updated for FreeBSD 12.2

This commit is contained in:
Sharad Ahlawat 2021-02-13 11:38:38 -08:00
parent bd3cffc61a
commit 5cee123a3c
121 changed files with 7315 additions and 624 deletions


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, diyIT.org
Copyright (c) 2018-2021, diyIT.org
All rights reserved.
Redistribution and use in source and binary forms, with or without


@ -1,32 +1,63 @@
;
; Netatalk 3.x configuration file
;
; http://netatalk.sourceforge.net/3.1/htmldocs/afp.conf.5.html
[Global]
; Global server settings
hostname = atm
hosts allow = 192.168.0.0/24,192.168.100.0/24
afp listen = 0.0.0.0
afp listen = ::
mimic model = TimeCapsule6,106
uam list = uams_guest.so uams_dhx2_passwd.so
; locate uam # show all the uam modules
force xattr with sticky bit = yes
zeroconf = yes
afpstats = yes
ldap auth method = simple
;ldap auth dn = cn=admin,dc=infra
;ldap auth pw = notrequired
ldap server = ldap.ahlawat.com
ldap name attr = cn
ldap userbase = ou=people,dc=infra
ldap userscope = one
ldap uuid attr = uidNumber
ldap group attr = cn
ldap groupbase = ou=group,dc=infra
ldap groupscope = one
;ldap uuid attr = gidNumber #this is used both for users and groups.
; You can comment these 2 lines when your setup is working
;log level = default:maxdebug,afpdaemon:maxdebug,logger:maxdebug,uamsdaemon:maxdebug
log file = /var/log/afpd.log
[default_for_all_vol]
cnid scheme = dbd
appledouble = ea
ea = ad
; [Homes]
; basedir regex = /xxxx
; [My AFP Volume]
; path = /path/to/volume
[Sharad Time Machine Volume]
[Sharad]
path = /mnt/sharad
valid users = sharad
time machine = yes
[Rachna Time Machine Volume]
[Rachna]
path = /mnt/rachna
valid users = rachna
time machine = yes
[Nivi Time Machine Volume]
[Nivi]
path = /mnt/nivi
valid users = nivi
time machine = yes
[Rishabh Time Machine Volume]
[Rishabh]
path = /mnt/rishabh
valid users = rishabh
time machine = yes
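Review bot: `ldap uuid attr = uidNumber` is consulted for both user and group UUID lookups (the commented line beneath it says as much), and group entries under `ou=group,dc=infra` normally carry `gidNumber` rather than `uidNumber`, so group UUID resolution is likely to fail unless the directory puts a `uidNumber` on groups too — verify with an afpd group lookup at debug log level. The two `afp listen` lines also read as an override rather than a list: netatalk's config parser appears to keep the last value of a repeated key, so if both lines are on the new side only `::` is in effect; the multi-address form is one line, `afp listen = 0.0.0.0 ::`. Finally `uam list` still loads `uams_guest.so` although every volume is locked to a single `valid users` entry; if guest sessions are not wanted, drop the module so the server refuses guests before volume access control is reached. Which of the `afp listen` lines is old and which is new cannot be told from this rendering.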


@ -0,0 +1,14 @@
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>
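Review bot: The `_device-info` record advertises `model=Xserve`, while afp.conf in this same commit sets `mimic model = TimeCapsule6,106`, so clients will see a different model depending on which advertisement they read. afp.conf also has `zeroconf = yes`, which makes netatalk register `_afpovertcp._tcp` on its own; a static service file for the same type on the same host presumably yields a duplicate or conflicting registration — check with `avahi-browse -a` and keep one source of truth. A comment such as `<!-- static AFP advertisement; keep model in sync with afp.conf "mimic model" -->` would make the coupling visible.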


@ -0,0 +1,15 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE ou=people,dc=infra
URI ldaps://ldap.ahlawat.com:636
ssl start_tls
tls_cacert /mnt/certs/cacert.pem
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
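Review bot: `ssl start_tls` together with `URI ldaps://ldap.ahlawat.com:636` requests StartTLS on a connection that is already TLS from the first byte; the same pairing appears in nslcd.conf (`uri ldaps://ldap.ahlawat.com:636` with `ssl start_tls`) and in the second ldap.conf added later in this commit. Pick one mode per file: `ldaps://…:636` with `ssl on` (nslcd) or no `ssl` line (libldap), or `ldap://…:389` with `ssl start_tls`. Note also that `ssl start_tls` is an nslcd/pam_ldap keyword, not an OpenLDAP ldap.conf(5) one, so if this copy is the libldap client config the line is not recognised and only the ldaps URI provides encryption. A header comment naming the consumer, e.g. `# read by: pam_ldap (PADL dialect)` or `# read by: libldap (OpenLDAP dialect)`, would make the intended dialect reviewable.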


@ -0,0 +1,3 @@
auth required /usr/local/lib/pam_ldap.so try_first_pass
account required /usr/local/lib/pam_ldap.so try_first_pass
session required /usr/local/lib/pam_ldap.so
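Review bot: `try_first_pass` on the `account` line is a no-op — account management does not prompt for a password — so that token can be dropped. Unlike the sshd policy in this commit, this service has no `pam_unix.so` fallback, so an unreachable LDAP server fails every login through it and local accounts cannot use it at all; if that is intended, a comment such as `# LDAP-only service: no local-account fallback by design` should say so. The PAM service name this file belongs to is not shown in the rendering.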

142
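--- /dev/null
+++ b/jails/config/atm/nslcd.conf
@@ -0,0 +1,142 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri ldaps://ldap.ahlawat.com:636
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+# The distinguished name of the search base.
+base ou=people,dc=infra
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+# The default search scope.
+#scope sub
+scope one
+#scope base
+# Customize certain database lookups.
+#base group ou=Groups,dc=example,dc=com
+#base passwd ou=People,dc=example,dc=com
+#base shadow ou=People,dc=example,dc=com
+#scope group onelevel
+#scope hosts sub
+# Bind/connect timelimit.
+#bind_timelimit 30
+# Search timelimit.
+#timelimit 30
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+# Use StartTLS without verifying the server certificate.
+ssl start_tls
+#tls_reqcert never
+# CA certificates for server certificate verification
+tls_cacertdir /mnt/certs
+tls_cacertfile /mnt/certs/cacert.pem
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map passwd uid msSFU30Name
+#map passwd userPassword msSFU30Password
+#map passwd homeDirectory msSFU30HomeDirectory
+#map passwd homeDirectory msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map shadow uid msSFU30Name
+#map shadow userPassword msSFU30Password
+#filter group (objectClass=Group)
+#map group member msSFU30PosixMember
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map passwd uid msSFUName
+#map passwd userPassword msSFUPassword
+#map passwd homeDirectory msSFUHomeDirectory
+#map passwd gecos msSFUName
+#filter shadow (objectClass=User)
+#map shadow uid msSFUName
+#map shadow userPassword msSFUPassword
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=Group)
+#map group member posixMember
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map passwd uid sAMAccountName
+#map passwd homeDirectory unixHomeDirectory
+#map passwd gecos displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map shadow uid sAMAccountName
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=group)
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map passwd uid cn
+#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd homeDirectory "/home/$cn"
+#map passwd gecos displayName
+#map passwd loginShell "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map passwd uid userName
+#map passwd userPassword passwordChar
+#map passwd uidNumber uid
+#map passwd gidNumber gid
+#filter group (objectClass=aixAccessGroup)
+#map group cn groupName
+#map group gidNumber gid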
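Review bot: The comment above `ssl start_tls` ("Use StartTLS without verifying the server certificate") is stale: `tls_reqcert never` is commented out, so the default certificate check stays on and `tls_cacertdir`/`tls_cacertfile` pin the CA — rewrite it as `# Use TLS; verify the server certificate against the CA configured below`. Separately, `base ou=people,dc=infra` with `scope one` is the only search base and no `base group …` override is set, so group lookups (nsswitch.conf in this commit has `group: files ldap`) search only the direct children of ou=people; if groups live under `ou=group,dc=infra` as afp.conf indicates, add `base group ou=group,dc=infra`. The `ssl start_tls` with `ldaps://` pairing is raised on the first ldap.conf in this commit.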


@ -0,0 +1,18 @@
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
#
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files


@ -0,0 +1,17 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE ou=people,dc=infra
URI ldaps://ldap.ahlawat.com:636
ssl start_tls
tls_cacert /mnt/certs/cacert.pem
pam_login_attribute cn
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
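Review bot: `tls_cacert` is the OpenLDAP ldap.conf(5) spelling, while the `pam_login_attribute cn` line shows this copy is read by pam_ldap, whose documented option is `tls_cacertfile` (the form nslcd.conf in this commit uses); as far as I can tell from pam_ldap's option set an unrecognised key is ignored, so the CA pin here may not take effect and server verification would depend on whatever libldap reads from its own ldap.conf. Use `tls_cacertfile /mnt/certs/cacert.pem` here, and confirm by pointing it at a wrong CA and checking that the bind fails. The StartTLS-over-ldaps conflict on the `ssl start_tls` line is raised on the first ldap.conf in this commit.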


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp121: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",

28
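--- /dev/null
+++ b/jails/config/atm/sshd
@@ -0,0 +1,28 @@
+#
+# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
+#
+# PAM configuration for the "sshd" service
+#
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth sufficient /usr/local/lib/pam_ldap.so no_warn
+auth required pam_unix.so no_warn try_first_pass
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
+account required pam_unix.so
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass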
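Review bot: The `account` entry for pam_ldap carries `ignore_authinfo_unavail ignore_unknown_user`, so while the directory is unreachable any account restrictions it holds (expired or disabled accounts) are skipped and the decision falls through to pam_login_access and pam_unix; that is a deliberate availability trade-off and the file should say so, e.g. `# LDAP outage: skip directory account checks rather than lock out local users`. `password required pam_unix.so` is the only password-phase module, so directory users cannot change their password through sshd — fine if intended, but a one-line comment would prevent someone "fixing" it later. The `$FreeBSD: releng/12.1` tag is also left over in a commit titled for 12.2.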


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

1
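--- /dev/null
+++ b/jails/config/cert/backup.sh
@@ -0,0 +1 @@
+cp -r /root/.acme.sh /mnt/config/secret/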
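Review bot: The file is marked executable but has no interpreter line, so it only works when run through an explicit shell; add `#!/bin/sh` and `set -eu` above the copy so a failed copy is reported instead of silently leaving a stale backup. The copy carries ACME account keys and certificate private keys, so prefer `cp -Rp /root/.acme.sh /mnt/config/secret/` (`-R` is the POSIX spelling, `-p` keeps modes and ownership instead of recomputing them from the umask) and confirm that `/mnt/config/secret` itself is not group- or world-readable.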


@ -0,0 +1,77 @@
# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
# change it and explaining why.
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
# Server or server pool from which to fetch updates. You can change
# this to point at a specific server if you want, but in most cases
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org
# Components of the base system which should be kept updated.
#Components src world
Components world
# Example for updating the userland and the kernel source code only:
# Components src/base src/sys world
# Paths which start with anything matching an entry in an IgnorePaths
# statement will be ignored.
IgnorePaths
# Paths which start with anything matching an entry in an IDSIgnorePaths
# statement will be ignored by "freebsd-update IDS".
IDSIgnorePaths /usr/share/man/cat
IDSIgnorePaths /usr/share/man/whatis
IDSIgnorePaths /var/db/locate.database
IDSIgnorePaths /var/log
# Paths which start with anything matching an entry in an UpdateIfUnmodified
# statement will only be updated if the contents of the file have not been
# modified by the user (unless changes are merged; see below).
UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
# When upgrading to a new FreeBSD release, files which match MergeChanges
# will have any local changes merged into the version from the new release.
MergeChanges /etc/ /boot/device.hints
### Default configuration options:
# Directory in which to store downloaded updates and temporary
# files used by FreeBSD Update.
# WorkDir /var/db/freebsd-update
# Destination to send output of "freebsd-update cron" if an error
# occurs or updates have been downloaded.
# MailTo root
# Is FreeBSD Update allowed to create new files?
# AllowAdd yes
# Is FreeBSD Update allowed to delete files?
# AllowDelete yes
# If the user has modified file ownership, permissions, or flags, should
# FreeBSD Update retain this modified metadata when installing a new version
# of that file?
# KeepModifiedMetadata yes
# When upgrading between releases, should the list of Components be
# read strictly (StrictComponents yes) or merely as a list of components
# which *might* be installed of which FreeBSD Update should figure out
# which actually are installed and upgrade those (StrictComponents no)?
# StrictComponents no
# When installing a new kernel perform a backup of the old one first
# so it is possible to boot the old kernel in case of problems.
# BackupKernel yes
# If BackupKernel is enabled, the backup kernel is saved to this
# directory.
# BackupKernelDir /boot/kernel.old
# When backing up a kernel also back up debug symbol files?
# BackupKernelSymbolFiles no


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp121: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -1,6 +1,6 @@
#! /usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,5 +1,5 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# $FreeBSD: releng/12.1/crypto/openssh/sshd_config 338561 2018-09-10 16:20:12Z des $
# $FreeBSD: releng/12.2/crypto/openssh/sshd_config 360313 2020-04-25 15:38:48Z emaste $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@ -105,7 +105,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#VersionAddendum FreeBSD-20180909
#VersionAddendum FreeBSD-20200214
# no default banner path
#Banner none


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,99 +1,13 @@
# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
# This group is read both by the client and the server
# use it for options that affect everything, see
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
#
# MySQL programs look for option files in a set of
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
[client-server]
port = 3306
socket = /var/run/mysql/mysql.sock
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306
socket = /tmp/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
bind-address = *
port = 3306
socket = /tmp/mysql.sock
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (using the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
server-id = 1
# Uncomment the following if you want to log updates
#log-bin=mysql-bin
# binary logging format - mixed recommended
binlog_format=ROW
# Causes updates to non-transactional engines using statement format to be
# written directly to binary log. Before using this option make sure that
# there are no dependencies between transactional and non-transactional
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
# t_innodb; otherwise, slaves may diverge from the master.
#binlog_direct_non_transactional_updates=TRUE
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/db/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql-log
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 250M
#innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 2
#innodb_lock_wait_timeout = 50
innodb_doublewrite = 0
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
log-error = /var/db/mysql-log/error.log
log_bin = /var/db/mysql-log/binlog
relay_log = /var/db/mysql-log/relay-bin
expire_logs_days = 7
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
[mysqlhotcopy]
interactive-timeout
# include *.cnf from the config directory
#
!includedir /usr/local/etc/mysql/conf.d/
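Review bot: `!includedir /usr/local/etc/mysql/conf.d/` makes every `*.cnf` in that directory part of the effective server configuration, so the directory and the files in it need to be root-owned and not writable by the mysql user or its group; MariaDB skips world-writable option files but, as far as I recall, not group-writable ones, so this is worth checking on the jail image. A comment above the directive, `# every *.cnf here is loaded; keep the directory root-owned and 0755`, records the expectation. Which of the surrounding lines are old and which are new cannot be told from this rendering, so this applies if the include is on the new side.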


@ -0,0 +1,99 @@
# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
#
# MySQL programs look for option files in a set of
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306
socket = /tmp/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
bind-address = *
port = 3306
socket = /tmp/mysql.sock
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (using the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
server-id = 1
# Uncomment the following if you want to log updates
#log-bin=mysql-bin
# binary logging format - mixed recommended
binlog_format=ROW
# Causes updates to non-transactional engines using statement format to be
# written directly to binary log. Before using this option make sure that
# there are no dependencies between transactional and non-transactional
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
# t_innodb; otherwise, slaves may diverge from the master.
#binlog_direct_non_transactional_updates=TRUE
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/db/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql-log
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 250M
#innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 2
#innodb_lock_wait_timeout = 50
innodb_doublewrite = 0
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
log-error = /var/db/mysql-log/error.log
log_bin = /var/db/mysql-log/binlog
relay_log = /var/db/mysql-log/relay-bin
expire_logs_days = 7
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
[mysqlhotcopy]
interactive-timeout


@ -0,0 +1,90 @@
# Options specific to server applications, see
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
# Options specific to all server programs
[server]
# Options specific to MariaDB server programs
[server-mariadb]
#
# Options for specific server tools
#
[mysqld]
user = mysql
# port = 3306 # set in /usr/local/etc/mysql/my.cnf
# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
bind-address = *
basedir = /usr/local
datadir = /var/db/mysql
net_retry_count = 16384
# [mysqld] configuration for ZFS
# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
# Create separate datasets for data and logs, eg
# zroot/mysql compression=on recordsize=128k atime=off
# zroot/mysql/data recordsize=16k
# zroot/mysql/logs
datadir = /var/db/mysql
innodb_log_group_home_dir = /var/db/mysql-log
#audit_log_file = /var/db/mysql-log/audit.log
general_log_file = /var/db/mysql-log/general.log
log_bin = /var/db/mysql-log/mysql-bin
relay_log = /var/db/mysql-log/relay-log
slow_query_log_file = /var/db/mysql-log/slow.log
innodb_doublewrite = 0
innodb_flush_method = O_DSYNC
##
log-error = /var/db/mysql-log/error.log
### custom optimizations
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
server-id = 1
binlog_format=ROW
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
innodb_log_file_size = 250M
innodb_flush_log_at_trx_commit = 2
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
expire_logs_days = 7
###
# Options read by `mysqld_safe`
# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
[mariadb_safe]
# Options read my `mariabackup`
[mariabackup]
# Options read by `mysql_upgrade`
# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
[mariadb-upgrade]
# Specific options read by the mariabackup SST method
[sst]
# Options read by `mysqlbinlog`
# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
[mariadb-binlog]
# Options read by `mysqladmin`
# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
[mariadb-admin]
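Review bot: `datadir` is set twice in `[mysqld]` (`/var/db/mysql` next to `basedir` and again in the ZFS block) and `slow_query_log_file` twice; the server takes the last occurrence, so the duplicates are harmless today but invite a silent override later — keep one of each. `innodb_doublewrite = 0` and `innodb_checksum_algorithm = none` switch off InnoDB's torn-page and page-integrity protection; the ZFS dataset notes above are presumably the justification (ZFS provides its own checksums), and that should be stated right next to those two keys, e.g. `# integrity checks delegated to ZFS; unsafe on any other filesystem`, since the file can be reused elsewhere. `bind-address = *` listens on every interface of the jail with no TLS settings in view; if only local clients need TCP, narrow it to that interface.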


@ -36,7 +36,6 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
#
# ----------------------------------- Paths ------------------------------------
#
@ -76,16 +75,17 @@ network.host: _epair0b_
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#discovery.seed_hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#discovery.zen.minimum_master_nodes:
cluster.initial_master_nodes: ["node-1"]
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the zen discovery module documentation.
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
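Review bot: `cluster.initial_master_nodes: ["node-1"]` is uncommented while `discovery.seed_hosts` stays commented, which is a single-node bootstrap; Elasticsearch's cluster-bootstrapping documentation says to remove `cluster.initial_master_nodes` once the cluster has formed, because a node restarted with an empty data path and this setting still present will bootstrap a brand-new cluster instead of refusing to start. Add `# remove after first successful bootstrap (cluster-bootstrapping docs)` above the line or delete it once the node holds cluster state. The value also has to match `node.name`, which is outside this hunk.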

2
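--- /dev/null
+++ b/jails/config/elk/fstab
@@ -0,0 +1,2 @@
+fdesc /dev/fd fdescfs rw,auto 0 0
+proc /proc procfs rw,auto 0 0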


@ -24,8 +24,7 @@ heartbeat.monitors:
- type: http
# List or urls to query
#urls: ["http://localhost:9200"]
urls: ["https://google.com","https://aws.amazon.com"]
urls: ["https://cloud.google.com","https://azure.microsoft.com","https://aws.amazon.com"]
# Configure task schedule
schedule: '@every 10s'
@ -56,46 +55,6 @@ setup.template.settings:
# env: staging
#================================= Paths ======================================
# The home path for the filebeat installation. This is the default base path
# for all other path settings and for miscellaneous files that come with the
# distribution (for example, the sample dashboards).
# If not set by a CLI flag or in the configuration file, the default for the
# home path is the location of the binary.
#path.home:
# The configuration path for the filebeat installation. This is the default
# base path for configuration files, including the main YAML configuration file
# and the Elasticsearch template file. If not set by a CLI flag or in the
# configuration file, the default for the configuration path is the home path.
#path.config: ${path.home}
# The data path for the filebeat installation. This is the default base path
# for all the files in which filebeat needs to store its data. If not set by a
# CLI flag or in the configuration file, the default for the data path is a data
# subdirectory inside the home path.
#path.data: ${path.home}/data
# The logs path for a filebeat installation. This is the default location for
# the Beat's log files. If not set by a CLI flag or in the configuration file,
# the default for the logs path is a logs subdirectory inside the home path.
#path.logs: ${path.home}/logs
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false
#setup.dashboards.enabled: true
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
@ -106,9 +65,7 @@ setup.kibana:
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601"
#host: "https://kibanax.diyit.org:443"
host: "http://kibanax.diyit.org:5601"
host: "http://elk.diyit.org:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
@ -117,7 +74,7 @@ setup.kibana:
#============================= Elastic Cloud ==================================
# These settings simplify using heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
@ -137,36 +94,40 @@ setup.kibana:
# Array of hosts to connect to.
#hosts: ["localhost:9200"]
# Enabled ilm (beta) to use index lifecycle management instead daily indices.
#ilm.enabled: false
# Optional protocol and basic auth credentials.
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["kibanax.diyit.org:5044"]
hosts: ["elk.diyit.org:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
#ssl.certificate_authorities: ["/mnt/certs/cacert.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
#ssl.certificate: "/mnt/certs/diyfullchain.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
#ssl.key: "/mnt/certs/diyprivkeyr.pem"
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_observer_metadata:
# Optional, but recommended geo settings for the location Heartbeat is running in
#geo:
# Token describing this location
#name: us-east-1a
# Lat, Lon "
#location: "37.926868, -78.024902"
#================================ Logging =====================================
@ -178,20 +139,30 @@ processors:
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
logging.to_syslog: true
logging.to_files: false
#============================== Xpack Monitoring ===============================
#============================== X-Pack Monitoring ===============================
# heartbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false
#monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
#================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true
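Review bot: In the Logstash output hunk, `hosts: ["elk.diyit.org:5044"]` is sent in clear text: `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` are all still commented out even though the commit updates them to the `/mnt/certs/…` paths that elasticsearch.yml already uses for its xpack TLS, and the Kibana `host` in the earlier hunk is `http://elk.diyit.org:5601`. If Logstash's beats input is configured for TLS, uncomment those three lines (the enclosing `output.logstash:` block starts inside the hunk); if it is not, a comment such as `# TLS to logstash intentionally off: beats traffic stays on the jail network` records the decision. The remaining hunks in this section are comment and URL updates.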

77
jails/config/elk/jvm.options Executable file

@ -0,0 +1,77 @@
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms4g
-Xmx4g
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:${ES_TMPDIR}/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=${ES_TMPDIR}/gc.log:utctime,pid,tags:filecount=32,filesize=64m
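Review bot: `-XX:HeapDumpPath=data` and `-XX:ErrorFile=logs/hs_err_pid%p.log` are relative paths, so heap dumps and fatal-error logs land wherever the JVM's working directory happens to be when the rc script starts it; the rc.d/elasticsearch script in this same commit creates `/var/db/elasticsearch` and `/var/log/elasticsearch` for service-owned data, which would be the natural absolute targets. A heap dump contains whatever was in memory, including indexed documents and any credentials the node held, so it belongs in a directory owned by the service account with restrictive permissions rather than an unspecified cwd; `-XX:HeapDumpPath=/var/db/elasticsearch` and `-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log` would pin both. The `8-13:` CMS lines will be the active collector on the openjdk11 JAVA_HOME the rc script sets, which is presumably intended but deserves a one-line comment since the G1 block below reads as if G1 is in use.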


@ -25,7 +25,7 @@ server.host: "::"
server.name: "kibana.diyit.org"
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
elasticsearch.hosts: ["https://elk.diyit.org:9200"]
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
@ -53,7 +53,8 @@ server.ssl.certificate: /mnt/certs/diyfullchain.pem
server.ssl.key: /mnt/certs/diyprivkeyr.pem
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
@ -110,4 +111,5 @@ elasticsearch.ssl.verificationMode: full
#ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"
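Review bot: `elasticsearch.hosts` now points at `https://elk.diyit.org:9200`, and the context line `elasticsearch.ssl.verificationMode: full` means Kibana will check that the Elasticsearch certificate's subject or SAN matches that hostname, not merely that it chains to the CA. Confirm the certificate served on elk.diyit.org carries that name, since a mismatch fails closed at startup. The same host swap appears in the logstash pipeline output and logstash.yml monitoring sections below, so all three share this dependency.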


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -10,6 +10,7 @@ input {
beats {
port => 5044
ssl => false
#https://discuss.elastic.co/t/problem-with-cipher-in-beat-input/67841
ssl_key => '/mnt/certs/diyprivkeyr.pem'
ssl_certificate => '/mnt/certs/diyfullchain.pem'
ssl_certificate_authorities => ["/mnt/certs/cacert.pem"]
@ -22,7 +23,7 @@ output {
ssl => true
ssl_certificate_verification => true
cacert => '/mnt/certs/cacert.pem'
hosts => ["https://kibanax.diyit.org:9200"]
hosts => ["https://elk.diyit.org:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
user => "elastic"
password => "${es_pwd}"
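Review bot: With `ssl => false` on the `beats` input, the `ssl_key`, `ssl_certificate` and `ssl_certificate_authorities` lines directly below it are inert, so port 5044 accepts plaintext Beats traffic and the log data crosses the network unencrypted and unauthenticated; the added comment only links to the cipher thread that presumably motivated turning TLS off. If a cipher mismatch is what blocked TLS, the fix is to re-enable `ssl => true` and pin the input's cipher-suite and TLS-version settings to what the shipping beats support, or at minimum restrict 5044 to the beats hosts at the firewall. A short comment stating that TLS is intentionally disabled and why would help the next reader, because the certificate lines suggest the opposite. The enclosing `input { beats { ... } }` block starts outside the hunk.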


@ -16,7 +16,6 @@
#
# Use a descriptive name for the node:
#
# node.name: test
node.name: logstash
#
# If omitted the node name will default to the machine's host name
@ -26,7 +25,6 @@ node.name: logstash
# Which directory should be used by logstash and its plugins
# for any persistent needs. Defaults to LOGSTASH_HOME/data
#
# path.data:
path.data: /var/db/logstash
#
# ------------ Pipeline Settings --------------
@ -40,7 +38,7 @@ path.data: /var/db/logstash
#
# This defaults to the number of the host's CPU cores.
#
pipeline.workers: 8
pipeline.workers: 4
#
# How many events to retrieve from inputs before sending to filters+workers
#
@ -207,7 +205,6 @@ path.config: /usr/local/etc/logstash/logstash.conf
# * trace
#
# log.level: info
#log.level: debug
# path.logs:
#
# ------------ Other Settings --------------
@ -215,17 +212,24 @@ path.config: /usr/local/etc/logstash/logstash.conf
# Where to find custom plugins
# path.plugins: []
#
# Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
# Default is false
# pipeline.separate_logs: false
#
# ------------ X-Pack Settings (not applicable for OSS build)--------------
#
# X-Pack Monitoring
# https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
xpack.monitoring.enabled: true
xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: a746MPWa1AVieOJlDtM2
xpack.monitoring.elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
xpack.monitoring.elasticsearch.hosts: ["https://elk.diyit.org:9200"]
#xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.pem"
#xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file
# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
#xpack.monitoring.elasticsearch.cloud_id: monitoring_cluster_id:xxxxxxxxxx
#xpack.monitoring.elasticsearch.cloud_auth: logstash_system:password
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.crt"
#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
#xpack.monitoring.elasticsearch.ssl.truststore.password: password
#xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
#xpack.monitoring.elasticsearch.ssl.keystore.password: password
@ -241,6 +245,9 @@ xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
#xpack.management.elasticsearch.username: logstash_admin_user
#xpack.management.elasticsearch.password: password
#xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
#xpack.management.elasticsearch.cloud_id: management_cluster_id:xxxxxxxxxx
#xpack.management.elasticsearch.cloud_auth: logstash_admin_user:password
#xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
#xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
#xpack.management.elasticsearch.ssl.truststore.password: password
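Review bot: A literal credential sits on the `xpack.monitoring.elasticsearch.password:` line of a committed file, while the pipeline config in this same commit already reads `${es_pwd}` from the Logstash keystore; the monitoring password should move there too (`xpack.monitoring.elasticsearch.password: "${ES_MONITORING_PWD}"` with a constructed key name of your choosing, added via `logstash-keystore add`) and the exposed value rotated, since disabling monitoring does not unpublish it. Separately, the section now shows `certificate_authority` with two different file names, `/mnt/certs/cacert.pem` and `/mnt/certs/cacert.crt`; I cannot tell from the rendering which survives, but if the `.crt` line is the new one it does not match the `cacert.pem` that the kibana config, the pipeline output and the cert-copy script in this commit all use, and with `xpack.monitoring.enabled: false` the mismatch would stay hidden until monitoring is switched back on.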


@ -0,0 +1,130 @@
#!/bin/sh
#
# $FreeBSD: head/textproc/elasticsearch7/files/elasticsearch.in 538703 2020-06-13 22:41:04Z glewis $
#
# PROVIDE: elasticsearch
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON
# KEYWORD: shutdown
#
# Add the following line to /etc/rc.conf to enable elasticsearch:
#
# elasticsearch_enable="YES"
#
# elasticsearch_user (username): Set to elasticsearch by default.
# Set it to required username.
# elasticsearch_group (group): Set to elasticsearch by default.
# Set it to required group.
# elasticsearch_config (path): Set to /usr/local/etc/elasticsearch/elasticsearch.yml by default.
# Set it to the config file location.
# elasticsearch_java_home (path): Set to /usr/local/openjdk8 by default.
# Set it to the root of the JDK to use.
#
. /etc/rc.subr
name=elasticsearch
rcvar=elasticsearch_enable
load_rc_config ${name}
: ${elasticsearch_enable:=NO}
: ${elasticsearch_user=elasticsearch}
: ${elasticsearch_group=elasticsearch}
: ${elasticsearch_config=/usr/local/etc/elasticsearch}
: ${elasticsearch_login_class=root}
: ${elasticsearch_java_home="/usr/local/openjdk11"}
required_files="${elasticsearch_config}/elasticsearch.yml"
_pidprefix=/var/run/elasticsearch/elasticsearch
pidfile=${_pidprefix}.pid
procname=${elasticsearch_java_home}/bin/java
extra_commands="console status"
console_cmd=elasticsearch_console
start_precmd=elasticsearch_precmd
command=/usr/local/lib/elasticsearch/bin/elasticsearch
command_args="-d --pidfile=${pidfile}"
export ES_PATH_CONF=${elasticsearch_config}
export JAVA_HOME=${elasticsearch_java_home}
elasticsearch_precmd()
{
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 ${pidfile%/*}
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/db/elasticsearch
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/log/elasticsearch
}
elasticsearch_console()
{
command_args=""
run_rc_command "start"
}
if [ -n "$2" ]; then
profile="$2"
if [ "x${elasticsearch_profiles}" != "x" ]; then
eval elasticsearch_config="\${elasticsearch_${profile}_config:-}"
if [ "x${elasticsearch_config}" = "x" ]; then
echo "You must define a configuration (elasticsearch_${profile}_config)"
exit 1
fi
export ES_PATH_CONF=${elasticsearch_config}
required_files="${elasticsearch_config}/elasticsearch.yml"
required_files="${elasticsearch_config}/jvm.options"
eval elasticsearch_enable="\${elasticsearch_${profile}_enable:-${elasticsearch_enable}}"
pidfile="${_pidprefix}.${profile}.pid"
command_args="-d --pidfile=${pidfile}"
echo "===> elasticsearch profile: ${profile}"
else
echo "$0: extra argument ignored"
fi
else
if [ "x${elasticsearch_profiles}" != "x" -a "x$1" != "x" ]; then
for profile in ${elasticsearch_profiles}; do
eval _enable="\${elasticsearch_${profile}_enable}"
case "x${_enable:-${elasticsearch_enable}}" in
x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
continue
;;
x[Yy][Ee][Ss])
;;
*)
if test -z "$_enable"; then
_var=elasticsearch_enable
else
_var=elasticsearch_"${profile}"_enable
fi
echo "Bad value" \
"'${_enable:-${elasticsearch_enable}}'" \
"for ${_var}. " \
"Profile ${profile} skipped."
continue
;;
esac
/usr/local/etc/rc.d/elasticsearch $1 ${profile}
retcode="$?"
if [ "0${retcode}" -ne 0 ]; then
failed="${profile} (${retcode}) ${failed:-}"
else
success="${profile} ${success:-}"
fi
done
exit 0
fi
fi
if [ "x${elasticsearch_mem_min}" != "x" ]; then
echo "The elasticsearch_mem_min variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
exit 1;
fi
if [ "x${elasticsearch_mem_max}" != "x" ]; then
echo "The elasticsearch_mem_max variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
exit 1;
fi
if [ "x${elasticsearch_props}" != "x" ]; then
echo "The elasticsearch_props variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
exit 1;
fi
run_rc_command "$1"
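Review bot: In the profile branch `required_files` is assigned twice in a row (`required_files="${elasticsearch_config}/elasticsearch.yml"` then `required_files="${elasticsearch_config}/jvm.options"`), so the second assignment discards the first and a profile with a missing `elasticsearch.yml` is no longer refused before start; join them as `required_files="${elasticsearch_config}/elasticsearch.yml ${elasticsearch_config}/jvm.options"`. The header comment also still says `elasticsearch_java_home` defaults to `/usr/local/openjdk8` while the script sets `/usr/local/openjdk11`; the `rc.d/logstash` header below carries the same stale openjdk8 default.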

121
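--- a/jails/config/elk/rc.d/logstash
+++ b/jails/config/elk/rc.d/logstash
@@ -0,0 +1,121 @@
+#!/bin/sh
+# Configuration settings for logstash in /etc/rc.conf:
+#
+# PROVIDE: logstash
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+#
+# logstash_enable (bool):
+# Default value: "NO"
+# Flag that determines whether Logstash is enabled.
+#
+# logstash_home (string):
+# Default value: "/usr/local/logstash"
+# Logstash installation directory.
+#
+# logstash_config (string):
+# Default value: /usr/local/etc/${name}
+# Logstash configuration path.
+#
+# logstash_log (bool):
+# Set to "NO" by default.
+# Set it to "YES" to enable logstash logging to file
+# Default output to /var/log/logstash.log
+#
+# logstash_log_file (string):
+# Default value: "${logdir}/${name}.log"
+# Log file path.
+#
+# logstash_java_home (string):
+# Default value: "/usr/local/openjdk8"
+# Root directory of the desired Java SDK.
+# The JAVA_HOME environment variable is set with the contents of this
+# variable.
+#
+# logstash_java_opts (string):
+# Default value: ""
+# Options to pass to the Java Virtual Machine.
+# The JAVA_OPTS environment variable is set with the contents of this
+# variable.
+#
+# logstash_opts (string):
+# Default value: ""
+# Additional command line flags for logstash, eg. "-r"
+#
+. /etc/rc.subr
+name=logstash
+rcvar=logstash_enable
+load_rc_config ${name}
+logdir="/var/log"
+: ${logstash_enable="NO"}
+: ${logstash_user="logstash"}
+: ${logstash_group="logstash"}
+: ${logstash_home="/usr/local/logstash"}
+: ${logstash_config="/usr/local/etc/logstash"}
+: ${logstash_log="YES"}
+: ${logstash_log_dir="${logdir}/${name}"}
+: ${logstash_java_home="/usr/local/openjdk11"}
+: ${logstash_java_opts=""}
+: ${logstash_opts=""}
+pidfile=/var/run/${name}/${name}.pid
+extra_commands="configtest reload"
+start_precmd="logstash_precmd"
+configtest_cmd=configtest
+logstash_cmd="${logstash_home}/bin/logstash"
+procname="${logstash_java_home}/bin/java"
+logstash_chdir=${logstash_home}
+logstash_log_options=""
+if checkyesno logstash_log; then
+logstash_log_options=" -l ${logstash_log_dir}"
+fi
+logstash_args="--path.settings ${logstash_config} ${logstash_log_options} ${logstash_opts}"
+JAVA_OPTS="${logstash_java_opts}"
+JAVA_HOME="${logstash_java_home}"
+export JAVA_OPTS
+export JAVA_HOME
+command="/usr/sbin/daemon"
+command_args="-f -p ${pidfile} ${logstash_cmd} ${logstash_args}"
+required_files="${logstash_home} ${logstash_java_home} ${logstash_cmd} ${logstash_config}"
+# Include /usr/local/bin in path because Logstash startup scripts
+# assume bash is in path.
+PATH=/usr/local/bin:$PATH
+logstash_precmd()
+{
+/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${pidfile%/*}
+/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${logstash_log_dir}
+/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/db/logstash
+/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/run/logstash
+if [ -d ${logstash_home}/data/queue ]; then
+chown ${logstash_user}:${logstash_group} ${logstash_home}/data/queue
+fi
+}
+configtest()
+{
+echo "${name} configtest:"
+echo "WARNING: this does not check validity of Grok patterns!"
+echo "WARNING: this does not check validity of Grok patterns!"
+echo "WARNING: this does not check validity of Grok patterns!"
+${logstash_cmd} --path.settings ${logstash_config} --config.test_and_exit
+}
+run_rc_command "$1"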
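Review bot: The header comment documents `logstash_log_file` and a `logstash_log` default of `"NO"`, but the script reads `logstash_log_dir` (default `${logdir}/${name}`, passed as `-l`) and sets `logstash_log="YES"`, so an operator following the comment would set a variable nothing reads. Replace the `logstash_log_file` paragraph with `# logstash_log_dir (string): Default value: "${logdir}/${name}" - directory passed to logstash -l`, change the `logstash_log` default in the comment to `"YES"`, and change the documented `logstash_java_home` default to `/usr/local/openjdk11` to match `: ${logstash_java_home="/usr/local/openjdk11"}`.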


@ -0,0 +1,7 @@
ps axww | grep logstash
echo press any key to continue - ctrl-c to abort
read X
mount proc
service logstash start
#/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
ps axww | grep logstash


@ -0,0 +1,3 @@
cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs
cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs
service elasticsearch restart
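Review bot: `cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs` copies the private key (`diyprivkeyr.pem`, per the kibana and logstash configs above) with whatever mode the source has, and nothing restricts it to the service account before the node is restarted with it. Add `chown -R elasticsearch:elasticsearch /usr/local/etc/elasticsearch/certs` and `chmod 640 /usr/local/etc/elasticsearch/certs/*.pem` between the copies and `service elasticsearch restart`, and consider a `set -e` first line so a failed copy does not restart the node on stale certificates. The `elasticsearch` account name is the default the rc.d script in this commit uses.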


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, diyIT.org
Copyright (c) 2018-2021, diyIT.org
All rights reserved.
Redistribution and use in source and binary forms, with or without


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, diyIT.org
Copyright (c) 2018-2021, diyIT.org
All rights reserved.
Redistribution and use in source and binary forms, with or without


@ -0,0 +1,12 @@
unbind C-b
set -g prefix C-a
bind C-a send-prefix
setw -g mouse on
# Set the default terminal mode to 256color mode
set -g default-terminal "xterm-256color"
# enable activity alerts
setw -g monitor-activity on
set -g visual-activity on

15
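--- a/jails/config/hass/hass.sh
+++ b/jails/config/hass/hass.sh
@@ -0,0 +1,15 @@
+#!/usr/local/bin/bash
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+# ./hass.sh under tmux
+cd /data/homeassistant/
+source bin/activate
+hass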
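Review bot: `cd /data/homeassistant/` has no failure check, so if the directory is missing `source bin/activate` fails and `hass` is launched from the current directory with the system Python rather than the venv; `cd /data/homeassistant/ || exit 1` keeps the later lines from running in the wrong place. `source bin/activate` only works because the shebang is bash, which is worth stating in the header comment since the sibling scripts in this commit use `/bin/sh`.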

15
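--- a/jails/config/hass/heyu.sh
+++ b/jails/config/hass/heyu.sh
@@ -0,0 +1,15 @@
+#!/usr/local/bin/bash
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+# ./hass.sh under tmux
+heyu start
+heyu info
+heyu monitor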
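Review bot: The comment `# ./hass.sh under tmux` was carried over from hass.sh; this file is heyu.sh, so it should read `# ./heyu.sh under tmux`. The three `heyu` commands run without error handling, so a failed `heyu start` still proceeds to `heyu monitor` and the tmux window shows a monitor with no engine behind it; `heyu start || exit 1` would surface the failure instead.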


@ -0,0 +1,4 @@
# requrired to run other configured scripts
/bin/sh /etc/rc
# launch tmux with jails
/mnt/config/startsessions.sh
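Review bot: The first comment has a typo, `requrired`; `# required to run other configured scripts`. The file has no shebang, so whether `/bin/sh /etc/rc` and `/mnt/config/startsessions.sh` run under `sh` or something else depends on how this file is invoked; a first-line `#!/bin/sh` would make that explicit and match the rest of the commit.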


@ -0,0 +1,31 @@
#!/bin/sh
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
session="sess_tmux"
# set up tmux
tmux start-server
# create a new tmux session, naming the window freepbx
tmux new-session -d -s $session -n hass
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./hass.sh" C-m
# create a new window windows
tmux new-window -t $session:1 -n heyu
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./heyu.sh" C-m
# return to main window
tmux select-window -t $session:0
tmux selectp -t 1
# Finished setup, attach to the tmux session!
#tmux attach-session -t $session
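Review bot: The comment `# create a new tmux session, naming the window freepbx` does not match the command under it, which names the window `hass` (`-n hass`); change it to `# create a new tmux session, naming the window hass`. `tmux selectp -t 1` follows a fresh `new-session` and `new-window`, each of which presumably has a single pane indexed 0, so the select either fails or is a no-op; either drop those lines or add a comment explaining the intended pane layout.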

264
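--- a/jails/config/hass/x10.conf
+++ b/jails/config/hass/x10.conf
@@ -0,0 +1,264 @@
+# Example Heyu configuration file. Copy this to file 'x10config' in
+# directory $HOME/.heyu/ and modify as required. This example uses
+# features which are new to heyu version 2
+# and which will not be recognized by heyu version 1.xx.
+# Note: This example file describes only a few of the most commom
+# configuration directives. For the complete list see man page
+# x10config(5).
+# Anything on a line between a '#' character and the end of the line is
+# treated as a comment and ignored by Heyu, as are blank lines.
+# The various configuration directives in this file can be in any order
+# except that ALIAS directives must appear before any other directive
+# which references the alias label in place of a housecode|unit address.
+# See 'man x10config' for additional information and directives.
+# Serial port to which the CM11a is connected. Default is /dev/ttyS0.
+tty /dev/ttyU1
+check_ri_line NO
+# If you have an X10 compatible RF receiver connected to a second
+# serial port, use the TTY_AUX directive to specify the serial port
+# and model of receiver. Supported receivers are W800RF32, MR26A,
+# and RFXCOM. There are no defaults.
+tty_aux /dev/ttyU0 MR26A
+# The CM19A is both a receiver and transmitter for X10 RF signals.
+# The MR26A is a receiver only.
+# The CM19A is USB and the MR26A is serial port
+# Base housecode. The default is A.
+#housecode A
+# Aliases:
+# Format: ALIAS Label Housecode|Unitcode_string [Module_Type]
+# The label is limited to 32 characters in length and is case-sensitive,
+# e.g., Front_Porch and front_porch are treated as different labels.
+# Each alias may reference a single unitcode or a multiple unitcode
+# string (no embedded blanks), but is limited to one housecode.
+# The optional Module_Type is the general type or specific model number
+# of a module currently supported by Heyu. (Knowing the characteristics
+# of a module allows Heyu to track changes in its On/Off/Dim state
+# as X10 signals are sent or received.) The most commonly used modules
+# are the standard X10 lamp module (StdLM) and standard X10 appliance
+# module (StdAM). Other modules currently supported by Heyu are listed
+# in x10config(5). A standard X10 lamp module (StdLM) is the
+# default (changeable with the DEFAULT_MODULE directive)
+# for housecode|units which are not defined in an alias directive.
+# A module_type should normally not be defined for mutiple-unit
+# aliases, just for the single-unit aliases. (The module characteristics
+# are associated with the housecode|unit, however referenced.)
+# Some examples:
+# Note: Prior versions of Heyu used a different format for
+# aliases - no ALIAS directive and the Housecode and Unitcode_string
+# were separated by a space, e.g., simply:
+# front_porch A 1
+# Heyu will continue to accept this older format for compatibility,
+# but its use is discouraged as modules cannot be specified.
+# Scenes and Usersyns (User-defined synonyms):
+# Format: SCENE Label Command1 <args> [; Command2 <args> [; ...
+# Format: USERSYN Label Command1 <args> [; Command2 <args> [; ...
+# The label is limited to 32 characters and is case-sensitive.
+# Scenes and Usersyns are both semicolon-separated lists of
+# commands with their arguments which can be executed or used
+# in macros as if their labels were ordinary Heyu commands.
+# See 'man x10config' for the features and limitations of Scenes
+# and Usersyns.
+# (In the current version of heyu, the ONLY distinction between
+# scenes and usersyns is the 'show' menus in which they appear.)
+# Some examples:
+SCENE blinker on D5; off D5; on D5; off D5
+#USERSYN normal_lights on front_porch; on back_porch
+#SCENE tv_on on tv_set; dimb living_room 10
+# parameters, e.g., $1, $2, which are replaced by actual
+# parameters supplied when the scene/usersyn is run.
+#USERSYN night_lights dimb front_porch $1; dimb back_porch $1
+# Define the (writeable) directory where the Heyu state engine daemon
+# (started with 'heyu engine') is to write its log file 'heyu.log.<tty>'.
+# The default is 'NONE', indicating no log file is to be written.
+log_dir /usr/local/etc/heyu/log
+# The entries in the log file are similar to those which appear in
+# the heyu monitor, but in addition will include an entry when
+# a script is launched, and unless redirected elsewhere, any
+# text output from that script.
+# Note that the log file will continue to grow. Manually delete
+# or trim it from time to time, or configure a Unix utility like
+# 'logrotate' to manage this task automatically.
+# If the Heyu state engine is running, Heyu can launch scripts
+# (or any Unix commands) when it sees specified X10 signals.
+# The format is:
+#SCRIPT [ -l label ] <launch conditions> :: [options] <command line>
+# where label is an optional label, <launch conditions> tell
+# Heyu under what conditions to launch the script, and
+# <command line> is the script command to be executed.
+# The '::' (two colons) separator is mandatory since the launch
+# conditions can be quite complex.
+# See x10scripts(5) for details, but here's a simple example
+# (with no label):
+#SCRIPT doorbell on :: play $HOME/sounds/barking_dog.wav
+# Users have the option of running either 'heyuhelper' in a manner
+# similar to heyu 1.35 or general scripts as above with the
+# following directive. The default is SCRIPTS, to run general scripts.
+#script_mode SCRIPTS
+# (With the choice 'HEYUHELPER', a script named 'heyuhelper' on
+# the user's path is run every time any X10 signal is received
+# by heyu over the power line, assuming the heyu state engine
+# daemon is running.)
+### The following directives apply when a schedule is ###
+### is uploaded to the CM11A interface. ###
+# The file name of the user's X10 schedule file in the Heyu base
+# directory. The default is 'x10.sched'. If you regularly use
+# more than one, list them here and just comment/uncomment as
+# appropriate, e.g.,
+#schedule_file x10.sched
+#schedule_file normal.sched
+#schedule_file vacation.sched
+# The MODE directive - Heyu's two modes of operation:
+# In the default COMPATIBLE mode, the schedule uploaded to the
+# interface is configured to begin on Jan 1st of the current
+# year and # is valid for 366 days - through Dec 31st of the
+# current # year or Jan 1st of the following year, depending
+# whether # the current year is a leap or common year.
+# COMPATIBLE mode is the default.
+# In HEYU mode the schedule uploaded to the interface is
+# configured to begin on today's date and is valid for
+# the number days of provided by the PROGRAM_DAYS directive.
+# WARNING: The mere execution of X10's ActiveHome(tm) program
+# under MS-Windows, or having its resident driver running, when
+# the interface has been programmed by Heyu in HEYU mode can
+# cause problems. See 'man x10config' for details.
+#mode COMPATIBLE
+# Number of days for which the interface is to be programmed
+# when running in HEYU mode. It is ignored in COMPATIBLE mode.
+# (A shorter period can yield more accurate values for dawn
+# and dusk.) The default is 366 days.
+#program_days 366
+# Should Heyu combine events having the same date range, time, etc.,
+# by concatenating the macros for similar events? The default is YES.
+#combine_events YES
+# Should Heyu compress uploaded macros by combining unit codes for the same
+#housecode and command and eliminating duplicates? E.g.,
+# (on A1; on B2; on A3, on B2) ==> (on A1,3; on B2)
+# The default is NO
+#compress_macros NO
+# The user's Longitude and Latitude, needed for dawn/dusk calculations.
+# There are no defaults. Don't use these examples - put in values
+# for your own location.
+longitude W121:46
+latitude N37:16
+# For dawn/dusk related times, Heyu breaks up the schedule date intervals
+# into subintervals, each with a constant value of dawn or dusk time.
+# These directives instruct Heyu what value of dawn/dusk time to use.
+# The default value is FIRST, i.e., that on the first day of the subinterval,
+# which is most convenient for comparing Heyu's computations with actual.
+#dawn_option FIRST
+#dusk_option FIRST
+# The following times allow bounds to be placed on the times of Dawn
+# and Dusk computed by Heyu. For example, setting the value for
+#min_dawn to 06:30 will ensure that an event scheduled to be
+# executed at Dawn will occur at 06:30 during summer hours whenever
+# the actual computed value of Dawn is earlier than that time.
+# The value for these directives are specified as hh:mm Legal
+# (i.e., wall-clock) time, or the directives may be disabled with
+# the word OFF, which is the default.
+# Timer options DAWNLT, DAWNGT, DUSKLT, DUSKGT used in the Heyu
+# schedule file will usually eliminate the need for these directives.
+# See man page x10sched(5) for details.
+#min_dawn OFF
+#max_dawn OFF
+#min_dusk OFF
+#max_dusk OFF
+# Directory to write reports and files other than the critical files
+# The default is to write them in the Heyu base directory.
+#report_path ./
+# Replace events having delayed macros with new events and new
+# undelayed macros when possible. (The purpose is to avoid pending
+# delayed macros, which are purged when a new schedule is uploaded.)
+# The default is YES.
+#repl_delayed_macros YES
+# For test purposes, Heyu can write some additional files when
+# the command 'heyu upload check' is executed. This directive
+# instructs Heyu to write these files. The default is NO.
+#write_check_files NO
+START_ENGINE AUTO
+alias Kitchen D1 StdLM
+alias Family_Room D2 StdLM
+alias Hallway D3 StdLM
+alias Kitchen_Table D4 StdLM
+alias Stairway D5 StdLM
+alias Study D6 StdLM
+alias Dining D7 StdLM
+alias Bonus_Room D8 StdLM
+alias Living_Room_L0 D9 StdLM
+alias Front_Door D10 StdLM
+alias Living_Room_L1 D11 StdLM
+alias Living_Room_L2 D12 StdLM
+alias Piano_Room_L1 D13 StdLM
+alias Piano_Room_L2 D14 StdLM
+alias Family_Room_L0 D15 StdLM
+alias Chime G1 StdAM
+alias Main_Garage G2 StdAM
+alias Side_Garage G3 StdAM
+alias Front_Yard G13 StdLM
+alias Back_Yard G14 StdLM
+alias Plants_front_house I1 RAIN8II
+alias Plants_front_road I2 RAIN8II
+alias Lawn_front_road I3 RAIN8II
+alias Lawn_front_garage I4 RAIN8II
+alias Lawn_back_pool I5 RAIN8II
+alias Lawn_back_house I6 RAIN8II
+alias Plants_back_garage I7 RAIN8II
+alias Plants_back_road I8 RAIN8II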


@ -0,0 +1,23 @@
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="epair0b" # interface name of NIC attached to Internet
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
$cmd 05000 reset ip from table(22) to me
$cmd 65000 allow ip from any to any
$cmd 65535 deny ip from any to any
# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
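Review bot: `pif="epair0b"` is assigned but never referenced by any rule, so either interface-bound rules were lost or the variable should be removed. Rule `65000 allow ip from any to any` sits before the final deny, so in effect the ruleset is allow-everything apart from loopback anti-spoofing and the `table(22)` reset; if that is the intent (a jail firewall whose only job is the sshguard block list), a comment above rule 65000 saying so would stop the next reader from assuming a default-deny policy. `reset ip from table(22) to me` depends on table 22, which is the table the `sshg-fw-ipfw` backend selected in the sshguard.conf below feeds, so a cross-reference comment in each file would document the coupling.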


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp121: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -0,0 +1,54 @@
#!/bin/sh
# sshguard.conf -- SSHGuard configuration
# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.
#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
#BACKEND="/usr/local/libexec/sshg-fw-hosts"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"
# Space-separated list of log files to monitor. (optional, no default)
#FILES="/var/log/auth.log /var/log/maillog"
FILES="/var/log/auth.log"
# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30
# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120
# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800
# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=128
# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=32
#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!
# Full path to PID file (optional, no default)
#PID_FILE=/var/run/sshguard.pid
# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
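Review bot: `BLACKLIST_FILE` and `WHITELIST_FILE` are both left commented out, so blocks presumably live only in memory and are forgotten on every restart, and nothing prevents an administrator's own host from being blocked after a few mistyped passwords; enabling `WHITELIST_FILE=/usr/local/etc/sshguard.whitelist` with the management network listed is the usual first step, with `BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db` if persistent blocks are wanted. `BACKEND="/usr/local/libexec/sshg-fw-ipfw"` populates ipfw table 22, which the ipfw script above resets from, so the two files depend on each other and each should say so in a comment.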


@ -0,0 +1 @@
Í•it†Í­®


@ -0,0 +1,44 @@
#!/bin/sh
# the two lines below are not just comments but required by rcorder; service -e
# PROVIDE: vncserver
# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
. /etc/rc.subr
: ${vncserver_enable="NO"}
: ${vncserver_user="p"}
: ${vncserver_geometry="1600x900"}
: ${vncserver_display="1"}
: ${vncserver_securitytypes="vncauth"}
# : ${vncserver_securitytypes="vencrypt,vncauth,tlsvnc"}
# encryption incompatible with clients - vncconnect-realvnc and guacd
name=vncserver
rcvar=vncserver_enable
VNCSERVER="/usr/local/bin/vncserver"
start_cmd="vncserver_start"
stop_cmd="vncserver_stop"
restart_cmd="vncserver_restart"
vncserver_start()
{
CMD="$VNCSERVER -geometry ${vncserver_geometry} -name $(hostname -s) -securitytypes ${vncserver_securitytypes} :${vncserver_display}"
su -l ${vncserver_user} -c "${CMD}"
}
vncserver_stop()
{
CMD="$VNCSERVER -kill :${vncserver_display}"
su -l ${vncserver_user} -c "${CMD}"
}
vncserver_restart()
{
vncserver_stop
vncserver_start
}
load_rc_config ${name}
run_rc_command "$1"
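Review bot: `vncserver_securitytypes="vncauth"` selects VNC password authentication with no session encryption, and the comment records that the encrypted types were dropped for client compatibility; since that leaves the password challenge and the whole desktop stream in clear, the listener should be reachable only from the guacd and vncconnect hosts the comment names, via the jail firewall or the server's own listen restriction where supported. The `: ${vncserver_*=...}` defaults are set before `load_rc_config ${name}`, which only runs at the bottom; rc.conf still overrides because it is sourced later, but the other rc scripts in this commit call `load_rc_config` right after `rcvar=`, so moving it there would make this file consistent. `vncserver_stop` has no check that the display was actually running, so `stop` after a crash prints a vncserver error rather than a clean no-op.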


@ -1,6 +1,6 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -10,9 +10,9 @@
# ./ibm.sh under tmux
ifconfig tun186 create
ifconfig tun186 inet 172.16.0.186 172.16.0.100
chmod 666 /dev/tun186
ifconfig tun95 create
ifconfig tun95 inet 172.16.0.95 172.16.0.100
chmod 666 /dev/tun95
cd /data/Z110/CONF
# hercules
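Review bot: `chmod 666 /dev/tun186` and `chmod 666 /dev/tun95` make both tunnel devices writable by every local account, so any user on the host can inject into or read the emulated machine's network path; the rendered hunk does not show whether these lines are new or context, but they are on the new side either way. Give the devices to the account that runs hercules instead, `chown <hercules-user> /dev/tun186 /dev/tun95` followed by `chmod 600 /dev/tun186 /dev/tun95`, or set the owner with a devfs rule so it survives the device being recreated. The script continues outside this hunk.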


@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -0,0 +1,7 @@
sysctl net.inet.ip.forwarding=1
route add 10.1.2.0/24 192.168.55.105
# on remote -
#sudo sysctl net.ipv4.ip_forward=1
#ip route add 192.168.0.0/24 via 192.168.55.1
#OR
#ip route add 192.168.0.0/24 dev tun0
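Review bot: `sysctl net.inet.ip.forwarding=1` turns the whole host into a router between every interface it has, not just for the `10.1.2.0/24` route added on the next line, and since it is set at runtime the exposure is immediate while the setting is lost at reboot. Persist it deliberately (`net.inet.ip.forwarding=1` in /etc/sysctl.conf) and pair it with a firewall rule that forwards only between 10.1.2.0/24 and the local networks; the file also lacks a `#!/bin/sh` line, so it only runs when invoked as `sh file`.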


@ -0,0 +1 @@
ldapadd -H ldaps://ldap.ahlawat.com -f $1 -D cn=admin,dc=infra -W
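Review bot: `$1` is unquoted, so an LDIF path containing whitespace is split into several arguments and the command fails confusingly; write `ldapadd -H ldaps://ldap.ahlawat.com -f "$1" -D cn=admin,dc=infra -W`. Binding with `-W` (interactive prompt) rather than `-w` is the right choice, since it keeps the admin password out of the command line, process list and shell history; a `#!/bin/sh` line would let the file be executed directly.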


@ -0,0 +1,16 @@
###
### guacamole.properties.sample
###
### The Host the Guacamole proxy daemon (guacd) is listening on.
#
guacd-host: localhost
guacd-port: 4822
guacd-ssl: false
ldap-hostname: ldap.ahlawat.com
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: ou=people,dc=infra
ldap-username-attribute: cn
ldap-config-base-dn: ou=hosts,dc=infra
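Review bot: `guacd-ssl: false` is only acceptable because `guacd-host: localhost` keeps the guacd socket off the network, yet nothing records that coupling, and the guacd.conf in this commit ships with its `[ssl]` section commented out. Add above the two lines `# guacd-ssl must become true (and guacd.conf [ssl] enabled) before guacd-host points at a remote daemon`, so a later move of guacd does not silently send RDP/VNC/SSH credentials in clear text. With no `ldap-search-bind-dn` set, Guacamole presumably binds to LDAP as the logging-in user, which means the `guacConfigParameter` passwords under ou=hosts are readable by any authenticated user the directory ACL allows; that is worth stating here for whoever designs the olcAccess rules.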


@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- Guacamole logs all messages to console by default. Servlet containers
like Tomcat will automattically redirect these messages to a log file,
catalina.out in the case of Tomcat. Valid levels= error, warn, info,
debug -->
<configuration>
<!-- Appender for debugging -->
<appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
</encoder>
</appender>
<!-- Log at DEBUG level -->
<root level="info">
<appender-ref ref="GUAC-DEBUG"/>
</root>
</configuration>
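Review bot: The comment `<!-- Log at DEBUG level -->` contradicts the `<root level="info">` it annotates, and a reader troubleshooting will trust the comment; change it to `<!-- Log at INFO level; raise to debug only while troubleshooting, since debug output may include connection parameters -->`. Minor: `automattically` in the header comment is a typo.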


@ -0,0 +1,14 @@
dn: cn=rdp-windows,ou=hosts,dc=infra
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Windows rdp
guacConfigProtocol: rdp
guacConfigParameter: hostname=192.168.0.81
guacConfigParameter: port=3389
guacConfigParameter: username=v
guacConfigParameter: password=v
guacConfigParameter: security=nla
guacConfigParameter: ignore-cert=true
member: cn=sharad,ou=people,dc=infra
member: cn=diyit,ou=people,dc=infra
# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
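Review bot: `guacConfigParameter: password=v` together with `username=v` stores the Windows account's password in clear text in LDAP, where every group member and anyone with read access to ou=hosts can retrieve it, and `ignore-cert=true` makes the NLA session accept any certificate from 192.168.0.81, so a spoofed RDP host could harvest the same credential in transit. Prefer Guacamole's parameter tokens, `guacConfigParameter: username=${GUAC_USERNAME}` and `guacConfigParameter: password=${GUAC_PASSWORD}`, so each user authenticates with their own account and nothing secret lives in the directory, and drop `ignore-cert=true` once guacd trusts the host's RDP certificate; failing that, restrict the attribute's read ACL to the listed members. The `cn: Windows rdp` value also differs from the `cn=rdp-windows` in the DN, which a schema-checking slapd may reject or treat as a second name — worth confirming.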


@ -0,0 +1,10 @@
dn: cn=ssh-nas,ou=hosts,dc=infra
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: NAS ssh
guacConfigProtocol: ssh
guacConfigParameter: hostname=192.168.0.10
guacConfigParameter: port=22
member: cn=sharad,ou=people,dc=infra
member: cn=diyit,ou=people,dc=infra
# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
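Review bot: The entry sets no `host-key`, so as far as the visible parameters go guacd will connect to 192.168.0.10 without verifying the server's host key, and a rogue host answering on that address could capture whatever password the user types. If the deployed release supports it, add `guacConfigParameter: host-key=<the NAS's public host key line>` so guacd refuses an impostor, and consider `guacConfigParameter: username=${GUAC_USERNAME}` to tie the SSH login to the LDAP identity.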


@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- Guacamole's default authentication module is a simple xml file.
Each user is specified with a corresponding <authorized> tag. This
tag contains all authorized connections for that user each denoted
with a <connections> tag. Each <connection> tag contains a
protocol and set of protocol-specific parameters, specified with
the <protocol> and <param> tags respectively. For more information
visit http://guac-dev.org/doc/gug/configuring-guacamole.html -->
<user-mapping>
<!-- Per-user authentication and config information md5 -s "Npasswd" -->
<authorize username="admin" password="4ee438b74bd65c9f8402e7e48fa64fb7" encoding="md5">
<connection name="vnc-hub">
<protocol>vnc</protocol>
<param name="hostname">192.168.0.50</param>
<param name="port">5901</param>
<param name="password">vncpass</param>
<param name="color-depth">24</param>
</connection>
<connection name="rdp-windows">
<protocol>rdp</protocol>
<param name="hostname">192.168.0.81</param>
<param name="port">3389</param>
<param name="security">nla</param>
<param name="ignore-cert">true</param>
<param name="username">v</param>
<param name="password">v</param>
</connection>
<connection name="ssh-nas">
<protocol>ssh</protocol>
<param name="hostname">192.168.0.10</param>
<param name="port">22</param>
<param name="font-name">monospace</param>
</connection>
<connection name="vnc-rpi3">
<protocol>vnc</protocol>
<param name="hostname">192.168.200.192</param>
<param name="port">5901</param>
<param name="password">vncpass</param>
<param name="color-depth">24</param>
</connection>
<connection name="ssh-rpi3">
<protocol>ssh</protocol>
<param name="hostname">192.168.200.192</param>
<param name="port">22</param>
<param name="font-name">monospace</param>
</connection>
<connection name="ssh-dev">
<protocol>ssh</protocol>
<param name="hostname">192.168.55.105</param>
<param name="port">22</param>
<param name="font-name">monospace</param>
</connection>
</authorize>
<authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
<connection name="vnc">
<protocol>vnc</protocol>
<param name="hostname">192.168.200.212</param>
<param name="port">5901</param>
<param name="password">vncpass</param>
<param name="color-depth">24</param>
</connection>
<connection name="ssh">
<protocol>ssh</protocol>
<param name="hostname">192.168.200.212</param>
<param name="port">22</param>
<param name="font-name">monospace</param>
</connection>
</authorize>
</user-mapping>
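Review bot: Target credentials are stored in clear text (`<param name="password">vncpass</param>` on every VNC entry, `username`/`password` `v` on rdp-windows) and the Guacamole logins are unsalted MD5 hashes whose recipe is written in the comment above them (`md5 -s "Npasswd"`), so anyone who can read this file gets every remote system and can crack the web passwords offline. At minimum make the file mode 0600 owned by the servlet user and use `encoding="sha256"` where the installed release supports it; since this commit also adds LDAP-backed `guacConfigGroup` entries for the same hosts, the cleaner fix is to delete the duplicated connections here and keep this file to one emergency admin account. `ignore-cert=true` on rdp-windows disables certificate validation for NLA and should go once the host's RDP certificate is trusted.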


@ -0,0 +1,12 @@
dn: cn=vnc-hub,ou=hosts,dc=infra
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: HUB vnc
guacConfigProtocol: vnc
guacConfigParameter: hostname=192.168.0.50
guacConfigParameter: port=5901
guacConfigParameter: password=vncpass
guacConfigParameter: color-depth=24
member: cn=sharad,ou=people,dc=infra
member: cn=diyit,ou=people,dc=infra
# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
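Review bot: `guacConfigParameter: password=vncpass` puts the hub's VNC password in the directory in clear text, and the same value is used for other hosts in user-mapping.xml, so one readable entry unlocks several machines; classic VNC auth offers no transport encryption either. If the password must stay in LDAP, limit read access to the guacConfigParameter attribute with an olcAccess rule scoped to the group members, and give each VNC server its own password so a leak here stays contained.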


@ -0,0 +1,17 @@
#
# guacd.conf example
#
[daemon]
# Possible log_level variables are:
# trace, debug, info, warning, and error
# Default is info
log_level = info
[server]
bind_host = localhost
bind_port = 4822
[ssl]
#server_certificate = /mnt/certs/fullchain.pem
#server_key = /mnt/certs/privkeyr.pem
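Review bot: The commented key path `#server_key = /mnt/certs/privkeyr.pem` looks like a typo for `privkey.pem` (the certificate line uses the conventional `fullchain.pem` name), so whoever enables TLS for guacd by uncommenting these lines will get a startup failure instead of encryption; fix it now as `#server_key = /mnt/certs/privkey.pem`. A comment above `bind_host = localhost`, `# plaintext is acceptable only while bound to loopback; enable [ssl] before binding to a routable address`, would document why `guacd-ssl: false` on the web side is currently fine.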


@ -0,0 +1,28 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
dn: cn=guacConfigGroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: guacConfigGroup
olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
6.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )


@ -0,0 +1,31 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
DESC 'Guacamole configuration group'
SUP groupOfNames
MUST guacConfigProtocol
MAY guacConfigParameter )


@ -0,0 +1,2 @@
# requrired to run other configured scripts
/bin/sh /etc/rc
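Review bot: `# requrired to run other configured scripts` has a typo; `# required to run other configured scripts` reads correctly. The comment also does not say what invokes this file, so naming the caller (a jail exec hook, presumably) would help the next reader understand why `/etc/rc` is started by hand.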


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp121: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -0,0 +1,28 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
dn: cn=guacConfigGroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: guacConfigGroup
olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
6.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )


@ -0,0 +1,31 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
DESC 'Guacamole configuration group'
SUP groupOfNames
MUST guacConfigProtocol
MAY guacConfigParameter )


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp121: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -683,7 +683,7 @@ readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
smtp_address_preference = ipv4
#smtp_address_preference = ipv4
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix


@ -328,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
luser_relay =
mail_name = Postfix
mail_owner = postfix
mail_release_date = 20200316
mail_release_date = 20200516
mail_spool_directory = /var/mail
mail_version = 3.5.0
mail_version = 3.5.2
mailbox_command =
mailbox_command_maps =
mailbox_delivery_lock = flock, dotlock
@ -340,7 +340,7 @@ mailbox_transport_maps =
maillog_file =
maillog_file_compressor = gzip
maillog_file_prefixes = /var, /dev/stdout
maillog_file_rotate_suffix = %Y%M%d-%H%M%S
maillog_file_rotate_suffix = %Y%m%d-%H%M%S
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains =



@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")



@ -0,0 +1,2 @@
MAILTO="sharad@diyit.org"
5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /root/matomo-archive.log
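Review bot: The archiver appends to `/root/matomo-archive.log` with no rotation, so the file grows without bound, and if this crontab belongs to root the Matomo console (and every plugin it loads) runs with root privileges. Run the job as the web-server account and log somewhere newsyslog can rotate, e.g. `5 5 * * * su -m www -c '/usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/' >> /var/log/matomo-archive.log` (substitute the account the web server runs as) with a matching newsyslog.conf entry; leaving stderr unredirected is fine since `MAILTO` delivers errors by mail.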


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,3 +0,0 @@
mount proc
/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
ps axww | grep logstash


@ -0,0 +1 @@
max_size = 32.0G


@ -1,4 +1,4 @@
# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to


@ -1,2 +1,3 @@
WANT_OPENLDAP_SASL=yes
LICENSES_ACCEPTED+=DCC
WITH_CCACHE_BUILD=yes


@ -5,11 +5,14 @@ net/openldap24-sasl-client
security/cyrus-sasl2
www/apache24
devel/apr1
net/php73-ldap
net/php74-ldap
mail/postfix
mail/dovecot
mail/dovecot-pigeonhole
mail/rspamd
mail/dcc-dccd
net/netatalk3
net/samba410
net/samba411
net/nss-pam-ldapd
net/nss-pam-ldapd-sasl
#security/pam_ldap # included above


@ -0,0 +1,11 @@
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
enabled: no
}
pkgp-freebsd-pkg: {
url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
mirror_type: "http",
enabled: yes,
priority: 10
}
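Review bot: The `pkgp-freebsd-pkg` repository that replaces the disabled official `FreeBSD` repo declares neither `signature_type` nor `fingerprints`, so pkg installs whatever `http://pkgp-freebsd-pkg.ahlawat.com` serves over plain HTTP with no signature check at all — the official repo it supersedes is verified against the fingerprints in `/usr/share/keys/pkg`, and the sibling `pkgp122` repo elsewhere in this commit is at least pubkey-signed. If this host mirrors the official FreeBSD packages unchanged, add `signature_type: "fingerprints",` and `fingerprints: "/usr/share/keys/pkg"` to the block; if it serves self-built packages, sign them like `pkgp122` with `signature_type: "pubkey"` and the poudriere certificate. Either way prefer an `https://` url unless the mirror cannot serve TLS.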


@ -133,7 +133,7 @@ PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
# It will be mounted into the jail and be shared among all jails.
# It is recommended that extra ccache configuration be done with
# ccache -o rather than from the environment.
#CCACHE_DIR=/var/cache/ccache
CCACHE_DIR=/mnt/cache/ccache
# Static ccache support from host. This uses the existing
# ccache from the host in the build jail. This is useful for
@ -200,7 +200,7 @@ NOLINUX=yes
# List of packages that will always be allowed to use MAKE_JOBS
# regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports
# which holdup the rest of the queue to build more quickly.
#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*"
ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py* llvm*"
# Timestamp every line of build logs
# Default: no
@ -282,7 +282,7 @@ PRESERVE_TIMESTAMP=yes
# Define pkgname globs to boost priority for
# Default: none
#PRIORITY_BOOST="pypy openoffice*"
PRIORITY_BOOST="llvm*"
# Define format for buildnames
# Default: %Y-%m-%d_%Hh%Mm%Ss


@ -1,6 +1,6 @@
#!/bin/sh
#
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -48,35 +48,31 @@ frontend stats
frontend ft
bind :::80 v4v6
bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem
redirect scheme https if !{ ssl_fc }
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
# passing on that browser is using https
reqadd X-Forwarded-Proto:\ https
## http-request add-header Forwarded: proto=https
#enabling this breaks things, needs investigation
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
# for Clickjacking - added to individual backends
# rspadd X-Frame-Options:\ SAMEORIGIN
# http-response add-header X-Frame-Options: SAMEORIGIN
# prevent browser from using non-secure
rspadd Strict-Transport-Security:\ max-age=15768000
http-response add-header Strict-Transport-Security: max-age=15768000
acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
acl restricted_page path -i -m sub /wp-admin
acl restricted_page path -i -m sub /wp-login
block if restricted_page !network_allowed
http-request deny if restricted_page !network_allowed
use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
use_backend bk_diyit if { ssl_fc_sni diyit.org }
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
use_backend bk_diyit if { ssl_fc_sni xflow.org }
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
use_backend bk_diyit if { ssl_fc_sni diyit.space }
use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
@ -96,53 +92,67 @@ frontend ft
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
use_backend bk_diyit if { ssl_fc_sni diyit.org }
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
use_backend bk_diyit if { ssl_fc_sni xflow.org }
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
default_backend bk_ahlawat
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend bk_ahlawat if is_websocket
backend bk_ahlawat
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell
server srv1 192.168.0.77:8000
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-sharad
balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
# http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"
backend bk_ahlawat-rachna
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-nivi
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-rishabh
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
#backend bk_ahlawat-book
# server srv1 bookx.ahlawat.com:443 check ssl verify none
@ -150,102 +160,143 @@ backend bk_ahlawat-rishabh
backend bk_ahlawat-book-443
# server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-444
# server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-445
# server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-cam
server srv1 192.168.0.54:8765 check
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-ci
# http-request set-header Host cix.ahlawat.com:8080
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2
server srv1 cix.ahlawat.com:8080 check
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-cloud
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-git
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspidel X-Frame-Options:*
# http-request set-var(txn.src) src
# acl mynet var(txn.src) -m sub 192.168.0
# acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
# rspidel X-Frame-Options:* if mynet
# rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
# The gitea server add this header be default
http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-hub
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-matrix
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-meet
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-monitor
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-jump
server srv1 jumpx.ahlawat.com:8080 check
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-grafana
server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-prometheus
server srv1 monitorx.ahlawat.com:9090 check
# ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-kibana
server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-maps
server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN
server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-ci
# http-request set-header Host cix.ahlawat.com:8180
reqirep ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
rspirep ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
server srv1 cix.ahlawat.com:8180 check
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_dvpc
server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell
server srv1 192.168.0.77:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-ci
# http-request set-header Host cix.beyondbell.com:8111
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 192.168.0.73:8111
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-git
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-ci
http-request set-header Host cix.beyondbell.com:8111
reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 cix.beyondbell.com:8111
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-repo
# http-request set-header Host 192.168.0.75:8080
reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
server srv1 192.168.0.75:8080
rspadd X-Frame-Options:\ SAMEORIGIN
# http-request set-header Host 192.168.0.75:8081
# http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
# http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
backend bk_beyondbell-gs
server srv1 192.168.0.75:8081
http-response add-header X-Frame-Options: SAMEORIGIN
# http-response del-header Strict-Transport-Security
# http-response add-header Content-Security-Policy: upgrade-insecure-requests
backend bk_beyondbell-web-moonglade
server srv1 192.168.0.74:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-web-moonglade-private
server srv1 192.168.0.74:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-r-windows
server srv1 192.168.0.85:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-windows
server srv1 192.168.0.81:26900 check
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
http-response add-header X-Frame-Options: SAMEORIGIN
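Review bot: Every `http-response add-header` line in this file keeps the trailing colon from the old `rspadd` form (`add-header Strict-Transport-Security: max-age=15768000` in the frontend, `add-header X-Frame-Options: SAMEORIGIN` in each backend), so the colon becomes part of the header name; unless HAProxy strips it, clients receive `Strict-Transport-Security:: max-age=...`, which browsers ignore, silently losing both HSTS and the clickjacking protection — verify with `curl -sI https://ahlawat.com | grep -i strict`. Drop the colon and use `set-header` so a backend-supplied value is replaced rather than duplicated: `http-response set-header Strict-Transport-Security max-age=15768000` and `http-response set-header X-Frame-Options SAMEORIGIN`. In bk_ahlawat-git, `X-Frame-Options "ALLOW-FROM *.diyit.org"` is not honoured by current browsers and ALLOW-FROM never accepted wildcards, so framing from diyit.org is either blocked or unrestricted depending on the client; `http-response set-header Content-Security-Policy "frame-ancestors 'self' https://*.diyit.org"` expresses the intent portably. bk_diyit-maps also lost the `check` keyword on srv1, so a dead maps backend is no longer detected.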


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp121: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",

jails/config/proxy/port-fwd.sh Executable file

@ -0,0 +1 @@
ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820
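Review bot: `ipfw add 10000` appends another identical rule each time this script runs, since ipfw accepts duplicate rule numbers, and the forward applies to any UDP this host sends to 192.168.0.55:55820. Make it idempotent with `ipfw delete 10000 2>/dev/null` before the add, or better, place the rule in the firewall's rule file so it is reloaded together with the rest of the policy; the file is marked executable but has no `#!/bin/sh` line.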


@ -1,99 +1,13 @@
# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
# This group is read both by the client and the server
# use it for options that affect everything, see
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
#
# MySQL programs look for option files in a set of
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
[client-server]
port = 3306
socket = /var/run/mysql/mysql.sock
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306
socket = /tmp/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
bind-address = *
port = 3306
socket = /tmp/mysql.sock
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (using the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
server-id = 1
# Uncomment the following if you want to log updates
#log-bin=mysql-bin
# binary logging format - mixed recommended
binlog_format=ROW
# Causes updates to non-transactional engines using statement format to be
# written directly to binary log. Before using this option make sure that
# there are no dependencies between transactional and non-transactional
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
# t_innodb; otherwise, slaves may diverge from the master.
#binlog_direct_non_transactional_updates=TRUE
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/db/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql-log
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 250M
#innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 2
#innodb_lock_wait_timeout = 50
innodb_doublewrite = 0
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
log-error = /var/db/mysql-log/error.log
log_bin = /var/db/mysql-log/binlog
relay_log = /var/db/mysql-log/relay-bin
expire_logs_days = 7
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
[mysqlhotcopy]
interactive-timeout
# include *.cnf from the config directory
#
!includedir /usr/local/etc/mysql/conf.d/
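Review bot: The `!includedir /usr/local/etc/mysql/conf.d/` line on the new side makes every `*.cnf` in that directory part of the effective server configuration, but nothing here records that; a comment such as `# every *.cnf in conf.d is merged in, later files override earlier ones; keep the directory root-owned and not group/world writable` would document both the merge order and why the directory's permissions matter. I am reading the `+`/`-` sides from the hunk counts (99 removed, 13 added), so the `[client-server]` block with `socket = /var/run/mysql/mysql.sock` appears to be new; the old file used `/tmp/mysql.sock`, so any client still pointed at the old path, or a missing `/var/run/mysql` directory, will fail to connect after this change. The rest of the old `[mysqld]` tuning moves to the server file in this same commit, so this file is now only the shared client/server stub.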


@ -0,0 +1,90 @@
# Options specific to server applications, see
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
# Options specific to all server programs
[server]
# Options specific to MariaDB server programs
[server-mariadb]
#
# Options for specific server tools
#
[mysqld]
user = mysql
# port = 3306 # set in /usr/local/etc/mysql/my.cnf
# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
bind-address = *
basedir = /usr/local
datadir = /var/db/mysql
net_retry_count = 16384
# [mysqld] configuration for ZFS
# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
# Create separate datasets for data and logs, eg
# zroot/mysql compression=on recordsize=128k atime=off
# zroot/mysql/data recordsize=16k
# zroot/mysql/logs
datadir = /var/db/mysql
innodb_log_group_home_dir = /var/db/mysql-log
#audit_log_file = /var/db/mysql-log/audit.log
general_log_file = /var/db/mysql-log/general.log
log_bin = /var/db/mysql-log/mysql-bin
relay_log = /var/db/mysql-log/relay-log
slow_query_log_file = /var/db/mysql-log/slow.log
innodb_doublewrite = 0
innodb_flush_method = O_DSYNC
##
log-error = /var/db/mysql-log/error.log
### custom optimizations
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
server-id = 1
binlog_format=ROW
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
innodb_log_file_size = 250M
innodb_flush_log_at_trx_commit = 2
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
expire_logs_days = 7
###
# Options read by `mysqld_safe`
# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
[mariadb_safe]
# Options read my `mariabackup`
[mariabackup]
# Options read by `mysql_upgrade`
# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
[mariadb-upgrade]
# Specific options read by the mariabackup SST method
[sst]
# Options read by `mysqlbinlog`
# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
[mariadb-binlog]
# Options read by `mysqladmin`
# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
[mariadb-admin]
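Review bot: `[mysqld]` sets `datadir = /var/db/mysql` twice (lines 2791 and 2799) and `slow_query_log_file = /var/db/mysql-log/slow.log` twice (lines 2805 and 2828); MariaDB option files are last-wins so the values agree today, but the repeats will silently diverge on the next edit, so keep only the one under the ZFS block. `innodb_checksum_algorithm = none` together with `innodb_doublewrite = 0` turns off InnoDB's own page integrity protection; that is a deliberate trade on ZFS, but it deserves a line such as `# page checksums and doublewrite disabled: ZFS end-to-end checksums are relied on instead` so nobody copies it onto a UFS host. `bind-address = *` listens on every interface of the jail; if only local jails connect, binding to the jail's address narrows exposure, though I cannot see the client set from here. The comment `# Options read my `mariabackup`` should read `# Options read by `mariabackup``.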


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, BeyondBell.com
Copyright (c) 2018-2021, BeyondBell.com
All rights reserved.
Redistribution and use in source and binary forms, with or without


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, BeyondBell.com
Copyright (c) 2018-2021, BeyondBell.com
All rights reserved.
Redistribution and use in source and binary forms, with or without


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
pkgp121: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -18,6 +18,16 @@ ifconfig bridge1 addm tap82 up
ifconfig tap82 up
ifconfig tap82 inet6 auto_linklocal
ifconfig tap1082 create
ifconfig bridge10 addm tap1082 up
ifconfig tap1082 up
ifconfig tap1082 inet6 auto_linklocal
ifconfig tap2082 create
ifconfig bridge9 addm tap2082 up
ifconfig tap2082 up
ifconfig tap2082 inet6 auto_linklocal
ifconfig tap83 create
ifconfig bridge1 addm tap83 up
ifconfig tap83 up
@ -33,6 +43,21 @@ ifconfig bridge1 addm tap85 up
ifconfig tap85 up
ifconfig tap85 inet6 auto_linklocal
ifconfig tap86 create
ifconfig bridge1 addm tap86 up
ifconfig tap86 up
ifconfig tap86 inet6 auto_linklocal
ifconfig tap1086 create
ifconfig bridge10 addm tap1086 up
ifconfig tap1086 up
ifconfig tap1086 inet6 auto_linklocal
ifconfig tap2086 create
ifconfig bridge9 addm tap2086 up
ifconfig tap2086 up
ifconfig tap2086 inet6 auto_linklocal
ifconfig tap90 create
ifconfig bridge1 addm tap90 up
ifconfig tap90 up
@ -42,3 +67,33 @@ ifconfig tap190 create
ifconfig bridge2 addm tap190 up
ifconfig tap190 up
ifconfig tap190 inet6 auto_linklocal
ifconfig tap97 create
ifconfig bridge1 addm tap97 up
ifconfig tap97 up
ifconfig tap97 inet6 auto_linklocal
ifconfig tap1097 create
ifconfig bridge10 addm tap1097 up
ifconfig tap1097 up
ifconfig tap1097 inet6 auto_linklocal
ifconfig tap2097 create
ifconfig bridge9 addm tap2097 up
ifconfig tap2097 up
ifconfig tap2097 inet6 auto_linklocal
ifconfig tap96 create
ifconfig bridge1 addm tap96 up
ifconfig tap96 up
ifconfig tap96 inet6 auto_linklocal
ifconfig tap1096 create
ifconfig bridge10 addm tap1096 up
ifconfig tap1096 up
ifconfig tap1096 inet6 auto_linklocal
ifconfig tap2096 create
ifconfig bridge9 addm tap2096 up
ifconfig tap2096 up
ifconfig tap2096 inet6 auto_linklocal
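Review bot: Every added tap in the `@ -18,6 +18,16 @@`, `@ -33,6 +43,21 @@` and `@ -42,3 +67,33 @@` hunks is the same four `ifconfig` lines with only the tap and bridge names changing, and the pairing of tap10xx with bridge10 and tap20xx with bridge9 is repeated by hand each time; a small helper near the top of the script (which is outside these hunks) would make the mapping one line per interface and harder to mistype. The `#!/bin/sh` at line 1 supports a plain POSIX function. Nothing in the hunks records what bridge9 and bridge10 carry, so a comment on the helper call sites naming each bridge's role would help too.
```sh
# create a tap, attach it to a bridge, bring it up and give it an IPv6 link-local address
mktap() {
	ifconfig "$1" create
	ifconfig "$2" addm "$1" up
	ifconfig "$1" up
	ifconfig "$1" inet6 auto_linklocal
}
mktap tap1082 bridge10
mktap tap2082 bridge9
# … unchanged: remaining tap/bridge definitions …
```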

70
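--- a/jails/config/vm/cvm-a.sh
+++ b/jails/config/vm/cvm-a.sh
+#!/usr/local/bin/bash
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+# ./cvm-a.sh under tmux
+# clean cached state
+bhyvectl --destroy --vm=cvm-a
+while true
+do
+bhyve -c 4 -m 16G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
+-s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
+-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
+-s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
+-s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
+-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm97A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+cvm-a
+bhyve_exit=$?
+# bhyve returns the following status codes:
+# 0 - VM has been reset
+# 1 - VM has been powered off
+# 2 - VM has been halted
+# 3 - VM generated a triple fault
+# all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+break
+fi
+echo `date` - restarting cvm-a in 5 seconds - press ctrl-c to stop
+sleep 5
+done
+exit $?
+# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
+# bhyvectl --get-all --vm=cvm-a
+# cu -l /dev/nmdm97B
+# (This uses cu() so press ~+Ctrl-D to exit)
+#on base system:
+#zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
+#zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
+# on boot
+#ifconfig tap97 create
+#ifconfig bridge1 addm tap97 up
+#ifconfig tap97 up
+#ifconfig tap97 inet6 auto_linklocal
+#ifconfig tap1097 create
+#ifconfig bridge10 addm tap1097 up
+#ifconfig tap1097 up
+#ifconfig tap1097 inet6 auto_linklocal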
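Review bot: `-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900` exposes the VM's graphical console on every host interface with no authentication, which hands console access to anyone who can reach port 5997; bind it to the management address and use the `password=` option the fbuf device supports, e.g. `-s 29,fbuf,tcp=<mgmt-ip>:5997,w=1600,h=900,password=<vnc-secret> \` with the two placeholders filled from a file the script reads rather than from the command line. The same applies to cvm-b.sh (port 5996) and kali.sh (port 5986) added in this commit. `exit $?` after `done` reports the status of the loop, which is 0 after a `break`, not bhyve's; `exit $bhyve_exit` preserves the power-off/halt code for the caller. The trailing comments label `cvm-a` (32G) as the docker partition and `cvm-a_data` (128G) as the root partition, which reads as swapped relative to the slot order; I cannot verify from here, but the comment should match the actual layout.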

70
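--- a/jails/config/vm/cvm-b.sh
+++ b/jails/config/vm/cvm-b.sh
+#!/usr/local/bin/bash
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+# ./cvm-b.sh under tmux
+# clean cached state
+bhyvectl --destroy --vm=cvm-b
+while true
+do
+bhyve -c 4 -m 16G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
+-s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
+-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
+-s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
+-s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
+-s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm96A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+cvm-b
+bhyve_exit=$?
+# bhyve returns the following status codes:
+# 0 - VM has been reset
+# 1 - VM has been powered off
+# 2 - VM has been halted
+# 3 - VM generated a triple fault
+# all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+break
+fi
+echo `date` - restarting cvm-b in 5 seconds - press ctrl-c to stop
+sleep 5
+done
+exit $?
+# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
+# bhyvectl --get-all --vm=cvm-b
+# cu -l /dev/nmdm96B
+# (This uses cu() so press ~+Ctrl-D to exit)
+#on base system:
+#zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
+#zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
+# on boot
+#ifconfig tap96 create
+#ifconfig bridge1 addm tap96 up
+#ifconfig tap96 up
+#ifconfig tap96 inet6 auto_linklocal
+#ifconfig tap1096 create
+#ifconfig bridge10 addm tap1096 up
+#ifconfig tap1096 up
+#ifconfig tap1096 inet6 auto_linklocal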


@ -1,6 +1,6 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

77
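--- a/jails/config/vm/kali.sh
+++ b/jails/config/vm/kali.sh
+#!/usr/local/bin/bash
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+# ./kali.sh under tmux
+# clean cached state
+bhyvectl --destroy --vm=kali
+while true
+do
+bhyve -c 2 -m 4G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/kali \
+-s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
+-s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
+-s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
+-s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm86A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+kali
+bhyve_exit=$?
+# bhyve returns the following status codes:
+# 0 - VM has been reset
+# 1 - VM has been powered off
+# 2 - VM has been halted
+# 3 - VM generated a triple fault
+# all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+break
+fi
+echo `date` - restarting kali in 5 seconds - press ctrl-c to stop
+sleep 5
+done
+exit $?
+#-s 3,ahci-cd,/mnt/linux/kali-linux-2020.4-installer-amd64.iso \
+##-s 6,virtio-blk,/dev/zvol/ship/raw/kali_data \
+# bhyvectl --get-all --vm=kali
+# cu -l /dev/nmdm86B
+# (This uses cu() so press ~+Ctrl-D to exit)
+#on base system:
+#zfs create -V 128G -o refreservation=none ship/raw/kali
+##zfs create -V 128G -o refreservation=none ship/raw/kali_data
+# on boot
+#ifconfig tap86 create
+#ifconfig bridge1 addm tap86 up
+#ifconfig tap86 up
+#ifconfig tap86 inet6 auto_linklocal
+#ifconfig tap1086 create
+#ifconfig bridge10 addm tap1086 up
+#ifconfig tap1086 up
+#ifconfig tap1086 inet6 auto_linklocal
+# Install VNC
+# curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download#
+# sudo apt install gdebi-core
+# sudo gdebi turbovnc_2.2.5_amd64.deb
+# sudo killall Xvnc; /opt/TurboVNC/bin/vncserver -name kali -geometry 1920x1080 :4
+# systemctl enable ssh.service; service ssh start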
