1
0
mirror of https://github.com/osmarks/ngircd.git synced 2024-12-04 22:19:57 +00:00
ngircd/doc/sample-ngircd.conf.tmpl

426 lines
16 KiB
Cheetah
Raw Permalink Normal View History

#
# This is a sample configuration file for the ngIRCd IRC daemon, which must
# be customized to the local preferences and needs.
#
# Comments are started with "#" or ";".
#
# A lot of configuration options in this file start with a ";". You have
# to remove the ";" in front of each variable to actually set a value!
# The disabled variables are shown with example values for completeness only
# and the daemon is using compiled-in default settings.
#
# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
2006-04-09 12:27:23 +00:00
# server interprets the configuration file as expected!
#
# Please see ngircd.conf(5) for a complete list of configuration options
# and their descriptions.
2008-09-13 13:10:08 +00:00
#
[Global]
2003-03-10 00:23:34 +00:00
# The [Global] section of this file is used to define the main
# configuration of the server, like the server name and the ports
# on which the server should be listening.
# These settings depend on your personal preferences, so you should
# make sure that they correspond to your installation and setup!
2006-04-09 12:27:23 +00:00
# Server name in the IRC network, must contain at least one dot
# (".") and be unique in the IRC network. When not set, ngIRCd tries
# to deduce a valid IRC server name from the local host name.
;Name = irc.example.net
2006-04-09 12:27:23 +00:00
2003-03-10 00:23:34 +00:00
# Information about the server and the administrator, used by the
# ADMIN command. Not required by server but by RFC!
;AdminInfo1 = Description
;AdminInfo2 = Location
2002-09-16 10:33:09 +00:00
;AdminEMail = admin@irc.server
# Text file which contains the ngIRCd help text. This file is required
# to display help texts when using the "HELP <cmd>" command. Default: a
# built-in standard path (check "ngircd --configtest").
;HelpFile = :DOCDIR:/Commands.txt
# Info text of the server. This will be shown by WHOIS and
# LINKS requests for example. Set to the server software name and
# version by default.
;Info = Server Info Text
2008-09-13 13:10:08 +00:00
# Comma separated list of IP addresses on which the server should
# listen. Default values are:
# "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
# so the server listens on all IP addresses of the system by default.
;Listen = 127.0.0.1,192.168.0.1
2006-04-09 12:27:23 +00:00
2003-03-10 00:23:34 +00:00
# Text file with the "message of the day" (MOTD). This message will
# be shown to all users connecting to the server: Default: a built-in
# standard path (check "ngircd --configtest").
;MotdFile = :ETCDIR:/ngircd.motd
2002-03-29 23:41:23 +00:00
# A simple Phrase (<127 chars) if you don't want to use a motd file.
;MotdPhrase = "Hello world!"
# The name of the IRC network to which this server belongs. This name
# is optional, should only contain ASCII characters, and can't contain
# spaces. It is only used to inform clients. The default is empty,
# so no network name is announced to clients.
;Network = aIRCnetwork
# Global password for all users needed to connect to the server.
# (Default: not set)
;Password = abc
# This tells ngIRCd to write its current process ID to a file.
# Note that the pidfile is written AFTER chroot and switching the
# user ID, e.g. the directory the pidfile resides in must be
2011-06-28 11:12:06 +00:00
# writable by the ngIRCd user and exist in the chroot directory.
;PidFile = /var/run/ngircd/ngircd.pid
# Ports on which the server should listen. There may be more than
# one port, separated with ",". (Default: 6667)
;Ports = 6667, 6668, 6669
# Group ID under which the ngIRCd should run; you can use the name
# of the group or the numerical ID. ATTENTION: For this to work the
# server must have been started with root privileges!
;ServerGID = 65534
2003-03-10 00:23:34 +00:00
# User ID under which the server should run; you can use the name
# of the user or the numerical ID. ATTENTION: For this to work the
# server must have been started with root privileges! In addition,
# the configuration and MOTD files must be readable by this user,
# otherwise RESTART and REHASH won't work!
;ServerUID = 65534
2002-03-29 23:41:23 +00:00
[Limits]
# Define some limits and timeouts for this ngIRCd instance. Default
# values should be safe, but it is wise to double-check :-)
2003-03-10 00:23:34 +00:00
# The server tries every <ConnectRetry> seconds to establish a link
# to not yet (or no longer) connected servers.
2002-03-29 23:41:23 +00:00
;ConnectRetry = 60
# Number of seconds after which the whole daemon should shutdown when
# no connections are left active after handling at least one client
# (0: never, which is the default).
# This can be useful for testing or when ngIRCd is started using
# "socket activation" with systemd(8), for example.
;IdleTimeout = 0
# Maximum number of simultaneous in- and outbound connections the
# server is allowed to accept (0: unlimited):
;MaxConnections = 0
2006-04-09 12:27:23 +00:00
# Maximum number of simultaneous connections from a single IP address
# the server will accept (0: unlimited):
;MaxConnectionsIP = 5
# Maximum number of channels a user can be member of (0: no limit):
2002-12-14 13:32:30 +00:00
;MaxJoins = 10
# Maximum length of an user nickname (Default: 9, as in RFC 2812).
# Please note that all servers in an IRC network MUST use the same
# maximum nickname length!
;MaxNickLength = 9
# Maximum penalty time increase in seconds, per penalty event. Set to -1
# for no limit (the default), 0 to disable penalties altogether. The
# daemon doesn't use penalty increases higher than 2 seconds during
# normal operation, so values greater than 1 rarely make sense.
;MaxPenaltyTime = -1
# Maximum number of channels returned in response to a /list
# command (0: unlimited):
;MaxListSize = 100
# After <PingTimeout> seconds of inactivity the server will send a
# PING to the peer to test whether it is alive or not.
;PingTimeout = 120
# If a client fails to answer a PING with a PONG within <PongTimeout>
# seconds, it will be disconnected by the server.
;PongTimeout = 20
[Options]
# Optional features and configuration options to further tweak the
2011-06-28 11:12:06 +00:00
# behavior of ngIRCd. If you want to get started quickly, you most
# probably don't have to make changes here -- they are all optional.
# List of allowed channel types (channel prefixes) for newly created
# channels on the local server. By default, all supported channel
# types are allowed. Set this variable to the empty string to disallow
# creation of new channels by local clients at all.
;AllowedChannelTypes = #&+
# Are remote IRC operators allowed to control this server, e.g.
# use commands like CONNECT, SQUIT, DIE, ...?
;AllowRemoteOper = no
# A directory to chroot in when everything is initialized. It
# doesn't need to be populated if ngIRCd is compiled as a static
# binary. By default ngIRCd won't use the chroot() feature.
# ATTENTION: For this to work the server must have been started
# with root privileges!
;ChrootDir = /var/empty
# Set this hostname for every client instead of the real one.
# Use %x to add the hashed value of the original hostname.
;CloakHost = cloaked.host
# Use this hostname for hostname cloaking on clients that have the
# user mode "+x" set, instead of the name of the server.
# Use %x to add the hashed value of the original hostname.
;CloakHostModeX = cloaked.user
# The Salt for cloaked hostname hashing. When undefined a random
# hash is generated after each server start.
;CloakHostSalt = abcdefghijklmnopqrstuvwxyz
# Set every clients' user name to their nickname
;CloakUserToNick = yes
# Try to connect to other IRC servers using IPv4 and IPv6, if possible.
;ConnectIPv6 = yes
;ConnectIPv4 = yes
# Default user mode(s) to set on new local clients. Please note that
# only modes can be set that the client could set using regular MODE
# commands, you can't set "a" (away) for example! Default: none.
;DefaultUserModes = i
# Do DNS lookups when a client connects to the server.
;DNS = yes
# Do IDENT lookups if ngIRCd has been compiled with support for it.
# Users identified using IDENT are registered without the "~" character
# prepended to their user name.
;Ident = yes
# Directory containing configuration snippets (*.conf), that should
# be read in after parsing this configuration file.
# Default: a built-in directory name when no configuration file was
# explicitly given on the command line (check "ngircd --configtest"),
# none (empty) otherwise.
;IncludeDir = :ETCDIR:/conf.d
# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
# by censoring some information like idle time, logon time, etc.
;MorePrivacy = no
# Normally ngIRCd doesn't send any messages to a client until it is
# registered. Enable this option to let the daemon send "NOTICE *"
# messages to clients while connecting.
;NoticeBeforeRegistration = no
# Should IRC Operators be allowed to use the MODE command even if
# they are not(!) channel-operators?
;OperCanUseMode = no
# Should IRC Operators get AutoOp (+o) in persistent (+P) channels?
;OperChanPAutoOp = yes
# Mask IRC Operator mode requests as if they were coming from the
# server? (This is a compatibility hack for ircd-irc2 servers)
;OperServerMode = no
# Use PAM if ngIRCd has been compiled with support for it.
# Users identified using PAM are registered without the "~" character
# prepended to their user name.
;PAM = yes
# When PAM is enabled, all clients are required to be authenticated
# using PAM; connecting to the server without successful PAM
# authentication isn't possible.
# If this option is set, clients not sending a password are still
# allowed to connect: they won't become "identified" and keep the "~"
# character prepended to their supplied user name.
# Please note: To make some use of this behavior, it most probably
# isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
# same time, because you wouldn't be able to distinguish between
# Ident'ified and PAM-authenticated users: both don't have a "~"
# character prepended to their respective user names!
;PAMIsOptional = no
# When PAM is enabled, this value determines the used PAM
# configuration.
# This setting allows to run multiple ngIRCd instances with
# different PAM configurations on each instance.
# If you set it to "ngircd-foo", PAM will use
# /etc/pam.d/ngircd-foo instead of the default
# /etc/pam.d/ngircd.
;PAMServiceName = ngircd
# Let ngIRCd send an "authentication PING" when a new client connects,
# and register this client only after receiving the corresponding
# "PONG" reply.
;RequireAuthPing = no
2011-06-28 11:12:06 +00:00
# Silently drop all incoming CTCP requests.
;ScrubCTCP = no
# Syslog "facility" to which ngIRCd should send log messages.
# Possible values are system dependent, but most probably auth, daemon,
# user and local1 through local7 are possible values; see syslog(3).
# Default is "local5" for historical reasons, you probably want to
# change this to "daemon", for example.
;SyslogFacility = local1
# Password required for using the WEBIRC command used by some
# Web-to-IRC gateways. If not set/empty, the WEBIRC command can't
# be used. (Default: not set)
;WebircPassword = xyz
;[SSL]
# SSL-related configuration options. Please note that this section
# is only available when ngIRCd is compiled with support for SSL!
# So don't forget to remove the ";" above if this is the case ...
# SSL Trusted CA Certificates File for verifying peer certificates.
# (Default: not set; so no certificates are trusted)
Support for server certificate validation on server links [S2S-TLS] This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links. Features: - Check whether the certificate is signed by a trusted certificate authority (CA). - Check the host name, including wildcard certificates and Subject Alternative Names. - Optionally check against a certificate revocation list (CRL). - Implementation for both OpenSSL and GnuTLS linkage. Left for another day: - Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1. - Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too. - Optional OCSP checking. - Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections. This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only: From: Florian Westphal <fw@strlen.de> Date: Mon, 18 May 2009 00:29:02 +0200 Subject: SSL/TLS: Add initial certificate support to OpenSSL backend Commit message modified by Alex Barton. Closes #120, "Server links using TLS/SSL need certificate validation". Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
2014-11-02 13:48:34 +00:00
;CAFile = /etc/ssl/CA/cacert.pem
# Certificate Revocation File (for marking otherwise valid
# certficates as invalid)
;CRLFile = /etc/ssl/CA/crl.pem
# SSL Server Key Certificate
;CertFile = :ETCDIR:/ssl/server-cert.pem
# Select cipher suites allowed for SSL/TLS connections. This defaults
# to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
# See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
# (GnuTLS) for details.
# For OpenSSL:
;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
# For GnuTLS:
;CipherList = SECURE128:-VERS-SSL3.0
# Diffie-Hellman parameters
;DHFile = :ETCDIR:/ssl/dhparams.pem
# SSL Server Key
;KeyFile = :ETCDIR:/ssl/server-key.pem
# password to decrypt SSLKeyFile (OpenSSL only)
;KeyFilePassword = secret
# Additional Listen Ports that expect SSL/TLS encrypted connections
;Ports = 6697, 9999
[Operator]
2003-03-10 00:23:34 +00:00
# [Operator] sections are used to define IRC Operators. There may be
# more than one [Operator] block, one for each local operator.
2006-04-09 12:27:23 +00:00
# ID of the operator (may be different of the nickname)
;Name = TheOper
2003-03-10 00:23:34 +00:00
# Password of the IRC operator
;Password = ThePwd
# Optional Mask from which /OPER will be accepted
;Mask = *!ident@somewhere.example.com
[Operator]
# More [Operator] sections, if you like ...
[Server]
2003-03-10 00:23:34 +00:00
# Other servers are configured in [Server] sections. If you
# configure a port for the connection, then this ngircd tries to
# connect to the other server on the given port; if not it waits
2003-03-10 00:23:34 +00:00
# for the other server to connect.
2006-04-09 12:27:23 +00:00
# There may be more than one server block, one for each server.
#
2003-03-10 00:23:34 +00:00
# Server Groups:
# The ngIRCd allows "server groups": You can assign an "ID" to every
# server with which you want this ngIRCd to link. If a server of a
# group won't answer, the ngIRCd tries to connect to the next server
# in the given group. But the ngircd never tries to connect to two
# servers with the same group ID.
2006-04-09 12:27:23 +00:00
# IRC name of the remote server, must match the "Name" variable in
# the [Global] section of the other server (when using ngIRCd).
;Name = irc2.example.net
2008-09-13 13:10:08 +00:00
# Internet host name or IP address of the peer (only required when
# this server should establish the connection).
;Host = connect-to-host.example.net
2002-12-18 12:19:07 +00:00
# IP address to use as _source_ address for the connection. if
# unspecified, ngircd will let the operating system pick an address.
;Bind = 10.0.0.1
2003-03-10 00:23:34 +00:00
# Port of the server to which the ngIRCd should connect. If you
# assign no port the ngIRCd waits for incoming connections.
;Port = 6667
# Own password for the connection. This password has to be configured
# as "PeerPassword" on the other server.
;MyPassword = MySecret
# Foreign password for this connection. This password has to be
# configured as "MyPassword" on the other server.
;PeerPassword = PeerSecret
2006-04-09 12:27:23 +00:00
2003-03-10 00:23:34 +00:00
# Group of this server (optional)
;Group = 123
# Set the "Passive" option to "yes" if you don't want this ngIRCd to
# connect to the configured peer (same as leaving the "Port" variable
# empty). The advantage of this option is that you can actually
# configure a port an use the IRC command CONNECT more easily to
# manually connect this specific server later.
;Passive = no
2008-09-13 13:10:08 +00:00
# Connect to the remote server using TLS/SSL (Default: false)
;SSLConnect = yes
2008-09-13 13:10:08 +00:00
Support for server certificate validation on server links [S2S-TLS] This patch provides code to validate the server certificate in server links, defeating nasty man-in-the-middle attacks on server links. Features: - Check whether the certificate is signed by a trusted certificate authority (CA). - Check the host name, including wildcard certificates and Subject Alternative Names. - Optionally check against a certificate revocation list (CRL). - Implementation for both OpenSSL and GnuTLS linkage. Left for another day: - Parameterize the TLS parameter of an outbound connection. Currently, it's hardcoded to disable all versions before TLSv1.1. - Using certificate as CA-certificate. They work for GnuTLS only but perhaps this should rather raise an error there, too. - Optional OCSP checking. - Checking client certificates. Code is there but this first needs some consideration about the use cases. This could replace all other authentication methods, for both client-server and server-server connections. This patch is based on a patch by Florian Westphal from 2009, which implemented this for OpenSSL only: From: Florian Westphal <fw@strlen.de> Date: Mon, 18 May 2009 00:29:02 +0200 Subject: SSL/TLS: Add initial certificate support to OpenSSL backend Commit message modified by Alex Barton. Closes #120, "Server links using TLS/SSL need certificate validation". Supersedes PR #8, "Options for verifying and requiring SSL client certificates", which had (incomplete?) code for OpenSSL, no GnuTLS.
2014-11-02 13:48:34 +00:00
# Verify the TLS certificate presented by the remote server
# (Default: yes)
;SSLVerify = yes
# Define a (case insensitive) list of masks matching nicknames that
# should be treated as IRC services when introduced via this remote
# server, separated by commas (",").
# REGULAR SERVERS DON'T NEED this parameter, so leave it empty
# (which is the default).
# When you are connecting IRC services which mask as a IRC server
# and which use "virtual users" to communicate with, for example
2009-01-01 16:56:42 +00:00
# "NickServ" and "ChanServ", you should set this parameter to
# something like "*Serv" or "NickServ,ChanServ,XyzServ".
;ServiceMask = *Serv,Global
[Server]
# More [Server] sections, if you like ...
2002-05-21 00:09:53 +00:00
[Channel]
2003-03-10 00:23:34 +00:00
# Pre-defined channels can be configured in [Channel] sections.
# Such channels are created by the server when starting up and even
# persist when there are no more members left.
# Persistent channels are marked with the mode 'P', which can be set
# and unset by IRC operators like other modes on the fly.
2006-04-09 12:27:23 +00:00
# There may be more than one [Channel] block, one for each channel.
# Name of the channel
2002-05-21 00:09:53 +00:00
;Name = #TheName
2003-03-10 00:23:34 +00:00
# Topic for this channel
;Topic = a great topic
2006-04-09 12:27:23 +00:00
# Initial channel modes, as used in "MODE" commands. Modifying lists
# (ban list, invite list, exception list) is supported.
# This option can be specified multiple times, evaluated top to bottom.
;Modes = +tnk mykey +l 5
;Modes = +b nick!~user@bad.host.example.com
# Should ngIRCd automatically join ("autojoin") all users to this
# channel on connect? Note: The users must have permissions to access
# the channel, otherwise joining them will fail!
;Autojoin = yes
# Key file, syntax for each line: "<user>:<nick>:<key>".
# Default: none.
;KeyFile = :ETCDIR:/#chan.key
[Channel]
# More [Channel] sections, if you like ...
# -eof-