summaryrefslogtreecommitdiff
path: root/docs/conf/opers.conf.example
blob: 7cad2589c4306ef98637697b67ef6baa3f1d6751 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
#-#-#-#-#-#-#-#-#-#-#-#-#  CLASS CONFIGURATION  #-#-#-#-#-#-#-#-#-#-#-#
#                                                                     #
#   Classes are a group of commands which are grouped together and    #
#   given a unique name. They're used to define which commands        #
#   are available to certain types of Operators.                      #
#                                                                     #
#                                                                     #
#  Note: It is possible to make a class which covers all available    #
#  commands. To do this, specify commands="*". This is not really     #
#  recommended, as it negates the whole purpose of the class system,  #
#  however it is provided for fast configuration (e.g. in test nets). #
#                                                                     #

<class
     name="Shutdown"

     # commands: Oper-only commands that opers of this class can run.
     commands="DIE RESTART REHASH LOADMODULE UNLOADMODULE RELOADMODULE GLOADMODULE GUNLOADMODULE GRELOADMODULE"

     # privs: Special privileges that users with this class may utilise.
     #  VIEWING:
     #   - channels/auspex: allows opers with this priv to see more details about channels than normal users.
     #   - users/auspex: allows opers with this priv to view more details about users than normal users, e.g. real host and IP.
     #   - users/channel-spy: allows opers with this priv to view the private/secret channels that a user is on.
     #   - servers/auspex: allows opers with this priv to see more details about server information than normal users.
     #  ACTIONS:
     #   - users/mass-message: allows opers with this priv to PRIVMSG and NOTICE to a server mask (e.g. NOTICE $*).
     #   - users/samode-usermodes: allows opers with this priv to change the user modes of any other user using /SAMODE.
     #  PERMISSIONS:
     #   - channels/ignore-noctcp: allows opers with this priv to send a CTCP to a +C channel.
     #   - channels/ignore-nonicks: allows opers with this priv to change their nick when on a +N channel.
     #   - channels/restricted-create: allows opers with this priv to create channels if the restrictchans module is loaded.
     #   - users/flood/increased-buffers: allows opers with this priv to send and receive data without worrying about being disconnected for exceeding limits (*NOTE).
     #   - users/flood/no-fakelag: prevents opers from being penalized with fake lag for flooding (*NOTE).
     #   - users/flood/no-throttle: allows opers with this priv to send commands without being throttled (*NOTE).
     #   - users/ignore-callerid: allows opers with this priv to message people using callerid without being on their callerid list.
     #   - users/ignore-commonchans: allows opers with this priv to send a message to a +c user without sharing common channels.
     #   - users/ignore-noctcp: allows opers with this priv to send a CTCP to a +T user.
     #   - users/ignore-privdeaf: allows opers with this priv to message users with +D set.
     #   - users/sajoin-others: allows opers with this priv to /SAJOIN users other than themselves.
     #   - servers/use-disabled-commands: allows opers with this priv to use disabled commands.
     #   - servers/use-disabled-modes: allows opers with this priv to use disabled modes.
     #
     # *NOTE: These privs are potentially dangerous, as they grant users with them the ability to hammer your server's CPU/RAM as much as they want, essentially.
     privs="users/auspex channels/auspex servers/auspex users/mass-message users/flood/no-throttle users/flood/increased-buffers"

     # usermodes: Oper-only user modes that opers with this class can use.
     usermodes="*"

     # chanmodes: Oper-only channel modes that opers with this class can use.
     chanmodes="*">

<class name="SACommands" commands="SAJOIN SAPART SANICK SAQUIT SATOPIC SAKICK SAMODE OJOIN">
<class name="ServerLink" commands="CONNECT SQUIT RCONNECT RSQUIT MKPASSWD ALLTIME SWHOIS LOCKSERV UNLOCKSERV" usermodes="*" chanmodes="*" privs="servers/auspex">
<class name="BanControl" commands="KILL GLINE KLINE ZLINE QLINE ELINE TLINE RLINE CHECK NICKLOCK NICKUNLOCK SHUN CLONES CBAN" usermodes="*" chanmodes="*">
<class name="OperChat" commands="WALLOPS GLOBOPS" usermodes="*" chanmodes="*" privs="users/mass-message">
<class name="HostCloak" commands="SETHOST SETIDENT SETIDLE CHGNAME CHGHOST CHGIDENT" usermodes="*" chanmodes="*" privs="users/auspex">


#-#-#-#-#-#-#-#-#-#-#-#-  OPERATOR COMPOSITION   -#-#-#-#-#-#-#-#-#-#-#
#                                                                     #
#   This is where you specify which types of operators you have on    #
#   your server, as well as the commands they are allowed to use.     #
#   This works alongside with the classes specified above.            #
#                                                                     #

<type
    # name: Name of the type. Used in actual server operator accounts below.
    name="NetAdmin"

    # classes: Classes (blocks above) that this type belongs to.
    classes="SACommands OperChat BanControl HostCloak Shutdown ServerLink"

    # vhost: Host that opers of this type get when they log in (oper up). This is optional.
    vhost="netadmin.omega.example.org"

    # maxchans: Maximum number of channels opers of this type can be in at once.
    maxchans="60"

    # modes: User modes besides +o that are set on an oper of this type
    # when they oper up. Used for snomasks and other things.
    # Requires the opermodes module to be loaded.
    modes="+s +cCqQ">

<type name="GlobalOp" classes="SACommands OperChat BanControl HostCloak ServerLink" vhost="serverop.omega.example.org">
<type name="Helper" classes="HostCloak" vhost="helper.omega.example.org">


#-#-#-#-#-#-#-#-#-#-#-  OPERATOR CONFIGURATION   -#-#-#-#-#-#-#-#-#-#-#
#                                                                     #
#   Opers are defined here. This is a very important section.         #
#   Remember to only make operators out of trustworthy people.        #
#                                                                     #

# Operator account with a plaintext password.
<oper
      # name: Oper login that is used to oper up (/OPER <username> <password>).
      # Remember: This is case sensitive.
      name="Attila"

      # password: Case-sensitive, unhashed (plaintext).
      password="s3cret"

      # host: What hostnames and IPs are allowed to use this operator account.
      # Multiple options can be separated by spaces and CIDRs are allowed.
      # You can use just * or *@* for this section, but it is not recommended
      # for security reasons.
      host="attila@inspircd.org *@2001:db8::/32"

      # ** ADVANCED ** This option is disabled by default.
      # fingerprint: When using the sslinfo module, you may specify
      # a key fingerprint here. This can be obtained by using the /SSLINFO
      # command while the module is loaded, and is also noticed on connect.
      # This enhances security by verifying that the person opering up has
      # a matching SSL client certificate, which is very difficult to
      # forge (impossible unless preimage attacks on the hash exist).
      # If the sslinfo module isn't loaded, this option will be ignored.
      #fingerprint="67cb9dc013248a829bb2171ed11becd4"

      # autologin: If an SSL certificate fingerprint for this oper is specified,
      # you can have the oper block automatically log in. This moves all security
      # of the oper block to the protection of the client certificate, so be sure
      # that the private key is well-protected! Requires the sslinfo module.
      #autologin="on"

      # sslonly: If on, this oper can only oper up if they're using an SSL connection.
      # Setting this option adds a decent bit of security. Highly recommended
      # if the oper is on wifi, or specifically, unsecured wifi. Note that it
      # is redundant to specify this option if you specify a fingerprint.
      # This setting only takes effect if the sslinfo module is loaded.
      #sslonly="yes"

      # vhost: Overrides the vhost in the type block. Class and modes may also
      # be overridden.
      vhost="attila.example.org"

      # type: Which type of operator this person is; see the block
      # above for the list of types. NOTE: This is case-sensitive as well.
      type="NetAdmin">

# Operator with a plaintext password and no comments, for easy copy & paste.
<oper
      name="Brain"
      password="youshouldhashthis"
      host="brain@dialup15.isp.test.com *@localhost *@example.com *@2001:db8::/32"
      #fingerprint="67cb9dc013248a829bb2171ed11becd4"
      type="NetAdmin">

# Operator with a hashed password. It is highly recommended to use hashed passwords.
<oper
      # name: Oper login that is used to oper up (/OPER <username> <password>).
      # Remember: This is case sensitive.
      name="Adam"

      # hash: The hash function this password is hashed with. Requires the
      # module for the selected function (bcrypt, md5, sha1, or sha256) and
      # the password hashing module (password_hash) to be loaded.
      #
      # You may also use any of the above other than bcrypt prefixed with
      # either "hmac-" or "pbkdf2-hmac-" (requires the pbkdf2 module).
      # Create hashed passwords with: /MKPASSWD <hashtype> <plaintext>.
      hash="bcrypt"

      # password: A hash of the password (see above option) hashed
      # with /MKPASSWD <hashtype> <plaintext>. See the password_hash module
      # in modules.conf for more information about password hashing.
      password="qQmv3LcF$Qh63wzmtUqWp9OXnLwe7yv1GcBwHpq59k2a0UrY8xe0"

      # host: What hostnames and IPs are allowed to use this operator account.
      # Multiple options can be separated by spaces and CIDRs are allowed.
      # You can use just * or *@* for this section, but it is not recommended
      # for security reasons.
      host="*@127.0.0.1 *@192.0.2.40 *@198.51.100.4"

      # type: Which type of operator this person is; see the block
      # above for the list of types. NOTE: This is case-sensitive as well.
      type="Helper">

# Once you have edited this file you can remove this line. This is just to
# ensure that you don't hastily include the file without reading it.
<die reason="Using opers.conf.example without editing it is a security risk">