kreyren/ paludis-config
1
0
Fork 0
Code Issues 2 Pull Requests Releases Activity

Initial commit 

Signed-off-by: root <root@dreamon.rixotstudio.cz>
This commit is contained in:
root 2020-10-11 16:55:04 +02:00
commit 5682fe1229
60 changed files with 1686 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
bashrc Normal file
View File

@ -0,0 +1,33 @@
# shellcheck shell=bash # Krey: Paludis doesn't expect shebang here
# shellcheck disable=SC2034 # Krey: Appears unused is invalid since this is recognized by paludis
COMMON_FLAGS="-O2 -march=sandybridge -pipe"
i686_pc_linux_gnu_CFLAGS="$COMMON_FLAGS"
i686_pc_linux_gnu_CXXFLAGS="$COMMON_FLAGS"
x86_64_pc_linux_gnu_CFLAGS="$COMMON_FLAGS"
x86_64_pc_linux_gnu_CXXFLAGS="$COMMON_FLAGS"
i686_pc_linux_gnu_FFLAGS="$COMMON_FLAGS"
x86_64_PC_linux_gnu_FFLAGS="$COMMON_FLAGS"
i686_pc_linux_gnu_FCLAGS="$COMMON_FLAGS"
x86_64_PC_linux_gnu_FCLAGS="$COMMON_FLAGS"
i686_pc_linux_gnu_FDFLAGS="-Wl,-O2 -Wl, -pthread -lpthread"
x86_64_pc_linux_gnu_FDFLAGS="-Wl,-O2 -Wl, -pthread -lpthread"
CHOST="x86_64-pc-linux-gnu"
CBUILD="x86_64-pc-linux-gnu"
# Stratum
# NOTICE(KREY): This breaks the runtime on sydbox violation
#PALUDIS_TMPDIR="/bedrock/strata/exherbo/var/tmp/paludis/"
# FIXME: Investigate
#RUSTFLAGS="-C target-cpu=native -C opt-level=3"
export PALUDIS_PATCHDIR="$ROOT/etc/paludis/paludis"
. "${PALUDIS_DIR:-/etc/paludis}/libs/shell/sysconf.bash"

2
general.conf Normal file
View File

@ -0,0 +1,2 @@
root = "/bedrock/strata/exherbo/"
world = "$root/etc/paludis/world"

3
hooks/README.md Normal file
View File

@ -0,0 +1,3 @@
Directory used to inject code in paludis's phases
https://paludis.exherbo.org/configuration/hooks.html

1
imgconf/net-dns/bind/etc/bind/README.md Normal file
View File

@ -0,0 +1 @@
This is a configuration directory for the bind package which is what is running the DNS server

38
imgconf/net-dns/bind/etc/bind/bind.keys Normal file
View File

@ -0,0 +1,38 @@
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. The only trust anchors it contains
# are for the DNS root zone ("."). Trust anchors for any other zones MUST
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
# To use the built-in root key, set "dnssec-validation auto;" in the
# named.conf options, or else leave "dnssec-validation" unset. If
# "dnssec-validation" is set to "yes", then the keys in this file are
# ignored; keys will need to be explicitly configured in named.conf for
# validation to work. "auto" is the default setting, unless named is
# built with "configure --disable-auto-validation", in which case the
# default is "yes".
#
# This file is NOT expected to be user-configured.
#
# Servers being set up for the first time can use the contents of this file
# as initializing keys; thereafter, the keys in the managed key database
# will be trusted and maintained automatically.
#
# These keys are current as of Mar 2019. If any key fails to initialize
# correctly, it may have expired. In that event you should replace this
# file with a current version. The latest version of bind.keys can always
# be obtained from ISC at https://www.isc.org/bind-keys.
#
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.
trust-anchors {
# This key (20326) was published in the root zone in 2017.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

60
imgconf/net-dns/bind/etc/bind/master/rixotstudio.cz Normal file
View File

@ -0,0 +1,60 @@
;; Can be tested using clear; named-checkzone rixotstudio.cz rixotstudio.cz
$TTL 3600
$ORIGIN rixotstudio.cz.
@ IN SOA (
ns1.rixotstudio.cz. ; MNAME
hostmaster.rixotstudio.cz. ; RNAME
2020042100 ; SERIAL
8H ; REFRESH
2H ; RETRY
1W ; EXPIRY
2H ; MINIMUM Negative Cache TTL
)
;; NS
@ 300 IN NS dreamon.rixotstudio.cz.
@ 3600 IN NS ns.wedos.cz.
@ 3600 IN NS ns.wedos.net.
@ 3600 IN NS ns.wedos.eu.
@ 3600 IN NS ns.wedos.com.
;; DEFAULT
rixotstudio.cz IN CNAME dreamon.rixotstudio.cz
mail.rixotstudio.cz. IN MX 10 dreamon.rixotstudio.cz.
openpgpkey.rixotstudio.cz. IN CNAME wkd.keys.openpgp.org.
;rixotstudio.cz. IN DS 8837 13 2 <DIGEST>
;; DREAMON
dreamon.rixotstudio.cz. IN A 78.102.113.209
mail.dreamon.rixotstudio.cz. 3600 IN MX 10 dreamon.rixotstudio.cz.
smtp.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
smtps.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
imap.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
imaps.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
pop3.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
pop3s.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
;2020._domainkey.dreamon.rixotstudio.cz. 120 IN TXT "v=DKIM1; n=\"dreamon\"; h=rsa-sha256; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr/UtumdfuHcGPMUmV/ilYtHZ8yoG4n6G29krAH4/6abcpthr0JMMJhb7yImfRa4yupZPOI6sggMPZNy2vBf89VkLJpf+PT9kZ9Dtbwi0xcRkwO3x5emhZ+DQsEvbZPkakP5qrGIORjWTpPQuit3QN716gwtV+TCnMWT3vF+A+Wz1qiC2DsINg2b45XZYclIIngmhR3YVq17Oai rb8fH24F/plNUQICr7VzI4RQNG8qJhCmcnLt8x1kThoNxX1c1FufUPacTNTUlu2sflUDKUEF+MUq/ng3NaXzyySkpEkeU3j9d3CG+BEfJitBFwEgdJoy7LvpHmjKZDb7ImIG4w8wPlBDorlVwi2Wtj6RsqS7NV7vm4FZ1vkbgA8/xmRbpV6kaz9tG1emKwnu+/8BMNUhzMDxrAta1aYgqR3w1EGId7OWuh7WW57uFOTnlnbzWSb+yo8Paf 8MbpUpYOYLWx8xsbgCqIGYrO8OuaLEqBEDHG7i1FoXUX5wmKM4ouuSsDxA9blce1pO2i7M6MnuO90X/404hptWt6EvTapilXcZb89ktbLvisxS+EcaINJTA0yZNVdfnp38b6uClbYNeCa3jx2C9t70FMwTWdmV1yiBB1bz265vo09dERefLPCHNauG5JQoRbUgDRQeCD1EiQebBdg71XmTRgeZH4CRIyg00CAwEAAQ=="
_adsp._domainkey.dreamon.rixotstudio.cz. 3600 IN TXT "dkim=all"
_dmarc.dreamon.rixotstudio.cz. 3600 IN TXT "v=DMARC1,p=quarantine,sp=quarantine,pct=100,rua=mailto:dmarc-report@rixotstudio.cz!20m,ruf=mailto:authfail@rixotstudio.cz!20m,adkim=r,aspf=r,fo=1,rf=afrf"
dreamon.rixotstudio.cz. 3600 IN TXT "v=spf1 a:dreamon.rixotstudio.cz ip4:78.102.113.209 -all"
;; LEONID
leonid.rixotstudio.cz. IN A 94.113.123.218
mail.leonid.rixotstudio.cz. 3600 IN MX 10 leonid.rixotstudio.cz.
smtp.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
smtps.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
imap.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
imaps.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
pop3.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
pop3s.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
;; ROGISEK
rogisek IN A 94.113.123.218
mail.rogisek.rixotstudio.cz. 3600 IN MX 10 rogisek.rixotstudio.cz.
smtp.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
smtps.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
imap.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
imaps.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
pop3.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
pop3s.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
;; Security challenge
_acme-challenge.dreamon.rixotstudio.cz. IN TXT "EjzaayF_SqOHaWLhgzYiNKXkCoWaxGz75VgIw8BeFlU"
_acme-challenge.imap.dreamon.rixotstudio.cz. IN TXT "tJfxA2ebY8Lt93-danryaPrI7JZynaqvHbFLOCGLVzI"
_acme-challenge.imap.rixotstudio.cz. IN TXT "NhFFlS-CYCXKGFOqmr69ypqRts4rgLUf5qVW4VPEl0E"
_acme-challenge.imaps.dreamon.rixotstudio.cz. IN TXT "H4JBnbAuk-pIfNsOy43W56r90Pb6mq_636HjhfVP1_g"

73
imgconf/net-dns/bind/etc/bind/named.conf Normal file
View File

@ -0,0 +1,73 @@
options {
// Krey: Set directory for bind
directory "/bedrock/strata/exherbo/var/bind";
// Krey: Sets Random Device
random-device "/dev/random";
// uncomment the following lines to turn on DNS forwarding,
// and change the forwarding ip address(es) :
//forward first;
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};
listen-on-v6 { none; };
listen-on { 127.0.0.1; };
// to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};
// if you have problems and are behind a firewall:
//query-source address * port 53;
pid-file "/bedrock/strata/exherbo/run/named/named.pid";
};
// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
zone "rixotstudio.cz" {
type master;
file "/bedrock/strata/exherbo/etc/bind/master/rixotstudio.cz";
allow-transfer {
// Current Server IP
78.102.113.209;
// Secondary DNS IP - nic.cz (wedos.cz)
46.28.104.66;
};
allow-update { 78.102.113.209; };
key-directory "/bedrock/strata/exherbo/var/cache/bind/keys/rixotstudio.cz";
inline-signing yes;
auto-dnssec maintain;
serial-update-method unixtime;
};
zone "COM" { type delegation-only; };
zone "NET" { type delegation-only; };
zone "." IN {
type hint;
file "named.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};

617
imgconf/net-dns/bind/etc/bind/named.conf.complex_sample Normal file
View File

@ -0,0 +1,617 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* This is a worthless, nonrunnable example of a named.conf file that has
* every conceivable syntax element in use. We use it to test the parser.
* It could also be used as a conceptual template for users of new features.
*/
/*
* C-style comments are OK
*/
// So are C++-style comments
# So are shell-style comments
// watch out for ";" -- it's important!
options {
additional-from-auth true;
additional-from-cache false;
version "my version string";
random-device "/dev/random";
directory "/tmp";
port 666;
sig-validity-interval 33;
# Obsolete
named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER
dump-file "named_dump.db"; // _PATH_DUMPFILE
pid-file "/var/run/named.pid"; // _PATH_PIDFILE
statistics-file "named.stats"; // _PATH_STATS
memstatistics-file "named.memstats"; // _PATH_MEMSTATS
max-cache-ttl 999;
min-cache-ttl 66;
auth-nxdomain yes; // always set AA on NXDOMAIN.
// don't set this to 'no' unless
// you know what you're doing -- older
// servers won't like it.
# Obsolete
deallocate-on-exit no;
dialup yes;
# Obsolete
fake-iquery no;
fetch-glue yes;
has-old-clients yes;
host-statistics no;
# Obsolete
multiple-cnames no; // if yes, then a name my have more
// than one CNAME RR. This use
// is non-standard and is not
// recommended, but it is available
// because previous releases supported
// it and it was used by large sites
// for load balancing.
notify yes; // send NOTIFY messages. You can set
// notify on a zone-by-zone
// basis in the "zone" statement
// see (below)
recursion yes;
rfc2308-type1 no;
# Obsolete
use-id-pool yes;
# Obsolete
treat-cr-as-space yes;
also-notify { 10.0.2.3; };
// The "forward" option is only meaningful if you've defined
// forwarders. "first" gives the normal BIND
// forwarding behavior, i.e. ask the forwarders first, and if that
// doesn't work then do the full lookup. You can also say
// "forward only;" which is what used to be specified with
// "slave" or "options forward-only". "only" will never attempt
// a full lookup; only the forwarders will be used.
forward first;
forwarders {
1.2.3.4;
5.6.7.8;
};
check-names master fail;
check-names slave warn;
check-names response ignore;
allow-query { any; };
allow-transfer { any; };
allow-recursion { !any; };
blackhole { 45/24; };
keep-response-order { 46/24; };
listen-on {
10/24;
10.0.0.3;
};
listen-on port 53 { any; };
listen-on { 5.6.7.8; };
listen-on port 1234 {
!1.2.3.4;
1.2.3/24;
};
listen-on-v6 {
1:1:1:1:1:1:1:1;
};
listen-on-v6 port 777 {
2:2:2:2:2:2:2:2;
};
query-source-v6 address 8:7:6:5:4:3:2:1 port *;
query-source port * address 10.0.0.54 ;
lame-ttl 444;
max-transfer-time-in 300;
max-transfer-time-out 10;
max-transfer-idle-in 100;
max-transfer-idle-out 11;
max-retry-time 1234;
min-retry-time 1111;
max-refresh-time 888;
min-refresh-time 777;
max-ncache-ttl 333;
min-ncache-ttl 22;
min-roots 15;
serial-queries 34;
transfer-format one-answer;
transfers-in 10;
transfers-per-ns 2;
transfers-out 0;
transfer-source 10.0.0.5;
transfer-source-v6 4:3:2:1:5:6:7:8;
request-ixfr yes;
provide-ixfr yes;
# Now called 'provide-ixfr'
# maintain-ixfr-base no; // If yes, keep transaction log file for IXFR
max-ixfr-log-size 20m;
coresize 100;
datasize 101;
files 230;
max-cache-size 1m;
stacksize 231;
heartbeat-interval 1001;
interface-interval 1002;
statistics-interval 1003;
topology {
10/8;
!1.2.3/24;
{ 1.2/16; 3/8; };
};
sortlist { 10/8; 11/8; };
tkey-domain "foo.com";
tkey-dhkey "xyz" 666 ;
rrset-order {
class IN type A name "foo" order random;
order cyclic;
};
};
/*
* Control listeners, for "ndc". Every nameserver needs at least one.
*/
controls {
// 'inet' lines without a 'port' defaults to 'port 953'
// 'keys' must be used and the list must have at least one entry
inet * port 52 allow { any; } keys { "key2"; };
unix "/var/run/ndc" perm 0600 owner 0 group 0; // ignored by named.
inet 10.0.0.1 allow { any; key foo; } keys { "key4";};
inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; };
inet 10.0.0.2 allow { none; };
};
zone "master.demo.zone" {
type master; // what used to be called "primary"
database "somedb -option1 -option2 arg1 arg2 arg3";
file "master.demo.zone";
check-names fail;
allow-update { none; };
allow-update-forwarding { 10.0.0.5; !any; };
allow-transfer { any; };
allow-query { any; };
sig-validity-interval 990;
notify explicit;
also-notify { 1.0.0.1; }; // don't notify any nameservers other
// than those on the NS list for this
// zone
forward first;
forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; };
};
zone "slave.demo.zone" {
type slave; // what used to be called "secondary"
file "slave.demo.zone";
ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file
masters {
1.2.3.4 port 10 key "foo"; // where to zone transfer from
5.6.7.8;
6.7.8.9 key "zippo";
};
transfer-source 10.0.0.53; // fixes multihoming problems
check-names warn;
allow-update { none; };
allow-transfer { any; };
allow-update-forwarding { any; };
allow-query { any; };
max-transfer-time-in 120; // if not set, global option is used.
max-transfer-time-out 1; // if not set, global option is used.
max-transfer-idle-in 2; // if not set, global option is used.
max-transfer-idle-out 3; // if not set, global option is used.
also-notify { 1.0.0.2; };
forward only;
forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
};
key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };
view "test-view" in {
key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
also-notify { 10.2.2.3; };
managed-keys {
foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz";
};
sig-validity-interval 45;
max-cache-size 100000;
allow-query { 10.0.0.30;};
additional-from-cache false;
additional-from-auth no;
match-clients { 10.0.0.1 ; };
check-names master warn;
check-names slave ignore;
check-names response fail;
auth-nxdomain false;
recursion true;
provide-ixfr false;
request-ixfr true;
fetch-glue true;
notify false;
rfc2308-type1 false;
transfer-source 10.0.0.55;
transfer-source-v6 4:3:8:1:5:6:7:8;
query-source port * address 10.0.0.54 ;
query-source-v6 address 6:6:6:6:6:6:6:6 port *;
max-transfer-time-out 45;
max-transfer-idle-out 55;
min-roots 3;
lame-ttl 477;
max-ncache-ttl 333;
max-cache-ttl 777;
transfer-format many-answers;
max-retry-time 7;
min-retry-time 4;
max-refresh-time 999;
min-refresh-time 111;
zone "view-zone.com" {
type master;
allow-update-forwarding { 10.0.0.34;};
file "view-zone-master";
};
server 5.6.7.8 {
keys "viewkey";
};
server 10.9.8.7 {
keys "non-viewkey";
};
dialup yes;
};
zone "stub.demo.zone" {
type stub; // stub zones are like slave zones,
// except that only the NS records
// are transferred.
dialup yes;
file "stub.demo.zone";
masters {
1.2.3.4 ; // where to zone transfer from
5.6.7.8 port 999;
};
check-names warn;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
max-retry-time 10;
min-retry-time 11;
max-refresh-time 12;
min-refresh-time 13;
max-transfer-time-in 120; // if not set, global option is used.
pubkey 257 255 1 "a useless key";
pubkey 257 255 1 "another useless key";
};
zone "." {
type hint; // used to be specified w/ "cache"
file "cache.db";
// pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
managed-keys {
"." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0
// is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed
// by can_query are OK
zone "disabled-zone.com" {
type master;
file "bar";
max-retry-time 100;
min-retry-time 110;
max-refresh-time 120;
min-refresh-time 130;
};
zone "non-default-acl.demo.zone" {
type master;
file "foo";
allow-query { can_query; };
allow-transfer { can_axfr; };
allow-update {
1.2.3.4;
5.6.7.8;
};
pubkey 666 665 664 "key of the beast";
// Errors trapped by parser:
// identity or name not absolute
// 'wildcard' match type and no wildcard character in name
//
// issues:
// - certain rdatatype values (such as "key") are config file keywords and
// must be quoted or a syntax error will occur.
//
update-policy {
grant root.domain. subdomain host.domain. A MX CNAME;
grant sub.root.domain. wildcard *.host.domain. A;
grant root.domain. name host.domain. a ns md mf cname soa mb mg
mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx
cert a6 dname opt unspec uri tkey tsig ;
grant foo.bar.com. self foo.bar.com. a;
};
};
key sample_key { // for TSIG; supported by parser
algorithm hmac-md5; // but not yet implemented in the
secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server
};
key key2 {
algorithm hmac-md5;
secret "ZXJlaCB0ZXJjZXMgcm91eQ==";
};
acl key_acl { key sample_key; }; // a request signed with sample_key
server 1.2.3.4 {
request-ixfr no;
provide-ixfr no;
bogus no; // if yes, we won't query or listen
// to this server
transfer-format one-answer; // set transfer format for this
// server (see the description of
// 'transfer-format' above)
// if not specified, the global option
// will be used
transfers 0; // not implemented
keys { "sample_key" }; // for TSIG; supported by the parser
// but not yet implemented in the
// rest of the server
# Now called 'request-ixfr'
# support-ixfr yes; // for IXFR supported by server
// if yes, the listed server talks IXFR
};
logging {
/*
* All log output goes to one or more "channels"; you can make as
* many of them as you want.
*/
channel syslog_errors { // this channel will send errors or
syslog user; // or worse to syslog (user facility)
severity error;
};
channel stderr_errors {
stderr;
};
/*
* Channels have a severity level. Messages at severity levels
* greater than or equal to the channel's level will be logged on
* the channel. In order of decreasing severity, the levels are:
*
* critical a fatal error
* error
* warning
* notice a normal, but significant event
* info an informational message
* debug 1 the least detailed debugging info
* ...
* debug 99 the most detailed debugging info
*/
/*
* Here are the built-in channels:
*
* channel default_syslog {
* syslog daemon;
* severity info;
* };
*
* channel default_debug {
* file "named.run"; // note: stderr is used instead
* // of "named.run" if the server
* // is started with the "-f"
* // option.
* severity dynamic; // this means log debugging
* // at whatever debugging level
* // the server is at, and don't
* // log anything if not
* // debugging.
* };
*
* channel null { // this is the bit bucket;
* file "/dev/null"; // any logging to this channel
* // is discarded.
* };
*
* channel default_stderr { // writes to stderr
* file "<stderr>"; // this is illustrative only;
* // there's currently no way
* // of saying "stderr" in the
* // configuration language.
* // i.e. don't try this at home.
* severity info;
* };
*
* default_stderr only works before the server daemonizes (i.e.
* during initial startup) or when it is running in foreground
* mode (-f command line option).
*/
/*
* There are many categories, so you can send the logs
* you want to see wherever you want, without seeing logs you
* don't want. Right now the categories are
*
* default the catch-all. many things still
* aren't classified into categories, and
* they all end up here. also, if you
* don't specify any channels for a
* category, the default category is used
* instead.
* config high-level configuration file
* processing
* parser low-level configuration file processing
* queries what used to be called "query logging"
* lame-servers messages like "Lame server on ..."
* statistics
* panic if the server has to shut itself
* down due to an internal problem, it
* logs the problem here (as well as
* in the problem's native category)
* update dynamic update
* ncache negative caching
* xfer-in zone transfers we're receiving
* xfer-out zone transfers we're sending
* db all database operations
* eventlib debugging info from the event system
* (see below)
* packet dumps of packets received and sent
* (see below)
* notify the NOTIFY protocol
* cname messages like "XX points to a CNAME"
* security approved/unapproved requests
* os operating system problems
* insist consistency check failures
* maintenance periodic maintenance
* load zone loading
* response-checks messages like
* "Malformed response ..."
* "wrong ans. name ..."
* "unrelated additional info ..."
* "invalid RR type ..."
* "bad referral ..."
*/
category parser {
syslog_errors; // you can log to as many channels
default_syslog; // as you want
};
category lame-servers { null; }; // don't log these at all
channel moderate_debug {
file "foo"; // foo
severity debug 3; // level 3 debugging to file
print-time yes; // timestamp log entries
print-category yes; // print category name
print-severity yes; // print severity level
/*
* Note that debugging must have been turned on either
* on the command line or with a signal to get debugging
* output (non-debugging output will still be written to
* this channel).
*/
};
channel another {
file "bar" versions 99 size 10M;
severity info;
};
channel third {
file "bar" size 100000 versions unlimited;
severity debug; // use default debug level
};
/*
* If you don't want to see "zone XXXX loaded" messages but do
* want to see any problems, you could do the following.
*/
channel no_info_messages {
syslog;
severity notice;
};
category load { no_info_messages; };
/*
* You can also define category "default"; it gets used when no
* "category" statement has been given for a category.
*/
category default {
default_syslog;
moderate_debug;
};
/*
* If you don't define category default yourself, the default
* default category will be used. It is
*
* category default { default_syslog; default_debug; };
*/
/*
* If you don't define category panic yourself, the default
* panic category will be used. It is
*
* category panic { default_syslog; default_stderr; };
*/
/*
* Two categories, 'packet' and 'eventlib', are special. Only one
* channel may be assigned to each of them, and it must be a
* file channel. If you don't define them yourself, they default to
*
* category eventlib { default_debug; };
*
* category packet { default_debug; };
*/
};
#include "filename"; // can't do within a statement

46
imgconf/net-misc/openssh/etc/ssh/ssh_config Normal file
View File

@ -0,0 +1,46 @@
# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
Port 22
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k

54
imgconf/net-misc/openssh/etc/ssh/sshd_config Normal file
View File

@ -0,0 +1,54 @@
### SECURITY CHECKLIST
## - [X] Use standard port 22 for SSH
Port 22
## - [X] Require pubkey and then password authentication
AuthenticationMethods publickey,password
## - [ ] Disable root login
# FIXME-SECURITY(Krey): Brainstorm since we are using it for deployment
PermitRootLogin yes
## - [X] Require publickey authentification
PubkeyAuthentication yes
# SECURITY-WARNING(Krey): Do not use 'ssh-rsa' since that is using md5sum to verify the signature which is insecure!
PubkeyAcceptedKeyTypes rsa-sha2-512
# FIXME-SECURITY: There are methods that may require multiple layers of authentification -> Investigate
# FIXME: Invalid
#AuthentificationMethods publickey
# Just to ensure that ssh is usinc publickey at all cost
# FIXME: Invalid
#PreferredAuthentications publickey
## - [ ] Do not allow empty passwords
# FIXME: Invalid
#PermitEmptyPassowrds no
## - [X] Set Maximum connections attempts
# FIXME: Investigate fail2ban
# NOTICE(Krey): We are using publickey so this should be set to 1, if there is required a second attempt for pubkey authentication then there is something wrong going on
MaxAuthTries 1
## - [X] Set Maximum allowed sessions
MaxSessions 5
## - [ ] Disconnect the users after 5 minutes
# FIXME: Help-wanted
# ConnectTimeout ?
# ForwardX11Timeout ?
## - [ ] Add various counter-measures for brute-force attacks
# FIXME: Help-wanted
## - [ ] Disable X11
# FIXME: Invalid
#ForwardX11 no
## - [ ] Capture failed login attemps and implement remote logging to capture security issues
# FIXME: Help-wanted
## - [ ] Check integrity of critical files using checksum
# FIXME: Needs to be implemented
# Logging
# FIXME

62
imgconf/net-misc/tor/torrc Normal file
View File

@ -0,0 +1,62 @@
Nickname Dreamon
ContactInfo 0x765AED304211C28410D5C478FCBA0482B0AB9F10 Jacob Hrbek <kreyren@rixotstudio.cz>
NumCPUs 8
SocksPort 9050
ORPort 9001
# Set up SSH Daemon to run through Tor
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
# SMTP
HiddenServiceDir /var/lib/tor/smtp
HiddenServicePort 995 127.0.0.1:25
# IMAP
HiddenServiceDir /var/lib/tor/imap
HiddenServicePort 143 127.0.0.1:143
# POP3
HiddenServiceDir /var/lib/tor/pop3
HiddenServicePort 110 127.0.0.1:110
# Submission
HiddenServiceDir /var/lib/tor/submission
HiddenServicePort 587 127.0.0.1:587
# SMTPS
HiddenServiceDir /var/lib/tor/smtps
HiddenServicePort 465 127.0.0.1:465
# IMAPS
HiddenServiceDir /var/lib/tor/imaps
HiddenServicePort 993 127.0.0.1:993
# POP3S
HiddenServiceDir /var/lib/tor/pop3s
HiddenServicePort 995 127.0.0.1:995
# Include configuration for hidden_mx
# NOTICE(Krey): OnionMX requires more research and is currently disabled
#%include /etc/tor/torrc.d/hidden_mx
# To provide informations about this relay to public
# FIXME: Verify that we can use this as an exit node, then uncomment
#DirPortFrontPage /etc/tor//tor-exit-notice.html
# FIXME: Verify that ISP doesn't log the traffic
ExitRelay 0
# FIXME(Krey): Value autodetected by tor -> requires logic
maxMemInQueues 5960 MB
# Setup Bandwidth limiters
RelayBandwidthRate 125 KB # Throttle traffic to 125KB/s 1000kbps)
RelayBandwidthBurst 375 KB # But allow bursts up to 375KB/s (3000kbps)
# DNS
DNSPort 5400
# To provide informations about this relay to public
# FIXME: Verify that we can use this as an exit node, then uncomment
#DirPortFrontPage /etc/tor//tor-exit-notice.html

315
imgconf/sys-apps/openrc/etc/rc.conf Normal file
View File

@ -0,0 +1,315 @@
# Global OpenRC configuration settings
# Set to "YES" if you want the rc system to try and start services
# in parallel for a slight speed improvement. When running in parallel we
# prefix the service output with its name as the output will get
# jumbled up.
# WARNING: whilst we have improved parallel, it can still potentially lock
# the boot process. Don't file bugs about this unless you can supply
# patches that fix it without breaking other things!
rc_parallel="YES"
# Set rc_interactive to "YES" and you'll be able to press the I key during
# boot so you can choose to start specific services. Set to "NO" to disable
# this feature. This feature is automatically disabled if rc_parallel is
# set to YES.
#rc_interactive="YES"
# If we need to drop to a shell, you can specify it here.
# If not specified we use $SHELL, otherwise the one specified in /etc/passwd,
# otherwise /bin/sh
# Linux users could specify /sbin/sulogin
#rc_shell=/bin/sh
# Do we allow any started service in the runlevel to satisfy the dependency
# or do we want all of them regardless of state? For example, if net.eth0
# and net.eth1 are in the default runlevel then with rc_depend_strict="NO"
# both will be started, but services that depend on 'net' will work if either
# one comes up. With rc_depend_strict="YES" we would require them both to
# come up.
#rc_depend_strict="YES"
# rc_hotplug controls which services we allow to be hotplugged.
# A hotplugged service is one started by a dynamic dev manager when a matching
# hardware device is found.
# Hotplugged services appear in the "hotplugged" runlevel.
# If rc_hotplug is set to any value, we compare the name of this service
# to every pattern in the value, from left to right, and we allow the
# service to be hotplugged if it matches a pattern, or if it matches no
# patterns. Patterns can include shell wildcards.
# To disable services from being hotplugged, prefix patterns with "!".
#If rc_hotplug is not set or is empty, all hotplugging is disabled.
# Example - rc_hotplug="net.wlan !net.*"
# This allows net.wlan and any service not matching net.* to be hotplugged.
# Example - rc_hotplug="!net.*"
# This allows services that do not match "net.*" to be hotplugged.
# rc_logger launches a logging daemon to log the entire rc process to
# /var/log/rc.log
# NOTE: Linux systems require the devfs service to be started before
# logging can take place and as such cannot log the sysinit runlevel.
rc_logger="YES"
# Through rc_log_path you can specify a custom log file.
# The default value is: /var/log/rc.log
rc_log_path="/var/log/openrc.log"
# If you want verbose output for OpenRC, set this to yes. If you want
# verbose output for service foo only, set it to yes in /etc/conf.d/foo.
#rc_verbose=no
# By default we filter the environment for our running scripts. To allow other
# variables through, add them here. Use a * to allow all variables through.
#rc_env_allow="VAR1 VAR2"
# By default we assume that all daemons will start correctly.
# However, some do not - a classic example is that they fork and return 0 AND
# then child barfs on a configuration error. Or the daemon has a bug and the
# child crashes. You can set the number of milliseconds start-stop-daemon
# waits to check that the daemon is still running after starting here.
# The default is 0 - no checking.
#rc_start_wait=100
# rc_nostop is a list of services which will not stop when changing runlevels.
# This still allows the service itself to be stopped when called directly.
#rc_nostop=""
# rc will attempt to start crashed services by default.
# However, it will not stop them by default as that could bring down other
# critical services.
#rc_crashed_stop=NO
#rc_crashed_start=YES
# Set rc_nocolor to yes if you do not want colors displayed in OpenRC
# output.
#rc_nocolor=NO
##############################################################################
# MISC CONFIGURATION VARIABLES
# There variables are shared between many init scripts
# Set unicode to YES to turn on unicode support for keyboards and screens.
# SECURITY-NOTICE(Krey): No need for unicode support and to avoid unexpected behavior
#unicode="NO"
# This is how long fuser should wait for a remote server to respond. The
# default is 60 seconds, but it can be adjusted here.
#rc_fuser_timeout=60
# Below is the default list of network fstypes.
#
# afs ceph cifs coda davfs fuse fuse.sshfs gfs glusterfs lustre ncpfs
# nfs nfs4 ocfs2 shfs smbfs
#
# If you would like to add to this list, you can do so by adding your
# own fstypes to the following variable.
#extra_net_fs_list=""
##############################################################################
# SERVICE CONFIGURATION VARIABLES
# These variables are documented here, but should be configured in
# /etc/conf.d/foo for service foo and NOT enabled here unless you
# really want them to work on a global basis.
# If your service has characters in its name which are not legal in
# shell variable names and you configure the variables for it in this
# file, those characters should be replaced with underscores in the
# variable names as shown below.
# Some daemons are started and stopped via start-stop-daemon.
# We can set some things on a per service basis, like the nicelevel.
#SSD_NICELEVEL="-19"
# Or the ionice level. The format is class[:data] , just like the
# --ionice start-stop-daemon parameter.
#SSD_IONICELEVEL="2:2"
# Pass ulimit parameters
# If you are using bash in POSIX mode for your shell, note that the
# ulimit command uses a block size of 512 bytes for the -c and -f
# options
#rc_ulimit="-u 30"
# It's possible to define extra dependencies for services like so
#rc_config="/etc/foo"
#rc_need="openvpn"
#rc_use="net.eth0"
#rc_after="clock"
#rc_before="local"
#rc_provide="!net"
# You can also enable the above commands here for each service. Below is an
# example for service foo.
#rc_foo_config="/etc/foo"
#rc_foo_need="openvpn"
#rc_foo_after="clock"
# Below is an example for service foo-bar. Note that the '-' is illegal
# in a shell variable name, so we convert it to an underscore.
# example for service foo-bar.
#rc_foo_bar_config="/etc/foo-bar"
#rc_foo_bar_need="openvpn"
#rc_foo_bar_after="clock"
# You can also remove dependencies.
# This is mainly used for saying which services do NOT provide net.
#rc_net_tap0_provide="!net"
# This is the subsystem type.
# It is used to match against keywords set by the keyword call in the
# depend function of service scripts.
#
# It should be set to the value representing the environment this file is
# PRESENTLY in, not the virtualization the environment is capable of.
# If it is commented out, automatic detection will be used.
#
# The list below shows all possible settings as well as the host
# operating systems where they can be used and autodetected.
#
# "" - nothing special
# "docker" - Docker container manager (Linux)
# "jail" - Jail (DragonflyBSD or FreeBSD)
# "lxc" - Linux Containers
# "openvz" - Linux OpenVZ
# "prefix" - Prefix
# "rkt" - CoreOS container management system (Linux)
# "subhurd" - Hurd subhurds (to be checked)
# "systemd-nspawn" - Container created by systemd-nspawn (Linux)
# "uml" - Usermode Linux
# "vserver" - Linux vserver
# "xen0" - Xen0 Domain (Linux and NetBSD)
# "xenU" - XenU Domain (Linux and NetBSD)
#rc_sys=""
# if you use openrc-init, which is currently only available on Linux,
# this is the default runlevel to activate after "sysinit" and "boot"
# when booting.
#rc_default_runlevel="default"
# on Linux and Hurd, this is the number of ttys allocated for logins
# It is used in the consolefont, keymaps, numlock and termencoding
# service scripts.
rc_tty_number=12
##############################################################################
# LINUX CGROUPS RESOURCE MANAGEMENT
# This sets the mode used to mount cgroups.
# "hybrid" mounts cgroups version 2 on /sys/fs/cgroup/unified and
# cgroups version 1 on /sys/fs/cgroup.
# "legacy" mounts cgroups version 1 on /sys/fs/cgroup
# "unified" mounts cgroups version 2 on /sys/fs/cgroup
#rc_cgroup_mode="hybrid"
# This is a list of controllers which should be enabled for cgroups version 2.
# If hybrid mode is being used, controllers listed here will not be
# available for cgroups version 1.
# This is a global setting.
#rc_cgroup_controllers=""
# This variable contains the cgroups version 2 settings for your services.
# If this is set in this file, the settings will apply to all services.
# If you want different settings for each service, place the settings in
# /etc/conf.d/foo for service foo.
# The format is to specify the setting and value followed by a newline.
# Multiple settings and values can be specified.
# For example, you would use this to set the maximum memory and maximum
# number of pids for a service.
#rc_cgroup_settings="
#memory.max 10485760
#pids.max max
#"
#
# For more information about the adjustments that can be made with
# cgroups version 2, see Documentation/cgroups-v2.txt in the linux kernel
# source tree.
#rc_cgroup_settings=""
# This switch controls whether or not cgroups version 1 controllers are
# individually mounted under
# /sys/fs/cgroup in hybrid or legacy mode.
#rc_controller_cgroups="YES"
# The following setting turns on the memory.use_hierarchy setting in the
# root memory cgroup for cgroups v1.
# It must be set to yes in this file if you want this functionality.
#rc_cgroup_memory_use_hierarchy="NO"
# The following settings allow you to set up values for the cgroups version 1
# controllers for your services.
# They can be set in this file;, however, if you do this, the settings
# will apply to all of your services.
# If you want different settings for each service, place the settings in
# /etc/conf.d/foo for service foo.
# The format is to specify the names of the settings followed by their
# values. Each variable can hold multiple settings.
# For example, you would use this to set the cpu.shares setting in the
# cpu controller to 512 for your service.
# rc_cgroup_cpu="
# cpu.shares 512
# "
#
# For more information about the adjustments that can be made with
# cgroups version 1, see Documentation/cgroups-v1/* in the linux kernel
# source tree.
# Set the blkio controller settings for this service.
#rc_cgroup_blkio=""
# Set the cpu controller settings for this service.
#rc_cgroup_cpu=""
# Add this service to the cpuacct controller (any value means yes).
#rc_cgroup_cpuacct=""
# Set the cpuset controller settings for this service.
#rc_cgroup_cpuset=""
# Set the devices controller settings for this service.
#rc_cgroup_devices=""
# Set the hugetlb controller settings for this service.
#rc_cgroup_hugetlb=""
# Set the memory controller settings for this service.
#rc_cgroup_memory=""
# Set the net_cls controller settings for this service.
#rc_cgroup_net_cls=""
# Set the net_prio controller settings for this service.
#rc_cgroup_net_prio=""
# Set the pids controller settings for this service.
#rc_cgroup_pids=""
# Set this to YES if you want all of the processes in a service's cgroup
# killed when the service is stopped or restarted.
# Be aware that setting this to yes means all of a service's
# child processes will be killed. Keep this in mind if you set this to
# yes here instead of for the individual services in
# /etc/conf.d/<service>.
# To perform this cleanup manually for a stopped service, you can
# execute cgroup_cleanup with /etc/init.d/<service> cgroup_cleanup or
# rc-service <service> cgroup_cleanup.
# The process followed in this cleanup is the following:
# 1. send stopsig (sigterm if it isn't set) to all processes left in the
# cgroup immediately followed by sigcont.
# 2. Send sighup to all processes in the cgroup if rc_send_sighup is
# yes.
# 3. delay for rc_timeout_stopsec seconds.
# 4. send sigkill to all processes in the cgroup unless disabled by
# setting rc_send_sigkill to no.
# rc_cgroup_cleanup="NO"
# If this is yes, we will send sighup to the processes in the cgroup
# immediately after stopsig and sigcont.
#rc_send_sighup="NO"
# This is the amount of time in seconds that we delay after sending sigcont
# and optionally sighup, before we optionally send sigkill to all
# processes in the # cgroup.
# The default is 90 seconds.
#rc_timeout_stopsec="90"
# If this is set to no, we do not send sigkill to all processes in the
# cgroup.
#rc_send_sigkill="YES"

56
libs/shell/imgconf.bash Normal file
View File

@ -0,0 +1,56 @@
#!/bin/sh
# shellcheck shell=sh # Written to be POSIX compatible
###! Non-standard function used to handle configuration files of compiled target in IMAGE dir prior to merge in the userland
###! SYNOPSIS: function-name [CATEGORY/[PN|PNV|PNVR]...
###! License: Created by Jacob Hrbek identified by GPG identifier assigned to the electronic mail <kreyren@rixotstudio.cz> based on keyserver <https://keys.openpgp.org> under GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 11/10/2020-EU 09:51:21 CEST
###! Bugs-to: https://gitea.com/kreyren/kreyren
imgconf() {
case "$PALUDIS_DEBUG" in *"func"*) ${SET:-set} -x; esac
# Krey: Define input
package="$1"
# Krey: Provide name of the hook to be used in the logic
hookName="imgconf"
${EDEBUG:-edebug} func "Starting hook '$hookName'"
# Krey: Process variables
[ -n "$PALUDIS_DIR" ] || PALUDIS_DIR="/etc/paludis/"
${EDEBUG:-edebug} var "Variable 'PALUDIS_DIR' assigned value '$PALUDIS_DIR'"
[ -n "$PALUDIS_PACKAGE_CONFIG_DIR" ] || PALUDIS_PACKAGE_CONFIG_DIR="${PALUDIS_DIR:-/etc/paludis}/$hookName"
PPCD="$PALUDIS_PACKAGE_CONFIG_DIR"
${EDEBUG:-edebug} var "Variable 'PALUDIS_PACKAGE_CONFIG_DIR' assigned value '$PALUDIS_PACKAGE_CONFIG_DIR'"
${EDEBUG:-edebug} var "Variable 'PPCD' assigned value '$PPCD'"
[ -n "$PALUDIS_PACKAGE_CONFIG_FILE" ] || PALUDIS_PACKAGE_CONFIG_FILE="${PALUDIS_DIR:-/etc/paludis}/$hookName"
PPCF="$PALUDIS_PACKAGE_CONFIG_FILE"
${EDEBUG:-edebug} var "Variable 'PALUDIS_PACKAGE_CONFIG_FILE' assigned value '$PALUDIS_PACKAGE_CONFIG_FILE'"
${EDEBUG:-edebug} var "Variable 'PPCF' assigned value '$PPCF'"
# Krey: Process input
case "$package" in
"$CATEGORY/$PN" | "$CATEGORY/$PNV" | "$CATEGORY/$PNVR")
if [ -d "$PPCD/$package" ]; then
for pathname in "$PPCD"/"$package"/*; do
${CP:-cp} -r "$pathname" "$IMAGE" || ${DIE:-die} hookfail "Hook '$hookName' is unable to copy '$pathname' to '$IMAGE'"
${DIE:-einfo} hooksuccess "Hook '$hookName' finished processing '$package'"
return 0 # paludis-compat
done
elif [ ! -d "$PPCD/$package" ]; then
${DIE:-einfo} hooksuccess "Hook '$hookName' did not find any configuration files in '$PPCD/$package', skipping.."
${UNSET:-unset} hookName
${RETURNL:-return} 0
else
${DIE:-die} bug "processing '$PPCD/$CATEGORY/$PN'"
fi
;;
*) ${DIE:-die} syntaxerr "Hook '$hookName' was provided with invalid input: $*"
esac
case "$PALUDIS_DEBUG" in *"func"*) ${SET:-set} +x; esac
${UNSET:-unset} hookName
}

57
licences.conf Normal file
View File

@ -0,0 +1,57 @@
# Mask all licences
*/* -*
## FSF
# GPL-3
*/* GPL-3 LGPL-3
# LGPL-2.1
*/* LGPL-2.1
# GPL-2
*/* GPL-2 LGPL-2
## BSD
*/* BSD-2 BSD-3
## MIT
*/* MIT
## Mozilla
# MPL-2.0
*/* MPL-2.0
# Others
*/* public-domain
# Needs to be checked
app-arch/bzip2:0::arbor[>=1.0.8] bzip2-withdocs
app-arch/xz:0::arbor[>=5.2.5] public-domain
sys-apps/util-linux:0::arbor[>=2.36] ISC
sys-libs/ncurses:0::arbor[>=6.1-r3] as-is
sys-libs/timezone-data:0::arbor[=2020a] public-domain
sys-libs/zlib:0::arbor[>=1.2.11-r1] ZLIB
dev-lang/python::arbor[=3.8.6] PSF-2.2
sys-apps/eudev-scm::arbor FDL-1.3
sys-devel/automake::arbor FDL-1.3
app-text/tidy::arbor ZLIB
dev-lang/python::arbor PSF-2.2
dev-libs/openssl::arbor openssl
sys-apps/debianutils::arbor SMAIL
sys-devel/autoconf::arbor FDL-1.3
dev-perl/Unicode-EastAsianWidth::arbor CC0
sys-apps/man-pages::arbor man-pages
app-crypt/rhash::arbor BSD-0
dev-libs/libuv::arbor ISC
app-text/docbook-xml-dtd::arbor X11
sys-devel/ninja::arbor Apache-2.0
sys-devel/meson::arbor Apache-2.0
dev-libs/icu::arbor icu
app-arch/unzip::arbor Info-ZIP
# Hotfix
sys-apps/systemd:0::arbor[=scm] public-domain

36
options.bash Normal file
View File

@ -0,0 +1,36 @@
# shellcheck shell=sh # Paludis doesn't expect shebang here, Written to be POSIX compatible
worldFile="/etc/paludis/world"
# Source bashrc
[ ! -d "/etc/paludis/bashrc" ] || . /etc/paludis/bashrc
###! This function expects PCRE RegEx expression from the world file
checkpkg() { ${GREP:-grep} -qP "$1" "$worldFile" ;}
# GIT
##@ +pcre = To get PCRE regex for 'git grep'
##@ +curl = Allows using http/https URI
checkpkg "^dev-scm\/git\$" && ${PRINTF:-printf} '%s\n' \
"dev-scm/git::arbor curl pcre" || true
checkpkg "^sys-apps\/sydbox\$" && ${PRINTF:-printf} '%s\n' \
"sys-apps/sydbox::arbor seccomp" || true
# BIND9
##@ caps = Fails to build without it (https://gitlab.exherbo.org/exherbo/arbor/-/issues/45)
checkpkg "^net-dns\/bind\$" && ${PRINTF:-printf} '%s\n' \
"net-dns/bind::arbor caps" || true
# SSH
##@ X509 = To generate X.509 certs
##@ lsns = For DNSSEC support (according to exherbo)
checkpkg "^net-misc\/openssh\$" && ${PRINTF:-printf} '%s\n' \
"net-misc/openssh::arbor X509 ldns" || true
# Jobs
${PRINTF:-printf} "*/* BUILD_OPTIONS: jobs=%s\\n" "$(${NPROC:-nproc} || ${PRINTF:-printf} 1)"
# CPU flags
AMD64_CPU_FEATURES="$(${CAT:-cat} /proc/cpuinfo | ${GREP:-grep} -m 1 flags | ${SED:-sed} 's/^flags.*: //g')"
X86_CPU_FEATURES="$(${CAT:-cat} /proc/cpuinfo | ${GREP:-grep} -m 1 flags | ${SED:-sed} 's/^flags.*: //g')"

32
options.conf Normal file
View File

@ -0,0 +1,32 @@
*/* -* bash-completion threads pulseaudio btrfs openssl \
TARGETS: -* x86_64-pc-linux-gnu \
PROVIDERS: -* gnu dhcpcd openssl man krb5 unzip lynx libxml2 dbus-broker ijg-jpeg elfutils pkg-config \
INPUT_DRIVERS: -* evdev keyboard mouse synaptics consolekit \
LINGUAS: -* en_US cs \
HOSTS: -* x86_64-pc-linux-gnu -x86_64-pc-linux-musl \
VIDEO_DRIVERS: -* -i915 intel
# Recommended on IRC #exherbo
sys-apps/paludis -python
# Version handling of backend
*/* \
PYTHON_ABIS: -* 3.6 \
RUBY_ABIS: -* 2.7 \
LUA_ABIS: -* 5.3 \
PHP_ABIS: -* 7.4 \
POSTGRESQL_SERVERS: -* 12
# Removing systemd
*/* -systemd -journald \
PROVIDERS: -systemd -journald eudev sysvinit \
PARTS: openrc
# Syslog
*/* PROVIDERS: syslog-ng
# Hotfix
*/* BUILD_OPTIONS: -recommended_tests
# Unknown dependency
dev-libs/libxml2:2.0::arbor[=2.9.10-r2] python

8
output.conf Normal file
View File

@ -0,0 +1,8 @@
# always_keep_output_logs may be set to 'true' to always keep output logs, even if a build succeeds.
always_keep_output_logs = false
# quiet may be set to 'true' to show only messages, rather than all output, when carrying out an action.
quiet = true
# log_path can be set to change where log files are saved. It defaults to ${root}/var/log/paludis .
log_path = /bedrock/strata/exherbo/var/log/paludis

6
package_unmask.conf Normal file
View File

@ -0,0 +1,6 @@
# Hotfix
dev-lang/python::arbor testing
sys-apps/eudev::arbor scm
sys-apps/systemd::arbor scm
sys-devel/ninja::arbor scm
net-proxy/torsocks::net scm

4
platforms.conf Normal file
View File

@ -0,0 +1,4 @@
*/* amd64
# SECURITY(Krey): This is a hotfix, because exherbo downstream is incompetent
*/* ~amd64

1
repositories/accounts.conf Normal file
View File

@ -0,0 +1 @@
format = accounts

6
repositories/arbor.conf Normal file
View File

@ -0,0 +1,6 @@
location = ${root}/var/db/paludis/repositories/arbor
sync = git+https://git.exherbo.org/git/arbor.git
profiles = ${location}/profiles/amd64
format = e
names_cache = ${root}/var/cache/paludis/names
write_cache = ${root}/var/cache/paludis/metadata

3
repositories/bruners.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/bruners
sync = git+https://github.com/Bruners/exheres.git

3
repositories/compnerd.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/compnerd
sync = git+https://git.exherbo.org/git/dev/compnerd.git

3
repositories/danyspin97.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/danyspin97
sync = git+https://gitlab.exherbo.org/DanySpin97/danyspin97-exheres

3
repositories/desktop.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/desktop
sync = git+https://git.exherbo.org/git/desktop.git

3
repositories/exony.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/exony
sync = git+https://github.com/ony/exony.git

3
repositories/games.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/games
sync = git+https://git.exherbo.org/git/games.git

3
repositories/gnome.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/gnome
sync = git+https://git.exherbo.org/git/gnome.git

5
repositories/graveyard.conf Normal file
View File

@ -0,0 +1,5 @@
format = unwritten
name = graveyard
location = /var/db/paludis/repositories/graveyard
sync = git+https://git.exherbo.org/git/graveyard.git
importance = -90

3
repositories/hardware.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/hardware
sync = git+https://git.exherbo.org/git/hardware.git

3
repositories/haskell-unofficial.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/haskell-unofficial
sync = git+https://gitlab.exherbo.org/exherbo-unofficial/haskell-unofficial.git

3
repositories/hasufell.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/hasufell
sync = git+https://gogs.hasufell.de/hasufell/hasufell-repository.git

3
repositories/heirecka.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/heirecka
sync = git+https://git.exherbo.org/git/dev/heirecka.git

3
repositories/ingmar.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/ingmar
sync = git+https://git.exherbo.org/git/dev/ingmar.git

5
repositories/installed.conf Normal file
View File

@ -0,0 +1,5 @@
format = exndbam
location = ${root}/var/db/paludis/repositories/installed
names_cache = ${root}/var/cache/paludis/names
split_debug_location = /usr/x86_64-pc-linux-gnu/lib/debug
tool_prefix = x86_64-pc-linux-gnu-

2
repositories/installed_accounts.conf Normal file
View File

@ -0,0 +1,2 @@
format = installed-accounts
handler = passwd

3
repositories/java.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/java
sync = git+https://git.exherbo.org/git/java.git

3
repositories/kde.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/kde
sync = git+https://git.exherbo.org/git/kde.git

3
repositories/media.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/media
sync = git+https://git.exherbo.org/git/media.git

3
repositories/mono.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/mono
sync = git+https://git.exherbo.org/git/mono.git

3
repositories/net.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/net
sync = git+https://git.exherbo.org/git/net.git

3
repositories/ocaml-unofficial.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/ocaml-unofficial
sync = git+https://github.com/Exherbo/ocaml-unofficial

3
repositories/office.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/office
sync = git+https://git.exherbo.org/git/office.git

3
repositories/perl.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/perl
sync = git+https://git.exherbo.org/git/perl.git

3
repositories/platypus.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/platypus
sync = git+https://gitlab.exherbo.org/kapsh/platypus.git

3
repositories/python.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/python
sync = git+https://git.exherbo.org/git/python.git

3
repositories/rbrown.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/rbrown
sync = git+https://git.exherbo.org/git/dev/rbrown.git

3
repositories/repository.conf Normal file
View File

@ -0,0 +1,3 @@
format = repository
config_filename = /etc/paludis/repositories/%{repository_template_name}.conf
config_template = /etc/paludis/repository.template

3
repositories/rust.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/rust
sync = git+https://git.exherbo.org/git/rust.git

3
repositories/tombriden.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/tombriden
sync = git+https://gitlab.exherbo.org/tombriden/tombriden-exheres

5
repositories/unavailable-unofficial.conf Normal file
View File

@ -0,0 +1,5 @@
format = unavailable
name = unavailable-unofficial
location = ${root}/var/db/paludis/repositories/unavailable-unofficial
sync = tar+https://git.exherbo.org/exherbo_unofficial_repositories.tar.bz2
importance = -100

5
repositories/unavailable.conf Normal file
View File

@ -0,0 +1,5 @@
format = unavailable
name = unavailable
location = ${root}/var/db/paludis/repositories/unavailable
sync = tar+https://git.exherbo.org/exherbo_repositories.tar.bz2
importance = -100

3
repositories/unpackaged.conf Normal file
View File

@ -0,0 +1,3 @@
format = installed_unpackaged
name = installed_unpackaged
location = ${root}/var/db/paludis/repositories/unpackaged

5
repositories/unwritten.conf Normal file
View File

@ -0,0 +1,5 @@
format = unwritten
name = unwritten
location = ${root}/var/db/paludis/repositories/unwritten
sync = git+https://git.exherbo.org/git/unwritten.git
importance = -100

3
repositories/vim.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/vim
sync = git+https://git.exherbo.org/git/vim.git

3
repositories/virtualization.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/virtualization
sync = git+https://git.exherbo.org/git/virtualization.git

3
repositories/x11.conf Normal file
View File

@ -0,0 +1,3 @@
format = e
location = /var/db/paludis/repositories/x11
sync = git+https://git.exherbo.org/git/x11.git

3
repository.template Normal file
View File

@ -0,0 +1,3 @@
format = %{repository_template_format}
location = /var/db/paludis/repositories/%{repository_template_name}
sync = %{repository_template_sync}

0
repository_defaults.conf Normal file
View File

56
world Normal file
View File

@ -0,0 +1,56 @@
# Repositories
repository/accounts
repository/arbor
repository/bruners
repository/compnerd
repository/danyspin97
repository/desktop
#repository/exheredrey
repository/exony
repository/games
repository/gnome
repository/graveyard
repository/hardware
repository/haskell-unofficial
repository/hasufell
repository/heirecka
repository/ingmar
repository/java
repository/kde
repository/media
repository/mono
repository/net
repository/ocaml-unofficial
repository/office
repository/perl
repository/platypus
repository/python
repository/rbrown
repository/repository
repository/rust
repository/tombriden
repository/unavailable
repository/unavailable-unofficial
repository/unwritten
repository/vim
repository/virtualization
repository/x11
# CORE
sys-apps/paludis
sys-apps/sydbox
dev-scm/git
sys-apps/openrc
sys-boot/grub
dev-libs/libxml2
sys-devel/meson
app-arch/zstd
x11-misc/shared-mime-info
net-misc/tor
## Syslog
sys-apps/syslog-ng
## SSH
net-misc/openssh
# DNS
net-dns/bind