updated for FreeBSD 12.2
This commit is contained in:
parent
bd3cffc61a
commit
5cee123a3c
@ -1,6 +1,6 @@
|
||||
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
||||
Copyright (c) 2018-2020, diyIT.org
|
||||
Copyright (c) 2018-2021, diyIT.org
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
@ -1,32 +1,63 @@
|
||||
;
|
||||
; Netatalk 3.x configuration file
|
||||
;
|
||||
; http://netatalk.sourceforge.net/3.1/htmldocs/afp.conf.5.html
|
||||
|
||||
[Global]
|
||||
; Global server settings
|
||||
hostname = atm
|
||||
hosts allow = 192.168.0.0/24,192.168.100.0/24
|
||||
afp listen = 0.0.0.0
|
||||
afp listen = ::
|
||||
mimic model = TimeCapsule6,106
|
||||
uam list = uams_guest.so uams_dhx2_passwd.so
|
||||
; locate uam # show all the uam modules
|
||||
|
||||
force xattr with sticky bit = yes
|
||||
|
||||
zeroconf = yes
|
||||
afpstats = yes
|
||||
|
||||
ldap auth method = simple
|
||||
;ldap auth dn = cn=admin,dc=infra
|
||||
;ldap auth pw = notrequired
|
||||
ldap server = ldap.ahlawat.com
|
||||
|
||||
ldap name attr = cn
|
||||
ldap userbase = ou=people,dc=infra
|
||||
ldap userscope = one
|
||||
ldap uuid attr = uidNumber
|
||||
|
||||
ldap group attr = cn
|
||||
ldap groupbase = ou=group,dc=infra
|
||||
ldap groupscope = one
|
||||
;ldap uuid attr = gidNumber #this is used both for users and groups.
|
||||
|
||||
; You can comment these 2 lines when your setup is working
|
||||
;log level = default:maxdebug,afpdaemon:maxdebug,logger:maxdebug,uamsdaemon:maxdebug
|
||||
log file = /var/log/afpd.log
|
||||
|
||||
[default_for_all_vol]
|
||||
cnid scheme = dbd
|
||||
appledouble = ea
|
||||
ea = ad
|
||||
|
||||
; [Homes]
|
||||
; basedir regex = /xxxx
|
||||
|
||||
; [My AFP Volume]
|
||||
; path = /path/to/volume
|
||||
|
||||
[Sharad Time Machine Volume]
|
||||
[Sharad]
|
||||
path = /mnt/sharad
|
||||
valid users = sharad
|
||||
time machine = yes
|
||||
|
||||
[Rachna Time Machine Volume]
|
||||
[Rachna]
|
||||
path = /mnt/rachna
|
||||
valid users = rachna
|
||||
time machine = yes
|
||||
|
||||
[Nivi Time Machine Volume]
|
||||
[Nivi]
|
||||
path = /mnt/nivi
|
||||
valid users = nivi
|
||||
time machine = yes
|
||||
|
||||
[Rishabh Time Machine Volume]
|
||||
[Rishabh]
|
||||
path = /mnt/rishabh
|
||||
valid users = rishabh
|
||||
time machine = yes
|
||||
|
14
jails/config/atm/afpd.service
Normal file
14
jails/config/atm/afpd.service
Normal file
@ -0,0 +1,14 @@
|
||||
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
|
||||
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
|
||||
<service-group>
|
||||
<name replace-wildcards="yes">%h</name>
|
||||
<service>
|
||||
<type>_afpovertcp._tcp</type>
|
||||
<port>548</port>
|
||||
</service>
|
||||
<service>
|
||||
<type>_device-info._tcp</type>
|
||||
<port>0</port>
|
||||
<txt-record>model=Xserve</txt-record>
|
||||
</service>
|
||||
</service-group>
|
15
jails/config/atm/ldap.conf
Normal file
15
jails/config/atm/ldap.conf
Normal file
@ -0,0 +1,15 @@
|
||||
#
|
||||
# LDAP Defaults
|
||||
#
|
||||
|
||||
# See ldap.conf(5) for details
|
||||
# This file should be world readable but not world writable.
|
||||
|
||||
BASE ou=people,dc=infra
|
||||
URI ldaps://ldap.ahlawat.com:636
|
||||
ssl start_tls
|
||||
tls_cacert /mnt/certs/cacert.pem
|
||||
|
||||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
3
jails/config/atm/netatalk
Normal file
3
jails/config/atm/netatalk
Normal file
@ -0,0 +1,3 @@
|
||||
auth required /usr/local/lib/pam_ldap.so try_first_pass
|
||||
account required /usr/local/lib/pam_ldap.so try_first_pass
|
||||
session required /usr/local/lib/pam_ldap.so
|
142
jails/config/atm/nslcd.conf
Normal file
142
jails/config/atm/nslcd.conf
Normal file
@ -0,0 +1,142 @@
|
||||
# This is the configuration file for the LDAP nameservice
|
||||
# switch library's nslcd daemon. It configures the mapping
|
||||
# between NSS names (see /etc/nsswitch.conf) and LDAP
|
||||
# information in the directory.
|
||||
# See the manual page nslcd.conf(5) for more information.
|
||||
|
||||
# The user and group nslcd should run as.
|
||||
uid nslcd
|
||||
gid nslcd
|
||||
|
||||
# The uri pointing to the LDAP server to use for name lookups.
|
||||
# Multiple entries may be specified. The address that is used
|
||||
# here should be resolvable without using LDAP (obviously).
|
||||
#uri ldap://127.0.0.1/
|
||||
#uri ldaps://127.0.0.1/
|
||||
#uri ldapi://%2fvar%2frun%2fldapi_sock/
|
||||
# Note: %2f encodes the '/' used as directory separator
|
||||
uri ldaps://ldap.ahlawat.com:636
|
||||
|
||||
# The LDAP version to use (defaults to 3
|
||||
# if supported by client library)
|
||||
#ldap_version 3
|
||||
|
||||
# The distinguished name of the search base.
|
||||
base ou=people,dc=infra
|
||||
|
||||
# The distinguished name to bind to the server with.
|
||||
# Optional: default is to bind anonymously.
|
||||
#binddn cn=proxyuser,dc=example,dc=com
|
||||
|
||||
# The credentials to bind with.
|
||||
# Optional: default is no credentials.
|
||||
# Note that if you set a bindpw you should check the permissions of this file.
|
||||
#bindpw secret
|
||||
|
||||
# The distinguished name to perform password modifications by root by.
|
||||
#rootpwmoddn cn=admin,dc=example,dc=com
|
||||
|
||||
# The default search scope.
|
||||
#scope sub
|
||||
scope one
|
||||
#scope base
|
||||
|
||||
# Customize certain database lookups.
|
||||
#base group ou=Groups,dc=example,dc=com
|
||||
#base passwd ou=People,dc=example,dc=com
|
||||
#base shadow ou=People,dc=example,dc=com
|
||||
#scope group onelevel
|
||||
#scope hosts sub
|
||||
|
||||
# Bind/connect timelimit.
|
||||
#bind_timelimit 30
|
||||
|
||||
# Search timelimit.
|
||||
#timelimit 30
|
||||
|
||||
# Idle timelimit. nslcd will close connections if the
|
||||
# server has not been contacted for the number of seconds.
|
||||
#idle_timelimit 3600
|
||||
|
||||
# Use StartTLS without verifying the server certificate.
|
||||
ssl start_tls
|
||||
#tls_reqcert never
|
||||
|
||||
# CA certificates for server certificate verification
|
||||
tls_cacertdir /mnt/certs
|
||||
tls_cacertfile /mnt/certs/cacert.pem
|
||||
|
||||
# Seed the PRNG if /dev/urandom is not provided
|
||||
#tls_randfile /var/run/egd-pool
|
||||
|
||||
# SSL cipher suite
|
||||
# See man ciphers for syntax
|
||||
#tls_ciphers TLSv1
|
||||
|
||||
# Client certificate and key
|
||||
# Use these, if your server requires client authentication.
|
||||
#tls_cert
|
||||
#tls_key
|
||||
|
||||
# Mappings for Services for UNIX 3.5
|
||||
#filter passwd (objectClass=User)
|
||||
#map passwd uid msSFU30Name
|
||||
#map passwd userPassword msSFU30Password
|
||||
#map passwd homeDirectory msSFU30HomeDirectory
|
||||
#map passwd homeDirectory msSFUHomeDirectory
|
||||
#filter shadow (objectClass=User)
|
||||
#map shadow uid msSFU30Name
|
||||
#map shadow userPassword msSFU30Password
|
||||
#filter group (objectClass=Group)
|
||||
#map group member msSFU30PosixMember
|
||||
|
||||
# Mappings for Services for UNIX 2.0
|
||||
#filter passwd (objectClass=User)
|
||||
#map passwd uid msSFUName
|
||||
#map passwd userPassword msSFUPassword
|
||||
#map passwd homeDirectory msSFUHomeDirectory
|
||||
#map passwd gecos msSFUName
|
||||
#filter shadow (objectClass=User)
|
||||
#map shadow uid msSFUName
|
||||
#map shadow userPassword msSFUPassword
|
||||
#map shadow shadowLastChange pwdLastSet
|
||||
#filter group (objectClass=Group)
|
||||
#map group member posixMember
|
||||
|
||||
# Mappings for Active Directory
|
||||
#pagesize 1000
|
||||
#referrals off
|
||||
#idle_timelimit 800
|
||||
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
|
||||
#map passwd uid sAMAccountName
|
||||
#map passwd homeDirectory unixHomeDirectory
|
||||
#map passwd gecos displayName
|
||||
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
|
||||
#map shadow uid sAMAccountName
|
||||
#map shadow shadowLastChange pwdLastSet
|
||||
#filter group (objectClass=group)
|
||||
|
||||
# Alternative mappings for Active Directory
|
||||
# (replace the SIDs in the objectSid mappings with the value for your domain)
|
||||
#pagesize 1000
|
||||
#referrals off
|
||||
#idle_timelimit 800
|
||||
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
|
||||
#map passwd uid cn
|
||||
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
|
||||
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
|
||||
#map passwd homeDirectory "/home/$cn"
|
||||
#map passwd gecos displayName
|
||||
#map passwd loginShell "/bin/bash"
|
||||
#filter group (|(objectClass=group)(objectClass=person))
|
||||
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
|
||||
|
||||
# Mappings for AIX SecureWay
|
||||
#filter passwd (objectClass=aixAccount)
|
||||
#map passwd uid userName
|
||||
#map passwd userPassword passwordChar
|
||||
#map passwd uidNumber uid
|
||||
#map passwd gidNumber gid
|
||||
#filter group (objectClass=aixAccessGroup)
|
||||
#map group cn groupName
|
||||
#map group gidNumber gid
|
18
jails/config/atm/nsswitch.conf
Normal file
18
jails/config/atm/nsswitch.conf
Normal file
@ -0,0 +1,18 @@
|
||||
#
|
||||
# nsswitch.conf(5) - name service switch configuration file
|
||||
# $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
|
||||
#
|
||||
#group: compat
|
||||
group: files ldap
|
||||
group_compat: nis
|
||||
hosts: files dns
|
||||
netgroup: compat
|
||||
networks: files
|
||||
#passwd: compat
|
||||
passwd: files ldap
|
||||
passwd_compat: nis
|
||||
shells: files
|
||||
services: compat
|
||||
services_compat: nis
|
||||
protocols: files
|
||||
rpc: files
|
17
jails/config/atm/pam_ldap.conf
Normal file
17
jails/config/atm/pam_ldap.conf
Normal file
@ -0,0 +1,17 @@
|
||||
#
|
||||
# LDAP Defaults
|
||||
#
|
||||
|
||||
# See ldap.conf(5) for details
|
||||
# This file should be world readable but not world writable.
|
||||
|
||||
BASE ou=people,dc=infra
|
||||
URI ldaps://ldap.ahlawat.com:636
|
||||
ssl start_tls
|
||||
tls_cacert /mnt/certs/cacert.pem
|
||||
|
||||
pam_login_attribute cn
|
||||
|
||||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
|
||||
priority: 10
|
||||
}
|
||||
|
||||
pkgp121: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
|
||||
pkgp122: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
|
||||
mirror_type: "http",
|
||||
signature_type: "pubkey",
|
||||
pubkey: "/mnt/certs/poudriere.cert",
|
||||
|
28
jails/config/atm/sshd
Normal file
28
jails/config/atm/sshd
Normal file
@ -0,0 +1,28 @@
|
||||
#
|
||||
# $FreeBSD: releng/12.1/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
|
||||
#
|
||||
# PAM configuration for the "sshd" service
|
||||
#
|
||||
|
||||
# auth
|
||||
auth sufficient pam_opie.so no_warn no_fake_prompts
|
||||
auth requisite pam_opieaccess.so no_warn allow_local
|
||||
#auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
auth sufficient /usr/local/lib/pam_ldap.so no_warn
|
||||
auth required pam_unix.so no_warn try_first_pass
|
||||
|
||||
# account
|
||||
account required pam_nologin.so
|
||||
#account required pam_krb5.so
|
||||
account required pam_login_access.so
|
||||
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
|
||||
account required pam_unix.so
|
||||
|
||||
# session
|
||||
#session optional pam_ssh.so want_agent
|
||||
session required pam_permit.so
|
||||
|
||||
# password
|
||||
#password sufficient pam_krb5.so no_warn try_first_pass
|
||||
password required pam_unix.so no_warn try_first_pass
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
1
jails/config/cert/backup.sh
Executable file
1
jails/config/cert/backup.sh
Executable file
@ -0,0 +1 @@
|
||||
cp -r /root/.acme.sh /mnt/config/secret/
|
77
jails/config/common/freebsd-update.conf
Normal file
77
jails/config/common/freebsd-update.conf
Normal file
@ -0,0 +1,77 @@
|
||||
# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
|
||||
|
||||
# Trusted keyprint. Changing this is a Bad Idea unless you've received
|
||||
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
|
||||
# change it and explaining why.
|
||||
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5
|
||||
|
||||
# Server or server pool from which to fetch updates. You can change
|
||||
# this to point at a specific server if you want, but in most cases
|
||||
# using a "nearby" server won't provide a measurable improvement in
|
||||
# performance.
|
||||
ServerName update.FreeBSD.org
|
||||
|
||||
# Components of the base system which should be kept updated.
|
||||
#Components src world
|
||||
Components world
|
||||
|
||||
# Example for updating the userland and the kernel source code only:
|
||||
# Components src/base src/sys world
|
||||
|
||||
# Paths which start with anything matching an entry in an IgnorePaths
|
||||
# statement will be ignored.
|
||||
IgnorePaths
|
||||
|
||||
# Paths which start with anything matching an entry in an IDSIgnorePaths
|
||||
# statement will be ignored by "freebsd-update IDS".
|
||||
IDSIgnorePaths /usr/share/man/cat
|
||||
IDSIgnorePaths /usr/share/man/whatis
|
||||
IDSIgnorePaths /var/db/locate.database
|
||||
IDSIgnorePaths /var/log
|
||||
|
||||
# Paths which start with anything matching an entry in an UpdateIfUnmodified
|
||||
# statement will only be updated if the contents of the file have not been
|
||||
# modified by the user (unless changes are merged; see below).
|
||||
UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile
|
||||
|
||||
# When upgrading to a new FreeBSD release, files which match MergeChanges
|
||||
# will have any local changes merged into the version from the new release.
|
||||
MergeChanges /etc/ /boot/device.hints
|
||||
|
||||
### Default configuration options:
|
||||
|
||||
# Directory in which to store downloaded updates and temporary
|
||||
# files used by FreeBSD Update.
|
||||
# WorkDir /var/db/freebsd-update
|
||||
|
||||
# Destination to send output of "freebsd-update cron" if an error
|
||||
# occurs or updates have been downloaded.
|
||||
# MailTo root
|
||||
|
||||
# Is FreeBSD Update allowed to create new files?
|
||||
# AllowAdd yes
|
||||
|
||||
# Is FreeBSD Update allowed to delete files?
|
||||
# AllowDelete yes
|
||||
|
||||
# If the user has modified file ownership, permissions, or flags, should
|
||||
# FreeBSD Update retain this modified metadata when installing a new version
|
||||
# of that file?
|
||||
# KeepModifiedMetadata yes
|
||||
|
||||
# When upgrading between releases, should the list of Components be
|
||||
# read strictly (StrictComponents yes) or merely as a list of components
|
||||
# which *might* be installed of which FreeBSD Update should figure out
|
||||
# which actually are installed and upgrade those (StrictComponents no)?
|
||||
# StrictComponents no
|
||||
|
||||
# When installing a new kernel perform a backup of the old one first
|
||||
# so it is possible to boot the old kernel in case of problems.
|
||||
# BackupKernel yes
|
||||
|
||||
# If BackupKernel is enabled, the backup kernel is saved to this
|
||||
# directory.
|
||||
# BackupKernelDir /boot/kernel.old
|
||||
|
||||
# When backing up a kernel also back up debug symbol files?
|
||||
# BackupKernelSymbolFiles no
|
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
|
||||
priority: 10
|
||||
}
|
||||
|
||||
pkgp121: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
|
||||
pkgp122: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
|
||||
mirror_type: "http",
|
||||
signature_type: "pubkey",
|
||||
pubkey: "/mnt/certs/poudriere.cert",
|
||||
|
@ -1,6 +1,6 @@
|
||||
#! /usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
|
||||
# $FreeBSD: releng/12.1/crypto/openssh/sshd_config 338561 2018-09-10 16:20:12Z des $
|
||||
# $FreeBSD: releng/12.2/crypto/openssh/sshd_config 360313 2020-04-25 15:38:48Z emaste $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
@ -105,7 +105,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#UseBlacklist no
|
||||
#VersionAddendum FreeBSD-20180909
|
||||
#VersionAddendum FreeBSD-20200214
|
||||
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,99 +1,13 @@
|
||||
# Example MySQL config file for small systems.
|
||||
#
|
||||
# This is for a system with little memory (<= 64M) where MySQL is only used
|
||||
# from time to time and it's important that the mysqld daemon
|
||||
# doesn't use much resources.
|
||||
# This group is read both by the client and the server
|
||||
# use it for options that affect everything, see
|
||||
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
|
||||
#
|
||||
# MySQL programs look for option files in a set of
|
||||
# locations which depend on the deployment platform.
|
||||
# You can copy this option file to one of those
|
||||
# locations. For information about these locations, see:
|
||||
# http://dev.mysql.com/doc/mysql/en/option-files.html
|
||||
#
|
||||
# In this file, you can use all long options that a program supports.
|
||||
# If you want to know which options a program supports, run the program
|
||||
# with the "--help" option.
|
||||
|
||||
# The following options will be passed to all MySQL clients
|
||||
[client]
|
||||
#password = your_password
|
||||
[client-server]
|
||||
port = 3306
|
||||
socket = /tmp/mysql.sock
|
||||
socket = /var/run/mysql/mysql.sock
|
||||
|
||||
# Here follows entries for some specific programs
|
||||
|
||||
# The MySQL server
|
||||
[mysqld]
|
||||
bind-address = *
|
||||
port = 3306
|
||||
socket = /tmp/mysql.sock
|
||||
skip-external-locking
|
||||
key_buffer_size = 16K
|
||||
max_allowed_packet = 64M
|
||||
table_open_cache = 16
|
||||
sort_buffer_size = 64K
|
||||
read_buffer_size = 256K
|
||||
read_rnd_buffer_size = 256K
|
||||
net_buffer_length = 2K
|
||||
thread_stack = 240K
|
||||
|
||||
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
|
||||
# if all processes that need to connect to mysqld run on the same host.
|
||||
# All interaction with mysqld must be made via Unix sockets or named pipes.
|
||||
# Note that using this option without enabling named pipes on Windows
|
||||
# (using the "enable-named-pipe" option) will render mysqld useless!
|
||||
#
|
||||
#skip-networking
|
||||
server-id = 1
|
||||
|
||||
# Uncomment the following if you want to log updates
|
||||
#log-bin=mysql-bin
|
||||
|
||||
# binary logging format - mixed recommended
|
||||
binlog_format=ROW
|
||||
|
||||
# Causes updates to non-transactional engines using statement format to be
|
||||
# written directly to binary log. Before using this option make sure that
|
||||
# there are no dependencies between transactional and non-transactional
|
||||
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
|
||||
# t_innodb; otherwise, slaves may diverge from the master.
|
||||
#binlog_direct_non_transactional_updates=TRUE
|
||||
|
||||
# Uncomment the following if you are using InnoDB tables
|
||||
#innodb_data_home_dir = /var/db/mysql
|
||||
#innodb_data_file_path = ibdata1:10M:autoextend
|
||||
innodb_log_group_home_dir = /var/db/mysql-log
|
||||
# You can set .._buffer_pool_size up to 50 - 80 %
|
||||
# of RAM but beware of setting memory usage too high
|
||||
innodb_buffer_pool_size = 1G
|
||||
innodb_io_capacity=4000
|
||||
transaction-isolation = READ-COMMITTED
|
||||
# Set .._log_file_size to 25 % of buffer pool size
|
||||
innodb_log_file_size = 250M
|
||||
#innodb_log_buffer_size = 8M
|
||||
innodb_flush_log_at_trx_commit = 2
|
||||
#innodb_lock_wait_timeout = 50
|
||||
|
||||
innodb_doublewrite = 0
|
||||
innodb_checksum_algorithm = none
|
||||
slow_query_log_file = /var/db/mysql-log/slow.log
|
||||
log-error = /var/db/mysql-log/error.log
|
||||
log_bin = /var/db/mysql-log/binlog
|
||||
relay_log = /var/db/mysql-log/relay-bin
|
||||
expire_logs_days = 7
|
||||
|
||||
[mysqldump]
|
||||
quick
|
||||
max_allowed_packet = 16M
|
||||
|
||||
[mysql]
|
||||
no-auto-rehash
|
||||
# Remove the next comment character if you are not familiar with SQL
|
||||
#safe-updates
|
||||
|
||||
[myisamchk]
|
||||
key_buffer_size = 8M
|
||||
sort_buffer_size = 8M
|
||||
|
||||
[mysqlhotcopy]
|
||||
interactive-timeout
|
||||
# include *.cnf from the config directory
|
||||
#
|
||||
!includedir /usr/local/etc/mysql/conf.d/
|
||||
|
99
jails/config/db/my.cnf.oldversion
Normal file
99
jails/config/db/my.cnf.oldversion
Normal file
@ -0,0 +1,99 @@
|
||||
# Example MySQL config file for small systems.
|
||||
#
|
||||
# This is for a system with little memory (<= 64M) where MySQL is only used
|
||||
# from time to time and it's important that the mysqld daemon
|
||||
# doesn't use much resources.
|
||||
#
|
||||
# MySQL programs look for option files in a set of
|
||||
# locations which depend on the deployment platform.
|
||||
# You can copy this option file to one of those
|
||||
# locations. For information about these locations, see:
|
||||
# http://dev.mysql.com/doc/mysql/en/option-files.html
|
||||
#
|
||||
# In this file, you can use all long options that a program supports.
|
||||
# If you want to know which options a program supports, run the program
|
||||
# with the "--help" option.
|
||||
|
||||
# The following options will be passed to all MySQL clients
|
||||
[client]
|
||||
#password = your_password
|
||||
port = 3306
|
||||
socket = /tmp/mysql.sock
|
||||
|
||||
# Here follows entries for some specific programs
|
||||
|
||||
# The MySQL server
|
||||
[mysqld]
|
||||
bind-address = *
|
||||
port = 3306
|
||||
socket = /tmp/mysql.sock
|
||||
skip-external-locking
|
||||
key_buffer_size = 16K
|
||||
max_allowed_packet = 64M
|
||||
table_open_cache = 16
|
||||
sort_buffer_size = 64K
|
||||
read_buffer_size = 256K
|
||||
read_rnd_buffer_size = 256K
|
||||
net_buffer_length = 2K
|
||||
thread_stack = 240K
|
||||
|
||||
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
|
||||
# if all processes that need to connect to mysqld run on the same host.
|
||||
# All interaction with mysqld must be made via Unix sockets or named pipes.
|
||||
# Note that using this option without enabling named pipes on Windows
|
||||
# (using the "enable-named-pipe" option) will render mysqld useless!
|
||||
#
|
||||
#skip-networking
|
||||
server-id = 1
|
||||
|
||||
# Uncomment the following if you want to log updates
|
||||
#log-bin=mysql-bin
|
||||
|
||||
# binary logging format - mixed recommended
|
||||
binlog_format=ROW
|
||||
|
||||
# Causes updates to non-transactional engines using statement format to be
|
||||
# written directly to binary log. Before using this option make sure that
|
||||
# there are no dependencies between transactional and non-transactional
|
||||
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
|
||||
# t_innodb; otherwise, slaves may diverge from the master.
|
||||
#binlog_direct_non_transactional_updates=TRUE
|
||||
|
||||
# Uncomment the following if you are using InnoDB tables
|
||||
#innodb_data_home_dir = /var/db/mysql
|
||||
#innodb_data_file_path = ibdata1:10M:autoextend
|
||||
innodb_log_group_home_dir = /var/db/mysql-log
|
||||
# You can set .._buffer_pool_size up to 50 - 80 %
|
||||
# of RAM but beware of setting memory usage too high
|
||||
innodb_buffer_pool_size = 1G
|
||||
innodb_io_capacity=4000
|
||||
transaction-isolation = READ-COMMITTED
|
||||
# Set .._log_file_size to 25 % of buffer pool size
|
||||
innodb_log_file_size = 250M
|
||||
#innodb_log_buffer_size = 8M
|
||||
innodb_flush_log_at_trx_commit = 2
|
||||
#innodb_lock_wait_timeout = 50
|
||||
|
||||
innodb_doublewrite = 0
|
||||
innodb_checksum_algorithm = none
|
||||
slow_query_log_file = /var/db/mysql-log/slow.log
|
||||
log-error = /var/db/mysql-log/error.log
|
||||
log_bin = /var/db/mysql-log/binlog
|
||||
relay_log = /var/db/mysql-log/relay-bin
|
||||
expire_logs_days = 7
|
||||
|
||||
[mysqldump]
|
||||
quick
|
||||
max_allowed_packet = 16M
|
||||
|
||||
[mysql]
|
||||
no-auto-rehash
|
||||
# Remove the next comment character if you are not familiar with SQL
|
||||
#safe-updates
|
||||
|
||||
[myisamchk]
|
||||
key_buffer_size = 8M
|
||||
sort_buffer_size = 8M
|
||||
|
||||
[mysqlhotcopy]
|
||||
interactive-timeout
|
90
jails/config/db/server.cnf
Normal file
90
jails/config/db/server.cnf
Normal file
@ -0,0 +1,90 @@
|
||||
# Options specific to server applications, see
|
||||
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
|
||||
|
||||
# Options specific to all server programs
|
||||
[server]
|
||||
|
||||
# Options specific to MariaDB server programs
|
||||
[server-mariadb]
|
||||
|
||||
#
|
||||
# Options for specific server tools
|
||||
#
|
||||
|
||||
[mysqld]
|
||||
user = mysql
|
||||
# port = 3306 # set in /usr/local/etc/mysql/my.cnf
|
||||
# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
|
||||
bind-address = *
|
||||
basedir = /usr/local
|
||||
datadir = /var/db/mysql
|
||||
net_retry_count = 16384
|
||||
# [mysqld] configuration for ZFS
|
||||
# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
|
||||
# Create separate datasets for data and logs, eg
|
||||
# zroot/mysql compression=on recordsize=128k atime=off
|
||||
# zroot/mysql/data recordsize=16k
|
||||
# zroot/mysql/logs
|
||||
datadir = /var/db/mysql
|
||||
innodb_log_group_home_dir = /var/db/mysql-log
|
||||
#audit_log_file = /var/db/mysql-log/audit.log
|
||||
general_log_file = /var/db/mysql-log/general.log
|
||||
log_bin = /var/db/mysql-log/mysql-bin
|
||||
relay_log = /var/db/mysql-log/relay-log
|
||||
slow_query_log_file = /var/db/mysql-log/slow.log
|
||||
innodb_doublewrite = 0
|
||||
innodb_flush_method = O_DSYNC
|
||||
|
||||
##
|
||||
log-error = /var/db/mysql-log/error.log
|
||||
|
||||
|
||||
### custom optimizations
|
||||
skip-external-locking
|
||||
key_buffer_size = 16K
|
||||
max_allowed_packet = 64M
|
||||
table_open_cache = 16
|
||||
sort_buffer_size = 64K
|
||||
read_buffer_size = 256K
|
||||
read_rnd_buffer_size = 256K
|
||||
net_buffer_length = 2K
|
||||
thread_stack = 240K
|
||||
|
||||
server-id = 1
|
||||
binlog_format=ROW
|
||||
|
||||
innodb_buffer_pool_size = 1G
|
||||
innodb_io_capacity=4000
|
||||
transaction-isolation = READ-COMMITTED
|
||||
innodb_log_file_size = 250M
|
||||
innodb_flush_log_at_trx_commit = 2
|
||||
innodb_checksum_algorithm = none
|
||||
|
||||
slow_query_log_file = /var/db/mysql-log/slow.log
|
||||
|
||||
expire_logs_days = 7
|
||||
###
|
||||
|
||||
|
||||
# Options read by `mysqld_safe`
|
||||
# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
|
||||
[mariadb_safe]
|
||||
|
||||
# Options read my `mariabackup`
|
||||
[mariabackup]
|
||||
|
||||
# Options read by `mysql_upgrade`
|
||||
# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
|
||||
[mariadb-upgrade]
|
||||
|
||||
# Specific options read by the mariabackup SST method
|
||||
[sst]
|
||||
|
||||
# Options read by `mysqlbinlog`
|
||||
# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
|
||||
[mariadb-binlog]
|
||||
|
||||
# Options read by `mysqladmin`
|
||||
# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
|
||||
[mariadb-admin]
|
||||
|
@ -36,7 +36,6 @@ xpack.security.http.ssl.certificate_authorities: certs/cacert.pem
|
||||
xpack.security.transport.ssl.key: certs/diyprivkeyr.pem
|
||||
xpack.security.transport.ssl.certificate: certs/diyfullchain.pem
|
||||
xpack.security.transport.ssl.certificate_authorities: certs/cacert.pem
|
||||
|
||||
#
|
||||
# ----------------------------------- Paths ------------------------------------
|
||||
#
|
||||
@ -76,16 +75,17 @@ network.host: _epair0b_
|
||||
#
|
||||
# --------------------------------- Discovery ----------------------------------
|
||||
#
|
||||
# Pass an initial list of hosts to perform discovery when new node is started:
|
||||
# Pass an initial list of hosts to perform discovery when this node is started:
|
||||
# The default list of hosts is ["127.0.0.1", "[::1]"]
|
||||
#
|
||||
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
|
||||
#discovery.seed_hosts: ["host1", "host2"]
|
||||
#
|
||||
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
|
||||
# Bootstrap the cluster using an initial set of master-eligible nodes:
|
||||
#
|
||||
#discovery.zen.minimum_master_nodes:
|
||||
cluster.initial_master_nodes: ["node-1"]
|
||||
#cluster.initial_master_nodes: ["node-1", "node-2"]
|
||||
#
|
||||
# For more information, consult the zen discovery module documentation.
|
||||
# For more information, consult the discovery and cluster formation module documentation.
|
||||
#
|
||||
# ---------------------------------- Gateway -----------------------------------
|
||||
#
|
2
jails/config/elk/fstab
Normal file
2
jails/config/elk/fstab
Normal file
@ -0,0 +1,2 @@
|
||||
fdesc /dev/fd fdescfs rw,auto 0 0
|
||||
proc /proc procfs rw,auto 0 0
|
@ -24,8 +24,7 @@ heartbeat.monitors:
|
||||
- type: http
|
||||
|
||||
# List or urls to query
|
||||
#urls: ["http://localhost:9200"]
|
||||
urls: ["https://google.com","https://aws.amazon.com"]
|
||||
urls: ["https://cloud.google.com","https://azure.microsoft.com","https://aws.amazon.com"]
|
||||
|
||||
# Configure task schedule
|
||||
schedule: '@every 10s'
|
||||
@ -56,46 +55,6 @@ setup.template.settings:
|
||||
# env: staging
|
||||
|
||||
|
||||
#================================= Paths ======================================
|
||||
|
||||
# The home path for the filebeat installation. This is the default base path
|
||||
# for all other path settings and for miscellaneous files that come with the
|
||||
# distribution (for example, the sample dashboards).
|
||||
# If not set by a CLI flag or in the configuration file, the default for the
|
||||
# home path is the location of the binary.
|
||||
#path.home:
|
||||
|
||||
# The configuration path for the filebeat installation. This is the default
|
||||
# base path for configuration files, including the main YAML configuration file
|
||||
# and the Elasticsearch template file. If not set by a CLI flag or in the
|
||||
# configuration file, the default for the configuration path is the home path.
|
||||
#path.config: ${path.home}
|
||||
|
||||
# The data path for the filebeat installation. This is the default base path
|
||||
# for all the files in which filebeat needs to store its data. If not set by a
|
||||
# CLI flag or in the configuration file, the default for the data path is a data
|
||||
# subdirectory inside the home path.
|
||||
#path.data: ${path.home}/data
|
||||
|
||||
# The logs path for a filebeat installation. This is the default location for
|
||||
# the Beat's log files. If not set by a CLI flag or in the configuration file,
|
||||
# the default for the logs path is a logs subdirectory inside the home path.
|
||||
#path.logs: ${path.home}/logs
|
||||
|
||||
|
||||
#============================== Dashboards =====================================
|
||||
# These settings control loading the sample dashboards to the Kibana index. Loading
|
||||
# the dashboards is disabled by default and can be enabled either by setting the
|
||||
# options here, or by using the `-setup` CLI flag or the `setup` command.
|
||||
#setup.dashboards.enabled: false
|
||||
#setup.dashboards.enabled: true
|
||||
|
||||
# The URL from where to download the dashboards archive. By default this URL
|
||||
# has a value which is computed based on the Beat name and version. For released
|
||||
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
|
||||
# website.
|
||||
#setup.dashboards.url:
|
||||
|
||||
#============================== Kibana =====================================
|
||||
|
||||
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
|
||||
@ -106,9 +65,7 @@ setup.kibana:
|
||||
# Scheme and port can be left out and will be set to the default (http and 5601)
|
||||
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
|
||||
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
|
||||
#host: "localhost:5601"
|
||||
#host: "https://kibanax.diyit.org:443"
|
||||
host: "http://kibanax.diyit.org:5601"
|
||||
host: "http://elk.diyit.org:5601"
|
||||
|
||||
# Kibana Space ID
|
||||
# ID of the Kibana Space into which the dashboards should be loaded. By default,
|
||||
@ -117,7 +74,7 @@ setup.kibana:
|
||||
|
||||
#============================= Elastic Cloud ==================================
|
||||
|
||||
# These settings simplify using heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
|
||||
# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/).
|
||||
|
||||
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
|
||||
# `setup.kibana.host` options.
|
||||
@ -137,36 +94,40 @@ setup.kibana:
|
||||
# Array of hosts to connect to.
|
||||
#hosts: ["localhost:9200"]
|
||||
|
||||
# Enabled ilm (beta) to use index lifecycle management instead daily indices.
|
||||
#ilm.enabled: false
|
||||
|
||||
# Optional protocol and basic auth credentials.
|
||||
# Protocol - either `http` (default) or `https`.
|
||||
#protocol: "https"
|
||||
|
||||
# Authentication credentials - either API key or username/password.
|
||||
#api_key: "id:api_key"
|
||||
#username: "elastic"
|
||||
#password: "changeme"
|
||||
|
||||
#----------------------------- Logstash output --------------------------------
|
||||
output.logstash:
|
||||
# The Logstash hosts
|
||||
hosts: ["kibanax.diyit.org:5044"]
|
||||
hosts: ["elk.diyit.org:5044"]
|
||||
|
||||
# Optional SSL. By default is off.
|
||||
# List of root certificates for HTTPS server verifications
|
||||
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
|
||||
#ssl.certificate_authorities: ["/mnt/certs/cacert.pem"]
|
||||
|
||||
# Certificate for SSL client authentication
|
||||
#ssl.certificate: "/etc/pki/client/cert.pem"
|
||||
#ssl.certificate: "/mnt/certs/diyfullchain.pem"
|
||||
|
||||
# Client Certificate Key
|
||||
#ssl.key: "/etc/pki/client/cert.key"
|
||||
#ssl.key: "/mnt/certs/diyprivkeyr.pem"
|
||||
|
||||
#================================ Processors =====================================
|
||||
|
||||
# Configure processors to enhance or manipulate events generated by the beat.
|
||||
|
||||
processors:
|
||||
- add_host_metadata: ~
|
||||
- add_cloud_metadata: ~
|
||||
- add_observer_metadata:
|
||||
# Optional, but recommended geo settings for the location Heartbeat is running in
|
||||
#geo:
|
||||
# Token describing this location
|
||||
#name: us-east-1a
|
||||
|
||||
# Lat, Lon "
|
||||
#location: "37.926868, -78.024902"
|
||||
|
||||
#================================ Logging =====================================
|
||||
|
||||
@ -178,20 +139,30 @@ processors:
|
||||
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
|
||||
# "publish", "service".
|
||||
#logging.selectors: ["*"]
|
||||
logging.to_syslog: true
|
||||
logging.to_files: false
|
||||
|
||||
#============================== Xpack Monitoring ===============================
|
||||
#============================== X-Pack Monitoring ===============================
|
||||
# heartbeat can export internal metrics to a central Elasticsearch monitoring
|
||||
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
|
||||
# reporting is disabled by default.
|
||||
|
||||
# Set to true to enable the monitoring reporter.
|
||||
#xpack.monitoring.enabled: false
|
||||
#monitoring.enabled: false
|
||||
|
||||
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
|
||||
# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
|
||||
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
|
||||
#monitoring.cluster_uuid:
|
||||
|
||||
# Uncomment to send the metrics to Elasticsearch. Most settings from the
|
||||
# Elasticsearch output are accepted here as well. Any setting that is not set is
|
||||
# automatically inherited from the Elasticsearch output configuration, so if you
|
||||
# have the Elasticsearch output configured, you can simply uncomment the
|
||||
# following line.
|
||||
#xpack.monitoring.elasticsearch:
|
||||
# Elasticsearch output are accepted here as well.
|
||||
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
|
||||
# Any setting that is not set is automatically inherited from the Elasticsearch
|
||||
# output configuration, so if you have the Elasticsearch output configured such
|
||||
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
|
||||
# uncomment the following line.
|
||||
#monitoring.elasticsearch:
|
||||
|
||||
#================================= Migration ==================================
|
||||
|
||||
# This allows to enable 6.7 migration aliases
|
||||
#migration.6_to_7.enabled: true
|
77
jails/config/elk/jvm.options
Executable file
77
jails/config/elk/jvm.options
Executable file
@ -0,0 +1,77 @@
|
||||
## JVM configuration
|
||||
|
||||
################################################################
|
||||
## IMPORTANT: JVM heap size
|
||||
################################################################
|
||||
##
|
||||
## You should always set the min and max JVM heap
|
||||
## size to the same value. For example, to set
|
||||
## the heap to 4 GB, set:
|
||||
##
|
||||
## -Xms4g
|
||||
## -Xmx4g
|
||||
##
|
||||
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
|
||||
## for more information
|
||||
##
|
||||
################################################################
|
||||
|
||||
# Xms represents the initial size of total heap space
|
||||
# Xmx represents the maximum size of total heap space
|
||||
|
||||
-Xms4g
|
||||
-Xmx4g
|
||||
|
||||
################################################################
|
||||
## Expert settings
|
||||
################################################################
|
||||
##
|
||||
## All settings below this section are considered
|
||||
## expert settings. Don't tamper with them unless
|
||||
## you understand what you are doing
|
||||
##
|
||||
################################################################
|
||||
|
||||
## GC configuration
|
||||
8-13:-XX:+UseConcMarkSweepGC
|
||||
8-13:-XX:CMSInitiatingOccupancyFraction=75
|
||||
8-13:-XX:+UseCMSInitiatingOccupancyOnly
|
||||
|
||||
## G1GC Configuration
|
||||
# NOTE: G1 GC is only supported on JDK version 10 or later
|
||||
# to use G1GC, uncomment the next two lines and update the version on the
|
||||
# following three lines to your version of the JDK
|
||||
# 10-13:-XX:-UseConcMarkSweepGC
|
||||
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
|
||||
14-:-XX:+UseG1GC
|
||||
14-:-XX:G1ReservePercent=25
|
||||
14-:-XX:InitiatingHeapOccupancyPercent=30
|
||||
|
||||
## JVM temporary directory
|
||||
-Djava.io.tmpdir=${ES_TMPDIR}
|
||||
|
||||
## heap dumps
|
||||
|
||||
# generate a heap dump when an allocation from the Java heap fails
|
||||
# heap dumps are created in the working directory of the JVM
|
||||
-XX:+HeapDumpOnOutOfMemoryError
|
||||
|
||||
# specify an alternative path for heap dumps; ensure the directory exists and
|
||||
# has sufficient space
|
||||
-XX:HeapDumpPath=data
|
||||
|
||||
# specify an alternative path for JVM fatal error logs
|
||||
-XX:ErrorFile=logs/hs_err_pid%p.log
|
||||
|
||||
## JDK 8 GC logging
|
||||
8:-XX:+PrintGCDetails
|
||||
8:-XX:+PrintGCDateStamps
|
||||
8:-XX:+PrintTenuringDistribution
|
||||
8:-XX:+PrintGCApplicationStoppedTime
|
||||
8:-Xloggc:${ES_TMPDIR}/gc.log
|
||||
8:-XX:+UseGCLogFileRotation
|
||||
8:-XX:NumberOfGCLogFiles=32
|
||||
8:-XX:GCLogFileSize=64m
|
||||
|
||||
# JDK 9+ GC logging
|
||||
9-:-Xlog:gc*,gc+age=trace,safepoint:file=${ES_TMPDIR}/gc.log:utctime,pid,tags:filecount=32,filesize=64m
|
@ -25,7 +25,7 @@ server.host: "::"
|
||||
server.name: "kibana.diyit.org"
|
||||
|
||||
# The URLs of the Elasticsearch instances to use for all your queries.
|
||||
elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
|
||||
elasticsearch.hosts: ["https://elk.diyit.org:9200"]
|
||||
|
||||
# When this setting's value is true Kibana uses the hostname specified in the server.host
|
||||
# setting. When the value of this setting is false, Kibana uses the hostname of the host
|
||||
@ -53,7 +53,8 @@ server.ssl.certificate: /mnt/certs/diyfullchain.pem
|
||||
server.ssl.key: /mnt/certs/diyprivkeyr.pem
|
||||
|
||||
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
|
||||
# These files validate that your Elasticsearch backend uses the same key files.
|
||||
# These files are used to verify the identity of Kibana to Elasticsearch and are required when
|
||||
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
|
||||
#elasticsearch.ssl.certificate: /path/to/your/client.crt
|
||||
#elasticsearch.ssl.key: /path/to/your/client.key
|
||||
|
||||
@ -110,4 +111,5 @@ elasticsearch.ssl.verificationMode: full
|
||||
#ops.interval: 5000
|
||||
|
||||
# Specifies locale to be used for all localizable strings, dates and number formats.
|
||||
# Supported languages are the following: English - en , by default , Chinese - zh-CN .
|
||||
#i18n.locale: "en"
|
@ -1,4 +1,4 @@
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
@ -10,6 +10,7 @@ input {
|
||||
beats {
|
||||
port => 5044
|
||||
ssl => false
|
||||
#https://discuss.elastic.co/t/problem-with-cipher-in-beat-input/67841
|
||||
ssl_key => '/mnt/certs/diyprivkeyr.pem'
|
||||
ssl_certificate => '/mnt/certs/diyfullchain.pem'
|
||||
ssl_certificate_authorities => ["/mnt/certs/cacert.pem"]
|
||||
@ -22,7 +23,7 @@ output {
|
||||
ssl => true
|
||||
ssl_certificate_verification => true
|
||||
cacert => '/mnt/certs/cacert.pem'
|
||||
hosts => ["https://kibanax.diyit.org:9200"]
|
||||
hosts => ["https://elk.diyit.org:9200"]
|
||||
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
|
||||
user => "elastic"
|
||||
password => "${es_pwd}"
|
@ -16,7 +16,6 @@
|
||||
#
|
||||
# Use a descriptive name for the node:
|
||||
#
|
||||
# node.name: test
|
||||
node.name: logstash
|
||||
#
|
||||
# If omitted the node name will default to the machine's host name
|
||||
@ -26,7 +25,6 @@ node.name: logstash
|
||||
# Which directory should be used by logstash and its plugins
|
||||
# for any persistent needs. Defaults to LOGSTASH_HOME/data
|
||||
#
|
||||
# path.data:
|
||||
path.data: /var/db/logstash
|
||||
#
|
||||
# ------------ Pipeline Settings --------------
|
||||
@ -40,7 +38,7 @@ path.data: /var/db/logstash
|
||||
#
|
||||
# This defaults to the number of the host's CPU cores.
|
||||
#
|
||||
pipeline.workers: 8
|
||||
pipeline.workers: 4
|
||||
#
|
||||
# How many events to retrieve from inputs before sending to filters+workers
|
||||
#
|
||||
@ -207,7 +205,6 @@ path.config: /usr/local/etc/logstash/logstash.conf
|
||||
# * trace
|
||||
#
|
||||
# log.level: info
|
||||
#log.level: debug
|
||||
# path.logs:
|
||||
#
|
||||
# ------------ Other Settings --------------
|
||||
@ -215,17 +212,24 @@ path.config: /usr/local/etc/logstash/logstash.conf
|
||||
# Where to find custom plugins
|
||||
# path.plugins: []
|
||||
#
|
||||
# Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
|
||||
# Default is false
|
||||
# pipeline.separate_logs: false
|
||||
#
|
||||
# ------------ X-Pack Settings (not applicable for OSS build)--------------
|
||||
#
|
||||
# X-Pack Monitoring
|
||||
# https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
|
||||
xpack.monitoring.enabled: true
|
||||
xpack.monitoring.enabled: false
|
||||
xpack.monitoring.elasticsearch.username: logstash_system
|
||||
xpack.monitoring.elasticsearch.password: a746MPWa1AVieOJlDtM2
|
||||
xpack.monitoring.elasticsearch.hosts: ["https://kibanax.diyit.org:9200"]
|
||||
xpack.monitoring.elasticsearch.hosts: ["https://elk.diyit.org:9200"]
|
||||
#xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
|
||||
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.pem"
|
||||
#xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file
|
||||
# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
|
||||
#xpack.monitoring.elasticsearch.cloud_id: monitoring_cluster_id:xxxxxxxxxx
|
||||
#xpack.monitoring.elasticsearch.cloud_auth: logstash_system:password
|
||||
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/mnt/certs/cacert.crt"
|
||||
#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
|
||||
#xpack.monitoring.elasticsearch.ssl.truststore.password: password
|
||||
#xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
|
||||
#xpack.monitoring.elasticsearch.ssl.keystore.password: password
|
||||
@ -241,6 +245,9 @@ xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
|
||||
#xpack.management.elasticsearch.username: logstash_admin_user
|
||||
#xpack.management.elasticsearch.password: password
|
||||
#xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
|
||||
# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
|
||||
#xpack.management.elasticsearch.cloud_id: management_cluster_id:xxxxxxxxxx
|
||||
#xpack.management.elasticsearch.cloud_auth: logstash_admin_user:password
|
||||
#xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
|
||||
#xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
|
||||
#xpack.management.elasticsearch.ssl.truststore.password: password
|
130
jails/config/elk/rc.d/elasticsearch
Executable file
130
jails/config/elk/rc.d/elasticsearch
Executable file
@ -0,0 +1,130 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# $FreeBSD: head/textproc/elasticsearch7/files/elasticsearch.in 538703 2020-06-13 22:41:04Z glewis $
|
||||
#
|
||||
# PROVIDE: elasticsearch
|
||||
# REQUIRE: NETWORKING SERVERS
|
||||
# BEFORE: DAEMON
|
||||
# KEYWORD: shutdown
|
||||
#
|
||||
# Add the following line to /etc/rc.conf to enable elasticsearch:
|
||||
#
|
||||
# elasticsearch_enable="YES"
|
||||
#
|
||||
# elasticsearch_user (username): Set to elasticsearch by default.
|
||||
# Set it to required username.
|
||||
# elasticsearch_group (group): Set to elasticsearch by default.
|
||||
# Set it to required group.
|
||||
# elasticsearch_config (path): Set to /usr/local/etc/elasticsearch/elasticsearch.yml by default.
|
||||
# Set it to the config file location.
|
||||
# elasticsearch_java_home (path): Set to /usr/local/openjdk8 by default.
|
||||
# Set it to the root of the JDK to use.
|
||||
#
|
||||
. /etc/rc.subr
|
||||
|
||||
name=elasticsearch
|
||||
rcvar=elasticsearch_enable
|
||||
|
||||
load_rc_config ${name}
|
||||
|
||||
: ${elasticsearch_enable:=NO}
|
||||
: ${elasticsearch_user=elasticsearch}
|
||||
: ${elasticsearch_group=elasticsearch}
|
||||
: ${elasticsearch_config=/usr/local/etc/elasticsearch}
|
||||
: ${elasticsearch_login_class=root}
|
||||
: ${elasticsearch_java_home="/usr/local/openjdk11"}
|
||||
|
||||
required_files="${elasticsearch_config}/elasticsearch.yml"
|
||||
_pidprefix=/var/run/elasticsearch/elasticsearch
|
||||
pidfile=${_pidprefix}.pid
|
||||
procname=${elasticsearch_java_home}/bin/java
|
||||
|
||||
extra_commands="console status"
|
||||
console_cmd=elasticsearch_console
|
||||
start_precmd=elasticsearch_precmd
|
||||
command=/usr/local/lib/elasticsearch/bin/elasticsearch
|
||||
command_args="-d --pidfile=${pidfile}"
|
||||
|
||||
export ES_PATH_CONF=${elasticsearch_config}
|
||||
export JAVA_HOME=${elasticsearch_java_home}
|
||||
|
||||
elasticsearch_precmd()
|
||||
{
|
||||
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 ${pidfile%/*}
|
||||
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/db/elasticsearch
|
||||
/usr/bin/install -d -o ${elasticsearch_user} -g ${elasticsearch_group} -m 755 /var/log/elasticsearch
|
||||
}
|
||||
|
||||
elasticsearch_console()
|
||||
{
|
||||
command_args=""
|
||||
run_rc_command "start"
|
||||
}
|
||||
|
||||
if [ -n "$2" ]; then
|
||||
profile="$2"
|
||||
if [ "x${elasticsearch_profiles}" != "x" ]; then
|
||||
eval elasticsearch_config="\${elasticsearch_${profile}_config:-}"
|
||||
if [ "x${elasticsearch_config}" = "x" ]; then
|
||||
echo "You must define a configuration (elasticsearch_${profile}_config)"
|
||||
exit 1
|
||||
fi
|
||||
export ES_PATH_CONF=${elasticsearch_config}
|
||||
required_files="${elasticsearch_config}/elasticsearch.yml"
|
||||
required_files="${elasticsearch_config}/jvm.options"
|
||||
eval elasticsearch_enable="\${elasticsearch_${profile}_enable:-${elasticsearch_enable}}"
|
||||
pidfile="${_pidprefix}.${profile}.pid"
|
||||
command_args="-d --pidfile=${pidfile}"
|
||||
echo "===> elasticsearch profile: ${profile}"
|
||||
else
|
||||
echo "$0: extra argument ignored"
|
||||
fi
|
||||
else
|
||||
if [ "x${elasticsearch_profiles}" != "x" -a "x$1" != "x" ]; then
|
||||
for profile in ${elasticsearch_profiles}; do
|
||||
eval _enable="\${elasticsearch_${profile}_enable}"
|
||||
case "x${_enable:-${elasticsearch_enable}}" in
|
||||
x|x[Nn][Oo]|x[Nn][Oo][Nn][Ee])
|
||||
continue
|
||||
;;
|
||||
x[Yy][Ee][Ss])
|
||||
;;
|
||||
*)
|
||||
if test -z "$_enable"; then
|
||||
_var=elasticsearch_enable
|
||||
else
|
||||
_var=elasticsearch_"${profile}"_enable
|
||||
fi
|
||||
echo "Bad value" \
|
||||
"'${_enable:-${elasticsearch_enable}}'" \
|
||||
"for ${_var}. " \
|
||||
"Profile ${profile} skipped."
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
/usr/local/etc/rc.d/elasticsearch $1 ${profile}
|
||||
retcode="$?"
|
||||
if [ "0${retcode}" -ne 0 ]; then
|
||||
failed="${profile} (${retcode}) ${failed:-}"
|
||||
else
|
||||
success="${profile} ${success:-}"
|
||||
fi
|
||||
done
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "x${elasticsearch_mem_min}" != "x" ]; then
|
||||
echo "The elasticsearch_mem_min variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
|
||||
exit 1;
|
||||
fi
|
||||
if [ "x${elasticsearch_mem_max}" != "x" ]; then
|
||||
echo "The elasticsearch_mem_max variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
|
||||
exit 1;
|
||||
fi
|
||||
if [ "x${elasticsearch_props}" != "x" ]; then
|
||||
echo "The elasticsearch_props variable is no longer supported please set this in ${elasticsearch_config}/jvm.options"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
run_rc_command "$1"
|
121
jails/config/elk/rc.d/logstash
Executable file
121
jails/config/elk/rc.d/logstash
Executable file
@ -0,0 +1,121 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Configuration settings for logstash in /etc/rc.conf:
|
||||
#
|
||||
# PROVIDE: logstash
|
||||
# REQUIRE: DAEMON
|
||||
# BEFORE: LOGIN
|
||||
# KEYWORD: shutdown
|
||||
#
|
||||
# logstash_enable (bool):
|
||||
# Default value: "NO"
|
||||
# Flag that determines whether Logstash is enabled.
|
||||
#
|
||||
# logstash_home (string):
|
||||
# Default value: "/usr/local/logstash"
|
||||
# Logstash installation directory.
|
||||
#
|
||||
# logstash_config (string):
|
||||
# Default value: /usr/local/etc/${name}
|
||||
# Logstash configuration path.
|
||||
#
|
||||
# logstash_log (bool):
|
||||
# Set to "NO" by default.
|
||||
# Set it to "YES" to enable logstash logging to file
|
||||
# Default output to /var/log/logstash.log
|
||||
#
|
||||
# logstash_log_file (string):
|
||||
# Default value: "${logdir}/${name}.log"
|
||||
# Log file path.
|
||||
#
|
||||
# logstash_java_home (string):
|
||||
# Default value: "/usr/local/openjdk8"
|
||||
# Root directory of the desired Java SDK.
|
||||
# The JAVA_HOME environment variable is set with the contents of this
|
||||
# variable.
|
||||
#
|
||||
# logstash_java_opts (string):
|
||||
# Default value: ""
|
||||
# Options to pass to the Java Virtual Machine.
|
||||
# The JAVA_OPTS environment variable is set with the contents of this
|
||||
# variable.
|
||||
#
|
||||
# logstash_opts (string):
|
||||
# Default value: ""
|
||||
# Additional command line flags for logstash, eg. "-r"
|
||||
#
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
name=logstash
|
||||
rcvar=logstash_enable
|
||||
|
||||
load_rc_config ${name}
|
||||
|
||||
logdir="/var/log"
|
||||
|
||||
: ${logstash_enable="NO"}
|
||||
: ${logstash_user="logstash"}
|
||||
: ${logstash_group="logstash"}
|
||||
: ${logstash_home="/usr/local/logstash"}
|
||||
: ${logstash_config="/usr/local/etc/logstash"}
|
||||
: ${logstash_log="YES"}
|
||||
: ${logstash_log_dir="${logdir}/${name}"}
|
||||
: ${logstash_java_home="/usr/local/openjdk11"}
|
||||
: ${logstash_java_opts=""}
|
||||
: ${logstash_opts=""}
|
||||
|
||||
pidfile=/var/run/${name}/${name}.pid
|
||||
|
||||
extra_commands="configtest reload"
|
||||
start_precmd="logstash_precmd"
|
||||
configtest_cmd=configtest
|
||||
|
||||
logstash_cmd="${logstash_home}/bin/logstash"
|
||||
procname="${logstash_java_home}/bin/java"
|
||||
|
||||
logstash_chdir=${logstash_home}
|
||||
logstash_log_options=""
|
||||
|
||||
if checkyesno logstash_log; then
|
||||
logstash_log_options=" -l ${logstash_log_dir}"
|
||||
fi
|
||||
|
||||
logstash_args="--path.settings ${logstash_config} ${logstash_log_options} ${logstash_opts}"
|
||||
|
||||
JAVA_OPTS="${logstash_java_opts}"
|
||||
JAVA_HOME="${logstash_java_home}"
|
||||
export JAVA_OPTS
|
||||
export JAVA_HOME
|
||||
|
||||
command="/usr/sbin/daemon"
|
||||
command_args="-f -p ${pidfile} ${logstash_cmd} ${logstash_args}"
|
||||
required_files="${logstash_home} ${logstash_java_home} ${logstash_cmd} ${logstash_config}"
|
||||
|
||||
# Include /usr/local/bin in path because Logstash startup scripts
|
||||
# assume bash is in path.
|
||||
PATH=/usr/local/bin:$PATH
|
||||
|
||||
logstash_precmd()
|
||||
{
|
||||
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${pidfile%/*}
|
||||
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 ${logstash_log_dir}
|
||||
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/db/logstash
|
||||
/usr/bin/install -d -o ${logstash_user} -g ${logstash_group} -m 755 /var/run/logstash
|
||||
|
||||
if [ -d ${logstash_home}/data/queue ]; then
|
||||
chown ${logstash_user}:${logstash_group} ${logstash_home}/data/queue
|
||||
fi
|
||||
}
|
||||
|
||||
configtest()
|
||||
{
|
||||
echo "${name} configtest:"
|
||||
echo "WARNING: this does not check validity of Grok patterns!"
|
||||
echo "WARNING: this does not check validity of Grok patterns!"
|
||||
echo "WARNING: this does not check validity of Grok patterns!"
|
||||
${logstash_cmd} --path.settings ${logstash_config} --config.test_and_exit
|
||||
}
|
||||
|
||||
|
||||
run_rc_command "$1"
|
7
jails/config/elk/start_logstash.sh
Executable file
7
jails/config/elk/start_logstash.sh
Executable file
@ -0,0 +1,7 @@
|
||||
ps axww | grep logstash
|
||||
echo press any key to continue - ctrl-c to abort
|
||||
read X
|
||||
mount proc
|
||||
service logstash start
|
||||
#/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
|
||||
ps axww | grep logstash
|
3
jails/config/elk/updateCerts.sh
Executable file
3
jails/config/elk/updateCerts.sh
Executable file
@ -0,0 +1,3 @@
|
||||
cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs
|
||||
cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs
|
||||
service elasticsearch restart
|
@ -1,6 +1,6 @@
|
||||
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
||||
Copyright (c) 2018-2020, diyIT.org
|
||||
Copyright (c) 2018-2021, diyIT.org
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
@ -1,6 +1,6 @@
|
||||
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
||||
Copyright (c) 2018-2020, diyIT.org
|
||||
Copyright (c) 2018-2021, diyIT.org
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
12
jails/config/hass/.tmux.conf
Normal file
12
jails/config/hass/.tmux.conf
Normal file
@ -0,0 +1,12 @@
|
||||
unbind C-b
|
||||
set -g prefix C-a
|
||||
bind C-a send-prefix
|
||||
|
||||
setw -g mouse on
|
||||
|
||||
# Set the default terminal mode to 256color mode
|
||||
set -g default-terminal "xterm-256color"
|
||||
|
||||
# enable activity alerts
|
||||
setw -g monitor-activity on
|
||||
set -g visual-activity on
|
15
jails/config/hass/hass.sh
Executable file
15
jails/config/hass/hass.sh
Executable file
@ -0,0 +1,15 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
# https://diyit.org/license/
|
||||
#
|
||||
#
|
||||
|
||||
# ./hass.sh under tmux
|
||||
|
||||
cd /data/homeassistant/
|
||||
source bin/activate
|
||||
hass
|
15
jails/config/hass/heyu.sh
Executable file
15
jails/config/hass/heyu.sh
Executable file
@ -0,0 +1,15 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
# https://diyit.org/license/
|
||||
#
|
||||
#
|
||||
|
||||
# ./hass.sh under tmux
|
||||
|
||||
heyu start
|
||||
heyu info
|
||||
heyu monitor
|
4
jails/config/hass/setup_jail.sh
Executable file
4
jails/config/hass/setup_jail.sh
Executable file
@ -0,0 +1,4 @@
|
||||
# requrired to run other configured scripts
|
||||
/bin/sh /etc/rc
|
||||
# launch tmux with jails
|
||||
/mnt/config/startsessions.sh
|
31
jails/config/hass/startsessions.sh
Executable file
31
jails/config/hass/startsessions.sh
Executable file
@ -0,0 +1,31 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
# https://diyit.org/license/
|
||||
#
|
||||
#
|
||||
|
||||
session="sess_tmux"
|
||||
|
||||
# set up tmux
|
||||
tmux start-server
|
||||
|
||||
# create a new tmux session, naming the window freepbx
|
||||
tmux new-session -d -s $session -n hass
|
||||
tmux selectp -t 1
|
||||
tmux send-keys "cd /mnt/config;./hass.sh" C-m
|
||||
|
||||
# create a new window windows
|
||||
tmux new-window -t $session:1 -n heyu
|
||||
tmux selectp -t 1
|
||||
tmux send-keys "cd /mnt/config;./heyu.sh" C-m
|
||||
|
||||
# return to main window
|
||||
tmux select-window -t $session:0
|
||||
tmux selectp -t 1
|
||||
|
||||
# Finished setup, attach to the tmux session!
|
||||
#tmux attach-session -t $session
|
264
jails/config/hass/x10.conf
Normal file
264
jails/config/hass/x10.conf
Normal file
@ -0,0 +1,264 @@
|
||||
# Example Heyu configuration file. Copy this to file 'x10config' in
|
||||
# directory $HOME/.heyu/ and modify as required. This example uses
|
||||
# features which are new to heyu version 2
|
||||
# and which will not be recognized by heyu version 1.xx.
|
||||
|
||||
# Note: This example file describes only a few of the most commom
|
||||
# configuration directives. For the complete list see man page
|
||||
# x10config(5).
|
||||
|
||||
# Anything on a line between a '#' character and the end of the line is
|
||||
# treated as a comment and ignored by Heyu, as are blank lines.
|
||||
# The various configuration directives in this file can be in any order
|
||||
# except that ALIAS directives must appear before any other directive
|
||||
# which references the alias label in place of a housecode|unit address.
|
||||
# See 'man x10config' for additional information and directives.
|
||||
|
||||
# Serial port to which the CM11a is connected. Default is /dev/ttyS0.
|
||||
|
||||
tty /dev/ttyU1
|
||||
check_ri_line NO
|
||||
|
||||
# If you have an X10 compatible RF receiver connected to a second
|
||||
# serial port, use the TTY_AUX directive to specify the serial port
|
||||
# and model of receiver. Supported receivers are W800RF32, MR26A,
|
||||
# and RFXCOM. There are no defaults.
|
||||
|
||||
tty_aux /dev/ttyU0 MR26A
|
||||
|
||||
# The CM19A is both a receiver and transmitter for X10 RF signals.
|
||||
# The MR26A is a receiver only.
|
||||
# The CM19A is USB and the MR26A is serial port
|
||||
|
||||
# Base housecode. The default is A.
|
||||
|
||||
#housecode A
|
||||
|
||||
# Aliases:
|
||||
# Format: ALIAS Label Housecode|Unitcode_string [Module_Type]
|
||||
|
||||
# The label is limited to 32 characters in length and is case-sensitive,
|
||||
# e.g., Front_Porch and front_porch are treated as different labels.
|
||||
# Each alias may reference a single unitcode or a multiple unitcode
|
||||
# string (no embedded blanks), but is limited to one housecode.
|
||||
|
||||
# The optional Module_Type is the general type or specific model number
|
||||
# of a module currently supported by Heyu. (Knowing the characteristics
|
||||
# of a module allows Heyu to track changes in its On/Off/Dim state
|
||||
# as X10 signals are sent or received.) The most commonly used modules
|
||||
# are the standard X10 lamp module (StdLM) and standard X10 appliance
|
||||
# module (StdAM). Other modules currently supported by Heyu are listed
|
||||
# in x10config(5). A standard X10 lamp module (StdLM) is the
|
||||
# default (changeable with the DEFAULT_MODULE directive)
|
||||
# for housecode|units which are not defined in an alias directive.
|
||||
# A module_type should normally not be defined for mutiple-unit
|
||||
# aliases, just for the single-unit aliases. (The module characteristics
|
||||
# are associated with the housecode|unit, however referenced.)
|
||||
|
||||
# Some examples:
|
||||
|
||||
|
||||
|
||||
|
||||
# Note: Prior versions of Heyu used a different format for
|
||||
# aliases - no ALIAS directive and the Housecode and Unitcode_string
|
||||
# were separated by a space, e.g., simply:
|
||||
# front_porch A 1
|
||||
# Heyu will continue to accept this older format for compatibility,
|
||||
# but its use is discouraged as modules cannot be specified.
|
||||
|
||||
# Scenes and Usersyns (User-defined synonyms):
|
||||
# Format: SCENE Label Command1 <args> [; Command2 <args> [; ...
|
||||
# Format: USERSYN Label Command1 <args> [; Command2 <args> [; ...
|
||||
# The label is limited to 32 characters and is case-sensitive.
|
||||
# Scenes and Usersyns are both semicolon-separated lists of
|
||||
# commands with their arguments which can be executed or used
|
||||
# in macros as if their labels were ordinary Heyu commands.
|
||||
# See 'man x10config' for the features and limitations of Scenes
|
||||
# and Usersyns.
|
||||
# (In the current version of heyu, the ONLY distinction between
|
||||
# scenes and usersyns is the 'show' menus in which they appear.)
|
||||
# Some examples:
|
||||
|
||||
SCENE blinker on D5; off D5; on D5; off D5
|
||||
#USERSYN normal_lights on front_porch; on back_porch
|
||||
#SCENE tv_on on tv_set; dimb living_room 10
|
||||
|
||||
# parameters, e.g., $1, $2, which are replaced by actual
|
||||
# parameters supplied when the scene/usersyn is run.
|
||||
|
||||
#USERSYN night_lights dimb front_porch $1; dimb back_porch $1
|
||||
|
||||
# Define the (writeable) directory where the Heyu state engine daemon
|
||||
# (started with 'heyu engine') is to write its log file 'heyu.log.<tty>'.
|
||||
# The default is 'NONE', indicating no log file is to be written.
|
||||
|
||||
log_dir /usr/local/etc/heyu/log
|
||||
|
||||
# The entries in the log file are similar to those which appear in
|
||||
# the heyu monitor, but in addition will include an entry when
|
||||
# a script is launched, and unless redirected elsewhere, any
|
||||
# text output from that script.
|
||||
|
||||
# Note that the log file will continue to grow. Manually delete
|
||||
# or trim it from time to time, or configure a Unix utility like
|
||||
# 'logrotate' to manage this task automatically.
|
||||
|
||||
# If the Heyu state engine is running, Heyu can launch scripts
|
||||
# (or any Unix commands) when it sees specified X10 signals.
|
||||
# The format is:
|
||||
|
||||
#SCRIPT [ -l label ] <launch conditions> :: [options] <command line>
|
||||
|
||||
# where label is an optional label, <launch conditions> tell
|
||||
# Heyu under what conditions to launch the script, and
|
||||
# <command line> is the script command to be executed.
|
||||
# The '::' (two colons) separator is mandatory since the launch
|
||||
# conditions can be quite complex.
|
||||
# See x10scripts(5) for details, but here's a simple example
|
||||
# (with no label):
|
||||
|
||||
#SCRIPT doorbell on :: play $HOME/sounds/barking_dog.wav
|
||||
|
||||
# Users have the option of running either 'heyuhelper' in a manner
|
||||
# similar to heyu 1.35 or general scripts as above with the
|
||||
# following directive. The default is SCRIPTS, to run general scripts.
|
||||
|
||||
#script_mode SCRIPTS
|
||||
|
||||
# (With the choice 'HEYUHELPER', a script named 'heyuhelper' on
|
||||
# the user's path is run every time any X10 signal is received
|
||||
# by heyu over the power line, assuming the heyu state engine
|
||||
# daemon is running.)
|
||||
|
||||
### The following directives apply when a schedule is ###
|
||||
### is uploaded to the CM11A interface. ###
|
||||
|
||||
# The file name of the user's X10 schedule file in the Heyu base
|
||||
# directory. The default is 'x10.sched'. If you regularly use
|
||||
# more than one, list them here and just comment/uncomment as
|
||||
# appropriate, e.g.,
|
||||
|
||||
#schedule_file x10.sched
|
||||
#schedule_file normal.sched
|
||||
#schedule_file vacation.sched
|
||||
|
||||
# The MODE directive - Heyu's two modes of operation:
|
||||
# In the default COMPATIBLE mode, the schedule uploaded to the
|
||||
# interface is configured to begin on Jan 1st of the current
|
||||
# year and # is valid for 366 days - through Dec 31st of the
|
||||
# current # year or Jan 1st of the following year, depending
|
||||
# whether # the current year is a leap or common year.
|
||||
# COMPATIBLE mode is the default.
|
||||
|
||||
# In HEYU mode the schedule uploaded to the interface is
|
||||
# configured to begin on today's date and is valid for
|
||||
# the number days of provided by the PROGRAM_DAYS directive.
|
||||
# WARNING: The mere execution of X10's ActiveHome(tm) program
|
||||
# under MS-Windows, or having its resident driver running, when
|
||||
# the interface has been programmed by Heyu in HEYU mode can
|
||||
# cause problems. See 'man x10config' for details.
|
||||
|
||||
#mode COMPATIBLE
|
||||
|
||||
# Number of days for which the interface is to be programmed
|
||||
# when running in HEYU mode. It is ignored in COMPATIBLE mode.
|
||||
# (A shorter period can yield more accurate values for dawn
|
||||
# and dusk.) The default is 366 days.
|
||||
|
||||
#program_days 366
|
||||
|
||||
# Should Heyu combine events having the same date range, time, etc.,
|
||||
# by concatenating the macros for similar events? The default is YES.
|
||||
|
||||
#combine_events YES
|
||||
|
||||
# Should Heyu compress uploaded macros by combining unit codes for the same
|
||||
#housecode and command and eliminating duplicates? E.g.,
|
||||
# (on A1; on B2; on A3, on B2) ==> (on A1,3; on B2)
|
||||
# The default is NO
|
||||
|
||||
#compress_macros NO
|
||||
|
||||
# The user's Longitude and Latitude, needed for dawn/dusk calculations.
|
||||
# There are no defaults. Don't use these examples - put in values
|
||||
# for your own location.
|
||||
|
||||
longitude W121:46
|
||||
latitude N37:16
|
||||
|
||||
# For dawn/dusk related times, Heyu breaks up the schedule date intervals
|
||||
# into subintervals, each with a constant value of dawn or dusk time.
|
||||
# These directives instruct Heyu what value of dawn/dusk time to use.
|
||||
# The default value is FIRST, i.e., that on the first day of the subinterval,
|
||||
# which is most convenient for comparing Heyu's computations with actual.
|
||||
|
||||
#dawn_option FIRST
|
||||
#dusk_option FIRST
|
||||
|
||||
# The following times allow bounds to be placed on the times of Dawn
|
||||
# and Dusk computed by Heyu. For example, setting the value for
|
||||
#min_dawn to 06:30 will ensure that an event scheduled to be
|
||||
# executed at Dawn will occur at 06:30 during summer hours whenever
|
||||
# the actual computed value of Dawn is earlier than that time.
|
||||
# The value for these directives are specified as hh:mm Legal
|
||||
# (i.e., wall-clock) time, or the directives may be disabled with
|
||||
# the word OFF, which is the default.
|
||||
|
||||
# Timer options DAWNLT, DAWNGT, DUSKLT, DUSKGT used in the Heyu
|
||||
# schedule file will usually eliminate the need for these directives.
|
||||
# See man page x10sched(5) for details.
|
||||
|
||||
#min_dawn OFF
|
||||
#max_dawn OFF
|
||||
#min_dusk OFF
|
||||
#max_dusk OFF
|
||||
|
||||
# Directory to write reports and files other than the critical files
|
||||
# The default is to write them in the Heyu base directory.
|
||||
|
||||
#report_path ./
|
||||
|
||||
# Replace events having delayed macros with new events and new
|
||||
# undelayed macros when possible. (The purpose is to avoid pending
|
||||
# delayed macros, which are purged when a new schedule is uploaded.)
|
||||
# The default is YES.
|
||||
|
||||
#repl_delayed_macros YES
|
||||
|
||||
# For test purposes, Heyu can write some additional files when
|
||||
# the command 'heyu upload check' is executed. This directive
|
||||
# instructs Heyu to write these files. The default is NO.
|
||||
|
||||
#write_check_files NO
|
||||
|
||||
START_ENGINE AUTO
|
||||
|
||||
alias Kitchen D1 StdLM
|
||||
alias Family_Room D2 StdLM
|
||||
alias Hallway D3 StdLM
|
||||
alias Kitchen_Table D4 StdLM
|
||||
alias Stairway D5 StdLM
|
||||
alias Study D6 StdLM
|
||||
alias Dining D7 StdLM
|
||||
alias Bonus_Room D8 StdLM
|
||||
alias Living_Room_L0 D9 StdLM
|
||||
alias Front_Door D10 StdLM
|
||||
alias Living_Room_L1 D11 StdLM
|
||||
alias Living_Room_L2 D12 StdLM
|
||||
alias Piano_Room_L1 D13 StdLM
|
||||
alias Piano_Room_L2 D14 StdLM
|
||||
alias Family_Room_L0 D15 StdLM
|
||||
alias Chime G1 StdAM
|
||||
alias Main_Garage G2 StdAM
|
||||
alias Side_Garage G3 StdAM
|
||||
alias Front_Yard G13 StdLM
|
||||
alias Back_Yard G14 StdLM
|
||||
alias Plants_front_house I1 RAIN8II
|
||||
alias Plants_front_road I2 RAIN8II
|
||||
alias Lawn_front_road I3 RAIN8II
|
||||
alias Lawn_front_garage I4 RAIN8II
|
||||
alias Lawn_back_pool I5 RAIN8II
|
||||
alias Lawn_back_house I6 RAIN8II
|
||||
alias Plants_back_garage I7 RAIN8II
|
||||
alias Plants_back_road I8 RAIN8II
|
23
jails/config/hub/ipfw.rules
Normal file
23
jails/config/hub/ipfw.rules
Normal file
@ -0,0 +1,23 @@
|
||||
#!/bin/sh
|
||||
# Flush out the list before we begin.
|
||||
ipfw -q -f flush
|
||||
|
||||
# Set rules command prefix
|
||||
cmd="ipfw -q add"
|
||||
pif="epair0b" # interface name of NIC attached to Internet
|
||||
|
||||
$cmd 00100 allow ip from any to any via lo0
|
||||
$cmd 00200 deny ip from any to 127.0.0.0/8
|
||||
$cmd 00300 deny ip from 127.0.0.0/8 to any
|
||||
$cmd 00400 deny ip from any to ::1
|
||||
$cmd 00500 deny ip from ::1 to any
|
||||
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
|
||||
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
|
||||
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
|
||||
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
|
||||
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
|
||||
$cmd 05000 reset ip from table(22) to me
|
||||
$cmd 65000 allow ip from any to any
|
||||
$cmd 65535 deny ip from any to any
|
||||
|
||||
# https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
|
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
|
||||
priority: 10
|
||||
}
|
||||
|
||||
pkgp121: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
|
||||
pkgp122: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
|
||||
mirror_type: "http",
|
||||
signature_type: "pubkey",
|
||||
pubkey: "/mnt/certs/poudriere.cert",
|
||||
|
54
jails/config/hub/sshguard.conf
Normal file
54
jails/config/hub/sshguard.conf
Normal file
@ -0,0 +1,54 @@
|
||||
#!/bin/sh
|
||||
# sshguard.conf -- SSHGuard configuration
|
||||
|
||||
# Options that are uncommented in this example are set to their default
|
||||
# values. Options without defaults are commented out.
|
||||
|
||||
#### REQUIRED CONFIGURATION ####
|
||||
# Full path to backend executable (required, no default)
|
||||
#BACKEND="/usr/local/libexec/sshg-fw-hosts"
|
||||
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
|
||||
#BACKEND="/usr/local/libexec/sshg-fw-pf"
|
||||
|
||||
# Space-separated list of log files to monitor. (optional, no default)
|
||||
#FILES="/var/log/auth.log /var/log/maillog"
|
||||
FILES="/var/log/auth.log"
|
||||
|
||||
# Shell command that provides logs on standard output. (optional, no default)
|
||||
# Example 1: ssh and sendmail from systemd journal:
|
||||
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
|
||||
# Example 2: ssh from os_log (macOS 10.12+)
|
||||
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
|
||||
|
||||
#### OPTIONS ####
|
||||
# Block attackers when their cumulative attack score exceeds THRESHOLD.
|
||||
# Most attacks have a score of 10. (optional, default 30)
|
||||
THRESHOLD=30
|
||||
|
||||
# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
|
||||
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
|
||||
BLOCK_TIME=120
|
||||
|
||||
# Remember potential attackers for up to DETECTION_TIME seconds before
|
||||
# resetting their score. (optional, default 1800)
|
||||
DETECTION_TIME=1800
|
||||
|
||||
# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
|
||||
IPV6_SUBNET=128
|
||||
|
||||
# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
|
||||
IPV4_SUBNET=32
|
||||
|
||||
#### EXTRAS ####
|
||||
# !! Warning: These features may not work correctly with sandboxing. !!
|
||||
|
||||
# Full path to PID file (optional, no default)
|
||||
#PID_FILE=/var/run/sshguard.pid
|
||||
|
||||
# Colon-separated blacklist threshold and full path to blacklist file.
|
||||
# (optional, no default)
|
||||
#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
|
||||
|
||||
# IP addresses listed in the WHITELIST_FILE are considered to be
|
||||
# friendlies and will never be blocked.
|
||||
#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
|
1
jails/config/hub/vncmods/passwd
Normal file
1
jails/config/hub/vncmods/passwd
Normal file
@ -0,0 +1 @@
|
||||
Í•it†Í®
|
44
jails/config/hub/vncmods/vncserver
Executable file
44
jails/config/hub/vncmods/vncserver
Executable file
@ -0,0 +1,44 @@
|
||||
#!/bin/sh
|
||||
|
||||
# the two lines below are not just comments but required by rcorder; service -e
|
||||
# PROVIDE: vncserver
|
||||
# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
|
||||
|
||||
. /etc/rc.subr
|
||||
|
||||
: ${vncserver_enable="NO"}
|
||||
: ${vncserver_user="p"}
|
||||
: ${vncserver_geometry="1600x900"}
|
||||
: ${vncserver_display="1"}
|
||||
: ${vncserver_securitytypes="vncauth"}
|
||||
# : ${vncserver_securitytypes="vencrypt,vncauth,tlsvnc"}
|
||||
# encryption incompatible with clients - vncconnect-realvnc and guacd
|
||||
|
||||
name=vncserver
|
||||
rcvar=vncserver_enable
|
||||
|
||||
VNCSERVER="/usr/local/bin/vncserver"
|
||||
|
||||
start_cmd="vncserver_start"
|
||||
stop_cmd="vncserver_stop"
|
||||
restart_cmd="vncserver_restart"
|
||||
|
||||
vncserver_start()
|
||||
{
|
||||
CMD="$VNCSERVER -geometry ${vncserver_geometry} -name $(hostname -s) -securitytypes ${vncserver_securitytypes} :${vncserver_display}"
|
||||
su -l ${vncserver_user} -c "${CMD}"
|
||||
}
|
||||
|
||||
vncserver_stop()
|
||||
{
|
||||
CMD="$VNCSERVER -kill :${vncserver_display}"
|
||||
su -l ${vncserver_user} -c "${CMD}"
|
||||
}
|
||||
vncserver_restart()
|
||||
{
|
||||
vncserver_stop
|
||||
vncserver_start
|
||||
}
|
||||
|
||||
load_rc_config ${name}
|
||||
run_rc_command "$1"
|
@ -1,6 +1,6 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
@ -10,9 +10,9 @@
|
||||
|
||||
# ./ibm.sh under tmux
|
||||
|
||||
ifconfig tun186 create
|
||||
ifconfig tun186 inet 172.16.0.186 172.16.0.100
|
||||
chmod 666 /dev/tun186
|
||||
ifconfig tun95 create
|
||||
ifconfig tun95 inet 172.16.0.95 172.16.0.100
|
||||
chmod 666 /dev/tun95
|
||||
|
||||
cd /data/Z110/CONF
|
||||
# hercules
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
7
jails/config/jump/enable-routing.sh
Executable file
7
jails/config/jump/enable-routing.sh
Executable file
@ -0,0 +1,7 @@
|
||||
sysctl net.inet.ip.forwarding=1
|
||||
route add 10.1.2.0/24 192.168.55.105
|
||||
# on remote -
|
||||
#sudo sysctl net.ipv4.ip_forward=1
|
||||
#ip route add 192.168.0.0/24 via 192.168.55.1
|
||||
#OR
|
||||
#ip route add 192.168.0.0/24 dev tun0
|
1
jails/config/jump/guacamole-client/add-ldap.sh
Executable file
1
jails/config/jump/guacamole-client/add-ldap.sh
Executable file
@ -0,0 +1 @@
|
||||
ldapadd -H ldaps://ldap.ahlawat.com -f $1 -D cn=admin,dc=infra -W
|
Binary file not shown.
16
jails/config/jump/guacamole-client/guacamole.properties
Normal file
16
jails/config/jump/guacamole-client/guacamole.properties
Normal file
@ -0,0 +1,16 @@
|
||||
###
|
||||
### guacamole.properties.sample
|
||||
###
|
||||
|
||||
|
||||
### The Host the Guacamole proxy daemon (guacd) is listening on.
|
||||
#
|
||||
guacd-host: localhost
|
||||
guacd-port: 4822
|
||||
guacd-ssl: false
|
||||
ldap-hostname: ldap.ahlawat.com
|
||||
ldap-port: 636
|
||||
ldap-encryption-method: ssl
|
||||
ldap-user-base-dn: ou=people,dc=infra
|
||||
ldap-username-attribute: cn
|
||||
ldap-config-base-dn: ou=hosts,dc=infra
|
20
jails/config/jump/guacamole-client/logback.xml
Normal file
20
jails/config/jump/guacamole-client/logback.xml
Normal file
@ -0,0 +1,20 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!-- Guacamole logs all messages to console by default. Servlet containers
|
||||
like Tomcat will automattically redirect these messages to a log file,
|
||||
catalina.out in the case of Tomcat. Valid levels= error, warn, info,
|
||||
debug -->
|
||||
<configuration>
|
||||
|
||||
<!-- Appender for debugging -->
|
||||
<appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
|
||||
<encoder>
|
||||
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<!-- Log at DEBUG level -->
|
||||
<root level="info">
|
||||
<appender-ref ref="GUAC-DEBUG"/>
|
||||
</root>
|
||||
|
||||
</configuration>
|
14
jails/config/jump/guacamole-client/rdp-windows.ldif
Normal file
14
jails/config/jump/guacamole-client/rdp-windows.ldif
Normal file
@ -0,0 +1,14 @@
|
||||
dn: cn=rdp-windows,ou=hosts,dc=infra
|
||||
objectClass: guacConfigGroup
|
||||
objectClass: groupOfNames
|
||||
cn: Windows rdp
|
||||
guacConfigProtocol: rdp
|
||||
guacConfigParameter: hostname=192.168.0.81
|
||||
guacConfigParameter: port=3389
|
||||
guacConfigParameter: username=v
|
||||
guacConfigParameter: password=v
|
||||
guacConfigParameter: security=nla
|
||||
guacConfigParameter: ignore-cert=true
|
||||
member: cn=sharad,ou=people,dc=infra
|
||||
member: cn=diyit,ou=people,dc=infra
|
||||
# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
|
10
jails/config/jump/guacamole-client/ssh-nas.ldif
Normal file
10
jails/config/jump/guacamole-client/ssh-nas.ldif
Normal file
@ -0,0 +1,10 @@
|
||||
dn: cn=ssh-nas,ou=hosts,dc=infra
|
||||
objectClass: guacConfigGroup
|
||||
objectClass: groupOfNames
|
||||
cn: NAS ssh
|
||||
guacConfigProtocol: ssh
|
||||
guacConfigParameter: hostname=192.168.0.10
|
||||
guacConfigParameter: port=22
|
||||
member: cn=sharad,ou=people,dc=infra
|
||||
member: cn=diyit,ou=people,dc=infra
|
||||
# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
|
74
jails/config/jump/guacamole-client/user-mapping.xml
Normal file
74
jails/config/jump/guacamole-client/user-mapping.xml
Normal file
@ -0,0 +1,74 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!-- Guacamole's default authentication module is a simple xml file.
|
||||
Each user is specified with a corresponding <authorized> tag. This
|
||||
tag contains all authorized connections for that user each denoted
|
||||
with a <connections> tag. Each <connection> tag contains a
|
||||
protocol and set of protocol-specific parameters, specified with
|
||||
the <protocol> and <param> tags respectively. For more information
|
||||
visit http://guac-dev.org/doc/gug/configuring-guacamole.html -->
|
||||
|
||||
|
||||
<user-mapping>
|
||||
|
||||
<!-- Per-user authentication and config information md5 -s "Npasswd" -->
|
||||
<authorize username="admin" password="4ee438b74bd65c9f8402e7e48fa64fb7" encoding="md5">
|
||||
<connection name="vnc-hub">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">192.168.0.50</param>
|
||||
<param name="port">5901</param>
|
||||
<param name="password">vncpass</param>
|
||||
<param name="color-depth">24</param>
|
||||
</connection>
|
||||
<connection name="rdp-windows">
|
||||
<protocol>rdp</protocol>
|
||||
<param name="hostname">192.168.0.81</param>
|
||||
<param name="port">3389</param>
|
||||
<param name="security">nla</param>
|
||||
<param name="ignore-cert">true</param>
|
||||
<param name="username">v</param>
|
||||
<param name="password">v</param>
|
||||
</connection>
|
||||
<connection name="ssh-nas">
|
||||
<protocol>ssh</protocol>
|
||||
<param name="hostname">192.168.0.10</param>
|
||||
<param name="port">22</param>
|
||||
<param name="font-name">monospace</param>
|
||||
</connection>
|
||||
<connection name="vnc-rpi3">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">192.168.200.192</param>
|
||||
<param name="port">5901</param>
|
||||
<param name="password">vncpass</param>
|
||||
<param name="color-depth">24</param>
|
||||
</connection>
|
||||
<connection name="ssh-rpi3">
|
||||
<protocol>ssh</protocol>
|
||||
<param name="hostname">192.168.200.192</param>
|
||||
<param name="port">22</param>
|
||||
<param name="font-name">monospace</param>
|
||||
</connection>
|
||||
<connection name="ssh-dev">
|
||||
<protocol>ssh</protocol>
|
||||
<param name="hostname">192.168.55.105</param>
|
||||
<param name="port">22</param>
|
||||
<param name="font-name">monospace</param>
|
||||
</connection>
|
||||
</authorize>
|
||||
|
||||
<authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
|
||||
<connection name="vnc">
|
||||
<protocol>vnc</protocol>
|
||||
<param name="hostname">192.168.200.212</param>
|
||||
<param name="port">5901</param>
|
||||
<param name="password">vncpass</param>
|
||||
<param name="color-depth">24</param>
|
||||
</connection>
|
||||
<connection name="ssh">
|
||||
<protocol>ssh</protocol>
|
||||
<param name="hostname">192.168.200.212</param>
|
||||
<param name="port">22</param>
|
||||
<param name="font-name">monospace</param>
|
||||
</connection>
|
||||
</authorize>
|
||||
|
||||
</user-mapping>
|
12
jails/config/jump/guacamole-client/vnc-hub.ldif
Normal file
12
jails/config/jump/guacamole-client/vnc-hub.ldif
Normal file
@ -0,0 +1,12 @@
|
||||
dn: cn=vnc-hub,ou=hosts,dc=infra
|
||||
objectClass: guacConfigGroup
|
||||
objectClass: groupOfNames
|
||||
cn: HUB vnc
|
||||
guacConfigProtocol: vnc
|
||||
guacConfigParameter: hostname=192.168.0.50
|
||||
guacConfigParameter: port=5901
|
||||
guacConfigParameter: password=vncpass
|
||||
guacConfigParameter: color-depth=24
|
||||
member: cn=sharad,ou=people,dc=infra
|
||||
member: cn=diyit,ou=people,dc=infra
|
||||
# seeAlso: cn=ahlawat.com,ou=groups,dc=infra
|
17
jails/config/jump/guacamole-server/guacd.conf
Normal file
17
jails/config/jump/guacamole-server/guacd.conf
Normal file
@ -0,0 +1,17 @@
|
||||
#
|
||||
# guacd.conf example
|
||||
#
|
||||
|
||||
[daemon]
|
||||
# Possible log_level variables are:
|
||||
# trace, debug, info, warning, and error
|
||||
# Default is info
|
||||
log_level = info
|
||||
|
||||
[server]
|
||||
bind_host = localhost
|
||||
bind_port = 4822
|
||||
|
||||
[ssl]
|
||||
#server_certificate = /mnt/certs/fullchain.pem
|
||||
#server_key = /mnt/certs/privkeyr.pem
|
28
jails/config/jump/schema/guacConfigGroup.ldif
Normal file
28
jails/config/jump/schema/guacConfigGroup.ldif
Normal file
@ -0,0 +1,28 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
dn: cn=guacConfigGroup,cn=schema,cn=config
|
||||
objectClass: olcSchemaConfig
|
||||
cn: guacConfigGroup
|
||||
olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
|
||||
.115.121.1.15 )
|
||||
olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
|
||||
6.115.121.1.15 )
|
||||
olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
|
||||
uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )
|
31
jails/config/jump/schema/guacConfigGroup.schema
Normal file
31
jails/config/jump/schema/guacConfigGroup.schema
Normal file
@ -0,0 +1,31 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||
|
||||
objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
|
||||
DESC 'Guacamole configuration group'
|
||||
SUP groupOfNames
|
||||
MUST guacConfigProtocol
|
||||
MAY guacConfigParameter )
|
||||
|
2
jails/config/jump/setup_jail.sh
Executable file
2
jails/config/jump/setup_jail.sh
Executable file
@ -0,0 +1,2 @@
|
||||
# requrired to run other configured scripts
|
||||
/bin/sh /etc/rc
|
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
|
||||
priority: 10
|
||||
}
|
||||
|
||||
pkgp121: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
|
||||
pkgp122: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
|
||||
mirror_type: "http",
|
||||
signature_type: "pubkey",
|
||||
pubkey: "/mnt/certs/poudriere.cert",
|
||||
|
28
jails/config/ldap/schema-addons/guacConfigGroup.ldif
Normal file
28
jails/config/ldap/schema-addons/guacConfigGroup.ldif
Normal file
@ -0,0 +1,28 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
dn: cn=guacConfigGroup,cn=schema,cn=config
|
||||
objectClass: olcSchemaConfig
|
||||
cn: guacConfigGroup
|
||||
olcAttributeTypes: {0}( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol' SYNTAX 1.3.6.1.4.1.1466
|
||||
.115.121.1.15 )
|
||||
olcAttributeTypes: {1}( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter' SYNTAX 1.3.6.1.4.1.146
|
||||
6.115.121.1.15 )
|
||||
olcObjectClasses: {0}( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup' DESC 'Guacamole config
|
||||
uration group' SUP groupOfNames MUST guacConfigProtocol MAY guacConfigParameter )
|
31
jails/config/ldap/schema-addons/guacConfigGroup.schema
Normal file
31
jails/config/ldap/schema-addons/guacConfigGroup.schema
Normal file
@ -0,0 +1,31 @@
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. See the NOTICE file
|
||||
# distributed with this work for additional information
|
||||
# regarding copyright ownership. The ASF licenses this file
|
||||
# to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.38971.1.1.1 NAME 'guacConfigProtocol'
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.38971.1.1.2 NAME 'guacConfigParameter'
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
|
||||
|
||||
objectClass ( 1.3.6.1.4.1.38971.1.2.1 NAME 'guacConfigGroup'
|
||||
DESC 'Guacamole configuration group'
|
||||
SUP groupOfNames
|
||||
MUST guacConfigProtocol
|
||||
MAY guacConfigParameter )
|
||||
|
@ -1,28 +0,0 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDECIuIzM+f5+s
|
||||
PdoTBSLGpARZkcKWboSUfLdiFsBEXkV5KLy12S6T2ja0oH5C6GfhkqpdzAsCPHKs
|
||||
SdIyJAmHj7FXnbOnP93N64E3n/wONj5cq9QAz2acKxS167DXpnSE7K+egcqI7ePL
|
||||
BBecLnKUUnSQ4JMAeUBatjnl5SsKF7pwDM1DsOYvWFpDH0BfjIlZq1JJIUnfE7pK
|
||||
b3ppdBSF0bum+/Y6TZVJdNg4fYj5k68vLeBp8PkJj60pO4B7oexLpXcz/pqkGi9a
|
||||
K5P86RzZliKMqGVAs3TmxWMskoX2Hpm1VXIg/Pht75FuaPqwkAW8FVb3Y7yvfmgU
|
||||
O7FaP423AgMBAAECggEAP7BG2LWZh7B32+8eAtPMdPsciHo1BJT1KN5HqfkvsaLu
|
||||
IA8S/nT45kF7VyKH1yS2tkoC4jk65vIBpws7XC+0BNT/3FGbVOJfc1qPiC/uRl2j
|
||||
ovJfeBw/roHKc1OPG/o3VSdKeAB8tpSlqaWeZ9oqgw8hDCSnGqJ8RqH06YEXumVO
|
||||
/59N5/kweoN1902nrsnhhY72cx/YY7TFZt+sbCs1D8rimHFX5UQUWGQgwqKeCvG2
|
||||
VmBtU+oXCBKdaR+IcJd9Oy/qkmEQZ6dDL7n/HUwOcRzuBuZoeXN9sc9z81mYEI2Q
|
||||
bYpowPOyqFArB08HjQpFndQFSyNwiVVSzaOHRUNBwQKBgQDkECi9WkyqGgVvSM6f
|
||||
fC9OTKKk5kI12j4I3aQKZSnW/eNTpaHykRhvUsr36zp58vRN4G9YDJyblgOhgr1U
|
||||
7SBwqZRLETwG0ktKDipgibWjBm+K5LfK+wWRwn/qzq494Qg2GQ/DniXqCZ6SI1s1
|
||||
wMBHS9s/VYPGaYvYrS1TD90JpwKBgQDa9R90rcyNlXTLHwYzxgjJczLKHz+0ANlR
|
||||
GORg31/VBxs94IYby+cZ/oGRjCB5syR/SaN5Z+N2w8GT0yFWN8UCJS0G4I6fGtCb
|
||||
wYWzhK2UtI4WyOH9jIdl8AYjFGRZMFJEkDPmac54jtNcqhfO/Eei9+yHq7llEnUP
|
||||
F4qKf8K9cQKBgQDEwDgVW4DGQxqrLhmrt3wsRasPLeKzCOv5xBTQLwRQiMoEkOFN
|
||||
HeYBrGCUT6gsKvCe+t+0C3VUOLA7N0pVqRkSeQoJVP3/OI9hfSUMEeHUminCnpz9
|
||||
DWB5pl2q2dGyaqAl46sY7SfyZ4gYtU3r6rU3DPdCBWlg1A+kx4pRnV7pAwKBgCOu
|
||||
fonNKOCJ0panX6NgSl5J36UAoqj62m9U1yLSRBO7LL1QsYomGGssBoFpjIFIqFH1
|
||||
9iX6wB7Cl/E3Ht+mBvzqggP05EkZXZWEW/19SaxKID2mTu260PXTv6xHznKaZU23
|
||||
Ej4iT/tlixw2u9qHUkVEkc8qNPQ7pcfn1jPrzhiBAoGBAN075cp3R9bzzfVzrFRh
|
||||
ZFWzSnWieSsOP635nj48HXKyne7gjvG1IG/HHSi3XPmRIdWTAfOYz29rWQEOaY7b
|
||||
wbNhvH7jvtq/A7/Uifh6l8cnN9TFAmN/wmKEUCloVxg1/GltXbR6UwzbJWAs40ya
|
||||
VtAxvncs1bqtPBAgfE5wwdCd
|
||||
-----END PRIVATE KEY-----
|
@ -1,28 +0,0 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYdTOGw8TvQtkr
|
||||
Z139xpQC1iXu/X+2ei7ascX6C2G8WM7NS3XphgMd0LgzEm9POoJyYP7KVjQdPK5m
|
||||
mRoZOCATmFhNPGSer96qjASHgm10GISKlUyGKRWv1mNHsLJaLwsd8ef13+qBsTvG
|
||||
pT0z2I/0OWwAuqQuZdMPuVskspF8jusycibpQ7WjqaOynPEUuRZHDLQToso02+Vd
|
||||
X3l3bU08Rz3vW7+hNjZYuzsfCTBzD91kxTGyetqg2CXyLM/dWbDFgY72zG682X0d
|
||||
CtoWoEAKdUJkPDxQeKJtqh84TsAOUvg/z3W6J7uJow9OcWsXWJcAJ/HG8gNPq4ho
|
||||
sVbc96SzAgMBAAECggEADXPTPPfjwF7uMkVdUQ1LW5XFi8HTcxrK2KqdvDmC3HrE
|
||||
d3vOGzJJ9UtodzwZENp5CvS+QQL0gDCqQhQXzCNx0uXv7vTm5/nUI9NJ4MYZWVLA
|
||||
wgAfXmMlRuVTDDyOCQ7NaRIEsYI2B9Nk/KZ+VD+MSshazvzKgVuwr1R8tp4mbpAx
|
||||
8f4xe51b5ZVqTLcnkoSR6lTmKMQruIZwQpvaGYZLjBRaBcACwYkbZksQZkx7xZdZ
|
||||
enpLcKoCc1xXg+gjlfF9HOD1e2GlYQTOgfDcQVJEIS+jjzMyiJA1BxqL8/LkafeD
|
||||
CKfx8mzd1LjyDDaAP8ruZb4Ns/6SazAPozxBSRnP2QKBgQD+uf+evckgN6+3/Bur
|
||||
egP6I4dUKw1joCo69p98388mWq+ywhIc2rquEfSoQCqjli4pG3iwBbDVxgjk08GV
|
||||
ayFaP3X3LvuqCZBktSjEJR6WUMB0kW77BigLCtbzyd2R9upp0A3CnXsmmLVL+o5n
|
||||
TD5w6cd67NPS/NGo2FyA6JQO5QKBgQDZijnfG4Yt6BdX3+WBFXNGkhdJziokmrfG
|
||||
no5p/tw+/kJfHFC017Z+EbLbcWMKL9cDzl9uMXGDy1xd8+OfolxZZEnrmt4btbmh
|
||||
wVzTPrhREwjqzwu/Y2jQwFBef+zJ+b8a1uZOFYVIWWeGCT7wirq54AslE8y0lNEF
|
||||
olBnP44TtwKBgQDyn4k50z16QXBOx4Q3fZ3CKQsigWtcZFc1GGlrEOaHesN1eeK0
|
||||
tyYu3Q1zIMM8U7SeFPuMda8sv1cDVitCPetjwaSED61IFZoCQoeU5GJQ/JODtG7I
|
||||
DOIhOm7pgHJaMJywsqoYn9WIOtYci4gOHhIvjI0jqeZNReARehwJ8P3tfQKBgEWD
|
||||
hAalNvVIat0rsJzVC+cLG+H7vT/BKOSRGhUI2bxPZ0oZNDj1jV0vrqWsz+cbbmvK
|
||||
8He32PwyaaukGaKTMUtnXq+o5zyXj1/+9/iQ3DkcCgdubeSUkZPTQFtSKYpJAiZD
|
||||
cYiWG+cImqocHj6jNhPbYfRRJWK3Ayv3uBWmG3J1AoGAGjKqKpd8+00IxElXpov9
|
||||
At2YzPZlzPQCU0+vcreGVTaO9wNdVKfc6uaeAO4D0DP9SOwEqRC9rv8FNb8DxgTB
|
||||
ryWMy8rY/CC3mhK6hnsWNRC0a1myKva2XwQ+jMKuCsznFE0N2xjizNdv2/HM2dcr
|
||||
ropb+P1w1KZyTiNbTTTC1eQ=
|
||||
-----END PRIVATE KEY-----
|
@ -1,28 +0,0 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDc2cV9/D/MWdUl
|
||||
DBfKzA3zNjFbzDJd4WP1fdRRIdell57kJwyKehYCw/HxWy4+AnWj6c2fhPXI2EQp
|
||||
K3I1QjNSxV4kq+Lr2SFJuDiZvDRLzihu24N6go34R9712mbZOWWl0KyihO6E2cH8
|
||||
h6cr2iahXmAjqVtm9/mBmdnrQ2Bv0fusdpS24x3NOPs4Q5gJTadJFGBkwXb88D/+
|
||||
mBDcEUFwDul4bVQWvqHk+8EJwApGLo7YVL2F0A25FAm43rWexjb+JeTsHRqN/TaV
|
||||
ALzQPr/DQIb2wyWsTnQMnd0t8qg9ErDAKgxMDeGDRFbHr5wNMTrewQkW7yd+H0T0
|
||||
Wa97aDXbAgMBAAECggEANUp/M0VZB7BtlED0xMS0YQmko2gEh07J1gUE5IbsCFMr
|
||||
zhX2GrwW75fkm77Ky7/AL0tNiL6GqG43FFAdgOh2hfSGIQcw/IQqWiWP0tjtLZWT
|
||||
gByL/1XdeBmvnVeUFbqZ4ocWASlefMQm4Q7Csfwz8iBZxoEpQxF3LWS4huJ9NL3d
|
||||
qiI1jX5otXN0ybA6jDpridvExRwWT6KrAykUrh5f7vRGUp0I7/GltvSHS4mu24C1
|
||||
08RUPE5NjynEX/amc1urMwH3ZdOZgCx819DfQXpQts9/TejSLlLL8s4lXTsZDoab
|
||||
DiJ1zZKZEpMIheEGAWSyLtqc1QxypauVAMeM6ZgasQKBgQD88Yf1E7X8zS4hYSyu
|
||||
WHiUgrin/0febsHWZAVBTwnzpDwfY0jNnq57tiALyaVzk3vCL3a9WckpXPbQk4Yk
|
||||
Oypu1eDyGT4Xf7hrXqFTlMtkupa3Os5/MlTXOFMMs5VISsxrbVjNlvSxITXASWwr
|
||||
IYVjmhgTx8Rg3ApM5X/Tqd8XxwKBgQDfhPZ2t+4fBwhzgydKnkPWMbJ6k17tWoZu
|
||||
8tzCzrxJd/cYUmi/44sOLrFCLwaS28I4sR7iBPCeiFnnbqlv+f6uw2Xmr5jc/BsT
|
||||
md6yl2gNmow//iGFwf8lAsA1VyoFbZoAvQUMVElaxvCngifsTNqRHap8KY6xv5r/
|
||||
C6MEoGd5TQKBgQDEoPXxnEsCpHXR2Pqk5X2G5T+qyRYTYcIpaUN0i37O+cMLG2FD
|
||||
BrHY1bF/uFd3yxSP1dnWRG/OSchMSAIlNCE+W+EsEldkaRLx1HRQxwB941a6RWq1
|
||||
EmlFjTFyVEAeHJdgg3ZfC5RYBdsFCY6e0MYisW06IzcTnLodIOMHpawZjQKBgQC+
|
||||
1RVbnINXyDhl7rbQFTlTmVCJKGMmgGBAP2dNhxXoH909zbYTBmFFdYXvPJj/L1Kt
|
||||
9kKos5D/uOgRGEDfEnBnovnQL2FyYmd3n6orjerPmoBdbkoOmeeNIMEbiVSeF8oh
|
||||
EUBLG3cZYro6OXx+WctNlCdnJE/o3+6kC7pdi9lsDQKBgEtkK4RpB1OKJm6sEiWe
|
||||
hoTI6yqflpkivWtV3F8/D37LbYT5wiAsRr6AkgetB7jsi0t//thJiAUUxhtb+u4M
|
||||
1zR7i9bIRv3lU8TgYpfS/Yq3T9feZoj682LKtBMPoSgm/p5+ogzIlAU3cpjAW+A8
|
||||
2CyzbDc7K58vuzaR8RHpnzYi
|
||||
-----END PRIVATE KEY-----
|
@ -1,28 +0,0 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJE2rtl2EGU7YD
|
||||
TWSlapLqMgn02m9Valldv6u3NP5CZTwI9/xrlEZYzjArInvLE4SFx5VlgC52K92A
|
||||
tZUqs7ckZgDmMOIr1vXGP3YgzGO9NK3hqyPHlu2Twuu96rP9+CTTlU8ovun14Ucu
|
||||
b0+W3pH646kMZBc0wAAj0xg+QI0PhFphQZyHkV9laOFwx/ErCu9SdUfcUY+zouSG
|
||||
DMxPAL8pT1JS5IOVGDM7rXbAwZ1+LrHTmOD1Mi6jtYtV7/Pqga6CBpcQFa/kMvza
|
||||
idjPkVyUg4YY/9i+P9dRQMK6dJgmRSaLLaOTaYHCT6PgpWQvKhYJZsNIB+LmfdHp
|
||||
gzE4s0tfAgMBAAECggEBALtNkzVu5bp3D/1TgoV0GRZ/NjcXos32GvjxKoummZJP
|
||||
qvTPzBqKLF1c9BG6NYadz7yuhcPe+2iow9S5URJOBjOpsPy8XHJp8teRFgDHY8FD
|
||||
6RVlzhaFyRjzYZWvo6rYE7XkR7C05ktcZmoi1gi7m1AR8c7RDazdjUPRx6t1hfEE
|
||||
ubocsnwZ5McU3tHVHj8pHBM9nKaarVd3BSTydStjGOmoS+E5BR1NLMDpx3Aw9S/V
|
||||
tn1iJxxF9+GONFfCBQ/IQ4+rBbOPsICwhhhrTpJwPilzBynGQevtEHdpq6ewS2bq
|
||||
ESsgQoax70cW1TymOPOzYQvPUzJy0S68OoSMAXVr8MECgYEA755LulHIALONfQWG
|
||||
XBUT7UMaePyLDkuNoGkIDqIdqZiJf8kxDs8yWznCGim/vlnmK2hVn1nqi+omtbaG
|
||||
AsCgU9q2JnP4r0Nr7yb/L4WAHp5WxR5ifS/aOHUple9oQwfPkzpxWEGFFvN0PW7p
|
||||
4lk4lRNvI4q5zMdugpbwn4vbzEMCgYEA1tKRDfPY/9GV/dYnt433bjtlNU9j7UCc
|
||||
8iP26Rg8zjC4tzlVoZDZjov5FMG2Ifb7cLNroONATg2ivKNyRm73Le9p2KVqtvTX
|
||||
zHs1sKVJofWQ4+GzJd8MkUEXu397oTUudGV+z82Hd0iKkQBT7EYBybHl6kY4XbR1
|
||||
BS36gdW2oLUCgYBvt1LBNH3V7eCqiFfjOKSIuv9tpvjCGnGWd0GdaPIBby+0Fz47
|
||||
FFj69UvM3OgbvFg2prc8yzQyNWIE2GtUfzCAx/iipvEr7Xg2EO1q34gjPllgH9F1
|
||||
YkkQh3dzAyKOFecuUlIj/rApSipIthxvPn/F6UCoxnXnxpd8ZRkcmZ1JdwKBgQCZ
|
||||
bltb88YRMMhIPCSx3RvUB2gJ42Ijmfp+l2FKqp0DR5kmhDS86I/6V87XHGPRbm23
|
||||
2O4OQ0Eyflq1EKgV1juE+3JF4h+N/OIEkhuOxv8IRjPuDs29RsnbFPq2WB8czLcZ
|
||||
O0SPduRCNfWCCxHltzqfrAfig7TOeIz73hMFmHaP4QKBgQCN1XzjGMrL0ZlFQTM1
|
||||
ljaqWEaQ+JSzZtiVDdPcuKytyvz59OdJnag9O0TBaOY6XGG1Dbl8FJEG9KZCwYRv
|
||||
a+CKb6qHyowgu17GlWQBn2i3Ep5GOQhkR4ghvDXZPwOJfW5VbfWo4N/r3Q81kaRO
|
||||
Iovk5uipUk5dtW69hOYmq4OBxA==
|
||||
-----END PRIVATE KEY-----
|
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
|
||||
priority: 10
|
||||
}
|
||||
|
||||
pkgp121: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
|
||||
pkgp122: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
|
||||
mirror_type: "http",
|
||||
signature_type: "pubkey",
|
||||
pubkey: "/mnt/certs/poudriere.cert",
|
||||
|
@ -683,7 +683,7 @@ readme_directory = /usr/local/share/doc/postfix
|
||||
inet_protocols = ipv4, ipv6
|
||||
|
||||
# sometimes comcast's IPv6 reverse DNS lookup stops working so you need to enable the line below (default: any)
|
||||
smtp_address_preference = ipv4
|
||||
#smtp_address_preference = ipv4
|
||||
|
||||
meta_directory = /usr/local/libexec/postfix
|
||||
shlib_directory = /usr/local/lib/postfix
|
||||
|
@ -328,9 +328,9 @@ local_transport_rate_delay = $default_transport_rate_delay
|
||||
luser_relay =
|
||||
mail_name = Postfix
|
||||
mail_owner = postfix
|
||||
mail_release_date = 20200316
|
||||
mail_release_date = 20200516
|
||||
mail_spool_directory = /var/mail
|
||||
mail_version = 3.5.0
|
||||
mail_version = 3.5.2
|
||||
mailbox_command =
|
||||
mailbox_command_maps =
|
||||
mailbox_delivery_lock = flock, dotlock
|
||||
@ -340,7 +340,7 @@ mailbox_transport_maps =
|
||||
maillog_file =
|
||||
maillog_file_compressor = gzip
|
||||
maillog_file_prefixes = /var, /dev/stdout
|
||||
maillog_file_rotate_suffix = %Y%M%d-%H%M%S
|
||||
maillog_file_rotate_suffix = %Y%m%d-%H%M%S
|
||||
mailq_path = /usr/local/bin/mailq
|
||||
manpage_directory = /usr/local/man
|
||||
maps_rbl_domains =
|
||||
|
1903
jails/config/mail/sendmail.cf
Normal file
1903
jails/config/mail/sendmail.cf
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
BIN
jails/config/monitor/dbip-city-lite-2020-06.mmdb
Normal file
BIN
jails/config/monitor/dbip-city-lite-2020-06.mmdb
Normal file
Binary file not shown.
After Width: | Height: | Size: 85 MiB |
2
jails/config/monitor/matomo-archive
Normal file
2
jails/config/monitor/matomo-archive
Normal file
@ -0,0 +1,2 @@
|
||||
MAILTO="sharad@diyit.org"
|
||||
5 5 * * * /usr/local/bin/php /usr/local/www/matomo/console core:archive --url=https://ahlawat.com/matomo/ >> /root/matomo-archive.log
|
@ -1,4 +1,4 @@
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,3 +0,0 @@
|
||||
mount proc
|
||||
/usr/sbin/daemon -f /usr/local/logstash/bin/logstash --path.settings /usr/local/etc/logstash -l /var/log/logstash
|
||||
ps axww | grep logstash
|
1
jails/config/pkgp/ccache.conf
Normal file
1
jails/config/pkgp/ccache.conf
Normal file
@ -0,0 +1 @@
|
||||
max_size = 32.0G
|
@ -1,4 +1,4 @@
|
||||
# $FreeBSD: releng/12.1/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
|
||||
# $FreeBSD: releng/12.2/usr.sbin/freebsd-update/freebsd-update.conf 337338 2018-08-04 22:25:41Z brd $
|
||||
|
||||
# Trusted keyprint. Changing this is a Bad Idea unless you've received
|
||||
# a PGP-signed email from <security-officer@FreeBSD.org> telling you to
|
||||
|
@ -1,2 +1,3 @@
|
||||
WANT_OPENLDAP_SASL=yes
|
||||
LICENSES_ACCEPTED+=DCC
|
||||
WITH_CCACHE_BUILD=yes
|
||||
|
@ -5,11 +5,14 @@ net/openldap24-sasl-client
|
||||
security/cyrus-sasl2
|
||||
www/apache24
|
||||
devel/apr1
|
||||
net/php73-ldap
|
||||
net/php74-ldap
|
||||
mail/postfix
|
||||
mail/dovecot
|
||||
mail/dovecot-pigeonhole
|
||||
mail/rspamd
|
||||
mail/dcc-dccd
|
||||
net/netatalk3
|
||||
net/samba410
|
||||
net/samba411
|
||||
net/nss-pam-ldapd
|
||||
net/nss-pam-ldapd-sasl
|
||||
#security/pam_ldap # included above
|
||||
|
11
jails/config/pkgp/pkgp.conf
Normal file
11
jails/config/pkgp/pkgp.conf
Normal file
@ -0,0 +1,11 @@
|
||||
FreeBSD: {
|
||||
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
|
||||
enabled: no
|
||||
}
|
||||
|
||||
pkgp-freebsd-pkg: {
|
||||
url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
|
||||
mirror_type: "http",
|
||||
enabled: yes,
|
||||
priority: 10
|
||||
}
|
@ -133,7 +133,7 @@ PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
|
||||
# It will be mounted into the jail and be shared among all jails.
|
||||
# It is recommended that extra ccache configuration be done with
|
||||
# ccache -o rather than from the environment.
|
||||
#CCACHE_DIR=/var/cache/ccache
|
||||
CCACHE_DIR=/mnt/cache/ccache
|
||||
|
||||
# Static ccache support from host. This uses the existing
|
||||
# ccache from the host in the build jail. This is useful for
|
||||
@ -200,7 +200,7 @@ NOLINUX=yes
|
||||
# List of packages that will always be allowed to use MAKE_JOBS
|
||||
# regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports
|
||||
# which holdup the rest of the queue to build more quickly.
|
||||
#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*"
|
||||
ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py* llvm*"
|
||||
|
||||
# Timestamp every line of build logs
|
||||
# Default: no
|
||||
@ -282,7 +282,7 @@ PRESERVE_TIMESTAMP=yes
|
||||
|
||||
# Define pkgname globs to boost priority for
|
||||
# Default: none
|
||||
#PRIORITY_BOOST="pypy openoffice*"
|
||||
PRIORITY_BOOST="llvm*"
|
||||
|
||||
# Define format for buildnames
|
||||
# Default: %Y-%m-%d_%Hh%Mm%Ss
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
@ -48,35 +48,31 @@ frontend stats
|
||||
|
||||
frontend ft
|
||||
bind :::80 v4v6
|
||||
bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/dithaproxy.pem crt /mnt/certs/xflowhaproxy.pem
|
||||
bind :::443 v4v6 alpn http/1.1,h2 ssl crt /mnt/certs/haproxy.pem crt /mnt/certs/bbhaproxy.pem crt /mnt/certs/diyhaproxy.pem crt /mnt/certs/xflowhaproxy.pem crt /mnt/certs/dvpchaproxy.pem crt /mnt/certs/mdvpchaproxy.pem
|
||||
|
||||
redirect scheme https if !{ ssl_fc }
|
||||
|
||||
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ ssl_version:%sslv\ ssl_cipher:%sslc
|
||||
# passing on that browser is using https
|
||||
reqadd X-Forwarded-Proto:\ https
|
||||
## http-request add-header Forwarded: proto=https
|
||||
#enabling this breaks things, needs investigation
|
||||
|
||||
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
||||
http-request set-header X-Forwarded-Ssl on if { ssl_fc }
|
||||
|
||||
# for Clickjacking - added to individual backends
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
# http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
# prevent browser from using non-secure
|
||||
rspadd Strict-Transport-Security:\ max-age=15768000
|
||||
http-response add-header Strict-Transport-Security: max-age=15768000
|
||||
|
||||
acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
|
||||
acl restricted_page path -i -m sub /wp-admin
|
||||
acl restricted_page path -i -m sub /wp-login
|
||||
block if restricted_page !network_allowed
|
||||
http-request deny if restricted_page !network_allowed
|
||||
|
||||
use_backend bk_ahlawat if { ssl_fc_sni ahlawat.com }
|
||||
use_backend bk_ahlawat if { ssl_fc_sni www.ahlawat.com }
|
||||
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
|
||||
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
|
||||
use_backend bk_diyit if { ssl_fc_sni diyit.org }
|
||||
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
|
||||
use_backend bk_diyit if { ssl_fc_sni xflow.org }
|
||||
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
|
||||
use_backend bk_diyit if { ssl_fc_sni diyit.space }
|
||||
use_backend bk_diyit if { ssl_fc_sni www.diyit.space }
|
||||
|
||||
use_backend bk_ahlawat-sharad if { ssl_fc_sni sharad.ahlawat.com }
|
||||
use_backend bk_ahlawat-rachna if { ssl_fc_sni rachna.ahlawat.com }
|
||||
@ -96,53 +92,67 @@ frontend ft
|
||||
use_backend bk_ahlawat-matrix if { ssl_fc_sni matrix.ahlawat.com }
|
||||
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
|
||||
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
|
||||
use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
|
||||
|
||||
use_backend bk_diyit if { ssl_fc_sni diyit.org }
|
||||
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
|
||||
use_backend bk_diyit if { ssl_fc_sni xflow.org }
|
||||
use_backend bk_diyit if { ssl_fc_sni www.xflow.org }
|
||||
use_backend bk_diyit-grafana if { ssl_fc_sni grafana.diyit.org }
|
||||
use_backend bk_diyit-prometheus if { ssl_fc_sni prometheus.diyit.org }
|
||||
use_backend bk_diyit-kibana if { ssl_fc_sni kibana.diyit.org }
|
||||
use_backend bk_diyit-maps if { ssl_fc_sni maps.diyit.org }
|
||||
|
||||
use_backend bk_dvpc if { ssl_fc_sni datavpc.com }
|
||||
use_backend bk_dvpc if { ssl_fc_sni www.datavpc.com }
|
||||
use_backend bk_dvpc if { ssl_fc_sni mydatavpc.com }
|
||||
use_backend bk_dvpc if { ssl_fc_sni www.mydatavpc.com }
|
||||
|
||||
use_backend bk_beyondbell if { ssl_fc_sni beyondbell.com }
|
||||
use_backend bk_beyondbell if { ssl_fc_sni www.beyondbell.com }
|
||||
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
|
||||
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
|
||||
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
|
||||
use_backend bk_beyondbell-gs if { ssl_fc_sni gs.beyondbell.com }
|
||||
use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
|
||||
use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
|
||||
use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
|
||||
use_backend bk_beyondbell-windows if { ssl_fc_sni gs.beyondbell.com }
|
||||
|
||||
default_backend bk_ahlawat
|
||||
|
||||
acl is_websocket hdr(Upgrade) -i WebSocket
|
||||
acl is_websocket hdr_beg(Host) -i ws
|
||||
use_backend bk_ahlawat if is_websocket
|
||||
|
||||
|
||||
backend bk_ahlawat
|
||||
server srv1 web.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell
|
||||
server srv1 192.168.0.77:8000
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_diyit
|
||||
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-sharad
|
||||
balance roundrobin
|
||||
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
# http-response set-header Content-Security-Policy "default-src 'self' *.ahlawat.com"
|
||||
|
||||
backend bk_ahlawat-rachna
|
||||
server srv1 rachnax.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-nivi
|
||||
server srv1 nivix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-rishabh
|
||||
server srv1 rishabhx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
|
||||
|
||||
#backend bk_ahlawat-book
|
||||
# server srv1 bookx.ahlawat.com:443 check ssl verify none
|
||||
@ -150,102 +160,143 @@ backend bk_ahlawat-rishabh
|
||||
backend bk_ahlawat-book-443
|
||||
# server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-book-444
|
||||
# server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-book-445
|
||||
# server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-cam
|
||||
server srv1 192.168.0.54:8765 check
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-ci
|
||||
# http-request set-header Host cix.ahlawat.com:8080
|
||||
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8080/\2
|
||||
http-response replace-header Host ^([^\ \t:]*:)\ http://cix.ahlawat.com:8080/(.*) \1\ https://ci.ahlawat.com/\2
|
||||
server srv1 cix.ahlawat.com:8080 check
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-cloud
|
||||
server srv1 cloudx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-git
|
||||
server srv1 gitx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspidel X-Frame-Options:*
|
||||
# http-request set-var(txn.src) src
|
||||
# acl mynet var(txn.src) -m sub 192.168.0
|
||||
# acl mynet var(txn.src) -m sub 2603:3024:3f6:e1
|
||||
# rspidel X-Frame-Options:* if mynet
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN unless mynet
|
||||
# The gitea server add this header be default
|
||||
http-response set-header X-Frame-Options "ALLOW-FROM *.diyit.org"
|
||||
# http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-hub
|
||||
server srv1 hubx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-matrix
|
||||
server srv1 matrix.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-meet
|
||||
server srv1 meet.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-monitor
|
||||
server srv1 monitorx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
# http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-jump
|
||||
server srv1 jumpx.ahlawat.com:8080 check
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
|
||||
|
||||
backend bk_diyit
|
||||
server srv1 web.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_diyit-grafana
|
||||
server srv1 monitorx.ahlawat.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
# http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_diyit-prometheus
|
||||
server srv1 monitorx.ahlawat.com:9090 check
|
||||
# ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_diyit-kibana
|
||||
server srv1 monitorx.ahlawat.com:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
server srv1 elk.diyit.org:5601 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_diyit-maps
|
||||
server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
# http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_ahlawat-ci
|
||||
# http-request set-header Host cix.ahlawat.com:8180
|
||||
reqirep ^([^\ \t:]*:)\ https://ci.ahlawat.com/(.*) \1\ http://cix.ahlawat.com:8180/\2
|
||||
rspirep ^([^\ \t:]*:)\ http://cix.ahlawat.com:8180/(.*) \1\ https://ci.ahlawat.com/\2
|
||||
server srv1 cix.ahlawat.com:8180 check
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
|
||||
backend bk_dvpc
|
||||
server srv1 web.datavpc.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
|
||||
|
||||
backend bk_beyondbell
|
||||
server srv1 192.168.0.77:8000
|
||||
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-ci
|
||||
# http-request set-header Host cix.beyondbell.com:8111
|
||||
http-request replace-header Host ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://192.168.0.73:8111/\2
|
||||
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.73:8111/(.*) \1\ https://ci.beyondbell.com/\2
|
||||
server srv1 192.168.0.73:8111
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-git
|
||||
server srv1 gitx.beyondbell.com:3000 check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-ci
|
||||
http-request set-header Host cix.beyondbell.com:8111
|
||||
reqirep ^([^\ \t:]*:)\ https://ci.beyondbell.com/(.*) \1\ http://cix.beyondbell.com:8111/\2
|
||||
rspirep ^([^\ \t:]*:)\ http://cix.beyondbell.com:8111/(.*) \1\ https://ci.beyondbell.com/\2
|
||||
server srv1 cix.beyondbell.com:8111
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-repo
|
||||
# http-request set-header Host 192.168.0.75:8080
|
||||
reqirep ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8080/\2
|
||||
rspirep ^([^\ \t:]*:)\ http://192.168.0.75:8080/(.*) \1\ https://repo.beyondbell.com/\2
|
||||
server srv1 192.168.0.75:8080
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
# http-request set-header Host 192.168.0.75:8081
|
||||
# http-request replace-header Host ^([^\ \t:]*:)\ https://repo.beyondbell.com/(.*) \1\ http://192.168.0.75:8081/\2
|
||||
# http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.75:8081/(.*) \1\ https://repo.beyondbell.com/\2
|
||||
|
||||
backend bk_beyondbell-gs
|
||||
server srv1 192.168.0.75:8081
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
# http-response del-header Strict-Transport-Security
|
||||
# http-response add-header Content-Security-Policy: upgrade-insecure-requests
|
||||
|
||||
backend bk_beyondbell-web-moonglade
|
||||
server srv1 192.168.0.74:8000
|
||||
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-web-moonglade-private
|
||||
server srv1 192.168.0.74:4000
|
||||
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-r-windows
|
||||
server srv1 192.168.0.85:4000
|
||||
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
||||
backend bk_beyondbell-windows
|
||||
server srv1 192.168.0.81:26900 check
|
||||
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
|
||||
rspadd X-Frame-Options:\ SAMEORIGIN
|
||||
http-response add-header X-Frame-Options: SAMEORIGIN
|
||||
|
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
|
||||
priority: 10
|
||||
}
|
||||
|
||||
pkgp121: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
|
||||
pkgp122: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
|
||||
mirror_type: "http",
|
||||
signature_type: "pubkey",
|
||||
pubkey: "/mnt/certs/poudriere.cert",
|
||||
|
1
jails/config/proxy/port-fwd.sh
Executable file
1
jails/config/proxy/port-fwd.sh
Executable file
@ -0,0 +1 @@
|
||||
ipfw add 10000 fwd 192.168.0.4,55820 udp from me to 192.168.0.55 dst-port 55820
|
@ -1,99 +1,13 @@
|
||||
# Example MySQL config file for small systems.
|
||||
#
|
||||
# This is for a system with little memory (<= 64M) where MySQL is only used
|
||||
# from time to time and it's important that the mysqld daemon
|
||||
# doesn't use much resources.
|
||||
# This group is read both by the client and the server
|
||||
# use it for options that affect everything, see
|
||||
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#option-groups
|
||||
#
|
||||
# MySQL programs look for option files in a set of
|
||||
# locations which depend on the deployment platform.
|
||||
# You can copy this option file to one of those
|
||||
# locations. For information about these locations, see:
|
||||
# http://dev.mysql.com/doc/mysql/en/option-files.html
|
||||
#
|
||||
# In this file, you can use all long options that a program supports.
|
||||
# If you want to know which options a program supports, run the program
|
||||
# with the "--help" option.
|
||||
|
||||
# The following options will be passed to all MySQL clients
|
||||
[client]
|
||||
#password = your_password
|
||||
[client-server]
|
||||
port = 3306
|
||||
socket = /tmp/mysql.sock
|
||||
socket = /var/run/mysql/mysql.sock
|
||||
|
||||
# Here follows entries for some specific programs
|
||||
|
||||
# The MySQL server
|
||||
[mysqld]
|
||||
bind-address = *
|
||||
port = 3306
|
||||
socket = /tmp/mysql.sock
|
||||
skip-external-locking
|
||||
key_buffer_size = 16K
|
||||
max_allowed_packet = 64M
|
||||
table_open_cache = 16
|
||||
sort_buffer_size = 64K
|
||||
read_buffer_size = 256K
|
||||
read_rnd_buffer_size = 256K
|
||||
net_buffer_length = 2K
|
||||
thread_stack = 240K
|
||||
|
||||
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
|
||||
# if all processes that need to connect to mysqld run on the same host.
|
||||
# All interaction with mysqld must be made via Unix sockets or named pipes.
|
||||
# Note that using this option without enabling named pipes on Windows
|
||||
# (using the "enable-named-pipe" option) will render mysqld useless!
|
||||
#
|
||||
#skip-networking
|
||||
server-id = 1
|
||||
|
||||
# Uncomment the following if you want to log updates
|
||||
#log-bin=mysql-bin
|
||||
|
||||
# binary logging format - mixed recommended
|
||||
binlog_format=ROW
|
||||
|
||||
# Causes updates to non-transactional engines using statement format to be
|
||||
# written directly to binary log. Before using this option make sure that
|
||||
# there are no dependencies between transactional and non-transactional
|
||||
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
|
||||
# t_innodb; otherwise, slaves may diverge from the master.
|
||||
#binlog_direct_non_transactional_updates=TRUE
|
||||
|
||||
# Uncomment the following if you are using InnoDB tables
|
||||
#innodb_data_home_dir = /var/db/mysql
|
||||
#innodb_data_file_path = ibdata1:10M:autoextend
|
||||
innodb_log_group_home_dir = /var/db/mysql-log
|
||||
# You can set .._buffer_pool_size up to 50 - 80 %
|
||||
# of RAM but beware of setting memory usage too high
|
||||
innodb_buffer_pool_size = 1G
|
||||
innodb_io_capacity=4000
|
||||
transaction-isolation = READ-COMMITTED
|
||||
# Set .._log_file_size to 25 % of buffer pool size
|
||||
innodb_log_file_size = 250M
|
||||
#innodb_log_buffer_size = 8M
|
||||
innodb_flush_log_at_trx_commit = 2
|
||||
#innodb_lock_wait_timeout = 50
|
||||
|
||||
innodb_doublewrite = 0
|
||||
innodb_checksum_algorithm = none
|
||||
slow_query_log_file = /var/db/mysql-log/slow.log
|
||||
log-error = /var/db/mysql-log/error.log
|
||||
log_bin = /var/db/mysql-log/binlog
|
||||
relay_log = /var/db/mysql-log/relay-bin
|
||||
expire_logs_days = 7
|
||||
|
||||
[mysqldump]
|
||||
quick
|
||||
max_allowed_packet = 16M
|
||||
|
||||
[mysql]
|
||||
no-auto-rehash
|
||||
# Remove the next comment character if you are not familiar with SQL
|
||||
#safe-updates
|
||||
|
||||
[myisamchk]
|
||||
key_buffer_size = 8M
|
||||
sort_buffer_size = 8M
|
||||
|
||||
[mysqlhotcopy]
|
||||
interactive-timeout
|
||||
# include *.cnf from the config directory
|
||||
#
|
||||
!includedir /usr/local/etc/mysql/conf.d/
|
||||
|
90
jails/config/r-db/server.cnf
Normal file
90
jails/config/r-db/server.cnf
Normal file
@ -0,0 +1,90 @@
|
||||
# Options specific to server applications, see
|
||||
# https://mariadb.com/kb/en/configuring-mariadb-with-option-files/#server-option-groups
|
||||
|
||||
# Options specific to all server programs
|
||||
[server]
|
||||
|
||||
# Options specific to MariaDB server programs
|
||||
[server-mariadb]
|
||||
|
||||
#
|
||||
# Options for specific server tools
|
||||
#
|
||||
|
||||
[mysqld]
|
||||
user = mysql
|
||||
# port = 3306 # set in /usr/local/etc/mysql/my.cnf
|
||||
# socket = /var/run/mysql/mysql.sock # set in /usr/local/etc/mysql/my.cnf
|
||||
bind-address = *
|
||||
basedir = /usr/local
|
||||
datadir = /var/db/mysql
|
||||
net_retry_count = 16384
|
||||
# [mysqld] configuration for ZFS
|
||||
# From https://www.percona.com/resources/technical-presentations/zfs-mysql-percona-technical-webinar
|
||||
# Create separate datasets for data and logs, eg
|
||||
# zroot/mysql compression=on recordsize=128k atime=off
|
||||
# zroot/mysql/data recordsize=16k
|
||||
# zroot/mysql/logs
|
||||
datadir = /var/db/mysql
|
||||
innodb_log_group_home_dir = /var/db/mysql-log
|
||||
#audit_log_file = /var/db/mysql-log/audit.log
|
||||
general_log_file = /var/db/mysql-log/general.log
|
||||
log_bin = /var/db/mysql-log/mysql-bin
|
||||
relay_log = /var/db/mysql-log/relay-log
|
||||
slow_query_log_file = /var/db/mysql-log/slow.log
|
||||
innodb_doublewrite = 0
|
||||
innodb_flush_method = O_DSYNC
|
||||
|
||||
##
|
||||
log-error = /var/db/mysql-log/error.log
|
||||
|
||||
|
||||
### custom optimizations
|
||||
skip-external-locking
|
||||
key_buffer_size = 16K
|
||||
max_allowed_packet = 64M
|
||||
table_open_cache = 16
|
||||
sort_buffer_size = 64K
|
||||
read_buffer_size = 256K
|
||||
read_rnd_buffer_size = 256K
|
||||
net_buffer_length = 2K
|
||||
thread_stack = 240K
|
||||
|
||||
server-id = 1
|
||||
binlog_format=ROW
|
||||
|
||||
innodb_buffer_pool_size = 1G
|
||||
innodb_io_capacity=4000
|
||||
transaction-isolation = READ-COMMITTED
|
||||
innodb_log_file_size = 250M
|
||||
innodb_flush_log_at_trx_commit = 2
|
||||
innodb_checksum_algorithm = none
|
||||
|
||||
slow_query_log_file = /var/db/mysql-log/slow.log
|
||||
|
||||
expire_logs_days = 7
|
||||
###
|
||||
|
||||
|
||||
# Options read by `mysqld_safe`
|
||||
# Renamed from [mysqld_safe] starting with MariaDB 10.4.6.
|
||||
[mariadb_safe]
|
||||
|
||||
# Options read my `mariabackup`
|
||||
[mariabackup]
|
||||
|
||||
# Options read by `mysql_upgrade`
|
||||
# Renamed from [mysql_upgrade] starting with MariaDB 10.4.6.
|
||||
[mariadb-upgrade]
|
||||
|
||||
# Specific options read by the mariabackup SST method
|
||||
[sst]
|
||||
|
||||
# Options read by `mysqlbinlog`
|
||||
# Renamed from [mysqlbinlog] starting with MariaDB 10.4.6.
|
||||
[mariadb-binlog]
|
||||
|
||||
# Options read by `mysqladmin`
|
||||
# Renamed from [mysqladmin] starting with MariaDB 10.4.6.
|
||||
[mariadb-admin]
|
||||
|
@ -1,6 +1,6 @@
|
||||
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
||||
Copyright (c) 2018-2020, BeyondBell.com
|
||||
Copyright (c) 2018-2021, BeyondBell.com
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
@ -1,6 +1,6 @@
|
||||
BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
||||
Copyright (c) 2018-2020, BeyondBell.com
|
||||
Copyright (c) 2018-2021, BeyondBell.com
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
@ -10,8 +10,8 @@ pkgp-freebsd-pkg: {
|
||||
priority: 10
|
||||
}
|
||||
|
||||
pkgp121: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj121-default/",
|
||||
pkgp122: {
|
||||
url: "http://pkgp.ahlawat.com/packages/pj122-default/",
|
||||
mirror_type: "http",
|
||||
signature_type: "pubkey",
|
||||
pubkey: "/mnt/certs/poudriere.cert",
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
@ -18,6 +18,16 @@ ifconfig bridge1 addm tap82 up
|
||||
ifconfig tap82 up
|
||||
ifconfig tap82 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap1082 create
|
||||
ifconfig bridge10 addm tap1082 up
|
||||
ifconfig tap1082 up
|
||||
ifconfig tap1082 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap2082 create
|
||||
ifconfig bridge9 addm tap2082 up
|
||||
ifconfig tap2082 up
|
||||
ifconfig tap2082 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap83 create
|
||||
ifconfig bridge1 addm tap83 up
|
||||
ifconfig tap83 up
|
||||
@ -33,6 +43,21 @@ ifconfig bridge1 addm tap85 up
|
||||
ifconfig tap85 up
|
||||
ifconfig tap85 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap86 create
|
||||
ifconfig bridge1 addm tap86 up
|
||||
ifconfig tap86 up
|
||||
ifconfig tap86 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap1086 create
|
||||
ifconfig bridge10 addm tap1086 up
|
||||
ifconfig tap1086 up
|
||||
ifconfig tap1086 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap2086 create
|
||||
ifconfig bridge9 addm tap2086 up
|
||||
ifconfig tap2086 up
|
||||
ifconfig tap2086 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap90 create
|
||||
ifconfig bridge1 addm tap90 up
|
||||
ifconfig tap90 up
|
||||
@ -42,3 +67,33 @@ ifconfig tap190 create
|
||||
ifconfig bridge2 addm tap190 up
|
||||
ifconfig tap190 up
|
||||
ifconfig tap190 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap97 create
|
||||
ifconfig bridge1 addm tap97 up
|
||||
ifconfig tap97 up
|
||||
ifconfig tap97 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap1097 create
|
||||
ifconfig bridge10 addm tap1097 up
|
||||
ifconfig tap1097 up
|
||||
ifconfig tap1097 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap2097 create
|
||||
ifconfig bridge9 addm tap2097 up
|
||||
ifconfig tap2097 up
|
||||
ifconfig tap2097 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap96 create
|
||||
ifconfig bridge1 addm tap96 up
|
||||
ifconfig tap96 up
|
||||
ifconfig tap96 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap1096 create
|
||||
ifconfig bridge10 addm tap1096 up
|
||||
ifconfig tap1096 up
|
||||
ifconfig tap1096 inet6 auto_linklocal
|
||||
|
||||
ifconfig tap2096 create
|
||||
ifconfig bridge9 addm tap2096 up
|
||||
ifconfig tap2096 up
|
||||
ifconfig tap2096 inet6 auto_linklocal
|
||||
|
70
jails/config/vm/cvm-a.sh
Executable file
70
jails/config/vm/cvm-a.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
# https://diyit.org/license/
|
||||
#
|
||||
#
|
||||
|
||||
# ./cvm-a.sh under tmux
|
||||
|
||||
# clean cached state
|
||||
bhyvectl --destroy --vm=cvm-a
|
||||
|
||||
while true
|
||||
do
|
||||
|
||||
bhyve -c 4 -m 16G -A -H -P \
|
||||
-s 0,hostbridge \
|
||||
-s 3,ahci-cd \
|
||||
-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
|
||||
-s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
|
||||
-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
|
||||
-s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
|
||||
-s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
|
||||
-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
|
||||
-s 30,xhci,tablet \
|
||||
-s 31,lpc -l com1,/dev/nmdm97A \
|
||||
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
|
||||
cvm-a
|
||||
|
||||
bhyve_exit=$?
|
||||
# bhyve returns the following status codes:
|
||||
# 0 - VM has been reset
|
||||
# 1 - VM has been powered off
|
||||
# 2 - VM has been halted
|
||||
# 3 - VM generated a triple fault
|
||||
# all other non-zero status codes are errors
|
||||
#
|
||||
if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
|
||||
then
|
||||
break
|
||||
fi
|
||||
echo `date` - restarting cvm-a in 5 seconds - press ctrl-c to stop
|
||||
sleep 5
|
||||
|
||||
done
|
||||
|
||||
exit $?
|
||||
|
||||
# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
|
||||
|
||||
# bhyvectl --get-all --vm=cvm-a
|
||||
|
||||
# cu -l /dev/nmdm97B
|
||||
# (This uses cu() so press ~+Ctrl-D to exit)
|
||||
|
||||
#on base system:
|
||||
#zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
|
||||
#zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
|
||||
# on boot
|
||||
#ifconfig tap97 create
|
||||
#ifconfig bridge1 addm tap97 up
|
||||
#ifconfig tap97 up
|
||||
#ifconfig tap97 inet6 auto_linklocal
|
||||
#ifconfig tap1097 create
|
||||
#ifconfig bridge10 addm tap1097 up
|
||||
#ifconfig tap1097 up
|
||||
#ifconfig tap1097 inet6 auto_linklocal
|
70
jails/config/vm/cvm-b.sh
Executable file
70
jails/config/vm/cvm-b.sh
Executable file
@ -0,0 +1,70 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
# https://diyit.org/license/
|
||||
#
|
||||
#
|
||||
|
||||
# ./cvm-b.sh under tmux
|
||||
|
||||
# clean cached state
|
||||
bhyvectl --destroy --vm=cvm-b
|
||||
|
||||
while true
|
||||
do
|
||||
|
||||
bhyve -c 4 -m 16G -A -H -P \
|
||||
-s 0,hostbridge \
|
||||
-s 3,ahci-cd \
|
||||
-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
|
||||
-s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
|
||||
-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
|
||||
-s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
|
||||
-s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
|
||||
-s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
|
||||
-s 30,xhci,tablet \
|
||||
-s 31,lpc -l com1,/dev/nmdm96A \
|
||||
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
|
||||
cvm-b
|
||||
|
||||
bhyve_exit=$?
|
||||
# bhyve returns the following status codes:
|
||||
# 0 - VM has been reset
|
||||
# 1 - VM has been powered off
|
||||
# 2 - VM has been halted
|
||||
# 3 - VM generated a triple fault
|
||||
# all other non-zero status codes are errors
|
||||
#
|
||||
if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
|
||||
then
|
||||
break
|
||||
fi
|
||||
echo `date` - restarting cvm-b in 5 seconds - press ctrl-c to stop
|
||||
sleep 5
|
||||
|
||||
done
|
||||
|
||||
exit $?
|
||||
|
||||
# -s 3,ahci-cd,/mnt/linux/ubuntu-20.04.1-live-server-amd64.iso \
|
||||
|
||||
# bhyvectl --get-all --vm=cvm-b
|
||||
|
||||
# cu -l /dev/nmdm96B
|
||||
# (This uses cu() so press ~+Ctrl-D to exit)
|
||||
|
||||
#on base system:
|
||||
#zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
|
||||
#zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
|
||||
# on boot
|
||||
#ifconfig tap96 create
|
||||
#ifconfig bridge1 addm tap96 up
|
||||
#ifconfig tap96 up
|
||||
#ifconfig tap96 inet6 auto_linklocal
|
||||
#ifconfig tap1096 create
|
||||
#ifconfig bridge10 addm tap1096 up
|
||||
#ifconfig tap1096 up
|
||||
#ifconfig tap1096 inet6 auto_linklocal
|
@ -1,6 +1,6 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2020, diyIT.org
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
|
77
jails/config/vm/kali.sh
Executable file
77
jails/config/vm/kali.sh
Executable file
@ -0,0 +1,77 @@
|
||||
#!/usr/local/bin/bash
|
||||
|
||||
# Copyright (c) 2018-2021, diyIT.org
|
||||
# All rights reserved.
|
||||
#
|
||||
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
|
||||
# https://diyit.org/license/
|
||||
#
|
||||
#
|
||||
|
||||
# ./kali.sh under tmux
|
||||
|
||||
# clean cached state
|
||||
bhyvectl --destroy --vm=kali
|
||||
|
||||
while true
|
||||
do
|
||||
|
||||
bhyve -c 2 -m 4G -A -H -P \
|
||||
-s 0,hostbridge \
|
||||
-s 3,ahci-cd \
|
||||
-s 4,virtio-blk,/dev/zvol/ship/raw/kali \
|
||||
-s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
|
||||
-s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
|
||||
-s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
|
||||
-s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
|
||||
-s 30,xhci,tablet \
|
||||
-s 31,lpc -l com1,/dev/nmdm86A \
|
||||
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
|
||||
kali
|
||||
|
||||
bhyve_exit=$?
|
||||
# bhyve returns the following status codes:
|
||||
# 0 - VM has been reset
|
||||
# 1 - VM has been powered off
|
||||
# 2 - VM has been halted
|
||||
# 3 - VM generated a triple fault
|
||||
# all other non-zero status codes are errors
|
||||
#
|
||||
if [ $bhyve_exit = 1 ] || [ $bhyve_exit = 2 ]
|
||||
then
|
||||
break
|
||||
fi
|
||||
echo `date` - restarting kali in 5 seconds - press ctrl-c to stop
|
||||
sleep 5
|
||||
|
||||
done
|
||||
|
||||
exit $?
|
||||
|
||||
#-s 3,ahci-cd,/mnt/linux/kali-linux-2020.4-installer-amd64.iso \
|
||||
##-s 6,virtio-blk,/dev/zvol/ship/raw/kali_data \
|
||||
|
||||
# bhyvectl --get-all --vm=kali
|
||||
|
||||
# cu -l /dev/nmdm86B
|
||||
# (This uses cu() so press ~+Ctrl-D to exit)
|
||||
|
||||
#on base system:
|
||||
#zfs create -V 128G -o refreservation=none ship/raw/kali
|
||||
##zfs create -V 128G -o refreservation=none ship/raw/kali_data
|
||||
# on boot
|
||||
#ifconfig tap86 create
|
||||
#ifconfig bridge1 addm tap86 up
|
||||
#ifconfig tap86 up
|
||||
#ifconfig tap86 inet6 auto_linklocal
|
||||
#ifconfig tap1086 create
|
||||
#ifconfig bridge10 addm tap1086 up
|
||||
#ifconfig tap1086 up
|
||||
#ifconfig tap1086 inet6 auto_linklocal
|
||||
|
||||
# Install VNC
|
||||
# curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download#
|
||||
# sudo apt install gdebi-core
|
||||
# sudo gdebi turbovnc_2.2.5_amd64.deb
|
||||
# sudo killall Xvnc; /opt/TurboVNC/bin/vncserver -name kali -geometry 1920x1080 :4
|
||||
# systemctl enable ssh.service; service ssh start
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user