Jun 1, 2020: update

configs/etc/ctl.conf

@@ -0,0 +1,35 @@
+portal-group pg0 {
+	discovery-auth-group no-authentication
+	listen 0.0.0.0
+	listen [::]
+}
+
+target iqn.nas.ahlawat.com:lab13 {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/lab13
+		size 128G
+	}
+}
+
+target iqn.nas.ahlawat.com:lab17 {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/lab17
+		size 128G
+	}
+}
+
+target iqn.nas.ahlawat.com:lab18 {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/lab18
+		size 128G
+	}
+}

configs/etc/exports

@@ -0,0 +1,3 @@
+/mnt/ship/pxe/FreeBSD11 -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD12 -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD13 -alldirs -maproot=root

configs/pxe/.ssh/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAGJkR8PJBp68y44o4H44HueSGYbyg1+8VJP43YEj4M7ssKagMTH5QQEifU1gepdLgoK7mr+9yLpNXUlzT56FOcpQ3cyjPtp58N3384FrewAgiyA2dqwSxN/UsPXXA5F88HxcuhKXfEZgugC92W3LL8/U8dC/nSwj1hFVjWf75OpXqTjJFaBKhVYDjo75OfkzIwWQLmrFO/VF9TmA41eRn/yXZs+S504iVV+0dK6MgkN5FJoPj+XsKNr1pgQTIn63AtdLB2wW4gafWTQI6SMBYUPkfcrFdLR73+g2+IOSiLdB37us2XXtwHw1shJwLlz0j+1EVjZjOFAWILDNwrzJt ahlawat@ahlawat.com

configs/pxe/ctl.conf

@@ -0,0 +1,35 @@
+portal-group pg0 {
+	discovery-auth-group no-authentication
+	listen 0.0.0.0
+	listen [::]
+}
+
+target iqn.nas.ahlawat.com:lab13 {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/lab13
+		size 128G
+	}
+}
+
+target iqn.nas.ahlawat.com:lab17 {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/lab17
+		size 128G
+	}
+}
+
+target iqn.nas.ahlawat.com:lab18 {
+#	auth-group no-authentication
+	portal-group pg0
+    chap user secretsecret
+	lun 0 {
+		path /dev/zvol/ship/raw/lab18
+		size 128G
+	}
+}

configs/pxe/exports

@@ -0,0 +1,3 @@
+/mnt/ship/pxe/FreeBSD11 -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD12 -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD13 -alldirs -maproot=root

configs/pxe/fstab.11

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.0.10:/mnt/ship/pxe/FreeBSD11       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

configs/pxe/fstab.12

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.0.10:/mnt/ship/pxe/FreeBSD12       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

configs/pxe/fstab.13

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.0.10:/mnt/ship/pxe/FreeBSD13       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

configs/pxe/iscsi.conf.13

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.0.10
+	TargetName      = iqn.nas.ahlawat.com:lab13
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

configs/pxe/iscsi.conf.17

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.0.10
+	TargetName      = iqn.nas.ahlawat.com:lab17
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

configs/pxe/iscsi.conf.18

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.0.10
+	TargetName      = iqn.nas.ahlawat.com:lab18
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

configs/pxe/rc.conf

@@ -0,0 +1,6 @@
+rpc_lockd_enable="YES"
+rpc_statd_enable="YES"
+sshd_enable="YES"
+iscsid_enable="YES"
+iscsictl_enable="YES"
+iscsictl_flags="-Aa"

configs/pxe/resolv.conf

@@ -0,0 +1,8 @@
+# Generated by resolvconf
+search ahlawat.com
+nameserver 192.168.0.5
+nameserver 2603:3024:3f6:e1::5
+nameserver 2603:3024:3f6:e2::5
+nameserver 2603:3024:3f6:e5::5
+nameserver 2603:3024:3f6:e9::5
+

configs/pxe/sshd_config

@@ -0,0 +1,121 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+#	$FreeBSD: head/crypto/openssh/sshd_config 357926 2020-02-14 19:06:59Z emaste $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable PAM authentication
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'no' to disable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#UseBlacklist no
+#VersionAddendum FreeBSD-20200214
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

jails/config/auto/portfolio

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: portfolio
 # REQUIRE: NETWORKING DAEMON

jails/config/auto/producthunt

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: producthunt
 # REQUIRE: NETWORKING DAEMON

jails/config/book/cps

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: cpsserver
 # REQUIRE: NETWORKING DAEMON

jails/config/cam/camserver

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: camserver
 # REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
@@ -27,12 +27,12 @@ restart_cmd="camserver_restart"
  
 camserver_start()
 {
-        $camserver startserver -b -c /mnt/config/secret/motioneye/motioneye.conf
+	$camserver startserver -b -c /mnt/config/secret/motioneye/motioneye.conf
 }
  
 camserver_stop()
 {
-        $camserver stopserver
+	$camserver stopserver
 }
 camserver_restart()
 {

jails/config/common/snip-sendmail.sh

@@ -1,3 +1,5 @@
+#! /usr/local/bin/bash
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,7 +8,6 @@
 #
 #
 
-#! /usr/local/bin/bash
 # smart_host - mail - is the mail server's dns name
 # TO_IDENT sets O Timeout.ident=0s - to stop sendmail from making ident connections
 echo "define(\`SMART_HOST', \`mail')" >> /etc/mail/$HOSTNAME.mc

jails/config/common/vncserver

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-
 # the two lines below are not just comments but required by rcorder; service -e
 # PROVIDE: vncserver
 # REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv

jails/config/hub/smb4.conf

@@ -36,20 +36,20 @@
     sync always = no
     workgroup = HUBX_Group
 
-[stmp]
+#[stmp]
-        path = /tmp
+#        path = /tmp
-        directory mask = 0700
+#        directory mask = 0700
-        create mask = 0400
+#        create mask = 0400
-        writeable = yes
+#        writeable = yes
-        valid users = p
+#        valid users = p
 
-[usb]
+#[usb]
-    path = /mnt/usb
+#    path = /mnt/usb
-    read only = yes
+#    read only = yes
-#    valid users = p
+##    valid users = p
-    browseable = yes
+#    browseable = yes
-    dos filemode = yes
+#    dos filemode = yes
-    guest ok = yes
+#    guest ok = yes
 
 [sw]
     path = /mnt/sw
@@ -57,6 +57,12 @@
     valid users = p
     browseable = yes
 
+[imax-4k]
+    path = /mnt/imax-4k
+    read only = yes
+    valid users = p
+    browseable = yes
+
 [movies-4k]
     path = /mnt/movies-4k
     read only = yes
@@ -86,3 +92,15 @@
     read only = yes
     valid users = p
     browseable = yes
+
+[tor-trgs]
+    path = /mnt/tor-trgs
+    read only = yes
+    valid users = p
+    browseable = yes
+
+[conf]
+    path = /mnt/conf
+    read only = yes
+    valid users = p
+    browseable = yes

jails/config/hub/sshd_config

@@ -33,7 +33,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
-PermitRootLogin yes
+PermitRootLogin no
 #StrictModes yes
 MaxAuthTries 2
 MaxSessions 2
@@ -50,16 +50,16 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedKeysCommandUser nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
+HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+IgnoreRhosts yes
 
 # Change to yes to enable built-in password authentication.
 PasswordAuthentication no
-#PermitEmptyPasswords no
+PermitEmptyPasswords no
 
 # Change to no to disable PAM authentication
 ChallengeResponseAuthentication no
@@ -97,8 +97,8 @@ ChallengeResponseAuthentication no
 #TCPKeepAlive yes
 #PermitUserEnvironment no
 #Compression delayed
-#ClientAliveInterval 0
+ClientAliveInterval 300
-#ClientAliveCountMax 3
+ClientAliveCountMax 1
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
@@ -119,3 +119,5 @@ Subsystem	sftp	/usr/libexec/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+
+AllowUsers p

jails/config/ibm/create_tuns.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+#
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,9 +8,6 @@
 #
 #
 
-#!/bin/sh
-#
-
 ifconfig tun181 create
 #ifconfig bridge1 addm tap181 up
 #ifconfig tap181 up

jails/config/ibm/ibm.sh

@@ -1,3 +1,5 @@
+#!/usr/local/bin/bash
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,7 +8,6 @@
 #
 #
 
-#!/usr/local/bin/bash
 # ./ibm.sh under tmux
 
 ifconfig tun186 create

jails/config/ibm/startemu.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+#
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-#
 session="emu_tmux"
 
 # set up tmux

jails/config/plex/plexconnect

@@ -1,3 +1,5 @@
+#!/bin/sh
+#
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-#
 # PROVIDE: plexconnect
 # REQUIRE: DAEMON
 # KEYWORD: shutdown

jails/config/vm/create_taps.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,9 +8,6 @@
 #
 #
 
-#!/bin/sh
-#
-
 ifconfig tap81 create
 ifconfig bridge1 addm tap81 up
 ifconfig tap81 up

jails/config/vm/freebsd.sh

@@ -1,3 +1,5 @@
+#!/usr/local/bin/bash
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,7 +8,6 @@
 #
 #
 
-#!/usr/local/bin/bash
 # ./freebsd.sh under tmux
 
 # clean cached state

jails/config/vm/pbx.sh

@@ -1,3 +1,5 @@
+#!/usr/local/bin/bash
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,7 +8,6 @@
 #
 #
 
-#!/usr/local/bin/bash
 # ./pbx.sh under tmux
 
 # clean cached state

jails/config/vm/r-windows.sh

@@ -1,3 +1,5 @@
+#!/usr/local/bin/bash
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,7 +8,6 @@
 #
 #
 
-#!/usr/local/bin/bash
 # ./r-windows.sh under tmux
 
 # clean cached state

jails/config/vm/startvms.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,8 +8,6 @@
 #
 #
 
-#!/bin/sh
-#
 session="vm_tmux"
 
 # set up tmux

jails/config/vm/ubuntu.sh

@@ -1,3 +1,5 @@
+#!/usr/local/bin/bash
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,7 +8,6 @@
 #
 #
 
-#!/usr/local/bin/bash
 # ./ubuntu.sh under tmux
 
 # clean cached state

jails/config/vm/w2019.sh

@@ -1,3 +1,5 @@
+#!/usr/local/bin/bash
+
 # Copyright (c) 2018-2020, diyIT.org
 # All rights reserved.
 #
@@ -6,7 +8,6 @@
 #
 #
 
-#!/usr/local/bin/bash
 # ./w2019.sh under tmux
 
 # clean cached state

jails/create.sh

@@ -99,6 +99,7 @@ iocage exec $JAIL "[ -f /mnt/config/nanorc ] && cp /mnt/config/nanorc /usr/local
 iocage exec $JAIL "cp -r /mnt/common/nano /usr/local/etc/"
 
 #iocage exec $JAIL "passwd root"
+iocage exec $JAIL "chsh -s /usr/sbin/nologin toor"
 iocage exec $JAIL "pw usermod -n root -s /usr/local/bin/bash -c jail-$JAIL"
 
 iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /root/ || cp /mnt/common/.bash_profile /root/"

jails/update.sh

@@ -27,7 +27,8 @@ update_jail ()
     iocage update $JAIL
 
     iocage exec $JAIL "pkg upgrade -f -y"
-    iocage exec $JAIL "mergemaster"
+    iocage exec $JAIL "rm -rf /var/tmp/temproot*"
+    iocage exec $JAIL "mergemaster -a"
 
     iocage exec $JAIL "freebsd-version"