+.TP
+\fBMaxPenaltyTime\fR (number)
+Maximum penalty time increase in seconds, per penalty event. Set to -1 for no
+limit (the default), 0 to disable penalties altogether. ngIRCd doesn't use
+penalty increases higher than 2 seconds during normal operation, so values
+greater than 1 rarely make sense.
+.TP
+\fBMaxListSize\fR (number)
+Maximum number of channels returned in response to a LIST command. Default: 100.
+.TP
+\fBPingTimeout\fR (number)
+After <PingTimeout> seconds of inactivity the server will send a PING to
+the peer to test whether it is alive or not. Default: 120.
+.TP
+\fBPongTimeout\fR (number)
+If a client fails to answer a PING with a PONG within <PongTimeout>
+seconds, it will be disconnected by the server. Default: 20.
+.SH [OPTIONS]
+Optional features and configuration options to further tweak the behavior of
+ngIRCd are configured in this section. If you want to get started quickly, you
+most probably don't have to make changes here -- they are all optional.
+.TP
+\fBAllowedChannelTypes\fR (string)
+List of allowed channel types (channel prefixes) for newly created channels
+on the local server. By default, all supported channel types are allowed.
+Set this variable to the empty string to disallow creation of new channels
+by local clients at all. Default: #&+
+.TP
+\fBAllowRemoteOper\fR (boolean)
+If this option is active, IRC operators connected to remote servers are allowed
+to control this local server using administrative commands, for example like
+CONNECT, DIE, SQUIT etc. Default: no.
+.TP
+\fBChrootDir\fR (string)
+A directory to chroot in when everything is initialized. It doesn't need
+to be populated if ngIRCd is compiled as a static binary. By default ngIRCd
+won't use the chroot() feature.
+.PP
+.RS
+.B Attention:
+.br
+For this to work the server must have been started with root privileges!
+.RE
+.TP
+\fBCloakHost\fR (string)
+Set this hostname for every client instead of the real one. Default: empty,
+don't change. Use %x to add the hashed value of the original hostname.
+.TP
+\fBCloakHostModeX\fR (string)
+Use this hostname for hostname cloaking on clients that have the user mode
+"+x" set, instead of the name of the server. Default: empty, use the name
+of the server. Use %x to add the hashed value of the original hostname
+.TP
+\fBCloakHostSalt\fR (string)
+The Salt for cloaked hostname hashing. When undefined a random hash is
+generated after each server start.
+.TP
+\fBCloakUserToNick\fR (boolean)
+Set every clients' user name and real name to their nickname and hide the one
+supplied by the IRC client. Default: no.
+.TP
+\fBConnectIPv4\fR (boolean)
+Set this to no if you do not want ngIRCd to connect to other IRC servers using
+the IPv4 protocol. This allows the usage of ngIRCd in IPv6-only setups.
+Default: yes.
+.TP
+\fBConnectIPv6\fR (boolean)
+Set this to no if you do not want ngIRCd to connect to other IRC servers using
+the IPv6 protocol.
+Default: yes.
+.TP
+\fBDefaultUserModes\fR (string)
+Default user mode(s) to set on new local clients. Please note that only modes
+can be set that the client could set using regular MODE commands, you can't
+set "a" (away) for example!
+Default: none.
+.TP
+\fBDNS\fR (boolean)
+If set to false, ngIRCd will not make any DNS lookups when clients connect.
+If you configure the daemon to connect to other servers, ngIRCd may still
+perform a DNS lookup if required.
+Default: yes.
+.TP
+\fBIdent\fR (boolean)
+If ngIRCd is compiled with IDENT support this can be used to disable IDENT
+lookups at run time.
+Users identified using IDENT are registered without the "~" character
+prepended to their user name.
+Default: yes.
+.TP
+\fBIncludeDir\fR (string)
+Directory containing configuration snippets (*.conf), that should be read in
+after parsing the current configuration file.
+Default: none.
+.TP
+\fBMorePrivacy\fR (boolean)
+This will cause ngIRCd to censor user idle time, logon time as well as the
+PART/QUIT messages (that are sometimes used to inform everyone about which
+client software is being used). WHOWAS requests are also silently ignored,
+and NAMES output doesn't list any clients for non-members.
+This option is most useful when ngIRCd is being used together with
+anonymizing software such as TOR or I2P and one does not wish to make it
+too easy to collect statistics on the users.
+Default: no.
+.TP
+\fBNoticeBeforeRegistration\fR (boolean)
+Normally ngIRCd doesn't send any messages to a client until it is registered.
+Enable this option to let the daemon send "NOTICE *" messages to clients
+while connecting. Default: no.
+.TP
+\fBOperCanUseMode\fR (boolean)
+Should IRC Operators be allowed to use the MODE command even if they are
+not(!) channel-operators? Default: no.
+.TP
+\fBOperChanPAutoOp\fR (boolean)
+Should IRC Operators get AutoOp (+o) in persistent (+P) channels?
+Default: yes.
+.TP
+\fBOperServerMode\fR (boolean)
+If \fBOperCanUseMode\fR is enabled, this may lead the compatibility problems
+with Servers that run the ircd-irc2 Software. This Option "masks" mode
+requests by non-chanops as if they were coming from the server. Default: no;
+only enable it if you have ircd-irc2 servers in your IRC network.
+.TP
+\fBPAM\fR (boolean)
+If ngIRCd is compiled with PAM support this can be used to disable all calls
+to the PAM library at runtime; all users connecting without password are
+allowed to connect, all passwords given will fail.
+Users identified using PAM are registered without the "~" character
+prepended to their user name.
+Default: yes.
+.TP
+\fBPAMIsOptional\fR (boolean)
+When PAM is enabled, all clients are required to be authenticated using PAM;
+connecting to the server without successful PAM authentication isn't possible.
+If this option is set, clients not sending a password are still allowed to
+connect: they won't become "identified" and keep the "~" character prepended
+to their supplied user name.
+Please note:
+To make some use of this behavior, it most probably isn't useful to enable
+"Ident", "PAM" and "PAMIsOptional" at the same time, because you wouldn't be
+able to distinguish between Ident'ified and PAM-authenticated users: both
+don't have a "~" character prepended to their respective user names!
+Default: no.
+.TP
+\fBPAMServiceName\fR (string)
+When PAM is enabled, this value determines the used PAM configuration.
+This setting allows to run multiple ngIRCd instances with different
+PAM configurations on each instance. If you set it to "ngircd-foo",
+PAM will use /etc/pam.d/ngircd-foo instead of the default
+/etc/pam.d/ngircd.
+Default: ngircd.
+.TP
+\fBRequireAuthPing\fR (boolean)
+Let ngIRCd send an "authentication PING" when a new client connects, and
+register this client only after receiving the corresponding "PONG" reply.
+Default: no.
+.TP
+\fBScrubCTCP\fR (boolean)
+If set to true, ngIRCd will silently drop all CTCP requests sent to it from
+both clients and servers. It will also not forward CTCP requests to any
+other servers. CTCP requests can be used to query user clients about which
+software they are using and which versions said software is. CTCP can also be
+used to reveal clients IP numbers. ACTION CTCP requests are not blocked,
+this means that /me commands will not be dropped, but please note that
+blocking CTCP will disable file sharing between users!
+Default: no.
+.TP
+\fBSyslogFacility\fR (string)
+Syslog "facility" to which ngIRCd should send log messages. Possible
+values are system dependent, but most probably "auth", "daemon", "user"
+and "local1" through "local7" are possible values; see syslog(3).
+Default is "local5" for historical reasons, you probably want to
+change this to "daemon", for example.
+.TP
+\fBWebircPassword\fR (string)
+Password required for using the WEBIRC command used by some Web-to-IRC
+gateways. If not set or empty, the WEBIRC command can't be used.
+Default: not set.
+.SH [SSL]
+All SSL-related configuration variables are located in the
+.I [SSL]
+section. Please note that this whole section is only recognized by ngIRCd
+when it is compiled with support for SSL using OpenSSL or GnuTLS!
+.TP
+\fBCertFile\fR (string)
+SSL Certificate file of the private server key.
+.TP
+\fBCipherList\fR (string)
+Select cipher suites allowed for SSL/TLS connections. This defaults to
+"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS).
+Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init'
+(GnuTLS) for details.
+.TP
+\fBDHFile\fR (string)
+Name of the Diffie-Hellman Parameter file. Can be created with GnuTLS
+"certtool \-\-generate-dh-params" or "openssl dhparam". If this file is not
+present, it will be generated on startup when ngIRCd was compiled with GnuTLS
+support (this may take some time). If ngIRCd was compiled with OpenSSL, then
+(Ephemeral)-Diffie-Hellman Key Exchanges and several Cipher Suites will not be
+available.
+.TP
+\fBKeyFile\fR (string)
+Filename of SSL Server Key to be used for SSL connections. This is required
+for SSL/TLS support.
+.TP
+\fBKeyFilePassword\fR (string)
+OpenSSL only: Password to decrypt the private key file.
+.TP
+\fBPorts\fR (list of numbers)
+Same as \fBPorts\fR , except that ngIRCd will expect incoming connections
+to be SSL/TLS encrypted. Common port numbers for SSL-encrypted IRC are 6669
+and 6697. Default: none.