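# Renders the charybdis ircd configuration as a single text file.
#
# NOTE(review): toFile (presumably builtins.toFile, brought into scope by the
# `with` below) writes the rendered text into the Nix store, and the store is
# readable by every local user. Anything written literally in this string,
# including the operator passwords further down, is therefore readable on the
# host as well as in this repository. The TLS key and DH parameters are
# referenced by path only (cfg.ssl_private_key.path, cfg.ssl_dh_params.path),
# which keeps their contents out of this file; confirm those paths point
# outside the store.
{ config, ... }: with import <stockholm/lib>; let
  cfg = config.tv.charybdis;
in toFile "charybdis.conf" ''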
/* doc/example.conf - brief example configuration file
 *
 * Copyright (C) 2000-2002 Hybrid Development Team
 * Copyright (C) 2002-2005 ircd-ratbox development team
 * Copyright (C) 2005-2006 charybdis development team
 *
 * $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $
 *
 * See reference.conf for more information.
 */
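/* Extensions */
#loadmodule "extensions/chm_operonly_compat.so";
#loadmodule "extensions/chm_quietunreg_compat.so";
#loadmodule "extensions/chm_sslonly_compat.so";
#loadmodule "extensions/createauthonly.so";
#loadmodule "extensions/extb_account.so";
#loadmodule "extensions/extb_canjoin.so";
#loadmodule "extensions/extb_channel.so";
#loadmodule "extensions/extb_extgecos.so";
#loadmodule "extensions/extb_oper.so";
#loadmodule "extensions/extb_realname.so";
#loadmodule "extensions/extb_server.so";
#loadmodule "extensions/extb_ssl.so";
#loadmodule "extensions/hurt.so";
#loadmodule "extensions/m_findforwards.so";
#loadmodule "extensions/m_identify.so";
#loadmodule "extensions/no_oper_invis.so";
#loadmodule "extensions/sno_farconnect.so";
#loadmodule "extensions/sno_globalkline.so";
#loadmodule "extensions/sno_globaloper.so";
#loadmodule "extensions/sno_whois.so";

/* NOTE(review): override.so is the only extension enabled in this file. It
 * backs the oper:override privilege, which the "admin" and "aids" privsets
 * further down both grant, so the strength of the operator {} credentials
 * decides who may bypass channel access controls on this server.
 */
loadmodule "extensions/override.so";

/*
 * IP cloaking extensions: use ip_cloaking_4.0
 * if you're linking 3.2 and later, otherwise use
 * ip_cloaking.so, for compatibility with older 3.x
 * releases.
 */
/* NOTE(review): both cloaking modules stay commented out, so presumably
 * client addresses are shown unmasked to other users - confirm this is
 * intended for the network.
 */
#loadmodule "extensions/ip_cloaking_4.0.so";
#loadmodule "extensions/ip_cloaking.so";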
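serverinfo {
  name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
  sid = "4z3";
  description = "miep!";
  network_name = "irc.r";
  #network_desc = "Retiolum IRC Network";
  hub = yes;

  /* On multi-homed hosts you may need the following. These define
   * the addresses we connect from to other servers. */
  /* for IPv4 */
  vhost = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
  /* for IPv6 */
  vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};

  /* ssl_private_key: our ssl private key */
  /* NOTE(review): only the path is written into this file; the key file
   * itself must be readable by the ircd user alone and must not live in the
   * Nix store - verify where cfg.ssl_private_key.path points.
   */
  ssl_private_key = ${toJSON cfg.ssl_private_key.path};

  /* ssl_cert: certificate for our ssl server */
  /* NOTE(review): unlike the key and DH settings this interpolates
   * cfg.ssl_cert itself rather than a .path attribute. A certificate is
   * public, so that is acceptable as long as the value never carries the key.
   */
  ssl_cert = ${toJSON cfg.ssl_cert};

  /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
  /* NOTE(review): the 1024 in the upstream hint above is too small by current
   * standards; the file behind cfg.ssl_dh_params.path is not visible here, so
   * check that it was generated with at least 2048 bits.
   */
  ssl_dh_params = ${toJSON cfg.ssl_dh_params.path};

  /* ssld_count: number of ssld processes you want to start, if you
   * have a really busy server, using N-1 where N is the number of
   * cpu/cpu cores you have might be useful. A number greater than one
   * can also be useful in case of bugs in ssld and because ssld needs
   * two file descriptors per SSL connection.
   */
  ssld_count = 1;

  /* default max clients: the default maximum number of clients
   * allowed to connect. This can be changed once ircd has started by
   * issuing:
   *   /quote set maxclients <limit>
   */
  default_max_clients = 1024;

  /* nicklen: enforced nickname length (for this server only; must not
   * be longer than the maximum length set while building).
   */
  nicklen = 30;
};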
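/* Administrative contact details for this server. */
admin {
  name = "tv";
  description = "peer";
};

/* Every log category is sent to the daemon's stderr.
 * NOTE(review): nothing is written to a file by ircd itself, so the operator,
 * kill, kline and operspy audit trail exists only if whatever supervises the
 * process captures and retains stderr - confirm against the service unit.
 */
log {
  fname_userlog = "/dev/stderr";
  fname_fuserlog = "/dev/stderr";
  fname_operlog = "/dev/stderr";
  fname_foperlog = "/dev/stderr";
  fname_serverlog = "/dev/stderr";
  fname_klinelog = "/dev/stderr";
  fname_killlog = "/dev/stderr";
  fname_operspylog = "/dev/stderr";
  fname_ioerrorlog = "/dev/stderr";
};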
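/* class {} blocks MUST be specified before anything that uses them. That
 * means they must be defined before auth {} and before connect {}.
 */

/* NOTE(review): in "krebs" and "users" number_per_ip_global (4096) and
 * number_per_cidr (65536) are both larger than max_number (3000), so neither
 * can ever be the limit that is hit. The only per-source cap that can bind is
 * number_per_ip (2048 and 1024), which still lets a single address take a
 * large share of the class. Lower these if one client address should not be
 * able to fill the server.
 */

/* Class used by the auth {} block for the 10.243.0.0/16 and 42::/16 ranges. */
class "krebs" {
  ping_time = 2 minutes;
  number_per_ident = 10;
  number_per_ip = 2048;
  number_per_ip_global = 4096;
  cidr_ipv4_bitlen = 24;
  cidr_ipv6_bitlen = 64;
  number_per_cidr = 65536;
  max_number = 3000;
  sendq = 1 megabyte;
};

/* Class used by the catch-all auth {} block. */
class "users" {
  ping_time = 2 minutes;
  number_per_ident = 10;
  number_per_ip = 1024;
  number_per_ip_global = 4096;
  cidr_ipv4_bitlen = 24;
  cidr_ipv6_bitlen = 64;
  number_per_cidr = 65536;
  max_number = 3000;
  sendq = 400 kbytes;
};

/* Not referenced by any block in this file. */
class "opers" {
  ping_time = 5 minutes;
  number_per_ip = 10;
  max_number = 1000;
  sendq = 1 megabyte;
};

/* Not referenced by any block in this file; no connect {} block is defined. */
class "server" {
  ping_time = 5 minutes;
  connectfreq = 5 minutes;
  max_number = 1;
  sendq = 4 megabytes;
};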
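listen {
  /* defer_accept: wait for clients to send IRC handshake data before
   * accepting them. if you intend to use software which depends on the
   * server replying first, such as BOPM, you should disable this feature.
   * otherwise, you probably want to leave it on.
   */
  defer_accept = yes;

  /* If you want to listen on a specific IP only, specify host.
   * host definitions apply only to the following port line.
   */
  /* NOTE(review): host is commented out, so the two port lines below are not
   * tied to the retiolum address. Together with the catch-all auth {} block
   * this means the host firewall is the only thing limiting who can reach the
   * server - confirm the ports are filtered on non-VPN interfaces, or restore
   * a host line before each port.
   */
  #host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
  port = ${toString cfg.port};
  sslport = ${toString cfg.sslport};
};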
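/* auth {}: allow users to connect to the ircd (OLD I:)
 * auth {} blocks MUST be specified in order of precedence. The first one
 * that matches a user will be used. So place spoofs first, then specials,
 * then general access, then restricted.
 */
auth {
  /* user: the user@host allowed to connect. Multiple IPv4/IPv6 user
   * lines are permitted per auth block. This is matched against the
   * hostname and IP address (using :: shortening for IPv6 and
   * prepending a 0 if it starts with a colon) and can also use CIDR
   * masks.
   */
  user = "*@10.243.0.0/16";
  user = "*@42::/16";

  /* password: an optional password that is required to use this block.
   * By default this is not encrypted, specify the flag "encrypted" in
   * flags = ...; below if it is.
   */
  #password = "letmein";

  /* spoof: fake the users user@host to be this. You may either
   * specify a host or a user@host to spoof to. This is free-form,
   * just do everyone a favour and dont abuse it. (OLD I: = flag)
   */
  #spoof = "I.still.hate.packets";

  /* Possible flags in auth:
   *
   * encrypted                  | password is encrypted with mkpasswd
   * spoof_notice               | give a notice when spoofing hosts
   * exceed_limit (old > flag)  | allow user to exceed class user limits
   * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines & dnsbls
   * dnsbl_exempt               | exempt this user from dnsbls
   * spambot_exempt             | exempt this user from spambot checks
   * shide_exempt               | exempt this user from serverhiding
   * jupe_exempt                | exempt this user from generating
   *                              warnings joining juped channels
   * resv_exempt                | exempt this user from resvs
   * flood_exempt               | exempt this user from flood limits
   *                              USE WITH CAUTION.
   * no_tilde (old - flag)      | don't prefix ~ to username if no ident
   * need_ident (old + flag)    | require ident for user in this class
   * need_ssl                   | require SSL/TLS for user in this class
   * need_sasl                  | require SASL id for user in this class
   */
  /* NOTE(review): these three flags apply to every address in both ranges
   * above, not to selected hosts. A single misbehaving or compromised peer in
   * those ranges cannot be K-lined, is not held to the class limits and is
   * not flood-limited, which leaves operators without the usual tools to
   * contain it. If the exemptions are only needed for bots or services,
   * put those hosts in a narrower auth {} block placed before this one.
   */
  flags = kline_exempt, exceed_limit, flood_exempt;

  /* class: the class the user is placed in */
  class = "krebs";
};

/* Catch-all block for every client not matched above.
 * NOTE(review): no password and no need_ssl, so any client that can reach a
 * listener is accepted, including over the plaintext port.
 */
auth {
  user = "*@*";
  class = "users";
};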
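/* privset {} blocks MUST be specified before anything that uses them. That
 * means they must be defined before operator {}.
 */
privset "local_op" {
  privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
  extends = "local_op";
  privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
  extends = "local_op";
  privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
          oper:resv, oper:mass_notice, oper:remoteban;
};

/* The widest set in this file: everything from global_op plus admin, die,
 * rehash, spy and override. Used by operator "god".
 */
privset "admin" {
  extends = "global_op";
  privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override;
};

/* Stand-alone set (extends nothing) used by operator "aids".
 * NOTE(review): it has no kill or ban privileges, but oper:override and
 * oper:rehash are both sensitive, so this set is only as safe as the
 * credentials of the operator block that uses it.
 */
privset "aids" {
  privs = oper:override, oper:rehash;
};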
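/* NOTE(review): this operator block is protected only by a short password
 * that is stored in clear (~encrypted) in a file that ends up in the
 * world-readable Nix store and in this repository. The user mask accepts any
 * ident from any 10.243.* address, and need_ssl is not set, so the password
 * may also cross the network unencrypted. In effect every peer in that range
 * can obtain oper:override and oper:rehash. If that is the intent, state it
 * here; otherwise use a mkpasswd hash with the default encrypted flag (or
 * fingerprint / rsa_public_key_file), add need_ssl, and narrow the user mask.
 */
operator "aids" {
  user = "*@10.243.*";
  privset = "aids";
  flags = ~encrypted;
  password = "balls";
};

operator "god" {
  /* name: the name of the oper must go above */

  /* user: the user@host required for this operator. CIDR *is*
   * supported now. auth {} spoofs work here, other spoofs do not.
   * multiple user = "" lines are supported.
   */
  user = "*god@127.0.0.1";

  /* password: the password required to oper. Unless ~encrypted is
   * contained in flags = ...; this will need to be encrypted using
   * mkpasswd, MD5 is supported
   */
  /* NOTE(review): flags = encrypted below means this value is treated as a
   * password hash, and "5" does not look like mkpasswd output, so presumably
   * no password can match and the block is a disabled placeholder - TODO
   * confirm. If it is ever enabled it grants the "admin" privset; give it a
   * real hash or a fingerprint and add need_ssl at that point.
   */
  password = "5";

  /* rsa key: the public key for this oper when using Challenge.
   * A password should not be defined when this is used, see
   * doc/challenge.txt for more information.
   */
  #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub";

  /* umodes: the specific umodes this oper gets when they oper.
   * If this is specified an oper will not be given oper_umodes
   * These are described above oper_only_umodes in general {};
   */
  #umodes = locops, servnotice, operwall, wallop;

  /* fingerprint: if specified, the oper's client certificate
   * fingerprint will be checked against the specified fingerprint
   * below.
   */
  #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";

  /* snomask: specific server notice mask on oper up.
   * If this is specified an oper will not be given oper_snomask.
   */
  snomask = "+Zbfkrsuy";

  /* flags: misc options for the operator. You may prefix an option
   * with ~ to disable it, e.g. ~encrypted.
   *
   * Default flags are encrypted.
   *
   * Available options:
   *
   * encrypted:    the password above is encrypted [DEFAULT]
   * need_ssl:     must be using SSL/TLS to oper up
   */
  flags = encrypted;

  /* privset: privileges set to grant */
  privset = "admin";
};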
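/* Server name that is treated as network services. */
service {
  name = "services.int";
};

/* Ban types this server propagates; name = "*" addresses every server. */
cluster {
  name = "*";
  flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

/* NOTE(review): oper = "*@*", "*" with flags = all, rehash accepts remote
 * bans and remote rehash from any operator on any linked server, so this
 * server trusts every server it is ever linked to as much as its own
 * operators. No connect {} block is defined in this file; revisit this
 * block before adding one.
 */
shared {
  oper = "*@*", "*";
  flags = all, rehash;
};

/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
  ip = "127.0.0.1";
};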
/* Channel behaviour: list modes, knock, per-user and per-channel limits,
 * and netsplit handling. The values are written exactly as before.
 */
channel {
  /* list modes and forwarding */
  use_invex = yes;
  use_except = yes;
  use_forward = yes;

  /* knock */
  use_knock = yes;
  knock_delay = 5 minutes;
  knock_delay_channel = 1 minute;

  /* limits */
  max_chans_per_user = 15;
  max_bans = 100;
  max_bans_large = 500;

  /* netsplit handling: both split thresholds are 0 and the two
   * *_on_split restrictions are switched off
   */
  default_split_user_count = 0;
  default_split_server_count = 0;
  no_create_on_split = no;
  no_join_on_split = no;
  burst_topicwho = yes;
  kick_on_split_riding = no;

  /* naming and miscellaneous */
  only_ascii_channels = no;
  resv_forcepart = yes;
  channel_target_change = yes;
  disable_local_channels = no;
};

/* Server-hiding options. */
serverhide {
  flatten_links = yes;
  links_delay = 5 minutes;
  hidden = no;
  disable_hidden = no;
};
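/* These are the blacklist settings.
 * You can have multiple combinations of host and rejection reasons.
 * They are used in pairs of one host/rejection reason.
 *
 * These settings should be adequate for most networks, and are (presently)
 * required for use on StaticBox.
 *
 * Word to the wise: Do not use blacklists like SPEWS for blocking IRC
 * connections.
 *
 * As of charybdis 2.2, you can do some keyword substitution on the rejection
 * reason. The available keyword substitutions are:
 *
 *   ''${ip}           - the user's IP
 *   ''${host}         - the user's canonical hostname
 *   ''${dnsbl-host}   - the dnsbl hostname the lookup was done against
 *   ''${nick}         - the user's nickname
 *   ''${network-name} - the name of the network
 *
 * As of charybdis 3.4, a type parameter is supported, which specifies the
 * address families the blacklist supports. IPv4 and IPv6 are supported.
 * IPv4 is currently the default as few blacklists support IPv6 operation
 * as of this writing.
 *
 * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be
 * contacted, via email, at admins@2mbit.com before using these BLs.
 * See <http://www.ahbl.org/services.php> for more information.
 */
/* NOTE(review): only the EFnet RBL entry is active; every other entry below
 * is commented out. Clients matched by the first auth {} block carry
 * kline_exempt, which per the flag table in that block also exempts them
 * from dnsbls, so this list only affects the catch-all block.
 */
blacklist {
  host = "rbl.efnetrbl.org";
  type = ipv4;
  reject_reason = "''${nick}, your IP (''${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=''${ip}";

#  host = "ircbl.ahbl.org";
#  type = ipv4;
#  reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for having an open proxy. In order to protect ''${network-name} from abuse, we are not allowing connections with open proxies to connect.";
#
#  host = "tor.ahbl.org";
#  type = ipv4;
#  reject_reason = "''${nick}, your IP (''${ip}) is listed as a TOR exit node. In order to protect ''${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network.";
#
  /* Example of a blacklist that supports both IPv4 and IPv6 */
#  host = "foobl.blacklist.invalid";
#  type = ipv4, ipv6;
#  reject_reason = "''${nick}, your IP (''${ip}) is listed in ''${dnsbl-host} for some reason. In order to protect ''${network-name} from abuse, we are not allowing connections listed in ''${dnsbl-host} to connect";
};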
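/* Command aliases for the services pseudo-clients: the full name and a
 * two-letter short form for each of NickServ, ChanServ, OperServ, MemoServ.
 */
alias "NickServ" {
  target = "NickServ";
};

alias "ChanServ" {
  target = "ChanServ";
};

alias "OperServ" {
  target = "OperServ";
};

alias "MemoServ" {
  target = "MemoServ";
};

alias "NS" {
  target = "NickServ";
};

alias "CS" {
  target = "ChanServ";
};

alias "OS" {
  target = "OperServ";
};

alias "MS" {
  target = "MemoServ";
};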
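general {
  hide_error_messages = opers;
  hide_spoof_ips = yes;

  /*
   * default_umodes: umodes to enable on connect.
   * If you have enabled the new ip_cloaking_4.0 module, and you want
   * to make use of it, add +x to this option, i.e.:
   *      default_umodes = "+ix";
   *
   * If you have enabled the old ip_cloaking module, and you want
   * to make use of it, add +h to this option, i.e.:
   *      default_umodes = "+ih";
   */
  default_umodes = "+i";

  default_operstring = "is an IRC Operator";
  default_adminstring = "is a Server Administrator";
  servicestring = "is a Network Service";
  disable_fake_channels = no;
  tkline_expire_notices = no;

  /* NOTE(review): default_floodcount here and the client_flood_* values
   * further down are set in the thousands, which presumably switches flood
   * protection off in practice for every client, including those admitted by
   * the catch-all auth {} block. If the high limits are only needed for
   * trusted hosts, the flood_exempt flag on a narrow auth {} block is the
   * more targeted way to grant them.
   */
  default_floodcount = 1000;

  /* Failed oper attempts are announced to operators; keep this on, it is the
   * main signal for password guessing against the operator {} blocks.
   */
  failed_oper_notice = yes;
  dots_in_ident = 2;
  min_nonwildcard = 4;
  min_nonwildcard_simple = 3;
  max_accept = 100;
  max_monitor = 100;
  anti_nick_flood = yes;
  max_nick_time = 20 seconds;
  max_nick_changes = 5;
  anti_spam_exit_message_time = 5 minutes;
  ts_warn_delta = 30 seconds;
  ts_max_delta = 5 minutes;
  client_exit = yes;
  collision_fnc = yes;
  resv_fnc = yes;
  global_snotices = yes;
  dline_with_reason = yes;
  kline_delay = 0 seconds;
  kline_with_reason = yes;
  kline_reason = "K-Lined";
  identify_service = "NickServ@services.int";
  identify_command = "IDENTIFY";
  non_redundant_klines = yes;
  warn_no_nline = yes;
  use_propagated_bans = yes;
  stats_e_disabled = no;
  stats_c_oper_only = no;
  stats_h_oper_only = no;
  client_flood_max_lines = 16000;
  client_flood_burst_rate = 32000;
  client_flood_burst_max = 32000;
  client_flood_message_num = 32000;
  client_flood_message_time = 32000;
  use_whois_actually = no;
  oper_only_umodes = operwall, locops, servnotice;
  oper_umodes = locops, servnotice, operwall, wallop;
  oper_snomask = "+s";
  burst_away = yes;
  nick_delay = 0 seconds; # 15 minutes if you want to enable this
  reject_ban_time = 1 minute;
  reject_after_count = 3;
  reject_duration = 5 minutes;

  /* NOTE(review): a throttle_count of 1000 with a throttle_duration of 1
   * presumably means connection throttling never triggers for a normal
   * client, so repeated reconnects from one address are not slowed down.
   * Confirm that is wanted on the listener reachable by the catch-all block.
   */
  throttle_duration = 1;
  throttle_count = 1000;
  max_ratelimit_tokens = 30;
  away_interval = 30;

  /* Ident lookups are turned off, so the ident part of any user mask in this
   * file (for example in the operator {} blocks) is not backed by an identd
   * answer and should not be relied on as an access control.
   */
  disable_auth = yes;
};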
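/* Directories searched for loadable modules. */
modules {
  path = "modules";
  path = "modules/autoload";
};

/* NOTE(review): this exempts the whole 10.243.0.0/16 range from D-lines and
 * the reject cache (see the exempt {} comment earlier in this file). Combined
 * with kline_exempt on the matching auth {} block, no ban issued on this
 * server can remove a client in that range; narrow the range if that is not
 * the intent.
 */
exempt {
  ip = "10.243.0.0/16";
};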
''