.

2021-04-01 01:23:14 -07:00 · 2021-04-01 01:23:14 -07:00 · 90c5709862
commit 90c5709862
parent 5cee123a3c
64 changed files with 802 additions and 140 deletions
--- a/configs/etc/hosts
+++ b/configs/etc/hosts
@ -0,0 +1,43 @@
 # $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
 #
 # Host Database
 #
 # This file should contain the addresses and aliases for local hosts that
 # share this file.  Replace 'my.domain' below with the domainname of your
 # machine.
 #
 # In the presence of the domain name service or NIS, this file may
 # not be consulted at all; see /etc/nsswitch.conf for the resolution order.
 #
 #
 ::1			localhost localhost.my.domain
 127.0.0.1		localhost localhost.my.domain
 192.168.0.10		nas nas.ahlawat.com
 fd01::10	nas nas.ahlawat.com
 192.168.1.10		nas nas.ahlawat.com
 fd02::10	nas nas.ahlawat.com
 192.168.2.10		nas nas.ahlawat.com
 fd05::10	nas nas.ahlawat.com
 192.168.200.10		nas nas.ahlawat.com
 fd09::10	nas nas.ahlawat.com
 192.168.10.10		nas nas.ahlawat.com
 fd0a::10	nas nas.ahlawat.com
 192.168.48.10		nas nas.ahlawat.com
 2001:470:f835::10	nas nas.ahlawat.com
 #
 # Imaginary network. 10.0.0.2 myname.my.domain myname 10.0.0.3 myfriend.my.domain myfriend
 #
 # According to RFC 1918, you can use the following IP networks for
 # private nets which will never be connected to the Internet:
 #
 #	10.0.0.0	-   10.255.255.255
 #	172.16.0.0	-   172.31.255.255
 #	192.168.0.0	-   192.168.255.255
 #
 # In case you want to be able to connect to the Internet, you need
 # real official assigned numbers.  Do not try to invent your own network
 # numbers but instead get one from your network provider (if any) or
 # from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
 #
--- a/configs/etc/rc.conf
+++ b/configs/etc/rc.conf
@ -6,7 +6,8 @@ kld_list="nmdm vmm ipfw ipdivert linux64"
 geli_autodetach="NO"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
-dumpdev="/dev/ada2p3"
+#dumpdev="/dev/ada2p3"
 dumpdev="NO"
 dumpdir="/var/crash"
 savecore_enable="YES"
@ -31,49 +32,46 @@ firewall_logif="YES"
 # interfaces
 cloned_interfaces_sticky="YES"
-cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9"
+cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10"
 ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
-ifconfig_igb0="up"
+ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
-ifconfig_igb1="up"
+ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
-vlans_lagg0="1 2 5 9"
+vlans_lagg0="1 2 5 9 10"
 ipv6_activate_all_interfaces="YES"
 rtsold_enable="YES"
 ifconfig_lagg0_1="inet 192.168.0.10/24"
-ifconfig_lagg0_1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_2="inet 192.168.1.10/24"
-ifconfig_lagg0_2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_2_ipv6="inet6 fd02::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_5="inet 192.168.2.10/24"
-ifconfig_lagg0_5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_5_ipv6="inet6 fd05::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_9="inet 192.168.200.10/24"
-ifconfig_lagg0_9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv"
+ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv"
 ifconfig_lagg0_10="inet 192.168.10.10/24"
 ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv"
 ifconfig_bridge1="addm lagg0.1 up"
 ifconfig_bridge2="addm lagg0.2 up"
 ifconfig_bridge5="addm lagg0.5 up"
 ifconfig_bridge9="addm lagg0.9 up"
 ifconfig_bridge10="addm lagg0.10 up"
 # adding IP to bridges does not work
 #ifconfig_bridge1="inet 192.168.0.10/24"
-#ifconfig_bridge1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv"
+#ifconfig_bridge1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv"
 #ifconfig_bridge2="inet 192.168.1.10/24"
 #ifconfig_bridge2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv"
 #ifconfig_bridge5="inet 192.168.2.10/24"
 #ifconfig_bridge5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv"
 #ifconfig_bridge9="inet 192.168.200.10/24"
 #ifconfig_bridge9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv"
 defaultrouter="192.168.0.5"
-ipv6_defaultrouter="2603:3024:3f6:e1::5"
+ipv6_defaultrouter="fd01::5"
 # interfaces
 hostname="nas.ahlawat.com"
 syslogd_enable="YES"
-syslogd_flags="-ss"
+syslogd_flags="-C -O rfc5424 -ss"
 syslog_ng_enable="NO"
 syslog_ng_config="-u daemon"
--- a/configs/etc/rctl.conf
+++ b/configs/etc/rctl.conf
@ -0,0 +1 @@
 jail:ioc-jump:vmemoryuse:deny=4G/jail
--- a/configs/etc/sysctl.conf
+++ b/configs/etc/sysctl.conf
@ -1,4 +1,4 @@
-# $FreeBSD: releng/12.1/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
+# $FreeBSD: releng/12.2/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
 #
 #  This file is read when going to multi-user and its contents piped thru
 #  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
@ -7,6 +7,7 @@
 # Uncomment this to prevent users from seeing information about processes that
 # are being run under another UID.
 security.bsd.see_other_uids=0
 security.bsd.see_other_gids=0
 security.bsd.unprivileged_read_msgbuf=0
 security.bsd.unprivileged_proc_debug=0
 kern.randompid=1
@ -32,6 +33,13 @@ hw.intr_storm_threshold=9000
 kern.ipc.maxsockbuf=16777216
 kern.ipc.shm_use_phys=1
 kern.ipc.soacceptqueue=1024
 kern.ipc.nmbclusters=24513148
 kern.ipc.nmbjumbop=9192430
 kern.ipc.nmbjumbo9=2723683
 kern.ipc.nmbjumbo16=1532071
 kern.ipc.nmbufs=117663120
 kern.maxvnodes=4194304
 kern.random.harvest.mask=351
 kern.threads.max_threads_per_proc=9000
@ -67,7 +75,7 @@ net.inet.tcp.recvbuf_inc=65536
 net.inet.tcp.recvbuf_max=16777216
 net.inet.tcp.recvspace=262144
 net.inet.tcp.rfc6675_pipe=1
-net.inet.tcp.sendbuf_inc=32768
+net.inet.tcp.sendbuf_inc=65536
 net.inet.tcp.sendbuf_max=16777216
 net.inet.tcp.sendspace=262144
 net.inet.tcp.syncache.rexmtlimit=0
@ -95,7 +103,7 @@ vfs.zfs.arc_max=51539607552
 vfs.zfs.delay_min_dirty_percent=96
 vfs.zfs.dirty_data_max=12884901888
 vfs.zfs.prefetch_disable=0
-vfs.zfs.top_maxinflight=128
+#vfs.zfs.top_maxinflight=128
 vfs.zfs.trim.txg_delay=2
 vfs.zfs.txg.timeout=90
 vfs.zfs.vdev.aggregation_limit=1048576
@ -116,3 +124,12 @@ net.inet.tcp.rack.data_after_close=0
 #Cheap Disk Issues
 kern.cam.ada.default_timeout=60
 kern.cam.da.default_timeout=90
 # best way to see misconfigured or non operational services
 net.inet.tcp.log_in_vain: 1
 net.inet.udp.log_in_vain: 1
 # Disable File Handle Affinity for NFS write operations.
 # It improves NFS write throughput with ZFS sync=always on ship/pxe
 vfs.nfsd.fha.write=0
 vfs.nfsd.fha.max_nfsds_per_fh=32
--- a/configs/pxe/resolv.conf
+++ b/configs/pxe/resolv.conf
@ -1,7 +1,7 @@
 # Generated by resolvconf
 search diyit.org
 nameserver 192.168.0.5
-nameserver 2603:3024:3f6:e1::5
+nameserver fd01::5
-nameserver 2603:3024:3f6:e2::5
+nameserver fd02::5
-nameserver 2603:3024:3f6:e5::5
+nameserver fd05::5
-nameserver 2603:3024:3f6:e9::5
+nameserver fd09::5
--- a/jails/config/ci/jenkins
+++ b/jails/config/ci/jenkins
@ -0,0 +1,86 @@
 #!/bin/sh
 # $FreeBSD: head/devel/jenkins/files/jenkins.in 544211 2020-08-05 09:10:47Z lwhsu $
 #
 # PROVIDE: jenkins
 # REQUIRE: LOGIN
 # KEYWORD: shutdown
 #
 # Configuration settings for jenkins in /etc/rc.conf:
 #
 # jenkins_enable (bool):
 #   Set to "NO" by default.
 #   Set it to "YES" to enable jenkins
 #
 # jenkins_args (str):
 #   Extra arguments passed to start command
 #
 # jenkins_home (str)
 #   Set to "/usr/local/jenkins" by default.
 #   Set the JENKINS_HOME variable for jenkins process
 #
 # jenkins_java_home (str):
 #   Set to "/usr/local/openjdk8" by default.
 #   Set the Java virtual machine to run jenkins
 #
 # jenkins_java_opts (str):
 #   Set to "" by default.
 #   Java VM args to use.
 #
 # jenkins_user (str):
 #   Set to "jenkins" by default.
 #   User to run jenkins as.
 #
 # jenkins_group (str):
 #   Set to "jenkins" by default.
 #   Group for data file ownership.
 #
 # jenkins_log_file (str):
 #   Set to "/var/log/jenkins.log" by default.
 #   Log file location.
 #
 . /etc/rc.subr
 name=jenkins
 desc="Jenkins automation server"
 rcvar=jenkins_enable
 load_rc_config "${name}"
 : ${jenkins_enable:=NO}
 : ${jenkins_home="/usr/local/jenkins"}
 : ${jenkins_args="--webroot=${jenkins_home}/war"}
 : ${jenkins_java_home="/usr/local/openjdk8"}
 : ${jenkins_user="jenkins"}
 : ${jenkins_group="jenkins"}
 : ${jenkins_log_file="/var/log/jenkins.log"}
 pidfile=/var/run/jenkins/jenkins.pid
 command=/usr/sbin/daemon
 java_cmd="${jenkins_java_home}/bin/java"
 procname="${java_cmd}"
 command_args="-p ${pidfile} ${java_cmd} -Xmx1g -DJENKINS_HOME=${jenkins_home} ${jenkins_java_opts} -jar /usr/local/share/jenkins/jenkins.war ${jenkins_args} >> ${jenkins_log_file} 2>&1"
 required_files="${java_cmd}"
 start_precmd=jenkins_prestart
 start_cmd=jenkins_start
 jenkins_prestart()
 {
 	if [ ! -f "${jenkins_log_file}" ]; then
 		install -o "${jenkins_user}" -g "${jenkins_group}" -m 640 /dev/null "${jenkins_log_file}"
 	fi
 	if [ ! -d "/var/run/jenkins" ]; then
 		install -d -o "${jenkins_user}" -g "${jenkins_group}" -m 750 "/var/run/jenkins"
 	fi
 }
 jenkins_start()
 {
 	check_startmsgs && echo "Starting ${name}."
 	su -l ${jenkins_user} -c "exec ${command} ${command_args} ${rc_arg}"
 }
 run_rc_command "$1"
--- a/jails/config/common/resolvconf.conf
+++ b/jails/config/common/resolvconf.conf
@ -0,0 +1,2 @@
 export search_domains=ahlawat.com
 export name_servers="192.168.0.5 fd01::5"
--- a/jails/config/common/snip-sendmail.sh
+++ b/jails/config/common/snip-sendmail.sh
@ -12,7 +12,7 @@
 # TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections
 echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
 echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
-IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
+IP6=`ifconfig -f inet6:cidr | grep "fd01::" | cut -d" " -f 2 | cut -d "/" -f 1`
 echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
 echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc
 echo "define(\`confTO_CONNECT', \`1m')" >> /etc/mail/$HOSTNAME.mc
--- a/jails/config/dns/update6.sh
+++ b/jails/config/dns/update6.sh
@ -0,0 +1,18 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 SIM="-s"
 #SIM=""
 rpl $SIM -v -R "2603:3024:3f6:21::" "2603:3024:3f6:1::" ./namedb
 rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1" ./namedb
 rpl $SIM -v -R "2021030900" "2021031100" ./namedb
 service $SIM named $SIM restart
--- a/jails/config/elk/elasticsearch-xpack.yml
+++ b/jails/config/elk/elasticsearch-xpack.yml
@ -0,0 +1,10 @@
 # Module: elasticsearch
 # Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-elasticsearch.html
 - module: elasticsearch
  xpack.enabled: true
  period: 10s
  hosts: ["https://elk.diyit.org:9200"]
  #username: "user"
  #password: "secret"
--- a/jails/config/elk/jvm.options
+++ b/jails/config/elk/jvm.options
@ -19,8 +19,18 @@
 # Xms represents the initial size of total heap space
 # Xmx represents the maximum size of total heap space
-Xms4g
+-Xmn4G
-Xmx4g
+-Xms8G
 -Xmx8G
 -XX:MaxMetaspaceSize=2G
 -Xss2G
 -Xnoclassgc
 -XX:MaxDirectMemorySize=2G
 -XX:InitialRAMPercentage=80
 -XX:MaxRAMPercentage=80
 -XX:MinRAMPercentage=80
 ################################################################
 ## Expert settings
@ -33,7 +43,7 @@
 ################################################################
 ## GC configuration
-8-13:-XX:+UseConcMarkSweepGC
+8-9:-XX:+UseConcMarkSweepGC
 8-13:-XX:CMSInitiatingOccupancyFraction=75
 8-13:-XX:+UseCMSInitiatingOccupancyOnly
@ -43,9 +53,9 @@
 # following three lines to your version of the JDK
 # 10-13:-XX:-UseConcMarkSweepGC
 # 10-13:-XX:-UseCMSInitiatingOccupancyOnly
-14-:-XX:+UseG1GC
+11-:-XX:+UseG1GC
-14-:-XX:G1ReservePercent=25
+11-:-XX:G1ReservePercent=25
-14-:-XX:InitiatingHeapOccupancyPercent=30
+11-:-XX:InitiatingHeapOccupancyPercent=30
 ## JVM temporary directory
 -Djava.io.tmpdir=${ES_TMPDIR}
@ -58,10 +68,10 @@
 # specify an alternative path for heap dumps; ensure the directory exists and
 # has sufficient space
-XX:HeapDumpPath=data
+-XX:HeapDumpPath=/data
 # specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log
+-XX:ErrorFile=/var/log/hs_err_pid%p.log
 ## JDK 8 GC logging
 8:-XX:+PrintGCDetails
--- a/jails/config/elk/kibana-xpack.yml
+++ b/jails/config/elk/kibana-xpack.yml
@ -0,0 +1,10 @@
 # Module: kibana
 # Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-kibana.html
 - module: kibana
  xpack.enabled: true
  period: 10s
  hosts: ["localhost:5601"]
  #basepath: ""
  #username: "user"
  #password: "secret"
--- a/jails/config/elk/metricbeat.yml
+++ b/jails/config/elk/metricbeat.yml
@ -0,0 +1,189 @@
 ###################### Metricbeat Configuration Example #######################
 # This file is an example configuration file highlighting only the most common
 # options. The metricbeat.reference.yml file from the same directory contains all the
 # supported options with more comments. You can use it as a reference.
 #
 # You can find the full configuration reference here:
 # https://www.elastic.co/guide/en/beats/metricbeat/index.html
 # =========================== Modules configuration ============================
 metricbeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/metricbeat.modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: false
  # Period on which files under path should be checked for changes
  #reload.period: 10s
 # ======================= Elasticsearch template setting =======================
 setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
  #_source.enabled: false
 # ================================== General ===================================
 # The name of the shipper that publishes the network data. It can be used to group
 # all the transactions sent by a single shipper in the web interface.
 #name:
 # The tags of the shipper are included in their own field with each
 # transaction published.
 #tags: ["service-X", "web-tier"]
 # Optional fields that you can specify to add additional information to the
 # output.
 #fields:
 #  env: staging
 # ================================= Dashboards =================================
 # These settings control loading the sample dashboards to the Kibana index. Loading
 # the dashboards is disabled by default and can be enabled either by setting the
 # options here or by using the `setup` command.
 #setup.dashboards.enabled: false
 # The URL from where to download the dashboards archive. By default this URL
 # has a value which is computed based on the Beat name and version. For released
 # versions, this URL points to the dashboard archive on the artifacts.elastic.co
 # website.
 #setup.dashboards.url:
 # =================================== Kibana ===================================
 # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
 # This requires a Kibana endpoint configuration.
 setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"
  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:
 # =============================== Elastic Cloud ================================
 # These settings simplify using Metricbeat with the Elastic Cloud (https://cloud.elastic.co/).
 # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
 # `setup.kibana.host` options.
 # You can find the `cloud.id` in the Elastic Cloud web UI.
 #cloud.id:
 # The cloud.auth setting overwrites the `output.elasticsearch.username` and
 # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
 #cloud.auth:
 # ================================== Outputs ===================================
 # Configure what output to use when sending the data collected by the beat.
 # ---------------------------- Elasticsearch Output ----------------------------
 output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["elk.diyit.org:9200"]
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
 # ------------------------------ Logstash Output -------------------------------
 #output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
 # ================================= Processors =================================
 # Configure processors to enhance or manipulate events generated by the beat.
 processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
 #  - add_docker_metadata: ~
 #  - add_kubernetes_metadata: ~
 # ================================== Logging ===================================
 # Sets log level. The default log level is info.
 # Available log levels are: error, warning, info, debug
 #logging.level: debug
 # At debug level, you can selectively enable logging only for some components.
 # To enable all selectors use ["*"]. Examples of other selectors are "beat",
 # "publish", "service".
 #logging.selectors: ["*"]
 # ============================= X-Pack Monitoring ==============================
 # Metricbeat can export internal metrics to a central Elasticsearch monitoring
 # cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
 # reporting is disabled by default.
 # Set to true to enable the monitoring reporter.
 #monitoring.enabled: false
 # Sets the UUID of the Elasticsearch cluster under which monitoring data for this
 # Metricbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
 # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
 #monitoring.cluster_uuid:
 # Uncomment to send the metrics to Elasticsearch. Most settings from the
 # Elasticsearch output are accepted here as well.
 # Note that the settings should point to your Elasticsearch *monitoring* cluster.
 # Any setting that is not set is automatically inherited from the Elasticsearch
 # output configuration, so if you have the Elasticsearch output configured such
 # that it is pointing to your Elasticsearch monitoring cluster, you can simply
 # uncomment the following line.
 #monitoring.elasticsearch:
 # ============================== Instrumentation ===============================
 # Instrumentation support for the metricbeat.
 #instrumentation:
    # Set to true to enable instrumentation of metricbeat.
    #enabled: false
    # Environment in which metricbeat is running on (eg: staging, production, etc.)
    #environment: ""
    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200
    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:
    # Secret token for the APM Server(s).
    #secret_token:
 # ================================= Migration ==================================
 # This allows to enable 6.7 migration aliases
 #migration.6_to_7.enabled: true
--- a/jails/config/hass/hass-upgrade.sh
+++ b/jails/config/hass/hass-upgrade.sh
@ -0,0 +1,4 @@
 #!/usr/local/bin/bash
 source /data/homeassistant/bin/activate
 #pip install --upgrade git+git://github.com/home-assistant/home-assistant.git@dev
 pip install --upgrade homeassistant
--- a/jails/config/hub/sshguard.conf
+++ b/jails/config/hub/sshguard.conf
@ -23,21 +23,21 @@ FILES="/var/log/auth.log"
 #### OPTIONS ####
 # Block attackers when their cumulative attack score exceeds THRESHOLD.
 # Most attacks have a score of 10. (optional, default 30)
-THRESHOLD=30
+THRESHOLD=10
 # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
 # Subsequent blocks increase by a factor of 1.5. (optional, default 120)
-BLOCK_TIME=120
+BLOCK_TIME=1200
 # Remember potential attackers for up to DETECTION_TIME seconds before
 # resetting their score. (optional, default 1800)
-DETECTION_TIME=1800
+DETECTION_TIME=18000
 # Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
-IPV6_SUBNET=128
+IPV6_SUBNET=64
 # Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
-IPV4_SUBNET=32
+IPV4_SUBNET=24
 #### EXTRAS ####
 # !! Warning: These features may not work correctly with sandboxing. !!
--- a/jails/config/ibm/ipfw.rules
+++ b/jails/config/ibm/ipfw.rules
@ -63,8 +63,8 @@ $cmd 01300 check-state
 # Allow access to DNS
 $cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
 $cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
-$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
+$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state
-$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
+$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state
 # Allow access to ISP's DHCP server for cable/DSL configurations.
 # Use the first rule and check log for IP address.
--- a/jails/config/jump/branding/css/login-override.css
+++ b/jails/config/jump/branding/css/login-override.css
@ -0,0 +1,12 @@
 .login-ui .login-dialog .logo {
    background-image: url('app/ext/tempnamespace/images/logo-placeholder.png');
 	width: 5em;
 	-webkit-background-size: 5em auto;
 }
 div.login-ui {
 	background: #666;
 	background-color: #666;
 }
 .login-ui .login-dialog {
 	background-color: white;
 }
--- a/jails/config/jump/branding/guac-manifest.json
+++ b/jails/config/jump/branding/guac-manifest.json
@ -0,0 +1,20 @@
 {
        "guacamoleVersion" : "*",
        "name" : "Tempname",
        "namespace" : "tempnamespace",
        "translations" : [
 		"translations/en.json"
 	 ],
 	 "css" : [
                "css/login-override.css"
         ],
     "html" : [
                "loginDisclaimer.html"
         ],
 	 "resources" : {
                "images/logo-placeholder.png" : "image/png"
         }
 }
--- a/jails/config/jump/branding/images/logo-placeholder.png
+++ b/jails/config/jump/branding/images/logo-placeholder.png
--- a/jails/config/jump/branding/loginDisclaimer.html
+++ b/jails/config/jump/branding/loginDisclaimer.html
@ -0,0 +1,6 @@
 <meta name="after" content=".login-ui .login-dialog">
 <div class="welcome">
 Ahlawat Network's Remote Access Server
 <p>Restricted Access - only use if you have permission<p>
 </div>
--- a/jails/config/jump/branding/translations/en.json
+++ b/jails/config/jump/branding/translations/en.json
@ -0,0 +1,5 @@
 {
    "APP":{
 		"NAME" : "Ahlawat Net RAS"
 	  }
 }
--- a/jails/config/jump/guacamole-client/branding/css/login-override.css
+++ b/jails/config/jump/guacamole-client/branding/css/login-override.css
@ -0,0 +1,12 @@
 .login-ui .login-dialog .logo {
    background-image: url('app/ext/tempnamespace/images/logo-placeholder.png');
 	width: 5em;
 	-webkit-background-size: 5em auto;
 }
 div.login-ui {
 	background: #666;
 	background-color: #666;
 }
 .login-ui .login-dialog {
 	background-color: white;
 }
--- a/jails/config/jump/guacamole-client/branding/guac-manifest.json
+++ b/jails/config/jump/guacamole-client/branding/guac-manifest.json
@ -0,0 +1,20 @@
 {
        "guacamoleVersion" : "*",
        "name" : "Tempname",
        "namespace" : "tempnamespace",
        "translations" : [
 		"translations/en.json"
 	 ],
 	 "css" : [
                "css/login-override.css"
         ],
     "html" : [
                "loginDisclaimer.html"
         ],
 	 "resources" : {
                "images/logo-placeholder.png" : "image/png"
         }
 }
--- a/jails/config/jump/guacamole-client/branding/images/logo-placeholder.png
+++ b/jails/config/jump/guacamole-client/branding/images/logo-placeholder.png
--- a/jails/config/jump/guacamole-client/branding/loginDisclaimer.html
+++ b/jails/config/jump/guacamole-client/branding/loginDisclaimer.html
@ -0,0 +1,6 @@
 <meta name="after" content=".login-ui .login-dialog">
 <div class="welcome">
 Ahlawat Network's Remote Access Server
 <p>Restricted Access - only use if you have permission<p>
 </div>
--- a/jails/config/jump/guacamole-client/branding/translations/en.json
+++ b/jails/config/jump/guacamole-client/branding/translations/en.json
@ -0,0 +1,5 @@
 {
    "APP":{
 		"NAME" : "Ahlawat Net RAS"
 	  }
 }
--- a/jails/config/jump/guacamole-client/extensions/branding.jar
+++ b/jails/config/jump/guacamole-client/extensions/branding.jar
--- a/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.3.0.jar
+++ b/jails/config/jump/guacamole-client/extensions/guacamole-auth-ldap-1.3.0.jar
--- a/jails/config/jump/guacamole-client/user-mapping.xml
+++ b/jails/config/jump/guacamole-client/user-mapping.xml
@ -34,14 +34,14 @@
        	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>
-	<connection name="vnc-rpi3">
+	<connection name="vnc-rpi">
 		<protocol>vnc</protocol>
 		<param name="hostname">192.168.200.192</param>
 		<param name="port">5901</param>
 		<param name="password">vncpass</param>
 		<param name="color-depth">24</param>
 	</connection>
-	<connection name="ssh-rpi3">
+	<connection name="ssh-rpi">
        	<protocol>ssh</protocol>
        	<param name="hostname">192.168.200.192</param>
        	<param name="port">22</param>
@ -58,14 +58,14 @@
    <authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
 	<connection name="vnc">
 		<protocol>vnc</protocol>
-		<param name="hostname">192.168.200.212</param>
+		<param name="hostname">192.168.200.192</param>
 		<param name="port">5901</param>
 		<param name="password">vncpass</param>
 		<param name="color-depth">24</param>
 	</connection>
 	<connection name="ssh">
        	<protocol>ssh</protocol>
-        	<param name="hostname">192.168.200.212</param>
+        	<param name="hostname">192.168.200.192</param>
        	<param name="port">22</param>
 		<param name="font-name">monospace</param>
 	</connection>
--- a/jails/config/ldap-mgr/httpd.conf
+++ b/jails/config/ldap-mgr/httpd.conf
@ -578,6 +578,16 @@ Include etc/apache24/Includes/*.conf
    Require all granted
  </Directory>
  Alias /ssp "/usr/local/www/self-service-password"
  <Directory "/usr/local/www/self-service-password">
    AllowOverride None
    Require all granted
  </Directory>
  <Directory "/usr/local/www/self-service-password/scripts">
    AllowOverride None
    Require all denied
  </Directory>
  ErrorLog "/var/log/ssl-error.log"
  CustomLog "/var/log/ssl-access_log" combined
 </VirtualHost>
--- a/jails/config/ldap-mgr/index.html
+++ b/jails/config/ldap-mgr/index.html
@ -0,0 +1,6 @@
 <head>
  <meta http-equiv="refresh" content="0; URL=https://ldap-mgr.ahlawat.com/ssp" />
 </head>
 <body>
  <p>If you are not redirected in zero seconds, <a href="https://ldap-mgr.ahlawat.com/ssp">click here</a>.</p>
 </body>
--- a/jails/config/mail/postfix/main.cf
+++ b/jails/config/mail/postfix/main.cf
@ -797,8 +797,10 @@ smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_n
 smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
 # !!! THE LAST SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
 # !!!      DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES      !!!
-smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
+smtpd_recipient_restrictions = permit_mynetworks,check_recipient_access hash:/usr/local/etc/postfix/protected_destinations,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
 smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining
 smtpd_restriction_classes = good_senders_only
 good_senders_only = check_sender_access hash:/usr/local/etc/postfix/restricted_senders,permit
 # deliver mail for virtual users to Dovecot's LMTP socket
 virtual_transport = lmtp:unix:private/dovecot-lmtp
--- a/jails/config/mail/postfix/protected_destinations
+++ b/jails/config/mail/postfix/protected_destinations
@ -0,0 +1,4 @@
 # not everyone can send to these destinations
 # we restrict some of them
 ahlawat.com     good_senders_only
--- a/jails/config/mail/postfix/reinit.sac
+++ b/jails/config/mail/postfix/reinit.sac
@ -1,10 +1,13 @@
 # update aliases.db
 newaliases
 #rm /usr/local/etc/postfix/system-virtual-mailboxes.db
 #postmap /usr/local/etc/postfix/system-virtual-mailboxes
 rm /usr/local/etc/postfix/virtual-maillist-alias-maps.db
 postmap /usr/local/etc/postfix/virtual-maillist-alias-maps
 rm /usr/local/etc/postfix/protected_destinations.db
 postmap /usr/local/etc/postfix/protected_destinations
 rm /usr/local/etc/postfix/restricted_senders.db
 postmap /usr/local/etc/postfix/restricted_senders
 service postfix reload
--- a/jails/config/mail/postfix/restricted_senders
+++ b/jails/config/mail/postfix/restricted_senders
@ -0,0 +1,5 @@
 # We do not want mail from these folks, generally
 cyou           REJECT  521
 qq.com         REJECT  521
 163.com        REJECT  521
--- a/jails/config/maps/maps
+++ b/jails/config/maps/maps
@ -14,30 +14,30 @@
 . /etc/rc.subr
-: ${mapsserver_enable="NO"}
+: ${maps_enable="NO"}
-name=mapsserver
+name=maps
 rcvar=${name}_enable
 start_cmd="${name}_start"
 stop_cmd="${name}_stop"
 restart_cmd="${name}_restart"
-mapsserver_start()
+maps_start()
 {
    cd /data/networkmaps; ./server.js --config /usr/local/etc/networkmaps/config.json &
    cd /data/networkmaps; ./smtp_daemon.js --config /usr/local/etc/networkmaps/config.json &
 }
-mapsserver_stop()
+maps_stop()
 {
        ps ax | grep -ie server.js | grep -v grep | awk '{print $1}' | xargs kill -9
        ps ax | grep -ie smtp_daemon.js | grep -v grep | awk '{print $1}' | xargs kill -9
 }
-mapsserver_restart()
+maps_restart()
 {
-	mapsserver_stop
+	maps_stop
-	mapsserver_start
+	maps_start
 }
 load_rc_config ${name}
--- a/jails/config/meet/hosts.txt
+++ b/jails/config/meet/hosts.txt
@ -1,9 +1,46 @@
 # $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
 #
 # Host Database
 #
 # This file should contain the addresses and aliases for local hosts that
 # share this file.  Replace 'my.domain' below with the domainname of your
 # machine.
 #
 # In the presence of the domain name service or NIS, this file may
 # not be consulted at all; see /etc/nsswitch.conf for the resolution order.
 #
 #
 ::1			localhost localhost.my.domain
 127.0.0.1		localhost localhost.my.domain meet
 #
 # Imaginary network.
 #10.0.0.2		myname.my.domain myname
 #10.0.0.3		myfriend.my.domain myfriend
 #
 # According to RFC 1918, you can use the following IP networks for
 # private nets which will never be connected to the Internet:
 #
 #	10.0.0.0	-   10.255.255.255
 #	172.16.0.0	-   172.31.255.255
 #	192.168.0.0	-   192.168.255.255
 #
 # In case you want to be able to connect to the Internet, you need
 # real official assigned numbers.  Do not try to invent your own network
 # numbers but instead get one from your network provider (if any) or
 # from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
 #
 192.168.0.67	meet
 192.168.0.67 meet meet.ahlawat.com
 fd01::67 meet meet.ahlawat.com
 192.168.0.67 auth.meet.ahlawat.com
-2603:3024:3f6:e1::67 auth.meet.ahlawat.com
+fd01::67 auth.meet.ahlawat.com
 192.168.0.67 confrence.meet.ahlawat.com
-2603:3024:3f6:e1::67 conference.meet.ahlawat.com
+fd01::67 conference.meet.ahlawat.com
 192.168.0.67 focus.meet.ahlawat.com
-2603:3024:3f6:e1::67 focus.meet.ahlawat.com
+fd01::67 focus.meet.ahlawat.com
 192.168.0.67 jistsi-videobridge.meet.ahlawat.com
-2603:3024:3f6:e1::67 jitsi-videobridge.meet.ahlawat.com
+fd01::67 jitsi-videobridge.meet.ahlawat.com
--- a/jails/config/meet/prosody.cfg.lua
+++ b/jails/config/meet/prosody.cfg.lua
@ -13,7 +13,7 @@
 -- blanks. Good luck, and happy Jabbering!
 pidfile = "/var/run/prosody/prosody.pid"
-- interfaces = { "192.168.0.67", "2603:3024:3f6:e1::67" }
+-- interfaces = { "192.168.0.67", "fd01::67" }
 ---------- Server-wide settings ----------
 -- Settings in this section apply to the whole server and are the default settings
--- a/jails/config/pkgp/nginx.conf
+++ b/jails/config/pkgp/nginx.conf
@ -17,7 +17,7 @@ http {
    tcp_nopush          on;
    aio                 on;
-    resolver            192.168.0.5 [2603:3024:3f6:e1::5];
+    resolver            192.168.0.5 [fd01::5];
    proxy_http_version          1.1;
    proxy_set_header Connection "";
@ -182,7 +182,7 @@ http {
            listen      [::]:8013;
            server_name localhost;
            location / {
-                proxy_pass       http://update3.FreeBSD.org;
+                proxy_pass       http://update5.FreeBSD.org;
            }
        }
        server {
--- a/jails/config/proxy/haproxy.conf
+++ b/jails/config/proxy/haproxy.conf
@ -66,7 +66,7 @@ frontend ft
  # prevent browser from using non-secure
  http-response add-header Strict-Transport-Security: max-age=15768000
-  acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
+  acl network_allowed src 192.168.0.0/24 fd01::/64
  acl restricted_page path -i -m sub /wp-admin
  acl restricted_page path -i -m sub /wp-login
  http-request deny if restricted_page !network_allowed
@ -80,7 +80,6 @@ frontend ft
  use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
  use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
 #  use_backend bk_ahlawat-book if { ssl_fc_sni book.ahlawat.com }
  use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com }
  use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com }
  use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com }
@ -93,6 +92,7 @@ frontend ft
  use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
  use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
  use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
  use_backend bk_ahlawat-hass if { ssl_fc_sni hass.ahlawat.com }
  use_backend bk_diyit if { ssl_fc_sni diyit.org }
  use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
@ -113,6 +113,7 @@ frontend ft
  use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
  use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
  use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
  use_backend bk_beyondbell-dashboard if { ssl_fc_sni dashboard.beyondbell.com }
  use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
  use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
  use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
@ -131,7 +132,7 @@ backend bk_ahlawat
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-sharad
-  balance roundrobin
+#  balance roundrobin
  server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
@ -154,26 +155,24 @@ backend bk_ahlawat-rishabh
 #backend bk_ahlawat-book
 #  server srv1 bookx.ahlawat.com:443 check ssl verify none
 backend bk_ahlawat-book-443
 #  server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-book-444
 #  server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-book-445
 #  server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-cam
  server srv1 192.168.0.54:8765 check
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-ci
@ -215,6 +214,12 @@ backend bk_ahlawat-monitor
 backend bk_ahlawat-jump
  server srv1 jumpx.ahlawat.com:8080 check
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_ahlawat-hass
  server srv1 hassx.ahlawat.com:8123 check
  server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
@ -239,9 +244,6 @@ backend bk_diyit-kibana
 backend bk_diyit-maps
  server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
 #  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
 #  server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
 #  server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
 #  http-response add-header X-Frame-Options: SAMEORIGIN
@ -281,6 +283,12 @@ backend bk_beyondbell-repo
 #  http-response del-header Strict-Transport-Security
 #  http-response add-header Content-Security-Policy: upgrade-insecure-requests
 backend bk_beyondbell-dashboard
  http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2
  http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2
  server srv1 192.168.0.92:8080
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-web-moonglade
  server srv1 192.168.0.74:8000
 #  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
@ -297,6 +305,6 @@ backend bk_beyondbell-r-windows
  http-response add-header X-Frame-Options: SAMEORIGIN
 backend bk_beyondbell-windows
-  server srv1 192.168.0.81:26900 check
+  server srv1 192.168.0.81:26900
-  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
+#  server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
  http-response add-header X-Frame-Options: SAMEORIGIN
--- a/jails/config/vm/create_taps.sh
+++ b/jails/config/vm/create_taps.sh
@ -28,6 +28,11 @@ ifconfig bridge9 addm tap2082 up
 ifconfig tap2082 up
 ifconfig tap2082 inet6 auto_linklocal
 ifconfig tap4882 create
 ifconfig bridge48 addm tap4882 up
 ifconfig tap4882 up
 ifconfig tap4882 inet6 auto_linklocal
 ifconfig tap83 create
 ifconfig bridge1 addm tap83 up
 ifconfig tap83 up
@ -58,6 +63,11 @@ ifconfig bridge9 addm tap2086 up
 ifconfig tap2086 up
 ifconfig tap2086 inet6 auto_linklocal
 ifconfig tap4886 create
 ifconfig bridge48 addm tap4886 up
 ifconfig tap4886 up
 ifconfig tap4886 inet6 auto_linklocal
 ifconfig tap90 create
 ifconfig bridge1 addm tap90 up
 ifconfig tap90 up
@ -83,6 +93,11 @@ ifconfig bridge9 addm tap2097 up
 ifconfig tap2097 up
 ifconfig tap2097 inet6 auto_linklocal
 ifconfig tap4897 create
 ifconfig bridge48 addm tap4897 up
 ifconfig tap4897 up
 ifconfig tap4897 inet6 auto_linklocal
 ifconfig tap96 create
 ifconfig bridge1 addm tap96 up
 ifconfig tap96 up
@ -97,3 +112,8 @@ ifconfig tap2096 create
 ifconfig bridge9 addm tap2096 up
 ifconfig tap2096 up
 ifconfig tap2096 inet6 auto_linklocal
 ifconfig tap4896 create
 ifconfig bridge48 addm tap4896 up
 ifconfig tap4896 up
 ifconfig tap4896 inet6 auto_linklocal
--- a/jails/config/vm/cvm-a.sh
+++ b/jails/config/vm/cvm-a.sh
@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \
 -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
 -s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
 -s 7,virtio-net,tap4897,mac=00:0A:0B:0C:7D:97 \
 -s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
 -s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
 -s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
@ -59,12 +60,3 @@ exit $?
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
 #zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
 # on boot
 #ifconfig tap97 create
 #ifconfig bridge1 addm tap97 up
 #ifconfig tap97 up
 #ifconfig tap97 inet6 auto_linklocal
 #ifconfig tap1097 create
 #ifconfig bridge10 addm tap1097 up
 #ifconfig tap1097 up
 #ifconfig tap1097 inet6 auto_linklocal
--- a/jails/config/vm/cvm-b.sh
+++ b/jails/config/vm/cvm-b.sh
@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \
 -s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
 -s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
 -s 7,virtio-net,tap4896,mac=00:0A:0B:0C:7D:96 \
 -s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
 -s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
 -s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
@ -59,12 +60,3 @@ exit $?
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
 #zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
 # on boot
 #ifconfig tap96 create
 #ifconfig bridge1 addm tap96 up
 #ifconfig tap96 up
 #ifconfig tap96 inet6 auto_linklocal
 #ifconfig tap1096 create
 #ifconfig bridge10 addm tap1096 up
 #ifconfig tap1096 up
 #ifconfig tap1096 inet6 auto_linklocal
--- a/jails/config/vm/freebsd.sh
+++ b/jails/config/vm/freebsd.sh
@ -16,7 +16,7 @@ bhyvectl --destroy --vm=freebsd
 while true
 do
-bhyve -c 4 -m 8G -A -H -P \
+bhyve -c 2 -m 4G -A -H -P \
 -s 0,hostbridge \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/freebsd \
--- a/jails/config/vm/kali.sh
+++ b/jails/config/vm/kali.sh
@ -10,6 +10,9 @@
 # ./kali.sh under tmux
 # disabled for now
 exit
 # clean cached state
 bhyvectl --destroy --vm=kali
@ -21,6 +24,7 @@ bhyve -c 2 -m 4G -A -H -P \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/kali \
 -s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
 -s 7,virtio-net,tap4886,mac=00:0A:0B:0C:8D:86 \
 -s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
 -s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
 -s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
@ -59,15 +63,6 @@ exit $?
 #on base system:
 #zfs create -V 128G -o refreservation=none ship/raw/kali
 ##zfs create -V 128G -o refreservation=none ship/raw/kali_data
 # on boot
 #ifconfig tap86 create
 #ifconfig bridge1 addm tap86 up
 #ifconfig tap86 up
 #ifconfig tap86 inet6 auto_linklocal
 #ifconfig tap1086 create
 #ifconfig bridge10 addm tap1086 up
 #ifconfig tap1086 up
 #ifconfig tap1086 inet6 auto_linklocal
 # Install VNC
 # curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download# 
--- a/jails/config/vm/pbx.sh
+++ b/jails/config/vm/pbx.sh
@ -16,7 +16,7 @@ bhyvectl --destroy --vm=pbx
 while true
 do
-bhyve -c 2 -m 8G -A -H -P \
+bhyve -c 2 -m 4G -A -H -P \
 -s 0,hostbridge \
 -s 3,ahci-cd \
 -s 4,virtio-blk,/dev/zvol/ship/raw/pbx \
--- a/jails/config/vm/r-windows.sh
+++ b/jails/config/vm/r-windows.sh
@ -10,13 +10,16 @@
 # ./r-windows.sh under tmux
 # disabled for now
 exit
 # clean cached state
 bhyvectl --destroy --vm=r-windows
 while true
 do
-bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
+bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \
 -s 0,hostbridge \
 -s 4,ahci-hd,/dev/zvol/ship/raw/r-windows,sectorsize=512 \
 -s 5,virtio-net,tap85,mac=00:0A:0B:0C:0D:85 \
--- a/jails/config/vm/ubuntu.sh
+++ b/jails/config/vm/ubuntu.sh
@ -22,6 +22,7 @@ bhyve -c 8 -m 16G -A -H -P \
 -s 4,virtio-blk,/dev/zvol/ship/raw/ubuntu \
 -s 5,virtio-net,tap82,mac=00:0A:0B:0C:0D:82 \
 -s 6,virtio-blk,/dev/zvol/ship/raw/ubuntu_data \
 -s 7,virtio-net,tap4882,mac=00:0A:0B:0C:7D:82 \
 -s 8,virtio-net,tap1082,mac=00:0A:0B:0C:8D:82 \
 -s 9,virtio-net,tap2082,mac=00:0A:0B:0C:9D:82 \
 -s 29,fbuf,tcp=0.0.0.0:5982,w=1600,h=900 \
@ -59,12 +60,3 @@ exit $?
 #on base system:
 #zfs create -V 32G -o refreservation=none ship/raw/ubuntu
 #zfs create -V 128G -o refreservation=none ship/raw/ubuntu_data
 # on boot
 #ifconfig tap82 create
 #ifconfig bridge1 addm tap82 up
 #ifconfig tap82 up
 #ifconfig tap82 inet6 auto_linklocal
 #ifconfig tap1082 create
 #ifconfig bridge10 addm tap1082 up
 #ifconfig tap1082 up
 #ifconfig tap1082 inet6 auto_linklocal
--- a/jails/config/vm/windows.sh
+++ b/jails/config/vm/windows.sh
@ -16,7 +16,7 @@ bhyvectl --destroy --vm=windows
 while true
 do
-bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
+bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \
 -s 0,hostbridge \
 -s 4,ahci-hd,/dev/zvol/ship/raw/windows,sectorsize=512 \
 -s 5,virtio-net,tap81,mac=00:0A:0B:0C:0D:81 \
--- a/jails/config/vpngw/ipfw.rules
+++ b/jails/config/vpngw/ipfw.rules
@ -62,8 +62,8 @@ $cmd 01300 check-state
 # Allow access to DNS
 #$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
 #$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
-#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
+#$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state
-#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
+#$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state
 # Allow access to ISP's DHCP server for cable/DSL configurations.
 # Use the first rule and check log for IP address.
--- a/jails/config/web-datavpc/resolvconf.conf
+++ b/jails/config/web-datavpc/resolvconf.conf
@ -1,2 +1,2 @@
 export search_domains="datavpc.com mydatavpc.com ahlawat.com"
-export name_servers="192.168.0.5 2603:3024:3f6:e1::5"
+export name_servers="192.168.0.5 fd01::5"
--- a/jails/config/web-diyit/resolvconf.conf
+++ b/jails/config/web-diyit/resolvconf.conf
@ -1,2 +1,2 @@
-export search_domains="diyit.org diyit.space ahlawat.com"
+export search_domains="diyit.org ahlawat.com"
-export name_servers="192.168.0.5 2603:3024:3f6:e1::5"
+export name_servers="192.168.0.5 fd01::5"
--- a/jails/config/web/ahlawat.com.ini
+++ b/jails/config/web/ahlawat.com.ini
@ -0,0 +1,16 @@
 imap_host = "mail.ahlawat.com"
 imap_port = 993
 imap_secure = "SSL"
 imap_short_login = On
 sieve_use = Off
 sieve_allow_raw = Off
 sieve_host = ""
 sieve_port = 4190
 sieve_secure = "None"
 smtp_host = "mail.ahlawat.com"
 smtp_port = 587
 smtp_secure = "TLS"
 smtp_short_login = On
 smtp_auth = On
 smtp_php_mail = Off
 white_list = ""
--- a/jails/config/web/disabled
+++ b/jails/config/web/disabled
@ -0,0 +1 @@
 outlook.com,qq.com,yahoo.com,gmail.com
--- a/jails/config/web/htaccess-rainloop
+++ b/jails/config/web/htaccess-rainloop
@ -0,0 +1,4 @@
 Deny from all
 <IfModule mod_autoindex.c>
 Options -Indexes
 </ifModule>
--- a/jails/config/web/plugin-ldap-change-password.ini
+++ b/jails/config/web/plugin-ldap-change-password.ini
@ -0,0 +1,9 @@
 ; RainLoop Webmail plugin (ldap-change-password)
 [plugin]
 hostname = "ldaps://ldap.ahlawat.com"
 port = 636
 user_dn_format = "cn={imap:login},ou=people,dc=infra"
 password_field = "userPassword"
 password_enc_type = "SSHA"
 allowed_emails = "*"
--- a/jails/create.sh
+++ b/jails/create.sh
@ -29,11 +29,11 @@ JAILUSERVNC=$7
 I6CONFIG=true
 I4NW="192.168.0"
-I6NW="2603:3024:3f6:e1"
+I6NW="fd01"
 I4GW="192.168.0.5"
-I6GW="2603:3024:3f6:e1::5"
+I6GW="fd01::5"
 I4NS="192.168.0.5"
-I6NS="2603:3024:3f6:e1::5"
+I6NS="fd01::5"
 # these IP spaces are diyit deployment specific
 echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
@ -69,15 +69,6 @@ if $I6CONFIG; then
 	iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
 fi
 # create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf
 iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf"
 if $I6CONFIG; then
 	iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf"
 else
 	iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf"
 fi
 iocage exec $JAIL "resolvconf -u"
 iocage exec $JAIL "mkdir -p /mnt/certs"
 iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
 iocage exec $JAIL "mkdir -p /mnt/config"
@ -87,6 +78,10 @@ iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files
 iocage exec $JAIL "mkdir -p /mnt/common"
 iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
 # create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf
 iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"
 iocage exec $JAIL "resolvconf -u"
 iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
 iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
--- a/jails/jails-restore-httpd.sh
+++ b/jails/jails-restore-httpd.sh
@ -8,6 +8,9 @@
 #
 #
 echo "checking pkgp jail nginx instance is running"
 iocage exec pkgp "service nginx status"
 web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit web-datavpc ldap-mgr r-ldap-mgr monitor)
 for i in ${web_jails[@]};
@ -35,7 +38,3 @@ do
 	iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
 	iocage exec $i "service apache24 restart"
 done
 echo ""
 echo "checking pkgp jail nginx instance is running"
 iocage exec pkgp "service nginx status"
--- a/jails/jails-update-cert.sh
+++ b/jails/jails-update-cert.sh
@ -37,6 +37,9 @@ iocage exec mail "service dovecot restart"
 echo "restarting ELK in jail elk after SSL update"
 iocage exec elk "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs"
 iocage exec elk "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs"
 exit
 iocage exec elk "service elasticsearch restart"
 iocage exec elk "service kibana restart"
--- a/jails/jails-update-pkgs.sh
+++ b/jails/jails-update-pkgs.sh
@ -99,3 +99,5 @@ echo "check hub for index.html and adminer version"
 echo ""
 echo "iocage exec cert \"/root/.acme.sh/acme.sh --upgrade\""
 echo "iocage exec cert \"/mnt/config/backup.sh\""
 echo ""
 echo "iocage exec hass \"/mnt/config/hass-upgrade.sh\""
--- a/jails/post-restart-checks.txt
+++ b/jails/post-restart-checks.txt
@ -13,7 +13,7 @@ these certifcates need to be updated with /mnt/certs
 vpngw:
 service openvpn onestart
-service ipfw restart
+service natd restart
 ibm:
--- a/jails/update.sh
+++ b/jails/update.sh
@ -52,7 +52,7 @@ read -p "update pkgp jail (y/N)? " RESP
 if [ ! -z $RESP ] && [ $RESP == "y" ]; then
    JAIL="pkgp"
    update_jail
-    /root/FreeBSD/jail/jails-update-pkgs.sh pkgp-only
+    /root/FreeBSD/jails/jails-update-pkgs.sh pkgp-only
 fi
 read -p "update all jails (y/N)? " RESP
--- a/scripts/find-sonewconn.sh
+++ b/scripts/find-sonewconn.sh
@ -0,0 +1,16 @@
 #!/usr/local/bin/bash
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 for jail in $(jls -h name | tail +2); do
    sudo jexec $jail netstat -LAan 2>/dev/null | grep -q $1;
    if [ $? -eq 0 ]; then
        echo "found in jail $jail";
    fi;
 done
--- a/scripts/mbuf.sh
+++ b/scripts/mbuf.sh
@ -0,0 +1,74 @@
 #!/bin/sh
 # Copyright (c) 2018-2021, diyIT.org
 # All rights reserved.
 #
 # BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
 # https://diyit.org/license/
 #
 #
 MCLBYTES=2048
 MSIZE=256
 PHYSMEM=`sysctl -n hw.physmem`
 PAGE_SIZE=`sysctl -n hw.pagesize`
 VM_KMEM_SIZE=`sysctl -n vm.kmem_size`
 REALMEM=${VM_KMEM_SIZE}
 MAXMBUFMEM=`expr $REALMEM / 4 \* 3`
 MJUMPAGESIZE=$PAGE_SIZE
 MJUM9BYTES=`expr 9 \* 1024`
 MJUM16BYTES=`expr 16 \* 1024`
 #NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 4` # higher # of jails
 NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 3`
 NMBJUMBOP=`expr $MAXMBUFMEM / $MJUMPAGESIZE / 4`
 NMBJUMBO9=`expr $MAXMBUFMEM / $MJUM9BYTES / 6`
 NMBJUMBO16=`expr $MAXMBUFMEM / $MJUM16BYTES / 6`
 NMBUFS=`sysctl -n kern.ipc.nmbufs`
 NMMAX1=`expr $NMBCLUSTERS + $NMBJUMBOP + $NMBJUMBO9 + $NMBJUMBO16`
 NMMAX2=`expr $MAXMBUFMEM / $MSIZE / 5`
 if [ $NMMAX1 -gt $NMMAX2 ]; then
 	NMBUFS=$NMMAX1
 else
 	NMBUFS=$NMMAX2
 fi
 show()
 {
 	echo "# `basename $0 ` suggested settings:"
 	echo "kern.ipc.maxmbufmem=$MAXMBUFMEM"
 	echo "kern.ipc.nmbclusters=$NMBCLUSTERS"
 	echo "kern.ipc.nmbjumbop=$NMBJUMBOP"
 	echo "kern.ipc.nmbjumbo9=$NMBJUMBO9"
 	echo "kern.ipc.nmbjumbo16=$NMBJUMBO16"
 	echo "kern.ipc.nmbufs=$NMBUFS"
 }
 compare()
 {
 	echo "kern.ipc.maxmbufmem:  `sysctl -n kern.ipc.maxmbufmem` (current)"
 	echo "                 -->  $MAXMBUFMEM (suggested)"
 	echo "kern.ipc.nmbclusters: `sysctl -n kern.ipc.nmbclusters`"
 	echo "                  --> $NMBCLUSTERS"
 	echo "kern.ipc.nmbjumbop:   `sysctl -n kern.ipc.nmbjumbop`"
 	echo "                -->   $NMBJUMBOP"
 	echo "kern.ipc.nmbjumbo9:   `sysctl -n kern.ipc.nmbjumbo9`"
 	echo "                -->   $NMBJUMBO9"
 	echo "kern.ipc.nmbjumbo16:  `sysctl -n kern.ipc.nmbjumbo16`"
 	echo "                 -->  $NMBJUMBO16"
 	echo "kern.ipc.nmbufs:      `sysctl -n kern.ipc.nmbufs`"
 	echo "             -->      $NMBUFS"
    vmstat -z|grep -E '^ITEM|mbuf'
    netstat -m
    # vmstat -m
 }
 if [ $# -gt 0 ]; then
 	if [ $1 == '-c' ]; then
 		compare
 		exit 0
 	fi
 fi
 show
		`@ -0,0 +1,2 @@`
							`export search_domains=ahlawat.com`
							`export name_servers="192.168.0.5 fd01::5"`
`@ -1,2 +1,2 @@`
	`export search_domains="datavpc.com mydatavpc.com ahlawat.com"`	`export search_domains="datavpc.com mydatavpc.com ahlawat.com"`
	`export name_servers="192.168.0.5 2603:3024:3f6:e1::5"`	`export name_servers="192.168.0.5 fd01::5"`
`@ -1,2 +1,2 @@`
	`export search_domains="diyit.org diyit.space ahlawat.com"`	`export search_domains="diyit.org ahlawat.com"`
	`export name_servers="192.168.0.5 2603:3024:3f6:e1::5"`	`export name_servers="192.168.0.5 fd01::5"`