/* * [OPTIONAL] Non-Core Modules * * The following blocks are used to load all non-core modules, including 3rd-party modules. * Modules can be prevented from loading by commenting out the line, other modules can be added by * adding a module block. These modules will be loaded prior to Services connecting to your network. * * Note that some of these modules are labeled EXTRA, and must be enabled prior to compiling by * running the 'extras' script on Linux and UNIX. */ /* * help * * Provides the command generic/help. * * This is a generic help command that can be used with any client. */ module { name = "help" } /* * m_ldap [EXTRA] * * This module allows other modules to use LDAP. By itself, this module does nothing useful. */ module { name = "m_ldap" ldap { server = "ldap://127.0.0.1" port = 389 /* * Admin credentials used for performing searches and adding users. */ admin_binddn = "uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }}" admin_password = "{{ secrets['Sora']['bindpassword'] }}" } } /* * m_ldap_authentication [EXTRA] * * This module allows many commands such as IDENTIFY, RELEASE, RECOVER, GHOST, etc. use * LDAP to authenticate users. Requires m_ldap. */ module { name = "m_ldap_authentication" /* * The distinguished name used for searching for users's accounts. */ basedn = "{{ ldap['userou'] }},{{ ldap['orgdn'] }}" /* * The search filter used to look up users's accounts. * %account is replaced with the user's account. * %object_class is replaced with the object_class configured below. */ search_filter = "uid=%account" /* * The object class used by LDAP to store user account information. * This is used for adding new users to LDAP if registration is allowed. */ object_class = "organizationalPerson" /* * The attribute value used for account names. */ username_attribute = "uid" /* * The attribute value used for email addresses. * This directive is optional. */ email_attribute = "email" /* * The attribute value used for passwords. * Used when registering new accounts in LDAP. */ password_attribute = "userPassword" /* * If set, the reason to give the users who try to register with nickserv, * including nick registration from grouping. * * If not set, then registration is not blocked. */ #disable_register_reason = "To register on this network, contact a netadmin in #lobby. They will need to add an AniNIX/Sora LDAP account for you." /* * If set, the reason to give the users who try to "/msg NickServ SET EMAIL". * If not set, then email changing is not blocked. */ disable_email_reason = "Not allowed -- this network does not use email for account management." } /* * m_dns * * Adds support for the DNS protocol. By itself this module does nothing useful, * but other modules such as m_dnsbl and os_dns require this. */ #module { name = "m_dns" /* * The nameserver to use for resolving hostnames, must be an IP or a resolver configuration file. * The below should work fine on all unix like systems. Windows users will have to find their nameservers * from ipconfig /all and put the IP here. */ nameserver = "/etc/resolv.conf" #nameserver = "127.0.0.1" /* * How long to wait in seconds before a DNS query has timed out. */ timeout = 5 /* Only edit below if you are expecting to use os_dns or otherwise answer DNS queries. */ /* * The IP and port services use to listen for DNS queries. * Note that ports less than 1024 are privileged on UNIX/Linux systems, and * require Anope to be started as root. If you do this, it is recommended you * set options:user and options:group so Anope can change users after binding * to this port. */ ip = "0.0.0.0" port = 53 /* * SOA record information. */ /* E-mail address of the DNS administrator. */ admin = "admin@example.com" /* This should be the names of the public facing nameservers serving the records. */ nameservers = "ns1.example.com ns2.example.com" /* The time slave servers are allowed to cache. This should be reasonably low * if you want your records to be updated without much delay. */ refresh = 3600 /* A notify block. There should probably be one per nameserver listed in 'nameservers'. */ notify { ip = "192.0.2.0" port = 53 } } /* * m_dnsbl * * Allows configurable DNS blacklists to check connecting users against. If a user * is found on the blacklist they will be immediately banned. This is a crucial module * to prevent bot attacks. */ #module { name = "m_dnsbl" /* * If set, Services will check clients against the DNSBLs when services connect to its uplink. * This is not recommended, and on large networks will open a very large amount of DNS queries. * Whilst services are not drastically affected by this, your nameserver/DNSBL might care. */ check_on_connect = no /* * If set, Services will check clients when coming back from a netsplit. This can cause a large number * of DNS queries open at once. Whilst services are not drastically affected by this, your nameserver/DNSBL * might care. */ check_on_netburst = no /* * If set, OperServ will add clients found in the DNSBL to the akill list. Without it, OperServ simply sends * a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots. */ add_to_akill = yes blacklist { /* Name of the blacklist. */ name = "rbl.efnetrbl.org" /* How long to set the ban for. */ time = 4h /* Reason for akill. * %n is the nick of the user * %u is the ident/username of the user * %g is the realname of the user * %h is the hostname of the user * %i is the IP of the user * %r is the reply reason (configured below). Will be nothing if not configured. * %N is the network name set in networkinfo:networkname */ reason = "You are listed in the efnet RBL, visit http://rbl.efnetrbl.org/?i=%i for info" /* Replies to ban and their reason. If no relies are configured, all replies get banned. */ reply { code = 1 reason = "Open Proxy" } #reply { code = 2 reason = "spamtrap666" } #reply { code = 3 reason = "spamtrap50" } reply { code = 4 reason = "TOR" /* * If set, users identified to services at the time the result comes back * will not be banned. */ #allow_account = yes } reply { code = 5 reason = "Drones / Flooding" } } #blacklist { name = "dnsbl.dronebl.org" time = 4h reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=%N" } /* Exempt localhost from DNSBL checks */ exempt { ip = "127.0.0.1" } } /* * m_helpchan * * Gives users who are op in the specified help channel usermode +h (helpop). */ #module { name = "m_helpchan" helpchannel = "#help" } /* * m_httpd * * Allows services to serve web pages. By itself, this module does nothing useful. * * Note that using this will allow users to get the IP of your services. * To prevent this we recommend using a reverse proxy or a tunnel. */ #module { name = "m_httpd" httpd { /* Name of this service. */ name = "httpd/main" /* IP to listen on. */ ip = "0.0.0.0" /* Port to listen on. */ port = 8080 /* Time before connections to this server are timed out. */ timeout = 30 /* Listen using SSL. Requires an SSL module. */ #ssl = yes /* If you are using a reverse proxy that sends one of the * extforward_headers set below, set this to its IP. * This allows services to obtain the real IP of users by * reading the forwarded-for HTTP header. */ #extforward_ip = "192.168.0.255" /* The header to look for. These probably work as is. */ extforward_header = "X-Forwarded-For Forwarded-For" } } /* * m_ldap_oper [EXTRA] * * This module dynamically ties users to Anope opertypes when they identify * via LDAP group membership. Requires m_ldap. * * Note that this doesn't give the user privileges on the IRCd, only in Services. */ #module { name = "m_ldap_oper" /* * An optional binddn to use when searching for groups. * %a is replaced with the account name of the user. */ #binddn = "cn=Manager,dc=anope,dc=org" /* * An optional password to bind with. */ #password = "secret" /* * The base DN where the groups are. */ basedn = "ou=groups,dc=anope,dc=org" /* * The filter to use when searching for users. * %a is replaced with the account name of the user. */ filter = "(member=uid=%a,ou=users,dc=anope,dc=org)" /* * The attribute of the group that is the name of the opertype. * The cn attribute should match a known opertype in the config. */ opertype_attribute = "cn" } /* * m_mysql [EXTRA] * * This module allows other modules to use MySQL. */ #module { name = "m_mysql" mysql { /* The name of this service. */ name = "mysql/main" database = "anope" server = "127.0.0.1" username = "anope" password = port = 3306 } } /* * m_redis * * This module allows other modules to use Redis. */ #module { name = "m_redis" /* A redis database */ redis { /* The name of this service */ name = "redis/main" /* * The redis database to use. New connections default to 0. */ db = 0 ip = "127.0.0.1" port = 6379 } } /* * m_regex_pcre [EXTRA] * * Provides the regex engine regex/pcre, which uses the Perl Compatible Regular Expressions library. */ #module { name = "m_regex_pcre" } /* * m_regex_posix [EXTRA] * * Provides the regex engine regex/posix, which uses the POSIX compliant regular expressions. * This is likely the only regex module you will not need extra libraries for. */ #module { name = "m_regex_posix" } /* * m_regex_tre [EXTRA] * * Provides the regex engine regex/tre, which uses the TRE regex library. */ #module { name = "m_regex_tre" } /* * m_rewrite * * Allows rewriting commands sent to/from clients. */ #module { name = "m_rewrite" } #command { service = "ChanServ"; name = "CLEAR"; command = "rewrite" /* Enable m_rewrite. */ rewrite = true /* Source message to match. A $ can be used to match anything. */ rewrite_source = "CLEAR $ USERS" /* * Message to rewrite the source message to. A $ followed by a number, eg $0, gets * replaced by the number-th word from the source_message, starting from 0. */ rewrite_target = "KICK $1 *" /* * The command description. This only shows up in HELP's output. * Comment this option to prevent the command from showing in the * HELP command. */ rewrite_description = "Clears all users from a channel" } /* * m_proxyscan * * This module allows you to scan connecting clients for open proxies. * Note that using this will allow users to get the IP of your services. * * Currently the two supported proxy types are HTTP and SOCKS5. * * The proxy scanner works by attempting to connect to clients when they * connect to the network, and if they have a proxy running instruct it to connect * back to services. If services are able to connect through the proxy to itself * then it knows it is an insecure proxy, and will ban it. */ #module { name = "m_proxyscan" /* * The target IP services tells the proxy to connect back to. This must be a publicly * available IP that remote proxies can connect to. */ #target_ip = "127.0.0.1" /* * The port services tells the proxy to connect to. */ target_port = 7226 /* * The listen IP services listen on for incoming connections from suspected proxies. * This probably will be the same as target_ip, but may not be if you are behind a firewall (NAT). */ #listen_ip = "127.0.0.1" /* * The port services should listen on for incoming connections from suspected proxies. * This most likely will be the same as target_port. */ listen_port = 7226 /* * An optional notice sent to clients upon connect. */ #connect_notice = "We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately." /* * Who the notice should be sent from. */ #connect_source = "OperServ" /* * If set, OperServ will add infected clients to the akill list. Without it, OperServ simply sends * a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being filled up by bots. */ add_to_akill = yes /* * How long before connections should be timed out. */ timeout = 5 proxyscan { /* The type of proxy to check for. A comma separated list is allowed. */ type = "HTTP" /* The ports to check. */ port = "80,8080" /* How long to set the ban for. */ time = 4h /* * The reason to ban the user for. * %h is replaced with the type of proxy found. * %i is replaced with the IP of proxy found. * %p is replaced with the port. */ reason = "You have an open proxy running on your host (%t:%i:%p)" } } /* * m_sasl * * Some IRCds allow "SASL" authentication to let users identify to Services * during the IRCd user registration process. If this module is loaded, Services will allow * authenticating users through this mechanism. Supported mechanisms are: * PLAIN, EXTERNAL. */ module { name = "m_sasl" } /* * m_sasl_dh-aes [EXTRA] * * Add the DH-AES mechanism to SASL. * Requires m_sasl to be loaded. * Requires openssl. */ #module { name = "m_sasl_dh-aes" } /* * m_sasl_dh-blowfish [EXTRA] * * Add the DH-BLOWFISH mechanism to SASL. * Requires m_sasl to be loaded. * Requires openssl. */ #module { name = "m_sasl_dh-blowfish" } /* * m_ssl_gnutls [EXTRA] * * This module provides SSL services to Anope using GnuTLS, for example to * connect to the uplink server(s) via SSL. * * You may only load either m_ssl_gnutls or m_ssl_openssl, bot not both. */ #module { name = "m_ssl_gnutls" /* * An optional certificate and key for m_ssl_gnutls to give to the uplink. * * You can generate your own certificate and key pair by using: * * certtool --generate-privkey --bits 2048 --outfile anope.key * certtool --generate-self-signed --load-privkey anope.key --outfile anope.crt * */ cert = "data/anope.crt" key = "data/anope.key" /* * Diffie-Hellman parameters to use when acting as a server. This is only * required for TLS servers that want to use ephemeral DH cipher suites. * * This is NOT required for Anope to connect to the uplink server(s) via SSL. * * You can generate DH parameters by using: * * certtool --generate-dh-params --bits 2048 --outfile dhparams.pem * */ # dhparams = "data/dhparams.pem" } /* * m_ssl_openssl [EXTRA] * * This module provides SSL services to Anope using OpenSSL, for example to * connect to the uplink server(s) via SSL. * * You may only load either m_ssl_openssl or m_ssl_gnutls, bot not both. * */ #module { name = "m_ssl_openssl" /* * An optional certificate and key for m_ssl_openssl to give to the uplink. * * You can generate your own certificate and key pair by using: * * openssl genrsa -out anope.key 2048 * openssl req -new -x509 -key anope.key -out anope.crt -days 1095 */ cert = "data/anope.crt" key = "data/anope.key" /* * As of 2014 SSL 3.0 is considered insecure, but it might be enabled * on some systems by default for compatibility reasons. * You can use the following option to enable or disable it explicitly. * Leaving this option not set defaults to the default system behavior. */ sslv3 = no } /* * m_sql_authentication [EXTRA] * * This module allows authenticating users against an external SQL database using a custom * query. */ #module { name = "m_sql_authentication" /* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */ engine = "mysql/main" /* Query to execute to authenticate. A non empty result from this query is considered a success, * and the user will be authenticated. * * @a@ is replaced with the user's account name * @p@ is replaced with the user's password * @n@ is replaced with the user's nickname * @i@ is replaced with the user's IP * * Note that @n@ and @i@ may not always exist in the case of a user identifying outside of the normal * nickserv/identify command, such as through the web panel. * * Furthermore, if a field named email is returned from this query the user's email is * set to its value. * * * We've included some example queries for some popular website/forum systems. * * Drupal 6: "SELECT `mail` AS `email` FROM `users` WHERE `name` = @a@ AND `pass` = MD5(@p@) AND `status` = 1" * e107 cms: "SELECT `user_email` AS `email` FROM `e107_user` WHERE `user_loginname` = @a@ AND `user_password` = MD5(@p@)" * SMF Forum: "SELECT `email_address` AS `email` FROM `smf_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))" * vBulletin: "SELECT `email` FROM `user` WHERE `username` = @a@ AND `password` = MD5(CONCAT(MD5(@p@), `salt`))" * IP.Board: "SELECT `email` FROM `ibf_members` WHERE `name` = @a@ AND `members_pass_hash` = MD5(CONCAT(MD5(`members_pass_salt`), MD5(@p@)))" */ query = "SELECT `email_addr` AS `email` FROM `my_users` WHERE `username` = @a@ AND `password` = MD5(CONCAT('salt', @p@))" /* * If set, the reason to give the users who try to "/msg NickServ REGISTER". * If not set, then registration is not blocked. */ #disable_reason = "To register on this network visit http://some.misconfigured.site/register" /* * If set, the reason to give the users who try to "/msg NickServ SET EMAIL". * If not set, then email changing is not blocked. */ #disable_email_reason = "To change your email address visit http://some.misconfigured.site" } /* * m_sql_log [EXTRA] * * This module adds an additional target option to log{} blocks * that allows logging Service's logs to SQL. To log to SQL, add * the SQL service name to log:targets prefixed by sql_log:. For * example: * * log * { * targets = "services.log sql_log:mysql/main" * ... * } * * By default this module logs to the table `logs`, and will create * it if it doesn't exist. This module does not create any indexes (keys) * on the table and it is recommended you add them yourself as necessary. */ #module { name = "m_sql_log" } /* * m_sql_oper [EXTRA] * * This module allows granting users services operator privileges and possibly IRC Operator * privileges based on an external SQL database using a custom query. */ #module { name = "m_sql_oper" /* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */ engine = "mysql/main" /* Query to execute to determine if a user should have operator privileges. * A field named opertype must be returned in order to link the user to their oper type. * The oper types must be configured earlier in services.conf. * * If a field named modes is returned from this query then those modes are set on the user. * Without this, only a simple +o is sent. * * @a@ is replaced with the user's account name * @i@ is replaced with the user's IP */ query = "SELECT `opertype` FROM `my_users` WHERE `user_name` = @a@" } /* * m_sqlite [EXTRA] * * This module allows other modules to use SQLite. */ #module { name = "m_sqlite" /* A SQLite database */ sqlite { /* The name of this service. */ name = "sqlite/main" /* The database name, it will be created if it does not exist. */ database = "anope.db" } } /* * webcpanel * * This module creates a web configuration panel that allows users and operators to perform any task * as they could over IRC. If you are using the default configuration you should be able to access * this panel by visiting http://127.0.0.1:8080 in your web browser from the machine Anope is running on. * * This module requires m_httpd. */ #module { name = "webcpanel" /* Web server to use. */ server = "httpd/main"; /* Template to use. */ template = "default"; /* Page title. */ title = "Anope IRC Services"; } /* * m_xmlrpc * * Allows remote applications (websites) to execute queries in real time to retrieve data from Anope. * By itself this module does nothing, but allows other modules (m_xmlrpc_main) to receive and send XMLRPC queries. */ #module { name = "m_xmlrpc" /* Web service to use. Requires m_httpd. */ server = "httpd/main" } /* * m_xmlrpc_main * * Adds the main XMLRPC core functions. * Requires m_xmlrpc. */ #module { name = "m_xmlrpc_main" }