diff options
| author | GoliathLabs | 2020-05-19 16:28:26 +0200 |
|---|---|---|
| committer | GoliathLabs | 2020-05-19 16:28:26 +0200 |
| commit | fe4ebf0958a42cf3644ce8cebf7b80f4de36d07a (patch) | |
| tree | 1893961ab66ec1ed91705576dc6f56e0a192c9d0 | |
| parent | 004e20e17e38a0eeb845be10ff8306bcb73ef949 (diff) | |
| download | aur-fe4ebf0958a42cf3644ce8cebf7b80f4de36d07a.tar.gz | |
Updated: PKGBUILD
| -rw-r--r-- | .SRCINFO | 21 | ||||
| -rw-r--r-- | PKGBUILD | 51 | ||||
| -rw-r--r-- | ircd-hybrid.conf | 1362 | ||||
| -rw-r--r-- | ircd-hybrid.service | 16 | ||||
| -rw-r--r-- | ircd-hybrid.sysusers | 2 | ||||
| -rw-r--r-- | ircd-hybrid.tmpfiles | 2 |
6 files changed, 1441 insertions, 13 deletions
@@ -1,14 +1,29 @@ pkgbase = ircd-hybrid pkgdesc = A lightweight, high-performance internet relay chat daemon. - pkgver = 8.2.28 + pkgver = 8.2.31 pkgrel = 1 url = http://www.ircd-hybrid.org/ arch = i686 arch = x86_64 license = GPLv2 + depends = zlib + depends = pcre depends = openssl - source = ircd-hybrid-8.2.28.tar.gz::https://github.com/ircd-hybrid/ircd-hybrid/archive/8.2.28.tar.gz - sha512sums = d354c6dc43614d41995be44049d33395f8bfd025aab5bcb39721d358a06ea9bc03962d3cb8ed985e35b3397c248dd0e09b485343cc9da0934520dace5ec77b94 + optdepends = anope: IRC services designed for flexibility and ease of use + provides = ircd + conflicts = ircd + options = libtool + backup = etc/ircd-hybrid/ircd.conf + source = ircd-hybrid-8.2.31.tar.gz::https://github.com/ircd-hybrid/ircd-hybrid/archive/8.2.31.tar.gz + source = ircd-hybrid.service + source = ircd-hybrid.tmpfiles + source = ircd-hybrid.sysusers + source = ircd-hybrid.conf + sha512sums = 298eacb90f79491236a5f939aef427cf4fc017a1a43d68336b4abe65a7d6b849309077ef4d74b9a885da9161d6cbbdd2e7bff73499900dc3b4e4142cace67a56 + sha512sums = cebd20d53d7e289ebfebaf5944bfb9a22a7dc6b013681157b4b254d86f917b9fc76a7d5100fe99c5cce74db2a96417c1f081df39b41b35860dc87348f07c2b02 + sha512sums = db9efc53012993577b4f5510898c788c7a70de9348d66e6b1a6826d519f47ca2a28689a60c3e6b5a30f33b3b4af058f4c2cca5f89ad02ef37f86286c0096314f + sha512sums = 41e50980eefa1f4b2cb39bc0ac6017f42ae5c8e9bc0ca3670432e181883b40b41765917c25fbd273af83c92237003ff955f69bef0851f8cf9eb84dfb384515fa + sha512sums = 706551c02765ed5203586ade3e73db8aa0552b21cf65094359dbc5ab5e4ef9ff6e8af32776e52adb2bca17a2eb83cf4df1fe6923689562b1696877ab30de3a98 pkgname = ircd-hybrid @@ -1,23 +1,43 @@ -# Maintainer: Samadi van Koten <me at vktec dot co dot uk> +# Maintainer: Felix Golatofski <contact@xdfr.de> +# Contributor: Samadi van Koten <me at vktec dot co dot uk> pkgname=ircd-hybrid -pkgver=8.2.28 +pkgver=8.2.31 pkgrel=1 pkgdesc='A lightweight, high-performance internet relay chat daemon.' arch=('i686' 'x86_64') url='http://www.ircd-hybrid.org/' license=('GPLv2') -depends=('openssl') -makedepends=() -conflicts=() -provides=() -options=() -source=("$pkgname-$pkgver.tar.gz::https://github.com/ircd-hybrid/ircd-hybrid/archive/$pkgver.tar.gz") -sha512sums=('d354c6dc43614d41995be44049d33395f8bfd025aab5bcb39721d358a06ea9bc03962d3cb8ed985e35b3397c248dd0e09b485343cc9da0934520dace5ec77b94') +depends=("zlib" "pcre" "openssl") +optdepends=("anope: IRC services designed for flexibility and ease of use") +source=("$pkgname-$pkgver.tar.gz::https://github.com/ircd-hybrid/ircd-hybrid/archive/${pkgver}.tar.gz" + "$pkgname.service" + "$pkgname.tmpfiles" + "$pkgname.sysusers" + "$pkgname.conf") +conflicts=("ircd") +provides=("ircd") +backup=("etc/ircd-hybrid/ircd.conf") +sha512sums=('298eacb90f79491236a5f939aef427cf4fc017a1a43d68336b4abe65a7d6b849309077ef4d74b9a885da9161d6cbbdd2e7bff73499900dc3b4e4142cace67a56' + 'cebd20d53d7e289ebfebaf5944bfb9a22a7dc6b013681157b4b254d86f917b9fc76a7d5100fe99c5cce74db2a96417c1f081df39b41b35860dc87348f07c2b02' + 'db9efc53012993577b4f5510898c788c7a70de9348d66e6b1a6826d519f47ca2a28689a60c3e6b5a30f33b3b4af058f4c2cca5f89ad02ef37f86286c0096314f' + '41e50980eefa1f4b2cb39bc0ac6017f42ae5c8e9bc0ca3670432e181883b40b41765917c25fbd273af83c92237003ff955f69bef0851f8cf9eb84dfb384515fa' + '706551c02765ed5203586ade3e73db8aa0552b21cf65094359dbc5ab5e4ef9ff6e8af32776e52adb2bca17a2eb83cf4df1fe6923689562b1696877ab30de3a98') +options=('libtool') build() { cd "$srcdir/$pkgname-$pkgver" - ./configure --prefix=/usr/ --enable-epoll --sysconfdir=/etc/ircd/ + autoconf + ./configure \ + --prefix=/usr/ \ + --bindir=/usr/bin \ + --sysconfdir=/etc/${pkgname} \ + --localstatedir=/var \ + --datarootdir=/usr/share \ + --mandir=/usr/share/man \ + --includedir=/usr/include \ + --libdir=/usr/lib \ + --enable-epoll make } @@ -29,6 +49,17 @@ check() { package() { cd "$srcdir/$pkgname-$pkgver" make DESTDIR="$pkgdir" install + + # Install Hybrid sample configuration + install -D -m 0660 ${srcdir}/${pkgname}.conf ${pkgdir}/etc/${pkgname}/ircd.conf + install -Dm644 "${srcdir}/$pkgname.service" "${pkgdir}"/usr/lib/systemd/system/$pkgname.service + install -Dm644 "${srcdir}/$pkgname.sysusers" "$pkgdir/usr/lib/sysusers.d/$pkgname.conf" + + # Prepare extra directories + install -d "${pkgdir}/var/log/ircd" + install -d "${pkgdir}/var/lib/ircd" + install -d "${pkgdir}/run/ircd" + install -d -m 0750 "${pkgdir}/etc/${pkgname}/ssl" } # vim: ft=sh sw=2 ts=2 et diff --git a/ircd-hybrid.conf b/ircd-hybrid.conf new file mode 100644 index 000000000000..024ca2d54b2c --- /dev/null +++ b/ircd-hybrid.conf @@ -0,0 +1,1362 @@ +/* + * This is an example configuration file for ircd-hybrid + * + * Copyright (c) 1997-2020 ircd-hybrid development team + * + * $Id$ + */ + +/* + * ######################################################################## + * IMPORTANT NOTE: + * + * auth {} blocks MUST be specified in order of precedence. The first one + * that matches a user will be used. So place spoofs first, then specials, + * then general access. + * ######################################################################## + * + * Shell style (#), C++ style (//) and C style comments are supported. + * + * Files may be included by either: + * .include "filename" + * .include <filename> + * + * Times/durations are written as: + * 12 hours 30 minutes 1 second + * + * Valid units of time: + * year, month, week, day, hour, minute, second + * + * Valid units of size: + * megabyte/mbyte/mb, kilobyte/kbyte/kb, byte + * + * Sizes and times may be singular or plural. + */ + + +/* + * serverinfo {}: contains information about the server + */ +serverinfo { + /* + * name: the name of this server. This cannot be changed at runtime. + */ + name = "server.example.net"; + + /* + * sid: a server's unique ID. This is three characters long and must + * be in the form [0-9][A-Z0-9][A-Z0-9]. The first character must be + * a digit, followed by 2 alpha-numerical letters. + * + * NOTE: The letters must be capitalized. This cannot be changed at runtime. + * + * A sid is automatically generated at runtime, if you want to configure + * a specific sid, uncomment the following line. + */ +# sid = "0HY"; + + /* + * description: the description of the server. + */ + description = "ircd-hybrid test server"; + + /* + * network_name, network_desc: the name and description of the network this + * server is on. Shown in the 005 reply and used with serverhiding. + */ + network_name = "MyNet"; + network_desc = "This is My Network"; + + /* + * hub: allow this server to act as a hub and have multiple servers + * connected to it. + */ + hub = no; + + /* + * default_max_clients: the default maximum number of clients allowed + * to connect. This can be changed from within IRC via /QUOTE SET MAX. + */ + default_max_clients = 512; + + /* + * max_nick_length: only applies to local clients. Must be in the + * range of 9 to 30. Default is 9 if nothing else is specified. + */ + max_nick_length = 9; + + /* + * max_topic_length: only applies to topics set by local clients. + * Must be in the range of 80 to 300. Default is 80 if nothing + * else is specified. + */ + max_topic_length = 160; + + /* + * rsa_private_key_file: the path to the file containing the RSA key. + * + * Once the RSA key is generated, it is highly recommended to lock down + * its file permissions: + * + * chown <ircd-user>.<ircd.group> rsa.key + * chmod 0600 rsa.key + */ +# rsa_private_key_file = "etc/rsa.key"; + + /* + * tls_certificate_file: the path to the file containing our + * TLS certificate for encrypted client connection. + */ +# tls_certificate_file = "etc/cert.pem"; + + /* + * tls_dh_param_file: the path to the PEM encoded Diffie-Hellman + * parameter file. DH parameters are required when using + * ciphers with EDH (ephemeral Diffie-Hellman) key exchange. + */ +# tls_dh_param_file = "etc/dhparam.pem"; + + /* + * tls_supported_groups: defines the curve to use for the + * Elliptic Curve Diffie-Hellman (ECDH) algorithm. + * If none is specified, OpenSSL does enable automatic curve selection. + * + * It is recommended to leave this directive commented out and have the + * TLS library choose the optimal settings. + * + * This directive currently doesn't do anything with GnuTLS support. + */ +# tls_supported_groups = "X25519:P-256"; + + /* + * tls_cipher_list: list of TLSv1.2 ciphers to support on _this_ server. + * Can be used to enforce specific ciphers for incoming TLS + * connections. If a client (which also includes incoming server + * connections) is not capable of using any of the ciphers listed + * here, the connection will simply be rejected. + * + * Multiple ciphers are separated by colons. The order of preference is + * from left to right. + * + * It is recommended to leave this directive commented out and have the + * TLS library choose the optimal settings. + */ +# tls_cipher_list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:AES256-SHA"; + + /* + * tls_cipher_suites: list of TLSv1.3 cipher suites to support on _this_ server. + * OpenSSL supports the following TLSv1.3 cipher suites: + * + * TLS_AES_256_GCM_SHA384 + * TLS_CHACHA20_POLY1305_SHA256 + * TLS_AES_128_GCM_SHA256 + * TLS_AES_128_CCM_8_SHA256 + * TLS_AES_128_CCM_SHA256 + * + * It is recommended to leave this directive commented out and have the + * TLS library choose the optimal settings. + * + * This directive currently doesn't do anything if built with GnuTLS or LibreSSL. + */ +# tls_cipher_suites = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"; + + /* + * tls_message_digest_algorithm: defines which cryptographic hash function + * to use for generating fingerprint hashes of X.509 certificates. + * Default is SHA-256 if nothing else is specified. + */ +# tls_message_digest_algorithm = "sha256"; +}; + +/* + * admin {}: contains administrative information about the server + */ +admin { + name = "Smurf target"; + description = "Main Server Administrator"; + email = "<admin@server.example.net>"; +}; + +/* + * class {}: contains information about classes for users + */ +class { + /* name: the name of the class. */ + name = "users"; + + /* + * ping_time: how often a client must reply to a PING from the + * server before they are dropped. + */ + ping_time = 90 seconds; + + /* + * number_per_ip_local: how many local users are allowed to connect + * from a single IP address (optional) + */ + number_per_ip_local = 2; + + /* + * number_per_ip_global: how many global users are allowed to connect + * from a single IP address (optional) + */ + number_per_ip_global = 8; + + /* + * max_number: the maximum number of users allowed in this class (optional) + */ + max_number = 100; + + /* + * The following lines are optional and allow you to define + * how many users can connect from one /NN subnet. + */ + cidr_bitlen_ipv4 = 24; + cidr_bitlen_ipv6 = 120; + number_per_cidr = 16; + + /* + * sendq: the amount of data allowed in a client's send queue before + * they are dropped. + */ + sendq = 100 kbytes; + + /* + * recvq: the amount of data allowed in a client's receive queue before + * they are dropped for flooding. Defaults to 2560 if the chosen value + * isn't within the range of 512 to 8000. + */ + recvq = 2560 bytes; +}; + +class { + name = "opers"; + ping_time = 90 seconds; + number_per_ip_local = 10; + max_number = 100; + sendq = 100 kbytes; + + /* + * max_channels: maximum number of channels users in this class can join. + */ + max_channels = 60; + + /* + * min_idle: minimum idle time that is shown in WHOIS. + */ + min_idle = 3 hours; + + /* + * max_idle: maximum idle time that is shown in WHOIS. + */ + max_idle = 8 hours; + + /* + * flags: + * + * random_idle - a fake idle time is set randomly between + * min_idle and max_idle + * hide_idle_from_opers - the fake idle time will also be shown to operators + */ + flags = random_idle, hide_idle_from_opers; +}; + +class { + name = "server"; + ping_time = 90 seconds; + + /* + * connectfreq: only used in server classes. Specifies the delay + * between autoconnecting to servers. + */ + connectfreq = 5 minutes; + + /* max number: the number of servers to autoconnect to. */ + max_number = 1; + + /* sendq: servers need a higher sendq as they send more data. */ + sendq = 2 megabytes; +}; + +/* + * motd {}: Allows the display of a different MOTD to a client + * depending on its origin. Applies to local users only. + */ +motd { + /* + * mask: multiple mask entries are permitted. Mask can either be + * a class name or a hostname. CIDR is supported. + */ + mask = "*.at"; + mask = "*.de"; + mask = "*.ch"; + + /* + * file: path to the motd file. + */ + file = "etc/german.motd"; +}; + +/* + * listen {}: contains information about the ports ircd listens on + */ +listen { + /* + * port: the port to listen on. If no host is specified earlier in the + * listen {} block, it will listen on all available IP addresses. + * + * Ports are separated by commas; a range may be specified using ".." + */ + + /* port: listen on all available IP addresses, ports 6665 to 6669. */ + port = 6665 .. 6669; + + /* + * Listen on 192.0.2.2/6697 with TLS enabled and hidden from STATS P + * unless you are an administrator. + * + * NOTE: The "flags" directive always has to come before "port". + * + * Currently available flags are: + * + * tls - Port may only accept TLS connections + * server - Only server connections are permitted + * hidden - Port is hidden from /stats P, unless you're an admin + */ + flags = hidden, tls; + host = "192.0.2.2"; + port = 6697; + + /* + * host: set a specific IP address to listen on using the + * subsequent port definitions. This may be IPv4 or IPv6. + */ + host = "192.0.2.3"; + port = 7000, 7001; + + host = "2001:DB8::2"; + port = 7002; +}; + +/* + * auth {}: allow users to connect to the ircd + */ +auth { + /* + * user: the user@host allowed to connect. Multiple user + * lines are permitted within each auth {} block. + */ + user = "*@192.0.2.0/24"; + user = "*test@2001:DB8:*"; + + /* password: an optional password that is required to use this block. */ + password = "letmein"; + + /* + * encrypted: indicates whether the auth password above has been + * encrypted. Default is 'no' if nothing else is specified. + */ + encrypted = yes; + + /* + * spoof: fake the user's host to this. This is free-form; just do + * everyone a favor and don't abuse it. ('=' prefix on /stats I) + */ + spoof = "I.still.hate.packets"; + + /* class: the class the user is placed in. */ + class = "opers"; + + /* + * need_password - don't allow users who haven't supplied the correct | ('&' prefix on /stats I if disabled) + * password to connect using another auth {} block + * need_ident - require the user to have identd to connect | ('+' prefix on /stats I) + * exceed_limit - allow a user to exceed class limits | ('>' prefix on /stats I) + * kline_exempt - exempt this user from k-lines | ('^' prefix on /stats I) + * xline_exempt - exempt this user from x-lines | ('!' prefix on /stats I) + * resv_exempt - exempt this user from resvs | ('$' prefix on /stats I) + * no_tilde - remove ~ from a user with no ident | ('-' prefix on /stats I) + * can_flood - allow this user to exceed flood limits | ('|' prefix on /stats I) + * webirc - enables WEBIRC authentication for web-based | ('<' prefix on /stats I) + * clients such as Mibbit + */ + flags = need_password, exceed_limit, kline_exempt, xline_exempt, resv_exempt, can_flood; +}; + +auth { + /* + * redirserv, redirport: the server and port to redirect a user to. + * A user does not have to obey the redirection; the ircd just + * suggests an alternative server for them. + */ + redirserv = "server2.example.net"; + redirport = 6667; + + user = "*@*.ch"; + + /* class: a class is required even though it is not used. */ + class = "users"; +}; + +auth { + user = "*@*"; + class = "users"; + flags = need_ident; +}; + +/* + * operator {}: defines ircd operators + */ +operator { + /* name: the name of the operator */ + name = "sheep"; + + /* + * user: the user@host required for this operator. Multiple user + * lines are permitted within each operator {} block. + */ + user = "*sheep@192.0.2.0/26"; + user = "*@192.0.2.240/28"; + + /* + * password: the password required to oper. By default this will need + * to be encrypted using the provided mkpasswd tool. + * The availability of various password hashing algorithms may vary + * depending on the system's crypt(3) implementation. + */ + password = "$5$x5zof8qe.Yc7/bPp$5zIg1Le2Lsgd4CvOjaD20pr5PmcfD7ha/9b2.TaUyG4"; + + /* + * encrypted: indicates whether the oper password above has been + * encrypted. Default is 'yes' if nothing else is specified. + */ + encrypted = yes; + + /* + * tls_certificate_fingerprint: enhances security by additionally checking + * the oper's client certificate fingerprint against the specified + * fingerprint below. + */ +# tls_certificate_fingerprint = "4C62287BA6776A89CD4F8FF10A62FFB35E79319F51AF6C62C674984974FCCB1D"; + + /* + * tls_connection_required: client must be connected over TLS in order to be able to + * use this operator {} block. Default is 'no' if nothing else is specified. + */ + tls_connection_required = no; + + /* class: the class the oper joins when they successfully OPER. */ + class = "opers"; + + /* + * whois: allows overriding the default RPL_WHOISOPERATOR numeric + * string shown in WHOIS. + * This string is propagated to all servers on the network. + */ +# whois = "is a Smurf Target (IRC Operator)"; + + /* + * umodes: the default user modes opers get when they successfully OPER. + * If defined, it will override oper_umodes settings in general {}. + * Available user modes: + * + * +b - bots - See bot and drone flooding notices + * +c - cconn - Client connection/quit notices + * +D - deaf - Don't receive channel messages + * +d - debug - See debugging notices + * +e - external - See remote server connection and split notices + * +F - farconnect - Remote client connection/quit notices + * +f - full - See auth {} block full notices + * +G - softcallerid - Server Side Ignore for users not on your channels + * +g - callerid - Server Side Ignore (for privmsgs etc) + * +H - hidden - Hides IRC operator status to other users + * +i - invisible - Not shown in NAMES or WHO unless you share a channel + * +j - rej - See rejected client notices + * +k - skill - See server generated KILL messages + * +l - locops - See LOCOPS messages + * +n - nchange - See client nick changes + * +p - hidechans - Hides channel list in WHOIS + * +q - hideidle - Hides idle and signon time in WHOIS + * +R - nononreg - Only receive private messages from registered clients + * +s - servnotice - See general server notices + * +u - unauth - See unauthorized client notices + * +w - wallop - See server generated WALLOPS + * +X - expiration - See *LINE expiration notices + * +y - spy - See LINKS, STATS, TRACE notices etc. + */ + umodes = locops, servnotice, wallop; + + /* + * flags: controls the activities and commands an oper is + * allowed to do on the server. All flags default to 'no'. + * Available flags: + * + * admin - gives administrator privileges | ('A' flag) + * close - allows CLOSE | ('B' flag) + * connect - allows local CONNECT | ('C' flag) + * connect:remote - allows remote CONNECT | ('D' flag) + * die - allows DIE | ('E' flag) + * dline - allows DLINE | ('F' flag) + * globops - allows GLOBOPS | ('G' flag) + * join:resv - allows to JOIN resv {} channels | ('H' flag) + * kill - allows to KILL local clients | ('I' flag) + * kill:remote - allows remote users to be /KILL'd | ('J' flag) + * kline - allows KLINE | ('K' flag) + * locops - allows LOCOPS | ('L' flag) + * module - allows MODULE | ('M' flag) + * nick:resv - allows to use NICK on resv {} nicks | ('N' flag) + * opme - allows OPME | ('O' flag) + * rehash - allows oper to REHASH config | ('P' flag) + * rehash:remote - allows oper to remotely REHASH config | ('Q' flag) + * remoteban - allows remote KLINE/UNKLINE | ('R' flag) + * restart - allows RESTART | ('S' flag) + * resv - allows RESV | ('T' flag) + * set - allows SET | ('U' flag) + * squit - allows local SQUIT | ('V' flag) + * squit:remote - allows remote SQUIT | ('W' flag) + * undline - allows UNDLINE | ('X' flag) + * unkline - allows UNKLINE | ('Y' flag) + * unresv - allows UNRESV | ('Z' flag) + * unxline - allows UNXLINE | ('a' flag) + * wallops - allows WALLOPS | ('b' flag) + * xline - allows XLINE | ('c' flag) + */ + flags = admin, connect, connect:remote, die, globops, kill, kill:remote, + kline, module, rehash, restart, set, unkline, unxline, xline; +}; + +/* + * connect {}: define a server to connect to + */ +connect { + /* name: the name of the server. */ + name = "uplink.example.net"; + + /* + * host: the host or IP address to connect to. If a hostname is used, + * it must match the reverse DNS of the server. + */ + host = "192.0.2.4"; + + /* port: the port to connect to this server on. */ + port = 6666; + + /* + * timeout: defines how long to wait until a connection is established. + * Default is 30 seconds if this option is not specified. + */ + timeout = 10 seconds; + + /* + * bind: the IP address to bind to when making outgoing connections to + * servers. + */ + bind = "192.0.2.5"; + + /* + * send_password, accept_password: the passwords to send and accept. + * The remote server will have these passwords swapped. + */ + send_password = "password"; + accept_password = "anotherpassword"; + + /* + * encrypted: indicates whether the accept_password above has been + * encrypted. + */ + encrypted = no; + + /* + * hub_mask: the mask of servers that this server may hub. Multiple + * entries are permitted. + */ + hub_mask = "*"; + + /* + * leaf_mask: the mask of servers this server may not hub. Multiple + * entries are permitted. Useful for forbidding EU -> US -> EU routes. + */ +# leaf_mask = "*.uk"; + + /* class: the class this server is in. */ + class = "server"; + + /* + * tls_cipher_list: list of ciphers that the server we are connecting to + * must support. If the server is not capable of using any of the ciphers + * listed below, the connection will simply be rejected. + * Can be used to enforce stronger ciphers, even though this option + * is not necessarily required to establish a TLS connection. + * + * Multiple ciphers are separated by colons. The order of preference + * is from left to right. + * + * It is recommended to leave this directive commented out and have the + * TLS library choose the optimal settings. + */ +# tls_cipher_list = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:AES256-SHA"; + + /* + * tls_certificate_fingerprint: enhances security by additionally checking + * the server's client certificate fingerprint against the specified + * fingerprint below. + */ +# tls_certificate_fingerprint = "4C62287BA6776A89CD4F8FF10A62FFB35E79319F51AF6C62C674984974FCCB1D"; + + /* + * autoconn - controls whether we autoconnect to this server or not, + * dependent on class limits. By default, this is disabled. + * tls - initiates a TLS connection. + */ +# flags = autoconn, tls; +}; + +connect { + name = "ipv6.example.net"; + host = "2001:DB8::3"; + port = 6666; + send_password = "password"; + accept_password = "password"; + + /* + * aftype: controls whether the connection uses "ipv4" or "ipv6". + * Default is ipv4. + */ + aftype = ipv6; + class = "server"; +}; + +/* + * cluster {}: servers that share klines/unkline/xline/unxline/resv/unresv/locops + * automatically + */ +cluster { + /* + * name: the server to share with; this can take wildcards + * + * NOTE: only local actions will be clustered, meaning that if + * the server receives a shared kline/unkline/etc, it + * will not be propagated to clustered servers. + * + * Remote servers are not necessarily required to accept + * clustered lines, they need a shared {} block for *THIS* + * server in order to accept them. + */ + name = "*.example.net"; + + /* + * type: list of what to share; options are as follows: + * dline - share dlines + * undline - share undlines + * kline - share klines + * unkline - share unklines + * xline - share xlines + * unxline - share unxlines + * resv - share resvs + * unresv - share unresvs + * locops - share locops + * all - share all of the above (default) + */ + type = kline, unkline, locops, xline, resv; +}; + +/* + * shared {}: users that are allowed to remote kline + * + * NOTE: This can effectively be used for remote klines. + * Please note that there is no password authentication + * for users setting remote klines. You must also be + * /oper'd in order to issue a remote kline. + */ +shared { + /* + * name: the server the user must be connected to in order to set klines. + * If this is not specified, the user will be allowed to kline from all + * servers. + */ + name = "irc2.example.net"; + + /* + * user: the user@host mask that is allowed to set klines. If this is + * not specified, all users on the server above will be allowed to set + * a remote kline. + */ + user = "oper@my.host.is.spoofed"; + + /* + * type: list of what to share, options are as follows: + * dline - allow oper/server to dline + * undline - allow oper/server to undline + * kline - allow oper/server to kline + * unkline - allow oper/server to unkline + * xline - allow oper/server to xline + * unxline - allow oper/server to unxline + * rehash - allow oper/server to rehash + * resv - allow oper/server to resv + * unresv - allow oper/server to unresv + * locops - allow oper/server to locops - only used for servers that cluster + * all - allow oper/server to do all of the above (default) + */ + type = kline, unkline, resv; +}; + +/* + * kill {}: users that are not allowed to connect + * Oper issued klines will be added to the specified kline database + */ +kill { + user = "bad@*.example.net"; + reason = "Obviously hacked account"; +}; + +/* + * deny {}: IP addresses that are not allowed to connect + * (before DNS/ident lookup) + * Oper issued dlines will be added to the specified dline database + */ +deny { + ip = "192.0.2.0/28"; + reason = "Reconnecting vhosted bots"; +}; + +/* + * exempt {}: IP addresses that are exempt from deny {} and Dlines + */ +exempt { + ip = "192.0.2.240/28"; + + /* The 'ip' directives can be stacked */ + ip = "10.0.0.0/8"; + ip = "fc00::/7"; +}; + +/* + * resv {}: nicks and channels users may not use/join + */ +resv { mask = "clone*"; reason = "Clone bots"; }; +resv { mask = "Global"; reason = "Reserved for services"; }; +resv { mask = "ChanServ"; reason = "Reserved for services"; }; +resv { mask = "NickServ"; reason = "Reserved for services"; }; +resv { mask = "OperServ"; reason = "Reserved for services"; }; +resv { mask = "MemoServ"; reason = "Reserved for services"; }; +resv { mask = "BotServ"; reason = "Reserved for services"; }; +resv { mask = "HelpServ"; reason = "Reserved for services"; }; +resv { mask = "HostServ"; reason = "Reserved for services"; }; +resv { mask = "StatServ"; reason = "Reserved for services"; }; +resv { mask = "#*services*"; reason = "Reserved for services"; }; + +resv { + /* + * mask: masks starting with a '#' are automatically considered + * as channel name masks. + */ + mask = "#helsinki"; + reason = "Channel is reserved for Finnish inhabitants"; + + /* + * exempt: nick!user@host mask. CIDR is supported. Exempt + * entries can be stacked. + */ + exempt = "*@*.sexy"; +}; + +/* + * gecos {}: used for banning users based on their "realname". + */ +gecos { + name = "*sex*"; + reason = "Possible spambot"; +}; + +gecos { + name = "sub7server"; + reason = "Trojan drone"; +}; + +/* + * service {}: specifies a server which may act as a network service + * + * NOTE: it is very important that every server on the network + * has the same service {} block. + */ +service { + /* name: the actual name of the service. Wildcards are not allowed. */ + name = "service.example.net"; + + /* The 'name' directives can be stacked. */ + name = "stats.example.net"; +}; + +/* + * pseudo {}: adds pseudo/custom commands also known as service aliases + */ +pseudo { + /* command: the actual command/alias. */ + command = "IDENTIFY"; + + /* prepend: optional text that can be prepended to the user's message. */ + prepend = "IDENTIFY "; + + /* name: the service name, used for error messages. */ + name = "NickServ"; + + /* target: the actual target where this message should be sent to. */ + target = "NickServ@service.example.net"; +}; + +pseudo { + command = "CHANSERV"; + name = "ChanServ"; + target = "ChanServ@service.example.net"; +}; + +pseudo { + command = "CS"; + name = "ChanServ"; + target = "ChanServ@service.example.net"; +}; + +pseudo { + command = "NICKSERV"; + name = "NickServ"; + target = "NickServ@service.example.net"; +}; + +pseudo { + command = "NS"; + name = "NickServ"; + target = "NickServ@service.example.net"; +}; + +pseudo { + command = "MEMOSERV"; + name = "MemoServ"; + target = "MemoServ@service.example.net"; +}; + +pseudo { + command = "MS"; + name = "MemoServ"; + target = "MemoServ@service.example.net"; +}; + +pseudo { + command = "OPERSERV"; + name = "OperServ"; + target = "OperServ@service.example.net"; +}; + +pseudo { + command = "OS"; + name = "OperServ"; + target = "OperServ@service.example.net"; +}; + +pseudo { + command = "HOSTSERV"; + name = "HostServ"; + target = "HostServ@service.example.net"; +}; + +pseudo { + command = "HS"; + name = "HostServ"; + target = "HostServ@service.example.net"; +}; + +pseudo { + command = "BOTSERV"; + name = "BotServ"; + target = "BotServ@service.example.net"; +}; + +pseudo { + command = "BS"; + name = "BotServ"; + target = "BotServ@service.example.net"; +}; + +/* + * channel {}: the channel block contains options pertaining to channels + */ +channel { + /* + * enable_extbans: whether or not to enable extbans. This is set + * to 'no' by default and should not be enabled before all servers + * on the network have been updated to ircd-hybrid 8.2.29 or later. + * + * For a more detailed explanation of the extban feature, see help/extban. + */ + enable_extbans = no; + + /* + * disable_fake_channels: this option, if set to 'yes', will + * disallow clients from creating or joining channels that have one + * of the following ASCII characters in their name: + * + * 2 | bold + * 3 | mirc color + * 15 | plain text + * 22 | reverse + * 29 | italic + * 31 | underline + * 160 | non-breaking space + */ + disable_fake_channels = yes; + + /* + * invite_client_count, invite_client_time: how many INVITE commands + * are permitted per client per invite_client_time. + */ + invite_client_count = 10; + invite_client_time = 5 minutes; + + /* + * invite_delay_channel: how often an INVITE to any specific channel + * is permitted, regardless of the user sending the INVITE. + */ + invite_delay_channel = 5 seconds; + + /* + * invite_expire_time: specifies the amount of time an INVITE will be + * active until it expires. Set it to 0 if you don't want invites to + * expire. Default is 30 minutes if nothing else is specified. + */ + invite_expire_time = 1 hour; + + /* + * knock_client_count, knock_client_time: how many KNOCK commands + * are permitted per client per knock_client_time. + */ + knock_client_count = 1; + knock_client_time = 5 minutes; + + /* + * knock_delay_channel: how often a KNOCK to any specific channel + * is permitted, regardless of the user sending the KNOCK. + */ + knock_delay_channel = 1 minute; + + /* + * max_channels: the maximum number of channels a user can join/be on. + * This is a default value which can be overriden with class {} blocks. + */ + max_channels = 25; + + /* max_invites: the maximum number of channels a user can be invited to. */ + max_invites = 20; + + /* max_bans: maximum number of +b/e/I modes in a channel. */ + max_bans = 100; + + /* max_bans_large: maximum number of +b/e/I modes in a +L channel. */ + max_bans_large = 500; + + /* + * default_join_flood_count, default_join_flood_time: + * how many joins in how many seconds constitute a flood. Use 0 to disable. + * +b opers will be notified. These are only default values which can be + * changed via "/QUOTE SET JFLOODCOUNT" and "/QUOTE SET JFLOODTIME". + */ + default_join_flood_count = 18; + default_join_flood_time = 6 seconds; +}; + +/* + * serverhide {}: the serverhide block contains the options regarding + * to server hiding. For more information regarding server hiding, + * please see doc/serverhide.txt + */ +serverhide { + /* + * disable_remote_commands: disable users issuing commands + * on remote servers. + */ + disable_remote_commands = no; + + /* + * flatten_links: this option will show all servers in /links appear + * as though they are linked to this current server. + */ + flatten_links = no; + + /* + * flatten_links_delay: how often to update the links file when it is + * flattened. + */ + flatten_links_delay = 5 minutes; + + /* + * flatten_links_file: path to the flatten links cache file. + */ + flatten_links_file = "var/lib/links.txt"; + + /* + * hidden: hide this server from a /links output on servers that + * support it. This allows hub servers to be hidden etc. + */ + hidden = no; + + /* + * hide_servers: hide remote servernames everywhere and instead use + * hidden_name and network_desc. + */ + hide_servers = no; + + /* + * hide_services: define this if you want to hide the location of + * services servers that are specified in the service {} block. + */ + hide_services = no; + + /* + * hidden_name: use this as the servername users see if hide_servers = yes. + */ + hidden_name = "*.example.net"; + + /* + * hide_server_ips: if this is disabled, opers will be unable to see + * servers' IP addresses and will be shown a masked IP address; admins + * will be shown the real IP address. + * + * If this is enabled, nobody can see a server's IP address. + * *This is a kludge*: it has the side effect of hiding the IP addresses + * everywhere, including logfiles. + * + * We recommend you leave this disabled, and just take care with who you + * give administrator privileges to. + */ + hide_server_ips = no; +}; + +/* + * general {}: the general block contains many of the options that were once + * compiled in options in config.h + */ +general { + /* + * cycle_on_host_change: sends a fake QUIT/JOIN combination + * when services change the hostname of a specific client. + */ + cycle_on_host_change = yes; + + /* max_watch: maximum WATCH entries a client can have. */ + max_watch = 50; + + /* max_accept: maximum allowed /accept's for +g user mode. */ + max_accept = 50; + + /* whowas_history_length: maximum length of the WHOWAS nick name history. */ + whowas_history_length = 15000; + + /* + * dline_min_cidr: the minimum required length of a CIDR bitmask + * for IPv4 based D-lines. + */ + dline_min_cidr = 16; + + /* + * dline_min_cidr6: the minimum required length of a CIDR bitmask + * for IPv6 based D-lines. + */ + dline_min_cidr6 = 48; + + /* + * kline_min_cidr: the minimum required length of a CIDR bitmask + * for IPv4 based K-lines. + */ + kline_min_cidr = 16; + + /* + * kline_min_cidr6: the minimum required length of a CIDR bitmask + * for IPv6 based K-lines. + */ + kline_min_cidr6 = 48; + + /* + * invisible_on_connect: whether to automatically set user mode +i + * on connecting users. + */ + invisible_on_connect = yes; + + /* + * kill_chase_time_limit: KILL chasing is a feature whereby a KILL + * issued for a user who has recently changed nickname will be applied + * automatically to the new nick. kill_chase_time_limit is the maximum + * time following a nickname change that this chasing will apply. + */ + kill_chase_time_limit = 30 seconds; + + /* + * disable_auth: completely disable ident lookups; if you enable this, + * be careful of what you set need_ident to in your auth {} blocks. + */ + disable_auth = no; + + /* + * default_floodcount: the default value of floodcount that is configurable + * via /quote set floodcount. This is the number of lines a user may send + * to any other user/channel per floodtime. Set to 0 to disable. + */ + default_floodcount = 10; + + /* + * default_floodtime: the default value of floodtime that is configurable + * via /quote set floodtime. + */ + default_floodtime = 1 second; + + /* + * failed_oper_notice: send a notice to all opers on the server when + * someone tries to OPER and uses the wrong password, host or ident. + */ + failed_oper_notice = yes; + + /* + * dots_in_ident: the number of '.' characters permitted in an ident + * reply before the user is rejected. + */ + dots_in_ident = 2; + + /* + * min_nonwildcard: the minimum number of non-wildcard characters in + * k/d lines placed via the server. K-lines hand-placed are exempt from + * this limit. + * Wildcard characters: '.', ':', '*', '?' + */ + min_nonwildcard = 4; + + /* + * min_nonwildcard_simple: the minimum number of non-wildcard characters + * in gecos bans. Wildcard characters: '*', '?' + */ + min_nonwildcard_simple = 3; + + /* anti_nick_flood: enable the nickflood control code. */ + anti_nick_flood = yes; + + /* + * max_nick_changes, max_nick_time: the number of nick changes allowed in + * the specified period. + */ + max_nick_changes = 5; + max_nick_time = 20 seconds; + + /* + * away_count, away_time: how many AWAY commands are permitted per + * client per away_time. + */ + away_count = 2; + away_time = 10 seconds; + + /* + * anti_spam_exit_message_time: the minimum time a user must be connected + * before custom PART/QUIT messages are allowed. + */ + anti_spam_exit_message_time = 5 minutes; + + /* + * ts_warn_delta, ts_max_delta: the time delta allowed between server + * clocks before a warning is given, or before the link is dropped. + * All servers should run ntpdate/rdate to keep clocks in sync. + */ + ts_warn_delta = 3 seconds; + ts_max_delta = 15 seconds; + + /* + * warn_no_connect_block: warn opers about servers that try to connect + * but for which we don't have a connect {} block. Twits with + * misconfigured servers can become really annoying with this enabled. + */ + warn_no_connect_block = yes; + + /* + * stats_e_disabled: set this to 'yes' to disable "STATS e" for both + * operators and administrators. Doing so is a good idea in case + * there are any exempted (exempt {}) server IP addresses you don't + * want to see leaked. + */ + stats_e_disabled = no; + + /* stats_m_oper_only: make /stats m/M (messages) oper only. */ + stats_m_oper_only = yes; + + /* stats_o_oper_only: make stats o (opers) oper only. */ + stats_o_oper_only = yes; + + /* stats_P_oper_only: make stats P (ports) oper only. */ + stats_P_oper_only = yes; + + /* stats_u_oper_only: make stats u (uptime) oper only. */ + stats_u_oper_only = no; + + /* stats_i_oper_only: make stats i (auth {}) oper only. */ + stats_i_oper_only = yes; + + /* stats_k_oper_only: make stats k/K (klines) oper only. */ + stats_k_oper_only = yes; + + /* + * caller_id_wait: time between notifying a +g user that somebody + * is messaging them. + */ + caller_id_wait = 1 minute; + + /* + * opers_bypass_callerid: allows operators to bypass +g and message + * anyone who has it set. + */ + opers_bypass_callerid = yes; + + /* + * pace_wait_simple: minimum time required between use of less + * intensive commands + * (ADMIN, HELP, LUSERS, VERSION, remote WHOIS) + */ + pace_wait_simple = 1 second; + + /* + * pace_wait: minimum time required between use of more intensive commands + * (INFO, LINKS, MAP, MOTD, STATS, WHO, WHOWAS) + */ + pace_wait = 10 seconds; + + /* + * short_motd: send clients a notice telling them to read the MOTD + * instead of forcing an MOTD to clients who may simply ignore it. + */ + short_motd = no; + + /* + * ping_cookie: require clients to respond exactly to a PING command, + * can help block certain types of drones and FTP PASV mode spoofing. + */ + ping_cookie = no; + + /* no_oper_flood: increase flood limits for opers. */ + no_oper_flood = yes; + + /* + * max_targets: the maximum number of targets in a single + * PRIVMSG/NOTICE. Set to 999 NOT 0 for unlimited. + */ + max_targets = 4; + + /* + * user modes configurable: a list of user modes for the options below + * + * +b - bots - See bot and drone flooding notices + * +c - cconn - Client connection/quit notices + * +D - deaf - Don't receive channel messages + * +d - debug - See debugging notices + * +e - external - See remote server connection and split notices + * +F - farconnect - Remote client connection/quit notices + * +f - full - See auth {} block full notices + * +G - softcallerid - Server Side Ignore for users not on your channels + * +g - callerid - Server Side Ignore (for privmsgs etc) + * +H - hidden - Hides IRC operator status to other users + * +i - invisible - Not shown in NAMES or WHO unless you share a channel + * +j - rej - See rejected client notices + * +k - skill - See server generated KILL messages + * +l - locops - See LOCOPS messages + * +n - nchange - See client nick changes + * +p - hidechans - Hides channel list in WHOIS + * +q - hideidle - Hides idle and signon time in WHOIS + * +R - nononreg - Only receive private messages from registered clients + * +s - servnotice - See general server notices + * +u - unauth - See unauthorized client notices + * +w - wallop - See server generated WALLOPS + * +X - expiration - See *LINE expiration notices + * +y - spy - See LINKS, STATS, TRACE notices etc. + */ + + /* oper_only_umodes: user modes only operators may set. */ + oper_only_umodes = bots, cconn, debug, external, farconnect, full, hidden, + locops, nchange, rej, skill, spy, unauth, expiration; + + /* oper_umodes: default user modes operators get when they successfully OPER. */ + oper_umodes = bots, locops, servnotice, wallop; + + /* + * throttle_count: the maximum number of connections from the same + * IP address allowed in throttle_time duration. + */ + throttle_count = 1; + + /* + * throttle_time: the minimum amount of time required between + * connections from the same IP address. exempt {} blocks are + * excluded from this throttling. + * Offers protection against flooders who reconnect quickly. + * Set to 0 to disable. + */ + throttle_time = 2 seconds; +}; + +modules { + /* + * path: other paths to search for modules specified below + * and in "/module load". + */ + path = "/usr/lib/ircd-hybrid/modules"; + path = "/usr/lib/ircd-hybrid/modules/autoload"; + + /* module: the name of a module to load on startup/rehash. */ +# module = "some_module.la"; +}; + +/* + * log {}: contains information about logfiles. + */ +log { + /* Do you want to enable logging to ircd.log? */ + use_logging = yes; + + file { + type = oper; + name = "/var/log/ircd/oper.log"; + size = unlimited; + }; + + file { + type = user; + name = "/var/log/ircd/user.log"; + size = 50 megabytes; + }; + + file { + type = kill; + name = "/var/log/ircd/kill.log"; + size = 50 megabytes; + }; + + file { + type = kline; + name = "/var/log/ircd/kline.log"; + size = 50 megabytes; + }; + + file { + type = dline; + name = "/var/log/ircd/dline.log"; + size = 50 megabytes; + }; + + file { + type = xline; + name = "/var/log/ircd/xline.log"; + size = 50 megabytes; + }; + + file { + type = resv; + name = "/var/log/ircd/resv.log"; + size = 50 megabytes; + }; + + file { + type = debug; + name = "/var/log/ircd/debug.log"; + size = 50 megabytes; + }; +}; diff --git a/ircd-hybrid.service b/ircd-hybrid.service new file mode 100644 index 000000000000..115684583eba --- /dev/null +++ b/ircd-hybrid.service @@ -0,0 +1,16 @@ +[Unit] +Description=IRCD-Hybrid daemon +Requires=network.target +After=network.target + +[Service] +Type=forking +PIDFile=/run/ircd/ircd.pid +ExecStart=/usr/bin/ircd start -logfile /var/log/ircd/ircd.log -pidfile /run/ircd/ircd-hybrid.pid -configfile /etc/ircd-hybrid/ircd.conf +ExecStop=/usr/bin/ircd/ircd stop +Restart=always +User=ircd +Group=ircd + +[Install] +WantedBy=multi-user.target diff --git a/ircd-hybrid.sysusers b/ircd-hybrid.sysusers new file mode 100644 index 000000000000..6c78849d54c9 --- /dev/null +++ b/ircd-hybrid.sysusers @@ -0,0 +1,2 @@ +g ircd /var/lib/ircd +u ircd - "ircd-hybrid user" /var/lib/ircd /bin/false diff --git a/ircd-hybrid.tmpfiles b/ircd-hybrid.tmpfiles new file mode 100644 index 000000000000..75fc0dc8353d --- /dev/null +++ b/ircd-hybrid.tmpfiles @@ -0,0 +1,2 @@ +d /run/ircd 0755 ircd irc - + |