diff --git a/configs/etc/hosts b/configs/etc/hosts new file mode 100644 index 0000000..9516bed --- /dev/null +++ b/configs/etc/hosts @@ -0,0 +1,43 @@ +# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $ +# +# Host Database +# +# This file should contain the addresses and aliases for local hosts that +# share this file. Replace 'my.domain' below with the domainname of your +# machine. +# +# In the presence of the domain name service or NIS, this file may +# not be consulted at all; see /etc/nsswitch.conf for the resolution order. +# +# +::1 localhost localhost.my.domain +127.0.0.1 localhost localhost.my.domain + +192.168.0.10 nas nas.ahlawat.com +fd01::10 nas nas.ahlawat.com +192.168.1.10 nas nas.ahlawat.com +fd02::10 nas nas.ahlawat.com +192.168.2.10 nas nas.ahlawat.com +fd05::10 nas nas.ahlawat.com +192.168.200.10 nas nas.ahlawat.com +fd09::10 nas nas.ahlawat.com +192.168.10.10 nas nas.ahlawat.com +fd0a::10 nas nas.ahlawat.com +192.168.48.10 nas nas.ahlawat.com +2001:470:f835::10 nas nas.ahlawat.com + +# +# Imaginary network. 10.0.0.2 myname.my.domain myname 10.0.0.3 myfriend.my.domain myfriend +# +# According to RFC 1918, you can use the following IP networks for +# private nets which will never be connected to the Internet: +# +# 10.0.0.0 - 10.255.255.255 +# 172.16.0.0 - 172.31.255.255 +# 192.168.0.0 - 192.168.255.255 +# +# In case you want to be able to connect to the Internet, you need +# real official assigned numbers. Do not try to invent your own network +# numbers but instead get one from your network provider (if any) or +# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.) +# diff --git a/configs/etc/rc.conf b/configs/etc/rc.conf index 4e1af89..c146569 100644 --- a/configs/etc/rc.conf +++ b/configs/etc/rc.conf 
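Review bot: The new `nas` block still maps a public GUA — `2001:470:f835::10 nas nas.ahlawat.com` — while the rest of this commit replaces every 2603:3024:3f6:: address with ULA `fd0x::` prefixes; if the public prefix is being retired this line should go too, because /etc/hosts is consulted before DNS under the usual nsswitch order and a stale entry here silently overrides the zone. Neither `192.168.48.10` nor the 2001:470:f835:: address corresponds to any interface configured in the rc.conf hunks of this commit, so a comment naming the interface or tunnel they belong to would help, e.g. `# 192.168.48.0/24, 2001:470:f835::/48 — <which link>`. Note also that classic gethostbyname()-style lookups typically return only the first matching line for an alias, so keep the address clients should prefer for `nas` at the top.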
@@ -6,7 +6,8 @@ kld_list="nmdm vmm ipfw ipdivert linux64" geli_autodetach="NO" # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable -dumpdev="/dev/ada2p3" +#dumpdev="/dev/ada2p3" +dumpdev="NO" dumpdir="/var/crash" savecore_enable="YES" 
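Review bot: `dumpdev="NO"` turns off the kernel dump device but the hunk leaves `savecore_enable="YES"` and `dumpdir="/var/crash"` in place, so savecore now runs at boot with nothing to collect; either set `savecore_enable="NO"` next to it or say in a comment why dumps are off. If the motivation is that a raw dump writes kernel memory — including keys for the GELI volumes configured nearby — to disk in the clear, FreeBSD 12 can encrypt dumps instead (`dumpon -k`, exposed in rc.conf as `dumppubkey` if I recall the name correctly), which keeps the forensic value of a panic without the exposure. Whichever is intended, a one-line comment beside `dumpdev="NO"` should record it.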
@@ -31,49 +32,46 @@ firewall_logif="YES" # interfaces cloned_interfaces_sticky="YES" -cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9" +cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10" ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up" -ifconfig_igb0="up" -ifconfig_igb1="up" +ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso" +ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso" -vlans_lagg0="1 2 5 9" +vlans_lagg0="1 2 5 9 10" ipv6_activate_all_interfaces="YES" rtsold_enable="YES" ifconfig_lagg0_1="inet 192.168.0.10/24" -ifconfig_lagg0_1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv" +ifconfig_lagg0_1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv" ifconfig_lagg0_2="inet 192.168.1.10/24" -ifconfig_lagg0_2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv" +ifconfig_lagg0_2_ipv6="inet6 fd02::10/64 auto_linklocal accept_rtadv" ifconfig_lagg0_5="inet 192.168.2.10/24" -ifconfig_lagg0_5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv" +ifconfig_lagg0_5_ipv6="inet6 fd05::10/64 auto_linklocal accept_rtadv" ifconfig_lagg0_9="inet 192.168.200.10/24" -ifconfig_lagg0_9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv" +ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv" +ifconfig_lagg0_10="inet 192.168.10.10/24" +ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv" ifconfig_bridge1="addm lagg0.1 up" ifconfig_bridge2="addm lagg0.2 up" ifconfig_bridge5="addm lagg0.5 up" ifconfig_bridge9="addm lagg0.9 up" +ifconfig_bridge10="addm lagg0.10 up" # adding IP to bridges does not work #ifconfig_bridge1="inet 192.168.0.10/24" -#ifconfig_bridge1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv" -#ifconfig_bridge2="inet 192.168.1.10/24" -#ifconfig_bridge2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv" -#ifconfig_bridge5="inet 192.168.2.10/24" 
-#ifconfig_bridge5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv" -#ifconfig_bridge9="inet 192.168.200.10/24" -#ifconfig_bridge9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv" +#ifconfig_bridge1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv" defaultrouter="192.168.0.5" -ipv6_defaultrouter="2603:3024:3f6:e1::5" +ipv6_defaultrouter="fd01::5" # interfaces hostname="nas.ahlawat.com" syslogd_enable="YES" -syslogd_flags="-ss" +syslogd_flags="-C -O rfc5424 -ss" syslog_ng_enable="NO" syslog_ng_config="-u daemon" diff --git a/configs/etc/rctl.conf b/configs/etc/rctl.conf new file mode 100644 index 0000000..7f0649b --- /dev/null +++ b/configs/etc/rctl.conf @@ -0,0 +1 @@ +jail:ioc-jump:vmemoryuse:deny=4G/jail diff --git a/configs/etc/sysctl.conf b/configs/etc/sysctl.conf index 4a4dd8d..55f3b5e 100644 --- a/configs/etc/sysctl.conf +++ b/configs/etc/sysctl.conf @@ -1,4 +1,4 @@ -# $FreeBSD: releng/12.1/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $ +# $FreeBSD: releng/12.2/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $ # # This file is read when going to multi-user and its contents piped thru # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details. @@ -7,6 +7,7 @@ # Uncomment this to prevent users from seeing information about processes that # are being run under another UID. security.bsd.see_other_uids=0 +security.bsd.see_other_gids=0 security.bsd.unprivileged_read_msgbuf=0 security.bsd.unprivileged_proc_debug=0 kern.randompid=1 @@ -32,6 +33,13 @@ hw.intr_storm_threshold=9000 kern.ipc.maxsockbuf=16777216 kern.ipc.shm_use_phys=1 kern.ipc.soacceptqueue=1024 + +kern.ipc.nmbclusters=24513148 +kern.ipc.nmbjumbop=9192430 +kern.ipc.nmbjumbo9=2723683 +kern.ipc.nmbjumbo16=1532071 +kern.ipc.nmbufs=117663120 + kern.maxvnodes=4194304 kern.random.harvest.mask=351 kern.threads.max_threads_per_proc=9000 
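Review bot: Every `ifconfig_lagg0_N_ipv6` line in the hunk keeps `accept_rtadv`, and `rtsold_enable="YES"` stays on, even though the addresses are now static ULA and `ipv6_defaultrouter="fd01::5"` is set explicitly; that means any host on any of the five VLANs — including whatever is attached to the jail/VM bridges `bridge1…bridge10` — can send a router advertisement that installs a default route or an extra prefix on the NAS (the RA-spoofing problem described in RFC 6104). Since the router is known and static, drop `accept_rtadv` (and rtsold) from these lines, or keep it only on lagg0.1 where `fd01::5` lives, e.g. `ifconfig_lagg0_2_ipv6="inet6 fd02::10/64 auto_linklocal"`. A smaller point: `syslogd_flags="-C -O rfc5424 -ss"` adds `-C`, which makes syslogd create any log file named in syslog.conf that does not yet exist — fine, but worth a comment because new files will appear under /var/log without a matching newsyslog entry.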
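Review bot: `jail:ioc-jump:vmemoryuse:deny=4G/jail` only takes effect if RACCT is enabled, which on FreeBSD 12 means `kern.racct.enable=1` in /boot/loader.conf (compiled into GENERIC but off by default); nothing in this commit sets it, so either add it or note in a comment that it is already in place. `vmemoryuse` also caps reserved virtual address space rather than resident memory, and the jump jail appears to run a Java Guacamole client (see the guacamole-client tree elsewhere in this commit), whose JVM reserves heap, metaspace, code cache and a stack per thread up front — a 4G virtual cap can make mmap or thread creation fail long before 4G is actually used. If the goal is to bound real memory, `jail:ioc-jump:memoryuse:deny=4G/jail` is the closer match; if it must stay `vmemoryuse`, size it from the JVM's observed VSZ with headroom and say so in a comment.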
@@ -67,7 +75,7 @@ net.inet.tcp.recvbuf_inc=65536 net.inet.tcp.recvbuf_max=16777216 net.inet.tcp.recvspace=262144 net.inet.tcp.rfc6675_pipe=1 -net.inet.tcp.sendbuf_inc=32768 +net.inet.tcp.sendbuf_inc=65536 net.inet.tcp.sendbuf_max=16777216 net.inet.tcp.sendspace=262144 net.inet.tcp.syncache.rexmtlimit=0 @@ -95,7 +103,7 @@ vfs.zfs.arc_max=51539607552 vfs.zfs.delay_min_dirty_percent=96 vfs.zfs.dirty_data_max=12884901888 vfs.zfs.prefetch_disable=0 -vfs.zfs.top_maxinflight=128 +#vfs.zfs.top_maxinflight=128 vfs.zfs.trim.txg_delay=2 vfs.zfs.txg.timeout=90 vfs.zfs.vdev.aggregation_limit=1048576 @@ -116,3 +124,12 @@ net.inet.tcp.rack.data_after_close=0 #Cheap Disk Issues kern.cam.ada.default_timeout=60 kern.cam.da.default_timeout=90 + +# best way to see misconfigured or non operational services +net.inet.tcp.log_in_vain: 1 +net.inet.udp.log_in_vain: 1 + +# Disable File Handle Affinity for NFS write operations. +# It improves NFS write throughput with ZFS sync=always on ship/pxe +vfs.nfsd.fha.write=0 +vfs.nfsd.fha.max_nfsds_per_fh=32 diff --git a/configs/pxe/resolv.conf b/configs/pxe/resolv.conf index f2c5c76..2bc218d 100644 --- a/configs/pxe/resolv.conf +++ b/configs/pxe/resolv.conf @@ -1,7 +1,7 @@ # Generated by resolvconf search diyit.org nameserver 192.168.0.5 -nameserver 2603:3024:3f6:e1::5 -nameserver 2603:3024:3f6:e2::5 -nameserver 2603:3024:3f6:e5::5 -nameserver 2603:3024:3f6:e9::5 +nameserver fd01::5 +nameserver fd02::5 +nameserver fd05::5 +nameserver fd09::5 diff --git a/jails/config/ci/jenkins b/jails/config/ci/jenkins new file mode 100755 index 0000000..36cb709 --- /dev/null +++ b/jails/config/ci/jenkins 
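Review bot: The two new log_in_vain lines are written in sysctl's display form, `net.inet.tcp.log_in_vain: 1` and `net.inet.udp.log_in_vain: 1`, not the `name=value` form sysctl.conf requires, so rc.d/sysctl treats the whole string as an OID name, the lookup fails, and the settings never apply (the first pass runs with `-i`, so there may be no error at all). They should read `net.inet.tcp.log_in_vain=1` and `net.inet.udp.log_in_vain=1`. Once they do work, be aware that value 1 logs every connection attempt to a closed port, so a port scan becomes a line-per-packet stream into syslog that can fill /var/log; pair it with a newsyslog rotation entry, or log scans from the firewall with a rate limit instead. The NFS FHA lines below are fine and already explained by their comment.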
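Review bot: The file now carries five `nameserver` lines, but FreeBSD's resolver (like glibc's) honours only the first three (MAXNS), so `fd05::5` and `fd09::5` are dead entries that will never be queried; trim to the three you actually want tried, e.g. `192.168.0.5`, `fd01::5`, `fd02::5`. The header still says `# Generated by resolvconf` although the file is hand-edited and committed under configs/pxe — if resolvconf runs on the PXE clients it will overwrite this, so either drop the header or disable resolvconf on the target (`resolvconf=NO` in resolvconf.conf) and leave a comment saying which.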
@@ -0,0 +1,86 @@ +#!/bin/sh + +# $FreeBSD: head/devel/jenkins/files/jenkins.in 544211 2020-08-05 09:10:47Z lwhsu $ +# +# PROVIDE: jenkins +# REQUIRE: LOGIN +# KEYWORD: shutdown + +# +# Configuration settings for jenkins in /etc/rc.conf: +# +# jenkins_enable (bool): +# Set to "NO" by default. +# Set it to "YES" to enable jenkins +# +# jenkins_args (str): +# Extra arguments passed to start command +# +# jenkins_home (str) +# Set to "/usr/local/jenkins" by default. +# Set the JENKINS_HOME variable for jenkins process +# +# jenkins_java_home (str): +# Set to "/usr/local/openjdk8" by default. +# Set the Java virtual machine to run jenkins +# +# jenkins_java_opts (str): +# Set to "" by default. +# Java VM args to use. +# +# jenkins_user (str): +# Set to "jenkins" by default. +# User to run jenkins as. +# +# jenkins_group (str): +# Set to "jenkins" by default. +# Group for data file ownership. +# +# jenkins_log_file (str): +# Set to "/var/log/jenkins.log" by default. +# Log file location. +# + +. /etc/rc.subr + +name=jenkins +desc="Jenkins automation server" +rcvar=jenkins_enable + +load_rc_config "${name}" + +: ${jenkins_enable:=NO} +: ${jenkins_home="/usr/local/jenkins"} +: ${jenkins_args="--webroot=${jenkins_home}/war"} +: ${jenkins_java_home="/usr/local/openjdk8"} +: ${jenkins_user="jenkins"} +: ${jenkins_group="jenkins"} +: ${jenkins_log_file="/var/log/jenkins.log"} + +pidfile=/var/run/jenkins/jenkins.pid +command=/usr/sbin/daemon +java_cmd="${jenkins_java_home}/bin/java" +procname="${java_cmd}" +command_args="-p ${pidfile} ${java_cmd} -Xmx1g -DJENKINS_HOME=${jenkins_home} ${jenkins_java_opts} -jar /usr/local/share/jenkins/jenkins.war ${jenkins_args} >> ${jenkins_log_file} 2>&1" +required_files="${java_cmd}" + +start_precmd=jenkins_prestart +start_cmd=jenkins_start + +jenkins_prestart() +{ + if [ ! -f "${jenkins_log_file}" ]; then + install -o "${jenkins_user}" -g "${jenkins_group}" -m 640 /dev/null "${jenkins_log_file}" + fi + if [ ! 
-d "/var/run/jenkins" ]; then + install -d -o "${jenkins_user}" -g "${jenkins_group}" -m 750 "/var/run/jenkins" + fi +} + +jenkins_start() +{ + check_startmsgs && echo "Starting ${name}." + su -l ${jenkins_user} -c "exec ${command} ${command_args} ${rc_arg}" +} + +run_rc_command "$1" diff --git a/jails/config/common/resolvconf.conf b/jails/config/common/resolvconf.conf new file mode 100644 index 0000000..f5ba56b --- /dev/null +++ b/jails/config/common/resolvconf.conf @@ -0,0 +1,2 @@ +export search_domains=ahlawat.com +export name_servers="192.168.0.5 fd01::5" diff --git a/jails/config/common/snip-sendmail.sh b/jails/config/common/snip-sendmail.sh index 7198c37..e83609f 100755 --- a/jails/config/common/snip-sendmail.sh +++ b/jails/config/common/snip-sendmail.sh @@ -12,7 +12,7 @@ # TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc -IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1` +IP6=`ifconfig -f inet6:cidr | grep "fd01::" | cut -d" " -f 2 | cut -d "/" -f 1` echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc echo "define(\`confTO_CONNECT', \`1m')" >> /etc/mail/$HOSTNAME.mc diff --git a/jails/config/dns/update6.sh b/jails/config/dns/update6.sh new file mode 100755 index 0000000..54095b1 --- /dev/null +++ b/jails/config/dns/update6.sh 
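Review bot: `IP6=\`ifconfig -f inet6:cidr | grep "fd01::" | cut -d" " -f 2 | cut -d "/" -f 1\`` is an unanchored substring match, so if the jail ever has more than one address containing `fd01::` (a second alias, a temporary address) `$IP6` becomes multi-line and the generated `CLIENT_OPTIONS(...)` m4 line is corrupted, leaving sendmail either refusing the config or binding the wrong source address. Anchor the match, take one result and drop the backticks: `IP6=$(ifconfig -f inet6:cidr | awk '$1 == "inet6" && $2 ~ /^fd01::/ { sub("/.*", "", $2); print $2; exit }')`. The appends to `/etc/mail/$HOSTNAME.mc` should also quote the path, `"/etc/mail/${HOSTNAME}.mc"`, which costs nothing. The rest of snip-sendmail.sh lies outside this hunk.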
@@ -0,0 +1,18 @@ +#!/usr/local/bin/bash + +# Copyright (c) 2018-2021, diyIT.org +# All rights reserved. +# +# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License") +# https://diyit.org/license/ +# +# + +SIM="-s" +#SIM="" + +rpl $SIM -v -R "2603:3024:3f6:21::" "2603:3024:3f6:1::" ./namedb +rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1" ./namedb +rpl $SIM -v -R "2021030900" "2021031100" ./namedb + +service $SIM named $SIM restart diff --git a/jails/config/elk/elasticsearch-xpack.yml b/jails/config/elk/elasticsearch-xpack.yml new file mode 100644 index 0000000..5692b3e --- /dev/null +++ b/jails/config/elk/elasticsearch-xpack.yml @@ -0,0 +1,10 @@ +# Module: elasticsearch +# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-elasticsearch.html + +- module: elasticsearch + xpack.enabled: true + period: 10s + hosts: ["https://elk.diyit.org:9200"] + #username: "user" + #password: "secret" + diff --git a/jails/config/elk/jvm.options b/jails/config/elk/jvm.options index 67dd885..dda380e 100755 --- a/jails/config/elk/jvm.options +++ b/jails/config/elk/jvm.options @@ -19,8 +19,18 @@ # Xms represents the initial size of total heap space # Xmx represents the maximum size of total heap space --Xms4g --Xmx4g +-Xmn4G +-Xms8G +-Xmx8G +-XX:MaxMetaspaceSize=2G +-Xss2G + +-Xnoclassgc +-XX:MaxDirectMemorySize=2G + +-XX:InitialRAMPercentage=80 +-XX:MaxRAMPercentage=80 +-XX:MinRAMPercentage=80 ################################################################ ## Expert settings @@ -33,7 +43,7 @@ ################################################################ ## GC configuration -8-13:-XX:+UseConcMarkSweepGC +8-9:-XX:+UseConcMarkSweepGC 8-13:-XX:CMSInitiatingOccupancyFraction=75 8-13:-XX:+UseCMSInitiatingOccupancyOnly 
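Review bot: The SOA serial bump is hard-coded — `rpl $SIM -v -R "2021030900" "2021031100" ./namedb` — so the script is single-use, and if the serial is not actually raised the secondaries keep serving the old addresses (a transfer only happens when the serial increases), which is the one thing that must be right when re-addressing a zone; derive it from the date, e.g. `NEW=$(date +%Y%m%d00)`, and check the old value is present before replacing. The script also works on the relative path `./namedb` and then restarts named, so run from the wrong directory it silently changes nothing — add `set -euo pipefail` and `cd "$(dirname "$0")" || exit 1` at the top. The dry-run mode relies on `service $SIM named $SIM restart` being rejected by service(8), which is fragile; gate the restart on `if [ -z "$SIM" ]` instead. Finally this replaces one 2603:3024:3f6:: GUA with another while the rest of the commit moves to ULA — confirm that is intended for the public zone.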
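Review bot: The module targets `https://elk.diyit.org:9200` with `username`/`password` left commented out and no `ssl.*` settings, so either Elasticsearch security is off — in which case anyone who can reach 9200 can read and write the cluster — or this module fails authentication at startup; state which in a comment. If security is on, keep the credentials in the Beats keystore and reference them (`username: "${ES_USER}"`, `password: "${ES_PWD}"`) rather than in this tracked file, and if elk.diyit.org is signed by a private CA add `ssl.certificate_authorities: ["/path/to/ca.pem"]` rather than ever setting `ssl.verification_mode: none`.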
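Review bot: `-Xss2G` gives every JVM thread a two-gigabyte stack; Elasticsearch's default is 1m and it runs hundreds of threads, so this reserves enormous address space per thread and will fail thread creation on any memory-capped jail — it almost certainly meant `-Xss2m`, or should simply be removed. Several of the other new flags contradict each other: an explicit `-Xms8G`/`-Xmx8G` makes the three `-XX:*RAMPercentage=80` lines meaningless (an absolute -Xmx wins), `-Xmn4G` pins the young generation and defeats G1's adaptive sizing on the JDK 11+ path configured later in the file, and `-Xnoclassgc` stops class unloading so metaspace only grows toward the new 2G `MaxMetaspaceSize`. Unless each was measured to help, keep `-Xms8G -Xmx8G` and `-XX:MaxDirectMemorySize=2G` and drop the rest; in any case add a comment per non-default flag saying why it is there.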
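Review bot: CMS is now selected only for JDK 8–9 (`8-9:-XX:+UseConcMarkSweepGC`), but the two CMS tuning lines directly below keep their `8-13:` range, so on JDK 10–13 the JVM is handed `CMSInitiatingOccupancyFraction`/`UseCMSInitiatingOccupancyOnly` without CMS (and on 11–13 alongside the G1 flags in the next hunk), which at best produces "ignoring option" warnings on every start. Narrow them to match: `8-9:-XX:CMSInitiatingOccupancyFraction=75` and `8-9:-XX:+UseCMSInitiatingOccupancyOnly`. The `10-13:` comment block that follows is outside this hunk but describes the old layout and could be updated in the same pass.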
@@ -43,9 +53,9 @@ # following three lines to your version of the JDK # 10-13:-XX:-UseConcMarkSweepGC # 10-13:-XX:-UseCMSInitiatingOccupancyOnly -14-:-XX:+UseG1GC -14-:-XX:G1ReservePercent=25 -14-:-XX:InitiatingHeapOccupancyPercent=30 +11-:-XX:+UseG1GC +11-:-XX:G1ReservePercent=25 +11-:-XX:InitiatingHeapOccupancyPercent=30 ## JVM temporary directory -Djava.io.tmpdir=${ES_TMPDIR} @@ -58,10 +68,10 @@ # specify an alternative path for heap dumps; ensure the directory exists and # has sufficient space --XX:HeapDumpPath=data +-XX:HeapDumpPath=/data # specify an alternative path for JVM fatal error logs --XX:ErrorFile=logs/hs_err_pid%p.log +-XX:ErrorFile=/var/log/hs_err_pid%p.log ## JDK 8 GC logging 8:-XX:+PrintGCDetails diff --git a/jails/config/elk/kibana-xpack.yml b/jails/config/elk/kibana-xpack.yml new file mode 100644 index 0000000..239d60d --- /dev/null +++ b/jails/config/elk/kibana-xpack.yml @@ -0,0 +1,10 @@ +# Module: kibana +# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-kibana.html + +- module: kibana + xpack.enabled: true + period: 10s + hosts: ["localhost:5601"] + #basepath: "" + #username: "user" + #password: "secret" diff --git a/jails/config/elk/metricbeat.yml b/jails/config/elk/metricbeat.yml new file mode 100644 index 0000000..493f376 --- /dev/null +++ b/jails/config/elk/metricbeat.yml 
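Review bot: `-XX:HeapDumpPath=/data` and `-XX:ErrorFile=/var/log/hs_err_pid%p.log` move OOM heap dumps and crash logs to shared locations; an Elasticsearch heap dump contains whatever was indexed plus any credentials the node held in memory, so /data (presumably also the data path) must be owned by the elasticsearch user with mode 0700 and have room for an 8G dump, and the process needs write permission on /var/log or the error file is silently lost. Record both assumptions in a comment, e.g. `# /data must be 0700 elasticsearch:elasticsearch — heap dumps contain index contents`, and consider a dedicated `/data/dumps` directory rather than the data root.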
@@ -0,0 +1,189 @@ +###################### Metricbeat Configuration Example ####################### + +# This file is an example configuration file highlighting only the most common +# options. The metricbeat.reference.yml file from the same directory contains all the +# supported options with more comments. You can use it as a reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/metricbeat/index.html + +# =========================== Modules configuration ============================ + +metricbeat.config.modules: + # Glob pattern for configuration loading + path: ${path.config}/metricbeat.modules.d/*.yml + + # Set to true to enable config reloading + reload.enabled: false + + # Period on which files under path should be checked for changes + #reload.period: 10s + +# ======================= Elasticsearch template setting ======================= + +setup.template.settings: + index.number_of_shards: 1 + index.codec: best_compression + #_source.enabled: false + + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + +# ================================= Dashboards ================================= +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards is disabled by default and can be enabled either by setting the +# options here or by using the `setup` command. +#setup.dashboards.enabled: false + +# The URL from where to download the dashboards archive. 
By default this URL +# has a value which is computed based on the Beat name and version. For released +# versions, this URL points to the dashboard archive on the artifacts.elastic.co +# website. +#setup.dashboards.url: + +# =================================== Kibana =================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Metricbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Array of hosts to connect to. + hosts: ["elk.diyit.org:9200"] + + # Protocol - either `http` (default) or `https`. + protocol: "https" + + # Authentication credentials - either API key or username/password. 
+ #api_key: "id:api_key" + #username: "elastic" + #password: "changeme" + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +# ================================= Processors ================================= + +# Configure processors to enhance or manipulate events generated by the beat. + +processors: + - add_host_metadata: ~ + - add_cloud_metadata: ~ +# - add_docker_metadata: ~ +# - add_kubernetes_metadata: ~ + + +# ================================== Logging =================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publish", "service". +#logging.selectors: ["*"] + +# ============================= X-Pack Monitoring ============================== +# Metricbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Metricbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: + +# Uncomment to send the metrics to Elasticsearch. 
Most settings from the +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ============================== Instrumentation =============================== + +# Instrumentation support for the metricbeat. +#instrumentation: + # Set to true to enable instrumentation of metricbeat. + #enabled: false + + # Environment in which metricbeat is running on (eg: staging, production, etc.) + #environment: "" + + # APM Server hosts to report instrumentation results to. + #hosts: + # - http://localhost:8200 + + # API Key for the APM Server(s). + # If api_key is set then secret_token will be ignored. + #api_key: + + # Secret token for the APM Server(s). + #secret_token: + + +# ================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true + diff --git a/jails/config/hass/hass-upgrade.sh b/jails/config/hass/hass-upgrade.sh new file mode 100755 index 0000000..b993671 --- /dev/null +++ b/jails/config/hass/hass-upgrade.sh @@ -0,0 +1,4 @@ +#!/usr/local/bin/bash +source /data/homeassistant/bin/activate +#pip install --upgrade git+git://github.com/home-assistant/home-assistant.git@dev +pip install --upgrade homeassistant diff --git a/jails/config/hub/sshguard.conf b/jails/config/hub/sshguard.conf index a5e92bd..01457e3 100644 --- a/jails/config/hub/sshguard.conf +++ b/jails/config/hub/sshguard.conf 
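Review bot: `output.elasticsearch` ships to `elk.diyit.org:9200` over `https` with `api_key`/`username`/`password` all commented out and no `ssl.certificate_authorities`, so the beat either writes unauthenticated (meaning the cluster accepts unauthenticated writes from the network) or fails auth; make the intended mode explicit and, if security is on, take the credential from the keystore (`api_key: "${ES_API_KEY}"`) rather than this tracked file. `add_cloud_metadata: ~` is also enabled on what the rest of the commit shows to be an on-prem FreeBSD jail; it probes the EC2/GCE/Azure metadata endpoints (169.254.169.254 and friends) at every start, which is pointless egress and firewall-log noise — comment it out like `add_docker_metadata`. Lastly `metricbeat.config.modules.path` points at `metricbeat.modules.d/*.yml`, not the default `modules.d`; fine if deliberate, but the elasticsearch-xpack.yml and kibana-xpack.yml added in this commit must land there, so a comment saying so would help.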
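Review bot: `pip install --upgrade homeassistant` pulls whatever is latest on PyPI at run time with no version pin and no hash verification, so a bad or hijacked release goes straight into the jail; pin to a reviewed release (`pip install --upgrade 'homeassistant==<tested version>'`) or install from a requirements file with `--require-hashes`. The commented-out alternative uses `git+git://github.com/...`, and the `git://` transport is unauthenticated and unencrypted — if it is ever re-enabled it should be `git+https://`. Add `set -euo pipefail` after the shebang as well, so a failed `source` of the venv does not fall through to installing into the system Python.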
@@ -23,21 +23,21 @@ FILES="/var/log/auth.log" #### OPTIONS #### # Block attackers when their cumulative attack score exceeds THRESHOLD. # Most attacks have a score of 10. (optional, default 30) -THRESHOLD=30 +THRESHOLD=10 # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD. # Subsequent blocks increase by a factor of 1.5. (optional, default 120) -BLOCK_TIME=120 +BLOCK_TIME=1200 # Remember potential attackers for up to DETECTION_TIME seconds before # resetting their score. (optional, default 1800) -DETECTION_TIME=1800 +DETECTION_TIME=18000 # Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128) -IPV6_SUBNET=128 +IPV6_SUBNET=64 # Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32) -IPV4_SUBNET=32 +IPV4_SUBNET=24 #### EXTRAS #### # !! Warning: These features may not work correctly with sandboxing. !! diff --git a/jails/config/ibm/ipfw.rules b/jails/config/ibm/ipfw.rules index 1a2c1c5..330cdcf 100755 --- a/jails/config/ibm/ipfw.rules +++ b/jails/config/ibm/ipfw.rules @@ -63,8 +63,8 @@ $cmd 01300 check-state # Allow access to DNS $cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state $cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state -$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state -$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state +$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state +$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state # Allow access to ISP's DHCP server for cable/DSL configurations. # Use the first rule and check log for IP address. diff --git a/jails/config/jump/branding/css/login-override.css b/jails/config/jump/branding/css/login-override.css new file mode 100644 index 0000000..fe6dfc1 --- /dev/null +++ b/jails/config/jump/branding/css/login-override.css 
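Review bot: `THRESHOLD=10` together with `IPV4_SUBNET=24`/`IPV6_SUBNET=64` means a single failed login (most attacks score 10, per the comment above) blocks the offender's whole /24 or /64 for 20 minutes, growing 1.5× each time, with the score remembered for five hours; one mistyped password from an admin on 192.168.0.0/24 therefore locks the entire LAN out of the hub jail, and an attacker who can make one failed attempt from a shared range (CGNAT, a VPN egress) can deny service to everyone behind it. Before shipping these values add the internal networks to the whitelist — `WHITELIST_FILE=/usr/local/etc/sshguard.whitelist` containing 192.168.0.0/16 and fd00::/8, or `WHITELIST_ARG`, depending on the sshguard version in use — and consider leaving `THRESHOLD` at 20–30 so a typo is not a block. A one-line comment explaining why the aggressive values were chosen would also help the next reader.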
@@ -0,0 +1,12 @@ +.login-ui .login-dialog .logo { + background-image: url('app/ext/tempnamespace/images/logo-placeholder.png'); + width: 5em; + -webkit-background-size: 5em auto; +} +div.login-ui { + background: #666; + background-color: #666; +} +.login-ui .login-dialog { + background-color: white; +} diff --git a/jails/config/jump/branding/guac-manifest.json b/jails/config/jump/branding/guac-manifest.json new file mode 100644 index 0000000..3a0570e --- /dev/null +++ b/jails/config/jump/branding/guac-manifest.json @@ -0,0 +1,20 @@ +{ + "guacamoleVersion" : "*", + "name" : "Tempname", + "namespace" : "tempnamespace", + "translations" : [ + "translations/en.json" + ], + + "css" : [ + "css/login-override.css" + ], + + "html" : [ + "loginDisclaimer.html" + ], + + "resources" : { + "images/logo-placeholder.png" : "image/png" + } +} diff --git a/jails/config/jump/branding/images/logo-placeholder.png b/jails/config/jump/branding/images/logo-placeholder.png new file mode 100644 index 0000000..e7863ad Binary files /dev/null and b/jails/config/jump/branding/images/logo-placeholder.png differ diff --git a/jails/config/jump/branding/loginDisclaimer.html b/jails/config/jump/branding/loginDisclaimer.html new file mode 100644 index 0000000..92cb31d --- /dev/null +++ b/jails/config/jump/branding/loginDisclaimer.html @@ -0,0 +1,6 @@ + + +
+Ahlawat Network's Remote Access Server +

Restricted Access - only use if you have permission

+

diff --git a/jails/config/jump/branding/translations/en.json b/jails/config/jump/branding/translations/en.json new file mode 100644 index 0000000..bd7846d --- /dev/null +++ b/jails/config/jump/branding/translations/en.json @@ -0,0 +1,5 @@ +{ + "APP":{ + "NAME" : "Ahlawat Net RAS" + } +} diff --git a/jails/config/jump/guacamole-client/branding/css/login-override.css b/jails/config/jump/guacamole-client/branding/css/login-override.css new file mode 100644 index 0000000..fe6dfc1 --- /dev/null +++ b/jails/config/jump/guacamole-client/branding/css/login-override.css @@ -0,0 +1,12 @@ +.login-ui .login-dialog .logo { + background-image: url('app/ext/tempnamespace/images/logo-placeholder.png'); + width: 5em; + -webkit-background-size: 5em auto; +} +div.login-ui { + background: #666; + background-color: #666; +} +.login-ui .login-dialog { + background-color: white; +} diff --git a/jails/config/jump/guacamole-client/branding/guac-manifest.json b/jails/config/jump/guacamole-client/branding/guac-manifest.json new file mode 100644 index 0000000..3a0570e --- /dev/null +++ b/jails/config/jump/guacamole-client/branding/guac-manifest.json @@ -0,0 +1,20 @@ +{ + "guacamoleVersion" : "*", + "name" : "Tempname", + "namespace" : "tempnamespace", + "translations" : [ + "translations/en.json" + ], + + "css" : [ + "css/login-override.css" + ], + + "html" : [ + "loginDisclaimer.html" + ], + + "resources" : { + "images/logo-placeholder.png" : "image/png" + } +} diff --git a/jails/config/jump/guacamole-client/branding/images/logo-placeholder.png b/jails/config/jump/guacamole-client/branding/images/logo-placeholder.png new file mode 100644 index 0000000..e7863ad Binary files /dev/null and b/jails/config/jump/guacamole-client/branding/images/logo-placeholder.png differ diff --git a/jails/config/jump/guacamole-client/branding/loginDisclaimer.html b/jails/config/jump/guacamole-client/branding/loginDisclaimer.html new file mode 100644 index 0000000..92cb31d --- /dev/null 
+++ b/jails/config/jump/guacamole-client/branding/loginDisclaimer.html @@ -0,0 +1,6 @@ + + +
+Ahlawat Network's Remote Access Server +

Restricted Access - only use if you have permission

+

diff --git a/jails/config/jump/guacamole-client/branding/translations/en.json b/jails/config/jump/guacamole-client/branding/translations/en.json new file mode 100644 index 0000000..bd7846d --- /dev/null +++ b/jails/config/jump/guacamole-client/branding/translations/en.json @@ -0,0 +1,5 @@ +{ + "APP":{ + "NAME" : "Ahlawat Net RAS" + } +} diff --git a/jails/config/jump/guacamole-client/extensions/branding.jar b/jails/config/jump/guacamole-client/extensions/branding.jar new file mode 100644 index 0000000..14cf59b Binary files /dev/null and b/jails/config/jump/guacamole-client/extensions/branding.jar differ diff --git a/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar b/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.3.0.jar similarity index 94% rename from jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar rename to jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.3.0.jar index 2cd5cb6..0730203 100644 Binary files a/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.2.0.jar and b/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.3.0.jar differ diff --git a/jails/config/jump/guacamole-client/user-mapping.xml b/jails/config/jump/guacamole-client/user-mapping.xml index e691390..51c6f17 100644 --- a/jails/config/jump/guacamole-client/user-mapping.xml +++ b/jails/config/jump/guacamole-client/user-mapping.xml @@ -34,14 +34,14 @@ 22 monospace - + vnc 192.168.200.192 5901 vncpass 24 - + ssh 192.168.200.192 22 @@ -58,14 +58,14 @@ vnc - 192.168.200.212 + 192.168.200.192 5901 vncpass 24 ssh - 192.168.200.212 + 192.168.200.192 22 monospace diff --git a/jails/config/ldap-mgr/httpd.conf b/jails/config/ldap-mgr/httpd.conf index a34ed13..3a15e45 100644 --- a/jails/config/ldap-mgr/httpd.conf +++ b/jails/config/ldap-mgr/httpd.conf 
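Review bot: `user-mapping.xml` carries a plaintext VNC password, `vncpass`, for 192.168.200.192 and is committed to this repository; the only change in these hunks re-points the second VNC/SSH pair from 192.168.200.212 to 192.168.200.192, so both pairs now target the same host — confirm that is intended rather than a copy-paste slip. Since the same commit ships `guacamole-auth-ldap-1.3.0.jar`, the connections and their credentials belong in the LDAP (or JDBC) backend where they stay out of version control, and this file should be reduced to placeholders or removed; if it must stay, rotate `vncpass` now that it has been published. The XML element tags were stripped in this rendering, so I cannot see which connection names these blocks belong to.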
@@ -578,6 +578,16 @@ Include etc/apache24/Includes/*.conf Require all granted + Alias /ssp "/usr/local/www/self-service-password" + + AllowOverride None + Require all granted + + + AllowOverride None + Require all denied + + ErrorLog "/var/log/ssl-error.log" CustomLog "/var/log/ssl-access_log" combined diff --git a/jails/config/ldap-mgr/index.html b/jails/config/ldap-mgr/index.html new file mode 100644 index 0000000..b9a3b71 --- /dev/null +++ b/jails/config/ldap-mgr/index.html @@ -0,0 +1,6 @@ + + + + +
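Review bot: The new `Alias /ssp "/usr/local/www/self-service-password"` exposes the LDAP password-reset application on the ldap-mgr vhost with `Require all granted` on its document directory, while the following `Require all denied` block applies to a directory whose path I cannot see because the `<Directory>` tags were stripped in this rendering; please make sure that denied block covers the app's `scripts/` directory, as the LTB self-service-password documentation recommends, and that `conf/` is not reachable either. A password-reset endpoint is a high-value target (reset tokens, LDAP bind credentials in its config), so unless external self-service reset is a deliberate feature I would restrict it to the internal ranges the haproxy front-end already uses for wp-admin, e.g. `Require ip 192.168.0.0/24 fd01::/64` in place of `Require all granted`. The enclosing `<VirtualHost>` begins before this hunk.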

If you are not redirected in zero seconds, click here.

+ diff --git a/jails/config/mail/postfix/main.cf b/jails/config/mail/postfix/main.cf index 98a8ef5..d0eda8c 100644 --- a/jails/config/mail/postfix/main.cf +++ b/jails/config/mail/postfix/main.cf @@ -797,8 +797,10 @@ smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_n smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination # !!! THE LAST SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!! # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!! -smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient +smtpd_recipient_restrictions = permit_mynetworks,check_recipient_access hash:/usr/local/etc/postfix/protected_destinations,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining +smtpd_restriction_classes = good_senders_only +good_senders_only = check_sender_access hash:/usr/local/etc/postfix/restricted_senders,permit # deliver mail for virtual users to Dovecot's LMTP socket virtual_transport = lmtp:unix:private/dovecot-lmtp diff --git a/jails/config/mail/postfix/protected_destinations b/jails/config/mail/postfix/protected_destinations new file mode 100644 index 0000000..27ebb65 --- /dev/null +++ b/jails/config/mail/postfix/protected_destinations @@ -0,0 +1,4 @@ +# not everyone can send to these destinations +# we restrict some of them + +ahlawat.com good_senders_only diff --git a/jails/config/mail/postfix/reinit.sac b/jails/config/mail/postfix/reinit.sac index b0112d1..38ce204 100755 --- a/jails/config/mail/postfix/reinit.sac +++ b/jails/config/mail/postfix/reinit.sac 
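Review bot: `good_senders_only = check_sender_access hash:/usr/local/etc/postfix/restricted_senders,permit` ends in an explicit `permit`, and because a restriction class's result ends evaluation of the whole `smtpd_recipient_restrictions` list, every unauthenticated sender not in restricted_senders is now permitted to any ahlawat.com recipient before `reject_non_fqdn_recipient`, `reject_unknown_recipient_domain`, `reject_unauth_pipelining` and `reject_unverified_recipient` run — unknown local recipients are accepted again (bounces and backscatter) and pipelining abuse is no longer rejected for the main domain. It is not an open relay, since `smtpd_relay_restrictions` still has `reject_unauth_destination`, but the short-circuit is surely unintended. Drop the trailing `permit` so the class falls through with the implicit DUNNO: `good_senders_only = check_sender_access hash:/usr/local/etc/postfix/restricted_senders`. Note also that `check_recipient_access` sits before `permit_sasl_authenticated`, so your own authenticated users are subject to the sender blocklist when mailing ahlawat.com — probably fine, but worth a comment.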
@@ -1,10 +1,13 @@ # update aliases.db newaliases -#rm /usr/local/etc/postfix/system-virtual-mailboxes.db -#postmap /usr/local/etc/postfix/system-virtual-mailboxes - rm /usr/local/etc/postfix/virtual-maillist-alias-maps.db postmap /usr/local/etc/postfix/virtual-maillist-alias-maps +rm /usr/local/etc/postfix/protected_destinations.db +postmap /usr/local/etc/postfix/protected_destinations + +rm /usr/local/etc/postfix/restricted_senders.db +postmap /usr/local/etc/postfix/restricted_senders + service postfix reload diff --git a/jails/config/mail/postfix/restricted_senders b/jails/config/mail/postfix/restricted_senders new file mode 100644 index 0000000..325ec42 --- /dev/null +++ b/jails/config/mail/postfix/restricted_senders @@ -0,0 +1,5 @@ +# We do not want mail from these folks, generally + +cyou REJECT 521 +qq.com REJECT 521 +163.com REJECT 521 diff --git a/jails/config/maps/maps b/jails/config/maps/maps index d53f5c1..089f446 100755 --- a/jails/config/maps/maps +++ b/jails/config/maps/maps @@ -14,30 +14,30 @@ . /etc/rc.subr -: ${mapsserver_enable="NO"} +: ${maps_enable="NO"} -name=mapsserver +name=maps rcvar=${name}_enable start_cmd="${name}_start" stop_cmd="${name}_stop" restart_cmd="${name}_restart" -mapsserver_start() +maps_start() { cd /data/networkmaps; ./server.js --config /usr/local/etc/networkmaps/config.json & cd /data/networkmaps; ./smtp_daemon.js --config /usr/local/etc/networkmaps/config.json & } -mapsserver_stop() +maps_stop() { ps ax | grep -ie server.js | grep -v grep | awk '{print $1}' | xargs kill -9 ps ax | grep -ie smtp_daemon.js | grep -v grep | awk '{print $1}' | xargs kill -9 } -mapsserver_restart() +maps_restart() { - mapsserver_stop - mapsserver_start + maps_stop + maps_start } load_rc_config ${name} diff --git a/jails/config/meet/hosts.txt b/jails/config/meet/hosts.txt index 9e66d2d..e063217 100644 --- a/jails/config/meet/hosts.txt +++ b/jails/config/meet/hosts.txt 
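Review bot: Each new table is rebuilt as `rm .../protected_destinations.db` followed by `postmap ...`, but as far as I recall postmap rebuilds a hash: table in place under an exclusive lock that smtpd lookups honour, so the `rm` adds nothing except a window in which the table file does not exist at all and smtpd defers with a 451 — and with `protected_destinations` now on the recipient path, that is every inbound message for the domain during the window. Drop the `rm` lines and run only `postmap`. Nothing stops `service postfix reload` when a `postmap` fails either, so a syntax error in one of the new files would reload postfix against a stale or missing table; chain them (`postmap ... && postmap ... && service postfix reload`) or put `set -e` at the top. No shebang is visible in this hunk — if the file is sourced rather than executed, a comment should say so.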
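Review bot: In access(5) the word after `REJECT` is free-form reply text, not a status code, so `qq.com REJECT 521` yields a `554 5.7.1 <addr>: Sender address rejected: 521` response rather than a 521; if a specific code is wanted it must be written as the code itself, e.g. `qq.com 554 5.7.1 Sender domain not accepted here`, and 521 would be the wrong choice anyway since it signals a server that accepts no mail at all. The bare-TLD key `cyou` works only because `smtpd_access_maps` is in the default `parent_domain_matches_subdomains`; a one-line comment saying so would stop someone "fixing" it later. Bear in mind that `check_sender_access` is trivially evaded by a forged envelope sender — this is fine as a nuisance filter, but it is not authentication.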
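Review bot: `maps_stop` runs `ps ax | grep -ie server.js | grep -v grep | awk '{print $1}' | xargs kill -9`, which SIGKILLs every process in the jail whose command line merely contains `server.js` or `smtp_daemon.js` (an editor or unrelated Node app open on such a file included), prints a usage error from `kill` when nothing matches, and never tries SIGTERM; meanwhile `maps_start` launches both daemons as root with a bare `&`, no pidfile and no user drop. Track the two children with daemon(8) pidfiles and stop only those, SIGTERM first, as below; if the Node processes do not need root, add `-u <user>` to the `daemon` lines as well (assumed — confirm what networkmaps needs). The rename from `mapsserver_*` to `maps_*` itself is fine.
```shell
maps_start()
{
	# supervise each daemon with its own pidfile instead of a bare '&' as root
	cd /data/networkmaps && daemon -f -p /var/run/maps-server.pid ./server.js --config /usr/local/etc/networkmaps/config.json
	cd /data/networkmaps && daemon -f -p /var/run/maps-smtp.pid ./smtp_daemon.js --config /usr/local/etc/networkmaps/config.json
}

maps_stop()
{
	# stop only the processes we started; SIGTERM, not SIGKILL
	for _pf in /var/run/maps-server.pid /var/run/maps-smtp.pid; do
		[ -r "${_pf}" ] && kill "$(cat "${_pf}")" 2>/dev/null
		rm -f "${_pf}"
	done
}
# … unchanged: maps_restart, load_rc_config, run_rc_command …
```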
@@ -1,9 +1,46 @@ +# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $ +# +# Host Database +# +# This file should contain the addresses and aliases for local hosts that +# share this file. Replace 'my.domain' below with the domainname of your +# machine. +# +# In the presence of the domain name service or NIS, this file may +# not be consulted at all; see /etc/nsswitch.conf for the resolution order. +# +# +::1 localhost localhost.my.domain +127.0.0.1 localhost localhost.my.domain meet +# +# Imaginary network. +#10.0.0.2 myname.my.domain myname +#10.0.0.3 myfriend.my.domain myfriend +# +# According to RFC 1918, you can use the following IP networks for +# private nets which will never be connected to the Internet: +# +# 10.0.0.0 - 10.255.255.255 +# 172.16.0.0 - 172.31.255.255 +# 192.168.0.0 - 192.168.255.255 +# +# In case you want to be able to connect to the Internet, you need +# real official assigned numbers. Do not try to invent your own network +# numbers but instead get one from your network provider (if any) or +# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.) +# +192.168.0.67 meet +192.168.0.67 meet meet.ahlawat.com +fd01::67 meet meet.ahlawat.com 192.168.0.67 auth.meet.ahlawat.com -2603:3024:3f6:e1::67 auth.meet.ahlawat.com +fd01::67 auth.meet.ahlawat.com + 192.168.0.67 confrence.meet.ahlawat.com -2603:3024:3f6:e1::67 conference.meet.ahlawat.com +fd01::67 conference.meet.ahlawat.com + 192.168.0.67 focus.meet.ahlawat.com -2603:3024:3f6:e1::67 focus.meet.ahlawat.com +fd01::67 focus.meet.ahlawat.com + 192.168.0.67 jistsi-videobridge.meet.ahlawat.com -2603:3024:3f6:e1::67 jitsi-videobridge.meet.ahlawat.com +fd01::67 jitsi-videobridge.meet.ahlawat.com diff --git a/jails/config/meet/prosody.cfg.lua b/jails/config/meet/prosody.cfg.lua index dc33145..91090df 100644 --- a/jails/config/meet/prosody.cfg.lua +++ b/jails/config/meet/prosody.cfg.lua 
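Review bot: The IPv4 lines for two Jitsi components keep the misspelled names `confrence.meet.ahlawat.com` and `jistsi-videobridge.meet.ahlawat.com` while the new IPv6 lines use the correct spellings, so `conference.meet.ahlawat.com` and `jitsi-videobridge.meet.ahlawat.com` resolve only to fd01::67 from this file and any IPv4-only lookup of the real names falls through to DNS. The two context lines should read `192.168.0.67 conference.meet.ahlawat.com` and `192.168.0.67 jitsi-videobridge.meet.ahlawat.com`. The bare name `meet` is now listed on `127.0.0.1` and twice on `192.168.0.67`, which makes a lookup of `meet` order-dependent; keep it on one line.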
@@ -13,7 +13,7 @@ -- blanks. Good luck, and happy Jabbering! pidfile = "/var/run/prosody/prosody.pid" --- interfaces = { "192.168.0.67", "2603:3024:3f6:e1::67" } +-- interfaces = { "192.168.0.67", "fd01::67" } ---------- Server-wide settings ---------- -- Settings in this section apply to the whole server and are the default settings diff --git a/jails/config/pkgp/nginx.conf b/jails/config/pkgp/nginx.conf index 931bf29..5594503 100644 --- a/jails/config/pkgp/nginx.conf +++ b/jails/config/pkgp/nginx.conf @@ -17,7 +17,7 @@ http { tcp_nopush on; aio on; - resolver 192.168.0.5 [2603:3024:3f6:e1::5]; + resolver 192.168.0.5 [fd01::5]; proxy_http_version 1.1; proxy_set_header Connection ""; @@ -182,7 +182,7 @@ http { listen [::]:8013; server_name localhost; location / { - proxy_pass http://update3.FreeBSD.org; + proxy_pass http://update5.FreeBSD.org; } } server { diff --git a/jails/config/proxy/haproxy.conf b/jails/config/proxy/haproxy.conf index 9384100..0f29fea 100644 --- a/jails/config/proxy/haproxy.conf +++ b/jails/config/proxy/haproxy.conf @@ -66,7 +66,7 @@ frontend ft # prevent browser from using non-secure http-response add-header Strict-Transport-Security: max-age=15768000 - acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64 + acl network_allowed src 192.168.0.0/24 fd01::/64 acl restricted_page path -i -m sub /wp-admin acl restricted_page path -i -m sub /wp-login http-request deny if restricted_page !network_allowed @@ -80,7 +80,6 @@ frontend ft use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com } use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com } -# use_backend bk_ahlawat-book if { ssl_fc_sni book.ahlawat.com } use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com } use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com } use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com } 
@@ -93,6 +92,7 @@ frontend ft use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com } use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com } use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com } + use_backend bk_ahlawat-hass if { ssl_fc_sni hass.ahlawat.com } use_backend bk_diyit if { ssl_fc_sni diyit.org } use_backend bk_diyit if { ssl_fc_sni www.diyit.org } @@ -113,6 +113,7 @@ frontend ft use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com } use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com } use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com } + use_backend bk_beyondbell-dashboard if { ssl_fc_sni dashboard.beyondbell.com } use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com } use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com } use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com } @@ -131,7 +132,7 @@ backend bk_ahlawat http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-sharad - balance roundrobin +# balance roundrobin server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN 
@@ -154,26 +155,24 @@ backend bk_ahlawat-rishabh -#backend bk_ahlawat-book -# server srv1 bookx.ahlawat.com:443 check ssl verify none - backend bk_ahlawat-book-443 -# server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 + server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-book-444 -# server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2 + server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-book-445 -# server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2 server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2 + server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-cam server srv1 192.168.0.54:8765 check + server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN backend bk_ahlawat-ci @@ -215,6 +214,12 @@ backend bk_ahlawat-monitor backend bk_ahlawat-jump server srv1 jumpx.ahlawat.com:8080 check + server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 + http-response add-header X-Frame-Options: SAMEORIGIN + +backend bk_ahlawat-hass + server srv1 hassx.ahlawat.com:8123 check + server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN 
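Review bot: The `backup` servers added to bk_ahlawat-book-443/444/445 and bk_ahlawat-cam all point at `sharadx.ahlawat.com:443`, a different application, so when a primary is down HAProxy will transparently serve book.ahlawat.com or the camera hostname from the sharad site — including the browser's cookies scoped to those hostnames — instead of returning a 503. Unless sharadx really hosts fallback content for those names, a maintenance backend or no backup at all is the safer failure mode; if these are meant as replicas, the book-444 and book-445 backups should at least target the matching port rather than 443. For bk_ahlawat-cam the primary is plain HTTP on 192.168.0.54:8765 and the backup is TLS to an unrelated host, which makes the failover even less likely to be intended.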
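Review bot: `http-response add-header X-Frame-Options: SAMEORIGIN` in the new bk_ahlawat-hass block (and the one added to bk_ahlawat-jump) passes the header name with a trailing colon; `add-header <name> <fmt>` takes the name literally, so unless this has been verified on the wire the response carries `X-Frame-Options:: SAMEORIGIN`, which browsers ignore — check with `curl -sI https://hass.ahlawat.com | grep -i frame` and drop the colon (`add-header X-Frame-Options SAMEORIGIN`) if so. Home Assistant also rejects or mis-attributes proxied connections unless its `http:` section lists this proxy in `trusted_proxies` with `use_x_forwarded_for: true`; the frontend that would set `option forwardfor` is outside this hunk, so that is worth confirming alongside it. The backend is plain HTTP to `hassx.ahlawat.com:8123` and nothing in the frontend ACLs restricts the hass hostname by source, so HA's own login is the only gate in front of it.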
@@ -239,9 +244,6 @@ backend bk_diyit-kibana backend bk_diyit-maps server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2 -# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 -# server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2 -# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 # http-response add-header X-Frame-Options: SAMEORIGIN @@ -281,6 +283,12 @@ backend bk_beyondbell-repo # http-response del-header Strict-Transport-Security # http-response add-header Content-Security-Policy: upgrade-insecure-requests +backend bk_beyondbell-dashboard + http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2 + http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2 + server srv1 192.168.0.92:8080 + http-response add-header X-Frame-Options: SAMEORIGIN + backend bk_beyondbell-web-moonglade server srv1 192.168.0.74:8000 # server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 @@ -297,6 +305,6 @@ backend bk_beyondbell-r-windows http-response add-header X-Frame-Options: SAMEORIGIN backend bk_beyondbell-windows - server srv1 192.168.0.81:26900 check - server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 + server srv1 192.168.0.81:26900 +# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2 http-response add-header X-Frame-Options: SAMEORIGIN diff --git a/jails/config/vm/create_taps.sh b/jails/config/vm/create_taps.sh index 8bef4b6..428d9b4 100755 --- a/jails/config/vm/create_taps.sh +++ b/jails/config/vm/create_taps.sh 
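Review bot: The two `replace-header Host` rules in the new bk_beyondbell-dashboard cannot match: `replace-header` applies its regex to the header value, and a Host value is `dashboard.beyondbell.com`, never `...: https://dashboardx.beyondbell.com/...` — the pattern looks carried over from the old `reqrep`/`rsprep` full-line syntax. The response-side rule is doubly dead because responses carry no Host header. If the intent is to present the backend as dashboardx and repair its redirects, the working form is `http-request set-header Host dashboardx.beyondbell.com` on the request and `http-response replace-header Location ^http://192\.168\.0\.92:8080/(.*) https://dashboard.beyondbell.com/\1` on the response. The `server srv1 192.168.0.92:8080` line also has no `check`, so a dead backend is only discovered by client errors.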
@@ -28,6 +28,11 @@ ifconfig bridge9 addm tap2082 up ifconfig tap2082 up ifconfig tap2082 inet6 auto_linklocal +ifconfig tap4882 create +ifconfig bridge48 addm tap4882 up +ifconfig tap4882 up +ifconfig tap4882 inet6 auto_linklocal + ifconfig tap83 create ifconfig bridge1 addm tap83 up ifconfig tap83 up @@ -58,6 +63,11 @@ ifconfig bridge9 addm tap2086 up ifconfig tap2086 up ifconfig tap2086 inet6 auto_linklocal +ifconfig tap4886 create +ifconfig bridge48 addm tap4886 up +ifconfig tap4886 up +ifconfig tap4886 inet6 auto_linklocal + ifconfig tap90 create ifconfig bridge1 addm tap90 up ifconfig tap90 up @@ -83,6 +93,11 @@ ifconfig bridge9 addm tap2097 up ifconfig tap2097 up ifconfig tap2097 inet6 auto_linklocal +ifconfig tap4897 create +ifconfig bridge48 addm tap4897 up +ifconfig tap4897 up +ifconfig tap4897 inet6 auto_linklocal + ifconfig tap96 create ifconfig bridge1 addm tap96 up ifconfig tap96 up @@ -97,3 +112,8 @@ ifconfig tap2096 create ifconfig bridge9 addm tap2096 up ifconfig tap2096 up ifconfig tap2096 inet6 auto_linklocal + +ifconfig tap4896 create +ifconfig bridge48 addm tap4896 up +ifconfig tap4896 up +ifconfig tap4896 inet6 auto_linklocal diff --git a/jails/config/vm/cvm-a.sh b/jails/config/vm/cvm-a.sh index d0f38f8..d246cf8 100755 --- a/jails/config/vm/cvm-a.sh +++ b/jails/config/vm/cvm-a.sh @@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \ -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \ -s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \ -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \ +-s 7,virtio-net,tap4897,mac=00:0A:0B:0C:7D:97 \ -s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \ -s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \ -s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \ 
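Review bot: Each new tap is another copy of the same four unchecked `ifconfig` calls and the script has no error handling, so on a second run `ifconfig tap4882 create` fails with "File exists" and the following lines still run, while a failed `addm` (for example if bridge48 is not created before this point — its creation is not visible in these hunks) is silently ignored and the VM boots with a dangling NIC. A small helper removes the duplication across the four hunks and makes the failure visible:
```sh
# mktap TAP BRIDGE: create TAP if missing, attach it to BRIDGE, bring both up.
mktap() {
  ifconfig "$1" >/dev/null 2>&1 || ifconfig "$1" create || exit 1
  ifconfig "$2" | grep -q "member: $1 " || ifconfig "$2" addm "$1" || exit 1
  ifconfig "$2" up
  ifconfig "$1" up
  ifconfig "$1" inet6 auto_linklocal
}
# ... unchanged: existing tap definitions ...
mktap tap4882 bridge48
```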
@@ -59,12 +60,3 @@ exit $? #on base system: #zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition #zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition -# on boot -#ifconfig tap97 create -#ifconfig bridge1 addm tap97 up -#ifconfig tap97 up -#ifconfig tap97 inet6 auto_linklocal -#ifconfig tap1097 create -#ifconfig bridge10 addm tap1097 up -#ifconfig tap1097 up -#ifconfig tap1097 inet6 auto_linklocal diff --git a/jails/config/vm/cvm-b.sh b/jails/config/vm/cvm-b.sh index 8a75745..3804e0b 100755 --- a/jails/config/vm/cvm-b.sh +++ b/jails/config/vm/cvm-b.sh @@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \ -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \ -s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \ -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \ +-s 7,virtio-net,tap4896,mac=00:0A:0B:0C:7D:96 \ -s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \ -s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \ -s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \ @@ -59,12 +60,3 @@ exit $? #on base system: #zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition #zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition -# on boot -#ifconfig tap96 create -#ifconfig bridge1 addm tap96 up -#ifconfig tap96 up -#ifconfig tap96 inet6 auto_linklocal -#ifconfig tap1096 create -#ifconfig bridge10 addm tap1096 up -#ifconfig tap1096 up -#ifconfig tap1096 inet6 auto_linklocal diff --git a/jails/config/vm/freebsd.sh b/jails/config/vm/freebsd.sh index 87f0a40..35e7287 100755 --- a/jails/config/vm/freebsd.sh +++ b/jails/config/vm/freebsd.sh @@ -16,7 +16,7 @@ bhyvectl --destroy --vm=freebsd while true do -bhyve -c 4 -m 8G -A -H -P \ +bhyve -c 2 -m 4G -A -H -P \ -s 0,hostbridge \ -s 3,ahci-cd \ -s 4,virtio-blk,/dev/zvol/ship/raw/freebsd \ diff --git a/jails/config/vm/kali.sh b/jails/config/vm/kali.sh index 7ffd5f1..0d6f62f 100755 --- a/jails/config/vm/kali.sh +++ b/jails/config/vm/kali.sh 
@@ -10,6 +10,9 @@ # ./kali.sh under tmux +# disabled for now +exit + # clean cached state bhyvectl --destroy --vm=kali @@ -21,6 +24,7 @@ bhyve -c 2 -m 4G -A -H -P \ -s 3,ahci-cd \ -s 4,virtio-blk,/dev/zvol/ship/raw/kali \ -s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \ +-s 7,virtio-net,tap4886,mac=00:0A:0B:0C:8D:86 \ -s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \ -s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \ -s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \ @@ -59,15 +63,6 @@ exit $? #on base system: #zfs create -V 128G -o refreservation=none ship/raw/kali ##zfs create -V 128G -o refreservation=none ship/raw/kali_data -# on boot -#ifconfig tap86 create -#ifconfig bridge1 addm tap86 up -#ifconfig tap86 up -#ifconfig tap86 inet6 auto_linklocal -#ifconfig tap1086 create -#ifconfig bridge10 addm tap1086 up -#ifconfig tap1086 up -#ifconfig tap1086 inet6 auto_linklocal # Install VNC # curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download# diff --git a/jails/config/vm/pbx.sh b/jails/config/vm/pbx.sh index 0927a76..c33d433 100755 --- a/jails/config/vm/pbx.sh +++ b/jails/config/vm/pbx.sh @@ -16,7 +16,7 @@ bhyvectl --destroy --vm=pbx while true do -bhyve -c 2 -m 8G -A -H -P \ +bhyve -c 2 -m 4G -A -H -P \ -s 0,hostbridge \ -s 3,ahci-cd \ -s 4,virtio-blk,/dev/zvol/ship/raw/pbx \ diff --git a/jails/config/vm/r-windows.sh b/jails/config/vm/r-windows.sh index d35583e..4084799 100755 --- a/jails/config/vm/r-windows.sh +++ b/jails/config/vm/r-windows.sh @@ -10,13 +10,16 @@ # ./r-windows.sh under tmux +# disabled for now +exit + # clean cached state bhyvectl --destroy --vm=r-windows while true do -bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \ +bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \ -s 0,hostbridge \ -s 4,ahci-hd,/dev/zvol/ship/raw/r-windows,sectorsize=512 \ -s 5,virtio-net,tap85,mac=00:0A:0B:0C:0D:85 \ 
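Review bot: The new NIC `-s 7,virtio-net,tap4886,mac=00:0A:0B:0C:8D:86` reuses the MAC of the slot-8 NIC on the next line (`tap1086,mac=00:0A:0B:0C:8D:86`), so two guest interfaces on two different bridges would share one hardware address. Every other VM in this commit uses `7D` for slot 7 (cvm-a, cvm-b, ubuntu), so this should be `mac=00:0A:0B:0C:7D:86`. The VM is disabled by the bare `exit` added above, which is why it has not bitten yet; that `exit` should carry a status and a reason (`exit 0  # disabled until ...`) so a later reader does not take it for a merge leftover.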
diff --git a/jails/config/vm/ubuntu.sh b/jails/config/vm/ubuntu.sh index 9352772..da09baf 100755 --- a/jails/config/vm/ubuntu.sh +++ b/jails/config/vm/ubuntu.sh @@ -22,6 +22,7 @@ bhyve -c 8 -m 16G -A -H -P \ -s 4,virtio-blk,/dev/zvol/ship/raw/ubuntu \ -s 5,virtio-net,tap82,mac=00:0A:0B:0C:0D:82 \ -s 6,virtio-blk,/dev/zvol/ship/raw/ubuntu_data \ +-s 7,virtio-net,tap4882,mac=00:0A:0B:0C:7D:82 \ -s 8,virtio-net,tap1082,mac=00:0A:0B:0C:8D:82 \ -s 9,virtio-net,tap2082,mac=00:0A:0B:0C:9D:82 \ -s 29,fbuf,tcp=0.0.0.0:5982,w=1600,h=900 \ @@ -59,12 +60,3 @@ exit $? #on base system: #zfs create -V 32G -o refreservation=none ship/raw/ubuntu #zfs create -V 128G -o refreservation=none ship/raw/ubuntu_data -# on boot -#ifconfig tap82 create -#ifconfig bridge1 addm tap82 up -#ifconfig tap82 up -#ifconfig tap82 inet6 auto_linklocal -#ifconfig tap1082 create -#ifconfig bridge10 addm tap1082 up -#ifconfig tap1082 up -#ifconfig tap1082 inet6 auto_linklocal diff --git a/jails/config/vm/windows.sh b/jails/config/vm/windows.sh index b7626b6..841d39b 100755 --- a/jails/config/vm/windows.sh +++ b/jails/config/vm/windows.sh @@ -16,7 +16,7 @@ bhyvectl --destroy --vm=windows while true do -bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \ +bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \ -s 0,hostbridge \ -s 4,ahci-hd,/dev/zvol/ship/raw/windows,sectorsize=512 \ -s 5,virtio-net,tap81,mac=00:0A:0B:0C:0D:81 \ diff --git a/jails/config/vpngw/ipfw.rules b/jails/config/vpngw/ipfw.rules index 0ea0c43..9d1282c 100755 --- a/jails/config/vpngw/ipfw.rules +++ b/jails/config/vpngw/ipfw.rules 
@@ -62,8 +62,8 @@ $cmd 01300 check-state # Allow access to DNS #$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state #$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state -#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state -#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state +#$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state +#$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state # Allow access to ISP's DHCP server for cable/DSL configurations. # Use the first rule and check log for IP address. diff --git a/jails/config/web-datavpc/resolvconf.conf b/jails/config/web-datavpc/resolvconf.conf index 265151b..710615a 100644 --- a/jails/config/web-datavpc/resolvconf.conf +++ b/jails/config/web-datavpc/resolvconf.conf @@ -1,2 +1,2 @@ export search_domains="datavpc.com mydatavpc.com ahlawat.com" -export name_servers="192.168.0.5 2603:3024:3f6:e1::5" +export name_servers="192.168.0.5 fd01::5" diff --git a/jails/config/web-diyit/resolvconf.conf b/jails/config/web-diyit/resolvconf.conf index 9ea4ee9..3f5bb58 100644 --- a/jails/config/web-diyit/resolvconf.conf +++ b/jails/config/web-diyit/resolvconf.conf @@ -1,2 +1,2 @@ -export search_domains="diyit.org diyit.space ahlawat.com" -export name_servers="192.168.0.5 2603:3024:3f6:e1::5" +export search_domains="diyit.org ahlawat.com" +export name_servers="192.168.0.5 fd01::5" diff --git a/jails/config/web/ahlawat.com.ini b/jails/config/web/ahlawat.com.ini new file mode 100644 index 0000000..1f54c16 --- /dev/null +++ b/jails/config/web/ahlawat.com.ini 
@@ -0,0 +1,16 @@ +imap_host = "mail.ahlawat.com" +imap_port = 993 +imap_secure = "SSL" +imap_short_login = On +sieve_use = Off +sieve_allow_raw = Off +sieve_host = "" +sieve_port = 4190 +sieve_secure = "None" +smtp_host = "mail.ahlawat.com" +smtp_port = 587 +smtp_secure = "TLS" +smtp_short_login = On +smtp_auth = On +smtp_php_mail = Off +white_list = "" \ No newline at end of file diff --git a/jails/config/web/disabled b/jails/config/web/disabled new file mode 100644 index 0000000..f01e123 --- /dev/null +++ b/jails/config/web/disabled @@ -0,0 +1 @@ +outlook.com,qq.com,yahoo.com,gmail.com \ No newline at end of file diff --git a/jails/config/web/htaccess-rainloop b/jails/config/web/htaccess-rainloop new file mode 100644 index 0000000..c59c358 --- /dev/null +++ b/jails/config/web/htaccess-rainloop @@ -0,0 +1,4 @@ +Deny from all + +Options -Indexes + \ No newline at end of file diff --git a/jails/config/web/plugin-ldap-change-password.ini b/jails/config/web/plugin-ldap-change-password.ini new file mode 100644 index 0000000..d493e6d --- /dev/null +++ b/jails/config/web/plugin-ldap-change-password.ini @@ -0,0 +1,9 @@ +; RainLoop Webmail plugin (ldap-change-password) + +[plugin] +hostname = "ldaps://ldap.ahlawat.com" +port = 636 +user_dn_format = "cn={imap:login},ou=people,dc=infra" +password_field = "userPassword" +password_enc_type = "SSHA" +allowed_emails = "*" \ No newline at end of file diff --git a/jails/create.sh b/jails/create.sh index 78f49fd..b514b06 100755 --- a/jails/create.sh +++ b/jails/create.sh @@ -29,11 +29,11 @@ JAILUSERVNC=$7 I6CONFIG=true I4NW="192.168.0" -I6NW="2603:3024:3f6:e1" +I6NW="fd01" I4GW="192.168.0.5" -I6GW="2603:3024:3f6:e1::5" +I6GW="fd01::5" I4NS="192.168.0.5" -I6NS="2603:3024:3f6:e1::5" +I6NS="fd01::5" # these IP spaces are diyit deployment specific echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC" 
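Review bot: `Deny from all` in the new htaccess-rainloop is the Apache 2.2 `mod_authz_host` syntax; the web jails here run `apache24` (see jails-restore-httpd.sh in this commit), where it only works if `mod_access_compat` is loaded and otherwise is an unknown directive that turns every request under the directory into a 500 instead of a 403. The 2.4 form is `Require all denied`. `Options -Indexes` in a `.htaccess` only takes effect if the enclosing `<Directory>` has `AllowOverride Options` (or `All`); that lives in httpd.conf outside this diff, so it is worth confirming the file is honoured at all rather than assuming the data directory is protected.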
@@ -69,15 +69,6 @@ if $I6CONFIG; then iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts" fi -# create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf -iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf" -if $I6CONFIG; then - iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf" -else - iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf" -fi -iocage exec $JAIL "resolvconf -u" - iocage exec $JAIL "mkdir -p /mnt/certs" iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0 iocage exec $JAIL "mkdir -p /mnt/config" @@ -87,6 +78,10 @@ iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files iocage exec $JAIL "mkdir -p /mnt/common" iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0 +# create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf +iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/" +iocage exec $JAIL "resolvconf -u" + iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos" iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/" diff --git a/jails/jails-restore-httpd.sh b/jails/jails-restore-httpd.sh index 9f65a02..a318414 100755 --- a/jails/jails-restore-httpd.sh +++ b/jails/jails-restore-httpd.sh @@ -8,6 +8,9 @@ # # +echo "checking pkgp jail nginx instance is running" +iocage exec pkgp "service nginx status" + web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit web-datavpc ldap-mgr r-ldap-mgr monitor) for i in ${web_jails[@]}; 
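Review bot: The new resolvconf line tests the wrong file: `[ -f /mnt/config/resolv.conf ]` but then copies `/mnt/config/resolvconf.conf`, so a jail that ships its own `resolvconf.conf` (web-diyit and web-datavpc in this same commit) gets the common one unless a `resolv.conf` also happens to sit in /mnt/config, and if the first `cp` fails the `||` branch still runs and overwrites it with the common file. It should read `iocage exec $JAIL "[ -f /mnt/config/resolvconf.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"`, matching the pkgp.conf line two lines below; an `if ...; then ...; else ...; fi` inside the quoted command would avoid the `a && b || c` fall-through as well.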
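Review bot: `iocage exec pkgp "service nginx status"` only prints; its exit status is discarded, so the script goes on to restart Apache in a dozen jails even when the package proxy is down, which is presumably what moving the check to the top was meant to catch. Make it gate the rest: `iocage exec pkgp "service nginx status" >/dev/null || { echo "pkgp nginx is not running" >&2; exit 1; }`.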
@@ -35,7 +38,3 @@ do iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf" iocage exec $i "service apache24 restart" done - -echo "" -echo "checking pkgp jail nginx instance is running" -iocage exec pkgp "service nginx status" diff --git a/jails/jails-update-cert.sh b/jails/jails-update-cert.sh index b592aff..ce8196b 100755 --- a/jails/jails-update-cert.sh +++ b/jails/jails-update-cert.sh @@ -37,6 +37,9 @@ iocage exec mail "service dovecot restart" echo "restarting ELK in jail elk after SSL update" iocage exec elk "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs" iocage exec elk "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs" + +exit + iocage exec elk "service elasticsearch restart" iocage exec elk "service kibana restart" diff --git a/jails/jails-update-pkgs.sh b/jails/jails-update-pkgs.sh index efa119f..e93f8f5 100755 --- a/jails/jails-update-pkgs.sh +++ b/jails/jails-update-pkgs.sh @@ -99,3 +99,5 @@ echo "check hub for index.html and adminer version" echo "" echo "iocage exec cert \"/root/.acme.sh/acme.sh --upgrade\"" echo "iocage exec cert \"/mnt/config/backup.sh\"" +echo "" +echo "iocage exec hass \"/mnt/config/hass-upgrade.sh\"" diff --git a/jails/post-restart-checks.txt b/jails/post-restart-checks.txt index 9404edf..4761d41 100644 --- a/jails/post-restart-checks.txt +++ b/jails/post-restart-checks.txt @@ -13,7 +13,7 @@ these certifcates need to be updated with /mnt/certs vpngw: service openvpn onestart -service ipfw restart +service natd restart ibm: diff --git a/jails/update.sh b/jails/update.sh index 117b1f0..3a9ad90 100755 --- a/jails/update.sh +++ b/jails/update.sh @@ -52,7 +52,7 @@ read -p "update pkgp jail (y/N)? " RESP if [ ! -z $RESP ] && [ $RESP == "y" ]; then JAIL="pkgp" update_jail - /root/FreeBSD/jail/jails-update-pkgs.sh pkgp-only + /root/FreeBSD/jails/jails-update-pkgs.sh pkgp-only fi read -p "update all jails (y/N)? " RESP 
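Review bot: The bare `exit` dropped in after copying the renewed certificates into the elk jail means elasticsearch and kibana are never restarted, so they keep serving the old certificate from memory until someone restarts them by hand — and once that certificate expires, TLS to Elasticsearch fails even though the file on disk is current; anything after the kibana restart (outside this hunk) is skipped as well. If the restarts are intentionally deferred, comment out those two lines with a reason and end with `exit 0` rather than silently cutting the script; otherwise keep them and guard only the service that may be stopped, `iocage exec elk "service elasticsearch status" >/dev/null && iocage exec elk "service elasticsearch restart"`.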
diff --git a/scripts/find-sonewconn.sh b/scripts/find-sonewconn.sh
new file mode 100755
index 0000000..5d2aa78
--- /dev/null
+++ b/scripts/find-sonewconn.sh
@@ -0,0 +1,16 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+for jail in $(jls -h name | tail +2); do
+ sudo jexec $jail netstat -LAan 2>/dev/null | grep -q $1;
+ if [ $? -eq 0 ]; then
+ echo "found in jail $jail";
+ fi;
+done
diff --git a/scripts/mbuf.sh b/scripts/mbuf.sh
new file mode 100755
index 0000000..f557f67
--- /dev/null
+++ b/scripts/mbuf.sh
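Review bot: `grep -q $1` takes the search string unquoted and as a regex, so an argument with spaces or metacharacters (an address with dots, a `*.8080` listen entry) is word-split or misread, and when no argument is given grep exits 2 and every jail quietly reports nothing; `$jail` is unquoted as well. The `2>/dev/null` also swallows a failing `jexec` (run without root, jail gone), which then looks identical to "not found". Fail early on a missing argument and use a fixed-string, quoted match:
```bash
[ $# -eq 1 ] || { echo "usage: ${0##*/} PATTERN" >&2; exit 2; }

for jail in $(jls -h name | tail -n +2); do
  if sudo jexec "$jail" netstat -LAan 2>/dev/null | grep -qF -- "$1"; then
    echo "found in jail $jail"
  fi
done
```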
@@ -0,0 +1,74 @@
+#!/bin/sh
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+MCLBYTES=2048
+MSIZE=256
+PHYSMEM=`sysctl -n hw.physmem`
+PAGE_SIZE=`sysctl -n hw.pagesize`
+VM_KMEM_SIZE=`sysctl -n vm.kmem_size`
+REALMEM=${VM_KMEM_SIZE}
+MAXMBUFMEM=`expr $REALMEM / 4 \* 3`
+MJUMPAGESIZE=$PAGE_SIZE
+MJUM9BYTES=`expr 9 \* 1024`
+MJUM16BYTES=`expr 16 \* 1024`
+
+#NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 4` # higher # of jails
+NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 3`
+NMBJUMBOP=`expr $MAXMBUFMEM / $MJUMPAGESIZE / 4`
+NMBJUMBO9=`expr $MAXMBUFMEM / $MJUM9BYTES / 6`
+NMBJUMBO16=`expr $MAXMBUFMEM / $MJUM16BYTES / 6`
+
+NMBUFS=`sysctl -n kern.ipc.nmbufs`
+NMMAX1=`expr $NMBCLUSTERS + $NMBJUMBOP + $NMBJUMBO9 + $NMBJUMBO16`
+NMMAX2=`expr $MAXMBUFMEM / $MSIZE / 5`
+if [ $NMMAX1 -gt $NMMAX2 ]; then
+ NMBUFS=$NMMAX1
+else
+ NMBUFS=$NMMAX2
+fi
+
+show()
+{
+ echo "# `basename $0 ` suggested settings:"
+ echo "kern.ipc.maxmbufmem=$MAXMBUFMEM"
+ echo "kern.ipc.nmbclusters=$NMBCLUSTERS"
+ echo "kern.ipc.nmbjumbop=$NMBJUMBOP"
+ echo "kern.ipc.nmbjumbo9=$NMBJUMBO9"
+ echo "kern.ipc.nmbjumbo16=$NMBJUMBO16"
+ echo "kern.ipc.nmbufs=$NMBUFS"
+}
+
+compare()
+{
+ echo "kern.ipc.maxmbufmem: `sysctl -n kern.ipc.maxmbufmem` (current)"
+ echo " --> $MAXMBUFMEM (suggested)"
+ echo "kern.ipc.nmbclusters: `sysctl -n kern.ipc.nmbclusters`"
+ echo " --> $NMBCLUSTERS"
+ echo "kern.ipc.nmbjumbop: `sysctl -n kern.ipc.nmbjumbop`"
+ echo " --> $NMBJUMBOP"
+ echo "kern.ipc.nmbjumbo9: `sysctl -n kern.ipc.nmbjumbo9`"
+ echo " --> $NMBJUMBO9"
+ echo "kern.ipc.nmbjumbo16: `sysctl -n kern.ipc.nmbjumbo16`"
+ echo " --> $NMBJUMBO16"
+ echo "kern.ipc.nmbufs: `sysctl -n kern.ipc.nmbufs`"
+ echo " --> $NMBUFS"
+ vmstat -z|grep -E '^ITEM|mbuf'
+ netstat -m
+ # vmstat -m
+}
+
+if [ $# -gt 0 ]; then
+ if [ $1 == '-c' ]; then
+ compare
+ exit 0
+ fi
+fi
+
+show
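Review bot: `if [ $1 == '-c' ]` runs under `#!/bin/sh` but uses `==`, which POSIX `test` does not define, and leaves `$1` unquoted so an argument containing spaces breaks the test; `[ "$1" = '-c' ]` is the form /bin/sh guarantees. `PHYSMEM` is read from `hw.physmem` but never used — the whole budget derives from `vm.kmem_size` — so either drop it or say in the header why kmem_size is the base. The script only prints and never writes a sysctl, which is good, but the header should state that the printed `kern.ipc.*` values are meant for /boot/loader.conf (`kern.ipc.maxmbufmem` at least is a boot-time tunable, not settable at runtime) and that `maxmbufmem` is taken as 3/4 of kmem_size here. Style-wise, `$(...)` and `$((...))` would replace the backticks and the eight `expr` forks without changing a single result.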