Kapisi/roles/IRC/templates/anope/modules.conf.j2

798 lines
20 KiB
Plaintext
Raw Permalink Normal View History

/*
* [OPTIONAL] Non-Core Modules
*
* The following blocks are used to load all non-core modules, including 3rd-party modules.
* Modules can be prevented from loading by commenting out the line, other modules can be added by
* adding a module block. These modules will be loaded prior to Services connecting to your network.
*
* Note that some of these modules are labeled EXTRA, and must be enabled prior to compiling by
* running the 'extras' script on Linux and UNIX.
*/
/*
* help
*
* Provides the command generic/help.
*
* This is a generic help command that can be used with any client.
*/
module { name = "help" }
/*
* m_ldap [EXTRA]
*
* This module allows other modules to use LDAP. By itself, this module does nothing useful.
*/
module
{
name = "m_ldap"
ldap
{
server = "ldap://127.0.0.1"
port = 389
/*
* Admin credentials used for performing searches and adding users.
*/
admin_binddn = "uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }}"
admin_password = "{{ secrets['Sora']['bindpassword'] }}"
}
}
/*
* m_ldap_authentication [EXTRA]
*
* This module allows many commands such as IDENTIFY, RELEASE, RECOVER, GHOST, etc. use
* LDAP to authenticate users. Requires m_ldap.
*/
module
{
name = "m_ldap_authentication"
/*
* The distinguished name used for searching for users's accounts.
*/
basedn = "{{ ldap['userou'] }},{{ ldap['orgdn'] }}"
/*
* The search filter used to look up users's accounts.
* %account is replaced with the user's account.
* %object_class is replaced with the object_class configured below.
*/
search_filter = "uid=%account"
/*
* The object class used by LDAP to store user account information.
* This is used for adding new users to LDAP if registration is allowed.
*/
object_class = "organizationalPerson"
/*
* The attribute value used for account names.
*/
username_attribute = "uid"
/*
* The attribute value used for email addresses.
* This directive is optional.
*/
email_attribute = "email"
/*
* The attribute value used for passwords.
* Used when registering new accounts in LDAP.
*/
password_attribute = "userPassword"
/*
* If set, the reason to give the users who try to register with nickserv,
* including nick registration from grouping.
*
* If not set, then registration is not blocked.
*/
#disable_register_reason = "To register on this network, contact a netadmin in #lobby. They will need to add an AniNIX/Sora LDAP account for you."
/*
* If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
* If not set, then email changing is not blocked.
*/
disable_email_reason = "Not allowed -- this network does not use email for account management."
}
/*
* m_dns
*
* Adds support for the DNS protocol. By itself this module does nothing useful,
* but other modules such as m_dnsbl and os_dns require this.
*/
#module
{
name = "m_dns"
/*
* The nameserver to use for resolving hostnames, must be an IP or a resolver configuration file.
* The below should work fine on all unix like systems. Windows users will have to find their nameservers
* from ipconfig /all and put the IP here.
*/
nameserver = "/etc/resolv.conf"
#nameserver = "127.0.0.1"
/*
* How long to wait in seconds before a DNS query has timed out.
*/
timeout = 5
/* Only edit below if you are expecting to use os_dns or otherwise answer DNS queries. */
/*
* The IP and port services use to listen for DNS queries.
* Note that ports less than 1024 are privileged on UNIX/Linux systems, and
* require Anope to be started as root. If you do this, it is recommended you
* set options:user and options:group so Anope can change users after binding
* to this port.
*/
ip = "0.0.0.0"
port = 53
/*
* SOA record information.
*/
/* E-mail address of the DNS administrator. */
admin = "admin@example.com"
/* This should be the names of the public facing nameservers serving the records. */
nameservers = "ns1.example.com ns2.example.com"
/* The time slave servers are allowed to cache. This should be reasonably low
* if you want your records to be updated without much delay.
*/
refresh = 3600
/* A notify block. There should probably be one per nameserver listed in 'nameservers'.
*/
notify
{
ip = "192.0.2.0"
port = 53
}
}
/*
* m_dnsbl
*
* Allows configurable DNS blacklists to check connecting users against. If a user
* is found on the blacklist they will be immediately banned. This is a crucial module
* to prevent bot attacks.
*/
#module
{
name = "m_dnsbl"
/*
* If set, Services will check clients against the DNSBLs when services connect to its uplink.
* This is not recommended, and on large networks will open a very large amount of DNS queries.
* Whilst services are not drastically affected by this, your nameserver/DNSBL might care.
*/
check_on_connect = no
/*
* If set, Services will check clients when coming back from a netsplit. This can cause a large number
* of DNS queries open at once. Whilst services are not drastically affected by this, your nameserver/DNSBL
* might care.
*/
check_on_netburst = no
/*
* If set, OperServ will add clients found in the DNSBL to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots.
*/
add_to_akill = yes
blacklist
{
/* Name of the blacklist. */
name = "rbl.efnetrbl.org"
/* How long to set the ban for. */
time = 4h
/* Reason for akill.
* %n is the nick of the user
* %u is the ident/username of the user
* %g is the realname of the user
* %h is the hostname of the user
* %i is the IP of the user
* %r is the reply reason (configured below). Will be nothing if not configured.
* %N is the network name set in networkinfo:networkname
*/
reason = "You are listed in the efnet RBL, visit http://rbl.efnetrbl.org/?i=%i for info"
/* Replies to ban and their reason. If no relies are configured, all replies get banned. */
reply
{
code = 1
reason = "Open Proxy"
}
#reply
{
code = 2
reason = "spamtrap666"
}
#reply
{
code = 3
reason = "spamtrap50"
}
reply
{
code = 4
reason = "TOR"
/*
* If set, users identified to services at the time the result comes back
* will not be banned.
*/
#allow_account = yes
}
reply
{
code = 5
reason = "Drones / Flooding"
}
}
#blacklist
{
name = "dnsbl.dronebl.org"
time = 4h
reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=%N"
}
/* Exempt localhost from DNSBL checks */
exempt { ip = "127.0.0.1" }
}
/*
* m_helpchan
*
* Gives users who are op in the specified help channel usermode +h (helpop).
*/
#module
{
name = "m_helpchan"
helpchannel = "#help"
}
/*
* m_httpd
*
* Allows services to serve web pages. By itself, this module does nothing useful.
*
* Note that using this will allow users to get the IP of your services.
* To prevent this we recommend using a reverse proxy or a tunnel.
*/
#module
{
name = "m_httpd"
httpd
{
/* Name of this service. */
name = "httpd/main"
/* IP to listen on. */
ip = "0.0.0.0"
/* Port to listen on. */
port = 8080
/* Time before connections to this server are timed out. */
timeout = 30
/* Listen using SSL. Requires an SSL module. */
#ssl = yes
/* If you are using a reverse proxy that sends one of the
* extforward_headers set below, set this to its IP.
* This allows services to obtain the real IP of users by
* reading the forwarded-for HTTP header.
*/
#extforward_ip = "192.168.0.255"
/* The header to look for. These probably work as is. */
extforward_header = "X-Forwarded-For Forwarded-For"
}
}
/*
* m_ldap_oper [EXTRA]
*
* This module dynamically ties users to Anope opertypes when they identify
* via LDAP group membership. Requires m_ldap.
*
* Note that this doesn't give the user privileges on the IRCd, only in Services.
*/
#module
{
name = "m_ldap_oper"
/*
* An optional binddn to use when searching for groups.
* %a is replaced with the account name of the user.
*/
#binddn = "cn=Manager,dc=anope,dc=org"
/*
* An optional password to bind with.
*/
#password = "secret"
/*
* The base DN where the groups are.
*/
basedn = "ou=groups,dc=anope,dc=org"
/*
* The filter to use when searching for users.
* %a is replaced with the account name of the user.
*/
filter = "(member=uid=%a,ou=users,dc=anope,dc=org)"
/*
* The attribute of the group that is the name of the opertype.
* The cn attribute should match a known opertype in the config.
*/
opertype_attribute = "cn"
}
/*
* m_mysql [EXTRA]
*
* This module allows other modules to use MySQL.
*/
#module
{
name = "m_mysql"
mysql
{
/* The name of this service. */
name = "mysql/main"
database = "anope"
server = "127.0.0.1"
username = "anope"
password =
port = 3306
}
}
/*
* m_redis
*
* This module allows other modules to use Redis.
*/
#module
{
name = "m_redis"
/* A redis database */
redis
{
/* The name of this service */
name = "redis/main"
/*
* The redis database to use. New connections default to 0.
*/
db = 0
ip = "127.0.0.1"
port = 6379
}
}
/*
* m_regex_pcre [EXTRA]
*
* Provides the regex engine regex/pcre, which uses the Perl Compatible Regular Expressions library.
*/
#module { name = "m_regex_pcre" }
/*
* m_regex_posix [EXTRA]
*
* Provides the regex engine regex/posix, which uses the POSIX compliant regular expressions.
* This is likely the only regex module you will not need extra libraries for.
*/
#module { name = "m_regex_posix" }
/*
* m_regex_tre [EXTRA]
*
* Provides the regex engine regex/tre, which uses the TRE regex library.
*/
#module { name = "m_regex_tre" }
/*
* m_rewrite
*
* Allows rewriting commands sent to/from clients.
*/
#module { name = "m_rewrite" }
#command
{
service = "ChanServ"; name = "CLEAR"; command = "rewrite"
/* Enable m_rewrite. */
rewrite = true
/* Source message to match. A $ can be used to match anything. */
rewrite_source = "CLEAR $ USERS"
/*
* Message to rewrite the source message to. A $ followed by a number, eg $0, gets
* replaced by the number-th word from the source_message, starting from 0.
*/
rewrite_target = "KICK $1 *"
/*
* The command description. This only shows up in HELP's output.
* Comment this option to prevent the command from showing in the
* HELP command.
*/
rewrite_description = "Clears all users from a channel"
}
/*
* m_proxyscan
*
* This module allows you to scan connecting clients for open proxies.
* Note that using this will allow users to get the IP of your services.
*
* Currently the two supported proxy types are HTTP and SOCKS5.
*
* The proxy scanner works by attempting to connect to clients when they
* connect to the network, and if they have a proxy running instruct it to connect
* back to services. If services are able to connect through the proxy to itself
* then it knows it is an insecure proxy, and will ban it.
*/
#module
{
name = "m_proxyscan"
/*
* The target IP services tells the proxy to connect back to. This must be a publicly
* available IP that remote proxies can connect to.
*/
#target_ip = "127.0.0.1"
/*
* The port services tells the proxy to connect to.
*/
target_port = 7226
/*
* The listen IP services listen on for incoming connections from suspected proxies.
* This probably will be the same as target_ip, but may not be if you are behind a firewall (NAT).
*/
#listen_ip = "127.0.0.1"
/*
* The port services should listen on for incoming connections from suspected proxies.
* This most likely will be the same as target_port.
*/
listen_port = 7226
/*
* An optional notice sent to clients upon connect.
*/
#connect_notice = "We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately."
/*
* Who the notice should be sent from.
*/
#connect_source = "OperServ"
/*
* If set, OperServ will add infected clients to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being filled up by bots.
*/
add_to_akill = yes
/*
* How long before connections should be timed out.
*/
timeout = 5
proxyscan
{
/* The type of proxy to check for. A comma separated list is allowed. */
type = "HTTP"
/* The ports to check. */
port = "80,8080"
/* How long to set the ban for. */
time = 4h
/*
* The reason to ban the user for.
* %h is replaced with the type of proxy found.
* %i is replaced with the IP of proxy found.
* %p is replaced with the port.
*/
reason = "You have an open proxy running on your host (%t:%i:%p)"
}
}
/*
* m_sasl
*
* Some IRCds allow "SASL" authentication to let users identify to Services
* during the IRCd user registration process. If this module is loaded, Services will allow
* authenticating users through this mechanism. Supported mechanisms are:
* PLAIN, EXTERNAL.
*/
module { name = "m_sasl" }
/*
* m_sasl_dh-aes [EXTRA]
*
* Add the DH-AES mechanism to SASL.
* Requires m_sasl to be loaded.
* Requires openssl.
*/
#module { name = "m_sasl_dh-aes" }
/*
* m_sasl_dh-blowfish [EXTRA]
*
* Add the DH-BLOWFISH mechanism to SASL.
* Requires m_sasl to be loaded.
* Requires openssl.
*/
#module { name = "m_sasl_dh-blowfish" }
/*
* m_ssl_gnutls [EXTRA]
*
* This module provides SSL services to Anope using GnuTLS, for example to
* connect to the uplink server(s) via SSL.
*
* You may only load either m_ssl_gnutls or m_ssl_openssl, bot not both.
*/
#module
{
name = "m_ssl_gnutls"
/*
* An optional certificate and key for m_ssl_gnutls to give to the uplink.
*
* You can generate your own certificate and key pair by using:
*
* certtool --generate-privkey --bits 2048 --outfile anope.key
* certtool --generate-self-signed --load-privkey anope.key --outfile anope.crt
*
*/
cert = "data/anope.crt"
key = "data/anope.key"
/*
* Diffie-Hellman parameters to use when acting as a server. This is only
* required for TLS servers that want to use ephemeral DH cipher suites.
*
* This is NOT required for Anope to connect to the uplink server(s) via SSL.
*
* You can generate DH parameters by using:
*
* certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
*
*/
# dhparams = "data/dhparams.pem"
}
/*
* m_ssl_openssl [EXTRA]
*
* This module provides SSL services to Anope using OpenSSL, for example to
* connect to the uplink server(s) via SSL.
*
* You may only load either m_ssl_openssl or m_ssl_gnutls, bot not both.
*
*/
#module
{
name = "m_ssl_openssl"
/*
* An optional certificate and key for m_ssl_openssl to give to the uplink.
*
* You can generate your own certificate and key pair by using:
*
* openssl genrsa -out anope.key 2048
* openssl req -new -x509 -key anope.key -out anope.crt -days 1095
*/
cert = "data/anope.crt"
key = "data/anope.key"
/*
* As of 2014 SSL 3.0 is considered insecure, but it might be enabled
* on some systems by default for compatibility reasons.
* You can use the following option to enable or disable it explicitly.
* Leaving this option not set defaults to the default system behavior.
*/
sslv3 = no
}
/*
* m_sql_authentication [EXTRA]
*
* This module allows authenticating users against an external SQL database using a custom
* query.
*/
#module
{
name = "m_sql_authentication"
/* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
engine = "mysql/main"
/* Query to execute to authenticate. A non empty result from this query is considered a success,
* and the user will be authenticated.
*
* @a@ is replaced with the user's account name
* @p@ is replaced with the user's password
* @n@ is replaced with the user's nickname
* @i@ is replaced with the user's IP
*
* Note that @n@ and @i@ may not always exist in the case of a user identifying outside of the normal
* nickserv/identify command, such as through the web panel.
*
* Furthermore, if a field named email is returned from this query the user's email is
* set to its value.
*
*
* We've included some example queries for some popular website/forum systems.
*
* Drupal 6: "SELECT `mail` AS `email` FROM `users` WHERE `name` = @a@ AND `pass` = MD5(@p@) AND `status` = 1"
* e107 cms: "SELECT `user_email` AS `email` FROM `e107_user` WHERE `user_loginname` = @a@ AND `user_password` = MD5(@p@)"
* SMF Forum: "SELECT `email_address` AS `email` FROM `smf_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))"
* vBulletin: "SELECT `email` FROM `user` WHERE `username` = @a@ AND `password` = MD5(CONCAT(MD5(@p@), `salt`))"
* IP.Board: "SELECT `email` FROM `ibf_members` WHERE `name` = @a@ AND `members_pass_hash` = MD5(CONCAT(MD5(`members_pass_salt`), MD5(@p@)))"
*/
query = "SELECT `email_addr` AS `email` FROM `my_users` WHERE `username` = @a@ AND `password` = MD5(CONCAT('salt', @p@))"
/*
* If set, the reason to give the users who try to "/msg NickServ REGISTER".
* If not set, then registration is not blocked.
*/
#disable_reason = "To register on this network visit http://some.misconfigured.site/register"
/*
* If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
* If not set, then email changing is not blocked.
*/
#disable_email_reason = "To change your email address visit http://some.misconfigured.site"
}
/*
* m_sql_log [EXTRA]
*
* This module adds an additional target option to log{} blocks
* that allows logging Service's logs to SQL. To log to SQL, add
* the SQL service name to log:targets prefixed by sql_log:. For
* example:
*
* log
* {
* targets = "services.log sql_log:mysql/main"
* ...
* }
*
* By default this module logs to the table `logs`, and will create
* it if it doesn't exist. This module does not create any indexes (keys)
* on the table and it is recommended you add them yourself as necessary.
*/
#module { name = "m_sql_log" }
/*
* m_sql_oper [EXTRA]
*
* This module allows granting users services operator privileges and possibly IRC Operator
* privileges based on an external SQL database using a custom query.
*/
#module
{
name = "m_sql_oper"
/* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
engine = "mysql/main"
/* Query to execute to determine if a user should have operator privileges.
* A field named opertype must be returned in order to link the user to their oper type.
* The oper types must be configured earlier in services.conf.
*
* If a field named modes is returned from this query then those modes are set on the user.
* Without this, only a simple +o is sent.
*
* @a@ is replaced with the user's account name
* @i@ is replaced with the user's IP
*/
query = "SELECT `opertype` FROM `my_users` WHERE `user_name` = @a@"
}
/*
* m_sqlite [EXTRA]
*
* This module allows other modules to use SQLite.
*/
#module
{
name = "m_sqlite"
/* A SQLite database */
sqlite
{
/* The name of this service. */
name = "sqlite/main"
/* The database name, it will be created if it does not exist. */
database = "anope.db"
}
}
/*
* webcpanel
*
* This module creates a web configuration panel that allows users and operators to perform any task
* as they could over IRC. If you are using the default configuration you should be able to access
* this panel by visiting http://127.0.0.1:8080 in your web browser from the machine Anope is running on.
*
* This module requires m_httpd.
*/
#module
{
name = "webcpanel"
/* Web server to use. */
server = "httpd/main";
/* Template to use. */
template = "default";
/* Page title. */
title = "Anope IRC Services";
}
/*
* m_xmlrpc
*
* Allows remote applications (websites) to execute queries in real time to retrieve data from Anope.
* By itself this module does nothing, but allows other modules (m_xmlrpc_main) to receive and send XMLRPC queries.
*/
#module
{
name = "m_xmlrpc"
/* Web service to use. Requires m_httpd. */
server = "httpd/main"
}
/*
* m_xmlrpc_main
*
* Adds the main XMLRPC core functions.
* Requires m_xmlrpc.
*/
#module { name = "m_xmlrpc_main" }