From 99b8524c16cc99ceeaf1ebf588f2fc0f2c0fbe0a Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Sat, 12 Oct 2024 08:14:59 -0400
Subject: add a bunch of hostclasses

---
 .../etc/asterisk/extensions.conf.asterisk_server   |   5 +
 .../local/etc/asterisk/logger.conf.asterisk_server |   3 +
 .../local/etc/asterisk/pjsip.conf.asterisk_server  |  26 ++++
 .../etc/asterisk/pjsip_wizard.conf.asterisk_server |  65 ++++++++++
 .../local/etc/asterisk/queues.conf.asterisk_server |  31 +++++
 .../local/etc/asterisk/rtp.conf.asterisk_server    |   3 +
 .../etc/asterisk/voicemail.conf.asterisk_server    |  31 +++++
 .../local/etc/dovecot/rspamd.conf.sh.imap_server   |   5 +
 files/usr/local/etc/nginx/fastcgi_params.common    |  31 +++++
 files/usr/local/etc/nginx/nginx.conf.common        |  37 +++++-
 .../local/etc/nginx/vhosts.conf.bitwarden_server   |  36 ++++++
 files/usr/local/etc/nginx/vhosts.conf.dav_server   |  55 ++++++++
 files/usr/local/etc/nginx/vhosts.conf.smtp_server  |   4 +-
 files/usr/local/etc/nginx/vhosts.conf.ttrss_server |  43 +++++++
 files/usr/local/etc/nginx/vhosts.conf.xmpp_server  |  21 ++++
 files/usr/local/etc/nginx/vhosts.conf.znc_server   |  21 ++++
 .../etc/nsd/nsd.conf.authoritative_nameserver      |  22 ++++
 files/usr/local/etc/nslcd.conf.common              |   2 +
 files/usr/local/etc/openldap/ldap.conf.common      |   1 +
 files/usr/local/etc/openldap/ldap.conf.idm_server  |   1 +
 files/usr/local/etc/php-fpm.conf.common            |   4 +
 .../local/etc/php-fpm.d/davical.conf.dav_server    |  20 +++
 .../local/etc/php-fpm.d/ttrss.conf.ttrss_server    |  23 ++++
 files/usr/local/etc/php.ini.common                 | 138 +++++++++++++++++++++
 .../local/etc/poudriere.d/pkglist.pkg_repository   |  28 +++++
 .../local/etc/prosody/prosody.cfg.lua.xmpp_server  | 106 ++++++++++++++++
 .../etc/rc.conf.d/vaultwarden.bitwarden_server     |  19 +++
 files/usr/local/etc/rc.d/ttrssd.ttrss_server       |  47 +++++++
 .../etc/ssh/sshd_config.d/acmeproxy.conf.common    |  11 ++
 files/usr/local/etc/ssh/sshd_config.freebsd        |   2 +-
 files/usr/local/etc/sudoers.d/acme.asterisk_server |   1 +
 .../usr/local/etc/sudoers.d/acme.public_webserver  |   1 +
 files/usr/local/etc/sudoers.d/acme.smtp_server     |   2 +-
 files/usr/local/etc/sudoers.d/acme.xmpp_server     |   1 +
 files/usr/local/etc/turnserver.conf.turn_server    |  61 +++++++++
 .../usr/local/etc/znc/configs/znc.conf.znc_server  |  55 ++++++++
 .../etc/znc/moddata/cyrusauth/.registry.znc_server |   2 +
 37 files changed, 955 insertions(+), 9 deletions(-)
 create mode 100644 files/usr/local/etc/asterisk/extensions.conf.asterisk_server
 create mode 100644 files/usr/local/etc/asterisk/logger.conf.asterisk_server
 create mode 100644 files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
 create mode 100644 files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
 create mode 100644 files/usr/local/etc/asterisk/queues.conf.asterisk_server
 create mode 100644 files/usr/local/etc/asterisk/rtp.conf.asterisk_server
 create mode 100644 files/usr/local/etc/asterisk/voicemail.conf.asterisk_server
 create mode 100644 files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server
 create mode 100644 files/usr/local/etc/nginx/fastcgi_params.common
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.dav_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.ttrss_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.xmpp_server
 create mode 100644 files/usr/local/etc/nginx/vhosts.conf.znc_server
 create mode 100644 files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
 create mode 100644 files/usr/local/etc/php-fpm.conf.common
 create mode 100644 files/usr/local/etc/php-fpm.d/davical.conf.dav_server
 create mode 100644 files/usr/local/etc/php-fpm.d/ttrss.conf.ttrss_server
 create mode 100644 files/usr/local/etc/php.ini.common
 create mode 100644 files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server
 create mode 100644 files/usr/local/etc/rc.conf.d/vaultwarden.bitwarden_server
 create mode 100644 files/usr/local/etc/rc.d/ttrssd.ttrss_server
 create mode 100644 files/usr/local/etc/ssh/sshd_config.d/acmeproxy.conf.common
 create mode 100644 files/usr/local/etc/sudoers.d/acme.asterisk_server
 create mode 100644 files/usr/local/etc/sudoers.d/acme.public_webserver
 create mode 100644 files/usr/local/etc/sudoers.d/acme.xmpp_server
 create mode 100644 files/usr/local/etc/turnserver.conf.turn_server
 create mode 100644 files/usr/local/etc/znc/configs/znc.conf.znc_server
 create mode 100644 files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server

(limited to 'files/usr/local/etc')

diff --git a/files/usr/local/etc/asterisk/extensions.conf.asterisk_server b/files/usr/local/etc/asterisk/extensions.conf.asterisk_server
new file mode 100644
index 0000000..301fe66
--- /dev/null
+++ b/files/usr/local/etc/asterisk/extensions.conf.asterisk_server
@@ -0,0 +1,5 @@
+[public]
+exten => _X.,1,Hangup(3)
+
+[default]
+exten => _X.,1,Hangup(3)
diff --git a/files/usr/local/etc/asterisk/logger.conf.asterisk_server b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
new file mode 100644
index 0000000..3bf2a53
--- /dev/null
+++ b/files/usr/local/etc/asterisk/logger.conf.asterisk_server
@@ -0,0 +1,3 @@
+[logfiles]
+console => notice,warning,error
+syslog.daemon => notice,warning,error,security,verbose1
diff --git a/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
new file mode 100644
index 0000000..0f83a81
--- /dev/null
+++ b/files/usr/local/etc/asterisk/pjsip.conf.asterisk_server
@@ -0,0 +1,26 @@
+[transport-defaults](!)
+type                       = transport
+bind                       = 0.0.0.0
+local_net                  = 127.0.0.0/8
+local_net                  = 10.0.0.0/8
+local_net                  = 172.16.0.0/12
+local_net                  = 192.168.0.0/16
+external_media_address     = ${asterisk_public_ip}
+external_signaling_address = ${asterisk_public_ip}
+
+[transport-udp](transport-defaults)
+protocol = udp
+
+[transport-tcp](transport-defaults)
+protocol = tcp
+
+[transport-tls](transport-defaults)
+protocol      = tls
+bind          = 0.0.0.0:5061
+method        = tlsv1_2
+cert_file     = ${asterisk_public_tls_cert}
+priv_key_file = ${asterisk_public_tls_key}
+ca_list_file  = ${ca_root_nss_bundle}
+verify_client = no
+verify_server = yes
+allow_reload  = yes
diff --git a/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
new file mode 100644
index 0000000..1de448f
--- /dev/null
+++ b/files/usr/local/etc/asterisk/pjsip_wizard.conf.asterisk_server
@@ -0,0 +1,65 @@
+;;;;;;;;;;;
+; Trunks
+;;;;;;;;;;;
+
+[trunk-defaults](!)
+type                                  = wizard
+sends_auth                            = yes
+sends_registrations                   = yes
+endpoint/rtp_symmetric                = yes
+endpoint/rewrite_contact              = yes
+endpoint/send_rpid                    = yes
+endpoint/from_domain                  = ${asterisk_sip_domain}
+endpoint/allow                        = !all,ulaw
+registration/max_retries              = 4294967295
+registration/auth_rejection_permanent = no
+aor/qualify_frequency                 = 30
+
+$(for trunk in ${asterisk_trunks:-}; do
+  eval "trunk_proto=\${asterisk_trunk_${trunk}_proto:-'tcp'}"
+  eval "trunk_remote=\${asterisk_trunk_${trunk}_remote}"
+  eval "trunk_username=\${asterisk_trunk_${trunk}_username}"
+  eval "trunk_password=\${asterisk_trunk_${trunk}_password}"
+  eval "trunk_context=\${asterisk_trunk_${trunk}_context}"
+  echo "\
+[${trunk}](trunk-defaults)
+transport                 = transport-${trunk_proto}
+remote_hosts              = ${trunk_remote}
+endpoint/context          = ${trunk_context}
+endpoint/media_encryption = no
+outbound_auth/username    = ${trunk_username}
+outbound_auth/password    = ${trunk_password}
+"; done)
+
+
+[extension-defaults](!)
+type                       = wizard
+accepts_registrations      = yes
+accepts_auth               = yes
+aor/remove_existing        = yes
+endpoint/allow             = !all,g722,ulaw
+endpoint/from_domain       = ${asterisk_sip_domain}
+endpoint/subscribe_context = subscribe
+
+$(for ext in ${asterisk_exts:-}; do
+  eval "ext_context=\${asterisk_ext_${ext}_context}"
+  eval "ext_password=\${asterisk_ext_${ext}_password}"
+  eval "ext_max_contacts=\${asterisk_ext_${ext}_max_contacts:-1}"
+  eval "ext_qualify_freq=\${asterisk_ext_${ext}_qualify_freq:-30}"
+  eval "ext_qualify_timeout=\${asterisk_ext_${ext}_qualify_timeout:-3.0}"
+  eval "ext_direct_media=\${asterisk_ext_${ext}_direct_media:-yes}"
+  eval "ext_cid_name=\${asterisk_ext_${ext}_cid_name}"
+  eval "ext_cid_number=\${asterisk_ext_${ext}_cid_number:-$ext}"
+  eval "ext_mailbox=\${asterisk_ext_${ext}_mailbox:-$ext}"
+  echo "\
+[${ext}](extension-defaults)
+endpoint/context     = ${ext_context}
+endpoint/mailboxes   = ${ext_mailbox}@default
+endpoint/callerid    = ${ext_cid_name} <${ext_cid_number}>
+inbound_auth/username = ${ext}
+inbound_auth/password = ${ext_password}
+aor/max_contacts      = ${ext_max_contacts}
+aor/qualify_frequency = ${ext_qualify_freq}
+aor/qualify_timeout   = ${ext_qualify_timeout}
+endpoint/direct_media = ${ext_direct_media}
+"; done)
diff --git a/files/usr/local/etc/asterisk/queues.conf.asterisk_server b/files/usr/local/etc/asterisk/queues.conf.asterisk_server
new file mode 100644
index 0000000..87b8ed4
--- /dev/null
+++ b/files/usr/local/etc/asterisk/queues.conf.asterisk_server
@@ -0,0 +1,31 @@
+[general]
+persistentmembers       = yes
+autofill                = yes
+monitor-type            = MixMonitor
+shared_lastcall         = yes
+log_membername_as_agent = yes
+
+$(for queue in ${asterisk_queues:-}; do
+  eval "queue_strategy=\${asterisk_queue_${queue}_strategy}"
+  eval "queue_timeout=\${asterisk_queue_${queue}_timeout:-15}"
+  eval "queue_retry=\${asterisk_queue_${queue}_retry:-5}"
+  eval "queue_ringinuse=\${asterisk_queue_${queue}_ringinuse:-yes}"
+  eval "queue_members=\${asterisk_queue_${queue}_members}"
+  echo "\
+[${queue}]
+strategy                    = ${queue_strategy}
+timeout                     = ${queue_timeout}
+retry                       = ${queue_retry}
+timeoutpriority             = app
+announce-frequency          = 0
+announce-holdtime           = no
+announce-position           = no
+periodic-announce-frequency = 0
+joinempty                   = yes
+leavewhenempty              = no
+ringinuse                   = ${queue_ringinuse}
+timeoutrestart              = yes"
+for member in $queue_members; do
+  eval "member_name=\${asterisk_ext_${member}_cid_name}"
+  echo "member => PJSIP/${member},0,${member_name},PJSIP/${member}"
+done; done)
diff --git a/files/usr/local/etc/asterisk/rtp.conf.asterisk_server b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
new file mode 100644
index 0000000..d16d1f0
--- /dev/null
+++ b/files/usr/local/etc/asterisk/rtp.conf.asterisk_server
@@ -0,0 +1,3 @@
+[general]
+rtpstart=${asterisk_rtp_start_port}
+rtpend=${asterisk_rtp_end_port}
diff --git a/files/usr/local/etc/asterisk/voicemail.conf.asterisk_server b/files/usr/local/etc/asterisk/voicemail.conf.asterisk_server
new file mode 100644
index 0000000..c67559f
--- /dev/null
+++ b/files/usr/local/etc/asterisk/voicemail.conf.asterisk_server
@@ -0,0 +1,31 @@
+[general]
+format=wav49|gsm|wav
+
+serveremail=${asterisk_from_email}
+attach=yes
+maxmsg=100
+maxsecs=300
+maxgreet=60
+skipms=3000
+maxsilence=10
+silencethreshold=128
+maxlogins=3
+
+emailsubject=New voicemail \${VM_MSGNUM} in mailbox \${VM_MAILBOX}
+emailbody=Hi \${VM_NAME},\n\nYou have a new voicemail in mailbox \${VM_MAILBOX}.\n\nFrom: \${VM_CALLERID}\nDate: \${VM_DATE}\nDuration: \${VM_DUR}\nMessage Number: \${VM_MSGNUM}
+emaildateformat=%A, %B %d, %Y at %r
+
+tz=myzone
+locale=${asterisk_locale}
+minpassword=4
+
+[zonemessages]
+myzone=${asterisk_timezone}|'vm-received' Q 'digits/at' IMp
+
+[default]
+$(for mailbox in ${asterisk_mailboxes:-}; do
+  eval "mailbox_password=\${asterisk_mailbox_${mailbox}_password:-${asterisk_default_mailbox_password}}"
+  eval "mailbox_name=\${asterisk_mailbox_${mailbox}_name:-}"
+  eval "mailbox_email=\${asterisk_mailbox_${mailbox}_email:-}"
+  echo "${mailbox} => ${mailbox_password},${mailbox_name},${mailbox_email},,,"
+done)
diff --git a/files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server b/files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server
new file mode 100644
index 0000000..c1293e4
--- /dev/null
+++ b/files/usr/local/etc/dovecot/rspamd.conf.sh.imap_server
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+RSPAMD_HOST="${rspamd_host}.${domain}"
+RSPAMD_PASSWORD="${rspamd_rw_password}"
+RSPAMD_KEY="${rspamd_pubkey}"
diff --git a/files/usr/local/etc/nginx/fastcgi_params.common b/files/usr/local/etc/nginx/fastcgi_params.common
new file mode 100644
index 0000000..d0a6c69
--- /dev/null
+++ b/files/usr/local/etc/nginx/fastcgi_params.common
@@ -0,0 +1,31 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  PATH_INFO          $fastcgi_path_info;
+fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $host;
+fastcgi_param  REMOTE_USER        $remote_user if_not_empty;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;
+
+# Protect against HTTPoxy vuln
+fastcgi_param  HTTP_PROXY         "";
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index 1da7c3c..98ff9f9 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -33,8 +33,22 @@ http {
   ssl_session_timeout        1d;
   ssl_session_cache          shared:SSL:10m;
   ssl_session_tickets        off;
-  ssl_protocols              TLSv1.3;
-  ssl_prefer_server_ciphers  off;
+$(if [ "${nginx_public:-}" = true ]; then <<EOF
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+  ssl_dhparam ${dhparams_path};
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  resolver ${resolvers};
+  resolver_timeout 5s;
+EOF
+else
+  cat <<EOF
+  ssl_protocols TLSv1.3;
+EOF
+fi
+)
+  ssl_prefer_server_ciphers off;
 
   map \$http_upgrade \$connection_upgrade {
     default upgrade;
@@ -47,10 +61,11 @@ $([ "${nginx_gssapi:-}" = true ] && cat <<EOF
 EOF
 )
 
-$([ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ] && cat <<EOF
+$(if [ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ]; then
+cat <<EOF
   server {
-    listen       0.0.0.0:80 default_server;
-    listen       [::]:80 default_server;
+    listen       0.0.0.0:80;
+    listen       [::]:80;
 
     location /.well-known/acme-challenge/ {
       root ${acme_webroot};
@@ -62,6 +77,18 @@ $([ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ] && cat <<EOF
     }
   }
 EOF
+  elif [ "${nginx_redirect:-}" != false ]; then
+cat <<EOF
+  server {
+    listen       0.0.0.0:80;
+    listen       [::]:80;
+
+    location / {
+      return 301 https://\$host\$request_uri;
+    }
+  }
+EOF
+  fi
 )
 
   include vhosts.conf;
diff --git a/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server b/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
new file mode 100644
index 0000000..0ef31bb
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.bitwarden_server
@@ -0,0 +1,36 @@
+upstream vaultwarden {
+  zone vaultwarden 64k;
+  server 127.0.0.1:${vaultwarden_port};
+  keepalive 2;
+}
+
+map \$http_upgrade \$connection_upgrade {
+  default upgrade;
+  ''      "";
+}
+
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  client_max_body_size 256M;
+
+  ssl_certificate      ${vaultwarden_https_cert};
+  ssl_certificate_key  ${vaultwarden_https_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade \$http_upgrade;
+    proxy_set_header Connection \$connection_upgrade;
+
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+
+    proxy_pass http://vaultwarden/;
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.dav_server b/files/usr/local/etc/nginx/vhosts.conf.dav_server
new file mode 100644
index 0000000..71bbc71
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.dav_server
@@ -0,0 +1,55 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  root ${davical_webroot};
+  index index.html index.php;
+
+  ssl_certificate      ${davical_https_cert};
+  ssl_certificate_key  ${davical_https_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  auth_gss_keytab ${davical_keytab};
+  auth_gss_allow_basic_fallback off;
+
+  location / {
+    auth_gss on;
+    satisfy any;
+$(printf '    deny %s;\n' $kerberized_cidrs)
+    allow all;
+    try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
+  }
+
+  location /.well-known/ {
+    try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
+  }
+
+  location ~ ^/caldav\.php/\.well-known/ {
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${davical_fpm_socket};
+  }
+
+  location ~ [^/]\.php(/|$) {
+    auth_gss on;
+    satisfy any;
+$(printf '    deny %s;\n' $kerberized_cidrs)
+    allow all;
+
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${davical_fpm_socket};
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.smtp_server b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
index 4b84ede..322ca34 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.smtp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
@@ -4,8 +4,8 @@ server {
 
   http2 on;
 
-  ssl_certificate      ${rspamd_tls_cert};
-  ssl_certificate_key  ${rspamd_tls_key};
+  ssl_certificate      ${rspamd_https_cert};
+  ssl_certificate_key  ${rspamd_https_key};
 
   add_header Strict-Transport-Security "max-age=63072000" always;
 
diff --git a/files/usr/local/etc/nginx/vhosts.conf.ttrss_server b/files/usr/local/etc/nginx/vhosts.conf.ttrss_server
new file mode 100644
index 0000000..fb0343d
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.ttrss_server
@@ -0,0 +1,43 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  root ${ttrss_repo_dir};
+  index index.php index.html;
+
+  ssl_certificate      ${ttrss_https_cert};
+  ssl_certificate_key  ${ttrss_https_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  auth_gss_keytab ${ttrss_keytab};
+  auth_gss_allow_basic_fallback off;
+
+  location ~ ^/index\.php$ {
+    auth_gss on;
+    satisfy any;
+$(printf '    deny %s;\n' $kerberized_cidrs)
+    allow all;
+
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${ttrss_fpm_socket};
+  }
+
+  location ~ [^/]\.php(/|$) {
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f \$document_root\$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_index index.php;
+    fastcgi_intercept_errors on;
+    include fastcgi_params;
+    fastcgi_pass unix:${ttrss_fpm_socket};
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.xmpp_server b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
new file mode 100644
index 0000000..732a6de
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
@@ -0,0 +1,21 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+
+  http2 on;
+
+  ssl_certificate         ${prosody_https_cert};
+  ssl_certificate_key     ${prosody_https_key};
+  ssl_trusted_certificate ${prosody_https_cacert};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+    proxy_pass http://127.0.0.1:${prosody_http_port};
+  }
+}
diff --git a/files/usr/local/etc/nginx/vhosts.conf.znc_server b/files/usr/local/etc/nginx/vhosts.conf.znc_server
new file mode 100644
index 0000000..ee75878
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.znc_server
@@ -0,0 +1,21 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+  ssl_certificate      ${znc_tls_cert};
+  ssl_certificate_key  ${znc_tls_key};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  location / {
+    proxy_http_version 1.1;
+
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+
+    proxy_pass http://127.0.0.1:${znc_http_port}/;
+  }
+}
diff --git a/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
new file mode 100644
index 0000000..b6d1e11
--- /dev/null
+++ b/files/usr/local/etc/nsd/nsd.conf.authoritative_nameserver
@@ -0,0 +1,22 @@
+server:
+  server-count: ${nsd_threads}
+  log-only-syslog: yes
+  verbosity: 1
+  hide-version: yes
+  minimal-responses: yes
+  refuse-any: yes
+$(for zone in ${nsd_zones:-}; do
+  eval "zone_name=\${nsd_${zone}_domain}"
+  eval "zone_slaves=\${nsd_${zone}_slaves:-}"
+  echo "zone:
+  name: ${zone_name}
+  zonefile: ${nsd_conf_dir}/${zone_name}.zone"
+  for slave in $zone_slaves; do
+    echo "  notify: ${slave} NOKEY"
+    echo "  provide-xfr: ${slave} NOKEY"
+  done
+done)
+
+remote-control:
+  control-enable: yes
+  control-interface: ${nsd_run_dir}/nsd.ctl
diff --git a/files/usr/local/etc/nslcd.conf.common b/files/usr/local/etc/nslcd.conf.common
index ca27337..9798ba9 100644
--- a/files/usr/local/etc/nslcd.conf.common
+++ b/files/usr/local/etc/nslcd.conf.common
@@ -12,3 +12,5 @@ sasl_mech GSSAPI
 nss_min_uid ${nslcd_min_uid}
 nss_initgroups_ignoreusers ALLLOCAL
 nss_nested_groups yes
+
+pam_authz_search (&(uid=\$username)(memberOf=cn=\$service-access,${roles_basedn}))
diff --git a/files/usr/local/etc/openldap/ldap.conf.common b/files/usr/local/etc/openldap/ldap.conf.common
index 2be3425..22b20bb 100644
--- a/files/usr/local/etc/openldap/ldap.conf.common
+++ b/files/usr/local/etc/openldap/ldap.conf.common
@@ -11,3 +11,4 @@ ACCOUNTS_BASE  ${accounts_basedn}
 USERS_BASE     ${users_basedn}
 GROUPS_BASE    ${groups_basedn}
 HOSTS_BASE     ${hosts_basedn}
+ROLES_BASE     ${roles_basedn}
diff --git a/files/usr/local/etc/openldap/ldap.conf.idm_server b/files/usr/local/etc/openldap/ldap.conf.idm_server
index 2e77244..4c7a929 100644
--- a/files/usr/local/etc/openldap/ldap.conf.idm_server
+++ b/files/usr/local/etc/openldap/ldap.conf.idm_server
@@ -11,3 +11,4 @@ ACCOUNTS_BASE  ${accounts_basedn}
 USERS_BASE     ${users_basedn}
 GROUPS_BASE    ${groups_basedn}
 HOSTS_BASE     ${hosts_basedn}
+ROLES_BASE     ${roles_basedn}
diff --git a/files/usr/local/etc/php-fpm.conf.common b/files/usr/local/etc/php-fpm.conf.common
new file mode 100644
index 0000000..e4c8f88
--- /dev/null
+++ b/files/usr/local/etc/php-fpm.conf.common
@@ -0,0 +1,4 @@
+[global]
+pid = run/php-fpm.pid
+error_log = syslog
+include=/usr/local/etc/php-fpm.d/*.conf
diff --git a/files/usr/local/etc/php-fpm.d/davical.conf.dav_server b/files/usr/local/etc/php-fpm.d/davical.conf.dav_server
new file mode 100644
index 0000000..faf5f62
--- /dev/null
+++ b/files/usr/local/etc/php-fpm.d/davical.conf.dav_server
@@ -0,0 +1,20 @@
+[davical]
+user = ${nginx_user}
+group = ${nginx_user}
+
+listen = ${davical_fpm_socket}
+
+listen.owner = ${nginx_user}
+listen.group = ${nginx_user}
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chdir = ${davical_webroot}
+
+catch_workers_output = yes
+decorate_workers_output = no
diff --git a/files/usr/local/etc/php-fpm.d/ttrss.conf.ttrss_server b/files/usr/local/etc/php-fpm.d/ttrss.conf.ttrss_server
new file mode 100644
index 0000000..9519ab5
--- /dev/null
+++ b/files/usr/local/etc/php-fpm.d/ttrss.conf.ttrss_server
@@ -0,0 +1,23 @@
+[ttrss]
+user = ${nginx_user}
+group = ${nginx_user}
+
+listen = ${ttrss_fpm_socket}
+
+listen.owner = ${nginx_user}
+listen.group = ${nginx_user}
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chdir = ${ttrss_repo_dir}
+
+catch_workers_output = yes
+decorate_workers_output = no
+
+; ttrss needs git to show its version info.
+env["PATH"] = "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
diff --git a/files/usr/local/etc/php.ini.common b/files/usr/local/etc/php.ini.common
new file mode 100644
index 0000000..40cfa9e
--- /dev/null
+++ b/files/usr/local/etc/php.ini.common
@@ -0,0 +1,138 @@
+[PHP]
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+unserialize_callback_func =
+serialize_precision = -1
+disable_functions =
+disable_classes =
+zend.enable_gc = On
+zend.exception_ignore_args = On
+zend.exception_string_param_max_len = 0
+expose_php = On
+max_execution_time = 30
+max_input_time = 60
+memory_limit = 128M
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors = Off
+display_startup_errors = Off
+log_errors = On
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = On
+html_errors = Off
+error_log = syslog
+syslog.ident = php
+syslog.facility = user
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = 8M
+auto_prepend_file =
+auto_append_file =
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+doc_root =
+user_dir =
+enable_dl = Off
+file_uploads = On
+upload_max_filesize = 2M
+max_file_uploads = 20
+allow_url_fopen = On
+allow_url_include = Off
+default_socket_timeout = 60
+
+[CLI Server]
+cli_server.color = On
+
+[Date]
+;date.timezone =
+
+[Pdo_mysql]
+pdo_mysql.default_socket=
+
+
+[mail function]
+mail.add_x_header = Off
+mail.mixed_lf_and_crlf = Off
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[MySQLi]
+mysqli.max_persistent = -1
+mysqli.allow_persistent = On
+mysqli.max_links = -1
+mysqli.default_port = 3306
+mysqli.default_socket =
+mysqli.default_host =
+mysqli.default_user =
+mysqli.default_pw =
+
+[mysqlnd]
+mysqlnd.collect_statistics = On
+mysqlnd.collect_memory_statistics = Off
+
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[browscap]
+
+[Session]
+session.save_handler = files
+session.use_strict_mode = 1
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 1
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 26
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 5
+
+[Assertion]
+zend.assertions = -1
+
+
+[Tidy]
+tidy.clean_output = Off
+
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit = 5
+
+[opcache]
+opcache.enable=1
+opcache.enable_cli=0
diff --git a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
index d24ce06..848e558 100644
--- a/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
+++ b/files/usr/local/etc/poudriere.d/pkglist.pkg_repository
@@ -1,4 +1,10 @@
+archivers/php${php_version}-phar
+archivers/php${php_version}-zip
 converters/php${php_version}-iconv
+converters/php${php_version}-mbstring
+databases/luadbi
+databases/p5-DBD-Pg
+databases/p5-DBI
 databases/php${php_version}-pdo_pgsql
 databases/php${php_version}-pgsql
 databases/postgresql${postgresql_version}-client
@@ -7,6 +13,9 @@ databases/redis
 devel/ccache
 devel/git@lite
 devel/php${php_version}-gettext
+devel/php${php_version}-intl
+devel/php${php_version}-pcntl
+devel/php${php_version}-tokenizer
 dns/bind-tools
 dns/nsd
 dns/powerdns
@@ -14,6 +23,10 @@ dns/unbound
 editors/vim@console
 editors/vim@tiny
 ftp/php${php_version}-curl
+graphics/php${php_version}-exif
+graphics/php${php_version}-gd
+irc/znc
+irc/znc-clientbuffer
 java/openjdk21
 lang/python
 lang/php${php_version}
@@ -25,6 +38,8 @@ mail/postfix
 mail/rspamd
 mail/sieve-connect
 misc/php${php_version}-calendar
+net/asterisk18
+net/lualdap
 net/nss-pam-ldapd-sasl
 net/openldap26-client
 net/openldap26-server
@@ -32,6 +47,10 @@ net/p5-perl-ldap
 net/php${php_version}-ldap
 net/py-python-ldap
 net/rsync
+net/php${php_version}-sockets
+net/turnserver
+net-im/prosody
+net-im/prosody-modules
 ports-mgmt/poudriere
 security/acme.sh
 security/cyrus-sasl2-saslauthd
@@ -41,16 +60,25 @@ security/krb5@ldap
 security/openssh-portable
 security/pam_krb5@mit
 security/pam_mkhomedir
+security/php${php_version}-filter
 security/sshpass
 security/sudo
+security/vaultwarden
 sysutils/htop
 sysutils/lsof
 sysutils/p5-Sys-Syslog
+sysutils/php${php_version}-fileinfo
+sysutils/php${php_version}-posix
 sysutils/pwgen
 sysutils/stow
 sysutils/tmux
 sysutils/tree
+textproc/p5-YAML
+textproc/php${php_version}-ctype
+textproc/php${php_version}-dom
+textproc/php${php_version}-simplexml
 textproc/php${php_version}-xml
+textproc/php${php_version}-xmlwriter
 www/nginx
 www/php${php_version}-opcache
 www/php${php_version}-session
diff --git a/files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server b/files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server
new file mode 100644
index 0000000..083a6ce
--- /dev/null
+++ b/files/usr/local/etc/prosody/prosody.cfg.lua.xmpp_server
@@ -0,0 +1,106 @@
+$([ -n "${prosody_admins:-}" ] && echo "admins = { \"$(join '", "' $prosody_admins)\" }")
+pidfile = "/var/run/prosody/prosody.pid"
+
+plugin_paths = { "/usr/local/lib/prosody-modules" }
+
+modules_enabled = {
+
+  -- Generally required
+    "disco"; -- Service discovery
+    "roster"; -- Allow users to have a roster. Recommended ;)
+    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+    "tls"; -- Add support for secure TLS on c2s/s2s connections
+
+  -- Not essential, but recommended
+    "blocklist"; -- Allow users to block communications with other users
+    "bookmarks"; -- Synchronise the list of open rooms between clients
+    "carbons"; -- Keep multiple online clients in sync
+    "dialback"; -- Support for verifying remote servers using DNS
+    "limits"; -- Enable bandwidth limiting for XMPP connections
+    "pep"; -- Allow users to store public and private data in their account
+    "private"; -- Legacy account storage mechanism (XEP-0049)
+    "smacks"; -- Stream management and resumption (XEP-0198)
+    "vcard4"; -- User profiles (stored in PEP)
+    "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+
+  -- Nice to have
+    "ping"; -- Replies to XMPP pings with pongs
+    "register"; -- Allow users to register on this server using a client and change passwords
+    "time"; -- Let others know the time here on this server
+    "uptime"; -- Report how long server has been running
+    "version"; -- Replies to server version requests
+    "mam"; -- Store recent messages to allow multi-device synchronization
+    "turn_external"; -- Provide external STUN/TURN service for e.g. audio/video calls
+
+  -- Admin interfaces
+    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+    "admin_shell"; -- Allow secure administration via 'prosodyctl shell'
+
+  -- Other specific functionality
+    "groups"; -- Shared roster support
+    "csi_battery_saver";
+    "reload_modules";
+}
+
+reload_modules = { "groups", "tls" }
+
+groups_file = "${prosody_roster_path}"
+
+s2s_secure_auth = true
+
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+authentication = "ldap"
+ldap_server = "${ldap_hosts}"
+ldap_tls = true
+ldap_base = "${users_basedn}"
+ldap_scope = "subtree"
+ldap_filter = "(&(memberOf=cn=${prosody_access_role},${roles_basedn})(mailAddress=\$user@\$host))"
+ldap_rootdn = "${prosody_dn}"
+ldap_password = "${prosody_ldap_password}"
+
+storage = "sql"
+sql = { driver = "PostgreSQL", database = "${prosody_dbname}", username = "${prosody_username}", host = "${prosody_dbhost}" }
+
+archive_expires_after = "${prosody_archive_expiration}"
+
+turn_external_host = "${prosody_turn_host}"
+turn_external_port = ${prosody_turn_port}
+turn_external_secret = "${prosody_turn_secret}"
+
+log = {
+  info = "*syslog";
+}
+
+certificates = "certs"
+
+http_ports = { ${prosody_http_port} }
+http_interfaces = { "127.0.0.1" }
+https_interfaces = { }
+https_ports = { }
+http_external_url = "https://${prosody_public_fqdn}/"
+https_external_url = "https://${prosody_public_fqdn}/"
+trusted_proxies = { "127.0.0.1" }
+http_max_content_size = ${prosody_upload_sizelimit}
+
+Component "${prosody_public_fqdn}" "http_upload"
+http_upload_file_size_limit = ${prosody_upload_sizelimit}
+http_upload_expire_after = ${prosody_upload_expiration}
+http_upload_quota = ${prosody_upload_quota}
+
+$(for vhost in $prosody_domains; do cat <<EOF
+VirtualHost "${vhost}"
+  disco_items = {
+    { "${prosody_public_fqdn}" }
+  }
+Component "conference.${vhost}" "muc"
+  modules_enabled = { "muc_mam"}
+EOF
+done)
diff --git a/files/usr/local/etc/rc.conf.d/vaultwarden.bitwarden_server b/files/usr/local/etc/rc.conf.d/vaultwarden.bitwarden_server
new file mode 100644
index 0000000..a0923d6
--- /dev/null
+++ b/files/usr/local/etc/rc.conf.d/vaultwarden.bitwarden_server
@@ -0,0 +1,19 @@
+export ROCKET_ADDRESS=127.0.0.1
+export ROCKET_PORT="${vaultwarden_port}"
+export ROCKET_CLI_COLORS=false
+export LOG_LEVEL=warn
+export EXTENDED_LOGGING=true
+export IP_HEADER=X-Forwarded-For
+
+export DATABASE_URL="postgresql://${vaultwarden_username}@${vaultwarden_dbhost}/${vaultwarden_dbname}"
+
+export SIGNUPS_ALLOWED=true
+export SIGNUPS_VERIFY=true
+
+export INVITATIONS_ALLOWED=false
+
+export DOMAIN="https://${vaultwarden_fqdn}"
+
+export USE_SENDMAIL=true
+export SMTP_FROM="bitwarden-noreply@${email_domain}"
+export SMTP_FROM_NAME=Bitwarden
diff --git a/files/usr/local/etc/rc.d/ttrssd.ttrss_server b/files/usr/local/etc/rc.d/ttrssd.ttrss_server
new file mode 100644
index 0000000..d04fa3d
--- /dev/null
+++ b/files/usr/local/etc/rc.d/ttrssd.ttrss_server
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# PROVIDE: ttrssd
+# REQUIRE: NETWORKING kstart
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name='ttrssd'
+rcvar='ttrssd_enable'
+
+load_rc_config "$name"
+: ${ttrssd_enable='NO'}
+: ${ttrssd_webroot='/usr/local/www/tt-rss'}
+: ${ttrssd_user='www'}
+: ${ttrssd_syslog_priority:='info'}
+: ${ttrssd_syslog_facility:='daemon'}
+
+ttrssd_syslog_tag=$name
+ttrssd_chdir=$ttrssd_webroot
+
+pidfile="/var/run/${name}/${name}.pid"
+procname=/usr/local/bin/php
+
+command=/usr/sbin/daemon
+command_args="-f \
+-s ${ttrssd_syslog_priority} \
+-l ${ttrssd_syslog_facility} \
+-T ${ttrssd_syslog_tag} \
+-p ${pidfile} \
+-t ${name} \
+/usr/local/bin/php \
+-d syslog.ident=${ttrssd_syslog_tag} \
+-d syslog.facility=${ttrssd_syslog_facility} \
+${ttrssd_webroot}/update_daemon2.php"
+
+required_files="${ttrssd_webroot}/config.php"
+start_precmd=ttrssd_prestart
+
+ttrssd_prestart(){
+  install -d -m 0755 -o ${ttrssd_user} "/var/run/${name}"
+}
+
+# ttrss needs git to show its version info.
+PATH='/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'
+
+run_rc_command "$1"
diff --git a/files/usr/local/etc/ssh/sshd_config.d/acmeproxy.conf.common b/files/usr/local/etc/ssh/sshd_config.d/acmeproxy.conf.common
new file mode 100644
index 0000000..63022e3
--- /dev/null
+++ b/files/usr/local/etc/ssh/sshd_config.d/acmeproxy.conf.common
@@ -0,0 +1,11 @@
+Match Group ${acmeproxy_client_group}
+  ChrootDirectory ${acmeproxy_home}
+  ForceCommand internal-sftp -R
+  DisableForwarding yes
+  PermitUserRC no
+  PermitTTY no
+  GSSAPIAuthentication yes
+  KbdInteractiveAuthentication no
+  PasswordAuthentication no
+  PubkeyAuthentication no
+  AuthenticationMethods gssapi-with-mic
diff --git a/files/usr/local/etc/ssh/sshd_config.freebsd b/files/usr/local/etc/ssh/sshd_config.freebsd
index 52d9bfe..eca2276 100644
--- a/files/usr/local/etc/ssh/sshd_config.freebsd
+++ b/files/usr/local/etc/ssh/sshd_config.freebsd
@@ -1,4 +1,4 @@
-Include /etc/ssh/sshd_config.d/*.conf
+Include /usr/local/etc/ssh/sshd_config.d/*.conf
 
 PermitRootLogin prohibit-password
 AuthorizedKeysFile .ssh/authorized_keys
diff --git a/files/usr/local/etc/sudoers.d/acme.asterisk_server b/files/usr/local/etc/sudoers.d/acme.asterisk_server
new file mode 100644
index 0000000..6ca9cd6
--- /dev/null
+++ b/files/usr/local/etc/sudoers.d/acme.asterisk_server
@@ -0,0 +1 @@
+${acme_user} ALL=(root) NOPASSWD: /usr/sbin/service asterisk reload
diff --git a/files/usr/local/etc/sudoers.d/acme.public_webserver b/files/usr/local/etc/sudoers.d/acme.public_webserver
new file mode 100644
index 0000000..9ca89b8
--- /dev/null
+++ b/files/usr/local/etc/sudoers.d/acme.public_webserver
@@ -0,0 +1 @@
+${acme_user} ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
diff --git a/files/usr/local/etc/sudoers.d/acme.smtp_server b/files/usr/local/etc/sudoers.d/acme.smtp_server
index 5180fdc..4e8c381 100644
--- a/files/usr/local/etc/sudoers.d/acme.smtp_server
+++ b/files/usr/local/etc/sudoers.d/acme.smtp_server
@@ -1 +1 @@
-acme ALL=(root) NOPASSWD: /usr/sbin/service postfix reload
+${acme_user} ALL=(root) NOPASSWD: /usr/sbin/service postfix reload
diff --git a/files/usr/local/etc/sudoers.d/acme.xmpp_server b/files/usr/local/etc/sudoers.d/acme.xmpp_server
new file mode 100644
index 0000000..9ca89b8
--- /dev/null
+++ b/files/usr/local/etc/sudoers.d/acme.xmpp_server
@@ -0,0 +1 @@
+${acme_user} ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
diff --git a/files/usr/local/etc/turnserver.conf.turn_server b/files/usr/local/etc/turnserver.conf.turn_server
new file mode 100644
index 0000000..dc62883
--- /dev/null
+++ b/files/usr/local/etc/turnserver.conf.turn_server
@@ -0,0 +1,61 @@
+relay-threads=${coturn_threads}
+listening-port=${coturn_listen_port}
+tls-listening-port=0
+
+listening-ip=${BOXCONF_DEFAULT_IPV4}
+relay-ip=${BOXCONF_DEFAULT_IPV4}
+external-ip=${coturn_external_ip}
+
+min-port=${coturn_min_port}
+max-port=${coturn_max_port}
+
+verbose
+
+use-auth-secret
+static-auth-secret=${coturn_secret}
+
+realm=${coturn_realm}
+
+no-tls
+no-dtls
+
+syslog
+
+no-software-attribute
+no-multicast-peers
+
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+secure-stun
+
+# You can't drop privileges here, due to a FreeBSD issue with SO_REUSEPORT:
+# https://github.com/coturn/coturn/issues/1098
+# Do this in /etc/rc.conf instead.
+#proc-user=coturn
+#proc-group=coturn
+
+no-cli
+no-rfc5780
+no-stun-backward-compatibility
+response-origin-only-with-rfc5780
diff --git a/files/usr/local/etc/znc/configs/znc.conf.znc_server b/files/usr/local/etc/znc/configs/znc.conf.znc_server
new file mode 100644
index 0000000..487db8e
--- /dev/null
+++ b/files/usr/local/etc/znc/configs/znc.conf.znc_server
@@ -0,0 +1,55 @@
+LoadModule = cyrusauth saslauthd
+LoadModule = webadmin
+LoadModule = corecaps
+SSLCertFile = ${znc_tls_cert}
+SSLKeyFile = ${znc_tls_key}
+Version = 1.9.0
+
+<Listener web>
+  AllowIRC = false
+  AllowWeb = true
+  IPv4 = true
+  IPv6 = false
+  Host = 127.0.0.1
+  Port = ${znc_http_port}
+  SSL = false
+</Listener>
+
+<Listener irc>
+  AllowIRC = true
+  AllowWeb = false
+  IPv4 = true
+  IPv6 = true
+  Port = ${znc_irc_port}
+  SSL = true
+</Listener>
+
+<User admin>
+  Admin = true
+  Nick = znc_admin
+  AltNick = znc_admin_
+  Ident = znc_admin
+  RealName = ZNC Administrator
+
+  <Pass password>
+    Hash = ::
+    Method = MD5
+    Salt = ::
+  </Pass>
+</User>
+
+<User ${znc_clone_user}>
+  Admin = false
+  Nick = znc_user
+  AltNick = znc_user_
+  Ident = znc_user
+  RealName = ZNC User
+  MaxNetworks = ${znc_max_networks}
+  LoadModule = chansaver
+
+  <Pass password>
+    Hash = ::
+    Method = MD5
+    Salt = ::
+  </Pass>
+</User>
diff --git a/files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server b/files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server
new file mode 100644
index 0000000..539fee0
--- /dev/null
+++ b/files/usr/local/etc/znc/moddata/cyrusauth/.registry.znc_server
@@ -0,0 +1,2 @@
+CloneUser ${znc_clone_user}
+CreateUser yes
-- 
cgit v1.2.3