path: root/data/modules.example.conf

/*
 * [OPTIONAL] Non-Core Modules
 *
 * The following blocks are used to load all non-core modules, including 3rd-party modules.
 * Modules can be prevented from loading by commenting out the line, other modules can be added by
 * adding a module block. These modules will be loaded prior to Anope connecting to your network.
 *
 * Note that some of these modules are labeled EXTRA, and must be enabled prior to compiling by
 * running the 'extras' script on Linux and UNIX.
 */

/*
 * help
 *
 * Provides the command generic/help.
 *
 * This is a generic help command that can be used with any client.
 */
module { name = "help" }

/*
 * dns
 *
 * Adds support for the DNS protocol. By itself this module does nothing useful,
 * but other modules such as dnsbl and os_dns require this.
 */
#module
{
	name = "dns"

	/*
	 * The nameserver to use for resolving hostnames, must be an IP or a resolver configuration file.
	 * The below should work fine on all UNIX-like systems. Windows users will have to find their nameservers
	 * from ipconfig /all and put the IP here.
	 */
	nameserver = "/etc/resolv.conf"
	#nameserver = "127.0.0.1"

	/*
	 * How long to wait in seconds before a DNS query has timed out.
	 */
	timeout = 5


	/* Only edit below if you are expecting to use os_dns or otherwise answer DNS queries. */

	/*
	 * The IP and port services use to listen for DNS queries.
	 * Note that ports less than 1024 are privileged on UNIX/Linux systems, and
	 * require Anope to be started as root. If you do this, it is recommended you
	 * set options:user and options:group so Anope can change users after binding
	 * to this port.
	 */
	ip = "0.0.0.0"
	port = 53


	/*
	 * SOA record information.
	 */

	/* Email address of the DNS administrator. */
	admin = "admin@example.com"

	/* This should be the names of the public facing nameservers serving the records. */
	nameservers = "ns1.example.com ns2.example.com"

	/* The time slave servers are allowed to cache. This should be reasonably low
	 * if you want your records to be updated without much delay.
	 */
	refresh = 3600

	/* A notify block. There should probably be one per nameserver listed in 'nameservers'.
	 */
	notify
	{
		ip = "192.0.2.0"
		port = 53
	}
}

/*
 * dnsbl
 *
 * Allows configurable DNS blacklists to check connecting users against. If a user
 * is found on the blacklist they will be immediately banned. This is a crucial module
 * to prevent bot attacks.
 */
#module
{
	name = "dnsbl"

	/*
	 * If set, Anope will check clients against the DNSBLs when services connect to its uplink.
	 * This is not recommended, and on large networks will open a very large amount of DNS queries.
	 * Whilst services are not drastically affected by this, your nameserver/DNSBL might care.
	 */
	check_on_connect = no

	/*
	 * If set, Anope will check clients when coming back from a netsplit. This can cause a large number
	 * of DNS queries open at once. Whilst services are not drastically affected by this, your nameserver/DNSBL
	 * might care.
	 */
	check_on_netburst = no

	/*
	 * If set, OperServ will add clients found in the DNSBL to the akill list. Without it, OperServ simply sends
	 * a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots.
	 */
	add_to_akill = yes

	blacklist
	{
		/* Name of the blacklist. */
		name = "rbl.efnetrbl.org"

		/* How long to set the ban for. */
		time = 4h

		/* Reason for akill.
		 * %n is the nick of the user
		 * %u is the ident/username of the user
		 * %g is the realname of the user
		 * %h is the hostname of the user
		 * %i is the IP of the user
		 * %r is the reply reason (configured below). Will be nothing if not configured.
		 * %N is the network name set in networkinfo:networkname
		 */
		reason = "You are listed in the EFnet RBL, visit https://rbl.efnetrbl.org/?i=%i for info"

		/* Replies to ban and their reason. If no replies are configured, all replies get banned. */
		reply
		{
			code = 1
			reason = "Open Proxy"
		}

		#reply
		{
			code = 2
			reason = "spamtrap666"
		}

		#reply
		{
			code = 3
			reason = "spamtrap50"
		}

		reply
		{
			code = 4
			reason = "TOR"

			/*
			 * If set, users identified to services at the time the result comes back
			 * will not be banned.
			 */
			#allow_account = yes
		}

		reply
		{
			code = 5
			reason = "Drones / Flooding"
		}
	}

	#blacklist
	{
		name = "dnsbl.dronebl.org"
		time = 4h
		reason = "You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup_branded?ip=%i&network=%N"
	}

	/* Exempt localhost from DNSBL checks */
	exempt { ip = "127.0.0.0/8" }
}

/*
 * helpchan
 *
 * Gives users who are op in the specified help channel usermode +h (helpop).
 */
#module
{
	name = "helpchan"

	helpchannel = "#help"
}

/*
 * httpd
 *
 * Allows services to serve web pages. By itself, this module does nothing useful.
 *
 * Note that using this will allow users to get the IP of your services.
 * To prevent this we recommend using a reverse proxy or a tunnel.
 */
#module
{
	name = "httpd"

	httpd
	{
		/* Name of this service. */
		name = "httpd/main"

		/* IP to listen on. */
		ip = "0.0.0.0"

		/* Port to listen on. */
		port = 8080

		/* Time before connections to this server are timed out. */
		timeout = 30

		/* Listen using SSL. Requires an SSL module. */
		#ssl = yes

		/* If you are using a reverse proxy that sends one of the
		 * extforward_headers set below, set this to its IP.
		 * This allows services to obtain the real IP of users by
		 * reading the forwarded-for HTTP header.
		 * Multiple IP addresses can be specified separated by a space character.
		 */
		#extforward_ip = "192.168.0.255 192.168.1.255"

		/* The header to look for. These probably work as is. */
		extforward_header = "X-Forwarded-For Forwarded-For"
	}
}

/*
 * ldap [EXTRA]
 *
 * This module allows other modules to use LDAP. By itself, this module does nothing useful.
 */
#module
{
	name = "ldap"

	ldap
	{
		server = "ldap://127.0.0.1"

		/*
		 * Admin credentials used for performing searches and adding users.
		 */
		admin_binddn = "cn=Manager,dc=anope,dc=org"
		admin_password = "secret"
	}
}

/*
 * ldap_authentication
 *
 * This module allows many commands such as IDENTIFY, RELEASE, RECOVER, GHOST, etc. use
 * LDAP to authenticate users. Requires ldap.
*/
#module
{
	name = "ldap_authentication"

	/*
	 * The distinguished name used for searching for users's accounts.
	 */
	basedn = "ou=users,dc=anope,dc=org"

	/*
	 * The search filter used to look up users's accounts.
	 * %account is replaced with the user's account.
	 * %object_class is replaced with the object_class configured below.
	 */
	search_filter = "(&(uid=%account)(objectClass=%object_class))"

	/*
	 * The object class used by LDAP to store user account information.
	 * This is used for adding new users to LDAP if registration is allowed.
	 */
	object_class = "anopeUser"

	/*
	 * The attribute value used for account names.
	 */
	username_attribute = "uid"

	/*
	 * The attribute value used for email addresses.
	 * This directive is optional.
	 */
	email_attribute = "email"

	/*
	 * The attribute value used for passwords.
	 * Used when registering new accounts in LDAP.
	 */
	password_attribute = "userPassword"

	/*
	 * If set, the reason to give the users who try to register with NickServ,
	 * including nick registration from grouping.
	 *
	 * If not set, then registration is not blocked.
	 */
	#disable_register_reason = "To register on this network visit https://some.misconfigured.site/register"

	/*
	 * If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
	 * If not set, then email changing is not blocked.
	 */
	#disable_email_reason = "To change your email address visit https://some.misconfigured.site"
}

/*
 * ldap_oper
 *
 * This module dynamically ties users to Anope opertypes when they identify
 * via LDAP group membership. Requires ldap.
 *
 * Note that this doesn't give the user privileges on the IRCd, only in Anope.
 */
#module
{
	name = "ldap_oper"

	/*
	 * An optional binddn to use when searching for groups.
	 * %a is replaced with the account name of the user.
	 */
	#binddn = "cn=Manager,dc=anope,dc=org"

	/*
	 * An optional password to bind with.
	 */
	#password = "secret"

	/*
	 * The base DN where the groups are.
	 */
	basedn = "ou=groups,dc=anope,dc=org"

	/*
	 * The filter to use when searching for users.
	 * %a is replaced with the account name of the user.
	 */
	filter = "(member=uid=%a,ou=users,dc=anope,dc=org)"

	/*
	 * The attribute of the group that is the name of the opertype.
	 * The cn attribute should match a known opertype in the config.
	 */
	opertype_attribute = "cn"
}

/*
 * mysql [EXTRA]
 *
 * This module allows other modules to use MySQL.
 */
#module
{
	name = "mysql"

	mysql
	{
		/* The name of this service. */
		name = "mysql/main"
		database = "anope"
		server = "127.0.0.1"
		username = "anope"
		password = "mypassword"
		port = 3306
		socket = ""
	}
}

/*
 * redis
 *
 * This module allows other modules to use Redis.
 */
#module
{
	name = "redis"

	/* A redis database */
	redis
	{
		/* The name of this service */
		name = "redis/main"

		/*
		 * The redis database to use. New connections default to 0.
		 */
		db = 0

		ip = "127.0.0.1"
		port = 6379
	}
}

/*
 * regex_pcre2 [EXTRA]
 *
 * Provides the regex engine regex/pcre, which uses version 2 of the Perl Compatible Regular
 * Expressions library.
 */
#module { name = "regex_pcre2" }

/*
 * regex_posix [EXTRA]
 *
 * Provides the regex engine regex/posix, which uses the POSIX compliant regular expressions.
 */
#module { name = "regex_posix" }

/*
 * regex_stdlib
 *
 * Provides the regex engine regex/stdlib, which uses the regular expression library that is part of
 * the C++ standard library.
 */
module
{
	name = "regex_stdlib"

	/*
	 * The syntax scheme to use. Can be set to awk to use the regular expression grammar used by the
	 * awk utility in POSIX, basic to use the basic POSIX regular expression grammar, ecmascript to
	 * use the modified ECMAScript regular expression grammar, egrep to use the regular expression
	 * grammar used by the grep utility with the -E option in POSIX, extended to use the extended
	 * POSIX regular expression grammar, or grep to use the regular expression grammar used by the
	 * grep utility in POSIX.
	 *
	 * See https://en.cppreference.com/w/cpp/regex/syntax_option_type for more information.
	 */
	syntax = "ecmascript"
}

/*
 * regex_tre [EXTRA]
 *
 * Provides the regex engine regex/tre, which uses the TRE regex library.
 */
#module { name = "regex_tre" }

/*
 * rewrite
 *
 * Allows rewriting commands sent to/from clients.
 */
#module { name = "rewrite" }
#command
{
	service = "ChanServ"; name = "CLEAR"; command = "rewrite"

	/* Enable rewrite. */
	rewrite = true

	/* Source message to match. A $ can be used to match anything. */
	rewrite_source = "CLEAR $ USERS"

	/*
	 * Message to rewrite the source message to. A $ followed by a number, e.g. $0, gets
	 * replaced by the number-th word from the source_message, starting from 0.
	 */
	rewrite_target = "KICK $1 *"

	/*
	 * The command description. This only shows up in HELP's output.
	 * Comment this option to prevent the command from showing in the
	 * HELP command.
	 */
	rewrite_description = "Clears all users from a channel"
}

/*
 * proxyscan
 *
 * This module allows you to scan connecting clients for open proxies.
 * Note that using this will allow users to get the IP of your services.
 *
 * Currently the two supported proxy types are HTTP and SOCKS5.
 *
 * The proxy scanner works by attempting to connect to clients when they
 * connect to the network, and if they have a proxy running instruct it to connect
 * back to services. If services are able to connect through the proxy to itself
 * then it knows it is an insecure proxy, and will ban it.
 */
#module
{
	name = "proxyscan"

	/*
	 * The target IP services tells the proxy to connect back to. This must be a publicly
	 * available IP that remote proxies can connect to.
	 */
	#target_ip = "127.0.0.1"

	/*
	 * The port services tells the proxy to connect to.
	 */
	target_port = 7226

	/*
	 * The listen IP services listen on for incoming connections from suspected proxies.
	 * This probably will be the same as target_ip, but may not be if you are behind a firewall (NAT).
	 */
	#listen_ip = "127.0.0.1"

	/*
	 * The port services should listen on for incoming connections from suspected proxies.
	 * This most likely will be the same as target_port.
	 */
	listen_port = 7226

	/*
	 * An optional notice sent to clients upon connect.
	 */
	#connect_notice = "We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately."

	/*
	 * Who the notice should be sent from.
	 */
	#connect_source = "OperServ"

	/*
	 * If set, OperServ will add infected clients to the akill list. Without it, OperServ simply sends
	 * a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being filled up by bots.
	 */
	add_to_akill = yes

	/*
	 * How long before connections should be timed out.
	 */
	timeout = 5

	proxyscan
	{
		/* The type of proxy to check for. A comma separated list is allowed. */
		type = "HTTP"

		/* The ports to check. */
		port = "80,8080"

		/* How long to set the ban for. */
		time = 4h

		/*
		 * The reason to ban the user for.
		 * %h is replaced with the type of proxy found.
		 * %i is replaced with the IP of proxy found.
		 * %p is replaced with the port.
		 */
		reason = "You have an open proxy running on your host (%t:%i:%p)"
	}
}

/*
 * sasl
 *
 * Some IRCds allow "SASL" authentication to let users identify to services
 * during the IRCd user registration process. If this module is loaded, Anope will allow
 * authenticating users through this mechanism. Supported mechanisms are:
 * PLAIN, EXTERNAL.
 */
module { name = "sasl" }

/*
 * ssl_gnutls [EXTRA]
 *
 * This module provides SSL services to Anope using GnuTLS, for example to
 * connect to the uplink server(s) via SSL.
 *
 * You may only load either ssl_gnutls or ssl_openssl, but not both.
 */
#module
{
	name = "ssl_gnutls"

	/*
	 * An optional certificate and key for ssl_gnutls to give to the uplink. All
	 * paths are relative to the config directory.
	 *
	 * You can generate your own certificate and key pair by using:
	 *
	 *   certtool --generate-privkey --bits 2048 --outfile privkey.pem
	 *   certtool --generate-self-signed --load-privkey privkey.pem --outfile fullchain.pem
	 *
	 */
	cert = "fullchain.pem"
	key = "privkey.pem"

	/*
	 * Diffie-Hellman parameters to use when acting as a server. This is only
	 * required for TLS servers that want to use ephemeral DH cipher suites.
	 *
	 * This is NOT required for Anope to connect to the uplink server(s) via SSL.
	 *
	 * You can generate DH parameters by using:
	 *
	 *   certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
	 *
	 */
	#dhparams = "dhparams.pem"
}

/*
 * ssl_openssl [EXTRA]
 *
 * This module provides SSL services to Anope using OpenSSL, for example to
 * connect to the uplink server(s) via SSL.
 *
 * You may only load either ssl_openssl or ssl_gnutls, but not both.
 *
 */
#module
{
	name = "ssl_openssl"

	/*
	 * An optional certificate and key for ssl_openssl to give to the uplink.
	 * All paths are relative to the config directory.
	 *
	 * You can generate your own certificate and key pair by using:
	 *
	 *   openssl genrsa -out privkey.pem 2048
	 *   openssl req -new -x509 -key privkey.pem -out fullchain.pem -days 1095
	 */
	cert = "fullchain.pem"
	key = "privkey.pem"

	/*
	 * If you wish to increase security you can disable support for older
	 * versions of TLS with no known vulnerabilities but that provide less
	 * security. For your security SSLv2 and SSLv3 are always disabled.
	 */
	#tlsv10 = no
	#tlsv11 = no
	#tlsv12 = yes
}

/*
 * sql_authentication
 *
 * This module allows authenticating users against an external SQL database using a custom
 * query.
 */
#module
{
	name = "sql_authentication"

	/* SQL engine to use. Should be configured elsewhere with mysql, sqlite, etc. */
	engine = "mysql/main"

	/* Query to execute to authenticate. A non empty result from this query is considered a success,
	 * and the user will be authenticated.
	 *
	 * @a@ is replaced with the user's account name
	 * @p@ is replaced with the user's password
	 * @n@ is replaced with the user's nickname
	 * @i@ is replaced with the user's IP
	 *
	 * Note that @n@ and @i@ may not always exist in the case of a user identifying outside of the normal
	 * nickserv/identify command, such as through the web panel.
	 *
	 * Furthermore, if a field named email is returned from this query the user's email is
	 * set to its value.
	 *
	 *
	 * We've included some example queries for some popular website/forum systems.
	 *
	 * Drupal 6: "SELECT `mail` AS `email` FROM `users` WHERE `name` = @a@ AND `pass` = MD5(@p@) AND `status` = 1"
	 * e107 cms: "SELECT `user_email` AS `email` FROM `e107_user` WHERE `user_loginname` = @a@ AND `user_password` = MD5(@p@)"
	 * SMF Forum: "SELECT `email_address` AS `email` FROM `smf_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))"
	 * vBulletin: "SELECT `email` FROM `user` WHERE `username` = @a@ AND `password` = MD5(CONCAT(MD5(@p@), `salt`))"
	 * IP.Board: "SELECT `email` FROM `ibf_members` WHERE `name` = @a@ AND `members_pass_hash` = MD5(CONCAT(MD5(`members_pass_salt`), MD5(@p@)))"
	 */
	query = "SELECT `email_addr` AS `email` FROM `my_users` WHERE `username` = @a@ AND `password` = MD5(CONCAT('salt', @p@))"

	/*
	 * If set, the reason to give the users who try to "/msg NickServ REGISTER".
	 * If not set, then registration is not blocked.
	 */
	#disable_reason = "To register on this network visit https://some.misconfigured.site/register"

	/*
	 * If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
	 * If not set, then email changing is not blocked.
	 */
	#disable_email_reason = "To change your email address visit https://some.misconfigured.site"
}

/*
 * sql_log
 *
 * This module adds an additional target option to log{} blocks
 * that allows logging Service's logs to SQL. To log to SQL, add
 * the SQL service name to log:targets prefixed by sql_log:. For
 * example:
 *
 * log
 * {
 *     targets = "services.log sql_log:mysql/main"
 *     ...
 * }
 *
 * By default this module logs to the table `logs`, and will create
 * it if it doesn't exist. This module does not create any indexes (keys)
 * on the table and it is recommended you add them yourself as necessary.
 */
#module { name = "sql_log" }

/*
 * sql_oper
 *
 * This module allows granting users services operator privileges and possibly IRC Operator
 * privileges based on an external SQL database using a custom query.
 */
#module
{
	name = "sql_oper"

	/* SQL engine to use. Should be configured elsewhere with mysql, sqlite, etc. */
	engine = "mysql/main"

	/* Query to execute to determine if a user should have operator privileges.
	 * A field named opertype must be returned in order to link the user to their oper type.
	 * The oper types must be configured earlier in anope.conf.
	 *
	 * If a field named modes is returned from this query then those modes are set on the user.
	 * Without this, only a simple +o is sent.
	 *
	 * @a@ is replaced with the user's account name
	 * @i@ is replaced with the user's IP
	 */
	query = "SELECT `opertype` FROM `my_users` WHERE `user_name` = @a@"
}

/*
 * sqlite [EXTRA]
 *
 * This module allows other modules to use SQLite.
 */
#module
{
	name = "sqlite"

	/* A SQLite database */
	sqlite
	{
		/* The name of this service. */
		name = "sqlite/main"

		/* The database name, it will be created if it does not exist. */
		database = "anope.sqlite"
	}
}

/*
 * webcpanel
 *
 * This module creates a web configuration panel that allows users and operators to perform any task
 * as they could over IRC. If you are using the default configuration you should be able to access
 * this panel by visiting http://127.0.0.1:8080 in your web browser from the machine Anope is running on.
 *
 * This module requires httpd.
 */
#module
{
	name = "webcpanel"

	/* Web server to use. */
	server = "httpd/main"

	/*
	 * The directory containing the webcpanel templates. This is relative to the
	 * data directory.
	 */
	template_dir = "webcpanel/templates/default"

	/* Page title. */
	title = "Anope IRC Services"
}

/*
 * xmlrpc
 *
 * Allows remote applications (websites) to execute queries in real time to retrieve data from Anope.
 * By itself this module does nothing, but allows other modules (xmlrpc_main) to receive and send XMLRPC queries.
 */
#module
{
	name = "xmlrpc"

	/* Web service to use. Requires httpd. */
	server = "httpd/main"
}

/*
 * xmlrpc_main
 *
 * Adds the main XMLRPC core functions.
 * Requires xmlrpc.
 */
#module { name = "xmlrpc_main" }