apr 19 update

2022-04-19 13:38:56 -07:00 · 2022-04-19 13:38:56 -07:00 · 18dd3d9761
commit 18dd3d9761
parent a0a9496aef
208 changed files with 12435 additions and 1112 deletions
--- a/configs/etc/defaults/devfs.rules
+++ b/configs/etc/defaults/devfs.rules
@ -13,7 +13,7 @@
 # references must include a dollar sign '$' in front of the
 # name to be expanded properly.
 #
-# $FreeBSD: releng/12.2/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
+# $FreeBSD: releng/12.3/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
 #
 # Very basic and secure ruleset: Hide everything.
--- a/configs/etc/defaults/periodic.conf
+++ b/configs/etc/defaults/periodic.conf
@ -13,7 +13,7 @@
 # For a more detailed explanation of all the periodic.conf variables, please
 # refer to the periodic.conf(5) manual page.
 #
-# $FreeBSD: releng/12.2/usr.sbin/periodic/periodic.conf 337648 2018-08-11 17:11:08Z brd $
+# $FreeBSD: releng/12.3/usr.sbin/periodic/periodic.conf 370770 2021-10-07 19:46:04Z asomers $
 #
 # What files override these defaults ?
@ -77,6 +77,29 @@ daily_backup_passwd_enable="YES"			# Backup passwd & group
 # 210.backup-aliases
 daily_backup_aliases_enable="YES"			# Backup mail aliases
 # 221.backup-gpart
 if [ $(sysctl -n security.jail.jailed) = 0 ]; then
        # Backup partition table/boot partition/MBR
        daily_backup_gpart_enable="YES"
 else
        daily_backup_gpart_enable="NO"
 fi
 daily_backup_gpart_verbose="NO"             		# Be verbose if new backup differs from the old one
 daily_backup_efi_enable="NO"                		# Backup EFI system partition (ESP)
 # 222.backup-gmirror
 daily_backup_gmirror_enable="NO"			# Backup of gmirror info (i.e., output of `gmirror list`)
 daily_backup_gmirror_verbose="NO"			# Log diff if new backup differs from the old one
 # 223.backup-zfs
 daily_backup_zfs_enable="NO"				# Backup output from zpool/zfs list
 daily_backup_zfs_props_enable="NO"			# Backup zpool/zfs filesystem properties
 daily_backup_zfs_get_flags="all"			# flags passed to `zfs get`
 daily_backup_zfs_list_flags=""				# flags passed to `zfs list`
 daily_backup_zpool_get_flags="all"			# flags passed to `zpool get`
 daily_backup_zpool_list_flags="-v"			# flags passed to `zpool list`
 daily_backup_zfs_verbose="NO"				# Report diff between the old and new backups.
 # 300.calendar
 daily_calendar_enable="NO"				# Run calendar -a
@ -118,7 +141,7 @@ daily_status_mfi_enable="NO"				# Check mfiutil(8)
 # 420.status-network
 daily_status_network_enable="NO"			# Check network status
 daily_status_network_usedns="YES"			# DNS lookups are ok
-daily_status_network_netstat_flags="-d"			# netstat(1) flags
+daily_status_network_netstat_flags="-d -W"		# netstat(1) flags
 # 430.status-uptime
 daily_status_uptime_enable="YES"			# Check system uptime
--- a/configs/etc/freebsd-update.conf
+++ b/configs/etc/freebsd-update.conf
@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.3/usr.sbin/freebsd-update/freebsd-update.conf 370439 2021-08-29 16:58:35Z kevans $
 # Trusted keyprint.  Changing this is a Bad Idea unless you've received
 # a PGP-signed email from <security-officer@FreeBSD.org> telling you to
@ -17,7 +17,7 @@ ServerName update.FreeBSD.org
 # Example for updating the userland and the kernel source code only:
 #Components src world
 Components world
-# manually run - svnlite update /usr/src - before recompiling the kernel
+# manually run - git pull in /usr/src - before recompiling the kernel
 # Paths which start with anything matching an entry in an IgnorePaths
 # statement will be ignored.
@ -76,3 +76,6 @@ MergeChanges /etc/ /boot/device.hints
 # When backing up a kernel also back up debug symbol files?
 # BackupKernelSymbolFiles no
 # Create a new boot environment when installing patches
 # CreateBootEnv yes
--- a/configs/etc/hosts
+++ b/configs/etc/hosts
@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
+# $FreeBSD: releng/12.3/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
 #
 # Host Database
 #
@ -24,7 +24,7 @@ fd09::10	nas nas.ahlawat.com
 192.168.10.10		nas nas.ahlawat.com
 fd0a::10	nas nas.ahlawat.com
 192.168.48.10		nas nas.ahlawat.com
-2001:470:82a9::10	nas nas.ahlawat.com
+2001:470:480a::10	nas nas.ahlawat.com
 #
 # Imaginary network. 10.0.0.2 myname.my.domain myname 10.0.0.3 myfriend.my.domain myfriend
--- a/configs/etc/login.conf
+++ b/configs/etc/login.conf
@ -7,7 +7,7 @@
 # This file controls resource limits, accounting limits and
 # default user environment settings.
 #
-# $FreeBSD: releng/12.2/usr.bin/login/login.conf 357789 2020-02-12 02:04:03Z kevans $
+# $FreeBSD: releng/12.3/usr.bin/login/login.conf 369215 2021-02-04 03:15:28Z kevans $
 #
 # Default settings effectively disable resource limits, see the
@ -63,7 +63,13 @@ xuser:\
 	:tc=default:
 staff:\
 	:tc=default:
 # This PATH may be clobbered by individual applications.  Notably, by default,
 # rc(8), service(8), and cron(8) will all override it with a default PATH that
 # may not include /usr/local/sbin and /usr/local/bin when starting services or
 # jobs.
 daemon:\
 	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\
 	:mail@:\
 	:memorylocked=128M:\
 	:tc=default:
--- a/configs/etc/ntp.conf
+++ b/configs/etc/ntp.conf
@ -1,5 +1,5 @@
 #
-# $FreeBSD: releng/12.2/usr.sbin/ntp/ntpd/ntp.conf 352865 2019-09-29 03:36:50Z cy $
+# $FreeBSD: releng/12.3/usr.sbin/ntp/ntpd/ntp.conf 365704 2020-09-14 01:20:57Z emaste $
 #
 # Default NTP servers for the FreeBSD operating system.
 #
@ -15,7 +15,7 @@
 # or discovered dynamically via mechanisms such as broadcast and manycast.
 # Ntpd automatically adds maxclock-1 servers from configured pools, and may
 # add as many as maxclock*2 if necessary to ensure that at least minclock
-# servers are providing good consistant time.
+# servers are providing good consistent time.
 #
 tos minclock 3 maxclock 6
--- a/configs/etc/profile
+++ b/configs/etc/profile
@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/bin/sh/profile 363525 2020-07-25 11:57:39Z pstef $
+# $FreeBSD: releng/12.3/bin/sh/profile 363525 2020-07-25 11:57:39Z pstef $
 #
 # System-wide .profile file for sh(1).
 #
--- a/configs/etc/rc.conf
+++ b/configs/etc/rc.conf
@ -1,6 +1,6 @@
 zfs_enable="YES"
-kld_list="nmdm vmm ipfw ipdivert linux64"
+kld_list="nmdm vmm ipfw ipdivert linux64 wg"
 # Do not mark to autodetach otherwise ZFS gets very unhappy.
 geli_autodetach="NO"
@ -34,7 +34,7 @@ firewall_logif="YES"
 cloned_interfaces_sticky="YES"
 cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10 bridge48"
-ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
+ifconfig_lagg0="laggproto loadbalance laggport igb0 laggport igb1 up"
 ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
 ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
@ -54,7 +54,7 @@ ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_10="inet 192.168.10.10/24"
 ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_48="inet 192.168.48.10/24"
-ifconfig_lagg0_48_ipv6="inet6 2001:470:82a9::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_48_ipv6="inet6 2001:470:480a::10/64 auto_linklocal accept_rtadv"
 ifconfig_bridge1="addm lagg0.1 up"
 ifconfig_bridge2="addm lagg0.2 up"
--- a/configs/etc/sysctl.conf
+++ b/configs/etc/sysctl.conf
@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
+# $FreeBSD: releng/12.3/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
 #
 #  This file is read when going to multi-user and its contents piped thru
 #  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
--- a/configs/usr/local/etc/pkg/repos/pkgp.conf
+++ b/configs/usr/local/etc/pkg/repos/pkgp.conf
@ -1,17 +1,17 @@
 FreeBSD: {
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
-    enabled: yes
+    enabled: no
 }
 pkgp-freebsd-pkg: {
    url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
    mirror_type: "http",
-    enabled: no,
+    enabled: yes,
    priority: 10
 }
-pkgp121: {
+pkgp123: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj123-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/data/apps/certs/poudriere.cert",
--- a/configs/usr/local/etc/rc.d/gstat_exporter
+++ b/configs/usr/local/etc/rc.d/gstat_exporter
@ -19,7 +19,7 @@
 name=gstat_exporter
 rcvar=${name}_enable
-GSTATEXPORTER="nohup /usr/local/bin/python3.7 /root/FreeBSD/scripts/gstat_exporter.py"
+GSTATEXPORTER="nohup /usr/local/bin/python3.8 /root/FreeBSD/scripts/gstat_exporter.py"
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
--- a/iocage/Makefile
+++ b/iocage/Makefile
@ -1,11 +1,11 @@
 ZPOOL=""
 SERVER=""
-PYTHON?=/usr/local/bin/python3.7
+PYTHON?=/usr/local/bin/python3.8
 depends:
 	@(pkg -vv | grep -e "url.*/latest") > /dev/null 2>&1 || (echo "It is advised pkg url is using \"latest\" instead of \"quarterly\" in /etc/pkg/FreeBSD.conf.";)
-	@test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python37"; pkg install -q -y python37)
+	@test -s ${PYTHON} || (echo "Python binary ${PYTHON} not found, iocage will install python38"; pkg install -q -y python38)
-	pkg install -q -y py37-libzfs
+	pkg install -q -y py38-libzfs
 	${PYTHON} -m ensurepip
 	${PYTHON} -m pip install -Ur requirements.txt
--- a/iocage/iocage-env.sh
+++ b/iocage/iocage-env.sh
@ -1,3 +1,3 @@
-pkg install python37 py37-cython py37-pip py37-libzfs py37-six
+pkg install python38 py38-cython py38-pip py38-libzfs py38-six
-python3.7 -m pip install pip==19.3.1
+python3.8 -m pip install pip==19.3.1
 # iocage install does not work with pip 20.x
--- a/jails/config/atm/nsswitch.conf
+++ b/jails/config/atm/nsswitch.conf
@ -1,6 +1,6 @@
 #
 # nsswitch.conf(5) - name service switch configuration file
-# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
+# $FreeBSD: releng/12.2/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
 #
 #group: compat
 group: files ldap
--- a/jails/config/atm/pkg-list-details.txt
+++ b/jails/config/atm/pkg-list-details.txt
@ -0,0 +1,6 @@
 pkgp122____netatalk3-3.1.12_4,1
 pkgp123____nss-pam-ldapd-sasl-0.9.12_1
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
--- a/jails/config/atm/pkg-list.txt
+++ b/jails/config/atm/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion nano netatalk3 nss-pam-ldapd-sasl pkg
--- a/jails/config/atm/pkgp.conf
+++ b/jails/config/atm/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp122: {
+pkgp123: {
-    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj123-default",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/atm/sshd
+++ b/jails/config/atm/sshd
@ -1,5 +1,5 @@
 #
-# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
+# $FreeBSD: releng/12.2/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
 #
 # PAM configuration for the "sshd" service
 #
--- a/jails/config/auto/pkg-list-details.txt
+++ b/jails/config/auto/pkg-list-details.txt
@ -0,0 +1,14 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____mc-4.8.28
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____nginx-1.20.2_9,2
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____postgresql14-client-14.2
 pkgp-freebsd-pkg____py38-ansible-5.5.0
 pkgp-freebsd-pkg____py38-django32-3.2.12
 pkgp-freebsd-pkg____py38-gunicorn-20.1.0
 pkgp-freebsd-pkg____py38-pillow-9.0.1_1
 pkgp-freebsd-pkg____py38-pip-20.3.4
 pkgp-freebsd-pkg____py38-tkinter-3.8.13_6
 pkgp-freebsd-pkg____sudo-1.9.10
--- a/jails/config/auto/pkg-list.txt
+++ b/jails/config/auto/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion mc nano nginx pkg postgresql14-client py38-ansible py38-django32 py38-gunicorn py38-pillow py38-pip py38-tkinter sudo
--- a/jails/config/book/cps
+++ b/jails/config/book/cps
@ -1,6 +1,4 @@
-#!/bin/sh
+# Copyright (c) 2018-2022, diyIT.org
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -8,6 +6,8 @@
 #
 #
 #!/bin/sh
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: cpsserver
 # REQUIRE: NETWORKING DAEMON
@ -19,7 +19,8 @@
 name=cpsserver
 rcvar=${name}_enable
-CPSSERVER="nohup /usr/local/bin/python3.7 /data/calibre-web/cps.py"
+#CPSSERVER="nohup /usr/local/bin/python3.8 /data/calibre-web/cps.py"
 CPSSERVER="nohup /usr/local/bin/cps"
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
--- a/jails/config/book/pkg-list-details.txt
+++ b/jails/config/book/pkg-list-details.txt
@ -0,0 +1,10 @@
 pkgp123____libxml2-2.9.13_2
 pkgp123____libxslt-1.1.35_3
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____py38-ldap-3.4.0
 pkgp-freebsd-pkg____py38-pip-20.3.4
 pkgp-freebsd-pkg____py38-sqlite3-3.8.13_7
 pkgp-freebsd-pkg____rust-1.59.0
--- a/jails/config/book/pkg-list.txt
+++ b/jails/config/book/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion libxml2 libxslt nano pkg py38-ldap py38-pip py38-sqlite3 rust
--- a/jails/config/book/pkgp.conf
+++ b/jails/config/book/pkgp.conf
@ -0,0 +1,20 @@
 FreeBSD: {
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
    enabled: no
 }
 pkgp-freebsd-pkg: {
    url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
    mirror_type: "http",
    enabled: yes,
    priority: 10
 }
 pkgp123: {
    url: "http://pkgp.ahlawat.com/packages/pj123-default",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
    enabled: yes,
    priority: 100
 }
--- a/jails/config/calibre/pkg-list-details.txt
+++ b/jails/config/calibre/pkg-list-details.txt
@ -0,0 +1,11 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____calibre-5.40.0
 pkgp-freebsd-pkg____fluxbox-1.3.7_5
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____sudo-1.9.10
 pkgp-freebsd-pkg____tigervnc-server-1.12.0_4
 pkgp-freebsd-pkg____xauth-1.1
 pkgp-freebsd-pkg____xpdf-4.03_1,1
 pkgp-freebsd-pkg____xterm-372
--- a/jails/config/calibre/pkg-list.txt
+++ b/jails/config/calibre/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion calibre fluxbox nano pkg sudo tigervnc-server xauth xpdf xterm
--- a/jails/config/cam/pkg-list-details.txt
+++ b/jails/config/cam/pkg-list-details.txt
@ -0,0 +1,7 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____curl-7.82.0
 pkgp-freebsd-pkg____motion-4.3.2_3
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____py27-pip-20.2.3
--- a/jails/config/cam/pkg-list.txt
+++ b/jails/config/cam/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion curl motion nano pkg py27-pip
--- a/jails/config/cert/acmedns
+++ b/jails/config/cert/acmedns
@ -0,0 +1,44 @@
 #!/bin/sh
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: acmedns
 # REQUIRE: NETWORKING DAEMON
 . /etc/rc.subr
 : ${acmedns_enable="NO"}
 name=acmedns
 rcvar=${name}_enable
 ACMEDNS="/usr/local/bin/acme-dns"
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
 restart_cmd="${name}_restart"
 acmedns_start()
 {
        $ACMEDNS -c /etc/acme-dns/config.cfg &
 }
 acmedns_stop()
 {
        ps ax | grep -ie acme-dns | grep -v grep | awk '{print $1}' | xargs kill -9
 }
 acmedns_restart()
 {
 	acmedns_stop
 	acmedns_start
 }
 load_rc_config ${name}
 run_rc_command "$1"
--- a/jails/config/cert/config.cfg
+++ b/jails/config/cert/config.cfg
@ -0,0 +1,65 @@
 [general]
 # DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
 # In this case acme-dns will error out and you will need to define the listening interface
 # for example: listen = "127.0.0.1:53"
 listen = "0.0.0.0:53"
 # protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
 protocol = "both4"
 # domain name to serve the requests off of
 domain = "dns-auth.ahlawat.com"
 # zone name server
 nsname = "dns-auth.ahlawat.com"
 # admin email address, where @ is substituted with .
 nsadmin = "sharad.ahlawat.com"
 # predefined records served in addition to the TXT
 records = [
    # domain pointing to the public IP of your acme-dns server
    "dns-auth.ahlawat.com. A 216.139.40.20",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "dns-auth.ahlawat.com. NS dns-auth.ahlawat.com.",
 ]
 # debug messages from CORS etc
 debug = false
 [database]
 # Database engine to use, sqlite3 or postgres
 engine = "sqlite3"
 # Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
 # Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
 connection = "/usr/local/lib/acme-dns/acme-dns.db"
 # connection = "postgres://user:password@localhost/acmedns_db"
 [api]
 # listen ip eg. 127.0.0.1
 ip = "0.0.0.0"
 # disable registration endpoint
 disable_registration = false
 # listen port, eg. 443 for default HTTPS
 port = "443"
 # possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
 tls = "cert"
 # only used if tls = "cert"
 tls_cert_privkey = "/mnt/certs/privkey.pem"
 tls_cert_fullchain = "/mnt/certs/fullchain.pem"
 # only used if tls = "letsencrypt"
 acme_cache_dir = "api-certs"
 # optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
 notification_email = ""
 # CORS AllowOrigins, wildcards can be used
 corsorigins = [
    "*"
 ]
 # use HTTP header to get the client ip
 use_header = false
 # header name to pull the ip address / list of ip addresses from
 header_name = "X-Forwarded-For"
 [logconfig]
 # logging level: "error", "warning", "info" or "debug"
 loglevel = "debug"
 # possible values: stdout, TODO file & integrations
 logtype = "stdout"
 # file path for logfile TODO
 # logfile = "./acme-dns.log"
 # format, either "json" or "text"
 logformat = "text"
--- a/jails/config/cert/config.cfg-80
+++ b/jails/config/cert/config.cfg-80
@ -0,0 +1,65 @@
 [general]
 # DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53
 # In this case acme-dns will error out and you will need to define the listening interface
 # for example: listen = "127.0.0.1:53"
 listen = "0.0.0.0:53"
 # protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6"
 protocol = "both"
 # domain name to serve the requests off of
 domain = "dns-auth.ahlawat.com"
 # zone name server
 nsname = "dns-auth.ahlawat.com"
 # admin email address, where @ is substituted with .
 nsadmin = "sharad.ahlawat.com"
 # predefined records served in addition to the TXT
 records = [
    # domain pointing to the public IP of your acme-dns server
    "dns-auth.ahlawat.com. A 216.139.40.20",
    # specify that auth.example.org will resolve any *.auth.example.org records
    "dns-auth.ahlawat.com. NS dns-auth.ahlawat.com.",
 ]
 # debug messages from CORS etc
 debug = false
 [database]
 # Database engine to use, sqlite3 or postgres
 engine = "sqlite3"
 # Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres
 # Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3
 connection = "/usr/local/lib/acme-dns/acme-dns.db"
 # connection = "postgres://user:password@localhost/acmedns_db"
 [api]
 # listen ip eg. 127.0.0.1
 ip = "0.0.0.0"
 # disable registration endpoint
 disable_registration = false
 # listen port, eg. 443 for default HTTPS
 port = "80"
 # possible values: "letsencrypt", "letsencryptstaging", "cert", "none"
 tls = "none"
 # only used if tls = "cert"
 tls_cert_privkey = "/mnt/certs/privkey.pem"
 tls_cert_fullchain = "/mnt/certs/fullchain.pem"
 # only used if tls = "letsencrypt"
 acme_cache_dir = "api-certs"
 # optional e-mail address to which Let's Encrypt will send expiration notices for the API's cert
 notification_email = ""
 # CORS AllowOrigins, wildcards can be used
 corsorigins = [
    "*"
 ]
 # use HTTP header to get the client ip
 use_header = false
 # header name to pull the ip address / list of ip addresses from
 header_name = "X-Forwarded-For"
 [logconfig]
 # logging level: "error", "warning", "info" or "debug"
 loglevel = "debug"
 # possible values: stdout, TODO file & integrations
 logtype = "stdout"
 # file path for logfile TODO
 # logfile = "./acme-dns.log"
 # format, either "json" or "text"
 logformat = "text"
--- a/jails/config/cert/pkg-list-details.txt
+++ b/jails/config/cert/pkg-list-details.txt
@ -0,0 +1,7 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____curl-7.82.0
 pkgp-freebsd-pkg____git-lite-2.35.1
 pkgp-freebsd-pkg____go-1.18,1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
--- a/jails/config/cert/pkg-list.txt
+++ b/jails/config/cert/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion curl git-lite go nano pkg
--- a/jails/config/ci/pkg-list-details.txt
+++ b/jails/config/ci/pkg-list-details.txt
@ -0,0 +1,5 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____jenkins-2.341
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
--- a/jails/config/ci/pkg-list.txt
+++ b/jails/config/ci/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion jenkins nano pkg
--- a/jails/config/cloud/config.php
+++ b/jails/config/cloud/config.php
@ -0,0 +1,51 @@
 <?php
 $CONFIG = array (
  'passwordsalt' => '5OBfApfc/+tJzU/4n+F8e+PzOfAStP',
  'secret' => 'IFX9kjXwOk4L21503pLACwa2Dadv9JzHNSu8XsnTogmwb5Tr',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.ahlawat.com',
    2 => '192.168.0.59',
    3 => 'fd01::59',
  ),
  'datadirectory' => '/mnt/cloud',
  'overwrite.cli.url' => 'https://cloud.ahlawat.com/',
  'dbtype' => 'mysql',
  'version' => '21.0.3.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'db.ahlawat.com',
  'dbport' => '3306',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'mysql__nextcloud',
  'installed' => true,
  'instanceid' => 'oc7suxvjiy9s',
  'htaccess.RewriteBase' => '/',
  'filelocking.enabled' => 'true',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/tmp/redis.sock',
    'port' => 0,
  ),
  'logtimezone' => 'America/Los_Angeles',
  'default_phone_region' => 'US',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'loglevel' => 0,
  'logrotate_size' => '104847600',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_smtpmode' => 'smtp',
  'mail_from_address' => 'nobody',
  'mail_domain' => 'ahlawat.com',
  'mail_smtphost' => '192.168.0.100',
  'mail_smtpport' => '25',
  'maintenance' => false,
  'theme' => '',
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
  'updater.secret' => '$2y$10$jAnC4Ha3RI2CL.IlhYluSeeOuKMT4itq/ViSiH1Q9DciUXfB3YSYS',
 );
--- a/jails/config/cloud/config.php.20
+++ b/jails/config/cloud/config.php.20
@ -0,0 +1,51 @@
 <?php
 $CONFIG = array (
  'passwordsalt' => '5OBfApfc/+tJzU/4n+F8e+PzOfAStP',
  'secret' => 'IFX9kjXwOk4L21503pLACwa2Dadv9JzHNSu8XsnTogmwb5Tr',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.ahlawat.com',
    2 => '192.168.0.59',
    3 => 'fd01::59',
  ),
  'datadirectory' => '/mnt/cloud',
  'overwrite.cli.url' => 'https://cloud.ahlawat.com/',
  'dbtype' => 'mysql',
  'version' => '21.0.3.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'db.ahlawat.com',
  'dbport' => '3306',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'mysql__nextcloud',
  'installed' => true,
  'instanceid' => 'oc7suxvjiy9s',
  'htaccess.RewriteBase' => '/',
  'filelocking.enabled' => 'true',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/tmp/redis.sock',
    'port' => 0,
  ),
  'logtimezone' => 'America/Los_Angeles',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'loglevel' => 0,
  'logrotate_size' => '104847600',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_smtpmode' => 'smtp',
  'mail_from_address' => 'nobody',
  'mail_domain' => 'ahlawat.com',
  'mail_smtphost' => '192.168.0.100',
  'mail_smtpport' => '25',
  'maintenance' => false,
  'theme' => '',
  'encryption.legacy_format_support' => false,
  'encryption.key_storage_migrated' => false,
  'updater.secret' => '$2y$10$jAnC4Ha3RI2CL.IlhYluSeeOuKMT4itq/ViSiH1Q9DciUXfB3YSYS',
 );
--- a/jails/config/cloud/httpd.conf
+++ b/jails/config/cloud/httpd.conf
@ -49,7 +49,7 @@ ServerRoot "/usr/local"
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+#Listen 80
 #
 # Dynamic Shared Object (DSO) Support
@ -108,7 +108,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
 #LoadModule substitute_module libexec/apache24/mod_substitute.so
 #LoadModule sed_module libexec/apache24/mod_sed.so
 #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
-#LoadModule deflate_module libexec/apache24/mod_deflate.so
+LoadModule deflate_module libexec/apache24/mod_deflate.so
 #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
 #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
 LoadModule mime_module libexec/apache24/mod_mime.so
@ -119,7 +119,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
 LoadModule env_module libexec/apache24/mod_env.so
 #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
 #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
-#LoadModule expires_module libexec/apache24/mod_expires.so
+LoadModule expires_module libexec/apache24/mod_expires.so
 LoadModule headers_module libexec/apache24/mod_headers.so
 #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
 #LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -178,7 +178,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 LoadModule rewrite_module libexec/apache24/mod_rewrite.so
 #LoadModule php7_module        libexec/apache24/libphp7.so
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -223,7 +222,7 @@ ServerAdmin sharad@ahlawat.com
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-#ServerName www.example.com:80
+ServerName cloud.ahlawat.com
 #
 # Deny access to the entirety of your server's filesystem. You must
@ -250,9 +249,10 @@ ServerAdmin sharad@ahlawat.com
 DocumentRoot "/usr/local/www/apache24/data"
 <Directory "/usr/local/www/apache24/data">
-  RewriteEngine on
+# can't set this if traffic is passing through haproxy and being redirected to ssl already
-  RewriteRule ^/\.well-known/ - [L]
+#  RewriteEngine on
-  RewriteRule (.*) https://cloud.ahlawat.com [R,L]
+#  RewriteRule ^/\.well-known/ - [L]
 #  RewriteRule (.*) https://cloud.ahlawat.com [R,L]
    #
    # Possible values for the Options directive are "None", "All",
@ -554,23 +554,21 @@ Include etc/apache24/Includes/*.conf
 <VirtualHost *:443>
    ServerName cloud.ahlawat.com
    ServerAlias *.ahlawat.com
    ServerAlias cloud
-    Protocols h2 h2c http/1.1
+    Protocols h2 http/1.1
    DocumentRoot "/usr/local/www/apache24/data/nextcloud/"
    DirectoryIndex /index.php index.php
    SSLEngine on
    SSLCertificateFile "/mnt/certs/fullchain.pem"
    SSLCertificateKeyFile "/mnt/certs/privkey.pem"
    #SSLCertificateChainFile "/mnt/certs/fullchain.pem"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    SSLHonorCipherOrder on
+    SSLHonorCipherOrder off
    SSLCompression off
    SSLSessionTickets off
    SSLOptions +StrictRequire
 #    SSLCompression off
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
@ -589,7 +587,8 @@ Include etc/apache24/Includes/*.conf
  CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  <Directory "/usr/local/www/apache24/data/nextcloud/">
-    Options +FollowSymLinks
+    Require all granted
    Options FollowSymLinks MultiViews
    AllowOverride All
    <IfModule mod_dav.c>
@ -601,11 +600,116 @@ Include etc/apache24/Includes/*.conf
  </Directory>
  <Directory "/usr/local/www/apache24/data/">
    Options Indexes FollowSymLinks MultiViews
    ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
    IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
    #AllowOverride controls what directives may be placed in .htaccess files.
    #AllowOverride All
    #AllowOverride AuthConfig
    #Controls who can get stuff from this server file
    #Require all granted
  </Directory>
  ErrorLog "/var/log/ssl-error.log"
  CustomLog "/var/log/ssl-access_log" combined
  <IfModule mod_headers.c>
-    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  </IfModule>
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A0
 <FilesMatch "\.(txt|xml|js)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(css)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
 ExpiresDefault A31536000
 </FilesMatch>
 </IfModule>
 <IfModule mod_headers.c>
  <FilesMatch "\.(txt|xml|js)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(css)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
 </IfModule>
 <IfModule mod_deflate.c>
 	SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-font-opentype" \
                                      "application/x-font-truetype" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
    <IfModule mod_mime.c>
        AddEncoding gzip              svgz
    </IfModule>
 </IfModule>
 </VirtualHost>
 SSLUseStapling On
 SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
--- a/jails/config/cloud/php.ini
+++ b/jails/config/cloud/php.ini
@ -1774,7 +1774,7 @@ opcache.enable_cli=1
 opcache.memory_consumption=128
 ; The amount of memory for interned strings in Mbytes.
-opcache.interned_strings_buffer=8
+opcache.interned_strings_buffer=32
 ; The maximum number of keys (scripts) in the OPcache hash table.
 ; Only numbers between 200 and 1000000 are allowed.
@ -1796,7 +1796,7 @@ opcache.max_accelerated_files=10000
 ; How often (in seconds) to check file timestamps for changes to the shared
 ; memory storage allocation. ("1" means validate once per second, but only
 ; once per request. "0" means always validate)
-opcache.revalidate_freq=1
+opcache.revalidate_freq=60
 ; Enables or disables file search in include_path optimization
 ;opcache.revalidate_path=0
--- a/jails/config/cloud/pkg-list-details.txt
+++ b/jails/config/cloud/pkg-list-details.txt
@ -0,0 +1,44 @@
 pkgp-freebsd-pkg____apache24-2.4.53
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____ffmpeg-4.4.1_11,1
 pkgp-freebsd-pkg____mod_php80-8.0.17_1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____php80-8.0.17_2
 pkgp-freebsd-pkg____php80-bcmath-8.0.17_2
 pkgp-freebsd-pkg____php80-bz2-8.0.17_2
 pkgp-freebsd-pkg____php80-ctype-8.0.17_2
 pkgp-freebsd-pkg____php80-curl-8.0.17_2
 pkgp-freebsd-pkg____php80-dom-8.0.17_1
 pkgp-freebsd-pkg____php80-exif-8.0.17_2
 pkgp-freebsd-pkg____php80-fileinfo-8.0.17_2
 pkgp-freebsd-pkg____php80-filter-8.0.17_2
 pkgp-freebsd-pkg____php80-ftp-8.0.17_2
 pkgp-freebsd-pkg____php80-gd-8.0.17_2
 pkgp-freebsd-pkg____php80-gmp-8.0.17_2
 pkgp-freebsd-pkg____php80-iconv-8.0.17_2
 pkgp-freebsd-pkg____php80-imap-8.0.17_2
 pkgp-freebsd-pkg____php80-intl-8.0.17_2
 pkgp-freebsd-pkg____php80-ldap-8.0.17_2
 pkgp-freebsd-pkg____php80-mbstring-8.0.17_2
 pkgp-freebsd-pkg____php80-mysqli-8.0.17_2
 pkgp-freebsd-pkg____php80-opcache-8.0.17_2
 pkgp-freebsd-pkg____php80-pcntl-8.0.17_2
 pkgp-freebsd-pkg____php80-pdo-8.0.17_2
 pkgp-freebsd-pkg____php80-pdo_mysql-8.0.17_2
 pkgp-freebsd-pkg____php80-pecl-APCu-5.1.21
 pkgp-freebsd-pkg____php80-pecl-imagick-3.5.1
 pkgp-freebsd-pkg____php80-pecl-mcrypt-1.0.4
 pkgp-freebsd-pkg____php80-pecl-redis-5.3.5
 pkgp-freebsd-pkg____php80-posix-8.0.17_2
 pkgp-freebsd-pkg____php80-session-8.0.17_2
 pkgp-freebsd-pkg____php80-simplexml-8.0.17_1
 pkgp-freebsd-pkg____php80-xml-8.0.17_1
 pkgp-freebsd-pkg____php80-xmlreader-8.0.17_1
 pkgp-freebsd-pkg____php80-xmlwriter-8.0.17_1
 pkgp-freebsd-pkg____php80-xsl-8.0.17_1
 pkgp-freebsd-pkg____php80-zip-8.0.17_2
 pkgp-freebsd-pkg____php80-zlib-8.0.17_2
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____redis-6.2.6
 pkgp-freebsd-pkg____sudo-1.9.10
--- a/jails/config/cloud/pkg-list.txt
+++ b/jails/config/cloud/pkg-list.txt
@ -0,0 +1 @@
 apache24 bash bash-completion ffmpeg mod_php80 nano php80 php80-bcmath php80-bz2 php80-ctype php80-curl php80-dom php80-exif php80-fileinfo php80-filter php80-ftp php80-gd php80-gmp php80-iconv php80-imap php80-intl php80-ldap php80-mbstring php80-mysqli php80-opcache php80-pcntl php80-pdo php80-pdo_mysql php80-pecl-APCu php80-pecl-imagick php80-pecl-mcrypt php80-pecl-redis php80-posix php80-session php80-simplexml php80-xml php80-xmlreader php80-xmlwriter php80-xsl php80-zip php80-zlib pkg redis sudo
--- a/jails/config/common/12.3-RELEASE.bzip2
+++ b/jails/config/common/12.3-RELEASE.bzip2
--- a/jails/config/common/current-src.bzip2
+++ b/jails/config/common/current-src.bzip2
--- a/jails/config/common/freebsd-update.conf
+++ b/jails/config/common/freebsd-update.conf
@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.3/usr.sbin/freebsd-update/freebsd-update.conf 370439 2021-08-29 16:58:35Z kevans $
 # Trusted keyprint.  Changing this is a Bad Idea unless you've received
 # a PGP-signed email from <security-officer@FreeBSD.org> telling you to
@ -10,6 +10,8 @@ KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
 # using a "nearby" server won't provide a measurable improvement in
 # performance.
 ServerName update.FreeBSD.org
 # caching not used as I am mounting the /var/db/freebsd-update/files directory into every jail
 #ServerName pkgp-freebsd-update.ahlawat.com
 # Components of the base system which should be kept updated.
 #Components src world
@ -75,3 +77,6 @@ MergeChanges /etc/ /boot/device.hints
 # When backing up a kernel also back up debug symbol files?
 # BackupKernelSymbolFiles no
 # Create a new boot environment when installing patches
 # CreateBootEnv yes
--- a/jails/config/common/httpd-ldap.conf
+++ b/jails/config/common/httpd-ldap.conf
@ -0,0 +1,705 @@
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
 # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
 # In particular, see 
 # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
 # for a discussion of each configuration directive.
 #
 # Do NOT simply read the instructions in here without understanding
 # what they do.  They're here only as hints or reminders.  If you are unsure
 # consult the online docs. You have been warned.  
 #
 # Configuration and logfile names: If the filenames you specify for many
 # of the server's control files begin with "/" (or "drive:/" for Win32), the
 # server will use that explicit path.  If the filenames do *not* begin
 # with "/", the value of ServerRoot is prepended -- so "logs/access_log"
 # with ServerRoot set to "/usr/local/apache2" will be interpreted by the
 # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 
 # will be interpreted as '/logs/access_log'.
 #
 # ServerRoot: The top of the directory tree under which the server's
 # configuration, error, and log files are kept.
 #
 # Do not add a slash at the end of the directory path.  If you point
 # ServerRoot at a non-local disk, be sure to specify a local disk on the
 # Mutex directive, if file-based mutexes are used.  If you wish to share the
 # same ServerRoot for multiple httpd daemons, you will need to change at
 # least PidFile.
 #
 ServerRoot "/usr/local"
 #
 # Mutex: Allows you to set the mutex mechanism and mutex file directory
 # for individual mutexes, or change the global defaults
 #
 # Uncomment and change the directory if mutexes are file-based and the default
 # mutex file directory is not on a local disk or is not appropriate for some
 # other reason.
 #
 # Mutex default:/var/run
 #
 # Listen: Allows you to bind Apache to specific IP addresses and/or
 # ports, instead of the default. See also the <VirtualHost>
 # directive.
 #
 # Change this to Listen on specific IP addresses as shown below to 
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
 #Listen 80
 #
 # Dynamic Shared Object (DSO) Support
 #
 # To be able to use the functionality of a module which was built as a DSO you
 # have to place corresponding `LoadModule' lines at this location so the
 # directives contained in it are actually available _before_ they are used.
 # Statically compiled modules (those listed by `httpd -l') do not need
 # to be loaded here.
 #
 # Example:
 # LoadModule foo_module modules/mod_foo.so
 #
 LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
 #LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
 #LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
 LoadModule authn_file_module libexec/apache24/mod_authn_file.so
 #LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
 #LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
 #LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
 #LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
 LoadModule authn_core_module libexec/apache24/mod_authn_core.so
 LoadModule authz_host_module libexec/apache24/mod_authz_host.so
 LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
 LoadModule authz_user_module libexec/apache24/mod_authz_user.so
 #LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
 #LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
 #LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
 LoadModule authz_core_module libexec/apache24/mod_authz_core.so
 #LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
 LoadModule access_compat_module libexec/apache24/mod_access_compat.so
 LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
 #LoadModule auth_form_module libexec/apache24/mod_auth_form.so
 #LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
 #LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
 #LoadModule file_cache_module libexec/apache24/mod_file_cache.so
 #LoadModule cache_module libexec/apache24/mod_cache.so
 #LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
 #LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
 LoadModule authnz_ldap_module libexec/apache24/mod_authnz_ldap.so
 LoadModule ldap_module libexec/apache24/mod_ldap.so
 LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
 #LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
 #LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
 #LoadModule watchdog_module libexec/apache24/mod_watchdog.so
 #LoadModule macro_module libexec/apache24/mod_macro.so
 #LoadModule dbd_module libexec/apache24/mod_dbd.so
 #LoadModule dumpio_module libexec/apache24/mod_dumpio.so
 #LoadModule buffer_module libexec/apache24/mod_buffer.so
 #LoadModule data_module libexec/apache24/mod_data.so
 #LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
 LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
 #LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
 #LoadModule request_module libexec/apache24/mod_request.so
 #LoadModule include_module libexec/apache24/mod_include.so
 LoadModule filter_module libexec/apache24/mod_filter.so
 #LoadModule reflector_module libexec/apache24/mod_reflector.so
 #LoadModule substitute_module libexec/apache24/mod_substitute.so
 #LoadModule sed_module libexec/apache24/mod_sed.so
 #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
 LoadModule deflate_module libexec/apache24/mod_deflate.so
 #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
 #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
 LoadModule mime_module libexec/apache24/mod_mime.so
 LoadModule log_config_module libexec/apache24/mod_log_config.so
 #LoadModule log_debug_module libexec/apache24/mod_log_debug.so
 #LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
 #LoadModule logio_module libexec/apache24/mod_logio.so
 LoadModule env_module libexec/apache24/mod_env.so
 #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
 #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
 LoadModule expires_module libexec/apache24/mod_expires.so
 LoadModule headers_module libexec/apache24/mod_headers.so
 #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
 #LoadModule unique_id_module libexec/apache24/mod_unique_id.so
 LoadModule setenvif_module libexec/apache24/mod_setenvif.so
 LoadModule version_module libexec/apache24/mod_version.so
 #LoadModule remoteip_module libexec/apache24/mod_remoteip.so
 LoadModule proxy_module libexec/apache24/mod_proxy.so
 #LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
 #LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
 #LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
 LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
 #LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
 #LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
 #LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
 #LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
 #LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
 #LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
 #LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
 #LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
 #LoadModule session_module libexec/apache24/mod_session.so
 #LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
 #LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
 #LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
 #LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
 #LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
 LoadModule ssl_module libexec/apache24/mod_ssl.so
 #LoadModule dialup_module libexec/apache24/mod_dialup.so
 LoadModule http2_module libexec/apache24/mod_http2.so
 LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
 #LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
 #LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
 #LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
 #LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
 LoadModule unixd_module libexec/apache24/mod_unixd.so
 #LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
 #LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
 #LoadModule dav_module libexec/apache24/mod_dav.so
 LoadModule status_module libexec/apache24/mod_status.so
 LoadModule autoindex_module libexec/apache24/mod_autoindex.so
 #LoadModule asis_module libexec/apache24/mod_asis.so
 #LoadModule info_module libexec/apache24/mod_info.so
 <IfModule !mpm_prefork_module>
 	#LoadModule cgid_module libexec/apache24/mod_cgid.so
 </IfModule>
 <IfModule mpm_prefork_module>
 	#LoadModule cgi_module libexec/apache24/mod_cgi.so
 </IfModule>
 #LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
 #LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
 #LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
 #LoadModule negotiation_module libexec/apache24/mod_negotiation.so
 LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule imagemap_module libexec/apache24/mod_imagemap.so
 #LoadModule actions_module libexec/apache24/mod_actions.so
 #LoadModule speling_module libexec/apache24/mod_speling.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 LoadModule rewrite_module libexec/apache24/mod_rewrite.so
 #LoadModule php_module        libexec/apache24/libphp.so
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
 <IfModule unixd_module>
 #
 # If you wish httpd to run as a different user or group, you must run
 # httpd as root initially and it will switch.  
 #
 # User/Group: The name (or #number) of the user/group to run httpd as.
 # It is usually good practice to create a dedicated user and group for
 # running httpd, as with most system services.
 #
 User www
 Group www
 </IfModule>
 # 'Main' server configuration
 #
 # The directives in this section set up the values used by the 'main'
 # server, which responds to any requests that aren't handled by a
 # <VirtualHost> definition.  These values also provide defaults for
 # any <VirtualHost> containers you may define later in the file.
 #
 # All of these directives may appear inside <VirtualHost> containers,
 # in which case these default settings will be overridden for the
 # virtual host being defined.
 #
 #
 # ServerAdmin: Your address, where problems with the server should be
 # e-mailed.  This address appears on some server-generated pages, such
 # as error documents.  e.g. admin@your-domain.com
 #
 ServerAdmin sharad@ahlawat.com
 #
 # ServerName gives the name and port that the server uses to identify itself.
 # This can often be determined automatically, but we recommend you specify
 # it explicitly to prevent problems during startup.
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
 ServerName www.ahlawat.com
 #
 # Deny access to the entirety of your server's filesystem. You must
 # explicitly permit access to web content directories in other 
 # <Directory> blocks below.
 #
 <Directory />
    AllowOverride none
    Require all denied
 </Directory>
 #
 # Note that from this point forward you must specifically allow
 # particular features to be enabled - so if something's not working as
 # you might expect, make sure that you have specifically enabled it
 # below.
 #
 #
 # DocumentRoot: The directory out of which you will serve your
 # documents. By default, all requests are taken from this directory, but
 # symbolic links and aliases may be used to point to other locations.
 #
 DocumentRoot "/usr/local/www/apache24/data"
 <Directory "/usr/local/www/apache24/data">
 # can't set this if traffic is passing through haproxy and being redirected to ssl already
 #  RewriteEngine on
 #  RewriteRule ^/\.well-known/ - [L]
 #  RewriteRule (.*) https://www.ahlawat.com [R,L]
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
    Require all granted
 </Directory>
 #
 # DirectoryIndex: sets the file that Apache will serve if a directory
 # is requested.
 #
 <IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
 </IfModule>
 #
 # The following lines prevent .htaccess and .htpasswd files from being 
 # viewed by Web clients. 
 #
 <Files ".ht*">
    Require all denied
 </Files>
 #
 # ErrorLog: The location of the error log file.
 # If you do not specify an ErrorLog directive within a <VirtualHost>
 # container, error messages relating to that virtual host will be
 # logged here.  If you *do* define an error logfile for a <VirtualHost>
 # container, that host's errors will be logged there and not here.
 #
 ErrorLog "/var/log/httpd-error.log"
 #
 # LogLevel: Control the number of messages logged to the error_log.
 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 #
 LogLevel warn
 <IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "/var/log/httpd-access.log" common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/var/log/httpd-access.log" combined
 </IfModule>
 <IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar
    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.
    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
 </IfModule>
 <IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
 </IfModule>
 #
 # "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
 # CGI directory exists, if you have that configured.
 #
 <Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
 </Directory>
 <IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
 </IfModule>
 <IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig etc/apache24/mime.types
    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var
    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
 </IfModule>
 #
 # The mod_mime_magic module allows the server to use various hints from the
 # contents of the file itself to determine its type.  The MIMEMagicFile
 # directive tells the module where the hint definitions are located.
 #
 #MIMEMagicFile etc/apache24/magic
 #
 # Customizable error responses come in three flavors:
 # 1) plain text 2) local redirects 3) external redirects
 #
 # Some examples:
 #ErrorDocument 500 "The server made a boo boo."
 #ErrorDocument 404 /missing.html
 #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
 #ErrorDocument 402 http://www.example.com/subscription_info.html
 #
 #
 # MaxRanges: Maximum number of Ranges in a request before
 # returning the entire resource, or one of the special
 # values 'default', 'none' or 'unlimited'.
 # Default setting is to accept 200 Ranges.
 #MaxRanges unlimited
 #
 # EnableMMAP and EnableSendfile: On systems that support it, 
 # memory-mapping or the sendfile syscall may be used to deliver
 # files.  This usually improves server performance, but must
 # be turned off when serving from networked-mounted 
 # filesystems or if support for these functions is otherwise
 # broken on your system.
 # Defaults: EnableMMAP On, EnableSendfile Off
 #
 #EnableMMAP off
 #EnableSendfile on
 # Supplemental configuration
 #
 # The configuration files in the etc/apache24/extra/ directory can be 
 # included to add extra features or to modify the default configuration of 
 # the server, or you may simply copy their contents here and change as 
 # necessary.
 # Server-pool management (MPM specific)
 #Include etc/apache24/extra/httpd-mpm.conf
 # Multi-language error messages
 #Include etc/apache24/extra/httpd-multilang-errordoc.conf
 # Fancy directory listings
 #Include etc/apache24/extra/httpd-autoindex.conf
 # Language settings
 #Include etc/apache24/extra/httpd-languages.conf
 # User home directories
 #Include etc/apache24/extra/httpd-userdir.conf
 # Real-time info on requests and configuration
 #Include etc/apache24/extra/httpd-info.conf
 # Virtual hosts
 #Include etc/apache24/extra/httpd-vhosts.conf
 # Local access to the Apache HTTP Server Manual
 #Include etc/apache24/extra/httpd-manual.conf
 # Distributed authoring and versioning (WebDAV)
 #Include etc/apache24/extra/httpd-dav.conf
 # Various default settings
 #Include etc/apache24/extra/httpd-default.conf
 # Configure mod_proxy_html to understand HTML4/XHTML1
 <IfModule proxy_html_module>
 Include etc/apache24/extra/proxy-html.conf
 </IfModule>
 # Secure (SSL/TLS) connections
 #Include etc/apache24/extra/httpd-ssl.conf
 #
 # Note: The following must must be present to support
 #       starting without SSL on platforms with no /dev/random equivalent
 #       but a statically compiled-in mod_ssl.
 #
 <IfModule ssl_module>
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
 Include etc/apache24/Includes/*.conf
 <VirtualHost *:443>
    ServerName www.ahlawat.com
    ServerAlias *.ahlawat.com
    ServerAlias ahlawat.com
    Protocols h2 http/1.1
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on
    SSLCertificateFile "/mnt/certs/fullchain.pem"
    SSLCertificateKeyFile "/mnt/certs/privkey.pem"
    #SSLCertificateChainFile "/mnt/certs/fullchain.pem"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLOptions +StrictRequire
 #    SSLCompression off
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SetHandler "proxy:fcgi://127.0.0.1:9000"
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>
  BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  <Directory "/usr/local/www/apache24/data/">
    Options Indexes FollowSymLinks MultiViews
    ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
    IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
    #AllowOverride controls what directives may be placed in .htaccess files.
    AllowOverride All
    #AllowOverride AuthConfig
    #Controls who can get stuff from this server file
    Require all granted
  </Directory>
  ErrorLog "/var/log/ssl-error.log"
  CustomLog "/var/log/ssl-access_log" combined
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  </IfModule>
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A0
 <FilesMatch "\.(txt|xml|js)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(css)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
 ExpiresDefault A31536000
 </FilesMatch>
 </IfModule>
 <IfModule mod_headers.c>
  <FilesMatch "\.(txt|xml|js)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(css)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
 </IfModule>
 <IfModule mod_deflate.c>
 	SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-font-opentype" \
                                      "application/x-font-truetype" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
    <IfModule mod_mime.c>
        AddEncoding gzip              svgz
    </IfModule>
 </IfModule>
 </VirtualHost>
 SSLUseStapling On
 SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
--- a/jails/config/common/httpd.conf
+++ b/jails/config/common/httpd.conf
@ -0,0 +1,703 @@
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
 # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
 # In particular, see 
 # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
 # for a discussion of each configuration directive.
 #
 # Do NOT simply read the instructions in here without understanding
 # what they do.  They're here only as hints or reminders.  If you are unsure
 # consult the online docs. You have been warned.  
 #
 # Configuration and logfile names: If the filenames you specify for many
 # of the server's control files begin with "/" (or "drive:/" for Win32), the
 # server will use that explicit path.  If the filenames do *not* begin
 # with "/", the value of ServerRoot is prepended -- so "logs/access_log"
 # with ServerRoot set to "/usr/local/apache2" will be interpreted by the
 # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 
 # will be interpreted as '/logs/access_log'.
 #
 # ServerRoot: The top of the directory tree under which the server's
 # configuration, error, and log files are kept.
 #
 # Do not add a slash at the end of the directory path.  If you point
 # ServerRoot at a non-local disk, be sure to specify a local disk on the
 # Mutex directive, if file-based mutexes are used.  If you wish to share the
 # same ServerRoot for multiple httpd daemons, you will need to change at
 # least PidFile.
 #
 ServerRoot "/usr/local"
 #
 # Mutex: Allows you to set the mutex mechanism and mutex file directory
 # for individual mutexes, or change the global defaults
 #
 # Uncomment and change the directory if mutexes are file-based and the default
 # mutex file directory is not on a local disk or is not appropriate for some
 # other reason.
 #
 # Mutex default:/var/run
 #
 # Listen: Allows you to bind Apache to specific IP addresses and/or
 # ports, instead of the default. See also the <VirtualHost>
 # directive.
 #
 # Change this to Listen on specific IP addresses as shown below to 
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
 #Listen 80
 #
 # Dynamic Shared Object (DSO) Support
 #
 # To be able to use the functionality of a module which was built as a DSO you
 # have to place corresponding `LoadModule' lines at this location so the
 # directives contained in it are actually available _before_ they are used.
 # Statically compiled modules (those listed by `httpd -l') do not need
 # to be loaded here.
 #
 # Example:
 # LoadModule foo_module modules/mod_foo.so
 #
 LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
 #LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
 #LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
 LoadModule authn_file_module libexec/apache24/mod_authn_file.so
 #LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
 #LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
 #LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
 #LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
 LoadModule authn_core_module libexec/apache24/mod_authn_core.so
 LoadModule authz_host_module libexec/apache24/mod_authz_host.so
 LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
 LoadModule authz_user_module libexec/apache24/mod_authz_user.so
 #LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
 #LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
 #LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
 LoadModule authz_core_module libexec/apache24/mod_authz_core.so
 #LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
 LoadModule access_compat_module libexec/apache24/mod_access_compat.so
 LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
 #LoadModule auth_form_module libexec/apache24/mod_auth_form.so
 #LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
 #LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
 #LoadModule file_cache_module libexec/apache24/mod_file_cache.so
 #LoadModule cache_module libexec/apache24/mod_cache.so
 #LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
 #LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
 LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
 #LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
 #LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
 #LoadModule watchdog_module libexec/apache24/mod_watchdog.so
 #LoadModule macro_module libexec/apache24/mod_macro.so
 #LoadModule dbd_module libexec/apache24/mod_dbd.so
 #LoadModule dumpio_module libexec/apache24/mod_dumpio.so
 #LoadModule buffer_module libexec/apache24/mod_buffer.so
 #LoadModule data_module libexec/apache24/mod_data.so
 #LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
 LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
 #LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
 #LoadModule request_module libexec/apache24/mod_request.so
 #LoadModule include_module libexec/apache24/mod_include.so
 LoadModule filter_module libexec/apache24/mod_filter.so
 #LoadModule reflector_module libexec/apache24/mod_reflector.so
 #LoadModule substitute_module libexec/apache24/mod_substitute.so
 #LoadModule sed_module libexec/apache24/mod_sed.so
 #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
 LoadModule deflate_module libexec/apache24/mod_deflate.so
 #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
 #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
 LoadModule mime_module libexec/apache24/mod_mime.so
 LoadModule log_config_module libexec/apache24/mod_log_config.so
 #LoadModule log_debug_module libexec/apache24/mod_log_debug.so
 #LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
 #LoadModule logio_module libexec/apache24/mod_logio.so
 LoadModule env_module libexec/apache24/mod_env.so
 #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
 #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
 LoadModule expires_module libexec/apache24/mod_expires.so
 LoadModule headers_module libexec/apache24/mod_headers.so
 #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
 #LoadModule unique_id_module libexec/apache24/mod_unique_id.so
 LoadModule setenvif_module libexec/apache24/mod_setenvif.so
 LoadModule version_module libexec/apache24/mod_version.so
 #LoadModule remoteip_module libexec/apache24/mod_remoteip.so
 LoadModule proxy_module libexec/apache24/mod_proxy.so
 #LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
 #LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
 #LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
 LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
 #LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
 #LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
 #LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
 #LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
 #LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
 #LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
 #LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
 #LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
 #LoadModule session_module libexec/apache24/mod_session.so
 #LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
 #LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
 #LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
 #LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
 #LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
 LoadModule ssl_module libexec/apache24/mod_ssl.so
 #LoadModule dialup_module libexec/apache24/mod_dialup.so
 LoadModule http2_module libexec/apache24/mod_http2.so
 LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
 #LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
 #LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
 #LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
 #LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
 LoadModule unixd_module libexec/apache24/mod_unixd.so
 #LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
 #LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
 #LoadModule dav_module libexec/apache24/mod_dav.so
 LoadModule status_module libexec/apache24/mod_status.so
 LoadModule autoindex_module libexec/apache24/mod_autoindex.so
 #LoadModule asis_module libexec/apache24/mod_asis.so
 #LoadModule info_module libexec/apache24/mod_info.so
 <IfModule !mpm_prefork_module>
 	#LoadModule cgid_module libexec/apache24/mod_cgid.so
 </IfModule>
 <IfModule mpm_prefork_module>
 	#LoadModule cgi_module libexec/apache24/mod_cgi.so
 </IfModule>
 #LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
 #LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
 #LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
 #LoadModule negotiation_module libexec/apache24/mod_negotiation.so
 LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule imagemap_module libexec/apache24/mod_imagemap.so
 #LoadModule actions_module libexec/apache24/mod_actions.so
 #LoadModule speling_module libexec/apache24/mod_speling.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 LoadModule rewrite_module libexec/apache24/mod_rewrite.so
 #LoadModule php_module        libexec/apache24/libphp.so
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
 <IfModule unixd_module>
 #
 # If you wish httpd to run as a different user or group, you must run
 # httpd as root initially and it will switch.  
 #
 # User/Group: The name (or #number) of the user/group to run httpd as.
 # It is usually good practice to create a dedicated user and group for
 # running httpd, as with most system services.
 #
 User www
 Group www
 </IfModule>
 # 'Main' server configuration
 #
 # The directives in this section set up the values used by the 'main'
 # server, which responds to any requests that aren't handled by a
 # <VirtualHost> definition.  These values also provide defaults for
 # any <VirtualHost> containers you may define later in the file.
 #
 # All of these directives may appear inside <VirtualHost> containers,
 # in which case these default settings will be overridden for the
 # virtual host being defined.
 #
 #
 # ServerAdmin: Your address, where problems with the server should be
 # e-mailed.  This address appears on some server-generated pages, such
 # as error documents.  e.g. admin@your-domain.com
 #
 ServerAdmin sharad@ahlawat.com
 #
 # ServerName gives the name and port that the server uses to identify itself.
 # This can often be determined automatically, but we recommend you specify
 # it explicitly to prevent problems during startup.
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
 ServerName www.ahlawat.com
 #
 # Deny access to the entirety of your server's filesystem. You must
 # explicitly permit access to web content directories in other 
 # <Directory> blocks below.
 #
 <Directory />
    AllowOverride none
    Require all denied
 </Directory>
 #
 # Note that from this point forward you must specifically allow
 # particular features to be enabled - so if something's not working as
 # you might expect, make sure that you have specifically enabled it
 # below.
 #
 #
 # DocumentRoot: The directory out of which you will serve your
 # documents. By default, all requests are taken from this directory, but
 # symbolic links and aliases may be used to point to other locations.
 #
 DocumentRoot "/usr/local/www/apache24/data"
 <Directory "/usr/local/www/apache24/data">
 # can't set this if traffic is passing through haproxy and being redirected to ssl already
 #  RewriteEngine on
 #  RewriteRule ^/\.well-known/ - [L]
 #  RewriteRule (.*) https://www.ahlawat.com [R,L]
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
    Require all granted
 </Directory>
 #
 # DirectoryIndex: sets the file that Apache will serve if a directory
 # is requested.
 #
 <IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
 </IfModule>
 #
 # The following lines prevent .htaccess and .htpasswd files from being 
 # viewed by Web clients. 
 #
 <Files ".ht*">
    Require all denied
 </Files>
 #
 # ErrorLog: The location of the error log file.
 # If you do not specify an ErrorLog directive within a <VirtualHost>
 # container, error messages relating to that virtual host will be
 # logged here.  If you *do* define an error logfile for a <VirtualHost>
 # container, that host's errors will be logged there and not here.
 #
 ErrorLog "/var/log/httpd-error.log"
 #
 # LogLevel: Control the number of messages logged to the error_log.
 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 #
 LogLevel warn
 <IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "/var/log/httpd-access.log" common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/var/log/httpd-access.log" combined
 </IfModule>
 <IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar
    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.
    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
 </IfModule>
 <IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
 </IfModule>
 #
 # "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
 # CGI directory exists, if you have that configured.
 #
 <Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
 </Directory>
 <IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
 </IfModule>
 <IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig etc/apache24/mime.types
    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var
    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
 </IfModule>
 #
 # The mod_mime_magic module allows the server to use various hints from the
 # contents of the file itself to determine its type.  The MIMEMagicFile
 # directive tells the module where the hint definitions are located.
 #
 #MIMEMagicFile etc/apache24/magic
 #
 # Customizable error responses come in three flavors:
 # 1) plain text 2) local redirects 3) external redirects
 #
 # Some examples:
 #ErrorDocument 500 "The server made a boo boo."
 #ErrorDocument 404 /missing.html
 #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
 #ErrorDocument 402 http://www.example.com/subscription_info.html
 #
 #
 # MaxRanges: Maximum number of Ranges in a request before
 # returning the entire resource, or one of the special
 # values 'default', 'none' or 'unlimited'.
 # Default setting is to accept 200 Ranges.
 #MaxRanges unlimited
 #
 # EnableMMAP and EnableSendfile: On systems that support it, 
 # memory-mapping or the sendfile syscall may be used to deliver
 # files.  This usually improves server performance, but must
 # be turned off when serving from networked-mounted 
 # filesystems or if support for these functions is otherwise
 # broken on your system.
 # Defaults: EnableMMAP On, EnableSendfile Off
 #
 #EnableMMAP off
 #EnableSendfile on
 # Supplemental configuration
 #
 # The configuration files in the etc/apache24/extra/ directory can be 
 # included to add extra features or to modify the default configuration of 
 # the server, or you may simply copy their contents here and change as 
 # necessary.
 # Server-pool management (MPM specific)
 #Include etc/apache24/extra/httpd-mpm.conf
 # Multi-language error messages
 #Include etc/apache24/extra/httpd-multilang-errordoc.conf
 # Fancy directory listings
 #Include etc/apache24/extra/httpd-autoindex.conf
 # Language settings
 #Include etc/apache24/extra/httpd-languages.conf
 # User home directories
 #Include etc/apache24/extra/httpd-userdir.conf
 # Real-time info on requests and configuration
 #Include etc/apache24/extra/httpd-info.conf
 # Virtual hosts
 #Include etc/apache24/extra/httpd-vhosts.conf
 # Local access to the Apache HTTP Server Manual
 #Include etc/apache24/extra/httpd-manual.conf
 # Distributed authoring and versioning (WebDAV)
 #Include etc/apache24/extra/httpd-dav.conf
 # Various default settings
 #Include etc/apache24/extra/httpd-default.conf
 # Configure mod_proxy_html to understand HTML4/XHTML1
 <IfModule proxy_html_module>
 Include etc/apache24/extra/proxy-html.conf
 </IfModule>
 # Secure (SSL/TLS) connections
 #Include etc/apache24/extra/httpd-ssl.conf
 #
 # Note: The following must must be present to support
 #       starting without SSL on platforms with no /dev/random equivalent
 #       but a statically compiled-in mod_ssl.
 #
 <IfModule ssl_module>
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
 Include etc/apache24/Includes/*.conf
 <VirtualHost *:443>
    ServerName www.ahlawat.com
    ServerAlias *.ahlawat.com
    ServerAlias ahlawat.com
    Protocols h2 http/1.1
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on
    SSLCertificateFile "/mnt/certs/fullchain.pem"
    SSLCertificateKeyFile "/mnt/certs/privkey.pem"
    #SSLCertificateChainFile "/mnt/certs/fullchain.pem"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLOptions +StrictRequire
 #    SSLCompression off
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SetHandler "proxy:fcgi://127.0.0.1:9000"
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>
  BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  <Directory "/usr/local/www/apache24/data/">
    Options Indexes FollowSymLinks MultiViews
    ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
    IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
    #AllowOverride controls what directives may be placed in .htaccess files.
    #AllowOverride All
    #AllowOverride AuthConfig
    #Controls who can get stuff from this server file
    #Require all granted
  </Directory>
  ErrorLog "/var/log/ssl-error.log"
  CustomLog "/var/log/ssl-access_log" combined
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  </IfModule>
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A0
 <FilesMatch "\.(txt|xml|js)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(css)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
 ExpiresDefault A31536000
 </FilesMatch>
 </IfModule>
 <IfModule mod_headers.c>
  <FilesMatch "\.(txt|xml|js)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(css)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
 </IfModule>
 <IfModule mod_deflate.c>
 	SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-font-opentype" \
                                      "application/x-font-truetype" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
    <IfModule mod_mime.c>
        AddEncoding gzip              svgz
    </IfModule>
 </IfModule>
 </VirtualHost>
 SSLUseStapling On
 SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
--- a/jails/config/common/pkgp.conf
+++ b/jails/config/common/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp122: {
+pkgp123: {
-    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj123-default",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/db/pkg-list-details.txt
+++ b/jails/config/db/pkg-list-details.txt
@ -0,0 +1,6 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____mariadb105-server-10.5.15_2
 pkgp-freebsd-pkg____mysqld_exporter-0.12.1_1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
--- a/jails/config/db/pkg-list.txt
+++ b/jails/config/db/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion mariadb105-server mysqld_exporter nano pkg
--- a/jails/config/dns/dns_update.sh
+++ b/jails/config/dns/dns_update.sh
@ -0,0 +1,58 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 #SIM="-s"
 #SIM=""
 #rpl $SIM -v -R "2001:470:480a:a1::" "2001:470:480a:8001::" ./namedb
 #rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.8" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.8" ./namedb
 #rpl $SIM -v -R "2021120700" "2022010100" ./namedb
 #service $SIM named $SIM restart
 service named stop
 cd /data/namedb/master
 rm /data/namedb/master/*signed*
 declare -A ZONE_PEM
 ZONE_PEM=(["ahlawat.com"]="" ["beyondbell.com"]="bb" ["diyit.org"]="diy" ["xflow.org"]="xflow" ["datavpc.com"]="dvpc" ["mydatavpc.com"]="mdvpc" ["rockwoodestates.org"]="rwe" ["rockwoodranch.org"]="rwr" ["scvcc-rental.com"]="scvcc")
 for ZONE in "${!ZONE_PEM[@]}"
 do
    PEM=${ZONE_PEM[$ZONE]}
    /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create mail.$ZONE 25 3 1 1 > /data/namedb/master/tlsa-$ZONE
    /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create mail-backup.$ZONE 25 3 1 1 >> /data/namedb/master/tlsa-$ZONE
    /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create $ZONE 443 3 1 1 >> /data/namedb/master/tlsa-$ZONE
    /usr/local/bin/ldns-dane -c "/mnt/certs/"$PEM"fullchain.pem" create www.$ZONE 443 3 1 1 >> /data/namedb/master/tlsa-$ZONE
 done
 NEW_SERIAL=`date -j +%Y%m%d%H`
 #NEW_SERIAL="2022022635"
 echo $NEW_SERIAL
 for DBFILE in `ls /data/namedb/master/*.db`
 do
    ZONE=`echo $DBFILE | cut -d/ -f 5 | cut -d. -f -2`
    /usr/local/sbin/named-checkzone $ZONE $DBFILE
    SERIAL=`/usr/local/sbin/named-checkzone $ZONE $DBFILE | egrep -ho '[0-9]{10}'`
    echo $SERIAL
    sed -i .orig 's/'$SERIAL'/'$(($NEW_SERIAL))'/' $DBFILE
    #/usr/local/sbin/dnssec-signzone -S -K /data/namedb/master -t -o $ZONE $DBFILE
    /usr/local/sbin/dnssec-signzone -3 $(head -c 1024 /dev/random | sha1sum | cut -b 1-16) -K /data/namedb/master -t -o $ZONE $DBFILE
 done
 chown bind:bind /data/namedb/master/*
 service named start
--- a/jails/config/dns/dns_verify-6.sh
+++ b/jails/config/dns/dns_verify-6.sh
@ -0,0 +1,29 @@
 #### dns_verify-6.sh
 #
 NETS="2603:3024:3f6:e1: 2603:3024:3f6:e2: 2603:3024:3f6:e5:"
 IPS=$(seq 1 254)
 #
 echo
 echo -e "\tip        ->     hostname      -> ip"
 echo '--------------------------------------------------------'  
 for NET in $NETS; do
  for n in $IPS; do
    A=${NET}:${n}
    echo -e "\t$A"
    HOST=$(dig -6 -x $A +short)
    if test -n "$HOST"; then
      ADDR=$(dig -6 -t "AAAA" $HOST +short)
      if test "$A" = "$ADDR"; then
        echo -e "ok\t$A -> $HOST -> $ADDR"
      elif test -n "$ADDR"; then
        echo -e "fail\t$A -> $HOST -> $ADDR"
      else
        echo -e "fail\t$A -> $HOST -> [unassigned]"
      fi
    fi
  done
 done
 echo ""
 echo "DONE."
--- a/jails/config/dns/dns_verify.sh
+++ b/jails/config/dns/dns_verify.sh
@ -0,0 +1,27 @@
 #### dns_verify.sh
 #
 NETS="192.168.0 192.168.1 192.168.2"
 IPS=$(seq 1 254)
 #
 echo
 echo -e "\tip        ->     hostname      -> ip"
 echo '--------------------------------------------------------'  
 for NET in $NETS; do
  for n in $IPS; do
    A=${NET}.${n}
    HOST=$(dig -x $A +short)
    if test -n "$HOST"; then
      ADDR=$(dig $HOST +short)
      if test "$A" = "$ADDR"; then
        echo -e "ok\t$A -> $HOST -> $ADDR"
      elif test -n "$ADDR"; then
        echo -e "fail\t$A -> $HOST -> $ADDR"
      else
        echo -e "fail\t$A -> $HOST -> [unassigned]"
      fi
    fi
  done
 done
 echo ""
 echo "DONE."
--- a/jails/config/dns/pkg-list-details.txt
+++ b/jails/config/dns/pkg-list-details.txt
@ -0,0 +1,7 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____bind916-9.16.27
 pkgp-freebsd-pkg____ldns-1.8.1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____rpl-1.4.1
--- a/jails/config/dns/pkg-list.txt
+++ b/jails/config/dns/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion bind916 ldns nano pkg rpl
--- a/jails/config/dns/update6.sh
+++ b/jails/config/dns/update6.sh
@ -1,18 +0,0 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 SIM="-s"
 #SIM=""
 rpl $SIM -v -R "2603:3024:3f6:21::" "2603:3024:3f6:1::" ./namedb
 rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1" ./namedb
 rpl $SIM -v -R "2021030900" "2021031100" ./namedb
 service $SIM named $SIM restart
--- a/jails/config/elk/pkg-list-details.txt
+++ b/jails/config/elk/pkg-list-details.txt
@ -0,0 +1,10 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____beats7-7.16.3_1
 pkgp-freebsd-pkg____curl-7.82.0
 pkgp-freebsd-pkg____elasticsearch7-7.16.3
 pkgp-freebsd-pkg____kibana7-7.16.3
 pkgp-freebsd-pkg____logstash7-7.16.3
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____openjdk11-11.0.14+9.1_1
 pkgp-freebsd-pkg____pkg-1.17.5_1
--- a/jails/config/elk/pkg-list.txt
+++ b/jails/config/elk/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion beats7 curl elasticsearch7 kibana7 logstash7 nano openjdk11 pkg
--- a/jails/config/git/gitea-restart.sh
+++ b/jails/config/git/gitea-restart.sh
@ -8,10 +8,13 @@
 #
 #
-Q=`netstat -LAan | grep 3000 | cut -f3 -d" " | cut -f1 -d/`
+Q=`netstat -LAan | grep "*.3000" | cut -f3 -d" " | cut -f1 -d/`
 # Q is null if gitea service is not running
-if [ ! "$Q" ] || [ $Q -ne 0 ]; then
+# 1537 is max stuck recvQ qlen limit when logging start:
 # sonewconn: pcb 0xfffff804b9f73d58: Listen queue overflow: 1537 already in queue awaiting acceptance (30 occurrences)
 if [ ! "$Q" ] || [ $Q -ge 100 ]; then
    echo "restarting gitea stuck at $Q"
    tail /var/log/gitea/gitea.log
    kill -9 `pgrep gitea` ; sleep 2 ; service gitea start
--- a/jails/config/git/pkg-list-details.txt
+++ b/jails/config/git/pkg-list-details.txt
@ -0,0 +1,6 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____gitea-1.16.5_1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____openldap-sasl-client-2.4.59
 pkgp-freebsd-pkg____pkg-1.17.5_1
--- a/jails/config/git/pkg-list.txt
+++ b/jails/config/git/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion gitea nano openldap-sasl-client pkg
--- a/jails/config/hass/pkg-list-details.txt
+++ b/jails/config/hass/pkg-list-details.txt
@ -0,0 +1,17 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____cmake-3.22.2
 pkgp-freebsd-pkg____ffmpeg-4.4.1_11,1
 pkgp-freebsd-pkg____git-lite-2.35.1
 pkgp-freebsd-pkg____gmake-4.3_2
 pkgp-freebsd-pkg____heyu2-2.10_1
 pkgp-freebsd-pkg____libxslt-1.1.35_1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____openjpeg-2.4.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____py38-sqlite3-3.8.13_7
 pkgp-freebsd-pkg____py39-sqlite3-3.9.12_7
 pkgp-freebsd-pkg____python39-3.9.12
 pkgp-freebsd-pkg____rust-1.59.0
 pkgp-freebsd-pkg____tmux-3.2a
 pkgp-freebsd-pkg____wget-1.21.3
--- a/jails/config/hass/pkg-list.txt
+++ b/jails/config/hass/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion cmake ffmpeg git-lite gmake heyu2 libxslt nano openjpeg pkg py38-sqlite3 py39-sqlite3 python39 rust tmux wget
--- a/jails/config/hass/x10.conf
+++ b/jails/config/hass/x10.conf
@ -16,7 +16,7 @@
 # Serial port to which the CM11a is connected. Default is /dev/ttyS0.
-tty /dev/ttyU1
+tty /dev/ttyU0
 check_ri_line NO
 # If you have an X10 compatible RF receiver connected to a second
@ -24,7 +24,7 @@ check_ri_line NO
 # and model of receiver.  Supported receivers are W800RF32, MR26A,
 # and RFXCOM.  There are no defaults.
-tty_aux /dev/ttyU0 MR26A
+tty_aux /dev/ttyU1 MR26A
 # The CM19A is both a receiver and transmitter for X10 RF signals.
 # The MR26A is a receiver only.
--- a/jails/config/hub/httpd.conf
+++ b/jails/config/hub/httpd.conf
@ -49,7 +49,7 @@ ServerRoot "/usr/local"
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+#Listen 80
 #
 # Dynamic Shared Object (DSO) Support
@ -110,7 +110,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
 #LoadModule substitute_module libexec/apache24/mod_substitute.so
 #LoadModule sed_module libexec/apache24/mod_sed.so
 #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
-#LoadModule deflate_module libexec/apache24/mod_deflate.so
+LoadModule deflate_module libexec/apache24/mod_deflate.so
 #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
 #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
 LoadModule mime_module libexec/apache24/mod_mime.so
@ -121,7 +121,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
 LoadModule env_module libexec/apache24/mod_env.so
 #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
 #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
-#LoadModule expires_module libexec/apache24/mod_expires.so
+LoadModule expires_module libexec/apache24/mod_expires.so
 LoadModule headers_module libexec/apache24/mod_headers.so
 #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
 #LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -180,7 +180,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 LoadModule rewrite_module libexec/apache24/mod_rewrite.so
 #LoadModule php7_module        libexec/apache24/libphp7.so
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -225,7 +224,7 @@ ServerAdmin sharad@ahlawat.com
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-#ServerName www.example.com:80
+ServerName hub.ahlawat.com
 #
 # Deny access to the entirety of your server's filesystem. You must
@ -559,7 +558,7 @@ Include etc/apache24/Includes/*.conf
    ServerAlias *.ahlawat.com
    ServerAlias hub
-    Protocols h2 h2c http/1.1
+    Protocols h2 http/1.1
    DocumentRoot "/usr/local/www/apache24/data/"
@ -568,11 +567,11 @@ Include etc/apache24/Includes/*.conf
    SSLCertificateKeyFile "/mnt/certs/privkey.pem"
    #SSLCertificateChainFile "/mnt/certs/fullchain.pem"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    SSLHonorCipherOrder on
+    SSLHonorCipherOrder off
    SSLCompression off
    SSLSessionTickets off
    SSLOptions +StrictRequire
 #    SSLCompression off
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
@ -606,7 +605,100 @@ Include etc/apache24/Includes/*.conf
  CustomLog "/var/log/ssl-access_log" combined
  <IfModule mod_headers.c>
-    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  </IfModule>
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A0
 <FilesMatch "\.(txt|xml|js)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(css)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
 ExpiresDefault A31536000
 </FilesMatch>
 </IfModule>
 <IfModule mod_headers.c>
  <FilesMatch "\.(txt|xml|js)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(css)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
 </IfModule>
 <IfModule mod_deflate.c>
 	SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-font-opentype" \
                                      "application/x-font-truetype" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
    <IfModule mod_mime.c>
        AddEncoding gzip              svgz
    </IfModule>
 </IfModule>
 </VirtualHost>
 SSLUseStapling On
 SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
--- a/jails/config/hub/pkg-list-details.txt
+++ b/jails/config/hub/pkg-list-details.txt
@ -0,0 +1,29 @@
 pkgp122____openldap24-client-2.4.59_4
 pkgp123____apache24-2.4.53_1
 pkgp123____apr-1.7.0.1.6.1_2
 pkgp123____php81-ldap-8.1.5
 pkgp123____pkg-1.17.5_1
 pkgp123____samba413-4.13.17_1
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____compat9x-amd64-9.3.903000.20170608
 pkgp-freebsd-pkg____fluxbox-1.3.7_5
 pkgp-freebsd-pkg____iperf3-3.11
 pkgp-freebsd-pkg____mc-4.8.28
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____openjdk8-8.322.06.1
 pkgp-freebsd-pkg____p7zip-16.02_3
 pkgp-freebsd-pkg____php81-mysqli-8.1.4_2
 pkgp-freebsd-pkg____php81-pgsql-8.1.4_2
 pkgp-freebsd-pkg____php81-session-8.1.4_2
 pkgp-freebsd-pkg____rename-1.99.2
 pkgp-freebsd-pkg____rkhunter-1.4.6_1
 pkgp-freebsd-pkg____rsync-3.2.3_1
 pkgp-freebsd-pkg____sshguard-2.4.2_2,1
 pkgp-freebsd-pkg____sudo-1.9.10
 pkgp-freebsd-pkg____tigervnc-1.9.0_4
 pkgp-freebsd-pkg____unrar-6.11,6
 pkgp-freebsd-pkg____wget-1.21.3
 pkgp-freebsd-pkg____xauth-1.1
 pkgp-freebsd-pkg____xorriso-1.5.4
 pkgp-freebsd-pkg____xterm-372
--- a/jails/config/hub/pkg-list.txt
+++ b/jails/config/hub/pkg-list.txt
@ -0,0 +1 @@
 apache24 apr bash bash-completion compat9x-amd64 fluxbox iperf3 mc nano openjdk8 openldap24-client p7zip php81-ldap php81-mysqli php81-pgsql php81-session pkg rename rkhunter rsync samba413 sshguard sudo tigervnc unrar wget xauth xorriso xterm
--- a/jails/config/hub/pkgp.conf
+++ b/jails/config/hub/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp122: {
+pkgp123: {
-    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj123-default",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/ibm/pkg-list-details.txt
+++ b/jails/config/ibm/pkg-list-details.txt
@ -0,0 +1,9 @@
 pkgp-freebsd-pkg____automake-1.16.5
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____cmake-3.22.2
 pkgp-freebsd-pkg____git-lite-2.35.1
 pkgp-freebsd-pkg____hercules-3.13
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____tmux-3.2a
--- a/jails/config/ibm/pkg-list.txt
+++ b/jails/config/ibm/pkg-list.txt
@ -0,0 +1 @@
 automake bash bash-completion cmake git-lite hercules nano pkg tmux
--- a/jails/config/jump/enable-routing.sh
+++ b/jails/config/jump/enable-routing.sh
@ -1,7 +0,0 @@
 sysctl net.inet.ip.forwarding=1
 route add 10.1.2.0/24 192.168.55.105
 # on remote -
 #sudo sysctl net.ipv4.ip_forward=1
 #ip route add 192.168.0.0/24 via 192.168.55.1
 #OR
 #ip route add 192.168.0.0/24 dev tun0
--- a/jails/config/jump/pkg-list-details.txt
+++ b/jails/config/jump/pkg-list-details.txt
@ -0,0 +1,10 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____guacamole-client-1.4.0
 pkgp-freebsd-pkg____guacamole-server-1.4.0
 pkgp-freebsd-pkg____libqrencode-4.1.1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____openldap-sasl-client-2.4.59
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____wireguard-2,1
 pkgp-freebsd-pkg____zip-3.0_1
--- a/jails/config/jump/pkg-list.txt
+++ b/jails/config/jump/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion guacamole-client guacamole-server libqrencode nano openldap-sasl-client pkg wireguard zip
--- a/jails/config/ldap-mgr/config.php.phpldapadmin.github
+++ b/jails/config/ldap-mgr/config.php.phpldapadmin.github
@ -71,6 +71,31 @@
   environments. */
 #  $config->custom->password['no_random_crypt_salt'] = true;
 /* If you want to restrict password available types (encryption algorithms)
 	 Should be subset of:
 	 array(
 		''=>'clear',
 		'bcrypt'=>'bcrypt',
 		'blowfish'=>'blowfish',
 		'crypt'=>'crypt',
 		'ext_des'=>'ext_des',
 		'md5'=>'md5',
 		'k5key'=>'k5key',
 		'md5crypt'=>'md5crypt',
 		'sha'=>'sha',
 		'smd5'=>'smd5',
 		'ssha'=>'ssha',
 		'sha256'=>'sha256',
 		'ssha256'=>'ssha256',
 		'sha384'=>'sha384',
 		'ssha384'=>'ssha384',
 		'sha512'=>'sha512',
 		'ssha512'=>'ssha512',
 		'sha256crypt'=>'sha256crypt',
 		'sha512crypt'=>'sha512crypt',
 	 )*/
 #  $config->custom->password['available_types'] = array(''=>'clear','md5'=>'md5');
 /* PHP script timeout control. If php runs longer than this many seconds then
   PHP will stop with an Maximum Execution time error. Increase this value from
   the default if queries to your LDAP server are slow. The default is either
@ -173,6 +198,10 @@ $config->custom->commands['script'] = array(
 // $config->custom->appearance['tree_width'] = null;
 #  $config->custom->appearance['tree_width'] = 250;
 /* Number of tree command icons to show, 0 = show all icons on 1 row. */
 // $config->custom->appearance['tree_icons'] = 0;
 #  $config->custom->appearance['tree_icons'] = 4;
 /* Confirm create and update operations, allowing you to review the changes
   and optionally skip attributes during the create/update operation. */
 // $config->custom->confirm['create'] = true;
@ -235,7 +264,7 @@ $config->custom->appearance['friendly_attrs'] = array(
 *********************************************/
 /* Add "modify group members" link to the attribute. */
-// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid');
+// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser');
 /* Configure filter for member search. This only applies to "modify group members" feature */
 // $config->custom->modify_member['filter'] = '(objectclass=Person)';
@ -310,12 +339,13 @@ $servers->setValue('server','base',array('dc=infra'));
      login will be required to use phpLDAPadmin for this server.
   5. 'sasl': login will be taken from the webserver's kerberos authentication.
      Currently only GSSAPI has been tested (using mod_auth_kerb).
   6. 'sasl_external': login will be taken from SASL external mechanism.
   Choose wisely to protect your authentication information appropriately for
   your situation. If you choose 'cookie', your cookie contents will be
   encrypted using blowfish and the secret your specify above as
   session['blowfish']. */
-$servers->setValue('login','auth_type','cookie');
+// $servers->setValue('login','auth_type','session');
 /* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
   'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
@ -334,6 +364,22 @@ $servers->setValue('login','bind_pass','');
 /* Use TLS (Transport Layer Security) to connect to the LDAP server. */
 $servers->setValue('server','tls',false);
 /* TLS Certificate Authority file (overrides ldap.conf, PHP 7.1+) */
 // $servers->setValue('server','tls_cacert',null);
 #  $servers->setValue('server','tls_cacert','/etc/openldap/certs/ca.crt');
 /* TLS Certificate Authority hashed directory (overrides ldap.conf, PHP 7.1+) */
 // $servers->setValue('server','tls_cacertdir',null);
 #  $servers->setValue('server','tls_cacertdir','/etc/openldap/certs');
 /* TLS Client Certificate file (PHP 7.1+) */
 // $servers->setValue('server','tls_cert',null);
 #  $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt');
 /* TLS Client Certificate Key file (PHP 7.1+) */
 // $servers->setValue('server','tls_key',null);
 #  $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key');
 /************************************
 *      SASL Authentication         *
 ************************************/
@ -341,11 +387,19 @@ $servers->setValue('server','tls',false);
 /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
   configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
   false), then all other sasl options are ignored. */
-// $servers->setValue('login','auth_type','sasl');
+#  $servers->setValue('login','auth_type','sasl');
-/* SASL auth mechanism */
+/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */
 // $servers->setValue('sasl','mech','GSSAPI');
 /* SASL PLAIN support... this mech converts simple binds to SASL
   PLAIN binds using any auth_type (or other bind_id/pass) as credentials.
   NOTE: auth_type must be simple auth compatible (ie not sasl) */
 #  $servers->setValue('sasl','mech','PLAIN');
 /* SASL EXTERNAL support... really a different auth_type */
 #  $servers->setValue('login','auth_type','sasl_external');
 /* SASL authentication realm name */
 // $servers->setValue('sasl','realm','');
 #  $servers->setValue('sasl','realm','EXAMPLE.COM');
@ -400,6 +454,12 @@ $servers->setValue('server','tls',false);
   setup. */
 // $servers->setValue('login','class',array());
 /* If login_attr was set to 'dn', it is possible to specify a template string to
   build the DN from. Use '%s' where user input should be inserted. A user may
   still enter the complete DN. In this case the template will not be used. */
 // $servers->setValue('login','bind_dn_template',null);
 #  $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com');
 /* If you specified something different from 'dn', for example 'uid', as the
   login_attr above, you can optionally specify here to fall back to
   authentication with dn.
@ -420,6 +480,9 @@ $servers->setValue('server','tls',false);
 /* Set to true if you would like to initially open the first level of each tree. */
 // $servers->setValue('appearance','open_tree',false);
 /* Set to true to display authorization ID in place of login dn (PHP 7.2+) */
 // $servers->setValue('appearance','show_authz',false);
 /* This feature allows phpLDAPadmin to automatically determine the next
   available uidNumber for a new entry. */
 // $servers->setValue('auto_number','enable',true);
@ -556,7 +619,7 @@ $servers->setValue('appearance','show_create',true);
 $servers->setValue('auto_number','enable',true);
 $servers->setValue('auto_number','mechanism','search');
 $servers->setValue('auto_number','search_base',null);
-$servers->setValue('auto_number','min',array('uidNumber'=>10000,'gidNumber'=>5000));
+$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
 $servers->setValue('auto_number','dn',null);
 $servers->setValue('auto_number','pass',null);
@ -573,4 +636,19 @@ $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','p
 $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
 $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
 */
 /***********************************************************************************
 * If you want to configure Google reCAPTCHA on autentication form, do so below.   *
 * Remove the commented lines and use this section as a template for all           *
 * reCAPTCHA v2  Generate on https://www.google.com/recaptcha/                     *
 *                                                                                 *
 * IMPORTANT: Select reCAPTCHA v2   on  Type of reCAPTCHA                          *
 ***********************************************************************************/
 $config->custom->session['reCAPTCHA-enable'] = false;
 $config->custom->session['reCAPTCHA-key-site'] = '<put-here-key-site>';
 $config->custom->session['reCAPTCHA-key-server'] = '<put-here-key-server>';
 ?>
--- a/jails/config/ldap-mgr/httpd.conf
+++ b/jails/config/ldap-mgr/httpd.conf
@ -49,7 +49,7 @@ ServerRoot "/usr/local"
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+#Listen 80
 #
 # Dynamic Shared Object (DSO) Support
@ -178,7 +178,7 @@ LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 #LoadModule rewrite_module libexec/apache24/mod_rewrite.so
-LoadModule php7_module        libexec/apache24/libphp7.so
+LoadModule php_module         libexec/apache24/libphp.so
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -214,7 +214,7 @@ Group www
 # e-mailed.  This address appears on some server-generated pages, such
 # as error documents.  e.g. admin@your-domain.com
 #
-ServerAdmin you@example.com
+ServerAdmin sharad@ahlawat.com
 #
 # ServerName gives the name and port that the server uses to identify itself.
@ -223,7 +223,7 @@ ServerAdmin you@example.com
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-#ServerName www.example.com:80
+ServerName ldap-mgr.ahlawat.com
 #
 # Deny access to the entirety of your server's filesystem. You must
@ -578,7 +578,7 @@ Include etc/apache24/Includes/*.conf
    Require all granted
  </Directory>
-  Alias /ssp "/usr/local/www/self-service-password"
+  Alias /ssp "/usr/local/www/self-service-password/htdocs"
  <Directory "/usr/local/www/self-service-password">
    AllowOverride None
    Require all granted
--- a/jails/config/ldap-mgr/php.ini
+++ b/jails/config/ldap-mgr/php.ini
@ -401,7 +401,7 @@ max_input_time = 60
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
-memory_limit = 128M
+memory_limit = 256M
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ; Error handling and logging ;
--- a/jails/config/ldap-mgr/pkg-list-details.txt
+++ b/jails/config/ldap-mgr/pkg-list-details.txt
@ -0,0 +1,9 @@
 pkgp-freebsd-pkg____apache24-2.4.53
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____ldap-account-manager-7.9
 pkgp-freebsd-pkg____mod_php80-8.0.17_1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____phpldapadmin-php80-1.2.6.3_1
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____self-service-password-php80-1.4_1
--- a/jails/config/ldap-mgr/pkg-list.txt
+++ b/jails/config/ldap-mgr/pkg-list.txt
@ -0,0 +1 @@
 apache24 bash bash-completion ldap-account-manager mod_php80 nano phpldapadmin-php80 pkg self-service-password-php80
--- a/jails/config/ldap/pkg-list-details.txt
+++ b/jails/config/ldap/pkg-list-details.txt
@ -0,0 +1,7 @@
 pkgp122____openldap24-client-2.4.59_4
 pkgp123____openldap24-server-2.4.59_9
 pkgp123____pkg-1.17.5_1
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____openssl-1.1.1n,1
--- a/jails/config/ldap/pkg-list.txt
+++ b/jails/config/ldap/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion nano openldap24-client openldap24-server openssl pkg
--- a/jails/config/ldap/pkgp.conf
+++ b/jails/config/ldap/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp122: {
+pkgp123: {
-    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj123-default",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/mage/pkg-list-details.txt
+++ b/jails/config/mage/pkg-list-details.txt
@ -0,0 +1,30 @@
 pkgp-freebsd-pkg____automake-1.16.5
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____cmake-3.22.2
 pkgp-freebsd-pkg____dbus-1.12.20_5
 pkgp-freebsd-pkg____fluxbox-1.3.7_5
 pkgp-freebsd-pkg____git-lite-2.35.1
 pkgp-freebsd-pkg____libxslt-1.1.35_1
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____perl5-5.32.1_1
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____py38-IBMQuantumExperience-2.0.4
 pkgp-freebsd-pkg____py38-jupyterlab-3.1.19
 pkgp-freebsd-pkg____py38-matplotlib-3.4.3_3
 pkgp-freebsd-pkg____py38-pandas-1.3.5,1
 pkgp-freebsd-pkg____py38-pep517-0.12.0
 pkgp-freebsd-pkg____py38-pip-20.3.4
 pkgp-freebsd-pkg____py38-scikit-learn-1.0.2
 pkgp-freebsd-pkg____py38-seaborn-0.11.0_1
 pkgp-freebsd-pkg____py38-tensorflow-1.15.5_2
 pkgp-freebsd-pkg____rubygem-pkg-config-1.4.7
 pkgp-freebsd-pkg____rust-1.59.0
 pkgp-freebsd-pkg____sudo-1.9.10
 pkgp-freebsd-pkg____suitesparse-cholmod-3.0.14
 pkgp-freebsd-pkg____suitesparse-umfpack-5.7.9
 pkgp-freebsd-pkg____symengine-0.8.1
 pkgp-freebsd-pkg____tigervnc-server-1.12.0_4
 pkgp-freebsd-pkg____xauth-1.1
 pkgp-freebsd-pkg____xorg-fonts-truetype-7.7_1
 pkgp-freebsd-pkg____xterm-372
--- a/jails/config/mage/pkg-list.txt
+++ b/jails/config/mage/pkg-list.txt
@ -0,0 +1 @@
 automake bash bash-completion cmake dbus fluxbox git-lite libxslt nano perl5 pkg py38-IBMQuantumExperience py38-jupyterlab py38-matplotlib py38-pandas py38-pep517 py38-pip py38-scikit-learn py38-seaborn py38-tensorflow rubygem-pkg-config rust sudo suitesparse-cholmod suitesparse-umfpack symengine tigervnc-server xauth xorg-fonts-truetype xterm
--- a/jails/config/mail/pkg-list-details.txt
+++ b/jails/config/mail/pkg-list-details.txt
@ -0,0 +1,12 @@
 pkgp122____openldap24-client-2.4.59_4
 pkgp123____dcc-dccd-2.3.168
 pkgp123____dovecot-2.3.18_1
 pkgp123____dovecot-pigeonhole-0.5.18
 pkgp123____pkg-1.17.5_1
 pkgp123____postfix-3.7.0_2,1
 pkgp123____rspamd-3.2_1
 pkgp-freebsd-pkg____apache-solr-8.11.1
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____redis-6.2.6
--- a/jails/config/mail/pkg-list.txt
+++ b/jails/config/mail/pkg-list.txt
@ -0,0 +1 @@
 apache-solr bash bash-completion dcc-dccd dovecot dovecot-pigeonhole nano openldap24-client pkg postfix redis rspamd
--- a/jails/config/mail/pkgp.conf
+++ b/jails/config/mail/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp122: {
+pkgp123: {
-    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj123-default",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/mail/postfix-reload.sh
+++ b/jails/config/mail/postfix-reload.sh
@ -0,0 +1,14 @@
 #! /bin/sh
 certfiles=$(postconf -n | awk -F " = " '$1 ~ /(cert|key)_file/ {print $2}' | sort -u)
 reload=false
 for f in $certfiles; do
  if [ -f "$f" ]; then
    if [ /var/spool/postfix/pid/master.pid -ot "$f" ]; then
      reload=true
    fi
  fi
 done
 if $reload; then
  echo "postfix master.pid file older than certificates; restart required!"
  service postfix restart
 fi
--- a/jails/config/maps/pkg-list-details.txt
+++ b/jails/config/maps/pkg-list-details.txt
@ -0,0 +1,7 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____npm-8.5.2
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____pkgconf-1.8.0,1
 pkgp-freebsd-pkg____vips-8.12.2_4
--- a/jails/config/maps/pkg-list.txt
+++ b/jails/config/maps/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion nano npm pkg pkgconf vips
--- a/jails/config/matrix/config.json
+++ b/jails/config/matrix/config.json
@ -1,7 +1,7 @@
 {
    "default_server_config": {
        "m.homeserver": {
-            "base_url": "https://matrix.ahlawat.com",
+            "base_url": "https://matrix.ahlawat.com:8448",
            "server_name": "matrix.ahlawat.com"
        },
        "m.identity_server": {
@ -12,7 +12,7 @@
    "disable_guests": false,
    "disable_login_language_selector": false,
    "disable_3pid_login": false,
-    "brand": "Riot",
+    "brand": "Ahlawat",
    "integrations_ui_url": "https://scalar.vector.im/",
    "integrations_rest_url": "https://scalar.vector.im/api",
    "integrations_widgets_urls": [
@ -22,23 +22,19 @@
        "https://scalar-staging.vector.im/api",
        "https://scalar-staging.riot.im/scalar/api"
    ],
-    "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
    "uisi_autorageshake_app": "element-auto-uisi",
    "defaultCountryCode": "US",
    "showLabsSettings": false,
-    "features": {
+    "features": { },
        "feature_pinning": "labs",
        "feature_custom_status": "labs",
        "feature_custom_tags": "labs",
        "feature_state_counters": "labs"
    },
    "default_federate": true,
    "default_theme": "light",
    "roomDirectory": {
        "servers": [
            "matrix.ahlawat.com",
            "matrix.org"
        ]
    },
    "welcomeUserId": "@riot-bot:matrix.org",
    "piwik": {
        "url": "https://piwik.riot.im/",
        "whitelistedHSUrls": ["https://matrix.org"],
@ -54,5 +50,6 @@
    },
    "jitsi": {
        "preferredDomain": "meet.ahlawat.com"
-    }
+    },
    "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
 }
--- a/jails/config/matrix/nginx.conf
+++ b/jails/config/matrix/nginx.conf
@ -146,7 +146,7 @@ http {
        #location /favicon.ico { access_log off; log_not_found off; }
-        root /usr/local/www/riot;
+        root /usr/local/www/element;
        index index.html;
        #error_page  404              /404.html;
--- a/jails/config/matrix/pkg-list-details.txt
+++ b/jails/config/matrix/pkg-list-details.txt
@ -0,0 +1,9 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____element-web-1.10.8
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____nginx-1.20.2_9,2
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____py38-matrix-synapse-1.55.2
 pkgp-freebsd-pkg____py38-matrix-synapse-ldap3-0.2.0
 pkgp-freebsd-pkg____py38-psycopg2-2.9.3
--- a/jails/config/matrix/pkg-list.txt
+++ b/jails/config/matrix/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion element-web nano nginx pkg py38-matrix-synapse py38-matrix-synapse-ldap3 py38-psycopg2
--- a/jails/config/meet/pkg-list-details.txt
+++ b/jails/config/meet/pkg-list-details.txt
@ -0,0 +1,9 @@
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____jicofo-1.0.555_2
 pkgp-freebsd-pkg____jitsi-meet-1.0.4048_2
 pkgp-freebsd-pkg____jitsi-videobridge-2.1.183_3
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____nginx-1.20.2_9,2
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____prosody-0.12.0
--- a/jails/config/meet/pkg-list.txt
+++ b/jails/config/meet/pkg-list.txt
@ -0,0 +1 @@
 bash bash-completion jicofo jitsi-meet jitsi-videobridge nano nginx pkg prosody
--- a/jails/config/monitor/grafana.conf
+++ b/jails/config/monitor/grafana.conf
@ -1,549 +0,0 @@
 ##################### Grafana Configuration Example #####################
 #
 # Everything has defaults so you only need to uncomment things you want to
 # change
 # possible values : production, development
 ;app_mode = production
 # instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
 ;instance_name = ${HOSTNAME}
 instance_name = grafana.diyit.org
 #################################### Paths ####################################
 [paths]
 # Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
 data = /var/db/grafana/
 # Temporary files in `data` directory older than given duration will be removed
 ;temp_data_lifetime = 24h
 # Directory where grafana can store logs
 logs = /var/log/grafana/
 # Directory where grafana will automatically scan and look for plugins
 plugins = /var/db/grafana/plugins
 # folder that contains provisioning config files that grafana will apply on startup and while running.
 provisioning = /var/db/grafana/provisioning
 #################################### Server ####################################
 [server]
 # Protocol (http, https, socket)
 protocol = https
 # The ip address to bind to, empty will bind to all interfaces
 ;http_addr =
 # The http port  to use
 ;http_port = 3000
 # The public facing domain name used to access grafana from a browser
 ;domain = localhost
 # Redirect to correct domain if host header does not match domain
 # Prevents DNS rebinding attacks
 enforce_domain = false
 # The full public facing url you use in browser, used for redirects and emails
 # If you use reverse proxy and sub path specify full url (with sub path)
 root_url = https://grafana.diyit.org
 # Log web requests
 ;router_logging = false
 # the path relative working path
 ;static_root_path = public
 # enable gzip
 ;enable_gzip = false
 # https certs & key file
 cert_file = /mnt/certs/diyfullchain.pem
 cert_key =/mnt/certs/diyprivkeyr.pem
 # Unix socket path
 ;socket =
 #################################### Database ####################################
 [database]
 # You can configure the database connection by specifying type, host, name, user and password
 # as separate properties or as on string using the url properties.
 # Either "mysql", "postgres" or "sqlite3", it's your choice
 ;type = sqlite3
 ;host = 127.0.0.1:3306
 ;name = grafana
 ;user = root
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 ;password =
 # Use either URL or the previous fields to configure the database
 # Example: mysql://user:secret@host:port/database
 ;url =
 # For "postgres" only, either "disable", "require" or "verify-full"
 ;ssl_mode = disable
 # For "sqlite3" only, path relative to data_path setting
 ;path = grafana.db
 # Max idle conn setting default is 2
 ;max_idle_conn = 2
 # Max conn setting default is 0 (mean not set)
 ;max_open_conn =
 # Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
 ;conn_max_lifetime = 14400
 # Set to true to log the sql calls and execution times.
 log_queries =
 # For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
 ;cache_mode = private
 #################################### Cache server #############################
 [remote_cache]
 # Either "redis", "memcached" or "database" default is "database"
 ;type = database
 # cache connectionstring options
 # database: will use Grafana primary database.
 # redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
 # memcache: 127.0.0.1:11211
 ;connstr =
 #################################### Session ####################################
 [session]
 # Either "memory", "file", "redis", "mysql", "postgres", default is "file"
 ;provider = file
 # Provider config options
 # memory: not have any config yet
 # file: session dir path, is relative to grafana data_path
 # redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=grafana`
 # mysql: go-sql-driver/mysql dsn config string, e.g. `user:password@tcp(127.0.0.1:3306)/database_name`
 # postgres: user=a password=b host=localhost port=5432 dbname=c sslmode=disable
 ;provider_config = sessions
 # Session cookie name
 ;cookie_name = grafana_sess
 # If you use session in https only, default is false
 ;cookie_secure = false
 # Session life time, default is 86400 (means 86400 seconds or 24 hours)
 ;session_life_time = 86400
 #################################### Data proxy ###########################
 [dataproxy]
 # This enables data proxy logging, default is false
 ;logging = false
 # How long the data proxy should wait before timing out default is 30 (seconds)
 ;timeout = 30
 # If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
 ;send_user_header = false
 #################################### Analytics ####################################
 [analytics]
 # Server reporting, sends usage counters to stats.grafana.org every 24 hours.
 # No ip addresses are being tracked, only simple counters to track
 # running instances, dashboard and error counts. It is very helpful to us.
 # Change this option to false to disable reporting.
 ;reporting_enabled = true
 # Set to false to disable all checks to https://grafana.net
 # for new vesions (grafana itself and plugins), check is used
 # in some UI views to notify that grafana or plugin update exists
 # This option does not cause any auto updates, nor send any information
 # only a GET request to http://grafana.com to get latest versions
 ;check_for_updates = true
 # Google Analytics universal tracking code, only enabled if you specify an id here
 ;google_analytics_ua_id =
 # Google Tag Manager ID, only enabled if you specify an id here
 ;google_tag_manager_id =
 #################################### Security ####################################
 [security]
 # default admin user, created on startup
 ;admin_user = admin
 # default admin password, can be changed before first start of grafana,  or in profile settings
 ;admin_password = admin
 # used for signing
 ;secret_key = SW2YcwTIb9zpOOhoPsMm
 # disable gravatar profile images
 ;disable_gravatar = false
 # data source proxy whitelist (ip_or_domain:port separated by spaces)
 ;data_source_proxy_whitelist =
 # disable protection against brute force login attempts
 ;disable_brute_force_login_protection = false
 # set to true if you host Grafana behind HTTPS. default is false.
 cookie_secure = true
 # set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict" and "none"
 cookie_samesite = none
 allow_embedding = true
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options
 ;external_enabled = true
 ;external_snapshot_url = https://snapshots-origin.raintank.io
 ;external_snapshot_name = Publish to snapshot.raintank.io
 # remove expired snapshot
 ;snapshot_remove_expired = true
 #################################### Dashboards History ##################
 [dashboards]
 # Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
 ;versions_to_keep = 20
 #################################### Users ###############################
 [users]
 # disable user signup / registration
 ;allow_sign_up = true
 # Allow non admin users to create organizations
 ;allow_org_create = true
 # Set to true to automatically assign new users to the default organization (id 1)
 ;auto_assign_org = true
 # Default role new users will be automatically assigned (if disabled above is set to true)
 ;auto_assign_org_role = Viewer
 # Background text for the user field on the login page
 ;login_hint = email or username
 ;password_hint = password
 # Default UI theme ("dark" or "light")
 ;default_theme = dark
 # External user management, these options affect the organization users view
 ;external_manage_link_url =
 ;external_manage_link_name =
 ;external_manage_info =
 # Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
 ;viewers_can_edit = false
 # Editors can administrate dashboard, folders and teams they create
 ;editors_can_admin = false
 [auth]
 # Login cookie name
 ;login_cookie_name = grafana_session
 # The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days,
 ;login_maximum_inactive_lifetime_days = 7
 # The maximum lifetime (days) an authenticated user can be logged in since login time before being required to login. Default is 30 days.
 ;login_maximum_lifetime_days = 30
 # How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
 ;token_rotation_interval_minutes = 10
 # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
 ;disable_login_form = false
 # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
 ;disable_signout_menu = false
 # URL to redirect the user to after sign out
 ;signout_redirect_url =
 # Set to true to attempt login with OAuth automatically, skipping the login screen.
 # This setting is ignored if multiple OAuth providers are configured.
 ;oauth_auto_login = false
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
 ;enabled = false
 # specify organization name that should be used for unauthenticated users
 ;org_name = Main Org.
 # specify role for unauthenticated users
 ;org_role = Viewer
 #################################### Github Auth ##########################
 [auth.github]
 ;enabled = false
 ;allow_sign_up = true
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email,read:org
 ;auth_url = https://github.com/login/oauth/authorize
 ;token_url = https://github.com/login/oauth/access_token
 ;api_url = https://api.github.com/user
 ;team_ids =
 ;allowed_organizations =
 #################################### Google Auth ##########################
 [auth.google]
 ;enabled = false
 ;allow_sign_up = true
 ;client_id = some_client_id
 ;client_secret = some_client_secret
 ;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
 ;auth_url = https://accounts.google.com/o/oauth2/auth
 ;token_url = https://accounts.google.com/o/oauth2/token
 ;api_url = https://www.googleapis.com/oauth2/v1/userinfo
 ;allowed_domains =
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
 ;enabled = false
 ;name = OAuth
 ;allow_sign_up = true
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email,read:org
 ;auth_url = https://foo.bar/login/oauth/authorize
 ;token_url = https://foo.bar/login/oauth/access_token
 ;api_url = https://foo.bar/user
 ;team_ids =
 ;allowed_organizations =
 ;tls_skip_verify_insecure = false
 ;tls_client_cert =
 ;tls_client_key =
 ;tls_client_ca =
 ; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
 ; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
 ;send_client_credentials_via_post = false
 #################################### Grafana.com Auth ####################
 [auth.grafana_com]
 ;enabled = false
 ;allow_sign_up = true
 ;client_id = some_id
 ;client_secret = some_secret
 ;scopes = user:email
 ;allowed_organizations =
 #################################### Auth Proxy ##########################
 [auth.proxy]
 ;enabled = false
 ;header_name = X-WEBAUTH-USER
 ;header_property = username
 ;auto_sign_up = true
 ;ldap_sync_ttl = 60
 ;whitelist = 192.168.1.1, 192.168.2.1
 ;headers = Email:X-User-Email, Name:X-User-Name
 #################################### Basic Auth ##########################
 [auth.basic]
 ;enabled = true
 #################################### Auth LDAP ##########################
 [auth.ldap]
 ;enabled = false
 ;config_file = /etc/grafana/ldap.toml
 ;allow_sign_up = true
 #################################### SMTP / Emailing ##########################
 [smtp]
 ;enabled = false
 ;host = localhost:25
 ;user =
 # If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
 ;password =
 ;cert_file =
 ;key_file =
 ;skip_verify = false
 ;from_address = admin@grafana.localhost
 ;from_name = Grafana
 # EHLO identity in SMTP dialog (defaults to instance_name)
 ;ehlo_identity = dashboard.example.com
 [emails]
 ;welcome_email_on_sign_up = false
 #################################### Logging ##########################
 [log]
 # Either "console", "file", "syslog". Default is console and  file
 # Use space to separate multiple modes, e.g. "console file"
 ;mode = console file
 # Either "debug", "info", "warn", "error", "critical", default is "info"
 ;level = info
 # optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
 ;filters =
 # For "console" mode only
 [log.console]
 ;level =
 # log line format, valid options are text, console and json
 ;format = console
 # For "file" mode only
 [log.file]
 ;level =
 # log line format, valid options are text, console and json
 ;format = text
 # This enables automated log rotate(switch of following options), default is true
 ;log_rotate = true
 # Max line number of single file, default is 1000000
 ;max_lines = 1000000
 # Max size shift of single file, default is 28 means 1 << 28, 256MB
 ;max_size_shift = 28
 # Segment log daily, default is true
 ;daily_rotate = true
 # Expired days of log file(delete after max days), default is 7
 ;max_days = 7
 [log.syslog]
 ;level =
 # log line format, valid options are text, console and json
 ;format = text
 # Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
 ;network =
 ;address =
 # Syslog facility. user, daemon and local0 through local7 are valid.
 ;facility =
 # Syslog tag. By default, the process' argv[0] is used.
 ;tag =
 #################################### Alerting ############################
 [alerting]
 # Disable alerting engine & UI features
 ;enabled = true
 # Makes it possible to turn off alert rule execution but alerting UI is visible
 ;execute_alerts = true
 # Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
 ;error_or_timeout = alerting
 # Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
 ;nodata_or_nullvalues = no_data
 # Alert notifications can include images, but rendering many images at the same time can overload the server
 # This limit will protect the server from render overloading and make sure notifications are sent out quickly
 ;concurrent_render_limit = 5
 # Default setting for alert calculation timeout. Default value is 30
 ;evaluation_timeout_seconds = 30
 # Default setting for alert notification timeout. Default value is 30
 ;notification_timeout_seconds = 30
 # Default setting for max attempts to sending alert notifications. Default value is 3
 ;max_attempts = 3
 #################################### Explore #############################
 [explore]
 # Enable the Explore section
 ;enabled = true
 #################################### Internal Grafana Metrics ##########################
 # Metrics available at HTTP API Url /metrics
 [metrics]
 # Disable / Enable internal metrics
 ;enabled           = true
 # Publish interval
 ;interval_seconds  = 10
 # Send internal metrics to Graphite
 [metrics.graphite]
 # Enable by setting the address setting (ex localhost:2003)
 ;address =
 ;prefix = prod.grafana.%(instance_name)s.
 #################################### Distributed tracing ############
 [tracing.jaeger]
 # Enable by setting the address sending traces to jaeger (ex localhost:6831)
 ;address = localhost:6831
 # Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
 ;always_included_tag = tag1:value1
 # Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
 ;sampler_type = const
 # jaeger samplerconfig param
 # for "const" sampler, 0 or 1 for always false/true respectively
 # for "probabilistic" sampler, a probability between 0 and 1
 # for "rateLimiting" sampler, the number of spans per second
 # for "remote" sampler, param is the same as for "probabilistic"
 # and indicates the initial sampling rate before the actual one
 # is received from the mothership
 ;sampler_param = 1
 #################################### Grafana.com integration  ##########################
 # Url used to import dashboards directly from Grafana.com
 [grafana_com]
 ;url = https://grafana.com
 #################################### External image storage ##########################
 [external_image_storage]
 # Used for uploading images to public servers so they can be included in slack/email messages.
 # you can choose between (s3, webdav, gcs, azure_blob, local)
 ;provider =
 [external_image_storage.s3]
 ;bucket =
 ;region =
 ;path =
 ;access_key =
 ;secret_key =
 [external_image_storage.webdav]
 ;url =
 ;public_url =
 ;username =
 ;password =
 [external_image_storage.gcs]
 ;key_file =
 ;bucket =
 ;path =
 [external_image_storage.azure_blob]
 ;account_name =
 ;account_key =
 ;container_name =
 [external_image_storage.local]
 # does not require any configuration
 [rendering]
 # Options to configure external image rendering server like https://github.com/grafana/grafana-image-renderer
 ;server_url =
 ;callback_url =
 [enterprise]
 # Path to a valid Grafana Enterprise license.jwt file
 ;license_path =
 [panels]
 ;enable_alpha = false
 # If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
 ;disable_sanitize_html = false
--- a/jails/config/monitor/grafana.ini
+++ b/jails/config/monitor/grafana.ini
--- a/jails/config/monitor/httpd.conf
+++ b/jails/config/monitor/httpd.conf
@ -49,7 +49,7 @@ ServerRoot "/usr/local"
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+#Listen 80
 #
 # Dynamic Shared Object (DSO) Support
@ -108,7 +108,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
 #LoadModule substitute_module libexec/apache24/mod_substitute.so
 #LoadModule sed_module libexec/apache24/mod_sed.so
 #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
-#LoadModule deflate_module libexec/apache24/mod_deflate.so
+LoadModule deflate_module libexec/apache24/mod_deflate.so
 #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
 #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
 LoadModule mime_module libexec/apache24/mod_mime.so
@ -119,7 +119,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
 LoadModule env_module libexec/apache24/mod_env.so
 #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
 #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
-#LoadModule expires_module libexec/apache24/mod_expires.so
+LoadModule expires_module libexec/apache24/mod_expires.so
 LoadModule headers_module libexec/apache24/mod_headers.so
 #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
 #LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -178,7 +178,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 LoadModule rewrite_module libexec/apache24/mod_rewrite.so
 #LoadModule php7_module        libexec/apache24/libphp7.so
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -223,7 +222,7 @@ ServerAdmin sharad@ahlawat.com
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-#ServerName www.example.com:80
+ServerName monitor.ahlawat.com
 #
 # Deny access to the entirety of your server's filesystem. You must
@ -555,9 +554,8 @@ Include etc/apache24/Includes/*.conf
 <VirtualHost *:443>
    ServerName monitor.ahlawat.com
    ServerAlias *.ahlawat.com
    ServerAlias ahlawat.com
-    Protocols h2 h2c http/1.1
+    Protocols h2 http/1.1
    DocumentRoot "/usr/local/www/apache24/data/"
@ -566,11 +564,11 @@ Include etc/apache24/Includes/*.conf
    SSLCertificateKeyFile "/mnt/certs/privkey.pem"
    #SSLCertificateChainFile "/mnt/certs/fullchain.pem"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    SSLHonorCipherOrder on
+    SSLHonorCipherOrder off
    SSLCompression off
    SSLSessionTickets off
    SSLOptions +StrictRequire
 #    SSLCompression off
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
@ -612,7 +610,100 @@ Include etc/apache24/Includes/*.conf
  CustomLog "/var/log/ssl-access_log" combined
  <IfModule mod_headers.c>
-    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  </IfModule>
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A0
 <FilesMatch "\.(txt|xml|js)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(css)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
 ExpiresDefault A31536000
 </FilesMatch>
 </IfModule>
 <IfModule mod_headers.c>
  <FilesMatch "\.(txt|xml|js)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(css)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
 </IfModule>
 <IfModule mod_deflate.c>
 	SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-font-opentype" \
                                      "application/x-font-truetype" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
    <IfModule mod_mime.c>
        AddEncoding gzip              svgz
    </IfModule>
 </IfModule>
 </VirtualHost>
 SSLUseStapling On
 SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
--- a/jails/config/monitor/pkg-list-details.txt
+++ b/jails/config/monitor/pkg-list-details.txt
@ -0,0 +1,41 @@
 pkgp-freebsd-pkg____alertmanager-0.23.0_2
 pkgp-freebsd-pkg____apache24-2.4.53
 pkgp-freebsd-pkg____bash-5.1.16
 pkgp-freebsd-pkg____bash-completion-2.11_1,2
 pkgp-freebsd-pkg____grafana8-8.3.6_1
 pkgp-freebsd-pkg____influxdb-1.8.10_2
 pkgp-freebsd-pkg____iperf3-3.11
 pkgp-freebsd-pkg____nano-6.0
 pkgp-freebsd-pkg____php81-8.1.4_2
 pkgp-freebsd-pkg____php81-bcmath-8.1.4_2
 pkgp-freebsd-pkg____php81-bz2-8.1.4_2
 pkgp-freebsd-pkg____php81-ctype-8.1.4_2
 pkgp-freebsd-pkg____php81-curl-8.1.4_2
 pkgp-freebsd-pkg____php81-dom-8.1.4_1
 pkgp-freebsd-pkg____php81-fileinfo-8.1.4_2
 pkgp-freebsd-pkg____php81-filter-8.1.4_2
 pkgp-freebsd-pkg____php81-gd-8.1.4_2
 pkgp-freebsd-pkg____php81-iconv-8.1.4_2
 pkgp-freebsd-pkg____php81-intl-8.1.4_2
 pkgp-freebsd-pkg____php81-mbstring-8.1.4_2
 pkgp-freebsd-pkg____php81-mysqli-8.1.4_2
 pkgp-freebsd-pkg____php81-opcache-8.1.4_2
 pkgp-freebsd-pkg____php81-pdo-8.1.4_2
 pkgp-freebsd-pkg____php81-pdo_mysql-8.1.4_2
 pkgp-freebsd-pkg____php81-pecl-mcrypt-1.0.4
 pkgp-freebsd-pkg____php81-pecl-memcache-8.0
 pkgp-freebsd-pkg____php81-posix-8.1.4_2
 pkgp-freebsd-pkg____php81-readline-8.1.4_2
 pkgp-freebsd-pkg____php81-session-8.1.4_2
 pkgp-freebsd-pkg____php81-simplexml-8.1.4_1
 pkgp-freebsd-pkg____php81-soap-8.1.4_1
 pkgp-freebsd-pkg____php81-sockets-8.1.4_2
 pkgp-freebsd-pkg____php81-sqlite3-8.1.4_2
 pkgp-freebsd-pkg____php81-tidy-8.1.4_2
 pkgp-freebsd-pkg____php81-tokenizer-8.1.4_2
 pkgp-freebsd-pkg____php81-xml-8.1.4_1
 pkgp-freebsd-pkg____php81-zip-8.1.4_2
 pkgp-freebsd-pkg____php81-zlib-8.1.4_2
 pkgp-freebsd-pkg____pkg-1.17.5_1
 pkgp-freebsd-pkg____prometheus-2.32.1_1
 pkgp-freebsd-pkg____telegraf-1.22.0_1
--- a/jails/config/monitor/pkg-list.txt
+++ b/jails/config/monitor/pkg-list.txt
@ -0,0 +1 @@
 alertmanager apache24 bash bash-completion grafana8 influxdb iperf3 nano php81 php81-bcmath php81-bz2 php81-ctype php81-curl php81-dom php81-fileinfo php81-filter php81-gd php81-iconv php81-intl php81-mbstring php81-mysqli php81-opcache php81-pdo php81-pdo_mysql php81-pecl-mcrypt php81-pecl-memcache php81-posix php81-readline php81-session php81-simplexml php81-soap php81-sockets php81-sqlite3 php81-tidy php81-tokenizer php81-xml php81-zip php81-zlib pkg prometheus telegraf
--- a/jails/config/nivi/httpd.conf
+++ b/jails/config/nivi/httpd.conf
@ -49,7 +49,7 @@ ServerRoot "/usr/local"
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+#Listen 80
 #
 # Dynamic Shared Object (DSO) Support
@ -108,7 +108,7 @@ LoadModule filter_module libexec/apache24/mod_filter.so
 #LoadModule substitute_module libexec/apache24/mod_substitute.so
 #LoadModule sed_module libexec/apache24/mod_sed.so
 #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
-#LoadModule deflate_module libexec/apache24/mod_deflate.so
+LoadModule deflate_module libexec/apache24/mod_deflate.so
 #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
 #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
 LoadModule mime_module libexec/apache24/mod_mime.so
@ -119,7 +119,7 @@ LoadModule log_config_module libexec/apache24/mod_log_config.so
 LoadModule env_module libexec/apache24/mod_env.so
 #LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
 #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
-#LoadModule expires_module libexec/apache24/mod_expires.so
+LoadModule expires_module libexec/apache24/mod_expires.so
 LoadModule headers_module libexec/apache24/mod_headers.so
 #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
 #LoadModule unique_id_module libexec/apache24/mod_unique_id.so
@ -178,7 +178,6 @@ LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 LoadModule rewrite_module libexec/apache24/mod_rewrite.so
 #LoadModule php7_module        libexec/apache24/libphp7.so
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@ -223,7 +222,7 @@ ServerAdmin sharad@ahlawat.com
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-#ServerName www.example.com:80
+ServerName nivi.ahlawat.com
 #
 # Deny access to the entirety of your server's filesystem. You must
@ -555,9 +554,8 @@ Include etc/apache24/Includes/*.conf
 <VirtualHost *:443>
    ServerName nivi.ahlawat.com
    ServerAlias *.ahlawat.com
    ServerAlias nivi
-    Protocols h2 h2c http/1.1
+    Protocols h2 http/1.1
    DocumentRoot "/usr/local/www/apache24/data/"
@ -566,11 +564,11 @@ Include etc/apache24/Includes/*.conf
    SSLCertificateKeyFile "/mnt/certs/privkey.pem"
    #SSLCertificateChainFile "/mnt/certs/fullchain.pem"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    SSLHonorCipherOrder on
+    SSLHonorCipherOrder off
    SSLCompression off
    SSLSessionTickets off
    SSLOptions +StrictRequire
 #    SSLCompression off
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
@ -591,20 +589,113 @@ Include etc/apache24/Includes/*.conf
  <Directory "/usr/local/www/apache24/data/">
    Options Indexes FollowSymLinks MultiViews
    ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
-    #-IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
+    #IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
    #AllowOverride controls what directives may be placed in .htaccess files.
    #AllowOverride All
-    #-AllowOverride AuthConfig
+    #AllowOverride AuthConfig
    #Controls who can get stuff from this server file
-    #-Require all granted
+    #Require all granted
  </Directory>
  ErrorLog "/var/log/ssl-error.log"
  CustomLog "/var/log/ssl-access_log" combined
  <IfModule mod_headers.c>
-    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  </IfModule>
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A0
 <FilesMatch "\.(txt|xml|js)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(css)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
 ExpiresDefault A31536000
 </FilesMatch>
 <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
 ExpiresDefault A31536000
 </FilesMatch>
 </IfModule>
 <IfModule mod_headers.c>
  <FilesMatch "\.(txt|xml|js)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(css)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|mp4|m4v|ogg|webm|aac|eot|ttf|otf|woff|woff2|svg)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
  <FilesMatch "\.(jpg|jpeg|png|gif|swf|webp)$">
   Header set Cache-Control "max-age=31536000"
  </FilesMatch>
 </IfModule>
 <IfModule mod_deflate.c>
 	SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-font-opentype" \
                                      "application/x-font-truetype" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
    <IfModule mod_mime.c>
        AddEncoding gzip              svgz
    </IfModule>
 </IfModule>
 </VirtualHost>
 SSLUseStapling On
 SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`bash bash-completion nano netatalk3 nss-pam-ldapd-sasl pkg`
		`@ -0,0 +1 @@`
							`bash bash-completion mc nano nginx pkg postgresql14-client py38-ansible py38-django32 py38-gunicorn py38-pillow py38-pip py38-tkinter sudo`
		`@ -0,0 +1 @@`
							`bash bash-completion libxml2 libxslt nano pkg py38-ldap py38-pip py38-sqlite3 rust`
		`@ -0,0 +1 @@`
							`bash bash-completion calibre fluxbox nano pkg sudo tigervnc-server xauth xpdf xterm`
		`@ -0,0 +1 @@`
							`bash bash-completion curl motion nano pkg py27-pip`
		`@ -0,0 +1 @@`
							`bash bash-completion curl git-lite go nano pkg`
		`@ -0,0 +1 @@`
							apache24 bash bash-completion ffmpeg mod_php80 nano php80 php80-bcmath php80-bz2 php80-ctype php80-curl php80-dom php80-exif php80-fileinfo php80-filter php80-ftp php80-gd php80-gmp php80-iconv php80-imap php80-intl php80-ldap php80-mbstring php80-mysqli php80-opcache php80-pcntl php80-pdo php80-pdo_mysql php80-pecl-APCu php80-pecl-imagick php80-pecl-mcrypt php80-pecl-redis php80-posix php80-session php80-simplexml php80-xml php80-xmlreader php80-xmlwriter php80-xsl php80-zip php80-zlib pkg redis sudo
		`@ -0,0 +1 @@`
							`bash bash-completion mariadb105-server mysqld_exporter nano pkg`
		`@ -0,0 +1 @@`
							`bash bash-completion bind916 ldns nano pkg rpl`
		`@ -0,0 +1 @@`
							`bash bash-completion beats7 curl elasticsearch7 kibana7 logstash7 nano openjdk11 pkg`