From f04fc7f5d1ec6165a0f505ff900a4618793e5ccc Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Wed, 6 May 2015 13:48:16 +0300
Subject: [PATCH] Merge atheme and charybdis modules from parameterize
---
 atheme/manifests/init.pp | 121 ++
 atheme/templates/atheme.conf.erb | 1756 +++++++++++++++++++++++++++++
 charybdis/manifests/init.pp | 134 +++
 charybdis/templates/ircd.conf.erb | 435 +++++++
 4 files changed, 2446 insertions(+)
 create mode 100644 atheme/manifests/init.pp
 create mode 100644 atheme/templates/atheme.conf.erb
 create mode 100644 charybdis/manifests/init.pp
 create mode 100644 charybdis/templates/ircd.conf.erb
diff --git a/atheme/manifests/init.pp b/atheme/manifests/init.pp
new file mode 100644
index 0000000..f588c11
--- /dev/null
+++ b/atheme/manifests/init.pp
@@ -0,0 +1,121 @@
+# Use default values from charybdis if defined.
+#
+class atheme::params {
+
+ if $::charybdis::services_name {
+ $services_name = $::charybdis::services_name
+ } else {
+ $services_name = 'ircservices.localdomain'
+ }
+
+ if $::charybdis::network_name {
+ $network_name = $::charybdis::network_name
+ } else {
+ $network_name = 'IRC Network'
+ }
+
+ if $::charybdis::admin_name {
+ $admin_name = $::charybdis::admin_name
+ } else {
+ $admin_name = 'Administrator'
+ }
+
+ if $::charybdis::admin_email {
+ $admin_email = $::charybdis::admin_email
+ } else {
+ $admin_email = 'root@localhost'
+ }
+
+ if $::charybdis::server_name {
+ $uplink_name = $::charybdis::server_name
+ } else {
+ $uplink_name = undef
+ }
+
+ if $::charybdis::port {
+ $uplink_port = $::charybdis::port
+ } else {
+ $uplink_port = '6667'
+ }
+
+ if $::charybdis::services_password {
+ $uplink_password = $::charybdis::services_password
+ } else {
+ $uplink_password = undef
+ }
+
+}
+
+# Install Atheme IRC services.
+#
+class atheme(
+ $sid='00B',
+ $services_name=$atheme::params::services_name,
+ $services_description='Atheme IRC Services',
+ $network_name=$atheme::params::network_name,
+ $admin_name=$atheme::params::admin_name,
+ $admin_email=$atheme::params::admin_email,
+ $hidehostsuffix='hiddendomain',
+ $uplink_name=$atheme::params::uplink_name,
+ $uplink_port=$atheme::params::uplink_port,
+ $uplink_password=$atheme::params::uplink_password,
+ $operators=[],
+) inherits atheme::params {
+
+ case $::operatingsystem {
+ 'ubuntu': { }
+ default: {
+ fail("atheme not supported on ${::operatingsystem}")
+ }
+ }
+
+ if ! $uplink_name {
+ fail('Must define $uplink_name')
+ }
+
+ if ! $uplink_password {
+ fail('Must define $uplink_password')
+ }
+
+ package { 'atheme-services':
+ ensure => installed,
+ }
+
+ file { '/etc/atheme/atheme.conf':
+ ensure => present,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ content => template('atheme/atheme.conf.erb'),
+ require => Package['atheme-services'],
+ notify => Service['atheme-services'],
+ }
+
+ augeas { 'atheme-enable':
+ context => '/files/etc/default/atheme-services',
+ changes => 'set ENABLED 1',
+ notify => Service['atheme-services'],
+ }
+
+ service { 'atheme-services':
+ ensure => running,
+ enable => true,
+ hasstatus => false,
+ }
+
+ file { '/var/log/atheme':
+ ensure => directory,
+ mode => '0640',
+ owner => 'irc',
+ group => 'irc',
+ recurse => true,
+ require => Service['atheme-services'],
+ }
+
+ if defined(Service['charybdis']) {
+ Service['atheme-services'] {
+ require => Service['charybdis'],
+ }
+ }
+
+}
diff --git a/atheme/templates/atheme.conf.erb b/atheme/templates/atheme.conf.erb
new file mode 100644
index 0000000..5b380db
--- /dev/null
+++ b/atheme/templates/atheme.conf.erb
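Review bot: The `file { '/etc/atheme/atheme.conf': }` resource is created with `mode => '0644'` and root:root ownership, yet the template it renders writes the link secret into that file (`password = "<%= @uplink_password %>";` in the uplink block of atheme.conf.erb), so every local account on the host can read the password that links services to the ircd. Tighten the resource to `mode => '0640',` with `group => 'irc',`; the `irc` group is inferred from the ownership this same class gives `/var/log/atheme`, so confirm which account the packaged daemon runs as before applying it. Because `$uplink_password` defaults from `$::charybdis::services_password`, the exposed value is presumably the same credential the ircd accepts, which widens the impact of a leak. Puppet also logs content diffs when this file changes, so adding `show_diff => false,` to the resource (where the Puppet version in use supports that attribute) keeps the password out of agent logs and reports. A one-line comment above the resource stating that the file holds a secret would help keep the mode from being loosened later.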
@@ -0,0 +1,1756 @@ +/* This is an example configuration for Services. + * + * All statements end in semi-colons (';'). + * Shell style, C style, and C++ style comments may be used. + * + * Items marked with "(*)" are reconfigurable at runtime via REHASH. + */ + +/****************************************************************************** + * MODULES SECTION. * + ******************************************************************************/ + +/* + * These are the modules included with the core distribution of Services. + * + * You may be interested in the atheme community modules distribution as + * well, which adds additional features that may or may not be compatible + * with the project paradigms intended for maintainance of the core of + * atheme-services. + * + * Visit the atheme-services website for more information and to download them. + * + * Modules marked [experimental] will taint your atheme-services instance. Do + * not file any bug reports with us about using Services with those modules; + * they will be ignored. + */ + +/* Protocol module. + * + * Please select a protocol module. Different servers use different protocols. + * Below is a listing of ircd's known to work with the various protocol modules + * available. 
+ * + * Asuka 1.2.1 or later modules/protocol/asuka + * Bahamut 1.8.x modules/protocol/bahamut + * Beware IRCd (bircd) modules/protocol/bircd + * Charybdis IRCd modules/protocol/charybdis + * DreamForge 4.6.7 or later modules/protocol/dreamforge + * Hybrid 7.1.2 and later modules/protocol/hybrid + * ircd-ratbox 2.0 and later modules/protocol/ratbox + * IRCNet ircd (ircd 2.11) modules/protocol/ircnet + * ircd-seven modules/protocol/ircd-seven + * ircu 2.10.11.07 or later modules/protocol/undernet + * InspIRCd 1.2 or later modules/protocol/inspircd12 + * Nefarious IRCu 0.4.0 or later modules/protocol/nefarious + * PleXusIRCd 3.x modules/protocol/plexus + * PTlink IRCd modules/protocol/ptlink + * ShadowIRCd 5.0 or later modules/protocol/shadowircd + * UnrealIRCd 3.1/3.2 modules/protocol/unreal + * + * If your IRCd vendor has supplied a module file, build it and load it here + * instead of one above. + */ +loadmodule "modules/protocol/charybdis"; + +/* Protocol mixins. + * + * These should be used if you do not have/want certain features on your + * network that your ircd normally has. If you do not know what this means, + * you do not need any of them. + * + * Disable halfops modules/protocol/mixin_nohalfops + * Disable holdnick (use enforcer clients) modules/protocol/mixin_noholdnick + * Disable "protect" mode on channels modules/protocol/mixin_noprotect + * Disable "owner" mode on channels modules/protocol/mixin_noowner + */ +#loadmodule "modules/protocol/mixin_nohalfops"; +#loadmodule "modules/protocol/mixin_noholdnick"; +#loadmodule "modules/protocol/mixin_noprotect"; +#loadmodule "modules/protocol/mixin_noowner"; + +/* Database backend module. + * + * Please select a database backend module. Different backends allow for + * different ways in which the services data can be manipulated. YOU MAY + * ONLY HAVE ONE OF THESE BACKENDS LOADED. 
+ * + * The following backends are available: + * + * Atheme 0.1 flatfile database format modules/backend/flatfile + * Open Services Exchange database format modules/backend/opensex + * + * Most networks will want opensex. + */ +loadmodule "modules/backend/opensex"; + +/* Crypto module. + * + * If you would like encryption for your services passwords, please + * select a module here. Note that upon starting with a crypto module + * YOUR PASSWORDS ARE IMMEDIATELY AND IRREVERSIBLY CONVERTED. Make at + * least TWO backups of your database before experimenting with this. + * If you have several thousand accounts, this conversion may take + * appreciable time. + * + * The following crypto modules are available: + * + * POSIX-style crypt(3) modules/crypto/posix + * IRCServices (also Anope etc) compatibility modules/crypto/ircservices + * SorceryNet services compatibility modules/crypto/sorservices + * Raw MD5 (Anope compatibility) modules/crypto/rawmd5 + * Raw SHA1 (Anope compatibility) modules/crypto/rawsha1 + * + * The ircservices, sorservices, rawmd5 and rawsha1 modules are only + * recommended for use with a database converted from other services with + * password encryption. + * + * The rawsha1 module requires OpenSSL. + */ +loadmodule "modules/crypto/posix"; + +/* Authentication module. + * + * These allow using passwords from an external system. The password given + * when registering a new account is also checked against the external + * system. + * + * The following authentication modules are available: + * + * LDAP modules/auth/ldap + * + * The LDAP module requires OpenLDAP client libraries. It uses them in a + * synchronous manner, which means that an unresponsive LDAP server can + * freeze services. + */ +#loadmodule "modules/auth/ldap"; + +/* NickServ modules. + * + * Here you can disable or enable certain features of NickServ, by + * defining which modules are loaded. You can even disable NickServ + * entirely. 
Please note however, that an authentication service + * (either NickServ, or UserServ) are required for proper functionality. + * + * The CrackLib password validation module requires CrackLib to be + * installed on your system in order to use. + * + * Core components modules/nickserv/main + * Nickname access lists modules/nickserv/access + * Bad email address blocking modules/nickserv/badmail + * CertFP fingerprint managment modules/nickserv/cert + * CrackLib password validation modules/nickserv/cracklib + * DROP command modules/nickserv/drop + * Nickname enforcement modules/nickserv/enforce + * GHOST command modules/nickserv/ghost + * GROUP and UNGROUP commands modules/nickserv/group + * HELP command modules/nickserv/help + * Nickname expiry override (HOLD command) modules/nickserv/hold + * IDENTIFY command modules/nickserv/identify + * INFO command modules/nickserv/info + * LIST command modules/nickserv/list + * LISTMAIL command modules/nickserv/listmail + * LISTOWNMAIL command modules/nickserv/listownmail + * LOGIN command (for no_nick_ownership) modules/nickserv/login + * LOGOUT command modules/nickserv/logout + * MARK command modules/nickserv/mark + * FREEZE command modules/nickserv/freeze + * LISTCHANS command modules/nickserv/listchans + * REGISTER command modules/nickserv/register + * Bypass registration limits (REGNOLIMIT) modules/nickserv/regnolimit + * Password reset (RESETPASS command) modules/nickserv/resetpass + * Password return (RETURN command) modules/nickserv/return + * Password retrieval (SENDPASS command) modules/nickserv/sendpass + * Password retrieval allowed to normal users modules/nickserv/sendpass_user + * SET command (required for SET commands below) modules/nickserv/set_core + * Change primary nickname (SET ACCOUNTNAME) modules/nickserv/set_accountname + * SET EMAIL command modules/nickserv/set_email + * SET EMAILMEMOS command modules/nickserv/set_emailmemos + * SET ENFORCETIME command modules/nickserv/set_enforcetime + * SET HIDEMAIL 
command modules/nickserv/set_hidemail + * SET LANGUAGE command modules/nickserv/set_language + * SET NEVEROP command modules/nickserv/set_neverop + * SET NOMEMO command modules/nickserv/set_nomemo + * SET NOOP command modules/nickserv/set_noop + * SET PASSWORD command modules/nickserv/set_password + * PRIVMSG instead of NOTICE (SET PRIVMSG cmd) modules/nickserv/set_privmsg + * Account info hiding (SET PRIVATE command) modules/nickserv/set_private + * SET PROPERTY command modules/nickserv/set_property + * SET QUIETCHG command modules/nickserv/set_quietchg + * Password retrieval uses code (SETPASS cmd) modules/nickserv/setpass + * Presence notifications (EXPERIMENTAL) modules/nickserv/subscribe + * STATUS command modules/nickserv/status + * Nickname metadata viewer (TAXONOMY command) modules/nickserv/taxonomy + * VACATION command modules/nickserv/vacation + * VERIFY command modules/nickserv/verify + * VHOST command modules/nickserv/vhost + */ +loadmodule "modules/nickserv/main"; +#loadmodule "modules/nickserv/access"; +loadmodule "modules/nickserv/badmail"; +#loadmodule "modules/nickserv/cert"; +#loadmodule "modules/nickserv/cracklib"; +loadmodule "modules/nickserv/drop"; +#loadmodule "modules/nickserv/enforce"; +loadmodule "modules/nickserv/ghost"; +loadmodule "modules/nickserv/group"; +loadmodule "modules/nickserv/help"; +loadmodule "modules/nickserv/hold"; +loadmodule "modules/nickserv/identify"; +loadmodule "modules/nickserv/info"; +loadmodule "modules/nickserv/list"; +loadmodule "modules/nickserv/listmail"; +#loadmodule "modules/nickserv/listownmail"; +#loadmodule "modules/nickserv/login"; +loadmodule "modules/nickserv/logout"; +loadmodule "modules/nickserv/mark"; +loadmodule "modules/nickserv/freeze"; +loadmodule "modules/nickserv/listchans"; +loadmodule "modules/nickserv/register"; +loadmodule "modules/nickserv/regnolimit"; +loadmodule "modules/nickserv/resetpass"; +loadmodule "modules/nickserv/return"; +loadmodule "modules/nickserv/setpass"; +#loadmodule 
"modules/nickserv/sendpass"; +loadmodule "modules/nickserv/sendpass_user"; +loadmodule "modules/nickserv/set_core"; +loadmodule "modules/nickserv/set_accountname"; +loadmodule "modules/nickserv/set_email"; +loadmodule "modules/nickserv/set_emailmemos"; +#loadmodule "modules/nickserv/set_enforcetime"; +loadmodule "modules/nickserv/set_hidemail"; +loadmodule "modules/nickserv/set_language"; +loadmodule "modules/nickserv/set_neverop"; +loadmodule "modules/nickserv/set_nomemo"; +loadmodule "modules/nickserv/set_noop"; +loadmodule "modules/nickserv/set_password"; +#loadmodule "modules/nickserv/set_privmsg"; +#loadmodule "modules/nickserv/set_private"; +loadmodule "modules/nickserv/set_property"; +loadmodule "modules/nickserv/set_quietchg"; +#loadmodule "modules/nickserv/subscribe"; +loadmodule "modules/nickserv/status"; +loadmodule "modules/nickserv/taxonomy"; +loadmodule "modules/nickserv/vacation"; +loadmodule "modules/nickserv/verify"; +loadmodule "modules/nickserv/vhost"; + +/* ChanServ modules. + * + * Here you can disable or enable certain features of ChanServ, by + * defining which modules are loaded. You can even disable ChanServ + * entirely. Please note that ChanServ requires an authentication + * service, either NickServ or UserServ will do. 
+ * + * Core components modules/chanserv/main + * ACCESS command (simplified ACL editing) modules/chanserv/access + * AKICK command modules/chanserv/akick + * BAN/UNBAN commands modules/chanserv/ban + * UNBAN self only (load ban or this not both) modules/chanserv/unban_self + * CLOSE command modules/chanserv/close + * CLEAR command modules/chanserv/clear + * CLEAR BANS command modules/chanserv/clear_bans + * CLEAR FLAGS command modules/chanserv/clear_flags + * CLEAR USERS command modules/chanserv/clear_users + * COUNT command modules/chanserv/count + * DROP command modules/chanserv/drop + * Forced flags changes modules/chanserv/fflags + * FLAGS command modules/chanserv/flags + * Forced foundership transfers modules/chanserv/ftransfer + * GETKEY command modules/chanserv/getkey + * HALFOP/DEHALFOP commands modules/chanserv/halfop + * HELP command modules/chanserv/help + * Channel expiry override (HOLD command) modules/chanserv/hold + * INFO command modules/chanserv/info + * INVITE command modules/chanserv/invite + * KICK/KICKBAN commands modules/chanserv/kick + * LIST command modules/chanserv/list + * MARK command modules/chanserv/mark + * OP/DEOP commands modules/chanserv/op + * OWNER/DEOWNER commands modules/chanserv/owner + * PROTECT/DEPROTECT commands modules/chanserv/protect + * QUIET command (+q support) modules/chanserv/quiet + * Channel takeover recovery (RECOVER command) modules/chanserv/recover + * REGISTER command modules/chanserv/register + * SET command (required for SET commands) modules/chanserv/set_core + * SET EMAIL command modules/chanserv/set_email + * SET ENTRYMSG command modules/chanserv/set_entrymsg + * SET FANTASY command modules/chanserv/set_fantasy + * SET FOUNDER command modules/chanserv/set_founder + * SET GAMESERV command modules/chanserv/set_gameserv + * SET GUARD command modules/chanserv/set_guard + * SET KEEPTOPIC command modules/chanserv/set_keeptopic + * SET LIMITFLAGS command modules/chanserv/set_limitflags + * SET MLOCK command 
modules/chanserv/set_mlock + * SET PREFIX command modules/chanserv/set_prefix + * Channel info hiding (SET PRIVATE command) modules/chanserv/set_private + * SET PROPERTY command modules/chanserv/set_property + * SET RESTRICTED command modules/chanserv/set_restricted + * SET SECURE command modules/chanserv/set_secure + * SET TOPICLOCK command modules/chanserv/set_topiclock + * SET URL command modules/chanserv/set_url + * SET VERBOSE command modules/chanserv/set_verbose + * STATUS command modules/chanserv/status + * Named Successor ACL flag modules/chanserv/successor_acl + * Channel metadata viewer (TAXONOMY command) modules/chanserv/taxonomy + * TEMPLATE command modules/chanserv/template + * TOPIC/TOPICAPPEND commands modules/chanserv/topic + * VOICE/DEVOICE commands modules/chanserv/voice + * WHY command modules/chanserv/why + * VOP/HOP/AOP/SOP commands modules/chanserv/xop + * This module provides emulation of the ircservices XOP scheme ONLY. + * Do not report discrepencies when using native commands to edit channel + * ACLs. This is intentional. 
+ */ +loadmodule "modules/chanserv/main"; +loadmodule "modules/chanserv/access"; +loadmodule "modules/chanserv/akick"; +loadmodule "modules/chanserv/ban"; +#loadmodule "modules/chanserv/unban_self"; +loadmodule "modules/chanserv/close"; +loadmodule "modules/chanserv/clear"; +loadmodule "modules/chanserv/clear_bans"; +loadmodule "modules/chanserv/clear_flags"; +loadmodule "modules/chanserv/clear_users"; +loadmodule "modules/chanserv/count"; +loadmodule "modules/chanserv/drop"; +#loadmodule "modules/chanserv/fflags"; +loadmodule "modules/chanserv/flags"; +loadmodule "modules/chanserv/ftransfer"; +loadmodule "modules/chanserv/getkey"; +#loadmodule "modules/chanserv/halfop"; +loadmodule "modules/chanserv/help"; +loadmodule "modules/chanserv/hold"; +loadmodule "modules/chanserv/info"; +loadmodule "modules/chanserv/invite"; +loadmodule "modules/chanserv/kick"; +loadmodule "modules/chanserv/list"; +loadmodule "modules/chanserv/mark"; +loadmodule "modules/chanserv/op"; +#loadmodule "modules/chanserv/owner"; +#loadmodule "modules/chanserv/protect"; +#loadmodule "modules/chanserv/quiet"; +loadmodule "modules/chanserv/recover"; +loadmodule "modules/chanserv/register"; +loadmodule "modules/chanserv/set_core"; +loadmodule "modules/chanserv/set_email"; +loadmodule "modules/chanserv/set_entrymsg"; +loadmodule "modules/chanserv/set_fantasy"; +loadmodule "modules/chanserv/set_founder"; +#loadmodule "modules/chanserv/set_gameserv"; +loadmodule "modules/chanserv/set_guard"; +loadmodule "modules/chanserv/set_keeptopic"; +#loadmodule "modules/chanserv/set_limitflags"; +loadmodule "modules/chanserv/set_mlock"; +loadmodule "modules/chanserv/set_prefix"; +#loadmodule "modules/chanserv/set_private"; +loadmodule "modules/chanserv/set_property"; +loadmodule "modules/chanserv/set_restricted"; +loadmodule "modules/chanserv/set_secure"; +loadmodule "modules/chanserv/set_topiclock"; +loadmodule "modules/chanserv/set_url"; +loadmodule "modules/chanserv/set_verbose"; +loadmodule 
"modules/chanserv/status"; +#loadmodule "modules/chanserv/successor_acl"; +loadmodule "modules/chanserv/taxonomy"; +loadmodule "modules/chanserv/template"; +loadmodule "modules/chanserv/topic"; +loadmodule "modules/chanserv/voice"; +loadmodule "modules/chanserv/why"; +#loadmodule "modules/chanserv/xop"; + +/* OperServ modules. + * + * Here you can disable or enable certain features of OperServ, by + * defining which modules are loaded. + * + * Core components modules/operserv/main + * AKILL system modules/operserv/akill + * CLEARCHAN command modules/operserv/clearchan + * CLONES system modules/operserv/clones + * COMPARE command modules/operserv/compare + * GREPLOG command modules/operserv/greplog + * HELP command modules/operserv/help + * IGNORE system modules/operserv/ignore + * IDENTIFY command modules/operserv/identify + * INFO command modules/operserv/info + * INJECT command modules/operserv/inject + * JUPE command modules/operserv/jupe + * MODE command modules/operserv/mode + * MODINSPECT command modules/operserv/modinspect + * MODLIST command modules/operserv/modlist + * MODLOAD command modules/operserv/modload + * MODRELOAD command modules/operserv/modreload + * MODUNLOAD command modules/operserv/modunload + * NOOP system modules/operserv/noop + * Override access (OVERRIDE command) modules/operserv/override + * Regex mass akill (RAKILL command) modules/operserv/rakill + * RAW command modules/operserv/raw + * READONLY command modules/operserv/readonly + * REHASH command modules/operserv/rehash + * RESTART command modules/operserv/restart + * Display regex matching (RMATCH command) modules/operserv/rmatch + * Most common realnames (RNC command) modules/operserv/rnc + * RWATCH system modules/operserv/rwatch + * SGLINE system modules/operserv/sgline + * SHUTDOWN command modules/operserv/shutdown + * Non-config oper privileges (SOPER command) modules/operserv/soper + * Oper privilege display (SPECS command) modules/operserv/specs + * SQLINE system 
modules/operserv/sqline + * UPDATE command modules/operserv/update + * UPTIME command modules/operserv/uptime + */ +loadmodule "modules/operserv/main"; +loadmodule "modules/operserv/akill"; +#loadmodule "modules/operserv/clearchan"; +#loadmodule "modules/operserv/clones"; +loadmodule "modules/operserv/compare"; +#loadmodule "modules/operserv/greplog"; +loadmodule "modules/operserv/help"; +loadmodule "modules/operserv/identify"; +loadmodule "modules/operserv/ignore"; +loadmodule "modules/operserv/info"; +loadmodule "modules/operserv/jupe"; +loadmodule "modules/operserv/mode"; +loadmodule "modules/operserv/modinspect"; +loadmodule "modules/operserv/modlist"; +loadmodule "modules/operserv/modload"; +loadmodule "modules/operserv/modunload"; +loadmodule "modules/operserv/modreload"; +loadmodule "modules/operserv/noop"; +#loadmodule "modules/operserv/override"; +#loadmodule "modules/operserv/rakill"; +loadmodule "modules/operserv/readonly"; +loadmodule "modules/operserv/rehash"; +loadmodule "modules/operserv/restart"; +loadmodule "modules/operserv/rmatch"; +loadmodule "modules/operserv/rnc"; +loadmodule "modules/operserv/rwatch"; +loadmodule "modules/operserv/sgline"; +loadmodule "modules/operserv/shutdown"; +#loadmodule "modules/operserv/soper"; +loadmodule "modules/operserv/specs"; +loadmodule "modules/operserv/sqline"; +loadmodule "modules/operserv/update"; +loadmodule "modules/operserv/uptime"; + +/* MemoServ modules. + * + * Here you can disable or enable certain features of MemoServ, by + * defining which modules are loaded. You can even disable MemoServ + * entirely. 
+ * + * Core components modules/memoserv/main + * HELP command modules/memoserv/help + * SEND command modules/memoserv/send + * Channel memos (SENDOPS command) modules/memoserv/sendops + * Group memos (SENDGROUP command) modules/memoserv/sendgroup + * LIST command modules/memoserv/list + * READ command modules/memoserv/read + * FORWARD command modules/memoserv/forward + * DELETE command modules/memoserv/delete + * IGNORE command modules/memoserv/ignore + */ +loadmodule "modules/memoserv/main"; +loadmodule "modules/memoserv/help"; +loadmodule "modules/memoserv/send"; +loadmodule "modules/memoserv/sendops"; +loadmodule "modules/memoserv/sendgroup"; +loadmodule "modules/memoserv/list"; +loadmodule "modules/memoserv/read"; +loadmodule "modules/memoserv/forward"; +loadmodule "modules/memoserv/delete"; +loadmodule "modules/memoserv/ignore"; + +/* Global module. + * + * Like the other services, the Global noticer is a module. You can + * disable or enable it to your liking below. Please note that the + * Global noticer is dependent on OperServ for full functionality. + */ +loadmodule "modules/global/main"; + +/* InfoServ module. + * + * Like the other services, InfoServ is a module. You can disable or + * enable it to your liking below. + */ +loadmodule "modules/infoserv/main"; + +/* SASL agent module. + * + * Allows clients to authenticate to services via SASL with an appropriate + * ircd. You need the core components and at least one mechanism. + * + * Core components modules/saslserv/main + * PLAIN mechanism modules/saslserv/plain + * DH-BLOWFISH mechanism modules/saslserv/dh-blowfish + * AUTHCOOKIE mechanism (for IRIS) modules/saslserv/authcookie + * EXTERNAL mechanism (IRCv3.1+) modules/saslserv/external + */ +#loadmodule "modules/saslserv/main"; +#loadmodule "modules/saslserv/plain"; +#loadmodule "modules/saslserv/dh-blowfish"; /* requires SSL */ +#loadmodule "modules/saslserv/authcookie"; +#loadmodule "modules/saslserv/external"; + +/* GameServ modules. 
+ * + * Here you can disable or enable certain features of GameServ, by + * defining which modules are loaded. You can even disable GameServ + * entirely. + * + * Core components modules/gameserv/main + * DICE/WOD commands modules/gameserv/dice + * HELP commands modules/gameserv/help + * NAMEGEN command modules/gameserv/namegen + */ +#loadmodule "modules/gameserv/main"; +#loadmodule "modules/gameserv/dice"; +#loadmodule "modules/gameserv/help"; +#loadmodule "modules/gameserv/namegen"; + +/* BotServ modules. + * + * Here you can disable or enable certain features of BotServ, by + * defining which modules are loaded. You can even disable BotServ + * entirely. + * + * Core components modules/botserv/main + * HELP command modules/botserv/help + * INFO command modules/botserv/info + * NPC commands (SAY, ACT) modules/botserv/bottalk + * SET command (required for SET commands) modules/botserv/set_core + * SET FANTASY command modules/botserv/set_fantasy + * SET NOBOT command modules/botserv/set_nobot + * SET PRIVATE command modules/botserv/set_private + */ +#loadmodule "modules/botserv/main"; +#loadmodule "modules/botserv/help"; +#loadmodule "modules/botserv/info"; +#loadmodule "modules/botserv/bottalk"; +#loadmodule "modules/botserv/set_core"; +#loadmodule "modules/botserv/set_fantasy"; +#loadmodule "modules/botserv/set_nobot"; +#loadmodule "modules/botserv/set_private"; + +/* HostServ modules. + * + * Here you can disable or enable certain features of HostServ, by + * defining which modules are loaded. You can even disable HostServ + * entirely. + * + * HostServ is a more complex, and optional virtual host management service. + * Users wishing only to set vhosts need not use it (they can use the builtin + * vhost management of NickServ instead). 
+ * + * Core components modules/hostserv/main + * HELP command modules/hostserv/help + * OFFER system modules/hostserv/offer + * ON and OFF commands modules/hostserv/onoff + * REQUEST system modules/hostserv/request + * VHOST and LISTVHOST commands modules/hostserv/vhost + * VHOSTNICK command modules/hostserv/vhostnick + * GROUP command modules/hostserv/group + */ +loadmodule "modules/hostserv/main"; +loadmodule "modules/hostserv/help"; +loadmodule "modules/hostserv/onoff"; +loadmodule "modules/hostserv/offer"; +loadmodule "modules/hostserv/request"; +loadmodule "modules/hostserv/vhost"; +loadmodule "modules/hostserv/vhostnick"; +loadmodule "modules/hostserv/group"; + +/* HelpServ modules. + * HelpServ allows users to request help from network staff in a few different ways. + * + * Core components modules/helpserv/main + * HELPME command modules/helpserv/helpme + * Help Ticket system modules/helpserv/ticket + * Service List modules/helpserv/services + * + * The ticket system works like a bugtracker ot helpdesk ticket system, HELPME + * works like a one-time alert. You should probably only load one of the two systems. + */ +#loadmodule "modules/helpserv/main"; +#loadmodule "modules/helpserv/helpme"; +#loadmodule "modules/helpserv/ticket"; +#loadmodule "modules/helpserv/services"; + +/* Channel listing service. + * + * Allows users to list channels with more flexibility than the /list + * command. + * + * Core components modules/alis/main + */ +#loadmodule "modules/alis/main"; + +/* GroupServ module. + * GroupServ allows users to create groups to easily mass-manage channel + * access and more. + * + * Core components modules/groupserv/main + * + */ +loadmodule "modules/groupserv/main"; + +/* + * Various modules. + * + * Atheme includes an optional HTTP server that can be used for integration + * with portal software and other useful things. To enable it, load this + * module, and uncomment the httpd { } block towards the bottom of the config. 
+ * + * HTTP Server modules/misc/httpd + */ +#loadmodule "modules/misc/httpd"; + +/* XMLRPC server module. + * + * The XML-RPC handler requires modules/misc/httpd to be loaded as it merely + * registers a path handler for XML-RPC. The path used for XML-RPC is /xmlrpc. + * + * XMLRPC handler for the httpd modules/xmlrpc/main + */ +#loadmodule "modules/xmlrpc/main"; + +/* Other modules. + * + * Put any other modules you want to load on startup here. The path + * is relative to PREFIX or PREFIX/lib/atheme, depending on how Atheme + * was compiled. + */ +#loadmodule "modules/contrib/ns_listlogins"; + +/****************************************************************************** + * SERVICES RUNTIME CONFIGURATION SECTION. * + ******************************************************************************/ + +/* The serverinfo{} block defines how we appear on the IRC network. */ +serverinfo { + /* name + * The server name that this program uses on the IRC network. + * This is the name you'll have to use in C:/N:Lines. It must be + * unique on the IRC network and contain at least one dot, but does + * not have to be equal to any DNS name. + */ + name = "<%= @services_name %>"; + + /* desc + * The ``server comment'' we send to the IRC network. + * If you want server hiding, prefix your desc with "(H)" + */ + desc = "<%= @services_description %>"; + + /* numeric + * Some protocol drivers (Charybdis, Ratbox2, Hybrid, P10, IRCNet) + * require a server id, also known as a numeric. Please consult your + * ircd's documentation when providing this value. + */ + numeric = "<%= @sid %>"; + + /* (*)recontime + * The number of seconds before we reconnect to the uplink. + */ + recontime = 10; + + /* (*)netname + * The name of your network. + */ + netname = "<%= @network_name %>"; + + /* (*)hidehostsuffix + * P10 +x host hiding gives .. + * If using +x on asuka/bircd/undernet, this must agree + * with F:HIDDEN_HOST. 
+ */ + hidehostsuffix = "<%= @hidehostsuffix %>"; + + /* (*)adminname + * The name of the person running this service. + */ + adminname = "misconfigured admin"; + + /* (*)adminemail + * The email address of the person running this service. + */ + adminemail = "misconfigured@admin.tld"; + + /* (*)mta + * The full path to your mail transfer agent. + * This is used for email authorization and password retrieval. + * Comment this out to disable sending email. + * Warning: sending email can disclose the IP of your services + * unless you take precautions (not discussed here further). + */ + mta = "/usr/sbin/sendmail"; + + /* (*)loglevel + * Specify the default categories of logging information to record + * in the master Atheme logfile, usually var/atheme.log. + * + * Options include: + * debug, all - meta-keyword for all possible categories + * trace - meta-keyword for a little bit of info + * misc - like trace, but with some more miscillaneous info + * notice - meta-keyword for notice-like information + * ------------------------------------------------------------------------------ + * error - critical errors + * info - miscillaneous log notices + * verbose - A bit more verbose than info, not quite as spammy as debug + * commands - all command use + * admin - administrative command use + * register - account and channel registrations + * set - changes of account or channel settings + * request - user requests (currently only vhosts) + * network - log notices related to network status + * rawdata - log raw data sent and received by services + * wallops - + */ + loglevel = { error; info; admin; network; wallops; }; + + /* (*)maxlogins + * What is the maximum number of sessions allowed to login to one + * username? This reduces potential abuse. It is only checked on login. + */ + maxlogins = 5; + + /* (*)maxusers + * What are the maximum usernames that one email address can register? + * Set to 0 to disable this check (it can be slow currently). 
+ */ + maxusers = 5; + + /* (*)maxnicks + * If GROUP is loaded, what are the maximum nicknames that one + * username can register? + */ + maxnicks = 5; + + /* (*)maxchans + * What are the maximum channels that one username can register? + */ + maxchans = 30; + + /* (*)mdlimit + * How many metadata entries can be added to an object? + */ + mdlimit = 30; + + /* (*)emaillimit, emailtime + * The maximum number of emails allowed to be sent in + * that amount of time (seconds). If this is exceeded, + * wallops will be sent, at most one per minute. + */ + emaillimit = 10; + emailtime = 300; + + /* (*)auth + * What type of username registration authorization do you want? + * If "email", Atheme will send a confirmation email to the address to + * ensure it's valid. If registration is not completed within one day, + * the username will expire. If "none", no message will be sent and + * the username will be fully registered. + * Valid values are: email, none. + */ + auth = none; + + /* casemapping + * Specify the casemapping to use. Almost all TSora (and any that follow + * the RFC correctly) ircds will use rfc1459 casemapping. Bahamut, Unreal, + * and other ``Dalnet'' ircds will use ascii casemapping. + * Valid values are: rfc1459, ascii. + */ + casemapping = rfc1459; +}; + +/* uplink{} blocks define connections to IRC servers. + * Multiple may be defined but only one will be used at a time (IRC + * being a tree shaped network). + */ +uplink "<%= @uplink_name %>" { + // The server name of the ircd you're linking to goes above. + + // host + // The hostname to connect to. + host = "127.0.0.1"; + + // port + // The port to connect to. + port = <%= @uplink_port %>; + + // password + // The password used for linking. + password = "<%= @uplink_password %>"; +}; + +/* Services configuration. + * + * Each of these blocks can contain a nick, user, host, real and aliases. + * Several of them also have options specific to the service. + */ + +/* NickServ configuration. 
+ * + * The nickserv {} block contains settings specific to the NickServ modules. + * + * NickServ provides nickname or username registration and authentication + * services. It provides necessary authentication features required for + * Services to operate correctly. You should make sure these settings + * are properly configured for your network. + */ +nickserv { + // If you want NickServ to tell people about how great it is, enable the directive + // below. + spam; + + /* no_nick_ownership + * Enable this to disable nickname ownership (old userserv{}). + * This changes changes "nickname" to "account" in most messages, + * disables GHOST on users not logged in to the same account and + * makes the spam directive ineffective. + * It is suggested that the nick be set to UserServ, login.so + * be loaded instead of identify.so and ghost.so not be loaded. + */ + #no_nick_ownership; + + /* (*)nick + * The nickname we want NickServ to have. + */ + nick = "NickServ"; + + /* (*)user + * The username we want NickServ to have. + */ + user = "NickServ"; + + /* (*)host + * The hostname we want NickServ to have. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The realname (gecos) information we want NickServ to have. + */ + real = "Nickname Services"; + + /* (*)aliases + * Command aliases for NickServ. + */ + aliases { + "ID" = "IDENTIFY"; + "MYACCESS" = "LISTCHANS"; + }; + + /* (*)expire + * The number of days before inactive registrations are expired. + */ + expire = 180; + + /* (*)enforce_expire + * The number of days of no use after which to ignore enforcement + * settings on nicks. + */ + #enforce_expire = 14; + + /* (*)enforce_delay + * The number of seconds to delay nickchange enforcement settings + * on nicks. 
+ */ + #enforce_delay = 30; + + /* (*)enforce_prefix + * The prefix to use when changing the user's nick on enforcement + */ + #enforce_prefix = "Guest"; + + /* (*)cracklib_dict + * The location and filename prefix of the cracklib dictionaries + * for use with nickserv/cracklib. This must be provided if you are + * going to be using nickserv/cracklib. + */ + #cracklib_dict = "/var/cache/cracklib/cracklib_dict"; + + /* (*)cracklib_warn + * If this option is set and nickserv/cracklib is loaded, nickserv will just + * warn users that their password is insecure, recommend they change it and + * still register the nick. If this option is unset, it will refuse to + * register the nick at all until the user chooses a better password. + */ + #cracklib_warn; +}; + +/* ChanServ configuration. + * + * The chanserv {} block contains settings specific to the ChanServ modules. + * + * ChanServ provides channel registration services, which allows users to own + * channels. It is not required, but is strongly recommended. + */ +chanserv { + /* (*)nick + * The nickname we want the client to have. + */ + nick = "ChanServ"; + + /* (*)user + * The username we want the client to have. + */ + user = "ChanServ"; + + /* (*)host + * The hostname we want the client to have. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The GECOS of the client. + */ + real = "Channel Services"; + + /* (*)aliases + * Command aliases for ChanServ. + */ + aliases { + }; + + /* fantasy + * Do you want to enable fantasy commands? This can + * use a lot of CPU up, and will only work if you have + * join_chans (in general) enabled as well. + */ + fantasy; + + /* (*) hide_xop + * Hide the XOP templates from sight. This is useful if you + * want to use templates and not have the XOP templates displayed. + */ + #hide_xop; + + /* (*) templates + * Defines what flags the global templates comprise. 
+ * + * For the special XOP templates: + * These should all be different and not equal to the empty set, + * except that hop may be equal to vop to disable hop. + * Each subsequent level should have more flags (except +VHO). + * For optimal functioning of /cs forcexop, aop should not have + * any of +sRf, hop should not have any of +sRfoOr and vop should + * not have any of +sRfoOrhHt. + * If this is not specified, the values of Atheme 0.3 are used, + * which are generally less intuitive than these. + * Note: changing these leaves the flags of existing channel access + * entries unchanged, thus removing them of the view of /cs xop list. + * Usually the channel founder can use /cs forcexop to update the + * entries to the new levels. + * + * Advice: + * If you want to add a co-founder role, remove the flags permission + * from the SOP role, and define a co-founder role with flags + * permissions. + */ + templates { + vop = "+VA"; + hop = "+vVhHtA"; + aop = "+vhoOtriA"; + sop = "+vhoOtrsifAa"; + + founder = "+vhoOtrisifAaF"; + + /* some examples (which are commented out...) */ + #member = "+iA"; + #op = "+voOtriA"; + }; + + /* (*) deftemplates + * Defines default templates to set on new channels, as a + * space-separated list of name=+flags pairs. + * Note: at this time no syntax checking is done on this; it + * is your own responsibility to make sure it is correct. + */ + #deftemplates = "MEMBER=+iA OP=+voOtriA"; + + /* (*) changets + * Change the channel TS to the registration time when someone + * recreates a registered channel, ensuring that they are deopped + * and all their modes are undone. Note that this involves ChanServ + * joining. When the channel was not recreated no deops will be done + * (apart from the SECURE option). + * This also solves the "join-mode" problem where someone recreates + * a registered channel and then sets some modes before they are + * deopped. 
+ * This is currently supported for charybdis, hybrid, ratbox, unreal, + * bahamut and inspircd 1.1+. For charybdis, hybrid and ratbox + * it only fully works with TS6, with TS5 bans and last-moment modes + * will still apply. + * (That can also be used to advantage, when first enabling this.) + */ + #changets; + + /* (*) trigger + * This setting allows you to change the trigger prefix for + * ChanServ's in-channel command feature (disableable via chanserv::fantasy). + * If no setting is provided, the default is used, which is "!". + * + * Other settings you could consider trying: ".", "~", "?", "`", "'". + */ + trigger = "!"; + + /* (*)expire + * The number of days before inactive registrations are expired. + */ + expire = 180; + + /* (*)maxchanacs + * The maximum number of entries allowed in a channel's access list + * (both channel ops and akicks), 0 for unlimited. + */ + maxchanacs = 0; + + /* (*)maxfounders + * The maximum number of founders allowed in a channel. + * Note that all founders have the exact same privileges and + * the list of founders is shown in various places. + */ + maxfounders = 4; +}; + +/* Global noticing configuration. + * + * The global {} block contains settings specific to the Global notice module. + * + * The Global notice module provides the ability to mass-notify a network. + */ +global { + /* (*)nick + * Sets the nick used for sending out a global notice. + */ + nick = "Global"; + + /* (*)user + * Sets the username used for this client. + */ + user = "Global"; + + /* (*)host + * The hostname used for this client. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Network Announcements"; +}; + +/* InfoServ configuration + * + * The infoserv {} block contains settings specific to the InfoServ module. + * + * The InfoServ modules provides the ability to mass-notify a network and send + * news to users when they connect to the network. 
+ */ +infoserv { + /* (*)nick + * Sets the nick used for InfoServ and sending out informational messages. + */ + nick = "InfoServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "InfoServ"; + + /* (*)host + * The hostname used for this client, + */ + host = "<%= @services_name %>"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Information Service"; + + /* (*)logoninfo_count + * The number of InfoServ messages a user will see upon connect. + * If there are more than this number, the user will be able to + * see the rest with /msg infoserv list . + */ + logoninfo_count = 3; +}; + +/* OperServ configuration. + * + * The operserv {} block contains settings specific to the OperServ modules. + * + * OperServ provides essential network management tools for IRC operators + * on the IRC network. + */ +operserv { + /* (*)nick + * The nickname we want the Operator Service to have. + */ + nick = "OperServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "OperServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Operator Services"; + + /* (*)aliases + * Command aliases for OperServ. + */ + aliases { + }; +}; + +/* SaslServ configuration. + * + * The saslserv {} block contains settings specific to the SaslServ modules. + * + * SaslServ provides an authentication agent which is compatible with the + * SASL over IRC (SASL/IRC) protocol extension. + */ +saslserv { + /* (*)nick + * The nickname we want SaslServ to have. + */ + nick = "SaslServ"; + + /* (*)user + * The username we want SaslServ to have. + */ + user = "SaslServ"; + + /* (*)host + * The hostname we want SaslServ to have. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The realname (gecos) information we want SaslServ to have. + */ + real = "SASL Authentication Agent"; +}; + +/* MemoServ configuration. 
+ * + * The memoserv {} block contains settings specific to the MemoServ modules. + * + * MemoServ provides a note-taking service that you can use to send notes + * to offline users (provided they are registered with Services). + */ +memoserv { + /* (*)nick + * The nickname we want MemoServ to have. + */ + nick = "MemoServ"; + + /* (*)user + * The username we want MemoServ to have. + */ + user = "MemoServ"; + + /* (*)host + * The hostname we want MemoServ to have. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The realname (gecos) information we want MemoServ to have. + */ + real = "Memo Services"; + + /* (*)aliases + * Command aliases for MemoServ. + */ + aliases { + }; +}; + +/* GameServ configuration. + * + * The gameserv {} block contains settings specific to the GameServ modules. + * + * GameServ provides various in-channel commands for games. + */ +gameserv { + /* (*)nick + * The nickname we want GameServ to have. + */ + nick = "GameServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "GameServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Game Services"; + + /* (*)aliases + * Command aliases for GameServ. + */ + aliases { + }; +}; + +/* BotServ configuration. + * + * The botserv {} block contains settings specific to the BotServ modules. + * + * BotServ provides virtual channel bots. + */ +botserv { + /* (*)nick + * The nickname we want BotServ to have. + */ + nick = "BotServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "BotServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Bot Services"; + + /* (*)min_users + * Minimum number of users a channel must have before a Bot is allowed + * to be assigned to that channel. 
+ */ + min_users = 0; +}; + +/* GroupServ configuration. + * + * The groupserv {} block contains settings specific to the GroupServ modules. + * + * GroupServ provides features for managing a collection of channels at once. + * + */ +groupserv { + /* (*)nick + * The nickname we want GroupServ to have. + */ + nick = "GroupServ"; + + /* (*)user + * The username we want GroupServ to have. + */ + user = "GroupServ"; + + /* (*)host + * The hostname we want GroupServ to have. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The realname (gecos) information we want GroupServ to have. + */ + real = "Group Managment Services"; + + /* (*)aliases + * Command aliases for GroupServ. + */ + aliases { + }; + + /* (*)maxgroups + * Maximum number of groups one username can be founder of. + */ + maxgroups = 5; + + /* (*)maxgroupacs + * Maximum number of access entries you may have in a group. + */ + maxgroupacs = 100; + + /* (*)enable_open_groups + * Setting this option will allow any group founder to mark + * their group as "anyone can join". + */ + enable_open_groups; +}; + +/* HostServ configuration. + * + * The hostserv {} block contains settings specific to the HostServ modules. + * + * HostServ provides advanced virtual host management. + */ +hostserv { + /* (*)nick + * The nickname we want HostServ to have. + */ + nick = "HostServ"; + + /* (*)user + * Sets the username used for this client. + */ + user = "HostServ"; + + /* (*)host + * The hostname used for this client. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The GECOS (real name) of the client. + */ + real = "Host Management Services"; + + /* (*)request_per_nick + * Whether the request system should work per nick or per account. + * The recommended setting is to leave this disabled, so that + * vhosts work as consistently as possible. + */ + #request_per_nick; + + /* (*)aliases + * Command aliases for HostServ. 
+ */ + aliases { + "APPROVE" = "ACTIVATE"; + "DENY" = "REJECT"; + }; +}; + +/* HelpServ configuration + * + * The helpserv {} block contains settings specific to the HelpServ modules. + * + * HelpServ adds a few different ways for users to request help from network staff. + */ +helpserv { + /* (*)nick + * The nickname we want HelpServ to have. + */ + nick = "HelpServ"; + + /* (*)user + * The username we want HelpServ to have. + */ + user = "HelpServ"; + + /* (*)host + * The hostname we want HelpServ to have. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The realname (gecos) information we want HelpServ to have. + */ + real = "Help Services"; +}; + +/* ALIS configuration. + * + * The alis {} block contains settings specific to the ALIS modules. + */ +alis { + /* (*)nick + * The nickname we want ALIS to have. + */ + nick = "ALIS"; + + /* (*)user + * The username we want ALIS to have. + */ + user = "alis"; + + /* (*)host + * The hostname we want ALIS to have. + */ + host = "<%= @services_name %>"; + + /* (*)real + * The realname (gecos) information we want ALIS to have. + */ + real = "Channel Directory"; +}; + +/****************************************************************************** + * LOGGING SECTION. * + ******************************************************************************/ + +/* + * logfile{} blocks can be used to set up log files other than the master + * logfile used by services, which is controlled by serverinfo::loglevel. 
+ * + * The various logging categories are: + * debug, all - meta-keyword for all possible categories + * trace - meta-keyword for a little bit of info + * misc - like trace, but with some more miscillaneous info + * notice - meta-keyword for notice-like information + * ------------------------------------------------------------------------------ + * error - critical errors + * info - miscillaneous log notices + * verbose - A bit more verbose than info, not quite as spammy as debug + * commands - all command use + * admin - administrative command use + * register - account and channel registrations + * set - changes of account or channel settings + * request - user requests (currently only vhosts) + * network - log notices related to network status + * rawdata - log raw data sent and received by services + * wallops - + */ + +/* + * This block logs all account and channel registrations and drops, + * and account and channel setting changes to var/account.log. + */ +logfile "var/account.log" { register; set; }; + +/* + * This block logs all command use to var/commands.log. + */ +logfile "var/commands.log" { commands; }; + +/* + * You can log to IRC channels, and even split it by category, too. + * This entry provides roughly the same functionality as the old snoop + * feature. + */ +logfile "#services" { error; info; admin; request; register; }; + +/****************************************************************************** + * GENERAL PARAMETERS CONFIGURATION SECTION. * + ******************************************************************************/ + +/* The general {} block defines general configuration options. */ +general { + + /* (*)helpchan + * Network help channel. Shown to users when they request + * help for a command that doesn't exist. + */ + #helpchan = "#help"; + + /* (*)helpurl + * Network webpage for services help. Shown to users when they + * request help for a command that doesn't exist. 
+ */ + #helpurl = "http://www.stack.nl/~jilles/irc/atheme-help/"; + + /* (*)silent + * If you want to prevent services from sending + * WALLOPS/GLOBOPS about things uncomment this. + * Not recommended. + */ + #silent; + + /* (*)verbose_wallops + * If you want services to send you more information about + * events that are occuring (in particular AKILLs), uncomment the + * directive below. + * + * WARNING! This may result in large amounts of wallops/globops + * floods. + */ + #verbose_wallops; + + /* (*)join_chans + * Should ChanServ be allowed to join registered channels? + * This option is useful for the fantasy command set. + * + * If enabled, you can tell ChanServ to join via SET GUARD ON. + * + * If you use ircu-like ircd (asuka, bircd, undernet), you must + * leave this enabled, and put guard in default cflags. + * + * For ratbox it is recommended to leave it on and put guard in + * default cflags, in order that ChanServ does not have to join/part + * to do certain things. On the other hand, enabling this increases + * potential for bots fighting with ChanServ. + * + * Regardless of this option, ChanServ will temporarily join + * channels which would otherwise be empty if necessary to enforce + * akick/restricted/close, and to change the TS if changets is + * enabled. + */ + join_chans; + + /* (*)leave_chans + * Do we leave registered channels after everyone else has left? + * Turning this off serves little purpose, except to mark "official" + * network channels by keeping them open, and to preserve the + * topic and +beI lists. + */ + leave_chans; + + /* secure + * Do you want to require the use of /msg @? + * Turning this on helps protect against spoofers, but is disabled + * as most networks do not presently use it. + */ + #secure; + + /* (*)uflags + * The default flags to set for usernames upon registration. + * Valid values are: hold, neverop, noop, hidemail, nomemo, emailmemos, + * enforce, privmsg, private, quietchg and none. 
+ */ + uflags = { hidemail; }; + + /* (*)cflags + * The default flags to set for channels upon registration. + * Valid values are: hold, secure, verbose, verbose_ops, keeptopic, + * topiclock, guard, private, limitflags and none. + */ + cflags = { verbose; guard; }; + + /* (*)raw + * Do you want to allow SRAs to use the RAW and INJECT commands? + * These commands are for debugging. If you don't know how to use them + * then don't enable them. They are not supported. + */ + #raw; + + /* (*)flood_msgs + * Do you want services to detect floods? + * Set to how many messages before a flood is triggered. + * Note that some messages that need a lot of processing count + * as two or four messages. + * If services receives `flood_msgs' within `flood_time' the user will + * trigger the flood protection. + * Setting this to zero disables flood protection. + */ + flood_msgs = 7; + + /* (*)flood_time + * Do you want services to detect floods? + * Set to how long before the counter resets. + * If services receives `flood_msgs' within `flood_time' the user will + * trigger the flood protection. + */ + flood_time = 10; + + /* (*)ratelimit_uses + * After how many uses of a command will users be throttled. + * After `ratelimit_uses' of a command within `ratelimit_period', users + * will not be able to run that ratelimited command until the period is up. + * Comment this, ratelimit_period below or both options out to disable rate limiting. + * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request, + * nickserv/register and chanserv/register. + */ + ratelimit_uses = 5; + + /* (*)ratelimit_period + * After how much time (in seconds) will the ratelimit_uses counter reset. + * After `ratelimit_uses' of a command within `ratelimit_period', users + * will not be able to run that ratelimited command until the period is up. + * Comment this, ratelimit_uses above or both options out to disable rate limiting. 
+ * Currently used in helpserv/helpme, helpserv/ticket, hostserv/request, + * nickserv/register and chanserv/register. + */ + ratelimit_period = 60; + + /* (*)kline_time + * The default expire time for KLINE's in days. + * Setting this to 0 makes all KLINE's permanent. + */ + kline_time = 7; + + /* (*)clone_time + * This is the default expiry time for CLONE exemptions in minutes. + * Setting this to 0 makes all CLONE exemptions permanent. + */ + clone_time = 0; + + /* commit_interval + * The time between database writes in minutes. + */ + commit_interval = 5; + + /* (*)default_clone_limit + * The default clone limit used by operserv/clones. + * Deprecated by the two options below. + */ + default_clone_limit = 5; + + /* (*)default_clone_allowed + * The limit after which clones will be KILLed or TKLINEd. + * Used by operserv/clones. + */ + default_clone_allowed = 5; + + /* (*)default_clone_warn + * The limit after which clones will be warned that they may not + * have any more concurrent connections. Should be lower than + * default_clone_allowed . Used by operserv/clones. + */ + default_clone_warn = 4; + + /* (*)uplink_sendq_limit + * The maximum amount of data that may be queued to be sent + * to the uplink, in bytes. This should be enough to contain + * Atheme's response to the netburst, but smaller than the + * IRCd's sendq limit for servers. + */ + uplink_sendq_limit = 1048576; + + /* (*)language + * Language to use for channel and oper messages and as default + * for users. + */ + language = "en"; + + /* exempts + * This block contains a list of user@host masks. Users matching any + * of these will not be automatically K:lined by services. + */ + exempts { + }; + + /* allow_taint + * By enabling this option, Atheme will run in configurations where + * the upstream will not provide support. By enabling this feature, + * you void any perceived rights to support. 
+ */ + #allow_taint; + + /* (*)immune_level + * This option allows you to customize the operlevel which gets kick + * immunity privileges. + * + * The following flags are available: + * immune - require whatever ircd usermode is needed for kick + * immunity (this is the default); + * admin - require admin privileges for kick immunity + * ircop - require any ircop privileges for kick immunity (umode +o) + */ + immune_level = immune; +}; + +/****************************************************************************** + * OPERATOR AND PRIVILEGES CONFIGURATION SECTION. * + ******************************************************************************/ + +/* Operator configuration + * See the PRIVILEGES document for more information. + * NOTE: All changes apply immediately upon rehash. You may need + * to send a signal (killall -HUP atheme-services) to regain control. + */ +/* (*) Operclasses specify groups of services operator privileges */ + +/* The "ircop" operclass specifies privileges all IRCops get. + * This may be empty in which case IRCops get no privs. + * At least chan:cmodes, chan:joinstaffonly and general:auspex are suggested. + */ +operclass "ircop" { + privs { + special:ircop; + }; + + privs { + user:auspex; + user:admin; + user:sendpass; + user:vhost; + user:mark; + }; + + privs { + chan:auspex; + chan:admin; + chan:cmodes; + chan:joinstaffonly; + }; + + privs { + general:auspex; + general:helper; + general:viewprivs; + general:flood; + }; + + privs { + operserv:omode; + operserv:akill; + operserv:jupe; + operserv:global; + }; + + privs { + group:auspex; + group:admin; + }; +}; + +operclass "sra" { + /* You can inherit privileges from a lower operclass. 
*/ + extends "ircop"; + + privs { + user:hold; + user:regnolimit; + }; + + privs { + general:metadata; + general:admin; + }; + + privs { + #operserv:massakill; + #operserv:akill-anymask; + operserv:noop; + operserv:grant; + #operserv:override; + }; + + /* needoper + * Only grant privileges to IRC users in this oper class if they + * are opered; other use of privilege (channel succession, XMLRPC, + * etc.) is unaffected by this. + */ + needoper; +}; + + +/* (*) Operator blocks specify accounts with certain privileges + * Oper classes must be defined before they are used in operator blocks. + */ +<% @operators.each do |oper| -%> +operator "<%= oper %>" { + operclass = "sra"; +}; +<% end -%> + +/****************************************************************************** + * INCLUDE CONFIGURATION SECTION. * + ******************************************************************************/ + +/* You may also specify other files for inclusion. + * For example: + * + * include "etc/sras.conf"; + */ diff --git a/charybdis/manifests/init.pp b/charybdis/manifests/init.pp new file mode 100644 index 0000000..4f04422 --- /dev/null +++ b/charybdis/manifests/init.pp 
@@ -0,0 +1,134 @@
+# Install Charybdis IRC server.
+#
+class charybdis(
+ $sid='00A',
+ $server_name='irc.localdomain',
+ $server_description='IRC Server',
+ $network_name='IRC',
+ $network_description='IRC Network',
+ $admin_name='Administrator',
+ $admin_description='IRC Administrator',
+ $admin_email='root@localhost',
+ $motd=undef,
+ $motd_source=undef,
+ $port='6667',
+ $sslport='6668',
+ $ssl_dh=undef,
+ $ssl_key=undef,
+ $ssl_cert=undef,
+ $users=['*@*'],
+ $operators=[],
+ $umodes=undef,
+ $cloaking=true,
+ $hub=false,
+ $ident=false,
+ $throttle_count='4',
+ $throttle_duration='60',
+ $services=false,
+ $services_name='ircservices.localdomain',
+ $services_password=undef,
+) {
+
+ case $::operatingsystem {
+ 'ubuntu': { }
+ default: {
+ fail("charybdis not supported on ${::operatingsystem}")
+ }
+ }
+
+ if $services == true and ! $services_password {
+ fail('Must define $services_password')
+ }
+
+ if $umodes {
+ $umodes_real = $umodes
+ } else {
+ if $cloaking == true {
+ $umodes_real = '+ix'
+ } else {
+ $umodes_real = '+i'
+ }
+ }
+
+ package { 'charybdis':
+ ensure => installed,
+ }
+
+ file { '/etc/charybdis/ircd.conf':
+ ensure => present,
+ mode => '0640',
+ owner => 'root',
+ group => 'charybdis',
+ content => template('charybdis/ircd.conf.erb'),
+ require => Package['charybdis'],
+ notify => Service['charybdis'],
+ }
+
+ file { '/etc/charybdis/ircd.motd':
+ ensure => present,
+ mode => '0640',
+ owner => 'root',
+ group => 'charybdis',
+ content => $motd,
+ source => $motd_source,
+ require => Package['charybdis'],
+ notify => Service['charybdis'],
+ }
+
+ if $ssl_key and $ssl_cert {
+ file { '/etc/charybdis/ircd.key':
+ ensure => present,
+ mode => '0640',
+ owner => 'root',
+ group => 'charybdis',
+ source => $ssl_key,
+ require => Package['charybdis'],
+ notify => Service['charybdis'],
+ }
+
+ file { '/etc/charybdis/ircd.crt':
+ ensure => present,
+ mode => '0640',
+ owner => 'root',
+ group => 'charybdis',
+ source => $ssl_cert,
+ require => Package['charybdis'],
+ notify => Service['charybdis'],
+ }
+
+ if $ssl_dh {
+ file { '/etc/charybdis/dh.pem':
+ ensure => present,
+ mode => '0640',
+ owner => 'root',
+ group => 'charybdis',
+ source => $ssl_dh,
+ require => Package['charybdis'],
+ notify => Service['charybdis'],
+ }
+ } else {
+ ssl::dhparam { '/etc/charybdis/dh.pem':
+ mode => '0640',
+ owner => 'root',
+ group => 'charybdis',
+ require => Package['charybdis'],
+ notify => Service['charybdis'],
+ }
+ }
+ }
+
+ service { 'charybdis':
+ ensure => running,
+ enable => true,
+ }
+
+ file { '/var/log/charybdis':
+ ensure => directory,
+ mode => '0640',
+ owner => 'charybdis',
+ group => 'charybdis',
+ recurse => true,
+ require => Service['charybdis'],
+ }
+
+}
diff --git a/charybdis/templates/ircd.conf.erb b/charybdis/templates/ircd.conf.erb
new file mode 100644
index 0000000..4e29e53
--- /dev/null
+++ b/charybdis/templates/ircd.conf.erb
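Review bot: In charybdis/manifests/init.pp the `file` resources for `/etc/charybdis/ircd.conf` and `/etc/charybdis/ircd.key` carry secret material but do not set `show_diff`. The key file is the TLS private key, and the rendered config presumably embeds `$services_password` (the template lines that would confirm this are outside this hunk). When the agent runs with diffs enabled, a change to either file can copy its content into agent logs and reports, which are typically readable by a wider audience than the 0640 root:charybdis files themselves. I would add `show_diff => false,` to both resources, and to `/etc/charybdis/dh.pem` for consistency.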
@@ -0,0 +1,435 @@ +/* doc/example.conf - brief example configuration file + * + * Copyright (C) 2000-2002 Hybrid Development Team + * Copyright (C) 2002-2005 ircd-ratbox development team + * Copyright (C) 2005-2006 charybdis development team + * + * $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $ + * + * See reference.conf for more information. + */ + +/* Extensions */ +#loadmodule "extensions/chm_operonly_compat.so"; +#loadmodule "extensions/chm_quietunreg_compat.so"; +#loadmodule "extensions/chm_sslonly_compat.so"; +#loadmodule "extensions/createauthonly.so"; +#loadmodule "extensions/extb_account.so"; +#loadmodule "extensions/extb_canjoin.so"; +#loadmodule "extensions/extb_channel.so"; +#loadmodule "extensions/extb_extgecos.so"; +#loadmodule "extensions/extb_oper.so"; +#loadmodule "extensions/extb_realname.so"; +#loadmodule "extensions/extb_server.so"; +#loadmodule "extensions/extb_ssl.so"; +#loadmodule "extensions/hurt.so"; +#loadmodule "extensions/m_findforwards.so"; +#loadmodule "extensions/m_identify.so"; +#loadmodule "extensions/no_oper_invis.so"; +#loadmodule "extensions/sno_farconnect.so"; +#loadmodule "extensions/sno_globalkline.so"; +#loadmodule "extensions/sno_globaloper.so"; +#loadmodule "extensions/sno_whois.so"; +#loadmodule "extensions/override.so"; + +/* + * IP cloaking extensions: use ip_cloaking_4.0 + * if you're linking 3.2 and later, otherwise use + * ip_cloaking.so, for compatibility with older 3.x + * releases. + */ + +<% if @cloaking == true -%> +loadmodule "extensions/ip_cloaking_4.0.so"; +<% end -%> +#loadmodule "extensions/ip_cloaking.so"; + +serverinfo { + sid = "<%= @sid %>"; + name = "<%= @server_name %>"; + description = "<%= @server_description %>"; + network_name = "<%= @network_name %>"; + network_desc = "<%= @network_description %>"; +<% if @hub == true -%> + hub = yes; +<% else -%> + hub = no; +<% end -%> + + /* On multi-homed hosts you may need the following. These define + * the addresses we connect from to other servers. 
*/ + /* for IPv4 */ + #vhost = "192.169.0.1"; + /* for IPv6 */ + #vhost6 = "3ffe:80e8:546::2"; + +<% if @ssl_key and @ssl_cert -%> + /* ssl_private_key: our ssl private key */ + ssl_private_key = "/etc/charybdis/ircd.key"; + + /* ssl_cert: certificate for our ssl server */ + ssl_cert = "/etc/charybdis/ircd.crt"; + + /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ + ssl_dh_params = "/etc/charybdis/dh.pem"; + + /* ssld_count: number of ssld processes you want to start, if you + * have a really busy server, using N-1 where N is the number of + * cpu/cpu cores you have might be useful. A number greater than one + * can also be useful in case of bugs in ssld and because ssld needs + * two file descriptors per SSL connection. + */ + ssld_count = 10; + +<% end -%> + /* default max clients: the default maximum number of clients + * allowed to connect. This can be changed once ircd has started by + * issuing: + * /quote set maxclients + */ + default_max_clients = 1024; +}; + +admin { + name = "<%= @admin_name %>"; + description = "<%= @admin_description %>"; + email = "<%= @admin_email %>"; +}; + +log { + fname_userlog = "/var/log/charybdis/userlog"; + fname_fuserlog = "/var/log/charybdis/fuserlog"; + fname_operlog = "/var/log/charybdis/operlog"; + fname_foperlog = "/var/log/charybdis/foperlog"; + fname_serverlog = "/var/log/charybdis/serverlog"; + fname_klinelog = "/var/log/charybdis/klinelog"; + fname_killlog = "/var/log/charybdis/killlog"; + fname_operspylog = "/var/log/charybdis/operspylog"; + fname_ioerrorlog = "/var/log/charybdis/ioerror"; +}; + +/* class {} blocks MUST be specified before anything that uses them. That + * means they must be defined before auth {} and before connect {}. 
+ */ +class "users" { + ping_time = 2 minutes; + number_per_ident = 100; + number_per_ip = 100; + number_per_ip_global = 100; + cidr_ipv4_bitlen = 24; + cidr_ipv6_bitlen = 64; + number_per_cidr = 200; + max_number = 3000; + sendq = 400 kbytes; +}; + +class "opers" { + ping_time = 5 minutes; + number_per_ip = 100; + max_number = 1000; + sendq = 1 megabyte; +}; + +class "server" { + ping_time = 5 minutes; + connectfreq = 5 minutes; + max_number = 1; + sendq = 4 megabytes; +}; + +listen { + /* If you want to listen on a specific IP only, specify host. + * host definitions apply only to the following port line. + */ + host = "127.0.0.1"; + port = <%= @port %>; +}; + +<% if @ssl_key and @ssl_cert -%> +listen { + sslport = <%= @sslport %>; +}; + +<% end -%> +/* auth {}: allow users to connect to the ircd (OLD I:) + * auth {} blocks MUST be specified in order of precedence. The first one + * that matches a user will be used. So place spoofs first, then specials, + * then general access, then restricted. + */ +<% @users.map! { |user| user.split } -%> +<% @users.each do |user| -%> +auth { + user = "<%= user[0] %>"; +<% if user[1] -%> + password = "<%= user[1] %>"; + flags = encrypted; +<% end -%> + class = "users"; +}; + +<% end -%> +/* privset {} blocks MUST be specified before anything that uses them. That + * means they must be defined before operator {}. + */ +privset "local_op" { + privs = oper:local_kill, oper:operwall; +}; + +privset "server_bot" { + extends = "local_op"; + privs = oper:kline, oper:remoteban, snomask:nick_changes; +}; + +privset "global_op" { + extends = "local_op"; + privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline, + oper:resv, oper:mass_notice, oper:remoteban; +}; + +privset "admin" { + extends = "global_op"; + privs = oper:admin, oper:die, oper:rehash, oper:spy; +}; + +<% @operators.map! 
{ |oper| oper.split } + @operators.each do |oper| + scope.function_fail(["Invalid operator '%s'" % oper[0]]) if oper.length != 3 -%> +operator "<%= oper[0] %>" { + user = "<%= oper[1] %>"; + password = "<%= oper[2] %>"; + flags = encrypted; + privset = "admin"; +}; + +<% end -%> +<% if @services == true -%> +connect "<%= @services_name %>" { + host = "127.0.0.1"; + port = <%= @port %>; + send_password = "<%= @services_password %>"; + accept_password = "<%= @services_password %>"; + hub_mask = "*"; + class = "server"; + flags = compressed, topicburst; +}; + +service { + name = "<%= @services_name %>"; +}; + +<% end -%> +cluster { + name = "*"; + flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; +}; + +shared { + oper = "*@*", "*"; + flags = all, rehash; +}; + +/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ +exempt { + ip = "127.0.0.1"; +}; + +channel { + use_invex = yes; + use_except = yes; + use_forward = yes; + use_knock = yes; + knock_delay = 5 minutes; + knock_delay_channel = 1 minute; + max_chans_per_user = 15; + max_bans = 100; + max_bans_large = 500; + default_split_user_count = 0; + default_split_server_count = 0; + no_create_on_split = no; + no_join_on_split = no; + burst_topicwho = yes; + kick_on_split_riding = no; + only_ascii_channels = no; + resv_forcepart = yes; + channel_target_change = yes; + disable_local_channels = no; +}; + +serverhide { + flatten_links = yes; + links_delay = 5 minutes; + hidden = no; + disable_hidden = no; +}; + +/* These are the blacklist settings. + * You can have multiple combinations of host and rejection reasons. + * They are used in pairs of one host/rejection reason. + * + * These settings should be adequate for most networks, and are (presently) + * required for use on StaticBox. + * + * Word to the wise: Do not use blacklists like SPEWS for blocking IRC + * connections. + * + * As of charybdis 2.2, you can do some keyword substitution on the rejection + * reason. 
The available keyword substitutions are: + * + * ${ip} - the user's IP + * ${host} - the user's canonical hostname + * ${dnsbl-host} - the dnsbl hostname the lookup was done against + * ${nick} - the user's nickname + * ${network-name} - the name of the network + * + * As of charybdis 3.4, a type parameter is supported, which specifies the + * address families the blacklist supports. IPv4 and IPv6 are supported. + * IPv4 is currently the default as few blacklists support IPv6 operation + * as of this writing. + * + * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be + * contacted, via email, at admins@2mbit.com before using these BLs. + * See for more information. + */ +blacklist { + host = "rbl.efnetrbl.org"; + type = ipv4; + reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}"; + +# host = "ircbl.ahbl.org"; +# type = ipv4; +# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for having an open proxy. In order to protect ${network-name} from abuse, we are not allowing connections with open proxies to connect."; +# +# host = "tor.ahbl.org"; +# type = ipv4; +# reject_reason = "${nick}, your IP (${ip}) is listed as a TOR exit node. In order to protect ${network-name} from tor-based abuse, we are not allowing TOR exit nodes to connect to our network."; +# + /* Example of a blacklist that supports both IPv4 and IPv6 */ +# host = "foobl.blacklist.invalid"; +# type = ipv4, ipv6; +# reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. 
In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect"; +}; + +alias "NickServ" { + target = "NickServ"; +}; + +alias "ChanServ" { + target = "ChanServ"; +}; + +alias "OperServ" { + target = "OperServ"; +}; + +alias "MemoServ" { + target = "MemoServ"; +}; + +alias "NS" { + target = "NickServ"; +}; + +alias "CS" { + target = "ChanServ"; +}; + +alias "OS" { + target = "OperServ"; +}; + +alias "MS" { + target = "MemoServ"; +}; + +general { + hide_error_messages = opers; + hide_spoof_ips = yes; + + /* + * default_umodes: umodes to enable on connect. + * If you have enabled the new ip_cloaking_4.0 module, and you want + * to make use of it, add +x to this option, i.e.: + * default_umodes = "+ix"; + * + * If you have enabled the old ip_cloaking module, and you want + * to make use of it, add +h to this option, i.e.: + * default_umodes = "+ih"; + */ + default_umodes = "<%= @umodes_real %>"; + + default_operstring = "is an IRC Operator"; + default_adminstring = "is a Server Administrator"; + servicestring = "is a Network Service"; + disable_fake_channels = no; + tkline_expire_notices = no; + default_floodcount = 10; + failed_oper_notice = yes; + dots_in_ident=2; + min_nonwildcard = 4; + min_nonwildcard_simple = 3; + max_accept = 100; + max_monitor = 100; + anti_nick_flood = yes; + max_nick_time = 20 seconds; + max_nick_changes = 5; + anti_spam_exit_message_time = 5 minutes; + ts_warn_delta = 30 seconds; + ts_max_delta = 5 minutes; + client_exit = yes; + collision_fnc = yes; + resv_fnc = yes; + global_snotices = yes; + dline_with_reason = yes; + kline_delay = 0 seconds; + kline_with_reason = yes; + kline_reason = "K-Lined"; + identify_service = "NickServ@services.int"; + identify_command = "IDENTIFY"; + non_redundant_klines = yes; + warn_no_nline = yes; + use_propagated_bans = yes; + stats_e_disabled = no; + stats_c_oper_only=no; + stats_h_oper_only=no; + stats_y_oper_only=no; + stats_o_oper_only=yes; + 
stats_P_oper_only=no; + stats_i_oper_only=masked; + stats_k_oper_only=masked; + map_oper_only = no; + operspy_admin_only = no; + operspy_dont_care_user_info = no; + caller_id_wait = 1 minute; + pace_wait_simple = 1 second; + pace_wait = 10 seconds; + short_motd = no; + ping_cookie = no; + connect_timeout = 30 seconds; + default_ident_timeout = 5; +<% if @ident == true -%> + disable_auth = no; +<% else -%> + disable_auth = yes; +<% end -%> + no_oper_flood = yes; + max_targets = 4; + client_flood_max_lines = 20; + use_whois_actually = no; + oper_only_umodes = operwall, locops, servnotice; + oper_umodes = locops, servnotice, operwall, wallop; + oper_snomask = "+s"; + burst_away = yes; + nick_delay = 0 seconds; # 15 minutes if you want to enable this + reject_ban_time = 1 minute; + reject_after_count = 3; + reject_duration = 5 minutes; + throttle_duration = <%= @throttle_duration %>; + throttle_count = <%= @throttle_count %>; + max_ratelimit_tokens = 30; + away_interval = 30; +}; + +modules { + path = "modules"; + path = "modules/autoload"; +};
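Review bot: Parameter values are rendered straight into double-quoted ircd.conf strings (`name = "<%= @server_name %>";`, `send_password = "<%= @services_password %>";`, and the `auth` and `operator` fields) with no check for characters that end the string, so a value containing `"` or a newline produces a config that either fails to parse or carries directives the author did not intend. The operator loop already rejects malformed entries with `scope.function_fail`, and the same kind of guard can cover the quoted values and the unquoted numeric ones (`port`, `sslport`, `throttle_count`, `throttle_duration`), as sketched below. Independently, every operator is given `privset = "admin"`, which includes `oper:die` and `oper:spy`; letting each operator entry name its privset would allow least privilege.

```erb
<%
  # Values rendered inside "..." must not be able to close the string.
  { 'sid' => @sid, 'server_name' => @server_name,
    'services_name' => @services_name,
    'services_password' => @services_password }.each do |key, value|
    scope.function_fail(["Invalid character in #{key}"]) if value.to_s =~ /["\\\r\n]/
  end
  # Unquoted settings must be plain numbers.
  { 'port' => @port, 'sslport' => @sslport,
    'throttle_count' => @throttle_count,
    'throttle_duration' => @throttle_duration }.each do |key, value|
    scope.function_fail(["#{key} must be numeric"]) unless value.to_s =~ /\A\d+\z/
  end
-%>
<%# … unchanged: extension list, serverinfo and the remaining blocks … %>
```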