.

configs/etc/hosts

@@ -0,0 +1,43 @@
+# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
+#
+# Host Database
+#
+# This file should contain the addresses and aliases for local hosts that
+# share this file.  Replace 'my.domain' below with the domainname of your
+# machine.
+#
+# In the presence of the domain name service or NIS, this file may
+# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
+#
+#
+::1			localhost localhost.my.domain
+127.0.0.1		localhost localhost.my.domain
+
+192.168.0.10		nas nas.ahlawat.com
+fd01::10	nas nas.ahlawat.com
+192.168.1.10		nas nas.ahlawat.com
+fd02::10	nas nas.ahlawat.com
+192.168.2.10		nas nas.ahlawat.com
+fd05::10	nas nas.ahlawat.com
+192.168.200.10		nas nas.ahlawat.com
+fd09::10	nas nas.ahlawat.com
+192.168.10.10		nas nas.ahlawat.com
+fd0a::10	nas nas.ahlawat.com
+192.168.48.10		nas nas.ahlawat.com
+2001:470:f835::10	nas nas.ahlawat.com
+
+#
+# Imaginary network. 10.0.0.2 myname.my.domain myname 10.0.0.3 myfriend.my.domain myfriend
+#
+# According to RFC 1918, you can use the following IP networks for
+# private nets which will never be connected to the Internet:
+#
+#	10.0.0.0	-   10.255.255.255
+#	172.16.0.0	-   172.31.255.255
+#	192.168.0.0	-   192.168.255.255
+#
+# In case you want to be able to connect to the Internet, you need
+# real official assigned numbers.  Do not try to invent your own network
+# numbers but instead get one from your network provider (if any) or
+# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
+#

configs/etc/rc.conf

@@ -6,7 +6,8 @@ kld_list="nmdm vmm ipfw ipdivert linux64"
 geli_autodetach="NO"
 
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
-dumpdev="/dev/ada2p3"
+#dumpdev="/dev/ada2p3"
+dumpdev="NO"
 dumpdir="/var/crash"
 savecore_enable="YES"
 
@@ -31,49 +32,46 @@ firewall_logif="YES"
 
 # interfaces
 cloned_interfaces_sticky="YES"
-cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9"
+cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10"
 
 ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
-ifconfig_igb0="up"
-ifconfig_igb1="up"
+ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
+ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
 
-vlans_lagg0="1 2 5 9"
+vlans_lagg0="1 2 5 9 10"
 
 ipv6_activate_all_interfaces="YES"
 rtsold_enable="YES"
 
 ifconfig_lagg0_1="inet 192.168.0.10/24"
-ifconfig_lagg0_1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_2="inet 192.168.1.10/24"
-ifconfig_lagg0_2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_2_ipv6="inet6 fd02::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_5="inet 192.168.2.10/24"
-ifconfig_lagg0_5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_5_ipv6="inet6 fd05::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_9="inet 192.168.200.10/24"
-ifconfig_lagg0_9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_10="inet 192.168.10.10/24"
+ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv"
 
 ifconfig_bridge1="addm lagg0.1 up"
 ifconfig_bridge2="addm lagg0.2 up"
 ifconfig_bridge5="addm lagg0.5 up"
 ifconfig_bridge9="addm lagg0.9 up"
+ifconfig_bridge10="addm lagg0.10 up"
 
 # adding IP to bridges does not work
 #ifconfig_bridge1="inet 192.168.0.10/24"
-#ifconfig_bridge1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv"
-#ifconfig_bridge2="inet 192.168.1.10/24"
-#ifconfig_bridge2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv"
-#ifconfig_bridge5="inet 192.168.2.10/24"
-#ifconfig_bridge5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv"
-#ifconfig_bridge9="inet 192.168.200.10/24"
-#ifconfig_bridge9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv"
+#ifconfig_bridge1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv"
 
 defaultrouter="192.168.0.5"
-ipv6_defaultrouter="2603:3024:3f6:e1::5"
+ipv6_defaultrouter="fd01::5"
 # interfaces
 
 hostname="nas.ahlawat.com"
 
 syslogd_enable="YES"
-syslogd_flags="-ss"
+syslogd_flags="-C -O rfc5424 -ss"
 
 syslog_ng_enable="NO"
 syslog_ng_config="-u daemon"

configs/etc/rctl.conf

@@ -0,0 +1 @@
+jail:ioc-jump:vmemoryuse:deny=4G/jail

configs/etc/sysctl.conf

@@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.1/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
+# $FreeBSD: releng/12.2/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
 #
 #  This file is read when going to multi-user and its contents piped thru
 #  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
@@ -7,6 +7,7 @@
 # Uncomment this to prevent users from seeing information about processes that
 # are being run under another UID.
 security.bsd.see_other_uids=0
+security.bsd.see_other_gids=0
 security.bsd.unprivileged_read_msgbuf=0
 security.bsd.unprivileged_proc_debug=0
 kern.randompid=1
@@ -32,6 +33,13 @@ hw.intr_storm_threshold=9000
 kern.ipc.maxsockbuf=16777216
 kern.ipc.shm_use_phys=1
 kern.ipc.soacceptqueue=1024
+
+kern.ipc.nmbclusters=24513148
+kern.ipc.nmbjumbop=9192430
+kern.ipc.nmbjumbo9=2723683
+kern.ipc.nmbjumbo16=1532071
+kern.ipc.nmbufs=117663120
+
 kern.maxvnodes=4194304
 kern.random.harvest.mask=351
 kern.threads.max_threads_per_proc=9000
@@ -67,7 +75,7 @@ net.inet.tcp.recvbuf_inc=65536
 net.inet.tcp.recvbuf_max=16777216
 net.inet.tcp.recvspace=262144
 net.inet.tcp.rfc6675_pipe=1
-net.inet.tcp.sendbuf_inc=32768
+net.inet.tcp.sendbuf_inc=65536
 net.inet.tcp.sendbuf_max=16777216
 net.inet.tcp.sendspace=262144
 net.inet.tcp.syncache.rexmtlimit=0
@@ -95,7 +103,7 @@ vfs.zfs.arc_max=51539607552
 vfs.zfs.delay_min_dirty_percent=96
 vfs.zfs.dirty_data_max=12884901888
 vfs.zfs.prefetch_disable=0
-vfs.zfs.top_maxinflight=128
+#vfs.zfs.top_maxinflight=128
 vfs.zfs.trim.txg_delay=2
 vfs.zfs.txg.timeout=90
 vfs.zfs.vdev.aggregation_limit=1048576
@@ -116,3 +124,12 @@ net.inet.tcp.rack.data_after_close=0
 #Cheap Disk Issues
 kern.cam.ada.default_timeout=60
 kern.cam.da.default_timeout=90
+
+# best way to see misconfigured or non operational services
+net.inet.tcp.log_in_vain: 1
+net.inet.udp.log_in_vain: 1
+
+# Disable File Handle Affinity for NFS write operations.
+# It improves NFS write throughput with ZFS sync=always on ship/pxe
+vfs.nfsd.fha.write=0
+vfs.nfsd.fha.max_nfsds_per_fh=32

configs/pxe/resolv.conf

@@ -1,7 +1,7 @@
 # Generated by resolvconf
 search diyit.org
 nameserver 192.168.0.5
-nameserver 2603:3024:3f6:e1::5
-nameserver 2603:3024:3f6:e2::5
-nameserver 2603:3024:3f6:e5::5
-nameserver 2603:3024:3f6:e9::5
+nameserver fd01::5
+nameserver fd02::5
+nameserver fd05::5
+nameserver fd09::5

jails/config/ci/jenkins

@@ -0,0 +1,86 @@
+#!/bin/sh
+
+# $FreeBSD: head/devel/jenkins/files/jenkins.in 544211 2020-08-05 09:10:47Z lwhsu $
+#
+# PROVIDE: jenkins
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+#
+# Configuration settings for jenkins in /etc/rc.conf:
+#
+# jenkins_enable (bool):
+#   Set to "NO" by default.
+#   Set it to "YES" to enable jenkins
+#
+# jenkins_args (str):
+#   Extra arguments passed to start command
+#
+# jenkins_home (str)
+#   Set to "/usr/local/jenkins" by default.
+#   Set the JENKINS_HOME variable for jenkins process
+#
+# jenkins_java_home (str):
+#   Set to "/usr/local/openjdk8" by default.
+#   Set the Java virtual machine to run jenkins
+#
+# jenkins_java_opts (str):
+#   Set to "" by default.
+#   Java VM args to use.
+#
+# jenkins_user (str):
+#   Set to "jenkins" by default.
+#   User to run jenkins as.
+#
+# jenkins_group (str):
+#   Set to "jenkins" by default.
+#   Group for data file ownership.
+#
+# jenkins_log_file (str):
+#   Set to "/var/log/jenkins.log" by default.
+#   Log file location.
+#
+
+. /etc/rc.subr
+
+name=jenkins
+desc="Jenkins automation server"
+rcvar=jenkins_enable
+
+load_rc_config "${name}"
+
+: ${jenkins_enable:=NO}
+: ${jenkins_home="/usr/local/jenkins"}
+: ${jenkins_args="--webroot=${jenkins_home}/war"}
+: ${jenkins_java_home="/usr/local/openjdk8"}
+: ${jenkins_user="jenkins"}
+: ${jenkins_group="jenkins"}
+: ${jenkins_log_file="/var/log/jenkins.log"}
+
+pidfile=/var/run/jenkins/jenkins.pid
+command=/usr/sbin/daemon
+java_cmd="${jenkins_java_home}/bin/java"
+procname="${java_cmd}"
+command_args="-p ${pidfile} ${java_cmd} -Xmx1g -DJENKINS_HOME=${jenkins_home} ${jenkins_java_opts} -jar /usr/local/share/jenkins/jenkins.war ${jenkins_args} >> ${jenkins_log_file} 2>&1"
+required_files="${java_cmd}"
+
+start_precmd=jenkins_prestart
+start_cmd=jenkins_start
+
+jenkins_prestart()
+{
+	if [ ! -f "${jenkins_log_file}" ]; then
+		install -o "${jenkins_user}" -g "${jenkins_group}" -m 640 /dev/null "${jenkins_log_file}"
+	fi
+	if [ ! -d "/var/run/jenkins" ]; then
+		install -d -o "${jenkins_user}" -g "${jenkins_group}" -m 750 "/var/run/jenkins"
+	fi
+}
+
+jenkins_start()
+{
+	check_startmsgs && echo "Starting ${name}."
+	su -l ${jenkins_user} -c "exec ${command} ${command_args} ${rc_arg}"
+}
+
+run_rc_command "$1"

jails/config/common/resolvconf.conf

@@ -0,0 +1,2 @@
+export search_domains=ahlawat.com
+export name_servers="192.168.0.5 fd01::5"

jails/config/common/snip-sendmail.sh

@@ -12,7 +12,7 @@
 # TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections
 echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
 echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
-IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
+IP6=`ifconfig -f inet6:cidr | grep "fd01::" | cut -d" " -f 2 | cut -d "/" -f 1`
 echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
 echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc
 echo "define(\`confTO_CONNECT', \`1m')" >> /etc/mail/$HOSTNAME.mc

jails/config/dns/update6.sh

@@ -0,0 +1,18 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+SIM="-s"
+#SIM=""
+
+rpl $SIM -v -R "2603:3024:3f6:21::" "2603:3024:3f6:1::" ./namedb
+rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1" ./namedb
+rpl $SIM -v -R "2021030900" "2021031100" ./namedb
+
+service $SIM named $SIM restart

jails/config/elk/elasticsearch-xpack.yml

@@ -0,0 +1,10 @@
+# Module: elasticsearch
+# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-elasticsearch.html
+
+- module: elasticsearch
+  xpack.enabled: true
+  period: 10s
+  hosts: ["https://elk.diyit.org:9200"]
+  #username: "user"
+  #password: "secret"
+

jails/config/elk/jvm.options

@@ -19,8 +19,18 @@
 # Xms represents the initial size of total heap space
 # Xmx represents the maximum size of total heap space
 
--Xms4g
--Xmx4g
+-Xmn4G
+-Xms8G
+-Xmx8G
+-XX:MaxMetaspaceSize=2G
+-Xss2G
+
+-Xnoclassgc
+-XX:MaxDirectMemorySize=2G
+
+-XX:InitialRAMPercentage=80
+-XX:MaxRAMPercentage=80
+-XX:MinRAMPercentage=80
 
 ################################################################
 ## Expert settings
@@ -33,7 +43,7 @@
 ################################################################
 
 ## GC configuration
-8-13:-XX:+UseConcMarkSweepGC
+8-9:-XX:+UseConcMarkSweepGC
 8-13:-XX:CMSInitiatingOccupancyFraction=75
 8-13:-XX:+UseCMSInitiatingOccupancyOnly
 
@@ -43,9 +53,9 @@
 # following three lines to your version of the JDK
 # 10-13:-XX:-UseConcMarkSweepGC
 # 10-13:-XX:-UseCMSInitiatingOccupancyOnly
-14-:-XX:+UseG1GC
-14-:-XX:G1ReservePercent=25
-14-:-XX:InitiatingHeapOccupancyPercent=30
+11-:-XX:+UseG1GC
+11-:-XX:G1ReservePercent=25
+11-:-XX:InitiatingHeapOccupancyPercent=30
 
 ## JVM temporary directory
 -Djava.io.tmpdir=${ES_TMPDIR}
@@ -58,10 +68,10 @@
 
 # specify an alternative path for heap dumps; ensure the directory exists and
 # has sufficient space
--XX:HeapDumpPath=data
+-XX:HeapDumpPath=/data
 
 # specify an alternative path for JVM fatal error logs
--XX:ErrorFile=logs/hs_err_pid%p.log
+-XX:ErrorFile=/var/log/hs_err_pid%p.log
 
 ## JDK 8 GC logging
 8:-XX:+PrintGCDetails

jails/config/elk/kibana-xpack.yml

@@ -0,0 +1,10 @@
+# Module: kibana
+# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-kibana.html
+
+- module: kibana
+  xpack.enabled: true
+  period: 10s
+  hosts: ["localhost:5601"]
+  #basepath: ""
+  #username: "user"
+  #password: "secret"

jails/config/elk/metricbeat.yml

@@ -0,0 +1,189 @@
+###################### Metricbeat Configuration Example #######################
+
+# This file is an example configuration file highlighting only the most common
+# options. The metricbeat.reference.yml file from the same directory contains all the
+# supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/metricbeat/index.html
+
+# =========================== Modules configuration ============================
+
+metricbeat.config.modules:
+  # Glob pattern for configuration loading
+  path: ${path.config}/metricbeat.modules.d/*.yml
+
+  # Set to true to enable config reloading
+  reload.enabled: false
+
+  # Period on which files under path should be checked for changes
+  #reload.period: 10s
+
+# ======================= Elasticsearch template setting =======================
+
+setup.template.settings:
+  index.number_of_shards: 1
+  index.codec: best_compression
+  #_source.enabled: false
+
+
+# ================================== General ===================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+#  env: staging
+
+# ================================= Dashboards =================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+# =================================== Kibana ===================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Kibana Space ID
+  # ID of the Kibana Space into which the dashboards should be loaded. By default,
+  # the Default Space will be used.
+  #space.id:
+
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Metricbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Array of hosts to connect to.
+  hosts: ["elk.diyit.org:9200"]
+
+  # Protocol - either `http` (default) or `https`.
+  protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  #username: "elastic"
+  #password: "changeme"
+
+# ------------------------------ Logstash Output -------------------------------
+#output.logstash:
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Optional SSL. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+# ================================= Processors =================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+  - add_host_metadata: ~
+  - add_cloud_metadata: ~
+#  - add_docker_metadata: ~
+#  - add_kubernetes_metadata: ~
+
+
+# ================================== Logging ===================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+# ============================= X-Pack Monitoring ==============================
+# Metricbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Metricbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+# ============================== Instrumentation ===============================
+
+# Instrumentation support for the metricbeat.
+#instrumentation:
+    # Set to true to enable instrumentation of metricbeat.
+    #enabled: false
+
+    # Environment in which metricbeat is running on (eg: staging, production, etc.)
+    #environment: ""
+
+    # APM Server hosts to report instrumentation results to.
+    #hosts:
+    #  - http://localhost:8200
+
+    # API Key for the APM Server(s).
+    # If api_key is set then secret_token will be ignored.
+    #api_key:
+
+    # Secret token for the APM Server(s).
+    #secret_token:
+
+
+# ================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true
+

jails/config/hass/hass-upgrade.sh

@@ -0,0 +1,4 @@
+#!/usr/local/bin/bash
+source /data/homeassistant/bin/activate
+#pip install --upgrade git+git://github.com/home-assistant/home-assistant.git@dev
+pip install --upgrade homeassistant

jails/config/hub/sshguard.conf

@@ -23,21 +23,21 @@ FILES="/var/log/auth.log"
 #### OPTIONS ####
 # Block attackers when their cumulative attack score exceeds THRESHOLD.
 # Most attacks have a score of 10. (optional, default 30)
-THRESHOLD=30
+THRESHOLD=10
 
 # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
 # Subsequent blocks increase by a factor of 1.5. (optional, default 120)
-BLOCK_TIME=120
+BLOCK_TIME=1200
 
 # Remember potential attackers for up to DETECTION_TIME seconds before
 # resetting their score. (optional, default 1800)
-DETECTION_TIME=1800
+DETECTION_TIME=18000
 
 # Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
-IPV6_SUBNET=128
+IPV6_SUBNET=64
 
 # Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
-IPV4_SUBNET=32
+IPV4_SUBNET=24
 
 #### EXTRAS ####
 # !! Warning: These features may not work correctly with sandboxing. !!

jails/config/ibm/ipfw.rules

@@ -63,8 +63,8 @@ $cmd 01300 check-state
 # Allow access to DNS
 $cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
 $cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
-$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
-$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
+$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state
+$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state
 
 # Allow access to ISP's DHCP server for cable/DSL configurations.
 # Use the first rule and check log for IP address.

jails/config/jump/branding/css/login-override.css

@@ -0,0 +1,12 @@
+.login-ui .login-dialog .logo {
+    background-image: url('app/ext/tempnamespace/images/logo-placeholder.png');
+	width: 5em;
+	-webkit-background-size: 5em auto;
+}
+div.login-ui {
+	background: #666;
+	background-color: #666;
+}
+.login-ui .login-dialog {
+	background-color: white;
+}

jails/config/jump/branding/guac-manifest.json

@@ -0,0 +1,20 @@
+{
+        "guacamoleVersion" : "*",
+        "name" : "Tempname",
+        "namespace" : "tempnamespace",
+        "translations" : [
+		"translations/en.json"
+	 ],
+
+	 "css" : [
+                "css/login-override.css"
+         ],
+
+     "html" : [
+                "loginDisclaimer.html"
+         ],
+
+	 "resources" : {
+                "images/logo-placeholder.png" : "image/png"
+         }
+}

jails/config/jump/branding/loginDisclaimer.html

@@ -0,0 +1,6 @@
+<meta name="after" content=".login-ui .login-dialog">
+
+<div class="welcome">
+Ahlawat Network's Remote Access Server
+<p>Restricted Access - only use if you have permission<p>
+</div>

jails/config/jump/branding/translations/en.json

@@ -0,0 +1,5 @@
+{
+    "APP":{
+		"NAME" : "Ahlawat Net RAS"
+	  }
+}

jails/config/jump/guacamole-client/branding/css/login-override.css

@@ -0,0 +1,12 @@
+.login-ui .login-dialog .logo {
+    background-image: url('app/ext/tempnamespace/images/logo-placeholder.png');
+	width: 5em;
+	-webkit-background-size: 5em auto;
+}
+div.login-ui {
+	background: #666;
+	background-color: #666;
+}
+.login-ui .login-dialog {
+	background-color: white;
+}

jails/config/jump/guacamole-client/branding/guac-manifest.json

@@ -0,0 +1,20 @@
+{
+        "guacamoleVersion" : "*",
+        "name" : "Tempname",
+        "namespace" : "tempnamespace",
+        "translations" : [
+		"translations/en.json"
+	 ],
+
+	 "css" : [
+                "css/login-override.css"
+         ],
+
+     "html" : [
+                "loginDisclaimer.html"
+         ],
+
+	 "resources" : {
+                "images/logo-placeholder.png" : "image/png"
+         }
+}

jails/config/jump/guacamole-client/branding/loginDisclaimer.html

@@ -0,0 +1,6 @@
+<meta name="after" content=".login-ui .login-dialog">
+
+<div class="welcome">
+Ahlawat Network's Remote Access Server
+<p>Restricted Access - only use if you have permission<p>
+</div>

jails/config/jump/guacamole-client/branding/translations/en.json

@@ -0,0 +1,5 @@
+{
+    "APP":{
+		"NAME" : "Ahlawat Net RAS"
+	  }
+}

jails/config/jump/guacamole-client/user-mapping.xml

@@ -34,14 +34,14 @@
         	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>
-	<connection name="vnc-rpi3">
+	<connection name="vnc-rpi">
 		<protocol>vnc</protocol>
 		<param name="hostname">192.168.200.192</param>
 		<param name="port">5901</param>
 		<param name="password">vncpass</param>
 		<param name="color-depth">24</param>
 	</connection>
-	<connection name="ssh-rpi3">
+	<connection name="ssh-rpi">
         	<protocol>ssh</protocol>
         	<param name="hostname">192.168.200.192</param>
         	<param name="port">22</param>
@@ -58,14 +58,14 @@
     <authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
 	<connection name="vnc">
 		<protocol>vnc</protocol>
-		<param name="hostname">192.168.200.212</param>
+		<param name="hostname">192.168.200.192</param>
 		<param name="port">5901</param>
 		<param name="password">vncpass</param>
 		<param name="color-depth">24</param>
 	</connection>
 	<connection name="ssh">
         	<protocol>ssh</protocol>
-        	<param name="hostname">192.168.200.212</param>
+        	<param name="hostname">192.168.200.192</param>
         	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>

jails/config/ldap-mgr/httpd.conf

@@ -578,6 +578,16 @@ Include etc/apache24/Includes/*.conf
     Require all granted
   </Directory>
 
+  Alias /ssp "/usr/local/www/self-service-password"
+  <Directory "/usr/local/www/self-service-password">
+    AllowOverride None
+    Require all granted
+  </Directory>
+  <Directory "/usr/local/www/self-service-password/scripts">
+    AllowOverride None
+    Require all denied
+  </Directory>
+
   ErrorLog "/var/log/ssl-error.log"
   CustomLog "/var/log/ssl-access_log" combined
 </VirtualHost>

jails/config/ldap-mgr/index.html

@@ -0,0 +1,6 @@
+<head>
+  <meta http-equiv="refresh" content="0; URL=https://ldap-mgr.ahlawat.com/ssp" />
+</head>
+<body>
+  <p>If you are not redirected in zero seconds, <a href="https://ldap-mgr.ahlawat.com/ssp">click here</a>.</p>
+</body>

jails/config/mail/postfix/main.cf

@@ -797,8 +797,10 @@ smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_n
 smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
 # !!! THE LAST SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
 # !!!      DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES      !!!
-smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
+smtpd_recipient_restrictions = permit_mynetworks,check_recipient_access hash:/usr/local/etc/postfix/protected_destinations,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
 smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining
+smtpd_restriction_classes = good_senders_only
+good_senders_only = check_sender_access hash:/usr/local/etc/postfix/restricted_senders,permit
 
 # deliver mail for virtual users to Dovecot's LMTP socket
 virtual_transport = lmtp:unix:private/dovecot-lmtp

jails/config/mail/postfix/protected_destinations

@@ -0,0 +1,4 @@
+# not everyone can send to these destinations
+# we restrict some of them
+
+ahlawat.com     good_senders_only

jails/config/mail/postfix/reinit.sac

@@ -1,10 +1,13 @@
 # update aliases.db
 newaliases
 
-#rm /usr/local/etc/postfix/system-virtual-mailboxes.db
-#postmap /usr/local/etc/postfix/system-virtual-mailboxes
-
 rm /usr/local/etc/postfix/virtual-maillist-alias-maps.db
 postmap /usr/local/etc/postfix/virtual-maillist-alias-maps
 
+rm /usr/local/etc/postfix/protected_destinations.db
+postmap /usr/local/etc/postfix/protected_destinations
+
+rm /usr/local/etc/postfix/restricted_senders.db
+postmap /usr/local/etc/postfix/restricted_senders
+
 service postfix reload

jails/config/mail/postfix/restricted_senders

@@ -0,0 +1,5 @@
+# We do not want mail from these folks, generally
+
+cyou           REJECT  521
+qq.com         REJECT  521
+163.com        REJECT  521

jails/config/maps/maps

@@ -14,30 +14,30 @@
 
 . /etc/rc.subr
 
-: ${mapsserver_enable="NO"}
+: ${maps_enable="NO"}
  
-name=mapsserver
+name=maps
 rcvar=${name}_enable
 
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
 restart_cmd="${name}_restart"
 
-mapsserver_start()
+maps_start()
 {
     cd /data/networkmaps; ./server.js --config /usr/local/etc/networkmaps/config.json &
     cd /data/networkmaps; ./smtp_daemon.js --config /usr/local/etc/networkmaps/config.json &
 }
 
-mapsserver_stop()
+maps_stop()
 {
         ps ax | grep -ie server.js | grep -v grep | awk '{print $1}' | xargs kill -9
         ps ax | grep -ie smtp_daemon.js | grep -v grep | awk '{print $1}' | xargs kill -9
 }
-mapsserver_restart()
+maps_restart()
 {
-	mapsserver_stop
-	mapsserver_start
+	maps_stop
+	maps_start
 }
 
 load_rc_config ${name}

jails/config/meet/hosts.txt

@@ -1,9 +1,46 @@
+# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
+#
+# Host Database
+#
+# This file should contain the addresses and aliases for local hosts that
+# share this file.  Replace 'my.domain' below with the domainname of your
+# machine.
+#
+# In the presence of the domain name service or NIS, this file may
+# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
+#
+#
+::1			localhost localhost.my.domain
+127.0.0.1		localhost localhost.my.domain meet
+#
+# Imaginary network.
+#10.0.0.2		myname.my.domain myname
+#10.0.0.3		myfriend.my.domain myfriend
+#
+# According to RFC 1918, you can use the following IP networks for
+# private nets which will never be connected to the Internet:
+#
+#	10.0.0.0	-   10.255.255.255
+#	172.16.0.0	-   172.31.255.255
+#	192.168.0.0	-   192.168.255.255
+#
+# In case you want to be able to connect to the Internet, you need
+# real official assigned numbers.  Do not try to invent your own network
+# numbers but instead get one from your network provider (if any) or
+# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
+#
+192.168.0.67	meet
+192.168.0.67 meet meet.ahlawat.com
+fd01::67 meet meet.ahlawat.com
 
 192.168.0.67 auth.meet.ahlawat.com
-2603:3024:3f6:e1::67 auth.meet.ahlawat.com
+fd01::67 auth.meet.ahlawat.com
+
 192.168.0.67 confrence.meet.ahlawat.com
-2603:3024:3f6:e1::67 conference.meet.ahlawat.com
+fd01::67 conference.meet.ahlawat.com
+
 192.168.0.67 focus.meet.ahlawat.com
-2603:3024:3f6:e1::67 focus.meet.ahlawat.com
+fd01::67 focus.meet.ahlawat.com
+
 192.168.0.67 jistsi-videobridge.meet.ahlawat.com
-2603:3024:3f6:e1::67 jitsi-videobridge.meet.ahlawat.com
+fd01::67 jitsi-videobridge.meet.ahlawat.com

jails/config/meet/prosody.cfg.lua

@@ -13,7 +13,7 @@
 -- blanks. Good luck, and happy Jabbering!
 
 pidfile = "/var/run/prosody/prosody.pid"
--- interfaces = { "192.168.0.67", "2603:3024:3f6:e1::67" }
+-- interfaces = { "192.168.0.67", "fd01::67" }
 
 ---------- Server-wide settings ----------
 -- Settings in this section apply to the whole server and are the default settings

jails/config/pkgp/nginx.conf

@@ -17,7 +17,7 @@ http {
     tcp_nopush          on;
     aio                 on;
 
-    resolver            192.168.0.5 [2603:3024:3f6:e1::5];
+    resolver            192.168.0.5 [fd01::5];
 
     proxy_http_version          1.1;
     proxy_set_header Connection "";
@@ -182,7 +182,7 @@ http {
             listen      [::]:8013;
             server_name localhost;
             location / {
-                proxy_pass       http://update3.FreeBSD.org;
+                proxy_pass       http://update5.FreeBSD.org;
             }
         }
         server {

jails/config/proxy/haproxy.conf

@@ -66,7 +66,7 @@ frontend ft
   # prevent browser from using non-secure
   http-response add-header Strict-Transport-Security: max-age=15768000
 
-  acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
+  acl network_allowed src 192.168.0.0/24 fd01::/64
   acl restricted_page path -i -m sub /wp-admin
   acl restricted_page path -i -m sub /wp-login
   http-request deny if restricted_page !network_allowed
@@ -80,7 +80,6 @@ frontend ft
   use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
   use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
 
-#  use_backend bk_ahlawat-book if { ssl_fc_sni book.ahlawat.com }
   use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com }
   use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com }
   use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com }
@@ -93,6 +92,7 @@ frontend ft
   use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
   use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
   use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
+  use_backend bk_ahlawat-hass if { ssl_fc_sni hass.ahlawat.com }
 
   use_backend bk_diyit if { ssl_fc_sni diyit.org }
   use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
@@ -113,6 +113,7 @@ frontend ft
   use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
   use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
   use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
+  use_backend bk_beyondbell-dashboard if { ssl_fc_sni dashboard.beyondbell.com }
   use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
   use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
   use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
@@ -131,7 +132,7 @@ backend bk_ahlawat
   http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-sharad
-  balance roundrobin
+#  balance roundrobin
   server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
   http-response add-header X-Frame-Options: SAMEORIGIN
@@ -154,26 +155,24 @@ backend bk_ahlawat-rishabh
 
 
 
-#backend bk_ahlawat-book
-#  server srv1 bookx.ahlawat.com:443 check ssl verify none
-
 backend bk_ahlawat-book-443
-#  server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
   http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-book-444
-#  server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
   http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-book-445
-#  server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
   server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
   http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-cam
   server srv1 192.168.0.54:8765 check
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
   http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_ahlawat-ci
@@ -215,6 +214,12 @@ backend bk_ahlawat-monitor
 
 backend bk_ahlawat-jump
   server srv1 jumpx.ahlawat.com:8080 check
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
+backend bk_ahlawat-hass
+  server srv1 hassx.ahlawat.com:8123 check
+  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
   http-response add-header X-Frame-Options: SAMEORIGIN
 
 
@@ -239,9 +244,6 @@ backend bk_diyit-kibana
 
 backend bk_diyit-maps
   server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
-#  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
 #  http-response add-header X-Frame-Options: SAMEORIGIN
 
 
@@ -281,6 +283,12 @@ backend bk_beyondbell-repo
 #  http-response del-header Strict-Transport-Security
 #  http-response add-header Content-Security-Policy: upgrade-insecure-requests
 
+backend bk_beyondbell-dashboard
+  http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2
+  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2
+  server srv1 192.168.0.92:8080
+  http-response add-header X-Frame-Options: SAMEORIGIN
+
 backend bk_beyondbell-web-moonglade
   server srv1 192.168.0.74:8000
 #  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
@@ -297,6 +305,6 @@ backend bk_beyondbell-r-windows
   http-response add-header X-Frame-Options: SAMEORIGIN
 
 backend bk_beyondbell-windows
-  server srv1 192.168.0.81:26900 check
-  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+  server srv1 192.168.0.81:26900
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
   http-response add-header X-Frame-Options: SAMEORIGIN

jails/config/vm/create_taps.sh

@@ -28,6 +28,11 @@ ifconfig bridge9 addm tap2082 up
 ifconfig tap2082 up
 ifconfig tap2082 inet6 auto_linklocal
 
+ifconfig tap4882 create
+ifconfig bridge48 addm tap4882 up
+ifconfig tap4882 up
+ifconfig tap4882 inet6 auto_linklocal
+
 ifconfig tap83 create
 ifconfig bridge1 addm tap83 up
 ifconfig tap83 up
@@ -58,6 +63,11 @@ ifconfig bridge9 addm tap2086 up
 ifconfig tap2086 up
 ifconfig tap2086 inet6 auto_linklocal
 
+ifconfig tap4886 create
+ifconfig bridge48 addm tap4886 up
+ifconfig tap4886 up
+ifconfig tap4886 inet6 auto_linklocal
+
 ifconfig tap90 create
 ifconfig bridge1 addm tap90 up
 ifconfig tap90 up
@@ -83,6 +93,11 @@ ifconfig bridge9 addm tap2097 up
 ifconfig tap2097 up
 ifconfig tap2097 inet6 auto_linklocal
 
+ifconfig tap4897 create
+ifconfig bridge48 addm tap4897 up
+ifconfig tap4897 up
+ifconfig tap4897 inet6 auto_linklocal
+
 ifconfig tap96 create
 ifconfig bridge1 addm tap96 up
 ifconfig tap96 up
@@ -97,3 +112,8 @@ ifconfig tap2096 create
 ifconfig bridge9 addm tap2096 up
 ifconfig tap2096 up
 ifconfig tap2096 inet6 auto_linklocal
+
+ifconfig tap4896 create
+ifconfig bridge48 addm tap4896 up
+ifconfig tap4896 up
+ifconfig tap4896 inet6 auto_linklocal

jails/config/vm/cvm-a.sh

@@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \
 -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
 -s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
+-s 7,virtio-net,tap4897,mac=00:0A:0B:0C:7D:97 \
 -s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
 -s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
 -s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
@@ -59,12 +60,3 @@ exit $?
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
 #zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
-# on boot
-#ifconfig tap97 create
-#ifconfig bridge1 addm tap97 up
-#ifconfig tap97 up
-#ifconfig tap97 inet6 auto_linklocal
-#ifconfig tap1097 create
-#ifconfig bridge10 addm tap1097 up
-#ifconfig tap1097 up
-#ifconfig tap1097 inet6 auto_linklocal

jails/config/vm/cvm-b.sh

@@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \
 -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
 -s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
+-s 7,virtio-net,tap4896,mac=00:0A:0B:0C:7D:96 \
 -s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
 -s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
 -s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
@@ -59,12 +60,3 @@ exit $?
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
 #zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
-# on boot
-#ifconfig tap96 create
-#ifconfig bridge1 addm tap96 up
-#ifconfig tap96 up
-#ifconfig tap96 inet6 auto_linklocal
-#ifconfig tap1096 create
-#ifconfig bridge10 addm tap1096 up
-#ifconfig tap1096 up
-#ifconfig tap1096 inet6 auto_linklocal

jails/config/vm/freebsd.sh

@@ -16,7 +16,7 @@ bhyvectl --destroy --vm=freebsd
 while true
 do
 
-bhyve -c 4 -m 8G -A -H -P \
+bhyve -c 2 -m 4G -A -H -P \
 -s 0,hostbridge \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/freebsd \

jails/config/vm/kali.sh

@@ -10,6 +10,9 @@
 
 # ./kali.sh under tmux
 
+# disabled for now
+exit
+
 # clean cached state
 bhyvectl --destroy --vm=kali
 
@@ -21,6 +24,7 @@ bhyve -c 2 -m 4G -A -H -P \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/kali \
 -s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
+-s 7,virtio-net,tap4886,mac=00:0A:0B:0C:8D:86 \
 -s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
 -s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
 -s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
@@ -59,15 +63,6 @@ exit $?
 #on base system:
 #zfs create -V 128G -o refreservation=none ship/raw/kali
 ##zfs create -V 128G -o refreservation=none ship/raw/kali_data
-# on boot
-#ifconfig tap86 create
-#ifconfig bridge1 addm tap86 up
-#ifconfig tap86 up
-#ifconfig tap86 inet6 auto_linklocal
-#ifconfig tap1086 create
-#ifconfig bridge10 addm tap1086 up
-#ifconfig tap1086 up
-#ifconfig tap1086 inet6 auto_linklocal
 
 # Install VNC
 # curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download# 

jails/config/vm/pbx.sh

@@ -16,7 +16,7 @@ bhyvectl --destroy --vm=pbx
 while true
 do
 
-bhyve -c 2 -m 8G -A -H -P \
+bhyve -c 2 -m 4G -A -H -P \
 -s 0,hostbridge \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/pbx \

jails/config/vm/r-windows.sh

@@ -10,13 +10,16 @@
 
 # ./r-windows.sh under tmux
 
+# disabled for now
+exit
+
 # clean cached state
 bhyvectl --destroy --vm=r-windows
 
 while true
 do
 
-bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
+bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \
 -s 0,hostbridge \
 -s 4,ahci-hd,/dev/zvol/ship/raw/r-windows,sectorsize=512 \
 -s 5,virtio-net,tap85,mac=00:0A:0B:0C:0D:85 \

jails/config/vm/ubuntu.sh

@@ -22,6 +22,7 @@ bhyve -c 8 -m 16G -A -H -P \
 -s 4,virtio-blk,/dev/zvol/ship/raw/ubuntu \
 -s 5,virtio-net,tap82,mac=00:0A:0B:0C:0D:82 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/ubuntu_data \
+-s 7,virtio-net,tap4882,mac=00:0A:0B:0C:7D:82 \
 -s 8,virtio-net,tap1082,mac=00:0A:0B:0C:8D:82 \
 -s 9,virtio-net,tap2082,mac=00:0A:0B:0C:9D:82 \
 -s 29,fbuf,tcp=0.0.0.0:5982,w=1600,h=900 \
@@ -59,12 +60,3 @@ exit $?
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/ubuntu
 #zfs create -V 128G -o refreservation=none ship/raw/ubuntu_data
-# on boot
-#ifconfig tap82 create
-#ifconfig bridge1 addm tap82 up
-#ifconfig tap82 up
-#ifconfig tap82 inet6 auto_linklocal
-#ifconfig tap1082 create
-#ifconfig bridge10 addm tap1082 up
-#ifconfig tap1082 up
-#ifconfig tap1082 inet6 auto_linklocal

jails/config/vm/windows.sh

@@ -16,7 +16,7 @@ bhyvectl --destroy --vm=windows
 while true
 do
 
-bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
+bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \
 -s 0,hostbridge \
 -s 4,ahci-hd,/dev/zvol/ship/raw/windows,sectorsize=512 \
 -s 5,virtio-net,tap81,mac=00:0A:0B:0C:0D:81 \

jails/config/vpngw/ipfw.rules

@@ -62,8 +62,8 @@ $cmd 01300 check-state
 # Allow access to DNS
 #$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
 #$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
-#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
-#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
+#$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state
+#$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state
 
 # Allow access to ISP's DHCP server for cable/DSL configurations.
 # Use the first rule and check log for IP address.

jails/config/web-datavpc/resolvconf.conf

@@ -1,2 +1,2 @@
 export search_domains="datavpc.com mydatavpc.com ahlawat.com"
-export name_servers="192.168.0.5 2603:3024:3f6:e1::5"
+export name_servers="192.168.0.5 fd01::5"

jails/config/web-diyit/resolvconf.conf

@@ -1,2 +1,2 @@
-export search_domains="diyit.org diyit.space ahlawat.com"
-export name_servers="192.168.0.5 2603:3024:3f6:e1::5"
+export search_domains="diyit.org ahlawat.com"
+export name_servers="192.168.0.5 fd01::5"

jails/config/web/ahlawat.com.ini

@@ -0,0 +1,16 @@
+imap_host = "mail.ahlawat.com"
+imap_port = 993
+imap_secure = "SSL"
+imap_short_login = On
+sieve_use = Off
+sieve_allow_raw = Off
+sieve_host = ""
+sieve_port = 4190
+sieve_secure = "None"
+smtp_host = "mail.ahlawat.com"
+smtp_port = 587
+smtp_secure = "TLS"
+smtp_short_login = On
+smtp_auth = On
+smtp_php_mail = Off
+white_list = ""

jails/config/web/disabled

@@ -0,0 +1 @@
+outlook.com,qq.com,yahoo.com,gmail.com

jails/config/web/htaccess-rainloop

@@ -0,0 +1,4 @@
+Deny from all
+<IfModule mod_autoindex.c>
+Options -Indexes
+</ifModule>

jails/config/web/plugin-ldap-change-password.ini

@@ -0,0 +1,9 @@
+; RainLoop Webmail plugin (ldap-change-password)
+
+[plugin]
+hostname = "ldaps://ldap.ahlawat.com"
+port = 636
+user_dn_format = "cn={imap:login},ou=people,dc=infra"
+password_field = "userPassword"
+password_enc_type = "SSHA"
+allowed_emails = "*"

jails/create.sh

@@ -29,11 +29,11 @@ JAILUSERVNC=$7
 I6CONFIG=true
 
 I4NW="192.168.0"
-I6NW="2603:3024:3f6:e1"
+I6NW="fd01"
 I4GW="192.168.0.5"
-I6GW="2603:3024:3f6:e1::5"
+I6GW="fd01::5"
 I4NS="192.168.0.5"
-I6NS="2603:3024:3f6:e1::5"
+I6NS="fd01::5"
 # these IP spaces are diyit deployment specific
 
 echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
@@ -69,15 +69,6 @@ if $I6CONFIG; then
 	iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
 fi
 
-# create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf
-iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf"
-if $I6CONFIG; then
-	iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf"
-else
-	iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf"
-fi
-iocage exec $JAIL "resolvconf -u"
-
 iocage exec $JAIL "mkdir -p /mnt/certs"
 iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
 iocage exec $JAIL "mkdir -p /mnt/config"
@@ -87,6 +78,10 @@ iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files
 iocage exec $JAIL "mkdir -p /mnt/common"
 iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
 
+# create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf
+iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"
+iocage exec $JAIL "resolvconf -u"
+
 iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
 iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
 

jails/jails-restore-httpd.sh

@@ -8,6 +8,9 @@
 #
 #
 
+echo "checking pkgp jail nginx instance is running"
+iocage exec pkgp "service nginx status"
+
 web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit web-datavpc ldap-mgr r-ldap-mgr monitor)
 
 for i in ${web_jails[@]};
@@ -35,7 +38,3 @@ do
 	iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
 	iocage exec $i "service apache24 restart"
 done
-
-echo ""
-echo "checking pkgp jail nginx instance is running"
-iocage exec pkgp "service nginx status"

jails/jails-update-cert.sh

@@ -37,6 +37,9 @@ iocage exec mail "service dovecot restart"
 echo "restarting ELK in jail elk after SSL update"
 iocage exec elk "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs"
 iocage exec elk "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs"
+
+exit
+
 iocage exec elk "service elasticsearch restart"
 iocage exec elk "service kibana restart"
 

jails/jails-update-pkgs.sh

@@ -99,3 +99,5 @@ echo "check hub for index.html and adminer version"
 echo ""
 echo "iocage exec cert \"/root/.acme.sh/acme.sh --upgrade\""
 echo "iocage exec cert \"/mnt/config/backup.sh\""
+echo ""
+echo "iocage exec hass \"/mnt/config/hass-upgrade.sh\""

jails/post-restart-checks.txt

@@ -13,7 +13,7 @@ these certifcates need to be updated with /mnt/certs
 
 vpngw:
 service openvpn onestart
-service ipfw restart
+service natd restart
 
 
 ibm:

jails/update.sh

@@ -52,7 +52,7 @@ read -p "update pkgp jail (y/N)? " RESP
 if [ ! -z $RESP ] && [ $RESP == "y" ]; then
     JAIL="pkgp"
     update_jail
-    /root/FreeBSD/jail/jails-update-pkgs.sh pkgp-only
+    /root/FreeBSD/jails/jails-update-pkgs.sh pkgp-only
 fi
 
 read -p "update all jails (y/N)? " RESP

scripts/find-sonewconn.sh

@@ -0,0 +1,16 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+for jail in $(jls -h name | tail +2); do
+    sudo jexec $jail netstat -LAan 2>/dev/null | grep -q $1;
+    if [ $? -eq 0 ]; then
+        echo "found in jail $jail";
+    fi;
+done

scripts/mbuf.sh

@@ -0,0 +1,74 @@
+#!/bin/sh
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+MCLBYTES=2048
+MSIZE=256
+PHYSMEM=`sysctl -n hw.physmem`
+PAGE_SIZE=`sysctl -n hw.pagesize`
+VM_KMEM_SIZE=`sysctl -n vm.kmem_size`
+REALMEM=${VM_KMEM_SIZE}
+MAXMBUFMEM=`expr $REALMEM / 4 \* 3`
+MJUMPAGESIZE=$PAGE_SIZE
+MJUM9BYTES=`expr 9 \* 1024`
+MJUM16BYTES=`expr 16 \* 1024`
+
+#NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 4` # higher # of jails
+NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 3`
+NMBJUMBOP=`expr $MAXMBUFMEM / $MJUMPAGESIZE / 4`
+NMBJUMBO9=`expr $MAXMBUFMEM / $MJUM9BYTES / 6`
+NMBJUMBO16=`expr $MAXMBUFMEM / $MJUM16BYTES / 6`
+
+NMBUFS=`sysctl -n kern.ipc.nmbufs`
+NMMAX1=`expr $NMBCLUSTERS + $NMBJUMBOP + $NMBJUMBO9 + $NMBJUMBO16`
+NMMAX2=`expr $MAXMBUFMEM / $MSIZE / 5`
+if [ $NMMAX1 -gt $NMMAX2 ]; then
+	NMBUFS=$NMMAX1
+else
+	NMBUFS=$NMMAX2
+fi
+
+show()
+{
+	echo "# `basename $0 ` suggested settings:"
+	echo "kern.ipc.maxmbufmem=$MAXMBUFMEM"
+	echo "kern.ipc.nmbclusters=$NMBCLUSTERS"
+	echo "kern.ipc.nmbjumbop=$NMBJUMBOP"
+	echo "kern.ipc.nmbjumbo9=$NMBJUMBO9"
+	echo "kern.ipc.nmbjumbo16=$NMBJUMBO16"
+	echo "kern.ipc.nmbufs=$NMBUFS"
+}
+
+compare()
+{
+	echo "kern.ipc.maxmbufmem:  `sysctl -n kern.ipc.maxmbufmem` (current)"
+	echo "                 -->  $MAXMBUFMEM (suggested)"
+	echo "kern.ipc.nmbclusters: `sysctl -n kern.ipc.nmbclusters`"
+	echo "                  --> $NMBCLUSTERS"
+	echo "kern.ipc.nmbjumbop:   `sysctl -n kern.ipc.nmbjumbop`"
+	echo "                -->   $NMBJUMBOP"
+	echo "kern.ipc.nmbjumbo9:   `sysctl -n kern.ipc.nmbjumbo9`"
+	echo "                -->   $NMBJUMBO9"
+	echo "kern.ipc.nmbjumbo16:  `sysctl -n kern.ipc.nmbjumbo16`"
+	echo "                 -->  $NMBJUMBO16"
+	echo "kern.ipc.nmbufs:      `sysctl -n kern.ipc.nmbufs`"
+	echo "             -->      $NMBUFS"
+    vmstat -z|grep -E '^ITEM|mbuf'
+    netstat -m
+    # vmstat -m
+}
+
+if [ $# -gt 0 ]; then
+	if [ $1 == '-c' ]; then
+		compare
+		exit 0
+	fi
+fi
+
+show