commit 5682fe12299fada13b86d3f35e6ca9d6b90ff275 Author: root Date: Sun Oct 11 16:55:04 2020 +0200 Initial commit Signed-off-by: root
diff --git a/bashrc b/bashrc
new file mode 100644
index 0000000..e4a1d4f
--- /dev/null
+++ b/bashrc
@@ -0,0 +1,33 @@
+# shellcheck shell=bash # Krey: Paludis doesn't expect shebang here
+# shellcheck disable=SC2034 # Krey: Appears unused is invalid since this is recognized by paludis
+
+COMMON_FLAGS="-O2 -march=sandybridge -pipe"
+
+i686_pc_linux_gnu_CFLAGS="$COMMON_FLAGS"
+i686_pc_linux_gnu_CXXFLAGS="$COMMON_FLAGS"
+
+x86_64_pc_linux_gnu_CFLAGS="$COMMON_FLAGS"
+x86_64_pc_linux_gnu_CXXFLAGS="$COMMON_FLAGS"
+
+i686_pc_linux_gnu_FFLAGS="$COMMON_FLAGS"
+x86_64_PC_linux_gnu_FFLAGS="$COMMON_FLAGS"
+
+i686_pc_linux_gnu_FCLAGS="$COMMON_FLAGS"
+x86_64_PC_linux_gnu_FCLAGS="$COMMON_FLAGS"
+
+i686_pc_linux_gnu_FDFLAGS="-Wl,-O2 -Wl, -pthread -lpthread"
+x86_64_pc_linux_gnu_FDFLAGS="-Wl,-O2 -Wl, -pthread -lpthread"
+
+CHOST="x86_64-pc-linux-gnu"
+CBUILD="x86_64-pc-linux-gnu"
+
+# Stratum
+# NOTICE(KREY): This breaks the runtime on sydbox violation
+#PALUDIS_TMPDIR="/bedrock/strata/exherbo/var/tmp/paludis/"
+
+# FIXME: Investigate
+#RUSTFLAGS="-C target-cpu=native -C opt-level=3"
+
+export PALUDIS_PATCHDIR="$ROOT/etc/paludis/paludis"
+
+. "${PALUDIS_DIR:-/etc/paludis}/libs/shell/sysconf.bash"
diff --git a/general.conf b/general.conf
new file mode 100644
index 0000000..cbbc490
--- /dev/null
+++ b/general.conf
@@ -0,0 +1,2 @@
+root = "/bedrock/strata/exherbo/"
+world = "$root/etc/paludis/world"
diff --git a/hooks/README.md b/hooks/README.md
new file mode 100644
index 0000000..cce5a8e
--- /dev/null
+++ b/hooks/README.md
@@ -0,0 +1,3 @@
+Directory used to inject code in paludis's phases
+
+https://paludis.exherbo.org/configuration/hooks.html
diff --git a/imgconf/net-dns/bind/etc/bind/README.md b/imgconf/net-dns/bind/etc/bind/README.md
new file mode 100644
index 0000000..6bfe959
--- /dev/null
+++ b/imgconf/net-dns/bind/etc/bind/README.md
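Review bot: The two x86_64 Fortran lines, `x86_64_PC_linux_gnu_FFLAGS` and `x86_64_PC_linux_gnu_FCLAGS`, spell the CHOST with upper-case `PC` unlike `x86_64_pc_linux_gnu_CFLAGS` directly above them, and `FCLAGS`/`FDFLAGS` look like typos for the usual `FCFLAGS`/`LDFLAGS` names; if paludis matches these variables by exact name (not verifiable from the diff), the x86_64 Fortran and linker flags are silently never applied, so they should read `x86_64_pc_linux_gnu_FFLAGS="$COMMON_FLAGS"` and `x86_64_pc_linux_gnu_FCFLAGS="$COMMON_FLAGS"` with the linker lines renamed to match. Both `FDFLAGS` values contain `-Wl,` followed by a space, which hands the linker an empty option; drop it or attach the flag it was meant to carry. `export PALUDIS_PATCHDIR="$ROOT/etc/paludis/paludis"` depends on `$ROOT` being set by whoever sources this file, which the file does not document; a `# $ROOT is expected from the paludis environment — TODO confirm` comment would save the next reader a search.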
@@ -0,0 +1 @@
+This is a configuration directory for the bind package which is what is running the DNS server
diff --git a/imgconf/net-dns/bind/etc/bind/bind.keys b/imgconf/net-dns/bind/etc/bind/bind.keys
new file mode 100644
index 0000000..6d4217f
--- /dev/null
+++ b/imgconf/net-dns/bind/etc/bind/bind.keys
@@ -0,0 +1,38 @@ +# The bind.keys file is used to override the built-in DNSSEC trust anchors +# which are included as part of BIND 9. The only trust anchors it contains +# are for the DNS root zone ("."). Trust anchors for any other zones MUST +# be configured elsewhere; if they are configured here, they will not be +# recognized or used by named. +# +# To use the built-in root key, set "dnssec-validation auto;" in the +# named.conf options, or else leave "dnssec-validation" unset. If +# "dnssec-validation" is set to "yes", then the keys in this file are +# ignored; keys will need to be explicitly configured in named.conf for +# validation to work. "auto" is the default setting, unless named is +# built with "configure --disable-auto-validation", in which case the +# default is "yes". +# +# This file is NOT expected to be user-configured. +# +# Servers being set up for the first time can use the contents of this file +# as initializing keys; thereafter, the keys in the managed key database +# will be trusted and maintained automatically. +# +# These keys are current as of Mar 2019. If any key fails to initialize +# correctly, it may have expired. In that event you should replace this +# file with a current version. The latest version of bind.keys can always +# be obtained from ISC at https://www.isc.org/bind-keys. +# +# See https://data.iana.org/root-anchors/root-anchors.xml for current trust +# anchor information for the root zone. + +trust-anchors { + # This key (20326) was published in the root zone in 2017. + . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; 
diff --git a/imgconf/net-dns/bind/etc/bind/master/rixotstudio.cz b/imgconf/net-dns/bind/etc/bind/master/rixotstudio.cz
new file mode 100644
index 0000000..95d5c55
--- /dev/null
+++ b/imgconf/net-dns/bind/etc/bind/master/rixotstudio.cz
@@ -0,0 +1,60 @@
+;; Can be tested using clear; named-checkzone rixotstudio.cz rixotstudio.cz
+$TTL 3600
+$ORIGIN rixotstudio.cz.
+@ IN SOA (
+ ns1.rixotstudio.cz. ; MNAME
+ hostmaster.rixotstudio.cz. ; RNAME
+ 2020042100 ; SERIAL
+ 8H ; REFRESH
+ 2H ; RETRY
+ 1W ; EXPIRY
+ 2H ; MINIMUM Negative Cache TTL
+)
+;; NS
+@ 300 IN NS dreamon.rixotstudio.cz.
+@ 3600 IN NS ns.wedos.cz.
+@ 3600 IN NS ns.wedos.net.
+@ 3600 IN NS ns.wedos.eu.
+@ 3600 IN NS ns.wedos.com.
+;; DEFAULT
+rixotstudio.cz IN CNAME dreamon.rixotstudio.cz
+mail.rixotstudio.cz. IN MX 10 dreamon.rixotstudio.cz.
+openpgpkey.rixotstudio.cz. IN CNAME wkd.keys.openpgp.org.
+;rixotstudio.cz. IN DS 8837 13 2
+;; DREAMON
+dreamon.rixotstudio.cz. IN A 78.102.113.209
+mail.dreamon.rixotstudio.cz. 3600 IN MX 10 dreamon.rixotstudio.cz.
+smtp.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
+smtps.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
+imap.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
+imaps.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
+pop3.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
+pop3s.dreamon.rixotstudio.cz IN CNAME dreamon.rixotstudio.cz.
+;2020._domainkey.dreamon.rixotstudio.cz. 120 IN TXT "v=DKIM1; n=\"dreamon\"; h=rsa-sha256; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr/UtumdfuHcGPMUmV/ilYtHZ8yoG4n6G29krAH4/6abcpthr0JMMJhb7yImfRa4yupZPOI6sggMPZNy2vBf89VkLJpf+PT9kZ9Dtbwi0xcRkwO3x5emhZ+DQsEvbZPkakP5qrGIORjWTpPQuit3QN716gwtV+TCnMWT3vF+A+Wz1qiC2DsINg2b45XZYclIIngmhR3YVq17Oai rb8fH24F/plNUQICr7VzI4RQNG8qJhCmcnLt8x1kThoNxX1c1FufUPacTNTUlu2sflUDKUEF+MUq/ng3NaXzyySkpEkeU3j9d3CG+BEfJitBFwEgdJoy7LvpHmjKZDb7ImIG4w8wPlBDorlVwi2Wtj6RsqS7NV7vm4FZ1vkbgA8/xmRbpV6kaz9tG1emKwnu+/8BMNUhzMDxrAta1aYgqR3w1EGId7OWuh7WW57uFOTnlnbzWSb+yo8Paf 8MbpUpYOYLWx8xsbgCqIGYrO8OuaLEqBEDHG7i1FoXUX5wmKM4ouuSsDxA9blce1pO2i7M6MnuO90X/404hptWt6EvTapilXcZb89ktbLvisxS+EcaINJTA0yZNVdfnp38b6uClbYNeCa3jx2C9t70FMwTWdmV1yiBB1bz265vo09dERefLPCHNauG5JQoRbUgDRQeCD1EiQebBdg71XmTRgeZH4CRIyg00CAwEAAQ=="
+_adsp._domainkey.dreamon.rixotstudio.cz. 3600 IN TXT "dkim=all"
+_dmarc.dreamon.rixotstudio.cz. 3600 IN TXT "v=DMARC1,p=quarantine,sp=quarantine,pct=100,rua=mailto:dmarc-report@rixotstudio.cz!20m,ruf=mailto:authfail@rixotstudio.cz!20m,adkim=r,aspf=r,fo=1,rf=afrf"
+dreamon.rixotstudio.cz. 3600 IN TXT "v=spf1 a:dreamon.rixotstudio.cz ip4:78.102.113.209 -all"
+;; LEONID
+leonid.rixotstudio.cz. IN A 94.113.123.218
+mail.leonid.rixotstudio.cz. 3600 IN MX 10 leonid.rixotstudio.cz.
+smtp.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
+smtps.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
+imap.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
+imaps.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
+pop3.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
+pop3s.leonid.rixotstudio.cz. IN CNAME leonid.rixotstudio.cz.
+;; ROGISEK
+rogisek IN A 94.113.123.218
+mail.rogisek.rixotstudio.cz. 3600 IN MX 10 rogisek.rixotstudio.cz.
+smtp.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
+smtps.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
+imap.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
+imaps.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
+pop3.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
+pop3s.rogisek.rixotstudio.cz. IN CNAME rogisek.rixotstudio.cz.
+
+;; Security challenge
+_acme-challenge.dreamon.rixotstudio.cz. IN TXT "EjzaayF_SqOHaWLhgzYiNKXkCoWaxGz75VgIw8BeFlU"
+_acme-challenge.imap.dreamon.rixotstudio.cz. IN TXT "tJfxA2ebY8Lt93-danryaPrI7JZynaqvHbFLOCGLVzI"
+_acme-challenge.imap.rixotstudio.cz. IN TXT "NhFFlS-CYCXKGFOqmr69ypqRts4rgLUf5qVW4VPEl0E"
+_acme-challenge.imaps.dreamon.rixotstudio.cz. IN TXT "H4JBnbAuk-pIfNsOy43W56r90Pb6mq_636HjhfVP1_g"
diff --git a/imgconf/net-dns/bind/etc/bind/named.conf b/imgconf/net-dns/bind/etc/bind/named.conf
new file mode 100644
index 0000000..4efd590
--- /dev/null
+++ b/imgconf/net-dns/bind/etc/bind/named.conf
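Review bot: The `_dmarc.dreamon.rixotstudio.cz.` TXT separates its tags with commas (`v=DMARC1,p=quarantine,...`), but DMARC tags are `;`-separated, so receivers will fail to parse the record and apply no policy at all; it should read `"v=DMARC1; p=quarantine; sp=quarantine; pct=100; rua=mailto:dmarc-report@rixotstudio.cz!20m; ruf=mailto:authfail@rixotstudio.cz!20m; adkim=r; aspf=r; fo=1; rf=afrf"`. The line `rixotstudio.cz IN CNAME dreamon.rixotstudio.cz` has no trailing dot on either name, so under `$ORIGIN rixotstudio.cz.` it defines `rixotstudio.cz.rixotstudio.cz.` rather than the apex, and even with the dots a CNAME cannot sit at the apex beside the SOA/NS records (named-checkzone rejects CNAME with other data), so the apex most likely wants `@ IN A 78.102.113.209` instead. The same missing trailing dot on the six `*.dreamon.rixotstudio.cz` CNAME owners turns them into `smtp.dreamon.rixotstudio.cz.rixotstudio.cz.` and so on, unlike the correctly terminated leonid and rogisek entries. `_adsp._domainkey` publishes `dkim=all` while the only DKIM selector record (`2020._domainkey`) is commented out, so the zone asserts that all mail is signed without publishing a key to verify it against.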
@@ -0,0 +1,73 @@
+options {
+ // Krey: Set directory for bind
+ directory "/bedrock/strata/exherbo/var/bind";
+
+ // Krey: Sets Random Device
+ random-device "/dev/random";
+
+ // uncomment the following lines to turn on DNS forwarding,
+ // and change the forwarding ip address(es) :
+ //forward first;
+ //forwarders {
+ // 123.123.123.123;
+ // 123.123.123.123;
+ //};
+
+ listen-on-v6 { none; };
+ listen-on { 127.0.0.1; };
+
+ // to allow only specific hosts to use the DNS server:
+ //allow-query {
+ // 127.0.0.1;
+ //};
+
+ // if you have problems and are behind a firewall:
+ //query-source address * port 53;
+ pid-file "/bedrock/strata/exherbo/run/named/named.pid";
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+zone "rixotstudio.cz" {
+ type master;
+ file "/bedrock/strata/exherbo/etc/bind/master/rixotstudio.cz";
+ allow-transfer {
+ // Current Server IP
+ 78.102.113.209;
+ // Secondary DNS IP - nic.cz (wedos.cz)
+ 46.28.104.66;
+ };
+ allow-update { 78.102.113.209; };
+ key-directory "/bedrock/strata/exherbo/var/cache/bind/keys/rixotstudio.cz";
+ inline-signing yes;
+ auto-dnssec maintain;
+ serial-update-method unixtime;
+};
+
+zone "COM" { type delegation-only; };
+zone "NET" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.cache";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ allow-update { none; };
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ allow-update { none; };
+ notify no;
+};
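Review bot: `allow-update { 78.102.113.209; };` in the `rixotstudio.cz` zone authorizes dynamic updates to a DNSSEC-signed zone by source address alone, and a single-packet UDP UPDATE with a forged source is enough to pass that check; the usual form is a TSIG key, e.g. `key "update-key" { algorithm hmac-sha256; secret "<base64-secret-placeholder>"; };` with `allow-update { key "update-key"; };`, or an `update-policy` limited to the `_acme-challenge` names if that is all the updater touches. `listen-on { 127.0.0.1; };` together with `listen-on-v6 { none; };` leaves this authoritative master reachable only on loopback, so the `allow-transfer` entries for 78.102.113.209 and 46.28.104.66 can never be exercised unless another listener is configured outside this file — if the secondaries are expected to AXFR from this host, the listener and the ACL disagree. The `options` block leaves `recursion` at BIND's default of yes; once the listener is opened to the outside, `recursion no;` should accompany it so the host does not become an open resolver. `auto-dnssec maintain` and the `zone "COM"`/`"NET"` delegation-only stanzas are deprecated in recent BIND releases, though the deployed version is not visible here.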
diff --git a/imgconf/net-dns/bind/etc/bind/named.conf.complex_sample b/imgconf/net-dns/bind/etc/bind/named.conf.complex_sample new file mode 100644 index 0000000..928dd9e --- /dev/null +++ b/imgconf/net-dns/bind/etc/bind/named.conf.complex_sample 
@@ -0,0 +1,617 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * This is a worthless, nonrunnable example of a named.conf file that has + * every conceivable syntax element in use. We use it to test the parser. + * It could also be used as a conceptual template for users of new features. + */ + +/* + * C-style comments are OK + */ + +// So are C++-style comments + +# So are shell-style comments + +// watch out for ";" -- it's important! + +options { + additional-from-auth true; + additional-from-cache false; + + version "my version string"; + random-device "/dev/random"; + directory "/tmp"; + + port 666; + + sig-validity-interval 33; + +# Obsolete + named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER + + dump-file "named_dump.db"; // _PATH_DUMPFILE + pid-file "/var/run/named.pid"; // _PATH_PIDFILE + statistics-file "named.stats"; // _PATH_STATS + memstatistics-file "named.memstats"; // _PATH_MEMSTATS + + max-cache-ttl 999; + min-cache-ttl 66; + auth-nxdomain yes; // always set AA on NXDOMAIN. + // don't set this to 'no' unless + // you know what you're doing -- older + // servers won't like it. + +# Obsolete + deallocate-on-exit no; + + dialup yes; + +# Obsolete + fake-iquery no; + + fetch-glue yes; + has-old-clients yes; + host-statistics no; + +# Obsolete + multiple-cnames no; // if yes, then a name my have more + // than one CNAME RR. This use + // is non-standard and is not + // recommended, but it is available + // because previous releases supported + // it and it was used by large sites + // for load balancing. + + notify yes; // send NOTIFY messages. 
You can set + // notify on a zone-by-zone + // basis in the "zone" statement + // see (below) + recursion yes; + rfc2308-type1 no; + +# Obsolete + use-id-pool yes; + +# Obsolete + treat-cr-as-space yes; + + also-notify { 10.0.2.3; }; + + // The "forward" option is only meaningful if you've defined + // forwarders. "first" gives the normal BIND + // forwarding behavior, i.e. ask the forwarders first, and if that + // doesn't work then do the full lookup. You can also say + // "forward only;" which is what used to be specified with + // "slave" or "options forward-only". "only" will never attempt + // a full lookup; only the forwarders will be used. + forward first; + forwarders { + 1.2.3.4; + 5.6.7.8; + }; + + check-names master fail; + check-names slave warn; + check-names response ignore; + + allow-query { any; }; + allow-transfer { any; }; + allow-recursion { !any; }; + blackhole { 45/24; }; + keep-response-order { 46/24; }; + + listen-on { + 10/24; + 10.0.0.3; + }; + + listen-on port 53 { any; }; + + listen-on { 5.6.7.8; }; + + listen-on port 1234 { + !1.2.3.4; + 1.2.3/24; + }; + + listen-on-v6 { + 1:1:1:1:1:1:1:1; + }; + + listen-on-v6 port 777 { + 2:2:2:2:2:2:2:2; + }; + + query-source-v6 address 8:7:6:5:4:3:2:1 port *; + query-source port * address 10.0.0.54 ; + + lame-ttl 444; + + max-transfer-time-in 300; + max-transfer-time-out 10; + max-transfer-idle-in 100; + max-transfer-idle-out 11; + + max-retry-time 1234; + min-retry-time 1111; + max-refresh-time 888; + min-refresh-time 777; + + max-ncache-ttl 333; + min-ncache-ttl 22; + min-roots 15; + serial-queries 34; + + transfer-format one-answer; + + transfers-in 10; + transfers-per-ns 2; + transfers-out 0; + + transfer-source 10.0.0.5; + transfer-source-v6 4:3:2:1:5:6:7:8; + + request-ixfr yes; + provide-ixfr yes; + +# Now called 'provide-ixfr' +# maintain-ixfr-base no; // If yes, keep transaction log file for IXFR + + max-ixfr-log-size 20m; + coresize 100; + datasize 101; + files 230; + max-cache-size 1m; + 
stacksize 231; + heartbeat-interval 1001; + interface-interval 1002; + statistics-interval 1003; + + topology { + 10/8; + + !1.2.3/24; + + { 1.2/16; 3/8; }; + + + }; + + sortlist { 10/8; 11/8; }; + + tkey-domain "foo.com"; + tkey-dhkey "xyz" 666 ; + + rrset-order { + class IN type A name "foo" order random; + order cyclic; + }; +}; + +/* + * Control listeners, for "ndc". Every nameserver needs at least one. + */ +controls { + // 'inet' lines without a 'port' defaults to 'port 953' + // 'keys' must be used and the list must have at least one entry + inet * port 52 allow { any; } keys { "key2"; }; + unix "/var/run/ndc" perm 0600 owner 0 group 0; // ignored by named. + inet 10.0.0.1 allow { any; key foo; } keys { "key4";}; + inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; }; + inet 10.0.0.2 allow { none; }; +}; + +zone "master.demo.zone" { + type master; // what used to be called "primary" + database "somedb -option1 -option2 arg1 arg2 arg3"; + file "master.demo.zone"; + check-names fail; + allow-update { none; }; + allow-update-forwarding { 10.0.0.5; !any; }; + allow-transfer { any; }; + allow-query { any; }; + sig-validity-interval 990; + notify explicit; + also-notify { 1.0.0.1; }; // don't notify any nameservers other + // than those on the NS list for this + // zone + forward first; + forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; }; +}; + +zone "slave.demo.zone" { + type slave; // what used to be called "secondary" + file "slave.demo.zone"; + ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file + masters { + 1.2.3.4 port 10 key "foo"; // where to zone transfer from + 5.6.7.8; + 6.7.8.9 key "zippo"; + }; + transfer-source 10.0.0.53; // fixes multihoming problems + check-names warn; + allow-update { none; }; + allow-transfer { any; }; + allow-update-forwarding { any; }; + allow-query { any; }; + max-transfer-time-in 120; // if not set, global option is used. + max-transfer-time-out 1; // if not set, global option is used. 
+ max-transfer-idle-in 2; // if not set, global option is used. + max-transfer-idle-out 3; // if not set, global option is used. + also-notify { 1.0.0.2; }; + forward only; + forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; }; +}; + +key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; }; + +view "test-view" in { + key "viewkey" { algorithm "xxx" ; secret "eXl5" ; }; + also-notify { 10.2.2.3; }; + managed-keys { + foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz"; + }; + sig-validity-interval 45; + max-cache-size 100000; + allow-query { 10.0.0.30;}; + additional-from-cache false; + additional-from-auth no; + match-clients { 10.0.0.1 ; }; + check-names master warn; + check-names slave ignore; + check-names response fail; + auth-nxdomain false; + recursion true; + provide-ixfr false; + request-ixfr true; + fetch-glue true; + notify false; + rfc2308-type1 false; + transfer-source 10.0.0.55; + transfer-source-v6 4:3:8:1:5:6:7:8; + query-source port * address 10.0.0.54 ; + query-source-v6 address 6:6:6:6:6:6:6:6 port *; + max-transfer-time-out 45; + max-transfer-idle-out 55; + min-roots 3; + lame-ttl 477; + max-ncache-ttl 333; + max-cache-ttl 777; + transfer-format many-answers; + max-retry-time 7; + min-retry-time 4; + max-refresh-time 999; + min-refresh-time 111; + + zone "view-zone.com" { + type master; + allow-update-forwarding { 10.0.0.34;}; + file "view-zone-master"; + }; + + server 5.6.7.8 { + keys "viewkey"; + }; + + server 10.9.8.7 { + keys "non-viewkey"; + }; + dialup yes; +}; + + +zone "stub.demo.zone" { + type stub; // stub zones are like slave zones, + // except that only the NS records + // are transferred. 
+ dialup yes; + file "stub.demo.zone"; + masters { + 1.2.3.4 ; // where to zone transfer from + 5.6.7.8 port 999; + }; + check-names warn; + allow-update { none; }; + allow-transfer { any; }; + allow-query { any; }; + + max-retry-time 10; + min-retry-time 11; + max-refresh-time 12; + min-refresh-time 13; + + max-transfer-time-in 120; // if not set, global option is used. + pubkey 257 255 1 "a useless key"; + pubkey 257 255 1 "another useless key"; +}; + +zone "." { + type hint; // used to be specified w/ "cache" + file "cache.db"; +// pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; +}; + +managed-keys { + "." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; +}; + + +acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0 + // is disallowed; rest are OK +acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed + // by can_query are OK + +zone "disabled-zone.com" { + type master; + file "bar"; + + max-retry-time 100; + min-retry-time 110; + max-refresh-time 120; + min-refresh-time 130; +}; + +zone "non-default-acl.demo.zone" { + type master; + file "foo"; + allow-query { can_query; }; + allow-transfer { can_axfr; }; + allow-update { + 1.2.3.4; + 5.6.7.8; + }; + pubkey 666 665 664 "key of the beast"; + // Errors trapped by parser: + // identity or name not absolute + // 'wildcard' match type and no wildcard character in name + // + // issues: + // - certain rdatatype values (such as "key") are config file keywords and + // must be quoted or a syntax error will occur. + // + + update-policy { + grant root.domain. subdomain host.domain. A MX CNAME; + grant sub.root.domain. wildcard *.host.domain. A; + grant root.domain. name host.domain. 
a ns md mf cname soa mb mg + mr "null" wks ptr hinfo minfo mx txt rp afsdb x25 + isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx + cert a6 dname opt unspec uri tkey tsig ; + grant foo.bar.com. self foo.bar.com. a; + }; +}; + +key sample_key { // for TSIG; supported by parser + algorithm hmac-md5; // but not yet implemented in the + secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server +}; + +key key2 { + algorithm hmac-md5; + secret "ZXJlaCB0ZXJjZXMgcm91eQ=="; +}; + +acl key_acl { key sample_key; }; // a request signed with sample_key + +server 1.2.3.4 { + request-ixfr no; + provide-ixfr no; + bogus no; // if yes, we won't query or listen + // to this server + transfer-format one-answer; // set transfer format for this + // server (see the description of + // 'transfer-format' above) + // if not specified, the global option + // will be used + transfers 0; // not implemented + keys { "sample_key" }; // for TSIG; supported by the parser + // but not yet implemented in the + // rest of the server +# Now called 'request-ixfr' +# support-ixfr yes; // for IXFR supported by server + // if yes, the listed server talks IXFR +}; + +logging { + /* + * All log output goes to one or more "channels"; you can make as + * many of them as you want. + */ + + channel syslog_errors { // this channel will send errors or + syslog user; // or worse to syslog (user facility) + severity error; + }; + + channel stderr_errors { + stderr; + }; + + /* + * Channels have a severity level. Messages at severity levels + * greater than or equal to the channel's level will be logged on + * the channel. In order of decreasing severity, the levels are: + * + * critical a fatal error + * error + * warning + * notice a normal, but significant event + * info an informational message + * debug 1 the least detailed debugging info + * ... 
+ * debug 99 the most detailed debugging info + */ + + /* + * Here are the built-in channels: + * + * channel default_syslog { + * syslog daemon; + * severity info; + * }; + * + * channel default_debug { + * file "named.run"; // note: stderr is used instead + * // of "named.run" if the server + * // is started with the "-f" + * // option. + * severity dynamic; // this means log debugging + * // at whatever debugging level + * // the server is at, and don't + * // log anything if not + * // debugging. + * }; + * + * channel null { // this is the bit bucket; + * file "/dev/null"; // any logging to this channel + * // is discarded. + * }; + * + * channel default_stderr { // writes to stderr + * file ""; // this is illustrative only; + * // there's currently no way + * // of saying "stderr" in the + * // configuration language. + * // i.e. don't try this at home. + * severity info; + * }; + * + * default_stderr only works before the server daemonizes (i.e. + * during initial startup) or when it is running in foreground + * mode (-f command line option). + */ + + /* + * There are many categories, so you can send the logs + * you want to see wherever you want, without seeing logs you + * don't want. Right now the categories are + * + * default the catch-all. many things still + * aren't classified into categories, and + * they all end up here. also, if you + * don't specify any channels for a + * category, the default category is used + * instead. + * config high-level configuration file + * processing + * parser low-level configuration file processing + * queries what used to be called "query logging" + * lame-servers messages like "Lame server on ..." 
+ * statistics + * panic if the server has to shut itself + * down due to an internal problem, it + * logs the problem here (as well as + * in the problem's native category) + * update dynamic update + * ncache negative caching + * xfer-in zone transfers we're receiving + * xfer-out zone transfers we're sending + * db all database operations + * eventlib debugging info from the event system + * (see below) + * packet dumps of packets received and sent + * (see below) + * notify the NOTIFY protocol + * cname messages like "XX points to a CNAME" + * security approved/unapproved requests + * os operating system problems + * insist consistency check failures + * maintenance periodic maintenance + * load zone loading + * response-checks messages like + * "Malformed response ..." + * "wrong ans. name ..." + * "unrelated additional info ..." + * "invalid RR type ..." + * "bad referral ..." + */ + + category parser { + syslog_errors; // you can log to as many channels + default_syslog; // as you want + }; + + category lame-servers { null; }; // don't log these at all + + channel moderate_debug { + file "foo"; // foo + severity debug 3; // level 3 debugging to file + print-time yes; // timestamp log entries + print-category yes; // print category name + print-severity yes; // print severity level + /* + * Note that debugging must have been turned on either + * on the command line or with a signal to get debugging + * output (non-debugging output will still be written to + * this channel). + */ + }; + + channel another { + file "bar" versions 99 size 10M; + severity info; + }; + + channel third { + file "bar" size 100000 versions unlimited; + severity debug; // use default debug level + }; + + /* + * If you don't want to see "zone XXXX loaded" messages but do + * want to see any problems, you could do the following. 
+ */ + channel no_info_messages { + syslog; + severity notice; + }; + + category load { no_info_messages; }; + + /* + * You can also define category "default"; it gets used when no + * "category" statement has been given for a category. + */ + category default { + default_syslog; + moderate_debug; + }; + + /* + * If you don't define category default yourself, the default + * default category will be used. It is + * + * category default { default_syslog; default_debug; }; + */ + + /* + * If you don't define category panic yourself, the default + * panic category will be used. It is + * + * category panic { default_syslog; default_stderr; }; + */ + + /* + * Two categories, 'packet' and 'eventlib', are special. Only one + * channel may be assigned to each of them, and it must be a + * file channel. If you don't define them yourself, they default to + * + * category eventlib { default_debug; }; + * + * category packet { default_debug; }; + */ +}; + +#include "filename"; // can't do within a statement + diff --git a/imgconf/net-misc/openssh/etc/ssh/ssh_config b/imgconf/net-misc/openssh/etc/ssh/ssh_config new file mode 100644 index 0000000..5b7ea62 --- /dev/null +++ b/imgconf/net-misc/openssh/etc/ssh/ssh_config 
@@ -0,0 +1,46 @@
+# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+# ForwardAgent no
+# ForwardX11 no
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
+ Port 22
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/imgconf/net-misc/openssh/etc/ssh/sshd_config b/imgconf/net-misc/openssh/etc/ssh/sshd_config
new file mode 100644
index 0000000..3e26b21
--- /dev/null
+++ b/imgconf/net-misc/openssh/etc/ssh/sshd_config
@@ -0,0 +1,54 @@
+### SECURITY CHECKLIST
+## - [X] Use standard port 22 for SSH
+Port 22
+
+## - [X] Require pubkey and then password authentication
+AuthenticationMethods publickey,password
+
+## - [ ] Disable root login
+# FIXME-SECURITY(Krey): Brainstorm since we are using it for deployment
+PermitRootLogin yes
+
+## - [X] Require publickey authentification
+PubkeyAuthentication yes
+# SECURITY-WARNING(Krey): Do not use 'ssh-rsa' since that is using md5sum to verify the signature which is insecure!
+PubkeyAcceptedKeyTypes rsa-sha2-512
+# FIXME-SECURITY: There are methods that may require multiple layers of authentification -> Investigate
+# FIXME: Invalid
+#AuthentificationMethods publickey
+# Just to ensure that ssh is usinc publickey at all cost
+# FIXME: Invalid
+#PreferredAuthentications publickey
+
+## - [ ] Do not allow empty passwords
+# FIXME: Invalid
+#PermitEmptyPassowrds no
+
+## - [X] Set Maximum connections attempts
+# FIXME: Investigate fail2ban
+# NOTICE(Krey): We are using publickey so this should be set to 1, if there is required a second attempt for pubkey authentication then there is something wrong going on
+MaxAuthTries 1
+
+## - [X] Set Maximum allowed sessions
+MaxSessions 5
+
+## - [ ] Disconnect the users after 5 minutes
+# FIXME: Help-wanted
+# ConnectTimeout ?
+# ForwardX11Timeout ?
+
+## - [ ] Add various counter-measures for brute-force attacks
+# FIXME: Help-wanted
+
+## - [ ] Disable X11
+# FIXME: Invalid
+#ForwardX11 no
+
+## - [ ] Capture failed login attemps and implement remote logging to capture security issues
+# FIXME: Help-wanted
+
+## - [ ] Check integrity of critical files using checksum
+# FIXME: Needs to be implemented
+
+# Logging
+# FIXME
diff --git a/imgconf/net-misc/tor/torrc b/imgconf/net-misc/tor/torrc
new file mode 100644
index 0000000..46214e2
--- /dev/null
+++ b/imgconf/net-misc/tor/torrc
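Review bot: The comment above `PubkeyAcceptedKeyTypes rsa-sha2-512` says `ssh-rsa` verifies signatures with md5sum; the `ssh-rsa` signature algorithm actually uses SHA-1, which is the reason it is being retired, so the comment should read `# SECURITY-WARNING(Krey): Do not accept 'ssh-rsa' signatures, they use SHA-1; rsa-sha2-* uses SHA-2`, and it is worth stating that this value also rejects every non-RSA key type (ed25519, ecdsa), if that is intended. `MaxAuthTries 1` is counted against each public key the client offers, so in practice a client whose agent holds more than one key is disconnected with "Too many authentication failures" before it reaches the right key, let alone the password stage that `AuthenticationMethods publickey,password` requires; either raise it (`MaxAuthTries 3`) or document that clients must use `IdentitiesOnly` with a single key. The directives marked `# FIXME: Invalid` fail because they are misspelled or are client-side options: the server-side names are `PermitEmptyPasswords no`, `X11Forwarding no` (not `ForwardX11`), and the idle-disconnect item under "Disconnect the users after 5 minutes" is `ClientAliveInterval`/`ClientAliveCountMax` rather than `ConnectTimeout`, which is an ssh_config option.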
@@ -0,0 +1,62 @@
+Nickname Dreamon
+ContactInfo 0x765AED304211C28410D5C478FCBA0482B0AB9F10 Jacob Hrbek
+NumCPUs 8
+SocksPort 9050
+ORPort 9001
+
+# Set up SSH Daemon to run through Tor
+HiddenServiceDir /var/lib/tor/sshd/
+HiddenServicePort 22 127.0.0.1:22
+
+# SMTP
+HiddenServiceDir /var/lib/tor/smtp
+HiddenServicePort 995 127.0.0.1:25
+
+# IMAP
+HiddenServiceDir /var/lib/tor/imap
+HiddenServicePort 143 127.0.0.1:143
+
+# POP3
+HiddenServiceDir /var/lib/tor/pop3
+HiddenServicePort 110 127.0.0.1:110
+
+# Submission
+HiddenServiceDir /var/lib/tor/submission
+HiddenServicePort 587 127.0.0.1:587
+
+# SMTPS
+HiddenServiceDir /var/lib/tor/smtps
+HiddenServicePort 465 127.0.0.1:465
+
+# IMAPS
+HiddenServiceDir /var/lib/tor/imaps
+HiddenServicePort 993 127.0.0.1:993
+
+# POP3S
+HiddenServiceDir /var/lib/tor/pop3s
+HiddenServicePort 995 127.0.0.1:995
+
+# Include configuration for hidden_mx
+# NOTICE(Krey): OnionMX requires more research and is currently disabled
+#%include /etc/tor/torrc.d/hidden_mx
+
+# To provide informations about this relay to public
+# FIXME: Verify that we can use this as an exit node, then uncomment
+#DirPortFrontPage /etc/tor//tor-exit-notice.html
+
+# FIXME: Verify that ISP doesn't log the traffic
+ExitRelay 0
+
+# FIXME(Krey): Value autodetected by tor -> requires logic
+maxMemInQueues 5960 MB
+
+# Setup Bandwidth limiters
+RelayBandwidthRate 125 KB # Throttle traffic to 125KB/s 1000kbps)
+RelayBandwidthBurst 375 KB # But allow bursts up to 375KB/s (3000kbps)
+
+# DNS
+DNSPort 5400
+
+# To provide informations about this relay to public
+# FIXME: Verify that we can use this as an exit node, then uncomment
+#DirPortFrontPage /etc/tor//tor-exit-notice.html
diff --git a/imgconf/sys-apps/openrc/etc/rc.conf b/imgconf/sys-apps/openrc/etc/rc.conf
new file mode 100644
index 0000000..0bad60d
--- /dev/null
+++ b/imgconf/sys-apps/openrc/etc/rc.conf
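Review bot: Under `# SMTP`, `HiddenServicePort 995 127.0.0.1:25` publishes the local SMTP port on virtual port 995, which is the POP3S port and is the same virtual port the `# POP3S` service uses further down; it should read `HiddenServicePort 25 127.0.0.1:25`. Each `HiddenServiceDir`/`HiddenServicePort` pair declares a separate onion service, so the mail ports end up on seven different onion addresses; if clients are meant to reach all mail ports at one address, those `HiddenServicePort` lines belong under a single `HiddenServiceDir`. This configuration also runs a public relay (`ORPort 9001`) in the same tor process as the onion services, which tor itself warns against at startup because relay uptime and traffic can be correlated with the services; a comment acknowledging that trade-off, or a separate tor instance for the relay, would be appropriate. The two `DirPortFrontPage` blocks at the end are duplicates of each other and one can be dropped.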
@@ -0,0 +1,315 @@
+# Global OpenRC configuration settings
+
+# Set to "YES" if you want the rc system to try and start services
+# in parallel for a slight speed improvement. When running in parallel we
+# prefix the service output with its name as the output will get
+# jumbled up.
+# WARNING: whilst we have improved parallel, it can still potentially lock
+# the boot process. Don't file bugs about this unless you can supply
+# patches that fix it without breaking other things!
+rc_parallel="YES"
+
+# Set rc_interactive to "YES" and you'll be able to press the I key during
+# boot so you can choose to start specific services. Set to "NO" to disable
+# this feature. This feature is automatically disabled if rc_parallel is
+# set to YES.
+#rc_interactive="YES"
+
+# If we need to drop to a shell, you can specify it here.
+# If not specified we use $SHELL, otherwise the one specified in /etc/passwd,
+# otherwise /bin/sh
+# Linux users could specify /sbin/sulogin
+#rc_shell=/bin/sh
+
+# Do we allow any started service in the runlevel to satisfy the dependency
+# or do we want all of them regardless of state? For example, if net.eth0
+# and net.eth1 are in the default runlevel then with rc_depend_strict="NO"
+# both will be started, but services that depend on 'net' will work if either
+# one comes up. With rc_depend_strict="YES" we would require them both to
+# come up.
+#rc_depend_strict="YES"
+
+# rc_hotplug controls which services we allow to be hotplugged.
+# A hotplugged service is one started by a dynamic dev manager when a matching
+# hardware device is found.
+# Hotplugged services appear in the "hotplugged" runlevel.
+# If rc_hotplug is set to any value, we compare the name of this service
+# to every pattern in the value, from left to right, and we allow the
+# service to be hotplugged if it matches a pattern, or if it matches no
+# patterns. Patterns can include shell wildcards.
+# To disable services from being hotplugged, prefix patterns with "!".
+#If rc_hotplug is not set or is empty, all hotplugging is disabled.
+# Example - rc_hotplug="net.wlan !net.*"
+# This allows net.wlan and any service not matching net.* to be hotplugged.
+# Example - rc_hotplug="!net.*"
+# This allows services that do not match "net.*" to be hotplugged.
+
+# rc_logger launches a logging daemon to log the entire rc process to
+# /var/log/rc.log
+# NOTE: Linux systems require the devfs service to be started before
+# logging can take place and as such cannot log the sysinit runlevel.
+rc_logger="YES"
+
+# Through rc_log_path you can specify a custom log file.
+# The default value is: /var/log/rc.log
+rc_log_path="/var/log/openrc.log"
+
+# If you want verbose output for OpenRC, set this to yes. If you want
+# verbose output for service foo only, set it to yes in /etc/conf.d/foo.
+#rc_verbose=no
+
+# By default we filter the environment for our running scripts. To allow other
+# variables through, add them here. Use a * to allow all variables through.
+#rc_env_allow="VAR1 VAR2"
+
+# By default we assume that all daemons will start correctly.
+# However, some do not - a classic example is that they fork and return 0 AND
+# then child barfs on a configuration error. Or the daemon has a bug and the
+# child crashes. You can set the number of milliseconds start-stop-daemon
+# waits to check that the daemon is still running after starting here.
+# The default is 0 - no checking.
+#rc_start_wait=100
+
+# rc_nostop is a list of services which will not stop when changing runlevels.
+# This still allows the service itself to be stopped when called directly.
+#rc_nostop=""
+
+# rc will attempt to start crashed services by default.
+# However, it will not stop them by default as that could bring down other
+# critical services.
+#rc_crashed_stop=NO
+#rc_crashed_start=YES
+
+# Set rc_nocolor to yes if you do not want colors displayed in OpenRC
+# output.
+#rc_nocolor=NO
+
+##############################################################################
+# MISC CONFIGURATION VARIABLES
+# There variables are shared between many init scripts
+
+# Set unicode to YES to turn on unicode support for keyboards and screens.
+# SECURITY-NOTICE(Krey): No need for unicode support and to avoid unexpected behavior
+#unicode="NO"
+
+# This is how long fuser should wait for a remote server to respond. The
+# default is 60 seconds, but it can be adjusted here.
+#rc_fuser_timeout=60
+
+# Below is the default list of network fstypes.
+#
+# afs ceph cifs coda davfs fuse fuse.sshfs gfs glusterfs lustre ncpfs
+# nfs nfs4 ocfs2 shfs smbfs
+#
+# If you would like to add to this list, you can do so by adding your
+# own fstypes to the following variable.
+#extra_net_fs_list=""
+
+##############################################################################
+# SERVICE CONFIGURATION VARIABLES
+# These variables are documented here, but should be configured in
+# /etc/conf.d/foo for service foo and NOT enabled here unless you
+# really want them to work on a global basis.
+# If your service has characters in its name which are not legal in
+# shell variable names and you configure the variables for it in this
+# file, those characters should be replaced with underscores in the
+# variable names as shown below.
+
+# Some daemons are started and stopped via start-stop-daemon.
+# We can set some things on a per service basis, like the nicelevel.
+#SSD_NICELEVEL="-19"
+# Or the ionice level. The format is class[:data] , just like the
+# --ionice start-stop-daemon parameter.
+#SSD_IONICELEVEL="2:2"
+
+# Pass ulimit parameters
+# If you are using bash in POSIX mode for your shell, note that the
+# ulimit command uses a block size of 512 bytes for the -c and -f
+# options
+#rc_ulimit="-u 30"
+
+# It's possible to define extra dependencies for services like so
+#rc_config="/etc/foo"
+#rc_need="openvpn"
+#rc_use="net.eth0"
+#rc_after="clock"
+#rc_before="local"
+#rc_provide="!net"
+
+# You can also enable the above commands here for each service. Below is an
+# example for service foo.
+#rc_foo_config="/etc/foo"
+#rc_foo_need="openvpn"
+#rc_foo_after="clock"
+
+# Below is an example for service foo-bar. Note that the '-' is illegal
+# in a shell variable name, so we convert it to an underscore.
+# example for service foo-bar.
+#rc_foo_bar_config="/etc/foo-bar"
+#rc_foo_bar_need="openvpn"
+#rc_foo_bar_after="clock"
+
+# You can also remove dependencies.
+# This is mainly used for saying which services do NOT provide net.
+#rc_net_tap0_provide="!net"
+
+# This is the subsystem type.
+# It is used to match against keywords set by the keyword call in the
+# depend function of service scripts.
+#
+# It should be set to the value representing the environment this file is
+# PRESENTLY in, not the virtualization the environment is capable of.
+# If it is commented out, automatic detection will be used.
+#
+# The list below shows all possible settings as well as the host
+# operating systems where they can be used and autodetected.
+#
+# "" - nothing special
+# "docker" - Docker container manager (Linux)
+# "jail" - Jail (DragonflyBSD or FreeBSD)
+# "lxc" - Linux Containers
+# "openvz" - Linux OpenVZ
+# "prefix" - Prefix
+# "rkt" - CoreOS container management system (Linux)
+# "subhurd" - Hurd subhurds (to be checked)
+# "systemd-nspawn" - Container created by systemd-nspawn (Linux)
+# "uml" - Usermode Linux
+# "vserver" - Linux vserver
+# "xen0" - Xen0 Domain (Linux and NetBSD)
+# "xenU" - XenU Domain (Linux and NetBSD)
+#rc_sys=""
+
+# if you use openrc-init, which is currently only available on Linux,
+# this is the default runlevel to activate after "sysinit" and "boot"
+# when booting.
+#rc_default_runlevel="default"
+
+# on Linux and Hurd, this is the number of ttys allocated for logins
+# It is used in the consolefont, keymaps, numlock and termencoding
+# service scripts.
+rc_tty_number=12
+
+##############################################################################
+# LINUX CGROUPS RESOURCE MANAGEMENT
+
+# This sets the mode used to mount cgroups.
+# "hybrid" mounts cgroups version 2 on /sys/fs/cgroup/unified and
+# cgroups version 1 on /sys/fs/cgroup.
+# "legacy" mounts cgroups version 1 on /sys/fs/cgroup
+# "unified" mounts cgroups version 2 on /sys/fs/cgroup
+#rc_cgroup_mode="hybrid"
+
+# This is a list of controllers which should be enabled for cgroups version 2.
+# If hybrid mode is being used, controllers listed here will not be
+# available for cgroups version 1.
+# This is a global setting.
+#rc_cgroup_controllers=""
+
+# This variable contains the cgroups version 2 settings for your services.
+# If this is set in this file, the settings will apply to all services.
+# If you want different settings for each service, place the settings in
+# /etc/conf.d/foo for service foo.
+# The format is to specify the setting and value followed by a newline.
+# Multiple settings and values can be specified.
+# For example, you would use this to set the maximum memory and maximum
+# number of pids for a service.
+#rc_cgroup_settings="
+#memory.max 10485760
+#pids.max max
+#"
+#
+# For more information about the adjustments that can be made with
+# cgroups version 2, see Documentation/cgroups-v2.txt in the linux kernel
+# source tree.
+#rc_cgroup_settings=""
+
+# This switch controls whether or not cgroups version 1 controllers are
+# individually mounted under
+# /sys/fs/cgroup in hybrid or legacy mode.
+#rc_controller_cgroups="YES"
+
+# The following setting turns on the memory.use_hierarchy setting in the
+# root memory cgroup for cgroups v1.
+# It must be set to yes in this file if you want this functionality.
+#rc_cgroup_memory_use_hierarchy="NO"
+
+# The following settings allow you to set up values for the cgroups version 1
+# controllers for your services.
+# They can be set in this file;, however, if you do this, the settings
+# will apply to all of your services.
+# If you want different settings for each service, place the settings in
+# /etc/conf.d/foo for service foo.
+# The format is to specify the names of the settings followed by their
+# values. Each variable can hold multiple settings.
+# For example, you would use this to set the cpu.shares setting in the
+# cpu controller to 512 for your service.
+# rc_cgroup_cpu="
+# cpu.shares 512
+# "
+#
+# For more information about the adjustments that can be made with
+# cgroups version 1, see Documentation/cgroups-v1/* in the linux kernel
+# source tree.
+
+# Set the blkio controller settings for this service.
+#rc_cgroup_blkio=""
+
+# Set the cpu controller settings for this service.
+#rc_cgroup_cpu=""
+
+# Add this service to the cpuacct controller (any value means yes).
+#rc_cgroup_cpuacct=""
+
+# Set the cpuset controller settings for this service.
+#rc_cgroup_cpuset=""
+
+# Set the devices controller settings for this service.
+#rc_cgroup_devices=""
+
+# Set the hugetlb controller settings for this service.
+#rc_cgroup_hugetlb=""
+
+# Set the memory controller settings for this service.
+#rc_cgroup_memory=""
+
+# Set the net_cls controller settings for this service.
+#rc_cgroup_net_cls=""
+
+# Set the net_prio controller settings for this service.
+#rc_cgroup_net_prio=""
+
+# Set the pids controller settings for this service.
+#rc_cgroup_pids=""
+
+# Set this to YES if you want all of the processes in a service's cgroup
+# killed when the service is stopped or restarted.
+# Be aware that setting this to yes means all of a service's
+# child processes will be killed. Keep this in mind if you set this to
+# yes here instead of for the individual services in
+# /etc/conf.d/.
+# To perform this cleanup manually for a stopped service, you can
+# execute cgroup_cleanup with /etc/init.d/ cgroup_cleanup or
+# rc-service cgroup_cleanup.
+# The process followed in this cleanup is the following:
+# 1. send stopsig (sigterm if it isn't set) to all processes left in the
+# cgroup immediately followed by sigcont.
+# 2. Send sighup to all processes in the cgroup if rc_send_sighup is
+# yes.
+# 3. delay for rc_timeout_stopsec seconds.
+# 4. send sigkill to all processes in the cgroup unless disabled by
+# setting rc_send_sigkill to no.
+# rc_cgroup_cleanup="NO"
+
+# If this is yes, we will send sighup to the processes in the cgroup
+# immediately after stopsig and sigcont.
+#rc_send_sighup="NO"
+
+# This is the amount of time in seconds that we delay after sending sigcont
+# and optionally sighup, before we optionally send sigkill to all
+# processes in the # cgroup.
+# The default is 90 seconds.
+#rc_timeout_stopsec="90"
+
+# If this is set to no, we do not send sigkill to all processes in the
+# cgroup.
+#rc_send_sigkill="YES"
diff --git a/libs/shell/imgconf.bash b/libs/shell/imgconf.bash
new file mode 100644
index 0000000..4cda390
--- /dev/null
+++ b/libs/shell/imgconf.bash
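Review bot: The `SECURITY-NOTICE(Krey)` comment states that unicode support is not needed, but the line under it remains `#unicode="NO"`, so the notice documents a setting that is never applied; either uncomment `unicode="NO"` or drop the notice so the file does not claim a hardening it does not perform. The other local deviations from the stock template that I can see are `rc_parallel="YES"`, `rc_logger="YES"`, `rc_log_path="/var/log/openrc.log"` and `rc_tty_number=12`; since the upstream comment directly above `rc_parallel` warns it can still lock the boot process, a one-line local comment recording why it was enabled here would help the next reader distinguish deliberate choices from template text.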
@@ -0,0 +1,56 @@
+#!/bin/sh
+# shellcheck shell=sh # Written to be POSIX compatible
+
+###! Non-standard function used to handle configuration files of compiled target in IMAGE dir prior to merge in the userland
+###! SYNOPSIS: function-name [CATEGORY/[PN|PNV|PNVR]...
+###! License: Created by Jacob Hrbek identified by GPG identifier assigned to the electronic mail based on keyserver under GPLv3 license in 11/10/2020-EU 09:51:21 CEST
+###! Bugs-to: https://gitea.com/kreyren/kreyren
+imgconf() {
+case "$PALUDIS_DEBUG" in *"func"*) ${SET:-set} -x; esac
+
+# Krey: Define input
+package="$1"
+
+# Krey: Provide name of the hook to be used in the logic
+hookName="imgconf"
+
+${EDEBUG:-edebug} func "Starting hook '$hookName'"
+
+# Krey: Process variables
+[ -n "$PALUDIS_DIR" ] || PALUDIS_DIR="/etc/paludis/"
+${EDEBUG:-edebug} var "Variable 'PALUDIS_DIR' assigned value '$PALUDIS_DIR'"
+
+[ -n "$PALUDIS_PACKAGE_CONFIG_DIR" ] || PALUDIS_PACKAGE_CONFIG_DIR="${PALUDIS_DIR:-/etc/paludis}/$hookName"
+PPCD="$PALUDIS_PACKAGE_CONFIG_DIR"
+${EDEBUG:-edebug} var "Variable 'PALUDIS_PACKAGE_CONFIG_DIR' assigned value '$PALUDIS_PACKAGE_CONFIG_DIR'"
+${EDEBUG:-edebug} var "Variable 'PPCD' assigned value '$PPCD'"
+
+[ -n "$PALUDIS_PACKAGE_CONFIG_FILE" ] || PALUDIS_PACKAGE_CONFIG_FILE="${PALUDIS_DIR:-/etc/paludis}/$hookName"
+PPCF="$PALUDIS_PACKAGE_CONFIG_FILE"
+${EDEBUG:-edebug} var "Variable 'PALUDIS_PACKAGE_CONFIG_FILE' assigned value '$PALUDIS_PACKAGE_CONFIG_FILE'"
+${EDEBUG:-edebug} var "Variable 'PPCF' assigned value '$PPCF'"
+
+# Krey: Process input
+case "$package" in
+"$CATEGORY/$PN" | "$CATEGORY/$PNV" | "$CATEGORY/$PNVR")
+if [ -d "$PPCD/$package" ]; then
+for pathname in "$PPCD"/"$package"/*; do
+${CP:-cp} -r "$pathname" "$IMAGE" || ${DIE:-die} hookfail "Hook '$hookName' is unable to copy '$pathname' to '$IMAGE'"
+${DIE:-einfo} hooksuccess "Hook '$hookName' finished processing '$package'"
+return 0 # paludis-compat
+done
+elif [ ! -d "$PPCD/$package" ]; then
+${DIE:-einfo} hooksuccess "Hook '$hookName' did not find any configuration files in '$PPCD/$package', skipping.."
+${UNSET:-unset} hookName
+${RETURNL:-return} 0
+else
+${DIE:-die} bug "processing '$PPCD/$CATEGORY/$PN'"
+fi
+;;
+*) ${DIE:-die} syntaxerr "Hook '$hookName' was provided with invalid input: $*"
+esac
+
+case "$PALUDIS_DEBUG" in *"func"*) ${SET:-set} +x; esac
+
+${UNSET:-unset} hookName
+}
diff --git a/licences.conf b/licences.conf
new file mode 100644
index 0000000..0920d59
--- /dev/null
+++ b/licences.conf
@@ -0,0 +1,57 @@
+# Mask all licences
+*/* -*
+
+## FSF
+# GPL-3
+*/* GPL-3 LGPL-3
+
+# LGPL-2.1
+*/* LGPL-2.1
+
+# GPL-2
+*/* GPL-2 LGPL-2
+
+## BSD
+
+*/* BSD-2 BSD-3
+
+## MIT
+
+*/* MIT
+
+## Mozilla
+
+# MPL-2.0
+*/* MPL-2.0
+
+# Others
+*/* public-domain
+
+# Needs to be checked
+app-arch/bzip2:0::arbor[>=1.0.8] bzip2-withdocs
+app-arch/xz:0::arbor[>=5.2.5] public-domain
+sys-apps/util-linux:0::arbor[>=2.36] ISC
+sys-libs/ncurses:0::arbor[>=6.1-r3] as-is
+sys-libs/timezone-data:0::arbor[=2020a] public-domain
+sys-libs/zlib:0::arbor[>=1.2.11-r1] ZLIB
+dev-lang/python::arbor[=3.8.6] PSF-2.2
+sys-apps/eudev-scm::arbor FDL-1.3
+sys-devel/automake::arbor FDL-1.3
+app-text/tidy::arbor ZLIB
+dev-lang/python::arbor PSF-2.2
+dev-libs/openssl::arbor openssl
+sys-apps/debianutils::arbor SMAIL
+sys-devel/autoconf::arbor FDL-1.3
+dev-perl/Unicode-EastAsianWidth::arbor CC0
+sys-apps/man-pages::arbor man-pages
+app-crypt/rhash::arbor BSD-0
+dev-libs/libuv::arbor ISC
+app-text/docbook-xml-dtd::arbor X11
+sys-devel/ninja::arbor Apache-2.0
+sys-devel/meson::arbor Apache-2.0
+dev-libs/icu::arbor icu
+app-arch/unzip::arbor Info-ZIP
+
+
+# Hotfix
+sys-apps/systemd:0::arbor[=scm] public-domain
diff --git a/options.bash b/options.bash
new file mode 100644
index 0000000..65fbc56
--- /dev/null
+++ b/options.bash
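Review bot: Inside `for pathname in "$PPCD"/"$package"/*; do` the success message and `return 0 # paludis-compat` run right after the first `cp`, so only the first entry of the package's configuration directory is ever copied into `$IMAGE`; move `${EINFO:-einfo} hooksuccess "Hook '$hookName' finished processing '$package'"` and `return 0` to just after `done`. Both success messages are dispatched through `${DIE:-einfo}`, so whenever `DIE` is set to the `die` helper that the error paths default to, the success paths abort the hook instead of reporting; they need their own override, `${EINFO:-einfo}`. `cp -r` without `-p` does not preserve ownership and leaves the mode subject to the umask, which matters when the staged tree holds key material or other permission-sensitive configuration, the `*` glob skips dot-files, and an empty directory passes the `-d` test and then fails on the literal `*` pathname; `${CP:-cp} -Rp` plus an existence test on `$pathname` before copying would cover all three. `PALUDIS_PACKAGE_CONFIG_FILE` defaults to the same path as the config directory and `PPCF` is never read afterwards, which looks like a copy-paste of the block above it. `imgconf()` is complete within this hunk.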
@@ -0,0 +1,36 @@ +# shellcheck shell=sh # Paludis doesn't expect shebang here, Written to be POSIX compatible + +worldFile="/etc/paludis/world" + +# Source bashrc +[ ! -d "/etc/paludis/bashrc" ] || . /etc/paludis/bashrc + +###! This function expects PCRE RegEx expression from the world file +checkpkg() { ${GREP:-grep} -qP "$1" "$worldFile" ;} + +# GIT +##@ +pcre = To get PCRE regex for 'git grep' +##@ +curl = Allows using http/https URI +checkpkg "^dev-scm\/git\$" && ${PRINTF:-printf} '%s\n' \ + "dev-scm/git::arbor curl pcre" || true + +checkpkg "^sys-apps\/sydbox\$" && ${PRINTF:-printf} '%s\n' \ + "sys-apps/sydbox::arbor seccomp" || true + +# BIND9 +##@ caps = Fails to build without it (https://gitlab.exherbo.org/exherbo/arbor/-/issues/45) +checkpkg "^net-dns\/bind\$" && ${PRINTF:-printf} '%s\n' \ + "net-dns/bind::arbor caps" || true + +# SSH +##@ X509 = To generate X.509 certs +##@ lsns = For DNSSEC support (according to exherbo) +checkpkg "^net-misc\/openssh\$" && ${PRINTF:-printf} '%s\n' \ + "net-misc/openssh::arbor X509 ldns" || true + +# Jobs +${PRINTF:-printf} "*/* BUILD_OPTIONS: jobs=%s\\n" "$(${NPROC:-nproc} || ${PRINTF:-printf} 1)" + +# CPU flags +AMD64_CPU_FEATURES="$(${CAT:-cat} /proc/cpuinfo | ${GREP:-grep} -m 1 flags | ${SED:-sed} 's/^flags.*: //g')" +X86_CPU_FEATURES="$(${CAT:-cat} /proc/cpuinfo | ${GREP:-grep} -m 1 flags | ${SED:-sed} 's/^flags.*: //g')" diff --git a/options.conf b/options.conf new file mode 100644 index 0000000..6b5037c --- /dev/null +++ b/options.conf 
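Review bot: `[ ! -d "/etc/paludis/bashrc" ] || . /etc/paludis/bashrc` tests for a directory, so the bashrc is sourced only when the path is a directory (which would then fail to source) and never when it is the regular file the `# Source bashrc` comment expects; it should be `[ ! -r /etc/paludis/bashrc ] || . /etc/paludis/bashrc`. `checkpkg` relies on `grep -P`, a GNU extension, while the header says the file is written to be POSIX compatible; the callers only need anchored literal matches, so `checkpkg() { ${GREP:-grep} -qx -- "$1" "$worldFile" ;}` with plain names passed by the callers satisfies both. `AMD64_CPU_FEATURES` and `X86_CPU_FEATURES` receive identical values from a `cat | grep | sed` pipeline and are neither printed nor exported in this file, so they are either dead or the output line that consumes them is missing.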
@@ -0,0 +1,32 @@
+*/* -* bash-completion threads pulseaudio btrfs openssl \
+ TARGETS: -* x86_64-pc-linux-gnu \
+ PROVIDERS: -* gnu dhcpcd openssl man krb5 unzip lynx libxml2 dbus-broker ijg-jpeg elfutils pkg-config \
+ INPUT_DRIVERS: -* evdev keyboard mouse synaptics consolekit \
+ LINGUAS: -* en_US cs \
+ HOSTS: -* x86_64-pc-linux-gnu -x86_64-pc-linux-musl \
+ VIDEO_DRIVERS: -* -i915 intel
+
+# Recommended on IRC #exherbo
+sys-apps/paludis -python
+
+# Version handling of backend
+*/* \
+ PYTHON_ABIS: -* 3.6 \
+ RUBY_ABIS: -* 2.7 \
+ LUA_ABIS: -* 5.3 \
+ PHP_ABIS: -* 7.4 \
+ POSTGRESQL_SERVERS: -* 12
+
+# Removing systemd
+*/* -systemd -journald \
+ PROVIDERS: -systemd -journald eudev sysvinit \
+ PARTS: openrc
+
+# Syslog
+*/* PROVIDERS: syslog-ng
+
+# Hotfix
+*/* BUILD_OPTIONS: -recommended_tests
+
+# Unknown dependency
+dev-libs/libxml2:2.0::arbor[=2.9.10-r2] python
diff --git a/output.conf b/output.conf
new file mode 100644
index 0000000..e70244a
--- /dev/null
+++ b/output.conf
@@ -0,0 +1,8 @@
+# always_keep_output_logs may be set to 'true' to always keep output logs, even if a build succeeds.
+always_keep_output_logs = false
+
+# quiet may be set to 'true' to show only messages, rather than all output, when carrying out an action.
+quiet = true
+
+# log_path can be set to change where log files are saved. It defaults to ${root}/var/log/paludis .
+log_path = /bedrock/strata/exherbo/var/log/paludis
diff --git a/package_unmask.conf b/package_unmask.conf
new file mode 100644
index 0000000..2a012c6
--- /dev/null
+++ b/package_unmask.conf
@@ -0,0 +1,6 @@
+# Hotfix
+dev-lang/python::arbor testing
+sys-apps/eudev::arbor scm
+sys-apps/systemd::arbor scm
+sys-devel/ninja::arbor scm
+net-proxy/torsocks::net scm
diff --git a/platforms.conf b/platforms.conf
new file mode 100644
index 0000000..1058ee4
--- /dev/null
+++ b/platforms.conf
@@ -0,0 +1,4 @@
+*/* amd64
+
+# SECURITY(Krey): This is a hotfix, because exherbo downstream is incompetent
+*/* ~amd64
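Review bot: `log_path = /bedrock/strata/exherbo/var/log/paludis` in output.conf hard-codes a path that the comment directly above it says already defaults to `${root}/var/log/paludis`, and the repository files in this commit (repositories/arbor.conf, for example) do expand `${root}`; the explicit line is therefore redundant and will silently diverge from the rest of the configuration if the stratum path changes, so either drop it or write it as `log_path = ${root}/var/log/paludis`.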
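Review bot: `*/* ~amd64` in platforms.conf accepts the testing keyword for every package, which is far wider than the single issue the `SECURITY(Krey)` hotfix comment alludes to; scoping it to the affected atoms, the way package_unmask.conf lists `dev-lang/python::arbor testing` per package, keeps the rest of the system on stable keywords. The comment should also name the package or issue that forced the hotfix so the line can be removed once it is resolved, and "incompetent" is not a reason a later maintainer can act on.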
diff --git a/repositories/accounts.conf b/repositories/accounts.conf
new file mode 100644
index 0000000..deb95ba
--- /dev/null
+++ b/repositories/accounts.conf
@@ -0,0 +1 @@
+format = accounts
diff --git a/repositories/arbor.conf b/repositories/arbor.conf
new file mode 100644
index 0000000..51b46c8
--- /dev/null
+++ b/repositories/arbor.conf
@@ -0,0 +1,6 @@
+location = ${root}/var/db/paludis/repositories/arbor
+sync = git+https://git.exherbo.org/git/arbor.git
+profiles = ${location}/profiles/amd64
+format = e
+names_cache = ${root}/var/cache/paludis/names
+write_cache = ${root}/var/cache/paludis/metadata
diff --git a/repositories/bruners.conf b/repositories/bruners.conf
new file mode 100644
index 0000000..c9347ef
--- /dev/null
+++ b/repositories/bruners.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/bruners
+sync = git+https://github.com/Bruners/exheres.git
diff --git a/repositories/compnerd.conf b/repositories/compnerd.conf
new file mode 100644
index 0000000..b4e9a51
--- /dev/null
+++ b/repositories/compnerd.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/compnerd
+sync = git+https://git.exherbo.org/git/dev/compnerd.git
diff --git a/repositories/danyspin97.conf b/repositories/danyspin97.conf
new file mode 100644
index 0000000..9a52ebb
--- /dev/null
+++ b/repositories/danyspin97.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/danyspin97
+sync = git+https://gitlab.exherbo.org/DanySpin97/danyspin97-exheres
diff --git a/repositories/desktop.conf b/repositories/desktop.conf
new file mode 100644
index 0000000..a6abb3e
--- /dev/null
+++ b/repositories/desktop.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/desktop
+sync = git+https://git.exherbo.org/git/desktop.git
diff --git a/repositories/exony.conf b/repositories/exony.conf
new file mode 100644
index 0000000..d89f29e
--- /dev/null
+++ b/repositories/exony.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/exony
+sync = git+https://github.com/ony/exony.git
diff --git a/repositories/games.conf b/repositories/games.conf
new file mode 100644
index 0000000..d28c4b3
--- /dev/null
+++ b/repositories/games.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/games
+sync = git+https://git.exherbo.org/git/games.git
diff --git a/repositories/gnome.conf b/repositories/gnome.conf
new file mode 100644
index 0000000..ae1633d
--- /dev/null
+++ b/repositories/gnome.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/gnome
+sync = git+https://git.exherbo.org/git/gnome.git
diff --git a/repositories/graveyard.conf b/repositories/graveyard.conf
new file mode 100644
index 0000000..52c7eb5
--- /dev/null
+++ b/repositories/graveyard.conf
@@ -0,0 +1,5 @@
+format = unwritten
+name = graveyard
+location = /var/db/paludis/repositories/graveyard
+sync = git+https://git.exherbo.org/git/graveyard.git
+importance = -90
diff --git a/repositories/hardware.conf b/repositories/hardware.conf
new file mode 100644
index 0000000..b536fac
--- /dev/null
+++ b/repositories/hardware.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/hardware
+sync = git+https://git.exherbo.org/git/hardware.git
diff --git a/repositories/haskell-unofficial.conf b/repositories/haskell-unofficial.conf
new file mode 100644
index 0000000..7b3d493
--- /dev/null
+++ b/repositories/haskell-unofficial.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/haskell-unofficial
+sync = git+https://gitlab.exherbo.org/exherbo-unofficial/haskell-unofficial.git
diff --git a/repositories/hasufell.conf b/repositories/hasufell.conf
new file mode 100644
index 0000000..9724183
--- /dev/null
+++ b/repositories/hasufell.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/hasufell
+sync = git+https://gogs.hasufell.de/hasufell/hasufell-repository.git
diff --git a/repositories/heirecka.conf b/repositories/heirecka.conf
new file mode 100644
index 0000000..f96840d
--- /dev/null
+++ b/repositories/heirecka.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/heirecka
+sync = git+https://git.exherbo.org/git/dev/heirecka.git
diff --git a/repositories/ingmar.conf b/repositories/ingmar.conf
new file mode 100644
index 0000000..42da7a3
--- /dev/null
+++ b/repositories/ingmar.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/ingmar
+sync = git+https://git.exherbo.org/git/dev/ingmar.git
diff --git a/repositories/installed.conf b/repositories/installed.conf
new file mode 100644
index 0000000..3a49ad0
--- /dev/null
+++ b/repositories/installed.conf
@@ -0,0 +1,5 @@
+format = exndbam
+location = ${root}/var/db/paludis/repositories/installed
+names_cache = ${root}/var/cache/paludis/names
+split_debug_location = /usr/x86_64-pc-linux-gnu/lib/debug
+tool_prefix = x86_64-pc-linux-gnu-
diff --git a/repositories/installed_accounts.conf b/repositories/installed_accounts.conf
new file mode 100644
index 0000000..e826928
--- /dev/null
+++ b/repositories/installed_accounts.conf
@@ -0,0 +1,2 @@
+format = installed-accounts
+handler = passwd
diff --git a/repositories/java.conf b/repositories/java.conf
new file mode 100644
index 0000000..2f27609
--- /dev/null
+++ b/repositories/java.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/java
+sync = git+https://git.exherbo.org/git/java.git
diff --git a/repositories/kde.conf b/repositories/kde.conf
new file mode 100644
index 0000000..998b882
--- /dev/null
+++ b/repositories/kde.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/kde
+sync = git+https://git.exherbo.org/git/kde.git
diff --git a/repositories/media.conf b/repositories/media.conf
new file mode 100644
index 0000000..a5d7b3e
--- /dev/null
+++ b/repositories/media.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/media
+sync = git+https://git.exherbo.org/git/media.git
diff --git a/repositories/mono.conf b/repositories/mono.conf
new file mode 100644
index 0000000..461973a
--- /dev/null
+++ b/repositories/mono.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/mono
+sync = git+https://git.exherbo.org/git/mono.git
diff --git a/repositories/net.conf b/repositories/net.conf
new file mode 100644
index 0000000..7e3f5b4
--- /dev/null
+++ b/repositories/net.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/net
+sync = git+https://git.exherbo.org/git/net.git
diff --git a/repositories/ocaml-unofficial.conf b/repositories/ocaml-unofficial.conf
new file mode 100644
index 0000000..1c4d8c2
--- /dev/null
+++ b/repositories/ocaml-unofficial.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/ocaml-unofficial
+sync = git+https://github.com/Exherbo/ocaml-unofficial
diff --git a/repositories/office.conf b/repositories/office.conf
new file mode 100644
index 0000000..0858d2c
--- /dev/null
+++ b/repositories/office.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/office
+sync = git+https://git.exherbo.org/git/office.git
diff --git a/repositories/perl.conf b/repositories/perl.conf
new file mode 100644
index 0000000..5ded26b
--- /dev/null
+++ b/repositories/perl.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/perl
+sync = git+https://git.exherbo.org/git/perl.git
diff --git a/repositories/platypus.conf b/repositories/platypus.conf
new file mode 100644
index 0000000..d32afd7
--- /dev/null
+++ b/repositories/platypus.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/platypus
+sync = git+https://gitlab.exherbo.org/kapsh/platypus.git
diff --git a/repositories/python.conf b/repositories/python.conf
new file mode 100644
index 0000000..4531d4b
--- /dev/null
+++ b/repositories/python.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/python
+sync = git+https://git.exherbo.org/git/python.git
diff --git a/repositories/rbrown.conf b/repositories/rbrown.conf
new file mode 100644
index 0000000..b1913df
--- /dev/null
+++ b/repositories/rbrown.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/rbrown
+sync = git+https://git.exherbo.org/git/dev/rbrown.git
diff --git a/repositories/repository.conf b/repositories/repository.conf
new file mode 100644
index 0000000..f6ed955
--- /dev/null
+++ b/repositories/repository.conf
@@ -0,0 +1,3 @@
+format = repository
+config_filename = /etc/paludis/repositories/%{repository_template_name}.conf
+config_template = /etc/paludis/repository.template
diff --git a/repositories/rust.conf b/repositories/rust.conf
new file mode 100644
index 0000000..4998502
--- /dev/null
+++ b/repositories/rust.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/rust
+sync = git+https://git.exherbo.org/git/rust.git
diff --git a/repositories/tombriden.conf b/repositories/tombriden.conf
new file mode 100644
index 0000000..6fb84ed
--- /dev/null
+++ b/repositories/tombriden.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/tombriden
+sync = git+https://gitlab.exherbo.org/tombriden/tombriden-exheres
diff --git a/repositories/unavailable-unofficial.conf b/repositories/unavailable-unofficial.conf
new file mode 100644
index 0000000..625df55
--- /dev/null
+++ b/repositories/unavailable-unofficial.conf
@@ -0,0 +1,5 @@
+format = unavailable
+name = unavailable-unofficial
+location = ${root}/var/db/paludis/repositories/unavailable-unofficial
+sync = tar+https://git.exherbo.org/exherbo_unofficial_repositories.tar.bz2
+importance = -100
diff --git a/repositories/unavailable.conf b/repositories/unavailable.conf
new file mode 100644
index 0000000..8a48292
--- /dev/null
+++ b/repositories/unavailable.conf
@@ -0,0 +1,5 @@
+format = unavailable
+name = unavailable
+location = ${root}/var/db/paludis/repositories/unavailable
+sync = tar+https://git.exherbo.org/exherbo_repositories.tar.bz2
+importance = -100
diff --git a/repositories/unpackaged.conf b/repositories/unpackaged.conf
new file mode 100644
index 0000000..b051d0a
--- /dev/null
+++ b/repositories/unpackaged.conf
@@ -0,0 +1,3 @@
+format = installed_unpackaged
+name = installed_unpackaged
+location = ${root}/var/db/paludis/repositories/unpackaged
diff --git a/repositories/unwritten.conf b/repositories/unwritten.conf
new file mode 100644
index 0000000..5f696e3
--- /dev/null
+++ b/repositories/unwritten.conf
@@ -0,0 +1,5 @@
+format = unwritten
+name = unwritten
+location = ${root}/var/db/paludis/repositories/unwritten
+sync = git+https://git.exherbo.org/git/unwritten.git
+importance = -100
diff --git a/repositories/vim.conf b/repositories/vim.conf
new file mode 100644
index 0000000..4061473
--- /dev/null
+++ b/repositories/vim.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/vim
+sync = git+https://git.exherbo.org/git/vim.git
diff --git a/repositories/virtualization.conf b/repositories/virtualization.conf
new file mode 100644
index 0000000..a19a75b
--- /dev/null
+++ b/repositories/virtualization.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/virtualization
+sync = git+https://git.exherbo.org/git/virtualization.git
diff --git a/repositories/x11.conf b/repositories/x11.conf
new file mode 100644
index 0000000..bfd0450
--- /dev/null
+++ b/repositories/x11.conf
@@ -0,0 +1,3 @@
+format = e
+location = /var/db/paludis/repositories/x11
+sync = git+https://git.exherbo.org/git/x11.git
diff --git a/repository.template b/repository.template
new file mode 100644
index 0000000..7f005b5
--- /dev/null
+++ b/repository.template
@@ -0,0 +1,3 @@
+format = %{repository_template_format}
+location = /var/db/paludis/repositories/%{repository_template_name}
+sync = %{repository_template_sync}
diff --git a/repository_defaults.conf b/repository_defaults.conf
new file mode 100644
index 0000000..e69de29
diff --git a/world b/world
new file mode 100644
index 0000000..21d819c
--- /dev/null
+++ b/world
@@ -0,0 +1,56 @@
+# Repositories
+repository/accounts
+repository/arbor
+repository/bruners
+repository/compnerd
+repository/danyspin97
+repository/desktop
+#repository/exheredrey
+repository/exony
+repository/games
+repository/gnome
+repository/graveyard
+repository/hardware
+repository/haskell-unofficial
+repository/hasufell
+repository/heirecka
+repository/ingmar
+repository/java
+repository/kde
+repository/media
+repository/mono
+repository/net
+repository/ocaml-unofficial
+repository/office
+repository/perl
+repository/platypus
+repository/python
+repository/rbrown
+repository/repository
+repository/rust
+repository/tombriden
+repository/unavailable
+repository/unavailable-unofficial
+repository/unwritten
+repository/vim
+repository/virtualization
+repository/x11
+
+# CORE
+sys-apps/paludis
+sys-apps/sydbox
+dev-scm/git
+sys-apps/openrc
+sys-boot/grub
+dev-libs/libxml2
+sys-devel/meson
+app-arch/zstd
+x11-misc/shared-mime-info
+net-misc/tor
+## Syslog
+sys-apps/syslog-ng
+## SSH
+net-misc/openssh
+
+# DNS
+net-dns/bind
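Review bot: `location = /var/db/paludis/repositories/bruners` is an absolute path, while arbor.conf in the same hunk run uses `${root}/var/db/paludis/repositories/arbor` (as do installed.conf, unpackaged.conf and the unavailable/unwritten files later in this commit); with a non-`/` root the two conventions place repositories in different trees, so this and the matching lines in compnerd.conf, danyspin97.conf, desktop.conf and every later `format = e` repository file should read `location = ${root}/var/db/paludis/repositories/<name>`, and repository.template should expand `${root}` the same way so newly templated repositories do not reintroduce the split. Several of these repositories are third-party (github.com/Bruners, gogs.hasufell.de, github.com/ony, gitlab.exherbo.org user namespaces) and are synced from a moving branch head over `git+https`, which is the only integrity control visible here; a one-line comment per file recording why that source is trusted with package definitions, and dropping any repository that `world` does not actually need, would make the trust decision reviewable later.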