author | JoeServ <bousset.rudy@gmail.com> | 2023-02-27 15:41:41 +0100 |
---|---|---|
committer | JoeServ <bousset.rudy@gmail.com> | 2023-02-27 15:41:41 +0100 |
commit | 9208846b5747abcd08792605511a1dd1ab457ccf (patch) | |
tree | 4a4ca4dc60f12272c864a230f2f18519fd607ecf /var | |
parent | update (diff) | |
Jail rework
Diffstat (limited to '')
-rw-r--r-- | var/jail/git/etc/rc.conf | 8 | ||||
-rw-r--r-- | var/jail/i2p/etc/rc.conf | 8 | ||||
-rw-r--r-- | var/jail/nextcloud/etc/rc.conf | 8 | ||||
-rw-r--r-- | var/jail/wireguard/etc/rc.conf | 11 | ||||
-rw-r--r-- | var/jail/www/etc/rc.conf | 13 | ||||
-rw-r--r-- | var/jail/www/usr/local/etc/cgitrc (renamed from usr/local/etc/cgitrc) | 8 | ||||
-rw-r--r-- | var/jail/www/usr/local/etc/nginx/nginx.conf | 144 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh (renamed from usr/local/lib/cgit/filters/about-formatting-edited.sh) | 0 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html (renamed from usr/local/lib/cgit/filters/html-converters/md2html) | 2 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html (renamed from usr/local/lib/cgit/filters/html-converters/org2html) | 0 | ||||
-rwxr-xr-x | var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh (renamed from usr/local/lib/cgit/filters/syntax-highlighting-edited.sh) | 0 |
11 files changed, 197 insertions, 5 deletions
diff --git a/var/jail/git/etc/rc.conf b/var/jail/git/etc/rc.conf
new file mode 100644
index 0000000..30dad04
--- /dev/null
+++ b/var/jail/git/etc/rc.conf
@@ -0,0 +1,8 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+sshd_enable="YES"
diff --git a/var/jail/i2p/etc/rc.conf b/var/jail/i2p/etc/rc.conf
new file mode 100644
index 0000000..ffd49a6
--- /dev/null
+++ b/var/jail/i2p/etc/rc.conf
@@ -0,0 +1,8 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+i2pd_enable="YES"
diff --git a/var/jail/nextcloud/etc/rc.conf b/var/jail/nextcloud/etc/rc.conf
new file mode 100644
index 0000000..2307f03
--- /dev/null
+++ b/var/jail/nextcloud/etc/rc.conf
@@ -0,0 +1,8 @@
+sshd_enable="NO"
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
diff --git a/var/jail/wireguard/etc/rc.conf b/var/jail/wireguard/etc/rc.conf
new file mode 100644
index 0000000..48ffe2d
--- /dev/null
+++ b/var/jail/wireguard/etc/rc.conf
@@ -0,0 +1,11 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+wireguard_enable="NO"
+wireguard_interfaces="wg0"
+gateway_enable="YES"
+pf_enable="YES"
diff --git a/var/jail/www/etc/rc.conf b/var/jail/www/etc/rc.conf
new file mode 100644
index 0000000..682f65a
--- /dev/null
+++ b/var/jail/www/etc/rc.conf
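Review bot: `wireguard_enable="NO"` in var/jail/wireguard/etc/rc.conf contradicts the rest of that file, which sets `wireguard_interfaces="wg0"`, `gateway_enable="YES"` and `pf_enable="YES"` as if this jail were meant to bring up the tunnel and route for it. If the tunnel is supposed to run inside the jail, the line should read `wireguard_enable="YES"`; if the host brings up wg0 and the jail only filters and forwards, a comment above `wireguard_interfaces="wg0"` saying so would stop the next reader from flipping it. Presumably `gateway_enable` and `pf_enable` also only take effect if the jail has its own network stack (VNET), which nothing in this commit shows; worth confirming against the jail definition.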
@@ -0,0 +1,13 @@
+# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
+dumpdev="NO"
+cron_flags="-m ''"
+sendmail_enable="NONE"
+sendmail_submit_enable="NONE"
+sendmail_msp_queue_enable="NONE"
+sendmail_outbound_enable="NONE"
+nginx_enable="YES"
+fcgiwrap_enable="YES"
+fcgiwrap_user="www"
+fcgiwrap_group="www"
+fcgiwrap_socket_owner="www"
+fcgiwrap_socket_group="www"
diff --git a/usr/local/etc/cgitrc b/var/jail/www/usr/local/etc/cgitrc
index b123224..cb8da04 100644
--- a/usr/local/etc/cgitrc
+++ b/var/jail/www/usr/local/etc/cgitrc
@@ -14,8 +14,8 @@
 virtual-root=/
 root-title=GitJoe
 root-desc=where the good code belongs
-root-readme=/usr/local/www/gitjoe/about.html
-footer=/usr/local/www/gitjoe/footer.html
+root-readme=/var/www/gitjoe/about.html
+footer=/var/www/gitjoe/footer.html
 clone-url=git://gitjoe.xyz/$CGIT_REPO_URL
@@ -48,7 +48,7 @@
 cache-size=0
 about-filter=/usr/local/lib/cgit/filters/about-formatting-edited.sh
 source-filter=/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
-snapshots=tar.gz tar.bz2 tar.xz zip
+snapshots=tar.zst tar.gz tar.bz2 tar.xz zip
 max-stats=year
 readme=:README.md
@@ -80,4 +80,4 @@
 readme=:install.txt
 readme=:INSTALL
 readme=:install
-scan-path=/usr/local/git
+scan-path=/var/mnt/git
diff --git a/var/jail/www/usr/local/etc/nginx/nginx.conf b/var/jail/www/usr/local/etc/nginx/nginx.conf
new file mode 100644
index 0000000..869ff4d
--- /dev/null
+++ b/var/jail/www/usr/local/etc/nginx/nginx.conf
@@ -0,0 +1,144 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1k;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_buffers 4 16k;
+ gzip_http_version 1.1;
+ gzip_comp_level 2;
+ gzip_types text/plain application/x-javascript application/javascript text/css application/xml application/json;
+
+ map $sent_http_content_type $expires {
+ default off;
+ text/css 15m;
+ application/javascript 15m;
+ ~image/ 15m;
+ }
+
+# JOZAN
+
+ server{
+ server_name jozan.org;
+ root /var/www/joe;
+ index index.html;
+ expires $expires;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ location ~ \.cgi$ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root/asm-example.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /var/www/joe/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /var/www/joe/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+# GITJOE
+
+ server {
+ server_name gitjoe.xyz;
+ root /var/www/gitjoe;
+ try_files $uri @cgit;
+ index cgit.cgi;
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param CGIT_CONFIG /usr/local/etc/cgitrc;
+ fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
+
+ gzip off;
+ rewrite ^/([^/]+/.*)?$ /cgit.cgi?url=$1 break;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+ listen 443 ssl;
+
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot
+}
+
+# REDIRECT 80 to 443
+
+server{
+ if ($host = jozan.org) {
+ return 301 https://$host$request_uri;
+ }
+
+
+ if ($host = www.jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ if ($host = jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ if ($host = www.jozan.org) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ if ($host = gitjoe.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name jozan.org www.jozan.org jozanofastora.xyz www.jozanofastora.xyz gitjoe.xyz;
+ listen 80;
+ return 404;
+}
+
+# REDIRECT 443 to JOZAN 443
+
+server{
+ listen 443 ssl;
+ server_name www.jozan.org jozanofastora.xyz www.jozanofastora.xyz;
+ return 301 $scheme://jozan.org$request_uri;
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozan.org/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+}
diff --git a/usr/local/lib/cgit/filters/about-formatting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh
index cf1140e..cf1140e 100755
--- a/usr/local/lib/cgit/filters/about-formatting-edited.sh
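Review bot: The gitjoe.xyz server block in nginx.conf terminates TLS with `ssl_certificate /usr/local/etc/letsencrypt/live/jozan.org/fullchain.pem`, which only works if that certificate carries gitjoe.xyz as a subject alternative name; nothing in the commit shows that, so it is worth confirming. That block is also the only `listen 443 ssl;` block without `include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;` and `ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;`, so its protocol and cipher settings fall back to nginx defaults instead of the Certbot-managed policy the other two 443 blocks use; adding those two lines after its `listen 443 ssl;` makes the three consistent. Lastly, it has no counterpart to the jozan.org block's `location ~ /\.ht { deny all; }`, so with `try_files $uri @cgit` any dot-file that exists under /var/www/gitjoe would be served as a static file.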
+++ b/var/jail/www/usr/local/lib/cgit/filters/about-formatting-edited.sh
diff --git a/usr/local/lib/cgit/filters/html-converters/md2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html
index 7d97b1e..a4a43ff 100755
--- a/usr/local/lib/cgit/filters/html-converters/md2html
+++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/md2html
@@ -1,4 +1,4 @@
-#!/usr/local/bin/python3.8
+#!/usr/local/bin/python3.9
 import markdown
 import sys
 import io
diff --git a/usr/local/lib/cgit/filters/html-converters/org2html b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html
index e9c3b44..e9c3b44 100755
--- a/usr/local/lib/cgit/filters/html-converters/org2html
+++ b/var/jail/www/usr/local/lib/cgit/filters/html-converters/org2html
diff --git a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
index 3de95fa..3de95fa 100755
--- a/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh
+++ b/var/jail/www/usr/local/lib/cgit/filters/syntax-highlighting-edited.sh |