authorJoeServ <bousset.rudy@gmail.com>2023-02-27 15:41:41 +0100
committerJoeServ <bousset.rudy@gmail.com>2023-02-27 15:41:41 +0100
commit9208846b5747abcd08792605511a1dd1ab457ccf (patch)
tree4a4ca4dc60f12272c864a230f2f18519fd607ecf
parentupdate (diff)
downloadjoe-conf-9208846b5747abcd08792605511a1dd1ab457ccf.tar.gz
joe-conf-9208846b5747abcd08792605511a1dd1ab457ccf.tar.bz2
joe-conf-9208846b5747abcd08792605511a1dd1ab457ccf.tar.xz
joe-conf-9208846b5747abcd08792605511a1dd1ab457ccf.tar.zst
joe-conf-9208846b5747abcd08792605511a1dd1ab457ccf.zip
Jail rework
Diffstat (limited to '')
-rw-r--r--etc/rc.conf38
-rw-r--r--root/.cshrc4
-rw-r--r--usr/local/etc/gmid.conf24
-rw-r--r--usr/local/etc/nginx/nginx.conf202
-rw-r--r--usr/local/etc/pf.conf60
-rw-r--r--var/jail/git/etc/rc.conf8
-rw-r--r--var/jail/i2p/etc/rc.conf8
-rw-r--r--var/jail/nextcloud/etc/rc.conf8
-rw-r--r--var/jail/wireguard/etc/rc.conf11
-rw-r--r--var/jail/www/etc/rc.conf13
-rw-r--r--var/jail/www/usr/local/etc/cgitrc (renamed from usr/local/etc/cgitrc)8
-rw-r--r--var/jail/www/usr/local/etc/nginx/nginx.conf144
-rwxr-xr-xvar/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh (renamed from usr/local/lib/cgit/filters/about-formatting-edited.sh)0
-rwxr-xr-xvar/jail/www/usr/local/lib/cgit/filters/html-converters/md2html (renamed from usr/local/lib/cgit/filters/html-converters/md2html)2
-rwxr-xr-xvar/jail/www/usr/local/lib/cgit/filters/html-converters/org2html (renamed from usr/local/lib/cgit/filters/html-converters/org2html)0
-rwxr-xr-xvar/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh (renamed from usr/local/lib/cgit/filters/syntax-highlighting-edited.sh)0
16 files changed, 220 insertions, 310 deletions
diff --git a/etc/rc.conf b/etc/rc.conf
index 507adae..c96e4a5 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -1,6 +1,9 @@
-hostname="joe"
+hostname="alcatraz"
+clear_tmp_enable="YES"
+tmpmfs="YES"
+tmpsize="256m"
sshd_enable="YES"
-ntpd_enable="YES"
+ntpd_enable="NO"
static_routes="linklocal"
devmatch_blacklist="virtio_random.ko"
sendmail_enable="NONE"
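Review bot: `ntpd_enable="NO"` turns off the only time synchronisation visible in this file, and the jails introduced by this commit take their clock from the host. Clock drift eventually affects TLS certificate validation and renewal in the www jail and makes log timestamps across jails hard to correlate. If another time source replaces ntpd, record it in a comment next to the line, e.g. `# time sync handled by <service>`; otherwise keep `ntpd_enable="YES"`.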
@@ -8,19 +11,20 @@ sendmail_submit_enable="NONE"
sendmail_msp_queue_enable="NONE"
sendmail_outbound_enable="NONE"
ifconfig_vtnet0="DHCP -rxcsum -tso"
-nginx_enable="YES"
-fcgiwrap_enable="YES"
-fcgiwrap_user="www"
-fcgiwrap_group="www"
-fcgiwrap_socket_owner="www"
-fcgiwrap_socket_group="www"
+#nginx_enable="NO"
+#fcgiwrap_enable="NO"
+#fcgiwrap_user="www"
+#fcgiwrap_group="www"
+#fcgiwrap_socket_owner="www"
+#fcgiwrap_socket_group="www"
cron_flags="-m ''"
-gmid_enable="YES"
-pf_enable="NO"
-pf_rules="/usr/local/etc/pf.conf"
-plog_enable="NO"
-pflog_logfile="/var/log/pflog"
-obspamd_enable="NO"
-obspamd_flags="-v"
-obspamlogd_enable="NO"
-dovecot_enable="NO"
+jail_enable="YES"
+gateway_enable="YES"
+static_routes="net1"
+route_net1="-net 10.0.0.0/24 95.179.223.82"
+kld_list="if_bridge if_tap if_epair"
+cloned_interfaces="bridge0"
+ifconfig_bridge0="inet 10.0.0.254/24"
+#cloned_interfaces="bridge0 epair0"
+#ifconfig_bridge0="addm vtnet0 addm epair0a up"
+#ifconfig_epair0a="up"
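Review bot: `gateway_enable="YES"` turns on IP forwarding on the host in the same commit that deletes usr/local/etc/pf.conf and drops the (already disabled) `pf_*` lines, so nothing visible here filters traffic forwarded between vtnet0 and bridge0 (10.0.0.254/24). Only the wireguard jail sets `pf_enable`; if the host is meant to be the boundary for the jail network it needs its own tracked ruleset, e.g. `pf_enable="YES"` with `pf_rules="/etc/pf.conf"`. Separately, the added `static_routes="net1"` overrides the `static_routes="linklocal"` line that is still present earlier in the file, because the later assignment wins; if both routes are wanted, use a single line, `static_routes="linklocal net1"`.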
diff --git a/root/.cshrc b/root/.cshrc
index b1c5b5b..fc22012 100644
--- a/root/.cshrc
+++ b/root/.cshrc
@@ -15,8 +15,8 @@ alias ls ls -lhG
alias tree tree -C
alias c clear
alias vim nvim
-alias diff colordiff -c
-alias confgit git --git-dir=/usr/local/git/jozan/joe-conf.git --work-tree=/
+alias confgit git --git-dir=/var/jail/git/var/git/jozan/joe-conf.git --work-tree=/
+alias jx jexec
# A righteous umask
umask 22
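Review bot: The new `confgit` alias runs git as root on the host with `--work-tree=/` against a git-dir stored inside the git jail (`/var/jail/git/var/git/jozan/joe-conf.git`), and that jail's rc.conf sets `sshd_enable="YES"`. Git reads the repository's `config` and hooks from the git-dir, so anything able to write to that directory from inside the jail can influence commands the host's root runs, which undercuts the jail boundary. Keeping the host's git-dir outside the jail tree and pushing to the jailed repository as a remote avoids this; at minimum the repository directory should not be writable by accounts inside the jail. The alias list continues outside the hunk.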
diff --git a/usr/local/etc/gmid.conf b/usr/local/etc/gmid.conf
deleted file mode 100644
index cf7b293..0000000
--- a/usr/local/etc/gmid.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# drop privileges
-user "_gmid"
-
-# it's a good idea to enable chroot, but
-# beware that can make CGI scripting harder
-#chroot "/var/gemini"
-
-# An example of a server block:
-server "jozanofastora.xyz" {
- # set the directory to serve; it's relative to the
- # chroot (if enabled)
- root "/usr/local/gemini"
-
- # Set self-signed TLS cert and key. It's better to keep
- # the keys outside the chroot.
- #
- # You should generate them manually, for example:
- # openssl req -x509 -newkey rsa:4096 -nodes \
- # -out /usr/local/etc/ssl/gmid/localhost.crt \
- # -keyout /usr/local/etc/ssl/gmid/localhost.key \
- # -subj "/CN=localhost"
- cert "/usr/local/etc/letsencrypt/live/jozanofastora.xyz/cert.pem"
- key "/usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem"
-}
diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf
deleted file mode 100644
index 3febbf9..0000000
--- a/usr/local/etc/nginx/nginx.conf
+++ /dev/null
@@ -1,202 +0,0 @@
-worker_processes 1;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
- sendfile on;
- keepalive_timeout 65;
- gzip on;
- gzip_vary on;
- gzip_min_length 1k;
- gzip_proxied expired no-cache no-store private auth;
- gzip_buffers 4 16k;
- gzip_http_version 1.1;
- gzip_comp_level 2;
- gzip_types text/plain application/x-javascript application/javascript text/css application/xml application/json;
-
- map $sent_http_content_type $expires {
- default off;
- text/css 15m;
- application/javascript 15m;
- ~image/ 15m;
- }
-
- server{
- server_name jozanofastora.xyz;
- root /usr/local/www/jozan;
- index index.html;
- expires $expires;
-
- location / {
- try_files $uri $uri/ =404;
- }
- location ~ /\.ht {
- deny all;
- }
- location ~ \.cgi$ {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root/asm-example.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
- }
- error_page 403 /403.html;
- location = /403.html {
- root /usr/local/www/jozan/err;
- }
- error_page 404 /404.html;
- location = /404.html {
- root /usr/local/www/jozan/err;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/local/www/nginx-dist;
- }
-
- listen 443 ssl;
- ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem;
-}
-
- server {
- server_name gitjoe.xyz;
- root /usr/local/www/gitjoe;
- try_files $uri @cgit;
- index cgit.cgi;
-
- location @cgit {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_param CGIT_CONFIG /usr/local/etc/cgitrc;
- fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
-
- gzip off;
- rewrite ^/([^/]+/.*)?$ /cgit.cgi?url=$1 break;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/local/www/nginx-dist;
- }
-
- listen 443 ssl;
- ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem;
-}
- server{
- server_name watchoom.gitjoe.xyz;
- root /usr/local/www/watchoom;
- index index.html;
- expires $expires;
-
- location / {
- try_files $uri $uri/ =404;
- }
- location ~ /\.ht {
- deny all;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/local/www/nginx-dist;
- }
-
- listen 443 ssl;
- ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem;
-}
-
- server {
- server_name fossil.jozanofastora.xyz;
- index index.html;
- root /usr/local/www/fossiljoe;
-
- # Bypass Fossil for the static documentation generated from
- # our source code by Doxygen, so it merges into the embedded
- # doc URL hierarchy at Fossil’s $ROOT/doc without requiring that
- # these generated files actually be stored in the repo. This
- # also lets us set aggressive caching on these docs, since
- # they rarely change.
- location /code/doc/html {
- root /usr/local/www/fossiljoe;
-
- location ~* \.(html|ico|css|js|gif|jpg|png)$ {
- expires 7d;
- add_header Vary Accept-Encoding;
- access_log off;
- }
- }
- # Redirect everything else to the Fossil instance
- location /code {
- include scgi_params;
- scgi_param SCRIPT_NAME "/code";
- scgi_pass 127.0.0.1:12345;
- }
-}
-
-server{
- if ($host = gitjoe.xyz) {
- return 301 https://$host?p=about;
- }
-
- server_name gitjoe.xyz;
- listen 80;
- return 404;
-}
-
-server{
- if ($host = jozanofastora.xyz) {
- return 301 https://$host$request_uri;
- }
-
- server_name jozanofastora.xyz;
- listen 80;
- return 404;
-}
-
-server{
- if ($host = watchoom.gitjoe.xyz) {
- return 301 https://$host$request_uri;
- }
-
- server_name watchoom.gitjoe.xyz;
- listen 80;
- return 404;
-}
-
-#server {
-# if ($host = fossil.jozanofastora.xyz) {
-# return 301 https://$host$request_uri;
-# }
-#
-# server_name fossil.jozanofastora.xyz;
-# listen 80;
-# return 404;
-#}
-
-server {
- server_name www.jozanofastora.xyz;
- listen 80;
- listen 443 ssl;
- rewrite ^/(.*) http://jozanofastora.xyz/$1 permanent;
- ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem;
- return 404;
-}
-
-server {
-
- server_name www.gitjoe.xyz git.jozanofastora.xyz;
- listen 80;
- listen 443 ssl;
- rewrite ^/(.*) http://gitjoe.xyz/?p=about permanent;
- ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem;
- return 404;
-}
-}
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
deleted file mode 100644
index c514fe8..0000000
--- a/usr/local/etc/pf.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-## Set public interface ##
-ext_if="vtnet0"
-
-## set and drop IP ranges on the public interface ##
-martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
- 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
- 0.0.0.0/8, 240.0.0.0/4 }"
-
-table <spamd> persist
-table <spamd-allow> persist
-
-# Allowed webmail services
-#table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
-
-## Skip loop back interface - Skip all PF processing on interface ##
-set skip on lo
-
-## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
-set loginterface $ext_if
-
-# Deal with attacks based on incorrect handling of packet fragments
-scrub in all
-
-
-# Pass spamd allow list
-rdr pass log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
- -> 127.0.0.1 port 25
-# Pass webmail servers
-rdr pass log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
- -> 127.0.0.1 port 25
-# pass submission messages.
-pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
-# Pass unknown mail to spamd
-rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
- -> 127.0.0.1 port 8025
-
-## Blocking spoofed packets
-antispoof quick for $ext_if
-
-## Set default policy ##
-block return in log all
-block out all
-
-# Drop all Non-Routable Addresses
-block drop in quick on $ext_if from $martians to any
-block drop out quick on $ext_if from any to $martians
-
-pass in inet proto tcp to $ext_if port ssh
-
-# Allow Ping-Pong stuff. Be a good sysadmin
-pass inet proto icmp icmp-type echoreq
-
-# Open up imap/pop3 support
-pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
-
-
-# Allow outgoing traffic
-pass out on $ext_if proto tcp from any to any modulate state
-pass out on $ext_if proto udp from any to any keep state
-#pass quick on $ext_if from any to any port http
diff --git a/var/jail/git/etc/rc.conf b/var/jail/git/etc/rc.conf
new file mode 100644
index 0000000..30dad04
--- /dev/null
+++ b/var/jail/git/etc/rc.conf
@@ -0,0 +1,8 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+sshd_enable="YES"
diff --git a/var/jail/i2p/etc/rc.conf b/var/jail/i2p/etc/rc.conf
new file mode 100644
index 0000000..ffd49a6
--- /dev/null
+++ b/var/jail/i2p/etc/rc.conf
@@ -0,0 +1,8 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+i2pd_enable="YES"
diff --git a/var/jail/nextcloud/etc/rc.conf b/var/jail/nextcloud/etc/rc.conf
new file mode 100644
index 0000000..2307f03
--- /dev/null
+++ b/var/jail/nextcloud/etc/rc.conf
@@ -0,0 +1,8 @@
+sshd_enable="NO"
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
diff --git a/var/jail/wireguard/etc/rc.conf b/var/jail/wireguard/etc/rc.conf
new file mode 100644
index 0000000..48ffe2d
--- /dev/null
+++ b/var/jail/wireguard/etc/rc.conf
@@ -0,0 +1,11 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+wireguard_enable="NO"
+wireguard_interfaces="wg0"
+gateway_enable="YES"
+pf_enable="YES"
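Review bot: `pf_enable="YES"` is set for this jail, but the commit adds no ruleset for it: the diffstat lists only `rc.conf` under var/jail/wireguard, and the host's pf.conf is deleted. With `gateway_enable="YES"` the jail forwards packets, so unless a rules file exists outside the repository (the rc default is `/etc/pf.conf`) pf comes up with no policy loaded. Track the jail's ruleset here and point at it explicitly, e.g. `pf_rules="/etc/pf.conf"`. `wireguard_interfaces="wg0"` is also inert while `wireguard_enable="NO"`; a comment saying that is intentional would help.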
diff --git a/var/jail/www/etc/rc.conf b/var/jail/www/etc/rc.conf
new file mode 100644
index 0000000..682f65a
--- /dev/null
+++ b/var/jail/www/etc/rc.conf
@@ -0,0 +1,13 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+nginx_enable="YES"
+fcgiwrap_enable="YES"
+fcgiwrap_user="www"
+fcgiwrap_group="www"
+fcgiwrap_socket_owner="www"
+fcgiwrap_socket_group="www"
diff --git a/usr/local/etc/cgitrc b/var/jail/www/usr/local/etc/cgitrc
index b123224..cb8da04 100644
--- a/usr/local/etc/cgitrc
+++ b/var/jail/www/usr/local/etc/cgitrc
@@ -14,8 +14,8 @@ virtual-root=/
root-title=GitJoe
root-desc=where the good code belongs
-root-readme=/usr/local/www/gitjoe/about.html
-footer=/usr/local/www/gitjoe/footer.html
+root-readme=/var/www/gitjoe/about.html
+footer=/var/www/gitjoe/footer.html
clone-url=git://gitjoe.xyz/$CGIT_REPO_URL
@@ -48,7 +48,7 @@ cache-size=0
about-filter=/usr/local/lib/cgit/filters/about-formatting-edited.sh
source-filter=/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
-snapshots=tar.gz tar.bz2 tar.xz zip
+snapshots=tar.zst tar.gz tar.bz2 tar.xz zip
max-stats=year
readme=:README.md
@@ -80,4 +80,4 @@ readme=:install.txt
readme=:INSTALL
readme=:install
-scan-path=/usr/local/git
+scan-path=/var/mnt/git
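Review bot: `scan-path=/var/mnt/git` points cgit at a directory that nothing in this commit creates; presumably it is a mount of the git jail's repositories into the www jail. Since the www jail is the one exposed over HTTP and cgit only reads repositories, that mount should be read-only, and the fstab or jail configuration that sets it up belongs in this repository next to the cgitrc. A comment above the line such as `# read-only mount of the git jail's repositories` would record the assumption.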
diff --git a/var/jail/www/usr/local/etc/nginx/nginx.conf b/var/jail/www/usr/local/etc/nginx/nginx.conf
new file mode 100644
index 0000000..869ff4d
--- /dev/null
+++ b/var/jail/www/usr/local/etc/nginx/nginx.conf
@@ -0,0 +1,144 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1k;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_buffers 4 16k;
+ gzip_http_version 1.1;
+ gzip_comp_level 2;
+ gzip_types text/plain application/x-javascript application/javascript text/css application/xml application/json;
+
+ map $sent_http_content_type $expires {
+ default off;
+ text/css 15m;
+ application/javascript 15m;
+ ~image/ 15m;
+ }
+
+# JOZAN
+
+ server{
+ server_name jozan.org;
+ root /var/www/joe;
+ index index.html;
+ expires $expires;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ location ~ \.cgi$ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root/asm-example.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /var/www/joe/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /var/www/joe/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+# GITJOE
+
+ server {
+ server_name gitjoe.xyz;
+ root /var/www/gitjoe;
+ try_files $uri @cgit;
+ index cgit.cgi;
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param CGIT_CONFIG /usr/local/etc/cgitrc;
+ fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
+
+ gzip off;
+ rewrite ^/([^/]+/.*)?$ /cgit.cgi?url=$1 break;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+ listen 443 ssl;
+
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot
+}
+
+# REDIRECT 80 to 443
+
+server{
+ if ($host = jozan.org) {
+ return 301 https://$host$request_uri;
+ }
+
+
+ if ($host = www.jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ if ($host = jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ if ($host = www.jozan.org) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ if ($host = gitjoe.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name jozan.org www.jozan.org jozanofastora.xyz www.jozanofastora.xyz gitjoe.xyz;
+ listen 80;
+ return 404;
+}
+
+# REDIRECT 443 to JOZAN 443
+
+server{
+ listen 443 ssl;
+ server_name www.jozan.org jozanofastora.xyz www.jozanofastora.xyz;
+ return 301 $scheme://jozan.org$request_uri;
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+}
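Review bot: The `gitjoe.xyz` server block listens on 443 with only `ssl_certificate` and `ssl_certificate_key`, while the other two TLS blocks also carry `include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;` and `ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;`; add the same two lines so every virtual host states its TLS settings instead of relying on whichever block is the default for the socket. That block also serves the certificate from `live/jozan.org/`, so it only works if that certificate lists gitjoe.xyz as a name, which is not visible here. Port 80 is redirected to HTTPS, but no block sends `Strict-Transport-Security`, and there is no `default_server` for 443, so a request with an unrecognised Host is answered by the first block (jozan.org).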
diff --git a/usr/local/lib/cgit/filters/about-formatting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh
index cf1140e..cf1140e 100755
--- a/usr/local/lib/cgit/filters/about-formatting-edited.sh
+++ b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh
diff --git a/usr/local/lib/cgit/filters/html-converters/md2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html
index 7d97b1e..a4a43ff 100755
--- a/usr/local/lib/cgit/filters/html-converters/md2html
+++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html
@@ -1,4 +1,4 @@
-#!/usr/local/bin/python3.8
+#!/usr/local/bin/python3.9
import markdown
import sys
import io
diff --git a/usr/local/lib/cgit/filters/html-converters/org2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html
index e9c3b44..e9c3b44 100755
--- a/usr/local/lib/cgit/filters/html-converters/org2html
+++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html
diff --git a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
index 3de95fa..3de95fa 100755
--- a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
+++ b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh