diff --git a/.gitignore b/.gitignore index 10e4514..ba79b78 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ #.gitignore **/secret/** +**/.acme.sh/** diff --git a/configs/boot/loader.conf b/configs/boot/loader.conf index dc44a7e..c7cb30c 100644 --- a/configs/boot/loader.conf +++ b/configs/boot/loader.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2018-2020, diyIT.org +# Copyright (c) 2018-2019, diyIT.org # All rights reserved. # # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") @@ -28,6 +28,8 @@ kern.geom.label.gptid.enable="0" # Increase dmesg buffer to fit longer boot output. kern.msgbufsize="524288" +kern.racct.enable=1 + # ZFS root boot config zfs_load="YES" vfs.root.mountfrom="zfs:zroot/ROOT/default" diff --git a/configs/etc/defaults/devfs.rules b/configs/etc/defaults/devfs.rules index b024474..9f4de19 100644 --- a/configs/etc/defaults/devfs.rules +++ b/configs/etc/defaults/devfs.rules @@ -110,3 +110,7 @@ add path vmm.io/* unhide add path tap* unhide add path zvol/ship/raw/* unhide add path nmdm* unhide + +[devfs_rules_tun_jail=3000] +add include $devfsrules_jail +add path tun* unhide diff --git a/configs/etc/freebsd-update.conf b/configs/etc/freebsd-update.conf index 40d187c..e46aa6a 100644 --- a/configs/etc/freebsd-update.conf +++ b/configs/etc/freebsd-update.conf @@ -15,7 +15,9 @@ ServerName update.FreeBSD.org #Components src world kernel # Example for updating the userland and the kernel source code only: -Components src world +#Components src world +Components world +# manually run - svnlite update /usr/src - before recompiling the kernel # Paths which start with anything matching an entry in an IgnorePaths # statement will be ignored. diff --git a/jails/config/auto/.keep b/jails/config/auto/.keep deleted file mode 100644 index e69de29..0000000 diff --git a/jails/config/auto/local_settings.py b/jails/config/auto/local_settings.py new file mode 100644 index 0000000..c7d5d42 --- /dev/null +++ b/jails/config/auto/local_settings.py @@ -0,0 +1 @@ +DEBUG = False diff --git a/jails/config/auto/nginx.conf b/jails/config/auto/nginx.conf new file mode 100644 index 0000000..4e687d2 --- /dev/null +++ b/jails/config/auto/nginx.conf @@ -0,0 +1,211 @@ + +#user nobody; +worker_processes 1; + +# This default error log path is compiled-in to make sure configuration parsing +# errors are logged somewhere, especially during unattended boot when stderr +# isn't normally logged anywhere. This path will be touched on every nginx +# start regardless of error log location configured here. See +# https://trac.nginx.org/nginx/ticket/147 for more info. +# +#error_log /var/log/nginx/error.log; +# + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + server { + listen 0.0.0.0:80; + listen [::]:80; + server_name auto.ahlawat.com auto; + + location / { + root /usr/local/www/nginx; + index index.html index.htm; + } + } + + + + server { + listen 0.0.0.0:80; + listen [::]:80; + server_name portfolio.ahlawat.com portfolio; + + location / { + return 301 https://portfolio.ahlawat.com$request_uri; + } + } + + server { + listen 0.0.0.0:443 ssl; + listen [::]:443 ssl; + server_name portfolio.ahlawat.com; + + ssl_certificate /mnt/certs/fullchain.pem; + ssl_certificate_key /mnt/certs/privkey.pem; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + #charset koi8-r; + + #access_log logs/host.access.log main; + + location /favicon.ico { access_log off; log_not_found off; } + location /static/ { + root /data/portfolio; + } + location /media/ { + root /data/portfolio; + } + location / { + proxy_pass http://unix:/var/run/portfolio.sock; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + } + + + + server { + listen 0.0.0.0:80; + listen [::]:80; + server_name producthunt.ahlawat.com producthunt; + + location / { + return 301 https://producthunt.ahlawat.com$request_uri; + } + } + + server { + listen 0.0.0.0:443 ssl; + listen [::]:443 ssl; + server_name producthunt.ahlawat.com; + + ssl_certificate /mnt/certs/fullchain.pem; + ssl_certificate_key /mnt/certs/privkey.pem; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + #access_log logs/host.access.log main; + + location /favicon.ico { access_log off; log_not_found off; } + location /static/ { + root /data/producthunt; + } + location /media/ { + root /data/producthunt; + } + location / { + proxy_pass http://unix:/var/run/producthunt.sock; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/local/www/nginx-dist; + } + } + + + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + +} diff --git a/jails/config/auto/portfolio b/jails/config/auto/portfolio new file mode 100755 index 0000000..00b625e --- /dev/null +++ b/jails/config/auto/portfolio @@ -0,0 +1,52 @@ +# Copyright (c) 2018-2020, diyIT.org +# All rights reserved. +# +# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") +# https://diyit.org/license/ +# +# + +#!/bin/sh + +# the two lines below are not just comments but required by rcorder; service -e +# PROVIDE: portfolio +# REQUIRE: NETWORKING DAEMON + +. /etc/rc.subr + +: ${portfolio_enable="NO"} + +name=portfolio +port=8000 +appdir="/data/${name}" + +rcvar=${name}_enable + +GUNICORN_CMD="/usr/local/bin/gunicorn -D -b unix:/var/run/${name}.sock --log-file /var/log/${name}.log \ + --chdir ${appdir} ${name}.wsgi" +# GUNICORN_CMD="/usr/local/bin/gunicorn -D -b 0.0.0.0:${port} -b [::]:${port} --log-file /var/log/${name}.log \ +# --chdir ${appdir} ${name}.wsgi" + +start_cmd="server_start" +stop_cmd="server_stop" +restart_cmd="server_restart" + +server_start() +{ + $GUNICORN_CMD +} + +server_stop() +{ + ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9 + ps ax | grep -ie "gunicorn: worker \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9 +} + +server_restart() +{ + ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9 + server_start +} + +load_rc_config ${name} +run_rc_command "$1" diff --git a/jails/config/auto/producthunt b/jails/config/auto/producthunt new file mode 100755 index 0000000..1c3297a --- /dev/null +++ b/jails/config/auto/producthunt @@ -0,0 +1,52 @@ +# Copyright (c) 2018-2020, diyIT.org +# All rights reserved. +# +# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") +# https://diyit.org/license/ +# +# + +#!/bin/sh + +# the two lines below are not just comments but required by rcorder; service -e +# PROVIDE: producthunt +# REQUIRE: NETWORKING DAEMON + +. /etc/rc.subr + +: ${producthunt_enable="NO"} + +name=producthunt +port=8000 +appdir="/data/${name}" + +rcvar=${name}_enable + +GUNICORN_CMD="/usr/local/bin/gunicorn -D -b unix:/var/run/${name}.sock --log-file /var/log/${name}.log \ + --chdir ${appdir} ${name}.wsgi" +# GUNICORN_CMD="/usr/local/bin/gunicorn -D -b 0.0.0.0:${port} -b [::]:${port} --log-file /var/log/${name}.log \ +# --chdir ${appdir} ${name}.wsgi" + +start_cmd="server_start" +stop_cmd="server_stop" +restart_cmd="server_restart" + +server_start() +{ + $GUNICORN_CMD +} + +server_stop() +{ + ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9 + ps ax | grep -ie "gunicorn: worker \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9 +} + +server_restart() +{ + ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9 + server_start +} + +load_rc_config ${name} +run_rc_command "$1" diff --git a/jails/config/book/cps b/jails/config/book/cps index c82af52..fc9423a 100755 --- a/jails/config/book/cps +++ b/jails/config/book/cps @@ -19,7 +19,7 @@ name=cpsserver rcvar=${name}_enable -CPSSERVER="nohup /usr/local/bin/python3.6 /data/calibre-web/cps.py" +CPSSERVER="nohup /usr/local/bin/python3.7 /data/calibre-web/cps.py" start_cmd="${name}_start" stop_cmd="${name}_stop" diff --git a/jails/config/common/snip-sendmail.sh b/jails/config/common/snip-sendmail.sh index 5dedda8..a6939ff 100755 --- a/jails/config/common/snip-sendmail.sh +++ b/jails/config/common/snip-sendmail.sh @@ -10,3 +10,6 @@ # smart_host - mail - is the mail server's dns name echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc +IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1` +echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc +echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc diff --git a/jails/config/hub/devfs_rules.raw b/jails/config/hub/devfs_rules.raw new file mode 100644 index 0000000..40c16b7 --- /dev/null +++ b/jails/config/hub/devfs_rules.raw @@ -0,0 +1,7 @@ +100 include 4 +200 path 'cuau*' unhide +300 path 'cuaU*' unhide +400 path 'ttyu*' unhide +500 path 'ttyU*' unhide +600 path 'usb*' unhide +700 path 'usb/*' unhide diff --git a/jails/config/hub/devfs_rules.txt b/jails/config/hub/devfs_rules.txt new file mode 100644 index 0000000..80f4d37 --- /dev/null +++ b/jails/config/hub/devfs_rules.txt @@ -0,0 +1,13 @@ +# devfs rule -s 150 add - < devfs_rules.raw +# devfs rule -s 150 show + +# add to /etc/default/devfs.rules + +[serial_usb_rules=150] +add include $devfsrules_jail +add path 'cuau*' unhide +add path 'cuaU*' unhide +add path 'ttyu*' unhide +add path 'ttyU*' unhide +add path 'usb*' unhide +add path 'usb/*' unhide diff --git a/jails/config/hub/sshd_config b/jails/config/hub/sshd_config index 358f80a..a0b92bc 100644 --- a/jails/config/hub/sshd_config +++ b/jails/config/hub/sshd_config @@ -33,7 +33,7 @@ # Authentication: #LoginGraceTime 2m -PermitRootLogin no +PermitRootLogin yes #StrictModes yes MaxAuthTries 2 MaxSessions 2 @@ -62,7 +62,7 @@ PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable PAM authentication -#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no diff --git a/jails/config/mail/postfix/main.cf b/jails/config/mail/postfix/main.cf index db6565e..0a0a964 100644 --- a/jails/config/mail/postfix/main.cf +++ b/jails/config/mail/postfix/main.cf @@ -265,7 +265,7 @@ unknown_local_recipient_reject_code = 550 # #mynetworks_style = class #mynetworks_style = subnet -mynetworks_style = host +#mynetworks_style = host # Alternatively, you can specify the mynetworks list by hand, in # which case Postfix ignores the mynetworks_style setting. @@ -282,6 +282,10 @@ mynetworks_style = host #mynetworks = $config_directory/mynetworks #mynetworks = hash:$config_directory/network_table +mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56 +smtp_bind_address = 192.168.0.100 +smtp_bind_address6 = 2603:3024:3f6:e1::100 + # The relay_domains parameter restricts what destinations this system will # relay mail to. See the smtpd_recipient_restrictions description in # postconf(5) for detailed information. @@ -675,7 +679,7 @@ sample_directory = /usr/local/etc/postfix # readme_directory: The location of the Postfix README files. # readme_directory = /usr/local/share/doc/postfix -inet_protocols = ipv4 +inet_protocols = ipv4, ipv6 meta_directory = /usr/local/libexec/postfix shlib_directory = /usr/local/lib/postfix diff --git a/jails/config/mail/rspamd/groups.conf b/jails/config/mail/rspamd/groups.conf index bf783cc..dcea1bc 100644 --- a/jails/config/mail/rspamd/groups.conf +++ b/jails/config/mail/rspamd/groups.conf @@ -116,5 +116,11 @@ group "external_services" { .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/external_services_group.conf" } +group "content" { + .include "$CONFDIR/scores.d/content_group.conf" + .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/content_group.conf" + .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/content_group.conf" +} + .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/groups.conf" .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf" diff --git a/jails/config/mail/rspamd/options.inc b/jails/config/mail/rspamd/options.inc index f600fdb..92d6ad7 100644 --- a/jails/config/mail/rspamd/options.inc +++ b/jails/config/mail/rspamd/options.inc @@ -13,7 +13,7 @@ # # Relevant documentation: https://rspamd.com/doc/configuration/options.html -filters = "chartable,dkim,spf,regexp,fuzzy_check"; +filters = "chartable,dkim,regexp,fuzzy_check"; raw_mode = false; one_shot = false; cache_file = "$DBDIR/symbols.cache"; @@ -28,6 +28,7 @@ check_all_filters = false; # Default settings dns_max_requests = 64; max_lua_urls = 1024; +max_urls = 10240; dns { timeout = 1s; @@ -57,6 +58,9 @@ words_decay = 600; # Write statistics about rspamd usage to the round-robin database rrd = "${DBDIR}/rspamd.rrd"; +# Write statistics for `rspamc` here +stats_file = "${DBDIR}/stats.ucl"; + # Local networks local_addrs = [192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, fd00::/8, 169.254.0.0/16, fe80::/10]; hs_cache_dir = "${DBDIR}/"; diff --git a/jails/config/pg/pg_hba.conf b/jails/config/pg/pg_hba.conf new file mode 100644 index 0000000..d8f0eb3 --- /dev/null +++ b/jails/config/pg/pg_hba.conf @@ -0,0 +1,93 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: "local" is a Unix-domain +# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, +# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a +# plain TCP/IP socket. +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + +# CAUTION: Configuring the system for local "trust" authentication +# allows any local user to connect as any PostgreSQL user, including +# the database superuser. If you do not trust all your local users, +# use another authentication method. + + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all trust +# IPv4 local connections: +host all all 0.0.0.0/0 md5 +# IPv6 local connections: +host all all ::/0 md5 +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all trust +host replication all 127.0.0.1/32 trust +host replication all ::1/128 trust diff --git a/jails/config/pg/postgresql.conf b/jails/config/pg/postgresql.conf new file mode 100644 index 0000000..91c3439 --- /dev/null +++ b/jails/config/pg/postgresql.conf @@ -0,0 +1,753 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. + +#data_directory = 'ConfigDir' # use data in another directory + # (change requires restart) +#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file + # (change requires restart) +#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. +#external_pid_file = '' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = '*' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +#port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +#unix_socket_directories = '/tmp' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP settings - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default +#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; + # 0 selects the system default + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = md5 # md5 or scram-sha-256 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = '' +#krb_caseins_users = off + +# - SSL - + +#ssl = off +#ssl_ca_file = '' +#ssl_cert_file = 'server.crt' +#ssl_crl_file = '' +#ssl_key_file = 'server.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_min_protocol_version = 'TLSv1' +#ssl_max_protocol_version = '' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 128MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. +#work_mem = 4MB # min 64kB +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +#shared_memory_type = mmap # the default is the first option + # supported by the operating system: + # mmap + # sysv + # windows + # (change requires restart) +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kB, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 0 # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#parallel_leader_participation = on +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) +#backend_flush_after = 0 # measured in pages, 0 disables + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # (change requires restart) +#fsync = on # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +#synchronous_commit = on # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_init_zero = on # zero-fill new WAL files +#wal_recycle = on # recycle WAL files +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +max_wal_size = 1GB +min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 0 # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + +# - Archive Recovery - + +# These are only used in recovery mode. + +#restore_command = '' # command to use to restore an archived logfile segment + # placeholders: %p = path of file to restore + # %f = file name only + # e.g. 'cp /mnt/server/archivedir/%f %p' + # (change requires restart) +#archive_cleanup_command = '' # command to execute at every restartpoint +#recovery_end_command = '' # command to execute at completion of recovery + +# - Recovery Target - + +# Set these only when performing a targeted recovery. + +#recovery_target = '' # 'immediate' to end recovery as soon as a + # consistent state is reached + # (change requires restart) +#recovery_target_name = '' # the named restore point to which recovery will proceed + # (change requires restart) +#recovery_target_time = '' # the time stamp up to which recovery will proceed + # (change requires restart) +#recovery_target_xid = '' # the transaction ID up to which recovery will proceed + # (change requires restart) +#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed + # (change requires restart) +#recovery_target_inclusive = on # Specifies whether to stop: + # just after the specified recovery target (on) + # just before the recovery target (off) + # (change requires restart) +#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID + # (change requires restart) +#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown' + # (change requires restart) + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the master and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. + +#primary_conninfo = '' # connection string to sending server + # (change requires restart) +#primary_slot_name = '' # replication slot on sending server + # (change requires restart) +#promote_trigger_file = '' # file name whose presence ends recovery +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt +#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_parallel_hash = on +#enable_partition_pruning = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as above +#parallel_setup_cost = 1000.0 # same scale as above + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +#effective_cache_size = 4GB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#force_parallel_mode = off +#jit = on # allow JIT compilation +#plan_cache_mode = auto # auto, force_generic_plan or + # force_custom_plan + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +log_destination = 'syslog' +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (win32): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + +#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements + # are logged regardless of their duration. 1.0 logs all + # statements from all transactions, 0.0 never logs. + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +#log_line_prefix = '%m [%p] ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. '<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'America/Los_Angeles' + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +#cluster_name = '' # added to process titles if nonempty + # (change requires restart) + +# On FreeBSD, this is a performance hog, so keep it off if you need speed +update_process_title = off + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +#stats_temp_directory = 'pg_stat_tmp' + + +# - Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#default_table_access_method = 'heap' +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples + # before index cleanup, 0 always performs + # index cleanup +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'America/Los_Angeles' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 1 # min -15, max 3; any value >0 actually + # selects precise output mode +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. +lc_messages = 'C' # locale for system error message + # strings +lc_monetary = 'C' # locale for monetary formatting +lc_numeric = 'C' # locale for number formatting +lc_time = 'C' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Shared Library Preloading - + +#shared_preload_libraries = '' # (change requires restart) +#local_preload_libraries = '' +#session_preload_libraries = '' +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. + +#include_dir = '...' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here diff --git a/jails/config/proxy/haproxy.conf b/jails/config/proxy/haproxy.conf index ef9eb0f..4ddc821 100644 --- a/jails/config/proxy/haproxy.conf +++ b/jails/config/proxy/haproxy.conf @@ -112,6 +112,7 @@ frontend ft use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com } use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com } use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com } + use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com } default_backend bk_ahlawat @@ -228,3 +229,7 @@ backend bk_beyondbell-repo rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2 server srv1 192.168.0.75:8080 check rspadd X-Frame-Options:\ SAMEORIGIN + +backend bk_beyondbell-gs + server srv1 192.168.0.81:26900 check + rspadd X-Frame-Options:\ SAMEORIGIN diff --git a/jails/config/test/devfs_rules b/jails/config/test/devfs_rules new file mode 100644 index 0000000..4caf24f --- /dev/null +++ b/jails/config/test/devfs_rules @@ -0,0 +1,2 @@ +100 include 4 +200 path tun* unhide diff --git a/jails/config/test/devfs_rules.raw b/jails/config/test/devfs_rules.raw new file mode 100644 index 0000000..4caf24f --- /dev/null +++ b/jails/config/test/devfs_rules.raw @@ -0,0 +1,2 @@ +100 include 4 +200 path tun* unhide diff --git a/jails/config/test/devfs_rules.txt b/jails/config/test/devfs_rules.txt new file mode 100644 index 0000000..219cb78 --- /dev/null +++ b/jails/config/test/devfs_rules.txt @@ -0,0 +1,8 @@ +# devfs rule -s 300 add - < devfs_rules.raw +# devfs rule -s 300 show + +# add to /etc/default/devfs.rules + +[devfs_rules_tun_jail=300] +add include $devfsrules_jail +add path tun* unhide diff --git a/jails/config/vm/create_taps.sh b/jails/config/vm/create_taps.sh index 1a478e8..bd4aec6 100755 --- a/jails/config/vm/create_taps.sh +++ b/jails/config/vm/create_taps.sh @@ -24,6 +24,11 @@ ifconfig bridge1 addm tap83 up ifconfig tap83 up ifconfig tap83 inet6 auto_linklocal +ifconfig tap84 create +ifconfig bridge1 addm tap84 up +ifconfig tap84 up +ifconfig tap84 inet6 auto_linklocal + ifconfig tap90 create ifconfig bridge1 addm tap90 up ifconfig tap90 up diff --git a/jails/config/vm/devfs_rules.raw b/jails/config/vm/devfs_rules.raw new file mode 100644 index 0000000..a8e2c84 --- /dev/null +++ b/jails/config/vm/devfs_rules.raw @@ -0,0 +1,8 @@ +100 include 4 +200 path vmm unhide +300 path vmm/* unhide +400 path vmm.io unhide +500 path vmm.io/* unhide +600 path tap* unhide +700 path zvol/ship/raw/* unhide +800 path nmdm* unhide diff --git a/jails/config/vm/devfs_rules.txt b/jails/config/vm/devfs_rules.txt new file mode 100644 index 0000000..7bdf288 --- /dev/null +++ b/jails/config/vm/devfs_rules.txt @@ -0,0 +1,14 @@ +# devfs rule -s 200 add - < devfs_rules.raw +# devfs rule -s 200 show + +# add to /etc/default/devfs.rules + +[devfs_rules_bhyve_jail=200] +add include $devfsrules_jail +add path vmm unhide +add path vmm/* unhide +add path vmm.io unhide +add path vmm.io/* unhide +add path tap* unhide +add path zvol/ship/raw/* unhide +add path nmdm* unhide diff --git a/jails/config/vm/r-windows.sh b/jails/config/vm/r-windows.sh index 18c22a0..dd2bb11 100755 --- a/jails/config/vm/r-windows.sh +++ b/jails/config/vm/r-windows.sh @@ -15,7 +15,7 @@ bhyvectl --destroy --vm=r-windows while true do -bhyve -c 4 -m 8G -S -A -H -P \ +bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \ -s 0,hostbridge \ -s 4,ahci-hd,/dev/zvol/ship/raw/windows,sectorsize=512 \ -s 5,virtio-net,tap81,mac=00:0A:0B:0C:0D:81 \ @@ -47,7 +47,8 @@ exit $? # -s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso \ # mounting the USB HDD as an attached drive to the system -#-s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/da3p2 \ +#-s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/daXp2 \ +# daX being an NTFS drive # bhyvectl --get-all --vm=r-windows diff --git a/jails/config/vm/startvms.sh b/jails/config/vm/startvms.sh index 1f1549f..293dd47 100755 --- a/jails/config/vm/startvms.sh +++ b/jails/config/vm/startvms.sh @@ -18,20 +18,25 @@ tmux new-session -d -s $session -n freepbx tmux selectp -t 1 tmux send-keys "cd /mnt/config;./pbx.sh" C-m +# create a new window r-windows +tmux new-window -t $session:1 -n r-windows +tmux selectp -t 1 +tmux send-keys "cd /mnt/config;./r-windows.sh" C-m + # create a new window ubuntu -tmux new-window -t $session:1 -n ubuntu +tmux new-window -t $session:2 -n ubuntu tmux selectp -t 1 tmux send-keys "cd /mnt/config;./ubuntu.sh" C-m # create a new window freebsd -tmux new-window -t $session:2 -n freebsd +tmux new-window -t $session:3 -n freebsd tmux selectp -t 1 tmux send-keys "cd /mnt/config;./freebsd.sh" C-m -# create a new window r-windows -tmux new-window -t $session:3 -n r-windows +# create a new window w2019 +tmux new-window -t $session:4 -n w2019 tmux selectp -t 1 -tmux send-keys "cd /mnt/config;./r-windows.sh" C-m +tmux send-keys "cd /mnt/config;./w2019.sh" C-m # return to main window tmux select-window -t $session:0 diff --git a/jails/config/vm/w2019.sh b/jails/config/vm/w2019.sh new file mode 100755 index 0000000..0253ef9 --- /dev/null +++ b/jails/config/vm/w2019.sh @@ -0,0 +1,65 @@ +# Copyright (c) 2018-2020, diyIT.org +# All rights reserved. +# +# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") +# https://diyit.org/license/ +# +# + +#!/usr/local/bin/bash +# ./w2019.sh under tmux + +# clean cached state +bhyvectl --destroy --vm=w2019 + +while true +do + +bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \ +-s 0,hostbridge \ +-s 4,ahci-hd,/dev/zvol/ship/raw/w2019,sectorsize=512 \ +-s 5,virtio-net,tap84,mac=00:0A:0B:0C:0D:84 \ +-s 6,ahci-hd,/dev/zvol/ship/raw/w2019_data,sectorsize=512 \ +-s 29,fbuf,tcp=0.0.0.0:5984,w=1600,h=900 \ +-s 30,xhci,tablet \ +-s 31,lpc -l com1,/dev/nmdm84A \ +-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \ +w2019 + +bhyve_exit=$? +# bhyve returns the following status codes: +# 0 - VM has been reset +# 1 - VM has been powered off +# 2 - VM has been halted +# 3 - VM generated a triple fault +# all other non-zero status codes are errors +# +if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ] +then + break +fi +echo `date` - restarting w2019 in 5 seconds - press ctrl-c to stop +sleep 5 + +done + +exit $? + +# -s 3,ahci,cd:/mnt/windows/w2019.iso,cd:/mnt/windows/virtio-win.iso \ +# mounting the USB HDD as an attached drive to the system +#-s 3,ahci,cd:/mnt/windows/w2019.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/daXp2 \ +# daX being an NTFS drive + +# bhyvectl --get-all --vm=w2109 + +# cu -l /dev/nmdm84B +# (This uses cu() so press ~+Ctrl-D to exit) + +#on base system: +#zfs create -V 32G -o refreservation=none ship/raw/w2109 +#zfs create -V 128G -o refreservation=none ship/raw/w2019_data +# on boot +#ifconfig tap84 create +#ifconfig bridge1 addm tap84 up +#ifconfig tap84 up +#ifconfig tap84 inet6 auto_linklocal diff --git a/jails/create.sh b/jails/create.sh index 08365b3..d6ecb54 100755 --- a/jails/create.sh +++ b/jails/create.sh @@ -36,15 +36,14 @@ I4NS="192.168.0.5" I6NS="2603:3024:3f6:e1::5" # these IP spaces are diyit deployment specific -echo $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC +echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC" # cant install packages during jail creation because ipfw blocks all network traffic #echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json #iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ... #rm /tmp/pkg-$JAIL.json -if $I6CONFIG -then +if $I6CONFIG; then iocage create -n "$JAIL" -r 12.1-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN" # iocage create -n "$JAIL" -r 12.1-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN" # iocage cannot set static IP AND enable SLAAC temporary properly @@ -66,15 +65,13 @@ iocage exec $JAIL "service ipfw restart" iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start" iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts" -if $I6CONFIG -then +if $I6CONFIG; then iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts" fi # create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf" -if $I6CONFIG -then +if $I6CONFIG; then iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf" else iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf" @@ -132,8 +129,7 @@ iocage exec $JAIL "service sendmail restart" # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448 iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"' -if [ "$JAILUSER" != "X" ] -then +if [ "$JAILUSER" != "X" ]; then iocage exec $JAIL "pkg install -y sudo" @@ -151,11 +147,10 @@ then iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh" iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo" - echo set ssh password for $JAILUSER + echo "set ssh password for $JAILUSER" iocage exec $JAIL "passwd $JAILUSER" - if $JAILUSERVNC - then + if $JAILUSERVNC; then iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus" #firefox and other X apps require dbus iocage exec $JAIL "sysrc dbus_enable=YES" @@ -173,8 +168,8 @@ fi iocage exec $JAIL "pkg clean -y" -iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0 -iocage exec $JAIL "rmdir /mnt/common" +# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0 +# iocage exec $JAIL "rmdir /mnt/common" iocage exec $JAIL "echo 'Subject: created new jail: $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v jail-root@$JAILDOMAIN" # reverse dns should already be configured for the mail server to accept this email diff --git a/jails/jails-restore-httpd.sh b/jails/jails-restore-httpd.sh index d137c3c..375b767 100755 --- a/jails/jails-restore-httpd.sh +++ b/jails/jails-restore-httpd.sh @@ -12,7 +12,22 @@ web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monit for i in ${web_jails[@]}; do - echo restoring httpd.conf in web_jail $i after Apache update + echo "## checking $i JAIL configs after Apache and/or PHP updates ##" + iocage exec $i "diff /usr/local/etc/apache24/httpd.conf /mnt/config/httpd.conf" + iocage exec $i "diff /usr/local/etc/php.ini /mnt/config/php.ini" + if [[ "$i" != "ldap-mgr" && "$i" != "r-ldap-mgr" ]]; then + iocage exec $i "diff /usr/local/etc/php-fpm.d/www.conf /mnt/config/www.conf" + fi + echo "####" +done + +read -p "Return/Enter to restore httpd.conf files, ctrl-c to abort? " RESP + +for i in ${web_jails[@]}; +do + echo "restoring httpd.conf in web_jail $i after Apache update" iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf" iocage exec $i "service apache24 reload" done + +echo "check if php.ini or php-fpm need to be restored" diff --git a/jails/jails-update-cert.sh b/jails/jails-update-cert.sh index dac1dc6..90c54f2 100755 --- a/jails/jails-update-cert.sh +++ b/jails/jails-update-cert.sh @@ -12,7 +12,7 @@ web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monit for i in ${web_jails[@]}; do - echo restarting apache in web_jail $i after SSL update + echo "restarting apache in web_jail $i after SSL update" iocage exec $i "service apache24 restart" done @@ -20,17 +20,20 @@ ldap_jails=(ldap r-ldap) for i in ${ldap_jails[@]}; do - echo restarting ldap in ldap_jail $i after SSL update + echo "restarting ldap in ldap_jail $i after SSL update" iocage exec $i "service slapd restart" done -echo restarting haproxy in jail proxy after SSL update +echo "restarting haproxy in jail proxy after SSL update" iocage exec proxy "service haproxy reload" -echo restarting mail in jail mail after SSL update +echo "restarting nginx in jail pkgp after SSL update" +iocage exec pkgp "service nginx reload" + +echo "restarting mail in jail mail after SSL update" iocage exec mail "service postfix restart" -echo restarting ELK in jail monitor after SSL update +echo "restarting ELK in jail monitor after SSL update" iocage exec monitor "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs" iocage exec monitor "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs" iocage exec monitor "service elasticsearch restart" diff --git a/jails/jails-update-pkgs.sh b/jails/jails-update-pkgs.sh index 680e2a3..e284b48 100755 --- a/jails/jails-update-pkgs.sh +++ b/jails/jails-update-pkgs.sh @@ -8,9 +8,7 @@ #!/bin/bash -#pkg-repo pj121 - -web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor) +pkg_jail="pj121" #<<'COMMENT-SKIP-PKG-BUILD' iocage exec pkgp "pkg update -f" @@ -19,30 +17,36 @@ iocage exec pkgp "pkg clean -ay" iocage set securelevel=0 pkgp iocage exec pkgp "poudriere jail -l" -iocage exec pkgp "poudriere jail -u -j pj121" +iocage exec pkgp "poudriere jail -u -j $pkg_jail" iocage set securelevel=2 pkgp iocage exec pkgp "portsnap auto" iocage exec pkgp "poudriere ports -l" iocage exec pkgp "poudriere ports -u" -iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j pj121" +iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail" #COMMENT-SKIP-PKG-BUILD cd /mnt/ship/ldap/phpLDAPadmin +pwd git pull cd /mnt/ship/r-ldap/phpLDAPadmin +pwd git pull cd /mnt/ship/book/calibre-web +pwd git pull cd /mnt/ship/plex/PlexConnect +pwd git pull cd /mnt/ship/maps/networkmaps +pwd git pull -# cert - acme.sh -echo Return/Enter to continue, ctrl-c to abort? -read RESP +#read -p "Return/Enter to continue, ctrl-c to abort? " RESP + +web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor) +pkg_repo="pkgp121" for i in `iocage list -h | cut -f 2`; do @@ -50,19 +54,17 @@ do iocage exec $i "pkg update -f" - if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; - then + if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then iocage exec $i "pkg unlock -y openldap-sasl-server" iocage exec $i "pkg unlock -y openldap-sasl-client" - iocage exec $i "pkg upgrade -y -r pkgp121 openldap-sasl-server openldap-sasl-client" + iocage exec $i "pkg upgrade -y -r $pkg_repo openldap-sasl-server openldap-sasl-client" iocage exec $i "pkg lock -y openldap-sasl-server" iocage exec $i "pkg lock -y openldap-sasl-client" fi - if [[ "$i" == "atm" || "$i" == "hub" || "$i" == "mail" || "$i" == "web" ]]; - then + if [[ "$i" == "atm" || "$i" == "hub" || "$i" == "mail" || "$i" == "web" ]]; then iocage exec $i "pkg unlock -y openldap-sasl-client" - iocage exec $i "pkg upgrade -y -r pkgp121 openldap-sasl-client" + iocage exec $i "pkg upgrade -y -r $pkg_repo openldap-sasl-client" iocage exec $i "pkg lock -y openldap-sasl-client" fi @@ -72,34 +74,20 @@ do echo "####" - #echo continue? - #read RESP - + #read -p "continue, ctrl-c to abort? " RESP done -for i in ${web_jails[@]}; -do - echo "## checking $i JAIL configs after Apache and/or PHP updates ##" - iocage exec $i "diff /usr/local/etc/apache24/httpd.conf /mnt/config/httpd.conf" - iocage exec $i "diff /usr/local/etc/php.ini /mnt/config/php.ini" - if [[ "$i" != "ldap-mgr" && "$i" != "r-ldap-mgr" ]]; - then - iocage exec $i "diff /usr/local/etc/php-fpm.d/www.conf /mnt/config/www.conf" - fi - echo "####" -done +echo "NOTES:" -echo NOTES: +echo "pkg update -f" +echo "pkg autoremove -y" +echo "pkg upgrade -y" +echo "pkg clean -ay" -echo pkg update -f -echo pkg autoremove -y -echo pkg upgrade -y -echo pkg clean -ay +echo "iocage stop ALL" +echo "iocage start ALL" -echo iocage stop ALL -echo iocage start ALL +echo "hub check for index.html and adminer version" -echo hub check for index.html and adminer version - -echo iocage exec cert "/root/.acme.sh/acme.sh --upgrade" -echo iocage exec cert "cp -r /root/.acme.sh /mnt/certs" +echo "iocage exec cert \"/root/.acme.sh/acme.sh --upgrade\"" +echo "iocage exec cert \"cp -r /root/.acme.sh /mnt/certs\"" diff --git a/jails/update.sh b/jails/update.sh index 17ad08c..54f9395 100755 --- a/jails/update.sh +++ b/jails/update.sh @@ -8,46 +8,60 @@ #!/usr/local/bin/bash +update_jail () +{ + echo "######## ## JAIL:::: $JAIL ##" + + ## uncomment below to list and remove snapshots + #zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort + #read -p "remove all $JAIL snapshots (y/N)? " RESP + #if [ ! -z $RESP ] && [ $RESP == "y" ]; then + # zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort | xargs -n 1 zfs destroy + #fi + + iocage exec $JAIL "freebsd-version" + + ## uncomment below for an upgrade instead of an update + #iocage upgrade -r 12.1-RELEASE $JAIL + + iocage update $JAIL + + iocage exec $JAIL "pkg upgrade -f -y" + iocage exec $JAIL "mergemaster" + + iocage exec $JAIL "freebsd-version" + + iocage exec $JAIL "pkg update -f" + iocage exec $JAIL "pkg autoremove -y" + iocage exec $JAIL "pkg upgrade -y" + iocage exec $JAIL "pkg clean -ay" + + echo "######## ####" +} + iocage fetch -U -r 12.1-RELEASE -iocage list -l - -echo update all jails? -read RESP -if [ $RESP == "y" ]; then - for JAIL in `iocage list -h | cut -f2`; - do - echo "## JAIL:::: $JAIL ##" - - zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort - echo remove all $JAIL snapshots? - read RESP - if [ $RESP == "y" ]; then - zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort | xargs -n 1 zfs destroy - fi - - iocage exec $JAIL "freebsd-version" - - # uncomment below for an upgrade - #iocage upgrade -r 12.1-RELEASE $JAIL - - iocage update $JAIL - iocage exec $JAIL "pkg upgrade -f -y" - iocage exec $JAIL "mergemaster" - - iocage exec $JAIL "freebsd-version" - - iocage exec $JAIL "pkg update -f" - iocage exec $JAIL "pkg autoremove -y" - iocage exec $JAIL "pkg upgrade -y" - iocage exec $JAIL "pkg clean -ay" - - echo "####" - done +read -p "update pkgp jail (y/N)? " RESP +if [ ! -z $RESP ] && [ $RESP == "y" ]; then + JAIL="pkgp" + update_jail fi -echo update base system by running: -echo freebsd-update fetch -echo freebsd-update install -echo pkg-static upgrade -f -echo mergemaster +./jails-update-pkgs.sh + +read -p "update all jails (y/N)? " RESP +if [ ! -z $RESP ] && [ $RESP == "y" ]; then + for JAIL in `iocage list -h | cut -f2`; + do + if [ $JAIL == "pkgp" ] || [ $JAIL == "debian"]; then + continue; + fi + update_jail + done +fi + +echo "update base system by running:" +echo "freebsd-update fetch" +echo "freebsd-update install" +echo "pkg-static upgrade -f" +echo "mergemaster"