#+TITLE: freebsd root dotfiles xps #+STARTUP: overview hideblocks #+OPTIONS: num:nil author:nil #+PROPERTY: header-args :mkdirp yes * tangle dotfiles ** tangle document C-c C-v t ** tangle only one code block C-u C-c C-v t ** tangle from the command line tangle file from the command line where ~/git/freebsd/freebsd-root/freebsd-root.org is the path of the file to tangle #+begin_src sh emacs --batch -l org --eval '(org-babel-tangle-file "~/git/freebsd/freebsd-root/freebsd-root.org")' #+end_src * freebsd root dotfiles ** /boot *** loader.conf #+begin_example /boot/loader.conf #+end_example **** loader.conf config #+NAME: loader.conf #+BEGIN_SRC conf aesni_load="YES" geom_eli_load="YES" security.bsd.allow_destructive_dtrace=0 kern.geom.label.disk_ident.enable="0" kern.geom.label.gptid.enable="0" cryptodev_load="YES" zfs_load="YES" # nvidia modeset #hw.nvidiadrm.modeset="1" # nullfs tmpfs for poudriere nullfs_load="YES" tmpfs_load="YES" # audio snd_hda_load="YES" snd_uaudio_load="YES" # coretemp acpi_video_load="YES" coretemp_load="YES" # touchpad wsp_load="YES" # async i/o aio_load="YES" # cuse audio for virtual_oss cuse_load="YES" # virtual oss - start with: sudo sysrc onestart virtual_oss virtual_oss_enable="NO" # mixertui sysctlinfo_load="YES" sysctlbyname_improved_load="YES" # usb keyboard multimedia keys usbhid_load="YES" # setfibs net.fibs=2 #net.add_addr_allfibs=0 #+END_SRC **** loader.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: loader.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/boot/loader.conf" <> #+END_SRC + current dir #+NAME: loader.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "boot/loader.conf" <> #+END_SRC ** /etc *** devfs.rules #+begin_example /etc/devfs.rules #+end_example **** devfs.rules config #+NAME: devfs.rules #+BEGIN_SRC conf [localrules=5] add path 'da*' mode 0660 group operator [jail=7] add include $devfsrules_hide_all add include $devfsrules_unhide_basic add include $devfsrules_unhide_login add path 
'mixer*' unhide add path 'dsp*' unhide add path 'dri*' unhide add path 'drm*' unhide add path 'nvidia*' unhide add path 'speaker*' unhide #+END_SRC **** devfs.rules tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: devfs.rules-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/devfs.rules" <> #+END_SRC + current dir #+NAME: devfs.rules-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/devfs.rules" <> #+END_SRC *** dhclient-enter-hooks #+begin_example /etc/dhclient-enter-hooks #+end_example **** dhclient-enter-hooks config #+NAME: dhclient-enter-hooks #+BEGIN_SRC conf add_new_resolv_conf() { return 0 } #+END_SRC **** dhclient-enter-hooks tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: dhclient-enter-hooks-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/dhclient-enter-hooks" <> #+END_SRC + current dir #+NAME: dhclient-enter-hooks-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/dhclient-enter-hooks" <> #+END_SRC *** fstab #+begin_example /etc/fstab #+end_example **** fstab config #+NAME: fstab #+BEGIN_SRC conf # Device Mountpoint FStype Options Dump Pass# /dev/gpt/efiboot0 /boot/efi msdosfs rw 2 2 /dev/nda0p3.eli none swap sw 0 0 # linux proc /proc procfs rw 0 0 #+END_SRC **** fstab tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: fstab-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/fstab" <> #+END_SRC + current dir #+NAME: fstab-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/fstab" <> #+END_SRC *** jail.conf #+begin_example /etc/jail.conf #+end_example **** jail.conf config #+NAME: jail #+BEGIN_SRC conf # startup/logging exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; exec.consolelog = "/var/log/jail_console_${name}.log"; # permissions allow.raw_sockets; exec.clean; mount.devfs; #+END_SRC **** jail.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: jail-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/jail.conf" <> #+END_SRC + current dir #+NAME: 
jail-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/jail.conf" <> #+END_SRC *** login.conf #+begin_example /etc/login.conf #+end_example **** login.conf config #+NAME: login #+BEGIN_SRC conf # login.conf - login class capabilities database. # # Remember to rebuild the database after each change to this file: # # cap_mkdb /etc/login.conf # # This file controls resource limits, accounting limits and # default user environment settings. # # # Default settings effectively disable resource limits, see the # examples below for a starting point to enable them. # defaults # These settings are used by login(1) by default for classless users # Note that entries like "cputime" set both "cputime-cur" and "cputime-max" # # Note that since a colon ':' is used to separate capability entries, # a \c escape sequence must be used to embed a literal colon in the # value or name of a capability (see the ``CGETNUM AND CGETSTR SYNTAX # AND SEMANTICS'' section of getcap(3) for more escape sequences). default:\ :passwd_format=sha512:\ :copyright=/etc/COPYRIGHT:\ :welcome=/var/run/motd:\ :setenv=BLOCKSIZE=K:\ :mail=/var/mail/$:\ :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\ :nologin=/var/run/nologin:\ :cputime=unlimited:\ :datasize=unlimited:\ :stacksize=unlimited:\ :memorylocked=unlimited:\ :memoryuse=unlimited:\ :filesize=unlimited:\ :coredumpsize=unlimited:\ :openfiles=unlimited:\ :maxproc=unlimited:\ :sbsize=unlimited:\ :vmemoryuse=unlimited:\ :swapuse=unlimited:\ :pseudoterminals=unlimited:\ :kqueues=unlimited:\ :umtxp=unlimited:\ :priority=0:\ :ignoretime@:\ :umask=022:\ :charset=UTF-8:\ :lang=C.UTF-8: # # A collection of common class names - forward them all to 'default' # (login would normally do this anyway, but having a class name # here suppresses the diagnostic) # standard:\ :tc=default: xuser:\ :tc=default: staff:\ :tc=default: # This PATH may be clobbered by individual applications. 
Notably, by default, # rc(8), service(8), and cron(8) will all override it with a default PATH that # may not include /usr/local/sbin and /usr/local/bin when starting services or # jobs. daemon:\ :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin:\ :mail@:\ :memorylocked=128M:\ :tc=default: news:\ :tc=default: dialer:\ :tc=default: # # Root can always login # # N.B. login_getpwclass(3) will use this entry for the root account, # in preference to 'default'. root:\ :ignorenologin:\ :memorylocked=unlimited:\ :tc=default: # # Russian Users Accounts. Setup proper environment variables. # russian|Russian Users Accounts:\ :charset=UTF-8:\ :lang=ru_RU.UTF-8:\ :tc=default: ###################################################################### ###################################################################### ## ## Example entries ## ###################################################################### ###################################################################### ## Example defaults ## These settings are used by login(1) by default for classless users ## Note that entries like "cputime" set both "cputime-cur" and "cputime-max" # #default:\ # :cputime=infinity:\ # :datasize-cur=22M:\ # :stacksize-cur=8M:\ # :memorylocked-cur=10M:\ # :memoryuse-cur=30M:\ # :filesize=infinity:\ # :coredumpsize=infinity:\ # :maxproc-cur=64:\ # :openfiles-cur=64:\ # :priority=0:\ # :requirehome@:\ # :umask=022:\ # :tc=auth-defaults: # # ## ## standard - standard user defaults ## #standard:\ # :copyright=/etc/COPYRIGHT:\ # :welcome=/var/run/motd:\ # :setenv=BLOCKSIZE=K:\ # :mail=/var/mail/$:\ # :path=~/bin /bin /usr/bin /usr/local/bin:\ # :manpath=/usr/share/man /usr/local/man:\ # :nologin=/var/run/nologin:\ # :cputime=1h30m:\ # :datasize=8M:\ # :vmemoryuse=100M:\ # :stacksize=2M:\ # :memorylocked=4M:\ # :memoryuse=8M:\ # :filesize=8M:\ # :coredumpsize=8M:\ # :openfiles=24:\ # :maxproc=32:\ # :priority=0:\ # :requirehome:\ # :passwordtime=90d:\ # :umask=002:\ # 
:ignoretime@:\ # :tc=default: # # ## ## users of X (needs more resources!) ## #xuser:\ # :manpath=/usr/share/man /usr/local/man:\ # :cputime=4h:\ # :datasize=12M:\ # :vmemoryuse=infinity:\ # :stacksize=4M:\ # :filesize=8M:\ # :memoryuse=16M:\ # :openfiles=32:\ # :maxproc=48:\ # :tc=standard: # # ## ## Staff users - few restrictions and allow login anytime ## #staff:\ # :ignorenologin:\ # :ignoretime:\ # :requirehome@:\ # :accounted@:\ # :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ # :umask=022:\ # :tc=standard: # # ## ## root - fallback for root logins ## #root:\ # :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ # :cputime=infinity:\ # :datasize=infinity:\ # :stacksize=infinity:\ # :memorylocked=infinity:\ # :memoryuse=infinity:\ # :filesize=infinity:\ # :coredumpsize=infinity:\ # :openfiles=infinity:\ # :maxproc=infinity:\ # :memoryuse-cur=32M:\ # :maxproc-cur=64:\ # :openfiles-cur=1024:\ # :priority=0:\ # :requirehome@:\ # :umask=022:\ # :tc=auth-root-defaults: # # ## ## Settings used by /etc/rc ## #daemon:\ # :coredumpsize@:\ # :coredumpsize-cur=0:\ # :datasize=infinity:\ # :datasize-cur@:\ # :maxproc=512:\ # :maxproc-cur@:\ # :memoryuse-cur=64M:\ # :memorylocked-cur=64M:\ # :openfiles=1024:\ # :openfiles-cur@:\ # :stacksize=16M:\ # :stacksize-cur@:\ # :tc=default: # # ## ## Settings used by news subsystem ## #news:\ # :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ # :cputime=infinity:\ # :filesize=128M:\ # :datasize-cur=64M:\ # :stacksize-cur=32M:\ # :coredumpsize-cur=0:\ # :maxmemorysize-cur=128M:\ # :memorylocked=32M:\ # :maxproc=128:\ # :openfiles=256:\ # :tc=default: # # ## ## The dialer class should be used for a dialup PPP account ## Welcome messages/news suppressed ## #dialer:\ # :hushlogin:\ # :requirehome@:\ # :cputime=unlimited:\ # :filesize=2M:\ # :datasize=2M:\ # :stacksize=4M:\ # :coredumpsize=0:\ # :memoryuse=4M:\ # :memorylocked=1M:\ # :maxproc=16:\ 
# :openfiles=32:\ # :tc=standard: # # ## ## Site full-time 24/7 PPP connection ## - no time accounting, restricted to access via dialin lines ## #site:\ # :ignoretime:\ # :passwordtime@:\ # :refreshtime@:\ # :refreshperiod@:\ # :sessionlimit@:\ # :autodelete@:\ # :expireperiod@:\ # :graceexpire@:\ # :gracetime@:\ # :warnexpire@:\ # :warnpassword@:\ # :idletime@:\ # :sessiontime@:\ # :daytime@:\ # :weektime@:\ # :monthtime@:\ # :warntime@:\ # :accounted@:\ # :tc=dialer:\ # :tc=staff: # # ## ## Example standard accounting entries for subscriber levels ## # #subscriber|Subscribers:\ # :accounted:\ # :refreshtime=180d:\ # :refreshperiod@:\ # :sessionlimit@:\ # :autodelete=30d:\ # :expireperiod=180d:\ # :graceexpire=7d:\ # :gracetime=10m:\ # :warnexpire=7d:\ # :warnpassword=7d:\ # :idletime=30m:\ # :sessiontime=4h:\ # :daytime=6h:\ # :weektime=40h:\ # :monthtime=120h:\ # :warntime=4h:\ # :tc=standard: # # ## ## Subscriber accounts. These accounts have their login times ## accounted and have access limits applied. ## #subppp|PPP Subscriber Accounts:\ # :tc=dialer:\ # :tc=subscriber: # # #subshell|Shell Subscriber Accounts:\ # :tc=subscriber: # ## ## If you want some of the accounts to use traditional UNIX DES based ## password hashes. 
## #des_users:\ # :passwd_format=des:\ # :tc=default: #+END_SRC **** login.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: login-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/login.conf" <> #+END_SRC + current dir #+NAME: login-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/login.conf" <> #+END_SRC *** pf.conf #+begin_example /etc/pf.conf #+end_example **** pf.conf config #+NAME: pf.conf #+BEGIN_SRC conf #=========================================================================# # variables, macros and tables # #=========================================================================# int_if="lagg0" # lagg0 failover #int_if="ue0" # usb to ethernet adaptor #int_if="bge0" # thunderbolt to ethernet adaptor #int_if="wlan0" # iwlwifi #int_if="wlan1" # ralink usb wifi vpn_if="tun0" # vpn interface all_networks="0.0.0.0/0" vpn_network="$vpn_if:network" # 6881, 6882 = transmission; 22000, 21025 = syncthing tcp_services = "{ ntp, 6881, 22000 }" # tcp services - ntp, torrent, syncthing udp_services = "{ ntp, 6882, 21025 }" # udp services - ntp, torrent, syncthing #nfs_services = "{ 2049 }" # 2049 = nfs icmp_types = "{ echoreq, unreach }" tcp_state="flags S/SA keep state" udp_state="keep state" #table { $all_networks, !self, !$int_if:network } # internet table { $int_if:network, !self } # lan network table { self } # self table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \ 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \ 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \ 203.0.113.0/24 } # broken networks #=========================================================================# # global policy # #=========================================================================# set block-policy drop set loginterface $int_if set fingerprints "/etc/pf.os" set skip on lo0 scrub in all fragment reassemble no-df max-mss 1440 # nat for jails on lo1 nat on $int_if from {lo1:network} to any -> ($int_if) antispoof log quick for { lo $int_if } label "block_spoofing" 
#=========================================================================# # block # #=========================================================================# block log all # block log all block return out quick inet6 all tag IPV6 # block ipv6 block in quick inet6 all tag IPV6 # block ipv6 # block broken networks - turned off for synergy # block in quick from { no-route urpf-failed } to any tag BAD_PACKET #=========================================================================# # anchors # #=========================================================================# # emerging threats - anchor #anchor "emerging-threats" #load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats" # openvpn - anchor anchor "openvpn" #=========================================================================# # traffic tag # #=========================================================================# # icmp pass inet proto icmp all icmp-type $icmp_types keep state tag ICMP # Allow the tcp and udp services defined in the macros at the top of the file pass in on $int_if inet proto tcp from any to ($int_if) port $tcp_services $tcp_state tag TCP_IN pass in on $int_if inet proto udp from any to ($int_if) port $udp_services $udp_state tag UDP_IN # nfs #pass in on $int_if inet proto tcp from to any port $nfs_services keep state # outbound traffic block out on $int_if all pass out quick on $int_if all modulate state #pass out quick on $int_if from to modulate state tag LAN_OUT #pass out quick on $int_if from to modulate state tag INTERNET_OUT #+END_SRC **** pf.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: pf.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/pf.conf" <> #+END_SRC + current dir #+NAME: pf.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/pf.conf" <> #+END_SRC *** rc.conf #+begin_example /etc/rc.conf #+end_example **** rc.conf config #+NAME: rc.conf #+BEGIN_SRC conf zfs_enable="YES" clear_tmp_enable="YES" syslogd_flags="-ss" 
hostname="pollux" local_unbound_enable="YES" sshd_enable="NO" moused_enable="NO" # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable dumpdev="AUTO" # pf firewall pf_enable="YES" # time and date ntpd_enable="YES" ntpd_sync_on_start="YES" # power settings powerd_enable="YES" powerd_flags="-a hiadaptive -b adaptive" performance_cx_lowest="Cmax" economy_cx_lowest="Cmax" # kld list kld_list="nvidia-modeset nvidia-drm nvidia_gsp_tu10x_fw linux linux64 i915kms ext2fs mac_priority fusefs vmm nmdm" # wayland seatd_enable="YES" # dbus dbus_enable="YES" # linux linux_enable="YES" ubuntu_enable="NO" # virtual oss virtual_oss_enable="YES" virtual_oss_configs="dsp" virtual_oss_dsp="-T /dev/sndstat -S -Q 0 -C 2 -c 2 -r 48000 -b 16 -s 1024 -P /dev/dsp1 -R /dev/null -w vdsp.wav -l dsp -t vdsp.ctl" # sndiod audio sndiod_enable="YES" # jack jackd_enable="NO" jackd_user="djwilcox" jackd_rtprio="YES" # musicpd musicpd_enable="YES" # devfs rules for user mounting drives devfs_system_ruleset="localrules" # lagg0 failover device # ethernet mac address set to wifi mac address ifconfig_ue0="ether 78:2b:46:ee:27:a3" wlans_iwlwifi0="wlan0" ifconfig_wlan0="WPA" create_args_wlan0="country GB" cloned_interfaces="lagg0 lo1" #cloned_interfaces="lagg0 lo1 bridge0 tap0" #ifconfig_bridge0="up addm lagg0 addm tap0" ifconfig_lagg0="up laggproto failover laggport ue0 laggport wlan0 DHCP" # laggpf: restart netif for lagg0, then restart pf # needed for usb ethernet and wifi laggpf_enable="YES" # ralink wifi #wlans_run0="wlan0" #ifconfig_wlan0="WPA SYNDHCP" # dnscrypt-proxy (unbound forward.conf forwards to 127.0.0.1@5353, which this serves) #dnscrypt_proxy_enable="YES" #dnscrypt_proxy_pidfile="/var/run/dnscrypt-proxy.pid" #dnscrypt_proxy_logfile="/var/log/dnscrypt-proxy.log" # jail enable jail_enable="YES" ifconfig_lo1_aliases="inet 10.10.0.1-12/24" #jail_parallel_start="YES" #jail_list="classic" # syncthing syncthing_enable="NO" syncthing_user="djwilcox" syncthing_group="djwilcox" # bhyve vm_enable="YES" vm_dir="zfs:zroot/vm" # gateway enable for bhyve gateway_enable="YES" #+END_SRC 
**** rc.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: rc.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/rc.conf" <> #+END_SRC + current dir #+NAME: rc.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/rc.conf" <> #+END_SRC *** resolv.conf #+begin_example /etc/resolv.conf #+end_example **** resolv.conf config #+NAME: resolv.conf #+BEGIN_SRC conf # Generated by resolvconf search localdomain # nameserver 192.168.1.1 nameserver 127.0.0.1 options edns0 #+END_SRC **** resolv.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: resolv.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/resolv.conf" <> #+END_SRC + current dir #+NAME: resolv.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/resolv.conf" <> #+END_SRC *** sysctl.conf #+begin_example /etc/sysctl.conf #+end_example **** sysctl.conf config #+NAME: sysctl.conf #+BEGIN_SRC conf # # This file is read when going to multi-user and its contents piped thru # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details. # # Uncomment this to prevent users from seeing information about processes that # are being run under another UID. 
security.bsd.see_other_uids=0 security.bsd.see_other_uids=0 security.bsd.see_other_gids=0 security.bsd.see_jail_proc=0 security.bsd.unprivileged_read_msgbuf=0 security.bsd.unprivileged_proc_debug=0 # chroot: let unprivileged processes call chroot(2) (only those that have set no-new-privs) security.bsd.unprivileged_chroot=1 kern.randompid=1 vfs.zfs.min_auto_ashift=12 # disable bell hw.syscons.bell=0 # let users mount drives vfs.usermount=1 # default audio output - headphones hw.snd.default_unit=1 # use new audio devices automatically hw.snd.default_auto=1 # don't auto-reset volume to default hw.snd.vpc_autoreset=0 # audio tweaks hw.snd.latency=0 kern.timecounter.alloweddeviation=0 hw.usb.uaudio.buffer_ms=2 # chromium kern.ipc.shm_allow_removed=1 # change responsiveness from server to desktop kern.sched.preempt_thresh=224 # screen brightness hw.acpi.video.lcd0.economy=50 hw.acpi.video.lcd0.fullpower=100 hw.acpi.video.lcd0.brightness=100 # usb keyboard media keys hw.usb.usbhid.enable=1 # fib net.add_addr_allfibs=0 # bhyve net.link.tap.up_on_open=1 net.inet.ip.forwarding=1 #+END_SRC **** sysctl.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: sysctl.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/sysctl.conf" <> #+END_SRC + current dir #+NAME: sysctl.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/sysctl.conf" <> #+END_SRC *** ttys #+begin_example /etc/ttys #+end_example **** ttys config #+NAME: ttys #+BEGIN_SRC conf # # @(#)ttys 5.1 (Berkeley) 4/17/89 # # This file specifies various information about terminals on the system. # It is used by several different programs. Common entries for the # various columns include: # # name The name of the terminal device. # # getty The program to start running on the terminal. Typically a # getty program, as the name implies. Other common entries # include none, when no getty is needed, and xdm, to start the # X Window System. # # type The initial terminal type for this port. For hardwired # terminal lines, this will contain the type of terminal used. 
# For virtual consoles, the correct type is typically xterm. # Other common values include dialup for incoming modem ports, and # unknown when the terminal type cannot be predetermined. # # status Must be on or off. If on, init will run the getty program on # the specified port. If the word "secure" appears, this tty # allows root login. # # name getty type status comments # # If console is marked "insecure", then init will ask for the root password # when going to single-user mode. console none unknown off insecure # ttyv0 "/usr/libexec/getty Pc" xterm onifexists insecure # Virtual terminals ttyv1 "/usr/libexec/getty Pc" xterm onifexists insecure ttyv2 "/usr/libexec/getty Pc" xterm onifexists insecure ttyv3 "/usr/libexec/getty Pc" xterm onifexists insecure ttyv4 "/usr/libexec/getty Pc" xterm onifexists insecure ttyv5 "/usr/libexec/getty Pc" xterm onifexists insecure ttyv6 "/usr/libexec/getty Pc" xterm onifexists insecure ttyv7 "/usr/libexec/getty Pc" xterm onifexists insecure ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off insecure # Serial terminals # The 'dialup' keyword identifies dialin lines to login, fingerd etc. 
ttyu0 "/usr/libexec/getty 3wire" vt100 onifconsole insecure ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole insecure ttyu2 "/usr/libexec/getty 3wire" vt100 onifconsole insecure ttyu3 "/usr/libexec/getty 3wire" vt100 onifconsole insecure # Dumb console dcons "/usr/libexec/getty std.115200" vt100 off insecure # Xen Virtual console xc0 "/usr/libexec/getty Pc" xterm onifconsole insecure # RISC-V HTIF console rcons "/usr/libexec/getty std.115200" vt100 onifconsole insecure #+END_SRC **** ttys tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: ttys-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/ttys" <> #+END_SRC + current dir #+NAME: ttys-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/ttys" <> #+END_SRC *** unbound **** conf.d ***** custom.conf #+begin_example /etc/unbound/conf.d/custom.conf #+end_example ****** custom.conf config #+NAME: custom.conf #+BEGIN_SRC conf server: # include: "/etc/unbound/unbound_outgoing_interface" verbosity: 1 access-control: 0.0.0.0/0 refuse access-control: 127.0.0.0/8 allow access-control: ::0/0 refuse access-control: ::1 allow access-control: ::ffff:127.0.0.1 allow # enable to not answer id.server and hostname.bind queries. hide-identity: yes hide-version: yes harden-glue: yes harden-dnssec-stripped: yes # allow queries to localhost; needed to forward to dnscrypt-proxy on 127.0.0.1 do-not-query-localhost: no # remote-control: # control-enable: no #+END_SRC ****** custom.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: custom.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/unbound/conf.d/custom.conf" <> #+END_SRC + current dir #+NAME: custom.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/unbound/conf.d/custom.conf" <> #+END_SRC **** forward.conf #+begin_example /etc/unbound/forward.conf #+end_example ***** forward.conf config #+NAME: forward.conf #+BEGIN_SRC conf # Generated by resolvconf forward-zone: name: "." 
forward-addr: 127.0.0.1@5353 #+END_SRC ***** forward.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: forward.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/unbound/forward.conf" <> #+END_SRC + current dir #+NAME: forward.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/unbound/forward.conf" <> #+END_SRC **** unbound_outgoing_interface #+begin_example /etc/unbound/unbound_outgoing_interface #+end_example ***** unbound_outgoing_interface config #+NAME: unbound_outgoing_interface #+BEGIN_SRC conf #+END_SRC ***** unbound_outgoing_interface tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: unbound_outgoing_interface-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/etc/unbound/unbound_outgoing_interface" <> #+END_SRC + current dir #+NAME: unbound_outgoing_interface-current-dir #+BEGIN_SRC conf :noweb yes :tangle "etc/unbound/unbound_outgoing_interface" <> #+END_SRC ** /usr/local/etc *** rc.d **** laggpf #+begin_example /usr/local/etc/rc.d/laggpf #+end_example ***** laggpf config #+NAME: laggpf #+BEGIN_SRC sh #!/bin/sh # PROVIDE: laggpf # REQUIRE: devd pf routing # KEYWORD: nojail . 
/etc/rc.subr name=laggpf desc="Wait for network devices or the network being up" rcvar=laggpf_enable start_cmd="${name}_start" stop_cmd=":" load_rc_config $name : ${laggpf_enable:=no} : ${laggpf_msg="Nothing started."} laggpf_start() { service netif restart lagg0 service pf restart } run_rc_command "$1" #+END_SRC ***** laggpf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: laggpf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/rc.d/laggpf" :tangle-mode (identity #o755) <> #+END_SRC + current dir #+NAME: laggpf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/rc.d/laggpf" <> #+END_SRC **** musicpd #+begin_example /usr/local/etc/rc.d/musicpd #+end_example ***** musicpd config #+NAME: musicpd #+BEGIN_SRC sh #!/bin/sh # PROVIDE: musicpd # REQUIRE: mixer LOGIN avahi_daemon oss # KEYWORD: shutdown # Add the following line to /etc/rc.conf to enable mpd: # # musicpd_enable=YES . /etc/rc.subr name=musicpd rcvar=musicpd_enable desc="Music Player Daemon" load_rc_config $name : ${musicpd_enable:=NO} command=/usr/local/bin/musicpd command_args=/home/djwilcox/.config/mpd/mpd.conf required_files=/home/djwilcox/.config/mpd/mpd.conf start_precmd=${name}_getpidfile stop_precmd=${name}_getpidfile musicpd_getpidfile() { if get_pidfile_from_conf pid_file /home/djwilcox/.config/mpd/mpd.conf ; then pidfile="$_pidfile_from_conf" else pidfile="/var/mpd/.mpd/pid" fi } run_rc_command $1 #+END_SRC ***** musicpd tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: musicpd-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/rc.d/musicpd" :tangle-mode (identity #o755) <> #+END_SRC + current dir #+NAME: musicpd-current-dir #+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/rc.d/musicpd" <> #+END_SRC *** usbhidaction.conf #+begin_example /usr/local/etc/usbhidaction.conf #+end_example **** usbhidaction.conf config #+NAME: usbhidaction.conf #+BEGIN_SRC conf # ducky one 2 mini Consumer:Volume_Increment 1 0 mixer vol +2 
Consumer:Volume_Decrement 1 0 mixer vol -2 Consumer:Mute 1 0 mixer vol 0 #+END_SRC **** usbhidaction.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: usbhidaction.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/usbhidaction.conf" <> #+END_SRC + current dir #+NAME: usbhidaction.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/usbhidaction.conf" <> #+END_SRC *** devd **** devd.conf #+begin_example /usr/local/etc/devd/devd.conf #+end_example ***** devd.conf config #+NAME: devd.conf #+BEGIN_SRC conf # ducky one 2 mini attach 100 { device-name "uhid[0-9]+"; match "vendor" "0x0416"; # (1) match "product" "0x0123"; # (2) # # Do not add the -d flag: if you do, devd will never detach to the background # because usbhidaction will run in the foreground. # # Remember you can add arguments after /etc/usbhidaction.conf, like # action "/usr/bin/usbhidaction -f $device-name -c /etc/usbhidaction.conf /dev/mixer1 2" # action "/usr/bin/usbhidaction -f $device-name -c /usr/local/etc/usbhidaction.conf"; }; #+END_SRC ***** devd.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: devd.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/devd/devd.conf" <> #+END_SRC + current dir #+NAME: devd.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/devd/devd.conf" <> #+END_SRC *** dnscrypt-proxy **** dnscrypt-proxy.toml #+begin_example /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml #+end_example ***** dnscrypt-proxy.toml config #+NAME: dnscrypt-proxy.toml #+BEGIN_SRC conf ############################################## # # # dnscrypt-proxy configuration # # # ############################################## ## This is an example configuration file. 
## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml" ## ## Online documentation is available here: https://dnscrypt.info/doc ################################## # Global settings # ################################## ## List of servers to use ## ## Servers from the "public-resolvers" source (see down below) can ## be viewed here: https://dnscrypt.info/public-servers ## ## If this line is commented, all registered servers matching the require_* filters ## will be used. ## ## The proxy will automatically pick the fastest, working servers from the list. ## Remove the leading # first to enable this; lines starting with # are ignored. # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare'] server_names = ['google'] ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. ## Note: When using systemd socket activation, choose an empty set (i.e. [] ). listen_addresses = ['127.0.0.1:5353'] ## Maximum number of simultaneous client connections to accept max_clients = 250 ## Switch to a different system user after listening sockets have been created. ## Note (1): this feature is currently unsupported on Windows. ## Note (2): this feature is not compatible with systemd socket activation. 
## Note (3): when using -pidfile, the PID file directory must be writable by the new user # user_name = 'nobody' ## Require servers (from static + remote sources) to satisfy specific properties # Use servers reachable over IPv4 ipv4_servers = true # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity ipv6_servers = false # Use servers implementing the DNSCrypt protocol #dnscrypt_servers = true dnscrypt_servers = false # Use servers implementing the DNS-over-HTTPS protocol doh_servers = true ## Require servers defined by remote sources to satisfy specific properties # Server must support DNS security extensions (DNSSEC) #require_dnssec = false require_dnssec = true # Server must not log user queries (declarative) require_nolog = true # Server must not enforce its own blacklist (for parental control, ads blocking...) require_nofilter = true ## Always use TCP to connect to upstream servers. ## This can be useful if you need to route everything through Tor. ## Otherwise, leave this to `false`, as it doesn't improve security ## (dnscrypt-proxy will always encrypt everything even using UDP), and can ## only increase latency. force_tcp = false ## SOCKS proxy ## Uncomment the following line to route all TCP connections to a local Tor node ## Tor doesn't support UDP, so set `force_tcp` to `true` as well. 
# proxy = "socks5://127.0.0.1:9050" ## HTTP/HTTPS proxy ## Only for DoH servers # http_proxy = "http://127.0.0.1:8888" ## How long a DNS query will wait for a response, in milliseconds timeout = 2500 ## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds keepalive = 30 ## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random' # lb_strategy = 'p2' ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) # log_level = 2 ## log file for the application # log_file = 'dnscrypt-proxy.log' ## Use the system logger (syslog on Unix, Event Log on Windows) # use_syslog = true ## Delay, in minutes, after which certificates are reloaded cert_refresh_delay = 240 ## DNSCrypt: Create a new, unique key for every single DNS query ## This may improve privacy but can also have a significant impact on CPU usage ## Only enable if you don't have a lot of network load # dnscrypt_ephemeral_keys = false ## DoH: Disable TLS session tickets - increases privacy but also latency # tls_disable_session_tickets = false ## DoH: Use a specific cipher suite instead of the server preference ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 ## ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), ## the following suite improves performance. ## This may also help on Intel CPUs running 32-bit operating systems. ## ## Keep tls_cipher_suite empty if you have issues fetching sources or ## connecting to some DoH servers. Google and Cloudflare are fine with it. # tls_cipher_suite = [52392, 49199] ## Fallback resolver ## This is a normal, non-encrypted DNS resolver, that will be only used ## for one-shot queries when retrieving the initial resolvers list, and ## only if the system DNS configuration doesn't work. 
## No user application queries will ever be leaked through this resolver, ## and it will not be used after IP addresses of resolvers URLs have been found. ## It will never be used if lists have already been cached, and if stamps ## don't include host names without IP addresses. ## It will not be used if the configured system DNS works. ## A resolver supporting DNSSEC is recommended. This may become mandatory. ## ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1. fallback_resolver = '9.9.9.9:53' ## Never let dnscrypt-proxy try to use the system DNS settings; ## unconditionally use the fallback resolver. ignore_system_dns = false ## Maximum time (in seconds) to wait for network connectivity before ## initializing the proxy. ## Useful if the proxy is automatically started at boot, and network ## connectivity is not guaranteed to be immediately available. ## Use 0 to disable. netprobe_timeout = 60 ## Offline mode - Do not use any remote encrypted servers. ## The proxy will remain fully functional to respond to queries that ## plugins can handle directly (forwarding, cloaking, ...) # offline_mode = false ## Automatic log files rotation # Maximum log files size in MB log_files_max_size = 10 # How long to keep backup files, in days log_files_max_age = 7 # Maximum log files backups to keep (or 0 to keep all backups) log_files_max_backups = 1 ######################### # Filters # ######################### ## Immediately respond to IPv6-related queries with an empty response ## This makes things faster when there is no IPv6 connectivity, but can ## also cause reliability issues with some stub resolvers. ## Do not enable if you added a validating resolver such as dnsmasq in front ## of the proxy. 
#block_ipv6 = false block_ipv6 = true ################################################################################## # Route queries for specific domains to a dedicated set of servers # ################################################################################## ## Example map entries (one entry per line): ## example.com 9.9.9.9 ## example.net 9.9.9.9,8.8.8.8,1.1.1.1 # forwarding_rules = 'forwarding-rules.txt' ############################### # Cloaking rules # ############################### ## Cloaking returns a predefined address for a specific name. ## In addition to acting as a HOSTS file, it can also return the IP address ## of a different name. It will also do CNAME flattening. ## ## Example map entries (one entry per line) ## example.com 10.1.1.1 ## www.google.com forcesafesearch.google.com # cloaking_rules = 'cloaking-rules.txt' ########################### # DNS cache # ########################### ## Enable a DNS cache to reduce latency and outgoing traffic cache = true ## Cache size cache_size = 512 ## Minimum TTL for cached entries cache_min_ttl = 600 ## Maximum TTL for cached entries cache_max_ttl = 86400 ## Minimum TTL for negatively cached entries cache_neg_min_ttl = 60 ## Maximum TTL for negatively cached entries cache_neg_max_ttl = 600 ############################### # Query logging # ############################### ## Log client queries to a file [query_log] ## Path to the query log file (absolute, or relative to the same directory as the executable file) # file = 'query.log' ## Query log format (currently supported: tsv and ltsv) format = 'tsv' ## Do not log these query types, to reduce verbosity. Keep empty to log everything. 
# ignored_qtypes = ['DNSKEY', 'NS'] ############################################ # Suspicious queries logging # ############################################ ## Log queries for nonexistent zones ## These queries can reveal the presence of malware, broken/obsolete applications, ## and devices signaling their presence to 3rd parties. [nx_log] ## Path to the query log file (absolute, or relative to the same directory as the executable file) # file = 'nx.log' ## Query log format (currently supported: tsv and ltsv) format = 'tsv' ###################################################### # Pattern-based blocking (blacklists) # ###################################################### ## Blacklists are made of one pattern per line. Example of valid patterns: ## ## example.com ## =example.com ## *sex* ## ads.* ## ads*.example.* ## ads*.example[0-9]*.com ## ## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/ ## A script to build blacklists from public feeds can be found in the ## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code. [blacklist] ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) # blacklist_file = 'blacklist.txt' ## Optional path to a file logging blocked queries # log_file = 'blocked.log' ## Optional log format: tsv or ltsv (default: tsv) # log_format = 'tsv' ########################################################### # Pattern-based IP blocking (IP blacklists) # ########################################################### ## IP blacklists are made of one pattern per line. 
Example of valid patterns: ## ## 127.* ## fe80:abcd:* ## 192.168.1.4 [ip_blacklist] ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) # blacklist_file = 'ip-blacklist.txt' ## Optional path to a file logging blocked queries # log_file = 'ip-blocked.log' ## Optional log format: tsv or ltsv (default: tsv) # log_format = 'tsv' ###################################################### # Pattern-based whitelisting (blacklists bypass) # ###################################################### ## Whitelists support the same patterns as blacklists ## If a name matches a whitelist entry, the corresponding session ## will bypass names and IP filters. ## ## Time-based rules are also supported to make some websites only accessible at specific times of the day. [whitelist] ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file) # whitelist_file = 'whitelist.txt' ## Optional path to a file logging whitelisted queries # log_file = 'whitelisted.log' ## Optional log format: tsv or ltsv (default: tsv) # log_format = 'tsv' ########################################## # Time access restrictions # ########################################## ## One or more weekly schedules can be defined here. ## Patterns in the name-based blocklist can optionally be followed with @schedule_name ## to apply the pattern 'schedule_name' only when it matches a time range of that schedule. ## ## For example, the following rule in a blacklist file: ## *.youtube.* @time-to-sleep ## would block access to YouTube only during the days, and period of the days ## define by the 'time-to-sleep' schedule. 
## ## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00 ## {after= '9:00', before='18:00'} matches 9:00-18:00 [schedules] # [schedules.'time-to-sleep'] # mon = [{after='21:00', before='7:00'}] # tue = [{after='21:00', before='7:00'}] # wed = [{after='21:00', before='7:00'}] # thu = [{after='21:00', before='7:00'}] # fri = [{after='23:00', before='7:00'}] # sat = [{after='23:00', before='7:00'}] # sun = [{after='21:00', before='7:00'}] # [schedules.'work'] # mon = [{after='9:00', before='18:00'}] # tue = [{after='9:00', before='18:00'}] # wed = [{after='9:00', before='18:00'}] # thu = [{after='9:00', before='18:00'}] # fri = [{after='9:00', before='17:00'}] ######################### # Servers # ######################### ## Remote lists of available servers ## Multiple sources can be used simultaneously, but every source ## requires a dedicated cache file. ## ## Refer to the documentation for URLs of public sources. ## ## A prefix can be prepended to server names in order to ## avoid collisions if different sources share the same for ## different servers. In that case, names listed in `server_names` ## must include the prefixes. ## ## If the `urls` property is missing, cache files and valid signatures ## must be already present; This doesn't prevent these cache files from ## expiring after `refresh_delay` hours. 
[sources] ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] cache_file = 'public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' ## Quad9 over DNSCrypt - https://quad9.net/ # [sources.quad9-resolvers] # urls = ["https://www.quad9.net/quad9-resolvers.md"] # minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN" # cache_file = "quad9-resolvers.md" # refresh_delay = 72 # prefix = "quad9-" ## Another example source, with resolvers censoring some websites not appropriate for children ## This is a subset of the `public-resolvers` list, so enabling both is useless # [sources.'parental-control'] # urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md'] # cache_file = 'parental-control.md' # minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' ## Optional, local, static list of additional servers ## Mostly useful for testing your own servers. 
[static] # [static.'google'] # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA' #+END_SRC ***** dnscrypt-proxy.toml tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: dnscrypt-proxy.toml-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml" <> #+END_SRC + current dir #+NAME: dnscrypt-proxy.toml-current-dir #+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml" <> #+END_SRC *** pkg **** repos ***** pkg/repos/poudriere.conf #+begin_example /usr/local/etc/pkg/repos/poudriere.conf #+end_example ****** pkg/repos/poudriere.conf config #+NAME: pkg/repos/poudriere.conf #+BEGIN_SRC conf Poudriere: { url: "file:///usr/local/poudriere/data/packages/freebsd_14-0x64-HEAD" mirror_type: "srv", signature_type: "pubkey", pubkey: "/usr/local/etc/ssl/certs/poudriere.cert", enabled: yes, priority: 100 } #+END_SRC ****** pkg/repos/poudriere.conf tangle :PROPERTIES: :ORDERED: t :END: + root dir #+NAME: pkg/repos/poudriere.conf-root-dir #+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/pkg/repos/poudriere.conf" <> #+END_SRC + current dir #+NAME: pkg/repos/poudriere.conf-current-dir #+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/pkg/repos/poudriere.conf" <> #+END_SRC *** doas #+begin_example /usr/local/etc/doas.conf #+end_example **** doas config #+NAME: doas #+BEGIN_SRC conf # permit user permit keepenv :djwilcox # mount drives permit nopass :djwilcox cmd mount permit nopass :djwilcox cmd umount # restart networking permit nopass :djwilcox cmd service args netif start permit nopass :djwilcox cmd service args netif stop permit nopass :djwilcox cmd service args netif restart # ifconfig wlan0 permit nopass :djwilcox cmd ifconfig args wlan0 up permit nopass :djwilcox cmd ifconfig args wlan0 down # ifconfig ue0 - usb ethenet permit nopass :djwilcox cmd ifconfig args ue0 up permit nopass :djwilcox cmd ifconfig args ue0 down # ifconfig scan and wpa_supplicant permit nopass 
:djwilcox cmd ifconfig args wlan0 list scan
permit nopass :djwilcox cmd wpa_supplicant args -B -i wlan0 -c /etc/wpa_supplicant.conf

# pkg update
permit nopass :djwilcox cmd pkg args update

# pkg upgrade
permit nopass :djwilcox cmd pkg args upgrade

# NOTE(review): every rule from here down names a command without an "args"
# restriction, so the command may be run with any arguments and no password.
# doas applies the last matching rule, which makes the args-restricted
# "service netif ..." and "ifconfig wlan0/ue0 ..." entries above redundant,
# and unrestricted chroot/jexec/service/sysctl/sysrc/pfctl together are
# effectively unrestricted root for this user. If only the specific
# invocations above are needed without a password, drop the blanket rules
# below or give each of them an "args" list.

# dmesg
permit nopass :djwilcox cmd dmesg

# sysctl
permit nopass :djwilcox cmd sysctl

# chroot
permit nopass :djwilcox cmd chroot

# jail
permit nopass :djwilcox cmd jexec
permit nopass :djwilcox cmd service

# sysrc
permit nopass :djwilcox cmd sysrc

# sysctl
# (duplicate of the sysctl rule above; harmless, but one of the two should go)
permit nopass :djwilcox cmd sysctl

# ifconfig
permit nopass :djwilcox cmd ifconfig

# pfctl
permit nopass :djwilcox cmd pfctl

# vm-bhyve
permit nopass :djwilcox cmd vm

# root as root
permit nopass keepenv root as root
#+END_SRC

**** doas tangle
:PROPERTIES:
:ORDERED: t
:END:

+ root dir

#+NAME: doas-root-dir
#+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/doas.conf"
<>
#+END_SRC

+ current dir

#+NAME: doas-current-dir
#+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/doas.conf"
<>
#+END_SRC

*** poudriere.conf

#+begin_example
/usr/local/etc/poudriere.conf
#+end_example

**** poudriere.conf config

#+NAME: poudriere.conf
#+BEGIN_SRC conf
# Poudriere can optionally use ZFS for its ports/jail storage. For
# ZFS define ZPOOL, otherwise set NO_ZFS=yes
#
#### ZFS
# The pool where poudriere will create all the filesystems it needs
# poudriere will use ${ZPOOL}/${ZROOTFS} as its root
#
# You need at least 7GB of free space in this pool to have a working
# poudriere.
# ZPOOL=zroot ### NO ZFS # To not use ZFS, define NO_ZFS=yes #NO_ZFS=yes # root of the poudriere zfs filesystem, by default /poudriere ZROOTFS=/poudriere # the host where to download sets for the jails setup # You can specify here a host or an IP # replace _PROTO_ by http or ftp # replace _CHANGE_THIS_ by the hostname of the mirrors where you want to fetch # by default: ftp://ftp.freebsd.org # # Also note that every protocols supported by fetch(1) are supported here, even # file:/// # Suggested: https://download.FreeBSD.org FREEBSD_HOST=https://download.FreeBSD.org # By default the jails have no /etc/resolv.conf, you will need to set # RESOLV_CONF to a file on your hosts system that will be copied has # /etc/resolv.conf for the jail, except if you don't need it (using an http # proxy for example) RESOLV_CONF=/etc/resolv.conf # The directory where poudriere will store jails and ports BASEFS=/usr/local/poudriere # The directory where the jail will store the packages and logs # by default a zfs filesystem will be created and set to # ${BASEFS}/data # #POUDRIERE_DATA=${BASEFS}/data # Use portlint to check ports sanity USE_PORTLINT=no # When building packages, a memory device can be used to speedup the build. # Only one of MFSSIZE or USE_TMPFS is supported. TMPFS is generally faster # and will expand to the needed amount of RAM. MFS is a slower since it # uses UFS and several abstraction layers. # If set WRKDIRPREFIX will be mdmfs of the given size (mM or gG) #MFSSIZE=4G # Use tmpfs(5) # This can be a space-separated list of options: # wrkdir - Use tmpfs(5) for port building WRKDIRPREFIX # data - Use tmpfs(5) for poudriere cache/temp build data # localbase - Use tmpfs(5) for LOCALBASE (installing ports for packaging/testing) # all - Run the entire build in memory, including builder jails. 
# yes - Enables tmpfs(5) for wrkdir and data # no - Disable use of tmpfs(5) # EXAMPLE: USE_TMPFS="wrkdir data" USE_TMPFS=yes # How much memory to limit tmpfs size to for *each builder* in GiB # (default: none) #TMPFS_LIMIT=8 # How much memory to limit jail processes to for *each builder* # in GiB (default: none) #MAX_MEMORY=8 # How many file descriptors to limit each jail process to (default: 1024) # This can also be set per PKGBASE, such as MAX_FILES_RStudio=2048. # Package names with hyphens (-) should be replaced with underscores (_). #MAX_FILES=1024 # If set the given directory will be used for the distfiles # This allows to share the distfiles between jails and ports tree # If this is "no", poudriere must be supplied a ports tree that already has # the required distfiles. DISTFILES_CACHE=/usr/ports/distfiles # If set the ports tree marked to use git will use the defined # mirror (default: git.FreeBSD.org/port.git) # # Example to use github mirror: #GIT_BASEURL=https://github.com/freebsd/freebsd-src.git # If set the source tree marked to use git will use the defined # mirror (default: git.FreeBSD.org/src.git) # # Example to use github mirror: #GIT_PORTSURL=https://github.com/freebsd/freebsd-ports.git # If set the ports tree or source tree marked to use svn will use the defined # mirror (default: svn.FreeBSD.org) # The SSL fingerprints are published here: # https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html#svn-mirrors #SVN_HOST=svn.FreeBSD.org # Automatic OPTION change detection # When bulk building packages, compare the options from kept packages to # the current options to be built. If they differ, the existing package # will be deleted and the port will be rebuilt. # Valid options: yes, no, verbose # verbose will display the old and new options CHECK_CHANGED_OPTIONS=verbose # Automatic Dependency change detection # When bulk building packages, compare the dependencies from kept packages to # the current dependencies for every port. 
If they differ, the existing package # will be deleted and the port will be rebuilt. This helps catch changes such # as DEFAULT_RUBY_VERSION, PERL_VERSION, WITHOUT_X11 that change dependencies # for many ports. # Valid options: yes, no # Default: yes CHECK_CHANGED_DEPS=yes # Consider bad dependency lines on the wrong PKGNAME as fatal. # For example: # BUILD_DEPENDS= p5-List-MoreUtils>=0:lang/p5-List-MoreUtils # If this port's PKGNAME were really "List-MoreUtils" then it would # not be recorded into the resulting package. The next build with # CHECK_CHANGED_DEPS enabled would consider it a "new dependency" # since it is in the port but not in the package. This is usually # a warning but can be made fatal instead by enabling this option. # Default: no #BAD_PKGNAME_DEPS_ARE_FATAL=yes # Path to the RSA key to sign the PKG repo with. See pkg-repo(8) # This produces a repo that supports SIGNATURE_TYPE=PUBKEY # Default: not set PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key # Command to sign the PKG repo with. See pkg-repo(8) # This produces a repo that supports SIGNATURE_TYPE=FINGERPRINTS # Default: not set #SIGNING_COMMAND=ssh signing-server sign.sh # Repo signing command execution context # If SIGNING_COMMAND is set, run pkg-repo(8) on the host? # no - Run in the jail # yes - Run on the host # Default: no #PKG_REPO_FROM_HOST=yes # ccache support. Supply the path to your ccache cache directory. # It will be mounted into the jail and be shared among all jails. # It is recommended that extra ccache configuration be done with # ccache -o rather than from the environment. #CCACHE_DIR=/var/cache/ccache # Static ccache support from host. This uses the existing # ccache from the host in the build jail. This is useful for # using ccache+memcached which cannot easily be bootstrapped # otherwise. The path to the PREFIX where ccache was installed # must be used here, and ccache must have been built statically. 
# Note also that ccache+memcached will require network access # which is normally disabled. Separately setting RESTRICT_NETWORKING=no # may be required for non-localhost memcached servers. #CCACHE_STATIC_PREFIX=/usr/local # The jails normally only allow network access during the 'make fetch' # phase. This is a security restriction to prevent random things # ran during a build from accessing the network. Disabling this # is not advised. ALLOW_NETWORKING_PACKAGES may be used to allow networking # for a subset of packages only. #RESTRICT_NETWORKING=yes #ALLOW_NETWORKING_PACKAGES="npm-foo" # parallel build support. # # By default poudriere uses hw.ncpu to determine the number of builders. # You can override this default by changing PARALLEL_JOBS here, or # by specifying the -J flag to bulk/testport. # # Example to define PARALLEL_JOBS to one single job # PARALLEL_JOBS=1 # How many jobs should be used for preparing the build? These tend to # be more IO bound and may be worth tweaking. Default: PARALLEL_JOBS * 1.25 # PREPARE_PARALLEL_JOBS=1 # If set, failed builds will save the WRKDIR to ${POUDRIERE_DATA}/wrkdirs # SAVE_WRKDIR=yes # Choose the default format for the workdir packing: could be tar,tgz,tbz,txz,tzst # default is tbz # WRKDIR_ARCHIVE_FORMAT=tbz # Disable Linux support # NOLINUX=yes # By default poudriere sets FORCE_PACKAGE # To disable it (useful when building public packages): # NO_FORCE_PACKAGE=yes # By default poudriere sets PACKAGE_BUILDING # To disable it: # NO_PACKAGE_BUILDING=yes # If you are using a proxy define it here: # export HTTP_PROXY=bla # export FTP_PROXY=bla # # Cleanout the restricted packages # NO_RESTRICTED=yes # By default MAKE_JOBS is disabled to allow only one process per cpu # Use the following to allow it anyway # ALLOW_MAKE_JOBS=yes # List of packages that will always be allowed to use MAKE_JOBS # regardless of ALLOW_MAKE_JOBS. This is useful for allowing ports # which holdup the rest of the queue to build more quickly. 
#ALLOW_MAKE_JOBS_PACKAGES="pkg ccache py*" # Timestamp every line of build logs # Default: no #TIMESTAMP_LOGS=no # URL where your POUDRIERE_DATA/logs are hosted # This will be used for giving URL hints to the HTML output when # scheduling and starting builds #URL_BASE=http://yourdomain.com/poudriere/ # This defines the max time (in seconds) that a command may run for a build # before it is killed for taking too long. Default: 86400 #MAX_EXECUTION_TIME=86400 # This defines the time (in seconds) before a command is considered to # be in a runaway state for having no output on stdout. Default: 7200 #NOHANG_TIME=7200 # The repository is updated atomically if set yes. This leaves the # repository untouched until the build completes. This involves using # hardlinks and symlinks. The operations are fast, but can be intrusive # for remote syncing or backups. # Recommended to always keep on. # Default: yes #ATOMIC_PACKAGE_REPOSITORY=yes # When using ATOMIC_PACKAGE_REPOSITORY, commit the packages if some # packages fail to build. Ignored ports are considered successful. # This can be set to 'no' to only commit the packages once no failures # are encountered. # Default: yes #COMMIT_PACKAGES_ON_FAILURE=yes # Keep older package repositories. This can be used to rollback a system # or to bisect issues by changing the repository to one of the older # versions and reinstalling everything with `pkg upgrade -f` # ATOMIC_PACKAGE_REPOSITORY is required for this. # Default: no #KEEP_OLD_PACKAGES=no # How many old package repositories to keep with KEEP_OLD_PACKAGES # Default: 5 #KEEP_OLD_PACKAGES_COUNT=5 # Make testing errors fatal. 
# If set to 'no', ports with test failure will be marked as failed but still # packaged to permit testing dependent ports (useful for bulk -t -a) # Default: yes #PORTTESTING_FATAL=yes # Define the building jail hostname to be used when building the packages # Some port/packages hardcode the hostname of the host during build time # This is a necessary setup for reproducible builds. #BUILDER_HOSTNAME=pkg.FreeBSD.org # Define to get a predictable timestamp on the ports tree # This is a necessary setup for reproducible builds. #PRESERVE_TIMESTAMP=yes # Define to yes to build and stage as a regular user # Default: yes, unless CCACHE_DIR is set and CCACHE_DIR_NON_ROOT_SAFE is not # set. Note that to use ccache with BUILD_AS_NON_ROOT you will need to # use a non-shared CCACHE_DIR that is only built by PORTBUILD_USER and chowned # to that user. Then set CCACHE_DIR_NON_ROOT_SAFE to yes. #BUILD_AS_NON_ROOT=no # Define to the username to build as when BUILD_AS_NON_ROOT is yes. # Default: nobody (uid PORTBUILD_UID) #PORTBUILD_USER=nobody # Define to the uid to use for PORTBUILD_USER if the user does not # already exist in the jail. # Default: 65532 #PORTBUILD_UID=65534 # Define pkgname globs to boost priority for # Default: none #PRIORITY_BOOST="pypy openoffice*" # Define format for buildnames # Default: %Y-%m-%d_%Hh%Mm%Ss # ISO8601: #BUILDNAME_FORMAT="%FT%T%z" # Define format for build duration times # Default: %H:%M:%S #DURATION_FORMAT="%H:%M:%S" # Use colors when in a TTY # Default: yes #USE_COLORS=yes # Only build what is requested. Do not rebuild build deps if nothing requested # depends on them. This can create an inconsistent repository if you often # build one-off packages but expect the repository to stay consistent. # Defaut: yes #TRIM_ORPHANED_BUILD_DEPS=yes # A list of directories to exclude from leftover and filesystem violation # mtree checks. Ccache is used here as an example but is already # excluded by default. 
There is no need to add it here unless a
# special configuration is used where it is a problem.
# Default: none
#LOCAL_MTREE_EXCLUDES="/usr/obj /var/tmp/ccache"

# Set to hosted to use the /data directory instead of inline style HTML
# Default: inline
#HTML_TYPE="hosted"

# Set to track remaining ports in the HTML interface. This can slow down
# processing of the queue slightly, especially for bulk -a builds.
# Default: no
#HTML_TRACK_REMAINING=yes
#+END_SRC

**** poudriere.conf tangle
:PROPERTIES:
:ORDERED: t
:END:

+ root dir

#+NAME: poudriere.conf-root-dir
#+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/poudriere.conf"
<>
#+END_SRC

+ current dir

#+NAME: poudriere.conf-current-dir
#+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/poudriere.conf"
<>
#+END_SRC

*** poudriere.d

**** make.conf

#+begin_example
/usr/local/etc/poudriere.d/make.conf
#+end_example

***** make.conf config

#+NAME: make.conf
#+BEGIN_SRC conf
# Turns off the ports license framework for every port built in these
# poudriere jails, so no license acceptance check runs during bulk builds.
# Acceptable for a private, self-consumed repository; note that any
# license-derived restrictions (e.g. no-package/no-dist permissions) are
# then skipped as well -- TODO confirm against Mk/bsd.licenses.mk.
DISABLE_LICENSES=yes
#+END_SRC

***** make.conf tangle
:PROPERTIES:
:ORDERED: t
:END:

+ root dir

#+NAME: make.conf-root-dir
#+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/poudriere.d/make.conf"
<>
#+END_SRC

+ current dir

#+NAME: make.conf-current-dir
#+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/poudriere.d/make.conf"
<>
#+END_SRC

**** port-list

#+begin_example
/usr/local/etc/poudriere.d/port-list
#+end_example

***** port-list config

#+NAME: port-list
#+BEGIN_SRC conf
www/linux-widevine-cdm
emulators/libc6-shim
#+END_SRC

***** port-list tangle
:PROPERTIES:
:ORDERED: t
:END:

+ root dir

#+NAME: port-list-root-dir
#+BEGIN_SRC conf :noweb yes :tangle "/sudo::/usr/local/etc/poudriere.d/port-list"
<>
#+END_SRC

+ current dir

#+NAME: port-list-current-dir
#+BEGIN_SRC conf :noweb yes :tangle "usr/local/etc/poudriere.d/port-list"
<>
#+END_SRC