author | JoeServ <bousset.rudy@gmail.com> | 2023-02-27 15:41:41 +0100 |
---|---|---|
committer | JoeServ <bousset.rudy@gmail.com> | 2023-02-27 15:41:41 +0100 |
commit | 9208846b5747abcd08792605511a1dd1ab457ccf (patch) | |
tree | 4a4ca4dc60f12272c864a230f2f18519fd607ecf /usr | |
parent | update (diff) | |
Jail rework
Diffstat (limited to '')
-rw-r--r-- | usr/local/etc/gmid.conf | 24 | ||||
-rw-r--r-- | usr/local/etc/nginx/nginx.conf | 202 | ||||
-rw-r--r-- | usr/local/etc/pf.conf | 60 | ||||
-rw-r--r-- | var/jail/www/usr/local/etc/cgitrc (renamed from usr/local/etc/cgitrc) | 8 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh (renamed from usr/local/lib/cgit/filters/about-formatting-edited.sh) | 0 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html (renamed from usr/local/lib/cgit/filters/html-converters/md2html) | 2 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html (renamed from usr/local/lib/cgit/filters/html-converters/org2html) | 0 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh (renamed from usr/local/lib/cgit/filters/syntax-highlighting-edited.sh) | 0 |
8 files changed, 5 insertions, 291 deletions
diff --git a/usr/local/etc/gmid.conf b/usr/local/etc/gmid.conf
deleted file mode 100644
index cf7b293..0000000
--- a/usr/local/etc/gmid.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# drop privileges
-user "_gmid"
-
-# it's a good idea to enable chroot, but
-# beware that can make CGI scripting harder
-#chroot "/var/gemini"
-
-# An example of a server block:
-server "jozanofastora.xyz" {
- # set the directory to serve; it's relative to the
- # chroot (if enabled)
- root "/usr/local/gemini"
-
- # Set self-signed TLS cert and key. It's better to keep
- # the keys outside the chroot.
- #
- # You should generate them manually, for example:
- # openssl req -x509 -newkey rsa:4096 -nodes \
- # -out /usr/local/etc/ssl/gmid/localhost.crt \
- # -keyout /usr/local/etc/ssl/gmid/localhost.key \
- # -subj "/CN=localhost"
- cert "/usr/local/etc/letsencrypt/live/jozanofastora.xyz/cert.pem"
- key "/usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem"
-}
diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf
deleted file mode 100644
index 3febbf9..0000000
--- a/usr/local/etc/nginx/nginx.conf
+++ /dev/null
@@ -1,202 +0,0 @@
-worker_processes 1;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include mime.types;
- default_type application/octet-stream;
- sendfile on;
- keepalive_timeout 65;
- gzip on;
- gzip_vary on;
- gzip_min_length 1k;
- gzip_proxied expired no-cache no-store private auth;
- gzip_buffers 4 16k;
- gzip_http_version 1.1;
- gzip_comp_level 2;
- gzip_types text/plain application/x-javascript application/javascript text/css application/xml application/json;
-
- map $sent_http_content_type $expires {
- default off;
- text/css 15m;
- application/javascript 15m;
- ~image/ 15m;
- }
-
- server{
- server_name jozanofastora.xyz;
- root /usr/local/www/jozan;
- index index.html;
- expires $expires;
-
- location / {
- try_files $uri $uri/ =404;
- }
- location ~ /\.ht {
- deny all;
- }
- location ~ \.cgi$ {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root/asm-example.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
- }
- error_page 403 /403.html;
- location = /403.html {
- root /usr/local/www/jozan/err;
- }
- error_page 404 /404.html;
- location = /404.html {
- root /usr/local/www/jozan/err;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/local/www/nginx-dist;
- }
-
- listen 443 ssl;
- ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem;
-}
-
- server {
- server_name gitjoe.xyz;
- root /usr/local/www/gitjoe;
- try_files $uri @cgit;
- index cgit.cgi;
-
- location @cgit {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_param CGIT_CONFIG /usr/local/etc/cgitrc;
- fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
-
- gzip off;
- rewrite ^/([^/]+/.*)?$ 
/cgit.cgi?url=$1 break;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/local/www/nginx-dist;
- }
-
- listen 443 ssl;
- ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem;
-}
- server{
- server_name watchoom.gitjoe.xyz;
- root /usr/local/www/watchoom;
- index index.html;
- expires $expires;
-
- location / {
- try_files $uri $uri/ =404;
- }
- location ~ /\.ht {
- deny all;
- }
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/local/www/nginx-dist;
- }
-
- listen 443 ssl;
- ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem;
-}
-
- server {
- server_name fossil.jozanofastora.xyz;
- index index.html;
- root /usr/local/www/fossiljoe;
-
- # Bypass Fossil for the static documentation generated from
- # our source code by Doxygen, so it merges into the embedded
- # doc URL hierarchy at Fossil’s $ROOT/doc without requiring that
- # these generated files actually be stored in the repo. This
- # also lets us set aggressive caching on these docs, since
- # they rarely change. 
- location /code/doc/html {
- root /usr/local/www/fossiljoe;
-
- location ~* \.(html|ico|css|js|gif|jpg|png)$ {
- expires 7d;
- add_header Vary Accept-Encoding;
- access_log off;
- }
- }
- # Redirect everything else to the Fossil instance
- location /code {
- include scgi_params;
- scgi_param SCRIPT_NAME "/code";
- scgi_pass 127.0.0.1:12345;
- }
-}
-
-server{
- if ($host = gitjoe.xyz) {
- return 301 https://$host?p=about;
- }
-
- server_name gitjoe.xyz;
- listen 80;
- return 404;
-}
-
-server{
- if ($host = jozanofastora.xyz) {
- return 301 https://$host$request_uri;
- }
-
- server_name jozanofastora.xyz;
- listen 80;
- return 404;
-}
-
-server{
- if ($host = watchoom.gitjoe.xyz) {
- return 301 https://$host$request_uri;
- }
-
- server_name watchoom.gitjoe.xyz;
- listen 80;
- return 404;
-}
-
-#server {
-# if ($host = fossil.jozanofastora.xyz) {
-# return 301 https://$host$request_uri;
-# }
-#
-# server_name fossil.jozanofastora.xyz;
-# listen 80;
-# return 404;
-#}
-
-server {
- server_name www.jozanofastora.xyz;
- listen 80;
- listen 443 ssl;
- rewrite ^/(.*) http://jozanofastora.xyz/$1 permanent;
- ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz/privkey.pem;
- return 404;
-}
-
-server {
-
- server_name www.gitjoe.xyz git.jozanofastora.xyz;
- listen 80;
- listen 443 ssl;
- rewrite ^/(.*) http://gitjoe.xyz/?p=about permanent;
- ssl_certificate /usr/local/etc/letsencrypt/live/gitjoe.xyz/fullchain.pem;
- ssl_certificate_key /usr/local/etc/letsencrypt/live/gitjoe.xyz/privkey.pem;
- return 404;
-}
-}
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
deleted file mode 100644
index c514fe8..0000000
--- a/usr/local/etc/pf.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-## Set public interface ##
-ext_if="vtnet0"
-
-## set and drop IP ranges on the public interface ##
-martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
- 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
- 0.0.0.0/8, 240.0.0.0/4 }"
-
-table <spamd> persist
-table <spamd-allow> persist
-
-# Allowed webmail services
-#table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
-
-## Skip loop back interface - Skip all PF processing on interface ##
-set skip on lo
-
-## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
-set loginterface $ext_if
-
-# Deal with attacks based on incorrect handling of packet fragments
-scrub in all
-
-
-# Pass spamd allow list
-rdr pass log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
- -> 127.0.0.1 port 25
-# Pass webmail servers
-rdr pass log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
- -> 127.0.0.1 port 25
-# pass submission messages.
-pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
-# Pass unknown mail to spamd
-rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
- -> 127.0.0.1 port 8025
-
-## Blocking spoofed packets
-antispoof quick for $ext_if
-
-## Set default policy ##
-block return in log all
-block out all
-
-# Drop all Non-Routable Addresses
-block drop in quick on $ext_if from $martians to any
-block drop out quick on $ext_if from any to $martians
-
-pass in inet proto tcp to $ext_if port ssh
-
-# Allow Ping-Pong stuff. Be a good sysadmin
-pass inet proto icmp icmp-type echoreq
-
-# Open up imap/pop3 support
-pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
-
-
-# Allow outgoing traffic
-pass out on $ext_if proto tcp from any to any modulate state
-pass out on $ext_if proto udp from any to any keep state
-#pass quick on $ext_if from any to any port http 
diff --git a/usr/local/etc/cgitrc b/var/jail/www/usr/local/etc/cgitrc
index b123224..cb8da04 100644
--- a/usr/local/etc/cgitrc
+++ b/var/jail/www/usr/local/etc/cgitrc
@@ -14,8 +14,8 @@ virtual-root=/
 root-title=GitJoe
 root-desc=where the good code belongs
-root-readme=/usr/local/www/gitjoe/about.html
-footer=/usr/local/www/gitjoe/footer.html
+root-readme=/var/www/gitjoe/about.html
+footer=/var/www/gitjoe/footer.html
 clone-url=git://gitjoe.xyz/$CGIT_REPO_URL
@@ -48,7 +48,7 @@ cache-size=0
 about-filter=/usr/local/lib/cgit/filters/about-formatting-edited.sh
 source-filter=/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
-snapshots=tar.gz tar.bz2 tar.xz zip
+snapshots=tar.zst tar.gz tar.bz2 tar.xz zip
 max-stats=year
 readme=:README.md
@@ -80,4 +80,4 @@ readme=:install.txt
 readme=:INSTALL
 readme=:install
-scan-path=/usr/local/git
+scan-path=/var/mnt/git
diff --git a/usr/local/lib/cgit/filters/about-formatting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh
index cf1140e..cf1140e 100755
--- a/usr/local/lib/cgit/filters/about-formatting-edited.sh
+++ b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh
diff --git a/usr/local/lib/cgit/filters/html-converters/md2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html
index 7d97b1e..a4a43ff 100755
--- a/usr/local/lib/cgit/filters/html-converters/md2html
+++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html
@@ -1,4 +1,4 @@
-#!/usr/local/bin/python3.8
+#!/usr/local/bin/python3.9
 import markdown
 import sys
 import io
diff --git a/usr/local/lib/cgit/filters/html-converters/org2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html
index e9c3b44..e9c3b44 100755
--- a/usr/local/lib/cgit/filters/html-converters/org2html
+++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html
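Review bot: The new `snapshots=tar.zst tar.gz tar.bz2 tar.xz zip` line adds a fifth on-demand archive format while the hunk header shows `cache-size=0`, so every snapshot request from an unauthenticated client appears to be regenerated and recompressed inside the jail with no caching at all. Offering more compressors widens an easy CPU/disk exhaustion surface against a public cgit, and xz/zstd at their defaults are the most expensive of the set. Consider enabling the cgit cache (`cache-size=` plus `cache-snapshot-ttl=` if the installed cgit version supports it) or limiting the list to the formats actually needed, and add a comment such as `# snapshots are generated on demand; keep this list short while caching is disabled` so the trade-off is recorded. I cannot see from this hunk whether the front-end web server applies any rate limiting to `/snapshot/` URLs, so treat that as something to confirm.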
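Review bot: `scan-path=/var/mnt/git` makes cgit publish every repository it finds under that directory, and with the config now living in the `www` jail the path presumably refers to a tree mounted into the jail from the host. Nothing in this commit records how that mount is made, so please document it next to the setting, e.g. `# /var/mnt/git is the host's git tree mounted into the jail; cgit only needs read access, so mount it read-only (nullfs ro) and keep private repos elsewhere`. A read-only mount also limits what a compromised filter script (`about-filter`/`source-filter` run per request) could do to the repositories. This is inferred from the paths; confirm against the jail's fstab.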
diff --git a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
index 3de95fa..3de95fa 100755
--- a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
+++ b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh |