updated for FreeBSD 12.2

2021-02-13 11:38:38 -08:00 · 2021-02-13 11:38:38 -08:00 · 5cee123a3c
commit 5cee123a3c
parent bd3cffc61a
121 changed files with 7315 additions and 624 deletions
--- a/diyit-org-license.txt
+++ b/diyit-org-license.txt
@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/jails/config/atm/afp.conf
+++ b/jails/config/atm/afp.conf
@ -1,32 +1,63 @@
 ;
 ; Netatalk 3.x configuration file
-;
+; http://netatalk.sourceforge.net/3.1/htmldocs/afp.conf.5.html
 [Global]
 ; Global server settings
 hostname = atm
-hosts allow = 192.168.0.0/24,192.168.100.0/24
+afp listen = ::
-afp listen = 0.0.0.0
+mimic model = TimeCapsule6,106
 uam list = uams_guest.so uams_dhx2_passwd.so
 ; locate uam # show all the uam modules
 force xattr with sticky bit = yes
 zeroconf = yes
 afpstats = yes
 ldap auth method = simple
 ;ldap auth dn = cn=admin,dc=infra
 ;ldap auth pw = notrequired
 ldap server = ldap.ahlawat.com
 ldap name attr = cn
 ldap userbase = ou=people,dc=infra
 ldap userscope = one
 ldap uuid attr = uidNumber
 ldap group attr = cn
 ldap groupbase = ou=group,dc=infra
 ldap groupscope = one
 ;ldap uuid attr = gidNumber #this is used both for users and groups.
 ; You can comment these 2 lines when your setup is working
 ;log level = default:maxdebug,afpdaemon:maxdebug,logger:maxdebug,uamsdaemon:maxdebug
 log file = /var/log/afpd.log
 [default_for_all_vol]
 cnid scheme = dbd
 appledouble = ea
 ea = ad
 ; [Homes]
 ; basedir regex = /xxxx
-; [My AFP Volume]
+[Sharad]
 ; path = /path/to/volume
 [Sharad Time Machine Volume]
 path = /mnt/sharad
 valid users = sharad
 time machine = yes
-[Rachna Time Machine Volume]
+[Rachna]
 path = /mnt/rachna
 valid users = rachna
 time machine = yes
-[Nivi Time Machine Volume]
+[Nivi]
 path = /mnt/nivi
 valid users = nivi
 time machine = yes
-[Rishabh Time Machine Volume]
+[Rishabh]
 path = /mnt/rishabh
 valid users = rishabh
 time machine = yes
--- a/jails/config/atm/afpd.service
+++ b/jails/config/atm/afpd.service
@ -0,0 +1,14 @@
 <?xml version="1.0" standalone='no'?><!--*-nxml-*-->
 <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
 <service-group>
    <name replace-wildcards="yes">%h</name>
    <service>
        <type>_afpovertcp._tcp</type>
        <port>548</port>
    </service>
    <service>
        <type>_device-info._tcp</type>
        <port>0</port>
        <txt-record>model=Xserve</txt-record>
    </service>
 </service-group>
--- a/jails/config/atm/ldap.conf
+++ b/jails/config/atm/ldap.conf
@ -0,0 +1,15 @@
 #
 # LDAP Defaults
 #
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.
 BASE	ou=people,dc=infra
 URI	ldaps://ldap.ahlawat.com:636
 ssl start_tls
 tls_cacert /mnt/certs/cacert.pem
 #SIZELIMIT	12
 #TIMELIMIT	15
 #DEREF		never
--- a/jails/config/atm/netatalk
+++ b/jails/config/atm/netatalk
@ -0,0 +1,3 @@
 auth    required        /usr/local/lib/pam_ldap.so     try_first_pass
 account required        /usr/local/lib/pam_ldap.so     try_first_pass
 session required        /usr/local/lib/pam_ldap.so
--- a/jails/config/atm/nslcd.conf
+++ b/jails/config/atm/nslcd.conf
@ -0,0 +1,142 @@
 # This is the configuration file for the LDAP nameservice
 # switch library's nslcd daemon. It configures the mapping
 # between NSS names (see /etc/nsswitch.conf) and LDAP
 # information in the directory.
 # See the manual page nslcd.conf(5) for more information.
 # The user and group nslcd should run as.
 uid nslcd
 gid nslcd
 # The uri pointing to the LDAP server to use for name lookups.
 # Multiple entries may be specified. The address that is used
 # here should be resolvable without using LDAP (obviously).
 #uri ldap://127.0.0.1/
 #uri ldaps://127.0.0.1/
 #uri ldapi://%2fvar%2frun%2fldapi_sock/
 # Note: %2f encodes the '/' used as directory separator
 uri ldaps://ldap.ahlawat.com:636
 # The LDAP version to use (defaults to 3
 # if supported by client library)
 #ldap_version 3
 # The distinguished name of the search base.
 base ou=people,dc=infra
 # The distinguished name to bind to the server with.
 # Optional: default is to bind anonymously.
 #binddn cn=proxyuser,dc=example,dc=com
 # The credentials to bind with.
 # Optional: default is no credentials.
 # Note that if you set a bindpw you should check the permissions of this file.
 #bindpw secret
 # The distinguished name to perform password modifications by root by.
 #rootpwmoddn cn=admin,dc=example,dc=com
 # The default search scope.
 #scope sub
 scope one
 #scope base
 # Customize certain database lookups.
 #base   group  ou=Groups,dc=example,dc=com
 #base   passwd ou=People,dc=example,dc=com
 #base   shadow ou=People,dc=example,dc=com
 #scope  group  onelevel
 #scope  hosts  sub
 # Bind/connect timelimit.
 #bind_timelimit 30
 # Search timelimit.
 #timelimit 30
 # Idle timelimit. nslcd will close connections if the
 # server has not been contacted for the number of seconds.
 #idle_timelimit 3600
 # Use StartTLS without verifying the server certificate.
 ssl start_tls
 #tls_reqcert never
 # CA certificates for server certificate verification
 tls_cacertdir /mnt/certs
 tls_cacertfile /mnt/certs/cacert.pem
 # Seed the PRNG if /dev/urandom is not provided
 #tls_randfile /var/run/egd-pool
 # SSL cipher suite
 # See man ciphers for syntax
 #tls_ciphers TLSv1
 # Client certificate and key
 # Use these, if your server requires client authentication.
 #tls_cert
 #tls_key
 # Mappings for Services for UNIX 3.5
 #filter passwd (objectClass=User)
 #map    passwd uid              msSFU30Name
 #map    passwd userPassword     msSFU30Password
 #map    passwd homeDirectory    msSFU30HomeDirectory
 #map    passwd homeDirectory    msSFUHomeDirectory
 #filter shadow (objectClass=User)
 #map    shadow uid              msSFU30Name
 #map    shadow userPassword     msSFU30Password
 #filter group  (objectClass=Group)
 #map    group  member           msSFU30PosixMember
 # Mappings for Services for UNIX 2.0
 #filter passwd (objectClass=User)
 #map    passwd uid              msSFUName
 #map    passwd userPassword     msSFUPassword
 #map    passwd homeDirectory    msSFUHomeDirectory
 #map    passwd gecos            msSFUName
 #filter shadow (objectClass=User)
 #map    shadow uid              msSFUName
 #map    shadow userPassword     msSFUPassword
 #map    shadow shadowLastChange pwdLastSet
 #filter group  (objectClass=Group)
 #map    group  member           posixMember
 # Mappings for Active Directory
 #pagesize 1000
 #referrals off
 #idle_timelimit 800
 #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
 #map    passwd uid              sAMAccountName
 #map    passwd homeDirectory    unixHomeDirectory
 #map    passwd gecos            displayName
 #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
 #map    shadow uid              sAMAccountName
 #map    shadow shadowLastChange pwdLastSet
 #filter group  (objectClass=group)
 # Alternative mappings for Active Directory
 # (replace the SIDs in the objectSid mappings with the value for your domain)
 #pagesize 1000
 #referrals off
 #idle_timelimit 800
 #filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
 #map    passwd uid           cn
 #map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
 #map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
 #map    passwd homeDirectory "/home/$cn"
 #map    passwd gecos         displayName
 #map    passwd loginShell    "/bin/bash"
 #filter group (|(objectClass=group)(objectClass=person))
 #map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820
 # Mappings for AIX SecureWay
 #filter passwd (objectClass=aixAccount)
 #map    passwd uid              userName
 #map    passwd userPassword     passwordChar
 #map    passwd uidNumber        uid
 #map    passwd gidNumber        gid
 #filter group  (objectClass=aixAccessGroup)
 #map    group  cn               groupName
 #map    group  gidNumber        gid
--- a/jails/config/atm/nsswitch.conf
+++ b/jails/config/atm/nsswitch.conf
@ -0,0 +1,18 @@
 #
 # nsswitch.conf(5) - name service switch configuration file
 # $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
 #
 #group: compat
 group: files ldap
 group_compat: nis
 hosts: files dns
 netgroup: compat
 networks: files
 #passwd: compat
 passwd: files ldap
 passwd_compat: nis
 shells: files
 services: compat
 services_compat: nis
 protocols: files
 rpc: files
--- a/jails/config/atm/pam_ldap.conf
+++ b/jails/config/atm/pam_ldap.conf
@ -0,0 +1,17 @@
 #
 # LDAP Defaults
 #
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.
 BASE	ou=people,dc=infra
 URI	ldaps://ldap.ahlawat.com:636
 ssl start_tls
 tls_cacert /mnt/certs/cacert.pem
 pam_login_attribute cn
 #SIZELIMIT	12
 #TIMELIMIT	15
 #DEREF		never
--- a/jails/config/atm/pkgp.conf
+++ b/jails/config/atm/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/atm/sshd
+++ b/jails/config/atm/sshd
@ -0,0 +1,28 @@
 #
 # $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
 #
 # PAM configuration for the "sshd" service
 #
 # auth
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn
 auth		required	pam_unix.so		no_warn try_first_pass
 # account
 account		required	pam_nologin.so
 #account	required	pam_krb5.so
 account		required	pam_login_access.so
 account     required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
 account		required	pam_unix.so
 # session
 #session	optional	pam_ssh.so		want_agent
 session		required	pam_permit.so
 # password
 #password	sufficient	pam_krb5.so		no_warn try_first_pass
 password	required	pam_unix.so		no_warn try_first_pass
--- a/jails/config/auto/portfolio
+++ b/jails/config/auto/portfolio
@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/auto/producthunt
+++ b/jails/config/auto/producthunt
@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/book/cps
+++ b/jails/config/book/cps
@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/cam/camserver
+++ b/jails/config/cam/camserver
@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/cert/backup.sh
+++ b/jails/config/cert/backup.sh
@ -0,0 +1 @@
 cp -r /root/.acme.sh /mnt/config/secret/
--- a/jails/config/common/freebsd-update.conf
+++ b/jails/config/common/freebsd-update.conf
@ -0,0 +1,77 @@
 # $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
 # Trusted keyprint.  Changing this is a Bad Idea unless you've received
 # a PGP-signed email from <security-officer@FreeBSD.org> telling you to
 # change it and explaining why.
 KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
 # Server or server pool from which to fetch updates.  You can change
 # this to point at a specific server if you want, but in most cases
 # using a "nearby" server won't provide a measurable improvement in
 # performance.
 ServerName update.FreeBSD.org
 # Components of the base system which should be kept updated.
 #Components src world
 Components world
 # Example for updating the userland and the kernel source code only:
 # Components src/base src/sys world
 # Paths which start with anything matching an entry in an IgnorePaths
 # statement will be ignored.
 IgnorePaths
 # Paths which start with anything matching an entry in an IDSIgnorePaths
 # statement will be ignored by "freebsd-update IDS".
 IDSIgnorePaths /usr/share/man/cat
 IDSIgnorePaths /usr/share/man/whatis
 IDSIgnorePaths /var/db/locate.database
 IDSIgnorePaths /var/log
 # Paths which start with anything matching an entry in an UpdateIfUnmodified
 # statement will only be updated if the contents of the file have not been
 # modified by the user (unless changes are merged; see below).
 UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
 # When upgrading to a new FreeBSD release, files which match MergeChanges
 # will have any local changes merged into the version from the new release.
 MergeChanges /etc/ /boot/device.hints
 ### Default configuration options:
 # Directory in which to store downloaded updates and temporary
 # files used by FreeBSD Update.
 # WorkDir /var/db/freebsd-update
 # Destination to send output of "freebsd-update cron" if an error
 # occurs or updates have been downloaded.
 # MailTo root
 # Is FreeBSD Update allowed to create new files?
 # AllowAdd yes
 # Is FreeBSD Update allowed to delete files?
 # AllowDelete yes
 # If the user has modified file ownership, permissions, or flags, should
 # FreeBSD Update retain this modified metadata when installing a new version
 # of that file?
 # KeepModifiedMetadata yes
 # When upgrading between releases, should the list of Components be
 # read strictly (StrictComponents yes) or merely as a list of components
 # which *might* be installed of which FreeBSD Update should figure out
 # which actually are installed and upgrade those (StrictComponents no)?
 # StrictComponents no
 # When installing a new kernel perform a backup of the old one first
 # so it is possible to boot the old kernel in case of problems.
 # BackupKernel yes
 # If BackupKernel is enabled, the backup kernel is saved to this
 # directory.
 # BackupKernelDir /boot/kernel.old
 # When backing up a kernel also back up debug symbol files?
 # BackupKernelSymbolFiles no
--- a/jails/config/common/pkgp.conf
+++ b/jails/config/common/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/common/snip-sendmail.sh
+++ b/jails/config/common/snip-sendmail.sh
@ -1,6 +1,6 @@
 #! /usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/common/sshd_config
+++ b/jails/config/common/sshd_config
@ -1,5 +1,5 @@
 #	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-#	$FreeBSD: releng/12.1/crypto/openssh/sshd_config 338561 2018-09-10 16:20:12Z des $
+#	$FreeBSD: releng/12.2/crypto/openssh/sshd_config 360313 2020-04-25 15:38:48Z emaste $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@ -105,7 +105,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PermitTunnel no
 #ChrootDirectory none
 #UseBlacklist no
-#VersionAddendum FreeBSD-20180909
+#VersionAddendum FreeBSD-20200214
 # no default banner path
 #Banner none
--- a/jails/config/common/vncserver
+++ b/jails/config/common/vncserver
@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/db/my.cnf
+++ b/jails/config/db/my.cnf
@ -1,99 +1,13 @@
 # Example MySQL config file for small systems.
 #
-# This is for a system with little memory (<= 64M) where MySQL is only used
+# This group is read both by the client and the server
-# from time to time and it's important that the mysqld daemon
+# use it for options that affect everything, see
-# doesn't use much resources.
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
 #
-# MySQL programs look for option files in a set of
+[client-server]
 # locations which depend on the deployment platform.
 # You can copy this option file to one of those
 # locations. For information about these locations, see:
 # http://dev.mysql.com/doc/mysql/en/option-files.html
 #
 # In this file, you can use all long options that a program supports.
 # If you want to know which options a program supports, run the program
 # with the "--help" option.
 # The following options will be passed to all MySQL clients
 [client]
 #password	= your_password
 port	= 3306
-socket		= /tmp/mysql.sock
+socket	= /var/run/mysql/mysql.sock
 # Here follows entries for some specific programs
 # The MySQL server
 [mysqld]
 bind-address    = *
 port		= 3306
 socket		= /tmp/mysql.sock
 skip-external-locking
 key_buffer_size = 16K
 max_allowed_packet = 64M
 table_open_cache = 16
 sort_buffer_size = 64K
 read_buffer_size = 256K
 read_rnd_buffer_size = 256K
 net_buffer_length = 2K
 thread_stack = 240K
 # Don't listen on a TCP/IP port at all. This can be a security enhancement,
 # if all processes that need to connect to mysqld run on the same host.
 # All interaction with mysqld must be made via Unix sockets or named pipes.
 # Note that using this option without enabling named pipes on Windows
 # (using the "enable-named-pipe" option) will render mysqld useless!
 #
-#skip-networking
+# include *.cnf from the config directory
-server-id	= 1
+#
-
+!includedir /usr/local/etc/mysql/conf.d/
 # Uncomment the following if you want to log updates
 #log-bin=mysql-bin
 # binary logging format - mixed recommended
 binlog_format=ROW
 # Causes updates to non-transactional engines using statement format to be
 # written directly to binary log. Before using this option make sure that
 # there are no dependencies between transactional and non-transactional
 # tables such as in the statement INSERT INTO t_myisam SELECT * FROM
 # t_innodb; otherwise, slaves may diverge from the master.
 #binlog_direct_non_transactional_updates=TRUE
 # Uncomment the following if you are using InnoDB tables
 #innodb_data_home_dir = /var/db/mysql
 #innodb_data_file_path = ibdata1:10M:autoextend
 innodb_log_group_home_dir = /var/db/mysql-log
 # You can set .._buffer_pool_size up to 50 - 80 %
 # of RAM but beware of setting memory usage too high
 innodb_buffer_pool_size = 1G
 innodb_io_capacity=4000
 transaction-isolation = READ-COMMITTED
 # Set .._log_file_size to 25 % of buffer pool size
 innodb_log_file_size = 250M
 #innodb_log_buffer_size = 8M
 innodb_flush_log_at_trx_commit = 2
 #innodb_lock_wait_timeout = 50
 innodb_doublewrite = 0
 innodb_checksum_algorithm = none
 slow_query_log_file = /var/db/mysql-log/slow.log
 log-error = /var/db/mysql-log/error.log
 log_bin = /var/db/mysql-log/binlog
 relay_log = /var/db/mysql-log/relay-bin
 expire_logs_days = 7
 [mysqldump]
 quick
 max_allowed_packet = 16M
 [mysql]
 no-auto-rehash
 # Remove the next comment character if you are not familiar with SQL
 #safe-updates
 [myisamchk]
 key_buffer_size = 8M
 sort_buffer_size = 8M
 [mysqlhotcopy]
 interactive-timeout
--- a/jails/config/db/my.cnf.oldversion
+++ b/jails/config/db/my.cnf.oldversion
@ -0,0 +1,99 @@
 # Example MySQL config file for small systems.
 #
 # This is for a system with little memory (<= 64M) where MySQL is only used
 # from time to time and it's important that the mysqld daemon
 # doesn't use much resources.
 #
 # MySQL programs look for option files in a set of
 # locations which depend on the deployment platform.
 # You can copy this option file to one of those
 # locations. For information about these locations, see:
 # http://dev.mysql.com/doc/mysql/en/option-files.html
 #
 # In this file, you can use all long options that a program supports.
 # If you want to know which options a program supports, run the program
 # with the "--help" option.
 # The following options will be passed to all MySQL clients
 [client]
 #password	= your_password
 port		= 3306
 socket		= /tmp/mysql.sock
 # Here follows entries for some specific programs
 # The MySQL server
 [mysqld]
 bind-address    = *
 port		= 3306
 socket		= /tmp/mysql.sock
 skip-external-locking
 key_buffer_size = 16K
 max_allowed_packet = 64M
 table_open_cache = 16
 sort_buffer_size = 64K
 read_buffer_size = 256K
 read_rnd_buffer_size = 256K
 net_buffer_length = 2K
 thread_stack = 240K
 # Don't listen on a TCP/IP port at all. This can be a security enhancement,
 # if all processes that need to connect to mysqld run on the same host.
 # All interaction with mysqld must be made via Unix sockets or named pipes.
 # Note that using this option without enabling named pipes on Windows
 # (using the "enable-named-pipe" option) will render mysqld useless!
 # 
 #skip-networking
 server-id	= 1
 # Uncomment the following if you want to log updates
 #log-bin=mysql-bin
 # binary logging format - mixed recommended
 binlog_format=ROW
 # Causes updates to non-transactional engines using statement format to be
 # written directly to binary log. Before using this option make sure that
 # there are no dependencies between transactional and non-transactional
 # tables such as in the statement INSERT INTO t_myisam SELECT * FROM
 # t_innodb; otherwise, slaves may diverge from the master.
 #binlog_direct_non_transactional_updates=TRUE
 # Uncomment the following if you are using InnoDB tables
 #innodb_data_home_dir = /var/db/mysql
 #innodb_data_file_path = ibdata1:10M:autoextend
 innodb_log_group_home_dir = /var/db/mysql-log
 # You can set .._buffer_pool_size up to 50 - 80 %
 # of RAM but beware of setting memory usage too high
 innodb_buffer_pool_size = 1G
 innodb_io_capacity=4000
 transaction-isolation = READ-COMMITTED
 # Set .._log_file_size to 25 % of buffer pool size
 innodb_log_file_size = 250M
 #innodb_log_buffer_size = 8M
 innodb_flush_log_at_trx_commit = 2
 #innodb_lock_wait_timeout = 50
 innodb_doublewrite = 0
 innodb_checksum_algorithm = none
 slow_query_log_file = /var/db/mysql-log/slow.log
 log-error = /var/db/mysql-log/error.log
 log_bin = /var/db/mysql-log/binlog
 relay_log = /var/db/mysql-log/relay-bin
 expire_logs_days = 7
 [mysqldump]
 quick
 max_allowed_packet = 16M
 [mysql]
 no-auto-rehash
 # Remove the next comment character if you are not familiar with SQL
 #safe-updates
 [myisamchk]
 key_buffer_size = 8M
 sort_buffer_size = 8M
 [mysqlhotcopy]
 interactive-timeout
--- a/jails/config/db/server.cnf
+++ b/jails/config/db/server.cnf
@ -0,0 +1,90 @@
 # Options specific to server applications, see
 # https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
 # Options specific to all server programs
 [server]
 # Options specific to MariaDB server programs
 [server-mariadb]
 #
 # Options for specific server tools
 #
 [mysqld]
 user				= mysql
 # port				= 3306 # set in /usr/local/etc/mysql/my.cnf
 # socket			= /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
 bind-address			= *
 basedir				= /usr/local
 datadir				= /var/db/mysql
 net_retry_count			= 16384
 # [mysqld] configuration for ZFS
 # From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
 # Create separate datasets for data and logs, eg
 # zroot/mysql      compression=on recordsize=128k atime=off
 # zroot/mysql/data recordsize=16k
 # zroot/mysql/logs
 datadir = /var/db/mysql
 innodb_log_group_home_dir	= /var/db/mysql-log
 #audit_log_file		= /var/db/mysql-log/audit.log
 general_log_file		= /var/db/mysql-log/general.log
 log_bin			= /var/db/mysql-log/mysql-bin
 relay_log			= /var/db/mysql-log/relay-log
 slow_query_log_file		= /var/db/mysql-log/slow.log
 innodb_doublewrite		= 0
 innodb_flush_method		= O_DSYNC
 ##
 log-error = /var/db/mysql-log/error.log
 ### custom optimizations
 skip-external-locking
 key_buffer_size = 16K
 max_allowed_packet = 64M
 table_open_cache = 16
 sort_buffer_size = 64K
 read_buffer_size = 256K
 read_rnd_buffer_size = 256K
 net_buffer_length = 2K
 thread_stack = 240K
 server-id   = 1
 binlog_format=ROW
 innodb_buffer_pool_size = 1G
 innodb_io_capacity=4000
 transaction-isolation = READ-COMMITTED
 innodb_log_file_size = 250M
 innodb_flush_log_at_trx_commit = 2
 innodb_checksum_algorithm = none
 slow_query_log_file = /var/db/mysql-log/slow.log
 expire_logs_days = 7
 ###
 # Options read by `mysqld_safe`
 # Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
 [mariadb_safe]
 # Options read my `mariabackup`
 [mariabackup]
 # Options read by `mysql_upgrade`
 # Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
 [mariadb-upgrade]
 # Specific options read by the mariabackup SST method
 [sst]
 # Options read by `mysqlbinlog`
 # Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
 [mariadb-binlog]
 # Options read by `mysqladmin`
 # Renamed from [mysqladmin] starting with MariaDB 10.4.6.
 [mariadb-admin]
--- a/jails/config/monitor/elasticsearch.yml
+++ b/jails/config/monitor/elasticsearch.yml
@ -36,7 +36,6 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
 xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
 xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
 xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
 #
 # ----------------------------------- Paths ------------------------------------
 #
@ -76,16 +75,17 @@ network.host: _epair0b_
 #
 # --------------------------------- Discovery ----------------------------------
 #
-# Pass an initial list of hosts to perform discovery when new node is started:
+# Pass an initial list of hosts to perform discovery when this node is started:
 # The default list of hosts is ["127.0.0.1", "[::1]"]
 #
-#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
+#discovery.seed_hosts: ["host1", "host2"]
 #
-# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
+# Bootstrap the cluster using an initial set of master-eligible nodes:
 #
-#discovery.zen.minimum_master_nodes: 
+cluster.initial_master_nodes: ["node-1"]
 #cluster.initial_master_nodes: ["node-1", "node-2"]
 #
-# For more information, consult the zen discovery module documentation.
+# For more information, consult the discovery and cluster formation module documentation.
 #
 # ---------------------------------- Gateway -----------------------------------
 #
--- a/jails/config/elk/fstab
+++ b/jails/config/elk/fstab
@ -0,0 +1,2 @@
 fdesc   /dev/fd     fdescfs     rw,auto  0   0
 proc    /proc       procfs      rw,auto  0   0
--- a/jails/config/monitor/heartbeat.yml
+++ b/jails/config/monitor/heartbeat.yml
@ -24,8 +24,7 @@ heartbeat.monitors:
 - type: http
  # List or urls to query
-  #urls: ["http://localhost:9200"]
+  urls: ["https://cloud.google.com","https://azure.microsoft.com","https://aws.amazon.com"]
  urls: ["https://google.com","https://aws.amazon.com"]
  # Configure task schedule
  schedule: '@every 10s'
@ -56,46 +55,6 @@ setup.template.settings:
 #  env: staging
 #================================= Paths ======================================
 # The home path for the filebeat installation. This is the default base path
 # for all other path settings and for miscellaneous files that come with the
 # distribution (for example, the sample dashboards).
 # If not set by a CLI flag or in the configuration file, the default for the
 # home path is the location of the binary.
 #path.home:
 # The configuration path for the filebeat installation. This is the default
 # base path for configuration files, including the main YAML configuration file
 # and the Elasticsearch template file. If not set by a CLI flag or in the
 # configuration file, the default for the configuration path is the home path.
 #path.config: ${path.home}
 # The data path for the filebeat installation. This is the default base path
 # for all the files in which filebeat needs to store its data. If not set by a
 # CLI flag or in the configuration file, the default for the data path is a data
 # subdirectory inside the home path.
 #path.data: ${path.home}/data
 # The logs path for a filebeat installation. This is the default location for
 # the Beat's log files. If not set by a CLI flag or in the configuration file,
 # the default for the logs path is a logs subdirectory inside the home path.
 #path.logs: ${path.home}/logs
 #============================== Dashboards =====================================
 # These settings control loading the sample dashboards to the Kibana index. Loading
 # the dashboards is disabled by default and can be enabled either by setting the
 # options here, or by using the `-setup` CLI flag or the `setup` command.
 #setup.dashboards.enabled: false
 #setup.dashboards.enabled: true
 # The URL from where to download the dashboards archive. By default this URL
 # has a value which is computed based on the Beat name and version. For released
 # versions, this URL points to the dashboard archive on the artifacts.elastic.co
 # website.
 #setup.dashboards.url:
 #============================== Kibana =====================================
 # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
@ -106,9 +65,7 @@ setup.kibana:
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
-  #host: "localhost:5601"
+  host: "http://elk.diyit.org:5601"
  #host: "https://kibanax.diyit.org:443"
  host: "http://kibanax.diyit.org:5601"
  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
@ -117,7 +74,7 @@ setup.kibana:
 #============================= Elastic Cloud ==================================
-# These settings simplify using heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
+# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
 # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
 # `setup.kibana.host` options.
@ -137,36 +94,40 @@ setup.kibana:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
-  # Enabled ilm (beta) to use index lifecycle management instead daily indices.
+  # Protocol - either `http` (default) or `https`.
  #ilm.enabled: false
  # Optional protocol and basic auth credentials.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
 #----------------------------- Logstash output --------------------------------
 output.logstash:
  # The Logstash hosts
-  hosts: ["kibanax.diyit.org:5044"]
+  hosts: ["elk.diyit.org:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+  #ssl.certificate_authorities: ["/mnt/certs/cacert.pem"]
  # Certificate for SSL client authentication
-  #ssl.certificate: "/etc/pki/client/cert.pem"
+  #ssl.certificate: "/mnt/certs/diyfullchain.pem"
  # Client Certificate Key
-  #ssl.key: "/etc/pki/client/cert.key"
+  #ssl.key: "/mnt/certs/diyprivkeyr.pem"
 #================================ Processors =====================================
 # Configure processors to enhance or manipulate events generated by the beat.
 processors:
-  - add_host_metadata: ~
+  - add_observer_metadata:
-  - add_cloud_metadata: ~
+  # Optional, but recommended geo settings for the location Heartbeat is running in
  #geo:
    # Token describing this location
    #name: us-east-1a
    # Lat, Lon "
    #location: "37.926868, -78.024902"
 #================================ Logging =====================================
@ -178,20 +139,30 @@ processors:
 # To enable all selectors use ["*"]. Examples of other selectors are "beat",
 # "publish", "service".
 #logging.selectors: ["*"]
 logging.to_syslog: true
 logging.to_files: false
-#============================== Xpack Monitoring ===============================
+#============================== X-Pack Monitoring ===============================
 # heartbeat can export internal metrics to a central Elasticsearch monitoring
 # cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
 # reporting is disabled by default.
 # Set to true to enable the monitoring reporter.
-#xpack.monitoring.enabled: false
+#monitoring.enabled: false
 # Sets the UUID of the Elasticsearch cluster under which monitoring data for this
 # Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
 # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
 #monitoring.cluster_uuid:
 # Uncomment to send the metrics to Elasticsearch. Most settings from the
-# Elasticsearch output are accepted here as well. Any setting that is not set is
+# Elasticsearch output are accepted here as well.
-# automatically inherited from the Elasticsearch output configuration, so if you
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
-# have the Elasticsearch output configured, you can simply uncomment the
+# Any setting that is not set is automatically inherited from the Elasticsearch
-# following line.
+# output configuration, so if you have the Elasticsearch output configured such
-#xpack.monitoring.elasticsearch:
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
 # uncomment the following line.
 #monitoring.elasticsearch:
 #================================= Migration ==================================
 # This allows to enable 6.7 migration aliases
 #migration.6_to_7.enabled: true
--- a/jails/config/elk/jvm.options
+++ b/jails/config/elk/jvm.options
@ -0,0 +1,77 @@
 ## JVM configuration
 ################################################################
 ## IMPORTANT: JVM heap size
 ################################################################
 ##
 ## You should always set the min and max JVM heap
 ## size to the same value. For example, to set
 ## the heap to 4 GB, set:
 ##
 ## -Xms4g
 ## -Xmx4g
 ##
 ## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
 ## for more information
 ##
 ################################################################
 # Xms represents the initial size of total heap space
 # Xmx represents the maximum size of total heap space
 -Xms4g
 -Xmx4g
 ################################################################
 ## Expert settings
 ################################################################
 ##
 ## All settings below this section are considered
 ## expert settings. Don't tamper with them unless
 ## you understand what you are doing
 ##
 ################################################################
 ## GC configuration
 8-13:-XX:+UseConcMarkSweepGC
 8-13:-XX:CMSInitiatingOccupancyFraction=75
 8-13:-XX:+UseCMSInitiatingOccupancyOnly
 ## G1GC Configuration
 # NOTE: G1 GC is only supported on JDK version 10 or later
 # to use G1GC, uncomment the next two lines and update the version on the
 # following three lines to your version of the JDK
 # 10-13:-XX:-UseConcMarkSweepGC
 # 10-13:-XX:-UseCMSInitiatingOccupancyOnly
 14-:-XX:+UseG1GC
 14-:-XX:G1ReservePercent=25
 14-:-XX:InitiatingHeapOccupancyPercent=30
 ## JVM temporary directory
 -Djava.io.tmpdir=${ES_TMPDIR}
 ## heap dumps
 # generate a heap dump when an allocation from the Java heap fails
 # heap dumps are created in the working directory of the JVM
 -XX:+HeapDumpOnOutOfMemoryError
 # specify an alternative path for heap dumps; ensure the directory exists and
 # has sufficient space
 -XX:HeapDumpPath=data
 # specify an alternative path for JVM fatal error logs
 -XX:ErrorFile=logs/hs_err_pid%p.log
 ## JDK 8 GC logging
 8:-XX:+PrintGCDetails
 8:-XX:+PrintGCDateStamps
 8:-XX:+PrintTenuringDistribution
 8:-XX:+PrintGCApplicationStoppedTime
 8:-Xloggc:${ES_TMPDIR}/gc.log
 8:-XX:+UseGCLogFileRotation
 8:-XX:NumberOfGCLogFiles=32
 8:-XX:GCLogFileSize=64m
 # JDK 9+ GC logging
 9-:-Xlog:gc*,gc+age=trace,safepoint:file=${ES_TMPDIR}/gc.log:utctime,pid,tags:filecount=32,filesize=64m
--- a/jails/config/monitor/kibana.yml
+++ b/jails/config/monitor/kibana.yml
@ -25,7 +25,7 @@ server.host: "::"
 server.name: "kibana.diyit.org"
 # The URLs of the Elasticsearch instances to use for all your queries.
-elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
+elasticsearch.hosts: ["https://elk.diyit.org:9200"]
 # When this setting's value is true Kibana uses the hostname specified in the server.host
 # setting. When the value of this setting is false, Kibana uses the hostname of the host
@ -53,7 +53,8 @@ server.ssl.certificate: /mnt/certs/diyfullchain.pem
 server.ssl.key: /mnt/certs/diyprivkeyr.pem
 # Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files validate that your Elasticsearch backend uses the same key files.
+# These files are used to verify the identity of Kibana to Elasticsearch and are required when
 # xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
 #elasticsearch.ssl.certificate: /path/to/your/client.crt
 #elasticsearch.ssl.key: /path/to/your/client.key
@ -110,4 +111,5 @@ elasticsearch.ssl.verificationMode: full
 #ops.interval: 5000
 # Specifies locale to be used for all localizable strings, dates and number formats.
 # Supported languages are the following: English - en , by default , Chinese - zh-CN .
 #i18n.locale: "en"
--- a/jails/config/monitor/logstash.conf
+++ b/jails/config/monitor/logstash.conf
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -10,6 +10,7 @@ input {
  beats {
    port => 5044
    ssl => false
    #https://discuss.elastic.co/t/problem-with-cipher-in-beat-input/67841
    ssl_key => '/mnt/certs/diyprivkeyr.pem'
    ssl_certificate => '/mnt/certs/diyfullchain.pem'
    ssl_certificate_authorities => ["/mnt/certs/cacert.pem"]
@ -22,7 +23,7 @@ output {
    ssl => true
    ssl_certificate_verification => true
    cacert => '/mnt/certs/cacert.pem'
-    hosts => ["https://kibanax.diyit.org:9200"]
+    hosts => ["https://elk.diyit.org:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "${es_pwd}"
--- a/jails/config/monitor/logstash.keystore
+++ b/jails/config/monitor/logstash.keystore
--- a/jails/config/monitor/logstash.yml
+++ b/jails/config/monitor/logstash.yml
@ -16,7 +16,6 @@
 #
 # Use a descriptive name for the node:
 #
 # node.name: test
 node.name: logstash
 #
 # If omitted the node name will default to the machine's host name
@ -26,7 +25,6 @@ node.name: logstash
 # Which directory should be used by logstash and its plugins
 # for any persistent needs. Defaults to LOGSTASH_HOME/data
 #
 # path.data:
 path.data: /var/db/logstash
 #
 # ------------ Pipeline Settings --------------
@ -40,7 +38,7 @@ path.data: /var/db/logstash
 #
 # This defaults to the number of the host's CPU cores.
 #
-pipeline.workers: 8
+pipeline.workers: 4
 #
 # How many events to retrieve from inputs before sending to filters+workers
 #
@ -207,7 +205,6 @@ path.config: /usr/local/etc/logstash/logstash.conf
 #   * trace
 #
 # log.level: info
 #log.level: debug
 # path.logs:
 #
 # ------------ Other Settings --------------
@ -215,17 +212,24 @@ path.config: /usr/local/etc/logstash/logstash.conf
 # Where to find custom plugins
 # path.plugins: []
 #
 # Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
 # Default is false
 # pipeline.separate_logs: false
 #
 # ------------ X-Pack Settings (not applicable for OSS build)--------------
 #
 # X-Pack Monitoring
 # https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
-xpack.monitoring.enabled: true
+xpack.monitoring.enabled: false
 xpack.monitoring.elasticsearch.username: logstash_system
 xpack.monitoring.elasticsearch.password: a746MPWa1AVieOJlDtM2
-xpack.monitoring.elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
+xpack.monitoring.elasticsearch.hosts: ["https://elk.diyit.org:9200"]
 #xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
-xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.pem"
+# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
-#xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file
+#xpack.monitoring.elasticsearch.cloud_id: monitoring_cluster_id:xxxxxxxxxx
 #xpack.monitoring.elasticsearch.cloud_auth: logstash_system:password
 xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.crt"
 #xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
 #xpack.monitoring.elasticsearch.ssl.truststore.password: password
 #xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
 #xpack.monitoring.elasticsearch.ssl.keystore.password: password
@ -241,6 +245,9 @@ xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
 #xpack.management.elasticsearch.username: logstash_admin_user
 #xpack.management.elasticsearch.password: password
 #xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
 # an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
 #xpack.management.elasticsearch.cloud_id: management_cluster_id:xxxxxxxxxx
 #xpack.management.elasticsearch.cloud_auth: logstash_admin_user:password
 #xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
 #xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
 #xpack.management.elasticsearch.ssl.truststore.password: password
--- a/jails/config/elk/rc.d/elasticsearch
+++ b/jails/config/elk/rc.d/elasticsearch
@ -0,0 +1,130 @@
 #!/bin/sh
 #
 # $FreeBSD: head/textproc/elasticsearch7/files/elasticsearch.in 538703 2020-06-13 22:41:04Z glewis $
 #
 # PROVIDE: elasticsearch
 # REQUIRE: NETWORKING SERVERS
 # BEFORE: DAEMON
 # KEYWORD: shutdown
 #
 # Add the following line to /etc/rc.conf to enable elasticsearch:
 #
 # elasticsearch_enable="YES"
 #
 # elasticsearch_user (username): Set to elasticsearch by default.
 #               Set it to required username.
 # elasticsearch_group (group):   Set to elasticsearch by default.
 #               Set it to required group.
 # elasticsearch_config (path):   Set to /usr/local/etc/elasticsearch/elasticsearch.yml by default.
 #               Set it to the config file location.
 # elasticsearch_java_home (path): Set to /usr/local/openjdk8 by default.
 #               Set it to the root of the JDK to use.
 #
 . /etc/rc.subr
 name=elasticsearch
 rcvar=elasticsearch_enable
 load_rc_config ${name}
 : ${elasticsearch_enable:=NO}
 : ${elasticsearch_user=elasticsearch}
 : ${elasticsearch_group=elasticsearch}
 : ${elasticsearch_config=/usr/local/etc/elasticsearch}
 : ${elasticsearch_login_class=root}
 : ${elasticsearch_java_home="/usr/local/openjdk11"}
 required_files="${elasticsearch_config}/elasticsearch.yml"
 _pidprefix=/var/run/elasticsearch/elasticsearch
 pidfile=${_pidprefix}.pid
 procname=${elasticsearch_java_home}/bin/java
 extra_commands="console status"
 console_cmd=elasticsearch_console
 start_precmd=elasticsearch_precmd
 command=/usr/local/lib/elasticsearch/bin/elasticsearch
 command_args="-d --pidfile=${pidfile}"
 export ES_PATH_CONF=${elasticsearch_config}
 export JAVA_HOME=${elasticsearch_java_home}
 elasticsearch_precmd()
 {
    /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 ${pidfile%/*}
    /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/db/elasticsearch
    /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/log/elasticsearch
 }
 elasticsearch_console()
 {
    command_args=""
    run_rc_command "start"
 }
 if [ -n "$2" ]; then
    profile="$2"
    if [ "x${elasticsearch_profiles}" != "x" ]; then
        eval elasticsearch_config="\${elasticsearch_${profile}_config:-}"
        if [ "x${elasticsearch_config}" = "x" ]; then
            echo "You must define a configuration  (elasticsearch_${profile}_config)"
            exit 1
        fi
 	export ES_PATH_CONF=${elasticsearch_config}
        required_files="${elasticsearch_config}/elasticsearch.yml"
        required_files="${elasticsearch_config}/jvm.options"
        eval elasticsearch_enable="\${elasticsearch_${profile}_enable:-${elasticsearch_enable}}"
        pidfile="${_pidprefix}.${profile}.pid"
 	command_args="-d --pidfile=${pidfile}"
 	echo "===> elasticsearch profile: ${profile}"
    else
        echo "$0: extra argument ignored"
    fi
 else
    if [ "x${elasticsearch_profiles}" != "x" -a "x$1" != "x" ]; then
        for profile in ${elasticsearch_profiles}; do
            eval _enable="\${elasticsearch_${profile}_enable}"
            case "x${_enable:-${elasticsearch_enable}}" in
            x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
                continue
                ;;
            x[Yy][Ee][Ss])
                ;;
            *)
                if test -z "$_enable"; then
                    _var=elasticsearch_enable
                else
                    _var=elasticsearch_"${profile}"_enable
                fi
                echo "Bad value" \
                    "'${_enable:-${elasticsearch_enable}}'" \
                    "for ${_var}. " \
                    "Profile ${profile} skipped."
                continue
                ;;
            esac
            /usr/local/etc/rc.d/elasticsearch $1 ${profile}
            retcode="$?"
            if [ "0${retcode}" -ne 0 ]; then
                failed="${profile} (${retcode}) ${failed:-}"
            else
                success="${profile} ${success:-}"
            fi
        done
        exit 0
    fi
 fi
 if [ "x${elasticsearch_mem_min}" != "x" ]; then
    echo "The elasticsearch_mem_min variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
    exit 1;
 fi
 if [ "x${elasticsearch_mem_max}" != "x" ]; then
    echo "The elasticsearch_mem_max variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
    exit 1;
 fi
 if [ "x${elasticsearch_props}" != "x" ]; then
    echo "The elasticsearch_props variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
    exit 1;
 fi
 run_rc_command "$1"
--- a/jails/config/elk/rc.d/logstash
+++ b/jails/config/elk/rc.d/logstash
@ -0,0 +1,121 @@
 #!/bin/sh
 # Configuration settings for logstash in /etc/rc.conf:
 #
 # PROVIDE: logstash
 # REQUIRE: DAEMON
 # BEFORE:  LOGIN
 # KEYWORD: shutdown
 #
 # logstash_enable (bool):
 #   Default value: "NO"
 #   Flag that determines whether Logstash is enabled.
 #
 # logstash_home (string):
 #   Default value: "/usr/local/logstash"
 #   Logstash installation directory.
 #
 # logstash_config (string):
 #   Default value: /usr/local/etc/${name}
 #   Logstash configuration path.
 #
 # logstash_log (bool):
 #   Set to "NO" by default.
 #   Set it to "YES" to enable logstash logging to file
 #   Default output to /var/log/logstash.log
 #
 # logstash_log_file (string):
 #   Default value: "${logdir}/${name}.log"
 #   Log file path.
 #
 # logstash_java_home (string):
 #   Default value: "/usr/local/openjdk8"
 #   Root directory of the desired Java SDK.
 #   The JAVA_HOME environment variable is set with the contents of this
 #   variable.
 #
 # logstash_java_opts (string):
 #   Default value: ""
 #   Options to pass to the Java Virtual Machine.
 #   The JAVA_OPTS environment variable is set with the contents of this
 #   variable.
 #
 # logstash_opts (string):
 #   Default value: ""
 #   Additional command line flags for logstash, eg. "-r"
 #
 . /etc/rc.subr
 name=logstash
 rcvar=logstash_enable
 load_rc_config ${name}
 logdir="/var/log"
 : ${logstash_enable="NO"}
 : ${logstash_user="logstash"}
 : ${logstash_group="logstash"}
 : ${logstash_home="/usr/local/logstash"}
 : ${logstash_config="/usr/local/etc/logstash"}
 : ${logstash_log="YES"}
 : ${logstash_log_dir="${logdir}/${name}"}
 : ${logstash_java_home="/usr/local/openjdk11"}
 : ${logstash_java_opts=""}
 : ${logstash_opts=""}
 pidfile=/var/run/${name}/${name}.pid
 extra_commands="configtest reload"
 start_precmd="logstash_precmd"
 configtest_cmd=configtest
 logstash_cmd="${logstash_home}/bin/logstash"
 procname="${logstash_java_home}/bin/java"
 logstash_chdir=${logstash_home}
 logstash_log_options=""
 if checkyesno logstash_log; then
  logstash_log_options=" -l ${logstash_log_dir}" 
 fi
 logstash_args="--path.settings ${logstash_config} ${logstash_log_options} ${logstash_opts}"
 JAVA_OPTS="${logstash_java_opts}"
 JAVA_HOME="${logstash_java_home}"
 export JAVA_OPTS
 export JAVA_HOME
 command="/usr/sbin/daemon"
 command_args="-f -p ${pidfile} ${logstash_cmd} ${logstash_args}"
 required_files="${logstash_home} ${logstash_java_home} ${logstash_cmd} ${logstash_config}"
 # Include /usr/local/bin in path because Logstash startup scripts
 # assume bash is in path.
 PATH=/usr/local/bin:$PATH
 logstash_precmd()
 {
    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${pidfile%/*}
    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${logstash_log_dir}
    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/db/logstash
    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/run/logstash
    if [ -d ${logstash_home}/data/queue ]; then
        chown ${logstash_user}:${logstash_group} ${logstash_home}/data/queue
    fi
 }
 configtest()
 {
    echo "${name} configtest:"
    echo "WARNING: this does not check validity of Grok patterns!"
    echo "WARNING: this does not check validity of Grok patterns!"
    echo "WARNING: this does not check validity of Grok patterns!"
    ${logstash_cmd} --path.settings ${logstash_config} --config.test_and_exit
 }
 run_rc_command "$1"
--- a/jails/config/elk/start_logstash.sh
+++ b/jails/config/elk/start_logstash.sh
@ -0,0 +1,7 @@
 ps axww | grep logstash
 echo press any key to continue - ctrl-c to abort
 read X
 mount proc
 service logstash start
 #/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
 ps axww | grep logstash
--- a/jails/config/elk/updateCerts.sh
+++ b/jails/config/elk/updateCerts.sh
@ -0,0 +1,3 @@
 cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs
 cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs
 service elasticsearch restart
--- a/jails/config/git/gitea/options/license
+++ b/jails/config/git/gitea/options/license
@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/jails/config/git/gitea/public/diyit-org-license.txt
+++ b/jails/config/git/gitea/public/diyit-org-license.txt
@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/jails/config/hass/.tmux.conf
+++ b/jails/config/hass/.tmux.conf
@ -0,0 +1,12 @@
 unbind C-b
 set -g prefix C-a
 bind C-a send-prefix
 setw -g mouse on
 # Set the default terminal mode to 256color mode
 set -g default-terminal "xterm-256color"
 # enable activity alerts
 setw -g monitor-activity on
 set -g visual-activity on
--- a/jails/config/hass/hass.sh
+++ b/jails/config/hass/hass.sh
@ -0,0 +1,15 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 # ./hass.sh under tmux
 cd /data/homeassistant/
 source bin/activate
 hass
--- a/jails/config/hass/heyu.sh
+++ b/jails/config/hass/heyu.sh
@ -0,0 +1,15 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 # ./hass.sh under tmux
 heyu start
 heyu info
 heyu monitor
--- a/jails/config/hass/setup_jail.sh
+++ b/jails/config/hass/setup_jail.sh
@ -0,0 +1,4 @@
 # requrired to run other configured scripts
 /bin/sh /etc/rc
 # launch tmux with jails
 /mnt/config/startsessions.sh
--- a/jails/config/hass/startsessions.sh
+++ b/jails/config/hass/startsessions.sh
@ -0,0 +1,31 @@
 #!/bin/sh
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 session="sess_tmux"
 # set up tmux
 tmux start-server
 # create a new tmux session, naming the window freepbx
 tmux new-session -d -s $session -n hass
 tmux selectp -t 1
 tmux send-keys "cd /mnt/config;./hass.sh" C-m
 # create a new window windows
 tmux new-window -t $session:1 -n heyu
 tmux selectp -t 1
 tmux send-keys "cd /mnt/config;./heyu.sh" C-m
 # return to main window
 tmux select-window -t $session:0
 tmux selectp -t 1
 # Finished setup, attach to the tmux session!
 #tmux attach-session -t $session
--- a/jails/config/hass/x10.conf
+++ b/jails/config/hass/x10.conf
@ -0,0 +1,264 @@
 # Example Heyu configuration file.  Copy this to file 'x10config' in
 # directory $HOME/.heyu/ and modify as required. This example uses
 # features which are new to heyu version 2
 # and which will not be recognized by heyu version 1.xx.
 # Note: This example file describes only a few of the most commom
 # configuration directives.  For the complete list see man page
 # x10config(5).
 # Anything on a line between a '#' character and the end of the line is
 # treated as a comment and ignored by Heyu, as are blank lines.
 # The various configuration directives in this file can be in any order
 # except that ALIAS directives must appear before any other directive
 # which references the alias label in place of a housecode|unit address.
 # See 'man x10config' for additional information and directives.
 # Serial port to which the CM11a is connected. Default is /dev/ttyS0.
 tty /dev/ttyU1
 check_ri_line NO
 # If you have an X10 compatible RF receiver connected to a second
 # serial port, use the TTY_AUX directive to specify the serial port
 # and model of receiver.  Supported receivers are W800RF32, MR26A,
 # and RFXCOM.  There are no defaults.
 tty_aux /dev/ttyU0 MR26A
 # The CM19A is both a receiver and transmitter for X10 RF signals.
 # The MR26A is a receiver only.
 # The CM19A is USB and the MR26A is serial port
 # Base housecode.  The default is A.
 #housecode A
 # Aliases:
 # Format:  ALIAS  Label  Housecode|Unitcode_string  [Module_Type]
 # The label is limited to 32 characters in length and is case-sensitive,
 # e.g., Front_Porch and front_porch are treated as different labels.
 # Each alias may reference a single unitcode or a multiple unitcode
 # string (no embedded blanks), but is limited to one housecode.
 # The optional Module_Type is the general type or specific model number
 # of a module currently supported by Heyu. (Knowing the characteristics
 # of a module allows Heyu to track changes in its On/Off/Dim state
 # as X10 signals are sent or received.)  The most commonly used modules
 # are the standard X10 lamp module (StdLM) and standard X10 appliance
 # module (StdAM).  Other modules currently supported by Heyu are listed
 # in x10config(5).  A standard X10 lamp module (StdLM) is the
 # default (changeable with the DEFAULT_MODULE directive)
 # for housecode|units which are not defined in an alias directive.
 # A module_type should normally not be defined for mutiple-unit
 # aliases, just for the single-unit aliases.  (The module characteristics
 # are associated with the housecode|unit, however referenced.)
 # Some examples:
 # Note: Prior versions of Heyu used a different format for
 # aliases - no ALIAS directive and the Housecode and Unitcode_string
 # were separated by a space, e.g., simply:
 #  front_porch  A  1
 # Heyu will continue to accept this older format for compatibility,
 # but its use is discouraged as modules cannot be specified.
 # Scenes and Usersyns (User-defined synonyms):
 # Format:  SCENE   Label Command1 <args> [; Command2 <args> [; ...
 # Format:  USERSYN Label Command1 <args> [; Command2 <args> [; ...
 # The label is limited to 32 characters and is case-sensitive.
 # Scenes and Usersyns are both semicolon-separated lists of
 # commands with their arguments which can be executed or used
 # in macros as if their labels were ordinary Heyu commands.
 # See 'man x10config' for the features and limitations of Scenes
 # and Usersyns.
 # (In the current version of heyu, the ONLY distinction between
 # scenes and usersyns is the 'show' menus in which they appear.)
 # Some examples:
 SCENE blinker on D5; off D5; on D5; off D5
 #USERSYN normal_lights on front_porch; on back_porch
 #SCENE tv_on on tv_set; dimb living_room 10
 # parameters, e.g., $1, $2, which are replaced by actual
 # parameters supplied when the scene/usersyn is run.
 #USERSYN night_lights dimb front_porch $1; dimb back_porch $1
 # Define the (writeable) directory where the Heyu state engine daemon
 # (started with 'heyu engine') is to write its log file 'heyu.log.<tty>'.
 # The default is 'NONE', indicating no log file is to be written.
 log_dir /usr/local/etc/heyu/log
 # The entries in the log file are similar to those which appear in
 # the heyu monitor, but in addition will include an entry when
 # a script is launched, and unless redirected elsewhere, any
 # text output from that script.
 # Note that the log file will continue to grow.  Manually delete
 # or trim it from time to time, or configure a Unix utility like
 # 'logrotate' to manage this task automatically.
 # If the Heyu state engine is running, Heyu can launch scripts
 # (or any Unix commands) when it sees specified X10 signals.
 # The format is:
 #SCRIPT [ -l label ] <launch conditions> :: [options] <command line>
 # where label is an optional label, <launch conditions> tell
 # Heyu under what conditions to launch the script, and
 # <command line> is the script command to be executed.
 # The '::' (two colons) separator is mandatory since the launch
 # conditions can be quite complex.
 # See x10scripts(5) for details, but here's a simple example
 # (with no label):
 #SCRIPT doorbell on :: play $HOME/sounds/barking_dog.wav
 # Users have the option of running either 'heyuhelper' in a manner
 # similar to heyu 1.35 or general scripts as above with the
 # following directive.  The default is SCRIPTS, to run general scripts.
 #script_mode SCRIPTS
 # (With the choice 'HEYUHELPER', a script named 'heyuhelper' on
 # the user's path is run every time any X10 signal is received
 # by heyu over the power line, assuming the heyu state engine
 # daemon is running.)
 ###  The following directives apply when a schedule is ###
 ###  is uploaded to the CM11A interface.               ###
 # The file name of the user's X10 schedule file in the Heyu base
 # directory. The default is 'x10.sched'.  If you regularly use
 # more than one, list them here and just comment/uncomment as
 # appropriate, e.g.,
 #schedule_file x10.sched
 #schedule_file normal.sched
 #schedule_file vacation.sched
 # The MODE directive - Heyu's two modes of operation:
 # In the default COMPATIBLE mode, the schedule uploaded to the
 # interface is configured to begin on Jan 1st of the current
 # year and # is valid for 366 days - through Dec 31st of the
 # current # year or Jan 1st of the following year, depending
 # whether # the current year is a leap or common year.
 # COMPATIBLE mode is the default.
 # In HEYU mode the schedule uploaded to the interface is
 # configured to begin on today's date and is valid for
 # the number days of provided by the PROGRAM_DAYS directive.
 # WARNING: The mere execution of X10's ActiveHome(tm) program
 # under MS-Windows, or having its resident driver running, when
 # the interface has been programmed by Heyu in HEYU mode can
 # cause problems.  See 'man x10config' for details.
 #mode COMPATIBLE
 # Number of days for which the interface is to be programmed
 # when running in HEYU mode.  It is ignored in COMPATIBLE mode.
 # (A shorter period can yield more accurate values for dawn
 # and dusk.)  The default is 366 days.
 #program_days 366
 # Should Heyu combine events having the same date range, time, etc.,
 # by concatenating the macros for similar events?   The default is YES.
 #combine_events YES
 # Should Heyu compress uploaded macros by combining unit codes for the same
 #housecode and command and eliminating duplicates? E.g.,
 #  (on A1; on B2; on A3, on B2) ==> (on A1,3; on B2)
 # The default is NO
 #compress_macros NO
 # The user's Longitude and Latitude, needed for dawn/dusk calculations.
 # There are no defaults.  Don't use these examples - put in values
 # for your own location.
 longitude W121:46
 latitude N37:16
 # For dawn/dusk related times, Heyu breaks up the schedule date intervals
 # into subintervals, each with a constant value of dawn or dusk time.
 # These directives instruct Heyu what value of dawn/dusk time to use.
 # The default value is FIRST, i.e., that on the first day of the subinterval,
 # which is most convenient for comparing Heyu's computations with actual.
 #dawn_option FIRST
 #dusk_option FIRST
 # The following times allow bounds to be placed on the times of Dawn
 # and Dusk computed by Heyu. For example, setting the value for
 #min_dawn to 06:30 will ensure that an event scheduled to be
 # executed at Dawn will occur at 06:30 during summer hours whenever
 # the actual computed value of Dawn is earlier than that time.
 # The value for these directives are specified as hh:mm Legal
 # (i.e., wall-clock) time, or the directives may be disabled with
 # the word OFF, which is the default.
 # Timer options DAWNLT, DAWNGT, DUSKLT, DUSKGT used in the Heyu
 # schedule file will usually eliminate the need for these directives.
 # See man page x10sched(5) for details.
 #min_dawn OFF
 #max_dawn OFF
 #min_dusk OFF
 #max_dusk OFF
 # Directory to write reports and files other than the critical files
 # The default is to write them in the Heyu base directory.
 #report_path ./
 # Replace events having delayed macros with new events and new
 # undelayed macros when possible. (The purpose is to avoid pending
 # delayed macros, which are purged when a new schedule is uploaded.)
 # The default is YES.
 #repl_delayed_macros YES
 # For test purposes, Heyu can write some additional files when
 # the command 'heyu upload check' is executed.  This directive
 # instructs Heyu to write these files.  The default is NO.
 #write_check_files NO
 START_ENGINE AUTO
 alias Kitchen D1 StdLM
 alias Family_Room D2 StdLM
 alias Hallway D3 StdLM
 alias Kitchen_Table D4 StdLM
 alias Stairway D5 StdLM
 alias Study D6 StdLM
 alias Dining D7 StdLM
 alias Bonus_Room D8 StdLM
 alias Living_Room_L0 D9 StdLM
 alias Front_Door D10 StdLM
 alias Living_Room_L1 D11 StdLM
 alias Living_Room_L2 D12 StdLM
 alias Piano_Room_L1 D13 StdLM
 alias Piano_Room_L2 D14 StdLM
 alias Family_Room_L0 D15 StdLM
 alias Chime G1 StdAM
 alias Main_Garage G2 StdAM
 alias Side_Garage G3 StdAM
 alias Front_Yard G13 StdLM
 alias Back_Yard G14 StdLM
 alias Plants_front_house I1 RAIN8II
 alias Plants_front_road I2 RAIN8II
 alias Lawn_front_road I3 RAIN8II
 alias Lawn_front_garage I4 RAIN8II
 alias Lawn_back_pool I5 RAIN8II
 alias Lawn_back_house I6 RAIN8II
 alias Plants_back_garage I7 RAIN8II
 alias Plants_back_road I8 RAIN8II
--- a/jails/config/hub/ipfw.rules
+++ b/jails/config/hub/ipfw.rules
@ -0,0 +1,23 @@
 #!/bin/sh
 # Flush out the list before we begin.
 ipfw -q -f flush
 # Set rules command prefix
 cmd="ipfw -q add"
 pif="epair0b"     # interface name of NIC attached to Internet
 $cmd 00100 allow ip from any to any via lo0
 $cmd 00200 deny ip from any to 127.0.0.0/8
 $cmd 00300 deny ip from 127.0.0.0/8 to any
 $cmd 00400 deny ip from any to ::1
 $cmd 00500 deny ip from ::1 to any
 $cmd 00600 allow ipv6-icmp from :: to ff02::/16
 $cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
 $cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
 $cmd 00900 allow ipv6-icmp from any to any icmp6types 1
 $cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
 $cmd 05000 reset ip from table(22) to me
 $cmd 65000 allow ip from any to any
 $cmd 65535 deny ip from any to any
 # https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
--- a/jails/config/hub/pkgp.conf
+++ b/jails/config/hub/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/hub/sshguard.conf
+++ b/jails/config/hub/sshguard.conf
@ -0,0 +1,54 @@
 #!/bin/sh
 # sshguard.conf -- SSHGuard configuration
 # Options that are uncommented in this example are set to their default
 # values. Options without defaults are commented out.
 #### REQUIRED CONFIGURATION ####
 # Full path to backend executable (required, no default)
 #BACKEND="/usr/local/libexec/sshg-fw-hosts"
 BACKEND="/usr/local/libexec/sshg-fw-ipfw"
 #BACKEND="/usr/local/libexec/sshg-fw-pf"
 # Space-separated list of log files to monitor. (optional, no default)
 #FILES="/var/log/auth.log /var/log/maillog"
 FILES="/var/log/auth.log"
 # Shell command that provides logs on standard output. (optional, no default)
 # Example 1: ssh and sendmail from systemd journal:
 #LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
 # Example 2: ssh from os_log (macOS 10.12+)
 #LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
 #### OPTIONS ####
 # Block attackers when their cumulative attack score exceeds THRESHOLD.
 # Most attacks have a score of 10. (optional, default 30)
 THRESHOLD=30
 # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
 # Subsequent blocks increase by a factor of 1.5. (optional, default 120)
 BLOCK_TIME=120
 # Remember potential attackers for up to DETECTION_TIME seconds before
 # resetting their score. (optional, default 1800)
 DETECTION_TIME=1800
 # Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
 IPV6_SUBNET=128
 # Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
 IPV4_SUBNET=32
 #### EXTRAS ####
 # !! Warning: These features may not work correctly with sandboxing. !!
 # Full path to PID file (optional, no default)
 #PID_FILE=/var/run/sshguard.pid
 # Colon-separated blacklist threshold and full path to blacklist file.
 # (optional, no default)
 #BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
 # IP addresses listed in the WHITELIST_FILE are considered to be
 # friendlies and will never be blocked.
 #WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
--- a/jails/config/hub/vncmods/passwd
+++ b/jails/config/hub/vncmods/passwd
@ -0,0 +1 @@
 Í•it†Í®
--- a/jails/config/hub/vncmods/vncserver
+++ b/jails/config/hub/vncmods/vncserver
@ -0,0 +1,44 @@
 #!/bin/sh
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: vncserver
 # REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
 . /etc/rc.subr
 : ${vncserver_enable="NO"}
 : ${vncserver_user="p"}
 : ${vncserver_geometry="1600x900"}
 : ${vncserver_display="1"}
 : ${vncserver_securitytypes="vncauth"}
 # : ${vncserver_securitytypes="vencrypt,vncauth,tlsvnc"}
 # encryption incompatible with clients - vncconnect-realvnc and guacd
 name=vncserver
 rcvar=vncserver_enable
 VNCSERVER="/usr/local/bin/vncserver"
 start_cmd="vncserver_start"
 stop_cmd="vncserver_stop"
 restart_cmd="vncserver_restart"
 vncserver_start()
 {
        CMD="$VNCSERVER -geometry ${vncserver_geometry} -name $(hostname -s) -securitytypes ${vncserver_securitytypes} :${vncserver_display}"
        su -l ${vncserver_user} -c "${CMD}"
 }
 vncserver_stop()
 {
        CMD="$VNCSERVER -kill :${vncserver_display}"
        su -l ${vncserver_user} -c "${CMD}"
 }
 vncserver_restart()
 {
 	vncserver_stop
 	vncserver_start
 }
 load_rc_config ${name}
 run_rc_command "$1"
--- a/jails/config/ibm/ibm.sh
+++ b/jails/config/ibm/ibm.sh
@ -1,6 +1,6 @@
 #!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -10,9 +10,9 @@
 # ./ibm.sh under tmux
-ifconfig tun186 create
+ifconfig tun95 create
-ifconfig tun186 inet 172.16.0.186 172.16.0.100
+ifconfig tun95 inet 172.16.0.95 172.16.0.100
-chmod 666 /dev/tun186
+chmod 666 /dev/tun95
 cd /data/Z110/CONF
 # hercules
--- a/jails/config/ibm/startemu.sh
+++ b/jails/config/ibm/startemu.sh
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/jump/enable-routing.sh
+++ b/jails/config/jump/enable-routing.sh
@ -0,0 +1,7 @@
 sysctl net.inet.ip.forwarding=1
 route add 10.1.2.0/24 192.168.55.105
 # on remote -
 #sudo sysctl net.ipv4.ip_forward=1
 #ip route add 192.168.0.0/24 via 192.168.55.1
 #OR
 #ip route add 192.168.0.0/24 dev tun0
--- a/jails/config/jump/guacamole-client/add-ldap.sh
+++ b/jails/config/jump/guacamole-client/add-ldap.sh
@ -0,0 +1 @@
 ldapadd -H ldaps://ldap.ahlawat.com -f $1 -D cn=admin,dc=infra -W
--- a/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar
+++ b/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar
--- a/jails/config/jump/guacamole-client/guacamole.properties
+++ b/jails/config/jump/guacamole-client/guacamole.properties
@ -0,0 +1,16 @@
 ###
 ### guacamole.properties.sample
 ###
 ### The Host the Guacamole proxy daemon (guacd) is listening on.
 #
 guacd-host: localhost
 guacd-port: 4822
 guacd-ssl: false
 ldap-hostname: ldap.ahlawat.com
 ldap-port: 636
 ldap-encryption-method: ssl
 ldap-user-base-dn: ou=people,dc=infra
 ldap-username-attribute: cn
 ldap-config-base-dn: ou=hosts,dc=infra
--- a/jails/config/jump/guacamole-client/logback.xml
+++ b/jails/config/jump/guacamole-client/logback.xml
@ -0,0 +1,20 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Guacamole logs all messages to console by default. Servlet containers
  like Tomcat will automattically redirect these messages to a log file,
  catalina.out in the case of Tomcat. Valid levels= error, warn, info,  
   debug -->
 <configuration>
    <!-- Appender for debugging -->
    <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>
    <!-- Log at DEBUG level -->
    <root level="info">
        <appender-ref ref="GUAC-DEBUG"/>
    </root>
 </configuration>
--- a/jails/config/jump/guacamole-client/rdp-windows.ldif
+++ b/jails/config/jump/guacamole-client/rdp-windows.ldif
@ -0,0 +1,14 @@
 dn: cn=rdp-windows,ou=hosts,dc=infra
 objectClass: guacConfigGroup
 objectClass: groupOfNames
 cn: Windows rdp
 guacConfigProtocol: rdp
 guacConfigParameter: hostname=192.168.0.81
 guacConfigParameter: port=3389
 guacConfigParameter: username=v
 guacConfigParameter: password=v
 guacConfigParameter: security=nla
 guacConfigParameter: ignore-cert=true
 member: cn=sharad,ou=people,dc=infra
 member: cn=diyit,ou=people,dc=infra
 # seeAlso: cn=ahlawat.com,ou=groups,dc=infra
--- a/jails/config/jump/guacamole-client/ssh-nas.ldif
+++ b/jails/config/jump/guacamole-client/ssh-nas.ldif
@ -0,0 +1,10 @@
 dn: cn=ssh-nas,ou=hosts,dc=infra
 objectClass: guacConfigGroup
 objectClass: groupOfNames
 cn: NAS ssh
 guacConfigProtocol: ssh
 guacConfigParameter: hostname=192.168.0.10
 guacConfigParameter: port=22
 member: cn=sharad,ou=people,dc=infra
 member: cn=diyit,ou=people,dc=infra
 # seeAlso: cn=ahlawat.com,ou=groups,dc=infra
--- a/jails/config/jump/guacamole-client/user-mapping.xml
+++ b/jails/config/jump/guacamole-client/user-mapping.xml
@ -0,0 +1,74 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!-- Guacamole's default authentication module is a simple xml file.
  Each user is specified with a corresponding <authorized> tag. This
  tag contains all authorized connections for that user each denoted
  with a <connections> tag. Each <connection> tag contains a
  protocol and set of protocol-specific parameters, specified with
  the <protocol> and <param> tags respectively. For more information
  visit http://guac-dev.org/doc/gug/configuring-guacamole.html -->
 <user-mapping>
    <!-- Per-user authentication and config information md5 -s "Npasswd" -->
    <authorize username="admin" password="4ee438b74bd65c9f8402e7e48fa64fb7" encoding="md5">
 	<connection name="vnc-hub">
 		<protocol>vnc</protocol>
 		<param name="hostname">192.168.0.50</param>
 		<param name="port">5901</param>
 		<param name="password">vncpass</param>
 		<param name="color-depth">24</param>
 	</connection>
 	<connection name="rdp-windows">
 		<protocol>rdp</protocol>
 		<param name="hostname">192.168.0.81</param>
 		<param name="port">3389</param>
 		<param name="security">nla</param>
 		<param name="ignore-cert">true</param>
 		<param name="username">v</param>
 		<param name="password">v</param>
 	</connection>
 	<connection name="ssh-nas">
        	<protocol>ssh</protocol>
        	<param name="hostname">192.168.0.10</param>
        	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>
 	<connection name="vnc-rpi3">
 		<protocol>vnc</protocol>
 		<param name="hostname">192.168.200.192</param>
 		<param name="port">5901</param>
 		<param name="password">vncpass</param>
 		<param name="color-depth">24</param>
 	</connection>
 	<connection name="ssh-rpi3">
        	<protocol>ssh</protocol>
        	<param name="hostname">192.168.200.192</param>
        	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>
 	<connection name="ssh-dev">
        	<protocol>ssh</protocol>
        	<param name="hostname">192.168.55.105</param>
        	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>
    </authorize>
    <authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
 	<connection name="vnc">
 		<protocol>vnc</protocol>
 		<param name="hostname">192.168.200.212</param>
 		<param name="port">5901</param>
 		<param name="password">vncpass</param>
 		<param name="color-depth">24</param>
 	</connection>
 	<connection name="ssh">
        	<protocol>ssh</protocol>
        	<param name="hostname">192.168.200.212</param>
        	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>
    </authorize>
 </user-mapping>
--- a/jails/config/jump/guacamole-client/vnc-hub.ldif
+++ b/jails/config/jump/guacamole-client/vnc-hub.ldif
@ -0,0 +1,12 @@
 dn: cn=vnc-hub,ou=hosts,dc=infra
 objectClass: guacConfigGroup
 objectClass: groupOfNames
 cn: HUB vnc
 guacConfigProtocol: vnc
 guacConfigParameter: hostname=192.168.0.50
 guacConfigParameter: port=5901
 guacConfigParameter: password=vncpass
 guacConfigParameter: color-depth=24
 member: cn=sharad,ou=people,dc=infra
 member: cn=diyit,ou=people,dc=infra
 # seeAlso: cn=ahlawat.com,ou=groups,dc=infra
--- a/jails/config/jump/guacamole-server/guacd.conf
+++ b/jails/config/jump/guacamole-server/guacd.conf
@ -0,0 +1,17 @@
 #
 # guacd.conf example
 #
 [daemon]
 # Possible log_level variables are:
 # trace, debug, info, warning, and error
 # Default is info
 log_level = info
 [server]
 bind_host = localhost
 bind_port = 4822
 [ssl]
 #server_certificate = /mnt/certs/fullchain.pem
 #server_key = /mnt/certs/privkeyr.pem
--- a/jails/config/jump/schema/guacConfigGroup.ldif
+++ b/jails/config/jump/schema/guacConfigGroup.ldif
@ -0,0 +1,28 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 dn: cn=guacConfigGroup,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: guacConfigGroup
 olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.15 )
 olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.15 )
 olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
 uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )
--- a/jails/config/jump/schema/guacConfigGroup.schema
+++ b/jails/config/jump/schema/guacConfigGroup.schema
@ -0,0 +1,31 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
    DESC 'Guacamole configuration group'
    SUP groupOfNames
    MUST guacConfigProtocol
    MAY guacConfigParameter )
--- a/jails/config/jump/setup_jail.sh
+++ b/jails/config/jump/setup_jail.sh
@ -0,0 +1,2 @@
 # requrired to run other configured scripts
 /bin/sh /etc/rc
--- a/jails/config/ldap/pkgp.conf
+++ b/jails/config/ldap/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/ldap/schema-addons/guacConfigGroup.ldif
+++ b/jails/config/ldap/schema-addons/guacConfigGroup.ldif
@ -0,0 +1,28 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 dn: cn=guacConfigGroup,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: guacConfigGroup
 olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.15 )
 olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.15 )
 olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
 uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )
--- a/jails/config/ldap/schema-addons/guacConfigGroup.schema
+++ b/jails/config/ldap/schema-addons/guacConfigGroup.schema
@ -0,0 +1,31 @@
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
    DESC 'Guacamole configuration group'
    SUP groupOfNames
    MUST guacConfigProtocol
    MAY guacConfigParameter )
--- a/jails/config/mail/.secret/dkim/ahlawat.com.dkim.key
+++ b/jails/config/mail/.secret/dkim/ahlawat.com.dkim.key
@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDECIuIzM+f5+s
 PdoTBSLGpARZkcKWboSUfLdiFsBEXkV5KLy12S6T2ja0oH5C6GfhkqpdzAsCPHKs
 SdIyJAmHj7FXnbOnP93N64E3n/wONj5cq9QAz2acKxS167DXpnSE7K+egcqI7ePL
 BBecLnKUUnSQ4JMAeUBatjnl5SsKF7pwDM1DsOYvWFpDH0BfjIlZq1JJIUnfE7pK
 b3ppdBSF0bum+/Y6TZVJdNg4fYj5k68vLeBp8PkJj60pO4B7oexLpXcz/pqkGi9a
 K5P86RzZliKMqGVAs3TmxWMskoX2Hpm1VXIg/Pht75FuaPqwkAW8FVb3Y7yvfmgU
 O7FaP423AgMBAAECggEAP7BG2LWZh7B32+8eAtPMdPsciHo1BJT1KN5HqfkvsaLu
 IA8S/nT45kF7VyKH1yS2tkoC4jk65vIBpws7XC+0BNT/3FGbVOJfc1qPiC/uRl2j
 ovJfeBw/roHKc1OPG/o3VSdKeAB8tpSlqaWeZ9oqgw8hDCSnGqJ8RqH06YEXumVO
 /59N5/kweoN1902nrsnhhY72cx/YY7TFZt+sbCs1D8rimHFX5UQUWGQgwqKeCvG2
 VmBtU+oXCBKdaR+IcJd9Oy/qkmEQZ6dDL7n/HUwOcRzuBuZoeXN9sc9z81mYEI2Q
 bYpowPOyqFArB08HjQpFndQFSyNwiVVSzaOHRUNBwQKBgQDkECi9WkyqGgVvSM6f
 fC9OTKKk5kI12j4I3aQKZSnW/eNTpaHykRhvUsr36zp58vRN4G9YDJyblgOhgr1U
 7SBwqZRLETwG0ktKDipgibWjBm+K5LfK+wWRwn/qzq494Qg2GQ/DniXqCZ6SI1s1
 wMBHS9s/VYPGaYvYrS1TD90JpwKBgQDa9R90rcyNlXTLHwYzxgjJczLKHz+0ANlR
 GORg31/VBxs94IYby+cZ/oGRjCB5syR/SaN5Z+N2w8GT0yFWN8UCJS0G4I6fGtCb
 wYWzhK2UtI4WyOH9jIdl8AYjFGRZMFJEkDPmac54jtNcqhfO/Eei9+yHq7llEnUP
 F4qKf8K9cQKBgQDEwDgVW4DGQxqrLhmrt3wsRasPLeKzCOv5xBTQLwRQiMoEkOFN
 HeYBrGCUT6gsKvCe+t+0C3VUOLA7N0pVqRkSeQoJVP3/OI9hfSUMEeHUminCnpz9
 DWB5pl2q2dGyaqAl46sY7SfyZ4gYtU3r6rU3DPdCBWlg1A+kx4pRnV7pAwKBgCOu
 fonNKOCJ0panX6NgSl5J36UAoqj62m9U1yLSRBO7LL1QsYomGGssBoFpjIFIqFH1
 9iX6wB7Cl/E3Ht+mBvzqggP05EkZXZWEW/19SaxKID2mTu260PXTv6xHznKaZU23
 Ej4iT/tlixw2u9qHUkVEkc8qNPQ7pcfn1jPrzhiBAoGBAN075cp3R9bzzfVzrFRh
 ZFWzSnWieSsOP635nj48HXKyne7gjvG1IG/HHSi3XPmRIdWTAfOYz29rWQEOaY7b
 wbNhvH7jvtq/A7/Uifh6l8cnN9TFAmN/wmKEUCloVxg1/GltXbR6UwzbJWAs40ya
 VtAxvncs1bqtPBAgfE5wwdCd
 -----END PRIVATE KEY-----
--- a/jails/config/mail/.secret/dkim/beyondbell.com.dkim.key
+++ b/jails/config/mail/.secret/dkim/beyondbell.com.dkim.key
@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYdTOGw8TvQtkr
 Z139xpQC1iXu/X+2ei7ascX6C2G8WM7NS3XphgMd0LgzEm9POoJyYP7KVjQdPK5m
 mRoZOCATmFhNPGSer96qjASHgm10GISKlUyGKRWv1mNHsLJaLwsd8ef13+qBsTvG
 pT0z2I/0OWwAuqQuZdMPuVskspF8jusycibpQ7WjqaOynPEUuRZHDLQToso02+Vd
 X3l3bU08Rz3vW7+hNjZYuzsfCTBzD91kxTGyetqg2CXyLM/dWbDFgY72zG682X0d
 CtoWoEAKdUJkPDxQeKJtqh84TsAOUvg/z3W6J7uJow9OcWsXWJcAJ/HG8gNPq4ho
 sVbc96SzAgMBAAECggEADXPTPPfjwF7uMkVdUQ1LW5XFi8HTcxrK2KqdvDmC3HrE
 d3vOGzJJ9UtodzwZENp5CvS+QQL0gDCqQhQXzCNx0uXv7vTm5/nUI9NJ4MYZWVLA
 wgAfXmMlRuVTDDyOCQ7NaRIEsYI2B9Nk/KZ+VD+MSshazvzKgVuwr1R8tp4mbpAx
 8f4xe51b5ZVqTLcnkoSR6lTmKMQruIZwQpvaGYZLjBRaBcACwYkbZksQZkx7xZdZ
 enpLcKoCc1xXg+gjlfF9HOD1e2GlYQTOgfDcQVJEIS+jjzMyiJA1BxqL8/LkafeD
 CKfx8mzd1LjyDDaAP8ruZb4Ns/6SazAPozxBSRnP2QKBgQD+uf+evckgN6+3/Bur
 egP6I4dUKw1joCo69p98388mWq+ywhIc2rquEfSoQCqjli4pG3iwBbDVxgjk08GV
 ayFaP3X3LvuqCZBktSjEJR6WUMB0kW77BigLCtbzyd2R9upp0A3CnXsmmLVL+o5n
 TD5w6cd67NPS/NGo2FyA6JQO5QKBgQDZijnfG4Yt6BdX3+WBFXNGkhdJziokmrfG
 no5p/tw+/kJfHFC017Z+EbLbcWMKL9cDzl9uMXGDy1xd8+OfolxZZEnrmt4btbmh
 wVzTPrhREwjqzwu/Y2jQwFBef+zJ+b8a1uZOFYVIWWeGCT7wirq54AslE8y0lNEF
 olBnP44TtwKBgQDyn4k50z16QXBOx4Q3fZ3CKQsigWtcZFc1GGlrEOaHesN1eeK0
 tyYu3Q1zIMM8U7SeFPuMda8sv1cDVitCPetjwaSED61IFZoCQoeU5GJQ/JODtG7I
 DOIhOm7pgHJaMJywsqoYn9WIOtYci4gOHhIvjI0jqeZNReARehwJ8P3tfQKBgEWD
 hAalNvVIat0rsJzVC+cLG+H7vT/BKOSRGhUI2bxPZ0oZNDj1jV0vrqWsz+cbbmvK
 8He32PwyaaukGaKTMUtnXq+o5zyXj1/+9/iQ3DkcCgdubeSUkZPTQFtSKYpJAiZD
 cYiWG+cImqocHj6jNhPbYfRRJWK3Ayv3uBWmG3J1AoGAGjKqKpd8+00IxElXpov9
 At2YzPZlzPQCU0+vcreGVTaO9wNdVKfc6uaeAO4D0DP9SOwEqRC9rv8FNb8DxgTB
 ryWMy8rY/CC3mhK6hnsWNRC0a1myKva2XwQ+jMKuCsznFE0N2xjizNdv2/HM2dcr
 ropb+P1w1KZyTiNbTTTC1eQ=
 -----END PRIVATE KEY-----
--- a/jails/config/mail/.secret/dkim/diyit.org.dkim.key
+++ b/jails/config/mail/.secret/dkim/diyit.org.dkim.key
@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDc2cV9/D/MWdUl
 DBfKzA3zNjFbzDJd4WP1fdRRIdell57kJwyKehYCw/HxWy4+AnWj6c2fhPXI2EQp
 K3I1QjNSxV4kq+Lr2SFJuDiZvDRLzihu24N6go34R9712mbZOWWl0KyihO6E2cH8
 h6cr2iahXmAjqVtm9/mBmdnrQ2Bv0fusdpS24x3NOPs4Q5gJTadJFGBkwXb88D/+
 mBDcEUFwDul4bVQWvqHk+8EJwApGLo7YVL2F0A25FAm43rWexjb+JeTsHRqN/TaV
 ALzQPr/DQIb2wyWsTnQMnd0t8qg9ErDAKgxMDeGDRFbHr5wNMTrewQkW7yd+H0T0
 Wa97aDXbAgMBAAECggEANUp/M0VZB7BtlED0xMS0YQmko2gEh07J1gUE5IbsCFMr
 zhX2GrwW75fkm77Ky7/AL0tNiL6GqG43FFAdgOh2hfSGIQcw/IQqWiWP0tjtLZWT
 gByL/1XdeBmvnVeUFbqZ4ocWASlefMQm4Q7Csfwz8iBZxoEpQxF3LWS4huJ9NL3d
 qiI1jX5otXN0ybA6jDpridvExRwWT6KrAykUrh5f7vRGUp0I7/GltvSHS4mu24C1
 08RUPE5NjynEX/amc1urMwH3ZdOZgCx819DfQXpQts9/TejSLlLL8s4lXTsZDoab
 DiJ1zZKZEpMIheEGAWSyLtqc1QxypauVAMeM6ZgasQKBgQD88Yf1E7X8zS4hYSyu
 WHiUgrin/0febsHWZAVBTwnzpDwfY0jNnq57tiALyaVzk3vCL3a9WckpXPbQk4Yk
 Oypu1eDyGT4Xf7hrXqFTlMtkupa3Os5/MlTXOFMMs5VISsxrbVjNlvSxITXASWwr
 IYVjmhgTx8Rg3ApM5X/Tqd8XxwKBgQDfhPZ2t+4fBwhzgydKnkPWMbJ6k17tWoZu
 8tzCzrxJd/cYUmi/44sOLrFCLwaS28I4sR7iBPCeiFnnbqlv+f6uw2Xmr5jc/BsT
 md6yl2gNmow//iGFwf8lAsA1VyoFbZoAvQUMVElaxvCngifsTNqRHap8KY6xv5r/
 C6MEoGd5TQKBgQDEoPXxnEsCpHXR2Pqk5X2G5T+qyRYTYcIpaUN0i37O+cMLG2FD
 BrHY1bF/uFd3yxSP1dnWRG/OSchMSAIlNCE+W+EsEldkaRLx1HRQxwB941a6RWq1
 EmlFjTFyVEAeHJdgg3ZfC5RYBdsFCY6e0MYisW06IzcTnLodIOMHpawZjQKBgQC+
 1RVbnINXyDhl7rbQFTlTmVCJKGMmgGBAP2dNhxXoH909zbYTBmFFdYXvPJj/L1Kt
 9kKos5D/uOgRGEDfEnBnovnQL2FyYmd3n6orjerPmoBdbkoOmeeNIMEbiVSeF8oh
 EUBLG3cZYro6OXx+WctNlCdnJE/o3+6kC7pdi9lsDQKBgEtkK4RpB1OKJm6sEiWe
 hoTI6yqflpkivWtV3F8/D37LbYT5wiAsRr6AkgetB7jsi0t//thJiAUUxhtb+u4M
 1zR7i9bIRv3lU8TgYpfS/Yq3T9feZoj682LKtBMPoSgm/p5+ogzIlAU3cpjAW+A8
 2CyzbDc7K58vuzaR8RHpnzYi
 -----END PRIVATE KEY-----
--- a/jails/config/mail/.secret/dkim/diyit.space.dkim.key
+++ b/jails/config/mail/.secret/dkim/diyit.space.dkim.key
@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJE2rtl2EGU7YD
 TWSlapLqMgn02m9Valldv6u3NP5CZTwI9/xrlEZYzjArInvLE4SFx5VlgC52K92A
 tZUqs7ckZgDmMOIr1vXGP3YgzGO9NK3hqyPHlu2Twuu96rP9+CTTlU8ovun14Ucu
 b0+W3pH646kMZBc0wAAj0xg+QI0PhFphQZyHkV9laOFwx/ErCu9SdUfcUY+zouSG
 DMxPAL8pT1JS5IOVGDM7rXbAwZ1+LrHTmOD1Mi6jtYtV7/Pqga6CBpcQFa/kMvza
 idjPkVyUg4YY/9i+P9dRQMK6dJgmRSaLLaOTaYHCT6PgpWQvKhYJZsNIB+LmfdHp
 gzE4s0tfAgMBAAECggEBALtNkzVu5bp3D/1TgoV0GRZ/NjcXos32GvjxKoummZJP
 qvTPzBqKLF1c9BG6NYadz7yuhcPe+2iow9S5URJOBjOpsPy8XHJp8teRFgDHY8FD
 6RVlzhaFyRjzYZWvo6rYE7XkR7C05ktcZmoi1gi7m1AR8c7RDazdjUPRx6t1hfEE
 ubocsnwZ5McU3tHVHj8pHBM9nKaarVd3BSTydStjGOmoS+E5BR1NLMDpx3Aw9S/V
 tn1iJxxF9+GONFfCBQ/IQ4+rBbOPsICwhhhrTpJwPilzBynGQevtEHdpq6ewS2bq
 ESsgQoax70cW1TymOPOzYQvPUzJy0S68OoSMAXVr8MECgYEA755LulHIALONfQWG
 XBUT7UMaePyLDkuNoGkIDqIdqZiJf8kxDs8yWznCGim/vlnmK2hVn1nqi+omtbaG
 AsCgU9q2JnP4r0Nr7yb/L4WAHp5WxR5ifS/aOHUple9oQwfPkzpxWEGFFvN0PW7p
 4lk4lRNvI4q5zMdugpbwn4vbzEMCgYEA1tKRDfPY/9GV/dYnt433bjtlNU9j7UCc
 8iP26Rg8zjC4tzlVoZDZjov5FMG2Ifb7cLNroONATg2ivKNyRm73Le9p2KVqtvTX
 zHs1sKVJofWQ4+GzJd8MkUEXu397oTUudGV+z82Hd0iKkQBT7EYBybHl6kY4XbR1
 BS36gdW2oLUCgYBvt1LBNH3V7eCqiFfjOKSIuv9tpvjCGnGWd0GdaPIBby+0Fz47
 FFj69UvM3OgbvFg2prc8yzQyNWIE2GtUfzCAx/iipvEr7Xg2EO1q34gjPllgH9F1
 YkkQh3dzAyKOFecuUlIj/rApSipIthxvPn/F6UCoxnXnxpd8ZRkcmZ1JdwKBgQCZ
 bltb88YRMMhIPCSx3RvUB2gJ42Ijmfp+l2FKqp0DR5kmhDS86I/6V87XHGPRbm23
 2O4OQ0Eyflq1EKgV1juE+3JF4h+N/OIEkhuOxv8IRjPuDs29RsnbFPq2WB8czLcZ
 O0SPduRCNfWCCxHltzqfrAfig7TOeIz73hMFmHaP4QKBgQCN1XzjGMrL0ZlFQTM1
 ljaqWEaQ+JSzZtiVDdPcuKytyvz59OdJnag9O0TBaOY6XGG1Dbl8FJEG9KZCwYRv
 a+CKb6qHyowgu17GlWQBn2i3Ep5GOQhkR4ghvDXZPwOJfW5VbfWo4N/r3Q81kaRO
 Iovk5uipUk5dtW69hOYmq4OBxA==
 -----END PRIVATE KEY-----
--- a/jails/config/mail/pkgp.conf
+++ b/jails/config/mail/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/mail/postfix/main.cf
+++ b/jails/config/mail/postfix/main.cf
@ -683,7 +683,7 @@ readme_directory = /usr/local/share/doc/postfix
 inet_protocols = ipv4, ipv6
 # sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
-smtp_address_preference = ipv4
+#smtp_address_preference = ipv4
 meta_directory = /usr/local/libexec/postfix
 shlib_directory = /usr/local/lib/postfix
--- a/jails/config/mail/postfix/main.cf.default
+++ b/jails/config/mail/postfix/main.cf.default
@ -328,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
 luser_relay =
 mail_name = Postfix
 mail_owner = postfix
-mail_release_date = 20200316
+mail_release_date = 20200516
 mail_spool_directory = /var/mail
-mail_version = 3.5.0
+mail_version = 3.5.2
 mailbox_command =
 mailbox_command_maps =
 mailbox_delivery_lock = flock, dotlock
@ -340,7 +340,7 @@ mailbox_transport_maps =
 maillog_file =
 maillog_file_compressor = gzip
 maillog_file_prefixes = /var, /dev/stdout
-maillog_file_rotate_suffix = %Y%M%d-%H%M%S
+maillog_file_rotate_suffix = %Y%m%d-%H%M%S
 mailq_path = /usr/local/bin/mailq
 manpage_directory = /usr/local/man
 maps_rbl_domains =
--- a/jails/config/mail/sendmail.cf
+++ b/jails/config/mail/sendmail.cf
--- a/jails/config/monitor/alert_rules.yml
+++ b/jails/config/monitor/alert_rules.yml
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/monitor/alertmanager.yml
+++ b/jails/config/monitor/alertmanager.yml
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/monitor/dbip-city-lite-2020-06.mmdb
+++ b/jails/config/monitor/dbip-city-lite-2020-06.mmdb
--- a/jails/config/monitor/matomo-archive
+++ b/jails/config/monitor/matomo-archive
@ -0,0 +1,2 @@
 MAILTO="sharad@diyit.org"
 5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /root/matomo-archive.log
--- a/jails/config/monitor/prometheus.yml
+++ b/jails/config/monitor/prometheus.yml
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/monitor/start_logstash.sh
+++ b/jails/config/monitor/start_logstash.sh
@ -1,3 +0,0 @@
 mount proc
 /usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
 ps axww | grep logstash
--- a/jails/config/pkgp/ccache.conf
+++ b/jails/config/pkgp/ccache.conf
@ -0,0 +1 @@
 max_size = 32.0G
--- a/jails/config/pkgp/freebsd-update.conf
+++ b/jails/config/pkgp/freebsd-update.conf
@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
 # Trusted keyprint.  Changing this is a Bad Idea unless you've received
 # a PGP-signed email from <security-officer@FreeBSD.org> telling you to
--- a/jails/config/pkgp/make.conf
+++ b/jails/config/pkgp/make.conf
@ -1,2 +1,3 @@
 WANT_OPENLDAP_SASL=yes
 LICENSES_ACCEPTED+=DCC
 WITH_CCACHE_BUILD=yes
--- a/jails/config/pkgp/mypkgs
+++ b/jails/config/pkgp/mypkgs
@ -5,11 +5,14 @@ net/openldap24-sasl-client
 security/cyrus-sasl2
 www/apache24
 devel/apr1
-net/php73-ldap
+net/php74-ldap
 mail/postfix
 mail/dovecot
 mail/dovecot-pigeonhole
 mail/rspamd
 mail/dcc-dccd
 net/netatalk3
-net/samba410
+net/samba411
 net/nss-pam-ldapd
 net/nss-pam-ldapd-sasl
 #security/pam_ldap # included above
--- a/jails/config/pkgp/pkgp.conf
+++ b/jails/config/pkgp/pkgp.conf
@ -0,0 +1,11 @@
 FreeBSD: {
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
    enabled: no
 }
 pkgp-freebsd-pkg: {
    url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
    mirror_type: "http",
    enabled: yes,
    priority: 10
 }
--- a/jails/config/pkgp/poudriere.conf
+++ b/jails/config/pkgp/poudriere.conf
@ -133,7 +133,7 @@ PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
 # It will be mounted into the jail and be shared among all jails.
 # It is recommended that extra ccache configuration be done with
 # ccache -o rather than from the environment.
-#CCACHE_DIR=/var/cache/ccache
+CCACHE_DIR=/mnt/cache/ccache
 # Static ccache support from host.  This uses the existing
 # ccache from the host in the build jail.  This is useful for
@ -200,7 +200,7 @@ NOLINUX=yes
 # List of packages that will always be allowed to use MAKE_JOBS
 # regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports
 # which holdup the rest of the queue to build more quickly.
-#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*"
+ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py* llvm*"
 # Timestamp every line of build logs
 # Default: no
@ -282,7 +282,7 @@ PRESERVE_TIMESTAMP=yes
 # Define pkgname globs to boost priority for
 # Default: none
-#PRIORITY_BOOST="pypy openoffice*"
+PRIORITY_BOOST="llvm*"
 # Define format for buildnames
 # Default: %Y-%m-%d_%Hh%Mm%Ss
--- a/jails/config/plex/plexconnect
+++ b/jails/config/plex/plexconnect
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/proxy/haproxy.conf
+++ b/jails/config/proxy/haproxy.conf
@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -48,35 +48,31 @@ frontend stats
 frontend ft
  bind :::80 v4v6
-  bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
+  bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem 
  redirect scheme https if !{ ssl_fc }
  log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
  # passing on that browser is using https
-  reqadd X-Forwarded-Proto:\ https
+  ## http-request add-header Forwarded: proto=https  
  #enabling this breaks things, needs investigation
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Ssl on if { ssl_fc }
  # for Clickjacking - added to individual backends
-  # rspadd X-Frame-Options:\ SAMEORIGIN
+  # http-response add-header X-Frame-Options: SAMEORIGIN
  # prevent browser from using non-secure
-  rspadd Strict-Transport-Security:\ max-age=15768000
+  http-response add-header Strict-Transport-Security: max-age=15768000
  acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
  acl restricted_page path -i -m sub /wp-admin
  acl restricted_page path -i -m sub /wp-login
-  block if restricted_page !network_allowed
+  http-request deny if restricted_page !network_allowed
  use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
  use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
  use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
  use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
  use_backend bk_diyit if { ssl_fc_sni diyit.org }
  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
  use_backend bk_diyit if { ssl_fc_sni xflow.org }
  use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
  use_backend bk_diyit if { ssl_fc_sni diyit.space }
  use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
  use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
  use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
@ -96,53 +92,67 @@ frontend ft
  use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
  use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
  use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
  use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
  use_backend bk_diyit if { ssl_fc_sni diyit.org }
  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
  use_backend bk_diyit if { ssl_fc_sni xflow.org }
  use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
  use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
  use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
  use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
  use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
  use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
  use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
  use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
  use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
  use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
  use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
  use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
  use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
  use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
-  use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
+  use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
  use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
  use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
  use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
  default_backend bk_ahlawat
  acl is_websocket hdr(Upgrade) -i WebSocket
  acl is_websocket hdr_beg(Host) -i ws
  use_backend bk_ahlawat if is_websocket
 backend bk_ahlawat
  server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell
  server srv1 192.168.0.77:8000
  rspadd X-Frame-Options:\ SAMEORIGIN
 backend bk_diyit
  server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  rspadd X-Frame-Options:\ SAMEORIGIN
 backend bk_ahlawat-sharad
  balance roundrobin
  server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 #  http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"
 backend bk_ahlawat-rachna
  server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-nivi
  server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-rishabh
  server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 #backend bk_ahlawat-book
 #  server srv1 bookx.ahlawat.com:443 check ssl verify none
@ -150,102 +160,143 @@ backend bk_ahlawat-rishabh
 backend bk_ahlawat-book-443
 #  server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-book-444
 #  server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-book-445
 #  server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-cam
  server srv1 192.168.0.54:8765 check
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-ci
 #  http-request set-header Host cix.ahlawat.com:8080
  http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*)  \1\ http://cix.ahlawat.com:8080/\2
  http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*)  \1\ https://ci.ahlawat.com/\2
  server srv1 cix.ahlawat.com:8080 check
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-cloud
  server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-git
  server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspidel X-Frame-Options:*
+  http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
-#  http-request set-var(txn.src) src
+#  http-response add-header X-Frame-Options: SAMEORIGIN
 #  acl mynet var(txn.src) -m sub 192.168.0
 #  acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
 #  rspidel X-Frame-Options:* if mynet
 #  rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
 # The gitea server add this header be default
 backend bk_ahlawat-hub
  server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-matrix
  server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-meet
  server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-monitor
  server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-jump
  server srv1 jumpx.ahlawat.com:8080 check
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_diyit
  server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_diyit-grafana
  server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_diyit-prometheus
  server srv1 monitorx.ahlawat.com:9090 check
 # ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_diyit-kibana
-  server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_diyit-maps
-  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
-  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
 #  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
 #  http-response add-header X-Frame-Options: SAMEORIGIN
-backend bk_ahlawat-ci
+
-#  http-request  set-header Host cix.ahlawat.com:8180
+
-  reqirep  ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
+backend bk_dvpc
-  rspirep  ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
+  server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  server srv1 cix.ahlawat.com:8180 check
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell
  server srv1 192.168.0.77:8000
 #  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-ci
 #  http-request set-header Host cix.beyondbell.com:8111
  http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
  server srv1 192.168.0.73:8111
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-git
  server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-ci
  http-request  set-header Host cix.beyondbell.com:8111
  reqirep  ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
  rspirep  ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
  server srv1 cix.beyondbell.com:8111
  rspadd X-Frame-Options:\ SAMEORIGIN
 backend bk_beyondbell-repo
-#  http-request  set-header Host 192.168.0.75:8080
+#  http-request set-header Host 192.168.0.75:8081
-  reqirep  ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
+#  http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
-  rspirep  ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
+#  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
  server srv1 192.168.0.75:8080
  rspadd X-Frame-Options:\ SAMEORIGIN
-backend bk_beyondbell-gs
+  server srv1 192.168.0.75:8081
  http-response add-header X-Frame-Options: SAMEORIGIN
 #  http-response del-header Strict-Transport-Security
 #  http-response add-header Content-Security-Policy: upgrade-insecure-requests
 backend bk_beyondbell-web-moonglade
  server srv1 192.168.0.74:8000
 #  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-web-moonglade-private
  server srv1 192.168.0.74:4000
 #  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-r-windows
  server srv1 192.168.0.85:4000
 #  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-windows
  server srv1 192.168.0.81:26900 check
  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
--- a/jails/config/proxy/pkgp.conf
+++ b/jails/config/proxy/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/proxy/port-fwd.sh
+++ b/jails/config/proxy/port-fwd.sh
@ -0,0 +1 @@
 ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820
--- a/jails/config/r-db/my.cnf
+++ b/jails/config/r-db/my.cnf
@ -1,99 +1,13 @@
 # Example MySQL config file for small systems.
 #
-# This is for a system with little memory (<= 64M) where MySQL is only used
+# This group is read both by the client and the server
-# from time to time and it's important that the mysqld daemon
+# use it for options that affect everything, see
-# doesn't use much resources.
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
 #
-# MySQL programs look for option files in a set of
+[client-server]
 # locations which depend on the deployment platform.
 # You can copy this option file to one of those
 # locations. For information about these locations, see:
 # http://dev.mysql.com/doc/mysql/en/option-files.html
 #
 # In this file, you can use all long options that a program supports.
 # If you want to know which options a program supports, run the program
 # with the "--help" option.
 # The following options will be passed to all MySQL clients
 [client]
 #password	= your_password
 port	= 3306
-socket		= /tmp/mysql.sock
+socket	= /var/run/mysql/mysql.sock
 # Here follows entries for some specific programs
 # The MySQL server
 [mysqld]
 bind-address    = *
 port		= 3306
 socket		= /tmp/mysql.sock
 skip-external-locking
 key_buffer_size = 16K
 max_allowed_packet = 64M
 table_open_cache = 16
 sort_buffer_size = 64K
 read_buffer_size = 256K
 read_rnd_buffer_size = 256K
 net_buffer_length = 2K
 thread_stack = 240K
 # Don't listen on a TCP/IP port at all. This can be a security enhancement,
 # if all processes that need to connect to mysqld run on the same host.
 # All interaction with mysqld must be made via Unix sockets or named pipes.
 # Note that using this option without enabling named pipes on Windows
 # (using the "enable-named-pipe" option) will render mysqld useless!
 #
-#skip-networking
+# include *.cnf from the config directory
-server-id	= 1
+#
-
+!includedir /usr/local/etc/mysql/conf.d/
 # Uncomment the following if you want to log updates
 #log-bin=mysql-bin
 # binary logging format - mixed recommended
 binlog_format=ROW
 # Causes updates to non-transactional engines using statement format to be
 # written directly to binary log. Before using this option make sure that
 # there are no dependencies between transactional and non-transactional
 # tables such as in the statement INSERT INTO t_myisam SELECT * FROM
 # t_innodb; otherwise, slaves may diverge from the master.
 #binlog_direct_non_transactional_updates=TRUE
 # Uncomment the following if you are using InnoDB tables
 #innodb_data_home_dir = /var/db/mysql
 #innodb_data_file_path = ibdata1:10M:autoextend
 innodb_log_group_home_dir = /var/db/mysql-log
 # You can set .._buffer_pool_size up to 50 - 80 %
 # of RAM but beware of setting memory usage too high
 innodb_buffer_pool_size = 1G
 innodb_io_capacity=4000
 transaction-isolation = READ-COMMITTED
 # Set .._log_file_size to 25 % of buffer pool size
 innodb_log_file_size = 250M
 #innodb_log_buffer_size = 8M
 innodb_flush_log_at_trx_commit = 2
 #innodb_lock_wait_timeout = 50
 innodb_doublewrite = 0
 innodb_checksum_algorithm = none
 slow_query_log_file = /var/db/mysql-log/slow.log
 log-error = /var/db/mysql-log/error.log
 log_bin = /var/db/mysql-log/binlog
 relay_log = /var/db/mysql-log/relay-bin
 expire_logs_days = 7
 [mysqldump]
 quick
 max_allowed_packet = 16M
 [mysql]
 no-auto-rehash
 # Remove the next comment character if you are not familiar with SQL
 #safe-updates
 [myisamchk]
 key_buffer_size = 8M
 sort_buffer_size = 8M
 [mysqlhotcopy]
 interactive-timeout
--- a/jails/config/r-db/server.cnf
+++ b/jails/config/r-db/server.cnf
@ -0,0 +1,90 @@
 # Options specific to server applications, see
 # https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
 # Options specific to all server programs
 [server]
 # Options specific to MariaDB server programs
 [server-mariadb]
 #
 # Options for specific server tools
 #
 [mysqld]
 user				= mysql
 # port				= 3306 # set in /usr/local/etc/mysql/my.cnf
 # socket			= /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
 bind-address			= *
 basedir				= /usr/local
 datadir				= /var/db/mysql
 net_retry_count			= 16384
 # [mysqld] configuration for ZFS
 # From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
 # Create separate datasets for data and logs, eg
 # zroot/mysql      compression=on recordsize=128k atime=off
 # zroot/mysql/data recordsize=16k
 # zroot/mysql/logs
 datadir = /var/db/mysql
 innodb_log_group_home_dir	= /var/db/mysql-log
 #audit_log_file		= /var/db/mysql-log/audit.log
 general_log_file		= /var/db/mysql-log/general.log
 log_bin			= /var/db/mysql-log/mysql-bin
 relay_log			= /var/db/mysql-log/relay-log
 slow_query_log_file		= /var/db/mysql-log/slow.log
 innodb_doublewrite		= 0
 innodb_flush_method		= O_DSYNC
 ##
 log-error = /var/db/mysql-log/error.log
 ### custom optimizations
 skip-external-locking
 key_buffer_size = 16K
 max_allowed_packet = 64M
 table_open_cache = 16
 sort_buffer_size = 64K
 read_buffer_size = 256K
 read_rnd_buffer_size = 256K
 net_buffer_length = 2K
 thread_stack = 240K
 server-id   = 1
 binlog_format=ROW
 innodb_buffer_pool_size = 1G
 innodb_io_capacity=4000
 transaction-isolation = READ-COMMITTED
 innodb_log_file_size = 250M
 innodb_flush_log_at_trx_commit = 2
 innodb_checksum_algorithm = none
 slow_query_log_file = /var/db/mysql-log/slow.log
 expire_logs_days = 7
 ###
 # Options read by `mysqld_safe`
 # Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
 [mariadb_safe]
 # Options read my `mariabackup`
 [mariabackup]
 # Options read by `mysql_upgrade`
 # Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
 [mariadb-upgrade]
 # Specific options read by the mariabackup SST method
 [sst]
 # Options read by `mysqlbinlog`
 # Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
 [mariadb-binlog]
 # Options read by `mysqladmin`
 # Renamed from [mysqladmin] starting with MariaDB 10.4.6.
 [mariadb-admin]
--- a/jails/config/r-git/gitea/options/license
+++ b/jails/config/r-git/gitea/options/license
@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, BeyondBell.com
+Copyright (c) 2018-2021, BeyondBell.com
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/jails/config/r-git/gitea/public/beyondbell-com-license.txt
+++ b/jails/config/r-git/gitea/public/beyondbell-com-license.txt
@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
-Copyright (c) 2018-2020, BeyondBell.com
+Copyright (c) 2018-2021, BeyondBell.com
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/jails/config/r-ldap/pkgp.conf
+++ b/jails/config/r-ldap/pkgp.conf
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
    priority: 10
 }
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
--- a/jails/config/vm/create_taps.sh
+++ b/jails/config/vm/create_taps.sh
@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -18,6 +18,16 @@ ifconfig bridge1 addm tap82 up
 ifconfig tap82 up
 ifconfig tap82 inet6 auto_linklocal
 ifconfig tap1082 create
 ifconfig bridge10 addm tap1082 up
 ifconfig tap1082 up
 ifconfig tap1082 inet6 auto_linklocal
 ifconfig tap2082 create
 ifconfig bridge9 addm tap2082 up
 ifconfig tap2082 up
 ifconfig tap2082 inet6 auto_linklocal
 ifconfig tap83 create
 ifconfig bridge1 addm tap83 up
 ifconfig tap83 up
@ -33,6 +43,21 @@ ifconfig bridge1 addm tap85 up
 ifconfig tap85 up
 ifconfig tap85 inet6 auto_linklocal
 ifconfig tap86 create
 ifconfig bridge1 addm tap86 up
 ifconfig tap86 up
 ifconfig tap86 inet6 auto_linklocal
 ifconfig tap1086 create
 ifconfig bridge10 addm tap1086 up
 ifconfig tap1086 up
 ifconfig tap1086 inet6 auto_linklocal
 ifconfig tap2086 create
 ifconfig bridge9 addm tap2086 up
 ifconfig tap2086 up
 ifconfig tap2086 inet6 auto_linklocal
 ifconfig tap90 create
 ifconfig bridge1 addm tap90 up
 ifconfig tap90 up
@ -42,3 +67,33 @@ ifconfig tap190 create
 ifconfig bridge2 addm tap190 up
 ifconfig tap190 up
 ifconfig tap190 inet6 auto_linklocal
 ifconfig tap97 create
 ifconfig bridge1 addm tap97 up
 ifconfig tap97 up
 ifconfig tap97 inet6 auto_linklocal
 ifconfig tap1097 create
 ifconfig bridge10 addm tap1097 up
 ifconfig tap1097 up
 ifconfig tap1097 inet6 auto_linklocal
 ifconfig tap2097 create
 ifconfig bridge9 addm tap2097 up
 ifconfig tap2097 up
 ifconfig tap2097 inet6 auto_linklocal
 ifconfig tap96 create
 ifconfig bridge1 addm tap96 up
 ifconfig tap96 up
 ifconfig tap96 inet6 auto_linklocal
 ifconfig tap1096 create
 ifconfig bridge10 addm tap1096 up
 ifconfig tap1096 up
 ifconfig tap1096 inet6 auto_linklocal
 ifconfig tap2096 create
 ifconfig bridge9 addm tap2096 up
 ifconfig tap2096 up
 ifconfig tap2096 inet6 auto_linklocal
--- a/jails/config/vm/cvm-a.sh
+++ b/jails/config/vm/cvm-a.sh
@ -0,0 +1,70 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 # ./cvm-a.sh under tmux
 # clean cached state
 bhyvectl --destroy --vm=cvm-a
 while true
 do
 bhyve -c 4 -m 16G -A -H -P \
 -s 0,hostbridge \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
 -s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
 -s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
 -s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
 -s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
 -s 30,xhci,tablet \
 -s 31,lpc -l com1,/dev/nmdm97A \
 -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
 cvm-a
 bhyve_exit=$?
 # bhyve returns the following status codes:
 #  0 - VM has been reset
 #  1 - VM has been powered off
 #  2 - VM has been halted
 #  3 - VM generated a triple fault
 #  all other non-zero status codes are errors
 #
 if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
 then
    break
 fi
 echo `date` - restarting cvm-a in 5 seconds - press ctrl-c to stop
 sleep 5
 done
 exit $?
 # -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
 # bhyvectl --get-all --vm=cvm-a
 # cu -l /dev/nmdm97B
 # (This uses cu() so press ~+Ctrl-D to exit)
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
 #zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
 # on boot
 #ifconfig tap97 create
 #ifconfig bridge1 addm tap97 up
 #ifconfig tap97 up
 #ifconfig tap97 inet6 auto_linklocal
 #ifconfig tap1097 create
 #ifconfig bridge10 addm tap1097 up
 #ifconfig tap1097 up
 #ifconfig tap1097 inet6 auto_linklocal
--- a/jails/config/vm/cvm-b.sh
+++ b/jails/config/vm/cvm-b.sh
@ -0,0 +1,70 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 # ./cvm-b.sh under tmux
 # clean cached state
 bhyvectl --destroy --vm=cvm-b
 while true
 do
 bhyve -c 4 -m 16G -A -H -P \
 -s 0,hostbridge \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
 -s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
 -s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
 -s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
 -s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
 -s 30,xhci,tablet \
 -s 31,lpc -l com1,/dev/nmdm96A \
 -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
 cvm-b
 bhyve_exit=$?
 # bhyve returns the following status codes:
 #  0 - VM has been reset
 #  1 - VM has been powered off
 #  2 - VM has been halted
 #  3 - VM generated a triple fault
 #  all other non-zero status codes are errors
 #
 if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
 then
    break
 fi
 echo `date` - restarting cvm-b in 5 seconds - press ctrl-c to stop
 sleep 5
 done
 exit $?
 # -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
 # bhyvectl --get-all --vm=cvm-b
 # cu -l /dev/nmdm96B
 # (This uses cu() so press ~+Ctrl-D to exit)
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
 #zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
 # on boot
 #ifconfig tap96 create
 #ifconfig bridge1 addm tap96 up
 #ifconfig tap96 up
 #ifconfig tap96 inet6 auto_linklocal
 #ifconfig tap1096 create
 #ifconfig bridge10 addm tap1096 up
 #ifconfig tap1096 up
 #ifconfig tap1096 inet6 auto_linklocal
--- a/jails/config/vm/freebsd.sh
+++ b/jails/config/vm/freebsd.sh
@ -1,6 +1,6 @@
 #!/usr/local/bin/bash
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
--- a/jails/config/vm/kali.sh
+++ b/jails/config/vm/kali.sh
@ -0,0 +1,77 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 # ./kali.sh under tmux
 # clean cached state
 bhyvectl --destroy --vm=kali
 while true
 do
 bhyve -c 2 -m 4G -A -H -P \
 -s 0,hostbridge \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/kali \
 -s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
 -s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
 -s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
 -s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
 -s 30,xhci,tablet \
 -s 31,lpc -l com1,/dev/nmdm86A \
 -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
 kali
 bhyve_exit=$?
 # bhyve returns the following status codes:
 #  0 - VM has been reset
 #  1 - VM has been powered off
 #  2 - VM has been halted
 #  3 - VM generated a triple fault
 #  all other non-zero status codes are errors
 #
 if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
 then
    break
 fi
 echo `date` - restarting kali in 5 seconds - press ctrl-c to stop
 sleep 5
 done
 exit $?
 #-s 3,ahci-cd,/mnt/linux/kali-linux-2020.4-installer-amd64.iso \
 ##-s 6,virtio-blk,/dev/zvol/ship/raw/kali_data \
 # bhyvectl --get-all --vm=kali
 # cu -l /dev/nmdm86B
 # (This uses cu() so press ~+Ctrl-D to exit)
 #on base system:
 #zfs create -V 128G -o refreservation=none ship/raw/kali
 ##zfs create -V 128G -o refreservation=none ship/raw/kali_data
 # on boot
 #ifconfig tap86 create
 #ifconfig bridge1 addm tap86 up
 #ifconfig tap86 up
 #ifconfig tap86 inet6 auto_linklocal
 #ifconfig tap1086 create
 #ifconfig bridge10 addm tap1086 up
 #ifconfig tap1086 up
 #ifconfig tap1086 inet6 auto_linklocal
 # Install VNC
 # curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download# 
 # sudo apt install gdebi-core
 # sudo gdebi turbovnc_2.2.5_amd64.deb
 # sudo killall Xvnc; /opt/TurboVNC/bin/vncserver -name kali -geometry 1920x1080 :4
 # systemctl enable ssh.service; service ssh start 
--- a/Show More
+++ b/Show More
		`@ -0,0 +1,2 @@`
							`fdesc /dev/fd fdescfs rw,auto 0 0`
							`proc /proc procfs rw,auto 0 0`
		`@ -0,0 +1 @@`
							`ldapadd -H ldaps://ldap.ahlawat.com -f $1 -D cn=admin,dc=infra -W`
		`@ -0,0 +1,2 @@`
							`# requrired to run other configured scripts`
							`/bin/sh /etc/rc`
		`@ -0,0 +1,2 @@`
							`MAILTO="sharad@diyit.org"`
							`5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /root/matomo-archive.log`
		`@ -0,0 +1 @@`
							`ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820`