updated for FreeBSD 12.2

This commit is contained in:
Sharad Ahlawat 2021-02-13 11:38:38 -08:00
parent bd3cffc61a
commit 5cee123a3c
121 changed files with 7315 additions and 624 deletions


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, diyIT.org Copyright (c) 2018-2021, diyIT.org
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without


@ -1,32 +1,63 @@
; ;
; Netatalk 3.x configuration file ; Netatalk 3.x configuration file
; ; http://netatalk.sourceforge.net/3.1/htmldocs/afp.conf.5.html
[Global] [Global]
; Global server settings ; Global server settings
hostname = atm hostname = atm
hosts allow = 192.168.0.0/24,192.168.100.0/24 afp listen = ::
afp listen = 0.0.0.0 mimic model = TimeCapsule6,106
uam list = uams_guest.so uams_dhx2_passwd.so
; locate uam # show all the uam modules
force xattr with sticky bit = yes
zeroconf = yes zeroconf = yes
afpstats = yes
ldap auth method = simple
;ldap auth dn = cn=admin,dc=infra
;ldap auth pw = notrequired
ldap server = ldap.ahlawat.com
ldap name attr = cn
ldap userbase = ou=people,dc=infra
ldap userscope = one
ldap uuid attr = uidNumber
ldap group attr = cn
ldap groupbase = ou=group,dc=infra
ldap groupscope = one
;ldap uuid attr = gidNumber #this is used both for users and groups.
; You can comment these 2 lines when your setup is working
;log level = default:maxdebug,afpdaemon:maxdebug,logger:maxdebug,uamsdaemon:maxdebug
log file = /var/log/afpd.log
[default_for_all_vol]
cnid scheme = dbd
appledouble = ea
ea = ad
; [Homes] ; [Homes]
; basedir regex = /xxxx ; basedir regex = /xxxx
; [My AFP Volume] [Sharad]
; path = /path/to/volume
[Sharad Time Machine Volume]
path = /mnt/sharad path = /mnt/sharad
valid users = sharad
time machine = yes time machine = yes
[Rachna Time Machine Volume] [Rachna]
path = /mnt/rachna path = /mnt/rachna
valid users = rachna
time machine = yes time machine = yes
[Nivi Time Machine Volume] [Nivi]
path = /mnt/nivi path = /mnt/nivi
valid users = nivi
time machine = yes time machine = yes
[Rishabh Time Machine Volume] [Rishabh]
path = /mnt/rishabh path = /mnt/rishabh
valid users = rishabh
time machine = yes time machine = yes
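Review bot: The new [Global] drops `hosts allow = 192.168.0.0/24,192.168.100.0/24` at the same time as it switches to `afp listen = ::` and adds `uams_guest.so` to `uam list`, so any host that can reach port 548 may now connect and attempt a guest login; the per-volume `valid users` lines keep guests out of the volumes, but the listener itself is no longer limited to the two LAN ranges (whether `::` also accepts IPv4 depends on the host's `net.inet6.ip6.v6only` setting). Unless the jail's firewall already restricts 548, keep `hosts allow = 192.168.0.0/24,192.168.100.0/24` in [Global] and drop `uams_guest.so` if guest access is not actually wanted. The `ldap auth method = simple` block binds anonymously (`ldap auth dn`/`ldap auth pw` are commented out) to `ldap server = ldap.ahlawat.com` with no transport-security option visible; if this netatalk build supports it, add `ldap ssl = ldaps` so the UUID lookups are not sent in clear, and state in a comment which server-side ACL permits the anonymous search.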


@ -0,0 +1,14 @@
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=Xserve</txt-record>
</service>
</service-group>
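Review bot: The `_device-info._tcp` record advertises `model=Xserve` while afp.conf in the same commit sets `mimic model = TimeCapsule6,106` together with `zeroconf = yes`, under which netatalk registers its own AFP and device-info records, so clients will see two advertisements that disagree. Either align this file with afp.conf (`<txt-record>model=TimeCapsule6,106</txt-record>`) or drop it and rely on netatalk's zeroconf registration. I am inferring the duplicate registration from `zeroconf = yes`; confirm with an mDNS browse against the running jail.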


@ -0,0 +1,15 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE ou=people,dc=infra
URI ldaps://ldap.ahlawat.com:636
ssl start_tls
tls_cacert /mnt/certs/cacert.pem
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
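Review bot: `URI ldaps://ldap.ahlawat.com:636` and `ssl start_tls` contradict each other: ldaps is TLS from the first byte, while StartTLS upgrades a plaintext ldap:// session, so depending on which library reads this file the `ssl` line is either ignored (OpenLDAP's ldap.conf(5) defines no `ssl` keyword) or the StartTLS attempt fails on an already-encrypted connection. Pick one transport: keep the ldaps URI and delete `ssl start_tls`, or use `URI ldap://ldap.ahlawat.com:389` with StartTLS. Make certificate checking explicit rather than relying on the library default: `TLS_REQCERT demand` for OpenLDAP (where `tls_cacert` is accepted as the case-insensitive spelling of `TLS_CACERT`), or `tls_checkpeer yes` plus `tls_cacertfile /mnt/certs/cacert.pem` for the PADL pam_ldap/nss_ldap dialect; which parser this copy is for cannot be told from the section alone, so a header comment naming it would help.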


@ -0,0 +1,3 @@
auth required /usr/local/lib/pam_ldap.so try_first_pass
account required /usr/local/lib/pam_ldap.so try_first_pass
session required /usr/local/lib/pam_ldap.so
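Review bot: This stack is LDAP-only on all three facilities, unlike the sshd stack in the same commit: there is no `pam_nologin.so` or `pam_login_access.so` in the account phase, so /var/run/nologin and login.access(5) do not apply to whichever service this file is for, and `try_first_pass` on the `account` line is a no-op because account modules never prompt. Consider `account required pam_nologin.so` ahead of the pam_ldap line so a maintenance lockout covers this service too. The service name is not visible in this section, so confirm the module set the consuming daemon actually needs.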

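--- a/jails/config/atm/nslcd.conf
+++ b/jails/config/atm/nslcd.conf
@@ -0,0 +1,142 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri ldaps://ldap.ahlawat.com:636
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+# The distinguished name of the search base.
+base ou=people,dc=infra
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+# The default search scope.
+#scope sub
+scope one
+#scope base
+# Customize certain database lookups.
+#base group ou=Groups,dc=example,dc=com
+#base passwd ou=People,dc=example,dc=com
+#base shadow ou=People,dc=example,dc=com
+#scope group onelevel
+#scope hosts sub
+# Bind/connect timelimit.
+#bind_timelimit 30
+# Search timelimit.
+#timelimit 30
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+# Use StartTLS without verifying the server certificate.
+ssl start_tls
+#tls_reqcert never
+# CA certificates for server certificate verification
+tls_cacertdir /mnt/certs
+tls_cacertfile /mnt/certs/cacert.pem
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map passwd uid msSFU30Name
+#map passwd userPassword msSFU30Password
+#map passwd homeDirectory msSFU30HomeDirectory
+#map passwd homeDirectory msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map shadow uid msSFU30Name
+#map shadow userPassword msSFU30Password
+#filter group (objectClass=Group)
+#map group member msSFU30PosixMember
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map passwd uid msSFUName
+#map passwd userPassword msSFUPassword
+#map passwd homeDirectory msSFUHomeDirectory
+#map passwd gecos msSFUName
+#filter shadow (objectClass=User)
+#map shadow uid msSFUName
+#map shadow userPassword msSFUPassword
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=Group)
+#map group member posixMember
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map passwd uid sAMAccountName
+#map passwd homeDirectory unixHomeDirectory
+#map passwd gecos displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map shadow uid sAMAccountName
+#map shadow shadowLastChange pwdLastSet
+#filter group (objectClass=group)
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map passwd uid cn
+#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map passwd homeDirectory "/home/$cn"
+#map passwd gecos displayName
+#map passwd loginShell "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map passwd uid userName
+#map passwd userPassword passwordChar
+#map passwd uidNumber uid
+#map passwd gidNumber gid
+#filter group (objectClass=aixAccessGroup)
+#map group cn groupName
+#map group gidNumber gid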
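Review bot: `uri ldaps://ldap.ahlawat.com:636` together with `ssl start_tls` asks nslcd to issue StartTLS on a connection that is already TLS; libldap rejects `ldap_start_tls_s` when TLS is in place, so I would expect nslcd to log a connect failure and passwd/group lookups to break rather than silently downgrade — if lookups work in practice, check the nslcd log for what actually happened. Use `ssl on` with the ldaps URI (or `uri ldap://ldap.ahlawat.com:389` with `ssl start_tls`) and set `tls_reqcert demand` explicitly instead of relying on the library default; the inherited `# Use StartTLS without verifying the server certificate.` comment above `ssl start_tls` is now misleading since `tls_reqcert never` is commented out. Separately, the global `base ou=people,dc=infra` with `scope one` also governs group lookups, while afp.conf in this commit puts groups under `ou=group,dc=infra`, so nsswitch's `group: files ldap` will not resolve LDAP groups and any file permissions granted by group will not apply; add `base group ou=group,dc=infra`.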


@ -0,0 +1,18 @@
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
#
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files


@ -0,0 +1,17 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE ou=people,dc=infra
URI ldaps://ldap.ahlawat.com:636
ssl start_tls
tls_cacert /mnt/certs/cacert.pem
pam_login_attribute cn
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
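Review bot: As in the other ldap.conf in this commit, `URI ldaps://ldap.ahlawat.com:636` and `ssl start_tls` are contradictory; since `pam_login_attribute cn` marks this copy as pam_ldap's dialect, use `ssl on` (or no `ssl` line) with the ldaps URI, and add `tls_checkpeer yes` and `tls_cacertfile /mnt/certs/cacert.pem` — pam_ldap's keywords, whereas `tls_cacert` is the OpenLDAP spelling — so the server certificate is actually verified against the CA. There is no `pam_groupdn` or `pam_filter`, so every entry under `ou=people,dc=infra` that can bind satisfies pam_ldap on any service that includes it (sshd does in this commit); if only some directory users should log in to this jail, add `pam_groupdn` with `pam_member_attribute`, or restrict with `AllowGroups` in sshd_config. Whether pam_ldap picks up TLS settings from the OpenLDAP ldap.conf is build-dependent, so test once with a wrong CA file to confirm verification is enforced.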


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10 priority: 10
} }
pkgp121: { pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/", url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http", mirror_type: "http",
signature_type: "pubkey", signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert", pubkey: "/mnt/certs/poudriere.cert",

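--- a/jails/config/atm/sshd
+++ b/jails/config/atm/sshd
@@ -0,0 +1,28 @@
+#
+# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
+#
+# PAM configuration for the "sshd" service
+#
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth sufficient /usr/local/lib/pam_ldap.so no_warn
+auth required pam_unix.so no_warn try_first_pass
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
+account required pam_unix.so
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass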
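Review bot: `auth sufficient /usr/local/lib/pam_ldap.so no_warn` admits any directory account that can bind, and the pam_ldap ldap.conf in this commit sets no `pam_groupdn`/`pam_filter`, so the `account required /usr/local/lib/pam_ldap.so` line here does not narrow who may log in; unless sshd_config carries `AllowUsers`/`AllowGroups`, all of `ou=people,dc=infra` can ssh into this jail. Gate it in one place — `pam_groupdn` in ldap.conf or `AllowGroups` in sshd_config — and say which in a comment above the auth line. The `password` phase lists only `pam_unix.so`, so LDAP users cannot change their password through this service; if that is intended, add `password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass` ahead of it. The `$FreeBSD: releng/12.1` tag is stale for a 12.2 update but harmless.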


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

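--- a/jails/config/cert/backup.sh
+++ b/jails/config/cert/backup.sh
@@ -0,0 +1 @@
+cp -r /root/.acme.sh /mnt/config/secret/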
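Review bot: The script copies the ACME account key and every issued private key from /root/.acme.sh into /mnt/config/secret/ with no control over the resulting modes: `cp -r` without `-p` creates new files with the source mode filtered by the caller's umask and leaves the modes of already-present files untouched, so the copy is only as private as /mnt/config/secret/ happens to be. Make the intent explicit and preserve modes: `#!/bin/sh`, `set -eu; umask 077`, `cp -Rp /root/.acme.sh /mnt/config/secret/`; also confirm /mnt/config/secret/ itself is root-owned 0700 and excluded from any backup or version control that covers /mnt/config. The file is marked executable but has no shebang, so how it is invoked (sh vs. direct exec) is currently left to the caller.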


@ -0,0 +1,77 @@
# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
# change it and explaining why.
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
# Server or server pool from which to fetch updates. You can change
# this to point at a specific server if you want, but in most cases
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org
# Components of the base system which should be kept updated.
#Components src world
Components world
# Example for updating the userland and the kernel source code only:
# Components src/base src/sys world
# Paths which start with anything matching an entry in an IgnorePaths
# statement will be ignored.
IgnorePaths
# Paths which start with anything matching an entry in an IDSIgnorePaths
# statement will be ignored by "freebsd-update IDS".
IDSIgnorePaths /usr/share/man/cat
IDSIgnorePaths /usr/share/man/whatis
IDSIgnorePaths /var/db/locate.database
IDSIgnorePaths /var/log
# Paths which start with anything matching an entry in an UpdateIfUnmodified
# statement will only be updated if the contents of the file have not been
# modified by the user (unless changes are merged; see below).
UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
# When upgrading to a new FreeBSD release, files which match MergeChanges
# will have any local changes merged into the version from the new release.
MergeChanges /etc/ /boot/device.hints
### Default configuration options:
# Directory in which to store downloaded updates and temporary
# files used by FreeBSD Update.
# WorkDir /var/db/freebsd-update
# Destination to send output of "freebsd-update cron" if an error
# occurs or updates have been downloaded.
# MailTo root
# Is FreeBSD Update allowed to create new files?
# AllowAdd yes
# Is FreeBSD Update allowed to delete files?
# AllowDelete yes
# If the user has modified file ownership, permissions, or flags, should
# FreeBSD Update retain this modified metadata when installing a new version
# of that file?
# KeepModifiedMetadata yes
# When upgrading between releases, should the list of Components be
# read strictly (StrictComponents yes) or merely as a list of components
# which *might* be installed of which FreeBSD Update should figure out
# which actually are installed and upgrade those (StrictComponents no)?
# StrictComponents no
# When installing a new kernel perform a backup of the old one first
# so it is possible to boot the old kernel in case of problems.
# BackupKernel yes
# If BackupKernel is enabled, the backup kernel is saved to this
# directory.
# BackupKernelDir /boot/kernel.old
# When backing up a kernel also back up debug symbol files?
# BackupKernelSymbolFiles no
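Review bot: `Components world` drops `kernel` and `src` from the stock `Components src world kernel` list with no comment saying why; inside a jail that is the right choice, because the jail runs the host's kernel and freebsd-update would otherwise try to fetch one, but anyone who copies this file to a host would silently stop receiving kernel security updates. Add `# Jail: no kernel component, the shared kernel is updated from the host` above the `Components world` line. The file path is not shown in this section, so the jail context is inferred from the repository layout; if this copy is for a host, restore `Components src world kernel`.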


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10 priority: 10
} }
pkgp121: { pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/", url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http", mirror_type: "http",
signature_type: "pubkey", signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert", pubkey: "/mnt/certs/poudriere.cert",


@ -1,6 +1,6 @@
#! /usr/local/bin/bash #! /usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,5 +1,5 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# $FreeBSD: releng/12.1/crypto/openssh/sshd_config 338561 2018-09-10 16:20:12Z des $ # $FreeBSD: releng/12.2/crypto/openssh/sshd_config 360313 2020-04-25 15:38:48Z emaste $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
@ -105,7 +105,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#PermitTunnel no #PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
#UseBlacklist no #UseBlacklist no
#VersionAddendum FreeBSD-20180909 #VersionAddendum FreeBSD-20200214
# no default banner path # no default banner path
#Banner none #Banner none


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,99 +1,13 @@
# Example MySQL config file for small systems.
# #
# This is for a system with little memory (<= 64M) where MySQL is only used # This group is read both by the client and the server
# from time to time and it's important that the mysqld daemon # use it for options that affect everything, see
# doesn't use much resources. # https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
# #
# MySQL programs look for option files in a set of [client-server]
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306 port = 3306
socket = /tmp/mysql.sock socket = /var/run/mysql/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
bind-address = *
port = 3306
socket = /tmp/mysql.sock
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (using the "enable-named-pipe" option) will render mysqld useless!
# #
#skip-networking # include *.cnf from the config directory
server-id = 1 #
!includedir /usr/local/etc/mysql/conf.d/
# Uncomment the following if you want to log updates
#log-bin=mysql-bin
# binary logging format - mixed recommended
binlog_format=ROW
# Causes updates to non-transactional engines using statement format to be
# written directly to binary log. Before using this option make sure that
# there are no dependencies between transactional and non-transactional
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
# t_innodb; otherwise, slaves may diverge from the master.
#binlog_direct_non_transactional_updates=TRUE
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/db/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql-log
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 250M
#innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 2
#innodb_lock_wait_timeout = 50
innodb_doublewrite = 0
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
log-error = /var/db/mysql-log/error.log
log_bin = /var/db/mysql-log/binlog
relay_log = /var/db/mysql-log/relay-bin
expire_logs_days = 7
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
[mysqlhotcopy]
interactive-timeout
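Review bot: The new `!includedir /usr/local/etc/mysql/conf.d/` makes every `*.cnf` in that directory part of the server configuration, so the directory's ownership and mode now matter as much as my.cnf's: anyone who can drop a file there can set `plugin_load`, `init_file` or `secure_file_priv` for the next restart. Verify the directory is root-owned and not writable by the `mysql` user (MariaDB skips world-writable option files but not files writable by the daemon's own account), and record that requirement in a comment above the `!includedir` line. The settings that used to live in this file (`bind-address`, `datadir`, the InnoDB tuning) now come from server.cnf in the same commit; a one-line comment pointing there would help the next reader.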


@ -0,0 +1,99 @@
# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
#
# MySQL programs look for option files in a set of
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306
socket = /tmp/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
bind-address = *
port = 3306
socket = /tmp/mysql.sock
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (using the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
server-id = 1
# Uncomment the following if you want to log updates
#log-bin=mysql-bin
# binary logging format - mixed recommended
binlog_format=ROW
# Causes updates to non-transactional engines using statement format to be
# written directly to binary log. Before using this option make sure that
# there are no dependencies between transactional and non-transactional
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
# t_innodb; otherwise, slaves may diverge from the master.
#binlog_direct_non_transactional_updates=TRUE
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/db/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql-log
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 250M
#innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 2
#innodb_lock_wait_timeout = 50
innodb_doublewrite = 0
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
log-error = /var/db/mysql-log/error.log
log_bin = /var/db/mysql-log/binlog
relay_log = /var/db/mysql-log/relay-bin
expire_logs_days = 7
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
[mysqlhotcopy]
interactive-timeout
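Review bot: This new file is a verbatim copy of the my.cnf the same commit replaces, including `bind-address = *`, `innodb_checksum_algorithm = none` and `innodb_doublewrite = 0`, and its path is not visible in this section. If it is kept only as a reference copy, it must not carry a `.cnf` suffix under the new `!includedir /usr/local/etc/mysql/conf.d/`, or mysqld will merge a second [mysqld] section with server.cnf and the last definition of each option silently wins. If it is live, the disabled page checksums and doublewrite buffer remove InnoDB's own corruption detection without the ZFS rationale that server.cnf documents. A header comment stating which of the two this file is would settle it.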


@ -0,0 +1,90 @@
# Options specific to server applications, see
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
# Options specific to all server programs
[server]
# Options specific to MariaDB server programs
[server-mariadb]
#
# Options for specific server tools
#
[mysqld]
user = mysql
# port = 3306 # set in /usr/local/etc/mysql/my.cnf
# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
bind-address = *
basedir = /usr/local
datadir = /var/db/mysql
net_retry_count = 16384
# [mysqld] configuration for ZFS
# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
# Create separate datasets for data and logs, eg
# zroot/mysql compression=on recordsize=128k atime=off
# zroot/mysql/data recordsize=16k
# zroot/mysql/logs
datadir = /var/db/mysql
innodb_log_group_home_dir = /var/db/mysql-log
#audit_log_file = /var/db/mysql-log/audit.log
general_log_file = /var/db/mysql-log/general.log
log_bin = /var/db/mysql-log/mysql-bin
relay_log = /var/db/mysql-log/relay-log
slow_query_log_file = /var/db/mysql-log/slow.log
innodb_doublewrite = 0
innodb_flush_method = O_DSYNC
##
log-error = /var/db/mysql-log/error.log
### custom optimizations
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
server-id = 1
binlog_format=ROW
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
innodb_log_file_size = 250M
innodb_flush_log_at_trx_commit = 2
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
expire_logs_days = 7
###
# Options read by `mysqld_safe`
# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
[mariadb_safe]
# Options read my `mariabackup`
[mariabackup]
# Options read by `mysql_upgrade`
# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
[mariadb-upgrade]
# Specific options read by the mariabackup SST method
[sst]
# Options read by `mysqlbinlog`
# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
[mariadb-binlog]
# Options read by `mysqladmin`
# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
[mariadb-admin]
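Review bot: `[mysqld]` sets `datadir = /var/db/mysql` twice (under basedir and again in the ZFS block) and `slow_query_log_file = /var/db/mysql-log/slow.log` twice; MariaDB takes the last occurrence, so it works today, but a future edit to the first copy is silently ignored — keep one of each. `bind-address = *` exposes 3306 on every address of the jail while no `ssl-ca`/`ssl-cert`/`ssl-key` (or `require_secure_transport`, where the MariaDB version supports it) is set, so remote clients authenticate in clear; if only local clients connect use `skip-networking` or `bind-address = 127.0.0.1`, otherwise configure TLS with the certificates already present under /mnt/certs. `general_log_file` is configured; when the general log is turned on it records full statement text, so check whether this MariaDB version redacts `IDENTIFIED BY` clauses and keep /var/db/mysql-log readable by the mysql user only. The `innodb_checksum_algorithm = none` / `innodb_doublewrite = 0` pair is defensible on ZFS as the comment block says, but only if the datasets really are laid out as listed there.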


@ -36,7 +36,6 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
xpack.security.transport.ssl.key: certs/diyprivkeyr.pem xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
xpack.security.transport.ssl.certificate: certs/diyfullchain.pem xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
# #
# ----------------------------------- Paths ------------------------------------ # ----------------------------------- Paths ------------------------------------
# #
@ -76,16 +75,17 @@ network.host: _epair0b_
# #
# --------------------------------- Discovery ---------------------------------- # --------------------------------- Discovery ----------------------------------
# #
# Pass an initial list of hosts to perform discovery when new node is started: # Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"] # The default list of hosts is ["127.0.0.1", "[::1]"]
# #
#discovery.zen.ping.unicast.hosts: ["host1", "host2"] #discovery.seed_hosts: ["host1", "host2"]
# #
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1): # Bootstrap the cluster using an initial set of master-eligible nodes:
# #
#discovery.zen.minimum_master_nodes: cluster.initial_master_nodes: ["node-1"]
#cluster.initial_master_nodes: ["node-1", "node-2"]
# #
# For more information, consult the zen discovery module documentation. # For more information, consult the discovery and cluster formation module documentation.
# #
# ---------------------------------- Gateway ----------------------------------- # ---------------------------------- Gateway -----------------------------------
# #
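Review bot: `cluster.initial_master_nodes: ["node-1"]` is now active (the `["node-1", "node-2"]` variant stays commented), but per the Elasticsearch discovery documentation this setting is meant only for the first cluster bootstrap and should be removed once the cluster has formed; left in place, a node that restarts with an emptied data path will bootstrap a brand-new cluster under the same name instead of refusing to start. Add `# remove after first successful bootstrap` above the line, or comment it out once the node has joined. `discovery.seed_hosts` remains commented, which is consistent with a single node on `network.host: _epair0b_`; the TLS settings in the context lines are unchanged by this commit.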

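--- a/jails/config/elk/fstab
+++ b/jails/config/elk/fstab
@@ -0,0 +1,2 @@
+fdesc /dev/fd fdescfs rw,auto 0 0
+proc /proc procfs rw,auto 0 0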
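Review bot: Mounting `procfs` read-write inside the elk jail widens what the jail can see (`/proc/<pid>/` state for every process visible to it) and requires `allow.mount.procfs` in the jail parameters; as far as I know the JVM that Elasticsearch runs on does not need /proc on FreeBSD, whereas `fdescfs` is commonly required for `/dev/fd/*`. Confirm which component actually reads /proc by removing the line in a test run, and if something does need it, mount it read-only: `proc /proc procfs ro,auto 0 0`. The file has no comments; one line naming the consumer of each mount would save the next person the same investigation.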


@ -24,8 +24,7 @@ heartbeat.monitors:
- type: http - type: http
# List or urls to query # List or urls to query
#urls: ["http://localhost:9200"] urls: ["https://cloud.google.com","https://azure.microsoft.com","https://aws.amazon.com"]
urls: ["https://google.com","https://aws.amazon.com"]
# Configure task schedule # Configure task schedule
schedule: '@every 10s' schedule: '@every 10s'
@ -56,46 +55,6 @@ setup.template.settings:
# env: staging # env: staging
#================================= Paths ======================================
# The home path for the filebeat installation. This is the default base path
# for all other path settings and for miscellaneous files that come with the
# distribution (for example, the sample dashboards).
# If not set by a CLI flag or in the configuration file, the default for the
# home path is the location of the binary.
#path.home:
# The configuration path for the filebeat installation. This is the default
# base path for configuration files, including the main YAML configuration file
# and the Elasticsearch template file. If not set by a CLI flag or in the
# configuration file, the default for the configuration path is the home path.
#path.config: ${path.home}
# The data path for the filebeat installation. This is the default base path
# for all the files in which filebeat needs to store its data. If not set by a
# CLI flag or in the configuration file, the default for the data path is a data
# subdirectory inside the home path.
#path.data: ${path.home}/data
# The logs path for a filebeat installation. This is the default location for
# the Beat's log files. If not set by a CLI flag or in the configuration file,
# the default for the logs path is a logs subdirectory inside the home path.
#path.logs: ${path.home}/logs
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false
#setup.dashboards.enabled: true
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#============================== Kibana ===================================== #============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
@ -106,9 +65,7 @@ setup.kibana:
# Scheme and port can be left out and will be set to the default (http and 5601) # Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path # In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601" host: "http://elk.diyit.org:5601"
#host: "https://kibanax.diyit.org:443"
host: "http://kibanax.diyit.org:5601"
# Kibana Space ID # Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default, # ID of the Kibana Space into which the dashboards should be loaded. By default,
@ -117,7 +74,7 @@ setup.kibana:
#============================= Elastic Cloud ================================== #============================= Elastic Cloud ==================================
# These settings simplify using heartbeat with the Elastic Cloud (https://cloud.elastic.co/). # These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options. # `setup.kibana.host` options.
@ -137,36 +94,40 @@ setup.kibana:
# Array of hosts to connect to. # Array of hosts to connect to.
#hosts: ["localhost:9200"] #hosts: ["localhost:9200"]
# Enabled ilm (beta) to use index lifecycle management instead daily indices. # Protocol - either `http` (default) or `https`.
#ilm.enabled: false
# Optional protocol and basic auth credentials.
#protocol: "https" #protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
#username: "elastic" #username: "elastic"
#password: "changeme" #password: "changeme"
#----------------------------- Logstash output -------------------------------- #----------------------------- Logstash output --------------------------------
output.logstash: output.logstash:
# The Logstash hosts # The Logstash hosts
hosts: ["kibanax.diyit.org:5044"] hosts: ["elk.diyit.org:5044"]
# Optional SSL. By default is off. # Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications # List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] #ssl.certificate_authorities: ["/mnt/certs/cacert.pem"]
# Certificate for SSL client authentication # Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem" #ssl.certificate: "/mnt/certs/diyfullchain.pem"
# Client Certificate Key # Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key" #ssl.key: "/mnt/certs/diyprivkeyr.pem"
#================================ Processors ===================================== #================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors: processors:
- add_host_metadata: ~ - add_observer_metadata:
- add_cloud_metadata: ~ # Optional, but recommended geo settings for the location Heartbeat is running in
#geo:
# Token describing this location
#name: us-east-1a
# Lat, Lon "
#location: "37.926868, -78.024902"
#================================ Logging ===================================== #================================ Logging =====================================
@ -178,20 +139,30 @@ processors:
# To enable all selectors use ["*"]. Examples of other selectors are "beat", # To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service". # "publish", "service".
#logging.selectors: ["*"] #logging.selectors: ["*"]
logging.to_syslog: true
logging.to_files: false
#============================== Xpack Monitoring =============================== #============================== X-Pack Monitoring ===============================
# heartbeat can export internal metrics to a central Elasticsearch monitoring # heartbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default. # reporting is disabled by default.
# Set to true to enable the monitoring reporter. # Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false #monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the # Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is # Elasticsearch output are accepted here as well.
# automatically inherited from the Elasticsearch output configuration, so if you # Note that the settings should point to your Elasticsearch *monitoring* cluster.
# have the Elasticsearch output configured, you can simply uncomment the # Any setting that is not set is automatically inherited from the Elasticsearch
# following line. # output configuration, so if you have the Elasticsearch output configured such
#xpack.monitoring.elasticsearch: # that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
#================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

77
jails/config/elk/jvm.options Executable file

@ -0,0 +1,77 @@
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms4g
-Xmx4g
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:${ES_TMPDIR}/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=${ES_TMPDIR}/gc.log:utctime,pid,tags:filecount=32,filesize=64m
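Review bot: `-XX:HeapDumpPath=data` and `-XX:ErrorFile=logs/hs_err_pid%p.log` are relative paths, so where the dump and the fatal-error log land depends on the JVM's working directory at start, which nothing in this file fixes. A heap dump of a running Elasticsearch node contains whatever the process held in memory, including indexed documents and any credentials it had loaded, so the target should be an absolute, pre-created directory readable only by the service account; the rc script added in this commit appears to prepare `/var/db/elasticsearch` for that user, so `-XX:HeapDumpPath=/var/db/elasticsearch` (or another path of your choosing) would be a reasonable replacement. The comment above the line already says "ensure the directory exists and has sufficient space"; adding "and is owned by the elasticsearch user with mode 700" would make the expectation explicit.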


@ -25,7 +25,7 @@ server.host: "::"
server.name: "kibana.diyit.org" server.name: "kibana.diyit.org"
# The URLs of the Elasticsearch instances to use for all your queries. # The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["https://kibanax.diyit.org:9200"] elasticsearch.hosts: ["https://elk.diyit.org:9200"]
# When this setting's value is true Kibana uses the hostname specified in the server.host # When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host # setting. When the value of this setting is false, Kibana uses the hostname of the host
@ -53,7 +53,8 @@ server.ssl.certificate: /mnt/certs/diyfullchain.pem
server.ssl.key: /mnt/certs/diyprivkeyr.pem server.ssl.key: /mnt/certs/diyprivkeyr.pem
# Optional settings that provide the paths to the PEM-format SSL certificate and key files. # Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files. # These files are used to verify the identity of Kibana to Elasticsearch and are required when
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt #elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key #elasticsearch.ssl.key: /path/to/your/client.key
@ -110,4 +111,5 @@ elasticsearch.ssl.verificationMode: full
#ops.interval: 5000 #ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats. # Specifies locale to be used for all localizable strings, dates and number formats.
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
#i18n.locale: "en" #i18n.locale: "en"


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -10,6 +10,7 @@ input {
beats { beats {
port => 5044 port => 5044
ssl => false ssl => false
#https://discuss.elastic.co/t/problem-with-cipher-in-beat-input/67841
ssl_key => '/mnt/certs/diyprivkeyr.pem' ssl_key => '/mnt/certs/diyprivkeyr.pem'
ssl_certificate => '/mnt/certs/diyfullchain.pem' ssl_certificate => '/mnt/certs/diyfullchain.pem'
ssl_certificate_authorities => ["/mnt/certs/cacert.pem"] ssl_certificate_authorities => ["/mnt/certs/cacert.pem"]
@ -22,7 +23,7 @@ output {
ssl => true ssl => true
ssl_certificate_verification => true ssl_certificate_verification => true
cacert => '/mnt/certs/cacert.pem' cacert => '/mnt/certs/cacert.pem'
hosts => ["https://kibanax.diyit.org:9200"] hosts => ["https://elk.diyit.org:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
user => "elastic" user => "elastic"
password => "${es_pwd}" password => "${es_pwd}"
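Review bot: The beats input keeps `ssl => false`, so the `ssl_key`, `ssl_certificate` and `ssl_certificate_authorities` lines below it are inert and the input accepts plaintext on port 5044; the heartbeat.yml in this commit leaves its `output.logstash` `ssl.*` settings commented out, which is consistent with that. The new comment is a bare URL that does not say what was decided, so a reader cannot tell whether plaintext is intentional or a workaround; a one-line comment above the link such as `# TLS intentionally disabled on this input pending the cipher issue below; ssl_* settings are inert until ssl => true` would record that. Note also that the output block reads its password as `${es_pwd}`, which is the pattern the logstash.yml in this commit should follow as well.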


@ -16,7 +16,6 @@
# #
# Use a descriptive name for the node: # Use a descriptive name for the node:
# #
# node.name: test
node.name: logstash node.name: logstash
# #
# If omitted the node name will default to the machine's host name # If omitted the node name will default to the machine's host name
@ -26,7 +25,6 @@ node.name: logstash
# Which directory should be used by logstash and its plugins # Which directory should be used by logstash and its plugins
# for any persistent needs. Defaults to LOGSTASH_HOME/data # for any persistent needs. Defaults to LOGSTASH_HOME/data
# #
# path.data:
path.data: /var/db/logstash path.data: /var/db/logstash
# #
# ------------ Pipeline Settings -------------- # ------------ Pipeline Settings --------------
@ -40,7 +38,7 @@ path.data: /var/db/logstash
# #
# This defaults to the number of the host's CPU cores. # This defaults to the number of the host's CPU cores.
# #
pipeline.workers: 8 pipeline.workers: 4
# #
# How many events to retrieve from inputs before sending to filters+workers # How many events to retrieve from inputs before sending to filters+workers
# #
@ -207,7 +205,6 @@ path.config: /usr/local/etc/logstash/logstash.conf
# * trace # * trace
# #
# log.level: info # log.level: info
#log.level: debug
# path.logs: # path.logs:
# #
# ------------ Other Settings -------------- # ------------ Other Settings --------------
@ -215,17 +212,24 @@ path.config: /usr/local/etc/logstash/logstash.conf
# Where to find custom plugins # Where to find custom plugins
# path.plugins: [] # path.plugins: []
# #
# Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
# Default is false
# pipeline.separate_logs: false
#
# ------------ X-Pack Settings (not applicable for OSS build)-------------- # ------------ X-Pack Settings (not applicable for OSS build)--------------
# #
# X-Pack Monitoring # X-Pack Monitoring
# https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html # https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
xpack.monitoring.enabled: true xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.username: logstash_system xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: a746MPWa1AVieOJlDtM2 xpack.monitoring.elasticsearch.password: a746MPWa1AVieOJlDtM2
xpack.monitoring.elasticsearch.hosts: ["https://kibanax.diyit.org:9200"] xpack.monitoring.elasticsearch.hosts: ["https://elk.diyit.org:9200"]
#xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"] #xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.pem" # an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
#xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file #xpack.monitoring.elasticsearch.cloud_id: monitoring_cluster_id:xxxxxxxxxx
#xpack.monitoring.elasticsearch.cloud_auth: logstash_system:password
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.crt"
#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
#xpack.monitoring.elasticsearch.ssl.truststore.password: password #xpack.monitoring.elasticsearch.ssl.truststore.password: password
#xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file #xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
#xpack.monitoring.elasticsearch.ssl.keystore.password: password #xpack.monitoring.elasticsearch.ssl.keystore.password: password
@ -241,6 +245,9 @@ xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
#xpack.management.elasticsearch.username: logstash_admin_user #xpack.management.elasticsearch.username: logstash_admin_user
#xpack.management.elasticsearch.password: password #xpack.management.elasticsearch.password: password
#xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"] #xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
#xpack.management.elasticsearch.cloud_id: management_cluster_id:xxxxxxxxxx
#xpack.management.elasticsearch.cloud_auth: logstash_admin_user:password
#xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ] #xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
#xpack.management.elasticsearch.ssl.truststore.path: /path/to/file #xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
#xpack.management.elasticsearch.ssl.truststore.password: password #xpack.management.elasticsearch.ssl.truststore.password: password
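Review bot: `xpack.monitoring.elasticsearch.password:` carries a literal credential in a committed configuration file, while logstash.conf in the same commit reads its Elasticsearch password as `${es_pwd}`; use the same keystore/environment reference here, for example `xpack.monitoring.elasticsearch.password: ${logstash_system_pwd}` (name of your choosing), and treat the value already in the repository history as exposed and rotate it. Separately, the CA path becomes `/mnt/certs/cacert.crt` while logstash.conf and heartbeat.yml in this commit reference `/mnt/certs/cacert.pem`; this is inert now that `xpack.monitoring.enabled: false`, but re-enabling monitoring will fail certificate verification unless the `.crt` file actually exists. If the rename is intentional, a comment stating which file it is would save the next reader the check.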


@ -0,0 +1,130 @@
#!/bin/sh
#
# $FreeBSD: head/textproc/elasticsearch7/files/elasticsearch.in 538703 2020-06-13 22:41:04Z glewis $
#
# PROVIDE: elasticsearch
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON
# KEYWORD: shutdown
#
# Add the following line to /etc/rc.conf to enable elasticsearch:
#
# elasticsearch_enable="YES"
#
# elasticsearch_user (username): Set to elasticsearch by default.
# Set it to required username.
# elasticsearch_group (group): Set to elasticsearch by default.
# Set it to required group.
# elasticsearch_config (path): Set to /usr/local/etc/elasticsearch/elasticsearch.yml by default.
# Set it to the config file location.
# elasticsearch_java_home (path): Set to /usr/local/openjdk8 by default.
# Set it to the root of the JDK to use.
#
. /etc/rc.subr
name=elasticsearch
rcvar=elasticsearch_enable
load_rc_config ${name}
: ${elasticsearch_enable:=NO}
: ${elasticsearch_user=elasticsearch}
: ${elasticsearch_group=elasticsearch}
: ${elasticsearch_config=/usr/local/etc/elasticsearch}
: ${elasticsearch_login_class=root}
: ${elasticsearch_java_home="/usr/local/openjdk11"}
required_files="${elasticsearch_config}/elasticsearch.yml"
_pidprefix=/var/run/elasticsearch/elasticsearch
pidfile=${_pidprefix}.pid
procname=${elasticsearch_java_home}/bin/java
extra_commands="console status"
console_cmd=elasticsearch_console
start_precmd=elasticsearch_precmd
command=/usr/local/lib/elasticsearch/bin/elasticsearch
command_args="-d --pidfile=${pidfile}"
export ES_PATH_CONF=${elasticsearch_config}
export JAVA_HOME=${elasticsearch_java_home}
elasticsearch_precmd()
{
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 ${pidfile%/*}
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/db/elasticsearch
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/log/elasticsearch
}
elasticsearch_console()
{
command_args=""
run_rc_command "start"
}
if [ -n "$2" ]; then
profile="$2"
if [ "x${elasticsearch_profiles}" != "x" ]; then
eval elasticsearch_config="\${elasticsearch_${profile}_config:-}"
if [ "x${elasticsearch_config}" = "x" ]; then
echo "You must define a configuration (elasticsearch_${profile}_config)"
exit 1
fi
export ES_PATH_CONF=${elasticsearch_config}
required_files="${elasticsearch_config}/elasticsearch.yml"
required_files="${elasticsearch_config}/jvm.options"
eval elasticsearch_enable="\${elasticsearch_${profile}_enable:-${elasticsearch_enable}}"
pidfile="${_pidprefix}.${profile}.pid"
command_args="-d --pidfile=${pidfile}"
echo "===> elasticsearch profile: ${profile}"
else
echo "$0: extra argument ignored"
fi
else
if [ "x${elasticsearch_profiles}" != "x" -a "x$1" != "x" ]; then
for profile in ${elasticsearch_profiles}; do
eval _enable="\${elasticsearch_${profile}_enable}"
case "x${_enable:-${elasticsearch_enable}}" in
x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
continue
;;
x[Yy][Ee][Ss])
;;
*)
if test -z "$_enable"; then
_var=elasticsearch_enable
else
_var=elasticsearch_"${profile}"_enable
fi
echo "Bad value" \
"'${_enable:-${elasticsearch_enable}}'" \
"for ${_var}. " \
"Profile ${profile} skipped."
continue
;;
esac
/usr/local/etc/rc.d/elasticsearch $1 ${profile}
retcode="$?"
if [ "0${retcode}" -ne 0 ]; then
failed="${profile} (${retcode}) ${failed:-}"
else
success="${profile} ${success:-}"
fi
done
exit 0
fi
fi
if [ "x${elasticsearch_mem_min}" != "x" ]; then
echo "The elasticsearch_mem_min variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
exit 1;
fi
if [ "x${elasticsearch_mem_max}" != "x" ]; then
echo "The elasticsearch_mem_max variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
exit 1;
fi
if [ "x${elasticsearch_props}" != "x" ]; then
echo "The elasticsearch_props variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
exit 1;
fi
run_rc_command "$1"
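Review bot: In the profile branch, `required_files="${elasticsearch_config}/jvm.options"` overwrites the assignment on the line directly above it, so in profile mode only jvm.options is checked and a missing elasticsearch.yml is no longer caught before the daemon starts; combine them: `required_files="${elasticsearch_config}/elasticsearch.yml ${elasticsearch_config}/jvm.options"`. The header comment also still documents `elasticsearch_java_home (path): Set to /usr/local/openjdk8 by default.` while the script sets `: ${elasticsearch_java_home="/usr/local/openjdk11"}`; update the comment so rc.conf editors see the real default.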

121
jails/config/elk/rc.d/logstash Executable file

@ -0,0 +1,121 @@
#!/bin/sh
# Configuration settings for logstash in /etc/rc.conf:
#
# PROVIDE: logstash
# REQUIRE: DAEMON
# BEFORE: LOGIN
# KEYWORD: shutdown
#
# logstash_enable (bool):
# Default value: "NO"
# Flag that determines whether Logstash is enabled.
#
# logstash_home (string):
# Default value: "/usr/local/logstash"
# Logstash installation directory.
#
# logstash_config (string):
# Default value: /usr/local/etc/${name}
# Logstash configuration path.
#
# logstash_log (bool):
# Set to "NO" by default.
# Set it to "YES" to enable logstash logging to file
# Default output to /var/log/logstash.log
#
# logstash_log_file (string):
# Default value: "${logdir}/${name}.log"
# Log file path.
#
# logstash_java_home (string):
# Default value: "/usr/local/openjdk8"
# Root directory of the desired Java SDK.
# The JAVA_HOME environment variable is set with the contents of this
# variable.
#
# logstash_java_opts (string):
# Default value: ""
# Options to pass to the Java Virtual Machine.
# The JAVA_OPTS environment variable is set with the contents of this
# variable.
#
# logstash_opts (string):
# Default value: ""
# Additional command line flags for logstash, eg. "-r"
#
. /etc/rc.subr
name=logstash
rcvar=logstash_enable
load_rc_config ${name}
logdir="/var/log"
: ${logstash_enable="NO"}
: ${logstash_user="logstash"}
: ${logstash_group="logstash"}
: ${logstash_home="/usr/local/logstash"}
: ${logstash_config="/usr/local/etc/logstash"}
: ${logstash_log="YES"}
: ${logstash_log_dir="${logdir}/${name}"}
: ${logstash_java_home="/usr/local/openjdk11"}
: ${logstash_java_opts=""}
: ${logstash_opts=""}
pidfile=/var/run/${name}/${name}.pid
extra_commands="configtest reload"
start_precmd="logstash_precmd"
configtest_cmd=configtest
logstash_cmd="${logstash_home}/bin/logstash"
procname="${logstash_java_home}/bin/java"
logstash_chdir=${logstash_home}
logstash_log_options=""
if checkyesno logstash_log; then
logstash_log_options=" -l ${logstash_log_dir}"
fi
logstash_args="--path.settings ${logstash_config} ${logstash_log_options} ${logstash_opts}"
JAVA_OPTS="${logstash_java_opts}"
JAVA_HOME="${logstash_java_home}"
export JAVA_OPTS
export JAVA_HOME
command="/usr/sbin/daemon"
command_args="-f -p ${pidfile} ${logstash_cmd} ${logstash_args}"
required_files="${logstash_home} ${logstash_java_home} ${logstash_cmd} ${logstash_config}"
# Include /usr/local/bin in path because Logstash startup scripts
# assume bash is in path.
PATH=/usr/local/bin:$PATH
logstash_precmd()
{
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${pidfile%/*}
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${logstash_log_dir}
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/db/logstash
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/run/logstash
if [ -d ${logstash_home}/data/queue ]; then
chown ${logstash_user}:${logstash_group} ${logstash_home}/data/queue
fi
}
configtest()
{
echo "${name} configtest:"
echo "WARNING: this does not check validity of Grok patterns!"
echo "WARNING: this does not check validity of Grok patterns!"
echo "WARNING: this does not check validity of Grok patterns!"
${logstash_cmd} --path.settings ${logstash_config} --config.test_and_exit
}
run_rc_command "$1"
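Review bot: The header documentation disagrees with the script body in three places: `logstash_log` is documented as `Set to "NO" by default.` but the script sets `: ${logstash_log="YES"}`; the documented `logstash_log_file (string):` variable is never read, the script uses `logstash_log_dir` and passes it as `-l ${logstash_log_dir}`; and `logstash_java_home` is documented with `Default value: "/usr/local/openjdk8"` while the default is `/usr/local/openjdk11`. These comments are what an operator reads before editing rc.conf, so the three entries should be corrected to the actual names and defaults. The triple `echo "WARNING: this does not check validity of Grok patterns!"` in `configtest` is presumably deliberate emphasis; if so, a short comment saying that would stop it being "fixed" later.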


@ -0,0 +1,7 @@
ps axww | grep logstash
echo press any key to continue - ctrl-c to abort
read X
mount proc
service logstash start
#/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
ps axww | grep logstash
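Review bot: The script has no shebang and no error handling, so if `mount proc` fails the `service logstash start` line runs anyway; add `#!/bin/sh` and `set -e` at the top so a failed mount stops the sequence, or note in a comment that proc may already be mounted and the error is expected. `ps axww | grep logstash` also matches the grep process itself; `ps axww | grep '[l]ogstash'` avoids that.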


@ -0,0 +1,3 @@
cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs
cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs
service elasticsearch restart
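Review bot: `cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs` copies the private key (`diyprivkeyr.pem`, per the paths kibana.yml and logstash.conf in this commit use) together with the chain, but nothing sets ownership or mode on the copies, so the key ends up with whatever the source mode, the umask or a pre-existing destination file grants. After the copies, restrict it to the service account, for example `chown elasticsearch:elasticsearch /usr/local/etc/elasticsearch/certs/*` and `chmod 600 /usr/local/etc/elasticsearch/certs/diyprivkeyr.pem` (the account name matches the `elasticsearch_user` default in the rc script added in this commit). A `#!/bin/sh` line with `set -e` would also keep the restart from running when a copy fails.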


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, diyIT.org Copyright (c) 2018-2021, diyIT.org
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, diyIT.org Copyright (c) 2018-2021, diyIT.org
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without


@ -0,0 +1,12 @@
unbind C-b
set -g prefix C-a
bind C-a send-prefix
setw -g mouse on
# Set the default terminal mode to 256color mode
set -g default-terminal "xterm-256color"
# enable activity alerts
setw -g monitor-activity on
set -g visual-activity on

15
jails/config/hass/hass.sh Executable file

@ -0,0 +1,15 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# ./hass.sh under tmux
cd /data/homeassistant/
source bin/activate
hass
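Review bot: `cd /data/homeassistant/` is not checked, so if the directory is missing or unreadable `source bin/activate` is resolved against the caller's working directory and `hass` then runs whatever is on PATH instead of the virtualenv's binary; `cd /data/homeassistant/ || exit 1` makes the failure visible instead. The `# ./hass.sh under tmux` comment correctly describes how startsessions.sh in this commit invokes the file.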

15
jails/config/hass/heyu.sh Executable file

@ -0,0 +1,15 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# ./hass.sh under tmux
heyu start
heyu info
heyu monitor
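Review bot: The header comment `# ./hass.sh under tmux` was carried over from hass.sh; this file is heyu.sh and startsessions.sh in this commit launches it as `./heyu.sh`, so the comment should read `# ./heyu.sh under tmux`. A one-line note on why `heyu start`, `heyu info` and `heyu monitor` are run in that order (the monitor keeps the tmux window occupied) would also help someone reading the session layout.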


@ -0,0 +1,4 @@
# requrired to run other configured scripts
/bin/sh /etc/rc
# launch tmux with jails
/mnt/config/startsessions.sh
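Review bot: The comment `# requrired to run other configured scripts` has a typo; `# required to run other configured scripts`. The file has no shebang and no `set -e`, so a failure in `/bin/sh /etc/rc` does not stop `/mnt/config/startsessions.sh` from running; if that is the intended behaviour, a comment saying so would make it clear, otherwise `set -e` at the top fixes it.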


@ -0,0 +1,31 @@
#!/bin/sh
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
session="sess_tmux"
# set up tmux
tmux start-server
# create a new tmux session, naming the window freepbx
tmux new-session -d -s $session -n hass
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./hass.sh" C-m
# create a new window windows
tmux new-window -t $session:1 -n heyu
tmux selectp -t 1
tmux send-keys "cd /mnt/config;./heyu.sh" C-m
# return to main window
tmux select-window -t $session:0
tmux selectp -t 1
# Finished setup, attach to the tmux session!
#tmux attach-session -t $session
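Review bot: The comment `# create a new tmux session, naming the window freepbx` does not match the line under it, which names the window `hass` (`tmux new-session -d -s $session -n hass`); update it to `# create a new tmux session, naming the first window hass`. Likewise `# create a new window windows` reads as a leftover; `# create a second window for heyu` describes what follows. Both look like copy-paste residue from another jail's script, so the rest of the file is worth a quick read for the same.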

264
jails/config/hass/x10.conf Normal file

@ -0,0 +1,264 @@
# Example Heyu configuration file. Copy this to file 'x10config' in
# directory $HOME/.heyu/ and modify as required. This example uses
# features which are new to heyu version 2
# and which will not be recognized by heyu version 1.xx.
# Note: This example file describes only a few of the most commom
# configuration directives. For the complete list see man page
# x10config(5).
# Anything on a line between a '#' character and the end of the line is
# treated as a comment and ignored by Heyu, as are blank lines.
# The various configuration directives in this file can be in any order
# except that ALIAS directives must appear before any other directive
# which references the alias label in place of a housecode|unit address.
# See 'man x10config' for additional information and directives.
# Serial port to which the CM11a is connected. Default is /dev/ttyS0.
tty /dev/ttyU1
check_ri_line NO
# If you have an X10 compatible RF receiver connected to a second
# serial port, use the TTY_AUX directive to specify the serial port
# and model of receiver. Supported receivers are W800RF32, MR26A,
# and RFXCOM. There are no defaults.
tty_aux /dev/ttyU0 MR26A
# The CM19A is both a receiver and transmitter for X10 RF signals.
# The MR26A is a receiver only.
# The CM19A is USB and the MR26A is serial port
# Base housecode. The default is A.
#housecode A
# Aliases:
# Format: ALIAS Label Housecode|Unitcode_string [Module_Type]
# The label is limited to 32 characters in length and is case-sensitive,
# e.g., Front_Porch and front_porch are treated as different labels.
# Each alias may reference a single unitcode or a multiple unitcode
# string (no embedded blanks), but is limited to one housecode.
# The optional Module_Type is the general type or specific model number
# of a module currently supported by Heyu. (Knowing the characteristics
# of a module allows Heyu to track changes in its On/Off/Dim state
# as X10 signals are sent or received.) The most commonly used modules
# are the standard X10 lamp module (StdLM) and standard X10 appliance
# module (StdAM). Other modules currently supported by Heyu are listed
# in x10config(5). A standard X10 lamp module (StdLM) is the
# default (changeable with the DEFAULT_MODULE directive)
# for housecode|units which are not defined in an alias directive.
# A module_type should normally not be defined for mutiple-unit
# aliases, just for the single-unit aliases. (The module characteristics
# are associated with the housecode|unit, however referenced.)
# Some examples:
# Note: Prior versions of Heyu used a different format for
# aliases - no ALIAS directive and the Housecode and Unitcode_string
# were separated by a space, e.g., simply:
# front_porch A 1
# Heyu will continue to accept this older format for compatibility,
# but its use is discouraged as modules cannot be specified.
# Scenes and Usersyns (User-defined synonyms):
# Format: SCENE Label Command1 <args> [; Command2 <args> [; ...
# Format: USERSYN Label Command1 <args> [; Command2 <args> [; ...
# The label is limited to 32 characters and is case-sensitive.
# Scenes and Usersyns are both semicolon-separated lists of
# commands with their arguments which can be executed or used
# in macros as if their labels were ordinary Heyu commands.
# See 'man x10config' for the features and limitations of Scenes
# and Usersyns.
# (In the current version of heyu, the ONLY distinction between
# scenes and usersyns is the 'show' menus in which they appear.)
# Some examples:
SCENE blinker on D5; off D5; on D5; off D5
#USERSYN normal_lights on front_porch; on back_porch
#SCENE tv_on on tv_set; dimb living_room 10
# parameters, e.g., $1, $2, which are replaced by actual
# parameters supplied when the scene/usersyn is run.
#USERSYN night_lights dimb front_porch $1; dimb back_porch $1
# Define the (writeable) directory where the Heyu state engine daemon
# (started with 'heyu engine') is to write its log file 'heyu.log.<tty>'.
# The default is 'NONE', indicating no log file is to be written.
log_dir /usr/local/etc/heyu/log
# The entries in the log file are similar to those which appear in
# the heyu monitor, but in addition will include an entry when
# a script is launched, and unless redirected elsewhere, any
# text output from that script.
# Note that the log file will continue to grow. Manually delete
# or trim it from time to time, or configure a Unix utility like
# 'logrotate' to manage this task automatically.
# If the Heyu state engine is running, Heyu can launch scripts
# (or any Unix commands) when it sees specified X10 signals.
# The format is:
#SCRIPT [ -l label ] <launch conditions> :: [options] <command line>
# where label is an optional label, <launch conditions> tell
# Heyu under what conditions to launch the script, and
# <command line> is the script command to be executed.
# The '::' (two colons) separator is mandatory since the launch
# conditions can be quite complex.
# See x10scripts(5) for details, but here's a simple example
# (with no label):
#SCRIPT doorbell on :: play $HOME/sounds/barking_dog.wav
# Users have the option of running either 'heyuhelper' in a manner
# similar to heyu 1.35 or general scripts as above with the
# following directive. The default is SCRIPTS, to run general scripts.
#script_mode SCRIPTS
# (With the choice 'HEYUHELPER', a script named 'heyuhelper' on
# the user's path is run every time any X10 signal is received
# by heyu over the power line, assuming the heyu state engine
# daemon is running.)
### The following directives apply when a schedule is ###
### is uploaded to the CM11A interface. ###
# The file name of the user's X10 schedule file in the Heyu base
# directory. The default is 'x10.sched'. If you regularly use
# more than one, list them here and just comment/uncomment as
# appropriate, e.g.,
#schedule_file x10.sched
#schedule_file normal.sched
#schedule_file vacation.sched
# The MODE directive - Heyu's two modes of operation:
# In the default COMPATIBLE mode, the schedule uploaded to the
# interface is configured to begin on Jan 1st of the current
# year and # is valid for 366 days - through Dec 31st of the
# current # year or Jan 1st of the following year, depending
# whether # the current year is a leap or common year.
# COMPATIBLE mode is the default.
# In HEYU mode the schedule uploaded to the interface is
# configured to begin on today's date and is valid for
# the number days of provided by the PROGRAM_DAYS directive.
# WARNING: The mere execution of X10's ActiveHome(tm) program
# under MS-Windows, or having its resident driver running, when
# the interface has been programmed by Heyu in HEYU mode can
# cause problems. See 'man x10config' for details.
#mode COMPATIBLE
# Number of days for which the interface is to be programmed
# when running in HEYU mode. It is ignored in COMPATIBLE mode.
# (A shorter period can yield more accurate values for dawn
# and dusk.) The default is 366 days.
#program_days 366
# Should Heyu combine events having the same date range, time, etc.,
# by concatenating the macros for similar events? The default is YES.
#combine_events YES
# Should Heyu compress uploaded macros by combining unit codes for the same
#housecode and command and eliminating duplicates? E.g.,
# (on A1; on B2; on A3, on B2) ==> (on A1,3; on B2)
# The default is NO
#compress_macros NO
# The user's Longitude and Latitude, needed for dawn/dusk calculations.
# There are no defaults. Don't use these examples - put in values
# for your own location.
longitude W121:46
latitude N37:16
# For dawn/dusk related times, Heyu breaks up the schedule date intervals
# into subintervals, each with a constant value of dawn or dusk time.
# These directives instruct Heyu what value of dawn/dusk time to use.
# The default value is FIRST, i.e., that on the first day of the subinterval,
# which is most convenient for comparing Heyu's computations with actual.
#dawn_option FIRST
#dusk_option FIRST
# The following times allow bounds to be placed on the times of Dawn
# and Dusk computed by Heyu. For example, setting the value for
#min_dawn to 06:30 will ensure that an event scheduled to be
# executed at Dawn will occur at 06:30 during summer hours whenever
# the actual computed value of Dawn is earlier than that time.
# The value for these directives are specified as hh:mm Legal
# (i.e., wall-clock) time, or the directives may be disabled with
# the word OFF, which is the default.
# Timer options DAWNLT, DAWNGT, DUSKLT, DUSKGT used in the Heyu
# schedule file will usually eliminate the need for these directives.
# See man page x10sched(5) for details.
#min_dawn OFF
#max_dawn OFF
#min_dusk OFF
#max_dusk OFF
# Directory to write reports and files other than the critical files
# The default is to write them in the Heyu base directory.
#report_path ./
# Replace events having delayed macros with new events and new
# undelayed macros when possible. (The purpose is to avoid pending
# delayed macros, which are purged when a new schedule is uploaded.)
# The default is YES.
#repl_delayed_macros YES
# For test purposes, Heyu can write some additional files when
# the command 'heyu upload check' is executed. This directive
# instructs Heyu to write these files. The default is NO.
#write_check_files NO
START_ENGINE AUTO
alias Kitchen D1 StdLM
alias Family_Room D2 StdLM
alias Hallway D3 StdLM
alias Kitchen_Table D4 StdLM
alias Stairway D5 StdLM
alias Study D6 StdLM
alias Dining D7 StdLM
alias Bonus_Room D8 StdLM
alias Living_Room_L0 D9 StdLM
alias Front_Door D10 StdLM
alias Living_Room_L1 D11 StdLM
alias Living_Room_L2 D12 StdLM
alias Piano_Room_L1 D13 StdLM
alias Piano_Room_L2 D14 StdLM
alias Family_Room_L0 D15 StdLM
alias Chime G1 StdAM
alias Main_Garage G2 StdAM
alias Side_Garage G3 StdAM
alias Front_Yard G13 StdLM
alias Back_Yard G14 StdLM
alias Plants_front_house I1 RAIN8II
alias Plants_front_road I2 RAIN8II
alias Lawn_front_road I3 RAIN8II
alias Lawn_front_garage I4 RAIN8II
alias Lawn_back_pool I5 RAIN8II
alias Lawn_back_house I6 RAIN8II
alias Plants_back_garage I7 RAIN8II
alias Plants_back_road I8 RAIN8II


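--- /dev/null
+++ b/PATH_NOT_SHOWN/ipfw-rules
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+# Set rules command prefix
+cmd="ipfw -q add"
+pif="epair0b" # interface name of NIC attached to Internet
+$cmd 00100 allow ip from any to any via lo0
+$cmd 00200 deny ip from any to 127.0.0.0/8
+$cmd 00300 deny ip from 127.0.0.0/8 to any
+$cmd 00400 deny ip from any to ::1
+$cmd 00500 deny ip from ::1 to any
+$cmd 00600 allow ipv6-icmp from :: to ff02::/16
+$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
+$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
+$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
+$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
+$cmd 05000 reset ip from table(22) to me
+$cmd 65000 allow ip from any to any
+$cmd 65535 deny ip from any to any
+# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html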
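Review bot: Rule `65535 deny ip from any to any` on the last rule line is unreachable, because rule 65000 already allows all traffic, so this is a default-allow ruleset in which only loopback spoofing and addresses in `table(22)` are rejected. If that is the intent, record it where the rules begin, e.g. `# default-allow ruleset: only loopback spoofing and hosts in table(22) (presumably filled by sshguard's ipfw backend) are rejected`, so nobody mistakes the final deny for a default-deny policy. `pif="epair0b"` is assigned but never referenced, so either the per-interface rules it was meant for are missing or the line can be dropped. The `reset` rule depends on something else creating and populating table 22 at boot; naming that producer in a comment would make the dependency visible.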


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10 priority: 10
} }
pkgp121: { pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/", url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http", mirror_type: "http",
signature_type: "pubkey", signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert", pubkey: "/mnt/certs/poudriere.cert",


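--- /dev/null
+++ b/PATH_NOT_SHOWN/sshguard.conf
@@ -0,0 +1,54 @@
+#!/bin/sh
+# sshguard.conf -- SSHGuard configuration
+# Options that are uncommented in this example are set to their default
+# values. Options without defaults are commented out.
+#### REQUIRED CONFIGURATION ####
+# Full path to backend executable (required, no default)
+#BACKEND="/usr/local/libexec/sshg-fw-hosts"
+BACKEND="/usr/local/libexec/sshg-fw-ipfw"
+#BACKEND="/usr/local/libexec/sshg-fw-pf"
+# Space-separated list of log files to monitor. (optional, no default)
+#FILES="/var/log/auth.log /var/log/maillog"
+FILES="/var/log/auth.log"
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
+# Example 2: ssh from os_log (macOS 10.12+)
+#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
+#### OPTIONS ####
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD=30
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME=120
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME=1800
+# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
+IPV6_SUBNET=128
+# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
+IPV4_SUBNET=32
+#### EXTRAS ####
+# !! Warning: These features may not work correctly with sandboxing. !!
+# Full path to PID file (optional, no default)
+#PID_FILE=/var/run/sshguard.pid
+# Colon-separated blacklist threshold and full path to blacklist file.
+# (optional, no default)
+#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist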
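Review bot: `WHITELIST_FILE` stays commented out, while the ipfw ruleset in this commit resets every connection from `table(22)` to the host, so a few mistyped passwords from an admin workstation would block that address for all services, not just SSH. Listing the management networks in a whitelist and setting `WHITELIST_FILE=/usr/local/etc/sshguard.whitelist` bounds that lockout; the LAN ranges used for `network_allowed` in the haproxy config on this page look like the natural candidates. `BLACKLIST_FILE` is also commented, so repeat offenders are forgotten at every restart, which is a defensible choice but deserves a one-line comment. The link between `BACKEND=.../sshg-fw-ipfw` and `table(22)` in the ipfw script is inferred from SSHGuard's ipfw backend default and stated nowhere; a comment such as `# sshg-fw-ipfw blocks via ipfw table 22, matched by the reset rule in the ipfw script` would tie the two files together.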


@ -0,0 +1 @@
Í•it†Í­®


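--- /dev/null
+++ b/PATH_NOT_SHOWN/rc.d/vncserver
@@ -0,0 +1,44 @@
+#!/bin/sh
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: vncserver
+# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
+. /etc/rc.subr
+: ${vncserver_enable="NO"}
+: ${vncserver_user="p"}
+: ${vncserver_geometry="1600x900"}
+: ${vncserver_display="1"}
+: ${vncserver_securitytypes="vncauth"}
+# : ${vncserver_securitytypes="vencrypt,vncauth,tlsvnc"}
+# encryption incompatible with clients - vncconnect-realvnc and guacd
+name=vncserver
+rcvar=vncserver_enable
+VNCSERVER="/usr/local/bin/vncserver"
+start_cmd="vncserver_start"
+stop_cmd="vncserver_stop"
+restart_cmd="vncserver_restart"
+vncserver_start()
+{
+CMD="$VNCSERVER -geometry ${vncserver_geometry} -name $(hostname -s) -securitytypes ${vncserver_securitytypes} :${vncserver_display}"
+su -l ${vncserver_user} -c "${CMD}"
+}
+vncserver_stop()
+{
+CMD="$VNCSERVER -kill :${vncserver_display}"
+su -l ${vncserver_user} -c "${CMD}"
+}
+vncserver_restart()
+{
+vncserver_stop
+vncserver_start
+}
+load_rc_config ${name}
+run_rc_command "$1"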
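Review bot: `vncserver_start` launches the server without `-localhost`, so display `:${vncserver_display}` is reachable on every interface and is protected only by the `vncauth` password, which the securitytypes comment acknowledges is sent without encryption; the comment explains why TLS types are off but not why the listener is network-wide. If guacd on another host is the intended client, as the `vnc-hub` connection elsewhere in this commit suggests, say so in a comment and confine the port with ipfw; if the clients are local, add `-localhost` to `CMD`. The `: ${vncserver_enable="NO"}` defaults are set before `load_rc_config`, which works only because rc.conf assignments execute afterwards; the FreeBSD rc.d convention is `load_rc_config ${name}` first and then `: ${vncserver_enable:="NO"}`, so moving the block removes the surprise. `vncserver_stop` ignores the exit status of the kill, so `vncserver_restart` will start a second instance on the same display if the stop failed; checking `$?` there keeps restart idempotent.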


@ -1,6 +1,6 @@
#!/usr/local/bin/bash #!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -10,9 +10,9 @@
# ./ibm.sh under tmux # ./ibm.sh under tmux
ifconfig tun186 create ifconfig tun95 create
ifconfig tun186 inet 172.16.0.186 172.16.0.100 ifconfig tun95 inet 172.16.0.95 172.16.0.100
chmod 666 /dev/tun186 chmod 666 /dev/tun95
cd /data/Z110/CONF cd /data/Z110/CONF
# hercules # hercules
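Review bot: `chmod 666 /dev/tun95` on the third changed line makes the tunnel device readable and writable by every local account, so any user on the host can read or inject traffic on the 172.16.0.95/172.16.0.100 link the emulator uses. If hercules runs as an unprivileged user, `chown <hercules-user> /dev/tun95` with `chmod 600 /dev/tun95` gives it the same access without exposing the device system-wide; the replaced `tun186` line had the same mode, so this is inherited rather than introduced here. The enclosing script continues outside the hunk.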


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


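--- /dev/null
+++ b/PATH_NOT_SHOWN/route-notes
@@ -0,0 +1,7 @@
+sysctl net.inet.ip.forwarding=1
+route add 10.1.2.0/24 192.168.55.105
+# on remote -
+#sudo sysctl net.ipv4.ip_forward=1
+#ip route add 192.168.0.0/24 via 192.168.55.1
+#OR
+#ip route add 192.168.0.0/24 dev tun0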
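Review bot: `sysctl net.inet.ip.forwarding=1` and the `route add` on the first two lines are one-shot and do not survive a reboot; if the file is meant as a boot hook rather than a reminder, the persistent form on FreeBSD is `gateway_enable="YES"` plus a `static_routes` entry in rc.conf, and a comment should say which of the two the file is. Enabling forwarding turns the host into a router between all of its interfaces, not only toward 10.1.2.0/24, so a note naming the ipfw rules expected to limit transit traffic would help whoever enables this. The `# on remote -` block is the Linux side (the `net.ipv4` sysctl and `ip route` syntax), presumably the 192.168.55.105 peer; labelling it `# on the Linux peer (presumably 192.168.55.105):` makes the pairing explicit.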


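--- /dev/null
+++ b/PATH_NOT_SHOWN/ldapadd-wrapper
@@ -0,0 +1 @@
+ldapadd -H ldaps://ldap.ahlawat.com -f $1 -D cn=admin,dc=infra -W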
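Review bot: `$1` is unquoted in the only line, so a file name containing spaces or glob characters is word-split before it reaches `ldapadd`; write `ldapadd -H ldaps://ldap.ahlawat.com -f "$1" -D cn=admin,dc=infra -W`. A usage guard such as `[ -r "$1" ] || { echo "usage: $0 file.ldif" >&2; exit 1; }` turns a missing argument into a clear error instead of an ldapadd read from stdin. Using `-W` to prompt for the admin password rather than passing it with `-w` keeps it out of the process list and shell history, which is the right call and worth keeping.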


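--- /dev/null
+++ b/PATH_NOT_SHOWN/guacamole.properties
@@ -0,0 +1,16 @@
+###
+### guacamole.properties.sample
+###
+### The Host the Guacamole proxy daemon (guacd) is listening on.
+#
+guacd-host: localhost
+guacd-port: 4822
+guacd-ssl: false
+ldap-hostname: ldap.ahlawat.com
+ldap-port: 636
+ldap-encryption-method: ssl
+ldap-user-base-dn: ou=people,dc=infra
+ldap-username-attribute: cn
+ldap-config-base-dn: ou=hosts,dc=infra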


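--- /dev/null
+++ b/PATH_NOT_SHOWN/logback.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Guacamole logs all messages to console by default. Servlet containers
+like Tomcat will automattically redirect these messages to a log file,
+catalina.out in the case of Tomcat. Valid levels= error, warn, info,
+debug -->
+<configuration>
+<!-- Appender for debugging -->
+<appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
+<encoder>
+<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+</encoder>
+</appender>
+<!-- Log at DEBUG level -->
+<root level="info">
+<appender-ref ref="GUAC-DEBUG"/>
+</root>
+</configuration>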
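Review bot: The comment `<!-- Log at DEBUG level -->` directly above `<root level="info">` contradicts the configured level, and the appender is named `GUAC-DEBUG` while it carries INFO output, so anyone grepping for debug logging will be misled about what is in catalina.out. Replace the comment with `<!-- Root logger at INFO; set level="debug" only while troubleshooting -->` and consider naming the appender `GUAC-CONSOLE`. The header comment's "automattically" is a typo.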


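--- /dev/null
+++ b/PATH_NOT_SHOWN/rdp-windows.ldif
@@ -0,0 +1,14 @@
+dn: cn=rdp-windows,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: Windows rdp
+guacConfigProtocol: rdp
+guacConfigParameter: hostname=192.168.0.81
+guacConfigParameter: port=3389
+guacConfigParameter: username=v
+guacConfigParameter: password=v
+guacConfigParameter: security=nla
+guacConfigParameter: ignore-cert=true
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra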
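Review bot: `guacConfigParameter: ignore-cert=true` on the rdp-windows entry disables validation of the RDP server certificate, so the NLA session to 192.168.0.81 can be intercepted by anything that answers on that address; the `rdp-windows` connection in user-mapping.xml in this commit sets the same parameter. Prefer `ignore-cert=false` with the host's certificate trusted by the Guacamole JVM, or at least record the reason it is accepted, e.g. `# ignore-cert: self-signed RDP cert on the LAN; replace before exposing beyond 192.168.0.0/24`. The entry also stores `username=` and `password=` in cleartext, visible to every LDAP identity that can read `ou=hosts,dc=infra` (the `vnc-hub` entry keeps `password=vncpass` the same way), so the directory ACL on that subtree should restrict reads to the Guacamole bind identity and the listed `member` users, and that expectation belongs in a comment here.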


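--- /dev/null
+++ b/PATH_NOT_SHOWN/ssh-nas.ldif
@@ -0,0 +1,10 @@
+dn: cn=ssh-nas,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: NAS ssh
+guacConfigProtocol: ssh
+guacConfigParameter: hostname=192.168.0.10
+guacConfigParameter: port=22
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra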
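Review bot: The ssh-nas entry sets `hostname` and `port` but no `host-key` parameter, so Guacamole's SSH client performs no host-key verification for 192.168.0.10 and will accept whatever server answers there; the `ssh-nas`, `ssh-rpi3` and `ssh-dev` connections in user-mapping.xml in this commit have the same gap. Adding `guacConfigParameter: host-key=<known_hosts line for 192.168.0.10>` pins the server identity; the value is the host's public-key line as `ssh-keyscan` prints it. A comment noting that the entry relies on the guacConfigGroup schema loaded by the LDIF files in this commit would help whoever reproduces the directory.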


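--- /dev/null
+++ b/PATH_NOT_SHOWN/user-mapping.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Guacamole's default authentication module is a simple xml file.
+Each user is specified with a corresponding <authorized> tag. This
+tag contains all authorized connections for that user each denoted
+with a <connections> tag. Each <connection> tag contains a
+protocol and set of protocol-specific parameters, specified with
+the <protocol> and <param> tags respectively. For more information
+visit http://guac-dev.org/doc/gug/configuring-guacamole.html -->
+<user-mapping>
+<!-- Per-user authentication and config information md5 -s "Npasswd" -->
+<authorize username="admin" password="4ee438b74bd65c9f8402e7e48fa64fb7" encoding="md5">
+<connection name="vnc-hub">
+<protocol>vnc</protocol>
+<param name="hostname">192.168.0.50</param>
+<param name="port">5901</param>
+<param name="password">vncpass</param>
+<param name="color-depth">24</param>
+</connection>
+<connection name="rdp-windows">
+<protocol>rdp</protocol>
+<param name="hostname">192.168.0.81</param>
+<param name="port">3389</param>
+<param name="security">nla</param>
+<param name="ignore-cert">true</param>
+<param name="username">v</param>
+<param name="password">v</param>
+</connection>
+<connection name="ssh-nas">
+<protocol>ssh</protocol>
+<param name="hostname">192.168.0.10</param>
+<param name="port">22</param>
+<param name="font-name">monospace</param>
+</connection>
+<connection name="vnc-rpi3">
+<protocol>vnc</protocol>
+<param name="hostname">192.168.200.192</param>
+<param name="port">5901</param>
+<param name="password">vncpass</param>
+<param name="color-depth">24</param>
+</connection>
+<connection name="ssh-rpi3">
+<protocol>ssh</protocol>
+<param name="hostname">192.168.200.192</param>
+<param name="port">22</param>
+<param name="font-name">monospace</param>
+</connection>
+<connection name="ssh-dev">
+<protocol>ssh</protocol>
+<param name="hostname">192.168.55.105</param>
+<param name="port">22</param>
+<param name="font-name">monospace</param>
+</connection>
+</authorize>
+<authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
+<connection name="vnc">
+<protocol>vnc</protocol>
+<param name="hostname">192.168.200.212</param>
+<param name="port">5901</param>
+<param name="password">vncpass</param>
+<param name="color-depth">24</param>
+</connection>
+<connection name="ssh">
+<protocol>ssh</protocol>
+<param name="hostname">192.168.200.212</param>
+<param name="port">22</param>
+<param name="font-name">monospace</param>
+</connection>
+</authorize>
+</user-mapping>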
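Review bot: The `<authorize>` passwords use `encoding="md5"` (the generation recipe `md5 -s` is in the comment above them), an unsalted fast hash that offline guessing recovers quickly once the file leaks; Guacamole also accepts `encoding="sha256"`, and more importantly the file holds the cleartext VNC password `vncpass` for four hosts, so it must stay readable only by the servlet-container account, which a comment should state. Both this file and the LDAP-backed `guacConfigGroup` entries added in the same commit grant access to the same hosts, so a header comment saying which store is authoritative (and whether user-mapping.xml is a break-glass fallback) would prevent the two from drifting apart. The `ignore-cert` and missing `host-key` points are raised on the LDIF entries earlier in the commit and apply to the matching connections here.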


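--- /dev/null
+++ b/PATH_NOT_SHOWN/vnc-hub.ldif
@@ -0,0 +1,12 @@
+dn: cn=vnc-hub,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: HUB vnc
+guacConfigProtocol: vnc
+guacConfigParameter: hostname=192.168.0.50
+guacConfigParameter: port=5901
+guacConfigParameter: password=vncpass
+guacConfigParameter: color-depth=24
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra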


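--- /dev/null
+++ b/PATH_NOT_SHOWN/guacd.conf
@@ -0,0 +1,17 @@
+#
+# guacd.conf example
+#
+[daemon]
+# Possible log_level variables are:
+# trace, debug, info, warning, and error
+# Default is info
+log_level = info
+[server]
+bind_host = localhost
+bind_port = 4822
+[ssl]
+#server_certificate = /mnt/certs/fullchain.pem
+#server_key = /mnt/certs/privkeyr.pem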
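Review bot: The commented `#server_key = /mnt/certs/privkeyr.pem` looks like a typo for `privkey.pem` (its companion uses `fullchain.pem`, the Let's Encrypt naming), so the `[ssl]` block will point at a missing key the day it is enabled; worth correcting while the line is inert. With `bind_host = localhost` and SSL off, guacd is only reachable from the local Tomcat, which matches `guacd-ssl: false` in guacamole.properties in this commit; a comment such as `# plaintext is acceptable only while guacd and Tomcat share this host` records the dependency for whoever moves one of them. The header still says "guacd.conf example" although this is the deployed file.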


@ -0,0 +1,28 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
dn: cn=guacConfigGroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: guacConfigGroup
olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
6.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )


@ -0,0 +1,31 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
DESC 'Guacamole configuration group'
SUP groupOfNames
MUST guacConfigProtocol
MAY guacConfigParameter )


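--- /dev/null
+++ b/PATH_NOT_SHOWN/jail-exec-start
@@ -0,0 +1,2 @@
+# requrired to run other configured scripts
+/bin/sh /etc/rc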


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10 priority: 10
} }
pkgp121: { pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/", url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http", mirror_type: "http",
signature_type: "pubkey", signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert", pubkey: "/mnt/certs/poudriere.cert",


@ -0,0 +1,28 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
dn: cn=guacConfigGroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: guacConfigGroup
olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
6.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )


@ -0,0 +1,31 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
DESC 'Guacamole configuration group'
SUP groupOfNames
MUST guacConfigProtocol
MAY guacConfigParameter )


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDc2cV9/D/MWdUl
DBfKzA3zNjFbzDJd4WP1fdRRIdell57kJwyKehYCw/HxWy4+AnWj6c2fhPXI2EQp
K3I1QjNSxV4kq+Lr2SFJuDiZvDRLzihu24N6go34R9712mbZOWWl0KyihO6E2cH8
h6cr2iahXmAjqVtm9/mBmdnrQ2Bv0fusdpS24x3NOPs4Q5gJTadJFGBkwXb88D/+
mBDcEUFwDul4bVQWvqHk+8EJwApGLo7YVL2F0A25FAm43rWexjb+JeTsHRqN/TaV
ALzQPr/DQIb2wyWsTnQMnd0t8qg9ErDAKgxMDeGDRFbHr5wNMTrewQkW7yd+H0T0
Wa97aDXbAgMBAAECggEANUp/M0VZB7BtlED0xMS0YQmko2gEh07J1gUE5IbsCFMr
zhX2GrwW75fkm77Ky7/AL0tNiL6GqG43FFAdgOh2hfSGIQcw/IQqWiWP0tjtLZWT
gByL/1XdeBmvnVeUFbqZ4ocWASlefMQm4Q7Csfwz8iBZxoEpQxF3LWS4huJ9NL3d
qiI1jX5otXN0ybA6jDpridvExRwWT6KrAykUrh5f7vRGUp0I7/GltvSHS4mu24C1
08RUPE5NjynEX/amc1urMwH3ZdOZgCx819DfQXpQts9/TejSLlLL8s4lXTsZDoab
DiJ1zZKZEpMIheEGAWSyLtqc1QxypauVAMeM6ZgasQKBgQD88Yf1E7X8zS4hYSyu
WHiUgrin/0febsHWZAVBTwnzpDwfY0jNnq57tiALyaVzk3vCL3a9WckpXPbQk4Yk
Oypu1eDyGT4Xf7hrXqFTlMtkupa3Os5/MlTXOFMMs5VISsxrbVjNlvSxITXASWwr
IYVjmhgTx8Rg3ApM5X/Tqd8XxwKBgQDfhPZ2t+4fBwhzgydKnkPWMbJ6k17tWoZu
8tzCzrxJd/cYUmi/44sOLrFCLwaS28I4sR7iBPCeiFnnbqlv+f6uw2Xmr5jc/BsT
md6yl2gNmow//iGFwf8lAsA1VyoFbZoAvQUMVElaxvCngifsTNqRHap8KY6xv5r/
C6MEoGd5TQKBgQDEoPXxnEsCpHXR2Pqk5X2G5T+qyRYTYcIpaUN0i37O+cMLG2FD
BrHY1bF/uFd3yxSP1dnWRG/OSchMSAIlNCE+W+EsEldkaRLx1HRQxwB941a6RWq1
EmlFjTFyVEAeHJdgg3ZfC5RYBdsFCY6e0MYisW06IzcTnLodIOMHpawZjQKBgQC+
1RVbnINXyDhl7rbQFTlTmVCJKGMmgGBAP2dNhxXoH909zbYTBmFFdYXvPJj/L1Kt
9kKos5D/uOgRGEDfEnBnovnQL2FyYmd3n6orjerPmoBdbkoOmeeNIMEbiVSeF8oh
EUBLG3cZYro6OXx+WctNlCdnJE/o3+6kC7pdi9lsDQKBgEtkK4RpB1OKJm6sEiWe
hoTI6yqflpkivWtV3F8/D37LbYT5wiAsRr6AkgetB7jsi0t//thJiAUUxhtb+u4M
1zR7i9bIRv3lU8TgYpfS/Yq3T9feZoj682LKtBMPoSgm/p5+ogzIlAU3cpjAW+A8
2CyzbDc7K58vuzaR8RHpnzYi
-----END PRIVATE KEY-----


@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJE2rtl2EGU7YD
TWSlapLqMgn02m9Valldv6u3NP5CZTwI9/xrlEZYzjArInvLE4SFx5VlgC52K92A
tZUqs7ckZgDmMOIr1vXGP3YgzGO9NK3hqyPHlu2Twuu96rP9+CTTlU8ovun14Ucu
b0+W3pH646kMZBc0wAAj0xg+QI0PhFphQZyHkV9laOFwx/ErCu9SdUfcUY+zouSG
DMxPAL8pT1JS5IOVGDM7rXbAwZ1+LrHTmOD1Mi6jtYtV7/Pqga6CBpcQFa/kMvza
idjPkVyUg4YY/9i+P9dRQMK6dJgmRSaLLaOTaYHCT6PgpWQvKhYJZsNIB+LmfdHp
gzE4s0tfAgMBAAECggEBALtNkzVu5bp3D/1TgoV0GRZ/NjcXos32GvjxKoummZJP
qvTPzBqKLF1c9BG6NYadz7yuhcPe+2iow9S5URJOBjOpsPy8XHJp8teRFgDHY8FD
6RVlzhaFyRjzYZWvo6rYE7XkR7C05ktcZmoi1gi7m1AR8c7RDazdjUPRx6t1hfEE
ubocsnwZ5McU3tHVHj8pHBM9nKaarVd3BSTydStjGOmoS+E5BR1NLMDpx3Aw9S/V
tn1iJxxF9+GONFfCBQ/IQ4+rBbOPsICwhhhrTpJwPilzBynGQevtEHdpq6ewS2bq
ESsgQoax70cW1TymOPOzYQvPUzJy0S68OoSMAXVr8MECgYEA755LulHIALONfQWG
XBUT7UMaePyLDkuNoGkIDqIdqZiJf8kxDs8yWznCGim/vlnmK2hVn1nqi+omtbaG
AsCgU9q2JnP4r0Nr7yb/L4WAHp5WxR5ifS/aOHUple9oQwfPkzpxWEGFFvN0PW7p
4lk4lRNvI4q5zMdugpbwn4vbzEMCgYEA1tKRDfPY/9GV/dYnt433bjtlNU9j7UCc
8iP26Rg8zjC4tzlVoZDZjov5FMG2Ifb7cLNroONATg2ivKNyRm73Le9p2KVqtvTX
zHs1sKVJofWQ4+GzJd8MkUEXu397oTUudGV+z82Hd0iKkQBT7EYBybHl6kY4XbR1
BS36gdW2oLUCgYBvt1LBNH3V7eCqiFfjOKSIuv9tpvjCGnGWd0GdaPIBby+0Fz47
FFj69UvM3OgbvFg2prc8yzQyNWIE2GtUfzCAx/iipvEr7Xg2EO1q34gjPllgH9F1
YkkQh3dzAyKOFecuUlIj/rApSipIthxvPn/F6UCoxnXnxpd8ZRkcmZ1JdwKBgQCZ
bltb88YRMMhIPCSx3RvUB2gJ42Ijmfp+l2FKqp0DR5kmhDS86I/6V87XHGPRbm23
2O4OQ0Eyflq1EKgV1juE+3JF4h+N/OIEkhuOxv8IRjPuDs29RsnbFPq2WB8czLcZ
O0SPduRCNfWCCxHltzqfrAfig7TOeIz73hMFmHaP4QKBgQCN1XzjGMrL0ZlFQTM1
ljaqWEaQ+JSzZtiVDdPcuKytyvz59OdJnag9O0TBaOY6XGG1Dbl8FJEG9KZCwYRv
a+CKb6qHyowgu17GlWQBn2i3Ep5GOQhkR4ghvDXZPwOJfW5VbfWo4N/r3Q81kaRO
Iovk5uipUk5dtW69hOYmq4OBxA==
-----END PRIVATE KEY-----


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10 priority: 10
} }
pkgp121: { pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/", url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http", mirror_type: "http",
signature_type: "pubkey", signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert", pubkey: "/mnt/certs/poudriere.cert",


@ -683,7 +683,7 @@ readme_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4, ipv6 inet_protocols = ipv4, ipv6
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any) # sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
smtp_address_preference = ipv4 #smtp_address_preference = ipv4
meta_directory = /usr/local/libexec/postfix meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix shlib_directory = /usr/local/lib/postfix


@ -328,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
luser_relay = luser_relay =
mail_name = Postfix mail_name = Postfix
mail_owner = postfix mail_owner = postfix
mail_release_date = 20200316 mail_release_date = 20200516
mail_spool_directory = /var/mail mail_spool_directory = /var/mail
mail_version = 3.5.0 mail_version = 3.5.2
mailbox_command = mailbox_command =
mailbox_command_maps = mailbox_command_maps =
mailbox_delivery_lock = flock, dotlock mailbox_delivery_lock = flock, dotlock
@ -340,7 +340,7 @@ mailbox_transport_maps =
maillog_file = maillog_file =
maillog_file_compressor = gzip maillog_file_compressor = gzip
maillog_file_prefixes = /var, /dev/stdout maillog_file_prefixes = /var, /dev/stdout
maillog_file_rotate_suffix = %Y%M%d-%H%M%S maillog_file_rotate_suffix = %Y%m%d-%H%M%S
mailq_path = /usr/local/bin/mailq mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man manpage_directory = /usr/local/man
maps_rbl_domains = maps_rbl_domains =



@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")



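--- /dev/null
+++ b/PATH_NOT_SHOWN/matomo-crontab
@@ -0,0 +1,2 @@
+MAILTO="sharad@diyit.org"
+5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /root/matomo-archive.log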
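Review bot: The `core:archive` job logs to `/root/matomo-archive.log`, which suggests this is root's crontab, so the Matomo PHP console runs with full privileges although it only needs the web-server account's access to the Matomo tree and its database; install the entry in that account's crontab (or wrap it in `su -m <web-user> -c '...'`) and log to a path that user owns. Only stdout is redirected, so stderr is still mailed to `MAILTO`; if that is the intended alerting channel say so in a comment, otherwise append `2>&1`. A short comment naming what `core:archive` does and why 05:05 was chosen would help the next person reading root's crontab.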


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


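--- a/PATH_NOT_SHOWN/logstash-start
+++ /dev/null
@@ -1,3 +0,0 @@
-mount proc
-/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
-ps axww | grep logstash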


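--- /dev/null
+++ b/PATH_NOT_SHOWN/ccache.conf
@@ -0,0 +1 @@
+max_size = 32.0G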


@ -1,4 +1,4 @@
# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $ # $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
# Trusted keyprint. Changing this is a Bad Idea unless you've received # Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to # a PGP-signed email from <security-officer@FreeBSD.org> telling you to


@ -1,2 +1,3 @@
WANT_OPENLDAP_SASL=yes WANT_OPENLDAP_SASL=yes
LICENSES_ACCEPTED+=DCC LICENSES_ACCEPTED+=DCC
WITH_CCACHE_BUILD=yes


@ -5,11 +5,14 @@ net/openldap24-sasl-client
security/cyrus-sasl2 security/cyrus-sasl2
www/apache24 www/apache24
devel/apr1 devel/apr1
net/php73-ldap net/php74-ldap
mail/postfix mail/postfix
mail/dovecot mail/dovecot
mail/dovecot-pigeonhole mail/dovecot-pigeonhole
mail/rspamd mail/rspamd
mail/dcc-dccd mail/dcc-dccd
net/netatalk3 net/netatalk3
net/samba410 net/samba411
net/nss-pam-ldapd
net/nss-pam-ldapd-sasl
#security/pam_ldap # included above
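Review bot: `net/nss-pam-ldapd` and `net/nss-pam-ldapd-sasl` are both listed on the new side; if the `-sasl` port is a slave of the first that builds the same package, as the naming suggests, the two conflict at install time and only one should stay (the SASL one, given `WANT_OPENLDAP_SASL=yes` in make.conf on this page). The trailing `#security/pam_ldap # included above` is a comment inside a comment; `# security/pam_ldap not needed: nss-pam-ldapd ships its own pam module` says the same thing once, if that is indeed the reason it was dropped.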


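--- /dev/null
+++ b/PATH_NOT_SHOWN/pkg-repo-FreeBSD.conf
@@ -0,0 +1,11 @@
+FreeBSD: {
+url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+enabled: no
+}
+pkgp-freebsd-pkg: {
+url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
+mirror_type: "http",
+enabled: yes,
+priority: 10
+}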
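Review bot: `pkgp-freebsd-pkg` is fetched over plain `http` with no `signature_type` or `pubkey`, so `pkg` installs whatever that mirror serves without any authenticity check, whereas the `pkgp122` repository elsewhere in this commit sets `signature_type: "pubkey"` and `pubkey: "/mnt/certs/poudriere.cert"`. If this repo mirrors the official packages, their signatures are only verified when the block also carries `signature_type: "fingerprints"` and `fingerprints: "/usr/share/keys/pkg"`, as the stock `FreeBSD.conf` does; add those two lines (or sign the mirror with the poudriere key and use the pubkey form), and prefer https for the transport. The mixed `enabled: no` and `enabled: yes,` spellings are legal UCL but inconsistent within one file.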


@ -133,7 +133,7 @@ PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
# It will be mounted into the jail and be shared among all jails. # It will be mounted into the jail and be shared among all jails.
# It is recommended that extra ccache configuration be done with # It is recommended that extra ccache configuration be done with
# ccache -o rather than from the environment. # ccache -o rather than from the environment.
#CCACHE_DIR=/var/cache/ccache CCACHE_DIR=/mnt/cache/ccache
# Static ccache support from host. This uses the existing # Static ccache support from host. This uses the existing
# ccache from the host in the build jail. This is useful for # ccache from the host in the build jail. This is useful for
@ -200,7 +200,7 @@ NOLINUX=yes
# List of packages that will always be allowed to use MAKE_JOBS # List of packages that will always be allowed to use MAKE_JOBS
# regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports # regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports
# which holdup the rest of the queue to build more quickly. # which holdup the rest of the queue to build more quickly.
#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*" ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py* llvm*"
# Timestamp every line of build logs # Timestamp every line of build logs
# Default: no # Default: no
@ -282,7 +282,7 @@ PRESERVE_TIMESTAMP=yes
# Define pkgname globs to boost priority for # Define pkgname globs to boost priority for
# Default: none # Default: none
#PRIORITY_BOOST="pypy openoffice*" PRIORITY_BOOST="llvm*"
# Define format for buildnames # Define format for buildnames
# Default: %Y-%m-%d_%Hh%Mm%Ss # Default: %Y-%m-%d_%Hh%Mm%Ss


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")


@ -1,4 +1,4 @@
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -48,35 +48,31 @@ frontend stats
frontend ft frontend ft
bind :::80 v4v6 bind :::80 v4v6
bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem
redirect scheme https if !{ ssl_fc } redirect scheme https if !{ ssl_fc }
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
# passing on that browser is using https # passing on that browser is using https
reqadd X-Forwarded-Proto:\ https ## http-request add-header Forwarded: proto=https
#enabling this breaks things, needs investigation
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
# for Clickjacking - added to individual backends # for Clickjacking - added to individual backends
# rspadd X-Frame-Options:\ SAMEORIGIN # http-response add-header X-Frame-Options: SAMEORIGIN
# prevent browser from using non-secure # prevent browser from using non-secure
rspadd Strict-Transport-Security:\ max-age=15768000 http-response add-header Strict-Transport-Security: max-age=15768000
acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64 acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
acl restricted_page path -i -m sub /wp-admin acl restricted_page path -i -m sub /wp-admin
acl restricted_page path -i -m sub /wp-login acl restricted_page path -i -m sub /wp-login
block if restricted_page !network_allowed http-request deny if restricted_page !network_allowed
use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com } use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com } use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
use_backend bk_diyit if { ssl_fc_sni diyit.org }
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
use_backend bk_diyit if { ssl_fc_sni xflow.org }
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
use_backend bk_diyit if { ssl_fc_sni diyit.space }
use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com } use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com } use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
@ -96,53 +92,67 @@ frontend ft
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com } use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com } use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com } use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
use_backend bk_diyit if { ssl_fc_sni diyit.org }
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
use_backend bk_diyit if { ssl_fc_sni xflow.org }
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org } use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org } use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org } use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org } use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com } use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com } use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com } use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com } use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
default_backend bk_ahlawat default_backend bk_ahlawat
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
use_backend bk_ahlawat if is_websocket
backend bk_ahlawat backend bk_ahlawat
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell
server srv1 192.168.0.77:8000
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_ahlawat-sharad backend bk_ahlawat-sharad
balance roundrobin balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
# http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"
backend bk_ahlawat-rachna backend bk_ahlawat-rachna
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-nivi backend bk_ahlawat-nivi
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-rishabh backend bk_ahlawat-rishabh
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
#backend bk_ahlawat-book #backend bk_ahlawat-book
# server srv1 bookx.ahlawat.com:443 check ssl verify none # server srv1 bookx.ahlawat.com:443 check ssl verify none
@ -150,102 +160,143 @@ backend bk_ahlawat-rishabh
backend bk_ahlawat-book-443 backend bk_ahlawat-book-443
# server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-444 backend bk_ahlawat-book-444
# server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-445 backend bk_ahlawat-book-445
# server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2 # server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-cam backend bk_ahlawat-cam
server srv1 192.168.0.54:8765 check server srv1 192.168.0.54:8765 check
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-ci
# http-request set-header Host cix.ahlawat.com:8080
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2
server srv1 cix.ahlawat.com:8080 check
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-cloud backend bk_ahlawat-cloud
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-git backend bk_ahlawat-git
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspidel X-Frame-Options:* http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
# http-request set-var(txn.src) src # http-response add-header X-Frame-Options: SAMEORIGIN
# acl mynet var(txn.src) -m sub 192.168.0
# acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
# rspidel X-Frame-Options:* if mynet
# rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
# The gitea server add this header be default
backend bk_ahlawat-hub backend bk_ahlawat-hub
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-matrix backend bk_ahlawat-matrix
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-meet backend bk_ahlawat-meet
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-monitor backend bk_ahlawat-monitor
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-jump
server srv1 jumpx.ahlawat.com:8080 check
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-grafana backend bk_diyit-grafana
server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-prometheus backend bk_diyit-prometheus
server srv1 monitorx.ahlawat.com:9090 check server srv1 monitorx.ahlawat.com:9090 check
# ssl ca-file /mnt/certs/cacert.pem alpn h2 # ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-kibana backend bk_diyit-kibana
server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_diyit-maps backend bk_diyit-maps
server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 # server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# rspadd X-Frame-Options:\ SAMEORIGIN # server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-ci
# http-request set-header Host cix.ahlawat.com:8180
reqirep ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2 backend bk_dvpc
rspirep ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2 server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 cix.ahlawat.com:8180 check server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell
server srv1 192.168.0.77:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-ci
# http-request set-header Host cix.beyondbell.com:8111
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 192.168.0.73:8111
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-git backend bk_beyondbell-git
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-ci
http-request set-header Host cix.beyondbell.com:8111
reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
server srv1 cix.beyondbell.com:8111
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-repo backend bk_beyondbell-repo
# http-request set-header Host 192.168.0.75:8080 # http-request set-header Host 192.168.0.75:8081
reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2 # http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2 # http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
server srv1 192.168.0.75:8080
rspadd X-Frame-Options:\ SAMEORIGIN
backend bk_beyondbell-gs server srv1 192.168.0.75:8081
http-response add-header X-Frame-Options: SAMEORIGIN
# http-response del-header Strict-Transport-Security
# http-response add-header Content-Security-Policy: upgrade-insecure-requests
backend bk_beyondbell-web-moonglade
server srv1 192.168.0.74:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-web-moonglade-private
server srv1 192.168.0.74:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-r-windows
server srv1 192.168.0.85:4000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-windows
server srv1 192.168.0.81:26900 check server srv1 192.168.0.81:26900 check
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
rspadd X-Frame-Options:\ SAMEORIGIN http-response add-header X-Frame-Options: SAMEORIGIN


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10 priority: 10
} }
pkgp121: { pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/", url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http", mirror_type: "http",
signature_type: "pubkey", signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert", pubkey: "/mnt/certs/poudriere.cert",

1
jails/config/proxy/port-fwd.sh Executable file

@ -0,0 +1 @@
ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820
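Review bot: port-fwd.sh is committed as an executable file but its only line is the `ipfw` command, with no shebang, so how it is interpreted depends on whatever invokes it; add `#!/bin/sh` as the first line. The rule is also not idempotent: every run appends another copy under rule number 10000, so precede it with `ipfw delete 10000 2>/dev/null` (or check `ipfw list 10000` first) if the script may be run more than once. A one-line comment naming the service that lives on UDP 55820 at 192.168.0.4 would spare the next reader from guessing why traffic to 192.168.0.55 is redirected there.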


@ -1,99 +1,13 @@
# Example MySQL config file for small systems.
# #
# This is for a system with little memory (<= 64M) where MySQL is only used # This group is read both by the client and the server
# from time to time and it's important that the mysqld daemon # use it for options that affect everything, see
# doesn't use much resources. # https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
# #
# MySQL programs look for option files in a set of [client-server]
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306 port = 3306
socket = /tmp/mysql.sock socket = /var/run/mysql/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
bind-address = *
port = 3306
socket = /tmp/mysql.sock
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (using the "enable-named-pipe" option) will render mysqld useless!
# #
#skip-networking # include *.cnf from the config directory
server-id = 1 #
!includedir /usr/local/etc/mysql/conf.d/
# Uncomment the following if you want to log updates
#log-bin=mysql-bin
# binary logging format - mixed recommended
binlog_format=ROW
# Causes updates to non-transactional engines using statement format to be
# written directly to binary log. Before using this option make sure that
# there are no dependencies between transactional and non-transactional
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
# t_innodb; otherwise, slaves may diverge from the master.
#binlog_direct_non_transactional_updates=TRUE
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/db/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/db/mysql-log
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = 250M
#innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 2
#innodb_lock_wait_timeout = 50
innodb_doublewrite = 0
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
log-error = /var/db/mysql-log/error.log
log_bin = /var/db/mysql-log/binlog
relay_log = /var/db/mysql-log/relay-bin
expire_logs_days = 7
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
[mysqlhotcopy]
interactive-timeout


@ -0,0 +1,90 @@
# Options specific to server applications, see
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
# Options specific to all server programs
[server]
# Options specific to MariaDB server programs
[server-mariadb]
#
# Options for specific server tools
#
[mysqld]
user = mysql
# port = 3306 # set in /usr/local/etc/mysql/my.cnf
# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
bind-address = *
basedir = /usr/local
datadir = /var/db/mysql
net_retry_count = 16384
# [mysqld] configuration for ZFS
# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
# Create separate datasets for data and logs, eg
# zroot/mysql compression=on recordsize=128k atime=off
# zroot/mysql/data recordsize=16k
# zroot/mysql/logs
datadir = /var/db/mysql
innodb_log_group_home_dir = /var/db/mysql-log
#audit_log_file = /var/db/mysql-log/audit.log
general_log_file = /var/db/mysql-log/general.log
log_bin = /var/db/mysql-log/mysql-bin
relay_log = /var/db/mysql-log/relay-log
slow_query_log_file = /var/db/mysql-log/slow.log
innodb_doublewrite = 0
innodb_flush_method = O_DSYNC
##
log-error = /var/db/mysql-log/error.log
### custom optimizations
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 64M
table_open_cache = 16
sort_buffer_size = 64K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 240K
server-id = 1
binlog_format=ROW
innodb_buffer_pool_size = 1G
innodb_io_capacity=4000
transaction-isolation = READ-COMMITTED
innodb_log_file_size = 250M
innodb_flush_log_at_trx_commit = 2
innodb_checksum_algorithm = none
slow_query_log_file = /var/db/mysql-log/slow.log
expire_logs_days = 7
###
# Options read by `mysqld_safe`
# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
[mariadb_safe]
# Options read my `mariabackup`
[mariabackup]
# Options read by `mysql_upgrade`
# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
[mariadb-upgrade]
# Specific options read by the mariabackup SST method
[sst]
# Options read by `mysqlbinlog`
# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
[mariadb-binlog]
# Options read by `mysqladmin`
# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
[mariadb-admin]
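Review bot: `datadir = /var/db/mysql` is set twice inside `[mysqld]` (once in the base settings, again at the top of the ZFS block) and `slow_query_log_file = /var/db/mysql-log/slow.log` appears in both the ZFS block and the "custom optimizations" block; MariaDB takes the last occurrence, so the copies are harmless today, but an edit to the first one would be silently overridden — keep one of each. `innodb_checksum_algorithm = none` together with `innodb_doublewrite = 0` leaves InnoDB with no page-level corruption detection of its own; that is a deliberate trade on a ZFS dataset whose block checksums are on, so say so above those lines (`# page checksums and doublewrite off: ZFS block checksums and copy-on-write cover torn/corrupt pages`), and since later MariaDB releases dropped the `none` value, confirm it against the installed version. `bind-address = *` listens on every interface and nothing in this file limits who can reach 3306, so that restriction has to come from the jail's firewall or from `skip-networking`, which the old my.cnf at least mentioned.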


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, BeyondBell.com Copyright (c) 2018-2021, BeyondBell.com
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without


@ -1,6 +1,6 @@
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
Copyright (c) 2018-2020, BeyondBell.com Copyright (c) 2018-2021, BeyondBell.com
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without


@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
priority: 10 priority: 10
} }
pkgp121: { pkgp122: {
url: "http://pkgp.ahlawat.com/packages/pj121-default/", url: "http://pkgp.ahlawat.com/packages/pj122-default/",
mirror_type: "http", mirror_type: "http",
signature_type: "pubkey", signature_type: "pubkey",
pubkey: "/mnt/certs/poudriere.cert", pubkey: "/mnt/certs/poudriere.cert",


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@ -18,6 +18,16 @@ ifconfig bridge1 addm tap82 up
ifconfig tap82 up ifconfig tap82 up
ifconfig tap82 inet6 auto_linklocal ifconfig tap82 inet6 auto_linklocal
ifconfig tap1082 create
ifconfig bridge10 addm tap1082 up
ifconfig tap1082 up
ifconfig tap1082 inet6 auto_linklocal
ifconfig tap2082 create
ifconfig bridge9 addm tap2082 up
ifconfig tap2082 up
ifconfig tap2082 inet6 auto_linklocal
ifconfig tap83 create ifconfig tap83 create
ifconfig bridge1 addm tap83 up ifconfig bridge1 addm tap83 up
ifconfig tap83 up ifconfig tap83 up
@ -33,6 +43,21 @@ ifconfig bridge1 addm tap85 up
ifconfig tap85 up ifconfig tap85 up
ifconfig tap85 inet6 auto_linklocal ifconfig tap85 inet6 auto_linklocal
ifconfig tap86 create
ifconfig bridge1 addm tap86 up
ifconfig tap86 up
ifconfig tap86 inet6 auto_linklocal
ifconfig tap1086 create
ifconfig bridge10 addm tap1086 up
ifconfig tap1086 up
ifconfig tap1086 inet6 auto_linklocal
ifconfig tap2086 create
ifconfig bridge9 addm tap2086 up
ifconfig tap2086 up
ifconfig tap2086 inet6 auto_linklocal
ifconfig tap90 create ifconfig tap90 create
ifconfig bridge1 addm tap90 up ifconfig bridge1 addm tap90 up
ifconfig tap90 up ifconfig tap90 up
@ -42,3 +67,33 @@ ifconfig tap190 create
ifconfig bridge2 addm tap190 up ifconfig bridge2 addm tap190 up
ifconfig tap190 up ifconfig tap190 up
ifconfig tap190 inet6 auto_linklocal ifconfig tap190 inet6 auto_linklocal
ifconfig tap97 create
ifconfig bridge1 addm tap97 up
ifconfig tap97 up
ifconfig tap97 inet6 auto_linklocal
ifconfig tap1097 create
ifconfig bridge10 addm tap1097 up
ifconfig tap1097 up
ifconfig tap1097 inet6 auto_linklocal
ifconfig tap2097 create
ifconfig bridge9 addm tap2097 up
ifconfig tap2097 up
ifconfig tap2097 inet6 auto_linklocal
ifconfig tap96 create
ifconfig bridge1 addm tap96 up
ifconfig tap96 up
ifconfig tap96 inet6 auto_linklocal
ifconfig tap1096 create
ifconfig bridge10 addm tap1096 up
ifconfig tap1096 up
ifconfig tap1096 inet6 auto_linklocal
ifconfig tap2096 create
ifconfig bridge9 addm tap2096 up
ifconfig tap2096 up
ifconfig tap2096 inet6 auto_linklocal
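Review bot: The eleven new tap blocks (tap1082/tap2082 after tap82, tap86/tap1086/tap2086 before tap90, tap97/tap1097/tap2097/tap96/tap1096/tap2096 at the end) repeat the same four `ifconfig` lines with only the interface name and bridge changing; a small helper keeps each VM's wiring to one line per tap and removes the chance of a typo in one of the four commands. The script also assumes the interfaces do not exist yet: on FreeBSD `ifconfig tapN create` fails with "File exists" when the tap is already present, so a re-run after first boot prints one error per tap — if re-running is ever intended, `ifconfig "$1" create 2>/dev/null` inside the helper covers it.
```shell
# mktap NAME BRIDGE: create tap NAME, attach it to BRIDGE, bring it up with an IPv6 link-local address
mktap() {
    ifconfig "$1" create
    ifconfig "$2" addm "$1" up
    ifconfig "$1" up
    ifconfig "$1" inet6 auto_linklocal
}
# … unchanged: existing tap82 / tap83 / tap85 / tap90 / tap190 blocks …
mktap tap1082 bridge10
mktap tap2082 bridge9
mktap tap86   bridge1
mktap tap1086 bridge10
mktap tap2086 bridge9
mktap tap97   bridge1
mktap tap1097 bridge10
mktap tap2097 bridge9
mktap tap96   bridge1
mktap tap1096 bridge10
mktap tap2096 bridge9
```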

70
jails/config/vm/cvm-a.sh Executable file

@ -0,0 +1,70 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# ./cvm-a.sh under tmux
# clean cached state
bhyvectl --destroy --vm=cvm-a
while true
do
bhyve -c 4 -m 16G -A -H -P \
-s 0,hostbridge \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
-s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
-s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
-s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
-s 30,xhci,tablet \
-s 31,lpc -l com1,/dev/nmdm97A \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
cvm-a
bhyve_exit=$?
# bhyve returns the following status codes:
# 0 - VM has been reset
# 1 - VM has been powered off
# 2 - VM has been halted
# 3 - VM generated a triple fault
# all other non-zero status codes are errors
#
if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
then
break
fi
echo `date` - restarting cvm-a in 5 seconds - press ctrl-c to stop
sleep 5
done
exit $?
# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
# bhyvectl --get-all --vm=cvm-a
# cu -l /dev/nmdm97B
# (This uses cu() so press ~+Ctrl-D to exit)
#on base system:
#zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
#zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
# on boot
#ifconfig tap97 create
#ifconfig bridge1 addm tap97 up
#ifconfig tap97 up
#ifconfig tap97 inet6 auto_linklocal
#ifconfig tap1097 create
#ifconfig bridge10 addm tap1097 up
#ifconfig tap1097 up
#ifconfig tap1097 inet6 auto_linklocal
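Review bot: `exit $?` on the line after `done` never returns the status the loop just recorded: the loop is left through `break`, so `$?` is 0 there and a caller cannot tell a power-off (1) from a halt (2); the line should read `exit $bhyve_exit`. The framebuffer line `-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900` exposes the guest console on every host interface with no authentication at all; binding it to loopback (`tcp=127.0.0.1:5997`) and reaching it over SSH keeps it off the LAN, and bhyve(8)'s `password=` option is documented there as cryptographically weak, so it is not a substitute — whether a host firewall filters that port is not visible in this commit. Both points apply unchanged to cvm-b.sh (port 5996) and kali.sh (port 5986) in the same commit.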

70
jails/config/vm/cvm-b.sh Executable file

@ -0,0 +1,70 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# ./cvm-b.sh under tmux
# clean cached state
bhyvectl --destroy --vm=cvm-b
while true
do
bhyve -c 4 -m 16G -A -H -P \
-s 0,hostbridge \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
-s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
-s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
-s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
-s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
-s 30,xhci,tablet \
-s 31,lpc -l com1,/dev/nmdm96A \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
cvm-b
bhyve_exit=$?
# bhyve returns the following status codes:
# 0 - VM has been reset
# 1 - VM has been powered off
# 2 - VM has been halted
# 3 - VM generated a triple fault
# all other non-zero status codes are errors
#
if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
then
break
fi
echo `date` - restarting cvm-b in 5 seconds - press ctrl-c to stop
sleep 5
done
exit $?
# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
# bhyvectl --get-all --vm=cvm-b
# cu -l /dev/nmdm96B
# (This uses cu() so press ~+Ctrl-D to exit)
#on base system:
#zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
#zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
# on boot
#ifconfig tap96 create
#ifconfig bridge1 addm tap96 up
#ifconfig tap96 up
#ifconfig tap96 inet6 auto_linklocal
#ifconfig tap1096 create
#ifconfig bridge10 addm tap1096 up
#ifconfig tap1096 up
#ifconfig tap1096 inet6 auto_linklocal


@ -1,6 +1,6 @@
#!/usr/local/bin/bash #!/usr/local/bin/bash
# Copyright (c) 2018-2020, diyIT.org # Copyright (c) 2018-2021, diyIT.org
# All rights reserved. # All rights reserved.
# #
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

77
jails/config/vm/kali.sh Executable file

@ -0,0 +1,77 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
# ./kali.sh under tmux
# clean cached state
bhyvectl --destroy --vm=kali
while true
do
bhyve -c 2 -m 4G -A -H -P \
-s 0,hostbridge \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/kali \
-s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
-s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
-s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
-s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
-s 30,xhci,tablet \
-s 31,lpc -l com1,/dev/nmdm86A \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
kali
bhyve_exit=$?
# bhyve returns the following status codes:
# 0 - VM has been reset
# 1 - VM has been powered off
# 2 - VM has been halted
# 3 - VM generated a triple fault
# all other non-zero status codes are errors
#
if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
then
break
fi
echo `date` - restarting kali in 5 seconds - press ctrl-c to stop
sleep 5
done
exit $?
#-s 3,ahci-cd,/mnt/linux/kali-linux-2020.4-installer-amd64.iso \
##-s 6,virtio-blk,/dev/zvol/ship/raw/kali_data \
# bhyvectl --get-all --vm=kali
# cu -l /dev/nmdm86B
# (This uses cu() so press ~+Ctrl-D to exit)
#on base system:
#zfs create -V 128G -o refreservation=none ship/raw/kali
##zfs create -V 128G -o refreservation=none ship/raw/kali_data
# on boot
#ifconfig tap86 create
#ifconfig bridge1 addm tap86 up
#ifconfig tap86 up
#ifconfig tap86 inet6 auto_linklocal
#ifconfig tap1086 create
#ifconfig bridge10 addm tap1086 up
#ifconfig tap1086 up
#ifconfig tap1086 inet6 auto_linklocal
# Install VNC
# curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download#
# sudo apt install gdebi-core
# sudo gdebi turbovnc_2.2.5_amd64.deb
# sudo killall Xvnc; /opt/TurboVNC/bin/vncserver -name kali -geometry 1920x1080 :4
# systemctl enable ssh.service; service ssh start
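Review bot: The install recipe in the trailing comments downloads `turbovnc_2.2.5_amd64.deb` from SourceForge and hands it straight to `sudo gdebi` with nothing checking what was fetched; record the expected digest next to the command and verify it before installing, e.g. `# expected sha256: <DIGEST-PLACEHOLDER>` above the `curl` line followed by `# sha256sum turbovnc_2.2.5_amd64.deb` so a mirror swap or truncated download is caught. The `#` at the end of the `curl` URL is a fragment and does nothing; drop it so the line can be copied as-is. These lines are commentary rather than executed code, so this is a documentation fix only.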
