updated for FreeBSD 12.2

diyit-org-license.txt

@@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

jails/config/atm/afp.conf

@@ -1,32 +1,63 @@
 ;
 ; Netatalk 3.x configuration file
-;
+; http://netatalk.sourceforge.net/3.1/htmldocs/afp.conf.5.html
 
 [Global]
 ; Global server settings
 hostname = atm
-hosts allow = 192.168.0.0/24,192.168.100.0/24
+afp listen = ::
-afp listen = 0.0.0.0
+mimic model = TimeCapsule6,106
+uam list = uams_guest.so uams_dhx2_passwd.so
+; locate uam # show all the uam modules
+
+force xattr with sticky bit = yes
+
 zeroconf = yes
+afpstats = yes
+
+ldap auth method = simple
+;ldap auth dn = cn=admin,dc=infra
+;ldap auth pw = notrequired
+ldap server = ldap.ahlawat.com
+
+ldap name attr = cn
+ldap userbase = ou=people,dc=infra
+ldap userscope = one
+ldap uuid attr = uidNumber
+
+ldap group attr = cn
+ldap groupbase = ou=group,dc=infra
+ldap groupscope = one
+;ldap uuid attr = gidNumber #this is used both for users and groups.
+
+; You can comment these 2 lines when your setup is working
+;log level = default:maxdebug,afpdaemon:maxdebug,logger:maxdebug,uamsdaemon:maxdebug
+log file = /var/log/afpd.log
+
+[default_for_all_vol]
+cnid scheme = dbd
+appledouble = ea
+ea = ad
 
 ; [Homes]
 ; basedir regex = /xxxx
 
-; [My AFP Volume]
+[Sharad]
-; path = /path/to/volume
-
-[Sharad Time Machine Volume]
 path = /mnt/sharad
+valid users = sharad
 time machine = yes
 
-[Rachna Time Machine Volume]
+[Rachna]
 path = /mnt/rachna
+valid users = rachna
 time machine = yes
 
-[Nivi Time Machine Volume]
+[Nivi]
 path = /mnt/nivi
+valid users = nivi
 time machine = yes
 
-[Rishabh Time Machine Volume]
+[Rishabh]
 path = /mnt/rishabh
+valid users = rishabh
 time machine = yes

jails/config/atm/afpd.service

@@ -0,0 +1,14 @@
+<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+<service-group>
+    <name replace-wildcards="yes">%h</name>
+    <service>
+        <type>_afpovertcp._tcp</type>
+        <port>548</port>
+    </service>
+    <service>
+        <type>_device-info._tcp</type>
+        <port>0</port>
+        <txt-record>model=Xserve</txt-record>
+    </service>
+</service-group>

jails/config/atm/ldap.conf

@@ -0,0 +1,15 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	ou=people,dc=infra
+URI	ldaps://ldap.ahlawat.com:636
+ssl start_tls
+tls_cacert /mnt/certs/cacert.pem
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never

jails/config/atm/netatalk

@@ -0,0 +1,3 @@
+auth    required        /usr/local/lib/pam_ldap.so     try_first_pass
+account required        /usr/local/lib/pam_ldap.so     try_first_pass
+session required        /usr/local/lib/pam_ldap.so

jails/config/atm/nslcd.conf

@@ -0,0 +1,142 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri ldaps://ldap.ahlawat.com:636
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base ou=people,dc=infra
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=example,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+#bindpw secret
+
+# The distinguished name to perform password modifications by root by.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# The default search scope.
+#scope sub
+scope one
+#scope base
+
+# Customize certain database lookups.
+#base   group  ou=Groups,dc=example,dc=com
+#base   passwd ou=People,dc=example,dc=com
+#base   shadow ou=People,dc=example,dc=com
+#scope  group  onelevel
+#scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+tls_cacertdir /mnt/certs
+tls_cacertfile /mnt/certs/cacert.pem
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Mappings for Services for UNIX 3.5
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFU30Name
+#map    passwd userPassword     msSFU30Password
+#map    passwd homeDirectory    msSFU30HomeDirectory
+#map    passwd homeDirectory    msSFUHomeDirectory
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFU30Name
+#map    shadow userPassword     msSFU30Password
+#filter group  (objectClass=Group)
+#map    group  member           msSFU30PosixMember
+
+# Mappings for Services for UNIX 2.0
+#filter passwd (objectClass=User)
+#map    passwd uid              msSFUName
+#map    passwd userPassword     msSFUPassword
+#map    passwd homeDirectory    msSFUHomeDirectory
+#map    passwd gecos            msSFUName
+#filter shadow (objectClass=User)
+#map    shadow uid              msSFUName
+#map    shadow userPassword     msSFUPassword
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=Group)
+#map    group  member           posixMember
+
+# Mappings for Active Directory
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    passwd uid              sAMAccountName
+#map    passwd homeDirectory    unixHomeDirectory
+#map    passwd gecos            displayName
+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
+#map    shadow uid              sAMAccountName
+#map    shadow shadowLastChange pwdLastSet
+#filter group  (objectClass=group)
+
+# Alternative mappings for Active Directory
+# (replace the SIDs in the objectSid mappings with the value for your domain)
+#pagesize 1000
+#referrals off
+#idle_timelimit 800
+#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
+#map    passwd uid           cn
+#map    passwd uidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map    passwd gidNumber     objectSid:S-1-5-21-3623811015-3361044348-30300820
+#map    passwd homeDirectory "/home/$cn"
+#map    passwd gecos         displayName
+#map    passwd loginShell    "/bin/bash"
+#filter group (|(objectClass=group)(objectClass=person))
+#map    group gidNumber      objectSid:S-1-5-21-3623811015-3361044348-30300820
+
+# Mappings for AIX SecureWay
+#filter passwd (objectClass=aixAccount)
+#map    passwd uid              userName
+#map    passwd userPassword     passwordChar
+#map    passwd uidNumber        uid
+#map    passwd gidNumber        gid
+#filter group  (objectClass=aixAccessGroup)
+#map    group  cn               groupName
+#map    group  gidNumber        gid

jails/config/atm/nsswitch.conf

@@ -0,0 +1,18 @@
+#
+# nsswitch.conf(5) - name service switch configuration file
+# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
+#
+#group: compat
+group: files ldap
+group_compat: nis
+hosts: files dns
+netgroup: compat
+networks: files
+#passwd: compat
+passwd: files ldap
+passwd_compat: nis
+shells: files
+services: compat
+services_compat: nis
+protocols: files
+rpc: files

jails/config/atm/pam_ldap.conf

@@ -0,0 +1,17 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE	ou=people,dc=infra
+URI	ldaps://ldap.ahlawat.com:636
+ssl start_tls
+tls_cacert /mnt/certs/cacert.pem
+
+pam_login_attribute cn
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never

jails/config/atm/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/atm/sshd

@@ -0,0 +1,28 @@
+#
+# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn allow_local
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn
+auth		required	pam_unix.so		no_warn try_first_pass
+
+# account
+account		required	pam_nologin.so
+#account	required	pam_krb5.so
+account		required	pam_login_access.so
+account     required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
+account		required	pam_unix.so
+
+# session
+#session	optional	pam_ssh.so		want_agent
+session		required	pam_permit.so
+
+# password
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
+password	required	pam_unix.so		no_warn try_first_pass

jails/config/auto/portfolio

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/auto/producthunt

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/book/cps

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/cam/camserver

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/cert/backup.sh

@@ -0,0 +1 @@
+cp -r /root/.acme.sh /mnt/config/secret/

jails/config/common/freebsd-update.conf

@@ -0,0 +1,77 @@
+# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+
+# Trusted keyprint.  Changing this is a Bad Idea unless you've received
+# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
+# change it and explaining why.
+KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
+
+# Server or server pool from which to fetch updates.  You can change
+# this to point at a specific server if you want, but in most cases
+# using a "nearby" server won't provide a measurable improvement in
+# performance.
+ServerName update.FreeBSD.org
+
+# Components of the base system which should be kept updated.
+#Components src world
+Components world
+
+# Example for updating the userland and the kernel source code only:
+# Components src/base src/sys world
+
+# Paths which start with anything matching an entry in an IgnorePaths
+# statement will be ignored.
+IgnorePaths
+
+# Paths which start with anything matching an entry in an IDSIgnorePaths
+# statement will be ignored by "freebsd-update IDS".
+IDSIgnorePaths /usr/share/man/cat
+IDSIgnorePaths /usr/share/man/whatis
+IDSIgnorePaths /var/db/locate.database
+IDSIgnorePaths /var/log
+
+# Paths which start with anything matching an entry in an UpdateIfUnmodified
+# statement will only be updated if the contents of the file have not been
+# modified by the user (unless changes are merged; see below).
+UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
+
+# When upgrading to a new FreeBSD release, files which match MergeChanges
+# will have any local changes merged into the version from the new release.
+MergeChanges /etc/ /boot/device.hints
+
+### Default configuration options:
+
+# Directory in which to store downloaded updates and temporary
+# files used by FreeBSD Update.
+# WorkDir /var/db/freebsd-update
+
+# Destination to send output of "freebsd-update cron" if an error
+# occurs or updates have been downloaded.
+# MailTo root
+
+# Is FreeBSD Update allowed to create new files?
+# AllowAdd yes
+
+# Is FreeBSD Update allowed to delete files?
+# AllowDelete yes
+
+# If the user has modified file ownership, permissions, or flags, should
+# FreeBSD Update retain this modified metadata when installing a new version
+# of that file?
+# KeepModifiedMetadata yes
+
+# When upgrading between releases, should the list of Components be
+# read strictly (StrictComponents yes) or merely as a list of components
+# which *might* be installed of which FreeBSD Update should figure out
+# which actually are installed and upgrade those (StrictComponents no)?
+# StrictComponents no
+
+# When installing a new kernel perform a backup of the old one first
+# so it is possible to boot the old kernel in case of problems.
+# BackupKernel yes
+
+# If BackupKernel is enabled, the backup kernel is saved to this
+# directory.
+# BackupKernelDir /boot/kernel.old
+
+# When backing up a kernel also back up debug symbol files?
+# BackupKernelSymbolFiles no

jails/config/common/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/common/snip-sendmail.sh

@@ -1,6 +1,6 @@
 #! /usr/local/bin/bash
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/common/sshd_config

@@ -1,5 +1,5 @@
 #	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-#	$FreeBSD: releng/12.1/crypto/openssh/sshd_config 338561 2018-09-10 16:20:12Z des $
+#	$FreeBSD: releng/12.2/crypto/openssh/sshd_config 360313 2020-04-25 15:38:48Z emaste $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -105,7 +105,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PermitTunnel no
 #ChrootDirectory none
 #UseBlacklist no
-#VersionAddendum FreeBSD-20180909
+#VersionAddendum FreeBSD-20200214
 
 # no default banner path
 #Banner none

jails/config/common/vncserver

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/db/my.cnf

@@ -1,99 +1,13 @@
-# Example MySQL config file for small systems.
 #
-# This is for a system with little memory (<= 64M) where MySQL is only used
+# This group is read both by the client and the server
-# from time to time and it's important that the mysqld daemon
+# use it for options that affect everything, see
-# doesn't use much resources.
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
 #
-# MySQL programs look for option files in a set of
+[client-server]
-# locations which depend on the deployment platform.
+port	= 3306
-# You can copy this option file to one of those
+socket	= /var/run/mysql/mysql.sock
-# locations. For information about these locations, see:
+
-# http://dev.mysql.com/doc/mysql/en/option-files.html
 #
-# In this file, you can use all long options that a program supports.
+# include *.cnf from the config directory
-# If you want to know which options a program supports, run the program
+#
-# with the "--help" option.
+!includedir /usr/local/etc/mysql/conf.d/
-
-# The following options will be passed to all MySQL clients
-[client]
-#password	= your_password
-port		= 3306
-socket		= /tmp/mysql.sock
-
-# Here follows entries for some specific programs
-
-# The MySQL server
-[mysqld]
-bind-address    = *
-port		= 3306
-socket		= /tmp/mysql.sock
-skip-external-locking
-key_buffer_size = 16K
-max_allowed_packet = 64M
-table_open_cache = 16
-sort_buffer_size = 64K
-read_buffer_size = 256K
-read_rnd_buffer_size = 256K
-net_buffer_length = 2K
-thread_stack = 240K
-
-# Don't listen on a TCP/IP port at all. This can be a security enhancement,
-# if all processes that need to connect to mysqld run on the same host.
-# All interaction with mysqld must be made via Unix sockets or named pipes.
-# Note that using this option without enabling named pipes on Windows
-# (using the "enable-named-pipe" option) will render mysqld useless!
-# 
-#skip-networking
-server-id	= 1
-
-# Uncomment the following if you want to log updates
-#log-bin=mysql-bin
-
-# binary logging format - mixed recommended
-binlog_format=ROW
-
-# Causes updates to non-transactional engines using statement format to be
-# written directly to binary log. Before using this option make sure that
-# there are no dependencies between transactional and non-transactional
-# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
-# t_innodb; otherwise, slaves may diverge from the master.
-#binlog_direct_non_transactional_updates=TRUE
-
-# Uncomment the following if you are using InnoDB tables
-#innodb_data_home_dir = /var/db/mysql
-#innodb_data_file_path = ibdata1:10M:autoextend
-innodb_log_group_home_dir = /var/db/mysql-log
-# You can set .._buffer_pool_size up to 50 - 80 %
-# of RAM but beware of setting memory usage too high
-innodb_buffer_pool_size = 1G
-innodb_io_capacity=4000
-transaction-isolation = READ-COMMITTED
-# Set .._log_file_size to 25 % of buffer pool size
-innodb_log_file_size = 250M
-#innodb_log_buffer_size = 8M
-innodb_flush_log_at_trx_commit = 2
-#innodb_lock_wait_timeout = 50
-
-innodb_doublewrite = 0
-innodb_checksum_algorithm = none
-slow_query_log_file = /var/db/mysql-log/slow.log
-log-error = /var/db/mysql-log/error.log
-log_bin = /var/db/mysql-log/binlog
-relay_log = /var/db/mysql-log/relay-bin
-expire_logs_days = 7
-
-[mysqldump]
-quick
-max_allowed_packet = 16M
-
-[mysql]
-no-auto-rehash
-# Remove the next comment character if you are not familiar with SQL
-#safe-updates
-
-[myisamchk]
-key_buffer_size = 8M
-sort_buffer_size = 8M
-
-[mysqlhotcopy]
-interactive-timeout

jails/config/db/my.cnf.oldversion

@@ -0,0 +1,99 @@
+# Example MySQL config file for small systems.
+#
+# This is for a system with little memory (<= 64M) where MySQL is only used
+# from time to time and it's important that the mysqld daemon
+# doesn't use much resources.
+#
+# MySQL programs look for option files in a set of
+# locations which depend on the deployment platform.
+# You can copy this option file to one of those
+# locations. For information about these locations, see:
+# http://dev.mysql.com/doc/mysql/en/option-files.html
+#
+# In this file, you can use all long options that a program supports.
+# If you want to know which options a program supports, run the program
+# with the "--help" option.
+
+# The following options will be passed to all MySQL clients
+[client]
+#password	= your_password
+port		= 3306
+socket		= /tmp/mysql.sock
+
+# Here follows entries for some specific programs
+
+# The MySQL server
+[mysqld]
+bind-address    = *
+port		= 3306
+socket		= /tmp/mysql.sock
+skip-external-locking
+key_buffer_size = 16K
+max_allowed_packet = 64M
+table_open_cache = 16
+sort_buffer_size = 64K
+read_buffer_size = 256K
+read_rnd_buffer_size = 256K
+net_buffer_length = 2K
+thread_stack = 240K
+
+# Don't listen on a TCP/IP port at all. This can be a security enhancement,
+# if all processes that need to connect to mysqld run on the same host.
+# All interaction with mysqld must be made via Unix sockets or named pipes.
+# Note that using this option without enabling named pipes on Windows
+# (using the "enable-named-pipe" option) will render mysqld useless!
+# 
+#skip-networking
+server-id	= 1
+
+# Uncomment the following if you want to log updates
+#log-bin=mysql-bin
+
+# binary logging format - mixed recommended
+binlog_format=ROW
+
+# Causes updates to non-transactional engines using statement format to be
+# written directly to binary log. Before using this option make sure that
+# there are no dependencies between transactional and non-transactional
+# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
+# t_innodb; otherwise, slaves may diverge from the master.
+#binlog_direct_non_transactional_updates=TRUE
+
+# Uncomment the following if you are using InnoDB tables
+#innodb_data_home_dir = /var/db/mysql
+#innodb_data_file_path = ibdata1:10M:autoextend
+innodb_log_group_home_dir = /var/db/mysql-log
+# You can set .._buffer_pool_size up to 50 - 80 %
+# of RAM but beware of setting memory usage too high
+innodb_buffer_pool_size = 1G
+innodb_io_capacity=4000
+transaction-isolation = READ-COMMITTED
+# Set .._log_file_size to 25 % of buffer pool size
+innodb_log_file_size = 250M
+#innodb_log_buffer_size = 8M
+innodb_flush_log_at_trx_commit = 2
+#innodb_lock_wait_timeout = 50
+
+innodb_doublewrite = 0
+innodb_checksum_algorithm = none
+slow_query_log_file = /var/db/mysql-log/slow.log
+log-error = /var/db/mysql-log/error.log
+log_bin = /var/db/mysql-log/binlog
+relay_log = /var/db/mysql-log/relay-bin
+expire_logs_days = 7
+
+[mysqldump]
+quick
+max_allowed_packet = 16M
+
+[mysql]
+no-auto-rehash
+# Remove the next comment character if you are not familiar with SQL
+#safe-updates
+
+[myisamchk]
+key_buffer_size = 8M
+sort_buffer_size = 8M
+
+[mysqlhotcopy]
+interactive-timeout

jails/config/db/server.cnf

@@ -0,0 +1,90 @@
+# Options specific to server applications, see
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
+
+# Options specific to all server programs
+[server]
+
+# Options specific to MariaDB server programs
+[server-mariadb]
+
+#
+# Options for specific server tools
+#
+
+[mysqld]
+user				= mysql
+# port				= 3306 # set in /usr/local/etc/mysql/my.cnf
+# socket			= /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
+bind-address			= *
+basedir				= /usr/local
+datadir				= /var/db/mysql
+net_retry_count			= 16384
+# [mysqld] configuration for ZFS
+# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
+# Create separate datasets for data and logs, eg
+# zroot/mysql      compression=on recordsize=128k atime=off
+# zroot/mysql/data recordsize=16k
+# zroot/mysql/logs
+datadir = /var/db/mysql
+innodb_log_group_home_dir	= /var/db/mysql-log
+#audit_log_file		= /var/db/mysql-log/audit.log
+general_log_file		= /var/db/mysql-log/general.log
+log_bin			= /var/db/mysql-log/mysql-bin
+relay_log			= /var/db/mysql-log/relay-log
+slow_query_log_file		= /var/db/mysql-log/slow.log
+innodb_doublewrite		= 0
+innodb_flush_method		= O_DSYNC
+
+##
+log-error = /var/db/mysql-log/error.log
+
+
+### custom optimizations
+skip-external-locking
+key_buffer_size = 16K
+max_allowed_packet = 64M
+table_open_cache = 16
+sort_buffer_size = 64K
+read_buffer_size = 256K
+read_rnd_buffer_size = 256K
+net_buffer_length = 2K
+thread_stack = 240K
+
+server-id   = 1
+binlog_format=ROW
+
+innodb_buffer_pool_size = 1G
+innodb_io_capacity=4000
+transaction-isolation = READ-COMMITTED
+innodb_log_file_size = 250M
+innodb_flush_log_at_trx_commit = 2
+innodb_checksum_algorithm = none
+
+slow_query_log_file = /var/db/mysql-log/slow.log
+
+expire_logs_days = 7
+###
+
+
+# Options read by `mysqld_safe`
+# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
+[mariadb_safe]
+
+# Options read my `mariabackup`
+[mariabackup]
+
+# Options read by `mysql_upgrade`
+# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
+[mariadb-upgrade]
+
+# Specific options read by the mariabackup SST method
+[sst]
+
+# Options read by `mysqlbinlog`
+# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
+[mariadb-binlog]
+
+# Options read by `mysqladmin`
+# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
+[mariadb-admin]
+

jails/config/elk/elasticsearch.yml

@@ -36,7 +36,6 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
 xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
 xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
 xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
-
 #
 # ----------------------------------- Paths ------------------------------------
 #
@@ -76,16 +75,17 @@ network.host: _epair0b_
 #
 # --------------------------------- Discovery ----------------------------------
 #
-# Pass an initial list of hosts to perform discovery when new node is started:
+# Pass an initial list of hosts to perform discovery when this node is started:
 # The default list of hosts is ["127.0.0.1", "[::1]"]
 #
-#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
+#discovery.seed_hosts: ["host1", "host2"]
 #
-# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
+# Bootstrap the cluster using an initial set of master-eligible nodes:
 #
-#discovery.zen.minimum_master_nodes: 
+cluster.initial_master_nodes: ["node-1"]
+#cluster.initial_master_nodes: ["node-1", "node-2"]
 #
-# For more information, consult the zen discovery module documentation.
+# For more information, consult the discovery and cluster formation module documentation.
 #
 # ---------------------------------- Gateway -----------------------------------
 #

jails/config/elk/fstab

@@ -0,0 +1,2 @@
+fdesc   /dev/fd     fdescfs     rw,auto  0   0
+proc    /proc       procfs      rw,auto  0   0

jails/config/elk/heartbeat.yml

@@ -24,8 +24,7 @@ heartbeat.monitors:
 - type: http
 
   # List or urls to query
-  #urls: ["http://localhost:9200"]
+  urls: ["https://cloud.google.com","https://azure.microsoft.com","https://aws.amazon.com"]
-  urls: ["https://google.com","https://aws.amazon.com"]
 
   # Configure task schedule
   schedule: '@every 10s'
@@ -56,46 +55,6 @@ setup.template.settings:
 #  env: staging
 
 
-#================================= Paths ======================================
-
-# The home path for the filebeat installation. This is the default base path
-# for all other path settings and for miscellaneous files that come with the
-# distribution (for example, the sample dashboards).
-# If not set by a CLI flag or in the configuration file, the default for the
-# home path is the location of the binary.
-#path.home:
-
-# The configuration path for the filebeat installation. This is the default
-# base path for configuration files, including the main YAML configuration file
-# and the Elasticsearch template file. If not set by a CLI flag or in the
-# configuration file, the default for the configuration path is the home path.
-#path.config: ${path.home}
-
-# The data path for the filebeat installation. This is the default base path
-# for all the files in which filebeat needs to store its data. If not set by a
-# CLI flag or in the configuration file, the default for the data path is a data
-# subdirectory inside the home path.
-#path.data: ${path.home}/data
-
-# The logs path for a filebeat installation. This is the default location for
-# the Beat's log files. If not set by a CLI flag or in the configuration file,
-# the default for the logs path is a logs subdirectory inside the home path.
-#path.logs: ${path.home}/logs
-
-
-#============================== Dashboards =====================================
-# These settings control loading the sample dashboards to the Kibana index. Loading
-# the dashboards is disabled by default and can be enabled either by setting the
-# options here, or by using the `-setup` CLI flag or the `setup` command.
-#setup.dashboards.enabled: false
-#setup.dashboards.enabled: true
-
-# The URL from where to download the dashboards archive. By default this URL
-# has a value which is computed based on the Beat name and version. For released
-# versions, this URL points to the dashboard archive on the artifacts.elastic.co
-# website.
-#setup.dashboards.url:
-
 #============================== Kibana =====================================
 
 # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
@@ -106,9 +65,7 @@ setup.kibana:
   # Scheme and port can be left out and will be set to the default (http and 5601)
   # In case you specify and additional path, the scheme is required: http://localhost:5601/path
   # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
-  #host: "localhost:5601"
+  host: "http://elk.diyit.org:5601"
-  #host: "https://kibanax.diyit.org:443"
-  host: "http://kibanax.diyit.org:5601"
 
   # Kibana Space ID
   # ID of the Kibana Space into which the dashboards should be loaded. By default,
@@ -117,7 +74,7 @@ setup.kibana:
 
 #============================= Elastic Cloud ==================================
 
-# These settings simplify using heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
+# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
 
 # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
 # `setup.kibana.host` options.
@@ -137,36 +94,40 @@ setup.kibana:
   # Array of hosts to connect to.
   #hosts: ["localhost:9200"]
 
-  # Enabled ilm (beta) to use index lifecycle management instead daily indices.
+  # Protocol - either `http` (default) or `https`.
-  #ilm.enabled: false
-
-  # Optional protocol and basic auth credentials.
   #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
   #username: "elastic"
   #password: "changeme"
 
 #----------------------------- Logstash output --------------------------------
 output.logstash:
   # The Logstash hosts
-  hosts: ["kibanax.diyit.org:5044"]
+  hosts: ["elk.diyit.org:5044"]
 
   # Optional SSL. By default is off.
   # List of root certificates for HTTPS server verifications
-  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+  #ssl.certificate_authorities: ["/mnt/certs/cacert.pem"]
 
   # Certificate for SSL client authentication
-  #ssl.certificate: "/etc/pki/client/cert.pem"
+  #ssl.certificate: "/mnt/certs/diyfullchain.pem"
 
   # Client Certificate Key
-  #ssl.key: "/etc/pki/client/cert.key"
+  #ssl.key: "/mnt/certs/diyprivkeyr.pem"
 
 #================================ Processors =====================================
 
-# Configure processors to enhance or manipulate events generated by the beat.
-
 processors:
-  - add_host_metadata: ~
+  - add_observer_metadata:
-  - add_cloud_metadata: ~
+  # Optional, but recommended geo settings for the location Heartbeat is running in
+  #geo:
+    # Token describing this location
+    #name: us-east-1a
+
+    # Lat, Lon "
+    #location: "37.926868, -78.024902"
 
 #================================ Logging =====================================
 
@@ -178,20 +139,30 @@ processors:
 # To enable all selectors use ["*"]. Examples of other selectors are "beat",
 # "publish", "service".
 #logging.selectors: ["*"]
-logging.to_syslog: true
-logging.to_files: false
 
-#============================== Xpack Monitoring ===============================
+#============================== X-Pack Monitoring ===============================
 # heartbeat can export internal metrics to a central Elasticsearch monitoring
 # cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
 # reporting is disabled by default.
 
 # Set to true to enable the monitoring reporter.
-#xpack.monitoring.enabled: false
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
 
 # Uncomment to send the metrics to Elasticsearch. Most settings from the
-# Elasticsearch output are accepted here as well. Any setting that is not set is
+# Elasticsearch output are accepted here as well.
-# automatically inherited from the Elasticsearch output configuration, so if you
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
-# have the Elasticsearch output configured, you can simply uncomment the
+# Any setting that is not set is automatically inherited from the Elasticsearch
-# following line.
+# output configuration, so if you have the Elasticsearch output configured such
-#xpack.monitoring.elasticsearch:
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true

jails/config/elk/jvm.options

@@ -0,0 +1,77 @@
+## JVM configuration
+
+################################################################
+## IMPORTANT: JVM heap size
+################################################################
+##
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## for more information
+##
+################################################################
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
+-Xms4g
+-Xmx4g
+
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+
+## GC configuration
+8-13:-XX:+UseConcMarkSweepGC
+8-13:-XX:CMSInitiatingOccupancyFraction=75
+8-13:-XX:+UseCMSInitiatingOccupancyOnly
+
+## G1GC Configuration
+# NOTE: G1 GC is only supported on JDK version 10 or later
+# to use G1GC, uncomment the next two lines and update the version on the
+# following three lines to your version of the JDK
+# 10-13:-XX:-UseConcMarkSweepGC
+# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
+14-:-XX:+UseG1GC
+14-:-XX:G1ReservePercent=25
+14-:-XX:InitiatingHeapOccupancyPercent=30
+
+## JVM temporary directory
+-Djava.io.tmpdir=${ES_TMPDIR}
+
+## heap dumps
+
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# specify an alternative path for heap dumps; ensure the directory exists and
+# has sufficient space
+-XX:HeapDumpPath=data
+
+# specify an alternative path for JVM fatal error logs
+-XX:ErrorFile=logs/hs_err_pid%p.log
+
+## JDK 8 GC logging
+8:-XX:+PrintGCDetails
+8:-XX:+PrintGCDateStamps
+8:-XX:+PrintTenuringDistribution
+8:-XX:+PrintGCApplicationStoppedTime
+8:-Xloggc:${ES_TMPDIR}/gc.log
+8:-XX:+UseGCLogFileRotation
+8:-XX:NumberOfGCLogFiles=32
+8:-XX:GCLogFileSize=64m
+
+# JDK 9+ GC logging
+9-:-Xlog:gc*,gc+age=trace,safepoint:file=${ES_TMPDIR}/gc.log:utctime,pid,tags:filecount=32,filesize=64m

jails/config/elk/kibana.yml

@@ -25,7 +25,7 @@ server.host: "::"
 server.name: "kibana.diyit.org"
 
 # The URLs of the Elasticsearch instances to use for all your queries.
-elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
+elasticsearch.hosts: ["https://elk.diyit.org:9200"]
 
 # When this setting's value is true Kibana uses the hostname specified in the server.host
 # setting. When the value of this setting is false, Kibana uses the hostname of the host
@@ -53,7 +53,8 @@ server.ssl.certificate: /mnt/certs/diyfullchain.pem
 server.ssl.key: /mnt/certs/diyprivkeyr.pem
 
 # Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files validate that your Elasticsearch backend uses the same key files.
+# These files are used to verify the identity of Kibana to Elasticsearch and are required when
+# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
 #elasticsearch.ssl.certificate: /path/to/your/client.crt
 #elasticsearch.ssl.key: /path/to/your/client.key
 
@@ -110,4 +111,5 @@ elasticsearch.ssl.verificationMode: full
 #ops.interval: 5000
 
 # Specifies locale to be used for all localizable strings, dates and number formats.
+# Supported languages are the following: English - en , by default , Chinese - zh-CN .
 #i18n.locale: "en"

jails/config/elk/logstash.conf

@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -10,6 +10,7 @@ input {
   beats {
     port => 5044
     ssl => false
+    #https://discuss.elastic.co/t/problem-with-cipher-in-beat-input/67841
     ssl_key => '/mnt/certs/diyprivkeyr.pem'
     ssl_certificate => '/mnt/certs/diyfullchain.pem'
     ssl_certificate_authorities => ["/mnt/certs/cacert.pem"]
@@ -22,7 +23,7 @@ output {
     ssl => true
     ssl_certificate_verification => true
     cacert => '/mnt/certs/cacert.pem'
-    hosts => ["https://kibanax.diyit.org:9200"]
+    hosts => ["https://elk.diyit.org:9200"]
     index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
     user => "elastic"
     password => "${es_pwd}"

jails/config/elk/logstash.yml

@@ -16,7 +16,6 @@
 #
 # Use a descriptive name for the node:
 #
-# node.name: test
 node.name: logstash
 #
 # If omitted the node name will default to the machine's host name
@@ -26,7 +25,6 @@ node.name: logstash
 # Which directory should be used by logstash and its plugins
 # for any persistent needs. Defaults to LOGSTASH_HOME/data
 #
-# path.data:
 path.data: /var/db/logstash
 #
 # ------------ Pipeline Settings --------------
@@ -40,7 +38,7 @@ path.data: /var/db/logstash
 #
 # This defaults to the number of the host's CPU cores.
 #
-pipeline.workers: 8
+pipeline.workers: 4
 #
 # How many events to retrieve from inputs before sending to filters+workers
 #
@@ -207,7 +205,6 @@ path.config: /usr/local/etc/logstash/logstash.conf
 #   * trace
 #
 # log.level: info
-#log.level: debug
 # path.logs:
 #
 # ------------ Other Settings --------------
@@ -215,17 +212,24 @@ path.config: /usr/local/etc/logstash/logstash.conf
 # Where to find custom plugins
 # path.plugins: []
 #
+# Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
+# Default is false
+# pipeline.separate_logs: false
+#
 # ------------ X-Pack Settings (not applicable for OSS build)--------------
 #
 # X-Pack Monitoring
 # https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
-xpack.monitoring.enabled: true
+xpack.monitoring.enabled: false
 xpack.monitoring.elasticsearch.username: logstash_system
 xpack.monitoring.elasticsearch.password: a746MPWa1AVieOJlDtM2
-xpack.monitoring.elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
+xpack.monitoring.elasticsearch.hosts: ["https://elk.diyit.org:9200"]
 #xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
-xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.pem"
+# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
-#xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file
+#xpack.monitoring.elasticsearch.cloud_id: monitoring_cluster_id:xxxxxxxxxx
+#xpack.monitoring.elasticsearch.cloud_auth: logstash_system:password
+xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.crt"
+#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
 #xpack.monitoring.elasticsearch.ssl.truststore.password: password
 #xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
 #xpack.monitoring.elasticsearch.ssl.keystore.password: password
@@ -241,6 +245,9 @@ xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
 #xpack.management.elasticsearch.username: logstash_admin_user
 #xpack.management.elasticsearch.password: password
 #xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
+# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
+#xpack.management.elasticsearch.cloud_id: management_cluster_id:xxxxxxxxxx
+#xpack.management.elasticsearch.cloud_auth: logstash_admin_user:password
 #xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
 #xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
 #xpack.management.elasticsearch.ssl.truststore.password: password

jails/config/elk/rc.d/elasticsearch

@@ -0,0 +1,130 @@
+#!/bin/sh
+#
+# $FreeBSD: head/textproc/elasticsearch7/files/elasticsearch.in 538703 2020-06-13 22:41:04Z glewis $
+#
+# PROVIDE: elasticsearch
+# REQUIRE: NETWORKING SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following line to /etc/rc.conf to enable elasticsearch:
+#
+# elasticsearch_enable="YES"
+#
+# elasticsearch_user (username): Set to elasticsearch by default.
+#               Set it to required username.
+# elasticsearch_group (group):   Set to elasticsearch by default.
+#               Set it to required group.
+# elasticsearch_config (path):   Set to /usr/local/etc/elasticsearch/elasticsearch.yml by default.
+#               Set it to the config file location.
+# elasticsearch_java_home (path): Set to /usr/local/openjdk8 by default.
+#               Set it to the root of the JDK to use.
+#
+. /etc/rc.subr
+
+name=elasticsearch
+rcvar=elasticsearch_enable
+
+load_rc_config ${name}
+
+: ${elasticsearch_enable:=NO}
+: ${elasticsearch_user=elasticsearch}
+: ${elasticsearch_group=elasticsearch}
+: ${elasticsearch_config=/usr/local/etc/elasticsearch}
+: ${elasticsearch_login_class=root}
+: ${elasticsearch_java_home="/usr/local/openjdk11"}
+
+required_files="${elasticsearch_config}/elasticsearch.yml"
+_pidprefix=/var/run/elasticsearch/elasticsearch
+pidfile=${_pidprefix}.pid
+procname=${elasticsearch_java_home}/bin/java
+
+extra_commands="console status"
+console_cmd=elasticsearch_console
+start_precmd=elasticsearch_precmd
+command=/usr/local/lib/elasticsearch/bin/elasticsearch
+command_args="-d --pidfile=${pidfile}"
+
+export ES_PATH_CONF=${elasticsearch_config}
+export JAVA_HOME=${elasticsearch_java_home}
+
+elasticsearch_precmd()
+{
+    /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 ${pidfile%/*}
+    /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/db/elasticsearch
+    /usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/log/elasticsearch
+}
+
+elasticsearch_console()
+{
+    command_args=""
+    run_rc_command "start"
+}
+
+if [ -n "$2" ]; then
+    profile="$2"
+    if [ "x${elasticsearch_profiles}" != "x" ]; then
+        eval elasticsearch_config="\${elasticsearch_${profile}_config:-}"
+        if [ "x${elasticsearch_config}" = "x" ]; then
+            echo "You must define a configuration  (elasticsearch_${profile}_config)"
+            exit 1
+        fi
+	export ES_PATH_CONF=${elasticsearch_config}
+        required_files="${elasticsearch_config}/elasticsearch.yml"
+        required_files="${elasticsearch_config}/jvm.options"
+        eval elasticsearch_enable="\${elasticsearch_${profile}_enable:-${elasticsearch_enable}}"
+        pidfile="${_pidprefix}.${profile}.pid"
+	command_args="-d --pidfile=${pidfile}"
+	echo "===> elasticsearch profile: ${profile}"
+    else
+        echo "$0: extra argument ignored"
+    fi
+else
+    if [ "x${elasticsearch_profiles}" != "x" -a "x$1" != "x" ]; then
+        for profile in ${elasticsearch_profiles}; do
+            eval _enable="\${elasticsearch_${profile}_enable}"
+            case "x${_enable:-${elasticsearch_enable}}" in
+            x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
+                continue
+                ;;
+            x[Yy][Ee][Ss])
+                ;;
+            *)
+                if test -z "$_enable"; then
+                    _var=elasticsearch_enable
+                else
+                    _var=elasticsearch_"${profile}"_enable
+                fi
+                echo "Bad value" \
+                    "'${_enable:-${elasticsearch_enable}}'" \
+                    "for ${_var}. " \
+                    "Profile ${profile} skipped."
+                continue
+                ;;
+            esac
+            /usr/local/etc/rc.d/elasticsearch $1 ${profile}
+            retcode="$?"
+            if [ "0${retcode}" -ne 0 ]; then
+                failed="${profile} (${retcode}) ${failed:-}"
+            else
+                success="${profile} ${success:-}"
+            fi
+        done
+        exit 0
+    fi
+fi
+
+if [ "x${elasticsearch_mem_min}" != "x" ]; then
+    echo "The elasticsearch_mem_min variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
+    exit 1;
+fi
+if [ "x${elasticsearch_mem_max}" != "x" ]; then
+    echo "The elasticsearch_mem_max variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
+    exit 1;
+fi
+if [ "x${elasticsearch_props}" != "x" ]; then
+    echo "The elasticsearch_props variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
+    exit 1;
+fi
+
+run_rc_command "$1"

jails/config/elk/rc.d/logstash

@@ -0,0 +1,121 @@
+#!/bin/sh
+
+# Configuration settings for logstash in /etc/rc.conf:
+#
+# PROVIDE: logstash
+# REQUIRE: DAEMON
+# BEFORE:  LOGIN
+# KEYWORD: shutdown
+#
+# logstash_enable (bool):
+#   Default value: "NO"
+#   Flag that determines whether Logstash is enabled.
+#
+# logstash_home (string):
+#   Default value: "/usr/local/logstash"
+#   Logstash installation directory.
+#
+# logstash_config (string):
+#   Default value: /usr/local/etc/${name}
+#   Logstash configuration path.
+#
+# logstash_log (bool):
+#   Set to "NO" by default.
+#   Set it to "YES" to enable logstash logging to file
+#   Default output to /var/log/logstash.log
+#
+# logstash_log_file (string):
+#   Default value: "${logdir}/${name}.log"
+#   Log file path.
+#
+# logstash_java_home (string):
+#   Default value: "/usr/local/openjdk8"
+#   Root directory of the desired Java SDK.
+#   The JAVA_HOME environment variable is set with the contents of this
+#   variable.
+#
+# logstash_java_opts (string):
+#   Default value: ""
+#   Options to pass to the Java Virtual Machine.
+#   The JAVA_OPTS environment variable is set with the contents of this
+#   variable.
+#
+# logstash_opts (string):
+#   Default value: ""
+#   Additional command line flags for logstash, eg. "-r"
+#
+
+. /etc/rc.subr
+
+name=logstash
+rcvar=logstash_enable
+
+load_rc_config ${name}
+
+logdir="/var/log"
+
+: ${logstash_enable="NO"}
+: ${logstash_user="logstash"}
+: ${logstash_group="logstash"}
+: ${logstash_home="/usr/local/logstash"}
+: ${logstash_config="/usr/local/etc/logstash"}
+: ${logstash_log="YES"}
+: ${logstash_log_dir="${logdir}/${name}"}
+: ${logstash_java_home="/usr/local/openjdk11"}
+: ${logstash_java_opts=""}
+: ${logstash_opts=""}
+
+pidfile=/var/run/${name}/${name}.pid
+
+extra_commands="configtest reload"
+start_precmd="logstash_precmd"
+configtest_cmd=configtest
+
+logstash_cmd="${logstash_home}/bin/logstash"
+procname="${logstash_java_home}/bin/java"
+
+logstash_chdir=${logstash_home}
+logstash_log_options=""
+
+if checkyesno logstash_log; then
+  logstash_log_options=" -l ${logstash_log_dir}" 
+fi
+
+logstash_args="--path.settings ${logstash_config} ${logstash_log_options} ${logstash_opts}"
+
+JAVA_OPTS="${logstash_java_opts}"
+JAVA_HOME="${logstash_java_home}"
+export JAVA_OPTS
+export JAVA_HOME
+
+command="/usr/sbin/daemon"
+command_args="-f -p ${pidfile} ${logstash_cmd} ${logstash_args}"
+required_files="${logstash_home} ${logstash_java_home} ${logstash_cmd} ${logstash_config}"
+
+# Include /usr/local/bin in path because Logstash startup scripts
+# assume bash is in path.
+PATH=/usr/local/bin:$PATH
+
+logstash_precmd()
+{
+    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${pidfile%/*}
+    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${logstash_log_dir}
+    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/db/logstash
+    /usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/run/logstash
+
+    if [ -d ${logstash_home}/data/queue ]; then
+        chown ${logstash_user}:${logstash_group} ${logstash_home}/data/queue
+    fi
+}
+
+configtest()
+{
+    echo "${name} configtest:"
+    echo "WARNING: this does not check validity of Grok patterns!"
+    echo "WARNING: this does not check validity of Grok patterns!"
+    echo "WARNING: this does not check validity of Grok patterns!"
+    ${logstash_cmd} --path.settings ${logstash_config} --config.test_and_exit
+}
+
+
+run_rc_command "$1"

jails/config/elk/start_logstash.sh

@@ -0,0 +1,7 @@
+ps axww | grep logstash
+echo press any key to continue - ctrl-c to abort
+read X
+mount proc
+service logstash start
+#/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
+ps axww | grep logstash

jails/config/elk/updateCerts.sh

@@ -0,0 +1,3 @@
+cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs
+cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs
+service elasticsearch restart

jails/config/git/gitea/options/license

@@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

jails/config/git/gitea/public/diyit-org-license.txt

@@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 
-Copyright (c) 2018-2020, diyIT.org
+Copyright (c) 2018-2021, diyIT.org
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

jails/config/hass/.tmux.conf

@@ -0,0 +1,12 @@
+unbind C-b
+set -g prefix C-a
+bind C-a send-prefix
+
+setw -g mouse on
+
+# Set the default terminal mode to 256color mode
+set -g default-terminal "xterm-256color"
+
+# enable activity alerts
+setw -g monitor-activity on
+set -g visual-activity on

jails/config/hass/hass.sh

@@ -0,0 +1,15 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./hass.sh under tmux
+
+cd /data/homeassistant/
+source bin/activate
+hass

jails/config/hass/heyu.sh

@@ -0,0 +1,15 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./hass.sh under tmux
+
+heyu start
+heyu info
+heyu monitor

jails/config/hass/setup_jail.sh

@@ -0,0 +1,4 @@
+# requrired to run other configured scripts
+/bin/sh /etc/rc
+# launch tmux with jails
+/mnt/config/startsessions.sh

jails/config/hass/startsessions.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+session="sess_tmux"
+
+# set up tmux
+tmux start-server
+
+# create a new tmux session, naming the window freepbx
+tmux new-session -d -s $session -n hass
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./hass.sh" C-m
+
+# create a new window windows
+tmux new-window -t $session:1 -n heyu
+tmux selectp -t 1
+tmux send-keys "cd /mnt/config;./heyu.sh" C-m
+
+# return to main window
+tmux select-window -t $session:0
+tmux selectp -t 1
+
+# Finished setup, attach to the tmux session!
+#tmux attach-session -t $session

jails/config/hass/x10.conf

@@ -0,0 +1,264 @@
+# Example Heyu configuration file.  Copy this to file 'x10config' in
+# directory $HOME/.heyu/ and modify as required. This example uses
+# features which are new to heyu version 2
+# and which will not be recognized by heyu version 1.xx.
+
+# Note: This example file describes only a few of the most commom
+# configuration directives.  For the complete list see man page
+# x10config(5).
+
+# Anything on a line between a '#' character and the end of the line is
+# treated as a comment and ignored by Heyu, as are blank lines.
+# The various configuration directives in this file can be in any order
+# except that ALIAS directives must appear before any other directive
+# which references the alias label in place of a housecode|unit address.
+# See 'man x10config' for additional information and directives.
+
+# Serial port to which the CM11a is connected. Default is /dev/ttyS0.
+
+tty /dev/ttyU1
+check_ri_line NO
+
+# If you have an X10 compatible RF receiver connected to a second
+# serial port, use the TTY_AUX directive to specify the serial port
+# and model of receiver.  Supported receivers are W800RF32, MR26A,
+# and RFXCOM.  There are no defaults.
+
+tty_aux /dev/ttyU0 MR26A
+
+# The CM19A is both a receiver and transmitter for X10 RF signals.
+# The MR26A is a receiver only.
+# The CM19A is USB and the MR26A is serial port
+
+# Base housecode.  The default is A.
+
+#housecode A
+
+# Aliases:
+# Format:  ALIAS  Label  Housecode|Unitcode_string  [Module_Type]
+
+# The label is limited to 32 characters in length and is case-sensitive,
+# e.g., Front_Porch and front_porch are treated as different labels.
+# Each alias may reference a single unitcode or a multiple unitcode
+# string (no embedded blanks), but is limited to one housecode.
+
+# The optional Module_Type is the general type or specific model number
+# of a module currently supported by Heyu. (Knowing the characteristics
+# of a module allows Heyu to track changes in its On/Off/Dim state
+# as X10 signals are sent or received.)  The most commonly used modules
+# are the standard X10 lamp module (StdLM) and standard X10 appliance
+# module (StdAM).  Other modules currently supported by Heyu are listed
+# in x10config(5).  A standard X10 lamp module (StdLM) is the
+# default (changeable with the DEFAULT_MODULE directive)
+# for housecode|units which are not defined in an alias directive.
+# A module_type should normally not be defined for mutiple-unit
+# aliases, just for the single-unit aliases.  (The module characteristics
+# are associated with the housecode|unit, however referenced.)
+
+# Some examples:
+
+
+
+
+# Note: Prior versions of Heyu used a different format for
+# aliases - no ALIAS directive and the Housecode and Unitcode_string
+# were separated by a space, e.g., simply:
+#  front_porch  A  1
+# Heyu will continue to accept this older format for compatibility,
+# but its use is discouraged as modules cannot be specified.
+
+# Scenes and Usersyns (User-defined synonyms):
+# Format:  SCENE   Label Command1 <args> [; Command2 <args> [; ...
+# Format:  USERSYN Label Command1 <args> [; Command2 <args> [; ...
+# The label is limited to 32 characters and is case-sensitive.
+# Scenes and Usersyns are both semicolon-separated lists of
+# commands with their arguments which can be executed or used
+# in macros as if their labels were ordinary Heyu commands.
+# See 'man x10config' for the features and limitations of Scenes
+# and Usersyns.
+# (In the current version of heyu, the ONLY distinction between
+# scenes and usersyns is the 'show' menus in which they appear.)
+# Some examples:
+
+SCENE blinker on D5; off D5; on D5; off D5
+#USERSYN normal_lights on front_porch; on back_porch
+#SCENE tv_on on tv_set; dimb living_room 10
+
+# parameters, e.g., $1, $2, which are replaced by actual
+# parameters supplied when the scene/usersyn is run.
+
+#USERSYN night_lights dimb front_porch $1; dimb back_porch $1
+
+# Define the (writeable) directory where the Heyu state engine daemon
+# (started with 'heyu engine') is to write its log file 'heyu.log.<tty>'.
+# The default is 'NONE', indicating no log file is to be written.
+
+log_dir /usr/local/etc/heyu/log
+
+# The entries in the log file are similar to those which appear in
+# the heyu monitor, but in addition will include an entry when
+# a script is launched, and unless redirected elsewhere, any
+# text output from that script.
+
+# Note that the log file will continue to grow.  Manually delete
+# or trim it from time to time, or configure a Unix utility like
+# 'logrotate' to manage this task automatically.
+
+# If the Heyu state engine is running, Heyu can launch scripts
+# (or any Unix commands) when it sees specified X10 signals.
+# The format is:
+
+#SCRIPT [ -l label ] <launch conditions> :: [options] <command line>
+
+# where label is an optional label, <launch conditions> tell
+# Heyu under what conditions to launch the script, and
+# <command line> is the script command to be executed.
+# The '::' (two colons) separator is mandatory since the launch
+# conditions can be quite complex.
+# See x10scripts(5) for details, but here's a simple example
+# (with no label):
+
+#SCRIPT doorbell on :: play $HOME/sounds/barking_dog.wav
+
+# Users have the option of running either 'heyuhelper' in a manner
+# similar to heyu 1.35 or general scripts as above with the
+# following directive.  The default is SCRIPTS, to run general scripts.
+
+#script_mode SCRIPTS
+
+# (With the choice 'HEYUHELPER', a script named 'heyuhelper' on
+# the user's path is run every time any X10 signal is received
+# by heyu over the power line, assuming the heyu state engine
+# daemon is running.)
+
+###  The following directives apply when a schedule is ###
+###  is uploaded to the CM11A interface.               ###
+
+# The file name of the user's X10 schedule file in the Heyu base
+# directory. The default is 'x10.sched'.  If you regularly use
+# more than one, list them here and just comment/uncomment as
+# appropriate, e.g.,
+
+#schedule_file x10.sched
+#schedule_file normal.sched
+#schedule_file vacation.sched
+
+# The MODE directive - Heyu's two modes of operation:
+# In the default COMPATIBLE mode, the schedule uploaded to the
+# interface is configured to begin on Jan 1st of the current
+# year and # is valid for 366 days - through Dec 31st of the
+# current # year or Jan 1st of the following year, depending
+# whether # the current year is a leap or common year.
+# COMPATIBLE mode is the default.
+
+# In HEYU mode the schedule uploaded to the interface is
+# configured to begin on today's date and is valid for
+# the number days of provided by the PROGRAM_DAYS directive.
+# WARNING: The mere execution of X10's ActiveHome(tm) program
+# under MS-Windows, or having its resident driver running, when
+# the interface has been programmed by Heyu in HEYU mode can
+# cause problems.  See 'man x10config' for details.
+
+#mode COMPATIBLE
+
+# Number of days for which the interface is to be programmed
+# when running in HEYU mode.  It is ignored in COMPATIBLE mode.
+# (A shorter period can yield more accurate values for dawn
+# and dusk.)  The default is 366 days.
+
+#program_days 366
+
+# Should Heyu combine events having the same date range, time, etc.,
+# by concatenating the macros for similar events?   The default is YES.
+
+#combine_events YES
+
+# Should Heyu compress uploaded macros by combining unit codes for the same
+#housecode and command and eliminating duplicates? E.g.,
+#  (on A1; on B2; on A3, on B2) ==> (on A1,3; on B2)
+# The default is NO
+
+#compress_macros NO
+
+# The user's Longitude and Latitude, needed for dawn/dusk calculations.
+# There are no defaults.  Don't use these examples - put in values
+# for your own location.
+
+longitude W121:46
+latitude N37:16
+
+# For dawn/dusk related times, Heyu breaks up the schedule date intervals
+# into subintervals, each with a constant value of dawn or dusk time.
+# These directives instruct Heyu what value of dawn/dusk time to use.
+# The default value is FIRST, i.e., that on the first day of the subinterval,
+# which is most convenient for comparing Heyu's computations with actual.
+
+#dawn_option FIRST
+#dusk_option FIRST
+
+# The following times allow bounds to be placed on the times of Dawn
+# and Dusk computed by Heyu. For example, setting the value for
+#min_dawn to 06:30 will ensure that an event scheduled to be
+# executed at Dawn will occur at 06:30 during summer hours whenever
+# the actual computed value of Dawn is earlier than that time.
+# The value for these directives are specified as hh:mm Legal
+# (i.e., wall-clock) time, or the directives may be disabled with
+# the word OFF, which is the default.
+
+# Timer options DAWNLT, DAWNGT, DUSKLT, DUSKGT used in the Heyu
+# schedule file will usually eliminate the need for these directives.
+# See man page x10sched(5) for details.
+
+#min_dawn OFF
+#max_dawn OFF
+#min_dusk OFF
+#max_dusk OFF
+
+# Directory to write reports and files other than the critical files
+# The default is to write them in the Heyu base directory.
+
+#report_path ./
+
+# Replace events having delayed macros with new events and new
+# undelayed macros when possible. (The purpose is to avoid pending
+# delayed macros, which are purged when a new schedule is uploaded.)
+# The default is YES.
+
+#repl_delayed_macros YES
+
+# For test purposes, Heyu can write some additional files when
+# the command 'heyu upload check' is executed.  This directive
+# instructs Heyu to write these files.  The default is NO.
+
+#write_check_files NO
+
+START_ENGINE AUTO
+
+alias Kitchen D1 StdLM
+alias Family_Room D2 StdLM
+alias Hallway D3 StdLM
+alias Kitchen_Table D4 StdLM
+alias Stairway D5 StdLM
+alias Study D6 StdLM
+alias Dining D7 StdLM
+alias Bonus_Room D8 StdLM
+alias Living_Room_L0 D9 StdLM
+alias Front_Door D10 StdLM
+alias Living_Room_L1 D11 StdLM
+alias Living_Room_L2 D12 StdLM
+alias Piano_Room_L1 D13 StdLM
+alias Piano_Room_L2 D14 StdLM
+alias Family_Room_L0 D15 StdLM
+alias Chime G1 StdAM
+alias Main_Garage G2 StdAM
+alias Side_Garage G3 StdAM
+alias Front_Yard G13 StdLM
+alias Back_Yard G14 StdLM
+alias Plants_front_house I1 RAIN8II
+alias Plants_front_road I2 RAIN8II
+alias Lawn_front_road I3 RAIN8II
+alias Lawn_front_garage I4 RAIN8II
+alias Lawn_back_pool I5 RAIN8II
+alias Lawn_back_house I6 RAIN8II
+alias Plants_back_garage I7 RAIN8II
+alias Plants_back_road I8 RAIN8II

jails/config/hub/ipfw.rules

@@ -0,0 +1,23 @@
+#!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+pif="epair0b"     # interface name of NIC attached to Internet
+
+$cmd 00100 allow ip from any to any via lo0
+$cmd 00200 deny ip from any to 127.0.0.0/8
+$cmd 00300 deny ip from 127.0.0.0/8 to any
+$cmd 00400 deny ip from any to ::1
+$cmd 00500 deny ip from ::1 to any
+$cmd 00600 allow ipv6-icmp from :: to ff02::/16
+$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
+$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
+$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
+$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
+$cmd 05000 reset ip from table(22) to me
+$cmd 65000 allow ip from any to any
+$cmd 65535 deny ip from any to any
+
+# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

jails/config/hub/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/hub/sshguard.conf

@@ -0,0 +1,54 @@
+#!/bin/sh
+# sshguard.conf -- SSHGuard configuration
+
+# Options that are uncommented in this example are set to their default
+# values. Options without defaults are commented out.
+
+#### REQUIRED CONFIGURATION ####
+# Full path to backend executable (required, no default)
+#BACKEND="/usr/local/libexec/sshg-fw-hosts"
+BACKEND="/usr/local/libexec/sshg-fw-ipfw"
+#BACKEND="/usr/local/libexec/sshg-fw-pf"
+
+# Space-separated list of log files to monitor. (optional, no default)
+#FILES="/var/log/auth.log /var/log/maillog"
+FILES="/var/log/auth.log"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
+# Example 2: ssh from os_log (macOS 10.12+)
+#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
+
+#### OPTIONS ####
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD=30
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME=120
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME=1800
+
+# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
+IPV6_SUBNET=128
+
+# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
+IPV4_SUBNET=32
+
+#### EXTRAS ####
+# !! Warning: These features may not work correctly with sandboxing. !!
+
+# Full path to PID file (optional, no default)
+#PID_FILE=/var/run/sshguard.pid
+
+# Colon-separated blacklist threshold and full path to blacklist file.
+# (optional, no default)
+#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist

jails/config/hub/vncmods/passwd

@@ -0,0 +1 @@
+Í•it†Í­®

jails/config/hub/vncmods/vncserver

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# the two lines below are not just comments but required by rcorder; service -e
+# PROVIDE: vncserver
+# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
+
+. /etc/rc.subr
+
+: ${vncserver_enable="NO"}
+: ${vncserver_user="p"}
+: ${vncserver_geometry="1600x900"}
+: ${vncserver_display="1"}
+: ${vncserver_securitytypes="vncauth"}
+# : ${vncserver_securitytypes="vencrypt,vncauth,tlsvnc"}
+# encryption incompatible with clients - vncconnect-realvnc and guacd
+ 
+name=vncserver
+rcvar=vncserver_enable
+ 
+VNCSERVER="/usr/local/bin/vncserver"
+ 
+start_cmd="vncserver_start"
+stop_cmd="vncserver_stop"
+restart_cmd="vncserver_restart"
+ 
+vncserver_start()
+{
+        CMD="$VNCSERVER -geometry ${vncserver_geometry} -name $(hostname -s) -securitytypes ${vncserver_securitytypes} :${vncserver_display}"
+        su -l ${vncserver_user} -c "${CMD}"
+}
+ 
+vncserver_stop()
+{
+        CMD="$VNCSERVER -kill :${vncserver_display}"
+        su -l ${vncserver_user} -c "${CMD}"
+}
+vncserver_restart()
+{
+	vncserver_stop
+	vncserver_start
+}
+
+load_rc_config ${name}
+run_rc_command "$1"

jails/config/ibm/ibm.sh

@@ -1,6 +1,6 @@
 #!/usr/local/bin/bash
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -10,9 +10,9 @@
 
 # ./ibm.sh under tmux
 
-ifconfig tun186 create
+ifconfig tun95 create
-ifconfig tun186 inet 172.16.0.186 172.16.0.100
+ifconfig tun95 inet 172.16.0.95 172.16.0.100
-chmod 666 /dev/tun186
+chmod 666 /dev/tun95
 
 cd /data/Z110/CONF
 # hercules

jails/config/ibm/startemu.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/jump/enable-routing.sh

@@ -0,0 +1,7 @@
+sysctl net.inet.ip.forwarding=1
+route add 10.1.2.0/24 192.168.55.105
+# on remote -
+#sudo sysctl net.ipv4.ip_forward=1
+#ip route add 192.168.0.0/24 via 192.168.55.1
+#OR
+#ip route add 192.168.0.0/24 dev tun0

jails/config/jump/guacamole-client/add-ldap.sh

@@ -0,0 +1 @@
+ldapadd -H ldaps://ldap.ahlawat.com -f $1 -D cn=admin,dc=infra -W

jails/config/jump/guacamole-client/guacamole.properties

@@ -0,0 +1,16 @@
+###
+### guacamole.properties.sample
+###
+
+
+### The Host the Guacamole proxy daemon (guacd) is listening on.
+#
+guacd-host: localhost
+guacd-port: 4822
+guacd-ssl: false
+ldap-hostname: ldap.ahlawat.com
+ldap-port: 636
+ldap-encryption-method: ssl
+ldap-user-base-dn: ou=people,dc=infra
+ldap-username-attribute: cn
+ldap-config-base-dn: ou=hosts,dc=infra

jails/config/jump/guacamole-client/logback.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Guacamole logs all messages to console by default. Servlet containers
+  like Tomcat will automattically redirect these messages to a log file,
+  catalina.out in the case of Tomcat. Valid levels= error, warn, info,  
+   debug -->
+<configuration>
+
+    <!-- Appender for debugging -->
+    <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+        </encoder>
+    </appender>
+
+    <!-- Log at DEBUG level -->
+    <root level="info">
+        <appender-ref ref="GUAC-DEBUG"/>
+    </root>
+
+</configuration>

jails/config/jump/guacamole-client/rdp-windows.ldif

@@ -0,0 +1,14 @@
+dn: cn=rdp-windows,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: Windows rdp
+guacConfigProtocol: rdp
+guacConfigParameter: hostname=192.168.0.81
+guacConfigParameter: port=3389
+guacConfigParameter: username=v
+guacConfigParameter: password=v
+guacConfigParameter: security=nla
+guacConfigParameter: ignore-cert=true
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra

jails/config/jump/guacamole-client/ssh-nas.ldif

@@ -0,0 +1,10 @@
+dn: cn=ssh-nas,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: NAS ssh
+guacConfigProtocol: ssh
+guacConfigParameter: hostname=192.168.0.10
+guacConfigParameter: port=22
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra

jails/config/jump/guacamole-client/user-mapping.xml

@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Guacamole's default authentication module is a simple xml file.
+  Each user is specified with a corresponding <authorized> tag. This
+  tag contains all authorized connections for that user each denoted
+  with a <connections> tag. Each <connection> tag contains a
+  protocol and set of protocol-specific parameters, specified with
+  the <protocol> and <param> tags respectively. For more information
+  visit http://guac-dev.org/doc/gug/configuring-guacamole.html -->
+
+
+<user-mapping>
+	
+    <!-- Per-user authentication and config information md5 -s "Npasswd" -->
+    <authorize username="admin" password="4ee438b74bd65c9f8402e7e48fa64fb7" encoding="md5">
+	<connection name="vnc-hub">
+		<protocol>vnc</protocol>
+		<param name="hostname">192.168.0.50</param>
+		<param name="port">5901</param>
+		<param name="password">vncpass</param>
+		<param name="color-depth">24</param>
+	</connection>
+	<connection name="rdp-windows">
+		<protocol>rdp</protocol>
+		<param name="hostname">192.168.0.81</param>
+		<param name="port">3389</param>
+		<param name="security">nla</param>
+		<param name="ignore-cert">true</param>
+		<param name="username">v</param>
+		<param name="password">v</param>
+	</connection>
+	<connection name="ssh-nas">
+        	<protocol>ssh</protocol>
+        	<param name="hostname">192.168.0.10</param>
+        	<param name="port">22</param>
+		<param name="font-name">monospace</param>
+	</connection>
+	<connection name="vnc-rpi3">
+		<protocol>vnc</protocol>
+		<param name="hostname">192.168.200.192</param>
+		<param name="port">5901</param>
+		<param name="password">vncpass</param>
+		<param name="color-depth">24</param>
+	</connection>
+	<connection name="ssh-rpi3">
+        	<protocol>ssh</protocol>
+        	<param name="hostname">192.168.200.192</param>
+        	<param name="port">22</param>
+		<param name="font-name">monospace</param>
+	</connection>
+	<connection name="ssh-dev">
+        	<protocol>ssh</protocol>
+        	<param name="hostname">192.168.55.105</param>
+        	<param name="port">22</param>
+		<param name="font-name">monospace</param>
+	</connection>
+    </authorize>
+
+    <authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
+	<connection name="vnc">
+		<protocol>vnc</protocol>
+		<param name="hostname">192.168.200.212</param>
+		<param name="port">5901</param>
+		<param name="password">vncpass</param>
+		<param name="color-depth">24</param>
+	</connection>
+	<connection name="ssh">
+        	<protocol>ssh</protocol>
+        	<param name="hostname">192.168.200.212</param>
+        	<param name="port">22</param>
+		<param name="font-name">monospace</param>
+	</connection>
+    </authorize>
+
+</user-mapping>

jails/config/jump/guacamole-client/vnc-hub.ldif

@@ -0,0 +1,12 @@
+dn: cn=vnc-hub,ou=hosts,dc=infra
+objectClass: guacConfigGroup
+objectClass: groupOfNames
+cn: HUB vnc
+guacConfigProtocol: vnc
+guacConfigParameter: hostname=192.168.0.50
+guacConfigParameter: port=5901
+guacConfigParameter: password=vncpass
+guacConfigParameter: color-depth=24
+member: cn=sharad,ou=people,dc=infra
+member: cn=diyit,ou=people,dc=infra
+# seeAlso: cn=ahlawat.com,ou=groups,dc=infra

jails/config/jump/guacamole-server/guacd.conf

@@ -0,0 +1,17 @@
+#
+# guacd.conf example
+#
+
+[daemon]
+# Possible log_level variables are:
+# trace, debug, info, warning, and error
+# Default is info
+log_level = info
+
+[server]
+bind_host = localhost
+bind_port = 4822
+
+[ssl]
+#server_certificate = /mnt/certs/fullchain.pem
+#server_key = /mnt/certs/privkeyr.pem

jails/config/jump/schema/guacConfigGroup.ldif

@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+dn: cn=guacConfigGroup,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: guacConfigGroup
+olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
+ .115.121.1.15 )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.15 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
+ uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )

jails/config/jump/schema/guacConfigGroup.schema

@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
+    DESC 'Guacamole configuration group'
+    SUP groupOfNames
+    MUST guacConfigProtocol
+    MAY guacConfigParameter )
+

jails/config/jump/setup_jail.sh

@@ -0,0 +1,2 @@
+# requrired to run other configured scripts
+/bin/sh /etc/rc

jails/config/ldap/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/ldap/schema-addons/guacConfigGroup.ldif

@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+dn: cn=guacConfigGroup,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: guacConfigGroup
+olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
+ .115.121.1.15 )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.15 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
+ uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )

jails/config/ldap/schema-addons/guacConfigGroup.schema

@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
+    DESC 'Guacamole configuration group'
+    SUP groupOfNames
+    MUST guacConfigProtocol
+    MAY guacConfigParameter )
+

jails/config/mail/.secret/dkim/ahlawat.com.dkim.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDECIuIzM+f5+s
-PdoTBSLGpARZkcKWboSUfLdiFsBEXkV5KLy12S6T2ja0oH5C6GfhkqpdzAsCPHKs
-SdIyJAmHj7FXnbOnP93N64E3n/wONj5cq9QAz2acKxS167DXpnSE7K+egcqI7ePL
-BBecLnKUUnSQ4JMAeUBatjnl5SsKF7pwDM1DsOYvWFpDH0BfjIlZq1JJIUnfE7pK
-b3ppdBSF0bum+/Y6TZVJdNg4fYj5k68vLeBp8PkJj60pO4B7oexLpXcz/pqkGi9a
-K5P86RzZliKMqGVAs3TmxWMskoX2Hpm1VXIg/Pht75FuaPqwkAW8FVb3Y7yvfmgU
-O7FaP423AgMBAAECggEAP7BG2LWZh7B32+8eAtPMdPsciHo1BJT1KN5HqfkvsaLu
-IA8S/nT45kF7VyKH1yS2tkoC4jk65vIBpws7XC+0BNT/3FGbVOJfc1qPiC/uRl2j
-ovJfeBw/roHKc1OPG/o3VSdKeAB8tpSlqaWeZ9oqgw8hDCSnGqJ8RqH06YEXumVO
-/59N5/kweoN1902nrsnhhY72cx/YY7TFZt+sbCs1D8rimHFX5UQUWGQgwqKeCvG2
-VmBtU+oXCBKdaR+IcJd9Oy/qkmEQZ6dDL7n/HUwOcRzuBuZoeXN9sc9z81mYEI2Q
-bYpowPOyqFArB08HjQpFndQFSyNwiVVSzaOHRUNBwQKBgQDkECi9WkyqGgVvSM6f
-fC9OTKKk5kI12j4I3aQKZSnW/eNTpaHykRhvUsr36zp58vRN4G9YDJyblgOhgr1U
-7SBwqZRLETwG0ktKDipgibWjBm+K5LfK+wWRwn/qzq494Qg2GQ/DniXqCZ6SI1s1
-wMBHS9s/VYPGaYvYrS1TD90JpwKBgQDa9R90rcyNlXTLHwYzxgjJczLKHz+0ANlR
-GORg31/VBxs94IYby+cZ/oGRjCB5syR/SaN5Z+N2w8GT0yFWN8UCJS0G4I6fGtCb
-wYWzhK2UtI4WyOH9jIdl8AYjFGRZMFJEkDPmac54jtNcqhfO/Eei9+yHq7llEnUP
-F4qKf8K9cQKBgQDEwDgVW4DGQxqrLhmrt3wsRasPLeKzCOv5xBTQLwRQiMoEkOFN
-HeYBrGCUT6gsKvCe+t+0C3VUOLA7N0pVqRkSeQoJVP3/OI9hfSUMEeHUminCnpz9
-DWB5pl2q2dGyaqAl46sY7SfyZ4gYtU3r6rU3DPdCBWlg1A+kx4pRnV7pAwKBgCOu
-fonNKOCJ0panX6NgSl5J36UAoqj62m9U1yLSRBO7LL1QsYomGGssBoFpjIFIqFH1
-9iX6wB7Cl/E3Ht+mBvzqggP05EkZXZWEW/19SaxKID2mTu260PXTv6xHznKaZU23
-Ej4iT/tlixw2u9qHUkVEkc8qNPQ7pcfn1jPrzhiBAoGBAN075cp3R9bzzfVzrFRh
-ZFWzSnWieSsOP635nj48HXKyne7gjvG1IG/HHSi3XPmRIdWTAfOYz29rWQEOaY7b
-wbNhvH7jvtq/A7/Uifh6l8cnN9TFAmN/wmKEUCloVxg1/GltXbR6UwzbJWAs40ya
-VtAxvncs1bqtPBAgfE5wwdCd
------END PRIVATE KEY-----

jails/config/mail/.secret/dkim/beyondbell.com.dkim.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYdTOGw8TvQtkr
-Z139xpQC1iXu/X+2ei7ascX6C2G8WM7NS3XphgMd0LgzEm9POoJyYP7KVjQdPK5m
-mRoZOCATmFhNPGSer96qjASHgm10GISKlUyGKRWv1mNHsLJaLwsd8ef13+qBsTvG
-pT0z2I/0OWwAuqQuZdMPuVskspF8jusycibpQ7WjqaOynPEUuRZHDLQToso02+Vd
-X3l3bU08Rz3vW7+hNjZYuzsfCTBzD91kxTGyetqg2CXyLM/dWbDFgY72zG682X0d
-CtoWoEAKdUJkPDxQeKJtqh84TsAOUvg/z3W6J7uJow9OcWsXWJcAJ/HG8gNPq4ho
-sVbc96SzAgMBAAECggEADXPTPPfjwF7uMkVdUQ1LW5XFi8HTcxrK2KqdvDmC3HrE
-d3vOGzJJ9UtodzwZENp5CvS+QQL0gDCqQhQXzCNx0uXv7vTm5/nUI9NJ4MYZWVLA
-wgAfXmMlRuVTDDyOCQ7NaRIEsYI2B9Nk/KZ+VD+MSshazvzKgVuwr1R8tp4mbpAx
-8f4xe51b5ZVqTLcnkoSR6lTmKMQruIZwQpvaGYZLjBRaBcACwYkbZksQZkx7xZdZ
-enpLcKoCc1xXg+gjlfF9HOD1e2GlYQTOgfDcQVJEIS+jjzMyiJA1BxqL8/LkafeD
-CKfx8mzd1LjyDDaAP8ruZb4Ns/6SazAPozxBSRnP2QKBgQD+uf+evckgN6+3/Bur
-egP6I4dUKw1joCo69p98388mWq+ywhIc2rquEfSoQCqjli4pG3iwBbDVxgjk08GV
-ayFaP3X3LvuqCZBktSjEJR6WUMB0kW77BigLCtbzyd2R9upp0A3CnXsmmLVL+o5n
-TD5w6cd67NPS/NGo2FyA6JQO5QKBgQDZijnfG4Yt6BdX3+WBFXNGkhdJziokmrfG
-no5p/tw+/kJfHFC017Z+EbLbcWMKL9cDzl9uMXGDy1xd8+OfolxZZEnrmt4btbmh
-wVzTPrhREwjqzwu/Y2jQwFBef+zJ+b8a1uZOFYVIWWeGCT7wirq54AslE8y0lNEF
-olBnP44TtwKBgQDyn4k50z16QXBOx4Q3fZ3CKQsigWtcZFc1GGlrEOaHesN1eeK0
-tyYu3Q1zIMM8U7SeFPuMda8sv1cDVitCPetjwaSED61IFZoCQoeU5GJQ/JODtG7I
-DOIhOm7pgHJaMJywsqoYn9WIOtYci4gOHhIvjI0jqeZNReARehwJ8P3tfQKBgEWD
-hAalNvVIat0rsJzVC+cLG+H7vT/BKOSRGhUI2bxPZ0oZNDj1jV0vrqWsz+cbbmvK
-8He32PwyaaukGaKTMUtnXq+o5zyXj1/+9/iQ3DkcCgdubeSUkZPTQFtSKYpJAiZD
-cYiWG+cImqocHj6jNhPbYfRRJWK3Ayv3uBWmG3J1AoGAGjKqKpd8+00IxElXpov9
-At2YzPZlzPQCU0+vcreGVTaO9wNdVKfc6uaeAO4D0DP9SOwEqRC9rv8FNb8DxgTB
-ryWMy8rY/CC3mhK6hnsWNRC0a1myKva2XwQ+jMKuCsznFE0N2xjizNdv2/HM2dcr
-ropb+P1w1KZyTiNbTTTC1eQ=
------END PRIVATE KEY-----

jails/config/mail/.secret/dkim/diyit.org.dkim.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDc2cV9/D/MWdUl
-DBfKzA3zNjFbzDJd4WP1fdRRIdell57kJwyKehYCw/HxWy4+AnWj6c2fhPXI2EQp
-K3I1QjNSxV4kq+Lr2SFJuDiZvDRLzihu24N6go34R9712mbZOWWl0KyihO6E2cH8
-h6cr2iahXmAjqVtm9/mBmdnrQ2Bv0fusdpS24x3NOPs4Q5gJTadJFGBkwXb88D/+
-mBDcEUFwDul4bVQWvqHk+8EJwApGLo7YVL2F0A25FAm43rWexjb+JeTsHRqN/TaV
-ALzQPr/DQIb2wyWsTnQMnd0t8qg9ErDAKgxMDeGDRFbHr5wNMTrewQkW7yd+H0T0
-Wa97aDXbAgMBAAECggEANUp/M0VZB7BtlED0xMS0YQmko2gEh07J1gUE5IbsCFMr
-zhX2GrwW75fkm77Ky7/AL0tNiL6GqG43FFAdgOh2hfSGIQcw/IQqWiWP0tjtLZWT
-gByL/1XdeBmvnVeUFbqZ4ocWASlefMQm4Q7Csfwz8iBZxoEpQxF3LWS4huJ9NL3d
-qiI1jX5otXN0ybA6jDpridvExRwWT6KrAykUrh5f7vRGUp0I7/GltvSHS4mu24C1
-08RUPE5NjynEX/amc1urMwH3ZdOZgCx819DfQXpQts9/TejSLlLL8s4lXTsZDoab
-DiJ1zZKZEpMIheEGAWSyLtqc1QxypauVAMeM6ZgasQKBgQD88Yf1E7X8zS4hYSyu
-WHiUgrin/0febsHWZAVBTwnzpDwfY0jNnq57tiALyaVzk3vCL3a9WckpXPbQk4Yk
-Oypu1eDyGT4Xf7hrXqFTlMtkupa3Os5/MlTXOFMMs5VISsxrbVjNlvSxITXASWwr
-IYVjmhgTx8Rg3ApM5X/Tqd8XxwKBgQDfhPZ2t+4fBwhzgydKnkPWMbJ6k17tWoZu
-8tzCzrxJd/cYUmi/44sOLrFCLwaS28I4sR7iBPCeiFnnbqlv+f6uw2Xmr5jc/BsT
-md6yl2gNmow//iGFwf8lAsA1VyoFbZoAvQUMVElaxvCngifsTNqRHap8KY6xv5r/
-C6MEoGd5TQKBgQDEoPXxnEsCpHXR2Pqk5X2G5T+qyRYTYcIpaUN0i37O+cMLG2FD
-BrHY1bF/uFd3yxSP1dnWRG/OSchMSAIlNCE+W+EsEldkaRLx1HRQxwB941a6RWq1
-EmlFjTFyVEAeHJdgg3ZfC5RYBdsFCY6e0MYisW06IzcTnLodIOMHpawZjQKBgQC+
-1RVbnINXyDhl7rbQFTlTmVCJKGMmgGBAP2dNhxXoH909zbYTBmFFdYXvPJj/L1Kt
-9kKos5D/uOgRGEDfEnBnovnQL2FyYmd3n6orjerPmoBdbkoOmeeNIMEbiVSeF8oh
-EUBLG3cZYro6OXx+WctNlCdnJE/o3+6kC7pdi9lsDQKBgEtkK4RpB1OKJm6sEiWe
-hoTI6yqflpkivWtV3F8/D37LbYT5wiAsRr6AkgetB7jsi0t//thJiAUUxhtb+u4M
-1zR7i9bIRv3lU8TgYpfS/Yq3T9feZoj682LKtBMPoSgm/p5+ogzIlAU3cpjAW+A8
-2CyzbDc7K58vuzaR8RHpnzYi
------END PRIVATE KEY-----

jails/config/mail/.secret/dkim/diyit.space.dkim.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJE2rtl2EGU7YD
-TWSlapLqMgn02m9Valldv6u3NP5CZTwI9/xrlEZYzjArInvLE4SFx5VlgC52K92A
-tZUqs7ckZgDmMOIr1vXGP3YgzGO9NK3hqyPHlu2Twuu96rP9+CTTlU8ovun14Ucu
-b0+W3pH646kMZBc0wAAj0xg+QI0PhFphQZyHkV9laOFwx/ErCu9SdUfcUY+zouSG
-DMxPAL8pT1JS5IOVGDM7rXbAwZ1+LrHTmOD1Mi6jtYtV7/Pqga6CBpcQFa/kMvza
-idjPkVyUg4YY/9i+P9dRQMK6dJgmRSaLLaOTaYHCT6PgpWQvKhYJZsNIB+LmfdHp
-gzE4s0tfAgMBAAECggEBALtNkzVu5bp3D/1TgoV0GRZ/NjcXos32GvjxKoummZJP
-qvTPzBqKLF1c9BG6NYadz7yuhcPe+2iow9S5URJOBjOpsPy8XHJp8teRFgDHY8FD
-6RVlzhaFyRjzYZWvo6rYE7XkR7C05ktcZmoi1gi7m1AR8c7RDazdjUPRx6t1hfEE
-ubocsnwZ5McU3tHVHj8pHBM9nKaarVd3BSTydStjGOmoS+E5BR1NLMDpx3Aw9S/V
-tn1iJxxF9+GONFfCBQ/IQ4+rBbOPsICwhhhrTpJwPilzBynGQevtEHdpq6ewS2bq
-ESsgQoax70cW1TymOPOzYQvPUzJy0S68OoSMAXVr8MECgYEA755LulHIALONfQWG
-XBUT7UMaePyLDkuNoGkIDqIdqZiJf8kxDs8yWznCGim/vlnmK2hVn1nqi+omtbaG
-AsCgU9q2JnP4r0Nr7yb/L4WAHp5WxR5ifS/aOHUple9oQwfPkzpxWEGFFvN0PW7p
-4lk4lRNvI4q5zMdugpbwn4vbzEMCgYEA1tKRDfPY/9GV/dYnt433bjtlNU9j7UCc
-8iP26Rg8zjC4tzlVoZDZjov5FMG2Ifb7cLNroONATg2ivKNyRm73Le9p2KVqtvTX
-zHs1sKVJofWQ4+GzJd8MkUEXu397oTUudGV+z82Hd0iKkQBT7EYBybHl6kY4XbR1
-BS36gdW2oLUCgYBvt1LBNH3V7eCqiFfjOKSIuv9tpvjCGnGWd0GdaPIBby+0Fz47
-FFj69UvM3OgbvFg2prc8yzQyNWIE2GtUfzCAx/iipvEr7Xg2EO1q34gjPllgH9F1
-YkkQh3dzAyKOFecuUlIj/rApSipIthxvPn/F6UCoxnXnxpd8ZRkcmZ1JdwKBgQCZ
-bltb88YRMMhIPCSx3RvUB2gJ42Ijmfp+l2FKqp0DR5kmhDS86I/6V87XHGPRbm23
-2O4OQ0Eyflq1EKgV1juE+3JF4h+N/OIEkhuOxv8IRjPuDs29RsnbFPq2WB8czLcZ
-O0SPduRCNfWCCxHltzqfrAfig7TOeIz73hMFmHaP4QKBgQCN1XzjGMrL0ZlFQTM1
-ljaqWEaQ+JSzZtiVDdPcuKytyvz59OdJnag9O0TBaOY6XGG1Dbl8FJEG9KZCwYRv
-a+CKb6qHyowgu17GlWQBn2i3Ep5GOQhkR4ghvDXZPwOJfW5VbfWo4N/r3Q81kaRO
-Iovk5uipUk5dtW69hOYmq4OBxA==
------END PRIVATE KEY-----

jails/config/mail/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/mail/postfix/main.cf

@@ -683,7 +683,7 @@ readme_directory = /usr/local/share/doc/postfix
 inet_protocols = ipv4, ipv6
 
 # sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
-smtp_address_preference = ipv4
+#smtp_address_preference = ipv4
 
 meta_directory = /usr/local/libexec/postfix
 shlib_directory = /usr/local/lib/postfix

jails/config/mail/postfix/main.cf.default

@@ -328,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
 luser_relay =
 mail_name = Postfix
 mail_owner = postfix
-mail_release_date = 20200316
+mail_release_date = 20200516
 mail_spool_directory = /var/mail
-mail_version = 3.5.0
+mail_version = 3.5.2
 mailbox_command =
 mailbox_command_maps =
 mailbox_delivery_lock = flock, dotlock
@@ -340,7 +340,7 @@ mailbox_transport_maps =
 maillog_file =
 maillog_file_compressor = gzip
 maillog_file_prefixes = /var, /dev/stdout
-maillog_file_rotate_suffix = %Y%M%d-%H%M%S
+maillog_file_rotate_suffix = %Y%m%d-%H%M%S
 mailq_path = /usr/local/bin/mailq
 manpage_directory = /usr/local/man
 maps_rbl_domains =

jails/config/monitor/alert_rules.yml

@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/monitor/alertmanager.yml

@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/monitor/matomo-archive

@@ -0,0 +1,2 @@
+MAILTO="sharad@diyit.org"
+5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /root/matomo-archive.log

jails/config/monitor/prometheus.yml

@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/monitor/start_logstash.sh

@@ -1,3 +0,0 @@
-mount proc
-/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
-ps axww | grep logstash

jails/config/pkgp/ccache.conf

@@ -0,0 +1 @@
+max_size = 32.0G

jails/config/pkgp/freebsd-update.conf

@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
+# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
 
 # Trusted keyprint.  Changing this is a Bad Idea unless you've received
 # a PGP-signed email from <security-officer@FreeBSD.org> telling you to

jails/config/pkgp/make.conf

@@ -1,2 +1,3 @@
 WANT_OPENLDAP_SASL=yes
 LICENSES_ACCEPTED+=DCC
+WITH_CCACHE_BUILD=yes

jails/config/pkgp/mypkgs

@@ -5,11 +5,14 @@ net/openldap24-sasl-client
 security/cyrus-sasl2
 www/apache24
 devel/apr1
-net/php73-ldap
+net/php74-ldap
 mail/postfix
 mail/dovecot
 mail/dovecot-pigeonhole
 mail/rspamd
 mail/dcc-dccd
 net/netatalk3
-net/samba410
+net/samba411
+net/nss-pam-ldapd
+net/nss-pam-ldapd-sasl
+#security/pam_ldap # included above

jails/config/pkgp/pkgp.conf

@@ -0,0 +1,11 @@
+FreeBSD: {
+    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
+    enabled: no
+}
+
+pkgp-freebsd-pkg: {
+    url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
+    mirror_type: "http",
+    enabled: yes,
+    priority: 10
+}

jails/config/pkgp/poudriere.conf

@@ -133,7 +133,7 @@ PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
 # It will be mounted into the jail and be shared among all jails.
 # It is recommended that extra ccache configuration be done with
 # ccache -o rather than from the environment.
-#CCACHE_DIR=/var/cache/ccache
+CCACHE_DIR=/mnt/cache/ccache
 
 # Static ccache support from host.  This uses the existing
 # ccache from the host in the build jail.  This is useful for
@@ -200,7 +200,7 @@ NOLINUX=yes
 # List of packages that will always be allowed to use MAKE_JOBS
 # regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports
 # which holdup the rest of the queue to build more quickly.
-#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*"
+ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py* llvm*"
 
 # Timestamp every line of build logs
 # Default: no
@@ -282,7 +282,7 @@ PRESERVE_TIMESTAMP=yes
 
 # Define pkgname globs to boost priority for
 # Default: none
-#PRIORITY_BOOST="pypy openoffice*"
+PRIORITY_BOOST="llvm*"
 
 # Define format for buildnames
 # Default: %Y-%m-%d_%Hh%Mm%Ss

jails/config/plex/plexconnect

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/proxy/haproxy.conf

@@ -1,4 +1,4 @@
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -48,35 +48,31 @@ frontend stats
 
 frontend ft
   bind :::80 v4v6
-  bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
+  bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem 
 
   redirect scheme https if !{ ssl_fc }
 
   log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
   # passing on that browser is using https
-  reqadd X-Forwarded-Proto:\ https
+  ## http-request add-header Forwarded: proto=https  
+  #enabling this breaks things, needs investigation
+
+  http-request set-header X-Forwarded-Proto https if { ssl_fc }
+  http-request set-header X-Forwarded-Ssl on if { ssl_fc }
 
   # for Clickjacking - added to individual backends
-  # rspadd X-Frame-Options:\ SAMEORIGIN
+  # http-response add-header X-Frame-Options: SAMEORIGIN
 
   # prevent browser from using non-secure
-  rspadd Strict-Transport-Security:\ max-age=15768000
+  http-response add-header Strict-Transport-Security: max-age=15768000
 
   acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
   acl restricted_page path -i -m sub /wp-admin
   acl restricted_page path -i -m sub /wp-login
-  block if restricted_page !network_allowed
+  http-request deny if restricted_page !network_allowed
 
   use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
   use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
-  use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
-  use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
-  use_backend bk_diyit if { ssl_fc_sni diyit.org }
-  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
-  use_backend bk_diyit if { ssl_fc_sni xflow.org }
-  use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
-  use_backend bk_diyit if { ssl_fc_sni diyit.space }
-  use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
 
   use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
   use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
@@ -96,53 +92,67 @@ frontend ft
   use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
   use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
   use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
+  use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
 
+  use_backend bk_diyit if { ssl_fc_sni diyit.org }
+  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
+  use_backend bk_diyit if { ssl_fc_sni xflow.org }
+  use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
   use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
   use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
   use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
   use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
 
+  use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
+  use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
+  use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
+  use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
+
+  use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
+  use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
   use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
   use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
   use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
-  use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
+  use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
+  use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
+  use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
+  use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
 
   default_backend bk_ahlawat
 
+  acl is_websocket hdr(Upgrade) -i WebSocket
+  acl is_websocket hdr_beg(Host) -i ws
+  use_backend bk_ahlawat if is_websocket
+
+
 backend bk_ahlawat
   server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
-
-backend bk_beyondbell
-  server srv1 192.168.0.77:8000
-  rspadd X-Frame-Options:\ SAMEORIGIN
-
-backend bk_diyit
-  server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
 
 backend bk_ahlawat-sharad
   balance roundrobin
   server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
+#  http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"
 
 backend bk_ahlawat-rachna
   server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-nivi
   server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-rishabh
   server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+
 
 #backend bk_ahlawat-book
 #  server srv1 bookx.ahlawat.com:443 check ssl verify none
@@ -150,102 +160,143 @@ backend bk_ahlawat-rishabh
 backend bk_ahlawat-book-443
 #  server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-book-444
 #  server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-book-445
 #  server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-cam
   server srv1 192.168.0.54:8765 check
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_ahlawat-ci
+#  http-request set-header Host cix.ahlawat.com:8080
+  http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*)  \1\ http://cix.ahlawat.com:8080/\2
+  http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*)  \1\ https://ci.ahlawat.com/\2
+  server srv1 cix.ahlawat.com:8080 check
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-cloud
   server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-git
   server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspidel X-Frame-Options:*
+  http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
-#  http-request set-var(txn.src) src
+#  http-response add-header X-Frame-Options: SAMEORIGIN
-#  acl mynet var(txn.src) -m sub 192.168.0
-#  acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
-#  rspidel X-Frame-Options:* if mynet
-#  rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
-# The gitea server add this header be default
 
 backend bk_ahlawat-hub
   server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-matrix
   server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-meet
   server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-monitor
   server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_ahlawat-jump
+  server srv1 jumpx.ahlawat.com:8080 check
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+
+
+backend bk_diyit
+  server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_diyit-grafana
   server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_diyit-prometheus
   server srv1 monitorx.ahlawat.com:9090 check
 # ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_diyit-kibana
-  server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_diyit-maps
-  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
-  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  rspadd X-Frame-Options:\ SAMEORIGIN
+#  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  http-response add-header X-Frame-Options: SAMEORIGIN
 
-backend bk_ahlawat-ci
+
-#  http-request  set-header Host cix.ahlawat.com:8180
+
-  reqirep  ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
+backend bk_dvpc
-  rspirep  ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
+  server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  server srv1 cix.ahlawat.com:8180 check
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+
+
+backend bk_beyondbell
+  server srv1 192.168.0.77:8000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-ci
+#  http-request set-header Host cix.beyondbell.com:8111
+  http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
+  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
+  server srv1 192.168.0.73:8111
+  http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_beyondbell-git
   server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN
-
-backend bk_beyondbell-ci
-  http-request  set-header Host cix.beyondbell.com:8111
-  reqirep  ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
-  rspirep  ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
-  server srv1 cix.beyondbell.com:8111
-  rspadd X-Frame-Options:\ SAMEORIGIN
 
 backend bk_beyondbell-repo
-#  http-request  set-header Host 192.168.0.75:8080
+#  http-request set-header Host 192.168.0.75:8081
-  reqirep  ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
+#  http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
-  rspirep  ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
+#  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
-  server srv1 192.168.0.75:8080
-  rspadd X-Frame-Options:\ SAMEORIGIN
 
-backend bk_beyondbell-gs
+  server srv1 192.168.0.75:8081
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+#  http-response del-header Strict-Transport-Security
+#  http-response add-header Content-Security-Policy: upgrade-insecure-requests
+
+backend bk_beyondbell-web-moonglade
+  server srv1 192.168.0.74:8000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-web-moonglade-private
+  server srv1 192.168.0.74:4000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-r-windows
+  server srv1 192.168.0.85:4000
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_beyondbell-windows
   server srv1 192.168.0.81:26900 check
   server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-  rspadd X-Frame-Options:\ SAMEORIGIN
+  http-response add-header X-Frame-Options: SAMEORIGIN

jails/config/proxy/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/proxy/port-fwd.sh

@@ -0,0 +1 @@
+ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820

jails/config/r-db/my.cnf

@@ -1,99 +1,13 @@
-# Example MySQL config file for small systems.
 #
-# This is for a system with little memory (<= 64M) where MySQL is only used
+# This group is read both by the client and the server
-# from time to time and it's important that the mysqld daemon
+# use it for options that affect everything, see
-# doesn't use much resources.
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
 #
-# MySQL programs look for option files in a set of
+[client-server]
-# locations which depend on the deployment platform.
+port	= 3306
-# You can copy this option file to one of those
+socket	= /var/run/mysql/mysql.sock
-# locations. For information about these locations, see:
+
-# http://dev.mysql.com/doc/mysql/en/option-files.html
 #
-# In this file, you can use all long options that a program supports.
+# include *.cnf from the config directory
-# If you want to know which options a program supports, run the program
+#
-# with the "--help" option.
+!includedir /usr/local/etc/mysql/conf.d/
-
-# The following options will be passed to all MySQL clients
-[client]
-#password	= your_password
-port		= 3306
-socket		= /tmp/mysql.sock
-
-# Here follows entries for some specific programs
-
-# The MySQL server
-[mysqld]
-bind-address    = *
-port		= 3306
-socket		= /tmp/mysql.sock
-skip-external-locking
-key_buffer_size = 16K
-max_allowed_packet = 64M
-table_open_cache = 16
-sort_buffer_size = 64K
-read_buffer_size = 256K
-read_rnd_buffer_size = 256K
-net_buffer_length = 2K
-thread_stack = 240K
-
-# Don't listen on a TCP/IP port at all. This can be a security enhancement,
-# if all processes that need to connect to mysqld run on the same host.
-# All interaction with mysqld must be made via Unix sockets or named pipes.
-# Note that using this option without enabling named pipes on Windows
-# (using the "enable-named-pipe" option) will render mysqld useless!
-# 
-#skip-networking
-server-id	= 1
-
-# Uncomment the following if you want to log updates
-#log-bin=mysql-bin
-
-# binary logging format - mixed recommended
-binlog_format=ROW
-
-# Causes updates to non-transactional engines using statement format to be
-# written directly to binary log. Before using this option make sure that
-# there are no dependencies between transactional and non-transactional
-# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
-# t_innodb; otherwise, slaves may diverge from the master.
-#binlog_direct_non_transactional_updates=TRUE
-
-# Uncomment the following if you are using InnoDB tables
-#innodb_data_home_dir = /var/db/mysql
-#innodb_data_file_path = ibdata1:10M:autoextend
-innodb_log_group_home_dir = /var/db/mysql-log
-# You can set .._buffer_pool_size up to 50 - 80 %
-# of RAM but beware of setting memory usage too high
-innodb_buffer_pool_size = 1G
-innodb_io_capacity=4000
-transaction-isolation = READ-COMMITTED
-# Set .._log_file_size to 25 % of buffer pool size
-innodb_log_file_size = 250M
-#innodb_log_buffer_size = 8M
-innodb_flush_log_at_trx_commit = 2
-#innodb_lock_wait_timeout = 50
-
-innodb_doublewrite = 0
-innodb_checksum_algorithm = none
-slow_query_log_file = /var/db/mysql-log/slow.log
-log-error = /var/db/mysql-log/error.log
-log_bin = /var/db/mysql-log/binlog
-relay_log = /var/db/mysql-log/relay-bin
-expire_logs_days = 7
-
-[mysqldump]
-quick
-max_allowed_packet = 16M
-
-[mysql]
-no-auto-rehash
-# Remove the next comment character if you are not familiar with SQL
-#safe-updates
-
-[myisamchk]
-key_buffer_size = 8M
-sort_buffer_size = 8M
-
-[mysqlhotcopy]
-interactive-timeout

jails/config/r-db/server.cnf

@@ -0,0 +1,90 @@
+# Options specific to server applications, see
+# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
+
+# Options specific to all server programs
+[server]
+
+# Options specific to MariaDB server programs
+[server-mariadb]
+
+#
+# Options for specific server tools
+#
+
+[mysqld]
+user				= mysql
+# port				= 3306 # set in /usr/local/etc/mysql/my.cnf
+# socket			= /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
+bind-address			= *
+basedir				= /usr/local
+datadir				= /var/db/mysql
+net_retry_count			= 16384
+# [mysqld] configuration for ZFS
+# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
+# Create separate datasets for data and logs, eg
+# zroot/mysql      compression=on recordsize=128k atime=off
+# zroot/mysql/data recordsize=16k
+# zroot/mysql/logs
+datadir = /var/db/mysql
+innodb_log_group_home_dir	= /var/db/mysql-log
+#audit_log_file		= /var/db/mysql-log/audit.log
+general_log_file		= /var/db/mysql-log/general.log
+log_bin			= /var/db/mysql-log/mysql-bin
+relay_log			= /var/db/mysql-log/relay-log
+slow_query_log_file		= /var/db/mysql-log/slow.log
+innodb_doublewrite		= 0
+innodb_flush_method		= O_DSYNC
+
+##
+log-error = /var/db/mysql-log/error.log
+
+
+### custom optimizations
+skip-external-locking
+key_buffer_size = 16K
+max_allowed_packet = 64M
+table_open_cache = 16
+sort_buffer_size = 64K
+read_buffer_size = 256K
+read_rnd_buffer_size = 256K
+net_buffer_length = 2K
+thread_stack = 240K
+
+server-id   = 1
+binlog_format=ROW
+
+innodb_buffer_pool_size = 1G
+innodb_io_capacity=4000
+transaction-isolation = READ-COMMITTED
+innodb_log_file_size = 250M
+innodb_flush_log_at_trx_commit = 2
+innodb_checksum_algorithm = none
+
+slow_query_log_file = /var/db/mysql-log/slow.log
+
+expire_logs_days = 7
+###
+
+
+# Options read by `mysqld_safe`
+# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
+[mariadb_safe]
+
+# Options read my `mariabackup`
+[mariabackup]
+
+# Options read by `mysql_upgrade`
+# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
+[mariadb-upgrade]
+
+# Specific options read by the mariabackup SST method
+[sst]
+
+# Options read by `mysqlbinlog`
+# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
+[mariadb-binlog]
+
+# Options read by `mysqladmin`
+# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
+[mariadb-admin]
+

jails/config/r-git/gitea/options/license

@@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 
-Copyright (c) 2018-2020, BeyondBell.com
+Copyright (c) 2018-2021, BeyondBell.com
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

jails/config/r-git/gitea/public/beyondbell-com-license.txt

@@ -1,6 +1,6 @@
 BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 
-Copyright (c) 2018-2020, BeyondBell.com
+Copyright (c) 2018-2021, BeyondBell.com
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

jails/config/r-ldap/pkgp.conf

@@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
     priority: 10
 }
 
-pkgp121: {
+pkgp122: {
-    url: "http://pkgp.ahlawat.com/packages/pj121-default/",
+    url: "http://pkgp.ahlawat.com/packages/pj122-default/",
     mirror_type: "http",
     signature_type: "pubkey",
     pubkey: "/mnt/certs/poudriere.cert",

jails/config/vm/create_taps.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
@@ -18,6 +18,16 @@ ifconfig bridge1 addm tap82 up
 ifconfig tap82 up
 ifconfig tap82 inet6 auto_linklocal
 
+ifconfig tap1082 create
+ifconfig bridge10 addm tap1082 up
+ifconfig tap1082 up
+ifconfig tap1082 inet6 auto_linklocal
+
+ifconfig tap2082 create
+ifconfig bridge9 addm tap2082 up
+ifconfig tap2082 up
+ifconfig tap2082 inet6 auto_linklocal
+
 ifconfig tap83 create
 ifconfig bridge1 addm tap83 up
 ifconfig tap83 up
@@ -33,6 +43,21 @@ ifconfig bridge1 addm tap85 up
 ifconfig tap85 up
 ifconfig tap85 inet6 auto_linklocal
 
+ifconfig tap86 create
+ifconfig bridge1 addm tap86 up
+ifconfig tap86 up
+ifconfig tap86 inet6 auto_linklocal
+
+ifconfig tap1086 create
+ifconfig bridge10 addm tap1086 up
+ifconfig tap1086 up
+ifconfig tap1086 inet6 auto_linklocal
+
+ifconfig tap2086 create
+ifconfig bridge9 addm tap2086 up
+ifconfig tap2086 up
+ifconfig tap2086 inet6 auto_linklocal
+
 ifconfig tap90 create
 ifconfig bridge1 addm tap90 up
 ifconfig tap90 up
@@ -42,3 +67,33 @@ ifconfig tap190 create
 ifconfig bridge2 addm tap190 up
 ifconfig tap190 up
 ifconfig tap190 inet6 auto_linklocal
+
+ifconfig tap97 create
+ifconfig bridge1 addm tap97 up
+ifconfig tap97 up
+ifconfig tap97 inet6 auto_linklocal
+
+ifconfig tap1097 create
+ifconfig bridge10 addm tap1097 up
+ifconfig tap1097 up
+ifconfig tap1097 inet6 auto_linklocal
+
+ifconfig tap2097 create
+ifconfig bridge9 addm tap2097 up
+ifconfig tap2097 up
+ifconfig tap2097 inet6 auto_linklocal
+
+ifconfig tap96 create
+ifconfig bridge1 addm tap96 up
+ifconfig tap96 up
+ifconfig tap96 inet6 auto_linklocal
+
+ifconfig tap1096 create
+ifconfig bridge10 addm tap1096 up
+ifconfig tap1096 up
+ifconfig tap1096 inet6 auto_linklocal
+
+ifconfig tap2096 create
+ifconfig bridge9 addm tap2096 up
+ifconfig tap2096 up
+ifconfig tap2096 inet6 auto_linklocal

jails/config/vm/cvm-a.sh

@@ -0,0 +1,70 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./cvm-a.sh under tmux
+
+# clean cached state
+bhyvectl --destroy --vm=cvm-a
+
+while true
+do
+
+bhyve -c 4 -m 16G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
+-s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
+-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
+-s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
+-s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
+-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm97A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+cvm-a
+
+bhyve_exit=$?
+# bhyve returns the following status codes:
+#  0 - VM has been reset
+#  1 - VM has been powered off
+#  2 - VM has been halted
+#  3 - VM generated a triple fault
+#  all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+    break
+fi
+echo `date` - restarting cvm-a in 5 seconds - press ctrl-c to stop
+sleep 5
+
+done
+
+exit $?
+
+# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
+
+# bhyvectl --get-all --vm=cvm-a
+
+# cu -l /dev/nmdm97B
+# (This uses cu() so press ~+Ctrl-D to exit)
+
+#on base system:
+#zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
+#zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
+# on boot
+#ifconfig tap97 create
+#ifconfig bridge1 addm tap97 up
+#ifconfig tap97 up
+#ifconfig tap97 inet6 auto_linklocal
+#ifconfig tap1097 create
+#ifconfig bridge10 addm tap1097 up
+#ifconfig tap1097 up
+#ifconfig tap1097 inet6 auto_linklocal

jails/config/vm/cvm-b.sh

@@ -0,0 +1,70 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./cvm-b.sh under tmux
+
+# clean cached state
+bhyvectl --destroy --vm=cvm-b
+
+while true
+do
+
+bhyve -c 4 -m 16G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
+-s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
+-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
+-s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
+-s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
+-s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm96A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+cvm-b
+
+bhyve_exit=$?
+# bhyve returns the following status codes:
+#  0 - VM has been reset
+#  1 - VM has been powered off
+#  2 - VM has been halted
+#  3 - VM generated a triple fault
+#  all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+    break
+fi
+echo `date` - restarting cvm-b in 5 seconds - press ctrl-c to stop
+sleep 5
+
+done
+
+exit $?
+
+# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
+
+# bhyvectl --get-all --vm=cvm-b
+
+# cu -l /dev/nmdm96B
+# (This uses cu() so press ~+Ctrl-D to exit)
+
+#on base system:
+#zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
+#zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
+# on boot
+#ifconfig tap96 create
+#ifconfig bridge1 addm tap96 up
+#ifconfig tap96 up
+#ifconfig tap96 inet6 auto_linklocal
+#ifconfig tap1096 create
+#ifconfig bridge10 addm tap1096 up
+#ifconfig tap1096 up
+#ifconfig tap1096 inet6 auto_linklocal

jails/config/vm/freebsd.sh

@@ -1,6 +1,6 @@
 #!/usr/local/bin/bash
 
-# Copyright (c) 2018-2020, diyIT.org
+# Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")

jails/config/vm/kali.sh

@@ -0,0 +1,77 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+# ./kali.sh under tmux
+
+# clean cached state
+bhyvectl --destroy --vm=kali
+
+while true
+do
+
+bhyve -c 2 -m 4G -A -H -P \
+-s 0,hostbridge \
+-s 3,ahci-cd \
+-s 4,virtio-blk,/dev/zvol/ship/raw/kali \
+-s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
+-s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
+-s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
+-s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
+-s 30,xhci,tablet \
+-s 31,lpc -l com1,/dev/nmdm86A \
+-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
+kali
+
+bhyve_exit=$?
+# bhyve returns the following status codes:
+#  0 - VM has been reset
+#  1 - VM has been powered off
+#  2 - VM has been halted
+#  3 - VM generated a triple fault
+#  all other non-zero status codes are errors
+#
+if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
+then
+    break
+fi
+echo `date` - restarting kali in 5 seconds - press ctrl-c to stop
+sleep 5
+
+done
+
+exit $?
+
+#-s 3,ahci-cd,/mnt/linux/kali-linux-2020.4-installer-amd64.iso \
+##-s 6,virtio-blk,/dev/zvol/ship/raw/kali_data \
+
+# bhyvectl --get-all --vm=kali
+
+# cu -l /dev/nmdm86B
+# (This uses cu() so press ~+Ctrl-D to exit)
+
+#on base system:
+#zfs create -V 128G -o refreservation=none ship/raw/kali
+##zfs create -V 128G -o refreservation=none ship/raw/kali_data
+# on boot
+#ifconfig tap86 create
+#ifconfig bridge1 addm tap86 up
+#ifconfig tap86 up
+#ifconfig tap86 inet6 auto_linklocal
+#ifconfig tap1086 create
+#ifconfig bridge10 addm tap1086 up
+#ifconfig tap1086 up
+#ifconfig tap1086 inet6 auto_linklocal
+
+# Install VNC
+# curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download# 
+# sudo apt install gdebi-core
+# sudo gdebi turbovnc_2.2.5_amd64.deb
+# sudo killall Xvnc; /opt/TurboVNC/bin/vncserver -name kali -geometry 1920x1080 :4
+# systemctl enable ssh.service; service ssh start