/* This file will load all optional modules. These are features that
 * not everyone will use or are considered experimental.
 * You can include this file from your unrealircd.conf like this:
 * include "modules.optional.conf";
 * OR... and this is probably a better idea... you can copy-paste it
 * to another file where you do your own customizations.
 *
 * DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN DURING NEXT UPGRADE!!
 * If you want to customize, make a copy of this file (for example
 * name it modules.custom.conf) and edit it.
 * Then include that file from your unrealircd.conf instead of this one.
 */

/*** Commands ***/

// This add the /IRCOPS command: A more visual way for users
// to see which IRCOps are online.
loadmodule "ircops";

// This adds the /STAFF command: This command simply displays
// a text file that you can configure here:
loadmodule "staff";
@if module-loaded("staff")
set { staff-file "network.staff"; }
@endif


/*** Channel modes ***/

// The following module ('nocodes') is not a true channel mode.
// It simply enhances the existing channel mode +S/+c to include
// stripping/blocking of bold, underline and italic text.
loadmodule "nocodes";


/*** Other ***/

// The hideserver module will hide /MAP and /LINKS to regular users.
// It does not truly enhance security as server names can still be
// seen at other places.
// Comment out the following line to enable this:
// loadmodule "hideserver";

// The antirandom module will kill or *line users that have a nick,
// ident and/or realname that is considered "random".
// This helps to combat simple botnets/drones.
// Note that failure to set the right settings may ban innocent users.
// This is especially true if you are on a non-English network where
// the module may consider a sequence of characters "random" even though
// it is a perfectly pronounceable word in your language.
loadmodule "antirandom";
@if module-loaded("antirandom")
set {
	antirandom {
		/* THRESHOLD:
		 * This is the most important setting of all.
		 * For every randomly looking item the user gets a certain amount of
		 * 'points'. If the points reach the 'threshold' then the appropriate
		 * action is taken (killed, *lined, see later on).
		 *  lower = more randomly looking users will be caught
		 *          (but also more innocent users).
		 * higher = less chance of innocent users getting killed
		 *          (but also less chance on bots getting caught).
		 * <2:  DON'T!!
		 *  4:  Works good, probably a few more innocent kills, but if you have a
		 *      big problem with drone attacks then this might be a good setting.
		 *  5:  Works well with few innocent kills, probably good to begin with.
		 *  6:  If you want to be a tad more careful
		 * >6:  For the paranoid. Module can still be quite effective, though :)
		 */
		threshold 6;

		/* BAN-ACTION:
		 * Action to take whenever the user is caught as random, options:
		 * warn, kill, gline, gzline, kline, zline, shun, tempshun
		 */
		ban-action kill;

		/* BAN-TIME:
		 * Time to ban the user (irrelevant for tempshun/kill).
		 * Something between 1 hour and 2 days is recommended.
		 * If you set it higher than 3 or 4 days then you get quite a risk
		 * of catching innocent users due to dynamic IP, not to mention
		 * your *line list gets filled up... so choose it wisely.
		 */
		ban-time 4h;

		/* BAN-REASON:
		 * The ban or kill reason to use.
		 * Tip: you might want to put in an entry to a FAQ or an email address where
		 *      users can mail if they have been caught and don't know what to do.
		 * NOTE: One of the various reasons that "innocent users" are blocked is when
		 *       they randomly type in info for their nick, ident, or realname.
		 */
		ban-reason "You look like a bot. Be sure to fill in your nick/ident/realname properly.";

		/* CONVERT-TO-LOWERCASE:
		 * Convert nicks, idents, and realnames to lowercase before doing random checks?
		 * Useful to catch GnStA5FYhiTH51TUkf style random nicks as random.
		 * Enabled by default.
		 */
		convert-to-lowercase yes;

		/* SHOW-FAILEDCONNECTS:
		 * This will send out a notice whenever a randomly looking user has been caught
		 * during connecting. This can be pretty noisy.
		 * Especially recommended to enable during the first few days you use this module.
		 */
		show-failedconnects yes;

		/* EXCEPT:
		 * Don't do antirandom checks for these users.
		 */
		except {
			/* Exempt WEBIRC gateways because these frequently
			 * cause false positives. So the default is yes.
			 */
			webirc yes;

			/* Exempt LAN users */
			ip { 192.168.*; 127.*; }

			// Or by hostname:
			//mask { *.example.net; }

			/* You can also exempt security groups: */
			// security-group known-users;

			/* For all options, see https://www.unrealircd.org/docs/Mask_item */
		}
	}
}
@endif

// This module will send a HTTP 301 redirect to any client which sends
// a HTTP request to us. This is commented out by default:
//loadmodule "webredir";
//set {
//	webredir {
//		url 'https://...';
//	}
//}

// Load the webserver module, needed for websocket (see next)
loadmodule "webserver";

// This adds websocket support. For more information, see:
// https://www.unrealircd.org/docs/WebSocket_support
loadmodule "websocket";

// This module will detect and stop spam containing of characters of
// mixed "scripts", where (for example) some characters are in
// Latin script and other characters are in Cyrillic script.
loadmodule "antimixedutf8";
@if module-loaded("antimixedutf8")
set {
	antimixedutf8 {
		/* Take action at this 'score' (lower = more sensitive)
		 *
		 * A score of 2 or 3 will catch a lot but also
		 * catch innocent users who are not using a pure
		 * Latin script, such as Russian people who
		 * commonly use a mix of Latin and Cyrillic.
		 *
		 * A score of 8 is a safe default.
		 */
		score 8;

		/* Action to take, see:
		 * https://www.unrealircd.org/docs/Actions
		 */
		ban-action block;

		/* Block/kill/ban reason (sent to user) */
		ban-reason "Mixed character spam";

		/* Duration of ban (does not apply to block/kill) */
		ban-time 4h; // For other types

		/* Except these users - see
		 * https://www.unrealircd.org/docs/Mask_item for options.
		 */
		//commented out by default:
		//except {
		//	security-group known-users;
		//	webirc yes;
		//}
	}
}
@endif

// This module will add support for /EXTJWT command,
// used for generating authorization tokens for external services.
// The feature is based on a specification described here:
// https://github.com/ircv3/ircv3-specifications/pull/341
// Please create your configuration block based on the example below.
// Do not uncomment the example.
//
// Supported JWT methods: NONE (not recommended), HS256, HS384, HS512,
// ES256, ES384, ES512, RS256, RS384, RS512
// Method NONE does not use any cryptography to sign the token. This
// is only useful for checking whether the service works when initially
// setting it up. HS* methods use a password that must be shared with
// the verification service. ES* and RS* methods use public-private key
// pairs, so the verification service, knowing your public key, can't
// generate own valid tokens. 
//
// For methods requiring a key, place it in your "conf" directory.
//
// Use following shell commands to create keys if needed:
// To generate RS256, RS384 or RS512 private key (for UnrealIRCd):
// openssl genrsa -out privkey.pem 4096
// To generate matching public key (for the external service to verify
// the token):
// openssl rsa -in privkey.pem -pubout > pubkey.pem
//
// To generate ES256, ES384 or ES512 private key (for UnrealIRCd):
// openssl ecparam -genkey -name secp521r1 -noout -out privkey.pem
// To generate matching public key (for the external service to verify
// the token):
// openssl ec -in privkey.pem -pubout -out pubkey.pem
//
// In all cases, substitute your preferred file names for "pubkey.pem"
// and "privkey.pem".

//loadmodule "extjwt";
//extjwt {
//	/* The configuration below is used when no service name is
//	 * provided by the user command.
//	 */
//	method "HS256"; /* described above */
//	expire-after 30; /* seconds */
//	secret "somepassword"; /* required for HS* methods */
//	/* Optional service blocks for generating different tokens.
//	 * Add as many of these as you need.
//	 */
//	service "service1" {
//		method "ES512"; /* will be inherited from main if not given */
//		//secret "anotherpassword"; /* required for HS* method */
//		key "es512.pem"; /* required for ES* and RS* methods */
//		//verify-url 'https://example.com/verify/?t=%s'; /* URL for your validation service - optional; use single quotes here! */
//		expire-after 60; /* seconds, will be inherited from main if not given */
//	};
//	/* Another service block. */
//	service "service2" {
//		method "RS256";
//		key "RS256.pem";
//	};
//};