#-#-#-#-#-#-#-#-#-#-#-#-#  CLASS CONFIGURATION  #-#-#-#-#-#-#-#-#-#-#-#
#                                                                     #
#   Classes are a group of commands which are grouped together and    #
#   given a unique name. They're used to define which commands        #
#   are available to certain types of Operators.                      #
#                                                                     #
#                                                                     #
#  Note: It is possible to make a class which covers all available    #
#  commands. To do this, specify commands="*". This is not really     #
#  recommended, as it negates the whole purpose of the class system,  #
#  however it is provided for fast configuration (e.g. in test nets). #
#                                                                     #

<class
     name="Shutdown"

     # commands: Oper-only commands that opers of this class can run.
     commands="DIE RESTART REHASH LOADMODULE UNLOADMODULE RELOADMODULE GLOADMODULE GUNLOADMODULE GRELOADMODULE"

     # privs: Special privileges that users with this class may utilise.
     #  VIEWING:
     #   - channels/auspex: allows opers with this priv to see more details about channels than normal users.
     #   - users/auspex: allows opers with this priv to view more details about users than normal users, e.g. real host and IP.
     #   - users/channel-spy: allows opers with this priv to view the private/secret channels that a user is on.
     #   - servers/auspex: allows opers with this priv to see more details about server information than normal users.
     #  ACTIONS:
     #   - users/mass-message: allows opers with this priv to PRIVMSG and NOTICE to a server mask (e.g. NOTICE $*).
     #   - users/samode-usermodes: allows opers with this priv to change the user modes of any other user using /SAMODE.
     #  PERMISSIONS:
     #   - channels/ignore-chanfilter: allows opers with this priv to be immune to channel filters.
     #   - channels/ignore-delaymsg: allows opers with this priv to be immune to delaymsg restriction on a +d channel.
     #   - channels/ignore-noctcp: allows opers with this priv to send a CTCP to a +C channel.
     #   - channels/ignore-nonicks: allows opers with this priv to change their nick when on a +N channel.
     #   - channels/ignore-opmoderated: allows opers with this priv to ignore +U.
     #   - channels/ignore-repeat: allows opers with this priv to be immune to repeat punishment on a +E channel.
     #   - channels/restricted-create: allows opers with this priv to create channels if the restrictchans module is loaded.
     #   - users/flood/increased-buffers: allows opers with this priv to send and receive data without worrying about being disconnected for exceeding limits (*NOTE).
     #   - users/flood/no-fakelag: prevents opers from being penalized with fake lag for flooding (*NOTE).
     #   - users/flood/no-throttle: allows opers with this priv to send commands without being throttled (*NOTE).
     #   - users/ignore-callerid: allows opers with this priv to message people using callerid without being on their callerid list.
     #   - users/ignore-commonchans: allows opers with this priv to send a message to a +c user without sharing common channels.
     #   - users/ignore-noctcp: allows opers with this priv to send a CTCP to a +T user.
     #   - users/ignore-privdeaf: allows opers with this priv to message users with +D set.
     #   - users/sajoin-others: allows opers with this priv to /SAJOIN users other than themselves.
     #   - users/secret-whois: allows opers with this priv to /WHOIS +W users without them being notified.
     #     servers/ignore-blockamsg: allows opers with this priv to use /AMSG and /AME.
     #   - servers/ignore-shun: allows opers with this priv to ignore shuns.
     #   - servers/ignore-securelist: allows opers with this priv to ignore securelist.
     #   - servers/use-disabled-commands: allows opers with this priv to use disabled commands.
     #   - servers/use-disabled-modes: allows opers with this priv to use disabled modes.
     #
     # *NOTE: These privs are potentially dangerous, as they grant users with them the ability to hammer your server's CPU/RAM as much as they want, essentially.
     privs="users/auspex channels/auspex servers/auspex users/mass-message users/flood/no-throttle users/flood/increased-buffers"

     # usermodes: Oper-only user modes that opers with this class can use.
     usermodes="*"

     # chanmodes: Oper-only channel modes that opers with this class can use.
     chanmodes="*"

     # snomasks: The snomasks that opers with this class can use.
     snomasks="*">

<class name="SACommands" commands="SAJOIN SAPART SANICK SAQUIT SATOPIC SAKICK SAMODE OJOIN">
<class name="ServerLink" commands="CONNECT SQUIT RCONNECT RSQUIT MKPASSWD ALLTIME SWHOIS" usermodes="*" chanmodes="*" privs="servers/auspex" snomasks="Cc">
<class name="BanControl" commands="KILL GLINE KLINE ZLINE QLINE ELINE TLINE RLINE CHECK NICKLOCK NICKUNLOCK SHUN CBAN" usermodes="*" chanmodes="*" snomasks="Xx">
<class name="OperChat" commands="WALLOPS GLOBOPS" usermodes="*" chanmodes="*" privs="users/mass-message" snomasks="Gg">
<class name="HostCloak" commands="SETHOST SETIDENT SETIDLE CHGNAME CHGHOST CHGIDENT" usermodes="*" chanmodes="*" privs="users/auspex">


#-#-#-#-#-#-#-#-#-#-#-#-  OPERATOR COMPOSITION   -#-#-#-#-#-#-#-#-#-#-#
#                                                                     #
#   This is where you specify which types of operators you have on    #
#   your server, as well as the commands they are allowed to use.     #
#   This works alongside with the classes specified above.            #
#                                                                     #

<type
    # name: Name of the type. Used in actual server operator accounts below.
    name="NetAdmin"

    # classes: Classes (blocks above) that this type belongs to.
    classes="SACommands OperChat BanControl HostCloak Shutdown ServerLink"

    # vhost: Host that opers of this type get when they log in (oper up). This is optional.
    vhost="netadmin.omega.example.org"

    # maxchans: Maximum number of channels opers of this type can be in at once.
    maxchans="60"

    # motd: The server operator MOTD that this should be shown to this
    # operator type. This can be viewed with /OPERMOTD or automatically
    # on login if automotd (see below) is enabled.
    # Requires the opermotd module to be loaded.
    motd="&dir.example;/opermotd.example.txt"

    # automotd: Whether to send the server operator MOTD (see above)
    # to operators of this type when they log in.
    # Requires the opermotd module to be loaded.
    automotd="yes"

    # modes: User modes besides +o that are set on an oper of this type
    # when they oper up. Used for snomasks and other things.
    # Requires the opermodes module to be loaded.
    modes="+s +cCqQ">

<type name="GlobalOp" classes="SACommands OperChat BanControl HostCloak ServerLink" vhost="serverop.omega.example.org">
<type name="Helper" classes="HostCloak" vhost="helper.omega.example.org">


#-#-#-#-#-#-#-#-#-#-#-  OPERATOR CONFIGURATION   -#-#-#-#-#-#-#-#-#-#-#
#                                                                     #
#   Opers are defined here. This is a very important section.         #
#   Remember to only make operators out of trustworthy people.        #
#                                                                     #

# Operator account with a plaintext password.
<oper
      # name: Oper login that is used to oper up (/OPER <username> <password>).
      # Remember: This is case sensitive.
      name="Attila"

      # password: Case-sensitive, unhashed (plaintext).
      password="s3cret"

      # nopassword: Whether to allow logging into an account without a password.
      #
      # IMPORTANT: As this option overrides the password field it should **NOT** be used
      # unless you are certain that nobody other than the intended user will match the
      # restrictions of this <oper> block. Failure to do this may result in your server
      # being compromised.
      #nopassword="no"

      # host: What hostnames and IPs are allowed to use this operator account.
      # Multiple options can be separated by spaces and CIDRs are allowed.
      # You can use just * or *@* for this section, but it is not recommended
      # for security reasons.
      host="attila@inspircd.org *@2001:db8::/32"

      # account: A space delimited list of account names or account ids that are allowed
      # to log into this account.
      # Requires the account module.
      account="Attila 1234567890"

      # fingerprint: When using the sslinfo module, you may specify a space separated
      # list of TLS client certificate fingerprints here. These can be obtained by using
      # the /SSLINFO command while the module is loaded, and is also noticed on connect.
      # This enhances security by verifying that the person opering up has
      # a matching TLS client certificate, which is very difficult to
      # forge (impossible unless preimage attacks on the hash exist).
      # If the sslinfo module isn't loaded, this option will be ignored.
      #fingerprint="67cb9dc013248a829bb2171ed11becd4"

      # autologin: Whether to automatically log this server operator in on connect if all
      # of their details match the ones in this <oper> block. Can be set to "strict" to
      # automatically log in if the user's nickname matches the oper account name and the
      # account/host/sslonly/etc fields match, "relaxed" to automatically log in if the
      # account/host/sslonly/etc fields match, and "never" to not allow automatically
      # logging in to this oper account. Defaults to "never".
      #
      # IMPORTANT: As this option overrides the password field it should **NOT** be used
      # unless you are certain that nobody other than the intended user will match the
      # restrictions of this <oper> block. Failure to do this may result in your server
      # being compromised.
      #autologin="strict"

      # sslonly: If enabled, this oper can only oper up if they're using a TLS connection.
      # Setting this option adds a decent bit of security. Highly recommended
      # if the oper is on wifi, or specifically, unsecured wifi. Note that it
      # is redundant to specify this option if you specify a fingerprint.
      # This setting only takes effect if the sslinfo module is loaded.
      #sslonly="yes"

      # vhost: Overrides the vhost in the type block. Class and modes may also
      # be overridden.
      vhost="attila.example.org"

      # type: Which type of operator this person is; see the block
      # above for the list of types. NOTE: This is case-sensitive as well.
      type="NetAdmin">

# Operator with a plaintext password and no comments, for easy copy & paste.
<oper
      name="Brain"
      password="youshouldhashthis"
      host="brain@dialup15.isp.test.com *@localhost *@example.com *@2001:db8::/32"
      #fingerprint="67cb9dc013248a829bb2171ed11becd4"
      type="NetAdmin">

# Operator with a hashed password. It is highly recommended to use hashed passwords.
<oper
      # name: Oper login that is used to oper up (/OPER <username> <password>).
      # Remember: This is case sensitive.
      name="Adam"

      # hash: The hash function this password is hashed with. Requires the
      # module for the selected function (bcrypt, md5, sha1, or sha256) and
      # the password hashing module (password_hash) to be loaded.
      #
      # You may also use any of the above other than bcrypt prefixed with
      # either "hmac-" or "pbkdf2-hmac-" (requires the pbkdf2 module).
      # Create hashed passwords with: /MKPASSWD <hashtype> <plaintext>.
      hash="bcrypt"

      # password: A hash of the password (see above option) hashed
      # with /MKPASSWD <hashtype> <plaintext>. See the password_hash module
      # in modules.conf for more information about password hashing.
      password="qQmv3LcF$Qh63wzmtUqWp9OXnLwe7yv1GcBwHpq59k2a0UrY8xe0"

      # host: What hostnames and IPs are allowed to use this operator account.
      # Multiple options can be separated by spaces and CIDRs are allowed.
      # You can use just * or *@* for this section, but it is not recommended
      # for security reasons.
      host="*@127.0.0.1 *@192.0.2.40 *@198.51.100.4"

      # type: Which type of operator this person is; see the block
      # above for the list of types. NOTE: This is case-sensitive as well.
      type="Helper">

# Once you have edited this file you can remove this line. This is just to
# ensure that you don't hastily include the file without reading it.
<die reason="Using opers.example.conf without editing it is a security risk">