diff --git a/diyit-org-license.txt b/diyit-org-license.txt
index 537fdf1..e968406 100644
--- a/diyit-org-license.txt
+++ b/diyit-org-license.txt
@@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
All rights reserved.
Redistribution and use in source and binary forms, with or without
diff --git a/jails/config/atm/afp.conf b/jails/config/atm/afp.conf
index 846c2de..8547e74 100644
--- a/jails/config/atm/afp.conf
+++ b/jails/config/atm/afp.conf
@@ -1,32 +1,63 @@
;
; Netatalk 3.x configuration file
-;
+; http://netatalk.sourceforge.net/3.1/htmldocs/afp.conf.5.html
[Global]
; Global server settings
hostname = atm
-hosts allow = 192.168.0.0/24,192.168.100.0/24
-afp listen = 0.0.0.0
+afp listen = ::
+mimic model = TimeCapsule6,106
+uam list = uams_guest.so uams_dhx2_passwd.so
+; locate uam # show all the uam modules
+
+force xattr with sticky bit = yes
+
zeroconf = yes
+afpstats = yes
+
+ldap auth method = simple
+;ldap auth dn = cn=admin,dc=infra
+;ldap auth pw = notrequired
+ldap server = ldap.ahlawat.com
+
+ldap name attr = cn
+ldap userbase = ou=people,dc=infra
+ldap userscope = one
+ldap uuid attr = uidNumber
+
+ldap group attr = cn
+ldap groupbase = ou=group,dc=infra
+ldap groupscope = one
+;ldap uuid attr = gidNumber #this is used both for users and groups.
+
+; You can comment these 2 lines when your setup is working
+;log level = default:maxdebug,afpdaemon:maxdebug,logger:maxdebug,uamsdaemon:maxdebug
+log file = /var/log/afpd.log
+
+[default_for_all_vol]
+cnid scheme = dbd
+appledouble = ea
+ea = ad
; [Homes]
; basedir regex = /xxxx
-; [My AFP Volume]
-; path = /path/to/volume
-
-[Sharad Time Machine Volume]
+[Sharad]
path = /mnt/sharad
+valid users = sharad
time machine = yes
-[Rachna Time Machine Volume]
+[Rachna]
path = /mnt/rachna
+valid users = rachna
time machine = yes
-[Nivi Time Machine Volume]
+[Nivi]
path = /mnt/nivi
+valid users = nivi
time machine = yes
-[Rishabh Time Machine Volume]
+[Rishabh]
path = /mnt/rishabh
+valid users = rishabh
time machine = yes
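Review bot: The `[Global]` block now listens on every address (`afp listen = ::`) while the old `hosts allow = 192.168.0.0/24,192.168.100.0/24` restriction is dropped, and `uam list` adds `uams_guest.so`, so unauthenticated sessions can reach the daemon from anywhere the jail is routable. If the intent is to rely on the jail's firewall, say so in a full-line comment; otherwise restore `hosts allow = 192.168.0.0/24,192.168.100.0/24` and, since every volume is gated by `valid users`, drop the guest module: `uam list = uams_dhx2_passwd.so`. The `ldap server = ldap.ahlawat.com` entry gives only a hostname where the other LDAP clients in this commit use `ldaps://ldap.ahlawat.com:636`, so confirm whether the netatalk UUID lookups travel in the clear. The commented `;ldap uuid attr = gidNumber` line with its trailing note suggests the single `ldap uuid attr = uidNumber` is known not to cover groups; a full-line comment stating the chosen trade-off would help the next reader.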
diff --git a/jails/config/atm/afpd.service b/jails/config/atm/afpd.service
new file mode 100644
index 0000000..834e708
--- /dev/null
+++ b/jails/config/atm/afpd.service
@@ -0,0 +1,14 @@
+
+
+
+ %h
+
+ _afpovertcp._tcp
+ 548
+
+
+ _device-info._tcp
+ 0
+ model=Xserve
+
+
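Review bot: The advertised `model=Xserve` in this Avahi service disagrees with `mimic model = TimeCapsule6,106` set in afp.conf in the same commit, so clients will see two different device identities for the same host. netatalk's `zeroconf = yes` already publishes `_afpovertcp._tcp` and `_device-info._tcp` records when it is built with mDNS support, in which case this file is a duplicate registration; if it is needed for a build without that support, a comment saying so would help. Only the text values could be checked here, because the element tags of this file do not survive in this rendering.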
diff --git a/jails/config/atm/ldap.conf b/jails/config/atm/ldap.conf
new file mode 100644
index 0000000..91d0546
--- /dev/null
+++ b/jails/config/atm/ldap.conf
@@ -0,0 +1,15 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE ou=people,dc=infra
+URI ldaps://ldap.ahlawat.com:636
+ssl start_tls
+tls_cacert /mnt/certs/cacert.pem
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
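Review bot: `URI ldaps://ldap.ahlawat.com:636` together with `ssl start_tls` asks for StartTLS on a connection that is already TLS from the first byte; pick one form, either `URI ldap://ldap.ahlawat.com` with `ssl start_tls`, or keep the `ldaps://` URI and delete the `ssl` line. `tls_cacert` is the OpenLDAP ldap.conf(5) keyword (`TLS_CACERT`), whereas `ssl` is a PADL nss_ldap/pam_ldap and nslcd keyword that OpenLDAP does not define, so confirm which library reads this file and use only its vocabulary. The same `ldaps://` plus `ssl start_tls` pair appears in pam_ldap.conf and nslcd.conf in this commit. Leaving the certificate-verification setting at its default appears to be deliberate and is the right choice; a comment saying so would discourage anyone from adding `TLS_REQCERT never` to silence the StartTLS error.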
diff --git a/jails/config/atm/netatalk b/jails/config/atm/netatalk
new file mode 100644
index 0000000..74e85d1
--- /dev/null
+++ b/jails/config/atm/netatalk
@@ -0,0 +1,3 @@
+auth required /usr/local/lib/pam_ldap.so try_first_pass
+account required /usr/local/lib/pam_ldap.so try_first_pass
+session required /usr/local/lib/pam_ldap.so
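Review bot: This stack makes `/usr/local/lib/pam_ldap.so` the only auth, account and session module, so an LDAP outage rejects every AFP login, and `try_first_pass` on the first line has no earlier module's password to reuse. The sshd stack added in the same commit keeps `pam_unix.so` as a fallback and uses `ignore_authinfo_unavail ignore_unknown_user` on its account line; if local users should never reach AFP that is a defensible choice, but it should be stated in a header comment such as `# LDAP-only by design: no pam_unix fallback`.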
diff --git a/jails/config/atm/nslcd.conf b/jails/config/atm/nslcd.conf
new file mode 100644
index 0000000..654aabd
--- /dev/null
+++ b/jails/config/atm/nslcd.conf
@@ -0,0 +1,142 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri ldaps://ldap.ahlawat.com:636
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base ou=people,dc=infra
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+scope one
+#scope base
+
+# Customize certain database lookups.
+#base group ou=Groups,dc=example,dc=com
+#base passwd ou=People,dc=example,dc=com
+#base shadow ou=People,dc=example,dc=com
+#scope group onelevel
+#scope hosts sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+tls_cacertdir /mnt/certs
+tls_cacertfile /mnt/certs/cacert.pem
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map passwd uid msSFU30Name
+#map passwd userPassword msSFU30Password
+#map passwd homeDirectory msSFU30HomeDirectory
+#map passwd homeDirectory msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map shadow uid msSFU30Name
+#map shadow userPassword msSFU30Password
+#filter group (objectClass=Group)
+#map group member msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map passwd uid msSFUName
+#map passwd userPassword msSFUPassword
+#map passwd homeDirectory msSFUHomeDirectory
+#map passwd gecos msSFUName
+#filter shadow (objectClass=User)
+#map shadow uid msSFUName
+#map shadow userPassword msSFUPassword
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=Group)
+#map group member posixMember
+
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map passwd uid sAMAccountName
+#map passwd homeDirectory unixHomeDirectory
+#map passwd gecos displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map shadow uid sAMAccountName
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=group)
+
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map passwd uid cn
+#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd homeDirectory "/home/$cn"
+#map passwd gecos displayName
+#map passwd loginShell "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map passwd uid userName
+#map passwd userPassword passwordChar
+#map passwd uidNumber uid
+#map passwd gidNumber gid
+#filter group (objectClass=aixAccessGroup)
+#map group cn groupName
+#map group gidNumber gid
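Review bot: `base ou=people,dc=infra` is the only search base and `scope one` is global, so group lookups also run one level under `ou=people` and will find nothing, even though nsswitch.conf in this commit lists `group: files ldap` and afp.conf points groups at `ou=group,dc=infra`; add `base group ou=group,dc=infra` (and `base passwd ou=people,dc=infra` for symmetry) next to the commented examples under `# Customize certain database lookups.`. The comment `# Use StartTLS without verifying the server certificate.` above `ssl start_tls` is stale: `#tls_reqcert never` below it stays commented, so verification remains on; rewrite it as `# StartTLS; the server certificate is verified against tls_cacertfile`.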
diff --git a/jails/config/atm/nsswitch.conf b/jails/config/atm/nsswitch.conf
new file mode 100644
index 0000000..585b3fc
--- /dev/null
+++ b/jails/config/atm/nsswitch.conf
@@ -0,0 +1,18 @@
+#
+# nsswitch.conf(5) - name service switch configuration file
+# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
+#
+#group: compat
+group: files ldap
+group_compat: nis
+hosts: files dns
+netgroup: compat
+networks: files
+#passwd: compat
+passwd: files ldap
+passwd_compat: nis
+shells: files
+services: compat
+services_compat: nis
+protocols: files
+rpc: files
diff --git a/jails/config/atm/pam_ldap.conf b/jails/config/atm/pam_ldap.conf
new file mode 100644
index 0000000..a7064c6
--- /dev/null
+++ b/jails/config/atm/pam_ldap.conf
@@ -0,0 +1,17 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE ou=people,dc=infra
+URI ldaps://ldap.ahlawat.com:636
+ssl start_tls
+tls_cacert /mnt/certs/cacert.pem
+
+pam_login_attribute cn
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
diff --git a/jails/config/atm/pkgp.conf b/jails/config/atm/pkgp.conf
index 88840a2..7e874ec 100644
--- a/jails/config/atm/pkgp.conf
+++ b/jails/config/atm/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+ url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
diff --git a/jails/config/atm/sshd b/jails/config/atm/sshd
new file mode 100644
index 0000000..aa224a7
--- /dev/null
+++ b/jails/config/atm/sshd
@@ -0,0 +1,28 @@
+#
+# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth sufficient /usr/local/lib/pam_ldap.so no_warn
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
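Review bot: The `# password` stack has only `pam_unix.so`, so a password change driven through sshd for an LDAP-only user is attempted against the local passwd database, where the user does not exist. If LDAP users are expected to change passwords elsewhere, note it with `# LDAP users: password changes are not handled by this stack`; otherwise add `password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass` before the `pam_unix.so` line, mirroring the `auth` stack.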
diff --git a/jails/config/auto/portfolio b/jails/config/auto/portfolio
index f7983d9..98844e3 100755
--- a/jails/config/auto/portfolio
+++ b/jails/config/auto/portfolio
@@ -1,6 +1,6 @@
#!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/auto/producthunt b/jails/config/auto/producthunt
index f728221..144b025 100755
--- a/jails/config/auto/producthunt
+++ b/jails/config/auto/producthunt
@@ -1,6 +1,6 @@
#!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/book/cps b/jails/config/book/cps
index 3465783..ebaadaf 100755
--- a/jails/config/book/cps
+++ b/jails/config/book/cps
@@ -1,6 +1,6 @@
#!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/cam/camserver b/jails/config/cam/camserver
index 174104f..cbd11d6 100644
--- a/jails/config/cam/camserver
+++ b/jails/config/cam/camserver
@@ -1,6 +1,6 @@
#!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/cert/backup.sh b/jails/config/cert/backup.sh
new file mode 100755
index 0000000..c5060cb
--- /dev/null
+++ b/jails/config/cert/backup.sh
@@ -0,0 +1 @@
+cp -r /root/.acme.sh /mnt/config/secret/
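Review bot: The script is committed executable but has no interpreter line, does not stop on a failed copy, and neither creates nor checks the mode of `/mnt/config/secret/` before copying the acme.sh account and domain keys into it. `-r` is also the legacy spelling on FreeBSD cp(1) and without `-p` ownership and timestamps of the key files are not kept. Suggested body: `#!/bin/sh`, `set -eu`, `install -d -m 0700 /mnt/config/secret && cp -Rp /root/.acme.sh /mnt/config/secret/`.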
diff --git a/jails/config/common/freebsd-update.conf b/jails/config/common/freebsd-update.conf
new file mode 100644
index 0000000..3b6c64d
--- /dev/null
+++ b/jails/config/common/freebsd-update.conf
@@ -0,0 +1,77 @@
+# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+
+# Trusted keyprint. Changing this is a Bad Idea unless you've received
+# a PGP-signed email from telling you to
+# change it and explaining why.
+KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
+
+# Server or server pool from which to fetch updates. You can change
+# this to point at a specific server if you want, but in most cases
+# using a "nearby" server won't provide a measurable improvement in
+# performance.
+ServerName update.FreeBSD.org
+
+# Components of the base system which should be kept updated.
+#Components src world
+Components world
+
+# Example for updating the userland and the kernel source code only:
+# Components src/base src/sys world
+
+# Paths which start with anything matching an entry in an IgnorePaths
+# statement will be ignored.
+IgnorePaths
+
+# Paths which start with anything matching an entry in an IDSIgnorePaths
+# statement will be ignored by "freebsd-update IDS".
+IDSIgnorePaths /usr/share/man/cat
+IDSIgnorePaths /usr/share/man/whatis
+IDSIgnorePaths /var/db/locate.database
+IDSIgnorePaths /var/log
+
+# Paths which start with anything matching an entry in an UpdateIfUnmodified
+# statement will only be updated if the contents of the file have not been
+# modified by the user (unless changes are merged; see below).
+UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
+
+# When upgrading to a new FreeBSD release, files which match MergeChanges
+# will have any local changes merged into the version from the new release.
+MergeChanges /etc/ /boot/device.hints
+
+### Default configuration options:
+
+# Directory in which to store downloaded updates and temporary
+# files used by FreeBSD Update.
+# WorkDir /var/db/freebsd-update
+
+# Destination to send output of "freebsd-update cron" if an error
+# occurs or updates have been downloaded.
+# MailTo root
+
+# Is FreeBSD Update allowed to create new files?
+# AllowAdd yes
+
+# Is FreeBSD Update allowed to delete files?
+# AllowDelete yes
+
+# If the user has modified file ownership, permissions, or flags, should
+# FreeBSD Update retain this modified metadata when installing a new version
+# of that file?
+# KeepModifiedMetadata yes
+
+# When upgrading between releases, should the list of Components be
+# read strictly (StrictComponents yes) or merely as a list of components
+# which *might* be installed of which FreeBSD Update should figure out
+# which actually are installed and upgrade those (StrictComponents no)?
+# StrictComponents no
+
+# When installing a new kernel perform a backup of the old one first
+# so it is possible to boot the old kernel in case of problems.
+# BackupKernel yes
+
+# If BackupKernel is enabled, the backup kernel is saved to this
+# directory.
+# BackupKernelDir /boot/kernel.old
+
+# When backing up a kernel also back up debug symbol files?
+# BackupKernelSymbolFiles no
diff --git a/jails/config/common/pkgp.conf b/jails/config/common/pkgp.conf
index db11aa2..aaf9563 100644
--- a/jails/config/common/pkgp.conf
+++ b/jails/config/common/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+ url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
diff --git a/jails/config/common/snip-sendmail.sh b/jails/config/common/snip-sendmail.sh
index c92b4a1..7198c37 100755
--- a/jails/config/common/snip-sendmail.sh
+++ b/jails/config/common/snip-sendmail.sh
@@ -1,6 +1,6 @@
#! /usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/common/sshd_config b/jails/config/common/sshd_config
index d84a17e..bd6cd67 100644
--- a/jails/config/common/sshd_config
+++ b/jails/config/common/sshd_config
@@ -1,5 +1,5 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-# $FreeBSD: releng/12.1/crypto/openssh/sshd_config 338561 2018-09-10 16:20:12Z des $
+# $FreeBSD: releng/12.2/crypto/openssh/sshd_config 360313 2020-04-25 15:38:48Z emaste $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -105,7 +105,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
-#VersionAddendum FreeBSD-20180909
+#VersionAddendum FreeBSD-20200214
# no default banner path
#Banner none
diff --git a/jails/config/common/vncserver b/jails/config/common/vncserver
index 2652394..3a4eb07 100644
--- a/jails/config/common/vncserver
+++ b/jails/config/common/vncserver
@@ -1,6 +1,6 @@
#!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/db/my.cnf b/jails/config/db/my.cnf
index dcd7fb3..b92ca89 100644
--- a/jails/config/db/my.cnf
+++ b/jails/config/db/my.cnf
@@ -1,99 +1,13 @@
-# Example MySQL config file for small systems.
#
-# This is for a system with little memory (<= 64M) where MySQL is only used
-# from time to time and it's important that the mysqld daemon
-# doesn't use much resources.
+# This group is read both by the client and the server
+# use it for options that affect everything, see
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
#
-# MySQL programs look for option files in a set of
-# locations which depend on the deployment platform.
-# You can copy this option file to one of those
-# locations. For information about these locations, see:
-# http://dev.mysql.com/doc/mysql/en/option-files.html
+[client-server]
+port = 3306
+socket = /var/run/mysql/mysql.sock
+
#
-# In this file, you can use all long options that a program supports.
-# If you want to know which options a program supports, run the program
-# with the "--help" option.
-
-# The following options will be passed to all MySQL clients
-[client]
-#password = your_password
-port = 3306
-socket = /tmp/mysql.sock
-
-# Here follows entries for some specific programs
-
-# The MySQL server
-[mysqld]
-bind-address = *
-port = 3306
-socket = /tmp/mysql.sock
-skip-external-locking
-key_buffer_size = 16K
-max_allowed_packet = 64M
-table_open_cache = 16
-sort_buffer_size = 64K
-read_buffer_size = 256K
-read_rnd_buffer_size = 256K
-net_buffer_length = 2K
-thread_stack = 240K
-
-# Don't listen on a TCP/IP port at all. This can be a security enhancement,
-# if all processes that need to connect to mysqld run on the same host.
-# All interaction with mysqld must be made via Unix sockets or named pipes.
-# Note that using this option without enabling named pipes on Windows
-# (using the "enable-named-pipe" option) will render mysqld useless!
-#
-#skip-networking
-server-id = 1
-
-# Uncomment the following if you want to log updates
-#log-bin=mysql-bin
-
-# binary logging format - mixed recommended
-binlog_format=ROW
-
-# Causes updates to non-transactional engines using statement format to be
-# written directly to binary log. Before using this option make sure that
-# there are no dependencies between transactional and non-transactional
-# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
-# t_innodb; otherwise, slaves may diverge from the master.
-#binlog_direct_non_transactional_updates=TRUE
-
-# Uncomment the following if you are using InnoDB tables
-#innodb_data_home_dir = /var/db/mysql
-#innodb_data_file_path = ibdata1:10M:autoextend
-innodb_log_group_home_dir = /var/db/mysql-log
-# You can set .._buffer_pool_size up to 50 - 80 %
-# of RAM but beware of setting memory usage too high
-innodb_buffer_pool_size = 1G
-innodb_io_capacity=4000
-transaction-isolation = READ-COMMITTED
-# Set .._log_file_size to 25 % of buffer pool size
-innodb_log_file_size = 250M
-#innodb_log_buffer_size = 8M
-innodb_flush_log_at_trx_commit = 2
-#innodb_lock_wait_timeout = 50
-
-innodb_doublewrite = 0
-innodb_checksum_algorithm = none
-slow_query_log_file = /var/db/mysql-log/slow.log
-log-error = /var/db/mysql-log/error.log
-log_bin = /var/db/mysql-log/binlog
-relay_log = /var/db/mysql-log/relay-bin
-expire_logs_days = 7
-
-[mysqldump]
-quick
-max_allowed_packet = 16M
-
-[mysql]
-no-auto-rehash
-# Remove the next comment character if you are not familiar with SQL
-#safe-updates
-
-[myisamchk]
-key_buffer_size = 8M
-sort_buffer_size = 8M
-
-[mysqlhotcopy]
-interactive-timeout
+# include *.cnf from the config directory
+#
+!includedir /usr/local/etc/mysql/conf.d/
diff --git a/jails/config/db/my.cnf.oldversion b/jails/config/db/my.cnf.oldversion
new file mode 100644
index 0000000..dcd7fb3
--- /dev/null
+++ b/jails/config/db/my.cnf.oldversion
@@ -0,0 +1,99 @@
+# Example MySQL config file for small systems.
+#
+# This is for a system with little memory (<= 64M) where MySQL is only used
+# from time to time and it's important that the mysqld daemon
+# doesn't use much resources.
+#
+# MySQL programs look for option files in a set of
+# locations which depend on the deployment platform.
+# You can copy this option file to one of those
+# locations. For information about these locations, see:
+# http://dev.mysql.com/doc/mysql/en/option-files.html
+#
+# In this file, you can use all long options that a program supports.
+# If you want to know which options a program supports, run the program
+# with the "--help" option.
+
+# The following options will be passed to all MySQL clients
+[client]
+#password = your_password
+port = 3306
+socket = /tmp/mysql.sock
+
+# Here follows entries for some specific programs
+
+# The MySQL server
+[mysqld]
+bind-address = *
+port = 3306
+socket = /tmp/mysql.sock
+skip-external-locking
+key_buffer_size = 16K
+max_allowed_packet = 64M
+table_open_cache = 16
+sort_buffer_size = 64K
+read_buffer_size = 256K
+read_rnd_buffer_size = 256K
+net_buffer_length = 2K
+thread_stack = 240K
+
+# Don't listen on a TCP/IP port at all. This can be a security enhancement,
+# if all processes that need to connect to mysqld run on the same host.
+# All interaction with mysqld must be made via Unix sockets or named pipes.
+# Note that using this option without enabling named pipes on Windows
+# (using the "enable-named-pipe" option) will render mysqld useless!
+#
+#skip-networking
+server-id = 1
+
+# Uncomment the following if you want to log updates
+#log-bin=mysql-bin
+
+# binary logging format - mixed recommended
+binlog_format=ROW
+
+# Causes updates to non-transactional engines using statement format to be
+# written directly to binary log. Before using this option make sure that
+# there are no dependencies between transactional and non-transactional
+# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
+# t_innodb; otherwise, slaves may diverge from the master.
+#binlog_direct_non_transactional_updates=TRUE
+
+# Uncomment the following if you are using InnoDB tables
+#innodb_data_home_dir = /var/db/mysql
+#innodb_data_file_path = ibdata1:10M:autoextend
+innodb_log_group_home_dir = /var/db/mysql-log
+# You can set .._buffer_pool_size up to 50 - 80 %
+# of RAM but beware of setting memory usage too high
+innodb_buffer_pool_size = 1G
+innodb_io_capacity=4000
+transaction-isolation = READ-COMMITTED
+# Set .._log_file_size to 25 % of buffer pool size
+innodb_log_file_size = 250M
+#innodb_log_buffer_size = 8M
+innodb_flush_log_at_trx_commit = 2
+#innodb_lock_wait_timeout = 50
+
+innodb_doublewrite = 0
+innodb_checksum_algorithm = none
+slow_query_log_file = /var/db/mysql-log/slow.log
+log-error = /var/db/mysql-log/error.log
+log_bin = /var/db/mysql-log/binlog
+relay_log = /var/db/mysql-log/relay-bin
+expire_logs_days = 7
+
+[mysqldump]
+quick
+max_allowed_packet = 16M
+
+[mysql]
+no-auto-rehash
+# Remove the next comment character if you are not familiar with SQL
+#safe-updates
+
+[myisamchk]
+key_buffer_size = 8M
+sort_buffer_size = 8M
+
+[mysqlhotcopy]
+interactive-timeout
diff --git a/jails/config/db/server.cnf b/jails/config/db/server.cnf
new file mode 100644
index 0000000..19be077
--- /dev/null
+++ b/jails/config/db/server.cnf
@@ -0,0 +1,90 @@
+# Options specific to server applications, see
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
+
+# Options specific to all server programs
+[server]
+
+# Options specific to MariaDB server programs
+[server-mariadb]
+
+#
+# Options for specific server tools
+#
+
+[mysqld]
+user = mysql
+# port = 3306 # set in /usr/local/etc/mysql/my.cnf
+# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
+bind-address = *
+basedir = /usr/local
+datadir = /var/db/mysql
+net_retry_count = 16384
+# [mysqld] configuration for ZFS
+# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
+# Create separate datasets for data and logs, eg
+# zroot/mysql compression=on recordsize=128k atime=off
+# zroot/mysql/data recordsize=16k
+# zroot/mysql/logs
+datadir = /var/db/mysql
+innodb_log_group_home_dir = /var/db/mysql-log
+#audit_log_file = /var/db/mysql-log/audit.log
+general_log_file = /var/db/mysql-log/general.log
+log_bin = /var/db/mysql-log/mysql-bin
+relay_log = /var/db/mysql-log/relay-log
+slow_query_log_file = /var/db/mysql-log/slow.log
+innodb_doublewrite = 0
+innodb_flush_method = O_DSYNC
+
+##
+log-error = /var/db/mysql-log/error.log
+
+
+### custom optimizations
+skip-external-locking
+key_buffer_size = 16K
+max_allowed_packet = 64M
+table_open_cache = 16
+sort_buffer_size = 64K
+read_buffer_size = 256K
+read_rnd_buffer_size = 256K
+net_buffer_length = 2K
+thread_stack = 240K
+
+server-id = 1
+binlog_format=ROW
+
+innodb_buffer_pool_size = 1G
+innodb_io_capacity=4000
+transaction-isolation = READ-COMMITTED
+innodb_log_file_size = 250M
+innodb_flush_log_at_trx_commit = 2
+innodb_checksum_algorithm = none
+
+slow_query_log_file = /var/db/mysql-log/slow.log
+
+expire_logs_days = 7
+###
+
+
+# Options read by `mysqld_safe`
+# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
+[mariadb_safe]
+
+# Options read my `mariabackup`
+[mariabackup]
+
+# Options read by `mysql_upgrade`
+# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
+[mariadb-upgrade]
+
+# Specific options read by the mariabackup SST method
+[sst]
+
+# Options read by `mysqlbinlog`
+# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
+[mariadb-binlog]
+
+# Options read by `mysqladmin`
+# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
+[mariadb-admin]
+
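Review bot: `[mysqld]` sets `datadir = /var/db/mysql` twice (once next to `basedir`, again after the ZFS comment block) and `slow_query_log_file` twice (in the ZFS block and under `### custom optimizations`); MariaDB takes the last value so nothing breaks, but the duplicates hide which line is effective, so keep one of each. `innodb_checksum_algorithm = none` switches off InnoDB page checksums; ZFS verifies the blocks it wrote, which does not cover a page that was already damaged when InnoDB handed it over, so a comment stating that this and `innodb_flush_log_at_trx_commit = 2` are deliberate trade-offs belongs above the `### custom optimizations` header. `bind-address = *` listens on every jail address, which is fine inside a jail but deserves one line naming the expected clients.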
diff --git a/jails/config/monitor/elasticsearch.yml b/jails/config/elk/elasticsearch.yml
similarity index 89%
rename from jails/config/monitor/elasticsearch.yml
rename to jails/config/elk/elasticsearch.yml
index 80c2530..672bc78 100755
--- a/jails/config/monitor/elasticsearch.yml
+++ b/jails/config/elk/elasticsearch.yml
@@ -36,7 +36,6 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
-
#
# ----------------------------------- Paths ------------------------------------
#
@@ -76,16 +75,17 @@ network.host: _epair0b_
#
# --------------------------------- Discovery ----------------------------------
#
-# Pass an initial list of hosts to perform discovery when new node is started:
+# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
-#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
+#discovery.seed_hosts: ["host1", "host2"]
#
-# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
+# Bootstrap the cluster using an initial set of master-eligible nodes:
#
-#discovery.zen.minimum_master_nodes:
+cluster.initial_master_nodes: ["node-1"]
+#cluster.initial_master_nodes: ["node-1", "node-2"]
#
-# For more information, consult the zen discovery module documentation.
+# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
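Review bot: `cluster.initial_master_nodes: ["node-1"]` only works if `node.name`, which is set outside this hunk, is literally `node-1`, and Elasticsearch documents that the setting should be removed once the cluster has formed, because on a later restart it can let a node bootstrap a fresh cluster instead of rejoining the existing one. A comment such as `# bootstrap only: remove after the cluster has formed` on that line would make the intent clear. The commented two-node variant below it is fine as a template.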
diff --git a/jails/config/elk/fstab b/jails/config/elk/fstab
new file mode 100644
index 0000000..2a3751c
--- /dev/null
+++ b/jails/config/elk/fstab
@@ -0,0 +1,2 @@
+fdesc /dev/fd fdescfs rw,auto 0 0
+proc /proc procfs rw,auto 0 0
diff --git a/jails/config/monitor/heartbeat.yml b/jails/config/elk/heartbeat.yml
similarity index 58%
rename from jails/config/monitor/heartbeat.yml
rename to jails/config/elk/heartbeat.yml
index 6378e12..382ad45 100644
--- a/jails/config/monitor/heartbeat.yml
+++ b/jails/config/elk/heartbeat.yml
@@ -24,8 +24,7 @@ heartbeat.monitors:
- type: http
# List or urls to query
- #urls: ["http://localhost:9200"]
- urls: ["https://google.com","https://aws.amazon.com"]
+ urls: ["https://cloud.google.com","https://azure.microsoft.com","https://aws.amazon.com"]
# Configure task schedule
schedule: '@every 10s'
@@ -56,46 +55,6 @@ setup.template.settings:
# env: staging
-#================================= Paths ======================================
-
-# The home path for the filebeat installation. This is the default base path
-# for all other path settings and for miscellaneous files that come with the
-# distribution (for example, the sample dashboards).
-# If not set by a CLI flag or in the configuration file, the default for the
-# home path is the location of the binary.
-#path.home:
-
-# The configuration path for the filebeat installation. This is the default
-# base path for configuration files, including the main YAML configuration file
-# and the Elasticsearch template file. If not set by a CLI flag or in the
-# configuration file, the default for the configuration path is the home path.
-#path.config: ${path.home}
-
-# The data path for the filebeat installation. This is the default base path
-# for all the files in which filebeat needs to store its data. If not set by a
-# CLI flag or in the configuration file, the default for the data path is a data
-# subdirectory inside the home path.
-#path.data: ${path.home}/data
-
-# The logs path for a filebeat installation. This is the default location for
-# the Beat's log files. If not set by a CLI flag or in the configuration file,
-# the default for the logs path is a logs subdirectory inside the home path.
-#path.logs: ${path.home}/logs
-
-
-#============================== Dashboards =====================================
-# These settings control loading the sample dashboards to the Kibana index. Loading
-# the dashboards is disabled by default and can be enabled either by setting the
-# options here, or by using the `-setup` CLI flag or the `setup` command.
-#setup.dashboards.enabled: false
-#setup.dashboards.enabled: true
-
-# The URL from where to download the dashboards archive. By default this URL
-# has a value which is computed based on the Beat name and version. For released
-# versions, this URL points to the dashboard archive on the artifacts.elastic.co
-# website.
-#setup.dashboards.url:
-
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
@@ -106,9 +65,7 @@ setup.kibana:
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
- #host: "localhost:5601"
- #host: "https://kibanax.diyit.org:443"
- host: "http://kibanax.diyit.org:5601"
+ host: "http://elk.diyit.org:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
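Review bot: The new `host: "http://elk.diyit.org:5601"` speaks plain HTTP to Kibana, while the kibana.yml in this same commit carries `server.ssl.certificate` and `server.ssl.key`, so if Kibana has server.ssl.enabled set, the dashboard setup call either fails against the TLS listener or, where a plain listener is also exposed, goes over the network unencrypted. If Kibana is TLS-only this should read `host: "https://elk.diyit.org:5601"`, paired with the CA file that the Logstash output section of this file already names in a commented line. The enclosing setup.kibana block starts outside the hunk.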
@@ -117,7 +74,7 @@ setup.kibana:
#============================= Elastic Cloud ==================================
-# These settings simplify using heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
+# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
@@ -137,36 +94,40 @@ setup.kibana:
# Array of hosts to connect to.
#hosts: ["localhost:9200"]
- # Enabled ilm (beta) to use index lifecycle management instead daily indices.
- #ilm.enabled: false
-
- # Optional protocol and basic auth credentials.
+ # Protocol - either `http` (default) or `https`.
#protocol: "https"
+
+ # Authentication credentials - either API key or username/password.
+ #api_key: "id:api_key"
#username: "elastic"
#password: "changeme"
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
- hosts: ["kibanax.diyit.org:5044"]
+ hosts: ["elk.diyit.org:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
- #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+ #ssl.certificate_authorities: ["/mnt/certs/cacert.pem"]
# Certificate for SSL client authentication
- #ssl.certificate: "/etc/pki/client/cert.pem"
+ #ssl.certificate: "/mnt/certs/diyfullchain.pem"
# Client Certificate Key
- #ssl.key: "/etc/pki/client/cert.key"
+ #ssl.key: "/mnt/certs/diyprivkeyr.pem"
#================================ Processors =====================================
-# Configure processors to enhance or manipulate events generated by the beat.
-
processors:
- - add_host_metadata: ~
- - add_cloud_metadata: ~
+ - add_observer_metadata:
+ # Optional, but recommended geo settings for the location Heartbeat is running in
+ #geo:
+ # Token describing this location
+ #name: us-east-1a
+
+ # Lat, Lon "
+ #location: "37.926868, -78.024902"
#================================ Logging =====================================
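Review bot: `hosts: ["elk.diyit.org:5044"]` is the only live line of the Logstash output; every `ssl.*` line beneath it stays commented out, and the Logstash beats input in this same commit has `ssl => false`, so Heartbeat ships its results in cleartext even though the CA and certificate paths were just updated to real files. When TLS is turned on, `ssl.certificate_authorities: ["/mnt/certs/cacert.pem"]` is the line to uncomment first; `ssl.certificate` and `ssl.key` are only needed for client authentication, and the key they point at (`/mnt/certs/diyprivkeyr.pem`) is the same server key kibana.yml and logstash.conf use, so a beat-specific client key would avoid sharing one private key across three services. The `# Lat, Lon "` comment also carries a stray quote.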
@@ -178,20 +139,30 @@ processors:
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
-logging.to_syslog: true
-logging.to_files: false
-#============================== Xpack Monitoring ===============================
+#============================== X-Pack Monitoring ===============================
# heartbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
-#xpack.monitoring.enabled: false
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the
-# Elasticsearch output are accepted here as well. Any setting that is not set is
-# automatically inherited from the Elasticsearch output configuration, so if you
-# have the Elasticsearch output configured, you can simply uncomment the
-# following line.
-#xpack.monitoring.elasticsearch:
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true
diff --git a/jails/config/elk/jvm.options b/jails/config/elk/jvm.options
new file mode 100755
index 0000000..67dd885
--- /dev/null
+++ b/jails/config/elk/jvm.options
@@ -0,0 +1,77 @@
+## JVM configuration
+
+################################################################
+## IMPORTANT: JVM heap size
+################################################################
+##
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## for more information
+##
+################################################################
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
+-Xms4g
+-Xmx4g
+
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+
+## GC configuration
+8-13:-XX:+UseConcMarkSweepGC
+8-13:-XX:CMSInitiatingOccupancyFraction=75
+8-13:-XX:+UseCMSInitiatingOccupancyOnly
+
+## G1GC Configuration
+# NOTE: G1 GC is only supported on JDK version 10 or later
+# to use G1GC, uncomment the next two lines and update the version on the
+# following three lines to your version of the JDK
+# 10-13:-XX:-UseConcMarkSweepGC
+# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
+14-:-XX:+UseG1GC
+14-:-XX:G1ReservePercent=25
+14-:-XX:InitiatingHeapOccupancyPercent=30
+
+## JVM temporary directory
+-Djava.io.tmpdir=${ES_TMPDIR}
+
+## heap dumps
+
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# specify an alternative path for heap dumps; ensure the directory exists and
+# has sufficient space
+-XX:HeapDumpPath=data
+
+# specify an alternative path for JVM fatal error logs
+-XX:ErrorFile=logs/hs_err_pid%p.log
+
+## JDK 8 GC logging
+8:-XX:+PrintGCDetails
+8:-XX:+PrintGCDateStamps
+8:-XX:+PrintTenuringDistribution
+8:-XX:+PrintGCApplicationStoppedTime
+8:-Xloggc:${ES_TMPDIR}/gc.log
+8:-XX:+UseGCLogFileRotation
+8:-XX:NumberOfGCLogFiles=32
+8:-XX:GCLogFileSize=64m
+
+# JDK 9+ GC logging
+9-:-Xlog:gc*,gc+age=trace,safepoint:file=${ES_TMPDIR}/gc.log:utctime,pid,tags:filecount=32,filesize=64m
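Review bot: `-XX:HeapDumpPath=data` is a relative path, and the comment above `-XX:+HeapDumpOnOutOfMemoryError` says dumps land in the JVM's working directory, which the rc.d script added in this commit does not set; a heap dump holds whatever was in memory, including credentials and indexed data, so where it ends up and with what permissions should not be left implicit. An absolute directory owned by the elasticsearch user with a mode tighter than the 755 the rc script uses for its directories, e.g. `-XX:HeapDumpPath=/var/db/elasticsearch/heapdumps` (a constructed path) created in the script's precmd, makes that explicit, and the same applies to `-XX:ErrorFile=logs/hs_err_pid%p.log`.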
diff --git a/jails/config/monitor/kibana.yml b/jails/config/elk/kibana.yml
similarity index 93%
rename from jails/config/monitor/kibana.yml
rename to jails/config/elk/kibana.yml
index 189fc03..5dcb9e7 100644
--- a/jails/config/monitor/kibana.yml
+++ b/jails/config/elk/kibana.yml
@@ -25,7 +25,7 @@ server.host: "::"
server.name: "kibana.diyit.org"
# The URLs of the Elasticsearch instances to use for all your queries.
-elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
+elasticsearch.hosts: ["https://elk.diyit.org:9200"]
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
@@ -53,7 +53,8 @@ server.ssl.certificate: /mnt/certs/diyfullchain.pem
server.ssl.key: /mnt/certs/diyprivkeyr.pem
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files validate that your Elasticsearch backend uses the same key files.
+# These files are used to verify the identity of Kibana to Elasticsearch and are required when
+# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
@@ -110,4 +111,5 @@ elasticsearch.ssl.verificationMode: full
#ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
+# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en"
diff --git a/jails/config/monitor/logstash.conf b/jails/config/elk/logstash.conf
similarity index 80%
rename from jails/config/monitor/logstash.conf
rename to jails/config/elk/logstash.conf
index 90ac4cb..dd20319 100644
--- a/jails/config/monitor/logstash.conf
+++ b/jails/config/elk/logstash.conf
@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -10,6 +10,7 @@ input {
beats {
port => 5044
ssl => false
+ #https://discuss.elastic.co/t/problem-with-cipher-in-beat-input/67841
ssl_key => '/mnt/certs/diyprivkeyr.pem'
ssl_certificate => '/mnt/certs/diyfullchain.pem'
ssl_certificate_authorities => ["/mnt/certs/cacert.pem"]
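Review bot: With `ssl => false` two lines above the added link, `ssl_key`, `ssl_certificate` and `ssl_certificate_authorities` are dead configuration and port 5044 accepts beats traffic in cleartext from any host that can reach it; the link explains the cipher trouble, but nothing in the file says TLS was switched off deliberately. A comment such as `# TLS disabled on purpose until the cipher issue in the thread below is resolved; re-enable with ssl => true` would make the state reviewable, and once re-enabled `ssl_verify_mode => "force_peer"` is what turns the CA line into actual client authentication. The beats input block starts before this hunk.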
@@ -22,7 +23,7 @@ output {
ssl => true
ssl_certificate_verification => true
cacert => '/mnt/certs/cacert.pem'
- hosts => ["https://kibanax.diyit.org:9200"]
+ hosts => ["https://elk.diyit.org:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
user => "elastic"
password => "${es_pwd}"
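Review bot: `user => "elastic"` gives the Logstash indexing pipeline the built-in superuser, so a leaked `${es_pwd}` or a compromised Logstash jail yields full cluster control rather than write access to the `%{[@metadata][beat]}-*` indices this output creates. A dedicated user holding a role limited to create/index on those index patterns (the writer-role example from the Elastic docs) keeps the keystore lookup unchanged, e.g. `user => "logstash_writer"` with the matching key in the keystore. The output block starts before this hunk.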
diff --git a/jails/config/monitor/logstash.keystore b/jails/config/elk/logstash.keystore
similarity index 100%
rename from jails/config/monitor/logstash.keystore
rename to jails/config/elk/logstash.keystore
diff --git a/jails/config/monitor/logstash.yml b/jails/config/elk/logstash.yml
similarity index 90%
rename from jails/config/monitor/logstash.yml
rename to jails/config/elk/logstash.yml
index 4283127..0b96d42 100644
--- a/jails/config/monitor/logstash.yml
+++ b/jails/config/elk/logstash.yml
@@ -16,7 +16,6 @@
#
# Use a descriptive name for the node:
#
-# node.name: test
node.name: logstash
#
# If omitted the node name will default to the machine's host name
@@ -26,7 +25,6 @@ node.name: logstash
# Which directory should be used by logstash and its plugins
# for any persistent needs. Defaults to LOGSTASH_HOME/data
#
-# path.data:
path.data: /var/db/logstash
#
# ------------ Pipeline Settings --------------
@@ -40,7 +38,7 @@ path.data: /var/db/logstash
#
# This defaults to the number of the host's CPU cores.
#
-pipeline.workers: 8
+pipeline.workers: 4
#
# How many events to retrieve from inputs before sending to filters+workers
#
@@ -207,7 +205,6 @@ path.config: /usr/local/etc/logstash/logstash.conf
# * trace
#
# log.level: info
-#log.level: debug
# path.logs:
#
# ------------ Other Settings --------------
@@ -215,17 +212,24 @@ path.config: /usr/local/etc/logstash/logstash.conf
# Where to find custom plugins
# path.plugins: []
#
+# Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
+# Default is false
+# pipeline.separate_logs: false
+#
# ------------ X-Pack Settings (not applicable for OSS build)--------------
#
# X-Pack Monitoring
# https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
-xpack.monitoring.enabled: true
+xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: a746MPWa1AVieOJlDtM2
-xpack.monitoring.elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
+xpack.monitoring.elasticsearch.hosts: ["https://elk.diyit.org:9200"]
#xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
-xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.pem"
-#xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file
+# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
+#xpack.monitoring.elasticsearch.cloud_id: monitoring_cluster_id:xxxxxxxxxx
+#xpack.monitoring.elasticsearch.cloud_auth: logstash_system:password
+xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.crt"
+#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
#xpack.monitoring.elasticsearch.ssl.truststore.password: password
#xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
#xpack.monitoring.elasticsearch.ssl.keystore.password: password
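Review bot: `xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.crt"` names a `.crt` file while every other file in this commit (logstash.conf, heartbeat.yml, updateCerts.sh) uses `/mnt/certs/cacert.pem`; with monitoring now set to `false` the mismatch is latent, but the moment it is re-enabled the `verification_mode: certificate` setting in this file will fail on a missing CA, so it should read `"/mnt/certs/cacert.pem"` unless a separate `.crt` really exists. The `xpack.monitoring.elasticsearch.password` line still carries the logstash_system password in clear text in a committed file, whereas logstash.conf in this same commit already reads its password from the keystore via `${es_pwd}`; moving this one to `"${logstash_system_pwd}"` (a constructed keystore key name) and rotating the committed value would take the secret out of the repository.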
@@ -241,6 +245,9 @@ xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
#xpack.management.elasticsearch.username: logstash_admin_user
#xpack.management.elasticsearch.password: password
#xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
+# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
+#xpack.management.elasticsearch.cloud_id: management_cluster_id:xxxxxxxxxx
+#xpack.management.elasticsearch.cloud_auth: logstash_admin_user:password
#xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
#xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
#xpack.management.elasticsearch.ssl.truststore.password: password
diff --git a/jails/config/elk/rc.d/elasticsearch b/jails/config/elk/rc.d/elasticsearch
new file mode 100755
index 0000000..4394d80
--- /dev/null
+++ b/jails/config/elk/rc.d/elasticsearch
@@ -0,0 +1,130 @@
+#!/bin/sh
+#
+# $FreeBSD: head/textproc/elasticsearch7/files/elasticsearch.in 538703 2020-06-13 22:41:04Z glewis $
+#
+# PROVIDE: elasticsearch
+# REQUIRE: NETWORKING SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following line to /etc/rc.conf to enable elasticsearch:
+#
+# elasticsearch_enable="YES"
+#
+# elasticsearch_user (username): Set to elasticsearch by default.
+# Set it to required username.
+# elasticsearch_group (group): Set to elasticsearch by default.
+# Set it to required group.
+# elasticsearch_config (path): Set to /usr/local/etc/elasticsearch/elasticsearch.yml by default.
+# Set it to the config file location.
+# elasticsearch_java_home (path): Set to /usr/local/openjdk8 by default.
+# Set it to the root of the JDK to use.
+#
+. /etc/rc.subr
+
+name=elasticsearch
+rcvar=elasticsearch_enable
+
+load_rc_config ${name}
+
+: ${elasticsearch_enable:=NO}
+: ${elasticsearch_user=elasticsearch}
+: ${elasticsearch_group=elasticsearch}
+: ${elasticsearch_config=/usr/local/etc/elasticsearch}
+: ${elasticsearch_login_class=root}
+: ${elasticsearch_java_home="/usr/local/openjdk11"}
+
+required_files="${elasticsearch_config}/elasticsearch.yml"
+_pidprefix=/var/run/elasticsearch/elasticsearch
+pidfile=${_pidprefix}.pid
+procname=${elasticsearch_java_home}/bin/java
+
+extra_commands="console status"
+console_cmd=elasticsearch_console
+start_precmd=elasticsearch_precmd
+command=/usr/local/lib/elasticsearch/bin/elasticsearch
+command_args="-d --pidfile=${pidfile}"
+
+export ES_PATH_CONF=${elasticsearch_config}
+export JAVA_HOME=${elasticsearch_java_home}
+
+elasticsearch_precmd()
+{
+ /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 ${pidfile%/*}
+ /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/db/elasticsearch
+ /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/log/elasticsearch
+}
+
+elasticsearch_console()
+{
+ command_args=""
+ run_rc_command "start"
+}
+
+if [ -n "$2" ]; then
+ profile="$2"
+ if [ "x${elasticsearch_profiles}" != "x" ]; then
+ eval elasticsearch_config="\${elasticsearch_${profile}_config:-}"
+ if [ "x${elasticsearch_config}" = "x" ]; then
+ echo "You must define a configuration (elasticsearch_${profile}_config)"
+ exit 1
+ fi
+ export ES_PATH_CONF=${elasticsearch_config}
+ required_files="${elasticsearch_config}/elasticsearch.yml"
+ required_files="${elasticsearch_config}/jvm.options"
+ eval elasticsearch_enable="\${elasticsearch_${profile}_enable:-${elasticsearch_enable}}"
+ pidfile="${_pidprefix}.${profile}.pid"
+ command_args="-d --pidfile=${pidfile}"
+ echo "===> elasticsearch profile: ${profile}"
+ else
+ echo "$0: extra argument ignored"
+ fi
+else
+ if [ "x${elasticsearch_profiles}" != "x" -a "x$1" != "x" ]; then
+ for profile in ${elasticsearch_profiles}; do
+ eval _enable="\${elasticsearch_${profile}_enable}"
+ case "x${_enable:-${elasticsearch_enable}}" in
+ x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
+ continue
+ ;;
+ x[Yy][Ee][Ss])
+ ;;
+ *)
+ if test -z "$_enable"; then
+ _var=elasticsearch_enable
+ else
+ _var=elasticsearch_"${profile}"_enable
+ fi
+ echo "Bad value" \
+ "'${_enable:-${elasticsearch_enable}}'" \
+ "for ${_var}. " \
+ "Profile ${profile} skipped."
+ continue
+ ;;
+ esac
+ /usr/local/etc/rc.d/elasticsearch $1 ${profile}
+ retcode="$?"
+ if [ "0${retcode}" -ne 0 ]; then
+ failed="${profile} (${retcode}) ${failed:-}"
+ else
+ success="${profile} ${success:-}"
+ fi
+ done
+ exit 0
+ fi
+fi
+
+if [ "x${elasticsearch_mem_min}" != "x" ]; then
+ echo "The elasticsearch_mem_min variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
+ exit 1;
+fi
+if [ "x${elasticsearch_mem_max}" != "x" ]; then
+ echo "The elasticsearch_mem_max variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
+ exit 1;
+fi
+if [ "x${elasticsearch_props}" != "x" ]; then
+ echo "The elasticsearch_props variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
+ exit 1;
+fi
+
+run_rc_command "$1"
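Review bot: In the profile branch the two consecutive `required_files=` assignments overwrite each other, so when a profile is selected only jvm.options is checked and a missing elasticsearch.yml is no longer caught before start; it should be `required_files="${elasticsearch_config}/elasticsearch.yml ${elasticsearch_config}/jvm.options"`. The header comment documents `elasticsearch_java_home` as defaulting to /usr/local/openjdk8 while the script sets `/usr/local/openjdk11`, and it does not mention `elasticsearch_login_class`, which this script defaults to `root` and which determines the resource limits the service runs under.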
diff --git a/jails/config/elk/rc.d/logstash b/jails/config/elk/rc.d/logstash
new file mode 100755
index 0000000..ba1d6d8
--- /dev/null
+++ b/jails/config/elk/rc.d/logstash
@@ -0,0 +1,121 @@
+#!/bin/sh
+
+# Configuration settings for logstash in /etc/rc.conf:
+#
+# PROVIDE: logstash
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+#
+# logstash_enable (bool):
+# Default value: "NO"
+# Flag that determines whether Logstash is enabled.
+#
+# logstash_home (string):
+# Default value: "/usr/local/logstash"
+# Logstash installation directory.
+#
+# logstash_config (string):
+# Default value: /usr/local/etc/${name}
+# Logstash configuration path.
+#
+# logstash_log (bool):
+# Set to "NO" by default.
+# Set it to "YES" to enable logstash logging to file
+# Default output to /var/log/logstash.log
+#
+# logstash_log_file (string):
+# Default value: "${logdir}/${name}.log"
+# Log file path.
+#
+# logstash_java_home (string):
+# Default value: "/usr/local/openjdk8"
+# Root directory of the desired Java SDK.
+# The JAVA_HOME environment variable is set with the contents of this
+# variable.
+#
+# logstash_java_opts (string):
+# Default value: ""
+# Options to pass to the Java Virtual Machine.
+# The JAVA_OPTS environment variable is set with the contents of this
+# variable.
+#
+# logstash_opts (string):
+# Default value: ""
+# Additional command line flags for logstash, eg. "-r"
+#
+
+. /etc/rc.subr
+
+name=logstash
+rcvar=logstash_enable
+
+load_rc_config ${name}
+
+logdir="/var/log"
+
+: ${logstash_enable="NO"}
+: ${logstash_user="logstash"}
+: ${logstash_group="logstash"}
+: ${logstash_home="/usr/local/logstash"}
+: ${logstash_config="/usr/local/etc/logstash"}
+: ${logstash_log="YES"}
+: ${logstash_log_dir="${logdir}/${name}"}
+: ${logstash_java_home="/usr/local/openjdk11"}
+: ${logstash_java_opts=""}
+: ${logstash_opts=""}
+
+pidfile=/var/run/${name}/${name}.pid
+
+extra_commands="configtest reload"
+start_precmd="logstash_precmd"
+configtest_cmd=configtest
+
+logstash_cmd="${logstash_home}/bin/logstash"
+procname="${logstash_java_home}/bin/java"
+
+logstash_chdir=${logstash_home}
+logstash_log_options=""
+
+if checkyesno logstash_log; then
+ logstash_log_options=" -l ${logstash_log_dir}"
+fi
+
+logstash_args="--path.settings ${logstash_config} ${logstash_log_options} ${logstash_opts}"
+
+JAVA_OPTS="${logstash_java_opts}"
+JAVA_HOME="${logstash_java_home}"
+export JAVA_OPTS
+export JAVA_HOME
+
+command="/usr/sbin/daemon"
+command_args="-f -p ${pidfile} ${logstash_cmd} ${logstash_args}"
+required_files="${logstash_home} ${logstash_java_home} ${logstash_cmd} ${logstash_config}"
+
+# Include /usr/local/bin in path because Logstash startup scripts
+# assume bash is in path.
+PATH=/usr/local/bin:$PATH
+
+logstash_precmd()
+{
+ /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${pidfile%/*}
+ /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${logstash_log_dir}
+ /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/db/logstash
+ /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/run/logstash
+
+ if [ -d ${logstash_home}/data/queue ]; then
+ chown ${logstash_user}:${logstash_group} ${logstash_home}/data/queue
+ fi
+}
+
+configtest()
+{
+ echo "${name} configtest:"
+ echo "WARNING: this does not check validity of Grok patterns!"
+ echo "WARNING: this does not check validity of Grok patterns!"
+ echo "WARNING: this does not check validity of Grok patterns!"
+ ${logstash_cmd} --path.settings ${logstash_config} --config.test_and_exit
+}
+
+
+run_rc_command "$1"
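Review bot: The header documents `logstash_log` as defaulting to "NO", `logstash_java_home` to /usr/local/openjdk8 and a `logstash_log_file` variable, but the script sets `logstash_log="YES"`, `/usr/local/openjdk11` and uses `logstash_log_dir` instead; the comment block should be brought in line with the `: ${…}` defaults so an operator editing rc.conf is not misled. In logstash_precmd the first and fourth `install -d` lines create the same directory (`${pidfile%/*}` expands to /var/run/logstash), so one can go, and configtest prints its Grok warning three times where once is enough.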
diff --git a/jails/config/elk/start_logstash.sh b/jails/config/elk/start_logstash.sh
new file mode 100755
index 0000000..c63a84d
--- /dev/null
+++ b/jails/config/elk/start_logstash.sh
@@ -0,0 +1,7 @@
+ps axww | grep logstash
+echo press any key to continue - ctrl-c to abort
+read X
+mount proc
+service logstash start
+#/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
+ps axww | grep logstash
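Review bot: The file has no shebang although its mode is 100755, so which shell interprets it depends on the caller; `#!/bin/sh` as the first line would pin it. Both `ps axww | grep logstash` lines also list the grep process itself; `grep '[l]ogstash'` avoids that.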
diff --git a/jails/config/elk/updateCerts.sh b/jails/config/elk/updateCerts.sh
new file mode 100755
index 0000000..7369574
--- /dev/null
+++ b/jails/config/elk/updateCerts.sh
@@ -0,0 +1,3 @@
+cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs
+cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs
+service elasticsearch restart
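Review bot: The two `cp` lines copy the server private key (the `diy*.pem` glob covers diyprivkeyr.pem) into the Elasticsearch config directory without setting owner or mode, so the key ends up with whatever the caller's umask produces, and `service elasticsearch restart` runs even when a copy failed, restarting the service on stale or missing files. The script should stop on the first error and then restrict the key to the elasticsearch user that the rc.d script in this commit runs the service as; the file also lacks a shebang.
```shell
#!/bin/sh
set -e
cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs
cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs
chown elasticsearch:elasticsearch /usr/local/etc/elasticsearch/certs/*.pem
chmod 600 /usr/local/etc/elasticsearch/certs/diyprivkeyr.pem
service elasticsearch restart
```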
diff --git a/jails/config/git/gitea/options/license b/jails/config/git/gitea/options/license
index 537fdf1..e968406 100644
--- a/jails/config/git/gitea/options/license
+++ b/jails/config/git/gitea/options/license
@@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
All rights reserved.
Redistribution and use in source and binary forms, with or without
diff --git a/jails/config/git/gitea/public/diyit-org-license.txt b/jails/config/git/gitea/public/diyit-org-license.txt
index 537fdf1..e968406 100644
--- a/jails/config/git/gitea/public/diyit-org-license.txt
+++ b/jails/config/git/gitea/public/diyit-org-license.txt
@@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
All rights reserved.
Redistribution and use in source and binary forms, with or without
diff --git a/jails/config/hass/.tmux.conf b/jails/config/hass/.tmux.conf
new file mode 100644
index 0000000..b370482
--- /dev/null
+++ b/jails/config/hass/.tmux.conf
@@ -0,0 +1,12 @@
+unbind C-b
+set -g prefix C-a
+bind C-a send-prefix
+
+setw -g mouse on
+
+# Set the default terminal mode to 256color mode
+set -g default-terminal "xterm-256color"
+
+# enable activity alerts
+setw -g monitor-activity on
+set -g visual-activity on
diff --git a/jails/config/hass/hass.sh b/jails/config/hass/hass.sh
new file mode 100755
index 0000000..1b0cb84
--- /dev/null
+++ b/jails/config/hass/hass.sh
@@ -0,0 +1,15 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./hass.sh under tmux
+
+cd /data/homeassistant/
+source bin/activate
+hass
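Review bot: `cd /data/homeassistant/` is not checked, so if the directory is missing `source bin/activate` and `hass` run against the caller's current directory instead of the virtualenv; `cd /data/homeassistant/ || exit 1` closes that gap. The comment `# ./hass.sh under tmux` says how the script is invoked but not that it expects an activatable virtualenv at that path, which a one-line note above the `cd` would cover.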
diff --git a/jails/config/hass/heyu.sh b/jails/config/hass/heyu.sh
new file mode 100755
index 0000000..cd5c581
--- /dev/null
+++ b/jails/config/hass/heyu.sh
@@ -0,0 +1,15 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./hass.sh under tmux
+
+heyu start
+heyu info
+heyu monitor
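Review bot: The comment `# ./hass.sh under tmux` was carried over from hass.sh and names the wrong script; it should read `# ./heyu.sh under tmux`. A short line stating what the three `heyu` calls are expected to do (which one stays in the foreground for the tmux window) would make the sequence self-explanatory, since the header otherwise says nothing about it.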
diff --git a/jails/config/hass/setup_jail.sh b/jails/config/hass/setup_jail.sh
new file mode 100755
index 0000000..1081df9
--- /dev/null
+++ b/jails/config/hass/setup_jail.sh
@@ -0,0 +1,4 @@
+# requrired to run other configured scripts
+/bin/sh /etc/rc
+# launch tmux with jails
+/mnt/config/startsessions.sh
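Review bot: The script has no shebang although its mode is 100755, and the first comment misspells "required"; `#!/bin/sh` as the first line and `# required to run other configured scripts` fix both. `/bin/sh /etc/rc` runs the jail's full rc sequence, which is worth stating in the comment since it is not obvious that this is meant as the jail's boot entry point.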
diff --git a/jails/config/hass/startsessions.sh b/jails/config/hass/startsessions.sh
new file mode 100755
index 0000000..ac73f1c
--- /dev/null
+++ b/jails/config/hass/startsessions.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+session="sess_tmux"
+
+# set up tmux
+tmux start-server
+
+# create a new tmux session, naming the window freepbx
+tmux new-session -d -s $session -n hass
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./hass.sh" C-m
+
+# create a new window windows
+tmux new-window -t $session:1 -n heyu
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./heyu.sh" C-m
+
+# return to main window
+tmux select-window -t $session:0
+tmux selectp -t 1
+
+# Finished setup, attach to the tmux session!
+#tmux attach-session -t $session
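Review bot: The comment `# create a new tmux session, naming the window freepbx` contradicts the command below it, which names the window `hass`; it should read `# create a new tmux session, naming the first window hass`. Likewise `# create a new window windows` should say what the window is for, e.g. `# second window runs heyu`.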
diff --git a/jails/config/hass/x10.conf b/jails/config/hass/x10.conf
new file mode 100644
index 0000000..8dde3dd
--- /dev/null
+++ b/jails/config/hass/x10.conf
@@ -0,0 +1,264 @@
+# Example Heyu configuration file. Copy this to file 'x10config' in
+# directory $HOME/.heyu/ and modify as required. This example uses
+# features which are new to heyu version 2
+# and which will not be recognized by heyu version 1.xx.
+
+# Note: This example file describes only a few of the most commom
+# configuration directives. For the complete list see man page
+# x10config(5).
+
+# Anything on a line between a '#' character and the end of the line is
+# treated as a comment and ignored by Heyu, as are blank lines.
+# The various configuration directives in this file can be in any order
+# except that ALIAS directives must appear before any other directive
+# which references the alias label in place of a housecode|unit address.
+# See 'man x10config' for additional information and directives.
+
+# Serial port to which the CM11a is connected. Default is /dev/ttyS0.
+
+tty /dev/ttyU1
+check_ri_line NO
+
+# If you have an X10 compatible RF receiver connected to a second
+# serial port, use the TTY_AUX directive to specify the serial port
+# and model of receiver. Supported receivers are W800RF32, MR26A,
+# and RFXCOM. There are no defaults.
+
+tty_aux /dev/ttyU0 MR26A
+
+# The CM19A is both a receiver and transmitter for X10 RF signals.
+# The MR26A is a receiver only.
+# The CM19A is USB and the MR26A is serial port
+
+# Base housecode. The default is A.
+
+#housecode A
+
+# Aliases:
+# Format: ALIAS Label Housecode|Unitcode_string [Module_Type]
+
+# The label is limited to 32 characters in length and is case-sensitive,
+# e.g., Front_Porch and front_porch are treated as different labels.
+# Each alias may reference a single unitcode or a multiple unitcode
+# string (no embedded blanks), but is limited to one housecode.
+
+# The optional Module_Type is the general type or specific model number
+# of a module currently supported by Heyu. (Knowing the characteristics
+# of a module allows Heyu to track changes in its On/Off/Dim state
+# as X10 signals are sent or received.) The most commonly used modules
+# are the standard X10 lamp module (StdLM) and standard X10 appliance
+# module (StdAM). Other modules currently supported by Heyu are listed
+# in x10config(5). A standard X10 lamp module (StdLM) is the
+# default (changeable with the DEFAULT_MODULE directive)
+# for housecode|units which are not defined in an alias directive.
+# A module_type should normally not be defined for mutiple-unit
+# aliases, just for the single-unit aliases. (The module characteristics
+# are associated with the housecode|unit, however referenced.)
+
+# Some examples:
+
+
+
+
+# Note: Prior versions of Heyu used a different format for
+# aliases - no ALIAS directive and the Housecode and Unitcode_string
+# were separated by a space, e.g., simply:
+# front_porch A 1
+# Heyu will continue to accept this older format for compatibility,
+# but its use is discouraged as modules cannot be specified.
+
+# Scenes and Usersyns (User-defined synonyms):
+# Format: SCENE Label Command1 [; Command2 [; ...
+# Format: USERSYN Label Command1 [; Command2 [; ...
+# The label is limited to 32 characters and is case-sensitive.
+# Scenes and Usersyns are both semicolon-separated lists of
+# commands with their arguments which can be executed or used
+# in macros as if their labels were ordinary Heyu commands.
+# See 'man x10config' for the features and limitations of Scenes
+# and Usersyns.
+# (In the current version of heyu, the ONLY distinction between
+# scenes and usersyns is the 'show' menus in which they appear.)
+# Some examples:
+
+SCENE blinker on D5; off D5; on D5; off D5
+#USERSYN normal_lights on front_porch; on back_porch
+#SCENE tv_on on tv_set; dimb living_room 10
+
+# parameters, e.g., $1, $2, which are replaced by actual
+# parameters supplied when the scene/usersyn is run.
+
+#USERSYN night_lights dimb front_porch $1; dimb back_porch $1
+
+# Define the (writeable) directory where the Heyu state engine daemon
+# (started with 'heyu engine') is to write its log file 'heyu.log.'.
+# The default is 'NONE', indicating no log file is to be written.
+
+log_dir /usr/local/etc/heyu/log
+
+# The entries in the log file are similar to those which appear in
+# the heyu monitor, but in addition will include an entry when
+# a script is launched, and unless redirected elsewhere, any
+# text output from that script.
+
+# Note that the log file will continue to grow. Manually delete
+# or trim it from time to time, or configure a Unix utility like
+# 'logrotate' to manage this task automatically.
+
+# If the Heyu state engine is running, Heyu can launch scripts
+# (or any Unix commands) when it sees specified X10 signals.
+# The format is:
+
+#SCRIPT [ -l label ] :: [options]
+
+# where label is an optional label, tell
+# Heyu under what conditions to launch the script, and
+# is the script command to be executed.
+# The '::' (two colons) separator is mandatory since the launch
+# conditions can be quite complex.
+# See x10scripts(5) for details, but here's a simple example
+# (with no label):
+
+#SCRIPT doorbell on :: play $HOME/sounds/barking_dog.wav
+
+# Users have the option of running either 'heyuhelper' in a manner
+# similar to heyu 1.35 or general scripts as above with the
+# following directive. The default is SCRIPTS, to run general scripts.
+
+#script_mode SCRIPTS
+
+# (With the choice 'HEYUHELPER', a script named 'heyuhelper' on
+# the user's path is run every time any X10 signal is received
+# by heyu over the power line, assuming the heyu state engine
+# daemon is running.)
+
+### The following directives apply when a schedule is ###
+### is uploaded to the CM11A interface. ###
+
+# The file name of the user's X10 schedule file in the Heyu base
+# directory. The default is 'x10.sched'. If you regularly use
+# more than one, list them here and just comment/uncomment as
+# appropriate, e.g.,
+
+#schedule_file x10.sched
+#schedule_file normal.sched
+#schedule_file vacation.sched
+
+# The MODE directive - Heyu's two modes of operation:
+# In the default COMPATIBLE mode, the schedule uploaded to the
+# interface is configured to begin on Jan 1st of the current
+# year and # is valid for 366 days - through Dec 31st of the
+# current # year or Jan 1st of the following year, depending
+# whether # the current year is a leap or common year.
+# COMPATIBLE mode is the default.
+
+# In HEYU mode the schedule uploaded to the interface is
+# configured to begin on today's date and is valid for
+# the number days of provided by the PROGRAM_DAYS directive.
+# WARNING: The mere execution of X10's ActiveHome(tm) program
+# under MS-Windows, or having its resident driver running, when
+# the interface has been programmed by Heyu in HEYU mode can
+# cause problems. See 'man x10config' for details.
+
+#mode COMPATIBLE
+
+# Number of days for which the interface is to be programmed
+# when running in HEYU mode. It is ignored in COMPATIBLE mode.
+# (A shorter period can yield more accurate values for dawn
+# and dusk.) The default is 366 days.
+
+#program_days 366
+
+# Should Heyu combine events having the same date range, time, etc.,
+# by concatenating the macros for similar events? The default is YES.
+
+#combine_events YES
+
+# Should Heyu compress uploaded macros by combining unit codes for the same
+#housecode and command and eliminating duplicates? E.g.,
+# (on A1; on B2; on A3, on B2) ==> (on A1,3; on B2)
+# The default is NO
+
+#compress_macros NO
+
+# The user's Longitude and Latitude, needed for dawn/dusk calculations.
+# There are no defaults. Don't use these examples - put in values
+# for your own location.
+
+longitude W121:46
+latitude N37:16
+
+# For dawn/dusk related times, Heyu breaks up the schedule date intervals
+# into subintervals, each with a constant value of dawn or dusk time.
+# These directives instruct Heyu what value of dawn/dusk time to use.
+# The default value is FIRST, i.e., that on the first day of the subinterval,
+# which is most convenient for comparing Heyu's computations with actual.
+
+#dawn_option FIRST
+#dusk_option FIRST
+
+# The following times allow bounds to be placed on the times of Dawn
+# and Dusk computed by Heyu. For example, setting the value for
+#min_dawn to 06:30 will ensure that an event scheduled to be
+# executed at Dawn will occur at 06:30 during summer hours whenever
+# the actual computed value of Dawn is earlier than that time.
+# The value for these directives are specified as hh:mm Legal
+# (i.e., wall-clock) time, or the directives may be disabled with
+# the word OFF, which is the default.
+
+# Timer options DAWNLT, DAWNGT, DUSKLT, DUSKGT used in the Heyu
+# schedule file will usually eliminate the need for these directives.
+# See man page x10sched(5) for details.
+
+#min_dawn OFF
+#max_dawn OFF
+#min_dusk OFF
+#max_dusk OFF
+
+# Directory to write reports and files other than the critical files
+# The default is to write them in the Heyu base directory.
+
+#report_path ./
+
+# Replace events having delayed macros with new events and new
+# undelayed macros when possible. (The purpose is to avoid pending
+# delayed macros, which are purged when a new schedule is uploaded.)
+# The default is YES.
+
+#repl_delayed_macros YES
+
+# For test purposes, Heyu can write some additional files when
+# the command 'heyu upload check' is executed. This directive
+# instructs Heyu to write these files. The default is NO.
+
+#write_check_files NO
+
+START_ENGINE AUTO
+
+alias Kitchen D1 StdLM
+alias Family_Room D2 StdLM
+alias Hallway D3 StdLM
+alias Kitchen_Table D4 StdLM
+alias Stairway D5 StdLM
+alias Study D6 StdLM
+alias Dining D7 StdLM
+alias Bonus_Room D8 StdLM
+alias Living_Room_L0 D9 StdLM
+alias Front_Door D10 StdLM
+alias Living_Room_L1 D11 StdLM
+alias Living_Room_L2 D12 StdLM
+alias Piano_Room_L1 D13 StdLM
+alias Piano_Room_L2 D14 StdLM
+alias Family_Room_L0 D15 StdLM
+alias Chime G1 StdAM
+alias Main_Garage G2 StdAM
+alias Side_Garage G3 StdAM
+alias Front_Yard G13 StdLM
+alias Back_Yard G14 StdLM
+alias Plants_front_house I1 RAIN8II
+alias Plants_front_road I2 RAIN8II
+alias Lawn_front_road I3 RAIN8II
+alias Lawn_front_garage I4 RAIN8II
+alias Lawn_back_pool I5 RAIN8II
+alias Lawn_back_house I6 RAIN8II
+alias Plants_back_garage I7 RAIN8II
+alias Plants_back_road I8 RAIN8II
diff --git a/jails/config/hub/ipfw.rules b/jails/config/hub/ipfw.rules
new file mode 100644
index 0000000..0cda709
--- /dev/null
+++ b/jails/config/hub/ipfw.rules
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+pif="epair0b" # interface name of NIC attached to Internet
+
+$cmd 00100 allow ip from any to any via lo0
+$cmd 00200 deny ip from any to 127.0.0.0/8
+$cmd 00300 deny ip from 127.0.0.0/8 to any
+$cmd 00400 deny ip from any to ::1
+$cmd 00500 deny ip from ::1 to any
+$cmd 00600 allow ipv6-icmp from :: to ff02::/16
+$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
+$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
+$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
+$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
+$cmd 05000 reset ip from table(22) to me
+$cmd 65000 allow ip from any to any
+$cmd 65535 deny ip from any to any
+
+# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
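Review bot: `pif="epair0b"` is assigned but never referenced by any rule in the file, so it is dead configuration that suggests interface-scoped rules were intended but never written. Because rule 65000 is `allow ip from any to any`, the only traffic this file actually blocks is loopback spoofing and sources listed in `table(22)`; nothing on the page says who fills that table, although the `sshg-fw-ipfw` backend chosen in the sshguard.conf added by the same commit is the likely writer — confirm and document it, e.g. `# table 22 is populated by sshguard (sshg-fw-ipfw); rule 65000 allows everything else`. If the intent is a default-deny jail firewall, rule 65000 should be replaced by explicit allows for the services this jail actually exposes before the final deny.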
diff --git a/jails/config/hub/pkgp.conf b/jails/config/hub/pkgp.conf
index 88840a2..7e874ec 100644
--- a/jails/config/hub/pkgp.conf
+++ b/jails/config/hub/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+ url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
diff --git a/jails/config/hub/sshguard.conf b/jails/config/hub/sshguard.conf
new file mode 100644
index 0000000..a5e92bd
--- /dev/null
+++ b/jails/config/hub/sshguard.conf
@@ -0,0 +1,54 @@
+#!/bin/sh
+# sshguard.conf -- SSHGuard configuration
+
+# Options that are uncommented in this example are set to their default
+# values. Options without defaults are commented out.
+
+#### REQUIRED CONFIGURATION ####
+# Full path to backend executable (required, no default)
+#BACKEND="/usr/local/libexec/sshg-fw-hosts"
+BACKEND="/usr/local/libexec/sshg-fw-ipfw"
+#BACKEND="/usr/local/libexec/sshg-fw-pf"
+
+# Space-separated list of log files to monitor. (optional, no default)
+#FILES="/var/log/auth.log /var/log/maillog"
+FILES="/var/log/auth.log"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
+# Example 2: ssh from os_log (macOS 10.12+)
+#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
+
+#### OPTIONS ####
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD=30
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME=120
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME=1800
+
+# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
+IPV6_SUBNET=128
+
+# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
+IPV4_SUBNET=32
+
+#### EXTRAS ####
+# !! Warning: These features may not work correctly with sandboxing. !!
+
+# Full path to PID file (optional, no default)
+#PID_FILE=/var/run/sshguard.pid
+
+# Colon-separated blacklist threshold and full path to blacklist file.
+# (optional, no default)
+#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
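Review bot: `WHITELIST_FILE` is left commented out while `BACKEND` is `sshg-fw-ipfw` and the ipfw rules in this commit reset every packet from table(22) to the jail, so a few mistyped passwords from the administrator's own LAN will lock the management path out for `BLOCK_TIME` and its escalating multiples. Set `WHITELIST_FILE=/usr/local/etc/sshguard.whitelist` and list the management networks in that file before enabling the service. `FILES="/var/log/auth.log"` only covers what logs to auth.log; if other services in this jail are meant to be protected their log files need adding to the list. The upstream comment `# Size of IPv6 'subnet to block` carries a stray apostrophe that can be dropped.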
diff --git a/jails/config/hub/vncmods/passwd b/jails/config/hub/vncmods/passwd
new file mode 100644
index 0000000..f3f143b
--- /dev/null
+++ b/jails/config/hub/vncmods/passwd
@@ -0,0 +1 @@
+Í•it†Í®
\ No newline at end of file
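Review bot: This is a VNC password file committed as a binary blob; the vnc passwd format only obfuscates the password with a fixed, well-known key rather than encrypting it, so anyone with read access to the repository has the VNC password, and deleting the file in a later commit will not remove it from history (the DKIM private keys deleted elsewhere in this same commit are in the same position and should be treated as exposed and rotated). Generate this file at deploy time with `vncpasswd` from a secret kept outside the repository instead of versioning it. `user-mapping.xml`, `vnc-hub.ldif` and `rdp-windows.ldif` in this commit carry the same credentials in plaintext (`vncpass`, `username=v` / `password=v`) and need the same treatment.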
diff --git a/jails/config/hub/vncmods/vncserver b/jails/config/hub/vncmods/vncserver
new file mode 100755
index 0000000..a7c6040
--- /dev/null
+++ b/jails/config/hub/vncmods/vncserver
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: vncserver
+# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
+
+. /etc/rc.subr
+
+: ${vncserver_enable="NO"}
+: ${vncserver_user="p"}
+: ${vncserver_geometry="1600x900"}
+: ${vncserver_display="1"}
+: ${vncserver_securitytypes="vncauth"}
+# : ${vncserver_securitytypes="vencrypt,vncauth,tlsvnc"}
+# encryption incompatible with clients - vncconnect-realvnc and guacd
+
+name=vncserver
+rcvar=vncserver_enable
+
+VNCSERVER="/usr/local/bin/vncserver"
+
+start_cmd="vncserver_start"
+stop_cmd="vncserver_stop"
+restart_cmd="vncserver_restart"
+
+vncserver_start()
+{
+ CMD="$VNCSERVER -geometry ${vncserver_geometry} -name $(hostname -s) -securitytypes ${vncserver_securitytypes} :${vncserver_display}"
+ su -l ${vncserver_user} -c "${CMD}"
+}
+
+vncserver_stop()
+{
+ CMD="$VNCSERVER -kill :${vncserver_display}"
+ su -l ${vncserver_user} -c "${CMD}"
+}
+vncserver_restart()
+{
+ vncserver_stop
+ vncserver_start
+}
+
+load_rc_config ${name}
+run_rc_command "$1"
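Review bot: In `vncserver_start`, `CMD` is assembled by string concatenation and then re-parsed by the shell that `su -l ${vncserver_user} -c "${CMD}"` spawns, so any rc.conf override containing spaces or shell metacharacters (a security-types list, a geometry, an unusual short hostname) is split or interpreted a second time; at minimum quote each expansion inside the string, e.g. `CMD="$VNCSERVER -geometry '${vncserver_geometry}' -name '$(hostname -s)' -securitytypes '${vncserver_securitytypes}' :${vncserver_display}"`, and quote `"${vncserver_user}"` in both su calls. The default `vncserver_securitytypes="vncauth"` together with the comment admitting that the encrypting types are disabled means the display is password-only over cleartext; if guacd on the jump jail is the only legitimate client, say so in the comment and restrict the listener to that network in the jail firewall. `vncserver_restart` calls `vncserver_stop` then `vncserver_start` unconditionally, so a failed kill is silently ignored.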
diff --git a/jails/config/ibm/ibm.sh b/jails/config/ibm/ibm.sh
index 90b69dc..4cc21cd 100755
--- a/jails/config/ibm/ibm.sh
+++ b/jails/config/ibm/ibm.sh
@@ -1,6 +1,6 @@
#!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -10,9 +10,9 @@
# ./ibm.sh under tmux
-ifconfig tun186 create
-ifconfig tun186 inet 172.16.0.186 172.16.0.100
-chmod 666 /dev/tun186
+ifconfig tun95 create
+ifconfig tun95 inet 172.16.0.95 172.16.0.100
+chmod 666 /dev/tun95
cd /data/Z110/CONF
# hercules
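Review bot: `chmod 666 /dev/tun95` makes the tunnel device world-readable and world-writable, so any local account in this jail can read or inject the emulated host's network traffic; the removed line had the same mode, but the renumbering is the moment to fix it. Give the device to the account that runs hercules instead, `chown <hercules-user> /dev/tun95` followed by `chmod 600 /dev/tun95`, with `<hercules-user>` a placeholder for the user the script is actually run as. The interface number is now hard-coded in three places; a single `TUN=tun95` variable would keep the next renumbering to one edit. The enclosing script continues outside the hunk.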
diff --git a/jails/config/ibm/startemu.sh b/jails/config/ibm/startemu.sh
index b2d085f..683981e 100755
--- a/jails/config/ibm/startemu.sh
+++ b/jails/config/ibm/startemu.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/jump/enable-routing.sh b/jails/config/jump/enable-routing.sh
new file mode 100755
index 0000000..ad7dfe7
--- /dev/null
+++ b/jails/config/jump/enable-routing.sh
@@ -0,0 +1,7 @@
+sysctl net.inet.ip.forwarding=1
+route add 10.1.2.0/24 192.168.55.105
+# on remote -
+#sudo sysctl net.ipv4.ip_forward=1
+#ip route add 192.168.0.0/24 via 192.168.55.1
+#OR
+#ip route add 192.168.0.0/24 dev tun0
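Review bot: The script has no shebang and no error handling, so `route add 10.1.2.0/24 192.168.55.105` still runs when `sysctl net.inet.ip.forwarding=1` fails and vice versa, leaving the host half-configured; add `#!/bin/sh` and `set -e` as the first two lines. Enabling `net.inet.ip.forwarding` turns the jump host into a router between 192.168.55.0/24 and the LAN, and nothing in this file restricts what gets forwarded — add a comment naming the firewall rule set that is expected to filter forwarded traffic, otherwise the sysctl is a wide-open bridge. The sysctl is also not persisted; if it must survive a reboot it belongs in sysctl.conf and the comment should say so.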
diff --git a/jails/config/jump/guacamole-client/add-ldap.sh b/jails/config/jump/guacamole-client/add-ldap.sh
new file mode 100755
index 0000000..a3767a1
--- /dev/null
+++ b/jails/config/jump/guacamole-client/add-ldap.sh
@@ -0,0 +1 @@
+ldapadd -H ldaps://ldap.ahlawat.com -f $1 -D cn=admin,dc=infra -W
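Review bot: `$1` is unquoted and unchecked, so a missing argument silently runs `ldapadd -f` with an empty file name and a path containing spaces is split; use `ldapadd -H ldaps://ldap.ahlawat.com -x -f "$1" -D cn=admin,dc=infra -W` and put `#!/bin/sh` plus a usage guard such as `[ -n "$1" ] || { echo "usage: $0 file.ldif" >&2; exit 1; }` above it. Without `-x` OpenLDAP's ldapadd attempts a SASL bind rather than a simple bind with the given DN, which is presumably not what is intended here — confirm against the ldapadd version in the jail.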
diff --git a/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar b/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar
new file mode 100644
index 0000000..2cd5cb6
Binary files /dev/null and b/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar differ
diff --git a/jails/config/jump/guacamole-client/guacamole.properties b/jails/config/jump/guacamole-client/guacamole.properties
new file mode 100644
index 0000000..251f6d6
--- /dev/null
+++ b/jails/config/jump/guacamole-client/guacamole.properties
@@ -0,0 +1,16 @@
+###
+### guacamole.properties.sample
+###
+
+
+### The Host the Guacamole proxy daemon (guacd) is listening on.
+#
+guacd-host: localhost
+guacd-port: 4822
+guacd-ssl: false
+ldap-hostname: ldap.ahlawat.com
+ldap-port: 636
+ldap-encryption-method: ssl
+ldap-user-base-dn: ou=people,dc=infra
+ldap-username-attribute: cn
+ldap-config-base-dn: ou=hosts,dc=infra
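Review bot: The `ldap-*` block is undocumented while the header still reads `### guacamole.properties.sample`, so a reader cannot tell that connection definitions come from the guacConfigGroup entries under `ou=hosts,dc=infra` or that users bind with their own DN because no `ldap-search-bind-dn` is configured; add a comment above `ldap-hostname:` along the lines of `### LDAP auth: users bind as cn=<user>,ou=people,dc=infra; connections are guacConfigGroup entries under ldap-config-base-dn` and drop the `.sample` line. `guacd-ssl: false` is acceptable only because `guacd-host: localhost` matches the `bind_host = localhost` in guacd.conf from the same commit; a comment tying the two settings together would stop a later change to one of them from silently exposing a plaintext guacd socket.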
diff --git a/jails/config/jump/guacamole-client/logback.xml b/jails/config/jump/guacamole-client/logback.xml
new file mode 100644
index 0000000..b8c083c
--- /dev/null
+++ b/jails/config/jump/guacamole-client/logback.xml
@@ -0,0 +1,20 @@
+
+
+
+
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
+
+
diff --git a/jails/config/jump/guacamole-client/rdp-windows.ldif b/jails/config/jump/guacamole-client/rdp-windows.ldif
new file mode 100644
index 0000000..1e70ea9
--- /dev/null
+++ b/jails/config/jump/guacamole-client/rdp-windows.ldif
@@ -0,0 +1,14 @@
+dn: cn=rdp-windows,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: Windows rdp
+guacConfigProtocol: rdp
+guacConfigParameter: hostname=192.168.0.81
+guacConfigParameter: port=3389
+guacConfigParameter: username=v
+guacConfigParameter: password=v
+guacConfigParameter: security=nla
+guacConfigParameter: ignore-cert=true
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
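Review bot: `guacConfigParameter: ignore-cert=true` disables RDP server certificate validation for every member of this group, so a host answering as 192.168.0.81 with any certificate is accepted silently; trust the Windows host's certificate on the guacd side and remove the line, or document in a `#` comment why it has to stay. `username=v` / `password=v` put a shared Windows credential into an LDAP entry readable by every listed member and, via this repository, by anyone else; omit both parameters so Guacamole prompts each user, or use the `${GUAC_USERNAME}` / `${GUAC_PASSWORD}` parameter tokens the Guacamole documentation provides so users authenticate as themselves.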
diff --git a/jails/config/jump/guacamole-client/ssh-nas.ldif b/jails/config/jump/guacamole-client/ssh-nas.ldif
new file mode 100644
index 0000000..25e290f
--- /dev/null
+++ b/jails/config/jump/guacamole-client/ssh-nas.ldif
@@ -0,0 +1,10 @@
+dn: cn=ssh-nas,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: NAS ssh
+guacConfigProtocol: ssh
+guacConfigParameter: hostname=192.168.0.10
+guacConfigParameter: port=22
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
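Review bot: The ssh connection sets `hostname=192.168.0.10` and `port=22` but no `host-key` parameter, so guacd connects to whatever answers at that address without verifying the server's host key; add `guacConfigParameter: host-key=<base64 public key of 192.168.0.10>` (placeholder — take the value from the NAS's own ssh_host_*_key.pub) so the session fails closed if the host is substituted. The `# seeAlso:` line is commented out in all three ldif files; if it is a leftover, drop it rather than leaving a dangling cross-reference to `ou=groups`, which the other entries spell `ou=group`.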
diff --git a/jails/config/jump/guacamole-client/user-mapping.xml b/jails/config/jump/guacamole-client/user-mapping.xml
new file mode 100644
index 0000000..e691390
--- /dev/null
+++ b/jails/config/jump/guacamole-client/user-mapping.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+
+
+
+
+ vnc
+ 192.168.0.50
+ 5901
+ vncpass
+ 24
+
+
+ rdp
+ 192.168.0.81
+ 3389
+ nla
+ true
+ v
+ v
+
+
+ ssh
+ 192.168.0.10
+ 22
+ monospace
+
+
+ vnc
+ 192.168.200.192
+ 5901
+ vncpass
+ 24
+
+
+ ssh
+ 192.168.200.192
+ 22
+ monospace
+
+
+ ssh
+ 192.168.55.105
+ 22
+ monospace
+
+
+
+
+
+ vnc
+ 192.168.200.212
+ 5901
+ vncpass
+ 24
+
+
+ ssh
+ 192.168.200.212
+ 22
+ monospace
+
+
+
+
diff --git a/jails/config/jump/guacamole-client/vnc-hub.ldif b/jails/config/jump/guacamole-client/vnc-hub.ldif
new file mode 100644
index 0000000..035e67c
--- /dev/null
+++ b/jails/config/jump/guacamole-client/vnc-hub.ldif
@@ -0,0 +1,12 @@
+dn: cn=vnc-hub,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: HUB vnc
+guacConfigProtocol: vnc
+guacConfigParameter: hostname=192.168.0.50
+guacConfigParameter: port=5901
+guacConfigParameter: password=vncpass
+guacConfigParameter: color-depth=24
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
diff --git a/jails/config/jump/guacamole-server/guacd.conf b/jails/config/jump/guacamole-server/guacd.conf
new file mode 100644
index 0000000..2dac07f
--- /dev/null
+++ b/jails/config/jump/guacamole-server/guacd.conf
@@ -0,0 +1,17 @@
+#
+# guacd.conf example
+#
+
+[daemon]
+# Possible log_level variables are:
+# trace, debug, info, warning, and error
+# Default is info
+log_level = info
+
+[server]
+bind_host = localhost
+bind_port = 4822
+
+[ssl]
+#server_certificate = /mnt/certs/fullchain.pem
+#server_key = /mnt/certs/privkeyr.pem
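Review bot: `#server_key = /mnt/certs/privkeyr.pem` carries a typo in the file name (`privkeyr` where the `fullchain.pem` beside it suggests `privkey.pem`), so uncommenting the `[ssl]` block as written will fail at guacd startup; fix the template now: `#server_key = /mnt/certs/privkey.pem`. Leaving the block disabled is consistent with `guacd-ssl: false` in guacamole.properties and with `bind_host = localhost` keeping guacd off the network; a comment above `[ssl]` stating that the two files must be changed together would prevent one being flipped without the other.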
diff --git a/jails/config/jump/schema/guacConfigGroup.ldif b/jails/config/jump/schema/guacConfigGroup.ldif
new file mode 100644
index 0000000..6e3f60b
--- /dev/null
+++ b/jails/config/jump/schema/guacConfigGroup.ldif
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+dn: cn=guacConfigGroup,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: guacConfigGroup
+olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
+ .115.121.1.15 )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.15 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
+ uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )
diff --git a/jails/config/jump/schema/guacConfigGroup.schema b/jails/config/jump/schema/guacConfigGroup.schema
new file mode 100644
index 0000000..129a41b
--- /dev/null
+++ b/jails/config/jump/schema/guacConfigGroup.schema
@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
+ DESC 'Guacamole configuration group'
+ SUP groupOfNames
+ MUST guacConfigProtocol
+ MAY guacConfigParameter )
+
diff --git a/jails/config/jump/setup_jail.sh b/jails/config/jump/setup_jail.sh
new file mode 100755
index 0000000..600ae7e
--- /dev/null
+++ b/jails/config/jump/setup_jail.sh
@@ -0,0 +1,2 @@
+# requrired to run other configured scripts
+/bin/sh /etc/rc
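Review bot: The script has no shebang and the comment misspells `required`; write `#!/bin/sh` as the first line and `# required to run other configured scripts` above `/bin/sh /etc/rc`. Running the full `/etc/rc` starts every enabled rc service in the jail, which is presumably the intent, but a one-line comment saying this is a one-time post-create hook and from where it is invoked would help the next reader.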
diff --git a/jails/config/ldap/pkgp.conf b/jails/config/ldap/pkgp.conf
index 88840a2..7e874ec 100644
--- a/jails/config/ldap/pkgp.conf
+++ b/jails/config/ldap/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+ url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
diff --git a/jails/config/ldap/schema-addons/guacConfigGroup.ldif b/jails/config/ldap/schema-addons/guacConfigGroup.ldif
new file mode 100644
index 0000000..6e3f60b
--- /dev/null
+++ b/jails/config/ldap/schema-addons/guacConfigGroup.ldif
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+dn: cn=guacConfigGroup,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: guacConfigGroup
+olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
+ .115.121.1.15 )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.15 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
+ uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )
diff --git a/jails/config/ldap/schema-addons/guacConfigGroup.schema b/jails/config/ldap/schema-addons/guacConfigGroup.schema
new file mode 100644
index 0000000..129a41b
--- /dev/null
+++ b/jails/config/ldap/schema-addons/guacConfigGroup.schema
@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
+ DESC 'Guacamole configuration group'
+ SUP groupOfNames
+ MUST guacConfigProtocol
+ MAY guacConfigParameter )
+
diff --git a/jails/config/mail/.secret/dkim/ahlawat.com.dkim.key b/jails/config/mail/.secret/dkim/ahlawat.com.dkim.key
deleted file mode 100644
index 23cfd27..0000000
--- a/jails/config/mail/.secret/dkim/ahlawat.com.dkim.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDECIuIzM+f5+s
-PdoTBSLGpARZkcKWboSUfLdiFsBEXkV5KLy12S6T2ja0oH5C6GfhkqpdzAsCPHKs
-SdIyJAmHj7FXnbOnP93N64E3n/wONj5cq9QAz2acKxS167DXpnSE7K+egcqI7ePL
-BBecLnKUUnSQ4JMAeUBatjnl5SsKF7pwDM1DsOYvWFpDH0BfjIlZq1JJIUnfE7pK
-b3ppdBSF0bum+/Y6TZVJdNg4fYj5k68vLeBp8PkJj60pO4B7oexLpXcz/pqkGi9a
-K5P86RzZliKMqGVAs3TmxWMskoX2Hpm1VXIg/Pht75FuaPqwkAW8FVb3Y7yvfmgU
-O7FaP423AgMBAAECggEAP7BG2LWZh7B32+8eAtPMdPsciHo1BJT1KN5HqfkvsaLu
-IA8S/nT45kF7VyKH1yS2tkoC4jk65vIBpws7XC+0BNT/3FGbVOJfc1qPiC/uRl2j
-ovJfeBw/roHKc1OPG/o3VSdKeAB8tpSlqaWeZ9oqgw8hDCSnGqJ8RqH06YEXumVO
-/59N5/kweoN1902nrsnhhY72cx/YY7TFZt+sbCs1D8rimHFX5UQUWGQgwqKeCvG2
-VmBtU+oXCBKdaR+IcJd9Oy/qkmEQZ6dDL7n/HUwOcRzuBuZoeXN9sc9z81mYEI2Q
-bYpowPOyqFArB08HjQpFndQFSyNwiVVSzaOHRUNBwQKBgQDkECi9WkyqGgVvSM6f
-fC9OTKKk5kI12j4I3aQKZSnW/eNTpaHykRhvUsr36zp58vRN4G9YDJyblgOhgr1U
-7SBwqZRLETwG0ktKDipgibWjBm+K5LfK+wWRwn/qzq494Qg2GQ/DniXqCZ6SI1s1
-wMBHS9s/VYPGaYvYrS1TD90JpwKBgQDa9R90rcyNlXTLHwYzxgjJczLKHz+0ANlR
-GORg31/VBxs94IYby+cZ/oGRjCB5syR/SaN5Z+N2w8GT0yFWN8UCJS0G4I6fGtCb
-wYWzhK2UtI4WyOH9jIdl8AYjFGRZMFJEkDPmac54jtNcqhfO/Eei9+yHq7llEnUP
-F4qKf8K9cQKBgQDEwDgVW4DGQxqrLhmrt3wsRasPLeKzCOv5xBTQLwRQiMoEkOFN
-HeYBrGCUT6gsKvCe+t+0C3VUOLA7N0pVqRkSeQoJVP3/OI9hfSUMEeHUminCnpz9
-DWB5pl2q2dGyaqAl46sY7SfyZ4gYtU3r6rU3DPdCBWlg1A+kx4pRnV7pAwKBgCOu
-fonNKOCJ0panX6NgSl5J36UAoqj62m9U1yLSRBO7LL1QsYomGGssBoFpjIFIqFH1
-9iX6wB7Cl/E3Ht+mBvzqggP05EkZXZWEW/19SaxKID2mTu260PXTv6xHznKaZU23
-Ej4iT/tlixw2u9qHUkVEkc8qNPQ7pcfn1jPrzhiBAoGBAN075cp3R9bzzfVzrFRh
-ZFWzSnWieSsOP635nj48HXKyne7gjvG1IG/HHSi3XPmRIdWTAfOYz29rWQEOaY7b
-wbNhvH7jvtq/A7/Uifh6l8cnN9TFAmN/wmKEUCloVxg1/GltXbR6UwzbJWAs40ya
-VtAxvncs1bqtPBAgfE5wwdCd
------END PRIVATE KEY-----
diff --git a/jails/config/mail/.secret/dkim/beyondbell.com.dkim.key b/jails/config/mail/.secret/dkim/beyondbell.com.dkim.key
deleted file mode 100644
index 8f56d6c..0000000
--- a/jails/config/mail/.secret/dkim/beyondbell.com.dkim.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYdTOGw8TvQtkr
-Z139xpQC1iXu/X+2ei7ascX6C2G8WM7NS3XphgMd0LgzEm9POoJyYP7KVjQdPK5m
-mRoZOCATmFhNPGSer96qjASHgm10GISKlUyGKRWv1mNHsLJaLwsd8ef13+qBsTvG
-pT0z2I/0OWwAuqQuZdMPuVskspF8jusycibpQ7WjqaOynPEUuRZHDLQToso02+Vd
-X3l3bU08Rz3vW7+hNjZYuzsfCTBzD91kxTGyetqg2CXyLM/dWbDFgY72zG682X0d
-CtoWoEAKdUJkPDxQeKJtqh84TsAOUvg/z3W6J7uJow9OcWsXWJcAJ/HG8gNPq4ho
-sVbc96SzAgMBAAECggEADXPTPPfjwF7uMkVdUQ1LW5XFi8HTcxrK2KqdvDmC3HrE
-d3vOGzJJ9UtodzwZENp5CvS+QQL0gDCqQhQXzCNx0uXv7vTm5/nUI9NJ4MYZWVLA
-wgAfXmMlRuVTDDyOCQ7NaRIEsYI2B9Nk/KZ+VD+MSshazvzKgVuwr1R8tp4mbpAx
-8f4xe51b5ZVqTLcnkoSR6lTmKMQruIZwQpvaGYZLjBRaBcACwYkbZksQZkx7xZdZ
-enpLcKoCc1xXg+gjlfF9HOD1e2GlYQTOgfDcQVJEIS+jjzMyiJA1BxqL8/LkafeD
-CKfx8mzd1LjyDDaAP8ruZb4Ns/6SazAPozxBSRnP2QKBgQD+uf+evckgN6+3/Bur
-egP6I4dUKw1joCo69p98388mWq+ywhIc2rquEfSoQCqjli4pG3iwBbDVxgjk08GV
-ayFaP3X3LvuqCZBktSjEJR6WUMB0kW77BigLCtbzyd2R9upp0A3CnXsmmLVL+o5n
-TD5w6cd67NPS/NGo2FyA6JQO5QKBgQDZijnfG4Yt6BdX3+WBFXNGkhdJziokmrfG
-no5p/tw+/kJfHFC017Z+EbLbcWMKL9cDzl9uMXGDy1xd8+OfolxZZEnrmt4btbmh
-wVzTPrhREwjqzwu/Y2jQwFBef+zJ+b8a1uZOFYVIWWeGCT7wirq54AslE8y0lNEF
-olBnP44TtwKBgQDyn4k50z16QXBOx4Q3fZ3CKQsigWtcZFc1GGlrEOaHesN1eeK0
-tyYu3Q1zIMM8U7SeFPuMda8sv1cDVitCPetjwaSED61IFZoCQoeU5GJQ/JODtG7I
-DOIhOm7pgHJaMJywsqoYn9WIOtYci4gOHhIvjI0jqeZNReARehwJ8P3tfQKBgEWD
-hAalNvVIat0rsJzVC+cLG+H7vT/BKOSRGhUI2bxPZ0oZNDj1jV0vrqWsz+cbbmvK
-8He32PwyaaukGaKTMUtnXq+o5zyXj1/+9/iQ3DkcCgdubeSUkZPTQFtSKYpJAiZD
-cYiWG+cImqocHj6jNhPbYfRRJWK3Ayv3uBWmG3J1AoGAGjKqKpd8+00IxElXpov9
-At2YzPZlzPQCU0+vcreGVTaO9wNdVKfc6uaeAO4D0DP9SOwEqRC9rv8FNb8DxgTB
-ryWMy8rY/CC3mhK6hnsWNRC0a1myKva2XwQ+jMKuCsznFE0N2xjizNdv2/HM2dcr
-ropb+P1w1KZyTiNbTTTC1eQ=
------END PRIVATE KEY-----
diff --git a/jails/config/mail/.secret/dkim/diyit.org.dkim.key b/jails/config/mail/.secret/dkim/diyit.org.dkim.key
deleted file mode 100644
index c48e017..0000000
--- a/jails/config/mail/.secret/dkim/diyit.org.dkim.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDc2cV9/D/MWdUl
-DBfKzA3zNjFbzDJd4WP1fdRRIdell57kJwyKehYCw/HxWy4+AnWj6c2fhPXI2EQp
-K3I1QjNSxV4kq+Lr2SFJuDiZvDRLzihu24N6go34R9712mbZOWWl0KyihO6E2cH8
-h6cr2iahXmAjqVtm9/mBmdnrQ2Bv0fusdpS24x3NOPs4Q5gJTadJFGBkwXb88D/+
-mBDcEUFwDul4bVQWvqHk+8EJwApGLo7YVL2F0A25FAm43rWexjb+JeTsHRqN/TaV
-ALzQPr/DQIb2wyWsTnQMnd0t8qg9ErDAKgxMDeGDRFbHr5wNMTrewQkW7yd+H0T0
-Wa97aDXbAgMBAAECggEANUp/M0VZB7BtlED0xMS0YQmko2gEh07J1gUE5IbsCFMr
-zhX2GrwW75fkm77Ky7/AL0tNiL6GqG43FFAdgOh2hfSGIQcw/IQqWiWP0tjtLZWT
-gByL/1XdeBmvnVeUFbqZ4ocWASlefMQm4Q7Csfwz8iBZxoEpQxF3LWS4huJ9NL3d
-qiI1jX5otXN0ybA6jDpridvExRwWT6KrAykUrh5f7vRGUp0I7/GltvSHS4mu24C1
-08RUPE5NjynEX/amc1urMwH3ZdOZgCx819DfQXpQts9/TejSLlLL8s4lXTsZDoab
-DiJ1zZKZEpMIheEGAWSyLtqc1QxypauVAMeM6ZgasQKBgQD88Yf1E7X8zS4hYSyu
-WHiUgrin/0febsHWZAVBTwnzpDwfY0jNnq57tiALyaVzk3vCL3a9WckpXPbQk4Yk
-Oypu1eDyGT4Xf7hrXqFTlMtkupa3Os5/MlTXOFMMs5VISsxrbVjNlvSxITXASWwr
-IYVjmhgTx8Rg3ApM5X/Tqd8XxwKBgQDfhPZ2t+4fBwhzgydKnkPWMbJ6k17tWoZu
-8tzCzrxJd/cYUmi/44sOLrFCLwaS28I4sR7iBPCeiFnnbqlv+f6uw2Xmr5jc/BsT
-md6yl2gNmow//iGFwf8lAsA1VyoFbZoAvQUMVElaxvCngifsTNqRHap8KY6xv5r/
-C6MEoGd5TQKBgQDEoPXxnEsCpHXR2Pqk5X2G5T+qyRYTYcIpaUN0i37O+cMLG2FD
-BrHY1bF/uFd3yxSP1dnWRG/OSchMSAIlNCE+W+EsEldkaRLx1HRQxwB941a6RWq1
-EmlFjTFyVEAeHJdgg3ZfC5RYBdsFCY6e0MYisW06IzcTnLodIOMHpawZjQKBgQC+
-1RVbnINXyDhl7rbQFTlTmVCJKGMmgGBAP2dNhxXoH909zbYTBmFFdYXvPJj/L1Kt
-9kKos5D/uOgRGEDfEnBnovnQL2FyYmd3n6orjerPmoBdbkoOmeeNIMEbiVSeF8oh
-EUBLG3cZYro6OXx+WctNlCdnJE/o3+6kC7pdi9lsDQKBgEtkK4RpB1OKJm6sEiWe
-hoTI6yqflpkivWtV3F8/D37LbYT5wiAsRr6AkgetB7jsi0t//thJiAUUxhtb+u4M
-1zR7i9bIRv3lU8TgYpfS/Yq3T9feZoj682LKtBMPoSgm/p5+ogzIlAU3cpjAW+A8
-2CyzbDc7K58vuzaR8RHpnzYi
------END PRIVATE KEY-----
diff --git a/jails/config/mail/.secret/dkim/diyit.space.dkim.key b/jails/config/mail/.secret/dkim/diyit.space.dkim.key
deleted file mode 100644
index 33ef529..0000000
--- a/jails/config/mail/.secret/dkim/diyit.space.dkim.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJE2rtl2EGU7YD
-TWSlapLqMgn02m9Valldv6u3NP5CZTwI9/xrlEZYzjArInvLE4SFx5VlgC52K92A
-tZUqs7ckZgDmMOIr1vXGP3YgzGO9NK3hqyPHlu2Twuu96rP9+CTTlU8ovun14Ucu
-b0+W3pH646kMZBc0wAAj0xg+QI0PhFphQZyHkV9laOFwx/ErCu9SdUfcUY+zouSG
-DMxPAL8pT1JS5IOVGDM7rXbAwZ1+LrHTmOD1Mi6jtYtV7/Pqga6CBpcQFa/kMvza
-idjPkVyUg4YY/9i+P9dRQMK6dJgmRSaLLaOTaYHCT6PgpWQvKhYJZsNIB+LmfdHp
-gzE4s0tfAgMBAAECggEBALtNkzVu5bp3D/1TgoV0GRZ/NjcXos32GvjxKoummZJP
-qvTPzBqKLF1c9BG6NYadz7yuhcPe+2iow9S5URJOBjOpsPy8XHJp8teRFgDHY8FD
-6RVlzhaFyRjzYZWvo6rYE7XkR7C05ktcZmoi1gi7m1AR8c7RDazdjUPRx6t1hfEE
-ubocsnwZ5McU3tHVHj8pHBM9nKaarVd3BSTydStjGOmoS+E5BR1NLMDpx3Aw9S/V
-tn1iJxxF9+GONFfCBQ/IQ4+rBbOPsICwhhhrTpJwPilzBynGQevtEHdpq6ewS2bq
-ESsgQoax70cW1TymOPOzYQvPUzJy0S68OoSMAXVr8MECgYEA755LulHIALONfQWG
-XBUT7UMaePyLDkuNoGkIDqIdqZiJf8kxDs8yWznCGim/vlnmK2hVn1nqi+omtbaG
-AsCgU9q2JnP4r0Nr7yb/L4WAHp5WxR5ifS/aOHUple9oQwfPkzpxWEGFFvN0PW7p
-4lk4lRNvI4q5zMdugpbwn4vbzEMCgYEA1tKRDfPY/9GV/dYnt433bjtlNU9j7UCc
-8iP26Rg8zjC4tzlVoZDZjov5FMG2Ifb7cLNroONATg2ivKNyRm73Le9p2KVqtvTX
-zHs1sKVJofWQ4+GzJd8MkUEXu397oTUudGV+z82Hd0iKkQBT7EYBybHl6kY4XbR1
-BS36gdW2oLUCgYBvt1LBNH3V7eCqiFfjOKSIuv9tpvjCGnGWd0GdaPIBby+0Fz47
-FFj69UvM3OgbvFg2prc8yzQyNWIE2GtUfzCAx/iipvEr7Xg2EO1q34gjPllgH9F1
-YkkQh3dzAyKOFecuUlIj/rApSipIthxvPn/F6UCoxnXnxpd8ZRkcmZ1JdwKBgQCZ
-bltb88YRMMhIPCSx3RvUB2gJ42Ijmfp+l2FKqp0DR5kmhDS86I/6V87XHGPRbm23
-2O4OQ0Eyflq1EKgV1juE+3JF4h+N/OIEkhuOxv8IRjPuDs29RsnbFPq2WB8czLcZ
-O0SPduRCNfWCCxHltzqfrAfig7TOeIz73hMFmHaP4QKBgQCN1XzjGMrL0ZlFQTM1
-ljaqWEaQ+JSzZtiVDdPcuKytyvz59OdJnag9O0TBaOY6XGG1Dbl8FJEG9KZCwYRv
-a+CKb6qHyowgu17GlWQBn2i3Ep5GOQhkR4ghvDXZPwOJfW5VbfWo4N/r3Q81kaRO
-Iovk5uipUk5dtW69hOYmq4OBxA==
------END PRIVATE KEY-----
diff --git a/jails/config/mail/pkgp.conf b/jails/config/mail/pkgp.conf
index 88840a2..7e874ec 100644
--- a/jails/config/mail/pkgp.conf
+++ b/jails/config/mail/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+ url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
diff --git a/jails/config/mail/postfix/main.cf b/jails/config/mail/postfix/main.cf
index 90c9569..98a8ef5 100644
--- a/jails/config/mail/postfix/main.cf
+++ b/jails/config/mail/postfix/main.cf
@@ -683,7 +683,7 @@ readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
-smtp_address_preference = ipv4
+#smtp_address_preference = ipv4
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
diff --git a/jails/config/mail/postfix/main.cf.default b/jails/config/mail/postfix/main.cf.default
index 3ba39f6..b26b4f9 100644
--- a/jails/config/mail/postfix/main.cf.default
+++ b/jails/config/mail/postfix/main.cf.default
@@ -328,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
luser_relay =
mail_name = Postfix
mail_owner = postfix
-mail_release_date = 20200316
+mail_release_date = 20200516
mail_spool_directory = /var/mail
-mail_version = 3.5.0
+mail_version = 3.5.2
mailbox_command =
mailbox_command_maps =
mailbox_delivery_lock = flock, dotlock
@@ -340,7 +340,7 @@ mailbox_transport_maps =
maillog_file =
maillog_file_compressor = gzip
maillog_file_prefixes = /var, /dev/stdout
-maillog_file_rotate_suffix = %Y%M%d-%H%M%S
+maillog_file_rotate_suffix = %Y%m%d-%H%M%S
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maps_rbl_domains =
diff --git a/jails/config/mail/sendmail.cf b/jails/config/mail/sendmail.cf
new file mode 100644
index 0000000..c7df2df
--- /dev/null
+++ b/jails/config/mail/sendmail.cf
@@ -0,0 +1,1903 @@
+#
+# Copyright (c) 1998-2004, 2009, 2010 Proofpoint, Inc. and its suppliers.
+# All rights reserved.
+# Copyright (c) 1983, 1995 Eric P. Allman. All rights reserved.
+# Copyright (c) 1988, 1993
+# The Regents of the University of California. All rights reserved.
+#
+# By using this file, you agree to the terms and conditions set
+# forth in the LICENSE file which can be found at the top level of
+# the sendmail distribution.
+#
+# $FreeBSD: releng/12.2/contrib/sendmail/cf/m4/cfhead.m4 363465 2020-07-24 00:22:33Z gshapiro $
+#
+
+######################################################################
+######################################################################
+#####
+##### SENDMAIL CONFIGURATION FILE
+#####
+##### built by root@mail.ahlawat.com
+##### in /etc/mail
+##### using /usr/share/sendmail/cf/ as configuration include directory
+#####
+######################################################################
+#####
+##### DO NOT EDIT THIS FILE! Only edit the source .mc file.
+#####
+######################################################################
+######################################################################
+
+##### $Id: cfhead.m4,v 8.122 2013-11-22 20:51:13 ca Exp $ #####
+##### $Id: cf.m4,v 8.33 2013-11-22 20:51:13 ca Exp $ #####
+
+##### $FreeBSD: releng/12.2/etc/sendmail/freebsd.mc 363465 2020-07-24 00:22:33Z gshapiro $ #####
+
+##### $Id: freebsd6.m4,v 1.2 2013-11-22 20:51:15 ca Exp $ #####
+
+
+##### $Id: generic.m4,v 8.16 2013-11-22 20:51:10 ca Exp $ #####
+
+##### $Id: redirect.m4,v 8.16 2013-11-22 20:51:11 ca Exp $ #####
+
+##### $Id: use_cw_file.m4,v 8.12 2013-11-22 20:51:11 ca Exp $ #####
+
+
+
+
+##### $Id: access_db.m4,v 8.28 2013-11-22 20:51:11 ca Exp $ #####
+
+
+##### $Id: blocklist_recipients.m4,v 8.14 2013-11-22 20:51:11 ca Exp $ #####
+
+
+##### $Id: local_lmtp.m4,v 8.18 2013-11-22 20:51:11 ca Exp $ #####
+
+
+##### $Id: mailertable.m4,v 8.26 2013-11-22 20:51:11 ca Exp $ #####
+
+
+##### $Id: virtusertable.m4,v 8.24 2013-11-22 20:51:11 ca Exp $ #####
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### $Id: proto.m4,v 8.762 2013-11-22 20:51:13 ca Exp $ #####
+
+# level 10 config file format
+V10/Berkeley
+
+# override file safeties - setting this option compromises system security,
+# addressing the actual file configuration problem is preferred
+# need to set this before any file actions are encountered in the cf file
+#O DontBlameSendmail=safe
+
+# default LDAP map specification
+# need to set this now before any LDAP maps are defined
+#O LDAPDefaultSpec=-h localhost
+
+##################
+# local info #
+##################
+
+# my LDAP cluster
+# need to set this before any LDAP lookups are done (including classes)
+#D{sendmailMTACluster}$m
+
+Cwlocalhost
+# file containing names of hosts for which we receive email
+Fw-o /etc/mail/local-host-names
+
+# my official domain name
+# ... define this only if sendmail cannot automatically determine your domain
+Djmail.ahlawat.com
+
+# host/domain names ending with a token in class P are canonical
+CP.
+
+# "Smart" relay host (may be null)
+DSmail
+
+
+# operators that cannot be in local usernames (i.e., network indicators)
+CO @ % !
+
+# a class with just dot (for identifying canonical names)
+C..
+
+# a class with just a left bracket (for identifying domain literals)
+C[[
+
+# access_db acceptance class
+C{Accept}OK RELAY
+
+
+# Resolve map (to check if a host exists in check_mail)
+Kresolve host -a -T
+C{ResOk}OKR
+
+
+# Hosts for which relaying is permitted ($=R)
+FR-o /etc/mail/relay-domains
+
+# arithmetic map
+Karith arith
+# macro storage map
+Kmacro macro
+# possible values for TLS_connection in access map
+C{Tls}VERIFY ENCR
+C{TlsVerified}OK TRUSTED
+
+
+
+
+
+# dequoting map
+Kdequote dequote
+
+# class E: names that should be exposed as from this host, even if we masquerade
+# class L: names that should be delivered locally, even if we have a relay
+# class M: domains that should be converted to $M
+# class N: domains that should not be converted to $M
+#CL root
+C{E}root
+
+
+
+# my name for error messages
+DnMAILER-DAEMON
+
+
+CPREDIRECT
+
+# Access list database (for spam stomping)
+Kaccess hash -o -T /etc/mail/access
+
+# Mailer table (overriding domains)
+Kmailertable hash -o /etc/mail/mailertable
+
+# Virtual user table (maps incoming users)
+Kvirtuser hash -o /etc/mail/virtusertable
+
+# Configuration version number
+DZ8.16.1
+
+
+###############
+# Options #
+###############
+
+# strip message body to 7 bits on input?
+O SevenBitInput=False
+
+# 8-bit data handling
+#O EightBitMode=pass8
+
+# wait for alias file rebuild (default units: minutes)
+O AliasWait=10
+
+# location of alias file
+O AliasFile=/etc/mail/aliases
+
+# minimum number of free blocks on filesystem
+O MinFreeBlocks=100
+
+# maximum message size
+#O MaxMessageSize=0
+
+# substitution for space (blank) characters
+O BlankSub=.
+
+# avoid connecting to "expensive" mailers on initial submission?
+O HoldExpensive=False
+
+# checkpoint queue runs after every N successful deliveries
+#O CheckpointInterval=10
+
+# default delivery mode
+O DeliveryMode=background
+
+# error message header/file
+#O ErrorHeader=/etc/mail/error-header
+
+# error mode
+#O ErrorMode=print
+
+# save Unix-style "From_" lines at top of header?
+#O SaveFromLine=False
+
+# queue file mode (qf files)
+#O QueueFileMode=0600
+
+# temporary file mode
+O TempFileMode=0600
+
+# match recipients against GECOS field?
+#O MatchGECOS=False
+
+# maximum hop count
+#O MaxHopCount=25
+
+# location of help file
+O HelpFile=/etc/mail/helpfile
+
+# ignore dots as terminators in incoming messages?
+#O IgnoreDots=False
+
+# name resolver options
+O ResolverOptions=WorkAroundBrokenAAAA
+
+# deliver MIME-encapsulated error messages?
+O SendMimeErrors=True
+
+# Forward file search path
+O ForwardPath=$z/.forward.$w+$h:$z/.forward+$h:$z/.forward.$w:$z/.forward
+
+# open connection cache size
+O ConnectionCacheSize=2
+
+# open connection cache timeout
+O ConnectionCacheTimeout=5m
+
+# persistent host status directory
+#O HostStatusDirectory=.hoststat
+
+# single thread deliveries (requires HostStatusDirectory)?
+#O SingleThreadDelivery=False
+
+# use Errors-To: header?
+O UseErrorsTo=False
+
+# use compressed IPv6 address format?
+#O UseCompressedIPv6Addresses
+
+# log level
+O LogLevel=9
+
+# send to me too, even in an alias expansion?
+#O MeToo=True
+
+# verify RHS in newaliases?
+O CheckAliases=False
+
+# default messages to old style headers if no special punctuation?
+O OldStyleHeaders=True
+
+# SMTP daemon options
+
+O DaemonPortOptions=Name=IPv4, Family=inet
+O DaemonPortOptions=Name=IPv6, Family=inet6, Modifiers=O
+O DaemonPortOptions=Port=587, Name=MSA, M=E
+
+# SMTP client options
+
+O ClientPortOptions=Family=inet6, Address=2603:3024:3f6:e1::100
+
+# Modifiers to define {daemon_flags} for direct submissions
+#O DirectSubmissionModifiers
+
+# Use as mail submission program? See sendmail/SECURITY
+#O UseMSP
+
+# privacy flags
+O PrivacyOptions=authwarnings,noexpn,novrfy
+
+# who (if anyone) should get extra copies of error messages
+#O PostmasterCopy=Postmaster
+
+# slope of queue-only function
+#O QueueFactor=600000
+
+# limit on number of concurrent queue runners
+#O MaxQueueChildren
+
+# maximum number of queue-runners per queue-grouping with multiple queues
+#O MaxRunnersPerQueue=1
+
+# priority of queue runners (nice(3))
+#O NiceQueueRun
+
+# shall we sort the queue by hostname first?
+#O QueueSortOrder=priority
+
+# minimum time in queue before retry
+#O MinQueueAge=30m
+
+# maximum time in queue before retry (if > 0; only for exponential delay)
+#O MaxQueueAge
+
+# how many jobs can you process in the queue?
+#O MaxQueueRunSize=0
+
+# perform initial split of envelope without checking MX records
+#O FastSplit=1
+
+# queue directory
+O QueueDirectory=/var/spool/mqueue
+
+# key for shared memory; 0 to turn off, -1 to auto-select
+#O SharedMemoryKey=0
+
+# file to store auto-selected key for shared memory (SharedMemoryKey = -1)
+#O SharedMemoryKeyFile
+
+# timeouts (many of these)
+#O Timeout.initial=5m
+O Timeout.connect=1m
+#O Timeout.aconnect=0s
+#O Timeout.iconnect=5m
+#O Timeout.helo=5m
+#O Timeout.mail=10m
+#O Timeout.rcpt=1h
+#O Timeout.datainit=5m
+#O Timeout.datablock=1h
+#O Timeout.datafinal=1h
+#O Timeout.rset=5m
+#O Timeout.quit=2m
+#O Timeout.misc=2m
+O Timeout.command=2m
+O Timeout.ident=0
+#O Timeout.fileopen=60s
+#O Timeout.control=2m
+O Timeout.queuereturn=5d
+#O Timeout.queuereturn.normal=5d
+#O Timeout.queuereturn.urgent=2d
+#O Timeout.queuereturn.non-urgent=7d
+#O Timeout.queuereturn.dsn=5d
+O Timeout.queuewarn=4h
+#O Timeout.queuewarn.normal=4h
+#O Timeout.queuewarn.urgent=1h
+#O Timeout.queuewarn.non-urgent=12h
+#O Timeout.queuewarn.dsn=4h
+#O Timeout.hoststatus=30m
+#O Timeout.resolver.retrans=5s
+#O Timeout.resolver.retrans.first=5s
+#O Timeout.resolver.retrans.normal=5s
+#O Timeout.resolver.retry=4
+#O Timeout.resolver.retry.first=4
+#O Timeout.resolver.retry.normal=4
+#O Timeout.lhlo=2m
+#O Timeout.auth=10m
+#O Timeout.starttls=1h
+
+# time for DeliverBy; extension disabled if less than 0
+#O DeliverByMin=0
+
+# should we not prune routes in route-addr syntax addresses?
+#O DontPruneRoutes=False
+
+# queue up everything before forking?
+O SuperSafe=True
+
+# status file
+O StatusFile=/var/log/sendmail.st
+
+# time zone handling:
+# if undefined, use system default
+# if defined but null, use TZ envariable passed in
+# if defined and non-null, use that info
+#O TimeZoneSpec=
+
+# default UID (can be username or userid:groupid)
+#O DefaultUser=mailnull
+
+# list of locations of user database file (null means no lookup)
+#O UserDatabaseSpec=/etc/mail/userdb
+
+# fallback MX host
+#O FallbackMXhost=fall.back.host.net
+
+# fallback smart host
+#O FallbackSmartHost=fall.back.host.net
+
+# if we are the best MX host for a site, try it directly instead of config err
+#O TryNullMXList=False
+
+# load average at which we just queue messages
+#O QueueLA=8
+
+# load average at which we refuse connections
+#O RefuseLA=12
+
+# log interval when refusing connections for this long
+#O RejectLogInterval=3h
+
+# load average at which we delay connections; 0 means no limit
+#O DelayLA=0
+
+# maximum number of children we allow at one time
+#O MaxDaemonChildren=0
+
+# maximum number of new connections per second
+#O ConnectionRateThrottle=0
+
+# Width of the window
+#O ConnectionRateWindowSize=60s
+
+# work recipient factor
+#O RecipientFactor=30000
+
+# deliver each queued job in a separate process?
+#O ForkEachJob=False
+
+# work class factor
+#O ClassFactor=1800
+
+# work time factor
+#O RetryFactor=90000
+
+# default character set
+#O DefaultCharSet=unknown-8bit
+
+# service switch file (name hardwired on Solaris, Ultrix, OSF/1, others)
+#O ServiceSwitchFile=/etc/mail/service.switch
+
+# hosts file (normally /etc/hosts)
+#O HostsFile=/etc/hosts
+
+# dialup line delay on connection failure
+#O DialDelay=0s
+
+# action to take if there are no recipients in the message
+O NoRecipientAction=add-to-undisclosed
+
+# chrooted environment for writing to files
+#O SafeFileEnvironment
+
+# are colons OK in addresses?
+#O ColonOkInAddr=True
+
+# shall I avoid expanding CNAMEs (violates protocols)?
+#O DontExpandCnames=False
+
+# SMTP initial login message (old $e macro)
+O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
+
+# UNIX initial From header format (old $l macro)
+O UnixFromLine=From $g $d
+
+# From: lines that have embedded newlines are unwrapped onto one line
+#O SingleLineFromHeader=False
+
+# Allow HELO SMTP command that does not include a host name
+#O AllowBogusHELO=False
+
+# Characters to be quoted in a full name phrase (@,;:\()[] are automatic)
+#O MustQuoteChars=.
+
+# delimiter (operator) characters (old $o macro)
+O OperatorChars=.:%@!^/[]+
+
+# shall I avoid calling initgroups(3) because of high NIS costs?
+#O DontInitGroups=False
+
+# are group-writable :include: and .forward files (un)trustworthy?
+# True (the default) means they are not trustworthy.
+#O UnsafeGroupWrites=True
+
+
+# where do errors that occur when sending errors get sent?
+#O DoubleBounceAddress=postmaster
+
+# issue temporary errors (4xy) instead of permanent errors (5xy)?
+#O SoftBounce=False
+
+# where to save bounces if all else fails
+#O DeadLetterDrop=/var/tmp/dead.letter
+
+# what user id do we assume for the majority of the processing?
+#O RunAsUser=sendmail
+
+# maximum number of recipients per SMTP envelope
+#O MaxRecipientsPerMessage=0
+
+# limit the rate recipients per SMTP envelope are accepted
+# once the threshold number of recipients have been rejected
+#O BadRcptThrottle=0
+
+
+# shall we get local names from our installed interfaces?
+#O DontProbeInterfaces=False
+
+# Return-Receipt-To: header implies DSN request
+#O RrtImpliesDsn=False
+
+# override connection address (for testing)
+#O ConnectOnlyTo=0.0.0.0
+
+# Trusted user for file ownership and starting the daemon
+#O TrustedUser=root
+
+# Control socket for daemon management
+#O ControlSocketName=/var/spool/mqueue/.control
+
+# Maximum MIME header length to protect MUAs
+#O MaxMimeHeaderLength=0/0
+
+# Maximum length of the sum of all headers
+O MaxHeadersLength=32768
+
+# Maximum depth of alias recursion
+#O MaxAliasRecursion=10
+
+# location of pid file
+#O PidFile=/var/run/sendmail.pid
+
+# Prefix string for the process title shown on 'ps' listings
+#O ProcessTitlePrefix=prefix
+
+# Data file (df) memory-buffer file maximum size
+#O DataFileBufferSize=4096
+
+# Transcript file (xf) memory-buffer file maximum size
+#O XscriptFileBufferSize=4096
+
+# lookup type to find information about local mailboxes
+#O MailboxDatabase=pw
+
+# override compile time flag REQUIRES_DIR_FSYNC
+#O RequiresDirfsync=true
+
+# list of authentication mechanisms
+#O AuthMechanisms=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
+
+# Authentication realm
+#O AuthRealm
+
+# default authentication information for outgoing connections
+#O DefaultAuthInfo=/etc/mail/default-auth-info
+
+# SMTP AUTH flags
+#O AuthOptions
+
+# SMTP AUTH maximum encryption strength
+#O AuthMaxBits
+
+# SMTP STARTTLS server options
+#O TLSSrvOptions
+
+# SSL cipherlist
+#O CipherList
+# server side SSL options
+#O ServerSSLOptions
+# client side SSL options
+#O ClientSSLOptions
+# SSL Engine
+#O SSLEngine
+# Path to dynamic library for SSLEngine
+#O SSLEnginePath
+# TLS: fall back to clear text after handshake failure?
+#O TLSFallbacktoClear
+
+# Input mail filters
+#O InputMailFilters
+
+
+# CA directory
+O CACertPath=/etc/mail/certs
+# CA file
+O CACertFile=/etc/mail/certs/cacert.pem
+# Server Cert
+O ServerCertFile=/etc/mail/certs/host.cert
+# Server private key
+O ServerKeyFile=/etc/mail/certs/host.key
+# Client Cert
+O ClientCertFile=/etc/mail/certs/host.cert
+# Client private key
+O ClientKeyFile=/etc/mail/certs/host.key
+# File containing certificate revocation lists
+#O CRLFile
+# Directory containing hashes pointing to certificate revocation status files
+#O CRLPath
+# DHParameters (only required if DSA/DH is used)
+O DHParameters=/mnt/certs/dhparam2048.pem
+# Random data source (required for systems without /dev/urandom under OpenSSL)
+#O RandFile
+# fingerprint algorithm (digest) to use for the presented cert
+#O CertFingerprintAlgorithm
+# enable DANE?
+#O DANE=false
+
+# Maximum number of "useless" commands before slowing down
+#O MaxNOOPCommands=20
+
+# Name to use for EHLO (defaults to $j)
+#O HeloName
+
+
+
+############################
+# QUEUE GROUP DEFINITIONS #
+############################
+
+
+###########################
+# Message precedences #
+###########################
+
+Pfirst-class=0
+Pspecial-delivery=100
+Plist=-30
+Pbulk=-60
+Pjunk=-100
+
+#####################
+# Trusted users #
+#####################
+
+# this is equivalent to setting class "t"
+#Ft/etc/mail/trusted-users
+Troot
+Tdaemon
+Tuucp
+
+#########################
+# Format of headers #
+#########################
+
+H?P?Return-Path: <$g>
+HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
+ $.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
+ $.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
+ (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u
+ for $u; $|;
+ $.$b$?g
+ (envelope-from $g)$.
+H?D?Resent-Date: $a
+H?D?Date: $a
+H?F?Resent-From: $?x$x <$g>$|$g$.
+H?F?From: $?x$x <$g>$|$g$.
+H?x?Full-Name: $x
+# HPosted-Date: $a
+# H?l?Received-Date: $b
+H?M?Resent-Message-Id: <$t.$i@$j>
+H?M?Message-Id: <$t.$i@$j>
+
+#
+######################################################################
+######################################################################
+#####
+##### REWRITING RULES
+#####
+######################################################################
+######################################################################
+
+############################################
+### Ruleset 3 -- Name Canonicalization ###
+############################################
+Scanonify=3
+
+# handle null input (translate to <@> special case)
+R$@ $@ <@>
+
+# strip group: syntax (not inside angle brackets!) and trailing semicolon
+R$* $: $1 <@> mark addresses
+R$* < $* > $* <@> $: $1 < $2 > $3 unmark
+R@ $* <@> $: @ $1 unmark @host:...
+R$* [ IPv6 : $+ ] <@> $: $1 [ IPv6 : $2 ] unmark IPv6 addr
+R$* :: $* <@> $: $1 :: $2 unmark node::addr
+R:include: $* <@> $: :include: $1 unmark :include:...
+R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon
+R$* : $* <@> $: $2 strip colon if marked
+R$* <@> $: $1 unmark
+R$* ; $1 strip trailing semi
+R$* < $+ :; > $* $@ $2 :; <@> catch
+R$* < $* ; > $1 < $2 > bogus bracketed semi
+
+# null input now results from list:; syntax
+R$@ $@ :; <@>
+
+# strip angle brackets -- note RFC733 heuristic to get innermost item
+R$* $: < $1 > housekeeping <>
+R$+ < $* > < $2 > strip excess on left
+R< $* > $+ < $1 > strip excess on right
+R<> $@ < @ > MAIL FROM:<> case
+R< $+ > $: $1 remove housekeeping <>
+
+# strip route address <@a,@b,@c:user@d> ->
+R@ $+ , $+ $2
+R@ [ $* ] : $+ $2
+R@ $+ : $+ $2
+
+# find focus for list syntax
+R $+ : $* ; @ $+ $@ $>Canonify2 $1 : $2 ; < @ $3 > list syntax
+R $+ : $* ; $@ $1 : $2; list syntax
+
+# find focus for @ syntax addresses
+R$+ @ $+ $: $1 < @ $2 > focus on domain
+R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right
+R$+ < @ $+ > $@ $>Canonify2 $1 < @ $2 > already canonical
+
+
+# convert old-style addresses to a domain-based address
+R$- ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > resolve uucp names
+R$+ . $- ! $+ $@ $>Canonify2 $3 < @ $1 . $2 > domain uucps
+R$+ ! $+ $@ $>Canonify2 $2 < @ $1 .UUCP > uucp subdomains
+
+# if we have % signs, take the rightmost one
+R$* % $* $1 @ $2 First make them all @s.
+R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
+
+R$* @ $* $@ $>Canonify2 $1 < @ $2 > Insert < > and finish
+
+# else we must be a local name
+R$* $@ $>Canonify2 $1
+
+
+################################################
+### Ruleset 96 -- bottom half of ruleset 3 ###
+################################################
+
+SCanonify2=96
+
+# handle special cases for local names
+R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all
+R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain
+R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain
+
+# check for IPv4/IPv6 domain literal
+R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [addr]
+R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal
+R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr
+
+
+
+
+
+# if really UUCP, handle it immediately
+
+# try UUCP traffic as a local address
+R$* < @ $+ . UUCP > $* $: $1 < @ $[ $2 $] . UUCP . > $3
+R$* < @ $+ . . UUCP . > $* $@ $1 < @ $2 . > $3
+
+# hostnames ending in class P are always canonical
+R$* < @ $* $=P > $* $: $1 < @ $2 $3 . > $4
+R$* < @ $* $~P > $* $: $&{daemon_flags} $| $1 < @ $2 $3 > $4
+R$* CC $* $| $* < @ $+.$+ > $* $: $3 < @ $4.$5 . > $6
+R$* CC $* $| $* $: $3
+# pass to name server to make hostname canonical
+R$* $| $* < @ $* > $* $: $2 < @ $[ $3 $] > $4
+R$* $| $* $: $2
+
+# local host aliases and pseudo-domains are always canonical
+R$* < @ $=w > $* $: $1 < @ $2 . > $3
+R$* < @ $=M > $* $: $1 < @ $2 . > $3
+R$* < @ $={VirtHost} > $* $: $1 < @ $2 . > $3
+R$* < @ $* . . > $* $1 < @ $2 . > $3
+
+
+##################################################
+### Ruleset 4 -- Final Output Post-rewriting ###
+##################################################
+Sfinal=4
+
+R$+ :; <@> $@ $1 : handle
+R$* <@> $@ handle <> and list:;
+
+# strip trailing dot off possibly canonical name
+R$* < @ $+ . > $* $1 < @ $2 > $3
+
+# eliminate internal code
+R$* < @ *LOCAL* > $* $1 < @ $j > $2
+
+# externalize local domain info
+R$* < $+ > $* $1 $2 $3 defocus
+R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 canonical
+R@ $* $@ @ $1 ... and exit
+
+# UUCP must always be presented in old form
+R$+ @ $- . UUCP $2!$1 u@h.UUCP => h!u
+
+# delete duplicate local names
+R$+ % $=w @ $=w $1 @ $2 u%host@host => u@host
+
+
+
+##############################################################
+### Ruleset 97 -- recanonicalize and call ruleset zero ###
+### (used for recursive calls) ###
+##############################################################
+
+SRecurse=97
+R$* $: $>canonify $1
+R$* $@ $>parse $1
+
+
+######################################
+### Ruleset 0 -- Parse Address ###
+######################################
+
+Sparse=0
+
+R$* $: $>Parse0 $1 initial parsing
+R<@> $#local $: <@> special case error msgs
+R$* $: $>ParseLocal $1 handle local hacks
+R$* $: $>Parse1 $1 final parsing
+
+#
+# Parse0 -- do initial syntax checking and eliminate local addresses.
+# This should either return with the (possibly modified) input
+# or return with a #error mailer. It should not return with a
+# #mailer other than the #error mailer.
+#
+
+SParse0
+R<@> $@ <@> special case error msgs
+R$* : $* ; <@> $#error $@ 5.1.3 $: "553 List:; syntax illegal for recipient addresses"
+R@ <@ $* > < @ $1 > catch "@@host" bogosity
+R<@ $+> $#error $@ 5.1.3 $: "553 User address required"
+R$+ <@> $#error $@ 5.1.3 $: "553 Hostname required"
+R$* $: <> $1
+R<> $* < @ [ $* ] : $+ > $* $1 < @ [ $2 ] : $3 > $4
+R<> $* < @ [ $* ] , $+ > $* $1 < @ [ $2 ] , $3 > $4
+R<> $* < @ [ $* ] $+ > $* $#error $@ 5.1.2 $: "553 Invalid address"
+R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3
+R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "553 Colon illegal in host name part"
+R<> $* $1
+R$* < @ . $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
+R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "553 Invalid host name"
+R$* < @ $* @ > $* $#error $@ 5.1.2 $: "553 Invalid route address"
+R$* @ $* < @ $* > $* $#error $@ 5.1.3 $: "553 Invalid route address"
+R$* , $~O $* $#error $@ 5.1.3 $: "553 Invalid route address"
+
+
+# now delete the local info -- note $=O to find characters that cause forwarding
+R$* < @ > $* $@ $>Parse0 $>canonify $1 user@ => user
+R< @ $=w . > : $* $@ $>Parse0 $>canonify $2 @here:... -> ...
+R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here
+R< @ $+ > $#error $@ 5.1.3 $: "553 User address required"
+R$* $=O $* < @ $=w . > $@ $>Parse0 $>canonify $1 $2 $3 ...@here -> ...
+R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"
+R< @ *LOCAL* > $#error $@ 5.1.3 $: "553 User address required"
+R$* $=O $* < @ *LOCAL* >
+ $@ $>Parse0 $>canonify $1 $2 $3 ...@*LOCAL* -> ...
+R$* < @ *LOCAL* > $: $1
+
+
+#
+# Parse1 -- the bottom half of ruleset 0.
+#
+
+SParse1
+
+# handle numeric address spec
+R$* < @ [ $+ ] > $* $: $>ParseLocal $1 < @ [ $2 ] > $3 numeric internet spec
+R$* < @ [ $+ ] > $* $: $1 < @ [ $2 ] : $S > $3 Add smart host to path
+R$* < @ [ $+ ] : > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 no smarthost: send
+R$* < @ [ $+ ] : $- : $*> $* $#$3 $@ $4 $: $1 < @ [$2] > $5 smarthost with mailer
+R$* < @ [ $+ ] : $+ > $* $#esmtp $@ $3 $: $1 < @ [$2] > $4 smarthost without mailer
+
+# handle virtual users
+R$+ $: $1 Mark for lookup
+R $+ < @ $={VirtHost} . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
+R $+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
+R<@> $+ + $+ < @ $* . >
+ $: < $(virtuser $1 + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
+R<@> $+ + $* < @ $* . >
+ $: < $(virtuser $1 + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
+R<@> $+ + $* < @ $* . >
+ $: < $(virtuser $1 @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
+R<@> $+ + $+ < @ $+ . > $: < $(virtuser + + @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
+R<@> $+ + $* < @ $+ . > $: < $(virtuser + * @ $3 $@ $1 $@ $2 $@ +$2 $: @ $) > $1 + $2 < @ $3 . >
+R<@> $+ + $* < @ $+ . > $: < $(virtuser @ $3 $@ $1 $@ $2 $@ +$2 $: ! $) > $1 + $2 < @ $3 . >
+R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
+R<@> $+ $: $1
+R $+ $: $1
+R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
+R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2
+R< $+ > $+ < @ $+ > $: $>Recurse $1
+
+# short circuit local delivery so forwarded email works
+
+
+R$=L < @ $=w . > $#local $: @ $1 special local names
+R$+ < @ $=w . > $#local $: $1 regular local name
+
+# not local -- try mailer table lookup
+R$* <@ $+ > $* $: < $2 > $1 < @ $2 > $3 extract host name
+R< $+ . > $* $: < $1 > $2 strip trailing dot
+R< $+ > $* $: < $(mailertable $1 $) > $2 lookup
+R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 check -- resolved?
+R< $+ > $* $: $>Mailertable <$1> $2 try domain
+
+# resolve remotely connected UUCP links (if any)
+
+# resolve fake top level domains by forwarding to other hosts
+
+
+
+# pass names that still have a host to a smarthost (if defined)
+R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name
+
+# deal with other remote names
+R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain
+
+# handle locally delivered names
+R$=L $#local $: @ $1 special local names
+R$+ $#local $: $1 regular local names
+
+
+
+###########################################################################
+### Ruleset 5 -- special rewriting after aliases have been expanded ###
+###########################################################################
+
+SLocal_localaddr
+Slocaladdr=5
+R$+ $: $1 $| $>"Local_localaddr" $1
+R$+ $| $#ok $@ $1 no change
+R$+ $| $#$* $#$2
+R$+ $| $* $: $1
+
+
+
+
+# deal with plussed users so aliases work nicely
+R$+ + * $#local $@ $&h $: $1
+R$+ + $* $#local $@ + $2 $: $1 + *
+
+# prepend an empty "forward host" on the front
+R$+ $: <> $1
+
+
+
+R< > $+ $: < > < $1 <> $&h > nope, restore +detail
+
+R< > < $+ <> + $* > $: < > < $1 + $2 > check whether +detail
+R< > < $+ <> $* > $: < > < $1 > else discard
+R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part
+R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +
+R< > < $+ > $@ $1 no +detail
+R$+ $: $1 <> $&h add +detail back in
+
+R$+ <> + $* $: $1 + $2 check whether +detail
+R$+ <> $* $: $1 else discard
+R< local : $* > $* $: $>MailerToTriple < local : $1 > $2 no host extension
+R< error : $* > $* $: $>MailerToTriple < error : $1 > $2 no host extension
+
+R< $~[ : $+ > $+ $: $>MailerToTriple < $1 : $2 > $3 < @ $2 >
+
+R< $+ > $+ $@ $>MailerToTriple < $1 > $2 < @ $1 >
+
+
+###################################################################
+### Ruleset 90 -- try domain part of mailertable entry ###
+###################################################################
+
+SMailertable=90
+R$* <$- . $+ > $* $: $1$2 < $(mailertable .$3 $@ $1$2 $@ $2 $) > $4
+R$* <$~[ : $* > $* $>MailerToTriple < $2 : $3 > $4 check -- resolved?
+R$* < . $+ > $* $@ $>Mailertable $1 . <$2> $3 no -- strip & try again
+R$* < $* > $* $: < $(mailertable . $@ $1$2 $) > $3 try "."
+R< $~[ : $* > $* $>MailerToTriple < $1 : $2 > $3 "." found?
+R< $* > $* $@ $2 no mailertable match
+
+###################################################################
+### Ruleset 95 -- canonify mailer:[user@]host syntax to triple ###
+###################################################################
+
+SMailerToTriple=95
+R< > $* $@ $1 strip off null relay
+R< error : $-.$-.$- : $+ > $* $#error $@ $1.$2.$3 $: $4
+R< error : $- : $+ > $* $#error $@ $(dequote $1 $) $: $2
+R< error : $+ > $* $#error $: $1
+R< local : $* > $* $>CanonLocal < $1 > $2
+R< $~[ : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use literal user
+R< $~[ : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer
+R< $=w > $* $@ $2 delete local host
+R< $+ > $* $#relay $@ $1 $: $2 use unqualified mailer
+
+###################################################################
+### Ruleset CanonLocal -- canonify local: syntax ###
+###################################################################
+
+SCanonLocal
+# strip local host from routed addresses
+R< $* > < @ $+ > : $+ $@ $>Recurse $3
+R< $* > $+ $=O $+ < @ $+ > $@ $>Recurse $2 $3 $4
+
+# strip trailing dot from any host name that may appear
+R< $* > $* < @ $* . > $: < $1 > $2 < @ $3 >
+
+# handle local: syntax -- use old user, either with or without host
+R< > $* < @ $* > $* $#local $@ $1@$2 $: $1
+R< > $+ $#local $@ $1 $: $1
+
+# handle local:user@host syntax -- ignore host part
+R< $+ @ $+ > $* < @ $* > $: < $1 > $3 < @ $4 >
+
+# handle local:user syntax
+R< $+ > $* <@ $* > $* $#local $@ $2@$3 $: $1
+R< $+ > $* $#local $@ $2 $: $1
+
+###################################################################
+### Ruleset 93 -- convert header names to masqueraded form ###
+###################################################################
+
+SMasqHdr=93
+
+
+# do not masquerade anything in class N
+R$* < @ $* $=N . > $@ $1 < @ $2 $3 . >
+
+R$* < @ *LOCAL* > $@ $1 < @ $j . >
+
+###################################################################
+### Ruleset 94 -- convert envelope names to masqueraded form ###
+###################################################################
+
+SMasqEnv=94
+R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2
+
+###################################################################
+### Ruleset 98 -- local part of ruleset zero (can be null) ###
+###################################################################
+
+SParseLocal=98
+
+# addresses sent to foo@host.REDIRECT will give a 551 error code
+R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT . > < ${opMode} >
+R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT. >
+R$* < @ $+ .REDIRECT. > < $- > $#error $@ 5.1.1 $: "551 User has moved; please try " <$1@$2>
+
+
+
+
+
+
+######################################################################
+### D: LookUpDomain -- search for domain in access database
+###
+### Parameters:
+### <$1> -- key (domain name)
+### <$2> -- default (what to return if not found in db)
+### <$3> -- mark (must be <(!|+) single-token>)
+### ! does lookup only with tag
+### + does lookup with and without tag
+### <$4> -- passthru (additional data passed unchanged through)
+######################################################################
+
+SD
+R<$*> <$+> <$- $-> <$*> $: < $(access $4:$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
+R> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
+R> <[$+.$-]> <$+> <$- $-> <$*> $@ $>D <[$1]> <$3> <$4 $5> <$6>
+R> <[$+::$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>
+R> <[$+:$-]> <$+> <$- $-> <$*> $: $>D <[$1]> <$3> <$4 $5> <$6>
+R> <$+.$+> <$+> <$- $-> <$*> $@ $>D <$2> <$3> <$4 $5> <$6>
+R> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>
+R<$* > <$+> <$+> <$- $-> <$*> $@ <> <$6>
+R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6>
+
+######################################################################
+### A: LookUpAddress -- search for host address in access database
+###
+### Parameters:
+### <$1> -- key (dot quadded host address)
+### <$2> -- default (what to return if not found in db)
+### <$3> -- mark (must be <(!|+) single-token>)
+### ! does lookup only with tag
+### + does lookup with and without tag
+### <$4> -- passthru (additional data passed through)
+######################################################################
+
+SA
+R<$+> <$+> <$- $-> <$*> $: < $(access $4:$1 $: ? $) > <$1> <$2> <$3 $4> <$5>
+R> <$+> <$+> <+ $-> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <+ $3> <$4>
+R> <$+::$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
+R> <$+:$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
+R> <$+.$-> <$+> <$- $-> <$*> $@ $>A <$1> <$3> <$4 $5> <$6>
+R> <$+> <$+> <$- $-> <$*> $@ <$2> <$5>
+R<$* > <$+> <$+> <$- $-> <$*> $@ <> <$6>
+R<$*> <$+> <$+> <$- $-> <$*> $@ <$1> <$6>
+
+######################################################################
+### CanonAddr -- Convert an address into a standard form for
+### relay checking. Route address syntax is
+### crudely converted into a %-hack address.
+###
+### Parameters:
+### $1 -- full recipient address
+###
+### Returns:
+### parsed address, not in source route form
+######################################################################
+
+SCanonAddr
+R$* $: $>Parse0 $>canonify $1 make domain canonical
+
+
+######################################################################
+### ParseRecipient -- Strip off hosts in $=R as well as possibly
+### $* $=m or the access database.
+### Check user portion for host separators.
+###
+### Parameters:
+### $1 -- full recipient address
+###
+### Returns:
+### parsed, non-local-relaying address
+######################################################################
+
+SParseRecipient
+R$* $: > $>CanonAddr $1
+R> $* < @ $* . > > $1 < @ $2 > strip trailing dots
+R> $- < @ $* > $: > $(dequote $1 $) < @ $2 > dequote local part
+
+# if no $=O character, no host in the user portion, we are done
+R> $* $=O $* < @ $* > $: $1 $2 $3 < @ $4>
+R> $* $@ $1
+
+
+R $* < @ $* $=R > $: $1 < @ $2 $3 >
+R $* < @ $+ > $: $>D <$2> <+ To> <$1 < @ $2 >>
+R<$+> <$+> $: <$1> $2
+
+
+
+R $* < @ $* > $@ $>ParseRecipient $1
+R<$+> $* $@ $2
+
+
+######################################################################
+### check_relay -- check hostname/address on SMTP startup
+######################################################################
+
+
+
+SLocal_check_relay
+Scheck_relay
+R$* $: $1 $| $>"Local_check_relay" $1
+R$* $| $* $| $#$* $#$3
+R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2
+
+SBasic_check_relay
+# check for deferred delivery mode
+R$* $: < $&{deliveryMode} > $1
+R< d > $* $@ deferred
+R< $* > $* $: $2
+
+R$+ $| $+ $: $>D < $1 > > <+ Connect> < $2 >
+R $| $+ $: $>A < $1 > > <+ Connect> <> empty client_name
+R> <$+> $: $>A < $1 > > <+ Connect> <> no: another lookup
+R> <$*> $: OK found nothing
+R<$={Accept}> <$*> $@ $1 return value of lookup
+R <$*> $#error $@ 5.7.1 $: "550 Access denied"
+R <$*> $#discard $: discard
+R <$*> $#error $@ quarantine $: $1
+R <$*> $#error $@ $1.$2.$3 $: $4
+R <$*> $#error $: $1
+R<$* > <$*> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R<$+> <$*> $#error $: $1
+
+
+######################################################################
+### check_mail -- check SMTP `MAIL FROM:' command argument
+######################################################################
+
+SLocal_check_mail
+Scheck_mail
+R$* $: $1 $| $>"Local_check_mail" $1
+R$* $| $#$* $#$2
+R$* $| $* $@ $>"Basic_check_mail" $1
+
+SBasic_check_mail
+# check for deferred delivery mode
+R$* $: < $&{deliveryMode} > $1
+R< d > $* $@ deferred
+R< $* > $* $: $2
+
+# authenticated?
+R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL
+R$* $| $#$+ $#$2
+R$* $| $* $: $1
+
+R<> $@ we MUST accept <> (RFC 1123)
+R$+ $: > $1
+R><$+> $: <@> <$1>
+R>$+ $: <@> <$1>
+R$* $: $&{daemon_flags} $| $1
+R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
+R$* u $* $| <@> < $* > $: > < $3 >
+R$* $| $* $: $2
+# handle case of @localhost on address
+R<@> < $* @ localhost > $: < ? $&{client_name} > < $1 @ localhost >
+R<@> < $* @ [127.0.0.1] >
+ $: < ? $&{client_name} > < $1 @ [127.0.0.1] >
+R<@> < $* @ [IPv6:0:0:0:0:0:0:0:1] >
+ $: < ? $&{client_name} > < $1 @ [IPv6:0:0:0:0:0:0:0:1] >
+R<@> < $* @ [IPv6:::1] >
+ $: < ? $&{client_name} > < $1 @ [IPv6:::1] >
+R<@> < $* @ localhost.$m >
+ $: < ? $&{client_name} > < $1 @ localhost.$m >
+R<@> < $* @ localhost.UUCP >
+ $: < ? $&{client_name} > < $1 @ localhost.UUCP >
+R<@> $* $: $1 no localhost as domain
+R $=w> $* $: $2 local client: ok
+R $+> <$+> $#error $@ 5.5.4 $: "553 Real domain name required for sender address"
+R> $* $: $1
+R$* $: > $>CanonAddr $1 canonify sender address and mark it
+R> $* < @ $+ . > > $1 < @ $2 > strip trailing dots
+# handle non-DNS hostnames (*.bitnet, *.decnet, *.uucp, etc)
+R> $* < @ $* $=P > $: $1 < @ $2 $3 >
+R> $* < @ $j > $: $1 < @ $j >
+R> $* < @ $+ > $: $(resolve $2 $: $2 $) > $1 < @ $2 >
+R $* <$->> $* < @ $+ >
+ $: <$2> $3 < @ $4 >
+
+# check sender address: user@address, user@, address
+R<$+> $+ < @ $* > $: @<$1> <$2 < @ $3 >> $|
+R<$+> $+ $: @<$1> <$2> $|
+R@ <$+> <$*> $| <$+> $: <@> <$1> <$2> $| $>SearchList <+ From> $| <$3> <>
+R<@> <$+> <$*> $| <$*> $: <$3> <$1> <$2> reverse result
+# retransform for further use
+R> <$+> <$*> $: <$1> $2 no match
+R<$+> <$+> <$*> $: <$1> $3 relevant result, keep it
+
+# handle case of no @domain on address
+R> $* $: $&{daemon_flags} $| > $1
+R$* u $* $| > $* $: $3
+R$* $| $* $: $2
+R> $* $: < ? $&{client_addr} > $1
+R> $* $@ ...local unqualed ok
+R $+> $* $#error $@ 5.5.4 $: "553 Domain name required for sender address " $&f
+ ...remote is not
+# check results
+R> $* $: @ $1 mark address: nothing known about it
+R<$={ResOk}> $* $: @ $2 domain ok
+R $* $#error $@ 4.1.8 $: "451 Domain of sender address " $&f " does not resolve"
+R $* $#error $@ 5.1.8 $: "553 Domain of sender address " $&f " does not exist"
+R<$={Accept}> $* $# $1 accept from access map
+R $* $#discard $: discard
+R $* $#error $@ quarantine $: $1
+R $* $#error $@ 5.7.1 $: "550 Access denied"
+R $* $#error $@ $1.$2.$3 $: $4
+R $* $#error $: $1
+R<> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R<$+> $* $#error $: $1 error from access db
+
+
+
+######################################################################
+### check_rcpt -- check SMTP `RCPT TO:' command argument
+######################################################################
+
+SLocal_check_rcpt
+Scheck_rcpt
+R$* $: $1 $| $>"Local_check_rcpt" $1
+R$* $| $#$* $#$2
+R$* $| $* $@ $>"Basic_check_rcpt" $1
+
+SBasic_check_rcpt
+# empty address?
+R<> $#error $@ nouser $: "553 User address required"
+R$@ $#error $@ nouser $: "553 User address required"
+# check for deferred delivery mode
+R$* $: < $&{deliveryMode} > $1
+R< d > $* $@ deferred
+R< $* > $* $: $2
+
+
+######################################################################
+R$* $: $1 $| @ $>"Rcpt_ok" $1
+R$* $| @ $#TEMP $+ $: $1 $| T $2
+R$* $| @ $#$* $#$2
+R$* $| @ RELAY $@ RELAY
+R$* $| @ $* $: O $| $>"Relay_ok" $1
+R$* $| T $+ $: T $2 $| $>"Relay_ok" $1
+R$* $| $#TEMP $+ $#error $2
+R$* $| $#$* $#$2
+R$* $| RELAY $@ RELAY
+R T $+ $| $* $#error $1
+# anything else is bogus
+R$* $#error $@ 5.7.1 $: "550 Relaying denied"
+
+
+######################################################################
+### Rcpt_ok: is the recipient ok?
+######################################################################
+SRcpt_ok
+R$* $: $>ParseRecipient $1 strip relayable hosts
+
+
+
+# blocklist local users or any host from receiving mail
+R$* $: > $1
+R> $+ < @ $=w > $: <> <$1 < @ $2 >> $|
+R> $+ < @ $* > $: <> <$1 < @ $2 >> $|
+R> $+ $: <> <$1> $|
+R<> <$*> $| <$+> $: <@> <$1> $| $>SearchList <+ To> $| <$2> <>
+R<@> <$*> $| <$*> $: <$2> <$1> reverse result
+R> <$*> $: @ $1 mark address as no match
+R<$={Accept}> <$*> $: @ $2 mark address as no match
+
+R $* $#error $@ 5.2.1 $: "550 Mailbox disabled for this recipient"
+R $* $#discard $: discard
+R $* $#error $@ quarantine $: $1
+R $* $#error $@ $1.$2.$3 $: $4
+R $* $#error $: $1
+R<> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R<$+> $* $#error $: $1 error from access db
+R@ $* $1 remove mark
+
+# authenticated via TLS?
+R$* $: $1 $| $>RelayTLS client authenticated?
+R$* $| $# $+ $# $2 error/ok?
+R$* $| $* $: $1 no
+
+R$* $: $1 $| $>"Local_Relay_Auth" $&{auth_type}
+R$* $| $# $* $# $2
+R$* $| NO $: $1
+R$* $| $* $: $1 $| $&{auth_type}
+R$* $| $: $1
+R$* $| $={TrustAuthMech} $# RELAY
+R$* $| $* $: $1
+# anything terminating locally is ok
+R$+ < @ $=w > $@ RELAY
+R$+ < @ $* $=R > $@ RELAY
+R$+ < @ $+ > $: $>D <$2> > <+ To> <$1 < @ $2 >>
+R $* $@ RELAY
+R<$* > $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R<$*> <$*> $: $2
+
+
+
+# check for local user (i.e. unqualified address)
+R$* $: > $1
+R> $* < @ $+ > $: $1 < @ $2 >
+# local user is ok
+R> $+ $@ RELAY
+R<$+> $* $: $2
+
+######################################################################
+### Relay_ok: is the relay/sender ok?
+######################################################################
+SRelay_ok
+# anything originating locally is ok
+# check IP address
+R$* $: $&{client_addr}
+R$@ $@ RELAY originated locally
+R0 $@ RELAY originated locally
+R127.0.0.1 $@ RELAY originated locally
+RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
+RIPv6:::1 $@ RELAY originated locally
+R$=R $* $@ RELAY relayable IP address
+R$* $: $>A <$1> > <+ Connect> <$1>
+R $* $@ RELAY relayable IP address
+
+R<> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R<$*> <$*> $: $2
+R$* $: [ $1 ] put brackets around it...
+R$=w $@ RELAY ... and see if it is local
+
+
+# check client name: first: did it resolve?
+R$* $: < $&{client_resolve} >
+R $#TEMP $@ 4.4.0 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr}
+R $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
+R $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}
+R$* $: <@> $&{client_name}
+# pass to name server to make hostname canonical
+R<@> $* $=P $:> $1 $2
+R<@> $+ $:> $[ $1 $]
+R$* . $1 strip trailing dots
+R> $=w $@ RELAY
+R> $* $=R $@ RELAY
+R> $* $: $>D <$1> > <+ Connect> <$1>
+R $* $@ RELAY
+R<$* > $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R<$*> <$*> $: $2
+
+
+
+######################################################################
+### F: LookUpFull -- search for an entry in access database
+###
+### lookup of full key (which should be an address) and
+### variations if +detail exists: +* and without +detail
+###
+### Parameters:
+### <$1> -- key
+### <$2> -- default (what to return if not found in db)
+### <$3> -- mark (must be <(!|+) single-token>)
+### ! does lookup only with tag
+### + does lookup with and without tag
+### <$4> -- passthru (additional data passed unchanged through)
+######################################################################
+
+SF
+R<$+> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
+R> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
+R> <$+ + $* @ $+> <$*> <$- $-> <$*>
+ $: <$(access $6:$1+*@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7>
+R> <$+ + $* @ $+> <$*> <+ $-> <$*>
+ $: <$(access $1+*@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6>
+R> <$+ + $* @ $+> <$*> <$- $-> <$*>
+ $: <$(access $6:$1@$3 $: ? $)> <$1+$2@$3> <$4> <$5 $6> <$7>
+R> <$+ + $* @ $+> <$*> <+ $-> <$*>
+ $: <$(access $1@$3 $: ? $)> <$1+$2@$3> <$4> <+ $5> <$6>
+R> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
+R<$+ > <$*> <$- $-> <$*> $@ <> <$5>
+R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>
+
+######################################################################
+### E: LookUpExact -- search for an entry in access database
+###
+### Parameters:
+### <$1> -- key
+### <$2> -- default (what to return if not found in db)
+### <$3> -- mark (must be <(!|+) single-token>)
+### ! does lookup only with tag
+### + does lookup with and without tag
+### <$4> -- passthru (additional data passed unchanged through)
+######################################################################
+
+SE
+R<$*> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
+R> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
+R> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
+R<$+ > <$*> <$- $-> <$*> $@ <> <$5>
+R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>
+
+######################################################################
+### U: LookUpUser -- search for an entry in access database
+###
+### lookup of key (which should be a local part) and
+### variations if +detail exists: +* and without +detail
+###
+### Parameters:
+### <$1> -- key (user@)
+### <$2> -- default (what to return if not found in db)
+### <$3> -- mark (must be <(!|+) single-token>)
+### ! does lookup only with tag
+### + does lookup with and without tag
+### <$4> -- passthru (additional data passed unchanged through)
+######################################################################
+
+SU
+R<$+> <$*> <$- $-> <$*> $: <$(access $4:$1 $: ? $)> <$1> <$2> <$3 $4> <$5>
+R> <$+> <$*> <+ $-> <$*> $: <$(access $1 $: ? $)> <$1> <$2> <+ $3> <$4>
+R> <$+ + $* @> <$*> <$- $-> <$*>
+ $: <$(access $5:$1+*@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
+R> <$+ + $* @> <$*> <+ $-> <$*>
+ $: <$(access $1+*@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
+R> <$+ + $* @> <$*> <$- $-> <$*>
+ $: <$(access $5:$1@ $: ? $)> <$1+$2@> <$3> <$4 $5> <$6>
+R> <$+ + $* @> <$*> <+ $-> <$*>
+ $: <$(access $1@ $: ? $)> <$1+$2@> <$3> <+ $4> <$5>
+R> <$+> <$*> <$- $-> <$*> $@ <$2> <$5>
+R<$+ > <$*> <$- $-> <$*> $@ <> <$5>
+R<$+> <$*> <$- $-> <$*> $@ <$1> <$5>
+
+######################################################################
+### SearchList: search a list of items in the access map
+### Parameters:
+### $| ... <>
+### where "exact" is either "+" or "!":
+### <+ TAG> lookup with and w/o tag
+### lookup with tag
+### possible values for "mark" are:
+### D: recursive host lookup (LookUpDomain)
+### E: exact lookup, no modifications
+### F: full lookup, try user+ext@domain and user@domain
+### U: user lookup, try user+ext and user (input must have trailing @)
+### return: or > (not found)
+######################################################################
+
+# class with valid marks for SearchList
+C{Src}E F D U
+SSearchList
+# just call the ruleset with the name of the tag... nice trick...
+R<$+> $| <$={Src}:$*> <$*> $: <$1> $| <$4> $| $>$2 <$3> > <$1> <>
+R<$+> $| <> $| > <> $@ >
+R<$+> $| <$+> $| > <> $@ $>SearchList <$1> $| <$2>
+R<$+> $| <$*> $| <$+> <> $@ <$3>
+R<$+> $| <$+> $@ <$2>
+
+
+######################################################################
+### trust_auth: is user trusted to authenticate as someone else?
+###
+### Parameters:
+### $1: AUTH= parameter from MAIL command
+######################################################################
+
+SLocal_trust_auth
+Strust_auth
+R$* $: $&{auth_type} $| $1
+# required by RFC 2554 section 4.
+R$@ $| $* $#error $@ 5.7.1 $: "550 not authenticated"
+R$* $| $&{auth_authen} $@ identical
+R$* $| <$&{auth_authen}> $@ identical
+R$* $| $* $: $1 $| $>"Local_trust_auth" $2
+R$* $| $#$* $#$2
+R$* $#error $@ 5.7.1 $: "550 " $&{auth_authen} " not allowed to act as " $&{auth_author}
+
+######################################################################
+### Relay_Auth: allow relaying based on authentication?
+###
+### Parameters:
+### $1: ${auth_type}
+######################################################################
+SLocal_Relay_Auth
+
+######################################################################
+### srv_features: which features to offer to a client?
+### (done in server)
+######################################################################
+Ssrv_features
+R$* $: $>D <$&{client_name}> > <>
+R>$* $: $>A <$&{client_addr}> > <>
+R>$* $: <$(access "Srv_Features": $: ? $)>
+R>$* $@ OK
+R<$* >$* $#temp
+R<$+>$* $# $1
+
+######################################################################
+### try_tls: try to use STARTTLS?
+### (done in client)
+######################################################################
+Stry_tls
+R$* $: $>D <$&{server_name}> > <>
+R>$* $: $>A <$&{server_addr}> > <>
+R>$* $: <$(access "Try_TLS": $: ? $)>
+R>$* $@ OK
+R<$* >$* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R$* $#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]"
+
+######################################################################
+### tls_rcpt: is connection with server "good" enough?
+### (done in client, per recipient)
+###
+### Parameters:
+### $1: recipient
+######################################################################
+Stls_rcpt
+R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
+R$+ $: > $>CanonAddr $1
+R> $+ < @ $+ . > > $1 <@ $2 >
+R> $+ < @ $+ > $: $1 <@ $2 > $|
+R> $+ $: $1 $|
+R$* $| $+ $: $1 $| $>SearchList $| $2 <>
+R$* $| > $@ OK
+R$* $| <$* > $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R$* $| <$+> $@ $>"TLS_connection" $&{verify} $| <$2>
+
+######################################################################
+### tls_client: is connection with client "good" enough?
+### (done in server)
+###
+### Parameters:
+### ${verify} $| (MAIL|STARTTLS)
+######################################################################
+Stls_client
+R$* $: $(macro {TLS_Name} $@ $&{client_name} $) $1
+R$* $| $* $: $1 $| $>D <$&{client_name}> > <>
+R$* $| >$* $: $1 $| $>A <$&{client_addr}> > <>
+R$* $| >$* $: $1 $| <$(access "TLS_Clt": $: ? $)>
+R$* $| <$* > $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R$* $@ $>"TLS_connection" $1
+
+######################################################################
+### tls_server: is connection with server "good" enough?
+### (done in client)
+###
+### Parameter:
+### ${verify}
+######################################################################
+Stls_server
+
+R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1
+R$* $: $1 $| $>D <$&{server_name}> > <>
+R$* $| >$* $: $1 $| $>A <$&{server_addr}> > <>
+R$* $| >$* $: $1 $| <$(access "TLS_Srv": $: ? $)>
+R$* $| <$* > $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R$* $@ $>"TLS_connection" $1
+
+######################################################################
+### TLS_connection: is TLS connection "good" enough?
+###
+### Parameters:
+### ${verify} $| [<>]
+### Requirement: RHS from access map, may be ? for none.
+######################################################################
+STLS_connection
+R$* $| <$*>$* $: $1 $| <$2>
+# create the appropriate error codes
+R$* $| $: $1 $| <503:5.7.0> <$2 $3>
+R$* $| $: $1 $| <403:4.7.0> <$2 $3>
+R$* $| <$={Tls} $*> $: $1 $| <403:4.7.0> <$2 $3>
+# deal with TLS handshake failures: abort
+RSOFTWARE $| <$-:$+> $* $#error $@ $2 $: $1 " TLS handshake failed."
+RSOFTWARE $| $* $#error $@ 4.7.0 $: "403 TLS handshake failed."
+# deal with TLS protocol errors: abort
+RPROTOCOL $| <$-:$+> $* $#error $@ $2 $: $1 " STARTTLS failed."
+RPROTOCOL $| $* $#error $@ 4.7.0 $: "403 STARTTLS failed."
+# deal with DANE errors: abort
+RDANE_FAIL $| <$-:$+> $* $#error $@ $2 $: $1 " DANE check failed."
+RDANE_FAIL $| $* $#error $@ 4.7.0 $: "403 DANE check failed."
+R$* $| <$*> $: <$2> <> $1
+R$* $| <$*> $: <$2> <$3> $1
+R$* $| <$*> <$={Tls}:$->$* $: <$2> <$3:$4> <> $1
+R$* $| <$*> <$={Tls}:$- + $+>$* $: <$2> <$3:$4> <$5> $1
+R$* $| $* $@ OK
+# authentication required: give appropriate error
+# other side did authenticate (via STARTTLS)
+R<$*> <> $={TlsVerified} $@ OK
+R<$*> <$+> $={TlsVerified} $: <$1> <$2>
+R<$*> <$*> $={TlsVerified} $: <$1> <$3>
+R<$*> <$*> $* $: <$1> <$3>
+R<$-:$+> <$*> $#error $@ $2 $: $1 " authentication required"
+R<$-:$+> <$*> FAIL $#error $@ $2 $: $1 " authentication failed"
+R<$-:$+> <$*> NO $#error $@ $2 $: $1 " not authenticated"
+R<$-:$+> <$*> NOT $#error $@ $2 $: $1 " no authentication requested"
+R<$-:$+> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS"
+R<$-:$+> <$*> CLEAR $#error $@ $2 $: $1 " STARTTLS disabled locally"
+R<$-:$+> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4
+R<$*> <$*> $: <$1> <$3> $>max $&{cipher_bits} : $&{auth_ssf}
+R<$*> <$*> $- $: <$1> <$2:$4> <$3> $(arith l $@ $4 $@ $2 $)
+R<$-:$+><$-:$-> <$*> TRUE $#error $@ $2 $: $1 " encryption too weak " $4 " less than " $3
+R<$-:$+><$-:$-> <$*> $* $: <$1:$2 ++ $5>
+R<$-:$+ ++ > $@ OK
+R<$-:$+ ++ $+ > $: <$1:$2> <$3>
+R<$-:$+> < $+ ++ $+ > <$1:$2> <$3> <$4>
+R<$-:$+> $+ $@ $>"TLS_req" $3 $| <$1:$2>
+
+######################################################################
+### TLS_req: check additional TLS requirements
+###
+### Parameters: [ ] $| <$-:$+>
+### $-: SMTP reply code
+### $+: Enhanced Status Code
+######################################################################
+STLS_req
+R $| $+ $@ OK
+R $* $| <$+> $: $1 $| <$2>
+R $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
+R $* $| <$-:$+> $#error $@ $4 $: $3 " CN " $&{cn_subject} " does not match " $1
+R $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
+R $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Subject " $&{cert_subject} " does not match " $1
+R $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
+R $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Issuer " $&{cert_issuer} " does not match " $1
+R $* $| <$+> $: <$(access $1:$&{cert_issuer} $: ? $)> $2 $| <$3>
+R> $* $| <$-:$+> $#error $@ $3 $: $2 " Cert Issuer " $&{cert_issuer} " not acceptable"
+R $* $| <$+> $@ $>"TLS_req" $1 $| <$2>
+ROK $@ OK
+
+######################################################################
+### max: return the maximum of two values separated by :
+###
+### Parameters: [$-]:[$-]
+######################################################################
+Smax
+R: $: 0
+R:$- $: $1
+R$-: $: $1
+R$-:$- $: $(arith l $@ $1 $@ $2 $) : $1 : $2
+RTRUE:$-:$- $: $2
+R$-:$-:$- $: $2
+
+
+
+
+######################################################################
+### RelayTLS: allow relaying based on TLS authentication
+###
+### Parameters:
+### none
+######################################################################
+SRelayTLS
+# authenticated?
+R$* $: > $&{verify}
+R> $={TlsVerified} $: OK authenticated: continue
+R> $* $@ NO not authenticated
+R$* $: $&{cert_issuer}
+R$+ $: $(access CERTISSUER:$1 $)
+RRELAY $# RELAY
+RSUBJECT $: <@> $&{cert_subject}
+R<@> $+ $: <@> $(access CERTSUBJECT:$1 $)
+R<@> RELAY $# RELAY
+R$* $: NO
+
+######################################################################
+### authinfo: lookup authinfo in the access map
+###
+### Parameters:
+### $1: {server_name}
+### $2: {server_addr}
+######################################################################
+Sauthinfo
+R$* $: $1 $| $>D <$&{server_name}> > <>
+R$* $| >$* $: $1 $| $>A <$&{server_addr}> > <>
+R$* $| >$* $: $1 $| <$(access AuthInfo: $: ? $)> <>
+R$* $| >$* $@ no no authinfo available
+R$* $| <$*> <> $# $2
+
+
+
+
+
+#
+######################################################################
+######################################################################
+#####
+##### MAIL FILTER DEFINITIONS
+#####
+######################################################################
+######################################################################
+
+#
+######################################################################
+######################################################################
+#####
+##### MAILER DEFINITIONS
+#####
+######################################################################
+######################################################################
+
+
+##################################################
+### Local and Program Mailer specification ###
+##################################################
+
+##### $Id: local.m4,v 8.60 2013-11-22 20:51:14 ca Exp $ #####
+
+#
+# Envelope sender rewriting
+#
+SEnvFromL
+R<@> $n errors to mailer-daemon
+R@ <@ $*> $n temporarily bypass Sun bogosity
+R$+ $: $>AddDomain $1 add local domain if needed
+R$* $: $>MasqEnv $1 do masquerading
+
+#
+# Envelope recipient rewriting
+#
+SEnvToL
+R$+ < @ $* > $: $1 strip host part
+R$+ + $* $: < $&{addr_type} > $1 + $2 mark with addr type
+R $+ + $* $: $1 remove +detail for sender
+R< $* > $+ $: $2 else remove mark
+
+#
+# Header sender rewriting
+#
+SHdrFromL
+R<@> $n errors to mailer-daemon
+R@ <@ $*> $n temporarily bypass Sun bogosity
+R$+ $: $>AddDomain $1 add local domain if needed
+R$* $: $>MasqHdr $1 do masquerading
+
+#
+# Header recipient rewriting
+#
+SHdrToL
+R$+ $: $>AddDomain $1 add local domain if needed
+R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2
+
+#
+# Common code to add local domain name (only if always-add-domain)
+#
+SAddDomain
+
+Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qPSXmnz9, S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL,
+ T=DNS/RFC822/SMTP,
+ A=mail.local -l
+Mprog, P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,
+ T=X-Unix/X-Unix/X-Unix,
+ A=sh -c $u
+
+#####################################
+### SMTP Mailer specification ###
+#####################################
+
+##### $Id: smtp.m4,v 8.66 2013-11-22 20:51:14 ca Exp $ #####
+
+#
+# common sender and masquerading recipient rewriting
+#
+SMasqSMTP
+R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
+R$+ $@ $1 < @ *LOCAL* > add local qualification
+
+#
+# convert pseudo-domain addresses to real domain addresses
+#
+SPseudoToReal
+
+# pass s through
+R< @ $+ > $* $@ < @ $1 > $2 resolve
+
+# output fake domains as user%fake@relay
+
+# do UUCP heuristics; note that these are shared with UUCP mailers
+R$+ < @ $+ .UUCP. > $: < $2 ! > $1 convert to UUCP form
+R$+ < @ $* > $* $@ $1 < @ $2 > $3 not UUCP form
+
+# leave these in .UUCP form to avoid further tampering
+R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >
+R< $&h ! > $-.$+ ! $+ $@ $3 < @ $1.$2 >
+R< $&h ! > $+ $@ $1 < @ $&h .UUCP. >
+R< $+ ! > $+ $: $1 ! $2 < @ $Y > use UUCP_RELAY
+R$+ < @ $~[ $* : $+ > $@ $1 < @ $4 > strip mailer: part
+R$+ < @ > $: $1 < @ *LOCAL* > if no UUCP_RELAY
+
+
+#
+# envelope sender rewriting
+#
+SEnvFromSMTP
+R$+ $: $>PseudoToReal $1 sender/recipient common
+R$* :; <@> $@ list:; special case
+R$* $: $>MasqSMTP $1 qualify unqual'ed names
+R$+ $: $>MasqEnv $1 do masquerading
+
+
+#
+# envelope recipient rewriting --
+# also header recipient if not masquerading recipients
+#
+SEnvToSMTP
+R$+ $: $>PseudoToReal $1 sender/recipient common
+R$+ $: $>MasqSMTP $1 qualify unqual'ed names
+R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2
+
+#
+# header sender and masquerading header recipient rewriting
+#
+SHdrFromSMTP
+R$+ $: $>PseudoToReal $1 sender/recipient common
+R:; <@> $@ list:; special case
+
+# do special header rewriting
+R$* <@> $* $@ $1 <@> $2 pass null host through
+R< @ $* > $* $@ < @ $1 > $2 pass route-addr through
+R$* $: $>MasqSMTP $1 qualify unqual'ed names
+R$+ $: $>MasqHdr $1 do masquerading
+
+
+#
+# relay mailer header masquerading recipient rewriting
+#
+SMasqRelay
+R$+ $: $>MasqSMTP $1
+R$+ $: $>MasqHdr $1
+
+Msmtp, P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
+ T=DNS/RFC822/SMTP,
+ A=TCP $h
+Mesmtp, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
+ T=DNS/RFC822/SMTP,
+ A=TCP $h
+Msmtp8, P=[IPC], F=mDFMuX8, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
+ T=DNS/RFC822/SMTP,
+ A=TCP $h
+Mdsmtp, P=[IPC], F=mDFMuXa%, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
+ T=DNS/RFC822/SMTP,
+ A=TCP $h
+Mrelay, P=[IPC], F=mDFMuXa8, S=EnvFromSMTP/HdrFromSMTP, R=MasqSMTP, E=\r\n, L=2040,
+ T=DNS/RFC822/SMTP,
+ A=TCP $h
+
diff --git a/jails/config/monitor/alert_rules.yml b/jails/config/monitor/alert_rules.yml
index de72a0e..066e30a 100644
--- a/jails/config/monitor/alert_rules.yml
+++ b/jails/config/monitor/alert_rules.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/monitor/alertmanager.yml b/jails/config/monitor/alertmanager.yml
index eadb9d5..371db99 100644
--- a/jails/config/monitor/alertmanager.yml
+++ b/jails/config/monitor/alertmanager.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/monitor/dbip-city-lite-2020-06.mmdb b/jails/config/monitor/dbip-city-lite-2020-06.mmdb
new file mode 100644
index 0000000..070a3c5
Binary files /dev/null and b/jails/config/monitor/dbip-city-lite-2020-06.mmdb differ
diff --git a/jails/config/monitor/matomo-archive b/jails/config/monitor/matomo-archive
new file mode 100644
index 0000000..0afced7
--- /dev/null
+++ b/jails/config/monitor/matomo-archive
@@ -0,0 +1,2 @@
+MAILTO="sharad@diyit.org"
+5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /root/matomo-archive.log
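Review bot: This job appends its log under /root, which suggests it is installed into root's crontab, so the Matomo console would run with root privileges and leave root-owned files in Matomo's tmp directory that the web-server user can no longer write; Matomo's own guidance is to run core:archive as the web-server user (www on FreeBSD) or a dedicated unprivileged user, e.g. via `su -m www -c '...'`. Only stdout is redirected, so errors go to the MAILTO address instead of the log, and nothing rotates the log. Suggested line: `5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /var/log/matomo-archive.log 2>&1`, with the log path covered by newsyslog.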
diff --git a/jails/config/monitor/prometheus.yml b/jails/config/monitor/prometheus.yml
index e23fc4a..d681513 100644
--- a/jails/config/monitor/prometheus.yml
+++ b/jails/config/monitor/prometheus.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/monitor/start_logstash.sh b/jails/config/monitor/start_logstash.sh
deleted file mode 100755
index 8b4e51f..0000000
--- a/jails/config/monitor/start_logstash.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-mount proc
-/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
-ps axww | grep logstash
diff --git a/jails/config/pkgp/ccache.conf b/jails/config/pkgp/ccache.conf
new file mode 100644
index 0000000..7d63e37
--- /dev/null
+++ b/jails/config/pkgp/ccache.conf
@@ -0,0 +1 @@
+max_size = 32.0G
diff --git a/jails/config/pkgp/freebsd-update.conf b/jails/config/pkgp/freebsd-update.conf
index 70dd36e..317e854 100644
--- a/jails/config/pkgp/freebsd-update.conf
+++ b/jails/config/pkgp/freebsd-update.conf
@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from telling you to
diff --git a/jails/config/pkgp/make.conf b/jails/config/pkgp/make.conf
index 5b6ddb3..880df0a 100644
--- a/jails/config/pkgp/make.conf
+++ b/jails/config/pkgp/make.conf
@@ -1,2 +1,3 @@
WANT_OPENLDAP_SASL=yes
LICENSES_ACCEPTED+=DCC
+WITH_CCACHE_BUILD=yes
diff --git a/jails/config/pkgp/mypkgs b/jails/config/pkgp/mypkgs
index 5fd4326..756386d 100644
--- a/jails/config/pkgp/mypkgs
+++ b/jails/config/pkgp/mypkgs
@@ -5,11 +5,14 @@ net/openldap24-sasl-client
security/cyrus-sasl2
www/apache24
devel/apr1
-net/php73-ldap
+net/php74-ldap
mail/postfix
mail/dovecot
mail/dovecot-pigeonhole
mail/rspamd
mail/dcc-dccd
net/netatalk3
-net/samba410
+net/samba411
+net/nss-pam-ldapd
+net/nss-pam-ldapd-sasl
+#security/pam_ldap # included above
diff --git a/jails/config/pkgp/pkgp.conf b/jails/config/pkgp/pkgp.conf
new file mode 100644
index 0000000..fcf2600
--- /dev/null
+++ b/jails/config/pkgp/pkgp.conf
@@ -0,0 +1,11 @@
+FreeBSD: {
+ url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+ enabled: no
+}
+
+pkgp-freebsd-pkg: {
+ url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
+ mirror_type: "http",
+ enabled: yes,
+ priority: 10
+}
diff --git a/jails/config/pkgp/poudriere.conf b/jails/config/pkgp/poudriere.conf
index 481638f..59f0ba3 100644
--- a/jails/config/pkgp/poudriere.conf
+++ b/jails/config/pkgp/poudriere.conf
@@ -133,7 +133,7 @@ PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
# It will be mounted into the jail and be shared among all jails.
# It is recommended that extra ccache configuration be done with
# ccache -o rather than from the environment.
-#CCACHE_DIR=/var/cache/ccache
+CCACHE_DIR=/mnt/cache/ccache
# Static ccache support from host. This uses the existing
# ccache from the host in the build jail. This is useful for
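Review bot: CCACHE_DIR now points at /mnt/cache/ccache, which per the preceding comment is mounted into and shared among all build jails; a writable or poisoned object there is replayed into every package that the repository then signs with PKG_REPO_SIGNING_KEY, so the directory's ownership and permissions become part of the package supply chain. I cannot see from the diff who owns /mnt/cache/ccache; it should be owned by the user poudriere builds as and not writable by other jails or host services, and a comment stating that expectation would help, e.g. `# Shared across all build jails: keep owned by the build user, mode 0700, and never exported read-write.`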
@@ -200,7 +200,7 @@ NOLINUX=yes
# List of packages that will always be allowed to use MAKE_JOBS
# regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports
# which holdup the rest of the queue to build more quickly.
-#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*"
+ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py* llvm*"
# Timestamp every line of build logs
# Default: no
@@ -282,7 +282,7 @@ PRESERVE_TIMESTAMP=yes
# Define pkgname globs to boost priority for
# Default: none
-#PRIORITY_BOOST="pypy openoffice*"
+PRIORITY_BOOST="llvm*"
# Define format for buildnames
# Default: %Y-%m-%d_%Hh%Mm%Ss
diff --git a/jails/config/plex/plexconnect b/jails/config/plex/plexconnect
index c5eadad..7b27bc5 100755
--- a/jails/config/plex/plexconnect
+++ b/jails/config/plex/plexconnect
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/proxy/haproxy.conf b/jails/config/proxy/haproxy.conf
index 908f785..9384100 100644
--- a/jails/config/proxy/haproxy.conf
+++ b/jails/config/proxy/haproxy.conf
@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -48,35 +48,31 @@ frontend stats
frontend ft
bind :::80 v4v6
- bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
+ bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem
redirect scheme https if !{ ssl_fc }
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
# passing on that browser is using https
- reqadd X-Forwarded-Proto:\ https
+ ## http-request add-header Forwarded: proto=https
+ #enabling this breaks things, needs investigation
+
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-Forwarded-Ssl on if { ssl_fc }
# for Clickjacking - added to individual backends
- # rspadd X-Frame-Options:\ SAMEORIGIN
+ # http-response add-header X-Frame-Options: SAMEORIGIN
# prevent browser from using non-secure
- rspadd Strict-Transport-Security:\ max-age=15768000
+ http-response add-header Strict-Transport-Security: max-age=15768000
acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
acl restricted_page path -i -m sub /wp-admin
acl restricted_page path -i -m sub /wp-login
- block if restricted_page !network_allowed
+ http-request deny if restricted_page !network_allowed
use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
- use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
- use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
- use_backend bk_diyit if { ssl_fc_sni diyit.org }
- use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
- use_backend bk_diyit if { ssl_fc_sni xflow.org }
- use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
- use_backend bk_diyit if { ssl_fc_sni diyit.space }
- use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
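Review bot: The converted header rule keeps the trailing colon from the old `rspadd` syntax — `http-response add-header Strict-Transport-Security: max-age=15768000` — but `add-header` takes the bare field name, so the header is most likely emitted as `Strict-Transport-Security:: max-age=15768000`, which browsers do not recognise, and the HSTS protection is silently lost; it should read `http-response add-header Strict-Transport-Security max-age=15768000`. The same colon is carried into every `http-response add-header X-Frame-Options: SAMEORIGIN` line in the two following hunks of this file (and into the commented `Forwarded:` / `X-Frame-Options:` lines here), so the clickjacking header is affected in every backend and should be fixed in one pass. `frontend ft` starts in this hunk and continues past its end.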
@@ -96,53 +92,67 @@ frontend ft
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
+ use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
+ use_backend bk_diyit if { ssl_fc_sni diyit.org }
+ use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
+ use_backend bk_diyit if { ssl_fc_sni xflow.org }
+ use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
+ use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
+ use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
+ use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
+ use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
+
+ use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
+ use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
- use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
+ use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
+ use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
+ use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
+ use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
default_backend bk_ahlawat
+ acl is_websocket hdr(Upgrade) -i WebSocket
+ acl is_websocket hdr_beg(Host) -i ws
+ use_backend bk_ahlawat if is_websocket
+
+
backend bk_ahlawat
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
-
-backend bk_beyondbell
- server srv1 192.168.0.77:8000
- rspadd X-Frame-Options:\ SAMEORIGIN
-
-backend bk_diyit
- server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
- server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-sharad
balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
+# http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"
backend bk_ahlawat-rachna
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-nivi
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-rishabh
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+
#backend bk_ahlawat-book
# server srv1 bookx.ahlawat.com:443 check ssl verify none
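Review bot: The added `use_backend bk_ahlawat if is_websocket` rule sits after every SNI-based `use_backend`, and HAProxy evaluates these rules in declaration order with first match winning, so it only fires for requests no SNI rule matched — and those already fall through to `default_backend bk_ahlawat`, making the three new lines a no-op as written. If the intent is to send WebSocket upgrades to `bk_ahlawat` regardless of SNI, the `acl is_websocket` lines and the rule have to be placed above the first `use_backend`; otherwise the block can be dropped. Note also that `acl is_websocket hdr_beg(Host) -i ws` matches any Host beginning with `ws`, which is broader than the comment-free rule suggests. `frontend ft` begins in the previous hunk.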
@@ -150,102 +160,143 @@ backend bk_ahlawat-rishabh
backend bk_ahlawat-book-443
# server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-444
# server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-445
# server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-cam
server srv1 192.168.0.54:8765 check
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_ahlawat-ci
+# http-request set-header Host cix.ahlawat.com:8080
+ http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2
+ http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2
+ server srv1 cix.ahlawat.com:8080 check
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-cloud
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-# rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-git
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspidel X-Frame-Options:*
-# http-request set-var(txn.src) src
-# acl mynet var(txn.src) -m sub 192.168.0
-# acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
-# rspidel X-Frame-Options:* if mynet
-# rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
-# The gitea server add this header be default
+ http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
+# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-hub
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-matrix
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-# rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-meet
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-# rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-monitor
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-# rspadd X-Frame-Options:\ SAMEORIGIN
+# http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_ahlawat-jump
+ server srv1 jumpx.ahlawat.com:8080 check
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+
+
+backend bk_diyit
+ server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-grafana
server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-# rspadd X-Frame-Options:\ SAMEORIGIN
+# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-prometheus
server srv1 monitorx.ahlawat.com:9090 check
# ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-kibana
- server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-# rspadd X-Frame-Options:\ SAMEORIGIN
+ server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-maps
- server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
- server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-# rspadd X-Frame-Options:\ SAMEORIGIN
+ server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
+# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+# server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+# http-response add-header X-Frame-Options: SAMEORIGIN
-backend bk_ahlawat-ci
-# http-request set-header Host cix.ahlawat.com:8180
- reqirep ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
- rspirep ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
- server srv1 cix.ahlawat.com:8180 check
- rspadd X-Frame-Options:\ SAMEORIGIN
+
+
+backend bk_dvpc
+ server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+
+
+backend bk_beyondbell
+ server srv1 192.168.0.77:8000
+# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-ci
+# http-request set-header Host cix.beyondbell.com:8111
+ http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
+ http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
+ server srv1 192.168.0.73:8111
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-git
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
-
-backend bk_beyondbell-ci
- http-request set-header Host cix.beyondbell.com:8111
- reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
- rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
- server srv1 cix.beyondbell.com:8111
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-repo
-# http-request set-header Host 192.168.0.75:8080
- reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
- rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
- server srv1 192.168.0.75:8080
- rspadd X-Frame-Options:\ SAMEORIGIN
+# http-request set-header Host 192.168.0.75:8081
+# http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
+# http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
-backend bk_beyondbell-gs
+ server srv1 192.168.0.75:8081
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+# http-response del-header Strict-Transport-Security
+# http-response add-header Content-Security-Policy: upgrade-insecure-requests
+
+backend bk_beyondbell-web-moonglade
+ server srv1 192.168.0.74:8000
+# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-web-moonglade-private
+ server srv1 192.168.0.74:4000
+# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-r-windows
+ server srv1 192.168.0.85:4000
+# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+ http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-windows
server srv1 192.168.0.81:26900 check
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
- rspadd X-Frame-Options:\ SAMEORIGIN
+ http-response add-header X-Frame-Options: SAMEORIGIN
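Review bot: `http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"` in `bk_ahlawat-git` provides no framing protection: `ALLOW-FROM` was never supported by Chromium or Safari and has since been dropped by Firefox, and it never accepted wildcards, so browsers treat the header as unknown and ignore it; the supported equivalent is `http-response set-header Content-Security-Policy "frame-ancestors 'self' https://*.diyit.org"`. Separately, the `replace-header Host` rules in `bk_ahlawat-ci` and `bk_beyondbell-ci` carry their regex over from `reqirep`/`rspirep` unchanged, including the leading `^([^\ \t:]*:)\ ` group that used to match the header *name*; `replace-header` matches only the value, so these patterns presumably never match and the rewrite no longer happens. A Host value is also not a URL, so the response-side rule likely belongs on `Location` (with the name-prefix group removed) and the request-side one on `Referer`, if it is still needed at all.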
diff --git a/jails/config/proxy/pkgp.conf b/jails/config/proxy/pkgp.conf
index 88840a2..7e874ec 100644
--- a/jails/config/proxy/pkgp.conf
+++ b/jails/config/proxy/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+ url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
diff --git a/jails/config/proxy/port-fwd.sh b/jails/config/proxy/port-fwd.sh
new file mode 100755
index 0000000..f2a8cc2
--- /dev/null
+++ b/jails/config/proxy/port-fwd.sh
@@ -0,0 +1 @@
+ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820
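Review bot: The file is added with mode 100755 but has no interpreter line, so how it runs depends on the caller's shell; add `#!/bin/sh` as the first line. `ipfw add 10000 ...` is also not idempotent — ipfw accepts several rules under the same number, so each re-run appends another identical rule; either run `ipfw -q delete 10000` before the add or note in a comment that the script is run exactly once at boot. A one-line comment naming the service behind 192.168.0.55:55820 would help the next reader, since the rule silently redirects the host's own UDP traffic for that address to 192.168.0.4.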
diff --git a/jails/config/r-db/my.cnf b/jails/config/r-db/my.cnf
index dcd7fb3..b92ca89 100644
--- a/jails/config/r-db/my.cnf
+++ b/jails/config/r-db/my.cnf
@@ -1,99 +1,13 @@
-# Example MySQL config file for small systems.
#
-# This is for a system with little memory (<= 64M) where MySQL is only used
-# from time to time and it's important that the mysqld daemon
-# doesn't use much resources.
+# This group is read both by the client and the server
+# use it for options that affect everything, see
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
#
-# MySQL programs look for option files in a set of
-# locations which depend on the deployment platform.
-# You can copy this option file to one of those
-# locations. For information about these locations, see:
-# http://dev.mysql.com/doc/mysql/en/option-files.html
+[client-server]
+port = 3306
+socket = /var/run/mysql/mysql.sock
+
#
-# In this file, you can use all long options that a program supports.
-# If you want to know which options a program supports, run the program
-# with the "--help" option.
-
-# The following options will be passed to all MySQL clients
-[client]
-#password = your_password
-port = 3306
-socket = /tmp/mysql.sock
-
-# Here follows entries for some specific programs
-
-# The MySQL server
-[mysqld]
-bind-address = *
-port = 3306
-socket = /tmp/mysql.sock
-skip-external-locking
-key_buffer_size = 16K
-max_allowed_packet = 64M
-table_open_cache = 16
-sort_buffer_size = 64K
-read_buffer_size = 256K
-read_rnd_buffer_size = 256K
-net_buffer_length = 2K
-thread_stack = 240K
-
-# Don't listen on a TCP/IP port at all. This can be a security enhancement,
-# if all processes that need to connect to mysqld run on the same host.
-# All interaction with mysqld must be made via Unix sockets or named pipes.
-# Note that using this option without enabling named pipes on Windows
-# (using the "enable-named-pipe" option) will render mysqld useless!
-#
-#skip-networking
-server-id = 1
-
-# Uncomment the following if you want to log updates
-#log-bin=mysql-bin
-
-# binary logging format - mixed recommended
-binlog_format=ROW
-
-# Causes updates to non-transactional engines using statement format to be
-# written directly to binary log. Before using this option make sure that
-# there are no dependencies between transactional and non-transactional
-# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
-# t_innodb; otherwise, slaves may diverge from the master.
-#binlog_direct_non_transactional_updates=TRUE
-
-# Uncomment the following if you are using InnoDB tables
-#innodb_data_home_dir = /var/db/mysql
-#innodb_data_file_path = ibdata1:10M:autoextend
-innodb_log_group_home_dir = /var/db/mysql-log
-# You can set .._buffer_pool_size up to 50 - 80 %
-# of RAM but beware of setting memory usage too high
-innodb_buffer_pool_size = 1G
-innodb_io_capacity=4000
-transaction-isolation = READ-COMMITTED
-# Set .._log_file_size to 25 % of buffer pool size
-innodb_log_file_size = 250M
-#innodb_log_buffer_size = 8M
-innodb_flush_log_at_trx_commit = 2
-#innodb_lock_wait_timeout = 50
-
-innodb_doublewrite = 0
-innodb_checksum_algorithm = none
-slow_query_log_file = /var/db/mysql-log/slow.log
-log-error = /var/db/mysql-log/error.log
-log_bin = /var/db/mysql-log/binlog
-relay_log = /var/db/mysql-log/relay-bin
-expire_logs_days = 7
-
-[mysqldump]
-quick
-max_allowed_packet = 16M
-
-[mysql]
-no-auto-rehash
-# Remove the next comment character if you are not familiar with SQL
-#safe-updates
-
-[myisamchk]
-key_buffer_size = 8M
-sort_buffer_size = 8M
-
-[mysqlhotcopy]
-interactive-timeout
+# include *.cnf from the config directory
+#
+!includedir /usr/local/etc/mysql/conf.d/
diff --git a/jails/config/r-db/server.cnf b/jails/config/r-db/server.cnf
new file mode 100644
index 0000000..19be077
--- /dev/null
+++ b/jails/config/r-db/server.cnf
@@ -0,0 +1,90 @@
+# Options specific to server applications, see
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
+
+# Options specific to all server programs
+[server]
+
+# Options specific to MariaDB server programs
+[server-mariadb]
+
+#
+# Options for specific server tools
+#
+
+[mysqld]
+user = mysql
+# port = 3306 # set in /usr/local/etc/mysql/my.cnf
+# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
+bind-address = *
+basedir = /usr/local
+datadir = /var/db/mysql
+net_retry_count = 16384
+# [mysqld] configuration for ZFS
+# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
+# Create separate datasets for data and logs, eg
+# zroot/mysql compression=on recordsize=128k atime=off
+# zroot/mysql/data recordsize=16k
+# zroot/mysql/logs
+datadir = /var/db/mysql
+innodb_log_group_home_dir = /var/db/mysql-log
+#audit_log_file = /var/db/mysql-log/audit.log
+general_log_file = /var/db/mysql-log/general.log
+log_bin = /var/db/mysql-log/mysql-bin
+relay_log = /var/db/mysql-log/relay-log
+slow_query_log_file = /var/db/mysql-log/slow.log
+innodb_doublewrite = 0
+innodb_flush_method = O_DSYNC
+
+##
+log-error = /var/db/mysql-log/error.log
+
+
+### custom optimizations
+skip-external-locking
+key_buffer_size = 16K
+max_allowed_packet = 64M
+table_open_cache = 16
+sort_buffer_size = 64K
+read_buffer_size = 256K
+read_rnd_buffer_size = 256K
+net_buffer_length = 2K
+thread_stack = 240K
+
+server-id = 1
+binlog_format=ROW
+
+innodb_buffer_pool_size = 1G
+innodb_io_capacity=4000
+transaction-isolation = READ-COMMITTED
+innodb_log_file_size = 250M
+innodb_flush_log_at_trx_commit = 2
+innodb_checksum_algorithm = none
+
+slow_query_log_file = /var/db/mysql-log/slow.log
+
+expire_logs_days = 7
+###
+
+
+# Options read by `mysqld_safe`
+# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
+[mariadb_safe]
+
+# Options read my `mariabackup`
+[mariabackup]
+
+# Options read by `mysql_upgrade`
+# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
+[mariadb-upgrade]
+
+# Specific options read by the mariabackup SST method
+[sst]
+
+# Options read by `mysqlbinlog`
+# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
+[mariadb-binlog]
+
+# Options read by `mysqladmin`
+# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
+[mariadb-admin]
+
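Review bot: `datadir = /var/db/mysql` is set twice in `[mysqld]` (once under the base paths, again under the ZFS comment block) and `slow_query_log_file = /var/db/mysql-log/slow.log` twice as well; MariaDB takes the last occurrence so nothing breaks today, but the duplicates will drift apart on the next edit — keep one of each. `innodb_checksum_algorithm = none` disables InnoDB page checksums while `innodb_doublewrite = 0` already relies on ZFS for torn-page protection; ZFS checksums the blocks it stores but cannot catch a page corrupted before the write, so the value deserves a justifying comment (or leaving the default `crc32`), especially as I believe recent MariaDB releases have deprecated `none`. `general_log_file` is set without a `general_log` switch, so if the general log is meant to be off a short comment saying so would avoid the next reader enabling it by accident.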
diff --git a/jails/config/r-git/gitea/options/license b/jails/config/r-git/gitea/options/license
index 9ed6a6e..8b9a0ea 100644
--- a/jails/config/r-git/gitea/options/license
+++ b/jails/config/r-git/gitea/options/license
@@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, BeyondBell.com
+Copyright (c) 2018-2021, BeyondBell.com
All rights reserved.
Redistribution and use in source and binary forms, with or without
diff --git a/jails/config/r-git/gitea/public/beyondbell-com-license.txt b/jails/config/r-git/gitea/public/beyondbell-com-license.txt
index 9ed6a6e..8b9a0ea 100644
--- a/jails/config/r-git/gitea/public/beyondbell-com-license.txt
+++ b/jails/config/r-git/gitea/public/beyondbell-com-license.txt
@@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, BeyondBell.com
+Copyright (c) 2018-2021, BeyondBell.com
All rights reserved.
Redistribution and use in source and binary forms, with or without
diff --git a/jails/config/r-ldap/pkgp.conf b/jails/config/r-ldap/pkgp.conf
index 88840a2..7e874ec 100644
--- a/jails/config/r-ldap/pkgp.conf
+++ b/jails/config/r-ldap/pkgp.conf
@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10
}
-pkgp121: {
- url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+pkgp122: {
+ url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http",
signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert",
diff --git a/jails/config/vm/create_taps.sh b/jails/config/vm/create_taps.sh
index a3a5ff2..8bef4b6 100755
--- a/jails/config/vm/create_taps.sh
+++ b/jails/config/vm/create_taps.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -18,6 +18,16 @@ ifconfig bridge1 addm tap82 up
ifconfig tap82 up
ifconfig tap82 inet6 auto_linklocal
+ifconfig tap1082 create
+ifconfig bridge10 addm tap1082 up
+ifconfig tap1082 up
+ifconfig tap1082 inet6 auto_linklocal
+
+ifconfig tap2082 create
+ifconfig bridge9 addm tap2082 up
+ifconfig tap2082 up
+ifconfig tap2082 inet6 auto_linklocal
+
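Review bot: Each added interface is another copy of the same four `ifconfig` lines, and the pattern repeats for tap86/tap1086/tap2086 and tap97/tap1097/tap2097/tap96/tap1096/tap2096 in the two following hunks; a small helper keeps the tap-to-bridge mapping readable in one place, e.g. `mktap() { ifconfig "$1" create; ifconfig "$2" addm "$1" up; ifconfig "$1" up; ifconfig "$1" inet6 auto_linklocal; }` followed by one `mktap tap1082 bridge10` line per interface. The script has no `set -e`, so a failed `create` (interface already present) is followed by the remaining commands anyway; that is probably intended for a boot script but is worth a one-line comment. The part of the script before this hunk uses the same layout, so the helper would apply there too.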
ifconfig tap83 create
ifconfig bridge1 addm tap83 up
ifconfig tap83 up
@@ -33,6 +43,21 @@ ifconfig bridge1 addm tap85 up
ifconfig tap85 up
ifconfig tap85 inet6 auto_linklocal
+ifconfig tap86 create
+ifconfig bridge1 addm tap86 up
+ifconfig tap86 up
+ifconfig tap86 inet6 auto_linklocal
+
+ifconfig tap1086 create
+ifconfig bridge10 addm tap1086 up
+ifconfig tap1086 up
+ifconfig tap1086 inet6 auto_linklocal
+
+ifconfig tap2086 create
+ifconfig bridge9 addm tap2086 up
+ifconfig tap2086 up
+ifconfig tap2086 inet6 auto_linklocal
+
ifconfig tap90 create
ifconfig bridge1 addm tap90 up
ifconfig tap90 up
@@ -42,3 +67,33 @@ ifconfig tap190 create
ifconfig bridge2 addm tap190 up
ifconfig tap190 up
ifconfig tap190 inet6 auto_linklocal
+
+ifconfig tap97 create
+ifconfig bridge1 addm tap97 up
+ifconfig tap97 up
+ifconfig tap97 inet6 auto_linklocal
+
+ifconfig tap1097 create
+ifconfig bridge10 addm tap1097 up
+ifconfig tap1097 up
+ifconfig tap1097 inet6 auto_linklocal
+
+ifconfig tap2097 create
+ifconfig bridge9 addm tap2097 up
+ifconfig tap2097 up
+ifconfig tap2097 inet6 auto_linklocal
+
+ifconfig tap96 create
+ifconfig bridge1 addm tap96 up
+ifconfig tap96 up
+ifconfig tap96 inet6 auto_linklocal
+
+ifconfig tap1096 create
+ifconfig bridge10 addm tap1096 up
+ifconfig tap1096 up
+ifconfig tap1096 inet6 auto_linklocal
+
+ifconfig tap2096 create
+ifconfig bridge9 addm tap2096 up
+ifconfig tap2096 up
+ifconfig tap2096 inet6 auto_linklocal
diff --git a/jails/config/vm/cvm-a.sh b/jails/config/vm/cvm-a.sh
new file mode 100755
index 0000000..d0f38f8
--- /dev/null
+++ b/jails/config/vm/cvm-a.sh
@@ -0,0 +1,70 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./cvm-a.sh under tmux
+
+# clean cached state
+bhyvectl --destroy --vm=cvm-a
+
+while true
+do
+
+bhyve -c 4 -m 16G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
+-s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
+-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
+-s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
+-s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
+-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm97A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+cvm-a
+
+bhyve_exit=$?
+# bhyve returns the following status codes:
+# 0 - VM has been reset
+# 1 - VM has been powered off
+# 2 - VM has been halted
+# 3 - VM generated a triple fault
+# all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+ break
+fi
+echo `date` - restarting cvm-a in 5 seconds - press ctrl-c to stop
+sleep 5
+
+done
+
+exit $?
+
+# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
+
+# bhyvectl --get-all --vm=cvm-a
+
+# cu -l /dev/nmdm97B
+# (This uses cu() so press ~+Ctrl-D to exit)
+
+#on base system:
+#zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
+#zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
+# on boot
+#ifconfig tap97 create
+#ifconfig bridge1 addm tap97 up
+#ifconfig tap97 up
+#ifconfig tap97 inet6 auto_linklocal
+#ifconfig tap1097 create
+#ifconfig bridge10 addm tap1097 up
+#ifconfig tap1097 up
+#ifconfig tap1097 inet6 auto_linklocal
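Review bot: `exit $?` after the loop does not return the bhyve status: `$?` there is the exit status of the `while` loop, which is 0 after `break`, so a caller cannot tell a power-off from a halt — use `exit $bhyve_exit`. The comment block states that codes other than 0–3 are errors, yet the loop restarts on every value except 1 and 2, so a misconfiguration (bad zvol path, missing tap) relaunches bhyve every five seconds forever; consider treating `$bhyve_exit -gt 3` as fatal and only re-looping on 0 (reset) and, if desired, 3. `-s 29,fbuf,tcp=0.0.0.0:5997` publishes the VM's VNC console on every host address with no `password=` option, so anyone who can reach the hypervisor gets the console; bind it to a management address (e.g. `tcp=127.0.0.1:5997` reached over SSH) and/or set `password=`. The same three points apply to cvm-b.sh (port 5996) and kali.sh (port 5986) below, and `` echo `date` `` would read better as `echo "$(date) - ..."`.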
diff --git a/jails/config/vm/cvm-b.sh b/jails/config/vm/cvm-b.sh
new file mode 100755
index 0000000..8a75745
--- /dev/null
+++ b/jails/config/vm/cvm-b.sh
@@ -0,0 +1,70 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./cvm-b.sh under tmux
+
+# clean cached state
+bhyvectl --destroy --vm=cvm-b
+
+while true
+do
+
+bhyve -c 4 -m 16G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
+-s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
+-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
+-s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
+-s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
+-s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm96A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+cvm-b
+
+bhyve_exit=$?
+# bhyve returns the following status codes:
+# 0 - VM has been reset
+# 1 - VM has been powered off
+# 2 - VM has been halted
+# 3 - VM generated a triple fault
+# all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+ break
+fi
+echo `date` - restarting cvm-b in 5 seconds - press ctrl-c to stop
+sleep 5
+
+done
+
+exit $?
+
+# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
+
+# bhyvectl --get-all --vm=cvm-b
+
+# cu -l /dev/nmdm96B
+# (This uses cu() so press ~+Ctrl-D to exit)
+
+#on base system:
+#zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
+#zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
+# on boot
+#ifconfig tap96 create
+#ifconfig bridge1 addm tap96 up
+#ifconfig tap96 up
+#ifconfig tap96 inet6 auto_linklocal
+#ifconfig tap1096 create
+#ifconfig bridge10 addm tap1096 up
+#ifconfig tap1096 up
+#ifconfig tap1096 inet6 auto_linklocal
diff --git a/jails/config/vm/freebsd.sh b/jails/config/vm/freebsd.sh
index 575a8d5..87f0a40 100755
--- a/jails/config/vm/freebsd.sh
+++ b/jails/config/vm/freebsd.sh
@@ -1,6 +1,6 @@
#!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/vm/kali.sh b/jails/config/vm/kali.sh
new file mode 100755
index 0000000..7ffd5f1
--- /dev/null
+++ b/jails/config/vm/kali.sh
@@ -0,0 +1,77 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./kali.sh under tmux
+
+# clean cached state
+bhyvectl --destroy --vm=kali
+
+while true
+do
+
+bhyve -c 2 -m 4G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/kali \
+-s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
+-s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
+-s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
+-s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm86A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+kali
+
+bhyve_exit=$?
+# bhyve returns the following status codes:
+# 0 - VM has been reset
+# 1 - VM has been powered off
+# 2 - VM has been halted
+# 3 - VM generated a triple fault
+# all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+ break
+fi
+echo `date` - restarting kali in 5 seconds - press ctrl-c to stop
+sleep 5
+
+done
+
+exit $?
+
+#-s 3,ahci-cd,/mnt/linux/kali-linux-2020.4-installer-amd64.iso \
+##-s 6,virtio-blk,/dev/zvol/ship/raw/kali_data \
+
+# bhyvectl --get-all --vm=kali
+
+# cu -l /dev/nmdm86B
+# (This uses cu() so press ~+Ctrl-D to exit)
+
+#on base system:
+#zfs create -V 128G -o refreservation=none ship/raw/kali
+##zfs create -V 128G -o refreservation=none ship/raw/kali_data
+# on boot
+#ifconfig tap86 create
+#ifconfig bridge1 addm tap86 up
+#ifconfig tap86 up
+#ifconfig tap86 inet6 auto_linklocal
+#ifconfig tap1086 create
+#ifconfig bridge10 addm tap1086 up
+#ifconfig tap1086 up
+#ifconfig tap1086 inet6 auto_linklocal
+
+# Install VNC
+# curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download#
+# sudo apt install gdebi-core
+# sudo gdebi turbovnc_2.2.5_amd64.deb
+# sudo killall Xvnc; /opt/TurboVNC/bin/vncserver -name kali -geometry 1920x1080 :4
+# systemctl enable ssh.service; service ssh start
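Review bot: `exit $?` on the line after `done` reports the status of the `while` loop, which is the `break` (0) whenever the loop is left deliberately, so the script never surfaces bhyve's own exit code that the comment block above documents; `exit $bhyve_exit` keeps that value. The framebuffer line `-s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720` exposes the VNC console on every host interface with no authentication; binding it to a management address (for example `tcp=127.0.0.1:5986`, reached over ssh) or adding bhyve's `password=` option limits who can attach to the console of a VM that, per the install notes, will also run an SSH service. Both points apply equally to the cvm-b script in the hunk above this file. The `[ $bhyve_exit = 1 ]` tests would read more safely quoted, though `$?` is always numeric so that is style only.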
diff --git a/jails/config/vm/pbx.sh b/jails/config/vm/pbx.sh
index 2abb563..0927a76 100755
--- a/jails/config/vm/pbx.sh
+++ b/jails/config/vm/pbx.sh
@@ -1,6 +1,6 @@
#!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -21,7 +21,7 @@ bhyve -c 2 -m 8G -A -H -P \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/pbx \
-s 5,virtio-net,tap90,mac=00:0A:0B:0C:0D:90 \
--s 6,virtio-net,tap190,mac=00:0A:0B:0C:0D:190 \
+-s 6,virtio-net,tap190,mac=00:0A:0B:0C:1D:190 \
-s 29,fbuf,tcp=0.0.0.0:5990,w=1600,h=900 \
-s 30,xhci,tablet \
-s 31,lpc -l com1,/dev/nmdm90A \
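Review bot: The corrected MAC on the `-s 6,virtio-net,tap190,...` line still ends in `:190`, which is not a valid octet (each field must be 00–FF), so the new address is no more parseable than the one it replaces, and bhyve's MAC parsing will most likely reject it and refuse to start the VM. Every other script in this commit uses a two-hex-digit last octet equal to the tap number (e.g. `tap86` → `...:86`), so `mac=00:0A:0B:0C:1D:90` looks like the intended value; confirm it against any DHCP reservation first, since changing the MAC changes the leased address. The bhyve invocation continues outside this hunk.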
diff --git a/jails/config/vm/r-windows.sh b/jails/config/vm/r-windows.sh
index 0cecb3e..d35583e 100755
--- a/jails/config/vm/r-windows.sh
+++ b/jails/config/vm/r-windows.sh
@@ -1,6 +1,6 @@
#!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/vm/startvms.sh b/jails/config/vm/startvms.sh
index b8e59b1..801fd0a 100755
--- a/jails/config/vm/startvms.sh
+++ b/jails/config/vm/startvms.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -43,6 +43,21 @@ tmux new-window -t $session:5 -n r-windows
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./r-windows.sh" C-m
+# create a new window kali
+tmux new-window -t $session:6 -n kali
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./kali.sh" C-m
+
+# create a new window cvm-a
+tmux new-window -t $session:7 -n cvm-a
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./cvm-a.sh" C-m
+
+# create a new window cvm-b
+tmux new-window -t $session:8 -n cvm-b
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./cvm-b.sh" C-m
+
# return to main window
tmux select-window -t $session:0
tmux selectp -t 1
diff --git a/jails/config/vm/ubuntu.sh b/jails/config/vm/ubuntu.sh
index d06b62b..9352772 100755
--- a/jails/config/vm/ubuntu.sh
+++ b/jails/config/vm/ubuntu.sh
@@ -1,6 +1,6 @@
#!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -16,12 +16,14 @@ bhyvectl --destroy --vm=ubuntu
while true
do
-bhyve -c 4 -m 16G -A -H -P \
+bhyve -c 8 -m 16G -A -H -P \
-s 0,hostbridge \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/ubuntu \
-s 5,virtio-net,tap82,mac=00:0A:0B:0C:0D:82 \
-s 6,virtio-blk,/dev/zvol/ship/raw/ubuntu_data \
+-s 8,virtio-net,tap1082,mac=00:0A:0B:0C:8D:82 \
+-s 9,virtio-net,tap2082,mac=00:0A:0B:0C:9D:82 \
-s 29,fbuf,tcp=0.0.0.0:5982,w=1600,h=900 \
-s 30,xhci,tablet \
-s 31,lpc -l com1,/dev/nmdm82A \
@@ -62,3 +64,7 @@ exit $?
#ifconfig bridge1 addm tap82 up
#ifconfig tap82 up
#ifconfig tap82 inet6 auto_linklocal
+#ifconfig tap1082 create
+#ifconfig bridge10 addm tap1082 up
+#ifconfig tap1082 up
+#ifconfig tap1082 inet6 auto_linklocal
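Review bot: The `on boot` comment block documents creating `tap1082` but not `tap2082`, which the first hunk of this file now attaches at slot 9 (`-s 9,virtio-net,tap2082,...`); without a create/addm/up recipe for it, whoever rebuilds the host will most likely hit a bhyve start failure on the missing tap device and have no note to follow. Add the matching lines, e.g. `#ifconfig tap2082 create` and `#ifconfig <bridge> addm tap2082 up` with the bridge that network actually uses. The same gap exists for `tap2086` in kali.sh and `tap2096` in the cvm-b script earlier in this commit.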
diff --git a/jails/config/vm/w2019.sh b/jails/config/vm/w2019.sh
index 2bea793..e5457ce 100755
--- a/jails/config/vm/w2019.sh
+++ b/jails/config/vm/w2019.sh
@@ -1,6 +1,6 @@
#!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/vm/windows.sh b/jails/config/vm/windows.sh
index 2185575..b7626b6 100755
--- a/jails/config/vm/windows.sh
+++ b/jails/config/vm/windows.sh
@@ -1,6 +1,6 @@
#!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
diff --git a/jails/config/vpngw/ipfw.rules b/jails/config/vpngw/ipfw.rules
index 2038eca..0ea0c43 100755
--- a/jails/config/vpngw/ipfw.rules
+++ b/jails/config/vpngw/ipfw.rules
@@ -11,14 +11,14 @@
# NATd configuration
#sysrc gateway_enable="YES"
#sysrc natd_enable="YES"
-#sysrc natd_interface="tun0"
+#sysrc natd_interface="tun1"
#sysrc natd_flags="-f /mnt/config/natd.conf"
#natd.conf: redirect_port tcp 192.168.0.9:80 80
# Set rules command prefix
cmd="ipfw -q add"
lif="epair0b" # interface name of VNET attached to Local network
-rif="tun0" # interface name of Tunnel attached to Remote network
+rif="tun1" # interface name of Tunnel attached to Remote network
skip="skipto 12000"
# Flush out the list before we begin.
diff --git a/jails/config/web-datavpc/020_mod_ssl.conf b/jails/config/web-datavpc/020_mod_ssl.conf
new file mode 100644
index 0000000..3fbba40
--- /dev/null
+++ b/jails/config/web-datavpc/020_mod_ssl.conf
@@ -0,0 +1,11 @@
+Listen 443
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder on
+SSLCompression off
+# SSLUseStapling on
+SSLSessionTickets off
+SSLOptions +StrictRequire
+SSLPassPhraseDialog builtin
+SSLSessionCacheTimeout 300
+SSLSessionCache shmcb:/usr/local/etc/apache24/ssl_scache(512000)
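Review bot: The `SSLCipherSuite` list ends with four CBC-mode suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`), which are non-AEAD and only serve clients that cannot negotiate GCM or ChaCha20; with `SSLHonorCipherOrder on` they are a last resort, but if no such clients remain they can be dropped so only AEAD suites are offered. `SSLUseStapling on` is left commented out while a session cache is configured; stapling also needs an `SSLStaplingCache` directive, which may be why it was disabled, and a comment saying so would help the next reader. These same TLS directives are repeated verbatim inside the vhost in httpd.conf, so one of the two copies should own them to avoid drift.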
diff --git a/jails/config/web-datavpc/httpd.conf b/jails/config/web-datavpc/httpd.conf
new file mode 100644
index 0000000..5167345
--- /dev/null
+++ b/jails/config/web-datavpc/httpd.conf
@@ -0,0 +1,613 @@
+#
+# This is the main Apache HTTP server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See for detailed information.
+# In particular, see
+#
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
+# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
+# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
+# will be interpreted as '/logs/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path. If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used. If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "/usr/local"
+
+#
+# Mutex: Allows you to set the mutex mechanism and mutex file directory
+# for individual mutexes, or change the global defaults
+#
+# Uncomment and change the directory if mutexes are file-based and the default
+# mutex file directory is not on a local disk or is not appropriate for some
+# other reason.
+#
+# Mutex default:/var/run
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
+#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
+#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
+LoadModule authn_file_module libexec/apache24/mod_authn_file.so
+#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
+#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
+#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
+#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
+LoadModule authn_core_module libexec/apache24/mod_authn_core.so
+LoadModule authz_host_module libexec/apache24/mod_authz_host.so
+LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
+LoadModule authz_user_module libexec/apache24/mod_authz_user.so
+#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
+#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
+#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
+LoadModule authz_core_module libexec/apache24/mod_authz_core.so
+#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
+LoadModule access_compat_module libexec/apache24/mod_access_compat.so
+LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
+#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
+#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
+#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
+#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
+#LoadModule cache_module libexec/apache24/mod_cache.so
+#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
+#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
+LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
+#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
+#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
+#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
+#LoadModule macro_module libexec/apache24/mod_macro.so
+#LoadModule dbd_module libexec/apache24/mod_dbd.so
+#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
+#LoadModule buffer_module libexec/apache24/mod_buffer.so
+#LoadModule data_module libexec/apache24/mod_data.so
+#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
+LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
+#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
+#LoadModule request_module libexec/apache24/mod_request.so
+#LoadModule include_module libexec/apache24/mod_include.so
+LoadModule filter_module libexec/apache24/mod_filter.so
+#LoadModule reflector_module libexec/apache24/mod_reflector.so
+#LoadModule substitute_module libexec/apache24/mod_substitute.so
+#LoadModule sed_module libexec/apache24/mod_sed.so
+#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
+#LoadModule deflate_module libexec/apache24/mod_deflate.so
+#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
+#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
+LoadModule mime_module libexec/apache24/mod_mime.so
+LoadModule log_config_module libexec/apache24/mod_log_config.so
+#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
+#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
+#LoadModule logio_module libexec/apache24/mod_logio.so
+LoadModule env_module libexec/apache24/mod_env.so
+#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
+#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
+#LoadModule expires_module libexec/apache24/mod_expires.so
+LoadModule headers_module libexec/apache24/mod_headers.so
+#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
+#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
+LoadModule setenvif_module libexec/apache24/mod_setenvif.so
+LoadModule version_module libexec/apache24/mod_version.so
+#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
+LoadModule proxy_module libexec/apache24/mod_proxy.so
+#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
+#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
+#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
+LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
+#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
+#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
+#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
+#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
+#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
+#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
+#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
+#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
+#LoadModule session_module libexec/apache24/mod_session.so
+#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
+#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
+#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
+#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
+#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
+LoadModule ssl_module libexec/apache24/mod_ssl.so
+#LoadModule dialup_module libexec/apache24/mod_dialup.so
+LoadModule http2_module libexec/apache24/mod_http2.so
+LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
+#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
+#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
+#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
+#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
+LoadModule unixd_module libexec/apache24/mod_unixd.so
+#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
+#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
+#LoadModule dav_module libexec/apache24/mod_dav.so
+LoadModule status_module libexec/apache24/mod_status.so
+LoadModule autoindex_module libexec/apache24/mod_autoindex.so
+#LoadModule asis_module libexec/apache24/mod_asis.so
+#LoadModule info_module libexec/apache24/mod_info.so
+
+ #LoadModule cgid_module libexec/apache24/mod_cgid.so
+
+
+ #LoadModule cgi_module libexec/apache24/mod_cgi.so
+
+#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
+#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
+#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
+#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
+LoadModule dir_module libexec/apache24/mod_dir.so
+#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
+#LoadModule actions_module libexec/apache24/mod_actions.so
+#LoadModule speling_module libexec/apache24/mod_speling.so
+#LoadModule userdir_module libexec/apache24/mod_userdir.so
+LoadModule alias_module libexec/apache24/mod_alias.so
+LoadModule rewrite_module libexec/apache24/mod_rewrite.so
+#LoadModule php7_module libexec/apache24/libphp7.so
+
+# Third party modules
+IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
+
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User www
+Group www
+
+
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# definition. These values also provide defaults for
+# any containers you may define later in the file.
+#
+# All of these directives may appear inside containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin sharad@ahlawat.com
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other
+# blocks below.
+#
+
+ AllowOverride none
+ Require all denied
+
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/usr/local/www/apache24/data"
+
+
+# can't set this if traffic is passing through haproxy and being redirected to ssl already
+# RewriteEngine on
+# RewriteRule ^/\.well-known/ - [L]
+# RewriteRule (.*) https://www.datavpc.com [R,L]
+
+ #
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs/2.4/mod/core.html#options
+ # for more information.
+ #
+ Options Indexes FollowSymLinks
+
+ #
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # AllowOverride FileInfo AuthConfig Limit
+ #
+ AllowOverride None
+
+ #
+ # Controls who can get stuff from this server.
+ #
+ Require all granted
+
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+
+ DirectoryIndex index.php index.html
+
+ SetHandler application/x-httpd-php
+
+
+ SetHandler application/x-httpd-php-source
+
+
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+
+ Require all denied
+
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog "/var/log/httpd-error.log"
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+
+ #
+ # The following directives define some format nicknames for use with
+ # a CustomLog directive (see below).
+ #
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+
+ # You need to enable mod_logio.c to use %I and %O
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+
+ #
+ # The location and format of the access logfile (Common Logfile Format).
+ # If you do not define any access logfiles within a
+ # container, they will be logged here. Contrariwise, if you *do*
+ # define per- access logfiles, transactions will be
+ # logged therein and *not* in this file.
+ #
+ CustomLog "/var/log/httpd-access.log" common
+
+ #
+ # If you prefer a logfile with access, agent, and referer information
+ # (Combined Logfile Format) you can use the following directive.
+ #
+ #CustomLog "/var/log/httpd-access.log" combined
+
+
+
+ #
+ # Redirect: Allows you to tell clients about documents that used to
+ # exist in your server's namespace, but do not anymore. The client
+ # will make a new request for the document at its new location.
+ # Example:
+ # Redirect permanent /foo http://www.example.com/bar
+
+ #
+ # Alias: Maps web paths into filesystem paths and is used to
+ # access content that does not live under the DocumentRoot.
+ # Example:
+ # Alias /webpath /full/filesystem/path
+ #
+ # If you include a trailing / on /webpath then the server will
+ # require it to be present in the URL. You will also likely
+ # need to provide a section to allow access to
+ # the filesystem path.
+
+ #
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the target directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the
+ # client. The same rules about trailing "/" apply to ScriptAlias
+ # directives as to Alias.
+ #
+ ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
+
+
+
+
+ #
+ # ScriptSock: On threaded servers, designate the path to the UNIX
+ # socket used to communicate with the CGI daemon of mod_cgid.
+ #
+ #Scriptsock cgisock
+
+
+#
+# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+
+ AllowOverride None
+ Options None
+ Require all granted
+
+
+
+ #
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+ # backend servers which have lingering "httpoxy" defects.
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
+ #
+ RequestHeader unset Proxy early
+
+
+
+ #
+ # TypesConfig points to the file containing the list of mappings from
+ # filename extension to MIME-type.
+ #
+ TypesConfig etc/apache24/mime.types
+
+ #
+ # AddType allows you to add to or override the MIME configuration
+ # file specified in TypesConfig for specific file types.
+ #
+ #AddType application/x-gzip .tgz
+ #
+ # AddEncoding allows you to have certain browsers uncompress
+ # information on the fly. Note: Not all browsers support this.
+ #
+ #AddEncoding x-compress .Z
+ #AddEncoding x-gzip .gz .tgz
+ #
+ # If the AddEncoding directives above are commented-out, then you
+ # probably should define those extensions to indicate media types:
+ #
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
+ #
+ # AddHandler allows you to map certain file extensions to "handlers":
+ # actions unrelated to filetype. These can be either built into the server
+ # or added with the Action directive (see below)
+ #
+ # To use CGI scripts outside of ScriptAliased directories:
+ # (You will also need to add "ExecCGI" to the "Options" directive.)
+ #
+ #AddHandler cgi-script .cgi
+
+ # For type maps (negotiated resources):
+ #AddHandler type-map var
+
+ #
+ # Filters allow you to process content before it is sent to the client.
+ #
+ # To parse .shtml files for server-side includes (SSI):
+ # (You will also need to add "Includes" to the "Options" directive.)
+ #
+ #AddType text/html .shtml
+ #AddOutputFilter INCLUDES .shtml
+
+ AddType application/x-httpd-php .php
+ AddType application/x-httpd-php-source .phps
+
+
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+#MIMEMagicFile etc/apache24/magic
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall may be used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+#EnableSendfile on
+
+# Supplemental configuration
+#
+# The configuration files in the etc/apache24/extra/ directory can be
+# included to add extra features or to modify the default configuration of
+# the server, or you may simply copy their contents here and change as
+# necessary.
+
+# Server-pool management (MPM specific)
+#Include etc/apache24/extra/httpd-mpm.conf
+
+# Multi-language error messages
+#Include etc/apache24/extra/httpd-multilang-errordoc.conf
+
+# Fancy directory listings
+#Include etc/apache24/extra/httpd-autoindex.conf
+
+# Language settings
+#Include etc/apache24/extra/httpd-languages.conf
+
+# User home directories
+#Include etc/apache24/extra/httpd-userdir.conf
+
+# Real-time info on requests and configuration
+#Include etc/apache24/extra/httpd-info.conf
+
+# Virtual hosts
+#Include etc/apache24/extra/httpd-vhosts.conf
+
+# Local access to the Apache HTTP Server Manual
+#Include etc/apache24/extra/httpd-manual.conf
+
+# Distributed authoring and versioning (WebDAV)
+#Include etc/apache24/extra/httpd-dav.conf
+
+# Various default settings
+#Include etc/apache24/extra/httpd-default.conf
+
+# Configure mod_proxy_html to understand HTML4/XHTML1
+
+Include etc/apache24/extra/proxy-html.conf
+
+
+# Secure (SSL/TLS) connections
+#Include etc/apache24/extra/httpd-ssl.conf
+#
+# Note: The following must must be present to support
+# starting without SSL on platforms with no /dev/random equivalent
+# but a statically compiled-in mod_ssl.
+#
+
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+
+
+Include etc/apache24/Includes/*.conf
+
+
+ ServerName www.datavpc.com
+ ServerAlias *.datavpc.com
+ ServerAlias datavpc.com
+ ServerName www.mydatavpc.com
+ ServerAlias *.mydatavpc.com
+ ServerAlias mydatavpc.com
+
+ Protocols h2 h2c http/1.1
+
+ DocumentRoot "/usr/local/www/apache24/data/"
+
+ SSLEngine on
+ SSLCertificateFile "/mnt/certs/diyfullchain.pem"
+ SSLCertificateKeyFile "/mnt/certs/diyprivkey.pem"
+ #SSLCertificateChainFile "/mnt/certs/diyfullchain.pem"
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ SSLHonorCipherOrder on
+ SSLCompression off
+ SSLSessionTickets off
+ SSLOptions +StrictRequire
+
+ RewriteEngine On
+ RewriteCond %{HTTP:Authorization} ^(.*)
+ RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
+
+
+ SetHandler "proxy:fcgi://127.0.0.1:9000"
+ SSLOptions +StdEnvVars
+
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+ CustomLog "/var/log/ssl-request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+ Options Indexes FollowSymLinks MultiViews
+ ## IndexOptions FancyIndexing FoldersFirst IgnoreCase VersionSort SuppressHTMLPreamble NameWidth=96 DescriptionWidth=16
+ IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=96
+
+ #AllowOverride controls what directives may be placed in .htaccess files.
+ AllowOverride All
+ #AllowOverride AuthConfig
+ #Controls who can get stuff from this server file
+ Require all granted
+
+
+ ErrorLog "/var/log/ssl-error.log"
+ CustomLog "/var/log/ssl-access_log" combined
+
+
+ Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+
+
+
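Review bot: The vhost near the end of the file sets `ServerName` twice (`ServerName www.datavpc.com`, then `ServerName www.mydatavpc.com`); Apache keeps only the last one, so the host identifies itself as www.mydatavpc.com and the second line should be `ServerAlias www.mydatavpc.com`. `Options Indexes FollowSymLinks` on the DocumentRoot block, together with `Options Indexes FollowSymLinks MultiViews` and `IndexOptions FancyIndexing ...` in the vhost, means any directory without an index file is listed to every client; if that is intentional for a file share it deserves a comment, otherwise drop `Indexes`. With `ServerTokens` and `ServerSignature` left at their defaults the server advertises its full version string in headers and error pages; `ServerTokens Prod` and `ServerSignature Off` are the usual hardening. The container tags (`<Directory>`, `<VirtualHost>`, `<FilesMatch>`) appear to have been stripped from this rendering, so the scoping of these directives is inferred from indentation.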
diff --git a/jails/config/web-datavpc/php.ini b/jails/config/web-datavpc/php.ini
new file mode 100644
index 0000000..c04b984
--- /dev/null
+++ b/jails/config/web-datavpc/php.ini
@@ -0,0 +1,1918 @@
+[PHP]
+
+;;;;;;;;;;;;;;;;;;;
+; About php.ini ;
+;;;;;;;;;;;;;;;;;;;
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+
+; PHP attempts to find and load this configuration from a number of locations.
+; The following is a summary of its search order:
+; 1. SAPI module specific location.
+; 2. The PHPRC environment variable. (As of PHP 5.2.0)
+; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
+; 4. Current working directory (except CLI)
+; 5. The web server's directory (for SAPI modules), or directory of PHP
+; (otherwise in Windows)
+; 6. The directory from the --with-config-file-path compile time option, or the
+; Windows directory (C:\windows or C:\winnt)
+; See the PHP docs for more specific information.
+; http://php.net/configuration.file
+
+; The syntax of the file is extremely simple. Whitespace and lines
+; beginning with a semicolon are silently ignored (as you probably guessed).
+; Section headers (e.g. [Foo]) are also silently ignored, even though
+; they might mean something in the future.
+
+; Directives following the section heading [PATH=/www/mysite] only
+; apply to PHP files in the /www/mysite directory. Directives
+; following the section heading [HOST=www.example.com] only apply to
+; PHP files served from www.example.com. Directives set in these
+; special sections cannot be overridden by user-defined INI files or
+; at runtime. Currently, [PATH=] and [HOST=] sections only work under
+; CGI/FastCGI.
+; http://php.net/ini.sections
+
+; Directives are specified using the following syntax:
+; directive = value
+; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
+; Directives are variables used to configure PHP or PHP extensions.
+; There is no name validation. If PHP can't find an expected
+; directive because it is not set or is mistyped, a default value will be used.
+
+; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
+; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
+; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a
+; previously set variable or directive (e.g. ${foo})
+
+; Expressions in the INI file are limited to bitwise operators and parentheses:
+; | bitwise OR
+; ^ bitwise XOR
+; & bitwise AND
+; ~ bitwise NOT
+; ! boolean NOT
+
+; Boolean flags can be turned on using the values 1, On, True or Yes.
+; They can be turned off using the values 0, Off, False or No.
+
+; An empty string can be denoted by simply not writing anything after the equal
+; sign, or by using the None keyword:
+
+; foo = ; sets foo to an empty string
+; foo = None ; sets foo to an empty string
+; foo = "None" ; sets foo to the string 'None'
+
+; If you use constants in your value, and these constants belong to a
+; dynamically loaded extension (either a PHP extension or a Zend extension),
+; you may only use these constants *after* the line that loads the extension.
+
+;;;;;;;;;;;;;;;;;;;
+; About this file ;
+;;;;;;;;;;;;;;;;;;;
+; PHP comes packaged with two INI files. One that is recommended to be used
+; in production environments and one that is recommended to be used in
+; development environments.
+
+; php.ini-production contains settings which hold security, performance and
+; best practices at its core. But please be aware, these settings may break
+; compatibility with older or less security conscience applications. We
+; recommending using the production ini in production and testing environments.
+
+; php.ini-development is very similar to its production variant, except it is
+; much more verbose when it comes to errors. We recommend using the
+; development version only in development environments, as errors shown to
+; application users can inadvertently leak otherwise secure information.
+
+; This is php.ini-production INI file.
+
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+; The following are all the settings which are different in either the production
+; or development versions of the INIs with respect to PHP's default behavior.
+; Please see the actual settings later in the document for more details as to why
+; we recommend these changes in PHP's behavior.
+
+; display_errors
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+
+; display_startup_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+
+; error_reporting
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; html_errors
+; Default Value: On
+; Development Value: On
+; Production value: On
+
+; log_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+
+; max_input_time
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+
+; output_buffering
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+
+; register_argc_argv
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; request_order
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+
+; session.gc_divisor
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+
+; session.sid_bits_per_character
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+
+; short_open_tag
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; track_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+
+; variables_order
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS"
+
+;;;;;;;;;;;;;;;;;;;;
+; php.ini Options ;
+;;;;;;;;;;;;;;;;;;;;
+; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
+;user_ini.filename = ".user.ini"
+
+; To disable this feature set this option to empty value
+;user_ini.filename =
+
+; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
+;user_ini.cache_ttl = 300
+
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Enable the PHP scripting language engine under Apache.
+; http://php.net/engine
+engine = On
+
+; This directive determines whether or not PHP will recognize code between
+; and ?> tags as PHP source which should be processed as such. It is
+; generally recommended that should be used and that this feature
+; should be disabled, as enabling it may result in issues when generating XML
+; documents, however this remains supported for backward compatibility reasons.
+; Note that this directive does not control the = shorthand tag, which can be
+; used regardless of this directive.
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/short-open-tag
+short_open_tag = Off
+
+; The number of significant digits displayed in floating point numbers.
+; http://php.net/precision
+precision = 14
+
+; Output buffering is a mechanism for controlling how much output data
+; (excluding headers and cookies) PHP should keep internally before pushing that
+; data to the client. If your application's output exceeds this setting, PHP
+; will send that data in chunks of roughly the size you specify.
+; Turning on this setting and managing its maximum buffer size can yield some
+; interesting side-effects depending on your application and web server.
+; You may be able to send headers and cookies after you've already sent output
+; through print or echo. You also may see performance benefits if your server is
+; emitting less packets due to buffered output versus PHP streaming the output
+; as it gets it. On production servers, 4096 bytes is a good setting for performance
+; reasons.
+; Note: Output buffering can also be controlled via Output Buffering Control
+; functions.
+; Possible Values:
+; On = Enabled and buffer is unlimited. (Use with caution)
+; Off = Disabled
+; Integer = Enables the buffer and sets its maximum size in bytes.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+; http://php.net/output-buffering
+output_buffering = 4096
+
+; You can redirect all of the output of your scripts to a function. For
+; example, if you set output_handler to "mb_output_handler", character
+; encoding will be transparently converted to the specified encoding.
+; Setting any output handler automatically turns on output buffering.
+; Note: People who wrote portable scripts should not depend on this ini
+; directive. Instead, explicitly set the output handler using ob_start().
+; Using this ini directive may cause problems unless you know what script
+; is doing.
+; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
+; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
+; Note: output_handler must be empty if this is set 'On' !!!!
+; Instead you must use zlib.output_handler.
+; http://php.net/output-handler
+;output_handler =
+
+; URL rewriter function rewrites URL on the fly by using
+; output buffer. You can set target tags by this configuration.
+; "form" tag is special tag. It will add hidden input tag to pass values.
+; Refer to session.trans_sid_tags for usage.
+; Default Value: "form="
+; Development Value: "form="
+; Production Value: "form="
+;url_rewriter.tags
+
+; URL rewriter will not rewrites absolute URL nor form by default. To enable
+; absolute URL rewrite, allowed hosts must be defined at RUNTIME.
+; Refer to session.trans_sid_hosts for more details.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;url_rewriter.hosts
+
+; Transparent output compression using the zlib library
+; Valid values for this option are 'off', 'on', or a specific buffer size
+; to be used for compression (default is 4KB)
+; Note: Resulting chunk size may vary due to nature of compression. PHP
+; outputs chunks that are few hundreds bytes each as a result of
+; compression. If you prefer a larger chunk size for better
+; performance, enable output_buffering in addition.
+; Note: You need to use zlib.output_handler instead of the standard
+; output_handler, or otherwise the output will be corrupted.
+; http://php.net/zlib.output-compression
+zlib.output_compression = Off
+
+; http://php.net/zlib.output-compression-level
+;zlib.output_compression_level = -1
+
+; You cannot specify additional output handlers if zlib.output_compression
+; is activated here. This setting does the same as output_handler but in
+; a different order.
+; http://php.net/zlib.output-handler
+;zlib.output_handler =
+
+; Implicit flush tells PHP to tell the output layer to flush itself
+; automatically after every output block. This is equivalent to calling the
+; PHP function flush() after each and every call to print() or echo() and each
+; and every HTML block. Turning this option on has serious performance
+; implications and is generally recommended for debugging purposes only.
+; http://php.net/implicit-flush
+; Note: This directive is hardcoded to On for the CLI SAPI
+implicit_flush = Off
+
+; The unserialize callback function will be called (with the undefined class'
+; name as parameter), if the unserializer finds an undefined class
+; which should be instantiated. A warning appears if the specified function is
+; not defined, or if the function doesn't include/implement the missing class.
+; So only set this entry, if you really want to implement such a
+; callback-function.
+unserialize_callback_func =
+
+; When floats & doubles are serialized, store serialize_precision significant
+; digits after the floating point. The default value ensures that when floats
+; are decoded with unserialize, the data will remain the same.
+; The value is also used for json_encode when encoding double values.
+; If -1 is used, then dtoa mode 0 is used which automatically select the best
+; precision.
+serialize_precision = -1
+
+; open_basedir, if set, limits all file operations to the defined directory
+; and below. This directive makes most sense if used in a per-directory
+; or per-virtualhost web server configuration file.
+; http://php.net/open-basedir
+;open_basedir =
+
+; This directive allows you to disable certain functions for security reasons.
+; It receives a comma-delimited list of function names.
+; http://php.net/disable-functions
+disable_functions =
+
+; This directive allows you to disable certain classes for security reasons.
+; It receives a comma-delimited list of class names.
+; http://php.net/disable-classes
+disable_classes =
+
+; Colors for Syntax Highlighting mode. Anything that's acceptable in
+; would work.
+; http://php.net/syntax-highlighting
+;highlight.string = #DD0000
+;highlight.comment = #FF9900
+;highlight.keyword = #007700
+;highlight.default = #0000BB
+;highlight.html = #000000
+
+; If enabled, the request will be allowed to complete even if the user aborts
+; the request. Consider enabling it if executing long requests, which may end up
+; being interrupted by the user or a browser timing out. PHP's default behavior
+; is to disable this feature.
+; http://php.net/ignore-user-abort
+;ignore_user_abort = On
+
+; Determines the size of the realpath cache to be used by PHP. This value should
+; be increased on systems where PHP opens many files to reflect the quantity of
+; the file operations performed.
+; http://php.net/realpath-cache-size
+;realpath_cache_size = 4096k
+
+; Duration of time, in seconds for which to cache realpath information for a given
+; file or directory. For systems with rarely changing files, consider increasing this
+; value.
+; http://php.net/realpath-cache-ttl
+;realpath_cache_ttl = 120
+
+; Enables or disables the circular reference collector.
+; http://php.net/zend.enable-gc
+zend.enable_gc = On
+
+; If enabled, scripts may be written in encodings that are incompatible with
+; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such
+; encodings. To use this feature, mbstring extension must be enabled.
+; Default: Off
+;zend.multibyte = Off
+
+; Allows to set the default encoding for the scripts. This value will be used
+; unless "declare(encoding=...)" directive appears at the top of the script.
+; Only affects if zend.multibyte is set.
+; Default: ""
+;zend.script_encoding =
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+
+; Decides whether PHP may expose the fact that it is installed on the server
+; (e.g. by adding its signature to the Web server header). It is no security
+; threat in any way, but it makes it possible to determine whether you use PHP
+; on your server or not.
+; http://php.net/expose-php
+expose_php = On
+
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+; Maximum execution time of each script, in seconds
+; http://php.net/max-execution-time
+; Note: This directive is hardcoded to 0 for the CLI SAPI
+max_execution_time = 30
+
+; Maximum amount of time each script may spend parsing request data. It's a good
+; idea to limit this time on productions servers in order to eliminate unexpectedly
+; long running scripts.
+; Note: This directive is hardcoded to -1 for the CLI SAPI
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+; http://php.net/max-input-time
+max_input_time = 60
+
+; Maximum input variable nesting level
+; http://php.net/max-input-nesting-level
+;max_input_nesting_level = 64
+
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
+; Maximum amount of memory a script may consume (128MB)
+; http://php.net/memory-limit
+memory_limit = 128M
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Error handling and logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; This directive informs PHP of which errors, warnings and notices you would like
+; it to take action for. The recommended way of setting values for this
+; directive is through the use of the error level constants and bitwise
+; operators. The error level constants are below here for convenience as well as
+; some common settings and their meanings.
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
+; those related to E_NOTICE and E_STRICT, which together cover best practices and
+; recommended coding standards in PHP. For performance reasons, this is the
+; recommend error reporting setting. Your production server shouldn't be wasting
+; resources complaining about best practices and coding standards. That's what
+; development servers and development settings are for.
+; Note: The php.ini-development file has this setting as E_ALL. This
+; means it pretty much reports everything which is exactly what you want during
+; development and early testing.
+;
+; Error Level Constants:
+; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
+; E_ERROR - fatal run-time errors
+; E_RECOVERABLE_ERROR - almost fatal run-time errors
+; E_WARNING - run-time warnings (non-fatal errors)
+; E_PARSE - compile-time parse errors
+; E_NOTICE - run-time notices (these are warnings which often result
+; from a bug in your code, but it's possible that it was
+; intentional (e.g., using an uninitialized variable and
+; relying on the fact it is automatically initialized to an
+; empty string)
+; E_STRICT - run-time notices, enable to have PHP suggest changes
+; to your code which will ensure the best interoperability
+; and forward compatibility of your code
+; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
+; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
+; initial startup
+; E_COMPILE_ERROR - fatal compile-time errors
+; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
+; E_USER_ERROR - user-generated error message
+; E_USER_WARNING - user-generated warning message
+; E_USER_NOTICE - user-generated notice message
+; E_DEPRECATED - warn about code that will not work in future versions
+; of PHP
+; E_USER_DEPRECATED - user-generated deprecation warnings
+;
+; Common Values:
+; E_ALL (Show all errors, warnings and notices including coding standards.)
+; E_ALL & ~E_NOTICE (Show all errors, except for notices)
+; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
+; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+; http://php.net/error-reporting
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; This directive controls whether or not and where PHP will output errors,
+; notices and warnings too. Error output is very useful during development, but
+; it could be very dangerous in production environments. Depending on the code
+; which is triggering the error, sensitive information could potentially leak
+; out of your application such as database usernames and passwords or worse.
+; For production environments, we recommend logging errors rather than
+; sending them to STDOUT.
+; Possible Values:
+; Off = Do not display any errors
+; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
+; On or stdout = Display errors to STDOUT
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-errors
+display_errors = Off
+
+; The display of errors which occur during PHP's startup sequence are handled
+; separately from display_errors. PHP's default behavior is to suppress those
+; errors from clients. Turning the display of startup errors on can be useful in
+; debugging configuration problems. We strongly recommend you
+; set this to 'off' for production servers.
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-startup-errors
+display_startup_errors = Off
+
+; Besides displaying errors, PHP can also log errors to locations such as a
+; server-specific log, STDERR, or a location specified by the error_log
+; directive found below. While errors should not be displayed on productions
+; servers they should still be monitored and logging is a great way to do that.
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+; http://php.net/log-errors
+log_errors = On
+
+; Set maximum length of log_errors. In error_log information about the source is
+; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+; http://php.net/log-errors-max-len
+log_errors_max_len = 1024
+
+; Do not log repeated messages. Repeated errors must occur in same file on same
+; line unless ignore_repeated_source is set true.
+; http://php.net/ignore-repeated-errors
+ignore_repeated_errors = Off
+
+; Ignore source of message when ignoring repeated messages. When this setting
+; is On you will not log errors with repeated messages from different files or
+; source lines.
+; http://php.net/ignore-repeated-source
+ignore_repeated_source = Off
+
+; If this parameter is set to Off, then memory leaks will not be shown (on
+; stdout or in the log). This has only effect in a debug compile, and if
+; error reporting includes E_WARNING in the allowed list
+; http://php.net/report-memleaks
+report_memleaks = On
+
+; This setting is on by default.
+;report_zend_debug = 0
+
+; Store the last error/warning message in $php_errormsg (boolean). Setting this value
+; to On can assist in debugging and is appropriate for development servers. It should
+; however be disabled on production servers.
+; This directive is DEPRECATED.
+; Default Value: Off
+; Development Value: Off
+; Production Value: Off
+; http://php.net/track-errors
+;track_errors = Off
+
+; Turn off normal error reporting and emit XML-RPC error XML
+; http://php.net/xmlrpc-errors
+;xmlrpc_errors = 0
+
+; An XML-RPC faultCode
+;xmlrpc_error_number = 0
+
+; When PHP displays or logs an error, it has the capability of formatting the
+; error message as HTML for easier reading. This directive controls whether
+; the error message is formatted as HTML or not.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: On
+; Development Value: On
+; Production value: On
+; http://php.net/html-errors
+html_errors = On
+
+; If html_errors is set to On *and* docref_root is not empty, then PHP
+; produces clickable error messages that direct to a page describing the error
+; or function causing the error in detail.
+; You can download a copy of the PHP manual from http://php.net/docs
+; and change docref_root to the base URL of your local copy including the
+; leading '/'. You must also specify the file extension being used including
+; the dot. PHP's default behavior is to leave these settings empty, in which
+; case no links to documentation are generated.
+; Note: Never use this feature for production boxes.
+; http://php.net/docref-root
+; Examples
+;docref_root = "/phpmanual/"
+
+; http://php.net/docref-ext
+;docref_ext = .html
+
+; String to output before an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-prepend-string
+; Example:
+;error_prepend_string = ""
+
+; String to output after an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-append-string
+; Example:
+;error_append_string = ""
+
+; Log errors to specified file. PHP's default behavior is to leave this value
+; empty.
+; http://php.net/error-log
+; Example:
+;error_log = php_errors.log
+; Log errors to syslog (Event Log on Windows).
+;error_log = syslog
+
+;windows.show_crt_warning
+; Default value: 0
+; Development value: 0
+; Production value: 0
+
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+; The separator used in PHP generated URLs to separate arguments.
+; PHP's default setting is "&".
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any affect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = 8M
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/php/includes"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues. The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+; extension_dir = "./"
+; On windows:
+; extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+; sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function. The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers. Left undefined, PHP turns this on by default. You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution. Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
+; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+; http://php.net/cgi.dicard-path
+;cgi.discard_path=1
+
+; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
+; security tokens of the calling client. This allows IIS to define the
+; security context that the request runs under. mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS. Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = 2M
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+allow_url_fopen = On
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+; extension=modulename
+;
+; For example:
+;
+; extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+; extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=.so' and
+; 'extension='php_.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=) syntax.
+;
+; Notes for Windows environments :
+;
+; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
+; extension folders as well as the separate PECL DLL download (PHP 5+).
+; Be sure to appropriately set the extension_dir directive.
+;
+;extension=bz2
+;extension=curl
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=interbase
+;extension=ldap
+;extension=mbstring
+;extension=exif ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+date.timezone = America/Los_Angeles
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < intput_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+;sqlite3.extension_dir =
+
+[Pcre]
+;PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+;PCRE library recursion limit.
+;Please note that if you set this value to a high number you may consume all
+;the available process stack and eventually crash PHP (due to reaching the
+;stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+;Enables or disables JIT compilation of patterns. This requires the PCRE
+;library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; If mysqlnd is used: Number of cache slots for the internal result set cache
+; http://php.net/pdo_mysql.cache_size
+pdo_mysql.cache_size = 2000
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/pdo_mysql.default-socket
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+;birdstep.max_links = -1
+
+[Interbase]
+; Allow or prevent persistent links.
+ibase.allow_persistent = 1
+
+; Maximum number of persistent links. -1 means no limit.
+ibase.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+ibase.max_links = -1
+
+; Default database name for ibase_connect().
+;ibase.default_db =
+
+; Default username for ibase_connect().
+;ibase.default_user =
+
+; Default password for ibase_connect().
+;ibase.default_password =
+
+; Default charset for ibase_connect().
+;ibase.default_charset =
+
+; Default timestamp format.
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+
+; Default date format.
+ibase.dateformat = "%Y-%m-%d"
+
+; Default time format.
+ibase.timeformat = "%H:%M:%S"
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; If mysqlnd is used: Number of cache slots for the internal result set cache
+; http://php.net/mysqli.cache_size
+mysqli.cache_size = 2000
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+; http://php.net/mysqlnd.collect_statistics
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+; http://php.net/mysqlnd.collect_memory_statistics
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+; http://php.net/mysqlnd.log_mask
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+; http://php.net/mysqlnd.mempool_default_size
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+; http://php.net/mysqlnd.net_cmd_buffer_size
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+; http://php.net/mysqlnd.net_read_buffer_size
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+; http://php.net/mysqlnd.net_read_timeout
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+; http://php.net/mysqlnd.sha256_server_public_key
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/tmp"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept uninitialized session ID and regenerate
+; session ID if browser sends uninitialized session ID. Strict mode protects
+; applications from session fixation via session adoption vulnerability. It is
+; disabled by default for maximum compatibility, but enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started
+; on every session initialization. The probability is calculated by using
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator
+; and gc_divisor is the denominator in the equation. Setting this value to 1
+; when the session.gc_divisor value is 100 will give you approximately a 1% chance
+; the gc will run on any give request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 1
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using the following equation:
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator and
+; session.gc_divisor is the denominator in the equation. Setting this value to 1
+; when the session.gc_divisor value is 100 will give you approximately a 1% chance
+; the gc will run on any give request. Increasing this value to 1000 will give you
+; a 0.1% chance the gc will run on any give request. For high volume production servers,
+; this is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script would is the equivalent of
+; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+;