1.1--- a/dnsmasq.conf Wed Jun 12 14:31:01 2024 -0400
1.2+++ b/dnsmasq.conf Wed Jun 12 14:31:33 2024 -0400
1.3@@ -4,686 +4,23 @@
1.4 # as the long options legal on the command line. See
1.5 # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
1.6
1.7-# Listen on this specific port instead of the standard DNS port
1.8-# (53). Setting this to zero completely disables DNS function,
1.9-# leaving only DHCP and/or TFTP.
1.10-#port=5353
1.11-
1.12-# The following two options make you a better netizen, since they
1.13-# tell dnsmasq to filter out queries which the public DNS cannot
1.14-# answer, and which load the servers (especially the root servers)
1.15-# unnecessarily. If you have a dial-on-demand link they also stop
1.16-# these requests from bringing up the link unnecessarily.
1.17-
1.18-# Never forward plain names (without a dot or domain part)
1.19-#domain-needed
1.20-# Never forward addresses in the non-routed address spaces.
1.21-#bogus-priv
1.22-
1.23-# Uncomment these to enable DNSSEC validation and caching:
1.24-# (Requires dnsmasq to be built with DNSSEC option.)
1.25-#conf-file=/usr/share/dnsmasq/trust-anchors.conf
1.26-#dnssec
1.27-
1.28-# Replies which are not DNSSEC signed may be legitimate, because the domain
1.29-# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
1.30-# check that an unsigned reply is OK, by finding a secure proof that a DS
1.31-# record somewhere between the root and the domain does not exist.
1.32-# The cost of setting this is that even queries in unsigned domains will need
1.33-# one or more extra DNS queries to verify.
1.34-#dnssec-check-unsigned
1.35-
1.36-# Uncomment this to filter useless windows-originated DNS requests
1.37-# which can trigger dial-on-demand links needlessly.
1.38-# Note that (amongst other things) this blocks all SRV requests,
1.39-# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
1.40-# This option only affects forwarding, SRV records originating for
1.41-# dnsmasq (via srv-host= lines) are not suppressed by it.
1.42-#filterwin2k
1.43-
1.44-# Change this line if you want dns to get its upstream servers from
1.45-# somewhere other that /etc/resolv.conf
1.46-#resolv-file=
1.47-
1.48-# By default, dnsmasq will send queries to any of the upstream
1.49-# servers it knows about and tries to favour servers to are known
1.50-# to be up. Uncommenting this forces dnsmasq to try each query
1.51-# with each server strictly in the order they appear in
1.52-# /etc/resolv.conf
1.53-#strict-order
1.54-
1.55-# If you don't want dnsmasq to read /etc/resolv.conf or any other
1.56-# file, getting its servers from this file instead (see below), then
1.57-# uncomment this.
1.58-#no-resolv
1.59-
1.60-# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
1.61-# files for changes and re-read them then uncomment this.
1.62-#no-poll
1.63-
1.64-# Add other name servers here, with domain specs if they are for
1.65-# non-public domains.
1.66-#server=/localnet/192.168.0.1
1.67-
1.68-# Example of routing PTR queries to nameservers: this will send all
1.69-# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
1.70-#server=/3.168.192.in-addr.arpa/10.1.2.3
1.71-
1.72-# Add local-only domains here, queries in these domains are answered
1.73-# from /etc/hosts or DHCP only.
1.74-#local=/localnet/
1.75-
1.76-# Add domains which you want to force to an IP address here.
1.77-# The example below send any host in double-click.net to a local
1.78-# web-server.
1.79-#address=/double-click.net/127.0.0.1
1.80-
1.81-# --address (and --server) work with IPv6 addresses too.
1.82-#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
1.83-
1.84-# Add the IPs of all queries to yahoo.com, google.com, and their
1.85-# subdomains to the vpn and search ipsets:
1.86-#ipset=/yahoo.com/google.com/vpn,search
1.87-
1.88-# Add the IPs of all queries to yahoo.com, google.com, and their
1.89-# subdomains to netfilters sets, which is equivalent to
1.90-# 'nft add element ip test vpn { ... }; nft add element ip test search { ... }'
1.91-#nftset=/yahoo.com/google.com/ip#test#vpn,ip#test#search
1.92-
1.93-# Use netfilters sets for both IPv4 and IPv6:
1.94-# This adds all addresses in *.yahoo.com to vpn4 and vpn6 for IPv4 and IPv6 addresses.
1.95-#nftset=/yahoo.com/4#ip#test#vpn4
1.96-#nftset=/yahoo.com/6#ip#test#vpn6
1.97-
1.98-# You can control how dnsmasq talks to a server: this forces
1.99-# queries to 10.1.2.3 to be routed via eth1
1.100-# server=10.1.2.3@eth1
1.101-
1.102-# and this sets the source (ie local) address used to talk to
1.103-# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
1.104-# IP on the machine, obviously).
1.105-# server=10.1.2.3@192.168.1.1#55
1.106-
1.107-# If you want dnsmasq to change uid and gid to something other
1.108-# than the default, edit the following lines.
1.109-#user=
1.110-#group=
1.111-
1.112-# If you want dnsmasq to listen for DHCP and DNS requests only on
1.113-# specified interfaces (and the loopback) give the name of the
1.114-# interface (eg eth0) here.
1.115-# Repeat the line for more than one interface.
1.116-#interface=
1.117-# Or you can specify which interface _not_ to listen on
1.118-#except-interface=
1.119-# Or which to listen on by address (remember to include 127.0.0.1 if
1.120-# you use this.)
1.121-#listen-address=
1.122-# If you want dnsmasq to provide only DNS service on an interface,
1.123-# configure it as shown above, and then use the following line to
1.124-# disable DHCP and TFTP on it.
1.125-#no-dhcp-interface=
1.126-
1.127-# On systems which support it, dnsmasq binds the wildcard address,
1.128-# even when it is listening on only some interfaces. It then discards
1.129-# requests that it shouldn't reply to. This has the advantage of
1.130-# working even when interfaces come and go and change address. If you
1.131-# want dnsmasq to really bind only the interfaces it is listening on,
1.132-# uncomment this option. About the only time you may need this is when
1.133-# running another nameserver on the same machine.
1.134-#bind-interfaces
1.135-
1.136-# If you don't want dnsmasq to read /etc/hosts, uncomment the
1.137-# following line.
1.138-#no-hosts
1.139-# or if you want it to read another file, as well as /etc/hosts, use
1.140-# this.
1.141-#addn-hosts=/etc/banner_add_hosts
1.142-
1.143-# Set this (and domain: see below) if you want to have a domain
1.144-# automatically added to simple names in a hosts-file.
1.145-#expand-hosts
1.146-
1.147-# Set the domain for dnsmasq. this is optional, but if it is set, it
1.148-# does the following things.
1.149-# 1) Allows DHCP hosts to have fully qualified domain names, as long
1.150-# as the domain part matches this setting.
1.151-# 2) Sets the "domain" DHCP option thereby potentially setting the
1.152-# domain of all systems configured by DHCP
1.153-# 3) Provides the domain part for "expand-hosts"
1.154-#domain=thekelleys.org.uk
1.155-
1.156-# Set a different domain for a particular subnet
1.157-#domain=wireless.thekelleys.org.uk,192.168.2.0/24
1.158-
1.159-# Same idea, but range rather then subnet
1.160-#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
1.161-
1.162-# Uncomment this to enable the integrated DHCP server, you need
1.163-# to supply the range of addresses available for lease and optionally
1.164-# a lease time. If you have more than one network, you will need to
1.165-# repeat this for each network on which you want to supply DHCP
1.166-# service.
1.167-#dhcp-range=192.168.0.50,192.168.0.150,12h
1.168-
1.169-# This is an example of a DHCP range where the netmask is given. This
1.170-# is needed for networks we reach the dnsmasq DHCP server via a relay
1.171-# agent. If you don't know what a DHCP relay agent is, you probably
1.172-# don't need to worry about this.
1.173-#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
1.174-
1.175-# This is an example of a DHCP range which sets a tag, so that
1.176-# some DHCP options may be set only for this network.
1.177-#dhcp-range=set:red,192.168.0.50,192.168.0.150
1.178-
1.179-# Use this DHCP range only when the tag "green" is set.
1.180-#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
1.181-
1.182-# Specify a subnet which can't be used for dynamic address allocation,
1.183-# is available for hosts with matching --dhcp-host lines. Note that
1.184-# dhcp-host declarations will be ignored unless there is a dhcp-range
1.185-# of some type for the subnet in question.
1.186-# In this case the netmask is implied (it comes from the network
1.187-# configuration on the machine running dnsmasq) it is possible to give
1.188-# an explicit netmask instead.
1.189-#dhcp-range=192.168.0.0,static
1.190-
1.191-# Enable DHCPv6. Note that the prefix-length does not need to be specified
1.192-# and defaults to 64 if missing/
1.193-#dhcp-range=1234::2, 1234::500, 64, 12h
1.194-
1.195-# Do Router Advertisements, BUT NOT DHCP for this subnet.
1.196-#dhcp-range=1234::, ra-only
1.197-
1.198-# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
1.199-# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
1.200-# hosts. Use the DHCPv4 lease to derive the name, network segment and
1.201-# MAC address and assume that the host will also have an
1.202-# IPv6 address calculated using the SLAAC algorithm.
1.203-#dhcp-range=1234::, ra-names
1.204-
1.205-# Do Router Advertisements, BUT NOT DHCP for this subnet.
1.206-# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
1.207-#dhcp-range=1234::, ra-only, 48h
1.208-
1.209-# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
1.210-# so that clients can use SLAAC addresses as well as DHCP ones.
1.211-#dhcp-range=1234::2, 1234::500, slaac
1.212-
1.213-# Do Router Advertisements and stateless DHCP for this subnet. Clients will
1.214-# not get addresses from DHCP, but they will get other configuration information.
1.215-# They will use SLAAC for addresses.
1.216-#dhcp-range=1234::, ra-stateless
1.217-
1.218-# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
1.219-# from DHCPv4 leases.
1.220-#dhcp-range=1234::, ra-stateless, ra-names
1.221-
1.222-# Do router advertisements for all subnets where we're doing DHCPv6
1.223-# Unless overridden by ra-stateless, ra-names, et al, the router
1.224-# advertisements will have the M and O bits set, so that the clients
1.225-# get addresses and configuration from DHCPv6, and the A bit reset, so the
1.226-# clients don't use SLAAC addresses.
1.227-#enable-ra
1.228-
1.229-# Supply parameters for specified hosts using DHCP. There are lots
1.230-# of valid alternatives, so we will give examples of each. Note that
1.231-# IP addresses DO NOT have to be in the range given above, they just
1.232-# need to be on the same network. The order of the parameters in these
1.233-# do not matter, it's permissible to give name, address and MAC in any
1.234-# order.
1.235-
1.236-# Always allocate the host with Ethernet address 11:22:33:44:55:66
1.237-# The IP address 192.168.0.60
1.238-#dhcp-host=11:22:33:44:55:66,192.168.0.60
1.239-
1.240-# Always set the name of the host with hardware address
1.241-# 11:22:33:44:55:66 to be "fred"
1.242-#dhcp-host=11:22:33:44:55:66,fred
1.243-
1.244-# Always give the host with Ethernet address 11:22:33:44:55:66
1.245-# the name fred and IP address 192.168.0.60 and lease time 45 minutes
1.246-#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
1.247-
1.248-# Give a host with Ethernet address 11:22:33:44:55:66 or
1.249-# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
1.250-# that these two Ethernet interfaces will never be in use at the same
1.251-# time, and give the IP address to the second, even if it is already
1.252-# in use by the first. Useful for laptops with wired and wireless
1.253-# addresses.
1.254-#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
1.255-
1.256-# Give the machine which says its name is "bert" IP address
1.257-# 192.168.0.70 and an infinite lease
1.258-#dhcp-host=bert,192.168.0.70,infinite
1.259-
1.260-# Always give the host with client identifier 01:02:02:04
1.261-# the IP address 192.168.0.60
1.262-#dhcp-host=id:01:02:02:04,192.168.0.60
1.263-
1.264-# Always give the InfiniBand interface with hardware address
1.265-# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
1.266-# ip address 192.168.0.61. The client id is derived from the prefix
1.267-# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
1.268-# hex digits of the hardware address.
1.269-#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
1.270-
1.271-# Always give the host with client identifier "marjorie"
1.272-# the IP address 192.168.0.60
1.273-#dhcp-host=id:marjorie,192.168.0.60
1.274-
1.275-# Enable the address given for "judge" in /etc/hosts
1.276-# to be given to a machine presenting the name "judge" when
1.277-# it asks for a DHCP lease.
1.278-#dhcp-host=judge
1.279-
1.280-# Never offer DHCP service to a machine whose Ethernet
1.281-# address is 11:22:33:44:55:66
1.282-#dhcp-host=11:22:33:44:55:66,ignore
1.283-
1.284-# Ignore any client-id presented by the machine with Ethernet
1.285-# address 11:22:33:44:55:66. This is useful to prevent a machine
1.286-# being treated differently when running under different OS's or
1.287-# between PXE boot and OS boot.
1.288-#dhcp-host=11:22:33:44:55:66,id:*
1.289-
1.290-# Send extra options which are tagged as "red" to
1.291-# the machine with Ethernet address 11:22:33:44:55:66
1.292-#dhcp-host=11:22:33:44:55:66,set:red
1.293-
1.294-# Send extra options which are tagged as "red" to
1.295-# any machine with Ethernet address starting 11:22:33:
1.296-#dhcp-host=11:22:33:*:*:*,set:red
1.297-
1.298-# Give a fixed IPv6 address and name to client with
1.299-# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
1.300-# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
1.301-# Note also that the [] around the IPv6 address are obligatory.
1.302-#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
1.303-
1.304-# Ignore any clients which are not specified in dhcp-host lines
1.305-# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
1.306-# This relies on the special "known" tag which is set when
1.307-# a host is matched.
1.308-#dhcp-ignore=tag:!known
1.309-
1.310-# Send extra options which are tagged as "red" to any machine whose
1.311-# DHCP vendorclass string includes the substring "Linux"
1.312-#dhcp-vendorclass=set:red,Linux
1.313-
1.314-# Send extra options which are tagged as "red" to any machine one
1.315-# of whose DHCP userclass strings includes the substring "accounts"
1.316-#dhcp-userclass=set:red,accounts
1.317-
1.318-# Send extra options which are tagged as "red" to any machine whose
1.319-# MAC address matches the pattern.
1.320-#dhcp-mac=set:red,00:60:8C:*:*:*
1.321-
1.322-# If this line is uncommented, dnsmasq will read /etc/ethers and act
1.323-# on the ethernet-address/IP pairs found there just as if they had
1.324-# been given as --dhcp-host options. Useful if you keep
1.325-# MAC-address/host mappings there for other purposes.
1.326-#read-ethers
1.327-
1.328-# Send options to hosts which ask for a DHCP lease.
1.329-# See RFC 2132 for details of available options.
1.330-# Common options can be given to dnsmasq by name:
1.331-# run "dnsmasq --help dhcp" to get a list.
1.332-# Note that all the common settings, such as netmask and
1.333-# broadcast address, DNS server and default route, are given
1.334-# sane defaults by dnsmasq. You very likely will not need
1.335-# any dhcp-options. If you use Windows clients and Samba, there
1.336-# are some options which are recommended, they are detailed at the
1.337-# end of this section.
1.338-
1.339-# Override the default route supplied by dnsmasq, which assumes the
1.340-# router is the same machine as the one running dnsmasq.
1.341-#dhcp-option=3,1.2.3.4
1.342-
1.343-# Do the same thing, but using the option name
1.344-#dhcp-option=option:router,1.2.3.4
1.345-
1.346-# Override the default route supplied by dnsmasq and send no default
1.347-# route at all. Note that this only works for the options sent by
1.348-# default (1, 3, 6, 12, 28) the same line will send a zero-length option
1.349-# for all other option numbers.
1.350-#dhcp-option=3
1.351-
1.352-# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
1.353-#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
1.354-
1.355-# Send DHCPv6 option. Note [] around IPv6 addresses.
1.356-#dhcp-option=option6:dns-server,[1234::77],[1234::88]
1.357-
1.358-# Send DHCPv6 option for namservers as the machine running
1.359-# dnsmasq and another.
1.360-#dhcp-option=option6:dns-server,[::],[1234::88]
1.361-
1.362-# Ask client to poll for option changes every six hours. (RFC4242)
1.363-#dhcp-option=option6:information-refresh-time,6h
1.364-
1.365-# Set option 58 client renewal time (T1). Defaults to half of the
1.366-# lease time if not specified. (RFC2132)
1.367-#dhcp-option=option:T1,1m
1.368-
1.369-# Set option 59 rebinding time (T2). Defaults to 7/8 of the
1.370-# lease time if not specified. (RFC2132)
1.371-#dhcp-option=option:T2,2m
1.372-
1.373-# Set the NTP time server address to be the same machine as
1.374-# is running dnsmasq
1.375-#dhcp-option=42,0.0.0.0
1.376-
1.377-# Set the NIS domain name to "welly"
1.378-#dhcp-option=40,welly
1.379-
1.380-# Set the default time-to-live to 50
1.381-#dhcp-option=23,50
1.382-
1.383-# Set the "all subnets are local" flag
1.384-#dhcp-option=27,1
1.385-
1.386-# Send the etherboot magic flag and then etherboot options (a string).
1.387-#dhcp-option=128,e4:45:74:68:00:00
1.388-#dhcp-option=129,NIC=eepro100
1.389-
1.390-# Specify an option which will only be sent to the "red" network
1.391-# (see dhcp-range for the declaration of the "red" network)
1.392-# Note that the tag: part must precede the option: part.
1.393-#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
1.394-
1.395-# The following DHCP options set up dnsmasq in the same way as is specified
1.396-# for the ISC dhcpcd in
1.397-# https://web.archive.org/web/20040313070105/http://us1.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
1.398-# adapted for a typical dnsmasq installation where the host running
1.399-# dnsmasq is also the host running samba.
1.400-# you may want to uncomment some or all of them if you use
1.401-# Windows clients and Samba.
1.402-#dhcp-option=19,0 # option ip-forwarding off
1.403-#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
1.404-#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
1.405-#dhcp-option=46,8 # netbios node type
1.406-
1.407-# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
1.408-#dhcp-option=252,"\n"
1.409-
1.410-# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
1.411-# probably doesn't support this......
1.412-#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
1.413-
1.414-# Send RFC-3442 classless static routes (note the netmask encoding)
1.415-#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
1.416-
1.417-# Send vendor-class specific options encapsulated in DHCP option 43.
1.418-# The meaning of the options is defined by the vendor-class so
1.419-# options are sent only when the client supplied vendor class
1.420-# matches the class given here. (A substring match is OK, so "MSFT"
1.421-# matches "MSFT" and "MSFT 5.0"). This example sets the
1.422-# mtftp address to 0.0.0.0 for PXEClients.
1.423-#dhcp-option=vendor:PXEClient,1,0.0.0.0
1.424-
1.425-# Send microsoft-specific option to tell windows to release the DHCP lease
1.426-# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
1.427-# value as a four-byte integer - that's what microsoft wants. See
1.428-# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
1.429-#dhcp-option=vendor:MSFT,2,1i
1.430-
1.431-# Send the Encapsulated-vendor-class ID needed by some configurations of
1.432-# Etherboot to allow is to recognise the DHCP server.
1.433-#dhcp-option=vendor:Etherboot,60,"Etherboot"
1.434-
1.435-# Send options to PXELinux. Note that we need to send the options even
1.436-# though they don't appear in the parameter request list, so we need
1.437-# to use dhcp-option-force here.
1.438-# See http://syslinux.zytor.com/pxe.php#special for details.
1.439-# Magic number - needed before anything else is recognised
1.440-#dhcp-option-force=208,f1:00:74:7e
1.441-# Configuration file name
1.442-#dhcp-option-force=209,configs/common
1.443-# Path prefix
1.444-#dhcp-option-force=210,/tftpboot/pxelinux/files/
1.445-# Reboot time. (Note 'i' to send 32-bit value)
1.446-#dhcp-option-force=211,30i
1.447-
1.448-# Set the boot filename for netboot/PXE. You will only need
1.449-# this if you want to boot machines over the network and you will need
1.450-# a TFTP server; either dnsmasq's built-in TFTP server or an
1.451-# external one. (See below for how to enable the TFTP server.)
1.452-#dhcp-boot=pxelinux.0
1.453-
1.454-# The same as above, but use custom tftp-server instead machine running dnsmasq
1.455-#dhcp-boot=pxelinux,server.name,192.168.1.100
1.456-
1.457-# Boot for iPXE. The idea is to send two different
1.458-# filenames, the first loads iPXE, and the second tells iPXE what to
1.459-# load. The dhcp-match sets the ipxe tag for requests from iPXE.
1.460-#dhcp-boot=undionly.kpxe
1.461-#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
1.462-#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
1.463-
1.464-# Encapsulated options for iPXE. All the options are
1.465-# encapsulated within option 175
1.466-#dhcp-option=encap:175, 1, 5b # priority code
1.467-#dhcp-option=encap:175, 176, 1b # no-proxydhcp
1.468-#dhcp-option=encap:175, 177, string # bus-id
1.469-#dhcp-option=encap:175, 189, 1b # BIOS drive code
1.470-#dhcp-option=encap:175, 190, user # iSCSI username
1.471-#dhcp-option=encap:175, 191, pass # iSCSI password
1.472-
1.473-# Test for the architecture of a netboot client. PXE clients are
1.474-# supposed to send their architecture as option 93. (See RFC 4578)
1.475-#dhcp-match=peecees, option:client-arch, 0 #x86-32
1.476-#dhcp-match=itanics, option:client-arch, 2 #IA64
1.477-#dhcp-match=hammers, option:client-arch, 6 #x86-64
1.478-#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
1.479-
1.480-# Do real PXE, rather than just booting a single file, this is an
1.481-# alternative to dhcp-boot.
1.482-#pxe-prompt="What system shall I netboot?"
1.483-# or with timeout before first available action is taken:
1.484-#pxe-prompt="Press F8 for menu.", 60
1.485-
1.486-# Available boot services. for PXE.
1.487-#pxe-service=x86PC, "Boot from local disk"
1.488-
1.489-# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
1.490-#pxe-service=x86PC, "Install Linux", pxelinux
1.491-
1.492-# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
1.493-# Beware this fails on old PXE ROMS.
1.494-#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
1.495-
1.496-# Use bootserver on network, found my multicast or broadcast.
1.497-#pxe-service=x86PC, "Install windows from RIS server", 1
1.498-
1.499-# Use bootserver at a known IP address.
1.500-#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
1.501-
1.502-# If you have multicast-FTP available,
1.503-# information for that can be passed in a similar way using options 1
1.504-# to 5. See page 19 of
1.505-# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
1.506-
1.507-
1.508-# Enable dnsmasq's built-in TFTP server
1.509-#enable-tftp
1.510-
1.511-# Set the root directory for files available via FTP.
1.512-#tftp-root=/var/ftpd
1.513-
1.514-# Do not abort if the tftp-root is unavailable
1.515-#tftp-no-fail
1.516-
1.517-# Make the TFTP server more secure: with this set, only files owned by
1.518-# the user dnsmasq is running as will be send over the net.
1.519-#tftp-secure
1.520-
1.521-# This option stops dnsmasq from negotiating a larger blocksize for TFTP
1.522-# transfers. It will slow things down, but may rescue some broken TFTP
1.523-# clients.
1.524-#tftp-no-blocksize
1.525-
1.526-# Set the boot file name only when the "red" tag is set.
1.527-#dhcp-boot=tag:red,pxelinux.red-net
1.528-
1.529-# An example of dhcp-boot with an external TFTP server: the name and IP
1.530-# address of the server are given after the filename.
1.531-# Can fail with old PXE ROMS. Overridden by --pxe-service.
1.532-#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
1.533-
1.534-# If there are multiple external tftp servers having a same name
1.535-# (using /etc/hosts) then that name can be specified as the
1.536-# tftp_servername (the third option to dhcp-boot) and in that
1.537-# case dnsmasq resolves this name and returns the resultant IP
1.538-# addresses in round robin fashion. This facility can be used to
1.539-# load balance the tftp load among a set of servers.
1.540-#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
1.541-
1.542-# Set the limit on DHCP leases, the default is 150
1.543-#dhcp-lease-max=150
1.544-
1.545-# The DHCP server needs somewhere on disk to keep its lease database.
1.546-# This defaults to a sane location, but if you want to change it, use
1.547-# the line below.
1.548-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
1.549-
1.550-# Set the DHCP server to authoritative mode. In this mode it will barge in
1.551-# and take over the lease for any client which broadcasts on the network,
1.552-# whether it has a record of the lease or not. This avoids long timeouts
1.553-# when a machine wakes up on a new network. DO NOT enable this if there's
1.554-# the slightest chance that you might end up accidentally configuring a DHCP
1.555-# server for your campus/company accidentally. The ISC server uses
1.556-# the same option, and this URL provides more information:
1.557-# http://www.isc.org/files/auth.html
1.558-#dhcp-authoritative
1.559-
1.560-# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
1.561-# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
1.562-# option with a DHCPACK including a Rapid Commit option and fully committed address
1.563-# and configuration information. This must only be enabled if either the server is
1.564-# the only server for the subnet, or multiple servers are present and they each
1.565-# commit a binding for all clients.
1.566-#dhcp-rapid-commit
1.567-
1.568-# Run an executable when a DHCP lease is created or destroyed.
1.569-# The arguments sent to the script are "add" or "del",
1.570-# then the MAC address, the IP address and finally the hostname
1.571-# if there is one.
1.572-#dhcp-script=/bin/echo
1.573-
1.574-# Set the cachesize here.
1.575-#cache-size=150
1.576-
1.577-# If you want to disable negative caching, uncomment this.
1.578-#no-negcache
1.579-
1.580-# Normally responses which come from /etc/hosts and the DHCP lease
1.581-# file have Time-To-Live set as zero, which conventionally means
1.582-# do not cache further. If you are happy to trade lower load on the
1.583-# server for potentially stale date, you can set a time-to-live (in
1.584-# seconds) here.
1.585-#local-ttl=
1.586-
1.587-# If you want dnsmasq to detect attempts by Verisign to send queries
1.588-# to unregistered .com and .net hosts to its sitefinder service and
1.589-# have dnsmasq instead return the correct NXDOMAIN response, uncomment
1.590-# this line. You can add similar lines to do the same for other
1.591-# registries which have implemented wildcard A records.
1.592-#bogus-nxdomain=64.94.110.11
1.593-
1.594-# If you want to fix up DNS results from upstream servers, use the
1.595-# alias option. This only works for IPv4.
1.596-# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
1.597-#alias=1.2.3.4,5.6.7.8
1.598-# and this maps 1.2.3.x to 5.6.7.x
1.599-#alias=1.2.3.0,5.6.7.0,255.255.255.0
1.600-# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
1.601-#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
1.602-
1.603-# Change these lines if you want dnsmasq to serve MX records.
1.604-
1.605-# Return an MX record named "maildomain.com" with target
1.606-# servermachine.com and preference 50
1.607-#mx-host=maildomain.com,servermachine.com,50
1.608-
1.609-# Set the default target for MX records created using the localmx option.
1.610-#mx-target=servermachine.com
1.611-
1.612-# Return an MX record pointing to the mx-target for all local
1.613-# machines.
1.614-#localmx
1.615-
1.616-# Return an MX record pointing to itself for all local machines.
1.617-#selfmx
1.618-
1.619-# Change the following lines if you want dnsmasq to serve SRV
1.620-# records. These are useful if you want to serve ldap requests for
1.621-# Active Directory and other windows-originated DNS requests.
1.622-# See RFC 2782.
1.623-# You may add multiple srv-host lines.
1.624-# The fields are <name>,<target>,<port>,<priority>,<weight>
1.625-# If the domain part if missing from the name (so that is just has the
1.626-# service and protocol sections) then the domain given by the domain=
1.627-# config option is used. (Note that expand-hosts does not need to be
1.628-# set for this to work.)
1.629-
1.630-# A SRV record sending LDAP for the example.com domain to
1.631-# ldapserver.example.com port 389
1.632-#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
1.633-
1.634-# A SRV record sending LDAP for the example.com domain to
1.635-# ldapserver.example.com port 389 (using domain=)
1.636-#domain=example.com
1.637-#srv-host=_ldap._tcp,ldapserver.example.com,389
1.638-
1.639-# Two SRV records for LDAP, each with different priorities
1.640-#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
1.641-#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
1.642-
1.643-# A SRV record indicating that there is no LDAP server for the domain
1.644-# example.com
1.645-#srv-host=_ldap._tcp.example.com
1.646-
1.647-# The following line shows how to make dnsmasq serve an arbitrary PTR
1.648-# record. This is useful for DNS-SD. (Note that the
1.649-# domain-name expansion done for SRV records _does_not
1.650-# occur for PTR records.)
1.651-#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
1.652-
1.653-# Change the following lines to enable dnsmasq to serve TXT records.
1.654-# These are used for things like SPF and zeroconf. (Note that the
1.655-# domain-name expansion done for SRV records _does_not
1.656-# occur for TXT records.)
1.657-
1.658-#Example SPF.
1.659-#txt-record=example.com,"v=spf1 a -all"
1.660-
1.661-#Example zeroconf
1.662-#txt-record=_http._tcp.example.com,name=value,paper=A4
1.663-
1.664-# Provide an alias for a "local" DNS name. Note that this _only_ works
1.665-# for targets which are names from DHCP or /etc/hosts. Give host
1.666-# "bert" another name, bertrand
1.667-#cname=bertrand,bert
1.668-
1.669-# For debugging purposes, log each DNS query as it passes through
1.670-# dnsmasq.
1.671-#log-queries
1.672-
1.673-# Log lots of extra information about DHCP transactions.
1.674-#log-dhcp
1.675-
1.676-# Include another lot of configuration options.
1.677-#conf-file=/etc/dnsmasq.more.conf
1.678-#conf-dir=/etc/dnsmasq.d
1.679-
1.680-# Include all the files in a directory except those ending in .bak
1.681-#conf-dir=/etc/dnsmasq.d,.bak
1.682-
1.683-# Include all files in a directory which end in .conf
1.684-#conf-dir=/etc/dnsmasq.d/,*.conf
1.685-
1.686-# If a DHCP client claims that its name is "wpad", ignore that.
1.687-# This fixes a security hole. see CERT Vulnerability VU#598349
1.688-#dhcp-name-match=set:wpad-ignore,wpad
1.689-#dhcp-ignore-names=tag:wpad-ignore
1.690+cache-size=1000
1.691+conf-file=/usr/share/dnsmasq/trust-anchors.conf
1.692+dnssec
1.693+no-resolv
1.694+server=1.1.1.1
1.695+server=8.8.8.8
1.696+local=/lab/
1.697+domain=lab
1.698+expand-hosts
1.699+bind-interfaces
1.700+interface=vpn0
1.701+dhcp-option=3,0.0.0.0
1.702+dhcp-option=6,0.0.0.0
1.703+#dhcp-host=
1.704+#dhcp-host=88.44.22
1.705+enable-tftp
1.706+tftp-root=/srv/tftp
1.707+dhcp-boot=lpxelinux.0
1.708+pxe-service=x86PC,"PXELINUX (BIOS)",bios/lpxelinux
1.709+pxe-service=X86-64_EFI,"PXELINUX (EFI)",efi64/syslinux.efi
1.710\ No newline at end of file
2.1--- /dev/null Thu Jan 01 00:00:00 1970 +0000
2.2+++ b/easy-rsa/vars Wed Jun 12 14:31:33 2024 -0400
2.3@@ -0,0 +1,4 @@
2.4+set_var EASYRSA_DIGEST "sha512"
2.5+# set_var EASYRSA_NS_SUPPORT "yes" # for netscape, deprecated
2.6+set_var EASYRSA_ALGO ed
2.7+set_var EASYRSA_CURVE ed25519
2.8\ No newline at end of file
3.1--- /dev/null Thu Jan 01 00:00:00 1970 +0000
3.2+++ b/ngircd.conf Wed Jun 12 14:31:33 2024 -0400
3.3@@ -0,0 +1,425 @@
3.4+#
3.5+# This is a sample configuration file for the ngIRCd IRC daemon, which must
3.6+# be customized to the local preferences and needs.
3.7+#
3.8+# Comments are started with "#" or ";".
3.9+#
3.10+# A lot of configuration options in this file start with a ";". You have
3.11+# to remove the ";" in front of each variable to actually set a value!
3.12+# The disabled variables are shown with example values for completeness only
3.13+# and the daemon is using compiled-in default settings.
3.14+#
3.15+# Use "ngircd --configtest" (see manual page ngircd(8)) to validate that the
3.16+# server interprets the configuration file as expected!
3.17+#
3.18+# Please see ngircd.conf(5) for a complete list of configuration options
3.19+# and their descriptions.
3.20+#
3.21+
3.22+[Global]
3.23+ # The [Global] section of this file is used to define the main
3.24+ # configuration of the server, like the server name and the ports
3.25+ # on which the server should be listening.
3.26+ # These settings depend on your personal preferences, so you should
3.27+ # make sure that they correspond to your installation and setup!
3.28+
3.29+ # Server name in the IRC network, must contain at least one dot
3.30+ # (".") and be unique in the IRC network. When not set, ngIRCd tries
3.31+ # to deduce a valid IRC server name from the local host name.
3.32+ ;Name = irc.example.net
3.33+
3.34+ # Information about the server and the administrator, used by the
3.35+ # ADMIN command. Not required by server but by RFC!
3.36+ ;AdminInfo1 = Description
3.37+ ;AdminInfo2 = Location
3.38+ ;AdminEMail = admin@irc.server
3.39+
3.40+ # Text file which contains the ngIRCd help text. This file is required
3.41+ # to display help texts when using the "HELP <cmd>" command. Default: a
3.42+ # built-in standard path (check "ngircd --configtest").
3.43+ ;HelpFile = /usr/local/share/doc/ngircd/Commands.txt
3.44+
3.45+ # Info text of the server. This will be shown by WHOIS and
3.46+ # LINKS requests for example. Set to the server software name and
3.47+ # version by default.
3.48+ ;Info = Server Info Text
3.49+
3.50+ # Comma separated list of IP addresses on which the server should
3.51+ # listen. Default values are:
3.52+ # "0.0.0.0" or (if compiled with IPv6 support) "::,0.0.0.0"
3.53+ # so the server listens on all IP addresses of the system by default.
3.54+ ;Listen = 127.0.0.1,192.168.0.1
3.55+
3.56+ # Text file with the "message of the day" (MOTD). This message will
3.57+ # be shown to all users connecting to the server: Default: a built-in
3.58+ # standard path (check "ngircd --configtest").
3.59+ ;MotdFile = /usr/local/etc/ngircd.motd
3.60+
3.61+ # A simple Phrase (<127 chars) if you don't want to use a motd file.
3.62+ ;MotdPhrase = "Hello world!"
3.63+
3.64+ # The name of the IRC network to which this server belongs. This name
3.65+ # is optional, should only contain ASCII characters, and can't contain
3.66+ # spaces. It is only used to inform clients. The default is empty,
3.67+ # so no network name is announced to clients.
3.68+ ;Network = aIRCnetwork
3.69+
3.70+ # Global password for all users needed to connect to the server.
3.71+ # (Default: not set)
3.72+ ;Password = abc
3.73+
3.74+ # This tells ngIRCd to write its current process ID to a file.
3.75+ # Note that the pidfile is written AFTER chroot and switching the
3.76+ # user ID, e.g. the directory the pidfile resides in must be
3.77+ # writable by the ngIRCd user and exist in the chroot directory.
3.78+ ;PidFile = /var/run/ngircd/ngircd.pid
3.79+
3.80+ # Ports on which the server should listen. There may be more than
3.81+ # one port, separated with ",". (Default: 6667)
3.82+ ;Ports = 6667, 6668, 6669
3.83+
3.84+ # Group ID under which the ngIRCd should run; you can use the name
3.85+ # of the group or the numerical ID. ATTENTION: For this to work the
3.86+ # server must have been started with root privileges!
3.87+ ;ServerGID = 65534
3.88+
3.89+ # User ID under which the server should run; you can use the name
3.90+ # of the user or the numerical ID. ATTENTION: For this to work the
3.91+ # server must have been started with root privileges! In addition,
3.92+ # the configuration and MOTD files must be readable by this user,
3.93+ # otherwise RESTART and REHASH won't work!
3.94+ ;ServerUID = 65534
3.95+
3.96+[Limits]
3.97+ # Define some limits and timeouts for this ngIRCd instance. Default
3.98+ # values should be safe, but it is wise to double-check :-)
3.99+
3.100+ # The server tries every <ConnectRetry> seconds to establish a link
3.101+ # to not yet (or no longer) connected servers.
3.102+ ;ConnectRetry = 60
3.103+
3.104+ # Number of seconds after which the whole daemon should shutdown when
3.105+ # no connections are left active after handling at least one client
3.106+ # (0: never, which is the default).
3.107+ # This can be useful for testing or when ngIRCd is started using
3.108+ # "socket activation" with systemd(8), for example.
3.109+ ;IdleTimeout = 0
3.110+
3.111+ # Maximum number of simultaneous in- and outbound connections the
3.112+ # server is allowed to accept (0: unlimited):
3.113+ ;MaxConnections = 0
3.114+
3.115+ # Maximum number of simultaneous connections from a single IP address
3.116+ # the server will accept (0: unlimited):
3.117+ ;MaxConnectionsIP = 5
3.118+
3.119+ # Maximum number of channels a user can be member of (0: no limit):
3.120+ ;MaxJoins = 10
3.121+
3.122+ # Maximum length of an user nickname (Default: 9, as in RFC 2812).
3.123+ # Please note that all servers in an IRC network MUST use the same
3.124+ # maximum nickname length!
3.125+ ;MaxNickLength = 9
3.126+
3.127+ # Maximum penalty time increase in seconds, per penalty event. Set to -1
3.128+ # for no limit (the default), 0 to disable penalties altogether. The
3.129+ # daemon doesn't use penalty increases higher than 2 seconds during
3.130+ # normal operation, so values greater than 1 rarely make sense.
3.131+ ;MaxPenaltyTime = -1
3.132+
3.133+ # Maximum number of channels returned in response to a /list
3.134+ # command (0: unlimited):
3.135+ ;MaxListSize = 100
3.136+
3.137+ # After <PingTimeout> seconds of inactivity the server will send a
3.138+ # PING to the peer to test whether it is alive or not.
3.139+ ;PingTimeout = 120
3.140+
3.141+ # If a client fails to answer a PING with a PONG within <PongTimeout>
3.142+ # seconds, it will be disconnected by the server.
3.143+ ;PongTimeout = 20
3.144+
3.145+[Options]
3.146+ # Optional features and configuration options to further tweak the
3.147+ # behavior of ngIRCd. If you want to get started quickly, you most
3.148+ # probably don't have to make changes here -- they are all optional.
3.149+
3.150+ # List of allowed channel types (channel prefixes) for newly created
3.151+ # channels on the local server. By default, all supported channel
3.152+ # types are allowed. Set this variable to the empty string to disallow
3.153+ # creation of new channels by local clients at all.
3.154+ ;AllowedChannelTypes = #&+
3.155+
3.156+ # Are remote IRC operators allowed to control this server, e.g.
3.157+ # use commands like CONNECT, SQUIT, DIE, ...?
3.158+ ;AllowRemoteOper = no
3.159+
3.160+ # A directory to chroot in when everything is initialized. It
3.161+ # doesn't need to be populated if ngIRCd is compiled as a static
3.162+ # binary. By default ngIRCd won't use the chroot() feature.
3.163+ # ATTENTION: For this to work the server must have been started
3.164+ # with root privileges!
3.165+ ;ChrootDir = /var/empty
3.166+
3.167+ # Set this hostname for every client instead of the real one.
3.168+ # Use %x to add the hashed value of the original hostname.
3.169+ ;CloakHost = cloaked.host
3.170+
3.171+ # Use this hostname for hostname cloaking on clients that have the
3.172+ # user mode "+x" set, instead of the name of the server.
3.173+ # Use %x to add the hashed value of the original hostname.
3.174+ ;CloakHostModeX = cloaked.user
3.175+
3.176+ # The Salt for cloaked hostname hashing. When undefined a random
3.177+ # hash is generated after each server start.
3.178+ ;CloakHostSalt = abcdefghijklmnopqrstuvwxyz
3.179+
3.180+ # Set every clients' user name to their nickname
3.181+ ;CloakUserToNick = yes
3.182+
3.183+ # Try to connect to other IRC servers using IPv4 and IPv6, if possible.
3.184+ ;ConnectIPv6 = yes
3.185+ ;ConnectIPv4 = yes
3.186+
3.187+ # Default user mode(s) to set on new local clients. Please note that
3.188+ # only modes can be set that the client could set using regular MODE
3.189+ # commands, you can't set "a" (away) for example! Default: none.
3.190+ ;DefaultUserModes = i
3.191+
3.192+ # Do DNS lookups when a client connects to the server.
3.193+ ;DNS = yes
3.194+
3.195+ # Do IDENT lookups if ngIRCd has been compiled with support for it.
3.196+ # Users identified using IDENT are registered without the "~" character
3.197+ # prepended to their user name.
3.198+ ;Ident = yes
3.199+
3.200+ # Directory containing configuration snippets (*.conf), that should
3.201+ # be read in after parsing this configuration file.
3.202+ # Default: a built-in directory name when no configuration file was
3.203+ # explicitly given on the command line (check "ngircd --configtest"),
3.204+ # none (empty) otherwise.
3.205+ ;IncludeDir = /usr/local/etc/conf.d
3.206+
3.207+ # Enhance user privacy slightly (useful for IRC server on TOR or I2P)
3.208+ # by censoring some information like idle time, logon time, etc.
3.209+ ;MorePrivacy = no
3.210+
3.211+ # Normally ngIRCd doesn't send any messages to a client until it is
3.212+ # registered. Enable this option to let the daemon send "NOTICE *"
3.213+ # messages to clients while connecting.
3.214+ ;NoticeBeforeRegistration = no
3.215+
3.216+ # Should IRC Operators be allowed to use the MODE command even if
3.217+ # they are not(!) channel-operators?
3.218+ ;OperCanUseMode = no
3.219+
3.220+ # Should IRC Operators get AutoOp (+o) in persistent (+P) channels?
3.221+ ;OperChanPAutoOp = yes
3.222+
3.223+ # Mask IRC Operator mode requests as if they were coming from the
3.224+ # server? (This is a compatibility hack for ircd-irc2 servers)
3.225+ ;OperServerMode = no
3.226+
3.227+ # Use PAM if ngIRCd has been compiled with support for it.
3.228+ # Users identified using PAM are registered without the "~" character
3.229+ # prepended to their user name.
3.230+ ;PAM = yes
3.231+
3.232+ # When PAM is enabled, all clients are required to be authenticated
3.233+ # using PAM; connecting to the server without successful PAM
3.234+ # authentication isn't possible.
3.235+ # If this option is set, clients not sending a password are still
3.236+ # allowed to connect: they won't become "identified" and keep the "~"
3.237+ # character prepended to their supplied user name.
3.238+ # Please note: To make some use of this behavior, it most probably
3.239+ # isn't useful to enable "Ident", "PAM" and "PAMIsOptional" at the
3.240+ # same time, because you wouldn't be able to distinguish between
3.241+ # Ident'ified and PAM-authenticated users: both don't have a "~"
3.242+ # character prepended to their respective user names!
3.243+ ;PAMIsOptional = no
3.244+
3.245+ # When PAM is enabled, this value determines the used PAM
3.246+ # configuration.
3.247+ # This setting allows to run multiple ngIRCd instances with
3.248+ # different PAM configurations on each instance.
3.249+ # If you set it to "ngircd-foo", PAM will use
3.250+ # /etc/pam.d/ngircd-foo instead of the default
3.251+ # /etc/pam.d/ngircd.
3.252+ ;PAMServiceName = ngircd
3.253+
3.254+ # Let ngIRCd send an "authentication PING" when a new client connects,
3.255+ # and register this client only after receiving the corresponding
3.256+ # "PONG" reply.
3.257+ ;RequireAuthPing = no
3.258+
3.259+ # Silently drop all incoming CTCP requests.
3.260+ ;ScrubCTCP = no
3.261+
3.262+ # Syslog "facility" to which ngIRCd should send log messages.
3.263+ # Possible values are system dependent, but most probably auth, daemon,
3.264+ # user and local1 through local7 are possible values; see syslog(3).
3.265+ # Default is "local5" for historical reasons, you probably want to
3.266+ # change this to "daemon", for example.
3.267+ ;SyslogFacility = local1
3.268+
3.269+ # Password required for using the WEBIRC command used by some
3.270+ # Web-to-IRC gateways. If not set/empty, the WEBIRC command can't
3.271+ # be used. (Default: not set)
3.272+ ;WebircPassword = xyz
3.273+
3.274+;[SSL]
3.275+ # SSL-related configuration options. Please note that this section
3.276+ # is only available when ngIRCd is compiled with support for SSL!
3.277+ # So don't forget to remove the ";" above if this is the case ...
3.278+
3.279+ # SSL Trusted CA Certificates File for verifying peer certificates.
3.280+ # (Default: not set; so no certificates are trusted)
3.281+ ;CAFile = /etc/ssl/CA/cacert.pem
3.282+
3.283+ # Certificate Revocation File (for marking otherwise valid
3.284+ # certficates as invalid)
3.285+ ;CRLFile = /etc/ssl/CA/crl.pem
3.286+
3.287+ # SSL Server Key Certificate
3.288+ ;CertFile = /usr/local/etc/ssl/server-cert.pem
3.289+
3.290+ # Select cipher suites allowed for SSL/TLS connections. This defaults
3.291+ # to HIGH:!aNULL:@STRENGTH (OpenSSL) or SECURE128 (GnuTLS).
3.292+ # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
3.293+ # (GnuTLS) for details.
3.294+ # For OpenSSL:
3.295+ ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
3.296+ # For GnuTLS:
3.297+ ;CipherList = SECURE128:-VERS-SSL3.0
3.298+
3.299+ # Diffie-Hellman parameters
3.300+ ;DHFile = /usr/local/etc/ssl/dhparams.pem
3.301+
3.302+ # SSL Server Key
3.303+ ;KeyFile = /usr/local/etc/ssl/server-key.pem
3.304+
3.305+ # password to decrypt SSLKeyFile (OpenSSL only)
3.306+ ;KeyFilePassword = secret
3.307+
3.308+ # Additional Listen Ports that expect SSL/TLS encrypted connections
3.309+ ;Ports = 6697, 9999
3.310+
3.311+[Operator]
3.312+ # [Operator] sections are used to define IRC Operators. There may be
3.313+ # more than one [Operator] block, one for each local operator.
3.314+
3.315+ # ID of the operator (may be different of the nickname)
3.316+ ;Name = TheOper
3.317+
3.318+ # Password of the IRC operator
3.319+ ;Password = ThePwd
3.320+
3.321+ # Optional Mask from which /OPER will be accepted
3.322+ ;Mask = *!ident@somewhere.example.com
3.323+
3.324+[Operator]
3.325+ # More [Operator] sections, if you like ...
3.326+
3.327+[Server]
3.328+ # Other servers are configured in [Server] sections. If you
3.329+ # configure a port for the connection, then this ngircd tries to
3.330+ # connect to the other server on the given port; if not it waits
3.331+ # for the other server to connect.
3.332+ # There may be more than one server block, one for each server.
3.333+ #
3.334+ # Server Groups:
3.335+ # The ngIRCd allows "server groups": You can assign an "ID" to every
3.336+ # server with which you want this ngIRCd to link. If a server of a
3.337+ # group won't answer, the ngIRCd tries to connect to the next server
3.338+ # in the given group. But the ngircd never tries to connect to two
3.339+ # servers with the same group ID.
3.340+
3.341+ # IRC name of the remote server, must match the "Name" variable in
3.342+ # the [Global] section of the other server (when using ngIRCd).
3.343+ ;Name = irc2.example.net
3.344+
3.345+ # Internet host name or IP address of the peer (only required when
3.346+ # this server should establish the connection).
3.347+ ;Host = connect-to-host.example.net
3.348+
3.349+ # IP address to use as _source_ address for the connection. if
3.350+ # unspecified, ngircd will let the operating system pick an address.
3.351+ ;Bind = 10.0.0.1
3.352+
3.353+ # Port of the server to which the ngIRCd should connect. If you
3.354+ # assign no port the ngIRCd waits for incoming connections.
3.355+ ;Port = 6667
3.356+
3.357+ # Own password for the connection. This password has to be configured
3.358+ # as "PeerPassword" on the other server.
3.359+ ;MyPassword = MySecret
3.360+
3.361+ # Foreign password for this connection. This password has to be
3.362+ # configured as "MyPassword" on the other server.
3.363+ ;PeerPassword = PeerSecret
3.364+
3.365+ # Group of this server (optional)
3.366+ ;Group = 123
3.367+
3.368+ # Set the "Passive" option to "yes" if you don't want this ngIRCd to
3.369+ # connect to the configured peer (same as leaving the "Port" variable
3.370+ # empty). The advantage of this option is that you can actually
3.371+ # configure a port an use the IRC command CONNECT more easily to
3.372+ # manually connect this specific server later.
3.373+ ;Passive = no
3.374+
3.375+ # Connect to the remote server using TLS/SSL (Default: false)
3.376+ ;SSLConnect = yes
3.377+
3.378+ # Verify the TLS certificate presented by the remote server
3.379+ # (Default: yes)
3.380+ ;SSLVerify = yes
3.381+
3.382+ # Define a (case insensitive) list of masks matching nicknames that
3.383+ # should be treated as IRC services when introduced via this remote
3.384+ # server, separated by commas (",").
3.385+ # REGULAR SERVERS DON'T NEED this parameter, so leave it empty
3.386+ # (which is the default).
3.387+ # When you are connecting IRC services which mask as a IRC server
3.388+ # and which use "virtual users" to communicate with, for example
3.389+ # "NickServ" and "ChanServ", you should set this parameter to
3.390+ # something like "*Serv" or "NickServ,ChanServ,XyzServ".
3.391+ ;ServiceMask = *Serv,Global
3.392+
3.393+[Server]
3.394+ # More [Server] sections, if you like ...
3.395+
3.396+[Channel]
3.397+ # Pre-defined channels can be configured in [Channel] sections.
3.398+ # Such channels are created by the server when starting up and even
3.399+ # persist when there are no more members left.
3.400+ # Persistent channels are marked with the mode 'P', which can be set
3.401+ # and unset by IRC operators like other modes on the fly.
3.402+ # There may be more than one [Channel] block, one for each channel.
3.403+
3.404+ # Name of the channel
3.405+ ;Name = #TheName
3.406+
3.407+ # Topic for this channel
3.408+ ;Topic = a great topic
3.409+
3.410+ # Initial channel modes, as used in "MODE" commands. Modifying lists
3.411+ # (ban list, invite list, exception list) is supported.
3.412+ # This option can be specified multiple times, evaluated top to bottom.
3.413+ ;Modes = +tnk mykey +l 5
3.414+ ;Modes = +b nick!~user@bad.host.example.com
3.415+
3.416+ # Should ngIRCd automatically join ("autojoin") all users to this
3.417+ # channel on connect? Note: The users must have permissions to access
3.418+ # the channel, otherwise joining them will fail!
3.419+ ;Autojoin = yes
3.420+
3.421+ # Key file, syntax for each line: "<user>:<nick>:<key>".
3.422+ # Default: none.
3.423+ ;KeyFile = /usr/local/etc/#chan.key
3.424+
3.425+[Channel]
3.426+ # More [Channel] sections, if you like ...
3.427+
3.428+# -eof-
4.1--- /dev/null Thu Jan 01 00:00:00 1970 +0000
4.2+++ b/resolv.conf Wed Jun 12 14:31:33 2024 -0400
4.3@@ -0,0 +1,1 @@
4.4+# Generated by Connection Manager
5.1--- /dev/null Thu Jan 01 00:00:00 1970 +0000
5.2+++ b/resolvconf.conf Wed Jun 12 14:31:33 2024 -0400
5.3@@ -0,0 +1,5 @@
5.4+# openresolv config
5.5+name_servers="127.0.0.1"
5.6+dnsmasq_conf=/etc/dnsmasq-conf.conf
5.7+dnsmasq_resolv=/etc/dnsmasq-resolv.conf
5.8+resolv_conf=/etc/resolv.conf
5.9\ No newline at end of file
6.1--- /dev/null Thu Jan 01 00:00:00 1970 +0000
6.2+++ b/sysctl.d/60-network-security.conf Wed Jun 12 14:31:33 2024 -0400
6.3@@ -0,0 +1,3 @@
6.4+# https://datatracker.ietf.org/doc/html/rfc3704
6.5+net.ipv4.conf.all.rp_filter=1
6.6+net.ipv4.conf.default.rp_filter=1
6.7\ No newline at end of file
7.1--- /dev/null Thu Jan 01 00:00:00 1970 +0000
7.2+++ b/wireguard/client.conf Wed Jun 12 14:31:33 2024 -0400
7.3@@ -0,0 +1,5 @@
7.4+[Interface]
7.5+ListenPort = 24842
7.6+[Peer]
7.7+Endpoint = compiler.company:42484
7.8+AllowedIPs = 0.0.0.0/0
7.9\ No newline at end of file
