May 1, 2025 update

2025-05-01 21:19:17 -07:00
parent a2cdf26594
commit b33d54d723
261 changed files with 2451 additions and 12859 deletions
--- a/jails/config/hub/httpd.conf
+++ b/jails/config/hub/httpd.conf
@ -553,6 +553,14 @@ SSLRandomSeed connect builtin

 Include etc/apache24/Includes/*.conf

+# https://ssl-config.mozilla.org/#server=apache&version=2.4.60&config=intermediate&openssl=3.1.0&guideline=5.7
+
+<VirtualHost *:80>
+    RewriteEngine On
+    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
+    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
+</VirtualHost>
+
 <VirtualHost *:443>
    ServerName hub.ahlawat.com
    ServerAlias *.ahlawat.com
@ -562,16 +570,20 @@ Include etc/apache24/Includes/*.conf

    DocumentRoot "/usr/local/www/apache24/data/"

+    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
+    Header always set Strict-Transport-Security "max-age=63072000"
+
    SSLEngine on
    SSLCertificateFile "/mnt/certs/fullchain.pem"
    SSLCertificateKeyFile "/mnt/certs/privkey.pem"
-    #SSLCertificateChainFile "/mnt/certs/fullchain.pem"
-    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    SSLHonorCipherOrder off
-    SSLSessionTickets off
-    SSLOptions +StrictRequire
-#    SSLCompression off
+#    SSLCertificateChainFile "/mnt/certs/fullchain.pem"
+    SSLCACertificateFile "/mnt/certs/cacert.pem"
+
+    SSLProtocol             -all +TLSv1.2 +TLSv1.3
+    SSLOpenSSLConfCmd       Curves X25519:prime256v1:secp384r1
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
--- a/jails/config/hub/periodic.conf
+++ b/jails/config/hub/periodic.conf
@ -1,4 +1,4 @@
-daily_rkhunter_update_enable="YES"
-daily_rkhunter_update_flags="--update --nocolors"
-daily_rkhunter_check_enable="YES"
-daily_rkhunter_check_flags="--checkall --nocolors --skip-keypress"
+security_rkhunter_update_enable="YES"
+security_rkhunter_update_flags="--update --nocolors"
+security_rkhunter_check_enable="YES"
+security_rkhunter_check_flags="--checkall --nocolors --skip-keypress"
--- a/jails/config/hub/pkg-list-details-old.txt
+++ b/jails/config/hub/pkg-list-details-old.txt
@ -1,28 +1,34 @@
-pkgp123____apache24-2.4.54
-pkgp123____apr-1.7.0.1.6.1_2
-pkgp123____pkg-1.18.4
-pkgp123____samba413-4.13.17_4
-pkgp-freebsd-pkg____bash-5.2.9
-pkgp-freebsd-pkg____bash-completion-2.11_1,2
-pkgp-freebsd-pkg____firefox-esr-102.5.0,1
-pkgp-freebsd-pkg____fluxbox-1.3.7_5
-pkgp-freebsd-pkg____iperf3-3.12
-pkgp-freebsd-pkg____mc-4.8.28
-pkgp-freebsd-pkg____nano-6.4
+pkgp123____apache24-2.4.63
+pkgp123____apr-1.7.5.1.6.3_4
+pkgp123____ca_root_nss-3.108
+pkgp123____pkg-2.1.2
+pkgp123____samba416-4.16.11_6
+pkgp-freebsd-pkg____bash-5.2.37
+pkgp-freebsd-pkg____bash-completion-2.14.0,2
+pkgp-freebsd-pkg____fluxbox-1.3.7_10
+pkgp-freebsd-pkg____iperf3-3.18
+pkgp-freebsd-pkg____mc-4.8.32
+pkgp-freebsd-pkg____nano-8.4
 pkgp-freebsd-pkg____p7zip-16.02_3
-pkgp-freebsd-pkg____php81-ldap-8.1.12
-pkgp-freebsd-pkg____php81-mysqli-8.1.12
-pkgp-freebsd-pkg____php81-pgsql-8.1.12
-pkgp-freebsd-pkg____php81-session-8.1.12
-pkgp-freebsd-pkg____rename-1.99.2
-pkgp-freebsd-pkg____rkhunter-1.4.6_1
-pkgp-freebsd-pkg____rsync-3.2.6
-pkgp-freebsd-pkg____sshguard-2.4.2_2,1
-pkgp-freebsd-pkg____sudo-1.9.12p1
-pkgp-freebsd-pkg____tigervnc-server-1.12.0_5
-pkgp-freebsd-pkg____unrar-6.12,6
-pkgp-freebsd-pkg____wget-1.21.3_1
-pkgp-freebsd-pkg____xauth-1.1.1
+pkgp-freebsd-pkg____php84-8.4.6
+pkgp-freebsd-pkg____php84-filter-8.4.6
+pkgp-freebsd-pkg____php84-gd-8.4.6
+pkgp-freebsd-pkg____php84-iconv-8.4.6
+pkgp-freebsd-pkg____php84-ldap-8.4.6
+pkgp-freebsd-pkg____php84-mbstring-8.4.6
+pkgp-freebsd-pkg____php84-mysqli-8.4.6
+pkgp-freebsd-pkg____php84-pgsql-8.4.6
+pkgp-freebsd-pkg____php84-session-8.4.6
+pkgp-freebsd-pkg____rename-1.99.2_1
+pkgp-freebsd-pkg____rkhunter-1.4.6_3
+pkgp-freebsd-pkg____rsync-3.4.1_2
+pkgp-freebsd-pkg____sshguard-2.4.3_3,1
+pkgp-freebsd-pkg____sudo-1.9.16p2_1
+pkgp-freebsd-pkg____tigervnc-server-1.15.0
+pkgp-freebsd-pkg____tmux-3.5a_1
+pkgp-freebsd-pkg____unrar-7.11,6
+pkgp-freebsd-pkg____wget-1.25.0
+pkgp-freebsd-pkg____xauth-1.1.4
 pkgp-freebsd-pkg____xorg-fonts-truetype-7.7_1
-pkgp-freebsd-pkg____xorriso-1.5.4
-pkgp-freebsd-pkg____xterm-375
+pkgp-freebsd-pkg____xorriso-1.5.6_2
+pkgp-freebsd-pkg____xterm-397_2
--- a/jails/config/hub/pkg-list-details.txt
+++ b/jails/config/hub/pkg-list-details.txt
@ -1,28 +1,34 @@
-pkgp123____apache24-2.4.54
-pkgp123____apr-1.7.0.1.6.1_2
-pkgp123____pkg-1.18.4
-pkgp123____samba413-4.13.17_4
-pkgp-freebsd-pkg____bash-5.2.12
-pkgp-freebsd-pkg____bash-completion-2.11_2,2
-pkgp-freebsd-pkg____firefox-esr-102.5.0_1,1
-pkgp-freebsd-pkg____fluxbox-1.3.7_5
-pkgp-freebsd-pkg____iperf3-3.12
-pkgp-freebsd-pkg____mc-4.8.28
-pkgp-freebsd-pkg____nano-7.0
+pkgp123____apache24-2.4.63
+pkgp123____apr-1.7.5.1.6.3_4
+pkgp123____ca_root_nss-3.108
+pkgp123____pkg-2.1.2
+pkgp123____samba416-4.16.11_6
+pkgp-freebsd-pkg____bash-5.2.37
+pkgp-freebsd-pkg____bash-completion-2.14.0,2
+pkgp-freebsd-pkg____fluxbox-1.3.7_10
+pkgp-freebsd-pkg____iperf3-3.18
+pkgp-freebsd-pkg____mc-4.8.32
+pkgp-freebsd-pkg____nano-8.4
 pkgp-freebsd-pkg____p7zip-16.02_3
-pkgp-freebsd-pkg____php81-ldap-8.1.13
-pkgp-freebsd-pkg____php81-mysqli-8.1.13
-pkgp-freebsd-pkg____php81-pgsql-8.1.13
-pkgp-freebsd-pkg____php81-session-8.1.13
-pkgp-freebsd-pkg____rename-1.99.2
-pkgp-freebsd-pkg____rkhunter-1.4.6_1
-pkgp-freebsd-pkg____rsync-3.2.6
-pkgp-freebsd-pkg____sshguard-2.4.2_2,1
-pkgp-freebsd-pkg____sudo-1.9.12p1
-pkgp-freebsd-pkg____tigervnc-server-1.12.0_5
-pkgp-freebsd-pkg____unrar-6.12,6
-pkgp-freebsd-pkg____wget-1.21.3_1
-pkgp-freebsd-pkg____xauth-1.1.1
+pkgp-freebsd-pkg____php84-8.4.6
+pkgp-freebsd-pkg____php84-filter-8.4.6
+pkgp-freebsd-pkg____php84-gd-8.4.6
+pkgp-freebsd-pkg____php84-iconv-8.4.6
+pkgp-freebsd-pkg____php84-ldap-8.4.6
+pkgp-freebsd-pkg____php84-mbstring-8.4.6
+pkgp-freebsd-pkg____php84-mysqli-8.4.6
+pkgp-freebsd-pkg____php84-pgsql-8.4.6
+pkgp-freebsd-pkg____php84-session-8.4.6
+pkgp-freebsd-pkg____rename-1.99.2_1
+pkgp-freebsd-pkg____rkhunter-1.4.6_3
+pkgp-freebsd-pkg____rsync-3.4.1_2
+pkgp-freebsd-pkg____sshguard-2.4.3_3,1
+pkgp-freebsd-pkg____sudo-1.9.16p2_1
+pkgp-freebsd-pkg____tigervnc-server-1.15.0
+pkgp-freebsd-pkg____tmux-3.5a_1
+pkgp-freebsd-pkg____unrar-7.11,6
+pkgp-freebsd-pkg____wget-1.25.0
+pkgp-freebsd-pkg____xauth-1.1.4
 pkgp-freebsd-pkg____xorg-fonts-truetype-7.7_1
-pkgp-freebsd-pkg____xorriso-1.5.4
-pkgp-freebsd-pkg____xterm-377
+pkgp-freebsd-pkg____xorriso-1.5.6_2
+pkgp-freebsd-pkg____xterm-397_2
--- a/jails/config/hub/pkg-list-old.txt
+++ b/jails/config/hub/pkg-list-old.txt
@ -1 +1 @@
-apache24 apr bash bash-completion firefox-esr fluxbox iperf3 mc nano p7zip php81-ldap php81-mysqli php81-pgsql php81-session pkg rename rkhunter rsync samba413 sshguard sudo tigervnc-server unrar wget xauth xorg-fonts-truetype xorriso xterm
+apache24 apr bash bash-completion ca_root_nss fluxbox iperf3 mc nano p7zip php84 php84-filter php84-gd php84-iconv php84-ldap php84-mbstring php84-mysqli php84-pgsql php84-session pkg rename rkhunter rsync samba416 sshguard sudo tigervnc-server tmux unrar wget xauth xorg-fonts-truetype xorriso xterm
--- a/jails/config/hub/pkg-list.txt
+++ b/jails/config/hub/pkg-list.txt
@ -1 +1 @@
-apache24 apr bash bash-completion firefox-esr fluxbox iperf3 mc nano p7zip php81-ldap php81-mysqli php81-pgsql php81-session pkg rename rkhunter rsync samba413 sshguard sudo tigervnc-server unrar wget xauth xorg-fonts-truetype xorriso xterm
+apache24 apr bash bash-completion ca_root_nss fluxbox iperf3 mc nano p7zip php84 php84-filter php84-gd php84-iconv php84-ldap php84-mbstring php84-mysqli php84-pgsql php84-session pkg rename rkhunter rsync samba416 sshguard sudo tigervnc-server tmux unrar wget xauth xorg-fonts-truetype xorriso xterm
--- a/jails/config/hub/pkgp.conf
+++ b/jails/config/hub/pkgp.conf
@ -5,14 +5,12 @@ FreeBSD: {

 pkgp-freebsd-pkg: {
    url: "http://pkgp-freebsd-pkg.ahlawat.com/${ABI}/latest",
-    mirror_type: "http",
    enabled: yes,
    priority: 10
 }

 pkgp123: {
    url: "http://pkgp.ahlawat.com/packages/pj123-default",
-    mirror_type: "http",
    signature_type: "pubkey",
    pubkey: "/mnt/certs/poudriere.cert",
    enabled: yes,
--- a/jails/config/hub/smb4.conf
+++ b/jails/config/hub/smb4.conf
@ -57,30 +57,18 @@
    valid users = p
    browseable = yes

-[imax-4k]
-    path = /mnt/imax-4k
-    read only = yes
-    valid users = p
-    browseable = yes
-
-[movies-4k]
-    path = /mnt/movies-4k
-    read only = yes
-    valid users = p
-    browseable = yes
-
-[movies-hd]
-    path = /mnt/movies-hd
-    read only = yes
-    valid users = p
-    browseable = yes
-
 [movies]
    path = /mnt/movies
    read only = yes
    valid users = p
    browseable = yes

+[tv]
+    path = /mnt/tv
+    read only = yes
+    valid users = p
+    browseable = yes
+
 [tuts]
    path = /mnt/tuts
    read only = yes
@ -104,3 +92,15 @@
    read only = yes
    valid users = p
    browseable = yes
+
+[cam]
+    path = /mnt/cam
+    read only = yes
+    valid users = p
+    browseable = yes
+
+[media]
+    path = /mnt/cam/media
+    read only = yes
+    valid users = p
+    browseable = yes
--- a/jails/config/hub/sshd_config
+++ b/jails/config/hub/sshd_config
@ -1,5 +1,5 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-#	$FreeBSD: releng/12.1/crypto/openssh/sshd_config 338561 2018-09-10 16:20:12Z des $
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+#	$FreeBSD$

 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@ -62,7 +62,7 @@ PasswordAuthentication no
 PermitEmptyPasswords no

 # Change to no to disable PAM authentication
-ChallengeResponseAuthentication no
+#KbdInteractiveAuthentication yes

 # Kerberos options
 #KerberosAuthentication no
@ -76,13 +76,13 @@ ChallengeResponseAuthentication no

 # Set this to 'no' to disable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 #UsePAM yes

 #AllowAgentForwarding yes
@ -105,7 +105,7 @@ ClientAliveCountMax 1
 #PermitTunnel no
 #ChrootDirectory none
 #UseBlacklist no
-#VersionAddendum FreeBSD-20180909
+#VersionAddendum FreeBSD-20211221

 # no default banner path
 #Banner none