.

.gitignore

@@ -1,3 +1,4 @@
 #.gitignore
 **/secret/**
 **/.acme.sh/**
+current-src.bzip2

configs/boot/loader.conf

@@ -28,6 +28,8 @@ kern.geom.label.gptid.enable="0"
 # Increase dmesg buffer to fit longer boot output.
 kern.msgbufsize="524288"
 
+kern.ipc.maxmbufmem=150608778240
+
 kern.racct.enable=1
 
 # ZFS root boot config
@@ -96,6 +98,7 @@ vfs.zfs.vdev.cache.size=134217728
 vfs.zfs.vdev.cache.max=134217728
 
 # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185487
+# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210686
 # https://forums.freebsd.org/threads/updating-bsd-from-10-to-11-ahci-ssd-issue.59923/
 # https://lists.freebsd.org/pipermail/freebsd-bugs/2013-April/052301.html
 # my 8TB's don't support NCQ TRIM

configs/etc/crontab-config.txt

@@ -1,2 +0,0 @@
-00 08,12,16,20 *   *   *   /root/FreeBSD/scripts/zfs_health.sh
-00   2    *   *   0   /usr/local/sbin/zfSnap -d -s -S -a 2w -p weekly_ -r zroot ship data base

configs/etc/ctl.conf

@@ -33,3 +33,23 @@ target iqn.nas.ahlawat.com:f13 {
 		size 128G
 	}
 }
+
+target iqn.nas.ahlawat.com:f12p {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/FreeBSD12p
+		size 128G
+	}
+}
+
+target iqn.nas.ahlawat.com:f13p {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/FreeBSD13p
+		size 128G
+	}
+}

configs/etc/defaults/devfs.rules

@@ -13,7 +13,7 @@
 # references must include a dollar sign '$' in front of the
 # name to be expanded properly.
 #
-# $FreeBSD: releng/12.1/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
+# $FreeBSD: releng/12.2/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
 #
 
 # Very basic and secure ruleset: Hide everything.
@@ -87,12 +87,13 @@ add include $devfsrules_unhide_login
 add path fuse unhide
 add path zfs unhide
 
+# members of group uucp can access all usb and tty devices
 [usbrules=100]
 add path 'usbctl' mode 660 group uucp
 add path 'usb/*' mode 660 group uucp
 add path 'ttyU*' mode 660 group uucp
 
-[serial_usb_rules=1000]
+[serial_usb_rules=150]
 add include $devfsrules_jail
 add path 'cuau*' unhide
 add path 'cuaU*' unhide
@@ -101,7 +102,7 @@ add path 'ttyU*' unhide
 add path 'usb*' unhide
 add path 'usb/*' unhide
 
-[devfs_rules_bhyve_jail=2000]
+[devfs_rules_bhyve_jail=200]
 add include $devfsrules_jail
 add path vmm unhide
 add path vmm/* unhide
@@ -111,6 +112,6 @@ add path tap* unhide
 add path zvol/ship/raw/* unhide
 add path nmdm* unhide
 
-[devfs_rules_tun_jail=3000]
+[devfs_rules_tun_jail=300]
 add include $devfsrules_jail
 add path tun* unhide

configs/etc/defaults/periodic.conf

@@ -13,7 +13,7 @@
 # For a more detailed explanation of all the periodic.conf variables, please
 # refer to the periodic.conf(5) manual page.
 #
-# $FreeBSD: releng/12.1/usr.sbin/periodic/periodic.conf 337648 2018-08-11 17:11:08Z brd $
+# $FreeBSD: releng/12.2/usr.sbin/periodic/periodic.conf 337648 2018-08-11 17:11:08Z brd $
 #
 
 # What files override these defaults ?

configs/etc/exports

@@ -1,3 +1,6 @@
+V4: / -network=192.168.10.0 -mask=255.255.255.0
 /mnt/ship/pxe/FreeBSD11 -alldirs -maproot=root
 /mnt/ship/pxe/FreeBSD12 -alldirs -maproot=root
 /mnt/ship/pxe/FreeBSD13 -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD12p -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD13p -alldirs -maproot=root

configs/etc/freebsd-update.conf

@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
 
 # Trusted keyprint.  Changing this is a Bad Idea unless you've received
 # a PGP-signed email from <security-officer@FreeBSD.org> telling you to

configs/etc/fstab

@@ -1,11 +1,12 @@
 # Device		Mountpoint	FStype	Options		Dump	Pass#
-/dev/ada2p3		none	swap	sw		0	0
-/dev/ada3p3		none	swap	sw		0	0
+#/dev/zvol/zroot/swapvol		none	swap	sw		0	0
+#/dev/ada2p3		none	swap	sw		0	0
+#/dev/ada3p3		none	swap	sw		0	0
 #/dev/da0p1		none	swap	sw		0	0
-/dev/da1p1		none	swap	sw		0	0
-/dev/da2p1		none	swap	sw		0	0
-/dev/da3p1		none	swap	sw		0	0
-/dev/da4p1		none	swap	sw		0	0
+#/dev/da1p1		none	swap	sw		0	0
+#/dev/da2p1		none	swap	sw		0	0
+#/dev/da3p1		none	swap	sw		0	0
+#/dev/da4p1		none	swap	sw		0	0
 #/dev/da5p1		none	swap	sw		0	0
 #/dev/da6p1		none	swap	sw		0	0
 #/dev/da7p1		none	swap	sw		0	0

configs/etc/login.conf

@@ -7,7 +7,7 @@
 # This file controls resource limits, accounting limits and
 # default user environment settings.
 #
-# $FreeBSD: releng/12.1/usr.bin/login/login.conf 338399 2018-08-30 15:52:03Z brd $
+# $FreeBSD: releng/12.2/usr.bin/login/login.conf 357789 2020-02-12 02:04:03Z kevans $
 #
 
 # Default settings effectively disable resource limits, see the
@@ -26,7 +26,8 @@ default:\
 	:passwd_format=sha512:\
 	:copyright=/etc/COPYRIGHT:\
 	:welcome=/etc/motd:\
-	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
+	:setenv=BLOCKSIZE=K:\
+	:mail=/var/mail/$:\
 	:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
 	:nologin=/var/run/nologin:\
 	:cputime=unlimited:\
@@ -63,6 +64,7 @@ xuser:\
 staff:\
 	:tc=default:
 daemon:\
+	:mail@:\
 	:memorylocked=128M:\
 	:tc=default:
 news:\
@@ -123,7 +125,8 @@ russian|Russian Users Accounts:\
 #standard:\
 #	:copyright=/etc/COPYRIGHT:\
 #	:welcome=/etc/motd:\
-#	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
+#	:setenv=BLOCKSIZE=K:\
+#	:mail=/var/mail/$:\
 #	:path=~/bin /bin /usr/bin /usr/local/bin:\
 #	:manpath=/usr/share/man /usr/local/man:\
 #	:nologin=/var/run/nologin:\

configs/etc/ntp.conf

@@ -1,5 +1,5 @@
 #
-# $FreeBSD: releng/12.1/usr.sbin/ntp/ntpd/ntp.conf 337649 2018-08-11 17:42:42Z brd $
+# $FreeBSD: releng/12.2/usr.sbin/ntp/ntpd/ntp.conf 352865 2019-09-29 03:36:50Z cy $
 #
 # Default NTP servers for the FreeBSD operating system.
 #
@@ -103,3 +103,11 @@ restrict ::1
 # Use either leapfile in /etc/ntp or periodically updated leapfile in /var/db.
 #leapfile "/etc/ntp/leap-seconds"
 leapfile "/var/db/ntpd.leap-seconds.list"
+
+# Specify the number of megabytes of memory that should be allocated and
+# locked. -1 (default) means "do not lock the process into memory".
+# 0 means "lock whatever memory the process wants into memory". Any other
+# number means to lock up to that number of megabytes into memory.
+# 0 may result in a segfault when ASLR with stack gap randomization
+# is enabled.
+#rlimit memlock 32

configs/etc/profile

@@ -1,11 +1,7 @@
-# $FreeBSD: releng/12.1/bin/sh/profile 337849 2018-08-15 14:41:24Z brd $
+# $FreeBSD: releng/12.2/bin/sh/profile 363525 2020-07-25 11:57:39Z pstef $
 #
 # System-wide .profile file for sh(1).
 #
-# Uncomment this to give you the default 4.2 behavior, where disk
-# information is shown in K-Blocks
-# BLOCKSIZE=K; export BLOCKSIZE
-#
 # For the setting of languages and character sets please see
 # login.conf(5) and in particular the charset and lang options.
 # For full locales list check /usr/share/locale/*

configs/etc/rc.conf

@@ -32,13 +32,13 @@ firewall_logif="YES"
 
 # interfaces
 cloned_interfaces_sticky="YES"
-cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10"
+cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10 bridge48"
 
 ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
 ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
 ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
 
-vlans_lagg0="1 2 5 9 10"
+vlans_lagg0="1 2 5 9 10 48"
 
 ipv6_activate_all_interfaces="YES"
 rtsold_enable="YES"
@@ -53,12 +53,15 @@ ifconfig_lagg0_9="inet 192.168.200.10/24"
 ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_10="inet 192.168.10.10/24"
 ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_48="inet 192.168.48.10/24"
+ifconfig_lagg0_48_ipv6="inet6 2001:470:f835::10/64 auto_linklocal accept_rtadv"
 
 ifconfig_bridge1="addm lagg0.1 up"
 ifconfig_bridge2="addm lagg0.2 up"
 ifconfig_bridge5="addm lagg0.5 up"
 ifconfig_bridge9="addm lagg0.9 up"
 ifconfig_bridge10="addm lagg0.10 up"
+ifconfig_bridge48="addm lagg0.48 up"
 
 # adding IP to bridges does not work
 #ifconfig_bridge1="inet 192.168.0.10/24"

configs/pxe/ctl.conf

@@ -1,35 +0,0 @@
-portal-group pg0 {
-	discovery-auth-group no-authentication
-	listen 0.0.0.0
-	listen [::]
-}
-
-target iqn.nas.ahlawat.com:f11 {
-#	auth-group no-authentication
-	portal-group pg0
-    chap user secretsecret
-	lun 0 {
-		path /dev/zvol/ship/raw/FreeBSD11
-		size 128G
-	}
-}
-
-target iqn.nas.ahlawat.com:f12 {
-#	auth-group no-authentication
-	portal-group pg0
-    chap user secretsecret
-	lun 0 {
-		path /dev/zvol/ship/raw/FreeBSD12
-		size 128G
-	}
-}
-
-target iqn.nas.ahlawat.com:f13 {
-#	auth-group no-authentication
-	portal-group pg0
-    chap user secretsecret
-	lun 0 {
-		path /dev/zvol/ship/raw/FreeBSD13
-		size 128G
-	}
-}

configs/usr/local/etc/nut/ups.conf

@@ -119,6 +119,6 @@
 # the -h option and/or read the driver's documentation.
 [ups]
     driver = usbhid-ups
-    port = /dev/ugen0.6
+    port = /dev/ugen0.7
     desc = ""
 pollonly

configs/usr/local/etc/scl.conf

@@ -1,30 +0,0 @@
-#############################################################################
-# Copyright (c) 2010-2014 Balabit
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 as published
-# by the Free Software Foundation, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-# As an additional exemption you are allowed to compile & link against the
-# OpenSSL libraries as published by the OpenSSL project. See the file
-# COPYING for details.
-#
-#############################################################################
-#
-# This file is placed into /etc/syslog-ng in order to make it trivial to
-# include in user written syslog-ng.conf files.  It sets up 'scl-root' and
-# `include-path`, then includes all SCL supplied plugins.
-#
-
-@include 'scl/*/*.conf'
-
-@define java-module-dir "`module-install-dir`/java-modules"

configs/usr/local/etc/syslog-ng.conf

@@ -1,185 +0,0 @@
-@version:3.25
-@include "scl.conf"
-
-#
-# This sample configuration file is essentially equilivent to the stock
-# FreeBSD /etc/syslog.conf file.
-#
-# $FreeBSD: head/sysutils/syslog-ng/files/syslog-ng.conf.sample 340872 2014-01-24 00:14:07Z mat $
-#
-
-#
-# options
-#
-options { chain_hostnames(off); flush_lines(0); threaded(yes); };
-
-#
-# sources
-#
-source src { system();
-	     udp(); internal(); };
-
-#
-# destinations
-#
-destination messages { file("/var/log/messages"); };
-destination security { file("/var/log/security"); };
-destination authlog { file("/var/log/auth.log"); };
-destination maillog { file("/var/log/maillog"); };
-destination lpd-errs { file("/var/log/lpd-errs"); };
-destination xferlog { file("/var/log/xferlog"); };
-destination cron { file("/var/log/cron"); };
-destination debuglog { file("/var/log/debug.log"); };
-destination consolelog { file("/var/log/console.log"); };
-destination all { file("/var/log/all.log"); };
-destination newscrit { file("/var/log/news/news.crit"); };
-destination newserr { file("/var/log/news/news.err"); };
-destination newsnotice { file("/var/log/news/news.notice"); };
-destination slip { file("/var/log/slip.log"); };
-destination ppp { file("/var/log/ppp.log"); };
-destination console { file("/dev/console"); };
-destination allusers { usertty("*"); };
-#destination loghost { udp("loghost" port(514)); };
-
-#
-# log facility filters
-#
-filter f_auth { facility(auth); };
-filter f_authpriv { facility(authpriv); };
-filter f_not_authpriv { not facility(authpriv); };
-#filter f_console { facility(console); };
-filter f_cron { facility(cron); };
-filter f_daemon { facility(daemon); };
-filter f_ftp { facility(ftp); };
-filter f_kern { facility(kern); };
-filter f_lpr { facility(lpr); };
-filter f_mail { facility(mail); };
-filter f_news { facility(news); };
-filter f_security { facility(security); };
-filter f_user { facility(user); };
-filter f_uucp { facility(uucp); };
-filter f_local0 { facility(local0); };
-filter f_local1 { facility(local1); };
-filter f_local2 { facility(local2); };
-filter f_local3 { facility(local3); };
-filter f_local4 { facility(local4); };
-filter f_local5 { facility(local5); };
-filter f_local6 { facility(local6); };
-filter f_local7 { facility(local7); };
-
-#
-# log level filters
-#
-filter f_emerg { level(emerg); };
-filter f_alert { level(alert..emerg); };
-filter f_crit { level(crit..emerg); };
-filter f_err { level(err..emerg); };
-filter f_warning { level(warning..emerg); };
-filter f_notice { level(notice..emerg); };
-filter f_info { level(info..emerg); };
-filter f_debug { level(debug..emerg); };
-filter f_is_debug { level(debug); };
-
-#
-# program filters
-#
-filter f_ppp { program("ppp"); };
-filter f_slip { program("startslip"); };
-
-#
-# *.err;kern.warning;auth.notice;mail.crit		/dev/console
-#
-log { source(src); filter(f_err); destination(console); };
-log { source(src); filter(f_kern); filter(f_warning); destination(console); };
-log { source(src); filter(f_auth); filter(f_notice); destination(console); };
-log { source(src); filter(f_mail); filter(f_crit); destination(console); };
-
-#
-# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
-#
-log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
-log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
-log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
-log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
-log { source(src); filter(f_news); filter(f_err); destination(messages); };
-
-#
-# security.*						/var/log/security
-#
-log { source(src); filter(f_security); destination(security); };
-
-#
-# auth.info;authpriv.info				/var/log/auth.log
-log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
-log { source(src); filter(f_authpriv); filter(f_info); destination(authlog); };
-
-#
-# mail.info						/var/log/maillog
-#
-log { source(src); filter(f_mail); filter(f_info); destination(maillog); };
-
-#
-# lpr.info						/var/log/lpd-errs
-#
-log { source(src); filter(f_lpr); filter(f_info); destination(lpd-errs); };
-
-#
-# ftp.info						/var/log/xferlog
-#
-log { source(src); filter(f_ftp); filter(f_info); destination(xferlog); };
-
-#
-# cron.*						/var/log/cron
-#
-log { source(src); filter(f_cron); destination(cron); };
-
-#
-# *.=debug						/var/log/debug.log
-#
-log { source(src); filter(f_is_debug); destination(debuglog); };
-
-#
-# *.emerg						*
-#
-log { source(src); filter(f_emerg); destination(allusers); };
-
-#
-# uncomment this to log all writes to /dev/console to /var/log/console.log
-# console.info						/var/log/console.log
-#
-#log { source(src); filter(f_console); filter(f_info); destination(consolelog); };
-
-#
-# uncomment this to enable logging of all log messages to /var/log/all.log
-# touch /var/log/all.log and chmod it to mode 600 before it will work
-# *.*							/var/log/all.log
-#
-#log { source(src); destination(all); };
-
-#
-# uncomment this to enable logging to a remote loghost named loghost
-# *.*							@loghost
-#
-#log { source(src); destination(loghost); };
-
-#
-# uncomment these if you're running inn
-# news.crit						/var/log/news/news.crit
-# news.err						/var/log/news/news.err
-# news.notice						/var/log/news/news.notice
-#
-#log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
-#log { source(src); filter(f_news); filter(f_err); destination(newserr); };
-#log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
-
-#
-# !startslip
-# *.*							/var/log/slip.log
-#
-log { source(src); filter(f_slip); destination(slip); };
-
-#
-# !ppp
-# *.*							/var/log/ppp.log
-#
-log { source(src); filter(f_ppp); destination(ppp); };

freebsd_vm/devfs.rules

@@ -0,0 +1,116 @@
+#
+# The following are some default rules for devfs(5) mounts.
+# The format is very simple. Empty lines and lines beginning
+# with a hash '#' are ignored. If the hash mark occurs anywhere
+# other than the beginning of a line, it and any subsequent
+# characters will be ignored.  A line in between brackets '[]'
+# denotes the beginning of a ruleset. In the brackets should
+# be a name for the rule and its ruleset number. Any other lines
+# will be considered to be the 'action' part of a rule
+# passed to the devfs(8) command. These will be passed
+# "as-is" to the devfs(8) command with the exception that
+# any references to other rulesets will be expanded first. These
+# references must include a dollar sign '$' in front of the
+# name to be expanded properly.
+#
+# $FreeBSD: releng/12.1/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
+#
+
+# Very basic and secure ruleset: Hide everything.
+# Used as a basis for other rules.
+#
+[devfsrules_hide_all=1]
+add hide
+
+# Basic devices typically necessary.
+# Requires: devfsrules_hide_all
+#
+[devfsrules_unhide_basic=2]
+add path log unhide
+add path null unhide
+add path zero unhide
+add path crypto unhide
+add path random unhide
+add path urandom unhide
+
+# Devices typically needed to support logged-in users.
+# Requires: devfsrules_hide_all
+#
+[devfsrules_unhide_login=3]
+add path 'ptyp*' unhide
+add path 'ptyq*' unhide
+add path 'ptyr*' unhide
+add path 'ptys*' unhide
+add path 'ptyP*' unhide
+add path 'ptyQ*' unhide
+add path 'ptyR*' unhide
+add path 'ptyS*' unhide
+add path 'ptyl*' unhide
+add path 'ptym*' unhide
+add path 'ptyn*' unhide
+add path 'ptyo*' unhide
+add path 'ptyL*' unhide
+add path 'ptyM*' unhide
+add path 'ptyN*' unhide
+add path 'ptyO*' unhide
+add path 'ttyp*' unhide
+add path 'ttyq*' unhide
+add path 'ttyr*' unhide
+add path 'ttys*' unhide
+add path 'ttyP*' unhide
+add path 'ttyQ*' unhide
+add path 'ttyR*' unhide
+add path 'ttyS*' unhide
+add path 'ttyl*' unhide
+add path 'ttym*' unhide
+add path 'ttyn*' unhide
+add path 'ttyo*' unhide
+add path 'ttyL*' unhide
+add path 'ttyM*' unhide
+add path 'ttyN*' unhide
+add path 'ttyO*' unhide
+add path ptmx unhide
+add path pts unhide
+add path 'pts/*' unhide
+add path fd unhide
+add path 'fd/*' unhide
+add path stdin unhide
+add path stdout unhide
+add path stderr unhide
+
+# Devices usually found in a jail.
+#
+[devfsrules_jail=4]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path fuse unhide
+add path zfs unhide
+
+[usbrules=100]
+add path 'usbctl' mode 660 group uucp
+add path 'usb/*' mode 660 group uucp
+add path 'ttyU*' mode 660 group uucp
+
+[serial_usb_rules=1000]
+add include $devfsrules_jail
+add path 'cuau*' unhide
+add path 'cuaU*' unhide
+add path 'ttyu*' unhide
+add path 'ttyU*' unhide
+add path 'usb*' unhide
+add path 'usb/*' unhide
+
+[devfs_rules_bhyve_jail=2000]
+add include $devfsrules_jail
+add path vmm unhide
+add path vmm/* unhide
+add path vmm.io unhide
+add path vmm.io/* unhide
+add path tap* unhide
+add path zvol/ship/raw/* unhide
+add path nmdm* unhide
+
+[devfs_rules_tun_jail=3000]
+add include $devfsrules_jail
+add path tun* unhide

freebsd_vm/loader.conf

@@ -0,0 +1,4 @@
+boot_serial="NO"
+
+if_tap_load="YES"
+

freebsd_vm/rc.conf

@@ -0,0 +1,99 @@
+hostname="freebsd.ahlawat.com"
+#ifconfig_vtnet0="DHCP"
+#ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
+sshd_enable="YES"
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="AUTO"
+
+
+zfs_enable="YES"
+
+kld_list="nmdm vmm ipfw ipdivert linux64"
+
+# Do not mark to autodetach otherwise ZFS gets very unhappy.
+geli_autodetach="NO"
+
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdir="/var/crash"
+savecore_enable="YES"
+
+# Turbo boost
+performance_cpu_freq="HIGH"
+
+ntpd_sync_on_start="YES"
+ntpd_enable="YES"
+
+powerd_enable="YES"
+powerd_flags="-a hiadaptive -n hiadaptive -m 2500 -M 3300"
+
+smartd_enable="YES"
+#nut_enable="YES"
+
+#dbus_enable="YES"
+
+firewall_enable="YES"
+firewall_type="open"
+firewall_logging="YES"
+firewall_logif="YES"
+
+# interfaces
+cloned_interfaces_sticky="YES"
+cloned_interfaces="bridge1"
+
+ifconfig_vtnet0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
+
+ipv6_activate_all_interfaces="YES"
+rtsold_enable="YES"
+
+ifconfig_vtnet0="inet 192.168.0.83/24"
+ifconfig_vtnet0_ipv6="inet6 fd01::83/64 auto_linklocal accept_rtadv"
+
+ifconfig_bridge1="ether random addm vtnet0 up"
+
+defaultrouter="192.168.0.5"
+ipv6_defaultrouter="fd01::5"
+# interfaces
+
+syslogd_enable="YES"
+syslogd_flags="-C -O rfc5424 -ss"
+
+syslog_ng_enable="NO"
+syslog_ng_config="-u daemon"
+syslog_ng_pid="/var/run/syslog-ng.pid"
+
+sendmail_enable="NO"
+sendmail_outbound_enable="NO"
+sendmail_submit_enable="YES"
+sendmail_msp_queue_enable="YES"
+
+sshd_enable="YES"
+
+iocage_enable="NO"
+
+devfs_system_ruleset="usbrules"
+
+#node_exporter_enable="YES"
+#node_exporter_args=--collector.filesystem.ignored-mount-points="/mnt/iocage*"
+#gstat_exporter_enable="YES"
+
+# modify hard disk cam queues
+cam_tag_enable="YES"
+
+# debian jail
+linux_enable="YES"
+
+nfs_server_enable="YES"
+nfsv4_server_enable="YES"
+nfsuserd_enable="YES"
+
+mountd_enable="YES"
+mountd_flags="-r"
+
+rpcbind_enable="YES"
+rpc_lockd_enable="YES"
+rpc_statd_enable="YES"
+
+tftpd_enable="YES"
+tftpd_flags="-s /mnt/ship/pxe"
+
+ctld_enable="YES"

freebsd_vm/sysctl.conf

@@ -0,0 +1,14 @@
+# $FreeBSD$
+#
+#  This file is read when going to multi-user and its contents piped thru
+#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
+#
+
+# Uncomment this to prevent users from seeing information about processes that
+# are being run under another UID.
+#security.bsd.see_other_uids=0
+
+net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
+net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
+net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
+net.link.bridge.pfil_member=0  # Packet filter on the member interface

jails/config/vm/freebsd.sh

@@ -62,7 +62,7 @@ exit $?
 # (This uses cu() so press ~+Ctrl-D to exit)
 
 #on base system:
-#zfs create -V 32G -o refreservation=none ship/raw/freebsd
+#zfs create -V 16G -o refreservation=none ship/raw/freebsd
 #zfs create -V 16G -o refreservation=none ship/raw/freebsd_1
 #zfs create -V 16G -o refreservation=none ship/raw/freebsd_2
 #zfs create -V 16G -o refreservation=none ship/raw/freebsd_z1

jails/update.sh

@@ -48,6 +48,8 @@ update_jail ()
 }
 
 iocage fetch -U -r 12.2-RELEASE
+etcupdate build current-src.bzip2
+mv current-src.bzip2 /root/FreeBSD/jails/configs/common/
 
 read -p "update pkgp packages first (y/N)? " RESP
 if [ ! -z $RESP ] && [ $RESP == "y" ]; then
@@ -78,7 +80,6 @@ echo "freebsd-update fetch"
 echo "freebsd-update install"
 # echo "pkg bootstrap -f ; pkg update ; pkg upgrade"
 echo "cd /usr/src; svn update; make -j8 buildkernel KERNCONF=diyIT && make -j8 installkernel KERNCONF=diyIT"
-echo "etcupdate build /root/FreeBSD/jails/configs/common/current-src.bzip2"
 echo "reboot"
 echo "pkg-static upgrade -f"
 #echo "rm -rf /var/tmp/temproot*"

pxe/root/create.sh

@@ -0,0 +1,174 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+JAIL=$1
+JAILHOSTNAME=$2
+JAILDOMAIN=$3
+JAILIP=$4
+JAILUSER=$5
+JAILUSERID=$6
+JAILUSERVNC=$7
+
+: "${JAIL:?Need to specify JAIL - first parameter}"
+: "${JAILHOSTNAME:?Need to specify JAILHOSTNAME - second parameter}"
+: "${JAILDOMAIN:?Need to specify JAILDOMAIN - third parameter}"
+: "${JAILIP:?Need to specify JAILIP - fourth parameter}"
+: "${JAILUSER:?Need to specify JAILUSER - fifth parameter - set to X if none required}"
+: "${JAILUSERID:?Need to specify JAILUSERID - sixth parameter - eg. set to 1000 for p OR 2002 for r}"
+: "${JAILUSERVNC:?Need to specify JAILUSERVNC - seventh parameter - set to true to add vnc for jailuser}"
+# user p and r are diyit deployment specific
+
+# there are cases where you may only want an IPv4 jail
+I6CONFIG=true
+
+I4NW="192.168.10"
+I6NW="fd0a"
+I4GW="192.168.10.5"
+I6GW="fd0a::5"
+I4NS="192.168.10.5"
+I6NS="fd0a::5"
+# these IP spaces are diyit deployment specific
+
+echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
+
+# cant install packages during jail creation because ipfw blocks all network traffic
+#echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
+#iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
+#rm /tmp/pkg-$JAIL.json
+
+if $I6CONFIG; then
+	iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
+	# iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
+    # iocage cannot set static IP AND enable SLAAC temporary properly
+    iocage exec $JAIL 'sysrc ifconfig_epair0b_ipv6="inet6 auto_linklocal accept_rtadv"'
+    iocage exec $JAIL "sysrc rtsold_enable=YES"
+    iocage exec $JAIL "echo 'net.inet6.ip6.accept_rtadv=1' >> /etc/sysctl.conf"
+    iocage exec $JAIL "echo 'net.inet6.ip6.use_tempaddr=1' >> /etc/sysctl.conf"
+    iocage exec $JAIL "echo 'net.inet6.ip6.prefer_tempaddr=1' >> /etc/sysctl.conf"
+else
+	iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" defaultrouter=$I4GW resolver="nameserver $I4NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
+fi
+
+iocage exec $JAIL "sysrc firewall_enable=YES"
+iocage exec $JAIL "sysrc firewall_type=open"
+iocage exec $JAIL "sysrc firewall_logif=YES"
+iocage exec $JAIL "service ipfw restart"
+
+# jail is already up at this point so configure IPv6 manually for this run
+iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"
+
+iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
+if $I6CONFIG; then
+	iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
+fi
+
+iocage exec $JAIL "mkdir -p /mnt/certs"
+iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
+iocage exec $JAIL "mkdir -p /mnt/config"
+iocage fstab -a $JAIL /root/FreeBSD/jails/config/$JAIL /mnt/config nullfs rw 0 0
+iocage exec $JAIL "mkdir -p /var/db/freebsd-update/files"
+iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files nullfs rw 0 0
+iocage exec $JAIL "mkdir -p /mnt/common"
+iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
+
+# create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf
+iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"
+iocage exec $JAIL "resolvconf -u"
+
+iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
+iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
+
+iocage exec $JAIL "[ -f /mnt/config/freebsd-update.conf ] && cp /mnt/config/freebsd-update.conf /etc/ || cp /mnt/common/freebsd-update.conf /etc/"
+
+iocage exec $JAIL "env ASSUME_ALWAYS_YES=YES pkg bootstrap"
+iocage exec $JAIL "pkg update -f"
+iocage exec $JAIL "pkg upgrade -y"
+iocage exec $JAIL "pkg install -y bash bash-completion nano"
+
+iocage exec $JAIL "[ -f /mnt/config/nanorc ] && cp /mnt/config/nanorc /usr/local/etc/ || cp /mnt/common/nanorc /usr/local/etc/"
+iocage exec $JAIL "cp -r /mnt/common/nano /usr/local/etc/"
+
+#iocage exec $JAIL "passwd root"
+iocage exec $JAIL "chsh -s /usr/sbin/nologin toor"
+iocage exec $JAIL "pw usermod -n root -s /usr/local/bin/bash -c jail-$JAIL"
+
+iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /root/ || cp /mnt/common/.bash_profile /root/"
+
+iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /root/ || cp /mnt/common/.dir_colors /root/"
+
+iocage exec $JAIL "mkdir /root/.ssh"
+iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /root/.ssh/ || cp /mnt/common/authorized_keys /root/.ssh/"
+iocage exec $JAIL "chmod 600 /root/.ssh/authorized_keys"
+
+iocage exec $JAIL "[ -f /mnt/config/sshd_config ] && cp /mnt/config/sshd_config /etc/ssh/ || cp /mnt/common/sshd_config /etc/ssh/"
+iocage exec $JAIL "sysrc sshd_enable=YES"
+iocage exec $JAIL "/etc/rc.d/sshd start"
+iocage exec $JAIL "service sshd restart"
+
+iocage exec $JAIL "cd /etc/mail ; make"
+iocage exec $JAIL "bash /mnt/common/snip-sendmail.sh"
+iocage exec $JAIL "sysrc sendmail_enable=NO"
+iocage exec $JAIL "sysrc sendmail_outbound_enable=NO"
+iocage exec $JAIL "sysrc sendmail_submit_enable=YES"
+iocage exec $JAIL "sysrc sendmail_msp_queue_enable=YES"
+iocage exec $JAIL "cd /etc/mail ; make all install"
+iocage exec $JAIL "echo 'root: jail-root@$JAILDOMAIN' >> /etc/mail/aliases"
+iocage exec $JAIL "/usr/bin/newaliases"
+iocage exec $JAIL "service sendmail start"
+iocage exec $JAIL "service sendmail restart"
+
+# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
+iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'
+
+if [ "$JAILUSER" != "X" ]; then
+
+	iocage exec $JAIL "pkg install -y sudo"
+
+	iocage exec $JAIL "pw useradd $JAILUSER -u $JAILUSERID -G wheel -m -d /home/$JAILUSER -s /usr/local/bin/bash"
+
+	iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /home/$JAILUSER/ || cp /mnt/common/.bash_profile /home/$JAILUSER/"
+	iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.bash_profile"
+
+	iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /home/$JAILUSER/ || cp /mnt/common/.dir_colors /home/$JAILUSER/"
+	iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.dir_colors"
+
+	iocage exec $JAIL "mkdir /home/$JAILUSER/.ssh"
+	iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /home/$JAILUSER/.ssh/ || cp /mnt/common/authorized_keys /home/$JAILUSER/.ssh/"
+	iocage exec $JAIL "chmod 600 /home/$JAILUSER/.ssh/authorized_keys"
+	iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh"
+
+	iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"
+	echo "set ssh password for $JAILUSER"
+	iocage exec $JAIL "passwd $JAILUSER"
+
+    if $JAILUSERVNC; then
+        iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
+        #firefox and other X apps require dbus
+        iocage exec $JAIL "sysrc dbus_enable=YES"
+        iocage exec $JAIL "service dbus start"
+        iocage exec $JAIL "mkdir -p /home/$JAILUSER/.vnc"
+    	iocage exec $JAIL "[ -f /mnt/config/secret/passwd ] && cp /mnt/config/secret/passwd /home/$JAILUSER/.vnc/ || cp /mnt/common/secret/passwd /home/$JAILUSER/.vnc/"
+    	iocage exec $JAIL "[ -f /mnt/config/xstartup ] && cp /mnt/config/xstartup /home/$JAILUSER/.vnc/ || cp /mnt/common/xstartup /home/$JAILUSER/.vnc/"
+        iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER"
+    	iocage exec $JAIL "[ -f /mnt/config/vncserver ] && cp /mnt/config/vncserver /usr/local/etc/rc.d/vncserver || cp /mnt/common/vncserver /usr/local/etc/rc.d/vncserver"
+        iocage exec $JAIL "chmod 555 /usr/local/etc/rc.d/vncserver"
+        iocage exec $JAIL "sysrc vncserver_enable=YES"
+        iocage exec $JAIL "service vncserver start"
+    fi
+fi
+
+iocage exec $JAIL "pkg clean -y"
+iocage exec $JAIL "tzsetup America/Los_Angeles"
+
+# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
+# iocage exec $JAIL "rmdir /mnt/common"
+
+iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with  $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
+# reverse dns should already be configured for the mail server to accept this email

scripts/cam_tag.sh

@@ -1,4 +1,13 @@
 #!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
 #shrinking the command Native Command Queue down to 1 effectively disabling queuing
 for Disk in `camcontrol devlist | grep "ST8000DM" | cut -d"," -f2 | cut -d")" -f1`;
 do

scripts/fan.py

@@ -1,14 +0,0 @@
-# pkgk install py37-pysnmp
-
-from pysnmp import hlapi
-
-
-def get(target, oids, credentials, port=161, engine=hlapi.SnmpEngine(), context=hlapi.ContextData()):
-    handler = hlapi.getCmd(
-        engine,
-        credentials,
-        hlapi.UdpTransportTarget((target, port)),
-        context,
-        *construct_object_types(oids)
-    )
-    return fetch(handler, 1)[0]

sync-config.sh

@@ -0,0 +1,21 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+diff -ru / configs | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 echo WILL DELETE
+read -p "(y/N)? " RESP
+if [ ! -z $RESP ] && [ $RESP == "y" ]; then
+    diff -ru / configs | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 rm
+fi
+
+diff -ru / configs | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 echo WILL COPY
+read -p "(y/N)? " RESP
+if [ ! -z $RESP ] && [ $RESP == "y" ]; then
+    diff -ru / configs | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 cp
+fi

sync-pxe.sh

@@ -0,0 +1,21 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 echo WILL DELETE
+read -p "(y/N)? " RESP
+if [ ! -z $RESP ] && [ $RESP == "y" ]; then
+    diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "Only in" | sed 's/Only in // ; s/: /\//' | xargs -n1 rm
+fi
+
+diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 echo WILL COPY
+read -p "(y/N)? " RESP
+if [ ! -z $RESP ] && [ $RESP == "y" ]; then
+    diff -ru /mnt/ship/pxe pxe | grep -v "Only in /" | grep "diff -ru" | sed 's/diff -ru//' | xargs -n2 cp
+fi