible to encrypt their password. Support for running
+ * without an encryption-capable crypto module will be removed in a later
+ * version of this software; for now it is just *HIGHLY* discouraged.
+ *
+ * Note, that upon starting with an encryption-capable crypto module, YOUR
+ * UNENCRYPTED PASSWORDS ARE IMMEDIATELY AND *IRREVERSIBLY* CONVERTED. Make
+ * at least TWO backups of your database before experimenting with this. If
+ * you have several thousand accounts, this conversion may take a long time.
+ *
+ * The following modules can only be used to /verify/ existing encrypted
+ * passwords, for example when upgrading from an older version of this
+ * software, or migrating from something else:
+ *
+ *   PBKDF2 v1 (Atheme <= 7.2 compatibility)       modules/crypto/pbkdf2
+ *   Raw SHA2-512                                  modules/crypto/rawsha2-512
+ *   Raw SHA2-256                                  modules/crypto/rawsha2-256
+ *   Anope SHA2-256 (Anope 2.0 compatibility)      modules/crypto/anope-enc-sha256
+ *   Raw SHA1 (Anope ~1.8 compatibility)           modules/crypto/rawsha1
+ *   Raw MD5 (Anope ~1.8 compatibility)            modules/crypto/rawmd5
+ *   IRCServices (+ Anope) compatibility           modules/crypto/ircservices
+ *   MD5 crypt(3) (Atheme Linux compatibility)     modules/crypto/crypt3-md5
+ *   DES crypt(3) (Atheme OS X compatibility)      modules/crypto/crypt3-des
+ *   Base64 (Anope ~1.8 compatibility)             modules/crypto/base64
+ *
+ * To transition between crypto schemes, load the preferred scheme first,
+ * and as users login or set new passwords, they will be migrated to the new
+ * preferred scheme. Like so:
+ *
+ * loadmodule "modules/crypto/argon2";
+ * loadmodule "modules/crypto/scrypt";
+ * loadmodule "modules/crypto/pbkdf2v2";
+ * loadmodule "modules/crypto/pbkdf2";
+ * loadmodule "modules/crypto/crypt3-md5";
+ *
+ * The Argon2 module requires the argon2 reference library (./configure
+ * --with-argon2) and is *NOT* available in Atheme v7.2 or earlier. If you
+ * wish to use this module while retaining the possibility to downgrade to
+ * v7.2, please see the crypto {} documentation below.
+ *
+ * The Scrypt module requires libsodium (./configure --with-libsodium) and is
+ * *NOT* available in Atheme v7.2 or earlier. This module may also require a
+ * 64-bit Operating System to function correctly.
+ *
+ * The PBKDF2v2 module has no dependencies and is recommended. If you were
+ * previously using the PBKDF2 v1 module on v7.2, you must still keep it in
+ * the configuration here; the PBKDF2 v2 module cannot verify its password
+ * hashes. However, you should also load PBKDF2 v2 (if you don't decide to use
+ * anything else), because the PBKDF2 v1 module is now verify-only.
+ *
+ * The bcrypt module will truncate passwords greater than 72 characters. It is
+ * also capable of verifying the older $2a$ digests that contain an integer
+ * wrap-around bug, as used on e.g. Anope. It is not capable of verifying the
+ * PHP-bcrypt $2x$ and $2y$ digests; but $2y$ can simply be changed to $2b$.
+ * All successfully-verified passwords not using $2b$ will be converted to it.
+ * This is an encryption-capable module, but its use is discouraged unless you
+ * need to use it for interoperability with some other piece of software.
+ *
+ * The crypt3-* modules depend on your platform crypt(3) supporting the
+ * respective algorithms. This is not guaranteed to be the case. If you used
+ * modules/crypto/posix on Linux, you need crypt3-md5. If you used
+ * modules/crypto/posix on OS X, you need crypt3-des. These modules issue
+ * informational messages when loaded to the effect that they might break in
+ * the future. They also run selftests on load to verify that they will work.
+ *
+ * All available modules are listed below, in the preferred load order. The
+ * modules that are commented out are not available by default (please see
+ * the v7.3 release notes in NEWS.md) or may require a third-party library to
+ * use. If you know that you do not need a specific module, it is better to
+ * not load it, so comment it out. Do not change the order of the modules
+ * below unless you need to migrate from one to the other (as described
+ * above); in particular, putting verify-only modules above encryption-
+ * capable modules would be a waste of CPU time every time password
+ * verification for a user whose password was not encrypted by them is
+ * attempted.
+ *
+ * Comments that start with -- describe the ./configure option necessary to
+ * have this module built.
+ */
+#loadmodule "modules/crypto/argon2";            /* --with-argon2 */
+#loadmodule "modules/crypto/scrypt";            /* --with-sodium */
+loadmodule "modules/crypto/pbkdf2v2";
+#loadmodule "modules/crypto/bcrypt";            /* See notes above */
+loadmodule "modules/crypto/pbkdf2";             /* Verify-only, see prev. */
+#loadmodule "modules/crypto/crypt3-sha2-512";   /* Needs crypt(3) support */
+#loadmodule "modules/crypto/crypt3-sha2-256";   /* Needs crypt(3) support */
+#loadmodule "modules/crypto/crypt3-md5";        /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawsha2-512";       /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawsha2-256";       /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/anope-enc-sha256";  /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawsha1";           /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/rawmd5";            /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/ircservices";       /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/crypt3-des";        /* --enable-legacy-pwcrypto */
+#loadmodule "modules/crypto/base64";            /* --enable-legacy-pwcrypto */
+
+/* Authentication module.
+ *
+ * These allow using passwords from an external system. The password given
+ * when registering a new account is also checked against the external
+ * system.
+ *
+ * The following authentication modules are available:
+ *
+ * LDAP                                         modules/auth/ldap
+ *
+ * The LDAP module requires OpenLDAP client libraries. It uses them in a
+ * synchronous manner, which means that an unresponsive LDAP server can
+ * freeze services.
+ */
+#loadmodule "modules/auth/ldap";
+
+/* NickServ modules.
+ *
+ * Here you can disable or enable certain features of NickServ, by
+ * defining which modules are loaded. You can even disable NickServ
+ * entirely. Please note however, that an authentication service
+ * (either NickServ, or UserServ) is required for proper functionality.
+ *
+ * Core components                              modules/nickserv/main
+ * Nickname access lists                        modules/nickserv/access
+ * Bad email address blocking                   modules/nickserv/badmail
+ * CertFP fingerprint managment                 modules/nickserv/cert
+ * DROP command                                 modules/nickserv/drop
+ * Nickname enforcement                         modules/nickserv/enforce
+ * GHOST command                                modules/nickserv/ghost
+ * GROUP and UNGROUP commands                   modules/nickserv/group
+ * HELP command                                 modules/nickserv/help
+ * Nickname expiry override (HOLD command)      modules/nickserv/hold
+ * IDENTIFY command                             modules/nickserv/identify
+ * INFO command                                 modules/nickserv/info
+ * Last quit message in INFO                    modules/nickserv/info_lastquit
+ * LIST command                                 modules/nickserv/list
+ * LISTLOGINS command                           modules/nickserv/listlogins
+ * LISTMAIL command                             modules/nickserv/listmail
+ * LISTOWNMAIL command                          modules/nickserv/listownmail
+ * LOGIN command (for no_nick_ownership)        modules/nickserv/login
+ * LOGOUT command                               modules/nickserv/logout
+ * MARK command                                 modules/nickserv/mark
+ * Password quality validation                  modules/nickserv/pwquality
+ * FREEZE command                               modules/nickserv/freeze
+ * LISTCHANS command                            modules/nickserv/listchans
+ * LISTGROUPS command                           modules/nickserv/listgroups
+ * REGISTER command                             modules/nickserv/register
+ * Bypass registration limits (REGNOLIMIT)      modules/nickserv/regnolimit
+ * Password reset (RESETPASS command)           modules/nickserv/resetpass
+ * RESTRICT command                             modules/nickserv/restrict
+ * Password return (RETURN command)             modules/nickserv/return
+ * Password retrieval (SENDPASS command)        modules/nickserv/sendpass
+ * Password retrieval allowed to normal users   modules/nickserv/sendpass_user
+ * Change primary nickname (SET ACCOUNTNAME)    modules/nickserv/set_accountname
+ * SET EMAIL command                            modules/nickserv/set_email
+ * SET EMAILMEMOS command                       modules/nickserv/set_emailmemos
+ * SET ENFORCETIME command                      modules/nickserv/set_enforcetime
+ * SET HIDEMAIL command                         modules/nickserv/set_hidemail
+ * SET LANGUAGE command                         modules/nickserv/set_language
+ * SET NEVERGROUP command                       modules/nickserv/set_nevergroup
+ * SET NEVEROP command                          modules/nickserv/set_neverop
+ * SET NOGREET command                          modules/nickserv/set_nogreet
+ * SET NOMEMO command                           modules/nickserv/set_nomemo
+ * SET NOOP command                             modules/nickserv/set_noop
+ * SET NOPASSWORD command                       modules/nickserv/set_nopassword
+ * SET PASSWORD command                         modules/nickserv/set_password
+ * PRIVMSG instead of NOTICE (SET PRIVMSG cmd)  modules/nickserv/set_privmsg
+ * Account info hiding (SET PRIVATE command)    modules/nickserv/set_private
+ * SET PROPERTY command                         modules/nickserv/set_property
+ * SET PUBKEY command                           modules/nickserv/set_pubkey
+ * SET QUIETCHG command                         modules/nickserv/set_quietchg
+ * Password retrieval uses code (SETPASS cmd)   modules/nickserv/setpass
+ * STATUS command                               modules/nickserv/status
+ * Nickname metadata viewer (TAXONOMY command)  modules/nickserv/taxonomy
+ * VACATION command                             modules/nickserv/vacation
+ * VERIFY command                               modules/nickserv/verify
+ * VHOST command                                modules/nickserv/vhost
+ * Delay services account registrations         modules/nickserv/waitreg
+ */
+loadmodule "modules/nickserv/main";
+#loadmodule "modules/nickserv/access";
+loadmodule "modules/nickserv/badmail";
+#loadmodule "modules/nickserv/cert";
+loadmodule "modules/nickserv/drop";
+#loadmodule "modules/nickserv/enforce";
+loadmodule "modules/nickserv/ghost";
+loadmodule "modules/nickserv/group";
+loadmodule "modules/nickserv/help";
+loadmodule "modules/nickserv/hold";
+loadmodule "modules/nickserv/identify";
+loadmodule "modules/nickserv/info";
+#loadmodule "modules/nickserv/info_lastquit";
+loadmodule "modules/nickserv/list";
+#loadmodule "modules/nickserv/listlogins";
+loadmodule "modules/nickserv/listmail";
+#loadmodule "modules/nickserv/listownmail";
+#loadmodule "modules/nickserv/login";
+loadmodule "modules/nickserv/logout";
+loadmodule "modules/nickserv/mark";
+#loadmodule "modules/nickserv/pwquality";
+loadmodule "modules/nickserv/freeze";
+loadmodule "modules/nickserv/listchans";
+loadmodule "modules/nickserv/listgroups";
+loadmodule "modules/nickserv/register";
+loadmodule "modules/nickserv/regnolimit";
+loadmodule "modules/nickserv/resetpass";
+loadmodule "modules/nickserv/restrict";
+loadmodule "modules/nickserv/return";
+loadmodule "modules/nickserv/setpass";
+#loadmodule "modules/nickserv/sendpass";
+loadmodule "modules/nickserv/sendpass_user";
+loadmodule "modules/nickserv/set_accountname";
+loadmodule "modules/nickserv/set_email";
+loadmodule "modules/nickserv/set_emailmemos";
+#loadmodule "modules/nickserv/set_enforcetime";
+loadmodule "modules/nickserv/set_hidemail";
+loadmodule "modules/nickserv/set_language";
+loadmodule "modules/nickserv/set_nevergroup";
+loadmodule "modules/nickserv/set_neverop";
+loadmodule "modules/nickserv/set_nogreet";
+loadmodule "modules/nickserv/set_nomemo";
+loadmodule "modules/nickserv/set_noop";
+#loadmodule "modules/nickserv/set_nopassword";
+loadmodule "modules/nickserv/set_password";
+#loadmodule "modules/nickserv/set_privmsg";
+#loadmodule "modules/nickserv/set_private";
+loadmodule "modules/nickserv/set_property";
+loadmodule "modules/nickserv/set_pubkey";
+loadmodule "modules/nickserv/set_quietchg";
+loadmodule "modules/nickserv/status";
+loadmodule "modules/nickserv/taxonomy";
+loadmodule "modules/nickserv/vacation";
+loadmodule "modules/nickserv/verify";
+loadmodule "modules/nickserv/vhost";
+#loadmodule "modules/nickserv/waitreg";
+
+/* ChanServ modules.
+ *
+ * Here you can disable or enable certain features of ChanServ, by
+ * defining which modules are loaded. You can even disable ChanServ
+ * entirely. Please note that ChanServ requires an authentication
+ * service, either NickServ or UserServ will do.
+ *
+ * Core components                              modules/chanserv/main
+ * ACCESS command (simplified ACL editing)      modules/chanserv/access
+ * AKICK command                                modules/chanserv/akick
+ * BAN/UNBAN commands                           modules/chanserv/ban
+ * UNBAN self only (load ban or this not both)  modules/chanserv/unban_self
+ * BANSEARCH command                            modules/chanserv/bansearch
+ * CLOSE command                                modules/chanserv/close
+ * CLONE command                                modules/chanserv/clone
+ * CLEAR command                                modules/chanserv/clear
+ * CLEAR AKICKS command                         modules/chanserv/clear_akicks
+ * CLEAR BANS command                           modules/chanserv/clear_bans
+ * CLEAR FLAGS command                          modules/chanserv/clear_flags
+ * CLEAR USERS command                          modules/chanserv/clear_users
+ * COUNT command                                modules/chanserv/count
+ * DROP command                                 modules/chanserv/drop
+ * Forced flags changes                         modules/chanserv/fflags
+ * FLAGS command                                modules/chanserv/flags
+ * Forced foundership transfers                 modules/chanserv/ftransfer
+ * GETKEY command                               modules/chanserv/getkey
+ * HALFOP/DEHALFOP commands                     modules/chanserv/halfop
+ * HELP command                                 modules/chanserv/help
+ * Channel expiry override (HOLD command)       modules/chanserv/hold
+ * INFO command                                 modules/chanserv/info
+ * INVITE command                               modules/chanserv/invite
+ * KICK/KICKBAN commands                        modules/chanserv/kick
+ * LIST command                                 modules/chanserv/list
+ * MARK command                                 modules/chanserv/mark
+ * Moderated channel registrations              modules/chanserv/moderate
+ * OP/DEOP commands                             modules/chanserv/op
+ * OWNER/DEOWNER commands                       modules/chanserv/owner
+ * PROTECT/DEPROTECT commands                   modules/chanserv/protect
+ * QUIET command (+q support)                   modules/chanserv/quiet
+ * Channel takeover recovery (RECOVER command)  modules/chanserv/recover
+ * REGISTER command                             modules/chanserv/register
+ * SET EMAIL command                            modules/chanserv/set_email
+ * SET ENTRYMSG command                         modules/chanserv/set_entrymsg
+ * SET FANTASY command                          modules/chanserv/set_fantasy
+ * SET GAMESERV command                         modules/chanserv/set_gameserv
+ * SET GUARD command                            modules/chanserv/set_guard
+ * SET KEEPTOPIC command                        modules/chanserv/set_keeptopic
+ * SET LIMITFLAGS command                       modules/chanserv/set_limitflags
+ * SET MLOCK command                            modules/chanserv/set_mlock
+ * SET PREFIX command                           modules/chanserv/set_prefix
+ * Channel info hiding (SET PRIVATE command)    modules/chanserv/set_private
+ * SET PROPERTY command                         modules/chanserv/set_property
+ * SET PUBACL command                           modules/chanserv/set_pubacl
+ * SET RESTRICTED command                       modules/chanserv/set_restricted
+ * SET SECURE command                           modules/chanserv/set_secure
+ * SET TOPICLOCK command                        modules/chanserv/set_topiclock
+ * SET URL command                              modules/chanserv/set_url
+ * SET VERBOSE command                          modules/chanserv/set_verbose
+ * STATUS command                               modules/chanserv/status
+ * SYNC command (and automatic ACL syncing)     modules/chanserv/sync
+ * Named Successor ACL flag                     modules/chanserv/successor_acl
+ * Channel metadata viewer (TAXONOMY command)   modules/chanserv/taxonomy
+ * TEMPLATE command                             modules/chanserv/template
+ * TOPIC/TOPICAPPEND commands                   modules/chanserv/topic
+ * VOICE/DEVOICE commands                       modules/chanserv/voice
+ * WHY command                                  modules/chanserv/why
+ * VOP/HOP/AOP/SOP commands                     modules/chanserv/xop
+ *  This module provides emulation of the ircservices XOP scheme ONLY.
+ *  Do not report discrepencies when using native commands to edit channel
+ *  ACLs. This is intentional.
+ * Flood protection                             modules/chanserv/antiflood
+ *  This module should be loaded after at least chanserv/quiet if you want
+ *  the autoquiet feature to work.
+ */
+loadmodule "modules/chanserv/main";
+loadmodule "modules/chanserv/access";
+loadmodule "modules/chanserv/akick";
+loadmodule "modules/chanserv/ban";
+#loadmodule "modules/chanserv/unban_self";
+loadmodule "modules/chanserv/bansearch";
+loadmodule "modules/chanserv/clone";
+loadmodule "modules/chanserv/close";
+loadmodule "modules/chanserv/clear";
+loadmodule "modules/chanserv/clear_akicks";
+loadmodule "modules/chanserv/clear_bans";
+loadmodule "modules/chanserv/clear_flags";
+loadmodule "modules/chanserv/clear_users";
+loadmodule "modules/chanserv/count";
+loadmodule "modules/chanserv/drop";
+#loadmodule "modules/chanserv/fflags";
+loadmodule "modules/chanserv/flags";
+loadmodule "modules/chanserv/ftransfer";
+loadmodule "modules/chanserv/getkey";
+#loadmodule "modules/chanserv/halfop";
+loadmodule "modules/chanserv/help";
+loadmodule "modules/chanserv/hold";
+loadmodule "modules/chanserv/info";
+loadmodule "modules/chanserv/invite";
+loadmodule "modules/chanserv/kick";
+loadmodule "modules/chanserv/list";
+loadmodule "modules/chanserv/mark";
+#loadmodule "modules/chanserv/moderate";
+loadmodule "modules/chanserv/op";
+#loadmodule "modules/chanserv/owner";
+#loadmodule "modules/chanserv/protect";
+#loadmodule "modules/chanserv/quiet";
+loadmodule "modules/chanserv/recover";
+loadmodule "modules/chanserv/register";
+loadmodule "modules/chanserv/set_email";
+loadmodule "modules/chanserv/set_entrymsg";
+loadmodule "modules/chanserv/set_fantasy";
+#loadmodule "modules/chanserv/set_gameserv";
+loadmodule "modules/chanserv/set_guard";
+loadmodule "modules/chanserv/set_keeptopic";
+#loadmodule "modules/chanserv/set_limitflags";
+loadmodule "modules/chanserv/set_mlock";
+loadmodule "modules/chanserv/set_prefix";
+#loadmodule "modules/chanserv/set_private";
+loadmodule "modules/chanserv/set_property";
+#loadmodule "modules/chanserv/set_pubacl";
+loadmodule "modules/chanserv/set_restricted";
+loadmodule "modules/chanserv/set_secure";
+loadmodule "modules/chanserv/set_topiclock";
+loadmodule "modules/chanserv/set_url";
+loadmodule "modules/chanserv/set_verbose";
+loadmodule "modules/chanserv/status";
+loadmodule "modules/chanserv/sync";
+#loadmodule "modules/chanserv/successor_acl";
+loadmodule "modules/chanserv/taxonomy";
+loadmodule "modules/chanserv/template";
+loadmodule "modules/chanserv/topic";
+loadmodule "modules/chanserv/voice";
+loadmodule "modules/chanserv/why";
+#loadmodule "modules/chanserv/xop";
+loadmodule "modules/chanserv/antiflood";
+
+/* CHANFIX module.
+ *
+ * Here you can disable or enable certain features of CHANFIX, by
+ * defining which modules are loaded.
+ *
+ * Core components                              modules/chanfix/main
+ */
+#loadmodule "modules/chanfix/main";
+
+/* OperServ modules.
+ *
+ * Here you can disable or enable certain features of OperServ, by
+ * defining which modules are loaded.
+ *
+ * Core components                              modules/operserv/main
+ * AKILL system                                 modules/operserv/akill
+ * CLEARCHAN command                            modules/operserv/clearchan
+ * CLONES system                                modules/operserv/clones
+ * COMPARE command                              modules/operserv/compare
+ * GENHASH command                              modules/operserv/genhash
+ * GREPLOG command                              modules/operserv/greplog
+ * HELP command                                 modules/operserv/help
+ * IGNORE system                                modules/operserv/ignore
+ * IDENTIFY command                             modules/operserv/identify
+ * INFO command                                 modules/operserv/info
+ * INJECT command                               modules/operserv/inject
+ * JUPE command                                 modules/operserv/jupe
+ * MODE command                                 modules/operserv/mode
+ * MODINSPECT command                           modules/operserv/modinspect
+ * MODLIST command                              modules/operserv/modlist
+ * MODLOAD command                              modules/operserv/modload
+ * MODRELOAD command                            modules/operserv/modreload
+ * MODUNLOAD command                            modules/operserv/modunload
+ * NOOP system                                  modules/operserv/noop
+ * Regex mass akill (RAKILL command)            modules/operserv/rakill
+ * RAW command                                  modules/operserv/raw
+ * READONLY command                             modules/operserv/readonly
+ * REHASH command                               modules/operserv/rehash
+ * RESTART command                              modules/operserv/restart
+ * Display regex matching (RMATCH command)      modules/operserv/rmatch
+ * Most common realnames (RNC command)          modules/operserv/rnc
+ * RWATCH system                                modules/operserv/rwatch
+ *
+ * Note that ALL of these SET commands only apply until the next rehash!
+ *
+ * ALL of the below SET commands (deprecated)   modules/operserv/set
+ * SET AKICKTIME subcommand (temporarily)       modules/operserv/set_akicktime
+ * SET CHANEXPIRE subcommand (temporarily)      modules/operserv/set_chanexpire
+ * SET COMMITINTERVAL subcommand (temporarily)  modules/operserv/set_commitinterval
+ * SET ENFORCEPREFIX subcommand (temporarily)   modules/operserv/set_enforceprefix
+ * SET KLINETIME subcommand (temporarily)       modules/operserv/set_klinetime
+ * SET MAXCHANACS subcommand (temporarily)      modules/operserv/set_maxchanacs
+ * SET MAXCHANS subcommand (temporarily)        modules/operserv/set_maxchans
+ * SET MAXFOUNDERS subcommand (temporarily)     modules/operserv/set_maxfounders
+ * SET MAXLOGINS subcommand (temporarily)       modules/operserv/set_maxlogins
+ * SET MAXNICKS subcommand (temporarily)        modules/operserv/set_maxnicks
+ * SET MAXUSERS subcommand (temporarily)        modules/operserv/set_maxusers
+ * SET MDLIMIT subcommand (temporarily)         modules/operserv/set_mdlimit
+ * SET NICKEXPIRE subcommand (temporarily)      modules/operserv/set_nickexpire
+ * SET RECONTIME subcommand (temporarily)       modules/operserv/set_recontime
+ * SET SPAM subcommand (temporarily)            modules/operserv/set_spam
+ *
+ * SGLINE system                                modules/operserv/sgline
+ * SHUTDOWN command                             modules/operserv/shutdown
+ * Non-config oper privileges (SOPER command)   modules/operserv/soper
+ * Oper privilege display (SPECS command)       modules/operserv/specs
+ * SQLINE system                                modules/operserv/sqline
+ * UPDATE command                               modules/operserv/update
+ * UPTIME command                               modules/operserv/uptime
+ */
+loadmodule "modules/operserv/main";
+loadmodule "modules/operserv/akill";
+#loadmodule "modules/operserv/clearchan";
+#loadmodule "modules/operserv/clones";
+loadmodule "modules/operserv/compare";
+#loadmodule "modules/operserv/genhash";
+#loadmodule "modules/operserv/greplog";
+loadmodule "modules/operserv/help";
+loadmodule "modules/operserv/identify";
+loadmodule "modules/operserv/ignore";
+loadmodule "modules/operserv/info";
+loadmodule "modules/operserv/jupe";
+loadmodule "modules/operserv/mode";
+loadmodule "modules/operserv/modinspect";
+loadmodule "modules/operserv/modlist";
+loadmodule "modules/operserv/modload";
+loadmodule "modules/operserv/modunload";
+loadmodule "modules/operserv/modreload";
+loadmodule "modules/operserv/noop";
+#loadmodule "modules/operserv/rakill";
+loadmodule "modules/operserv/readonly";
+loadmodule "modules/operserv/rehash";
+loadmodule "modules/operserv/restart";
+loadmodule "modules/operserv/rmatch";
+loadmodule "modules/operserv/rnc";
+loadmodule "modules/operserv/rwatch";
+loadmodule "modules/operserv/set";
+loadmodule "modules/operserv/sgline";
+loadmodule "modules/operserv/shutdown";
+#loadmodule "modules/operserv/soper";
+loadmodule "modules/operserv/specs";
+#loadmodule "modules/operserv/sqline";
+loadmodule "modules/operserv/update";
+loadmodule "modules/operserv/uptime";
+
+/* MemoServ modules.
+ *
+ * Here you can disable or enable certain features of MemoServ, by
+ * defining which modules are loaded. You can even disable MemoServ
+ * entirely.
+ *
+ * Core components                              modules/memoserv/main
+ * HELP command                                 modules/memoserv/help
+ * SEND command                                 modules/memoserv/send
+ * Channel memos (SENDOPS command)              modules/memoserv/sendops
+ * Group memos (SENDGROUP command)              modules/memoserv/sendgroup
+ * LIST command                                 modules/memoserv/list
+ * READ command                                 modules/memoserv/read
+ * FORWARD command                              modules/memoserv/forward
+ * DELETE command                               modules/memoserv/delete
+ * IGNORE command                               modules/memoserv/ignore
+ */
+loadmodule "modules/memoserv/main";
+loadmodule "modules/memoserv/help";
+loadmodule "modules/memoserv/send";
+loadmodule "modules/memoserv/sendops";
+loadmodule "modules/memoserv/sendgroup";
+loadmodule "modules/memoserv/list";
+loadmodule "modules/memoserv/read";
+loadmodule "modules/memoserv/forward";
+loadmodule "modules/memoserv/delete";
+loadmodule "modules/memoserv/ignore";
+
+/* Global module.
+ *
+ * Like the other services, the Global noticer is a module. You can
+ * disable or enable it to your liking below. Please note that the
+ * Global noticer is dependent on OperServ for full functionality.
+ */
+loadmodule "modules/global/main";
+
+/* InfoServ module.
+ *
+ * Like the other services, InfoServ is a module. You can disable or
+ * enable it to your liking below.
+ */
+loadmodule "modules/infoserv/main";
+
+/* SASL agent module.
+ *
+ * Allows clients to authenticate to services via SASL with an appropriate
+ * ircd. You need the core components and at least one mechanism.
+ *
+ * Core components                      modules/saslserv/main
+ * AUTHCOOKIE mechanism (for IRIS)      modules/saslserv/authcookie
+ * ECDH-X25519-CHALLENGE mechanism      modules/saslserv/ecdh-x25519-challenge
+ * ECDSA-NIST256P-CHALLENGE mechanism   modules/saslserv/ecdsa-nist256p-challenge
+ * EXTERNAL mechanism (IRCv3.1+)        modules/saslserv/external
+ * PLAIN mechanism                      modules/saslserv/plain
+ * SCRAM-SHA-* mechanisms               modules/saslserv/scram
+ *
+ * ECDH-X25519-CHALLENGE support requires that Atheme be compiled against a
+ * cryptographic library that provides X25519 ECDH support (BoringSSL,
+ * LibreSSL, ARM mbedTLS, Nettle, Sodium). This will be checked while running
+ * ./configure.
+ *
+ * ECDSA-NIST256P-CHALLENGE support requires that Atheme be compiled against
+ * an OpenSSL with ECDSA support (not RHEL etc. unless you compile your own).
+ * This will be checked while running ./configure.
+ *
+ * You MUST read doc/SASL-SCRAM before loading modules/saslserv/scram!
+ */
+loadmodule "modules/saslserv/main";
+loadmodule "modules/saslserv/authcookie";
+#loadmodule "modules/saslserv/ecdh-x25519-challenge";
+#loadmodule "modules/saslserv/ecdsa-nist256p-challenge";
+#loadmodule "modules/saslserv/external";
+loadmodule "modules/saslserv/plain";
+#loadmodule "modules/saslserv/scram";   /* READ doc/SASL-SCRAM FIRST! */
+
+/* GameServ modules.
+ *
+ * Here you can disable or enable certain features of GameServ, by
+ * defining which modules are loaded. You can even disable GameServ
+ * entirely.
+ *
+ * Core components                              modules/gameserv/main
+ * DICE/WOD commands                            modules/gameserv/dice
+ * EIGHTBALL command                            modules/gameserv/eightball
+ * Game-specific dice calculators               modules/gameserv/gamecalc
+ * HELP commands                                modules/gameserv/help
+ * LOTTERY command                              modules/gameserv/lottery
+ * NAMEGEN command                              modules/gameserv/namegen
+ * RPS command                                  modules/gameserv/rps
+ */
+#loadmodule "modules/gameserv/main";
+#loadmodule "modules/gameserv/dice";
+#loadmodule "modules/gameserv/eightball";
+#loadmodule "modules/gameserv/gamecalc";
+#loadmodule "modules/gameserv/help";
+#loadmodule "modules/gameserv/lottery";
+#loadmodule "modules/gameserv/namegen";
+#loadmodule "modules/gameserv/rps";
+
+/* RPGServ modules.
+ *
+ * Here you can disable or enable certain features of RPGServ, by
+ * defining which modules are loaded. You can even disable RPGServ
+ * entirely.
+ *
+ * Core components                              modules/rpgserv/main
+ * ENABLE/DISABLE commands                      modules/rpgserv/enable
+ * HELP command                                 modules/rpgserv/help
+ * INFO command                                 modules/rpgserv/info
+ * LIST command                                 modules/rpgserv/list
+ * SEARCH command                               modules/rpgserv/search
+ * SET commands                                 modules/rpgserv/set
+ */
+#loadmodule "modules/rpgserv/main";
+#loadmodule "modules/rpgserv/enable";
+#loadmodule "modules/rpgserv/help";
+#loadmodule "modules/rpgserv/info";
+#loadmodule "modules/rpgserv/list";
+#loadmodule "modules/rpgserv/search";
+#loadmodule "modules/rpgserv/set";
+
+/* BotServ modules.
+ *
+ * Here you can disable or enable certain features of BotServ, by
+ * defining which modules are loaded. You can even disable BotServ
+ * entirely.
+ *
+ * Core components                              modules/botserv/main
+ * HELP command                                 modules/botserv/help
+ * INFO command                                 modules/botserv/info
+ * NPC commands (SAY, ACT)                      modules/botserv/bottalk
+ * SET FANTASY command                          modules/botserv/set_fantasy
+ * SET NOBOT command                            modules/botserv/set_nobot
+ * SET PRIVATE command                          modules/botserv/set_private
+ * SET SAYCALLER command                        modules/botserv/set_saycaller
+ */
+#loadmodule "modules/botserv/main";
+#loadmodule "modules/botserv/help";
+#loadmodule "modules/botserv/info";
+#loadmodule "modules/botserv/bottalk";
+#loadmodule "modules/botserv/set_fantasy";
+#loadmodule "modules/botserv/set_nobot";
+#loadmodule "modules/botserv/set_private";
+#loadmodule "modules/botserv/set_saycaller";
+
+/* HostServ modules.
+ *
+ * Here you can disable or enable certain features of HostServ, by
+ * defining which modules are loaded. You can even disable HostServ
+ * entirely.
+ *
+ * HostServ is a more complex, and optional virtual host management service.
+ * Users wishing only to set vhosts need not use it (they can use the builtin
+ * vhost management of NickServ instead).
+ *
+ * Core components                              modules/hostserv/main
+ * HELP command                                 modules/hostserv/help
+ * OFFER system                                 modules/hostserv/offer
+ * ON and OFF commands                          modules/hostserv/onoff
+ * REQUEST system                               modules/hostserv/request
+ * VHOST and LISTVHOST commands                 modules/hostserv/vhost
+ * VHOSTNICK command                            modules/hostserv/vhostnick
+ * GROUP command                                modules/hostserv/group
+ * DROP command                                 modules/hostserv/drop
+ */
+#loadmodule "modules/hostserv/main";
+#loadmodule "modules/hostserv/help";
+#loadmodule "modules/hostserv/onoff";
+#loadmodule "modules/hostserv/offer";
+#loadmodule "modules/hostserv/request";
+#loadmodule "modules/hostserv/vhost";
+#loadmodule "modules/hostserv/vhostnick";
+#loadmodule "modules/hostserv/group";
+#loadmodule "modules/hostserv/drop";
+
+/* HelpServ modules.
+ * HelpServ allows users to request help from network staff in a few different ways.
+ *
+ * Core components                              modules/helpserv/main
+ * HELPME command                               modules/helpserv/helpme
+ * Help Ticket system                           modules/helpserv/ticket
+ * Service List                                 modules/helpserv/services
+ *
+ * The ticket system works like a bugtracker ot helpdesk ticket system, HELPME
+ * works like a one-time alert. You should probably only load one of the two systems.
+ */
+#loadmodule "modules/helpserv/main";
+#loadmodule "modules/helpserv/helpme";
+#loadmodule "modules/helpserv/ticket";
+#loadmodule "modules/helpserv/services";
+
+/* Channel listing service.
+ *
+ * Allows users to list channels with more flexibility than the /list
+ * command.
+ *
+ * Core components                              modules/alis/main
+ */
+#loadmodule "modules/alis/main";
+
+/* StatServ module.
+ * StatServ provides basic statistics and split tracking.
+ *
+ * Core components                              modules/statserv/main
+ * CHANNEL command                              modules/statserv/channel
+ * NETSPLIT command                             modules/statserv/netsplit
+ * SERVER command                               modules/statserv/server
+ */
+loadmodule "modules/statserv/main";
+#loadmodule "modules/statserv/channel";
+loadmodule "modules/statserv/netsplit";
+loadmodule "modules/statserv/server";
+
+/* GroupServ module.
+ * GroupServ allows users to create groups to easily mass-manage channel
+ * access and more.
+ *
+ * Core components                              modules/groupserv/main
+ * ACSNOLIMIT command                           modules/groupserv/acsnolimit
+ * DROP command                                 modules/groupserv/drop
+ * FFLAGS command                               modules/groupserv/fflags
+ * FLAGS command                                modules/groupserv/flags
+ * HELP command                                 modules/groupserv/help
+ * INFO command                                 modules/groupserv/info
+ * JOIN command                                 modules/groupserv/join
+ * LIST command                                 modules/groupserv/list
+ * LISTCHANS command                            modules/groupserv/listchans
+ * REGISTER command                             modules/groupserv/register
+ * REGNOLIMIT command                           modules/groupserv/regnolimit
+ * INVITE command                               modules/groupserv/invite
+ * SET command                                  modules/groupserv/set
+ * SET CHANNEL command                          modules/groupserv/set_channel
+ * SET DESCRIPTION command                      modules/groupserv/set_description
+ * SET EMAIL command                            modules/groupserv/set_email
+ * SET GROUPNAME command                        modules/groupserv/set_groupname
+ * SET JOINFLAGS command                        modules/groupserv/set_joinflags
+ * SET OPEN command                             modules/groupserv/set_open
+ * SET PUBLIC command                           modules/groupserv/set_public
+ * SET URL command                              modules/groupserv/set_url
+ *
+ */
+loadmodule "modules/groupserv/main";
+loadmodule "modules/groupserv/acsnolimit";
+loadmodule "modules/groupserv/drop";
+loadmodule "modules/groupserv/fflags";
+loadmodule "modules/groupserv/flags";
+loadmodule "modules/groupserv/help";
+loadmodule "modules/groupserv/info";
+loadmodule "modules/groupserv/join";
+loadmodule "modules/groupserv/list";
+loadmodule "modules/groupserv/listchans";
+loadmodule "modules/groupserv/register";
+loadmodule "modules/groupserv/regnolimit";
+#loadmodule "modules/groupserv/invite";
+loadmodule "modules/groupserv/set";
+loadmodule "modules/groupserv/set_channel";
+loadmodule "modules/groupserv/set_description";
+loadmodule "modules/groupserv/set_email";
+loadmodule "modules/groupserv/set_groupname";
+loadmodule "modules/groupserv/set_joinflags";
+loadmodule "modules/groupserv/set_open";
+loadmodule "modules/groupserv/set_public";
+loadmodule "modules/groupserv/set_url";
+
+/*
+ * Various modules.
+ *
+ * Atheme includes an optional HTTP server that can be used for integration
+ * with portal software and other useful things. To enable it, load this
+ * module, and uncomment the httpd { } block towards the bottom of the config.
+ *
+ * HTTP Server                                  modules/misc/httpd
+ */
+#loadmodule "modules/misc/httpd";
+
+/* XMLRPC server module.
+ *
+ * The XML-RPC handler requires modules/misc/httpd to be loaded as it merely
+ * registers a path handler for XML-RPC. The path used for XML-RPC is /xmlrpc.
+ *
+ * XMLRPC handler for the httpd                 modules/transport/xmlrpc
+ */
+#loadmodule "modules/transport/xmlrpc";
+
+/* Extended target entity types. [EXPERIMENTAL]
+ *
+ * Atheme can set up special target mapping entities which match multiple
+ * users in channel access entries.  These target mapping entity types are
+ * defined through the 'exttarget' modules listed below.
+ *
+ * Exttarget handling core                      modules/exttarget/main
+ * $oper exttarget match type                   modules/exttarget/oper
+ * $registered exttarget match type             modules/exttarget/registered
+ * $channel exttarget match type                modules/exttarget/channel
+ * $chanacs exttarget match type                modules/exttarget/chanacs
+ * $server exttarget match type                 modules/exttarget/server
+ */
+#loadmodule "modules/exttarget/main";
+#loadmodule "modules/exttarget/oper";
+#loadmodule "modules/exttarget/registered";
+#loadmodule "modules/exttarget/channel";
+#loadmodule "modules/exttarget/chanacs";
+#loadmodule "modules/exttarget/server";
+
+/* Proxyscan (DNSBL) modules.
+ *
+ * Atheme can also check set DNS Blacklists for matches and respond
+ * as set.  Activate modules here and customize further down under Proxyscan
+ * section.
+ */
+#loadmodule "modules/proxyscan/main";
+#loadmodule "modules/proxyscan/dnsbl";
+
+/* Other modules.
+ *
+ * Put any other modules you want to load on startup here. The path
+ * is relative to PREFIX or PREFIX/lib/atheme, depending on how Atheme
+ * was compiled.
+ */
+#loadmodule "modules/contrib/backtrace";
+
+/******************************************************************************
+ * SERVICES RUNTIME CONFIGURATION SECTION.                                    *
+ ******************************************************************************/
+
+/*
+ * This block controls the configuration options for crypto modules.
+ *
+ * It is recommended to either leave the values at their defaults, or
+ * experiment with them so that it takes approximately 0.2-0.4 seconds
+ * for users to identify. Services blocks while the password is being
+ * encrypted or verified, so don't set these too large, or people can
+ * hang services by trying many password attempts at once.
+ *
+ * A benchmark program for the Argon2, scrypt & PBKDF2 crypto code is
+ * available to assist with tuning these parameters:
+ *
+ *     - ./configure --prefix=foo ...
+ *     - make
+ *     - make install
+ *     - ${foo}/bin/atheme-crypto-benchmark -o
+ *
+ * If you wish to deploy SASL SCRAM support, please read 'doc/SASL-SCRAM' and
+ * pass the '-i' flag to the included cryptographic benchmarking utility too.
+ *
+ * If you are using the PBKDF2 module, its performance will be significantly
+ * affected by your choice of cryptographic digest library. This software can
+ * currently interface with 3 libraries; in decreasing order of performance:
+ *
+ *     - OpenSSL (libcrypto)
+ *     - GnuPG (libgcrypt)
+ *     - ARM mbedTLS (libmbedcrypto)
+ *
+ * If you have one of these libraries available at configure-time, the PBKDF2
+ * module will perform significantly better, allowing you to raise its
+ * iteration count without affecting the computation time. This is indicated
+ * by the output of the configure script; "Digest Frontend". The benchmark
+ * program will also inform you what cryptographic digest library it is using,
+ * if any.
+ *
+ *
+ *
+ * If you are migrating from crypto/argon2d (v7.2) to crypto/argon2, and you
+ * wish to use the same parameters as the older module's defaults, configure
+ * it like so:
+ *
+ *     crypto {
+ *         argon2_type = "argon2d";
+ *         argon2_memcost = 14;
+ *         argon2_timecost = 32;
+ *         argon2_threads = 1;
+ *         argon2_saltlen = 32;
+ *         argon2_hashlen = 64;
+ *     };
+ *
+ *
+ *
+ * If you are migrating from crypto/pbkdf2 (v7.2) to crypto/pbkdf2v2, and you
+ * wish to use the same parameters as the older module, configure it like so:
+ *
+ *     crypto {
+ *         pbkdf2v2_digest = "SHA512";
+ *         pbkdf2v2_rounds = 128000;
+ *     };
+ *
+ * Note that this will still result in passwords being re-encrypted with the
+ * newer module (as the older module successfully verifies them); another new
+ * PBKDF2 computation with a new salt will occur, but this is still no worse
+ * than an invocation of NickServ's "SET PASSWORD" command. You will still
+ * need to keep the old module in your loadmodule configuration above, as the
+ * new module cannot verify digests produced by the old one.
+ *
+ * If you wish to deploy SASL SCRAM support, please read 'doc/SASL-SCRAM'.
+ * Its advice regarding parameter choice takes precedence over this!
+ */
+crypto {
+
+        /* (*) argon2_type
+         *
+         * The algorithm type to use for new passwords.
+         *
+         * Argon2d is suitable for use on a dedicated machine that has
+         * limited access. It provides the most resistance to GPU and ASIC
+         * cracking attacks, but its operation is data-dependent; that is,
+         * during its operation, keying material derived from the password
+         * itself is indirectly affecting the execution choices made by the
+         * algorithm. This creates a side-channel that can leak information
+         * about the password to other software running on the same physical
+         * machine.
+         *
+         * Argon2i avoids this by being data-independent. The order of memory
+         * accesses, conditional execution, etc. does not depend on the
+         * password, or any material derived from the password, so no side-
+         * channel that can reveal any information about the password is
+         * created. However, this means that it is easier to bruteforce by a
+         * password cracker, which does not have to account for execution
+         * differences in its implementation. This is the most suitable
+         * choice for running on a virtual machine that is co-located with
+         * other, untrusted, virtual machines, or on a dedicated machine that
+         * runs other, untrusted, software, or has untrusted user access.
+         *
+         * Argon2id is a blend of both, limiting the exploitability of any
+         * side-channels while retaining excellent resistance to GPU and ASIC
+         * cracking. This is suitable for all but the most sensitive of
+         * deployments.
+         *
+         * All algorithm types perform about equally as well as each other;
+         * changing this will not significantly affect the computation time.
+         *
+         * The "argon2id" type requires a more recent libargon2 library. This
+         * is indicated in your ./configure output ("checking if libargon2
+         * algorithm type Argon2id appears to be usable...").
+         *
+         * Valid values are "argon2d", "argon2i", and "argon2id"
+         * The default is "argon2id"; unless unsupported, then "argon2d".
+         */
+        #argon2_type = "argon2id";
+
+        /* (*) argon2_memcost
+         *
+         * Memory cost (as a power of 2, in KiB) to use for new passwords.
+         *
+         * You should set this as high as is reasonable for the machine you
+         * will be running this software on. If this results in too slow a
+         * computation time, reset the time cost below to its minimum value.
+         * If it is still too slow, decrement this value (halving the memory
+         * usage) until it is fast enough. Alternatively, if it is still too
+         * fast after setting this to its highest reasonable value, raise the
+         * time cost below until it is not. A benchmark program is available
+         * alongside this software to aid in this process.
+         *
+         * WARNING: Do *NOT* set this to more than 20 (1 GiB RAM) on a 32-bit
+         *          machine or a 32-bit Operating System!
+         *
+         * Valid values are 3 (8 KiB RAM) to 30 (1 TiB RAM) (inclusive)
+         * The default is 16 (64 MiB RAM)
+         */
+        #argon2_memcost = 16;
+
+        /* (*) argon2_timecost
+         *
+         * Time cost (iterations over the memory pool).
+         *
+         * Valid values are 3 to 1,048,576 (inclusive)
+         * The default is 3
+         */
+        #argon2_timecost = 3;
+
+        /* (*) argon2_threads
+         *
+         * Number of processor threads to use for new passwords.
+         *
+         * If you want to increase the amount of computation effort required,
+         * while not increasing the real ("wall clock") time required, raise
+         * this setting to its maximum reasonable value for the machine you
+         * will be running this software on.
+         *
+         * This software is not multi-threaded, so only one password will be
+         * verified at a time. Therefore, you do NOT need to divide this by
+         * the expected maximum number of simultaneous logins.
+         *
+         * It is pointless to set this higher than the number of hardware
+         * processing threads you have; increase the time cost above instead
+         * if you want to make it arbitrarily slower. Diminishing returns are
+         * to be expected once you exceed the number of hardware processing
+         * /cores/ you have; hyperthreading does NOT provide much (if any) of
+         * a boost for this workload.
+         *
+         * Increasing this value will *decrease* the real time required, so
+         * you may have to subsequently increase the time cost above again to
+         * make it "just slow enough" once more. A benchmark program is
+         * available alongside this software to aid in this process.
+         *
+         * WARNING: The (size of the) memory pool configured above is split
+         * between the threads, which can result in too small a memory area
+         * per-thread if many threads are used. If you set this value, it is
+         * HIGHLY RECOMMENDED that you run the included benchmarking program
+         * with the same configuration options, to confirm that it works!
+         *
+         * WARNING: This feature is experimental. Some of the code in this
+         * software is not thread-safe, and although every effort has been
+         * made to ensure that this feature will not interfere with the
+         * operation of this software, this cannot be guaranteed.
+         *
+         * Valid values are 1 to 255 (inclusive)
+         * The default is 1 (do not use any computation parallelism)
+         */
+        #argon2_threads = 1;
+
+        /* (*) argon2_saltlen
+         *
+         * Salt length (in bytes) to use for new passwords. You should only
+         * change this if absolutely necessary; for example, to interoperate
+         * with other software. Its value doesn't significantly affect the
+         * computation time.
+         *
+         * Valid values are 4 to 48 (inclusive)
+         * The default is 16
+         */
+        #argon2_saltlen = 16;
+
+        /* (*) argon2_hashlen
+         *
+         * Digest length (in bytes) to use for new passwords. You should only
+         * change this if absolutely necessary; for example, to interoperate
+         * with other software. Its value doesn't significantly affect the
+         * computation time.
+         *
+         * Valid values are 16 to 128 (inclusive)
+         * The default is 64
+         */
+        #argon2_hashlen = 64;
+
+        /* (*) scrypt_memlimit
+         *
+         * Memory limit (as a power of 2, in KiB) to use for new passwords.
+         *
+         * You should set this as high as is reasonable for the machine you
+         * will be running this software on. If this results in too slow a
+         * computation time, reset the opslimit below to its default value.
+         * If it is still too slow, decrement this value (halving the memory
+         * usage) until it is fast enough. Alternatively, if it is still too
+         * fast after setting this to its highest reasonable value, raise the
+         * opslimit below until it is not. A benchmark program is available
+         * alongside this software to aid in this process.
+         *
+         * WARNING: Do *NOT* set this to more than 20 (1 GiB RAM) on a 32-bit
+         *          machine or a 32-bit Operating System!
+         *
+         * Valid values are 14 (16 MiB RAM) to 26 (64 GiB RAM) (inclusive)
+         * The default is 14 (16 MiB RAM)
+         */
+        #scrypt_memlimit = 14;
+
+        /* (*) scrypt_opslimit
+         *
+         * Amount of computation to perform for new passwords.
+         *
+         * The default value for this option is based on the default value of
+         * the above option. The recommended value is (memlimit_bytes / 32).
+         *
+         * Valid values are 32,768 to 4,294,967,295 (inclusive)
+         * The default is 524,288
+         */
+        #scrypt_opslimit = 524288;
+
+        /* (*) pbkdf2v2_digest
+         *
+         * Cryptographic digest algorithm to use (in HMAC mode).
+         *
+         * Valid values are "SHA1", "SHA2-256", and "SHA2-512".
+         * Additionally, the following aliases exist, for compatibility:
+         *
+         *   "SHA-1"   -> SHA1
+         *   "SHA256"  -> SHA2-256
+         *   "SHA512"  -> SHA2-512
+         *   "SHA-256" -> SHA2-256
+         *   "SHA-512" -> SHA2-512
+         *
+         * Finally, you can prefix this value with "SCRAM-" to enable the
+         * computation and storage of an RFC5802/SCRAM ServerKey & StoredKey,
+         * instead of a raw PBKDF2 digest (SaltedPassword). Verification of
+         * plaintext passwords against these digests can still be performed
+         * (for e.g. NickServ IDENTIFY or SASL PLAIN), by computing a new
+         * SCRAM ServerKey from the provided password and comparing it to the
+         * stored ServerKey, so setting this to a SCRAM mode does NOT prevent
+         * non-SCRAM logins. For these variants, please read doc/SASL-SCRAM.
+         *
+         * The default is "SHA2-512"
+         */
+        #pbkdf2v2_digest = "SHA2-512";
+
+        /* (*) pbkdf2v2_rounds
+         *
+         * This is the PBKDF2 "iteration count". You should raise this as high
+         * as is reasonable for the machine you will be running services on.
+         * However, note that if you are going to deploy SASL SCRAM support,
+         * the *client*, NOT services, performs the PBKDF2 calculation during
+         * login, so keep in mind that many mobile clients will not perform as
+         * well as a server, and reduce the iteration count accordingly. Also,
+         * some clients will refuse to perform a login at all if this is set
+         * too high. A benchmark program is included alongside this software to
+         * aid in tuning this parameter.
+         *
+         * Valid values are 10,000 to 5,000,000 (inclusive)
+         * The default is 64,000
+         */
+        #pbkdf2v2_rounds = 64000;
+
+        /* (*) pbkdf2v2_saltlen
+         * You should only change this if you *really* know what you're doing
+         * Valid values are 8 to 64 (inclusive)
+         * The default is 32
+         */
+        #pbkdf2v2_saltlen = 32;
+
+        /* (*) bcrypt_cost
+         *
+         * Amount of rounds to perform for new passwords (as a power of 2).
+         * You should raise this as high as is reasonable. A benchmark
+         * program is available alongside this software to aid in this
+         * process.
+         *
+         * Valid values are 4 to 31 (inclusive)
+         * The default is 7
+         */
+        #bcrypt_cost = 7;
+
+        /* (*) crypt3_sha2_256_rounds
+         * (*) crypt3_sha2_512_rounds
+         *
+         * Use of this option is restricted to certain C libraries!
+         * At present, only GNU libc6 ("glibc") v2.7+ is known to work.
+         *
+         * Valid values are 5,000 to 1,000,000 (inclusive)
+         * The default is 5,000
+         */
+        #crypt3_sha2_256_rounds = 5000;
+        #crypt3_sha2_512_rounds = 5000;
+};
+
+/* The serverinfo{} block defines how we appear on the IRC network. */
+serverinfo {
+        /* name
+         * The server name that this program uses on the IRC network.
+         * This is the name you'll have to use in C:/N:Lines. It must be
+         * unique on the IRC network and contain at least one dot, but does
+         * not have to be equal to any DNS name.
+         */
+        name = "{{atheme_server_host}}";
+
+        /* desc
+         * The ``server comment'' we send to the IRC network.
+         */
+        desc = "Atheme IRC Services";
+
+        /* numeric
+         * Some protocol drivers (Charybdis, Ratbox2, P10, IRCNet)
+         * require a server id, also known as a numeric. Please consult your
+         * ircd's documentation when providing this value.
+         */
+        numeric = "00A";
+
+        /* (*)recontime
+         * The number of seconds before we reconnect to the uplink.
+         */
+        recontime = 10;
+
+        /* (*)netname
+         * The name of your network.
+         */
+        netname = "{{atheme_server_host}}";
+
+        /* (*)hidehostsuffix
+         * P10 +x host hiding gives <account>.<hidehostsuffix>.
+         * If using +x on asuka, this must agree
+         * with F:HIDDEN_HOST.
+         */
+        hidehostsuffix = "users.misconfigured";
+
+        /* (*)adminname
+         * The name of the person running this service.
+         */
+        adminname = "{{atheme_admin_name}}";
+
+        /* (*)adminemail
+         * The email address of the person running this service.
+         */
+        adminemail = "{{atheme_admin_email}}";
+
+        /* (*)registeremail
+         * The email address that messages should be originated from.
+         * If this is not set, then "noreply.$adminemail" will be used.
+         */
+        registeremail = "{{atheme_admin_email}}";
+
+        /* (*)hidden
+         * If this is enabled, Atheme will indicate to the uplink IRCd
+         * that it should not be included in /links output.  This only works
+         * on the following IRCds at present: charybdis, ircd-seven, ratbox.
+         */
+        #hidden;
+
+        /* (*)mta
+         * The full path to your mail transfer agent.
+         * This is used for email authorization and password retrieval.
+         * Comment this out to disable sending email.
+         * Warning: sending email can disclose the IP of your services
+         * unless you take precautions (not discussed here further).
+         */
+        mta = "/usr/sbin/sendmail";
+
+        /* (*)loglevel
+         * Specify the default categories of logging information to record
+         * in the master Atheme logfile, usually var/atheme.log.
+         *
+         * Options include:
+         *      debug, all      - meta-keyword for all possible categories
+         *      trace           - meta-keyword for a little bit of info
+         *      misc            - like trace, but with some more miscellaneous info
+         *      notice          - meta-keyword for notice-like information
+         * ------------------------------------------------------------------------------
+         *      error           - critical errors
+         *      info            - miscillaneous log notices
+         *      verbose         - A bit more verbose than info, not quite as spammy as debug
+         *      commands        - all command use
+         *      admin           - administrative command use
+         *      register        - account and channel registrations
+         *      set             - changes of account or channel settings
+         *      request         - user requests (currently only vhosts)
+         *      network         - log notices related to network status
+         *      rawdata         - log raw data sent and received by services
+         *      wallops         - <not yet used>
+         */
+        loglevel = { error; info; admin; network; wallops; };
+
+        /* (*)maxlogins
+         * What is the maximum number of sessions allowed to login to one
+         * username? This reduces potential abuse. It is only checked on login.
+         */
+        maxlogins = 5;
+
+        /* (*)maxusers
+         * What are the maximum usernames that one email address can register?
+         * Set to 0 to disable this check (it can be slow currently).
+         */
+        maxusers = 5;
+
+        /* (*)mdlimit
+         * How many metadata entries can be added to an object?
+         */
+        mdlimit = 30;
+
+        /* (*)emaillimit, emailtime
+         * The maximum number of emails allowed to be sent in
+         * that amount of time (seconds). If this is exceeded,
+         * wallops will be sent, at most one per minute.
+         */
+        emaillimit = 10;
+        emailtime = 300;
+
+        /* (*)auth
+         * What type of username registration authorization do you want?
+         * If "email", Atheme will send a confirmation email to the address to
+         * ensure it's valid. If registration is not completed within one day,
+         * the username will expire. If "none", no message will be sent and
+         * the username will be fully registered.
+         * Valid values are: email, none.
+         */
+        auth = none;
+
+        /* casemapping
+         * Specify the casemapping to use. Almost all TSora (and any that follow
+         * the RFC correctly) ircds will use rfc1459 casemapping. Bahamut, Unreal,
+         * and other ``Dalnet'' ircds will use ascii casemapping.
+         * Valid values are: rfc1459, ascii.
+         */
+        casemapping = rfc1459;
+};
+
+/* uplink{} blocks define connections to IRC servers.
+ * Multiple may be defined but only one will be used at a time (IRC
+ * being a tree shaped network). Atheme does not currently link over SSL.
+ * To link Atheme over ssl, please connect Atheme to a local ircd and have that
+ * connect to your network over SSL.
+ */
+uplink "{{atheme_upstream_server}}" {
+        // The server name of the ircd you're linking to goes above.
+
+        // host
+        // The hostname to connect to.
+        host = "127.0.0.1";
+
+        // vhost
+        // The source IP to connect from, used on machines with multiple interfaces.
+        #vhost = "192.0.2.5";
+
+        // send_password
+        // The password sent for linking.
+        send_password = "{{atheme_server_pass}}";
+
+        // receive_password
+        // The password received for linking.
+        receive_password = "{{atheme_server_pass}}";
+
+        // port
+        // The port to connect to.
+        port = 6667;
+};
+
+/* this is an example for using an IPv6 address as an uplink */
+/* uplink "irc6.example.net" {
+        host = "::1";
+
+        // password
+        // If you want to have same send_password and accept_password, you
+        // can specify both using 'password' instead of individually.
+        password = "linkage";
+
+        port = 6667;
+};
+*/
+
+/* Services configuration.
+ *
+ * Each of these blocks can contain a nick, user, host, real and aliases.
+ * Several of them also have options specific to the service.
+ */
+
+/* NickServ configuration.
+ *
+ * The nickserv {} block contains settings specific to the NickServ modules.
+ *
+ * NickServ provides nickname or username registration and authentication
+ * services. It provides necessary authentication features required for
+ * Services to operate correctly. You should make sure these settings
+ * are properly configured for your network.
+ */
+nickserv {
+        /* (*)spam
+         * Have NickServ tell people about how great it and ChanServ are.
+         */
+        spam;
+
+        /* no_nick_ownership
+         * Enable this to disable nickname ownership (old userserv{}).
+         * This changes changes "nickname" to "account" in most messages,
+         * disables GHOST on users not logged in to the same account and
+         * makes the spam directive ineffective.
+         * It is suggested that the nick be set to UserServ, login.so
+         * be loaded instead of identify.so and ghost.so not be loaded.
+         */
+        #no_nick_ownership;
+
+        /* (*)nick
+         * The nickname we want NickServ to have.
+         */
+        nick = "NickServ";
+
+        /* (*)user
+         * The username we want NickServ to have.
+         */
+        user = "NickServ";
+
+        /* (*)host
+         * The hostname we want NickServ to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The realname (gecos) information we want NickServ to have.
+         */
+        real = "Nickname Services";
+
+        /* (*)aliases
+         * Command aliases for NickServ.
+         */
+        aliases {
+                "ID" = "IDENTIFY";
+                "MYACCESS" = "LISTCHANS";
+        };
+
+        /* (*)access
+         * This block allows you to modify the access level required to run
+         * commands. The list of possible accesses are listed in the operclass
+         * section later in this .conf . Note that you can only set the access
+         * on an actual command, not an alias.
+         */
+        access {
+        };
+
+        /* (*)maxnicks
+         * If GROUP is loaded, what are the maximum nicknames that one
+         * username can register?
+         */
+        maxnicks = 5;
+
+        /* (*)expire
+         * The number of days before inactive registrations are expired.
+         */
+        expire = 30;
+
+        /* (*)enforce_expire
+         * The number of days of no use after which to ignore enforcement
+         * settings on nicks.
+         */
+        #enforce_expire = 14;
+
+        /* (*)enforce_delay
+         * The number of seconds to delay nickchange enforcement settings
+         * on nicks.
+         */
+        #enforce_delay = 30;
+
+        /* (*)enforce_prefix
+         * The prefix to use when changing the user's nick on enforcement
+         */
+        #enforce_prefix = "Guest";
+
+        /* (*)waitreg_time
+         * The amount of time (in seconds) users have to wait between
+         * connecting to the network, and being able to register a services
+         * account. Minimum value 0 (disables the enforced delay), default
+         * value 0, maximum value 43200 (12 hours). Requires the
+         * "modules/nickserv/waitreg" module to be loaded to do anything.
+         */
+        #waitreg_time = 0;
+
+        /* (*)cracklib_dict
+         * The location and filename prefix of the cracklib dictionaries
+         * for use with nickserv/pwquality. This must be provided if you are
+         * going to be using nickserv/pwquality with cracklib support enabled.
+         */
+        #cracklib_dict = "/var/cache/cracklib/cracklib_dict";
+
+        /* (*)passwdqc_*
+         * Please see the passwdqc.conf(5) documentation for an explanation
+         * of these values. Affects modules/nickserv/pwquality if passwdqc
+         * support is enabled. Default values given below.
+         */
+        #passwdqc_max = 288;     /* (8 <= value <= 288) */
+        #passwdqc_min_n0 = 20;   /* (0 <= value <= passwdqc_max) */
+        #passwdqc_min_n1 = 16;   /* (0 <= value <= passwdqc_min_n0) */
+        #passwdqc_min_n2 = 16;   /* (0 <= value <= passwdqc_min_n1) */
+        #passwdqc_min_n3 = 12;   /* (0 <= value <= passwdqc_min_n2) */
+        #passwdqc_min_n4 = 8;    /* (0 <= value <= passwdqc_min_n3) */
+        #passwdqc_words = 4;     /* (2 <= value <= 8) */
+
+        /* (*)pwquality_warn_only
+         * If this option is set and nickserv/pwquality is loaded, nickserv will just
+         * warn users that their password is insecure, recommend they change it and
+         * still register the nick. If this option is unset, it will refuse to
+         * register the nick at all until the user chooses a better password.
+         */
+        #pwquality_warn_only;
+
+        /* (*)show_custom_metadata
+         * Setting this option to false will prevent user-set metadata (via SET PROPERTY)
+         * from showing up in the INFO output. The TAXONOMY command will still function
+         * as usual, and INFO will point this out if users have metadata set.
+         */
+        show_custom_metadata;
+
+        /* (*)emailexempts
+         * A list of email addresses that will be exempt from the check of how many
+         * accounts one user may have. Any email address in this block may register
+         * an unlimited number of accounts/usernames.
+         */
+        emailexempts {
+        };
+
+        /*
+         * (*)shorthelp
+         *
+         * A list of commands that are displayed (with their full description) in the
+         * output of `/msg NickServ HELP'. Commands not in this list will be listed, but
+         * not with their descriptions. All commands with descriptions are still listed
+         * in `/msg NickServ HELP COMMANDS' regardless of the value set here.
+         *
+         * Optional; defaults to "ACCESS CERT DROP GHOST GROUP IDENTIFY INFO LISTCHANS
+         * LISTGROUPS LISTLOGINS LISTOWNMAIL LOGOUT REGAIN REGISTER RELEASE SENDPASS SET
+         * UNGROUP".
+         *
+         * A command in this list will only be printed if the corresponding module is
+         * loaded and the user has permission to use it. Set to an empty string to
+         * disable listing command descriptions in `/msg NickServ HELP'.
+         */
+        #shorthelp = "";
+};
+
+/* ChanServ configuration.
+ *
+ * The chanserv {} block contains settings specific to the ChanServ modules.
+ *
+ * ChanServ provides channel registration services, which allows users to own
+ * channels. It is not required, but is strongly recommended.
+ */
+chanserv {
+        /* (*)nick
+         * The nickname we want the client to have.
+         */
+        nick = "ChanServ";
+
+        /* (*)user
+         * The username we want the client to have.
+         */
+        user = "ChanServ";
+
+        /* (*)host
+         * The hostname we want the client to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS of the client.
+         */
+        real = "Channel Services";
+
+        /* reggroup
+         * The group that will receive Memos about
+         * channel Registration requests when
+         * chanserv/moderate is loaded.
+         */
+        #reggroup = "!Services-Team";
+
+        /* (*)aliases
+         * Command aliases for ChanServ.
+         */
+        aliases {
+        };
+
+        /* (*)access
+         * Command access changes for ChanServ.
+         */
+        access {
+        };
+
+        /* (*)maxchans
+         * What are the maximum channels that one username can register?
+         */
+        maxchans = 5;
+
+        /* fantasy
+         * Do you want to enable fantasy commands? This can
+         * use a lot of CPU up, and will only work if you have
+         * join_chans (in general) enabled as well.
+         */
+        fantasy;
+
+        /* (*) hide_xop
+         * Hide the XOP templates from sight.  This is useful if you
+         * want to use templates and not have the XOP templates displayed.
+         */
+        #hide_xop;
+
+        /* (*) templates
+         * Defines what flags the global templates comprise.
+         *
+         * For the special XOP templates:
+         * These should all be different and not equal to the empty set,
+         * except that hop may be equal to vop to disable hop.
+         * Each subsequent level should have more flags (except +VHO).
+         * For optimal functioning of /cs forcexop, aop should not have
+         * any of +sRf, hop should not have any of +sRfoOr and vop should
+         * not have any of +sRfoOrhHt.
+         * If this is not specified, the values of Atheme 0.3 are used,
+         * which are generally less intuitive than these.
+         * Note: changing these leaves the flags of existing channel access
+         * entries unchanged, thus removing them of the view of /cs xop list.
+         * Usually the channel founder can use /cs forcexop to update the
+         * entries to the new levels.
+         *
+         * Advice:
+         * If you want to add a co-founder role, remove the flags permission
+         * from the SOP role, and define a co-founder role with flags
+         * permissions.
+         */
+        templates {
+                vop = "+AV";
+                hop = "+AHehitrv";
+                aop = "+AOehiortv";
+                sop = "+AOaefhiorstv";
+
+                founder = "+AFORaefhioqrstv";
+
+                /* some examples (which are commented out...) */
+                #member = "+Ai";
+                #op = "+AOiortv";
+        };
+
+        /* (*) deftemplates
+         * Defines default templates to set on new channels, as a
+         * space-separated list of name=+flags pairs.
+         * Note: at this time no syntax checking is done on this; it
+         * is your own responsibility to make sure it is correct.
+         */
+        #deftemplates = "MEMBER=+Ai OP=+AOiortv";
+
+        /* (*) changets
+         * Change the channel TS to the registration time when someone
+         * recreates a registered channel, ensuring that they are deopped
+         * and all their modes are undone. Note that this involves ChanServ
+         * joining. When the channel was not recreated no deops will be done
+         * (apart from the SECURE option).
+         * This also solves the "join-mode" problem where someone recreates
+         * a registered channel and then sets some modes before they are
+         * deopped.
+         * This is currently supported for charybdis, ratbox, bahamut,
+         * and inspircd 1.1+. For charybdis and ratbox it only fully
+         * works with TS6, with TS5 bans and last-moment modes will
+         * still apply.
+         * (That can also be used to advantage, when first enabling this.)
+         */
+        #changets;
+
+        /* (*) trigger
+         * This setting allows you to change the trigger prefix for
+         * ChanServ's in-channel command feature (disableable via chanserv::fantasy).
+         * If no setting is provided, the default is used, which is "!".
+         *
+         * Other settings you could consider trying: ".", "~", "?", "`", "'".
+         */
+        trigger = "!";
+
+        /* (*)expire
+         * The number of days before inactive registrations are expired.
+         */
+        expire = 30;
+
+        /* (*)maxchanacs
+         * The maximum number of entries allowed in a channel's access list
+         * (both channel ops and akicks), 0 for unlimited.
+         */
+        maxchanacs = 0;
+
+        /* (*)maxfounders
+         * The maximum number of founders allowed in a channel.
+         * Note that all founders have the exact same privileges and
+         * the list of founders is shown in various places.
+         */
+        maxfounders = 4;
+
+        /* (*)founder_flags
+         * The flags a user will get when they register a new channel.
+         * This MUST include at least 'F' or it will be ignored.
+         * If it is not set, Atheme will give the user all channel flags.
+         */
+        #founder_flags = "AFORefiorstv";
+
+        /* (*)akick_time
+         * The default expiration time (in minutes) for AKICKs.
+         * Comment this option out or set to zero for permanent AKICKs
+         * by default (the old behaviour).
+         */
+        #akick_time = 10;
+
+        /* (*)antiflood_enforce_method
+         * The enforcement method to use for flood protection by default.
+         * This may be overridden by channel staff.
+         * Available options are: quiet, kickban and akill.
+         */
+        antiflood_enforce_method = quiet;
+
+        /* (*)show_custom_metadata
+         * Setting this option to false will prevent user-set metadata (via SET PROPERTY)
+         * from showing up in the INFO output. The TAXONOMY command will still function
+         * as usual, and INFO will point this out if channels have metadata set.
+         */
+        show_custom_metadata;
+
+        /*
+         * (*)shorthelp
+         *
+         * A list of commands that are displayed (with their full description) in the
+         * output of `/msg ChanServ HELP'. Commands not in this list will be listed, but
+         * not with their descriptions. All commands with descriptions are still listed
+         * in `/msg ChanServ HELP COMMANDS' regardless of the value set here.
+         *
+         * Optional; defaults to "AKICK BAN CLEAR DEOP DEVOICE DROP FLAGS GETKEY INFO
+         * INVITE KICK KICKBAN OP QUIET REGISTER SET TOPIC UNBAN UNQUIET VOICE WHY".
+         *
+         * A command in this list will only be printed if the corresponding module is
+         * loaded and the user has permission to use it. Set to an empty string to
+         * disable listing command descriptions in `/msg ChanServ HELP'.
+         */
+        #shorthelp = "";
+};
+
+/* CHANFIX configuration.
+ *
+ * The chanfix {} block contains settings specific to the CHANFIX modules.
+ *
+ * CHANFIX provides channel recovery services without registration, which
+ * allows users to maintain control of channels even if ChanServ is not used
+ * to register them.
+ */
+chanfix {
+        /* (*)nick
+         * The nickname we want the client to have.
+         */
+        nick = "ChanFix";
+
+        /* (*)user
+         * The username we want the client to have.
+         */
+        user = "ChanFix";
+
+        /* (*)host
+         * The hostname we want the client to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS of the client.
+         */
+        real = "Channel Fixing Service";
+
+        /* (*)autofix
+         * Automatically fix channels if they become opless and meet fixing
+         * criteria.
+         */
+        autofix;
+};
+
+/* Global noticing configuration.
+ *
+ * The global {} block contains settings specific to the Global notice module.
+ *
+ * The Global notice module provides the ability to mass-notify a network.
+ */
+global {
+        /* (*)nick
+         * Sets the nick used for sending out a global notice.
+         */
+        nick = "Global";
+
+        /* (*)user
+         * Sets the username used for this client.
+         */
+        user = "Global";
+
+        /* (*)host
+         * The hostname used for this client.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS (real name) of the client.
+         */
+        real = "Network Announcements";
+};
+
+/* InfoServ configuration
+ *
+ * The infoserv {} block contains settings specific to the InfoServ module.
+ *
+ * The InfoServ modules provides the ability to mass-notify a network and send
+ * news to users when they connect to the network.
+ */
+infoserv {
+        /* (*)nick
+         * Sets the nick used for InfoServ and sending out informational messages.
+         */
+        nick = "InfoServ";
+
+        /* (*)user
+         * Sets the username used for this client.
+         */
+        user = "InfoServ";
+
+        /* (*)host
+         * The hostname used for this client,
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS (real name) of the client.
+         */
+        real = "Information Service";
+
+        /* (*)logoninfo_count
+         * The number of InfoServ messages a user will see upon connect.
+         * If there are more than this number, the user will be able to
+         * see the rest with /msg infoserv list .
+         */
+        logoninfo_count = 3;
+};
+
+/* OperServ configuration.
+ *
+ * The operserv {} block contains settings specific to the OperServ modules.
+ *
+ * OperServ provides essential network management tools for IRC operators
+ * on the IRC network.
+ */
+operserv {
+        /* (*)nick
+         * The nickname we want the Operator Service to have.
+         */
+        nick = "OperServ";
+
+        /* (*)user
+         * Sets the username used for this client.
+         */
+        user = "OperServ";
+
+        /* (*)host
+         * The hostname used for this client.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS (real name) of the client.
+         */
+        real = "Operator Services";
+
+        /* (*)aliases
+         * Command aliases for OperServ.
+         */
+        aliases {
+        };
+
+        /* (*)access
+         * Command access changes for OperServ.
+         */
+        access {
+        };
+};
+
+/* SaslServ configuration.
+ *
+ * The saslserv {} block contains settings specific to the SaslServ modules.
+ *
+ * SaslServ provides an authentication agent which is compatible with the
+ * SASL over IRC (SASL/IRC) protocol extension.
+ */
+saslserv {
+        /* (*)nick
+         * The nickname we want SaslServ to have.
+         */
+        nick = "SaslServ";
+
+        /* (*)user
+         * The username we want SaslServ to have.
+         */
+        user = "SaslServ";
+
+        /* (*)host
+         * The hostname we want SaslServ to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The realname (gecos) information we want SaslServ to have.
+         */
+        real = "SASL Authentication Agent";
+
+        /* (*)hide_server_names
+         * Hide server names in the bad_password message.
+         */
+        #hide_server_names;
+};
+
+/* MemoServ configuration.
+ *
+ * The memoserv {} block contains settings specific to the MemoServ modules.
+ *
+ * MemoServ provides a note-taking service that you can use to send notes
+ * to offline users (provided they are registered with Services).
+ */
+memoserv {
+        /* (*)nick
+         * The nickname we want MemoServ to have.
+         */
+        nick = "MemoServ";
+
+        /* (*)user
+         * The username we want MemoServ to have.
+         */
+        user = "MemoServ";
+
+        /* (*)host
+         * The hostname we want MemoServ to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The realname (gecos) information we want MemoServ to have.
+         */
+        real = "Memo Services";
+
+        /* (*)aliases
+         * Command aliases for MemoServ.
+         */
+        aliases {
+        };
+
+        /* (*)access
+         * Command access changes for MemoServ.
+         */
+        access {
+        };
+
+        /* (*)maxmemos
+         * What is the maximum amount of memos a user can have in their inbox?
+         */
+        maxmemos = 30;
+};
+
+/* GameServ configuration.
+ *
+ * The gameserv {} block contains settings specific to the GameServ modules.
+ *
+ * GameServ provides various in-channel commands for games.
+ */
+gameserv {
+        /* (*)nick
+         * The nickname we want GameServ to have.
+         */
+        nick = "GameServ";
+
+        /* (*)user
+         * Sets the username used for this client.
+         */
+        user = "GameServ";
+
+        /* (*)host
+         * The hostname used for this client.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS (real name) of the client.
+         */
+        real = "Game Services";
+
+        /* (*)aliases
+         * Command aliases for GameServ.
+         */
+        aliases {
+        };
+
+        /* (*)access
+         * Command access changes for GameServ.
+         */
+        access {
+        };
+};
+
+/* RPGServ configuration.
+ *
+ * The rpgserv {} block contains settings specific to the RPGServ modules.
+ *
+ * RPGServ provides a facility for finding roleplaying channels.
+ */
+rpgserv {
+        /* (*)nick
+         * The nickname we want RPGServ to have.
+         */
+        nick = "RPGServ";
+
+        /* (*)user
+         * Sets the username used for this client.
+         */
+        user = "RPGServ";
+
+        /* (*)host
+         * The hostname used for this client.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS (real name) of the client.
+         */
+        real = "RPG Finding Services";
+
+        /* (*)aliases
+         * Command aliases for RPGServ.
+         */
+        aliases {
+        };
+
+        /* (*)access
+         * Command access changes for RPGServ.
+         */
+        access {
+        };
+};
+
+/* BotServ configuration.
+ *
+ * The botserv {} block contains settings specific to the BotServ modules.
+ *
+ * BotServ provides virtual channel bots.
+ */
+botserv {
+        /* (*)nick
+         * The nickname we want BotServ to have.
+         */
+        nick = "BotServ";
+
+        /* (*)user
+         * Sets the username used for this client.
+         */
+        user = "BotServ";
+
+        /* (*)host
+         * The hostname used for this client.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS (real name) of the client.
+         */
+        real = "Bot Services";
+
+        /* (*)min_users
+         * Minimum number of users a channel must have before a Bot is allowed
+         * to be assigned to that channel.
+         */
+        min_users = 0;
+};
+
+/* GroupServ configuration.
+ *
+ * The groupserv {} block contains settings specific to the GroupServ modules.
+ *
+ * GroupServ provides features for managing a collection of channels at once.
+ *
+ */
+groupserv {
+        /* (*)nick
+         * The nickname we want GroupServ to have.
+         */
+        nick = "GroupServ";
+
+        /* (*)user
+         * The username we want GroupServ to have.
+         */
+        user = "GroupServ";
+
+        /* (*)host
+         * The hostname we want GroupServ to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The realname (gecos) information we want GroupServ to have.
+         */
+        real = "Group Management Services";
+
+        /* (*)aliases
+         * Command aliases for GroupServ.
+         */
+        aliases {
+        };
+
+        /* (*)access
+         * Command access changes for GroupServ.
+         */
+        access {
+        };
+
+        /* (*)maxgroups
+         * Maximum number of groups one username can be founder of.
+         */
+        maxgroups = 5;
+
+        /* (*)maxgroupacs
+         * Maximum number of access entries you may have in a group.
+         */
+        maxgroupacs = 100;
+
+        /* (*)enable_open_groups
+         * Setting this option will allow any group founder to mark
+         * their group as "anyone can join".
+         */
+        enable_open_groups;
+
+        /* (*)join_flags
+         * This is the GroupServ flagset that users who JOIN a open
+         * group will get upon join. Please check the groupserv/flags
+         * helpfile before changing this option. Valid flagsets (for
+         * example) would be: "+v" or "+cv". It is not valid to use
+         * minus flags (such as "-v") here.
+         */
+        join_flags = "+";
+};
+
+/* HostServ configuration.
+ *
+ * The hostserv {} block contains settings specific to the HostServ modules.
+ *
+ * HostServ provides advanced virtual host management.
+ */
+hostserv {
+        /* (*)nick
+         * The nickname we want HostServ to have.
+         */
+        nick = "HostServ";
+
+        /* (*)user
+         * Sets the username used for this client.
+         */
+        user = "HostServ";
+
+        /* (*)host
+         * The hostname used for this client.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The GECOS (real name) of the client.
+         */
+        real = "Host Management Services";
+
+        /* reggroup
+         * The group that will receive Memos about
+         * vHost requests.
+         */
+        #reggroup = "!Services-Team";
+
+        /* (*)request_per_nick
+         * Whether the request system should work per nick or per account.
+         * The recommended setting is to leave this disabled, so that
+         * vhosts work as consistently as possible.
+         */
+        #request_per_nick;
+
+        /* (*)aliases
+         * Command aliases for HostServ.
+         */
+        aliases {
+                "APPROVE" = "ACTIVATE";
+                "DENY" = "REJECT";
+        };
+
+        /* (*)access
+         * Command access changes for HostServ.
+         */
+        access {
+        };
+};
+
+/* HelpServ configuration
+ *
+ * The helpserv {} block contains settings specific to the HelpServ modules.
+ *
+ * HelpServ adds a few different ways for users to request help from network staff.
+ */
+helpserv {
+        /* (*)nick
+         * The nickname we want HelpServ to have.
+         */
+        nick = "HelpServ";
+
+        /* (*)user
+         * The username we want HelpServ to have.
+         */
+        user = "HelpServ";
+
+        /* (*)host
+         * The hostname we want HelpServ to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The realname (gecos) information we want HelpServ to have.
+         */
+        real = "Help Services";
+};
+
+/* StatServ configuration
+ *
+ * The statserv {} block contains settings specific to the StatServ modules.
+ *
+ * StatServ adds basic stats and split tracking.
+ */
+statserv {
+        /* (*)nick
+         * The nickname we want StatServ to have.
+         */
+        nick = "StatServ";
+
+        /* (*)user
+         * The username we want StatServ to have.
+         */
+        user = "StatServ";
+
+        /* (*)host
+         * The hostname we want StatServ to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The realname (gecos) information we want StatServ to have.
+         */
+        real = "Statistics Services";
+};
+
+/* ALIS configuration.
+ *
+ * The alis {} block contains settings specific to the ALIS modules.
+ */
+alis {
+        /* (*)nick
+         * The nickname we want ALIS to have.
+         */
+        nick = "ALIS";
+
+        /* (*)user
+         * The username we want ALIS to have.
+         */
+        user = "alis";
+
+        /* (*)host
+         * The hostname we want ALIS to have.
+         */
+        host = "{{atheme_server_host}}";
+
+        /* (*)real
+         * The realname (gecos) information we want ALIS to have.
+         */
+        real = "Channel Directory";
+
+        /* (*)maxmatches
+         * The default maximum number of channels returned in a query.
+         * Privilege (chan:auspex) is required to ask for more.
+         * Minimum 8, default 64, maximum 128.
+         */
+        #maxmatches = 64;
+};
+
+/* HTTP server configuration.
+ *
+ * The httpd {} block contains settings specific to the HTTP server module.
+ *
+ * The HTTP server in Services is used for serving XMLRPC requests. It can
+ * also serve static documents and statistics pages.
+ */
+httpd {
+        /* host
+         * The host that the HTTP server will listen on.
+         * Use 0.0.0.0 if you want to listen on all available hosts.
+         */
+        host = "0.0.0.0";
+
+        /* host (ipv6)
+         * If you want, you can have Atheme listen on an IPv6 host too.
+         * Use :: if you want to listen on all available IPv6 hosts.
+         */
+        #host = "::";
+
+        /* www_root
+         * The directory that contains the files that should be served by the httpd.
+         */
+        www_root = "/var/www";
+
+        /* port
+         * The port that the HTTP server will listen on.
+         */
+        port = 8080;
+};
+
+/* LDAP configuration.
+ *
+ * The ldap {} block contains settings specific to the LDAP authentication
+ * module.
+ */
+ldap {
+        /* (*)url
+         * LDAP URL of the server to use.
+         */
+        url = "ldap://127.0.0.1";
+
+        /* (*)dnformat
+         * Format string to convert an account name to an LDAP DN.
+         * Must contain exactly one %s which will be replaced by the account
+         * name.
+         * Services will attempt a simple bind with this DN and the given
+         * password; if this is successful the password is considered correct.
+         */
+        dnformat = "cn=%s,dc=jillestest,dc=com";
+};
+
+/******************************************************************************
+ * LOGGING SECTION.                                                           *
+ ******************************************************************************/
+
+/*
+ * logfile{} blocks can be used to set up log files other than the master
+ * logfile used by services, which is controlled by serverinfo::loglevel.
+ *
+ * The various logging categories are:
+ *      debug, all      - meta-keyword for all possible categories
+ *      trace           - meta-keyword for a little bit of info
+ *      misc            - like trace, but with some more miscillaneous info
+ *      notice          - meta-keyword for notice-like information
+ * ------------------------------------------------------------------------------
+ *      error           - critical errors
+ *      info            - miscillaneous log notices
+ *      verbose         - A bit more verbose than info, not quite as spammy as debug
+ *      commands        - all command use
+ *      admin           - administrative command use
+ *      register        - account and channel registrations
+ *      set             - changes of account or channel settings
+ *      request         - user requests (currently only vhosts)
+ *      network         - log notices related to network status
+ *      rawdata         - log raw data sent and received by services
+ *      wallops         - <not yet used>
+ *      denycmd         - security model denials (commands, permissions)
+ */
+
+/*
+ * This block logs all account and channel registrations and drops,
+ * and account and channel setting changes to var/account.log.
+ */
+logfile "var/account.log" { register; set; };
+
+/*
+ * This block logs all command use to var/commands.log.
+ */
+logfile "var/commands.log" { commands; };
+
+/*
+ * This block logs all security auditing information.
+ */
+logfile "var/audit.log" { denycmd; };
+
+/*
+ * You can log to IRC channels, and even split it by category, too.
+ * This entry provides roughly the same functionality as the old snoop
+ * feature.
+ */
+logfile "#services" { error; info; admin; request; register; denycmd; };
+
+/*
+ * This block logs to server notices.
+ */
+logfile "!snotices" { error; info; request; denycmd; };
+
+/******************************************************************************
+ * GENERAL PARAMETERS CONFIGURATION SECTION.                                  *
+ ******************************************************************************/
+
+/* The general {} block defines general configuration options. */
+general {
+        /* (*)permissive_mode
+         * Whether or not security denials should be soft denials instead of
+         * hard denials.  If security denials are soft denials, then they will
+         * only be logged to the denial log.
+         */
+        #permissive_mode;
+
+        /* (*)helpchan
+         * Network help channel. Shown to users when they request
+         * help for a command that doesn't exist.
+         */
+        #helpchan = "#help";
+
+        /* (*)helpurl
+         * Network webpage for services help. Shown to users when they
+         * request help for a command that doesn't exist.
+         */
+        #helpurl = "http://www.stack.nl/~jilles/irc/atheme-help/";
+
+        /* (*)silent
+         * If you want to prevent services from sending
+         * WALLOPS/GLOBOPS about things uncomment this.
+         * Not recommended.
+         */
+        #silent;
+
+        /* (*)verbose_wallops
+         * If you want services to send you more information about
+         * events that are occuring (in particular AKILLs), uncomment the
+         * directive below.
+         *
+         * WARNING! This may result in large amounts of wallops/globops
+         * floods.
+         */
+        #verbose_wallops;
+
+        /* (*)join_chans
+         * Should ChanServ be allowed to join registered channels?
+         * This option is useful for the fantasy command set.
+         *
+         * If enabled, you can tell ChanServ to join via SET GUARD ON.
+         *
+         * If you use ircu-like ircd (asuka), you must
+         * leave this enabled, and put guard in default cflags.
+         *
+         * For ratbox it is recommended to leave it on and put guard in
+         * default cflags, in order that ChanServ does not have to join/part
+         * to do certain things. On the other hand, enabling this increases
+         * potential for bots fighting with ChanServ.
+         *
+         * Regardless of this option, ChanServ will temporarily join
+         * channels which would otherwise be empty if necessary to enforce
+         * akick/restricted/close, and to change the TS if changets is
+         * enabled.
+         */
+        join_chans;
+
+        /* (*)leave_chans
+         * Do we leave registered channels after everyone else has left?
+         * Turning this off serves little purpose, except to mark "official"
+         * network channels by keeping them open, and to preserve the
+         * topic and +beI lists.
+         */
+        leave_chans;
+
+        /* secure
+         * Do you want to require the use of /msg <service>@<services host>?
+         * Turning this on helps protect against spoofers, but is disabled
+         * as most networks do not presently use it.
+         */
+        #secure;
+
+        /* (*)uflags
+         * The default flags to set for usernames upon registration.
+         * Valid values are: hold, neverop, noop, hidemail, nomemo, emailmemos,
+         * enforce, privmsg, private, quietchg and none.
+         */
+        uflags = { hidemail; };
+
+        /* (*)cflags
+         * The default flags to set for channels upon registration.
+         * Valid values are: hold, secure, verbose, verbose_ops, keeptopic,
+         * topiclock, guard, private, nosync, limitflags, pubacl and none.
+         */
+        cflags = { verbose; guard; };
+
+        /* (*)raw
+         * Do you want to allow SRAs to use the RAW and INJECT commands?
+         * These commands are for debugging. If you don't know how to use them
+         * then don't enable them. They are not supported.
+         */
+        #raw;
+
+        /* (*)flood_msgs
+         * Do you want services to detect floods?
+         * Set to how many messages before a flood is triggered.
+         * Note that some messages that need a lot of processing count
+         * as two or four messages.
+         * If services receives `flood_msgs' within `flood_time' the user will
+         * trigger the flood protection.
+         * Setting this to zero disables flood protection.
+         */
+        flood_msgs = 7;
+
+        /* (*)flood_time
+         * Do you want services to detect floods?
+         * Set to how long before the counter resets.
+         * If services receives `flood_msgs' within `flood_time' the user will
+         * trigger the flood protection.
+         */
+        flood_time = 10;
+
+        /* (*)ratelimit_uses
+         * After how many uses of a command will users be throttled.
+         * After `ratelimit_uses' of a command within `ratelimit_period', users
+         * will not be able to run that ratelimited command until the period is up.
+         * Comment this, ratelimit_period below or both options out to disable rate limiting.
+         * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request,
+         * nickserv/register and chanserv/register.
+         */
+        ratelimit_uses = 5;
+
+        /* (*)ratelimit_period
+         * After how much time (in seconds) will the ratelimit_uses counter reset.
+         * After `ratelimit_uses' of a command within `ratelimit_period', users
+         * will not be able to run that ratelimited command until the period is up.
+         * Comment this, ratelimit_uses above or both options out to disable rate limiting.
+         * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request,
+         * nickserv/register and chanserv/register.
+         */
+        ratelimit_period = 60;
+
+        /* (*)vhost_change
+         * The default number of days between vHost changes once a user has used HostServ
+         * TAKE or REQUEST.  (Helps to deter rabid host-swappers and ban evaders.)
+         */
+        #vhost_change = 30;
+
+        /* (*)kline_time
+         * The default expire time for KLINE's in days.
+         * Setting this to 0 makes all KLINE's permanent.
+         */
+        kline_time = 7;
+
+        /* (*)kline_with_ident
+         * KLINE user@host instead of *@host.
+         * Applies to all automatic KLINE's set by services.
+         */
+        #kline_with_ident;
+
+        /* (*)kline_verified_ident
+         * KLINE *@host if the first character of the ident is ~,
+         * irrespective of the value of kline_with_ident.
+         */
+        #kline_verified_ident;
+
+        /* (*)clone_time
+         * This is the default expiry time for CLONE exemptions in minutes.
+         * Setting this to 0 makes all CLONE exemptions permanent.
+         */
+        clone_time = 0;
+
+        /* commit_interval
+         * The time between database writes in minutes.
+         */
+        commit_interval = 5;
+
+        /* (*)operstring
+         * The string returned in WHOIS (against services) for IRC operators.
+         */
+        #operstring = "is an IRC Operator";
+
+        /* (*)servicestring
+         * The string returned in WHOIS (against services) for services.
+         */
+        #servicestring = "is a Network Service";
+
+        /* (*)default_clone_allowed
+         * The limit after which clones will be KILLed or TKLINEd.
+         * Used by operserv/clones.
+         */
+        default_clone_allowed = 5;
+
+        /* (*)default_clone_warn
+         * The limit after which clones will be warned that they may not
+         * have any more concurrent connections. Should be lower than
+         * default_clone_allowed . Used by operserv/clones.
+         */
+        default_clone_warn = 4;
+
+        /* (*)clone_identified_increase_limit
+         * If this option is enabled, the clone limit for a IP/host will
+         * be increased by 1 per clone that's identified to services.
+         * This has a limit of double the clone limits above.
+         */
+        clone_identified_increase_limit;
+
+        /* (*)uplink_sendq_limit
+         * The maximum amount of data that may be queued to be sent
+         * to the uplink, in bytes. This should be enough to contain
+         * Atheme's response to the netburst, but smaller than the
+         * IRCd's sendq limit for servers.
+         */
+        uplink_sendq_limit = 1048576;
+
+        /* (*)language
+         * Language to use for channel and oper messages and as default
+         * for users.
+         */
+        language = "en";
+
+        /* exempts
+         * This block contains a list of user@host masks. Users matching any
+         * of these will not be automatically K:lined by services.
+         */
+        exempts {
+        };
+
+        /* allow_taint
+         * By enabling this option, Atheme will run in configurations where
+         * the upstream will not provide support.  By enabling this feature,
+         * you void any perceived rights to support.
+         */
+        #allow_taint;
+
+        /* (*)immune_level
+         * This option allows you to customize the operlevel which gets kick
+         * immunity privileges.
+         *
+         * The following flags are available:
+         *    immune - require whatever ircd usermode is needed for kick
+         *             immunity (this is the default);
+         *    admin  - require admin privileges for kick immunity
+         *    ircop  - require any ircop privileges for kick immunity (umode +o)
+         */
+        immune_level = immune;
+
+        /* show_entity_id
+         * This makes nick/user & group entity IDs visible to everyone, rather
+         * than just opers with user:auspex or group:auspex privileges.
+         */
+        show_entity_id;
+
+        /* load_database_mdeps
+         *
+         * For module dependencies listed in the services database (if any),
+         * whether to load those modules on startup (if they are not already
+         * loaded) or abort startup with a more helpful error message than
+         * e.g. "db services.db:123: unknown directive 'BE'" --> "corestorage:
+         * exiting to avoid data loss".
+         *
+         * Comment this out to abort startup instead of silently loading the
+         * modules you need to process the database successfully. The abort
+         * reason will tell you what module the database requires so that you
+         * can fix your configuration file.
+         */
+        load_database_mdeps;
+};
+
+proxyscan {
+        /* Here you can configure the details of your Proxyscan (DNS Blacklist)
+         * scanner service.
+         */
+
+        nick = "Proxyscan";
+        user = "dnsbl";
+        host = "{{atheme_server_host}}";
+        real = "Proxyscan Service";
+
+        blacklists {
+         "dnsbl.dronebl.org";
+         "rbl.efnetrbl.org";
+         "tor.efnet.org";
+        };
+
+        /* Available dnsbl_action's:
+         * NONE - Do nothing
+         * NOTIFY - Notify user that they are listed in a DNSBL and which one
+         * SNOOP - Report the user to the logchannel or services channel
+         * KLINE - AKILL the user from the network (default AKILL is 24 hours)
+         */
+
+        dnsbl_action = kline;
+};
+
+/******************************************************************************
+ * OPERATOR AND PRIVILEGES CONFIGURATION SECTION.                             *
+ ******************************************************************************/
+
+/* Operator configuration
+ * See the PRIVILEGES document for more information.
+ * NOTE: All changes apply immediately upon rehash. You may need
+ * to send a signal (killall -HUP atheme-services) to regain control.
+ */
+/* (*) Operclasses specify groups of services operator privileges */
+/* The "user" operclass specifies privileges all users get.
+ * This may be empty (default) in which case users get no special privileges.
+ * If you use the security/cmdperm module, you will need to grant command: privileges
+ * to every command that you want users to be able to use.
+ */
+operclass "user" { };
+
+/* The "ircop" operclass specifies privileges all IRCops get.
+ * This may be empty in which case IRCops get no privs.
+ * At least chan:cmodes, chan:joinstaffonly and general:auspex are suggested.
+ */
+operclass "ircop" {
+        privs {
+                special:ircop;
+        };
+
+        privs {
+                user:auspex;
+                user:admin;
+                user:sendpass;
+                user:vhost;
+                user:mark;
+        };
+
+        privs {
+                chan:auspex;
+                chan:admin;
+                chan:cmodes;
+                chan:joinstaffonly;
+        };
+
+        privs {
+                general:auspex;
+                general:helper;
+                general:viewprivs;
+                general:flood;
+        };
+
+        privs {
+                operserv:omode;
+                operserv:akill;
+                operserv:jupe;
+                operserv:global;
+        };
+
+        privs {
+                group:auspex;
+                group:admin;
+        };
+};
+
+operclass "sra" {
+        /* You can inherit privileges from a lower operclass. */
+        extends "ircop";
+
+        privs {
+                user:hold;
+                user:regnolimit;
+        };
+
+        privs {
+                general:metadata;
+                general:admin;
+        };
+
+        privs {
+                #operserv:massakill;
+                #operserv:akill-anymask;
+                operserv:noop;
+                operserv:grant;
+        };
+
+        /* needoper
+         * Only grant privileges to IRC users in this oper class if they
+         * are opered; other use of privilege (channel succession, XMLRPC,
+         * etc.) is unaffected by this.
+         *
+         * This flag is *not* inherited by operclasses that extend this one;
+         * you will have to set it explicitly for each operclass.
+         */
+        needoper;
+};
+
+
+/* (*) Operator blocks specify accounts with certain privileges
+ * Oper classes must be defined before they are used in operator blocks.
+ */
+operator "jilles" {
+        /* operclass */
+        operclass = "sra";
+
+        /* password
+         *
+         * Normally, the user needs to identify/log in using the account's
+         * password, and may need to be an IRCop (see operclass::needoper
+         * above). If you consider this not secure enough, you can
+         * specify an additional password here, which the user must enter
+         * using the OperServ IDENTIFY command, before the privileges can
+         * be used.
+         *
+         * The password must be encrypted if a crypto module is in use.
+         *
+         * If you are using modules/crypto/crypt3-*, you can probably use
+         * the "mkpasswd" program included with most Linux distributions.
+         * Otherwise you can use modules/operserv/genhash to encrypt a
+         * password for use here.
+         */
+        #password = "$1$3gJMO9by$0G60YE6GqmuHVH3AnFPor1";
+};
+
+/******************************************************************************
+ * INCLUDE CONFIGURATION SECTION.                                             *
+ ******************************************************************************/
+
+/* You may also specify other files for inclusion.
+ * For example:
+ *
+ * include "etc/sras.conf";
+ */
--- a/ngircd/handlers/main.yaml	Fri Jul 03 12:01:00 2020 -0500
+++ b/ngircd/handlers/main.yaml	Sat Jul 04 11:00:20 2020 -0500
@@ -2,4 +2,4 @@
 
 - name: restart ngircd
   become: yes
-  systemd: name="ngircd" state="restarted" daemon_reload="yes"
+  systemd: name="ngircd.service" state="restarted" daemon_reload="yes"
--- a/ngircd/tasks/main.yaml	Fri Jul 03 12:01:00 2020 -0500
+++ b/ngircd/tasks/main.yaml	Sat Jul 04 11:00:20 2020 -0500
@@ -5,29 +5,11 @@
   apt: name="ngircd"
   notify: restart ngircd
 
-- name: config server name
-  become: yes
-  lineinfile:
-    path: "/etc/ngircd/ngircd.conf"
-    regexp: '^	Name ='
-    line: "	Name = {{ngircd_name}}"
-  notify: restart ngircd
-
-- name: config server local listen
+- name: configure ngircd
   become: yes
-  lineinfile:
-    path: "/etc/ngircd/ngircd.conf"
-    regexp: '^	Listen ='
-    line: "	Listen = 127.0.0.1"
-    insertafter: "^	;Listen ="
-  notify: restart ngircd
-
-- name: config motd
-  become: yes
-  lineinfile:
-    path: "/etc/ngircd/ngircd.conf"
-    regexp: '^	Info ='
-    line: "	Info = {{ngircd_motd}}"
+  template:
+    src: "ngircd.conf.j2"
+    dest: "/etc/ngircd/ngircd.conf"
   notify: restart ngircd
 
 - name: copy motd file
@@ -35,9 +17,8 @@
   copy:
     src: "{{ngircd_motd_src}}"
     dest: "/etc/ngircd/ngircd.motd"
-    mode: "0644"
   notify: restart ngircd
 
 - name: start ngircd service
   become: yes
-  systemd: name="ngircd" state="started" daemon_reload="yes"
+  systemd: name="ngircd" state="started" enabled="yes" daemon_reload="yes"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ngircd/templates/ngircd.conf.j2	Sat Jul 04 11:00:20 2020 -0500
@@ -0,0 +1,422 @@
+#
+# This is a sample configuration file for the ngIRCd IRC daemon, which must
+# be customized to the local preferences and needs.
+#
+# Comments are started with "#" or ";".
+#
+# A lot of configuration options in this file start with a ";". You have
+# to remove the ";" in front of each variable to actually set a value!
+# The disabled variables are shown with example values for completeness only
+# and the daemon is using compiled-in default settings.
+#
+# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
+# server interprets the configuration file as expected!
+#
+# Please see ngircd.conf(5) for a complete list of configuration options
+# and their descriptions.
+#
+# The original can be found at:
+# /usr/share/doc/ngircd/sample-ngircd.conf.gz
+
+[Global]
+        # The [Global] section of this file is used to define the main
+        # configuration of the server, like the server name and the ports
+        # on which the server should be listening.
+        # These settings depend on your personal preferences, so you should
+        # make sure that they correspond to your installation and setup!
+
+        # Server name in the IRC network, must contain at least one dot
+        # (".") and be unique in the IRC network. Required!
+        Name = {{ngircd_name}}
+
+        # Information about the server and the administrator, used by the
+        # ADMIN command. Not required by server but by RFC!
+        AdminInfo1 = {{ngircd_admin_name}}
+        ;AdminInfo2 = Debian City
+        AdminEMail = {{ngircd_admin_email}}
+
+        # Text file which contains the ngIRCd help text. This file is required
+        # to display help texts when using the "HELP <cmd>" command.
+        ;HelpFile = /usr/share/doc/ngircd/Commands.txt
+
+        # Info text of the server. This will be shown by WHOIS and
+        # LINKS requests for example.
+        Info = {{ngircd_name}}
+
+        # Comma separated list of IP addresses on which the server should
+        # listen. Default values are:
+        # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
+        # so the server listens on all IP addresses of the system by default.
+        Listen = 127.0.0.1
+
+        # Text file with the "message of the day" (MOTD). This message will
+        # be shown to all users connecting to the server:
+        MotdFile = /etc/ngircd/ngircd.motd
+
+        # A simple Phrase (<127 chars) if you don't want to use a motd file.
+        ;MotdPhrase = "Hello. This is the Debian default MOTD sentence"
+
+        # The name of the IRC network to which this server belongs. This name
+        # is optional, should only contain ASCII characters, and can't contain
+        # spaces. It is only used to inform clients. The default is empty,
+        # so no network name is announced to clients.
+        ;Network = aIRCnetwork
+
+        # Global password for all users needed to connect to the server.
+        # (Default: not set)
+        ;Password = wealllikedebian
+
+        # This tells ngIRCd to write its current process ID to a file.
+        # Note that the pidfile is written AFTER chroot and switching the
+        # user ID, e.g. the directory the pidfile resides in must be
+        # writable by the ngIRCd user and exist in the chroot directory.
+        # Keep this setting in sync with PIDFILE in /etc/init.d/ngircd
+        PidFile = /var/run/ngircd/ngircd.pid
+
+        # Ports on which the server should listen. There may be more than
+        # one port, separated with ",". (Default: 6667)
+        ;Ports = 6667, 6668, 6669
+
+        # Group ID under which the ngIRCd should run; you can use the name
+        # of the group or the numerical ID. ATTENTION: For this to work the
+        # server must have been started with root privileges!
+        # Keep this setting in sync with DAEMONUSER in the init script and/or
+        # the Group= setting in service file.
+        ServerGID = irc
+
+        # User ID under which the server should run; you can use the name
+        # of the user or the numerical ID. ATTENTION: For this to work the
+        # server must have been started with root privileges! In addition,
+        # the configuration and MOTD files must be readable by this user,
+        # otherwise RESTART and REHASH won't work!
+        # Keep this setting in sync with DAEMONUSER in the init script and/or
+        # the User= setting in service file.
+        ServerUID = irc
+
+[Limits]
+        # Define some limits and timeouts for this ngIRCd instance. Default
+        # values should be safe, but it is wise to double-check :-)
+
+        # The server tries every <ConnectRetry> seconds to establish a link
+        # to not yet (or no longer) connected servers.
+        ConnectRetry = 60
+
+        # Number of seconds after which the whole daemon should shutdown when
+        # no connections are left active after handling at least one client
+        # (0: never, which is the default).
+        # This can be useful for testing or when ngIRCd is started using
+        # "socket activation" with systemd(8), for example.
+        ;IdleTimeout = 0
+
+        # Maximum number of simultaneous in- and outbound connections the
+        # server is allowed to accept (0: unlimited):
+        MaxConnections = 500
+
+        # Maximum number of simultaneous connections from a single IP address
+        # the server will accept (0: unlimited):
+        MaxConnectionsIP = 10
+
+        # Maximum number of channels a user can be member of (0: no limit):
+        MaxJoins = 10
+
+        # Maximum length of an user nickname (Default: 9, as in RFC 2812).
+        # Please note that all servers in an IRC network MUST use the same
+        # maximum nickname length!
+        ;MaxNickLength = 9
+
+        # Maximum penalty time increase in seconds, per penalty event. Set to -1
+        # for no limit (the default), 0 to disable penalties altogether. The
+        # daemon doesn't use penalty increases higher than 2 seconds during
+        # normal operation, so values greater than 1 rarely make sense.
+        ;MaxPenaltyTime = -1
+
+        # Maximum number of channels returned in response to a /list
+        # command (0: unlimited):
+        ;MaxListSize = 100
+
+        # After <PingTimeout> seconds of inactivity the server will send a
+        # PING to the peer to test whether it is alive or not.
+        PingTimeout = 120
+
+        # If a client fails to answer a PING with a PONG within <PongTimeout>
+        # seconds, it will be disconnected by the server.
+        PongTimeout = 20
+
+[Options]
+        # Optional features and configuration options to further tweak the
+        # behavior of ngIRCd. If you want to get started quickly, you most
+        # probably don't have to make changes here -- they are all optional.
+
+        # List of allowed channel types (channel prefixes) for newly created
+        # channels on the local server. By default, all supported channel
+        # types are allowed. Set this variable to the empty string to disallow
+        # creation of new channels by local clients at all.
+        ;AllowedChannelTypes = #&+
+
+        # Are remote IRC operators allowed to control this server, e.g.
+        # use commands like CONNECT, SQUIT, DIE, ...?
+        ;AllowRemoteOper = no
+
+        # A directory to chroot in when everything is initialized. It
+        # doesn't need to be populated if ngIRCd is compiled as a static
+        # binary. By default ngIRCd won't use the chroot() feature.
+        # ATTENTION: For this to work the server must have been started
+        # with root privileges!
+        ;ChrootDir = /var/empty
+
+        # Set this hostname for every client instead of the real one.
+        # Use %x to add the hashed value of the original hostname.
+        {% if ngircd_cloak is defined %}
+        CloakHost = {{ngircd_cloak}}
+        {% endif %}
+
+        # Use this hostname for hostname cloaking on clients that have the
+        # user mode "+x" set, instead of the name of the server.
+        # Use %x to add the hashed value of the original hostname.
+        ;CloakHostModeX = cloaked.user
+
+        # The Salt for cloaked hostname hashing. When undefined a random
+        # hash is generated after each server start.
+        ;CloakHostSalt = abcdefghijklmnopqrstuvwxyz
+
+        # Set every clients' user name to their nickname
+        ;CloakUserToNick = yes
+
+        # Try to connect to other IRC servers using IPv4 and IPv6, if possible.
+        ;ConnectIPv6 = yes
+        ;ConnectIPv4 = yes
+
+        # Default user mode(s) to set on new local clients. Please note that
+        # only modes can be set that the client could set using regular MODE
+        # commands, you can't set "a" (away) for example! Default: none.
+        ;DefaultUserModes = i
+
+        # Do DNS lookups when a client connects to the server.
+        ;DNS = yes
+
+        # Do IDENT lookups if ngIRCd has been compiled with support for it.
+        # Users identified using IDENT are registered without the "~" character
+        # prepended to their user name.
+        ;Ident = yes
+
+        # Directory containing configuration snippets (*.conf), that should
+        # be read in after parsing this configuration file.
+        ;IncludeDir = /etc/ngircd/conf.d
+
+        # Enhance user privacy slightly (useful for IRC server on TOR or I2P)
+        # by censoring some information like idle time, logon time, etc.
+        ;MorePrivacy = no
+
+        # Normally ngIRCd doesn't send any messages to a client until it is
+        # registered. Enable this option to let the daemon send "NOTICE *"
+        # messages to clients while connecting.
+        ;NoticeBeforeRegistration = no
+
+        # Should IRC Operators be allowed to use the MODE command even if
+        # they are not(!) channel-operators?
+        OperCanUseMode = yes
+
+        # Should IRC Operators get AutoOp (+o) in persistent (+P) channels?
+        ;OperChanPAutoOp = yes
+
+        # Mask IRC Operator mode requests as if they were coming from the
+        # server? (This is a compatibility hack for ircd-irc2 servers)
+        ;OperServerMode = no
+
+        # Use PAM if ngIRCd has been compiled with support for it.
+        # Users identified using PAM are registered without the "~" character
+        # prepended to their user name.
+        PAM = no
+
+        # When PAM is enabled, all clients are required to be authenticated
+        # using PAM; connecting to the server without successful PAM
+        # authentication isn't possible.
+        # If this option is set, clients not sending a password are still
+        # allowed to connect: they won't become "identified" and keep the "~"
+        # character prepended to their supplied user name.
+        # Please note: To make some use of this behavior, it most probably
+        # isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
+        # same time, because you wouldn't be able to distinguish between
+        # Ident'ified and PAM-authenticated users: both don't have a "~"
+        # character prepended to their respective user names!
+        ;PAMIsOptional = no
+
+        # When PAM is enabled, this value determines the used PAM
+        # configuration.
+        # This setting allows to run multiple ngIRCd instances with
+        # different PAM configurations on each instance.
+        # If you set it to "ngircd-foo", PAM will use
+        # /etc/pam.d/ngircd-foo instead of the default
+        # /etc/pam.d/ngircd.
+        ;PAMServiceName = ngircd
+
+        # Let ngIRCd send an "authentication PING" when a new client connects,
+        # and register this client only after receiving the corresponding
+        # "PONG" reply.
+        ;RequireAuthPing = no
+
+        # Silently drop all incoming CTCP requests.
+        ;ScrubCTCP = no
+
+        # Syslog "facility" to which ngIRCd should send log messages.
+        # Possible values are system dependent, but most probably auth, daemon,
+        # user and local1 through local7 are possible values; see syslog(3).
+        # Default is "local5" for historical reasons, you probably want to
+        # change this to "daemon", for example.
+        SyslogFacility = local1
+
+        # Password required for using the WEBIRC command used by some
+        # Web-to-IRC gateways. If not set/empty, the WEBIRC command can't
+        # be used. (Default: not set)
+        ;WebircPassword = xyz
+
+[SSL]
+        # SSL-related configuration options. Please note that this section
+        # is only available when ngIRCd is compiled with support for SSL!
+        # So don't forget to remove the ";" above if this is the case ...
+
+        # SSL Server Key Certificate
+        ;CertFile = /etc/ssl/certs/server.crt
+
+        # Select cipher suites allowed for SSL/TLS connections. This defaults
+        # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
+        # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
+        # (GnuTLS) for details.
+        # For OpenSSL:
+        ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
+        # For GnuTLS (this Debian package was linked against GnuTLS):
+        CipherList = SECURE128:-VERS-SSL3.0
+
+        # Diffie-Hellman parameters
+        ;DHFile = /etc/ngircd/dhparams.pem
+
+        # SSL Server Key
+        ;KeyFile = /etc/ssl/private/server.key
+
+        # password to decrypt SSLKeyFile (OpenSSL only)
+        # Note that this Debian package is linked against GnuTLS so this
+        # option has no effect.
+        ;KeyFilePassword = secret
+
+        # Additional Listen Ports that expect SSL/TLS encrypted connections
+        ;Ports = 6697, 9999
+
+{% for op in ngircd_ops %}
+[Operator]
+        # [Operator] sections are used to define IRC Operators. There may be
+        # more than one [Operator] block, one for each local operator.
+
+        # ID of the operator (may be different of the nickname)
+        Name = {{op.name}}
+
+        # Password of the IRC operator
+        Password = {{op.pass}}
+
+        # Optional Mask from which /OPER will be accepted
+        # Mask = *[email protected]
+        {% if op.mask is defined %}
+        Mask = {{op.mask}}
+        {% endif %}
+
+{% endfor %}
+[Server]
+{% for server in ngircd_servers %}
+        # Other servers are configured in [Server] sections. If you
+        # configure a port for the connection, then this ngircd tries to
+        # connect to the other server on the given port; if not it waits
+        # for the other server to connect.
+        # There may be more than one server block, one for each server.
+        #
+        # Server Groups:
+        # The ngIRCd allows "server groups": You can assign an "ID" to every
+        # server with which you want this ngIRCd to link. If a server of a
+        # group won't answer, the ngIRCd tries to connect to the next server
+        # in the given group. But the ngircd never tries to connect to two
+        # servers with the same group ID.
+
+        # IRC name of the remote server, must match the "Name" variable in
+        # the [Global] section of the other server (when using ngIRCd).
+        Name = {{server.name}}
+
+        # Internet host name or IP address of the peer (only required when
+        # this server should establish the connection).
+        # Host = connect-to-host.example.net
+        {% if server.host is defined %}
+        Host = {{server.host}}
+        {% endif %}
+
+        # IP address to use as _source_ address for the connection. if
+        # unspecified, ngircd will let the operating system pick an address.
+        ;Bind = 10.0.0.1
+
+        # Port of the server to which the ngIRCd should connect. If you
+        # assign no port the ngIRCd waits for incoming connections.
+        ;Port = 6667
+
+        # Own password for the connection. This password has to be configured
+        # as "PeerPassword" on the other server.
+        MyPassword = {{server.pass}}
+
+        # Foreign password for this connection. This password has to be
+        # configured as "MyPassword" on the other server.
+        PeerPassword = {{server.pass}}
+
+        # Group of this server (optional)
+        ;Group = 123
+
+        # Set the "Passive" option to "yes" if you don't want this ngIRCd to
+        # connect to the configured peer (same as leaving the "Port" variable
+        # empty). The advantage of this option is that you can actually
+        # configure a port an use the IRC command CONNECT more easily to
+        # manually connect this specific server later.
+        ;Passive = no
+
+        # Connect to the remote server using TLS/SSL (Default: false)
+        ;SSLConnect = yes
+
+        # Define a (case insensitive) list of masks matching nicknames that
+        # should be treated as IRC services when introduced via this remote
+        # server, separated by commas (",").
+        # REGULAR SERVERS DON'T NEED this parameter, so leave it empty
+        # (which is the default).
+        # When you are connecting IRC services which mask as a IRC server
+        # and which use "virtual users" to communicate with, for example
+        # "NickServ" and "ChanServ", you should set this parameter to
+        # something like "*Serv" or "NickServ,ChanServ,XyzServ".
+        {% if server.service_mask is defined %}
+        ServiceMask = {{server.service_mask}}
+        {% endif %}
+
+{% endfor %}
+
+[Channel]
+        # Pre-defined channels can be configured in [Channel] sections.
+        # Such channels are created by the server when starting up and even
+        # persist when there are no more members left.
+        # Persistent channels are marked with the mode 'P', which can be set
+        # and unset by IRC operators like other modes on the fly.
+        # There may be more than one [Channel] block, one for each channel.
+
+        # Name of the channel
+        ;Name = #ngircd
+
+        # Topic for this channel
+        ;Topic = Our ngircd testing channel
+
+        # Initial channel modes
+        ;Modes = tnk
+
+        # initial channel password (mode k)
+        ;Key = Secret
+
+        # Key file, syntax for each line: "<user>:<nick>:<key>".
+        # Default: none.
+        ;KeyFile = /etc/ngircd/#chan.key
+
+        # maximum users per channel (mode l)
+        ;MaxUsers = 23
+
+[Channel]
+        # More [Channel] sections, if you like ...
+
+# -eof-
--- a/prosody/handlers/main.yaml	Fri Jul 03 12:01:00 2020 -0500
+++ b/prosody/handlers/main.yaml	Sat Jul 04 11:00:20 2020 -0500
@@ -2,4 +2,4 @@
 
 - name: restart prosody
   become: yes
-  systemd: name="prosody.service" enabled="yes" daemon_reload="yes"
+  systemd: name="prosody.service" state="restarted" daemon_reload="yes"