Skip to main content
Version: 1.0

Configuration

This page explains the ircd-yeti configuration file.

Configuration file syntax#

The configuration file consists of blocks, each containing name-value pairs, tags or string data. It is designed to be easily readable by both human and ircd.

Example:

blockname {    name = value;    name = "string";    name = value1, value2;    name = 123;    name;};

You must terminate each line with a semicolon (';') and terminate each block with a closing brace and semicolon ('};'). Only the start of the block has no terminating semicolon.

Comments#

Shell, C and C++ style comments are supported.

# This is a comment.
// This is a comment.
/* * This is a comment. */

Units#

Time/durations and sizes may be written as singular or plural.

Time/duration#

Valid units of time are:

  • year
  • month
  • week
  • day
  • hour
  • minute
  • second

They are written as: 1 year 3 months

Size#

Valid units of size are:

  • terabyte/tbyte/tb
  • gigabyte/gbyte/gb
  • megabyte/mbyte/mb
  • kilobyte/kbyte/kb
  • byte/b

The are written as: 100 kilobytes

Include directive#

The parser also understands a special include directive outside of a block context, which allows you to include other configuration files. This is useful for splitting up your configuration instead of having one large ircd.conf.

.include <filename>.include "filename"

Notice that the include directive does not end with a terminating semicolon (';'). This is the exception to the rule mentioned above.

Blocks#

General#

Defines some general information about the server itself.

Syntax#

general {    name = "<string>";    descripton = "<string>";    numeric = <integer>;    vhost = "<ipv4address>";    vhost = "<ipv6address>";    dns vhost = "<ipv4address>";    dns vhost = "<ipv6address>";    dns server = "<ipaddress>";    dns server = "<ipaddress>";    message_digest_algorithm = "<string>";};

name#

required

Defines the name of the server. It cannot be changed at run time.

description#

required

Defines a short description for the server.

numeric#

required

A unique id for the server. It may be between 1 and 4095, cannot be changed at run time, and must be unique on the network the server is linked to.

vhost#

Defines the IP address to bind to for outgoing connections, unless overridden by a connect block. If in doubt, simply omit it, or use "*" which has the same meaning as no vhost.

dns vhost#

Defines the local IP address to use for DNS lookups. By default, ircd-yeti will let the operating system assign the address.

dns server#

Defines the DNS servers to use for DNS lookups. By default, ircd-yeti will use the servers read from /etc/resolv.conf.

message_digest_algorithm#

Defines which cryptographic hash function to use for generating fingerprint hashes for X.509 certificates. If not set, defaults to SHA-256.

A list of supported message digest algorithms can be obtained by running:

$ openssl list-message-digest-algorithms

On some versions of OpenSSL, the command above may not work. In that case, run:

$ openssl list -digest-algorithms

Changing message_digest_algorithm is not recommended. The ircd picks a secure default.

Example#

general {        name = "irc.example.com";        description = "An IRC server";        numeric = 1;        vhost = "192.0.2.6";        vhost = "2001:db7:2::6";        dns server = "8.8.8.8";        dns server = "8.8.4.4";        message_digest_algorithm = "sha256";};

Admin#

Defines information for the /ADMIN command.

Syntax#

admin {    location = "<string>";    location = "<string>";    contact = "<string>";};

location#

You can specify up to two location lines, which may contain whatever information you choose. These lines will display as the first two lines of an ADMIN reply.

contact#

You can specify one contact line, which can contain whatever information you choose. This line will display as the third line of an ADMIN reply.

Example#

admin {    location = "An ircd-yeti test server";    location = "DareNET Development";    contact = "<dev@lists.darenet.org>";};

TLS#

Configures TLS options for the server.

There may be multiple TLS blocks. For example, you may define two options, such as one for users and another for servers, allowing more backwards compatibility for users than servers.

A TLS block can have one or more identities, see below.

Syntax#

tls {    name = "<string>";    identity {        ...    };    dh_param_file = "<string>";    dh_elliptic_curve = "<string>";    cipher_list = "<string>";};

identity#

required

A TLS block must have at least one identity block, see below.

name#

The name for these TLS options. This is only used for referencing this TLS block in other sections of the configuration file. Any arbitrary string can be used.

dh_param_file#

The file containing Diffie-Hellman parameters to use.

DH parameters are required when using ciphers with ephemeral Diffie-Hellman (EDH) key exchange.

A DH parameter file can be created by running:

$ openssl dhparam -out dhparam.pem 2048

Depending on your security needs, you should regenerate them every few weeks or so.

The longer the key length, the more CPU time a TLS handshake will consume.

dh_elliptic_curve#

Defines the curve to use for Elliptic Curve Diffie-Hellman (ECDH) algorithm.

If nothing is specified, defaults to ANSI X9.62 prime256v1/secp256r1.

A list of curves supported by OpenSSL can be obtained by running:

$ openssl ecparam -list_curves

Changing dh_elliptic_curve is not recommended. The ircd picks a secure default.

cipher_list#

List of ciphers to support.

This can be used to enforce specific ciphers from incoming and outgoing TLS connections. If a client is not capable of using any of the ciphers listed, the connection is rejected.

The ciphers are specified in a format understood by the OpenSSL library โ€“ multiple ciphers are separated by colons. The order of preference is from left to right.

A list of supported ciphers by OpenSSL can be obtained by running:

$ openssl ciphers -s -tls1_2 -v

Changing cipher_list is not recommended. The ircd picks a secure default.

Identity#

rsa_private_key_file#
required

The file containing the RSA key.

Example commands to store a 4096 bit RSA key in rsa.key:

$ openssl genrsa -out rsa.key 4096$ chown <ircd-user>.<ircd-group> rsa.key$ chmod 0600 rsa.key

You must specify this before certificate_file, else reading the configuration file will fail with the message: "No rsa_private_key_file specified; TLS support disabled"

certificate_file#
required

The file containing our TLS certificate. It should be in PEM format and sorted starting with the subject's certificate, followed by intermediate CA certificates (if applicable), and ending at the highest level (root) CA.

Example commands to generate certificate (assuming we have rsa.key):

$ openssl req -new -days 365 -x509 -key rsa.key -out cert.pem

See http://www.openssl.org/docs/HOWTO/certificates.txt

server_name#

This defines the server name as used for Server Name Indication (SNI). You may have multiple server_names.

If you use more than one TLS identity in the same or in separate profiles, setting the server_name is highly suggested. Results may be indeterminate if not set.

Example#

tls {    name = "users";    identity {        server_name = "test.darenet.org";        rsa_private_key_file = "test.darenet.org.key";        certificate_file = "test.darenet.org.crt";    };    identity {        server_name = "irc.darenet.org";        rsa_private_key_file = "irc.darenet.org.key";        certificate_file = "irc.darenet.org.crt";    };    dh_param_file = "dhparam.pem";    dh_elliptic_curve = "secp521r1";    cipher_list = "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL";    message_digest_algorithm = "sha256";};

Class#

Defines connection classes for users and servers. While the server will start without a class block, it will not be usable.

There may be multiple class blocks.

Syntax#

class {        name = "<string>";        pingfreq = <duration>;        sendq = <size>;        recvq = <size>;        maxlinks = <size>;        connectfreq = <duration>;        usermode = "<string>";        maxchans = <integer>;        fake_lag_minimum = <integer>;        fake_lag_factor = <integer>;        flags = <flag,[<flagN>]>;};

name#

required

Sets the name for this class block, which is used to reference the class in other blocks.

pingfreq#

Defines how often a client or server must respond to a PING from the server before they're dropped.

sendq#

The amount of data allowed in a client or server's queue before they're dropped.

recvq#

The amount of data allowed in a client's receive queue before they're dropped for flooding. The maximum size is 8000 bytes. If this option is omitted, the value of the CLIENT_FLOOD feature will be used instead.

maxlinks#

For clients, sets the maximum number of users allowed in this class. Once this limit is reached, any additional connections will receive a "Sorry your connection class is full - try again later or try another server" error.

For servers, if autoconnect is enabled, the server will attempt to automatically connect until the number of servers in the class is greater or equal to what is set for maxlinks. Usually 0 for hubs, and 1 for leafs.

Alias: maxusers

usermode#

Defines the user modes to automatically set for the client.

maxchans#

Defines the maximum number of a channels the client may join.

fake_lag_minimum#

Defines the minimum number of seconds the server should wait before processing commands received by the client. The default is two (2) seconds.

fake_lag_factor#

Defines the value the message length will be divided by to determine any additional fake lag penalty to apply to the client. The default is 120. Setting this to 0 will exempt the client from fake lag.

flags#

Available flags for clients:

  • no_create - prevents users in this class from creating channels
  • no_nickchange - prevents users in this class from being able to change their nickname
  • restrict_privmsg - users in this class can only private message opers and services

connectfreq#

For servers, sets the frequency at which auto-connections are tried. For autoconnects to take place, the connect block using this class must have a valid port specified, and there must be less than class::maxlinks connected servers in the class.

Setting class::connectfreq to 0 will cause the server to attempt to connect repeatedly without delay until the condition is satisfied. This reconnection in quick succession may, in the worst case, cause a hosting provider to blacklist the connecting server for awhile.

Example#

// Class block for usersclass {    name = "Users";    pingfreq = 1 minute 30 seconds;    sendq = 100 kilobytes;    maxlinks = 10000;    usermode = "+i";};
// Class block for opersclass {    name = "Opers";    pingfreq = 5 minutes;    sendq = 100 kilobytes;    maxlinks = 10;
    /* Operator privleges may be listed in a class block, which     * apply to operators using the class, or in the oper's     * operator block.     */    local = no;};
// Class block for serversclass {    name = "Servers";    pingfreq = 3 minutes;    sendq = 2 megabytes;    maxlinks = 1;    connectfreq = 5 minutes;};

Client#

Defines what clients are allowed to connect to the server, and places them into connection classes. While the server will start without a client block, no clients will be able to connect.

There may be multiple client blocks.

Syntax#

client {        class = "<string>";        username = "<string>";        host = "<string>";        ip = "<ipaddress/netmask>";        password = "<string>";        certfp = "<string>";        maxlinks = <integer>;        flags = <flag>[,<flagN>]};

class#

required

The name of the connection class to place the client in.

username#

If set, the client's username, as determined by the ident lookup, must match it to use this block.

host#

required (if client::ip omitted)

The hostname to match against.

For every connecting client, the IP address is known. A reverse lookup on the IP address is performed to get all hostnames. Each hostname that belongs to the IP address is then matched to the host entry, and the first matching client block is used. The client will appear on IRC with this resolved hostname.

You may omit this if using client::ip.

ip#

required (if client::host omitted)

The IP address to match against.

If no hostnames match, of there is no client::host entry for the block, the client's IP address is then matched against the ip entry, and the first matching client block is used. If the IP address did not resolve, the client will appear on IRC with the IP address.

You may specify an IPv4 address, IPv6 address or netmask.

password#

Sets a password that a client must supply with the PASS command to use this block.

certfp#

Sets the fingerprint that the user's client certificate must match to use this block.

maxlinks#

Sets the maximum number of clients allowed from the same IP address (globally).

flags#

Flags allow you to set additional restrictions or exemptions for clients using this client block.

Available flags:

  • can_flood - Allows the user to set umode +F to exempt themselves from flood protection and fake lag
  • gline_exempt - Exempts the user from G-lines
  • kline_exempt - Exempts the user from K-lines
  • list_exempt - Exempts the user from /LIST restriction
  • need_account - Requires the user to successfully authenticate to a service account using SASL
  • need_ident - Requires the use of identd
  • need_tls - Requires the user to connect using TLS
  • no_tilde - Prevents prefixing the username with โ€˜~โ€™ if no ident
  • shun_exempt - Exempts the user from Shuns
  • target_exempt - Exempts the user from target limits

Example#

client {        class = "Users";        username = "*";        host = "example.com";        ip = "198.51.100.0/24";        certfp = "BE205BC7EC2FACCD6CCE9D0FC9AEA45FF2A5FFB006D2E20EAD242805587CD0B0";        maxlinks = 5;        flags = list_exempt, need_tls;};

IPcheck#

deprecated

Defines what IP addresses to exempt from IPcheck.

The ipcheck block has been marked as deprecated and will be removed in a future release. You should use exempt blocks instead.

Syntax#

ipcheck {    ip = "<ipaddress/netmask>";    ip = "<ipaddress/netmask>";};

ip#

required

The IP address to exempt. You may specify an IPv4 address, IPv6 address or netmask.

There may be multiple ip entries.

Example#

ipcheck {        ip = "127.0.0.1";        ip = "198.51.100.0/24";        ip = "2001:db7:2::6";};

Exempt#

Defines exemptions for IPcheck and WebIRC port restrictions based on IP address.

Syntax#

exempt {    ip = "<ipaddress/netmask>";    flags = <flag,[<flagN>]>;};

ip#

required

The IP address to exempt. You may specify an IPv4 address, IPv6 address or netmask.

There may be multiple ip entries.

flags#

The exemptions to grant. If omitted, defaults to ipcheck; however, this behaviour may be changed in a future release, thus it shouldn't be relied upon.

Available flags:

  • ipcheck - Exempts the client from IPcheck limits and restrictions
  • webirc - Allows the client to use WebIRC ports without WEBIRC authorization

Example#

exempt {        ip = "127.0.0.1";        flags = ipcheck, webirc;};

MOTD#

Allows showing a different Message of the Day (MOTD) to clients based on their origin. If no motd blocks are defined, or match the client, the value of the MPATH feature (default: ircd.motd) will be used.

Syntax#

motd {        host = "<string>";        file = "<string>";};

host#

required

The mask to match against. Multiple host entries are allowed.

file#

required

The MOTD file to show.

Example#

motd {        host = "*.de";        host = "*.ch";        host = "*.at";
        file = "german.motd";};

Connect#

Defines servers to connect to.

Syntax#

connect {        name = "<string>";        class = "<string>";        host = "<string>";        vhost = "<string>";        password = "<string>";        certfp = "<string>";        port = <integer>;        maxhops = <integer>;        hub = "<string>";        leaf;        autoconnect = <yes/no>;        tls = <yes/no>;        ca_file = "<string>";        tls_options = "<string>";};

name#

required

The server's name.

class#

required

The connection class to place the server in.

host#

required

The host or IP address of the server.

password#

required

The password we send and accept.

vhost#

The IP address to bind to when making outgoing connections to this server. This overrides the general::vhost value.

port#

The default port the server will try to connect to if an operator uses /CONNECT without specifying one. This is also the port used when the server attempts to autoconnect.

certfp#

Enhances securtiy by allowing you to "pin" the server's client certificate fingerprint, which is checked against the client certificate presented by the server.

maxhops#

Causes an SQUIT if a hub tries to introduce servers farther away than the value given here.

leaf#

An aloas for maxhops = 0;

hub#

A mask of servers that may be introduced by a hub. There may be multiple hub entries.

The hub; tag is an alias for hub = "*";.

autoconnect#

Enables or disables autoconnects. The default is to autoconnect.

See class blocks for more informtion.

tls#

Enables or disables using TLS for this connection.

ca_file#

If defined, requires that the server use a TLS certificate signed by the given Certificate Authority (CA).

tls_options#

The TLS options to use for the outbound connection.

The TLS options for the inbound connection are defined in the listen block accessed by the remote server.

If you have more than one TLS identity, it is strongly recommended to define the tls_options parameter for each connect block. Results may be indeterminate if not set.

See TLS blocks for more information.

Example#

connect {        name = "uplink.example.com";        host = "192.0.2.4";        password = "secret";        certfp = "BE205BC7EC2FACCD6CCE9D0FC9AEA45FF2A5FFB006D2E20EAD242805587CD0B0";        port = 4400;        class = "Servers";        hub;        tls = yes;        ca_file = "ca.pem";};

Listen#

Defines the ports the ircd listens on. There may be multiple port blocks.

  • De factor port: 6667
  • Standard ports: 6660-6669 and 7000
  • Standard TLS ports: 6697 and 9999

These are just hints and are in no way official IANA or ITEF policies. IANA says we should use port 194, but that requires us to run as root, so we don't do that.

Syntax#

listen {    port = [[ipv4] [ipv6]] <integer>;    mask = "<string>";    vhost = [[ipv4] [ipv6]] "<ipaddress>" [port];    server = <yes/no>;    hidden = <yes/no>;    tls = <yes/no>;    tls_options = "<string>";    defer_accept = <yes/no>;    webirc = <yes/no>;    http = <yes/no>;};

port#

required

The specific port to listen on.

mask#

A range of IP addresses to allow connections from. This should only contain IP addresses, as this does not use DNS in any way.

vhost#

Set a specific IP address to listen on. Default is to bind to all available interfaces, if this is not specified.

There may be multiple vhost entries.

server#

If specified, and set to 'yes', only server connections are allowed on this port.

hidden#

If specified, and set to 'yes', the port is not shown in /STATS ports.

tls#

If specified, and set to 'yes', only TLS connections are permitted on this port.

tls_options#

The TLS options to use for inbound connections.

The TLS options for outbound connections to other servers is defined in the connect block for the remote server.

See TLS blocks for more information.

defer_accept#

If specified, and set to 'yes', the server will wait for clients to send IRC handshake before accepting them. You'll want to leave this disabled for ports used by clients such as BOPM/HOPM, sicne they depend on the server replying first.

webirc#

If specified, and set to 'yes', only WEBIRC connections are allowed on this port, unless the client matches an exempt block.

http#

If specified, and set to 'yes', only HTTP connections are accepted on this port. It is highly recommended that you don't expose this to the outside.

Examples#

listen {        port 4400;        server = yes;        tls = yes;        hidden = yes;};
listen {        port = 6697;        vhost = "192.0.2.2";        tls = yes;};
listen {        port = 7001;        hidden = yes;        webirc = yes;        tls = yes;};

Operator#

Defines IRC operators.

There may be multiple operator blocks.

Syntax#

operator {        name = "<string>";        host = "<string>";        password = "<string>";        certfp = "<string>";        snomask = "<string>";        class = "<string>";        flags = <flag,[<flagN>]>;
        /* Any privileges here */};

name#

required

The username for this operator block, as used in the /OPER command.

host#

required

The user@host mask the operator must match to use this block. Multiple host entries are supported.

password#

required

The password required to /OPER. By default, the password is encrypted using the provided umkpasswd tool.

class#

required

The connection class to place this operator in.

certfp#

Enhances security by allowing you to "pin" the operator's client certificate fingerprint, which is checked against the client certificate presented by the user.

snomask#

The default server notice mask(s) to set for the operator, overriding the server's default.

flags#

Allows you to set additional restrictions for this operator.

Available flags:

  • need_account - Requires that the operator be authenticated to a services account
  • need_tls - Requires that the operator be connected using TLS

Privilges#

Operator privileges may be listed in a class block, which apply to all operators using the class, or in the oper's operator block. If a privilege is present in both blocks, the value of the privilege contained in the operator block will take precedence.

The local privilege must be specfied by either the class or operator block.

Example#

operator {    name = "god";    host = "god@192.0.2.0/26";    host = "*god@127.0.0.1";    password = "$pbkdf2_sha256$128000$bljllcjeiekqrjta$2f11f4d4cc723b43159ed739391f2898ca2e4a72b26d33c5418f1d21e23384ff";    certfp = "BE205BC7EC2FACCD6CCE9D0FC9AEA45FF2A5FFB006D2E20EAD242805587CD0B0";    snomask = "+Ksgox";    class = "Opers";    flags = need_tls;
    /* privileges */    local = no;    whox = yes;};

Kill#

Disallows connections from clients based on specific ident, gecos and/or host.

Kill blocks (also known as K-lines) are flexible general client ban mechanism. Clients matching a block will be disconnected. Existing clients will be scanned for possible matches when new blocks are loaded.

All kill blocks are local to the server.

There may be multiple kill blocks.

Syntax#

kill {        host = "<string>";        username = "<string>";        realname = "<string>";        reason = "<string>";        file = "<string>";};

host#

required (if kill::username and kill::realname are omitted)

Host or user@host mask to match against.

username#

required (if kill::host and kill::realname are omitted)

Username mask to match against.

realname#

required (if kill::host and kill::username are omitted)

Gecos mask to match against.

reason#

The reason shown to the user when they're disconnected. If omitted, a default reason will be used.

The default reason is "Connection from your host is refused on this server".

file#

A file containing text that will be shown to the user when they're disconnected.

Examples#

kill {        host = "*@192.167.0.0/24";        reason = "You are infected with a Trojan.";        file = "/path/to/file/with/reason/to/show";};
kill {        /* ban based on username and realname. */        username = "sub7";        realname = "s*7*";        reason = "You are infected with a Trojan.";};
kill {        /* ban based on username. */        username = "root";        reason = "Don't IRC as root!";};
kill {        /* ban based on user@host mask using a file that containts         * the reason text.         */        host = "*luser@unixbox.flooder.co.uk";        file = "klines/youflooded.txt";};
kill {        /* IP-based bans apply to all hosts, even if the client's         * IP address has a properly resolving hostname.         */        host = "192.168.*";        file = "klines/martians.txt";};

UWorld#

Defines servers that are allowed to do special network things (e.g., network services).

UWorld servers are permitted do things typical network services would want to do, such as apply network bans, manage channel modes, etc; the details are too numerous and complex to describe here.

UWorld blocks must be the same on every single server linked to the network or the results will be disastrous.

Syntax#

uworld {        name = "<string>";};

name#

required

Server name or wildcard mask. Multiple name entries are allowed.

Example#

uworld {        name = "services.darenet.org";        name = "services2.darenet.org";        name = "control.darenet.org";};

Jupe#

Defines nicknames that cannot be used.

Syntax#

jupe {    "<nickname>" = "<reason>";};

<nickname>#

required

A single nickname, list of nicknames (comma delimited) to disallow. Wildcards are supported.

There may be multiple entries.

<reason>#

required

A reason that will be shown to the user when they try to use the nickname.

Example#

jupe {        "ChanS?rv,NickS?rv,MemoS?rv,HostS?rv,OperS?rv" = "Reserved for services.";        "login" = "Invalid nickname";        "protocol,pass,newpass" = "Invalid nickname.";};

Resv#

Defines channels that non-operators may not join.

Syntax#

resv {    "<channel>" = "<reason>";};

<channel>#

required

The channel to reserve. Multiple entries are allowed.

<reason>#

required

A reason that will be shown to the user when they try to join the channel.

Example#

resv {        "#wtf" = "Whiskey Tango Foxtrot";};

Quarantine#

Disallows operators from using OPMODE and CLEARMODE on certain channels.

Operators with the force_opmode, and force_local_opmode for local channels, privilege may override the quarantine.

Syntax#

quarantine {    "<channel>" = "<reason>";};

<channel>#

required

The channel to quarantine. Multiple entries are allowed.

<reason>#

required

A reason that will be shown to the operator when they try to use OPMODE or CLEARMODE on the channel.

Example#

quarantine {    "&kiddies" = "They can take care of themselves";    "#shells" = "Thou shalt not support the h4><0rz";};

CRule#

Defines connection rules, which is a real-time, rule-based, routing decision system.

There may be multiple crule blocks.

See doc/readme.crules.

Syntax#

crule {        server = "<string>";        rule = "<string>";        all = <yes/no>;};

server#

required

Server mask.

rule#

required

The connection rule.

all#

If specified, and set to 'yes', indicates that this rule always applies. If no, which is the default, it will only apply to autoconnects.

Example#

crule {        server = "*.us.example.com";        rule = "connected(*us.example.com)";        all = yes;};

Pseudo#

Defines server-side aliases to send messages to a service. There may be multiple pseudo blocks.

Syntax#

pseudo <block-value> {        name = "<string>";        nick = "<string>";        prepend = "<string>";        default = "<string>";        allow_empty = <yes/no>;        oper_only = <yes/no>;};

<block-value>#

required

Defines the alias name.

name#

required

The service name; used for error messages.

nick#

required

Defines where the messages should be delivered to.

Multiple nick entries may be specified, with the one last one listed having the highest priority.

prepend#

Text to prepend to the user's message.

default#

Defines default text to use if the user doesn't provide any arguments.

allow_empty#

If specfied, and set to 'yes', this alias does not require any arguments to specified.

This is ignored if default text has been defined.

oper_only#

If specified, and set to 'yes', the user must be an IRC operator to use the alias. Any non-operator use of the alias is treated as though the alias does not exist.

Examples#

pseudo "AUTH" {        name = "N";        nick = "N2@services2.darenet.org";        nick = "N@services.darenet.org";        prepend = "AUTH ";};
/* operator only alias */pseudo "OS" {    name = "O";    nick = "O2@services2.darenet.org";    nick = "O@services.darenet.org";    oper_only = yes;    allow_empty = yes;};

Cloak#

Configures the cloak (aka guest hidden host) system. There may be multiple cloak blocks.

Syntax#

cloak {    name = "<string>";    default = <yes/no>;    cloak_key = "<string>";    ipv4_host_format = "<string>";    ipv6_host_format = "<string>";    host_suffix = "<string>";};

name#

required

Name of the cloak system type to use; ircd-yeti ships with HMAC-SHA256.

default#

If specified, and set to 'yes', indicates this is the default cloak applied to users.

cloak_key#

A symmetric key that is used to generate the different hashes that make up the cloak. This should be the same on all servers linked to the network so that things like bans work appropriately.

If no cloak key is provided, a random one will be generated.

If the m_cloak module is loaded, and no cloak key has been defined, the server will set its cloak key to that provided by its uplink, if any, and re-generate cloaks for clients using the new cloak key as appropriate. This can be used, for example, to only store cloak keys in the configuration file for hubs, or allow a network service to manage the cloak key.

ipv4_host_format#

required

Defines the format used for the generated cloak for clients with an IPv4 address. It should contain exactly 5 '%s' specifiers. The first four are used for the hashes, and the fifth for the host suffix.

ipv6_host_format#

Defines the format used for the generated cloak for clients with an IPv6 address. It should contain exactly 5 '%s' specifiers. The first four are used for the hashes, and the fifth for the host suffix.

If this omitted, IPv6 cloaks will use the same format as IPv4 cloaks.

host_suffix#

required

Defines the host suffix used for the generated cloaks.

Example#

cloak {    name = "HMAC-SHA256";    default = yes;    cloak_key = "J8d/FC5jG9+xq7jq0a13vK6dQ";    ipv4_host_format = "%s-%s-%s-%s.%s";    host_suffix = "guest.darenet";};

Modules#

Defines modules to be loaded on startup and rehash.

Syntax#

modules {    path = "<string>";    module = "<string>";};

path#

Defines a path to search for modules. Multiple path entries are supported.

module#

The name of the module to load. Multiple module entries are supported.

You should append the .la suffix to the name of the module.

Example#

modules {    path = "lib/ircd-yeti/modules";    module = "cloak_hmac_sha256.la";    module = "m_sasl.la";};

WebIRC#

Defines what connections may use WEBIRC. Multiple webirc blocks are supported.

A rehash will disconnect clients using a webirc block that was removed. A webirc block is considered removed if there is no block in the new config with the same IP address and password.

Syntax#

webirc {    ip = "<ipaddress>";    password = "<string>";    description = "<string>";    hidden = <yes/no>;    strip_certfp = <yes/no>;};

ip#

required

The IP address. You may specify an IPv4 address, IPv6 address or netmask.

There may be multiple ip entries.

password#

required

The password we expect in the WEBIRC command. By default, the password is encrypted using the provided umkpasswd tool.

description#

A short description shown in a /WHOIS reply on a WebIRC user.

hidden#

If specified, and set to 'yes', the IP address is hidden in a /STATS webirc.

strip_certfp#

If the client issuing the WEBIRC command presents a TLS client certificate, the fingerprint for it will not be stored if this option is specifed and set to 'yes'.

You should always set to this 'yes' for public WebIRC gateways.

Example#

webirc {    ip = "127.0.0.1";    password = "$pbkdf2_sha256$128000$bljllcjeiekqrjta$2f11f4d4cc723b43159ed739391f2898ca2e4a72b26d33c5418f1d21e23384ff";    description = "Awesome WebIRC Client";    strip_certfp = yes;};

Forwards#

Allows the server to forward prefixed channel messages that match a UWorld server. This allows users to use in-channel (fantasy) commands without the service client having to be present in the channel.

Syntax#

forwards {    "<prefix>" = "<uworld server>";};

<prefix>#

required

Channel messages marked with this prefix to forward. Multiple prefix entries are supported.

<uworld server>#

required

The UWorld server to forward the prefixed channel message to.

Example#

forwards {        "!" = "services.darenet.org";        "?" = "services2.darenet.org";        "." = "services.darenet.org";};

IAuth#

Allows an IAuth helper program to determine if a client should be allowed to connect or not.

Syntax#

iauth {    program = "<path>" "<args>";};

program#

required

Specifies the path to the IAuth program, as well as any additional arguments to use.

Example#

iauth {    program = "/home/user/iauthd" "-c" "server.conf" "-d";};

Features#

Configures various server settings. Multiple feature blocks are allowed.

Multiple settings may be specified in a single features block.

Syntax#

features {    "<setting>" = "<value>";};

<setting>#

required

The name of the feature setting.

<value>#

required

The value to set for the feature setting.

Example#

features {    "LOG" = "SYSTEM" "FILE" "ircd.log";    "LOG" = "SYSTEM" "LEVEL" "CRIT";
    "HUB" = "TRUE";};