123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535 |
- # oragono IRCd config
-
- # network configuration
- network:
- # name of the network
- name: OragonoTest
-
- # server configuration
- server:
- # server name
- name: oragono.test
-
- # addresses to listen on
- listen:
- - ":6667"
- - ":6697" # ssl port
- # Binding on specific IPs:
- # - "127.0.0.1:6668"
- # - "[::1]:6668"
- # Unix domain socket for proxying:
- # - "/tmp/oragono_sock"
-
- # sets the permissions for Unix listen sockets. on a typical Linux system,
- # the default is 0775 or 0755, which prevents other users/groups from connecting
- # to the socket. With 0777, it behaves like a normal TCP socket
- # where anyone can connect.
- unix-bind-mode: 0777
-
- # tls listeners
- tls-listeners:
- # listener on ":6697"
- ":6697":
- key: tls.key
- cert: tls.crt
-
- # tor listeners: designate listeners for use by a tor hidden service / .onion address
- # WARNING: if you are running oragono as a pure hidden service, see the
- # anonymization / hardening recommendations in docs/MANUAL.md
- tor-listeners:
- # any connections that come in on these listeners will be considered
- # Tor connections. it is strongly recommended that these listeners *not*
- # be on public interfaces: they should be on 127.0.0.0/8 or unix domain
- listeners:
- # - "/tmp/oragono_tor_sock"
-
- # if this is true, connections from Tor must authenticate with SASL
- require-sasl: false
-
- # what hostname should be displayed for Tor connections?
- vhost: "tor-network.onion"
-
- # allow at most this many connections at once (0 for no limit):
- max-connections: 64
-
- # connection throttling (limit how many connection attempts are allowed at once):
- throttle-duration: 10m
- # set to 0 to disable throttling:
- max-connections-per-duration: 64
-
- # strict transport security, to get clients to automagically use TLS
- sts:
- # whether to advertise STS
- #
- # to stop advertising STS, leave this enabled and set 'duration' below to "0". this will
- # advertise to connecting users that the STS policy they have saved is no longer valid
- enabled: false
-
- # how long clients should be forced to use TLS for.
- # setting this to a too-long time will mean bad things if you later remove your TLS.
- # the default duration below is 1 month, 2 days and 5 minutes.
- duration: 1mo2d5m
-
- # tls port - you should be listening on this port above
- port: 6697
-
- # should clients include this STS policy when they ship their inbuilt preload lists?
- preload: false
-
- # use ident protocol to get usernames
- check-ident: true
-
- # password to login to the server
- # generated using "oragono genpasswd"
- #password: ""
-
- # motd filename
- # if you change the motd, you should move it to ircd.motd
- motd: oragono.motd
-
- # motd formatting codes
- # if this is true, the motd is escaped using formatting codes like $c, $b, and $i
- motd-formatting: true
-
- # addresses/CIDRs the PROXY command can be used from
- # this should be restricted to 127.0.0.1/8 and ::1/128 (unless you have a good reason)
- # you should also add these addresses to the connection limits and throttling exemption lists
- proxy-allowed-from:
- # - localhost
- # - "127.0.0.1"
- # - "127.0.0.1/8"
-
- # controls the use of the WEBIRC command (by IRC<->web interfaces, bouncers and similar)
- webirc:
- # one webirc block -- should correspond to one set of gateways
- -
- # tls fingerprint the gateway must connect with to use this webirc block
- fingerprint: 938dd33f4b76dcaf7ce5eb25c852369cb4b8fb47ba22fc235aa29c6623a5f182
-
- # password the gateway uses to connect, made with oragono genpasswd
- password: "$2a$04$sLEFDpIOyUp55e6gTMKbOeroT6tMXTjPFvA0eGvwvImVR9pkwv7ee"
-
- # addresses/CIDRs that can use this webirc command
- # you should also add these addresses to the connection limits and throttling exemption lists
- hosts:
- # - localhost
- # - "127.0.0.1"
- # - "127.0.0.1/8"
- # - "0::1"
-
- # allow use of the RESUME extension over plaintext connections:
- # do not enable this unless the ircd is only accessible over internal networks
- allow-plaintext-resume: false
-
- # maximum length of clients' sendQ in bytes
- # this should be big enough to hold bursts of channel/direct messages
- max-sendq: 16k
-
- # maximum number of connections per subnet
- connection-limits:
- # whether to enforce connection limits or not
- enabled: true
-
- # how wide the cidr should be for IPv4
- cidr-len-ipv4: 32
-
- # how wide the cidr should be for IPv6
- cidr-len-ipv6: 64
-
- # maximum concurrent connections per subnet (defined above by the cidr length)
- connections-per-subnet: 16
-
- # IPs/networks which are exempted from connection limits
- exempted:
- - "localhost"
- # - "192.168.1.1"
- # - "2001:0db8::/32"
-
- # automated connection throttling
- connection-throttling:
- # whether to throttle connections or not
- enabled: true
-
- # how wide the cidr should be for IPv4
- cidr-len-ipv4: 32
-
- # how wide the cidr should be for IPv6
- cidr-len-ipv6: 64
-
- # how long to keep track of connections for
- duration: 10m
-
- # maximum number of connections, per subnet, within the given duration
- max-connections: 32
-
- # how long to ban offenders for, and the message to use
- # after banning them, the number of connections is reset (which lets you use UNDLINE to unban people)
- ban-duration: 10m
- ban-message: You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect.
-
- # IPs/networks which are exempted from connection limits
- exempted:
- - "localhost"
- # - "192.168.1.1"
- # - "2001:0db8::/32"
-
- # account options
- accounts:
- # account registration
- registration:
- # can users register new accounts?
- enabled: true
-
- # this is the bcrypt cost we'll use for account passwords
- bcrypt-cost: 12
-
- # length of time a user has to verify their account before it can be re-registered
- verify-timeout: "32h"
-
- # callbacks to allow
- enabled-callbacks:
- - none # no verification needed, will instantly register successfully
-
- # example configuration for sending verification emails via a local mail relay
- # callbacks:
- # mailto:
- # server: localhost
- # port: 25
- # tls:
- # enabled: false
- # username: ""
- # password: ""
- # sender: "admin@my.network"
-
- # is account authentication enabled?
- authentication-enabled: true
-
- # throttle account login attempts (to prevent either password guessing, or DoS
- # attacks on the server aimed at forcing repeated expensive bcrypt computations)
- login-throttling:
- enabled: true
-
- # window
- duration: 1m
-
- # number of attempts allowed within the window
- max-attempts: 3
-
- # some clients (notably Pidgin and Hexchat) offer only a single password field,
- # which makes it impossible to specify a separate server password (for the PASS
- # command) and SASL password. if this option is set to true, a client that
- # successfully authenticates with SASL will not be required to send
- # PASS as well, so it can be configured to authenticate with SASL only.
- skip-server-password: false
-
- # require-sasl controls whether clients are required to have accounts
- # (and sign into them using SASL) to connect to the server
- require-sasl:
- # if this is enabled, all clients must authenticate with SASL while connecting
- enabled: false
-
- # IPs/CIDRs which are exempted from the account requirement
- exempted:
- - "localhost"
- # - '127.0.0.2'
- # - '10.10.0.0/16'
-
- # nick-reservation controls how, and whether, nicknames are linked to accounts
- nick-reservation:
- # is there any enforcement of reserved nicknames?
- enabled: false
-
- # how many nicknames, in addition to the account name, can be reserved?
- additional-nick-limit: 2
-
- # method describes how nickname reservation is handled
- # already logged-in using SASL or NickServ
- # timeout: let the user change to the registered nickname, give them X seconds
- # to login and then rename them if they haven't done so
- # strict: don't let the user change to the registered nickname unless they're
- # already logged-in using SASL or NickServ
- # optional: no enforcement by default, but allow users to opt in to
- # the enforcement level of their choice
- method: timeout
-
- # allow users to set their own nickname enforcement status, e.g.,
- # to opt in to strict enforcement
- allow-custom-enforcement: true
-
- # rename-timeout - this is how long users have 'til they're renamed
- rename-timeout: 30s
-
- # rename-prefix - this is the prefix to use when renaming clients (e.g. Guest-AB54U31)
- rename-prefix: Guest-
-
- # vhosts controls the assignment of vhosts (strings displayed in place of the user's
- # hostname/IP) by the HostServ service
- vhosts:
- # are vhosts enabled at all?
- enabled: true
-
- # maximum length of a vhost
- max-length: 64
-
- # regexp for testing the validity of a vhost
- # (make sure any changes you make here are RFC-compliant)
- valid-regexp: '^[0-9A-Za-z.\-_/]+$'
-
- # options controlling users requesting vhosts:
- user-requests:
- # can users request vhosts at all? if this is false, operators with the
- # 'vhosts' capability can still assign vhosts manually
- enabled: false
-
- # if uncommented, all new vhost requests will be dumped into the given
- # channel, so opers can review them as they are sent in. ensure that you
- # have registered and restricted the channel appropriately before you
- # uncomment this.
- #channel: "#vhosts"
-
- # after a user's vhost has been approved or rejected, they need to wait
- # this long (starting from the time of their original request)
- # before they can request a new one.
- cooldown: 168h
-
- # channel options
- channels:
- # modes that are set when new channels are created
- # +n is no-external-messages and +t is op-only-topic
- # see /QUOTE HELP cmodes for more channel modes
- default-modes: +nt
-
- # how many channels can a client be in at once?
- max-channels-per-client: 100
-
- # channel registration - requires an account
- registration:
- # can users register new channels?
- enabled: true
-
- # how many channels can each account register?
- max-channels-per-account: 15
-
- # operator classes
- oper-classes:
- # local operator
- "local-oper":
- # title shown in WHOIS
- title: Local Operator
-
- # capability names
- capabilities:
- - "oper:local_kill"
- - "oper:local_ban"
- - "oper:local_unban"
- - "nofakelag"
-
- # network operator
- "network-oper":
- # title shown in WHOIS
- title: Network Operator
-
- # oper class this extends from
- extends: "local-oper"
-
- # capability names
- capabilities:
- - "oper:remote_kill"
- - "oper:remote_ban"
- - "oper:remote_unban"
-
- # server admin
- "server-admin":
- # title shown in WHOIS
- title: Server Admin
-
- # oper class this extends from
- extends: "local-oper"
-
- # capability names
- capabilities:
- - "oper:rehash"
- - "oper:die"
- - "accreg"
- - "sajoin"
- - "samode"
- - "vhosts"
- - "chanreg"
-
- # ircd operators
- opers:
- # operator named 'dan'
- dan:
- # which capabilities this oper has access to
- class: "server-admin"
-
- # custom whois line
- whois-line: is a cool dude
-
- # custom hostname
- vhost: "n"
-
- # modes are the modes to auto-set upon opering-up
- modes: +is acjknoqtux
-
- # password to login with /OPER command
- # generated using "oragono genpasswd"
- password: "$2a$04$LiytCxaY0lI.guDj2pBN4eLRD5cdM2OLDwqmGAgB6M2OPirbF5Jcu"
-
- # logging, takes inspiration from Insp
- logging:
- -
- # how to log these messages
- #
- # file log to given target filename
- # stdout log to stdout
- # stderr log to stderr
- # (you can specify multiple methods, e.g., to log to both stderr and a file)
- method: stderr
-
- # filename to log to, if file method is selected
- # filename: ircd.log
-
- # type(s) of logs to keep here. you can use - to exclude those types
- #
- # exclusions take precedent over inclusions, so if you exclude a type it will NEVER
- # be logged, even if you explicitly include it
- #
- # useful types include:
- # * everything (usually used with exclusing some types below)
- # server server startup, rehash, and shutdown events
- # accounts account registration and authentication
- # channels channel creation and operations
- # commands command calling and operations
- # opers oper actions, authentication, etc
- # services actions related to NickServ, ChanServ, etc.
- # internal unexpected runtime behavior, including potential bugs
- # userinput raw lines sent by users
- # useroutput raw lines sent to users
- type: "* -userinput -useroutput"
-
- # one of: debug info warn error
- level: info
- #-
- # # example of a file log that avoids logging IP addresses
- # method: file
- # filename: ircd.log
- # type: "* -userinput -useroutput -localconnect -localconnect-ip"
- # level: debug
-
- # debug options
- debug:
- # when enabled, oragono will attempt to recover from certain kinds of
- # client-triggered runtime errors that would normally crash the server.
- # this makes the server more resilient to DoS, but could result in incorrect
- # behavior. deployments that would prefer to "start from scratch", e.g., by
- # letting the process crash and auto-restarting it with systemd, can set
- # this to false.
- recover-from-errors: true
-
- # optionally expose a pprof http endpoint: https://golang.org/pkg/net/http/pprof/
- # it is strongly recommended that you don't expose this on a public interface;
- # if you need to access it remotely, you can use an SSH tunnel.
- # set to `null`, "", leave blank, or omit to disable
- # pprof-listener: "localhost:6060"
-
- # datastore configuration
- datastore:
- # path to the datastore
- path: ircd.db
-
- # if the database schema requires an upgrade, `autoupgrade` will attempt to
- # perform it automatically on startup. the database will be backed
- # up, and if the upgrade fails, the original database will be restored.
- autoupgrade: true
-
- # languages config
- languages:
- # whether to load languages
- enabled: true
-
- # default language to use for new clients
- # 'en' is the default English language in the code
- default: en
-
- # which directory contains our language files
- path: languages
-
- # limits - these need to be the same across the network
- limits:
- # nicklen is the max nick length allowed
- nicklen: 32
-
- # identlen is the max ident length allowed
- identlen: 20
-
- # channellen is the max channel length allowed
- channellen: 64
-
- # awaylen is the maximum length of an away message
- awaylen: 500
-
- # kicklen is the maximum length of a kick message
- kicklen: 1000
-
- # topiclen is the maximum length of a channel topic
- topiclen: 1000
-
- # maximum number of monitor entries a client can have
- monitor-entries: 100
-
- # whowas entries to store
- whowas-entries: 100
-
- # maximum length of channel lists (beI modes)
- chan-list-modes: 60
-
- # maximum length of IRC lines
- # this should generally be 1024-2048, and will only apply when negotiated by clients
- linelen:
- # tags section
- tags: 2048
-
- # rest of the message
- rest: 2048
-
- # fakelag: prevents clients from spamming commands too rapidly
- fakelag:
- # whether to enforce fakelag
- enabled: false
-
- # time unit for counting command rates
- window: 1s
-
- # clients can send this many commands without fakelag being imposed
- burst-limit: 5
-
- # once clients have exceeded their burst allowance, they can send only
- # this many commands per `window`:
- messages-per-window: 2
-
- # client status resets to the default state if they go this long without
- # sending any commands:
- cooldown: 2s
-
- # message history tracking, for the RESUME extension and possibly other uses in future
- history:
- # should we store messages for later playback?
- # the current implementation stores messages in RAM only; they do not persist
- # across server restarts. however, you should not enable this unless you understand
- # how it interacts with the GDPR and/or any data privacy laws that apply
- # in your country and the countries of your users.
- enabled: false
-
- # how many channel-specific events (messages, joins, parts) should be tracked per channel?
- channel-length: 256
-
- # how many direct messages and notices should be tracked per user?
- client-length: 64
-
- # number of messages to automatically play back on channel join (0 to disable):
- autoreplay-on-join: 0
-
- # maximum number of CHATHISTORY messages that can be
- # requested at once (0 disables support for CHATHISTORY)
- chathistory-maxmessages: 100
|