auto now hosts django apps

added devfs_rule configs for jails configure mail ipv6 settings windows2019 VM
2020-04-11 00:46:09 -07:00 · 2020-04-11 00:46:09 -07:00 · 2327d9d6c0
parent f26cf87f5a
commit 2327d9d6c0
34 changed files with 1451 additions and 113 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 #.gitignore
 **/secret/**
+**/.acme.sh/**
--- a/configs/boot/loader.conf
+++ b/configs/boot/loader.conf
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2019, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -28,6 +28,8 @@ kern.geom.label.gptid.enable="0"
 # Increase dmesg buffer to fit longer boot output.
 kern.msgbufsize="524288"

+kern.racct.enable=1
+
 # ZFS root boot config
 zfs_load="YES"
 vfs.root.mountfrom="zfs:zroot/ROOT/default"
--- a/configs/etc/defaults/devfs.rules
+++ b/configs/etc/defaults/devfs.rules
@ -110,3 +110,7 @@ add path vmm.io/* unhide
 add path tap* unhide
 add path zvol/ship/raw/* unhide
 add path nmdm* unhide
+
+[devfs_rules_tun_jail=3000]
+add include $devfsrules_jail
+add path tun* unhide
--- a/configs/etc/freebsd-update.conf
+++ b/configs/etc/freebsd-update.conf
@ -15,7 +15,9 @@ ServerName update.FreeBSD.org
 #Components src world kernel

 # Example for updating the userland and the kernel source code only:
-Components src world
+#Components src world
+Components world
+# manually run - svnlite update /usr/src - before recompiling the kernel

 # Paths which start with anything matching an entry in an IgnorePaths
 # statement will be ignored.
--- a/jails/config/auto/.keep
+++ b/jails/config/auto/.keep
--- a/jails/config/auto/local_settings.py
+++ b/jails/config/auto/local_settings.py
@ -0,0 +1 @@
+DEBUG = False
--- a/jails/config/auto/nginx.conf
+++ b/jails/config/auto/nginx.conf
@ -0,0 +1,211 @@
+
+#user  nobody;
+worker_processes  1;
+
+# This default error log path is compiled-in to make sure configuration parsing
+# errors are logged somewhere, especially during unattended boot when stderr
+# isn't normally logged anywhere. This path will be touched on every nginx
+# start regardless of error log location configured here. See
+# https://trac.nginx.org/nginx/ticket/147 for more info. 
+#
+#error_log  /var/log/nginx/error.log;
+#
+
+#pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    server {
+        listen       0.0.0.0:80;
+        listen       [::]:80;
+        server_name  auto.ahlawat.com auto;
+
+        location / {
+            root   /usr/local/www/nginx;
+            index  index.html index.htm;
+        }
+    }
+
+
+
+    server {
+        listen       0.0.0.0:80;
+        listen       [::]:80;
+        server_name  portfolio.ahlawat.com portfolio;
+
+        location / {
+            return 301 https://portfolio.ahlawat.com$request_uri;
+        }
+    }
+
+    server {
+        listen      0.0.0.0:443 ssl;
+        listen      [::]:443 ssl;
+        server_name portfolio.ahlawat.com;
+
+        ssl_certificate      /mnt/certs/fullchain.pem;
+        ssl_certificate_key  /mnt/certs/privkey.pem;
+
+        ssl_session_cache    shared:SSL:1m;
+        ssl_session_timeout  5m;
+
+        ssl_ciphers  HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers  on;
+
+        #charset koi8-r;
+
+        #access_log  logs/host.access.log  main;
+
+        location /favicon.ico { access_log off; log_not_found off; }
+        location /static/ {
+            root   /data/portfolio;
+        }
+        location /media/ {
+            root   /data/portfolio;
+        }
+        location / {
+            proxy_pass  http://unix:/var/run/portfolio.sock;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/local/www/nginx-dist;
+        }
+
+        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+        #
+        #location ~ \.php$ {
+        #    proxy_pass   http://127.0.0.1;
+        #}
+
+        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+        #
+        #location ~ \.php$ {
+        #    root           html;
+        #    fastcgi_pass   127.0.0.1:9000;
+        #    fastcgi_index  index.php;
+        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
+        #    include        fastcgi_params;
+        #}
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #    deny  all;
+        #}
+    }
+
+
+
+    server {
+        listen       0.0.0.0:80;
+        listen       [::]:80;
+        server_name  producthunt.ahlawat.com producthunt;
+
+        location / {
+            return 301 https://producthunt.ahlawat.com$request_uri;
+        }
+    }
+
+    server {
+        listen      0.0.0.0:443 ssl;
+        listen      [::]:443 ssl;
+        server_name producthunt.ahlawat.com;
+
+        ssl_certificate      /mnt/certs/fullchain.pem;
+        ssl_certificate_key  /mnt/certs/privkey.pem;
+
+        ssl_session_cache    shared:SSL:1m;
+        ssl_session_timeout  5m;
+
+        ssl_ciphers  HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers  on;
+
+        #access_log  logs/host.access.log  main;
+
+        location /favicon.ico { access_log off; log_not_found off; }
+        location /static/ {
+            root   /data/producthunt;
+        }
+        location /media/ {
+            root   /data/producthunt;
+        }
+        location / {
+            proxy_pass  http://unix:/var/run/producthunt.sock;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/local/www/nginx-dist;
+        }
+    }
+
+
+
+    # another virtual host using mix of IP-, name-, and port-based configuration
+    #
+    #server {
+    #    listen       8000;
+    #    listen       somename:8080;
+    #    server_name  somename  alias  another.alias;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+
+
+    # HTTPS server
+    #
+    #server {
+    #    listen       443 ssl;
+    #    server_name  localhost;
+
+    #    ssl_certificate      cert.pem;
+    #    ssl_certificate_key  cert.key;
+
+    #    ssl_session_cache    shared:SSL:1m;
+    #    ssl_session_timeout  5m;
+
+    #    ssl_ciphers  HIGH:!aNULL:!MD5;
+    #    ssl_prefer_server_ciphers  on;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+
+}
--- a/jails/config/auto/portfolio
+++ b/jails/config/auto/portfolio
@ -0,0 +1,52 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/bin/sh
+
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: portfolio
+# REQUIRE: NETWORKING DAEMON
+
+. /etc/rc.subr
+
+: ${portfolio_enable="NO"}
+ 
+name=portfolio
+port=8000
+appdir="/data/${name}"
+
+rcvar=${name}_enable
+
+GUNICORN_CMD="/usr/local/bin/gunicorn -D -b unix:/var/run/${name}.sock --log-file /var/log/${name}.log \
+    --chdir ${appdir} ${name}.wsgi"
+# GUNICORN_CMD="/usr/local/bin/gunicorn -D -b 0.0.0.0:${port} -b [::]:${port} --log-file /var/log/${name}.log \
+#     --chdir ${appdir} ${name}.wsgi"
+
+start_cmd="server_start"
+stop_cmd="server_stop"
+restart_cmd="server_restart"
+
+server_start()
+{
+    $GUNICORN_CMD
+}
+
+server_stop()
+{
+    ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
+    ps ax | grep -ie "gunicorn: worker \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
+}
+
+server_restart()
+{
+    ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
+	server_start
+}
+
+load_rc_config ${name}
+run_rc_command "$1"
--- a/jails/config/auto/producthunt
+++ b/jails/config/auto/producthunt
@ -0,0 +1,52 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/bin/sh
+
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: producthunt
+# REQUIRE: NETWORKING DAEMON
+
+. /etc/rc.subr
+
+: ${producthunt_enable="NO"}
+ 
+name=producthunt
+port=8000
+appdir="/data/${name}"
+
+rcvar=${name}_enable
+
+GUNICORN_CMD="/usr/local/bin/gunicorn -D -b unix:/var/run/${name}.sock --log-file /var/log/${name}.log \
+    --chdir ${appdir} ${name}.wsgi"
+# GUNICORN_CMD="/usr/local/bin/gunicorn -D -b 0.0.0.0:${port} -b [::]:${port} --log-file /var/log/${name}.log \
+#     --chdir ${appdir} ${name}.wsgi"
+
+start_cmd="server_start"
+stop_cmd="server_stop"
+restart_cmd="server_restart"
+
+server_start()
+{
+    $GUNICORN_CMD
+}
+
+server_stop()
+{
+    ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
+    ps ax | grep -ie "gunicorn: worker \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
+}
+
+server_restart()
+{
+    ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
+	server_start
+}
+
+load_rc_config ${name}
+run_rc_command "$1"
--- a/jails/config/book/cps
+++ b/jails/config/book/cps
@ -19,7 +19,7 @@
 name=cpsserver
 rcvar=${name}_enable

-CPSSERVER="nohup /usr/local/bin/python3.6 /data/calibre-web/cps.py"
+CPSSERVER="nohup /usr/local/bin/python3.7 /data/calibre-web/cps.py"

 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
--- a/jails/config/common/snip-sendmail.sh
+++ b/jails/config/common/snip-sendmail.sh
@ -10,3 +10,6 @@
 # smart_host - mail - is the mail server's dns name
 echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
 echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
+IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
+echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
+echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc
--- a/jails/config/hub/devfs_rules.raw
+++ b/jails/config/hub/devfs_rules.raw
@ -0,0 +1,7 @@
+100 include 4
+200 path 'cuau*' unhide
+300 path 'cuaU*' unhide
+400 path 'ttyu*' unhide
+500 path 'ttyU*' unhide
+600 path 'usb*' unhide
+700 path 'usb/*' unhide
--- a/jails/config/hub/devfs_rules.txt
+++ b/jails/config/hub/devfs_rules.txt
@ -0,0 +1,13 @@
+# devfs rule -s 150 add - < devfs_rules.raw
+# devfs rule -s 150 show
+
+# add to /etc/default/devfs.rules
+
+[serial_usb_rules=150]
+add include $devfsrules_jail
+add path 'cuau*' unhide
+add path 'cuaU*' unhide
+add path 'ttyu*' unhide
+add path 'ttyU*' unhide
+add path 'usb*' unhide
+add path 'usb/*' unhide
--- a/jails/config/hub/sshd_config
+++ b/jails/config/hub/sshd_config
@ -33,7 +33,7 @@
 # Authentication:

 #LoginGraceTime 2m
-PermitRootLogin no
+PermitRootLogin yes
 #StrictModes yes
 MaxAuthTries 2
 MaxSessions 2
@ -62,7 +62,7 @@ PasswordAuthentication no
 #PermitEmptyPasswords no

 # Change to no to disable PAM authentication
-#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no

 # Kerberos options
 #KerberosAuthentication no
--- a/jails/config/mail/postfix/main.cf
+++ b/jails/config/mail/postfix/main.cf
@ -265,7 +265,7 @@ unknown_local_recipient_reject_code = 550
 # 
 #mynetworks_style = class
 #mynetworks_style = subnet
-mynetworks_style = host
+#mynetworks_style = host

 # Alternatively, you can specify the mynetworks list by hand, in
 # which case Postfix ignores the mynetworks_style setting.
@ -282,6 +282,10 @@ mynetworks_style = host
 #mynetworks = $config_directory/mynetworks
 #mynetworks = hash:$config_directory/network_table

+mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56
+smtp_bind_address = 192.168.0.100
+smtp_bind_address6 = 2603:3024:3f6:e1::100
+
 # The relay_domains parameter restricts what destinations this system will
 # relay mail to.  See the smtpd_recipient_restrictions description in
 # postconf(5) for detailed information.
@ -675,7 +679,7 @@ sample_directory = /usr/local/etc/postfix
 # readme_directory: The location of the Postfix README files.
 #
 readme_directory = /usr/local/share/doc/postfix
-inet_protocols = ipv4
+inet_protocols = ipv4, ipv6
 meta_directory = /usr/local/libexec/postfix
 shlib_directory = /usr/local/lib/postfix

--- a/jails/config/mail/rspamd/groups.conf
+++ b/jails/config/mail/rspamd/groups.conf
@ -116,5 +116,11 @@ group "external_services" {
    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/external_services_group.conf"
 }

+group "content" {
+    .include "$CONFDIR/scores.d/content_group.conf"
+    .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/content_group.conf"
+    .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/content_group.conf"
+}
+
 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/groups.conf"
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf"
--- a/jails/config/mail/rspamd/options.inc
+++ b/jails/config/mail/rspamd/options.inc
@ -13,7 +13,7 @@
 #
 # Relevant documentation: https://rspamd.com/doc/configuration/options.html

-filters = "chartable,dkim,spf,regexp,fuzzy_check";
+filters = "chartable,dkim,regexp,fuzzy_check";
 raw_mode = false;
 one_shot = false;
 cache_file = "$DBDIR/symbols.cache";
@ -28,6 +28,7 @@ check_all_filters = false;
 # Default settings
 dns_max_requests = 64;
 max_lua_urls = 1024;
+max_urls = 10240;

 dns {
    timeout = 1s;
@ -57,6 +58,9 @@ words_decay = 600;
 # Write statistics about rspamd usage to the round-robin database
 rrd = "${DBDIR}/rspamd.rrd";

+# Write statistics for `rspamc` here
+stats_file = "${DBDIR}/stats.ucl";
+
 # Local networks
 local_addrs = [192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, fd00::/8, 169.254.0.0/16, fe80::/10];
 hs_cache_dir = "${DBDIR}/";
--- a/jails/config/pg/pg_hba.conf
+++ b/jails/config/pg/pg_hba.conf
@ -0,0 +1,93 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.  A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local      DATABASE  USER  METHOD  [OPTIONS]
+# host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches.  It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask.  A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts.  Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE.  The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted.  Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal.  If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records.  In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+# CAUTION: Configuring the system for local "trust" authentication
+# allows any local user to connect as any PostgreSQL user, including
+# the database superuser.  If you do not trust all your local users,
+# use another authentication method.
+
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     trust
+# IPv4 local connections:
+host    all             all             0.0.0.0/0               md5
+# IPv6 local connections:
+host    all             all             ::/0                    md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local   replication     all                                     trust
+host    replication     all             127.0.0.1/32            trust
+host    replication     all             ::1/128                 trust
--- a/jails/config/pg/postgresql.conf
+++ b/jails/config/pg/postgresql.conf
@ -0,0 +1,753 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  kB = kilobytes        Time units:  ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '*'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#port = 5432				# (change requires restart)
+max_connections = 100			# (change requires restart)
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+shared_buffers = 128MB			# min 128kB
+					# (change requires restart)
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kB, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 25
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+max_wal_size = 1GB
+min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_segments = 0		# in logfile segments; 0 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+					# (change requires restart)
+#primary_slot_name = ''			# replication slot on sending server
+					# (change requires restart)
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+log_destination = 'syslog'
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'log'			# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_transaction_sample_rate = 0.0	# Fraction of transactions whose statements
+					# are logged regardless of their duration. 1.0 logs all
+					# statements from all transactions, 0.0 never logs.
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+log_timezone = 'America/Los_Angeles'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+
+# On FreeBSD, this is a performance hog, so keep it off if you need speed
+update_process_title = off
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+timezone = 'America/Los_Angeles'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+lc_messages = 'C'			# locale for system error message
+					# strings
+lc_monetary = 'C'			# locale for monetary formatting
+lc_numeric = 'C'			# locale for number formatting
+lc_time = 'C'				# locale for time formatting
+
+# default configuration for text search
+default_text_search_config = 'pg_catalog.english'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
--- a/jails/config/proxy/haproxy.conf
+++ b/jails/config/proxy/haproxy.conf
@ -112,6 +112,7 @@ frontend ft
  use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
  use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
  use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
+  use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }

  default_backend bk_ahlawat

@ -228,3 +229,7 @@ backend bk_beyondbell-repo
  rspirep  ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
  server srv1 192.168.0.75:8080 check
  rspadd X-Frame-Options:\ SAMEORIGIN
+
+backend bk_beyondbell-gs
+  server srv1 192.168.0.81:26900 check
+  rspadd X-Frame-Options:\ SAMEORIGIN
--- a/jails/config/test/devfs_rules
+++ b/jails/config/test/devfs_rules
@ -0,0 +1,2 @@
+100 include 4
+200 path tun* unhide
--- a/jails/config/test/devfs_rules.raw
+++ b/jails/config/test/devfs_rules.raw
@ -0,0 +1,2 @@
+100 include 4
+200 path tun* unhide
--- a/jails/config/test/devfs_rules.txt
+++ b/jails/config/test/devfs_rules.txt
@ -0,0 +1,8 @@
+# devfs rule -s 300 add - < devfs_rules.raw
+# devfs rule -s 300 show
+
+# add to /etc/default/devfs.rules
+
+[devfs_rules_tun_jail=300]
+add include $devfsrules_jail
+add path tun* unhide
--- a/jails/config/vm/create_taps.sh
+++ b/jails/config/vm/create_taps.sh
@ -24,6 +24,11 @@ ifconfig bridge1 addm tap83 up
 ifconfig tap83 up
 ifconfig tap83 inet6 auto_linklocal

+ifconfig tap84 create
+ifconfig bridge1 addm tap84 up
+ifconfig tap84 up
+ifconfig tap84 inet6 auto_linklocal
+
 ifconfig tap90 create
 ifconfig bridge1 addm tap90 up
 ifconfig tap90 up
--- a/jails/config/vm/devfs_rules.raw
+++ b/jails/config/vm/devfs_rules.raw
@ -0,0 +1,8 @@
+100 include 4
+200 path vmm unhide
+300 path vmm/* unhide
+400 path vmm.io unhide
+500 path vmm.io/* unhide
+600 path tap* unhide
+700 path zvol/ship/raw/* unhide
+800 path nmdm* unhide
--- a/jails/config/vm/devfs_rules.txt
+++ b/jails/config/vm/devfs_rules.txt
@ -0,0 +1,14 @@
+# devfs rule -s 200 add - < devfs_rules.raw
+# devfs rule -s 200 show
+
+# add to /etc/default/devfs.rules
+
+[devfs_rules_bhyve_jail=200]
+add include $devfsrules_jail
+add path vmm unhide
+add path vmm/* unhide
+add path vmm.io unhide
+add path vmm.io/* unhide
+add path tap* unhide
+add path zvol/ship/raw/* unhide
+add path nmdm* unhide
--- a/jails/config/vm/r-windows.sh
+++ b/jails/config/vm/r-windows.sh
@ -15,7 +15,7 @@ bhyvectl --destroy --vm=r-windows
 while true
 do

-bhyve -c 4 -m 8G -S -A -H -P \
+bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
 -s 0,hostbridge \
 -s 4,ahci-hd,/dev/zvol/ship/raw/windows,sectorsize=512 \
 -s 5,virtio-net,tap81,mac=00:0A:0B:0C:0D:81 \
@ -47,7 +47,8 @@ exit $?

 # -s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso \
 # mounting the USB HDD as an attached drive to the system
-#-s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/da3p2 \
+#-s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/daXp2 \
+# daX being an NTFS drive

 # bhyvectl --get-all --vm=r-windows

--- a/jails/config/vm/startvms.sh
+++ b/jails/config/vm/startvms.sh
@ -18,20 +18,25 @@ tmux new-session -d -s $session -n freepbx
 tmux selectp -t 1
 tmux send-keys "cd /mnt/config;./pbx.sh" C-m

+# create a new window r-windows
+tmux new-window -t $session:1 -n r-windows
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./r-windows.sh" C-m
+
 # create a new window ubuntu
-tmux new-window -t $session:1 -n ubuntu
+tmux new-window -t $session:2 -n ubuntu
 tmux selectp -t 1
 tmux send-keys "cd /mnt/config;./ubuntu.sh" C-m

 # create a new window freebsd
-tmux new-window -t $session:2 -n freebsd
+tmux new-window -t $session:3 -n freebsd
 tmux selectp -t 1
 tmux send-keys "cd /mnt/config;./freebsd.sh" C-m

-# create a new window r-windows
-tmux new-window -t $session:3 -n r-windows
+# create a new window w2019
+tmux new-window -t $session:4 -n w2019
 tmux selectp -t 1
-tmux send-keys "cd /mnt/config;./r-windows.sh" C-m
+tmux send-keys "cd /mnt/config;./w2019.sh" C-m

 # return to main window
 tmux select-window -t $session:0
--- a/jails/config/vm/w2019.sh
+++ b/jails/config/vm/w2019.sh
@ -0,0 +1,65 @@
+# Copyright (c) 2018-2020, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+#!/usr/local/bin/bash
+# ./w2019.sh under tmux
+
+# clean cached state
+bhyvectl --destroy --vm=w2019
+
+while true
+do
+
+bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
+-s 0,hostbridge \
+-s 4,ahci-hd,/dev/zvol/ship/raw/w2019,sectorsize=512 \
+-s 5,virtio-net,tap84,mac=00:0A:0B:0C:0D:84 \
+-s 6,ahci-hd,/dev/zvol/ship/raw/w2019_data,sectorsize=512 \
+-s 29,fbuf,tcp=0.0.0.0:5984,w=1600,h=900 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm84A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+w2019
+
+bhyve_exit=$?
+# bhyve returns the following status codes:
+#  0 - VM has been reset
+#  1 - VM has been powered off
+#  2 - VM has been halted
+#  3 - VM generated a triple fault
+#  all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+    break
+fi
+echo `date` - restarting w2019 in 5 seconds - press ctrl-c to stop
+sleep 5
+
+done
+
+exit $?
+
+# -s 3,ahci,cd:/mnt/windows/w2019.iso,cd:/mnt/windows/virtio-win.iso \
+# mounting the USB HDD as an attached drive to the system
+#-s 3,ahci,cd:/mnt/windows/w2019.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/daXp2 \
+# daX being an NTFS drive
+
+# bhyvectl --get-all --vm=w2109
+
+# cu -l /dev/nmdm84B
+# (This uses cu() so press ~+Ctrl-D to exit)
+
+#on base system:
+#zfs create -V 32G -o refreservation=none ship/raw/w2109
+#zfs create -V 128G -o refreservation=none ship/raw/w2019_data
+# on boot
+#ifconfig tap84 create
+#ifconfig bridge1 addm tap84 up
+#ifconfig tap84 up
+#ifconfig tap84 inet6 auto_linklocal
--- a/jails/create.sh
+++ b/jails/create.sh
@ -36,15 +36,14 @@ I4NS="192.168.0.5"
 I6NS="2603:3024:3f6:e1::5"
 # these IP spaces are diyit deployment specific

-echo $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC
+echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"

 # cant install packages during jail creation because ipfw blocks all network traffic
 #echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
 #iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
 #rm /tmp/pkg-$JAIL.json

-if $I6CONFIG
-then
+if $I6CONFIG; then
 	iocage create -n "$JAIL" -r 12.1-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
 	# iocage create -n "$JAIL" -r 12.1-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
    # iocage cannot set static IP AND enable SLAAC temporary properly
@ -66,15 +65,13 @@ iocage exec $JAIL "service ipfw restart"
 iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"

 iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
-if $I6CONFIG
-then
+if $I6CONFIG; then
 	iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
 fi

 # create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf
 iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf"
-if $I6CONFIG
-then
+if $I6CONFIG; then
 	iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf"
 else
 	iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf"
@ -132,8 +129,7 @@ iocage exec $JAIL "service sendmail restart"
 # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
 iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'

-if [ "$JAILUSER" != "X" ]
-then
+if [ "$JAILUSER" != "X" ]; then

 	iocage exec $JAIL "pkg install -y sudo"

@ -151,11 +147,10 @@ then
 	iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh"

 	iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"
-	echo set ssh password for $JAILUSER
+	echo "set ssh password for $JAILUSER"
 	iocage exec $JAIL "passwd $JAILUSER"

-    if $JAILUSERVNC
-    then
+    if $JAILUSERVNC; then
        iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
        #firefox and other X apps require dbus
        iocage exec $JAIL "sysrc dbus_enable=YES"
@ -173,8 +168,8 @@ fi

 iocage exec $JAIL "pkg clean -y"

-iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
-iocage exec $JAIL "rmdir /mnt/common"
+# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
+# iocage exec $JAIL "rmdir /mnt/common"

 iocage exec $JAIL "echo 'Subject: created new jail: $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v jail-root@$JAILDOMAIN"
 # reverse dns should already be configured for the mail server to accept this email
--- a/jails/jails-restore-httpd.sh
+++ b/jails/jails-restore-httpd.sh
@ -12,7 +12,22 @@ web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monit

 for i in ${web_jails[@]};
 do
-	echo restoring httpd.conf in web_jail $i after Apache update
+	echo "## checking $i JAIL configs after Apache and/or PHP updates ##"
+	iocage exec $i "diff /usr/local/etc/apache24/httpd.conf /mnt/config/httpd.conf"
+	iocage exec $i "diff /usr/local/etc/php.ini /mnt/config/php.ini"
+    if [[ "$i" != "ldap-mgr" && "$i" != "r-ldap-mgr" ]]; then
+    	iocage exec $i "diff /usr/local/etc/php-fpm.d/www.conf /mnt/config/www.conf"
+    fi
+	echo "####"
+done
+
+read -p "Return/Enter to restore httpd.conf files, ctrl-c to abort? " RESP
+
+for i in ${web_jails[@]};
+do
+	echo "restoring httpd.conf in web_jail $i after Apache update"
 	iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
 	iocage exec $i "service apache24 reload"
 done
+
+echo "check if php.ini or php-fpm need to be restored"
--- a/jails/jails-update-cert.sh
+++ b/jails/jails-update-cert.sh
@ -12,7 +12,7 @@ web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monit

 for i in ${web_jails[@]};
 do
-	echo restarting apache in web_jail $i after SSL update
+	echo "restarting apache in web_jail $i after SSL update"
 	iocage exec $i "service apache24 restart"
 done

@ -20,17 +20,20 @@ ldap_jails=(ldap r-ldap)

 for i in ${ldap_jails[@]};
 do
-	echo restarting ldap in ldap_jail $i after SSL update
+	echo "restarting ldap in ldap_jail $i after SSL update"
 	iocage exec $i "service slapd restart"
 done

-echo restarting haproxy in jail proxy after SSL update
+echo "restarting haproxy in jail proxy after SSL update"
 iocage exec proxy "service haproxy reload"

-echo restarting mail in jail mail after SSL update
+echo "restarting nginx in jail pkgp after SSL update"
+iocage exec pkgp "service nginx reload"
+
+echo "restarting mail in jail mail after SSL update"
 iocage exec mail "service postfix restart"

-echo restarting ELK in jail monitor after SSL update
+echo "restarting ELK in jail monitor after SSL update"
 iocage exec monitor "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs"
 iocage exec monitor "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs"
 iocage exec monitor "service elasticsearch restart"
--- a/jails/jails-update-pkgs.sh
+++ b/jails/jails-update-pkgs.sh
@ -8,9 +8,7 @@

 #!/bin/bash

-#pkg-repo pj121
-
-web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
+pkg_jail="pj121"

 #<<'COMMENT-SKIP-PKG-BUILD'
 iocage exec pkgp "pkg update -f"
@ -19,30 +17,36 @@ iocage exec pkgp "pkg clean -ay"

 iocage set securelevel=0 pkgp
 iocage exec pkgp "poudriere jail -l"
-iocage exec pkgp "poudriere jail -u -j pj121"
+iocage exec pkgp "poudriere jail -u -j $pkg_jail"
 iocage set securelevel=2 pkgp

 iocage exec pkgp "portsnap auto"

 iocage exec pkgp "poudriere ports -l"
 iocage exec pkgp "poudriere ports -u"
-iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j pj121"
+iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail"
 #COMMENT-SKIP-PKG-BUILD

 cd /mnt/ship/ldap/phpLDAPadmin
+pwd
 git pull
 cd /mnt/ship/r-ldap/phpLDAPadmin
+pwd
 git pull
 cd /mnt/ship/book/calibre-web
+pwd
 git pull
 cd /mnt/ship/plex/PlexConnect
+pwd
 git pull
 cd /mnt/ship/maps/networkmaps
+pwd
 git pull
-# cert - acme.sh

-echo Return/Enter to continue, ctrl-c to abort?
-read RESP
+#read -p "Return/Enter to continue, ctrl-c to abort? " RESP
+
+web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
+pkg_repo="pkgp121"

 for i in `iocage list -h | cut -f 2`;
 do
@ -50,19 +54,17 @@ do

 	iocage exec $i "pkg update -f"

-	if [[ "$i" == "ldap" || "$i" == "r-ldap" ]];
-	then
+	if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then
 		iocage exec $i "pkg unlock -y openldap-sasl-server"
 		iocage exec $i "pkg unlock -y openldap-sasl-client"
-		iocage exec $i "pkg upgrade -y -r pkgp121 openldap-sasl-server openldap-sasl-client"
+		iocage exec $i "pkg upgrade -y -r $pkg_repo openldap-sasl-server openldap-sasl-client"
 		iocage exec $i "pkg lock -y openldap-sasl-server"
 		iocage exec $i "pkg lock -y openldap-sasl-client"
 	fi

-	if [[ "$i" == "atm" || "$i" == "hub" || "$i" == "mail" || "$i" == "web" ]];
-	then
+	if [[ "$i" == "atm" || "$i" == "hub" || "$i" == "mail" || "$i" == "web" ]]; then
 		iocage exec $i "pkg unlock -y openldap-sasl-client"
-		iocage exec $i "pkg upgrade -y -r pkgp121 openldap-sasl-client"
+		iocage exec $i "pkg upgrade -y -r $pkg_repo openldap-sasl-client"
 		iocage exec $i "pkg lock -y openldap-sasl-client"
 	fi

@ -72,34 +74,20 @@ do

 	echo "####"

-	#echo continue?
-	#read RESP
-
+	#read -p "continue, ctrl-c to abort? " RESP
 done

-for i in ${web_jails[@]};
-do
-	echo "## checking $i JAIL configs after Apache and/or PHP updates ##"
-	iocage exec $i "diff /usr/local/etc/apache24/httpd.conf /mnt/config/httpd.conf"
-	iocage exec $i "diff /usr/local/etc/php.ini /mnt/config/php.ini"
-    if [[ "$i" != "ldap-mgr" && "$i" != "r-ldap-mgr" ]];
-    then
-    	iocage exec $i "diff /usr/local/etc/php-fpm.d/www.conf /mnt/config/www.conf"
-    fi
-	echo "####"
-done
+echo "NOTES:"

-echo NOTES:
+echo "pkg update -f"
+echo "pkg autoremove -y"
+echo "pkg upgrade -y"
+echo "pkg clean -ay"

-echo pkg update -f
-echo pkg autoremove -y
-echo pkg upgrade -y
-echo pkg clean -ay
+echo "iocage stop ALL"
+echo "iocage start ALL"

-echo iocage stop ALL
-echo iocage start ALL
+echo "hub check for index.html and adminer version"

-echo hub check for index.html and adminer version
-
-echo iocage exec cert "/root/.acme.sh/acme.sh --upgrade"
-echo iocage exec cert "cp -r /root/.acme.sh /mnt/certs"
+echo "iocage exec cert \"/root/.acme.sh/acme.sh --upgrade\""
+echo "iocage exec cert \"cp -r /root/.acme.sh /mnt/certs\""
--- a/jails/update.sh
+++ b/jails/update.sh
@ -8,30 +8,24 @@

 #!/usr/local/bin/bash

-iocage fetch -U -r 12.1-RELEASE
+update_jail ()
+{
+    echo "######## ## JAIL:::: $JAIL ##"

-iocage list -l
-
-echo update all jails?
-read RESP
-if [ $RESP == "y" ]; then
-	for JAIL in `iocage list -h | cut -f2`;
-	do
-		echo "## JAIL:::: $JAIL ##"
-
-        zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort
-        echo remove all $JAIL snapshots?
-        read RESP
-        if [ $RESP == "y" ]; then
-        	zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort | xargs -n 1 zfs destroy
-        fi
+    ## uncomment below to list and remove snapshots
+    #zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort
+    #read -p "remove all $JAIL snapshots (y/N)? " RESP
+    #if [ ! -z $RESP ] && [ $RESP == "y" ]; then
+    #    zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort | xargs -n 1 zfs destroy
+    #fi

    iocage exec $JAIL "freebsd-version"

-        # uncomment below for an upgrade
+    ## uncomment below for an upgrade instead of an update
    #iocage upgrade -r 12.1-RELEASE $JAIL

    iocage update $JAIL
+
    iocage exec $JAIL "pkg upgrade -f -y"
    iocage exec $JAIL "mergemaster"

@ -42,12 +36,32 @@ if [ $RESP == "y" ]; then
    iocage exec $JAIL "pkg upgrade -y"
    iocage exec $JAIL "pkg clean -ay"

-		echo "####"
+    echo "######## ####"
+}
+
+iocage fetch -U -r 12.1-RELEASE
+
+read -p "update pkgp jail (y/N)? " RESP
+if [ ! -z $RESP ] && [ $RESP == "y" ]; then
+    JAIL="pkgp"
+    update_jail
+fi
+
+./jails-update-pkgs.sh
+
+read -p "update all jails (y/N)? " RESP
+if [ ! -z $RESP ] && [ $RESP == "y" ]; then
+    for JAIL in `iocage list -h | cut -f2`;
+    do
+        if [ $JAIL == "pkgp" ] || [ $JAIL == "debian"]; then
+            continue;
+        fi
+        update_jail
    done
 fi

-echo update base system by running:
-echo freebsd-update fetch
-echo freebsd-update install
-echo pkg-static upgrade -f
-echo mergemaster
+echo "update base system by running:"
+echo "freebsd-update fetch"
+echo "freebsd-update install"
+echo "pkg-static upgrade -f"
+echo "mergemaster"