This commit is contained in:
Sharad Ahlawat 2021-04-01 01:23:14 -07:00
parent 5cee123a3c
commit 90c5709862
64 changed files with 802 additions and 140 deletions

43
configs/etc/hosts Normal file

@ -0,0 +1,43 @@
# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
192.168.0.10 nas nas.ahlawat.com
fd01::10 nas nas.ahlawat.com
192.168.1.10 nas nas.ahlawat.com
fd02::10 nas nas.ahlawat.com
192.168.2.10 nas nas.ahlawat.com
fd05::10 nas nas.ahlawat.com
192.168.200.10 nas nas.ahlawat.com
fd09::10 nas nas.ahlawat.com
192.168.10.10 nas nas.ahlawat.com
fd0a::10 nas nas.ahlawat.com
192.168.48.10 nas nas.ahlawat.com
2001:470:f835::10 nas nas.ahlawat.com
#
# Imaginary network. 10.0.0.2 myname.my.domain myname 10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#


@ -6,7 +6,8 @@ kld_list="nmdm vmm ipfw ipdivert linux64"
geli_autodetach="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="/dev/ada2p3"
#dumpdev="/dev/ada2p3"
dumpdev="NO"
dumpdir="/var/crash"
savecore_enable="YES"
@ -31,49 +32,46 @@ firewall_logif="YES"
# interfaces
cloned_interfaces_sticky="YES"
cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9"
cloned_interfaces="lagg0 bridge1 bridge2 bridge5 bridge9 bridge10"
ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"
ifconfig_igb0="up"
ifconfig_igb1="up"
ifconfig_igb0="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
ifconfig_igb1="up -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso"
vlans_lagg0="1 2 5 9"
vlans_lagg0="1 2 5 9 10"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
ifconfig_lagg0_1="inet 192.168.0.10/24"
ifconfig_lagg0_1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_2="inet 192.168.1.10/24"
ifconfig_lagg0_2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_2_ipv6="inet6 fd02::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_5="inet 192.168.2.10/24"
ifconfig_lagg0_5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_5_ipv6="inet6 fd05::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_9="inet 192.168.200.10/24"
ifconfig_lagg0_9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_9_ipv6="inet6 fd09::10/64 auto_linklocal accept_rtadv"
ifconfig_lagg0_10="inet 192.168.10.10/24"
ifconfig_lagg0_10_ipv6="inet6 fd0a::10/64 auto_linklocal accept_rtadv"
ifconfig_bridge1="addm lagg0.1 up"
ifconfig_bridge2="addm lagg0.2 up"
ifconfig_bridge5="addm lagg0.5 up"
ifconfig_bridge9="addm lagg0.9 up"
ifconfig_bridge10="addm lagg0.10 up"
# adding IP to bridges does not work
#ifconfig_bridge1="inet 192.168.0.10/24"
#ifconfig_bridge1_ipv6="inet6 2603:3024:3f6:e1::10/64 auto_linklocal accept_rtadv"
#ifconfig_bridge2="inet 192.168.1.10/24"
#ifconfig_bridge2_ipv6="inet6 2603:3024:3f6:e2::10/64 auto_linklocal accept_rtadv"
#ifconfig_bridge5="inet 192.168.2.10/24"
#ifconfig_bridge5_ipv6="inet6 2603:3024:3f6:e5::10/64 auto_linklocal accept_rtadv"
#ifconfig_bridge9="inet 192.168.200.10/24"
#ifconfig_bridge9_ipv6="inet6 2603:3024:3f6:e9::10/64 auto_linklocal accept_rtadv"
#ifconfig_bridge1_ipv6="inet6 fd01::10/64 auto_linklocal accept_rtadv"
defaultrouter="192.168.0.5"
ipv6_defaultrouter="2603:3024:3f6:e1::5"
ipv6_defaultrouter="fd01::5"
# interfaces
hostname="nas.ahlawat.com"
syslogd_enable="YES"
syslogd_flags="-ss"
syslogd_flags="-C -O rfc5424 -ss"
syslog_ng_enable="NO"
syslog_ng_config="-u daemon"
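Review bot: Every VLAN interface keeps `accept_rtadv` (with `rtsold_enable="YES"`) even though its address is now a static ULA and `ipv6_defaultrouter="fd01::5"` is pinned, so any host on lagg0.1, .2, .5, .9 or .10 can push a prefix or a default route with a rogue RA and displace the static gateway. Unless the NAS still relies on SLAAC for a global prefix on one VLAN — the 2001:470:f835::10 entry in the /etc/hosts added by this commit suggests it might — switch the interfaces that do not need it to `-accept_rtadv`, or keep it only on the VLAN facing the upstream router. `dumpdev="NO"` beside `savecore_enable="YES"` is harmless, but the two lines now contradict the comment above them; say which is intended. The file continues past this hunk.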

1
configs/etc/rctl.conf Normal file

@ -0,0 +1 @@
jail:ioc-jump:vmemoryuse:deny=4G/jail


@ -1,4 +1,4 @@
# $FreeBSD: releng/12.1/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
# $FreeBSD: releng/12.2/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
@ -7,6 +7,7 @@
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
@ -32,6 +33,13 @@ hw.intr_storm_threshold=9000
kern.ipc.maxsockbuf=16777216
kern.ipc.shm_use_phys=1
kern.ipc.soacceptqueue=1024
kern.ipc.nmbclusters=24513148
kern.ipc.nmbjumbop=9192430
kern.ipc.nmbjumbo9=2723683
kern.ipc.nmbjumbo16=1532071
kern.ipc.nmbufs=117663120
kern.maxvnodes=4194304
kern.random.harvest.mask=351
kern.threads.max_threads_per_proc=9000
@ -67,7 +75,7 @@ net.inet.tcp.recvbuf_inc=65536
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.recvspace=262144
net.inet.tcp.rfc6675_pipe=1
net.inet.tcp.sendbuf_inc=32768
net.inet.tcp.sendbuf_inc=65536
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.sendspace=262144
net.inet.tcp.syncache.rexmtlimit=0
@ -95,7 +103,7 @@ vfs.zfs.arc_max=51539607552
vfs.zfs.delay_min_dirty_percent=96
vfs.zfs.dirty_data_max=12884901888
vfs.zfs.prefetch_disable=0
vfs.zfs.top_maxinflight=128
#vfs.zfs.top_maxinflight=128
vfs.zfs.trim.txg_delay=2
vfs.zfs.txg.timeout=90
vfs.zfs.vdev.aggregation_limit=1048576
@ -116,3 +124,12 @@ net.inet.tcp.rack.data_after_close=0
#Cheap Disk Issues
kern.cam.ada.default_timeout=60
kern.cam.da.default_timeout=90
# best way to see misconfigured or non operational services
net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1
# Disable File Handle Affinity for NFS write operations.
# It improves NFS write throughput with ZFS sync=always on ship/pxe
vfs.nfsd.fha.write=0
vfs.nfsd.fha.max_nfsds_per_fh=32
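Review bot: The two `log_in_vain` lines are written in sysctl(8) display syntax (`name: value`) rather than the `name=value` form sysctl.conf needs, so `sysctl -f` treats each as an unknown OID to read and neither setting is ever applied; write them as `net.inet.tcp.log_in_vain=1` and `net.inet.udp.log_in_vain=1`. Once they take effect, every unsolicited packet to a closed port is logged, so on a host that is reachable from outside a port scan can fill the console and syslog — keep them if this NAS only sees internal traffic, otherwise rate-limit at the syslog side. `kern.random.harvest.mask=351` drops several entropy sources, presumably for throughput; a comment naming which sources were removed and why would make that reviewable. The file continues outside this hunk.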


@ -1,7 +1,7 @@
# Generated by resolvconf
search diyit.org
nameserver 192.168.0.5
nameserver 2603:3024:3f6:e1::5
nameserver 2603:3024:3f6:e2::5
nameserver 2603:3024:3f6:e5::5
nameserver 2603:3024:3f6:e9::5
nameserver fd01::5
nameserver fd02::5
nameserver fd05::5
nameserver fd09::5

86
jails/config/ci/jenkins Executable file

@ -0,0 +1,86 @@
#!/bin/sh
# $FreeBSD: head/devel/jenkins/files/jenkins.in 544211 2020-08-05 09:10:47Z lwhsu $
#
# PROVIDE: jenkins
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Configuration settings for jenkins in /etc/rc.conf:
#
# jenkins_enable (bool):
# Set to "NO" by default.
# Set it to "YES" to enable jenkins
#
# jenkins_args (str):
# Extra arguments passed to start command
#
# jenkins_home (str)
# Set to "/usr/local/jenkins" by default.
# Set the JENKINS_HOME variable for jenkins process
#
# jenkins_java_home (str):
# Set to "/usr/local/openjdk8" by default.
# Set the Java virtual machine to run jenkins
#
# jenkins_java_opts (str):
# Set to "" by default.
# Java VM args to use.
#
# jenkins_user (str):
# Set to "jenkins" by default.
# User to run jenkins as.
#
# jenkins_group (str):
# Set to "jenkins" by default.
# Group for data file ownership.
#
# jenkins_log_file (str):
# Set to "/var/log/jenkins.log" by default.
# Log file location.
#
. /etc/rc.subr
name=jenkins
desc="Jenkins automation server"
rcvar=jenkins_enable
load_rc_config "${name}"
: ${jenkins_enable:=NO}
: ${jenkins_home="/usr/local/jenkins"}
: ${jenkins_args="--webroot=${jenkins_home}/war"}
: ${jenkins_java_home="/usr/local/openjdk8"}
: ${jenkins_user="jenkins"}
: ${jenkins_group="jenkins"}
: ${jenkins_log_file="/var/log/jenkins.log"}
pidfile=/var/run/jenkins/jenkins.pid
command=/usr/sbin/daemon
java_cmd="${jenkins_java_home}/bin/java"
procname="${java_cmd}"
command_args="-p ${pidfile} ${java_cmd} -Xmx1g -DJENKINS_HOME=${jenkins_home} ${jenkins_java_opts} -jar /usr/local/share/jenkins/jenkins.war ${jenkins_args} >> ${jenkins_log_file} 2>&1"
required_files="${java_cmd}"
start_precmd=jenkins_prestart
start_cmd=jenkins_start
jenkins_prestart()
{
if [ ! -f "${jenkins_log_file}" ]; then
install -o "${jenkins_user}" -g "${jenkins_group}" -m 640 /dev/null "${jenkins_log_file}"
fi
if [ ! -d "/var/run/jenkins" ]; then
install -d -o "${jenkins_user}" -g "${jenkins_group}" -m 750 "/var/run/jenkins"
fi
}
jenkins_start()
{
check_startmsgs && echo "Starting ${name}."
su -l ${jenkins_user} -c "exec ${command} ${command_args} ${rc_arg}"
}
run_rc_command "$1"
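Review bot: `jenkins_start` hands the whole command line to `su -l ... -c "..."` as one string, so `jenkins_home`, `jenkins_java_opts` and `jenkins_args` taken from rc.conf are word-split and expanded a second time by the jenkins user's login shell, and `su -l` sources that user's profile before the exec; a value containing spaces meant as one argument, quotes or `$` will not reach java intact. This mirrors the port's script, so it is acceptable as long as only trusted rc.conf values are used, but a comment above the function would spare the next reader the surprise: `# command_args is re-parsed by the jenkins login shell; keep rc.conf values free of quotes and $`. The hard-coded `-Xmx1g` precedes `${jenkins_java_opts}`, so a larger heap can be set there; note that in the header block next to jenkins_java_opts.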


@ -0,0 +1,2 @@
export search_domains=ahlawat.com
export name_servers="192.168.0.5 fd01::5"


@ -12,7 +12,7 @@
# TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections
echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDOMAIN_NAME', \`$HOSTNAME')" >> /etc/mail/$HOSTNAME.mc
IP6=`ifconfig -f inet6:cidr | grep "2603:3024:3f6:e1::" | cut -d" " -f 2 | cut -d "/" -f 1`
IP6=`ifconfig -f inet6:cidr | grep "fd01::" | cut -d" " -f 2 | cut -d "/" -f 1`
echo "CLIENT_OPTIONS(\`Family=inet6, Address=$IP6')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confDH_PARAMETERS', \`/mnt/certs/dhparam2048.pem')" >> /etc/mail/$HOSTNAME.mc
echo "define(\`confTO_CONNECT', \`1m')" >> /etc/mail/$HOSTNAME.mc
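Review bot: `IP6` is taken from `grep "fd01::"` over every interface with no guard, so if more than one fd01:: address is configured (an alias, or a second VLAN in the jail) the variable becomes multi-line and the generated `CLIENT_OPTIONS` line is malformed, and if the address is not up yet when this runs it silently emits `Address=`. Take the first match and fail loudly instead: `IP6=$(ifconfig -f inet6:cidr | awk '/inet6 fd01::/ { sub("/.*", "", $2); print $2; exit }')` followed by `[ -n "$IP6" ] || { echo "no fd01:: address found" >&2; exit 1; }`. `$HOSTNAME` is unquoted in every redirection here; quote it. The script starts and ends outside this hunk.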

18
jails/config/dns/update6.sh Executable file

@ -0,0 +1,18 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
SIM="-s"
#SIM=""
rpl $SIM -v -R "2603:3024:3f6:21::" "2603:3024:3f6:1::" ./namedb
rpl $SIM -v -R "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2" "100.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1" ./namedb
rpl $SIM -v -R "2021030900" "2021031100" ./namedb
service $SIM named $SIM restart
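Review bot: The dry-run switch does not cover the restart: service(8) has no `-s` option, so with `SIM="-s"` the last line fails with a usage error rather than being skipped, and once `SIM=""` it runs unconditionally — replace it with `[ -n "$SIM" ] || service named restart`. The serial bump is a literal `2021030900` → `2021031100` applied with `rpl -R` to everything under ./namedb, so any zone whose serial differs is rewritten but not bumped and secondaries keep serving the old data; derive the serial per zone file instead of hard-coding it. Add `set -eu` after the shebang so a failed rpl does not fall through to the restart.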


@ -0,0 +1,10 @@
# Module: elasticsearch
# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-elasticsearch.html
- module: elasticsearch
xpack.enabled: true
period: 10s
hosts: ["https://elk.diyit.org:9200"]
#username: "user"
#password: "secret"
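Review bot: The module polls `https://elk.diyit.org:9200` with `xpack.enabled: true` while `username`/`password` stay commented and no `ssl.certificate_authorities` is given, so either the cluster answers monitoring queries unauthenticated — worth checking, since it would let anyone on the network read cluster state — or the module will fail every 10s with 401. If security is enabled, use a dedicated read-only monitoring user or an `api_key` rather than `elastic`, and keep the secret in the Beats keystore (`password: "${ES_PWD}"`) instead of this repo. If elk.diyit.org is signed by the private CA used elsewhere in this commit (`/mnt/certs/cacert.pem`), add `ssl.certificate_authorities` so verification does not depend on the host trust store.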


@ -19,8 +19,18 @@
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms4g
-Xmx4g
-Xmn4G
-Xms8G
-Xmx8G
-XX:MaxMetaspaceSize=2G
-Xss2G
-Xnoclassgc
-XX:MaxDirectMemorySize=2G
-XX:InitialRAMPercentage=80
-XX:MaxRAMPercentage=80
-XX:MinRAMPercentage=80
################################################################
## Expert settings
@ -33,7 +43,7 @@
################################################################
## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-9:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly
@ -43,9 +53,9 @@
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30
11-:-XX:+UseG1GC
11-:-XX:G1ReservePercent=25
11-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
@ -58,10 +68,10 @@
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data
-XX:HeapDumpPath=/data
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=logs/hs_err_pid%p.log
-XX:ErrorFile=/var/log/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
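Review bot: `-Xss2G` gives every JVM thread a 2 GiB stack; Elasticsearch runs hundreds of threads, so this reserves on the order of a terabyte of virtual address space and is likely to make thread creation fail (`unable to create native thread`) under load — remove it and keep the JVM default, which the stock jvm.options deliberately does not override. `-Xnoclassgc` disables class unloading, so with `MaxMetaspaceSize=2G` a long-running node with script/plugin class churn can only grow until it OOMs in metaspace; drop it as well. The `8-13:` CMS tuning lines remain while G1 is now selected from `11-:`, so JDK 11–13 receive both sets of flags; align them to `8-9:`. `-XX:HeapDumpPath=/data` writes full heap dumps — index contents and any credentials in memory — into /data; make sure that directory is readable only by the elasticsearch user.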


@ -0,0 +1,10 @@
# Module: kibana
# Docs: https://www.elastic.co/guide/en/beats/metricbeat/7.10/metricbeat-module-kibana.html
- module: kibana
xpack.enabled: true
period: 10s
hosts: ["localhost:5601"]
#basepath: ""
#username: "user"
#password: "secret"


@ -0,0 +1,189 @@
###################### Metricbeat Configuration Example #######################
# This file is an example configuration file highlighting only the most common
# options. The metricbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/metricbeat/index.html
# =========================== Modules configuration ============================
metricbeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/metricbeat.modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
# ======================= Elasticsearch template setting =======================
setup.template.settings:
index.number_of_shards: 1
index.codec: best_compression
#_source.enabled: false
# ================================== General ===================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:
# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false
# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
#host: "localhost:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
# =============================== Elastic Cloud ================================
# These settings simplify using Metricbeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["elk.diyit.org:9200"]
# Protocol - either `http` (default) or `https`.
protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
#username: "elastic"
#password: "changeme"
# ------------------------------ Logstash Output -------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# ================================= Processors =================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
# - add_docker_metadata: ~
# - add_kubernetes_metadata: ~
# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
# ============================= X-Pack Monitoring ==============================
# Metricbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Metricbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
# ============================== Instrumentation ===============================
# Instrumentation support for the metricbeat.
#instrumentation:
# Set to true to enable instrumentation of metricbeat.
#enabled: false
# Environment in which metricbeat is running on (eg: staging, production, etc.)
#environment: ""
# APM Server hosts to report instrumentation results to.
#hosts:
# - http://localhost:8200
# API Key for the APM Server(s).
# If api_key is set then secret_token will be ignored.
#api_key:
# Secret token for the APM Server(s).
#secret_token:
# ================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true
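Review bot: `output.elasticsearch` ships to `elk.diyit.org:9200` over https with every credential option commented out and no `ssl.certificate_authorities`, so either the cluster accepts unauthenticated writes from the network — which lets any host inject or overwrite metric data — or the beat will loop on 401s; confirm which, and if security is enabled use a per-beat `api_key` held in the keystore with a role limited to the metricbeat indices. `add_cloud_metadata: ~` probes the cloud metadata endpoints at every start; on a self-hosted FreeBSD jail that is only a timeout and an odd outbound connection, so comment it out. `reload.enabled: false` is fine, but note that anyone who can write to `metricbeat.modules.d/` can add modules (and credentials) that take effect on the next restart.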


@ -0,0 +1,4 @@
#!/usr/local/bin/bash
source /data/homeassistant/bin/activate
#pip install --upgrade git+git://github.com/home-assistant/home-assistant.git@dev
pip install --upgrade homeassistant
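Review bot: `pip install --upgrade homeassistant` installs whatever the newest PyPI release is at run time, with no version pin or hash check, so an unattended run can jump major versions or pick up a compromised release; pin it, e.g. `pip install --upgrade 'homeassistant==<tested version>'`, and bump on purpose. `source .../activate` is also unchecked, so if the venv is missing the install lands in the system Python as the invoking user: `source /data/homeassistant/bin/activate || exit 1`. The commented `git://` line, if ever re-enabled, fetches over an unauthenticated and unencrypted transport — use `git+https://`.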


@ -23,21 +23,21 @@ FILES="/var/log/auth.log"
#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30
THRESHOLD=10
# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120
BLOCK_TIME=1200
# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800
DETECTION_TIME=18000
# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=128
IPV6_SUBNET=64
# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=32
IPV4_SUBNET=24
#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!
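Review bot: With `THRESHOLD=10` a single failed login (score 10, per the comment) now triggers a block, and `IPV4_SUBNET=24` / `IPV6_SUBNET=64` widen it to the source's whole /24 or /64 for 20 minutes, growing by 1.5× each time; one mistyped password from a phone behind carrier NAT, or from the LAN itself, locks out everyone sharing that range, the operator included. Before applying this, exempt the management networks with `WHITELIST_FILE=/usr/local/etc/sshguard.whitelist` (or `WHITELIST_ARG`) listing 192.168.0.0/24, fd01::/64 and the other local ranges, and consider leaving `THRESHOLD=30` so a typo alone does not fire. The rest of the file is outside this hunk.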


@ -63,8 +63,8 @@ $cmd 01300 check-state
# Allow access to DNS
$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state
$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state
# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.


@ -0,0 +1,12 @@
.login-ui .login-dialog .logo {
background-image: url('app/ext/tempnamespace/images/logo-placeholder.png');
width: 5em;
-webkit-background-size: 5em auto;
}
div.login-ui {
background: #666;
background-color: #666;
}
.login-ui .login-dialog {
background-color: white;
}


@ -0,0 +1,20 @@
{
"guacamoleVersion" : "*",
"name" : "Tempname",
"namespace" : "tempnamespace",
"translations" : [
"translations/en.json"
],
"css" : [
"css/login-override.css"
],
"html" : [
"loginDisclaimer.html"
],
"resources" : {
"images/logo-placeholder.png" : "image/png"
}
}

Binary file not shown.



@ -0,0 +1,6 @@
<meta name="after" content=".login-ui .login-dialog">
<div class="welcome">
Ahlawat Network's Remote Access Server
<p>Restricted Access - only use if you have permission<p>
</div>
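Review bot: The banner's second paragraph is opened and "closed" with `<p>`; the closing tag should be `</p>`, otherwise an empty nested paragraph is injected into the login dialog. Browsers render it anyway, but a snippet injected into Guacamole's login view should be well-formed: `<p>Restricted Access - only use if you have permission</p>`. The same file is added a second time under the other extension copy in this commit with the same typo.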


@ -0,0 +1,5 @@
{
"APP":{
"NAME" : "Ahlawat Net RAS"
}
}


@ -0,0 +1,12 @@
.login-ui .login-dialog .logo {
background-image: url('app/ext/tempnamespace/images/logo-placeholder.png');
width: 5em;
-webkit-background-size: 5em auto;
}
div.login-ui {
background: #666;
background-color: #666;
}
.login-ui .login-dialog {
background-color: white;
}


@ -0,0 +1,20 @@
{
"guacamoleVersion" : "*",
"name" : "Tempname",
"namespace" : "tempnamespace",
"translations" : [
"translations/en.json"
],
"css" : [
"css/login-override.css"
],
"html" : [
"loginDisclaimer.html"
],
"resources" : {
"images/logo-placeholder.png" : "image/png"
}
}

Binary file not shown.



@ -0,0 +1,6 @@
<meta name="after" content=".login-ui .login-dialog">
<div class="welcome">
Ahlawat Network's Remote Access Server
<p>Restricted Access - only use if you have permission<p>
</div>


@ -0,0 +1,5 @@
{
"APP":{
"NAME" : "Ahlawat Net RAS"
}
}


@ -34,14 +34,14 @@
<param name="port">22</param>
<param name="font-name">monospace</param>
</connection>
<connection name="vnc-rpi3">
<connection name="vnc-rpi">
<protocol>vnc</protocol>
<param name="hostname">192.168.200.192</param>
<param name="port">5901</param>
<param name="password">vncpass</param>
<param name="color-depth">24</param>
</connection>
<connection name="ssh-rpi3">
<connection name="ssh-rpi">
<protocol>ssh</protocol>
<param name="hostname">192.168.200.192</param>
<param name="port">22</param>
@ -58,14 +58,14 @@
<authorize username="inseego" password="7cc6a3864acc736437f606146083abad" encoding="md5">
<connection name="vnc">
<protocol>vnc</protocol>
<param name="hostname">192.168.200.212</param>
<param name="hostname">192.168.200.192</param>
<param name="port">5901</param>
<param name="password">vncpass</param>
<param name="color-depth">24</param>
</connection>
<connection name="ssh">
<protocol>ssh</protocol>
<param name="hostname">192.168.200.212</param>
<param name="hostname">192.168.200.192</param>
<param name="port">22</param>
<param name="font-name">monospace</param>
</connection>
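Review bot: The retargeted `inseego` connections still carry the VNC password in cleartext (`vncpass`, the same one used by the rpi connection above) and the login is an unsalted MD5 hash (`encoding="md5"`), all of it committed to this repository, so anyone with read access to the repo or the jail can reach both hosts. user-mapping.xml is Guacamole's legacy file-based auth; since an LDAP server appears elsewhere in this commit, consider moving users to the LDAP (or JDBC) auth extension, where connection secrets live outside version control, and rotate `vncpass` now that it has been committed. If the file has to stay, use `encoding="sha256"` and keep it out of git. The file continues outside the hunks shown.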


@ -578,6 +578,16 @@ Include etc/apache24/Includes/*.conf
Require all granted
</Directory>
Alias /ssp "/usr/local/www/self-service-password"
<Directory "/usr/local/www/self-service-password">
AllowOverride None
Require all granted
</Directory>
<Directory "/usr/local/www/self-service-password/scripts">
AllowOverride None
Require all denied
</Directory>
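Review bot: The `/ssp` Alias points at the top of the self-service-password tree and only `scripts/` is denied, so `conf/` (where SSP typically keeps `config.inc.php` with the LDAP bind DN and password) and `lib/` sit inside the web root; if PHP handling for this vhost is ever disabled, or a copy is left under a non-.php name, those files are served verbatim. If this SSP version ships an `htdocs/` directory, alias `/ssp` to `/usr/local/www/self-service-password/htdocs` so `conf/`, `lib/` and `scripts/` fall outside the document root; otherwise add a matching `<Directory "/usr/local/www/self-service-password/conf">` block with `Require all denied`. The enclosing VirtualHost starts outside this hunk.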
ErrorLog "/var/log/ssl-error.log"
CustomLog "/var/log/ssl-access_log" combined
</VirtualHost>


@ -0,0 +1,6 @@
<head>
<meta http-equiv="refresh" content="0; URL=https://ldap-mgr.ahlawat.com/ssp" />
</head>
<body>
<p>If you are not redirected in zero seconds, <a href="https://ldap-mgr.ahlawat.com/ssp">click here</a>.</p>
</body>


@ -797,8 +797,10 @@ smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_n
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
# !!! THE LAST SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
# !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
smtpd_recipient_restrictions = permit_mynetworks,check_recipient_access hash:/usr/local/etc/postfix/protected_destinations,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unverified_recipient
smtpd_data_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_multi_recipient_bounce,reject_unauth_pipelining
smtpd_restriction_classes = good_senders_only
good_senders_only = check_sender_access hash:/usr/local/etc/postfix/restricted_senders,permit
# deliver mail for virtual users to Dovecot's LMTP socket
virtual_transport = lmtp:unix:private/dovecot-lmtp
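Review bot: `good_senders_only` ends with `permit`, and a restriction-class result of permit ends evaluation of `smtpd_recipient_restrictions` for that recipient, so mail to the protected domain (ahlawat.com) from any sender not listed in `restricted_senders` skips `reject_non_fqdn_recipient`, `reject_unknown_recipient_domain`, `reject_unauth_pipelining` and `reject_unverified_recipient` — the checks that matter most for the local domain. Relaying is still blocked by `smtpd_relay_restrictions`, but drop the trailing `permit` so a non-matching sender falls through to the remaining restrictions: `good_senders_only = check_sender_access hash:/usr/local/etc/postfix/restricted_senders`. In the map, `REJECT 521` is the "server does not accept mail" code and some clients may treat it as applying to the whole host; a per-sender block is conventionally a plain `REJECT` (550). The file continues outside this hunk.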


@ -0,0 +1,4 @@
# not everyone can send to these destinations
# we restrict some of them
ahlawat.com good_senders_only


@ -1,10 +1,13 @@
# update aliases.db
newaliases
#rm /usr/local/etc/postfix/system-virtual-mailboxes.db
#postmap /usr/local/etc/postfix/system-virtual-mailboxes
rm /usr/local/etc/postfix/virtual-maillist-alias-maps.db
postmap /usr/local/etc/postfix/virtual-maillist-alias-maps
rm /usr/local/etc/postfix/protected_destinations.db
postmap /usr/local/etc/postfix/protected_destinations
rm /usr/local/etc/postfix/restricted_senders.db
postmap /usr/local/etc/postfix/restricted_senders
service postfix reload
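Review bot: Deleting each `.db` before `postmap` is unnecessary — postmap rewrites the table in place under an exclusive lock — and it opens a window in which running smtpd processes find no table and tempfail every recipient check; worse, there is no `set -e`, so if one `postmap` fails on a syntax error the script still reloads Postfix with that table gone. Drop the `rm` lines and stop on the first failure: `set -e` at the top, then the `postmap` calls on their own. The head of the script is in this hunk and has no interpreter line; add `#!/bin/sh` before the first comment.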


@ -0,0 +1,5 @@
# We do not want mail from these folks, generally
cyou REJECT 521
qq.com REJECT 521
163.com REJECT 521


@ -14,30 +14,30 @@
. /etc/rc.subr
: ${mapsserver_enable="NO"}
: ${maps_enable="NO"}
name=mapsserver
name=maps
rcvar=${name}_enable
start_cmd="${name}_start"
stop_cmd="${name}_stop"
restart_cmd="${name}_restart"
mapsserver_start()
maps_start()
{
cd /data/networkmaps; ./server.js --config /usr/local/etc/networkmaps/config.json &
cd /data/networkmaps; ./smtp_daemon.js --config /usr/local/etc/networkmaps/config.json &
}
mapsserver_stop()
maps_stop()
{
ps ax | grep -ie server.js | grep -v grep | awk '{print $1}' | xargs kill -9
ps ax | grep -ie smtp_daemon.js | grep -v grep | awk '{print $1}' | xargs kill -9
}
mapsserver_restart()
maps_restart()
{
mapsserver_stop
mapsserver_start
maps_stop
maps_start
}
load_rc_config ${name}
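Review bot: `maps_stop` kills every process whose command line contains `server.js` or `smtp_daemon.js` (case-insensitively, via `ps | grep`), so any other Node service on the host with a similarly named entry point dies with it, and `-9` gives neither daemon a chance to close sockets or flush state; both daemons are also started with `&` as root, with no pidfile for the rc framework to track. Record the pids at start with daemon(8) and TERM exactly those at stop, as below; ideally also pass `-u <user>` to daemon so the Node processes do not run as root (the intended user is not visible here). The renames themselves are consistent across start, stop, restart and rcvar.
```shell
maps_start()
{
	cd /data/networkmaps || return 1
	/usr/sbin/daemon -p /var/run/maps-server.pid ./server.js --config /usr/local/etc/networkmaps/config.json
	/usr/sbin/daemon -p /var/run/maps-smtp.pid ./smtp_daemon.js --config /usr/local/etc/networkmaps/config.json
}
maps_stop()
{
	# SIGTERM only the pids recorded at start; let the daemons shut down cleanly
	for pf in /var/run/maps-server.pid /var/run/maps-smtp.pid; do
		[ -s "$pf" ] && kill "$(cat "$pf")"
	done
}
# … unchanged: maps_restart, load_rc_config …
```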


@ -1,9 +1,46 @@
# $FreeBSD: releng/12.2/lib/libc/net/hosts 338729 2018-09-17 18:56:47Z brd $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain meet
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#
192.168.0.67 meet
192.168.0.67 meet meet.ahlawat.com
fd01::67 meet meet.ahlawat.com
192.168.0.67 auth.meet.ahlawat.com
2603:3024:3f6:e1::67 auth.meet.ahlawat.com
fd01::67 auth.meet.ahlawat.com
192.168.0.67 confrence.meet.ahlawat.com
2603:3024:3f6:e1::67 conference.meet.ahlawat.com
fd01::67 conference.meet.ahlawat.com
192.168.0.67 focus.meet.ahlawat.com
2603:3024:3f6:e1::67 focus.meet.ahlawat.com
fd01::67 focus.meet.ahlawat.com
192.168.0.67 jistsi-videobridge.meet.ahlawat.com
2603:3024:3f6:e1::67 jitsi-videobridge.meet.ahlawat.com
fd01::67 jitsi-videobridge.meet.ahlawat.com
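Review bot: Two of the new IPv4 entries are misspelled — `confrence.meet.ahlawat.com` and `jistsi-videobridge.meet.ahlawat.com` — so IPv4 lookups for `conference.meet.ahlawat.com` and `jitsi-videobridge.meet.ahlawat.com` fall through to DNS while the IPv6 entries resolve locally; fix the two names. This file also keeps the global `2603:3024:3f6:e1::67` addresses that every other file in this commit replaces with `fd01::`; if the meet jail really is still on the global prefix, a comment saying so would stop a future sweep from removing them, otherwise they are stale. `meet` is mapped both to `127.0.0.1` on the loopback line and to `192.168.0.67`; which one a component binding to `meet` gets depends on the resolver, so give the loopback alias a distinct name.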


@ -13,7 +13,7 @@
-- blanks. Good luck, and happy Jabbering!
pidfile = "/var/run/prosody/prosody.pid"
-- interfaces = { "192.168.0.67", "2603:3024:3f6:e1::67" }
-- interfaces = { "192.168.0.67", "fd01::67" }
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings


@ -17,7 +17,7 @@ http {
tcp_nopush on;
aio on;
resolver 192.168.0.5 [2603:3024:3f6:e1::5];
resolver 192.168.0.5 [fd01::5];
proxy_http_version 1.1;
proxy_set_header Connection "";
@ -182,7 +182,7 @@ http {
listen [::]:8013;
server_name localhost;
location / {
proxy_pass http://update3.FreeBSD.org;
proxy_pass http://update5.FreeBSD.org;
}
}
server {


@ -66,7 +66,7 @@ frontend ft
# prevent browser from using non-secure
http-response add-header Strict-Transport-Security: max-age=15768000
acl network_allowed src 192.168.0.0/24 192.168.100.0/24 2603:3024:3f6:e1::/64
acl network_allowed src 192.168.0.0/24 fd01::/64
acl restricted_page path -i -m sub /wp-admin
acl restricted_page path -i -m sub /wp-login
http-request deny if restricted_page !network_allowed
@ -80,7 +80,6 @@ frontend ft
use_backend bk_ahlawat-nivi if { ssl_fc_sni nivedita.ahlawat.com }
use_backend bk_ahlawat-rishabh if { ssl_fc_sni rishabh.ahlawat.com }
# use_backend bk_ahlawat-book if { ssl_fc_sni book.ahlawat.com }
use_backend bk_ahlawat-book-443 if { ssl_fc_sni book.ahlawat.com }
use_backend bk_ahlawat-book-444 if { ssl_fc_sni book1.ahlawat.com }
use_backend bk_ahlawat-book-445 if { ssl_fc_sni book2.ahlawat.com }
@ -93,6 +92,7 @@ frontend ft
use_backend bk_ahlawat-meet if { ssl_fc_sni meet.ahlawat.com }
use_backend bk_ahlawat-monitor if { ssl_fc_sni monitor.ahlawat.com }
use_backend bk_ahlawat-jump if { ssl_fc_sni jump.ahlawat.com }
use_backend bk_ahlawat-hass if { ssl_fc_sni hass.ahlawat.com }
use_backend bk_diyit if { ssl_fc_sni diyit.org }
use_backend bk_diyit if { ssl_fc_sni www.diyit.org }
@ -113,6 +113,7 @@ frontend ft
use_backend bk_beyondbell-ci if { ssl_fc_sni ci.beyondbell.com }
use_backend bk_beyondbell-git if { ssl_fc_sni git.beyondbell.com }
use_backend bk_beyondbell-repo if { ssl_fc_sni repo.beyondbell.com }
use_backend bk_beyondbell-dashboard if { ssl_fc_sni dashboard.beyondbell.com }
use_backend bk_beyondbell-web-moonglade if { ssl_fc_sni moonglade.beyondbell.com }
use_backend bk_beyondbell-web-moonglade-private if { ssl_fc_sni moonglade-private.beyondbell.com }
use_backend bk_beyondbell-r-windows if { ssl_fc_sni moonglade-server.beyondbell.com }
@ -131,7 +132,7 @@ backend bk_ahlawat
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-sharad
balance roundrobin
# balance roundrobin
server srv1 sharadx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 web.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
@ -154,26 +155,24 @@ backend bk_ahlawat-rishabh
#backend bk_ahlawat-book
# server srv1 bookx.ahlawat.com:443 check ssl verify none
backend bk_ahlawat-book-443
# server srv1 2603:3024:3f6:e1::57:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-444
# server srv1 2603:3024:3f6:e1::57:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:444 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-book-445
# server srv1 2603:3024:3f6:e1::57:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 bookx.ahlawat.com:445 check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-cam
server srv1 192.168.0.54:8765 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-ci
@ -215,6 +214,12 @@ backend bk_ahlawat-monitor
backend bk_ahlawat-jump
server srv1 jumpx.ahlawat.com:8080 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_ahlawat-hass
server srv1 hassx.ahlawat.com:8123 check
server srv2 sharadx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN
@ -239,9 +244,6 @@ backend bk_diyit-kibana
backend bk_diyit-maps
server srv1 mapsx.diyit.org:443 ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv1 mapsx.diyit.org:443 check ssl ca-file /mnt/certs/cacert.pem alpn h2
# server srv2 web.diyit.org:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
# http-response add-header X-Frame-Options: SAMEORIGIN
@ -281,6 +283,12 @@ backend bk_beyondbell-repo
# http-response del-header Strict-Transport-Security
# http-response add-header Content-Security-Policy: upgrade-insecure-requests
backend bk_beyondbell-dashboard
http-request replace-header Host ^([^\ \t:]*:)\ https://dashboardx.beyondbell.com/(.*) \1\ http://192.168.0.92:8080/\2
http-response replace-header Host ^([^\ \t:]*:)\ http://192.168.0.92:8080/(.*) \1\ https://dashboardx.beyondbell.com/\2
server srv1 192.168.0.92:8080
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-web-moonglade
server srv1 192.168.0.74:8000
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
@ -297,6 +305,6 @@ backend bk_beyondbell-r-windows
http-response add-header X-Frame-Options: SAMEORIGIN
backend bk_beyondbell-windows
server srv1 192.168.0.81:26900 check
server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
server srv1 192.168.0.81:26900
# server srv2 rishabhx.ahlawat.com:443 backup check ssl ca-file /mnt/certs/cacert.pem alpn h2
http-response add-header X-Frame-Options: SAMEORIGIN


@ -28,6 +28,11 @@ ifconfig bridge9 addm tap2082 up
ifconfig tap2082 up
ifconfig tap2082 inet6 auto_linklocal
ifconfig tap4882 create
ifconfig bridge48 addm tap4882 up
ifconfig tap4882 up
ifconfig tap4882 inet6 auto_linklocal
ifconfig tap83 create
ifconfig bridge1 addm tap83 up
ifconfig tap83 up
@ -58,6 +63,11 @@ ifconfig bridge9 addm tap2086 up
ifconfig tap2086 up
ifconfig tap2086 inet6 auto_linklocal
ifconfig tap4886 create
ifconfig bridge48 addm tap4886 up
ifconfig tap4886 up
ifconfig tap4886 inet6 auto_linklocal
ifconfig tap90 create
ifconfig bridge1 addm tap90 up
ifconfig tap90 up
@ -83,6 +93,11 @@ ifconfig bridge9 addm tap2097 up
ifconfig tap2097 up
ifconfig tap2097 inet6 auto_linklocal
ifconfig tap4897 create
ifconfig bridge48 addm tap4897 up
ifconfig tap4897 up
ifconfig tap4897 inet6 auto_linklocal
ifconfig tap96 create
ifconfig bridge1 addm tap96 up
ifconfig tap96 up
@ -97,3 +112,8 @@ ifconfig tap2096 create
ifconfig bridge9 addm tap2096 up
ifconfig tap2096 up
ifconfig tap2096 inet6 auto_linklocal
ifconfig tap4896 create
ifconfig bridge48 addm tap4896 up
ifconfig tap4896 up
ifconfig tap4896 inet6 auto_linklocal


@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \
-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-a \
-s 5,virtio-net,tap97,mac=00:0A:0B:0C:0D:97 \
-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-a_data \
-s 7,virtio-net,tap4897,mac=00:0A:0B:0C:7D:97 \
-s 8,virtio-net,tap1097,mac=00:0A:0B:0C:8D:97 \
-s 9,virtio-net,tap2097,mac=00:0A:0B:0C:9D:97 \
-s 29,fbuf,tcp=0.0.0.0:5997,w=1600,h=900 \
@ -59,12 +60,3 @@ exit $?
#on base system:
#zfs create -V 32G -o refreservation=none ship/raw/cvm-a - docker partition
#zfs create -V 128G -o refreservation=none ship/raw/cvm-a_data - root partition
# on boot
#ifconfig tap97 create
#ifconfig bridge1 addm tap97 up
#ifconfig tap97 up
#ifconfig tap97 inet6 auto_linklocal
#ifconfig tap1097 create
#ifconfig bridge10 addm tap1097 up
#ifconfig tap1097 up
#ifconfig tap1097 inet6 auto_linklocal


@ -22,6 +22,7 @@ bhyve -c 4 -m 16G -A -H -P \
-s 4,virtio-blk,/dev/zvol/ship/raw/cvm-b \
-s 5,virtio-net,tap96,mac=00:0A:0B:0C:0D:96 \
-s 6,virtio-blk,/dev/zvol/ship/raw/cvm-b_data \
-s 7,virtio-net,tap4896,mac=00:0A:0B:0C:7D:96 \
-s 8,virtio-net,tap1096,mac=00:0A:0B:0C:8D:96 \
-s 9,virtio-net,tap2096,mac=00:0A:0B:0C:9D:96 \
-s 29,fbuf,tcp=0.0.0.0:5996,w=1600,h=900 \
@ -59,12 +60,3 @@ exit $?
#on base system:
#zfs create -V 32G -o refreservation=none ship/raw/cvm-b - docker partition
#zfs create -V 128G -o refreservation=none ship/raw/cvm-b_data - root partition
# on boot
#ifconfig tap96 create
#ifconfig bridge1 addm tap96 up
#ifconfig tap96 up
#ifconfig tap96 inet6 auto_linklocal
#ifconfig tap1096 create
#ifconfig bridge10 addm tap1096 up
#ifconfig tap1096 up
#ifconfig tap1096 inet6 auto_linklocal


@ -16,7 +16,7 @@ bhyvectl --destroy --vm=freebsd
while true
do
bhyve -c 4 -m 8G -A -H -P \
bhyve -c 2 -m 4G -A -H -P \
-s 0,hostbridge \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/freebsd \


@ -10,6 +10,9 @@
# ./kali.sh under tmux
# disabled for now
exit
# clean cached state
bhyvectl --destroy --vm=kali
@ -21,6 +24,7 @@ bhyve -c 2 -m 4G -A -H -P \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/kali \
-s 5,virtio-net,tap86,mac=00:0A:0B:0C:0D:86 \
-s 7,virtio-net,tap4886,mac=00:0A:0B:0C:8D:86 \
-s 8,virtio-net,tap1086,mac=00:0A:0B:0C:8D:86 \
-s 9,virtio-net,tap2086,mac=00:0A:0B:0C:9D:86 \
-s 29,fbuf,tcp=0.0.0.0:5986,w=1280,h=720 \
@ -59,15 +63,6 @@ exit $?
#on base system:
#zfs create -V 128G -o refreservation=none ship/raw/kali
##zfs create -V 128G -o refreservation=none ship/raw/kali_data
# on boot
#ifconfig tap86 create
#ifconfig bridge1 addm tap86 up
#ifconfig tap86 up
#ifconfig tap86 inet6 auto_linklocal
#ifconfig tap1086 create
#ifconfig bridge10 addm tap1086 up
#ifconfig tap1086 up
#ifconfig tap1086 inet6 auto_linklocal
# Install VNC
# curl -o turbovnc_2.2.5_amd64.deb https://sourceforge.net/projects/turbovnc/files/2.2.5/turbovnc_2.2.5_amd64.deb/download#
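Review bot: The new slot-7 NIC `-s 7,virtio-net,tap4886,mac=00:0A:0B:0C:8D:86` reuses the MAC that the tap1086 device on the very next line already carries (`00:0A:0B:0C:8D:86`), so the guest gets two virtio interfaces with the same hardware address. The other VMs in this commit give the bridge48 NIC its own `7D` octet (cvm-a `7D:97`, cvm-b `7D:96`, ubuntu `7D:82`), so this looks like a copy-paste slip; `-s 7,virtio-net,tap4886,mac=00:0A:0B:0C:7D:86 \` follows that pattern. The `exit` added after `# disabled for now` makes the rest of the script unreachable, which matches the comment, so no issue there. The bhyve invocation continues outside the hunk.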


@ -16,7 +16,7 @@ bhyvectl --destroy --vm=pbx
while true
do
bhyve -c 2 -m 8G -A -H -P \
bhyve -c 2 -m 4G -A -H -P \
-s 0,hostbridge \
-s 3,ahci-cd \
-s 4,virtio-blk,/dev/zvol/ship/raw/pbx \


@ -10,13 +10,16 @@
# ./r-windows.sh under tmux
# disabled for now
exit
# clean cached state
bhyvectl --destroy --vm=r-windows
while true
do
bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \
-s 0,hostbridge \
-s 4,ahci-hd,/dev/zvol/ship/raw/r-windows,sectorsize=512 \
-s 5,virtio-net,tap85,mac=00:0A:0B:0C:0D:85 \


@ -22,6 +22,7 @@ bhyve -c 8 -m 16G -A -H -P \
-s 4,virtio-blk,/dev/zvol/ship/raw/ubuntu \
-s 5,virtio-net,tap82,mac=00:0A:0B:0C:0D:82 \
-s 6,virtio-blk,/dev/zvol/ship/raw/ubuntu_data \
-s 7,virtio-net,tap4882,mac=00:0A:0B:0C:7D:82 \
-s 8,virtio-net,tap1082,mac=00:0A:0B:0C:8D:82 \
-s 9,virtio-net,tap2082,mac=00:0A:0B:0C:9D:82 \
-s 29,fbuf,tcp=0.0.0.0:5982,w=1600,h=900 \
@ -59,12 +60,3 @@ exit $?
#on base system:
#zfs create -V 32G -o refreservation=none ship/raw/ubuntu
#zfs create -V 128G -o refreservation=none ship/raw/ubuntu_data
# on boot
#ifconfig tap82 create
#ifconfig bridge1 addm tap82 up
#ifconfig tap82 up
#ifconfig tap82 inet6 auto_linklocal
#ifconfig tap1082 create
#ifconfig bridge10 addm tap1082 up
#ifconfig tap1082 up
#ifconfig tap1082 inet6 auto_linklocal


@ -16,7 +16,7 @@ bhyvectl --destroy --vm=windows
while true
do
bhyve -c sockets=1,cores=2,threads=2 -m 16G -S -A -H -P \
bhyve -c sockets=1,cores=2,threads=2 -m 8G -S -A -H -P \
-s 0,hostbridge \
-s 4,ahci-hd,/dev/zvol/ship/raw/windows,sectorsize=512 \
-s 5,virtio-net,tap81,mac=00:0A:0B:0C:0D:81 \


@ -62,8 +62,8 @@ $cmd 01300 check-state
# Allow access to DNS
#$cmd 02110 $skip tcp from any to 192.168.0.5 53 out via $rif setup keep-state
#$cmd 02111 $skip udp from any to 192.168.0.5 53 out via $rif keep-state
#$cmd 02112 $skip tcp from any to 2603:3024:3f6:e1::5 53 out via $rif setup keep-state
#$cmd 02113 $skip udp from any to 2603:3024:3f6:e1::5 53 out via $rif keep-state
#$cmd 02112 $skip tcp from any to fd01::5 53 out via $rif setup keep-state
#$cmd 02113 $skip udp from any to fd01::5 53 out via $rif keep-state
# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.


@ -1,2 +1,2 @@
export search_domains="datavpc.com mydatavpc.com ahlawat.com"
export name_servers="192.168.0.5 2603:3024:3f6:e1::5"
export name_servers="192.168.0.5 fd01::5"


@ -1,2 +1,2 @@
export search_domains="diyit.org diyit.space ahlawat.com"
export name_servers="192.168.0.5 2603:3024:3f6:e1::5"
export search_domains="diyit.org ahlawat.com"
export name_servers="192.168.0.5 fd01::5"


@ -0,0 +1,16 @@
imap_host = "mail.ahlawat.com"
imap_port = 993
imap_secure = "SSL"
imap_short_login = On
sieve_use = Off
sieve_allow_raw = Off
sieve_host = ""
sieve_port = 4190
sieve_secure = "None"
smtp_host = "mail.ahlawat.com"
smtp_port = 587
smtp_secure = "TLS"
smtp_short_login = On
smtp_auth = On
smtp_php_mail = Off
white_list = ""
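Review bot: `sieve_secure = "None"` together with the empty `sieve_host` is only harmless because `sieve_use = Off` sits two lines above it; if sieve is switched on later without touching this line, the ManageSieve session on port 4190 would run without transport encryption. A comment tying the two settings together would keep that from being missed, for example `; sieve is disabled; set sieve_secure = "TLS" before enabling it`. IMAP on 993 with `"SSL"` and submission on 587 with `"TLS"` (STARTTLS, if I recall RainLoop's naming correctly) are the expected pairings. The file's path is not shown on this page, so the consuming application is inferred from the keys.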


@ -0,0 +1 @@
outlook.com,qq.com,yahoo.com,gmail.com


@ -0,0 +1,4 @@
Deny from all
<IfModule mod_autoindex.c>
Options -Indexes
</ifModule>
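Review bot: `Deny from all` is the Apache 2.2 access-control syntax; on the apache24 instances this repository drives elsewhere in the commit it only works when mod_access_compat is loaded, and without that module Apache rejects the directive when it reads the .htaccess, so requests into the directory fail with a server error instead of a clean deny. The 2.4-native form is `Require all denied`; if both server generations must be supported, keep the old line inside an `<IfModule !mod_authz_core.c>` block and add the new one under `<IfModule mod_authz_core.c>`. The closing `</ifModule>` does not match the case of the opening `<IfModule mod_autoindex.c>`; Apache matches section names case-insensitively so it works, but `</IfModule>` is the conventional spelling. The file's path is not shown on this page, so which vhost serves it is inferred.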


@ -0,0 +1,9 @@
; RainLoop Webmail plugin (ldap-change-password)
[plugin]
hostname = "ldaps://ldap.ahlawat.com"
port = 636
user_dn_format = "cn={imap:login},ou=people,dc=infra"
password_field = "userPassword"
password_enc_type = "SSHA"
allowed_emails = "*"


@ -29,11 +29,11 @@ JAILUSERVNC=$7
I6CONFIG=true
I4NW="192.168.0"
I6NW="2603:3024:3f6:e1"
I6NW="fd01"
I4GW="192.168.0.5"
I6GW="2603:3024:3f6:e1::5"
I6GW="fd01::5"
I4NS="192.168.0.5"
I6NS="2603:3024:3f6:e1::5"
I6NS="fd01::5"
# these IP spaces are diyit deployment specific
echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
@ -69,15 +69,6 @@ if $I6CONFIG; then
iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
fi
# create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf
iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf"
if $I6CONFIG; then
iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf"
else
iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf"
fi
iocage exec $JAIL "resolvconf -u"
iocage exec $JAIL "mkdir -p /mnt/certs"
iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
iocage exec $JAIL "mkdir -p /mnt/config"
@ -87,6 +78,10 @@ iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files
iocage exec $JAIL "mkdir -p /mnt/common"
iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf
iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"
iocage exec $JAIL "resolvconf -u"
iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
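Review bot: The new resolvconf line tests for `/mnt/config/resolv.conf` but copies `/mnt/config/resolvconf.conf`, so a per-jail `resolvconf.conf` override is never picked up unless an unrelated `resolv.conf` happens to sit beside it, and the common file silently wins every time. The pkgp line two lines below tests and copies the same name; this one should match it: `iocage exec $JAIL "[ -f /mnt/config/resolvconf.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"`. With the `a && b || c` shape a failed copy of the per-jail file also falls through to the common file rather than surfacing the error; an `if`/`else` inside the quoted command would make that explicit. Since the removed lines built `name_servers` from `$I4NS`/`$I6NS`, the per-jail or common resolvconf.conf must now carry those addresses itself, which is worth a comment next to the new line.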


@ -8,6 +8,9 @@
#
#
echo "checking pkgp jail nginx instance is running"
iocage exec pkgp "service nginx status"
web_jails=(cloud hub nivi rachna rishabh sharad web web-diyit web-datavpc ldap-mgr r-ldap-mgr monitor)
for i in ${web_jails[@]};
@ -35,7 +38,3 @@ do
iocage exec $i "cp /mnt/config/httpd.conf /usr/local/etc/apache24/httpd.conf"
iocage exec $i "service apache24 restart"
done
echo ""
echo "checking pkgp jail nginx instance is running"
iocage exec pkgp "service nginx status"
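Review bot: The relocated `iocage exec pkgp "service nginx status"` prints the status but its exit code is not used, so the loop below still restarts apache24 in every web jail when the package-proxy nginx is down. If moving the check to the top was meant to gate the restarts, `iocage exec pkgp "service nginx status" || exit 1` does that in one line; if it is purely informational, a comment saying so on the `echo` line would settle the question for the next reader. The loop body lies outside this hunk.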


@ -37,6 +37,9 @@ iocage exec mail "service dovecot restart"
echo "restarting ELK in jail elk after SSL update"
iocage exec elk "cp /mnt/certs/diy*.pem /usr/local/etc/elasticsearch/certs"
iocage exec elk "cp /mnt/certs/cacert.pem /usr/local/etc/elasticsearch/certs"
exit
iocage exec elk "service elasticsearch restart"
iocage exec elk "service kibana restart"
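Review bot: The bare `exit` inserted after the certificate copies into the elk jail makes the `service elasticsearch restart` and `service kibana restart` lines below it unreachable, and with them anything that follows this hunk in the script, so the new certificates land on disk but are never loaded until someone restarts those services by hand. If that is deliberate, say so on the line the way kali.sh and r-windows.sh in this commit do (`# disabled for now`), or comment out the two restart lines instead of truncating the script; if it is a debugging leftover it should be removed. The script continues outside the hunk, so I cannot see what else becomes dead.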


@ -99,3 +99,5 @@ echo "check hub for index.html and adminer version"
echo ""
echo "iocage exec cert \"/root/.acme.sh/acme.sh --upgrade\""
echo "iocage exec cert \"/mnt/config/backup.sh\""
echo ""
echo "iocage exec hass \"/mnt/config/hass-upgrade.sh\""


@ -13,7 +13,7 @@ these certifcates need to be updated with /mnt/certs
vpngw:
service openvpn onestart
service ipfw restart
service natd restart
ibm:


@ -52,7 +52,7 @@ read -p "update pkgp jail (y/N)? " RESP
if [ ! -z $RESP ] && [ $RESP == "y" ]; then
JAIL="pkgp"
update_jail
/root/FreeBSD/jail/jails-update-pkgs.sh pkgp-only
/root/FreeBSD/jails/jails-update-pkgs.sh pkgp-only
fi
read -p "update all jails (y/N)? " RESP

16
scripts/find-sonewconn.sh Executable file

@ -0,0 +1,16 @@
#!/usr/local/bin/bash
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
for jail in $(jls -h name | tail +2); do
sudo jexec $jail netstat -LAan 2>/dev/null | grep -q $1;
if [ $? -eq 0 ]; then
echo "found in jail $jail";
fi;
done
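Review bot: `$1` reaches `grep -q` unquoted and unvalidated, so a pattern with spaces or a leading `-` is mis-parsed, and running the script with no argument makes grep fail on usage in every jail, which the `[ $? -eq 0 ]` test then reports as simply not found. Assigning it first with `${1:?...}` gives a usage error up front, `grep -qF -- "$pattern"` matches the address or port literally (drop `-F` if regex input is wanted), `$jail` should be quoted, and the `$?` test folds into the `if`. The `2>/dev/null` on the jexec pipeline also hides a jail that is not running or a missing sudo right; that may be intended, but a comment would say so.

```shell
pattern=${1:?usage: ${0##*/} <address-or-port>}
for jail in $(jls -h name | tail +2); do
  if sudo jexec "$jail" netstat -LAan 2>/dev/null | grep -qF -- "$pattern"; then
    echo "found in jail $jail"
  fi
done
```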

74
scripts/mbuf.sh Executable file

@ -0,0 +1,74 @@
#!/bin/sh
# Copyright (c) 2018-2021, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
MCLBYTES=2048
MSIZE=256
PHYSMEM=`sysctl -n hw.physmem`
PAGE_SIZE=`sysctl -n hw.pagesize`
VM_KMEM_SIZE=`sysctl -n vm.kmem_size`
REALMEM=${VM_KMEM_SIZE}
MAXMBUFMEM=`expr $REALMEM / 4 \* 3`
MJUMPAGESIZE=$PAGE_SIZE
MJUM9BYTES=`expr 9 \* 1024`
MJUM16BYTES=`expr 16 \* 1024`
#NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 4` # higher # of jails
NMBCLUSTERS=`expr $MAXMBUFMEM / $MCLBYTES / 3`
NMBJUMBOP=`expr $MAXMBUFMEM / $MJUMPAGESIZE / 4`
NMBJUMBO9=`expr $MAXMBUFMEM / $MJUM9BYTES / 6`
NMBJUMBO16=`expr $MAXMBUFMEM / $MJUM16BYTES / 6`
NMBUFS=`sysctl -n kern.ipc.nmbufs`
NMMAX1=`expr $NMBCLUSTERS + $NMBJUMBOP + $NMBJUMBO9 + $NMBJUMBO16`
NMMAX2=`expr $MAXMBUFMEM / $MSIZE / 5`
if [ $NMMAX1 -gt $NMMAX2 ]; then
NMBUFS=$NMMAX1
else
NMBUFS=$NMMAX2
fi
show()
{
echo "# `basename $0 ` suggested settings:"
echo "kern.ipc.maxmbufmem=$MAXMBUFMEM"
echo "kern.ipc.nmbclusters=$NMBCLUSTERS"
echo "kern.ipc.nmbjumbop=$NMBJUMBOP"
echo "kern.ipc.nmbjumbo9=$NMBJUMBO9"
echo "kern.ipc.nmbjumbo16=$NMBJUMBO16"
echo "kern.ipc.nmbufs=$NMBUFS"
}
compare()
{
echo "kern.ipc.maxmbufmem: `sysctl -n kern.ipc.maxmbufmem` (current)"
echo " --> $MAXMBUFMEM (suggested)"
echo "kern.ipc.nmbclusters: `sysctl -n kern.ipc.nmbclusters`"
echo " --> $NMBCLUSTERS"
echo "kern.ipc.nmbjumbop: `sysctl -n kern.ipc.nmbjumbop`"
echo " --> $NMBJUMBOP"
echo "kern.ipc.nmbjumbo9: `sysctl -n kern.ipc.nmbjumbo9`"
echo " --> $NMBJUMBO9"
echo "kern.ipc.nmbjumbo16: `sysctl -n kern.ipc.nmbjumbo16`"
echo " --> $NMBJUMBO16"
echo "kern.ipc.nmbufs: `sysctl -n kern.ipc.nmbufs`"
echo " --> $NMBUFS"
vmstat -z|grep -E '^ITEM|mbuf'
netstat -m
# vmstat -m
}
if [ $# -gt 0 ]; then
if [ $1 == '-c' ]; then
compare
exit 0
fi
fi
show
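Review bot: The `NMBUFS` read from `sysctl -n kern.ipc.nmbufs` near the top is overwritten on both branches of the `if [ $NMMAX1 -gt $NMMAX2 ]` block, and `PHYSMEM` is never referenced, so both sysctl reads are dead (the "(current)" value printed by `compare` comes from a separate sysctl call, not that variable). The option test `if [ $1 == '-c' ]` uses `==`, which POSIX `test` does not define (FreeBSD's test tolerates it, but a `#!/bin/sh` script should use `=`), and leaves `$1` unquoted; `if [ "${1-}" = '-c' ]; then` fixes both and makes the enclosing `[ $# -gt 0 ]` check unnecessary. The `expr` arithmetic would read more plainly as `$(( ))`, e.g. `MAXMBUFMEM=$((REALMEM / 4 * 3))`, and `basename $0 ` has a stray space inside the substitution. Blank lines seem to have been dropped from this rendering (74 additions declared, fewer shown), so line references are approximate.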