auto now hosts django apps

added devfs_rule configs for jails
configure mail ipv6 settings
windows2019 VM
This commit is contained in:
Charlie Root 2020-04-11 00:46:09 -07:00
parent f26cf87f5a
commit 2327d9d6c0
34 changed files with 1451 additions and 113 deletions

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
#.gitignore
**/secret/**
**/.acme.sh/**

View File

@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2019, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -28,6 +28,8 @@ kern.geom.label.gptid.enable="0"
# Increase dmesg buffer to fit longer boot output.
kern.msgbufsize="524288"
kern.racct.enable=1
# ZFS root boot config
zfs_load="YES"
vfs.root.mountfrom="zfs:zroot/ROOT/default"

View File

@ -110,3 +110,7 @@ add path vmm.io/* unhide
add path tap* unhide
add path zvol/ship/raw/* unhide
add path nmdm* unhide
[devfs_rules_tun_jail=3000]
add include $devfsrules_jail
add path tun* unhide

View File

@ -15,7 +15,9 @@ ServerName update.FreeBSD.org
#Components src world kernel
# Example for updating the userland and the kernel source code only:
Components src world
#Components src world
Components world
# manually run - svnlite update /usr/src - before recompiling the kernel
# Paths which start with anything matching an entry in an IgnorePaths
# statement will be ignored.

View File

@ -0,0 +1 @@
DEBUG = False

View File

@ -0,0 +1,211 @@
#user nobody;
worker_processes 1;
# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 0.0.0.0:80;
listen [::]:80;
server_name auto.ahlawat.com auto;
location / {
root /usr/local/www/nginx;
index index.html index.htm;
}
}
server {
listen 0.0.0.0:80;
listen [::]:80;
server_name portfolio.ahlawat.com portfolio;
location / {
return 301 https://portfolio.ahlawat.com$request_uri;
}
}
server {
listen 0.0.0.0:443 ssl;
listen [::]:443 ssl;
server_name portfolio.ahlawat.com;
ssl_certificate /mnt/certs/fullchain.pem;
ssl_certificate_key /mnt/certs/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#charset koi8-r;
#access_log logs/host.access.log main;
location /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /data/portfolio;
}
location /media/ {
root /data/portfolio;
}
location / {
proxy_pass http://unix:/var/run/portfolio.sock;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
server {
listen 0.0.0.0:80;
listen [::]:80;
server_name producthunt.ahlawat.com producthunt;
location / {
return 301 https://producthunt.ahlawat.com$request_uri;
}
}
server {
listen 0.0.0.0:443 ssl;
listen [::]:443 ssl;
server_name producthunt.ahlawat.com;
ssl_certificate /mnt/certs/fullchain.pem;
ssl_certificate_key /mnt/certs/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#access_log logs/host.access.log main;
location /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /data/producthunt;
}
location /media/ {
root /data/producthunt;
}
location / {
proxy_pass http://unix:/var/run/producthunt.sock;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}

52
jails/config/auto/portfolio Executable file
View File

@ -0,0 +1,52 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: portfolio
# REQUIRE: NETWORKING DAEMON
. /etc/rc.subr
: ${portfolio_enable="NO"}
name=portfolio
port=8000
appdir="/data/${name}"
rcvar=${name}_enable
GUNICORN_CMD="/usr/local/bin/gunicorn -D -b unix:/var/run/${name}.sock --log-file /var/log/${name}.log \
--chdir ${appdir} ${name}.wsgi"
# GUNICORN_CMD="/usr/local/bin/gunicorn -D -b 0.0.0.0:${port} -b [::]:${port} --log-file /var/log/${name}.log \
# --chdir ${appdir} ${name}.wsgi"
start_cmd="server_start"
stop_cmd="server_stop"
restart_cmd="server_restart"
server_start()
{
$GUNICORN_CMD
}
server_stop()
{
ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
ps ax | grep -ie "gunicorn: worker \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
}
server_restart()
{
ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
server_start
}
load_rc_config ${name}
run_rc_command "$1"

52
jails/config/auto/producthunt Executable file
View File

@ -0,0 +1,52 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: producthunt
# REQUIRE: NETWORKING DAEMON
. /etc/rc.subr
: ${producthunt_enable="NO"}
name=producthunt
port=8000
appdir="/data/${name}"
rcvar=${name}_enable
GUNICORN_CMD="/usr/local/bin/gunicorn -D -b unix:/var/run/${name}.sock --log-file /var/log/${name}.log \
--chdir ${appdir} ${name}.wsgi"
# GUNICORN_CMD="/usr/local/bin/gunicorn -D -b 0.0.0.0:${port} -b [::]:${port} --log-file /var/log/${name}.log \
# --chdir ${appdir} ${name}.wsgi"
start_cmd="server_start"
stop_cmd="server_stop"
restart_cmd="server_restart"
server_start()
{
$GUNICORN_CMD
}
server_stop()
{
ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
ps ax | grep -ie "gunicorn: worker \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
}
server_restart()
{
ps ax | grep -ie "gunicorn: master \[${name}.wsgi\]" | grep -v grep | awk '{print $1}' | xargs kill -9
server_start
}
load_rc_config ${name}
run_rc_command "$1"

View File

@ -19,7 +19,7 @@
name=cpsserver
rcvar=${name}_enable
CPSSERVER="nohup /usr/local/bin/python3.6 /data/calibre-web/cps.py"
CPSSERVER="nohup /usr/local/bin/python3.7 /data/calibre-web/cps.py"
start_cmd="${name}_start"
stop_cmd="${name}_stop"

View File

@ -10,3 +10,6 @@
# smart_host - mail - is the mail server's dns name
echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc

View File

@ -0,0 +1,7 @@
100 include 4
200 path 'cuau*' unhide
300 path 'cuaU*' unhide
400 path 'ttyu*' unhide
500 path 'ttyU*' unhide
600 path 'usb*' unhide
700 path 'usb/*' unhide

View File

@ -0,0 +1,13 @@
# devfs rule -s 150 add - < devfs_rules.raw
# devfs rule -s 150 show
# add to /etc/default/devfs.rules
[serial_usb_rules=150]
add include $devfsrules_jail
add path 'cuau*' unhide
add path 'cuaU*' unhide
add path 'ttyu*' unhide
add path 'ttyU*' unhide
add path 'usb*' unhide
add path 'usb/*' unhide

View File

@ -33,7 +33,7 @@
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 2
MaxSessions 2
@ -62,7 +62,7 @@ PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no

View File

@ -265,7 +265,7 @@ unknown_local_recipient_reject_code = 550
#
#mynetworks_style = class
#mynetworks_style = subnet
mynetworks_style = host
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
@ -282,6 +282,10 @@ mynetworks_style = host
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:$config_directory/network_table
mynetworks = 127.0.0.1/32 192.168.0.0/16 [::1]/128 [fe80::]/10 [2603:3024:3f6::]/56
smtp_bind_address = 192.168.0.100
smtp_bind_address6 = 2603:3024:3f6:e1::100
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
@ -675,7 +679,7 @@ sample_directory = /usr/local/etc/postfix
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
inet_protocols = ipv4, ipv6
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix

View File

@ -116,5 +116,11 @@ group "external_services" {
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/external_services_group.conf"
}
group "content" {
.include "$CONFDIR/scores.d/content_group.conf"
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/content_group.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/content_group.conf"
}
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/groups.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/groups.conf"

View File

@ -13,7 +13,7 @@
#
# Relevant documentation: https://rspamd.com/doc/configuration/options.html
filters = "chartable,dkim,spf,regexp,fuzzy_check";
filters = "chartable,dkim,regexp,fuzzy_check";
raw_mode = false;
one_shot = false;
cache_file = "$DBDIR/symbols.cache";
@ -28,6 +28,7 @@ check_all_filters = false;
# Default settings
dns_max_requests = 64;
max_lua_urls = 1024;
max_urls = 10240;
dns {
timeout = 1s;
@ -57,6 +58,9 @@ words_decay = 600;
# Write statistics about rspamd usage to the round-robin database
rrd = "${DBDIR}/rspamd.rrd";
# Write statistics for `rspamc` here
stats_file = "${DBDIR}/stats.ucl";
# Local networks
local_addrs = [192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, fd00::/8, 169.254.0.0/16, fe80::/10];
hs_cache_dir = "${DBDIR}/";

View File

@ -0,0 +1,93 @@
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type: "local" is a Unix-domain
# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
# plain TCP/IP socket.
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser. If you do not trust all your local users,
# use another authentication method.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::/0 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust

View File

@ -0,0 +1,753 @@
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: kB = kilobytes Time units: ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man 7 tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
dynamic_shared_memory_type = posix # the default is the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kB, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 25
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 10 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 0 # measured in pages, 0 disables
# - Asynchronous Behavior -
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#parallel_leader_participation = on
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#backend_flush_after = 0 # measured in pages, 0 disables
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_compression = off # enable compression of full-page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
max_wal_size = 1GB
min_wal_size = 80MB
#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 0 # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_command = '' # command to use to archive a logfile segment
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a logfile segment switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived logfile segment
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
# (change requires restart)
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the master and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#wal_keep_segments = 0 # in logfile segments; 0 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Master Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
# - Standby Servers -
# These settings are ignored on a master server.
#primary_conninfo = '' # connection string to sending server
# (change requires restart)
#primary_slot_name = '' # replication slot on sending server
# (change requires restart)
#promote_trigger_file = '' # file name whose presence ends recovery
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from master
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_bitmapscan = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_parallel_hash = on
#enable_partition_pruning = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#force_parallel_mode = off
#jit = on # allow JIT compilation
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
log_destination = 'syslog'
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, syslog, and eventlog,
# depending on platform. csvlog
# requires logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr and csvlog
# into log files. Required to be on for
# csvlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (win32):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_transaction_sample_rate = 0.0 # Fraction of transactions whose statements
# are logged regardless of their duration. 1.0 logs all
# statements from all transactions, 0.0 never logs.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_checkpoints = off
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %p = process ID
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'America/Los_Angeles'
#------------------------------------------------------------------------------
# PROCESS TITLE
#------------------------------------------------------------------------------
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
# On FreeBSD, this is a performance hog, so keep it off if you need speed
update_process_title = off
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Query and Index Statistics Collector -
#track_activities = on
#track_counts = on
#track_io_timing = off
#track_functions = none # none, pl, all
#track_activity_query_size = 1024 # (change requires restart)
#stats_temp_directory = 'pg_stat_tmp'
# - Monitoring -
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#log_statement_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#default_table_access_method = 'heap'
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples
# before index cleanup, 0 always performs
# index cleanup
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_fuzzy_search_limit = 0
#gin_pending_list_limit = 4MB
# - Locale and Formatting -
datestyle = 'iso, mdy'
#intervalstyle = 'postgres'
timezone = 'America/Los_Angeles'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'C' # locale for system error message
# strings
lc_monetary = 'C' # locale for monetary formatting
lc_numeric = 'C' # locale for number formatting
lc_time = 'C' # locale for time formatting
# default configuration for text search
default_text_search_config = 'pg_catalog.english'
# - Shared Library Preloading -
#shared_preload_libraries = '' # (change requires restart)
#local_preload_libraries = ''
#session_preload_libraries = ''
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#operator_precedence_warning = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here

View File

@ -112,6 +112,7 @@ frontend ft
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
default_backend bk_ahlawat
@ -228,3 +229,7 @@ backend bk_beyondbell-repo
rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
server srv1 192.168.0.75:8080 check
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-gs
server srv1 192.168.0.81:26900 check
rspadd X-Frame-Options:\ SAMEORIGIN

View File

@ -0,0 +1,2 @@
100 include 4
200 path tun* unhide

View File

@ -0,0 +1,2 @@
100 include 4
200 path tun* unhide

View File

@ -0,0 +1,8 @@
# devfs rule -s 300 add - < devfs_rules.raw
# devfs rule -s 300 show
# add to /etc/default/devfs.rules
[devfs_rules_tun_jail=300]
add include $devfsrules_jail
add path tun* unhide

View File

@ -24,6 +24,11 @@ ifconfig bridge1 addm tap83 up
ifconfig tap83 up
ifconfig tap83 inet6 auto_linklocal
ifconfig tap84 create
ifconfig bridge1 addm tap84 up
ifconfig tap84 up
ifconfig tap84 inet6 auto_linklocal
ifconfig tap90 create
ifconfig bridge1 addm tap90 up
ifconfig tap90 up

View File

@ -0,0 +1,8 @@
100 include 4
200 path vmm unhide
300 path vmm/* unhide
400 path vmm.io unhide
500 path vmm.io/* unhide
600 path tap* unhide
700 path zvol/ship/raw/* unhide
800 path nmdm* unhide

View File

@ -0,0 +1,14 @@
# devfs rule -s 200 add - < devfs_rules.raw
# devfs rule -s 200 show
# add to /etc/default/devfs.rules
[devfs_rules_bhyve_jail=200]
add include $devfsrules_jail
add path vmm unhide
add path vmm/* unhide
add path vmm.io unhide
add path vmm.io/* unhide
add path tap* unhide
add path zvol/ship/raw/* unhide
add path nmdm* unhide

View File

@ -15,7 +15,7 @@ bhyvectl --destroy --vm=r-windows
while true
do
bhyve -c 4 -m 8G -S -A -H -P \
bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
-s 0,hostbridge \
-s 4,ahci-hd,/dev/zvol/ship/raw/windows,sectorsize=512 \
-s 5,virtio-net,tap81,mac=00:0A:0B:0C:0D:81 \
@ -47,7 +47,8 @@ exit $?
# -s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso \
# mounting the USB HDD as an attached drive to the system
#-s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/da3p2 \
#-s 3,ahci,cd:/mnt/windows/w10.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/daXp2 \
# daX being an NTFS drive
# bhyvectl --get-all --vm=r-windows

View File

@ -18,20 +18,25 @@ tmux new-session -d -s $session -n freepbx
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./pbx.sh" C-m
# create a new window r-windows
tmux new-window -t $session:1 -n r-windows
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./r-windows.sh" C-m
# create a new window ubuntu
tmux new-window -t $session:1 -n ubuntu
tmux new-window -t $session:2 -n ubuntu
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./ubuntu.sh" C-m
# create a new window freebsd
tmux new-window -t $session:2 -n freebsd
tmux new-window -t $session:3 -n freebsd
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./freebsd.sh" C-m
# create a new window r-windows
tmux new-window -t $session:3 -n r-windows
# create a new window w2019
tmux new-window -t $session:4 -n w2019
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./r-windows.sh" C-m
tmux send-keys "cd /mnt/config;./w2019.sh" C-m
# return to main window
tmux select-window -t $session:0

65
jails/config/vm/w2019.sh Executable file
View File

@ -0,0 +1,65 @@
# Copyright (c) 2018-2020, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
#!/usr/local/bin/bash
# ./w2019.sh under tmux
# clean cached state
bhyvectl --destroy --vm=w2019
while true
do
bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
-s 0,hostbridge \
-s 4,ahci-hd,/dev/zvol/ship/raw/w2019,sectorsize=512 \
-s 5,virtio-net,tap84,mac=00:0A:0B:0C:0D:84 \
-s 6,ahci-hd,/dev/zvol/ship/raw/w2019_data,sectorsize=512 \
-s 29,fbuf,tcp=0.0.0.0:5984,w=1600,h=900 \
-s 30,xhci,tablet \
-s 31,lpc -l com1,/dev/nmdm84A \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
w2019
bhyve_exit=$?
# bhyve returns the following status codes:
# 0 - VM has been reset
# 1 - VM has been powered off
# 2 - VM has been halted
# 3 - VM generated a triple fault
# all other non-zero status codes are errors
#
if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
then
break
fi
echo `date` - restarting w2019 in 5 seconds - press ctrl-c to stop
sleep 5
done
exit $?
# -s 3,ahci,cd:/mnt/windows/w2019.iso,cd:/mnt/windows/virtio-win.iso \
# mounting the USB HDD as an attached drive to the system
#-s 3,ahci,cd:/mnt/windows/w2019.iso,cd:/mnt/windows/virtio-win.iso,hd:/dev/daXp2 \
# daX being an NTFS drive
# bhyvectl --get-all --vm=w2109
# cu -l /dev/nmdm84B
# (This uses cu() so press ~+Ctrl-D to exit)
#on base system:
#zfs create -V 32G -o refreservation=none ship/raw/w2109
#zfs create -V 128G -o refreservation=none ship/raw/w2019_data
# on boot
#ifconfig tap84 create
#ifconfig bridge1 addm tap84 up
#ifconfig tap84 up
#ifconfig tap84 inet6 auto_linklocal

View File

@ -36,15 +36,14 @@ I4NS="192.168.0.5"
I6NS="2603:3024:3f6:e1::5"
# these IP spaces are diyit deployment specific
echo $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC
echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
# cant install packages during jail creation because ipfw blocks all network traffic
#echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
#iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
#rm /tmp/pkg-$JAIL.json
if $I6CONFIG
then
if $I6CONFIG; then
iocage create -n "$JAIL" -r 12.1-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
# iocage create -n "$JAIL" -r 12.1-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
# iocage cannot set static IP AND enable SLAAC temporary properly
@ -66,15 +65,13 @@ iocage exec $JAIL "service ipfw restart"
iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"
iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
if $I6CONFIG
then
if $I6CONFIG; then
iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
fi
# create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf
iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf"
if $I6CONFIG
then
if $I6CONFIG; then
iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf"
else
iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf"
@ -132,8 +129,7 @@ iocage exec $JAIL "service sendmail restart"
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'
if [ "$JAILUSER" != "X" ]
then
if [ "$JAILUSER" != "X" ]; then
iocage exec $JAIL "pkg install -y sudo"
@ -151,11 +147,10 @@ then
iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh"
iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"
echo set ssh password for $JAILUSER
echo "set ssh password for $JAILUSER"
iocage exec $JAIL "passwd $JAILUSER"
if $JAILUSERVNC
then
if $JAILUSERVNC; then
iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
#firefox and other X apps require dbus
iocage exec $JAIL "sysrc dbus_enable=YES"
@ -173,8 +168,8 @@ fi
iocage exec $JAIL "pkg clean -y"
iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
iocage exec $JAIL "rmdir /mnt/common"
# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# iocage exec $JAIL "rmdir /mnt/common"
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v jail-root@$JAILDOMAIN"
# reverse dns should already be configured for the mail server to accept this email

View File

@ -12,7 +12,22 @@ web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monit
for i in ${web_jails[@]};
do
echo restoring httpd.conf in web_jail $i after Apache update
echo "## checking $i JAIL configs after Apache and/or PHP updates ##"
iocage exec $i "diff /usr/local/etc/apache24/httpd.conf /mnt/config/httpd.conf"
iocage exec $i "diff /usr/local/etc/php.ini /mnt/config/php.ini"
if [[ "$i" != "ldap-mgr" && "$i" != "r-ldap-mgr" ]]; then
iocage exec $i "diff /usr/local/etc/php-fpm.d/www.conf /mnt/config/www.conf"
fi
echo "####"
done
read -p "Return/Enter to restore httpd.conf files, ctrl-c to abort? " RESP
for i in ${web_jails[@]};
do
echo "restoring httpd.conf in web_jail $i after Apache update"
iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
iocage exec $i "service apache24 reload"
done
echo "check if php.ini or php-fpm need to be restored"

View File

@ -12,7 +12,7 @@ web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monit
for i in ${web_jails[@]};
do
echo restarting apache in web_jail $i after SSL update
echo "restarting apache in web_jail $i after SSL update"
iocage exec $i "service apache24 restart"
done
@ -20,17 +20,20 @@ ldap_jails=(ldap r-ldap)
for i in ${ldap_jails[@]};
do
echo restarting ldap in ldap_jail $i after SSL update
echo "restarting ldap in ldap_jail $i after SSL update"
iocage exec $i "service slapd restart"
done
echo restarting haproxy in jail proxy after SSL update
echo "restarting haproxy in jail proxy after SSL update"
iocage exec proxy "service haproxy reload"
echo restarting mail in jail mail after SSL update
echo "restarting nginx in jail pkgp after SSL update"
iocage exec pkgp "service nginx reload"
echo "restarting mail in jail mail after SSL update"
iocage exec mail "service postfix restart"
echo restarting ELK in jail monitor after SSL update
echo "restarting ELK in jail monitor after SSL update"
iocage exec monitor "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs"
iocage exec monitor "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs"
iocage exec monitor "service elasticsearch restart"

View File

@ -8,9 +8,7 @@
#!/bin/bash
#pkg-repo pj121
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
pkg_jail="pj121"
#<<'COMMENT-SKIP-PKG-BUILD'
iocage exec pkgp "pkg update -f"
@ -19,30 +17,36 @@ iocage exec pkgp "pkg clean -ay"
iocage set securelevel=0 pkgp
iocage exec pkgp "poudriere jail -l"
iocage exec pkgp "poudriere jail -u -j pj121"
iocage exec pkgp "poudriere jail -u -j $pkg_jail"
iocage set securelevel=2 pkgp
iocage exec pkgp "portsnap auto"
iocage exec pkgp "poudriere ports -l"
iocage exec pkgp "poudriere ports -u"
iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j pj121"
iocage exec pkgp "poudriere bulk -f /mnt/config/mypkgs -j $pkg_jail"
#COMMENT-SKIP-PKG-BUILD
cd /mnt/ship/ldap/phpLDAPadmin
pwd
git pull
cd /mnt/ship/r-ldap/phpLDAPadmin
pwd
git pull
cd /mnt/ship/book/calibre-web
pwd
git pull
cd /mnt/ship/plex/PlexConnect
pwd
git pull
cd /mnt/ship/maps/networkmaps
pwd
git pull
# cert - acme.sh
echo Return/Enter to continue, ctrl-c to abort?
read RESP
#read -p "Return/Enter to continue, ctrl-c to abort? " RESP
web_jails=(cloud hub nivi rishabh sharad web web-diyit ldap-mgr r-ldap-mgr monitor)
pkg_repo="pkgp121"
for i in `iocage list -h | cut -f 2`;
do
@ -50,19 +54,17 @@ do
iocage exec $i "pkg update -f"
if [[ "$i" == "ldap" || "$i" == "r-ldap" ]];
then
if [[ "$i" == "ldap" || "$i" == "r-ldap" ]]; then
iocage exec $i "pkg unlock -y openldap-sasl-server"
iocage exec $i "pkg unlock -y openldap-sasl-client"
iocage exec $i "pkg upgrade -y -r pkgp121 openldap-sasl-server openldap-sasl-client"
iocage exec $i "pkg upgrade -y -r $pkg_repo openldap-sasl-server openldap-sasl-client"
iocage exec $i "pkg lock -y openldap-sasl-server"
iocage exec $i "pkg lock -y openldap-sasl-client"
fi
if [[ "$i" == "atm" || "$i" == "hub" || "$i" == "mail" || "$i" == "web" ]];
then
if [[ "$i" == "atm" || "$i" == "hub" || "$i" == "mail" || "$i" == "web" ]]; then
iocage exec $i "pkg unlock -y openldap-sasl-client"
iocage exec $i "pkg upgrade -y -r pkgp121 openldap-sasl-client"
iocage exec $i "pkg upgrade -y -r $pkg_repo openldap-sasl-client"
iocage exec $i "pkg lock -y openldap-sasl-client"
fi
@ -72,34 +74,20 @@ do
echo "####"
#echo continue?
#read RESP
#read -p "continue, ctrl-c to abort? " RESP
done
for i in ${web_jails[@]};
do
echo "## checking $i JAIL configs after Apache and/or PHP updates ##"
iocage exec $i "diff /usr/local/etc/apache24/httpd.conf /mnt/config/httpd.conf"
iocage exec $i "diff /usr/local/etc/php.ini /mnt/config/php.ini"
if [[ "$i" != "ldap-mgr" && "$i" != "r-ldap-mgr" ]];
then
iocage exec $i "diff /usr/local/etc/php-fpm.d/www.conf /mnt/config/www.conf"
fi
echo "####"
done
echo "NOTES:"
echo NOTES:
echo "pkg update -f"
echo "pkg autoremove -y"
echo "pkg upgrade -y"
echo "pkg clean -ay"
echo pkg update -f
echo pkg autoremove -y
echo pkg upgrade -y
echo pkg clean -ay
echo "iocage stop ALL"
echo "iocage start ALL"
echo iocage stop ALL
echo iocage start ALL
echo "hub check for index.html and adminer version"
echo hub check for index.html and adminer version
echo iocage exec cert "/root/.acme.sh/acme.sh --upgrade"
echo iocage exec cert "cp -r /root/.acme.sh /mnt/certs"
echo "iocage exec cert \"/root/.acme.sh/acme.sh --upgrade\""
echo "iocage exec cert \"cp -r /root/.acme.sh /mnt/certs\""

View File

@ -8,46 +8,60 @@
#!/usr/local/bin/bash
update_jail ()
{
echo "######## ## JAIL:::: $JAIL ##"
## uncomment below to list and remove snapshots
#zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort
#read -p "remove all $JAIL snapshots (y/N)? " RESP
#if [ ! -z $RESP ] && [ $RESP == "y" ]; then
# zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort | xargs -n 1 zfs destroy
#fi
iocage exec $JAIL "freebsd-version"
## uncomment below for an upgrade instead of an update
#iocage upgrade -r 12.1-RELEASE $JAIL
iocage update $JAIL
iocage exec $JAIL "pkg upgrade -f -y"
iocage exec $JAIL "mergemaster"
iocage exec $JAIL "freebsd-version"
iocage exec $JAIL "pkg update -f"
iocage exec $JAIL "pkg autoremove -y"
iocage exec $JAIL "pkg upgrade -y"
iocage exec $JAIL "pkg clean -ay"
echo "######## ####"
}
iocage fetch -U -r 12.1-RELEASE
iocage list -l
echo update all jails?
read RESP
if [ $RESP == "y" ]; then
for JAIL in `iocage list -h | cut -f2`;
do
echo "## JAIL:::: $JAIL ##"
zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort
echo remove all $JAIL snapshots?
read RESP
if [ $RESP == "y" ]; then
zfs list -t snapshot -o name | grep ship/iocage/jails/$JAIL | sort | xargs -n 1 zfs destroy
fi
iocage exec $JAIL "freebsd-version"
# uncomment below for an upgrade
#iocage upgrade -r 12.1-RELEASE $JAIL
iocage update $JAIL
iocage exec $JAIL "pkg upgrade -f -y"
iocage exec $JAIL "mergemaster"
iocage exec $JAIL "freebsd-version"
iocage exec $JAIL "pkg update -f"
iocage exec $JAIL "pkg autoremove -y"
iocage exec $JAIL "pkg upgrade -y"
iocage exec $JAIL "pkg clean -ay"
echo "####"
done
read -p "update pkgp jail (y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
JAIL="pkgp"
update_jail
fi
echo update base system by running:
echo freebsd-update fetch
echo freebsd-update install
echo pkg-static upgrade -f
echo mergemaster
./jails-update-pkgs.sh
read -p "update all jails (y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
for JAIL in `iocage list -h | cut -f2`;
do
if [ $JAIL == "pkgp" ] || [ $JAIL == "debian"]; then
continue;
fi
update_jail
done
fi
echo "update base system by running:"
echo "freebsd-update fetch"
echo "freebsd-update install"
echo "pkg-static upgrade -f"
echo "mergemaster"