2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
10 * [OPTIONAL] Non-Core Modules
12 * The following blocks are used to load all non-core modules, including 3rd-party modules.
13 * Modules can be prevented from loading by commenting out the line, other modules can be added by
14 * adding a module block. These modules will be loaded prior to Services connecting to your network.
16 * Note that some of these modules are labeled EXTRA, and must be enabled prior to compiling by
17 * running the 'extras' script on Linux and UNIX.
23 * Provides the command generic/help.
25 * This is a generic help command that can be used with any client.
27 module { name = "help" }
32 * Adds support for the DNS protocol. By itself this module does nothing useful,
33 * but other modules such as m_dnsbl and os_dns require this.
40 * The nameserver to use for resolving hostnames, must be an IP or a resolver configuration file.
41 * The below should work fine on all unix like systems. Windows users will have to find their nameservers
42 * from ipconfig /all and put the IP here.
44 nameserver = "/etc/resolv.conf"
45 #nameserver = "127.0.0.1"
48 * How long to wait in seconds before a DNS query has timed out.
53 /* Only edit below if you are expecting to use os_dns or otherwise answer DNS queries. */
56 * The IP and port services use to listen for DNS queries.
57 * Note that ports less than 1024 are privileged on UNIX/Linux systems, and
58 * require Anope to be started as root. If you do this, it is recommended you
59 * set options:user and options:group so Anope can change users after binding
67 * SOA record information.
70 /* E-mail address of the DNS administrator. */
71 admin = "admin@example.com"
73 /* This should be the names of the public facing nameservers serving the records. */
74 nameservers = "ns1.example.com ns2.example.com"
76 /* The time slave servers are allowed to cache. This should be reasonably low
77 * if you want your records to be updated without much delay.
81 /* A notify block. There should probably be one per nameserver listed in 'nameservers'.
93 * Allows configurable DNS blacklists to check connecting users against. If a user
94 * is found on the blacklist they will be immediately banned. This is a crucial module
95 * to prevent bot attacks.
102 * If set, Services will check clients against the DNSBLs when services connect to its uplink.
103 * This is not recommended, and on large networks will open a very large amount of DNS queries.
104 * Whilst services are not drastically affected by this, your nameserver/DNSBL might care.
106 check_on_connect = no
109 * If set, Services will check clients when coming back from a netsplit. This can cause a large number
110 * of DNS queries open at once. Whilst services are not drastically affected by this, your nameserver/DNSBL
113 check_on_netburst = no
116 * If set, OperServ will add clients found in the DNSBL to the akill list. Without it, OperServ simply sends
117 * a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots.
123 /* Name of the blacklist. */
124 name = "rbl.efnetrbl.org"
126 /* How long to set the ban for. */
130 * %n is the nick of the user
131 * %u is the ident/username of the user
132 * %g is the realname of the user
133 * %h is the hostname of the user
134 * %i is the IP of the user
135 * %r is the reply reason (configured below). Will be nothing if not configured.
136 * %N is the network name set in networkinfo:networkname
138 reason = "You are listed in the efnet RBL, visit http://rbl.efnetrbl.org/?i=%i for info"
140 /* Replies to ban and their reason. If no relies are configured, all replies get banned. */
144 reason = "Open Proxy"
150 reason = "spamtrap666"
156 reason = "spamtrap50"
165 * If set, users identified to services at the time the result comes back
166 * will not be banned.
174 reason = "Drones / Flooding"
180 name = "dnsbl.dronebl.org"
182 reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=%N"
185 /* Exempt localhost from DNSBL checks */
186 exempt { ip = "127.0.0.1" }
192 * Gives users who are op in the specified help channel usermode +h (helpop).
198 helpchannel = "#help"
204 * Allows services to serve web pages. By itself, this module does nothing useful.
206 * Note that using this will allow users to get the IP of your services.
207 * To prevent this we recommend using a reverse proxy or a tunnel.
215 /* Name of this service. */
218 /* IP to listen on. */
221 /* Port to listen on. */
224 /* Time before connections to this server are timed out. */
227 /* Listen using SSL. Requires an SSL module. */
230 /* If you are using a reverse proxy that sends one of the
231 * extforward_headers set below, set this to its IP.
232 * This allows services to obtain the real IP of users by
233 * reading the forwarded-for HTTP header.
235 #extforward_ip = "192.168.0.255"
237 /* The header to look for. These probably work as is. */
238 extforward_header = "X-Forwarded-For Forwarded-For"
245 * This module allows other modules to use LDAP. By itself, this module does nothing useful.
253 server = "ldap://127.0.0.1"
257 * Admin credentials used for performing searches and adding users.
259 admin_binddn = "cn=Manager,dc=anope,dc=org"
260 admin_password = "secret"
265 * m_ldap_authentication [EXTRA]
267 * This module allows many commands such as IDENTIFY, RELEASE, RECOVER, GHOST, etc. use
268 * LDAP to authenticate users. Requires m_ldap.
272 name = "m_ldap_authentication"
275 * The distinguished name used for searching for users's accounts.
277 basedn = "ou=users,dc=anope,dc=org"
280 * The search filter used to look up users's accounts.
281 * %account is replaced with the user's account.
282 * %object_class is replaced with the object_class configured below.
284 search_filter = "(&(uid=%account)(objectClass=%object_class))"
287 * The object class used by LDAP to store user account information.
288 * This is used for adding new users to LDAP if registration is allowed.
290 object_class = "anopeUser"
293 * The attribute value used for account names.
295 username_attribute = "uid"
298 * The attribute value used for email addresses.
299 * This directive is optional.
301 email_attribute = "email"
304 * The attribute value used for passwords.
305 * Used when registering new accounts in LDAP.
307 password_attribute = "userPassword"
310 * If set, the reason to give the users who try to register with nickserv,
311 * including nick registration from grouping.
313 * If not set, then registration is not blocked.
315 #disable_register_reason = "To register on this network visit http://some.misconfigured.site/register"
318 * If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
319 * If not set, then email changing is not blocked.
321 #disable_email_reason = "To change your email address visit http://some.misconfigured.site"
325 * m_ldap_oper [EXTRA]
327 * This module dynamically ties users to Anope opertypes when they identify
328 * via LDAP group membership. Requires m_ldap.
330 * Note that this doesn't give the user privileges on the IRCd, only in Services.
337 * An optional binddn to use when searching for groups.
338 * %a is replaced with the account name of the user.
340 #binddn = "cn=Manager,dc=anope,dc=org"
343 * An optional password to bind with.
348 * The base DN where the groups are.
350 basedn = "ou=groups,dc=anope,dc=org"
353 * The filter to use when searching for users.
354 * %a is replaced with the account name of the user.
356 filter = "(member=uid=%a,ou=users,dc=anope,dc=org)"
359 * The attribute of the group that is the name of the opertype.
360 * The cn attribute should match a known opertype in the config.
362 opertype_attribute = "cn"
368 * This module allows other modules to use MySQL.
376 /* The name of this service. */
381 password = "mypassword"
388 * This module allows other modules to use Redis.
394 /* A redis database */
397 /* The name of this service */
401 * The redis database to use. New connections default to 0.
411 * m_regex_pcre [EXTRA]
413 * Provides the regex engine regex/pcre, which uses the Perl Compatible Regular Expressions library.
415 #module { name = "m_regex_pcre" }
418 * m_regex_posix [EXTRA]
420 * Provides the regex engine regex/posix, which uses the POSIX compliant regular expressions.
421 * This is likely the only regex module you will not need extra libraries for.
423 module { name = "m_regex_posix" }
426 * m_regex_tre [EXTRA]
428 * Provides the regex engine regex/tre, which uses the TRE regex library.
430 #module { name = "m_regex_tre" }
435 * Allows rewriting commands sent to/from clients.
437 #module { name = "m_rewrite" }
440 service = "ChanServ"; name = "CLEAR"; command = "rewrite"
442 /* Enable m_rewrite. */
445 /* Source message to match. A $ can be used to match anything. */
446 rewrite_source = "CLEAR $ USERS"
449 * Message to rewrite the source message to. A $ followed by a number, eg $0, gets
450 * replaced by the number-th word from the source_message, starting from 0.
452 rewrite_target = "KICK $1 *"
455 * The command description. This only shows up in HELP's output.
456 * Comment this option to prevent the command from showing in the
459 rewrite_description = "Clears all users from a channel"
465 * This module allows you to scan connecting clients for open proxies.
466 * Note that using this will allow users to get the IP of your services.
468 * Currently the two supported proxy types are HTTP and SOCKS5.
470 * The proxy scanner works by attempting to connect to clients when they
471 * connect to the network, and if they have a proxy running instruct it to connect
472 * back to services. If services are able to connect through the proxy to itself
473 * then it knows it is an insecure proxy, and will ban it.
480 * The target IP services tells the proxy to connect back to. This must be a publicly
481 * available IP that remote proxies can connect to.
483 #target_ip = "127.0.0.1"
486 * The port services tells the proxy to connect to.
491 * The listen IP services listen on for incoming connections from suspected proxies.
492 * This probably will be the same as target_ip, but may not be if you are behind a firewall (NAT).
494 #listen_ip = "127.0.0.1"
497 * The port services should listen on for incoming connections from suspected proxies.
498 * This most likely will be the same as target_port.
503 * An optional notice sent to clients upon connect.
505 #connect_notice = "We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately."
508 * Who the notice should be sent from.
510 #connect_source = "OperServ"
513 * If set, OperServ will add infected clients to the akill list. Without it, OperServ simply sends
514 * a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being filled up by bots.
519 * How long before connections should be timed out.
525 /* The type of proxy to check for. A comma separated list is allowed. */
528 /* The ports to check. */
531 /* How long to set the ban for. */
535 * The reason to ban the user for.
536 * %h is replaced with the type of proxy found.
537 * %i is replaced with the IP of proxy found.
538 * %p is replaced with the port.
540 reason = "You have an open proxy running on your host (%t:%i:%p)"
547 * Some IRCds allow "SASL" authentication to let users identify to Services
548 * during the IRCd user registration process. If this module is loaded, Services will allow
549 * authenticating users through this mechanism. Supported mechanisms are:
552 module { name = "m_sasl" }
555 * m_sasl_dh-aes [EXTRA]
557 * Add the DH-AES mechanism to SASL.
558 * Requires m_sasl to be loaded.
561 module { name = "m_sasl_dh-aes" }
564 * m_sasl_dh-blowfish [EXTRA]
566 * Add the DH-BLOWFISH mechanism to SASL.
567 * Requires m_sasl to be loaded.
570 module { name = "m_sasl_dh-blowfish" }
573 * m_ssl_gnutls [EXTRA]
575 * This module provides SSL services to Anope using GnuTLS, for example to
576 * connect to the uplink server(s) via SSL.
578 * You may only load either m_ssl_gnutls or m_ssl_openssl, bot not both.
582 name = "m_ssl_gnutls"
585 * An optional certificate and key for m_ssl_gnutls to give to the uplink.
587 * You can generate your own certificate and key pair by using:
589 * certtool --generate-privkey --bits 2048 --outfile anope.key
590 * certtool --generate-self-signed --load-privkey anope.key --outfile anope.crt
593 cert = "data/anope.crt"
594 key = "data/anope.key"
597 * Diffie-Hellman parameters to use when acting as a server. This is only
598 * required for TLS servers that want to use ephemeral DH cipher suites.
600 * This is NOT required for Anope to connect to the uplink server(s) via SSL.
602 * You can generate DH parameters by using:
604 * certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
607 # dhparams = "data/dhparams.pem"
611 * m_ssl_openssl [EXTRA]
613 * This module provides SSL services to Anope using OpenSSL, for example to
614 * connect to the uplink server(s) via SSL.
616 * You may only load either m_ssl_openssl or m_ssl_gnutls, bot not both.
621 name = "m_ssl_openssl"
624 * An optional certificate and key for m_ssl_openssl to give to the uplink.
626 * You can generate your own certificate and key pair by using:
628 * openssl genrsa -out anope.key 2048
629 * openssl req -new -x509 -key anope.key -out anope.crt -days 1095
631 cert = "data/anope.crt"
632 key = "data/anope.key"
635 * As of 2014 SSL 3.0 is considered insecure, but it might be enabled
636 * on some systems by default for compatibility reasons.
637 * You can use the following option to enable or disable it explicitly.
638 * Leaving this option not set defaults to the default system behavior.
644 * m_sql_authentication [EXTRA]
646 * This module allows authenticating users against an external SQL database using a custom
651 name = "m_sql_authentication"
653 /* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
654 engine = "mysql/main"
656 /* Query to execute to authenticate. A non empty result from this query is considered a success,
657 * and the user will be authenticated.
659 * @a@ is replaced with the user's account name
660 * @p@ is replaced with the user's password
661 * @n@ is replaced with the user's nickname
662 * @i@ is replaced with the user's IP
664 * Note that @n@ and @i@ may not always exist in the case of a user identifying outside of the normal
665 * nickserv/identify command, such as through the web panel.
667 * Furthermore, if a field named email is returned from this query the user's email is
671 * We've included some example queries for some popular website/forum systems.
673 * Drupal 6: "SELECT `mail` AS `email` FROM `users` WHERE `name` = @a@ AND `pass` = MD5(@p@) AND `status` = 1"
674 * e107 cms: "SELECT `user_email` AS `email` FROM `e107_user` WHERE `user_loginname` = @a@ AND `user_password` = MD5(@p@)"
675 * SMF Forum: "SELECT `email_address` AS `email` FROM `smf_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))"
676 * vBulletin: "SELECT `email` FROM `user` WHERE `username` = @a@ AND `password` = MD5(CONCAT(MD5(@p@), `salt`))"
677 * IP.Board: "SELECT `email` FROM `ibf_members` WHERE `name` = @a@ AND `members_pass_hash` = MD5(CONCAT(MD5(`members_pass_salt`), MD5(@p@)))"
679 query = "SELECT `email_addr` AS `email` FROM `my_users` WHERE `username` = @a@ AND `password` = MD5(CONCAT('salt', @p@))"
682 * If set, the reason to give the users who try to "/msg NickServ REGISTER".
683 * If not set, then registration is not blocked.
685 #disable_reason = "To register on this network visit http://some.misconfigured.site/register"
688 * If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
689 * If not set, then email changing is not blocked.
691 #disable_email_reason = "To change your email address visit http://some.misconfigured.site"
697 * This module adds an additional target option to log{} blocks
698 * that allows logging Service's logs to SQL. To log to SQL, add
699 * the SQL service name to log:targets prefixed by sql_log:. For
704 * targets = "services.log sql_log:mysql/main"
708 * By default this module logs to the table `logs`, and will create
709 * it if it doesn't exist. This module does not create any indexes (keys)
710 * on the table and it is recommended you add them yourself as necessary.
712 #module { name = "m_sql_log" }
717 * This module allows granting users services operator privileges and possibly IRC Operator
718 * privileges based on an external SQL database using a custom query.
724 /* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
725 engine = "mysql/main"
727 /* Query to execute to determine if a user should have operator privileges.
728 * A field named opertype must be returned in order to link the user to their oper type.
729 * The oper types must be configured earlier in services.conf.
731 * If a field named modes is returned from this query then those modes are set on the user.
732 * Without this, only a simple +o is sent.
734 * @a@ is replaced with the user's account name
735 * @i@ is replaced with the user's IP
737 query = "SELECT `opertype` FROM `my_users` WHERE `user_name` = @a@"
743 * This module allows other modules to use SQLite.
749 /* A SQLite database */
752 /* The name of this service. */
755 /* The database name, it will be created if it does not exist. */
756 database = "anope.db"
763 * This module creates a web configuration panel that allows users and operators to perform any task
764 * as they could over IRC. If you are using the default configuration you should be able to access
765 * this panel by visiting http://127.0.0.1:8080 in your web browser from the machine Anope is running on.
767 * This module requires m_httpd.
773 /* Web server to use. */
774 server = "httpd/main";
776 /* Template to use. */
777 template = "default";
780 title = "Anope IRC Services";
786 * Allows remote applications (websites) to execute queries in real time to retrieve data from Anope.
787 * By itself this module does nothing, but allows other modules (m_xmlrpc_main) to receive and send XMLRPC queries.
793 /* Web service to use. Requires m_httpd. */
794 server = "httpd/main"
800 * Adds the main XMLRPC core functions.
803 #module { name = "m_xmlrpc_main" }
SomeNet / public repos / root / pub / somesible.git / blob