You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

oragono.yaml 18KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533
  1. # oragono IRCd config
  2. # network configuration
  3. network:
  4. # name of the network
  5. name: OragonoTest
  6. # server configuration
  7. server:
  8. # server name
  9. name: oragono.test
  10. # addresses to listen on
  11. listen:
  12. - ":6697" # SSL/TLS port
  13. - ":6667" # plaintext port
  14. # To disable plaintext over the Internet, comment out :6667 and replace with:
  15. # - "127.0.0.1:6667" # (loopback ipv4, localhost-only)
  16. # - "[::1]:6667" # (loopback ipv6, localhost-only)
  17. # Unix domain socket for proxying:
  18. # - "/tmp/oragono_sock"
  19. # sets the permissions for Unix listen sockets. on a typical Linux system,
  20. # the default is 0775 or 0755, which prevents other users/groups from connecting
  21. # to the socket. With 0777, it behaves like a normal TCP socket
  22. # where anyone can connect.
  23. unix-bind-mode: 0777
  24. # tls listeners
  25. tls-listeners:
  26. # listener on ":6697"
  27. ":6697":
  28. key: tls.key
  29. cert: tls.crt
  30. # tor listeners: designate listeners for use by a tor hidden service / .onion address
  31. # WARNING: if you are running oragono as a pure hidden service, see the
  32. # anonymization / hardening recommendations in docs/MANUAL.md
  33. tor-listeners:
  34. # any connections that come in on these listeners will be considered
  35. # Tor connections. it is strongly recommended that these listeners *not*
  36. # be on public interfaces: they should be on 127.0.0.0/8 or unix domain
  37. listeners:
  38. # - "/tmp/oragono_tor_sock"
  39. # if this is true, connections from Tor must authenticate with SASL
  40. require-sasl: false
  41. # what hostname should be displayed for Tor connections?
  42. vhost: "tor-network.onion"
  43. # allow at most this many connections at once (0 for no limit):
  44. max-connections: 64
  45. # connection throttling (limit how many connection attempts are allowed at once):
  46. throttle-duration: 10m
  47. # set to 0 to disable throttling:
  48. max-connections-per-duration: 64
  49. # strict transport security, to get clients to automagically use TLS
  50. sts:
  51. # whether to advertise STS
  52. #
  53. # to stop advertising STS, leave this enabled and set 'duration' below to "0". this will
  54. # advertise to connecting users that the STS policy they have saved is no longer valid
  55. enabled: false
  56. # how long clients should be forced to use TLS for.
  57. # setting this to a too-long time will mean bad things if you later remove your TLS.
  58. # the default duration below is 1 month, 2 days and 5 minutes.
  59. duration: 1mo2d5m
  60. # tls port - you should be listening on this port above
  61. port: 6697
  62. # should clients include this STS policy when they ship their inbuilt preload lists?
  63. preload: false
  64. # use ident protocol to get usernames
  65. check-ident: false
  66. # password to login to the server
  67. # generated using "oragono genpasswd"
  68. #password: ""
  69. # motd filename
  70. # if you change the motd, you should move it to ircd.motd
  71. motd: oragono.motd
  72. # motd formatting codes
  73. # if this is true, the motd is escaped using formatting codes like $c, $b, and $i
  74. motd-formatting: true
  75. # addresses/CIDRs the PROXY command can be used from
  76. # this should be restricted to 127.0.0.1/8 and ::1/128 (unless you have a good reason)
  77. # you should also add these addresses to the connection limits and throttling exemption lists
  78. proxy-allowed-from:
  79. # - localhost
  80. # - "127.0.0.1"
  81. # - "127.0.0.1/8"
  82. # controls the use of the WEBIRC command (by IRC<->web interfaces, bouncers and similar)
  83. webirc:
  84. # one webirc block -- should correspond to one set of gateways
  85. -
  86. # tls fingerprint the gateway must connect with to use this webirc block
  87. fingerprint: 938dd33f4b76dcaf7ce5eb25c852369cb4b8fb47ba22fc235aa29c6623a5f182
  88. # password the gateway uses to connect, made with oragono genpasswd
  89. password: "$2a$04$sLEFDpIOyUp55e6gTMKbOeroT6tMXTjPFvA0eGvwvImVR9pkwv7ee"
  90. # addresses/CIDRs that can use this webirc command
  91. # you should also add these addresses to the connection limits and throttling exemption lists
  92. hosts:
  93. # - localhost
  94. # - "127.0.0.1"
  95. # - "127.0.0.1/8"
  96. # - "0::1"
  97. # allow use of the RESUME extension over plaintext connections:
  98. # do not enable this unless the ircd is only accessible over internal networks
  99. allow-plaintext-resume: false
  100. # maximum length of clients' sendQ in bytes
  101. # this should be big enough to hold bursts of channel/direct messages
  102. max-sendq: 16k
  103. # maximum number of connections per subnet
  104. connection-limits:
  105. # whether to enforce connection limits or not
  106. enabled: true
  107. # how wide the cidr should be for IPv4
  108. cidr-len-ipv4: 32
  109. # how wide the cidr should be for IPv6
  110. cidr-len-ipv6: 64
  111. # maximum concurrent connections per subnet (defined above by the cidr length)
  112. connections-per-subnet: 16
  113. # IPs/networks which are exempted from connection limits
  114. exempted:
  115. - "localhost"
  116. # - "192.168.1.1"
  117. # - "2001:0db8::/32"
  118. # automated connection throttling
  119. connection-throttling:
  120. # whether to throttle connections or not
  121. enabled: true
  122. # how wide the cidr should be for IPv4
  123. cidr-len-ipv4: 32
  124. # how wide the cidr should be for IPv6
  125. cidr-len-ipv6: 64
  126. # how long to keep track of connections for
  127. duration: 10m
  128. # maximum number of connections, per subnet, within the given duration
  129. max-connections: 32
  130. # how long to ban offenders for, and the message to use
  131. # after banning them, the number of connections is reset (which lets you use UNDLINE to unban people)
  132. ban-duration: 10m
  133. ban-message: You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect.
  134. # IPs/networks which are exempted from connection limits
  135. exempted:
  136. - "localhost"
  137. # - "192.168.1.1"
  138. # - "2001:0db8::/32"
  139. # account options
  140. accounts:
  141. # account registration
  142. registration:
  143. # can users register new accounts?
  144. enabled: true
  145. # this is the bcrypt cost we'll use for account passwords
  146. bcrypt-cost: 12
  147. # length of time a user has to verify their account before it can be re-registered
  148. verify-timeout: "32h"
  149. # callbacks to allow
  150. enabled-callbacks:
  151. - none # no verification needed, will instantly register successfully
  152. # example configuration for sending verification emails via a local mail relay
  153. # callbacks:
  154. # mailto:
  155. # server: localhost
  156. # port: 25
  157. # tls:
  158. # enabled: false
  159. # username: ""
  160. # password: ""
  161. # sender: "admin@my.network"
  162. # is account authentication enabled?
  163. authentication-enabled: true
  164. # throttle account login attempts (to prevent either password guessing, or DoS
  165. # attacks on the server aimed at forcing repeated expensive bcrypt computations)
  166. login-throttling:
  167. enabled: true
  168. # window
  169. duration: 1m
  170. # number of attempts allowed within the window
  171. max-attempts: 3
  172. # some clients (notably Pidgin and Hexchat) offer only a single password field,
  173. # which makes it impossible to specify a separate server password (for the PASS
  174. # command) and SASL password. if this option is set to true, a client that
  175. # successfully authenticates with SASL will not be required to send
  176. # PASS as well, so it can be configured to authenticate with SASL only.
  177. skip-server-password: false
  178. # require-sasl controls whether clients are required to have accounts
  179. # (and sign into them using SASL) to connect to the server
  180. require-sasl:
  181. # if this is enabled, all clients must authenticate with SASL while connecting
  182. enabled: false
  183. # IPs/CIDRs which are exempted from the account requirement
  184. exempted:
  185. - "localhost"
  186. # - '127.0.0.2'
  187. # - '10.10.0.0/16'
  188. # nick-reservation controls how, and whether, nicknames are linked to accounts
  189. nick-reservation:
  190. # is there any enforcement of reserved nicknames?
  191. enabled: false
  192. # how many nicknames, in addition to the account name, can be reserved?
  193. additional-nick-limit: 2
  194. # method describes how nickname reservation is handled
  195. # already logged-in using SASL or NickServ
  196. # timeout: let the user change to the registered nickname, give them X seconds
  197. # to login and then rename them if they haven't done so
  198. # strict: don't let the user change to the registered nickname unless they're
  199. # already logged-in using SASL or NickServ
  200. # optional: no enforcement by default, but allow users to opt in to
  201. # the enforcement level of their choice
  202. method: timeout
  203. # allow users to set their own nickname enforcement status, e.g.,
  204. # to opt in to strict enforcement
  205. allow-custom-enforcement: true
  206. # rename-timeout - this is how long users have 'til they're renamed
  207. rename-timeout: 30s
  208. # rename-prefix - this is the prefix to use when renaming clients (e.g. Guest-AB54U31)
  209. rename-prefix: Guest-
  210. # vhosts controls the assignment of vhosts (strings displayed in place of the user's
  211. # hostname/IP) by the HostServ service
  212. vhosts:
  213. # are vhosts enabled at all?
  214. enabled: true
  215. # maximum length of a vhost
  216. max-length: 64
  217. # regexp for testing the validity of a vhost
  218. # (make sure any changes you make here are RFC-compliant)
  219. valid-regexp: '^[0-9A-Za-z.\-_/]+$'
  220. # options controlling users requesting vhosts:
  221. user-requests:
  222. # can users request vhosts at all? if this is false, operators with the
  223. # 'vhosts' capability can still assign vhosts manually
  224. enabled: false
  225. # if uncommented, all new vhost requests will be dumped into the given
  226. # channel, so opers can review them as they are sent in. ensure that you
  227. # have registered and restricted the channel appropriately before you
  228. # uncomment this.
  229. #channel: "#vhosts"
  230. # after a user's vhost has been approved or rejected, they need to wait
  231. # this long (starting from the time of their original request)
  232. # before they can request a new one.
  233. cooldown: 168h
  234. # channel options
  235. channels:
  236. # modes that are set when new channels are created
  237. # +n is no-external-messages and +t is op-only-topic
  238. # see /QUOTE HELP cmodes for more channel modes
  239. default-modes: +nt
  240. # how many channels can a client be in at once?
  241. max-channels-per-client: 100
  242. # channel registration - requires an account
  243. registration:
  244. # can users register new channels?
  245. enabled: true
  246. # how many channels can each account register?
  247. max-channels-per-account: 15
  248. # operator classes
  249. oper-classes:
  250. # local operator
  251. "local-oper":
  252. # title shown in WHOIS
  253. title: Local Operator
  254. # capability names
  255. capabilities:
  256. - "oper:local_kill"
  257. - "oper:local_ban"
  258. - "oper:local_unban"
  259. - "nofakelag"
  260. # network operator
  261. "network-oper":
  262. # title shown in WHOIS
  263. title: Network Operator
  264. # oper class this extends from
  265. extends: "local-oper"
  266. # capability names
  267. capabilities:
  268. - "oper:remote_kill"
  269. - "oper:remote_ban"
  270. - "oper:remote_unban"
  271. # server admin
  272. "server-admin":
  273. # title shown in WHOIS
  274. title: Server Admin
  275. # oper class this extends from
  276. extends: "local-oper"
  277. # capability names
  278. capabilities:
  279. - "oper:rehash"
  280. - "oper:die"
  281. - "accreg"
  282. - "sajoin"
  283. - "samode"
  284. - "vhosts"
  285. - "chanreg"
  286. # ircd operators
  287. opers:
  288. # operator named 'dan'
  289. dan:
  290. # which capabilities this oper has access to
  291. class: "server-admin"
  292. # custom whois line
  293. whois-line: is a cool dude
  294. # custom hostname
  295. vhost: "n"
  296. # modes are the modes to auto-set upon opering-up
  297. modes: +is acjknoqtux
  298. # password to login with /OPER command
  299. # generated using "oragono genpasswd"
  300. password: "$2a$04$LiytCxaY0lI.guDj2pBN4eLRD5cdM2OLDwqmGAgB6M2OPirbF5Jcu"
  301. # logging, takes inspiration from Insp
  302. logging:
  303. -
  304. # how to log these messages
  305. #
  306. # file log to given target filename
  307. # stdout log to stdout
  308. # stderr log to stderr
  309. # (you can specify multiple methods, e.g., to log to both stderr and a file)
  310. method: stderr
  311. # filename to log to, if file method is selected
  312. # filename: ircd.log
  313. # type(s) of logs to keep here. you can use - to exclude those types
  314. #
  315. # exclusions take precedent over inclusions, so if you exclude a type it will NEVER
  316. # be logged, even if you explicitly include it
  317. #
  318. # useful types include:
  319. # * everything (usually used with exclusing some types below)
  320. # server server startup, rehash, and shutdown events
  321. # accounts account registration and authentication
  322. # channels channel creation and operations
  323. # commands command calling and operations
  324. # opers oper actions, authentication, etc
  325. # services actions related to NickServ, ChanServ, etc.
  326. # internal unexpected runtime behavior, including potential bugs
  327. # userinput raw lines sent by users
  328. # useroutput raw lines sent to users
  329. type: "* -userinput -useroutput"
  330. # one of: debug info warn error
  331. level: info
  332. #-
  333. # # example of a file log that avoids logging IP addresses
  334. # method: file
  335. # filename: ircd.log
  336. # type: "* -userinput -useroutput -localconnect -localconnect-ip"
  337. # level: debug
  338. # debug options
  339. debug:
  340. # when enabled, oragono will attempt to recover from certain kinds of
  341. # client-triggered runtime errors that would normally crash the server.
  342. # this makes the server more resilient to DoS, but could result in incorrect
  343. # behavior. deployments that would prefer to "start from scratch", e.g., by
  344. # letting the process crash and auto-restarting it with systemd, can set
  345. # this to false.
  346. recover-from-errors: true
  347. # optionally expose a pprof http endpoint: https://golang.org/pkg/net/http/pprof/
  348. # it is strongly recommended that you don't expose this on a public interface;
  349. # if you need to access it remotely, you can use an SSH tunnel.
  350. # set to `null`, "", leave blank, or omit to disable
  351. # pprof-listener: "localhost:6060"
  352. # datastore configuration
  353. datastore:
  354. # path to the datastore
  355. path: ircd.db
  356. # if the database schema requires an upgrade, `autoupgrade` will attempt to
  357. # perform it automatically on startup. the database will be backed
  358. # up, and if the upgrade fails, the original database will be restored.
  359. autoupgrade: true
  360. # languages config
  361. languages:
  362. # whether to load languages
  363. enabled: true
  364. # default language to use for new clients
  365. # 'en' is the default English language in the code
  366. default: en
  367. # which directory contains our language files
  368. path: languages
  369. # limits - these need to be the same across the network
  370. limits:
  371. # nicklen is the max nick length allowed
  372. nicklen: 32
  373. # identlen is the max ident length allowed
  374. identlen: 20
  375. # channellen is the max channel length allowed
  376. channellen: 64
  377. # awaylen is the maximum length of an away message
  378. awaylen: 500
  379. # kicklen is the maximum length of a kick message
  380. kicklen: 1000
  381. # topiclen is the maximum length of a channel topic
  382. topiclen: 1000
  383. # maximum number of monitor entries a client can have
  384. monitor-entries: 100
  385. # whowas entries to store
  386. whowas-entries: 100
  387. # maximum length of channel lists (beI modes)
  388. chan-list-modes: 60
  389. # maximum length of IRC lines
  390. # this should generally be 1024-2048, and will only apply when negotiated by clients
  391. linelen:
  392. # ratified version of the message-tags cap fixes the max tag length at 8191 bytes
  393. # configurable length for the rest of the message:
  394. rest: 2048
  395. # fakelag: prevents clients from spamming commands too rapidly
  396. fakelag:
  397. # whether to enforce fakelag
  398. enabled: false
  399. # time unit for counting command rates
  400. window: 1s
  401. # clients can send this many commands without fakelag being imposed
  402. burst-limit: 5
  403. # once clients have exceeded their burst allowance, they can send only
  404. # this many commands per `window`:
  405. messages-per-window: 2
  406. # client status resets to the default state if they go this long without
  407. # sending any commands:
  408. cooldown: 2s
  409. # message history tracking, for the RESUME extension and possibly other uses in future
  410. history:
  411. # should we store messages for later playback?
  412. # the current implementation stores messages in RAM only; they do not persist
  413. # across server restarts. however, you should not enable this unless you understand
  414. # how it interacts with the GDPR and/or any data privacy laws that apply
  415. # in your country and the countries of your users.
  416. enabled: false
  417. # how many channel-specific events (messages, joins, parts) should be tracked per channel?
  418. channel-length: 256
  419. # how many direct messages and notices should be tracked per user?
  420. client-length: 64
  421. # number of messages to automatically play back on channel join (0 to disable):
  422. autoreplay-on-join: 0
  423. # maximum number of CHATHISTORY messages that can be
  424. # requested at once (0 disables support for CHATHISTORY)
  425. chathistory-maxmessages: 100