apr 19 update

Sharad Ahlawat
2022-04-19 13:38:56 -07:00
parent a0a9496aef
commit 18dd3d9761
208 changed files with 12435 additions and 1112 deletions


@ -1,6 +1,6 @@
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
# $FreeBSD: releng/12.2/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
#
#group: compat
group: files ldap


@ -0,0 +1,6 @@
pkgp122____netatalk3-3.1.12_4,1
pkgp123____nss-pam-ldapd-sasl-0.9.12_1
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1


@ -0,0 +1 @@
bash bash-completion nano netatalk3 nss-pam-ldapd-sasl pkg


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
pkgp123: {
url: "http://pkgp.ahlawat.com/packages/pj123-default",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -1,5 +1,5 @@
#
# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
# $FreeBSD: releng/12.2/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#


@ -0,0 +1,14 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____mc-4.8.28
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____nginx-1.20.2_9,2
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____postgresql14-client-14.2
pkgp-freebsd-pkg____py38-ansible-5.5.0
pkgp-freebsd-pkg____py38-django32-3.2.12
pkgp-freebsd-pkg____py38-gunicorn-20.1.0
pkgp-freebsd-pkg____py38-pillow-9.0.1_1
pkgp-freebsd-pkg____py38-pip-20.3.4
pkgp-freebsd-pkg____py38-tkinter-3.8.13_6
pkgp-freebsd-pkg____sudo-1.9.10


@ -0,0 +1 @@
bash bash-completion mc nano nginx pkg postgresql14-client py38-ansible py38-django32 py38-gunicorn py38-pillow py38-pip py38-tkinter sudo


@ -1,6 +1,4 @@
#!/bin/sh
# Copyright (c) 2018-2021, diyIT.org
# Copyright (c) 2018-2022, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -8,6 +6,8 @@
#
#
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: cpsserver
# REQUIRE: NETWORKING DAEMON
@ -19,7 +19,8 @@
name=cpsserver
rcvar=${name}_enable
CPSSERVER="nohup /usr/local/bin/python3.7 /data/calibre-web/cps.py"
#CPSSERVER="nohup /usr/local/bin/python3.8 /data/calibre-web/cps.py"
CPSSERVER="nohup /usr/local/bin/cps"
start_cmd="${name}_start"
stop_cmd="${name}_stop"
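Review bot: If I read the first two hunks correctly, `#!/bin/sh` is removed from line 1 and re-added below the licence header, next to the rcorder keywords. An interpreter line is only honoured when it is the first line of the file, so after this change the script relies on its caller falling back to `sh` when it is executed directly; the new `acmedns` script in this commit keeps the shebang on line 1. I would keep `#!/bin/sh` as the first line and leave the licence block below it. The start and stop functions lie outside the visible hunks, so how `CPSSERVER` is used is not reviewed here.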


@ -0,0 +1,10 @@
pkgp123____libxml2-2.9.13_2
pkgp123____libxslt-1.1.35_3
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____py38-ldap-3.4.0
pkgp-freebsd-pkg____py38-pip-20.3.4
pkgp-freebsd-pkg____py38-sqlite3-3.8.13_7
pkgp-freebsd-pkg____rust-1.59.0


@ -0,0 +1 @@
bash bash-completion libxml2 libxslt nano pkg py38-ldap py38-pip py38-sqlite3 rust


@ -0,0 +1,20 @@
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
enabled: no
}
pkgp-freebsd-pkg: {
url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
mirror_type: "http",
enabled: yes,
priority: 10
}
pkgp123: {
url: "http://pkgp.ahlawat.com/packages/pj123-default",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
enabled: yes,
priority: 100
}
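Review bot: The `pkgp-freebsd-pkg` repository is fetched over plain `http://` and, unlike `pkgp123`, declares no `signature_type`, so pkg has nothing to verify its catalogue or packages against. Almost every entry in the package lists of this commit resolves from that repository, so the integrity of the jails rests on the network path to the mirror. I would add a signature to this block as well: `signature_type: "pubkey"` with `pubkey: "<path to the mirror's public key>"` (placeholder path) if the mirror is built locally, or, if the host is a caching proxy of the official repository, `signature_type: "fingerprints"` with `fingerprints: "/usr/share/keys/pkg"` as in the stock FreeBSD.conf. The same repository block shows up as context in the earlier hunk that renames `pkgp122` to `pkgp123`.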


@ -0,0 +1,11 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____calibre-5.40.0
pkgp-freebsd-pkg____fluxbox-1.3.7_5
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____sudo-1.9.10
pkgp-freebsd-pkg____tigervnc-server-1.12.0_4
pkgp-freebsd-pkg____xauth-1.1
pkgp-freebsd-pkg____xpdf-4.03_1,1
pkgp-freebsd-pkg____xterm-372


@ -0,0 +1 @@
bash bash-completion calibre fluxbox nano pkg sudo tigervnc-server xauth xpdf xterm


@ -0,0 +1,7 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____curl-7.82.0
pkgp-freebsd-pkg____motion-4.3.2_3
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____py27-pip-20.2.3


@ -0,0 +1 @@
bash bash-completion curl motion nano pkg py27-pip

44
jails/config/cert/acmedns Executable file

@ -0,0 +1,44 @@
#!/bin/sh
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: acmedns
# REQUIRE: NETWORKING DAEMON
. /etc/rc.subr
: ${acmedns_enable="NO"}
name=acmedns
rcvar=${name}_enable
ACMEDNS="/usr/local/bin/acme-dns"
start_cmd="${name}_start"
stop_cmd="${name}_stop"
restart_cmd="${name}_restart"
acmedns_start()
{
$ACMEDNS -c /etc/acme-dns/config.cfg &
}
acmedns_stop()
{
ps ax | grep -ie acme-dns | grep -v grep | awk '{print $1}' | xargs kill -9
}
acmedns_restart()
{
acmedns_stop
acmedns_start
}
load_rc_config ${name}
run_rc_command "$1"
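Review bot: `acmedns_stop` finds its target by grepping `ps ax` for `acme-dns` and sends SIGKILL to every match, which also hits unrelated processes whose command line contains that string (an editor open on `/etc/acme-dns/config.cfg`, for example) and gives the daemon no chance to close its sqlite database cleanly. `acmedns_start` backgrounds the binary with `&` and records no pid, so rc.subr has nothing to check for `status` and nothing precise to signal. Letting rc.subr manage the process through daemon(8) and a pidfile makes the three hand-written functions unnecessary and stops the service with SIGTERM; the sketch below shows the variables I would set instead. `load_rc_config ${name}` should also quote its argument.

```shell
name=acmedns
rcvar=${name}_enable
pidfile="/var/run/${name}.pid"
procname="/usr/local/bin/acme-dns"
command="/usr/sbin/daemon"
command_args="-f -p ${pidfile} ${procname} -c /etc/acme-dns/config.cfg"
# … unchanged: load_rc_config / run_rc_command …
```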


@ -0,0 +1,65 @@
[general]
# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
# In this case acme-dns will error out and you will need to define the listening interface
# for example: listen = "127.0.0.1:53"
listen = "0.0.0.0:53"
# protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
protocol = "both4"
# domain name to serve the requests off of
domain = "dns-auth.ahlawat.com"
# zone name server
nsname = "dns-auth.ahlawat.com"
# admin email address, where @ is substituted with .
nsadmin = "sharad.ahlawat.com"
# predefined records served in addition to the TXT
records = [
# domain pointing to the public IP of your acme-dns server
"dns-auth.ahlawat.com. A 216.139.40.20",
# specify that auth.example.org will resolve any *.auth.example.org records
"dns-auth.ahlawat.com. NS dns-auth.ahlawat.com.",
]
# debug messages from CORS etc
debug = false
[database]
# Database engine to use, sqlite3 or postgres
engine = "sqlite3"
# Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
connection = "/usr/local/lib/acme-dns/acme-dns.db"
# connection = "postgres://user:password@localhost/acmedns_db"
[api]
# listen ip eg. 127.0.0.1
ip = "0.0.0.0"
# disable registration endpoint
disable_registration = false
# listen port, eg. 443 for default HTTPS
port = "443"
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "cert"
# only used if tls = "cert"
tls_cert_privkey = "/mnt/certs/privkey.pem"
tls_cert_fullchain = "/mnt/certs/fullchain.pem"
# only used if tls = "letsencrypt"
acme_cache_dir = "api-certs"
# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
notification_email = ""
# CORS AllowOrigins, wildcards can be used
corsorigins = [
"*"
]
# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"
[logconfig]
# logging level: "error", "warning", "info" or "debug"
loglevel = "debug"
# possible values: stdout, TODO file & integrations
logtype = "stdout"
# file path for logfile TODO
# logfile = "./acme-dns.log"
# format, either "json" or "text"
logformat = "text"
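Review bot: The API listens on every interface (`ip = "0.0.0.0"`) with `disable_registration = false`, so any client that can reach port 443 can create accounts on this acme-dns instance. Registration is normally only needed while the ACME clients are being enrolled; after that I would set `disable_registration = true`, or bind `ip` to the address the clients actually use. `loglevel = "debug"` and the wildcard in `corsorigins` are also looser than a long-running service needs; `loglevel = "info"` and an explicit origin list would be my suggestion. The second acme-dns config added in this commit carries the same three settings.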


@ -0,0 +1,65 @@
[general]
# DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
# In this case acme-dns will error out and you will need to define the listening interface
# for example: listen = "127.0.0.1:53"
listen = "0.0.0.0:53"
# protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
protocol = "both"
# domain name to serve the requests off of
domain = "dns-auth.ahlawat.com"
# zone name server
nsname = "dns-auth.ahlawat.com"
# admin email address, where @ is substituted with .
nsadmin = "sharad.ahlawat.com"
# predefined records served in addition to the TXT
records = [
# domain pointing to the public IP of your acme-dns server
"dns-auth.ahlawat.com. A 216.139.40.20",
# specify that auth.example.org will resolve any *.auth.example.org records
"dns-auth.ahlawat.com. NS dns-auth.ahlawat.com.",
]
# debug messages from CORS etc
debug = false
[database]
# Database engine to use, sqlite3 or postgres
engine = "sqlite3"
# Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
# Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
connection = "/usr/local/lib/acme-dns/acme-dns.db"
# connection = "postgres://user:password@localhost/acmedns_db"
[api]
# listen ip eg. 127.0.0.1
ip = "0.0.0.0"
# disable registration endpoint
disable_registration = false
# listen port, eg. 443 for default HTTPS
port = "80"
# possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
tls = "none"
# only used if tls = "cert"
tls_cert_privkey = "/mnt/certs/privkey.pem"
tls_cert_fullchain = "/mnt/certs/fullchain.pem"
# only used if tls = "letsencrypt"
acme_cache_dir = "api-certs"
# optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
notification_email = ""
# CORS AllowOrigins, wildcards can be used
corsorigins = [
"*"
]
# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"
[logconfig]
# logging level: "error", "warning", "info" or "debug"
loglevel = "debug"
# possible values: stdout, TODO file & integrations
logtype = "stdout"
# file path for logfile TODO
# logfile = "./acme-dns.log"
# format, either "json" or "text"
logformat = "text"
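Review bot: This variant serves the API with `port = "80"` and `tls = "none"` while still binding `ip = "0.0.0.0"`, so the `X-Api-Key` credentials and the TXT updates they authorise are sent in clear text on whatever network reaches this port. If TLS is meant to be terminated by a front-end proxy (a comment in the Apache config of this commit mentions haproxy), the plain-HTTP listener should not be reachable directly; binding it to the address the proxy uses, for example `ip = "127.0.0.1"` when the proxy is on the same host, would enforce that. A short comment above `tls = "none"` saying which proxy provides TLS would help the next reader.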


@ -0,0 +1,7 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____curl-7.82.0
pkgp-freebsd-pkg____git-lite-2.35.1
pkgp-freebsd-pkg____go-1.18,1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1


@ -0,0 +1 @@
bash bash-completion curl git-lite go nano pkg


@ -0,0 +1,5 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____jenkins-2.341
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1


@ -0,0 +1 @@
bash bash-completion jenkins nano pkg


@ -0,0 +1,51 @@
<?php
$CONFIG = array (
'passwordsalt' => '5OBfApfc/+tJzU/4n+F8e+PzOfAStP',
'secret' => 'IFX9kjXwOk4L21503pLACwa2Dadv9JzHNSu8XsnTogmwb5Tr',
'trusted_domains' =>
array (
0 => 'localhost',
1 => 'cloud.ahlawat.com',
2 => '192.168.0.59',
3 => 'fd01::59',
),
'datadirectory' => '/mnt/cloud',
'overwrite.cli.url' => 'https://cloud.ahlawat.com/',
'dbtype' => 'mysql',
'version' => '21.0.3.1',
'dbname' => 'nextcloud',
'dbhost' => 'db.ahlawat.com',
'dbport' => '3306',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => 'mysql__nextcloud',
'installed' => true,
'instanceid' => 'oc7suxvjiy9s',
'htaccess.RewriteBase' => '/',
'filelocking.enabled' => 'true',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/tmp/redis.sock',
'port' => 0,
),
'logtimezone' => 'America/Los_Angeles',
'default_phone_region' => 'US',
'log_type' => 'file',
'logfile' => '/var/log/nextcloud.log',
'loglevel' => 0,
'logrotate_size' => '104847600',
'ldapIgnoreNamingRules' => false,
'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
'mail_smtpmode' => 'smtp',
'mail_from_address' => 'nobody',
'mail_domain' => 'ahlawat.com',
'mail_smtphost' => '192.168.0.100',
'mail_smtpport' => '25',
'maintenance' => false,
'theme' => '',
'encryption.legacy_format_support' => false,
'encryption.key_storage_migrated' => false,
'updater.secret' => '$2y$10$jAnC4Ha3RI2CL.IlhYluSeeOuKMT4itq/ViSiH1Q9DciUXfB3YSYS',
);
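Review bot: This file commits live secrets to the repository: `passwordsalt`, `secret`, `dbpassword` and `updater.secret` are all literal values, and the second `config.php` added further down repeats them. Anyone with read access to the repository or its history obtains the database credentials and the material Nextcloud uses to protect stored passwords and tokens. I would treat these values as disclosed, rotate what can be rotated (at least `dbpassword` and `updater.secret`), and keep only a template in version control with the real values injected at deploy time. `dbpassword` also looks derived from the service and user names, which makes it guessable, and `'loglevel' => 0` is debug logging, which is better kept for troubleshooting sessions than left on permanently.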


@ -0,0 +1,51 @@
<?php
$CONFIG = array (
'passwordsalt' => '5OBfApfc/+tJzU/4n+F8e+PzOfAStP',
'secret' => 'IFX9kjXwOk4L21503pLACwa2Dadv9JzHNSu8XsnTogmwb5Tr',
'trusted_domains' =>
array (
0 => 'localhost',
1 => 'cloud.ahlawat.com',
2 => '192.168.0.59',
3 => 'fd01::59',
),
'datadirectory' => '/mnt/cloud',
'overwrite.cli.url' => 'https://cloud.ahlawat.com/',
'dbtype' => 'mysql',
'version' => '21.0.3.1',
'dbname' => 'nextcloud',
'dbhost' => 'db.ahlawat.com',
'dbport' => '3306',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => 'mysql__nextcloud',
'installed' => true,
'instanceid' => 'oc7suxvjiy9s',
'htaccess.RewriteBase' => '/',
'filelocking.enabled' => 'true',
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/tmp/redis.sock',
'port' => 0,
),
'logtimezone' => 'America/Los_Angeles',
'log_type' => 'file',
'logfile' => '/var/log/nextcloud.log',
'loglevel' => 0,
'logrotate_size' => '104847600',
'ldapIgnoreNamingRules' => false,
'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
'mail_smtpmode' => 'smtp',
'mail_from_address' => 'nobody',
'mail_domain' => 'ahlawat.com',
'mail_smtphost' => '192.168.0.100',
'mail_smtpport' => '25',
'maintenance' => false,
'theme' => '',
'encryption.legacy_format_support' => false,
'encryption.key_storage_migrated' => false,
'updater.secret' => '$2y$10$jAnC4Ha3RI2CL.IlhYluSeeOuKMT4itq/ViSiH1Q9DciUXfB3YSYS',
);


@ -49,7 +49,7 @@ ServerRoot "/usr/local"
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
@ -108,7 +108,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
@ -119,7 +119,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -178,7 +178,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php7_module libexec/apache24/libphp7.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -223,7 +222,7 @@ ServerAdmin sharad@ahlawat.com
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName cloud.ahlawat.com
#
# Deny access to the entirety of your server's filesystem. You must
@ -250,9 +249,10 @@ ServerAdmin sharad@ahlawat.com
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
RewriteEngine on
RewriteRule ^/\.well-known/ - [L]
RewriteRule (.*) https://cloud.ahlawat.com [R,L]
# can't set this if traffic is passing through haproxy and being redirected to ssl already
# RewriteEngine on
# RewriteRule ^/\.well-known/ - [L]
# RewriteRule (.*) https://cloud.ahlawat.com [R,L]
#
# Possible values for the Options directive are "None", "All",
@ -554,27 +554,25 @@ Include etc/apache24/Includes/*.conf
<VirtualHost *:443>
ServerName cloud.ahlawat.com
ServerAlias *.ahlawat.com
ServerAlias cloud
Protocols h2 h2c http/1.1
Protocols h2 http/1.1
DocumentRoot "/usr/local/www/apache24/data/nextcloud/"
DirectoryIndex /index.php index.php
SSLEngine on
SSLCertificateFile "/mnt/certs/fullchain.pem"
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSLCompression off
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
@ -589,7 +587,8 @@ Include etc/apache24/Includes/*.conf
CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/usr/local/www/apache24/data/nextcloud/">
Options +FollowSymLinks
Require all granted
Options FollowSymLinks MultiViews
AllowOverride All
<IfModule mod_dav.c>
@ -601,11 +600,116 @@ Include etc/apache24/Includes/*.conf
</Directory>
<Directory "/usr/local/www/apache24/data/">
Options Indexes FollowSymLinks MultiViews
## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
#AllowOverride controls what directives may be placed in .htaccess files.
#AllowOverride All
#AllowOverride AuthConfig
#Controls who can get stuff from this server file
#Require all granted
</Directory>
ErrorLog "/var/log/ssl-error.log"
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(txt|xml|js)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(css)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
ExpiresDefault A31536000
</FilesMatch>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(txt|xml|js)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(css)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-font-opentype" \
"application/x-font-truetype" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>
</VirtualHost>
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
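Review bot: `SetOutputFilter DEFLATE` inside `<IfModule mod_deflate.c>` compresses every response of the TLS vhost, which makes the `AddOutputFilterByType` list below it redundant and spends CPU on already-compressed media such as the jpg/mp4 types covered by the Expires rules. It also means authenticated Nextcloud pages are compressed over TLS, the precondition for compression side-channel issues of the BREACH kind, so I would drop the blanket filter and let the type list decide what is compressed. Separately, the `<Directory "/usr/local/www/apache24/data/">` block in the same hunk sets `Options Indexes` on the parent of the Nextcloud tree with its `Require` line commented out; if nothing needs listings there, `Options -Indexes` is the safer default. Line sides are not marked on this page, so both points assume these lines are on the new side of the `+600,116` hunk.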


@ -1774,7 +1774,7 @@ opcache.enable_cli=1
opcache.memory_consumption=128
; The amount of memory for interned strings in Mbytes.
opcache.interned_strings_buffer=8
opcache.interned_strings_buffer=32
; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 1000000 are allowed.
@ -1796,7 +1796,7 @@ opcache.max_accelerated_files=10000
; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=1
opcache.revalidate_freq=60
; Enables or disables file search in include_path optimization
;opcache.revalidate_path=0


@ -0,0 +1,44 @@
pkgp-freebsd-pkg____apache24-2.4.53
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____ffmpeg-4.4.1_11,1
pkgp-freebsd-pkg____mod_php80-8.0.17_1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____php80-8.0.17_2
pkgp-freebsd-pkg____php80-bcmath-8.0.17_2
pkgp-freebsd-pkg____php80-bz2-8.0.17_2
pkgp-freebsd-pkg____php80-ctype-8.0.17_2
pkgp-freebsd-pkg____php80-curl-8.0.17_2
pkgp-freebsd-pkg____php80-dom-8.0.17_1
pkgp-freebsd-pkg____php80-exif-8.0.17_2
pkgp-freebsd-pkg____php80-fileinfo-8.0.17_2
pkgp-freebsd-pkg____php80-filter-8.0.17_2
pkgp-freebsd-pkg____php80-ftp-8.0.17_2
pkgp-freebsd-pkg____php80-gd-8.0.17_2
pkgp-freebsd-pkg____php80-gmp-8.0.17_2
pkgp-freebsd-pkg____php80-iconv-8.0.17_2
pkgp-freebsd-pkg____php80-imap-8.0.17_2
pkgp-freebsd-pkg____php80-intl-8.0.17_2
pkgp-freebsd-pkg____php80-ldap-8.0.17_2
pkgp-freebsd-pkg____php80-mbstring-8.0.17_2
pkgp-freebsd-pkg____php80-mysqli-8.0.17_2
pkgp-freebsd-pkg____php80-opcache-8.0.17_2
pkgp-freebsd-pkg____php80-pcntl-8.0.17_2
pkgp-freebsd-pkg____php80-pdo-8.0.17_2
pkgp-freebsd-pkg____php80-pdo_mysql-8.0.17_2
pkgp-freebsd-pkg____php80-pecl-APCu-5.1.21
pkgp-freebsd-pkg____php80-pecl-imagick-3.5.1
pkgp-freebsd-pkg____php80-pecl-mcrypt-1.0.4
pkgp-freebsd-pkg____php80-pecl-redis-5.3.5
pkgp-freebsd-pkg____php80-posix-8.0.17_2
pkgp-freebsd-pkg____php80-session-8.0.17_2
pkgp-freebsd-pkg____php80-simplexml-8.0.17_1
pkgp-freebsd-pkg____php80-xml-8.0.17_1
pkgp-freebsd-pkg____php80-xmlreader-8.0.17_1
pkgp-freebsd-pkg____php80-xmlwriter-8.0.17_1
pkgp-freebsd-pkg____php80-xsl-8.0.17_1
pkgp-freebsd-pkg____php80-zip-8.0.17_2
pkgp-freebsd-pkg____php80-zlib-8.0.17_2
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____redis-6.2.6
pkgp-freebsd-pkg____sudo-1.9.10


@ -0,0 +1 @@
apache24 bash bash-completion ffmpeg mod_php80 nano php80 php80-bcmath php80-bz2 php80-ctype php80-curl php80-dom php80-exif php80-fileinfo php80-filter php80-ftp php80-gd php80-gmp php80-iconv php80-imap php80-intl php80-ldap php80-mbstring php80-mysqli php80-opcache php80-pcntl php80-pdo php80-pdo_mysql php80-pecl-APCu php80-pecl-imagick php80-pecl-mcrypt php80-pecl-redis php80-posix php80-session php80-simplexml php80-xml php80-xmlreader php80-xmlwriter php80-xsl php80-zip php80-zlib pkg redis sudo

Binary file not shown.


@ -1,4 +1,4 @@
# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# $FreeBSD: releng/12.3/usr.sbin/freebsd-update/freebsd-update.conf 370439 2021-08-29 16:58:35Z kevans $
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
@ -10,6 +10,8 @@ KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org
# caching not used as I am mounting the /var/db/freebsd-update/files directory into every jail
#ServerName pkgp-freebsd-update.ahlawat.com
# Components of the base system which should be kept updated.
#Components src world
@ -75,3 +77,6 @@ MergeChanges /etc/ /boot/device.hints
# When backing up a kernel also back up debug symbol files?
# BackupKernelSymbolFiles no
# Create a new boot environment when installing patches
# CreateBootEnv yes


@ -0,0 +1,705 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"
#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule authnz_ldap_module libexec/apache24/mod_authnz_ldap.so
LoadModule ldap_module libexec/apache24/mod_ldap.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
LoadModule http2_module libexec/apache24/mod_http2.so
LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php_module libexec/apache24/libphp.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin sharad@ahlawat.com
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.ahlawat.com
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
# can't set this if traffic is passing through haproxy and being redirected to ssl already
# RewriteEngine on
# RewriteRule ^/\.well-known/ - [L]
# RewriteRule (.*) https://www.ahlawat.com [R,L]
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.php index.html
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "/var/log/httpd-access.log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "/var/log/httpd-access.log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>
#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig etc/apache24/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on
# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf
# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf
# Language settings
#Include etc/apache24/extra/httpd-languages.conf
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf
# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
# Various default settings
#Include etc/apache24/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include etc/apache24/Includes/*.conf
<VirtualHost *:443>
ServerName www.ahlawat.com
ServerAlias *.ahlawat.com
ServerAlias ahlawat.com
Protocols h2 http/1.1
DocumentRoot "/usr/local/www/apache24/data/"
SSLEngine on
SSLCertificateFile "/mnt/certs/fullchain.pem"
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSLCompression off
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/usr/local/www/apache24/data/">
Options Indexes FollowSymLinks MultiViews
## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
#AllowOverride controls what directives may be placed in .htaccess files.
AllowOverride All
#AllowOverride AuthConfig
#Controls who can get stuff from this server file
Require all granted
</Directory>
ErrorLog "/var/log/ssl-error.log"
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(txt|xml|js)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(css)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
ExpiresDefault A31536000
</FilesMatch>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(txt|xml|js)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(css)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-font-opentype" \
"application/x-font-truetype" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>
</VirtualHost>
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"


@ -0,0 +1,703 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"
#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
LoadModule http2_module libexec/apache24/mod_http2.so
LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php_module libexec/apache24/libphp.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin sharad@ahlawat.com
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
ServerName www.ahlawat.com
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
# can't set this if traffic is passing through haproxy and being redirected to ssl already
# RewriteEngine on
# RewriteRule ^/\.well-known/ - [L]
# RewriteRule (.*) https://www.ahlawat.com [R,L]
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.php index.html
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "/var/log/httpd-access.log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "/var/log/httpd-access.log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>
#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig etc/apache24/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on
# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf
# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf
# Language settings
#Include etc/apache24/extra/httpd-languages.conf
# User home directories
#Include etc/apache24/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf
# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf
# Various default settings
#Include etc/apache24/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include etc/apache24/Includes/*.conf
<VirtualHost *:443>
ServerName www.ahlawat.com
ServerAlias *.ahlawat.com
ServerAlias ahlawat.com
Protocols h2 http/1.1
DocumentRoot "/usr/local/www/apache24/data/"
SSLEngine on
SSLCertificateFile "/mnt/certs/fullchain.pem"
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSLCompression off
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/usr/local/www/apache24/data/">
Options Indexes FollowSymLinks MultiViews
## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
#AllowOverride controls what directives may be placed in .htaccess files.
#AllowOverride All
#AllowOverride AuthConfig
#Controls who can get stuff from this server file
#Require all granted
</Directory>
ErrorLog "/var/log/ssl-error.log"
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(txt|xml|js)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(css)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
ExpiresDefault A31536000
</FilesMatch>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(txt|xml|js)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(css)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-font-opentype" \
"application/x-font-truetype" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>
</VirtualHost>
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
pkgp123: {
url: "http://pkgp.ahlawat.com/packages/pj123-default",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -0,0 +1,6 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____mariadb105-server-10.5.15_2
pkgp-freebsd-pkg____mysqld_exporter-0.12.1_1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1


@ -0,0 +1 @@
bash bash-completion mariadb105-server mysqld_exporter nano pkg

58
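--- a/jails/config/dns/dns_update.sh
+++ b/jails/config/dns/dns_update.sh
@@ -0,0 +1,58 @@
+#!/usr/local/bin/bash
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+#SIM="-s"
+#SIM=""
+#rpl $SIM -v -R "2001:470:480a:a1::" "2001:470:480a:8001::" ./namedb
+#rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.8" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.8" ./namedb
+#rpl $SIM -v -R "2021120700" "2022010100" ./namedb
+#service $SIM named $SIM restart
+service named stop
+cd /data/namedb/master
+rm /data/namedb/master/*signed*
+declare -A ZONE_PEM
+ZONE_PEM=(["ahlawat.com"]="" ["beyondbell.com"]="bb" ["diyit.org"]="diy" ["xflow.org"]="xflow" ["datavpc.com"]="dvpc" ["mydatavpc.com"]="mdvpc" ["rockwoodestates.org"]="rwe" ["rockwoodranch.org"]="rwr" ["scvcc-rental.com"]="scvcc")
+for ZONE in "${!ZONE_PEM[@]}"
+do
+PEM=${ZONE_PEM[$ZONE]}
+/usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create mail.$ZONE 25 3 1 1 > /data/namedb/master/tlsa-$ZONE
+/usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create mail-backup.$ZONE 25 3 1 1 >> /data/namedb/master/tlsa-$ZONE
+/usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create $ZONE 443 3 1 1 >> /data/namedb/master/tlsa-$ZONE
+/usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create www.$ZONE 443 3 1 1 >> /data/namedb/master/tlsa-$ZONE
+done
+NEW_SERIAL=`date -j +%Y%m%d%H`
+#NEW_SERIAL="2022022635"
+echo $NEW_SERIAL
+for DBFILE in `ls /data/namedb/master/*.db`
+do
+ZONE=`echo $DBFILE | cut -d/ -f 5 | cut -d. -f -2`
+/usr/local/sbin/named-checkzone $ZONE $DBFILE
+SERIAL=`/usr/local/sbin/named-checkzone $ZONE $DBFILE | egrep -ho '[0-9]{10}'`
+echo $SERIAL
+sed -i .orig 's/'$SERIAL'/'$(($NEW_SERIAL))'/' $DBFILE
+#/usr/local/sbin/dnssec-signzone -S -K /data/namedb/master -t -o $ZONE $DBFILE
+/usr/local/sbin/dnssec-signzone -3 $(head -c 1024 /dev/random | sha1sum | cut -b 1-16) -K /data/namedb/master -t -o $ZONE $DBFILE
+done
+chown bind:bind /data/namedb/master/*
+service named start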
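Review bot: Nothing between `service named stop` and `service named start` checks a result, so a failed `ldns-dane`, `named-checkzone` or `dnssec-signzone` still ends with named restarted after the `*signed*` files were deleted. In the second loop `SERIAL` is whatever ten-digit string `named-checkzone` prints; if the zone does not load it is empty and the unquoted `sed` expression degenerates to `s//<new serial>/`, and a non-empty value is replaced wherever those digits first occur on a line, not only in the SOA record. I would gate the edit and the signing on the check, `/usr/local/sbin/named-checkzone "$ZONE" "$DBFILE" || exit 1` (ideally before named is stopped), loop with `for DBFILE in /data/namedb/master/*.db` instead of parsing `ls`, and quote `"$ZONE"`, `"$DBFILE"` and `"$PEM"`. The closing `chown bind:bind /data/namedb/master/*` also gives the daemon account every file in the `-K` directory; if the private signing keys are stored there, as `-K /data/namedb/master` suggests, they are better left owned by root, because signing happens in this script and not in named.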


@ -0,0 +1,29 @@
#### dns_verify-6.sh
#
NETS="2603:3024:3f6:e1: 2603:3024:3f6:e2: 2603:3024:3f6:e5:"
IPS=$(seq 1 254)
#
echo
echo -e "\tip -> hostname -> ip"
echo '--------------------------------------------------------'
for NET in $NETS; do
for n in $IPS; do
A=${NET}:${n}
echo -e "\t$A"
HOST=$(dig -6 -x $A +short)
if test -n "$HOST"; then
ADDR=$(dig -6 -t "AAAA" $HOST +short)
if test "$A" = "$ADDR"; then
echo -e "ok\t$A -> $HOST -> $ADDR"
elif test -n "$ADDR"; then
echo -e "fail\t$A -> $HOST -> $ADDR"
else
echo -e "fail\t$A -> $HOST -> [unassigned]"
fi
fi
done
done
echo ""
echo "DONE."
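Review bot: `HOST` and `ADDR` are compared as single strings, but `dig +short` prints one line per record, so an address with two PTR records or a name with several AAAA records is reported as `fail` even when forward and reverse data agree, and the unquoted `$HOST` is split into several query names. Comparing per line avoids that, for example `if printf '%s\n' "$ADDR" | grep -Fxq -- "$A"; then`. The file has no `#!` line although it relies on `echo -e`, whose behaviour differs between shells; a first line of `#!/usr/local/bin/bash`, as in dns_update.sh, would pin it. Both points apply to dns_verify.sh later in this commit as well. In this IPv6 variant `seq 1 254` is decimal while the address group is hexadecimal, so only hosts whose last group reads as decimal digits are probed.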

27
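--- a/jails/config/dns/dns_verify.sh
+++ b/jails/config/dns/dns_verify.sh
@@ -0,0 +1,27 @@
+#### dns_verify.sh
+#
+NETS="192.168.0 192.168.1 192.168.2"
+IPS=$(seq 1 254)
+#
+echo
+echo -e "\tip -> hostname -> ip"
+echo '--------------------------------------------------------'
+for NET in $NETS; do
+for n in $IPS; do
+A=${NET}.${n}
+HOST=$(dig -x $A +short)
+if test -n "$HOST"; then
+ADDR=$(dig $HOST +short)
+if test "$A" = "$ADDR"; then
+echo -e "ok\t$A -> $HOST -> $ADDR"
+elif test -n "$ADDR"; then
+echo -e "fail\t$A -> $HOST -> $ADDR"
+else
+echo -e "fail\t$A -> $HOST -> [unassigned]"
+fi
+fi
+done
+done
+echo ""
+echo "DONE."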


@ -0,0 +1,7 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____bind916-9.16.27
pkgp-freebsd-pkg____ldns-1.8.1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____rpl-1.4.1


@ -0,0 +1 @@
bash bash-completion bind916 ldns nano pkg rpl


@ -1,18 +0,0 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
SIM="-s"
#SIM=""
rpl $SIM -v -R "2603:3024:3f6:21::" "2603:3024:3f6:1::" ./namedb
rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1" ./namedb
rpl $SIM -v -R "2021030900" "2021031100" ./namedb
service $SIM named $SIM restart


@ -0,0 +1,10 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____beats7-7.16.3_1
pkgp-freebsd-pkg____curl-7.82.0
pkgp-freebsd-pkg____elasticsearch7-7.16.3
pkgp-freebsd-pkg____kibana7-7.16.3
pkgp-freebsd-pkg____logstash7-7.16.3
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____openjdk11-11.0.14+9.1_1
pkgp-freebsd-pkg____pkg-1.17.5_1


@ -0,0 +1 @@
bash bash-completion beats7 curl elasticsearch7 kibana7 logstash7 nano openjdk11 pkg


@ -8,10 +8,13 @@
#
#
Q=`netstat -LAan | grep 3000 | cut -f3 -d" " | cut -f1 -d/`
Q=`netstat -LAan | grep "*.3000" | cut -f3 -d" " | cut -f1 -d/`
# Q is null if gitea service is not running
if [ ! "$Q" ] || [ $Q -ne 0 ]; then
# 1537 is max stuck recvQ qlen limit when logging start:
# sonewconn: pcb 0xfffff804b9f73d58: Listen queue overflow: 1537 already in queue awaiting acceptance (30 occurrences)
if [ ! "$Q" ] || [ $Q -ge 100 ]; then
echo "restarting gitea stuck at $Q"
tail /var/log/gitea/gitea.log
kill -9 `pgrep gitea` ; sleep 2 ; service gitea start
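Review bot: The new test `[ $Q -ge 100 ]` leaves `$Q` unquoted, and `grep "*.3000"` can return more than one line (for example separate IPv4 and IPv6 listeners), in which case `[` fails with a syntax error and the stuck service is not restarted. Taking one line and quoting closes that gap: `Q=$(netstat -LAan | grep -F '*.3000' | head -n 1 | cut -f3 -d" " | cut -f1 -d/)` and `if [ -z "$Q" ] || [ "$Q" -ge 100 ]; then`. The unchanged restart line goes straight to `kill -9`, which gives gitea no chance to finish repository or database writes; `service gitea stop` first, with SIGKILL only as a fallback, would be safer. The `if` block closes outside this hunk.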


@ -0,0 +1,6 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____gitea-1.16.5_1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____openldap-sasl-client-2.4.59
pkgp-freebsd-pkg____pkg-1.17.5_1


@ -0,0 +1 @@
bash bash-completion gitea nano openldap-sasl-client pkg


@ -0,0 +1,17 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____cmake-3.22.2
pkgp-freebsd-pkg____ffmpeg-4.4.1_11,1
pkgp-freebsd-pkg____git-lite-2.35.1
pkgp-freebsd-pkg____gmake-4.3_2
pkgp-freebsd-pkg____heyu2-2.10_1
pkgp-freebsd-pkg____libxslt-1.1.35_1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____openjpeg-2.4.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____py38-sqlite3-3.8.13_7
pkgp-freebsd-pkg____py39-sqlite3-3.9.12_7
pkgp-freebsd-pkg____python39-3.9.12
pkgp-freebsd-pkg____rust-1.59.0
pkgp-freebsd-pkg____tmux-3.2a
pkgp-freebsd-pkg____wget-1.21.3


@ -0,0 +1 @@
bash bash-completion cmake ffmpeg git-lite gmake heyu2 libxslt nano openjpeg pkg py38-sqlite3 py39-sqlite3 python39 rust tmux wget


@ -16,7 +16,7 @@
# Serial port to which the CM11a is connected. Default is /dev/ttyS0.
tty /dev/ttyU1
tty /dev/ttyU0
check_ri_line NO
# If you have an X10 compatible RF receiver connected to a second
@ -24,7 +24,7 @@ check_ri_line NO
# and model of receiver. Supported receivers are W800RF32, MR26A,
# and RFXCOM. There are no defaults.
tty_aux /dev/ttyU0 MR26A
tty_aux /dev/ttyU1 MR26A
# The CM19A is both a receiver and transmitter for X10 RF signals.
# The MR26A is a receiver only.


@ -49,7 +49,7 @@ ServerRoot "/usr/local"
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
@ -110,7 +110,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
@ -121,7 +121,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -180,7 +180,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php7_module libexec/apache24/libphp7.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -225,7 +224,7 @@ ServerAdmin sharad@ahlawat.com
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName hub.ahlawat.com
#
# Deny access to the entirety of your server's filesystem. You must
@ -559,7 +558,7 @@ Include etc/apache24/Includes/*.conf
ServerAlias *.ahlawat.com
ServerAlias hub
Protocols h2 h2c http/1.1
Protocols h2 http/1.1
DocumentRoot "/usr/local/www/apache24/data/"
@ -568,15 +567,15 @@ Include etc/apache24/Includes/*.conf
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSLCompression off
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
@ -606,7 +605,100 @@ Include etc/apache24/Includes/*.conf
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(txt|xml|js)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(css)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
ExpiresDefault A31536000
</FilesMatch>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(txt|xml|js)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(css)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-font-opentype" \
"application/x-font-truetype" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>
</VirtualHost>
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
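Review bot: `SetOutputFilter DEFLATE` in the last hunk compresses every response of this TLS virtual host, including the output of the `proxy:fcgi://127.0.0.1:9000` handler, which is the precondition for BREACH-style compression side channels when a page reflects request data next to a secret such as a CSRF token. It also makes the `AddOutputFilterByType DEFLATE` list below it redundant and recompresses images and archives that are already compressed. I would drop the `SetOutputFilter DEFLATE` line and keep the by-type list, and if the dynamic pages carry secrets add `SetEnv no-gzip 1` inside the `<FilesMatch "\.(cgi|shtml|phtml|php)$">` block. The same compression block appears in the other httpd.conf sections of this commit.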


@ -0,0 +1,29 @@
pkgp122____openldap24-client-2.4.59_4
pkgp123____apache24-2.4.53_1
pkgp123____apr-1.7.0.1.6.1_2
pkgp123____php81-ldap-8.1.5
pkgp123____pkg-1.17.5_1
pkgp123____samba413-4.13.17_1
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____compat9x-amd64-9.3.903000.20170608
pkgp-freebsd-pkg____fluxbox-1.3.7_5
pkgp-freebsd-pkg____iperf3-3.11
pkgp-freebsd-pkg____mc-4.8.28
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____openjdk8-8.322.06.1
pkgp-freebsd-pkg____p7zip-16.02_3
pkgp-freebsd-pkg____php81-mysqli-8.1.4_2
pkgp-freebsd-pkg____php81-pgsql-8.1.4_2
pkgp-freebsd-pkg____php81-session-8.1.4_2
pkgp-freebsd-pkg____rename-1.99.2
pkgp-freebsd-pkg____rkhunter-1.4.6_1
pkgp-freebsd-pkg____rsync-3.2.3_1
pkgp-freebsd-pkg____sshguard-2.4.2_2,1
pkgp-freebsd-pkg____sudo-1.9.10
pkgp-freebsd-pkg____tigervnc-1.9.0_4
pkgp-freebsd-pkg____unrar-6.11,6
pkgp-freebsd-pkg____wget-1.21.3
pkgp-freebsd-pkg____xauth-1.1
pkgp-freebsd-pkg____xorriso-1.5.4
pkgp-freebsd-pkg____xterm-372


@ -0,0 +1 @@
apache24 apr bash bash-completion compat9x-amd64 fluxbox iperf3 mc nano openjdk8 openldap24-client p7zip php81-ldap php81-mysqli php81-pgsql php81-session pkg rename rkhunter rsync samba413 sshguard sudo tigervnc unrar wget xauth xorriso xterm


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
pkgp123: {
url: "http://pkgp.ahlawat.com/packages/pj123-default",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -0,0 +1,9 @@
pkgp-freebsd-pkg____automake-1.16.5
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____cmake-3.22.2
pkgp-freebsd-pkg____git-lite-2.35.1
pkgp-freebsd-pkg____hercules-3.13
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____tmux-3.2a


@ -0,0 +1 @@
automake bash bash-completion cmake git-lite hercules nano pkg tmux


@ -1,7 +0,0 @@
sysctl net.inet.ip.forwarding=1
route add 10.1.2.0/24 192.168.55.105
# on remote -
#sudo sysctl net.ipv4.ip_forward=1
#ip route add 192.168.0.0/24 via 192.168.55.1
#OR
#ip route add 192.168.0.0/24 dev tun0


@ -0,0 +1,10 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____guacamole-client-1.4.0
pkgp-freebsd-pkg____guacamole-server-1.4.0
pkgp-freebsd-pkg____libqrencode-4.1.1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____openldap-sasl-client-2.4.59
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____wireguard-2,1
pkgp-freebsd-pkg____zip-3.0_1


@ -0,0 +1 @@
bash bash-completion guacamole-client guacamole-server libqrencode nano openldap-sasl-client pkg wireguard zip


@ -71,6 +71,31 @@
environments. */
# $config->custom->password['no_random_crypt_salt'] = true;
/* If you want to restrict password available types (encryption algorithms)
Should be subset of:
array(
''=>'clear',
'bcrypt'=>'bcrypt',
'blowfish'=>'blowfish',
'crypt'=>'crypt',
'ext_des'=>'ext_des',
'md5'=>'md5',
'k5key'=>'k5key',
'md5crypt'=>'md5crypt',
'sha'=>'sha',
'smd5'=>'smd5',
'ssha'=>'ssha',
'sha256'=>'sha256',
'ssha256'=>'ssha256',
'sha384'=>'sha384',
'ssha384'=>'ssha384',
'sha512'=>'sha512',
'ssha512'=>'ssha512',
'sha256crypt'=>'sha256crypt',
'sha512crypt'=>'sha512crypt',
)*/
# $config->custom->password['available_types'] = array(''=>'clear','md5'=>'md5');
/* PHP script timeout control. If php runs longer than this many seconds then
PHP will stop with an Maximum Execution time error. Increase this value from
the default if queries to your LDAP server are slow. The default is either
@ -173,6 +198,10 @@ $config->custom->commands['script'] = array(
// $config->custom->appearance['tree_width'] = null;
# $config->custom->appearance['tree_width'] = 250;
/* Number of tree command icons to show, 0 = show all icons on 1 row. */
// $config->custom->appearance['tree_icons'] = 0;
# $config->custom->appearance['tree_icons'] = 4;
/* Confirm create and update operations, allowing you to review the changes
and optionally skip attributes during the create/update operation. */
// $config->custom->confirm['create'] = true;
@ -235,7 +264,7 @@ $config->custom->appearance['friendly_attrs'] = array(
*********************************************/
/* Add "modify group members" link to the attribute. */
// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid');
// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser');
/* Configure filter for member search. This only applies to "modify group members" feature */
// $config->custom->modify_member['filter'] = '(objectclass=Person)';
@ -310,12 +339,13 @@ $servers->setValue('server','base',array('dc=infra'));
login will be required to use phpLDAPadmin for this server.
5. 'sasl': login will be taken from the webserver's kerberos authentication.
Currently only GSSAPI has been tested (using mod_auth_kerb).
6. 'sasl_external': login will be taken from SASL external mechanism.
Choose wisely to protect your authentication information appropriately for
your situation. If you choose 'cookie', your cookie contents will be
encrypted using blowfish and the secret your specify above as
session['blowfish']. */
$servers->setValue('login','auth_type','cookie');
// $servers->setValue('login','auth_type','session');
/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
@ -334,6 +364,22 @@ $servers->setValue('login','bind_pass','');
/* Use TLS (Transport Layer Security) to connect to the LDAP server. */
$servers->setValue('server','tls',false);
/* TLS Certificate Authority file (overrides ldap.conf, PHP 7.1+) */
// $servers->setValue('server','tls_cacert',null);
# $servers->setValue('server','tls_cacert','/etc/openldap/certs/ca.crt');
/* TLS Certificate Authority hashed directory (overrides ldap.conf, PHP 7.1+) */
// $servers->setValue('server','tls_cacertdir',null);
# $servers->setValue('server','tls_cacertdir','/etc/openldap/certs');
/* TLS Client Certificate file (PHP 7.1+) */
// $servers->setValue('server','tls_cert',null);
# $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt');
/* TLS Client Certificate Key file (PHP 7.1+) */
// $servers->setValue('server','tls_key',null);
# $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key');
/************************************
* SASL Authentication *
************************************/
@ -341,11 +387,19 @@ $servers->setValue('server','tls',false);
/* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
false), then all other sasl options are ignored. */
// $servers->setValue('login','auth_type','sasl');
# $servers->setValue('login','auth_type','sasl');
/* SASL auth mechanism */
/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */
// $servers->setValue('sasl','mech','GSSAPI');
/* SASL PLAIN support... this mech converts simple binds to SASL
PLAIN binds using any auth_type (or other bind_id/pass) as credentials.
NOTE: auth_type must be simple auth compatible (ie not sasl) */
# $servers->setValue('sasl','mech','PLAIN');
/* SASL EXTERNAL support... really a different auth_type */
# $servers->setValue('login','auth_type','sasl_external');
/* SASL authentication realm name */
// $servers->setValue('sasl','realm','');
# $servers->setValue('sasl','realm','EXAMPLE.COM');
@ -400,6 +454,12 @@ $servers->setValue('server','tls',false);
setup. */
// $servers->setValue('login','class',array());
/* If login_attr was set to 'dn', it is possible to specify a template string to
build the DN from. Use '%s' where user input should be inserted. A user may
still enter the complete DN. In this case the template will not be used. */
// $servers->setValue('login','bind_dn_template',null);
# $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com');
/* If you specified something different from 'dn', for example 'uid', as the
login_attr above, you can optionally specify here to fall back to
authentication with dn.
@ -420,6 +480,9 @@ $servers->setValue('server','tls',false);
/* Set to true if you would like to initially open the first level of each tree. */
// $servers->setValue('appearance','open_tree',false);
/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */
// $servers->setValue('appearance','show_authz',false);
/* This feature allows phpLDAPadmin to automatically determine the next
available uidNumber for a new entry. */
// $servers->setValue('auto_number','enable',true);
@ -556,7 +619,7 @@ $servers->setValue('appearance','show_create',true);
$servers->setValue('auto_number','enable',true);
$servers->setValue('auto_number','mechanism','search');
$servers->setValue('auto_number','search_base',null);
$servers->setValue('auto_number','min',array('uidNumber'=>10000,'gidNumber'=>5000));
$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
$servers->setValue('auto_number','dn',null);
$servers->setValue('auto_number','pass',null);
@ -573,4 +636,19 @@ $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','p
$servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
$servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
*/
/***********************************************************************************
* If you want to configure Google reCAPTCHA on autentication form, do so below. *
* Remove the commented lines and use this section as a template for all *
* reCAPTCHA v2 Generate on https://www.google.com/recaptcha/ *
* *
* IMPORTANT: Select reCAPTCHA v2 on Type of reCAPTCHA *
***********************************************************************************/
$config->custom->session['reCAPTCHA-enable'] = false;
$config->custom->session['reCAPTCHA-key-site'] = '<put-here-key-site>';
$config->custom->session['reCAPTCHA-key-server'] = '<put-here-key-server>';
?>


@ -49,7 +49,7 @@ ServerRoot "/usr/local"
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
@ -178,7 +178,7 @@ LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
#LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module libexec/apache24/libphp7.so
LoadModule php_module libexec/apache24/libphp.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -214,7 +214,7 @@ Group www
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin you@example.com
ServerAdmin sharad@ahlawat.com
#
# ServerName gives the name and port that the server uses to identify itself.
@ -223,7 +223,7 @@ ServerAdmin you@example.com
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName ldap-mgr.ahlawat.com
#
# Deny access to the entirety of your server's filesystem. You must
@ -578,7 +578,7 @@ Include etc/apache24/Includes/*.conf
Require all granted
</Directory>
Alias /ssp "/usr/local/www/self-service-password"
Alias /ssp "/usr/local/www/self-service-password/htdocs"
<Directory "/usr/local/www/self-service-password">
AllowOverride None
Require all granted
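Review bot: The `<Directory "/usr/local/www/self-service-password">` block after the changed `Alias /ssp` line still applies `Require all granted` to the whole application directory, although the alias now maps only its `htdocs` subdirectory. Narrowing it to `<Directory "/usr/local/www/self-service-password/htdocs">` keeps the grant aligned with what is actually served. That way the application's non-web files (presumably including its configuration with the LDAP bind settings) stay under the default deny if a later alias or DocumentRoot reaches the parent directory. The Directory block continues outside the hunk, so its closing lines are not visible here.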


@ -401,7 +401,7 @@ max_input_time = 60
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 128M
memory_limit = 256M
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;


@ -0,0 +1,9 @@
pkgp-freebsd-pkg____apache24-2.4.53
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____ldap-account-manager-7.9
pkgp-freebsd-pkg____mod_php80-8.0.17_1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____phpldapadmin-php80-1.2.6.3_1
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____self-service-password-php80-1.4_1


@ -0,0 +1 @@
apache24 bash bash-completion ldap-account-manager mod_php80 nano phpldapadmin-php80 pkg self-service-password-php80


@ -0,0 +1,7 @@
pkgp122____openldap24-client-2.4.59_4
pkgp123____openldap24-server-2.4.59_9
pkgp123____pkg-1.17.5_1
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____openssl-1.1.1n,1


@ -0,0 +1 @@
bash bash-completion nano openldap24-client openldap24-server openssl pkg


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
pkgp123: {
url: "http://pkgp.ahlawat.com/packages/pj123-default",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -0,0 +1,30 @@
pkgp-freebsd-pkg____automake-1.16.5
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____cmake-3.22.2
pkgp-freebsd-pkg____dbus-1.12.20_5
pkgp-freebsd-pkg____fluxbox-1.3.7_5
pkgp-freebsd-pkg____git-lite-2.35.1
pkgp-freebsd-pkg____libxslt-1.1.35_1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____perl5-5.32.1_1
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____py38-IBMQuantumExperience-2.0.4
pkgp-freebsd-pkg____py38-jupyterlab-3.1.19
pkgp-freebsd-pkg____py38-matplotlib-3.4.3_3
pkgp-freebsd-pkg____py38-pandas-1.3.5,1
pkgp-freebsd-pkg____py38-pep517-0.12.0
pkgp-freebsd-pkg____py38-pip-20.3.4
pkgp-freebsd-pkg____py38-scikit-learn-1.0.2
pkgp-freebsd-pkg____py38-seaborn-0.11.0_1
pkgp-freebsd-pkg____py38-tensorflow-1.15.5_2
pkgp-freebsd-pkg____rubygem-pkg-config-1.4.7
pkgp-freebsd-pkg____rust-1.59.0
pkgp-freebsd-pkg____sudo-1.9.10
pkgp-freebsd-pkg____suitesparse-cholmod-3.0.14
pkgp-freebsd-pkg____suitesparse-umfpack-5.7.9
pkgp-freebsd-pkg____symengine-0.8.1
pkgp-freebsd-pkg____tigervnc-server-1.12.0_4
pkgp-freebsd-pkg____xauth-1.1
pkgp-freebsd-pkg____xorg-fonts-truetype-7.7_1
pkgp-freebsd-pkg____xterm-372


@ -0,0 +1 @@
automake bash bash-completion cmake dbus fluxbox git-lite libxslt nano perl5 pkg py38-IBMQuantumExperience py38-jupyterlab py38-matplotlib py38-pandas py38-pep517 py38-pip py38-scikit-learn py38-seaborn py38-tensorflow rubygem-pkg-config rust sudo suitesparse-cholmod suitesparse-umfpack symengine tigervnc-server xauth xorg-fonts-truetype xterm


@ -0,0 +1,12 @@
pkgp122____openldap24-client-2.4.59_4
pkgp123____dcc-dccd-2.3.168
pkgp123____dovecot-2.3.18_1
pkgp123____dovecot-pigeonhole-0.5.18
pkgp123____pkg-1.17.5_1
pkgp123____postfix-3.7.0_2,1
pkgp123____rspamd-3.2_1
pkgp-freebsd-pkg____apache-solr-8.11.1
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____redis-6.2.6


@ -0,0 +1 @@
apache-solr bash bash-completion dcc-dccd dovecot dovecot-pigeonhole nano openldap24-client pkg postfix redis rspamd


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
pkgp123: {
url: "http://pkgp.ahlawat.com/packages/pj123-default",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -0,0 +1,14 @@
#! /bin/sh
certfiles=$(postconf -n | awk -F " = " '$1 ~ /(cert|key)_file/ {print $2}' | sort -u)
reload=false
for f in $certfiles; do
if [ -f "$f" ]; then
if [ /var/spool/postfix/pid/master.pid -ot "$f" ]; then
reload=true
fi
fi
done
if $reload; then
echo "postfix master.pid file older than certificates; restart required!"
service postfix restart
fi
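Review bot: The loop compares every certificate and key path against `/var/spool/postfix/pid/master.pid` without first checking that the pid file exists, so when Postfix is stopped the result of `-ot` depends on how the shell's `test` treats a missing left operand, and the script may restart a service that was stopped on purpose. An explicit guard before the loop, `[ -f /var/spool/postfix/pid/master.pid ] || exit 0`, makes that case deliberate. The unquoted `for f in $certfiles` also splits on whitespace and expands globs, so a path containing a space would be silently skipped by the `-f` test; reading the list with `while IFS= read -r f` avoids that. A short header comment saying how the script is scheduled and that it restarts rather than reloads because it keys on the age of master.pid would help the next maintainer.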


@ -0,0 +1,7 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____npm-8.5.2
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____pkgconf-1.8.0,1
pkgp-freebsd-pkg____vips-8.12.2_4


@ -0,0 +1 @@
bash bash-completion nano npm pkg pkgconf vips


@ -1,7 +1,7 @@
{
"default_server_config": {
"m.homeserver": {
"base_url": "https://matrix.ahlawat.com",
"base_url": "https://matrix.ahlawat.com:8448",
"server_name": "matrix.ahlawat.com"
},
"m.identity_server": {
@ -12,7 +12,7 @@
"disable_guests": false,
"disable_login_language_selector": false,
"disable_3pid_login": false,
"brand": "Riot",
"brand": "Ahlawat",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"integrations_widgets_urls": [
@ -22,23 +22,19 @@
"https://scalar-staging.vector.im/api",
"https://scalar-staging.riot.im/scalar/api"
],
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"bug_report_endpoint_url": "https://element.io/bugreports/submit",
"uisi_autorageshake_app": "element-auto-uisi",
"defaultCountryCode": "US",
"showLabsSettings": false,
"features": {
"feature_pinning": "labs",
"feature_custom_status": "labs",
"feature_custom_tags": "labs",
"feature_state_counters": "labs"
},
"features": { },
"default_federate": true,
"default_theme": "light",
"roomDirectory": {
"servers": [
"matrix.ahlawat.com",
"matrix.org"
]
},
"welcomeUserId": "@riot-bot:matrix.org",
"piwik": {
"url": "https://piwik.riot.im/",
"whitelistedHSUrls": ["https://matrix.org"],
@ -54,5 +50,6 @@
},
"jitsi": {
"preferredDomain": "meet.ahlawat.com"
}
},
"map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
}
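Review bot: The new `map_style_url` line at the end of the file carries a MapTiler API key in its query string, so the key now sits in the repository history as well as in the config that every web client downloads. A key in this file cannot be hidden from browsers, so it should be restricted on the provider side to the origins that serve this client. The committed copy could hold a placeholder such as `?key=<MAPTILER_KEY>` that is filled in at deploy time. If the repository is or becomes readable by others, treat the committed key as exposed and rotate it.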


@ -146,7 +146,7 @@ http {
#location /favicon.ico { access_log off; log_not_found off; }
root /usr/local/www/riot;
root /usr/local/www/element;
index index.html;
#error_page 404 /404.html;


@ -0,0 +1,9 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____element-web-1.10.8
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____nginx-1.20.2_9,2
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____py38-matrix-synapse-1.55.2
pkgp-freebsd-pkg____py38-matrix-synapse-ldap3-0.2.0
pkgp-freebsd-pkg____py38-psycopg2-2.9.3


@ -0,0 +1 @@
bash bash-completion element-web nano nginx pkg py38-matrix-synapse py38-matrix-synapse-ldap3 py38-psycopg2


@ -0,0 +1,9 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____jicofo-1.0.555_2
pkgp-freebsd-pkg____jitsi-meet-1.0.4048_2
pkgp-freebsd-pkg____jitsi-videobridge-2.1.183_3
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____nginx-1.20.2_9,2
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____prosody-0.12.0


@ -0,0 +1 @@
bash bash-completion jicofo jitsi-meet jitsi-videobridge nano nginx pkg prosody


@ -1,549 +0,0 @@
##################### Grafana Configuration Example #####################
#
# Everything has defaults so you only need to uncomment things you want to
# change
# possible values : production, development
;app_mode = production
# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
;instance_name = ${HOSTNAME}
instance_name = grafana.diyit.org
#################################### Paths ####################################
[paths]
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
data = /var/db/grafana/
# Temporary files in `data` directory older than given duration will be removed
;temp_data_lifetime = 24h
# Directory where grafana can store logs
logs = /var/log/grafana/
# Directory where grafana will automatically scan and look for plugins
plugins = /var/db/grafana/plugins
# folder that contains provisioning config files that grafana will apply on startup and while running.
provisioning = /var/db/grafana/provisioning
#################################### Server ####################################
[server]
# Protocol (http, https, socket)
protocol = https
# The ip address to bind to, empty will bind to all interfaces
;http_addr =
# The http port to use
;http_port = 3000
# The public facing domain name used to access grafana from a browser
;domain = localhost
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = false
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://grafana.diyit.org
# Log web requests
;router_logging = false
# the path relative working path
;static_root_path = public
# enable gzip
;enable_gzip = false
# https certs & key file
cert_file = /mnt/certs/diyfullchain.pem
cert_key =/mnt/certs/diyprivkeyr.pem
# Unix socket path
;socket =
#################################### Database ####################################
[database]
# You can configure the database connection by specifying type, host, name, user and password
# as separate properties or as on string using the url properties.
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host = 127.0.0.1:3306
;name = grafana
;user = root
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password =
# Use either URL or the previous fields to configure the database
# Example: mysql://user:secret@host:port/database
;url =
# For "postgres" only, either "disable", "require" or "verify-full"
;ssl_mode = disable
# For "sqlite3" only, path relative to data_path setting
;path = grafana.db
# Max idle conn setting default is 2
;max_idle_conn = 2
# Max conn setting default is 0 (mean not set)
;max_open_conn =
# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
;conn_max_lifetime = 14400
# Set to true to log the sql calls and execution times.
log_queries =
# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
;cache_mode = private
#################################### Cache server #############################
[remote_cache]
# Either "redis", "memcached" or "database" default is "database"
;type = database
# cache connectionstring options
# database: will use Grafana primary database.
# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
# memcache: 127.0.0.1:11211
;connstr =
#################################### Session ####################################
[session]
# Either "memory", "file", "redis", "mysql", "postgres", default is "file"
;provider = file
# Provider config options
# memory: not have any config yet
# file: session dir path, is relative to grafana data_path
# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
# mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
# postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
;provider_config = sessions
# Session cookie name
;cookie_name = grafana_sess
# If you use session in https only, default is false
;cookie_secure = false
# Session life time, default is 86400 (means 86400 seconds or 24 hours)
;session_life_time = 86400
#################################### Data proxy ###########################
[dataproxy]
# This enables data proxy logging, default is false
;logging = false
# How long the data proxy should wait before timing out default is 30 (seconds)
;timeout = 30
# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
;send_user_header = false
#################################### Analytics ####################################
[analytics]
# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
# No ip addresses are being tracked, only simple counters to track
# running instances, dashboard and error counts. It is very helpful to us.
# Change this option to false to disable reporting.
;reporting_enabled = true
# Set to false to disable all checks to https://grafana.net
# for new vesions (grafana itself and plugins), check is used
# in some UI views to notify that grafana or plugin update exists
# This option does not cause any auto updates, nor send any information
# only a GET request to http://grafana.com to get latest versions
;check_for_updates = true
# Google Analytics universal tracking code, only enabled if you specify an id here
;google_analytics_ua_id =
# Google Tag Manager ID, only enabled if you specify an id here
;google_tag_manager_id =
#################################### Security ####################################
[security]
# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
;admin_password = admin
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
# disable gravatar profile images
;disable_gravatar = false
# data source proxy whitelist (ip_or_domain:port separated by spaces)
;data_source_proxy_whitelist =
# disable protection against brute force login attempts
;disable_brute_force_login_protection = false
# set to true if you host Grafana behind HTTPS. default is false.
cookie_secure = true
# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict" and "none"
cookie_samesite = none
allow_embedding = true
#################################### Snapshots ###########################
[snapshots]
# snapshot sharing options
;external_enabled = true
;external_snapshot_url = https://snapshots-origin.raintank.io
;external_snapshot_name = Publish to snapshot.raintank.io
# remove expired snapshot
;snapshot_remove_expired = true
#################################### Dashboards History ##################
[dashboards]
# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
;versions_to_keep = 20
#################################### Users ###############################
[users]
# disable user signup / registration
;allow_sign_up = true
# Allow non admin users to create organizations
;allow_org_create = true
# Set to true to automatically assign new users to the default organization (id 1)
;auto_assign_org = true
# Default role new users will be automatically assigned (if disabled above is set to true)
;auto_assign_org_role = Viewer
# Background text for the user field on the login page
;login_hint = email or username
;password_hint = password
# Default UI theme ("dark" or "light")
;default_theme = dark
# External user management, these options affect the organization users view
;external_manage_link_url =
;external_manage_link_name =
;external_manage_info =
# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
;viewers_can_edit = false
# Editors can administrate dashboard, folders and teams they create
;editors_can_admin = false
[auth]
# Login cookie name
;login_cookie_name = grafana_session
# The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days,
;login_maximum_inactive_lifetime_days = 7
# The maximum lifetime (days) an authenticated user can be logged in since login time before being required to login. Default is 30 days.
;login_maximum_lifetime_days = 30
# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
;token_rotation_interval_minutes = 10
# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
;disable_login_form = false
# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
;disable_signout_menu = false
# URL to redirect the user to after sign out
;signout_redirect_url =
# Set to true to attempt login with OAuth automatically, skipping the login screen.
# This setting is ignored if multiple OAuth providers are configured.
;oauth_auto_login = false
#################################### Anonymous Auth ######################
[auth.anonymous]
# enable anonymous access
;enabled = false
# specify organization name that should be used for unauthenticated users
;org_name = Main Org.
# specify role for unauthenticated users
;org_role = Viewer
#################################### Github Auth ##########################
[auth.github]
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url = https://github.com/login/oauth/authorize
;token_url = https://github.com/login/oauth/access_token
;api_url = https://api.github.com/user
;team_ids =
;allowed_organizations =
#################################### Google Auth ##########################
[auth.google]
;enabled = false
;allow_sign_up = true
;client_id = some_client_id
;client_secret = some_client_secret
;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
;auth_url = https://accounts.google.com/o/oauth2/auth
;token_url = https://accounts.google.com/o/oauth2/token
;api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains =
#################################### Generic OAuth ##########################
[auth.generic_oauth]
;enabled = false
;name = OAuth
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email,read:org
;auth_url = https://foo.bar/login/oauth/authorize
;token_url = https://foo.bar/login/oauth/access_token
;api_url = https://foo.bar/user
;team_ids =
;allowed_organizations =
;tls_skip_verify_insecure = false
;tls_client_cert =
;tls_client_key =
;tls_client_ca =
; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
;send_client_credentials_via_post = false
#################################### Grafana.com Auth ####################
[auth.grafana_com]
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;scopes = user:email
;allowed_organizations =
#################################### Auth Proxy ##########################
[auth.proxy]
;enabled = false
;header_name = X-WEBAUTH-USER
;header_property = username
;auto_sign_up = true
;ldap_sync_ttl = 60
;whitelist = 192.168.1.1, 192.168.2.1
;headers = Email:X-User-Email, Name:X-User-Name
#################################### Basic Auth ##########################
[auth.basic]
;enabled = true
#################################### Auth LDAP ##########################
[auth.ldap]
;enabled = false
;config_file = /etc/grafana/ldap.toml
;allow_sign_up = true
#################################### SMTP / Emailing ##########################
[smtp]
;enabled = false
;host = localhost:25
;user =
# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
;password =
;cert_file =
;key_file =
;skip_verify = false
;from_address = admin@grafana.localhost
;from_name = Grafana
# EHLO identity in SMTP dialog (defaults to instance_name)
;ehlo_identity = dashboard.example.com
[emails]
;welcome_email_on_sign_up = false
#################################### Logging ##########################
[log]
# Either "console", "file", "syslog". Default is console and file
# Use space to separate multiple modes, e.g. "console file"
;mode = console file
# Either "debug", "info", "warn", "error", "critical", default is "info"
;level = info
# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
;filters =
# For "console" mode only
[log.console]
;level =
# log line format, valid options are text, console and json
;format = console
# For "file" mode only
[log.file]
;level =
# log line format, valid options are text, console and json
;format = text
# This enables automated log rotate(switch of following options), default is true
;log_rotate = true
# Max line number of single file, default is 1000000
;max_lines = 1000000
# Max size shift of single file, default is 28 means 1 << 28, 256MB
;max_size_shift = 28
# Segment log daily, default is true
;daily_rotate = true
# Expired days of log file(delete after max days), default is 7
;max_days = 7
[log.syslog]
;level =
# log line format, valid options are text, console and json
;format = text
# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
;network =
;address =
# Syslog facility. user, daemon and local0 through local7 are valid.
;facility =
# Syslog tag. By default, the process' argv[0] is used.
;tag =
#################################### Alerting ############################
[alerting]
# Disable alerting engine & UI features
;enabled = true
# Makes it possible to turn off alert rule execution but alerting UI is visible
;execute_alerts = true
# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
;error_or_timeout = alerting
# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
;nodata_or_nullvalues = no_data
# Alert notifications can include images, but rendering many images at the same time can overload the server
# This limit will protect the server from render overloading and make sure notifications are sent out quickly
;concurrent_render_limit = 5
# Default setting for alert calculation timeout. Default value is 30
;evaluation_timeout_seconds = 30
# Default setting for alert notification timeout. Default value is 30
;notification_timeout_seconds = 30
# Default setting for max attempts to sending alert notifications. Default value is 3
;max_attempts = 3
#################################### Explore #############################
[explore]
# Enable the Explore section
;enabled = true
#################################### Internal Grafana Metrics ##########################
# Metrics available at HTTP API Url /metrics
[metrics]
# Disable / Enable internal metrics
;enabled = true
# Publish interval
;interval_seconds = 10
# Send internal metrics to Graphite
[metrics.graphite]
# Enable by setting the address setting (ex localhost:2003)
;address =
;prefix = prod.grafana.%(instance_name)s.
#################################### Distributed tracing ############
[tracing.jaeger]
# Enable by setting the address sending traces to jaeger (ex localhost:6831)
;address = localhost:6831
# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
;always_included_tag = tag1:value1
# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
;sampler_type = const
# jaeger samplerconfig param
# for "const" sampler, 0 or 1 for always false/true respectively
# for "probabilistic" sampler, a probability between 0 and 1
# for "rateLimiting" sampler, the number of spans per second
# for "remote" sampler, param is the same as for "probabilistic"
# and indicates the initial sampling rate before the actual one
# is received from the mothership
;sampler_param = 1
#################################### Grafana.com integration ##########################
# Url used to import dashboards directly from Grafana.com
[grafana_com]
;url = https://grafana.com
#################################### External image storage ##########################
[external_image_storage]
# Used for uploading images to public servers so they can be included in slack/email messages.
# you can choose between (s3, webdav, gcs, azure_blob, local)
;provider =
[external_image_storage.s3]
;bucket =
;region =
;path =
;access_key =
;secret_key =
[external_image_storage.webdav]
;url =
;public_url =
;username =
;password =
[external_image_storage.gcs]
;key_file =
;bucket =
;path =
[external_image_storage.azure_blob]
;account_name =
;account_key =
;container_name =
[external_image_storage.local]
# does not require any configuration
[rendering]
# Options to configure external image rendering server like https://github.com/grafana/grafana-image-renderer
;server_url =
;callback_url =
[enterprise]
# Path to a valid Grafana Enterprise license.jwt file
;license_path =
[panels]
;enable_alpha = false
# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
;disable_sanitize_html = false



@ -49,7 +49,7 @@ ServerRoot "/usr/local"
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
@ -108,7 +108,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
@ -119,7 +119,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -178,7 +178,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php7_module libexec/apache24/libphp7.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -223,7 +222,7 @@ ServerAdmin sharad@ahlawat.com
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName monitor.ahlawat.com
#
# Deny access to the entirety of your server's filesystem. You must
@ -555,9 +554,8 @@ Include etc/apache24/Includes/*.conf
<VirtualHost *:443>
ServerName monitor.ahlawat.com
ServerAlias *.ahlawat.com
ServerAlias ahlawat.com
Protocols h2 h2c http/1.1
Protocols h2 http/1.1
DocumentRoot "/usr/local/www/apache24/data/"
@ -566,15 +564,15 @@ Include etc/apache24/Includes/*.conf
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSLCompression off
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
@ -612,7 +610,100 @@ Include etc/apache24/Includes/*.conf
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(txt|xml|js)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(css)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
ExpiresDefault A31536000
</FilesMatch>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(txt|xml|js)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(css)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-font-opentype" \
"application/x-font-truetype" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>
</VirtualHost>
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"


@ -0,0 +1,41 @@
pkgp-freebsd-pkg____alertmanager-0.23.0_2
pkgp-freebsd-pkg____apache24-2.4.53
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____grafana8-8.3.6_1
pkgp-freebsd-pkg____influxdb-1.8.10_2
pkgp-freebsd-pkg____iperf3-3.11
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____php81-8.1.4_2
pkgp-freebsd-pkg____php81-bcmath-8.1.4_2
pkgp-freebsd-pkg____php81-bz2-8.1.4_2
pkgp-freebsd-pkg____php81-ctype-8.1.4_2
pkgp-freebsd-pkg____php81-curl-8.1.4_2
pkgp-freebsd-pkg____php81-dom-8.1.4_1
pkgp-freebsd-pkg____php81-fileinfo-8.1.4_2
pkgp-freebsd-pkg____php81-filter-8.1.4_2
pkgp-freebsd-pkg____php81-gd-8.1.4_2
pkgp-freebsd-pkg____php81-iconv-8.1.4_2
pkgp-freebsd-pkg____php81-intl-8.1.4_2
pkgp-freebsd-pkg____php81-mbstring-8.1.4_2
pkgp-freebsd-pkg____php81-mysqli-8.1.4_2
pkgp-freebsd-pkg____php81-opcache-8.1.4_2
pkgp-freebsd-pkg____php81-pdo-8.1.4_2
pkgp-freebsd-pkg____php81-pdo_mysql-8.1.4_2
pkgp-freebsd-pkg____php81-pecl-mcrypt-1.0.4
pkgp-freebsd-pkg____php81-pecl-memcache-8.0
pkgp-freebsd-pkg____php81-posix-8.1.4_2
pkgp-freebsd-pkg____php81-readline-8.1.4_2
pkgp-freebsd-pkg____php81-session-8.1.4_2
pkgp-freebsd-pkg____php81-simplexml-8.1.4_1
pkgp-freebsd-pkg____php81-soap-8.1.4_1
pkgp-freebsd-pkg____php81-sockets-8.1.4_2
pkgp-freebsd-pkg____php81-sqlite3-8.1.4_2
pkgp-freebsd-pkg____php81-tidy-8.1.4_2
pkgp-freebsd-pkg____php81-tokenizer-8.1.4_2
pkgp-freebsd-pkg____php81-xml-8.1.4_1
pkgp-freebsd-pkg____php81-zip-8.1.4_2
pkgp-freebsd-pkg____php81-zlib-8.1.4_2
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____prometheus-2.32.1_1
pkgp-freebsd-pkg____telegraf-1.22.0_1


@ -0,0 +1 @@
alertmanager apache24 bash bash-completion grafana8 influxdb iperf3 nano php81 php81-bcmath php81-bz2 php81-ctype php81-curl php81-dom php81-fileinfo php81-filter php81-gd php81-iconv php81-intl php81-mbstring php81-mysqli php81-opcache php81-pdo php81-pdo_mysql php81-pecl-mcrypt php81-pecl-memcache php81-posix php81-readline php81-session php81-simplexml php81-soap php81-sockets php81-sqlite3 php81-tidy php81-tokenizer php81-xml php81-zip php81-zlib pkg prometheus telegraf


@ -49,7 +49,7 @@ ServerRoot "/usr/local"
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
#Listen 80
#
# Dynamic Shared Object (DSO) Support
@ -108,7 +108,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
@ -119,7 +119,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -178,7 +178,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule php7_module libexec/apache24/libphp7.so
# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -223,7 +222,7 @@ ServerAdmin sharad@ahlawat.com
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName nivi.ahlawat.com
#
# Deny access to the entirety of your server's filesystem. You must
@ -555,9 +554,8 @@ Include etc/apache24/Includes/*.conf
<VirtualHost *:443>
ServerName nivi.ahlawat.com
ServerAlias *.ahlawat.com
ServerAlias nivi
Protocols h2 h2c http/1.1
Protocols h2 http/1.1
DocumentRoot "/usr/local/www/apache24/data/"
@ -566,15 +564,15 @@ Include etc/apache24/Includes/*.conf
SSLCertificateKeyFile "/mnt/certs/privkey.pem"
#SSLCertificateChainFile "/mnt/certs/fullchain.pem"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSLCompression off
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
@ -591,20 +589,113 @@ Include etc/apache24/Includes/*.conf
<Directory "/usr/local/www/apache24/data/">
Options Indexes FollowSymLinks MultiViews
## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
#-IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
#IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
#AllowOverride controls what directives may be placed in .htaccess files.
#AllowOverride All
#-AllowOverride AuthConfig
#AllowOverride AuthConfig
#Controls who can get stuff from this server file
#-Require all granted
#Require all granted
</Directory>
ErrorLog "/var/log/ssl-error.log"
CustomLog "/var/log/ssl-access_log" combined
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(txt|xml|js)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(css)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
ExpiresDefault A31536000
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
ExpiresDefault A31536000
</FilesMatch>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(txt|xml|js)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(css)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
Header set Cache-Control "max-age=31536000"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-font-opentype" \
"application/x-font-truetype" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>
</VirtualHost>
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
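Review bot: The `<IfModule mod_deflate.c>` block added inside `<VirtualHost *:443>` opens with an unconditional `SetOutputFilter DEFLATE`, so every response of the TLS vhost is compressed, including the dynamic output served through the `proxy:fcgi://127.0.0.1:9000` handler. Compressing HTTPS responses that carry a secret (session or CSRF token) alongside request-controlled text is the precondition for BREACH-style length side channels. The blanket filter also makes the `AddOutputFilterByType DEFLATE …` list below it redundant and recompresses formats that are already compressed. I would drop the `SetOutputFilter DEFLATE` line and keep only the type list, and remove `"text/html"` and `"application/json"` from that list unless the dynamic responses are known to contain no secrets. The httpd.conf section earlier on this page (`ServerName monitor.ahlawat.com`) carries the same block; the vhost body continues outside the hunks shown.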


@ -0,0 +1,32 @@
pkgp-freebsd-pkg____apache24-2.4.53
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____ffmpeg-4.4.1_11,1
pkgp-freebsd-pkg____mod_php81-8.1.4_1
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____php81-8.1.4_2
pkgp-freebsd-pkg____php81-bz2-8.1.4_2
pkgp-freebsd-pkg____php81-ctype-8.1.4_2
pkgp-freebsd-pkg____php81-curl-8.1.4_2
pkgp-freebsd-pkg____php81-dom-8.1.4_1
pkgp-freebsd-pkg____php81-exif-8.1.4_2
pkgp-freebsd-pkg____php81-fileinfo-8.1.4_2
pkgp-freebsd-pkg____php81-filter-8.1.4_2
pkgp-freebsd-pkg____php81-gd-8.1.4_2
pkgp-freebsd-pkg____php81-iconv-8.1.4_2
pkgp-freebsd-pkg____php81-mbstring-8.1.4_2
pkgp-freebsd-pkg____php81-mysqli-8.1.4_2
pkgp-freebsd-pkg____php81-opcache-8.1.4_2
pkgp-freebsd-pkg____php81-pdo-8.1.4_2
pkgp-freebsd-pkg____php81-pdo_mysql-8.1.4_2
pkgp-freebsd-pkg____php81-pecl-imagick-3.5.1
pkgp-freebsd-pkg____php81-posix-8.1.4_2
pkgp-freebsd-pkg____php81-session-8.1.4_2
pkgp-freebsd-pkg____php81-simplexml-8.1.4_1
pkgp-freebsd-pkg____php81-xml-8.1.4_1
pkgp-freebsd-pkg____php81-xmlreader-8.1.4_1
pkgp-freebsd-pkg____php81-xmlwriter-8.1.4_1
pkgp-freebsd-pkg____php81-xsl-8.1.4_1
pkgp-freebsd-pkg____php81-zip-8.1.4_2
pkgp-freebsd-pkg____php81-zlib-8.1.4_2
pkgp-freebsd-pkg____pkg-1.17.5_1


@ -0,0 +1 @@
apache24 bash bash-completion ffmpeg mod_php81 nano php81 php81-bz2 php81-ctype php81-curl php81-dom php81-exif php81-fileinfo php81-filter php81-gd php81-iconv php81-mbstring php81-mysqli php81-opcache php81-pdo php81-pdo_mysql php81-pecl-imagick php81-posix php81-session php81-simplexml php81-xml php81-xmlreader php81-xmlwriter php81-xsl php81-zip php81-zlib pkg


@ -9,17 +9,22 @@
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
# The first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
@ -85,7 +90,7 @@ local all all trust
# IPv4 local connections:
host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::/0 md5
host all all ::1/0 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all trust
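Review bot: The IPv6 rule `host all all ::1/0 md5` has a prefix length of 0, so no address bits are compared and it still matches every IPv6 client, the same as `::/0`. That it is the new line is inferred from the print order, since the +/- markers are lost on this page. If the edit was meant to limit IPv6 to loopback, as the `# IPv6 local connections:` comment suggests, it should read `host all all ::1/128 md5`. The IPv4 rule above it remains `0.0.0.0/0`, so password logins for all databases and users are accepted from any address that can reach the listener. Narrowing it to the subnet that needs access, for example `hostssl all all <client-subnet>/<len> scram-sha-256` (placeholder values), would be the matching hardening.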


@ -0,0 +1,5 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____bash-completion-2.11_1,2
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____postgresql14-server-14.2


@ -0,0 +1 @@
bash bash-completion nano pkg postgresql14-server


@ -24,7 +24,8 @@
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# Memory units: B = bytes Time units: us = microseconds
# kB = kilobytes ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
@ -74,7 +75,7 @@ max_connections = 100 # (change requires restart)
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
# see "man tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
@ -85,14 +86,18 @@ max_connections = 100 # (change requires restart)
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
#client_connection_check_interval = 0 # time between checks for client
# disconnection while running queries;
# 0 for never
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
#krb_caseins_users = off
# - SSL -
@ -101,11 +106,12 @@ max_connections = 100 # (change requires restart)
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
@ -122,14 +128,18 @@ shared_buffers = 128MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#huge_page_size = 0 # zero for system default
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#hash_mem_multiplier = 1.0 # 1-1000.0 multiplier on hash table work_mem
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#logical_decoding_work_mem = 64MB # min 64kB
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
@ -144,22 +154,23 @@ dynamic_shared_memory_type = posix # the default is the first option
# windows
# mmap
# (change requires restart)
#min_dynamic_shared_memory = 0MB # (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# in kilobytes, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
#max_files_per_process = 1000 # min 64
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_miss = 2 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
@ -172,16 +183,17 @@ dynamic_shared_memory_type = posix # the default is the first option
# - Asynchronous Behavior -
#backend_flush_after = 0 # measured in pages, 0 disables
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#maintenance_io_concurrency = 10 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#parallel_leader_participation = on
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
@ -200,20 +212,21 @@ dynamic_shared_memory_type = posix # the default is the first option
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fdatasync (default on Linux and FreeBSD)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_compression = off # enable compression of full-page writes
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#wal_skip_threshold = 2MB
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
@ -221,11 +234,11 @@ dynamic_shared_memory_type = posix # the default is the first option
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
max_wal_size = 1GB
min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
max_wal_size = 1GB
min_wal_size = 80MB
# - Archiving -
@ -246,7 +259,6 @@ min_wal_size = 80MB
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
@ -281,19 +293,19 @@ min_wal_size = 80MB
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
# Set these on the primary and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#wal_keep_size = 0 # in megabytes; 0 disables
#max_slot_wal_keep_size = -1 # in megabytes; -1 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# - Primary Server -
# These settings are ignored on a standby server.
@ -305,12 +317,10 @@ min_wal_size = 80MB
# - Standby Servers -
# These settings are ignored on a master server.
# These settings are ignored on a primary server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
@ -320,12 +330,14 @@ min_wal_size = 80MB
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name
# is not set
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# communication from primary
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
@ -346,22 +358,26 @@ min_wal_size = 80MB
# - Planner Method Configuration -
#enable_async_append = on
#enable_bitmapscan = on
#enable_gathermerge = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_incremental_sort = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_memoize = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_parallel_hash = on
#enable_partition_pruning = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
@ -370,8 +386,11 @@ min_wal_size = 80MB
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
@ -382,10 +401,6 @@ min_wal_size = 80MB
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
@ -402,10 +417,9 @@ min_wal_size = 80MB
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#jit = on # allow JIT compilation
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
@ -435,6 +449,11 @@ log_destination = 'syslog'
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
@ -443,11 +462,6 @@ log_destination = 'syslog'
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
@ -455,7 +469,7 @@ log_destination = 'syslog'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# This is only relevant when logging to eventlog (Windows):
# (change requires restart)
#event_source = 'PostgreSQL'
@ -494,9 +508,20 @@ log_destination = 'syslog'
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements
# and their durations, > 0 logs only a sample of
# statements running at least this number
# of milliseconds;
# sample fraction is determined by log_statement_sample_rate
#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding
# log_min_duration_sample to be logged;
# 1.0 logs all such statements, 0.0 never logs
#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements
# are logged regardless of their duration; 1.0 logs all
# statements from all transactions, 0.0 never logs
# - What to Log -
@ -504,6 +529,11 @@ log_destination = 'syslog'
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_autovacuum_min_duration = -1 # log autovacuum activity;
# -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
@ -516,10 +546,13 @@ log_destination = 'syslog'
# %d = database name
# %r = remote host and port
# %h = remote host
# %b = backend type
# %p = process ID
# %P = process ID of parallel group leader
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %Q = query ID (0 if none or not computed)
# %i = command tag
# %e = SQL state
# %c = session ID
@ -532,12 +565,21 @@ log_destination = 'syslog'
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_recovery_conflict_waits = off # log standby recovery conflict waits
# >= deadlock_timeout
#log_parameter_max_length = -1 # when logging statements, limit logged
# bind-parameter values to N bytes;
# -1 means print in full, 0 disables
#log_parameter_max_length_on_error = 0 # when logging an error, limit logged
# bind-parameter values to N bytes;
# -1 means print in full, 0 disables
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'America/Los_Angeles'
log_timezone = 'US/Pacific'
#------------------------------------------------------------------------------
# PROCESS TITLE
@ -557,19 +599,21 @@ update_process_title = off
# - Query and Index Statistics Collector -
#track_activities = on
#track_activity_query_size = 1024 # (change requires restart)
#track_counts = on
#track_io_timing = off
#track_wal_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#compute_query_id = auto
#log_statement_stats = off
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
@ -578,18 +622,19 @@ update_process_title = off
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts
# before vacuum; -1 disables insert
# vacuums
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table
# size before insert vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
@ -622,10 +667,11 @@ update_process_title = off
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_table_access_method = 'heap'
#default_tablespace = '' # a tablespace name, '' uses the default
#default_toast_compression = 'pglz' # 'pglz' or 'lz4'
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
@ -634,24 +680,23 @@ update_process_title = off
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#idle_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_freeze_min_age = 50000000
#vacuum_failsafe_age = 1600000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_failsafe_age = 1600000000
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
timezone = 'America/Los_Angeles'
timezone = 'US/Pacific'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
@ -676,14 +721,15 @@ default_text_search_config = 'pg_catalog.english'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#shared_preload_libraries = '' # (change requires restart)
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#gin_fuzzy_search_limit = 0
#------------------------------------------------------------------------------
@ -711,7 +757,6 @@ default_text_search_config = 'pg_catalog.english'
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
@ -730,6 +775,7 @@ default_text_search_config = 'pg_catalog.english'
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#recovery_init_sync_method = fsync # fsync, syncfs (Linux 5.8+)
#------------------------------------------------------------------------------


@ -1,4 +1,4 @@
# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# $FreeBSD: releng/12.3/usr.sbin/freebsd-update/freebsd-update.conf 370439 2021-08-29 16:58:35Z kevans $
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
@ -10,6 +10,8 @@ KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org
# caching not used as I am mounting the /var/db/freebsd-update/files directory into every jail
#ServerName pkgp-freebsd-update.ahlawat.com
# Components of the base system which should be kept updated.
Components src world
@ -74,3 +76,6 @@ MergeChanges /etc/ /boot/device.hints
# When backing up a kernel also back up debug symbol files?
# BackupKernelSymbolFiles no
# Create a new boot environment when installing patches
# CreateBootEnv yes


@ -1,18 +1,18 @@
net/haproxy
net/openldap24-server
net/openldap24-client
net/openldap24-sasl-client
security/cyrus-sasl2
www/apache24
devel/apr1
net/php74-ldap
net/php81-ldap
net/php80-ldap
mail/postfix
mail/dovecot
mail/dovecot-pigeonhole
mail/rspamd
mail/dcc-dccd
net/netatalk3
net/samba411
net/samba413
net/nss-pam-ldapd
net/nss-pam-ldapd-sasl
#security/pam_ldap # included above


@ -1,28 +1,24 @@
user www wheel;
worker_processes 8;
error_log /var/log/nginx/error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
# access_log /var/log/nginx/access.log;
access_log /var/log/nginx/access.log;
access_log off;
error_log /var/log/nginx/error.log;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
aio on;
sendfile on;
tcp_nopush on;
resolver 192.168.0.5 [fd01::5];
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
server {
listen *:80;
listen [::]:80;
@ -40,7 +36,6 @@ http {
}
#error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
@ -48,18 +43,31 @@ http {
}
server {
listen *:443 ssl;
listen [::]:443 ssl;
listen *:443 ssl http2;
listen [::]:443 ssl http2;
server_name pkgp.ahlawat.com;
root /usr/local/share/poudriere/html;
ssl_certificate /mnt/certs/fullchain.pem;
ssl_certificate_key /mnt/certs/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /mnt/certs/fullchain.pem;
location /data {
alias /mnt/poudriere/data/logs/bulk;
@ -72,31 +80,43 @@ http {
}
#error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
}
proxy_cache_path /mnt/cache/pkg/ levels=1:2 keys_zone=pkg_cache:10m max_size=10g inactive=10d use_temp_path=off;
# https://www.nginx.com/blog/nginx-caching-guide/
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid
proxy_cache_path /mnt/cache/pkg/ levels=1:2 keys_zone=pkg_cache:10m max_size=10g inactive=1d use_temp_path=off;
server {
listen *:80;
listen [::]:80;
server_name pkgp-freebsd-pkg.ahlawat.com;
root /mnt/cache/pkg/;
autoindex on;
if_modified_since before;
# root /mnt/cache/pkg/;
# autoindex on;
proxy_http_version 1.1;
proxy_socket_keepalive on;
proxy_set_header Host $host;
# add_header X-Proxy-Cache $upstream_cache_status;
location / {
proxy_cache pkg_cache;
proxy_cache_valid 1d;
proxy_cache_revalidate on;
proxy_cache_lock on;
proxy_next_upstream error timeout invalid_header http_404;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
proxy_hide_header X-Accel-Expires;
proxy_hide_header Expires;
proxy_hide_header Cache-Control;
proxy_hide_header Set-Cookie;
proxy_pass http://pkg-mirrors;
proxy_http_version 1.1;
# add_header X-Proxy-Cache $upstream_cache_status;
proxy_next_upstream error timeout invalid_header http_404;
}
}
upstream pkg-mirrors {
@ -110,7 +130,7 @@ http {
listen [::]:8001;
server_name localhost;
location / {
proxy_pass http://pkg0.isc.FreeBSD.org;
proxy_pass http://pkg0.tuk.FreeBSD.org;
}
}
@ -119,7 +139,7 @@ http {
listen [::]:8002;
server_name localhost;
location / {
proxy_pass http://pkg0.tuk.FreeBSD.org;
proxy_pass http://pkg0.bbt.FreeBSD.org;
}
}
@ -132,27 +152,38 @@ http {
}
}
proxy_cache_path /mnt/cache/update/ levels=1:2 keys_zone=update_cache:10m max_size=10g inactive=10d use_temp_path=off;
proxy_cache_path /mnt/cache/update/ levels=1:2 keys_zone=update_cache:10m max_size=10g inactive=1d use_temp_path=off;
server {
listen *:80;
listen [::]:80;
server_name pkgp-freebsd-update.ahlawat.com;
root /mnt/cache/update/;
if_modified_since before;
# root /mnt/cache/update/;
# autoindex on;
proxy_http_version 1.1;
proxy_socket_keepalive on;
proxy_set_header Host $host;
# add_header X-Proxy-Cache $upstream_cache_status;
location / {
proxy_cache update_cache;
proxy_cache_valid 1d;
proxy_cache_revalidate on;
proxy_cache_lock on;
proxy_next_upstream error timeout invalid_header http_404;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
proxy_hide_header X-Accel-Expires;
proxy_hide_header Expires;
proxy_hide_header Cache-Control;
proxy_hide_header Set-Cookie;
proxy_pass http://update-mirrors;
proxy_http_version 1.1;
# add_header X-Proxy-Cache $upstream_cache_status;
proxy_next_upstream error timeout invalid_header http_404;
}
}
upstream update-mirrors {
keepalive 4;
server localhost:8011;
server localhost:8012;
server localhost:8013;
@ -193,4 +224,5 @@ http {
proxy_pass http://update4.FreeBSD.org;
}
}
}
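Review bot: In the `pkgp-freebsd-pkg.ahlawat.com` cache server, `proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;` together with `proxy_cache_valid 1d;` keeps every cacheable upstream response for a day regardless of what the mirror advertises, and the mirrors are reached over plain `http://`. A stale or altered response, the repository catalogue included, would be replayed to every jail behind the cache until it expires, so integrity rests entirely on the signature checks that pkg and freebsd-update perform on the clients. I would record that next to the proxy_pass line, for example `# cached over plain HTTP; integrity relies on client-side signature verification`. Consider leaving `Cache-Control` and `Expires` out of `proxy_ignore_headers`, or giving the catalogue paths a shorter `proxy_cache_valid`, so that metadata follows the mirrors' own freshness rules. The same applies to the `pkgp-freebsd-update.ahlawat.com` server further down in this section.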


@ -9,3 +9,12 @@ pkgp-freebsd-pkg: {
enabled: yes,
priority: 10
}
pkgp123: {
url: "http://pkgp.ahlawat.com/packages/pj123-default",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/data/apps/certs/poudriere.cert",
enabled: no,
priority: 100
}
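Review bot: The new `pkgp123` repository is fetched over plain HTTP (`url: "http://pkgp.ahlawat.com/packages/pj123-default"`) even though the nginx configuration in this same commit gives `pkgp.ahlawat.com` a TLS listener on 443. `signature_type: "pubkey"` protects the integrity of what is installed, but on its own it does not stop an on-path party from serving an older, still validly signed catalogue, which would hold back security updates. If the jail trusts the server's certificate chain, `url: "https://pkgp.ahlawat.com/packages/pj123-default"` closes that gap. The entry is `enabled: no` here, so this matters once it is switched on.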


@ -0,0 +1,6 @@
pkgp-freebsd-pkg____bash-5.1.16
pkgp-freebsd-pkg____ca_root_nss-3.76
pkgp-freebsd-pkg____nano-6.0
pkgp-freebsd-pkg____pkg-1.17.5_1
pkgp-freebsd-pkg____plexmediaserver-1.25.6.5577
pkgp-freebsd-pkg____python27-2.7.18_1


@ -0,0 +1 @@
bash ca_root_nss nano pkg plexmediaserver python27


@ -6,19 +6,42 @@
#
#
# https://ssl-config.mozilla.org/#server=haproxy
# Need to use Intermediate setting for Twilio and Jetpack
global
daemon
maxconn 4096
# modern configuration # twilio is one of the sites that cannot handle the modern config
# ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
# ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
# intermediate configuration
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /mnt/certs/dhparam2048.pem
ssl-dh-param-file /mnt/certs/dhparam2048.pem
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3 no-tlsv10
# no-tlsv11
#testing
#tune.idle-pool.shared off
log 127.0.0.1 local0
defaults
log global
mode http
option http-use-htx
# option http-use-htx #not supported in 2.5
option forwardfor
option redispatch
option http-keep-alive
@ -26,6 +49,7 @@ defaults
option httplog
option dontlognull
retries 3
maxconn 4096
timeout http-request 10s
timeout http-keep-alive 10s
timeout queue 1m
@ -36,6 +60,12 @@ defaults
timeout tunnel 3600s
timeout tarpit 60s
unique-id-format %{+X}o\ %[hostname,field(1,.),upper]-%Ts%rt
default-server init-addr none resolvers mydns
resolvers mydns
nameserver ns1 192.168.0.5:53
frontend stats
bind :::8404 v4v6
http-request use-service prometheus-exporter if { path /metrics }
@ -48,230 +78,271 @@ frontend stats
frontend ft
bind :::80 v4v6
bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem
# bind :::443 v4v6 strict-sni alpn http/1.1 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem crt /mnt/certs/rwehaproxy.pem crt /mnt/certs/rwrhaproxy.pem crt /mnt/certs/scvcchaproxy.pem
bind :::443 v4v6 strict-sni alpn h2,http/1.1 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem crt /mnt/certs/rwehaproxy.pem crt /mnt/certs/rwrhaproxy.pem crt /mnt/certs/scvcchaproxy.pem
redirect scheme https if !{ ssl_fc }
redirect scheme https code 301 if !{ ssl_fc }
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
# passing on that browser is using https
## http-request add-header Forwarded: proto=https
#enabling this breaks things, needs investigation
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
# acl is_websocket hdr(Upgrade) -i WebSocket
# acl is_websocket hdr_beg(Host) -i ws
# use_backend bk_ahlawat-hass if is_websocket
# for Clickjacking - added to individual backends
# http-response add-header X-Frame-Options: SAMEORIGIN
# prevent browser from using non-secure
http-response add-header Strict-Transport-Security: max-age=15768000
acl network_allowed src 192.168.0.0/24 fd01::/64
acl restricted_page path -i -m sub /wp-admin
acl network_allowed src 192.168.0.0/24 192.168.8.0/24 192.168.50.0/24 192.168.51.0/24 fd01::/64 fd08::/64 fd50::/64 fd51::/64
# acl restricted_page path -i -m sub /wp-admin ## rockwood needs external access
acl restricted_page path -i -m sub /wp-login
http-request deny if restricted_page !network_allowed
use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
http-request set-header X-Client-IP "%[src]"
http-request set-header X-Client-Port "%[src_port]"
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
http-response set-header Strict-Transport-Security max-age=63072000
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivi.ahlawat.com }
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
# for Clickjacking - added to individual backends
# http-response set-header X-Frame-Options SAMEORIGIN
use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com }
use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com }
use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com }
use_backend bk_ahlawat-cam if { ssl_fc_sni cam.ahlawat.com }
use_backend bk_ahlawat-ci if { ssl_fc_sni ci.ahlawat.com }
use_backend bk_ahlawat-cloud if { ssl_fc_sni cloud.ahlawat.com }
use_backend bk_ahlawat-git if { ssl_fc_sni git.ahlawat.com }
use_backend bk_ahlawat-hub if { ssl_fc_sni hub.ahlawat.com }
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
use_backend bk_ahlawat-hass if { ssl_fc_sni hass.ahlawat.com }
# https://github.com/haproxy/haproxy/issues/1353
# use req.hdr(host) instead of ssl_fc_sni
# use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
# use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
use_backend bk_diyit if { ssl_fc_sni diyit.org }
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
use_backend bk_diyit if { ssl_fc_sni xflow.org }
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
use_backend bk_ahlawat if { req.hdr(host) ahlawat.com }
use_backend bk_ahlawat if { req.hdr(host) www.ahlawat.com }
use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
use_backend bk_ahlawat-sharad if { req.hdr(host) sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { req.hdr(host) rachna.ahlawat.com }
use_backend bk_ahlawat-nivi if { req.hdr(host) nivi.ahlawat.com }
use_backend bk_ahlawat-nivi if { req.hdr(host) nivedita.ahlawat.com }
use_backend bk_ahlawat-rishabh if { req.hdr(host) rishabh.ahlawat.com }
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
use_backend bk_beyondbell-dashboard if { ssl_fc_sni dashboard.beyondbell.com }
use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
use_backend bk_ahlawat-book-443 if { req.hdr(host) books.ahlawat.com }
use_backend bk_ahlawat-book-444 if { req.hdr(host) book1.ahlawat.com }
use_backend bk_ahlawat-book-445 if { req.hdr(host) book2.ahlawat.com }
use_backend bk_ahlawat-cam if { req.hdr(host) cam.ahlawat.com }
use_backend bk_ahlawat-ci if { req.hdr(host) ci.ahlawat.com }
use_backend bk_ahlawat-cloud if { req.hdr(host) cloud.ahlawat.com }
use_backend bk_ahlawat-git if { req.hdr(host) git.ahlawat.com }
use_backend bk_ahlawat-hub if { req.hdr(host) hub.ahlawat.com }
use_backend bk_ahlawat-matrix if { req.hdr(host) matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { req.hdr(host) meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { req.hdr(host) monitor.ahlawat.com }
use_backend bk_ahlawat-jump if { req.hdr(host) jump.ahlawat.com }
use_backend bk_ahlawat-hass if { req.hdr(host) hass.ahlawat.com }
use_backend bk_diyit if { req.hdr(host) diyit.org }
use_backend bk_diyit if { req.hdr(host) www.diyit.org }
use_backend bk_diyit if { req.hdr(host) xflow.org }
use_backend bk_diyit if { req.hdr(host) www.xflow.org }
use_backend bk_diyit-grafana if { req.hdr(host) grafana.diyit.org }
use_backend bk_diyit-prometheus if { req.hdr(host) prometheus.diyit.org }
use_backend bk_diyit-kibana if { req.hdr(host) kibana.diyit.org }
use_backend bk_diyit-maps if { req.hdr(host) maps.diyit.org }
use_backend bk_dvpc if { req.hdr(host) datavpc.com }
use_backend bk_dvpc if { req.hdr(host) www.datavpc.com }
use_backend bk_dvpc if { req.hdr(host) mydatavpc.com }
use_backend bk_dvpc if { req.hdr(host) www.mydatavpc.com }
use_backend bk_rwe if { req.hdr(host) rockwoodestates.org }
use_backend bk_rwe if { req.hdr(host) www.rockwoodestates.org }
use_backend bk_rwr if { req.hdr(host) rockwoodranch.org }
use_backend bk_rwr if { req.hdr(host) www.rockwoodranch.org }
use_backend bk_scvcc if { req.hdr(host) scvcc-rental.com }
use_backend bk_scvcc if { req.hdr(host) www.scvcc-rental.com }
use_backend bk_beyondbell if { req.hdr(host) beyondbell.com }
use_backend bk_beyondbell if { req.hdr(host) www.beyondbell.com }
use_backend bk_beyondbell-ci if { req.hdr(host) ci.beyondbell.com }
use_backend bk_beyondbell-git if { req.hdr(host) git.beyondbell.com }
use_backend bk_beyondbell-repo if { req.hdr(host) repo.beyondbell.com }
use_backend bk_beyondbell-dashboard if { req.hdr(host) dashboard.beyondbell.com }
use_backend bk_beyondbell-vault if { req.hdr(host) vault.beyondbell.com }
use_backend bk_beyondbell-web-moonglade if { req.hdr(host) moonglade.beyondbell.com }
use_backend bk_beyondbell-web-moonglade-private if { req.hdr(host) moonglade-private.beyondbell.com }
use_backend bk_beyondbell-r-windows if { req.hdr(host) moonglade-server.beyondbell.com }
use_backend bk_beyondbell-windows if { req.hdr(host) gs.beyondbell.com }
use_backend bk_beyondbell-mazes if { req.hdr(host) mazes.beyondbell.com }
use_backend bk_beyondbell-mazes-backend if { req.hdr(host) mazes-backend.beyondbell.com }
# Fallback for non-SNI clients
acl is-ahlawat hdr(host) -i ahlawat.com
acl is-ahlawat hdr(host) -i www.ahlawat.com
use_backend bk_ahlawat if is-ahlawat
acl is-diyit hdr(host) -i diyit.org
acl is-diyit hdr(host) -i www.diyit.org
use_backend bk_diyit if is-diyit
default_backend bk_ahlawat
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend bk_ahlawat if is_websocket
backend bk_ahlawat
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-sharad
# balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
# http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"
backend bk_ahlawat-rachna
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-nivi
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-rishabh
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-book-443
server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 book.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-book-444
server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 book.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-book-445
server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 book.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-cam
server srv1 192.168.0.54:8765 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-ci
# http-request set-header Host cix.ahlawat.com:8080
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2
server srv1 cix.ahlawat.com:8080 check
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-cloud
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-git
timeout queue 8s
# timeout queue 8s
server srv1 gitx.ahlawat.com:3000 check ssl maxconn 32 ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
# http-response add-header X-Frame-Options: SAMEORIGIN
# http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-hub
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-matrix
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-meet
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-monitor
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
# http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-jump
server srv1 jumpx.ahlawat.com:8080 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_ahlawat-hass
server srv1 hassx.ahlawat.com:8123 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_diyit-grafana
server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
server srv1 grafanax.diyit.org:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_diyit-prometheus
server srv1 monitorx.ahlawat.com:9090 check
server srv1 prometheusx.diyit.org:9090 check
# ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_diyit-kibana
server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_diyit-maps
server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
# http-response set-header X-Frame-Options SAMEORIGIN
backend bk_dvpc
server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_rwe
server srv1 web.rockwoodestates.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_rwr
server srv1 web.rockwoodranch.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_scvcc
server srv1 web.scvcc-rental.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell
server srv1 192.168.0.77:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
# server srv1 192.168.0.77:8080
server srv1 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-ci
# http-request set-header Host cix.beyondbell.com:8111
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 192.168.0.73:8111
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-git
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-repo
# http-request set-header Host 192.168.0.75:8081
@ -279,7 +350,7 @@ backend bk_beyondbell-repo
# http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
server srv1 192.168.0.75:8081
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
# http-response del-header Strict-Transport-Security
# http-response add-header Content-Security-Policy: upgrade-insecure-requests
@ -288,24 +359,41 @@ backend bk_beyondbell-dashboard
http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2
server srv1 192.168.0.92:8080
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-vault
http-request replace-header Host ^([^\ \t:]*:)\ https://vault.beyondbell.com/(.*) \1\ http://192.168.0.93:8200/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.93:8200/(.*) \1\ https://vault.beyondbell.com/\2
server srv1 192.168.0.93:8200
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-web-moonglade
server srv1 192.168.0.74:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-web-moonglade-private
server srv1 192.168.0.74:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-r-windows
server srv1 192.168.0.85:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-windows
server srv1 192.168.0.81:26900
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-mazes
server srv1 192.168.0.171:8080
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
http-response set-header X-Frame-Options SAMEORIGIN
backend bk_beyondbell-mazes-backend
server srv1 192.168.0.172:8080
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response set-header X-Frame-Options SAMEORIGIN
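Review bot: The `bk_beyondbell-vault` backend forwards to `192.168.0.93:8200` with no `ssl` on the server line, so Vault tokens and secret payloads travel in cleartext between the proxy and the backend once TLS has been terminated at the frontend. If Vault's listener has TLS enabled (not visible on this page), the line should read `server srv1 192.168.0.93:8200 check ssl verify required ca-file /mnt/certs/cacert.pem`, plus a `verifyhost` matching the certificate name. The `server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file ...` lines in `bk_beyondbell-r-windows` and `bk_beyondbell-windows` set neither `sni` nor `verifyhost`, so the chain is validated against the CA file but the certificate name is not checked; appending `verifyhost rishabhx.ahlawat.com` closes that gap. The `replace-header Host` rules in the dashboard and vault backends are written as whole-line `Name: https://host/path` patterns, but `replace-header` is matched against the header value only and a Host value carries no scheme or path, so they appear to be no-ops. The response-side rule was probably meant to be `http-response replace-header Location`, with a pattern written for the bare URL value.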
