diff --git a/configs/etc/defaults/devfs.rules b/configs/etc/defaults/devfs.rules
index 3603d77..85262d3 100644
--- a/configs/etc/defaults/devfs.rules
+++ b/configs/etc/defaults/devfs.rules
@@ -13,7 +13,7 @@
 # references must include a dollar sign '$' in front of the
 # name to be expanded properly.
 #
-# $FreeBSD: releng/12.2/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
+# $FreeBSD: releng/12.3/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
 #
 # Very basic and secure ruleset: Hide everything.
diff --git a/configs/etc/defaults/periodic.conf b/configs/etc/defaults/periodic.conf
index 36e4707..6213c09 100644
--- a/configs/etc/defaults/periodic.conf
+++ b/configs/etc/defaults/periodic.conf
@@ -13,7 +13,7 @@
 # For a more detailed explanation of all the periodic.conf variables, please
 # refer to the periodic.conf(5) manual page.
 #
-# $FreeBSD: releng/12.2/usr.sbin/periodic/periodic.conf 337648 2018-08-11 17:11:08Z brd $
+# $FreeBSD: releng/12.3/usr.sbin/periodic/periodic.conf 370770 2021-10-07 19:46:04Z asomers $
 #
 # What files override these defaults ?
@@ -77,6 +77,29 @@ daily_backup_passwd_enable="YES" # Backup passwd & group
 # 210.backup-aliases
 daily_backup_aliases_enable="YES" # Backup mail aliases
+# 221.backup-gpart
+if [ $(sysctl -n security.jail.jailed) = 0 ]; then
+ # Backup partition table/boot partition/MBR
+ daily_backup_gpart_enable="YES"
+else
+ daily_backup_gpart_enable="NO"
+fi
+daily_backup_gpart_verbose="NO" # Be verbose if new backup differs from the old one
+daily_backup_efi_enable="NO" # Backup EFI system partition (ESP)
+
+# 222.backup-gmirror
+daily_backup_gmirror_enable="NO" # Backup of gmirror info (i.e., output of `gmirror list`)
+daily_backup_gmirror_verbose="NO" # Log diff if new backup differs from the old one
+
+# 223.backup-zfs
+daily_backup_zfs_enable="NO" # Backup output from zpool/zfs list
+daily_backup_zfs_props_enable="NO" # Backup zpool/zfs filesystem properties
+daily_backup_zfs_get_flags="all" # flags passed to `zfs get`
+daily_backup_zfs_list_flags="" # flags passed to `zfs list`
+daily_backup_zpool_get_flags="all" # flags passed to `zpool get`
+daily_backup_zpool_list_flags="-v" # flags passed to `zpool list`
+daily_backup_zfs_verbose="NO" # Report diff between the old and new backups.
+
 # 300.calendar
 daily_calendar_enable="NO" # Run calendar -a
@@ -118,7 +141,7 @@ daily_status_mfi_enable="NO" # Check mfiutil(8)
 # 420.status-network
 daily_status_network_enable="NO" # Check network status
 daily_status_network_usedns="YES" # DNS lookups are ok
-daily_status_network_netstat_flags="-d" # netstat(1) flags
+daily_status_network_netstat_flags="-d -W" # netstat(1) flags
 # 430.status-uptime
 daily_status_uptime_enable="YES" # Check system uptime
diff --git a/configs/etc/freebsd-update.conf b/configs/etc/freebsd-update.conf
index 7852883..7965941 100644
--- a/configs/etc/freebsd-update.conf
+++ b/configs/etc/freebsd-update.conf
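Review bot: The added `if [ $(sysctl -n security.jail.jailed) = 0 ]; then` in the 221.backup-gpart block leaves the command substitution unquoted, so if `sysctl` prints nothing the test collapses to `[ = 0 ]` and sh raises a syntax error while sourcing periodic.conf; `if [ "$(sysctl -n security.jail.jailed)" = 0 ]; then` keeps the comparison well-formed in every case. Because this file is sourced by periodic(8), a parse error here would presumably break every daily/weekly/monthly run rather than just the gpart backup. The text matches the stock releng/12.3 file, so the fix is only worth carrying if this copy is maintained locally rather than re-imported on each upgrade.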
@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.3/usr.sbin/freebsd-update/freebsd-update.conf 370439 2021-08-29 16:58:35Z kevans $
 # Trusted keyprint. Changing this is a Bad Idea unless you've received
 # a PGP-signed email from telling you to
@@ -17,7 +17,7 @@ ServerName update.FreeBSD.org
 # Example for updating the userland and the kernel source code only:
 #Components src world
 Components world
-# manually run - svnlite update /usr/src - before recompiling the kernel
+# manually run - git pull in /usr/src - before recompiling the kernel
 # Paths which start with anything matching an entry in an IgnorePaths
 # statement will be ignored.
@@ -76,3 +76,6 @@ MergeChanges /etc/ /boot/device.hints
 # When backing up a kernel also back up debug symbol files?
 # BackupKernelSymbolFiles no
+
+# Create a new boot environment when installing patches
+# CreateBootEnv yes
diff --git a/configs/etc/hosts b/configs/etc/hosts
index 6f9b15f..37153db 100644
--- a/configs/etc/hosts
+++ b/configs/etc/hosts
@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
+# $FreeBSD: releng/12.3/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
 #
 # Host Database
 #
@@ -24,7 +24,7 @@ fd09::10 nas nas.ahlawat.com
 192.168.10.10 nas nas.ahlawat.com
 fd0a::10 nas nas.ahlawat.com
 192.168.48.10 nas nas.ahlawat.com
-2001:470:82a9::10 nas nas.ahlawat.com
+2001:470:480a::10 nas nas.ahlawat.com
 #
 # Imaginary network.
 10.0.0.2 myname.my.domain myname
 10.0.0.3 myfriend.my.domain myfriend
diff --git a/configs/etc/login.conf b/configs/etc/login.conf
index c53274b..8af82a7 100644
--- a/configs/etc/login.conf
+++ b/configs/etc/login.conf
@@ -7,7 +7,7 @@
 # This file controls resource limits, accounting limits and
 # default user environment settings.
 #
-# $FreeBSD: releng/12.2/usr.bin/login/login.conf 357789 2020-02-12 02:04:03Z kevans $
+# $FreeBSD: releng/12.3/usr.bin/login/login.conf 369215 2021-02-04 03:15:28Z kevans $
 #
 # Default settings effectively disable resource limits, see the
@@ -63,7 +63,13 @@ xuser:\
 :tc=default:
 staff:\
 :tc=default:
+
+# This PATH may be clobbered by individual applications. Notably, by default,
+# rc(8), service(8), and cron(8) will all override it with a default PATH that
+# may not include /usr/local/sbin and /usr/local/bin when starting services or
+# jobs.
 daemon:\
+ :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
 :mail@:\
 :memorylocked=128M:\
 :tc=default:
diff --git a/configs/etc/ntp.conf b/configs/etc/ntp.conf
index 3a5409b..5468a28 100644
--- a/configs/etc/ntp.conf
+++ b/configs/etc/ntp.conf
@@ -1,5 +1,5 @@
 #
-# $FreeBSD: releng/12.2/usr.sbin/ntp/ntpd/ntp.conf 352865 2019-09-29 03:36:50Z cy $
+# $FreeBSD: releng/12.3/usr.sbin/ntp/ntpd/ntp.conf 365704 2020-09-14 01:20:57Z emaste $
 #
 # Default NTP servers for the FreeBSD operating system.
 #
@@ -14,8 +14,8 @@
 # Set the target and limit for adding servers configured via pool statements
 # or discovered dynamically via mechanisms such as broadcast and manycast.
 # Ntpd automatically adds maxclock-1 servers from configured pools, and may
-# add as many as maxclock*2 if necessary to ensure that at least minclock
-# servers are providing good consistant time.
+# add as many as maxclock*2 if necessary to ensure that at least minclock
+# servers are providing good consistent time.
 #
 tos minclock 3 maxclock 6
diff --git a/configs/etc/profile b/configs/etc/profile
index d6af3ee..69c49eb 100644
--- a/configs/etc/profile
+++ b/configs/etc/profile
@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/bin/sh/profile 363525 2020-07-25 11:57:39Z pstef $
+# $FreeBSD: releng/12.3/bin/sh/profile 363525 2020-07-25 11:57:39Z pstef $
 #
 # System-wide .profile file for sh(1).
 #
diff --git a/configs/etc/rc.conf b/configs/etc/rc.conf
index 5486ea6..fcfdcba 100644
--- a/configs/etc/rc.conf
+++ b/configs/etc/rc.conf
@@ -1,6 +1,6 @@
 zfs_enable="YES"
-kld_list="nmdm vmm ipfw ipdivert linux64"
+kld_list="nmdm vmm ipfw ipdivert linux64 wg"
 # Do not mark to autodetach otherwise ZFS gets very unhappy.
 geli_autodetach="NO"
@@ -34,7 +34,7 @@ firewall_logif="YES"
 cloned_interfaces_sticky="YES"
 cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10 bridge48"
-ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
+ifconfig_lagg0="laggproto loadbalance laggport igb0 laggport igb1 up"
 ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
 ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
@@ -54,7 +54,7 @@ ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_10="inet 192.168.10.10/24"
 ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_48="inet 192.168.48.10/24"
-ifconfig_lagg0_48_ipv6="inet6 2001:470:82a9::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_48_ipv6="inet6 2001:470:480a::10/64 auto_linklocal accept_rtadv"
 ifconfig_bridge1="addm lagg0.1 up"
 ifconfig_bridge2="addm lagg0.2 up"
diff --git a/configs/etc/sysctl.conf b/configs/etc/sysctl.conf
index 55f3b5e..294330e 100644
--- a/configs/etc/sysctl.conf
+++ b/configs/etc/sysctl.conf
@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
+# $FreeBSD: releng/12.3/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
 #
 # This file is read when going to multi-user and its contents piped thru
 # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
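Review bot: `ifconfig_lagg0="laggproto loadbalance laggport igb0 laggport igb1 up"` in the `@@ -34,7 +34,7 @@` hunk drops LACP negotiation with no record of why or whether the switch ports were moved to a static aggregation to match; a comment above the line such as `# loadbalance: switch side must be a static (non-LACP) port-channel` would make the intent reviewable. In the first hunk `kld_list` now also loads `wg`, yet no WireGuard interface settings (e.g. `wireguard_enable`) appear in any visible hunk, so if they live elsewhere in rc.conf a one-line pointer next to `kld_list` would help the next reader. Whether the rest of the file carries that configuration cannot be seen from here.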
diff --git a/configs/usr/local/etc/pkg/repos/pkgp.conf b/configs/usr/local/etc/pkg/repos/pkgp.conf
index e5f32d4..9327ae9 100644
--- a/configs/usr/local/etc/pkg/repos/pkgp.conf
+++ b/configs/usr/local/etc/pkg/repos/pkgp.conf
@@ -1,17 +1,17 @@
 FreeBSD: {
 url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
- enabled: yes
+ enabled: no
 }
 pkgp-freebsd-pkg: {
 url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
 mirror_type: "http",
- enabled: no,
+ enabled: yes,
 priority: 10
 }
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp123: {
+ url: "http://pkgp.ahlawat.com/packages/pj123-default/",
 mirror_type: "http",
 signature_type: "pubkey",
 pubkey: "/mnt/data/apps/certs/poudriere.cert",
diff --git a/configs/usr/local/etc/rc.d/gstat_exporter b/configs/usr/local/etc/rc.d/gstat_exporter
index 5988d3b..5aa7774 100755
--- a/configs/usr/local/etc/rc.d/gstat_exporter
+++ b/configs/usr/local/etc/rc.d/gstat_exporter
@@ -19,7 +19,7 @@ name=gstat_exporter
 rcvar=${name}_enable
-GSTATEXPORTER="nohup /usr/local/bin/python3.7 /root/FreeBSD/scripts/gstat_exporter.py"
+GSTATEXPORTER="nohup /usr/local/bin/python3.8 /root/FreeBSD/scripts/gstat_exporter.py"
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
diff --git a/iocage/Makefile b/iocage/Makefile
index 1195075..36e0eab 100644
--- a/iocage/Makefile
+++ b/iocage/Makefile
@@ -1,11 +1,11 @@
 ZPOOL=""
 SERVER=""
-PYTHON?=/usr/local/bin/python3.7
+PYTHON?=/usr/local/bin/python3.8
 depends:
 @(pkg -vv | grep -e "url.*/latest") > /dev/null 2>&1 || (echo "It is advised pkg url is using \"latest\" instead of \"quarterly\" in /etc/pkg/FreeBSD.conf.";)
- @test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python37"; pkg install -q -y python37)
- pkg install -q -y py37-libzfs
+ @test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python38"; pkg install -q -y python38)
+ pkg install -q -y py38-libzfs
 ${PYTHON} -m ensurepip
 ${PYTHON} -m pip install -Ur requirements.txt
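Review bot: Flipping `pkgp-freebsd-pkg` to `enabled: yes,` while the official `FreeBSD` repo becomes `enabled: no` routes every base-package install to a plain-`http` mirror whose block carries no `signature_type`/`fingerprints`, so pkg will install whatever that host serves without verifying it — unlike the `pkgp123` block, which at least declares `signature_type: "pubkey"`. If the mirror is a verbatim copy of the upstream repository, the FreeBSD keys still validate it: add `signature_type: "fingerprints",` and `fingerprints: "/usr/share/keys/pkg",` to the `pkgp-freebsd-pkg` block. The same unsigned block is introduced in the new jails/config/book/pkgp.conf later in this commit and presumably already exists in jails/config/atm/pkgp.conf, whose hunk only shows the tail of that block.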
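Review bot: The rewritten `@test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python38"; pkg install -q -y python38)` only checks that something non-empty exists at the path, so a non-executable or partially written file satisfies it and the fallback install never runs; `@test -x ${PYTHON} || ...` tests the property the rest of the target relies on. The `depends` target seems to end at the `pip install -Ur requirements.txt` line, but the hunk stops there so that cannot be confirmed.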
diff --git a/iocage/iocage-env.sh b/iocage/iocage-env.sh
index f145e8d..f4ba1c4 100644
--- a/iocage/iocage-env.sh
+++ b/iocage/iocage-env.sh
@@ -1,3 +1,3 @@
-pkg install python37 py37-cython py37-pip py37-libzfs py37-six
-python3.7 -m pip install pip==19.3.1
+pkg install python38 py38-cython py38-pip py38-libzfs py38-six
+python3.8 -m pip install pip==19.3.1
 # iocage install does not work with pip 20.x
diff --git a/jails/config/atm/nsswitch.conf b/jails/config/atm/nsswitch.conf
index 585b3fc..85ce0ec 100644
--- a/jails/config/atm/nsswitch.conf
+++ b/jails/config/atm/nsswitch.conf
@@ -1,6 +1,6 @@
 #
 # nsswitch.conf(5) - name service switch configuration file
-# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
+# $FreeBSD: releng/12.2/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
 #
 #group: compat
 group: files ldap
diff --git a/jails/config/atm/pkg-list-details.txt b/jails/config/atm/pkg-list-details.txt
new file mode 100644
index 0000000..5c649a1
--- /dev/null
+++ b/jails/config/atm/pkg-list-details.txt
@@ -0,0 +1,6 @@
+pkgp122____netatalk3-3.1.12_4,1
+pkgp123____nss-pam-ldapd-sasl-0.9.12_1
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____pkg-1.17.5_1
diff --git a/jails/config/atm/pkg-list.txt b/jails/config/atm/pkg-list.txt
new file mode 100644
index 0000000..f97a56b
--- /dev/null
+++ b/jails/config/atm/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion nano netatalk3 nss-pam-ldapd-sasl pkg
diff --git a/jails/config/atm/pkgp.conf b/jails/config/atm/pkgp.conf
index 7e874ec..86e5a9a 100644
--- a/jails/config/atm/pkgp.conf
+++ b/jails/config/atm/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
 priority: 10
 }
-pkgp122: {
- url: "http://pkgp.ahlawat.com/packages/pj122-default/",
+pkgp123: {
+ url: "http://pkgp.ahlawat.com/packages/pj123-default",
 mirror_type: "http",
 signature_type: "pubkey",
 pubkey: "/mnt/certs/poudriere.cert",
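Review bot: The new `url: "http://pkgp.ahlawat.com/packages/pj123-default",` in jails/config/atm/pkgp.conf drops the trailing slash that both the replaced `pj122-default/` value and the host-level configs/usr/local/etc/pkg/repos/pkgp.conf in this same commit keep. pkg is expected to tolerate either form, but using one spelling across the repo files avoids a spurious difference whenever these configs are compared; `url: "http://pkgp.ahlawat.com/packages/pj123-default/",` would match the rest.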
diff --git a/jails/config/atm/sshd b/jails/config/atm/sshd
index aa224a7..ed7ddac 100644
--- a/jails/config/atm/sshd
+++ b/jails/config/atm/sshd
@@ -1,5 +1,5 @@
 #
-# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
+# $FreeBSD: releng/12.2/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
 #
 # PAM configuration for the "sshd" service
 #
diff --git a/jails/config/auto/pkg-list-details.txt b/jails/config/auto/pkg-list-details.txt
new file mode 100644
index 0000000..6e6aaa0
--- /dev/null
+++ b/jails/config/auto/pkg-list-details.txt
@@ -0,0 +1,14 @@
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____mc-4.8.28
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____nginx-1.20.2_9,2
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____postgresql14-client-14.2
+pkgp-freebsd-pkg____py38-ansible-5.5.0
+pkgp-freebsd-pkg____py38-django32-3.2.12
+pkgp-freebsd-pkg____py38-gunicorn-20.1.0
+pkgp-freebsd-pkg____py38-pillow-9.0.1_1
+pkgp-freebsd-pkg____py38-pip-20.3.4
+pkgp-freebsd-pkg____py38-tkinter-3.8.13_6
+pkgp-freebsd-pkg____sudo-1.9.10
diff --git a/jails/config/auto/pkg-list.txt b/jails/config/auto/pkg-list.txt
new file mode 100644
index 0000000..e704c74
--- /dev/null
+++ b/jails/config/auto/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion mc nano nginx pkg postgresql14-client py38-ansible py38-django32 py38-gunicorn py38-pillow py38-pip py38-tkinter sudo
diff --git a/jails/config/book/cps b/jails/config/book/cps
index ebaadaf..5cbd4b0 100755
--- a/jails/config/book/cps
+++ b/jails/config/book/cps
@@ -1,6 +1,4 @@
-#!/bin/sh
-
-# Copyright (c) 2018-2021, diyIT.org
+# Copyright (c) 2018-2022, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -8,6 +6,8 @@
 #
 #
+#!/bin/sh
+
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: cpsserver
 # REQUIRE: NETWORKING DAEMON
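Review bot: Moving `#!/bin/sh` from line 1 to below the license header (hunk `@@ -8,6 +6,8 @@` of jails/config/book/cps) turns it into an ordinary comment: the kernel only honours a shebang at byte 0, so direct execution of this mode-100755 rc script now depends on the caller's ENOEXEC fallback to a shell instead of the declared interpreter. Restore `#!/bin/sh` as the first line and keep the copyright block under it, which is the layout the new jails/config/cert/acmedns in this same commit uses.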
@@ -19,7 +19,8 @@ name=cpsserver
 rcvar=${name}_enable
-CPSSERVER="nohup /usr/local/bin/python3.7 /data/calibre-web/cps.py"
+#CPSSERVER="nohup /usr/local/bin/python3.8 /data/calibre-web/cps.py"
+CPSSERVER="nohup /usr/local/bin/cps"
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
diff --git a/jails/config/book/pkg-list-details.txt b/jails/config/book/pkg-list-details.txt
new file mode 100644
index 0000000..35a3be6
--- /dev/null
+++ b/jails/config/book/pkg-list-details.txt
@@ -0,0 +1,10 @@
+pkgp123____libxml2-2.9.13_2
+pkgp123____libxslt-1.1.35_3
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____py38-ldap-3.4.0
+pkgp-freebsd-pkg____py38-pip-20.3.4
+pkgp-freebsd-pkg____py38-sqlite3-3.8.13_7
+pkgp-freebsd-pkg____rust-1.59.0
diff --git a/jails/config/book/pkg-list.txt b/jails/config/book/pkg-list.txt
new file mode 100644
index 0000000..e6a9025
--- /dev/null
+++ b/jails/config/book/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion libxml2 libxslt nano pkg py38-ldap py38-pip py38-sqlite3 rust
diff --git a/jails/config/book/pkgp.conf b/jails/config/book/pkgp.conf
new file mode 100644
index 0000000..86e5a9a
--- /dev/null
+++ b/jails/config/book/pkgp.conf
@@ -0,0 +1,20 @@
+FreeBSD: {
+ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+ enabled: no
+}
+
+pkgp-freebsd-pkg: {
+ url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
+ mirror_type: "http",
+ enabled: yes,
+ priority: 10
+}
+
+pkgp123: {
+ url: "http://pkgp.ahlawat.com/packages/pj123-default",
+ mirror_type: "http",
+ signature_type: "pubkey",
+ pubkey: "/mnt/certs/poudriere.cert",
+ enabled: yes,
+ priority: 100
+}
diff --git a/jails/config/calibre/pkg-list-details.txt b/jails/config/calibre/pkg-list-details.txt
new file mode 100644
index 0000000..b5ecbf4
--- /dev/null
+++ b/jails/config/calibre/pkg-list-details.txt
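Review bot: `#CPSSERVER="nohup /usr/local/bin/python3.8 /data/calibre-web/cps.py"` is kept as a commented-out alternative next to the live `CPSSERVER="nohup /usr/local/bin/cps"`, with nothing saying whether it is a fallback or leftover. Either delete it or replace it with a one-line explanation, e.g. `# cps now comes from the installed /usr/local/bin/cps; the /data/calibre-web checkout is no longer launched here`, so the next reader does not have to guess which path is current.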
@@ -0,0 +1,11 @@
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____calibre-5.40.0
+pkgp-freebsd-pkg____fluxbox-1.3.7_5
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____sudo-1.9.10
+pkgp-freebsd-pkg____tigervnc-server-1.12.0_4
+pkgp-freebsd-pkg____xauth-1.1
+pkgp-freebsd-pkg____xpdf-4.03_1,1
+pkgp-freebsd-pkg____xterm-372
diff --git a/jails/config/calibre/pkg-list.txt b/jails/config/calibre/pkg-list.txt
new file mode 100644
index 0000000..6733504
--- /dev/null
+++ b/jails/config/calibre/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion calibre fluxbox nano pkg sudo tigervnc-server xauth xpdf xterm
diff --git a/jails/config/cam/pkg-list-details.txt b/jails/config/cam/pkg-list-details.txt
new file mode 100644
index 0000000..4142e07
--- /dev/null
+++ b/jails/config/cam/pkg-list-details.txt
@@ -0,0 +1,7 @@
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____curl-7.82.0
+pkgp-freebsd-pkg____motion-4.3.2_3
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____py27-pip-20.2.3
diff --git a/jails/config/cam/pkg-list.txt b/jails/config/cam/pkg-list.txt
new file mode 100644
index 0000000..3a4bfa9
--- /dev/null
+++ b/jails/config/cam/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion curl motion nano pkg py27-pip
diff --git a/jails/config/cert/acmedns b/jails/config/cert/acmedns
new file mode 100755
index 0000000..706557d
--- /dev/null
+++ b/jails/config/cert/acmedns
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: acmedns
+# REQUIRE: NETWORKING DAEMON
+
+. /etc/rc.subr
+
+: ${acmedns_enable="NO"}
+
+name=acmedns
+rcvar=${name}_enable
+
+ACMEDNS="/usr/local/bin/acme-dns"
+
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+restart_cmd="${name}_restart"
+
+acmedns_start()
+{
+ $ACMEDNS -c /etc/acme-dns/config.cfg &
+}
+
+acmedns_stop()
+{
+ ps ax | grep -ie acme-dns | grep -v grep | awk '{print $1}' | xargs kill -9
+}
+acmedns_restart()
+{
+ acmedns_stop
+ acmedns_start
+}
+
+load_rc_config ${name}
+run_rc_command "$1"
diff --git a/jails/config/cert/config.cfg b/jails/config/cert/config.cfg
new file mode 100644
index 0000000..1aac380
--- /dev/null
+++ b/jails/config/cert/config.cfg
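Review bot: `acmedns_stop` kills by pattern — `ps ax | grep -ie acme-dns | grep -v grep | awk '{print $1}' | xargs kill -9` — so any process whose command line happens to contain "acme-dns" (an editor open on config.cfg, a shell sitting in that directory) is SIGKILLed along with the daemon, and the daemon itself never gets a chance to close its sqlite database cleanly. `acmedns_start` also backgrounds the binary with a bare `&`, so there is no pidfile and `service acmedns status` has nothing to report. rc.subr already supplies start/stop/status/restart once `command` and `pidfile` are set; running the binary under daemon(8) with a supervisor pidfile lets stop deliver SIGTERM to exactly that process, and the three hand-written `*_cmd` functions and their variables can go. `-S` forwards the stdout logging that config.cfg selects to syslog, so nothing is lost when stdio is detached.
```shell
name=acmedns
rcvar=${name}_enable

pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-f -S -P ${pidfile} /usr/local/bin/acme-dns -c /etc/acme-dns/config.cfg"

# … unchanged: load_rc_config / run_rc_command …
```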
@@ -0,0 +1,65 @@
+[general]
+# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
+# In this case acme-dns will error out and you will need to define the listening interface
+# for example: listen = "127.0.0.1:53"
+listen = "0.0.0.0:53"
+# protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
+protocol = "both4"
+# domain name to serve the requests off of
+domain = "dns-auth.ahlawat.com"
+# zone name server
+nsname = "dns-auth.ahlawat.com"
+# admin email address, where @ is substituted with .
+nsadmin = "sharad.ahlawat.com"
+# predefined records served in addition to the TXT
+records = [
+ # domain pointing to the public IP of your acme-dns server
+ "dns-auth.ahlawat.com. A 216.139.40.20",
+ # specify that auth.example.org will resolve any *.auth.example.org records
+ "dns-auth.ahlawat.com. NS dns-auth.ahlawat.com.",
+]
+# debug messages from CORS etc
+debug = false
+
+[database]
+# Database engine to use, sqlite3 or postgres
+engine = "sqlite3"
+# Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
+# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
+connection = "/usr/local/lib/acme-dns/acme-dns.db"
+# connection = "postgres://user:password@localhost/acmedns_db"
+
+[api]
+# listen ip eg. 127.0.0.1
+ip = "0.0.0.0"
+# disable registration endpoint
+disable_registration = false
+# listen port, eg. 
443 for default HTTPS
+port = "443"
+# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
+tls = "cert"
+# only used if tls = "cert"
+tls_cert_privkey = "/mnt/certs/privkey.pem"
+tls_cert_fullchain = "/mnt/certs/fullchain.pem"
+# only used if tls = "letsencrypt"
+acme_cache_dir = "api-certs"
+# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
+notification_email = ""
+# CORS AllowOrigins, wildcards can be used
+corsorigins = [
+ "*"
+]
+# use HTTP header to get the client ip
+use_header = false
+# header name to pull the ip address / list of ip addresses from
+header_name = "X-Forwarded-For"
+
+[logconfig]
+# logging level: "error", "warning", "info" or "debug"
+loglevel = "debug"
+# possible values: stdout, TODO file & integrations
+logtype = "stdout"
+# file path for logfile TODO
+# logfile = "./acme-dns.log"
+# format, either "json" or "text"
+logformat = "text"
diff --git a/jails/config/cert/config.cfg-80 b/jails/config/cert/config.cfg-80
new file mode 100644
index 0000000..78decad
--- /dev/null
+++ b/jails/config/cert/config.cfg-80
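Review bot: `disable_registration = false` together with `ip = "0.0.0.0"` and `port = "443"` leaves the registration endpoint reachable from any network, so anyone can create new acme-dns accounts under dns-auth.ahlawat.com; once the intended clients have registered, set `disable_registration = true` and note that step in the comment above the key. `loglevel = "debug"` on an internet-facing service is an odd value to commit; `"info"` is the conventional running level, with debug turned on only while diagnosing. `corsorigins = [ "*" ]` is the upstream sample value and deserves a one-line comment stating whether browser clients are actually expected, since nothing else in the file suggests they are.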
@@ -0,0 +1,65 @@
+[general]
+# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
+# In this case acme-dns will error out and you will need to define the listening interface
+# for example: listen = "127.0.0.1:53"
+listen = "0.0.0.0:53"
+# protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
+protocol = "both"
+# domain name to serve the requests off of
+domain = "dns-auth.ahlawat.com"
+# zone name server
+nsname = "dns-auth.ahlawat.com"
+# admin email address, where @ is substituted with .
+nsadmin = "sharad.ahlawat.com"
+# predefined records served in addition to the TXT
+records = [
+ # domain pointing to the public IP of your acme-dns server
+ "dns-auth.ahlawat.com. A 216.139.40.20",
+ # specify that auth.example.org will resolve any *.auth.example.org records
+ "dns-auth.ahlawat.com. NS dns-auth.ahlawat.com.",
+]
+# debug messages from CORS etc
+debug = false
+
+[database]
+# Database engine to use, sqlite3 or postgres
+engine = "sqlite3"
+# Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
+# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
+connection = "/usr/local/lib/acme-dns/acme-dns.db"
+# connection = "postgres://user:password@localhost/acmedns_db"
+
+[api]
+# listen ip eg. 127.0.0.1
+ip = "0.0.0.0"
+# disable registration endpoint
+disable_registration = false
+# listen port, eg. 
443 for default HTTPS
+port = "80"
+# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
+tls = "none"
+# only used if tls = "cert"
+tls_cert_privkey = "/mnt/certs/privkey.pem"
+tls_cert_fullchain = "/mnt/certs/fullchain.pem"
+# only used if tls = "letsencrypt"
+acme_cache_dir = "api-certs"
+# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
+notification_email = ""
+# CORS AllowOrigins, wildcards can be used
+corsorigins = [
+ "*"
+]
+# use HTTP header to get the client ip
+use_header = false
+# header name to pull the ip address / list of ip addresses from
+header_name = "X-Forwarded-For"
+
+[logconfig]
+# logging level: "error", "warning", "info" or "debug"
+loglevel = "debug"
+# possible values: stdout, TODO file & integrations
+logtype = "stdout"
+# file path for logfile TODO
+# logfile = "./acme-dns.log"
+# format, either "json" or "text"
+logformat = "text"
diff --git a/jails/config/cert/pkg-list-details.txt b/jails/config/cert/pkg-list-details.txt
new file mode 100644
index 0000000..ec2c347
--- /dev/null
+++ b/jails/config/cert/pkg-list-details.txt
@@ -0,0 +1,7 @@
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____curl-7.82.0
+pkgp-freebsd-pkg____git-lite-2.35.1
+pkgp-freebsd-pkg____go-1.18,1
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____pkg-1.17.5_1
diff --git a/jails/config/cert/pkg-list.txt b/jails/config/cert/pkg-list.txt
new file mode 100644
index 0000000..3bd803e
--- /dev/null
+++ b/jails/config/cert/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion curl git-lite go nano pkg
diff --git a/jails/config/ci/pkg-list-details.txt b/jails/config/ci/pkg-list-details.txt
new file mode 100644
index 0000000..f7d3fdc
--- /dev/null
+++ b/jails/config/ci/pkg-list-details.txt
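Review bot: This variant sets `tls = "none"` with `port = "80"` and `ip = "0.0.0.0"`, so the API — including the per-account credentials clients present when updating TXT records — is served in clear text on a public interface, and nothing in the file says when it is meant to stand in for config.cfg. If it is a bootstrap configuration used only until /mnt/certs is populated, say so in a header comment (`# bootstrap only: plaintext API until /mnt/certs exists; switch back to config.cfg afterwards`); otherwise it is safer to drop it from the repo than to leave a one-edit path to an unencrypted API. The registration and loglevel remarks made on config.cfg apply here unchanged.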
@@ -0,0 +1,5 @@
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____jenkins-2.341
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____pkg-1.17.5_1
diff --git a/jails/config/ci/pkg-list.txt b/jails/config/ci/pkg-list.txt
new file mode 100644
index 0000000..aaf032d
--- /dev/null
+++ b/jails/config/ci/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion jenkins nano pkg
diff --git a/jails/config/cloud/config.php b/jails/config/cloud/config.php
new file mode 100644
index 0000000..ae550d8
--- /dev/null
+++ b/jails/config/cloud/config.php
@@ -0,0 +1,51 @@ + '5OBfApfc/+tJzU/4n+F8e+PzOfAStP', + 'secret' => 'IFX9kjXwOk4L21503pLACwa2Dadv9JzHNSu8XsnTogmwb5Tr', + 'trusted_domains' => + array ( + 0 => 'localhost', + 1 => 'cloud.ahlawat.com', + 2 => '192.168.0.59', + 3 => 'fd01::59', + ), + 'datadirectory' => '/mnt/cloud', + 'overwrite.cli.url' => 'https://cloud.ahlawat.com/', + 'dbtype' => 'mysql', + 'version' => '21.0.3.1', + 'dbname' => 'nextcloud', + 'dbhost' => 'db.ahlawat.com', + 'dbport' => '3306', + 'dbtableprefix' => 'oc_', + 'mysql.utf8mb4' => true, + 'dbuser' => 'nextcloud', + 'dbpassword' => 'mysql__nextcloud', + 'installed' => true, + 'instanceid' => 'oc7suxvjiy9s', + 'htaccess.RewriteBase' => '/', + 'filelocking.enabled' => 'true', + 'memcache.locking' => '\\OC\\Memcache\\Redis', + 'redis' => + array ( + 'host' => '/tmp/redis.sock', + 'port' => 0, + ), + 'logtimezone' => 'America/Los_Angeles', + 'default_phone_region' => 'US', + 'log_type' => 'file', + 'logfile' => '/var/log/nextcloud.log', + 'loglevel' => 0, + 'logrotate_size' => '104847600', + 'ldapIgnoreNamingRules' => false, + 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', + 'mail_smtpmode' => 'smtp', + 'mail_from_address' => 'nobody', + 'mail_domain' => 'ahlawat.com', + 'mail_smtphost' => '192.168.0.100', + 'mail_smtpport' => '25', + 'maintenance' => false, + 'theme' => '', + 'encryption.legacy_format_support' => false, + 'encryption.key_storage_migrated' => false, + 'updater.secret' => '$2y$10$jAnC4Ha3RI2CL.IlhYluSeeOuKMT4itq/ViSiH1Q9DciUXfB3YSYS', +); diff --git a/jails/config/cloud/config.php.20 b/jails/config/cloud/config.php.20 new file mode 100644 index 0000000..a0b7c37 --- /dev/null +++ b/jails/config/cloud/config.php.20 
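Review bot: This file commits live Nextcloud credentials to version control — `'secret'`, `'dbpassword'`, `'updater.secret'`, `'instanceid'` and the salt value whose key name was lost in this rendering (presumably `'passwordsalt'`) — and jails/config/cloud/config.php.20, added next in this commit, duplicates the same values. Once pushed these should be treated as exposed and rotated, and the tracked file replaced by a template whose secret entries carry placeholders (e.g. `'dbpassword' => '<DB_PASSWORD_PLACEHOLDER>',`) with the real config.php kept out of the repo. `'loglevel' => 0` is Nextcloud's debug level; 2 (warning) is the normal running value and keeps personal data out of /var/log/nextcloud.log. The `<?php` tag and the `$CONFIG = array (` opener are not visible in this rendering, so the start of the array could not be checked here.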
@@ -0,0 +1,51 @@ + '5OBfApfc/+tJzU/4n+F8e+PzOfAStP', + 'secret' => 'IFX9kjXwOk4L21503pLACwa2Dadv9JzHNSu8XsnTogmwb5Tr', + 'trusted_domains' => + array ( + 0 => 'localhost', + 1 => 'cloud.ahlawat.com', + 2 => '192.168.0.59', + 3 => 'fd01::59', + ), + 'datadirectory' => '/mnt/cloud', + 'overwrite.cli.url' => 'https://cloud.ahlawat.com/', + 'dbtype' => 'mysql', + 'version' => '21.0.3.1', + 'dbname' => 'nextcloud', + 'dbhost' => 'db.ahlawat.com', + 'dbport' => '3306', + 'dbtableprefix' => 'oc_', + 'mysql.utf8mb4' => true, + 'dbuser' => 'nextcloud', + 'dbpassword' => 'mysql__nextcloud', + 'installed' => true, + 'instanceid' => 'oc7suxvjiy9s', + 'htaccess.RewriteBase' => '/', + 'filelocking.enabled' => 'true', + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'memcache.locking' => '\\OC\\Memcache\\Redis', + 'redis' => + array ( + 'host' => '/tmp/redis.sock', + 'port' => 0, + ), + 'logtimezone' => 'America/Los_Angeles', + 'log_type' => 'file', + 'logfile' => '/var/log/nextcloud.log', + 'loglevel' => 0, + 'logrotate_size' => '104847600', + 'ldapIgnoreNamingRules' => false, + 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', + 'mail_smtpmode' => 'smtp', + 'mail_from_address' => 'nobody', + 'mail_domain' => 'ahlawat.com', + 'mail_smtphost' => '192.168.0.100', + 'mail_smtpport' => '25', + 'maintenance' => false, + 'theme' => '', + 'encryption.legacy_format_support' => false, + 'encryption.key_storage_migrated' => false, + 'updater.secret' => '$2y$10$jAnC4Ha3RI2CL.IlhYluSeeOuKMT4itq/ViSiH1Q9DciUXfB3YSYS', +); diff --git a/jails/config/cloud/httpd.conf b/jails/config/cloud/httpd.conf index f5b1f8d..6724eea 100644 --- a/jails/config/cloud/httpd.conf +++ b/jails/config/cloud/httpd.conf @@ -49,7 +49,7 @@ ServerRoot "/usr/local" # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 -Listen 80 +#Listen 80 # # Dynamic Shared Object (DSO) Support 
@@ -108,7 +108,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so #LoadModule substitute_module libexec/apache24/mod_substitute.so #LoadModule sed_module libexec/apache24/mod_sed.so #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so -#LoadModule deflate_module libexec/apache24/mod_deflate.so +LoadModule deflate_module libexec/apache24/mod_deflate.so #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so LoadModule mime_module libexec/apache24/mod_mime.so @@ -119,7 +119,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so LoadModule env_module libexec/apache24/mod_env.so #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so -#LoadModule expires_module libexec/apache24/mod_expires.so +LoadModule expires_module libexec/apache24/mod_expires.so LoadModule headers_module libexec/apache24/mod_headers.so #LoadModule usertrack_module libexec/apache24/mod_usertrack.so #LoadModule unique_id_module libexec/apache24/mod_unique_id.so @@ -178,7 +178,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so #LoadModule userdir_module libexec/apache24/mod_userdir.so LoadModule alias_module libexec/apache24/mod_alias.so LoadModule rewrite_module libexec/apache24/mod_rewrite.so -#LoadModule php7_module libexec/apache24/libphp7.so # Third party modules IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf @@ -223,7 +222,7 @@ ServerAdmin sharad@ahlawat.com # # If your host doesn't have a registered DNS name, enter its IP address here. # -#ServerName www.example.com:80 +ServerName cloud.ahlawat.com # # Deny access to the entirety of your server's filesystem. You must 
@@ -250,9 +249,10 @@ ServerAdmin sharad@ahlawat.com DocumentRoot "/usr/local/www/apache24/data" - RewriteEngine on - RewriteRule ^/\.well-known/ - [L] - RewriteRule (.*) https://cloud.ahlawat.com [R,L] +# can't set this if traffic is passing through haproxy and being redirected to ssl already +# RewriteEngine on +# RewriteRule ^/\.well-known/ - [L] +# RewriteRule (.*) https://cloud.ahlawat.com [R,L] # # Possible values for the Options directive are "None", "All", @@ -554,27 +554,25 @@ Include etc/apache24/Includes/*.conf ServerName cloud.ahlawat.com ServerAlias *.ahlawat.com - ServerAlias cloud - Protocols h2 h2c http/1.1 + Protocols h2 http/1.1 DocumentRoot "/usr/local/www/apache24/data/nextcloud/" - DirectoryIndex /index.php index.php SSLEngine on SSLCertificateFile "/mnt/certs/fullchain.pem" SSLCertificateKeyFile "/mnt/certs/privkey.pem" #SSLCertificateChainFile "/mnt/certs/fullchain.pem" SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - SSLHonorCipherOrder on - SSLCompression off + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off SSLSessionTickets off SSLOptions +StrictRequire +# SSLCompression off - RewriteEngine On - RewriteCond %{HTTP:Authorization} ^(.*) - RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] + RewriteEngine On + RewriteCond %{HTTP:Authorization} ^(.*) + RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] SetHandler "proxy:fcgi://127.0.0.1:9000" 
@@ -589,7 +587,8 @@ Include etc/apache24/Includes/*.conf
 CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
- Options +FollowSymLinks
+ Require all granted
+ Options FollowSymLinks MultiViews
 AllowOverride All
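Review bot: `AllowOverride All` beside the new `Require all granted` is doing security work here, not just enabling convenience overrides, and deserves a comment saying so: if this is the Nextcloud document root (the vhost's DocumentRoot in the previous hunk points at .../nextcloud/), then as far as I recall Nextcloud ships .htaccess files at the root and under data/ that deny web access to data/, config/ and similar paths, and those rules are inert unless overrides are allowed. I would add `# AllowOverride All is required: Nextcloud's own .htaccess files block direct access to data/ and config/` above it so a later hardening pass does not tighten it to None. The absolute form `Options FollowSymLinks MultiViews` also replaces rather than extends whatever the parent scope granted, and `MultiViews` only takes effect when mod_negotiation is loaded, which this hunk does not show; if nothing depends on content negotiation, `Options FollowSymLinks` is the smaller surface. The enclosing Directory container starts outside the visible hunk text.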
@@ -601,11 +600,116 @@ Include etc/apache24/Includes/*.conf + + Options Indexes FollowSymLinks MultiViews + ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16 + IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96 + + #AllowOverride controls what directives may be placed in .htaccess files. + #AllowOverride All + #AllowOverride AuthConfig + #Controls who can get stuff from this server file + #Require all granted + + ErrorLog "/var/log/ssl-error.log" CustomLog "/var/log/ssl-access_log" combined - Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + +ExpiresActive On +ExpiresDefault A0 + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + + SetOutputFilter DEFLATE + + + SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding + RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding + + + + AddOutputFilterByType DEFLATE "application/atom+xml" \ + "application/javascript" \ + "application/json" \ + "application/ld+json" \ + "application/manifest+json" \ + "application/rdf+xml" \ + "application/rss+xml" \ + "application/schema+json" \ + "application/vnd.geo+json" \ + "application/vnd.ms-fontobject" \ + "application/x-font-ttf" \ + "application/x-font-opentype" \ + "application/x-font-truetype" \ + "application/x-javascript" \ + "application/x-web-app-manifest+json" \ + "application/xhtml+xml" \ + "application/xml" \ + "font/eot" \ + "font/opentype" \ + "font/otf" \ + "image/bmp" \ + "image/svg+xml" 
\ + "image/vnd.microsoft.icon" \ + "image/x-icon" \ + "text/cache-manifest" \ + "text/css" \ + "text/html" \ + "text/javascript" \ + "text/plain" \ + "text/vcard" \ + "text/vnd.rim.location.xloc" \ + "text/vtt" \ + "text/x-component" \ + "text/x-cross-domain-policy" \ + "text/xml" + + + + AddEncoding gzip svgz + + + + +SSLUseStapling On +SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" diff --git a/jails/config/cloud/php.ini b/jails/config/cloud/php.ini index 3baa5f7..eaff024 100644 --- a/jails/config/cloud/php.ini +++ b/jails/config/cloud/php.ini @@ -1774,7 +1774,7 @@ opcache.enable_cli=1 opcache.memory_consumption=128 ; The amount of memory for interned strings in Mbytes. -opcache.interned_strings_buffer=8 +opcache.interned_strings_buffer=32 ; The maximum number of keys (scripts) in the OPcache hash table. ; Only numbers between 200 and 1000000 are allowed. @@ -1796,7 +1796,7 @@ opcache.max_accelerated_files=10000 ; How often (in seconds) to check file timestamps for changes to the shared ; memory storage allocation. ("1" means validate once per second, but only ; once per request. "0" means always validate) -opcache.revalidate_freq=1 +opcache.revalidate_freq=60 ; Enables or disables file search in include_path optimization ;opcache.revalidate_path=0 diff --git a/jails/config/cloud/pkg-list-details.txt b/jails/config/cloud/pkg-list-details.txt new file mode 100644 index 0000000..d275002 --- /dev/null +++ b/jails/config/cloud/pkg-list-details.txt 
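Review bot: `AddOutputFilterByType DEFLATE` now covers text/html, application/json and the other dynamic types an authenticated web app emits, which reopens the BREACH-style side channel at the HTTP layer: a response that carries both a per-session secret (for example a CSRF/request token embedded in the page) and attacker-influenced text becomes a compression length oracle, and the TLS-level `SSLCompression off` in the earlier hunk only closes the TLS variant. If that trade-off is accepted, say so in a comment next to the filter list; otherwise restrict the list to static types (CSS, JavaScript, fonts, SVG, feeds) and leave text/html and the JSON types uncompressed. Separately, `SSLUseStapling On` with the default `SSLStaplingReturnResponderErrors on` turns an OCSP responder outage into handshake failures for clients; adding `SSLStaplingReturnResponderErrors off` and `SSLStaplingResponderTimeout 5` next to the cache line keeps stapling best-effort. The `Options Indexes` at the top of the hunk enables directory listings for whichever Directory container it sits in; the container line is not visible in this text.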
@@ -0,0 +1,44 @@
+pkgp-freebsd-pkg____apache24-2.4.53
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____ffmpeg-4.4.1_11,1
+pkgp-freebsd-pkg____mod_php80-8.0.17_1
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____php80-8.0.17_2
+pkgp-freebsd-pkg____php80-bcmath-8.0.17_2
+pkgp-freebsd-pkg____php80-bz2-8.0.17_2
+pkgp-freebsd-pkg____php80-ctype-8.0.17_2
+pkgp-freebsd-pkg____php80-curl-8.0.17_2
+pkgp-freebsd-pkg____php80-dom-8.0.17_1
+pkgp-freebsd-pkg____php80-exif-8.0.17_2
+pkgp-freebsd-pkg____php80-fileinfo-8.0.17_2
+pkgp-freebsd-pkg____php80-filter-8.0.17_2
+pkgp-freebsd-pkg____php80-ftp-8.0.17_2
+pkgp-freebsd-pkg____php80-gd-8.0.17_2
+pkgp-freebsd-pkg____php80-gmp-8.0.17_2
+pkgp-freebsd-pkg____php80-iconv-8.0.17_2
+pkgp-freebsd-pkg____php80-imap-8.0.17_2
+pkgp-freebsd-pkg____php80-intl-8.0.17_2
+pkgp-freebsd-pkg____php80-ldap-8.0.17_2
+pkgp-freebsd-pkg____php80-mbstring-8.0.17_2
+pkgp-freebsd-pkg____php80-mysqli-8.0.17_2
+pkgp-freebsd-pkg____php80-opcache-8.0.17_2
+pkgp-freebsd-pkg____php80-pcntl-8.0.17_2
+pkgp-freebsd-pkg____php80-pdo-8.0.17_2
+pkgp-freebsd-pkg____php80-pdo_mysql-8.0.17_2
+pkgp-freebsd-pkg____php80-pecl-APCu-5.1.21
+pkgp-freebsd-pkg____php80-pecl-imagick-3.5.1
+pkgp-freebsd-pkg____php80-pecl-mcrypt-1.0.4
+pkgp-freebsd-pkg____php80-pecl-redis-5.3.5
+pkgp-freebsd-pkg____php80-posix-8.0.17_2
+pkgp-freebsd-pkg____php80-session-8.0.17_2
+pkgp-freebsd-pkg____php80-simplexml-8.0.17_1
+pkgp-freebsd-pkg____php80-xml-8.0.17_1
+pkgp-freebsd-pkg____php80-xmlreader-8.0.17_1
+pkgp-freebsd-pkg____php80-xmlwriter-8.0.17_1
+pkgp-freebsd-pkg____php80-xsl-8.0.17_1
+pkgp-freebsd-pkg____php80-zip-8.0.17_2
+pkgp-freebsd-pkg____php80-zlib-8.0.17_2
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____redis-6.2.6
+pkgp-freebsd-pkg____sudo-1.9.10
diff --git a/jails/config/cloud/pkg-list.txt b/jails/config/cloud/pkg-list.txt
new file mode 100644
index 0000000..85da320
--- /dev/null
+++ b/jails/config/cloud/pkg-list.txt
@@ -0,0 +1 @@
+apache24 bash bash-completion ffmpeg mod_php80 nano php80 php80-bcmath php80-bz2 php80-ctype php80-curl php80-dom php80-exif php80-fileinfo php80-filter php80-ftp php80-gd php80-gmp php80-iconv php80-imap php80-intl php80-ldap php80-mbstring php80-mysqli php80-opcache php80-pcntl php80-pdo php80-pdo_mysql php80-pecl-APCu php80-pecl-imagick php80-pecl-mcrypt php80-pecl-redis php80-posix php80-session php80-simplexml php80-xml php80-xmlreader php80-xmlwriter php80-xsl php80-zip php80-zlib pkg redis sudo
diff --git a/jails/config/common/12.3-RELEASE.bzip2 b/jails/config/common/12.3-RELEASE.bzip2
new file mode 100644
index 0000000..f136d66
Binary files /dev/null and b/jails/config/common/12.3-RELEASE.bzip2 differ
diff --git a/jails/config/common/current-src.bzip2 b/jails/config/common/current-src.bzip2
deleted file mode 100644
index ea46b87..0000000
Binary files a/jails/config/common/current-src.bzip2 and /dev/null differ
diff --git a/jails/config/common/freebsd-update.conf b/jails/config/common/freebsd-update.conf
index 3b6c64d..f627abb 100644
--- a/jails/config/common/freebsd-update.conf
+++ b/jails/config/common/freebsd-update.conf
@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.3/usr.sbin/freebsd-update/freebsd-update.conf 370439 2021-08-29 16:58:35Z kevans $
 # Trusted keyprint. Changing this is a Bad Idea unless you've received
 # a PGP-signed email from telling you to
@@ -10,6 +10,8 @@ KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
 # using a "nearby" server won't provide a measurable improvement in
 # performance.
 ServerName update.FreeBSD.org
+# caching not used as I am mounting the /var/db/freebsd-update/files directory into every jail
+#ServerName pkgp-freebsd-update.ahlawat.com
 # Components of the base system which should be kept updated.
 #Components src world
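Review bot: The new comment says /var/db/freebsd-update/files is mounted into every jail, and that mount needs to be read-only from the jails' side: as far as I recall freebsd-update verifies a file's SHA-256 only when it fetches it and reuses anything already present under files/ by its hash name, so a jail that can write to the shared directory could plant a replacement that the host and every other jail would then install without re-checking. If the nullfs mounts are already `ro`, record that here so the assumption survives; if not, mount them read-only and let only the host populate the cache. I would extend the line to `# caching not used: /var/db/freebsd-update/files is nullfs-mounted read-only into every jail; only the host fetches into it`.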
@@ -75,3 +77,6 @@ MergeChanges /etc/ /boot/device.hints
 # When backing up a kernel also back up debug symbol files?
 # BackupKernelSymbolFiles no
+
+# Create a new boot environment when installing patches
+# CreateBootEnv yes
diff --git a/jails/config/common/httpd-ldap.conf b/jails/config/common/httpd-ldap.conf
new file mode 100644
index 0000000..1fd6ad9
--- /dev/null
+++ b/jails/config/common/httpd-ldap.conf
@@ -0,0 +1,705 @@ +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/access_log" +# with ServerRoot set to "/usr/local/apache2" will be interpreted by the +# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" +# will be interpreted as '/logs/access_log'. + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot "/usr/local" + +# +# Mutex: Allows you to set the mutex mechanism and mutex file directory +# for individual mutexes, or change the global defaults +# +# Uncomment and change the directory if mutexes are file-based and the default +# mutex file directory is not on a local disk or is not appropriate for some +# other reason. +# +# Mutex default:/var/run + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. 
+# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +#Listen 80 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so +#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so +#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so +LoadModule authn_file_module libexec/apache24/mod_authn_file.so +#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so +#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so +#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so +#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so +LoadModule authn_core_module libexec/apache24/mod_authn_core.so +LoadModule authz_host_module libexec/apache24/mod_authz_host.so +LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so +LoadModule authz_user_module libexec/apache24/mod_authz_user.so +#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so +#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so +#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so +LoadModule authz_core_module libexec/apache24/mod_authz_core.so +#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so +LoadModule access_compat_module libexec/apache24/mod_access_compat.so +LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so +#LoadModule auth_form_module libexec/apache24/mod_auth_form.so +#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so 
+#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so +#LoadModule file_cache_module libexec/apache24/mod_file_cache.so +#LoadModule cache_module libexec/apache24/mod_cache.so +#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so +#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so +LoadModule authnz_ldap_module libexec/apache24/mod_authnz_ldap.so +LoadModule ldap_module libexec/apache24/mod_ldap.so +LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so +#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so +#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so +#LoadModule watchdog_module libexec/apache24/mod_watchdog.so +#LoadModule macro_module libexec/apache24/mod_macro.so +#LoadModule dbd_module libexec/apache24/mod_dbd.so +#LoadModule dumpio_module libexec/apache24/mod_dumpio.so +#LoadModule buffer_module libexec/apache24/mod_buffer.so +#LoadModule data_module libexec/apache24/mod_data.so +#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so +LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so +#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so +#LoadModule request_module libexec/apache24/mod_request.so +#LoadModule include_module libexec/apache24/mod_include.so +LoadModule filter_module libexec/apache24/mod_filter.so +#LoadModule reflector_module libexec/apache24/mod_reflector.so +#LoadModule substitute_module libexec/apache24/mod_substitute.so +#LoadModule sed_module libexec/apache24/mod_sed.so +#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so +LoadModule deflate_module libexec/apache24/mod_deflate.so +#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so +#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so +LoadModule mime_module libexec/apache24/mod_mime.so +LoadModule log_config_module libexec/apache24/mod_log_config.so +#LoadModule log_debug_module libexec/apache24/mod_log_debug.so 
+#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so +#LoadModule logio_module libexec/apache24/mod_logio.so +LoadModule env_module libexec/apache24/mod_env.so +#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so +#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so +LoadModule expires_module libexec/apache24/mod_expires.so +LoadModule headers_module libexec/apache24/mod_headers.so +#LoadModule usertrack_module libexec/apache24/mod_usertrack.so +#LoadModule unique_id_module libexec/apache24/mod_unique_id.so +LoadModule setenvif_module libexec/apache24/mod_setenvif.so +LoadModule version_module libexec/apache24/mod_version.so +#LoadModule remoteip_module libexec/apache24/mod_remoteip.so +LoadModule proxy_module libexec/apache24/mod_proxy.so +#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so +#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so +#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so +LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so +#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so +#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so +#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so +#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so +#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so +#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so +#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so +#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so +#LoadModule session_module libexec/apache24/mod_session.so +#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so +#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so +#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so +#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so +#LoadModule slotmem_plain_module 
libexec/apache24/mod_slotmem_plain.so +LoadModule ssl_module libexec/apache24/mod_ssl.so +#LoadModule dialup_module libexec/apache24/mod_dialup.so +LoadModule http2_module libexec/apache24/mod_http2.so +LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so +#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so +#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so +#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so +#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so +LoadModule unixd_module libexec/apache24/mod_unixd.so +#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so +#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so +#LoadModule dav_module libexec/apache24/mod_dav.so +LoadModule status_module libexec/apache24/mod_status.so +LoadModule autoindex_module libexec/apache24/mod_autoindex.so +#LoadModule asis_module libexec/apache24/mod_asis.so +#LoadModule info_module libexec/apache24/mod_info.so + + #LoadModule cgid_module libexec/apache24/mod_cgid.so + + + #LoadModule cgi_module libexec/apache24/mod_cgi.so + +#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so +#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so +#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so +#LoadModule negotiation_module libexec/apache24/mod_negotiation.so +LoadModule dir_module libexec/apache24/mod_dir.so +#LoadModule imagemap_module libexec/apache24/mod_imagemap.so +#LoadModule actions_module libexec/apache24/mod_actions.so +#LoadModule speling_module libexec/apache24/mod_speling.so +#LoadModule userdir_module libexec/apache24/mod_userdir.so +LoadModule alias_module libexec/apache24/mod_alias.so +LoadModule rewrite_module libexec/apache24/mod_rewrite.so +#LoadModule php_module libexec/apache24/libphp.so + +# Third party modules +IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf + + +# +# 
If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User www +Group www + + + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin sharad@ahlawat.com + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +ServerName www.ahlawat.com + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. 
+# +DocumentRoot "/usr/local/www/apache24/data" + + +# can't set this if traffic is passing through haproxy and being redirected to ssl already +# RewriteEngine on +# RewriteRule ^/\.well-known/ - [L] +# RewriteRule (.*) https://www.ahlawat.com [R,L] + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride None + + # + # Controls who can get stuff from this server. + # + Require all granted + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# + + DirectoryIndex index.php index.html + + SetHandler application/x-httpd-php + + + SetHandler application/x-httpd-php-source + + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog "/var/log/httpd-error.log" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. 
+# +LogLevel warn + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + CustomLog "/var/log/httpd-access.log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + #CustomLog "/var/log/httpd-access.log" combined + + + + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. 
The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + # + ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/" + + + + + # + # ScriptSock: On threaded servers, designate the path to the UNIX + # socket used to communicate with the CGI daemon of mod_cgid. + # + #Scriptsock cgisock + + +# +# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride None + Options None + Require all granted + + + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig etc/apache24/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) 
+ # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml + + AddType application/x-httpd-php .php + AddType application/x-httpd-php-source .phps + + + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# +#MIMEMagicFile etc/apache24/magic + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# MaxRanges: Maximum number of Ranges in a request before +# returning the entire resource, or one of the special +# values 'default', 'none' or 'unlimited'. +# Default setting is to accept 200 Ranges. +#MaxRanges unlimited + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +#EnableSendfile on + +# Supplemental configuration +# +# The configuration files in the etc/apache24/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. 
+ +# Server-pool management (MPM specific) +#Include etc/apache24/extra/httpd-mpm.conf + +# Multi-language error messages +#Include etc/apache24/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +#Include etc/apache24/extra/httpd-autoindex.conf + +# Language settings +#Include etc/apache24/extra/httpd-languages.conf + +# User home directories +#Include etc/apache24/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include etc/apache24/extra/httpd-info.conf + +# Virtual hosts +#Include etc/apache24/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include etc/apache24/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) +#Include etc/apache24/extra/httpd-dav.conf + +# Various default settings +#Include etc/apache24/extra/httpd-default.conf + +# Configure mod_proxy_html to understand HTML4/XHTML1 + +Include etc/apache24/extra/proxy-html.conf + + +# Secure (SSL/TLS) connections +#Include etc/apache24/extra/httpd-ssl.conf +# +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. 
+# + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + + +Include etc/apache24/Includes/*.conf + + + ServerName www.ahlawat.com + ServerAlias *.ahlawat.com + ServerAlias ahlawat.com + + Protocols h2 http/1.1 + + DocumentRoot "/usr/local/www/apache24/data/" + + SSLEngine on + SSLCertificateFile "/mnt/certs/fullchain.pem" + SSLCertificateKeyFile "/mnt/certs/privkey.pem" + #SSLCertificateChainFile "/mnt/certs/fullchain.pem" + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + SSLOptions +StrictRequire +# SSLCompression off + + RewriteEngine On + RewriteCond %{HTTP:Authorization} ^(.*) + RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] + + + SetHandler "proxy:fcgi://127.0.0.1:9000" + SSLOptions +StdEnvVars + + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 + CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + Options Indexes FollowSymLinks MultiViews + ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16 + IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96 + + #AllowOverride controls what directives may be placed in .htaccess files. 
+ AllowOverride All + #AllowOverride AuthConfig + #Controls who can get stuff from this server file + Require all granted + + + ErrorLog "/var/log/ssl-error.log" + CustomLog "/var/log/ssl-access_log" combined + + + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + + + +ExpiresActive On +ExpiresDefault A0 + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + + SetOutputFilter DEFLATE + + + SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding + RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding + + + + AddOutputFilterByType DEFLATE "application/atom+xml" \ + "application/javascript" \ + "application/json" \ + "application/ld+json" \ + "application/manifest+json" \ + "application/rdf+xml" \ + "application/rss+xml" \ + "application/schema+json" \ + "application/vnd.geo+json" \ + "application/vnd.ms-fontobject" \ + "application/x-font-ttf" \ + "application/x-font-opentype" \ + "application/x-font-truetype" \ + "application/x-javascript" \ + "application/x-web-app-manifest+json" \ + "application/xhtml+xml" \ + "application/xml" \ + "font/eot" \ + "font/opentype" \ + "font/otf" \ + "image/bmp" \ + "image/svg+xml" \ + "image/vnd.microsoft.icon" \ + "image/x-icon" \ + "text/cache-manifest" \ + "text/css" \ + "text/html" \ + "text/javascript" \ + "text/plain" \ + "text/vcard" \ + "text/vnd.rim.location.xloc" \ + "text/vtt" \ + "text/x-component" \ + "text/x-cross-domain-policy" \ + "text/xml" + + + + AddEncoding gzip svgz + + + + + +SSLUseStapling On +SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" 
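Review bot: `#LoadModule php_module libexec/apache24/libphp.so` is commented out, yet the main-server section keeps the mod_php template lines `SetHandler application/x-httpd-php`, `AddType application/x-httpd-php .php` and the `.phps` source variants, while only the TLS vhost routes PHP to `SetHandler "proxy:fcgi://127.0.0.1:9000"`. As far as I recall, when no loaded module claims a handler that looks like a MIME type, httpd's core handler falls back to serving the file as static content, so a request for a .php file that is answered by the main server instead of the vhost would return the PHP source, including any credentials it embeds. Make the main-server FilesMatch use the same fcgi `SetHandler` as the vhost and drop the mod_php-era handler and `.phps` lines so the two paths cannot disagree. Whether the main server is reachable on its own depends on the Listen directives, which are commented out in this file and must come from an included file; that is worth a comment next to `#Listen 80`. The FilesMatch and VirtualHost containers are not visible in the hunk text.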
diff --git a/jails/config/common/httpd.conf b/jails/config/common/httpd.conf new file mode 100644 index 0000000..00bb8ba --- /dev/null +++ b/jails/config/common/httpd.conf 
@@ -0,0 +1,703 @@ +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/access_log" +# with ServerRoot set to "/usr/local/apache2" will be interpreted by the +# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" +# will be interpreted as '/logs/access_log'. + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot "/usr/local" + +# +# Mutex: Allows you to set the mutex mechanism and mutex file directory +# for individual mutexes, or change the global defaults +# +# Uncomment and change the directory if mutexes are file-based and the default +# mutex file directory is not on a local disk or is not appropriate for some +# other reason. +# +# Mutex default:/var/run + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. 
+# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +#Listen 80 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so +#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so +#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so +LoadModule authn_file_module libexec/apache24/mod_authn_file.so +#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so +#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so +#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so +#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so +LoadModule authn_core_module libexec/apache24/mod_authn_core.so +LoadModule authz_host_module libexec/apache24/mod_authz_host.so +LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so +LoadModule authz_user_module libexec/apache24/mod_authz_user.so +#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so +#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so +#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so +LoadModule authz_core_module libexec/apache24/mod_authz_core.so +#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so +LoadModule access_compat_module libexec/apache24/mod_access_compat.so +LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so +#LoadModule auth_form_module libexec/apache24/mod_auth_form.so +#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so 
+#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so +#LoadModule file_cache_module libexec/apache24/mod_file_cache.so +#LoadModule cache_module libexec/apache24/mod_cache.so +#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so +#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so +LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so +#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so +#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so +#LoadModule watchdog_module libexec/apache24/mod_watchdog.so +#LoadModule macro_module libexec/apache24/mod_macro.so +#LoadModule dbd_module libexec/apache24/mod_dbd.so +#LoadModule dumpio_module libexec/apache24/mod_dumpio.so +#LoadModule buffer_module libexec/apache24/mod_buffer.so +#LoadModule data_module libexec/apache24/mod_data.so +#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so +LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so +#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so +#LoadModule request_module libexec/apache24/mod_request.so +#LoadModule include_module libexec/apache24/mod_include.so +LoadModule filter_module libexec/apache24/mod_filter.so +#LoadModule reflector_module libexec/apache24/mod_reflector.so +#LoadModule substitute_module libexec/apache24/mod_substitute.so +#LoadModule sed_module libexec/apache24/mod_sed.so +#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so +LoadModule deflate_module libexec/apache24/mod_deflate.so +#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so +#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so +LoadModule mime_module libexec/apache24/mod_mime.so +LoadModule log_config_module libexec/apache24/mod_log_config.so +#LoadModule log_debug_module libexec/apache24/mod_log_debug.so +#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so +#LoadModule logio_module 
libexec/apache24/mod_logio.so +LoadModule env_module libexec/apache24/mod_env.so +#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so +#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so +LoadModule expires_module libexec/apache24/mod_expires.so +LoadModule headers_module libexec/apache24/mod_headers.so +#LoadModule usertrack_module libexec/apache24/mod_usertrack.so +#LoadModule unique_id_module libexec/apache24/mod_unique_id.so +LoadModule setenvif_module libexec/apache24/mod_setenvif.so +LoadModule version_module libexec/apache24/mod_version.so +#LoadModule remoteip_module libexec/apache24/mod_remoteip.so +LoadModule proxy_module libexec/apache24/mod_proxy.so +#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so +#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so +#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so +LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so +#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so +#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so +#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so +#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so +#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so +#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so +#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so +#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so +#LoadModule session_module libexec/apache24/mod_session.so +#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so +#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so +#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so +#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so +#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so +LoadModule ssl_module libexec/apache24/mod_ssl.so +#LoadModule 
dialup_module libexec/apache24/mod_dialup.so +LoadModule http2_module libexec/apache24/mod_http2.so +LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so +#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so +#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so +#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so +#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so +LoadModule unixd_module libexec/apache24/mod_unixd.so +#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so +#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so +#LoadModule dav_module libexec/apache24/mod_dav.so +LoadModule status_module libexec/apache24/mod_status.so +LoadModule autoindex_module libexec/apache24/mod_autoindex.so +#LoadModule asis_module libexec/apache24/mod_asis.so +#LoadModule info_module libexec/apache24/mod_info.so + + #LoadModule cgid_module libexec/apache24/mod_cgid.so + + + #LoadModule cgi_module libexec/apache24/mod_cgi.so + +#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so +#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so +#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so +#LoadModule negotiation_module libexec/apache24/mod_negotiation.so +LoadModule dir_module libexec/apache24/mod_dir.so +#LoadModule imagemap_module libexec/apache24/mod_imagemap.so +#LoadModule actions_module libexec/apache24/mod_actions.so +#LoadModule speling_module libexec/apache24/mod_speling.so +#LoadModule userdir_module libexec/apache24/mod_userdir.so +LoadModule alias_module libexec/apache24/mod_alias.so +LoadModule rewrite_module libexec/apache24/mod_rewrite.so +#LoadModule php_module libexec/apache24/libphp.so + +# Third party modules +IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf + + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it 
will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User www +Group www + + + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin sharad@ahlawat.com + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +ServerName www.ahlawat.com + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. 
+# +DocumentRoot "/usr/local/www/apache24/data" + + +# can't set this if traffic is passing through haproxy and being redirected to ssl already +# RewriteEngine on +# RewriteRule ^/\.well-known/ - [L] +# RewriteRule (.*) https://www.ahlawat.com [R,L] + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride None + + # + # Controls who can get stuff from this server. + # + Require all granted + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# + + DirectoryIndex index.php index.html + + SetHandler application/x-httpd-php + + + SetHandler application/x-httpd-php-source + + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog "/var/log/httpd-error.log" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. 
+# +LogLevel warn + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + CustomLog "/var/log/httpd-access.log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + #CustomLog "/var/log/httpd-access.log" combined + + + + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. 
The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + # + ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/" + + + + + # + # ScriptSock: On threaded servers, designate the path to the UNIX + # socket used to communicate with the CGI daemon of mod_cgid. + # + #Scriptsock cgisock + + +# +# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride None + Options None + Require all granted + + + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig etc/apache24/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) 
+ # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml + + AddType application/x-httpd-php .php + AddType application/x-httpd-php-source .phps + + + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# +#MIMEMagicFile etc/apache24/magic + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# MaxRanges: Maximum number of Ranges in a request before +# returning the entire resource, or one of the special +# values 'default', 'none' or 'unlimited'. +# Default setting is to accept 200 Ranges. +#MaxRanges unlimited + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +#EnableSendfile on + +# Supplemental configuration +# +# The configuration files in the etc/apache24/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. 
+ +# Server-pool management (MPM specific) +#Include etc/apache24/extra/httpd-mpm.conf + +# Multi-language error messages +#Include etc/apache24/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +#Include etc/apache24/extra/httpd-autoindex.conf + +# Language settings +#Include etc/apache24/extra/httpd-languages.conf + +# User home directories +#Include etc/apache24/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include etc/apache24/extra/httpd-info.conf + +# Virtual hosts +#Include etc/apache24/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include etc/apache24/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) +#Include etc/apache24/extra/httpd-dav.conf + +# Various default settings +#Include etc/apache24/extra/httpd-default.conf + +# Configure mod_proxy_html to understand HTML4/XHTML1 + +Include etc/apache24/extra/proxy-html.conf + + +# Secure (SSL/TLS) connections +#Include etc/apache24/extra/httpd-ssl.conf +# +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. 
+# + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + + +Include etc/apache24/Includes/*.conf + + + ServerName www.ahlawat.com + ServerAlias *.ahlawat.com + ServerAlias ahlawat.com + + Protocols h2 http/1.1 + + DocumentRoot "/usr/local/www/apache24/data/" + + SSLEngine on + SSLCertificateFile "/mnt/certs/fullchain.pem" + SSLCertificateKeyFile "/mnt/certs/privkey.pem" + #SSLCertificateChainFile "/mnt/certs/fullchain.pem" + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + SSLOptions +StrictRequire +# SSLCompression off + + RewriteEngine On + RewriteCond %{HTTP:Authorization} ^(.*) + RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] + + + SetHandler "proxy:fcgi://127.0.0.1:9000" + SSLOptions +StdEnvVars + + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 + CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + Options Indexes FollowSymLinks MultiViews + ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16 + IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96 + + #AllowOverride controls what directives may be placed in .htaccess files. 
+ #AllowOverride All + #AllowOverride AuthConfig + #Controls who can get stuff from this server file + #Require all granted + + + ErrorLog "/var/log/ssl-error.log" + CustomLog "/var/log/ssl-access_log" combined + + + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + + + +ExpiresActive On +ExpiresDefault A0 + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + + SetOutputFilter DEFLATE + + + SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding + RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding + + + + AddOutputFilterByType DEFLATE "application/atom+xml" \ + "application/javascript" \ + "application/json" \ + "application/ld+json" \ + "application/manifest+json" \ + "application/rdf+xml" \ + "application/rss+xml" \ + "application/schema+json" \ + "application/vnd.geo+json" \ + "application/vnd.ms-fontobject" \ + "application/x-font-ttf" \ + "application/x-font-opentype" \ + "application/x-font-truetype" \ + "application/x-javascript" \ + "application/x-web-app-manifest+json" \ + "application/xhtml+xml" \ + "application/xml" \ + "font/eot" \ + "font/opentype" \ + "font/otf" \ + "image/bmp" \ + "image/svg+xml" \ + "image/vnd.microsoft.icon" \ + "image/x-icon" \ + "text/cache-manifest" \ + "text/css" \ + "text/html" \ + "text/javascript" \ + "text/plain" \ + "text/vcard" \ + "text/vnd.rim.location.xloc" \ + "text/vtt" \ + "text/x-component" \ + "text/x-cross-domain-policy" \ + "text/xml" + + + + AddEncoding gzip svgz + + + + + +SSLUseStapling On +SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" 
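Review bot: Directory listings are enabled for the whole document tree: the DocumentRoot block sets `Options Indexes FollowSymLinks`, the TLS vhost's directory block repeats `Options Indexes FollowSymLinks MultiViews` with FancyIndexing, and mod_autoindex is loaded, so every directory without an index.php/index.html is enumerable by any client (the `<Directory>` container names themselves were stripped from this rendering, so I am going by the Options lines). Unless browsable listings are intended everywhere, use `Options -Indexes +FollowSymLinks` on the DocumentRoot block and grant `+Indexes` only on the directory that is meant to be browsed. The same vhost applies `AddOutputFilterByType DEFLATE` to `text/html` on a TLS site fronting PHP-FPM (`proxy:fcgi://127.0.0.1:9000`), which is the precondition for BREACH-style recovery of secrets if any page reflects request data next to a session or CSRF token; consider dropping text/html from that list or confirming the application does not do that. HSTS is the only hardening header in the 703 added lines and I see no `ServerTokens`/`ServerSignature`, so the default full version banner is presumably still sent; `ServerTokens Prod`, `ServerSignature Off` and `Header always set X-Content-Type-Options "nosniff"` next to the HSTS line are cheap additions.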
diff --git a/jails/config/common/pkgp.conf b/jails/config/common/pkgp.conf index aaf9563..787f4ce 100644 --- a/jails/config/common/pkgp.conf +++ b/jails/config/common/pkgp.conf @@ -10,8 +10,8 @@ pkgp-freebsd-pkg: { priority: 10 } -pkgp122: { - url: "http://pkgp.ahlawat.com/packages/pj122-default/", +pkgp123: { + url: "http://pkgp.ahlawat.com/packages/pj123-default", mirror_type: "http", signature_type: "pubkey", pubkey: "/mnt/certs/poudriere.cert", diff --git a/jails/config/db/pkg-list-details.txt b/jails/config/db/pkg-list-details.txt new file mode 100644 index 0000000..7e30f3e --- /dev/null +++ b/jails/config/db/pkg-list-details.txt @@ -0,0 +1,6 @@ +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____mariadb105-server-10.5.15_2 +pkgp-freebsd-pkg____mysqld_exporter-0.12.1_1 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____pkg-1.17.5_1 diff --git a/jails/config/db/pkg-list.txt b/jails/config/db/pkg-list.txt new file mode 100644 index 0000000..3167549 --- /dev/null +++ b/jails/config/db/pkg-list.txt @@ -0,0 +1 @@ +bash bash-completion mariadb105-server mysqld_exporter nano pkg diff --git a/jails/config/dns/dns_update.sh b/jails/config/dns/dns_update.sh new file mode 100755 index 0000000..794409c --- /dev/null +++ b/jails/config/dns/dns_update.sh 
@@ -0,0 +1,58 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#SIM="-s"
+#SIM=""
+
+#rpl $SIM -v -R "2001:470:480a:a1::" "2001:470:480a:8001::" ./namedb
+#rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.8" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.8" ./namedb
+#rpl $SIM -v -R "2021120700" "2022010100" ./namedb
+#service $SIM named $SIM restart
+
+
+service named stop
+
+cd /data/namedb/master
+
+rm /data/namedb/master/*signed*
+
+declare -A ZONE_PEM
+ZONE_PEM=(["ahlawat.com"]="" ["beyondbell.com"]="bb" ["diyit.org"]="diy" ["xflow.org"]="xflow" ["datavpc.com"]="dvpc" ["mydatavpc.com"]="mdvpc" ["rockwoodestates.org"]="rwe" ["rockwoodranch.org"]="rwr" ["scvcc-rental.com"]="scvcc")
+
+for ZONE in "${!ZONE_PEM[@]}"
+do
+ PEM=${ZONE_PEM[$ZONE]}
+
+ /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create mail.$ZONE 25 3 1 1 > /data/namedb/master/tlsa-$ZONE
+ /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create mail-backup.$ZONE 25 3 1 1 >> /data/namedb/master/tlsa-$ZONE
+ /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create $ZONE 443 3 1 1 >> /data/namedb/master/tlsa-$ZONE
+ /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create www.$ZONE 443 3 1 1 >> /data/namedb/master/tlsa-$ZONE
+done
+
+NEW_SERIAL=`date -j +%Y%m%d%H`
+#NEW_SERIAL="2022022635"
+echo $NEW_SERIAL
+
+for DBFILE in `ls /data/namedb/master/*.db`
+do
+ ZONE=`echo $DBFILE | cut -d/ -f 5 | cut -d. -f -2`
+
+ /usr/local/sbin/named-checkzone $ZONE $DBFILE
+ SERIAL=`/usr/local/sbin/named-checkzone $ZONE $DBFILE | egrep -ho '[0-9]{10}'`
+ echo $SERIAL
+ sed -i .orig 's/'$SERIAL'/'$(($NEW_SERIAL))'/' $DBFILE
+
+ #/usr/local/sbin/dnssec-signzone -S -K /data/namedb/master -t -o $ZONE $DBFILE
+ /usr/local/sbin/dnssec-signzone -3 $(head -c 1024 /dev/random | sha1sum | cut -b 1-16) -K /data/namedb/master -t -o $ZONE $DBFILE
+done
+
+chown bind:bind /data/namedb/master/*
+
+service named start
diff --git a/jails/config/dns/dns_verify-6.sh b/jails/config/dns/dns_verify-6.sh
new file mode 100755
index 0000000..4bf1011
--- /dev/null
+++ b/jails/config/dns/dns_verify-6.sh
@@ -0,0 +1,29 @@
+
+#### dns_verify-6.sh
+#
+NETS="2603:3024:3f6:e1: 2603:3024:3f6:e2: 2603:3024:3f6:e5:"
+IPS=$(seq 1 254)
+#
+echo
+echo -e "\tip -> hostname -> ip"
+echo '--------------------------------------------------------'
+for NET in $NETS; do
+ for n in $IPS; do
+ A=${NET}:${n}
+ echo -e "\t$A"
+ HOST=$(dig -6 -x $A +short)
+ if test -n "$HOST"; then
+ ADDR=$(dig -6 -t "AAAA" $HOST +short)
+ if test "$A" = "$ADDR"; then
+ echo -e "ok\t$A -> $HOST -> $ADDR"
+ elif test -n "$ADDR"; then
+ echo -e "fail\t$A -> $HOST -> $ADDR"
+ else
+ echo -e "fail\t$A -> $HOST -> [unassigned]"
+ fi
+ fi
+ done
+done
+
+echo ""
+echo "DONE."
diff --git a/jails/config/dns/dns_verify.sh b/jails/config/dns/dns_verify.sh
new file mode 100755
index 0000000..ba3709d
--- /dev/null
+++ b/jails/config/dns/dns_verify.sh
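Review bot: The serial bump in the second loop is not guaranteed to go up: `NEW_SERIAL` is `date -j +%Y%m%d%H`, so a second run within the same hour (or a zone whose serial is already ahead of the clock) rewrites the serial to an equal or lower value and secondaries never transfer the freshly signed zone; guard it per zone before the sed with `[ "$NEW_SERIAL" -gt "$SERIAL" ] || NEW_SERIAL=$((SERIAL + 1))`, or let `dnssec-signzone -N unixtime` manage the serial instead. The `sed -i .orig 's/'$SERIAL'/…/'` also replaces every occurrence of the first 10-digit run that named-checkzone happens to print, anywhere in the file, so a matching digit sequence inside a TLSA or DS hex string would be rewritten too, and an empty `$SERIAL` turns the expression into `s//…/`, which sed rejects; anchor the substitution to the SOA line. Ordering is the availability risk: named is stopped first, the `*signed*` files are deleted, and `service named start` runs unconditionally at the end with no `set -e` or check of the `dnssec-signzone` exit status, so a failed signing run brings named back serving missing or stale signed zones — sign while named is still running and only then reload, or abort before the start on any failure. Finally, `chown bind:bind /data/namedb/master/*` also covers the signing keys selected by `-K`; chown alone does not restrict read access, so make sure the `K*.private` files keep a 0600 mode.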
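Review bot: The script is mode 100755 but its first added line is blank rather than a shebang, so the interpreter is whatever the kernel or caller falls back to, and constructs such as `echo -e` and `$(...)` then depend on that shell's dialect; start the file with `#!/usr/local/bin/bash` as dns_update.sh does. Separately, `ADDR=$(dig -6 -t "AAAA" $HOST +short)` returns one line per answer, so a host with several AAAA records (or a PTR that names a CNAME) yields a multi-line `$ADDR` that can never equal `$A` and is reported as `fail` although the forward record exists; test membership instead, e.g. `printf '%s\n' "$ADDR" | grep -qxF -- "$A"`. Note also that `-6` forces IPv6 transport to the resolver, so a resolver reachable only over IPv4 makes every address look `[unassigned]`; that is a transport check rather than a data check and deserves a comment if it is intended.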
@@ -0,0 +1,27 @@ +#### dns_verify.sh +# +NETS="192.168.0 192.168.1 192.168.2" +IPS=$(seq 1 254) +# +echo +echo -e "\tip -> hostname -> ip" +echo '--------------------------------------------------------' +for NET in $NETS; do + for n in $IPS; do + A=${NET}.${n} + HOST=$(dig -x $A +short) + if test -n "$HOST"; then + ADDR=$(dig $HOST +short) + if test "$A" = "$ADDR"; then + echo -e "ok\t$A -> $HOST -> $ADDR" + elif test -n "$ADDR"; then + echo -e "fail\t$A -> $HOST -> $ADDR" + else + echo -e "fail\t$A -> $HOST -> [unassigned]" + fi + fi + done +done + +echo "" +echo "DONE." diff --git a/jails/config/dns/pkg-list-details.txt b/jails/config/dns/pkg-list-details.txt new file mode 100644 index 0000000..7f22ccc --- /dev/null +++ b/jails/config/dns/pkg-list-details.txt @@ -0,0 +1,7 @@ +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____bind916-9.16.27 +pkgp-freebsd-pkg____ldns-1.8.1 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____pkg-1.17.5_1 +pkgp-freebsd-pkg____rpl-1.4.1 diff --git a/jails/config/dns/pkg-list.txt b/jails/config/dns/pkg-list.txt new file mode 100644 index 0000000..29f51bf --- /dev/null +++ b/jails/config/dns/pkg-list.txt @@ -0,0 +1 @@ +bash bash-completion bind916 ldns nano pkg rpl diff --git a/jails/config/dns/update6.sh b/jails/config/dns/update6.sh deleted file mode 100755 index 54095b1..0000000 --- a/jails/config/dns/update6.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/local/bin/bash - -# Copyright (c) 2018-2021, diyIT.org -# All rights reserved. -# -# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") -# https://diyit.org/license/ -# -# - -SIM="-s" -#SIM="" - -rpl $SIM -v -R "2603:3024:3f6:21::" "2603:3024:3f6:1::" ./namedb -rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1" ./namedb -rpl $SIM -v -R "2021030900" "2021031100" ./namedb - -service $SIM named $SIM restart 
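Review bot: `ADDR=$(dig $HOST +short)` yields one line per answer, so any host with more than one A record, or a PTR whose target is a CNAME, produces a multi-line `$ADDR` that never equals `$A` and is logged as `fail` even when the forward record is correct; test membership instead, e.g. `printf '%s\n' "$ADDR" | grep -qxF -- "$A"`, or restrict the query with `dig -t A +short "$HOST"`. `$HOST` is also expanded unquoted, so a name with several PTR records becomes several arguments to dig. Like dns_verify-6.sh, the file is executable but has no shebang while relying on `echo -e`, so which shell interprets it depends on the caller; `#!/usr/local/bin/bash` as the first line matches dns_update.sh.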
diff --git a/jails/config/elk/pkg-list-details.txt b/jails/config/elk/pkg-list-details.txt new file mode 100644 index 0000000..4a1a4ec --- /dev/null +++ b/jails/config/elk/pkg-list-details.txt @@ -0,0 +1,10 @@ +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____beats7-7.16.3_1 +pkgp-freebsd-pkg____curl-7.82.0 +pkgp-freebsd-pkg____elasticsearch7-7.16.3 +pkgp-freebsd-pkg____kibana7-7.16.3 +pkgp-freebsd-pkg____logstash7-7.16.3 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____openjdk11-11.0.14+9.1_1 +pkgp-freebsd-pkg____pkg-1.17.5_1 diff --git a/jails/config/elk/pkg-list.txt b/jails/config/elk/pkg-list.txt new file mode 100644 index 0000000..cac4741 --- /dev/null +++ b/jails/config/elk/pkg-list.txt @@ -0,0 +1 @@ +bash bash-completion beats7 curl elasticsearch7 kibana7 logstash7 nano openjdk11 pkg diff --git a/jails/config/git/gitea-restart.sh b/jails/config/git/gitea-restart.sh index d477970..64f384f 100755 --- a/jails/config/git/gitea-restart.sh +++ b/jails/config/git/gitea-restart.sh @@ -8,10 +8,13 @@ # # -Q=`netstat -LAan | grep 3000 | cut -f3 -d" " | cut -f1 -d/` +Q=`netstat -LAan | grep "*.3000" | cut -f3 -d" " | cut -f1 -d/` # Q is null if gitea service is not running -if [ ! "$Q" ] || [ $Q -ne 0 ]; then +# 1537 is max stuck recvQ qlen limit when logging start: +# sonewconn: pcb 0xfffff804b9f73d58: Listen queue overflow: 1537 already in queue awaiting acceptance (30 occurrences) + +if [ ! "$Q" ] || [ $Q -ge 100 ]; then echo "restarting gitea stuck at $Q" tail /var/log/gitea/gitea.log kill -9 `pgrep gitea` ; sleep 2 ; service gitea start diff --git a/jails/config/git/pkg-list-details.txt b/jails/config/git/pkg-list-details.txt new file mode 100644 index 0000000..7ef23ac --- /dev/null +++ b/jails/config/git/pkg-list-details.txt 
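Review bot: The new comparison `[ $Q -ge 100 ]` leaves `$Q` unquoted; if `grep "*.3000"` matches more than one socket — a tcp4 and a tcp6 listener on port 3000, or an unrelated `*.30000`, since `.` is a regex metacharacter here — `$Q` expands to several words, `test` fails with a syntax error and the restart branch is silently skipped, which is the opposite of what a watchdog should do. Pin the match and take a single value: `Q=$(netstat -LAan | grep -wF '*.3000' | head -n 1 | cut -f3 -d' ' | cut -f1 -d/)` followed by `if [ -z "$Q" ] || [ "$Q" -ge 100 ]; then`. Which field `cut -f3 -d' '` selects also depends on netstat's column spacing, so an awk field split would be more robust, but I cannot confirm the exact output layout from the diff; the `kill -9` below the condition is unchanged context.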
@@ -0,0 +1,6 @@ +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____gitea-1.16.5_1 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____openldap-sasl-client-2.4.59 +pkgp-freebsd-pkg____pkg-1.17.5_1 diff --git a/jails/config/git/pkg-list.txt b/jails/config/git/pkg-list.txt new file mode 100644 index 0000000..24507dc --- /dev/null +++ b/jails/config/git/pkg-list.txt @@ -0,0 +1 @@ +bash bash-completion gitea nano openldap-sasl-client pkg diff --git a/jails/config/hass/pkg-list-details.txt b/jails/config/hass/pkg-list-details.txt new file mode 100644 index 0000000..ced381b --- /dev/null +++ b/jails/config/hass/pkg-list-details.txt @@ -0,0 +1,17 @@ +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____cmake-3.22.2 +pkgp-freebsd-pkg____ffmpeg-4.4.1_11,1 +pkgp-freebsd-pkg____git-lite-2.35.1 +pkgp-freebsd-pkg____gmake-4.3_2 +pkgp-freebsd-pkg____heyu2-2.10_1 +pkgp-freebsd-pkg____libxslt-1.1.35_1 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____openjpeg-2.4.0 +pkgp-freebsd-pkg____pkg-1.17.5_1 +pkgp-freebsd-pkg____py38-sqlite3-3.8.13_7 +pkgp-freebsd-pkg____py39-sqlite3-3.9.12_7 +pkgp-freebsd-pkg____python39-3.9.12 +pkgp-freebsd-pkg____rust-1.59.0 +pkgp-freebsd-pkg____tmux-3.2a +pkgp-freebsd-pkg____wget-1.21.3 diff --git a/jails/config/hass/pkg-list.txt b/jails/config/hass/pkg-list.txt new file mode 100644 index 0000000..c563026 --- /dev/null +++ b/jails/config/hass/pkg-list.txt @@ -0,0 +1 @@ +bash bash-completion cmake ffmpeg git-lite gmake heyu2 libxslt nano openjpeg pkg py38-sqlite3 py39-sqlite3 python39 rust tmux wget diff --git a/jails/config/hass/x10.conf b/jails/config/hass/x10.conf index 8dde3dd..a1c9721 100644 --- a/jails/config/hass/x10.conf +++ b/jails/config/hass/x10.conf @@ -16,7 +16,7 @@ # Serial port to which the CM11a is connected. Default is /dev/ttyS0. -tty /dev/ttyU1 +tty /dev/ttyU0 check_ri_line NO # If you have an X10 compatible RF receiver connected to a second 
@@ -24,7 +24,7 @@ check_ri_line NO # and model of receiver. Supported receivers are W800RF32, MR26A, # and RFXCOM. There are no defaults. -tty_aux /dev/ttyU0 MR26A +tty_aux /dev/ttyU1 MR26A # The CM19A is both a receiver and transmitter for X10 RF signals. # The MR26A is a receiver only. diff --git a/jails/config/hub/httpd.conf b/jails/config/hub/httpd.conf index 19fbe56..f67adf8 100644 --- a/jails/config/hub/httpd.conf +++ b/jails/config/hub/httpd.conf @@ -49,7 +49,7 @@ ServerRoot "/usr/local" # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 -Listen 80 +#Listen 80 # # Dynamic Shared Object (DSO) Support @@ -110,7 +110,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so #LoadModule substitute_module libexec/apache24/mod_substitute.so #LoadModule sed_module libexec/apache24/mod_sed.so #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so -#LoadModule deflate_module libexec/apache24/mod_deflate.so +LoadModule deflate_module libexec/apache24/mod_deflate.so #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so LoadModule mime_module libexec/apache24/mod_mime.so @@ -121,7 +121,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so LoadModule env_module libexec/apache24/mod_env.so #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so -#LoadModule expires_module libexec/apache24/mod_expires.so +LoadModule expires_module libexec/apache24/mod_expires.so LoadModule headers_module libexec/apache24/mod_headers.so #LoadModule usertrack_module libexec/apache24/mod_usertrack.so #LoadModule unique_id_module libexec/apache24/mod_unique_id.so 
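Review bot: Commenting out `Listen 80` leaves this jail with no plaintext listener, so a client that opens `http://hub.ahlawat.com` gets a refused connection instead of a redirect, and the `Strict-Transport-Security` header this server sends only protects clients that have already completed one HTTPS visit. If nothing in front of the jail answers port 80, keep a minimal port-80 vhost whose only directive is `Redirect permanent / https://hub.ahlawat.com/`. If port 80 is intentionally closed at the firewall, a one-line comment to that effect next to `#Listen 80` stops the next reader from re-enabling it. Loading `mod_deflate` here is harmless by itself; which response types it is applied to is what matters, and that is set further down in this file.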
@@ -180,7 +180,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so #LoadModule userdir_module libexec/apache24/mod_userdir.so LoadModule alias_module libexec/apache24/mod_alias.so LoadModule rewrite_module libexec/apache24/mod_rewrite.so -#LoadModule php7_module libexec/apache24/libphp7.so # Third party modules IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf @@ -225,7 +224,7 @@ ServerAdmin sharad@ahlawat.com # # If your host doesn't have a registered DNS name, enter its IP address here. # -#ServerName www.example.com:80 +ServerName hub.ahlawat.com # # Deny access to the entirety of your server's filesystem. You must @@ -559,7 +558,7 @@ Include etc/apache24/Includes/*.conf ServerAlias *.ahlawat.com ServerAlias hub - Protocols h2 h2c http/1.1 + Protocols h2 http/1.1 DocumentRoot "/usr/local/www/apache24/data/" @@ -568,15 +567,15 @@ Include etc/apache24/Includes/*.conf SSLCertificateKeyFile "/mnt/certs/privkey.pem" #SSLCertificateChainFile "/mnt/certs/fullchain.pem" SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - SSLHonorCipherOrder on - SSLCompression off + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off SSLSessionTickets off SSLOptions +StrictRequire +# SSLCompression off - RewriteEngine On - RewriteCond %{HTTP:Authorization} ^(.*) - RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] + RewriteEngine On + RewriteCond %{HTTP:Authorization} ^(.*) + RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] SetHandler "proxy:fcgi://127.0.0.1:9000" 
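Review bot: `# SSLCompression off` now leaves TLS compression to the default; on the apache24-2.4.53 this jail installs the default is already off, so nothing regresses, but the explicit directive is the documented CRIME mitigation and costs nothing — keep `SSLCompression off` uncommented. `SSLHonorCipherOrder off` hands suite choice to the client; every suite in the new list is forward-secret AEAD, so that is acceptable, though the added `DHE-RSA-*` suites rely on httpd's built-in DH groups unless `SSLOpenSSLConfCmd DHParameters` is set elsewhere, which is worth a one-line comment so nobody later trims the ECDHE entries. The re-indented `RewriteCond %{HTTP:Authorization}` / `RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]` pair forwards whatever Authorization header a client sends into the FastCGI environment, so the PHP application behind `proxy:fcgi://127.0.0.1:9000` is the only thing validating it. The enclosing `VirtualHost` starts before this hunk.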
@@ -606,7 +605,100 @@ Include etc/apache24/Includes/*.conf CustomLog "/var/log/ssl-access_log" combined - Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + +ExpiresActive On +ExpiresDefault A0 + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + +ExpiresDefault A31536000 + + + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + Header set Cache-Control "max-age=31536000" + + + + + SetOutputFilter DEFLATE + + + SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding + RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding + + + + AddOutputFilterByType DEFLATE "application/atom+xml" \ + "application/javascript" \ + "application/json" \ + "application/ld+json" \ + "application/manifest+json" \ + "application/rdf+xml" \ + "application/rss+xml" \ + "application/schema+json" \ + "application/vnd.geo+json" \ + "application/vnd.ms-fontobject" \ + "application/x-font-ttf" \ + "application/x-font-opentype" \ + "application/x-font-truetype" \ + "application/x-javascript" \ + "application/x-web-app-manifest+json" \ + "application/xhtml+xml" \ + "application/xml" \ + "font/eot" \ + "font/opentype" \ + "font/otf" \ + "image/bmp" \ + "image/svg+xml" \ + "image/vnd.microsoft.icon" \ + "image/x-icon" \ + "text/cache-manifest" \ + "text/css" \ + "text/html" \ + "text/javascript" \ + "text/plain" \ + "text/vcard" \ + "text/vnd.rim.location.xloc" \ + "text/vtt" \ + "text/x-component" \ + "text/x-cross-domain-policy" \ + "text/xml" + + + + AddEncoding gzip svgz + + + + +SSLUseStapling On +SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" 
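Review bot: The `AddOutputFilterByType DEFLATE` list includes `text/html`, `application/json` and `application/xhtml+xml` on a TLS-only vhost that (per the preceding hunk) forwards the client's Authorization header to PHP, which is exactly the setup in which BREACH applies: a compressed response that reflects attacker-controlled request data next to a secret (CSRF token, session identifier) leaks the secret through the TLS record length. Restrict compression to static assets by dropping the HTML/JSON/XML entries, or exclude dynamic responses with `SetEnvIf Request_URI "\.php$" no-gzip` placed before the filter directives. The `FilesMatch`/`IfModule` directives that scope the `ExpiresDefault A31536000` and `Header set Cache-Control "max-age=31536000"` blocks were stripped by this rendering, so I cannot tell which paths they cover; make sure none of them match HTML or any authenticated response, since a one-year cacheable copy of those can be served to the next user of a shared browser or proxy. The vhost this hunk extends starts before the hunk.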
diff --git a/jails/config/hub/pkg-list-details.txt b/jails/config/hub/pkg-list-details.txt
new file mode 100644
index 0000000..1cef954
--- /dev/null
+++ b/jails/config/hub/pkg-list-details.txt
@@ -0,0 +1,29 @@
+pkgp122____openldap24-client-2.4.59_4
+pkgp123____apache24-2.4.53_1
+pkgp123____apr-1.7.0.1.6.1_2
+pkgp123____php81-ldap-8.1.5
+pkgp123____pkg-1.17.5_1
+pkgp123____samba413-4.13.17_1
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____compat9x-amd64-9.3.903000.20170608
+pkgp-freebsd-pkg____fluxbox-1.3.7_5
+pkgp-freebsd-pkg____iperf3-3.11
+pkgp-freebsd-pkg____mc-4.8.28
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____openjdk8-8.322.06.1
+pkgp-freebsd-pkg____p7zip-16.02_3
+pkgp-freebsd-pkg____php81-mysqli-8.1.4_2
+pkgp-freebsd-pkg____php81-pgsql-8.1.4_2
+pkgp-freebsd-pkg____php81-session-8.1.4_2
+pkgp-freebsd-pkg____rename-1.99.2
+pkgp-freebsd-pkg____rkhunter-1.4.6_1
+pkgp-freebsd-pkg____rsync-3.2.3_1
+pkgp-freebsd-pkg____sshguard-2.4.2_2,1
+pkgp-freebsd-pkg____sudo-1.9.10
+pkgp-freebsd-pkg____tigervnc-1.9.0_4
+pkgp-freebsd-pkg____unrar-6.11,6
+pkgp-freebsd-pkg____wget-1.21.3
+pkgp-freebsd-pkg____xauth-1.1
+pkgp-freebsd-pkg____xorriso-1.5.4
+pkgp-freebsd-pkg____xterm-372
diff --git a/jails/config/hub/pkg-list.txt b/jails/config/hub/pkg-list.txt
new file mode 100644
index 0000000..42c5454
--- /dev/null
+++ b/jails/config/hub/pkg-list.txt
@@ -0,0 +1 @@
+apache24 apr bash bash-completion compat9x-amd64 fluxbox iperf3 mc nano openjdk8 openldap24-client p7zip php81-ldap php81-mysqli php81-pgsql php81-session pkg rename rkhunter rsync samba413 sshguard sudo tigervnc unrar wget xauth xorriso xterm
diff --git a/jails/config/hub/pkgp.conf b/jails/config/hub/pkgp.conf
index 7e874ec..86e5a9a 100644
--- a/jails/config/hub/pkgp.conf
+++ b/jails/config/hub/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: { priority: 10 } -pkgp122: { - url: "http://pkgp.ahlawat.com/packages/pj122-default/", +pkgp123: { + url: "http://pkgp.ahlawat.com/packages/pj123-default", mirror_type: "http", signature_type: "pubkey", pubkey: "/mnt/certs/poudriere.cert", diff --git a/jails/config/ibm/pkg-list-details.txt b/jails/config/ibm/pkg-list-details.txt new file mode 100644 index 0000000..4b04ff4 --- /dev/null +++ b/jails/config/ibm/pkg-list-details.txt @@ -0,0 +1,9 @@ +pkgp-freebsd-pkg____automake-1.16.5 +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____cmake-3.22.2 +pkgp-freebsd-pkg____git-lite-2.35.1 +pkgp-freebsd-pkg____hercules-3.13 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____pkg-1.17.5_1 +pkgp-freebsd-pkg____tmux-3.2a diff --git a/jails/config/ibm/pkg-list.txt b/jails/config/ibm/pkg-list.txt new file mode 100644 index 0000000..5d6bd51 --- /dev/null +++ b/jails/config/ibm/pkg-list.txt @@ -0,0 +1 @@ +automake bash bash-completion cmake git-lite hercules nano pkg tmux diff --git a/jails/config/jump/enable-routing.sh b/jails/config/jump/enable-routing.sh deleted file mode 100755 index ad7dfe7..0000000 --- a/jails/config/jump/enable-routing.sh +++ /dev/null @@ -1,7 +0,0 @@ -sysctl net.inet.ip.forwarding=1 -route add 10.1.2.0/24 192.168.55.105 -# on remote - -#sudo sysctl net.ipv4.ip_forward=1 -#ip route add 192.168.0.0/24 via 192.168.55.1 -#OR -#ip route add 192.168.0.0/24 dev tun0 diff --git a/jails/config/jump/pkg-list-details.txt b/jails/config/jump/pkg-list-details.txt new file mode 100644 index 0000000..072a7e1 --- /dev/null +++ b/jails/config/jump/pkg-list-details.txt 
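Review bot: The rewritten repository URL is still plain `http://pkgp.ahlawat.com/packages/pj123-default`; `signature_type: "pubkey"` with `/mnt/certs/poudriere.cert` authenticates the catalog and the package checksums it lists, but as far as I know pkg does not check catalog freshness, so anyone who can tamper with the HTTP path can replay an older signed catalog and hold the jail on stale (possibly vulnerable) builds, besides learning exactly what is installed. Serving the poudriere repo over TLS — `url: "https://pkgp.ahlawat.com/packages/pj123-default",` — closes both gaps at no cost to the existing signature check. The same `pkgp123` block is rewritten identically in `jails/config/ldap/pkgp.conf` and `jails/config/mail/pkgp.conf`, so the change belongs in all three.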
@@ -0,0 +1,10 @@ +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____guacamole-client-1.4.0 +pkgp-freebsd-pkg____guacamole-server-1.4.0 +pkgp-freebsd-pkg____libqrencode-4.1.1 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____openldap-sasl-client-2.4.59 +pkgp-freebsd-pkg____pkg-1.17.5_1 +pkgp-freebsd-pkg____wireguard-2,1 +pkgp-freebsd-pkg____zip-3.0_1 diff --git a/jails/config/jump/pkg-list.txt b/jails/config/jump/pkg-list.txt new file mode 100644 index 0000000..b701cde --- /dev/null +++ b/jails/config/jump/pkg-list.txt @@ -0,0 +1 @@ +bash bash-completion guacamole-client guacamole-server libqrencode nano openldap-sasl-client pkg wireguard zip diff --git a/jails/config/ldap-mgr/config.php.phpldapadmin.github b/jails/config/ldap-mgr/config.php.phpldapadmin.github index b737cfe..6d1b560 100644 --- a/jails/config/ldap-mgr/config.php.phpldapadmin.github +++ b/jails/config/ldap-mgr/config.php.phpldapadmin.github @@ -71,6 +71,31 @@ environments. */ # $config->custom->password['no_random_crypt_salt'] = true; +/* If you want to restrict password available types (encryption algorithms) + Should be subset of: + array( + ''=>'clear', + 'bcrypt'=>'bcrypt', + 'blowfish'=>'blowfish', + 'crypt'=>'crypt', + 'ext_des'=>'ext_des', + 'md5'=>'md5', + 'k5key'=>'k5key', + 'md5crypt'=>'md5crypt', + 'sha'=>'sha', + 'smd5'=>'smd5', + 'ssha'=>'ssha', + 'sha256'=>'sha256', + 'ssha256'=>'ssha256', + 'sha384'=>'sha384', + 'ssha384'=>'ssha384', + 'sha512'=>'sha512', + 'ssha512'=>'ssha512', + 'sha256crypt'=>'sha256crypt', + 'sha512crypt'=>'sha512crypt', + )*/ +# $config->custom->password['available_types'] = array(''=>'clear','md5'=>'md5'); + /* PHP script timeout control. If php runs longer than this many seconds then PHP will stop with an Maximum Execution time error. Increase this value from the default if queries to your LDAP server are slow. The default is either 
@@ -173,6 +198,10 @@ $config->custom->commands['script'] = array( // $config->custom->appearance['tree_width'] = null; # $config->custom->appearance['tree_width'] = 250; +/* Number of tree command icons to show, 0 = show all icons on 1 row. */ +// $config->custom->appearance['tree_icons'] = 0; +# $config->custom->appearance['tree_icons'] = 4; + /* Confirm create and update operations, allowing you to review the changes and optionally skip attributes during the create/update operation. */ // $config->custom->confirm['create'] = true; @@ -235,7 +264,7 @@ $config->custom->appearance['friendly_attrs'] = array( *********************************************/ /* Add "modify group members" link to the attribute. */ -// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid'); +// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser'); /* Configure filter for member search. This only applies to "modify group members" feature */ // $config->custom->modify_member['filter'] = '(objectclass=Person)'; @@ -310,12 +339,13 @@ $servers->setValue('server','base',array('dc=infra')); login will be required to use phpLDAPadmin for this server. 5. 'sasl': login will be taken from the webserver's kerberos authentication. Currently only GSSAPI has been tested (using mod_auth_kerb). + 6. 'sasl_external': login will be taken from SASL external mechanism. Choose wisely to protect your authentication information appropriately for your situation. If you choose 'cookie', your cookie contents will be encrypted using blowfish and the secret your specify above as session['blowfish']. */ -$servers->setValue('login','auth_type','cookie'); +// $servers->setValue('login','auth_type','session'); /* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or 'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS 
@@ -334,6 +364,22 @@ $servers->setValue('login','bind_pass',''); /* Use TLS (Transport Layer Security) to connect to the LDAP server. */ $servers->setValue('server','tls',false); +/* TLS Certificate Authority file (overrides ldap.conf, PHP 7.1+) */ +// $servers->setValue('server','tls_cacert',null); +# $servers->setValue('server','tls_cacert','/etc/openldap/certs/ca.crt'); + +/* TLS Certificate Authority hashed directory (overrides ldap.conf, PHP 7.1+) */ +// $servers->setValue('server','tls_cacertdir',null); +# $servers->setValue('server','tls_cacertdir','/etc/openldap/certs'); + +/* TLS Client Certificate file (PHP 7.1+) */ +// $servers->setValue('server','tls_cert',null); +# $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt'); + +/* TLS Client Certificate Key file (PHP 7.1+) */ +// $servers->setValue('server','tls_key',null); +# $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key'); + /************************************ * SASL Authentication * ************************************/ 
@@ -341,11 +387,19 @@ $servers->setValue('server','tls',false); /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to false), then all other sasl options are ignored. */ -// $servers->setValue('login','auth_type','sasl'); +# $servers->setValue('login','auth_type','sasl'); -/* SASL auth mechanism */ +/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */ // $servers->setValue('sasl','mech','GSSAPI'); +/* SASL PLAIN support... this mech converts simple binds to SASL + PLAIN binds using any auth_type (or other bind_id/pass) as credentials. + NOTE: auth_type must be simple auth compatible (ie not sasl) */ +# $servers->setValue('sasl','mech','PLAIN'); + +/* SASL EXTERNAL support... really a different auth_type */ +# $servers->setValue('login','auth_type','sasl_external'); + /* SASL authentication realm name */ // $servers->setValue('sasl','realm',''); # $servers->setValue('sasl','realm','EXAMPLE.COM'); @@ -400,6 +454,12 @@ $servers->setValue('server','tls',false); setup. */ // $servers->setValue('login','class',array()); +/* If login_attr was set to 'dn', it is possible to specify a template string to + build the DN from. Use '%s' where user input should be inserted. A user may + still enter the complete DN. In this case the template will not be used. */ +// $servers->setValue('login','bind_dn_template',null); +# $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com'); + /* If you specified something different from 'dn', for example 'uid', as the login_attr above, you can optionally specify here to fall back to authentication with dn. 
@@ -420,6 +480,9 @@ $servers->setValue('server','tls',false); /* Set to true if you would like to initially open the first level of each tree. */ // $servers->setValue('appearance','open_tree',false); +/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */ +// $servers->setValue('appearance','show_authz',false); + /* This feature allows phpLDAPadmin to automatically determine the next available uidNumber for a new entry. */ // $servers->setValue('auto_number','enable',true); @@ -556,7 +619,7 @@ $servers->setValue('appearance','show_create',true); $servers->setValue('auto_number','enable',true); $servers->setValue('auto_number','mechanism','search'); $servers->setValue('auto_number','search_base',null); -$servers->setValue('auto_number','min',array('uidNumber'=>10000,'gidNumber'=>5000)); +$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500)); $servers->setValue('auto_number','dn',null); $servers->setValue('auto_number','pass',null); @@ -573,4 +636,19 @@ $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','p $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock')); $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID')); */ + + +/*********************************************************************************** + * If you want to configure Google reCAPTCHA on autentication form, do so below. * + * Remove the commented lines and use this section as a template for all * + * reCAPTCHA v2 Generate on https://www.google.com/recaptcha/ * + * * + * IMPORTANT: Select reCAPTCHA v2 on Type of reCAPTCHA * + ***********************************************************************************/ + + +$config->custom->session['reCAPTCHA-enable'] = false; +$config->custom->session['reCAPTCHA-key-site'] = ''; +$config->custom->session['reCAPTCHA-key-server'] = ''; + ?> 
diff --git a/jails/config/ldap-mgr/httpd.conf b/jails/config/ldap-mgr/httpd.conf index 3a15e45..9dd957d 100644 --- a/jails/config/ldap-mgr/httpd.conf +++ b/jails/config/ldap-mgr/httpd.conf @@ -49,7 +49,7 @@ ServerRoot "/usr/local" # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 -Listen 80 +#Listen 80 # # Dynamic Shared Object (DSO) Support @@ -178,7 +178,7 @@ LoadModule dir_module libexec/apache24/mod_dir.so #LoadModule userdir_module libexec/apache24/mod_userdir.so LoadModule alias_module libexec/apache24/mod_alias.so #LoadModule rewrite_module libexec/apache24/mod_rewrite.so -LoadModule php7_module libexec/apache24/libphp7.so +LoadModule php_module libexec/apache24/libphp.so # Third party modules IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf @@ -214,7 +214,7 @@ Group www # e-mailed. This address appears on some server-generated pages, such # as error documents. e.g. admin@your-domain.com # -ServerAdmin you@example.com +ServerAdmin sharad@ahlawat.com # # ServerName gives the name and port that the server uses to identify itself. @@ -223,7 +223,7 @@ ServerAdmin you@example.com # # If your host doesn't have a registered DNS name, enter its IP address here. # -#ServerName www.example.com:80 +ServerName ldap-mgr.ahlawat.com # # Deny access to the entirety of your server's filesystem. You must @@ -578,7 +578,7 @@ Include etc/apache24/Includes/*.conf Require all granted - Alias /ssp "/usr/local/www/self-service-password" + Alias /ssp "/usr/local/www/self-service-password/htdocs" AllowOverride None Require all granted diff --git a/jails/config/ldap-mgr/php.ini b/jails/config/ldap-mgr/php.ini index dc6bc64..0fc6c5d 100644 --- a/jails/config/ldap-mgr/php.ini +++ b/jails/config/ldap-mgr/php.ini @@ -401,7 +401,7 @@ max_input_time = 60 ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit -memory_limit = 128M +memory_limit = 256M ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Error handling and logging ; 
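Review bot: `Alias /ssp` now maps to `/usr/local/www/self-service-password/htdocs`, which is the right public root, but the `Directory` directive that owns the following `AllowOverride None` / `Require all granted` lines is not visible in this rendering (the angle-bracket tags were stripped), so confirm it was moved to the same `htdocs` path; if it still names the package root, the grant applies to the wrong directory and the alias target falls back to the server-wide `Directory /` policy. A one-line comment above the alias, e.g. `# serve only htdocs/; the package root contains files that must not be web-reachable`, records why the path matters. With `Listen 80` commented out this password-management front end is presumably reachable only through a TLS vhost defined elsewhere, which is appropriate; consider a `Require ip` or authenticated `Require` on the `/ssp` and phpLDAPadmin locations as well, since nothing in this hunk limits who can reach the login forms.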
diff --git a/jails/config/ldap-mgr/pkg-list-details.txt b/jails/config/ldap-mgr/pkg-list-details.txt
new file mode 100644
index 0000000..b187398
--- /dev/null
+++ b/jails/config/ldap-mgr/pkg-list-details.txt
@@ -0,0 +1,9 @@
+pkgp-freebsd-pkg____apache24-2.4.53
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____ldap-account-manager-7.9
+pkgp-freebsd-pkg____mod_php80-8.0.17_1
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____phpldapadmin-php80-1.2.6.3_1
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____self-service-password-php80-1.4_1
diff --git a/jails/config/ldap-mgr/pkg-list.txt b/jails/config/ldap-mgr/pkg-list.txt
new file mode 100644
index 0000000..91d77b6
--- /dev/null
+++ b/jails/config/ldap-mgr/pkg-list.txt
@@ -0,0 +1 @@
+apache24 bash bash-completion ldap-account-manager mod_php80 nano phpldapadmin-php80 pkg self-service-password-php80
diff --git a/jails/config/ldap/pkg-list-details.txt b/jails/config/ldap/pkg-list-details.txt
new file mode 100644
index 0000000..67b4c58
--- /dev/null
+++ b/jails/config/ldap/pkg-list-details.txt
@@ -0,0 +1,7 @@
+pkgp122____openldap24-client-2.4.59_4
+pkgp123____openldap24-server-2.4.59_9
+pkgp123____pkg-1.17.5_1
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____openssl-1.1.1n,1
diff --git a/jails/config/ldap/pkg-list.txt b/jails/config/ldap/pkg-list.txt
new file mode 100644
index 0000000..5c0abc8
--- /dev/null
+++ b/jails/config/ldap/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion nano openldap24-client openldap24-server openssl pkg
diff --git a/jails/config/ldap/pkgp.conf b/jails/config/ldap/pkgp.conf
index 7e874ec..86e5a9a 100644
--- a/jails/config/ldap/pkgp.conf
+++ b/jails/config/ldap/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: { priority: 10 } -pkgp122: { - url: "http://pkgp.ahlawat.com/packages/pj122-default/", +pkgp123: { + url: "http://pkgp.ahlawat.com/packages/pj123-default", mirror_type: "http", signature_type: "pubkey", pubkey: "/mnt/certs/poudriere.cert", diff --git a/jails/config/mage/pkg-list-details.txt b/jails/config/mage/pkg-list-details.txt new file mode 100644 index 0000000..a6c364f --- /dev/null +++ b/jails/config/mage/pkg-list-details.txt @@ -0,0 +1,30 @@ +pkgp-freebsd-pkg____automake-1.16.5 +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____cmake-3.22.2 +pkgp-freebsd-pkg____dbus-1.12.20_5 +pkgp-freebsd-pkg____fluxbox-1.3.7_5 +pkgp-freebsd-pkg____git-lite-2.35.1 +pkgp-freebsd-pkg____libxslt-1.1.35_1 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____perl5-5.32.1_1 +pkgp-freebsd-pkg____pkg-1.17.5_1 +pkgp-freebsd-pkg____py38-IBMQuantumExperience-2.0.4 +pkgp-freebsd-pkg____py38-jupyterlab-3.1.19 +pkgp-freebsd-pkg____py38-matplotlib-3.4.3_3 +pkgp-freebsd-pkg____py38-pandas-1.3.5,1 +pkgp-freebsd-pkg____py38-pep517-0.12.0 +pkgp-freebsd-pkg____py38-pip-20.3.4 +pkgp-freebsd-pkg____py38-scikit-learn-1.0.2 +pkgp-freebsd-pkg____py38-seaborn-0.11.0_1 +pkgp-freebsd-pkg____py38-tensorflow-1.15.5_2 +pkgp-freebsd-pkg____rubygem-pkg-config-1.4.7 +pkgp-freebsd-pkg____rust-1.59.0 +pkgp-freebsd-pkg____sudo-1.9.10 +pkgp-freebsd-pkg____suitesparse-cholmod-3.0.14 +pkgp-freebsd-pkg____suitesparse-umfpack-5.7.9 +pkgp-freebsd-pkg____symengine-0.8.1 +pkgp-freebsd-pkg____tigervnc-server-1.12.0_4 +pkgp-freebsd-pkg____xauth-1.1 +pkgp-freebsd-pkg____xorg-fonts-truetype-7.7_1 +pkgp-freebsd-pkg____xterm-372 diff --git a/jails/config/mage/pkg-list.txt b/jails/config/mage/pkg-list.txt new file mode 100644 index 0000000..851edaf --- /dev/null +++ b/jails/config/mage/pkg-list.txt 
@@ -0,0 +1 @@ +automake bash bash-completion cmake dbus fluxbox git-lite libxslt nano perl5 pkg py38-IBMQuantumExperience py38-jupyterlab py38-matplotlib py38-pandas py38-pep517 py38-pip py38-scikit-learn py38-seaborn py38-tensorflow rubygem-pkg-config rust sudo suitesparse-cholmod suitesparse-umfpack symengine tigervnc-server xauth xorg-fonts-truetype xterm diff --git a/jails/config/mail/pkg-list-details.txt b/jails/config/mail/pkg-list-details.txt new file mode 100644 index 0000000..ccd66f0 --- /dev/null +++ b/jails/config/mail/pkg-list-details.txt @@ -0,0 +1,12 @@ +pkgp122____openldap24-client-2.4.59_4 +pkgp123____dcc-dccd-2.3.168 +pkgp123____dovecot-2.3.18_1 +pkgp123____dovecot-pigeonhole-0.5.18 +pkgp123____pkg-1.17.5_1 +pkgp123____postfix-3.7.0_2,1 +pkgp123____rspamd-3.2_1 +pkgp-freebsd-pkg____apache-solr-8.11.1 +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____redis-6.2.6 diff --git a/jails/config/mail/pkg-list.txt b/jails/config/mail/pkg-list.txt new file mode 100644 index 0000000..511eaf2 --- /dev/null +++ b/jails/config/mail/pkg-list.txt @@ -0,0 +1 @@ +apache-solr bash bash-completion dcc-dccd dovecot dovecot-pigeonhole nano openldap24-client pkg postfix redis rspamd diff --git a/jails/config/mail/pkgp.conf b/jails/config/mail/pkgp.conf index 7e874ec..86e5a9a 100644 --- a/jails/config/mail/pkgp.conf +++ b/jails/config/mail/pkgp.conf @@ -10,8 +10,8 @@ pkgp-freebsd-pkg: { priority: 10 } -pkgp122: { - url: "http://pkgp.ahlawat.com/packages/pj122-default/", +pkgp123: { + url: "http://pkgp.ahlawat.com/packages/pj123-default", mirror_type: "http", signature_type: "pubkey", pubkey: "/mnt/certs/poudriere.cert", diff --git a/jails/config/mail/postfix-reload.sh b/jails/config/mail/postfix-reload.sh new file mode 100755 index 0000000..be880fd --- /dev/null +++ b/jails/config/mail/postfix-reload.sh 
@@ -0,0 +1,14 @@
+#! /bin/sh
+certfiles=$(postconf -n | awk -F " = " '$1 ~ /(cert|key)_file/ {print $2}' | sort -u)
+reload=false
+for f in $certfiles; do
+ if [ -f "$f" ]; then
+ if [ /var/spool/postfix/pid/master.pid -ot "$f" ]; then
+ reload=true
+ fi
+ fi
+done
+if $reload; then
+ echo "postfix master.pid file older than certificates; restart required!"
+ service postfix restart
+fi
diff --git a/jails/config/maps/pkg-list-details.txt b/jails/config/maps/pkg-list-details.txt
new file mode 100644
index 0000000..e4be81b
--- /dev/null
+++ b/jails/config/maps/pkg-list-details.txt
@@ -0,0 +1,7 @@
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____npm-8.5.2
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____pkgconf-1.8.0,1
+pkgp-freebsd-pkg____vips-8.12.2_4
diff --git a/jails/config/maps/pkg-list.txt b/jails/config/maps/pkg-list.txt
new file mode 100644
index 0000000..d7a8b86
--- /dev/null
+++ b/jails/config/maps/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion nano npm pkg pkgconf vips
diff --git a/jails/config/matrix/config.json b/jails/config/matrix/config.json
index ae7c351..1026dd7 100644
--- a/jails/config/matrix/config.json
+++ b/jails/config/matrix/config.json
@@ -1,7 +1,7 @@
 {
 "default_server_config": {
 "m.homeserver": {
- "base_url": "https://matrix.ahlawat.com",
+ "base_url": "https://matrix.ahlawat.com:8448",
 "server_name": "matrix.ahlawat.com"
 },
 "m.identity_server": {
@@ -12,7 +12,7 @@
 "disable_guests": false,
 "disable_login_language_selector": false,
 "disable_3pid_login": false,
- "brand": "Riot",
+ "brand": "Ahlawat",
 "integrations_ui_url": "https://scalar.vector.im/",
 "integrations_rest_url": "https://scalar.vector.im/api",
 "integrations_widgets_urls": [
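Review bot: The awk filter `$1 ~ /(cert|key)_file/` only sees the legacy `*_tls_cert_file` / `*_tls_key_file` parameters; a certificate configured through `smtpd_tls_chain_files` (available since Postfix 3.4, and this jail ships postfix-3.7.0 per its pkg list) never matches, so a renewal there will not trigger the restart. Widen the pattern and split the comma-separated list that `chain_files` takes: `certfiles=$(postconf -n | awk -F " = " '$1 ~ /(cert|key)_file$|_chain_files$/ {print $2}' | tr ',' ' ' | sort -u)`. `service postfix restart` also tears down in-flight SMTP sessions; Postfix's TLS_README documents `postfix reload` as sufficient for newly spawned smtpd/smtp processes to pick up a renewed certificate, so `service postfix reload` is the gentler choice unless a full restart was found to be necessary here, in which case a comment saying so belongs above it. Word-splitting `$certfiles` in the `for` loop breaks on paths containing spaces, which is unlikely for these files but worth a one-line note.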
@@ -22,23 +22,19 @@ "https://scalar-staging.vector.im/api", "https://scalar-staging.riot.im/scalar/api" ], - "bug_report_endpoint_url": "https://riot.im/bugreports/submit", + "bug_report_endpoint_url": "https://element.io/bugreports/submit", + "uisi_autorageshake_app": "element-auto-uisi", "defaultCountryCode": "US", "showLabsSettings": false, - "features": { - "feature_pinning": "labs", - "feature_custom_status": "labs", - "feature_custom_tags": "labs", - "feature_state_counters": "labs" - }, + "features": { }, "default_federate": true, "default_theme": "light", "roomDirectory": { "servers": [ + "matrix.ahlawat.com", "matrix.org" ] }, - "welcomeUserId": "@riot-bot:matrix.org", "piwik": { "url": "https://piwik.riot.im/", "whitelistedHSUrls": ["https://matrix.org"], @@ -54,5 +50,6 @@ }, "jitsi": { "preferredDomain": "meet.ahlawat.com" - } + }, + "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx" } diff --git a/jails/config/matrix/nginx.conf b/jails/config/matrix/nginx.conf index 91c9604..131c3ba 100644 --- a/jails/config/matrix/nginx.conf +++ b/jails/config/matrix/nginx.conf @@ -146,7 +146,7 @@ http { #location /favicon.ico { access_log off; log_not_found off; } - root /usr/local/www/riot; + root /usr/local/www/element; index index.html; #error_page 404 /404.html; diff --git a/jails/config/matrix/pkg-list-details.txt b/jails/config/matrix/pkg-list-details.txt new file mode 100644 index 0000000..a3204dc --- /dev/null +++ b/jails/config/matrix/pkg-list-details.txt @@ -0,0 +1,9 @@ +pkgp-freebsd-pkg____bash-5.1.16 +pkgp-freebsd-pkg____bash-completion-2.11_1,2 +pkgp-freebsd-pkg____element-web-1.10.8 +pkgp-freebsd-pkg____nano-6.0 +pkgp-freebsd-pkg____nginx-1.20.2_9,2 +pkgp-freebsd-pkg____pkg-1.17.5_1 +pkgp-freebsd-pkg____py38-matrix-synapse-1.55.2 +pkgp-freebsd-pkg____py38-matrix-synapse-ldap3-0.2.0 +pkgp-freebsd-pkg____py38-psycopg2-2.9.3 
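Review bot: The new `map_style_url` embeds a MapTiler API key as a `key=` query parameter in a file that is committed to this repo and served verbatim to every Element client, so it is public by construction. That is how client-side map keys are meant to work, but it only stays safe if the key is restricted to the `matrix.ahlawat.com` origin in the MapTiler account and is treated as rotatable rather than secret; if it was created without an origin restriction, anyone who reads this repo can spend its quota. JSON cannot carry a comment, so record the restriction (and where to rotate the key) in the jail's README or the commit message. Dropping `welcomeUserId` and the labs `features` does not change any trust boundary.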
diff --git a/jails/config/matrix/pkg-list.txt b/jails/config/matrix/pkg-list.txt
new file mode 100644
index 0000000..11d856e
--- /dev/null
+++ b/jails/config/matrix/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion element-web nano nginx pkg py38-matrix-synapse py38-matrix-synapse-ldap3 py38-psycopg2
diff --git a/jails/config/meet/pkg-list-details.txt b/jails/config/meet/pkg-list-details.txt
new file mode 100644
index 0000000..4018bdc
--- /dev/null
+++ b/jails/config/meet/pkg-list-details.txt
@@ -0,0 +1,9 @@
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____jicofo-1.0.555_2
+pkgp-freebsd-pkg____jitsi-meet-1.0.4048_2
+pkgp-freebsd-pkg____jitsi-videobridge-2.1.183_3
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____nginx-1.20.2_9,2
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____prosody-0.12.0
diff --git a/jails/config/meet/pkg-list.txt b/jails/config/meet/pkg-list.txt
new file mode 100644
index 0000000..c54bd3d
--- /dev/null
+++ b/jails/config/meet/pkg-list.txt
@@ -0,0 +1 @@
+bash bash-completion jicofo jitsi-meet jitsi-videobridge nano nginx pkg prosody
diff --git a/jails/config/monitor/grafana.conf b/jails/config/monitor/grafana.conf
deleted file mode 100644
index 92143cd..0000000
--- a/jails/config/monitor/grafana.conf
+++ /dev/null
@@ -1,549 +0,0 @@
-##################### Grafana Configuration Example #####################
-#
-# Everything has defaults so you only need to uncomment things you want to
-# change
-
-# possible values : production, development
-;app_mode = production
-
-# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
-;instance_name = ${HOSTNAME}
-instance_name = grafana.diyit.org
-
-#################################### Paths ####################################
-[paths]
-# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
-data = /var/db/grafana/
-
-# Temporary files in `data` directory older than given duration will be removed
-;temp_data_lifetime = 24h
-
-# Directory where grafana can store logs
-logs = /var/log/grafana/
-
-# Directory where grafana will automatically scan and look for plugins
-plugins = /var/db/grafana/plugins
-
-# folder that contains provisioning config files that grafana will apply on startup and while running.
-provisioning = /var/db/grafana/provisioning
-
-#################################### Server ####################################
-[server]
-# Protocol (http, https, socket)
-protocol = https
-
-# The ip address to bind to, empty will bind to all interfaces
-;http_addr =
-
-# The http port to use
-;http_port = 3000
-
-# The public facing domain name used to access grafana from a browser
-;domain = localhost
-
-# Redirect to correct domain if host header does not match domain
-# Prevents DNS rebinding attacks
-enforce_domain = false
-
-# The full public facing url you use in browser, used for redirects and emails
-# If you use reverse proxy and sub path specify full url (with sub path)
-root_url = https://grafana.diyit.org
-
-# Log web requests
-;router_logging = false
-
-# the path relative working path
-;static_root_path = public
-
-# enable gzip
-;enable_gzip = false
-
-# https certs & key file
-cert_file = /mnt/certs/diyfullchain.pem
-cert_key =/mnt/certs/diyprivkeyr.pem
-
-# Unix socket path
-;socket =
-
-#################################### Database ####################################
-[database]
-# You can configure the database connection by specifying type, host, name, user and password
-# as separate properties or as on string using the url properties.
-
-# Either "mysql", "postgres" or "sqlite3", it's your choice
-;type = sqlite3
-;host = 127.0.0.1:3306
-;name = grafana
-;user = root
-# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-;password =
-
-# Use either URL or the previous fields to configure the database
-# Example: mysql://user:secret@host:port/database
-;url =
-
-# For "postgres" only, either "disable", "require" or "verify-full"
-;ssl_mode = disable
-
-# For "sqlite3" only, path relative to data_path setting
-;path = grafana.db
-
-# Max idle conn setting default is 2
-;max_idle_conn = 2
-
-# Max conn setting default is 0 (mean not set)
-;max_open_conn =
-
-# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
-;conn_max_lifetime = 14400
-
-# Set to true to log the sql calls and execution times.
-log_queries =
-
-# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
-;cache_mode = private
-
-#################################### Cache server #############################
-[remote_cache]
-# Either "redis", "memcached" or "database" default is "database"
-;type = database
-
-# cache connectionstring options
-# database: will use Grafana primary database.
-# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
-# memcache: 127.0.0.1:11211
-;connstr =
-
-#################################### Session ####################################
-[session]
-# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
-;provider = file
-
-# Provider config options
-# memory: not have any config yet
-# file: session dir path, is relative to grafana data_path
-# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
-# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
-# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
-;provider_config = sessions
-
-# Session cookie name
-;cookie_name = grafana_sess
-
-# If you use session in https only, default is false
-;cookie_secure = false
-
-# Session life time, default is 86400 (means 86400 seconds or 24 hours)
-;session_life_time = 86400
-
-#################################### Data proxy ###########################
-[dataproxy]
-
-# This enables data proxy logging, default is false
-;logging = false
-
-# How long the data proxy should wait before timing out default is 30 (seconds)
-;timeout = 30
-
-# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
-;send_user_header = false
-
-#################################### Analytics ####################################
-[analytics]
-# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
-# No ip addresses are being tracked, only simple counters to track
-# running instances, dashboard and error counts. It is very helpful to us.
-# Change this option to false to disable reporting.
-;reporting_enabled = true
-
-# Set to false to disable all checks to https://grafana.net
-# for new vesions (grafana itself and plugins), check is used
-# in some UI views to notify that grafana or plugin update exists
-# This option does not cause any auto updates, nor send any information
-# only a GET request to http://grafana.com to get latest versions
-;check_for_updates = true
-
-# Google Analytics universal tracking code, only enabled if you specify an id here
-;google_analytics_ua_id =
-
-# Google Tag Manager ID, only enabled if you specify an id here
-;google_tag_manager_id =
-
-#################################### Security ####################################
-[security]
-# default admin user, created on startup
-;admin_user = admin
-
-# default admin password, can be changed before first start of grafana, or in profile settings
-;admin_password = admin
-
-# used for signing
-;secret_key = SW2YcwTIb9zpOOhoPsMm
-
-# disable gravatar profile images
-;disable_gravatar = false
-
-# data source proxy whitelist (ip_or_domain:port separated by spaces)
-;data_source_proxy_whitelist =
-
-# disable protection against brute force login attempts
-;disable_brute_force_login_protection = false
-
-# set to true if you host Grafana behind HTTPS. default is false.
-cookie_secure = true
-
-# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict" and "none"
-cookie_samesite = none
-
-allow_embedding = true
-
-#################################### Snapshots ###########################
-[snapshots]
-# snapshot sharing options
-;external_enabled = true
-;external_snapshot_url = https://snapshots-origin.raintank.io
-;external_snapshot_name = Publish to snapshot.raintank.io
-
-# remove expired snapshot
-;snapshot_remove_expired = true
-
-#################################### Dashboards History ##################
-[dashboards]
-# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
-;versions_to_keep = 20
-
-#################################### Users ###############################
-[users]
-# disable user signup / registration
-;allow_sign_up = true
-
-# Allow non admin users to create organizations
-;allow_org_create = true
-
-# Set to true to automatically assign new users to the default organization (id 1)
-;auto_assign_org = true
-
-# Default role new users will be automatically assigned (if disabled above is set to true)
-;auto_assign_org_role = Viewer
-
-# Background text for the user field on the login page
-;login_hint = email or username
-;password_hint = password
-
-# Default UI theme ("dark" or "light")
-;default_theme = dark
-
-# External user management, these options affect the organization users view
-;external_manage_link_url =
-;external_manage_link_name =
-;external_manage_info =
-
-# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
-;viewers_can_edit = false
-
-# Editors can administrate dashboard, folders and teams they create
-;editors_can_admin = false
-
-[auth]
-# Login cookie name
-;login_cookie_name = grafana_session
-
-# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days,
-;login_maximum_inactive_lifetime_days = 7
-
-# The maximum lifetime (days) an authenticated user can be logged in since login time before being required to login. Default is 30 days.
-;login_maximum_lifetime_days = 30
-
-# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
-;token_rotation_interval_minutes = 10
-
-# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
-;disable_login_form = false
-
-# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
-;disable_signout_menu = false
-
-# URL to redirect the user to after sign out
-;signout_redirect_url =
-
-# Set to true to attempt login with OAuth automatically, skipping the login screen.
-# This setting is ignored if multiple OAuth providers are configured.
-;oauth_auto_login = false
-
-#################################### Anonymous Auth ######################
-[auth.anonymous]
-# enable anonymous access
-;enabled = false
-
-# specify organization name that should be used for unauthenticated users
-;org_name = Main Org.
-
-# specify role for unauthenticated users
-;org_role = Viewer
-
-#################################### Github Auth ##########################
-[auth.github]
-;enabled = false
-;allow_sign_up = true
-;client_id = some_id
-;client_secret = some_secret
-;scopes = user:email,read:org
-;auth_url = https://github.com/login/oauth/authorize
-;token_url = https://github.com/login/oauth/access_token
-;api_url = https://api.github.com/user
-;team_ids =
-;allowed_organizations =
-
-#################################### Google Auth ##########################
-[auth.google]
-;enabled = false
-;allow_sign_up = true
-;client_id = some_client_id
-;client_secret = some_client_secret
-;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
-;auth_url = https://accounts.google.com/o/oauth2/auth
-;token_url = https://accounts.google.com/o/oauth2/token
-;api_url = https://www.googleapis.com/oauth2/v1/userinfo
-;allowed_domains =
-
-#################################### Generic OAuth ##########################
-[auth.generic_oauth]
-;enabled = false
-;name = OAuth
-;allow_sign_up = true
-;client_id = some_id
-;client_secret = some_secret
-;scopes = user:email,read:org
-;auth_url = https://foo.bar/login/oauth/authorize
-;token_url = https://foo.bar/login/oauth/access_token
-;api_url = https://foo.bar/user
-;team_ids =
-;allowed_organizations =
-;tls_skip_verify_insecure = false
-;tls_client_cert =
-;tls_client_key =
-;tls_client_ca =
-
-; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
-; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
-;send_client_credentials_via_post = false
-
-#################################### Grafana.com Auth ####################
-[auth.grafana_com]
-;enabled = false
-;allow_sign_up = true
-;client_id = some_id
-;client_secret = some_secret
-;scopes = user:email
-;allowed_organizations =
-
-#################################### Auth Proxy ##########################
-[auth.proxy]
-;enabled = false
-;header_name = X-WEBAUTH-USER
-;header_property = username
-;auto_sign_up = true
-;ldap_sync_ttl = 60
-;whitelist = 192.168.1.1, 192.168.2.1
-;headers = Email:X-User-Email, Name:X-User-Name
-
-#################################### Basic Auth ##########################
-[auth.basic]
-;enabled = true
-
-#################################### Auth LDAP ##########################
-[auth.ldap]
-;enabled = false
-;config_file = /etc/grafana/ldap.toml
-;allow_sign_up = true
-
-#################################### SMTP / Emailing ##########################
-[smtp]
-;enabled = false
-;host = localhost:25
-;user =
-# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
-;password =
-;cert_file =
-;key_file =
-;skip_verify = false
-;from_address = admin@grafana.localhost
-;from_name = Grafana
-# EHLO identity in SMTP dialog (defaults to instance_name)
-;ehlo_identity = dashboard.example.com
-
-[emails]
-;welcome_email_on_sign_up = false
-
-#################################### Logging ##########################
-[log]
-# Either "console", "file", "syslog". Default is console and file
-# Use space to separate multiple modes, e.g. "console file"
-;mode = console file
-
-# Either "debug", "info", "warn", "error", "critical", default is "info"
-;level = info
-
-# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
-;filters =
-
-# For "console" mode only
-[log.console]
-;level =
-
-# log line format, valid options are text, console and json
-;format = console
-
-# For "file" mode only
-[log.file]
-;level =
-
-# log line format, valid options are text, console and json
-;format = text
-
-# This enables automated log rotate(switch of following options), default is true
-;log_rotate = true
-
-# Max line number of single file, default is 1000000
-;max_lines = 1000000
-
-# Max size shift of single file, default is 28 means 1 << 28, 256MB
-;max_size_shift = 28
-
-# Segment log daily, default is true
-;daily_rotate = true
-
-# Expired days of log file(delete after max days), default is 7
-;max_days = 7
-
-[log.syslog]
-;level =
-
-# log line format, valid options are text, console and json
-;format = text
-
-# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
-;network =
-;address =
-
-# Syslog facility. user, daemon and local0 through local7 are valid.
-;facility =
-
-# Syslog tag. By default, the process' argv[0] is used.
-;tag =
-
-#################################### Alerting ############################
-[alerting]
-# Disable alerting engine & UI features
-;enabled = true
-# Makes it possible to turn off alert rule execution but alerting UI is visible
-;execute_alerts = true
-
-# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
-;error_or_timeout = alerting
-
-# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
-;nodata_or_nullvalues = no_data
-
-# Alert notifications can include images, but rendering many images at the same time can overload the server
-# This limit will protect the server from render overloading and make sure notifications are sent out quickly
-;concurrent_render_limit = 5
-
-
-# Default setting for alert calculation timeout. Default value is 30
-;evaluation_timeout_seconds = 30
-
-# Default setting for alert notification timeout. Default value is 30
-;notification_timeout_seconds = 30
-
-# Default setting for max attempts to sending alert notifications. Default value is 3
-;max_attempts = 3
-
-#################################### Explore #############################
-[explore]
-# Enable the Explore section
-;enabled = true
-
-#################################### Internal Grafana Metrics ##########################
-# Metrics available at HTTP API Url /metrics
-[metrics]
-# Disable / Enable internal metrics
-;enabled = true
-
-# Publish interval
-;interval_seconds = 10
-
-# Send internal metrics to Graphite
-[metrics.graphite]
-# Enable by setting the address setting (ex localhost:2003)
-;address =
-;prefix = prod.grafana.%(instance_name)s.
-
-#################################### Distributed tracing ############
-[tracing.jaeger]
-# Enable by setting the address sending traces to jaeger (ex localhost:6831)
-;address = localhost:6831
-# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
-;always_included_tag = tag1:value1
-# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
-;sampler_type = const
-# jaeger samplerconfig param
-# for "const" sampler, 0 or 1 for always false/true respectively
-# for "probabilistic" sampler, a probability between 0 and 1
-# for "rateLimiting" sampler, the number of spans per second
-# for "remote" sampler, param is the same as for "probabilistic"
-# and indicates the initial sampling rate before the actual one
-# is received from the mothership
-;sampler_param = 1
-
-#################################### Grafana.com integration ##########################
-# Url used to import dashboards directly from Grafana.com
-[grafana_com]
-;url = https://grafana.com
-
-#################################### External image storage ##########################
-[external_image_storage]
-# Used for uploading images to public servers so they can be included in slack/email messages.
-# you can choose between (s3, webdav, gcs, azure_blob, local)
-;provider =
-
-[external_image_storage.s3]
-;bucket =
-;region =
-;path =
-;access_key =
-;secret_key =
-
-[external_image_storage.webdav]
-;url =
-;public_url =
-;username =
-;password =
-
-[external_image_storage.gcs]
-;key_file =
-;bucket =
-;path =
-
-[external_image_storage.azure_blob]
-;account_name =
-;account_key =
-;container_name =
-
-[external_image_storage.local]
-# does not require any configuration
-
-[rendering]
-# Options to configure external image rendering server like https://github.com/grafana/grafana-image-renderer
-;server_url =
-;callback_url =
-
-[enterprise]
-# Path to a valid Grafana Enterprise license.jwt file
-;license_path =
-
-[panels]
-;enable_alpha = false
-# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
-;disable_sanitize_html = false
-
diff --git a/jails/config/monitor/grafana.ini b/jails/config/monitor/grafana.ini
new file mode 100644
index 0000000..e6cbf98
--- /dev/null
+++ b/jails/config/monitor/grafana.ini
@@ -0,0 +1,1083 @@
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+instance_name = grafana.diyit.org
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+data = /var/db/grafana
+
+# Temporary files in `data` directory older than given duration will be removed
+temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+plugins = /var/db/grafana/plugins
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+provisioning = /usr/local/etc/grafana/provisioning
+
+#################################### Server ####################################
+[server]
+# Protocol (http, https, h2, socket)
+protocol = h2
+
+# The ip address to bind to, empty will bind to all interfaces
+;http_addr =
+
+# The http port to use
+;http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+;domain = localhost
+domain = grafana.diyit.org
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+enforce_domain = false
+
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+;root_url = %(protocol)s://%(domain)s:%(http_port)s/
+root_url = https://grafana.diyit.org/
+
+# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
+;serve_from_sub_path = false
+
+# Log web requests
+;router_logging = false
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+enable_gzip = true
+
+# https certs & key file
+cert_file = /mnt/certs/diyfullchain.pem
+cert_key =/mnt/certs/diyprivkeyr.pem
+
+# Unix socket path
+;socket =
+
+# CDN Url
+;cdn_url =
+
+# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
+# `0` means there is no timeout for reading the request.
+;read_timeout = 0
+
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host = 127.0.0.1:3306
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+;url =
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+
+# Database drivers may support different transaction isolation levels.
+# Currently, only "mysql" driver supports isolation levels.
+# If the value is empty - driver's default isolation level is applied.
+# For "mysql" use "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".
+;isolation_level =
+
+;ca_cert_path =
+;client_key_path =
+;client_cert_path =
+;server_cert_name =
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+;log_queries =
+
+# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
+;cache_mode = private
+
+################################### Data sources #########################
+[datasources]
+# Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.
+;datasource_limit = 5000
+
+#################################### Cache server #############################
+[remote_cache]
+# Either "redis", "memcached" or "database" default is "database"
+;type = database
+
+# cache connectionstring options
+# database: will use Grafana primary database.
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
+# memcache: 127.0.0.1:11211
+;connstr =
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+;logging = false
+
+# How long the data proxy waits to read the headers of the response before timing out, default is 30 seconds.
+# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
+;timeout = 30
+
+# How long the data proxy waits to establish a TCP connection before timing out, default is 10 seconds.
+;dialTimeout = 10
+
+# How many seconds the data proxy waits before sending a keepalive probe request.
+;keep_alive_seconds = 30
+
+# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
+;tls_handshake_timeout_seconds = 10
+
+# How many seconds the data proxy will wait for a server's first response headers after
+# fully writing the request headers if the request has an "Expect: 100-continue"
+# header. A value of 0 will result in the body being sent immediately, without
+# waiting for the server to approve.
+;expect_continue_timeout_seconds = 1
+
+# Optionally limits the total number of connections per host, including connections in the dialing,
+# active, and idle states. On limit violation, dials will block.
+# A value of zero (0) means no limit.
+;max_conns_per_host = 0
+
+# The maximum number of idle connections that Grafana will keep alive.
+;max_idle_connections = 100
+
+# How many seconds the data proxy keeps an idle connection open before timing out.
+;idle_conn_timeout_seconds = 90
+
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
+;send_user_header = false
+
+# Limit the amount of bytes that will be read/accepted from responses of outgoing HTTP requests.
+;response_limit = 0
+
+# Limits the number of rows that Grafana will process from SQL data sources.
+;row_limit = 1000000
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+
+# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
+;reporting_distributor = grafana-labs
+
+# Set to false to disable all checks to https://grafana.net
+# for new versions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to http://grafana.com to get latest versions
+;check_for_updates = true
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+# Google Tag Manager ID, only enabled if you specify an id here
+;google_tag_manager_id =
+
+#################################### Security ####################################
+[security]
+# disable creation of admin user on first start of grafana
+;disable_initial_admin_creation = false
+
+# default admin user, created on startup
+;admin_user = admin
+
+# default admin password, can be changed before first start of grafana, or in profile settings
+;admin_password = admin
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# current key provider used for envelope encryption, default to static value specified by secret_key
+;encryption_provider = secretKey
+
+# list of configured key providers, space separated (Enterprise only): e.g., awskms.v1 azurekv.v1
+;available_encryption_providers =
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
+# set to true if you host Grafana behind HTTPS. default is false.
+;cookie_secure = false
+
+# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
+;cookie_samesite = lax
+
+# set to true if you want to allow browsers to render Grafana in a ,